From 6cfc71348309454c4f7219b0fdb4818bfa15583a Mon Sep 17 00:00:00 2001
From: Hasan Gondal <hasan@afraidlabs.com>
Date: Fri, 19 Feb 2021 22:52:38 +0000
Subject: [PATCH 1/2] Enable various client features of bssl

---
 boring/src/ssl/mod.rs | 90 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 89 insertions(+), 1 deletion(-)

diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
index 25e3f7ca..b3506d03 100644
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@@ -92,7 +92,7 @@ use stack::{Stack, StackRef};
 use x509::store::{X509Store, X509StoreBuilderRef, X509StoreRef};
 use x509::verify::X509VerifyParamRef;
 use x509::{X509Name, X509Ref, X509StoreContextRef, X509VerifyResult, X509};
-use {cvt, cvt_n, cvt_p, init};
+use {cvt, cvt_0i, cvt_n, cvt_p, init};
 
 pub use ssl::connector::{
     ConnectConfiguration, SslAcceptor, SslAcceptorBuilder, SslConnector, SslConnectorBuilder,
@@ -484,6 +484,48 @@ impl SslVersion {
     pub const TLS1_3: SslVersion = SslVersion(ffi::TLS1_3_VERSION as _);
 }
 
+/// A signature verification algorithm.
+#[repr(transparent)]
+#[derive(Debug, Copy, Clone, PartialEq, Eq)]
+pub struct SslSignatureAlgorithm(u16);
+
+impl SslSignatureAlgorithm {
+    pub const RSA_PKCS1_SHA1: SslSignatureAlgorithm =
+        SslSignatureAlgorithm(ffi::SSL_SIGN_RSA_PKCS1_SHA1 as _);
+
+    pub const RSA_PKCS1_SHA256: SslSignatureAlgorithm =
+        SslSignatureAlgorithm(ffi::SSL_SIGN_RSA_PKCS1_SHA256 as _);
+
+    pub const RSA_PKCS1_SHA384: SslSignatureAlgorithm =
+        SslSignatureAlgorithm(ffi::SSL_SIGN_RSA_PKCS1_SHA384 as _);
+
+    pub const RSA_PKCS1_SHA512: SslSignatureAlgorithm =
+        SslSignatureAlgorithm(ffi::SSL_SIGN_RSA_PKCS1_SHA512 as _);
+
+    pub const ECDSA_SHA1: SslSignatureAlgorithm =
+        SslSignatureAlgorithm(ffi::SSL_SIGN_ECDSA_SHA1 as _);
+
+    pub const ECDSA_SECP256R1_SHA256: SslSignatureAlgorithm =
+        SslSignatureAlgorithm(ffi::SSL_SIGN_ECDSA_SECP256R1_SHA256 as _);
+
+    pub const ECDSA_SECP384R1_SHA384: SslSignatureAlgorithm =
+        SslSignatureAlgorithm(ffi::SSL_SIGN_ECDSA_SECP384R1_SHA384 as _);
+
+    pub const ECDSA_SECP521R1_SHA512: SslSignatureAlgorithm =
+        SslSignatureAlgorithm(ffi::SSL_SIGN_ECDSA_SECP521R1_SHA512 as _);
+
+    pub const RSA_PSS_RSAE_SHA256: SslSignatureAlgorithm =
+        SslSignatureAlgorithm(ffi::SSL_SIGN_RSA_PSS_RSAE_SHA256 as _);
+
+    pub const RSA_PSS_RSAE_SHA384: SslSignatureAlgorithm =
+        SslSignatureAlgorithm(ffi::SSL_SIGN_RSA_PSS_RSAE_SHA384 as _);
+
+    pub const RSA_PSS_RSAE_SHA512: SslSignatureAlgorithm =
+        SslSignatureAlgorithm(ffi::SSL_SIGN_RSA_PSS_RSAE_SHA512 as _);
+
+    pub const ED25519: SslSignatureAlgorithm = SslSignatureAlgorithm(ffi::SSL_SIGN_ED25519 as _);
+}
+
 /// A standard implementation of protocol selection for Application Layer Protocol Negotiation
 /// (ALPN).
 ///
@@ -1346,6 +1388,52 @@ impl SslContextBuilder {
         }
     }
 
