Bump BoringSSL submodule to 4a3cda40b (API version 40)#507
Open
johnhurt wants to merge 1 commit into
Update the BoringSSL submodule from 91a66a59b (API version 37) to
4a3cda40b965bbda7cebf86e35c1ed6890ebcc34 (API version 40), moving the
dependency forward by 653 commits.
Changes:
boring-pq.patch:
Updated context lines in crypto/obj/obj_dat.h and tool/client.cc to
match the new BoringSSL source.
rpk.patch removed:
Raw Public Key (RPK) support is now native to upstream BoringSSL as
of this version, so the Cloudflare-maintained patch is no longer
needed. The upstream implementation provides equivalent functionality
under different API names:
SSL_CREDENTIAL_new_raw_public_key(void) -> SSL_CREDENTIAL_new_raw_public_key(EVP_PKEY*)
SSL_get0_peer_pubkey -> SSL_get0_peer_rpk
SSL_CTX_set_server_certificate_types -> SSL_CTX_set1_accepted_peer_cert_types
SSL_set_server_certificate_types -> SSL_set1_accepted_peer_cert_types
SSL_get_server_certificate_type_selected -> SSL_get_peer_cert_type
TLS_CERTIFICATE_TYPE_X509 -> TLSEXT_cert_type_x509
TLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY -> TLSEXT_cert_type_rpk
SSL_CREDENTIAL_set1_spki has no upstream equivalent; the upstream
constructor takes EVP_PKEY* directly, so set_spki_bytes is removed
from the Rust API.
SSL_CTX_get0_server_certificate_types and
SSL_get0_server_certificate_types have no upstream equivalent and
are removed from the Rust API.
The rpk Cargo feature flag is preserved and continues to gate the
Rust API surface.
boring-sys/Cargo.toml:
Added *.cpp and *.in to the include list for cargo publish, as the
new BoringSSL version includes third_party/benchmark files that use
these extensions.
Collaborator
I believe this is largely a duplicate of #499. Key differences:
Also, @kornelski asked us to hold off on upgrading boring until we resolve more internal blockers for bumping boring 4 to 5. The main one is quiche, which we have a PR for that is still under review: cloudflare/quiche#2446
Contributor
Author
I see. Yeah, maintaining the Rust API is a good call. I can confirm that ML-DSA works with the BoringSSL commit I am setting here, but only barely. I know the commits 2 weeks prior did not work.
Update the BoringSSL submodule from 91a66a59b (API version 37) to 4a3cda40b (API version 40), moving the dependency forward by 653 commits.

Changes

boring-pq.patch

Updated context lines in crypto/obj/obj_dat.h and tool/client.cc to match the new BoringSSL source.

rpk.patch removed

Raw Public Key (RPK) support is now native to upstream BoringSSL as of this version, so the patch is no longer needed. The upstream implementation provides equivalent functionality under different API names:

SSL_CREDENTIAL_new_raw_public_key(void) -> SSL_CREDENTIAL_new_raw_public_key(EVP_PKEY*)
SSL_get0_peer_pubkey -> SSL_get0_peer_rpk
SSL_CTX_set_server_certificate_types -> SSL_CTX_set1_accepted_peer_cert_types
SSL_set_server_certificate_types -> SSL_set1_accepted_peer_cert_types
SSL_get_server_certificate_type_selected -> SSL_get_peer_cert_type
TLS_CERTIFICATE_TYPE_X509 -> TLSEXT_cert_type_x509
TLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY -> TLSEXT_cert_type_rpk

Removed from Rust API (no upstream equivalent):

SslCredentialBuilder::set_spki_bytes: upstream constructor takes EVP_PKEY* directly
SslContextRef::server_certificate_types: no getter in upstream
SslRef::server_certificate_types: no getter in upstream

Breaking change:

SslCredential::new_raw_public_key() now takes &PKeyRef<Private> instead of no arguments.

The rpk Cargo feature flag is preserved and continues to gate the Rust API surface.

boring-sys/Cargo.toml

Added *.cpp and *.in to the include list for cargo publish, as the new BoringSSL version includes third_party/benchmark files that use these extensions.