min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remove `SslCurve` API 

This is incompatible with the latest internal FIPS build. Namely, the
various group identifiers have been renamed since the previous version.
This commit is contained in:
Christopher Patton 2025-09-29 16:10:50 -07:00 committed by Alessandro Ghedini
parent 21735accf8
commit b46d77087e
2 changed files with 1 additions and 155 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

123
boring/src/ssl/mod.rs
View File

@ -695,86 +695,6 @@ impl From<u16> for SslSignatureAlgorithm {
} }
} }
/// Numeric identifier of a TLS curve.
#[repr(transparent)]
#[derive(Debug, Copy, Clone, PartialEq, Eq)]
pub struct SslCurveNid(c_int);
/// A TLS Curve.
#[repr(transparent)]
#[derive(Debug, Copy, Clone, PartialEq, Eq)]
pub struct SslCurve(c_int);
impl SslCurve {
pub const SECP224R1: SslCurve = SslCurve(ffi::SSL_GROUP_SECP224R1 as _);
pub const SECP256R1: SslCurve = SslCurve(ffi::SSL_GROUP_SECP256R1 as _);
pub const SECP384R1: SslCurve = SslCurve(ffi::SSL_GROUP_SECP384R1 as _);
pub const SECP521R1: SslCurve = SslCurve(ffi::SSL_GROUP_SECP521R1 as _);
pub const X25519: SslCurve = SslCurve(ffi::SSL_GROUP_X25519 as _);
pub const X25519_KYBER768_DRAFT00: SslCurve =
SslCurve(ffi::SSL_GROUP_X25519_KYBER768_DRAFT00 as _);
#[cfg(feature = "pq-experimental")]
pub const X25519_KYBER768_DRAFT00_OLD: SslCurve =
SslCurve(ffi::SSL_GROUP_X25519_KYBER768_DRAFT00_OLD as _);
#[cfg(feature = "pq-experimental")]
pub const X25519_KYBER512_DRAFT00: SslCurve =
SslCurve(ffi::SSL_GROUP_X25519_KYBER512_DRAFT00 as _);
#[cfg(feature = "pq-experimental")]
pub const P256_KYBER768_DRAFT00: SslCurve = SslCurve(ffi::SSL_GROUP_P256_KYBER768_DRAFT00 as _);
#[cfg(feature = "pq-experimental")]
pub const X25519_MLKEM768: SslCurve = SslCurve(ffi::SSL_GROUP_X25519_MLKEM768 as _);
/// Returns the curve name
#[corresponds(SSL_get_curve_name)]
#[must_use]
pub fn name(&self) -> Option<&'static str> {
unsafe {
let ptr = ffi::SSL_get_curve_name(self.0 as u16);
if ptr.is_null() {
return None;
}
CStr::from_ptr(ptr).to_str().ok()
}
}
// **NOTE**: This function only exists because the version of boringssl we currently use does
// not expose SSL_CTX_set1_group_ids. Because `SslRef::curve()` returns the public SSL_GROUP id
// as opposed to the internal NID, but `SslContextBuilder::set_curves()` requires the internal
// NID, we need this mapping in place to avoid breaking changes to the public API. Once the
// underlying boringssl version is upgraded, this should be removed in favor of the new
// SSL_CTX_set1_group_ids API.
pub fn nid(&self) -> Option<SslCurveNid> {
match self.0 {
ffi::SSL_GROUP_SECP224R1 => Some(ffi::NID_secp224r1),
ffi::SSL_GROUP_SECP256R1 => Some(ffi::NID_X9_62_prime256v1),
ffi::SSL_GROUP_SECP384R1 => Some(ffi::NID_secp384r1),
ffi::SSL_GROUP_SECP521R1 => Some(ffi::NID_secp521r1),
ffi::SSL_GROUP_X25519 => Some(ffi::NID_X25519),
ffi::SSL_GROUP_X25519_KYBER768_DRAFT00 => Some(ffi::NID_X25519Kyber768Draft00),
#[cfg(feature = "pq-experimental")]
ffi::SSL_GROUP_X25519_KYBER768_DRAFT00_OLD => Some(ffi::NID_X25519Kyber768Draft00Old),
#[cfg(feature = "pq-experimental")]
ffi::SSL_GROUP_X25519_KYBER512_DRAFT00 => Some(ffi::NID_X25519Kyber512Draft00),
#[cfg(feature = "pq-experimental")]
ffi::SSL_GROUP_P256_KYBER768_DRAFT00 => Some(ffi::NID_P256Kyber768Draft00),
#[cfg(feature = "pq-experimental")]
ffi::SSL_GROUP_X25519_MLKEM768 => Some(ffi::NID_X25519MLKEM768),
_ => None,
}
.map(SslCurveNid)
}
}
/// A compliance policy. /// A compliance policy.
#[derive(Debug, Copy, Clone, PartialEq, Eq)] #[derive(Debug, Copy, Clone, PartialEq, Eq)]
pub struct CompliancePolicy(ffi::ssl_compliance_policy_t); pub struct CompliancePolicy(ffi::ssl_compliance_policy_t);
@ -2025,24 +1945,6 @@ impl SslContextBuilder {
} }
} }
/// Sets the context's supported curves.
#[corresponds(SSL_CTX_set1_curves)]
pub fn set_curves(&mut self, curves: &[SslCurve]) -> Result<(), ErrorStack> {
let curves: Vec<i32> = curves
.iter()
.filter_map(|curve| curve.nid().map(|nid| nid.0))
.collect();
unsafe {
cvt_0i(ffi::SSL_CTX_set1_curves(
self.as_ptr(),
curves.as_ptr() as *const _,
curves.len(),
))
.map(|_| ())
}
}
/// Sets the context's compliance policy. /// Sets the context's compliance policy.
/// ///
/// This feature isn't available in the certified version of BoringSSL. /// This feature isn't available in the certified version of BoringSSL.
@ -2887,31 +2789,6 @@ impl SslRef {
} }
} }
/// Sets the ongoing session's supported groups by their named identifiers
/// (formerly referred to as curves).
#[corresponds(SSL_set1_groups)]
pub fn set_group_nids(&mut self, group_nids: &[SslCurveNid]) -> Result<(), ErrorStack> {
unsafe {
cvt_0i(ffi::SSL_set1_curves(
self.as_ptr(),
group_nids.as_ptr() as *const _,
group_nids.len(),
))
.map(|_| ())
}
}
/// Returns the [`SslCurve`] used for this `SslRef`.
#[corresponds(SSL_get_curve_id)]
#[must_use]
pub fn curve(&self) -> Option<SslCurve> {
let curve_id = unsafe { ffi::SSL_get_curve_id(self.as_ptr()) };
if curve_id == 0 {
return None;
}
Some(SslCurve(curve_id.into()))
}
/// Returns an `ErrorCode` value for the most recent operation on this `SslRef`. /// Returns an `ErrorCode` value for the most recent operation on this `SslRef`.
#[corresponds(SSL_get_error)] #[corresponds(SSL_get_error)]
#[must_use] #[must_use]

