From 4b37d88b803f3d86bf3d7899b2c5aeb048e560f1 Mon Sep 17 00:00:00 2001 From: Bas Westerbaan Date: Tue, 17 Sep 2024 10:00:25 +0200 Subject: [PATCH] Expose SSL(_CTX)_set1_curves_list (#270) set_surves_list is similar to set_curves, but the curves are specified by a string. This makes it convenient when the supported curves of the underlying BoringSSL is not known at compile time. Also fix a bug in checking return value of SSL_set1_curves_list. --- boring/src/ssl/mod.rs | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs index be32e545..6a9361e1 100644 --- a/boring/src/ssl/mod.rs +++ b/boring/src/ssl/mod.rs @@ -1849,6 +1849,24 @@ impl SslContextBuilder { unsafe { ffi::SSL_CTX_enable_ocsp_stapling(self.as_ptr()) } } + /// Sets the context's supported curves. + // + // If the "kx-*" flags are used to set key exchange preference, then don't allow the user to + // set them here. This ensures we don't override the user's preference without telling them: + // when the flags are used, the preferences are set just before connecting or accepting. + #[cfg(not(feature = "kx-safe-default"))] + #[corresponds(SSL_CTX_set1_curves_list)] + pub fn set_curves_list(&mut self, curves: &str) -> Result<(), ErrorStack> { + let curves = CString::new(curves).unwrap(); + unsafe { + cvt_0i(ffi::SSL_CTX_set1_curves_list( + self.as_ptr(), + curves.as_ptr() as *const _, + )) + .map(|_| ()) + } + } + /// Sets the context's supported curves. // // If the "kx-*" flags are used to set key exchange preference, then don't allow the user to @@ -2661,11 +2679,10 @@ impl SslRef { } #[corresponds(SSL_set1_curves_list)] - #[cfg(feature = "kx-safe-default")] - fn set_curves_list(&mut self, curves: &str) -> Result<(), ErrorStack> { + pub fn set_curves_list(&mut self, curves: &str) -> Result<(), ErrorStack> { let curves = CString::new(curves).unwrap(); unsafe { - cvt(ffi::SSL_set1_curves_list( + cvt_0i(ffi::SSL_set1_curves_list( self.as_ptr(), curves.as_ptr() as *const _, ))