1 change: 1 addition & 0 deletions boring-sys/build/main.rs
Expand Up @@ -791,6 +791,7 @@ fn generate_bindings(config: &Config) -> Result<PathBuf, Box<dyn std::error::Err
"md4.h",
"md5.h",
"mlkem.h",
"mldsa.h",
"obj_mac.h",
"objects.h",
"opensslv.h",
2 changes: 1 addition & 1 deletion boring-sys/deps/boringssl
Submodule boringssl updated 1411 files
114 changes: 64 additions & 50 deletions boring-sys/patches/boring-pq.patch
@@ -1,7 +1,7 @@
From cb5689e091f515fc8a42ceaff08d702333e505ed Mon Sep 17 00:00:00 2001
From: Anthony Ramine <aramine@cloudflare.com>
Date: Wed, 3 Dec 2025 11:10:16 +0100
Subject: [PATCH] Add additional post-quantum key agreements
From e45854b34aa48b1fdefad81906cdb9931e697bbc Mon Sep 17 00:00:00 2001
From: Christopher Patton <cpatton@cloudflare.com>
Date: Tue, 21 Apr 2026 15:45:09 -0700
Subject: [PATCH] Add additional post-quantum key agreement

This patch adds:

Expand All @@ -16,6 +16,8 @@ This patch adds:
non post-quantum and a post-quantum keyshare if available. These
functions allow one to change the behaviour to only send a single
keyshare.


---
crypto/obj/obj_dat.h | 6 +-
crypto/obj/obj_mac.num | 1 +
Expand All @@ -26,7 +28,7 @@ This patch adds:
ssl/internal.h | 12 ++-
ssl/ssl_key_share.cc | 111 +++++++++++++++++++++++++++-
ssl/ssl_lib.cc | 16 +++-
ssl/ssl_test.cc | 19 ++++-
ssl/ssl_test.cc | 24 +++++-
ssl/test/runner/basic_tests.go | 2 +
ssl/test/runner/cbc_tests.go | 3 +
ssl/test/runner/common.go | 2 +-
Expand All @@ -35,22 +37,22 @@ This patch adds:
ssl/test/runner/extension_tests.go | 3 +-
ssl/test/runner/key_update_tests.go | 6 +-
tool/client.cc | 9 +++
18 files changed, 245 insertions(+), 42 deletions(-)
18 files changed, 249 insertions(+), 43 deletions(-)

diff --git a/crypto/obj/obj_dat.h b/crypto/obj/obj_dat.h
index d8b86dcd2..6dd49ec36 100644
index 10ad9bb14..3fe6fdec6 100644
--- a/crypto/obj/obj_dat.h
+++ b/crypto/obj/obj_dat.h
@@ -15,7 +15,7 @@
// This file is generated by crypto/obj/objects.go.
@@ -16,7 +16,7 @@


BSSL_NAMESPACE_BEGIN
-#define NUM_NID 971
+#define NUM_NID 972

static const uint8_t kObjectData[] = {
/* NID_rsadsi */
@@ -8799,6 +8799,8 @@ static const ASN1_OBJECT kObjects[NUM_NID] = {
@@ -8800,6 +8800,8 @@ static const ASN1_OBJECT kObjects[NUM_NID] = {
{"id-ml-dsa-87", "ML-DSA-87", NID_ML_DSA_87, 9, &kObjectData[6223], 0},
{"id-alg-ml-kem-768", "ML-KEM-768", NID_ML_KEM_768, 9, &kObjectData[6232],
0},
Expand All @@ -59,15 +61,15 @@ index d8b86dcd2..6dd49ec36 100644
};

static const uint16_t kNIDsInShortNameOrder[] = {
@@ -8931,6 +8933,7 @@ static const uint16_t kNIDsInShortNameOrder[] = {
@@ -8932,6 +8934,7 @@ static const uint16_t kNIDsInShortNameOrder[] = {
18 /* OU */,
749 /* Oakley-EC2N-3 */,
750 /* Oakley-EC2N-4 */,
+ 971 /* P256Kyber768Draft00 */,
9 /* PBE-MD2-DES */,
168 /* PBE-MD2-RC2-64 */,
10 /* PBE-MD5-DES */,
@@ -9854,6 +9857,7 @@ static const uint16_t kNIDsInLongNameOrder[] = {
@@ -9855,6 +9858,7 @@ static const uint16_t kNIDsInLongNameOrder[] = {
366 /* OCSP Nonce */,
371 /* OCSP Service Locator */,
180 /* OCSP Signing */,
Expand Down Expand Up @@ -111,18 +113,18 @@ index 83a1cf592..7265f15f6 100644
#if defined(__cplusplus)
} /* extern C */
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index ff68ba69e..0730e769a 100644
index 3a2e6dc50..300848e0f 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2550,6 +2550,7 @@ OPENSSL_EXPORT size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx);
@@ -2579,6 +2579,7 @@ OPENSSL_EXPORT size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx);
#define SSL_GROUP_X25519_MLKEM768 0x11ec
#define SSL_GROUP_X25519_KYBER768_DRAFT00 0x6399
#define SSL_GROUP_MLKEM1024 0x0202
+#define SSL_GROUP_P256_KYBER768_DRAFT00 0xfe32

// SSL_CTX_set1_group_ids sets the preferred groups for |ctx| to |group_ids|.
// Each element of |group_ids| should be a unique one of the |SSL_GROUP_*|
@@ -5964,6 +5965,20 @@ OPENSSL_EXPORT int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves);
@@ -6195,6 +6196,20 @@ OPENSSL_EXPORT int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves);
// SSL_set1_curves_list calls |SSL_set1_groups_list|.
OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves);

Expand All @@ -144,18 +146,18 @@ index ff68ba69e..0730e769a 100644
// |SSL_get_negotiated_group| to return an unrecognized group. BoringSSL never
// returns this value, but we define this constant for compatibility.
diff --git a/ssl/extensions.cc b/ssl/extensions.cc
index c5f90688c..e0514fed3 100644
index 529226876..e2ed74d5f 100644
--- a/ssl/extensions.cc
+++ b/ssl/extensions.cc
@@ -101,6 +101,7 @@ static bool tls1_check_duplicate_extensions(const CBS *cbs) {
@@ -106,6 +106,7 @@ static bool tls1_check_duplicate_extensions(const CBS *cbs) {
static bool is_post_quantum_group(uint16_t id) {
switch (id) {
case SSL_GROUP_X25519_KYBER768_DRAFT00:
+ case SSL_GROUP_P256_KYBER768_DRAFT00:
case SSL_GROUP_X25519_MLKEM768:
case SSL_GROUP_MLKEM1024:
return true;
@@ -2241,18 +2242,21 @@ bool ssl_setup_key_shares(SSL_HANDSHAKE *hs, uint16_t override_group_id) {
@@ -2413,18 +2414,21 @@ bool ssl_setup_key_shares(SSL_HANDSHAKE *hs, uint16_t override_group_id) {
if (!default_key_shares.TryPushBack(supported_group_list[0])) {
return false;
}
Expand Down Expand Up @@ -189,10 +191,10 @@ index c5f90688c..e0514fed3 100644
selected_key_shares.emplace(default_key_shares);
}
diff --git a/ssl/internal.h b/ssl/internal.h
index a69505b47..1f5ce51e6 100644
index 4d86a6170..1c0d9f2fd 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -955,7 +955,7 @@ struct NamedGroup {
@@ -913,7 +913,7 @@ struct NamedGroup {
Span<const NamedGroup> NamedGroups();

// kNumNamedGroups is the number of supported groups.
Expand All @@ -201,7 +203,7 @@ index a69505b47..1f5ce51e6 100644

// DefaultSupportedGroupIds returns the list of IDs for the default groups that
// are supported when the caller hasn't explicitly configured supported groups.
@@ -3388,6 +3388,11 @@ struct SSL_CONFIG {
@@ -3512,6 +3512,11 @@ struct SSL_CONFIG {
// permute_extensions is whether to permute extensions when sending messages.
bool permute_extensions : 1;

Expand All @@ -213,7 +215,7 @@ index a69505b47..1f5ce51e6 100644
// aes_hw_override if set indicates we should override checking for aes
// hardware support, and use the value in aes_hw_override_value instead.
bool aes_hw_override : 1;
@@ -4015,6 +4020,11 @@ struct ssl_ctx_st : public bssl::RefCounted<ssl_ctx_st> {
@@ -4149,6 +4154,11 @@ struct ssl_ctx_st : public bssl::RefCounted<ssl_ctx_st> {
// permute_extensions is whether to permute extensions when sending messages.
bool permute_extensions : 1;

Expand Down Expand Up @@ -371,34 +373,34 @@ index d155b5527..4fb08906b 100644
return nullptr;
}
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index f64b103fb..fe5bb9bc7 100644
index de4e79efc..4ca2e799d 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -397,6 +397,7 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
@@ -385,6 +385,7 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
channel_id_enabled(false),
grease_enabled(false),
permute_extensions(false),
+ disable_second_keyshare(false),
allow_unknown_alpn_protos(false),
false_start_allowed_without_alpn(false),
handoff(false),
@@ -527,6 +528,7 @@ SSL *SSL_new(SSL_CTX *ctx) {
@@ -517,6 +518,7 @@ SSL *SSL_new(SSL_CTX *ctx) {
ssl->config->retain_only_sha256_of_client_certs =
ctx->retain_only_sha256_of_client_certs;
ssl->config->permute_extensions = ctx->permute_extensions;
+ ssl->config->disable_second_keyshare = ctx->disable_second_keyshare;
ssl->config->aes_hw_override = ctx->aes_hw_override;
ssl->config->aes_hw_override_value = ctx->aes_hw_override_value;
ssl->config->compliance_policy = ctx->compliance_policy;
@@ -586,6 +588,7 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg)
@@ -582,6 +584,7 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg)
jdk11_workaround(false),
quic_use_legacy_codepoint(false),
permute_extensions(false),
+ disable_second_keyshare(false),
alps_use_new_codepoint(true) {
assert(ssl);
}
@@ -3331,6 +3334,15 @@ int SSL_set1_curves_list(SSL *ssl, const char *curves) {
@@ -3372,6 +3375,15 @@ int SSL_set1_curves_list(SSL *ssl, const char *curves) {
return SSL_set1_groups_list(ssl, curves);
}

Expand All @@ -414,7 +416,7 @@ index f64b103fb..fe5bb9bc7 100644
namespace fips202205 {

// (References are to SP 800-52r2):
@@ -3342,7 +3354,9 @@ namespace fips202205 {
@@ -3383,7 +3395,9 @@ namespace fips202205 {
// Section 3.3.1
// "The server shall be configured to only use cipher suites that are
// composed entirely of NIST approved algorithms"
Expand All @@ -426,10 +428,10 @@ index f64b103fb..fe5bb9bc7 100644
static const uint16_t kSigAlgs[] = {
SSL_SIGN_RSA_PKCS1_SHA256,
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 779a2c37a..36a0cab3b 100644
index 49adcaf72..6427ecf5d 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -506,6 +506,14 @@ static const CurveTest kCurveTests[] = {
@@ -520,6 +520,14 @@ static const CurveTest kCurveTests[] = {
"MLKEM1024:X25519MLKEM768",
{SSL_GROUP_MLKEM1024, SSL_GROUP_X25519_MLKEM768},
},
Expand All @@ -444,7 +446,7 @@ index 779a2c37a..36a0cab3b 100644

{
"P-256:P-384:P-521:X25519",
@@ -668,7 +676,9 @@ TEST(SSLTest, CurveRules) {
@@ -681,7 +689,9 @@ TEST(SSLTest, CurveRules) {
}

TEST(SSLTest, DefaultCurves) {
Expand All @@ -455,7 +457,7 @@ index 779a2c37a..36a0cab3b 100644
SSL_GROUP_SECP384R1};

// Test the group ID APIs.
@@ -1522,6 +1532,9 @@ static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
@@ -1641,6 +1651,9 @@ static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
size_t ticket_len) {
bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
Expand All @@ -465,7 +467,19 @@ index 779a2c37a..36a0cab3b 100644
bssl::UniquePtr<SSL_SESSION> session =
CreateSessionWithTicket(session_version, ticket_len);
if (!ctx || !session) {
@@ -6815,7 +6828,9 @@ TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) {
@@ -2315,7 +2328,10 @@ TEST(SSLTest, SetGroupIdsWithEqualPreference) {
// Test that the SSL group flags are defaulted to zero when zero groups are set
// (i.e. using the default groups).
TEST(SSLTest, SetGroupIdsWithFlags_DefaultGroups) {
- const uint16_t kDefaultGroups[] = {SSL_GROUP_X25519, SSL_GROUP_SECP256R1,
+ const uint16_t kDefaultGroups[] = {SSL_GROUP_X25519_MLKEM768,
+ SSL_GROUP_P256_KYBER768_DRAFT00,
+ SSL_GROUP_X25519,
+ SSL_GROUP_SECP256R1,
SSL_GROUP_SECP384R1};
const uint32_t kBogusFlags[] = {SSL_GROUP_FLAG_EQUAL_PREFERENCE_WITH_NEXT,
SSL_GROUP_FLAG_EQUAL_PREFERENCE_WITH_NEXT, 0};
@@ -7052,7 +7068,9 @@ TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) {

// The default list of groups is used before applying the handoff.
EXPECT_THAT(server->config->supported_group_list,
Expand All @@ -477,18 +491,18 @@ index 779a2c37a..36a0cab3b 100644
ASSERT_TRUE(SSL_apply_handoff(server.get(), handoff));
EXPECT_EQ(1u, server->config->supported_group_list.size());
diff --git a/ssl/test/runner/basic_tests.go b/ssl/test/runner/basic_tests.go
index 08de8fa5f..dd945fa49 100644
index dfd17d5f1..054241404 100644
--- a/ssl/test/runner/basic_tests.go
+++ b/ssl/test/runner/basic_tests.go
@@ -129,6 +129,7 @@ read alert 1 0
@@ -132,6 +132,7 @@ read alert 1 0
`write hs 1
read hs 3
write hs 1
+write hs 1
read hs 2
read hs 11
read hs 12
@@ -1956,6 +1957,7 @@ read alert 1 0
@@ -1975,6 +1976,7 @@ read alert 1 0
write hs 2
write hs 8
write hs 11
Expand Down Expand Up @@ -518,10 +532,10 @@ index 6f49d12af..5e970b2b5 100644
})
}
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 7dbde72c9..9d18d9d45 100644
index 2d174832f..5056444de 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -2095,7 +2095,7 @@ type ProtocolBugs struct {
@@ -2172,7 +2172,7 @@ type ProtocolBugs struct {
FailIfHelloRetryRequested bool

// FailIfPostQuantumOffered will cause a server to reject a ClientHello if
Expand All @@ -531,10 +545,10 @@ index 7dbde72c9..9d18d9d45 100644

// ExpectKeyShares, if not nil, lists (in order) the curves that a ClientHello
diff --git a/ssl/test/runner/curve_tests.go b/ssl/test/runner/curve_tests.go
index 8e7b0a45b..556bf314d 100644
index 9bc13115e..0d11da734 100644
--- a/ssl/test/runner/curve_tests.go
+++ b/ssl/test/runner/curve_tests.go
@@ -579,17 +579,6 @@ func addCurveTests() {
@@ -581,17 +581,6 @@ func addCurveTests() {
})
}

Expand All @@ -552,7 +566,7 @@ index 8e7b0a45b..556bf314d 100644
for _, curve := range testCurves {
if !isMLKEMGroup(curve.id) {
continue
@@ -679,18 +668,19 @@ func addCurveTests() {
@@ -681,18 +670,19 @@ func addCurveTests() {
})
}

Expand Down Expand Up @@ -630,7 +644,7 @@ index 2cd3c10d3..f19d8d20a 100644
clientAndServerHelloInitial += "write ccs\n"
}
diff --git a/ssl/test/runner/extension_tests.go b/ssl/test/runner/extension_tests.go
index d6adb7759..4eb80aa8e 100644
index 3087efe37..61a036d8b 100644
--- a/ssl/test/runner/extension_tests.go
+++ b/ssl/test/runner/extension_tests.go
@@ -16,6 +16,7 @@ package runner
Expand All @@ -651,7 +665,7 @@ index d6adb7759..4eb80aa8e 100644

// Test that illegal extensions in TLS 1.3 are rejected by the client if
diff --git a/ssl/test/runner/key_update_tests.go b/ssl/test/runner/key_update_tests.go
index 0a9053038..5ce709589 100644
index f98528265..2068b1102 100644
--- a/ssl/test/runner/key_update_tests.go
+++ b/ssl/test/runner/key_update_tests.go
@@ -14,7 +14,10 @@
Expand All @@ -675,10 +689,10 @@ index 0a9053038..5ce709589 100644

// Test that shim responds to KeyUpdate requests.
diff --git a/tool/client.cc b/tool/client.cc
index 0839d4880..be9b79259 100644
index 1653af8da..cab725d40 100644
--- a/tool/client.cc
+++ b/tool/client.cc
@@ -125,6 +125,11 @@ static const struct argument kArguments[] = {
@@ -156,6 +156,11 @@ static const struct argument kArguments[] = {
kBooleanArgument,
"Permute extensions in handshake messages",
},
Expand All @@ -688,19 +702,19 @@ index 0839d4880..be9b79259 100644
+ "Do not send a second keyshare",
+ },
{
"-test-resumption", kBooleanArgument,
"Connect to the server twice. The first connection is closed once a "
@@ -538,6 +543,10 @@ bool Client(const std::vector<std::string> &args) {
"-test-resumption",
kBooleanArgument,
@@ -637,6 +642,10 @@ bool Client(const std::vector<std::string> &args) {
SSL_CTX_set_permute_extensions(ctx.get(), 1);
}

+ if (args_map.count("-disable-second-keyshare") != 0) {
+ SSL_CTX_use_second_keyshare(ctx.get(), 0);
+ }
+
// Configure accepted roots.
if (args_map.count("-root-certs") != 0) {
if (!SSL_CTX_load_verify_locations(
ctx.get(), args_map["-root-certs"].c_str(), nullptr)) {
--
2.40.0
2.50.1 (Apple Git-155)
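Review bot: In the new ssl_test.cc hunk for SetGroupIdsWithFlags_DefaultGroups, kDefaultGroups grows from three to five entries while the kBogusFlags array directly below it keeps three; if the test hands both arrays to the API under one shared count (the call itself is outside the hunk), the flags array should grow to match, e.g. `const uint32_t kBogusFlags[] = {SSL_GROUP_FLAG_EQUAL_PREFERENCE_WITH_NEXT, SSL_GROUP_FLAG_EQUAL_PREFERENCE_WITH_NEXT, 0, 0, 0};`. The same ordered default list (X25519MLKEM768, P256Kyber768Draft00, X25519, P-256, P-384) now appears to be spelled out by hand in this test and, from the collapsed DefaultCurves and ApplyHandoffRemovesUnsupportedCurves hunks, in at least two more places, so one shared `static const uint16_t kExpectedDefaultGroups[]` would keep them from drifting the next time this patch is rebased. Since the rebased patch keeps the pre-standard P256Kyber768Draft00 group (codepoint 0xfe32, in the private-use range) in the default client list alongside the standardized ML-KEM hybrid, the patch description would benefit from one sentence stating that it is retained for compatibility with already-deployed peers and is expected to be removed, so a future rebase does not silently promote it.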
