Kornel
77f612c16c
Simplify Error::reason()
2025-10-15 10:35:38 +01:00
Kornel
75ef523230
Safer CryptoBufferBuilder::build
2025-10-02 17:55:21 +01:00
Kornel
5957ce94cc
ErrorStack ctor for custom errors
2025-10-02 17:55:21 +01:00
Kornel
e3998212ed
Fix string data conversion in ErrorStack::put()
2025-10-02 17:55:21 +01:00
Apoorv Kothari
353ea62c17
Convert CipherCtx fns into a safe abstraction. Additional testing.
2025-10-01 11:00:57 +01:00
Kornel
8773f0e1fa
Use Ref foreign type instead of forgetting
2025-10-01 11:00:57 +01:00
Apoorv Kothari
ab8513ef8f
Expose a safe Rust interface for the session resumption callback
2025-10-01 11:00:57 +01:00
Kornel
ac1d71cb54
Use MaybeUninit for raw_ticket_key key/iv
2025-10-01 11:00:57 +01:00
Apoorv Kothari
5cb35db989
initialize key_name and iv. mark fn as _unsafe to allow for future changes to the api
2025-10-01 11:00:57 +01:00
Apoorv Kothari
b9af0ef176
clippy
2025-10-01 11:00:57 +01:00
Apoorv Kothari
ba85fbb7ad
simplify tests
2025-10-01 11:00:57 +01:00
Apoorv Kothari
f526b57daa
update documentation
2025-10-01 11:00:57 +01:00
Apoorv Kothari
ae783f8273
add test case for TicketKeyCallbackResult::Noop
2025-10-01 11:00:57 +01:00
Apoorv Kothari
ea1d120912
pr comments: safety, receive multiple nst, return status refactor
2025-10-01 11:00:57 +01:00
Apoorv Kothari
c49282f112
Add set_ticket_key_callback (SSL_CTX_set_tlsext_ticket_key_cb)
Add a wrapper for the `SSL_CTX_set_tlsext_ticket_key_cb`, which allows
consumers to configure the EVP_CIPHER_CTX and HMAC_CTX used for
encrypting/decrypting session tickets.
See https://docs.openssl.org/1.0.2/man3/SSL_CTX_set_tlsext_ticket_key_cb/
for more details.
2025-10-01 11:00:57 +01:00
Alessandro Ghedini
b3521e5523
Add SslRef::curve_name()
2025-09-30 16:57:59 +01:00
Kornel
4ce1308e1c
Make rpk feature flag additive
2025-09-30 16:45:49 +01:00
Christopher Patton
1c51c7ee3b
Add back the `curve()` method on `SslRef`
Instead of returning an `SslCurve`, just return the `u16` returned by
BoringSSL.
2025-09-30 16:14:54 +01:00
Christopher Patton
7078f61077
Remove outdated comments on FIPS API compatibility
2025-09-30 16:14:54 +01:00
Christopher Patton
b46d77087e
Remove `SslCurve` API
This is incompatible with the latest internal FIPS build. Namely, the
various group identifiers have been renamed since the previous version.
2025-09-30 16:14:54 +01:00
Bas Westerbaan
21735accf8
pq: fix MSVC C4146 warning
2025-09-30 16:22:47 +02:00
Christopher Patton
72dabe1d85
Remove the "kx-*" features
The "kx-*" features control default key exchange preferences. Their
implementation requires disabling APIs for manually setting curve
preferences via `set_curves()` or `set_curves_list()`.
In practice, most teams need to be able to override default preferences
at runtime anyway, which means these features were never really used.
This commit gets rid of them, thereby reducing some complexity in the
API.
2025-09-30 09:36:33 +01:00
Rushil Mehra
646ae33c61
X509Builder::append_extension2 -> X509Builder::append_extension
2025-09-26 17:38:53 +01:00
Rushil Mehra
8abba360d3
`Ssl::new_from_ref` -> `Ssl::new()`
2025-09-26 17:38:53 +01:00
Rushil Mehra
0fc992bd76
Align SslStream APIs with upstream
SslStream::new() is fallible, but `SslStream::from_raw_parts()` and
`SslStreamBuilder::new()` now unwrap. Upstream has also deprecated the
`SslStreamBuilder`, maybe we should do the same.
