From dded5d4e8c7dcf12db549f362d926e3ee3dcdb49 Mon Sep 17 00:00:00 2001 From: 0x676e67 Date: Wed, 12 Feb 2025 22:49:09 +0800 Subject: [PATCH] Sync `Detailed error codes` and `Clean up boring_sys::init()` (#47) * RTG-3333 Support X25519MLKEM768 by default, but don't sent it as client X25519MLKEM768 is the standardised successor of the preliminary X25519Kyber768Draft00. Latest browsers have switched to X25519MLKEM768. Cloudflare supports both on the edge. We've had support for X25519MLKEM768 in this crate for a while, but didn't enable by default. We're now enabling serverside support by default. We also let clients advertise support when set to kx-client-pq-supported. We don't enable support by default yet for clients set to kx-client-pq-preferred, as that would cause an extra round-trip due to HelloRetryRequest if the server doesn't support X25519MLKEM768 yet. BoringSSL against which we build must support X25519MLKEM768, otherwise this will fail. * replace once_cell with LazyLock We can drop the once_cell dependency since the same functionality is implemented in std now. Requires bumping MSRV to 1.80. * fix manual_c_str_literals clippy warning * chore: Fix docs on SslRef::replace_ex_data * Detailed error codes * Clean up boring_sys::init() We don't need the workaround that was initially introduced for a bug in openssl, and OPENSSL_init_ssl always calls into CRYPTO_library_init on boringssl, so just call it explicitly. --------- Co-authored-by: Bas Westerbaan Co-authored-by: Alessandro Ghedini Co-authored-by: Evan Rittenhouse Co-authored-by: Kornel Co-authored-by: Rushil Mehra --- boring-sys/src/lib.rs | 17 +++-------------- boring/src/error.rs | 13 +++++++++++++ 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/boring-sys/src/lib.rs b/boring-sys/src/lib.rs index c821b3e5..094221ff 100644 --- a/boring-sys/src/lib.rs +++ b/boring-sys/src/lib.rs @@ -48,18 +48,7 @@ pub const fn ERR_GET_REASON(l: c_uint) -> c_int { } pub fn init() { - use std::ptr; - use std::sync::Once; - - // explicitly initialize to work around https://github.com/openssl/openssl/issues/3505 - static INIT: Once = Once::new(); - - let init_options = OPENSSL_INIT_LOAD_SSL_STRINGS; - - INIT.call_once(|| { - assert_eq!( - unsafe { OPENSSL_init_ssl(init_options.try_into().unwrap(), ptr::null_mut()) }, - 1 - ) - }); + unsafe { + CRYPTO_library_init(); + } } diff --git a/boring/src/error.rs b/boring/src/error.rs index fdc3ba9e..9cdc878b 100644 --- a/boring/src/error.rs +++ b/boring/src/error.rs @@ -182,6 +182,12 @@ impl Error { } } + /// Returns the raw OpenSSL error constant for the library reporting the + /// error. + pub fn library_code(&self) -> libc::c_int { + ffi::ERR_GET_LIB(self.code) + } + /// Returns the name of the function reporting the error. pub fn function(&self) -> Option<&'static str> { unsafe { @@ -206,6 +212,11 @@ impl Error { } } + /// Returns the raw OpenSSL error constant for the reason for the error. + pub fn reason_code(&self) -> libc::c_int { + ffi::ERR_GET_REASON(self.code) + } + /// Returns the name of the source file which encountered the error. pub fn file(&self) -> &'static str { unsafe { @@ -235,12 +246,14 @@ impl fmt::Debug for Error { if let Some(library) = self.library() { builder.field("library", &library); } + builder.field("library_code", &self.library_code()); if let Some(function) = self.function() { builder.field("function", &function); } if let Some(reason) = self.reason() { builder.field("reason", &reason); } + builder.field("reason_code", &self.reason_code()); builder.field("file", &self.file()); builder.field("line", &self.line()); if let Some(data) = self.data() {