From 5fffb2b285c41106eff5902ce3ea059902bf0a70 Mon Sep 17 00:00:00 2001 From: Josh Robson Chase Date: Fri, 7 Jun 2019 10:26:17 -0400 Subject: [PATCH 001/341] Add higher-level bindings to the API CRLs --- openssl/src/x509/mod.rs | 151 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 151 insertions(+) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 8df2818a5e..2d8cd5df73 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1296,6 +1296,136 @@ impl X509ReqRef { } } +foreign_type_and_impl_send_sync! { + type CType = ffi::X509_CRL; + fn drop = ffi::X509_CRL_free; + + /// An `X509` certificate request. + pub struct X509Crl; + /// Reference to `X509Crl`. + pub struct X509CrlRef; +} + +impl X509Crl { + from_pem! { + /// Deserializes a PEM-encoded Certificate Revocation List + /// + /// The input should have a header of `-----BEGIN X509 CRL-----`. + /// + /// This corresponds to [`PEM_read_bio_X509_CRL`]. + /// + /// [`PEM_read_bio_X509_CRL`]: https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_X509_REQ.html + from_pem, + X509Crl, + ffi::PEM_read_bio_X509_CRL + } + + from_der! { + /// Deserializes a DER-encoded Certificate Revocation List + /// + /// This corresponds to [`d2i_X509_CRL`]. + /// + /// [`d2i_X509_CRL`]: https://www.openssl.org/docs/man1.1.0/crypto/d2i_X509_REQ.html + from_der, + X509Crl, + ffi::d2i_X509_CRL + } +} + +impl X509CrlRef { + to_pem! { + /// Serializes the certificate request to a PEM-encoded Certificate Revocation List. + /// + /// The output will have a header of `-----BEGIN X509 CRL-----`. + /// + /// This corresponds to [`PEM_write_bio_X509_CRL`]. + /// + /// [`PEM_write_bio_X509_CRL`]: https://www.openssl.org/docs/man1.0.2/crypto/PEM_write_bio_X509_REQ.html + to_pem, + ffi::PEM_write_bio_X509_CRL + } + + to_der! { + /// Serializes the certificate request to a DER-encoded Certificate Revocation List. + /// + /// This corresponds to [`i2d_X509_CRL`]. + /// + /// [`i2d_X509_CRL`]: https://www.openssl.org/docs/man1.0.2/crypto/i2d_X509_REQ.html + to_der, + ffi::i2d_X509_CRL + } + + /// Returns the CRL's `lastUpdate` time. + /// + /// This corresponds to [`X509_CRL_get0_lastUpdate"] + /// + /// [`X509_CRL_get0_lastUpdate`]: https://www.openssl.org/docs/man1.1.1/man3/X509_CRL_get0_lastUpdate.html + pub fn last_update(&self) -> &Asn1TimeRef { + unsafe { + let date = X509_CRL_get0_lastUpdate(self.as_ptr()); + assert!(!date.is_null()); + Asn1TimeRef::from_ptr(date as *mut _) + } + } + + /// Returns the CRL's `nextUpdate` time. + /// + /// If the `nextUpdate` field is missing, returns `None`. + /// + /// This corresponds to [`X509_CRL_get0_nextUpdate"] + /// + /// [`X509_CRL_get0_nextUpdate`]: https://www.openssl.org/docs/man1.1.1/man3/X509_CRL_get0_nextUpdate.html + pub fn next_update(&self) -> Option<&Asn1TimeRef> { + unsafe { + let date = X509_CRL_get0_nextUpdate(self.as_ptr()); + if date.is_null() { + None + } else { + Some(Asn1TimeRef::from_ptr(date as *mut _)) + } + } + } + + /// Check if the provided certificate is in the revocation list. + pub fn is_revoked(&self, cert: &X509Ref) -> bool { + unsafe { + let mut ret = ptr::null_mut::(); + ffi::X509_CRL_get0_by_serial( + self.as_ptr(), + &mut ret as *mut _, + cert.serial_number().as_ptr(), + ); + !ret.is_null() + } + } + + /// Get the issuer name from the revocation list. + pub fn issuer_name(&self) -> &X509NameRef { + unsafe { + let name = X509_CRL_get_issuer(self.as_ptr()); + assert!(!name.is_null()); + X509NameRef::from_ptr(name) + } + } + + /// Check if the CRL is signed using the given public key. + /// + /// Only the signature is checked: no other checks (such as certificate chain validity) + /// are performed. + /// + /// Returns `true` if verification succeeds. + /// + /// This corresponds to [`X509_CRL_verify"]. + /// + /// [`X509_CRL_verify`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_CRL_verify.html + pub fn verify(&self, key: &PKeyRef) -> Result + where + T: HasPublic, + { + unsafe { cvt_n(ffi::X509_CRL_verify(self.as_ptr(), key.as_ptr())).map(|n| n != 0) } + } +} + /// The result of peer certificate verification. #[derive(Copy, Clone, PartialEq, Eq)] pub struct X509VerifyResult(c_int); @@ -1612,3 +1742,24 @@ cfg_if! { } } } + +cfg_if! { + if #[cfg(ossl110)] { + use ffi::{ + X509_CRL_get_issuer, X509_CRL_get0_nextUpdate, X509_CRL_get0_lastUpdate, + }; + } else { + #[allow(bad_style)] + unsafe fn X509_CRL_get0_lastUpdate(x: *const ffi::X509_CRL) -> *mut ffi::ASN1_TIME { + (*(*x).crl).lastUpdate + } + #[allow(bad_style)] + unsafe fn X509_CRL_get0_nextUpdate(x: *const ffi::X509_CRL) -> *mut ffi::ASN1_TIME { + (*(*x).crl).nextUpdate + } + #[allow(bad_style)] + unsafe fn X509_CRL_get_issuer(x: *const ffi::X509_CRL) -> *mut ffi::X509_NAME { + (*(*x).crl).issuer + } + } +} From 47c487c98d42764f6956956540eb70ef68f3d0e9 Mon Sep 17 00:00:00 2001 From: Josh Robson Chase Date: Mon, 10 Jun 2019 10:14:14 -0400 Subject: [PATCH 002/341] Expose higher-level bindings to X509Revoked --- openssl/src/x509/mod.rs | 120 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 112 insertions(+), 8 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 2d8cd5df73..ec7e8909d3 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1296,6 +1296,63 @@ impl X509ReqRef { } } +foreign_type_and_impl_send_sync! { + type CType = ffi::X509_REVOKED; + fn drop = ffi::X509_REVOKED_free; + + /// An `X509` certificate request. + pub struct X509Revoked; + /// Reference to `X509Crl`. + pub struct X509RevokedRef; +} + +impl Stackable for X509Revoked { + type StackType = ffi::stack_st_X509_REVOKED; +} + +impl X509Revoked { + from_der! { + /// Deserializes a DER-encoded certificate revokation status + /// + /// This corresponds to [`d2i_X509_REVOKED`]. + /// + /// [`d2i_X509_REVOKED`]: https://www.openssl.org/docs/man1.1.0/crypto/d2i_X509_REVOKED.html + from_der, + X509Revoked, + ffi::d2i_X509_REVOKED + } +} + +impl X509RevokedRef { + to_der! { + /// Serializes the certificate request to a DER-encoded certificate revocation status + /// + /// This corresponds to [`i2d_X509_REVOKED`]. + /// + /// [`i2d_X509_REVOKED`]: https://www.openssl.org/docs/man1.0.2/crypto/i2d_X509_REQ.html + to_der, + ffi::i2d_X509_REVOKED + } + + /// Get the date that the certificate was revoked + pub fn revocation_date(&self) -> &Asn1TimeRef { + unsafe { + let r = X509_REVOKED_get0_revocationDate(self.as_ptr() as *const _); + assert!(!r.is_null()); + Asn1TimeRef::from_ptr(r as *mut _) + } + } + + /// Get the serial number of the revoked certificate + pub fn serial_number(&self) -> &Asn1IntegerRef { + unsafe { + let r = X509_REVOKED_get0_serialNumber(self.as_ptr() as *const _); + assert!(!r.is_null()); + Asn1IntegerRef::from_ptr(r as *mut _) + } + } +} + foreign_type_and_impl_send_sync! { type CType = ffi::X509_CRL; fn drop = ffi::X509_CRL_free; @@ -1355,6 +1412,18 @@ impl X509CrlRef { ffi::i2d_X509_CRL } + /// Get the stack of revocation entries + pub fn get_revoked(&self) -> Option> { + unsafe { + let revoked = X509_CRL_get_REVOKED(self.as_ptr()); + if revoked.is_null() { + None + } else { + Some(Stack::from_ptr(revoked)) + } + } + } + /// Returns the CRL's `lastUpdate` time. /// /// This corresponds to [`X509_CRL_get0_lastUpdate"] @@ -1386,16 +1455,37 @@ impl X509CrlRef { } } - /// Check if the provided certificate is in the revocation list. - pub fn is_revoked(&self, cert: &X509Ref) -> bool { + /// Get the revocation status of a certificate by its serial number + /// + /// This corresponds to [`X509_CRL_get0_by_serial`] + /// + /// [`X509_CRL_get0_by_serial`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_CRL_get0_by_serial.html + pub fn get_by_serial(&self, serial: &Asn1IntegerRef) -> Option<&X509RevokedRef> { unsafe { let mut ret = ptr::null_mut::(); - ffi::X509_CRL_get0_by_serial( - self.as_ptr(), - &mut ret as *mut _, - cert.serial_number().as_ptr(), - ); - !ret.is_null() + ffi::X509_CRL_get0_by_serial(self.as_ptr(), &mut ret as *mut _, serial.as_ptr()); + if ret.is_null() { + None + } else { + Some(X509RevokedRef::from_ptr(ret)) + } + } + } + + /// Get the revocation status of a certificate + /// + /// This corresponds to [`X509_CRL_get0_by_cert`] + /// + /// [`X509_CRL_get0_by_cert`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_CRL_get0_by_cert.html + pub fn get_by_cert(&self, cert: &X509) -> Option<&X509RevokedRef> { + unsafe { + let mut ret = ptr::null_mut::(); + ffi::X509_CRL_get0_by_cert(self.as_ptr(), &mut ret as *mut _, cert.as_ptr()); + if ret.is_null() { + None + } else { + Some(X509RevokedRef::from_ptr(ret)) + } } } @@ -1747,6 +1837,8 @@ cfg_if! { if #[cfg(ossl110)] { use ffi::{ X509_CRL_get_issuer, X509_CRL_get0_nextUpdate, X509_CRL_get0_lastUpdate, + X509_CRL_get_REVOKED, + X509_REVOKED_get0_revocationDate, X509_REVOKED_get0_serialNumber, }; } else { #[allow(bad_style)] @@ -1761,5 +1853,17 @@ cfg_if! { unsafe fn X509_CRL_get_issuer(x: *const ffi::X509_CRL) -> *mut ffi::X509_NAME { (*(*x).crl).issuer } + #[allow(bad_style)] + unsafe fn X509_CRL_get_REVOKED(x: *const ffi::X509_CRL) -> *mut ffi::stack_st_X509_REVOKED { + (*(*x).crl).revoked + } + #[allow(bad_style)] + unsafe fn X509_REVOKED_get0_serialNumber(x: *const ffi::X509_REVOKED) -> *mut ffi::ASN1_INTEGER { + (*x).serialNumber + } + #[allow(bad_style)] + unsafe fn X509_REVOKED_get0_revocationDate(x: *const ffi::X509_REVOKED) -> *mut ffi::ASN1_TIME { + (*x).revocationDate + } } } From 3b3b4994b2d5a36dffda671d69b3ee69cdcad1de Mon Sep 17 00:00:00 2001 From: Josh Robson Chase Date: Mon, 10 Jun 2019 13:12:26 -0400 Subject: [PATCH 003/341] Add basic CRL test --- openssl/src/x509/tests.rs | 23 +++++++++- openssl/test/ca.crt | 88 ++++++++++++++++++++++++++++++++++++++ openssl/test/crl-ca.crt | 20 +++++++++ openssl/test/subca.crt | 88 ++++++++++++++++++++++++++++++++++++++ openssl/test/test.crl | Bin 0 -> 469 bytes 5 files changed, 218 insertions(+), 1 deletion(-) create mode 100644 openssl/test/ca.crt create mode 100644 openssl/test/crl-ca.crt create mode 100644 openssl/test/subca.crt create mode 100644 openssl/test/test.crl diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 155a16a8d8..a21169e7f9 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -14,7 +14,7 @@ use crate::x509::store::X509StoreBuilder; use crate::x509::verify::X509VerifyFlags; #[cfg(ossl110)] use crate::x509::X509Builder; -use crate::x509::{X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; +use crate::x509::{X509Crl, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; use hex::{self, FromHex}; fn pkey() -> PKey { @@ -453,3 +453,24 @@ fn x509_ref_version_no_version_set() { "Default certificate version is incorrect", ); } + +#[test] +fn test_load_crl() { + let ca = include_bytes!("../../test/crl-ca.crt"); + let ca = X509::from_pem(ca).unwrap(); + + let crl = include_bytes!("../../test/test.crl"); + let crl = X509Crl::from_der(crl).unwrap(); + assert!(crl.verify(&ca.public_key().unwrap()).unwrap()); + + let cert = include_bytes!("../../test/subca.crt"); + let cert = X509::from_pem(cert).unwrap(); + + let revoked = crl.get_by_cert(&cert).unwrap(); + + assert_eq!( + revoked.serial_number().to_bn().unwrap(), + cert.serial_number().to_bn().unwrap(), + "revoked and cert serial numbers should match" + ); +} diff --git a/openssl/test/ca.crt b/openssl/test/ca.crt new file mode 100644 index 0000000000..a0a8ab2390 --- /dev/null +++ b/openssl/test/ca.crt @@ -0,0 +1,88 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 13:ae:da:d8:f4:18:d7:73:b8:bd:35:c9:ce:8e:b3:fc + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=TestCA + Validity + Not Before: Jun 6 19:11:19 2019 GMT + Not After : May 21 19:11:19 2022 GMT + Subject: CN=SubCA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b0:09:fc:54:e7:6a:9f:0c:bd:ad:5a:8d:ef:94: + 4e:11:a6:87:19:4f:bf:a6:e1:62:a5:2d:b7:17:df: + 67:53:70:da:fe:7d:99:17:ee:13:47:0b:40:0b:a2: + 34:32:a9:d3:bf:20:fc:13:77:a1:d5:26:60:1f:f0: + d4:be:dc:76:7c:1e:6c:b4:4c:01:7c:56:cd:5c:53: + ec:81:b3:81:2a:b2:35:26:06:5a:79:e0:b3:9e:e4: + 57:e1:09:de:ad:7f:c8:cd:87:ee:49:93:30:52:58: + b2:bc:0f:c1:b6:10:44:f8:85:d5:5b:0a:9b:28:fe: + f4:f4:4a:16:a6:f7:25:e9:96:47:69:73:5b:33:77: + 92:7d:61:8d:2a:3d:d5:04:89:40:bf:6b:d2:fd:5d: + e2:1a:80:a9:8e:c8:92:f6:e5:4c:00:84:f9:6e:2a: + 93:a3:23:ee:28:23:81:f4:54:f0:18:2c:ee:32:8e: + 38:9c:a0:c8:33:04:b0:fc:4c:43:1a:5c:04:84:9f: + 73:c6:08:c7:1d:64:39:fe:72:19:3b:cc:a5:fd:0b: + 43:25:0d:2b:a9:88:77:9e:62:e6:ac:c2:9a:60:42: + 4f:4a:54:47:bc:a0:29:72:7c:38:52:c9:ea:27:c5: + 3d:d0:81:4a:3e:b8:78:79:4b:89:b8:4e:6d:1b:24: + 15:bd + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 CRL Distribution Points: + + Full Name: + URI:http://127.0.0.1:8081/pki/test.crl + + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + FD:82:45:39:A1:91:41:F2:66:CC:0D:75:D5:0D:40:D5:81:A7:A1:43 + X509v3 Authority Key Identifier: + keyid:C5:CC:F5:A1:8C:D9:E4:A7:BA:EC:21:F5:D1:84:23:EA:0D:C2:C7:30 + DirName:/CN=TestCA + serial:33:E7:04:87:09:32:87:21:D9:CD:7C:AA:4C:5A:BB:2C:6C:7B:54:28 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Signature Algorithm: sha256WithRSAEncryption + 96:a0:ff:8a:4b:bd:45:96:c9:72:3c:63:e3:48:c4:ab:ef:7e: + db:76:3f:d9:02:9e:69:c8:d9:36:55:e1:f5:9b:c9:69:d8:69: + 02:ac:50:8c:60:94:2c:2e:b9:a8:65:ac:f5:00:b0:8b:96:25: + 0b:8a:ef:94:21:57:e2:04:c2:c3:86:bf:06:4e:91:5c:e6:bc: + 1b:03:31:8b:64:ea:c5:79:c3:5c:94:e5:aa:67:7e:74:12:07: + 14:fd:cd:32:02:26:26:c9:0a:ed:d4:da:ee:2a:84:e3:f1:60: + b3:09:77:27:a1:3c:ac:ec:61:18:30:b5:6d:1f:16:0a:24:1a: + cf:1c:1b:60:a5:60:e5:2c:8b:cf:37:83:0c:15:e7:79:30:3f: + ee:50:45:7c:4b:c6:2c:cd:2c:81:0a:98:f1:65:44:7a:ca:2a: + 20:1a:de:19:d9:4b:ca:a1:e2:a4:b5:14:47:bf:b4:68:15:03: + c0:55:e5:f4:47:0e:55:9f:fe:85:d8:2c:7d:d0:1a:96:11:b9: + 68:b7:74:1e:61:94:c1:ae:87:52:2d:c6:26:ba:51:ed:f1:91: + c0:e6:4c:f8:ad:02:23:75:51:fc:f8:69:05:ec:cf:31:50:5a: + 41:78:eb:3d:27:4d:9b:68:ef:ba:0e:ba:3a:7d:60:00:9d:53: + a5:08:3d:c6 +-----BEGIN CERTIFICATE----- +MIIDbDCCAlSgAwIBAgIQE67a2PQY13O4vTXJzo6z/DANBgkqhkiG9w0BAQsFADAR +MQ8wDQYDVQQDDAZUZXN0Q0EwHhcNMTkwNjA2MTkxMTE5WhcNMjIwNTIxMTkxMTE5 +WjAQMQ4wDAYDVQQDDAVTdWJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALAJ/FTnap8Mva1aje+UThGmhxlPv6bhYqUttxffZ1Nw2v59mRfuE0cLQAui +NDKp078g/BN3odUmYB/w1L7cdnwebLRMAXxWzVxT7IGzgSqyNSYGWnngs57kV+EJ +3q1/yM2H7kmTMFJYsrwPwbYQRPiF1VsKmyj+9PRKFqb3JemWR2lzWzN3kn1hjSo9 +1QSJQL9r0v1d4hqAqY7IkvblTACE+W4qk6Mj7igjgfRU8Bgs7jKOOJygyDMEsPxM +QxpcBISfc8YIxx1kOf5yGTvMpf0LQyUNK6mId55i5qzCmmBCT0pUR7ygKXJ8OFLJ +6ifFPdCBSj64eHlLibhObRskFb0CAwEAAaOBwDCBvTAzBgNVHR8ELDAqMCigJqAk +hiJodHRwOi8vMTI3LjAuMC4xOjgwODEvcGtpL3Rlc3QuY3JsMAwGA1UdEwQFMAMB +Af8wHQYDVR0OBBYEFP2CRTmhkUHyZswNddUNQNWBp6FDMEwGA1UdIwRFMEOAFMXM +9aGM2eSnuuwh9dGEI+oNwscwoRWkEzARMQ8wDQYDVQQDDAZUZXN0Q0GCFDPnBIcJ +Moch2c18qkxauyxse1QoMAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEA +lqD/iku9RZbJcjxj40jEq+9+23Y/2QKeacjZNlXh9ZvJadhpAqxQjGCULC65qGWs +9QCwi5YlC4rvlCFX4gTCw4a/Bk6RXOa8GwMxi2TqxXnDXJTlqmd+dBIHFP3NMgIm +JskK7dTa7iqE4/Fgswl3J6E8rOxhGDC1bR8WCiQazxwbYKVg5SyLzzeDDBXneTA/ +7lBFfEvGLM0sgQqY8WVEesoqIBreGdlLyqHipLUUR7+0aBUDwFXl9EcOVZ/+hdgs +fdAalhG5aLd0HmGUwa6HUi3GJrpR7fGRwOZM+K0CI3VR/PhpBezPMVBaQXjrPSdN +m2jvug66On1gAJ1TpQg9xg== +-----END CERTIFICATE----- diff --git a/openssl/test/crl-ca.crt b/openssl/test/crl-ca.crt new file mode 100644 index 0000000000..a4a9075af4 --- /dev/null +++ b/openssl/test/crl-ca.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPDCCAiSgAwIBAgIUM+cEhwkyhyHZzXyqTFq7LGx7VCgwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGVGVzdENBMB4XDTE5MDYwNjE5MTA1NVoXDTI5MDYwMzE5 +MTA1NVowETEPMA0GA1UEAwwGVGVzdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAtNcFPtD1MHcolhgTHIAx/b9OyawCbVzvgasv8R9+94ZMhoGc/tNc +dVg271pCSmj+zYAFYsIwjxW+iq2e5A/fiBc6uqtNfEbU7+77QzxFG5wIbXtmmqEb +dVbqBT28NeKTR6X+EHlNgbw90CHy7byA7LMewxbTt2q1eY1RnB0ji8zdGZmIUPeC +WxzkxXEd0fg+KwBFN3YHV9CJX2KJ10qv7DvbKHeIVBU7osm6tzvNglNnnT90GFSY +zc59b+zS00axcY3Kn08Vt+1qWB9Sl8tixCTGqR538y/ambDr3NCWsiQYWys9KE1L +g0nEaIjb84R7b+qNmPtOezd9tanx7j9UzQIDAQABo4GLMIGIMB0GA1UdDgQWBBTF +zPWhjNnkp7rsIfXRhCPqDcLHMDBMBgNVHSMERTBDgBTFzPWhjNnkp7rsIfXRhCPq +DcLHMKEVpBMwETEPMA0GA1UEAwwGVGVzdENBghQz5wSHCTKHIdnNfKpMWrssbHtU +KDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEA +gdyQq6F8DO5rn7rZSLehTFx6tbtfncC/BOXZEGLZO0ciTrQ9Q8xHwRhz0W09QE1A +/GsBzb++PuvAl9i82WvunyPB5KZh+GPiaaqf466MdQrXj+IyqxeC9Lg9wEUjwRgp +ANVd3moKap5IZ9WDvhyEng2Oy8/btP2iqVEmd58rGAodd671eOPD8QkIxSquiIwy +Cu5s3IBZ0BOuSG9fWoyPTGMKAhzQPFiXGvWOabCkMz3TsPYVY5ENpq2K8cWn2D/r +TD1yPPdINg6HrALGD3S0sD+k588oS7U5oj1L8V4KJQTLSbh6/XcBpasa5Jdv7ZZe +lVgt69Gsn5Cf2BkbwhbF2Q== +-----END CERTIFICATE----- diff --git a/openssl/test/subca.crt b/openssl/test/subca.crt new file mode 100644 index 0000000000..a0a8ab2390 --- /dev/null +++ b/openssl/test/subca.crt @@ -0,0 +1,88 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 13:ae:da:d8:f4:18:d7:73:b8:bd:35:c9:ce:8e:b3:fc + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=TestCA + Validity + Not Before: Jun 6 19:11:19 2019 GMT + Not After : May 21 19:11:19 2022 GMT + Subject: CN=SubCA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b0:09:fc:54:e7:6a:9f:0c:bd:ad:5a:8d:ef:94: + 4e:11:a6:87:19:4f:bf:a6:e1:62:a5:2d:b7:17:df: + 67:53:70:da:fe:7d:99:17:ee:13:47:0b:40:0b:a2: + 34:32:a9:d3:bf:20:fc:13:77:a1:d5:26:60:1f:f0: + d4:be:dc:76:7c:1e:6c:b4:4c:01:7c:56:cd:5c:53: + ec:81:b3:81:2a:b2:35:26:06:5a:79:e0:b3:9e:e4: + 57:e1:09:de:ad:7f:c8:cd:87:ee:49:93:30:52:58: + b2:bc:0f:c1:b6:10:44:f8:85:d5:5b:0a:9b:28:fe: + f4:f4:4a:16:a6:f7:25:e9:96:47:69:73:5b:33:77: + 92:7d:61:8d:2a:3d:d5:04:89:40:bf:6b:d2:fd:5d: + e2:1a:80:a9:8e:c8:92:f6:e5:4c:00:84:f9:6e:2a: + 93:a3:23:ee:28:23:81:f4:54:f0:18:2c:ee:32:8e: + 38:9c:a0:c8:33:04:b0:fc:4c:43:1a:5c:04:84:9f: + 73:c6:08:c7:1d:64:39:fe:72:19:3b:cc:a5:fd:0b: + 43:25:0d:2b:a9:88:77:9e:62:e6:ac:c2:9a:60:42: + 4f:4a:54:47:bc:a0:29:72:7c:38:52:c9:ea:27:c5: + 3d:d0:81:4a:3e:b8:78:79:4b:89:b8:4e:6d:1b:24: + 15:bd + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 CRL Distribution Points: + + Full Name: + URI:http://127.0.0.1:8081/pki/test.crl + + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + FD:82:45:39:A1:91:41:F2:66:CC:0D:75:D5:0D:40:D5:81:A7:A1:43 + X509v3 Authority Key Identifier: + keyid:C5:CC:F5:A1:8C:D9:E4:A7:BA:EC:21:F5:D1:84:23:EA:0D:C2:C7:30 + DirName:/CN=TestCA + serial:33:E7:04:87:09:32:87:21:D9:CD:7C:AA:4C:5A:BB:2C:6C:7B:54:28 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Signature Algorithm: sha256WithRSAEncryption + 96:a0:ff:8a:4b:bd:45:96:c9:72:3c:63:e3:48:c4:ab:ef:7e: + db:76:3f:d9:02:9e:69:c8:d9:36:55:e1:f5:9b:c9:69:d8:69: + 02:ac:50:8c:60:94:2c:2e:b9:a8:65:ac:f5:00:b0:8b:96:25: + 0b:8a:ef:94:21:57:e2:04:c2:c3:86:bf:06:4e:91:5c:e6:bc: + 1b:03:31:8b:64:ea:c5:79:c3:5c:94:e5:aa:67:7e:74:12:07: + 14:fd:cd:32:02:26:26:c9:0a:ed:d4:da:ee:2a:84:e3:f1:60: + b3:09:77:27:a1:3c:ac:ec:61:18:30:b5:6d:1f:16:0a:24:1a: + cf:1c:1b:60:a5:60:e5:2c:8b:cf:37:83:0c:15:e7:79:30:3f: + ee:50:45:7c:4b:c6:2c:cd:2c:81:0a:98:f1:65:44:7a:ca:2a: + 20:1a:de:19:d9:4b:ca:a1:e2:a4:b5:14:47:bf:b4:68:15:03: + c0:55:e5:f4:47:0e:55:9f:fe:85:d8:2c:7d:d0:1a:96:11:b9: + 68:b7:74:1e:61:94:c1:ae:87:52:2d:c6:26:ba:51:ed:f1:91: + c0:e6:4c:f8:ad:02:23:75:51:fc:f8:69:05:ec:cf:31:50:5a: + 41:78:eb:3d:27:4d:9b:68:ef:ba:0e:ba:3a:7d:60:00:9d:53: + a5:08:3d:c6 +-----BEGIN CERTIFICATE----- +MIIDbDCCAlSgAwIBAgIQE67a2PQY13O4vTXJzo6z/DANBgkqhkiG9w0BAQsFADAR +MQ8wDQYDVQQDDAZUZXN0Q0EwHhcNMTkwNjA2MTkxMTE5WhcNMjIwNTIxMTkxMTE5 +WjAQMQ4wDAYDVQQDDAVTdWJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALAJ/FTnap8Mva1aje+UThGmhxlPv6bhYqUttxffZ1Nw2v59mRfuE0cLQAui +NDKp078g/BN3odUmYB/w1L7cdnwebLRMAXxWzVxT7IGzgSqyNSYGWnngs57kV+EJ +3q1/yM2H7kmTMFJYsrwPwbYQRPiF1VsKmyj+9PRKFqb3JemWR2lzWzN3kn1hjSo9 +1QSJQL9r0v1d4hqAqY7IkvblTACE+W4qk6Mj7igjgfRU8Bgs7jKOOJygyDMEsPxM +QxpcBISfc8YIxx1kOf5yGTvMpf0LQyUNK6mId55i5qzCmmBCT0pUR7ygKXJ8OFLJ +6ifFPdCBSj64eHlLibhObRskFb0CAwEAAaOBwDCBvTAzBgNVHR8ELDAqMCigJqAk +hiJodHRwOi8vMTI3LjAuMC4xOjgwODEvcGtpL3Rlc3QuY3JsMAwGA1UdEwQFMAMB +Af8wHQYDVR0OBBYEFP2CRTmhkUHyZswNddUNQNWBp6FDMEwGA1UdIwRFMEOAFMXM +9aGM2eSnuuwh9dGEI+oNwscwoRWkEzARMQ8wDQYDVQQDDAZUZXN0Q0GCFDPnBIcJ +Moch2c18qkxauyxse1QoMAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEA +lqD/iku9RZbJcjxj40jEq+9+23Y/2QKeacjZNlXh9ZvJadhpAqxQjGCULC65qGWs +9QCwi5YlC4rvlCFX4gTCw4a/Bk6RXOa8GwMxi2TqxXnDXJTlqmd+dBIHFP3NMgIm +JskK7dTa7iqE4/Fgswl3J6E8rOxhGDC1bR8WCiQazxwbYKVg5SyLzzeDDBXneTA/ +7lBFfEvGLM0sgQqY8WVEesoqIBreGdlLyqHipLUUR7+0aBUDwFXl9EcOVZ/+hdgs +fdAalhG5aLd0HmGUwa6HUi3GJrpR7fGRwOZM+K0CI3VR/PhpBezPMVBaQXjrPSdN +m2jvug66On1gAJ1TpQg9xg== +-----END CERTIFICATE----- diff --git a/openssl/test/test.crl b/openssl/test/test.crl new file mode 100644 index 0000000000000000000000000000000000000000..aead062c4d3945d2569eb9bca682f99801ec1af0 GIT binary patch literal 469 zcmXqLV!UY3xQmIA(SVnYQ>)FR?K>|cBR4C9fuJEjP>4B{g_(yfB(=E2*-@O=(9*!n z(7@2l)YQNt3dA)uGBAg74U`QOnFNH_-MaBb;(GCpy{0G6^=rZigUHb{Ul;b=e6oDk8^x~|Ta;h%9y)HYP;`kf7VDctjGwc#a~icP z-aK2g$|q{KPEK`*2AZ>(n;01x>e!C^`8Tb)ukIM*+bnQiGzTdng_%WuD6JikZ0Rp7+RNeg7o#!S^{ z5b$3;d(-X3wpCX`=I)G}%$BrRSl=#uiI(m8V(!m;yR_72Tr*m|H^_N{UTp~5J+0ZI zN%Q6%ZU|NH`+hL=T$r}ihd+;Rcgt;;H_LsxUFMR4;L7*xyC&Cdz2p4w>+J>4-`#7j z4qVjB&0xRCOYqCKzJCuj_o+>YQgTIF`ZcmsjHR)eyQu-Q8+0?ih_t#C{6sQXT0k^t> literal 0 HcmV?d00001 From 1645c32f1869d272324fee13ee121be16f837737 Mon Sep 17 00:00:00 2001 From: Josh Robson Chase Date: Tue, 11 Jun 2019 09:39:05 -0400 Subject: [PATCH 004/341] Return a borrowed stack and expose the `removeFromCrl` status --- openssl/src/x509/mod.rs | 62 +++++++++++++++++++++++++++++---------- openssl/src/x509/tests.rs | 7 +++-- 2 files changed, 51 insertions(+), 18 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index ec7e8909d3..9011cef293 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1363,6 +1363,23 @@ foreign_type_and_impl_send_sync! { pub struct X509CrlRef; } +/// The status of a certificate in a revoction list +/// +/// Corresponds to the return value from the [`X509_CRL_get0_by_*`] methods. +/// +/// [`X509_CRL_get0_by_*`]: https://www.openssl.org/docs/man1.1.0/man3/X509_CRL_get0_by_serial.html +pub enum CrlStatus<'a> { + /// The certificate is not present in the list + NotRevoked, + /// The certificate is in the list and is revoked + Revoked(&'a X509RevokedRef), + /// The certificate is in the list, but has the "removeFromCrl" status. + /// + /// This can occur if the certificate was revoked with the "CertificateHold" + /// reason, and has since been unrevoked. + RemoveFromCrl(&'a X509RevokedRef), +} + impl X509Crl { from_pem! { /// Deserializes a PEM-encoded Certificate Revocation List @@ -1413,13 +1430,13 @@ impl X509CrlRef { } /// Get the stack of revocation entries - pub fn get_revoked(&self) -> Option> { + pub fn get_revoked(&self) -> Option<&StackRef> { unsafe { let revoked = X509_CRL_get_REVOKED(self.as_ptr()); if revoked.is_null() { None } else { - Some(Stack::from_ptr(revoked)) + Some(StackRef::from_ptr(revoked)) } } } @@ -1455,20 +1472,36 @@ impl X509CrlRef { } } + // Helper used by the X509_CRL_get0_by_* methods to convert their return value to the status enum + unsafe fn to_crl_status<'a>( + status: c_int, + revoked_entry: *mut ffi::X509_REVOKED, + ) -> CrlStatus<'a> { + match status { + 0 => CrlStatus::NotRevoked, + 1 => { + assert!(!revoked_entry.is_null()); + CrlStatus::Revoked(X509RevokedRef::from_ptr(revoked_entry)) + } + 2 => { + assert!(!revoked_entry.is_null()); + CrlStatus::RemoveFromCrl(X509RevokedRef::from_ptr(revoked_entry)) + } + _ => unreachable!("X509_CRL_get0_by_{{serial,cert}} should only return 0, 1, or 2."), + } + } + /// Get the revocation status of a certificate by its serial number /// /// This corresponds to [`X509_CRL_get0_by_serial`] /// /// [`X509_CRL_get0_by_serial`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_CRL_get0_by_serial.html - pub fn get_by_serial(&self, serial: &Asn1IntegerRef) -> Option<&X509RevokedRef> { + pub fn get_by_serial<'a>(&'a self, serial: &Asn1IntegerRef) -> CrlStatus<'a> { unsafe { let mut ret = ptr::null_mut::(); - ffi::X509_CRL_get0_by_serial(self.as_ptr(), &mut ret as *mut _, serial.as_ptr()); - if ret.is_null() { - None - } else { - Some(X509RevokedRef::from_ptr(ret)) - } + let status = + ffi::X509_CRL_get0_by_serial(self.as_ptr(), &mut ret as *mut _, serial.as_ptr()); + Self::to_crl_status(status, ret) } } @@ -1477,15 +1510,12 @@ impl X509CrlRef { /// This corresponds to [`X509_CRL_get0_by_cert`] /// /// [`X509_CRL_get0_by_cert`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_CRL_get0_by_cert.html - pub fn get_by_cert(&self, cert: &X509) -> Option<&X509RevokedRef> { + pub fn get_by_cert<'a>(&'a self, cert: &X509) -> CrlStatus<'a> { unsafe { let mut ret = ptr::null_mut::(); - ffi::X509_CRL_get0_by_cert(self.as_ptr(), &mut ret as *mut _, cert.as_ptr()); - if ret.is_null() { - None - } else { - Some(X509RevokedRef::from_ptr(ret)) - } + let status = + ffi::X509_CRL_get0_by_cert(self.as_ptr(), &mut ret as *mut _, cert.as_ptr()); + Self::to_crl_status(status, ret) } } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index a21169e7f9..ce1f7901a2 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -14,7 +14,7 @@ use crate::x509::store::X509StoreBuilder; use crate::x509::verify::X509VerifyFlags; #[cfg(ossl110)] use crate::x509::X509Builder; -use crate::x509::{X509Crl, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; +use crate::x509::{CrlStatus, X509Crl, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; use hex::{self, FromHex}; fn pkey() -> PKey { @@ -466,7 +466,10 @@ fn test_load_crl() { let cert = include_bytes!("../../test/subca.crt"); let cert = X509::from_pem(cert).unwrap(); - let revoked = crl.get_by_cert(&cert).unwrap(); + let revoked = match crl.get_by_cert(&cert) { + CrlStatus::Revoked(revoked) => revoked, + _ => panic!("cert should be revoked"), + }; assert_eq!( revoked.serial_number().to_bn().unwrap(), From e02d167658a1e5b76de089a4dd67ba90e964382a Mon Sep 17 00:00:00 2001 From: Josh Robson Chase Date: Tue, 13 Apr 2021 10:33:04 -0400 Subject: [PATCH 005/341] Cargo fmt and refactor CrlStatus constructor to appease clippy --- openssl/src/x509/mod.rs | 47 ++++++++++++++++++++++----------------- openssl/src/x509/tests.rs | 4 +++- 2 files changed, 29 insertions(+), 22 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 9011cef293..e1f603563f 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1380,6 +1380,30 @@ pub enum CrlStatus<'a> { RemoveFromCrl(&'a X509RevokedRef), } +impl<'a> CrlStatus<'a> { + // Helper used by the X509_CRL_get0_by_* methods to convert their return + // value to the status enum. + // Safety note: the returned CrlStatus must not outlive the owner of the + // revoked_entry pointer. + unsafe fn from_ffi_status( + status: c_int, + revoked_entry: *mut ffi::X509_REVOKED, + ) -> CrlStatus<'a> { + match status { + 0 => CrlStatus::NotRevoked, + 1 => { + assert!(!revoked_entry.is_null()); + CrlStatus::Revoked(X509RevokedRef::from_ptr(revoked_entry)) + } + 2 => { + assert!(!revoked_entry.is_null()); + CrlStatus::RemoveFromCrl(X509RevokedRef::from_ptr(revoked_entry)) + } + _ => unreachable!("X509_CRL_get0_by_{{serial,cert}} should only return 0, 1, or 2."), + } + } +} + impl X509Crl { from_pem! { /// Deserializes a PEM-encoded Certificate Revocation List @@ -1472,25 +1496,6 @@ impl X509CrlRef { } } - // Helper used by the X509_CRL_get0_by_* methods to convert their return value to the status enum - unsafe fn to_crl_status<'a>( - status: c_int, - revoked_entry: *mut ffi::X509_REVOKED, - ) -> CrlStatus<'a> { - match status { - 0 => CrlStatus::NotRevoked, - 1 => { - assert!(!revoked_entry.is_null()); - CrlStatus::Revoked(X509RevokedRef::from_ptr(revoked_entry)) - } - 2 => { - assert!(!revoked_entry.is_null()); - CrlStatus::RemoveFromCrl(X509RevokedRef::from_ptr(revoked_entry)) - } - _ => unreachable!("X509_CRL_get0_by_{{serial,cert}} should only return 0, 1, or 2."), - } - } - /// Get the revocation status of a certificate by its serial number /// /// This corresponds to [`X509_CRL_get0_by_serial`] @@ -1501,7 +1506,7 @@ impl X509CrlRef { let mut ret = ptr::null_mut::(); let status = ffi::X509_CRL_get0_by_serial(self.as_ptr(), &mut ret as *mut _, serial.as_ptr()); - Self::to_crl_status(status, ret) + CrlStatus::from_ffi_status(status, ret) } } @@ -1515,7 +1520,7 @@ impl X509CrlRef { let mut ret = ptr::null_mut::(); let status = ffi::X509_CRL_get0_by_cert(self.as_ptr(), &mut ret as *mut _, cert.as_ptr()); - Self::to_crl_status(status, ret) + CrlStatus::from_ffi_status(status, ret) } } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index ce1f7901a2..2735f47d71 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -14,7 +14,9 @@ use crate::x509::store::X509StoreBuilder; use crate::x509::verify::X509VerifyFlags; #[cfg(ossl110)] use crate::x509::X509Builder; -use crate::x509::{CrlStatus, X509Crl, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; +use crate::x509::{ + CrlStatus, X509Crl, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509, +}; use hex::{self, FromHex}; fn pkey() -> PKey { From 5e93d3001e7bbf983510956f9065c63a8d4dc625 Mon Sep 17 00:00:00 2001 From: David Drysdale Date: Sun, 16 Oct 2022 07:14:02 +0100 Subject: [PATCH 006/341] Bump bindgen dep to 0.60.1 --- Cargo.toml | 3 --- openssl-sys/Cargo.toml | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 63e983aef2..c33c3475a7 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -6,6 +6,3 @@ members = [ "openssl-sys", "systest", ] - -[patch.crates-io] -bindgen = { git = "https://github.com/daviddrysdale/rust-bindgen", branch = "allowlist-file" } diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 62cc6428ed..ede3a73611 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -22,7 +22,7 @@ libc = "0.2" bssl-sys = { version = "0.1.0", optional = true } [build-dependencies] -bindgen = { version = "0.59.2", optional = true } +bindgen = { version = "0.60.1", optional = true } cc = "1.0" openssl-src = { version = "111", optional = true } pkg-config = "0.3.9" From fc66d184873fd0c13dc2a202f3697177f4081ebc Mon Sep 17 00:00:00 2001 From: Kian-Meng Ang Date: Mon, 17 Oct 2022 00:09:28 +0800 Subject: [PATCH 007/341] Update deprecated link to official doc See https://github.com/sfackler/rust-openssl/commit/d2cc0eae2d2373c9372c77f7eb7a80e7c16986f2 --- openssl-sys/build/main.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index a8911e7b14..c2aceeec84 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -202,9 +202,9 @@ specific to your distribution: # On Alpine Linux apk add openssl-dev -See rust-openssl README for more information: +See rust-openssl documentation for more information: - https://github.com/sfackler/rust-openssl#linux + https://docs.rs/openssl ", e ); From eacc52cc1fc54e6db51cc382f071fb07b380aaf7 Mon Sep 17 00:00:00 2001 From: Niklas Hallqvist Date: Mon, 26 Sep 2022 16:19:20 +0200 Subject: [PATCH 008/341] Recognize LibreSSL 3.6 --- openssl-sys/build/main.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index c2aceeec84..e0b5045484 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -280,6 +280,7 @@ See rust-openssl documentation for more information: (3, 4, 0) => ('3', '4', '0'), (3, 4, _) => ('3', '4', 'x'), (3, 5, _) => ('3', '5', 'x'), + (3, 6, _) => ('3', '6', 'x'), _ => version_error(), }; @@ -322,7 +323,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.5, but a different version of OpenSSL was found. The build is now aborting +through 3.6, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " From 6e4df6981b3814fee5a83ddd8f667815c5b3165e Mon Sep 17 00:00:00 2001 From: Niklas Hallqvist Date: Thu, 13 Oct 2022 19:43:34 +0200 Subject: [PATCH 009/341] Add LibreSSL 3.6 to the mix --- .github/workflows/ci.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index decfe7200b..8c6bf17850 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -201,6 +201,11 @@ jobs: library: name: libressl version: 3.5.2 + - target: x86_64-unknown-linux-gnu + bindgen: false + library: + name: libressl + version: 3.6.0 exclude: - library: name: boringssl From 99dade1334c4d652f4ee6c487f8c2255369947db Mon Sep 17 00:00:00 2001 From: Niklas Hallqvist Date: Mon, 17 Oct 2022 11:29:35 +0200 Subject: [PATCH 010/341] Latest LibreSSL on the 3.5.x branch is 3.5.3 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8c6bf17850..1df2603793 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -200,7 +200,7 @@ jobs: bindgen: false library: name: libressl - version: 3.5.2 + version: 3.5.3 - target: x86_64-unknown-linux-gnu bindgen: false library: From 62cd28ef9a8726c2710305c41367d0f6d96fd2fd Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Mon, 17 Oct 2022 20:14:54 -0400 Subject: [PATCH 011/341] CI: update bindgen-enabled LibreSSL targets too --- .github/workflows/ci.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1df2603793..e8e8aa4f6d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -185,7 +185,12 @@ jobs: bindgen: true library: name: libressl - version: 3.5.2 + version: 3.5.3 + - target: x86_64-unknown-linux-gnu + bindgen: true + library: + name: libressl + version: 3.6.0 - target: x86_64-unknown-linux-gnu bindgen: false library: From 85de37e6fe5a87bbe428c0bb80fbb028c0d9b7dd Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Mon, 17 Oct 2022 20:15:45 -0400 Subject: [PATCH 012/341] Limit max LibreSSL to 3.6.0, as the 3.6 series is still in development --- openssl-sys/build/main.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index e0b5045484..2ca53c9771 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -280,7 +280,7 @@ See rust-openssl documentation for more information: (3, 4, 0) => ('3', '4', '0'), (3, 4, _) => ('3', '4', 'x'), (3, 5, _) => ('3', '5', 'x'), - (3, 6, _) => ('3', '6', 'x'), + (3, 6, 0) => ('3', '6', '0'), _ => version_error(), }; @@ -323,7 +323,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.6, but a different version of OpenSSL was found. The build is now aborting +through 3.6.0, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " From 213de3ce72f47a2b8278626c6cb5a4cc7f800d29 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Mon, 17 Oct 2022 20:41:23 -0400 Subject: [PATCH 013/341] Ignore two PKCS#7 tests on LibreSSL 3.6.0 only, re-enable for 3.6.1 --- openssl/build.rs | 8 ++++++++ openssl/src/pkcs7.rs | 4 ++++ 2 files changed, 12 insertions(+) diff --git a/openssl/build.rs b/openssl/build.rs index 81bae9d9bf..fc6492292c 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -94,5 +94,13 @@ fn main() { if version >= 0x3_05_00_00_0 { println!("cargo:rustc-cfg=libressl350"); } + + if version >= 0x3_06_00_00_0 { + println!("cargo:rustc-cfg=libressl360"); + } + + if version >= 0x3_06_01_00_0 { + println!("cargo:rustc-cfg=libressl361"); + } } } diff --git a/openssl/src/pkcs7.rs b/openssl/src/pkcs7.rs index e1b30f9289..ae4571db85 100644 --- a/openssl/src/pkcs7.rs +++ b/openssl/src/pkcs7.rs @@ -361,7 +361,9 @@ mod tests { assert_eq!(content.expect("should be non-empty"), message.as_bytes()); } + /// https://marc.info/?l=openbsd-cvs&m=166602943014106&w=2 #[test] + #[cfg_attr(all(libressl360, not(libressl361)), ignore)] fn sign_verify_test_normal() { let cert = include_bytes!("../test/cert.pem"); let cert = X509::from_pem(cert).unwrap(); @@ -397,7 +399,9 @@ mod tests { assert!(content.is_none()); } + /// https://marc.info/?l=openbsd-cvs&m=166602943014106&w=2 #[test] + #[cfg_attr(all(libressl360, not(libressl361)), ignore)] fn signers() { let cert = include_bytes!("../test/cert.pem"); let cert = X509::from_pem(cert).unwrap(); From 6e5551a1dee41a5745440afeef8f40b028b872e1 Mon Sep 17 00:00:00 2001 From: Robert Masen Date: Tue, 18 Oct 2022 15:42:47 -0500 Subject: [PATCH 014/341] add assume_init fn to openssl_sys --- openssl-sys/src/lib.rs | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 1d36a104fe..0d6676827e 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -85,6 +85,10 @@ mod openssl { mod x509_vfy; mod x509v3; + use std::sync::Once; + // explicitly initialize to work around https://github.com/openssl/openssl/issues/3505 + static INIT: Once = Once::new(); + // FIXME remove pub type PasswordCallback = unsafe extern "C" fn( buf: *mut c_char, @@ -96,10 +100,6 @@ mod openssl { #[cfg(ossl110)] pub fn init() { use std::ptr; - use std::sync::Once; - - // explicitly initialize to work around https://github.com/openssl/openssl/issues/3505 - static INIT: Once = Once::new(); #[cfg(not(ossl111b))] let init_options = OPENSSL_INIT_LOAD_SSL_STRINGS; @@ -116,7 +116,7 @@ mod openssl { use std::io::{self, Write}; use std::mem; use std::process; - use std::sync::{Mutex, MutexGuard, Once}; + use std::sync::{Mutex, MutexGuard}; static mut MUTEXES: *mut Vec> = 0 as *mut Vec>; static mut GUARDS: *mut Vec>> = @@ -160,8 +160,6 @@ mod openssl { } } - static INIT: Once = Once::new(); - INIT.call_once(|| unsafe { SSL_library_init(); SSL_load_error_strings(); @@ -181,6 +179,19 @@ mod openssl { set_id_callback(); }) } + + /// Disable explicit initialization of the openssl libs. + /// + /// This is only appropriate to use if the openssl crate is being consumed by an application + /// that will be performing the initialization explicitly. + /// + /// # Safety + /// + /// In some versions of openssl, skipping initialization will fall back to the default procedure + /// while other will cause difficult to debug errors so care must be taken when calling this. + pub unsafe fn assume_init() { + INIT.call_once(|| {}); + } } #[cfg(openssl)] pub use openssl::*; From 56ef65a7ba8bcd78a6540d7cc7db2d918d537714 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Fri, 21 Oct 2022 00:27:28 -0400 Subject: [PATCH 015/341] CI: remove EOLed LibreSSL 3.4 --- .github/workflows/ci.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e8e8aa4f6d..46a625fc8e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -176,11 +176,6 @@ jobs: library: name: libressl version: 2.5.5 - - target: x86_64-unknown-linux-gnu - bindgen: true - library: - name: libressl - version: 3.4.3 - target: x86_64-unknown-linux-gnu bindgen: true library: @@ -196,11 +191,6 @@ jobs: library: name: libressl version: 2.5.5 - - target: x86_64-unknown-linux-gnu - bindgen: false - library: - name: libressl - version: 3.4.3 - target: x86_64-unknown-linux-gnu bindgen: false library: From f0c642575064bb9bae2772913f3a00fd1d71393b Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 22 Oct 2022 09:12:34 -0400 Subject: [PATCH 016/341] Remove boringssl master builds --- .github/workflows/ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 46a625fc8e..d67ad1bf2a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -149,8 +149,6 @@ jobs: - true - false library: - - name: boringssl - version: master - name: boringssl version: 5697a9202615925696f8dc7f4e286d44d474769e - name: openssl From bbdcaf7c69b66683b34c13f75eaa634e8710efcf Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 22 Oct 2022 09:30:59 -0400 Subject: [PATCH 017/341] Release openssl-sys v0.9.77 --- openssl-sys/CHANGELOG.md | 7 +++++++ openssl-sys/Cargo.toml | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 6c53d813ee..bcbb5ec937 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,13 @@ ## [Unreleased] +## [v0.9.77] - 2022-10-22 + +### Added + +* Added support for LibreSSL 3.6.0 +* Added `assume_init`. + ## [v0.9.76] - 2022-09-26 ### Added diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index ede3a73611..7c6ab832d6 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.76" +version = "0.9.77" authors = [ "Alex Crichton ", "Steven Fackler ", From bc8506dfe7da788c928d82e1ce08bbfe77330658 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Tue, 25 Oct 2022 09:58:23 +0200 Subject: [PATCH 018/341] Fix reference to `Self::cipher_final` in docs This patch changes the position of backtick and square brackets so that the reference is rendered as a link in generated documentation. --- openssl/src/cipher_ctx.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 46492566f9..8e017115b1 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -407,7 +407,7 @@ impl CipherCtxRef { /// Retrieves the calculated authentication tag from the context. /// - /// This should be called after `[Self::cipher_final]`, and is only supported by authenticated ciphers. + /// This should be called after [`Self::cipher_final`], and is only supported by authenticated ciphers. /// /// The size of the buffer indicates the size of the tag. While some ciphers support a range of tag sizes, it is /// recommended to pick the maximum size. From b82aae328f56ecf77e3d5a17fadbea27b214b643 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Thu, 27 Oct 2022 12:53:14 +0200 Subject: [PATCH 019/341] Add NID constants for Brainpool curves Brainpool curves are used by European government organizations that are suspicious of the NIST curves. Brainpool curves are very similar to NIST curves with one critical difference: the parameters to Brainpool are nothing-up-my-sleeve numbers [0]. The actual values of the NID constants have been taken from the OpenSSL source code [1]. [0]: https://github.com/veorq/numsgen#seeds [1]: https://github.com/openssl/openssl/blob/4e6647506331fc3b3ef5b23e5dbe188279ddd575/include/openssl/obj_mac.h#L4759 --- openssl-sys/src/obj_mac.rs | 6 ++++++ openssl/src/nid.rs | 6 ++++++ systest/build.rs | 1 + 3 files changed, 13 insertions(+) diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 6237afa6c8..ed50ebcc5f 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -94,6 +94,12 @@ pub const NID_sect409k1: c_int = 731; pub const NID_sect409r1: c_int = 732; pub const NID_sect571k1: c_int = 733; pub const NID_sect571r1: c_int = 734; +#[cfg(ossl110)] +pub const NID_brainpoolP256r1: c_int = 927; +#[cfg(ossl110)] +pub const NID_brainpoolP384r1: c_int = 931; +#[cfg(ossl110)] +pub const NID_brainpoolP512r1: c_int = 933; pub const NID_wap_wsg_idm_ecid_wtls1: c_int = 735; pub const NID_wap_wsg_idm_ecid_wtls3: c_int = 736; pub const NID_wap_wsg_idm_ecid_wtls4: c_int = 737; diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index 355bba10ee..eadae31653 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -215,6 +215,12 @@ impl Nid { pub const SECT409R1: Nid = Nid(ffi::NID_sect409r1); pub const SECT571K1: Nid = Nid(ffi::NID_sect571k1); pub const SECT571R1: Nid = Nid(ffi::NID_sect571r1); + #[cfg(ossl110)] + pub const BRAINPOOL_P256R1: Nid = Nid(ffi::NID_brainpoolP256r1); + #[cfg(ossl110)] + pub const BRAINPOOL_P384R1: Nid = Nid(ffi::NID_brainpoolP384r1); + #[cfg(ossl110)] + pub const BRAINPOOL_P512R1: Nid = Nid(ffi::NID_brainpoolP512r1); pub const WAP_WSG_IDM_ECID_WTLS1: Nid = Nid(ffi::NID_wap_wsg_idm_ecid_wtls1); pub const WAP_WSG_IDM_ECID_WTLS3: Nid = Nid(ffi::NID_wap_wsg_idm_ecid_wtls3); pub const WAP_WSG_IDM_ECID_WTLS4: Nid = Nid(ffi::NID_wap_wsg_idm_ecid_wtls4); diff --git a/systest/build.rs b/systest/build.rs index 2618a05b97..e54438114b 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -55,6 +55,7 @@ fn main() { .header("openssl/x509v3.h") .header("openssl/safestack.h") .header("openssl/hmac.h") + .header("openssl/obj_mac.h") .header("openssl/ssl.h") .header("openssl/err.h") .header("openssl/rand.h") From 74f83c941e50bb765b024a7f2829761b77bf7ea7 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Thu, 27 Oct 2022 10:41:08 +0200 Subject: [PATCH 020/341] Add `BigNum::copy_from_slice` Unfortunately `BigNum::from_slice` always creates a new BigNum and cannot be used to initialize an already existing BigNum thus it is not possible to have a secure BigNum initialized from a slice. This patch adds the function for overwriting existing BigNum with given slice bytes. Thus the BigNum can be created using `BigNum::new_secure` and then overwritten using `BigNum::copy_from_slice`. --- openssl/src/bn.rs | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index 5de7f7cb38..d98fec4d0b 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -1080,6 +1080,30 @@ impl BigNum { .map(|p| BigNum::from_ptr(p)) } } + + /// Copies data from a slice overwriting what was in the BigNum. + /// + /// This function can be used to copy data from a slice to a + /// [secure BigNum][`BigNum::new_secure`]. + /// + /// # Examples + /// + /// ``` + /// # use openssl::bn::BigNum; + /// let mut bignum = BigNum::new().unwrap(); + /// bignum.copy_from_slice(&[0x12, 0x00, 0x34]).unwrap(); + /// + /// assert_eq!(bignum, BigNum::from_u32(0x120034).unwrap()); + /// ``` + #[corresponds(BN_bin2bn)] + pub fn copy_from_slice(&mut self, n: &[u8]) -> Result<(), ErrorStack> { + unsafe { + assert!(n.len() <= LenType::max_value() as usize); + + cvt_p(ffi::BN_bin2bn(n.as_ptr(), n.len() as LenType, self.0))?; + Ok(()) + } + } } impl fmt::Debug for BigNumRef { From e4d30c06bc0fb5abeb122bc78282f0a04060170e Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Mon, 31 Oct 2022 09:50:43 +0100 Subject: [PATCH 021/341] bn: Fix checking against LenType --- openssl/src/bn.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index d98fec4d0b..2619b5ba63 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -1070,7 +1070,7 @@ impl BigNum { pub fn from_slice(n: &[u8]) -> Result { unsafe { ffi::init(); - assert!(n.len() <= c_int::max_value() as usize); + assert!(n.len() <= LenType::max_value() as usize); cvt_p(ffi::BN_bin2bn( n.as_ptr(), From 78a5fde6ee5b23b8eb0c1cf815489b855c2141a9 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Tue, 1 Nov 2022 14:39:43 -0400 Subject: [PATCH 022/341] CI: update LibreSSL 3.6 to 3.6.1 --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d67ad1bf2a..9090ca194d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -183,7 +183,7 @@ jobs: bindgen: true library: name: libressl - version: 3.6.0 + version: 3.6.1 - target: x86_64-unknown-linux-gnu bindgen: false library: @@ -198,7 +198,7 @@ jobs: bindgen: false library: name: libressl - version: 3.6.0 + version: 3.6.1 exclude: - library: name: boringssl From 0d2b5f924e94c608a83132c21f81186b9ac6ea29 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Tue, 1 Nov 2022 14:40:37 -0400 Subject: [PATCH 023/341] Allow LibreSSL 3.6.x, as 3.6.1 is declared stable --- openssl-sys/build/main.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 2ca53c9771..71b36c2309 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -281,6 +281,7 @@ See rust-openssl documentation for more information: (3, 4, _) => ('3', '4', 'x'), (3, 5, _) => ('3', '5', 'x'), (3, 6, 0) => ('3', '6', '0'), + (3, 6, _) => ('3', '6', 'x'), _ => version_error(), }; @@ -323,7 +324,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.6.0, but a different version of OpenSSL was found. The build is now aborting +through 3.6.x, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " From 7e7ce09be31dd44ae81ac12ede59f238701342d1 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Fri, 28 Oct 2022 11:45:56 +0200 Subject: [PATCH 024/341] Expose Camellia, CAST5 and IDEA ciphers All of them are used in the OpenPGP specification for symmetric ciphers [0]. IDEA and CAST5 may be old but they are provided for users for decryption of archive data. Camellia is used in the new version of the OpenPGP specification as an alternative to AES. [0]: https://openpgp-wg.gitlab.io/rfc4880bis/#name-symmetric-key-algorithms --- openssl-sys/build/expando.c | 8 +++++ openssl-sys/src/handwritten/evp.rs | 23 ++++++++++++++ openssl/src/cipher.rs | 50 ++++++++++++++++++++++++++++++ 3 files changed, 81 insertions(+) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index c150dcd51f..2ec63ec046 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -27,6 +27,14 @@ RUST_CONF_OPENSSL_NO_BUF_FREELISTS RUST_CONF_OPENSSL_NO_CHACHA #endif +#ifdef OPENSSL_NO_IDEA +RUST_CONF_OPENSSL_NO_IDEA +#endif + +#ifdef OPENSSL_NO_CAMELLIA +RUST_CONF_OPENSSL_NO_CAMELLIA +#endif + #ifdef OPENSSL_NO_CMS RUST_CONF_OPENSSL_NO_CMS #endif diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 86487e13bb..ffb0a0819d 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -364,6 +364,29 @@ extern "C" { #[cfg(all(any(ossl111, libressl291), not(osslconf = "OPENSSL_NO_SM4")))] pub fn EVP_sm4_ctr() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_128_cfb128() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_128_ecb() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_192_cfb128() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_192_ecb() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_256_cfb128() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_256_ecb() -> *const EVP_CIPHER; + + #[cfg(not(boringssl))] + pub fn EVP_cast5_cfb64() -> *const EVP_CIPHER; + #[cfg(not(boringssl))] + pub fn EVP_cast5_ecb() -> *const EVP_CIPHER; + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + pub fn EVP_idea_cfb64() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + pub fn EVP_idea_ecb() -> *const EVP_CIPHER; + #[cfg(not(ossl110))] pub fn OPENSSL_add_all_algorithms_noconf(); diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index 0e5d85dd15..ab5f49d22f 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -328,6 +328,56 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_rc4() as *mut _) } } + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia128_cfb128() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_camellia_128_cfb128() as *mut _) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia128_ecb() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_camellia_128_ecb() as *mut _) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia192_cfb128() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_camellia_192_cfb128() as *mut _) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia192_ecb() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_camellia_192_ecb() as *mut _) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia256_cfb128() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_camellia_256_cfb128() as *mut _) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia256_ecb() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_camellia_256_ecb() as *mut _) } + } + + #[cfg(not(boringssl))] + pub fn cast5_cfb64() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_cast5_cfb64() as *mut _) } + } + + #[cfg(not(boringssl))] + pub fn cast5_ecb() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_cast5_ecb() as *mut _) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + pub fn idea_cfb64() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_idea_cfb64() as *mut _) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + pub fn idea_ecb() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_idea_ecb() as *mut _) } + } + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn chacha20() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_chacha20() as *mut _) } From cca9c7bb59ee0b1bace15d622a179be9e194d9c0 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Wed, 19 Oct 2022 11:36:15 +0200 Subject: [PATCH 025/341] Add openssl::dsa::DsaSig Adds safe interface for parsing and constructing DSA signatures and their components: `r` and `s`. --- openssl-sys/src/handwritten/dsa.rs | 27 ++++ openssl/src/dsa.rs | 194 +++++++++++++++++++++++++++++ 2 files changed, 221 insertions(+) diff --git a/openssl-sys/src/handwritten/dsa.rs b/openssl-sys/src/handwritten/dsa.rs index 604c68f032..c676c6b0ad 100644 --- a/openssl-sys/src/handwritten/dsa.rs +++ b/openssl-sys/src/handwritten/dsa.rs @@ -2,6 +2,18 @@ use libc::*; use *; +cfg_if! { + if #[cfg(any(ossl110, libressl280))] { + pub enum DSA_SIG {} + } else { + #[repr(C)] + pub struct DSA_SIG { + pub r: *mut BIGNUM, + pub s: *mut BIGNUM, + } + } +} + extern "C" { pub fn DSA_new() -> *mut DSA; pub fn DSA_free(dsa: *mut DSA); @@ -55,4 +67,19 @@ extern "C" { pub fn DSA_get0_key(d: *const DSA, pub_key: *mut *const BIGNUM, priv_key: *mut *const BIGNUM); #[cfg(any(ossl110, libressl273))] pub fn DSA_set0_key(d: *mut DSA, pub_key: *mut BIGNUM, priv_key: *mut BIGNUM) -> c_int; + pub fn d2i_DSA_SIG( + sig: *mut *mut DSA_SIG, + pp: *mut *const c_uchar, + length: c_long, + ) -> *mut DSA_SIG; + pub fn i2d_DSA_SIG(a: *const DSA_SIG, pp: *mut *mut c_uchar) -> c_int; + + pub fn DSA_SIG_new() -> *mut DSA_SIG; + pub fn DSA_SIG_free(sig: *mut DSA_SIG); + + #[cfg(any(ossl110, libressl273))] + pub fn DSA_SIG_get0(sig: *const DSA_SIG, pr: *mut *const BIGNUM, ps: *mut *const BIGNUM); + + #[cfg(any(ossl110, libressl273))] + pub fn DSA_SIG_set0(sig: *mut DSA_SIG, pr: *mut BIGNUM, ps: *mut BIGNUM) -> c_int; } diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index 78fa1c25dc..5f59ba8acd 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -344,6 +344,159 @@ cfg_if! { } } +foreign_type_and_impl_send_sync! { + type CType = ffi::DSA_SIG; + fn drop = ffi::DSA_SIG_free; + + /// Object representing DSA signature. + /// + /// DSA signatures consist of two components: `r` and `s`. + /// + /// # Examples + /// + /// ``` + /// use std::convert::TryInto; + /// + /// use openssl::bn::BigNum; + /// use openssl::dsa::{Dsa, DsaSig}; + /// use openssl::hash::MessageDigest; + /// use openssl::pkey::PKey; + /// use openssl::sign::{Signer, Verifier}; + /// + /// const TEST_DATA: &[u8] = &[0, 1, 2, 3, 4, 5, 6, 7, 8, 9]; + /// let dsa_ref = Dsa::generate(1024).unwrap(); + /// + /// let pub_key: PKey<_> = dsa_ref.clone().try_into().unwrap(); + /// let priv_key: PKey<_> = dsa_ref.try_into().unwrap(); + /// + /// let mut signer = if let Ok(signer) = Signer::new(MessageDigest::sha256(), &priv_key) { + /// signer + /// } else { + /// // DSA signing is not supported (eg. BoringSSL) + /// return; + /// }; + /// + /// signer.update(TEST_DATA).unwrap(); + /// + /// let signature = signer.sign_to_vec().unwrap(); + /// // Parse DER-encoded DSA signature + /// let signature = DsaSig::from_der(&signature).unwrap(); + /// + /// // Extract components `r` and `s` + /// let r = BigNum::from_slice(&signature.r().to_vec()).unwrap(); + /// let s = BigNum::from_slice(&signature.s().to_vec()).unwrap(); + /// + /// // Construct new DSA signature from components + /// let signature = DsaSig::from_private_components(r, s).unwrap(); + /// + /// // Serialize DSA signature to DER + /// let signature = signature.to_der().unwrap(); + /// + /// let mut verifier = Verifier::new(MessageDigest::sha256(), &pub_key).unwrap(); + /// verifier.update(TEST_DATA).unwrap(); + /// assert!(verifier.verify(&signature[..]).unwrap()); + /// ``` + pub struct DsaSig; + + /// Reference to a [`DsaSig`]. + pub struct DsaSigRef; +} + +impl DsaSig { + /// Returns a new `DsaSig` by setting the `r` and `s` values associated with an DSA signature. + #[corresponds(DSA_SIG_set0)] + pub fn from_private_components(r: BigNum, s: BigNum) -> Result { + unsafe { + let sig = cvt_p(ffi::DSA_SIG_new())?; + DSA_SIG_set0(sig, r.as_ptr(), s.as_ptr()); + mem::forget((r, s)); + Ok(DsaSig::from_ptr(sig)) + } + } + + from_der! { + /// Decodes a DER-encoded DSA signature. + #[corresponds(d2i_DSA_SIG)] + from_der, + DsaSig, + ffi::d2i_DSA_SIG + } +} + +impl fmt::Debug for DsaSig { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + f.debug_struct("DsaSig") + .field("r", self.r()) + .field("s", self.s()) + .finish() + } +} + +impl DsaSigRef { + to_der! { + /// Serializes the DSA signature into a DER-encoded `DSASignature` structure. + #[corresponds(i2d_DSA_SIG)] + to_der, + ffi::i2d_DSA_SIG + } + + /// Returns internal component `r` of an `DsaSig`. + #[corresponds(DSA_SIG_get0)] + pub fn r(&self) -> &BigNumRef { + unsafe { + let mut r = ptr::null(); + DSA_SIG_get0(self.as_ptr(), &mut r, ptr::null_mut()); + BigNumRef::from_const_ptr(r) + } + } + + /// Returns internal component `s` of an `DsaSig`. + #[corresponds(DSA_SIG_get0)] + pub fn s(&self) -> &BigNumRef { + unsafe { + let mut s = ptr::null(); + DSA_SIG_get0(self.as_ptr(), ptr::null_mut(), &mut s); + BigNumRef::from_const_ptr(s) + } + } +} + +cfg_if! { + if #[cfg(any(ossl110, libressl273))] { + use ffi::{DSA_SIG_set0, DSA_SIG_get0}; + } else { + #[allow(bad_style)] + unsafe fn DSA_SIG_set0( + sig: *mut ffi::DSA_SIG, + r: *mut ffi::BIGNUM, + s: *mut ffi::BIGNUM, + ) -> c_int { + if r.is_null() || s.is_null() { + return 0; + } + ffi::BN_clear_free((*sig).r); + ffi::BN_clear_free((*sig).s); + (*sig).r = r; + (*sig).s = s; + 1 + } + + #[allow(bad_style)] + unsafe fn DSA_SIG_get0( + sig: *const ffi::DSA_SIG, + pr: *mut *const ffi::BIGNUM, + ps: *mut *const ffi::BIGNUM) + { + if !pr.is_null() { + (*pr) = (*sig).r; + } + if !ps.is_null() { + (*ps) = (*sig).s; + } + } + } +} + #[cfg(test)] mod test { use super::*; @@ -444,10 +597,51 @@ mod test { assert!(verifier.verify(&signature[..]).unwrap()); } + #[test] + #[cfg(not(boringssl))] + fn test_signature_der() { + use std::convert::TryInto; + + const TEST_DATA: &[u8] = &[0, 1, 2, 3, 4, 5, 6, 7, 8, 9]; + let dsa_ref = Dsa::generate(1024).unwrap(); + + let pub_key: PKey<_> = dsa_ref.clone().try_into().unwrap(); + let priv_key: PKey<_> = dsa_ref.try_into().unwrap(); + + let mut signer = Signer::new(MessageDigest::sha256(), &priv_key).unwrap(); + signer.update(TEST_DATA).unwrap(); + + let signature = signer.sign_to_vec().unwrap(); + eprintln!("{:?}", signature); + let signature = DsaSig::from_der(&signature).unwrap(); + + let r = BigNum::from_slice(&signature.r().to_vec()).unwrap(); + let s = BigNum::from_slice(&signature.s().to_vec()).unwrap(); + + let signature = DsaSig::from_private_components(r, s).unwrap(); + let signature = signature.to_der().unwrap(); + + let mut verifier = Verifier::new(MessageDigest::sha256(), &pub_key).unwrap(); + verifier.update(TEST_DATA).unwrap(); + assert!(verifier.verify(&signature[..]).unwrap()); + } + #[test] #[allow(clippy::redundant_clone)] fn clone() { let key = Dsa::generate(2048).unwrap(); drop(key.clone()); } + + #[test] + fn dsa_sig_debug() { + let sig = DsaSig::from_der(&[ + 48, 46, 2, 21, 0, 135, 169, 24, 58, 153, 37, 175, 248, 200, 45, 251, 112, 238, 238, 89, + 172, 177, 182, 166, 237, 2, 21, 0, 159, 146, 151, 237, 187, 8, 82, 115, 14, 183, 103, + 12, 203, 46, 161, 208, 251, 167, 123, 131, + ]) + .unwrap(); + let s = format!("{:?}", sig); + assert_eq!(s, "DsaSig { r: 774484690634577222213819810519929266740561094381, s: 910998676210681457251421818099943952372231273347 }"); + } } From 808b9519c4b923e5f0777723a2f80926b822f61f Mon Sep 17 00:00:00 2001 From: Alex Baker Date: Fri, 30 Sep 2022 13:02:51 -0500 Subject: [PATCH 026/341] Add support for X509_VERIFY_PARAM_set_time and X509_VERIFY_PARAM_set_depth --- openssl-sys/src/handwritten/x509_vfy.rs | 14 +++ openssl/src/x509/store.rs | 9 +- openssl/src/x509/tests.rs | 127 +++++++++++++++++++++++- openssl/src/x509/verify.rs | 27 ++++- openssl/test/intermediate-ca.key | 27 +++++ openssl/test/intermediate-ca.pem | 22 ++++ openssl/test/leaf.pem | 21 ++++ 7 files changed, 243 insertions(+), 4 deletions(-) create mode 100644 openssl/test/intermediate-ca.key create mode 100644 openssl/test/intermediate-ca.pem create mode 100644 openssl/test/leaf.pem diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs index d8768d7c8c..ef2a6aac94 100644 --- a/openssl-sys/src/handwritten/x509_vfy.rs +++ b/openssl-sys/src/handwritten/x509_vfy.rs @@ -47,6 +47,12 @@ extern "C" { pub fn X509_STORE_set_flags(store: *mut X509_STORE, flags: c_ulong) -> c_int; } +const_ptr_api! { + extern "C" { + pub fn X509_STORE_set1_param(store: *mut X509_STORE, pm: #[const_ptr_if(ossl300)] X509_VERIFY_PARAM) -> c_int; + } +} + const_ptr_api! { extern "C" { pub fn X509_STORE_CTX_get_ex_data(ctx: #[const_ptr_if(ossl300)] X509_STORE_CTX, idx: c_int) -> *mut c_void; @@ -73,6 +79,8 @@ cfg_if! { } extern "C" { + #[cfg(any(ossl102, libressl261))] + pub fn X509_VERIFY_PARAM_new() -> *mut X509_VERIFY_PARAM; #[cfg(any(ossl102, libressl261))] pub fn X509_VERIFY_PARAM_free(param: *mut X509_VERIFY_PARAM); @@ -80,6 +88,12 @@ extern "C" { pub fn X509_VERIFY_PARAM_set_flags(param: *mut X509_VERIFY_PARAM, flags: c_ulong) -> c_int; #[cfg(any(ossl102, libressl261))] pub fn X509_VERIFY_PARAM_clear_flags(param: *mut X509_VERIFY_PARAM, flags: c_ulong) -> c_int; + + #[cfg(any(ossl102, libressl261))] + pub fn X509_VERIFY_PARAM_set_time(param: *mut X509_VERIFY_PARAM, t: time_t); + + #[cfg(any(ossl102, libressl261))] + pub fn X509_VERIFY_PARAM_set_depth(param: *mut X509_VERIFY_PARAM, depth: c_int); } const_ptr_api! { extern "C" { diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs index a08d1e2ef9..120d6369a0 100644 --- a/openssl/src/x509/store.rs +++ b/openssl/src/x509/store.rs @@ -50,7 +50,7 @@ use crate::error::ErrorStack; use crate::ssl::SslFiletype; use crate::stack::StackRef; #[cfg(any(ossl102, libressl261))] -use crate::x509::verify::X509VerifyFlags; +use crate::x509::verify::{X509VerifyFlags, X509VerifyParamRef}; use crate::x509::{X509Object, X509}; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; @@ -122,6 +122,13 @@ impl X509StoreBuilderRef { pub fn set_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_STORE_set_flags(self.as_ptr(), flags.bits())).map(|_| ()) } } + + /// Sets certificate chain validation related parameters. + #[corresponds[X509_STORE_set1_param]] + #[cfg(any(ossl102, libressl261))] + pub fn set_param(&mut self, param: &X509VerifyParamRef) -> Result<(), ErrorStack> { + unsafe { cvt(ffi::X509_STORE_set1_param(self.as_ptr(), param.as_ptr())).map(|_| ()) } + } } generic_foreign_type_and_impl_send_sync! { diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index fcca2c7bf1..ace6175017 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -13,11 +13,13 @@ use crate::x509::extension::{ }; use crate::x509::store::X509StoreBuilder; #[cfg(any(ossl102, libressl261))] -use crate::x509::verify::X509VerifyFlags; +use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; #[cfg(ossl110)] use crate::x509::X509Builder; use crate::x509::{X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; use hex::{self, FromHex}; +#[cfg(any(ossl102, libressl261))] +use libc::time_t; fn pkey() -> PKey { let rsa = Rsa::generate(2048).unwrap(); @@ -543,3 +545,126 @@ fn test_name_cmp() { assert_eq!(Ordering::Equal, subject.try_cmp(subject).unwrap()); assert_eq!(Ordering::Greater, subject.try_cmp(issuer).unwrap()); } + +#[test] +#[cfg(any(ossl102, libressl261))] +fn test_verify_param_set_time_fails_verification() { + const TEST_T_2030: time_t = 1893456000; + + let cert = include_bytes!("../../test/cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + let ca = include_bytes!("../../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let chain = Stack::new().unwrap(); + + let mut store_bldr = X509StoreBuilder::new().unwrap(); + store_bldr.add_cert(ca).unwrap(); + let mut verify_params = X509VerifyParam::new().unwrap(); + verify_params.set_time(TEST_T_2030); + store_bldr.set_param(&verify_params).unwrap(); + let store = store_bldr.build(); + + let mut context = X509StoreContext::new().unwrap(); + assert_eq!( + context + .init(&store, &cert, &chain, |c| { + c.verify_cert()?; + Ok(c.error()) + }) + .unwrap() + .error_string(), + "certificate has expired" + ) +} + +#[test] +#[cfg(any(ossl102, libressl261))] +fn test_verify_param_set_time() { + const TEST_T_2020: time_t = 1577836800; + + let cert = include_bytes!("../../test/cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + let ca = include_bytes!("../../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let chain = Stack::new().unwrap(); + + let mut store_bldr = X509StoreBuilder::new().unwrap(); + store_bldr.add_cert(ca).unwrap(); + let mut verify_params = X509VerifyParam::new().unwrap(); + verify_params.set_time(TEST_T_2020); + store_bldr.set_param(&verify_params).unwrap(); + let store = store_bldr.build(); + + let mut context = X509StoreContext::new().unwrap(); + assert!(context + .init(&store, &cert, &chain, |c| c.verify_cert()) + .unwrap()); +} + +#[test] +#[cfg(any(ossl102, libressl261))] +fn test_verify_param_set_depth() { + let cert = include_bytes!("../../test/leaf.pem"); + let cert = X509::from_pem(cert).unwrap(); + let intermediate_ca = include_bytes!("../../test/intermediate-ca.pem"); + let intermediate_ca = X509::from_pem(intermediate_ca).unwrap(); + let ca = include_bytes!("../../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let mut chain = Stack::new().unwrap(); + chain.push(intermediate_ca).unwrap(); + + let mut store_bldr = X509StoreBuilder::new().unwrap(); + store_bldr.add_cert(ca).unwrap(); + let mut verify_params = X509VerifyParam::new().unwrap(); + // OpenSSL 1.1.0+ considers the root certificate to not be part of the chain, while 1.0.2 and LibreSSL do + let expected_depth = if cfg!(any(ossl110)) { 1 } else { 2 }; + verify_params.set_depth(expected_depth); + store_bldr.set_param(&verify_params).unwrap(); + let store = store_bldr.build(); + + let mut context = X509StoreContext::new().unwrap(); + assert!(context + .init(&store, &cert, &chain, |c| c.verify_cert()) + .unwrap()); +} + +#[test] +#[cfg(any(ossl102, libressl261))] +fn test_verify_param_set_depth_fails_verification() { + let cert = include_bytes!("../../test/leaf.pem"); + let cert = X509::from_pem(cert).unwrap(); + let intermediate_ca = include_bytes!("../../test/intermediate-ca.pem"); + let intermediate_ca = X509::from_pem(intermediate_ca).unwrap(); + let ca = include_bytes!("../../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let mut chain = Stack::new().unwrap(); + chain.push(intermediate_ca).unwrap(); + + let mut store_bldr = X509StoreBuilder::new().unwrap(); + store_bldr.add_cert(ca).unwrap(); + let mut verify_params = X509VerifyParam::new().unwrap(); + // OpenSSL 1.1.0+ considers the root certificate to not be part of the chain, while 1.0.2 and LibreSSL do + let expected_depth = if cfg!(any(ossl110)) { 0 } else { 1 }; + verify_params.set_depth(expected_depth); + store_bldr.set_param(&verify_params).unwrap(); + let store = store_bldr.build(); + + // OpenSSL 1.1.0+ added support for X509_V_ERR_CERT_CHAIN_TOO_LONG, while 1.0.2 simply ignores the intermediate + let expected_error = if cfg!(any(ossl110, libressl261)) { + "certificate chain too long" + } else { + "unable to get local issuer certificate" + }; + + let mut context = X509StoreContext::new().unwrap(); + assert_eq!( + context + .init(&store, &cert, &chain, |c| { + c.verify_cert()?; + Ok(c.error()) + }) + .unwrap() + .error_string(), + expected_error + ) +} diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index 4752133996..20dd4bea8d 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -1,10 +1,10 @@ use bitflags::bitflags; use foreign_types::ForeignTypeRef; -use libc::{c_uint, c_ulong}; +use libc::{c_int, c_uint, c_ulong, time_t}; use std::net::IpAddr; -use crate::cvt; use crate::error::ErrorStack; +use crate::{cvt, cvt_p}; use openssl_macros::corresponds; bitflags! { @@ -69,6 +69,17 @@ foreign_type_and_impl_send_sync! { pub struct X509VerifyParamRef; } +impl X509VerifyParam { + /// Create an X509VerifyParam + #[corresponds(X509_VERIFY_PARAM_new)] + pub fn new() -> Result { + unsafe { + ffi::init(); + cvt_p(ffi::X509_VERIFY_PARAM_new()).map(X509VerifyParam) + } + } +} + impl X509VerifyParamRef { /// Set the host flags. #[corresponds(X509_VERIFY_PARAM_set_hostflags)] @@ -139,4 +150,16 @@ impl X509VerifyParamRef { .map(|_| ()) } } + + /// Set the verification time, where time is of type time_t, traditionaly defined as seconds since the epoch + #[corresponds(X509_VERIFY_PARAM_set_time)] + pub fn set_time(&mut self, time: time_t) { + unsafe { ffi::X509_VERIFY_PARAM_set_time(self.as_ptr(), time) } + } + + /// Set the verification depth + #[corresponds(X509_VERIFY_PARAM_set_depth)] + pub fn set_depth(&mut self, depth: c_int) { + unsafe { ffi::X509_VERIFY_PARAM_set_depth(self.as_ptr(), depth) } + } } diff --git a/openssl/test/intermediate-ca.key b/openssl/test/intermediate-ca.key new file mode 100644 index 0000000000..48f449534e --- /dev/null +++ b/openssl/test/intermediate-ca.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA1HsHFTpgKeWL/y6oKtARZm0Dy6J/08E0CujmdpVp0xnkXi/A +RARnbMEbOPfmBUMOkVtQT3+l5aCgIAX+Kg6K7sQvio8nQUgOxuO1YpGlYu9EMtc7 +5fNxA1T0CuXXx8ClfEqW1ZV7ziQV0J4gzvuI26A7XyUhdk1oP/Al3F/94TmH6dtP +SQ2K901O2zknU+bpPheQy08SE20k/nUOJAsiwtsxqY8hHOL1sXZ4K+I311hl0QpD +OYf7eBcBdo2Mc5Nzjd9LPGLk1lE3itAXpayFMmfuuA0IdH1gNfy18axFEEVnj6CS +2epGpmAckUEWUOse1WBhDEt6ddowT1iw7X4mWwIDAQABAoIBAGMGXzuudAiymTc5 +OFiTlbhlkAJEXkyC201GU7nqUmJ2y651lKZeYxEVQimfpszG/rARnXEfbWKCJH4o +LNbO5kL2na12n/XVrkVU9EDW3fwoxGDpXFoDxaSm4AGAMrs+diFh5b/upb9ho+UQ +/PtZ0OOCXokuFdU7qB08P3jgJ8LhooqWnZ4AC0rhN85CMNIKs/nrUrnmS3FZLVd/ +NWI9Vfjsndd41Gkho0A7tgOSnwRupk/Bv1b0px31h8ucp9/nLuR8vbGSdS/R9Sta +pB9KNYYQ3LrhQGjddnEU0gj8qsuWgnoPf7eaWsLVunPLHQzL2hNNKL1eBADm7Lhh +avIlnrkCgYEA8Q8UhOeIO0sMU8sB4NPTUf2UT9xjURoowGsGgbDEk21eABH6VC33 +VYt5r5xwbZFQvVaTbe+EI1YDpjH1cvpmorEWI47Nm4Vbf9JujW/hoQwuwpzOpdUT +2G4tfMQrmTw/9HJ0l9+1Ib+A93dB8GvR0NE1uueaWanWvXARInwGiscCgYEA4aZ9 +mbhuwx88sSRMXwxSZw+R5BRrjdC0CeoimGg4/P84bKgc0YsjAha5jWaC/h8xN2Pb +w45b3hQ0/FP8xohP0bp/5eeiDbqb6JuO5bI3CnfBrVpu1CAuIrf7lhkar3a0wluB +k03fVHuVLtydACDJBKrZm1F39lpiZiEqlBIp080CgYEAwRwYjwPAEefkHzhQ7+Ah +uNwQtQ1TjsQLA2J5mumWAJirphjA1jDgo+oQ+Iq1UkEIUjWJ85bd30TntXruK0bH +c+uzVZbvxXfGvhZAtBN9x/svdn4R2a1hsY9J51prpt0qStRp7MSsoTV9xkEGVOi6 +87K1fV5OOyggvC+Lunlq8D8CgYAVSCOObPOdWYPa3SaKzFm1OKW00iw2qtlgGgH7 +R9EgI14J+W0GYk4B82y6plFycDSvGa7vaazGbDd3GOC9RLvqduF7KHaDPvdXX9yB +U2aXiSXuGJpdTU+snJeQ13tJ0zNHJWQ6JV0L1cADNHFmQrFSzF5LpMpgpLOlGDmw +z2m8fQKBgQDclFeonyn0zcXqznun9kAKkMij4s6lSdRgi/5Zh1WbJwOso9oWfwz9 +SSTP2KBO8B+/yFvuo5SWrbNaTz9/KuzMTv4HXz5ukLbyN9Jjtk73fdBBRSjL+zF5 +jU56oXHrwBhEqWQ77Ps60r+FmDjUgUhyJl14ZfkzICUK7NLFxKrvMQ== +-----END RSA PRIVATE KEY----- diff --git a/openssl/test/intermediate-ca.pem b/openssl/test/intermediate-ca.pem new file mode 100644 index 0000000000..266ef593cb --- /dev/null +++ b/openssl/test/intermediate-ca.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDszCCApugAwIBAgIEFSQSITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB +VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMB4XDTIyMTEwMzA3MDc0OVoXDTI2MDgxMTA3MDc0OVowgYkxCzAJ +BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l +dCBXaWRnaXRzIFB0eSBMdGQxIDAeBgNVBAsMF0ludGVybWVkaWF0ZSBEZXBhcnRt +ZW50MSAwHgYDVQQDDBdpbnRlcm1lZGlhdGUuZm9vYmFyLmNvbTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBANR7BxU6YCnli/8uqCrQEWZtA8uif9PBNAro +5naVadMZ5F4vwEQEZ2zBGzj35gVDDpFbUE9/peWgoCAF/ioOiu7EL4qPJ0FIDsbj +tWKRpWLvRDLXO+XzcQNU9Arl18fApXxKltWVe84kFdCeIM77iNugO18lIXZNaD/w +Jdxf/eE5h+nbT0kNivdNTts5J1Pm6T4XkMtPEhNtJP51DiQLIsLbMamPIRzi9bF2 +eCviN9dYZdEKQzmH+3gXAXaNjHOTc43fSzxi5NZRN4rQF6WshTJn7rgNCHR9YDX8 +tfGsRRBFZ4+gktnqRqZgHJFBFlDrHtVgYQxLenXaME9YsO1+JlsCAwEAAaNmMGQw +HQYDVR0OBBYEFAXJImmmxYXx6L1SRRhgP3Tyq2J6MB8GA1UdIwQYMBaAFGzTpQOr +DV8syY2KnIiniHe4N/2aMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQD +AgGGMA0GCSqGSIb3DQEBCwUAA4IBAQCnUh7iNbnFBjVa4sFx02r65syxUhcvM/ya +DcSe1esGUwjZLyKVl9BTfQ6kfNa/6Z/t5cprp0R3etalN31dxka7xSDwzFNdBczB +zYDIVOVlcGLL1Xjozacm6YHo773dqxZS36rVMk3NqNUY6GJJ+CGso2xZShcBg2KG +fPlNPiRz3847E3dwouDYcP1MXf2ql/Y7dRbE+8kb3bWkSusJVb/4EHjpR7yZjKmh +eXHVVx1dKnCGRldn3+dSNhN6mxNaSeBE2hb158+diQvL5u3f//va7SOpCi0f4d8E +UCnLhieyrDlr42XXfz42BqRpqBO1SDjQwzIIc9Fbevwb916OSExp +-----END CERTIFICATE----- diff --git a/openssl/test/leaf.pem b/openssl/test/leaf.pem new file mode 100644 index 0000000000..0f7aa808de --- /dev/null +++ b/openssl/test/leaf.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDejCCAmICBBUkEiQwDQYJKoZIhvcNAQELBQAwgYkxCzAJBgNVBAYTAkFVMRMw +EQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0 +eSBMdGQxIDAeBgNVBAsMF0ludGVybWVkaWF0ZSBEZXBhcnRtZW50MSAwHgYDVQQD +DBdpbnRlcm1lZGlhdGUuZm9vYmFyLmNvbTAeFw0yMjExMDMwNzE3NTJaFw0yNjA4 +MTEwNzE3NTJaMHkxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGDAWBgNVBAsMD0xlYWYg +RGVwYXJ0bWVudDEYMBYGA1UEAwwPbGVhZi5mb29iYXIuY29tMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs9STUHGIcSOtioK6+02k9Jx4JuYVJ0SB7Ebd +FAhGiOxBSoOljRVmmALti89QMmRiRqlyJnGJch7AloCCRsLJA0MfUYvauqmKHZFk +iqtZ1HocHQ/LGNKfkILcclb4xp2nGYntKAyEqer3Qc6aPWAnQAV/+BshU1vlMfwU +T6vOJRG69mft6dkHEWSzZd7++7HmFQGnDmIs5jBJVCOgKVttkN8Bk2EsTvJi9zl2 +SXLTcVrTAxEvuawv2ZXvdI/Cpt1WW0litXlFLcYBGwt/N93TX/L3Iyw5HcNd/xf9 +QwOr6RR66krQJzKxwcIY934uq6cyTQhexgnffb65qXL4bbV5fwIDAQABMA0GCSqG +SIb3DQEBCwUAA4IBAQAZf0/r04AeKN2QhQ7Z0o2Iu/Yj3OD2tnbxVoltYk8CRfp3 +7VGl/5PUbmXXBSwMc4Udj88JlreU7iNEPAKtBqFczw0pwNfvxKG4Eh3vsfKrP+5g +gtVwDG0mWeKJ7udrmFt8N0uwxVYDKp/gv5+Bw2eMew9Eoyenj6k2yg0nbFKzA3EH +DqngETzX0dhdiYwVcoJFUK5ni3tVl9qi6FpmaTE6C5nTQLyH4CI+vo2x/QHINGaJ +OzY/rx35iyVqXVqxN/gO/hp6g0nT5zLuMg2rfvcAhdDsD7htYcHiNkofrC8s0oQE +W+r01EhxdEVvY1nYWanBCF6tktc5v5qf2WMS4ye5 +-----END CERTIFICATE----- From 520f6efb94fba8e6ed2c356cd46a60c0cc3675bb Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Wed, 9 Nov 2022 09:21:48 +0100 Subject: [PATCH 027/341] Fix reference to ECC --- openssl-sys/src/macros.rs | 2 +- openssl/src/ec.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/macros.rs b/openssl-sys/src/macros.rs index 2f8bf77c39..cb675f6e41 100644 --- a/openssl-sys/src/macros.rs +++ b/openssl-sys/src/macros.rs @@ -38,7 +38,7 @@ macro_rules! cfg_if { // semicolon is all the remaining items (@__items ($($not:meta,)*) ; ) => {}; (@__items ($($not:meta,)*) ; ( ($($m:meta),*) ($($it:item)*) ), $($rest:tt)*) => { - // Emit all items within one block, applying an approprate #[cfg]. The + // Emit all items within one block, applying an appropriate #[cfg]. The // #[cfg] will require all `$m` matchers specified and must also negate // all previous matchers. cfg_if! { @__apply cfg(all($($m,)* not(any($($not),*)))), $($it)* } diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index d768612c74..a6a6dc975a 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -14,7 +14,7 @@ //! //! [`EcGroup`]: struct.EcGroup.html //! [`Nid`]: ../nid/struct.Nid.html -//! [Eliptic Curve Cryptography]: https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography +//! [Elliptic Curve Cryptography]: https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography use foreign_types::{ForeignType, ForeignTypeRef}; use libc::c_int; use std::fmt; From 9ab49ba3e30c4435374dee94874936c717bda4dd Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Tue, 22 Nov 2022 17:44:51 +0100 Subject: [PATCH 028/341] Fix lint error on clippy 1.65 --- openssl-errors/tests/test.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-errors/tests/test.rs b/openssl-errors/tests/test.rs index 12e79b830e..98259b9b08 100644 --- a/openssl-errors/tests/test.rs +++ b/openssl-errors/tests/test.rs @@ -32,7 +32,7 @@ fn basic() { cfg_if! { if #[cfg(ossl300)] { // https://github.com/openssl/openssl/issues/12530 - assert!(error.data() == None || error.data() == Some("")); + assert!(error.data().is_none() || error.data() == Some("")); } else { assert_eq!(error.data(), None); } From 6c52dd49285dd7ec289b0a6a011499d71914ba35 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Tue, 22 Nov 2022 15:43:48 +0100 Subject: [PATCH 029/341] Improve `PKey` documentation related to ed25519/ed448 This patch adds doctests with common usage to the `generate_*` functions as well as cross links to other pieces of documentation. --- openssl/src/pkey.rs | 100 ++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 92 insertions(+), 8 deletions(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 1e09b77b54..7d438ebadc 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -238,10 +238,10 @@ where unsafe { ffi::EVP_PKEY_cmp(self.as_ptr(), other.as_ptr()) == 1 } } - /// Raw byte representation of a public key + /// Raw byte representation of a public key. /// /// This function only works for algorithms that support raw public keys. - /// Currently this is: X25519, ED25519, X448 or ED448 + /// Currently this is: [`Id::X25519`], [`Id::ED25519`], [`Id::X448`] or [`Id::ED448`]. #[corresponds(EVP_PKEY_get_raw_public_key)] #[cfg(ossl111)] pub fn raw_public_key(&self) -> Result, ErrorStack> { @@ -289,10 +289,10 @@ where ffi::i2d_PrivateKey } - /// Raw byte representation of a private key + /// Raw byte representation of a private key. /// /// This function only works for algorithms that support raw private keys. - /// Currently this is: HMAC, X25519, ED25519, X448 or ED448 + /// Currently this is: [`Id::HMAC`], [`Id::X25519`], [`Id::ED25519`], [`Id::X448`] or [`Id::ED448`]. #[corresponds(EVP_PKEY_get_raw_private_key)] #[cfg(ossl111)] pub fn raw_private_key(&self) -> Result, ErrorStack> { @@ -482,25 +482,109 @@ impl PKey { ctx.keygen() } - /// Generates a new private Ed25519 key + /// Generates a new private X25519 key. + /// + /// To import a private key from raw bytes see [`PKey::private_key_from_raw_bytes`]. + /// + /// # Examples + /// + /// ``` + /// # fn main() -> Result<(), Box> { + /// use openssl::pkey::{PKey, Id}; + /// use openssl::derive::Deriver; + /// + /// let public = // ... + /// # &PKey::generate_x25519()?.raw_public_key()?; + /// let public_key = PKey::public_key_from_raw_bytes(public, Id::X25519)?; + /// + /// let key = PKey::generate_x25519()?; + /// let mut deriver = Deriver::new(&key)?; + /// deriver.set_peer(&public_key)?; + /// + /// let secret = deriver.derive_to_vec()?; + /// assert_eq!(secret.len(), 32); + /// # Ok(()) } + /// ``` #[cfg(ossl111)] pub fn generate_x25519() -> Result, ErrorStack> { PKey::generate_eddsa(Id::X25519) } - /// Generates a new private Ed448 key + /// Generates a new private X448 key. + /// + /// To import a private key from raw bytes see [`PKey::private_key_from_raw_bytes`]. + /// + /// # Examples + /// + /// ``` + /// # fn main() -> Result<(), Box> { + /// use openssl::pkey::{PKey, Id}; + /// use openssl::derive::Deriver; + /// + /// let public = // ... + /// # &PKey::generate_x448()?.raw_public_key()?; + /// let public_key = PKey::public_key_from_raw_bytes(public, Id::X448)?; + /// + /// let key = PKey::generate_x448()?; + /// let mut deriver = Deriver::new(&key)?; + /// deriver.set_peer(&public_key)?; + /// + /// let secret = deriver.derive_to_vec()?; + /// assert_eq!(secret.len(), 56); + /// # Ok(()) } + /// ``` #[cfg(ossl111)] pub fn generate_x448() -> Result, ErrorStack> { PKey::generate_eddsa(Id::X448) } - /// Generates a new private Ed25519 key + /// Generates a new private Ed25519 key. + /// + /// To import a private key from raw bytes see [`PKey::private_key_from_raw_bytes`]. + /// + /// # Examples + /// + /// ``` + /// # fn main() -> Result<(), Box> { + /// use openssl::pkey::{PKey, Id}; + /// use openssl::sign::Signer; + /// + /// let key = PKey::generate_ed25519()?; + /// let public_key = key.raw_public_key()?; + /// + /// let mut signer = Signer::new_without_digest(&key)?; + /// let digest = // ... + /// # &vec![0; 32]; + /// let signature = signer.sign_oneshot_to_vec(digest)?; + /// assert_eq!(signature.len(), 64); + /// # Ok(()) } + /// ``` #[cfg(ossl111)] pub fn generate_ed25519() -> Result, ErrorStack> { PKey::generate_eddsa(Id::ED25519) } - /// Generates a new private Ed448 key + /// Generates a new private Ed448 key. + /// + /// To import a private key from raw bytes see [`PKey::private_key_from_raw_bytes`]. + /// + /// # Examples + /// + /// ``` + /// # fn main() -> Result<(), Box> { + /// use openssl::pkey::{PKey, Id}; + /// use openssl::sign::Signer; + /// + /// let key = PKey::generate_ed448()?; + /// let public_key = key.raw_public_key()?; + /// + /// let mut signer = Signer::new_without_digest(&key)?; + /// let digest = // ... + /// # &vec![0; 32]; + /// let signature = signer.sign_oneshot_to_vec(digest)?; + /// assert_eq!(signature.len(), 114); + /// # Ok(()) } + /// ``` #[cfg(ossl111)] pub fn generate_ed448() -> Result, ErrorStack> { PKey::generate_eddsa(Id::ED448) From d5037d4dcae4fcb5c301f9df907975033185a926 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Wed, 23 Nov 2022 17:46:44 -0800 Subject: [PATCH 030/341] Release openssl-sys v0.9.78 --- openssl-sys/CHANGELOG.md | 17 ++++++++++++++++- openssl-sys/Cargo.toml | 2 +- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index bcbb5ec937..0c549f6117 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,20 @@ ## [Unreleased] +## [v0.9.78] - 2022-11-23 + +### Added + +* Added support for LibreSSL 3.6.x. +* Added `NID_brainpoolP256r1`, `NID_brainpoolP384r1`, and `NID_brainpool512r1`. +* Added `EVP_camellia_128_cfb128`, `EVP_camellia_128_ecb`, `EVP_camellia_192_cfb128`, `EVP_camellia_192_ecb`, + `EVP_camellia_256_cfb128`, and `EVP_camellia_256_ecb`. +* Added `EVP_cast5_cfb64` and `EVP_cast5_ecb`. +* Added `EVP_idea_cfb64` and `EVP_idea_ecb`. +* Added `DSA_SIG`, `d2i_DSA_SIG`, `i2d_DSA_SIG`, `DSA_SIG_new`, `DSA_SIG_free`, `DSA_SIG_get0`, and `DSA_SIG_set0`. +* Added `X509_STORE_set1_param`, `X509_VERIFY_PARAM_new`, `X509_VERIFY_PARAM_set_time`, and + `X509_VERIFY_PARAM_set_depth`. + ## [v0.9.77] - 2022-10-22 ### Added @@ -336,7 +350,8 @@ * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.76..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.77..master +[v0.9.77]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.76...openssl-sys-v0.9.77 [v0.9.76]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.75...openssl-sys-v0.9.76 [v0.9.75]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.74...openssl-sys-v0.9.75 [v0.9.74]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.73...openssl-sys-v0.9.74 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 7c6ab832d6..ee1a57cd19 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.77" +version = "0.9.78" authors = [ "Alex Crichton ", "Steven Fackler ", From 7db5cc72d326360ffa62398201635effedb885c6 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Wed, 23 Nov 2022 17:53:05 -0800 Subject: [PATCH 031/341] Release openssl v0.10.43 --- openssl/CHANGELOG.md | 14 +++++++++++++- openssl/Cargo.toml | 4 ++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index ba28a5a383..31564986e0 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,17 @@ ## [Unreleased] +## [v0.10.43] - 2022-11-23 + +### Added + +* Added `Nid::BRAINPOOL_P256R1`, `Nid::BRAINPOOL_P384R1`, `Nid::BRAINPOOL_P512R1`. +* Added `BigNumRef::copy_from_slice`. +* Added `Cipher` constructors for Camellia, CAST5, and IDEA ciphers. +* Added `DsaSig`. +* Added `X509StoreBuilderRef::set_param`. +* Added `X509VerifyParam::new`, `X509VerifyParamRef::set_time`, and `X509VerifyParamRef::set_depth`. + ## [v0.10.42] - 2022-09-26 ### Added @@ -630,7 +641,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.42...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.43...master +[v0.10.43]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.42...openssl-v0.10.43 [v0.10.42]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.41...openssl-v0.10.42 [v0.10.41]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.40...openssl-v0.10.41 [v0.10.40]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.39...openssl-v0.10.40 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 41bd0fdb2f..b6204e4490 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.42" +version = "0.10.43" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.76", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.78", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 0106165088d13635cd2ead04b1d20375546e376a Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Thu, 10 Nov 2022 10:33:31 +0100 Subject: [PATCH 032/341] Expose `num` parameter of the cipher --- openssl-sys/src/evp.rs | 5 +++++ openssl-sys/src/handwritten/evp.rs | 3 +++ openssl/src/cipher_ctx.rs | 16 ++++++++++++++++ 3 files changed, 24 insertions(+) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 1e1a4dd93d..fc3003f7bd 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -97,6 +97,11 @@ cfg_if! { pub unsafe fn EVP_CIPHER_CTX_iv_length(ctx: *const EVP_CIPHER_CTX) -> c_int { EVP_CIPHER_CTX_get_iv_length(ctx) } + + #[inline] + pub unsafe fn EVP_CIPHER_CTX_num(ctx: *const EVP_CIPHER_CTX) -> c_int { + EVP_CIPHER_CTX_get_num(ctx) + } } else { pub unsafe fn EVP_MD_CTX_size(ctx: *const EVP_MD_CTX) -> c_int { EVP_MD_size(EVP_MD_CTX_md(ctx)) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index ffb0a0819d..a85d628ade 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -26,6 +26,7 @@ cfg_if! { pub fn EVP_CIPHER_CTX_get_key_length(ctx: *const EVP_CIPHER_CTX) -> c_int; pub fn EVP_CIPHER_CTX_get_iv_length(ctx: *const EVP_CIPHER_CTX) -> c_int; pub fn EVP_CIPHER_CTX_get_tag_length(ctx: *const EVP_CIPHER_CTX) -> c_int; + pub fn EVP_CIPHER_CTX_get_num(ctx: *const EVP_CIPHER_CTX) -> c_int; } } else { extern "C" { @@ -44,6 +45,8 @@ cfg_if! { pub fn EVP_CIPHER_CTX_block_size(ctx: *const EVP_CIPHER_CTX) -> c_int; pub fn EVP_CIPHER_CTX_key_length(ctx: *const EVP_CIPHER_CTX) -> c_int; pub fn EVP_CIPHER_CTX_iv_length(ctx: *const EVP_CIPHER_CTX) -> c_int; + #[cfg(ossl110)] + pub fn EVP_CIPHER_CTX_num(ctx: *const EVP_CIPHER_CTX) -> c_int; } } } diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 8e017115b1..a4d1c461c5 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -363,6 +363,22 @@ impl CipherCtxRef { unsafe { ffi::EVP_CIPHER_CTX_iv_length(self.as_ptr()) as usize } } + /// Returns the `num` parameter of the cipher. + /// + /// Built-in ciphers typically use this to track how much of the + /// current underlying block has been "used" already. + /// + /// # Panics + /// + /// Panics if the context has not been initialized with a cipher. + #[corresponds(EVP_CIPHER_CTX_num)] + #[cfg(ossl110)] + pub fn num(&self) -> usize { + self.assert_cipher(); + + unsafe { ffi::EVP_CIPHER_CTX_num(self.as_ptr()) as usize } + } + /// Sets the length of the IV expected by this context. /// /// Only some ciphers support configurable IV lengths. From 5ecff30dfecf35777e1ff7e7307e3d3a2414955e Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Mon, 14 Nov 2022 10:43:11 +0100 Subject: [PATCH 033/341] Make `CipherCtx::cipher_update` more flexible This change relaxes constraints on the output buffer size when it can be safely determined how many bytes will be put in the output buffer. For supported cryptographic backends (OpenSSL >= 1.1) the cipher's `num` parameter will be consulted for the number of bytes in the block cache. For unsupported backends the behavior will not change (the code will assume full block in the cache). For callers that do the check themselves and want to use other backends (e.g. BoringSSL or LibreSSL) and unsafe `cipher_update_unchecked` function is added. Additionally a `CipherCtx::minimal_output_size` function is added for letting the callers know how big should the output buffer be for the next `cipher_update` call. Fixes #1729. See: https://mta.openssl.org/pipermail/openssl-users/2022-November/015623.html --- openssl/src/cipher_ctx.rs | 304 +++++++++++++++++++++++++++++++++++--- 1 file changed, 286 insertions(+), 18 deletions(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index a4d1c461c5..c0377d969b 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -379,6 +379,49 @@ impl CipherCtxRef { unsafe { ffi::EVP_CIPHER_CTX_num(self.as_ptr()) as usize } } + /// Returns number of bytes cached in partial block update. + #[cfg(ossl110)] + fn used_block_size(&self) -> usize { + self.num() + } + + /// Returns maximum number of bytes that could be cached. + #[cfg(not(ossl110))] + fn used_block_size(&self) -> usize { + self.block_size() + } + + /// Calculate the minimal size of the output buffer given the + /// input buffer size. + /// + /// For streaming ciphers the minimal output size is the same as + /// the input size. For block ciphers the minimal output size + /// additionally depends on the partial blocks that might have + /// been written in previous calls to [`Self::cipher_update`]. + /// + /// This function takes into account the number of partially + /// written blocks for block ciphers for supported targets + /// (OpenSSL >= 1.1). For unsupported targets the number of + /// partially written bytes is assumed to contain one full block + /// (pessimistic case). + /// + /// # Panics + /// + /// Panics if the context has not been initialized with a cipher. + pub fn minimal_output_size(&self, inlen: usize) -> usize { + let block_size = self.block_size(); + if block_size > 1 { + // block cipher + let num = self.used_block_size(); + let total_size = inlen + num; + let num_blocks = total_size / block_size; + num_blocks * block_size + } else { + // streaming cipher + inlen + } + } + /// Sets the length of the IV expected by this context. /// /// Only some ciphers support configurable IV lengths. @@ -517,33 +560,61 @@ impl CipherCtxRef { /// /// # Panics /// - /// Panics if `output.len()` is less than `input.len()` plus the cipher's block size. + /// Panics if `output` doesn't contain enough space for data to be + /// written as specified by [`Self::minimal_output_size`]. #[corresponds(EVP_CipherUpdate)] pub fn cipher_update( &mut self, input: &[u8], output: Option<&mut [u8]>, ) -> Result { - let inlen = c_int::try_from(input.len()).unwrap(); - if let Some(output) = &output { - let mut block_size = self.block_size(); - if block_size == 1 { - block_size = 0; - } - assert!(output.len() >= input.len() + block_size); + let min_output_size = self.minimal_output_size(input.len()); + assert!( + output.len() >= min_output_size, + "Output buffer size should be at least {} bytes.", + min_output_size + ); } + unsafe { self.cipher_update_unchecked(input, output) } + } + + /// Writes data into the context. + /// + /// Providing no output buffer will cause the input to be considered additional authenticated data (AAD). + /// + /// Returns the number of bytes written to `output`. + /// + /// This function is the same as [`Self::cipher_update`] but with the + /// output size check removed. It can be used when the exact + /// buffer size control is maintained by the caller and the + /// underlying cryptographic library doesn't expose exact block + /// cache data (e.g. OpenSSL < 1.1, BoringSSL, LibreSSL). + /// + /// SAFETY: The caller is expected to provide `output` buffer + /// large enough to contain correct number of bytes. For streaming + /// ciphers the output buffer size should be at least as big as + /// the input buffer. For block ciphers the size of the output + /// buffer depends on the state of partially updated blocks (see + /// [`Self::minimal_output_size`]). + #[corresponds(EVP_CipherUpdate)] + pub unsafe fn cipher_update_unchecked( + &mut self, + input: &[u8], + output: Option<&mut [u8]>, + ) -> Result { + let inlen = c_int::try_from(input.len()).unwrap(); + let mut outlen = 0; - unsafe { - cvt(ffi::EVP_CipherUpdate( - self.as_ptr(), - output.map_or(ptr::null_mut(), |b| b.as_mut_ptr()), - &mut outlen, - input.as_ptr(), - inlen, - ))?; - } + + cvt(ffi::EVP_CipherUpdate( + self.as_ptr(), + output.map_or(ptr::null_mut(), |b| b.as_mut_ptr()), + &mut outlen, + input.as_ptr(), + inlen, + ))?; Ok(outlen as usize) } @@ -604,7 +675,7 @@ impl CipherCtxRef { #[cfg(test)] mod test { use super::*; - use crate::cipher::Cipher; + use crate::{cipher::Cipher, rand::rand_bytes}; #[cfg(not(boringssl))] use std::slice; @@ -685,4 +756,201 @@ mod test { let cipher = Cipher::aes_128_cbc(); aes_128_cbc(cipher); } + + #[test] + #[cfg(ossl110)] + fn partial_block_updates() { + test_block_cipher_for_partial_block_updates(Cipher::aes_128_cbc()); + test_block_cipher_for_partial_block_updates(Cipher::aes_256_cbc()); + test_block_cipher_for_partial_block_updates(Cipher::des_ede3_cbc()); + } + + #[cfg(ossl110)] + fn test_block_cipher_for_partial_block_updates(cipher: &'static CipherRef) { + let mut key = vec![0; cipher.key_length()]; + rand_bytes(&mut key).unwrap(); + let mut iv = vec![0; cipher.iv_length()]; + rand_bytes(&mut iv).unwrap(); + + let mut ctx = CipherCtx::new().unwrap(); + + ctx.encrypt_init(Some(cipher), Some(&key), Some(&iv)) + .unwrap(); + ctx.set_padding(false); + + let block_size = cipher.block_size(); + assert!(block_size > 1, "Need a block cipher, not a stream cipher"); + + // update cipher with non-full block + // expect no output until a block is complete + let outlen = ctx + .cipher_update(&vec![0; block_size - 1], Some(&mut [0; 0])) + .unwrap(); + assert_eq!(0, outlen); + + // update cipher with missing bytes from the previous block + // and one additional block, output should contain two blocks + let mut two_blocks = vec![0; block_size * 2]; + let outlen = ctx + .cipher_update(&vec![0; block_size + 1], Some(&mut two_blocks)) + .unwrap(); + assert_eq!(block_size * 2, outlen); + + ctx.cipher_final_vec(&mut vec![0; 0]).unwrap(); + + // try to decrypt + ctx.decrypt_init(Some(cipher), Some(&key), Some(&iv)) + .unwrap(); + ctx.set_padding(false); + + // update cipher with non-full block + // expect no output until a block is complete + let outlen = ctx + .cipher_update(&two_blocks[0..block_size - 1], Some(&mut [0; 0])) + .unwrap(); + assert_eq!(0, outlen); + + // update cipher with missing bytes from the previous block + // and one additional block, output should contain two blocks + let mut two_blocks_decrypted = vec![0; block_size * 2]; + let outlen = ctx + .cipher_update( + &two_blocks[block_size - 1..], + Some(&mut two_blocks_decrypted), + ) + .unwrap(); + assert_eq!(block_size * 2, outlen); + + ctx.cipher_final_vec(&mut vec![0; 0]).unwrap(); + // check if the decrypted blocks are the same as input (all zeros) + assert_eq!(two_blocks_decrypted, vec![0; block_size * 2]); + } + + #[test] + fn test_stream_ciphers() { + test_stream_cipher(Cipher::aes_192_ctr()); + test_stream_cipher(Cipher::aes_256_ctr()); + } + + fn test_stream_cipher(cipher: &'static CipherRef) { + let mut key = vec![0; cipher.key_length()]; + rand_bytes(&mut key).unwrap(); + let mut iv = vec![0; cipher.iv_length()]; + rand_bytes(&mut iv).unwrap(); + + let mut ctx = CipherCtx::new().unwrap(); + + ctx.encrypt_init(Some(cipher), Some(&key), Some(&iv)) + .unwrap(); + ctx.set_padding(false); + + assert_eq!( + 1, + cipher.block_size(), + "Need a stream cipher, not a block cipher" + ); + + // update cipher with non-full block + // this is a streaming cipher so the number of output bytes + // will be the same as the number of input bytes + let mut output = vec![0; 32]; + let outlen = ctx + .cipher_update(&[1; 15], Some(&mut output[0..15])) + .unwrap(); + assert_eq!(15, outlen); + + // update cipher with missing bytes from the previous block + // as previously it will output the same number of bytes as + // the input + let outlen = ctx + .cipher_update(&[1; 17], Some(&mut output[15..])) + .unwrap(); + assert_eq!(17, outlen); + + ctx.cipher_final_vec(&mut vec![0; 0]).unwrap(); + + // try to decrypt + ctx.decrypt_init(Some(cipher), Some(&key), Some(&iv)) + .unwrap(); + ctx.set_padding(false); + + // update cipher with non-full block + // expect that the output for stream cipher will contain + // the same number of bytes as the input + let mut output_decrypted = vec![0; 32]; + let outlen = ctx + .cipher_update(&output[0..15], Some(&mut output_decrypted[0..15])) + .unwrap(); + assert_eq!(15, outlen); + + let outlen = ctx + .cipher_update(&output[15..], Some(&mut output_decrypted[15..])) + .unwrap(); + assert_eq!