From 5e93d3001e7bbf983510956f9065c63a8d4dc625 Mon Sep 17 00:00:00 2001 From: David Drysdale Date: Sun, 16 Oct 2022 07:14:02 +0100 Subject: [PATCH 01/26] Bump bindgen dep to 0.60.1 --- Cargo.toml | 3 --- openssl-sys/Cargo.toml | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 63e983aef2..c33c3475a7 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -6,6 +6,3 @@ members = [ "openssl-sys", "systest", ] - -[patch.crates-io] -bindgen = { git = "https://github.com/daviddrysdale/rust-bindgen", branch = "allowlist-file" } diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 62cc6428ed..ede3a73611 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -22,7 +22,7 @@ libc = "0.2" bssl-sys = { version = "0.1.0", optional = true } [build-dependencies] -bindgen = { version = "0.59.2", optional = true } +bindgen = { version = "0.60.1", optional = true } cc = "1.0" openssl-src = { version = "111", optional = true } pkg-config = "0.3.9" From fc66d184873fd0c13dc2a202f3697177f4081ebc Mon Sep 17 00:00:00 2001 From: Kian-Meng Ang Date: Mon, 17 Oct 2022 00:09:28 +0800 Subject: [PATCH 02/26] Update deprecated link to official doc See https://github.com/sfackler/rust-openssl/commit/d2cc0eae2d2373c9372c77f7eb7a80e7c16986f2 --- openssl-sys/build/main.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index a8911e7b14..c2aceeec84 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -202,9 +202,9 @@ specific to your distribution: # On Alpine Linux apk add openssl-dev -See rust-openssl README for more information: +See rust-openssl documentation for more information: - https://github.com/sfackler/rust-openssl#linux + https://docs.rs/openssl ", e ); From eacc52cc1fc54e6db51cc382f071fb07b380aaf7 Mon Sep 17 00:00:00 2001 From: Niklas Hallqvist Date: Mon, 26 Sep 2022 16:19:20 +0200 Subject: [PATCH 03/26] Recognize LibreSSL 3.6 --- openssl-sys/build/main.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index c2aceeec84..e0b5045484 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -280,6 +280,7 @@ See rust-openssl documentation for more information: (3, 4, 0) => ('3', '4', '0'), (3, 4, _) => ('3', '4', 'x'), (3, 5, _) => ('3', '5', 'x'), + (3, 6, _) => ('3', '6', 'x'), _ => version_error(), }; @@ -322,7 +323,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.5, but a different version of OpenSSL was found. The build is now aborting +through 3.6, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " From 6e4df6981b3814fee5a83ddd8f667815c5b3165e Mon Sep 17 00:00:00 2001 From: Niklas Hallqvist Date: Thu, 13 Oct 2022 19:43:34 +0200 Subject: [PATCH 04/26] Add LibreSSL 3.6 to the mix --- .github/workflows/ci.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index decfe7200b..8c6bf17850 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -201,6 +201,11 @@ jobs: library: name: libressl version: 3.5.2 + - target: x86_64-unknown-linux-gnu + bindgen: false + library: + name: libressl + version: 3.6.0 exclude: - library: name: boringssl From 99dade1334c4d652f4ee6c487f8c2255369947db Mon Sep 17 00:00:00 2001 From: Niklas Hallqvist Date: Mon, 17 Oct 2022 11:29:35 +0200 Subject: [PATCH 05/26] Latest LibreSSL on the 3.5.x branch is 3.5.3 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8c6bf17850..1df2603793 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -200,7 +200,7 @@ jobs: bindgen: false library: name: libressl - version: 3.5.2 + version: 3.5.3 - target: x86_64-unknown-linux-gnu bindgen: false library: From 62cd28ef9a8726c2710305c41367d0f6d96fd2fd Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Mon, 17 Oct 2022 20:14:54 -0400 Subject: [PATCH 06/26] CI: update bindgen-enabled LibreSSL targets too --- .github/workflows/ci.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1df2603793..e8e8aa4f6d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -185,7 +185,12 @@ jobs: bindgen: true library: name: libressl - version: 3.5.2 + version: 3.5.3 + - target: x86_64-unknown-linux-gnu + bindgen: true + library: + name: libressl + version: 3.6.0 - target: x86_64-unknown-linux-gnu bindgen: false library: From 85de37e6fe5a87bbe428c0bb80fbb028c0d9b7dd Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Mon, 17 Oct 2022 20:15:45 -0400 Subject: [PATCH 07/26] Limit max LibreSSL to 3.6.0, as the 3.6 series is still in development --- openssl-sys/build/main.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index e0b5045484..2ca53c9771 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -280,7 +280,7 @@ See rust-openssl documentation for more information: (3, 4, 0) => ('3', '4', '0'), (3, 4, _) => ('3', '4', 'x'), (3, 5, _) => ('3', '5', 'x'), - (3, 6, _) => ('3', '6', 'x'), + (3, 6, 0) => ('3', '6', '0'), _ => version_error(), }; @@ -323,7 +323,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.6, but a different version of OpenSSL was found. The build is now aborting +through 3.6.0, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " From 213de3ce72f47a2b8278626c6cb5a4cc7f800d29 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Mon, 17 Oct 2022 20:41:23 -0400 Subject: [PATCH 08/26] Ignore two PKCS#7 tests on LibreSSL 3.6.0 only, re-enable for 3.6.1 --- openssl/build.rs | 8 ++++++++ openssl/src/pkcs7.rs | 4 ++++ 2 files changed, 12 insertions(+) diff --git a/openssl/build.rs b/openssl/build.rs index 81bae9d9bf..fc6492292c 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -94,5 +94,13 @@ fn main() { if version >= 0x3_05_00_00_0 { println!("cargo:rustc-cfg=libressl350"); } + + if version >= 0x3_06_00_00_0 { + println!("cargo:rustc-cfg=libressl360"); + } + + if version >= 0x3_06_01_00_0 { + println!("cargo:rustc-cfg=libressl361"); + } } } diff --git a/openssl/src/pkcs7.rs b/openssl/src/pkcs7.rs index e1b30f9289..ae4571db85 100644 --- a/openssl/src/pkcs7.rs +++ b/openssl/src/pkcs7.rs @@ -361,7 +361,9 @@ mod tests { assert_eq!(content.expect("should be non-empty"), message.as_bytes()); } + /// https://marc.info/?l=openbsd-cvs&m=166602943014106&w=2 #[test] + #[cfg_attr(all(libressl360, not(libressl361)), ignore)] fn sign_verify_test_normal() { let cert = include_bytes!("../test/cert.pem"); let cert = X509::from_pem(cert).unwrap(); @@ -397,7 +399,9 @@ mod tests { assert!(content.is_none()); } + /// https://marc.info/?l=openbsd-cvs&m=166602943014106&w=2 #[test] + #[cfg_attr(all(libressl360, not(libressl361)), ignore)] fn signers() { let cert = include_bytes!