openssl 4 support (#2591)

reaperhulk · claude · web-flow · commit 1fc51efa3f63 · 2026-04-15T20:07:23.000-04:00
* Add initial support for OpenSSL 4.x betas

Accept OpenSSL 4.x in the version check (raising the ceiling to 4.0.0
final), add the ossl400 cfg flag, and ignore tests with behavioral
changes in OpenSSL 4 (tmp_dh_callback, zero_length_buffers).

* Fix zero-length SSL_read_ex/SSL_write_ex calling into OpenSSL

The empty-buffer early return was only on the pre-1.1.1 code path.
On the ossl111/libressl path, SSL_read_ex and SSL_write_ex were called
with length 0, causing OpenSSL to perform wire I/O unnecessarily. This
was exposed by OpenSSL 4 which now errors. Hoist the guard above the
cfg_if so it applies to all versions.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;

* Handle const-qualified return types in OpenSSL 4

OpenSSL 4 changed X509_NAME_ENTRY_get_data, X509_NAME_ENTRY_get_object,
and X509_CRL_get_issuer to return const pointers. Use const_ptr_if(ossl400)
in the FFI bindings and cast to *mut at the call sites since we only
return immutable references.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;

* Add Version::Openssl4xx, bind SSL_OP_IGNORE_UNEXPECTED_EOF

Add a distinct Openssl4xx variant to the Version enum and use it for
OpenSSL 4.x detection. Bind SSL_OP_IGNORE_UNEXPECTED_EOF (gated on
ossl400) and set it in the default_verify_paths test to handle peers
that close without close_notify.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;

* Add 4.0.0-beta1 in CI

* cargo fmt

* update a comment and some cfg guards

* missed a comment

* 4.0.0

---------

Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -182,6 +182,8 @@ jobs:
               version: 338f44af3c92ef665bf740a8127a2d69c872b52a
             - name: openssl
               version: vendored
+            - name: openssl
+              version: 4.0.0
             - name: openssl
               version: 3.6.0
             - name: openssl
diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs
@@ -93,6 +93,9 @@ pub fn get(openssl_version: Option<u64>, libressl_version: Option<u64>) -> Vec<&
         if openssl_version >= 0x3_05_00_00_0 {
             cfgs.push("ossl350");
         }
+        if openssl_version >= 0x4_00_00_00_0 {
+            cfgs.push("ossl400");
+        }
     }
 
     cfgs
diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs
@@ -19,6 +19,7 @@ mod run_bindgen;
 
 #[derive(PartialEq)]
 enum Version {
+    Openssl4xx,
     Openssl3xx,
     Openssl11x,
     Libressl,
@@ -180,6 +181,7 @@ fn main() {
     println!("cargo:rustc-check-cfg=cfg(ossl320)");
     println!("cargo:rustc-check-cfg=cfg(ossl330)");
     println!("cargo:rustc-check-cfg=cfg(ossl340)");
+    println!("cargo:rustc-check-cfg=cfg(ossl400)");
 
     check_ssl_kind();
 
@@ -226,7 +228,9 @@ fn main() {
             }
         }
         None => match version {
-            Version::Openssl3xx | Version::Openssl11x if target.contains("windows-msvc") => {
+            Version::Openssl4xx | Version::Openssl3xx | Version::Openssl11x
+                if target.contains("windows-msvc") =>
+            {
                 vec!["libssl", "libcrypto"]
             }
             _ => vec!["ssl", "crypto"],
@@ -270,7 +274,7 @@ fn main() {
     }
 
     // https://github.com/openssl/openssl/pull/15086
-    if version == Version::Openssl3xx
+    if (version == Version::Openssl3xx || version == Version::Openssl4xx)
         && kind == "static"
         && (env::var("CARGO_CFG_TARGET_OS").unwrap() == "linux"
             || env::var("CARGO_CFG_TARGET_OS").unwrap() == "android")
@@ -436,8 +440,10 @@ See rust-openssl documentation for more information:
         let openssl_version = openssl_version.unwrap();
         println!("cargo:version_number={openssl_version:x}");
 
-        if openssl_version >= 0x4_00_00_00_0 {
+        if openssl_version >= 0x5_00_00_00_0 {
             version_error()
+        } else if openssl_version >= 0x4_00_00_00_0 {
+            Version::Openssl4xx
         } else if openssl_version >= 0x3_00_00_00_0 {
             Version::Openssl3xx
         } else if openssl_version >= 0x1_01_01_00_0 {
@@ -460,7 +466,7 @@ fn version_error() -> ! {
     panic!(
         "
 