(17, outlen); + + ctx.cipher_final_vec(&mut vec![0; 0]).unwrap(); + // check if the decrypted blocks are the same as input (all ones) + assert_eq!(output_decrypted, vec![1; 32]); + } + + #[test] + #[should_panic(expected = "Output buffer size should be at least 16 bytes.")] + #[cfg(ossl110)] + fn full_block_updates_aes_128() { + output_buffer_too_small(Cipher::aes_128_cbc()); + } + + #[test] + #[should_panic(expected = "Output buffer size should be at least 16 bytes.")] + #[cfg(ossl110)] + fn full_block_updates_aes_256() { + output_buffer_too_small(Cipher::aes_256_cbc()); + } + + #[test] + #[should_panic(expected = "Output buffer size should be at least 8 bytes.")] + #[cfg(ossl110)] + fn full_block_updates_3des() { + output_buffer_too_small(Cipher::des_ede3_cbc()); + } + + #[test] + #[should_panic(expected = "Output buffer size should be at least 32 bytes.")] + #[cfg(not(ossl110))] + fn full_block_updates_aes_128() { + output_buffer_too_small(Cipher::aes_128_cbc()); + } + + #[test] + #[should_panic(expected = "Output buffer size should be at least 32 bytes.")] + #[cfg(not(ossl110))] + fn full_block_updates_aes_256() { + output_buffer_too_small(Cipher::aes_256_cbc()); + } + + #[test] + #[should_panic(expected = "Output buffer size should be at least 16 bytes.")] + #[cfg(not(ossl110))] + fn full_block_updates_3des() { + output_buffer_too_small(Cipher::des_ede3_cbc()); + } + + fn output_buffer_too_small(cipher: &'static CipherRef) { + let mut key = vec![0; cipher.key_length()]; + rand_bytes(&mut key).unwrap(); + let mut iv = vec![0; cipher.iv_length()]; + rand_bytes(&mut iv).unwrap(); + + let mut ctx = CipherCtx::new().unwrap(); + + ctx.encrypt_init(Some(cipher), Some(&key), Some(&iv)) + .unwrap(); + ctx.set_padding(false); + + let block_size = cipher.block_size(); + assert!(block_size > 1, "Need a block cipher, not a stream cipher"); + + ctx.cipher_update(&vec![0; block_size + 1], Some(&mut vec![0; block_size - 1])) + .unwrap(); + } } From 91dfef563fd7518278a5da0fff113b78692cb8a4 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Thu, 24 Nov 2022 13:21:33 +0100 Subject: [PATCH 034/341] Add module descriptions --- openssl/src/dh.rs | 2 ++ openssl/src/md.rs | 2 ++ openssl/src/version.rs | 2 ++ 3 files changed, 6 insertions(+) diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index af9912a412..12170b994e 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -1,3 +1,5 @@ +//! Diffie-Hellman key agreement. + use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; use std::mem; diff --git a/openssl/src/md.rs b/openssl/src/md.rs index b9297e29a7..4ade8e870d 100644 --- a/openssl/src/md.rs +++ b/openssl/src/md.rs @@ -1,3 +1,5 @@ +//! Message digest algorithms. + #[cfg(ossl300)] use crate::cvt_p; #[cfg(ossl300)] diff --git a/openssl/src/version.rs b/openssl/src/version.rs index da9d24e9fc..f1a324c12c 100644 --- a/openssl/src/version.rs +++ b/openssl/src/version.rs @@ -11,6 +11,8 @@ // limitations under the License. // +//! Build and version information. + use cfg_if::cfg_if; use openssl_macros::corresponds; use std::ffi::CStr; From b42a2b771428d9d99508605ef91639dfe45bb087 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Thu, 1 Dec 2022 10:09:38 +0100 Subject: [PATCH 035/341] Add documentation to `openssl::sign::Verifier` --- openssl/src/sign.rs | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 457ff1228d..b675825e2c 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -403,6 +403,8 @@ impl<'a> Write for Signer<'a> { } } +/// A type which can be used to verify the integrity and authenticity +/// of data given the signature. pub struct Verifier<'a> { md_ctx: *mut ffi::EVP_MD_CTX, pctx: *mut ffi::EVP_PKEY_CTX, @@ -426,7 +428,7 @@ impl<'a> Verifier<'a> { /// Creates a new `Verifier`. /// /// This cannot be used with Ed25519 or Ed448 keys. Please refer to - /// `new_without_digest`. + /// [`Verifier::new_without_digest`]. /// /// OpenSSL documentation at [`EVP_DigestVerifyInit`]. /// @@ -553,7 +555,7 @@ impl<'a> Verifier<'a> { /// Feeds more data into the `Verifier`. /// /// Please note that PureEdDSA (Ed25519 and Ed448 keys) do not support streaming. - /// Use `verify_oneshot` instead. + /// Use [`Verifier::verify_oneshot`] instead. /// /// OpenSSL documentation at [`EVP_DigestUpdate`]. /// From a6af54eee171b66633aee339d751a27c99e44436 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Thu, 1 Dec 2022 10:10:06 +0100 Subject: [PATCH 036/341] Move `openssl::hash` documentation to respective functions --- openssl/src/hash.rs | 103 +++++++++++++++++++++++++++++--------------- 1 file changed, 69 insertions(+), 34 deletions(-) diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index fd83869c9a..8e27505a02 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -1,3 +1,35 @@ +//! Message digest (hash) computation support. +//! +//! # Examples +//! +//! Calculate a hash in one go: +//! +//! ``` +//! # fn main() -> Result<(), Box> { +//! use openssl::hash::{hash, MessageDigest}; +//! +//! let data = b"\x42\xF4\x97\xE0"; +//! let spec = b"\x7c\x43\x0f\x17\x8a\xef\xdf\x14\x87\xfe\xe7\x14\x4e\x96\x41\xe2"; +//! let res = hash(MessageDigest::md5(), data)?; +//! assert_eq!(&*res, spec); +//! # Ok(()) } +//! ``` +//! +//! Supply the input in chunks: +//! +//! ``` +//! use openssl::hash::{Hasher, MessageDigest}; +//! +//! # fn main() -> Result<(), Box> { +//! let mut hasher = Hasher::new(MessageDigest::sha256())?; +//! hasher.update(b"test")?; +//! hasher.update(b"this")?; +//! let digest: &[u8] = &hasher.finish()?; +//! +//! let expected = hex::decode("9740e652ab5b4acd997a7cca13d6696702ccb2d441cca59fc6e285127f28cfe6")?; +//! assert_eq!(digest, expected); +//! # Ok(()) } +//! ``` use cfg_if::cfg_if; use std::ffi::CString; use std::fmt; @@ -18,6 +50,7 @@ cfg_if! { } } +/// A message digest algorithm. #[derive(Copy, Clone, PartialEq, Eq)] pub struct MessageDigest(*const ffi::EVP_MD); @@ -174,44 +207,18 @@ use self::State::*; /// /// # Examples /// -/// Calculate a hash in one go: -/// -/// ``` -/// use openssl::hash::{hash, MessageDigest}; -/// -/// let data = b"\x42\xF4\x97\xE0"; -/// let spec = b"\x7c\x43\x0f\x17\x8a\xef\xdf\x14\x87\xfe\xe7\x14\x4e\x96\x41\xe2"; -/// let res = hash(MessageDigest::md5(), data).unwrap(); -/// assert_eq!(&*res, spec); -/// ``` -/// -/// Supply the input in chunks: -/// /// ``` /// use openssl::hash::{Hasher, MessageDigest}; /// +/// # fn main() -> Result<(), Box> { /// let data = [b"\x42\xF4", b"\x97\xE0"]; /// let spec = b"\x7c\x43\x0f\x17\x8a\xef\xdf\x14\x87\xfe\xe7\x14\x4e\x96\x41\xe2"; -/// let mut h = Hasher::new(MessageDigest::md5()).unwrap(); -/// h.update(data[0]).unwrap(); -/// h.update(data[1]).unwrap(); -/// let res = h.finish().unwrap(); +/// let mut h = Hasher::new(MessageDigest::md5())?; +/// h.update(data[0])?; +/// h.update(data[1])?; +/// let res = h.finish()?; /// assert_eq!(&*res, spec); -/// ``` -/// -/// Use an XOF hasher (OpenSSL 1.1.1+): -/// -/// ``` -/// #[cfg(ossl111)] -/// { -/// use openssl::hash::{hash_xof, MessageDigest}; -/// -/// let data = b"\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x62\x61\x73\x65\x20\x61\x72\x65\x20\x62\x65\x6c\x6f\x6e\x67\x20\x74\x6f\x20\x75\x73"; -/// let spec = b"\x49\xd0\x69\x7f\xf5\x08\x11\x1d\x8b\x84\xf1\x5e\x46\xda\xf1\x35"; -/// let mut buf = vec![0; 16]; -/// hash_xof(MessageDigest::shake_128(), data, buf.as_mut_slice()).unwrap(); -/// assert_eq!(buf, spec); -/// } +/// # Ok(()) } /// ``` /// /// # Warning @@ -220,8 +227,10 @@ use self::State::*; /// /// Don't ever hash passwords, use the functions in the `pkcs5` module or bcrypt/scrypt instead. /// -/// For extendable output functions (XOFs, i.e. SHAKE128/SHAKE256), you must use finish_xof instead -/// of finish and provide a buf to store the hash. The hash will be as long as the buf. +/// For extendable output functions (XOFs, i.e. SHAKE128/SHAKE256), +/// you must use [`Hasher::finish_xof`] instead of [`Hasher::finish`] +/// and provide a `buf` to store the hash. The hash will be as long as +/// the `buf`. pub struct Hasher { ctx: *mut ffi::EVP_MD_CTX, md: *const ffi::EVP_MD, @@ -411,6 +420,19 @@ impl fmt::Debug for DigestBytes { } /// Computes the hash of the `data` with the non-XOF hasher `t`. +/// +/// # Examples +/// +/// ``` +/// # fn main() -> Result<(), Box> { +/// use openssl::hash::{hash, MessageDigest}; +/// +/// let data = b"\x42\xF4\x97\xE0"; +/// let spec = b"\x7c\x43\x0f\x17\x8a\xef\xdf\x14\x87\xfe\xe7\x14\x4e\x96\x41\xe2"; +/// let res = hash(MessageDigest::md5(), data)?; +/// assert_eq!(&*res, spec); +/// # Ok(()) } +/// ``` pub fn hash(t: MessageDigest, data: &[u8]) -> Result { let mut h = Hasher::new(t)?; h.update(data)?; @@ -418,6 +440,19 @@ pub fn hash(t: MessageDigest, data: &[u8]) -> Result { } /// Computes the hash of the `data` with the XOF hasher `t` and stores it in `buf`. +/// +/// # Examples +/// +/// ``` +/// use openssl::hash::{hash_xof, MessageDigest}; +/// +/// let data = b"\x41\x6c\x6c\x20\x79\x6f\x75\x72\x20\x62\x61\x73\x65\x20\x61\x72\x65\x20\x62\x65\x6c\x6f\x6e\x67\x20\x74\x6f\x20\x75\x73"; +/// let spec = b"\x49\xd0\x69\x7f\xf5\x08\x11\x1d\x8b\x84\xf1\x5e\x46\xda\xf1\x35"; +/// let mut buf = vec![0; 16]; +/// hash_xof(MessageDigest::shake_128(), data, buf.as_mut_slice()).unwrap(); +/// assert_eq!(buf, spec); +/// ``` +/// #[cfg(ossl111)] pub fn hash_xof(t: MessageDigest, data: &[u8], buf: &mut [u8]) -> Result<(), ErrorStack> { let mut h = Hasher::new(t)?; From 9b851cdf76db340da49e6bfb4c40abb953272bff Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Thu, 1 Dec 2022 10:10:27 +0100 Subject: [PATCH 037/341] Add documentation to several `openssl::ec` items --- openssl/src/ec.rs | 64 ++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 55 insertions(+), 9 deletions(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index a6a6dc975a..24b3832224 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -116,6 +116,19 @@ foreign_type_and_impl_send_sync! { impl EcGroup { /// Returns the group of a standard named curve. + /// + /// # Examples + /// + /// ``` + /// # fn main() -> Result<(), Box> { + /// use openssl::nid::Nid; + /// use openssl::ec::{EcGroup, EcKey}; + /// + /// let nid = Nid::X9_62_PRIME256V1; // NIST P-256 curve + /// let group = EcGroup::from_curve_name(nid)?; + /// let key = EcKey::generate(&group)?; + /// # Ok(()) } + /// ``` #[corresponds(EC_GROUP_new_by_curve_name)] pub fn from_curve_name(nid: Nid) -> Result { unsafe { @@ -748,26 +761,32 @@ impl EcKey { } impl EcKey { - /// Constructs an `EcKey` from the specified group with the associated `EcPoint`, public_key. + /// Constructs an `EcKey` from the specified group with the associated [`EcPoint`]: `public_key`. /// - /// This will only have the associated public_key. + /// This will only have the associated `public_key`. /// /// # Example /// - /// ```no_run + /// ``` + /// # fn main() -> Result<(), Box> { /// use openssl::bn::BigNumContext; /// use openssl::ec::*; /// use openssl::nid::Nid; /// use openssl::pkey::PKey; /// - /// // get bytes from somewhere, i.e. this will not produce a valid key - /// let public_key: Vec = vec![]; + /// let group = EcGroup::from_curve_name(Nid::SECP384R1)?; + /// let mut ctx = BigNumContext::new()?; + /// + /// // get bytes from somewhere + /// let public_key = // ... + /// # EcKey::generate(&group)?.public_key().to_bytes(&group, + /// # PointConversionForm::COMPRESSED, &mut ctx)?; /// /// // create an EcKey from the binary form of a EcPoint - /// let group = EcGroup::from_curve_name(Nid::SECP256K1).unwrap(); - /// let mut ctx = BigNumContext::new().unwrap(); - /// let point = EcPoint::from_bytes(&group, &public_key, &mut ctx).unwrap(); - /// let key = EcKey::from_public_key(&group, &point); + /// let point = EcPoint::from_bytes(&group, &public_key, &mut ctx)?; + /// let key = EcKey::from_public_key(&group, &point)?; + /// key.check_key()?; + /// # Ok(()) } /// ``` #[corresponds(EC_KEY_set_public_key)] pub fn from_public_key( @@ -835,6 +854,33 @@ impl EcKey { impl EcKey { /// Generates a new public/private key pair on the specified curve. + /// + /// # Examples + /// + /// ``` + /// # fn main() -> Result<(), Box> { + /// use openssl::bn::BigNumContext; + /// use openssl::nid::Nid; + /// use openssl::ec::{EcGroup, EcKey, PointConversionForm}; + /// + /// let nid = Nid::X9_62_PRIME256V1; // NIST P-256 curve + /// let group = EcGroup::from_curve_name(nid)?; + /// let key = EcKey::generate(&group)?; + /// + /// let mut ctx = BigNumContext::new()?; + /// + /// let public_key = &key.public_key().to_bytes( + /// &group, + /// PointConversionForm::COMPRESSED, + /// &mut ctx, + /// )?; + /// assert_eq!(public_key.len(), 33); + /// assert_ne!(public_key[0], 0x04); + /// + /// let private_key = key.private_key().to_vec(); + /// assert!(private_key.len() >= 31); + /// # Ok(()) } + /// ``` #[corresponds(EC_KEY_generate_key)] pub fn generate(group: &EcGroupRef) -> Result, ErrorStack> { unsafe { From d390c414ec9039207986bf44ce4b89e00ab4a0ed Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Thu, 1 Dec 2022 10:10:50 +0100 Subject: [PATCH 038/341] Add more elaborate ECDH example to `openssl::derive` --- openssl/src/derive.rs | 50 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index 1e252d9efc..87a04a14a3 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -1,4 +1,54 @@ //! Shared secret derivation. +//! +//! # Example +//! +//! The following example implements [ECDH] using `NIST P-384` keys: +//! +//! ``` +//! # fn main() -> Result<(), Box> { +//! # use std::convert::TryInto; +//! use openssl::bn::BigNumContext; +//! use openssl::pkey::PKey; +//! use openssl::derive::Deriver; +//! use openssl::ec::{EcGroup, EcKey, EcPoint, PointConversionForm}; +//! use openssl::nid::Nid; +//! +//! let group = EcGroup::from_curve_name(Nid::SECP384R1)?; +//! +//! let first: PKey<_> = EcKey::generate(&group)?.try_into()?; +//! +//! // second party generates an ephemeral key and derives +//! // a shared secret using first party's public key +//! let shared_key = EcKey::generate(&group)?; +//! // shared_public is sent to first party +//! let mut ctx = BigNumContext::new()?; +//! let shared_public = shared_key.public_key().to_bytes( +//! &group, +//! PointConversionForm::COMPRESSED, +//! &mut ctx, +//! )?; +//! +//! let shared_key: PKey<_> = shared_key.try_into()?; +//! let mut deriver = Deriver::new(&shared_key)?; +//! deriver.set_peer(&first)?; +//! // secret can be used e.g. as a symmetric encryption key +//! let secret = deriver.derive_to_vec()?; +//! # drop(deriver); +//! +//! // first party derives the same shared secret using +//! // shared_public +//! let point = EcPoint::from_bytes(&group, &shared_public, &mut ctx)?; +//! let recipient_key: PKey<_> = EcKey::from_public_key(&group, &point)?.try_into()?; +//! let mut deriver = Deriver::new(&first)?; +//! deriver.set_peer(&recipient_key)?; +//! let first_secret = deriver.derive_to_vec()?; +//! +//! assert_eq!(secret, first_secret); +//! # Ok(()) } +//! ``` +//! +//! [ECDH]: https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman + use foreign_types::ForeignTypeRef; use std::marker::PhantomData; use std::ptr; From 6df9f1374a97bcd5138ea2d9a84e169d9b0b74aa Mon Sep 17 00:00:00 2001 From: iamwwc Date: Fri, 2 Dec 2022 11:04:10 +0800 Subject: [PATCH 039/341] sync to rust-openssl --- openssl-sys/src/ssl.rs | 6 ++++++ openssl/src/ssl/mod.rs | 13 +++++++++++++ 2 files changed, 19 insertions(+) diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs index 12243dc4fc..d3f09738c6 100644 --- a/openssl-sys/src/ssl.rs +++ b/openssl-sys/src/ssl.rs @@ -339,6 +339,8 @@ pub const SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: c_int = 71; #[cfg(any(libressl, all(ossl101, not(ossl110))))] pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77; pub const SSL_CTRL_GET_EXTRA_CHAIN_CERTS: c_int = 82; +#[cfg(ossl102)] +pub const SSL_CTRL_CHAIN_CERT: c_int = 89; #[cfg(any(ossl111, libressl252))] pub const SSL_CTRL_SET_GROUPS_LIST: c_int = 92; #[cfg(any(libressl, all(ossl102, not(ossl110))))] @@ -406,6 +408,10 @@ cfg_if! { } } } +#[cfg(ossl102)] +pub unsafe fn SSL_add_chain_certificate_pem(ssl: *mut ::SSL, ptr: *mut c_void) -> c_long { + SSL_ctrl(ssl, SSL_CTRL_CHAIN_CERT, 1, ptr) +} #[cfg(ossl102)] pub unsafe fn SSL_CTX_set1_sigalgs_list(ctx: *mut SSL_CTX, s: *const c_char) -> c_long { diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 4f349a4e4b..ec960fa107 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3104,6 +3104,19 @@ impl SslRef { } } } + #[corresponds(SSL_add1_chain_cert)] + #[cfg(ossl102)] + pub fn add_chain_certificate_pem(&mut self, chain: &[u8]) -> Result<(), ErrorStack> { + let cert = X509::from_pem(chain)?; + let ret = unsafe { + ffi::SSL_add_chain_certificate_pem(self.as_ptr(), cert.as_ptr() as *mut _ as *mut _) + }; + if ret == 1 { + Ok(()) + }else { + Err(ErrorStack::get()) + } + } } /// An SSL stream midway through the handshake process. From 21bf31dc3a6daf852984ed1fd75c031c3293a810 Mon Sep 17 00:00:00 2001 From: iamwwc Date: Fri, 2 Dec 2022 13:20:28 +0800 Subject: [PATCH 040/341] format code --- openssl/src/ssl/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index ec960fa107..88e550ba8d 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3113,7 +3113,7 @@ impl SslRef { }; if ret == 1 { Ok(()) - }else { + } else { Err(ErrorStack::get()) } } From 20f6cbee33e6dd062cbc235107fef82b20cf6434 Mon Sep 17 00:00:00 2001 From: iamwwc Date: Fri, 2 Dec 2022 17:17:45 +0800 Subject: [PATCH 041/341] remove duplicate as cast --- openssl/src/ssl/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 88e550ba8d..35da01f37c 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3109,7 +3109,7 @@ impl SslRef { pub fn add_chain_certificate_pem(&mut self, chain: &[u8]) -> Result<(), ErrorStack> { let cert = X509::from_pem(chain)?; let ret = unsafe { - ffi::SSL_add_chain_certificate_pem(self.as_ptr(), cert.as_ptr() as *mut _ as *mut _) + ffi::SSL_add_chain_certificate_pem(self.as_ptr(), cert.as_ptr() as *mut _ ) }; if ret == 1 { Ok(()) From a43e828460ec6980beba8fae17e858c6c498c3f9 Mon Sep 17 00:00:00 2001 From: iamwwc Date: Fri, 2 Dec 2022 17:43:16 +0800 Subject: [PATCH 042/341] make cargo fmt happy --- openssl/src/ssl/mod.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 35da01f37c..6d192fc594 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3108,9 +3108,8 @@ impl SslRef { #[cfg(ossl102)] pub fn add_chain_certificate_pem(&mut self, chain: &[u8]) -> Result<(), ErrorStack> { let cert = X509::from_pem(chain)?; - let ret = unsafe { - ffi::SSL_add_chain_certificate_pem(self.as_ptr(), cert.as_ptr() as *mut _ ) - }; + let ret = + unsafe { ffi::SSL_add_chain_certificate_pem(self.as_ptr(), cert.as_ptr() as *mut _) }; if ret == 1 { Ok(()) } else { From 5ae938ee55c949f64329ec95e640f523238219dc Mon Sep 17 00:00:00 2001 From: Alex Baker Date: Fri, 30 Sep 2022 13:25:13 -0500 Subject: [PATCH 043/341] Add support for X509_load_cert_file --- openssl-sys/src/handwritten/x509_vfy.rs | 2 ++ openssl/src/x509/store.rs | 33 +++++++++++++++++++++++++ openssl/src/x509/tests.rs | 24 ++++++++++++++++++ 3 files changed, 59 insertions(+) diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs index ef2a6aac94..632bb9f689 100644 --- a/openssl-sys/src/handwritten/x509_vfy.rs +++ b/openssl-sys/src/handwritten/x509_vfy.rs @@ -12,6 +12,7 @@ extern "C" { extern "C" { pub fn X509_LOOKUP_free(ctx: *mut X509_LOOKUP); pub fn X509_LOOKUP_hash_dir() -> *mut X509_LOOKUP_METHOD; + pub fn X509_LOOKUP_file() -> *mut X509_LOOKUP_METHOD; pub fn X509_LOOKUP_ctrl( ctx: *mut X509_LOOKUP, cmd: c_int, @@ -19,6 +20,7 @@ extern "C" { argl: c_long, ret: *mut *mut c_char, ) -> c_int; + pub fn X509_load_cert_file(ctx: *mut X509_LOOKUP, file: *const c_char, _type: c_int) -> c_int; } extern "C" { diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs index 120d6369a0..5acbfb5404 100644 --- a/openssl/src/x509/store.rs +++ b/openssl/src/x509/store.rs @@ -56,6 +56,8 @@ use crate::{cvt, cvt_p}; use openssl_macros::corresponds; #[cfg(not(boringssl))] use std::ffi::CString; +#[cfg(not(boringssl))] +use std::path::Path; foreign_type_and_impl_send_sync! { type CType = ffi::X509_STORE; @@ -176,6 +178,37 @@ impl X509LookupRef { } } +/// Marker type corresponding to the [`X509_LOOKUP_file`] lookup method. +/// +/// [`X509_LOOKUP_file`]: https://www.openssl.org/docs/man1.1.1/man3/X509_LOOKUP_file.html +pub struct File; + +impl X509Lookup { + /// Lookup method loads all the certificates or CRLs present in a file + /// into memory at the time the file is added as a lookup source. + #[corresponds(X509_LOOKUP_file)] + pub fn file() -> &'static X509LookupMethodRef { + unsafe { X509LookupMethodRef::from_ptr(ffi::X509_LOOKUP_file()) } + } +} + +#[cfg(not(boringssl))] +impl X509LookupRef { + #[corresponds(X509_load_cert_file)] + /// Specifies a file from which certificates will be loaded + pub fn load_cert_file>(&mut self, file: P, file_type: SslFiletype) -> Result<(), ErrorStack> { + let file = CString::new(file.as_ref().as_os_str().to_str().unwrap()).unwrap(); + unsafe { + cvt(ffi::X509_load_cert_file( + self.as_ptr(), + file.as_ptr(), + file_type.as_raw(), + )) + .map(|_| ()) + } + } +} + generic_foreign_type_and_impl_send_sync! { type CType = ffi::X509_LOOKUP_METHOD; fn drop = X509_LOOKUP_meth_free; diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index ace6175017..33d6f4f1e9 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -6,11 +6,15 @@ use crate::hash::MessageDigest; use crate::nid::Nid; use crate::pkey::{PKey, Private}; use crate::rsa::Rsa; +#[cfg(not(boringssl))] +use crate::ssl::SslFiletype; use crate::stack::Stack; use crate::x509::extension::{ AuthorityKeyIdentifier, BasicConstraints, ExtendedKeyUsage, KeyUsage, SubjectAlternativeName, SubjectKeyIdentifier, }; +#[cfg(not(boringssl))] +use crate::x509::store::X509Lookup; use crate::x509::store::X509StoreBuilder; #[cfg(any(ossl102, libressl261))] use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; @@ -668,3 +672,23 @@ fn test_verify_param_set_depth_fails_verification() { expected_error ) } + +#[test] +#[cfg(not(boringssl))] +fn test_load_cert_file() { + let cert = include_bytes!("../../test/cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + let chain = Stack::new().unwrap(); + + let mut store_bldr = X509StoreBuilder::new().unwrap(); + let lookup = store_bldr.add_lookup(X509Lookup::file()).unwrap(); + lookup + .load_cert_file("test/root-ca.pem", SslFiletype::PEM) + .unwrap(); + let store = store_bldr.build(); + + let mut context = X509StoreContext::new().unwrap(); + assert!(context + .init(&store, &cert, &chain, |c| c.verify_cert()) + .unwrap()); +} From 6643d07213d93186a50f64d28cb8bd955efbe43a Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 3 Dec 2022 15:17:59 -0500 Subject: [PATCH 044/341] rustfmt --- openssl/src/x509/store.rs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs index 5acbfb5404..a685fa18e6 100644 --- a/openssl/src/x509/store.rs +++ b/openssl/src/x509/store.rs @@ -196,7 +196,11 @@ impl X509Lookup { impl X509LookupRef { #[corresponds(X509_load_cert_file)] /// Specifies a file from which certificates will be loaded - pub fn load_cert_file>(&mut self, file: P, file_type: SslFiletype) -> Result<(), ErrorStack> { + pub fn load_cert_file>( + &mut self, + file: P, + file_type: SslFiletype, + ) -> Result<(), ErrorStack> { let file = CString::new(file.as_ref().as_os_str().to_str().unwrap()).unwrap(); unsafe { cvt(ffi::X509_load_cert_file( From 0a44a12a1ed54695138450882f060905051f0ff1 Mon Sep 17 00:00:00 2001 From: iamwwc Date: Sun, 4 Dec 2022 10:27:11 +0800 Subject: [PATCH 045/341] rename function --- openssl-sys/src/ssl.rs | 2 +- openssl/src/ssl/mod.rs | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs index d3f09738c6..e38aa367f9 100644 --- a/openssl-sys/src/ssl.rs +++ b/openssl-sys/src/ssl.rs @@ -409,7 +409,7 @@ cfg_if! { } } #[cfg(ossl102)] -pub unsafe fn SSL_add_chain_certificate_pem(ssl: *mut ::SSL, ptr: *mut c_void) -> c_long { +pub unsafe fn SSL_add1_chain_cert(ssl: *mut ::SSL, ptr: *mut c_void) -> c_long { SSL_ctrl(ssl, SSL_CTRL_CHAIN_CERT, 1, ptr) } diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 6d192fc594..ddb1894a0f 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3106,10 +3106,9 @@ impl SslRef { } #[corresponds(SSL_add1_chain_cert)] #[cfg(ossl102)] - pub fn add_chain_certificate_pem(&mut self, chain: &[u8]) -> Result<(), ErrorStack> { + pub fn add_chain_cert_pem(&mut self, chain: &[u8]) -> Result<(), ErrorStack> { let cert = X509::from_pem(chain)?; - let ret = - unsafe { ffi::SSL_add_chain_certificate_pem(self.as_ptr(), cert.as_ptr() as *mut _) }; + let ret = unsafe { ffi::SSL_add1_chain_cert(self.as_ptr(), cert.as_ptr() as *mut _) }; if ret == 1 { Ok(()) } else { From bf02d2d8d3014880a8f9e095de0afaa353084a3f Mon Sep 17 00:00:00 2001 From: iamwwc Date: Mon, 5 Dec 2022 16:13:37 +0800 Subject: [PATCH 046/341] add unit test --- openssl/src/ssl/test/mod.rs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index ab8d79aab4..e12e4f0854 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1413,3 +1413,10 @@ fn session_cache_size() { let ctx = ctx.build(); assert_eq!(ctx.session_cache_size(), 1234); } + +#[test] +fn add_chain_cert_pem() { + let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); + let mut ssl = Ssl::new(&ctx).unwrap(); + assert!(ssl.add_chain_cert_pem(CERT).is_ok()); +} \ No newline at end of file From 8c475f7b316a2ba420688764fbf71b470415f60d Mon Sep 17 00:00:00 2001 From: iamwwc Date: Mon, 5 Dec 2022 16:13:51 +0800 Subject: [PATCH 047/341] fmt --- openssl/src/ssl/test/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index e12e4f0854..aa29233ab3 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1419,4 +1419,4 @@ fn add_chain_cert_pem() { let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); let mut ssl = Ssl::new(&ctx).unwrap(); assert!(ssl.add_chain_cert_pem(CERT).is_ok()); -} \ No newline at end of file +} From 5c2cc87431b5bfc8544e36694887fc5485982e0d Mon Sep 17 00:00:00 2001 From: iamwwc Date: Mon, 5 Dec 2022 16:16:07 +0800 Subject: [PATCH 048/341] reflect macro name --- openssl/src/ssl/mod.rs | 5 ++--- openssl/src/ssl/test/mod.rs | 3 ++- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index ddb1894a0f..460ef63fad 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3106,9 +3106,8 @@ impl SslRef { } #[corresponds(SSL_add1_chain_cert)] #[cfg(ossl102)] - pub fn add_chain_cert_pem(&mut self, chain: &[u8]) -> Result<(), ErrorStack> { - let cert = X509::from_pem(chain)?; - let ret = unsafe { ffi::SSL_add1_chain_cert(self.as_ptr(), cert.as_ptr() as *mut _) }; + pub fn add_chain_cert_pem(&mut self, chain: X509) -> Result<(), ErrorStack> { + let ret = unsafe { ffi::SSL_add1_chain_cert(self.as_ptr(), chain.as_ptr() as *mut _) }; if ret == 1 { Ok(()) } else { diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index aa29233ab3..39734a2f6a 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1417,6 +1417,7 @@ fn session_cache_size() { #[test] fn add_chain_cert_pem() { let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); + let cert = X509::from_pem(CERT).unwrap(); let mut ssl = Ssl::new(&ctx).unwrap(); - assert!(ssl.add_chain_cert_pem(CERT).is_ok()); + assert!(ssl.add_chain_cert_pem(cert).is_ok()); } From 24363b3e429e0f2072a14571a6f33e7f76a6887e Mon Sep 17 00:00:00 2001 From: iamwwc Date: Mon, 5 Dec 2022 16:26:17 +0800 Subject: [PATCH 049/341] test cfg. rename --- openssl/src/ssl/mod.rs | 2 +- openssl/src/ssl/test/mod.rs | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 460ef63fad..4016943802 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3106,7 +3106,7 @@ impl SslRef { } #[corresponds(SSL_add1_chain_cert)] #[cfg(ossl102)] - pub fn add_chain_cert_pem(&mut self, chain: X509) -> Result<(), ErrorStack> { + pub fn add_chain_cert(&mut self, chain: X509) -> Result<(), ErrorStack> { let ret = unsafe { ffi::SSL_add1_chain_cert(self.as_ptr(), chain.as_ptr() as *mut _) }; if ret == 1 { Ok(()) diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 39734a2f6a..dc9cc78527 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1415,9 +1415,10 @@ fn session_cache_size() { } #[test] -fn add_chain_cert_pem() { +#[cfg(ossl102)] +fn add_chain_cert() { let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); let cert = X509::from_pem(CERT).unwrap(); let mut ssl = Ssl::new(&ctx).unwrap(); - assert!(ssl.add_chain_cert_pem(cert).is_ok()); + assert!(ssl.add_chain_cert(cert).is_ok()); } From a1b82a2d837ede8f221964c0bbec79f635ea0f23 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 6 Dec 2022 07:37:00 -0500 Subject: [PATCH 050/341] Release openssl-sys v0.9.79 --- openssl-sys/CHANGELOG.md | 11 ++++++++++- openssl-sys/Cargo.toml | 2 +- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 0c549f6117..ec815325f7 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,13 @@ ## [Unreleased] +## [v0.9.79] - 2022-12-06 + +### Added + +* Added `EVP_CIPHER_CTX_num`. +* Added `X509_LOOKUP_file` and `X509_load_cert_file`. + ## [v0.9.78] - 2022-11-23 ### Added @@ -350,7 +357,9 @@ * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.77..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.79..master +[v0.9.79]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.78...openssl-sys-v0.9.79 +[v0.9.78]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.77...openssl-sys-v0.9.78 [v0.9.77]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.76...openssl-sys-v0.9.77 [v0.9.76]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.75...openssl-sys-v0.9.76 [v0.9.75]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.74...openssl-sys-v0.9.75 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index ee1a57cd19..de6b33e80b 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.78" +version = "0.9.79" authors = [ "Alex Crichton ", "Steven Fackler ", From e0b937c48ddf9532fcd76c12e4b5d7879762c11d Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 6 Dec 2022 07:41:51 -0500 Subject: [PATCH 051/341] Release openssl v0.10.44 --- openssl/CHANGELOG.md | 11 ++++++++++- openssl/Cargo.toml | 4 ++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 31564986e0..f66bcb7501 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,14 @@ ## [Unreleased] +## [v0.10.44] - 2022-12-06 + +### Added + +* Added `CipherCtxRef::num`, `CipherCtxRef::minimal_output_size`, and `CipherCtxRef::cipher_update_unchecked`. +* Improved output buffer size checks in `CipherCtxRef::cipher_update`. +* Added `X509Lookup::file` and `X509LookupRef::load_cert_file`. + ## [v0.10.43] - 2022-11-23 ### Added @@ -641,7 +649,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.43...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.44...master +[v0.10.44]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.44...openssl-v0.10.44 [v0.10.43]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.42...openssl-v0.10.43 [v0.10.42]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.41...openssl-v0.10.42 [v0.10.41]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.40...openssl-v0.10.41 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index b6204e4490..03f621eddd 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.43" +version = "0.10.44" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.78", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.79", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 230050f00417dd84c558be653b0afbd625ce2da9 Mon Sep 17 00:00:00 2001 From: Alex Date: Thu, 8 Dec 2022 20:13:41 +0200 Subject: [PATCH 052/341] build: harden ci.yml permissions Signed-off-by: Alex --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9090ca194d..e4aeee0c9b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,6 +16,9 @@ concurrency: group: ${{ github.ref }} cancel-in-progress: true +permissions: + contents: read # to fetch code (actions/checkout) + jobs: rustfmt: name: rustfmt From 5aadcab921fb277a3cc620d822cb7f7d5565d5a8 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 11 Dec 2022 08:11:17 -0500 Subject: [PATCH 053/341] cleanup --- openssl-sys/src/ssl.rs | 5 +++-- openssl/src/ssl/mod.rs | 12 ++++++------ 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs index e38aa367f9..9e3956bf2c 100644 --- a/openssl-sys/src/ssl.rs +++ b/openssl-sys/src/ssl.rs @@ -408,9 +408,10 @@ cfg_if! { } } } + #[cfg(ossl102)] -pub unsafe fn SSL_add1_chain_cert(ssl: *mut ::SSL, ptr: *mut c_void) -> c_long { - SSL_ctrl(ssl, SSL_CTRL_CHAIN_CERT, 1, ptr) +pub unsafe fn SSL_add0_chain_cert(ssl: *mut ::SSL, ptr: *mut X509) -> c_long { + SSL_ctrl(ssl, SSL_CTRL_CHAIN_CERT, 0, ptr as *mut c_void) } #[cfg(ossl102)] diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 4016943802..89a380e072 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3104,15 +3104,15 @@ impl SslRef { } } } - #[corresponds(SSL_add1_chain_cert)] + + #[corresponds(SSL_add0_chain_cert)] #[cfg(ossl102)] pub fn add_chain_cert(&mut self, chain: X509) -> Result<(), ErrorStack> { - let ret = unsafe { ffi::SSL_add1_chain_cert(self.as_ptr(), chain.as_ptr() as *mut _) }; - if ret == 1 { - Ok(()) - } else { - Err(ErrorStack::get()) + unsafe { + cvt(ffi::SSL_add0_chain_cert(self.as_ptr(), chain.as_ptr()) as c_int).map(|_| ())?; + mem::forget(chain); } + Ok(()) } } From 3f2563f6eaec658e7288eb972792bd5ffff29011 Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Tue, 13 Dec 2022 15:16:09 +0100 Subject: [PATCH 054/341] Add get_security_bits for PKey Signed-off-by: Steffen Eiden --- openssl-sys/src/handwritten/evp.rs | 8 ++++++++ openssl/src/pkey.rs | 17 +++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index a85d628ade..535b2d5f5d 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -402,6 +402,7 @@ cfg_if! { extern "C" { pub fn EVP_PKEY_get_id(pkey: *const EVP_PKEY) -> c_int; pub fn EVP_PKEY_get_bits(key: *const EVP_PKEY) -> c_int; + pub fn EVP_PKEY_get_security_bits(key: *const EVP_PKEY) -> c_int; } #[inline] @@ -413,6 +414,12 @@ cfg_if! { pub unsafe fn EVP_PKEY_bits(pkey: *const EVP_PKEY) -> c_int { EVP_PKEY_get_bits(pkey) } + + #[inline] + pub unsafe fn EVP_PKEY_security_bits(pkey: *const EVP_PKEY) -> c_int { + EVP_PKEY_get_security_bits(pkey) + } + } else { extern "C" { pub fn EVP_PKEY_id(pkey: *const EVP_PKEY) -> c_int; @@ -420,6 +427,7 @@ cfg_if! { const_ptr_api! { extern "C" { pub fn EVP_PKEY_bits(key: #[const_ptr_if(any(ossl110, libressl280))] EVP_PKEY) -> c_int; + pub fn EVP_PKEY_security_bits(pkey: #[const_ptr_if(any(ossl110, libressl280))] EVP_PKEY) -> c_int; } } } diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 7d438ebadc..ef26c68aaa 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -229,6 +229,14 @@ where unsafe { ffi::EVP_PKEY_bits(self.as_ptr()) as u32 } } + ///Returns the number of security bits. + /// + ///Bits of security is defined in NIST SP800-57. + #[corresponds(EVP_PKEY_security_bits)] + pub fn security_bits(&self) -> u32 { + unsafe { ffi::EVP_PKEY_security_bits(self.as_ptr()) as u32 } + } + /// Compares the public component of this key with another. #[corresponds(EVP_PKEY_cmp)] pub fn public_eq(&self, other: &PKeyRef) -> bool @@ -1018,6 +1026,15 @@ mod tests { assert_eq!(ec_key.private_key(), ec_key_.private_key()); } + #[test] + fn test_security_bits() { + let group = crate::ec::EcGroup::from_curve_name(crate::nid::Nid::SECP521R1).unwrap(); + let ec_key = EcKey::generate(&group).unwrap(); + let pkey: PKey = ec_key.clone().try_into().unwrap(); + + assert_eq!(pkey.security_bits(), 256); + } + #[test] #[cfg(not(boringssl))] fn test_dh_conversion() { From 632ed2bee9f78a5e7423e9251829d6f87f5bccec Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Thu, 15 Dec 2022 13:35:50 +0100 Subject: [PATCH 055/341] fixup! Add get_security_bits for PKey --- openssl-sys/src/evp.rs | 5 +++++ openssl/src/pkey.rs | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index fc3003f7bd..9db924ea53 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -143,6 +143,11 @@ cfg_if! { pub unsafe fn EVP_PKEY_bits(pkey: *const EVP_PKEY) -> c_int { EVP_PKEY_get_bits(pkey) } + + #[inline] + pub unsafe fn EVP_PKEY_security_bits(pkey: *const EVP_PKEY) -> c_int { + EVP_PKEY_get_security_bits(pkey) + } } } diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index ef26c68aaa..62cc71bdad 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -1030,7 +1030,7 @@ mod tests { fn test_security_bits() { let group = crate::ec::EcGroup::from_curve_name(crate::nid::Nid::SECP521R1).unwrap(); let ec_key = EcKey::generate(&group).unwrap(); - let pkey: PKey = ec_key.clone().try_into().unwrap(); + let pkey: PKey = ec_key.try_into().unwrap(); assert_eq!(pkey.security_bits(), 256); } From 4ad1ee6c57055da60201a10fc61b9e229eb8de55 Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Thu, 15 Dec 2022 15:57:22 +0100 Subject: [PATCH 056/341] fixup! EVP_PKEY_security_bits --- openssl-sys/src/handwritten/evp.rs | 1 + openssl/src/pkey.rs | 1 + 2 files changed, 2 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 535b2d5f5d..8bc9675ecd 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -427,6 +427,7 @@ cfg_if! { const_ptr_api! { extern "C" { pub fn EVP_PKEY_bits(key: #[const_ptr_if(any(ossl110, libressl280))] EVP_PKEY) -> c_int; + #[cfg(ossl110)] pub fn EVP_PKEY_security_bits(pkey: #[const_ptr_if(any(ossl110, libressl280))] EVP_PKEY) -> c_int; } } diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 62cc71bdad..dd2af2f36f 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -233,6 +233,7 @@ where /// ///Bits of security is defined in NIST SP800-57. #[corresponds(EVP_PKEY_security_bits)] + #[cfg(ossl110)] pub fn security_bits(&self) -> u32 { unsafe { ffi::EVP_PKEY_security_bits(self.as_ptr()) as u32 } } From afe7f9ad376cfb515925bd7d303e3dfe9ba0d704 Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Thu, 15 Dec 2022 16:05:02 +0100 Subject: [PATCH 057/341] fixup! Add get_security_bits for PKey --- openssl/src/pkey.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index dd2af2f36f..1d2e68aea8 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -1028,6 +1028,7 @@ mod tests { } #[test] + #[cfg(ossl110)] fn test_security_bits() { let group = crate::ec::EcGroup::from_curve_name(crate::nid::Nid::SECP521R1).unwrap(); let ec_key = EcKey::generate(&group).unwrap(); From f9f4d6565c60a9b11df928aec3756c0f514a54f7 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 15 Dec 2022 20:05:00 -0500 Subject: [PATCH 058/341] clippy --- openssl/src/asn1.rs | 2 +- openssl/src/bn.rs | 1 + openssl/src/conf.rs | 1 + openssl/src/rsa.rs | 1 + openssl/src/ssl/callbacks.rs | 4 ++-- openssl/src/ssl/mod.rs | 4 ++-- openssl/src/x509/tests.rs | 1 + 7 files changed, 9 insertions(+), 5 deletions(-) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 7f936837db..b02f9ac41e 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -512,7 +512,7 @@ impl Asn1Integer { } impl Asn1IntegerRef { - #[allow(missing_docs)] + #[allow(missing_docs, clippy::unnecessary_cast)] #[deprecated(since = "0.10.6", note = "use to_bn instead")] pub fn get(&self) -> i64 { unsafe { ffi::ASN1_INTEGER_get(self.as_ptr()) as i64 } diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index 2619b5ba63..8f0e350755 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -336,6 +336,7 @@ impl BigNumRef { /// Returns the number of significant bits in `self`. #[corresponds(BN_num_bits)] + #[allow(clippy::unnecessary_cast)] pub fn num_bits(&self) -> i32 { unsafe { ffi::BN_num_bits(self.as_ptr()) as i32 } } diff --git a/openssl/src/conf.rs b/openssl/src/conf.rs index 2c54cf28d0..715519c595 100644 --- a/openssl/src/conf.rs +++ b/openssl/src/conf.rs @@ -20,6 +20,7 @@ mod methods { impl ConfMethod { /// Retrieve handle to the default OpenSSL configuration file processing function. #[corresponds(NCONF_default)] + #[allow(clippy::should_implement_trait)] pub fn default() -> ConfMethod { unsafe { ffi::init(); diff --git a/openssl/src/rsa.rs b/openssl/src/rsa.rs index b5d096744a..68cf64b036 100644 --- a/openssl/src/rsa.rs +++ b/openssl/src/rsa.rs @@ -234,6 +234,7 @@ where /// Validates RSA parameters for correctness #[corresponds(RSA_check_key)] + #[allow(clippy::unnecessary_cast)] pub fn check_key(&self) -> Result { unsafe { let result = ffi::RSA_check_key(self.as_ptr()) as i32; diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index 45760dc66a..091b1fb771 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs @@ -482,7 +482,7 @@ where .ssl_context() .ex_data(SslContext::cached_ex_index::()) .expect("BUG: stateless cookie verify callback missing") as *const F; - let slice = slice::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len as usize); + let slice = slice::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len); (*callback)(ssl, slice) as c_int } @@ -654,7 +654,7 @@ where .ex_data(SslContext::cached_ex_index::()) .expect("BUG: custom ext parse callback missing") as *const F; let ectx = ExtensionContext::from_bits_truncate(context); - let slice = slice::from_raw_parts(input as *const u8, inlen as usize); + let slice = slice::from_raw_parts(input as *const u8, inlen); let cert = if ectx.contains(ExtensionContext::TLS1_3_CERTIFICATE) { Some((chainidx, X509Ref::from_ptr(x))) } else { diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 89a380e072..aba606248f 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -1867,7 +1867,7 @@ impl SslContextRef { /// /// A value of 0 means that the cache size is unbounded. #[corresponds(SSL_CTX_sess_get_cache_size)] - #[allow(clippy::useless_conversion)] + #[allow(clippy::unnecessary_cast)] pub fn session_cache_size(&self) -> i64 { unsafe { ffi::SSL_CTX_sess_get_cache_size(self.as_ptr()) as i64 } } @@ -3289,7 +3289,7 @@ impl SslStream { ) }; if ret > 0 { - Ok(written as usize) + Ok(written) } else { Err(self.make_error(ret)) } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 33d6f4f1e9..336de3c914 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -634,6 +634,7 @@ fn test_verify_param_set_depth() { #[test] #[cfg(any(ossl102, libressl261))] +#[allow(clippy::bool_to_int_with_if)] fn test_verify_param_set_depth_fails_verification() { let cert = include_bytes!("../../test/leaf.pem"); let cert = X509::from_pem(cert).unwrap(); From cc811f5fd17ee808cbde4ff30cb84762e52fa371 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Fri, 16 Dec 2022 21:20:46 -0500 Subject: [PATCH 059/341] Add to CI/unblock LibreSSL 3.7.0 --- .github/workflows/ci.yml | 10 ++++++++++ openssl-sys/build/main.rs | 3 ++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e4aeee0c9b..57728778f7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -187,6 +187,11 @@ jobs: library: name: libressl version: 3.6.1 + - target: x86_64-unknown-linux-gnu + bindgen: true + library: + name: libressl + version: 3.7.0 - target: x86_64-unknown-linux-gnu bindgen: false library: @@ -202,6 +207,11 @@ jobs: library: name: libressl version: 3.6.1 + - target: x86_64-unknown-linux-gnu + bindgen: false + library: + name: libressl + version: 3.7.0 exclude: - library: name: boringssl diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 71b36c2309..cdea3eb447 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -282,6 +282,7 @@ See rust-openssl documentation for more information: (3, 5, _) => ('3', '5', 'x'), (3, 6, 0) => ('3', '6', '0'), (3, 6, _) => ('3', '6', 'x'), + (3, 7, 0) => ('3', '7', '0'), _ => version_error(), }; @@ -324,7 +325,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.6.x, but a different version of OpenSSL was found. The build is now aborting +through 3.7.0, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " From 8178f3b38ab098e989846a01a560e26207f870b8 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Fri, 16 Dec 2022 21:42:52 -0500 Subject: [PATCH 060/341] Add LibreSSL 3.7.0 build cfg --- openssl-sys/build/cfgs.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index 9ae7748cc6..6e1e5286a1 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -43,6 +43,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x3_05_00_00_0 { cfgs.push("libressl350"); } + if libressl_version >= 0x3_07_00_00_0 { + cfgs.push("libressl370"); + } } else { let openssl_version = openssl_version.unwrap(); From fda7d92f033d5bcbba69850c27148869f01e5745 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Fri, 16 Dec 2022 21:43:31 -0500 Subject: [PATCH 061/341] X509_V_FLAG_CB_ISSUER_CHECK deprecated in LibreSSL 3.7.0 --- openssl-sys/src/x509_vfy.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/x509_vfy.rs b/openssl-sys/src/x509_vfy.rs index 8deaeeaaf3..455a748b52 100644 --- a/openssl-sys/src/x509_vfy.rs +++ b/openssl-sys/src/x509_vfy.rs @@ -100,9 +100,9 @@ cfg_if! { #[cfg(ossl300)] pub const X509_V_ERR_INVALID_CA: c_int = 79; -#[cfg(not(ossl110))] +#[cfg(not(any(ossl110, libressl370)))] pub const X509_V_FLAG_CB_ISSUER_CHECK: c_ulong = 0x1; -#[cfg(ossl110)] +#[cfg(any(ossl110, libressl370))] pub const X509_V_FLAG_CB_ISSUER_CHECK: c_ulong = 0x0; pub const X509_V_FLAG_USE_CHECK_TIME: c_ulong = 0x2; pub const X509_V_FLAG_CRL_CHECK: c_ulong = 0x4; From b99d7265430420b63b71baf01cbc23088e10ee2c Mon Sep 17 00:00:00 2001 From: Max Lim Date: Sat, 17 Dec 2022 19:59:47 +0300 Subject: [PATCH 062/341] Add OSSL_PROVIDER_set_default_search_path binding --- openssl-sys/src/handwritten/provider.rs | 5 +++++ openssl/src/provider.rs | 18 +++++++++++++++++- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/provider.rs b/openssl-sys/src/handwritten/provider.rs index ffa7cc580e..93eaa072f3 100644 --- a/openssl-sys/src/handwritten/provider.rs +++ b/openssl-sys/src/handwritten/provider.rs @@ -12,4 +12,9 @@ extern "C" { ) -> *mut OSSL_PROVIDER; #[cfg(ossl300)] pub fn OSSL_PROVIDER_unload(prov: *mut OSSL_PROVIDER) -> c_int; + #[cfg(ossl300)] + pub fn OSSL_PROVIDER_set_default_search_path( + ctx: *mut OSSL_LIB_CTX, + path: *const c_char, + ) -> c_int; } diff --git a/openssl/src/provider.rs b/openssl/src/provider.rs index 72d54f41dc..147fadfdbc 100644 --- a/openssl/src/provider.rs +++ b/openssl/src/provider.rs @@ -1,6 +1,6 @@ -use crate::cvt_p; use crate::error::ErrorStack; use crate::lib_ctx::LibCtxRef; +use crate::{cvt, cvt_p}; use foreign_types::{ForeignType, ForeignTypeRef}; use openssl_macros::corresponds; use std::ffi::CString; @@ -58,4 +58,20 @@ impl Provider { Ok(Provider::from_ptr(p)) } } + + /// Specifies the default search path that is to be used for looking for providers in the specified library context. + /// If left unspecified, an environment variable and a fall back default value will be used instead + /// + /// If `ctx` is `None`, the provider will be loaded into the default library context. + #[corresponds(OSSL_PROVIDER_set_default_search_path)] + pub fn set_default_search_path(ctx: Option<&LibCtxRef>, path: &str) -> Result<(), ErrorStack> { + let path = CString::new(path).unwrap(); + unsafe { + cvt(ffi::OSSL_PROVIDER_set_default_search_path( + ctx.map_or(ptr::null_mut(), ForeignTypeRef::as_ptr), + path.as_ptr(), + )) + .map(|_| ()) + } + } } From e01fbac4b3c98fca47c9b16d58aed329dd4d72b6 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Mon, 19 Dec 2022 19:55:29 -0500 Subject: [PATCH 063/341] openssl-sys: add LibreSSL 3.6.0 to cfgs --- openssl-sys/build/cfgs.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index 6e1e5286a1..d925d90ad7 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -43,6 +43,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x3_05_00_00_0 { cfgs.push("libressl350"); } + if libressl_version >= 0x3_06_00_00_0 { + cfgs.push("libressl360"); + } if libressl_version >= 0x3_07_00_00_0 { cfgs.push("libressl370"); } From 0d8d5022583bb585b6cfe028c344113ecf1b77bc Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Mon, 19 Dec 2022 19:57:58 -0500 Subject: [PATCH 064/341] Expose EVP_PKEY_security_bits for LibreSSL 3.6.0 and later --- openssl-sys/src/handwritten/evp.rs | 2 +- openssl/src/pkey.rs | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 8bc9675ecd..5ee017f7d1 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -427,7 +427,7 @@ cfg_if! { const_ptr_api! { extern "C" { pub fn EVP_PKEY_bits(key: #[const_ptr_if(any(ossl110, libressl280))] EVP_PKEY) -> c_int; - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn EVP_PKEY_security_bits(pkey: #[const_ptr_if(any(ossl110, libressl280))] EVP_PKEY) -> c_int; } } diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 1d2e68aea8..2039e7e908 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -233,7 +233,7 @@ where /// ///Bits of security is defined in NIST SP800-57. #[corresponds(EVP_PKEY_security_bits)] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn security_bits(&self) -> u32 { unsafe { ffi::EVP_PKEY_security_bits(self.as_ptr()) as u32 } } @@ -1028,7 +1028,7 @@ mod tests { } #[test] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] fn test_security_bits() { let group = crate::ec::EcGroup::from_curve_name(crate::nid::Nid::SECP521R1).unwrap(); let ec_key = EcKey::generate(&group).unwrap(); From 71013f7efd637ca9fec214f6cb80e8806f3208af Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Tue, 20 Dec 2022 12:31:27 +0100 Subject: [PATCH 065/341] Fix output buffer check introduced in #1733 Sadly the condition used to relax output buffer checks that depended on the `num` parameter does not really hold so this change effectively reverts PR #1733. As clarified on the OpenSSL mailing list [0] and during integration tests the `num` parameter does not reflect the internal buffer cache size thus one needs to pessimistically assume that each call to `cipher_update` will need sufficient size to contain one additional block. Streaming ciphers are not affected by this revert. [0]: https://mta.openssl.org/pipermail/openssl-users/2022-December/015727.html --- openssl/src/cipher_ctx.rs | 155 +++----------------------------------- 1 file changed, 10 insertions(+), 145 deletions(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index c0377d969b..d09f8cbd50 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -379,49 +379,6 @@ impl CipherCtxRef { unsafe { ffi::EVP_CIPHER_CTX_num(self.as_ptr()) as usize } } - /// Returns number of bytes cached in partial block update. - #[cfg(ossl110)] - fn used_block_size(&self) -> usize { - self.num() - } - - /// Returns maximum number of bytes that could be cached. - #[cfg(not(ossl110))] - fn used_block_size(&self) -> usize { - self.block_size() - } - - /// Calculate the minimal size of the output buffer given the - /// input buffer size. - /// - /// For streaming ciphers the minimal output size is the same as - /// the input size. For block ciphers the minimal output size - /// additionally depends on the partial blocks that might have - /// been written in previous calls to [`Self::cipher_update`]. - /// - /// This function takes into account the number of partially - /// written blocks for block ciphers for supported targets - /// (OpenSSL >= 1.1). For unsupported targets the number of - /// partially written bytes is assumed to contain one full block - /// (pessimistic case). - /// - /// # Panics - /// - /// Panics if the context has not been initialized with a cipher. - pub fn minimal_output_size(&self, inlen: usize) -> usize { - let block_size = self.block_size(); - if block_size > 1 { - // block cipher - let num = self.used_block_size(); - let total_size = inlen + num; - let num_blocks = total_size / block_size; - num_blocks * block_size - } else { - // streaming cipher - inlen - } - } - /// Sets the length of the IV expected by this context. /// /// Only some ciphers support configurable IV lengths. @@ -569,7 +526,11 @@ impl CipherCtxRef { output: Option<&mut [u8]>, ) -> Result { if let Some(output) = &output { - let min_output_size = self.minimal_output_size(input.len()); + let mut block_size = self.block_size(); + if block_size == 1 { + block_size = 0; + } + let min_output_size = input.len() + block_size; assert!( output.len() >= min_output_size, "Output buffer size should be at least {} bytes.", @@ -588,16 +549,13 @@ impl CipherCtxRef { /// /// This function is the same as [`Self::cipher_update`] but with the /// output size check removed. It can be used when the exact - /// buffer size control is maintained by the caller and the - /// underlying cryptographic library doesn't expose exact block - /// cache data (e.g. OpenSSL < 1.1, BoringSSL, LibreSSL). + /// buffer size control is maintained by the caller. /// /// SAFETY: The caller is expected to provide `output` buffer /// large enough to contain correct number of bytes. For streaming /// ciphers the output buffer size should be at least as big as /// the input buffer. For block ciphers the size of the output - /// buffer depends on the state of partially updated blocks (see - /// [`Self::minimal_output_size`]). + /// buffer depends on the state of partially updated blocks. #[corresponds(EVP_CipherUpdate)] pub unsafe fn cipher_update_unchecked( &mut self, @@ -757,75 +715,6 @@ mod test { aes_128_cbc(cipher); } - #[test] - #[cfg(ossl110)] - fn partial_block_updates() { - test_block_cipher_for_partial_block_updates(Cipher::aes_128_cbc()); - test_block_cipher_for_partial_block_updates(Cipher::aes_256_cbc()); - test_block_cipher_for_partial_block_updates(Cipher::des_ede3_cbc()); - } - - #[cfg(ossl110)] - fn test_block_cipher_for_partial_block_updates(cipher: &'static CipherRef) { - let mut key = vec![0; cipher.key_length()]; - rand_bytes(&mut key).unwrap(); - let mut iv = vec![0; cipher.iv_length()]; - rand_bytes(&mut iv).unwrap(); - - let mut ctx = CipherCtx::new().unwrap(); - - ctx.encrypt_init(Some(cipher), Some(&key), Some(&iv)) - .unwrap(); - ctx.set_padding(false); - - let block_size = cipher.block_size(); - assert!(block_size > 1, "Need a block cipher, not a stream cipher"); - - // update cipher with non-full block - // expect no output until a block is complete - let outlen = ctx - .cipher_update(&vec![0; block_size - 1], Some(&mut [0; 0])) - .unwrap(); - assert_eq!(0, outlen); - - // update cipher with missing bytes from the previous block - // and one additional block, output should contain two blocks - let mut two_blocks = vec![0; block_size * 2]; - let outlen = ctx - .cipher_update(&vec![0; block_size + 1], Some(&mut two_blocks)) - .unwrap(); - assert_eq!(block_size * 2, outlen); - - ctx.cipher_final_vec(&mut vec![0; 0]).unwrap(); - - // try to decrypt - ctx.decrypt_init(Some(cipher), Some(&key), Some(&iv)) - .unwrap(); - ctx.set_padding(false); - - // update cipher with non-full block - // expect no output until a block is complete - let outlen = ctx - .cipher_update(&two_blocks[0..block_size - 1], Some(&mut [0; 0])) - .unwrap(); - assert_eq!(0, outlen); - - // update cipher with missing bytes from the previous block - // and one additional block, output should contain two blocks - let mut two_blocks_decrypted = vec![0; block_size * 2]; - let outlen = ctx - .cipher_update( - &two_blocks[block_size - 1..], - Some(&mut two_blocks_decrypted), - ) - .unwrap(); - assert_eq!(block_size * 2, outlen); - - ctx.cipher_final_vec(&mut vec![0; 0]).unwrap(); - // check if the decrypted blocks are the same as input (all zeros) - assert_eq!(two_blocks_decrypted, vec![0; block_size * 2]); - } - #[test] fn test_stream_ciphers() { test_stream_cipher(Cipher::aes_192_ctr()); @@ -894,43 +783,19 @@ mod test { } #[test] - #[should_panic(expected = "Output buffer size should be at least 16 bytes.")] - #[cfg(ossl110)] - fn full_block_updates_aes_128() { - output_buffer_too_small(Cipher::aes_128_cbc()); - } - - #[test] - #[should_panic(expected = "Output buffer size should be at least 16 bytes.")] - #[cfg(ossl110)] - fn full_block_updates_aes_256() { - output_buffer_too_small(Cipher::aes_256_cbc()); - } - - #[test] - #[should_panic(expected = "Output buffer size should be at least 8 bytes.")] - #[cfg(ossl110)] - fn full_block_updates_3des() { - output_buffer_too_small(Cipher::des_ede3_cbc()); - } - - #[test] - #[should_panic(expected = "Output buffer size should be at least 32 bytes.")] - #[cfg(not(ossl110))] + #[should_panic(expected = "Output buffer size should be at least 33 bytes.")] fn full_block_updates_aes_128() { output_buffer_too_small(Cipher::aes_128_cbc()); } #[test] - #[should_panic(expected = "Output buffer size should be at least 32 bytes.")] - #[cfg(not(ossl110))] + #[should_panic(expected = "Output buffer size should be at least 33 bytes.")] fn full_block_updates_aes_256() { output_buffer_too_small(Cipher::aes_256_cbc()); } #[test] - #[should_panic(expected = "Output buffer size should be at least 16 bytes.")] - #[cfg(not(ossl110))] + #[should_panic(expected = "Output buffer size should be at least 17 bytes.")] fn full_block_updates_3des() { output_buffer_too_small(Cipher::des_ede3_cbc()); } From 45e5dce285f189e23f941ac890e17277a5112adc Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Tue, 20 Dec 2022 13:33:09 +0100 Subject: [PATCH 066/341] Expose `Cipher::cipher_final_unchecked` This mirrors the `Cipher::cipher_update_unchecked` API call for clients that want to manually track the state of internal OpenSSL cipher buffer size. --- openssl/src/cipher_ctx.rs | 34 +++++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index d09f8cbd50..379f83a7ba 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -607,14 +607,34 @@ impl CipherCtxRef { assert!(output.len() >= block_size); } + unsafe { self.cipher_final_unchecked(output) } + } + + /// Finalizes the encryption or decryption process. + /// + /// Any remaining data will be written to the output buffer. + /// + /// Returns the number of bytes written to `output`. + /// + /// This function is the same as [`Self::cipher_final`] but with + /// the output buffer size check removed. + /// + /// SAFETY: The caller is expected to provide `output` buffer + /// large enough to contain correct number of bytes. For streaming + /// ciphers the output buffer can be empty, for block ciphers the + /// output buffer should be at least as big as the block. + #[corresponds(EVP_CipherFinal)] + pub unsafe fn cipher_final_unchecked( + &mut self, + output: &mut [u8], + ) -> Result { let mut outl = 0; - unsafe { - cvt(ffi::EVP_CipherFinal( - self.as_ptr(), - output.as_mut_ptr(), - &mut outl, - ))?; - } + + cvt(ffi::EVP_CipherFinal( + self.as_ptr(), + output.as_mut_ptr(), + &mut outl, + ))?; Ok(outl as usize) } From 27edce934080430fbdd9da108dea4807494233aa Mon Sep 17 00:00:00 2001 From: Cfir Tsabari Date: Tue, 20 Dec 2022 15:30:33 +0200 Subject: [PATCH 067/341] Mark Openssl # deprecated functions --- openssl-sys/src/handwritten/aes.rs | 1 + openssl-sys/src/handwritten/bn.rs | 4 ++++ openssl/src/aes.rs | 4 +++- openssl/src/bn.rs | 7 +++++++ 4 files changed, 15 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/aes.rs b/openssl-sys/src/handwritten/aes.rs index 241848eccf..884f9d7242 100644 --- a/openssl-sys/src/handwritten/aes.rs +++ b/openssl-sys/src/handwritten/aes.rs @@ -12,6 +12,7 @@ extern "C" { pub fn AES_set_encrypt_key(userKey: *const c_uchar, bits: c_int, key: *mut AES_KEY) -> c_int; pub fn AES_set_decrypt_key(userKey: *const c_uchar, bits: c_int, key: *mut AES_KEY) -> c_int; + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] pub fn AES_ige_encrypt( in_: *const c_uchar, out: *mut c_uchar, diff --git a/openssl-sys/src/handwritten/bn.rs b/openssl-sys/src/handwritten/bn.rs index d523f24d34..8e5ae153dd 100644 --- a/openssl-sys/src/handwritten/bn.rs +++ b/openssl-sys/src/handwritten/bn.rs @@ -7,8 +7,10 @@ extern "C" { pub fn BN_CTX_secure_new() -> *mut BN_CTX; pub fn BN_CTX_free(ctx: *mut BN_CTX); pub fn BN_rand(r: *mut BIGNUM, bits: c_int, top: c_int, bottom: c_int) -> c_int; + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] pub fn BN_pseudo_rand(r: *mut BIGNUM, bits: c_int, top: c_int, bottom: c_int) -> c_int; pub fn BN_rand_range(r: *mut BIGNUM, range: *const BIGNUM) -> c_int; + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] pub fn BN_pseudo_rand_range(r: *mut BIGNUM, range: *const BIGNUM) -> c_int; pub fn BN_new() -> *mut BIGNUM; #[cfg(ossl110)] @@ -122,12 +124,14 @@ extern "C" { rem: *const BIGNUM, cb: *mut BN_GENCB, ) -> c_int; + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] pub fn BN_is_prime_ex( p: *const BIGNUM, checks: c_int, ctx: *mut BN_CTX, cb: *mut BN_GENCB, ) -> c_int; + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] pub fn BN_is_prime_fasttest_ex( p: *const BIGNUM, checks: c_int, diff --git a/openssl/src/aes.rs b/openssl/src/aes.rs index 440dd05723..cbc4999bb8 100644 --- a/openssl/src/aes.rs +++ b/openssl/src/aes.rs @@ -23,7 +23,7 @@ //! # Examples #![cfg_attr( - not(boringssl), + all(not(boringssl), not(osslconf = "OPENSSL_NO_DEPRECATED_3_0")), doc = r#"\ ## AES IGE ```rust @@ -156,6 +156,7 @@ impl AesKey { /// Panics if `in_` is not the same length as `out`, if that length is not a multiple of 16, or if /// `iv` is not at least 32 bytes. #[cfg(not(boringssl))] +#[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] #[corresponds(AES_ige_encrypt)] pub fn aes_ige(in_: &[u8], out: &mut [u8], key: &AesKey, iv: &mut [u8], mode: Mode) { unsafe { @@ -268,6 +269,7 @@ mod test { // From https://www.mgp25.com/AESIGE/ #[test] #[cfg(not(boringssl))] + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] fn ige_vector_1() { let raw_key = "000102030405060708090A0B0C0D0E0F"; let raw_iv = "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"; diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index 8f0e350755..1cd00dd4bc 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -217,6 +217,7 @@ impl BigNumRef { } /// The cryptographically weak counterpart to `rand_in_range`. + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] #[corresponds(BN_pseudo_rand_range)] pub fn pseudo_rand_range(&self, rnd: &mut BigNumRef) -> Result<(), ErrorStack> { unsafe { cvt(ffi::BN_pseudo_rand_range(rnd.as_ptr(), self.as_ptr())).map(|_| ()) } @@ -385,6 +386,7 @@ impl BigNumRef { } /// The cryptographically weak counterpart to `rand`. Not suitable for key generation. + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] #[corresponds(BN_pseudo_rand)] #[allow(clippy::useless_conversion)] pub fn pseudo_rand(&mut self, bits: i32, msb: MsbOption, odd: bool) -> Result<(), ErrorStack> { @@ -722,6 +724,7 @@ impl BigNumRef { /// # Return Value /// /// Returns `true` if `self` is prime with an error probability of less than `0.25 ^ checks`. + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] #[corresponds(BN_is_prime_ex)] #[allow(clippy::useless_conversion)] pub fn is_prime(&self, checks: i32, ctx: &mut BigNumContextRef) -> Result { @@ -745,6 +748,7 @@ impl BigNumRef { /// # Return Value /// /// Returns `true` if `self` is prime with an error probability of less than `0.25 ^ checks`. + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] #[corresponds(BN_is_prime_fasttest_ex)] #[allow(clippy::useless_conversion)] pub fn is_prime_fasttest( @@ -1388,6 +1392,7 @@ mod tests { assert_eq!(a, &(&a << 1) >> 1); } + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] #[test] fn test_rand_range() { let range = BigNum::from_u32(909_829_283).unwrap(); @@ -1396,6 +1401,7 @@ mod tests { assert!(result >= BigNum::from_u32(0).unwrap() && result < range); } + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] #[test] fn test_pseudo_rand_range() { let range = BigNum::from_u32(909_829_283).unwrap(); @@ -1404,6 +1410,7 @@ mod tests { assert!(result >= BigNum::from_u32(0).unwrap() && result < range); } + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] #[test] fn test_prime_numbers() { let a = BigNum::from_u32(19_029_017).unwrap(); From f32af9f4aac5d4a29b48c7782fcdd1a219a3fc64 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 20 Dec 2022 09:36:23 -0500 Subject: [PATCH 068/341] Release openssl-sys v0.9.80 --- openssl-sys/CHANGELOG.md | 16 +++++++++++++++- openssl-sys/Cargo.toml | 2 +- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index ec815325f7..1bf8690dbe 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,19 @@ ## [Unreleased] +## [v0.9.80] - 2022-12-20 + +### Fixed + +* Added `NO_DEPRECATED_3_0` cfg checks for more APIs. + +### Added + +* Added support for LibreSSL 3.7.0. +* Added `SSL_CTRL_CHAIN_CERT` and `SSL_add0_chain_cert`. +* Added `EVP_PKEY_get_security_bits` and `EVP_PKEY_security_bits`. +* Added `OSSL_PROVIDER_set_default_search_path`. + ## [v0.9.79] - 2022-12-06 ### Added @@ -357,7 +370,8 @@ * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.79..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.80..master +[v0.9.80]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.79...openssl-sys-v0.9.80 [v0.9.79]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.78...openssl-sys-v0.9.79 [v0.9.78]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.77...openssl-sys-v0.9.78 [v0.9.77]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.76...openssl-sys-v0.9.77 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index de6b33e80b..d8e4c7661b 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.79" +version = "0.9.80" authors = [ "Alex Crichton ", "Steven Fackler ", From 7df56869c5e1e32369091ab106750d644d3aa0c4 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 20 Dec 2022 09:41:50 -0500 Subject: [PATCH 069/341] Release openssl v0.10.45 --- openssl/CHANGELOG.md | 19 +++++++++++++++++-- openssl/Cargo.toml | 4 ++-- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index f66bcb7501..0af50bcc24 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,20 @@ ## [Unreleased] +## [v0.10.45] - 2022-12-20 + +### Fixed + +* Removed the newly added `CipherCtxRef::minimal_output_size` method, which did not work properly. +* Added `NO_DEPRECATED_3_0` cfg checks for more APIs. + +### Added + +* Added `SslRef::add_chain_cert`. +* Added `PKeyRef::security_bits`. +* Added `Provider::set_default_search_path`. +* Added `CipherCtxRef::cipher_final_unchecked`. + ## [v0.10.44] - 2022-12-06 ### Added @@ -649,8 +663,9 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.44...master -[v0.10.44]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.44...openssl-v0.10.44 +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.45...master +[v0.10.45]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.44...openssl-v0.10.45 +[v0.10.44]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.43...openssl-v0.10.44 [v0.10.43]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.42...openssl-v0.10.43 [v0.10.42]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.41...openssl-v0.10.42 [v0.10.41]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.40...openssl-v0.10.41 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 03f621eddd..1fd24448fd 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.44" +version = "0.10.45" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.79", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.80", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From b0a1102d3bf61727019f55581a8e0c5cc0a41ebb Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Tue, 13 Dec 2022 14:08:43 +0100 Subject: [PATCH 070/341] Add bindings for more X509_VERIFY_PARAM functions Signed-off-by: Steffen Eiden --- openssl-sys/src/handwritten/x509_vfy.rs | 6 ++ openssl-sys/src/x509_vfy.rs | 23 ++++++++ openssl/src/x509/tests.rs | 75 +++++++++++++++++++++++++ openssl/src/x509/verify.rs | 44 +++++++++++++++ 4 files changed, 148 insertions(+) diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs index 632bb9f689..3ebbea697b 100644 --- a/openssl-sys/src/handwritten/x509_vfy.rs +++ b/openssl-sys/src/handwritten/x509_vfy.rs @@ -119,4 +119,10 @@ extern "C" { ip: *const c_uchar, iplen: size_t, ) -> c_int; + #[cfg(ossl110)] + pub fn X509_VERIFY_PARAM_set_auth_level(param: *mut X509_VERIFY_PARAM, lvl: c_int); + #[cfg(ossl110)] + pub fn X509_VERIFY_PARAM_get_auth_level(param: *const X509_VERIFY_PARAM) -> c_int; + #[cfg(ossl102)] + pub fn X509_VERIFY_PARAM_set_purpose(param: *mut X509_VERIFY_PARAM, purpose: c_int) -> c_int; } diff --git a/openssl-sys/src/x509_vfy.rs b/openssl-sys/src/x509_vfy.rs index 455a748b52..ab6cb1afbf 100644 --- a/openssl-sys/src/x509_vfy.rs +++ b/openssl-sys/src/x509_vfy.rs @@ -147,3 +147,26 @@ pub unsafe fn X509_LOOKUP_add_dir( std::ptr::null_mut(), ) } + +#[cfg(ossl102)] +pub const X509_PURPOSE_SSL_CLIENT: c_int = 1; +#[cfg(ossl102)] +pub const X509_PURPOSE_SSL_SERVER: c_int = 2; +#[cfg(ossl102)] +pub const X509_PURPOSE_NS_SSL_SERVER: c_int = 3; +#[cfg(ossl102)] +pub const X509_PURPOSE_SMIME_SIGN: c_int = 4; +#[cfg(ossl102)] +pub const X509_PURPOSE_SMIME_ENCRYPT: c_int = 5; +#[cfg(ossl102)] +pub const X509_PURPOSE_CRL_SIGN: c_int = 6; +#[cfg(ossl102)] +pub const X509_PURPOSE_ANY: c_int = 7; +#[cfg(ossl102)] +pub const X509_PURPOSE_OCSP_HELPER: c_int = 8; +#[cfg(ossl102)] +pub const X509_PURPOSE_TIMESTAMP_SIGN: c_int = 9; +#[cfg(ossl102)] +pub const X509_PURPOSE_MIN: c_int = 1; +#[cfg(ossl102)] +pub const X509_PURPOSE_MAX: c_int = 9; diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 336de3c914..a9de3cc4a1 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -16,6 +16,8 @@ use crate::x509::extension::{ #[cfg(not(boringssl))] use crate::x509::store::X509Lookup; use crate::x509::store::X509StoreBuilder; +#[cfg(ossl102)] +use crate::x509::verify::X509PurposeFlags; #[cfg(any(ossl102, libressl261))] use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; #[cfg(ossl110)] @@ -693,3 +695,76 @@ fn test_load_cert_file() { .init(&store, &cert, &chain, |c| c.verify_cert()) .unwrap()); } + +#[test] +#[cfg(ossl110)] +fn test_verify_param_auth_level() { + let mut param = X509VerifyParam::new().unwrap(); + let auth_lvl = 2; + let auth_lvl_default = -1; + + assert_eq!(param.auth_level(), auth_lvl_default); + + param.set_auth_level(auth_lvl); + assert_eq!(param.auth_level(), auth_lvl); +} + +#[test] +#[cfg(ossl102)] +fn test_set_purpose() { + let cert = include_bytes!("../../test/leaf.pem"); + let cert = X509::from_pem(cert).unwrap(); + let intermediate_ca = include_bytes!("../../test/intermediate-ca.pem"); + let intermediate_ca = X509::from_pem(intermediate_ca).unwrap(); + let ca = include_bytes!("../../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let mut chain = Stack::new().unwrap(); + chain.push(intermediate_ca).unwrap(); + + let mut store_bldr = X509StoreBuilder::new().unwrap(); + store_bldr.add_cert(ca).unwrap(); + let mut verify_params = X509VerifyParam::new().unwrap(); + verify_params.set_purpose(X509PurposeFlags::ANY).unwrap(); + store_bldr.set_param(&verify_params).unwrap(); + let store = store_bldr.build(); + let mut context = X509StoreContext::new().unwrap(); + + assert!(context + .init(&store, &cert, &chain, |c| c.verify_cert()) + .unwrap()); +} + +#[test] +#[cfg(ossl102)] +fn test_set_purpose_fails_verification() { + let cert = include_bytes!("../../test/leaf.pem"); + let cert = X509::from_pem(cert).unwrap(); + let intermediate_ca = include_bytes!("../../test/intermediate-ca.pem"); + let intermediate_ca = X509::from_pem(intermediate_ca).unwrap(); + let ca = include_bytes!("../../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let mut chain = Stack::new().unwrap(); + chain.push(intermediate_ca).unwrap(); + + let mut store_bldr = X509StoreBuilder::new().unwrap(); + store_bldr.add_cert(ca).unwrap(); + let mut verify_params = X509VerifyParam::new().unwrap(); + verify_params + .set_purpose(X509PurposeFlags::TIMESTAMP_SIGN) + .unwrap(); + store_bldr.set_param(&verify_params).unwrap(); + let store = store_bldr.build(); + + let expected_error = "unsupported certificate purpose"; + let mut context = X509StoreContext::new().unwrap(); + assert_eq!( + context + .init(&store, &cert, &chain, |c| { + c.verify_cert()?; + Ok(c.error()) + }) + .unwrap() + .error_string(), + expected_error + ) +} diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index 20dd4bea8d..dbd206e5d5 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -162,4 +162,48 @@ impl X509VerifyParamRef { pub fn set_depth(&mut self, depth: c_int) { unsafe { ffi::X509_VERIFY_PARAM_set_depth(self.as_ptr(), depth) } } + + /// Sets the authentication security level to auth_level + #[corresponds(X509_VERIFY_PARAM_set_auth_level)] + #[cfg(ossl110)] + pub fn set_auth_level(&mut self, lvl: c_int) { + unsafe { ffi::X509_VERIFY_PARAM_set_auth_level(self.as_ptr(), lvl) } + } + + /// Gets the current authentication security level + #[corresponds(X509_VERIFY_PARAM_get_auth_level)] + #[cfg(ossl110)] + pub fn auth_level(&self) -> i32 { + unsafe { ffi::X509_VERIFY_PARAM_get_auth_level(self.as_ptr()) } + } + + /// Sets the verification purpose + #[corresponds(X509_VERIFY_PARAM_set_purpose)] + #[cfg(ossl102)] + pub fn set_purpose(&mut self, purpose: X509PurposeFlags) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::X509_VERIFY_PARAM_set_purpose( + self.as_ptr(), + purpose.bits, + )) + .map(|_| ()) + } + } +} + +#[cfg(ossl102)] +bitflags! { + /// Bitflags defining the purpose of the verification + pub struct X509PurposeFlags: c_int { + const SSL_CLIENT = ffi::X509_PURPOSE_SSL_CLIENT; + const SSL_SERVER = ffi::X509_PURPOSE_SSL_SERVER; + const NS_SSL_SERVER = ffi::X509_PURPOSE_NS_SSL_SERVER; + const SMIME_SIGN = ffi::X509_PURPOSE_SMIME_SIGN; + const SMIME_ENCRYPT = ffi::X509_PURPOSE_SMIME_ENCRYPT; + const CRL_SIGN = ffi::X509_PURPOSE_CRL_SIGN; + const ANY = ffi::X509_PURPOSE_ANY; + const OCSP_HELPER = ffi::X509_PURPOSE_OCSP_HELPER; + const TIMESTAMP_SIGN = ffi::X509_PURPOSE_TIMESTAMP_SIGN; + } + } From 263c7ce1e694a3b2ed16e1d99acbba3cc5280edb Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Tue, 13 Dec 2022 19:15:37 +0100 Subject: [PATCH 071/341] Add X509_NAME_add_entry binding Signed-off-by: Steffen Eiden --- openssl-sys/src/handwritten/x509.rs | 7 +++++++ openssl/src/x509/mod.rs | 15 +++++++++++++++ openssl/src/x509/tests.rs | 18 ++++++++++++++++++ 3 files changed, 40 insertions(+) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 2203b6081d..57737a0b06 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -286,6 +286,13 @@ const_ptr_api! { pub fn X509_NAME_dup(x: #[const_ptr_if(ossl300)] X509_NAME) -> *mut X509_NAME; #[cfg(any(ossl110, libressl270))] pub fn X509_dup(x: #[const_ptr_if(ossl300)] X509) -> *mut X509; + #[cfg(any(ossl101, libressl350))] + pub fn X509_NAME_add_entry( + name: *mut X509_NAME, + ne: #[const_ptr_if(any(ossl110, libressl))] X509_NAME_ENTRY, + loc: c_int, + set: c_int, + ) -> c_int; } } extern "C" { diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index edd54aa840..f7518e937a 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -872,6 +872,21 @@ impl X509NameBuilder { } } + /// Add a name entry + #[corresponds(X509_NAME_add_entry)] + #[cfg(any(ossl101, libressl350))] + pub fn append_entry(&mut self, ne: &X509NameEntryRef) -> std::result::Result<(), ErrorStack> { + unsafe { + cvt(ffi::X509_NAME_add_entry( + self.0.as_ptr(), + ne.as_ptr(), + -1, + 0, + )) + .map(|_| ()) + } + } + /// Add a field entry by str. /// /// This corresponds to [`X509_NAME_add_entry_by_txt`]. diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 336de3c914..9622dfae8f 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -693,3 +693,21 @@ fn test_load_cert_file() { .init(&store, &cert, &chain, |c| c.verify_cert()) .unwrap()); } + +#[test] +#[cfg(any(ossl101, libressl350))] +fn test_add_name_entry() { + let cert = include_bytes!("../../test/cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + let inp_name = cert.subject_name().entries().next().unwrap(); + + let mut names = X509Name::builder().unwrap(); + names.append_entry(inp_name).unwrap(); + let names = names.build(); + + let mut entries = names.entries(); + let outp_name = entries.next().unwrap(); + assert_eq!(outp_name.object().nid(), inp_name.object().nid()); + assert_eq!(outp_name.data().as_slice(), inp_name.data().as_slice()); + assert!(entries.next().is_none()); +} From 5b507990b7f7f72feb3ffa9c96b8596e137885fb Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Wed, 21 Dec 2022 16:00:56 -0500 Subject: [PATCH 072/341] Fix doc links Closes #1764 --- openssl/src/asn1.rs | 10 ++++----- openssl/src/bn.rs | 6 ++--- openssl/src/derive.rs | 8 +++---- openssl/src/dsa.rs | 6 ++--- openssl/src/ec.rs | 2 +- openssl/src/encrypt.rs | 4 ++-- openssl/src/hash.rs | 4 ++-- openssl/src/nid.rs | 2 +- openssl/src/pkcs12.rs | 2 +- openssl/src/sign.rs | 12 +++++----- openssl/src/ssl/mod.rs | 4 ++-- openssl/src/symm.rs | 6 ++--- openssl/src/x509/mod.rs | 46 +++++++++++++++++++-------------------- openssl/src/x509/store.rs | 2 +- 14 files changed, 57 insertions(+), 57 deletions(-) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index b02f9ac41e..55de049c08 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -187,7 +187,7 @@ foreign_type_and_impl_send_sync! { /// [ASN_TIME_set] documentation at OpenSSL explains the ASN.1 implementation /// used by OpenSSL. /// - /// [ASN_TIME_set]: https://www.openssl.org/docs/man1.1.0/crypto/ASN1_TIME_set.html + /// [ASN_TIME_set]: https://www.openssl.org/docs/manmaster/crypto/ASN1_TIME_set.html pub struct Asn1Time; /// Reference to an [`Asn1Time`] /// @@ -423,7 +423,7 @@ foreign_type_and_impl_send_sync! { /// structures. This implementation uses [ASN1_STRING-to_UTF8] to preserve /// compatibility with Rust's String. /// - /// [ASN1_STRING-to_UTF8]: https://www.openssl.org/docs/man1.1.0/crypto/ASN1_STRING_to_UTF8.html + /// [ASN1_STRING-to_UTF8]: https://www.openssl.org/docs/manmaster/crypto/ASN1_STRING_to_UTF8.html pub struct Asn1String; /// A reference to an [`Asn1String`]. pub struct Asn1StringRef; @@ -492,7 +492,7 @@ foreign_type_and_impl_send_sync! { /// OpenSSL documentation includes [`ASN1_INTEGER_set`]. /// /// [`bn`]: ../bn/index.html - /// [`ASN1_INTEGER_set`]: https://www.openssl.org/docs/man1.1.0/crypto/ASN1_INTEGER_set.html + /// [`ASN1_INTEGER_set`]: https://www.openssl.org/docs/manmaster/crypto/ASN1_INTEGER_set.html pub struct Asn1Integer; /// A reference to an [`Asn1Integer`]. pub struct Asn1IntegerRef; @@ -504,7 +504,7 @@ impl Asn1Integer { /// Corresponds to [`BN_to_ASN1_INTEGER`]. Also see /// [`BigNumRef::to_asn1_integer`]. /// - /// [`BN_to_ASN1_INTEGER`]: https://www.openssl.org/docs/man1.1.0/crypto/BN_to_ASN1_INTEGER.html + /// [`BN_to_ASN1_INTEGER`]: https://www.openssl.org/docs/manmaster/crypto/BN_to_ASN1_INTEGER.html /// [`BigNumRef::to_asn1_integer`]: ../bn/struct.BigNumRef.html#method.to_asn1_integer pub fn from_bn(bn: &BigNumRef) -> Result { bn.to_asn1_integer() @@ -586,7 +586,7 @@ foreign_type_and_impl_send_sync! { /// /// [`Nid`]: ../nid/index.html /// [`nid::COMMONNAME`]: ../nid/constant.COMMONNAME.html - /// [`OBJ_nid2obj`]: https://www.openssl.org/docs/man1.1.0/crypto/OBJ_obj2nid.html + /// [`OBJ_nid2obj`]: https://www.openssl.org/docs/manmaster/crypto/OBJ_obj2nid.html pub struct Asn1Object; /// A reference to an [`Asn1Object`]. pub struct Asn1ObjectRef; diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index 1cd00dd4bc..0328730a23 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -91,7 +91,7 @@ foreign_type_and_impl_send_sync! { /// to allocate. BigNumContext and the OpenSSL [`BN_CTX`] structure are used /// internally when passing BigNum values between subroutines. /// - /// [`BN_CTX`]: https://www.openssl.org/docs/man1.1.0/crypto/BN_CTX_new.html + /// [`BN_CTX`]: https://www.openssl.org/docs/manmaster/crypto/BN_CTX_new.html pub struct BigNumContext; /// Reference to [`BigNumContext`] /// @@ -134,7 +134,7 @@ foreign_type_and_impl_send_sync! { /// /// [`new`]: struct.BigNum.html#method.new /// [`Dref`]: struct.BigNum.html#deref-methods - /// [`BN_new`]: https://www.openssl.org/docs/man1.1.0/crypto/BN_new.html + /// [`BN_new`]: https://www.openssl.org/docs/manmaster/crypto/BN_new.html /// /// # Examples /// ``` @@ -1063,7 +1063,7 @@ impl BigNum { /// /// OpenSSL documentation at [`BN_bin2bn`] /// - /// [`BN_bin2bn`]: https://www.openssl.org/docs/man1.1.0/crypto/BN_bin2bn.html + /// [`BN_bin2bn`]: https://www.openssl.org/docs/manmaster/crypto/BN_bin2bn.html /// /// ``` /// # use openssl::bn::BigNum; diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index 87a04a14a3..5d422f6976 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -69,7 +69,7 @@ impl<'a> Deriver<'a> { /// /// This corresponds to [`EVP_PKEY_derive_init`]. /// - /// [`EVP_PKEY_derive_init`]: https://www.openssl.org/docs/man1.0.2/crypto/EVP_PKEY_derive_init.html + /// [`EVP_PKEY_derive_init`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html pub fn new(key: &'a PKeyRef) -> Result, ErrorStack> where T: HasPrivate, @@ -85,7 +85,7 @@ impl<'a> Deriver<'a> { /// /// This corresponds to [`EVP_PKEY_derive_set_peer`]: /// - /// [`EVP_PKEY_derive_set_peer`]: https://www.openssl.org/docs/man1.0.2/crypto/EVP_PKEY_derive_init.html + /// [`EVP_PKEY_derive_set_peer`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html pub fn set_peer(&mut self, key: &'a PKeyRef) -> Result<(), ErrorStack> where T: HasPublic, @@ -100,7 +100,7 @@ impl<'a> Deriver<'a> { /// This corresponds to [`EVP_PKEY_derive`]. /// /// [`Deriver::derive`]: #method.derive - /// [`EVP_PKEY_derive`]: https://www.openssl.org/docs/man1.0.2/crypto/EVP_PKEY_derive_init.html + /// [`EVP_PKEY_derive`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html pub fn len(&mut self) -> Result { unsafe { let mut len = 0; @@ -114,7 +114,7 @@ impl<'a> Deriver<'a> { /// /// This corresponds to [`EVP_PKEY_derive`]. /// - /// [`EVP_PKEY_derive`]: https://www.openssl.org/docs/man1.0.2/crypto/EVP_PKEY_derive_init.html + /// [`EVP_PKEY_derive`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html pub fn derive(&mut self, buf: &mut [u8]) -> Result { let mut len = buf.len(); unsafe { diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index 5f59ba8acd..c550f6548b 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -37,7 +37,7 @@ generic_foreign_type_and_impl_send_sync! { /// /// OpenSSL documentation at [`DSA_new`] /// - /// [`DSA_new`]: https://www.openssl.org/docs/man1.1.0/crypto/DSA_new.html + /// [`DSA_new`]: https://www.openssl.org/docs/manmaster/crypto/DSA_new.html /// /// # Examples /// @@ -191,8 +191,8 @@ impl Dsa { /// /// The `bits` parameter corresponds to the length of the prime `p`. /// - /// [`DSA_generate_parameters_ex`]: https://www.openssl.org/docs/man1.1.0/crypto/DSA_generate_parameters_ex.html - /// [`DSA_generate_key`]: https://www.openssl.org/docs/man1.1.0/crypto/DSA_generate_key.html + /// [`DSA_generate_parameters_ex`]: https://www.openssl.org/docs/manmaster/crypto/DSA_generate_parameters_ex.html + /// [`DSA_generate_key`]: https://www.openssl.org/docs/manmaster/crypto/DSA_generate_key.html pub fn generate(bits: u32) -> Result, ErrorStack> { ffi::init(); unsafe { diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 24b3832224..248ced3e41 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -73,7 +73,7 @@ impl Asn1Flag { /// /// OpenSSL documentation at [`EC_GROUP`] /// - /// [`EC_GROUP`]: https://www.openssl.org/docs/man1.1.0/crypto/EC_GROUP_get_seed_len.html + /// [`EC_GROUP`]: https://www.openssl.org/docs/manmaster/crypto/EC_GROUP_get_seed_len.html pub const EXPLICIT_CURVE: Asn1Flag = Asn1Flag(0); /// Standard Curves diff --git a/openssl/src/encrypt.rs b/openssl/src/encrypt.rs index 3cb10fcca2..d3db0fd414 100644 --- a/openssl/src/encrypt.rs +++ b/openssl/src/encrypt.rs @@ -113,7 +113,7 @@ impl<'a> Encrypter<'a> { /// /// This corresponds to [`EVP_PKEY_CTX_set_rsa_padding`]. /// - /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_CTX_set_rsa_padding.html + /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_padding.html pub fn set_rsa_padding(&mut self, padding: Padding) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_padding( @@ -317,7 +317,7 @@ impl<'a> Decrypter<'a> { /// /// This corresponds to [`EVP_PKEY_CTX_set_rsa_padding`]. /// - /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_CTX_set_rsa_padding.html + /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_padding.html pub fn set_rsa_padding(&mut self, padding: Padding) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_padding( diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 8e27505a02..37442fb274 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -68,7 +68,7 @@ impl MessageDigest { /// /// This corresponds to [`EVP_get_digestbynid`]. /// - /// [`EVP_get_digestbynid`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html + /// [`EVP_get_digestbynid`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestInit.html pub fn from_nid(type_: Nid) -> Option { unsafe { let ptr = ffi::EVP_get_digestbynid(type_.as_raw()); @@ -84,7 +84,7 @@ impl MessageDigest { /// /// This corresponds to [`EVP_get_digestbyname`]. /// - /// [`EVP_get_digestbyname`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html + /// [`EVP_get_digestbyname`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestInit.html pub fn from_name(name: &str) -> Option { ffi::init(); let name = CString::new(name).ok()?; diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index eadae31653..e4562a1c27 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -44,7 +44,7 @@ pub struct SignatureAlgorithms { /// The following documentation provides context about `Nid`s and their usage /// in OpenSSL. /// -/// - [Obj_nid2obj](https://www.openssl.org/docs/man1.1.0/crypto/OBJ_create.html) +/// - [Obj_nid2obj](https://www.openssl.org/docs/manmaster/crypto/OBJ_create.html) #[derive(Debug, Copy, Clone, PartialEq, Eq, Hash)] pub struct Nid(c_int); diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs index d4e19dc9f3..c6347a573b 100644 --- a/openssl/src/pkcs12.rs +++ b/openssl/src/pkcs12.rs @@ -185,7 +185,7 @@ impl Pkcs12Builder { // According to the OpenSSL docs, keytype is a non-standard extension for MSIE, // It's values are KEY_SIG or KEY_EX, see the OpenSSL docs for more information: - // https://www.openssl.org/docs/man1.0.2/crypto/PKCS12_create.html + // https://www.openssl.org/docs/manmaster/crypto/PKCS12_create.html let keytype = 0; let pkcs12 = cvt_p(ffi::PKCS12_create( diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index b675825e2c..9cfda48105 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -214,7 +214,7 @@ impl<'a> Signer<'a> { /// /// This corresponds to [`EVP_PKEY_CTX_set_rsa_padding`]. /// - /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_CTX_set_rsa_padding.html + /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_padding.html pub fn set_rsa_padding(&mut self, padding: Padding) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_padding( @@ -231,7 +231,7 @@ impl<'a> Signer<'a> { /// /// This corresponds to [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]. /// - /// [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_CTX_set_rsa_pss_saltlen.html + /// [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_pss_saltlen.html pub fn set_rsa_pss_saltlen(&mut self, len: RsaPssSaltlen) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_pss_saltlen( @@ -285,7 +285,7 @@ impl<'a> Signer<'a> { /// /// OpenSSL documentation at [`EVP_DigestSignFinal`]. /// - /// [`EVP_DigestSignFinal`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestSignFinal.html + /// [`EVP_DigestSignFinal`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestSignFinal.html pub fn len(&self) -> Result { self.len_intern() } @@ -325,7 +325,7 @@ impl<'a> Signer<'a> { /// /// OpenSSL documentation at [`EVP_DigestSignFinal`]. /// - /// [`EVP_DigestSignFinal`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestSignFinal.html + /// [`EVP_DigestSignFinal`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestSignFinal.html pub fn sign(&self, buf: &mut [u8]) -> Result { unsafe { let mut len = buf.len(); @@ -507,7 +507,7 @@ impl<'a> Verifier<'a> { /// /// This corresponds to [`EVP_PKEY_CTX_set_rsa_padding`]. /// - /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_CTX_set_rsa_padding.html + /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_padding.html pub fn set_rsa_padding(&mut self, padding: Padding) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_padding( @@ -524,7 +524,7 @@ impl<'a> Verifier<'a> { /// /// This corresponds to [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]. /// - /// [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_CTX_set_rsa_pss_saltlen.html + /// [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_pss_saltlen.html pub fn set_rsa_pss_saltlen(&mut self, len: RsaPssSaltlen) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_pss_saltlen( diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index aba606248f..9debaa37d0 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -1047,7 +1047,7 @@ impl SslContextBuilder { /// /// See [`ciphers`] for details on the format. /// - /// [`ciphers`]: https://www.openssl.org/docs/man1.1.0/apps/ciphers.html + /// [`ciphers`]: https://www.openssl.org/docs/manmaster/apps/ciphers.html #[corresponds(SSL_CTX_set_cipher_list)] pub fn set_cipher_list(&mut self, cipher_list: &str) -> Result<(), ErrorStack> { let cipher_list = CString::new(cipher_list).unwrap(); @@ -2200,7 +2200,7 @@ impl Ssl { /// /// This corresponds to [`SSL_new`]. /// - /// [`SSL_new`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_new.html + /// [`SSL_new`]: https://www.openssl.org/docs/manmaster/ssl/SSL_new.html #[corresponds(SSL_new)] pub fn new(ctx: &SslContextRef) -> Result { let session_ctx_index = try_get_session_ctx_index()?; diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index c75bbc0c4a..911a7ab2e7 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -68,7 +68,7 @@ pub enum Mode { /// /// See OpenSSL doc at [`EVP_EncryptInit`] for more information on each algorithms. /// -/// [`EVP_EncryptInit`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_EncryptInit.html +/// [`EVP_EncryptInit`]: https://www.openssl.org/docs/manmaster/crypto/EVP_EncryptInit.html #[derive(Copy, Clone, PartialEq, Eq)] pub struct Cipher(*const ffi::EVP_CIPHER); @@ -77,7 +77,7 @@ impl Cipher { /// /// This corresponds to [`EVP_get_cipherbynid`] /// - /// [`EVP_get_cipherbynid`]: https://www.openssl.org/docs/man1.0.2/crypto/EVP_get_cipherbyname.html + /// [`EVP_get_cipherbynid`]: https://www.openssl.org/docs/manmaster/crypto/EVP_get_cipherbyname.html pub fn from_nid(nid: Nid) -> Option { let ptr = unsafe { ffi::EVP_get_cipherbyname(ffi::OBJ_nid2sn(nid.as_raw())) }; if ptr.is_null() { @@ -91,7 +91,7 @@ impl Cipher { /// /// This corresponds to [`EVP_CIPHER_nid`] /// - /// [`EVP_CIPHER_nid`]: https://www.openssl.org/docs/man1.0.2/crypto/EVP_CIPHER_nid.html + /// [`EVP_CIPHER_nid`]: https://www.openssl.org/docs/manmaster/crypto/EVP_CIPHER_nid.html pub fn nid(&self) -> Nid { let nid = unsafe { ffi::EVP_CIPHER_nid(self.0) }; Nid::from_raw(nid) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index f7518e937a..c9d2a64215 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -109,8 +109,8 @@ impl X509StoreContextRef { /// This corresponds to [`X509_STORE_CTX_init`] before calling `with_context` and to /// [`X509_STORE_CTX_cleanup`] after calling `with_context`. /// - /// [`X509_STORE_CTX_init`]: https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_init.html - /// [`X509_STORE_CTX_cleanup`]: https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_cleanup.html + /// [`X509_STORE_CTX_init`]: https://www.openssl.org/docs/manmaster/crypto/X509_STORE_CTX_init.html + /// [`X509_STORE_CTX_cleanup`]: https://www.openssl.org/docs/manmaster/crypto/X509_STORE_CTX_cleanup.html pub fn init( &mut self, trust: &store::X509StoreRef, @@ -891,7 +891,7 @@ impl X509NameBuilder { /// /// This corresponds to [`X509_NAME_add_entry_by_txt`]. /// - /// [`X509_NAME_add_entry_by_txt`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_NAME_add_entry_by_txt.html + /// [`X509_NAME_add_entry_by_txt`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_txt.html pub fn append_entry_by_text(&mut self, field: &str, value: &str) -> Result<(), ErrorStack> { unsafe { let field = CString::new(field).unwrap(); @@ -913,7 +913,7 @@ impl X509NameBuilder { /// /// This corresponds to [`X509_NAME_add_entry_by_txt`]. /// - /// [`X509_NAME_add_entry_by_txt`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_NAME_add_entry_by_txt.html + /// [`X509_NAME_add_entry_by_txt`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_txt.html pub fn append_entry_by_text_with_type( &mut self, field: &str, @@ -940,7 +940,7 @@ impl X509NameBuilder { /// /// This corresponds to [`X509_NAME_add_entry_by_NID`]. /// - /// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_NAME_add_entry_by_NID.html + /// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_NID.html pub fn append_entry_by_nid(&mut self, field: Nid, value: &str) -> Result<(), ErrorStack> { unsafe { assert!