2025-09-26 17:38:53 +01:00
Alessandro Ghedini
4cb7e260a8
Clean-up legacy FIPS options
Per BoringSSL's FIPS policy, its `main` branch is the "update branch"
for FedRAMP compliance's purposes.
This means that we can stop using a specific BoringSSL branch when
enabling FIPS, as well as a number of hacks that allowed us to build
more recent BoringSSL versions with older pre-compiled FIPS modules.
This also required slightly updating the main BoringSSL submodule, as
the previous version had an issue when building with the FIPS option
enabled. This in turn required some changes to the PQ patch as well as
some APIs that don't seem to be exposed publicly, as well as changing
some paths in the other patches.
In order to allow a smooth upgrade of internal projects, the `fips-compat`
feature is reduced in scope and renamed to `legacy-compat-deprecated` so
that we can incrementally upgrade internal BoringSSL forks. In practice
this shouldn't really be something anyone else would need, since in
order to work it requires a specific mix of BoringSSL version and
backported patches.
2025-09-26 17:12:23 +01:00
Kornel
78b8ceaf10
Add more reliable library_reason()
2025-09-26 14:17:31 +01:00
Kornel
974c3d2db0
Ensure that ERR_LIB type can be named
2025-09-26 14:17:31 +01:00
Alessandro Ghedini
b4bf601394
Remove support for Hyper v0
2025-09-26 13:46:44 +01:00
Kornel
c3f33f0ea1
Upgrade deps
2025-09-26 13:34:13 +01:00
Kornel
3116032a83
Skip Rust version detection for bindgen
2025-09-26 13:34:13 +01:00
Kornel
9bad96e48b
Style nits
2025-09-26 13:33:19 +01:00
Kornel
fa9df8081d
Deprecated GHA feature
2025-09-26 13:20:26 +01:00
Kornel
4814eb8547
Ensure rustfmt and clippy are available
2025-09-26 13:20:26 +01:00
Kornel
a50a39fde7
Support TARGET_CC and CC_{target}
2025-09-26 10:57:01 +01:00
Kornel
21f2885be3
Fix swapped host/target args
2025-09-26 10:57:01 +01:00
Kornel
79338a99ea
CStr UTF-8 improvements
2025-09-26 10:55:46 +01:00
Evan Rittenhouse
330bf825d4
Release 4.19.0 (#382)
2025-09-05 12:13:20 -07:00
Evan Rittenhouse
963425eb82
Add binding for X509_check_ip_asc
The binding corresponds to
https://boringssl.googlesource.com/boringssl.git/+/refs/heads/master/include/openssl/x509.h#4690 .
To see the SANs covered by the specified cert, use:
```shell
❯ openssl x509 -in ./boring/test/alt_name_cert.pem -noout -text | grep -A1 "Subject Alternative Name"
X509v3 Subject Alternative Name:
DNS:example.com, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, email:test@example.com, URI:http://www.example.com
```
2025-09-05 10:23:00 +01:00
Kornel
50fa2e672f
Use ERR_clear_error
2025-09-03 17:24:30 +01:00
Kornel
a91bfdc67d
Error descriptions and docs
2025-09-03 17:24:30 +01:00
Kornel
8d77a5d40e
Boring doesn't use function codes
2025-09-03 17:24:30 +01:00
Kornel
c5045fb6b4
Fix patched docs.rs builds
2025-09-03 17:24:22 +01:00
Kornel
8966ca27b7
Test docs.rs docs
2025-09-03 17:24:22 +01:00
Kornel
3de1385660
Fix doc links
2025-09-03 17:24:22 +01:00
Kornel
404a753921
Bump
2025-08-29 19:45:01 +01:00
Kornel
a264df22fa
Clippy
2025-08-29 10:51:09 -07:00
Harry Stern
26ac58b2bd
Remove some comments referring to OpenSSL
Signed-off-by: Harry Stern <hstern@cloudflare.com>
2025-07-21 09:39:25 -07:00
Kornel
0ca11b5680
Use cargo:warning for warnings
2025-06-13 15:06:50 +02:00
Kornel
8d5fba3767
Don't link binaries on docs.rs
2025-06-13 15:06:50 +02:00