From b46d77087e38cbeafb7767ead0b8db84ca9bb887 Mon Sep 17 00:00:00 2001
From: Christopher Patton
Date: Mon, 29 Sep 2025 16:10:50 -0700
Subject: [PATCH] Remove `SslCurve` API

This is incompatible with the latest internal FIPS build. Namely, the various group identifiers have been renamed since the previous version.
---
 boring/src/ssl/mod.rs | 123 -------------------------------------
 boring/src/ssl/test/mod.rs | 33 +--------
 2 files changed, 1 insertion(+), 155 deletions(-)

diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
index 302f99ba..574f001d 100644
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@@ -695,86 +695,6 @@ impl From for SslSignatureAlgorithm {
 }
 }
 
-/// Numeric identifier of a TLS curve.
-#[repr(transparent)]
-#[derive(Debug, Copy, Clone, PartialEq, Eq)]
-pub struct SslCurveNid(c_int);
-
-/// A TLS Curve.
-#[repr(transparent)]
-#[derive(Debug, Copy, Clone, PartialEq, Eq)]
-pub struct SslCurve(c_int);
-
-impl SslCurve {
- pub const SECP224R1: SslCurve = SslCurve(ffi::SSL_GROUP_SECP224R1 as _);
-
- pub const SECP256R1: SslCurve = SslCurve(ffi::SSL_GROUP_SECP256R1 as _);
-
- pub const SECP384R1: SslCurve = SslCurve(ffi::SSL_GROUP_SECP384R1 as _);
-
- pub const SECP521R1: SslCurve = SslCurve(ffi::SSL_GROUP_SECP521R1 as _);
-
- pub const X25519: SslCurve = SslCurve(ffi::SSL_GROUP_X25519 as _);
-
- pub const X25519_KYBER768_DRAFT00: SslCurve =
- SslCurve(ffi::SSL_GROUP_X25519_KYBER768_DRAFT00 as _);
-
- #[cfg(feature = "pq-experimental")]
- pub const X25519_KYBER768_DRAFT00_OLD: SslCurve =
- SslCurve(ffi::SSL_GROUP_X25519_KYBER768_DRAFT00_OLD as _);
-
- #[cfg(feature = "pq-experimental")]
- pub const X25519_KYBER512_DRAFT00: SslCurve =
- SslCurve(ffi::SSL_GROUP_X25519_KYBER512_DRAFT00 as _);
-
- #[cfg(feature = "pq-experimental")]
- pub const P256_KYBER768_DRAFT00: SslCurve = SslCurve(ffi::SSL_GROUP_P256_KYBER768_DRAFT00 as _);
-
- #[cfg(feature = "pq-experimental")]
- pub const X25519_MLKEM768: SslCurve = SslCurve(ffi::SSL_GROUP_X25519_MLKEM768 as _);
-
- /// Returns the curve name
- #[corresponds(SSL_get_curve_name)]
- #[must_use]
- pub fn name(&self) -> Option<&'static str> {
- unsafe {
- let ptr = ffi::SSL_get_curve_name(self.0 as u16);
- if ptr.is_null() {
- return None;
- }
-
- CStr::from_ptr(ptr).to_str().ok()
- }
- }
-
- // **NOTE**: This function only exists because the version of boringssl we currently use does
- // not expose SSL_CTX_set1_group_ids. Because `SslRef::curve()` returns the public SSL_GROUP id
- // as opposed to the internal NID, but `SslContextBuilder::set_curves()` requires the internal
- // NID, we need this mapping in place to avoid breaking changes to the public API. Once the
- // underlying boringssl version is upgraded, this should be removed in favor of the new
- // SSL_CTX_set1_group_ids API.
- pub fn nid(&self) -> Option {
- match self.0 {
- ffi::SSL_GROUP_SECP224R1 => Some(ffi::NID_secp224r1),
- ffi::SSL_GROUP_SECP256R1 => Some(ffi::NID_X9_62_prime256v1),
- ffi::SSL_GROUP_SECP384R1 => Some(ffi::NID_secp384r1),
- ffi::SSL_GROUP_SECP521R1 => Some(ffi::NID_secp521r1),
- ffi::SSL_GROUP_X25519 => Some(ffi::NID_X25519),
- ffi::SSL_GROUP_X25519_KYBER768_DRAFT00 => Some(ffi::NID_X25519Kyber768Draft00),
- #[cfg(feature = "pq-experimental")]
- ffi::SSL_GROUP_X25519_KYBER768_DRAFT00_OLD => Some(ffi::NID_X25519Kyber768Draft00Old),
- #[cfg(feature = "pq-experimental")]
- ffi::SSL_GROUP_X25519_KYBER512_DRAFT00 => Some(ffi::NID_X25519Kyber512Draft00),
- #[cfg(feature = "pq-experimental")]
- ffi::SSL_GROUP_P256_KYBER768_DRAFT00 => Some(ffi::NID_P256Kyber768Draft00),
- #[cfg(feature = "pq-experimental")]
- ffi::SSL_GROUP_X25519_MLKEM768 => Some(ffi::NID_X25519MLKEM768),
- _ => None,
- }
- .map(SslCurveNid)
- }
-}
-
 /// A compliance policy.
 #[derive(Debug, Copy, Clone, PartialEq, Eq)]
 pub struct CompliancePolicy(ffi::ssl_compliance_policy_t);
@@ -2025,24 +1945,6 @@ impl SslContextBuilder {
 }
 }
 
