Fix our patches to work with latest boring

2026-01-14 15:40:20 -05:00 · 2026-01-14 15:40:20 -05:00 · 7437b54a87
commit 7437b54a87
parent c2e54d6928
3 changed files with 9 additions and 11 deletions
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@ -708,8 +708,6 @@ pub struct SslCurveNid(c_int);
 pub struct SslCurve(c_int);

 impl SslCurve {
-    pub const SECP224R1: SslCurve = SslCurve(ffi::SSL_CURVE_SECP224R1 as _);
-
    pub const SECP256R1: SslCurve = SslCurve(ffi::SSL_CURVE_SECP256R1 as _);

    pub const SECP384R1: SslCurve = SslCurve(ffi::SSL_CURVE_SECP384R1 as _);
@ -774,7 +772,6 @@ impl SslCurve {
    #[allow(dead_code)]
    pub fn nid(&self) -> Option<SslCurveNid> {
        match self.0 {
-            ffi::SSL_CURVE_SECP224R1 => Some(ffi::NID_secp224r1),
            ffi::SSL_CURVE_SECP256R1 => Some(ffi::NID_X9_62_prime256v1),
            ffi::SSL_CURVE_SECP384R1 => Some(ffi::NID_secp384r1),
            ffi::SSL_CURVE_SECP521R1 => Some(ffi::NID_secp521r1),
--- a/boring/src/ssl/test/mod.rs
+++ b/boring/src/ssl/test/mod.rs
@ -989,7 +989,6 @@ fn get_curve() {

 #[test]
 fn get_curve_name() {
-    assert_eq!(SslCurve::SECP224R1.name(), Some("P-224"));
    assert_eq!(SslCurve::SECP256R1.name(), Some("P-256"));
    assert_eq!(SslCurve::SECP384R1.name(), Some("P-384"));
    assert_eq!(SslCurve::SECP521R1.name(), Some("P-521"));
@ -1000,13 +999,8 @@ fn get_curve_name() {
 #[test]
 fn set_curves() {
    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-    ctx.set_curves(&[
-        SslCurve::SECP224R1,
-        SslCurve::SECP256R1,
-        SslCurve::SECP384R1,
-        SslCurve::X25519,
-    ])
-    .expect("Failed to set curves");
+    ctx.set_curves(&[SslCurve::SECP256R1, SslCurve::SECP384R1, SslCurve::X25519])
+        .expect("Failed to set curves");
 }

 #[test]
--- a/boring/src/x509/mod.rs
+++ b/boring/src/x509/mod.rs
@ -187,7 +187,9 @@ impl X509StoreContextRef {
        impl Drop for Cleanup<'_> {
            fn drop(&mut self) {
                unsafe {
+                    let error = ffi::X509_STORE_CTX_get_error(self.0.as_ptr());
                    ffi::X509_STORE_CTX_cleanup(self.0.as_ptr());
+                    ffi::X509_STORE_CTX_set_error(self.0.as_ptr(), error);
                }
            }
        }
@ -286,10 +288,15 @@ impl X509StoreContextRef {
        unsafe {
            ffi::X509_STORE_CTX_set0_crls(self.as_ptr(), untrusted_crls.as_ptr());
            let res = cvt_n(ffi::X509_verify_cert(self.as_ptr())).map(|n| n != 0);
+            let verify_error = ffi::X509_STORE_CTX_get_error(self.as_ptr());
            // set0_crls does not take ownership of the stack, so we'll drop and free
            // untrusted_crls after this method. null out the crls in ctx to make sure
            // no one has a reference to it.
            ffi::X509_STORE_CTX_set0_crls(self.as_ptr(), ptr::null_mut());
+            if matches!(res, Ok(false)) {
+                // Preserve the verification error because clearing crls may reset it.
+                ffi::X509_STORE_CTX_set_error(self.as_ptr(), verify_error);
+            }
            res
        }
    }