("../test/cert.pem"); let cert = X509::from_pem(cert).unwrap(); From 6e5551a1dee41a5745440afeef8f40b028b872e1 Mon Sep 17 00:00:00 2001 From: Robert Masen Date: Tue, 18 Oct 2022 15:42:47 -0500 Subject: [PATCH 09/26] add assume_init fn to openssl_sys --- openssl-sys/src/lib.rs | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 1d36a104fe..0d6676827e 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -85,6 +85,10 @@ mod openssl { mod x509_vfy; mod x509v3; + use std::sync::Once; + // explicitly initialize to work around https://github.com/openssl/openssl/issues/3505 + static INIT: Once = Once::new(); + // FIXME remove pub type PasswordCallback = unsafe extern "C" fn( buf: *mut c_char, @@ -96,10 +100,6 @@ mod openssl { #[cfg(ossl110)] pub fn init() { use std::ptr; - use std::sync::Once; - - // explicitly initialize to work around https://github.com/openssl/openssl/issues/3505 - static INIT: Once = Once::new(); #[cfg(not(ossl111b))] let init_options = OPENSSL_INIT_LOAD_SSL_STRINGS; @@ -116,7 +116,7 @@ mod openssl { use std::io::{self, Write}; use std::mem; use std::process; - use std::sync::{Mutex, MutexGuard, Once}; + use std::sync::{Mutex, MutexGuard}; static mut MUTEXES: *mut Vec> = 0 as *mut Vec>; static mut GUARDS: *mut Vec>> = @@ -160,8 +160,6 @@ mod openssl { } } - static INIT: Once = Once::new(); - INIT.call_once(|| unsafe { SSL_library_init(); SSL_load_error_strings(); @@ -181,6 +179,19 @@ mod openssl { set_id_callback(); }) } + + /// Disable explicit initialization of the openssl libs. + /// + /// This is only appropriate to use if the openssl crate is being consumed by an application + /// that will be performing the initialization explicitly. + /// + /// # Safety + /// + /// In some versions of openssl, skipping initialization will fall back to the default procedure + /// while other will cause difficult to debug errors so care must be taken when calling this. + pub unsafe fn assume_init() { + INIT.call_once(|| {}); + } } #[cfg(openssl)] pub use openssl::*; From 56ef65a7ba8bcd78a6540d7cc7db2d918d537714 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Fri, 21 Oct 2022 00:27:28 -0400 Subject: [PATCH 10/26] CI: remove EOLed LibreSSL 3.4 --- .github/workflows/ci.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e8e8aa4f6d..46a625fc8e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -176,11 +176,6 @@ jobs: library: name: libressl version: 2.5.5 - - target: x86_64-unknown-linux-gnu - bindgen: true - library: - name: libressl - version: 3.4.3 - target: x86_64-unknown-linux-gnu bindgen: true library: @@ -196,11 +191,6 @@ jobs: library: name: libressl version: 2.5.5 - - target: x86_64-unknown-linux-gnu - bindgen: false - library: - name: libressl - version: 3.4.3 - target: x86_64-unknown-linux-gnu bindgen: false library: From f0c642575064bb9bae2772913f3a00fd1d71393b Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 22 Oct 2022 09:12:34 -0400 Subject: [PATCH 11/26] Remove boringssl master builds --- .github/workflows/ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 46a625fc8e..d67ad1bf2a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -149,8 +149,6 @@ jobs: - true - false library: - - name: boringssl - version: master - name: boringssl version: 5697a9202615925696f8dc7f4e286d44d474769e - name: openssl From bbdcaf7c69b66683b34c13f75eaa634e8710efcf Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 22 Oct 2022 09:30:59 -0400 Subject: [PATCH 12/26] Release openssl-sys v0.9.77 --- openssl-sys/CHANGELOG.md | 7 +++++++ openssl-sys/Cargo.toml | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 6c53d813ee..bcbb5ec937 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,13 @@ ## [Unreleased] +## [v0.9.77] - 2022-10-22 + +### Added + +* Added support for LibreSSL 3.6.0 +* Added `assume_init`. + ## [v0.9.76] - 2022-09-26 ### Added diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index ede3a73611..7c6ab832d6 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.76" +version = "0.9.77" authors = [ "Alex Crichton ", "Steven Fackler ", From bc8506dfe7da788c928d82e1ce08bbfe77330658 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Tue, 25 Oct 2022 09:58:23 +0200 Subject: [PATCH 13/26] Fix reference to `Self::cipher_final` in docs This patch changes the position of backtick and square brackets so that the reference is rendered as a link in generated documentation. --- openssl/src/cipher_ctx.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 46492566f9..8e017115b1 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -407,7 +407,7 @@ impl CipherCtxRef { /// Retrieves the calculated authentication tag from the context. /// - /// This should be called after `[Self::cipher_final]`, and is only supported by authenticated ciphers. + /// This should be called after [`Self::cipher_final`], and is only supported by authenticated ciphers. /// /// The size of the buffer indicates the size of the tag. While some ciphers support a range of tag sizes, it is /// recommended to pick the maximum size. From b82aae328f56ecf77e3d5a17fadbea27b214b643 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Thu, 27 Oct 2022 12:53:14 +0200 Subject: [PATCH 14/26] Add NID constants for Brainpool curves Brainpool curves are used by European government organizations that are suspicious of the NIST curves. Brainpool curves are very similar to NIST curves with one critical difference: the parameters to Brainpool are nothing-up-my-sleeve numbers [0]. The actual values of the NID constants have been taken from the OpenSSL source code [1]. [0]: https://github.com/veorq/numsgen#seeds [1]: https://github.com/openssl/openssl/blob/4e6647506331fc3b3ef5b23e5dbe188279ddd575/include/openssl/obj_mac.h#L4759 --- openssl-sys/src/obj_mac.rs | 6 ++++++ openssl/src/nid.rs | 6 ++++++ systest/build.rs | 1 + 3 files changed, 13 insertions(+) diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 6237afa6c8..ed50ebcc5f 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -94,6 +94,12 @@ pub const NID_sect409k1: c_int = 731; pub const NID_sect409r1: c_int = 732; pub const NID_sect571k1: c_int = 733; pub const NID_sect571r1: c_int = 734; +#[cfg(ossl110)] +pub const NID_brainpoolP256r1: c_int = 927; +#[cfg(ossl110)] +pub const NID_brainpoolP384r1: c_int = 931; +#[cfg(ossl110)] +pub const NID_brainpoolP512r1: c_int = 933; pub const NID_wap_wsg_idm_ecid_wtls1: c_int = 735; pub const NID_wap_wsg_idm_ecid_wtls3: c_int = 736; pub const NID_wap_wsg_idm_ecid_wtls4: c_int = 737; diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index 355bba10ee..eadae31653 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -215,6 +215,12 @@ impl Nid { pub const SECT409R1: Nid = Nid(ffi::NID_sect409r1); pub const SECT571K1: Nid = Nid(ffi::NID_sect571k1); pub const SECT571R1: Nid = Nid(ffi::NID_sect571r1); + #[cfg(ossl110)] + pub const BRAINPOOL_P256R1: Nid = Nid(ffi::NID_brainpoolP256r1); + #[cfg(ossl110)] + pub const BRAINPOOL_P384R1: Nid = Nid(ffi::NID_brainpoolP384r1); + #[cfg(ossl110)] + pub const BRAINPOOL_P512R1: Nid = Nid(ffi::NID_brainpoolP512r1); pub const