min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
3,514 Commits 2 Branches 0 Tags 16 MiB
Commit Graph

330 Commits

Author SHA1 Message Date
0x676e67 5ddfb2e097
chore(ssl): remove deprecated code (#98) 2025-10-21 13:15:12 +08:00
0x676e67 231010c0cb Merge remote-tracking branch 'upstream/master' 2025-10-21 12:35:13 +08:00
Christopher Patton 5cd912df1d Remove "pq-experimental", apply PQ patch by default 
Users can override the new default behavior in the usual way. The
expectation is that the build of BoringSSL they provide the feature set
implemented by the patch.
 2025-10-15 10:36:27 +01:00
Kornel 77f612c16c Simplify Error::reason() 2025-10-15 10:35:38 +01:00
Kornel 75ef523230 Safer CryptoBufferBuilder::build 2025-10-02 17:55:21 +01:00
Kornel 5957ce94cc ErrorStack ctor for custom errors 2025-10-02 17:55:21 +01:00
Kornel e3998212ed Fix string data conversion in ErrorStack::put() 2025-10-02 17:55:21 +01:00
Apoorv Kothari 353ea62c17 Convert CipherCtx fns into a safe abstraction. Additional testing. 2025-10-01 11:00:57 +01:00
Kornel 8773f0e1fa Use Ref foreign type instead of forgetting 2025-10-01 11:00:57 +01:00
Apoorv Kothari ab8513ef8f Expose a safe Rust interface for the session resumption callback 2025-10-01 11:00:57 +01:00
Kornel ac1d71cb54 Use MaybeUninit for raw_ticket_key key/iv 2025-10-01 11:00:57 +01:00
Apoorv Kothari 5cb35db989 initialize key_name and iv. mark fn as _unsafe to allow for future changes to the api 2025-10-01 11:00:57 +01:00
Apoorv Kothari b9af0ef176 clippy 2025-10-01 11:00:57 +01:00
Apoorv Kothari ba85fbb7ad simplify tests 2025-10-01 11:00:57 +01:00
Apoorv Kothari f526b57daa update documentation 2025-10-01 11:00:57 +01:00
Apoorv Kothari ae783f8273 add test case for TicketKeyCallbackResult::Noop 2025-10-01 11:00:57 +01:00
Apoorv Kothari ea1d120912 pr comments: safety, receive multiple nst, return status refactor 2025-10-01 11:00:57 +01:00
Apoorv Kothari c49282f112 Add set_ticket_key_callback (SSL_CTX_set_tlsext_ticket_key_cb) 
Add a wrapper for the `SSL_CTX_set_tlsext_ticket_key_cb`, which allows
consumers to configure the EVP_CIPHER_CTX and HMAC_CTX used for
encrypting/decrypting session tickets.

See https://docs.openssl.org/1.0.2/man3/SSL_CTX_set_tlsext_ticket_key_cb/
for more details.
 2025-10-01 11:00:57 +01:00
Alessandro Ghedini b3521e5523 Add SslRef::curve_name() 2025-09-30 16:57:59 +01:00
Kornel 4ce1308e1c Make rpk feature flag additive 2025-09-30 16:45:49 +01:00
Christopher Patton 1c51c7ee3b Add back the `curve()` method on `SslRef` 
Instead of returning an `SslCurve`, just return the `u16` returned by
BoringSSL.
 2025-09-30 16:14:54 +01:00
Christopher Patton 7078f61077 Remove outdated comments on FIPS API compatibility 2025-09-30 16:14:54 +01:00
Christopher Patton b46d77087e Remove `SslCurve` API 
This is incompatible with the latest internal FIPS build. Namely, the
various group identifiers have been renamed since the previous version.
 2025-09-30 16:14:54 +01:00
Christopher Patton 72dabe1d85 Remove the "kx-*" features 
The "kx-*" features control default key exchange preferences. Its
implementation requires disabling APIs for manually setting curve
preferences via `set_curves()` or `set_curves_list()`.

In practice, most teams need to be able to override default preferences
at runtime anyway, which means these features were never really used.
This commit gets rid of them, thereby reducing some complexity in the
API.
 2025-09-30 09:36:33 +01:00
Rushil Mehra 646ae33c61 X509Builder::append_extension2 -> X509Builder::append_extension 2025-09-26 17:38:53 +01:00
Rushil Mehra 8abba360d3 `Ssl::new_from_ref` -> `Ssl::new()` 2025-09-26 17:38:53 +01:00
Rushil Mehra 0fc992bd76 Align SslStream APIs with upstream 
SslStream::new() is fallible, but `SslStream::from_raw_parts()` and
`SslStreamBuilder::new()` now unwrap. Upstream has also deprecated the
`SslStreamBuilder`, maybe we should do the same.
 2025-09-26 17:38:53 +01:00
Alessandro Ghedini 4cb7e260a8 Clean-up legacy FIPS options 
Per BoringSSL's FIPS policy, its `main` branch is the "update branch"
for FedRAMP compliance's purposes.

