Added feature: SSL_group_to_name entrypoint #104
Conversation
|
Thanks -- could you:
That should make some of the unrelated changes fall away. With that said I think the changes here are substantially good. |
21e2e5d to
3aa196b
Compare
|
The rebase doesn't seem to have worked out? There's a still a bunch of other changes appearing in your commit. |
Added: New Entrypoint to build Added: New NIDs
3aa196b to
c4d7585
Compare
|
Sorry for the troubles! Now everything should be rebased properly. |
src/lib.rs
Outdated
| description: c"TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD\n", | ||
| }; | ||
|
|
||
| #[allow(dead_code)] |
There was a problem hiding this comment.
It looks like this allow is here because the standard_name, algorithm secbits and group_id fields aren't ref'd. It feels like perhaps we should omit those until there's a concrete need.
If that happened, would TlsGroupInfo be needed at all? Couldn't we map the rustls NamedGroup directly to a cstr label?
src/lib.rs
Outdated
|
|
||
| #[allow(dead_code)] | ||
| struct TlsGroupInfo { | ||
| pub tls_name: &'static CStr, |
There was a problem hiding this comment.
I don't think these fields need to be pub since the struct itself isn't.
src/lib.rs
Outdated
| } | ||
|
|
||
| impl TlsGroupInfo { | ||
| pub fn find_by_id(id: NamedGroup) -> Option<&'static Self> { |
There was a problem hiding this comment.
I think this could be mod-private instead of pub as well.
| } | ||
|
|
||
| entry! { | ||
| pub fn _SSL_group_to_name(ssl: *const SSL, id: c_int) -> *const c_char { |
There was a problem hiding this comment.
It would be nice to have something like tests/constants.c that runs through SSL_group_to_name for some supported NIDs and prints the results so we can have a runner.rs test like constants that checks the C program's output is the same linking libssl or rustls-libssl
There was a problem hiding this comment.
I added the function. Unfortunately C Openssl just crashes if it faces an unknown nid, so I did not add MLKEM nids (they are not implemented in older versions). I also moved the existing functionality to a separate function for a clearer structure.
Added: Test group_to_name in tests/constants.c Refactored: Moved tests in separate functions in tests/constants.c
7af8a39 to
715b6da
Compare
Hello everyone,
I added the SSL_group_to_name entrypoint, as this is required by Debian 12 nginx.
The main changes are:
In future the groups could be used to implement the functions in https://docs.openssl.org/3.3/man3/SSL_CTX_set1_curves/.
I am happy to discuss the changes!