WAP_WSG_IDM_ECID_WTLS1: Nid = Nid(ffi::NID_wap_wsg_idm_ecid_wtls1); pub const WAP_WSG_IDM_ECID_WTLS3: Nid = Nid(ffi::NID_wap_wsg_idm_ecid_wtls3); pub const WAP_WSG_IDM_ECID_WTLS4: Nid = Nid(ffi::NID_wap_wsg_idm_ecid_wtls4); diff --git a/systest/build.rs b/systest/build.rs index 2618a05b97..e54438114b 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -55,6 +55,7 @@ fn main() { .header("openssl/x509v3.h") .header("openssl/safestack.h") .header("openssl/hmac.h") + .header("openssl/obj_mac.h") .header("openssl/ssl.h") .header("openssl/err.h") .header("openssl/rand.h") From 74f83c941e50bb765b024a7f2829761b77bf7ea7 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Thu, 27 Oct 2022 10:41:08 +0200 Subject: [PATCH 15/26] Add `BigNum::copy_from_slice` Unfortunately `BigNum::from_slice` always creates a new BigNum and cannot be used to initialize an already existing BigNum thus it is not possible to have a secure BigNum initialized from a slice. This patch adds the function for overwriting existing BigNum with given slice bytes. Thus the BigNum can be created using `BigNum::new_secure` and then overwritten using `BigNum::copy_from_slice`. --- openssl/src/bn.rs | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index 5de7f7cb38..d98fec4d0b 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -1080,6 +1080,30 @@ impl BigNum { .map(|p| BigNum::from_ptr(p)) } } + + /// Copies data from a slice overwriting what was in the BigNum. + /// + /// This function can be used to copy data from a slice to a + /// [secure BigNum][`BigNum::new_secure`]. + /// + /// # Examples + /// + /// ``` + /// # use openssl::bn::BigNum; + /// let mut bignum = BigNum::new().unwrap(); + /// bignum.copy_from_slice(&[0x12, 0x00, 0x34]).unwrap(); + /// + /// assert_eq!(bignum, BigNum::from_u32(0x120034).unwrap()); + /// ``` + #[corresponds(BN_bin2bn)] + pub fn copy_from_slice(&mut self, n: &[u8]) -> Result<(), ErrorStack> { + unsafe { + assert!(n.len() <= LenType::max_value() as usize); + + cvt_p(ffi::BN_bin2bn(n.as_ptr(), n.len() as LenType, self.0))?; + Ok(()) + } + } } impl fmt::Debug for BigNumRef { From e4d30c06bc0fb5abeb122bc78282f0a04060170e Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Mon, 31 Oct 2022 09:50:43 +0100 Subject: [PATCH 16/26] bn: Fix checking against LenType --- openssl/src/bn.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index d98fec4d0b..2619b5ba63 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -1070,7 +1070,7 @@ impl BigNum { pub fn from_slice(n: &[u8]) -> Result { unsafe { ffi::init(); - assert!(n.len() <= c_int::max_value() as usize); + assert!(n.len() <= LenType::max_value() as usize); cvt_p(ffi::BN_bin2bn( n.as_ptr(), From 78a5fde6ee5b23b8eb0c1cf815489b855c2141a9 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Tue, 1 Nov 2022 14:39:43 -0400 Subject: [PATCH 17/26] CI: update LibreSSL 3.6 to 3.6.1 --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d67ad1bf2a..9090ca194d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -183,7 +183,7 @@ jobs: bindgen: true library: name: libressl - version: 3.6.0 + version: 3.6.1 - target: x86_64-unknown-linux-gnu bindgen: false library: @@ -198,7 +198,7 @@ jobs: bindgen: false library: name: libressl - version: 3.6.0 + version: 3.6.1 exclude: - library: name: boringssl From 0d2b5f924e94c608a83132c21f81186b9ac6ea29 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Tue, 1 Nov 2022 14:40:37 -0400 Subject: [PATCH 18/26] Allow LibreSSL 3.6.x, as 3.6.1 is declared stable --- openssl-sys/build/main.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 2ca53c9771..71b36c2309 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -281,6 +281,7 @@ See rust-openssl documentation for more information: (3, 4, _) => ('3', '4', 'x'), (3, 5, _) => ('3', '5', 'x'), (3, 6, 0) => ('3', '6', '0'), + (3, 6, _) => ('3', '6', 'x'), _ => version_error(), }; @@ -323,7 +324,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.6.0, but a different version of OpenSSL was found. The build is now aborting +through 3.6.x, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " From 7e7ce09be31dd44ae81ac12ede59f238701342d1 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Fri, 28 Oct 2022 11:45:56 +0200 Subject: [PATCH 19/26] Expose Camellia, CAST5 and IDEA ciphers All of them are used in the OpenPGP specification for symmetric ciphers [0]. IDEA and CAST5 may be old but they are provided for users for decryption of archive data. Camellia is used in the new version of the OpenPGP specification as an alternative to AES. [0]: https://openpgp-wg.gitlab.io/rfc4880bis/#name-symmetric-key-algorithms --- openssl-sys/build/expando.c | 8 +++++ openssl-sys/src/handwritten/evp.rs | 23 ++++++++++++++ openssl/src/cipher.rs | 50 ++++++++++++++++++++++++++++++ 3 files changed, 81 insertions(+) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index c150dcd51f..2ec63ec046 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -27,6 +27,14 @@ RUST_CONF_OPENSSL_NO_BUF_FREELISTS RUST_CONF_OPENSSL_NO_CHACHA #endif +#ifdef OPENSSL_NO_IDEA +RUST_CONF_OPENSSL_NO_IDEA +#endif + +#ifdef OPENSSL_NO_CAMELLIA +RUST_CONF_OPENSSL_NO_CAMELLIA +#endif + #ifdef OPENSSL_NO_CMS RUST_CONF_OPENSSL_NO_CMS #endif diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 86487e13bb..ffb0a0819d 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -364,6 +364,29 @@ extern "C" { #[cfg(all(any(ossl111, libressl291), not(osslconf = "OPENSSL_NO_SM4")))] pub fn EVP_sm4_ctr() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_128_cfb128() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_128_ecb() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_192_cfb128() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_192_ecb() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_256_cfb128() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_256_ecb() -> *const EVP_CIPHER; + + #[cfg(not(boringssl))] + pub fn EVP_cast5_cfb64() -> *const EVP_CIPHER; + #[cfg(not(boringssl))] + pub fn EVP_cast5_ecb() -> *const EVP_CIPHER; + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + pub fn EVP_idea_cfb64() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + pub fn EVP_idea_ecb() -> *const EVP_CIPHER; + #[cfg(not(ossl110))] pub fn OPENSSL_add_all_algorithms_noconf(); diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index 0e5d85dd15..ab5f49d22f 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -328,6 +328,56 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_rc4() as *mut _) } } + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia128_cfb128() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_camellia_128_cfb128() as *mut _) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia128_ecb() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_camellia_128_ecb() as *mut _) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia192_cfb128() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_camellia_192_cfb128() as *mut _) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia192_ecb() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_camellia_192_ecb() as *mut _) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia256_cfb128() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_camellia_256_cfb128() as *mut _) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia256_ecb() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_camellia_256_ecb() as *mut _) } + } + + #[cfg(not(boringssl))] + pub fn cast5_cfb64() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_cast5_cfb64() as *mut _) } + } + + #[cfg(not(boringssl))] + pub fn cast5_ecb() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_cast5_ecb() as *mut _) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + pub fn idea_cfb64() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_idea_cfb64() as *mut _) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + pub fn idea_ecb() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_idea_ecb() as *mut _) } + } + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn chacha20() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_chacha20() as *mut _) } From cca9c7bb59ee0b1bace15d622a179be9e194d9c0 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Wed, 19 Oct 2022 11:36:15 +0200 Subject: [PATCH 20/26] Add openssl::dsa::DsaSig Adds safe interface for parsing and constructing DSA signatures and their components: `r` and `s`. --- openssl-sys/src/handwritten/dsa.rs | 27 ++++ openssl/src/dsa.rs | 194 +++++++++++++++++++++++++++++ 2 files changed, 221 insertions(+) diff --git a/openssl-sys/src/handwritten/dsa.rs b/openssl-sys/src/handwritten/dsa.rs index 604c68f032..c676c6b0ad 100644 --- a/openssl-sys/src/handwritten/dsa.rs +++ b/openssl-sys/src/handwritten/dsa.rs @@ -2,6 +2,18 @@ use libc::*; use *; +cfg_if! { + if #[cfg(any(ossl110, libressl280))] { + pub enum DSA_SIG {} + } else { + #[repr(C)] + pub struct DSA_SIG { + pub r: *mut BIGNUM, + pub s: *mut BIGNUM, + } + } +} + extern "C" { pub fn DSA_new() -> *mut DSA; pub fn DSA_free(dsa: *mut DSA); @@ -55,4 +67,19 @@ extern "C" { pub fn DSA_get0_key(d: *const DSA, pub_key: *mut *const BIGNUM, priv_key: *mut *const BIGNUM); #[cfg(any(ossl110, libressl273))] pub fn DSA_set0_key(d: *mut DSA, pub_key: *mut BIGNUM, priv_key: *mut BIGNUM) -> c_int; + pub fn d2i_DSA_SIG( + sig: *mut *mut DSA_SIG, + pp: *mut *const c_uchar, + length: c_long, + ) -> *mut DSA_SIG; + pub fn i2d_DSA_SIG(a: *const DSA_SIG, pp: *mut *mut c_uchar) -> c_int; + + pub fn DSA_SIG_new() -> *mut DSA_SIG; + pub fn DSA_SIG_free(sig: *mut DSA_SIG); + + #[cfg(any(ossl110, libressl273))] + pub fn DSA_SIG_get0(sig: *const DSA_SIG, pr: *mut *const BIGNUM, ps: *mut *const BIGNUM); + + #[cfg(any(ossl110, libressl273))] + pub fn DSA_SIG_set0(sig: *mut DSA_SIG, pr: *mut BIGNUM, ps: *mut BIGNUM) -> c_int; } diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index 78fa1c25dc..5f59ba8acd 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -344,6 +344,159 @@ cfg_if! { } } +foreign_type_and_impl_send_sync! { + type CType = ffi::DSA_SIG; + fn drop = ffi::DSA_SIG_free; + + /// Object representing DSA signature. + /// + /// DSA signatures consist of two components: `r` and `s`. + /// + /// # Examples + /// + /// ``` + /// use std::convert::TryInto; + /// + /// use openssl::bn::BigNum; + /// use openssl::dsa::{Dsa, DsaSig}; + /// use openssl::hash::MessageDigest; + /// use openssl::pkey::PKey; + /// use openssl::sign::{Signer, Verifier}; + /// + /// const TEST_DATA: &[u8] = &[0, 1, 2, 3, 4, 5, 6, 7, 8, 9]; + /// let dsa_ref = Dsa::generate(1024).unwrap(); + /// + /// let pub_key: PKey<_> = dsa_ref.clone().try_into().unwrap(); + /// let priv_key: PKey<_> = dsa_ref.try_into().unwrap(); + /// + /// let mut signer = if let Ok(signer) = Signer::new(MessageDigest::sha256(), &priv_key) { + /// signer + /// } else { + /// // DSA signing is not supported (eg. BoringSSL) + /// return; + /// }; + /// + /// signer.update(TEST_DATA).unwrap(); + /// + /// let signature = signer.sign_to_vec().unwrap(); + /// // Parse DER-encoded DSA signature + /// let signature = DsaSig::from_der(&signature).unwrap(); + /// + /// // Extract components `r` and `s` + /// let r = BigNum::from_slice(&signature.r().to_vec()).unwrap(); + /// let s = BigNum::from_slice(&signature.s().to_vec()).unwrap(); + /// + /// // Construct new DSA signature from components + /// let signature = DsaSig::from_private_components(r, s).unwrap(); + /// + /// // Serialize DSA signature to DER + /// let signature = signature.to_der().unwrap(); + /// + /// let mut verifier = Verifier::new(MessageDigest::sha256(), &pub_key).unwrap(); + /// verifier.update(TEST_DATA).unwrap(); + /// assert!(verifier.verify(&signature[..]).unwrap()); + /// ``` + pub struct DsaSig; + + /// Reference to a [`DsaSig`]. + pub struct DsaSigRef; +} + +impl DsaSig { + /// Returns a new `DsaSig` by setting the `r` and `s` values associated with an DSA signature. + #[corresponds(DSA_SIG_set0)] + pub fn from_private_components(r: BigNum, s: BigNum) -> Result { + unsafe { + let sig = cvt_p(ffi::DSA_SIG_new())?; + DSA_SIG_set0(sig, r.as_ptr(), s.as_ptr()); + mem::forget((r, s)); + Ok(DsaSig::from_ptr(sig)) + } + } + + from_der! { + /// Decodes a DER-encoded DSA signature. + #[corresponds(d2i_DSA_SIG)] + from_der, + DsaSig, + ffi::d2i_DSA_SIG + } +} + +impl fmt::Debug for DsaSig { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + f.debug_struct("DsaSig") + .field("r", self.r()) + .field("s", self.s()) + .finish() + } +} + +impl DsaSigRef { + to_der! { + /// Serializes the DSA signature into a DER-encoded `DSASignature` structure. + #[corresponds(i2d_DSA_SIG)] + to_der, + ffi::i2d_DSA_SIG + } + + /// Returns internal component `r` of an `DsaSig`. + #[corresponds(DSA_SIG_get0)] + pub fn r(&self) -> &BigNumRef { + unsafe { + let mut r = ptr::null(); + DSA_SIG_get0(self.as_ptr(), &mut r, ptr::null_mut()); + BigNumRef::from_const_ptr(r) + } + } + + /// Returns internal component `s` of an `DsaSig`. + #[corresponds(DSA_SIG_get0)] + pub fn s(&self) -> &BigNumRef { + unsafe { + let mut s = ptr::null(); + DSA_SIG_get0(self.as_ptr(), ptr::null_mut(), &mut s); + BigNumRef::from_const_ptr(s) + } + } +} + +cfg_if! { + if #[cfg(any(ossl110, libressl273))] { + use ffi::{DSA_SIG_set0, DSA_SIG_get0}; + } else { + #[allow(bad_style)] + unsafe fn DSA_SIG_set0( + sig: *mut ffi::DSA_SIG, + r: *mut ffi::BIGNUM, + s: *mut ffi::BIGNUM, + ) -> c_int { + if r.is_null() || s.is_null() { + return 0; + } + ffi::BN_clear_free((*sig).r); + ffi::BN_clear_free((*sig).s); + (*sig).r = r; + (*sig).s = s; + 1 + } + + #[allow(bad_style)] + unsafe fn DSA_SIG_get0( + sig: *const ffi::DSA_SIG, + pr: *mut *const ffi::BIGNUM, + ps: *mut *const ffi::BIGNUM) + { + if !pr.is_null() { + (*pr) = (*sig).r; + } + if !ps.is_null() { + (*ps) = (*sig).s; + } + } + } +} + #[cfg(test)] mod test { use super::*; @@ -444,10 +597,51 @@ mod test { assert!