(value.len() <= c_int::max_value() as usize); @@ -961,7 +961,7 @@ impl X509NameBuilder { /// /// This corresponds to [`X509_NAME_add_entry_by_NID`]. /// - /// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_NAME_add_entry_by_NID.html + /// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_NID.html pub fn append_entry_by_nid_with_type( &mut self, field: Nid, @@ -1068,7 +1068,7 @@ impl X509NameRef { /// /// This corresponds to [`i2d_X509_NAME`]. /// - /// [`i2d_X509_NAME`]: https://www.openssl.org/docs/man1.1.0/crypto/i2d_X509_NAME.html + /// [`i2d_X509_NAME`]: https://www.openssl.org/docs/manmaster/crypto/i2d_X509_NAME.html to_der, ffi::i2d_X509_NAME } @@ -1132,7 +1132,7 @@ impl X509NameEntryRef { /// /// This corresponds to [`X509_NAME_ENTRY_get_data`]. /// - /// [`X509_NAME_ENTRY_get_data`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_NAME_ENTRY_get_data.html + /// [`X509_NAME_ENTRY_get_data`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_ENTRY_get_data.html pub fn data(&self) -> &Asn1StringRef { unsafe { let data = ffi::X509_NAME_ENTRY_get_data(self.as_ptr()); @@ -1145,7 +1145,7 @@ impl X509NameEntryRef { /// /// This corresponds to [`X509_NAME_ENTRY_get_object`]. /// - /// [`X509_NAME_ENTRY_get_object`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_NAME_ENTRY_get_object.html + /// [`X509_NAME_ENTRY_get_object`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_ENTRY_get_object.html pub fn object(&self) -> &Asn1ObjectRef { unsafe { let object = ffi::X509_NAME_ENTRY_get_object(self.as_ptr()); @@ -1168,7 +1168,7 @@ impl X509ReqBuilder { /// /// This corresponds to [`X509_REQ_new`]. /// - ///[`X509_REQ_new`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_new.html + ///[`X509_REQ_new`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_new.html pub fn new() -> Result { unsafe { ffi::init(); @@ -1180,7 +1180,7 @@ impl X509ReqBuilder { /// /// This corresponds to [`X509_REQ_set_version`]. /// - ///[`X509_REQ_set_version`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_set_version.html + ///[`X509_REQ_set_version`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_set_version.html pub fn set_version(&mut self, version: i32) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_REQ_set_version( @@ -1195,7 +1195,7 @@ impl X509ReqBuilder { /// /// This corresponds to [`X509_REQ_set_subject_name`]. /// - /// [`X509_REQ_set_subject_name`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_set_subject_name.html + /// [`X509_REQ_set_subject_name`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_set_subject_name.html pub fn set_subject_name(&mut self, subject_name: &X509NameRef) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_REQ_set_subject_name( @@ -1210,7 +1210,7 @@ impl X509ReqBuilder { /// /// This corresponds to [`X509_REQ_set_pubkey`]. /// - /// [`X509_REQ_set_pubkey`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_set_pubkey.html + /// [`X509_REQ_set_pubkey`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_set_pubkey.html pub fn set_pubkey(&mut self, key: &PKeyRef) -> Result<(), ErrorStack> where T: HasPublic, @@ -1260,7 +1260,7 @@ impl X509ReqBuilder { /// /// This corresponds to [`X509_REQ_sign`]. /// - /// [`X509_REQ_sign`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_sign.html + /// [`X509_REQ_sign`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_sign.html pub fn sign(&mut self, key: &PKeyRef, hash: MessageDigest) -> Result<(), ErrorStack> where T: HasPrivate, @@ -1304,7 +1304,7 @@ impl X509Req { /// /// This corresponds to [`PEM_read_bio_X509_REQ`]. /// - /// [`PEM_read_bio_X509_REQ`]: https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_X509_REQ.html + /// [`PEM_read_bio_X509_REQ`]: https://www.openssl.org/docs/manmaster/crypto/PEM_read_bio_X509_REQ.html from_pem, X509Req, ffi::PEM_read_bio_X509_REQ @@ -1315,7 +1315,7 @@ impl X509Req { /// /// This corresponds to [`d2i_X509_REQ`]. /// - /// [`d2i_X509_REQ`]: https://www.openssl.org/docs/man1.1.0/crypto/d2i_X509_REQ.html + /// [`d2i_X509_REQ`]: https://www.openssl.org/docs/manmaster/crypto/d2i_X509_REQ.html from_der, X509Req, ffi::d2i_X509_REQ @@ -1330,7 +1330,7 @@ impl X509ReqRef { /// /// This corresponds to [`PEM_write_bio_X509_REQ`]. /// - /// [`PEM_write_bio_X509_REQ`]: https://www.openssl.org/docs/man1.0.2/crypto/PEM_write_bio_X509_REQ.html + /// [`PEM_write_bio_X509_REQ`]: https://www.openssl.org/docs/manmaster/crypto/PEM_write_bio_X509_REQ.html to_pem, ffi::PEM_write_bio_X509_REQ } @@ -1340,7 +1340,7 @@ impl X509ReqRef { /// /// This corresponds to [`i2d_X509_REQ`]. /// - /// [`i2d_X509_REQ`]: https://www.openssl.org/docs/man1.0.2/crypto/i2d_X509_REQ.html + /// [`i2d_X509_REQ`]: https://www.openssl.org/docs/manmaster/crypto/i2d_X509_REQ.html to_der, ffi::i2d_X509_REQ } @@ -1356,7 +1356,7 @@ impl X509ReqRef { /// /// This corresponds to [`X509_REQ_get_version`] /// - /// [`X509_REQ_get_version`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_get_version.html + /// [`X509_REQ_get_version`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_version.html pub fn version(&self) -> i32 { unsafe { X509_REQ_get_version(self.as_ptr()) as i32 } } @@ -1365,7 +1365,7 @@ impl X509ReqRef { /// /// This corresponds to [`X509_REQ_get_subject_name`] /// - /// [`X509_REQ_get_subject_name`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_get_subject_name.html + /// [`X509_REQ_get_subject_name`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_subject_name.html pub fn subject_name(&self) -> &X509NameRef { unsafe { let name = X509_REQ_get_subject_name(self.as_ptr()); @@ -1377,7 +1377,7 @@ impl X509ReqRef { /// /// This corresponds to [`X509_REQ_get_pubkey"] /// - /// [`X509_REQ_get_pubkey`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_get_pubkey.html + /// [`X509_REQ_get_pubkey`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_pubkey.html pub fn public_key(&self) -> Result, ErrorStack> { unsafe { let key = cvt_p(ffi::X509_REQ_get_pubkey(self.as_ptr()))?; @@ -1391,7 +1391,7 @@ impl X509ReqRef { /// /// This corresponds to [`X509_REQ_verify"]. /// - /// [`X509_REQ_verify`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_verify.html + /// [`X509_REQ_verify`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_verify.html pub fn verify(&self, key: &PKeyRef) -> Result where T: HasPublic, @@ -1452,7 +1452,7 @@ impl X509VerifyResult { /// /// This corresponds to [`X509_verify_cert_error_string`]. /// - /// [`X509_verify_cert_error_string`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_verify_cert_error_string.html + /// [`X509_verify_cert_error_string`]: https://www.openssl.org/docs/manmaster/crypto/X509_verify_cert_error_string.html #[allow(clippy::trivially_copy_pass_by_ref)] pub fn error_string(&self) -> &'static str { ffi::init(); diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs index a685fa18e6..15b87e8ca9 100644 --- a/openssl/src/x509/store.rs +++ b/openssl/src/x509/store.rs @@ -145,7 +145,7 @@ generic_foreign_type_and_impl_send_sync! { /// Marker type corresponding to the [`X509_LOOKUP_hash_dir`] lookup method. /// -/// [`X509_LOOKUP_hash_dir`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_LOOKUP_hash_dir.html +/// [`X509_LOOKUP_hash_dir`]: https://www.openssl.org/docs/manmaster/crypto/X509_LOOKUP_hash_dir.html // FIXME should be an enum pub struct HashDir; From 3de9f26c1676712c9bad99622a953e55a9f5842e Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Tue, 13 Dec 2022 13:23:22 +0100 Subject: [PATCH 073/341] Add binding for X509_load_crl_file Signed-off-by: Steffen Eiden --- openssl-sys/src/handwritten/x509_vfy.rs | 1 + openssl/src/x509/store.rs | 20 +++++++++++++++++++- openssl/src/x509/tests.rs | 9 +++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs index 3ebbea697b..387b9dd045 100644 --- a/openssl-sys/src/handwritten/x509_vfy.rs +++ b/openssl-sys/src/handwritten/x509_vfy.rs @@ -21,6 +21,7 @@ extern "C" { ret: *mut *mut c_char, ) -> c_int; pub fn X509_load_cert_file(ctx: *mut X509_LOOKUP, file: *const c_char, _type: c_int) -> c_int; + pub fn X509_load_crl_file(ctx: *mut X509_LOOKUP, file: *const c_char, _type: c_int) -> c_int; } extern "C" { diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs index 15b87e8ca9..fa17cc4b9c 100644 --- a/openssl/src/x509/store.rs +++ b/openssl/src/x509/store.rs @@ -194,8 +194,9 @@ impl X509Lookup { #[cfg(not(boringssl))] impl X509LookupRef { - #[corresponds(X509_load_cert_file)] /// Specifies a file from which certificates will be loaded + #[corresponds(X509_load_cert_file)] + // FIXME should return 'Result>( &mut self, file: P, @@ -211,6 +212,23 @@ impl X509LookupRef { .map(|_| ()) } } + + /// Specifies a file from which certificate revocation lists will be loaded + #[corresponds(X509_load_crl_file)] + pub fn load_crl_file>( + &mut self, + file: P, + file_type: SslFiletype, + ) -> Result { + let file = CString::new(file.as_ref().as_os_str().to_str().unwrap()).unwrap(); + unsafe { + cvt(ffi::X509_load_crl_file( + self.as_ptr(), + file.as_ptr(), + file_type.as_raw(), + )) + } + } } generic_foreign_type_and_impl_send_sync! { diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index d5be9f0f53..114869aa1a 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -786,3 +786,12 @@ fn test_add_name_entry() { assert_eq!(outp_name.data().as_slice(), inp_name.data().as_slice()); assert!(entries.next().is_none()); } + +#[test] +#[cfg(not(boringssl))] +fn test_load_crl_file_fail() { + let mut store_bldr = X509StoreBuilder::new().unwrap(); + let lookup = store_bldr.add_lookup(X509Lookup::file()).unwrap(); + let res = lookup.load_crl_file("test/root-ca.pem", SslFiletype::PEM); + assert!(res.is_err()); +} From 19f159438fee63fe9e394d5e530da14de168c587 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 24 Dec 2022 23:29:25 -0500 Subject: [PATCH 074/341] Added PKey::private_key_to_pkcs8 --- openssl/src/pkey.rs | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 2039e7e908..780bd637e5 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -323,6 +323,25 @@ where } } + /// Serializes a private key into an unencrypted DER-formatted PKCS#8 + #[corresponds(i2d_PKCS8PrivateKey_bio)] + pub fn private_key_to_pkcs8(&self) -> Result, ErrorStack> { + unsafe { + let bio = MemBio::new()?; + cvt(ffi::i2d_PKCS8PrivateKey_bio( + bio.as_ptr(), + self.as_ptr(), + ptr::null(), + ptr::null_mut(), + 0, + None, + ptr::null_mut(), + ))?; + + Ok(bio.get_buf().to_owned()) + } + } + /// Serializes a private key into a DER-formatted PKCS#8, using the supplied password to /// encrypt the key. /// @@ -889,7 +908,14 @@ mod tests { #[test] fn test_unencrypted_pkcs8() { let key = include_bytes!("../test/pkcs8-nocrypt.der"); - PKey::private_key_from_pkcs8(key).unwrap(); + let pkey = PKey::private_key_from_pkcs8(key).unwrap(); + let serialized = pkey.private_key_to_pkcs8().unwrap(); + let pkey2 = PKey::private_key_from_pkcs8(&serialized).unwrap(); + + assert_eq!( + pkey2.private_key_to_der().unwrap(), + pkey.private_key_to_der().unwrap() + ); } #[test] From d3e557cf4836e49d97f38dcf2b349b8e7c30d9a8 Mon Sep 17 00:00:00 2001 From: timothy Date: Sun, 25 Dec 2022 20:40:54 +0700 Subject: [PATCH 075/341] Export SRTP_AEAD_AES_128_GCM and SRTP_AEAD_AES_256_GCM to BoringSSL --- openssl/src/srtp.rs | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/openssl/src/srtp.rs b/openssl/src/srtp.rs index 7ed3135963..595757dc04 100644 --- a/openssl/src/srtp.rs +++ b/openssl/src/srtp.rs @@ -46,10 +46,12 @@ impl SrtpProfileId { SrtpProfileId(ffi::SRTP_AES128_F8_SHA1_32 as c_ulong); pub const SRTP_NULL_SHA1_80: SrtpProfileId = SrtpProfileId(ffi::SRTP_NULL_SHA1_80 as c_ulong); pub const SRTP_NULL_SHA1_32: SrtpProfileId = SrtpProfileId(ffi::SRTP_NULL_SHA1_32 as c_ulong); - #[cfg(ossl110)] - pub const SRTP_AEAD_AES_128_GCM: SrtpProfileId = SrtpProfileId(ffi::SRTP_AEAD_AES_128_GCM); - #[cfg(ossl110)] - pub const SRTP_AEAD_AES_256_GCM: SrtpProfileId = SrtpProfileId(ffi::SRTP_AEAD_AES_256_GCM); + #[cfg(any(boringssl, ossl110))] + pub const SRTP_AEAD_AES_128_GCM: SrtpProfileId = + SrtpProfileId(ffi::SRTP_AEAD_AES_128_GCM as c_ulong); + #[cfg(any(boringssl, ossl110))] + pub const SRTP_AEAD_AES_256_GCM: SrtpProfileId = + SrtpProfileId(ffi::SRTP_AEAD_AES_256_GCM as c_ulong); /// Creates a `SrtpProfileId` from an integer representation. pub fn from_raw(value: c_ulong) -> SrtpProfileId { From f95fd5bac186bd0531de7d5b363fa3071066900e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 25 Dec 2022 14:50:15 -0500 Subject: [PATCH 076/341] Refs #1768 -- reject boringssl if unstable_boringssl feature isn't specified --- openssl-sys/build/expando.c | 4 ++++ openssl-sys/build/main.rs | 8 ++++++++ 2 files changed, 12 insertions(+) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index 2ec63ec046..980241074a 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -15,6 +15,10 @@ NEW_VERSION(OPENSSL_VERSION_MAJOR, OPENSSL_VERSION_MINOR, OPENSSL_VERSION_PATCH) VERSION(OPENSSL, OPENSSL_VERSION_NUMBER) #endif +#ifdef OPENSSL_IS_BORINGSSL +RUST_OPENSSL_IS_BORINGSSL +#endif + #ifdef OPENSSL_NO_BF RUST_CONF_OPENSSL_NO_BF #endif diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index cdea3eb447..1c5a5e7d9f 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -215,12 +215,14 @@ See rust-openssl documentation for more information: let mut enabled = vec![]; let mut openssl_version = None; let mut libressl_version = None; + let mut is_boringssl = false; for line in expanded.lines() { let line = line.trim(); let openssl_prefix = "RUST_VERSION_OPENSSL_"; let new_openssl_prefix = "RUST_VERSION_NEW_OPENSSL_"; let libressl_prefix = "RUST_VERSION_LIBRESSL_"; + let boringsl_prefix = "RUST_OPENSSL_IS_BORINGSSL"; let conf_prefix = "RUST_CONF_"; if line.starts_with(openssl_prefix) { let version = &line[openssl_prefix.len()..]; @@ -233,9 +235,15 @@ See rust-openssl documentation for more information: libressl_version = Some(parse_version(version)); } else if line.starts_with(conf_prefix) { enabled.push(&line[conf_prefix.len()..]); + } else if line.starts_with(boringsl_prefix) { + is_boringssl = true; } } + if is_boringssl { + panic!("BoringSSL detected, but `unstable_boringssl` feature wasn't specified.") + } + for enabled in &enabled { println!("cargo:rustc-cfg=osslconf=\"{}\"", enabled); } From ed40115eb09d3a9d9d3baa78011c43e08f752e2a Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 29 Dec 2022 18:40:05 -0500 Subject: [PATCH 077/341] Support pkcs12 archives without an identity --- openssl/src/cms.rs | 16 +++++++++++----- openssl/src/pkcs12.rs | 41 ++++++++++++++++++++++++++++++----------- 2 files changed, 41 insertions(+), 16 deletions(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index 185c4dfa94..bef21f93c9 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -249,7 +249,7 @@ mod test { let priv_cert_bytes = include_bytes!("../test/cms.p12"); let priv_cert = Pkcs12::from_der(priv_cert_bytes).expect("failed to load priv cert"); let priv_cert = priv_cert - .parse("mypass") + .parse2("mypass") .expect("failed to parse priv cert"); // encrypt cms message using public key cert @@ -274,13 +274,16 @@ mod test { CmsContentInfo::from_der(&encrypted_der).expect("failed read cms from der"); let decrypt_with_cert_check = decrypt - .decrypt(&priv_cert.pkey, &priv_cert.cert) + .decrypt( + priv_cert.pkey.as_ref().unwrap(), + priv_cert.cert.as_ref().unwrap(), + ) .expect("failed to decrypt cms"); let decrypt_with_cert_check = String::from_utf8(decrypt_with_cert_check) .expect("failed to create string from cms content"); let decrypt_without_cert_check = decrypt - .decrypt_without_cert_check(&priv_cert.pkey) + .decrypt_without_cert_check(priv_cert.pkey.as_ref().unwrap()) .expect("failed to decrypt cms"); let decrypt_without_cert_check = String::from_utf8(decrypt_without_cert_check) .expect("failed to create string from cms content"); @@ -296,13 +299,16 @@ mod test { CmsContentInfo::from_pem(&encrypted_pem).expect("failed read cms from pem"); let decrypt_with_cert_check = decrypt - .decrypt(&priv_cert.pkey, &priv_cert.cert) + .decrypt( + priv_cert.pkey.as_ref().unwrap(), + priv_cert.cert.as_ref().unwrap(), + ) .expect("failed to decrypt cms"); let decrypt_with_cert_check = String::from_utf8(decrypt_with_cert_check) .expect("failed to create string from cms content"); let decrypt_without_cert_check = decrypt - .decrypt_without_cert_check(&priv_cert.pkey) + .decrypt_without_cert_check(priv_cert.pkey.as_ref().unwrap()) .expect("failed to decrypt cms"); let decrypt_without_cert_check = String::from_utf8(decrypt_without_cert_check) .expect("failed to create string from cms content"); diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs index c6347a573b..1548b36885 100644 --- a/openssl/src/pkcs12.rs +++ b/openssl/src/pkcs12.rs @@ -32,9 +32,22 @@ impl Pkcs12Ref { ffi::i2d_PKCS12 } + /// Deprecated. + #[deprecated(note = "Use parse2 instead", since = "0.10.46")] + #[allow(deprecated)] + pub fn parse(&self, pass: &str) -> Result { + let parsed = self.parse2(pass)?; + + Ok(ParsedPkcs12 { + pkey: parsed.pkey.unwrap(), + cert: parsed.cert.unwrap(), + chain: parsed.chain, + }) + } + /// Extracts the contents of the `Pkcs12`. #[corresponds(PKCS12_parse)] - pub fn parse(&self, pass: &str) -> Result { + pub fn parse2(&self, pass: &str) -> Result { unsafe { let pass = CString::new(pass.as_bytes()).unwrap(); @@ -50,12 +63,11 @@ impl Pkcs12Ref { &mut chain, ))?; - let pkey = PKey::from_ptr(pkey); - let cert = X509::from_ptr(cert); - + let pkey = PKey::from_ptr_opt(pkey); + let cert = X509::from_ptr_opt(cert); let chain = Stack::from_ptr_opt(chain); - Ok(ParsedPkcs12 { pkey, cert, chain }) + Ok(ParsedPkcs12_2 { pkey, cert, chain }) } } } @@ -93,12 +105,19 @@ impl Pkcs12 { } } +#[deprecated(note = "Use ParsedPkcs12_2 instead", since = "0.10.46")] pub struct ParsedPkcs12 { pub pkey: PKey, pub cert: X509, pub chain: Option>, } +pub struct ParsedPkcs12_2 { + pub pkey: Option>, + pub cert: Option, + pub chain: Option>, +} + pub struct Pkcs12Builder { nid_key: Nid, nid_cert: Nid, @@ -246,10 +265,10 @@ mod test { let der = include_bytes!("../test/identity.p12"); let pkcs12 = Pkcs12::from_der(der).unwrap(); - let parsed = pkcs12.parse("mypass").unwrap(); + let parsed = pkcs12.parse2("mypass").unwrap(); assert_eq!( - hex::encode(parsed.cert.digest(MessageDigest::sha1()).unwrap()), + hex::encode(parsed.cert.unwrap().digest(MessageDigest::sha1()).unwrap()), "59172d9313e84459bcff27f967e79e6e9217e584" ); @@ -268,7 +287,7 @@ mod test { let der = include_bytes!("../test/keystore-empty-chain.p12"); let pkcs12 = Pkcs12::from_der(der).unwrap(); - let parsed = pkcs12.parse("cassandra").unwrap(); + let parsed = pkcs12.parse2("cassandra").unwrap(); if let Some(stack) = parsed.chain { assert_eq!(stack.len(), 0); } @@ -309,12 +328,12 @@ mod test { let der = pkcs12.to_der().unwrap(); let pkcs12 = Pkcs12::from_der(&der).unwrap(); - let parsed = pkcs12.parse("mypass").unwrap(); + let parsed = pkcs12.parse2("mypass").unwrap(); assert_eq!( - &*parsed.cert.digest(MessageDigest::sha1()).unwrap(), + &*parsed.cert.unwrap().digest(MessageDigest::sha1()).unwrap(), &*cert.digest(MessageDigest::sha1()).unwrap() ); - assert!(parsed.pkey.public_eq(&pkey)); + assert!(parsed.pkey.unwrap().public_eq(&pkey)); } } From e04098e8567d275c04fc617c57884e7c379c5b6f Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Fri, 30 Dec 2022 19:26:58 -0500 Subject: [PATCH 078/341] Support construction of PKCS#12 archives with no identity --- openssl/src/pkcs12.rs | 129 +++++++++++++++++++++++++++++------------- 1 file changed, 91 insertions(+), 38 deletions(-) diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs index 1548b36885..d74705eaa8 100644 --- a/openssl/src/pkcs12.rs +++ b/openssl/src/pkcs12.rs @@ -41,7 +41,7 @@ impl Pkcs12Ref { Ok(ParsedPkcs12 { pkey: parsed.pkey.unwrap(), cert: parsed.cert.unwrap(), - chain: parsed.chain, + chain: parsed.ca, }) } @@ -53,21 +53,21 @@ impl Pkcs12Ref { let mut pkey = ptr::null_mut(); let mut cert = ptr::null_mut(); - let mut chain = ptr::null_mut(); + let mut ca = ptr::null_mut(); cvt(ffi::PKCS12_parse( self.as_ptr(), pass.as_ptr(), &mut pkey, &mut cert, - &mut chain, + &mut ca, ))?; let pkey = PKey::from_ptr_opt(pkey); let cert = X509::from_ptr_opt(cert); - let chain = Stack::from_ptr_opt(chain); + let ca = Stack::from_ptr_opt(ca); - Ok(ParsedPkcs12_2 { pkey, cert, chain }) + Ok(ParsedPkcs12_2 { pkey, cert, ca }) } } } @@ -94,13 +94,16 @@ impl Pkcs12 { ffi::init(); Pkcs12Builder { + name: None, + pkey: None, + cert: None, + ca: None, nid_key: Nid::UNDEF, nid_cert: Nid::UNDEF, iter: ffi::PKCS12_DEFAULT_ITER, mac_iter: ffi::PKCS12_DEFAULT_ITER, #[cfg(not(boringssl))] mac_md: None, - ca: None, } } } @@ -115,20 +118,54 @@ pub struct ParsedPkcs12 { pub struct ParsedPkcs12_2 { pub pkey: Option>, pub cert: Option, - pub chain: Option>, + pub ca: Option>, } pub struct Pkcs12Builder { + // FIXME borrow + name: Option, + pkey: Option>, + cert: Option, + ca: Option>, nid_key: Nid, nid_cert: Nid, iter: c_int, mac_iter: c_int, + // FIXME remove #[cfg(not(boringssl))] mac_md: Option, - ca: Option>, } impl Pkcs12Builder { + /// The `friendlyName` used for the certificate and private key. + pub fn name(&mut self, name: &str) -> &mut Self { + self.name = Some(CString::new(name).unwrap()); + self + } + + /// The private key. + pub fn pkey(&mut self, pkey: &PKeyRef) -> &mut Self + where + T: HasPrivate, + { + let new_pkey = unsafe { PKeyRef::from_ptr(pkey.as_ptr()) }; + self.pkey = Some(new_pkey.to_owned()); + self + } + + /// The certificate. + pub fn cert(&mut self, cert: &X509Ref) -> &mut Self { + self.cert = Some(cert.to_owned()); + self + } + + /// An additional set of certificates to include in the archive beyond the one provided to + /// `build`. + pub fn ca(&mut self, ca: Stack) -> &mut Self { + self.ca = Some(ca); + self + } + /// The encryption algorithm that should be used for the key pub fn key_algorithm(&mut self, nid: Nid) -> &mut Self { self.nid_key = nid; @@ -163,24 +200,13 @@ impl Pkcs12Builder { self } - /// An additional set of certificates to include in the archive beyond the one provided to - /// `build`. - pub fn ca(&mut self, ca: Stack) -> &mut Self { - self.ca = Some(ca); - self - } - - /// Builds the PKCS #12 object - /// - /// # Arguments - /// - /// * `password` - the password used to encrypt the key and certificate - /// * `friendly_name` - user defined name for the certificate - /// * `pkey` - key to store - /// * `cert` - certificate to store - #[corresponds(PKCS12_create)] + /// Deprecated. + #[deprecated( + note = "Use Self::{name, pkey, cert, build2} instead.", + since = "0.10.46" + )] pub fn build( - self, + mut self, password: &str, friendly_name: &str, pkey: &PKeyRef, @@ -189,11 +215,21 @@ impl Pkcs12Builder { where T: HasPrivate, { + self.name(friendly_name) + .pkey(pkey) + .cert(cert) + .build2(password) + } + + /// Builds the PKCS#12 object. + #[corresponds(PKCS12_create)] + pub fn build2(&self, password: &str) -> Result { unsafe { let pass = CString::new(password).unwrap(); - let friendly_name = CString::new(friendly_name).unwrap(); - let pkey = pkey.as_ptr(); - let cert = cert.as_ptr(); + let pass = pass.as_ptr(); + let friendly_name = self.name.as_ref().map_or(ptr::null(), |p| p.as_ptr()); + let pkey = self.pkey.as_ref().map_or(ptr::null(), |p| p.as_ptr()); + let cert = self.cert.as_ref().map_or(ptr::null(), |p| p.as_ptr()); let ca = self .ca .as_ref() @@ -208,10 +244,10 @@ impl Pkcs12Builder { let keytype = 0; let pkcs12 = cvt_p(ffi::PKCS12_create( - pass.as_ptr() as *const _ as *mut _, - friendly_name.as_ptr() as *const _ as *mut _, - pkey, - cert, + pass as *mut _, + friendly_name as *mut _, + pkey as *mut _, + cert as *mut _, ca, nid_key, nid_cert, @@ -232,7 +268,7 @@ impl Pkcs12Builder { cvt(ffi::PKCS12_set_mac( pkcs12.as_ptr(), - pass.as_ptr(), + pass, -1, ptr::null_mut(), 0, @@ -272,7 +308,7 @@ mod test { "59172d9313e84459bcff27f967e79e6e9217e584" ); - let chain = parsed.chain.unwrap(); + let chain = parsed.ca.unwrap(); assert_eq!(chain.len(), 1); assert_eq!( hex::encode(chain[0].digest(MessageDigest::sha1()).unwrap()), @@ -288,7 +324,7 @@ mod test { let der = include_bytes!("../test/keystore-empty-chain.p12"); let pkcs12 = Pkcs12::from_der(der).unwrap(); let parsed = pkcs12.parse2("cassandra").unwrap(); - if let Some(stack) = parsed.chain { + if let Some(stack) = parsed.ca { assert_eq!(stack.len(), 0); } } @@ -321,9 +357,11 @@ mod test { builder.sign(&pkey, MessageDigest::sha256()).unwrap(); let cert = builder.build(); - let pkcs12_builder = Pkcs12::builder(); - let pkcs12 = pkcs12_builder - .build("mypass", subject_name, &pkey, &cert) + let pkcs12 = Pkcs12::builder() + .name(subject_name) + .pkey(&pkey) + .cert(&cert) + .build2("mypass") .unwrap(); let der = pkcs12.to_der().unwrap(); @@ -336,4 +374,19 @@ mod test { ); assert!(parsed.pkey.unwrap().public_eq(&pkey)); } + + #[test] + fn create_only_ca() { + let ca = include_bytes!("../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let mut chain = Stack::new().unwrap(); + chain.push(ca).unwrap(); + + let pkcs12 = Pkcs12::builder().ca(chain).build2("hunter2").unwrap(); + let parsed = pkcs12.parse2("hunter2").unwrap(); + + assert!(parsed.cert.is_none()); + assert!(parsed.pkey.is_none()); + assert_eq!(parsed.ca.unwrap().len(), 1); + } } From ae3b75f81eca319d0731c43b05ce8aafad91bc8b Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Thu, 5 Jan 2023 15:56:50 +0000 Subject: [PATCH 079/341] Update CRL bindings --- openssl/src/x509/mod.rs | 73 ++++++++++++----------------------------- 1 file changed, 21 insertions(+), 52 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index f52f4ea169..d607d2cec0 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1426,11 +1426,8 @@ impl Stackable for X509Revoked { impl X509Revoked { from_der! { - /// Deserializes a DER-encoded certificate revokation status - /// - /// This corresponds to [`d2i_X509_REVOKED`]. - /// - /// [`d2i_X509_REVOKED`]: https://www.openssl.org/docs/man1.1.0/crypto/d2i_X509_REVOKED.html + /// Deserializes a DER-encoded certificate revocation status + #[corresponds(d2i_X509_REVOKED)] from_der, X509Revoked, ffi::d2i_X509_REVOKED @@ -1440,15 +1437,13 @@ impl X509Revoked { impl X509RevokedRef { to_der! { /// Serializes the certificate request to a DER-encoded certificate revocation status - /// - /// This corresponds to [`i2d_X509_REVOKED`]. - /// - /// [`i2d_X509_REVOKED`]: https://www.openssl.org/docs/man1.0.2/crypto/i2d_X509_REQ.html + #[corresponds(d2i_X509_REVOKED)] to_der, ffi::i2d_X509_REVOKED } /// Get the date that the certificate was revoked + #[corresponds(X509_REVOKED_get0_revocationDate)] pub fn revocation_date(&self) -> &Asn1TimeRef { unsafe { let r = X509_REVOKED_get0_revocationDate(self.as_ptr() as *const _); @@ -1458,6 +1453,7 @@ impl X509RevokedRef { } /// Get the serial number of the revoked certificate + #[corresponds(X509_REVOKED_get0_serialNumber)] pub fn serial_number(&self) -> &Asn1IntegerRef { unsafe { let r = X509_REVOKED_get0_serialNumber(self.as_ptr() as *const _); @@ -1513,7 +1509,10 @@ impl<'a> CrlStatus<'a> { assert!(!revoked_entry.is_null()); CrlStatus::RemoveFromCrl(X509RevokedRef::from_ptr(revoked_entry)) } - _ => unreachable!("X509_CRL_get0_by_{{serial,cert}} should only return 0, 1, or 2."), + _ => unreachable!( + "{}", + "X509_CRL_get0_by_{{serial,cert}} should only return 0, 1, or 2." + ), } } } @@ -1523,10 +1522,7 @@ impl X509Crl { /// Deserializes a PEM-encoded Certificate Revocation List /// /// The input should have a header of `-----BEGIN X509 CRL-----`. - /// - /// This corresponds to [`PEM_read_bio_X509_CRL`]. - /// - /// [`PEM_read_bio_X509_CRL`]: https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_X509_REQ.html + #[corresponds(PEM_read_bio_X509_CRL)] from_pem, X509Crl, ffi::PEM_read_bio_X509_CRL @@ -1534,10 +1530,7 @@ impl X509Crl { from_der! { /// Deserializes a DER-encoded Certificate Revocation List - /// - /// This corresponds to [`d2i_X509_CRL`]. - /// - /// [`d2i_X509_CRL`]: https://www.openssl.org/docs/man1.1.0/crypto/d2i_X509_REQ.html + #[corresponds(d2i_X509_CRL)] from_der, X509Crl, ffi::d2i_X509_CRL @@ -1549,20 +1542,14 @@ impl X509CrlRef { /// Serializes the certificate request to a PEM-encoded Certificate Revocation List. /// /// The output will have a header of `-----BEGIN X509 CRL-----`. - /// - /// This corresponds to [`PEM_write_bio_X509_CRL`]. - /// - /// [`PEM_write_bio_X509_CRL`]: https://www.openssl.org/docs/man1.0.2/crypto/PEM_write_bio_X509_REQ.html + #[corresponds(PEM_write_bio_X509_CRL)] to_pem, ffi::PEM_write_bio_X509_CRL } to_der! { /// Serializes the certificate request to a DER-encoded Certificate Revocation List. - /// - /// This corresponds to [`i2d_X509_CRL`]. - /// - /// [`i2d_X509_CRL`]: https://www.openssl.org/docs/man1.0.2/crypto/i2d_X509_REQ.html + #[corresponds(i2d_X509_CRL)] to_der, ffi::i2d_X509_CRL } @@ -1580,10 +1567,7 @@ impl X509CrlRef { } /// Returns the CRL's `lastUpdate` time. - /// - /// This corresponds to [`X509_CRL_get0_lastUpdate"] - /// - /// [`X509_CRL_get0_lastUpdate`]: https://www.openssl.org/docs/man1.1.1/man3/X509_CRL_get0_lastUpdate.html + #[corresponds(X509_CRL_get0_lastUpdate)] pub fn last_update(&self) -> &Asn1TimeRef { unsafe { let date = X509_CRL_get0_lastUpdate(self.as_ptr()); @@ -1595,26 +1579,16 @@ impl X509CrlRef { /// Returns the CRL's `nextUpdate` time. /// /// If the `nextUpdate` field is missing, returns `None`. - /// - /// This corresponds to [`X509_CRL_get0_nextUpdate"] - /// - /// [`X509_CRL_get0_nextUpdate`]: https://www.openssl.org/docs/man1.1.1/man3/X509_CRL_get0_nextUpdate.html + #[corresponds(X509_CRL_get0_nextUpdate)] pub fn next_update(&self) -> Option<&Asn1TimeRef> { unsafe { let date = X509_CRL_get0_nextUpdate(self.as_ptr()); - if date.is_null() { - None - } else { - Some(Asn1TimeRef::from_ptr(date as *mut _)) - } + Asn1TimeRef::from_const_ptr_opt(date) } } /// Get the revocation status of a certificate by its serial number - /// - /// This corresponds to [`X509_CRL_get0_by_serial`] - /// - /// [`X509_CRL_get0_by_serial`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_CRL_get0_by_serial.html + #[corresponds(X509_CRL_get0_by_serial)] pub fn get_by_serial<'a>(&'a self, serial: &Asn1IntegerRef) -> CrlStatus<'a> { unsafe { let mut ret = ptr::null_mut::(); @@ -1625,10 +1599,7 @@ impl X509CrlRef { } /// Get the revocation status of a certificate - /// - /// This corresponds to [`X509_CRL_get0_by_cert`] - /// - /// [`X509_CRL_get0_by_cert`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_CRL_get0_by_cert.html + #[corresponds(X509_CRL_get0_by_cert)] pub fn get_by_cert<'a>(&'a self, cert: &X509) -> CrlStatus<'a> { unsafe { let mut ret = ptr::null_mut::(); @@ -1639,6 +1610,7 @@ impl X509CrlRef { } /// Get the issuer name from the revocation list. + #[corresponds(X509_CRL_get_issuer)] pub fn issuer_name(&self) -> &X509NameRef { unsafe { let name = X509_CRL_get_issuer(self.as_ptr()); @@ -1653,10 +1625,7 @@ impl X509CrlRef { /// are performed. /// /// Returns `true` if verification succeeds. - /// - /// This corresponds to [`X509_CRL_verify"]. - /// - /// [`X509_CRL_verify`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_CRL_verify.html + #[corresponds(X509_CRL_verify)] pub fn verify(&self, key: &PKeyRef) -> Result where T: HasPublic, @@ -1994,7 +1963,7 @@ cfg_if! { } cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, libressl350))] { use ffi::{ X509_CRL_get_issuer, X509_CRL_get0_nextUpdate, X509_CRL_get0_lastUpdate, X509_CRL_get_REVOKED, From 3f68c0e5c77bd27ece67eb589ac71fc734fffe5b Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Thu, 5 Jan 2023 16:56:02 +0000 Subject: [PATCH 080/341] Use boringssl CRL functions, not structs --- openssl/src/x509/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index d607d2cec0..7870fa836f 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1963,7 +1963,7 @@ cfg_if! { } cfg_if! { - if #[cfg(any(ossl110, libressl350))] { + if #[cfg(any(ossl110, libressl350, boringssl))] { use ffi::{ X509_CRL_get_issuer, X509_CRL_get0_nextUpdate, X509_CRL_get0_lastUpdate, X509_CRL_get_REVOKED, From afaf34065b06ecc0ba5f6ef0460bbfe5ee245ded Mon Sep 17 00:00:00 2001 From: Rui Chen Date: Sat, 7 Jan 2023 00:22:09 -0500 Subject: [PATCH 081/341] brew: prefer to install openssl@3 --- openssl/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 891651ec53..035c90c682 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -29,7 +29,7 @@ //! //! ```not_rust //! # macOS (Homebrew) -//! $ brew install openssl@1.1 +//! $ brew install openssl@3 //! //! # macOS (MacPorts) //! $ sudo port install openssl From 32a303a752732fdd27c407a3a7fd668e546c05db Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 7 Jan 2023 19:53:23 -0500 Subject: [PATCH 082/341] Remove manual libatomic reference The upstream bug has been fixed. --- openssl-sys/build/main.rs | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 1c5a5e7d9f..02ab5c4ac3 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -122,16 +122,6 @@ fn main() { println!("cargo:rustc-link-lib={}={}", kind, lib); } - // https://github.com/openssl/openssl/pull/15086 - if version == Version::Openssl3xx - && kind == "static" - && (env::var("CARGO_CFG_TARGET_OS").unwrap() == "linux" - || env::var("CARGO_CFG_TARGET_OS").unwrap() == "android") - && env::var("CARGO_CFG_TARGET_POINTER_WIDTH").unwrap() == "32" - { - println!("cargo:rustc-link-lib=dylib=atomic"); - } - if kind == "static" && target.contains("windows") { println!("cargo:rustc-link-lib=dylib=gdi32"); println!("cargo:rustc-link-lib=dylib=user32"); From a16ca8d45efb9aeb83de87c12ccd52a13c58ed12 Mon Sep 17 00:00:00 2001 From: iamwwc Date: Tue, 27 Dec 2022 18:28:20 +0800 Subject: [PATCH 083/341] Added following SSL api - set_method - set_private_key_file - set_private_key - set_certificate_pem - set_certificate_chain_file - add_client_ca - set_client_ca_list - set_min_proto_version - set_max_proto_version - set_ciphersuites - set_verify_cert_store --- openssl-sys/src/handwritten/ssl.rs | 9 ++ openssl-sys/src/ssl.rs | 5 + openssl/src/ssl/mod.rs | 175 ++++++++++++++++++++++++++++- openssl/src/ssl/test/mod.rs | 55 +++++++++ 4 files changed, 241 insertions(+), 3 deletions(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index 35b99de3b5..e0c22090e3 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -492,6 +492,8 @@ extern "C" { pub fn SSL_CTX_set_ciphersuites(ctx: *mut SSL_CTX, str: *const c_char) -> c_int; #[cfg(any(ossl111, libressl340))] pub fn SSL_set_ciphersuites(ssl: *mut ::SSL, str: *const c_char) -> c_int; + pub fn SSL_set_cipher_list(ssl: *mut SSL, s: *const c_char) -> c_int; + pub fn SSL_set_ssl_method(s: *mut SSL, method: *const SSL_METHOD) -> c_int; pub fn SSL_set_verify( ssl: *mut SSL, mode: c_int, @@ -515,6 +517,13 @@ extern "C" { ctx: *mut SSL_CTX, cert_chain_file: *const c_char, ) -> c_int; + pub fn SSL_use_PrivateKey_file(ssl: *mut SSL, file: *const c_char, type_: c_int) -> c_int; + pub fn SSL_use_PrivateKey(ssl: *mut SSL, pkey: *mut EVP_PKEY) -> c_int; + pub fn SSL_use_certificate(ssl: *mut SSL, x: *mut X509) -> c_int; + #[cfg(any(ossl110, libressl332))] + pub fn SSL_use_certificate_chain_file(ssl: *mut SSL, file: *const c_char) -> c_int; + pub fn SSL_set_client_CA_list(s: *mut SSL, name_list: *mut stack_st_X509_NAME); + pub fn SSL_add_client_CA(ssl: *mut SSL, x: *mut X509) -> c_int; pub fn SSL_load_client_CA_file(file: *const c_char) -> *mut stack_st_X509_NAME; #[cfg(not(ossl110))] diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs index 9e3956bf2c..c66e42c2c9 100644 --- a/openssl-sys/src/ssl.rs +++ b/openssl-sys/src/ssl.rs @@ -392,6 +392,11 @@ pub unsafe fn SSL_CTX_set0_verify_cert_store(ctx: *mut SSL_CTX, st: *mut X509_ST SSL_CTX_ctrl(ctx, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, st as *mut c_void) } +#[cfg(ossl102)] +pub unsafe fn SSL_set0_verify_cert_store(ssl: *mut SSL, st: *mut X509_STORE) -> c_long { + SSL_ctrl(ssl, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, st as *mut c_void) +} + cfg_if! { if #[cfg(ossl111)] { pub unsafe fn SSL_CTX_set1_groups_list(ctx: *mut SSL_CTX, s: *const c_char) -> c_long { diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 9debaa37d0..8f40ce8212 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -2507,10 +2507,8 @@ impl SslRef { /// Like [`SslContext::private_key`]. /// - /// This corresponds to `SSL_get_privatekey`. - /// /// [`SslContext::private_key`]: struct.SslContext.html#method.private_key - #[corresponds(SSL_get_certificate)] + #[corresponds(SSL_get_privatekey)] pub fn private_key(&self) -> Option<&PKeyRef> { unsafe { let ptr = ffi::SSL_get_privatekey(self.as_ptr()); @@ -3114,6 +3112,177 @@ impl SslRef { } Ok(()) } + + /// Sets a new default TLS/SSL method for SSL objects + #[cfg(not(boringssl))] + pub fn set_method(&mut self, method: SslMethod) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::SSL_set_ssl_method(self.as_ptr(), method.as_ptr()))?; + }; + Ok(()) + } + + /// Loads the private key from a file. + #[corresponds(SSL_use_Private_Key_file)] + pub fn set_private_key_file>( + &mut self, + path: P, + ssl_file_type: SslFiletype, + ) -> Result<(), ErrorStack> { + let p = path.as_ref().as_os_str().to_str().unwrap(); + let key_file = CString::new(p).unwrap(); + unsafe { + cvt(ffi::SSL_use_PrivateKey_file( + self.as_ptr(), + key_file.as_ptr(), + ssl_file_type.as_raw(), + ))?; + }; + Ok(()) + } + + /// Sets the private key. + #[corresponds(SSL_use_PrivateKey)] + pub fn set_private_key(&mut self, pkey: &PKeyRef) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::SSL_use_PrivateKey(self.as_ptr(), pkey.as_ptr()))?; + }; + Ok(()) + } + + /// Sets the certificate + #[corresponds(SSL_use_certificate)] + pub fn set_certificate(&mut self, cert: &X509Ref) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::SSL_use_certificate(self.as_ptr(), cert.as_ptr()))?; + }; + Ok(()) + } + + /// Loads a certificate chain from a file. + /// + /// The file should contain a sequence of PEM-formatted certificates, the first being the leaf + /// certificate, and the remainder forming the chain of certificates up to and including the + /// trusted root certificate. + #[corresponds(SSL_use_certificate_chain_file)] + #[cfg(any(ossl110, libressl332))] + pub fn set_certificate_chain_file>( + &mut self, + path: P, + ) -> Result<(), ErrorStack> { + let p = path.as_ref().as_os_str().to_str().unwrap(); + let cert_file = CString::new(p).unwrap(); + unsafe { + cvt(ffi::SSL_use_certificate_chain_file( + self.as_ptr(), + cert_file.as_ptr(), + ))?; + }; + Ok(()) + } + + /// Sets ca certificate that client trusted + #[corresponds(SSL_add_client_CA)] + pub fn add_client_ca(&mut self, cacert: &X509Ref) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::SSL_add_client_CA(self.as_ptr(), cacert.as_ptr()))?; + }; + Ok(()) + } + + // Sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl + #[corresponds(SSL_set_client_CA_list)] + pub fn set_client_ca_list(&mut self, list: Stack) { + unsafe { ffi::SSL_set_client_CA_list(self.as_ptr(), list.as_ptr()) } + mem::forget(list); + } + + /// Sets the minimum supported protocol version. + /// + /// A value of `None` will enable protocol versions down the the lowest version supported by + /// OpenSSL. + /// + /// Requires OpenSSL 1.1.0 or LibreSSL 2.6.1 or newer. + #[corresponds(SSL_set_min_proto_version)] + #[cfg(any(ossl110, libressl261))] + pub fn set_min_proto_version(&mut self, version: Option) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::SSL_set_min_proto_version( + self.as_ptr(), + version.map_or(0, |v| v.0 as _), + )) + .map(|_| ()) + } + } + + /// Sets the maximum supported protocol version. + /// + /// A value of `None` will enable protocol versions down the the highest version supported by + /// OpenSSL. + /// + /// Requires OpenSSL 1.1.0 or or LibreSSL 2.6.1 or newer. + #[corresponds(SSL_set_max_proto_version)] + #[cfg(any(ossl110, libressl261))] + pub fn set_max_proto_version(&mut self, version: Option) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::SSL_set_max_proto_version( + self.as_ptr(), + version.map_or(0, |v| v.0 as _), + )) + .map(|_| ()) + } + } + + /// Sets the list of supported ciphers for the TLSv1.3 protocol. + /// + /// The `set_cipher_list` method controls the cipher suites for protocols before TLSv1.3. + /// + /// The format consists of TLSv1.3 cipher suite names separated by `:` characters in order of + /// preference. + /// + /// Requires OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer. + #[corresponds(SSL_set_ciphersuites)] + #[cfg(any(ossl111, libressl340))] + pub fn set_ciphersuites(&mut self, cipher_list: &str) -> Result<(), ErrorStack> { + let cipher_list = CString::new(cipher_list).unwrap(); + unsafe { + cvt(ffi::SSL_set_ciphersuites( + self.as_ptr(), + cipher_list.as_ptr() as *const _, + )) + .map(|_| ()) + } + } + + /// Sets the list of supported ciphers for protocols before TLSv1.3. + /// + /// The `set_ciphersuites` method controls the cipher suites for TLSv1.3. + /// + /// See [`ciphers`] for details on the format. + /// + /// [`ciphers`]: https://www.openssl.org/docs/manmaster/apps/ciphers.html + #[corresponds(SSL_set_cipher_list)] + pub fn set_cipher_list(&mut self, cipher_list: &str) -> Result<(), ErrorStack> { + let cipher_list = CString::new(cipher_list).unwrap(); + unsafe { + cvt(ffi::SSL_set_cipher_list( + self.as_ptr(), + cipher_list.as_ptr() as *const _, + )) + .map(|_| ()) + } + } + + /// Set the certificate store used for certificate verification + #[corresponds(SSL_set_cert_store)] + #[cfg(ossl102)] + pub fn set_verify_cert_store(&mut self, cert_store: X509Store) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::SSL_set0_verify_cert_store(self.as_ptr(), cert_store.as_ptr()) as c_int)?; + mem::forget(cert_store); + Ok(()) + } + } } /// An SSL stream midway through the handshake process. diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index dc9cc78527..ddf01f2dd0 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1422,3 +1422,58 @@ fn add_chain_cert() { let mut ssl = Ssl::new(&ctx).unwrap(); assert!(ssl.add_chain_cert(cert).is_ok()); } +#[test] +#[cfg(ossl111)] +fn set_ssl_certificate_key_related_api() { + let cert_str: &str = include_str!("../../../test/cert.pem"); + let key_str: &str = include_str!("../../../test/key.pem"); + let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); + let cert_x509 = X509::from_pem(CERT).unwrap(); + let mut ssl = Ssl::new(&ctx).unwrap(); + assert!(ssl.set_method(SslMethod::tls()).is_ok()); + ssl.set_private_key_file("test/key.pem", SslFiletype::PEM) + .unwrap(); + { + let pkey = String::from_utf8( + ssl.private_key() + .unwrap() + .private_key_to_pem_pkcs8() + .unwrap(), + ) + .unwrap(); + assert!(pkey.lines().eq(key_str.lines())); + } + let pkey = PKey::private_key_from_pem(KEY).unwrap(); + ssl.set_private_key(pkey.as_ref()).unwrap(); + { + let pkey = String::from_utf8( + ssl.private_key() + .unwrap() + .private_key_to_pem_pkcs8() + .unwrap(), + ) + .unwrap(); + assert!(pkey.lines().eq(key_str.lines())); + } + ssl.set_certificate(cert_x509.as_ref()).unwrap(); + let cert = String::from_utf8(ssl.certificate().unwrap().to_pem().unwrap()).unwrap(); + assert!(cert.lines().eq(cert_str.lines())); + ssl.add_client_ca(cert_x509.as_ref()).unwrap(); + ssl.set_min_proto_version(Some(SslVersion::TLS1_2)).unwrap(); + ssl.set_max_proto_version(Some(SslVersion::TLS1_3)).unwrap(); + ssl.set_cipher_list("HIGH:!aNULL:!MD5").unwrap(); + ssl.set_ciphersuites("TLS_AES_128_GCM_SHA256").unwrap(); + let x509 = X509::from_pem(ROOT_CERT).unwrap(); + let mut builder = X509StoreBuilder::new().unwrap(); + builder.add_cert(x509).unwrap(); + let store = builder.build(); + ssl.set_verify_cert_store(store).unwrap(); +} + +#[test] +#[cfg(ossl110)] +fn test_ssl_set_cert_chain_file() { + let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); + let mut ssl = Ssl::new(&ctx).unwrap(); + ssl.set_certificate_chain_file("test/cert.pem").unwrap(); +} From 1241df5cc0aacc78d03c90cd30d4d3d5437fa95a Mon Sep 17 00:00:00 2001 From: Liu Dingming Date: Tue, 10 Jan 2023 13:37:30 +0800 Subject: [PATCH 084/341] Remove use of pkg_config's legacy api --- openssl-sys/build/find_normal.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index df451438ad..b5dfe8e259 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -211,7 +211,7 @@ fn try_pkg_config() { let lib = match pkg_config::Config::new() .print_system_libs(false) - .find("openssl") + .probe("openssl") { Ok(lib) => lib, Err(e) => { From 62c8dfdedf67d947f2ff5da0b0ae94741ea8671a Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Thu, 12 Jan 2023 11:14:35 +0100 Subject: [PATCH 085/341] Add check for OPENSSL_NO_CAST This check detects at build time if CAST5 algorithm has been disabled in current OpenSSL library build. See: https://github.com/sfackler/rust-openssl/pull/1717#issuecomment-1379474589 --- openssl-sys/build/expando.c | 4 ++++ openssl-sys/src/handwritten/evp.rs | 4 ++-- openssl/src/cipher.rs | 4 ++-- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index 980241074a..11fb04db0c 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -39,6 +39,10 @@ RUST_CONF_OPENSSL_NO_IDEA RUST_CONF_OPENSSL_NO_CAMELLIA #endif +#ifdef OPENSSL_NO_CAST +RUST_CONF_OPENSSL_NO_CAST +#endif + #ifdef OPENSSL_NO_CMS RUST_CONF_OPENSSL_NO_CMS #endif diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 5ee017f7d1..46e5b88f04 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -380,9 +380,9 @@ extern "C" { #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] pub fn EVP_camellia_256_ecb() -> *const EVP_CIPHER; - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] pub fn EVP_cast5_cfb64() -> *const EVP_CIPHER; - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] pub fn EVP_cast5_ecb() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index ab5f49d22f..aeedf459aa 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -358,12 +358,12 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_256_ecb() as *mut _) } } - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] pub fn cast5_cfb64() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_cast5_cfb64() as *mut _) } } - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] pub fn cast5_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_cast5_ecb() as *mut _) } } From 45f6f2b50bfdbba31b47ce8244e0c783b8c4da71 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 13 Jan 2023 13:38:13 +0100 Subject: [PATCH 086/341] Fixed X509_PURPOSE issues (location and implementation) --- openssl-sys/src/handwritten/x509_vfy.rs | 22 ++++++ openssl-sys/src/x509_vfy.rs | 23 ------ openssl-sys/src/x509v3.rs | 22 ++++++ openssl/src/x509/mod.rs | 97 +++++++++++++++++++++++++ openssl/src/x509/store.rs | 16 +++- openssl/src/x509/tests.rs | 71 +++++++++++++++++- openssl/src/x509/verify.rs | 29 +------- 7 files changed, 227 insertions(+), 53 deletions(-) diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs index 387b9dd045..58dff38465 100644 --- a/openssl-sys/src/handwritten/x509_vfy.rs +++ b/openssl-sys/src/handwritten/x509_vfy.rs @@ -4,6 +4,18 @@ use *; #[cfg(any(libressl, all(ossl102, not(ossl110))))] pub enum X509_VERIFY_PARAM_ID {} +#[repr(C)] +pub struct X509_PURPOSE { + pub purpose: c_int, + pub trust: c_int, // Default trust ID + pub flags: c_int, + pub check_purpose: + Option c_int>, + pub name: *mut c_char, + pub sname: *mut c_char, + pub usr_data: *mut c_void, +} + extern "C" { #[cfg(ossl110)] pub fn X509_LOOKUP_meth_free(method: *mut X509_LOOKUP_METHOD); @@ -48,6 +60,9 @@ extern "C" { pub fn X509_STORE_set_default_paths(store: *mut X509_STORE) -> c_int; pub fn X509_STORE_set_flags(store: *mut X509_STORE, flags: c_ulong) -> c_int; + pub fn X509_STORE_set_purpose(ctx: *mut X509_STORE, purpose: c_int) -> c_int; + pub fn X509_STORE_set_trust(ctx: *mut X509_STORE, trust: c_int) -> c_int; + } const_ptr_api! { @@ -127,3 +142,10 @@ extern "C" { #[cfg(ossl102)] pub fn X509_VERIFY_PARAM_set_purpose(param: *mut X509_VERIFY_PARAM, purpose: c_int) -> c_int; } + +const_ptr_api! { + extern "C" { + pub fn X509_PURPOSE_get_by_sname(sname: #[const_ptr_if(any(ossl110, libressl280))] c_char) -> c_int; + pub fn X509_PURPOSE_get0(idx: c_int) -> *mut X509_PURPOSE; + } +} diff --git a/openssl-sys/src/x509_vfy.rs b/openssl-sys/src/x509_vfy.rs index ab6cb1afbf..455a748b52 100644 --- a/openssl-sys/src/x509_vfy.rs +++ b/openssl-sys/src/x509_vfy.rs @@ -147,26 +147,3 @@ pub unsafe fn X509_LOOKUP_add_dir( std::ptr::null_mut(), ) } - -#[cfg(ossl102)] -pub const X509_PURPOSE_SSL_CLIENT: c_int = 1; -#[cfg(ossl102)] -pub const X509_PURPOSE_SSL_SERVER: c_int = 2; -#[cfg(ossl102)] -pub const X509_PURPOSE_NS_SSL_SERVER: c_int = 3; -#[cfg(ossl102)] -pub const X509_PURPOSE_SMIME_SIGN: c_int = 4; -#[cfg(ossl102)] -pub const X509_PURPOSE_SMIME_ENCRYPT: c_int = 5; -#[cfg(ossl102)] -pub const X509_PURPOSE_CRL_SIGN: c_int = 6; -#[cfg(ossl102)] -pub const X509_PURPOSE_ANY: c_int = 7; -#[cfg(ossl102)] -pub const X509_PURPOSE_OCSP_HELPER: c_int = 8; -#[cfg(ossl102)] -pub const X509_PURPOSE_TIMESTAMP_SIGN: c_int = 9; -#[cfg(ossl102)] -pub const X509_PURPOSE_MIN: c_int = 1; -#[cfg(ossl102)] -pub const X509_PURPOSE_MAX: c_int = 9; diff --git a/openssl-sys/src/x509v3.rs b/openssl-sys/src/x509v3.rs index ac826b601b..28b6cb7bc4 100644 --- a/openssl-sys/src/x509v3.rs +++ b/openssl-sys/src/x509v3.rs @@ -58,15 +58,25 @@ pub const EXFLAG_FRESHEST: u32 = 0x1000; #[cfg(any(ossl102, libressl261))] pub const EXFLAG_SS: u32 = 0x2000; +#[cfg(not(boringssl))] pub const X509v3_KU_DIGITAL_SIGNATURE: u32 = 0x0080; +#[cfg(not(boringssl))] pub const X509v3_KU_NON_REPUDIATION: u32 = 0x0040; +#[cfg(not(boringssl))] pub const X509v3_KU_KEY_ENCIPHERMENT: u32 = 0x0020; +#[cfg(not(boringssl))] pub const X509v3_KU_DATA_ENCIPHERMENT: u32 = 0x0010; +#[cfg(not(boringssl))] pub const X509v3_KU_KEY_AGREEMENT: u32 = 0x0008; +#[cfg(not(boringssl))] pub const X509v3_KU_KEY_CERT_SIGN: u32 = 0x0004; +#[cfg(not(boringssl))] pub const X509v3_KU_CRL_SIGN: u32 = 0x0002; +#[cfg(not(boringssl))] pub const X509v3_KU_ENCIPHER_ONLY: u32 = 0x0001; +#[cfg(not(boringssl))] pub const X509v3_KU_DECIPHER_ONLY: u32 = 0x8000; +#[cfg(not(boringssl))] pub const X509v3_KU_UNDEF: u32 = 0xffff; pub const XKU_SSL_SERVER: u32 = 0x1; @@ -79,3 +89,15 @@ pub const XKU_TIMESTAMP: u32 = 0x40; pub const XKU_DVCS: u32 = 0x80; #[cfg(ossl110)] pub const XKU_ANYEKU: u32 = 0x100; + +pub const X509_PURPOSE_SSL_CLIENT: c_int = 1; +pub const X509_PURPOSE_SSL_SERVER: c_int = 2; +pub const X509_PURPOSE_NS_SSL_SERVER: c_int = 3; +pub const X509_PURPOSE_SMIME_SIGN: c_int = 4; +pub const X509_PURPOSE_SMIME_ENCRYPT: c_int = 5; +pub const X509_PURPOSE_CRL_SIGN: c_int = 6; +pub const X509_PURPOSE_ANY: c_int = 7; +pub const X509_PURPOSE_OCSP_HELPER: c_int = 8; +pub const X509_PURPOSE_TIMESTAMP_SIGN: c_int = 9; +pub const X509_PURPOSE_MIN: c_int = 1; +pub const X509_PURPOSE_MAX: c_int = 9; diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index c9d2a64215..514935c8cb 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -227,6 +227,7 @@ impl X509Builder { /// Note that the version is zero-indexed; that is, a certificate corresponding to version 3 of /// the X.509 standard should pass `2` to this method. #[corresponds(X509_set_version)] + #[allow(clippy::useless_conversion)] pub fn set_version(&mut self, version: i32) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_set_version(self.0.as_ptr(), version as c_long)).map(|_| ()) } } @@ -1181,6 +1182,7 @@ impl X509ReqBuilder { /// This corresponds to [`X509_REQ_set_version`]. /// ///[`X509_REQ_set_version`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_set_version.html + #[allow(clippy::useless_conversion)] pub fn set_version(&mut self, version: i32) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_REQ_set_version( @@ -1737,3 +1739,98 @@ cfg_if! { } } } + +pub struct X509PurposeId(i32); + +impl X509PurposeId { + pub const SSL_CLIENT: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_SSL_CLIENT); + pub const SSL_SERVER: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_SSL_SERVER); + pub const NS_SSL_SERVER: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_NS_SSL_SERVER); + pub const SMIME_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_SMIME_SIGN); + pub const SMIME_ENCRYPT: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_SMIME_ENCRYPT); + pub const CRL_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_CRL_SIGN); + pub const ANY: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_ANY); + pub const OCSP_HELPER: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_OCSP_HELPER); + pub const TIMESTAMP_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_TIMESTAMP_SIGN); + + pub fn value(&self) -> i32 { + self.0 + } +} + +impl From for X509PurposeId { + fn from(id: i32) -> Self { + X509PurposeId(id) + } +} + +/// fake free method, since X509_PURPOSE is static +unsafe fn no_free_purpose(_purps: *mut ffi::X509_PURPOSE) {} + +foreign_type_and_impl_send_sync! { + type CType = ffi::X509_PURPOSE; + fn drop = no_free_purpose; + + /// Adjust parameters associated with certificate verification. + pub struct X509Purpose; + /// Reference to `X509Purpose`. + pub struct X509PurposeRef; +} + +impl X509Purpose { + /// Get the internal table index of an X509_PURPOSE for a given short name. Valid short + /// names include + /// - "sslclient", + /// - "sslserver", + /// - "nssslserver", + /// - "smimesign", + /// - "smimeencrypt", + /// - "crlsign", + /// - "any", + /// - "ocsphelper", + /// - "timestampsign" + /// The index can be used with `X509Purpose::from_idx()` to get the purpose. + #[allow(clippy::unnecessary_cast)] + pub fn get_by_sname(sname: &str) -> Result { + unsafe { + let sname = CString::new(sname).unwrap(); + cfg_if! { + if #[cfg(any(ossl110, libressl280))] { + let purpose = cvt_n(ffi::X509_PURPOSE_get_by_sname(sname.as_ptr() as *const _))?; + } else { + let purpose = cvt_n(ffi::X509_PURPOSE_get_by_sname(sname.as_ptr() as *mut _))?; + } + } + Ok(purpose as i32) + } + } + + /// Get an `X509PurposeRef` for a given index value. The index can be obtained from e.g. + /// `X509Purpose::get_by_sname()`. + #[corresponds(X509_PURPOSE_get0)] + pub fn from_idx(idx: i32) -> Result<&'static X509PurposeRef, ErrorStack> { + unsafe { + let ptr = cvt_p(ffi::X509_PURPOSE_get0(idx))?; + Ok(X509PurposeRef::from_ptr(ptr)) + } + } +} + +impl X509PurposeRef { + /// Get the purpose value from an X509Purpose structure. This value is one of + /// - `X509_PURPOSE_SSL_CLIENT` + /// - `X509_PURPOSE_SSL_SERVER` + /// - `X509_PURPOSE_NS_SSL_SERVER` + /// - `X509_PURPOSE_SMIME_SIGN` + /// - `X509_PURPOSE_SMIME_ENCRYPT` + /// - `X509_PURPOSE_CRL_SIGN` + /// - `X509_PURPOSE_ANY` + /// - `X509_PURPOSE_OCSP_HELPER` + /// - `X509_PURPOSE_TIMESTAMP_SIGN` + pub fn purpose(&self) -> X509PurposeId { + unsafe { + let x509_purpose: *mut ffi::X509_PURPOSE = self.as_ptr(); + X509PurposeId::from((*x509_purpose).purpose) + } + } +} diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs index fa17cc4b9c..d8c17bbe50 100644 --- a/openssl/src/x509/store.rs +++ b/openssl/src/x509/store.rs @@ -51,8 +51,9 @@ use crate::ssl::SslFiletype; use crate::stack::StackRef; #[cfg(any(ossl102, libressl261))] use crate::x509::verify::{X509VerifyFlags, X509VerifyParamRef}; -use crate::x509::{X509Object, X509}; +use crate::x509::{X509Object, X509PurposeId, X509}; use crate::{cvt, cvt_p}; +use libc::c_int; use openssl_macros::corresponds; #[cfg(not(boringssl))] use std::ffi::CString; @@ -125,6 +126,19 @@ impl X509StoreBuilderRef { unsafe { cvt(ffi::X509_STORE_set_flags(self.as_ptr(), flags.bits())).map(|_| ()) } } + /// Sets the certificate purpose. + /// The purpose value can be obtained by `X509Purpose::get_by_sname()` + #[corresponds(X509_STORE_set_purpose)] + pub fn set_purpose(&mut self, purpose: X509PurposeId) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::X509_STORE_set_purpose( + self.as_ptr(), + purpose.value() as c_int, + )) + .map(|_| ()) + } + } + /// Sets certificate chain validation related parameters. #[corresponds[X509_STORE_set1_param]] #[cfg(any(ossl102, libressl261))] diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 114869aa1a..6a61b0ffc3 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -16,12 +16,14 @@ use crate::x509::extension::{ #[cfg(not(boringssl))] use crate::x509::store::X509Lookup; use crate::x509::store::X509StoreBuilder; -#[cfg(ossl102)] -use crate::x509::verify::X509PurposeFlags; #[cfg(any(ossl102, libressl261))] use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; #[cfg(ossl110)] use crate::x509::X509Builder; +#[cfg(any(ossl102, libressl261))] +use crate::x509::X509Purpose; +#[cfg(ossl102)] +use crate::x509::X509PurposeId; use crate::x509::{X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] @@ -440,6 +442,67 @@ fn test_verify_fails_with_crl_flag_set_and_no_crl() { ) } +#[test] +#[cfg(any(ossl102, libressl261))] +fn test_verify_cert_with_purpose() { + let cert = include_bytes!("../../test/cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + let ca = include_bytes!("../../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let chain = Stack::new().unwrap(); + + let mut store_bldr = X509StoreBuilder::new().unwrap(); + let purpose_idx = X509Purpose::get_by_sname("sslserver") + .expect("Getting certificate purpose 'sslserver' failed"); + let x509_purpose = + X509Purpose::from_idx(purpose_idx).expect("Getting certificate purpose failed"); + store_bldr + .set_purpose(x509_purpose.purpose()) + .expect("Setting certificate purpose failed"); + store_bldr.add_cert(ca).unwrap(); + + let store = store_bldr.build(); + + let mut context = X509StoreContext::new().unwrap(); + assert!(context + .init(&store, &cert, &chain, |c| c.verify_cert()) + .unwrap()); +} + +#[test] +#[cfg(any(ossl102, libressl261))] +fn test_verify_cert_with_wrong_purpose_fails() { + let cert = include_bytes!("../../test/cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + let ca = include_bytes!("../../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let chain = Stack::new().unwrap(); + + let mut store_bldr = X509StoreBuilder::new().unwrap(); + let purpose_idx = X509Purpose::get_by_sname("timestampsign") + .expect("Getting certificate purpose 'timestampsign' failed"); + let x509_purpose = + X509Purpose::from_idx(purpose_idx).expect("Getting certificate purpose failed"); + store_bldr + .set_purpose(x509_purpose.purpose()) + .expect("Setting certificate purpose failed"); + store_bldr.add_cert(ca).unwrap(); + + let store = store_bldr.build(); + + let mut context = X509StoreContext::new().unwrap(); + assert_eq!( + context + .init(&store, &cert, &chain, |c| { + c.verify_cert()?; + Ok(c.error()) + }) + .unwrap() + .error_string(), + "unsupported certificate purpose" + ) +} + #[cfg(ossl110)] #[test] fn x509_ref_version() { @@ -724,7 +787,7 @@ fn test_set_purpose() { let mut store_bldr = X509StoreBuilder::new().unwrap(); store_bldr.add_cert(ca).unwrap(); let mut verify_params = X509VerifyParam::new().unwrap(); - verify_params.set_purpose(X509PurposeFlags::ANY).unwrap(); + verify_params.set_purpose(X509PurposeId::ANY).unwrap(); store_bldr.set_param(&verify_params).unwrap(); let store = store_bldr.build(); let mut context = X509StoreContext::new().unwrap(); @@ -750,7 +813,7 @@ fn test_set_purpose_fails_verification() { store_bldr.add_cert(ca).unwrap(); let mut verify_params = X509VerifyParam::new().unwrap(); verify_params - .set_purpose(X509PurposeFlags::TIMESTAMP_SIGN) + .set_purpose(X509PurposeId::TIMESTAMP_SIGN) .unwrap(); store_bldr.set_param(&verify_params).unwrap(); let store = store_bldr.build(); diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index dbd206e5d5..b0e22ef462 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -4,6 +4,8 @@ use libc::{c_int, c_uint, c_ulong, time_t}; use std::net::IpAddr; use crate::error::ErrorStack; +#[cfg(ossl102)] +use crate::x509::X509PurposeId; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; @@ -180,30 +182,7 @@ impl X509VerifyParamRef { /// Sets the verification purpose #[corresponds(X509_VERIFY_PARAM_set_purpose)] #[cfg(ossl102)] - pub fn set_purpose(&mut self, purpose: X509PurposeFlags) -> Result<(), ErrorStack> { - unsafe { - cvt(ffi::X509_VERIFY_PARAM_set_purpose( - self.as_ptr(), - purpose.bits, - )) - .map(|_| ()) - } + pub fn set_purpose(&mut self, purpose: X509PurposeId) -> Result<(), ErrorStack> { + unsafe { cvt(ffi::X509_VERIFY_PARAM_set_purpose(self.as_ptr(), purpose.0)).map(|_| ()) } } } - -#[cfg(ossl102)] -bitflags! { - /// Bitflags defining the purpose of the verification - pub struct X509PurposeFlags: c_int { - const SSL_CLIENT = ffi::X509_PURPOSE_SSL_CLIENT; - const SSL_SERVER = ffi::X509_PURPOSE_SSL_SERVER; - const NS_SSL_SERVER = ffi::X509_PURPOSE_NS_SSL_SERVER; - const SMIME_SIGN = ffi::X509_PURPOSE_SMIME_SIGN; - const SMIME_ENCRYPT = ffi::X509_PURPOSE_SMIME_ENCRYPT; - const CRL_SIGN = ffi::X509_PURPOSE_CRL_SIGN; - const ANY = ffi::X509_PURPOSE_ANY; - const OCSP_HELPER = ffi::X509_PURPOSE_OCSP_HELPER; - const TIMESTAMP_SIGN = ffi::X509_PURPOSE_TIMESTAMP_SIGN; - } - -} From 38ec6d735c70f56906805e31c512c8a2131c163b Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 13 Jan 2023 13:59:11 +0100 Subject: [PATCH 087/341] Moved X509Purpose related definitions. --- openssl-sys/src/handwritten/x509.rs | 19 +++++++++++++++++++ openssl-sys/src/handwritten/x509_vfy.rs | 19 ------------------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 57737a0b06..047f3df262 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -645,3 +645,22 @@ extern "C" { pub fn X509_print(bio: *mut BIO, x509: *mut X509) -> c_int; pub fn X509_REQ_print(bio: *mut BIO, req: *mut X509_REQ) -> c_int; } + +#[repr(C)] +pub struct X509_PURPOSE { + pub purpose: c_int, + pub trust: c_int, // Default trust ID + pub flags: c_int, + pub check_purpose: + Option c_int>, + pub name: *mut c_char, + pub sname: *mut c_char, + pub usr_data: *mut c_void, +} + +const_ptr_api! { + extern "C" { + pub fn X509_PURPOSE_get_by_sname(sname: #[const_ptr_if(any(ossl110, libressl280))] c_char) -> c_int; + pub fn X509_PURPOSE_get0(idx: c_int) -> *mut X509_PURPOSE; + } +} diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs index 58dff38465..48e6371c46 100644 --- a/openssl-sys/src/handwritten/x509_vfy.rs +++ b/openssl-sys/src/handwritten/x509_vfy.rs @@ -4,18 +4,6 @@ use *; #[cfg(any(libressl, all(ossl102, not(ossl110))))] pub enum X509_VERIFY_PARAM_ID {} -#[repr(C)] -pub struct X509_PURPOSE { - pub purpose: c_int, - pub trust: c_int, // Default trust ID - pub flags: c_int, - pub check_purpose: - Option c_int>, - pub name: *mut c_char, - pub sname: *mut c_char, - pub usr_data: *mut c_void, -} - extern "C" { #[cfg(ossl110)] pub fn X509_LOOKUP_meth_free(method: *mut X509_LOOKUP_METHOD); @@ -142,10 +130,3 @@ extern "C" { #[cfg(ossl102)] pub fn X509_VERIFY_PARAM_set_purpose(param: *mut X509_VERIFY_PARAM, purpose: c_int) -> c_int; } - -const_ptr_api! { - extern "C" { - pub fn X509_PURPOSE_get_by_sname(sname: #[const_ptr_if(any(ossl110, libressl280))] c_char) -> c_int; - pub fn X509_PURPOSE_get0(idx: c_int) -> *mut X509_PURPOSE; - } -} From 40f2df87f92aa496d7e5c71c2e12bc95be85ca7e Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 16 Jan 2023 09:11:17 +0100 Subject: [PATCH 088/341] X509Purpose -> X509PurposeRef. --- openssl-sys/src/x509v3.rs | 10 --------- openssl/src/x509/mod.rs | 47 ++++++++++++++++----------------------- openssl/src/x509/store.rs | 5 ++--- openssl/src/x509/tests.rs | 14 ++++++------ 4 files changed, 28 insertions(+), 48 deletions(-) diff --git a/openssl-sys/src/x509v3.rs b/openssl-sys/src/x509v3.rs index 28b6cb7bc4..ed135fa99b 100644 --- a/openssl-sys/src/x509v3.rs +++ b/openssl-sys/src/x509v3.rs @@ -58,25 +58,15 @@ pub const EXFLAG_FRESHEST: u32 = 0x1000; #[cfg(any(ossl102, libressl261))] pub const EXFLAG_SS: u32 = 0x2000; -#[cfg(not(boringssl))] pub const X509v3_KU_DIGITAL_SIGNATURE: u32 = 0x0080; -#[cfg(not(boringssl))] pub const X509v3_KU_NON_REPUDIATION: u32 = 0x0040; -#[cfg(not(boringssl))] pub const X509v3_KU_KEY_ENCIPHERMENT: u32 = 0x0020; -#[cfg(not(boringssl))] pub const X509v3_KU_DATA_ENCIPHERMENT: u32 = 0x0010; -#[cfg(not(boringssl))] pub const X509v3_KU_KEY_AGREEMENT: u32 = 0x0008; -#[cfg(not(boringssl))] pub const X509v3_KU_KEY_CERT_SIGN: u32 = 0x0004; -#[cfg(not(boringssl))] pub const X509v3_KU_CRL_SIGN: u32 = 0x0002; -#[cfg(not(boringssl))] pub const X509v3_KU_ENCIPHER_ONLY: u32 = 0x0001; -#[cfg(not(boringssl))] pub const X509v3_KU_DECIPHER_ONLY: u32 = 0x8000; -#[cfg(not(boringssl))] pub const X509v3_KU_UNDEF: u32 = 0xffff; pub const XKU_SSL_SERVER: u32 = 0x1; diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 514935c8cb..b885dd5778 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -8,7 +8,7 @@ //! the secure protocol for browsing the web. use cfg_if::cfg_if; -use foreign_types::{ForeignType, ForeignTypeRef}; +use foreign_types::{ForeignType, ForeignTypeRef, Opaque}; use libc::{c_int, c_long, c_uint}; use std::cmp::{self, Ordering}; use std::error::Error; @@ -1740,7 +1740,8 @@ cfg_if! { } } -pub struct X509PurposeId(i32); +#[derive(Copy, Clone, PartialEq, Eq)] +pub struct X509PurposeId(c_int); impl X509PurposeId { pub const SSL_CLIENT: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_SSL_CLIENT); @@ -1753,31 +1754,24 @@ impl X509PurposeId { pub const OCSP_HELPER: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_OCSP_HELPER); pub const TIMESTAMP_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_TIMESTAMP_SIGN); - pub fn value(&self) -> i32 { - self.0 - } -} + /// Constructs an `X509PurposeId` from a raw OpenSSL value. + pub fn from_raw(id: c_int) -> Self { X509PurposeId(id) } -impl From for X509PurposeId { - fn from(id: i32) -> Self { - X509PurposeId(id) + /// Returns the raw OpenSSL value represented by this type. + pub fn as_raw(&self) -> c_int { + self.0 } } -/// fake free method, since X509_PURPOSE is static -unsafe fn no_free_purpose(_purps: *mut ffi::X509_PURPOSE) {} +/// A reference to an [`X509_PURPOSE`]. +pub struct X509PurposeRef(Opaque); -foreign_type_and_impl_send_sync! { +/// Implements a wrapper type for the static `X509_PURPOSE` table in OpenSSL. +impl ForeignTypeRef for X509PurposeRef { type CType = ffi::X509_PURPOSE; - fn drop = no_free_purpose; - - /// Adjust parameters associated with certificate verification. - pub struct X509Purpose; - /// Reference to `X509Purpose`. - pub struct X509PurposeRef; } -impl X509Purpose { +impl X509PurposeRef { /// Get the internal table index of an X509_PURPOSE for a given short name. Valid short /// names include /// - "sslclient", @@ -1789,9 +1783,9 @@ impl X509Purpose { /// - "any", /// - "ocsphelper", /// - "timestampsign" - /// The index can be used with `X509Purpose::from_idx()` to get the purpose. + /// The index can be used with `X509PurposeRef::from_idx()` to get the purpose. #[allow(clippy::unnecessary_cast)] - pub fn get_by_sname(sname: &str) -> Result { + pub fn get_by_sname(sname: &str) -> Result { unsafe { let sname = CString::new(sname).unwrap(); cfg_if! { @@ -1801,22 +1795,19 @@ impl X509Purpose { let purpose = cvt_n(ffi::X509_PURPOSE_get_by_sname(sname.as_ptr() as *mut _))?; } } - Ok(purpose as i32) + Ok(purpose) } } - /// Get an `X509PurposeRef` for a given index value. The index can be obtained from e.g. - /// `X509Purpose::get_by_sname()`. + /// `X509PurposeRef::get_by_sname()`. #[corresponds(X509_PURPOSE_get0)] - pub fn from_idx(idx: i32) -> Result<&'static X509PurposeRef, ErrorStack> { + pub fn from_idx(idx: c_int) -> Result<&'static X509PurposeRef, ErrorStack> { unsafe { let ptr = cvt_p(ffi::X509_PURPOSE_get0(idx))?; Ok(X509PurposeRef::from_ptr(ptr)) } } -} -impl X509PurposeRef { /// Get the purpose value from an X509Purpose structure. This value is one of /// - `X509_PURPOSE_SSL_CLIENT` /// - `X509_PURPOSE_SSL_SERVER` @@ -1830,7 +1821,7 @@ impl X509PurposeRef { pub fn purpose(&self) -> X509PurposeId { unsafe { let x509_purpose: *mut ffi::X509_PURPOSE = self.as_ptr(); - X509PurposeId::from((*x509_purpose).purpose) + X509PurposeId::from_raw((*x509_purpose).purpose) } } } diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs index d8c17bbe50..55d5d75258 100644 --- a/openssl/src/x509/store.rs +++ b/openssl/src/x509/store.rs @@ -53,7 +53,6 @@ use crate::stack::StackRef; use crate::x509::verify::{X509VerifyFlags, X509VerifyParamRef}; use crate::x509::{X509Object, X509PurposeId, X509}; use crate::{cvt, cvt_p}; -use libc::c_int; use openssl_macros::corresponds; #[cfg(not(boringssl))] use std::ffi::CString; @@ -127,13 +126,13 @@ impl X509StoreBuilderRef { } /// Sets the certificate purpose. - /// The purpose value can be obtained by `X509Purpose::get_by_sname()` + /// The purpose value can be obtained by `X509PurposeRef::get_by_sname()` #[corresponds(X509_STORE_set_purpose)] pub fn set_purpose(&mut self, purpose: X509PurposeId) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_STORE_set_purpose( self.as_ptr(), - purpose.value() as c_int, + purpose.as_raw(), )) .map(|_| ()) } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 6a61b0ffc3..9a482f1d39 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -21,7 +21,7 @@ use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; #[cfg(ossl110)] use crate::x509::X509Builder; #[cfg(any(ossl102, libressl261))] -use crate::x509::X509Purpose; +use crate::x509::X509PurposeRef; #[cfg(ossl102)] use crate::x509::X509PurposeId; use crate::x509::{X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; @@ -452,12 +452,12 @@ fn test_verify_cert_with_purpose() { let chain = Stack::new().unwrap(); let mut store_bldr = X509StoreBuilder::new().unwrap(); - let purpose_idx = X509Purpose::get_by_sname("sslserver") + let purpose_idx = X509PurposeRef::get_by_sname("sslserver") .expect("Getting certificate purpose 'sslserver' failed"); - let x509_purpose = - X509Purpose::from_idx(purpose_idx).expect("Getting certificate purpose failed"); + let x509_purposeref = + X509PurposeRef::from_idx(purpose_idx).expect("Getting certificate purpose failed"); store_bldr - .set_purpose(x509_purpose.purpose()) + .set_purpose(x509_purposeref.purpose()) .expect("Setting certificate purpose failed"); store_bldr.add_cert(ca).unwrap(); @@ -479,10 +479,10 @@ fn test_verify_cert_with_wrong_purpose_fails() { let chain = Stack::new().unwrap(); let mut store_bldr = X509StoreBuilder::new().unwrap(); - let purpose_idx = X509Purpose::get_by_sname("timestampsign") + let purpose_idx = X509PurposeRef::get_by_sname("timestampsign") .expect("Getting certificate purpose 'timestampsign' failed"); let x509_purpose = - X509Purpose::from_idx(purpose_idx).expect("Getting certificate purpose failed"); + X509PurposeRef::from_idx(purpose_idx).expect("Getting certificate purpose failed"); store_bldr .set_purpose(x509_purpose.purpose()) .expect("Setting certificate purpose failed"); From 3b14f19c267badde10f2b364fdd833ea3915e103 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 16 Jan 2023 09:22:23 +0100 Subject: [PATCH 089/341] rustfmt --- openssl/src/x509/mod.rs | 4 +++- openssl/src/x509/store.rs | 8 +------- openssl/src/x509/tests.rs | 4 ++-- 3 files changed, 6 insertions(+), 10 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index b885dd5778..d29a21e4af 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1755,7 +1755,9 @@ impl X509PurposeId { pub const TIMESTAMP_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_TIMESTAMP_SIGN); /// Constructs an `X509PurposeId` from a raw OpenSSL value. - pub fn from_raw(id: c_int) -> Self { X509PurposeId(id) } + pub fn from_raw(id: c_int) -> Self { + X509PurposeId(id) + } /// Returns the raw OpenSSL value represented by this type. pub fn as_raw(&self) -> c_int { diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs index 55d5d75258..a90bf3515f 100644 --- a/openssl/src/x509/store.rs +++ b/openssl/src/x509/store.rs @@ -129,13 +129,7 @@ impl X509StoreBuilderRef { /// The purpose value can be obtained by `X509PurposeRef::get_by_sname()` #[corresponds(X509_STORE_set_purpose)] pub fn set_purpose(&mut self, purpose: X509PurposeId) -> Result<(), ErrorStack> { - unsafe { - cvt(ffi::X509_STORE_set_purpose( - self.as_ptr(), - purpose.as_raw(), - )) - .map(|_| ()) - } + unsafe { cvt(ffi::X509_STORE_set_purpose(self.as_ptr(), purpose.as_raw())).map(|_| ()) } } /// Sets certificate chain validation related parameters. diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 9a482f1d39..5f92b5e3d8 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -20,10 +20,10 @@ use crate::x509::store::X509StoreBuilder; use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; #[cfg(ossl110)] use crate::x509::X509Builder; -#[cfg(any(ossl102, libressl261))] -use crate::x509::X509PurposeRef; #[cfg(ossl102)] use crate::x509::X509PurposeId; +#[cfg(any(ossl102, libressl261))] +use crate::x509::X509PurposeRef; use crate::x509::{X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] From 6d6944767c30cd43fefec920eb29ef1acf4e55b9 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 13 Jan 2023 15:11:36 +0100 Subject: [PATCH 090/341] Prepared openssl-sys for pkcs7 and x509 extensions. --- openssl-sys/build/cfgs.rs | 3 + openssl-sys/src/handwritten/asn1.rs | 49 ++++- openssl-sys/src/handwritten/mod.rs | 2 + openssl-sys/src/handwritten/pkcs7.rs | 245 ++++++++++++++++++++++- openssl-sys/src/handwritten/types.rs | 16 +- openssl-sys/src/handwritten/x509.rs | 36 +++- openssl-sys/src/handwritten/x509_attr.rs | 60 ++++++ 7 files changed, 396 insertions(+), 15 deletions(-) create mode 100644 openssl-sys/src/handwritten/x509_attr.rs diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index d925d90ad7..960515f00f 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -31,6 +31,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x2_09_01_00_0 { cfgs.push("libressl291"); } + if libressl_version >= 0x3_01_00_00_0 { + cfgs.push("libressl310"); + } if libressl_version >= 0x3_02_01_00_0 { cfgs.push("libressl321"); } diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index 844f9102a9..e866b1ea90 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -10,23 +10,60 @@ pub struct ASN1_ENCODING { extern "C" { pub fn ASN1_OBJECT_free(x: *mut ASN1_OBJECT); + pub fn OBJ_cmp(a: *const ASN1_OBJECT, b: *const ASN1_OBJECT) -> c_int; } +pub enum ASN1_OBJECT {} + stack!(stack_st_ASN1_OBJECT); +#[repr(C)] +pub struct ASN1_TYPE { + pub type_: c_int, + pub value: ASN1_TYPE_value, +} +#[repr(C)] +pub union ASN1_TYPE_value { + pub ptr: *mut c_char, + pub boolean: ASN1_BOOLEAN, + pub asn1_string: *mut ASN1_STRING, + pub object: *mut ASN1_OBJECT, + pub integer: *mut ASN1_INTEGER, + pub enumerated: *mut ASN1_ENUMERATED, + pub bit_string: *mut ASN1_BIT_STRING, + pub octet_string: *mut ASN1_OCTET_STRING, + pub printablestring: *mut ASN1_PRINTABLESTRING, + pub t61string: *mut ASN1_T61STRING, + pub ia5string: *mut ASN1_IA5STRING, + pub generalstring: *mut ASN1_GENERALSTRING, + pub bmpstring: *mut ASN1_BMPSTRING, + pub universalstring: *mut ASN1_UNIVERSALSTRING, + pub utctime: *mut ASN1_UTCTIME, + pub generalizedtime: *mut ASN1_GENERALIZEDTIME, + pub visiblestring: *mut ASN1_VISIBLESTRING, + pub utf8string: *mut ASN1_UTF8STRING, + /* + * set and sequence are left complete and still contain the set or + * sequence bytes + */ + pub set: *mut ASN1_STRING, + pub sequence: *mut ASN1_STRING, + pub asn1_value: *mut ASN1_VALUE, +} + extern "C" { pub fn ASN1_STRING_type_new(ty: c_int) -> *mut ASN1_STRING; #[cfg(any(ossl110, libressl273))] pub fn ASN1_STRING_get0_data(x: *const ASN1_STRING) -> *const c_uchar; #[cfg(any(all(ossl101, not(ossl110)), libressl))] pub fn ASN1_STRING_data(x: *mut ASN1_STRING) -> *mut c_uchar; - - pub fn ASN1_BIT_STRING_free(x: *mut ASN1_BIT_STRING); - + pub fn ASN1_STRING_new() -> *mut ASN1_STRING; pub fn ASN1_STRING_free(x: *mut ASN1_STRING); pub fn ASN1_STRING_length(x: *const ASN1_STRING) -> c_int; + pub fn ASN1_STRING_set(x: *mut ASN1_STRING, data: *const c_void, len_in: c_int) -> c_int; - pub fn ASN1_STRING_set(x: *mut ASN1_STRING, data: *const c_void, len: c_int) -> c_int; + pub fn ASN1_BIT_STRING_free(x: *mut ASN1_BIT_STRING); + pub fn ASN1_OCTET_STRING_free(x: *mut ASN1_OCTET_STRING); pub fn ASN1_GENERALIZEDTIME_free(tm: *mut ASN1_GENERALIZEDTIME); pub fn ASN1_GENERALIZEDTIME_print(b: *mut BIO, tm: *const ASN1_GENERALIZEDTIME) -> c_int; @@ -51,10 +88,14 @@ extern "C" { pub fn ASN1_TIME_set_string(s: *mut ASN1_TIME, str: *const c_char) -> c_int; #[cfg(ossl111)] pub fn ASN1_TIME_set_string_X509(s: *mut ASN1_TIME, str: *const c_char) -> c_int; + + pub fn ASN1_TYPE_free(x: *mut ASN1_TYPE); } const_ptr_api! { extern "C" { pub fn ASN1_STRING_to_UTF8(out: *mut *mut c_uchar, s: #[const_ptr_if(any(ossl110, libressl280))] ASN1_STRING) -> c_int; + pub fn ASN1_STRING_type(x: #[const_ptr_if(any(ossl110, libressl280))] ASN1_STRING) -> c_int; + pub fn ASN1_generate_v3(str: #[const_ptr_if(any(ossl110, libressl280))] c_char, cnf: *mut X509V3_CTX) -> *mut ASN1_TYPE; } } diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index 28aa4aecd0..fea7549898 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -28,6 +28,7 @@ pub use self::stack::*; pub use self::tls1::*; pub use self::types::*; pub use self::x509::*; +pub use self::x509_attr::*; pub use self::x509_vfy::*; pub use self::x509v3::*; @@ -61,5 +62,6 @@ mod stack; mod tls1; mod types; mod x509; +mod x509_attr; mod x509_vfy; mod x509v3; diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index fc0239e7b8..2f76cab9c2 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs @@ -1,12 +1,195 @@ use libc::*; use *; -pub enum PKCS7_SIGNED {} -pub enum PKCS7_ENVELOPE {} -pub enum PKCS7_SIGN_ENVELOPE {} -pub enum PKCS7_DIGEST {} -pub enum PKCS7_ENCRYPT {} -pub enum PKCS7 {} +// use x509::stack_st_X509; +// use x509_attr::stack_st_X509_ATTRIBUTE; + +#[cfg(ossl300)] +#[repr(C)] +pub struct PKCS7_CTX { + libctx: *mut OSSL_LIB_CTX, + propq: *mut c_char, +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_SIGNED { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, + pub contents: *mut PKCS7, + } + } else { + pub enum PKCS7_SIGNED {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_ENC_CONTENT { + pub content_type: *mut ASN1_OBJECT, + pub algorithm: *mut X509_ALGOR, + pub enc_data: *mut ASN1_OCTET_STRING, /* [ 0 ] */ + pub cipher: *const EVP_CIPHER, + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, + } + } else { + pub enum PKCS7_ENC_CONTENT {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_ENVELOPE { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO, + pub enc_data: *mut PKCS7_ENC_CONTENT, + } + } else { + pub enum PKCS7_ENVELOPE {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_SIGN_ENVELOPE { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, + pub enc_data: *mut PKCS7_ENC_CONTENT, + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO + } + } else { + pub enum PKCS7_SIGN_ENVELOPE {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_DIGEST { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub md: *mut X509_ALGOR, /* md used */ + pub contents: *mut PKCS7, + pub digest: *mut ASN1_OCTET_STRING, + } + } else { + pub enum PKCS7_DIGEST {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_ENCRYPT { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub enc_data: *mut PKCS7_ENC_CONTENT, + } + } else { + pub enum PKCS7_ENCRYPT {} + } +} + +extern "C" { + pub fn PKCS7_SIGNED_free(info: *mut PKCS7_SIGNED); + pub fn PKCS7_ENC_CONTENT_free(info: *mut PKCS7_ENC_CONTENT); + pub fn PKCS7_ENVELOPE_free(info: *mut PKCS7_ENVELOPE); + pub fn PKCS7_SIGN_ENVELOPE_free(info: *mut PKCS7_SIGN_ENVELOPE); + pub fn PKCS7_DIGEST_free(info: *mut PKCS7_DIGEST); + pub fn PKCS7_SIGNER_INFO_free(info: *mut PKCS7_SIGNER_INFO); +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7 { + /* + * The following is non NULL if it contains ASN1 encoding of this + * structure + */ + pub asn1: *mut c_uchar, + pub length: c_long, + // # define PKCS7_S_HEADER 0 + // # define PKCS7_S_BODY 1 + // # define PKCS7_S_TAIL 2 + pub state: c_int, /* used during processing */ + pub detached: c_int, + pub type_: *mut ASN1_OBJECT, + /* content as defined by the type */ + /* + * all encryption/message digests are applied to the 'contents', leaving + * out the 'type' field. + */ + pub d: PKCS7_data, + #[cfg(ossl300)] + pub ctx: PKCS7_CTX, + } + #[repr(C)] + pub union PKCS7_data { + pub ptr: *mut c_char, + /* NID_pkcs7_data */ + pub data: *mut ASN1_OCTET_STRING, + /* NID_pkcs7_signed */ + pub sign: *mut PKCS7_SIGNED, + /* NID_pkcs7_enveloped */ + pub enveloped: *mut PKCS7_ENVELOPE, + /* NID_pkcs7_signedAndEnveloped */ + pub signed_and_enveloped: *mut PKCS7_SIGN_ENVELOPE, + /* NID_pkcs7_digest */ + pub digest: *mut PKCS7_DIGEST, + /* NID_pkcs7_encrypted */ + pub encrypted: *mut PKCS7_ENCRYPT, + /* Anything else */ + pub other: *mut ASN1_TYPE, + } + } else { + pub enum PKCS7 {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl))] { + #[repr(C)] + pub struct PKCS7_ISSUER_AND_SERIAL { + pub issuer: *mut X509_NAME, + pub serial: *mut ASN1_INTEGER, + } + } else { + pub enum PKCS7_ISSUER_AND_SERIAL {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl))] { + #[repr(C)] + pub struct PKCS7_SIGNER_INFO { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub issuer_and_serial: *mut PKCS7_ISSUER_AND_SERIAL, + pub digest_alg: *mut X509_ALGOR, + pub auth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 0 ] */ + pub digest_enc_alg: *mut X509_ALGOR, + pub enc_digest: *mut ASN1_OCTET_STRING, + pub unauth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 1 ] */ + pub pkey: *mut EVP_PKEY, /* The private key to sign with */ + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, + } + } else { + pub enum PKCS7_SIGNER_INFO {} + } +} + +stack!(stack_st_PKCS7_SIGNER_INFO); +stack!(stack_st_PKCS7_RECIP_INFO); extern "C" { pub fn d2i_PKCS7(a: *mut *mut PKCS7, pp: *mut *const c_uchar, length: c_long) -> *mut PKCS7; @@ -15,6 +198,7 @@ extern "C" { const_ptr_api! { extern "C" { pub fn i2d_PKCS7(a: #[const_ptr_if(ossl300)] PKCS7, buf: *mut *mut u8) -> c_int; + pub fn i2d_PKCS7_bio(bio: *mut BIO, p7: #[const_ptr_if(ossl300)] PKCS7) -> c_int; } } @@ -67,4 +251,53 @@ extern "C" { ) -> c_int; pub fn SMIME_read_PKCS7(bio: *mut BIO, bcont: *mut *mut BIO) -> *mut PKCS7; + + pub fn PKCS7_new() -> *mut PKCS7; + + pub fn PKCS7_set_type(p7: *mut PKCS7, nid_pkcs7: c_int) -> c_int; + + pub fn PKCS7_add_certificate(p7: *mut PKCS7, x509: *mut X509) -> c_int; + + pub fn PKCS7_add_signature( + p7: *mut PKCS7, + x509: *mut X509, + pkey: *mut EVP_PKEY, + digest: *const EVP_MD, + ) -> *mut PKCS7_SIGNER_INFO; + + pub fn PKCS7_set_signed_attributes( + p7si: *mut PKCS7_SIGNER_INFO, + attributes: *mut stack_st_X509_ATTRIBUTE, + ) -> c_int; + + pub fn PKCS7_add_signed_attribute( + p7si: *mut PKCS7_SIGNER_INFO, + nid: c_int, + attrtype: c_int, + data: *mut c_void, + ) -> c_int; + + pub fn PKCS7_content_new(p7: *mut PKCS7, nid_pkcs7: c_int) -> c_int; + + pub fn PKCS7_dataInit(p7: *mut PKCS7, bio: *mut BIO) -> *mut BIO; + + pub fn PKCS7_dataFinal(p7: *mut PKCS7, bio: *mut BIO) -> c_int; + + pub fn PKCS7_get_signer_info(p7: *mut PKCS7) -> *mut stack_st_PKCS7_SIGNER_INFO; + + pub fn PKCS7_SIGNER_INFO_get0_algs( + si: *mut PKCS7_SIGNER_INFO, + pk: *mut *mut EVP_PKEY, + pdig: *mut *mut X509_ALGOR, + psig: *mut *mut X509_ALGOR, + ); +} + +const_ptr_api! { + extern "C" { + pub fn PKCS7_get_signed_attribute( + si: #[const_ptr_if(ossl300)] PKCS7_SIGNER_INFO, + nid: c_int + ) -> *mut ASN1_TYPE; + } } diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index 476578c051..addc599abb 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -3,14 +3,26 @@ use libc::*; #[allow(unused_imports)] use *; +#[derive(Copy, Clone)] +pub enum ASN1_BOOLEAN {} +pub enum ASN1_ENUMERATED {} pub enum ASN1_INTEGER {} pub enum ASN1_GENERALIZEDTIME {} pub enum ASN1_STRING {} pub enum ASN1_BIT_STRING {} pub enum ASN1_TIME {} -pub enum ASN1_TYPE {} pub enum ASN1_OBJECT {} pub enum ASN1_OCTET_STRING {} +pub enum ASN1_PRINTABLESTRING {} +pub enum ASN1_T61STRING {} +pub enum ASN1_IA5STRING {} +pub enum ASN1_GENERALSTRING {} +pub enum ASN1_BMPSTRING {} +pub enum ASN1_UNIVERSALSTRING {} +pub enum ASN1_UTCTIME {} +pub enum ASN1_VISIBLESTRING {} +pub enum ASN1_UTF8STRING {} +pub enum ASN1_VALUE {} pub enum bio_st {} // FIXME remove cfg_if! { @@ -325,6 +337,8 @@ cfg_if! { } } +stack!(stack_st_X509_ALGOR); + pub enum X509_LOOKUP_METHOD {} pub enum X509_NAME {} diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 047f3df262..486f712c34 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -15,8 +15,6 @@ pub enum X509_EXTENSION {} stack!(stack_st_X509_EXTENSION); -stack!(stack_st_X509_ATTRIBUTE); - cfg_if! { if #[cfg(any(ossl110, libressl350))] { pub enum X509_REQ_INFO {} @@ -27,7 +25,7 @@ cfg_if! { pub version: *mut ::ASN1_INTEGER, pub subject: *mut ::X509_NAME, pubkey: *mut c_void, - pub attributes: *mut stack_st_X509_ATTRIBUTE, + pub attributes: *mut ::stack_st_X509_ATTRIBUTE, } } } @@ -271,9 +269,12 @@ extern "C" { pub fn X509_EXTENSION_free(ext: *mut X509_EXTENSION); + pub fn X509_ATTRIBUTE_free(attr: *mut ::X509_ATTRIBUTE); + pub fn X509_NAME_ENTRY_free(x: *mut X509_NAME_ENTRY); pub fn X509_NAME_new() -> *mut X509_NAME; + pub fn X509_NAME_cmp(x: *const X509_NAME, y: *const X509_NAME) -> c_int; pub fn X509_NAME_free(x: *mut X509_NAME); pub fn X509_new() -> *mut X509; @@ -359,6 +360,33 @@ const_ptr_api! { -> c_int; } } +extern "C" { + pub fn X509_REQ_get_attr_count(req: *const X509_REQ) -> c_int; + pub fn X509_REQ_get_attr_by_NID(req: *const X509_REQ, nid: c_int, lastpos: c_int) -> c_int; + pub fn X509_REQ_get_attr(req: *const X509_REQ, loc: c_int) -> *mut ::X509_ATTRIBUTE; + pub fn X509_REQ_delete_attr(req: *mut X509_REQ, loc: c_int) -> *mut ::X509_ATTRIBUTE; + pub fn X509_REQ_add1_attr_by_txt( + req: *mut X509_REQ, + attrname: *const c_char, + chtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> c_int; + pub fn X509_REQ_add1_attr_by_NID( + req: *mut X509_REQ, + nid: c_int, + chtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> c_int; + pub fn X509_REQ_add1_attr_by_OBJ( + req: *mut X509_REQ, + obj: *const ASN1_OBJECT, + chtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> c_int; +} extern "C" { pub fn X509_set_pubkey(x: *mut X509, pkey: *mut EVP_PKEY) -> c_int; pub fn X509_REQ_verify(req: *mut X509_REQ, pkey: *mut EVP_PKEY) -> c_int; @@ -607,6 +635,7 @@ const_ptr_api! { pub fn X509_STORE_get0_objects(ctx: #[const_ptr_if(ossl300)] X509_STORE) -> *mut stack_st_X509_OBJECT; } } + #[cfg(any(ossl110, libressl270))] extern "C" { pub fn X509_OBJECT_get0_X509(x: *const X509_OBJECT) -> *mut X509; @@ -633,7 +662,6 @@ extern "C" { extern "C" { pub fn X509_cmp(a: *const X509, b: *const X509) -> c_int; - pub fn X509_NAME_cmp(a: *const X509_NAME, b: *const X509_NAME) -> c_int; pub fn X509_issuer_and_serial_cmp(a: *const X509, b: *const X509) -> c_int; pub fn X509_issuer_name_cmp(a: *const X509, b: *const X509) -> c_int; pub fn X509_subject_name_cmp(a: *const X509, b: *const X509) -> c_int; diff --git a/openssl-sys/src/handwritten/x509_attr.rs b/openssl-sys/src/handwritten/x509_attr.rs new file mode 100644 index 0000000000..b14be38619 --- /dev/null +++ b/openssl-sys/src/handwritten/x509_attr.rs @@ -0,0 +1,60 @@ +use libc::*; + +use *; + +pub enum X509_ATTRIBUTE {} + +stack!(stack_st_X509_ATTRIBUTE); + +extern "C" { + pub fn X509_ATTRIBUTE_new() -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create( + nid: c_int, + atrtype: c_int, + value: *mut c_void, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_NID( + attr: *mut *mut X509_ATTRIBUTE, + nid: c_int, + atrtype: c_int, + data: *const c_void, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_OBJ( + attr: *mut *mut X509_ATTRIBUTE, + obj: *const ASN1_OBJECT, + atrtype: c_int, + data: *const c_void, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_txt( + attr: *mut *mut X509_ATTRIBUTE, + atrname: *const c_char, + atrtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_set1_object(attr: *mut X509_ATTRIBUTE, obj: *const ASN1_OBJECT) -> c_int; + pub fn X509_ATTRIBUTE_set1_data( + attr: *mut X509_ATTRIBUTE, + attrtype: c_int, + data: *const c_void, + len: c_int, + ) -> c_int; + pub fn X509_ATTRIBUTE_get0_data( + attr: *mut X509_ATTRIBUTE, + idx: c_int, + atrtype: c_int, + data: *mut c_void, + ) -> *mut c_void; + pub fn X509_ATTRIBUTE_get0_object(attr: *mut X509_ATTRIBUTE) -> *mut ASN1_OBJECT; + pub fn X509_ATTRIBUTE_get0_type(attr: *mut X509_ATTRIBUTE, idx: c_int) -> *mut ASN1_TYPE; + +} +const_ptr_api! { + extern "C" { + pub fn X509_ATTRIBUTE_count( + attr: #[const_ptr_if(any(ossl110, libressl291))] X509_ATTRIBUTE // const since OpenSSL v1.1.0 + ) -> c_int; + } +} From d2e30181e586929abf1ee93d5c8152f8d034385c Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 13 Jan 2023 16:17:48 +0100 Subject: [PATCH 091/341] Fixed systest. --- systest/build.rs | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/systest/build.rs b/systest/build.rs index e54438114b..02c820b3e7 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -108,7 +108,10 @@ fn main() { || s.starts_with("CRYPTO_EX_") }); cfg.skip_struct(|s| { - s == "ProbeResult" || s == "X509_OBJECT_data" // inline union + s == "ProbeResult" || + s == "X509_OBJECT_data" || // inline union + s == "PKCS7_data" || + s == "ASN1_TYPE_value" }); cfg.skip_fn(move |s| { s == "CRYPTO_memcmp" || // uses volatile @@ -128,7 +131,9 @@ fn main() { cfg.skip_field_type(|s, field| { (s == "EVP_PKEY" && field == "pkey") || // union (s == "GENERAL_NAME" && field == "d") || // union - (s == "X509_OBJECT" && field == "data") // union + (s == "X509_OBJECT" && field == "data") || // union + (s == "PKCS7" && field == "d") || // union + (s == "ASN1_TYPE" && field == "value") // union }); cfg.skip_signededness(|s| { s.ends_with("_cb") From 920ec61a584053b719b547ee0fb444f5087e0377 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 16 Jan 2023 14:37:54 +0100 Subject: [PATCH 092/341] Trigger build From 33e91420c714cb1d62ff8806a79397913e3b44ed Mon Sep 17 00:00:00 2001 From: Andrew Scull Date: Fri, 20 Jan 2023 00:29:34 +0000 Subject: [PATCH 093/341] Add X509Name::to_owned() The X509_NAME_dup() function can fail but that isn't compatible with the ToOwned trait. Follow the pattern used in BigNum to add a custom, fallible to_owned() function. --- openssl/src/x509/mod.rs | 7 +++++++ openssl/src/x509/tests.rs | 10 ++++++++++ 2 files changed, 17 insertions(+) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index d29a21e4af..b88ee60678 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1064,6 +1064,13 @@ impl X509NameRef { Ok(cmp.cmp(&0)) } + /// Copies the name to a new `X509Name`. + #[corresponds(X509_NAME_dup)] + #[cfg(any(boringssl, ossl110, libressl270))] + pub fn to_owned(&self) -> Result { + unsafe { cvt_p(ffi::X509_NAME_dup(self.as_ptr())).map(|n| X509Name::from_ptr(n)) } + } + to_der! { /// Serializes the certificate into a DER-encoded X509 name structure. /// diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 5f92b5e3d8..2d45f01579 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -615,6 +615,16 @@ fn test_name_cmp() { assert_eq!(Ordering::Greater, subject.try_cmp(issuer).unwrap()); } +#[test] +#[cfg(any(boringssl, ossl110, libressl270))] +fn test_name_to_owned() { + let cert = include_bytes!("../../test/cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + let name = cert.subject_name(); + let copied_name = name.to_owned().unwrap(); + assert_eq!(Ordering::Equal, name.try_cmp(&copied_name).unwrap()); +} + #[test] #[cfg(any(ossl102, libressl261))] fn test_verify_param_set_time_fails_verification() { From 06581aea73c44a29413e5e94c9cb1aa09e8d4ce6 Mon Sep 17 00:00:00 2001 From: Stephane Raux Date: Fri, 20 Jan 2023 16:40:11 -0600 Subject: [PATCH 094/341] Fix debug formatting of ipaddress for GeneralName `from_utf8_lossy` is not appropriate as the bytes are the raw IP address (e.g. 4 bytes for IPv4). --- openssl/src/x509/mod.rs | 11 +++++++++-- openssl/src/x509/tests.rs | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 2 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index b88ee60678..940c8c9c51 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -11,11 +11,13 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef, Opaque}; use libc::{c_int, c_long, c_uint}; use std::cmp::{self, Ordering}; +use std::convert::TryFrom; use std::error::Error; use std::ffi::{CStr, CString}; use std::fmt; use std::marker::PhantomData; use std::mem; +use std::net::IpAddr; use std::path::Path; use std::ptr; use std::slice; @@ -1555,8 +1557,13 @@ impl fmt::Debug for GeneralNameRef { } else if let Some(uri) = self.uri() { formatter.write_str(uri) } else if let Some(ipaddress) = self.ipaddress() { - let result = String::from_utf8_lossy(ipaddress); - formatter.write_str(&result) + let address = <[u8; 16]>::try_from(ipaddress) + .map(IpAddr::from) + .or_else(|_| <[u8; 4]>::try_from(ipaddress).map(IpAddr::from)); + match address { + Ok(a) => fmt::Debug::fmt(&a, formatter), + Err(_) => fmt::Debug::fmt(ipaddress, formatter), + } } else { formatter.write_str("(empty)") } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 2d45f01579..5f41342522 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -868,3 +868,40 @@ fn test_load_crl_file_fail() { let res = lookup.load_crl_file("test/root-ca.pem", SslFiletype::PEM); assert!(res.is_err()); } + +#[cfg(ossl110)] +fn ipaddress_as_subject_alternative_name_is_formatted_in_debug(expected_ip: T) +where + T: Into, +{ + let expected_ip = format!("{:?}", expected_ip.into()); + let mut builder = X509Builder::new().unwrap(); + let san = SubjectAlternativeName::new() + .ip(&expected_ip) + .build(&builder.x509v3_context(None, None)) + .unwrap(); + builder.append_extension(san).unwrap(); + let cert = builder.build(); + let actual_ip = cert + .subject_alt_names() + .into_iter() + .flatten() + .map(|n| format!("{:?}", *n)) + .next() + .unwrap(); + assert_eq!