This means that we can stop using a specific BoringSSL branch when
enabling FIPS, as well as a number of hacks that allowed us to build
more recent BoringSSL versions with an older pre-compiled FIPS modules.

This also required slightly updating the main BoringSSL submodule, as
the previous version had an issue when building with the FIPS option
enabled. This is turn required some changes to the PQ patch as well as
some APIs that don't seem to be exposed publicly, as well as changing
some paths in the other patches.

In order to allow a smooth upgrade of internal projects, the `fips-compat`
feature is reduced in scope and renamed to `legacy-compat-deprecated` so
that we can incrementally upgrade internal BoringSSL forks. In practice
this shouldn't really be something anyone else would need, since in
order to work it requires a specific mix of BoringSSL version and
backported patches.
 2025-09-26 17:12:23 +01:00
Kornel 78b8ceaf10 Add more reliable library_reason() 2025-09-26 14:17:31 +01:00
Kornel 9bad96e48b Style nits 2025-09-26 13:33:19 +01:00
Kornel 79338a99ea CStr UTF-8 improvements 2025-09-26 10:55:46 +01:00
0x676e67 2f94005cf0
feat: Add `set_preserve_tls13_cipher_list` method to `SslContextBuilder` (#97) 
* feat: Add set_preserve_tls13_cipher_list method to `SslContextBuilder`

* Update boring/src/ssl/mod.rs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2025-09-19 18:59:00 +08:00
0x676e67 219a6bccea Merge remote-tracking branch 'upstream/master' 2025-09-08 17:00:51 +08:00
Evan Rittenhouse 963425eb82 Add binding for X509_check_ip_asc 
The binding corresponds to
https://boringssl.googlesource.com/boringssl.git/+/refs/heads/master/include/openssl/x509.h#4690.

To see the SANs covered by the specified cert, use:

```shell
❯ openssl x509 -in ./boring/test/alt_name_cert.pem -noout -text | grep -A1 "Subject Alternative Name"
            X509v3 Subject Alternative Name:
                DNS:example.com, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, email:test@example.com, URI:http://www.example.com
```
 2025-09-05 10:23:00 +01:00
0x676e67 197b9fcb5c Merge remote-tracking branch 'upstream/master' 2025-09-04 16:20:35 +08:00
Kornel 50fa2e672f Use ERR_clear_error 2025-09-03 17:24:30 +01:00
Kornel a91bfdc67d Error descriptions and docs 2025-09-03 17:24:30 +01:00
Kornel 8d77a5d40e Boring doesn't use function codes 2025-09-03 17:24:30 +01:00
Kornel 3de1385660 Fix doc links 2025-09-03 17:24:22 +01:00
Kornel a264df22fa Clippy 2025-08-29 10:51:09 -07:00
0x676e67 d0103d9a55
boring-sys: Implement `MLKEM1024` for TLS (#93) 
* boring-sys: Implement MLKEM1024 for TLS

* clippy fix
 2025-08-21 08:09:09 +08:00
0x676e67 8ec7576cf4
feat: Add Hash impls for extension types (#84) 2025-07-06 17:59:49 +08:00
0x676e67 3a32ea51f7 docs(connector): update documents 2025-06-21 19:54:17 +08:00
0x676e67 590cef9b1f docs: update prefer chacha20 option docs 2025-06-18 22:16:46 +08:00
0x676e67 afde990c6b docs: update prefer chacha20 option docs 2025-06-18 22:15:44 +08:00
0x676e67 eaf49e631e
feat(boring): sync updated extension permutation patch (#80) 2025-06-18 12:36:34 +08:00
0x676e67 4ba97ba54e
chore(boring): Remove deprecated or outdated APIs (#79) 2025-06-17 23:19:52 +08:00
0x676e67 f08c7cf8b7
test(boring): fix ech test (#77) 2025-06-17 22:26:23 +08:00
0x676e67 f4419dc416 revert(boring): Restore `src/x509/store.rs` to match upstream 2025-06-17 20:22:42 +08:00
0x676e67 e04066ee46 Merge remote-tracking branch 'upstream/master' 2025-06-17 20:16:49 +08:00