(verifier.verify(&signature[..]).unwrap()); } + #[test] + #[cfg(not(boringssl))] + fn test_signature_der() { + use std::convert::TryInto; + + const TEST_DATA: &[u8] = &[0, 1, 2, 3, 4, 5, 6, 7, 8, 9]; + let dsa_ref = Dsa::generate(1024).unwrap(); + + let pub_key: PKey<_> = dsa_ref.clone().try_into().unwrap(); + let priv_key: PKey<_> = dsa_ref.try_into().unwrap(); + + let mut signer = Signer::new(MessageDigest::sha256(), &priv_key).unwrap(); + signer.update(TEST_DATA).unwrap(); + + let signature = signer.sign_to_vec().unwrap(); + eprintln!("{:?}", signature); + let signature = DsaSig::from_der(&signature).unwrap(); + + let r = BigNum::from_slice(&signature.r().to_vec()).unwrap(); + let s = BigNum::from_slice(&signature.s().to_vec()).unwrap(); + + let signature = DsaSig::from_private_components(r, s).unwrap(); + let signature = signature.to_der().unwrap(); + + let mut verifier = Verifier::new(MessageDigest::sha256(), &pub_key).unwrap(); + verifier.update(TEST_DATA).unwrap(); + assert!(verifier.verify(&signature[..]).unwrap()); + } + #[test] #[allow(clippy::redundant_clone)] fn clone() { let key = Dsa::generate(2048).unwrap(); drop(key.clone()); } + + #[test] + fn dsa_sig_debug() { + let sig = DsaSig::from_der(&[ + 48, 46, 2, 21, 0, 135, 169, 24, 58, 153, 37, 175, 248, 200, 45, 251, 112, 238, 238, 89, + 172, 177, 182, 166, 237, 2, 21, 0, 159, 146, 151, 237, 187, 8, 82, 115, 14, 183, 103, + 12, 203, 46, 161, 208, 251, 167, 123, 131, + ]) + .unwrap(); + let s = format!("{:?}", sig); + assert_eq!(s, "DsaSig { r: 774484690634577222213819810519929266740561094381, s: 910998676210681457251421818099943952372231273347 }"); + } } From 808b9519c4b923e5f0777723a2f80926b822f61f Mon Sep 17 00:00:00 2001 From: Alex Baker Date: Fri, 30 Sep 2022 13:02:51 -0500 Subject: [PATCH 21/26] Add support for X509_VERIFY_PARAM_set_time and X509_VERIFY_PARAM_set_depth --- openssl-sys/src/handwritten/x509_vfy.rs | 14 +++ openssl/src/x509/store.rs | 9 +- openssl/src/x509/tests.rs | 127 +++++++++++++++++++++++- openssl/src/x509/verify.rs | 27 ++++- openssl/test/intermediate-ca.key | 27 +++++ openssl/test/intermediate-ca.pem | 22 ++++ openssl/test/leaf.pem | 21 ++++ 7 files changed, 243 insertions(+), 4 deletions(-) create mode 100644 openssl/test/intermediate-ca.key create mode 100644 openssl/test/intermediate-ca.pem create mode 100644 openssl/test/leaf.pem diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs index d8768d7c8c..ef2a6aac94 100644 --- a/openssl-sys/src/handwritten/x509_vfy.rs +++ b/openssl-sys/src/handwritten/x509_vfy.rs @@ -47,6 +47,12 @@ extern "C" { pub fn X509_STORE_set_flags(store: *mut X509_STORE, flags: c_ulong) -> c_int; } +const_ptr_api! { + extern "C" { + pub fn X509_STORE_set1_param(store: *mut X509_STORE, pm: #[const_ptr_if(ossl300)] X509_VERIFY_PARAM) -> c_int; + } +} + const_ptr_api! { extern "C" { pub fn X509_STORE_CTX_get_ex_data(ctx: #[const_ptr_if(ossl300)] X509_STORE_CTX, idx: c_int) -> *mut c_void; @@ -73,6 +79,8 @@ cfg_if! { } extern "C" { + #[cfg(any(ossl102, libressl261))] + pub fn X509_VERIFY_PARAM_new() -> *mut X509_VERIFY_PARAM; #[cfg(any(ossl102, libressl261))] pub fn X509_VERIFY_PARAM_free(param: *mut X509_VERIFY_PARAM); @@ -80,6 +88,12 @@ extern "C" { pub fn X509_VERIFY_PARAM_set_flags(param: *mut X509_VERIFY_PARAM, flags: c_ulong) -> c_int; #[cfg(any(ossl102, libressl261))] pub fn X509_VERIFY_PARAM_clear_flags(param: *mut X509_VERIFY_PARAM, flags: c_ulong) -> c_int; + + #[cfg(any(ossl102, libressl261))] + pub fn X509_VERIFY_PARAM_set_time(param: *mut X509_VERIFY_PARAM, t: time_t); + + #[cfg(any(ossl102, libressl261))] + pub fn X509_VERIFY_PARAM_set_depth(param: *mut X509_VERIFY_PARAM, depth: c_int); } const_ptr_api! { extern "C" { diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs index a08d1e2ef9..120d6369a0 100644 --- a/openssl/src/x509/store.rs +++ b/openssl/src/x509/store.rs @@ -50,7 +50,7 @@ use crate::error::ErrorStack; use crate::ssl::SslFiletype; use crate::stack::StackRef; #[cfg(any(ossl102, libressl261))] -use crate::x509::verify::X509VerifyFlags; +use crate::x509::verify::{X509VerifyFlags, X509VerifyParamRef}; use crate::x509::{X509Object, X509}; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; @@ -122,6 +122,13 @@ impl X509StoreBuilderRef { pub fn set_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_STORE_set_flags(self.as_ptr(), flags.bits())).map(|_| ()) } } + + /// Sets certificate chain validation related parameters. + #[corresponds[X509_STORE_set1_param]] + #[cfg(any(ossl102, libressl261))] + pub fn set_param(&mut self, param: &X509VerifyParamRef) -> Result<(), ErrorStack> { + unsafe { cvt(ffi::X509_STORE_set1_param(self.as_ptr(), param.as_ptr())).map(|_| ()) } + } } generic_foreign_type_and_impl_send_sync! { diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index fcca2c7bf1..ace6175017 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -13,11 +13,13 @@ use crate::x509::extension::{ }; use crate::x509::store::X509StoreBuilder; #[cfg(any(ossl102, libressl261))] -use crate::x509::verify::X509VerifyFlags; +use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; #[cfg(ossl110)] use crate::x509::X509Builder; use crate::x509::{X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; use hex::{self, FromHex}; +#[cfg(any(ossl102, libressl261))] +use libc::time_t; fn pkey() -> PKey { let rsa = Rsa::generate(2048).unwrap(); @@ -543,3 +545,126 @@ fn test_name_cmp() { assert_eq!(Ordering::Equal, subject.try_cmp(subject).unwrap()); assert_eq!(Ordering::Greater, subject.try_cmp(issuer).unwrap()); } + +#[test] +#[cfg(any(ossl102, libressl261))] +fn test_verify_param_set_time_fails_verification() { + const TEST_T_2030: time_t = 1893456000; + + let cert = include_bytes!("../../test/cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + let ca = include_bytes!("../../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let chain = Stack::new().unwrap(); + + let mut store_bldr = X509StoreBuilder::new().unwrap(); + store_bldr.add_cert(ca).unwrap(); + let mut verify_params = X509VerifyParam::new().unwrap(); + verify_params.set_time(TEST_T_2030); + store_bldr.set_param(&verify_params).unwrap(); + let store = store_bldr.build(); + + let mut context = X509StoreContext::new().unwrap(); + assert_eq!