From 52028c58b9ae183c087a5857b3b06228d393ac9d Mon Sep 17 00:00:00 2001
From: Bas Westerbaan
Date: Fri, 13 Sep 2024 12:30:55 +0200
Subject: [PATCH] Expose SSL(_CTX)_set1_curves_list
set_surves_list is similar to set_curves, but the curves are specified by a string. This makes it convenient when the supported curves of the underlying BoringSSL is not known at compile time. Also fix a bug in checking return value of SSL_set1_curves_list.
---
 boring/src/ssl/mod.rs | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
index 04e0ee43..3da9854f 100644
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@@ -1789,6 +1789,24 @@ impl SslContextBuilder {
 unsafe { ffi::SSL_CTX_enable_ocsp_stapling(self.as_ptr()) }
 }
 
+ /// Sets the context's supported curves.
+ //
+ // If the "kx-*" flags are used to set key exchange preference, then don't allow the user to
+ // set them here. This ensures we don't override the user's preference without telling them:
+ // when the flags are used, the preferences are set just before connecting or accepting.
+ #[cfg(not(feature = "kx-safe-default"))]
+ #[corresponds(SSL_CTX_set1_curves_list)]
+ pub fn set_curves_list(&mut self, curves: &str) -> Result<(), ErrorStack> {
+ let curves = CString::new(curves).unwrap();
+ unsafe {
+ cvt_0i(ffi::SSL_CTX_set1_curves_list(
+ self.as_ptr(),
+ curves.as_ptr() as *const _,
+ ))
+ .map(|_| ())
+ }
+ }
+
 /// Sets the context's supported curves.
 //
 // If the "kx-*" flags are used to set key exchange preference, then don't allow the user to
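Review bot: `CString::new(curves).unwrap()` in the new `SslContextBuilder::set_curves_list` turns an interior NUL byte in a caller-supplied curve list into a panic rather than an `Err`, which mirrors the existing `SslRef` version but is a panic path on externally provided configuration. If the unwrap is kept, the doc comment should carry a `/// # Panics` section with `/// Panics if the curve list contains an interior NUL byte.`; otherwise map the `NulError` into the function's error type so misconfiguration surfaces as a `Result` like the FFI failure does. The summary line `/// Sets the context's supported curves.` is also identical to the one on the neighbouring `set_curves`, so it should state how the string form differs, e.g. `/// Sets the context's supported curves from a colon-separated list of curve names, as accepted by SSL_CTX_set1_curves_list.` The rest of `impl SslContextBuilder` lies outside the hunk.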
@@ -2589,11 +2607,10 @@ impl SslRef {
 }
 #[corresponds(SSL_set1_curves_list)]
- #[cfg(feature = "kx-safe-default")]
- fn set_curves_list(&mut self, curves: &str) -> Result<(), ErrorStack> {
+ pub fn set_curves_list(&mut self, curves: &str) -> Result<(), ErrorStack> {
 let curves = CString::new(curves).unwrap();
 unsafe {
- cvt(ffi::SSL_set1_curves_list(
+ cvt_0i(ffi::SSL_set1_curves_list(
 self.as_ptr(),
 curves.as_ptr() as *const _,
 ))