boring-sys: Update boring-pq.patch

cjpatton · cjpatton · commit 4aadbc90c063 · 2026-04-30T15:48:42.000-07:00
diff --git a/boring-sys/patches/boring-pq.patch b/boring-sys/patches/boring-pq.patch
@@ -1,7 +1,7 @@
-From cb5689e091f515fc8a42ceaff08d702333e505ed Mon Sep 17 00:00:00 2001
-From: Anthony Ramine <aramine@cloudflare.com>
-Date: Wed, 3 Dec 2025 11:10:16 +0100
-Subject: [PATCH] Add additional post-quantum key agreements
+From e45854b34aa48b1fdefad81906cdb9931e697bbc Mon Sep 17 00:00:00 2001
+From: Christopher Patton <cpatton@cloudflare.com>
+Date: Tue, 21 Apr 2026 15:45:09 -0700
+Subject: [PATCH] Add additional post-quantum key agreement
 
 This patch adds:
 
@@ -16,6 +16,8 @@ This patch adds:
    non post-quantum and a post-quantum keyshare if available.  These
    functions allow one to change the behaviour to only send a single
    keyshare.
+
+
 ---
  crypto/obj/obj_dat.h                |   6 +-
  crypto/obj/obj_mac.num              |   1 +
@@ -26,7 +28,7 @@ This patch adds:
  ssl/internal.h                      |  12 ++-
  ssl/ssl_key_share.cc                | 111 +++++++++++++++++++++++++++-
  ssl/ssl_lib.cc                      |  16 +++-
- ssl/ssl_test.cc                     |  19 ++++-
+ ssl/ssl_test.cc                     |  24 +++++-
  ssl/test/runner/basic_tests.go      |   2 +
  ssl/test/runner/cbc_tests.go        |   3 +
  ssl/test/runner/common.go           |   2 +-
@@ -35,22 +37,22 @@ This patch adds:
  ssl/test/runner/extension_tests.go  |   3 +-
  ssl/test/runner/key_update_tests.go |   6 +-
  tool/client.cc                      |   9 +++
- 18 files changed, 245 insertions(+), 42 deletions(-)
+ 18 files changed, 249 insertions(+), 43 deletions(-)
 
 diff --git a/crypto/obj/obj_dat.h b/crypto/obj/obj_dat.h
-index d8b86dcd2..6dd49ec36 100644
+index 10ad9bb14..3fe6fdec6 100644
 --- a/crypto/obj/obj_dat.h
 +++ b/crypto/obj/obj_dat.h
-@@ -15,7 +15,7 @@
- // This file is generated by crypto/obj/objects.go.
+@@ -16,7 +16,7 @@
  
  
+ BSSL_NAMESPACE_BEGIN
 -#define NUM_NID 971
 +#define NUM_NID 972
  
  static const uint8_t kObjectData[] = {
      /* NID_rsadsi */
-@@ -8799,6 +8799,8 @@ static const ASN1_OBJECT kObjects[NUM_NID] = {
+@@ -8800,6 +8800,8 @@ static const ASN1_OBJECT kObjects[NUM_NID] = {
      {"id-ml-dsa-87", "ML-DSA-87", NID_ML_DSA_87, 9, &kObjectData[6223], 0},
      {"id-alg-ml-kem-768", "ML-KEM-768", NID_ML_KEM_768, 9, &kObjectData[6232],
       0},
@@ -59,15 +61,15 @@ index d8b86dcd2..6dd49ec36 100644
  };
  
