diff --git a/boring-sys/Cargo.toml b/boring-sys/Cargo.toml index 675a02f34..9d2db4d70 100644 --- a/boring-sys/Cargo.toml +++ b/boring-sys/Cargo.toml @@ -33,6 +33,8 @@ include = [ "/deps/boringssl/crypto/err/*.errordata", "/deps/boringssl/**/*.bzl", "/deps/boringssl/**/*.cc", + "/deps/boringssl/**/*.cpp", + "/deps/boringssl/**/*.in", "/deps/boringssl/**/CMakeLists.txt", "/deps/boringssl/**/sources.cmake", "/deps/boringssl/**/util/go_tests.txt", diff --git a/boring-sys/build/config.rs b/boring-sys/build/config.rs index 108a439d8..4c1973dad 100644 --- a/boring-sys/build/config.rs +++ b/boring-sys/build/config.rs @@ -107,7 +107,7 @@ impl Config { ); } - let features_with_patches_enabled = self.features.rpk || self.features.underscore_wildcards; + let features_with_patches_enabled = self.features.underscore_wildcards; let patches_required = features_with_patches_enabled && !self.env.assume_patched; diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs index d192a0f8c..692795726 100644 --- a/boring-sys/build/main.rs +++ b/boring-sys/build/main.rs @@ -443,13 +443,10 @@ fn ensure_patches_applied(config: &Config) -> io::Result<()> { native BoringSSL is expected to have the patches included" ); return Ok(()); - } else if config.env.source_path.is_some() - && (config.features.rpk || config.features.underscore_wildcards) - { + } else if config.env.source_path.is_some() && config.features.underscore_wildcards { panic!( "BORING_BSSL_ASSUME_PATCHED must be set when setting - BORING_BSSL_SOURCE_PATH and using any of the following - features: rpk, underscore-wildcards" + BORING_BSSL_SOURCE_PATH and using the underscore-wildcards feature" ); } 
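Review bot: In the first `boring-sys/build/main.rs` hunk, the `BORING_BSSL_SOURCE_PATH` branch of `ensure_patches_applied` no longer stops a build that enables `rpk` against an external tree, and nothing tells the user that such a tree must already provide raw-public-key support natively. If the tree predates that support, the failure presumably surfaces only later, as a missing `SSL_CREDENTIAL_new_raw_public_key` binding. A comment above the branch would record the requirement, for example `// rpk needs no patch, but a BORING_BSSL_SOURCE_PATH tree must be recent enough to ship it natively`. The `boring-sys/build/config.rs` hunk makes the matching change to `features_with_patches_enabled`, and the function body starts and ends outside this hunk.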
@@ -467,10 +464,7 @@ fn ensure_patches_applied(config: &Config) -> io::Result<()> { println!("cargo:warning=applying post quantum crypto patch to boringssl"); apply_patch(config, "boring-pq.patch")?; - if config.features.rpk { - println!("cargo:warning=applying RPK patch to boringssl"); - apply_patch(config, "rpk.patch")?; - } + // RPK support is now native to BoringSSL; no patch needed. if config.features.underscore_wildcards { println!("cargo:warning=applying underscore wildcards patch to boringssl"); diff --git a/boring-sys/deps/boringssl b/boring-sys/deps/boringssl index 91a66a59b..4a3cda40b 160000 --- a/boring-sys/deps/boringssl +++ b/boring-sys/deps/boringssl @@ -1 +1 @@ -Subproject commit 91a66a59b6c1435120ff83e245d7719411294386 +Subproject commit 4a3cda40b965bbda7cebf86e35c1ed6890ebcc34 diff --git a/boring-sys/patches/boring-pq.patch b/boring-sys/patches/boring-pq.patch index f0aa1ea26..da0e35146 100644 --- a/boring-sys/patches/boring-pq.patch +++ b/boring-sys/patches/boring-pq.patch 
@@ -1,56 +1,17 @@ -From cb5689e091f515fc8a42ceaff08d702333e505ed Mon Sep 17 00:00:00 2001 -From: Anthony Ramine -Date: Wed, 3 Dec 2025 11:10:16 +0100 -Subject: [PATCH] Add additional post-quantum key agreements - -This patch adds: - -1. Enable X25519MLKEM768 by default. - -2. Supports for P256Kyber768Draft00 under 0xfe32, which we temporarily - need for compliance reasons. (Note that this is not the codepoint - allocated for that exchange in the IANA table.) - Enables by default and in FIPS mode. - -3. Add SSL(_CTX)_use_second_keyshare. By default BoringSSL will send a - non post-quantum and a post-quantum keyshare if available. These - functions allow one to change the behaviour to only send a single - keyshare. ---- - crypto/obj/obj_dat.h | 6 +- - crypto/obj/obj_mac.num | 1 + - crypto/obj/objects.txt | 1 + - include/openssl/nid.h | 3 + - include/openssl/ssl.h | 15 ++++ - ssl/extensions.cc | 26 ++++--- - ssl/internal.h | 12 ++- - ssl/ssl_key_share.cc | 111 +++++++++++++++++++++++++++- - ssl/ssl_lib.cc | 16 +++- - ssl/ssl_test.cc | 19 ++++- - ssl/test/runner/basic_tests.go | 2 + - ssl/test/runner/cbc_tests.go | 3 + - ssl/test/runner/common.go | 2 +- - ssl/test/runner/curve_tests.go | 28 +++---- - ssl/test/runner/ech_tests.go | 24 +++++- - ssl/test/runner/extension_tests.go | 3 +- - ssl/test/runner/key_update_tests.go | 6 +- - tool/client.cc | 9 +++ - 18 files changed, 245 insertions(+), 42 deletions(-) - diff --git a/crypto/obj/obj_dat.h b/crypto/obj/obj_dat.h -index d8b86dcd2..6dd49ec36 100644 +index 10ad9bb14..3fe6fdec6 100644 --- a/crypto/obj/obj_dat.h 
+++ b/crypto/obj/obj_dat.h -@@ -15,7 +15,7 @@ - // This file is generated by crypto/obj/objects.go. +@@ -16,7 +16,7 @@ + BSSL_NAMESPACE_BEGIN -#define NUM_NID 971 +#define NUM_NID 972 static const uint8_t kObjectData[] = { /* NID_rsadsi */ -@@ -8799,6 +8799,8 @@ static const ASN1_OBJECT kObjects[NUM_NID] = { +@@ -8800,6 +8800,8 @@ static const ASN1_OBJECT kObjects[NUM_NID] = { {"id-ml-dsa-87", "ML-DSA-87", NID_ML_DSA_87, 9, &kObjectData[6223], 0}, {"id-alg-ml-kem-768", "ML-KEM-768", NID_ML_KEM_768, 9, &kObjectData[6232], 0}, @@ -59,7 +20,7 @@ index d8b86dcd2..6dd49ec36 100644 }; static const uint16_t kNIDsInShortNameOrder[] = { -@@ -8931,6 +8933,7 @@ static const uint16_t kNIDsInShortNameOrder[] = { +@@ -8932,6 +8934,7 @@ static const uint16_t kNIDsInShortNameOrder[] = { 18 /* OU */, 749 /* Oakley-EC2N-3 */, 750 /* Oakley-EC2N-4 */, @@ -67,7 +28,7 @@ index d8b86dcd2..6dd49ec36 100644 9 /* PBE-MD2-DES */, 168 /* PBE-MD2-RC2-64 */, 10 /* PBE-MD5-DES */, -@@ -9854,6 +9857,7 @@ static const uint16_t kNIDsInLongNameOrder[] = { +@@ -9855,6 +9858,7 @@ static const uint16_t kNIDsInLongNameOrder[] = { 366 /* OCSP Nonce */, 371 /* OCSP Service Locator */, 180 /* OCSP Signing */, @@ -111,10 +72,10 @@ index 83a1cf592..7265f15f6 100644 #if defined(__cplusplus) } /* extern C */ diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h -index ff68ba69e..0730e769a 100644 +index 453318b92..2740469fb 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h -@@ -2550,6 +2550,7 @@ OPENSSL_EXPORT size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx); +@@ -2582,6 +2582,7 @@ OPENSSL_EXPORT size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx); #define SSL_GROUP_X25519_MLKEM768 0x11ec #define SSL_GROUP_X25519_KYBER768_DRAFT00 0x6399 #define SSL_GROUP_MLKEM1024 0x0202 
@@ -122,7 +83,7 @@ index ff68ba69e..0730e769a 100644 // SSL_CTX_set1_group_ids sets the preferred groups for |ctx| to |group_ids|. // Each element of |group_ids| should be a unique one of the |SSL_GROUP_*| -@@ -5964,6 +5965,20 @@ OPENSSL_EXPORT int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves); +@@ -6202,6 +6203,20 @@ OPENSSL_EXPORT int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves); // SSL_set1_curves_list calls |SSL_set1_groups_list|. OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves); @@ -144,10 +105,10 @@ index ff68ba69e..0730e769a 100644 // |SSL_get_negotiated_group| to return an unrecognized group. BoringSSL never // returns this value, but we define this constant for compatibility. diff --git a/ssl/extensions.cc b/ssl/extensions.cc -index c5f90688c..e0514fed3 100644 +index 50ce434bf..503cb1a22 100644 --- a/ssl/extensions.cc +++ b/ssl/extensions.cc -@@ -101,6 +101,7 @@ static bool tls1_check_duplicate_extensions(const CBS *cbs) { +@@ -106,6 +106,7 @@ static bool tls1_check_duplicate_extensions(const CBS *cbs) { static bool is_post_quantum_group(uint16_t id) { switch (id) { case SSL_GROUP_X25519_KYBER768_DRAFT00: @@ -155,7 +116,7 @@ index c5f90688c..e0514fed3 100644 case SSL_GROUP_X25519_MLKEM768: case SSL_GROUP_MLKEM1024: return true; -@@ -2241,18 +2242,21 @@ bool ssl_setup_key_shares(SSL_HANDSHAKE *hs, uint16_t override_group_id) { +@@ -2418,18 +2419,21 @@ bool ssl_setup_key_shares(SSL_HANDSHAKE *hs, uint16_t override_group_id) { if (!default_key_shares.TryPushBack(supported_group_list[0])) { return false; } @@ -189,10 +150,10 @@ index c5f90688c..e0514fed3 100644 selected_key_shares.emplace(default_key_shares); } diff --git a/ssl/internal.h b/ssl/internal.h -index a69505b47..1f5ce51e6 100644 +index 4d86a6170..1c0d9f2fd 100644 --- a/ssl/internal.h 
+++ b/ssl/internal.h -@@ -955,7 +955,7 @@ struct NamedGroup { +@@ -913,7 +913,7 @@ struct NamedGroup { Span NamedGroups(); // kNumNamedGroups is the number of supported groups. @@ -201,7 +162,7 @@ index a69505b47..1f5ce51e6 100644 // DefaultSupportedGroupIds returns the list of IDs for the default groups that // are supported when the caller hasn't explicitly configured supported groups. -@@ -3388,6 +3388,11 @@ struct SSL_CONFIG { +@@ -3512,6 +3512,11 @@ struct SSL_CONFIG { // permute_extensions is whether to permute extensions when sending messages. bool permute_extensions : 1; @@ -213,7 +174,7 @@ index a69505b47..1f5ce51e6 100644 // aes_hw_override if set indicates we should override checking for aes // hardware support, and use the value in aes_hw_override_value instead. bool aes_hw_override : 1; -@@ -4015,6 +4020,11 @@ struct ssl_ctx_st : public bssl::RefCounted { +@@ -4149,6 +4154,11 @@ struct ssl_ctx_st : public bssl::RefCounted { // permute_extensions is whether to permute extensions when sending messages. bool permute_extensions : 1; @@ -371,10 +332,10 @@ index d155b5527..4fb08906b 100644 return nullptr; } diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc -index f64b103fb..fe5bb9bc7 100644 +index de4e79efc..4ca2e799d 100644 --- a/ssl/ssl_lib.cc +++ b/ssl/ssl_lib.cc -@@ -397,6 +397,7 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method) +@@ -385,6 +385,7 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method) channel_id_enabled(false), grease_enabled(false), permute_extensions(false), @@ -382,7 +343,7 @@ index f64b103fb..fe5bb9bc7 100644 allow_unknown_alpn_protos(false), false_start_allowed_without_alpn(false), handoff(false), -@@ -527,6 +528,7 @@ SSL *SSL_new(SSL_CTX *ctx) { +@@ -517,6 +518,7 @@ SSL *SSL_new(SSL_CTX *ctx) { ssl->config->retain_only_sha256_of_client_certs = ctx->retain_only_sha256_of_client_certs; ssl->config->permute_extensions = ctx->permute_extensions; 
@@ -390,7 +351,7 @@ index f64b103fb..fe5bb9bc7 100644 ssl->config->aes_hw_override = ctx->aes_hw_override; ssl->config->aes_hw_override_value = ctx->aes_hw_override_value; ssl->config->compliance_policy = ctx->compliance_policy; -@@ -586,6 +588,7 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg) +@@ -582,6 +584,7 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg) jdk11_workaround(false), quic_use_legacy_codepoint(false), permute_extensions(false), @@ -398,7 +359,7 @@ index f64b103fb..fe5bb9bc7 100644 alps_use_new_codepoint(true) { assert(ssl); } -@@ -3331,6 +3334,15 @@ int SSL_set1_curves_list(SSL *ssl, const char *curves) { +@@ -3372,6 +3375,15 @@ int SSL_set1_curves_list(SSL *ssl, const char *curves) { return SSL_set1_groups_list(ssl, curves); } @@ -414,7 +375,7 @@ index f64b103fb..fe5bb9bc7 100644 namespace fips202205 { // (References are to SP 800-52r2): -@@ -3342,7 +3354,9 @@ namespace fips202205 { +@@ -3383,7 +3395,9 @@ namespace fips202205 { // Section 3.3.1 // "The server shall be configured to only use cipher suites that are // composed entirely of NIST approved algorithms" @@ -426,10 +387,10 @@ index f64b103fb..fe5bb9bc7 100644 static const uint16_t kSigAlgs[] = { SSL_SIGN_RSA_PKCS1_SHA256, diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc -index 779a2c37a..36a0cab3b 100644 +index 7a6da95fc..7e934b854 100644 --- a/ssl/ssl_test.cc +++ b/ssl/ssl_test.cc -@@ -506,6 +506,14 @@ static const CurveTest kCurveTests[] = { +@@ -522,6 +522,14 @@ static const CurveTest kCurveTests[] = { "MLKEM1024:X25519MLKEM768", {SSL_GROUP_MLKEM1024, SSL_GROUP_X25519_MLKEM768}, }, @@ -444,7 +405,7 @@ index 779a2c37a..36a0cab3b 100644 { "P-256:P-384:P-521:X25519", -@@ -668,7 +676,9 @@ TEST(SSLTest, CurveRules) { +@@ -683,7 +691,9 @@ TEST(SSLTest, CurveRules) { } TEST(SSLTest, DefaultCurves) { 
@@ -455,7 +416,7 @@ index 779a2c37a..36a0cab3b 100644 SSL_GROUP_SECP384R1}; // Test the group ID APIs. -@@ -1522,6 +1532,9 @@ static bool GetClientHello(SSL *ssl, std::vector *out) { +@@ -1643,6 +1653,9 @@ static bool GetClientHello(SSL *ssl, std::vector *out) { static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version, size_t ticket_len) { bssl::UniquePtr ctx(SSL_CTX_new(TLS_method())); @@ -465,7 +426,7 @@ index 779a2c37a..36a0cab3b 100644 bssl::UniquePtr session = CreateSessionWithTicket(session_version, ticket_len); if (!ctx || !session) { -@@ -6815,7 +6828,9 @@ TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) { +@@ -7061,7 +7074,9 @@ TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) { // The default list of groups is used before applying the handoff. EXPECT_THAT(server->config->supported_group_list, @@ -477,10 +438,10 @@ index 779a2c37a..36a0cab3b 100644 ASSERT_TRUE(SSL_apply_handoff(server.get(), handoff)); EXPECT_EQ(1u, server->config->supported_group_list.size()); diff --git a/ssl/test/runner/basic_tests.go b/ssl/test/runner/basic_tests.go -index 08de8fa5f..dd945fa49 100644 +index dfd17d5f1..054241404 100644 --- a/ssl/test/runner/basic_tests.go +++ b/ssl/test/runner/basic_tests.go -@@ -129,6 +129,7 @@ read alert 1 0 +@@ -132,6 +132,7 @@ read alert 1 0 `write hs 1 read hs 3 write hs 1 @@ -488,7 +449,7 @@ index 08de8fa5f..dd945fa49 100644 read hs 2 read hs 11 read hs 12 -@@ -1956,6 +1957,7 @@ read alert 1 0 +@@ -1975,6 +1976,7 @@ read alert 1 0 write hs 2 write hs 8 write hs 11 @@ -518,10 +479,10 @@ index 6f49d12af..5e970b2b5 100644 }) } diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go -index 7dbde72c9..9d18d9d45 100644 +index ad8e3f73c..4224f2b89 100644 --- a/ssl/test/runner/common.go 
+++ b/ssl/test/runner/common.go -@@ -2095,7 +2095,7 @@ type ProtocolBugs struct { +@@ -2177,7 +2177,7 @@ type ProtocolBugs struct { FailIfHelloRetryRequested bool // FailIfPostQuantumOffered will cause a server to reject a ClientHello if @@ -531,10 +492,10 @@ index 7dbde72c9..9d18d9d45 100644 // ExpectKeyShares, if not nil, lists (in order) the curves that a ClientHello diff --git a/ssl/test/runner/curve_tests.go b/ssl/test/runner/curve_tests.go -index 8e7b0a45b..556bf314d 100644 +index 9bc13115e..0d11da734 100644 --- a/ssl/test/runner/curve_tests.go +++ b/ssl/test/runner/curve_tests.go -@@ -579,17 +579,6 @@ func addCurveTests() { +@@ -581,17 +581,6 @@ func addCurveTests() { }) } @@ -552,7 +513,7 @@ index 8e7b0a45b..556bf314d 100644 for _, curve := range testCurves { if !isMLKEMGroup(curve.id) { continue -@@ -679,18 +668,19 @@ func addCurveTests() { +@@ -681,18 +670,19 @@ func addCurveTests() { }) } @@ -630,7 +591,7 @@ index 2cd3c10d3..f19d8d20a 100644 clientAndServerHelloInitial += "write ccs\n" } diff --git a/ssl/test/runner/extension_tests.go b/ssl/test/runner/extension_tests.go -index d6adb7759..4eb80aa8e 100644 +index 3087efe37..61a036d8b 100644 --- a/ssl/test/runner/extension_tests.go +++ b/ssl/test/runner/extension_tests.go @@ -16,6 +16,7 @@ package runner @@ -651,7 +612,7 @@ index d6adb7759..4eb80aa8e 100644 // Test that illegal extensions in TLS 1.3 are rejected by the client if diff --git a/ssl/test/runner/key_update_tests.go b/ssl/test/runner/key_update_tests.go -index 0a9053038..5ce709589 100644 +index f98528265..2068b1102 100644 --- a/ssl/test/runner/key_update_tests.go +++ b/ssl/test/runner/key_update_tests.go @@ -14,7 +14,10 @@ @@ -675,10 +636,10 @@ index 0a9053038..5ce709589 100644 // Test that shim responds to KeyUpdate requests. diff --git a/tool/client.cc b/tool/client.cc -index 0839d4880..be9b79259 100644 +index 1653af8da..cab725d40 100644 --- a/tool/client.cc 
+++ b/tool/client.cc -@@ -125,6 +125,11 @@ static const struct argument kArguments[] = { +@@ -156,6 +156,11 @@ static const struct argument kArguments[] = { kBooleanArgument, "Permute extensions in handshake messages", }, @@ -688,9 +649,9 @@ index 0839d4880..be9b79259 100644 + "Do not send a second keyshare", + }, { - "-test-resumption", kBooleanArgument, - "Connect to the server twice. The first connection is closed once a " -@@ -538,6 +543,10 @@ bool Client(const std::vector &args) { + "-test-resumption", + kBooleanArgument, +@@ -637,6 +642,10 @@ bool Client(const std::vector &args) { SSL_CTX_set_permute_extensions(ctx.get(), 1); } @@ -698,9 +659,6 @@ index 0839d4880..be9b79259 100644 + SSL_CTX_use_second_keyshare(ctx.get(), 0); + } + + // Configure accepted roots. if (args_map.count("-root-certs") != 0) { if (!SSL_CTX_load_verify_locations( - ctx.get(), args_map["-root-certs"].c_str(), nullptr)) { --- -2.40.0 - diff --git a/boring-sys/src/lib.rs b/boring-sys/src/lib.rs index 1810d174c..702dbcc67 100644 --- a/boring-sys/src/lib.rs +++ b/boring-sys/src/lib.rs 
@@ -26,14 +26,14 @@ mod generated { } // explicitly require presence of some symbols to check if the bindings worked +#[cfg(feature = "rpk")] +pub use generated::SSL_CREDENTIAL_new_raw_public_key; pub use generated::{ssl_compliance_policy_t, ERR_add_error_data, SSL_set1_groups}; // if these are missing, your include path is incorrect or has a wrong version of boringssl pub use generated::{BIO_new, OPENSSL_free, SSL_ERROR_NONE}; // if these are missing, your include path is incorrect #[cfg(feature = "fips")] pub use generated::{FIPS_mode, SSL_CTX_set_compliance_policy}; // your include path is incorrect or has a version of boringssl without FIPS support #[cfg(feature = "mlkem")] -pub use generated::{MLKEM768_encap, MLKEM768_private_key_from_seed}; // your include path is incorrect or has a version of boringssl without mlkem support -#[cfg(feature = "rpk")] -pub use generated::{SSL_CREDENTIAL_new_raw_public_key, SSL_CREDENTIAL_set1_spki}; // your include path is incorrect or has a version of boringssl without rpk support +pub use generated::{MLKEM768_encap, MLKEM768_private_key_from_seed}; // your include path is incorrect or has a version of boringssl without mlkem support // RPK is native to BoringSSL at this version pub use generated::*; diff --git a/boring/src/ssl/credential.rs b/boring/src/ssl/credential.rs index df8fb0c30..e7585d316 100644 --- a/boring/src/ssl/credential.rs +++ b/boring/src/ssl/credential.rs @@ -29,12 +29,15 @@ foreign_type_and_impl_send_sync! { impl SslCredential { /// Create a credential suitable for a handshake using a raw public key. + /// `pkey` must contain both a private and public key. #[corresponds(SSL_CREDENTIAL_new_raw_public_key)] #[cfg(feature = "rpk")] - pub fn new_raw_public_key() -> Result { + pub fn new_raw_public_key( + pkey: &crate::pkey::PKeyRef, + ) -> Result { unsafe { Ok(SslCredentialBuilder(Self::from_ptr(cvt_p( - ffi::SSL_CREDENTIAL_new_raw_public_key(), + ffi::SSL_CREDENTIAL_new_raw_public_key(pkey.as_ptr()), )?))) } } 
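Review bot: In the `boring-sys/src/lib.rs` hunk the comment `// RPK is native to BoringSSL at this version` has been appended to the `mlkem` re-export, behind that line's own hint, while the new `rpk` re-export carries no hint at all. Every other line of this symbol check explains what a missing symbol means, so the rpk line should keep one: `pub use generated::SSL_CREDENTIAL_new_raw_public_key; // your include path is incorrect or has a version of boringssl without rpk support`, and the mlkem line can return to its previous text. The check also names only one of the RPK symbols that `boring` calls in this commit (`SSL_get0_peer_rpk`, `SSL_set1_accepted_peer_cert_types` and `SSL_get_peer_cert_type` are not listed), which matters if the aim is an early and readable build failure.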
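Review bot: The `unsafe` block in `SslCredential::new_raw_public_key` (`boring/src/ssl/credential.rs`) now passes `pkey.as_ptr()` into `SSL_CREDENTIAL_new_raw_public_key`, yet the returned builder is not tied to the lifetime of `pkey` and nothing visible here says the C side takes its own reference. If it does not, the credential keeps a dangling key once the caller drops the key; if it does, the block should say so, e.g. `// SAFETY: pkey is valid for the duration of the call and the credential takes its own reference (confirm against the BoringSSL header)`. The added doc sentence also runs straight on from the summary line, and an empty `///` line between the two keeps the rustdoc summary short. Because the zero-argument form of this public function disappears, the change is breaking for `rpk` users and belongs in the changelog.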
@@ -172,33 +175,8 @@ impl SslCredentialBuilder { } } - // Sets the SPKI of the raw public key credential. - // - // If `spki` is `None`, the SPKI is extracted from the credential's private key. - #[corresponds(SSL_CREDENTIAL_set1_spki)] - #[cfg(feature = "rpk")] - pub fn set_spki_bytes(&mut self, spki: Option<&[u8]>) -> Result<(), ErrorStack> { - unsafe { - let spki = spki - .map(|spki| { - cvt_p(ffi::CRYPTO_BUFFER_new( - spki.as_ptr(), - spki.len(), - ptr::null_mut(), - )) - }) - .transpose()? - .unwrap_or(ptr::null_mut()); - - let ret = cvt_0i(ffi::SSL_CREDENTIAL_set1_spki(self.0.as_ptr(), spki)).map(|_| ()); - - if !spki.is_null() { - ffi::CRYPTO_BUFFER_free(spki); - } - - ret - } - } + // NOTE: set_spki_bytes removed -- upstream SSL_CREDENTIAL_new_raw_public_key + // takes the key directly, so a separate SPKI setter is not needed. #[must_use] pub fn build(self) -> SslCredential { diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs index a4575d0c9..6d99e2368 100644 --- a/boring/src/ssl/mod.rs +++ b/boring/src/ssl/mod.rs @@ -2081,7 +2081,7 @@ impl SslContextBuilder { types: &[CertificateType], ) -> Result<(), ErrorStack> { unsafe { - cvt_0i(ffi::SSL_CTX_set_server_certificate_types( + cvt_0i(ffi::SSL_CTX_set1_accepted_peer_cert_types( self.as_ptr(), types.as_ptr() as *const u8, types.len(), 
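Review bot: Replacing `SSL_CTX_set_server_certificate_types` with `SSL_CTX_set1_accepted_peer_cert_types` in the `SslContextBuilder` hunk of `boring/src/ssl/mod.rs` reads as a change of meaning rather than a rename: by its name the new call sets which certificate types this endpoint accepts from its peer, not which types a server offers. The wrapper's name, doc comment and `#[corresponds(...)]` attribute lie outside the hunk; if they still speak of server certificate types, a server-side caller would silently configure the other direction. I would update them in the same commit and state the direction, e.g. `/// Sets the certificate types this endpoint accepts from its peer.` The `SslRef` hunk `@@ -3889,7 +3870,7 @@` makes the same swap to `SSL_set1_accepted_peer_cert_types` and needs the same treatment.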
@@ -2376,26 +2376,7 @@ impl SslContextRef { unsafe { cvt(ffi::SSL_CTX_set1_ech_keys(self.as_ptr(), keys.as_ptr())) } } - /// Returns the list of server certificate types. - #[corresponds(SSL_CTX_get0_server_certificate_types)] - #[cfg(feature = "rpk")] - #[must_use] - pub fn server_certificate_types(&self) -> Option<&[CertificateType]> { - let mut types = ptr::null(); - let mut types_len = 0; - unsafe { - ffi::SSL_CTX_get0_server_certificate_types(self.as_ptr(), &mut types, &mut types_len); - - if types_len == 0 { - return None; - } - - Some(slice::from_raw_parts( - types as *const CertificateType, - types_len, - )) - } - } + // NOTE: SSL_CTX_get0_server_certificate_types has no upstream equivalent. } /// Error returned by the callback to get a session when operation @@ -3870,7 +3851,7 @@ impl SslRef { #[cfg(feature = "rpk")] pub fn peer_pubkey(&self) -> Option<&PKeyRef> { unsafe { - let pubkey = ffi::SSL_get0_peer_pubkey(self.as_ptr()); + let pubkey = ffi::SSL_get0_peer_rpk(self.as_ptr()); if pubkey.is_null() { return None; @@ -3889,7 +3870,7 @@ impl SslRef { types: &[CertificateType], ) -> Result<(), ErrorStack> { unsafe { - cvt_0i(ffi::SSL_set_server_certificate_types( + cvt_0i(ffi::SSL_set1_accepted_peer_cert_types( self.as_ptr(), types.as_ptr() as *const u8, types.len(), 
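Review bot: `SslRef::peer_pubkey` (hunk `@@ -3870,7 +3851,7 @@`) now reads `SSL_get0_peer_rpk`, so judging by that name it yields a key only when the peer authenticated with a raw public key, and the doc comment, which is outside the hunk, should say so. If the previously patched `SSL_get0_peer_pubkey` also returned a key for X.509 peers, callers now get `None` where they used to get a key. Raw public keys carry no certificate chain, so the doc should also spell out who binds the key to an identity, for example `/// Returns the peer's raw public key, if it presented one. Callers must compare it with the key they expect before trusting the peer.` (adjust if the library itself enforces a configured key).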
@@ -3898,34 +3879,14 @@ impl SslRef { } } - /// Returns the list of server certificate types. - #[corresponds(SSL_get0_server_certificate_types)] - #[must_use] - #[cfg(feature = "rpk")] - pub fn server_certificate_types(&self) -> Option<&[CertificateType]> { - let mut types = ptr::null(); - let mut types_len = 0; - unsafe { - ffi::SSL_get0_server_certificate_types(self.as_ptr(), &mut types, &mut types_len); - - if types_len == 0 { - return None; - } - - Some(slice::from_raw_parts( - types as *const CertificateType, - types_len, - )) - } - } + // NOTE: SSL_get0_server_certificate_types has no upstream equivalent. - /// Returns the server certificate type selected by the server, or `CertificateType::X509` - /// if there is no handshake. - #[corresponds(SSL_get_server_certificate_type_selected)] + /// Returns the peer's certificate type, or `CertificateType::X509` by default. + #[corresponds(SSL_get_peer_cert_type)] #[must_use] #[cfg(feature = "rpk")] pub fn selected_server_certificate_type(&self) -> CertificateType { - unsafe { CertificateType(ffi::SSL_get_server_certificate_type_selected(self.as_ptr())) } + unsafe { CertificateType(ffi::SSL_get_peer_cert_type(self.as_ptr()) as u8) } } } @@ -4478,10 +4439,10 @@ pub struct CertificateType(u8); #[cfg(feature = "rpk")] impl CertificateType { /// A X.509 certificate. - pub const X509: Self = Self(ffi::TLS_CERTIFICATE_TYPE_X509 as u8); + pub const X509: Self = Self(ffi::TLSEXT_cert_type_x509 as u8); /// A raw public key. - pub const RAW_PUBLIC_KEY: Self = Self(ffi::TLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY as u8); + pub const RAW_PUBLIC_KEY: Self = Self(ffi::TLSEXT_cert_type_rpk as u8); } /// The result of a shutdown request. diff --git a/tokio-boring/tests/rpk.rs b/tokio-boring/tests/rpk.rs index b39f9d53c..7e0f45bcb 100644 --- a/tokio-boring/tests/rpk.rs +++ b/tokio-boring/tests/rpk.rs 
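Review bot: In `selected_server_certificate_type` (hunk `@@ -3898,34 +3879,14 @@`) the result of `SSL_get_peer_cert_type` is narrowed with `as u8`, which truncates silently, so an out-of-range or error value from the C side would be folded into some `CertificateType`, possibly a valid-looking one. A checked conversion keeps the documented default: `u8::try_from(ffi::SSL_get_peer_cert_type(self.as_ptr())).map_or(CertificateType::X509, CertificateType)`. The method name still says "selected server certificate type" while the new doc line and call describe the peer's type, which on a server connection is the client's. A doc sentence naming the direction, or a renamed method with the old name kept as a deprecated alias, would stop callers from making an authentication decision on the wrong side's type.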
@@ -30,14 +30,10 @@ fn create_server() -> ( let mut acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap(); let private_key = PKey::private_key_from_pem(&std::fs::read("tests/key.pem").unwrap()).unwrap(); - let spki = std::fs::read("tests/pubkey.der").unwrap(); acceptor .add_credential({ - let mut cred = SslCredential::new_raw_public_key().unwrap(); - - cred.set_private_key(&private_key).unwrap(); - cred.set_spki_bytes(Some(&spki)).unwrap(); + let cred = SslCredential::new_raw_public_key(&private_key).unwrap(); &cred.build() })