-This crate is only compatible with OpenSSL (version 1.1.0, 1.1.1, or 3.x), or LibreSSL 3.5.0
+This crate is only compatible with OpenSSL (version 1.1.0, 1.1.1, 3.x, or 4.x), or LibreSSL 3.5.0
 through 4.2.x, but a different version of OpenSSL was found. The build is now aborting
 due to this version mismatch.
 
diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs
@@ -332,7 +332,13 @@ extern "C" {
     pub fn X509_CRL_get_REVOKED(crl: *mut X509_CRL) -> *mut stack_st_X509_REVOKED;
     pub fn X509_CRL_get0_nextUpdate(x: *const X509_CRL) -> *const ASN1_TIME;
     pub fn X509_CRL_get0_lastUpdate(x: *const X509_CRL) -> *const ASN1_TIME;
-    pub fn X509_CRL_get_issuer(x: *const X509_CRL) -> *mut X509_NAME;
+}
+const_ptr_api! {
+    extern "C" {
+        pub fn X509_CRL_get_issuer(x: *const X509_CRL) -> #[const_ptr_if(ossl400)] X509_NAME;
+    }
+}
+extern "C" {
 
     #[cfg(ossl110)]
     pub fn X509_get0_extensions(req: *const X509) -> *const stack_st_X509_EXTENSION;
@@ -370,8 +376,8 @@ const_ptr_api! {
             set: c_int,
         ) -> c_int;
         pub fn i2d_X509_NAME(n: #[const_ptr_if(ossl300)] X509_NAME, buf: *mut *mut u8) -> c_int;
-        pub fn X509_NAME_ENTRY_get_object(ne: *const X509_NAME_ENTRY) -> *mut ASN1_OBJECT;
-        pub fn X509_NAME_ENTRY_get_data(ne: *const X509_NAME_ENTRY) -> *mut ASN1_STRING;
+        pub fn X509_NAME_ENTRY_get_object(ne: *const X509_NAME_ENTRY) -> #[const_ptr_if(ossl400)] ASN1_OBJECT;
+        pub fn X509_NAME_ENTRY_get_data(ne: *const X509_NAME_ENTRY) -> #[const_ptr_if(ossl400)] ASN1_STRING;
     }
 }
 extern "C" {
diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs
@@ -82,6 +82,8 @@ cfg_if! {
 }
 #[cfg(ossl110)]
 pub const SSL_OP_SAFARI_ECDHE_ECDSA_BUG: ssl_op_type!() = 0x00000040;
+#[cfg(ossl300)]
+pub const SSL_OP_IGNORE_UNEXPECTED_EOF: ssl_op_type!() = 0x00000080;
 
 pub const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS: ssl_op_type!() = 0x00000800;
 
diff --git a/openssl/build.rs b/openssl/build.rs
@@ -50,6 +50,7 @@ fn main() {
     println!("cargo:rustc-check-cfg=cfg(ossl330)");
     println!("cargo:rustc-check-cfg=cfg(ossl340)");
     println!("cargo:rustc-check-cfg=cfg(ossl350)");
+    println!("cargo:rustc-check-cfg=cfg(ossl400)");
 
     if env::var("DEP_OPENSSL_LIBRESSL").is_ok() {
         println!("cargo:rustc-cfg=libressl");
@@ -155,5 +156,8 @@ fn main() {
         if version >= 0x3_05_00_00_0 {
             println!("cargo:rustc-cfg=ossl350");
         }
+        if version >= 0x4_00_00_00_0 {
+            println!("cargo:rustc-cfg=ossl400");
+        }
     }
 }
diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs
@@ -1,7 +1,7 @@
 //! Bindings to OpenSSL
 //!
 //! This crate provides a safe interface to the popular OpenSSL cryptography library. OpenSSL versions 1.0.2 through
-//! 3.x.x and LibreSSL versions 3.5 through 4.2.x are supported.
+//! 4.x.x and LibreSSL versions 3.5 through 4.2.x are supported.
 //!
 //! # Building
 //!
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
@@ -150,6 +150,11 @@ bitflags! {
         /// Disables a countermeasure against an SSLv3/TLSv1.0 vulnerability affecting CBC ciphers.
         const DONT_INSERT_EMPTY_FRAGMENTS = ffi::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS as SslOptionsRepr;
 
