@alex alex commented Jun 20, 2023

It doesn't support DH via EVP

alex commented Jun 21, 2023

Relevant context: from_dh is removed on BoringSSL in the latest openssl crate. It used to simply always fail. This change hides all methods that use that function on boringssl. They are never invoked because dh_supported() returns False on boring.

@reaperhulk

What happens on boring if you load a DER DH parameters? That will ultimately call openssl::dh::Dh::from_pqg, which is presumably still present-but-fails on boring?

alex commented Jun 21, 2023

It'll actually work. BoringSSL has DH, it just doesn't have EVP support for DH.

alex commented Jun 21, 2023

That was true before this PR as well, to be clear.

@reaperhulk reaperhulk merged commit 47105c6 into main Jun 21, 2023
@alex alex deleted the alex-patch-2 branch June 21, 2023 12:53
alex added a commit to alex/cryptography that referenced this pull request Nov 28, 2023
It doesn't support DH via EVP
reaperhulk pushed a commit that referenced this pull request Nov 28, 2023
* Backport LibreSSL 3.8.2 support for a 41.0.7 release

* ci fixes

* LibreSSL 3.8.1 and later is OPENSSL_NO_ENGINE (#9456)

Unfortunately, some projects are not prepared to build without
ENGINE symbols, so just like BoringSSL we needed to keep some stubs.

* Don't build dh code on BoringSSL (#9103)

It doesn't support DH via EVP

* Update ci.yml (#9527)

---------

Co-authored-by: Theo Buehler <[email protected]>