(actual_ip, expected_ip); +} + +#[cfg(ossl110)] +#[test] +fn ipv4_as_subject_alternative_name_is_formatted_in_debug() { + ipaddress_as_subject_alternative_name_is_formatted_in_debug([8u8, 8, 8, 128]); +} + +#[cfg(ossl110)] +#[test] +fn ipv6_as_subject_alternative_name_is_formatted_in_debug() { + ipaddress_as_subject_alternative_name_is_formatted_in_debug([ + 8u8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 128, + ]); +} From 11797d9ecb73e94b7f55a49274318abc9dc074d2 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Wed, 1 Feb 2023 07:33:20 -0500 Subject: [PATCH 095/341] Bump OpenSSL --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 57728778f7..3b7b4dc9cc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -157,10 +157,10 @@ jobs: - name: openssl version: vendored - name: openssl - version: 3.0.5 + version: 3.0.7 dl-path: / - name: openssl - version: 1.1.1q + version: 1.1.1s dl-path: / - name: openssl version: 1.1.0l From dc976d756f9d3273c3c6f960fadb88e44b468050 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 3 Feb 2023 09:31:37 -0500 Subject: [PATCH 096/341] Migrate the openssl-sys crate to the 2018 edition Needed for #1806 --- openssl-macros/src/lib.rs | 2 + openssl-sys/Cargo.toml | 1 + openssl-sys/build/find_normal.rs | 1 - openssl-sys/build/main.rs | 6 +- openssl-sys/src/asn1.rs | 2 +- openssl-sys/src/bio.rs | 2 +- openssl-sys/src/bn.rs | 2 - openssl-sys/src/cms.rs | 1 - openssl-sys/src/crypto.rs | 2 +- openssl-sys/src/ec.rs | 2 +- openssl-sys/src/evp.rs | 2 +- openssl-sys/src/handwritten/aes.rs | 2 +- openssl-sys/src/handwritten/asn1.rs | 2 +- openssl-sys/src/handwritten/bio.rs | 24 ++-- openssl-sys/src/handwritten/bn.rs | 4 +- openssl-sys/src/handwritten/cms.rs | 34 ++--- openssl-sys/src/handwritten/conf.rs | 2 +- openssl-sys/src/handwritten/crypto.rs | 2 +- openssl-sys/src/handwritten/dh.rs | 2 +- openssl-sys/src/handwritten/dsa.rs | 2 +- openssl-sys/src/handwritten/ec.rs | 2 +- openssl-sys/src/handwritten/err.rs | 2 +- openssl-sys/src/handwritten/evp.rs | 6 +- openssl-sys/src/handwritten/hmac.rs | 2 +- openssl-sys/src/handwritten/kdf.rs | 2 +- openssl-sys/src/handwritten/object.rs | 2 +- openssl-sys/src/handwritten/ocsp.rs | 2 +- openssl-sys/src/handwritten/pem.rs | 2 +- openssl-sys/src/handwritten/pkcs12.rs | 2 +- openssl-sys/src/handwritten/pkcs7.rs | 2 +- openssl-sys/src/handwritten/provider.rs | 2 +- openssl-sys/src/handwritten/rsa.rs | 39 +++-- openssl-sys/src/handwritten/sha.rs | 2 +- openssl-sys/src/handwritten/srtp.rs | 2 +- openssl-sys/src/handwritten/ssl.rs | 62 ++++---- openssl-sys/src/handwritten/tls1.rs | 4 +- openssl-sys/src/handwritten/types.rs | 184 ++++++++++++------------ openssl-sys/src/handwritten/x509.rs | 30 ++-- openssl-sys/src/handwritten/x509_vfy.rs | 2 +- openssl-sys/src/handwritten/x509v3.rs | 2 +- openssl-sys/src/lib.rs | 5 +- openssl-sys/src/macros.rs | 2 +- openssl-sys/src/ocsp.rs | 2 - openssl-sys/src/pem.rs | 2 - openssl-sys/src/pkcs7.rs | 2 - openssl-sys/src/rsa.rs | 2 +- openssl-sys/src/sha.rs | 2 +- openssl-sys/src/srtp.rs | 2 - openssl-sys/src/ssl.rs | 12 +- openssl-sys/src/tls1.rs | 2 +- openssl-sys/src/types.rs | 3 +- openssl-sys/src/x509.rs | 2 - openssl-sys/src/x509_vfy.rs | 2 +- openssl-sys/src/x509v3.rs | 2 +- openssl/build.rs | 6 +- openssl/examples/mk_certs.rs | 2 + openssl/src/lib.rs | 1 + openssl/src/sign.rs | 2 +- systest/build.rs | 2 + 59 files changed, 250 insertions(+), 255 deletions(-) diff --git a/openssl-macros/src/lib.rs b/openssl-macros/src/lib.rs index c007409ace..99db988818 100644 --- a/openssl-macros/src/lib.rs +++ b/openssl-macros/src/lib.rs @@ -1,3 +1,5 @@ +#![allow(clippy::uninlined_format_args)] + use proc_macro::TokenStream; use proc_macro2::Ident; use quote::quote; diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index d8e4c7661b..7b5c8104d8 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -12,6 +12,7 @@ readme = "README.md" categories = ["cryptography", "external-ffi-bindings"] links = "openssl" build = "build/main.rs" +edition = "2018" [features] vendored = ['openssl-src'] diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index b5dfe8e259..791fc33985 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -1,4 +1,3 @@ -use pkg_config; use std::ffi::OsString; use std::path::{Path, PathBuf}; use std::process::{self, Command}; diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 02ab5c4ac3..262ea2cbab 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -1,4 +1,8 @@ -#![allow(clippy::inconsistent_digit_grouping, clippy::unusual_byte_groupings)] +#![allow( + clippy::inconsistent_digit_grouping, + clippy::uninlined_format_args, + clippy::unusual_byte_groupings +)] extern crate autocfg; #[cfg(feature = "bindgen")] diff --git a/openssl-sys/src/asn1.rs b/openssl-sys/src/asn1.rs index a5106d4676..caf14f7b96 100644 --- a/openssl-sys/src/asn1.rs +++ b/openssl-sys/src/asn1.rs @@ -1,6 +1,6 @@ use libc::*; -use *; +use super::*; // ASN.1 tag values pub const V_ASN1_EOC: c_int = 0; diff --git a/openssl-sys/src/bio.rs b/openssl-sys/src/bio.rs index b4beab6ca1..ea6053b592 100644 --- a/openssl-sys/src/bio.rs +++ b/openssl-sys/src/bio.rs @@ -1,6 +1,6 @@ use libc::*; -use *; +use super::*; pub const BIO_TYPE_NONE: c_int = 0; diff --git a/openssl-sys/src/bn.rs b/openssl-sys/src/bn.rs index f7393d0f50..a6bbcce883 100644 --- a/openssl-sys/src/bn.rs +++ b/openssl-sys/src/bn.rs @@ -1,7 +1,5 @@ use libc::*; -use *; - #[cfg(target_pointer_width = "64")] pub type BN_ULONG = c_ulonglong; #[cfg(target_pointer_width = "32")] diff --git a/openssl-sys/src/cms.rs b/openssl-sys/src/cms.rs index 59c770e5dc..f008adb1c7 100644 --- a/openssl-sys/src/cms.rs +++ b/openssl-sys/src/cms.rs @@ -1,5 +1,4 @@ use libc::*; -use *; #[cfg(ossl101)] pub const CMS_TEXT: c_uint = 0x1; diff --git a/openssl-sys/src/crypto.rs b/openssl-sys/src/crypto.rs index 842faa4e2f..35be07eada 100644 --- a/openssl-sys/src/crypto.rs +++ b/openssl-sys/src/crypto.rs @@ -1,5 +1,5 @@ +use super::*; use libc::*; -use *; extern "C" { #[deprecated(note = "use CRYPTO_set_locking_callback__fixed_rust instead")] diff --git a/openssl-sys/src/ec.rs b/openssl-sys/src/ec.rs index c01d6f22af..995a84ff64 100644 --- a/openssl-sys/src/ec.rs +++ b/openssl-sys/src/ec.rs @@ -1,7 +1,7 @@ use libc::*; use std::ptr; -use *; +use super::*; pub const OPENSSL_EC_NAMED_CURVE: c_int = 1; diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 9db924ea53..a98e438426 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -1,5 +1,5 @@ +use super::*; use libc::*; -use *; pub const EVP_MAX_MD_SIZE: c_uint = 64; diff --git a/openssl-sys/src/handwritten/aes.rs b/openssl-sys/src/handwritten/aes.rs index 884f9d7242..ba249362cb 100644 --- a/openssl-sys/src/handwritten/aes.rs +++ b/openssl-sys/src/handwritten/aes.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; #[repr(C)] pub struct AES_KEY { diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index 844f9102a9..7163a69d5e 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; #[repr(C)] pub struct ASN1_ENCODING { diff --git a/openssl-sys/src/handwritten/bio.rs b/openssl-sys/src/handwritten/bio.rs index 7241df0f3e..7d97522251 100644 --- a/openssl-sys/src/handwritten/bio.rs +++ b/openssl-sys/src/handwritten/bio.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; extern "C" { pub fn BIO_set_flags(b: *mut BIO, flags: c_int); @@ -17,14 +17,14 @@ cfg_if! { pub struct BIO_METHOD { pub type_: c_int, pub name: *const c_char, - pub bwrite: Option c_int>, - pub bread: Option c_int>, - pub bputs: Option c_int>, - pub bgets: Option c_int>, - pub ctrl: Option c_long>, - pub create: Option c_int>, - pub destroy: Option c_int>, - pub callback_ctrl: Option c_long>, + pub bwrite: Option c_int>, + pub bread: Option c_int>, + pub bputs: Option c_int>, + pub bgets: Option c_int>, + pub ctrl: Option c_long>, + pub create: Option c_int>, + pub destroy: Option c_int>, + pub callback_ctrl: Option c_long>, } } } @@ -39,11 +39,11 @@ extern "C" { #[cfg(not(osslconf = "OPENSSL_NO_STDIO"))] pub fn BIO_new_fp(stream: *mut FILE, close_flag: c_int) -> *mut BIO; #[cfg(any(ossl110, libressl273))] - pub fn BIO_set_data(a: *mut ::BIO, data: *mut c_void); + pub fn BIO_set_data(a: *mut BIO, data: *mut c_void); #[cfg(any(ossl110, libressl273))] - pub fn BIO_get_data(a: *mut ::BIO) -> *mut c_void; + pub fn BIO_get_data(a: *mut BIO) -> *mut c_void; #[cfg(any(ossl110, libressl273))] - pub fn BIO_set_init(a: *mut ::BIO, init: c_int); + pub fn BIO_set_init(a: *mut BIO, init: c_int); pub fn BIO_write(b: *mut BIO, buf: *const c_void, len: c_int) -> c_int; pub fn BIO_read(b: *mut BIO, buf: *mut c_void, len: c_int) -> c_int; pub fn BIO_ctrl(b: *mut BIO, cmd: c_int, larg: c_long, parg: *mut c_void) -> c_long; diff --git a/openssl-sys/src/handwritten/bn.rs b/openssl-sys/src/handwritten/bn.rs index 8e5ae153dd..81348f692a 100644 --- a/openssl-sys/src/handwritten/bn.rs +++ b/openssl-sys/src/handwritten/bn.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; extern "C" { pub fn BN_CTX_new() -> *mut BN_CTX; @@ -31,7 +31,7 @@ extern "C" { pub fn BN_sqr(r: *mut BIGNUM, a: *const BIGNUM, ctx: *mut BN_CTX) -> c_int; pub fn BN_set_negative(bn: *mut BIGNUM, n: c_int); #[cfg(any(ossl110, libressl350))] - pub fn BN_is_negative(b: *const ::BIGNUM) -> c_int; + pub fn BN_is_negative(b: *const BIGNUM) -> c_int; pub fn BN_div( dv: *mut BIGNUM, diff --git a/openssl-sys/src/handwritten/cms.rs b/openssl-sys/src/handwritten/cms.rs index 291bc798b7..7eff2c4d49 100644 --- a/openssl-sys/src/handwritten/cms.rs +++ b/openssl-sys/src/handwritten/cms.rs @@ -1,11 +1,11 @@ +use super::super::*; use libc::*; -use *; pub enum CMS_ContentInfo {} extern "C" { #[cfg(ossl101)] - pub fn CMS_ContentInfo_free(cms: *mut ::CMS_ContentInfo); + pub fn CMS_ContentInfo_free(cms: *mut CMS_ContentInfo); } const_ptr_api! { @@ -18,38 +18,38 @@ const_ptr_api! { extern "C" { #[cfg(ossl101)] pub fn d2i_CMS_ContentInfo( - a: *mut *mut ::CMS_ContentInfo, + a: *mut *mut CMS_ContentInfo, pp: *mut *const c_uchar, length: c_long, - ) -> *mut ::CMS_ContentInfo; + ) -> *mut CMS_ContentInfo; #[cfg(ossl101)] - pub fn SMIME_read_CMS(bio: *mut ::BIO, bcont: *mut *mut ::BIO) -> *mut ::CMS_ContentInfo; + pub fn SMIME_read_CMS(bio: *mut BIO, bcont: *mut *mut BIO) -> *mut CMS_ContentInfo; #[cfg(ossl101)] pub fn CMS_sign( - signcert: *mut ::X509, - pkey: *mut ::EVP_PKEY, - certs: *mut ::stack_st_X509, - data: *mut ::BIO, + signcert: *mut X509, + pkey: *mut EVP_PKEY, + certs: *mut stack_st_X509, + data: *mut BIO, flags: c_uint, - ) -> *mut ::CMS_ContentInfo; + ) -> *mut CMS_ContentInfo; #[cfg(ossl101)] pub fn CMS_encrypt( certs: *mut stack_st_X509, - data: *mut ::BIO, + data: *mut BIO, cipher: *const EVP_CIPHER, flags: c_uint, - ) -> *mut ::CMS_ContentInfo; + ) -> *mut CMS_ContentInfo; #[cfg(ossl101)] pub fn CMS_decrypt( - cms: *mut ::CMS_ContentInfo, - pkey: *mut ::EVP_PKEY, - cert: *mut ::X509, - dcont: *mut ::BIO, - out: *mut ::BIO, + cms: *mut CMS_ContentInfo, + pkey: *mut EVP_PKEY, + cert: *mut X509, + dcont: *mut BIO, + out: *mut BIO, flags: c_uint, ) -> c_int; } diff --git a/openssl-sys/src/handwritten/conf.rs b/openssl-sys/src/handwritten/conf.rs index 9b9d4b26ff..2348d7d4c9 100644 --- a/openssl-sys/src/handwritten/conf.rs +++ b/openssl-sys/src/handwritten/conf.rs @@ -1,4 +1,4 @@ -use *; +use super::super::*; extern "C" { pub fn NCONF_new(meth: *mut CONF_METHOD) -> *mut CONF; diff --git a/openssl-sys/src/handwritten/crypto.rs b/openssl-sys/src/handwritten/crypto.rs index ab17d2fa9e..62ccbce1ec 100644 --- a/openssl-sys/src/handwritten/crypto.rs +++ b/openssl-sys/src/handwritten/crypto.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; stack!(stack_st_void); diff --git a/openssl-sys/src/handwritten/dh.rs b/openssl-sys/src/handwritten/dh.rs index d55326bc80..a4de122eac 100644 --- a/openssl-sys/src/handwritten/dh.rs +++ b/openssl-sys/src/handwritten/dh.rs @@ -1,4 +1,4 @@ -use *; +use super::super::*; extern "C" { pub fn DH_new() -> *mut DH; diff --git a/openssl-sys/src/handwritten/dsa.rs b/openssl-sys/src/handwritten/dsa.rs index c676c6b0ad..be25f23b67 100644 --- a/openssl-sys/src/handwritten/dsa.rs +++ b/openssl-sys/src/handwritten/dsa.rs @@ -1,6 +1,6 @@ use libc::*; -use *; +use super::super::*; cfg_if! { if #[cfg(any(ossl110, libressl280))] { diff --git a/openssl-sys/src/handwritten/ec.rs b/openssl-sys/src/handwritten/ec.rs index ed0b1a7074..6ee475f327 100644 --- a/openssl-sys/src/handwritten/ec.rs +++ b/openssl-sys/src/handwritten/ec.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; #[repr(C)] #[derive(Copy, Clone)] diff --git a/openssl-sys/src/handwritten/err.rs b/openssl-sys/src/handwritten/err.rs index d8f36e4970..5653c1d18a 100644 --- a/openssl-sys/src/handwritten/err.rs +++ b/openssl-sys/src/handwritten/err.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; #[repr(C)] pub struct ERR_STRING_DATA { diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 46e5b88f04..772709650b 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; cfg_if! { if #[cfg(ossl300)] { @@ -344,9 +344,9 @@ extern "C" { #[cfg(ossl110)] pub fn EVP_aes_256_ocb() -> *const EVP_CIPHER; #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] - pub fn EVP_chacha20() -> *const ::EVP_CIPHER; + pub fn EVP_chacha20() -> *const EVP_CIPHER; #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] - pub fn EVP_chacha20_poly1305() -> *const ::EVP_CIPHER; + pub fn EVP_chacha20_poly1305() -> *const EVP_CIPHER; #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] pub fn EVP_seed_cbc() -> *const EVP_CIPHER; #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] diff --git a/openssl-sys/src/handwritten/hmac.rs b/openssl-sys/src/handwritten/hmac.rs index 7cbb7cc9ad..b52d63fb1f 100644 --- a/openssl-sys/src/handwritten/hmac.rs +++ b/openssl-sys/src/handwritten/hmac.rs @@ -1,6 +1,6 @@ use libc::*; -use *; +use super::super::*; cfg_if! { if #[cfg(any(ossl110, libressl350))] { diff --git a/openssl-sys/src/handwritten/kdf.rs b/openssl-sys/src/handwritten/kdf.rs index b8e6c63bb1..0f14b63a9c 100644 --- a/openssl-sys/src/handwritten/kdf.rs +++ b/openssl-sys/src/handwritten/kdf.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; cfg_if! { if #[cfg(ossl300)] { diff --git a/openssl-sys/src/handwritten/object.rs b/openssl-sys/src/handwritten/object.rs index d2c525b806..06e6553433 100644 --- a/openssl-sys/src/handwritten/object.rs +++ b/openssl-sys/src/handwritten/object.rs @@ -1,6 +1,6 @@ use libc::*; -use *; +use super::super::*; extern "C" { pub fn OBJ_nid2ln(nid: c_int) -> *const c_char; diff --git a/openssl-sys/src/handwritten/ocsp.rs b/openssl-sys/src/handwritten/ocsp.rs index bb194c2860..c194a831b9 100644 --- a/openssl-sys/src/handwritten/ocsp.rs +++ b/openssl-sys/src/handwritten/ocsp.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; pub enum OCSP_CERTID {} diff --git a/openssl-sys/src/handwritten/pem.rs b/openssl-sys/src/handwritten/pem.rs index ebce932b6c..42997177e4 100644 --- a/openssl-sys/src/handwritten/pem.rs +++ b/openssl-sys/src/handwritten/pem.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; pub type pem_password_cb = Option< unsafe extern "C" fn( diff --git a/openssl-sys/src/handwritten/pkcs12.rs b/openssl-sys/src/handwritten/pkcs12.rs index 792ab3527a..728c333ad2 100644 --- a/openssl-sys/src/handwritten/pkcs12.rs +++ b/openssl-sys/src/handwritten/pkcs12.rs @@ -1,6 +1,6 @@ use libc::*; -use *; +use super::super::*; pub enum PKCS12 {} diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index fc0239e7b8..78f96ec3e3 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; pub enum PKCS7_SIGNED {} pub enum PKCS7_ENVELOPE {} diff --git a/openssl-sys/src/handwritten/provider.rs b/openssl-sys/src/handwritten/provider.rs index 93eaa072f3..3e18a02be7 100644 --- a/openssl-sys/src/handwritten/provider.rs +++ b/openssl-sys/src/handwritten/provider.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; extern "C" { #[cfg(ossl300)] diff --git a/openssl-sys/src/handwritten/rsa.rs b/openssl-sys/src/handwritten/rsa.rs index d2a1439bee..d05edfc301 100644 --- a/openssl-sys/src/handwritten/rsa.rs +++ b/openssl-sys/src/handwritten/rsa.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; cfg_if! { if #[cfg(ossl300)] { @@ -18,36 +18,31 @@ extern "C" { pub fn RSA_size(k: *const RSA) -> c_int; #[cfg(any(ossl110, libressl273))] - pub fn RSA_set0_key( - r: *mut ::RSA, - n: *mut ::BIGNUM, - e: *mut ::BIGNUM, - d: *mut ::BIGNUM, - ) -> c_int; + pub fn RSA_set0_key(r: *mut RSA, n: *mut BIGNUM, e: *mut BIGNUM, d: *mut BIGNUM) -> c_int; #[cfg(any(ossl110, libressl273))] - pub fn RSA_set0_factors(r: *mut ::RSA, p: *mut ::BIGNUM, q: *mut ::BIGNUM) -> c_int; + pub fn RSA_set0_factors(r: *mut RSA, p: *mut BIGNUM, q: *mut BIGNUM) -> c_int; #[cfg(any(ossl110, libressl273))] pub fn RSA_set0_crt_params( - r: *mut ::RSA, - dmp1: *mut ::BIGNUM, - dmq1: *mut ::BIGNUM, - iqmp: *mut ::BIGNUM, + r: *mut RSA, + dmp1: *mut BIGNUM, + dmq1: *mut BIGNUM, + iqmp: *mut BIGNUM, ) -> c_int; #[cfg(any(ossl110, libressl273))] pub fn RSA_get0_key( - r: *const ::RSA, - n: *mut *const ::BIGNUM, - e: *mut *const ::BIGNUM, - d: *mut *const ::BIGNUM, + r: *const RSA, + n: *mut *const BIGNUM, + e: *mut *const BIGNUM, + d: *mut *const BIGNUM, ); #[cfg(any(ossl110, libressl273))] - pub fn RSA_get0_factors(r: *const ::RSA, p: *mut *const ::BIGNUM, q: *mut *const ::BIGNUM); + pub fn RSA_get0_factors(r: *const RSA, p: *mut *const BIGNUM, q: *mut *const BIGNUM); #[cfg(any(ossl110, libressl273))] pub fn RSA_get0_crt_params( - r: *const ::RSA, - dmp1: *mut *const ::BIGNUM, - dmq1: *mut *const ::BIGNUM, - iqmp: *mut *const ::BIGNUM, + r: *const RSA, + dmp1: *mut *const BIGNUM, + dmq1: *mut *const BIGNUM, + iqmp: *mut *const BIGNUM, ); #[cfg(not(ossl110))] @@ -93,7 +88,7 @@ extern "C" { k: *mut RSA, pad: c_int, ) -> c_int; - pub fn RSA_check_key(r: *const ::RSA) -> c_int; + pub fn RSA_check_key(r: *const RSA) -> c_int; pub fn RSA_free(rsa: *mut RSA); pub fn RSA_up_ref(rsa: *mut RSA) -> c_int; diff --git a/openssl-sys/src/handwritten/sha.rs b/openssl-sys/src/handwritten/sha.rs index 64fe2ce883..7d00b592f1 100644 --- a/openssl-sys/src/handwritten/sha.rs +++ b/openssl-sys/src/handwritten/sha.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; cfg_if! { if #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] { diff --git a/openssl-sys/src/handwritten/srtp.rs b/openssl-sys/src/handwritten/srtp.rs index 7500584be8..d4c7af8ebd 100644 --- a/openssl-sys/src/handwritten/srtp.rs +++ b/openssl-sys/src/handwritten/srtp.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; extern "C" { pub fn SSL_CTX_set_tlsext_use_srtp(ctx: *mut SSL_CTX, profiles: *const c_char) -> c_int; diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index e0c22090e3..a22f58931e 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; pub enum SSL_METHOD {} pub enum SSL_CIPHER {} @@ -13,15 +13,15 @@ cfg_if! { pub master_key_length: c_int, pub master_key: [c_uchar; 48], session_id_length: c_uint, - session_id: [c_uchar; ::SSL_MAX_SSL_SESSION_ID_LENGTH as usize], + session_id: [c_uchar; SSL_MAX_SSL_SESSION_ID_LENGTH as usize], sid_ctx_length: c_uint, - sid_ctx: [c_uchar; ::SSL_MAX_SID_CTX_LENGTH as usize], - peer: *mut ::X509, + sid_ctx: [c_uchar; SSL_MAX_SID_CTX_LENGTH as usize], + peer: *mut X509, verify_result: c_long, timeout: c_long, time: time_t, pub references: c_int, - cipher: *const ::SSL_CIPHER, + cipher: *const SSL_CIPHER, cipher_id: c_long, ciphers: *mut stack_st_SSL_CIPHER, tlsext_hostname: *mut c_char, @@ -50,7 +50,7 @@ cfg_if! { cipher: *const c_void, cipher_id: c_ulong, ciphers: *mut c_void, - ex_data: ::CRYPTO_EX_DATA, + ex_data: CRYPTO_EX_DATA, prev: *mut c_void, next: *mut c_void, tlsext_hostname: *mut c_char, @@ -93,7 +93,7 @@ cfg_if! { cipher: *const c_void, cipher_id: c_ulong, ciphers: *mut c_void, - ex_data: ::CRYPTO_EX_DATA, + ex_data: CRYPTO_EX_DATA, prev: *mut c_void, next: *mut c_void, #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] @@ -156,12 +156,12 @@ pub type tls_session_secret_cb_fn = Option< #[cfg(ossl111)] pub type SSL_custom_ext_add_cb_ex = Option< unsafe extern "C" fn( - ssl: *mut ::SSL, + ssl: *mut SSL, ext_type: c_uint, context: c_uint, out: *mut *const c_uchar, outlen: *mut size_t, - x: *mut ::X509, + x: *mut X509, chainidx: size_t, al: *mut c_int, add_arg: *mut c_void, @@ -171,7 +171,7 @@ pub type SSL_custom_ext_add_cb_ex = Option< #[cfg(ossl111)] pub type SSL_custom_ext_free_cb_ex = Option< unsafe extern "C" fn( - ssl: *mut ::SSL, + ssl: *mut SSL, ext_type: c_uint, context: c_uint, out: *const c_uchar, @@ -182,12 +182,12 @@ pub type SSL_custom_ext_free_cb_ex = Option< #[cfg(ossl111)] pub type SSL_custom_ext_parse_cb_ex = Option< unsafe extern "C" fn( - ssl: *mut ::SSL, + ssl: *mut SSL, ext_type: c_uint, context: c_uint, input: *const c_uchar, inlen: size_t, - x: *mut ::X509, + x: *mut X509, chainidx: size_t, al: *mut c_int, parse_arg: *mut c_void, @@ -228,18 +228,18 @@ cfg_if! { if #[cfg(any(ossl110, libressl280))] { extern "C" { pub fn SSL_CTX_sess_set_get_cb( - ctx: *mut ::SSL_CTX, + ctx: *mut SSL_CTX, get_session_cb: Option< - unsafe extern "C" fn(*mut ::SSL, *const c_uchar, c_int, *mut c_int) -> *mut SSL_SESSION, + unsafe extern "C" fn(*mut SSL, *const c_uchar, c_int, *mut c_int) -> *mut SSL_SESSION, >, ); } } else { extern "C" { pub fn SSL_CTX_sess_set_get_cb( - ctx: *mut ::SSL_CTX, + ctx: *mut SSL_CTX, get_session_cb: Option< - unsafe extern "C" fn(*mut ::SSL, *mut c_uchar, c_int, *mut c_int) -> *mut SSL_SESSION, + unsafe extern "C" fn(*mut SSL, *mut c_uchar, c_int, *mut c_int) -> *mut SSL_SESSION, >, ); } @@ -391,7 +391,7 @@ extern "C" { extern "C" { #[cfg(ossl111)] pub fn SSL_CTX_add_custom_ext( - ctx: *mut ::SSL_CTX, + ctx: *mut SSL_CTX, ext_type: c_uint, context: c_uint, add_cb: SSL_custom_ext_add_cb_ex, @@ -439,8 +439,8 @@ const_ptr_api! { cfg_if! { if #[cfg(libressl261)] { extern "C" { - pub fn SSL_CTX_set_min_proto_version(ctx: *mut ::SSL_CTX, version: u16) -> c_int; - pub fn SSL_CTX_set_max_proto_version(ctx: *mut ::SSL_CTX, version: u16) -> c_int; + pub fn SSL_CTX_set_min_proto_version(ctx: *mut SSL_CTX, version: u16) -> c_int; + pub fn SSL_CTX_set_max_proto_version(ctx: *mut SSL_CTX, version: u16) -> c_int; pub fn SSL_set_min_proto_version(s: *mut SSL, version: u16) -> c_int; pub fn SSL_set_max_proto_version(s: *mut SSL, version: u16) -> c_int; } @@ -450,8 +450,8 @@ cfg_if! { cfg_if! { if #[cfg(libressl270)] { extern "C" { - pub fn SSL_CTX_get_min_proto_version(ctx: *mut ::SSL_CTX) -> c_int; - pub fn SSL_CTX_get_max_proto_version(ctx: *mut ::SSL_CTX) -> c_int; + pub fn SSL_CTX_get_min_proto_version(ctx: *mut SSL_CTX) -> c_int; + pub fn SSL_CTX_get_max_proto_version(ctx: *mut SSL_CTX) -> c_int; pub fn SSL_get_min_proto_version(s: *mut SSL) -> c_int; pub fn SSL_get_max_proto_version(s: *mut SSL) -> c_int; } @@ -477,7 +477,7 @@ const_ptr_api! { } extern "C" { #[cfg(ossl111)] - pub fn SSL_CIPHER_get_handshake_digest(cipher: *const ::SSL_CIPHER) -> *const ::EVP_MD; + pub fn SSL_CIPHER_get_handshake_digest(cipher: *const SSL_CIPHER) -> *const EVP_MD; pub fn SSL_CIPHER_get_name(cipher: *const SSL_CIPHER) -> *const c_char; #[cfg(ossl111)] pub fn SSL_CIPHER_standard_name(cipher: *const SSL_CIPHER) -> *const c_char; @@ -491,7 +491,7 @@ extern "C" { #[cfg(any(ossl111, libressl340))] pub fn SSL_CTX_set_ciphersuites(ctx: *mut SSL_CTX, str: *const c_char) -> c_int; #[cfg(any(ossl111, libressl340))] - pub fn SSL_set_ciphersuites(ssl: *mut ::SSL, str: *const c_char) -> c_int; + pub fn SSL_set_ciphersuites(ssl: *mut SSL, str: *const c_char) -> c_int; pub fn SSL_set_cipher_list(ssl: *mut SSL, s: *const c_char) -> c_int; pub fn SSL_set_ssl_method(s: *mut SSL, method: *const SSL_METHOD) -> c_int; pub fn SSL_set_verify( @@ -643,7 +643,7 @@ extern "C" { pub fn SSL_peek(ssl: *mut SSL, buf: *mut c_void, num: c_int) -> c_int; #[cfg(any(ossl111, libressl340))] pub fn SSL_read_early_data( - s: *mut ::SSL, + s: *mut SSL, buf: *mut c_void, num: size_t, readbytes: *mut size_t, @@ -797,9 +797,9 @@ extern "C" { pub fn SSL_CTX_get_ex_new_index( argl: c_long, argp: *mut c_void, - new_func: Option<::CRYPTO_EX_new>, - dup_func: Option<::CRYPTO_EX_dup>, - free_func: Option<::CRYPTO_EX_free>, + new_func: Option, + dup_func: Option, + free_func: Option, ) -> c_int; pub fn SSL_CTX_set_ex_data(ctx: *mut SSL_CTX, idx: c_int, data: *mut c_void) -> c_int; @@ -826,13 +826,9 @@ extern "C" { #[cfg(not(ossl110))] #[link_name = "SSL_CTX_set_tmp_ecdh_callback"] pub fn SSL_CTX_set_tmp_ecdh_callback__fixed_rust( - ctx: *mut ::SSL_CTX, + ctx: *mut SSL_CTX, ecdh: Option< - unsafe extern "C" fn( - ssl: *mut ::SSL, - is_export: c_int, - keylength: c_int, - ) -> *mut ::EC_KEY, + unsafe extern "C" fn(ssl: *mut SSL, is_export: c_int, keylength: c_int) -> *mut EC_KEY, >, ); #[cfg(not(ossl110))] diff --git a/openssl-sys/src/handwritten/tls1.rs b/openssl-sys/src/handwritten/tls1.rs index a54dcbc80d..8cf992fbce 100644 --- a/openssl-sys/src/handwritten/tls1.rs +++ b/openssl-sys/src/handwritten/tls1.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; extern "C" { pub fn SSL_get_servername(ssl: *const SSL, name_type: c_int) -> *const c_char; @@ -17,7 +17,7 @@ extern "C" { #[cfg(ossl111)] pub fn SSL_export_keying_material_early( - s: *mut ::SSL, + s: *mut SSL, out: *mut c_uchar, olen: size_t, label: *const c_char, diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index 476578c051..b229a37597 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -1,7 +1,7 @@ use libc::*; #[allow(unused_imports)] -use *; +use super::super::*; pub enum ASN1_INTEGER {} pub enum ASN1_GENERALIZEDTIME {} @@ -136,22 +136,22 @@ cfg_if! { pub struct DH { pub pad: c_int, pub version: c_int, - pub p: *mut ::BIGNUM, - pub g: *mut ::BIGNUM, + pub p: *mut BIGNUM, + pub g: *mut BIGNUM, pub length: c_long, - pub pub_key: *mut ::BIGNUM, - pub priv_key: *mut ::BIGNUM, + pub pub_key: *mut BIGNUM, + pub priv_key: *mut BIGNUM, pub flags: c_int, - pub method_mont_p: *mut ::BN_MONT_CTX, - pub q: *mut ::BIGNUM, - pub j: *mut ::BIGNUM, + pub method_mont_p: *mut BN_MONT_CTX, + pub q: *mut BIGNUM, + pub j: *mut BIGNUM, pub seed: *mut c_uchar, pub seedlen: c_int, - pub counter: *mut ::BIGNUM, + pub counter: *mut BIGNUM, pub references: c_int, - pub ex_data: ::CRYPTO_EX_DATA, - pub meth: *const ::DH_METHOD, - pub engine: *mut ::ENGINE, + pub ex_data: CRYPTO_EX_DATA, + pub meth: *const DH_METHOD, + pub engine: *mut ENGINE, } } } @@ -194,57 +194,57 @@ cfg_if! { pub struct RSA { pub pad: c_int, pub version: c_long, - pub meth: *const ::RSA_METHOD, + pub meth: *const RSA_METHOD, - pub engine: *mut ::ENGINE, - pub n: *mut ::BIGNUM, - pub e: *mut ::BIGNUM, - pub d: *mut ::BIGNUM, - pub p: *mut ::BIGNUM, - pub q: *mut ::BIGNUM, - pub dmp1: *mut ::BIGNUM, - pub dmq1: *mut ::BIGNUM, - pub iqmp: *mut ::BIGNUM, + pub engine: *mut ENGINE, + pub n: *mut BIGNUM, + pub e: *mut BIGNUM, + pub d: *mut BIGNUM, + pub p: *mut BIGNUM, + pub q: *mut BIGNUM, + pub dmp1: *mut BIGNUM, + pub dmq1: *mut BIGNUM, + pub iqmp: *mut BIGNUM, - pub ex_data: ::CRYPTO_EX_DATA, + pub ex_data: CRYPTO_EX_DATA, pub references: c_int, pub flags: c_int, - pub _method_mod_n: *mut ::BN_MONT_CTX, - pub _method_mod_p: *mut ::BN_MONT_CTX, - pub _method_mod_q: *mut ::BN_MONT_CTX, + pub _method_mod_n: *mut BN_MONT_CTX, + pub _method_mod_p: *mut BN_MONT_CTX, + pub _method_mod_q: *mut BN_MONT_CTX, - pub blinding: *mut ::BN_BLINDING, - pub mt_blinding: *mut ::BN_BLINDING, + pub blinding: *mut BN_BLINDING, + pub mt_blinding: *mut BN_BLINDING, } } else { #[repr(C)] pub struct RSA { pub pad: c_int, pub version: c_long, - pub meth: *const ::RSA_METHOD, + pub meth: *const RSA_METHOD, - pub engine: *mut ::ENGINE, - pub n: *mut ::BIGNUM, - pub e: *mut ::BIGNUM, - pub d: *mut ::BIGNUM, - pub p: *mut ::BIGNUM, - pub q: *mut ::BIGNUM, - pub dmp1: *mut ::BIGNUM, - pub dmq1: *mut ::BIGNUM, - pub iqmp: *mut ::BIGNUM, + pub engine: *mut ENGINE, + pub n: *mut BIGNUM, + pub e: *mut BIGNUM, + pub d: *mut BIGNUM, + pub p: *mut BIGNUM, + pub q: *mut BIGNUM, + pub dmp1: *mut BIGNUM, + pub dmq1: *mut BIGNUM, + pub iqmp: *mut BIGNUM, - pub ex_data: ::CRYPTO_EX_DATA, + pub ex_data: CRYPTO_EX_DATA, pub references: c_int, pub flags: c_int, - pub _method_mod_n: *mut ::BN_MONT_CTX, - pub _method_mod_p: *mut ::BN_MONT_CTX, - pub _method_mod_q: *mut ::BN_MONT_CTX, + pub _method_mod_n: *mut BN_MONT_CTX, + pub _method_mod_p: *mut BN_MONT_CTX, + pub _method_mod_q: *mut BN_MONT_CTX, pub bignum_data: *mut c_char, - pub blinding: *mut ::BN_BLINDING, - pub mt_blinding: *mut ::BN_BLINDING, + pub blinding: *mut BN_BLINDING, + pub mt_blinding: *mut BN_BLINDING, } } } @@ -259,12 +259,12 @@ cfg_if! { #[repr(C)] pub struct X509 { pub cert_info: *mut X509_CINF, - pub sig_alg: *mut ::X509_ALGOR, - pub signature: *mut ::ASN1_BIT_STRING, + pub sig_alg: *mut X509_ALGOR, + pub signature: *mut ASN1_BIT_STRING, pub valid: c_int, pub references: c_int, pub name: *mut c_char, - pub ex_data: ::CRYPTO_EX_DATA, + pub ex_data: CRYPTO_EX_DATA, pub ex_pathlen: c_long, pub ex_pcpathlen: c_long, pub ex_flags: c_ulong, @@ -319,7 +319,7 @@ cfg_if! { } else { #[repr(C)] pub struct X509_ALGOR { - pub algorithm: *mut ::ASN1_OBJECT, + pub algorithm: *mut ASN1_OBJECT, parameter: *mut c_void, } } @@ -460,10 +460,10 @@ cfg_if! { #[repr(C)] pub struct SSL { version: c_int, - method: *const ::SSL_METHOD, - rbio: *mut ::BIO, - wbio: *mut ::BIO, - bbio: *mut ::BIO, + method: *const SSL_METHOD, + rbio: *mut BIO, + wbio: *mut BIO, + bbio: *mut BIO, pub server: c_int, s3: *mut c_void, d1: *mut c_void, @@ -471,20 +471,20 @@ cfg_if! { cipher_list: *mut stack_st_SSL_CIPHER, cert: *mut c_void, sid_ctx_length: c_uint, - sid_ctx: [c_uchar; ::SSL_MAX_SID_CTX_LENGTH as usize], - session: *mut ::SSL_SESSION, + sid_ctx: [c_uchar; SSL_MAX_SID_CTX_LENGTH as usize], + session: *mut SSL_SESSION, verify_mode: c_int, error: c_int, error_code: c_int, - ctx: *mut ::SSL_CTX, + ctx: *mut SSL_CTX, verify_result: c_long, references: c_int, client_version: c_int, max_send_fragment: c_uint, tlsext_hostname: *mut c_char, tlsext_status_type: c_int, - initial_ctx: *mut ::SSL_CTX, - enc_read_ctx: *mut ::EVP_CIPHER_CTX, + initial_ctx: *mut SSL_CTX, + enc_read_ctx: *mut EVP_CIPHER_CTX, read_hash: *mut EVP_MD_CTX, internal: *mut c_void, } @@ -493,7 +493,7 @@ cfg_if! { pub struct SSL { version: c_int, type_: c_int, - method: *const ::SSL_METHOD, + method: *const SSL_METHOD, rbio: *mut c_void, wbio: *mut c_void, bbio: *mut c_void, @@ -531,25 +531,25 @@ cfg_if! { cipher_list_by_id: *mut stack_st_SSL_CIPHER, mac_flags: c_int, aead_read_ctx: *mut c_void, - enc_read_ctx: *mut ::EVP_CIPHER_CTX, - read_hash: *mut ::EVP_MD_CTX, + enc_read_ctx: *mut EVP_CIPHER_CTX, + read_hash: *mut EVP_MD_CTX, aead_write_ctx: *mut c_void, - enc_write_ctx: *mut ::EVP_CIPHER_CTX, - write_hash: *mut ::EVP_MD_CTX, + enc_write_ctx: *mut EVP_CIPHER_CTX, + write_hash: *mut EVP_MD_CTX, cert: *mut c_void, sid_ctx_length: c_uint, - sid_ctx: [c_uchar; ::SSL_MAX_SID_CTX_LENGTH as usize], - session: *mut ::SSL_SESSION, - generate_session_id: ::GEN_SESSION_CB, + sid_ctx: [c_uchar; SSL_MAX_SID_CTX_LENGTH as usize], + session: *mut SSL_SESSION, + generate_session_id: GEN_SESSION_CB, verify_mode: c_int, - verify_callback: Option c_int>, + verify_callback: Option c_int>, info_callback: Option, error: c_int, error_code: c_int, - ctx: *mut ::SSL_CTX, + ctx: *mut SSL_CTX, debug: c_int, verify_result: c_long, - ex_data: ::CRYPTO_EX_DATA, + ex_data: CRYPTO_EX_DATA, client_CA: *mut stack_st_X509_NAME, references: c_int, options: c_ulong, @@ -575,11 +575,11 @@ cfg_if! { tlsext_ellipticcurvelist_length: size_t, tlsext_ellipticcurvelist: *mut c_uchar, tlsext_session_ticket: *mut c_void, - tlsext_session_ticket_ext_cb: ::tls_session_ticket_ext_cb_fn, + tlsext_session_ticket_ext_cb: tls_session_ticket_ext_cb_fn, tls_session_ticket_ext_cb_arg: *mut c_void, - tls_session_secret_cb: ::tls_session_secret_cb_fn, + tls_session_secret_cb: tls_session_secret_cb_fn, tls_session_secret_cb_arg: *mut c_void, - initial_ctx: *mut ::SSL_CTX, + initial_ctx: *mut SSL_CTX, next_proto_negotiated: *mut c_uchar, next_proto_negotiated_len: c_uchar, srtp_profiles: *mut c_void, @@ -596,7 +596,7 @@ cfg_if! { pub struct SSL { version: c_int, type_: c_int, - method: *const ::SSL_METHOD, + method: *const SSL_METHOD, rbio: *mut c_void, wbio: *mut c_void, bbio: *mut c_void, @@ -628,19 +628,19 @@ cfg_if! { cipher_list: *mut stack_st_SSL_CIPHER, cipher_list_by_id: *mut stack_st_SSL_CIPHER, mac_flags: c_int, - enc_read_ctx: *mut ::EVP_CIPHER_CTX, - read_hash: *mut ::EVP_MD_CTX, + enc_read_ctx: *mut EVP_CIPHER_CTX, + read_hash: *mut EVP_MD_CTX, expand: *mut c_void, - enc_write_ctx: *mut ::EVP_CIPHER_CTX, - write_hash: *mut ::EVP_MD_CTX, + enc_write_ctx: *mut EVP_CIPHER_CTX, + write_hash: *mut EVP_MD_CTX, compress: *mut c_void, cert: *mut c_void, sid_ctx_length: c_uint, - sid_ctx: [c_uchar; ::SSL_MAX_SID_CTX_LENGTH as usize], - session: *mut ::SSL_SESSION, - generate_session_id: ::GEN_SESSION_CB, + sid_ctx: [c_uchar; SSL_MAX_SID_CTX_LENGTH as usize], + session: *mut SSL_SESSION, + generate_session_id: GEN_SESSION_CB, verify_mode: c_int, - verify_callback: Option c_int>, + verify_callback: Option c_int>, info_callback: Option, error: c_int, error_code: c_int, @@ -654,10 +654,10 @@ cfg_if! { #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] psk_server_callback: Option c_uint>, - ctx: *mut ::SSL_CTX, + ctx: *mut SSL_CTX, debug: c_int, verify_result: c_long, - ex_data: ::CRYPTO_EX_DATA, + ex_data: CRYPTO_EX_DATA, client_CA: *mut stack_st_X509_NAME, references: c_int, options: c_ulong, @@ -716,15 +716,15 @@ cfg_if! { #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_session_ticket: *mut c_void, #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_session_ticket_ext_cb: ::tls_session_ticket_ext_cb_fn, + tlsext_session_ticket_ext_cb: tls_session_ticket_ext_cb_fn, #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tls_session_ticket_ext_cb_arg: *mut c_void, #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tls_session_secret_cb: ::tls_session_secret_cb_fn, + tls_session_secret_cb: tls_session_secret_cb_fn, #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tls_session_secret_cb_arg: *mut c_void, #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - initial_ctx: *mut ::SSL_CTX, + initial_ctx: *mut SSL_CTX, #[cfg(all( not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_NEXTPROTONEG") @@ -747,7 +747,7 @@ cfg_if! { tlsext_hb_seq: c_uint, renegotiate: c_int, #[cfg(not(osslconf = "OPENSSL_NO_SRP"))] - srp_ctx: ::SRP_CTX, + srp_ctx: SRP_CTX, #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] alpn_client_proto_list: *mut c_uchar, #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] @@ -761,7 +761,7 @@ cfg_if! { } else if #[cfg(libressl251)] { #[repr(C)] pub struct SSL_CTX { - method: *const ::SSL_METHOD, + method: *const SSL_METHOD, cipher_list: *mut stack_st_SSL_CIPHER, cert_store: *mut c_void, session_timeout: c_long, @@ -769,8 +769,8 @@ cfg_if! { extra_certs: *mut stack_st_X509, verify_mode: c_int, sid_ctx_length: c_uint, - sid_ctx: [c_uchar; ::SSL_MAX_SID_CTX_LENGTH as usize], - param: *mut ::X509_VERIFY_PARAM, + sid_ctx: [c_uchar; SSL_MAX_SID_CTX_LENGTH as usize], + param: *mut X509_VERIFY_PARAM, default_passwd_callback: *mut c_void, default_passwd_callback_userdata: *mut c_void, internal: *mut c_void, @@ -800,7 +800,7 @@ cfg_if! { client_cert_cb: *mut c_void, app_gen_cookie_cb: *mut c_void, app_verify_cookie_cb: *mut c_void, - ex_dat: ::CRYPTO_EX_DATA, + ex_dat: CRYPTO_EX_DATA, rsa_md5: *mut c_void, md5: *mut c_void, sha1: *mut c_void, @@ -870,7 +870,7 @@ cfg_if! { client_cert_cb: *mut c_void, app_gen_cookie_cb: *mut c_void, app_verify_cookie_cb: *mut c_void, - ex_dat: ::CRYPTO_EX_DATA, + ex_dat: CRYPTO_EX_DATA, rsa_md5: *mut c_void, md5: *mut c_void, sha1: *mut c_void, @@ -1058,7 +1058,7 @@ cfg_if! { } else if #[cfg(libressl)] { #[repr(C)] pub struct CRYPTO_EX_DATA { - pub sk: *mut ::stack_st_void, + pub sk: *mut stack_st_void, } } else { #[repr(C)] diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 047f3df262..8762e5f98d 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; #[repr(C)] pub struct X509_VAL { @@ -24,8 +24,8 @@ cfg_if! { #[repr(C)] pub struct X509_REQ_INFO { pub enc: ASN1_ENCODING, - pub version: *mut ::ASN1_INTEGER, - pub subject: *mut ::X509_NAME, + pub version: *mut ASN1_INTEGER, + pub subject: *mut X509_NAME, pubkey: *mut c_void, pub attributes: *mut stack_st_X509_ATTRIBUTE, } @@ -313,26 +313,26 @@ const_ptr_api! { } } extern "C" { - pub fn X509_issuer_name_hash(x: *mut ::X509) -> c_ulong; - pub fn X509_subject_name_hash(x: *mut ::X509) -> c_ulong; + pub fn X509_issuer_name_hash(x: *mut X509) -> c_ulong; + pub fn X509_subject_name_hash(x: *mut X509) -> c_ulong; } const_ptr_api! { extern "C" { - pub fn X509_get_issuer_name(x: #[const_ptr_if(any(ossl110, libressl280))] ::X509) -> *mut ::X509_NAME; + pub fn X509_get_issuer_name(x: #[const_ptr_if(any(ossl110, libressl280))] X509) -> *mut X509_NAME; pub fn X509_set_subject_name(x: *mut X509, name: #[const_ptr_if(ossl300)] X509_NAME) -> c_int; - pub fn X509_get_subject_name(x: #[const_ptr_if(any(ossl110, libressl280))] ::X509) -> *mut ::X509_NAME; + pub fn X509_get_subject_name(x: #[const_ptr_if(any(ossl110, libressl280))] X509) -> *mut X509_NAME; } } cfg_if! { if #[cfg(any(ossl110, libressl350))] { extern "C" { - pub fn X509_set1_notBefore(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int; - pub fn X509_set1_notAfter(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int; + pub fn X509_set1_notBefore(x: *mut X509, tm: *const ASN1_TIME) -> c_int; + pub fn X509_set1_notAfter(x: *mut X509, tm: *const ASN1_TIME) -> c_int; } } else { extern "C" { - pub fn X509_set_notBefore(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int; - pub fn X509_set_notAfter(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int; + pub fn X509_set_notBefore(x: *mut X509, tm: *const ASN1_TIME) -> c_int; + pub fn X509_set_notAfter(x: *mut X509, tm: *const ASN1_TIME) -> c_int; } } } @@ -414,7 +414,7 @@ extern "C" { pub fn X509_CRL_get_issuer(x: *const X509_CRL) -> *mut X509_NAME; #[cfg(ossl110)] - pub fn X509_get0_extensions(req: *const ::X509) -> *const stack_st_X509_EXTENSION; + pub fn X509_get0_extensions(req: *const X509) -> *const stack_st_X509_EXTENSION; pub fn X509_CRL_set_version(crl: *mut X509_CRL, version: c_long) -> c_int; } @@ -559,7 +559,7 @@ const_ptr_api! { pub fn X509_get_ext_by_critical(x: #[const_ptr_if(any(ossl110, libressl280))] X509, crit: c_int, lastpos: c_int) -> c_int; pub fn X509_get_ext(x: #[const_ptr_if(any(ossl110, libressl280))] X509, loc: c_int) -> *mut X509_EXTENSION; pub fn X509_get_ext_d2i( - x: #[const_ptr_if(any(ossl110, libressl280))] ::X509, + x: #[const_ptr_if(any(ossl110, libressl280))] X509, nid: c_int, crit: *mut c_int, idx: *mut c_int, @@ -571,7 +571,7 @@ const_ptr_api! { pub fn X509_CRL_get_ext_by_critical(x: #[const_ptr_if(any(ossl110, libressl280))] X509_CRL, crit: c_int, lastpos: c_int) -> c_int; pub fn X509_CRL_get_ext(x: #[const_ptr_if(any(ossl110, libressl280))] X509_CRL, loc: c_int) -> *mut X509_EXTENSION; pub fn X509_CRL_get_ext_d2i( - x: #[const_ptr_if(any(ossl110, libressl280))] ::X509_CRL, + x: #[const_ptr_if(any(ossl110, libressl280))] X509_CRL, nid: c_int, crit: *mut c_int, idx: *mut c_int, @@ -583,7 +583,7 @@ const_ptr_api! { pub fn X509_REVOKED_get_ext_by_critical(x: #[const_ptr_if(any(ossl110, libressl280))] X509_REVOKED, crit: c_int, lastpos: c_int) -> c_int; pub fn X509_REVOKED_get_ext(x: #[const_ptr_if(any(ossl110, libressl280))] X509_REVOKED, loc: c_int) -> *mut X509_EXTENSION; pub fn X509_REVOKED_get_ext_d2i( - x: #[const_ptr_if(any(ossl110, libressl280))] ::X509_REVOKED, + x: #[const_ptr_if(any(ossl110, libressl280))] X509_REVOKED, nid: c_int, crit: *mut c_int, idx: *mut c_int, diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs index 48e6371c46..9adf63fa0e 100644 --- a/openssl-sys/src/handwritten/x509_vfy.rs +++ b/openssl-sys/src/handwritten/x509_vfy.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; #[cfg(any(libressl, all(ossl102, not(ossl110))))] pub enum X509_VERIFY_PARAM_ID {} diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index a47b815ad9..d0923e32b2 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; pub enum CONF_METHOD {} diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 0d6676827e..b1d51a8580 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -1,6 +1,7 @@ #![allow( clippy::missing_safety_doc, clippy::unreadable_literal, + clippy::uninlined_format_args, clippy::upper_case_acronyms, dead_code, non_camel_case_types, @@ -130,7 +131,7 @@ mod openssl { ) { let mutex = &(*MUTEXES)[n as usize]; - if mode & ::CRYPTO_LOCK != 0 { + if mode & CRYPTO_LOCK != 0 { (*GUARDS)[n as usize] = Some(mutex.lock().unwrap()); } else { if let None = (*GUARDS)[n as usize].take() { @@ -165,7 +166,7 @@ mod openssl { SSL_load_error_strings(); OPENSSL_add_all_algorithms_noconf(); - let num_locks = ::CRYPTO_num_locks(); + let num_locks = CRYPTO_num_locks(); let mut mutexes = Box::new(Vec::new()); for _ in 0..num_locks { mutexes.push(Mutex::new(())); diff --git a/openssl-sys/src/macros.rs b/openssl-sys/src/macros.rs index cb675f6e41..e1b08c467a 100644 --- a/openssl-sys/src/macros.rs +++ b/openssl-sys/src/macros.rs @@ -63,7 +63,7 @@ macro_rules! stack { } else { #[repr(C)] pub struct $t { - pub stack: ::_STACK, + pub stack: $crate::_STACK, } } } diff --git a/openssl-sys/src/ocsp.rs b/openssl-sys/src/ocsp.rs index 7efac4d449..fc0db39e90 100644 --- a/openssl-sys/src/ocsp.rs +++ b/openssl-sys/src/ocsp.rs @@ -1,7 +1,5 @@ use libc::*; -use *; - pub const OCSP_REVOKED_STATUS_NOSTATUS: c_int = -1; pub const OCSP_REVOKED_STATUS_UNSPECIFIED: c_int = 0; pub const OCSP_REVOKED_STATUS_KEYCOMPROMISE: c_int = 1; diff --git a/openssl-sys/src/pem.rs b/openssl-sys/src/pem.rs index 2a05ad58cd..f7dd8ac30d 100644 --- a/openssl-sys/src/pem.rs +++ b/openssl-sys/src/pem.rs @@ -1,5 +1,3 @@ use libc::*; -use *; - pub const PEM_R_NO_START_LINE: c_int = 108; diff --git a/openssl-sys/src/pkcs7.rs b/openssl-sys/src/pkcs7.rs index 188693f9f2..0a56225a91 100644 --- a/openssl-sys/src/pkcs7.rs +++ b/openssl-sys/src/pkcs7.rs @@ -1,7 +1,5 @@ use libc::*; -use *; - pub const PKCS7_TEXT: c_int = 0x1; pub const PKCS7_NOCERTS: c_int = 0x2; pub const PKCS7_NOSIGS: c_int = 0x4; diff --git a/openssl-sys/src/rsa.rs b/openssl-sys/src/rsa.rs index 351ac84c03..ff30cf1e23 100644 --- a/openssl-sys/src/rsa.rs +++ b/openssl-sys/src/rsa.rs @@ -1,7 +1,7 @@ use libc::*; use std::ptr; -use *; +use super::super::*; pub const RSA_F4: c_long = 0x10001; diff --git a/openssl-sys/src/sha.rs b/openssl-sys/src/sha.rs index 8b77f546c6..4ad0c17cda 100644 --- a/openssl-sys/src/sha.rs +++ b/openssl-sys/src/sha.rs @@ -1,6 +1,6 @@ +use super::*; use libc::*; use std::ptr; -use *; #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] pub const SHA_LBLOCK: c_int = 16; diff --git a/openssl-sys/src/srtp.rs b/openssl-sys/src/srtp.rs index 78298d23ec..93c77970c9 100644 --- a/openssl-sys/src/srtp.rs +++ b/openssl-sys/src/srtp.rs @@ -1,7 +1,5 @@ use libc::*; -use *; - pub const SRTP_AES128_CM_SHA1_80: c_ulong = 0x0001; pub const SRTP_AES128_CM_SHA1_32: c_ulong = 0x0002; pub const SRTP_AES128_F8_SHA1_80: c_ulong = 0x0003; diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs index c66e42c2c9..e812673333 100644 --- a/openssl-sys/src/ssl.rs +++ b/openssl-sys/src/ssl.rs @@ -1,7 +1,7 @@ use libc::*; use std::ptr; -use *; +use super::*; #[cfg(not(ossl110))] pub const SSL_MAX_KRB5_PRINCIPAL_LENGTH: c_int = 256; @@ -415,7 +415,7 @@ cfg_if! { } #[cfg(ossl102)] -pub unsafe fn SSL_add0_chain_cert(ssl: *mut ::SSL, ptr: *mut X509) -> c_long { +pub unsafe fn SSL_add0_chain_cert(ssl: *mut SSL, ptr: *mut X509) -> c_long { SSL_ctrl(ssl, SSL_CTRL_CHAIN_CERT, 0, ptr as *mut c_void) } @@ -440,7 +440,7 @@ pub unsafe fn SSL_CTX_set_ecdh_auto(ctx: *mut SSL_CTX, onoff: c_int) -> c_int { } #[cfg(any(libressl, all(ossl102, not(ossl110))))] -pub unsafe fn SSL_set_ecdh_auto(ssl: *mut ::SSL, onoff: c_int) -> c_int { +pub unsafe fn SSL_set_ecdh_auto(ssl: *mut SSL, onoff: c_int) -> c_int { SSL_ctrl( ssl, SSL_CTRL_SET_ECDH_AUTO, @@ -579,12 +579,12 @@ extern "C" { #[deprecated(note = "use SSL_CTX_set_tmp_ecdh_callback__fixed_rust instead")] #[cfg(not(ossl110))] pub fn SSL_CTX_set_tmp_ecdh_callback( - ctx: *mut ::SSL_CTX, + ctx: *mut SSL_CTX, ecdh: unsafe extern "C" fn( - ssl: *mut ::SSL, + ssl: *mut SSL, is_export: c_int, keylength: c_int, - ) -> *mut ::EC_KEY, + ) -> *mut EC_KEY, ); #[deprecated(note = "use SSL_set_tmp_ecdh_callback__fixed_rust instead")] #[cfg(not(ossl110))] diff --git a/openssl-sys/src/tls1.rs b/openssl-sys/src/tls1.rs index d02f5c0497..f7ae302046 100644 --- a/openssl-sys/src/tls1.rs +++ b/openssl-sys/src/tls1.rs @@ -2,7 +2,7 @@ use libc::*; use std::mem; use std::ptr; -use *; +use super::*; pub const TLS1_VERSION: c_int = 0x301; pub const TLS1_1_VERSION: c_int = 0x302; diff --git a/openssl-sys/src/types.rs b/openssl-sys/src/types.rs index dbf11291af..10c8f6771a 100644 --- a/openssl-sys/src/types.rs +++ b/openssl-sys/src/types.rs @@ -1,5 +1,6 @@ use libc::*; -use *; + +use super::*; cfg_if! { if #[cfg(any(ossl110, libressl280))] { diff --git a/openssl-sys/src/x509.rs b/openssl-sys/src/x509.rs index 0263c00b69..714b06c9bc 100644 --- a/openssl-sys/src/x509.rs +++ b/openssl-sys/src/x509.rs @@ -1,7 +1,5 @@ use libc::*; -use *; - pub const X509_FILETYPE_PEM: c_int = 1; pub const X509_FILETYPE_ASN1: c_int = 2; pub const X509_FILETYPE_DEFAULT: c_int = 3; diff --git a/openssl-sys/src/x509_vfy.rs b/openssl-sys/src/x509_vfy.rs index 455a748b52..2fa176fed5 100644 --- a/openssl-sys/src/x509_vfy.rs +++ b/openssl-sys/src/x509_vfy.rs @@ -1,6 +1,6 @@ use libc::*; -use *; +use super::*; pub const X509_V_OK: c_int = 0; #[cfg(ossl102f)] diff --git a/openssl-sys/src/x509v3.rs b/openssl-sys/src/x509v3.rs index ed135fa99b..5ae4439083 100644 --- a/openssl-sys/src/x509v3.rs +++ b/openssl-sys/src/x509v3.rs @@ -1,6 +1,6 @@ use libc::*; -use *; +use super::*; #[repr(C)] pub struct GENERAL_NAME { diff --git a/openssl/build.rs b/openssl/build.rs index fc6492292c..7651429f38 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -1,4 +1,8 @@ -#![allow(clippy::inconsistent_digit_grouping, clippy::unusual_byte_groupings)] +#![allow( + clippy::inconsistent_digit_grouping, + clippy::uninlined_format_args, + clippy::unusual_byte_groupings +)] use std::env; diff --git a/openssl/examples/mk_certs.rs b/openssl/examples/mk_certs.rs index e944af06bc..48538c7a74 100644 --- a/openssl/examples/mk_certs.rs +++ b/openssl/examples/mk_certs.rs @@ -1,3 +1,5 @@ +#![allow(clippy::uninlined_format_args)] + //! A program that generates ca certs, certs verified by the ca, and public //! and private keys. diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 035c90c682..8988f4c3c0 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -119,6 +119,7 @@ //! ``` #![doc(html_root_url = "https://docs.rs/openssl/0.10")] #![warn(rust_2018_idioms)] +#![allow(clippy::uninlined_format_args)] #[doc(inline)] pub use ffi::init; diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 9cfda48105..51738651c6 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -711,7 +711,7 @@ mod test { #[cfg(not(boringssl))] fn test_hmac(ty: MessageDigest, tests: &[(Vec, Vec, Vec)]) { - for &(ref key, ref data, ref res) in tests.iter() { + for (key, data, res) in tests.iter() { let pkey = PKey::hmac(key).unwrap(); let mut signer = Signer::new(ty, &pkey).unwrap(); signer.update(data).unwrap(); diff --git a/systest/build.rs b/systest/build.rs index e54438114b..34677d204f 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -1,3 +1,5 @@ +#![allow(clippy::uninlined_format_args)] + use std::env; #[allow(clippy::inconsistent_digit_grouping, clippy::unusual_byte_groupings)] From c03d56cf81860357316ed9a60c8bd6e7dfdee740 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 6 Feb 2023 20:23:05 -0500 Subject: [PATCH 097/341] Add a 3.1.0-beta1 CI build --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3b7b4dc9cc..3b70429224 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -156,6 +156,9 @@ jobs: version: 5697a9202615925696f8dc7f4e286d44d474769e - name: openssl version: vendored + - name: openssl + version: 3.1.0-beta1 + dl-path: / - name: openssl version: 3.0.7 dl-path: / From 26fc7974e0b1f620a2a3788e93c811202a29ba33 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Wed, 8 Feb 2023 09:16:39 -0500 Subject: [PATCH 098/341] Bump CI versions --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3b70429224..43abdf7a69 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -160,10 +160,10 @@ jobs: version: 3.1.0-beta1 dl-path: / - name: openssl - version: 3.0.7 + version: 3.0.8 dl-path: / - name: openssl - version: 1.1.1s + version: 1.1.1t dl-path: / - name: openssl version: 1.1.0l From 3bf2b3a90532476ba6e480ab7ab63620fff437cf Mon Sep 17 00:00:00 2001 From: Maurice Lam Date: Fri, 10 Feb 2023 02:08:10 +0000 Subject: [PATCH 099/341] Expand documentation on PkeyCtxRef's HKDF APIs --- openssl/src/pkey_ctx.rs | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index f79372fb11..c9eb1ec744 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -84,8 +84,23 @@ pub struct HkdfMode(c_int); #[cfg(ossl111)] impl HkdfMode { + /// This is the default mode. Calling [`derive`][PkeyCtxRef::derive] on a [`PkeyCtxRef`] set up + /// for HKDF will perform an extract followed by an expand operation in one go. The derived key + /// returned will be the result after the expand operation. The intermediate fixed-length + /// pseudorandom key K is not returned. pub const EXTRACT_THEN_EXPAND: Self = HkdfMode(ffi::EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND); + + /// In this mode calling [`derive`][PkeyCtxRef::derive] will just perform the extract operation. + /// The value returned will be the intermediate fixed-length pseudorandom key K. + /// + /// The digest, key and salt values must be set before a key is derived or an error occurs. pub const EXTRACT_ONLY: Self = HkdfMode(ffi::EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY); + + /// In this mode calling [`derive`][PkeyCtxRef::derive] will just perform the expand operation. + /// The input key should be set to the intermediate fixed-length pseudorandom key K returned + /// from a previous extract operation. + /// + /// The digest, key and info values must be set before a key is derived or an error occurs. pub const EXPAND_ONLY: Self = HkdfMode(ffi::EVP_PKEY_HKDEF_MODE_EXPAND_ONLY); } @@ -487,6 +502,10 @@ impl PkeyCtxRef { /// /// Defaults to [`HkdfMode::EXTRACT_THEN_EXPAND`]. /// + /// WARNING: Although this API calls it a "mode", HKDF-Extract and HKDF-Expand are distinct + /// operations with distinct inputs and distinct kinds of keys. Callers should not pass input + /// secrets for one operation into the other. + /// /// Requires OpenSSL 1.1.1 or newer. #[corresponds(EVP_PKEY_CTX_set_hkdf_mode)] #[cfg(ossl111)] @@ -499,7 +518,12 @@ impl PkeyCtxRef { Ok(()) } - /// Sets the input keying material for HKDF generation. + /// Sets the input material for HKDF generation as the "key". + /// + /// Which input is the key depends on the "mode" (see [`set_hkdf_mode`][Self::set_hkdf_mode]). + /// If [`HkdfMode::EXTRACT_THEN_EXPAND`] or [`HkdfMode::EXTRACT_ONLY`], this function specifies + /// the input keying material (IKM) for HKDF-Extract. If [`HkdfMode::EXPAND_ONLY`], it instead + /// specifies the pseudorandom key (PRK) for HKDF-Expand. /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_key)] @@ -521,6 +545,8 @@ impl PkeyCtxRef { /// Sets the salt value for HKDF generation. /// + /// If performing HKDF-Expand only, this parameter is ignored. + /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_salt)] #[cfg(ossl110)] @@ -541,6 +567,8 @@ impl PkeyCtxRef { /// Appends info bytes for HKDF generation. /// + /// If performing HKDF-Extract only, this parameter is ignored. + /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_add1_hkdf_info)] #[cfg(ossl110)] From cc826a562b39b42d472f579f6809cb7014eab769 Mon Sep 17 00:00:00 2001 From: Maurice Lam Date: Fri, 10 Feb 2023 18:33:58 +0000 Subject: [PATCH 100/341] Run cargo fmt --- openssl/src/pkey_ctx.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index c9eb1ec744..42289b9f48 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -568,7 +568,7 @@ impl PkeyCtxRef { /// Appends info bytes for HKDF generation. /// /// If performing HKDF-Extract only, this parameter is ignored. - /// + /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_add1_hkdf_info)] #[cfg(ossl110)] From 140a0b92f9d84a81c339cd52fe4e2129b241b08a Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Sun, 12 Feb 2023 17:08:39 +0000 Subject: [PATCH 101/341] Fix cert verification failure tests This swaps the verification failure tests over from checking the error string to checking the error id against the constant exposed by openssl-sys to make the tests more reliable. This was required by the string changing in OpenSSL 3.0.8. --- openssl/src/x509/tests.rs | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 5f41342522..9457238c33 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -490,6 +490,7 @@ fn test_verify_cert_with_wrong_purpose_fails() { let store = store_bldr.build(); + let expected_error = ffi::X509_V_ERR_INVALID_PURPOSE; let mut context = X509StoreContext::new().unwrap(); assert_eq!( context @@ -498,8 +499,8 @@ fn test_verify_cert_with_wrong_purpose_fails() { Ok(c.error()) }) .unwrap() - .error_string(), - "unsupported certificate purpose" + .as_raw(), + expected_error ) } @@ -828,7 +829,7 @@ fn test_set_purpose_fails_verification() { store_bldr.set_param(&verify_params).unwrap(); let store = store_bldr.build(); - let expected_error = "unsupported certificate purpose"; + let expected_error = ffi::X509_V_ERR_INVALID_PURPOSE; let mut context = X509StoreContext::new().unwrap(); assert_eq!( context @@ -837,7 +838,7 @@ fn test_set_purpose_fails_verification() { Ok(c.error()) }) .unwrap() - .error_string(), + .as_raw(), expected_error ) } From b91f6a2d0572f00d0baa93d98d3512802704ca0f Mon Sep 17 00:00:00 2001 From: Ladislav Sladecek Date: Tue, 19 Jan 2021 20:10:25 +0100 Subject: [PATCH 102/341] Add CMS_verify() method. --- openssl-sys/src/handwritten/cms.rs | 10 ++ openssl/src/cms.rs | 161 ++++++++++++++++++++++++++++- 2 files changed, 169 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/handwritten/cms.rs b/openssl-sys/src/handwritten/cms.rs index 7eff2c4d49..6606dac3a6 100644 --- a/openssl-sys/src/handwritten/cms.rs +++ b/openssl-sys/src/handwritten/cms.rs @@ -35,6 +35,16 @@ extern "C" { flags: c_uint, ) -> *mut CMS_ContentInfo; + #[cfg(ossl101)] + pub fn CMS_verify( + cms: *mut ::CMS_ContentInfo, + certs: *mut ::stack_st_X509, + store: *mut ::X509_STORE, + indata: *mut ::BIO, + out: *mut ::BIO, + flags: c_uint, + ) -> c_int; + #[cfg(ossl101)] pub fn CMS_encrypt( certs: *mut stack_st_X509, diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index bef21f93c9..31ab5b9110 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -15,7 +15,7 @@ use crate::error::ErrorStack; use crate::pkey::{HasPrivate, PKeyRef}; use crate::stack::StackRef; use crate::symm::Cipher; -use crate::x509::{X509Ref, X509}; +use crate::x509::{store::X509StoreRef, X509Ref, X509}; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; @@ -227,14 +227,61 @@ impl CmsContentInfo { Ok(CmsContentInfo::from_ptr(cms)) } } + + /// Verify this CmsContentInfo's signature, given a stack of certificates + /// in certs, an X509 store in store. If the signature is detached, the + /// data can be passed in data. The data sans signature will be copied + /// into output_data if it is present. + /// + /// OpenSSL documentation at [`CMS_verify`] + /// + /// [`CMS_verify`]: https://www.openssl.org/docs/manmaster/man3/CMS_verify.html + pub fn verify( + &mut self, + certs: Option<&StackRef>, + store: &X509StoreRef, + indata: Option<&[u8]>, + output_data: Option<&mut Vec>, + flags: CMSOptions, + ) -> Result<(), ErrorStack> { + unsafe { + let certs_ptr = certs.map_or(ptr::null_mut(), |p| p.as_ptr()); + let indata_bio = match indata { + Some(data) => Some(MemBioSlice::new(data)?), + None => None, + }; + let indata_bio_ptr = indata_bio.as_ref().map_or(ptr::null_mut(), |p| p.as_ptr()); + let out_bio = MemBio::new()?; + + cvt(ffi::CMS_verify( + self.as_ptr(), + certs_ptr, + store.as_ptr(), + indata_bio_ptr, + out_bio.as_ptr(), + flags.bits(), + ))?; + + if let Some(out_data) = output_data { + *out_data = out_bio.get_buf().to_vec(); + }; + + Ok(()) + } + } } #[cfg(test)] mod test { use super::*; + use crate::pkcs12::Pkcs12; + use crate::pkey::PKey; use crate::stack::Stack; - use crate::x509::X509; + use crate::x509::{ + store::{X509Store, X509StoreBuilder}, + X509, + }; #[test] fn cms_encrypt_decrypt() { @@ -317,4 +364,114 @@ mod test { assert_eq!(input, decrypt_without_cert_check); } } + + fn cms_sign_verify_generic_helper(is_detached: bool) { + // load cert with private key + let cert_bytes = include_bytes!("../test/cert.pem"); + let cert = X509::from_pem(cert_bytes).expect("failed to load cert.pem"); + + let key_bytes = include_bytes!("../test/key.pem"); + let key = PKey::private_key_from_pem(key_bytes).expect("failed to load key.pem"); + + let root_bytes = include_bytes!("../test/root-ca.pem"); + let root = X509::from_pem(root_bytes).expect("failed to load root-ca.pem"); + + // sign cms message using public key cert + let data = b"Hello world!"; + + let (opt, ext_data): (CMSOptions, Option<&[u8]>) = if is_detached { + (CMSOptions::DETACHED | CMSOptions::BINARY, Some(data)) + } else { + (CMSOptions::empty(), None) + }; + + let mut cms = CmsContentInfo::sign(Some(&cert), Some(&key), None, Some(data), opt) + .expect("failed to CMS sign a message"); + + // check CMS signature length + let pem_cms = cms + .to_pem() + .expect("failed to pack CmsContentInfo into PEM"); + assert!(!pem_cms.is_empty()); + + // verify CMS signature + let mut builder = X509StoreBuilder::new().expect("failed to create X509StoreBuilder"); + builder + .add_cert(root) + .expect("failed to add root-ca into X509StoreBuilder"); + let store: X509Store = builder.build(); + let mut out_data: Vec = Vec::new(); + let res = cms.verify( + None, + &store, + ext_data, + Some(&mut out_data), + CMSOptions::empty(), + ); + + // check verification result - valid signature + res.unwrap(); + assert_eq!(data.len(), out_data.len()); + } + + #[test] + fn cms_sign_verify_ok() { + cms_sign_verify_generic_helper(false); + } + + #[test] + fn cms_sign_verify_detached_ok() { + cms_sign_verify_generic_helper(true); + } + + #[test] + fn cms_sign_verify_error() { + #[cfg(ossl300)] + let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); + + // load cert with private key + let priv_cert_bytes = include_bytes!("../test/cms.p12"); + let priv_cert = Pkcs12::from_der(priv_cert_bytes).expect("failed to load priv cert"); + let priv_cert = priv_cert + .parse("mypass") + .expect("failed to parse priv cert"); + + // sign cms message using public key cert + let data = b"Hello world!"; + let mut cms = CmsContentInfo::sign( + Some(&priv_cert.cert), + Some(&priv_cert.pkey), + None, + Some(data), + CMSOptions::empty(), + ) + .expect("failed to CMS sign a message"); + + // check CMS signature length + let pem_cms = cms + .to_pem() + .expect("failed to pack CmsContentInfo into PEM"); + assert!(!pem_cms.is_empty()); + + let empty_store = X509StoreBuilder::new() + .expect("failed to create X509StoreBuilder") + .build(); + + // verify CMS signature + let res = cms.verify(None, &empty_store, Some(data), None, CMSOptions::empty()); + + // check verification result - this is an invalid signature + match res { + Err(es) => { + let error_array = es.errors(); + assert_eq!(1, error_array.len()); + let err = error_array[0] + .data() + .expect("failed to retrieve verification error data"); + let err1 = err.replace(" self-", "self "); + assert_eq!("Verify error:self signed certificate", err1); + } + _ => panic!("expected CMS verification error, got Ok()"), + } + } } From 52fd5a4039b03be5519fddf49199b04380933aea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Wed, 5 Jan 2022 19:01:54 +0100 Subject: [PATCH 103/341] Setting provider in openssl::ssl::test::zero_length_buffers. --- openssl/src/ssl/test/mod.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index ddf01f2dd0..668ea421e8 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -258,6 +258,9 @@ fn clear_ctx_options() { #[test] fn zero_length_buffers() { + #[cfg(ossl300)] + let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); + let server = Server::builder().build(); let mut s = server.client().connect(); From 39782084c56157ba83ac769b7c9ff024238a579f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Wed, 8 Feb 2023 19:34:40 +0100 Subject: [PATCH 104/341] Rebase to current master with fixes. --- openssl-sys/src/handwritten/cms.rs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/openssl-sys/src/handwritten/cms.rs b/openssl-sys/src/handwritten/cms.rs index 6606dac3a6..e62e6295f9 100644 --- a/openssl-sys/src/handwritten/cms.rs +++ b/openssl-sys/src/handwritten/cms.rs @@ -37,11 +37,11 @@ extern "C" { #[cfg(ossl101)] pub fn CMS_verify( - cms: *mut ::CMS_ContentInfo, - certs: *mut ::stack_st_X509, - store: *mut ::X509_STORE, - indata: *mut ::BIO, - out: *mut ::BIO, + cms: *mut CMS_ContentInfo, + certs: *mut stack_st_X509, + store: *mut X509_STORE, + indata: *mut BIO, + out: *mut BIO, flags: c_uint, ) -> c_int; From 5cd2429277b99bfa01389fa50a91ebf3427f55f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Wed, 8 Feb 2023 19:53:54 +0100 Subject: [PATCH 105/341] Fixed new warning --- openssl/src/cms.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index 31ab5b9110..c68b74dd68 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -433,14 +433,14 @@ mod test { let priv_cert_bytes = include_bytes!("../test/cms.p12"); let priv_cert = Pkcs12::from_der(priv_cert_bytes).expect("failed to load priv cert"); let priv_cert = priv_cert - .parse("mypass") + .parse2("mypass") .expect("failed to parse priv cert"); // sign cms message using public key cert let data = b"Hello world!"; let mut cms = CmsContentInfo::sign( - Some(&priv_cert.cert), - Some(&priv_cert.pkey), + Some(&priv_cert.cert.unwrap()), + Some(&priv_cert.pkey.unwrap()), None, Some(data), CMSOptions::empty(), From 11291cc5b8e23a1455b184d282e7794090db204d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Mon, 13 Feb 2023 16:35:33 +0100 Subject: [PATCH 106/341] Rename 'indata' to 'detached_data'. --- openssl-sys/src/handwritten/cms.rs | 2 +- openssl/src/cms.rs | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/openssl-sys/src/handwritten/cms.rs b/openssl-sys/src/handwritten/cms.rs index e62e6295f9..a13ea423c4 100644 --- a/openssl-sys/src/handwritten/cms.rs +++ b/openssl-sys/src/handwritten/cms.rs @@ -40,7 +40,7 @@ extern "C" { cms: *mut CMS_ContentInfo, certs: *mut stack_st_X509, store: *mut X509_STORE, - indata: *mut BIO, + detached_data: *mut BIO, out: *mut BIO, flags: c_uint, ) -> c_int; diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index c68b74dd68..3b4964c9fe 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -240,24 +240,24 @@ impl CmsContentInfo { &mut self, certs: Option<&StackRef>, store: &X509StoreRef, - indata: Option<&[u8]>, + detached_data: Option<&[u8]>, output_data: Option<&mut Vec>, flags: CMSOptions, ) -> Result<(), ErrorStack> { unsafe { let certs_ptr = certs.map_or(ptr::null_mut(), |p| p.as_ptr()); - let indata_bio = match indata { + let detached_data_bio = match detached_data { Some(data) => Some(MemBioSlice::new(data)?), None => None, }; - let indata_bio_ptr = indata_bio.as_ref().map_or(ptr::null_mut(), |p| p.as_ptr()); + let detached_data_bio_ptr = detached_data_bio.as_ref().map_or(ptr::null_mut(), |p| p.as_ptr()); let out_bio = MemBio::new()?; cvt(ffi::CMS_verify( self.as_ptr(), certs_ptr, store.as_ptr(), - indata_bio_ptr, + detached_data_bio_ptr, out_bio.as_ptr(), flags.bits(), ))?; From 08f39c0bf5b458ec038bf4820396225e9ec6729e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Mon, 13 Feb 2023 17:23:25 +0100 Subject: [PATCH 107/341] Remove legacy provider. --- openssl/src/ssl/test/mod.rs | 3 --- 1 file changed, 3 deletions(-) diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 668ea421e8..ddf01f2dd0 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -258,9 +258,6 @@ fn clear_ctx_options() { #[test] fn zero_length_buffers() { - #[cfg(ossl300)] - let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); - let server = Server::builder().build(); let mut s = server.client().connect(); From 044bf8263896080f9002de355b76fec682260433 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Mon, 13 Feb 2023 17:26:05 +0100 Subject: [PATCH 108/341] Compare whole arrays in test. --- openssl/src/cms.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index 3b4964c9fe..b2a10d0163 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -411,7 +411,7 @@ mod test { // check verification result - valid signature res.unwrap(); - assert_eq!(data.len(), out_data.len()); + assert_eq!(data.to_vec(), out_data); } #[test] From 400d85fe9d5c4e29a5de8c3668eea3ff7c55a3e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Mon, 13 Feb 2023 17:26:37 +0100 Subject: [PATCH 109/341] Improve comments. --- openssl/src/cms.rs | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index b2a10d0163..85f8401b49 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -228,14 +228,14 @@ impl CmsContentInfo { } } - /// Verify this CmsContentInfo's signature, given a stack of certificates - /// in certs, an X509 store in store. If the signature is detached, the - /// data can be passed in data. The data sans signature will be copied - /// into output_data if it is present. + /// Verify this CmsContentInfo's signature, + /// This will search the 'certs' list for the signing certificate. + /// Additional certificates, needed for building the certificate chain, may be + /// given in 'store' as well as additional CRLs. + /// A detached signature may be passed in `detached_data`. The signed content + /// without signature, will be copied into output_data if it is present. /// - /// OpenSSL documentation at [`CMS_verify`] - /// - /// [`CMS_verify`]: https://www.openssl.org/docs/manmaster/man3/CMS_verify.html + #[corresponds(CMS_verify)] pub fn verify( &mut self, certs: Option<&StackRef>, From dc78915dcae9561afb74ff7fac0b6802e89546a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Mon, 13 Feb 2023 17:27:26 +0100 Subject: [PATCH 110/341] Change store to Option --- openssl/src/cms.rs | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index 85f8401b49..b9680fd5ea 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -239,13 +239,14 @@ impl CmsContentInfo { pub fn verify( &mut self, certs: Option<&StackRef>, - store: &X509StoreRef, + store: Option<&X509StoreRef>, detached_data: Option<&[u8]>, output_data: Option<&mut Vec>, flags: CMSOptions, ) -> Result<(), ErrorStack> { unsafe { let certs_ptr = certs.map_or(ptr::null_mut(), |p| p.as_ptr()); + let store_ptr = store.map_or(ptr::null_mut(), |p| p.as_ptr()); let detached_data_bio = match detached_data { Some(data) => Some(MemBioSlice::new(data)?), None => None, @@ -256,7 +257,7 @@ impl CmsContentInfo { cvt(ffi::CMS_verify( self.as_ptr(), certs_ptr, - store.as_ptr(), + store_ptr, detached_data_bio_ptr, out_bio.as_ptr(), flags.bits(), @@ -403,7 +404,7 @@ mod test { let mut out_data: Vec = Vec::new(); let res = cms.verify( None, - &store, + Some(&store), ext_data, Some(&mut out_data), CMSOptions::empty(), @@ -458,7 +459,7 @@ mod test { .build(); // verify CMS signature - let res = cms.verify(None, &empty_store, Some(data), None, CMSOptions::empty()); + let res = cms.verify(None, Some(&empty_store), Some(data), None, CMSOptions::empty()); // check verification result - this is an invalid signature match res { From 25ccfc68b4d256c43e2bd850192ad33b70a69059 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Mon, 13 Feb 2023 17:56:23 +0100 Subject: [PATCH 111/341] Make error test more robust --- openssl/src/cms.rs | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index b9680fd5ea..b86267a4f2 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -467,10 +467,8 @@ mod test { let error_array = es.errors(); assert_eq!(1, error_array.len()); let err = error_array[0] - .data() - .expect("failed to retrieve verification error data"); - let err1 = err.replace(" self-", "self "); - assert_eq!("Verify error:self signed certificate", err1); + .code(); + assert_eq!(err, 0); } _ => panic!("expected CMS verification error, got Ok()"), } From a4180459f4057b49d0e5e5d3831b7501177ab3bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Tue, 14 Feb 2023 17:47:16 +0100 Subject: [PATCH 112/341] Replace string check with code check in test 'cms_sign_verify_error'. --- openssl/src/cms.rs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index b86267a4f2..6f020f4b1e 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -462,13 +462,14 @@ mod test { let res = cms.verify(None, Some(&empty_store), Some(data), None, CMSOptions::empty()); // check verification result - this is an invalid signature + // defined in openssl crypto/cms/cms.h + const CMS_R_CERTIFICATE_VERIFY_ERROR: i32 = 100; match res { Err(es) => { let error_array = es.errors(); assert_eq!(1, error_array.len()); - let err = error_array[0] - .code(); - assert_eq!(err, 0); + let code = error_array[0].code(); + assert_eq!(ffi::ERR_GET_REASON(code), CMS_R_CERTIFICATE_VERIFY_ERROR); } _ => panic!("expected CMS verification error, got Ok()"), } From 1e47c74c8d3604ab4dde04333b187667459e3837 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Tue, 14 Feb 2023 18:10:59 +0100 Subject: [PATCH 113/341] Reuse output_data manipulation from pkcs7 in CMS. --- openssl/src/cms.rs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index 6f020f4b1e..5f9fdd847d 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -263,8 +263,9 @@ impl CmsContentInfo { flags.bits(), ))?; - if let Some(out_data) = output_data { - *out_data = out_bio.get_buf().to_vec(); + if let Some(data) = output_data { + data.clear(); + data.extend_from_slice(out_bio.get_buf()); }; Ok(()) From 705f592e71226a052efc15417a868bc56596830d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Tue, 14 Feb 2023 18:14:45 +0100 Subject: [PATCH 114/341] Reformat. --- openssl/src/cms.rs | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index 5f9fdd847d..6b6aa9fd8c 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -232,7 +232,7 @@ impl CmsContentInfo { /// This will search the 'certs' list for the signing certificate. /// Additional certificates, needed for building the certificate chain, may be /// given in 'store' as well as additional CRLs. - /// A detached signature may be passed in `detached_data`. The signed content + /// A detached signature may be passed in `detached_data`. The signed content /// without signature, will be copied into output_data if it is present. /// #[corresponds(CMS_verify)] @@ -251,7 +251,9 @@ impl CmsContentInfo { Some(data) => Some(MemBioSlice::new(data)?), None => None, }; - let detached_data_bio_ptr = detached_data_bio.as_ref().map_or(ptr::null_mut(), |p| p.as_ptr()); + let detached_data_bio_ptr = detached_data_bio + .as_ref() + .map_or(ptr::null_mut(), |p| p.as_ptr()); let out_bio = MemBio::new()?; cvt(ffi::CMS_verify( @@ -460,7 +462,13 @@ mod test { .build(); // verify CMS signature - let res = cms.verify(None, Some(&empty_store), Some(data), None, CMSOptions::empty()); + let res = cms.verify( + None, + Some(&empty_store), + Some(data), + None, + CMSOptions::empty(), + ); // check verification result - this is an invalid signature // defined in openssl crypto/cms/cms.h From bfb7518c9c89b4e7bab223e0caa4b5e6ad0cf968 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Tue, 14 Feb 2023 18:28:03 +0100 Subject: [PATCH 115/341] Changelog --- openssl/CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 0af50bcc24..79dd8c2b42 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,8 @@ ## [Unreleased] +* Added `CMS_verify`. + ## [v0.10.45] - 2022-12-20 ### Fixed From 667737fd0f40e74bcc1d4d9c9d060a63205b3544 Mon Sep 17 00:00:00 2001 From: Jimmy Brush Date: Tue, 14 Feb 2023 19:44:22 -0500 Subject: [PATCH 116/341] Add SSL_CTX_set_num_tickets and friends These are required to disable session tickets on TLS 1.3 connections. --- openssl-sys/src/handwritten/ssl.rs | 14 +++++++++++ openssl/src/ssl/mod.rs | 40 ++++++++++++++++++++++++++++++ openssl/src/ssl/test/mod.rs | 14 +++++++++++ 3 files changed, 68 insertions(+) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index a22f58931e..f179a04ab1 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -897,3 +897,17 @@ extern "C" { #[cfg(ossl110)] pub fn OPENSSL_init_ssl(opts: u64, settings: *const OPENSSL_INIT_SETTINGS) -> c_int; } + +extern "C" { + #[cfg(ossl111)] + pub fn SSL_CTX_set_num_tickets(ctx: *mut SSL_CTX, num_tickets: size_t) -> c_int; + + #[cfg(ossl111)] + pub fn SSL_set_num_tickets(s: *mut SSL, num_tickets: size_t) -> c_int; + + #[cfg(ossl111)] + pub fn SSL_CTX_get_num_tickets(ctx: *const SSL_CTX) -> size_t; + + #[cfg(ossl111)] + pub fn SSL_get_num_tickets(s: *const SSL) -> size_t; +} diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 8f40ce8212..be898d627e 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -1687,6 +1687,16 @@ impl SslContextBuilder { } } + /// Sets the number of TLS 1.3 session tickets that will be sent to a client after a full + /// handshake. + /// + /// Requires OpenSSL 1.1.1 or newer. + #[corresponds(SSL_CTX_set_num_tickets)] + #[cfg(ossl111)] + pub fn set_num_tickets(&mut self, num_tickets: usize) -> Result<(), ErrorStack> { + unsafe { cvt(ffi::SSL_CTX_set_num_tickets(self.as_ptr(), num_tickets)).map(|_| ()) } + } + /// Consumes the builder, returning a new `SslContext`. pub fn build(self) -> SslContext { self.0 @@ -1880,6 +1890,16 @@ impl SslContextRef { let mode = unsafe { ffi::SSL_CTX_get_verify_mode(self.as_ptr()) }; SslVerifyMode::from_bits(mode).expect("SSL_CTX_get_verify_mode returned invalid mode") } + + /// Gets the number of TLS 1.3 session tickets that will be sent to a client after a full + /// handshake. + /// + /// Requires OpenSSL 1.1.1 or newer. + #[corresponds(SSL_CTX_get_num_tickets)] + #[cfg(ossl111)] + pub fn num_tickets(&self) -> usize { + unsafe { ffi::SSL_CTX_get_num_tickets(self.as_ptr()) } + } } /// Information about the state of a cipher. @@ -3283,6 +3303,26 @@ impl SslRef { Ok(()) } } + + /// Sets the number of TLS 1.3 session tickets that will be sent to a client after a full + /// handshake. + /// + /// Requires OpenSSL 1.1.1 or newer. + #[corresponds(SSL_set_num_tickets)] + #[cfg(ossl111)] + pub fn set_num_tickets(&mut self, num_tickets: usize) -> Result<(), ErrorStack> { + unsafe { cvt(ffi::SSL_set_num_tickets(self.as_ptr(), num_tickets)).map(|_| ()) } + } + + /// Gets the number of TLS 1.3 session tickets that will be sent to a client after a full + /// handshake. + /// + /// Requires OpenSSL 1.1.1 or newer. + #[corresponds(SSL_get_num_tickets)] + #[cfg(ossl111)] + pub fn num_tickets(&self) -> usize { + unsafe { ffi::SSL_get_num_tickets(self.as_ptr()) } + } } /// An SSL stream midway through the handshake process. diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index ddf01f2dd0..1eb9fe4bad 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1477,3 +1477,17 @@ fn test_ssl_set_cert_chain_file() { let mut ssl = Ssl::new(&ctx).unwrap(); ssl.set_certificate_chain_file("test/cert.pem").unwrap(); } + +#[test] +#[cfg(ossl111)] +fn set_num_tickets() { + let mut ctx = SslContext::builder(SslMethod::tls_server()).unwrap(); + ctx.set_num_tickets(3).unwrap(); + let ctx = ctx.build(); + assert_eq!(3, ctx.num_tickets()); + + let mut ssl = Ssl::new(&ctx).unwrap(); + ssl.set_num_tickets(5).unwrap(); + let ssl = ssl; + assert_eq!(5, ssl.num_tickets()); +} From 8da6c721a84ce147a5942e672ab0e6e08c8bda49 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Wed, 22 Feb 2023 12:56:51 +0100 Subject: [PATCH 117/341] openssl: Fix `CIHPER` -> `CIPHER` typo --- openssl/src/cipher_ctx.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 379f83a7ba..211c58ba20 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -386,7 +386,7 @@ impl CipherCtxRef { /// # Panics /// /// Panics if the context has not been initialized with a cipher. - #[corresponds(EVP_CIHPER_CTX_ctrl)] + #[corresponds(EVP_CIPHER_CTX_ctrl)] pub fn set_iv_length(&mut self, len: usize) -> Result<(), ErrorStack> { self.assert_cipher(); From b821f00a1d0fa45a653d401538e68977a332ab71 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 24 Feb 2023 17:29:33 +0100 Subject: [PATCH 118/341] Fixed review comments. --- openssl-sys/src/handwritten/asn1.rs | 7 --- openssl-sys/src/handwritten/object.rs | 1 + openssl-sys/src/handwritten/pkcs7.rs | 18 +++++- openssl-sys/src/handwritten/types.rs | 9 +-- openssl-sys/src/handwritten/x509.rs | 70 +++++++++++++++++++++++- openssl-sys/src/handwritten/x509_attr.rs | 60 -------------------- 6 files changed, 88 insertions(+), 77 deletions(-) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index e866b1ea90..6e1f8c9b66 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -10,11 +10,8 @@ pub struct ASN1_ENCODING { extern "C" { pub fn ASN1_OBJECT_free(x: *mut ASN1_OBJECT); - pub fn OBJ_cmp(a: *const ASN1_OBJECT, b: *const ASN1_OBJECT) -> c_int; } -pub enum ASN1_OBJECT {} - stack!(stack_st_ASN1_OBJECT); #[repr(C)] @@ -42,10 +39,6 @@ pub union ASN1_TYPE_value { pub generalizedtime: *mut ASN1_GENERALIZEDTIME, pub visiblestring: *mut ASN1_VISIBLESTRING, pub utf8string: *mut ASN1_UTF8STRING, - /* - * set and sequence are left complete and still contain the set or - * sequence bytes - */ pub set: *mut ASN1_STRING, pub sequence: *mut ASN1_STRING, pub asn1_value: *mut ASN1_VALUE, diff --git a/openssl-sys/src/handwritten/object.rs b/openssl-sys/src/handwritten/object.rs index d2c525b806..5b4599c20a 100644 --- a/openssl-sys/src/handwritten/object.rs +++ b/openssl-sys/src/handwritten/object.rs @@ -27,4 +27,5 @@ extern "C" { pub fn OBJ_length(obj: *const ASN1_OBJECT) -> libc::size_t; #[cfg(ossl111)] pub fn OBJ_get0_data(obj: *const ASN1_OBJECT) -> *const c_uchar; + pub fn OBJ_cmp(a: *const ASN1_OBJECT, b: *const ASN1_OBJECT) -> c_int; } diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index 2f76cab9c2..332586515a 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs @@ -1,9 +1,6 @@ use libc::*; use *; -// use x509::stack_st_X509; -// use x509_attr::stack_st_X509_ATTRIBUTE; - #[cfg(ossl300)] #[repr(C)] pub struct PKCS7_CTX { @@ -106,6 +103,9 @@ extern "C" { pub fn PKCS7_SIGN_ENVELOPE_free(info: *mut PKCS7_SIGN_ENVELOPE); pub fn PKCS7_DIGEST_free(info: *mut PKCS7_DIGEST); pub fn PKCS7_SIGNER_INFO_free(info: *mut PKCS7_SIGNER_INFO); + pub fn PKCS7_ENCRYPT_free(enc: *mut PKCS7_ENCRYPT); + pub fn PKCS7_ISSUER_AND_SERIAL_free(ias: *mut PKCS7_ISSUER_AND_SERIAL); + pub fn PKCS7_RECIP_INFO_free(info: *mut PKCS7_RECIP_INFO); } cfg_if! { @@ -189,6 +189,18 @@ cfg_if! { } stack!(stack_st_PKCS7_SIGNER_INFO); + +#[repr(C)] +pub struct PKCS7_RECIP_INFO { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub issuer_and_serial: *mut PKCS7_ISSUER_AND_SERIAL, + pub key_enc_algor: *mut X509_ALGOR, + pub enc_key: *mut ASN1_OCTET_STRING, + pub cert: *mut X509, /* get the pub-key from this */ + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, +} + stack!(stack_st_PKCS7_RECIP_INFO); extern "C" { diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index addc599abb..181340d486 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -3,16 +3,18 @@ use libc::*; #[allow(unused_imports)] use *; -#[derive(Copy, Clone)] -pub enum ASN1_BOOLEAN {} +pub enum ASN1_OBJECT {} +pub enum ASN1_VALUE {} + +pub type ASN1_BOOLEAN = c_int; pub enum ASN1_ENUMERATED {} pub enum ASN1_INTEGER {} pub enum ASN1_GENERALIZEDTIME {} pub enum ASN1_STRING {} pub enum ASN1_BIT_STRING {} pub enum ASN1_TIME {} -pub enum ASN1_OBJECT {} pub enum ASN1_OCTET_STRING {} +pub enum ASN1_NULL {} pub enum ASN1_PRINTABLESTRING {} pub enum ASN1_T61STRING {} pub enum ASN1_IA5STRING {} @@ -22,7 +24,6 @@ pub enum ASN1_UNIVERSALSTRING {} pub enum ASN1_UTCTIME {} pub enum ASN1_VISIBLESTRING {} pub enum ASN1_UTF8STRING {} -pub enum ASN1_VALUE {} pub enum bio_st {} // FIXME remove cfg_if! { diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 486f712c34..fc94bbb741 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -15,6 +15,10 @@ pub enum X509_EXTENSION {} stack!(stack_st_X509_EXTENSION); +pub enum X509_ATTRIBUTE {} + +stack!(stack_st_X509_ATTRIBUTE); + cfg_if! { if #[cfg(any(ossl110, libressl350))] { pub enum X509_REQ_INFO {} @@ -269,8 +273,6 @@ extern "C" { pub fn X509_EXTENSION_free(ext: *mut X509_EXTENSION); - pub fn X509_ATTRIBUTE_free(attr: *mut ::X509_ATTRIBUTE); - pub fn X509_NAME_ENTRY_free(x: *mut X509_NAME_ENTRY); pub fn X509_NAME_new() -> *mut X509_NAME; @@ -689,6 +691,68 @@ pub struct X509_PURPOSE { const_ptr_api! { extern "C" { pub fn X509_PURPOSE_get_by_sname(sname: #[const_ptr_if(any(ossl110, libressl280))] c_char) -> c_int; - pub fn X509_PURPOSE_get0(idx: c_int) -> *mut X509_PURPOSE; + } +} +extern "C" { + pub fn X509_PURPOSE_get0(idx: c_int) -> *mut X509_PURPOSE; +} + +extern "C" { + pub fn X509_ATTRIBUTE_new() -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_free(attr: *mut ::X509_ATTRIBUTE); + pub fn X509_ATTRIBUTE_create( + nid: c_int, + atrtype: c_int, + value: *mut c_void, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_NID( + attr: *mut *mut X509_ATTRIBUTE, + nid: c_int, + atrtype: c_int, + data: *const c_void, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_OBJ( + attr: *mut *mut X509_ATTRIBUTE, + obj: *const ASN1_OBJECT, + atrtype: c_int, + data: *const c_void, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_txt( + attr: *mut *mut X509_ATTRIBUTE, + atrname: *const c_char, + atrtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_set1_object(attr: *mut X509_ATTRIBUTE, obj: *const ASN1_OBJECT) -> c_int; + pub fn X509_ATTRIBUTE_set1_data( + attr: *mut X509_ATTRIBUTE, + attrtype: c_int, + data: *const c_void, + len: c_int, + ) -> c_int; + pub fn X509_ATTRIBUTE_get0_data( + attr: *mut X509_ATTRIBUTE, + idx: c_int, + atrtype: c_int, + data: *mut c_void, + ) -> *mut c_void; + pub fn X509_ATTRIBUTE_get0_object(attr: *mut X509_ATTRIBUTE) -> *mut ASN1_OBJECT; + pub fn X509_ATTRIBUTE_get0_type(attr: *mut X509_ATTRIBUTE, idx: c_int) -> *mut ASN1_TYPE; + pub fn d2i_X509_ATTRIBUTE( + a: *mut *mut X509_ATTRIBUTE, + pp: *mut *const c_uchar, + length: c_long, + ) -> *mut X509_ATTRIBUTE; +} +const_ptr_api! { + extern "C" { + pub fn X509_ATTRIBUTE_count( + attr: #[const_ptr_if(any(ossl110, libressl280))] X509_ATTRIBUTE // const since OpenSSL v1.1.0 + ) -> c_int; + pub fn i2d_X509_ATTRIBUTE(x: #[const_ptr_if(ossl300)] X509_ATTRIBUTE, buf: *mut *mut u8) -> c_int; + pub fn X509_ATTRIBUTE_dup(x: #[const_ptr_if(ossl300)] X509_ATTRIBUTE) -> *mut X509_ATTRIBUTE; } } diff --git a/openssl-sys/src/handwritten/x509_attr.rs b/openssl-sys/src/handwritten/x509_attr.rs index b14be38619..e69de29bb2 100644 --- a/openssl-sys/src/handwritten/x509_attr.rs +++ b/openssl-sys/src/handwritten/x509_attr.rs @@ -1,60 +0,0 @@ -use libc::*; - -use *; - -pub enum X509_ATTRIBUTE {} - -stack!(stack_st_X509_ATTRIBUTE); - -extern "C" { - pub fn X509_ATTRIBUTE_new() -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_create( - nid: c_int, - atrtype: c_int, - value: *mut c_void, - ) -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_create_by_NID( - attr: *mut *mut X509_ATTRIBUTE, - nid: c_int, - atrtype: c_int, - data: *const c_void, - len: c_int, - ) -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_create_by_OBJ( - attr: *mut *mut X509_ATTRIBUTE, - obj: *const ASN1_OBJECT, - atrtype: c_int, - data: *const c_void, - len: c_int, - ) -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_create_by_txt( - attr: *mut *mut X509_ATTRIBUTE, - atrname: *const c_char, - atrtype: c_int, - bytes: *const c_uchar, - len: c_int, - ) -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_set1_object(attr: *mut X509_ATTRIBUTE, obj: *const ASN1_OBJECT) -> c_int; - pub fn X509_ATTRIBUTE_set1_data( - attr: *mut X509_ATTRIBUTE, - attrtype: c_int, - data: *const c_void, - len: c_int, - ) -> c_int; - pub fn X509_ATTRIBUTE_get0_data( - attr: *mut X509_ATTRIBUTE, - idx: c_int, - atrtype: c_int, - data: *mut c_void, - ) -> *mut c_void; - pub fn X509_ATTRIBUTE_get0_object(attr: *mut X509_ATTRIBUTE) -> *mut ASN1_OBJECT; - pub fn X509_ATTRIBUTE_get0_type(attr: *mut X509_ATTRIBUTE, idx: c_int) -> *mut ASN1_TYPE; - -} -const_ptr_api! { - extern "C" { - pub fn X509_ATTRIBUTE_count( - attr: #[const_ptr_if(any(ossl110, libressl291))] X509_ATTRIBUTE // const since OpenSSL v1.1.0 - ) -> c_int; - } -} From d77c6518873b063de9cc6bca4f708b765ffbb284 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 24 Feb 2023 17:37:23 +0100 Subject: [PATCH 119/341] Removed emtpy x509_attr.rs --- openssl-sys/src/handwritten/mod.rs | 2 -- openssl-sys/src/handwritten/x509_attr.rs | 0 2 files changed, 2 deletions(-) delete mode 100644 openssl-sys/src/handwritten/x509_attr.rs diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index fea7549898..28aa4aecd0 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -28,7 +28,6 @@ pub use self::stack::*; pub use self::tls1::*; pub use self::types::*; pub use self::x509::*; -pub use self::x509_attr::*; pub use self::x509_vfy::*; pub use self::x509v3::*; @@ -62,6 +61,5 @@ mod stack; mod tls1; mod types; mod x509; -mod x509_attr; mod x509_vfy; mod x509v3; diff --git a/openssl-sys/src/handwritten/x509_attr.rs b/openssl-sys/src/handwritten/x509_attr.rs deleted file mode 100644 index e69de29bb2..0000000000 From 0bd4876a951f2fe7da227daa2ee2e67cc7ee3ed3 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 24 Feb 2023 17:57:16 +0100 Subject: [PATCH 120/341] clippy. --- openssl-sys/src/handwritten/x509.rs | 6 +++--- openssl/src/sign.rs | 2 +- openssl/src/x509/mod.rs | 12 ++++++++++-- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index fc94bbb741..46ec3e14a9 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -365,8 +365,8 @@ const_ptr_api! { extern "C" { pub fn X509_REQ_get_attr_count(req: *const X509_REQ) -> c_int; pub fn X509_REQ_get_attr_by_NID(req: *const X509_REQ, nid: c_int, lastpos: c_int) -> c_int; - pub fn X509_REQ_get_attr(req: *const X509_REQ, loc: c_int) -> *mut ::X509_ATTRIBUTE; - pub fn X509_REQ_delete_attr(req: *mut X509_REQ, loc: c_int) -> *mut ::X509_ATTRIBUTE; + pub fn X509_REQ_get_attr(req: *const X509_REQ, loc: c_int) -> *mut X509_ATTRIBUTE; + pub fn X509_REQ_delete_attr(req: *mut X509_REQ, loc: c_int) -> *mut X509_ATTRIBUTE; pub fn X509_REQ_add1_attr_by_txt( req: *mut X509_REQ, attrname: *const c_char, @@ -699,7 +699,7 @@ extern "C" { extern "C" { pub fn X509_ATTRIBUTE_new() -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_free(attr: *mut ::X509_ATTRIBUTE); + pub fn X509_ATTRIBUTE_free(attr: *mut X509_ATTRIBUTE); pub fn X509_ATTRIBUTE_create( nid: c_int, atrtype: c_int, diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 9cfda48105..51738651c6 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -711,7 +711,7 @@ mod test { #[cfg(not(boringssl))] fn test_hmac(ty: MessageDigest, tests: &[(Vec, Vec, Vec)]) { - for &(ref key, ref data, ref res) in tests.iter() { + for (key, data, res) in tests.iter() { let pkey = PKey::hmac(key).unwrap(); let mut signer = Signer::new(ty, &pkey).unwrap(); signer.update(data).unwrap(); diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index d29a21e4af..2da41bd1a5 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -388,7 +388,10 @@ impl X509Ref { /// Returns the hash of the certificates subject #[corresponds(X509_subject_name_hash)] pub fn subject_name_hash(&self) -> u32 { - unsafe { ffi::X509_subject_name_hash(self.as_ptr()) as u32 } + #[allow(clippy::unnecessary_cast)] + unsafe { + ffi::X509_subject_name_hash(self.as_ptr()) as u32 + } } /// Returns this certificate's issuer name. @@ -403,7 +406,10 @@ impl X509Ref { /// Returns the hash of the certificates issuer #[corresponds(X509_issuer_name_hash)] pub fn issuer_name_hash(&self) -> u32 { - unsafe { ffi::X509_issuer_name_hash(self.as_ptr()) as u32 } + #[allow(clippy::unnecessary_cast)] + unsafe { + ffi::X509_issuer_name_hash(self.as_ptr()) as u32 + } } /// Returns this certificate's subject alternative name entries, if they exist. @@ -545,6 +551,7 @@ impl X509Ref { /// Note that `0` return value stands for version 1, `1` for version 2 and so on. #[corresponds(X509_get_version)] #[cfg(ossl110)] + #[allow(clippy::unnecessary_cast)] pub fn version(&self) -> i32 { unsafe { ffi::X509_get_version(self.as_ptr()) as i32 } } @@ -1359,6 +1366,7 @@ impl X509ReqRef { /// This corresponds to [`X509_REQ_get_version`] /// /// [`X509_REQ_get_version`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_version.html + #[allow(clippy::unnecessary_cast)] pub fn version(&self) -> i32 { unsafe { X509_REQ_get_version(self.as_ptr()) as i32 } } From 9f8c82161361da1eef0169fce7e4cac2b6094e53 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 27 Feb 2023 08:16:05 +0100 Subject: [PATCH 121/341] Removed invalid path operator. --- openssl-sys/src/handwritten/x509.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 46ec3e14a9..917b41e425 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -29,7 +29,7 @@ cfg_if! { pub version: *mut ::ASN1_INTEGER, pub subject: *mut ::X509_NAME, pubkey: *mut c_void, - pub attributes: *mut ::stack_st_X509_ATTRIBUTE, + pub attributes: *mut stack_st_X509_ATTRIBUTE, } } } From f13427168389420bc21011903ddb21c9d59be351 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 27 Feb 2023 09:44:10 +0100 Subject: [PATCH 122/341] Removed unnecessary cfg_if's. --- openssl-sys/src/handwritten/pkcs7.rs | 252 +++++++++++---------------- 1 file changed, 97 insertions(+), 155 deletions(-) diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index 332586515a..60dcfe0d64 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs @@ -8,92 +8,51 @@ pub struct PKCS7_CTX { propq: *mut c_char, } -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_SIGNED { - pub version: *mut ASN1_INTEGER, /* version 1 */ - pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ - pub cert: *mut stack_st_X509, /* [ 0 ] */ - pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ - pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, - pub contents: *mut PKCS7, - } - } else { - pub enum PKCS7_SIGNED {} - } +#[repr(C)] +pub struct PKCS7_SIGNED { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, + pub contents: *mut PKCS7, } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_ENC_CONTENT { - pub content_type: *mut ASN1_OBJECT, - pub algorithm: *mut X509_ALGOR, - pub enc_data: *mut ASN1_OCTET_STRING, /* [ 0 ] */ - pub cipher: *const EVP_CIPHER, - #[cfg(ossl300)] - pub ctx: *const PKCS7_CTX, - } - } else { - pub enum PKCS7_ENC_CONTENT {} - } +#[repr(C)] +pub struct PKCS7_ENC_CONTENT { + pub content_type: *mut ASN1_OBJECT, + pub algorithm: *mut X509_ALGOR, + pub enc_data: *mut ASN1_OCTET_STRING, /* [ 0 ] */ + pub cipher: *const EVP_CIPHER, + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_ENVELOPE { - pub version: *mut ASN1_INTEGER, /* version 0 */ - pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO, - pub enc_data: *mut PKCS7_ENC_CONTENT, - } - } else { - pub enum PKCS7_ENVELOPE {} - } +#[repr(C)] +pub struct PKCS7_ENVELOPE { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO, + pub enc_data: *mut PKCS7_ENC_CONTENT, } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_SIGN_ENVELOPE { - pub version: *mut ASN1_INTEGER, /* version 1 */ - pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ - pub cert: *mut stack_st_X509, /* [ 0 ] */ - pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ - pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, - pub enc_data: *mut PKCS7_ENC_CONTENT, - pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO - } - } else { - pub enum PKCS7_SIGN_ENVELOPE {} - } +#[repr(C)] +pub struct PKCS7_SIGN_ENVELOPE { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, + pub enc_data: *mut PKCS7_ENC_CONTENT, + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_DIGEST { - pub version: *mut ASN1_INTEGER, /* version 0 */ - pub md: *mut X509_ALGOR, /* md used */ - pub contents: *mut PKCS7, - pub digest: *mut ASN1_OCTET_STRING, - } - } else { - pub enum PKCS7_DIGEST {} - } +#[repr(C)] +pub struct PKCS7_DIGEST { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub md: *mut X509_ALGOR, /* md used */ + pub contents: *mut PKCS7, + pub digest: *mut ASN1_OCTET_STRING, } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_ENCRYPT { - pub version: *mut ASN1_INTEGER, /* version 0 */ - pub enc_data: *mut PKCS7_ENC_CONTENT, - } - } else { - pub enum PKCS7_ENCRYPT {} - } +#[repr(C)] +pub struct PKCS7_ENCRYPT { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub enc_data: *mut PKCS7_ENC_CONTENT, } extern "C" { @@ -108,84 +67,67 @@ extern "C" { pub fn PKCS7_RECIP_INFO_free(info: *mut PKCS7_RECIP_INFO); } -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7 { - /* - * The following is non NULL if it contains ASN1 encoding of this - * structure - */ - pub asn1: *mut c_uchar, - pub length: c_long, - // # define PKCS7_S_HEADER 0 - // # define PKCS7_S_BODY 1 - // # define PKCS7_S_TAIL 2 - pub state: c_int, /* used during processing */ - pub detached: c_int, - pub type_: *mut ASN1_OBJECT, - /* content as defined by the type */ - /* - * all encryption/message digests are applied to the 'contents', leaving - * out the 'type' field. - */ - pub d: PKCS7_data, - #[cfg(ossl300)] - pub ctx: PKCS7_CTX, - } - #[repr(C)] - pub union PKCS7_data { - pub ptr: *mut c_char, - /* NID_pkcs7_data */ - pub data: *mut ASN1_OCTET_STRING, - /* NID_pkcs7_signed */ - pub sign: *mut PKCS7_SIGNED, - /* NID_pkcs7_enveloped */ - pub enveloped: *mut PKCS7_ENVELOPE, - /* NID_pkcs7_signedAndEnveloped */ - pub signed_and_enveloped: *mut PKCS7_SIGN_ENVELOPE, - /* NID_pkcs7_digest */ - pub digest: *mut PKCS7_DIGEST, - /* NID_pkcs7_encrypted */ - pub encrypted: *mut PKCS7_ENCRYPT, - /* Anything else */ - pub other: *mut ASN1_TYPE, - } - } else { - pub enum PKCS7 {} - } +#[repr(C)] +pub struct PKCS7 { + /* + * The following is non NULL if it contains ASN1 encoding of this + * structure + */ + pub asn1: *mut c_uchar, + pub length: c_long, + // # define PKCS7_S_HEADER 0 + // # define PKCS7_S_BODY 1 + // # define PKCS7_S_TAIL 2 + pub state: c_int, /* used during processing */ + pub detached: c_int, + pub type_: *mut ASN1_OBJECT, + /* content as defined by the type */ + /* + * all encryption/message digests are applied to the 'contents', leaving + * out the 'type' field. + */ + pub d: PKCS7_data, + #[cfg(ossl300)] + pub ctx: PKCS7_CTX, } -cfg_if! { - if #[cfg(any(ossl101, libressl))] { - #[repr(C)] - pub struct PKCS7_ISSUER_AND_SERIAL { - pub issuer: *mut X509_NAME, - pub serial: *mut ASN1_INTEGER, - } - } else { - pub enum PKCS7_ISSUER_AND_SERIAL {} - } +#[repr(C)] +pub union PKCS7_data { + pub ptr: *mut c_char, + /* NID_pkcs7_data */ + pub data: *mut ASN1_OCTET_STRING, + /* NID_pkcs7_signed */ + pub sign: *mut PKCS7_SIGNED, + /* NID_pkcs7_enveloped */ + pub enveloped: *mut PKCS7_ENVELOPE, + /* NID_pkcs7_signedAndEnveloped */ + pub signed_and_enveloped: *mut PKCS7_SIGN_ENVELOPE, + /* NID_pkcs7_digest */ + pub digest: *mut PKCS7_DIGEST, + /* NID_pkcs7_encrypted */ + pub encrypted: *mut PKCS7_ENCRYPT, + /* Anything else */ + pub other: *mut ASN1_TYPE, } -cfg_if! { - if #[cfg(any(ossl101, libressl))] { - #[repr(C)] - pub struct PKCS7_SIGNER_INFO { - pub version: *mut ASN1_INTEGER, /* version 1 */ - pub issuer_and_serial: *mut PKCS7_ISSUER_AND_SERIAL, - pub digest_alg: *mut X509_ALGOR, - pub auth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 0 ] */ - pub digest_enc_alg: *mut X509_ALGOR, - pub enc_digest: *mut ASN1_OCTET_STRING, - pub unauth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 1 ] */ - pub pkey: *mut EVP_PKEY, /* The private key to sign with */ - #[cfg(ossl300)] - pub ctx: *const PKCS7_CTX, - } - } else { - pub enum PKCS7_SIGNER_INFO {} - } +#[repr(C)] +pub struct PKCS7_ISSUER_AND_SERIAL { + pub issuer: *mut X509_NAME, + pub serial: *mut ASN1_INTEGER, +} + +#[repr(C)] +pub struct PKCS7_SIGNER_INFO { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub issuer_and_serial: *mut PKCS7_ISSUER_AND_SERIAL, + pub digest_alg: *mut X509_ALGOR, + pub auth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 0 ] */ + pub digest_enc_alg: *mut X509_ALGOR, + pub enc_digest: *mut ASN1_OCTET_STRING, + pub unauth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 1 ] */ + pub pkey: *mut EVP_PKEY, /* The private key to sign with */ + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, } stack!