Google Git
Sign in
boringssl/boringssl.git/0ea8ee17f96937eee487a0052d36d43fc64d7318^!/.
commit
0ea8ee17f96937eee487a0052d36d43fc64d7318
[log]
author
Adam Langley <agl@chromium.org>
Mon Jan 08 14:17:36 2024 -0800
committer
Adam Langley <agl@google.com>
Fri Jan 19 18:25:19 2024 +0000
tree
aa6f0ac244874f3a1bf62e2a5a18672f33c28c17
parent
42098472108fe4207a3058ab27f175eeb566f0fb [diff]
Reworking bssl_crypto: Sync+Send for ECC and RSA.

Change-Id: I87bcf08839c1c8e7cbdb8f5fdc3717b528a60de2
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65180
Reviewed-by: Bob Beck <bbe@google.com>

diff --git a/rust/bssl-crypto/src/ec.rs b/rust/bssl-crypto/src/ec.rs
index 98b4199..90452c5 100644
--- a/rust/bssl-crypto/src/ec.rs
+++ b/rust/bssl-crypto/src/ec.rs

@@ -242,6 +242,18 @@
     }
 }
 
+// Safety:
+//
+// An `EC_POINT` can be used concurrently from multiple threads so long as no
+// mutating operations are performed. The mutating operations used here are
+// `EC_POINT_mul` and `EC_POINT_oct2point` (which can be observed by setting
+// `point` to be `*const` in the struct and seeing what errors trigger.
+//
+// Both those operations are done internally, however, before a `Point` is
+// returned. So, after construction, callers cannot mutate the `EC_POINT`.
+unsafe impl Sync for Point {}
+unsafe impl Send for Point {}
+
 impl Drop for Point {
     fn drop(&mut self) {
         // Safety: `self.point` must be valid because only valid `Point`s can
@@ -434,6 +446,19 @@
     }
 }
 
+// Safety:
+//
+// An `EC_KEY` is safe to use from multiple threads so long as no mutating
+// operations are performed. (Reference count changes don't count as mutating.)
+// The mutating operations used here are:
+//   * EC_KEY_generate_key
+//   * EC_KEY_oct2priv
+//   * EC_KEY_set_public_key
+// But those are all done internally, before a `Key` is returned. So, once
+// constructed, callers cannot mutate the `EC_KEY`.
+unsafe impl Sync for Key {}
+unsafe impl Send for Key {}
+
 impl Drop for Key {
     fn drop(&mut self) {
         // Safety: `self.0` must be valid because only valid `Key`s can

diff --git a/rust/bssl-crypto/src/rsa.rs b/rust/bssl-crypto/src/rsa.rs
index ba85535..cd67d79 100644
--- a/rust/bssl-crypto/src/rsa.rs
+++ b/rust/bssl-crypto/src/rsa.rs

@@ -151,6 +151,16 @@
     }
 }
 
+// Safety:
+//
+// An `RSA` is safe to use from multiple threads so long as no mutating
+// operations are performed. (Reference count changes don't count as mutating.)
+// No mutating operations are performed. `RSA_verify` takes a non-const pointer
+// but the BoringSSL docs specifically say that "these functions are considered
+// non-mutating for thread-safety purposes and may be used concurrently."
+unsafe impl Sync for PublicKey {}
+unsafe impl Send for PublicKey {}
+
 impl Drop for PublicKey {
     fn drop(&mut self) {
         // Safety: this object owns `self.0`.
@@ -279,6 +289,16 @@
     }
 }
 
+// Safety:
+//
+// An `RSA` is safe to use from multiple threads so long as no mutating
+// operations are performed. (Reference count changes don't count as mutating.)
+// No mutating operations are performed. `RSA_sign` takes a non-const pointer
+// but the BoringSSL docs specifically say that "these functions are considered
+// non-mutating for thread-safety purposes and may be used concurrently."
+unsafe impl Sync for PrivateKey {}
+unsafe impl Send for PrivateKey {}
+
 impl Drop for PrivateKey {
     fn drop(&mut self) {
         // Safety: `self.0` is always owned by this struct.