Expose set_groups/set_curves functions #14288

Merged
alex merged 1 commit into pyca:main from schwabe:schwabe/set_groups
Feb 12, 2026

@schwabe
Contributor

schwabe commented Feb 10, 2026

This allows pyOpenSSL to restrict the groups allowed to be used. E.g. for restricting the groups to post-quantum hybrid groups (e.g. X25519MLKEM768) to always ensure that post-quantum cryptography is used.

This commit uses the set_curves instead of the set_groups variant since that naming is available on all OpenSSL versions and forks.

@alex
Member

alex commented Feb 10, 2026

Before we land new CFFI APIs in cryptography, we prefer to have a PoC up for pyOpenSSL, just to make sure the APIs we're adding support a reasonable design in pyOpenSSL.

@schwabe
Contributor Author

schwabe commented Feb 11, 2026

Sure, the PR for pyOpenSSL is here: pyca/pyopenssl#1477

I still struggle a bit to figure out how to tell the CI for pyOpenSSL/GitHub/nox that it needs to build cryptography from this PR to make the tests work. Installing manually the cryptography version in the venv makes the tests work at least on OpenSSL.

@alex
Member

alex commented Feb 11, 2026

That's fine, the goal is to demonstrate that this can work (and that we'll actually be getting a pyOpenSSL PR out of it).

Unfortunately for a while we had a lot of folks send PRs to add new bindings, but never follow up with the pyOpenSSL PRs.


/* both functions are have int return type according to the man page but
* long in its implementation. Newer versions also have the set1_groups
* function but the curves variants are availalbe on all forks and OpenSSL
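
Review bot: The first line of this comment has a stray word, "both functions are have int return type"; drop "are" so it reads "both functions have int return type". Since the subject is both functions, "long in its implementation" should also be "long in their implementation".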
Member


Suggested change
* function but the curves variants are availalbe on all forks and OpenSSL
* function but the curves variants are available on all forks and OpenSSL

This allows pyOpenSSL to restrict the groups allowed to be used. E.g.
for restricting the groups to post-quantum hybrid groups
(e.g. X25519MLKEM768) to always ensure that post-quantum cryptography is
used.

This commit uses the set_curves instead of the set_groups variant since
that naming is available on all OpenSSL versions and forks.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
@alex alex enabled auto-merge (squash) February 12, 2026 12:25
@alex alex merged commit ae9501f into pyca:main Feb 12, 2026
130 of 132 checks passed