(stack_st_PKCS7_SIGNER_INFO); From 9c30e4e418c26c9e4adfff4bd64aae2713897564 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 27 Feb 2023 09:56:23 +0100 Subject: [PATCH 123/341] rustfmt hit me once more --- openssl-sys/src/handwritten/pkcs7.rs | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index 60dcfe0d64..754fc9e2b8 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs @@ -10,10 +10,10 @@ pub struct PKCS7_CTX { #[repr(C)] pub struct PKCS7_SIGNED { - pub version: *mut ASN1_INTEGER, /* version 1 */ + pub version: *mut ASN1_INTEGER, /* version 1 */ pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ - pub cert: *mut stack_st_X509, /* [ 0 ] */ - pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, pub contents: *mut PKCS7, } @@ -34,18 +34,18 @@ pub struct PKCS7_ENVELOPE { } #[repr(C)] pub struct PKCS7_SIGN_ENVELOPE { - pub version: *mut ASN1_INTEGER, /* version 1 */ + pub version: *mut ASN1_INTEGER, /* version 1 */ pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ - pub cert: *mut stack_st_X509, /* [ 0 ] */ - pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, pub enc_data: *mut PKCS7_ENC_CONTENT, - pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO, } #[repr(C)] pub struct PKCS7_DIGEST { pub version: *mut ASN1_INTEGER, /* version 0 */ - pub md: *mut X509_ALGOR, /* md used */ + pub md: *mut X509_ALGOR, /* md used */ pub contents: *mut PKCS7, pub digest: *mut ASN1_OCTET_STRING, } @@ -125,7 +125,7 @@ pub struct PKCS7_SIGNER_INFO { pub digest_enc_alg: *mut X509_ALGOR, pub enc_digest: *mut ASN1_OCTET_STRING, pub unauth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 1 ] */ - pub pkey: *mut EVP_PKEY, /* The private key to sign with */ + pub pkey: *mut EVP_PKEY, /* The private key to sign with */ #[cfg(ossl300)] pub ctx: *const PKCS7_CTX, } From 3af29817172dce38419b4e21c5f212d66fb6bee8 Mon Sep 17 00:00:00 2001 From: Doug Bodden Date: Tue, 28 Feb 2023 13:33:49 -0500 Subject: [PATCH 124/341] Add DTLS 1.2 support in newer releases of SSL libs. --- openssl-sys/src/handwritten/ssl.rs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index f179a04ab1..1000276ab9 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -679,6 +679,10 @@ cfg_if! { pub fn TLS_server_method() -> *const SSL_METHOD; pub fn TLS_client_method() -> *const SSL_METHOD; + + // DTLS 1.2 support doesn't exist in LibresSSL 2.9.1 + #[cfg(ossl110)] + pub fn DTLSv1_2_method() -> *const SSL_METHOD; } } else { extern "C" { @@ -699,7 +703,8 @@ cfg_if! { pub fn DTLSv1_method() -> *const SSL_METHOD; - #[cfg(ossl102)] + // DTLS 1.2 support started in OpenSSL 1.0.2, LibreSSL 3.3.2 + #[cfg(any(ossl102,libressl332))] pub fn DTLSv1_2_method() -> *const SSL_METHOD; } } From d05a149c85cf8fcb31f6fc072fc46d46371eec11 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 4 Mar 2023 09:08:56 -0500 Subject: [PATCH 125/341] bump actions/cache version this is needed to deal with a GHA deprecation --- .github/workflows/ci.yml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 43abdf7a69..cd766f5cba 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,19 +36,19 @@ jobs: - uses: sfackler/actions/rustup@master - run: echo "::set-output name=version::$(rustc --version)" id: rust-version - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/index key: index-${{ runner.os }}-${{ github.run_number }} restore-keys: | index-${{ runner.os }}- - run: cargo generate-lockfile - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/cache key: registry-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} - run: cargo fetch - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: target key: target-${{ github.job }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} @@ -64,19 +64,19 @@ jobs: version: 1.56.0 - run: echo "::set-output name=version::$(rustc --version)" id: rust-version - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/index key: index-${{ runner.os }}-${{ github.run_number }} restore-keys: | index-${{ runner.os }}- - run: cargo generate-lockfile - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/cache key: registry-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} - run: cargo fetch - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: target key: target-${{ github.job }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} @@ -92,19 +92,19 @@ jobs: id: rust-version - run: echo "VCPKG_ROOT=$env:VCPKG_INSTALLATION_ROOT" | Out-File -FilePath $env:GITHUB_ENV -Append - run: vcpkg install openssl:x64-windows-static-md - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/index key: index-${{ runner.os }}-${{ github.run_number }} restore-keys: | index-${{ runner.os }}- - run: cargo generate-lockfile - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/cache key: registry-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} - run: cargo fetch - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: target key: target-${{ github.job }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} @@ -120,19 +120,19 @@ jobs: - uses: sfackler/actions/rustup@master - run: echo "::set-output name=version::$(rustc --version)" id: rust-version - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/index key: index-${{ runner.os }}-${{ github.run_number }} restore-keys: | index-${{ runner.os }}- - run: cargo generate-lockfile - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/cache key: registry-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} - run: cargo fetch - # - uses: actions/cache@v1 + # - uses: actions/cache@v3 # with: # path: target # key: target-${{ github.job }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} @@ -249,7 +249,7 @@ jobs: sudo apt-get update sudo apt-get install -y $packages - run: sudo apt-get remove -y libssl-dev - - uses: actions/cache@v2 + - uses: actions/cache@v3 with: path: /opt/openssl key: openssl-${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-2 @@ -329,19 +329,19 @@ jobs: echo '[patch.crates-io]' > .cargo/config.toml echo 'bssl-sys = { path = "'$OPENSSL_DIR'/rust" }' >> .cargo/config.toml if: matrix.library.name == 'boringssl' - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/index key: index-${{ runner.os }}-${{ github.run_number }} restore-keys: | index-${{ runner.os }}- - run: cargo generate-lockfile - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/cache key: registry-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} - run: cargo fetch - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: target key: target-${{ matrix.target }}-${{ matrix.bindgen }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} From be90abaff6c2660e77705fa2108fe9d010c8b567 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 4 Mar 2023 09:47:07 -0500 Subject: [PATCH 126/341] bump checkout as well --- .github/workflows/ci.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cd766f5cba..1b78d37d29 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,7 +24,7 @@ jobs: name: rustfmt runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - uses: sfackler/actions/rustfmt@master @@ -32,7 +32,7 @@ jobs: name: clippy runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - run: echo "::set-output name=version::$(rustc --version)" id: rust-version @@ -58,7 +58,7 @@ jobs: name: min-version runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master with: version: 1.56.0 @@ -86,7 +86,7 @@ jobs: name: windows-vcpkg runs-on: windows-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - run: echo "::set-output name=version::$(rustc --version)" id: rust-version @@ -116,7 +116,7 @@ jobs: name: macos-homebrew runs-on: macos-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - run: echo "::set-output name=version::$(rustc --version)" id: rust-version @@ -227,7 +227,7 @@ jobs: CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABIHF_AR: arm-linux-gnueabihf-ar CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABIHF_RUNNER: qemu-arm -L /usr/arm-linux-gnueabihf steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - run: echo "::set-output name=version::$(rustc --version)" id: rust-version From e10d37724133c07a2db8dad53d22519b7b565988 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 4 Mar 2023 10:06:41 -0500 Subject: [PATCH 127/341] replace explicit set-output as well --- .github/workflows/ci.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1b78d37d29..b5c0be1df8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,7 @@ jobs: steps: - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - - run: echo "::set-output name=version::$(rustc --version)" + - run: echo "version=$(rustc --version)" >> $GITHUB_OUTPUT id: rust-version - uses: actions/cache@v3 with: @@ -62,7 +62,7 @@ jobs: - uses: sfackler/actions/rustup@master with: version: 1.56.0 - - run: echo "::set-output name=version::$(rustc --version)" + - run: echo "version=$(rustc --version)" >> $GITHUB_OUTPUT id: rust-version - uses: actions/cache@v3 with: @@ -88,7 +88,7 @@ jobs: steps: - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - - run: echo "::set-output name=version::$(rustc --version)" + - run: echo "version=$(rustc --version)" >> $GITHUB_OUTPUT id: rust-version - run: echo "VCPKG_ROOT=$env:VCPKG_INSTALLATION_ROOT" | Out-File -FilePath $env:GITHUB_ENV -Append - run: vcpkg install openssl:x64-windows-static-md @@ -118,7 +118,7 @@ jobs: steps: - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - - run: echo "::set-output name=version::$(rustc --version)" + - run: echo "version=$(rustc --version)" >> $GITHUB_OUTPUT id: rust-version - uses: actions/cache@v3 with: @@ -229,7 +229,7 @@ jobs: steps: - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - - run: echo "::set-output name=version::$(rustc --version)" + - run: echo "version=$(rustc --version)" >> $GITHUB_OUTPUT id: rust-version - run: rustup target add ${{ matrix.target }} - name: Install packages From 1ab42213942eb58f9293d597169086ebbbf11d22 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 7 Mar 2023 15:39:39 -0500 Subject: [PATCH 128/341] Fix link typo Closes #1834 --- openssl/src/sha.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/sha.rs b/openssl/src/sha.rs index dd026677c6..24128904a3 100644 --- a/openssl/src/sha.rs +++ b/openssl/src/sha.rs @@ -57,7 +57,7 @@ pub fn sha1(data: &[u8]) -> [u8; 20] { } /// Computes the SHA224 hash of some data. -#[corresponds(SH224)] +#[corresponds(SHA224)] #[inline] pub fn sha224(data: &[u8]) -> [u8; 28] { unsafe { From 9a9c5041f60ad9e9a00cbcd60587ea9b937bd4f9 Mon Sep 17 00:00:00 2001 From: shinmao Date: Thu, 9 Mar 2023 20:21:46 -0500 Subject: [PATCH 129/341] add missed free() on error add free statement if error occurs in `SSL_set_tlsext_status_ocsp_resp()` --- openssl/src/ssl/mod.rs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index be898d627e..8e42cc8bbc 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -2881,6 +2881,10 @@ impl SslRef { response.len() as c_long, ) as c_int) .map(|_| ()) + .map_err(|e| { + ffi::OPENSSL_free(p) + e + }) } } From 7f52549c006fb495f50060efb88129cabf5ac5fb Mon Sep 17 00:00:00 2001 From: shinmao Date: Thu, 9 Mar 2023 21:30:46 -0500 Subject: [PATCH 130/341] add missing semicolon --- openssl/src/ssl/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 8e42cc8bbc..c8648c4bcd 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -2882,7 +2882,7 @@ impl SslRef { ) as c_int) .map(|_| ()) .map_err(|e| { - ffi::OPENSSL_free(p) + ffi::OPENSSL_free(p); e }) } From 65a75a818f280ed578e9e68f7d6c1ca203b10e6f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 4 Mar 2023 09:00:46 -0500 Subject: [PATCH 131/341] Added support for building boringssl with bindgen This allows building it without the bssl-sys crate. This is an alternative approach to fixing #1768 (in contrast to #1806). This maintains support for using the bssl-sys crate. --- .github/workflows/ci.yml | 30 ++++---- openssl-sys/Cargo.toml | 2 +- openssl-sys/build/main.rs | 21 ++++-- openssl-sys/build/run_bindgen.rs | 117 +++++++++++++++++++++++++++++-- openssl-sys/src/lib.rs | 18 ++++- openssl/build.rs | 2 +- openssl/src/bio.rs | 4 +- openssl/src/dh.rs | 2 +- openssl/src/error.rs | 11 ++- openssl/src/lib.rs | 5 ++ 10 files changed, 179 insertions(+), 33 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b5c0be1df8..8bbdaf2055 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -153,7 +153,7 @@ jobs: - false library: - name: boringssl - version: 5697a9202615925696f8dc7f4e286d44d474769e + version: 93e8d4463d59d671e9c5c6171226341f04b07907 - name: openssl version: vendored - name: openssl @@ -215,10 +215,6 @@ jobs: library: name: libressl version: 3.7.0 - exclude: - - library: - name: boringssl - bindgen: true name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} runs-on: ubuntu-latest env: @@ -311,16 +307,26 @@ jobs: make install_sw ;; "boringssl") - sed -i rust/CMakeLists.txt -e '1s%^%include_directories(../include)\n%' - cpu=`echo ${{ matrix.target }} | cut -d - -f 1` + mkdir build + cd build + echo "set(CMAKE_SYSTEM_NAME Linux)" > toolchain.cmake echo "set(CMAKE_SYSTEM_PROCESSOR $cpu)" >> toolchain.cmake echo "set(triple ${{ matrix.target }})" >> toolchain.cmake echo 'set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} '$OS_FLAGS '" CACHE STRING "c++ flags")' >> toolchain.cmake echo 'set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} '$OS_FLAGS '" CACHE STRING "c flags")' >> toolchain.cmake echo 'set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} '$OS_FLAGS '" CACHE STRING "asm flags")' >> toolchain.cmake - cmake -DRUST_BINDINGS="${{ matrix.target }}" -B $OPENSSL_DIR -DCMAKE_TOOLCHAIN_FILE=toolchain.cmake - make -C $OPENSSL_DIR + + cmake .. -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DRUST_BINDINGS="${{ matrix.target }}" -DCMAKE_INSTALL_PREFIX="${OPENSSL_DIR}" -DCMAKE_TOOLCHAIN_FILE=toolchain.cmake + make -j "$(nproc)" + make install + + # Copy stuff around so it's all as the build system expects. + cp -r rust/ "$OPENSSL_DIR/rust" + mkdir -p "$OPENSSL_DIR/crypto/" + mkdir -p "$OPENSSL_DIR/ssl/" + cp "$OPENSSL_DIR/lib/libcrypto.a" "$OPENSSL_DIR/crypto/" + cp "$OPENSSL_DIR/lib/libssl.a" "$OPENSSL_DIR/ssl/" esac if: matrix.library.version != 'vendored' && !steps.openssl-cache.outputs.cache-hit @@ -328,7 +334,7 @@ jobs: mkdir -p .cargo echo '[patch.crates-io]' > .cargo/config.toml echo 'bssl-sys = { path = "'$OPENSSL_DIR'/rust" }' >> .cargo/config.toml - if: matrix.library.name == 'boringssl' + if: matrix.library.name == 'boringssl' && !matrix.bindgen - uses: actions/cache@v3 with: path: ~/.cargo/registry/index @@ -350,14 +356,14 @@ jobs: if [[ "${{ matrix.library.version }}" == "vendored" ]]; then features="--features vendored" fi - if [[ "${{ matrix.bindgen }}" == "true" ]]; then + if [[ "${{ matrix.bindgen }}" == "true" && "${{ matrix.library.name }}" != "boringssl" ]]; then features="$features --features bindgen" fi cargo run --manifest-path=systest/Cargo.toml --target ${{ matrix.target }} $features if: matrix.library.name != 'boringssl' - name: Test openssl run: | - if [[ "${{ matrix.library.name }}" == "boringssl" ]]; then + if [[ "${{ matrix.library.name }}" == "boringssl" && "${{ matrix.bindgen }}" != "true" ]]; then features="--features unstable_boringssl" fi if [[ "${{ matrix.library.version }}" == "vendored" ]]; then diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 7b5c8104d8..4f057bf9fa 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -23,7 +23,7 @@ libc = "0.2" bssl-sys = { version = "0.1.0", optional = true } [build-dependencies] -bindgen = { version = "0.60.1", optional = true } +bindgen = { version = "0.64.0", optional = true, features = ["experimental"] } cc = "1.0" openssl-src = { version = "111", optional = true } pkg-config = "0.3.9" diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 262ea2cbab..c5a68a630a 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -23,7 +23,6 @@ mod cfgs; mod find_normal; #[cfg(feature = "vendored")] mod find_vendored; -#[cfg(feature = "bindgen")] mod run_bindgen; #[derive(PartialEq)] @@ -32,6 +31,7 @@ enum Version { Openssl11x, Openssl10x, Libressl, + Boringssl, } fn env_inner(name: &str) -> Option { @@ -67,10 +67,9 @@ fn find_openssl(target: &str) -> (Vec, PathBuf) { fn check_ssl_kind() { if cfg!(feature = "unstable_boringssl") { println!("cargo:rustc-cfg=boringssl"); + println!("cargo:boringssl=true"); // BoringSSL does not have any build logic, exit early std::process::exit(0); - } else { - println!("cargo:rustc-cfg=openssl"); } } @@ -146,8 +145,12 @@ fn check_rustc_versions() { #[allow(clippy::let_and_return)] fn postprocess(include_dirs: &[PathBuf]) -> Version { let version = validate_headers(include_dirs); - #[cfg(feature = "bindgen")] - run_bindgen::run(&include_dirs); + + // Never run bindgen for BoringSSL, if it was needed we already ran it. + if version != Version::Boringssl { + #[cfg(feature = "bindgen")] + run_bindgen::run(&include_dirs); + } version } @@ -235,9 +238,15 @@ See rust-openssl documentation for more information: } if is_boringssl { - panic!("BoringSSL detected, but `unstable_boringssl` feature wasn't specified.") + println!("cargo:rustc-cfg=boringssl"); + println!("cargo:boringssl=true"); + run_bindgen::run_boringssl(include_dirs); + return Version::Boringssl; } + // We set this for any non-BoringSSL lib. + println!("cargo:rustc-cfg=openssl"); + for enabled in &enabled { println!("cargo:rustc-cfg=osslconf=\"{}\"", enabled); } diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 9531e6e8bb..0c127ae5c6 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -1,13 +1,17 @@ +#[cfg(feature = "bindgen")] use bindgen::callbacks::{MacroParsingBehavior, ParseCallbacks}; -use bindgen::RustTarget; -use std::env; +#[cfg(feature = "bindgen")] +use bindgen::{MacroTypeVariation, RustTarget}; +use std::io::Write; use std::path::PathBuf; +#[cfg(not(feature = "bindgen"))] +use std::process; +use std::{env, fs}; const INCLUDES: &str = " #include #include #include -#include #include #include #include @@ -17,7 +21,6 @@ const INCLUDES: &str = " #include #include #include -#include #include #include #include @@ -35,10 +38,15 @@ const INCLUDES: &str = " // this must be included after ssl.h for libressl! #include -#if !defined(LIBRESSL_VERSION_NUMBER) +#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL) #include #endif +#if !defined(OPENSSL_IS_BORINGSSL) +#include +#include +#endif + #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000 #include #endif @@ -48,6 +56,7 @@ const INCLUDES: &str = " #endif "; +#[cfg(feature = "bindgen")] pub fn run(include_dirs: &[PathBuf]) { let out_dir = PathBuf::from(env::var_os("OUT_DIR").unwrap()); @@ -94,9 +103,107 @@ pub fn run(include_dirs: &[PathBuf]) { .unwrap(); } +#[cfg(feature = "bindgen")] +pub fn run_boringssl(include_dirs: &[PathBuf]) { + let out_dir = PathBuf::from(env::var_os("OUT_DIR").unwrap()); + let mut builder = bindgen::builder() + .rust_target(RustTarget::Stable_1_47) + .ctypes_prefix("::libc") + .derive_default(false) + .enable_function_attribute_detection() + .size_t_is_usize(true) + .default_macro_constant_type(MacroTypeVariation::Signed) + .rustified_enum("point_conversion_form_t") + .allowlist_file(".*/openssl/[^/]+\\.h") + .wrap_static_fns(true) + .wrap_static_fns_path(out_dir.join("boring_static_wrapper").display().to_string()) + .layout_tests(false) + .header_contents("includes.h", INCLUDES); + + for include_dir in include_dirs { + builder = builder + .clang_arg("-I") + .clang_arg(include_dir.display().to_string()); + } + + builder + .generate() + .unwrap() + .write_to_file(out_dir.join("bindgen.rs")) + .unwrap(); + + fs::File::create(out_dir.join("boring_static_wrapper.h")) + .expect("Failed to create boring_static_wrapper.h") + .write_all(INCLUDES.as_bytes()) + .expect("Failed to write contents to boring_static_wrapper.h"); + + cc::Build::new() + .file(out_dir.join("boring_static_wrapper.c")) + .includes(include_dirs) + .flag("-include") + .flag( + &out_dir + .join("boring_static_wrapper.h") + .display() + .to_string(), + ) + .compile("boring_static_wrapper"); +} + +#[cfg(not(feature = "bindgen"))] +pub fn run_boringssl(include_dirs: &[PathBuf]) { + let out_dir = PathBuf::from(env::var_os("OUT_DIR").unwrap()); + + fs::File::create(out_dir.join("boring_static_wrapper.h")) + .expect("Failed to create boring_static_wrapper.h") + .write_all(INCLUDES.as_bytes()) + .expect("Failed to write contents to boring_static_wrapper.h"); + + let mut bindgen_cmd = process::Command::new("bindgen"); + bindgen_cmd + .arg("-o") + .arg(out_dir.join("bindgen.rs")) + .arg("--rust-target=1.47") + .arg("--ctypes-prefix=::libc") + .arg("--no-derive-default") + .arg("--enable-function-attribute-detection") + .arg("--size_t-is-usize") + .arg("--default-macro-constant-type=signed") + .arg("--rustified-enum=point_conversion_form_t") + .arg("--allowlist-file=.*/openssl/[^/]+\\.h") + .arg("--experimental") + .arg("--wrap-static-fns") + .arg("--wrap-static-fns-path") + .arg(out_dir.join("boring_static_wrapper").display().to_string()) + .arg("--no-layout-tests") + .arg(out_dir.join("boring_static_wrapper.h")) + .arg("--") + .arg(format!("--target={}", env::var("TARGET").unwrap())); + + for include_dir in include_dirs { + bindgen_cmd.arg("-I").arg(include_dir.display().to_string()); + } + + let result = bindgen_cmd.status().expect("bindgen failed to execute"); + assert!(result.success()); + + cc::Build::new() + .file(out_dir.join("boring_static_wrapper.c")) + .includes(include_dirs) + .flag("-include") + .flag( + &out_dir + .join("boring_static_wrapper.h") + .display() + .to_string(), + ) + .compile("boring_static_wrapper"); +} + #[derive(Debug)] struct OpensslCallbacks; +#[cfg(feature = "bindgen")] impl ParseCallbacks for OpensslCallbacks { // for now we'll continue hand-writing constants fn will_parse_macro(&self, _name: &str) -> MacroParsingBehavior { diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index b1d51a8580..c3084755cc 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -16,11 +16,25 @@ extern crate libc; pub use libc::*; -#[cfg(boringssl)] +#[cfg(feature = "unstable_boringssl")] extern crate bssl_sys; -#[cfg(boringssl)] +#[cfg(feature = "unstable_boringssl")] pub use bssl_sys::*; +#[cfg(all(boringssl, not(feature = "unstable_boringssl")))] +#[path = "."] +mod boringssl { + include!(concat!(env!("OUT_DIR"), "/bindgen.rs")); + + pub fn init() { + unsafe { + CRYPTO_library_init(); + } + } +} +#[cfg(all(boringssl, not(feature = "unstable_boringssl")))] +pub use boringssl::*; + #[cfg(openssl)] #[path = "."] mod openssl { diff --git a/openssl/build.rs b/openssl/build.rs index 7651429f38..5cddce90c2 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -11,7 +11,7 @@ fn main() { println!("cargo:rustc-cfg=libressl"); } - if env::var("CARGO_FEATURE_UNSTABLE_BORINGSSL").is_ok() { + if env::var("DEP_OPENSSL_BORINGSSL").is_ok() { println!("cargo:rustc-cfg=boringssl"); return; } diff --git a/openssl/src/bio.rs b/openssl/src/bio.rs index 6a72552adc..0f54935a6b 100644 --- a/openssl/src/bio.rs +++ b/openssl/src/bio.rs @@ -25,7 +25,7 @@ impl<'a> MemBioSlice<'a> { let bio = unsafe { cvt_p(BIO_new_mem_buf( buf.as_ptr() as *const _, - buf.len() as c_int, + buf.len() as crate::SLenType, ))? }; @@ -74,7 +74,7 @@ impl MemBio { } cfg_if! { - if #[cfg(ossl102)] { + if #[cfg(any(ossl102, boringssl))] { use ffi::BIO_new_mem_buf; } else { #[allow(bad_style)] diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index 12170b994e..e781543e27 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -239,7 +239,7 @@ where } cfg_if! { - if #[cfg(any(ossl110, libressl270))] { + if #[cfg(any(ossl110, libressl270, boringssl))] { use ffi::{DH_set0_pqg, DH_get0_pqg, DH_get0_key, DH_set0_key}; } else { #[allow(bad_style)] diff --git a/openssl/src/error.rs b/openssl/src/error.rs index 58b4d70a38..f9a7c54b8f 100644 --- a/openssl/src/error.rs +++ b/openssl/src/error.rs @@ -297,19 +297,24 @@ impl fmt::Debug for Error { } impl fmt::Display for Error { + // On BoringSSL ERR_GET_{LIB,FUNC,REASON} are `unsafe`, but on + // OpenSSL/LibreSSL they're safe. + #[allow(unused_unsafe)] fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result { write!(fmt, "error:{:08X}", self.code())?; match self.library() { Some(l) => write!(fmt, ":{}", l)?, - None => write!(fmt, ":lib({})", ffi::ERR_GET_LIB(self.code()))?, + None => write!(fmt, ":lib({})", unsafe { ffi::ERR_GET_LIB(self.code()) })?, } match self.function() { Some(f) => write!(fmt, ":{}", f)?, - None => write!(fmt, ":func({})", ffi::ERR_GET_FUNC(self.code()))?, + None => write!(fmt, ":func({})", unsafe { ffi::ERR_GET_FUNC(self.code()) })?, } match self.reason() { Some(r) => write!(fmt, ":{}", r)?, - None => write!(fmt, ":reason({})", ffi::ERR_GET_REASON(self.code()))?, + None => write!(fmt, ":reason({})", unsafe { + ffi::ERR_GET_REASON(self.code()) + })?, } write!( fmt, diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 8988f4c3c0..5678298a03 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -190,6 +190,11 @@ type LenType = libc::size_t; #[cfg(not(boringssl))] type LenType = libc::c_int; +#[cfg(boringssl)] +type SLenType = libc::ssize_t; +#[cfg(not(boringssl))] +type SLenType = libc::c_int; + #[inline] fn cvt_p(r: *mut T) -> Result<*mut T, ErrorStack> { if r.is_null() { From b3b83c4ab25d0751fecd941bff5668d1c2b7b665 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 14 Mar 2023 09:51:10 -0400 Subject: [PATCH 132/341] Bump CI to 3.1.0 --- .github/workflows/ci.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b5c0be1df8..60d729207a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -157,10 +157,7 @@ jobs: - name: openssl version: vendored - name: openssl - version: 3.1.0-beta1 - dl-path: / - - name: openssl - version: 3.0.8 + version: 3.1.0 dl-path: / - name: openssl version: 1.1.1t From ee3eaa325ba04fffcc1b795213b366ee3ee1378b Mon Sep 17 00:00:00 2001 From: Doug Bodden Date: Tue, 14 Mar 2023 14:00:12 +0000 Subject: [PATCH 133/341] Move code per PR feedback. --- openssl-sys/src/handwritten/ssl.rs | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index 1000276ab9..29562d41ef 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -680,9 +680,6 @@ cfg_if! { pub fn TLS_client_method() -> *const SSL_METHOD; - // DTLS 1.2 support doesn't exist in LibresSSL 2.9.1 - #[cfg(ossl110)] - pub fn DTLSv1_2_method() -> *const SSL_METHOD; } } else { extern "C" { @@ -710,6 +707,13 @@ cfg_if! { } } +extern "C" { + #[cfg(ossl110)] + pub fn DTLSv1_2_method() -> *const SSL_METHOD; +} + + + extern "C" { pub fn SSL_get_error(ssl: *const SSL, ret: c_int) -> c_int; pub fn SSL_get_version(ssl: *const SSL) -> *const c_char; From 40eed05da58adcc42874a09c07b3abc633a74ed3 Mon Sep 17 00:00:00 2001 From: Doug Bodden Date: Tue, 14 Mar 2023 14:08:30 +0000 Subject: [PATCH 134/341] Fix formatting. --- openssl-sys/src/handwritten/ssl.rs | 2 -- 1 file changed, 2 deletions(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index 29562d41ef..65a4f42f6b 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -712,8 +712,6 @@ extern "C" { pub fn DTLSv1_2_method() -> *const SSL_METHOD; } - - extern "C" { pub fn SSL_get_error(ssl: *const SSL, ret: c_int) -> c_int; pub fn SSL_get_version(ssl: *const SSL) -> *const c_char; From 4a630b78a7471713d532f9d557ce628f10459ef5 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 14 Mar 2023 20:05:28 -0400 Subject: [PATCH 135/341] Revert "Add DTLS 1.2 support in newer releases of SSL libs." --- openssl-sys/src/handwritten/ssl.rs | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index 65a4f42f6b..f179a04ab1 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -679,7 +679,6 @@ cfg_if! { pub fn TLS_server_method() -> *const SSL_METHOD; pub fn TLS_client_method() -> *const SSL_METHOD; - } } else { extern "C" { @@ -700,18 +699,12 @@ cfg_if! { pub fn DTLSv1_method() -> *const SSL_METHOD; - // DTLS 1.2 support started in OpenSSL 1.0.2, LibreSSL 3.3.2 - #[cfg(any(ossl102,libressl332))] + #[cfg(ossl102)] pub fn DTLSv1_2_method() -> *const SSL_METHOD; } } } -extern "C" { - #[cfg(ossl110)] - pub fn DTLSv1_2_method() -> *const SSL_METHOD; -} - extern "C" { pub fn SSL_get_error(ssl: *const SSL, ret: c_int) -> c_int; pub fn SSL_get_version(ssl: *const SSL) -> *const c_char; From 54329d7cbd71467c797ebe48258d3ecff1c26498 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 14 Mar 2023 21:05:41 -0400 Subject: [PATCH 136/341] Release openssl-sys v0.9.81 --- openssl-sys/CHANGELOG.md | 22 ++++++++++++++++++++++ openssl-sys/Cargo.toml | 2 +- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 1bf8690dbe..194705320a 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,28 @@ ## [Unreleased] +## [v0.9.81] - 2023-03-14 + +### Fixed + +Fixed builds against OpenSSL built with `no-cast`. + +### Added + +* Added experimental bindgen support for BoringSSL. +* Added `X509_VERIFY_PARAM_set_auth_level`, `X509_VERIFY_PARAM_get_auth_level`, and `X509_VERIFY_PARAM_set_purpose`. +* Added `X509_PURPOSE_*` consts. +* Added `X509_NAME_add_entry`. +* Added `X509_load_crl_file`. +* Added `SSL_set_cipher_list`, `SSL_set_ssl_method`, `SSL_use_PrivateKey_file`, `SSL_use_PrivateKey`, `SSL_use_certificate`, `SSL_use_certificate_chain_file`, `SSL_set_client_CA_list`, `SSL_add_client_CA`, and `SSL_set0_verify_cert_store`. +* Added `X509_PURPOSE`, `X509_STORE_set_purpose`, and `X509_STORE_set_trust`. +* Added `SSL_CTX_set_num_tickets`, `SSL_set_num_tickets`, `SSL_CTX_get_num_tickets`, and `SSL_get_num_tickets`. +* Added `CMS_verify`. + +### Removed + +* Removed an unnecessary link to libatomic for 32-bit android targets. + ## [v0.9.80] - 2022-12-20 ### Fixed diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 4f057bf9fa..23e20109e7 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.80" +version = "0.9.81" authors = [ "Alex Crichton ", "Steven Fackler ", From 98f4d44997f30cbd468bd6e0146b7c98e9ba642d Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 14 Mar 2023 21:21:15 -0400 Subject: [PATCH 137/341] Release openssl v0.10.46 --- openssl/CHANGELOG.md | 30 ++++++++++++++++++++++++++++-- openssl/Cargo.toml | 4 ++-- 2 files changed, 30 insertions(+), 4 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 79dd8c2b42..6c0efdf616 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,7 +2,32 @@ ## [Unreleased] -* Added `CMS_verify`. +## [v0.10.46] - 2023-03-14 + +### Fixed + +* Fixed a potential null-pointer deref when parsing a PKCS#12 archive with no identity. +* Fixed builds against OpenSSL built with `no-cast`. +* Fixed debug formatting of `GeneralName`. + +### Deprecated + +* Deprecated `PKcs12Ref::parse` in favor of `Pkcs12Ref::parse2`. +* Deprecated `ParsedPkcs12` in favor of `ParsedPkcs12_2`. +* Deprecated `Pkcs12Builder::build` in favor of `Pkcs12Builder::build2`. + +### Added + +* Added `X509VerifyParamRef::set_auth_level`, `X509VerifyParamRef::auth_level`, and `X509VerifyParamRef::set_purpose`. +* Added `X509PurposeId` and `X509Purpose`. +* Added `X509NameBuilder::append_entry`. +* Added `PKeyRef::private_key_to_pkcs8`. +* Added `X509LookupRef::load_crl_file`. +* Added `Pkcs12Builder::name`, `Pkcs12Builder::pkey`, and `Pkcs12Builder::cert`. +* Added `SslRef::set_method`, `SslRef::set_private_key_file`, `SslRef::set_private_key`, `SslRef::set_certificate`, `SslRef::set_certificate_chain_file`, `SslRef::add_client_ca`, `SslRef::set_client_ca_list`, `SslRef::set_min_proto_version`, `SslREf::set_max_proto_version`, `SslRef::set_ciphersuites`, `SslRef::set_cipher_list`, `SslRef::set_verify_cert_store`. +* Added `X509NameRef::to_owned`. +* Added `SslContextBuilder::set_num_tickets`, `SslContextRef::num_tickets`, `SslRef::set_num_tickets`, and `SslRef::num_tickets`. +* Added `CmsContentInfo::verify`. ## [v0.10.45] - 2022-12-20 @@ -665,7 +690,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.45...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.46...master +[v0.10.46]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.45...openssl-v0.10.46 [v0.10.45]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.44...openssl-v0.10.45 [v0.10.44]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.43...openssl-v0.10.44 [v0.10.43]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.42...openssl-v0.10.43 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 1fd24448fd..42bc8fdcc4 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.45" +version = "0.10.46" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.80", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.81", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 816eb64c39ad09d8fa75bc97cd7d99be68a00f9b Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 14 Mar 2023 21:25:12 -0400 Subject: [PATCH 138/341] fix changelog --- openssl-sys/CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 194705320a..5a77e2f9f4 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -392,7 +392,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.80..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.81..master +[v0.9.81]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.80...openssl-sys-v0.9.81 [v0.9.80]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.79...openssl-sys-v0.9.80 [v0.9.79]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.78...openssl-sys-v0.9.79 [v0.9.78]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.77...openssl-sys-v0.9.78 From 2fe8b94066f1063ec78b0502052e4558379514a0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 15 Mar 2023 07:34:43 -0400 Subject: [PATCH 139/341] Enable X/Ed25519 support on BoringSSL --- openssl/src/pkey.rs | 36 ++++++++++++++++++++---------------- openssl/src/sign.rs | 12 ++++++------ 2 files changed, 26 insertions(+), 22 deletions(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 780bd637e5..ca9e08b253 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -47,7 +47,7 @@ use crate::dh::Dh; use crate::dsa::Dsa; use crate::ec::EcKey; use crate::error::ErrorStack; -#[cfg(ossl110)] +#[cfg(any(ossl110, boringssl))] use crate::pkey_ctx::PkeyCtx; use crate::rsa::Rsa; use crate::symm::Cipher; @@ -89,11 +89,11 @@ impl Id { #[cfg(ossl110)] pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub const ED25519: Id = Id(ffi::EVP_PKEY_ED25519); #[cfg(ossl111)] pub const ED448: Id = Id(ffi::EVP_PKEY_ED448); - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub const X25519: Id = Id(ffi::EVP_PKEY_X25519); #[cfg(ossl111)] pub const X448: Id = Id(ffi::EVP_PKEY_X448); @@ -252,7 +252,7 @@ where /// This function only works for algorithms that support raw public keys. /// Currently this is: [`Id::X25519`], [`Id::ED25519`], [`Id::X448`] or [`Id::ED448`]. #[corresponds(EVP_PKEY_get_raw_public_key)] - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn raw_public_key(&self) -> Result, ErrorStack> { unsafe { let mut len = 0; @@ -303,7 +303,7 @@ where /// This function only works for algorithms that support raw private keys. /// Currently this is: [`Id::HMAC`], [`Id::X25519`], [`Id::ED25519`], [`Id::X448`] or [`Id::ED448`]. #[corresponds(EVP_PKEY_get_raw_private_key)] - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn raw_private_key(&self) -> Result, ErrorStack> { unsafe { let mut len = 0; @@ -503,7 +503,7 @@ impl PKey { ctx.keygen() } - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] fn generate_eddsa(id: Id) -> Result, ErrorStack> { let mut ctx = PkeyCtx::new_id(id)?; ctx.keygen_init()?; @@ -533,7 +533,7 @@ impl PKey { /// assert_eq!(secret.len(), 32); /// # Ok(()) } /// ``` - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn generate_x25519() -> Result, ErrorStack> { PKey::generate_eddsa(Id::X25519) } @@ -587,7 +587,7 @@ impl PKey { /// assert_eq!(signature.len(), 64); /// # Ok(()) } /// ``` - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn generate_ed25519() -> Result, ErrorStack> { PKey::generate_eddsa(Id::ED25519) } @@ -737,7 +737,7 @@ impl PKey { /// /// Algorithm types that support raw private keys are HMAC, X25519, ED25519, X448 or ED448 #[corresponds(EVP_PKEY_new_raw_private_key)] - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn private_key_from_raw_bytes( bytes: &[u8], key_type: Id, @@ -778,7 +778,7 @@ impl PKey { /// /// Algorithm types that support raw public keys are X25519, ED25519, X448 or ED448 #[corresponds(EVP_PKEY_new_raw_public_key)] - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn public_key_from_raw_bytes( bytes: &[u8], key_type: Id, @@ -1084,7 +1084,7 @@ mod tests { assert_eq!(&g, dh_.generator()); } - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] fn test_raw_public_key(gen: fn() -> Result, ErrorStack>, key_type: Id) { // Generate a new key let key = gen().unwrap(); @@ -1100,7 +1100,7 @@ mod tests { ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] fn test_raw_private_key(gen: fn() -> Result, ErrorStack>, key_type: Id) { // Generate a new key let key = gen().unwrap(); @@ -1111,26 +1111,30 @@ mod tests { // Compare the der encoding of the original and raw / restored public key assert_eq!( - key.private_key_to_der().unwrap(), - from_raw.private_key_to_der().unwrap() + key.private_key_to_pkcs8().unwrap(), + from_raw.private_key_to_pkcs8().unwrap() ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] #[test] fn test_raw_public_key_bytes() { test_raw_public_key(PKey::generate_x25519, Id::X25519); test_raw_public_key(PKey::generate_ed25519, Id::ED25519); + #[cfg(not(boringssl))] test_raw_public_key(PKey::generate_x448, Id::X448); + #[cfg(not(boringssl))] test_raw_public_key(PKey::generate_ed448, Id::ED448); } - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] #[test] fn test_raw_private_key_bytes() { test_raw_private_key(PKey::generate_x25519, Id::X25519); test_raw_private_key(PKey::generate_ed25519, Id::ED25519); + #[cfg(not(boringssl))] test_raw_private_key(PKey::generate_x448, Id::X448); + #[cfg(not(boringssl))] test_raw_private_key(PKey::generate_ed448, Id::ED448); } diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 51738651c6..1c13a625b3 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -290,7 +290,7 @@ impl<'a> Signer<'a> { self.len_intern() } - #[cfg(not(ossl111))] + #[cfg(all(not(ossl111), not(boringssl)))] fn len_intern(&self) -> Result { unsafe { let mut len = 0; @@ -303,7 +303,7 @@ impl<'a> Signer<'a> { } } - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] fn len_intern(&self) -> Result { unsafe { let mut len = 0; @@ -360,7 +360,7 @@ impl<'a> Signer<'a> { /// OpenSSL documentation at [`EVP_DigestSign`]. /// /// [`EVP_DigestSign`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestSign.html - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn sign_oneshot( &mut self, sig_buf: &mut [u8], @@ -382,7 +382,7 @@ impl<'a> Signer<'a> { /// Returns the signature. /// /// This is a simple convenience wrapper over `len` and `sign_oneshot`. - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn sign_oneshot_to_vec(&mut self, data_buf: &[u8]) -> Result, ErrorStack> { let mut sig_buf = vec![0; self.len()?]; let len = self.sign_oneshot(&mut sig_buf, data_buf)?; @@ -596,7 +596,7 @@ impl<'a> Verifier<'a> { /// OpenSSL documentation at [`EVP_DigestVerify`]. /// /// [`EVP_DigestVerify`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestVerify.html - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn verify_oneshot(&mut self, signature: &[u8], buf: &[u8]) -> Result { unsafe { let r = ffi::EVP_DigestVerify( @@ -846,7 +846,7 @@ mod test { } #[test] - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] fn eddsa() { let key = PKey::generate_ed25519().unwrap(); From 0d44062e96937100563a425816b8b6859dcbb62a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 15 Mar 2023 17:05:43 -0400 Subject: [PATCH 140/341] Enable X/Ed25519 support on LibreSSL 3.7.0 --- openssl-sys/src/evp.rs | 4 ++-- openssl-sys/src/handwritten/evp.rs | 4 ++-- openssl-sys/src/obj_mac.rs | 4 ++++ openssl/src/pkey.rs | 36 +++++++++++++++--------------- openssl/src/sign.rs | 12 +++++----- 5 files changed, 32 insertions(+), 28 deletions(-) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index a98e438426..69b49fbb0b 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -10,9 +10,9 @@ pub const EVP_PKEY_RSA: c_int = NID_rsaEncryption; pub const EVP_PKEY_DSA: c_int = NID_dsa; pub const EVP_PKEY_DH: c_int = NID_dhKeyAgreement; pub const EVP_PKEY_EC: c_int = NID_X9_62_id_ecPublicKey; -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl370))] pub const EVP_PKEY_X25519: c_int = NID_X25519; -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl370))] pub const EVP_PKEY_ED25519: c_int = NID_ED25519; #[cfg(ossl111)] pub const EVP_PKEY_X448: c_int = NID_X448; diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 772709650b..1a05b7eae3 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -230,7 +230,7 @@ cfg_if! { } } cfg_if! { - if #[cfg(ossl111)] { + if #[cfg(any(ossl111, libressl370))] { extern "C" { pub fn EVP_DigestSign( ctx: *mut EVP_MD_CTX, @@ -566,7 +566,7 @@ const_ptr_api! { } cfg_if! { - if #[cfg(any(ossl111))] { + if #[cfg(any(ossl111, libressl370))] { extern "C" { pub fn EVP_PKEY_get_raw_public_key( pkey: *const EVP_PKEY, diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index ed50ebcc5f..1f8e10003a 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -920,12 +920,16 @@ pub const NID_aes_192_cbc_hmac_sha1: c_int = 917; pub const NID_aes_256_cbc_hmac_sha1: c_int = 918; #[cfg(ossl111)] pub const NID_X25519: c_int = 1034; +#[cfg(libressl370)] +pub const NID_X25519: c_int = 950; #[cfg(ossl111)] pub const NID_X448: c_int = 1035; #[cfg(ossl110)] pub const NID_hkdf: c_int = 1036; #[cfg(ossl111)] pub const NID_ED25519: c_int = 1087; +#[cfg(libressl370)] +pub const NID_ED25519: c_int = 952; #[cfg(ossl111)] pub const NID_ED448: c_int = 1088; #[cfg(ossl111)] diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index ca9e08b253..bec4bfdafc 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -47,7 +47,7 @@ use crate::dh::Dh; use crate::dsa::Dsa; use crate::ec::EcKey; use crate::error::ErrorStack; -#[cfg(any(ossl110, boringssl))] +#[cfg(any(ossl110, boringssl, libressl370))] use crate::pkey_ctx::PkeyCtx; use crate::rsa::Rsa; use crate::symm::Cipher; @@ -89,11 +89,11 @@ impl Id { #[cfg(ossl110)] pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub const ED25519: Id = Id(ffi::EVP_PKEY_ED25519); #[cfg(ossl111)] pub const ED448: Id = Id(ffi::EVP_PKEY_ED448); - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub const X25519: Id = Id(ffi::EVP_PKEY_X25519); #[cfg(ossl111)] pub const X448: Id = Id(ffi::EVP_PKEY_X448); @@ -252,7 +252,7 @@ where /// This function only works for algorithms that support raw public keys. /// Currently this is: [`Id::X25519`], [`Id::ED25519`], [`Id::X448`] or [`Id::ED448`]. #[corresponds(EVP_PKEY_get_raw_public_key)] - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn raw_public_key(&self) -> Result, ErrorStack> { unsafe { let mut len = 0; @@ -303,7 +303,7 @@ where /// This function only works for algorithms that support raw private keys. /// Currently this is: [`Id::HMAC`], [`Id::X25519`], [`Id::ED25519`], [`Id::X448`] or [`Id::ED448`]. #[corresponds(EVP_PKEY_get_raw_private_key)] - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn raw_private_key(&self) -> Result, ErrorStack> { unsafe { let mut len = 0; @@ -503,7 +503,7 @@ impl PKey { ctx.keygen() } - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] fn generate_eddsa(id: Id) -> Result, ErrorStack> { let mut ctx = PkeyCtx::new_id(id)?; ctx.keygen_init()?; @@ -533,7 +533,7 @@ impl PKey { /// assert_eq!(secret.len(), 32); /// # Ok(()) } /// ``` - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn generate_x25519() -> Result, ErrorStack> { PKey::generate_eddsa(Id::X25519) } @@ -587,7 +587,7 @@ impl PKey { /// assert_eq!(signature.len(), 64); /// # Ok(()) } /// ``` - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn generate_ed25519() -> Result, ErrorStack> { PKey::generate_eddsa(Id::ED25519) } @@ -737,7 +737,7 @@ impl PKey { /// /// Algorithm types that support raw private keys are HMAC, X25519, ED25519, X448 or ED448 #[corresponds(EVP_PKEY_new_raw_private_key)] - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn private_key_from_raw_bytes( bytes: &[u8], key_type: Id, @@ -778,7 +778,7 @@ impl PKey { /// /// Algorithm types that support raw public keys are X25519, ED25519, X448 or ED448 #[corresponds(EVP_PKEY_new_raw_public_key)] - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn public_key_from_raw_bytes( bytes: &[u8], key_type: Id, @@ -1084,7 +1084,7 @@ mod tests { assert_eq!(&g, dh_.generator()); } - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] fn test_raw_public_key(gen: fn() -> Result, ErrorStack>, key_type: Id) { // Generate a new key let key = gen().unwrap(); @@ -1100,7 +1100,7 @@ mod tests { ); } - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] fn test_raw_private_key(gen: fn() -> Result, ErrorStack>, key_type: Id) { // Generate a new key let key = gen().unwrap(); @@ -1116,25 +1116,25 @@ mod tests { ); } - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] #[test] fn test_raw_public_key_bytes() { test_raw_public_key(PKey::generate_x25519, Id::X25519); test_raw_public_key(PKey::generate_ed25519, Id::ED25519); - #[cfg(not(boringssl))] + #[cfg(all(not(boringssl), not(libressl370)))] test_raw_public_key(PKey::generate_x448, Id::X448); - #[cfg(not(boringssl))] + #[cfg(all(not(boringssl), not(libressl370)))] test_raw_public_key(PKey::generate_ed448, Id::ED448); } - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] #[test] fn test_raw_private_key_bytes() { test_raw_private_key(PKey::generate_x25519, Id::X25519); test_raw_private_key(PKey::generate_ed25519, Id::ED25519); - #[cfg(not(boringssl))] + #[cfg(all(not(boringssl), not(libressl370)))] test_raw_private_key(PKey::generate_x448, Id::X448); - #[cfg(not(boringssl))] + #[cfg(all(not(boringssl), not(libressl370)))] test_raw_private_key(PKey::generate_ed448, Id::ED448); } diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 1c13a625b3..406bb42e8f 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -290,7 +290,7 @@ impl<'a> Signer<'a> { self.len_intern() } - #[cfg(all(not(ossl111), not(boringssl)))] + #[cfg(all(not(ossl111), not(boringssl), not(libressl370)))] fn len_intern(&self) -> Result { unsafe { let mut len = 0; @@ -303,7 +303,7 @@ impl<'a> Signer<'a> { } } - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] fn len_intern(&self) -> Result { unsafe { let mut len = 0; @@ -360,7 +360,7 @@ impl<'a> Signer<'a> { /// OpenSSL documentation at [`EVP_DigestSign`]. /// /// [`EVP_DigestSign`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestSign.html - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn sign_oneshot( &mut self, sig_buf: &mut [u8], @@ -382,7 +382,7 @@ impl<'a> Signer<'a> { /// Returns the signature. /// /// This is a simple convenience wrapper over `len` and `sign_oneshot`. - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn sign_oneshot_to_vec(&mut self, data_buf: &[u8]) -> Result, ErrorStack> { let mut sig_buf = vec![0; self.len()?]; let len = self.sign_oneshot(&mut sig_buf, data_buf)?; @@ -596,7 +596,7 @@ impl<'a> Verifier<'a> { /// OpenSSL documentation at [`EVP_DigestVerify`]. /// /// [`EVP_DigestVerify`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestVerify.html - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn verify_oneshot(&mut self, signature: &[u8], buf: &[u8]) -> Result { unsafe { let r = ffi::EVP_DigestVerify( @@ -846,7 +846,7 @@ mod test { } #[test] - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] fn eddsa() { let key = PKey::generate_ed25519().unwrap(); From 4bc21b01fe2010c11444e0f5f72592bd7c5f38d5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 18 Mar 2023 21:39:29 -0400 Subject: [PATCH 141/341] Expose the raw library and reason codes on Error --- openssl/src/error.rs | 48 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 37 insertions(+), 11 deletions(-) diff --git a/openssl/src/error.rs b/openssl/src/error.rs index f9a7c54b8f..064d635234 100644 --- a/openssl/src/error.rs +++ b/openssl/src/error.rs @@ -198,11 +198,7 @@ impl Error { self.line, self.func.as_ref().map_or(ptr::null(), |s| s.as_ptr()), ); - ffi::ERR_set_error( - ffi::ERR_GET_LIB(self.code), - ffi::ERR_GET_REASON(self.code), - ptr::null(), - ); + ffi::ERR_set_error(self.library_code(), self.reason_code(), ptr::null()); } } @@ -214,9 +210,9 @@ impl Error { let line = self.line.try_into().unwrap(); unsafe { ffi::ERR_put_error( - ffi::ERR_GET_LIB(self.code), + self.library_code(), ffi::ERR_GET_FUNC(self.code), - ffi::ERR_GET_REASON(self.code), + self.reason_code(), self.file.as_ptr(), line, ); @@ -240,6 +236,15 @@ impl Error { } } + /// Returns the raw OpenSSL error constant for the library reporting the + /// error. + // On BoringSSL ERR_GET_{LIB,FUNC,REASON} are `unsafe`, but on + // OpenSSL/LibreSSL they're safe. + #[allow(unused_unsafe)] + pub fn library_code(&self) -> libc::c_int { + unsafe { ffi::ERR_GET_LIB(self.code) } + } + /// Returns the name of the function reporting the error. pub fn function(&self) -> Option> { self.func.as_ref().map(|s| s.as_str()) @@ -257,6 +262,14 @@ impl Error { } } + /// Returns the raw OpenSSL error constant for the reason for the error. + // On BoringSSL ERR_GET_{LIB,FUNC,REASON} are `unsafe`, but on + // OpenSSL/LibreSSL they're safe. + #[allow(unused_unsafe)] + pub fn reason_code(&self) -> libc::c_int { + unsafe { ffi::ERR_GET_REASON(self.code) } + } + /// Returns the name of the source file which encountered the error. pub fn file(&self) -> RetStr<'_> { self.file.as_str() @@ -304,7 +317,7 @@ impl fmt::Display for Error { write!(fmt, "error:{:08X}", self.code())?; match self.library() { Some(l) => write!(fmt, ":{}", l)?, - None => write!(fmt, ":lib({})", unsafe { ffi::ERR_GET_LIB(self.code()) })?, + None => write!(fmt, ":lib({})", self.library_code())?, } match self.function() { Some(f) => write!(fmt, ":{}", f)?, @@ -312,9 +325,7 @@ impl fmt::Display for Error { } match self.reason() { Some(r) => write!(fmt, ":{}", r)?, - None => write!(fmt, ":reason({})", unsafe { - ffi::ERR_GET_REASON(self.code()) - })?, + None => write!(fmt, ":reason({})", self.reason_code())?, } write!( fmt, @@ -387,3 +398,18 @@ cfg_if! { } } } + +#[cfg(test)] +mod tests { + use crate::nid::Nid; + + #[test] + fn test_error_library_code() { + let stack = Nid::create("not-an-oid", "invalid", "invalid").unwrap_err(); + let errors = stack.errors(); + #[cfg(not(boringssl))] + assert_eq!(errors[0].library_code(), ffi::ERR_LIB_ASN1); + #[cfg(boringssl)] + assert_eq!(errors[0].library_code(), ffi::ERR_LIB_OBJ as libc::c_int); + } +} From 286320cd0d0c4745b0f78f9ccbfc0ebaa0e46a6f Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 19 Mar 2023 19:39:09 -0400 Subject: [PATCH 142/341] bump libressl to 3.7.1 --- .github/workflows/ci.yml | 24 ++---------------------- openssl-sys/build/main.rs | 3 ++- 2 files changed, 4 insertions(+), 23 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4d2df5397b..16f873bd95 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -181,17 +181,7 @@ jobs: bindgen: true library: name: libressl - version: 3.5.3 - - target: x86_64-unknown-linux-gnu - bindgen: true - library: - name: libressl - version: 3.6.1 - - target: x86_64-unknown-linux-gnu - bindgen: true - library: - name: libressl - version: 3.7.0 + version: 3.7.1 - target: x86_64-unknown-linux-gnu bindgen: false library: @@ -201,17 +191,7 @@ jobs: bindgen: false library: name: libressl - version: 3.5.3 - - target: x86_64-unknown-linux-gnu - bindgen: false - library: - name: libressl - version: 3.6.1 - - target: x86_64-unknown-linux-gnu - bindgen: false - library: - name: libressl - version: 3.7.0 + version: 3.7.1 name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} runs-on: ubuntu-latest env: diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index c5a68a630a..3357518f55 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -294,6 +294,7 @@ See rust-openssl documentation for more information: (3, 6, 0) => ('3', '6', '0'), (3, 6, _) => ('3', '6', 'x'), (3, 7, 0) => ('3', '7', '0'), + (3, 7, 1) => ('3', '7', '1'), _ => version_error(), }; @@ -336,7 +337,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.7.0, but a different version of OpenSSL was found. The build is now aborting +through 3.7.1, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " From 803e245fa5721ac30a36888565f18c102567d877 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 19 Mar 2023 19:55:23 -0400 Subject: [PATCH 143/341] Release openssl-sys v0.9.82 --- openssl-sys/CHANGELOG.md | 10 +++++++++- openssl-sys/Cargo.toml | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 5a77e2f9f4..3cb0711817 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,13 @@ ## [Unreleased] +## [v0.9.82] - 2023-03-19 + +### Added + +* Added support for LibreSSL 3.7.1. +* Added support for X25519 and Ed25519 on LibreSSL and BoringSSL. + ## [v0.9.81] - 2023-03-14 ### Fixed @@ -392,7 +399,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.81..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.82..master +[v0.9.82]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.81...openssl-sys-v0.9.82 [v0.9.81]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.80...openssl-sys-v0.9.81 [v0.9.80]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.79...openssl-sys-v0.9.80 [v0.9.79]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.78...openssl-sys-v0.9.79 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 23e20109e7..ed3161c784 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.81" +version = "0.9.82" authors = [ "Alex Crichton ", "Steven Fackler ", From ead5e0a0aa27ce440285a5eefd04acc8488e56db Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 19 Mar 2023 19:57:55 -0400 Subject: [PATCH 144/341] Release openssl v0.10.47 --- openssl/CHANGELOG.md | 10 +++++++++- openssl/Cargo.toml | 4 ++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 6c0efdf616..7de74b8045 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,13 @@ ## [Unreleased] +## [v0.10.47] - 2023-03-19 + +### Added + +* Added support for X25519 and Ed25519 on LibreSSL and BoringSSL. +* Added `Error::library_code` and `Error::reason_code`. + ## [v0.10.46] - 2023-03-14 ### Fixed @@ -690,7 +697,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.46...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...master +[v0.10.47]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.46...openssl-v0.10.47 [v0.10.46]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.45...openssl-v0.10.46 [v0.10.45]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.44...openssl-v0.10.45 [v0.10.44]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.43...openssl-v0.10.44 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 42bc8fdcc4..158acff5a3 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.46" +version = "0.10.47" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.81", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.82", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 8f920041cc5e7da1863218d1cf264c27c7f6a9c5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 20 Mar 2023 20:38:57 -0400 Subject: [PATCH 145/341] Skip a test that hangs on OpenSSL 3.1.0 --- openssl/build.rs | 3 +++ openssl/src/error.rs | 3 +++ 2 files changed, 6 insertions(+) diff --git a/openssl/build.rs b/openssl/build.rs index 5cddce90c2..5441606b28 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -50,6 +50,9 @@ fn main() { if version >= 0x3_00_00_00_0 { println!("cargo:rustc-cfg=ossl300"); } + if version >= 0x3_01_00_00_0 { + println!("cargo:rustc-cfg=ossl310"); + } } if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { diff --git a/openssl/src/error.rs b/openssl/src/error.rs index 064d635234..e097ce6881 100644 --- a/openssl/src/error.rs +++ b/openssl/src/error.rs @@ -401,9 +401,12 @@ cfg_if! { #[cfg(test)] mod tests { + #[cfg(not(ossl310))] use crate::nid::Nid; #[test] + // Due to a bug in OpenSSL 3.1.0, this test can hang there. Skip for now. + #[cfg(not(ossl310))] fn test_error_library_code() { let stack = Nid::create("not-an-oid", "invalid", "invalid").unwrap_err(); let errors = stack.errors(); From 4ecaf691c889d03bb5699ef2fa1c01665e430593 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 20 Mar 2023 20:51:18 -0400 Subject: [PATCH 146/341] Fix LibreSSL version checking in openssl/ Previously it only did exact version matching -- different from how OpenSSL worked, and causing it to make many APIs exposed only on a single version of LibreSSL. This fixes that, and in the process identifies a bug in openssl-sys. --- openssl-sys/build/cfgs.rs | 3 +++ openssl/build.rs | 53 +++++++++++++++++++++++++++++++++++++-- 2 files changed, 54 insertions(+), 2 deletions(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index d925d90ad7..960515f00f 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -31,6 +31,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x2_09_01_00_0 { cfgs.push("libressl291"); } + if libressl_version >= 0x3_01_00_00_0 { + cfgs.push("libressl310"); + } if libressl_version >= 0x3_02_01_00_0 { cfgs.push("libressl321"); } diff --git a/openssl/build.rs b/openssl/build.rs index 5441606b28..0a974b33e6 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -16,8 +16,57 @@ fn main() { return; } - if let Ok(v) = env::var("DEP_OPENSSL_LIBRESSL_VERSION") { - println!("cargo:rustc-cfg=libressl{}", v); + if let Ok(v) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { + let version = u64::from_str_radix(&v, 16).unwrap(); + + if version >= 0x2_05_00_00_0 { + println!("cargo:rustc-cfg=libressl250"); + } + if version >= 0x2_05_01_00_0 { + println!("cargo:rustc-cfg=libressl251"); + } + if version >= 0x2_06_01_00_0 { + println!("cargo:rustc-cfg=libressl261"); + } + if version >= 0x2_07_00_00_0 { + println!("cargo:rustc-cfg=libressl270"); + } + if version >= 0x2_07_01_00_0 { + println!("cargo:rustc-cfg=libressl271"); + } + if version >= 0x2_07_03_00_0 { + println!("cargo:rustc-cfg=libressl273"); + } + if version >= 0x2_08_00_00_0 { + println!("cargo:rustc-cfg=libressl280"); + } + if version >= 0x2_09_01_00_0 { + println!("cargo:rustc-cfg=libressl291"); + } + if version >= 0x3_01_00_00_0 { + println!("cargo:rustc-cfg=libressl310"); + } + if version >= 0x3_02_01_00_0 { + println!("cargo:rustc-cfg=libressl321"); + } + if version >= 0x3_03_02_00_0 { + println!("cargo:rustc-cfg=libressl332"); + } + if version >= 0x3_04_00_00_0 { + println!("cargo:rustc-cfg=libressl340"); + } + if version >= 0x3_05_00_00_0 { + println!("cargo:rustc-cfg=libressl350"); + } + if version >= 0x3_06_00_00_0 { + println!("cargo:rustc-cfg=libressl360"); + } + if version >= 0x3_06_01_00_0 { + println!("cargo:rustc-cfg=libressl361"); + } + if version >= 0x3_07_00_00_0 { + println!("cargo:rustc-cfg=libressl370"); + } } if let Ok(vars) = env::var("DEP_OPENSSL_CONF") { From e5b6d97ed170f835b56440d79edcd46381a46ebc Mon Sep 17 00:00:00 2001 From: Samuel Moelius Date: Wed, 22 Mar 2023 20:21:07 -0400 Subject: [PATCH 147/341] Improve reliability of some tests --- openssl/src/ssl/test/mod.rs | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 1eb9fe4bad..03dc89e5c3 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -84,17 +84,21 @@ fn verify_trusted_with_set_cert() { #[test] fn verify_untrusted_callback_override_ok() { + static CALLED_BACK: AtomicBool = AtomicBool::new(false); + let server = Server::builder().build(); let mut client = server.client(); client .ctx() .set_verify_callback(SslVerifyMode::PEER, |_, x509| { + CALLED_BACK.store(true, Ordering::SeqCst); assert!(x509.current_cert().is_some()); true }); client.connect(); + assert!(CALLED_BACK.load(Ordering::SeqCst)); } #[test] @@ -113,6 +117,8 @@ fn verify_untrusted_callback_override_bad() { #[test] fn verify_trusted_callback_override_ok() { + static CALLED_BACK: AtomicBool = AtomicBool::new(false); + let server = Server::builder().build(); let mut client = server.client(); @@ -120,11 +126,13 @@ fn verify_trusted_callback_override_ok() { client .ctx() .set_verify_callback(SslVerifyMode::PEER, |_, x509| { + CALLED_BACK.store(true, Ordering::SeqCst); assert!(x509.current_cert().is_some()); true }); client.connect(); + assert!(CALLED_BACK.load(Ordering::SeqCst)); } #[test] @@ -144,21 +152,27 @@ fn verify_trusted_callback_override_bad() { #[test] fn verify_callback_load_certs() { + static CALLED_BACK: AtomicBool = AtomicBool::new(false); + let server = Server::builder().build(); let mut client = server.client(); client .ctx() .set_verify_callback(SslVerifyMode::PEER, |_, x509| { + CALLED_BACK.store(true, Ordering::SeqCst); assert!(x509.current_cert().is_some()); true }); client.connect(); + assert!(CALLED_BACK.load(Ordering::SeqCst)); } #[test] fn verify_trusted_get_error_ok() { + static CALLED_BACK: AtomicBool = AtomicBool::new(false); + let server = Server::builder().build(); let mut client = server.client(); @@ -166,11 +180,13 @@ fn verify_trusted_get_error_ok() { client .ctx() .set_verify_callback(SslVerifyMode::PEER, |_, x509| { + CALLED_BACK.store(true, Ordering::SeqCst); assert_eq!(x509.error(), X509VerifyResult::OK); true }); client.connect(); + assert!(CALLED_BACK.load(Ordering::SeqCst)); } #[test] @@ -469,8 +485,11 @@ fn test_alpn_server_select_none_fatal() { #[test] #[cfg(any(ossl102, libressl261))] fn test_alpn_server_select_none() { + static CALLED_BACK: AtomicBool = AtomicBool::new(false); + let mut server = Server::builder(); server.ctx().set_alpn_select_callback(|_, client| { + CALLED_BACK.store(true, Ordering::SeqCst); ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client).ok_or(ssl::AlpnError::NOACK) }); let server = server.build(); @@ -479,6 +498,7 @@ fn test_alpn_server_select_none() { client.ctx().set_alpn_protos(b"\x06http/2").unwrap(); let s = client.connect(); assert_eq!(None, s.ssl().selected_alpn_protocol()); + assert!(CALLED_BACK.load(Ordering::SeqCst)); } #[test] @@ -595,7 +615,7 @@ fn refcount_ssl_context() { { let new_ctx_a = SslContext::builder(SslMethod::tls()).unwrap().build(); - let _new_ctx_b = ssl.set_ssl_context(&new_ctx_a); + ssl.set_ssl_context(&new_ctx_a).unwrap(); } } @@ -731,7 +751,7 @@ fn connector_no_hostname_still_verifies() { } #[test] -fn connector_no_hostname_can_disable_verify() { +fn connector_can_disable_verify() { let server = Server::builder().build(); let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); @@ -742,8 +762,7 @@ fn connector_no_hostname_can_disable_verify() { let mut s = connector .configure() .unwrap() - .verify_hostname(false) - .connect("foobar.com", s) + .connect("fizzbuzz.com", s) .unwrap(); s.read_exact(&mut [0]).unwrap(); } From 482575bff434f58b80ffea34a9610d0ff265ac1f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 21 Mar 2023 20:20:26 -0400 Subject: [PATCH 148/341] Resolve an injection vulnerability in SAN creation --- openssl-sys/src/handwritten/x509.rs | 7 ++ openssl-sys/src/handwritten/x509v3.rs | 1 + openssl/src/x509/extension.rs | 69 ++++++++++++++------ openssl/src/x509/mod.rs | 94 ++++++++++++++++++++++++++- openssl/src/x509/tests.rs | 38 +++++++++++ 5 files changed, 185 insertions(+), 24 deletions(-) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 8762e5f98d..abda4110cf 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -550,6 +550,13 @@ extern "C" { pub fn X509_EXTENSION_get_object(ext: *mut X509_EXTENSION) -> *mut ASN1_OBJECT; pub fn X509_EXTENSION_get_data(ext: *mut X509_EXTENSION) -> *mut ASN1_OCTET_STRING; } + +const_ptr_api! { + extern "C" { + pub fn i2d_X509_EXTENSION(ext: #[const_ptr_if(ossl300)] X509_EXTENSION, pp: *mut *mut c_uchar) -> c_int; + } +} + const_ptr_api! { extern "C" { // in X509 diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index d0923e32b2..4f661ca5ec 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -4,6 +4,7 @@ use libc::*; pub enum CONF_METHOD {} extern "C" { + pub fn GENERAL_NAME_new() -> *mut GENERAL_NAME; pub fn GENERAL_NAME_free(name: *mut GENERAL_NAME); } diff --git a/openssl/src/x509/extension.rs b/openssl/src/x509/extension.rs index ebbea1c885..21d8faac35 100644 --- a/openssl/src/x509/extension.rs +++ b/openssl/src/x509/extension.rs @@ -20,7 +20,8 @@ use std::fmt::Write; use crate::error::ErrorStack; use crate::nid::Nid; -use crate::x509::{X509Extension, X509v3Context}; +use crate::x509::{Asn1Object, GeneralName, Stack, X509Extension, X509v3Context}; +use foreign_types::ForeignType; /// An extension which indicates whether a certificate is a CA certificate. pub struct BasicConstraints { @@ -463,11 +464,19 @@ impl AuthorityKeyIdentifier { } } +enum RustGeneralName { + Dns(String), + Email(String), + Uri(String), + Ip(String), + Rid(String), +} + /// An extension that allows additional identities to be bound to the subject /// of the certificate. pub struct SubjectAlternativeName { critical: bool, - names: Vec, + items: Vec, } impl Default for SubjectAlternativeName { @@ -481,7 +490,7 @@ impl SubjectAlternativeName { pub fn new() -> SubjectAlternativeName { SubjectAlternativeName { critical: false, - names: vec![], + items: vec![], } } @@ -493,55 +502,73 @@ impl SubjectAlternativeName { /// Sets the `email` flag. pub fn email(&mut self, email: &str) -> &mut SubjectAlternativeName { - self.names.push(format!("email:{}", email)); + self.items.push(RustGeneralName::Email(email.to_string())); self } /// Sets the `uri` flag. pub fn uri(&mut self, uri: &str) -> &mut SubjectAlternativeName { - self.names.push(format!("URI:{}", uri)); + self.items.push(RustGeneralName::Uri(uri.to_string())); self } /// Sets the `dns` flag. pub fn dns(&mut self, dns: &str) -> &mut SubjectAlternativeName { - self.names.push(format!("DNS:{}", dns)); + self.items.push(RustGeneralName::Dns(dns.to_string())); self } /// Sets the `rid` flag. pub fn rid(&mut self, rid: &str) -> &mut SubjectAlternativeName { - self.names.push(format!("RID:{}", rid)); + self.items.push(RustGeneralName::Rid(rid.to_string())); self } /// Sets the `ip` flag. pub fn ip(&mut self, ip: &str) -> &mut SubjectAlternativeName { - self.names.push(format!("IP:{}", ip)); + self.items.push(RustGeneralName::Ip(ip.to_string())); self } /// Sets the `dirName` flag. - pub fn dir_name(&mut self, dir_name: &str) -> &mut SubjectAlternativeName { - self.names.push(format!("dirName:{}", dir_name)); - self + /// + /// Not currently actually supported, always panics. + #[deprecated = "dir_name is deprecated and always panics. Please file a bug if you have a use case for this."] + pub fn dir_name(&mut self, _dir_name: &str) -> &mut SubjectAlternativeName { + unimplemented!( + "This has not yet been adapted for the new internals. File a bug if you need this." + ); } /// Sets the `otherName` flag. - pub fn other_name(&mut self, other_name: &str) -> &mut SubjectAlternativeName { - self.names.push(format!("otherName:{}", other_name)); - self + /// + /// Not currently actually supported, always panics. + #[deprecated = "other_name is deprecated and always panics. Please file a bug if you have a use case for this."] + pub fn other_name(&mut self, _other_name: &str) -> &mut SubjectAlternativeName { + unimplemented!( + "This has not yet been adapted for the new internals. File a bug if you need this." + ); } /// Return a `SubjectAlternativeName` extension as an `X509Extension`. - pub fn build(&self, ctx: &X509v3Context<'_>) -> Result { - let mut value = String::new(); - let mut first = true; - append(&mut value, &mut first, self.critical, "critical"); - for name in &self.names { - append(&mut value, &mut first, true, name); + pub fn build(&self, _ctx: &X509v3Context<'_>) -> Result { + let mut stack = Stack::new()?; + for item in &self.items { + let gn = match item { + RustGeneralName::Dns(s) => GeneralName::new_dns(s.as_bytes())?, + RustGeneralName::Email(s) => GeneralName::new_email(s.as_bytes())?, + RustGeneralName::Uri(s) => GeneralName::new_uri(s.as_bytes())?, + RustGeneralName::Ip(s) => { + GeneralName::new_ip(s.parse().map_err(|_| ErrorStack::get())?)? + } + RustGeneralName::Rid(s) => GeneralName::new_rid(Asn1Object::from_str(s)?)?, + }; + stack.push(gn)?; + } + + unsafe { + X509Extension::new_internal(Nid::SUBJECT_ALT_NAME, self.critical, stack.as_ptr().cast()) } - X509Extension::new_nid(None, Some(ctx), Nid::SUBJECT_ALT_NAME, &value) } } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 4f08bbc667..3d8f236fd5 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -9,9 +9,9 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef, Opaque}; -use libc::{c_int, c_long, c_uint}; +use libc::{c_int, c_long, c_uint, c_void}; use std::cmp::{self, Ordering}; -use std::convert::TryFrom; +use std::convert::{TryFrom, TryInto}; use std::error::Error; use std::ffi::{CStr, CString}; use std::fmt; @@ -24,7 +24,8 @@ use std::slice; use std::str; use crate::asn1::{ - Asn1BitStringRef, Asn1IntegerRef, Asn1ObjectRef, Asn1StringRef, Asn1TimeRef, Asn1Type, + Asn1BitStringRef, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, Asn1StringRef, Asn1TimeRef, + Asn1Type, }; use crate::bio::MemBioSlice; use crate::conf::ConfRef; @@ -851,6 +852,15 @@ impl X509Extension { } } + pub(crate) unsafe fn new_internal( + nid: Nid, + critical: bool, + value: *mut c_void, + ) -> Result { + ffi::init(); + cvt_p(ffi::X509V3_EXT_i2d(nid.as_raw(), critical as _, value)).map(X509Extension) + } + /// Adds an alias for an extension /// /// # Safety @@ -863,6 +873,15 @@ impl X509Extension { } } +impl X509ExtensionRef { + to_der! { + /// Serializes the Extension to its standard DER encoding. + #[corresponds(i2d_X509_EXTENSION)] + to_der, + ffi::i2d_X509_EXTENSION + } +} + /// A builder used to construct an `X509Name`. pub struct X509NameBuilder(X509Name); @@ -1715,6 +1734,75 @@ foreign_type_and_impl_send_sync! { pub struct GeneralNameRef; } +impl GeneralName { + unsafe fn new( + type_: c_int, + asn1_type: Asn1Type, + value: &[u8], + ) -> Result { + ffi::init(); + let gn = GeneralName::from_ptr(cvt_p(ffi::GENERAL_NAME_new())?); + (*gn.as_ptr()).type_ = type_; + let s = cvt_p(ffi::ASN1_STRING_type_new(asn1_type.as_raw()))?; + ffi::ASN1_STRING_set(s, value.as_ptr().cast(), value.len().try_into().unwrap()); + + #[cfg(boringssl)] + { + (*gn.as_ptr()).d.ptr = s.cast(); + } + #[cfg(not(boringssl))] + { + (*gn.as_ptr()).d = s.cast(); + } + + Ok(gn) + } + + pub(crate) fn new_email(email: &[u8]) -> Result { + unsafe { GeneralName::new(ffi::GEN_EMAIL, Asn1Type::IA5STRING, email) } + } + + pub(crate) fn new_dns(dns: &[u8]) -> Result { + unsafe { GeneralName::new(ffi::GEN_DNS, Asn1Type::IA5STRING, dns) } + } + + pub(crate) fn new_uri(uri: &[u8]) -> Result { + unsafe { GeneralName::new(ffi::GEN_URI, Asn1Type::IA5STRING, uri) } + } + + pub(crate) fn new_ip(ip: IpAddr) -> Result { + match ip { + IpAddr::V4(addr) => unsafe { + GeneralName::new(ffi::GEN_IPADD, Asn1Type::OCTET_STRING, &addr.octets()) + }, + IpAddr::V6(addr) => unsafe { + GeneralName::new(ffi::GEN_IPADD, Asn1Type::OCTET_STRING, &addr.octets()) + }, + } + } + + pub(crate) fn new_rid(oid: Asn1Object) -> Result { + unsafe { + ffi::init(); + let gn = cvt_p(ffi::GENERAL_NAME_new())?; + (*gn).type_ = ffi::GEN_RID; + + #[cfg(boringssl)] + { + (*gn).d.registeredID = oid.as_ptr(); + } + #[cfg(not(boringssl))] + { + (*gn).d = oid.as_ptr().cast(); + } + + mem::forget(oid); + + Ok(GeneralName::from_ptr(gn)) + } + } +} + impl GeneralNameRef { fn ia5_string(&self, ffi_type: c_int) -> Option<&str> { unsafe { diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 5c563a2192..41a9bc4d61 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -287,6 +287,44 @@ fn x509_builder() { assert_eq!(serial, x509.serial_number().to_bn().unwrap()); } +#[test] +fn x509_extension_to_der() { + let builder = X509::builder().unwrap(); + + for (ext, expected) in [ + ( + BasicConstraints::new().critical().ca().build().unwrap(), + b"0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff" as &[u8], + ), + ( + SubjectAlternativeName::new() + .dns("example.com,DNS:example2.com") + .build(&builder.x509v3_context(None, None)) + .unwrap(), + b"0'\x06\x03U\x1d\x11\x04 0\x1e\x82\x1cexample.com,DNS:example2.com", + ), + ( + SubjectAlternativeName::new() + .rid("1.2.3.4") + .uri("https://example.com") + .build(&builder.x509v3_context(None, None)) + .unwrap(), + b"0#\x06\x03U\x1d\x11\x04\x1c0\x1a\x88\x03*\x03\x04\x86\x13https://example.com", + ), + ( + ExtendedKeyUsage::new() + .server_auth() + .other("2.999.1") + .other("clientAuth") + .build() + .unwrap(), + b"0\x22\x06\x03U\x1d%\x04\x1b0\x19\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x03\x887\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x02", + ), + ] { + assert_eq!(&ext.to_der().unwrap(), expected); + } +} + #[test] fn x509_req_builder() { let pkey = pkey(); From 332311b597cc444a10d4acaf122ee58bd1bc8ff8 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 21 Mar 2023 20:31:02 -0400 Subject: [PATCH 149/341] Resolve an injection vulnerability in EKU creation --- openssl/src/asn1.rs | 5 ++ openssl/src/x509/extension.rs | 92 +++++++++-------------------------- openssl/src/x509/tests.rs | 8 +++ 3 files changed, 35 insertions(+), 70 deletions(-) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 55de049c08..c0178c7e65 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -39,6 +39,7 @@ use crate::bio::MemBio; use crate::bn::{BigNum, BigNumRef}; use crate::error::ErrorStack; use crate::nid::Nid; +use crate::stack::Stackable; use crate::string::OpensslString; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; @@ -592,6 +593,10 @@ foreign_type_and_impl_send_sync! { pub struct Asn1ObjectRef; } +impl Stackable for Asn1Object { + type StackType = ffi::stack_st_ASN1_OBJECT; +} + impl Asn1Object { /// Constructs an ASN.1 Object Identifier from a string representation of the OID. #[corresponds(OBJ_txt2obj)] diff --git a/openssl/src/x509/extension.rs b/openssl/src/x509/extension.rs index 21d8faac35..f04d227960 100644 --- a/openssl/src/x509/extension.rs +++ b/openssl/src/x509/extension.rs @@ -18,9 +18,10 @@ //! ``` use std::fmt::Write; +use crate::asn1::Asn1Object; use crate::error::ErrorStack; use crate::nid::Nid; -use crate::x509::{Asn1Object, GeneralName, Stack, X509Extension, X509v3Context}; +use crate::x509::{GeneralName, Stack, X509Extension, X509v3Context}; use foreign_types::ForeignType; /// An extension which indicates whether a certificate is a CA certificate. @@ -223,18 +224,7 @@ impl KeyUsage { /// for which the certificate public key can be used for. pub struct ExtendedKeyUsage { critical: bool, - server_auth: bool, - client_auth: bool, - code_signing: bool, - email_protection: bool, - time_stamping: bool, - ms_code_ind: bool, - ms_code_com: bool, - ms_ctl_sign: bool, - ms_sgc: bool, - ms_efs: bool, - ns_sgc: bool, - other: Vec, + items: Vec, } impl Default for ExtendedKeyUsage { @@ -248,18 +238,7 @@ impl ExtendedKeyUsage { pub fn new() -> ExtendedKeyUsage { ExtendedKeyUsage { critical: false, - server_auth: false, - client_auth: false, - code_signing: false, - email_protection: false, - time_stamping: false, - ms_code_ind: false, - ms_code_com: false, - ms_ctl_sign: false, - ms_sgc: false, - ms_efs: false, - ns_sgc: false, - other: vec![], + items: vec![], } } @@ -271,101 +250,74 @@ impl ExtendedKeyUsage { /// Sets the `serverAuth` flag to `true`. pub fn server_auth(&mut self) -> &mut ExtendedKeyUsage { - self.server_auth = true; - self + self.other("serverAuth") } /// Sets the `clientAuth` flag to `true`. pub fn client_auth(&mut self) -> &mut ExtendedKeyUsage { - self.client_auth = true; - self + self.other("clientAuth") } /// Sets the `codeSigning` flag to `true`. pub fn code_signing(&mut self) -> &mut ExtendedKeyUsage { - self.code_signing = true; - self + self.other("codeSigning") } /// Sets the `emailProtection` flag to `true`. pub fn email_protection(&mut self) -> &mut ExtendedKeyUsage { - self.email_protection = true; - self + self.other("emailProtection") } /// Sets the `timeStamping` flag to `true`. pub fn time_stamping(&mut self) -> &mut ExtendedKeyUsage { - self.time_stamping = true; - self + self.other("timeStamping") } /// Sets the `msCodeInd` flag to `true`. pub fn ms_code_ind(&mut self) -> &mut ExtendedKeyUsage { - self.ms_code_ind = true; - self + self.other("msCodeInd") } /// Sets the `msCodeCom` flag to `true`. pub fn ms_code_com(&mut self) -> &mut ExtendedKeyUsage { - self.ms_code_com = true; - self + self.other("msCodeCom") } /// Sets the `msCTLSign` flag to `true`. pub fn ms_ctl_sign(&mut self) -> &mut ExtendedKeyUsage { - self.ms_ctl_sign = true; - self + self.other("msCTLSign") } /// Sets the `msSGC` flag to `true`. pub fn ms_sgc(&mut self) -> &mut ExtendedKeyUsage { - self.ms_sgc = true; - self + self.other("msSGC") } /// Sets the `msEFS` flag to `true`. pub fn ms_efs(&mut self) -> &mut ExtendedKeyUsage { - self.ms_efs = true; - self + self.other("msEFS") } /// Sets the `nsSGC` flag to `true`. pub fn ns_sgc(&mut self) -> &mut ExtendedKeyUsage { - self.ns_sgc = true; - self + self.other("nsSGC") } /// Sets a flag not already defined. pub fn other(&mut self, other: &str) -> &mut ExtendedKeyUsage { - self.other.push(other.to_owned()); + self.items.push(other.to_string()); self } /// Return the `ExtendedKeyUsage` extension as an `X509Extension`. pub fn build(&self) -> Result { - let mut value = String::new(); - let mut first = true; - append(&mut value, &mut first, self.critical, "critical"); - append(&mut value, &mut first, self.server_auth, "serverAuth"); - append(&mut value, &mut first, self.client_auth, "clientAuth"); - append(&mut value, &mut first, self.code_signing, "codeSigning"); - append( - &mut value, - &mut first, - self.email_protection, - "emailProtection", - ); - append(&mut value, &mut first, self.time_stamping, "timeStamping"); - append(&mut value, &mut first, self.ms_code_ind, "msCodeInd"); - append(&mut value, &mut first, self.ms_code_com, "msCodeCom"); - append(&mut value, &mut first, self.ms_ctl_sign, "msCTLSign"); - append(&mut value, &mut first, self.ms_sgc, "msSGC"); - append(&mut value, &mut first, self.ms_efs, "msEFS"); - append(&mut value, &mut first, self.ns_sgc, "nsSGC"); - for other in &self.other { - append(&mut value, &mut first, true, other); + let mut stack = Stack::new()?; + for item in &self.items { + stack.push(Asn1Object::from_str(item)?)?; + } + unsafe { + X509Extension::new_internal(Nid::EXT_KEY_USAGE, self.critical, stack.as_ptr().cast()) } - X509Extension::new_nid(None, None, Nid::EXT_KEY_USAGE, &value) } } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 41a9bc4d61..91fd36790c 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -325,6 +325,14 @@ fn x509_extension_to_der() { } } +#[test] +fn eku_invalid_other() { + assert!(ExtendedKeyUsage::new() + .other("1.1.1.1.1,2.2.2.2.2") + .build() + .is_err()); +} + #[test] fn x509_req_builder() { let pkey = pkey(); From 78aa9aa22cfd58ac33d1e19184cec667438fd2a1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 21 Mar 2023 20:44:15 -0400 Subject: [PATCH 150/341] Always provide an X509V3Context in X509Extension::new because OpenSSL requires it for some extensions (and segfaults without) --- openssl/src/x509/mod.rs | 40 +++++++++++++++++++++++++++++++++++---- openssl/src/x509/tests.rs | 10 +++++++++- 2 files changed, 45 insertions(+), 5 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 3d8f236fd5..60df75ae72 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -816,14 +816,30 @@ impl X509Extension { ) -> Result { let name = CString::new(name).unwrap(); let value = CString::new(value).unwrap(); + let mut ctx; unsafe { ffi::init(); let conf = conf.map_or(ptr::null_mut(), ConfRef::as_ptr); - let context = context.map_or(ptr::null_mut(), X509v3Context::as_ptr); + let context_ptr = match context { + Some(c) => c.as_ptr(), + None => { + ctx = mem::zeroed(); + + ffi::X509V3_set_ctx( + &mut ctx, + ptr::null_mut(), + ptr::null_mut(), + ptr::null_mut(), + ptr::null_mut(), + 0, + ); + &mut ctx + } + }; let name = name.as_ptr() as *mut _; let value = value.as_ptr() as *mut _; - cvt_p(ffi::X509V3_EXT_nconf(conf, context, name, value)).map(X509Extension) + cvt_p(ffi::X509V3_EXT_nconf(conf, context_ptr, name, value)).map(X509Extension) } } @@ -841,14 +857,30 @@ impl X509Extension { value: &str, ) -> Result { let value = CString::new(value).unwrap(); + let mut ctx; unsafe { ffi::init(); let conf = conf.map_or(ptr::null_mut(), ConfRef::as_ptr); - let context = context.map_or(ptr::null_mut(), X509v3Context::as_ptr); + let context_ptr = match context { + Some(c) => c.as_ptr(), + None => { + ctx = mem::zeroed(); + + ffi::X509V3_set_ctx( + &mut ctx, + ptr::null_mut(), + ptr::null_mut(), + ptr::null_mut(), + ptr::null_mut(), + 0, + ); + &mut ctx + } + }; let name = name.as_raw(); let value = value.as_ptr() as *mut _; - cvt_p(ffi::X509V3_EXT_nconf_nid(conf, context, name, value)).map(X509Extension) + cvt_p(ffi::X509V3_EXT_nconf_nid(conf, context_ptr, name, value)).map(X509Extension) } } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 91fd36790c..57734f2665 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -25,7 +25,7 @@ use crate::x509::X509PurposeId; #[cfg(any(ossl102, libressl261))] use crate::x509::X509PurposeRef; use crate::x509::{ - CrlStatus, X509Crl, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509, + CrlStatus, X509Crl, X509Extension, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509, }; use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] @@ -287,6 +287,14 @@ fn x509_builder() { assert_eq!(serial, x509.serial_number().to_bn().unwrap()); } +#[test] +fn x509_extension_new() { + assert!(X509Extension::new(None, None, "crlDistributionPoints", "section").is_err()); + assert!(X509Extension::new(None, None, "proxyCertInfo", "").is_err()); + assert!(X509Extension::new(None, None, "certificatePolicies", "").is_err()); + assert!(X509Extension::new(None, None, "subjectAltName", "dirName:section").is_err()); +} + #[test] fn x509_extension_to_der() { let builder = X509::builder().unwrap(); From a7528056c5be6f3fbabc52c2fd02882b208d5939 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 21 Mar 2023 20:45:35 -0400 Subject: [PATCH 151/341] Document the horror show --- openssl/src/x509/mod.rs | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 60df75ae72..bb55cada02 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -807,6 +807,9 @@ impl X509Extension { /// Some extension types, such as `subjectAlternativeName`, require an `X509v3Context` to be /// provided. /// + /// DO NOT CALL THIS WITH UNTRUSTED `value`: `value` is an OpenSSL + /// mini-language that can read arbitrary files. + /// /// See the extension module for builder types which will construct certain common extensions. pub fn new( conf: Option<&ConfRef>, @@ -849,6 +852,9 @@ impl X509Extension { /// Some extension types, such as `nid::SUBJECT_ALTERNATIVE_NAME`, require an `X509v3Context` to /// be provided. /// + /// DO NOT CALL THIS WITH UNTRUSTED `value`: `value` is an OpenSSL + /// mini-language that can read arbitrary files. + /// /// See the extension module for builder types which will construct certain common extensions. pub fn new_nid( conf: Option<&ConfRef>, From 6ced4f305e44df7ca32e478621bf4840b122f1a3 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 21 Mar 2023 20:49:48 -0400 Subject: [PATCH 152/341] Fix race condition with X509Name creation --- openssl/src/x509/mod.rs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index bb55cada02..5b55918750 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1045,7 +1045,10 @@ impl X509NameBuilder { /// Return an `X509Name`. pub fn build(self) -> X509Name { - self.0 + // Round-trip through bytes because OpenSSL is not const correct and + // names in a "modified" state compute various things lazily. This can + // lead to data-races because OpenSSL doesn't have locks or anything. + X509Name::from_der(&self.0.to_der().unwrap()).unwrap() } } From 4ff734fe4c5a22f7346b7b3c47ece4c4c1c01817 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 23 Mar 2023 21:46:58 -0400 Subject: [PATCH 153/341] Release openssl v0.10.48 and openssl-sys v0.9.83 (#1855) --- openssl-sys/CHANGELOG.md | 14 +++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 13 ++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 28 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 3cb0711817..8587ad2262 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,17 @@ ## [Unreleased] +## [v0.9.83] - 2023-03-23 + +### Fixed + +* Fixed version checks for LibreSSL. + +### Added + +* Added `i2d_X509_EXTENSION`. +* Added `GENERAL_NAME_new`. + ## [v0.9.82] - 2023-03-19 ### Added @@ -399,7 +410,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.82..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.83..master +[v0.9.83]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.82...openssl-sys-v0.9.83 [v0.9.82]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.81...openssl-sys-v0.9.82 [v0.9.81]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.80...openssl-sys-v0.9.81 [v0.9.80]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.79...openssl-sys-v0.9.80 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index ed3161c784..ad7582ad05 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.82" +version = "0.9.83" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 7de74b8045..c6d9b303cd 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,16 @@ ## [Unreleased] +## [v0.10.48] - 2023-03-23 + +### Fixed + +* Fixed injection vulnerabilities where OpenSSL's configuration mini-language could be used via `x509::extension::SubjectAlternativeName` and `x509::extension::ExtendedKeyUsage`. The mini-language can read arbitrary files amongst other things. + * As part of fixing this `SubjectAlternativeName::dir_name` and `SubjectAlternativeName::other_name` are deprecated and their implementations always `panic!`. If you have a use case for these, please file an issue. +* Fixed several NULL pointer dereferences in OpenSSL that could be triggered via `x509::X509Extension::new` and `x509::X509Extension::new_nid`. Note that these methods still accept OpenSSL's configuration mini-language, and therefore should not be used with untrusted data. +* Fixed a data-race with `x509::X509Name` that are created with `x509::X509NameBuilder` and then used concurrently. +* Fixed LibreSSL version checking. More functions should now be correctly available on LibreSSL. + ## [v0.10.47] - 2023-03-19 ### Added @@ -697,7 +707,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.48...master +[v0.10.48]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...openssl-v0.10.48 [v0.10.47]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.46...openssl-v0.10.47 [v0.10.46]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.45...openssl-v0.10.46 [v0.10.45]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.44...openssl-v0.10.45 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 158acff5a3..e49bd9163e 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.47" +version = "0.10.48" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.82", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.83", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 8f3da5efcdfdb913aa01711b4ad117f5f65ceb7a Mon Sep 17 00:00:00 2001 From: Konrad Borowski Date: Sat, 25 Mar 2023 17:38:28 +0100 Subject: [PATCH 154/341] Bump syn dep to 2 --- openssl-macros/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-macros/Cargo.toml b/openssl-macros/Cargo.toml index d55f2267d8..cc85815ade 100644 --- a/openssl-macros/Cargo.toml +++ b/openssl-macros/Cargo.toml @@ -11,4 +11,4 @@ proc-macro = true [dependencies] proc-macro2 = "1" quote = "1" -syn = { version = "1", features = ["full"] } +syn = { version = "2", features = ["full"] } From 7632ba6e56812f8a56410730c439bbd83b10783c Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Fri, 17 Mar 2023 18:19:28 +0000 Subject: [PATCH 155/341] Add issuer_name and reason_code to X509RevokedRef --- openssl-sys/src/handwritten/asn1.rs | 4 ++ openssl-sys/src/handwritten/types.rs | 1 + openssl-sys/src/x509v3.rs | 11 ++++ openssl/src/asn1.rs | 26 ++++++++ openssl/src/x509/mod.rs | 93 +++++++++++++++++++++++++++- 5 files changed, 133 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index 7163a69d5e..f1bcc73f34 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -51,6 +51,10 @@ extern "C" { pub fn ASN1_TIME_set_string(s: *mut ASN1_TIME, str: *const c_char) -> c_int; #[cfg(ossl111)] pub fn ASN1_TIME_set_string_X509(s: *mut ASN1_TIME, str: *const c_char) -> c_int; + + pub fn ASN1_ENUMERATED_free(a: *mut ASN1_ENUMERATED); + #[cfg(ossl110)] + pub fn ASN1_ENUMERATED_get_int64(pr: *mut i64, a: *const ASN1_ENUMERATED) -> c_int; } const_ptr_api! { diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index b229a37597..3351ceabc4 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -4,6 +4,7 @@ use libc::*; use super::super::*; pub enum ASN1_INTEGER {} +pub enum ASN1_ENUMERATED {} pub enum ASN1_GENERALIZEDTIME {} pub enum ASN1_STRING {} pub enum ASN1_BIT_STRING {} diff --git a/openssl-sys/src/x509v3.rs b/openssl-sys/src/x509v3.rs index 5ae4439083..d2ff53489e 100644 --- a/openssl-sys/src/x509v3.rs +++ b/openssl-sys/src/x509v3.rs @@ -91,3 +91,14 @@ pub const X509_PURPOSE_OCSP_HELPER: c_int = 8; pub const X509_PURPOSE_TIMESTAMP_SIGN: c_int = 9; pub const X509_PURPOSE_MIN: c_int = 1; pub const X509_PURPOSE_MAX: c_int = 9; + +pub const CRL_REASON_UNSPECIFIED: c_int = 0; +pub const CRL_REASON_KEY_COMPROMISE: c_int = 1; +pub const CRL_REASON_CA_COMPROMISE: c_int = 2; +pub const CRL_REASON_AFFILIATION_CHANGED: c_int = 3; +pub const CRL_REASON_SUPERSEDED: c_int = 4; +pub const CRL_REASON_CESSATION_OF_OPERATION: c_int = 5; +pub const CRL_REASON_CERTIFICATE_HOLD: c_int = 6; +pub const CRL_REASON_REMOVE_FROM_CRL: c_int = 8; +pub const CRL_REASON_PRIVILEGE_WITHDRAWN: c_int = 9; +pub const CRL_REASON_AA_COMPROMISE: c_int = 10; diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index c0178c7e65..db752ad9f1 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -666,6 +666,32 @@ cfg_if! { } } +foreign_type_and_impl_send_sync! { + type CType = ffi::ASN1_ENUMERATED; + fn drop = ffi::ASN1_ENUMERATED_free; + + /// An ASN.1 enumerated. + pub struct Asn1Enumerated; + /// A reference to an [`Asn1Enumerated`]. + pub struct Asn1EnumeratedRef; +} + +impl Asn1EnumeratedRef { + /// Get the value, if it fits in the required bounds. + #[corresponds(ASN1_ENUMERATED_get)] + #[cfg(ossl110)] + pub fn get_i64(&self) -> Result { + let mut crl_reason = 0; + unsafe { + cvt(ffi::ASN1_ENUMERATED_get_int64( + &mut crl_reason, + self.as_ptr(), + ))?; + } + Ok(crl_reason) + } +} + #[cfg(test)] mod tests { use super::*; diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 5b55918750..e628e64a6d 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -24,8 +24,8 @@ use std::slice; use std::str; use crate::asn1::{ - Asn1BitStringRef, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, Asn1StringRef, Asn1TimeRef, - Asn1Type, + Asn1BitStringRef, Asn1Enumerated, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, Asn1StringRef, + Asn1TimeRef, Asn1Type, }; use crate::bio::MemBioSlice; use crate::conf::ConfRef; @@ -1481,6 +1481,37 @@ impl X509ReqRef { } } +/// The reason that a certificate was revoked. +#[derive(Debug, Copy, Clone, PartialEq, Eq)] +pub struct CrlReason(i64); + +#[allow(missing_docs)] // no need to document the constants +impl CrlReason { + pub const UNSPECIFIED: CrlReason = CrlReason(ffi::CRL_REASON_UNSPECIFIED as i64); + pub const KEY_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_KEY_COMPROMISE as i64); + pub const CA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_CA_COMPROMISE as i64); + pub const AFFILIATION_CHANGED: CrlReason = + CrlReason(ffi::CRL_REASON_AFFILIATION_CHANGED as i64); + pub const SUPERSEDED: CrlReason = CrlReason(ffi::CRL_REASON_SUPERSEDED as i64); + pub const CESSATION_OF_OPERATION: CrlReason = + CrlReason(ffi::CRL_REASON_CESSATION_OF_OPERATION as i64); + pub const CERTIFICATE_HOLD: CrlReason = CrlReason(ffi::CRL_REASON_CERTIFICATE_HOLD as i64); + pub const REMOVE_FROM_CRL: CrlReason = CrlReason(ffi::CRL_REASON_REMOVE_FROM_CRL as i64); + pub const PRIVILEGE_WITHDRAWN: CrlReason = + CrlReason(ffi::CRL_REASON_PRIVILEGE_WITHDRAWN as i64); + pub const AA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_AA_COMPROMISE as i64); + + /// Constructs an `CrlReason` from a raw OpenSSL value. + pub fn from_raw(value: i64) -> Self { + CrlReason(value) + } + + /// Returns the raw OpenSSL value represented by this type. + pub fn as_raw(&self) -> i64 { + self.0 + } +} + foreign_type_and_impl_send_sync! { type CType = ffi::X509_REVOKED; fn drop = ffi::X509_REVOKED_free; @@ -1513,6 +1544,13 @@ impl X509RevokedRef { ffi::i2d_X509_REVOKED } + /// Copies the entry to a new `X509Revoked`. + #[corresponds(X509_NAME_dup)] + #[cfg(any(boringssl, ossl110, libressl270))] + pub fn to_owned(&self) -> Result { + unsafe { cvt_p(ffi::X509_REVOKED_dup(self.as_ptr())).map(|n| X509Revoked::from_ptr(n)) } + } + /// Get the date that the certificate was revoked #[corresponds(X509_REVOKED_get0_revocationDate)] pub fn revocation_date(&self) -> &Asn1TimeRef { @@ -1532,6 +1570,46 @@ impl X509RevokedRef { Asn1IntegerRef::from_ptr(r as *mut _) } } + + /// Get the issuer name of the revoked certificate + #[corresponds(X509_REVOKED_get_ext_d2i)] + pub fn issuer_name(&self) -> Option> { + // SAFETY: self.as_ptr() is a valid pointer to an X509_REVOKED. + unsafe { + let issuer_names = ffi::X509_REVOKED_get_ext_d2i( + self.as_ptr() as *const _, + // NID_certificate_issuer is a X509_REVOKED extension that + // returns a GENERAL_NAMES, which is a Stack + ffi::NID_certificate_issuer, + // Only one instance of the extension is permissable + ptr::null_mut(), + // Don't care if the extension is critical + ptr::null_mut(), + ); + Stack::from_ptr_opt(issuer_names as *mut _) + } + } + + /// Get the reason that the certificate was revoked + #[corresponds(X509_REVOKED_get_ext_d2i)] + #[cfg(ossl110)] + pub fn reason_code(&self) -> Option> { + let reason_code = unsafe { + // The return value may be NULL if the extension wasn't found or + // there were multiple, and we require only one. + Asn1Enumerated::from_ptr_opt(ffi::X509_REVOKED_get_ext_d2i( + // self.as_ptr() is a valid pointer to a X509_REVOKED + self.as_ptr() as *const _, + // NID_crl_reason is an X509_REVOKED extension that is an ASN1_ENUMERATED + ffi::NID_crl_reason, + // Only one instance of the extension is permissable + ptr::null_mut(), + // Don't care if the extension is critical + ptr::null_mut(), + ) as *mut _) + }?; + Some(reason_code.get_i64().map(CrlReason::from_raw)) + } } foreign_type_and_impl_send_sync! { @@ -1872,6 +1950,17 @@ impl GeneralNameRef { self.ia5_string(ffi::GEN_EMAIL) } + /// Returns the contents of this `GeneralName` if it is a `directoryName`. + pub fn directory_name(&self) -> Option<&X509NameRef> { + unsafe { + if (*self.as_ptr()).type_ != ffi::GEN_DIRNAME { + return None; + } + + Some(X509NameRef::from_const_ptr((*self.as_ptr()).d as *const _)) + } + } + /// Returns the contents of this `GeneralName` if it is a `dNSName`. pub fn dnsname(&self) -> Option<&str> { self.ia5_string(ffi::GEN_DNS) From 30aa4085e71c85637d6b1a9f9c4107e977a4a3d6 Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Mon, 27 Mar 2023 17:52:14 +0100 Subject: [PATCH 156/341] Expose X509_REVOKED_get_ext_d2i more directly --- openssl/src/asn1.rs | 2 +- openssl/src/nid.rs | 4 +- openssl/src/x509/mod.rs | 125 ++++++++++++++++++++++++---------------- 3 files changed, 78 insertions(+), 53 deletions(-) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index db752ad9f1..8599539add 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -678,7 +678,7 @@ foreign_type_and_impl_send_sync! { impl Asn1EnumeratedRef { /// Get the value, if it fits in the required bounds. - #[corresponds(ASN1_ENUMERATED_get)] + #[corresponds(ASN1_ENUMERATED_get_int64)] #[cfg(ossl110)] pub fn get_i64(&self) -> Result { let mut crl_reason = 0; diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index e4562a1c27..81b74d342f 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -51,13 +51,13 @@ pub struct Nid(c_int); #[allow(non_snake_case)] impl Nid { /// Create a `Nid` from an integer representation. - pub fn from_raw(raw: c_int) -> Nid { + pub const fn from_raw(raw: c_int) -> Nid { Nid(raw) } /// Return the integer representation of a `Nid`. #[allow(clippy::trivially_copy_pass_by_ref)] - pub fn as_raw(&self) -> c_int { + pub const fn as_raw(&self) -> c_int { self.0 } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index e628e64a6d..decb005efd 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -50,6 +50,15 @@ pub mod store; #[cfg(test)] mod tests; +/// A type of X509 extension. +/// +/// # Safety +/// The value of NID and Output must match those in OpenSSL so that +pub unsafe trait ExtensionType { + const NID: Nid; + type Output: ForeignType; +} + foreign_type_and_impl_send_sync! { type CType = ffi::X509_STORE_CTX; fn drop = ffi::X509_STORE_CTX_free; @@ -1483,31 +1492,28 @@ impl X509ReqRef { /// The reason that a certificate was revoked. #[derive(Debug, Copy, Clone, PartialEq, Eq)] -pub struct CrlReason(i64); +pub struct CrlReason(c_int); #[allow(missing_docs)] // no need to document the constants impl CrlReason { - pub const UNSPECIFIED: CrlReason = CrlReason(ffi::CRL_REASON_UNSPECIFIED as i64); - pub const KEY_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_KEY_COMPROMISE as i64); - pub const CA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_CA_COMPROMISE as i64); - pub const AFFILIATION_CHANGED: CrlReason = - CrlReason(ffi::CRL_REASON_AFFILIATION_CHANGED as i64); - pub const SUPERSEDED: CrlReason = CrlReason(ffi::CRL_REASON_SUPERSEDED as i64); - pub const CESSATION_OF_OPERATION: CrlReason = - CrlReason(ffi::CRL_REASON_CESSATION_OF_OPERATION as i64); - pub const CERTIFICATE_HOLD: CrlReason = CrlReason(ffi::CRL_REASON_CERTIFICATE_HOLD as i64); - pub const REMOVE_FROM_CRL: CrlReason = CrlReason(ffi::CRL_REASON_REMOVE_FROM_CRL as i64); - pub const PRIVILEGE_WITHDRAWN: CrlReason = - CrlReason(ffi::CRL_REASON_PRIVILEGE_WITHDRAWN as i64); - pub const AA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_AA_COMPROMISE as i64); + pub const UNSPECIFIED: CrlReason = CrlReason(ffi::CRL_REASON_UNSPECIFIED); + pub const KEY_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_KEY_COMPROMISE); + pub const CA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_CA_COMPROMISE); + pub const AFFILIATION_CHANGED: CrlReason = CrlReason(ffi::CRL_REASON_AFFILIATION_CHANGED); + pub const SUPERSEDED: CrlReason = CrlReason(ffi::CRL_REASON_SUPERSEDED); + pub const CESSATION_OF_OPERATION: CrlReason = CrlReason(ffi::CRL_REASON_CESSATION_OF_OPERATION); + pub const CERTIFICATE_HOLD: CrlReason = CrlReason(ffi::CRL_REASON_CERTIFICATE_HOLD); + pub const REMOVE_FROM_CRL: CrlReason = CrlReason(ffi::CRL_REASON_REMOVE_FROM_CRL); + pub const PRIVILEGE_WITHDRAWN: CrlReason = CrlReason(ffi::CRL_REASON_PRIVILEGE_WITHDRAWN); + pub const AA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_AA_COMPROMISE); /// Constructs an `CrlReason` from a raw OpenSSL value. - pub fn from_raw(value: i64) -> Self { + pub const fn from_raw(value: c_int) -> Self { CrlReason(value) } /// Returns the raw OpenSSL value represented by this type. - pub fn as_raw(&self) -> i64 { + pub const fn as_raw(&self) -> c_int { self.0 } } @@ -1571,45 +1577,59 @@ impl X509RevokedRef { } } - /// Get the issuer name of the revoked certificate + /// Get the criticality and value of an extension. + /// + /// This returns None if the extension is not present or occurs multiple times. #[corresponds(X509_REVOKED_get_ext_d2i)] - pub fn issuer_name(&self) -> Option> { - // SAFETY: self.as_ptr() is a valid pointer to an X509_REVOKED. - unsafe { - let issuer_names = ffi::X509_REVOKED_get_ext_d2i( - self.as_ptr() as *const _, - // NID_certificate_issuer is a X509_REVOKED extension that - // returns a GENERAL_NAMES, which is a Stack - ffi::NID_certificate_issuer, - // Only one instance of the extension is permissable - ptr::null_mut(), - // Don't care if the extension is critical + pub fn extension(&self) -> Result, ErrorStack> { + let mut critical = -1; + let out = unsafe { + // SAFETY: self.as_ptr() is a valid pointer to an X509_REVOKED. + let ext = ffi::X509_REVOKED_get_ext_d2i( + self.as_ptr(), + T::NID.as_raw(), + &mut critical as *mut _, ptr::null_mut(), ); - Stack::from_ptr_opt(issuer_names as *mut _) + // SAFETY: Extensions's contract promises that the type returned by + // OpenSSL here is T::Output. + T::Output::from_ptr_opt(ext as *mut _) + }; + match (critical, out) { + (0, Some(out)) => Ok(Some((false, out))), + (1, Some(out)) => Ok(Some((true, out))), + // -1 means the extension wasn't found, -2 means multiple were found. + (-1 | -2, _) => Ok(None), + // A critical value of 0 or 1 suggests success, but a null pointer + // was returned so something went wrong. + (0 | 1, None) => Err(ErrorStack::get()), + (..