( + context + .init(&store, &cert, &chain, |c| { + c.verify_cert()?; + Ok(c.error()) + }) + .unwrap() + .error_string(), + "certificate has expired" + ) +} + +#[test] +#[cfg(any(ossl102, libressl261))] +fn test_verify_param_set_time() { + const TEST_T_2020: time_t = 1577836800; + + let cert = include_bytes!("../../test/cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + let ca = include_bytes!("../../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let chain = Stack::new().unwrap(); + + let mut store_bldr = X509StoreBuilder::new().unwrap(); + store_bldr.add_cert(ca).unwrap(); + let mut verify_params = X509VerifyParam::new().unwrap(); + verify_params.set_time(TEST_T_2020); + store_bldr.set_param(&verify_params).unwrap(); + let store = store_bldr.build(); + + let mut context = X509StoreContext::new().unwrap(); + assert!(context + .init(&store, &cert, &chain, |c| c.verify_cert()) + .unwrap()); +} + +#[test] +#[cfg(any(ossl102, libressl261))] +fn test_verify_param_set_depth() { + let cert = include_bytes!("../../test/leaf.pem"); + let cert = X509::from_pem(cert).unwrap(); + let intermediate_ca = include_bytes!("../../test/intermediate-ca.pem"); + let intermediate_ca = X509::from_pem(intermediate_ca).unwrap(); + let ca = include_bytes!("../../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let mut chain = Stack::new().unwrap(); + chain.push(intermediate_ca).unwrap(); + + let mut store_bldr = X509StoreBuilder::new().unwrap(); + store_bldr.add_cert(ca).unwrap(); + let mut verify_params = X509VerifyParam::new().unwrap(); + // OpenSSL 1.1.0+ considers the root certificate to not be part of the chain, while 1.0.2 and LibreSSL do + let expected_depth = if cfg!(any(ossl110)) { 1 } else { 2 }; + verify_params.set_depth(expected_depth); + store_bldr.set_param(&verify_params).unwrap(); + let store = store_bldr.build(); + + let mut context = X509StoreContext::new().unwrap(); + assert!(context + .init(&store, &cert, &chain, |c| c.verify_cert()) + .unwrap()); +} + +#[test] +#[cfg(any(ossl102, libressl261))] +fn test_verify_param_set_depth_fails_verification() { + let cert = include_bytes!("../../test/leaf.pem"); + let cert = X509::from_pem(cert).unwrap(); + let intermediate_ca = include_bytes!("../../test/intermediate-ca.pem"); + let intermediate_ca = X509::from_pem(intermediate_ca).unwrap(); + let ca = include_bytes!("../../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let mut chain = Stack::new().unwrap(); + chain.push(intermediate_ca).unwrap(); + + let mut store_bldr = X509StoreBuilder::new().unwrap(); + store_bldr.add_cert(ca).unwrap(); + let mut verify_params = X509VerifyParam::new().unwrap(); + // OpenSSL 1.1.0+ considers the root certificate to not be part of the chain, while 1.0.2 and LibreSSL do + let expected_depth = if cfg!(any(ossl110)) { 0 } else { 1 }; + verify_params.set_depth(expected_depth); + store_bldr.set_param(&verify_params).unwrap(); + let store = store_bldr.build(); + + // OpenSSL 1.1.0+ added support for X509_V_ERR_CERT_CHAIN_TOO_LONG, while 1.0.2 simply ignores the intermediate + let expected_error = if cfg!(any(ossl110, libressl261)) { + "certificate chain too long" + } else { + "unable to get local issuer certificate" + }; + + let mut context = X509StoreContext::new().unwrap(); + assert_eq!( + context + .init(&store, &cert, &chain, |c| { + c.verify_cert()?; + Ok(c.error()) + }) + .unwrap() + .error_string(), + expected_error + ) +} diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index 4752133996..20dd4bea8d 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -1,10 +1,10 @@ use bitflags::bitflags; use foreign_types::ForeignTypeRef; -use libc::{c_uint, c_ulong}; +use libc::{c_int, c_uint, c_ulong, time_t}; use std::net::IpAddr; -use crate::cvt; use crate::error::ErrorStack; +use crate::{cvt, cvt_p}; use openssl_macros::corresponds; bitflags! { @@ -69,6 +69,17 @@ foreign_type_and_impl_send_sync! { pub struct X509VerifyParamRef; } +impl X509VerifyParam { + /// Create an X509VerifyParam + #[corresponds(X509_VERIFY_PARAM_new)] + pub fn new() -> Result { + unsafe { + ffi::init(); + cvt_p(ffi::X509_VERIFY_PARAM_new()).map(X509VerifyParam) + } + } +} + impl X509VerifyParamRef { /// Set the host flags. #[corresponds(X509_VERIFY_PARAM_set_hostflags)] @@ -139,4 +150,16 @@ impl X509VerifyParamRef { .map(|_| ()) } } + + /// Set the verification time, where time is of type time_t, traditionaly defined as seconds since the epoch + #[corresponds(X509_VERIFY_PARAM_set_time)] + pub fn set_time(&mut self, time: time_t) { + unsafe { ffi::X509_VERIFY_PARAM_set_time(self.as_ptr(), time) } + } + + /// Set the verification depth + #[corresponds(X509_VERIFY_PARAM_set_depth)] + pub fn set_depth(&mut self, depth: c_int) { + unsafe { ffi::X509_VERIFY_PARAM_set_depth(self.as_ptr(), depth) } + } } diff --git a/openssl/test/intermediate-ca.key b/openssl/test/intermediate-ca.key new file mode 100644 index 0000000000..48f449534e --- /dev/null +++ b/openssl/test/intermediate-ca.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA1HsHFTpgKeWL/y6oKtARZm0Dy6J/08E0CujmdpVp0xnkXi/A +RARnbMEbOPfmBUMOkVtQT3+l5aCgIAX+Kg6K7sQvio8nQUgOxuO1YpGlYu9EMtc7 +5fNxA1T0CuXXx8ClfEqW1ZV7ziQV0J4gzvuI26A7XyUhdk1oP/Al3F/94TmH6dtP +SQ2K901O2zknU+bpPheQy08SE20k/nUOJAsiwtsxqY8hHOL1sXZ4K+I311hl0QpD +OYf7eBcBdo2Mc5Nzjd9LPGLk1lE3itAXpayFMmfuuA0IdH1gNfy18axFEEVnj6CS +2epGpmAckUEWUOse1WBhDEt6ddowT1iw7X4mWwIDAQABAoIBAGMGXzuudAiymTc5 +OFiTlbhlkAJEXkyC201GU7nqUmJ2y651lKZeYxEVQimfpszG/rARnXEfbWKCJH4o +LNbO5kL2na12n/XVrkVU9EDW3fwoxGDpXFoDxaSm4AGAMrs+diFh5b/upb9ho+UQ +/PtZ0OOCXokuFdU7qB08P3jgJ8LhooqWnZ4AC0rhN85CMNIKs/nrUrnmS3FZLVd/ +NWI9Vfjsndd41Gkho0A7tgOSnwRupk/Bv1b0px31h8ucp9/nLuR8vbGSdS/R9Sta +pB9KNYYQ3LrhQGjddnEU0gj8qsuWgnoPf7eaWsLVunPLHQzL2hNNKL1eBADm7Lhh +avIlnrkCgYEA8Q8UhOeIO0sMU8sB4NPTUf2UT9xjURoowGsGgbDEk21eABH6VC33 +VYt5r5xwbZFQvVaTbe+EI1YDpjH1cvpmorEWI47Nm4Vbf9JujW/hoQwuwpzOpdUT +2G4tfMQrmTw/9HJ0l9+1Ib+A93dB8GvR0NE1uueaWanWvXARInwGiscCgYEA4aZ9 +mbhuwx88sSRMXwxSZw+R5BRrjdC0CeoimGg4/P84bKgc0YsjAha5jWaC/h8xN2Pb +w45b3hQ0/FP8xohP0bp/5eeiDbqb6JuO5bI3CnfBrVpu1CAuIrf7lhkar3a0wluB +k03fVHuVLtydACDJBKrZm1F39lpiZiEqlBIp080CgYEAwRwYjwPAEefkHzhQ7+Ah +uNwQtQ1TjsQLA2J5mumWAJirphjA1jDgo+oQ+Iq1UkEIUjWJ85bd30TntXruK0bH +c+uzVZbvxXfGvhZAtBN9x/svdn4R2a1hsY9J51prpt0qStRp7MSsoTV9xkEGVOi6 +87K1fV5OOyggvC+Lunlq8D8CgYAVSCOObPOdWYPa3SaKzFm1OKW00iw2qtlgGgH7 +R9EgI14J+W0GYk4B82y6plFycDSvGa7vaazGbDd3GOC9RLvqduF7KHaDPvdXX9yB +U2aXiSXuGJpdTU+snJeQ13tJ0zNHJWQ6JV0L1cADNHFmQrFSzF5LpMpgpLOlGDmw +z2m8fQKBgQDclFeonyn0zcXqznun9kAKkMij4s6lSdRgi/5Zh1WbJwOso9oWfwz9 +SSTP2KBO8B+/yFvuo5SWrbNaTz9/KuzMTv4HXz5ukLbyN9Jjtk73fdBBRSjL+zF5 +jU56oXHrwBhEqWQ77Ps60r+FmDjUgUhyJl14ZfkzICUK7NLFxKrvMQ== +-----END RSA PRIVATE KEY----- diff --git a/openssl/test/intermediate-ca.pem b/openssl/test/intermediate-ca.pem new file mode 100644 index 0000000000..266ef593cb --- /dev/null +++ b/openssl/test/intermediate-ca.