  static const uint16_t kNIDsInShortNameOrder[] = {
-@@ -8931,6 +8933,7 @@ static const uint16_t kNIDsInShortNameOrder[] = {
+@@ -8932,6 +8934,7 @@ static const uint16_t kNIDsInShortNameOrder[] = {
      18 /* OU */,
      749 /* Oakley-EC2N-3 */,
      750 /* Oakley-EC2N-4 */,
 +    971 /* P256Kyber768Draft00 */,
      9 /* PBE-MD2-DES */,
      168 /* PBE-MD2-RC2-64 */,
      10 /* PBE-MD5-DES */,
-@@ -9854,6 +9857,7 @@ static const uint16_t kNIDsInLongNameOrder[] = {
+@@ -9855,6 +9858,7 @@ static const uint16_t kNIDsInLongNameOrder[] = {
      366 /* OCSP Nonce */,
      371 /* OCSP Service Locator */,
      180 /* OCSP Signing */,
@@ -111,18 +113,18 @@ index 83a1cf592..7265f15f6 100644
  #if defined(__cplusplus)
  } /* extern C */
 diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
-index ff68ba69e..0730e769a 100644
+index 3a2e6dc50..300848e0f 100644
 --- a/include/openssl/ssl.h
 +++ b/include/openssl/ssl.h
-@@ -2550,6 +2550,7 @@ OPENSSL_EXPORT size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx);
+@@ -2579,6 +2579,7 @@ OPENSSL_EXPORT size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx);
  #define SSL_GROUP_X25519_MLKEM768 0x11ec
  #define SSL_GROUP_X25519_KYBER768_DRAFT00 0x6399
  #define SSL_GROUP_MLKEM1024 0x0202
 +#define SSL_GROUP_P256_KYBER768_DRAFT00 0xfe32
  
  // SSL_CTX_set1_group_ids sets the preferred groups for |ctx| to |group_ids|.
  // Each element of |group_ids| should be a unique one of the |SSL_GROUP_*|
-@@ -5964,6 +5965,20 @@ OPENSSL_EXPORT int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves);
+@@ -6195,6 +6196,20 @@ OPENSSL_EXPORT int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves);
  // SSL_set1_curves_list calls |SSL_set1_groups_list|.
  OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves);
  
@@ -144,18 +146,18 @@ index ff68ba69e..0730e769a 100644
  // |SSL_get_negotiated_group| to return an unrecognized group. BoringSSL never
  // returns this value, but we define this constant for compatibility.
 diff --git a/ssl/extensions.cc b/ssl/extensions.cc
-index c5f90688c..e0514fed3 100644
+index 529226876..e2ed74d5f 100644
 --- a/ssl/extensions.cc
 +++ b/ssl/extensions.cc
-@@ -101,6 +101,7 @@ static bool tls1_check_duplicate_extensions(const CBS *cbs) {
+@@ -106,6 +106,7 @@ static bool tls1_check_duplicate_extensions(const CBS *cbs) {
  static bool is_post_quantum_group(uint16_t id) {
    switch (id) {
      case SSL_GROUP_X25519_KYBER768_DRAFT00:
 +    case SSL_GROUP_P256_KYBER768_DRAFT00:
      case SSL_GROUP_X25519_MLKEM768:
      case SSL_GROUP_MLKEM1024:
        return true;
-@@ -2241,18 +2242,21 @@ bool ssl_setup_key_shares(SSL_HANDSHAKE *hs, uint16_t override_group_id) {
+@@ -2413,18 +2414,21 @@ bool ssl_setup_key_shares(SSL_HANDSHAKE *hs, uint16_t override_group_id) {
      if (!default_key_shares.TryPushBack(supported_group_list[0])) {
        return false;
      }
@@ -189,10 +191,10 @@ index c5f90688c..e0514fed3 100644
      selected_key_shares.emplace(default_key_shares);
    }
 diff --git a/ssl/internal.h b/ssl/internal.h
-index a69505b47..1f5ce51e6 100644
+index 4d86a6170..1c0d9f2fd 100644
 --- a/ssl/internal.h
 +++ b/ssl/internal.h
-@@ -955,7 +955,7 @@ struct NamedGroup {
+@@ -913,7 +913,7 @@ struct NamedGroup {
  Span<const NamedGroup> NamedGroups();
  
  // kNumNamedGroups is the number of supported groups.
@@ -201,7 +203,7 @@ index a69505b47..1f5ce51e6 100644
  