- /// Sets the context's supported curves.
- #[corresponds(SSL_CTX_set1_curves)]
- pub fn set_curves(&mut self, curves: &[SslCurve]) -> Result<(), ErrorStack> {
- let curves: Vec = curves
- .iter()
- .filter_map(|curve| curve.nid().map(|nid| nid.0))
- .collect();
-
- unsafe {
- cvt_0i(ffi::SSL_CTX_set1_curves(
- self.as_ptr(),
- curves.as_ptr() as *const _,
- curves.len(),
- ))
- .map(|_| ())
- }
- }
-
 /// Sets the context's compliance policy.
 ///
 /// This feature isn't available in the certified version of BoringSSL.
@@ -2887,31 +2789,6 @@ impl SslRef {
 }
 }
 
- /// Sets the ongoing session's supported groups by their named identifiers
- /// (formerly referred to as curves).
- #[corresponds(SSL_set1_groups)]
- pub fn set_group_nids(&mut self, group_nids: &[SslCurveNid]) -> Result<(), ErrorStack> {
- unsafe {
- cvt_0i(ffi::SSL_set1_curves(
- self.as_ptr(),
- group_nids.as_ptr() as *const _,
- group_nids.len(),
- ))
- .map(|_| ())
- }
- }
-
- /// Returns the [`SslCurve`] used for this `SslRef`.
- #[corresponds(SSL_get_curve_id)]
- #[must_use]
- pub fn curve(&self) -> Option {
- let curve_id = unsafe { ffi::SSL_get_curve_id(self.as_ptr()) };
- if curve_id == 0 {
- return None;
- }
- Some(SslCurve(curve_id.into()))
- }
-
 /// Returns an `ErrorCode` value for the most recent operation on this `SslRef`.
 #[corresponds(SSL_get_error)]
 #[must_use]
diff --git a/boring/src/ssl/test/mod.rs b/boring/src/ssl/test/mod.rs
index 0a4f6243..a5d937a4 100644
--- a/boring/src/ssl/test/mod.rs
+++ b/boring/src/ssl/test/mod.rs
@@ -13,9 +13,8 @@ use crate::pkey::PKey;
 use crate::srtp::SrtpProfileId;
 use crate::ssl::test::server::Server;
 use crate::ssl::SslVersion;
-use crate::ssl::{self, SslCurve};
 use crate::ssl::{
- ExtensionType, ShutdownResult, ShutdownState, Ssl, SslAcceptor, SslAcceptorBuilder,
+ self, ExtensionType, ShutdownResult, ShutdownState, Ssl, SslAcceptor, SslAcceptorBuilder,
 SslConnector, SslContext, SslFiletype, SslMethod, SslOptions, SslStream, SslVerifyMode,
 };
 use crate::x509::store::X509StoreBuilder;
@@ -952,36 +951,6 @@ fn sni_callback_swapped_ctx() {
 assert!(CALLED_BACK.load(Ordering::SeqCst));
 }
 
-#[test]
-fn get_curve() {
- let server = Server::builder().build();
- let client = server.client_with_root_ca();
- let client_stream = client.connect();
- let curve = client_stream.ssl().curve().expect("curve");
- assert!(curve.name().is_some());
-}
-
-#[test]
-fn get_curve_name() {
- assert_eq!(SslCurve::SECP224R1.name(), Some("P-224"));
- assert_eq!(SslCurve::SECP256R1.name(), Some("P-256"));
- assert_eq!(SslCurve::SECP384R1.name(), Some("P-384"));
- assert_eq!(SslCurve::SECP521R1.name(), Some("P-521"));
- assert_eq!(SslCurve::X25519.name(), Some("X25519"));
-}
-
-#[test]
-fn set_curves() {
- let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
- ctx.set_curves(&[
- SslCurve::SECP224R1,
- SslCurve::SECP256R1,
- SslCurve::SECP384R1,
- SslCurve::X25519,
- ])
- .expect("Failed to set curves");
-}
-
 #[test]
 fn test_get_ciphers() {
 let ctx_builder = SslContext::builder(SslMethod::tls()).unwrap();