+        /// If set, a peer closing the connection without sending a close_notify alert is
+        /// treated as a normal EOF rather than an error.
+        #[cfg(ossl300)]
+        const IGNORE_UNEXPECTED_EOF = ffi::SSL_OP_IGNORE_UNEXPECTED_EOF as SslOptionsRepr;
+
         /// A "reasonable default" set of options which enables compatibility flags.
         #[cfg(not(any(boringssl, awslc)))]
         const ALL = ffi::SSL_OP_ALL as SslOptionsRepr;
@@ -3731,6 +3736,10 @@ impl<S: Read + Write> SslStream<S> {
     /// then the first `n` bytes of `buf` are guaranteed to be initialized.
     #[corresponds(SSL_read_ex)]
     pub fn ssl_read_uninit(&mut self, buf: &mut [MaybeUninit<u8>]) -> Result<usize, Error> {
+        if buf.is_empty() {
+            return Ok(0);
+        }
+
         cfg_if! {
             if #[cfg(any(ossl111, libressl))] {
                 let mut readbytes = 0;
@@ -3749,10 +3758,6 @@ impl<S: Read + Write> SslStream<S> {
                     Err(self.make_error(ret))
                 }
             } else {
-                if buf.is_empty() {
-                    return Ok(0);
-                }
-
                 let len = usize::min(c_int::MAX as usize, buf.len()) as c_int;
                 let ret = unsafe {
                     ffi::SSL_read(self.ssl().as_ptr(), buf.as_mut_ptr().cast(), len)
@@ -3772,6 +3777,10 @@ impl<S: Read + Write> SslStream<S> {
     /// OpenSSL is waiting on read or write readiness.
     #[corresponds(SSL_write_ex)]
     pub fn ssl_write(&mut self, buf: &[u8]) -> Result<usize, Error> {
+        if buf.is_empty() {
+            return Ok(0);
+        }
+
         cfg_if! {
             if #[cfg(any(ossl111, libressl))] {
                 let mut written = 0;
@@ -3790,10 +3799,6 @@ impl<S: Read + Write> SslStream<S> {
                     Err(self.make_error(ret))
                 }
             } else {
-                if buf.is_empty() {
-                    return Ok(0);
-                }
-
                 let len = usize::min(c_int::MAX as usize, buf.len()) as c_int;
                 let ret = unsafe {
                     ffi::SSL_write(self.ssl().as_ptr(), buf.as_ptr().cast(), len)
diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs
@@ -675,6 +675,8 @@ fn default_verify_paths() {
     let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
     ctx.set_default_verify_paths().unwrap();
     ctx.set_verify(SslVerifyMode::PEER);
+    #[cfg(ossl400)]
+    ctx.set_options(super::SslOptions::IGNORE_UNEXPECTED_EOF);
     let ctx = ctx.build();
     let s = match TcpStream::connect("google.com:443") {
         Ok(s) => s,
@@ -965,7 +967,7 @@ fn cert_store() {
 }
 
 #[test]
-#[cfg_attr(any(boringssl, awslc), ignore)]
+#[cfg_attr(any(boringssl, awslc, ossl400), ignore)]
 fn tmp_dh_callback() {
     static CALLED_BACK: AtomicBool = AtomicBool::new(false);
 
@@ -989,7 +991,7 @@ fn tmp_dh_callback() {
 }
 
 #[test]
-#[cfg_attr(any(boringssl, awslc), ignore)]
+#[cfg_attr(any(boringssl, awslc, ossl400), ignore)]
 fn tmp_dh_callback_ssl() {
     static CALLED_BACK: AtomicBool = AtomicBool::new(false);
 
diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
@@ -1324,7 +1324,7 @@ impl X509NameEntryRef {
     pub fn data(&self) -> &Asn1StringRef {
         unsafe {
             let data = ffi::X509_NAME_ENTRY_get_data(self.as_ptr());
-            Asn1StringRef::from_ptr(data)
+            Asn1StringRef::from_ptr(data as *mut _)
         }
     }
 