=-3 | 2.., _) => panic!("OpenSSL should only return -2, -1, 0, or 1 for an extension's criticality but it returned {}", critical), } } +} - /// Get the reason that the certificate was revoked - #[corresponds(X509_REVOKED_get_ext_d2i)] - #[cfg(ossl110)] - pub fn reason_code(&self) -> Option> { - let reason_code = unsafe { - // The return value may be NULL if the extension wasn't found or - // there were multiple, and we require only one. - Asn1Enumerated::from_ptr_opt(ffi::X509_REVOKED_get_ext_d2i( - // self.as_ptr() is a valid pointer to a X509_REVOKED - self.as_ptr() as *const _, - // NID_crl_reason is an X509_REVOKED extension that is an ASN1_ENUMERATED - ffi::NID_crl_reason, - // Only one instance of the extension is permissable - ptr::null_mut(), - // Don't care if the extension is critical - ptr::null_mut(), - ) as *mut _) - }?; - Some(reason_code.get_i64().map(CrlReason::from_raw)) - } +/// The CRL entry extension identifying the reason for revocation see [`CrlReason`], +/// this is as defined in RFC 5280 Section 5.3.1. +pub enum ReasonCode {} + +// SAFETY: CertificateIssuer is defined to be a stack of GeneralName in the RFC +// and in OpenSSL. +unsafe impl ExtensionType for ReasonCode { + const NID: Nid = Nid::from_raw(ffi::NID_crl_reason); + + type Output = Asn1Enumerated; +} + +/// The CRL entry extension identifying the issuer of a certificate used in +/// indirect CRLs, as defined in RFC 5280 Section 5.3.3. +pub enum CertificateIssuer {} + +// SAFETY: CertificateIssuer is defined to be a stack of GeneralName in the RFC +// and in OpenSSL. +unsafe impl ExtensionType for CertificateIssuer { + const NID: Nid = Nid::from_raw(ffi::NID_certificate_issuer); + + type Output = Stack; } foreign_type_and_impl_send_sync! { @@ -1957,7 +1977,12 @@ impl GeneralNameRef { return None; } - Some(X509NameRef::from_const_ptr((*self.as_ptr()).d as *const _)) + #[cfg(boringssl)] + let d = (*self.as_ptr()).d.ptr; + #[cfg(not(boringssl))] + let d = (*self.as_ptr()).d; + + Some(X509NameRef::from_const_ptr(d as *const _)) } } From 3b25d11504f8547637b591fa4360df78cc6c2ac1 Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Mon, 27 Mar 2023 18:40:19 +0100 Subject: [PATCH 157/341] Use range pattern compatible with MSRV --- openssl/src/x509/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index decb005efd..a6ead63a2e 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1603,7 +1603,7 @@ impl X509RevokedRef { // A critical value of 0 or 1 suggests success, but a null pointer // was returned so something went wrong. (0 | 1, None) => Err(ErrorStack::get()), - (..=-3 | 2.., _) => panic!("OpenSSL should only return -2, -1, 0, or 1 for an extension's criticality but it returned {}", critical), + (c_int::MIN..=-2 | 2.., _) => panic!("OpenSSL should only return -2, -1, 0, or 1 for an extension's criticality but it returned {}", critical), } } } From 95680c816c55b617d2f5949cf2aedd060082840d Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Tue, 28 Mar 2023 12:08:27 +0100 Subject: [PATCH 158/341] Add test for CRL entry extensions --- openssl/src/x509/mod.rs | 1 + openssl/src/x509/tests.rs | 42 +++++++++++++++++++++++++++++-- openssl/test/entry_extensions.crl | 10 ++++++++ 3 files changed, 51 insertions(+), 2 deletions(-) create mode 100644 openssl/test/entry_extensions.crl diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index a6ead63a2e..e30dd80730 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -54,6 +54,7 @@ mod tests; /// /// # Safety /// The value of NID and Output must match those in OpenSSL so that +/// `Output::from_ptr_opt(*_get_ext_d2i(*, NID, ...))` is valid. pub unsafe trait ExtensionType { const NID: Nid; type Output: ForeignType; diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 57734f2665..7fb383631f 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -18,12 +18,12 @@ use crate::x509::store::X509Lookup; use crate::x509::store::X509StoreBuilder; #[cfg(any(ossl102, libressl261))] use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; -#[cfg(ossl110)] -use crate::x509::X509Builder; #[cfg(ossl102)] use crate::x509::X509PurposeId; #[cfg(any(ossl102, libressl261))] use crate::x509::X509PurposeRef; +#[cfg(ossl110)] +use crate::x509::{CrlReason, X509Builder}; use crate::x509::{ CrlStatus, X509Crl, X509Extension, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509, }; @@ -31,6 +31,8 @@ use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] use libc::time_t; +use super::{CertificateIssuer, ReasonCode}; + fn pkey() -> PKey { let rsa = Rsa::generate(2048).unwrap(); PKey::from_rsa(rsa).unwrap() @@ -611,6 +613,42 @@ fn test_load_crl() { ); } +#[test] +fn test_crl_entry_extensions() { + let crl = include_bytes!("../../test/entry_extensions.crl"); + let crl = X509Crl::from_pem(crl).unwrap(); + + let revoked_certs = crl.get_revoked().unwrap(); + let entry = &revoked_certs[0]; + + let (critical, issuer) = entry + .extension::() + .unwrap() + .expect("Certificate issuer extension should be present"); + assert!(critical, "Certificate issuer extension is critical"); + assert_eq!(issuer.len(), 1, "Certificate issuer should have one entry"); + let issuer = issuer[0] + .directory_name() + .expect("Issuer should be a directory name"); + assert_eq!( + format!("{:?}", issuer), + r#"[countryName = "GB", commonName = "Test CA"]"# + ); + + // reason_code can't be inspected without ossl110 + #[allow(unused_variables)] + let (critical, reason_code) = entry + .extension::() + .unwrap() + .expect("Reason code extension should be present"); + assert!(!critical, "Reason code extension is not critical"); + #[cfg(ossl110)] + assert_eq!( + CrlReason::KEY_COMPROMISE, + CrlReason::from_raw(reason_code.get_i64().unwrap() as ffi::c_int) + ); +} + #[test] fn test_save_subject_der() { let cert = include_bytes!("../../test/cert.pem"); diff --git a/openssl/test/entry_extensions.crl b/openssl/test/entry_extensions.crl new file mode 100644 index 0000000000..9654171cf1 --- /dev/null +++ b/openssl/test/entry_extensions.crl @@ -0,0 +1,10 @@ +-----BEGIN X509 CRL----- +MIIBXDCCAQICAQEwCgYIKoZIzj0EAwIwETEPMA0GA1UEAwwGQ1JMIENBFw0yMzAz +MjgwOTQ5MThaFw0yMzA0MDQwOTUwMDdaMIGAMH4CFE+Y95/1pOqa6c9fUEJ8c04k +xu2PFw0yMzAzMjgwOTQ3MzNaMFcwLwYDVR0dAQH/BCUwI6QhMB8xCzAJBgNVBAYT +AkdCMRAwDgYDVQQDDAdUZXN0IENBMAoGA1UdFQQDCgEBMBgGA1UdGAQRGA8yMDIz +MDMyODA5NDQ0MFqgPTA7MB8GA1UdIwQYMBaAFNX1GZ0RWuC+4gz1wuy5H32T2W+R +MAoGA1UdFAQDAgEUMAwGA1UdHAQFMAOEAf8wCgYIKoZIzj0EAwIDSAAwRQIgbl7x +W+WVAb+zlvKcJLmHVuC+gbqR4jqwGIHHgQl2J8kCIQCo/sAF5sDqy/cL+fbzBeUe +YoY2h6lIkj9ENwU8ZCt03w== +-----END X509 CRL----- From a888f7a098bd65837ff064fc30be326aa1371117 Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Tue, 28 Mar 2023 09:49:47 +0100 Subject: [PATCH 159/341] Implement cmp and to_owned for Asn1Integer --- openssl-sys/src/handwritten/asn1.rs | 2 ++ openssl/src/asn1.rs | 42 ++++++++++++++++++++++++++++- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index 7163a69d5e..d2bc21ce59 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -43,8 +43,10 @@ extern "C" { pub fn ASN1_TIME_set(from: *mut ASN1_TIME, to: time_t) -> *mut ASN1_TIME; pub fn ASN1_INTEGER_free(x: *mut ASN1_INTEGER); + pub fn ASN1_INTEGER_dup(a: *const ASN1_INTEGER) -> *mut ASN1_INTEGER; pub fn ASN1_INTEGER_get(dest: *const ASN1_INTEGER) -> c_long; pub fn ASN1_INTEGER_set(dest: *mut ASN1_INTEGER, value: c_long) -> c_int; + pub fn ASN1_INTEGER_cmp(a: *const ASN1_INTEGER, b: *const ASN1_INTEGER) -> c_int; pub fn BN_to_ASN1_INTEGER(bn: *const BIGNUM, ai: *mut ASN1_INTEGER) -> *mut ASN1_INTEGER; pub fn ASN1_INTEGER_to_BN(ai: *const ASN1_INTEGER, bn: *mut BIGNUM) -> *mut BIGNUM; diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index c0178c7e65..a282fc2cc7 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -27,7 +27,6 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_char, c_int, c_long, time_t}; -#[cfg(ossl102)] use std::cmp::Ordering; use std::ffi::CString; use std::fmt; @@ -512,6 +511,23 @@ impl Asn1Integer { } } +impl Ord for Asn1Integer { + fn cmp(&self, other: &Self) -> Ordering { + Asn1IntegerRef::cmp(self, other) + } +} +impl PartialOrd for Asn1Integer { + fn partial_cmp(&self, other: &Asn1Integer) -> Option { + Some(self.cmp(other)) + } +} +impl Eq for Asn1Integer {} +impl PartialEq for Asn1Integer { + fn eq(&self, other: &Asn1Integer) -> bool { + Asn1IntegerRef::eq(self, other) + } +} + impl Asn1IntegerRef { #[allow(missing_docs, clippy::unnecessary_cast)] #[deprecated(since = "0.10.6", note = "use to_bn instead")] @@ -536,6 +552,30 @@ impl Asn1IntegerRef { pub fn set(&mut self, value: i32) -> Result<(), ErrorStack> { unsafe { cvt(ffi::ASN1_INTEGER_set(self.as_ptr(), value as c_long)).map(|_| ()) } } + + /// Creates a new Asn1Integer with the same value. + #[corresponds(ASN1_INTEGER_dup)] + pub fn to_owned(&self) -> Result { + unsafe { cvt_p(ffi::ASN1_INTEGER_dup(self.as_ptr())).map(|p| Asn1Integer::from_ptr(p)) } + } +} + +impl Ord for Asn1IntegerRef { + fn cmp(&self, other: &Self) -> Ordering { + let res = unsafe { ffi::ASN1_INTEGER_cmp(self.as_ptr(), other.as_ptr()) }; + res.cmp(&0) + } +} +impl PartialOrd for Asn1IntegerRef { + fn partial_cmp(&self, other: &Asn1IntegerRef) -> Option { + Some(self.cmp(other)) + } +} +impl Eq for Asn1IntegerRef {} +impl PartialEq for Asn1IntegerRef { + fn eq(&self, other: &Asn1IntegerRef) -> bool { + self.cmp(other) == Ordering::Equal + } } foreign_type_and_impl_send_sync! { From 516f1b5252ba736a8dce2f79b7bff15b55feabf4 Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Tue, 28 Mar 2023 12:28:01 +0100 Subject: [PATCH 160/341] Add tests for Asn1Integer comparison and to_owned --- openssl/src/asn1.rs | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index a282fc2cc7..8823f95b58 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -789,6 +789,28 @@ mod tests { assert!(c_ref < a_ref); } + #[test] + fn integer_to_owned() { + let a = Asn1Integer::from_bn(&BigNum::from_dec_str("42").unwrap()).unwrap(); + let b = a.to_owned().unwrap(); + assert_eq!( + a.to_bn().unwrap().to_dec_str().unwrap().to_string(), + b.to_bn().unwrap().to_dec_str().unwrap().to_string(), + ); + assert_ne!(a.as_ptr(), b.as_ptr()); + } + + #[test] + fn integer_cmp() { + let a = Asn1Integer::from_bn(&BigNum::from_dec_str("42").unwrap()).unwrap(); + let b = Asn1Integer::from_bn(&BigNum::from_dec_str("42").unwrap()).unwrap(); + let c = Asn1Integer::from_bn(&BigNum::from_dec_str("43").unwrap()).unwrap(); + assert!(a == b); + assert!(a != c); + assert!(a < c); + assert!(c > b); + } + #[test] fn object_from_str() { let object = Asn1Object::from_str("2.16.840.1.101.3.4.2.1").unwrap(); From 424745064356ac91fc6c50b7ef823a4deca3b313 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 30 Mar 2023 15:14:23 -0400 Subject: [PATCH 161/341] try skipping another test on openssl 3.1.0 See: https://github.com/openssl/openssl/issues/20613 --- openssl/src/nid.rs | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index e4562a1c27..53e2eab15e 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -1165,10 +1165,13 @@ mod test { assert_eq!(nid.short_name().unwrap(), "foo"); assert_eq!(nid.long_name().unwrap(), "foobar"); - let invalid_oid = Nid::create("invalid_oid", "invalid", "invalid"); - assert!( - invalid_oid.is_err(), - "invalid_oid should not return a valid value" - ); + // Due to a bug in OpenSSL 3.1.0, this test crashes on Windows + if !cfg(ossl310) { + let invalid_oid = Nid::create("invalid_oid", "invalid", "invalid"); + assert!( + invalid_oid.is_err(), + "invalid_oid should not return a valid value" + ); + } } } From f949d4098d48038849cf9537829759167ffe0dfa Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 30 Mar 2023 15:18:24 -0400 Subject: [PATCH 162/341] Fix syntax error I accidentally pushed to master --- openssl/src/nid.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index 53e2eab15e..1ab96f3701 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -1166,7 +1166,7 @@ mod test { assert_eq!(nid.long_name().unwrap(), "foobar"); // Due to a bug in OpenSSL 3.1.0, this test crashes on Windows - if !cfg(ossl310) { + if !cfg!(ossl310) { let invalid_oid = Nid::create("invalid_oid", "invalid", "invalid"); assert!( invalid_oid.is_err(), From c906f184dfdc981450b5014bf5aaf6e291958fbe Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 30 Mar 2023 14:23:44 -0400 Subject: [PATCH 163/341] Drop dependency on autocfg It's used to check for a Rust version well below our MSRV. --- openssl-sys/Cargo.toml | 1 - openssl-sys/build/main.rs | 11 ------- openssl-sys/src/err.rs | 68 ++++++++++++++++++--------------------- openssl-sys/src/macros.rs | 18 ----------- 4 files changed, 32 insertions(+), 66 deletions(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index ad7582ad05..109a859ddc 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -27,7 +27,6 @@ bindgen = { version = "0.64.0", optional = true, features = ["experimental"] } cc = "1.0" openssl-src = { version = "111", optional = true } pkg-config = "0.3.9" -autocfg = "1.0" [target.'cfg(target_env = "msvc")'.build-dependencies] vcpkg = "0.2.8" diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 3357518f55..5c1f668fb7 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -4,7 +4,6 @@ clippy::unusual_byte_groupings )] -extern crate autocfg; #[cfg(feature = "bindgen")] extern crate bindgen; extern crate cc; @@ -74,8 +73,6 @@ fn check_ssl_kind() { } fn main() { - check_rustc_versions(); - check_ssl_kind(); let target = env::var("TARGET").unwrap(); @@ -134,14 +131,6 @@ fn main() { } } -fn check_rustc_versions() { - let cfg = autocfg::new(); - - if cfg.probe_rustc_version(1, 31) { - println!("cargo:rustc-cfg=const_fn"); - } -} - #[allow(clippy::let_and_return)] fn postprocess(include_dirs: &[PathBuf]) -> Version { let version = validate_headers(include_dirs); diff --git a/openssl-sys/src/err.rs b/openssl-sys/src/err.rs index 5e84e6208a..4a6a2775e4 100644 --- a/openssl-sys/src/err.rs +++ b/openssl-sys/src/err.rs @@ -20,51 +20,47 @@ cfg_if! { pub const ERR_RFLAG_FATAL: c_ulong = 0x1 << ERR_RFLAGS_OFFSET; - const_fn! { - pub const fn ERR_SYSTEM_ERROR(errcode: c_ulong) -> bool { - errcode & ERR_SYSTEM_FLAG != 0 - } + pub const fn ERR_SYSTEM_ERROR(errcode: c_ulong) -> bool { + errcode & ERR_SYSTEM_FLAG != 0 + } - pub const fn ERR_GET_LIB(errcode: c_ulong) -> c_int { - // hacks since `if` isn't yet stable in const functions :( - ((ERR_LIB_SYS as c_ulong * (ERR_SYSTEM_ERROR(errcode) as c_ulong)) | - (((errcode >> ERR_LIB_OFFSET) & ERR_LIB_MASK) * (!ERR_SYSTEM_ERROR(errcode) as c_ulong))) as c_int - } + pub const fn ERR_GET_LIB(errcode: c_ulong) -> c_int { + // hacks since `if` isn't yet stable in const functions :( + ((ERR_LIB_SYS as c_ulong * (ERR_SYSTEM_ERROR(errcode) as c_ulong)) | + (((errcode >> ERR_LIB_OFFSET) & ERR_LIB_MASK) * (!ERR_SYSTEM_ERROR(errcode) as c_ulong))) as c_int + } - pub const fn ERR_GET_FUNC(_errcode: c_ulong) -> c_int { - 0 - } + pub const fn ERR_GET_FUNC(_errcode: c_ulong) -> c_int { + 0 + } - pub const fn ERR_GET_REASON(errcode: c_ulong) -> c_int { - // hacks since `if` isn't yet stable in const functions :( - ((ERR_LIB_SYS as c_ulong * (ERR_SYSTEM_ERROR(errcode) as c_ulong)) | - ((errcode & ERR_REASON_MASK) * (!ERR_SYSTEM_ERROR(errcode) as c_ulong))) as c_int - } + pub const fn ERR_GET_REASON(errcode: c_ulong) -> c_int { + // hacks since `if` isn't yet stable in const functions :( + ((ERR_LIB_SYS as c_ulong * (ERR_SYSTEM_ERROR(errcode) as c_ulong)) | + ((errcode & ERR_REASON_MASK) * (!ERR_SYSTEM_ERROR(errcode) as c_ulong))) as c_int + } - pub const fn ERR_PACK(lib: c_int, _func: c_int, reason: c_int) -> c_ulong { - ((lib as c_ulong & ERR_LIB_MASK) << ERR_LIB_OFFSET) | - (reason as c_ulong & ERR_REASON_MASK) - } + pub const fn ERR_PACK(lib: c_int, _func: c_int, reason: c_int) -> c_ulong { + ((lib as c_ulong & ERR_LIB_MASK) << ERR_LIB_OFFSET) | + (reason as c_ulong & ERR_REASON_MASK) } } else { - const_fn! { - pub const fn ERR_PACK(l: c_int, f: c_int, r: c_int) -> c_ulong { - ((l as c_ulong & 0x0FF) << 24) | - ((f as c_ulong & 0xFFF) << 12) | - (r as c_ulong & 0xFFF) - } + pub const fn ERR_PACK(l: c_int, f: c_int, r: c_int) -> c_ulong { + ((l as c_ulong & 0x0FF) << 24) | + ((f as c_ulong & 0xFFF) << 12) | + (r as c_ulong & 0xFFF) + } - pub const fn ERR_GET_LIB(l: c_ulong) -> c_int { - ((l >> 24) & 0x0FF) as c_int - } + pub const fn ERR_GET_LIB(l: c_ulong) -> c_int { + ((l >> 24) & 0x0FF) as c_int + } - pub const fn ERR_GET_FUNC(l: c_ulong) -> c_int { - ((l >> 12) & 0xFFF) as c_int - } + pub const fn ERR_GET_FUNC(l: c_ulong) -> c_int { + ((l >> 12) & 0xFFF) as c_int + } - pub const fn ERR_GET_REASON(l: c_ulong) -> c_int { - (l & 0xFFF) as c_int - } + pub const fn ERR_GET_REASON(l: c_ulong) -> c_int { + (l & 0xFFF) as c_int } } } diff --git a/openssl-sys/src/macros.rs b/openssl-sys/src/macros.rs index e1b08c467a..96523db8f4 100644 --- a/openssl-sys/src/macros.rs +++ b/openssl-sys/src/macros.rs @@ -70,24 +70,6 @@ macro_rules! stack { }; } -#[cfg(const_fn)] -macro_rules! const_fn { - ($(pub const fn $name:ident($($arg:ident: $t:ty),*) -> $ret:ty $b:block)*) => { - $( - pub const fn $name($($arg: $t),*) -> $ret $b - )* - } -} - -#[cfg(not(const_fn))] -macro_rules! const_fn { - ($(pub const fn $name:ident($($arg:ident: $t:ty),*) -> $ret:ty $b:block)*) => { - $( - pub fn $name($($arg: $t),*) -> $ret $b - )* - } -} - // openssl changes `*mut` to `*const` in certain parameters in certain versions; // in C this is ABI and (mostly) API compatible. // From d355cb80385dcfbab03805fc9407d5a4db11db7a Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 30 Mar 2023 19:25:05 -0400 Subject: [PATCH 164/341] Don't use IP addresses in SNI --- openssl/src/ssl/connector.rs | 5 ++-- openssl/src/ssl/test/mod.rs | 57 +++++++++++++++++++++++++++++++++++- 2 files changed, 59 insertions(+), 3 deletions(-) diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 39f729df90..66d1bd8939 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -11,6 +11,7 @@ use crate::ssl::{ SslOptions, SslRef, SslStream, SslVerifyMode, }; use crate::version; +use std::net::IpAddr; const FFDHE_2048: &str = " -----BEGIN DH PARAMETERS----- @@ -177,9 +178,9 @@ impl ConnectConfiguration { /// Returns an `Ssl` configured to connect to the provided domain. /// - /// The domain is used for SNI and hostname verification if enabled. + /// The domain is used for SNI (if it is not an IP address) and hostname verification if enabled. pub fn into_ssl(mut self, domain: &str) -> Result { - if self.sni { + if self.sni && domain.parse::().is_err() { self.ssl.set_hostname(domain)?; } diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 03dc89e5c3..a34309a7d6 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -21,10 +21,10 @@ use crate::hash::MessageDigest; use crate::ocsp::{OcspResponse, OcspResponseStatus}; use crate::pkey::PKey; use crate::srtp::SrtpProfileId; -use crate::ssl; use crate::ssl::test::server::Server; #[cfg(any(ossl110, ossl111, libressl261))] use crate::ssl::SslVersion; +use crate::ssl::{self, NameType, SslConnectorBuilder}; #[cfg(ossl111)] use crate::ssl::{ClientHelloResponse, ExtensionContext}; use crate::ssl::{ @@ -767,6 +767,61 @@ fn connector_can_disable_verify() { s.read_exact(&mut [0]).unwrap(); } +#[test] +fn connector_does_use_sni_with_dnsnames() { + static CALLED_BACK: AtomicBool = AtomicBool::new(false); + + let mut builder = Server::builder(); + builder.ctx().set_servername_callback(|ssl, _| { + assert_eq!(ssl.servername(NameType::HOST_NAME), Some("foobar.com")); + CALLED_BACK.store(true, Ordering::SeqCst); + Ok(()) + }); + let server = builder.build(); + + let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); + connector.set_ca_file("test/root-ca.pem").unwrap(); + + let s = server.connect_tcp(); + let mut s = connector + .build() + .configure() + .unwrap() + .connect("foobar.com", s) + .unwrap(); + s.read_exact(&mut [0]).unwrap(); + + assert!(CALLED_BACK.load(Ordering::SeqCst)); +} + +#[test] +fn connector_doesnt_use_sni_with_ips() { + static CALLED_BACK: AtomicBool = AtomicBool::new(false); + + let mut builder = Server::builder(); + builder.ctx().set_servername_callback(|ssl, _| { + assert_eq!(ssl.servername(NameType::HOST_NAME), None); + CALLED_BACK.store(true, Ordering::SeqCst); + Ok(()) + }); + let server = builder.build(); + + let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); + // The server's cert isn't issued for 127.0.0.1 but we don't care for this test. + connector.set_verify(SslVerifyMode::NONE); + + let s = server.connect_tcp(); + let mut s = connector + .build() + .configure() + .unwrap() + .connect("127.0.0.1", s) + .unwrap(); + s.read_exact(&mut [0]).unwrap(); + + assert!(CALLED_BACK.load(Ordering::SeqCst)); +} + fn test_mozilla_server(new: fn(SslMethod) -> Result) { let listener = TcpListener::bind("127.0.0.1:0").unwrap(); let port = listener.local_addr().unwrap().port(); From 42469df82086d1f14bf87db24183e24f7693394e Mon Sep 17 00:00:00 2001 From: Asger Hautop Drewsen Date: Fri, 31 Mar 2023 10:15:35 +0200 Subject: [PATCH 165/341] Fix typo in documentation for set_{min,max}_proto_version --- openssl/src/ssl/mod.rs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index c8648c4bcd..6ef356d36d 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -1120,7 +1120,7 @@ impl SslContextBuilder { /// Sets the minimum supported protocol version. /// - /// A value of `None` will enable protocol versions down the the lowest version supported by + /// A value of `None` will enable protocol versions down to the lowest version supported by /// OpenSSL. /// /// Requires OpenSSL 1.1.0 or LibreSSL 2.6.1 or newer. @@ -1138,7 +1138,7 @@ impl SslContextBuilder { /// Sets the maximum supported protocol version. /// - /// A value of `None` will enable protocol versions down the the highest version supported by + /// A value of `None` will enable protocol versions up to the highest version supported by /// OpenSSL. /// /// Requires OpenSSL 1.1.0 or or LibreSSL 2.6.1 or newer. @@ -1156,7 +1156,7 @@ impl SslContextBuilder { /// Gets the minimum supported protocol version. /// - /// A value of `None` indicates that all versions down the the lowest version supported by + /// A value of `None` indicates that all versions down to the lowest version supported by /// OpenSSL are enabled. /// /// Requires OpenSSL 1.1.0g or LibreSSL 2.7.0 or newer. @@ -1175,7 +1175,7 @@ impl SslContextBuilder { /// Gets the maximum supported protocol version. /// - /// A value of `None` indicates that all versions down the the highest version supported by + /// A value of `None` indicates that all versions up to the highest version supported by /// OpenSSL are enabled. /// /// Requires OpenSSL 1.1.0g or LibreSSL 2.7.0 or newer. @@ -3223,7 +3223,7 @@ impl SslRef { /// Sets the minimum supported protocol version. /// - /// A value of `None` will enable protocol versions down the the lowest version supported by + /// A value of `None` will enable protocol versions down to the lowest version supported by /// OpenSSL. /// /// Requires OpenSSL 1.1.0 or LibreSSL 2.6.1 or newer. @@ -3241,7 +3241,7 @@ impl SslRef { /// Sets the maximum supported protocol version. /// - /// A value of `None` will enable protocol versions down the the highest version supported by + /// A value of `None` will enable protocol versions up to the highest version supported by /// OpenSSL. /// /// Requires OpenSSL 1.1.0 or or LibreSSL 2.6.1 or newer. From 34171f4f79d45c8132a53dfcd0bef37eb8b1ea73 Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Mon, 23 Jan 2023 14:49:33 +0100 Subject: [PATCH 166/341] Add basic X509 Distribution Point extension support Adds support to read the full name of a distribution point extension. Signed-off-by: Steffen Eiden --- openssl-sys/src/handwritten/x509.rs | 2 + openssl-sys/src/handwritten/x509v3.rs | 27 +++++++++++++ openssl/src/x509/mod.rs | 57 +++++++++++++++++++++++++++ openssl/src/x509/tests.rs | 27 +++++++++++++ openssl/test/certv3.pem | 23 +++++++++++ openssl/test/certv3_extfile | 1 + systest/build.rs | 5 ++- 7 files changed, 141 insertions(+), 1 deletion(-) create mode 100644 openssl/test/certv3.pem create mode 100644 openssl/test/certv3_extfile diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index abda4110cf..37bbf7b085 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -9,6 +9,8 @@ pub struct X509_VAL { pub enum X509_NAME_ENTRY {} +stack!(stack_st_X509_NAME_ENTRY); + stack!(stack_st_X509_NAME); pub enum X509_EXTENSION {} diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 4f661ca5ec..4a15f3df5f 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -103,3 +103,30 @@ extern "C" { #[cfg(ossl110)] pub fn X509_get_extended_key_usage(x: *mut X509) -> u32; } + +#[repr(C)] +pub struct DIST_POINT_NAME { + pub type_: c_int, + pub name: DIST_POINT_NAME_st_anon_union, + pub dpname: *mut X509_NAME, +} + +#[repr(C)] +pub union DIST_POINT_NAME_st_anon_union { + pub fullname: *mut stack_st_GENERAL_NAME, + pub relativename: *mut stack_st_X509_NAME_ENTRY, +} + +#[repr(C)] +pub struct DIST_POINT { + pub distpoint: *mut DIST_POINT_NAME, + pub reasons: *mut ASN1_BIT_STRING, + pub CRLissuer: *mut stack_st_GENERAL_NAME, + pub dp_reasons: c_int, +} +stack!(stack_st_DIST_POINT); + +extern "C" { + pub fn DIST_POINT_free(dist_point: *mut DIST_POINT); + pub fn DIST_POINT_NAME_free(dist_point: *mut DIST_POINT_NAME); +} diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 5b55918750..eab1ea6757 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -423,6 +423,20 @@ impl X509Ref { } } + /// Returns this certificate's CRL distribution points, if they exist. + #[corresponds(X509_get_ext_d2i)] + pub fn crl_distribution_points(&self) -> Option> { + unsafe { + let stack = ffi::X509_get_ext_d2i( + self.as_ptr(), + ffi::NID_crl_distribution_points, + ptr::null_mut(), + ptr::null_mut(), + ); + Stack::from_ptr_opt(stack as *mut _) + } + } + /// Returns this certificate's issuer alternative name entries, if they exist. #[corresponds(X509_get_ext_d2i)] pub fn issuer_alt_names(&self) -> Option> { @@ -1927,6 +1941,49 @@ impl Stackable for GeneralName { type StackType = ffi::stack_st_GENERAL_NAME; } +foreign_type_and_impl_send_sync! { + type CType = ffi::DIST_POINT; + fn drop = ffi::DIST_POINT_free; + + /// A `X509` distribution point. + pub struct DistPoint; + /// Reference to `DistPoint`. + pub struct DistPointRef; +} + +impl DistPointRef { + /// Returns the name of this distribution point if it exists + pub fn distpoint(&self) -> Option<&DistPointNameRef> { + unsafe { DistPointNameRef::from_const_ptr_opt((*self.as_ptr()).distpoint) } + } +} + +foreign_type_and_impl_send_sync! { + type CType = ffi::DIST_POINT_NAME; + fn drop = ffi::DIST_POINT_NAME_free; + + /// A `X509` distribution point. + pub struct DistPointName; + /// Reference to `DistPointName`. + pub struct DistPointNameRef; +} + +impl DistPointNameRef { + /// Returns the contents of this DistPointName if it is a fullname. + pub fn fullname(&self) -> Option<&StackRef> { + unsafe { + if (*self.as_ptr()).type_ != 0 { + return None; + } + StackRef::from_const_ptr_opt((*self.as_ptr()).name.fullname) + } + } +} + +impl Stackable for DistPoint { + type StackType = ffi::stack_st_DIST_POINT; +} + foreign_type_and_impl_send_sync! { type CType = ffi::ACCESS_DESCRIPTION; fn drop = ffi::ACCESS_DESCRIPTION_free; diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 57734f2665..3659604413 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -986,3 +986,30 @@ fn ipv6_as_subject_alternative_name_is_formatted_in_debug() { 8u8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 128, ]); } + +#[test] +fn test_dist_point() { + let cert = include_bytes!("../../test/certv3.pem"); + let cert = X509::from_pem(cert).unwrap(); + + let dps = cert.crl_distribution_points().unwrap(); + let dp = dps.get(0).unwrap(); + let dp_nm = dp.distpoint().unwrap(); + let dp_gns = dp_nm.fullname().unwrap(); + let dp_gn = dp_gns.get(0).unwrap(); + assert_eq!(dp_gn.uri().unwrap(), "http://example.com/crl.pem"); + + let dp = dps.get(1).unwrap(); + let dp_nm = dp.distpoint().unwrap(); + let dp_gns = dp_nm.fullname().unwrap(); + let dp_gn = dp_gns.get(0).unwrap(); + assert_eq!(dp_gn.uri().unwrap(), "http://example.com/crl2.pem"); + assert!(dps.get(2).is_none()) +} + +#[test] +fn test_dist_point_null() { + let cert = include_bytes!("../../test/cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + assert!(cert.crl_distribution_points().is_none()); +} diff --git a/openssl/test/certv3.pem b/openssl/test/certv3.pem new file mode 100644 index 0000000000..819409164d --- /dev/null +++ b/openssl/test/certv3.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIUDeCGNunyJfBd3U/qUtmCcvbMyZwwDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMzAxMjMxMzMzNTJaFw0zMzAx +MjAxMzMzNTJaMFoxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEzARBgNVBAMMCmZvb2Jh +ci5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo9CWMRLMXo1CF +/iORh9B4NhtJF/8tR9PlG95sNvyWuQQ/8jfev+8zErplxfLkt0pJqcoiZG8g9NU0 +kU6o5T+/1QgZclCAoZaS0Jqxmoo2Yk/1Qsj16pnMBc10uSDk6V9aJSX1vKwONVNS +wiHA1MhX+i7Wf7/K0niq+k7hOkhleFkWgZtUq41gXh1VfOugka7UktYnk9mrBbAM +jmaloZNn2pMMAQxVg4ThiLm3zvuWqvXASWzUZc7IAd1GbN4AtDuhs252eqE9E4iT +Hk7F14wAS1JWqv666hReGHrmZJGx0xQTM9vPD1HN5t2U3KTfhO/mTlAUWVyg9tCt +OzboKgs1AgMBAAGjgZMwgZAwTgYDVR0fBEcwRTAgoB6gHIYaaHR0cDovL2V4YW1w +bGUuY29tL2NybC5wZW0wIaAfoB2GG2h0dHA6Ly9leGFtcGxlLmNvbS9jcmwyLnBl +bTAdBgNVHQ4EFgQUtnMvYaVLoe9ILBWxn/PcNC+8rDAwHwYDVR0jBBgwFoAUbNOl +A6sNXyzJjYqciKeId7g3/ZowDQYJKoZIhvcNAQELBQADggEBAJZyk6Eo4p3JIyOt +7t6ET3K18BKvlRilze+zrGkaQYvKRsP6YzbZWgcIq59hy5VeFCX5O2WP91CPG3MU +I9eRiih66/ry3G4I8QEdpRKnn0N5unbGjb5qPT5wXrhU4IO+vn3sGZGM4uIM1/3K +N/bOh9CTsu9YqrdHSGeDyNzCy/XZ/j5bP4aNm31ZDNCZDFsbjr3/yTLcpHPL0UP3 +mCX8D16BDu1Nep+wK9VRuOEw6Z9tlT/VjTImzoOUoJO/o2UHfSHahX+n2aC5OpI6 +BdhaFBuJ1vn+yTWf3zIjhWUdp9TlzgRyFiyetP2FcKwremVVGdDq/Y6dfXaq8CA1 +6Fr9KTY= +-----END CERTIFICATE----- diff --git a/openssl/test/certv3_extfile b/openssl/test/certv3_extfile new file mode 100644 index 0000000000..1b3df49482 --- /dev/null +++ b/openssl/test/certv3_extfile @@ -0,0 +1 @@ +crlDistributionPoints=URI:http://example.com/crl.pem,URI:http://example.com/crl2.pem diff --git a/systest/build.rs b/systest/build.rs index 34677d204f..4f45e2d6fa 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -110,7 +110,9 @@ fn main() { || s.starts_with("CRYPTO_EX_") }); cfg.skip_struct(|s| { - s == "ProbeResult" || s == "X509_OBJECT_data" // inline union + s == "ProbeResult" || + s == "X509_OBJECT_data" || // inline union + s == "DIST_POINT_NAME_st_anon_union" // inline union }); cfg.skip_fn(move |s| { s == "CRYPTO_memcmp" || // uses volatile @@ -130,6 +132,7 @@ fn main() { cfg.skip_field_type(|s, field| { (s == "EVP_PKEY" && field == "pkey") || // union (s == "GENERAL_NAME" && field == "d") || // union + (s == "DIST_POINT_NAME" && field == "name") || // union (s == "X509_OBJECT" && field == "data") // union }); cfg.skip_signededness(|s| { From 29d993ffaad363b2bfae80434d57d428ef25484d Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 1 Apr 2023 09:57:21 -0400 Subject: [PATCH 167/341] Release openssl-macros v0.1.1 --- openssl-macros/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-macros/Cargo.toml b/openssl-macros/Cargo.toml index cc85815ade..5337de751e 100644 --- a/openssl-macros/Cargo.toml +++ b/openssl-macros/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-macros" -version = "0.1.0" +version = "0.1.1" edition = "2018" license = "MIT/Apache-2.0" description = "Internal macros used by the openssl crate." From 545cfa48f8ef66e60bbf3b5b0323268f265e040f Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 1 Apr 2023 10:02:30 -0400 Subject: [PATCH 168/341] Release openssl-sys v0.9.84 --- openssl-sys/CHANGELOG.md | 11 ++++++++++- openssl-sys/Cargo.toml | 2 +- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 8587ad2262..0d8c1e184e 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,14 @@ ## [Unreleased] +## [v0.9.84] - 2023-04-01 + +### Added + +* Added `ASN1_INTEGER_dup` and `ASN1_INTEGER_cmp`. +* Added `stack_st_X509_NAME_ENTRY`. +* Added `DIST_POINT_NAME`, `DIST_POINT`, `stack_st_DIST_POINT`, `DIST_POINT_free`, and `DIST_POINT_NAME_free`. + ## [v0.9.83] - 2023-03-23 ### Fixed @@ -410,7 +418,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.83..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.84..master +[v0.9.84]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.83...openssl-sys-v0.9.84 [v0.9.83]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.82...openssl-sys-v0.9.83 [v0.9.82]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.81...openssl-sys-v0.9.82 [v0.9.81]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.80...openssl-sys-v0.9.81 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 109a859ddc..0dc6df9253 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.83" +version = "0.9.84" authors = [ "Alex Crichton ", "Steven Fackler ", From 36c474ada4360aefd2460cdee5157552fb83cc08 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 1 Apr 2023 10:08:38 -0400 Subject: [PATCH 169/341] Release openssl v0.10.49 --- openssl/CHANGELOG.md | 14 +++++++++++++- openssl/Cargo.toml | 4 ++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index c6d9b303cd..8feb2a36b8 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,17 @@ ## [Unreleased] +## [v0.10.49] - 2023-04-01 + +### Fixed + +* `SslConnector` no longer sets the SNI extension when connecting to an IP address. + +### Added + +* Implemented `Ord`, `PartialOrd`, `Eq`, and `PartialEq` for `Asn1Integer` and `Asn1IntegerRef`. +* Added `X509Ref::crl_distribution_points`, and `DistPoint`. + ## [v0.10.48] - 2023-03-23 ### Fixed @@ -707,7 +718,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.48...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...master +[v0.10.49]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.48...openssl-v0.10.49 [v0.10.48]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...openssl-v0.10.48 [v0.10.47]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.46...openssl-v0.10.47 [v0.10.46]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.45...openssl-v0.10.46 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index e49bd9163e..6e2e28fc52 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.48" +version = "0.10.49" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.83", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.84", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 12a0de583988b33bdc728863ba393989132ad147 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 5 Apr 2023 11:34:56 -0500 Subject: [PATCH 170/341] Raise the minimum CC version --- openssl-sys/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 0dc6df9253..ce852e54ea 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -24,7 +24,7 @@ bssl-sys = { version = "0.1.0", optional = true } [build-dependencies] bindgen = { version = "0.64.0", optional = true, features = ["experimental"] } -cc = "1.0" +cc = "1.0.52" openssl-src = { version = "111", optional = true } pkg-config = "0.3.9" From b8559cbaf81fa504c4811096153f73d1bb29bf2f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 5 Apr 2023 11:41:52 -0500 Subject: [PATCH 171/341] whoops --- openssl-sys/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index ce852e54ea..13927f7d2e 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -24,7 +24,7 @@ bssl-sys = { version = "0.1.0", optional = true } [build-dependencies] bindgen = { version = "0.64.0", optional = true, features = ["experimental"] } -cc = "1.0.52" +cc = "1.0.61" openssl-src = { version = "111", optional = true } pkg-config = "0.3.9" From edf3a165c77f4fd66db483d72db960bbcc08db5a Mon Sep 17 00:00:00 2001 From: Harold Bruintjes Date: Thu, 6 Apr 2023 14:00:24 +0200 Subject: [PATCH 172/341] Add in-place cipher update method Add the cipher_update_inplace method to CipherCtxRef that permits encryption and decryption to happen in-place when the cipher is a stream cipher. This avoid the need to allocate a second buffer if the original data does not have to be maintained. --- openssl/src/cipher_ctx.rs | 77 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 211c58ba20..216c09e5b0 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -591,6 +591,50 @@ impl CipherCtxRef { Ok(len) } + /// Like [`Self::cipher_update`] except that it writes output into the + /// `data` buffer. The `inlen` parameter specifies the number of bytes in + /// `data` that are considered the input. For streaming ciphers, the size of + /// `data` must be at least the input size. Otherwise, it must be at least + /// an additional block size larger. + /// + /// Note: Use [`Self::cipher_update`] with no output argument to write AAD. + /// + /// # Panics + /// + /// This function panics if the input size cannot be represented as `int` or + /// exceeds the buffer size, or if the output buffer does not contain enough + /// additional space. + #[corresponds(EVP_CipherUpdate)] + pub fn cipher_update_inplace( + &mut self, + data: &mut [u8], + inlen: usize, + ) -> Result { + assert!(inlen <= data.len(), "Input size may not exceed buffer size"); + let block_size = self.block_size(); + if block_size != 1 { + assert!( + data.len() >= inlen + block_size, + "Output buffer size must be at least {} bytes.", + inlen + block_size + ); + } + + let inlen = c_int::try_from(inlen).unwrap(); + let mut outlen = 0; + unsafe { + cvt(ffi::EVP_CipherUpdate( + self.as_ptr(), + data.as_mut_ptr(), + &mut outlen, + data.as_ptr(), + inlen, + )) + }?; + + Ok(outlen as usize) + } + /// Finalizes the encryption or decryption process. /// /// Any remaining data will be written to the output buffer. @@ -778,6 +822,26 @@ mod test { ctx.cipher_final_vec(&mut vec![0; 0]).unwrap(); + // encrypt again, but use in-place encryption this time + // First reset the IV + ctx.encrypt_init(None, None, Some(&iv)).unwrap(); + ctx.set_padding(false); + let mut data_inplace: [u8; 32] = [1; 32]; + let outlen = ctx + .cipher_update_inplace(&mut data_inplace[0..15], 15) + .unwrap(); + assert_eq!(15, outlen); + + let outlen = ctx + .cipher_update_inplace(&mut data_inplace[15..32], 17) + .unwrap(); + assert_eq!(17, outlen); + + ctx.cipher_final(&mut [0u8; 0]).unwrap(); + + // Check that the resulting data is encrypted in the same manner + assert_eq!(data_inplace.as_slice(), output.as_slice()); + // try to decrypt ctx.decrypt_init(Some(cipher), Some(&key), Some(&iv)) .unwrap(); @@ -800,6 +864,19 @@ mod test { ctx.cipher_final_vec(&mut vec![0; 0]).unwrap(); // check if the decrypted blocks are the same as input (all ones) assert_eq!(output_decrypted, vec![1; 32]); + + // decrypt again, but now the output in-place + ctx.decrypt_init(None, None, Some(&iv)).unwrap(); + ctx.set_padding(false); + + let outlen = ctx.cipher_update_inplace(&mut output[0..15], 15).unwrap(); + assert_eq!(15, outlen); + + let outlen = ctx.cipher_update_inplace(&mut output[15..], 17).unwrap(); + assert_eq!(17, outlen); + + ctx.cipher_final_vec(&mut vec![0; 0]).unwrap(); + assert_eq!(output_decrypted, output); } #[test] From 1a52fa61a4ce49249c41cd77aa767dcacbac6279 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Sun, 9 Apr 2023 11:05:57 -0400 Subject: [PATCH 173/341] Bump LibreSSL to 3.7.2 3.7 series is now stable --- .github/workflows/ci.yml | 4 ++-- openssl-sys/build/main.rs | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 16f873bd95..e8bf8c9c86 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -181,7 +181,7 @@ jobs: bindgen: true library: name: libressl - version: 3.7.1 + version: 3.7.2 - target: x86_64-unknown-linux-gnu bindgen: false library: @@ -191,7 +191,7 @@ jobs: bindgen: false library: name: libressl - version: 3.7.1 + version: 3.7.2 name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} runs-on: ubuntu-latest env: diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 5c1f668fb7..ba149c17ff 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -284,6 +284,7 @@ See rust-openssl documentation for more information: (3, 6, _) => ('3', '6', 'x'), (3, 7, 0) => ('3', '7', '0'), (3, 7, 1) => ('3', '7', '1'), + (3, 7, _) => ('3', '7', 'x'), _ => version_error(), }; @@ -326,7 +327,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.7.1, but a different version of OpenSSL was found. The build is now aborting +through 3.7.x, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " From b03b9ea09b59da99b0e27b6753db33b93181fae8 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 9 Apr 2023 20:04:09 -0400 Subject: [PATCH 174/341] Release openssl-sys v0.9.85 --- openssl-sys/CHANGELOG.md | 9 ++++++++- openssl-sys/Cargo.toml | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 0d8c1e184e..b5d487759b 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,12 @@ ## [Unreleased] +## [v0.9.85] - 2023-04-09 + +### Added + +* Added support for LibreSSL 3.7.x. + ## [v0.9.84] - 2023-04-01 ### Added @@ -418,7 +424,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.84..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85..master +[v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.85 [v0.9.84]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.83...openssl-sys-v0.9.84 [v0.9.83]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.82...openssl-sys-v0.9.83 [v0.9.82]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.81...openssl-sys-v0.9.82 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 13927f7d2e..cad799a3a4 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.84" +version = "0.9.85" authors = [ "Alex Crichton ", "Steven Fackler ", From 8395a89532e257eee6769f6e60b74bfb6cf951cc Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 9 Apr 2023 20:06:24 -0400 Subject: [PATCH 175/341] Release openssl v0.10.50 --- openssl/CHANGELOG.md | 9 ++++++++- openssl/Cargo.toml | 4 ++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 8feb2a36b8..3730cf5ce5 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,12 @@ ## [Unreleased] +## [v0.10.50] - 2023-04-09 + +### Added + +* Added `CipherCtxRef::cipher_update_inplace`. + ## [v0.10.49] - 2023-04-01 ### Fixed @@ -718,7 +724,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...master +[v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 [v0.10.49]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.48...openssl-v0.10.49 [v0.10.48]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...openssl-v0.10.48 [v0.10.47]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.46...openssl-v0.10.47 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 6e2e28fc52..699273d114 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.49" +version = "0.10.50" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.84", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.85", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From a27dd4d799702c44578b62572f2dcfed2022496b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 10 Apr 2023 14:45:28 +0800 Subject: [PATCH 176/341] update documentation to reflect libressl support --- openssl/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 5678298a03..7829b79cba 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -1,7 +1,7 @@ //! Bindings to OpenSSL //! //! This crate provides a safe interface to the popular OpenSSL cryptography library. OpenSSL versions 1.0.1 through -//! 3.x.x and LibreSSL versions 2.5 through 3.4.1 are supported. +//! 3.x.x and LibreSSL versions 2.5 through 3.7.x are supported. //! //! # Building //! From c2fbe9a1d6c85d1d43470b3f1188bf74056f0d51 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 15 Apr 2023 19:11:26 -0400 Subject: [PATCH 177/341] Fixes #1882 -- added APIs for setting public keys on Dh --- openssl/src/dh.rs | 46 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index e781543e27..f7246975b3 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -7,7 +7,7 @@ use std::ptr; use crate::bn::{BigNum, BigNumRef}; use crate::error::ErrorStack; -use crate::pkey::{HasParams, HasPrivate, HasPublic, Params, Private}; +use crate::pkey::{HasParams, HasPrivate, HasPublic, Params, Private, Public}; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; @@ -66,6 +66,16 @@ impl Dh { } } + /// Sets the public key on the DH object. + pub fn set_public_key(self, pub_key: BigNum) -> Result, ErrorStack> { + unsafe { + let dh_ptr = self.0; + cvt(DH_set0_key(dh_ptr, pub_key.as_ptr(), ptr::null_mut()))?; + mem::forget((self, pub_key)); + Ok(Dh::from_ptr(dh_ptr)) + } + } + /// Sets the private key on the DH object and recomputes the public key. pub fn set_private_key(self, priv_key: BigNum) -> Result, ErrorStack> { unsafe { @@ -79,6 +89,16 @@ impl Dh { } } + /// Sets the public and private keys on the DH object. + pub fn set_key(self, pub_key: BigNum, priv_key: BigNum) -> Result, ErrorStack> { + unsafe { + let dh_ptr = self.0; + cvt(DH_set0_key(dh_ptr, pub_key.as_ptr(), priv_key.as_ptr()))?; + mem::forget((self, pub_key, priv_key)); + Ok(Dh::from_ptr(dh_ptr)) + } + } + /// Generates DH params based on the given `prime_len` and a fixed `generator` value. #[corresponds(DH_generate_parameters_ex)] pub fn generate_params(prime_len: u32, generator: u32) -> Result, ErrorStack> { @@ -367,6 +387,30 @@ mod tests { assert_eq!(key1.private_key(), key2.private_key()); } + #[test] + #[cfg(ossl102)] + fn test_set_keys() { + let dh1 = Dh::get_2048_256().unwrap(); + let key1 = dh1.generate_key().unwrap(); + + let dh2 = Dh::get_2048_256().unwrap(); + let key2 = dh2 + .set_public_key(key1.public_key().to_owned().unwrap()) + .unwrap(); + + assert_eq!(key1.public_key(), key2.public_key()); + + let dh3 = Dh::get_2048_256().unwrap(); + let key3 = dh3 + .set_key( + key1.public_key().to_owned().unwrap(), + key1.private_key().to_owned().unwrap(), + ) + .unwrap(); + assert_eq!(key1.public_key(), key3.public_key()); + assert_eq!(key1.private_key(), key3.private_key()); + } + #[test] fn test_dh_from_pem() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); From 5e4815810b4ffe924a0dd7344bb5e584d58087fb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 16 Apr 2023 17:20:30 -0400 Subject: [PATCH 178/341] Fixes #1884 -- don't leave an error on the stack in public_eq --- openssl/src/pkey.rs | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index bec4bfdafc..c03b181c80 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -244,7 +244,11 @@ where where U: HasPublic, { - unsafe { ffi::EVP_PKEY_cmp(self.as_ptr(), other.as_ptr()) == 1 } + let res = unsafe { ffi::EVP_PKEY_cmp(self.as_ptr(), other.as_ptr()) == 1 }; + // Clear the stack. OpenSSL will put an error on the stack when the + // keys are different types in some situations. + let _ = ErrorStack::get(); + res } /// Raw byte representation of a public key. @@ -885,6 +889,7 @@ mod tests { use crate::dh::Dh; use crate::dsa::Dsa; use crate::ec::EcKey; + use crate::error::Error; use crate::nid::Nid; use crate::rsa::Rsa; use crate::symm::Cipher; @@ -1168,4 +1173,17 @@ mod tests { let key = PKey::ec_gen("prime256v1").unwrap(); assert!(key.ec_key().is_ok()); } + + #[test] + fn test_public_eq() { + let rsa = Rsa::generate(2048).unwrap(); + let pkey1 = PKey::from_rsa(rsa).unwrap(); + + let group = crate::ec::EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let ec_key = EcKey::generate(&group).unwrap(); + let pkey2 = PKey::from_ec_key(ec_key).unwrap(); + + assert!(!pkey1.public_eq(&pkey2)); + assert!(Error::get().is_none()); + } } From f0b752d251608e4c07d707ff688ce4fe23cf00d4 Mon Sep 17 00:00:00 2001 From: Martin Algesten Date: Tue, 18 Apr 2023 09:23:40 +0200 Subject: [PATCH 179/341] DTLS1 and DTLS1_2 SslVersion for set_min_proto_version() Expose constants to allow limiting the DTLS version. --- openssl-sys/src/tls1.rs | 3 +++ openssl/src/ssl/mod.rs | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/openssl-sys/src/tls1.rs b/openssl-sys/src/tls1.rs index f7ae302046..fd83da7ae4 100644 --- a/openssl-sys/src/tls1.rs +++ b/openssl-sys/src/tls1.rs @@ -10,6 +10,9 @@ pub const TLS1_2_VERSION: c_int = 0x303; #[cfg(any(ossl111, libressl340))] pub const TLS1_3_VERSION: c_int = 0x304; +pub const DTLS1_VERSION: c_int = 0xFEFF; +pub const DTLS1_2_VERSION: c_int = 0xFEFD; + pub const TLS1_AD_DECODE_ERROR: c_int = 50; pub const TLS1_AD_UNRECOGNIZED_NAME: c_int = 112; diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 6ef356d36d..4ebf47dd09 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -644,6 +644,16 @@ impl SslVersion { /// Requires OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer. #[cfg(any(ossl111, libressl340))] pub const TLS1_3: SslVersion = SslVersion(ffi::TLS1_3_VERSION); + + /// DTLSv1.0 + /// + /// DTLS 1.0 corresponds to TLS 1.1. + pub const DTLS1: SslVersion = SslVersion(ffi::DTLS1_VERSION); + + /// DTLSv1.2 + /// + /// DTLS 1.2 corresponds to TLS 1.2 to harmonize versions. There was never a DTLS 1.1. + pub const DTLS1_2: SslVersion = SslVersion(ffi::DTLS1_2_VERSION); } cfg_if! { From 36fd9651f6239349fa4c750371615f90c45182fa Mon Sep 17 00:00:00 2001 From: Martin Algesten Date: Tue, 18 Apr 2023 10:01:39 +0200 Subject: [PATCH 180/341] Limit DTLS1.2 to openssl 1.0.2 and libressl 3.3.2 --- openssl-sys/src/tls1.rs | 1 + openssl/src/ssl/mod.rs | 1 + 2 files changed, 2 insertions(+) diff --git a/openssl-sys/src/tls1.rs b/openssl-sys/src/tls1.rs index fd83da7ae4..2cb08a91f3 100644 --- a/openssl-sys/src/tls1.rs +++ b/openssl-sys/src/tls1.rs @@ -11,6 +11,7 @@ pub const TLS1_2_VERSION: c_int = 0x303; pub const TLS1_3_VERSION: c_int = 0x304; pub const DTLS1_VERSION: c_int = 0xFEFF; +#[cfg(any(ossl102, libressl332))] pub const DTLS1_2_VERSION: c_int = 0xFEFD; pub const TLS1_AD_DECODE_ERROR: c_int = 50; diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 4ebf47dd09..5b8775c98c 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -653,6 +653,7 @@ impl SslVersion { /// DTLSv1.2 /// /// DTLS 1.2 corresponds to TLS 1.2 to harmonize versions. There was never a DTLS 1.1. + #[cfg(any(ossl102, libressl332))] pub const DTLS1_2: SslVersion = SslVersion(ffi::DTLS1_2_VERSION); } From 428a7e595cff993a6a869e9fafd8b34743e4bfbe Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 19 Apr 2023 20:01:17 -0400 Subject: [PATCH 181/341] Remove size_t-is-usize argument to bindgen It's been on by default for a while: https://github.com/rust-lang/rust-bindgen/commit/cc78b6fdb6e829e5fb8fa1639f2182cb49333569 --- openssl-sys/build/run_bindgen.rs | 2 -- 1 file changed, 2 deletions(-) diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 0c127ae5c6..3361786357 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -111,7 +111,6 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { .ctypes_prefix("::libc") .derive_default(false) .enable_function_attribute_detection() - .size_t_is_usize(true) .default_macro_constant_type(MacroTypeVariation::Signed) .rustified_enum("point_conversion_form_t") .allowlist_file(".*/openssl/[^/]+\\.h") @@ -167,7 +166,6 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { .arg("--ctypes-prefix=::libc") .arg("--no-derive-default") .arg("--enable-function-attribute-detection") - .arg("--size_t-is-usize") .arg("--default-macro-constant-type=signed") .arg("--rustified-enum=point_conversion_form_t") .arg("--allowlist-file=.*/openssl/[^/]+\\.h") From c7f91fc4e6b505d50c7ecaaaef5a74919672b425 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 19 Apr 2023 20:38:00 -0400 Subject: [PATCH 182/341] Update BoringSSL in CI --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e8bf8c9c86..b8314824b5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -153,7 +153,7 @@ jobs: - false library: - name: boringssl - version: 93e8d4463d59d671e9c5c6171226341f04b07907 + version: bcecc7d834fc44ad257b2f23f88e1cf597ab2736 - name: openssl version: vendored - name: openssl From a0bfb99e44e9709b4606a3a8ab5b76134a056b25 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Apr 2023 04:12:28 -0400 Subject: [PATCH 183/341] Fix build for changes in boringssl paths --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b8314824b5..71deb57ab9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -310,7 +310,7 @@ jobs: - run: | mkdir -p .cargo echo '[patch.crates-io]' > .cargo/config.toml - echo 'bssl-sys = { path = "'$OPENSSL_DIR'/rust" }' >> .cargo/config.toml + echo 'bssl-sys = { path = "'$OPENSSL_DIR'/rust/bssl-sys" }' >> .cargo/config.toml if: matrix.library.name == 'boringssl' && !matrix.bindgen - uses: actions/cache@v3 with: From b2ca7210f258c2cf32b8e045d5d03e4f4a365260 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Apr 2023 04:12:40 -0400 Subject: [PATCH 184/341] Fix types for boringssl changes --- openssl/src/x509/mod.rs | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 00b467fb77..774fc4289b 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -986,13 +986,13 @@ impl X509NameBuilder { pub fn append_entry_by_text(&mut self, field: &str, value: &str) -> Result<(), ErrorStack> { unsafe { let field = CString::new(field).unwrap(); - assert!(value.len() <= c_int::max_value() as usize); + assert!(value.len() <= crate::SLenType::max_value() as usize); cvt(ffi::X509_NAME_add_entry_by_txt( self.0.as_ptr(), field.as_ptr() as *mut _, ffi::MBSTRING_UTF8, value.as_ptr(), - value.len() as c_int, + value.len() as crate::SLenType, -1, 0, )) @@ -1013,13 +1013,13 @@ impl X509NameBuilder { ) -> Result<(), ErrorStack> { unsafe { let field = CString::new(field).unwrap(); - assert!(value.len() <= c_int::max_value() as usize); + assert!(value.len() <= crate::SLenType::max_value() as usize); cvt(ffi::X509_NAME_add_entry_by_txt( self.0.as_ptr(), field.as_ptr() as *mut _, ty.as_raw(), value.as_ptr(), - value.len() as c_int, + value.len() as crate::SLenType, -1, 0, )) @@ -1034,13 +1034,13 @@ impl X509NameBuilder { /// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_NID.html pub fn append_entry_by_nid(&mut self, field: Nid, value: &str) -> Result<(), ErrorStack> { unsafe { - assert!(value.len() <= c_int::max_value() as usize); + assert!(value.len() <= crate::SLenType::max_value() as usize); cvt(ffi::X509_NAME_add_entry_by_NID( self.0.as_ptr(), field.as_raw(), ffi::MBSTRING_UTF8, value.as_ptr() as *mut _, - value.len() as c_int, + value.len() as crate::SLenType, -1, 0, )) @@ -1060,13 +1060,13 @@ impl X509NameBuilder { ty: Asn1Type, ) -> Result<(), ErrorStack> { unsafe { - assert!(value.len() <= c_int::max_value() as usize); + assert!(value.len() <= crate::SLenType::max_value() as usize); cvt(ffi::X509_NAME_add_entry_by_NID( self.0.as_ptr(), field.as_raw(), ty.as_raw(), value.as_ptr() as *mut _, - value.len() as c_int, + value.len() as crate::SLenType, -1, 0, )) From 9f9009392c8788b1b4e984b8a81ff919c28754e5 Mon Sep 17 00:00:00 2001 From: remigranotier <42846930+remigranotier@users.noreply.github.com> Date: Thu, 20 Apr 2023 16:54:09 +0200 Subject: [PATCH 185/341] Documentation typo for X509Crl Fixed x509Crl description from "a X509 certificate request" to "a X509 certificate revocation list" --- openssl/src/x509/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 774fc4289b..971fb982a6 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1545,7 +1545,7 @@ foreign_type_and_impl_send_sync! { type CType = ffi::X509_REVOKED; fn drop = ffi::X509_REVOKED_free; - /// An `X509` certificate request. + /// An `X509` certificate revocation list. pub struct X509Revoked; /// Reference to `X509Crl`. pub struct X509RevokedRef; From 75a6e0e47db672987eed0cef48dc3860e8b153cf Mon Sep 17 00:00:00 2001 From: remigranotier <42846930+remigranotier@users.noreply.github.com> Date: Thu, 20 Apr 2023 16:59:03 +0200 Subject: [PATCH 186/341] [Documentation] fixed X509Crl and X509Revoked description in doc Pardon my previous MR, Ctrl+F tricked me... This one fixes (for good) descriptions for both X509Crl and X509Revoked --- openssl/src/x509/mod.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 971fb982a6..030770587e 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1545,9 +1545,9 @@ foreign_type_and_impl_send_sync! { type CType = ffi::X509_REVOKED; fn drop = ffi::X509_REVOKED_free; - /// An `X509` certificate revocation list. + /// An `X509` certificate revocation status. pub struct X509Revoked; - /// Reference to `X509Crl`. + /// Reference to `X509Revoked`. pub struct X509RevokedRef; } @@ -1659,7 +1659,7 @@ foreign_type_and_impl_send_sync! { type CType = ffi::X509_CRL; fn drop = ffi::X509_CRL_free; - /// An `X509` certificate request. + /// An `X509` certificate revocation list. pub struct X509Crl; /// Reference to `X509Crl`. pub struct X509CrlRef; From 2ac0d838ff5f78cd019c225075a3745e65ef6675 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 20 Apr 2023 13:15:44 -0600 Subject: [PATCH 187/341] add asn1octetstring creation support --- openssl-sys/src/handwritten/asn1.rs | 6 ++++ openssl/src/asn1.rs | 48 +++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index 13c233a473..fa43a7a5c1 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -51,9 +51,15 @@ extern "C" { #[cfg(any(all(ossl101, not(ossl110)), libressl))] pub fn ASN1_STRING_data(x: *mut ASN1_STRING) -> *mut c_uchar; pub fn ASN1_STRING_new() -> *mut ASN1_STRING; + pub fn ASN1_OCTET_STRING_new() -> *mut ASN1_OCTET_STRING; pub fn ASN1_STRING_free(x: *mut ASN1_STRING); pub fn ASN1_STRING_length(x: *const ASN1_STRING) -> c_int; pub fn ASN1_STRING_set(x: *mut ASN1_STRING, data: *const c_void, len_in: c_int) -> c_int; + pub fn ASN1_OCTET_STRING_set( + x: *mut ASN1_OCTET_STRING, + data: *const c_uchar, + len_in: c_int, + ) -> c_int; pub fn ASN1_BIT_STRING_free(x: *mut ASN1_BIT_STRING); pub fn ASN1_OCTET_STRING_free(x: *mut ASN1_OCTET_STRING); diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 8956f8d709..d75e05166e 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -28,6 +28,7 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_char, c_int, c_long, time_t}; use std::cmp::Ordering; +use std::convert::TryInto; use std::ffi::CString; use std::fmt; use std::ptr; @@ -611,6 +612,46 @@ impl Asn1BitStringRef { } } +foreign_type_and_impl_send_sync! { + type CType = ffi::ASN1_OCTET_STRING; + fn drop = ffi::ASN1_OCTET_STRING_free; + /// ASN.1 OCTET STRING type + pub struct Asn1OctetString; + /// A reference to an [`Asn1OctetString`]. + pub struct Asn1OctetStringRef; +} + +impl Asn1OctetString { + /// Creates an Asn1OctetString from bytes + pub fn new_from_bytes(value: &[u8]) -> Result { + ffi::init(); + unsafe { + let s = cvt_p(ffi::ASN1_OCTET_STRING_new())?; + ffi::ASN1_OCTET_STRING_set(s, value.as_ptr(), value.len().try_into().unwrap()); + Ok(Self::from_ptr(s)) + } + } +} + +impl Asn1OctetStringRef { + /// Returns the octet string as an array of bytes. + #[corresponds(ASN1_STRING_get0_data)] + pub fn as_slice(&self) -> &[u8] { + unsafe { slice::from_raw_parts(ASN1_STRING_get0_data(self.as_ptr().cast()), self.len()) } + } + + /// Returns the number of bytes in the octet string. + #[corresponds(ASN1_STRING_length)] + pub fn len(&self) -> usize { + unsafe { ffi::ASN1_STRING_length(self.as_ptr().cast()) as usize } + } + + /// Determines if the string is empty. + pub fn is_empty(&self) -> bool { + self.len() == 0 + } +} + foreign_type_and_impl_send_sync! { type CType = ffi::ASN1_OBJECT; fn drop = ffi::ASN1_OBJECT_free; @@ -859,4 +900,11 @@ mod tests { &[0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01], ); } + + #[test] + fn asn1_octet_string() { + let octet_string = Asn1OctetString::new_from_bytes(b"hello world").unwrap(); + assert_eq!(octet_string.as_slice(), b"hello world"); + assert_eq!(octet_string.len(), 11); + } } From 4e1bbee5f07d6edc505876566ad958edd0232bfa Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 13 Apr 2023 19:35:45 -0400 Subject: [PATCH 188/341] Introduce X509Extension::new_from_der and deprecate the bad APIs --- openssl/src/x509/extension.rs | 12 +++++++++ openssl/src/x509/mod.rs | 47 +++++++++++++++++++++++++++++++++-- openssl/src/x509/tests.rs | 18 +++++++++++++- 3 files changed, 74 insertions(+), 3 deletions(-) diff --git a/openssl/src/x509/extension.rs b/openssl/src/x509/extension.rs index f04d227960..075227dec3 100644 --- a/openssl/src/x509/extension.rs +++ b/openssl/src/x509/extension.rs @@ -67,6 +67,9 @@ impl BasicConstraints { } /// Return the `BasicConstraints` extension as an `X509Extension`. + // Temporarily silence the deprecation warning - this should be ported to + // `X509Extension::new_internal`. + #[allow(deprecated)] pub fn build(&self) -> Result { let mut value = String::new(); if self.critical { @@ -183,6 +186,9 @@ impl KeyUsage { } /// Return the `KeyUsage` extension as an `X509Extension`. + // Temporarily silence the deprecation warning - this should be ported to + // `X509Extension::new_internal`. + #[allow(deprecated)] pub fn build(&self) -> Result { let mut value = String::new(); let mut first = true; @@ -346,6 +352,9 @@ impl SubjectKeyIdentifier { } /// Return a `SubjectKeyIdentifier` extension as an `X509Extension`. + // Temporarily silence the deprecation warning - this should be ported to + // `X509Extension::new_internal`. + #[allow(deprecated)] pub fn build(&self, ctx: &X509v3Context<'_>) -> Result { let mut value = String::new(); let mut first = true; @@ -398,6 +407,9 @@ impl AuthorityKeyIdentifier { } /// Return a `AuthorityKeyIdentifier` extension as an `X509Extension`. + // Temporarily silence the deprecation warning - this should be ported to + // `X509Extension::new_internal`. + #[allow(deprecated)] pub fn build(&self, ctx: &X509v3Context<'_>) -> Result { let mut value = String::new(); let mut first = true; diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 030770587e..ea6fc13b72 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -24,8 +24,8 @@ use std::slice; use std::str; use crate::asn1::{ - Asn1BitStringRef, Asn1Enumerated, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, Asn1StringRef, - Asn1TimeRef, Asn1Type, + Asn1BitStringRef, Asn1Enumerated, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, + Asn1OctetStringRef, Asn1StringRef, Asn1TimeRef, Asn1Type, }; use crate::bio::MemBioSlice; use crate::conf::ConfRef; @@ -842,6 +842,13 @@ impl X509Extension { /// mini-language that can read arbitrary files. /// /// See the extension module for builder types which will construct certain common extensions. + /// + /// This function is deprecated, `X509Extension::new_from_der` or the + /// types in `x509::extension` should be used in its place. + #[deprecated( + note = "Use x509::extension types or new_from_der instead", + since = "0.10.51" + )] pub fn new( conf: Option<&ConfRef>, context: Option<&X509v3Context<'_>>, @@ -887,6 +894,13 @@ impl X509Extension { /// mini-language that can read arbitrary files. /// /// See the extension module for builder types which will construct certain common extensions. + /// + /// This function is deprecated, `X509Extension::new_from_der` or the + /// types in `x509::extension` should be used in its place. + #[deprecated( + note = "Use x509::extension types or new_from_der instead", + since = "0.10.51" + )] pub fn new_nid( conf: Option<&ConfRef>, context: Option<&X509v3Context<'_>>, @@ -921,6 +935,31 @@ impl X509Extension { } } + /// Constructs a new X509 extension value from its OID, whether it's + /// critical, and its DER contents. + /// + /// The extent structure of the DER value will vary based on the + /// extension type, and can generally be found in the RFC defining the + /// extension. + /// + /// For common extension types, there are Rust APIs provided in + /// `openssl::x509::extensions` which are more ergonomic. + pub fn new_from_der( + oid: &Asn1ObjectRef, + critical: bool, + der_contents: &Asn1OctetStringRef, + ) -> Result { + unsafe { + cvt_p(ffi::X509_EXTENSION_create_by_OBJ( + ptr::null_mut(), + oid.as_ptr(), + critical as _, + der_contents.as_ptr(), + )) + .map(X509Extension) + } + } + pub(crate) unsafe fn new_internal( nid: Nid, critical: bool, @@ -936,6 +975,10 @@ impl X509Extension { /// /// This method modifies global state without locking and therefore is not thread safe #[corresponds(X509V3_EXT_add_alias)] + #[deprecated( + note = "Use x509::extension types or new_from_der and then this is not necessary", + since = "0.10.51" + )] pub unsafe fn add_alias(to: Nid, from: Nid) -> Result<(), ErrorStack> { ffi::init(); cvt(ffi::X509V3_EXT_add_alias(to.as_raw(), from.as_raw())).map(|_| ()) diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 81801358b1..4e01d8d8a3 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -1,6 +1,6 @@ use std::cmp::Ordering; -use crate::asn1::Asn1Time; +use crate::asn1::{Asn1Object, Asn1OctetString, Asn1Time}; use crate::bn::{BigNum, MsbOption}; use crate::hash::MessageDigest; use crate::nid::Nid; @@ -290,6 +290,8 @@ fn x509_builder() { } #[test] +// This tests `X509Extension::new`, even though its deprecated. +#[allow(deprecated)] fn x509_extension_new() { assert!(X509Extension::new(None, None, "crlDistributionPoints", "section").is_err()); assert!(X509Extension::new(None, None, "proxyCertInfo", "").is_err()); @@ -297,6 +299,20 @@ fn x509_extension_new() { assert!(X509Extension::new(None, None, "subjectAltName", "dirName:section").is_err()); } +#[test] +fn x509_extension_new_from_der() { + let ext = X509Extension::new_from_der( + &Asn1Object::from_str("2.5.29.19").unwrap(), + true, + &Asn1OctetString::new_from_bytes(b"\x30\x03\x01\x01\xff").unwrap(), + ) + .unwrap(); + assert_eq!( + ext.to_der().unwrap(), + b"0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff" + ); +} + #[test] fn x509_extension_to_der() { let builder = X509::builder().unwrap(); From babb61c3812f85c25bb4fd105d46a2659823a8f9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Apr 2023 16:30:40 -0600 Subject: [PATCH 189/341] Release openssl v0.10.51 and openssl-sys v0.9.86 --- openssl-sys/CHANGELOG.md | 16 ++++++++++++++-- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 17 ++++++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 33 insertions(+), 6 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index b5d487759b..20e599b8ab 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,17 @@ ## [Unreleased] +## [v0.9.86] - 2023-04-20 + +### Fixed + +* Fixed BoringSSL support with the latest bindgen release. + +### Added + +* Added bindings for PKCS#7 functions and more X.509 functions. + + ## [v0.9.85] - 2023-04-09 ### Added @@ -424,8 +435,9 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85..master -[v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.85 +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86..master +[v0.9.86]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.86 +[v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.84...openssl-sys-v0.9.85 [v0.9.84]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.83...openssl-sys-v0.9.84 [v0.9.83]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.82...openssl-sys-v0.9.83 [v0.9.82]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.81...openssl-sys-v0.9.82 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index cad799a3a4..c5cced2880 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.85" +version = "0.9.86" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 3730cf5ce5..f4eca89166 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,20 @@ ## [Unreleased] +## [v0.10.51] - 2023-04-20 + +### Added + +* Added `X509RevokedRef::issuer_name` and `X509RevokedRef::reason_code`. +* Added `Dh::set_key` and `Dh::set_public_key` +* Added `Asn1OctetString` and `Asn1OctetStringRef1` +* Added `X509Extension::new_from_der` + +### Deprecated + +* Deprecated `X509Extension::new` and `X509Extension::new_nid` in favor of `X509Extension::new_from_der` and the `extensions` module. +* Deprecated `X509Extension::add_alias`, it is not required with `new_from_der` or the `extensions` module. + ## [v0.10.50] - 2023-04-09 ### Added @@ -724,7 +738,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...master +[v0.10.51]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...openssl-v0.10.51 [v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 [v0.10.49]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.48...openssl-v0.10.49 [v0.10.48]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...openssl-v0.10.48 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 699273d114..ba72250c92 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.50" +version = "0.10.51" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.85", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.86", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 0a3cca2178a08a318cacc5c4d4938daf55ac3979 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Apr 2023 18:37:40 -0600 Subject: [PATCH 190/341] Expose BigNum::to_vec_padded on libressl --- openssl-sys/src/handwritten/bn.rs | 2 +- openssl/src/bn.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/handwritten/bn.rs b/openssl-sys/src/handwritten/bn.rs index 81348f692a..5457f61710 100644 --- a/openssl-sys/src/handwritten/bn.rs +++ b/openssl-sys/src/handwritten/bn.rs @@ -23,7 +23,7 @@ extern "C" { pub fn BN_clear_free(bn: *mut BIGNUM); pub fn BN_bin2bn(s: *const u8, size: c_int, ret: *mut BIGNUM) -> *mut BIGNUM; pub fn BN_bn2bin(a: *const BIGNUM, to: *mut u8) -> c_int; - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl340))] pub fn BN_bn2binpad(a: *const BIGNUM, to: *mut u8, tolen: c_int) -> c_int; pub fn BN_sub(r: *mut BIGNUM, a: *const BIGNUM, b: *const BIGNUM) -> c_int; pub fn BN_add(r: *mut BIGNUM, a: *const BIGNUM, b: *const BIGNUM) -> c_int; diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index 0328730a23..5cfe4b375d 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -814,7 +814,7 @@ impl BigNumRef { /// assert_eq!(&bn_vec, &[0, 0, 0x45, 0x43]); /// ``` #[corresponds(BN_bn2binpad)] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl340, boringssl))] pub fn to_vec_padded(&self, pad_to: i32) -> Result, ErrorStack> { let mut v = Vec::with_capacity(pad_to as usize); unsafe { From 4438bd5092f396111dc367fbda6abd54ff6f126f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 20 Apr 2023 20:54:16 -0600 Subject: [PATCH 191/341] add support for DH check key I am sorry, no one should need this. Stop doing finite field DH. Fields weren't meant to be finite --- openssl-sys/src/handwritten/dh.rs | 1 + openssl/src/dh.rs | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/openssl-sys/src/handwritten/dh.rs b/openssl-sys/src/handwritten/dh.rs index a4de122eac..87a0817ce5 100644 --- a/openssl-sys/src/handwritten/dh.rs +++ b/openssl-sys/src/handwritten/dh.rs @@ -3,6 +3,7 @@ use super::super::*; extern "C" { pub fn DH_new() -> *mut DH; pub fn DH_free(dh: *mut DH); + pub fn DH_check(dh: *const DH, codes: *mut c_int) -> c_int; pub fn DH_generate_parameters( prime_len: c_int, diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index f7246975b3..7445e3408c 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -39,6 +39,16 @@ where params_to_der, ffi::i2d_DHparams } + + /// Validates DH parameters for correctness + #[corresponds(DH_check_key)] + pub fn check_key(&self) -> Result { + unsafe { + let mut codes = 0; + cvt(ffi::DH_check(self.as_ptr(), &mut codes))?; + Ok(codes == 0) + } + } } impl Dh { @@ -457,4 +467,14 @@ mod tests { assert_eq!(shared_a, shared_b); } + + #[test] + fn test_dh_check_key() { + let dh1 = Dh::generate_params(512, 2).unwrap(); + let p = BigNum::from_hex_str("04").unwrap(); + let g = BigNum::from_hex_str("02").unwrap(); + let dh2 = Dh::from_pqg(p, None, g).unwrap(); + assert!(dh1.check_key().unwrap()); + assert!(!dh2.check_key().unwrap()); + } } From 1c46f360af0c141ae755562bd7090e25264f3e9f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 20 Apr 2023 21:58:04 -0600 Subject: [PATCH 192/341] add poly1305 EVP_PKEY type --- openssl-sys/src/evp.rs | 2 ++ openssl-sys/src/obj_mac.rs | 2 ++ openssl/src/pkey.rs | 2 ++ 3 files changed, 6 insertions(+) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 69b49fbb0b..72ca2434fc 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -20,6 +20,8 @@ pub const EVP_PKEY_X448: c_int = NID_X448; pub const EVP_PKEY_ED448: c_int = NID_ED448; pub const EVP_PKEY_HMAC: c_int = NID_hmac; pub const EVP_PKEY_CMAC: c_int = NID_cmac; +#[cfg(ossl111)] +pub const EVP_PKEY_POLY1305: c_int = NID_poly1305; #[cfg(ossl110)] pub const EVP_PKEY_HKDF: c_int = NID_hkdf; diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 1f8e10003a..22bfccba3f 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -927,6 +927,8 @@ pub const NID_X448: c_int = 1035; #[cfg(ossl110)] pub const NID_hkdf: c_int = 1036; #[cfg(ossl111)] +pub const NID_poly1305: c_int = 1061; +#[cfg(ossl111)] pub const NID_ED25519: c_int = 1087; #[cfg(libressl370)] pub const NID_ED25519: c_int = 952; diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index c03b181c80..cec1c482e1 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -97,6 +97,8 @@ impl Id { pub const X25519: Id = Id(ffi::EVP_PKEY_X25519); #[cfg(ossl111)] pub const X448: Id = Id(ffi::EVP_PKEY_X448); + #[cfg(ossl111)] + pub const POLY1305: Id = Id(ffi::EVP_PKEY_POLY1305); /// Creates a `Id` from an integer representation. pub fn from_raw(value: c_int) -> Id { From e073b4d2b06596acfa6cf380c030ca7843a78fda Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Tue, 18 Apr 2023 23:36:09 +0800 Subject: [PATCH 193/341] add more x509 extension helper functions --- openssl-sys/src/handwritten/x509v3.rs | 8 ++++++ openssl/src/x509/mod.rs | 40 +++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 4a15f3df5f..fb517df904 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -102,6 +102,14 @@ extern "C" { pub fn X509_get_key_usage(x: *mut X509) -> u32; #[cfg(ossl110)] pub fn X509_get_extended_key_usage(x: *mut X509) -> u32; + #[cfg(ossl110)] + pub fn X509_get0_subject_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; + #[cfg(ossl110)] + pub fn X509_get0_authority_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; + #[cfg(ossl110)] + pub fn X509_get0_authority_issuer(x: *mut X509) -> *const stack_st_GENERAL_NAME; + #[cfg(ossl110)] + pub fn X509_get0_authority_serial(x: *mut X509) -> *const ASN1_INTEGER; } #[repr(C)] diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index ea6fc13b72..796ee2f09f 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -483,6 +483,46 @@ impl X509Ref { } } + /// Returns this certificate's subject key id, if it exists. + #[corresponds(X509_get0_subject_key_id)] + #[cfg(ossl110)] + pub fn subject_key_id(&self) -> Option<&Asn1StringRef> { + unsafe { + let data = ffi::X509_get0_subject_key_id(self.as_ptr()); + Asn1StringRef::from_const_ptr_opt(data as *const _) + } + } + + /// Returns this certificate's authority key id, if it exists. + #[corresponds(X509_get0_authority_key_id)] + #[cfg(ossl110)] + pub fn authority_key_id(&self) -> Option<&Asn1StringRef> { + unsafe { + let data = ffi::X509_get0_authority_key_id(self.as_ptr()); + Asn1StringRef::from_const_ptr_opt(data as *const _) + } + } + + /// Returns this certificate's authority issuer name entries, if they exist. + #[corresponds(X509_get0_authority_issuer)] + #[cfg(ossl110)] + pub fn authority_issuer(&self) -> Option> { + unsafe { + let stack = ffi::X509_get0_authority_issuer(self.as_ptr()); + Stack::from_ptr_opt(stack as *mut _) + } + } + + /// Returns this certificate's authority serial number, if it exists. + #[corresponds(X509_get0_authority_serial)] + #[cfg(ossl110)] + pub fn authority_serial(&self) -> Option<&Asn1IntegerRef> { + unsafe { + let r = ffi::X509_get0_authority_serial(self.as_ptr()); + Asn1IntegerRef::from_const_ptr_opt(r) + } + } + #[corresponds(X509_get_pubkey)] pub fn public_key(&self) -> Result, ErrorStack> { unsafe { From e8108cb202dc38b0f272c7df1fee79d0723bc6d8 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Tue, 18 Apr 2023 23:46:11 +0800 Subject: [PATCH 194/341] update cfg flag --- openssl-sys/src/handwritten/x509v3.rs | 14 +++++++------- openssl/src/x509/mod.rs | 8 ++++---- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index fb517df904..08f1648435 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -96,19 +96,19 @@ extern "C" { indent: c_int, ) -> c_int; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get_extension_flags(x: *mut X509) -> u32; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get_key_usage(x: *mut X509) -> u32; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get_extended_key_usage(x: *mut X509) -> u32; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get0_subject_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get0_authority_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get0_authority_issuer(x: *mut X509) -> *const stack_st_GENERAL_NAME; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get0_authority_serial(x: *mut X509) -> *const ASN1_INTEGER; } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 796ee2f09f..d0ca9d3c63 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -485,7 +485,7 @@ impl X509Ref { /// Returns this certificate's subject key id, if it exists. #[corresponds(X509_get0_subject_key_id)] - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn subject_key_id(&self) -> Option<&Asn1StringRef> { unsafe { let data = ffi::X509_get0_subject_key_id(self.as_ptr()); @@ -495,7 +495,7 @@ impl X509Ref { /// Returns this certificate's authority key id, if it exists. #[corresponds(X509_get0_authority_key_id)] - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn authority_key_id(&self) -> Option<&Asn1StringRef> { unsafe { let data = ffi::X509_get0_authority_key_id(self.as_ptr()); @@ -505,7 +505,7 @@ impl X509Ref { /// Returns this certificate's authority issuer name entries, if they exist. #[corresponds(X509_get0_authority_issuer)] - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn authority_issuer(&self) -> Option> { unsafe { let stack = ffi::X509_get0_authority_issuer(self.as_ptr()); @@ -515,7 +515,7 @@ impl X509Ref { /// Returns this certificate's authority serial number, if it exists. #[corresponds(X509_get0_authority_serial)] - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn authority_serial(&self) -> Option<&Asn1IntegerRef> { unsafe { let r = ffi::X509_get0_authority_serial(self.as_ptr()); From eefdcd0435626e3689a18d394769b35798c0bf63 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Fri, 21 Apr 2023 22:18:55 +0800 Subject: [PATCH 195/341] update cfg condition and use new Asn1OctetString --- openssl-sys/src/handwritten/x509v3.rs | 10 +++++----- openssl/src/x509/mod.rs | 12 ++++++------ 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 08f1648435..09a92640b6 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -96,15 +96,15 @@ extern "C" { indent: c_int, ) -> c_int; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get_extension_flags(x: *mut X509) -> u32; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get_key_usage(x: *mut X509) -> u32; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get_extended_key_usage(x: *mut X509) -> u32; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get0_subject_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get0_authority_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; #[cfg(ossl111)] pub fn X509_get0_authority_issuer(x: *mut X509) -> *const stack_st_GENERAL_NAME; diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index d0ca9d3c63..2946ee1e63 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -485,21 +485,21 @@ impl X509Ref { /// Returns this certificate's subject key id, if it exists. #[corresponds(X509_get0_subject_key_id)] - #[cfg(ossl111)] - pub fn subject_key_id(&self) -> Option<&Asn1StringRef> { + #[cfg(ossl110)] + pub fn subject_key_id(&self) -> Option<&Asn1OctetStringRef> { unsafe { let data = ffi::X509_get0_subject_key_id(self.as_ptr()); - Asn1StringRef::from_const_ptr_opt(data as *const _) + Asn1OctetStringRef::from_const_ptr_opt(data) } } /// Returns this certificate's authority key id, if it exists. #[corresponds(X509_get0_authority_key_id)] - #[cfg(ossl111)] - pub fn authority_key_id(&self) -> Option<&Asn1StringRef> { + #[cfg(ossl110)] + pub fn authority_key_id(&self) -> Option<&Asn1OctetStringRef> { unsafe { let data = ffi::X509_get0_authority_key_id(self.as_ptr()); - Asn1StringRef::from_const_ptr_opt(data as *const _) + Asn1OctetStringRef::from_const_ptr_opt(data) } } From ec747f417ed9c18f43498c175ac656edb635b915 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 22 Apr 2023 09:07:52 -0600 Subject: [PATCH 196/341] Don't restrict the Signer lifetime Creating a new EVP_PKEY_CTX uprefs the EVP_PKEY --- openssl/src/sign.rs | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 406bb42e8f..a32f5c9144 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -117,10 +117,10 @@ pub struct Signer<'a> { _p: PhantomData<&'a ()>, } -unsafe impl<'a> Sync for Signer<'a> {} -unsafe impl<'a> Send for Signer<'a> {} +unsafe impl Sync for Signer<'_> {} +unsafe impl Send for Signer<'_> {} -impl<'a> Drop for Signer<'a> { +impl Drop for Signer<'_> { fn drop(&mut self) { // pkey_ctx is owned by the md_ctx, so no need to explicitly free it. unsafe { @@ -130,7 +130,7 @@ impl<'a> Drop for Signer<'a> { } #[allow(clippy::len_without_is_empty)] -impl<'a> Signer<'a> { +impl Signer<'_> { /// Creates a new `Signer`. /// /// This cannot be used with Ed25519 or Ed448 keys. Please refer to @@ -139,7 +139,7 @@ impl<'a> Signer<'a> { /// OpenSSL documentation at [`EVP_DigestSignInit`]. /// /// [`EVP_DigestSignInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html - pub fn new(type_: MessageDigest, pkey: &'a PKeyRef) -> Result, ErrorStack> + pub fn new<'a, T>(type_: MessageDigest, pkey: &PKeyRef) -> Result, ErrorStack> where T: HasPrivate, { @@ -154,16 +154,16 @@ impl<'a> Signer<'a> { /// OpenSSL documentation at [`EVP_DigestSignInit`]. /// /// [`EVP_DigestSignInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html - pub fn new_without_digest(pkey: &'a PKeyRef) -> Result, ErrorStack> + pub fn new_without_digest<'a, T>(pkey: &PKeyRef) -> Result, ErrorStack> where T: HasPrivate, { Self::new_intern(None, pkey) } - fn new_intern( + fn new_intern<'a, T>( type_: Option, - pkey: &'a PKeyRef, + pkey: &PKeyRef, ) -> Result, ErrorStack> where T: HasPrivate, From 3f2e02bbff532f2c6aa28950cfe8dd1108144f5e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 22 Apr 2023 13:42:21 -0600 Subject: [PATCH 197/341] add low level cmac bindings these are deprecated in ossl3, but the only common interface across openssl, libressl, and boring --- openssl-sys/src/handwritten/cmac.rs | 18 ++++++++++++++++++ openssl-sys/src/handwritten/mod.rs | 2 ++ openssl-sys/src/handwritten/types.rs | 2 ++ systest/build.rs | 1 + 4 files changed, 23 insertions(+) create mode 100644 openssl-sys/src/handwritten/cmac.rs diff --git a/openssl-sys/src/handwritten/cmac.rs b/openssl-sys/src/handwritten/cmac.rs new file mode 100644 index 0000000000..e44094d21a --- /dev/null +++ b/openssl-sys/src/handwritten/cmac.rs @@ -0,0 +1,18 @@ +use libc::*; + +use super::super::*; + +extern "C" { + pub fn CMAC_CTX_new() -> *mut CMAC_CTX; + pub fn CMAC_CTX_free(ctx: *mut CMAC_CTX); + pub fn CMAC_Init( + ctx: *mut CMAC_CTX, + key: *const c_void, + len: size_t, + cipher: *const EVP_CIPHER, + impl_: *mut ENGINE, + ) -> c_int; + pub fn CMAC_Update(ctx: *mut CMAC_CTX, data: *const c_void, len: size_t) -> c_int; + pub fn CMAC_Final(ctx: *mut CMAC_CTX, out: *mut c_uchar, len: *mut size_t) -> c_int; + pub fn CMAC_CTX_copy(dst: *mut CMAC_CTX, src: *const CMAC_CTX) -> c_int; +} diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index 28aa4aecd0..9c0f844501 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -2,6 +2,7 @@ pub use self::aes::*; pub use self::asn1::*; pub use self::bio::*; pub use self::bn::*; +pub use self::cmac::*; pub use self::cms::*; pub use self::conf::*; pub use self::crypto::*; @@ -35,6 +36,7 @@ mod aes; mod asn1; mod bio; mod bn; +mod cmac; mod cms; mod conf; mod crypto; diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index 84724f35ef..06354728f2 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -125,6 +125,8 @@ pub enum EVP_PKEY_ASN1_METHOD {} pub enum EVP_PKEY_CTX {} +pub enum CMAC_CTX {} + cfg_if! { if #[cfg(any(ossl110, libressl280))] { pub enum HMAC_CTX {} diff --git a/systest/build.rs b/systest/build.rs index 2efcdfe1bf..6d3ac3a3d3 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -56,6 +56,7 @@ fn main() { .header("openssl/bio.h") .header("openssl/x509v3.h") .header("openssl/safestack.h") + .header("openssl/cmac.h") .header("openssl/hmac.h") .header("openssl/obj_mac.h") .header("openssl/ssl.h") From 0dc14f7ffa279e0b6a29ef35d6ce832da3ca53d1 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 22 Apr 2023 13:53:22 -0600 Subject: [PATCH 198/341] add cmac to bindgen too --- openssl-sys/build/run_bindgen.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 3361786357..4fa9ec66f2 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -12,6 +12,7 @@ const INCLUDES: &str = " #include #include #include +#include #include #include #include From 0257e2611d01127607b724a043642b01adf41706 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 22 Apr 2023 14:45:19 -0600 Subject: [PATCH 199/341] Expose pbkdf2_hmac and scrypt on BoringSSL --- openssl/src/lib.rs | 1 - openssl/src/pkcs5.rs | 26 +++++++++++++++----------- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 7829b79cba..c2c390cc1b 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -165,7 +165,6 @@ pub mod nid; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_OCSP")))] pub mod ocsp; pub mod pkcs12; -#[cfg(not(boringssl))] pub mod pkcs5; #[cfg(not(boringssl))] pub mod pkcs7; diff --git a/openssl/src/pkcs5.rs b/openssl/src/pkcs5.rs index c15ce47761..cd704e8256 100644 --- a/openssl/src/pkcs5.rs +++ b/openssl/src/pkcs5.rs @@ -1,9 +1,13 @@ +#[cfg(not(boringssl))] use libc::c_int; +use std::convert::TryInto; +#[cfg(not(boringssl))] use std::ptr; use crate::cvt; use crate::error::ErrorStack; use crate::hash::MessageDigest; +#[cfg(not(boringssl))] use crate::symm::Cipher; use openssl_macros::corresponds; @@ -25,6 +29,7 @@ pub struct KeyIvPair { /// `pbkdf2_hmac` or another more modern key derivation algorithm. #[corresponds(EVP_BytesToKey)] #[allow(clippy::useless_conversion)] +#[cfg(not(boringssl))] pub fn bytes_to_key( cipher: Cipher, digest: MessageDigest, @@ -91,19 +96,15 @@ pub fn pbkdf2_hmac( key: &mut [u8], ) -> Result<(), ErrorStack> { unsafe { - assert!(pass.len() <= c_int::max_value() as usize); - assert!(salt.len() <= c_int::max_value() as usize); - assert!(key.len() <= c_int::max_value() as usize); - ffi::init(); cvt(ffi::PKCS5_PBKDF2_HMAC( pass.as_ptr() as *const _, - pass.len() as c_int, + pass.len().try_into().unwrap(), salt.as_ptr(), - salt.len() as c_int, - iter as c_int, + salt.len().try_into().unwrap(), + iter.try_into().unwrap(), hash.as_ptr(), - key.len() as c_int, + key.len().try_into().unwrap(), key.as_mut_ptr(), )) .map(|_| ()) @@ -114,7 +115,8 @@ pub fn pbkdf2_hmac( /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PBE_scrypt)] -#[cfg(any(ossl110))] +#[cfg(any(ossl110, boringssl))] +#[allow(clippy::useless_conversion)] pub fn scrypt( pass: &[u8], salt: &[u8], @@ -134,7 +136,7 @@ pub fn scrypt( n, r, p, - maxmem, + maxmem.try_into().unwrap(), key.as_mut_ptr() as *mut _, key.len(), )) @@ -145,6 +147,7 @@ pub fn scrypt( #[cfg(test)] mod tests { use crate::hash::MessageDigest; + #[cfg(not(boringssl))] use crate::symm::Cipher; // Test vectors from @@ -246,6 +249,7 @@ mod tests { } #[test] + #[cfg(not(boringssl))] fn bytes_to_key() { let salt = [16_u8, 34_u8, 19_u8, 23_u8, 141_u8, 4_u8, 207_u8, 221_u8]; @@ -282,7 +286,7 @@ mod tests { } #[test] - #[cfg(any(ossl110))] + #[cfg(any(ossl110, boringssl))] fn scrypt() { let pass = "pleaseletmein"; let salt = "SodiumChloride"; From 8f23c2f6fa527657fa4d98cd6ac808d301d1aae7 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 22 Apr 2023 16:13:48 -0600 Subject: [PATCH 200/341] binding to get fips status for ossl300 --- openssl-sys/src/handwritten/evp.rs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 1a05b7eae3..050d2c88bb 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -65,6 +65,14 @@ cfg_if! { } } +cfg_if! { + if #[cfg(ossl300)] { + extern "C" { + pub fn EVP_default_properties_is_fips_enabled(libctx: *mut OSSL_LIB_CTX) -> c_int; + } + } +} + extern "C" { pub fn EVP_DigestInit_ex(ctx: *mut EVP_MD_CTX, typ: *const EVP_MD, imple: *mut ENGINE) -> c_int; From bdba0d3f39b46dadceeca6b08aef142039ddb949 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Sun, 23 Apr 2023 19:25:27 +0800 Subject: [PATCH 201/341] addi ski and aki tests --- openssl/src/x509/mod.rs | 4 ++-- openssl/src/x509/tests.rs | 26 ++++++++++++++++++++++++++ openssl/test/github.pem | 31 +++++++++++++++++++++++++++++++ 3 files changed, 59 insertions(+), 2 deletions(-) create mode 100644 openssl/test/github.pem diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 2946ee1e63..2753d09124 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -506,10 +506,10 @@ impl X509Ref { /// Returns this certificate's authority issuer name entries, if they exist. #[corresponds(X509_get0_authority_issuer)] #[cfg(ossl111)] - pub fn authority_issuer(&self) -> Option> { + pub fn authority_issuer(&self) -> Option<&StackRef> { unsafe { let stack = ffi::X509_get0_authority_issuer(self.as_ptr()); - Stack::from_ptr_opt(stack as *mut _) + StackRef::from_const_ptr_opt(stack) } } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 4e01d8d8a3..d33f0c0821 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -168,6 +168,32 @@ fn test_subject_alt_name() { assert_eq!