Reworking bssl_crypto: Sync+Send for ECC and RSA.
Change-Id: I87bcf08839c1c8e7cbdb8f5fdc3717b528a60de2
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65180
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/rust/bssl-crypto/src/ec.rs b/rust/bssl-crypto/src/ec.rs
index 98b4199..90452c5 100644
--- a/rust/bssl-crypto/src/ec.rs
+++ b/rust/bssl-crypto/src/ec.rs
@@ -242,6 +242,18 @@
}
}
+// Safety:
+//
+// An `EC_POINT` can be used concurrently from multiple threads so long as no
+// mutating operations are performed. The mutating operations used here are
+// `EC_POINT_mul` and `EC_POINT_oct2point` (which can be observed by setting
+// `point` to be `*const` in the struct and seeing what errors trigger.
+//
+// Both those operations are done internally, however, before a `Point` is
+// returned. So, after construction, callers cannot mutate the `EC_POINT`.
+unsafe impl Sync for Point {}
+unsafe impl Send for Point {}
+
impl Drop for Point {
fn drop(&mut self) {
// Safety: `self.point` must be valid because only valid `Point`s can
@@ -434,6 +446,19 @@
}
}
+// Safety:
+//
+// An `EC_KEY` is safe to use from multiple threads so long as no mutating
+// operations are performed. (Reference count changes don't count as mutating.)
+// The mutating operations used here are:
+// * EC_KEY_generate_key
+// * EC_KEY_oct2priv
+// * EC_KEY_set_public_key
+// But those are all done internally, before a `Key` is returned. So, once
+// constructed, callers cannot mutate the `EC_KEY`.
+unsafe impl Sync for Key {}
+unsafe impl Send for Key {}
+
impl Drop for Key {
fn drop(&mut self) {
// Safety: `self.0` must be valid because only valid `Key`s can
diff --git a/rust/bssl-crypto/src/rsa.rs b/rust/bssl-crypto/src/rsa.rs
index ba85535..cd67d79 100644
--- a/rust/bssl-crypto/src/rsa.rs
+++ b/rust/bssl-crypto/src/rsa.rs
@@ -151,6 +151,16 @@
}
}
+// Safety:
+//
+// An `RSA` is safe to use from multiple threads so long as no mutating
+// operations are performed. (Reference count changes don't count as mutating.)
+// No mutating operations are performed. `RSA_verify` takes a non-const pointer
+// but the BoringSSL docs specifically say that "these functions are considered
+// non-mutating for thread-safety purposes and may be used concurrently."
+unsafe impl Sync for PublicKey {}
+unsafe impl Send for PublicKey {}
+
impl Drop for PublicKey {
fn drop(&mut self) {
// Safety: this object owns `self.0`.
@@ -279,6 +289,16 @@
}
}
+// Safety:
+//
+// An `RSA` is safe to use from multiple threads so long as no mutating
+// operations are performed. (Reference count changes don't count as mutating.)
+// No mutating operations are performed. `RSA_sign` takes a non-const pointer
+// but the BoringSSL docs specifically say that "these functions are considered
+// non-mutating for thread-safety purposes and may be used concurrently."
+unsafe impl Sync for PrivateKey {}
+unsafe impl Send for PrivateKey {}
+
impl Drop for PrivateKey {
fn drop(&mut self) {
// Safety: `self.0` is always owned by this struct.