@@ -1334,7 +1334,7 @@ impl X509NameEntryRef {
     pub fn object(&self) -> &Asn1ObjectRef {
         unsafe {
             let object = ffi::X509_NAME_ENTRY_get_object(self.as_ptr());
-            Asn1ObjectRef::from_ptr(object)
+            Asn1ObjectRef::from_ptr(object as *mut _)
         }
     }
 }
@@ -1873,7 +1873,7 @@ impl X509CrlRef {
         unsafe {
             let name = X509_CRL_get_issuer(self.as_ptr());
             assert!(!name.is_null());
-            X509NameRef::from_ptr(name)
+            X509NameRef::from_ptr(name as *mut _)
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -93,6 +93,9 @@ pub fn get(openssl_version: Option<u64>, libressl_version: Option<u64>) -> Vec<&`
`93`	`93`	`if openssl_version >= 0x3_05_00_00_0 {`
`94`	`94`	`cfgs.push("ossl350");`
`95`	`95`	`}`
	`96`	`+ if openssl_version >= 0x4_00_00_00_0 {`
	`97`	`+ cfgs.push("ossl400");`
	`98`	`+ }`
`96`	`99`	`}`
`97`	`100`
`98`	`101`	`cfgs`
Original file line number	Diff line number	Diff line change
`@@ -82,6 +82,8 @@ cfg_if! {`
`82`	`82`	`}`
`83`	`83`	`#[cfg(ossl110)]`
`84`	`84`	`pub const SSL_OP_SAFARI_ECDHE_ECDSA_BUG: ssl_op_type!() = 0x00000040;`
	`85`	`+#[cfg(ossl300)]`
	`86`	`+pub const SSL_OP_IGNORE_UNEXPECTED_EOF: ssl_op_type!() = 0x00000080;`
`85`	`87`
`86`	`88`	`pub const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS: ssl_op_type!() = 0x00000800;`
`87`	`89`
Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,7 @@ fn main() {`
`50`	`50`	`println!("cargo:rustc-check-cfg=cfg(ossl330)");`
`51`	`51`	`println!("cargo:rustc-check-cfg=cfg(ossl340)");`
`52`	`52`	`println!("cargo:rustc-check-cfg=cfg(ossl350)");`
	`53`	`+ println!("cargo:rustc-check-cfg=cfg(ossl400)");`
`53`	`54`
`54`	`55`	`if env::var("DEP_OPENSSL_LIBRESSL").is_ok() {`
`55`	`56`	`println!("cargo:rustc-cfg=libressl");`
`@@ -155,5 +156,8 @@ fn main() {`
`155`	`156`	`if version >= 0x3_05_00_00_0 {`
`156`	`157`	`println!("cargo:rustc-cfg=ossl350");`
`157`	`158`	`}`
	`159`	`+ if version >= 0x4_00_00_00_0 {`
	`160`	`+ println!("cargo:rustc-cfg=ossl400");`
	`161`	`+ }`
`158`	`162`	`}`
`159`	`163`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1324,7 +1324,7 @@ impl X509NameEntryRef {`
`1324`	`1324`	`pub fn data(&self) -> &Asn1StringRef {`
`1325`	`1325`	`unsafe {`
`1326`	`1326`	`let data = ffi::X509_NAME_ENTRY_get_data(self.as_ptr());`
`1327`		`- Asn1StringRef::from_ptr(data)`
	`1327`	`+ Asn1StringRef::from_ptr(data as *mut _)`
`1328`	`1328`	`}`
`1329`	`1329`	`}`
`1330`	`1330`
`@@ -1334,7 +1334,7 @@ impl X509NameEntryRef {`
`1334`	`1334`	`pub fn object(&self) -> &Asn1ObjectRef {`
`1335`	`1335`	`unsafe {`
`1336`	`1336`	`let object = ffi::X509_NAME_ENTRY_get_object(self.as_ptr());`
`1337`		`- Asn1ObjectRef::from_ptr(object)`
	`1337`	`+ Asn1ObjectRef::from_ptr(object as *mut _)`
`1338`	`1338`	`}`
`1339`	`1339`	`}`
`1340`	`1340`	`}`
`@@ -1873,7 +1873,7 @@ impl X509CrlRef {`
`1873`	`1873`	`unsafe {`
`1874`	`1874`	`let name = X509_CRL_get_issuer(self.as_ptr());`
`1875`	`1875`	`assert!(!name.is_null());`
`1876`		`- X509NameRef::from_ptr(name)`
	`1876`	`+ X509NameRef::from_ptr(name as *mut _)`
`1877`	`1877`	`}`
`1878`	`1878`	`}`
`1879`	`1879`