33
boring/src/ssl/test/mod.rs
View File

@ -13,9 +13,8 @@ use crate::pkey::PKey;
use crate::srtp::SrtpProfileId; use crate::srtp::SrtpProfileId;
use crate::ssl::test::server::Server; use crate::ssl::test::server::Server;
use crate::ssl::SslVersion; use crate::ssl::SslVersion;
use crate::ssl::{self, SslCurve};
use crate::ssl::{ use crate::ssl::{
ExtensionType, ShutdownResult, ShutdownState, Ssl, SslAcceptor, SslAcceptorBuilder, self, ExtensionType, ShutdownResult, ShutdownState, Ssl, SslAcceptor, SslAcceptorBuilder,
SslConnector, SslContext, SslFiletype, SslMethod, SslOptions, SslStream, SslVerifyMode, SslConnector, SslContext, SslFiletype, SslMethod, SslOptions, SslStream, SslVerifyMode,
}; };
use crate::x509::store::X509StoreBuilder; use crate::x509::store::X509StoreBuilder;
@ -952,36 +951,6 @@ fn sni_callback_swapped_ctx() {
assert!(CALLED_BACK.load(Ordering::SeqCst)); assert!(CALLED_BACK.load(Ordering::SeqCst));
} }
#[test]
fn get_curve() {
let server = Server::builder().build();
let client = server.client_with_root_ca();
let client_stream = client.connect();
let curve = client_stream.ssl().curve().expect("curve");
assert!(curve.name().is_some());
}
#[test]
fn get_curve_name() {
assert_eq!(SslCurve::SECP224R1.name(), Some("P-224"));
assert_eq!(SslCurve::SECP256R1.name(), Some("P-256"));
assert_eq!(SslCurve::SECP384R1.name(), Some("P-384"));
assert_eq!(SslCurve::SECP521R1.name(), Some("P-521"));
assert_eq!(SslCurve::X25519.name(), Some("X25519"));
}
#[test]
fn set_curves() {
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
ctx.set_curves(&[
SslCurve::SECP224R1,
SslCurve::SECP256R1,
SslCurve::SECP384R1,
SslCurve::X25519,
])
.expect("Failed to set curves");
}
#[test] #[test]
fn test_get_ciphers() { fn test_get_ciphers() {
let ctx_builder = SslContext::builder(SslMethod::tls()).unwrap(); let ctx_builder = SslContext::builder(SslMethod::tls()).unwrap();