(Some("http://www.example.com"), subject_alt_names[4].uri()); } +#[test] +#[cfg(ossl110)] +fn test_subject_key_id() { + let cert = include_bytes!("../../test/github.pem"); + let cert = X509::from_pem(cert).unwrap(); + + let subject_key_id = cert.subject_key_id().unwrap(); + assert_eq!( + subject_key_id.as_slice(), + &b"\xC7\x07\x27\x78\x85\xF2\x9D\x33\xC9\x4C\x5E\x56\x7D\x5C\xD6\x8E\x72\x67\xEB\xDE"[..] + ); +} + +#[test] +#[cfg(ossl110)] +fn test_authority_key_id() { + let cert = include_bytes!("../../test/github.pem"); + let cert = X509::from_pem(cert).unwrap(); + + let subject_key_id = cert.authority_key_id().unwrap(); + assert_eq!( + subject_key_id.as_slice(), + &b"\x0A\xBC\x08\x29\x17\x8C\xA5\x39\x6D\x7A\x0E\xCE\x33\xC7\x2E\xB3\xED\xFB\xC3\x7A"[..] + ); +} + #[test] fn test_subject_alt_name_iter() { let cert = include_bytes!("../../test/alt_name_cert.pem"); diff --git a/openssl/test/github.pem b/openssl/test/github.pem new file mode 100644 index 0000000000..34bcb44322 --- /dev/null +++ b/openssl/test/github.pem @@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFajCCBPGgAwIBAgIQDNCovsYyz+ZF7KCpsIT7HDAKBggqhkjOPQQDAzBWMQsw +CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp +Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjMwMjE0MDAw +MDAwWhcNMjQwMzE0MjM1OTU5WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs +aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEChMMR2l0SHVi +LCBJbmMuMRMwEQYDVQQDEwpnaXRodWIuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0D +AQcDQgAEo6QDRgPfRlFWy8k5qyLN52xZlnqToPu5QByQMog2xgl2nFD1Vfd2Xmgg +nO4i7YMMFTAQQUReMqyQodWq8uVDs6OCA48wggOLMB8GA1UdIwQYMBaAFAq8CCkX +jKU5bXoOzjPHLrPt+8N6MB0GA1UdDgQWBBTHByd4hfKdM8lMXlZ9XNaOcmfr3jAl +BgNVHREEHjAcggpnaXRodWIuY29tgg53d3cuZ2l0aHViLmNvbTAOBgNVHQ8BAf8E +BAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMIGbBgNVHR8EgZMw +gZAwRqBEoEKGQGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5 +YnJpZEVDQ1NIQTM4NDIwMjBDQTEtMS5jcmwwRqBEoEKGQGh0dHA6Ly9jcmw0LmRp +Z2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NIQTM4NDIwMjBDQTEtMS5j +cmwwPgYDVR0gBDcwNTAzBgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3 +dy5kaWdpY2VydC5jb20vQ1BTMIGFBggrBgEFBQcBAQR5MHcwJAYIKwYBBQUHMAGG +GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBPBggrBgEFBQcwAoZDaHR0cDovL2Nh +Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VExTSHlicmlkRUNDU0hBMzg0MjAy +MENBMS0xLmNydDAJBgNVHRMEAjAAMIIBgAYKKwYBBAHWeQIEAgSCAXAEggFsAWoA +dwDuzdBk1dsazsVct520zROiModGfLzs3sNRSFlGcR+1mwAAAYZQ3Rv6AAAEAwBI +MEYCIQDkFq7T4iy6gp+pefJLxpRS7U3gh8xQymmxtI8FdzqU6wIhALWfw/nLD63Q +YPIwG3EFchINvWUfB6mcU0t2lRIEpr8uAHYASLDja9qmRzQP5WoC+p0w6xxSActW +3SyB2bu/qznYhHMAAAGGUN0cKwAABAMARzBFAiAePGAyfiBR9dbhr31N9ZfESC5G +V2uGBTcyTyUENrH3twIhAPwJfsB8A4MmNr2nW+sdE1n2YiCObW+3DTHr2/UR7lvU +AHcAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1yb+H61BcAAAGGUN0cOgAABAMA +SDBGAiEAzOBr9OZ0+6OSZyFTiywN64PysN0FLeLRyL5jmEsYrDYCIQDu0jtgWiMI +KU6CM0dKcqUWLkaFE23c2iWAhYAHqrFRRzAKBggqhkjOPQQDAwNnADBkAjAE3A3U +3jSZCpwfqOHBdlxi9ASgKTU+wg0qw3FqtfQ31OwLYFdxh0MlNk/HwkjRSWgCMFbQ +vMkXEPvNvv4t30K6xtpG26qmZ+6OiISBIIXMljWnsiYR1gyZnTzIg3AQSw4Vmw== +-----END CERTIFICATE----- From 57bd34d614db206703ee2435a3d62cf3a7eb6481 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Sun, 23 Apr 2023 22:39:19 +0800 Subject: [PATCH 202/341] add more tests --- openssl/src/x509/tests.rs | 33 ++++++++++++++++++----- openssl/test/authority_key_identifier.pem | 19 +++++++++++++ openssl/test/github.pem | 31 --------------------- 3 files changed, 46 insertions(+), 37 deletions(-) create mode 100644 openssl/test/authority_key_identifier.pem delete mode 100644 openssl/test/github.pem diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index d33f0c0821..748d70dbba 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -171,29 +171,50 @@ fn test_subject_alt_name() { #[test] #[cfg(ossl110)] fn test_subject_key_id() { - let cert = include_bytes!("../../test/github.pem"); + let cert = include_bytes!("../../test/certv3.pem"); let cert = X509::from_pem(cert).unwrap(); let subject_key_id = cert.subject_key_id().unwrap(); assert_eq!( subject_key_id.as_slice(), - &b"\xC7\x07\x27\x78\x85\xF2\x9D\x33\xC9\x4C\x5E\x56\x7D\x5C\xD6\x8E\x72\x67\xEB\xDE"[..] + &b"\xB6\x73\x2F\x61\xA5\x4B\xA1\xEF\x48\x2C\x15\xB1\x9F\xF3\xDC\x34\x2F\xBC\xAC\x30"[..] ); } #[test] #[cfg(ossl110)] fn test_authority_key_id() { - let cert = include_bytes!("../../test/github.pem"); + let cert = include_bytes!("../../test/certv3.pem"); let cert = X509::from_pem(cert).unwrap(); - let subject_key_id = cert.authority_key_id().unwrap(); + let authority_key_id = cert.authority_key_id().unwrap(); assert_eq!( - subject_key_id.as_slice(), - &b"\x0A\xBC\x08\x29\x17\x8C\xA5\x39\x6D\x7A\x0E\xCE\x33\xC7\x2E\xB3\xED\xFB\xC3\x7A"[..] + authority_key_id.as_slice(), + &b"\x6C\xD3\xA5\x03\xAB\x0D\x5F\x2C\xC9\x8D\x8A\x9C\x88\xA7\x88\x77\xB8\x37\xFD\x9A"[..] ); } +#[test] +fn test_authority_issuer_and_serial() { + let cert = include_bytes!("../../test/authority_key_identifier.pem"); + let cert = X509::from_pem(cert).unwrap(); + + let authority_issuer = cert.authority_issuer().unwrap(); + assert_eq!(1, authority_issuer.len()); + let dn = authority_issuer[0].directory_name().unwrap(); + let mut o = dn.entries_by_nid(Nid::ORGANIZATIONNAME); + let o = o.next().unwrap().data().as_utf8().unwrap(); + assert_eq!(o.as_bytes(), b"PyCA"); + let mut cn = dn.entries_by_nid(Nid::COMMONNAME); + let cn = cn.next().unwrap().data().as_utf8().unwrap(); + assert_eq!(cn.as_bytes(), b"cryptography.io"); + + let authority_serial = cert.authority_serial().unwrap(); + let serial = authority_serial.to_bn().unwrap(); + let expected = BigNum::from_u32(3).unwrap(); + assert_eq!(serial, expected); +} + #[test] fn test_subject_alt_name_iter() { let cert = include_bytes!("../../test/alt_name_cert.pem"); diff --git a/openssl/test/authority_key_identifier.pem b/openssl/test/authority_key_identifier.pem new file mode 100644 index 0000000000..cbe9169fc9 --- /dev/null +++ b/openssl/test/authority_key_identifier.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDIjCCAgqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADApMQ0wCwYDVQQKDARQeUNB +MRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wHhcNMTUwNTAzMDk0OTU2WhcNMTYw +NTAyMDk0OTU2WjApMQ0wCwYDVQQKDARQeUNBMRgwFgYDVQQDDA9jcnlwdG9ncmFw +aHkuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCadi1UZioxdnP +ajqlRZHeKsSxvXXhgrWvlt91P3gV0dBThRFhJsLOhjNLz6PO6KeRbjz9GhTA2hdk +xtIpXrjvTv9dEJ1/k0xebsHWgFC43aTlgekw0U4cMwMe5NGeeg1tfzbJwldIN+cK +vabc08ADlkmM6DMnUArkzA2yii0DErRFMSIGrkDr6E9puord3h6Mh8Jfnc3TDAq8 +Qo1DI2XM7oFSWNfecQ9KbIC5wzzT+7Shoyz7QmCk/XhRzt8Xcfc3yAXIwazvLf8b +YP1auaSG11a5E+w6onj91h8UHKKOXu+rdq5YYPZ+qUYpxA7ZJ/VAGadMulYbXaO8 +Syi39HTpAgMBAAGjVTBTMFEGA1UdIwRKMEiAFDlFPso9Yh3qhkn2WqtAt6RwmPHs +oS2kKzApMQ0wCwYDVQQKDARQeUNBMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW+C +AQMwDQYJKoZIhvcNAQEFBQADggEBAFbZYy6aZJUK/f7nJx2Rs/ht6hMbM32/RoXZ +JGbYapNVqVu/vymcfc/se3FHS5OVmPsnRlo/FIKDn/r5DGl73Sn/FvDJiLJZFucT +msyYuHZ+ZRYWzWmN2fcB3cfxj0s3qps6f5OoCOqoINOSe4HRGlw4X9keZSD+3xAt +vHNwQdlPC7zWbPdrzLT+FqR0e/O81vFJJS6drHJWqPcR3NQVtZw+UF7A/HKwbfeL +Nu2zj6165hzOi9HUxa2/mPr/eLUUV1sTzXp2+TFjt3rVCjW1XnpMLdwNBHzjpyAB +dTOX3iw0+BPy3s2jtnCW1PLpc74kvSTaBwhg74sq39EXfIKax00= +-----END CERTIFICATE----- diff --git a/openssl/test/github.pem b/openssl/test/github.pem deleted file mode 100644 index 34bcb44322..0000000000 --- a/openssl/test/github.pem +++ /dev/null @@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFajCCBPGgAwIBAgIQDNCovsYyz+ZF7KCpsIT7HDAKBggqhkjOPQQDAzBWMQsw -CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp -Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjMwMjE0MDAw -MDAwWhcNMjQwMzE0MjM1OTU5WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs -aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEChMMR2l0SHVi -LCBJbmMuMRMwEQYDVQQDEwpnaXRodWIuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0D -AQcDQgAEo6QDRgPfRlFWy8k5qyLN52xZlnqToPu5QByQMog2xgl2nFD1Vfd2Xmgg -nO4i7YMMFTAQQUReMqyQodWq8uVDs6OCA48wggOLMB8GA1UdIwQYMBaAFAq8CCkX -jKU5bXoOzjPHLrPt+8N6MB0GA1UdDgQWBBTHByd4hfKdM8lMXlZ9XNaOcmfr3jAl -BgNVHREEHjAcggpnaXRodWIuY29tgg53d3cuZ2l0aHViLmNvbTAOBgNVHQ8BAf8E -BAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMIGbBgNVHR8EgZMw -gZAwRqBEoEKGQGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5 -YnJpZEVDQ1NIQTM4NDIwMjBDQTEtMS5jcmwwRqBEoEKGQGh0dHA6Ly9jcmw0LmRp -Z2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NIQTM4NDIwMjBDQTEtMS5j -cmwwPgYDVR0gBDcwNTAzBgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3 -dy5kaWdpY2VydC5jb20vQ1BTMIGFBggrBgEFBQcBAQR5MHcwJAYIKwYBBQUHMAGG -GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBPBggrBgEFBQcwAoZDaHR0cDovL2Nh -Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VExTSHlicmlkRUNDU0hBMzg0MjAy -MENBMS0xLmNydDAJBgNVHRMEAjAAMIIBgAYKKwYBBAHWeQIEAgSCAXAEggFsAWoA -dwDuzdBk1dsazsVct520zROiModGfLzs3sNRSFlGcR+1mwAAAYZQ3Rv6AAAEAwBI -MEYCIQDkFq7T4iy6gp+pefJLxpRS7U3gh8xQymmxtI8FdzqU6wIhALWfw/nLD63Q -YPIwG3EFchINvWUfB6mcU0t2lRIEpr8uAHYASLDja9qmRzQP5WoC+p0w6xxSActW -3SyB2bu/qznYhHMAAAGGUN0cKwAABAMARzBFAiAePGAyfiBR9dbhr31N9ZfESC5G -V2uGBTcyTyUENrH3twIhAPwJfsB8A4MmNr2nW+sdE1n2YiCObW+3DTHr2/UR7lvU -AHcAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1yb+H61BcAAAGGUN0cOgAABAMA -SDBGAiEAzOBr9OZ0+6OSZyFTiywN64PysN0FLeLRyL5jmEsYrDYCIQDu0jtgWiMI -KU6CM0dKcqUWLkaFE23c2iWAhYAHqrFRRzAKBggqhkjOPQQDAwNnADBkAjAE3A3U -3jSZCpwfqOHBdlxi9ASgKTU+wg0qw3FqtfQ31OwLYFdxh0MlNk/HwkjRSWgCMFbQ -vMkXEPvNvv4t30K6xtpG26qmZ+6OiISBIIXMljWnsiYR1gyZnTzIg3AQSw4Vmw== ------END CERTIFICATE----- From c9db15a8ef94f1404b931107f4637cab77f071d6 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Sun, 23 Apr 2023 22:41:58 +0800 Subject: [PATCH 203/341] add missing feature flag --- openssl/src/x509/tests.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 748d70dbba..d4dbf316d2 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -195,6 +195,7 @@ fn test_authority_key_id() { } #[test] +#[cfg(ossl111)] fn test_authority_issuer_and_serial() { let cert = include_bytes!("../../test/authority_key_identifier.pem"); let cert = X509::from_pem(cert).unwrap(); From 5ddf89fcd828890c38c36deff9a6bd58df9ce857 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 24 Apr 2023 15:56:02 -0600 Subject: [PATCH 204/341] changelog and version bumps for openssl and openssl-sys --- openssl-sys/CHANGELOG.md | 14 +++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 12 +++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 27 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 20e599b8ab..324ff1a82a 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,17 @@ ## [Unreleased] +## [v0.9.87] - 2023-04-24 + +### Added + +* Added `DH_CHECK`. +* Added `CMAC_CTX_new`, `CMAC_CTX_free`, `CMAC_Init`, `CMAC_Update`, `CMAC_Final`, and `CMAC_CTX_copy`. +* Added `EVP_default_properties_is_fips_enabled`. +* Added `X509_get0_subject_key_id`, `X509_get0_authority_key_id`, `X509_get0_authority_issuer`, and `X509_get0_authority_serial`. +* Added `NID_poly1305`. + + ## [v0.9.86] - 2023-04-20 ### Fixed @@ -435,7 +446,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87..master +[v0.9.87]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86...openssl-sys-v0.9.87 [v0.9.86]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.86 [v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.84...openssl-sys-v0.9.85 [v0.9.84]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.83...openssl-sys-v0.9.84 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index c5cced2880..811318bbaf 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.86" +version = "0.9.87" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index f4eca89166..c62da00a1b 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,15 @@ ## [Unreleased] +## [v0.10.52] - 2023-04-24 + +### Added + +* Added `DhRef::check_key`. +* Added `Id::POLY1305`. +* Added `X509Ref::subject_key_id`, `X509Ref::authority_key_id`, `X509Ref::authority_issuer`, and `X509Ref::authority_serial`. + + ## [v0.10.51] - 2023-04-20 ### Added @@ -738,7 +747,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...master +[v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...openssl-v0.10.52 [v0.10.51]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...openssl-v0.10.51 [v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 [v0.10.49]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.48...openssl-v0.10.49 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index ba72250c92..addf5cb060 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.51" +version = "0.10.52" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.86", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.87", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From e483e782c2b0204787501281a35aadc352f7a2ad Mon Sep 17 00:00:00 2001 From: Andrew Walbran Date: Wed, 26 Apr 2023 15:43:13 +0100 Subject: [PATCH 205/341] Update to bitflags 2.2.1. This is a new major version so some code changes are required. --- openssl/Cargo.toml | 2 +- openssl/src/cms.rs | 2 ++ openssl/src/ocsp.rs | 2 ++ openssl/src/pkcs7.rs | 14 ++++++++------ openssl/src/ssl/mod.rs | 36 ++++++++++++++++++++++++++---------- openssl/src/x509/verify.rs | 18 ++++++++++++++---- 6 files changed, 53 insertions(+), 21 deletions(-) diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index addf5cb060..67ad335675 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -23,7 +23,7 @@ unstable_boringssl = ["ffi/unstable_boringssl"] default = [] [dependencies] -bitflags = "1.0" +bitflags = "2.2.1" cfg-if = "1.0" foreign-types = "0.3.1" libc = "0.2" diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index 6b6aa9fd8c..d11443b5ce 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -20,6 +20,8 @@ use crate::{cvt, cvt_p}; use openssl_macros::corresponds; bitflags! { + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct CMSOptions : c_uint { const TEXT = ffi::CMS_TEXT; const CMS_NOCERTS = ffi::CMS_NOCERTS; diff --git a/openssl/src/ocsp.rs b/openssl/src/ocsp.rs index 7506d34fb3..93a5d36b7e 100644 --- a/openssl/src/ocsp.rs +++ b/openssl/src/ocsp.rs @@ -15,6 +15,8 @@ use crate::{cvt, cvt_p}; use openssl_macros::corresponds; bitflags! { + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct OcspFlag: c_ulong { const NO_CERTS = ffi::OCSP_NOCERTS; const NO_INTERN = ffi::OCSP_NOINTERN; diff --git a/openssl/src/pkcs7.rs b/openssl/src/pkcs7.rs index ae4571db85..a272c598b8 100644 --- a/openssl/src/pkcs7.rs +++ b/openssl/src/pkcs7.rs @@ -28,6 +28,8 @@ foreign_type_and_impl_send_sync! { } bitflags! { + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct Pkcs7Flags: c_int { const TEXT = ffi::PKCS7_TEXT; const NOCERTS = ffi::PKCS7_NOCERTS; @@ -111,7 +113,7 @@ impl Pkcs7 { certs.as_ptr(), input_bio.as_ptr(), cipher.as_ptr(), - flags.bits, + flags.bits(), )) .map(Pkcs7) } @@ -141,7 +143,7 @@ impl Pkcs7 { pkey.as_ptr(), certs.as_ptr(), input_bio.as_ptr(), - flags.bits, + flags.bits(), )) .map(Pkcs7) } @@ -159,7 +161,7 @@ impl Pkcs7Ref { output.as_ptr(), self.as_ptr(), input_bio.as_ptr(), - flags.bits, + flags.bits(), )) .map(|_| output.get_buf().to_owned()) } @@ -205,7 +207,7 @@ impl Pkcs7Ref { pkey.as_ptr(), cert.as_ptr(), output.as_ptr(), - flags.bits, + flags.bits(), )) .map(|_| output.get_buf().to_owned()) } @@ -241,7 +243,7 @@ impl Pkcs7Ref { store.as_ptr(), indata_bio_ptr, out_bio.as_ptr(), - flags.bits, + flags.bits(), )) .map(|_| ())? } @@ -265,7 +267,7 @@ impl Pkcs7Ref { let ptr = cvt_p(ffi::PKCS7_get0_signers( self.as_ptr(), certs.as_ptr(), - flags.bits, + flags.bits(), ))?; // The returned stack is owned by the caller, but the certs inside are not! Our stack interface can't deal diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 5b8775c98c..b9e4e20bc8 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -143,6 +143,8 @@ cfg_if! { bitflags! { /// Options controlling the behavior of an `SslContext`. + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct SslOptions: SslOptionsRepr { /// Disables a countermeasure against an SSLv3/TLSv1.0 vulnerability affecting CBC ciphers. const DONT_INSERT_EMPTY_FRAGMENTS = ffi::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS as SslOptionsRepr; @@ -281,6 +283,8 @@ bitflags! { bitflags! { /// Options controlling the behavior of an `SslContext`. + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct SslMode: SslBitType { /// Enables "short writes". /// @@ -378,6 +382,8 @@ unsafe impl Send for SslMethod {} bitflags! { /// Options controlling the behavior of certificate verification. + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct SslVerifyMode: i32 { /// Verifies that the peer's certificate is trusted. /// @@ -410,6 +416,8 @@ type SslTimeTy = c_long; bitflags! { /// Options controlling the behavior of session caching. + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct SslSessionCacheMode: SslBitType { /// No session caching for the client or server takes place. const OFF = ffi::SSL_SESS_CACHE_OFF; @@ -447,6 +455,8 @@ bitflags! { #[cfg(ossl111)] bitflags! { /// Which messages and under which conditions an extension should be added or expected. + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct ExtensionContext: c_uint { /// This extension is only allowed in TLS const TLS_ONLY = ffi::SSL_EXT_TLS_ONLY; @@ -735,7 +745,7 @@ impl SslContextBuilder { #[corresponds(SSL_CTX_set_verify)] pub fn set_verify(&mut self, mode: SslVerifyMode) { unsafe { - ffi::SSL_CTX_set_verify(self.as_ptr(), mode.bits as c_int, None); + ffi::SSL_CTX_set_verify(self.as_ptr(), mode.bits() as c_int, None); } } @@ -752,7 +762,7 @@ impl SslContextBuilder { { unsafe { self.set_ex_data(SslContext::cached_ex_index::(), verify); - ffi::SSL_CTX_set_verify(self.as_ptr(), mode.bits as c_int, Some(raw_verify::)); + ffi::SSL_CTX_set_verify(self.as_ptr(), mode.bits() as c_int, Some(raw_verify::)); } } @@ -839,7 +849,7 @@ impl SslContextBuilder { pub fn set_mode(&mut self, mode: SslMode) -> SslMode { unsafe { let bits = ffi::SSL_CTX_set_mode(self.as_ptr(), mode.bits() as MtuTy) as SslBitType; - SslMode { bits } + SslMode::from_bits_retain(bits) } } @@ -1111,14 +1121,14 @@ impl SslContextBuilder { pub fn set_options(&mut self, option: SslOptions) -> SslOptions { let bits = unsafe { ffi::SSL_CTX_set_options(self.as_ptr(), option.bits()) } as SslOptionsRepr; - SslOptions { bits } + SslOptions::from_bits_retain(bits) } /// Returns the options used by the context. #[corresponds(SSL_CTX_get_options)] pub fn options(&self) -> SslOptions { let bits = unsafe { ffi::SSL_CTX_get_options(self.as_ptr()) } as SslOptionsRepr; - SslOptions { bits } + SslOptions::from_bits_retain(bits) } /// Clears the options used by the context, returning the old set. @@ -1126,7 +1136,7 @@ impl SslContextBuilder { pub fn clear_options(&mut self, option: SslOptions) -> SslOptions { let bits = unsafe { ffi::SSL_CTX_clear_options(self.as_ptr(), option.bits()) } as SslOptionsRepr; - SslOptions { bits } + SslOptions::from_bits_retain(bits) } /// Sets the minimum supported protocol version. @@ -1475,7 +1485,7 @@ impl SslContextBuilder { pub fn set_session_cache_mode(&mut self, mode: SslSessionCacheMode) -> SslSessionCacheMode { unsafe { let bits = ffi::SSL_CTX_set_session_cache_mode(self.as_ptr(), mode.bits()); - SslSessionCacheMode { bits } + SslSessionCacheMode::from_bits_retain(bits) } } @@ -2333,7 +2343,7 @@ impl SslRef { /// [`SslContextBuilder::set_verify`]: struct.SslContextBuilder.html#method.set_verify #[corresponds(SSL_set_verify)] pub fn set_verify(&mut self, mode: SslVerifyMode) { - unsafe { ffi::SSL_set_verify(self.as_ptr(), mode.bits as c_int, None) } + unsafe { ffi::SSL_set_verify(self.as_ptr(), mode.bits() as c_int, None) } } /// Returns the verify mode that was set using `set_verify`. @@ -2354,7 +2364,11 @@ impl SslRef { unsafe { // this needs to be in an Arc since the callback can register a new callback! self.set_ex_data(Ssl::cached_ex_index(), Arc::new(verify)); - ffi::SSL_set_verify(self.as_ptr(), mode.bits as c_int, Some(ssl_raw_verify::)); + ffi::SSL_set_verify( + self.as_ptr(), + mode.bits() as c_int, + Some(ssl_raw_verify::), + ); } } @@ -3666,7 +3680,7 @@ impl SslStream { pub fn get_shutdown(&mut self) -> ShutdownState { unsafe { let bits = ffi::SSL_get_shutdown(self.ssl.as_ptr()); - ShutdownState { bits } + ShutdownState::from_bits_retain(bits) } } @@ -3999,6 +4013,8 @@ pub enum ShutdownResult { bitflags! { /// The shutdown state of a session. + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct ShutdownState: c_int { /// A close notify message has been sent to the peer. const SENT = ffi::SSL_SENT_SHUTDOWN; diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index b0e22ef462..edd50764eb 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -11,6 +11,8 @@ use openssl_macros::corresponds; bitflags! { /// Flags used to check an `X509` certificate. + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct X509CheckFlags: c_uint { const ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT; const NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS; @@ -28,6 +30,8 @@ bitflags! { bitflags! { /// Flags used to verify an `X509` certificate chain. + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct X509VerifyFlags: c_ulong { const CB_ISSUER_CHECK = ffi::X509_V_FLAG_CB_ISSUER_CHECK; const USE_CHECK_TIME = ffi::X509_V_FLAG_USE_CHECK_TIME; @@ -87,14 +91,20 @@ impl X509VerifyParamRef { #[corresponds(X509_VERIFY_PARAM_set_hostflags)] pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) { unsafe { - ffi::X509_VERIFY_PARAM_set_hostflags(self.as_ptr(), hostflags.bits); + ffi::X509_VERIFY_PARAM_set_hostflags(self.as_ptr(), hostflags.bits()); } } /// Set verification flags. #[corresponds(X509_VERIFY_PARAM_set_flags)] pub fn set_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> { - unsafe { cvt(ffi::X509_VERIFY_PARAM_set_flags(self.as_ptr(), flags.bits)).map(|_| ()) } + unsafe { + cvt(ffi::X509_VERIFY_PARAM_set_flags( + self.as_ptr(), + flags.bits(), + )) + .map(|_| ()) + } } /// Clear verification flags. @@ -103,7 +113,7 @@ impl X509VerifyParamRef { unsafe { cvt(ffi::X509_VERIFY_PARAM_clear_flags( self.as_ptr(), - flags.bits, + flags.bits(), )) .map(|_| ()) } @@ -113,7 +123,7 @@ impl X509VerifyParamRef { #[corresponds(X509_VERIFY_PARAM_get_flags)] pub fn flags(&mut self) -> X509VerifyFlags { let bits = unsafe { ffi::X509_VERIFY_PARAM_get_flags(self.as_ptr()) }; - X509VerifyFlags { bits } + X509VerifyFlags::from_bits_retain(bits) } /// Set the expected DNS hostname. From 7756ab8a9a0faed77b674f2b44736ec31a726713 Mon Sep 17 00:00:00 2001 From: Naomi Kirby Date: Wed, 26 Apr 2023 14:46:10 -0700 Subject: [PATCH 206/341] Fix link errors for X509_get0_authority_xxx methods on Ubuntu/bionic --- openssl-sys/build/cfgs.rs | 3 +++ openssl-sys/src/handwritten/x509v3.rs | 4 ++-- openssl/src/x509/mod.rs | 4 ++-- openssl/src/x509/tests.rs | 2 +- 4 files changed, 8 insertions(+), 5 deletions(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index 960515f00f..f09ec29b53 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -91,6 +91,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if openssl_version >= 0x1_01_01_03_0 { cfgs.push("ossl111c"); } + if openssl_version >= 0x1_01_01_04_0 { + cfgs.push("ossl111d"); + } } cfgs diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 09a92640b6..7789b629a6 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -106,9 +106,9 @@ extern "C" { pub fn X509_get0_subject_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; #[cfg(ossl110)] pub fn X509_get0_authority_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; - #[cfg(ossl111)] + #[cfg(ossl111d)] pub fn X509_get0_authority_issuer(x: *mut X509) -> *const stack_st_GENERAL_NAME; - #[cfg(ossl111)] + #[cfg(ossl111d)] pub fn X509_get0_authority_serial(x: *mut X509) -> *const ASN1_INTEGER; } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 2753d09124..a8e298bf3f 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -505,7 +505,7 @@ impl X509Ref { /// Returns this certificate's authority issuer name entries, if they exist. #[corresponds(X509_get0_authority_issuer)] - #[cfg(ossl111)] + #[cfg(ossl111d)] pub fn authority_issuer(&self) -> Option<&StackRef> { unsafe { let stack = ffi::X509_get0_authority_issuer(self.as_ptr()); @@ -515,7 +515,7 @@ impl X509Ref { /// Returns this certificate's authority serial number, if it exists. #[corresponds(X509_get0_authority_serial)] - #[cfg(ossl111)] + #[cfg(ossl111d)] pub fn authority_serial(&self) -> Option<&Asn1IntegerRef> { unsafe { let r = ffi::X509_get0_authority_serial(self.as_ptr()); diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index d4dbf316d2..c5ea6accf3 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -195,7 +195,7 @@ fn test_authority_key_id() { } #[test] -#[cfg(ossl111)] +#[cfg(ossl111d)] fn test_authority_issuer_and_serial() { let cert = include_bytes!("../../test/authority_key_identifier.pem"); let cert = X509::from_pem(cert).unwrap(); From 34260b833fe5fc66b8322ce106f0f970cb99a10e Mon Sep 17 00:00:00 2001 From: Naomi Kirby Date: Wed, 26 Apr 2023 15:24:33 -0700 Subject: [PATCH 207/341] Check for OPENSSL_NO_RC4 when using EVP_rc4 --- openssl-sys/build/expando.c | 4 ++++ openssl-sys/src/handwritten/evp.rs | 1 + openssl/src/cipher.rs | 1 + openssl/src/symm.rs | 1 + 4 files changed, 7 insertions(+) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index 11fb04db0c..54681a0b95 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -79,6 +79,10 @@ RUST_CONF_OPENSSL_NO_OCSP RUST_CONF_OPENSSL_NO_PSK #endif +#ifdef OPENSSL_NO_RC4 +RUST_CONF_OPENSSL_NO_RC4 +#endif + #ifdef OPENSSL_NO_RFC3779 RUST_CONF_OPENSSL_NO_RFC3779 #endif diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 050d2c88bb..db018e9a42 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -311,6 +311,7 @@ extern "C" { pub fn EVP_des_ede3_cbc() -> *const EVP_CIPHER; pub fn EVP_des_ede3_cfb64() -> *const EVP_CIPHER; pub fn EVP_des_cbc() -> *const EVP_CIPHER; + #[cfg(not(osslconf = "OPENSSL_NO_RC4"))] pub fn EVP_rc4() -> *const EVP_CIPHER; pub fn EVP_bf_ecb() -> *const EVP_CIPHER; pub fn EVP_bf_cbc() -> *const EVP_CIPHER; diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index aeedf459aa..87f7660cde 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -324,6 +324,7 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_des_ede3_cfb64() as *mut _) } } + #[cfg(not(osslconf = "OPENSSL_NO_RC4"))] pub fn rc4() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_rc4() as *mut _) } } diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 911a7ab2e7..611080805f 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -283,6 +283,7 @@ impl Cipher { unsafe { Cipher(ffi::EVP_des_ede3_cfb64()) } } + #[cfg(not(osslconf = "OPENSSL_NO_RC4"))] pub fn rc4() -> Cipher { unsafe { Cipher(ffi::EVP_rc4()) } } From cd3803ec016258366b56607355f1a63738ddaf2c Mon Sep 17 00:00:00 2001 From: Naomi Kirby Date: Wed, 26 Apr 2023 15:53:11 -0700 Subject: [PATCH 208/341] Fix tests on Ubuntu/bionic too --- openssl-sys/src/handwritten/ssl.rs | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index f179a04ab1..039e2d9116 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -905,9 +905,13 @@ extern "C" { #[cfg(ossl111)] pub fn SSL_set_num_tickets(s: *mut SSL, num_tickets: size_t) -> c_int; - #[cfg(ossl111)] + #[cfg(ossl111b)] pub fn SSL_CTX_get_num_tickets(ctx: *const SSL_CTX) -> size_t; + #[cfg(all(ossl111, not(ossl111b)))] + pub fn SSL_CTX_get_num_tickets(ctx: *mut SSL_CTX) -> size_t; - #[cfg(ossl111)] + #[cfg(ossl111b)] pub fn SSL_get_num_tickets(s: *const SSL) -> size_t; + #[cfg(all(ossl111, not(ossl111b)))] + pub fn SSL_get_num_tickets(s: *mut SSL) -> size_t; } From dd2ce585e469979e70fa5a368bc0ed975ba7d016 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Tue, 2 May 2023 22:39:01 +0800 Subject: [PATCH 209/341] add X509::pathlen --- openssl-sys/src/handwritten/x509v3.rs | 2 ++ openssl/src/x509/mod.rs | 8 ++++++++ openssl/src/x509/tests.rs | 16 ++++++++++++++++ 3 files changed, 26 insertions(+) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 7789b629a6..f92441134e 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -96,6 +96,8 @@ extern "C" { indent: c_int, ) -> c_int; + #[cfg(ossl110)] + pub fn X509_get_pathlen(x: *mut X509) -> c_long; #[cfg(ossl110)] pub fn X509_get_extension_flags(x: *mut X509) -> u32; #[cfg(ossl110)] diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index a8e298bf3f..2b2f8a50d8 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -483,6 +483,14 @@ impl X509Ref { } } + /// Retrieves the path length extension from a certificate, if it exists. + #[corresponds(X509_get_pathlen)] + #[cfg(ossl110)] + pub fn pathlen(&self) -> Option { + let v = unsafe { ffi::X509_get_pathlen(self.as_ptr()) }; + u32::try_from(v).ok() + } + /// Returns this certificate's subject key id, if it exists. #[corresponds(X509_get0_subject_key_id)] #[cfg(ossl110)] diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index c5ea6accf3..a3f3cd8803 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -168,6 +168,22 @@ fn test_subject_alt_name() { assert_eq!(Some("http://www.example.com"), subject_alt_names[4].uri()); } +#[test] +#[cfg(ossl110)] +fn test_retrieve_pathlen() { + let cert = include_bytes!("../../test/root-ca.pem"); + let cert = X509::from_pem(cert).unwrap(); + assert_eq!(cert.pathlen(), None); + + let cert = include_bytes!("../../test/intermediate-ca.pem"); + let cert = X509::from_pem(cert).unwrap(); + assert_eq!(cert.pathlen(), Some(0)); + + let cert = include_bytes!("../../test/alt_name_cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + assert_eq!(cert.pathlen(), None); +} + #[test] #[cfg(ossl110)] fn test_subject_key_id() { From 7e6d518499c98b554ceb2707ed3f7724cd4716f5 Mon Sep 17 00:00:00 2001 From: Louis Hampton Date: Fri, 12 May 2023 10:36:51 +0100 Subject: [PATCH 210/341] Add bindings to SSL_bytes_to_cipher_list --- openssl-sys/src/handwritten/ssl.rs | 9 +++++ openssl/src/ssl/mod.rs | 54 +++++++++++++++++++++++++++++- openssl/src/ssl/test/mod.rs | 3 ++ 3 files changed, 65 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index 039e2d9116..d4f4b619f4 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -648,6 +648,15 @@ extern "C" { num: size_t, readbytes: *mut size_t, ) -> c_int; + #[cfg(ossl111)] + pub fn SSL_bytes_to_cipher_list( + s: *mut SSL, + bytes: *const c_uchar, + len: size_t, + isv2format: c_int, + sk: *mut *mut stack_st_SSL_CIPHER, + scsvs: *mut *mut stack_st_SSL_CIPHER, + ) -> c_int; } extern "C" { diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 5b8775c98c..3bd10052ed 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -72,7 +72,7 @@ use crate::srtp::{SrtpProtectionProfile, SrtpProtectionProfileRef}; use crate::ssl::bio::BioMethod; use crate::ssl::callbacks::*; use crate::ssl::error::InnerError; -use crate::stack::{Stack, StackRef}; +use crate::stack::{Stack, StackRef, Stackable}; use crate::util::{ForeignTypeExt, ForeignTypeRefExt}; use crate::x509::store::{X509Store, X509StoreBuilderRef, X509StoreRef}; #[cfg(any(ossl102, libressl261))] @@ -1940,6 +1940,10 @@ impl ForeignType for SslCipher { } } +impl Stackable for SslCipher { + type StackType = ffi::stack_st_SSL_CIPHER; +} + impl Deref for SslCipher { type Target = SslCipherRef; @@ -2056,6 +2060,19 @@ impl SslCipherRef { } } +impl fmt::Debug for SslCipherRef { + fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result { + write!(fmt, "{}", self.name()) + } +} + +/// A stack of selected ciphers, and a stack of selected signalling cipher suites +#[derive(Debug)] +pub struct CipherLists { + pub suites: Stack, + pub signalling_suites: Stack, +} + foreign_type_and_impl_send_sync! { type CType = ffi::SSL_SESSION; fn drop = ffi::SSL_SESSION_free; @@ -3083,6 +3100,41 @@ impl SslRef { } } + /// Decodes a slice of wire-format cipher suite specification bytes. Unsupported cipher suites + /// are ignored. + /// + /// Requires OpenSSL 1.1.1 or newer. + #[corresponds(SSL_bytes_to_cipher_list)] + #[cfg(ossl111)] + pub fn bytes_to_ciphers_stack( + &self, + bytes: &[u8], + isv2format: bool, + ) -> Result { + unsafe { + let ptr = bytes.as_ptr(); + let len = bytes.len(); + let mut sk = ptr::null_mut(); + let mut scsvs = ptr::null_mut(); + let res = ffi::SSL_bytes_to_cipher_list( + self.as_ptr(), + ptr, + len, + isv2format as c_int, + &mut sk, + &mut scsvs, + ); + if res == 1 { + Ok(CipherLists { + suites: Stack::from_ptr(sk), + signalling_suites: Stack::from_ptr(scsvs), + }) + } else { + Err(ErrorStack::get()) + } + } + } + /// Returns the compression methods field of the client's hello message. /// /// This can only be used inside of the client hello callback. Otherwise, `None` is returned. diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index a34309a7d6..bbad911ca8 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1458,6 +1458,9 @@ fn client_hello() { assert!(ssl.client_hello_session_id().is_some()); assert!(ssl.client_hello_ciphers().is_some()); assert!(ssl.client_hello_compression_methods().is_some()); + assert!(ssl + .bytes_to_ciphers_stack(ssl.client_hello_ciphers().unwrap(), ssl.client_hello_isv2()) + .is_ok()); CALLED_BACK.store(true, Ordering::SeqCst); Ok(ClientHelloResponse::SUCCESS) From da9eeddb05a2fd0d56b1cea16878f501bc987b0f Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 14 May 2023 20:14:24 -0400 Subject: [PATCH 211/341] rename --- openssl/src/ssl/mod.rs | 2 +- openssl/src/ssl/test/mod.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 3bd10052ed..0feaced213 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3106,7 +3106,7 @@ impl SslRef { /// Requires OpenSSL 1.1.1 or newer. #[corresponds(SSL_bytes_to_cipher_list)] #[cfg(ossl111)] - pub fn bytes_to_ciphers_stack( + pub fn bytes_to_cipher_list( &self, bytes: &[u8], isv2format: bool, diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index bbad911ca8..39cc054df2 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1459,7 +1459,7 @@ fn client_hello() { assert!(ssl.client_hello_ciphers().is_some()); assert!(ssl.client_hello_compression_methods().is_some()); assert!(ssl - .bytes_to_ciphers_stack(ssl.client_hello_ciphers().unwrap(), ssl.client_hello_isv2()) + .bytes_to_cipher_list(ssl.client_hello_ciphers().unwrap(), ssl.client_hello_isv2()) .is_ok()); CALLED_BACK.store(true, Ordering::SeqCst); From 0194e3f9decf0820615ce5b70f26433ac15eaba7 Mon Sep 17 00:00:00 2001 From: Andrew Scull Date: Mon, 15 May 2023 21:39:50 +0000 Subject: [PATCH 212/341] Add boringssl hkdf derivation --- openssl/src/pkey.rs | 2 +- openssl/src/pkey_ctx.rs | 21 +++++++++++++++------ 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index cec1c482e1..82a0a9d136 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -86,7 +86,7 @@ impl Id { pub const DH: Id = Id(ffi::EVP_PKEY_DH); pub const EC: Id = Id(ffi::EVP_PKEY_EC); - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); #[cfg(any(ossl111, boringssl, libressl370))] diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index 42289b9f48..aba8a66a32 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -485,7 +485,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set_hkdf_md)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn set_hkdf_md(&mut self, digest: &MdRef) -> Result<(), ErrorStack> { unsafe { @@ -527,10 +527,13 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_key)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn set_hkdf_key(&mut self, key: &[u8]) -> Result<(), ErrorStack> { + #[cfg(not(boringssl))] let len = c_int::try_from(key.len()).unwrap(); + #[cfg(boringssl)] + let len = key.len(); unsafe { cvt(ffi::EVP_PKEY_CTX_set1_hkdf_key( @@ -549,10 +552,13 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_salt)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn set_hkdf_salt(&mut self, salt: &[u8]) -> Result<(), ErrorStack> { + #[cfg(not(boringssl))] let len = c_int::try_from(salt.len()).unwrap(); + #[cfg(boringssl)] + let len = salt.len(); unsafe { cvt(ffi::EVP_PKEY_CTX_set1_hkdf_salt( @@ -571,10 +577,13 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_add1_hkdf_info)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn add_hkdf_info(&mut self, info: &[u8]) -> Result<(), ErrorStack> { + #[cfg(not(boringssl))] let len = c_int::try_from(info.len()).unwrap(); + #[cfg(boringssl)] + let len = info.len(); unsafe { cvt(ffi::EVP_PKEY_CTX_add1_hkdf_info( @@ -632,7 +641,7 @@ mod test { #[cfg(not(boringssl))] use crate::cipher::Cipher; use crate::ec::{EcGroup, EcKey}; - #[cfg(any(ossl102, libressl310))] + #[cfg(any(ossl102, libressl310, boringssl))] use crate::md::Md; use crate::nid::Nid; use crate::pkey::PKey; @@ -717,7 +726,7 @@ mod test { } #[test] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] fn hkdf() { let mut ctx = PkeyCtx::new_id(Id::HKDF).unwrap(); ctx.derive_init().unwrap(); From 56e94e335ce7519b0c5e2ae7e530730a83220d18 Mon Sep 17 00:00:00 2001 From: Felix Huettner Date: Mon, 1 May 2023 21:14:10 +0200 Subject: [PATCH 213/341] add other name support the issue with other name SANs is that they can contain arbitary data. As we can no longer use the old method for other_name for security reasons we now add `other_name2` as an alternative. --- openssl-sys/src/handwritten/asn1.rs | 9 ++++++++ openssl-sys/src/handwritten/x509v3.rs | 5 +++++ openssl/src/asn1.rs | 1 + openssl/src/x509/extension.rs | 23 +++++++++++++++----- openssl/src/x509/mod.rs | 31 +++++++++++++++++++++++++++ openssl/src/x509/tests.rs | 28 ++++++++++++++++++++++++ 6 files changed, 92 insertions(+), 5 deletions(-) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index fa43a7a5c1..16ffcccfe7 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -10,6 +10,7 @@ pub struct ASN1_ENCODING { extern "C" { pub fn ASN1_OBJECT_free(x: *mut ASN1_OBJECT); + pub fn OBJ_dup(x: *const ASN1_OBJECT) -> *mut ASN1_OBJECT; } stack!(stack_st_ASN1_OBJECT); @@ -94,7 +95,14 @@ extern "C" { #[cfg(ossl110)] pub fn ASN1_ENUMERATED_get_int64(pr: *mut i64, a: *const ASN1_ENUMERATED) -> c_int; + pub fn ASN1_TYPE_new() -> *mut ASN1_TYPE; + pub fn ASN1_TYPE_set(a: *mut ASN1_TYPE, type_: c_int, value: *mut c_void); pub fn ASN1_TYPE_free(x: *mut ASN1_TYPE); + pub fn d2i_ASN1_TYPE( + k: *mut *mut ASN1_TYPE, + buf: *mut *const u8, + len: c_long, + ) -> *mut ASN1_TYPE; } const_ptr_api! { @@ -102,5 +110,6 @@ const_ptr_api! { pub fn ASN1_STRING_to_UTF8(out: *mut *mut c_uchar, s: #[const_ptr_if(any(ossl110, libressl280))] ASN1_STRING) -> c_int; pub fn ASN1_STRING_type(x: #[const_ptr_if(any(ossl110, libressl280))] ASN1_STRING) -> c_int; pub fn ASN1_generate_v3(str: #[const_ptr_if(any(ossl110, libressl280))] c_char, cnf: *mut X509V3_CTX) -> *mut ASN1_TYPE; + pub fn i2d_ASN1_TYPE(a: #[const_ptr_if(ossl300)] ASN1_TYPE, pp: *mut *mut c_uchar) -> c_int; } } diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index f92441134e..2ee0452597 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -6,6 +6,11 @@ pub enum CONF_METHOD {} extern "C" { pub fn GENERAL_NAME_new() -> *mut GENERAL_NAME; pub fn GENERAL_NAME_free(name: *mut GENERAL_NAME); + pub fn GENERAL_NAME_set0_othername( + gen: *mut GENERAL_NAME, + oid: *mut ASN1_OBJECT, + value: *mut ASN1_TYPE, + ) -> c_int; } #[repr(C)] diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index d75e05166e..0e720ae0b3 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -655,6 +655,7 @@ impl Asn1OctetStringRef { foreign_type_and_impl_send_sync! { type CType = ffi::ASN1_OBJECT; fn drop = ffi::ASN1_OBJECT_free; + fn clone = ffi::OBJ_dup; /// Object Identifier /// diff --git a/openssl/src/x509/extension.rs b/openssl/src/x509/extension.rs index 075227dec3..11e0151530 100644 --- a/openssl/src/x509/extension.rs +++ b/openssl/src/x509/extension.rs @@ -434,6 +434,7 @@ enum RustGeneralName { Uri(String), Ip(String), Rid(String), + OtherName(Asn1Object, Vec), } /// An extension that allows additional identities to be bound to the subject @@ -506,12 +507,21 @@ impl SubjectAlternativeName { /// Sets the `otherName` flag. /// - /// Not currently actually supported, always panics. - #[deprecated = "other_name is deprecated and always panics. Please file a bug if you have a use case for this."] + /// Not currently actually supported, always panics. Please use other_name2 + #[deprecated = "other_name is deprecated and always panics. Please use other_name2."] pub fn other_name(&mut self, _other_name: &str) -> &mut SubjectAlternativeName { - unimplemented!( - "This has not yet been adapted for the new internals. File a bug if you need this." - ); + unimplemented!("This has not yet been adapted for the new internals. Use other_name2."); + } + + /// Sets the `otherName` flag. + /// + /// `content` must be a valid der encoded ASN1_TYPE + /// + /// If you want to add just a ia5string use `other_name_ia5string` + pub fn other_name2(&mut self, oid: Asn1Object, content: &[u8]) -> &mut SubjectAlternativeName { + self.items + .push(RustGeneralName::OtherName(oid, content.into())); + self } /// Return a `SubjectAlternativeName` extension as an `X509Extension`. @@ -526,6 +536,9 @@ impl SubjectAlternativeName { GeneralName::new_ip(s.parse().map_err(|_| ErrorStack::get())?)? } RustGeneralName::Rid(s) => GeneralName::new_rid(Asn1Object::from_str(s)?)?, + RustGeneralName::OtherName(oid, content) => { + GeneralName::new_other_name(oid.clone(), content)? + } }; stack.push(gn)?; } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 2b2f8a50d8..4325b132e3 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -2054,6 +2054,37 @@ impl GeneralName { Ok(GeneralName::from_ptr(gn)) } } + + pub(crate) fn new_other_name( + oid: Asn1Object, + value: &Vec, + ) -> Result { + unsafe { + ffi::init(); + + let typ = cvt_p(ffi::d2i_ASN1_TYPE( + ptr::null_mut(), + &mut value.as_ptr().cast(), + value.len().try_into().unwrap(), + ))?; + + let gn = cvt_p(ffi::GENERAL_NAME_new())?; + (*gn).type_ = ffi::GEN_OTHERNAME; + + if let Err(e) = cvt(ffi::GENERAL_NAME_set0_othername( + gn, + oid.as_ptr().cast(), + typ, + )) { + ffi::GENERAL_NAME_free(gn); + return Err(e); + } + + mem::forget(oid); + + Ok(GeneralName::from_ptr(gn)) + } + } } impl GeneralNameRef { diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index a3f3cd8803..da3ce2fed2 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -27,6 +27,9 @@ use crate::x509::{CrlReason, X509Builder}; use crate::x509::{ CrlStatus, X509Crl, X509Extension, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509, }; + +#[cfg(ossl110)] +use foreign_types::ForeignType; use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] use libc::time_t; @@ -1105,6 +1108,31 @@ fn ipv6_as_subject_alternative_name_is_formatted_in_debug() { ]); } +#[cfg(ossl110)] +#[test] +fn other_name_as_subject_alternative_name() { + let oid = Asn1Object::from_str("1.3.6.1.5.5.7.8.11").unwrap(); + // this is the hex representation of "test" encoded as a ia5string + let content = [0x16, 0x04, 0x74, 0x65, 0x73, 0x74]; + + let mut builder = X509Builder::new().unwrap(); + let san = SubjectAlternativeName::new() + .other_name2(oid, &content) + .build(&builder.x509v3_context(None, None)) + .unwrap(); + builder.append_extension(san).unwrap(); + let cert = builder.build(); + let general_name = cert + .subject_alt_names() + .into_iter() + .flatten() + .next() + .unwrap(); + unsafe { + assert_eq!((*general_name.as_ptr()).type_, 0); + } +} + #[test] fn test_dist_point() { let cert = include_bytes!("../../test/certv3.pem"); From 8436f088898a7a286fb1af7e552d644d411e95db Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Sat, 27 May 2023 11:30:13 -0400 Subject: [PATCH 214/341] Allow LibreSSL 3.8.0 --- openssl-sys/build/main.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index ba149c17ff..1762068d75 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -285,6 +285,7 @@ See rust-openssl documentation for more information: (3, 7, 0) => ('3', '7', '0'), (3, 7, 1) => ('3', '7', '1'), (3, 7, _) => ('3', '7', 'x'), + (3, 8, 0) => ('3', '8', '0'), _ => version_error(), }; @@ -327,7 +328,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.7.x, but a different version of OpenSSL was found. The build is now aborting +through 3.8.0, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " From e41a13249630a9b3bed7dd84e243bf85f4d2fd4b Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Sat, 27 May 2023 11:31:02 -0400 Subject: [PATCH 215/341] CI: bump LibreSSL --- .github/workflows/ci.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 71deb57ab9..75117ffab8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -181,7 +181,12 @@ jobs: bindgen: true library: name: libressl - version: 3.7.2 + version: 3.7.3 + - target: x86_64-unknown-linux-gnu + bindgen: true + library: + name: libressl + version: 3.8.0 - target: x86_64-unknown-linux-gnu bindgen: false library: @@ -191,7 +196,12 @@ jobs: bindgen: false library: name: libressl - version: 3.7.2 + version: 3.7.3 + - target: x86_64-unknown-linux-gnu + bindgen: false + library: + name: libressl + version: 3.8.0 name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} runs-on: ubuntu-latest env: From b937b66ae6c3c1828c33477f234cdf6fe7f31700 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 28 May 2023 04:46:03 -0500 Subject: [PATCH 216/341] add Dsa with some helper functions DSA is terrible, I'm sorry we have to add this --- openssl/src/dsa.rs | 63 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 62 insertions(+), 1 deletion(-) diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index c550f6548b..d8dcaa9fdb 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -14,7 +14,7 @@ use std::ptr; use crate::bn::{BigNum, BigNumRef}; use crate::error::ErrorStack; -use crate::pkey::{HasParams, HasPrivate, HasPublic, Private, Public}; +use crate::pkey::{HasParams, HasPrivate, HasPublic, Params, Private, Public}; use crate::util::ForeignTypeRefExt; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; @@ -183,6 +183,49 @@ type BitType = libc::c_uint; #[cfg(not(boringssl))] type BitType = c_int; +impl Dsa { + /// Creates a DSA params based upon the given parameters. + #[corresponds(DSA_set0_pqg)] + pub fn from_pqg(p: BigNum, q: BigNum, g: BigNum) -> Result, ErrorStack> { + unsafe { + let dsa = Dsa::from_ptr(cvt_p(ffi::DSA_new())?); + cvt(DSA_set0_pqg(dsa.0, p.as_ptr(), q.as_ptr(), g.as_ptr()))?; + mem::forget((p, q, g)); + Ok(dsa) + } + } + + /// Generates DSA params based on the given number of bits. + #[corresponds(DSA_generate_parameters_ex)] + pub fn generate_params(bits: u32) -> Result, ErrorStack> { + ffi::init(); + unsafe { + let dsa = Dsa::from_ptr(cvt_p(ffi::DSA_new())?); + cvt(ffi::DSA_generate_parameters_ex( + dsa.0, + bits as BitType, + ptr::null(), + 0, + ptr::null_mut(), + ptr::null_mut(), + ptr::null_mut(), + ))?; + Ok(dsa) + } + } + + /// Generates a private key based on the DSA params. + #[corresponds(DSA_generate_key)] + pub fn generate_key(self) -> Result, ErrorStack> { + unsafe { + let dsa_ptr = self.0; + cvt(ffi::DSA_generate_key(dsa_ptr))?; + mem::forget(self); + Ok(Dsa::from_ptr(dsa_ptr)) + } + } +} + impl Dsa { /// Generate a DSA key pair. /// @@ -556,6 +599,24 @@ mod test { assert_eq!(dsa.g(), &BigNum::from_u32(60).unwrap()); } + #[test] + fn test_params() { + let params = Dsa::generate_params(1024).unwrap(); + let p = params.p().to_owned().unwrap(); + let q = params.q().to_owned().unwrap(); + let g = params.g().to_owned().unwrap(); + let key = params.generate_key().unwrap(); + let params2 = Dsa::from_pqg( + key.p().to_owned().unwrap(), + key.q().to_owned().unwrap(), + key.g().to_owned().unwrap(), + ) + .unwrap(); + assert_eq!(p, *params2.p()); + assert_eq!(q, *params2.q()); + assert_eq!(g, *params2.g()); + } + #[test] #[cfg(not(boringssl))] fn test_signature() { From c972e700df5ab3edafc3d966d74eaa99bc9d460a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 28 May 2023 09:18:18 -0500 Subject: [PATCH 217/341] reimplement Dsa::generate in terms of generate_params/generate_key --- openssl/src/dsa.rs | 23 ++--------------------- 1 file changed, 2 insertions(+), 21 deletions(-) diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index d8dcaa9fdb..1f594f28b4 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -229,29 +229,10 @@ impl Dsa { impl Dsa { /// Generate a DSA key pair. /// - /// Calls [`DSA_generate_parameters_ex`] to populate the `p`, `g`, and `q` values. - /// These values are used to generate the key pair with [`DSA_generate_key`]. - /// /// The `bits` parameter corresponds to the length of the prime `p`. - /// - /// [`DSA_generate_parameters_ex`]: https://www.openssl.org/docs/manmaster/crypto/DSA_generate_parameters_ex.html - /// [`DSA_generate_key`]: https://www.openssl.org/docs/manmaster/crypto/DSA_generate_key.html pub fn generate(bits: u32) -> Result, ErrorStack> { - ffi::init(); - unsafe { - let dsa = Dsa::from_ptr(cvt_p(ffi::DSA_new())?); - cvt(ffi::DSA_generate_parameters_ex( - dsa.0, - bits as BitType, - ptr::null(), - 0, - ptr::null_mut(), - ptr::null_mut(), - ptr::null_mut(), - ))?; - cvt(ffi::DSA_generate_key(dsa.0))?; - Ok(dsa) - } + let params = Dsa::generate_params(bits)?; + params.generate_key() } /// Create a DSA key pair with the given parameters From b3cdda01b571535afe596927b59cf4690b47b806 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 May 2023 14:24:25 -0400 Subject: [PATCH 218/341] Added DER serialization for `DSAPrivateKey` --- openssl/src/dsa.rs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index 1f594f28b4..1463ee4115 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -127,6 +127,13 @@ where ffi::PEM_write_bio_DSAPrivateKey } + to_der! { + /// Serializes the private_key to a DER-encoded `DSAPrivateKey` structure. + #[corresponds(i2d_DSAPrivateKey)] + private_key_to_der, + ffi::i2d_DSAPrivateKey + } + /// Returns a reference to the private key component of `self`. #[corresponds(DSA_get0_key)] pub fn priv_key(&self) -> &BigNumRef { From 6a65a2b5138c012f1bc60e947ddc52d20795454a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 30 May 2023 09:01:23 +0800 Subject: [PATCH 219/341] version bump 0.9.88 and 0.10.53 --- openssl-sys/CHANGELOG.md | 15 ++++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 10 +++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 26 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 324ff1a82a..48029f8aab 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,18 @@ ## [Unreleased] +## [v0.9.88] - 2023-05-30 + +### Added + +* Added support for the LibreSSL 3.8.0. +* Added support for detecting `OPENSSL_NO_RC4`. +* Added `OBJ_dup`. +* Added `ASN1_TYPE_new`, `ASN1_TYPE_set`, `d2i_ASN1_TYPE`, and `i2d_ASN1_TYPE`. +* Added `SSL_bytes_to_cipher_list`, `SSL_CTX_get_num_tickets`, and `SSL_get_num_tickets`. +* Added `GENERAL_NAME_set0_othername`. +* Added `X509_get_pathlen`. + ## [v0.9.87] - 2023-04-24 ### Added @@ -446,7 +458,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88..master +[v0.9.88]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87...openssl-sys-v0.9.88 [v0.9.87]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86...openssl-sys-v0.9.87 [v0.9.86]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.86 [v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.84...openssl-sys-v0.9.85 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 811318bbaf..7589a3ca0e 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.87" +version = "0.9.88" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index c62da00a1b..79e0d9c1ff 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,13 @@ ## [Unreleased] +## [v0.10.53] - 2023-05-30 + +### Added + +* Added `Dsa::from_pqg`, `Dsa::generate_key`, and `Dsa::generate_params`. +* Added `SslRef::bytes_to_cipher_list`. + ## [v0.10.52] - 2023-04-24 ### Added @@ -747,7 +754,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...master +[v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 [v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...openssl-v0.10.52 [v0.10.51]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...openssl-v0.10.51 [v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index addf5cb060..e6f5e4d565 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.52" +version = "0.10.53" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.87", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.88", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 7a040da108ced53e227fa48225759f3fce7487e0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 30 May 2023 09:29:45 +0800 Subject: [PATCH 220/341] Update openssl/CHANGELOG.md Co-authored-by: Alex Gaynor --- openssl/CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 79e0d9c1ff..b174156a5a 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -8,6 +8,7 @@ * Added `Dsa::from_pqg`, `Dsa::generate_key`, and `Dsa::generate_params`. * Added `SslRef::bytes_to_cipher_list`. +* Added `SubjectAlternativeName::other_name2` ## [v0.10.52] - 2023-04-24 From b83aec7f30ab295011c23cd6e479abcc69039bbe Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 31 May 2023 13:49:34 -0400 Subject: [PATCH 221/341] Remove converting PKCS#8 passphrase to CString It's not required, there's an explicit length. --- openssl/src/pkey.rs | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 82a0a9d136..af41421768 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -57,7 +57,7 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_int, c_long}; use openssl_macros::corresponds; -use std::convert::TryFrom; +use std::convert::{TryFrom, TryInto}; use std::ffi::CString; use std::fmt; use std::mem; @@ -350,10 +350,6 @@ where /// Serializes a private key into a DER-formatted PKCS#8, using the supplied password to /// encrypt the key. - /// - /// # Panics - /// - /// Panics if `passphrase` contains an embedded null. #[corresponds(i2d_PKCS8PrivateKey_bio)] pub fn private_key_to_pkcs8_passphrase( &self, @@ -362,14 +358,12 @@ where ) -> Result, ErrorStack> { unsafe { let bio = MemBio::new()?; - let len = passphrase.len(); - let passphrase = CString::new(passphrase).unwrap(); cvt(ffi::i2d_PKCS8PrivateKey_bio( bio.as_ptr(), self.as_ptr(), cipher.as_ptr(), passphrase.as_ptr() as *const _ as *mut _, - len as ::libc::c_int, + passphrase.len().try_into().unwrap(), None, ptr::null_mut(), ))?; From 68ff80a935857c3e6a0b99905292e81af600e250 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 31 May 2023 21:31:38 -0400 Subject: [PATCH 222/341] Version bump for openssl v0.10.54 release --- openssl/CHANGELOG.md | 11 +++++++++-- openssl/Cargo.toml | 2 +- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index b174156a5a..29af6ca816 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,12 @@ ## [Unreleased] +## [v0.10.54] - 2023-05-31 + +### Fixed + +* `PKey::private_key_to_pkcs8_passphrase` no longer panics if a `passphrase` contains a NUL byte. + ## [v0.10.53] - 2023-05-30 ### Added @@ -755,8 +761,9 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...master -[v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...master +[v0.10.54]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...openssl-v0.10.54 +[v0.10.53]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 [v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...openssl-v0.10.52 [v0.10.51]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...openssl-v0.10.51 [v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index e6f5e4d565..c4367cd4c6 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.53" +version = "0.10.54" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" From 90d9199f858c0fc887f2a6778bb05f611a0ff456 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 3 Jun 2023 21:36:33 -0400 Subject: [PATCH 223/341] Fix warnings from BoringSSL on Rust 1.70 --- openssl-sys/build/run_bindgen.rs | 8 ++++++++ openssl-sys/src/lib.rs | 1 + 2 files changed, 9 insertions(+) diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 4fa9ec66f2..87b748f23b 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -110,11 +110,15 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { let mut builder = bindgen::builder() .rust_target(RustTarget::Stable_1_47) .ctypes_prefix("::libc") + .raw_line("use libc::*;") .derive_default(false) .enable_function_attribute_detection() .default_macro_constant_type(MacroTypeVariation::Signed) .rustified_enum("point_conversion_form_t") .allowlist_file(".*/openssl/[^/]+\\.h") + .allowlist_recursively(false) + .blocklist_function("BIO_vsnprintf") + .blocklist_function("OPENSSL_vasprintf") .wrap_static_fns(true) .wrap_static_fns_path(out_dir.join("boring_static_wrapper").display().to_string()) .layout_tests(false) @@ -165,11 +169,15 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { .arg(out_dir.join("bindgen.rs")) .arg("--rust-target=1.47") .arg("--ctypes-prefix=::libc") + .arg("--raw-line=use libc::*;") .arg("--no-derive-default") .arg("--enable-function-attribute-detection") .arg("--default-macro-constant-type=signed") .arg("--rustified-enum=point_conversion_form_t") .arg("--allowlist-file=.*/openssl/[^/]+\\.h") + .arg("--no-recursive-allowlist") + .arg("--blocklist-function=BIO_vsnprintf") + .arg("--blocklist-function=OPENSSL_vasprintf") .arg("--experimental") .arg("--wrap-static-fns") .arg("--wrap-static-fns-path") diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index c3084755cc..5a65e8b349 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -10,6 +10,7 @@ overflowing_literals, unused_imports )] +#![cfg_attr(feature = "unstable_boringssl", allow(ambiguous_glob_reexports))] #![doc(html_root_url = "https://docs.rs/openssl-sys/0.9")] #![recursion_limit = "128"] // configure fixed limit across all rust versions From e476f9a08a40c1cde55950f26f1e5203c51d0889 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Sun, 4 Jun 2023 13:15:22 -0400 Subject: [PATCH 224/341] Honor OPENSSL_NO_OCB if OpenSSL was built this way Setting ossl110 in the BoringSSL build (see #1944) causes rust-openssl to expect OCB support. However, OpenSSL already has a feature guard for OCB, which BoringSSL sets. rust-openssl just isn't honoring it. This fixes building against an OpenSSL built with ./config no-ocb --- openssl-sys/build/expando.c | 4 ++++ openssl/src/symm.rs | 14 +++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index 54681a0b95..5d003d9022 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -75,6 +75,10 @@ RUST_CONF_OPENSSL_NO_NEXTPROTONEG RUST_CONF_OPENSSL_NO_OCSP #endif +#ifdef OPENSSL_NO_OCB +RUST_CONF_OPENSSL_NO_OCB +#endif + #ifdef OPENSSL_NO_PSK RUST_CONF_OPENSSL_NO_PSK #endif diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 611080805f..8da341f7f6 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -142,7 +142,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_128_ocb() -> Cipher { unsafe { Cipher(ffi::EVP_aes_128_ocb()) } } @@ -187,7 +187,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_192_ocb() -> Cipher { unsafe { Cipher(ffi::EVP_aes_192_ocb()) } } @@ -237,7 +237,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_256_ocb() -> Cipher { unsafe { Cipher(ffi::EVP_aes_256_ocb()) } } @@ -402,14 +402,14 @@ impl Cipher { } /// Determines whether the cipher is using OCB mode - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] fn is_ocb(self) -> bool { self == Cipher::aes_128_ocb() || self == Cipher::aes_192_ocb() || self == Cipher::aes_256_ocb() } - #[cfg(not(ossl110))] + #[cfg(any(not(ossl110), osslconf = "OPENSSL_NO_OCB"))] const fn is_ocb(self) -> bool { false } @@ -1422,7 +1422,7 @@ mod tests { } #[test] - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] fn test_aes_128_ocb() { let key = "000102030405060708090a0b0c0d0e0f"; let aad = "0001020304050607"; @@ -1458,7 +1458,7 @@ mod tests { } #[test] - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] fn test_aes_128_ocb_fail() { let key = "000102030405060708090a0b0c0d0e0f"; let aad = "0001020304050607"; From 5283d7c994541a99bab9b33f809bd662a5aa47a7 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Sat, 3 Jun 2023 11:44:10 -0400 Subject: [PATCH 225/341] Fix some deprecated patterns when using BoringSSL The RSA and DSA changes will be needed to avoid build breakage soon. The others are mostly tidying up. There's another place around BIO that we'd ideally also switch over, but that depends on resolving the __fixed_rust mess first. This addresses a symptom of #1944, but not the root cause. --- openssl/src/asn1.rs | 2 +- openssl/src/dsa.rs | 5 +++-- openssl/src/ecdsa.rs | 2 +- openssl/src/hash.rs | 2 +- openssl/src/md_ctx.rs | 2 +- openssl/src/rsa.rs | 2 +- 6 files changed, 8 insertions(+), 7 deletions(-) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 0e720ae0b3..801310d411 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -738,7 +738,7 @@ impl fmt::Debug for Asn1ObjectRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::ASN1_STRING_get0_data; } else { #[allow(bad_style)] diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index 1463ee4115..1a63e8ad8f 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -7,6 +7,7 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; +#[cfg(not(boringssl))] use libc::c_int; use std::fmt; use std::mem; @@ -314,7 +315,7 @@ impl fmt::Debug for Dsa { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{DSA_get0_key, DSA_get0_pqg, DSA_set0_key, DSA_set0_pqg}; } else { #[allow(bad_style)] @@ -493,7 +494,7 @@ impl DsaSigRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{DSA_SIG_set0, DSA_SIG_get0}; } else { #[allow(bad_style)] diff --git a/openssl/src/ecdsa.rs b/openssl/src/ecdsa.rs index 0a960e7b9e..f3b27b3953 100644 --- a/openssl/src/ecdsa.rs +++ b/openssl/src/ecdsa.rs @@ -110,7 +110,7 @@ impl EcdsaSigRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{ECDSA_SIG_set0, ECDSA_SIG_get0}; } else { #[allow(bad_style)] diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 37442fb274..52d73deed4 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -43,7 +43,7 @@ use crate::nid::Nid; use crate::{cvt, cvt_p}; cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, boringssl))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; diff --git a/openssl/src/md_ctx.rs b/openssl/src/md_ctx.rs index c4d3f06b94..156f3c2fc9 100644 --- a/openssl/src/md_ctx.rs +++ b/openssl/src/md_ctx.rs @@ -93,7 +93,7 @@ use std::convert::TryFrom; use std::ptr; cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, boringssl))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; diff --git a/openssl/src/rsa.rs b/openssl/src/rsa.rs index 68cf64b036..f155b12dfe 100644 --- a/openssl/src/rsa.rs +++ b/openssl/src/rsa.rs @@ -581,7 +581,7 @@ impl fmt::Debug for Rsa { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{ RSA_get0_key, RSA_get0_factors, RSA_get0_crt_params, RSA_set0_key, RSA_set0_factors, RSA_set0_crt_params, From a3b6cb5fdc7df2754ab9a5d3f4039e469e42d332 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 4 Jun 2023 08:55:49 +0800 Subject: [PATCH 226/341] add get_asn1_flag to EcGroupRef --- openssl-sys/src/handwritten/ec.rs | 2 ++ openssl/src/ec.rs | 13 +++++++++++++ 2 files changed, 15 insertions(+) diff --git a/openssl-sys/src/handwritten/ec.rs b/openssl-sys/src/handwritten/ec.rs index 6ee475f327..ec781a715a 100644 --- a/openssl-sys/src/handwritten/ec.rs +++ b/openssl-sys/src/handwritten/ec.rs @@ -46,6 +46,8 @@ extern "C" { pub fn EC_GROUP_set_asn1_flag(key: *mut EC_GROUP, flag: c_int); + pub fn EC_GROUP_get_asn1_flag(group: *const EC_GROUP) -> c_int; + pub fn EC_GROUP_get_curve_GFp( group: *const EC_GROUP, p: *mut BIGNUM, diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 248ced3e41..55523fee0a 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -294,6 +294,12 @@ impl EcGroupRef { } } + /// Gets the flag determining if the group corresponds to a named curve. + #[corresponds(EC_GROUP_get_asn1_flag)] + pub fn get_asn1_flag(&mut self) -> Asn1Flag { + unsafe { Asn1Flag(ffi::EC_GROUP_get_asn1_flag(self.as_ptr())) } + } + /// Returns the name of the curve, if a name is associated. #[corresponds(EC_GROUP_get_curve_name)] pub fn curve_name(&self) -> Option { @@ -1265,4 +1271,11 @@ mod test { let group2 = EcGroup::from_curve_name(Nid::X9_62_PRIME239V3).unwrap(); assert!(!g.is_on_curve(&group2, &mut ctx).unwrap()); } + + #[test] + fn get_flags() { + let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let flag = group.get_asn1_flag(); + assert_eq!(flag.0, Asn1Flag::NAMED_CURVE.0); + } } From faae7bb9ad7d569e16b7d21295d813dd4672ef07 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 4 Jun 2023 12:33:47 +0800 Subject: [PATCH 227/341] rename and test on openssl 1.1.0+ --- openssl/src/ec.rs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 55523fee0a..d6ef049101 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -296,7 +296,7 @@ impl EcGroupRef { /// Gets the flag determining if the group corresponds to a named curve. #[corresponds(EC_GROUP_get_asn1_flag)] - pub fn get_asn1_flag(&mut self) -> Asn1Flag { + pub fn asn1_flag(&mut self) -> Asn1Flag { unsafe { Asn1Flag(ffi::EC_GROUP_get_asn1_flag(self.as_ptr())) } } @@ -1273,9 +1273,10 @@ mod test { } #[test] - fn get_flags() { + #[cfg(not(any(ossl102, ossl101)))] + fn asn1_flag() { let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); - let flag = group.get_asn1_flag(); + let flag = group.asn1_flag(); assert_eq!(flag.0, Asn1Flag::NAMED_CURVE.0); } } From 38a54607ad8901819fa8292f69757b51ce59e8d9 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 07:08:20 +0800 Subject: [PATCH 228/341] partialeq on asn1flag --- openssl/src/ec.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index d6ef049101..446697f527 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -57,7 +57,7 @@ impl PointConversionForm { /// Named Curve or Explicit /// /// This type acts as a boolean as to whether the `EcGroup` is named or explicit. -#[derive(Copy, Clone)] +#[derive(Copy, Clone, PartialEq)] pub struct Asn1Flag(c_int); impl Asn1Flag { @@ -1277,6 +1277,6 @@ mod test { fn asn1_flag() { let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let flag = group.asn1_flag(); - assert_eq!(flag.0, Asn1Flag::NAMED_CURVE.0); + assert_eq!(flag, Asn1Flag::NAMED_CURVE); } } From 37966b326fd417142f912f18dd67ad3e27bac570 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 07:20:20 +0800 Subject: [PATCH 229/341] fix test target configs, add debug derive --- openssl/src/ec.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 446697f527..22d6d1888d 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -57,7 +57,7 @@ impl PointConversionForm { /// Named Curve or Explicit /// /// This type acts as a boolean as to whether the `EcGroup` is named or explicit. -#[derive(Copy, Clone, PartialEq)] +#[derive(Copy, Clone, Debug, PartialEq)] pub struct Asn1Flag(c_int); impl Asn1Flag { @@ -1273,7 +1273,7 @@ mod test { } #[test] - #[cfg(not(any(ossl102, ossl101)))] + #[cfg(any(boringssl, ossl111, libressl350))] fn asn1_flag() { let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let flag = group.asn1_flag(); From d52ac4e4f08b4d0c4d1b2d181d6baee3f042e972 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 4 Jun 2023 19:42:34 -0400 Subject: [PATCH 230/341] Fixed type mutability on asn1_flag --- openssl/src/ec.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 22d6d1888d..6993e4edda 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -296,7 +296,7 @@ impl EcGroupRef { /// Gets the flag determining if the group corresponds to a named curve. #[corresponds(EC_GROUP_get_asn1_flag)] - pub fn asn1_flag(&mut self) -> Asn1Flag { + pub fn asn1_flag(&self) -> Asn1Flag { unsafe { Asn1Flag(ffi::EC_GROUP_get_asn1_flag(self.as_ptr())) } } From 1b9fba4e782affd312f9c9ad6f80d57eb8a82be1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 4 Jun 2023 19:47:47 -0400 Subject: [PATCH 231/341] Update ec.rs --- openssl/src/ec.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 6993e4edda..5310564ecc 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -1275,7 +1275,7 @@ mod test { #[test] #[cfg(any(boringssl, ossl111, libressl350))] fn asn1_flag() { - let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let flag = group.asn1_flag(); assert_eq!(flag, Asn1Flag::NAMED_CURVE); } From 7b18e903c6c1a0adc09b0eb7ea1876fad70fbe37 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 08:19:17 +0800 Subject: [PATCH 232/341] allow affine_coordinates on boring and libre --- openssl-sys/src/handwritten/ec.rs | 2 +- openssl/src/ec.rs | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl-sys/src/handwritten/ec.rs b/openssl-sys/src/handwritten/ec.rs index ec781a715a..182a5559a3 100644 --- a/openssl-sys/src/handwritten/ec.rs +++ b/openssl-sys/src/handwritten/ec.rs @@ -101,7 +101,7 @@ extern "C" { pub fn EC_POINT_dup(p: *const EC_POINT, group: *const EC_GROUP) -> *mut EC_POINT; - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl, libressl350))] pub fn EC_POINT_get_affine_coordinates( group: *const EC_GROUP, p: *const EC_POINT, diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 5310564ecc..b648aec334 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -491,7 +491,7 @@ impl EcPointRef { /// Places affine coordinates of a curve over a prime field in the provided /// `x` and `y` `BigNum`s. #[corresponds(EC_POINT_get_affine_coordinates)] - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl, libressl350))] pub fn affine_coordinates( &self, group: &EcGroupRef, @@ -1197,7 +1197,7 @@ mod test { assert!(ec_key.check_key().is_ok()); } - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl, libressl350))] #[test] fn get_affine_coordinates() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); From f783cbe145cc084a160e478dfe1fb9dc50dcdcab Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 09:27:04 +0800 Subject: [PATCH 233/341] add support for EVP_PKEY_derive_set_peer_ex in OpenSSL 3 via Deriver::set_peer_ex --- openssl-sys/src/handwritten/evp.rs | 6 +++++ openssl/src/derive.rs | 38 ++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index db018e9a42..4041d8b671 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -522,6 +522,12 @@ extern "C" { pub fn EVP_PKEY_derive_init(ctx: *mut EVP_PKEY_CTX) -> c_int; pub fn EVP_PKEY_derive_set_peer(ctx: *mut EVP_PKEY_CTX, peer: *mut EVP_PKEY) -> c_int; + #[cfg(ossl300)] + pub fn EVP_PKEY_derive_set_peer_ex( + ctx: *mut EVP_PKEY_CTX, + peer: *mut EVP_PKEY, + validate_peer: c_int, + ) -> c_int; pub fn EVP_PKEY_derive(ctx: *mut EVP_PKEY_CTX, key: *mut c_uchar, size: *mut size_t) -> c_int; #[cfg(ossl300)] diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index 5d422f6976..ef1f61424d 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -93,6 +93,30 @@ impl<'a> Deriver<'a> { unsafe { cvt(ffi::EVP_PKEY_derive_set_peer(self.0, key.as_ptr())).map(|_| ()) } } + /// Sets the peer key used for secret derivation along with optionally validating the peer public key. + /// + /// This corresponds to [`EVP_PKEY_derive_set_peer_ex`]: + /// + /// [`EVP_PKEY_derive_set_peer_ex`]: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_derive_set_peer_ex.html + #[cfg(ossl300)] + pub fn set_peer_ex( + &mut self, + key: &'a PKeyRef, + validate_peer: bool, + ) -> Result<(), ErrorStack> + where + T: HasPublic, + { + unsafe { + cvt(ffi::EVP_PKEY_derive_set_peer_ex( + self.0, + key.as_ptr(), + validate_peer as i32, + )) + .map(|_| ()) + } + } + /// Returns the size of the shared secret. /// /// It can be used to size the buffer passed to [`Deriver::derive`]. @@ -179,4 +203,18 @@ mod test { let shared = deriver.derive_to_vec().unwrap(); assert!(!shared.is_empty()); } + + #[test] + #[cfg(ossl300)] + fn test_ec_key_derive_ex() { + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let ec_key = EcKey::generate(&group).unwrap(); + let ec_key2 = EcKey::generate(&group).unwrap(); + let pkey = PKey::from_ec_key(ec_key).unwrap(); + let pkey2 = PKey::from_ec_key(ec_key2).unwrap(); + let mut deriver = Deriver::new(&pkey).unwrap(); + deriver.set_peer_ex(&pkey2, true).unwrap(); + let shared = deriver.derive_to_vec().unwrap(); + assert!(!shared.is_empty()); + } } From 45e4fc23c8a68685ce076ead1ab01f21970633c0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 08:26:57 +0800 Subject: [PATCH 234/341] Update openssl/src/derive.rs Co-authored-by: Steven Fackler --- openssl/src/derive.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index ef1f61424d..e5ecaadbc2 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -95,9 +95,8 @@ impl<'a> Deriver<'a> { /// Sets the peer key used for secret derivation along with optionally validating the peer public key. /// - /// This corresponds to [`EVP_PKEY_derive_set_peer_ex`]: - /// - /// [`EVP_PKEY_derive_set_peer_ex`]: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_derive_set_peer_ex.html + /// Requires OpenSSL 3.0.0 or newer. + #[corresponds(EVP_PKEY_derive_set_peer_ex)] #[cfg(ossl300)] pub fn set_peer_ex( &mut self, From 50ac347ad63974857e57742c8fcebeb6c9e9e59e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 10:07:06 +0800 Subject: [PATCH 235/341] add missing import --- openssl/src/derive.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index e5ecaadbc2..bfb85a6aba 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -56,6 +56,7 @@ use std::ptr; use crate::error::ErrorStack; use crate::pkey::{HasPrivate, HasPublic, PKeyRef}; use crate::{cvt, cvt_p}; +use openssl_macros::corresponds; /// A type used to derive a shared secret between two keys. pub struct Deriver<'a>(*mut ffi::EVP_PKEY_CTX, PhantomData<&'a ()>); From 87f1a1a1e8c5089de2810c358204a1822ea0b1ed Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 10:14:58 +0800 Subject: [PATCH 236/341] add another corresponds to avoid warnings about no use --- openssl/src/derive.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index bfb85a6aba..c62b902161 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -87,6 +87,7 @@ impl<'a> Deriver<'a> { /// This corresponds to [`EVP_PKEY_derive_set_peer`]: /// /// [`EVP_PKEY_derive_set_peer`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html + #[corresponds(EVP_PKEY_derive_set_peer)] pub fn set_peer(&mut self, key: &'a PKeyRef) -> Result<(), ErrorStack> where T: HasPublic, From 2604033874debae65cad42ecef47613f6a147e85 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 10:21:03 +0800 Subject: [PATCH 237/341] remove outdated comment --- openssl/src/derive.rs | 4 ---- 1 file changed, 4 deletions(-) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index c62b902161..424c5f92d7 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -83,10 +83,6 @@ impl<'a> Deriver<'a> { } /// Sets the peer key used for secret derivation. - /// - /// This corresponds to [`EVP_PKEY_derive_set_peer`]: - /// - /// [`EVP_PKEY_derive_set_peer`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html #[corresponds(EVP_PKEY_derive_set_peer)] pub fn set_peer(&mut self, key: &'a PKeyRef) -> Result<(), ErrorStack> where From c2f4d5875aaac9b4748a6734fb20af044d408c7b Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Thu, 8 Jun 2023 12:45:21 -0400 Subject: [PATCH 238/341] Use type-safe wrappers instead of EVP_PKEY_assign In OpenSSL, these are macros, so they didn't get imported by bindgen, but they're proper functions in BoringSSL and we'd prefer callers use those for safety. For OpenSSL, just add the corresponding functions in openssl-sys, matching how rust-openssl handles EVP_PKEY_CTX_ctrl. Using the type-safe wrappers flags that rust-openssl was trying to convert DH to EVP_PKEY, but BoringSSL doesn't actually support this. (DH is a legacy primitive, so we haven't routed it to EVP_PKEY right now.) --- openssl-sys/src/evp.rs | 16 ++++++++++++++++ openssl/src/pkey.rs | 26 ++++++-------------------- 2 files changed, 22 insertions(+), 20 deletions(-) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 72ca2434fc..07fae49eb5 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -285,3 +285,19 @@ pub unsafe fn EVP_PKEY_CTX_add1_hkdf_info( info as *mut c_void, ) } + +pub unsafe fn EVP_PKEY_assign_RSA(pkey: *mut EVP_PKEY, rsa: *mut RSA) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_RSA, rsa as *mut c_void) +} + +pub unsafe fn EVP_PKEY_assign_DSA(pkey: *mut EVP_PKEY, dsa: *mut DSA) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_DSA, dsa as *mut c_void) +} + +pub unsafe fn EVP_PKEY_assign_DH(pkey: *mut EVP_PKEY, dh: *mut DH) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_DH, dh as *mut c_void) +} + +pub unsafe fn EVP_PKEY_assign_EC_KEY(pkey: *mut EVP_PKEY, ec_key: *mut EC_KEY) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_EC, ec_key as *mut c_void) +} diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index af41421768..130024da3d 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -406,11 +406,7 @@ impl PKey { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_RSA, - rsa.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_RSA(pkey.0, rsa.as_ptr()))?; mem::forget(rsa); Ok(pkey) } @@ -422,11 +418,7 @@ impl PKey { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_DSA, - dsa.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_DSA(pkey.0, dsa.as_ptr()))?; mem::forget(dsa); Ok(pkey) } @@ -434,15 +426,12 @@ impl PKey { /// Creates a new `PKey` containing a Diffie-Hellman key. #[corresponds(EVP_PKEY_assign_DH)] + #[cfg(not(boringssl))] pub fn from_dh(dh: Dh) -> Result, ErrorStack> { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_DH, - dh.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_DH(pkey.0, dh.as_ptr()))?; mem::forget(dh); Ok(pkey) } @@ -454,11 +443,7 @@ impl PKey { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_EC, - ec_key.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_EC_KEY(pkey.0, ec_key.as_ptr()))?; mem::forget(ec_key); Ok(pkey) } @@ -861,6 +846,7 @@ impl TryFrom> for Dsa { } } +#[cfg(not(boringssl))] impl TryFrom> for PKey { type Error = ErrorStack; From 7c0f0a79d98608c7570baa25a379e7f312453c06 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Wed, 14 Jun 2023 10:24:00 +0800 Subject: [PATCH 239/341] add NID SM2 --- openssl-sys/src/obj_mac.rs | 2 ++ openssl/src/nid.rs | 2 ++ 2 files changed, 4 insertions(+) diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 22bfccba3f..6ae48834b5 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -935,6 +935,8 @@ pub const NID_ED25519: c_int = 952; #[cfg(ossl111)] pub const NID_ED448: c_int = 1088; #[cfg(ossl111)] +pub const NID_sm2: c_int = 1172; +#[cfg(ossl111)] pub const NID_sm3: c_int = 1143; #[cfg(libressl291)] pub const NID_sm3: c_int = 968; diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index c8c60885f1..91fcdeca9d 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -1074,6 +1074,8 @@ impl Nid { pub const AES_128_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_128_cbc_hmac_sha1); pub const AES_192_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_192_cbc_hmac_sha1); pub const AES_256_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_256_cbc_hmac_sha1); + #[cfg(ossl111)] + pub const SM2: Nid = Nid(ffi::NID_sm2); #[cfg(any(ossl111, libressl291))] pub const SM3: Nid = Nid(ffi::NID_sm3); #[cfg(ossl111)] From 9840b534e0996e39cde8ac5faedf81b68f3d2c3a Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Wed, 14 Jun 2023 10:34:58 +0800 Subject: [PATCH 240/341] add pkey Id SM2 --- openssl-sys/src/evp.rs | 2 ++ openssl/src/pkey.rs | 2 ++ 2 files changed, 4 insertions(+) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 07fae49eb5..56eaa4bbff 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -10,6 +10,8 @@ pub const EVP_PKEY_RSA: c_int = NID_rsaEncryption; pub const EVP_PKEY_DSA: c_int = NID_dsa; pub const EVP_PKEY_DH: c_int = NID_dhKeyAgreement; pub const EVP_PKEY_EC: c_int = NID_X9_62_id_ecPublicKey; +#[cfg(ossl111)] +pub const EVP_PKEY_SM2: c_int = NID_sm2; #[cfg(any(ossl111, libressl370))] pub const EVP_PKEY_X25519: c_int = NID_X25519; #[cfg(any(ossl111, libressl370))] diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 130024da3d..453aeed72f 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -85,6 +85,8 @@ impl Id { pub const DSA: Id = Id(ffi::EVP_PKEY_DSA); pub const DH: Id = Id(ffi::EVP_PKEY_DH); pub const EC: Id = Id(ffi::EVP_PKEY_EC); + #[cfg(ossl111)] + pub const SM2: Id = Id(ffi::EVP_PKEY_SM2); #[cfg(any(ossl110, boringssl))] pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); From fb5ae60cbb1dbbb2e34d47e113b25bc31f4acc37 Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:16:03 +0700 Subject: [PATCH 241/341] clippy: remove unused allow attributes --- openssl-sys/build/cfgs.rs | 1 + openssl-sys/build/main.rs | 9 +-------- openssl-sys/src/lib.rs | 4 ---- 3 files changed, 2 insertions(+), 12 deletions(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index f09ec29b53..2f3ff3eafd 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -1,3 +1,4 @@ +#[allow(clippy::unusual_byte_groupings)] pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<&'static str> { let mut cfgs = vec![]; diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 1762068d75..306482d1a8 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -1,9 +1,3 @@ -#![allow( - clippy::inconsistent_digit_grouping, - clippy::uninlined_format_args, - clippy::unusual_byte_groupings -)] - #[cfg(feature = "bindgen")] extern crate bindgen; extern crate cc; @@ -131,7 +125,6 @@ fn main() { } } -#[allow(clippy::let_and_return)] fn postprocess(include_dirs: &[PathBuf]) -> Version { let version = validate_headers(include_dirs); @@ -146,7 +139,7 @@ fn postprocess(include_dirs: &[PathBuf]) -> Version { /// Validates the header files found in `include_dir` and then returns the /// version string of OpenSSL. -#[allow(clippy::manual_strip)] // we need to support pre-1.45.0 +#[allow(clippy::unusual_byte_groupings)] fn validate_headers(include_dirs: &[PathBuf]) -> Version { // This `*-sys` crate only works with OpenSSL 1.0.1, 1.0.2, 1.1.0, 1.1.1 and 3.0.0. // To correctly expose the right API from this crate, take a look at diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 5a65e8b349..784b7637e1 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -1,13 +1,9 @@ #![allow( clippy::missing_safety_doc, - clippy::unreadable_literal, - clippy::uninlined_format_args, - clippy::upper_case_acronyms, dead_code, non_camel_case_types, non_snake_case, non_upper_case_globals, - overflowing_literals, unused_imports )] #![cfg_attr(feature = "unstable_boringssl", allow(ambiguous_glob_reexports))] From b1e16e927622b8c044f88de802523dead0b0ec5e Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:17:07 +0700 Subject: [PATCH 242/341] clippy: use strip_prefix instead of manually strip --- openssl-sys/build/main.rs | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 306482d1a8..6fb8c3ed82 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -203,17 +203,14 @@ See rust-openssl documentation for more information: let libressl_prefix = "RUST_VERSION_LIBRESSL_"; let boringsl_prefix = "RUST_OPENSSL_IS_BORINGSSL"; let conf_prefix = "RUST_CONF_"; - if line.starts_with(openssl_prefix) { - let version = &line[openssl_prefix.len()..]; + if let Some(version) = line.strip_prefix(openssl_prefix) { openssl_version = Some(parse_version(version)); - } else if line.starts_with(new_openssl_prefix) { - let version = &line[new_openssl_prefix.len()..]; + } else if let Some(version) = line.strip_prefix(new_openssl_prefix) { openssl_version = Some(parse_new_version(version)); - } else if line.starts_with(libressl_prefix) { - let version = &line[libressl_prefix.len()..]; + } else if let Some(version) = line.strip_prefix(libressl_prefix) { libressl_version = Some(parse_version(version)); - } else if line.starts_with(conf_prefix) { - enabled.push(&line[conf_prefix.len()..]); + } else if let Some(conf) = line.strip_prefix(conf_prefix) { + enabled.push(conf); } else if line.starts_with(boringsl_prefix) { is_boringssl = true; } From 8587ff88431fc9ef495eda1b5bcfab4d310ef3cd Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:18:11 +0700 Subject: [PATCH 243/341] chore: use pre-existing clean APIs instead --- openssl-sys/build/main.rs | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 6fb8c3ed82..3359165a33 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -155,9 +155,7 @@ fn validate_headers(include_dirs: &[PathBuf]) -> Version { // account for compile differences and such. println!("cargo:rerun-if-changed=build/expando.c"); let mut gcc = cc::Build::new(); - for include_dir in include_dirs { - gcc.include(include_dir); - } + gcc.includes(include_dirs); let expanded = match gcc.file("build/expando.c").try_expand() { Ok(expanded) => expanded, Err(e) => { @@ -326,18 +324,13 @@ due to this version mismatch. } // parses a string that looks like "0x100020cfL" -#[allow(deprecated)] // trim_right_matches is now trim_end_matches -#[allow(clippy::match_like_matches_macro)] // matches macro requires rust 1.42.0 fn parse_version(version: &str) -> u64 { // cut off the 0x prefix assert!(version.starts_with("0x")); let version = &version[2..]; // and the type specifier suffix - let version = version.trim_right_matches(|c: char| match c { - '0'..='9' | 'a'..='f' | 'A'..='F' => false, - _ => true, - }); + let version = version.trim_end_matches(|c: char| !c.is_ascii_hexdigit()); u64::from_str_radix(version, 16).unwrap() } From 8ab3c3f3a8e6102b734d849132aaeb9728cec669 Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:22:34 +0700 Subject: [PATCH 244/341] update min-version passed to bindgen --- .github/workflows/ci.yml | 1 + openssl-sys/build/run_bindgen.rs | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 75117ffab8..33c352cd2c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -59,6 +59,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + # Remember to also update `--rust-target` in `openssl-sys/build/run_bindgen.rs` - uses: sfackler/actions/rustup@master with: version: 1.56.0 diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 87b748f23b..6743403161 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -167,7 +167,7 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { bindgen_cmd .arg("-o") .arg(out_dir.join("bindgen.rs")) - .arg("--rust-target=1.47") + .arg("--rust-target=1.56") .arg("--ctypes-prefix=::libc") .arg("--raw-line=use libc::*;") .arg("--no-derive-default") From 978435639b0e1a93a953a7f211216c33aaedc450 Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:33:56 +0700 Subject: [PATCH 245/341] chore: simplify cfg attributes --- openssl/src/ssl/mod.rs | 4 ++-- openssl/src/ssl/test/mod.rs | 2 +- openssl/src/symm.rs | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 0feaced213..27e817f307 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -599,7 +599,7 @@ impl AlpnError { /// Terminate the handshake with a fatal alert. /// /// Requires OpenSSL 1.1.0 or newer. - #[cfg(any(ossl110))] + #[cfg(ossl110)] pub const ALERT_FATAL: AlpnError = AlpnError(ffi::SSL_TLSEXT_ERR_ALERT_FATAL); /// Do not select a protocol, but continue the handshake. @@ -2413,7 +2413,7 @@ impl SslRef { /// /// Requires OpenSSL 1.0.1 or 1.0.2. #[corresponds(SSL_set_tmp_ecdh_callback)] - #[cfg(any(all(ossl101, not(ossl110))))] + #[cfg(all(ossl101, not(ossl110)))] #[deprecated(note = "this function leaks memory and does not exist on newer OpenSSL versions")] pub fn set_tmp_ecdh_callback(&mut self, callback: F) where diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 39cc054df2..7707af238f 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -467,7 +467,7 @@ fn test_alpn_server_advertise_multiple() { } #[test] -#[cfg(any(ossl110))] +#[cfg(ossl110)] fn test_alpn_server_select_none_fatal() { let mut server = Server::builder(); server.ctx().set_alpn_select_callback(|_, client| { diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 8da341f7f6..c1dbdfee7b 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -1478,7 +1478,7 @@ mod tests { } #[test] - #[cfg(any(ossl110))] + #[cfg(ossl110)] fn test_chacha20() { let key = "0000000000000000000000000000000000000000000000000000000000000000"; let iv = "00000000000000000000000000000000"; @@ -1493,7 +1493,7 @@ mod tests { } #[test] - #[cfg(any(ossl110))] + #[cfg(ossl110)] fn test_chacha20_poly1305() { let key = "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"; let iv = "070000004041424344454647"; From 155b3dc71700d2ff31651bbc99b991765a718c4e Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 19 Jun 2023 13:10:09 -0400 Subject: [PATCH 246/341] Fix handling of empty host strings --- openssl/src/x509/verify.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index b0e22ef462..e8481c551c 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -120,9 +120,11 @@ impl X509VerifyParamRef { #[corresponds(X509_VERIFY_PARAM_set1_host)] pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> { unsafe { + // len == 0 means "run strlen" :( + let raw_host = if host.is_empty() { "\0" } else { host }; cvt(ffi::X509_VERIFY_PARAM_set1_host( self.as_ptr(), - host.as_ptr() as *const _, + raw_host.as_ptr() as *const _, host.len(), )) .map(|_| ()) From 983b9e210ac27895a39e0ed11a407b7936192313 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 20 Jun 2023 16:25:18 -0400 Subject: [PATCH 247/341] Release openssl v0.10.55 and openssl-sys v0.9.89 --- openssl-sys/CHANGELOG.md | 18 +++++++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 18 +++++++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 37 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 48029f8aab..13c3f32a6c 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,21 @@ ## [Unreleased] +## [v0.9.89] - 2023-06-20 + +### Fixed + +* Fixed compilation with recent versions of BoringSSL. + +### Added + +* Added support for detecting OpenSSL compiled with `OPENSSL_NO_OCB`. +* Added `EVP_PKEY_SM2` and `NID_sm2`. +* Added `EVP_PKEY_assign_RSA`, `EVP_PKEY_assign_DSA`, `EVP_PKEY_assign_DH`, and `EVP_PKEY_assign_EC_KEY`. +* Added `EC_GROUP_get_asn1_flag`. +* Expose `EC_POINT_get_affine_coordinates` on BoringSSL and LibreSSL. +* Added `EVP_PKEY_derive_set_peer_ex`. + ## [v0.9.88] - 2023-05-30 ### Added @@ -458,7 +473,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.89..master +[v0.9.89]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88...openssl-sys-v0.9.89 [v0.9.88]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87...openssl-sys-v0.9.88 [v0.9.87]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86...openssl-sys-v0.9.87 [v0.9.86]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.86 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 7589a3ca0e..0c261c5719 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.88" +version = "0.9.89" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 29af6ca816..a0622ecccd 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,21 @@ ## [Unreleased] +## [v0.10.55] - 2023-06-20 + +### Fixed + +* Fixed compilation with the latest version of BoringSSL. +* Fixed compilation when OpenSSL is compiled with `OPENSSL_NO_OCB`. +* Fixed a segfault in `X509VerifyParamRef::set_host` when called with an empty string. + +### Added + +* Added `Deriver::set_peer_ex`. +* Added `EcGroupRef::asn1_flag`. +* Exposed `EcPointRef::affine_coordinates` on BoringSSL and LibreSSL. +* Added `Nid::SM2` and `Id::SM2` + ## [v0.10.54] - 2023-05-31 ### Fixed @@ -761,7 +776,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...master +[v0.10.55]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...openssl-v0.10.55 [v0.10.54]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...openssl-v0.10.54 [v0.10.53]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 [v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...openssl-v0.10.52 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index c4367cd4c6..956d08cf9e 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.54" +version = "0.10.55" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.88", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.89", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 28a3a31b17cb8fafc8970da59e386fc7487821a1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 20 Jun 2023 17:17:24 -0400 Subject: [PATCH 248/341] Fix regression in building BoringSSL This configuration is not currently tested. --- openssl-sys/CHANGELOG.md | 9 ++++++++- openssl-sys/Cargo.toml | 2 +- openssl-sys/build/run_bindgen.rs | 4 +++- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 13c3f32a6c..4554a58def 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,12 @@ ## [Unreleased] +## [v0.9.90] - 2023-06-20 + +### Fixed + +* Fixed compilation with BoringSSL when building with the bindgen CLI. + ## [v0.9.89] - 2023-06-20 ### Fixed @@ -473,7 +479,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.89..