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDszCCApugAwIBAgIEFSQSITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB +VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMB4XDTIyMTEwMzA3MDc0OVoXDTI2MDgxMTA3MDc0OVowgYkxCzAJ +BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l +dCBXaWRnaXRzIFB0eSBMdGQxIDAeBgNVBAsMF0ludGVybWVkaWF0ZSBEZXBhcnRt +ZW50MSAwHgYDVQQDDBdpbnRlcm1lZGlhdGUuZm9vYmFyLmNvbTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBANR7BxU6YCnli/8uqCrQEWZtA8uif9PBNAro +5naVadMZ5F4vwEQEZ2zBGzj35gVDDpFbUE9/peWgoCAF/ioOiu7EL4qPJ0FIDsbj +tWKRpWLvRDLXO+XzcQNU9Arl18fApXxKltWVe84kFdCeIM77iNugO18lIXZNaD/w +Jdxf/eE5h+nbT0kNivdNTts5J1Pm6T4XkMtPEhNtJP51DiQLIsLbMamPIRzi9bF2 +eCviN9dYZdEKQzmH+3gXAXaNjHOTc43fSzxi5NZRN4rQF6WshTJn7rgNCHR9YDX8 +tfGsRRBFZ4+gktnqRqZgHJFBFlDrHtVgYQxLenXaME9YsO1+JlsCAwEAAaNmMGQw +HQYDVR0OBBYEFAXJImmmxYXx6L1SRRhgP3Tyq2J6MB8GA1UdIwQYMBaAFGzTpQOr +DV8syY2KnIiniHe4N/2aMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQD +AgGGMA0GCSqGSIb3DQEBCwUAA4IBAQCnUh7iNbnFBjVa4sFx02r65syxUhcvM/ya +DcSe1esGUwjZLyKVl9BTfQ6kfNa/6Z/t5cprp0R3etalN31dxka7xSDwzFNdBczB +zYDIVOVlcGLL1Xjozacm6YHo773dqxZS36rVMk3NqNUY6GJJ+CGso2xZShcBg2KG +fPlNPiRz3847E3dwouDYcP1MXf2ql/Y7dRbE+8kb3bWkSusJVb/4EHjpR7yZjKmh +eXHVVx1dKnCGRldn3+dSNhN6mxNaSeBE2hb158+diQvL5u3f//va7SOpCi0f4d8E +UCnLhieyrDlr42XXfz42BqRpqBO1SDjQwzIIc9Fbevwb916OSExp +-----END CERTIFICATE----- diff --git a/openssl/test/leaf.pem b/openssl/test/leaf.pem new file mode 100644 index 0000000000..0f7aa808de --- /dev/null +++ b/openssl/test/leaf.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDejCCAmICBBUkEiQwDQYJKoZIhvcNAQELBQAwgYkxCzAJBgNVBAYTAkFVMRMw +EQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0 +eSBMdGQxIDAeBgNVBAsMF0ludGVybWVkaWF0ZSBEZXBhcnRtZW50MSAwHgYDVQQD +DBdpbnRlcm1lZGlhdGUuZm9vYmFyLmNvbTAeFw0yMjExMDMwNzE3NTJaFw0yNjA4 +MTEwNzE3NTJaMHkxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGDAWBgNVBAsMD0xlYWYg +RGVwYXJ0bWVudDEYMBYGA1UEAwwPbGVhZi5mb29iYXIuY29tMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs9STUHGIcSOtioK6+02k9Jx4JuYVJ0SB7Ebd +FAhGiOxBSoOljRVmmALti89QMmRiRqlyJnGJch7AloCCRsLJA0MfUYvauqmKHZFk +iqtZ1HocHQ/LGNKfkILcclb4xp2nGYntKAyEqer3Qc6aPWAnQAV/+BshU1vlMfwU +T6vOJRG69mft6dkHEWSzZd7++7HmFQGnDmIs5jBJVCOgKVttkN8Bk2EsTvJi9zl2 +SXLTcVrTAxEvuawv2ZXvdI/Cpt1WW0litXlFLcYBGwt/N93TX/L3Iyw5HcNd/xf9 +QwOr6RR66krQJzKxwcIY934uq6cyTQhexgnffb65qXL4bbV5fwIDAQABMA0GCSqG +SIb3DQEBCwUAA4IBAQAZf0/r04AeKN2QhQ7Z0o2Iu/Yj3OD2tnbxVoltYk8CRfp3 +7VGl/5PUbmXXBSwMc4Udj88JlreU7iNEPAKtBqFczw0pwNfvxKG4Eh3vsfKrP+5g +gtVwDG0mWeKJ7udrmFt8N0uwxVYDKp/gv5+Bw2eMew9Eoyenj6k2yg0nbFKzA3EH +DqngETzX0dhdiYwVcoJFUK5ni3tVl9qi6FpmaTE6C5nTQLyH4CI+vo2x/QHINGaJ +OzY/rx35iyVqXVqxN/gO/hp6g0nT5zLuMg2rfvcAhdDsD7htYcHiNkofrC8s0oQE +W+r01EhxdEVvY1nYWanBCF6tktc5v5qf2WMS4ye5 +-----END CERTIFICATE----- From 520f6efb94fba8e6ed2c356cd46a60c0cc3675bb Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Wed, 9 Nov 2022 09:21:48 +0100 Subject: [PATCH 22/26] Fix reference to ECC --- openssl-sys/src/macros.rs | 2 +- openssl/src/ec.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/macros.rs b/openssl-sys/src/macros.rs index 2f8bf77c39..cb675f6e41 100644 --- a/openssl-sys/src/macros.rs +++ b/openssl-sys/src/macros.rs @@ -38,7 +38,7 @@ macro_rules! cfg_if { // semicolon is all the remaining items (@__items ($($not:meta,)*) ; ) => {}; (@__items ($($not:meta,)*) ; ( ($($m:meta),*) ($($it:item)*) ), $($rest:tt)*) => { - // Emit all items within one block, applying an approprate #[cfg]. The + // Emit all items within one block, applying an appropriate #[cfg]. The // #[cfg] will require all `$m` matchers specified and must also negate // all previous matchers. cfg_if! { @__apply cfg(all($($m,)* not(any($($not),*)))), $($it)* } diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index d768612c74..a6a6dc975a 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -14,7 +14,7 @@ //! //! [`EcGroup`]: struct.EcGroup.html //! [`Nid`]: ../nid/struct.Nid.html -//! [Eliptic Curve Cryptography]: https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography +//! [Elliptic Curve Cryptography]: https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography use foreign_types::{ForeignType, ForeignTypeRef}; use libc::c_int; use std::fmt; From 9ab49ba3e30c4435374dee94874936c717bda4dd Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Tue, 22 Nov 2022 17:44:51 +0100 Subject: [PATCH 23/26] Fix lint error on clippy 1.65 --- openssl-errors/tests/test.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-errors/tests/test.rs b/openssl-errors/tests/test.rs index 12e79b830e..98259b9b08 100644 --- a/openssl-errors/tests/test.rs +++ b/openssl-errors/tests/test.rs @@ -32,7 +32,7 @@ fn basic() { cfg_if! { if #[cfg(ossl300)] { // https://github.com/openssl/openssl/issues/12530 - assert!(error.data() == None || error.data() == Some("")); + assert!(error.data().is_none() || error.data() == Some("")); } else { assert_eq!(error.data(), None); } From 6c52dd49285dd7ec289b0a6a011499d71914ba35 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Tue, 22 Nov 2022 15:43:48 +0100 Subject: [PATCH 24/26] Improve `PKey` documentation related to ed25519/ed448 This patch adds doctests with common usage to the `generate_*` functions as well as cross links to other pieces of documentation. --- openssl/src/pkey.rs | 100 ++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 92 insertions(+), 8 deletions(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 1e09b77b54..7d438ebadc 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -238,10 +238,10 @@ where unsafe { ffi::EVP_PKEY_cmp(self.as_ptr(), other.as_ptr()) == 1 } } - /// Raw byte representation of a public key + /// Raw byte representation of a public key. /// /// This function only works for algorithms that support raw public keys. - /// Currently this is: X25519, ED25519, X448 or ED448 + /// Currently this is: [`Id::X25519`], [`Id::ED25519`], [`Id::X448`] or [`Id::ED448`]. #[corresponds(EVP_PKEY_get_raw_public_key)] #[cfg(ossl111)] pub fn raw_public_key(&self) -> Result, ErrorStack> { @@ -289,10 +289,10 @@ where ffi::i2d_PrivateKey } - /// Raw byte representation of a private key + /// Raw byte representation of a private key. /// /// This function only works for algorithms that support raw private keys. - /// Currently this is: HMAC, X25519, ED25519, X448 or ED448 + /// Currently this is: [`Id::HMAC`], [`Id::X25519`], [`Id::ED25519`], [`Id::X448`] or [`Id::ED448`]. #[corresponds(EVP_PKEY_get_raw_private_key)] #[cfg(ossl111)] pub fn raw_private_key(&self) -> Result, ErrorStack> { @@ -482,25 +482,109 @@ impl PKey { ctx.keygen() } - /// Generates a new private Ed25519 key + /// Generates a new private X25519 key. + /// + /// To import a private key from raw bytes see [`PKey::private_key_from_raw_bytes`]. + /// + /// # Examples + /// + /// ``` + /// # fn main() -> Result<(), Box> { + /// use openssl::pkey::{PKey, Id}; + /// use openssl::derive::Deriver; + /// + /// let public = // ... + /// # &PKey::generate_x25519()?.raw_public_key()?; + /// let public_key = PKey::public_key_from_raw_bytes(public, Id::X25519)?; + /// + /// let key = PKey::generate_x25519()?; + /// let mut deriver = Deriver::new(&key)?; + /// deriver.set_peer(&public_key)?; + /// + /// let secret = deriver.derive_to_vec()?; + /// assert_eq!