  // DefaultSupportedGroupIds returns the list of IDs for the default groups that
  // are supported when the caller hasn't explicitly configured supported groups.
-@@ -3388,6 +3388,11 @@ struct SSL_CONFIG {
+@@ -3512,6 +3512,11 @@ struct SSL_CONFIG {
    // permute_extensions is whether to permute extensions when sending messages.
    bool permute_extensions : 1;
  
@@ -213,7 +215,7 @@ index a69505b47..1f5ce51e6 100644
    // aes_hw_override if set indicates we should override checking for aes
    // hardware support, and use the value in aes_hw_override_value instead.
    bool aes_hw_override : 1;
-@@ -4015,6 +4020,11 @@ struct ssl_ctx_st : public bssl::RefCounted<ssl_ctx_st> {
+@@ -4149,6 +4154,11 @@ struct ssl_ctx_st : public bssl::RefCounted<ssl_ctx_st> {
    // permute_extensions is whether to permute extensions when sending messages.
    bool permute_extensions : 1;
  
@@ -371,34 +373,34 @@ index d155b5527..4fb08906b 100644
        return nullptr;
    }
 diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
-index f64b103fb..fe5bb9bc7 100644
+index de4e79efc..4ca2e799d 100644
 --- a/ssl/ssl_lib.cc
 +++ b/ssl/ssl_lib.cc
-@@ -397,6 +397,7 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
+@@ -385,6 +385,7 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
        channel_id_enabled(false),
        grease_enabled(false),
        permute_extensions(false),
 +      disable_second_keyshare(false),
        allow_unknown_alpn_protos(false),
        false_start_allowed_without_alpn(false),
        handoff(false),
-@@ -527,6 +528,7 @@ SSL *SSL_new(SSL_CTX *ctx) {
+@@ -517,6 +518,7 @@ SSL *SSL_new(SSL_CTX *ctx) {
    ssl->config->retain_only_sha256_of_client_certs =
        ctx->retain_only_sha256_of_client_certs;
    ssl->config->permute_extensions = ctx->permute_extensions;
 +  ssl->config->disable_second_keyshare = ctx->disable_second_keyshare;
    ssl->config->aes_hw_override = ctx->aes_hw_override;
    ssl->config->aes_hw_override_value = ctx->aes_hw_override_value;
    ssl->config->compliance_policy = ctx->compliance_policy;
-@@ -586,6 +588,7 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg)
+@@ -582,6 +584,7 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg)
        jdk11_workaround(false),
        quic_use_legacy_codepoint(false),
        permute_extensions(false),
 +      disable_second_keyshare(false),
        alps_use_new_codepoint(true) {
    assert(ssl);
  }
-@@ -3331,6 +3334,15 @@ int SSL_set1_curves_list(SSL *ssl, const char *curves) {
+@@ -3372,6 +3375,15 @@ int SSL_set1_curves_list(SSL *ssl, const char *curves) {
    return SSL_set1_groups_list(ssl, curves);
  }
  
@@ -414,7 +416,7 @@ index f64b103fb..fe5bb9bc7 100644
  namespace fips202205 {
  
  // (References are to SP 800-52r2):
-@@ -3342,7 +3354,9 @@ namespace fips202205 {
+@@ -3383,7 +3395,9 @@ namespace fips202205 {
  // Section 3.3.1
  // "The server shall be configured to only use cipher suites that are
  // composed entirely of NIST approved algorithms"
@@ -426,10 +428,10 @@ index f64b103fb..fe5bb9bc7 100644
  static const uint16_t kSigAlgs[] = {
      SSL_SIGN_RSA_PKCS1_SHA256,
 diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
-index 779a2c37a..36a0cab3b 100644
+index 49adcaf72..6427ecf5d 100644
 --- a/ssl/ssl_test.cc
 +++ b/ssl/ssl_test.cc
-@@ -506,6 +506,14 @@ static const CurveTest kCurveTests[] = {
+@@ -520,6 +520,14 @@ static const CurveTest kCurveTests[] = {
          "MLKEM1024:X25519MLKEM768",
          {SSL_GROUP_MLKEM1024, SSL_GROUP_X25519_MLKEM768},
      },
@@ -444,7 +446,7 @@ index 779a2c37a..36a0cab3b 100644
  