+    /// Set's whether the context should enable GREASE.
+    ///
+    /// This corresponds to [`SSL_CTX_set_grease_enabled`]
+    ///
+    /// [`SSL_CTX_set_grease_enabled`]: https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CTX_set_grease_enabled
+    pub fn set_grease_enabled(&mut self, enabled: bool) {
+        unsafe { ffi::SSL_CTX_set_grease_enabled(self.as_ptr(), enabled as _) }
+    }
+
+    /// Sets the context's supported signature verification algorithms.
+    ///
+    /// This corresponds to [`SSL_CTX_set_verify_algorithm_prefs`]
+    ///
+    /// [`SSL_CTX_set_verify_algorithm_prefs`]: https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CTX_set_verify_algorithm_prefs
+    pub fn set_verify_algorithm_prefs(
+        &mut self,
+        prefs: &[SslSignatureAlgorithm],
+    ) -> Result<(), ErrorStack> {
+        unsafe {
+            cvt_0i(ffi::SSL_CTX_set_verify_algorithm_prefs(
+                self.as_ptr(),
+                prefs.as_ptr() as *const _,
+                prefs.len(),
+            ))
+            .map(|_| ())
+        }
+    }
+
+    /// Enables SCT requests on all client SSL handshakes.
+    ///
+    /// This corresponds to [`SSL_CTX_enable_signed_cert_timestamps`]
+    ///
+    /// [`SSL_CTX_enable_signed_cert_timestamps`]: https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CTX_enable_signed_cert_timestamps
+    pub fn enable_signed_cert_timestamps(&mut self) {
+        unsafe { ffi::SSL_CTX_enable_signed_cert_timestamps(self.as_ptr()) }
+    }
+
+    /// Enables OCSP stapling on all client SSL handshakes.
+    ///
+    /// This corresponds to [`SSL_CTX_enable_ocsp_stapling`]
+    ///
+    /// [`SSL_CTX_enable_ocsp_stapling`]: https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CTX_enable_ocsp_stapling
+    pub fn enable_ocsp_stapling(&mut self) {
+        unsafe { ffi::SSL_CTX_enable_ocsp_stapling(self.as_ptr()) }
+    }
+
     /// Consumes the builder, returning a new `SslContext`.
     pub fn build(self) -> SslContext {
         self.0

From ee94b2a01d924da90788f2e6f47a41e0b3ba2b6c Mon Sep 17 00:00:00 2001
From: Hasan Gondal <hasan@afraidlabs.com>
Date: Sat, 20 Feb 2021 00:25:37 +0000
Subject: [PATCH 2/2] Add support for SSL_CTX_set1_curves

---
 boring/src/ssl/mod.rs | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
index b3506d03..8f7d35eb 100644
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@@ -526,6 +526,25 @@ impl SslSignatureAlgorithm {
     pub const ED25519: SslSignatureAlgorithm = SslSignatureAlgorithm(ffi::SSL_SIGN_ED25519 as _);
 }
 
+/// A TLS Curve.
+#[repr(transparent)]
+#[derive(Debug, Copy, Clone, PartialEq, Eq)]
+pub struct SslCurve(c_int);
+
+impl SslCurve {
+    pub const SECP224R1: SslCurve = SslCurve(ffi::NID_secp224r1);
+
+    pub const SECP256R1: SslCurve = SslCurve(ffi::NID_X9_62_prime256v1);
+
+    pub const SECP384R1: SslCurve = SslCurve(ffi::NID_secp384r1);
+
+    pub const SECP521R1: SslCurve = SslCurve(ffi::NID_secp521r1);
+
+    pub const X25519: SslCurve = SslCurve(ffi::NID_X25519);
+
+    pub const CECPQ2: SslCurve = SslCurve(ffi::NID_CECPQ2);
+}
+
 /// A standard implementation of protocol selection for Application Layer Protocol Negotiation
 /// (ALPN).
 ///
@@ -1434,6 +1453,22 @@ impl SslContextBuilder {
         unsafe { ffi::SSL_CTX_enable_ocsp_stapling(self.as_ptr()) }
     }
 
+    /// Sets the context's supported curves.
+    ///
+    /// This corresponds to [`SSL_CTX_set1_curves`]
+    ///
+    /// [`SSL_CTX_set1_curves`]: https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CTX_set1_curves
+    pub fn set_curves(&mut self, curves: &[SslCurve]) -> Result<(), ErrorStack> {
+        unsafe {
+            cvt_0i(ffi::SSL_CTX_set1_curves(
+                self.as_ptr(),
+                curves.as_ptr() as *const _,
+                curves.len(),
+            ))
+            .map(|_| ())
+        }
+    }
+
     /// Consumes the builder, returning a new `SslContext`.
     pub fn build(self) -> SslContext {
         self.0