diff options
author | Adam Langley <agl@chromium.org> | 2024-01-08 14:17:36 -0800 |
---|---|---|
committer | Adam Langley <agl@google.com> | 2024-01-19 18:25:19 +0000 |
commit | 0ea8ee17f96937eee487a0052d36d43fc64d7318 (patch) | |
tree | aa6f0ac244874f3a1bf62e2a5a18672f33c28c17 /rust | |
parent | 42098472108fe4207a3058ab27f175eeb566f0fb (diff) | |
download | boringssl-0ea8ee17f96937eee487a0052d36d43fc64d7318.zip boringssl-0ea8ee17f96937eee487a0052d36d43fc64d7318.tar.gz boringssl-0ea8ee17f96937eee487a0052d36d43fc64d7318.tar.bz2 |
Reworking bssl_crypto: Sync+Send for ECC and RSA.
Change-Id: I87bcf08839c1c8e7cbdb8f5fdc3717b528a60de2
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65180
Reviewed-by: Bob Beck <bbe@google.com>
Diffstat (limited to 'rust')
-rw-r--r-- | rust/bssl-crypto/src/ec.rs | 25 | ||||
-rw-r--r-- | rust/bssl-crypto/src/rsa.rs | 20 |
2 files changed, 45 insertions, 0 deletions
diff --git a/rust/bssl-crypto/src/ec.rs b/rust/bssl-crypto/src/ec.rs index 98b4199..90452c5 100644 --- a/rust/bssl-crypto/src/ec.rs +++ b/rust/bssl-crypto/src/ec.rs @@ -242,6 +242,18 @@ impl Point { } } +// Safety: +// +// An `EC_POINT` can be used concurrently from multiple threads so long as no +// mutating operations are performed. The mutating operations used here are +// `EC_POINT_mul` and `EC_POINT_oct2point` (which can be observed by setting +// `point` to be `*const` in the struct and seeing what errors trigger. +// +// Both those operations are done internally, however, before a `Point` is +// returned. So, after construction, callers cannot mutate the `EC_POINT`. +unsafe impl Sync for Point {} +unsafe impl Send for Point {} + impl Drop for Point { fn drop(&mut self) { // Safety: `self.point` must be valid because only valid `Point`s can @@ -434,6 +446,19 @@ impl Key { } } +// Safety: +// +// An `EC_KEY` is safe to use from multiple threads so long as no mutating +// operations are performed. (Reference count changes don't count as mutating.) +// The mutating operations used here are: +// * EC_KEY_generate_key +// * EC_KEY_oct2priv +// * EC_KEY_set_public_key +// But those are all done internally, before a `Key` is returned. So, once +// constructed, callers cannot mutate the `EC_KEY`. +unsafe impl Sync for Key {} +unsafe impl Send for Key {} + impl Drop for Key { fn drop(&mut self) { // Safety: `self.0` must be valid because only valid `Key`s can diff --git a/rust/bssl-crypto/src/rsa.rs b/rust/bssl-crypto/src/rsa.rs index ba85535..cd67d79 100644 --- a/rust/bssl-crypto/src/rsa.rs +++ b/rust/bssl-crypto/src/rsa.rs @@ -151,6 +151,16 @@ impl PublicKey { } } +// Safety: +// +// An `RSA` is safe to use from multiple threads so long as no mutating +// operations are performed. (Reference count changes don't count as mutating.) +// No mutating operations are performed. `RSA_verify` takes a non-const pointer +// but the BoringSSL docs specifically say that "these functions are considered +// non-mutating for thread-safety purposes and may be used concurrently." +unsafe impl Sync for PublicKey {} +unsafe impl Send for PublicKey {} + impl Drop for PublicKey { fn drop(&mut self) { // Safety: this object owns `self.0`. @@ -279,6 +289,16 @@ impl PrivateKey { } } +// Safety: +// +// An `RSA` is safe to use from multiple threads so long as no mutating +// operations are performed. (Reference count changes don't count as mutating.) +// No mutating operations are performed. `RSA_sign` takes a non-const pointer +// but the BoringSSL docs specifically say that "these functions are considered +// non-mutating for thread-safety purposes and may be used concurrently." +unsafe impl Sync for PrivateKey {} +unsafe impl Send for PrivateKey {} + impl Drop for PrivateKey { fn drop(&mut self) { // Safety: `self.0` is always owned by this struct. |