      {
          "P-256:P-384:P-521:X25519",
-@@ -668,7 +676,9 @@ TEST(SSLTest, CurveRules) {
+@@ -681,7 +689,9 @@ TEST(SSLTest, CurveRules) {
  }
  
  TEST(SSLTest, DefaultCurves) {
@@ -455,7 +457,7 @@ index 779a2c37a..36a0cab3b 100644
                                  SSL_GROUP_SECP384R1};
  
    // Test the group ID APIs.
-@@ -1522,6 +1532,9 @@ static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
+@@ -1641,6 +1651,9 @@ static bool GetClientHello(SSL *ssl, std::vector<uint8_t> *out) {
  static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
                                  size_t ticket_len) {
    bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
@@ -465,7 +467,19 @@ index 779a2c37a..36a0cab3b 100644
    bssl::UniquePtr<SSL_SESSION> session =
        CreateSessionWithTicket(session_version, ticket_len);
    if (!ctx || !session) {
-@@ -6815,7 +6828,9 @@ TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) {
+@@ -2315,7 +2328,10 @@ TEST(SSLTest, SetGroupIdsWithEqualPreference) {
+ // Test that the SSL group flags are defaulted to zero when zero groups are set
+ // (i.e. using the default groups).
+ TEST(SSLTest, SetGroupIdsWithFlags_DefaultGroups) {
+-  const uint16_t kDefaultGroups[] = {SSL_GROUP_X25519, SSL_GROUP_SECP256R1,
++  const uint16_t kDefaultGroups[] = {SSL_GROUP_X25519_MLKEM768,
++                                     SSL_GROUP_P256_KYBER768_DRAFT00,
++                                     SSL_GROUP_X25519,
++                                     SSL_GROUP_SECP256R1,
+                                      SSL_GROUP_SECP384R1};
+   const uint32_t kBogusFlags[] = {SSL_GROUP_FLAG_EQUAL_PREFERENCE_WITH_NEXT,
+                                   SSL_GROUP_FLAG_EQUAL_PREFERENCE_WITH_NEXT, 0};
+@@ -7052,7 +7068,9 @@ TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) {
  
    // The default list of groups is used before applying the handoff.
    EXPECT_THAT(server->config->supported_group_list,
@@ -477,18 +491,18 @@ index 779a2c37a..36a0cab3b 100644
    ASSERT_TRUE(SSL_apply_handoff(server.get(), handoff));
    EXPECT_EQ(1u, server->config->supported_group_list.size());
 diff --git a/ssl/test/runner/basic_tests.go b/ssl/test/runner/basic_tests.go
-index 08de8fa5f..dd945fa49 100644
+index dfd17d5f1..054241404 100644
 --- a/ssl/test/runner/basic_tests.go
 +++ b/ssl/test/runner/basic_tests.go
-@@ -129,6 +129,7 @@ read alert 1 0
+@@ -132,6 +132,7 @@ read alert 1 0
  				`write hs 1
  read hs 3
  write hs 1
 +write hs 1
  read hs 2
  read hs 11
  read hs 12
-@@ -1956,6 +1957,7 @@ read alert 1 0
+@@ -1975,6 +1976,7 @@ read alert 1 0
  write hs 2
  write hs 8
  write hs 11
@@ -518,10 +532,10 @@ index 6f49d12af..5e970b2b5 100644
  		})
  	}
 diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
-index 7dbde72c9..9d18d9d45 100644
+index 2d174832f..5056444de 100644
 --- a/ssl/test/runner/common.go
 +++ b/ssl/test/runner/common.go
-@@ -2095,7 +2095,7 @@ type ProtocolBugs struct {
+@@ -2172,7 +2172,7 @@ type ProtocolBugs struct {
  	FailIfHelloRetryRequested bool
  