(secret.len(), 32); + /// # Ok(()) } + /// ``` #[cfg(ossl111)] pub fn generate_x25519() -> Result, ErrorStack> { PKey::generate_eddsa(Id::X25519) } - /// Generates a new private Ed448 key + /// Generates a new private X448 key. + /// + /// To import a private key from raw bytes see [`PKey::private_key_from_raw_bytes`]. + /// + /// # Examples + /// + /// ``` + /// # fn main() -> Result<(), Box> { + /// use openssl::pkey::{PKey, Id}; + /// use openssl::derive::Deriver; + /// + /// let public = // ... + /// # &PKey::generate_x448()?.raw_public_key()?; + /// let public_key = PKey::public_key_from_raw_bytes(public, Id::X448)?; + /// + /// let key = PKey::generate_x448()?; + /// let mut deriver = Deriver::new(&key)?; + /// deriver.set_peer(&public_key)?; + /// + /// let secret = deriver.derive_to_vec()?; + /// assert_eq!(secret.len(), 56); + /// # Ok(()) } + /// ``` #[cfg(ossl111)] pub fn generate_x448() -> Result, ErrorStack> { PKey::generate_eddsa(Id::X448) } - /// Generates a new private Ed25519 key + /// Generates a new private Ed25519 key. + /// + /// To import a private key from raw bytes see [`PKey::private_key_from_raw_bytes`]. + /// + /// # Examples + /// + /// ``` + /// # fn main() -> Result<(), Box> { + /// use openssl::pkey::{PKey, Id}; + /// use openssl::sign::Signer; + /// + /// let key = PKey::generate_ed25519()?; + /// let public_key = key.raw_public_key()?; + /// + /// let mut signer = Signer::new_without_digest(&key)?; + /// let digest = // ... + /// # &vec![0; 32]; + /// let signature = signer.sign_oneshot_to_vec(digest)?; + /// assert_eq!(signature.len(), 64); + /// # Ok(()) } + /// ``` #[cfg(ossl111)] pub fn generate_ed25519() -> Result, ErrorStack> { PKey::generate_eddsa(Id::ED25519) } - /// Generates a new private Ed448 key + /// Generates a new private Ed448 key. + /// + /// To import a private key from raw bytes see [`PKey::private_key_from_raw_bytes`]. + /// + /// # Examples + /// + /// ``` + /// # fn main() -> Result<(), Box> { + /// use openssl::pkey::{PKey, Id}; + /// use openssl::sign::Signer; + /// + /// let key = PKey::generate_ed448()?; + /// let public_key = key.raw_public_key()?; + /// + /// let mut signer = Signer::new_without_digest(&key)?; + /// let digest = // ... + /// # &vec![0; 32]; + /// let signature = signer.sign_oneshot_to_vec(digest)?; + /// assert_eq!(signature.len(), 114); + /// # Ok(()) } + /// ``` #[cfg(ossl111)] pub fn generate_ed448() -> Result, ErrorStack> { PKey::generate_eddsa(Id::ED448) From d5037d4dcae4fcb5c301f9df907975033185a926 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Wed, 23 Nov 2022 17:46:44 -0800 Subject: [PATCH 25/26] Release openssl-sys v0.9.78 --- openssl-sys/CHANGELOG.md | 17 ++++++++++++++++- openssl-sys/Cargo.toml | 2 +- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index bcbb5ec937..0c549f6117 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,20 @@ ## [Unreleased] +## [v0.9.78] - 2022-11-23 + +### Added + +* Added support for LibreSSL 3.6.x. +* Added `NID_brainpoolP256r1`, `NID_brainpoolP384r1`, and `NID_brainpool512r1`. +* Added `EVP_camellia_128_cfb128`, `EVP_camellia_128_ecb`, `EVP_camellia_192_cfb128`, `EVP_camellia_192_ecb`, + `EVP_camellia_256_cfb128`, and `EVP_camellia_256_ecb`. +* Added `EVP_cast5_cfb64` and `EVP_cast5_ecb`. +* Added `EVP_idea_cfb64` and `EVP_idea_ecb`. +* Added `DSA_SIG`, `d2i_DSA_SIG`, `i2d_DSA_SIG`, `DSA_SIG_new`, `DSA_SIG_free`, `DSA_SIG_get0`, and `DSA_SIG_set0`. +* Added `X509_STORE_set1_param`, `X509_VERIFY_PARAM_new`, `X509_VERIFY_PARAM_set_time`, and + `X509_VERIFY_PARAM_set_depth`. + ## [v0.9.77] - 2022-10-22 ### Added @@ -336,7 +350,8 @@ * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.76..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.77..master +[v0.9.77]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.76...openssl-sys-v0.9.77 [v0.9.76]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.75...openssl-sys-v0.9.76 [v0.9.75]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.74...openssl-sys-v0.9.75 [v0.9.74]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.73...openssl-sys-v0.9.74 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 7c6ab832d6..ee1a57cd19 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.77" +version = "0.9.78" authors = [ "Alex Crichton ", "Steven Fackler ", From 7db5cc72d326360ffa62398201635effedb885c6 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Wed, 23 Nov 2022 17:53:05 -0800 Subject: [PATCH 26/26] Release openssl v0.10.43 --- openssl/CHANGELOG.md | 14 +++++++++++++- openssl/Cargo.toml | 4 ++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index ba28a5a383..31564986e0 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,17 @@ ## [Unreleased] +## [v0.10.43] - 2022-11-23 + +### Added + +* Added `Nid::BRAINPOOL_P256R1`, `Nid::BRAINPOOL_P384R1`, `Nid::BRAINPOOL_P512R1`. +* Added `BigNumRef::copy_from_slice`. +* Added `Cipher` constructors for Camellia, CAST5, and IDEA ciphers. +* Added `DsaSig`. +* Added `X509StoreBuilderRef::set_param`. +* Added `X509VerifyParam::new`, `X509VerifyParamRef::set_time`, and `X509VerifyParamRef::set_depth`. + ## [v0.10.42] - 2022-09-26 ### Added @@ -630,7 +641,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.42...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.43...master +[v0.10.43]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.42...openssl-v0.10.43 [v0.10.42]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.41...openssl-v0.10.42 [v0.10.41]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.40...openssl-v0.10.41 [v0.10.40]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.39...openssl-v0.10.40 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 41bd0fdb2f..b6204e4490 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.42" +version = "0.10.43" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.76", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.78", path = "../openssl-sys" } [dev-dependencies] hex = "0.3"