  	// FailIfPostQuantumOffered will cause a server to reject a ClientHello if
@@ -531,10 +545,10 @@ index 7dbde72c9..9d18d9d45 100644
  
  	// ExpectKeyShares, if not nil, lists (in order) the curves that a ClientHello
 diff --git a/ssl/test/runner/curve_tests.go b/ssl/test/runner/curve_tests.go
-index 8e7b0a45b..556bf314d 100644
+index 9bc13115e..0d11da734 100644
 --- a/ssl/test/runner/curve_tests.go
 +++ b/ssl/test/runner/curve_tests.go
-@@ -579,17 +579,6 @@ func addCurveTests() {
+@@ -581,17 +581,6 @@ func addCurveTests() {
  		})
  	}
  
@@ -552,7 +566,7 @@ index 8e7b0a45b..556bf314d 100644
  	for _, curve := range testCurves {
  		if !isMLKEMGroup(curve.id) {
  			continue
-@@ -679,18 +668,19 @@ func addCurveTests() {
+@@ -681,18 +670,19 @@ func addCurveTests() {
  		})
  	}
  
@@ -630,7 +644,7 @@ index 2cd3c10d3..f19d8d20a 100644
  			clientAndServerHelloInitial += "write ccs\n"
  		}
 diff --git a/ssl/test/runner/extension_tests.go b/ssl/test/runner/extension_tests.go
-index d6adb7759..4eb80aa8e 100644
+index 3087efe37..61a036d8b 100644
 --- a/ssl/test/runner/extension_tests.go
 +++ b/ssl/test/runner/extension_tests.go
 @@ -16,6 +16,7 @@ package runner
@@ -651,7 +665,7 @@ index d6adb7759..4eb80aa8e 100644
  
  	// Test that illegal extensions in TLS 1.3 are rejected by the client if
 diff --git a/ssl/test/runner/key_update_tests.go b/ssl/test/runner/key_update_tests.go
-index 0a9053038..5ce709589 100644
+index f98528265..2068b1102 100644
 --- a/ssl/test/runner/key_update_tests.go
 +++ b/ssl/test/runner/key_update_tests.go
 @@ -14,7 +14,10 @@
@@ -675,10 +689,10 @@ index 0a9053038..5ce709589 100644
  
  	// Test that shim responds to KeyUpdate requests.
 diff --git a/tool/client.cc b/tool/client.cc
-index 0839d4880..be9b79259 100644
+index 1653af8da..cab725d40 100644
 --- a/tool/client.cc
 +++ b/tool/client.cc
-@@ -125,6 +125,11 @@ static const struct argument kArguments[] = {
+@@ -156,6 +156,11 @@ static const struct argument kArguments[] = {
          kBooleanArgument,
          "Permute extensions in handshake messages",
      },
@@ -688,19 +702,19 @@ index 0839d4880..be9b79259 100644
 +        "Do not send a second keyshare",
 +    },
      {
-         "-test-resumption", kBooleanArgument,
-         "Connect to the server twice. The first connection is closed once a "
-@@ -538,6 +543,10 @@ bool Client(const std::vector<std::string> &args) {
+         "-test-resumption",
+         kBooleanArgument,
+@@ -637,6 +642,10 @@ bool Client(const std::vector<std::string> &args) {
      SSL_CTX_set_permute_extensions(ctx.get(), 1);
    }
  
 +  if (args_map.count("-disable-second-keyshare") != 0) {
 +    SSL_CTX_use_second_keyshare(ctx.get(), 0);
 +  }
 +
+   // Configure accepted roots.
    if (args_map.count("-root-certs") != 0) {
      if (!SSL_CTX_load_verify_locations(
-             ctx.get(), args_map["-root-certs"].c_str(), nullptr)) {
 -- 
-2.40.0
+2.50.1 (Apple Git-155)
 