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.90..master +[v0.9.90]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.89...openssl-sys-v0.9.90 [v0.9.89]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88...openssl-sys-v0.9.89 [v0.9.88]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87...openssl-sys-v0.9.88 [v0.9.87]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86...openssl-sys-v0.9.87 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 0c261c5719..4a22c918db 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.89" +version = "0.9.90" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 6743403161..5d307503f6 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -167,7 +167,9 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { bindgen_cmd .arg("-o") .arg(out_dir.join("bindgen.rs")) - .arg("--rust-target=1.56") + // Must be a valid version from + // https://docs.rs/bindgen/latest/bindgen/enum.RustTarget.html + .arg("--rust-target=1.47") .arg("--ctypes-prefix=::libc") .arg("--raw-line=use libc::*;") .arg("--no-derive-default") From 21afcf0b333dbbc1e48d9d9c018a862a66cafa5c Mon Sep 17 00:00:00 2001 From: Alex Page Date: Tue, 20 Jun 2023 21:58:49 -0400 Subject: [PATCH 249/341] bn: Add mod_sqrt --- openssl-sys/src/handwritten/bn.rs | 7 +++++++ openssl/src/bn.rs | 20 ++++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/openssl-sys/src/handwritten/bn.rs b/openssl-sys/src/handwritten/bn.rs index 5457f61710..03b1f9ccb5 100644 --- a/openssl-sys/src/handwritten/bn.rs +++ b/openssl-sys/src/handwritten/bn.rs @@ -73,6 +73,13 @@ extern "C" { m: *const BIGNUM, ctx: *mut BN_CTX, ) -> c_int; + #[cfg(ossl110)] + pub fn BN_mod_sqrt( + ret: *mut BIGNUM, + a: *const BIGNUM, + p: *const BIGNUM, + ctx: *mut BN_CTX, + ) -> *mut BIGNUM; pub fn BN_mod_word(r: *const BIGNUM, w: BN_ULONG) -> BN_ULONG; pub fn BN_div_word(r: *mut BIGNUM, w: BN_ULONG) -> BN_ULONG; diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index 5cfe4b375d..b501b45ffa 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -639,6 +639,26 @@ impl BigNumRef { } } + /// Places into `self` the modular square root of `a` such that `self^2 = a (mod p)` + #[corresponds(BN_mod_sqrt)] + #[cfg(ossl110)] + pub fn mod_sqrt( + &mut self, + a: &BigNumRef, + p: &BigNumRef, + ctx: &mut BigNumContextRef, + ) -> Result<(), ErrorStack> { + unsafe { + cvt_p(ffi::BN_mod_sqrt( + self.as_ptr(), + a.as_ptr(), + p.as_ptr(), + ctx.as_ptr(), + )) + .map(|_| ()) + } + } + /// Places the result of `a^p` in `self`. #[corresponds(BN_exp)] pub fn exp( From 3834005a4b99d280ffd27ea5d573755ddc9cc1ca Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 22 Jun 2023 10:06:25 -0700 Subject: [PATCH 250/341] Remove duplicate binding definitions --- openssl-sys/src/handwritten/evp.rs | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 4041d8b671..ad70e0578b 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -413,22 +413,6 @@ cfg_if! { pub fn EVP_PKEY_get_bits(key: *const EVP_PKEY) -> c_int; pub fn EVP_PKEY_get_security_bits(key: *const EVP_PKEY) -> c_int; } - - #[inline] - pub unsafe fn EVP_PKEY_id(pkey: *const EVP_PKEY) -> c_int { - EVP_PKEY_get_id(pkey) - } - - #[inline] - pub unsafe fn EVP_PKEY_bits(pkey: *const EVP_PKEY) -> c_int { - EVP_PKEY_get_bits(pkey) - } - - #[inline] - pub unsafe fn EVP_PKEY_security_bits(pkey: *const EVP_PKEY) -> c_int { - EVP_PKEY_get_security_bits(pkey) - } - } else { extern "C" { pub fn EVP_PKEY_id(pkey: *const EVP_PKEY) -> c_int; From 702319d1338d088d604571e67f06846e5423f23c Mon Sep 17 00:00:00 2001 From: Ming-Wei Shih Date: Mon, 19 Jun 2023 15:11:46 -0700 Subject: [PATCH 251/341] Support AES wrap and wrap_pad in Cipher Signed-off-by: Ming-Wei Shih --- openssl-sys/src/evp.rs | 3 + openssl-sys/src/handwritten/evp.rs | 13 +++ openssl/src/cipher.rs | 36 ++++++ openssl/src/cipher_ctx.rs | 180 +++++++++++++++++++++++++++++ 4 files changed, 232 insertions(+) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 56eaa4bbff..63a653cc49 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -27,6 +27,9 @@ pub const EVP_PKEY_POLY1305: c_int = NID_poly1305; #[cfg(ossl110)] pub const EVP_PKEY_HKDF: c_int = NID_hkdf; +#[cfg(ossl102)] +pub const EVP_CIPHER_CTX_FLAG_WRAP_ALLOW: c_int = 0x1; + pub const EVP_CTRL_GCM_SET_IVLEN: c_int = 0x9; pub const EVP_CTRL_GCM_GET_TAG: c_int = 0x10; pub const EVP_CTRL_GCM_SET_TAG: c_int = 0x11; diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 4041d8b671..6920510431 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -283,6 +283,7 @@ extern "C" { ptr: *mut c_void, ) -> c_int; pub fn EVP_CIPHER_CTX_rand_key(ctx: *mut EVP_CIPHER_CTX, key: *mut c_uchar) -> c_int; + pub fn EVP_CIPHER_CTX_set_flags(ctx: *mut EVP_CIPHER_CTX, flags: c_int); pub fn EVP_md_null() -> *const EVP_MD; pub fn EVP_md5() -> *const EVP_MD; @@ -329,6 +330,10 @@ extern "C" { pub fn EVP_aes_128_ofb() -> *const EVP_CIPHER; #[cfg(ossl110)] pub fn EVP_aes_128_ocb() -> *const EVP_CIPHER; + #[cfg(ossl102)] + pub fn EVP_aes_128_wrap() -> *const EVP_CIPHER; + #[cfg(ossl110)] + pub fn EVP_aes_128_wrap_pad() -> *const EVP_CIPHER; pub fn EVP_aes_192_ecb() -> *const EVP_CIPHER; pub fn EVP_aes_192_cbc() -> *const EVP_CIPHER; pub fn EVP_aes_192_cfb1() -> *const EVP_CIPHER; @@ -340,6 +345,10 @@ extern "C" { pub fn EVP_aes_192_ofb() -> *const EVP_CIPHER; #[cfg(ossl110)] pub fn EVP_aes_192_ocb() -> *const EVP_CIPHER; + #[cfg(ossl102)] + pub fn EVP_aes_192_wrap() -> *const EVP_CIPHER; + #[cfg(ossl110)] + pub fn EVP_aes_192_wrap_pad() -> *const EVP_CIPHER; pub fn EVP_aes_256_ecb() -> *const EVP_CIPHER; pub fn EVP_aes_256_cbc() -> *const EVP_CIPHER; pub fn EVP_aes_256_cfb1() -> *const EVP_CIPHER; @@ -352,6 +361,10 @@ extern "C" { pub fn EVP_aes_256_ofb() -> *const EVP_CIPHER; #[cfg(ossl110)] pub fn EVP_aes_256_ocb() -> *const EVP_CIPHER; + #[cfg(ossl102)] + pub fn EVP_aes_256_wrap() -> *const EVP_CIPHER; + #[cfg(ossl110)] + pub fn EVP_aes_256_wrap_pad() -> *const EVP_CIPHER; #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn EVP_chacha20() -> *const EVP_CIPHER; #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index 87f7660cde..8677886e16 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -191,6 +191,18 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_ocb() as *mut _) } } + /// Requires OpenSSL 1.0.2 or newer. + #[cfg(ossl102)] + pub fn aes_128_wrap() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_wrap() as *mut _) } + } + + /// Requires OpenSSL 1.1.0 or newer. + #[cfg(ossl110)] + pub fn aes_128_wrap_pad() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_wrap_pad() as *mut _) } + } + pub fn aes_192_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_aes_192_ecb() as *mut _) } } @@ -236,6 +248,18 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_aes_192_ocb() as *mut _) } } + /// Requires OpenSSL 1.0.2 or newer. + #[cfg(ossl102)] + pub fn aes_192_wrap() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_aes_192_wrap() as *mut _) } + } + + /// Requires OpenSSL 1.1.0 or newer. + #[cfg(ossl110)] + pub fn aes_192_wrap_pad() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_aes_192_wrap_pad() as *mut _) } + } + pub fn aes_256_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_aes_256_ecb() as *mut _) } } @@ -281,6 +305,18 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_aes_256_ocb() as *mut _) } } + /// Requires OpenSSL 1.0.2 or newer. + #[cfg(ossl102)] + pub fn aes_256_wrap() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_aes_256_wrap() as *mut _) } + } + + /// Requires OpenSSL 1.1.0 or newer. + #[cfg(ossl110)] + pub fn aes_256_wrap_pad() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_aes_256_wrap_pad() as *mut _) } + } + #[cfg(not(osslconf = "OPENSSL_NO_BF"))] pub fn bf_cbc() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_bf_cbc() as *mut _) } diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 216c09e5b0..56d0d26700 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -55,6 +55,8 @@ use crate::error::ErrorStack; #[cfg(not(boringssl))] use crate::pkey::{HasPrivate, HasPublic, PKey, PKeyRef}; use crate::{cvt, cvt_p}; +#[cfg(ossl102)] +use bitflags::bitflags; use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_int, c_uchar}; @@ -80,6 +82,15 @@ foreign_type_and_impl_send_sync! { pub struct CipherCtxRef; } +#[cfg(ossl102)] +bitflags! { + /// Flags for `EVP_CIPHER_CTX`. + pub struct CipherCtxFlags : c_int { + /// The flag used to opt into AES key wrap ciphers. + const FLAG_WRAP_ALLOW = ffi::EVP_CIPHER_CTX_FLAG_WRAP_ALLOW; + } +} + impl CipherCtx { /// Creates a new context. #[corresponds(EVP_CIPHER_CTX_new)] @@ -509,6 +520,17 @@ impl CipherCtxRef { Ok(()) } + /// Set ctx flags. + /// + /// This function is currently used to enable AES key wrap feature supported by OpenSSL 1.0.2 or newer. + #[corresponds(EVP_CIPHER_CTX_set_flags)] + #[cfg(ossl102)] + pub fn set_flags(&mut self, flags: CipherCtxFlags) { + unsafe { + ffi::EVP_CIPHER_CTX_set_flags(self.as_ptr(), flags.bits()); + } + } + /// Writes data into the context. /// /// Providing no output buffer will cause the input to be considered additional authenticated data (AAD). @@ -915,4 +937,162 @@ mod test { ctx.cipher_update(&vec![0; block_size + 1], Some(&mut vec![0; block_size - 1])) .unwrap(); } + + #[cfg(ossl102)] + fn cipher_wrap_test(cipher: &CipherRef, pt: &str, ct: &str, key: &str, iv: Option<&str>) { + let pt = hex::decode(pt).unwrap(); + let key = hex::decode(key).unwrap(); + let expected = hex::decode(ct).unwrap(); + let iv = iv.map(|v| hex::decode(v).unwrap()); + let padding = 8 - pt.len() % 8; + let mut computed = vec![0; pt.len() + padding + cipher.block_size() * 2]; + let mut ctx = CipherCtx::new().unwrap(); + + ctx.set_flags(CipherCtxFlags::FLAG_WRAP_ALLOW); + ctx.encrypt_init(Some(cipher), Some(&key), iv.as_deref()) + .unwrap(); + + let count = ctx.cipher_update(&pt, Some(&mut computed)).unwrap(); + let rest = ctx.cipher_final(&mut computed[count..]).unwrap(); + computed.truncate(count + rest); + + if computed != expected { + println!("Computed: {}", hex::encode(&computed)); + println!("Expected: {}", hex::encode(&expected)); + if computed.len() != expected.len() { + println!( + "Lengths differ: {} in computed vs {} expected", + computed.len(), + expected.len() + ); + } + panic!("test failure"); + } + } + + #[test] + #[cfg(ossl102)] + fn test_aes128_wrap() { + let pt = "00112233445566778899aabbccddeeff"; + let ct = "7940ff694448b5bb5139c959a4896832e55d69aa04daa27e"; + let key = "2b7e151628aed2a6abf7158809cf4f3c"; + let iv = "0001020304050607"; + + cipher_wrap_test(Cipher::aes_128_wrap(), pt, ct, key, Some(iv)); + } + + #[test] + #[cfg(ossl102)] + fn test_aes128_wrap_default_iv() { + let pt = "00112233445566778899aabbccddeeff"; + let ct = "38f1215f0212526f8a70b51955b9fbdc9fe3041d9832306e"; + let key = "2b7e151628aed2a6abf7158809cf4f3c"; + + cipher_wrap_test(Cipher::aes_128_wrap(), pt, ct, key, None); + } + + #[test] + #[cfg(ossl110)] + fn test_aes128_wrap_pad() { + let pt = "00112233445566778899aabbccddee"; + let ct = "f13998f5ab32ef82a1bdbcbe585e1d837385b529572a1e1b"; + let key = "2b7e151628aed2a6abf7158809cf4f3c"; + let iv = "00010203"; + + cipher_wrap_test(Cipher::aes_128_wrap_pad(), pt, ct, key, Some(iv)); + } + + #[test] + #[cfg(ossl110)] + fn test_aes128_wrap_pad_default_iv() { + let pt = "00112233445566778899aabbccddee"; + let ct = "3a501085fb8cf66f4186b7df851914d471ed823411598add"; + let key = "2b7e151628aed2a6abf7158809cf4f3c"; + + cipher_wrap_test(Cipher::aes_128_wrap_pad(), pt, ct, key, None); + } + + #[test] + #[cfg(ossl102)] + fn test_aes192_wrap() { + let pt = "9f6dee187d35302116aecbfd059657efd9f7589c4b5e7f5b"; + let ct = "83b89142dfeeb4871e078bfb81134d33e23fedc19b03a1cf689973d3831b6813"; + let key = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"; + let iv = "0001020304050607"; + + cipher_wrap_test(Cipher::aes_192_wrap(), pt, ct, key, Some(iv)); + } + + #[test] + #[cfg(ossl102)] + fn test_aes192_wrap_default_iv() { + let pt = "9f6dee187d35302116aecbfd059657efd9f7589c4b5e7f5b"; + let ct = "c02c2cf11505d3e4851030d5534cbf5a1d7eca7ba8839adbf239756daf1b43e6"; + let key = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"; + + cipher_wrap_test(Cipher::aes_192_wrap(), pt, ct, key, None); + } + + #[test] + #[cfg(ossl110)] + fn test_aes192_wrap_pad() { + let pt = "00112233445566778899aabbccddee"; + let ct = "b4f6bb167ef7caf061a74da82b36ad038ca057ab51e98d3a"; + let key = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"; + let iv = "00010203"; + + cipher_wrap_test(Cipher::aes_192_wrap_pad(), pt, ct, key, Some(iv)); + } + + #[test] + #[cfg(ossl110)] + fn test_aes192_wrap_pad_default_iv() { + let pt = "00112233445566778899aabbccddee"; + let ct = "b2c37a28cc602753a7c944a4c2555a2df9c98b2eded5312e"; + let key = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"; + + cipher_wrap_test(Cipher::aes_192_wrap_pad(), pt, ct, key, None); + } + + #[test] + #[cfg(ossl102)] + fn test_aes256_wrap() { + let pt = "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"; + let ct = "cc05da2a7f56f7dd0c144231f90bce58648fa20a8278f5a6b7d13bba6aa57a33229d4333866b7fd6"; + let key = "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"; + let iv = "0001020304050607"; + + cipher_wrap_test(Cipher::aes_256_wrap(), pt, ct, key, Some(iv)); + } + + #[test] + #[cfg(ossl102)] + fn test_aes256_wrap_default_iv() { + let pt = "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"; + let ct = "0b24f068b50e52bc6987868411c36e1b03900866ed12af81eb87cef70a8d1911731c1d7abf789d88"; + let key = "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"; + + cipher_wrap_test(Cipher::aes_256_wrap(), pt, ct, key, None); + } + + #[test] + #[cfg(ossl110)] + fn test_aes256_wrap_pad() { + let pt = "00112233445566778899aabbccddee"; + let ct = "91594e044ccc06130d60e6c84a996aa4f96a9faff8c5f6e7"; + let key = "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"; + let iv = "00010203"; + + cipher_wrap_test(Cipher::aes_256_wrap_pad(), pt, ct, key, Some(iv)); + } + + #[test] + #[cfg(ossl110)] + fn test_aes256_wrap_pad_default_iv() { + let pt = "00112233445566778899aabbccddee"; + let ct = "dc3c166a854afd68aea624a4272693554bf2e4fcbae602cd"; + let key = "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"; + + cipher_wrap_test(Cipher::aes_256_wrap_pad(), pt, ct, key, None); + } } From fa460ea62bc47404d1f2ef297e8ebd8c3a802892 Mon Sep 17 00:00:00 2001 From: Alex Page Date: Fri, 23 Jun 2023 00:35:30 -0400 Subject: [PATCH 252/341] bn: Add simple test for mod_sqrt --- openssl/src/bn.rs | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index b501b45ffa..b406668a0f 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -1475,4 +1475,17 @@ mod tests { b.set_const_time(); assert!(b.is_const_time()) } + + #[cfg(ossl110)] + #[test] + fn test_mod_sqrt() { + let mut ctx = BigNumContext::new().unwrap(); + + let s = BigNum::from_hex_str("47A8DD7626B9908C80ACD7E0D3344D69").unwrap(); + let p = BigNum::from_hex_str("81EF47265B58BCE5").unwrap(); + let mut out = BigNum::new().unwrap(); + + out.mod_sqrt(&s, &p, &mut ctx).unwrap(); + assert_eq!(out, BigNum::from_hex_str("7C6D179E19B97BDD").unwrap()); + } } From 4c19f4b6f9de20b3020c0f110a29882fdd109b87 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 24 Jun 2023 23:48:27 -0400 Subject: [PATCH 253/341] Allow setting the MD on signature PkeyCtx --- openssl-sys/src/evp.rs | 14 +++++++++++ openssl-sys/src/handwritten/evp.rs | 3 +++ openssl/src/pkey_ctx.rs | 40 +++++++++++++++++++++++++++++- 3 files changed, 56 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 56eaa4bbff..41c1caf518 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -186,6 +186,8 @@ pub const EVP_PKEY_OP_TYPE_SIG: c_int = EVP_PKEY_OP_SIGN pub const EVP_PKEY_OP_TYPE_CRYPT: c_int = EVP_PKEY_OP_ENCRYPT | EVP_PKEY_OP_DECRYPT; +pub const EVP_PKEY_CTRL_MD: c_int = 1; + pub const EVP_PKEY_CTRL_SET_MAC_KEY: c_int = 6; pub const EVP_PKEY_CTRL_CIPHER: c_int = 12; @@ -288,6 +290,18 @@ pub unsafe fn EVP_PKEY_CTX_add1_hkdf_info( ) } +#[cfg(all(not(ossl300), not(boringssl)))] +pub unsafe fn EVP_PKEY_CTX_set_signature_md(cxt: *mut EVP_PKEY_CTX, md: *mut EVP_MD) -> c_int { + EVP_PKEY_CTX_ctrl( + cxt, + -1, + EVP_PKEY_OP_TYPE_SIG, + EVP_PKEY_CTRL_MD, + 0, + md as *mut c_void, + ) +} + pub unsafe fn EVP_PKEY_assign_RSA(pkey: *mut EVP_PKEY, rsa: *mut RSA) -> c_int { EVP_PKEY_assign(pkey, EVP_PKEY_RSA, rsa as *mut c_void) } diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index ad70e0578b..190ffc26f8 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -497,6 +497,9 @@ extern "C" { p2: *mut c_void, ) -> c_int; + #[cfg(ossl300)] + pub fn EVP_PKEY_CTX_set_signature_md(ctx: *mut EVP_PKEY_CTX, md: *const EVP_MD) -> c_int; + pub fn EVP_PKEY_new_mac_key( type_: c_int, e: *mut ENGINE, diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index aba8a66a32..8f7a10515d 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -351,6 +351,22 @@ impl PkeyCtxRef { Ok(()) } + /// Sets which algorithm was used to compute the digest used in a + /// signature. With RSA signatures this causes the signature to be wrapped + /// in a `DigestInfo` structure. This is almost always what you want with + /// RSA signatures. + #[corresponds(EVP_PKEY_CTX_set_signature_md)] + #[inline] + pub fn set_signature_md(&self, md: &MdRef) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::EVP_PKEY_CTX_set_signature_md( + self.as_ptr(), + md.as_ptr(), + ))?; + } + Ok(()) + } + /// Returns the RSA padding mode in use. /// /// This is only useful for RSA keys. @@ -641,11 +657,12 @@ mod test { #[cfg(not(boringssl))] use crate::cipher::Cipher; use crate::ec::{EcGroup, EcKey}; - #[cfg(any(ossl102, libressl310, boringssl))] + use crate::hash::{hash, MessageDigest}; use crate::md::Md; use crate::nid::Nid; use crate::pkey::PKey; use crate::rsa::Rsa; + use crate::sign::Verifier; #[test] fn rsa() { @@ -698,6 +715,27 @@ mod test { assert_eq!(pt, out); } + #[test] + fn rsa_sign() { + let key = include_bytes!("../test/rsa.pem"); + let rsa = Rsa::private_key_from_pem(key).unwrap(); + let pkey = PKey::from_rsa(rsa).unwrap(); + + let mut ctx = PkeyCtx::new(&pkey).unwrap(); + ctx.sign_init().unwrap(); + ctx.set_rsa_padding(Padding::PKCS1).unwrap(); + ctx.set_signature_md(Md::sha384()).unwrap(); + + let msg = b"hello world"; + let digest = hash(MessageDigest::sha384(), msg).unwrap(); + let mut signature = vec![]; + ctx.sign_to_vec(&digest, &mut signature).unwrap(); + + let mut verifier = Verifier::new(MessageDigest::sha384(), &pkey).unwrap(); + verifier.update(msg).unwrap(); + assert!(matches!(verifier.verify(&signature), Ok(true))); + } + #[test] fn derive() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); From c10bbd094cd9c34e160044b3d54c0597a2a30ed0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 25 Jun 2023 10:21:13 -0400 Subject: [PATCH 254/341] Added set_rsa_pss_saltlen to PkeyCtx --- openssl/src/pkey_ctx.rs | 42 +++++++++++++++++++++++++++++++++++++++++ openssl/src/sign.rs | 2 +- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index 8f7a10515d..3c6c7430c5 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -70,6 +70,7 @@ use crate::error::ErrorStack; use crate::md::MdRef; use crate::pkey::{HasPrivate, HasPublic, Id, PKey, PKeyRef, Private}; use crate::rsa::Padding; +use crate::sign::RsaPssSaltlen; use crate::{cvt, cvt_n, cvt_p}; use foreign_types::{ForeignType, ForeignTypeRef}; #[cfg(not(boringssl))] @@ -397,6 +398,21 @@ impl PkeyCtxRef { Ok(()) } + /// Sets the RSA PSS salt length. + /// + /// This is only useful for RSA keys. + #[corresponds(EVP_PKEY_CTX_set_rsa_pss_saltlen)] + #[inline] + pub fn set_rsa_pss_saltlen(&mut self, len: RsaPssSaltlen) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::EVP_PKEY_CTX_set_rsa_pss_saltlen( + self.as_ptr(), + len.as_raw(), + )) + .map(|_| ()) + } + } + /// Sets the RSA MGF1 algorithm. /// /// This is only useful for RSA keys. @@ -736,6 +752,32 @@ mod test { assert!(matches!(verifier.verify(&signature), Ok(true))); } + #[test] + fn rsa_sign_pss() { + let key = include_bytes!("../test/rsa.pem"); + let rsa = Rsa::private_key_from_pem(key).unwrap(); + let pkey = PKey::from_rsa(rsa).unwrap(); + + let mut ctx = PkeyCtx::new(&pkey).unwrap(); + ctx.sign_init().unwrap(); + ctx.set_rsa_padding(Padding::PKCS1_PSS).unwrap(); + ctx.set_signature_md(Md::sha384()).unwrap(); + ctx.set_rsa_pss_saltlen(RsaPssSaltlen::custom(14)).unwrap(); + + let msg = b"hello world"; + let digest = hash(MessageDigest::sha384(), msg).unwrap(); + let mut signature = vec![]; + ctx.sign_to_vec(&digest, &mut signature).unwrap(); + + let mut verifier = Verifier::new(MessageDigest::sha384(), &pkey).unwrap(); + verifier.set_rsa_padding(Padding::PKCS1_PSS).unwrap(); + verifier + .set_rsa_pss_saltlen(RsaPssSaltlen::custom(14)) + .unwrap(); + verifier.update(msg).unwrap(); + assert!(matches!(verifier.verify(&signature), Ok(true))); + } + #[test] fn derive() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index a32f5c9144..1c770d18b7 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -93,7 +93,7 @@ pub struct RsaPssSaltlen(c_int); impl RsaPssSaltlen { /// Returns the integer representation of `RsaPssSaltlen`. - fn as_raw(&self) -> c_int { + pub(crate) fn as_raw(&self) -> c_int { self.0 } From 246389861bbf6d82f87ab9a370370ddea9c54aea Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 25 Jun 2023 13:23:09 -0400 Subject: [PATCH 255/341] Added is_even and is_odd on BN --- openssl-sys/src/handwritten/bn.rs | 2 ++ openssl/src/bn.rs | 27 +++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/openssl-sys/src/handwritten/bn.rs b/openssl-sys/src/handwritten/bn.rs index 03b1f9ccb5..fc42c13946 100644 --- a/openssl-sys/src/handwritten/bn.rs +++ b/openssl-sys/src/handwritten/bn.rs @@ -32,6 +32,8 @@ extern "C" { pub fn BN_set_negative(bn: *mut BIGNUM, n: c_int); #[cfg(any(ossl110, libressl350))] pub fn BN_is_negative(b: *const BIGNUM) -> c_int; + #[cfg(any(ossl110, libressl350))] + pub fn BN_is_odd(b: *const BIGNUM) -> c_int; pub fn BN_div( dv: *mut BIGNUM, diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index b406668a0f..c75fac1d70 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -335,6 +335,20 @@ impl BigNumRef { unsafe { BN_is_negative(self.as_ptr()) == 1 } } + /// Returns `true` is `self` is even. + #[corresponds(BN_is_even)] + #[cfg(any(ossl110, boringssl, libressl350))] + pub fn is_even(&self) -> bool { + !self.is_odd() + } + + /// Returns `true` is `self` is odd. + #[corresponds(BN_is_odd)] + #[cfg(any(ossl110, boringssl, libressl350))] + pub fn is_odd(&self) -> bool { + unsafe { ffi::BN_is_odd(self.as_ptr()) == 1 } + } + /// Returns the number of significant bits in `self`. #[corresponds(BN_num_bits)] #[allow(clippy::unnecessary_cast)] @@ -1488,4 +1502,17 @@ mod tests { out.mod_sqrt(&s, &p, &mut ctx).unwrap(); assert_eq!(out, BigNum::from_hex_str("7C6D179E19B97BDD").unwrap()); } + + #[test] + #[cfg(any(ossl110, boringssl, libressl350))] + fn test_odd_even() { + let a = BigNum::from_u32(17).unwrap(); + let b = BigNum::from_u32(18).unwrap(); + + assert!(a.is_odd()); + assert!(!b.is_odd()); + + assert!(!a.is_even()); + assert!(b.is_even()); + } } From 9eafd8221edff79bac0d883875926c862d2d94bc Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 23 Jun 2023 17:19:17 -0400 Subject: [PATCH 256/341] Correctly handle errors being on the stack when EVP_PKEY_verify returns 0 --- openssl/src/pkey_ctx.rs | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index 3c6c7430c5..3e1a67426c 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -71,7 +71,7 @@ use crate::md::MdRef; use crate::pkey::{HasPrivate, HasPublic, Id, PKey, PKeyRef, Private}; use crate::rsa::Padding; use crate::sign::RsaPssSaltlen; -use crate::{cvt, cvt_n, cvt_p}; +use crate::{cvt, cvt_p}; use foreign_types::{ForeignType, ForeignTypeRef}; #[cfg(not(boringssl))] use libc::c_int; @@ -210,13 +210,25 @@ where #[inline] pub fn verify(&mut self, data: &[u8], sig: &[u8]) -> Result { unsafe { - let r = cvt_n(ffi::EVP_PKEY_verify( + let r = ffi::EVP_PKEY_verify( self.as_ptr(), sig.as_ptr(), sig.len(), data.as_ptr(), data.len(), - ))?; + ); + // `EVP_PKEY_verify` is not terribly consistent about how it, + // reports errors. It does not clearly distinguish between 0 and + // -1, and may put errors on the stack in both cases. If there's + // errors on the stack, we return `Err()`, else we return + // `Ok(false)`. + if r <= 0 { + let errors = ErrorStack::get(); + if !errors.errors().is_empty() { + return Err(errors); + } + } + Ok(r == 1) } } @@ -889,5 +901,19 @@ mod test { ctx.verify_init().unwrap(); let valid = ctx.verify(bad_data, &signature).unwrap(); assert!(!valid); + assert!(ErrorStack::get().errors().is_empty()); + } + + #[test] + fn verify_fail_ec() { + let key1 = + EcKey::generate(&EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap()).unwrap(); + let key1 = PKey::from_ec_key(key1).unwrap(); + + let data = b"Some Crypto Text"; + let mut ctx = PkeyCtx::new(&key1).unwrap(); + ctx.verify_init().unwrap(); + assert!(matches!(ctx.verify(data, &[0; 64]), Ok(false) | Err(_))); + assert!(ErrorStack::get().errors().is_empty()); } } From 813cdf62891aff0bb320d976eab46f7dc3f0aa06 Mon Sep 17 00:00:00 2001 From: Michael Farrell Date: Tue, 27 Jun 2023 18:32:47 +1000 Subject: [PATCH 257/341] Allow running vcpkg on any windows target --- openssl-sys/Cargo.toml | 2 -- openssl-sys/build/find_normal.rs | 9 +++++---- openssl-sys/build/main.rs | 1 - 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 4a22c918db..9b102fa8dc 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -27,8 +27,6 @@ bindgen = { version = "0.64.0", optional = true, features = ["experimental"] } cc = "1.0.61" openssl-src = { version = "111", optional = true } pkg-config = "0.3.9" - -[target.'cfg(target_env = "msvc")'.build-dependencies] vcpkg = "0.2.8" # We don't actually use metadeps for annoying reasons but this is still here for tooling diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 791fc33985..ff25ac6412 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -232,8 +232,12 @@ fn try_pkg_config() { /// /// Note that if this succeeds then the function does not return as vcpkg /// should emit all of the cargo metadata that we need. -#[cfg(target_env = "msvc")] fn try_vcpkg() { + let target = env::var("TARGET").unwrap(); + if !target.contains("windows") { + return; + } + // vcpkg will not emit any metadata if it can not find libraries // appropriate for the target triple with the desired linkage. @@ -257,9 +261,6 @@ fn try_vcpkg() { process::exit(0); } -#[cfg(not(target_env = "msvc"))] -fn try_vcpkg() {} - fn execute_command_and_get_output(cmd: &str, args: &[&str]) -> Option { let out = Command::new(cmd).args(args).output(); if let Ok(ref r1) = out { diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 3359165a33..21ccf3d037 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -4,7 +4,6 @@ extern crate cc; #[cfg(feature = "vendored")] extern crate openssl_src; extern crate pkg_config; -#[cfg(target_env = "msvc")] extern crate vcpkg; use std::collections::HashSet; From 7faa7d590fec01986c5f9b86df651036ba95f6d2 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Camguilhem Date: Tue, 27 Jun 2023 15:43:59 +0200 Subject: [PATCH 258/341] OpenBSD case, specify /usr to find_openssl_dir --- openssl-sys/build/find_normal.rs | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 791fc33985..1f6e718db7 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -97,6 +97,11 @@ fn find_openssl_dir(target: &str) -> OsString { return OsString::from("/usr"); } + // OpenBSD ships with OpenSSL but doesn't include a pkg-config file :( + if host == target && target.contains("openbsd") { + return OsString::from("/usr"); + } + // DragonFly has libressl (or openssl) in ports, but this doesn't include a pkg-config file if host == target && target.contains("dragonfly") { return OsString::from("/usr/local"); From 02d70b5135b38ccf0455867a44ba2697b270cfd6 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Camguilhem Date: Tue, 27 Jun 2023 15:46:09 +0200 Subject: [PATCH 259/341] improve comment --- openssl-sys/build/find_normal.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 1f6e718db7..16d1908783 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -97,7 +97,7 @@ fn find_openssl_dir(target: &str) -> OsString { return OsString::from("/usr"); } - // OpenBSD ships with OpenSSL but doesn't include a pkg-config file :( + // OpenBSD ships with LibreSSL but doesn't include a pkg-config file :( if host == target && target.contains("openbsd") { return OsString::from("/usr"); } From 86f0a0b82aa01cee172e93300c3cbd8b483ea701 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Camguilhem Date: Tue, 27 Jun 2023 16:19:26 +0200 Subject: [PATCH 260/341] https://github.com/sfackler/rust-openssl/pull/1983#discussion_r1243795604 --- openssl-sys/build/find_normal.rs | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 16d1908783..99e84ce531 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -92,13 +92,8 @@ fn find_openssl_dir(target: &str) -> OsString { try_pkg_config(); try_vcpkg(); - // FreeBSD ships with OpenSSL but doesn't include a pkg-config file :( - if host == target && target.contains("freebsd") { - return OsString::from("/usr"); - } - - // OpenBSD ships with LibreSSL but doesn't include a pkg-config file :( - if host == target && target.contains("openbsd") { + // FreeBSD and OpenBSD ship with Libre|OpenSSL but don't include a pkg-config file + if host == target && target.contains("freebsd") || target.contains("openbsd")) { return OsString::from("/usr"); } From 101331555013099dec60e1b9af7c143b9aafc0fa Mon Sep 17 00:00:00 2001 From: Jean-Philippe Camguilhem Date: Tue, 27 Jun 2023 16:24:26 +0200 Subject: [PATCH 261/341] oups fix missing '('! /o\ --- openssl-sys/build/find_normal.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 99e84ce531..3ca192c936 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -93,7 +93,7 @@ fn find_openssl_dir(target: &str) -> OsString { try_vcpkg(); // FreeBSD and OpenBSD ship with Libre|OpenSSL but don't include a pkg-config file - if host == target && target.contains("freebsd") || target.contains("openbsd")) { + if host == target && target.contains(("freebsd") || target.contains("openbsd")) { return OsString::from("/usr"); } From 92d23a63897378ddb6594982a585001c18e502b0 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Camguilhem Date: Tue, 27 Jun 2023 16:29:10 +0200 Subject: [PATCH 262/341] fix bad parenthesis --- openssl-sys/build/find_normal.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 3ca192c936..624e8e425d 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -93,7 +93,7 @@ fn find_openssl_dir(target: &str) -> OsString { try_vcpkg(); // FreeBSD and OpenBSD ship with Libre|OpenSSL but don't include a pkg-config file - if host == target && target.contains(("freebsd") || target.contains("openbsd")) { + if host == target && (target.contains("freebsd") || target.contains("openbsd")) { return OsString::from("/usr"); } From e89f0870645e1417fdff348b346ec0616ead1f94 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Camguilhem Date: Tue, 27 Jun 2023 16:36:00 +0200 Subject: [PATCH 263/341] fmt: remove trailing space --- openssl-sys/build/find_normal.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 624e8e425d..3508d68bdd 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -92,7 +92,7 @@ fn find_openssl_dir(target: &str) -> OsString { try_pkg_config(); try_vcpkg(); - // FreeBSD and OpenBSD ship with Libre|OpenSSL but don't include a pkg-config file + // FreeBSD and OpenBSD ship with Libre|OpenSSL but don't include a pkg-config file if host == target && (target.contains("freebsd") || target.contains("openbsd")) { return OsString::from("/usr"); } From 9ac03bce4b3e058633761b66a85a7d014a396d38 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 28 Jun 2023 21:44:10 -0400 Subject: [PATCH 264/341] Added support for recovering signed data from signatures --- openssl-sys/src/handwritten/evp.rs | 8 +++ openssl/src/pkey_ctx.rs | 83 ++++++++++++++++++++++++++++++ 2 files changed, 91 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 65b809b917..7da92eeeb8 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -572,6 +572,14 @@ extern "C" { pin: *const c_uchar, pinlen: size_t, ) -> c_int; + pub fn EVP_PKEY_verify_recover_init(ctx: *mut EVP_PKEY_CTX) -> c_int; + pub fn EVP_PKEY_verify_recover( + ctx: *mut EVP_PKEY_CTX, + rout: *mut c_uchar, + routlen: *mut size_t, + sig: *const c_uchar, + siglen: size_t, + ) -> c_int; } const_ptr_api! { diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index 3e1a67426c..39bb406a5e 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -165,6 +165,17 @@ where Ok(()) } + /// Prepares the context for signature recovery using the public key. + #[corresponds(EVP_PKEY_verify_recover_init)] + #[inline] + pub fn verify_recover_init(&mut self) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::EVP_PKEY_verify_recover_init(self.as_ptr()))?; + } + + Ok(()) + } + /// Encrypts data using the public key. /// /// If `to` is set to `None`, an upper bound on the number of bytes required for the output buffer will be @@ -232,6 +243,32 @@ where Ok(r == 1) } } + + /// Recovers the original data signed by the private key. You almost + /// always want `verify` instead. + /// + /// Returns the number of bytes written to `to`, or the number of bytes + /// that would be written, if `to` is `None. + #[corresponds(EVP_PKEY_verify_recover)] + #[inline] + pub fn verify_recover( + &mut self, + sig: &[u8], + to: Option<&mut [u8]>, + ) -> Result { + let mut written = to.as_ref().map_or(0, |b| b.len()); + unsafe { + cvt(ffi::EVP_PKEY_verify_recover( + self.as_ptr(), + to.map_or(ptr::null_mut(), |b| b.as_mut_ptr()), + &mut written, + sig.as_ptr(), + sig.len(), + ))?; + } + + Ok(written) + } } impl PkeyCtxRef @@ -916,4 +953,50 @@ mod test { assert!(matches!(ctx.verify(data, &[0; 64]), Ok(false) | Err(_))); assert!(ErrorStack::get().errors().is_empty()); } + + #[test] + fn test_verify_recover() { + let key = Rsa::generate(2048).unwrap(); + let key = PKey::from_rsa(key).unwrap(); + + let digest = [ + 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, + 24, 25, 26, 27, 28, 29, 30, 31, + ]; + + let mut ctx = PkeyCtx::new(&key).unwrap(); + ctx.sign_init().unwrap(); + ctx.set_rsa_padding(Padding::PKCS1).unwrap(); + ctx.set_signature_md(Md::sha256()).unwrap(); + let mut signature = vec![]; + ctx.sign_to_vec(&digest, &mut signature).unwrap(); + + // Attempt recovery of just the digest. + let mut ctx = PkeyCtx::new(&key).unwrap(); + ctx.verify_recover_init().unwrap(); + ctx.set_rsa_padding(Padding::PKCS1).unwrap(); + ctx.set_signature_md(Md::sha256()).unwrap(); + let length = ctx.verify_recover(&signature, None).unwrap(); + let mut result_buf = vec![0; length]; + let length = ctx + .verify_recover(&signature, Some(&mut result_buf)) + .unwrap(); + assert_eq!(length, digest.len()); + // result_buf contains the digest + assert_eq!(result_buf[..length], digest); + + // Attempt recovery of teh entire DigestInfo + let mut ctx = PkeyCtx::new(&key).unwrap(); + ctx.verify_recover_init().unwrap(); + ctx.set_rsa_padding(Padding::PKCS1).unwrap(); + let length = ctx.verify_recover(&signature, None).unwrap(); + let mut result_buf = vec![0; length]; + let length = ctx + .verify_recover(&signature, Some(&mut result_buf)) + .unwrap(); + // 32-bytes of SHA256 digest + the ASN.1 DigestInfo structure == 51 bytes + assert_eq!(length, 51); + // The digest is the end of the DigestInfo structure. + assert_eq!(result_buf[length - digest.len()..length], digest); + } } From 8ae5dcf463126c966c329bcfba770c4635f91d2c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 29 Jun 2023 08:52:30 -0400 Subject: [PATCH 265/341] Expose PkeyCtx::set_rsa_oaep_md on BoringSSL --- openssl/src/pkey_ctx.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index 39bb406a5e..dffad039bb 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -482,7 +482,7 @@ impl PkeyCtxRef { /// /// This is only useful for RSA keys. #[corresponds(EVP_PKEY_CTX_set_rsa_oaep_md)] - #[cfg(any(ossl102, libressl310))] + #[cfg(any(ossl102, libressl310, boringssl))] #[inline] pub fn set_rsa_oaep_md(&mut self, md: &MdRef) -> Result<(), ErrorStack> { unsafe { @@ -753,7 +753,7 @@ mod test { } #[test] - #[cfg(any(ossl102, libressl310))] + #[cfg(any(ossl102, libressl310, boringssl))] fn rsa_oaep() { let key = include_bytes!("../test/rsa.pem"); let rsa = Rsa::private_key_from_pem(key).unwrap(); From 3dd78a71553e3d9d12baf21abf5ffec0db07b879 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 5 Jul 2023 07:07:36 -0400 Subject: [PATCH 266/341] Expose Cipher::aes_128_gcm on boringssl --- openssl/src/cipher.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index 8677886e16..d26b93c261 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -170,7 +170,6 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_cfb8() as *mut _) } } - #[cfg(not(boringssl))] pub fn aes_128_gcm() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_gcm() as *mut _) } } From f951978a7154417bf98623c7bc2105d8ef724ae7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 5 Jul 2023 07:13:40 -0400 Subject: [PATCH 267/341] Make test more flexible, sometimes this returns errors instead of invalid --- openssl/src/pkey_ctx.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index dffad039bb..4ac32a8517 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -936,8 +936,8 @@ mod test { let bad_data = b"Some Crypto text"; ctx.verify_init().unwrap(); - let valid = ctx.verify(bad_data, &signature).unwrap(); - assert!(!valid); + let valid = ctx.verify(bad_data, &signature); + assert!(matches!(valid, Ok(false) | Err(_))); assert!(ErrorStack::get().errors().is_empty()); } From 8de2783b7f96cf8ceb99a9e5f7f82e4ee2ff731f Mon Sep 17 00:00:00 2001 From: Michael Farrell Date: Thu, 6 Jul 2023 16:00:29 +1000 Subject: [PATCH 268/341] allow running pkg-config when targetting windows from non-windows hosts --- openssl-sys/build/find_normal.rs | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 3508d68bdd..68af5cc6c2 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -196,15 +196,13 @@ https://github.com/sfackler/rust-openssl#windows /// typically tells us all the information that we need. fn try_pkg_config() { let target = env::var("TARGET").unwrap(); - let host = env::var("HOST").unwrap(); - // If we're going to windows-gnu we can use pkg-config, but only so long as - // we're coming from a windows host. - // - // Otherwise if we're going to windows we probably can't use pkg-config. - if target.contains("windows-gnu") && host.contains("windows") { + // If we're using mingw (windows-gnu*), we can use pkg-config, but we need + // to allow mismatched host/target. + if target.contains("windows-gnu") { env::set_var("PKG_CONFIG_ALLOW_CROSS", "1"); } else if target.contains("windows") { + // MSVC targets use vcpkg instead. return; } From 4d2379f246d53e33d8cf37331de6021e7a6dd016 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 6 Jul 2023 16:45:49 -0700 Subject: [PATCH 269/341] Tweak pkg-config logic We don't want to broaden the contexts that we automatically enable PKG_CONFIG_ALLOW_CROSS --- openssl-sys/build/find_normal.rs | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 68af5cc6c2..67dc07d586 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -197,11 +197,10 @@ https://github.com/sfackler/rust-openssl#windows fn try_pkg_config() { let target = env::var("TARGET").unwrap(); - // If we're using mingw (windows-gnu*), we can use pkg-config, but we need - // to allow mismatched host/target. - if target.contains("windows-gnu") { + // FIXME we really shouldn't be automatically enabling this + if target.contains("windows-gnu") && host.contains("windows") { env::set_var("PKG_CONFIG_ALLOW_CROSS", "1"); - } else if target.contains("windows") { + } else if target.contains("windows-msvc") { // MSVC targets use vcpkg instead. return; } From 41c03d6d8e7acd0df07bc70aaa824fb23b1e2a19 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 6 Jul 2023 16:50:02 -0700 Subject: [PATCH 270/341] Un-break the build --- openssl-sys/build/find_normal.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 67dc07d586..0f45cce11b 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -196,6 +196,7 @@ https://github.com/sfackler/rust-openssl#windows /// typically tells us all the information that we need. fn try_pkg_config() { let target = env::var("TARGET").unwrap(); + let host = env::var("HOST").unwrap(); // FIXME we really shouldn't be automatically enabling this if target.contains("windows-gnu") && host.contains("windows") { From ddd04786155e7c3855e5c3f4303a7d2b8c908d76 Mon Sep 17 00:00:00 2001 From: Alexis Mousset Date: Mon, 17 Jul 2023 01:28:15 +0200 Subject: [PATCH 271/341] Update vendored openssl to version 3.1 --- openssl-sys/Cargo.toml | 2 +- openssl-sys/build/main.rs | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 9b102fa8dc..f49afa42fe 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -25,7 +25,7 @@ bssl-sys = { version = "0.1.0", optional = true } [build-dependencies] bindgen = { version = "0.64.0", optional = true, features = ["experimental"] } cc = "1.0.61" -openssl-src = { version = "111", optional = true } +openssl-src = { version = "300.1.2", optional = true, features = ["legacy"] } pkg-config = "0.3.9" vcpkg = "0.2.8" diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 21ccf3d037..7122b48627 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -115,6 +115,16 @@ fn main() { println!("cargo:rustc-link-lib={}={}", kind, lib); } + // https://github.com/openssl/openssl/pull/15086 + if version == Version::Openssl3xx + && kind == "static" + && (env::var("CARGO_CFG_TARGET_OS").unwrap() == "linux" + || env::var("CARGO_CFG_TARGET_OS").unwrap() == "android") + && env::var("CARGO_CFG_TARGET_POINTER_WIDTH").unwrap() == "32" + { + println!("cargo:rustc-link-lib=dylib=atomic"); + } + if kind == "static" && target.contains("windows") { println!("cargo:rustc-link-lib=dylib=gdi32"); println!("cargo:rustc-link-lib=dylib=user32"); From 55ee0da8d09683a6aa97a8d9ff2eb0bc778112a6 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Wed, 19 Jul 2023 14:58:36 +0200 Subject: [PATCH 272/341] Expose Poly1305 bindings on libressl and boringssl --- openssl-sys/CHANGELOG.md | 4 ++++ openssl-sys/build/run_bindgen.rs | 4 ++++ openssl-sys/src/handwritten/mod.rs | 4 ++++ openssl-sys/src/handwritten/poly1305.rs | 23 +++++++++++++++++++++++ systest/build.rs | 4 ++++ 5 files changed, 39 insertions(+) create mode 100644 openssl-sys/src/handwritten/poly1305.rs diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 4554a58def..1fbbbd499b 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,10 @@ ## [Unreleased] +### Added + +* Expose `poly1305_state`, `CRYPTO_poly1305_init`, `CRYPTO_poly1305_update`, and `CRYPTO_poly1305_finish` on BoringSSL and LibreSSL. + ## [v0.9.90] - 2023-06-20 ### Fixed diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 5d307503f6..1eeaad225d 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -55,6 +55,10 @@ const INCLUDES: &str = " #if OPENSSL_VERSION_NUMBER >= 0x30000000 #include #endif + +#if defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL) +#include +#endif "; #[cfg(feature = "bindgen")] diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index 9c0f844501..d3adfa5a13 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -18,6 +18,8 @@ pub use self::ocsp::*; pub use self::pem::*; pub use self::pkcs12::*; pub use self::pkcs7::*; +#[cfg(libressl)] +pub use self::poly1305::*; pub use self::provider::*; pub use self::rand::*; pub use self::rsa::*; @@ -52,6 +54,8 @@ mod ocsp; mod pem; mod pkcs12; mod pkcs7; +#[cfg(libressl)] +mod poly1305; mod provider; mod rand; mod rsa; diff --git a/openssl-sys/src/handwritten/poly1305.rs b/openssl-sys/src/handwritten/poly1305.rs new file mode 100644 index 0000000000..8ff22f3580 --- /dev/null +++ b/openssl-sys/src/handwritten/poly1305.rs @@ -0,0 +1,23 @@ +use super::super::*; +use libc::*; + +cfg_if! { + if #[cfg(libressl)] { + #[repr(C)] + #[derive(Debug, Copy, Clone)] + pub struct poly1305_context { + pub aligner: usize, + pub opaque: [::libc::c_uchar; 136usize], + } + pub type poly1305_state = poly1305_context; + extern "C" { + pub fn CRYPTO_poly1305_init(ctx: *mut poly1305_context, key: *const ::libc::c_uchar); + pub fn CRYPTO_poly1305_update( + ctx: *mut poly1305_context, + in_: *const ::libc::c_uchar, + len: usize, + ); + pub fn CRYPTO_poly1305_finish(ctx: *mut poly1305_context, mac: *mut ::libc::c_uchar); + } + } +} diff --git a/systest/build.rs b/systest/build.rs index 6d3ac3a3d3..53407eafad 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -69,6 +69,10 @@ fn main() { .header("openssl/evp.h") .header("openssl/x509_vfy.h"); + if libressl_version.is_some() { + cfg.header("openssl/poly1305.h"); + } + if let Some(version) = openssl_version { cfg.header("openssl/cms.h"); if version >= 0x10100000 { From eb883a1a7b31a0280a1ed2dc4ebfab5d3d01fb67 Mon Sep 17 00:00:00 2001 From: Andrea Frigido Date: Thu, 20 Jul 2023 18:43:34 +0100 Subject: [PATCH 273/341] Update license field following SPDX 2.1 license expression standard --- openssl-errors/Cargo.toml | 2 +- openssl-macros/Cargo.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl-errors/Cargo.toml b/openssl-errors/Cargo.toml index 1f60f0ee08..5285b266e1 100644 --- a/openssl-errors/Cargo.toml +++ b/openssl-errors/Cargo.toml @@ -3,7 +3,7 @@ name = "openssl-errors" version = "0.2.0" authors = ["Steven Fackler "] edition = "2018" -license = "MIT/Apache-2.0" +license = "MIT OR Apache-2.0" description = "Custom error library support for the openssl crate." repository = "https://github.com/sfackler/rust-openssl" readme = "README.md" diff --git a/openssl-macros/Cargo.toml b/openssl-macros/Cargo.toml index 5337de751e..7f0c1c7e44 100644 --- a/openssl-macros/Cargo.toml +++ b/openssl-macros/Cargo.toml @@ -2,7 +2,7 @@ name = "openssl-macros" version = "0.1.1" edition = "2018" -license = "MIT/Apache-2.0" +license = "MIT OR Apache-2.0" description = "Internal macros used by the openssl crate." [lib] From ebf8027a921a528b91ce3515a3454a502ecd8c27 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Thu, 20 Jul 2023 15:46:10 +0800 Subject: [PATCH 274/341] add EcPointRef::to_hex_str and EcPoint::from_hex_str --- openssl-sys/src/handwritten/ec.rs | 14 +++++++ openssl/src/ec.rs | 63 +++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+) diff --git a/openssl-sys/src/handwritten/ec.rs b/openssl-sys/src/handwritten/ec.rs index 182a5559a3..f199bc891c 100644 --- a/openssl-sys/src/handwritten/ec.rs +++ b/openssl-sys/src/handwritten/ec.rs @@ -152,6 +152,20 @@ extern "C" { ctx: *mut BN_CTX, ) -> c_int; + pub fn EC_POINT_point2hex( + group: *const EC_GROUP, + p: *const EC_POINT, + form: point_conversion_form_t, + ctx: *mut BN_CTX, + ) -> *mut c_char; + + pub fn EC_POINT_hex2point( + group: *const EC_GROUP, + s: *const c_char, + p: *mut EC_POINT, + ctx: *mut BN_CTX, + ) -> *mut EC_POINT; + pub fn EC_POINT_add( group: *const EC_GROUP, r: *mut EC_POINT, diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index b648aec334..d541ddfc23 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -15,6 +15,7 @@ //! [`EcGroup`]: struct.EcGroup.html //! [`Nid`]: ../nid/struct.Nid.html //! [Elliptic Curve Cryptography]: https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography +use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::c_int; use std::fmt; @@ -28,6 +29,13 @@ use crate::util::ForeignTypeRefExt; use crate::{cvt, cvt_n, cvt_p, init}; use openssl_macros::corresponds; +cfg_if! { + if #[cfg(not(boringssl))] { + use std::ffi::CString; + use crate::string::OpensslString; + } +} + /// Compressed or Uncompressed conversion /// /// Conversion from the binary value of the point on the curve is performed in one of @@ -463,6 +471,26 @@ impl EcPointRef { } } + /// Serializes the point to a hexadecimal string representation. + #[corresponds(EC_POINT_point2hex)] + #[cfg(not(boringssl))] + pub fn to_hex_str( + &self, + group: &EcGroupRef, + form: PointConversionForm, + ctx: &mut BigNumContextRef, + ) -> Result { + unsafe { + let buf = cvt_p(ffi::EC_POINT_point2hex( + group.as_ptr(), + self.as_ptr(), + form.0, + ctx.as_ptr(), + ))?; + Ok(OpensslString::from_ptr(buf)) + } + } + /// Creates a new point on the specified curve with the same value. #[corresponds(EC_POINT_dup)] pub fn to_owned(&self, group: &EcGroupRef) -> Result { @@ -631,6 +659,27 @@ impl EcPoint { } Ok(point) } + + /// Creates point from a hexadecimal string representation + #[corresponds(EC_POINT_hex2point)] + #[cfg(not(boringssl))] + pub fn from_hex_str( + group: &EcGroupRef, + s: &str, + ctx: &mut BigNumContextRef, + ) -> Result { + let point = EcPoint::new(group)?; + unsafe { + let c_str = CString::new(s.as_bytes()).unwrap(); + cvt_p(ffi::EC_POINT_hex2point( + group.as_ptr(), + c_str.as_ptr() as *const _, + point.as_ptr(), + ctx.as_ptr(), + ))?; + } + Ok(point) + } } generic_foreign_type_and_impl_send_sync! { @@ -1121,6 +1170,20 @@ mod test { assert!(point.eq(&group, &point2, &mut ctx).unwrap()); } + #[test] + #[cfg(not(boringssl))] + fn point_hex_str() { + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let key = EcKey::generate(&group).unwrap(); + let point = key.public_key(); + let mut ctx = BigNumContext::new().unwrap(); + let hex = point + .to_hex_str(&group, PointConversionForm::COMPRESSED, &mut ctx) + .unwrap(); + let point2 = EcPoint::from_hex_str(&group, &hex, &mut ctx).unwrap(); + assert!(point.eq(&group, &point2, &mut ctx).unwrap()); + } + #[test] fn point_owned() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); From c8b6077ca8b0d741383abcd1586d3ba4bbbaadd5 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Mon, 24 Jul 2023 13:00:37 -0400 Subject: [PATCH 275/341] Gate BIO_new_socket in OPENSSL_NO_SOCK in handwritten bindings OpenSSL conditions the availability of this symbol on OPENSSL_NO_SOCK. Match that in the handwritten bindings. This doesn't really matter as it's only in the handwritten bindings and not used by rust-openssl, but we may as well make it match OpenSSL. --- openssl-sys/build/expando.c | 4 ++++ openssl-sys/src/handwritten/bio.rs | 1 + 2 files changed, 5 insertions(+) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index 5d003d9022..cd7456b4f0 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -111,6 +111,10 @@ RUST_CONF_OPENSSL_NO_SSL3_METHOD RUST_CONF_OPENSSL_NO_TLSEXT #endif +#ifdef OPENSSL_NO_SOCK +RUST_CONF_OPENSSL_NO_SOCK +#endif + #ifdef OPENSSL_NO_STDIO RUST_CONF_OPENSSL_NO_STDIO #endif diff --git a/openssl-sys/src/handwritten/bio.rs b/openssl-sys/src/handwritten/bio.rs index 7d97522251..5f65ec5e5c 100644 --- a/openssl-sys/src/handwritten/bio.rs +++ b/openssl-sys/src/handwritten/bio.rs @@ -58,6 +58,7 @@ const_ptr_api! { } extern "C" { + #[cfg(not(osslconf = "OPENSSL_NO_SOCK"))] pub fn BIO_new_socket(sock: c_int, close_flag: c_int) -> *mut BIO; #[cfg(any(ossl110, libressl273))] From cc8eced7e2cbb0391b3a32fc7f9e1bf3bf3ad8e0 Mon Sep 17 00:00:00 2001 From: Geoff Thomas Date: Tue, 25 Jul 2023 14:26:43 +0100 Subject: [PATCH 276/341] Add support for CRL extensions and the Authority Information Access extension --- openssl/src/x509/mod.rs | 41 +++++++++++++++++++++++++++++++ openssl/src/x509/tests.rs | 13 +++++++++- openssl/test/entry_extensions.crl | 17 +++++++------ 3 files changed, 62 insertions(+), 9 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 4325b132e3..2ebfb4376a 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1746,6 +1746,17 @@ unsafe impl ExtensionType for CertificateIssuer { type Output = Stack; } +/// The CRL extension identifying how to access information and services for the issuer of the CRL +pub enum AuthorityInformationAccess {} + +// SAFETY: AuthorityInformationAccess is defined to be a stack of AccessDescription in the RFC +// and in OpenSSL. +unsafe impl ExtensionType for AuthorityInformationAccess { + const NID: Nid = Nid::from_raw(ffi::NID_info_access); + + type Output = Stack; +} + foreign_type_and_impl_send_sync! { type CType = ffi::X509_CRL; fn drop = ffi::X509_CRL_free; @@ -1915,6 +1926,36 @@ impl X509CrlRef { { unsafe { cvt_n(ffi::X509_CRL_verify(self.as_ptr(), key.as_ptr())).map(|n| n != 0) } } + + /// Get the criticality and value of an extension. + /// + /// This returns None if the extension is not present or occurs multiple times. + #[corresponds(X509_CRL_get_ext_d2i)] + pub fn extension(&self) -> Result, ErrorStack> { + let mut critical = -1; + let out = unsafe { + // SAFETY: self.as_ptr() is a valid pointer to an X509_CRL. + let ext = ffi::X509_CRL_get_ext_d2i( + self.as_ptr(), + T::NID.as_raw(), + &mut critical as *mut _, + ptr::null_mut(), + ); + // SAFETY: Extensions's contract promises that the type returned by + // OpenSSL here is T::Output. + T::Output::from_ptr_opt(ext as *mut _) + }; + match (critical, out) { + (0, Some(out)) => Ok(Some((false, out))), + (1, Some(out)) => Ok(Some((true, out))), + // -1 means the extension wasn't found, -2 means multiple were found. + (-1 | -2, _) => Ok(None), + // A critical value of 0 or 1 suggests success, but a null pointer + // was returned so something went wrong. + (0 | 1, None) => Err(ErrorStack::get()), + (c_int::MIN..=-2 | 2.., _) => panic!("OpenSSL should only return -2, -1, 0, or 1 for an extension's criticality but it returned {}", critical), + } + } } /// The result of peer certificate verification. diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index da3ce2fed2..69a9ca5cc4 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -34,7 +34,7 @@ use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] use libc::time_t; -use super::{CertificateIssuer, ReasonCode}; +use super::{AuthorityInformationAccess, CertificateIssuer, ReasonCode}; fn pkey() -> PKey { let rsa = Rsa::generate(2048).unwrap(); @@ -701,6 +701,17 @@ fn test_crl_entry_extensions() { let crl = include_bytes!("../../test/entry_extensions.crl"); let crl = X509Crl::from_pem(crl).unwrap(); + let (critical, access_info) = crl + .extension::() + .unwrap() + .expect("Authority Information Access extension should be present"); + assert!(!critical, "Authority Information Access extension is not critical"); + assert_eq!(access_info.len(), 1, "Authority Information Access should have one entry"); + assert_eq!(access_info[0].method().to_string(), "CA Issuers"); + assert_eq!( + access_info[0].location().uri(), + Some("http://www.example.com/ca.crt") + ); let revoked_certs = crl.get_revoked().unwrap(); let entry = &revoked_certs[0]; diff --git a/openssl/test/entry_extensions.crl b/openssl/test/entry_extensions.crl index 9654171cf1..5b0ee298ed 100644 --- a/openssl/test/entry_extensions.crl +++ b/openssl/test/entry_extensions.crl @@ -1,10 +1,11 @@ -----BEGIN X509 CRL----- -MIIBXDCCAQICAQEwCgYIKoZIzj0EAwIwETEPMA0GA1UEAwwGQ1JMIENBFw0yMzAz -MjgwOTQ5MThaFw0yMzA0MDQwOTUwMDdaMIGAMH4CFE+Y95/1pOqa6c9fUEJ8c04k -xu2PFw0yMzAzMjgwOTQ3MzNaMFcwLwYDVR0dAQH/BCUwI6QhMB8xCzAJBgNVBAYT -AkdCMRAwDgYDVQQDDAdUZXN0IENBMAoGA1UdFQQDCgEBMBgGA1UdGAQRGA8yMDIz -MDMyODA5NDQ0MFqgPTA7MB8GA1UdIwQYMBaAFNX1GZ0RWuC+4gz1wuy5H32T2W+R -MAoGA1UdFAQDAgEUMAwGA1UdHAQFMAOEAf8wCgYIKoZIzj0EAwIDSAAwRQIgbl7x -W+WVAb+zlvKcJLmHVuC+gbqR4jqwGIHHgQl2J8kCIQCo/sAF5sDqy/cL+fbzBeUe -YoY2h6lIkj9ENwU8ZCt03w== +MIIBojCCAUkCAQEwCgYIKoZIzj0EAwIwHTEbMBkGA1UEAwwSY3J5cHRvZ3JhcGh5 +LmlvIENBFw0yMzA3MjUxNDA1MzlaFw0yMzA4MDExNDA1MzlaMIGAMH4CFE+Y95/1 +pOqa6c9fUEJ8c04kxu2PFw0yMzA3MjUxNDA1MzlaMFcwLwYDVR0dAQH/BCUwI6Qh +MB8xCzAJBgNVBAYTAkdCMRAwDgYDVQQDDAdUZXN0IENBMAoGA1UdFQQDCgEBMBgG +A1UdGAQRGA8yMDIzMDcyNTE0MDUzOVqgeDB2MB8GA1UdIwQYMBaAFK6qKNgsGefh +XexO9WsIwiQ/73R8MAoGA1UdFAQDAgEUMAwGA1UdHAQFMAOEAf8wOQYIKwYBBQUH +AQEELTArMCkGCCsGAQUFBzAChh1odHRwOi8vd3d3LmV4YW1wbGUuY29tL2NhLmNy +dDAKBggqhkjOPQQDAgNHADBEAiB22SXxFnQUB41uxfyCvg2dAs2nFiR0r8jft/cd +G8zcKAIgeYkNOzRn4lyopK6J94rhm8jIIuJRj3Ns9XcH+91N370= -----END X509 CRL----- From c63efb942cc0bf67358d5d8b36097a7eff7176d8 Mon Sep 17 00:00:00 2001 From: Geoff Thomas Date: Tue, 25 Jul 2023 15:14:55 +0100 Subject: [PATCH 277/341] cargo fmt --- openssl/src/x509/tests.rs | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 69a9ca5cc4..a4a3de970c 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -705,8 +705,15 @@ fn test_crl_entry_extensions() { .extension::() .unwrap() .expect("Authority Information Access extension should be present"); - assert!(!critical, "Authority Information Access extension is not critical"); - assert_eq!(access_info.len(), 1, "Authority Information Access should have one entry"); + assert!( + !critical, + "Authority Information Access extension is not critical" + ); + assert_eq!( + access_info.len(), + 1, + "Authority Information Access should have one entry" + ); assert_eq!(access_info[0].method().to_string(), "CA Issuers"); assert_eq!( access_info[0].location().uri(), From ee4c126f89c31367c5ee202bd98ae5a99a9b8df5 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 1 Aug 2023 11:19:26 -0400 Subject: [PATCH 278/341] bump ci versions --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 33c352cd2c..dcdd28f32a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -158,10 +158,10 @@ jobs: - name: openssl version: vendored - name: openssl - version: 3.1.0 + version: 3.1.2 dl-path: / - name: openssl - version: 1.1.1t + version: 1.1.1v dl-path: / - name: openssl version: 1.1.0l From 8449b822854e29213756ad339abbfb833a73216e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 5 Aug 2023 12:40:24 -0400 Subject: [PATCH 279/341] Implement Deref[Mut] for Cipher on older OpenSSLs They don't do anything, but this can be useful when writing code that works with multiple versions of OpenSSL. --- openssl/src/cipher.rs | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index d26b93c261..f81895e513 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -12,6 +12,7 @@ use foreign_types::{ForeignTypeRef, Opaque}; use openssl_macros::corresponds; #[cfg(ossl300)] use std::ffi::CString; +use std::ops::{Deref, DerefMut}; #[cfg(ossl300)] use std::ptr; @@ -41,7 +42,6 @@ cfg_if! { cfg_if! { if #[cfg(ossl300)] { use foreign_types::ForeignType; - use std::ops::{Deref, DerefMut}; type Inner = *mut ffi::EVP_CIPHER; @@ -90,6 +90,22 @@ cfg_if! { } } else { enum Inner {} + + impl Deref for Cipher { + type Target = CipherRef; + + #[inline] + fn deref(&self) -> &Self::Target { + match self.0 {} + } + } + + impl DerefMut for Cipher { + #[inline] + fn deref_mut(&mut self) -> &mut Self::Target { + match self.0 {} + } + } } } From 12ee78d277e4f986ff7da5572d42059810b0f8e3 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 6 Aug 2023 19:02:25 +1200 Subject: [PATCH 280/341] changelog and version bump --- openssl-sys/CHANGELOG.md | 10 +++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 14 +++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 25 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 1fbbbd499b..3a1a1f1865 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,9 +2,16 @@ ## [Unreleased] +## [v0.9.91] - 2023-08-06 + ### Added * Expose `poly1305_state`, `CRYPTO_poly1305_init`, `CRYPTO_poly1305_update`, and `CRYPTO_poly1305_finish` on BoringSSL and LibreSSL. +* Fix detection of libraries on OpenBSD. +* Added `EC_POINT_point2hex` and `EC_POINT_hex2point`. +* Added `EVP_PKEY_verify_recover_init`, `EVP_PKEY_verify_recover`, and `EVP_PKEY_CTX_set_signature_md`. +* Added `EVP_CIPHER_CTX_FLAG_WRAP_ALLOW` and `EVP_CTX_set_flags`. +* Added `BN_mod_sqrt`. ## [v0.9.90] - 2023-06-20 @@ -483,7 +490,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.90..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.91..master +[v0.9.91]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.90...openssl-sys-v0.9.91 [v0.9.90]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.89...openssl-sys-v0.9.90 [v0.9.89]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88...openssl-sys-v0.9.89 [v0.9.88]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87...openssl-sys-v0.9.88 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 9b102fa8dc..3caa72fa79 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.90" +version = "0.9.91" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index a0622ecccd..b6bbbb9ce7 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,17 @@ ## [Unreleased] +## [v0.10.56] - 2023-08-06 + +## Added + +* Added `BigNumRef::mod_sqrt`. +* Added `PkeyCtxRef::set_signature_md` and `PkeyCtxRef::set_rsa_pss_saltlen`. +* Added `PkeyCtxRef::verify_recover_init` and `PkeyCtxRef::verify_recover`. +* Added `BigNumRef::is_even` and `BigNumRef::is_odd`. +* Added `EcPointRef::to_hex_str` and `EcPoint::from_hex_str`. +* Added support for AES key wrap and wrap pad. + ## [v0.10.55] - 2023-06-20 ### Fixed @@ -776,7 +787,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.56...master +[v0.10.56]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...openssl-v0.10.56 [v0.10.55]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...openssl-v0.10.55 [v0.10.54]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...openssl-v0.10.54 [v0.10.53]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 956d08cf9e..17f82ca843 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.55" +version = "0.10.56" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.89", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.91", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From ca438e2b32a4dff8d0500109a42eafb91eee74a2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 10 Aug 2023 18:59:36 -0400 Subject: [PATCH 281/341] Expose chacha20_poly1305 on LibreSSL --- openssl-sys/src/handwritten/evp.rs | 2 +- openssl/src/cipher.rs | 2 +- openssl/src/symm.rs | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 7da92eeeb8..9ebe212c42 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -367,7 +367,7 @@ extern "C" { pub fn EVP_aes_256_wrap_pad() -> *const EVP_CIPHER; #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn EVP_chacha20() -> *const EVP_CIPHER; - #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] + #[cfg(all(any(ossl110, libressl360), not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn EVP_chacha20_poly1305() -> *const EVP_CIPHER; #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] pub fn EVP_seed_cbc() -> *const EVP_CIPHER; diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index f81895e513..2b89861365 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -435,7 +435,7 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_chacha20() as *mut _) } } - #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] + #[cfg(all(any(ossl110, libressl360), not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn chacha20_poly1305() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_chacha20_poly1305() as *mut _) } } diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index c1dbdfee7b..7ebb70338e 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -295,7 +295,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] + #[cfg(all(any(ossl110, libressl360), not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn chacha20_poly1305() -> Cipher { unsafe { Cipher(ffi::EVP_chacha20_poly1305()) } } @@ -1493,7 +1493,7 @@ mod tests { } #[test] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] fn test_chacha20_poly1305() { let key = "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"; let iv = "070000004041424344454647"; From 19b7a64b6dd93a2bccfbedd89e9f1db3f6711a83 Mon Sep 17 00:00:00 2001 From: John Tyner Date: Sun, 20 Aug 2023 19:46:03 -0400 Subject: [PATCH 282/341] Add openssl::cipher_ctx::CipherCtx::clone --- openssl-sys/src/handwritten/evp.rs | 2 ++ openssl/src/cipher_ctx.rs | 9 +++++++++ 2 files changed, 11 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 9ebe212c42..e8ad6aa2d7 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -271,6 +271,8 @@ const_ptr_api! { extern "C" { pub fn EVP_CIPHER_CTX_new() -> *mut EVP_CIPHER_CTX; pub fn EVP_CIPHER_CTX_free(ctx: *mut EVP_CIPHER_CTX); + pub fn EVP_CIPHER_CTX_copy(dst: *mut EVP_CIPHER_CTX, src: *const EVP_CIPHER_CTX) -> c_int; + pub fn EVP_MD_CTX_copy_ex(dst: *mut EVP_MD_CTX, src: *const EVP_MD_CTX) -> c_int; #[cfg(ossl111)] pub fn EVP_MD_CTX_reset(ctx: *mut EVP_MD_CTX) -> c_int; diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 56d0d26700..714a0815af 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -102,6 +102,15 @@ impl CipherCtx { Ok(CipherCtx::from_ptr(ptr)) } } + + #[corresponds(EVP_CIPHER_CTX_copy)] + pub fn clone(&self) -> Result { + let n = CipherCtx::new()?; + unsafe { + cvt(ffi::EVP_CIPHER_CTX_copy(n.as_ptr(), self.as_ptr()))?; + } + Ok(n) + } } impl CipherCtxRef { From f3a35f87ce4d77c827abcf96b34419e955514bbb Mon Sep 17 00:00:00 2001 From: John Tyner Date: Mon, 21 Aug 2023 07:54:49 -0400 Subject: [PATCH 283/341] replace clone() with copy() to better mimic openssl interface --- openssl/src/cipher_ctx.rs | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 714a0815af..25d1060eba 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -102,18 +102,17 @@ impl CipherCtx { Ok(CipherCtx::from_ptr(ptr)) } } +} +impl CipherCtxRef { #[corresponds(EVP_CIPHER_CTX_copy)] - pub fn clone(&self) -> Result { - let n = CipherCtx::new()?; + pub fn copy(&mut self, src: &CipherCtx) -> Result<(), ErrorStack> { unsafe { - cvt(ffi::EVP_CIPHER_CTX_copy(n.as_ptr(), self.as_ptr()))?; + cvt(ffi::EVP_CIPHER_CTX_copy(self.as_ptr(), src.as_ptr()))?; + Ok(()) } - Ok(n) } -} -impl CipherCtxRef { /// Initializes the context for encryption. /// /// Normally this is called once to set all of the cipher, key, and IV. However, this process can be split up From d2663601fcf41ab9727a0dfa8d3540eb1419fcec Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 21 Aug 2023 17:54:02 -0700 Subject: [PATCH 284/341] Update openssl/src/cipher_ctx.rs --- openssl/src/cipher_ctx.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 25d1060eba..f9031d2976 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -106,7 +106,7 @@ impl CipherCtx { impl CipherCtxRef { #[corresponds(EVP_CIPHER_CTX_copy)] - pub fn copy(&mut self, src: &CipherCtx) -> Result<(), ErrorStack> { + pub fn copy(&mut self, src: &CipherCtxRef) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_CIPHER_CTX_copy(self.as_ptr(), src.as_ptr()))?; Ok(()) From c317ffe6254c28be6fc4ca60b5ca54a37e556e49 Mon Sep 17 00:00:00 2001 From: Daniel Houck Date: Tue, 22 Aug 2023 19:46:34 -0400 Subject: [PATCH 285/341] Add X509VerifyParam::set_email This is substantially similar to the other X.509 verification parameter options like host. --- openssl-sys/src/handwritten/x509_vfy.rs | 6 ++++++ openssl/CHANGELOG.md | 3 +++ openssl/src/x509/verify.rs | 15 +++++++++++++++ 3 files changed, 24 insertions(+) diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs index 9adf63fa0e..a560e586d8 100644 --- a/openssl-sys/src/handwritten/x509_vfy.rs +++ b/openssl-sys/src/handwritten/x509_vfy.rs @@ -118,6 +118,12 @@ extern "C" { #[cfg(any(ossl102, libressl261))] pub fn X509_VERIFY_PARAM_set_hostflags(param: *mut X509_VERIFY_PARAM, flags: c_uint); #[cfg(any(ossl102, libressl261))] + pub fn X509_VERIFY_PARAM_set1_email( + param: *mut X509_VERIFY_PARAM, + email: *const c_char, + emaillen: size_t, + ) -> c_int; + #[cfg(any(ossl102, libressl261))] pub fn X509_VERIFY_PARAM_set1_ip( param: *mut X509_VERIFY_PARAM, ip: *const c_uchar, diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index b6bbbb9ce7..6c7f532d85 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,9 @@ ## [Unreleased] +### Added + * Added `X509VerifyParam::set_email` + ## [v0.10.56] - 2023-08-06 ## Added diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index e8481c551c..9e2caa5500 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -131,6 +131,21 @@ impl X509VerifyParamRef { } } + /// Set the expected email address. + #[corresponds(X509_VERIFY_PARAM_set1_email)] + pub fn set_email(&mut self, email: &str) -> Result<(), ErrorStack> { + unsafe { + // len == 0 means "run strlen" :( + let raw_email = if email.is_empty() { "\0" } else { email }; + cvt(ffi::X509_VERIFY_PARAM_set1_email( + self.as_ptr(), + raw_email.as_ptr() as *const _, + email.len(), + )) + .map(|_| ()) + } + } + /// Set the expected IPv4 or IPv6 address. #[corresponds(X509_VERIFY_PARAM_set1_ip)] pub fn set_ip(&mut self, ip: IpAddr) -> Result<(), ErrorStack> { From 970895159a7817e384b4a9fdbedb2744e85e3e6f Mon Sep 17 00:00:00 2001 From: Jade Ellis Date: Sat, 26 Aug 2023 14:38:54 +0000 Subject: [PATCH 286/341] Add perl-FindBin dep for fedora Compilation in fedora fails without this installed with message: --- stderr Can't locate FindBin.pm in @INC (you may need to install the FindBin module) ... --- openssl/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index c2c390cc1b..fe29d02293 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -44,7 +44,7 @@ //! $ sudo apt-get install pkg-config libssl-dev //! //! # Fedora -//! $ sudo dnf install pkg-config openssl-devel +//! $ sudo dnf install pkg-config perl-FindBin openssl-devel //! //! # Alpine Linux //! $ apk add pkgconfig openssl-dev From 03bc8192d28373fdbe4da4f443c2990ff4180ce0 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 26 Aug 2023 10:57:17 -0400 Subject: [PATCH 287/341] clippy --- openssl-sys/src/rsa.rs | 2 +- openssl/src/encrypt.rs | 6 +++--- openssl/src/ssl/callbacks.rs | 9 +++++++++ openssl/src/ssl/mod.rs | 1 + openssl/src/x509/mod.rs | 2 ++ 5 files changed, 16 insertions(+), 4 deletions(-) diff --git a/openssl-sys/src/rsa.rs b/openssl-sys/src/rsa.rs index ff30cf1e23..64107cd6b2 100644 --- a/openssl-sys/src/rsa.rs +++ b/openssl-sys/src/rsa.rs @@ -76,7 +76,7 @@ pub unsafe fn EVP_PKEY_CTX_set0_rsa_oaep_label( EVP_PKEY_OP_TYPE_CRYPT, EVP_PKEY_CTRL_RSA_OAEP_LABEL, len, - label as *mut c_void, + label, ) } diff --git a/openssl/src/encrypt.rs b/openssl/src/encrypt.rs index d3db0fd414..4522146f89 100644 --- a/openssl/src/encrypt.rs +++ b/openssl/src/encrypt.rs @@ -40,7 +40,7 @@ //! assert_eq!(&*decrypted, data); //! ``` #[cfg(any(ossl102, libressl310))] -use libc::{c_int, c_void}; +use libc::c_int; use std::{marker::PhantomData, ptr}; use crate::error::ErrorStack; @@ -174,7 +174,7 @@ impl<'a> Encrypter<'a> { cvt(ffi::EVP_PKEY_CTX_set0_rsa_oaep_label( self.pctx, - p as *mut c_void, + p, label.len() as c_int, )) .map(|_| ()) @@ -378,7 +378,7 @@ impl<'a> Decrypter<'a> { cvt(ffi::EVP_PKEY_CTX_set0_rsa_oaep_label( self.pctx, - p as *mut c_void, + p, label.len() as c_int, )) .map(|_| ()) diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index 091b1fb771..c6414fb517 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs @@ -86,6 +86,7 @@ where }; // Give the callback mutable slices into which it can write the identity and psk. let identity_sl = slice::from_raw_parts_mut(identity as *mut u8, max_identity_len as usize); + #[allow(clippy::unnecessary_cast)] let psk_sl = slice::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); match (*callback)(ssl, hint, identity_sl, psk_sl) { Ok(psk_len) => psk_len as u32, @@ -124,6 +125,7 @@ where Some(CStr::from_ptr(identity).to_bytes()) }; // Give the callback mutable slices into which it can write the psk. + #[allow(clippy::unnecessary_cast)] let psk_sl = slice::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); match (*callback)(ssl, identity, psk_sl) { Ok(psk_len) => psk_len as u32, @@ -194,6 +196,7 @@ where .ssl_context() .ex_data(SslContext::cached_ex_index::()) .expect("BUG: alpn callback missing") as *const F; + #[allow(clippy::unnecessary_cast)] let protos = slice::from_raw_parts(inbuf as *const u8, inlen as usize); match (*callback)(ssl, protos) { @@ -412,6 +415,7 @@ where .expect("BUG: session context missing") .ex_data(SslContext::cached_ex_index::()) .expect("BUG: get session callback missing") as *const F; + #[allow(clippy::unnecessary_cast)] let data = slice::from_raw_parts(data as *const u8, len as usize); match (*callback)(ssl, data) { @@ -455,6 +459,7 @@ where .ssl_context() .ex_data(SslContext::cached_ex_index::()) .expect("BUG: stateless cookie generate callback missing") as *const F; + #[allow(clippy::unnecessary_cast)] let slice = slice::from_raw_parts_mut(cookie as *mut u8, ffi::SSL_COOKIE_LENGTH as usize); match (*callback)(ssl, slice) { Ok(len) => { @@ -482,6 +487,7 @@ where .ssl_context() .ex_data(SslContext::cached_ex_index::()) .expect("BUG: stateless cookie verify callback missing") as *const F; + #[allow(clippy::unnecessary_cast)] let slice = slice::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len); (*callback)(ssl, slice) as c_int } @@ -503,6 +509,7 @@ where .expect("BUG: cookie generate callback missing") as *const F; // We subtract 1 from DTLS1_COOKIE_LENGTH as the ostensible value, 256, is erroneous but retained for // compatibility. See comments in dtls1.h. + #[allow(clippy::unnecessary_cast)] let slice = slice::from_raw_parts_mut(cookie as *mut u8, ffi::DTLS1_COOKIE_LENGTH as usize - 1); match (*callback)(ssl, slice) { @@ -542,6 +549,7 @@ where .ssl_context() .ex_data(SslContext::cached_ex_index::()) .expect("BUG: cookie verify callback missing") as *const F; + #[allow(clippy::unnecessary_cast)] let slice = slice::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len as usize); (*callback)(ssl, slice) as c_int @@ -654,6 +662,7 @@ where .ex_data(SslContext::cached_ex_index::()) .expect("BUG: custom ext parse callback missing") as *const F; let ectx = ExtensionContext::from_bits_truncate(context); + #[allow(clippy::unnecessary_cast)] let slice = slice::from_raw_parts(input as *const u8, inlen); let cert = if ectx.contains(ExtensionContext::TLS1_3_CERTIFICATE) { Some((chainidx, X509Ref::from_ptr(x))) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 270b4dd87b..bdfbfc14f0 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -2132,6 +2132,7 @@ impl SslSessionRef { unsafe { let mut len = 0; let p = ffi::SSL_SESSION_get_id(self.as_ptr(), &mut len); + #[allow(clippy::unnecessary_cast)] slice::from_raw_parts(p as *const u8, len as usize) } } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 4325b132e3..24605df806 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -2102,6 +2102,7 @@ impl GeneralNameRef { let ptr = ASN1_STRING_get0_data(d as *mut _); let len = ffi::ASN1_STRING_length(d as *mut _); + #[allow(clippy::unnecessary_cast)] let slice = slice::from_raw_parts(ptr as *const u8, len as usize); // IA5Strings are stated to be ASCII (specifically IA5). Hopefully // OpenSSL checks that when loading a certificate but if not we'll @@ -2155,6 +2156,7 @@ impl GeneralNameRef { let ptr = ASN1_STRING_get0_data(d as *mut _); let len = ffi::ASN1_STRING_length(d as *mut _); + #[allow(clippy::unnecessary_cast)] Some(slice::from_raw_parts(ptr as *const u8, len as usize)) } } From 2d8f2f6a7f324b2676d99e382c095307e818dff8 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 26 Aug 2023 20:30:35 -0400 Subject: [PATCH 288/341] Release openssl v0.10.57 and openssl-sys v0.9.92 --- openssl-sys/CHANGELOG.md | 11 ++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 12 ++++++++++-- openssl/Cargo.toml | 4 ++-- 4 files changed, 23 insertions(+), 6 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 3a1a1f1865..9166bd5aca 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,14 @@ ## [Unreleased] +## [v0.9.92] - 2023-08-27 + +### Added + +* Added `EVP_CIPHER_CTX_copy` +* Expose `EVP_chacha20_poly1305` on LibreSSL +* Added `X509_VERIFY_PARAM_set1_email` + ## [v0.9.91] - 2023-08-06 ### Added @@ -490,7 +498,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.91..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.92..master +[v0.9.92]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.91...openssl-sys-v0.9.92 [v0.9.91]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.90...openssl-sys-v0.9.91 [v0.9.90]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.89...openssl-sys-v0.9.90 [v0.9.89]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88...openssl-sys-v0.9.89 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 3caa72fa79..98a7c793be 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.91" +version = "0.9.92" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 6c7f532d85..f5409b1222 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,8 +2,15 @@ ## [Unreleased] +## [v0.10.57] - 2023-08-27 + ### Added - * Added `X509VerifyParam::set_email` +* Added `X509VerifyParam::set_email` +* `Cipher::chacha20_poly1305` is now available on LibreSSL +* Added `CipherCtx::copy` + +### Changed +* Updated `bitflags` dependecy to the 2.x series ## [v0.10.56] - 2023-08-06 @@ -790,7 +797,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.56...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.57...master +[v0.10.57]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.56...openssl-v0.10.57 [v0.10.56]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...openssl-v0.10.56 [v0.10.55]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...openssl-v0.10.55 [v0.10.54]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...openssl-v0.10.54 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 8a646b4502..ec8beaef9c 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.56" +version = "0.10.57" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.91", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.92", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From fc1ca1f6c7251e79e51284d10bb2310eda7f9355 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 1 Sep 2023 08:51:22 -0400 Subject: [PATCH 289/341] LibreSSL 3.8.1 support --- .github/workflows/ci.yml | 2 +- openssl-sys/build/cfgs.rs | 3 +++ openssl-sys/build/main.rs | 5 +++-- openssl-sys/src/crypto.rs | 2 +- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dcdd28f32a..196f41f450 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -202,7 +202,7 @@ jobs: bindgen: false library: name: libressl - version: 3.8.0 + version: 3.8.1 name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} runs-on: ubuntu-latest env: diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index 2f3ff3eafd..34a58f7d68 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -53,6 +53,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x3_07_00_00_0 { cfgs.push("libressl370"); } + if libressl_version >= 0x3_08_01_00_0 { + cfgs.push("libressl381"); + } } else { let openssl_version = openssl_version.unwrap(); diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 21ccf3d037..82013b6c7d 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -273,6 +273,7 @@ See rust-openssl documentation for more information: (3, 7, 1) => ('3', '7', '1'), (3, 7, _) => ('3', '7', 'x'), (3, 8, 0) => ('3', '8', '0'), + (3, 8, 1) => ('3', '8', '1'), _ => version_error(), }; @@ -314,8 +315,8 @@ fn version_error() -> ! { panic!( " -This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.8.0, but a different version of OpenSSL was found. The build is now aborting +This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3), or LibreSSL 2.5 +through 3.8.1, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " diff --git a/openssl-sys/src/crypto.rs b/openssl-sys/src/crypto.rs index 35be07eada..bdc0add156 100644 --- a/openssl-sys/src/crypto.rs +++ b/openssl-sys/src/crypto.rs @@ -106,7 +106,7 @@ pub const CRYPTO_LOCK_SSL_CTX: c_int = 12; pub const CRYPTO_LOCK_SSL_SESSION: c_int = 14; cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, libressl381))] { pub const CRYPTO_EX_INDEX_SSL: c_int = 0; pub const CRYPTO_EX_INDEX_SSL_CTX: c_int = 1; } else if #[cfg(libressl)] { From 6b3b9fc039d45446c8308aceeee8dfc5e3ff69fa Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 4 Sep 2023 16:04:07 -0400 Subject: [PATCH 290/341] Release openssl-sys v0.9.93 --- openssl-sys/CHANGELOG.md | 13 ++++++++++++- openssl-sys/Cargo.toml | 2 +- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 9166bd5aca..8d2a65574b 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,16 @@ ## [Unreleased] +## [v0.9.93] - 2023-09-04 + +### Changed + +* The `vendored` Cargo feature now builds OpenSSL 3.1, as 1.1.1 is reaching its EOL. + +### Added + +* Added support for LibreSSL 3.8.1. + ## [v0.9.92] - 2023-08-27 ### Added @@ -498,7 +508,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.92..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.93..master +[v0.9.93]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.92...openssl-sys-v0.9.93 [v0.9.92]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.91...openssl-sys-v0.9.92 [v0.9.91]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.90...openssl-sys-v0.9.91 [v0.9.90]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.89...openssl-sys-v0.9.90 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 885f105832..44fc45a71b 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.92" +version = "0.9.93" authors = [ "Alex Crichton ", "Steven Fackler ", From d27ab95cdca2e05275b78158bbb222009a24c290 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Fri, 8 Sep 2023 16:44:47 -0400 Subject: [PATCH 291/341] Test against 3.2.0-alpha1 --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 196f41f450..54e7fd2e84 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -157,6 +157,9 @@ jobs: version: bcecc7d834fc44ad257b2f23f88e1cf597ab2736 - name: openssl version: vendored + - name: openssl + version: 3.2.0-alpha1 + dl-path: / - name: openssl version: 3.1.2 dl-path: / From efefb22d15034e270fbebd91cb29b1ca156a6da3 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Fri, 8 Sep 2023 18:53:50 -0400 Subject: [PATCH 292/341] Fix const --- openssl-sys/build/cfgs.rs | 3 +++ openssl-sys/src/x509v3.rs | 10 +++++++++- openssl/build.rs | 3 +++ openssl/src/x509/mod.rs | 2 ++ 4 files changed, 17 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index 34a58f7d68..8ee6f62373 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -59,6 +59,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& } else { let openssl_version = openssl_version.unwrap(); + if openssl_version >= 0x3_02_00_00_0 { + cfgs.push("ossl320"); + } if openssl_version >= 0x3_00_00_00_0 { cfgs.push("ossl300"); } diff --git a/openssl-sys/src/x509v3.rs b/openssl-sys/src/x509v3.rs index d2ff53489e..230dea1736 100644 --- a/openssl-sys/src/x509v3.rs +++ b/openssl-sys/src/x509v3.rs @@ -89,8 +89,16 @@ pub const X509_PURPOSE_CRL_SIGN: c_int = 6; pub const X509_PURPOSE_ANY: c_int = 7; pub const X509_PURPOSE_OCSP_HELPER: c_int = 8; pub const X509_PURPOSE_TIMESTAMP_SIGN: c_int = 9; +#[cfg(ossl320)] +pub const X509_PURPOSE_CODE_SIGN: c_int = 10; pub const X509_PURPOSE_MIN: c_int = 1; -pub const X509_PURPOSE_MAX: c_int = 9; +cfg_if! { + if #[cfg(ossl320)] { + pub const X509_PURPOSE_MAX: c_int = 10; + } else { + pub const X509_PURPOSE_MAX: c_int = 9; + } +} pub const CRL_REASON_UNSPECIFIED: c_int = 0; pub const CRL_REASON_KEY_COMPROMISE: c_int = 1; diff --git a/openssl/build.rs b/openssl/build.rs index 0a974b33e6..d5a7ac4039 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -102,6 +102,9 @@ fn main() { if version >= 0x3_01_00_00_0 { println!("cargo:rustc-cfg=ossl310"); } + if version >= 0x3_02_00_00_0 { + println!("cargo:rustc-cfg=ossl320"); + } } if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 24605df806..cc900e3936 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -2459,6 +2459,8 @@ impl X509PurposeId { pub const ANY: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_ANY); pub const OCSP_HELPER: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_OCSP_HELPER); pub const TIMESTAMP_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_TIMESTAMP_SIGN); + #[cfg(ossl320)] + pub const CODE_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_CODE_SIGN); /// Constructs an `X509PurposeId` from a raw OpenSSL value. pub fn from_raw(id: c_int) -> Self { From d9348649ac98fda3dac3315b7da9fdf55f729515 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 9 Sep 2023 12:41:57 -0400 Subject: [PATCH 293/341] Removed reference to non-existent method --- openssl/src/cipher_ctx.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index f9031d2976..1769ee9716 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -548,7 +548,7 @@ impl CipherCtxRef { /// # Panics /// /// Panics if `output` doesn't contain enough space for data to be - /// written as specified by [`Self::minimal_output_size`]. + /// written. #[corresponds(EVP_CipherUpdate)] pub fn cipher_update( &mut self, From 1bedd863e3add9e4c6d5b5adf55ccc3f1765a0bd Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 11 Sep 2023 11:32:43 -0400 Subject: [PATCH 294/341] Bump CI to 1.1.1w --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 54e7fd2e84..7638597ef1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -164,7 +164,7 @@ jobs: version: 3.1.2 dl-path: / - name: openssl - version: 1.1.1v + version: 1.1.1w dl-path: / - name: openssl version: 1.1.0l From ee008fccda2cbd001efd33f7df8f260d393b81f8 Mon Sep 17 00:00:00 2001 From: John Gallagher Date: Tue, 12 Sep 2023 15:29:38 -0400 Subject: [PATCH 295/341] [openssl-sys] Add X509_check_{host,email,ip,ip_asc} fns --- openssl-sys/src/handwritten/x509v3.rs | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 2ee0452597..69a3bc2ff2 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -145,3 +145,21 @@ extern "C" { pub fn DIST_POINT_free(dist_point: *mut DIST_POINT); pub fn DIST_POINT_NAME_free(dist_point: *mut DIST_POINT_NAME); } + +extern "C" { + pub fn X509_check_host( + x: *mut X509, + chk: *const c_char, + chklen: usize, + flags: c_uint, + peername: *mut *mut c_char, + ) -> c_int; + pub fn X509_check_email( + x: *mut X509, + chk: *const c_char, + chklen: usize, + flags: c_uint, + ) -> c_int; + pub fn X509_check_ip(x: *mut X509, chk: *const c_uchar, chklen: usize, flags: c_uint) -> c_int; + pub fn X509_check_ip_asc(x: *mut X509, ipasc: *const c_char, flags: c_uint) -> c_int; +} From 2dc8f96dd78431d557e243bd839efd710297bd6c Mon Sep 17 00:00:00 2001 From: John Gallagher Date: Tue, 12 Sep 2023 15:58:16 -0400 Subject: [PATCH 296/341] add cfg guard --- openssl-sys/src/handwritten/x509v3.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 69a3bc2ff2..2f59bf6663 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -146,6 +146,7 @@ extern "C" { pub fn DIST_POINT_NAME_free(dist_point: *mut DIST_POINT_NAME); } +#[cfg(ossl102)] extern "C" { pub fn X509_check_host( x: *mut X509, From 2f269c9ecd262bb5f4a9e78524449788d7d33de0 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 19 Sep 2023 09:57:00 -0400 Subject: [PATCH 297/341] Bump CI to 3.1.3 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7638597ef1..bf58049444 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -161,7 +161,7 @@ jobs: version: 3.2.0-alpha1 dl-path: / - name: openssl - version: 3.1.2 + version: 3.1.3 dl-path: / - name: openssl version: 1.1.1w From 5f502a2918afcefecde80e59cf25d0525809a930 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 26 Sep 2023 18:44:33 -0400 Subject: [PATCH 298/341] Expose CBC mode for several more (bad) ciphers --- openssl-sys/src/handwritten/evp.rs | 10 ++++++++++ openssl/src/symm.rs | 25 +++++++++++++++++++++++++ 2 files changed, 35 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index e8ad6aa2d7..96cc814cc2 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -396,23 +396,33 @@ extern "C" { #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] pub fn EVP_camellia_128_ecb() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_128_cbc() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] pub fn EVP_camellia_192_cfb128() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] pub fn EVP_camellia_192_ecb() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_192_cbc() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] pub fn EVP_camellia_256_cfb128() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] pub fn EVP_camellia_256_ecb() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_256_cbc() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] pub fn EVP_cast5_cfb64() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] pub fn EVP_cast5_ecb() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] + pub fn EVP_cast5_cbc() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] pub fn EVP_idea_cfb64() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] pub fn EVP_idea_ecb() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + pub fn EVP_idea_cbc() -> *const EVP_CIPHER; #[cfg(not(ossl110))] pub fn OPENSSL_add_all_algorithms_noconf(); diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 7ebb70338e..52dc1f0bc6 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -288,6 +288,26 @@ impl Cipher { unsafe { Cipher(ffi::EVP_rc4()) } } + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia_128_cbc() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_128_cbc()) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia_192_cbc() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_192_cbc()) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia_256_cbc() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_256_cbc()) } + } + + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] + pub fn cast5_cbc() -> Cipher { + unsafe { Cipher(ffi::EVP_cast5_cbc()) } + } + /// Requires OpenSSL 1.1.0 or newer. #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn chacha20() -> Cipher { @@ -300,6 +320,11 @@ impl Cipher { unsafe { Cipher(ffi::EVP_chacha20_poly1305()) } } + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + pub fn idea_cbc() -> Cipher { + unsafe { Cipher(ffi::EVP_idea_cbc()) } + } + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED")))] pub fn seed_cbc() -> Cipher { unsafe { Cipher(ffi::EVP_seed_cbc()) } From f1f5169b19a21b42cbca43cc723b3fc9da5576cf Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 27 Sep 2023 07:22:21 -0400 Subject: [PATCH 299/341] Expose two additional Pkey IDs --- openssl-sys/src/evp.rs | 4 ++++ openssl-sys/src/obj_mac.rs | 2 ++ openssl/src/pkey.rs | 4 ++++ 3 files changed, 10 insertions(+) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index d2ca215407..fcbee00ec6 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -7,8 +7,12 @@ pub const PKCS5_SALT_LEN: c_int = 8; pub const PKCS12_DEFAULT_ITER: c_int = 2048; pub const EVP_PKEY_RSA: c_int = NID_rsaEncryption; +#[cfg(any(openssl111, boringssl))] +pub const EVP_PKEY_RSA_PSS: c_int = NID_rsassaPss; pub const EVP_PKEY_DSA: c_int = NID_dsa; pub const EVP_PKEY_DH: c_int = NID_dhKeyAgreement; +#[cfg(ossl110)] +pub const EVP_PKEY_DHX: c_int = NID_dhpublicnumber; pub const EVP_PKEY_EC: c_int = NID_X9_62_id_ecPublicKey; #[cfg(ossl111)] pub const EVP_PKEY_SM2: c_int = NID_sm2; diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 6ae48834b5..1b24c3cbd8 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -135,6 +135,8 @@ pub const NID_sha512WithRSAEncryption: c_int = 670; pub const NID_sha224WithRSAEncryption: c_int = 671; pub const NID_pkcs3: c_int = 27; pub const NID_dhKeyAgreement: c_int = 28; +#[cfg(ossl110)] +pub const NID_dhpublicnumber: c_int = 920; pub const NID_pkcs5: c_int = 187; pub const NID_pbeWithMD2AndDES_CBC: c_int = 9; pub const NID_pbeWithMD5AndDES_CBC: c_int = 10; diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 453aeed72f..fab4f5d118 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -78,12 +78,16 @@ pub struct Id(c_int); impl Id { pub const RSA: Id = Id(ffi::EVP_PKEY_RSA); + #[cfg(any(openssl111, boringssl))] + pub const RSA_PSS: Id = Id(ffi::EVP_PKEY_RSA_PSS); #[cfg(not(boringssl))] pub const HMAC: Id = Id(ffi::EVP_PKEY_HMAC); #[cfg(not(boringssl))] pub const CMAC: Id = Id(ffi::EVP_PKEY_CMAC); pub const DSA: Id = Id(ffi::EVP_PKEY_DSA); pub const DH: Id = Id(ffi::EVP_PKEY_DH); + #[cfg(ossl110)] + pub const DHX: Id = Id(ffi::EVP_PKEY_DHX); pub const EC: Id = Id(ffi::EVP_PKEY_EC); #[cfg(ossl111)] pub const SM2: Id = Id(ffi::EVP_PKEY_SM2); From f2217fd13903601ecd0e547cd5ce79d751c7c348 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 28 Sep 2023 14:32:52 -0400 Subject: [PATCH 300/341] Bump CI to 3.2.0-alpha2 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bf58049444..02dc46598f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -158,7 +158,7 @@ jobs: - name: openssl version: vendored - name: openssl - version: 3.2.0-alpha1 + version: 3.2.0-alpha2 dl-path: / - name: openssl version: 3.1.3 From 7e52fe6d828c3c5d6bb30c7e96a0f708a910132f Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Tue, 10 Oct 2023 14:00:16 +0200 Subject: [PATCH 301/341] Fix clippy error indicating error in implementation --- openssl/src/bn.rs | 2 +- openssl/src/x509/mod.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index c75fac1d70..a67d0807aa 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -1229,7 +1229,7 @@ impl Ord for BigNumRef { impl PartialOrd for BigNum { fn partial_cmp(&self, oth: &BigNum) -> Option { - self.deref().partial_cmp(oth.deref()) + Some(self.cmp(oth)) } } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index d211006b78..97242ff4d8 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -832,7 +832,7 @@ impl Ord for X509 { impl PartialOrd for X509 { fn partial_cmp(&self, other: &Self) -> Option { - X509Ref::partial_cmp(self, other) + Some(self.cmp(other)) } } From 0773149c60436ed01559dee161de58eaf7ca0019 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Tue, 10 Oct 2023 14:00:38 +0200 Subject: [PATCH 302/341] Upgrade ctest2 to mitigate `mem::forget` warnings --- systest/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systest/Cargo.toml b/systest/Cargo.toml index 97a5405b0e..d1e55ac3f2 100644 --- a/systest/Cargo.toml +++ b/systest/Cargo.toml @@ -9,7 +9,7 @@ libc = "0.2" openssl-sys = { path = "../openssl-sys" } [build-dependencies] -ctest2 = "0.4" +ctest2 = "0.4.7" [features] vendored = ['openssl-sys/vendored'] From 32734b756a9cbf7c3312dd14a27a1046e010e528 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Wed, 11 Oct 2023 12:27:35 +0200 Subject: [PATCH 303/341] Fix `hostent` re-export warning by explicitly re-exporting only `c_int` --- openssl-sys/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 784b7637e1..0e23386fd3 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -11,7 +11,7 @@ #![recursion_limit = "128"] // configure fixed limit across all rust versions extern crate libc; -pub use libc::*; +pub use libc::c_int; #[cfg(feature = "unstable_boringssl")] extern crate bssl_sys; From 043b83d3a3f33f5b9020cde6f7dd2bfe84477c66 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 12 Oct 2023 13:05:10 -0400 Subject: [PATCH 304/341] Use osslconf on BoringSSL This reduces a bunch of special casing. Relies on changes from the latest BoringSSL HEAD. --- .github/workflows/ci.yml | 12 +++++------- openssl-sys/build/main.rs | 18 +++++++++++++----- openssl-sys/src/handwritten/evp.rs | 30 +++++++++++++++--------------- openssl/build.rs | 1 - openssl/src/cipher.rs | 26 ++++++++++---------------- openssl/src/dh.rs | 2 +- openssl/src/ec.rs | 6 +++--- openssl/src/hash.rs | 4 ++-- openssl/src/lib.rs | 4 ++-- openssl/src/md.rs | 2 -- openssl/src/symm.rs | 28 ++++++++++++++-------------- 11 files changed, 65 insertions(+), 68 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 02dc46598f..318441aa65 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -154,7 +154,7 @@ jobs: - false library: - name: boringssl - version: bcecc7d834fc44ad257b2f23f88e1cf597ab2736 + version: 8d71d244c0debac4079beeb02b5802fde59b94bd - name: openssl version: vendored - name: openssl @@ -239,7 +239,7 @@ jobs: - uses: actions/cache@v3 with: path: /opt/openssl - key: openssl-${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-2 + key: openssl-${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-6 if: matrix.library.version != 'vendored' id: openssl-cache - run: | @@ -313,11 +313,8 @@ jobs: make install # Copy stuff around so it's all as the build system expects. - cp -r rust/ "$OPENSSL_DIR/rust" - mkdir -p "$OPENSSL_DIR/crypto/" - mkdir -p "$OPENSSL_DIR/ssl/" - cp "$OPENSSL_DIR/lib/libcrypto.a" "$OPENSSL_DIR/crypto/" - cp "$OPENSSL_DIR/lib/libssl.a" "$OPENSSL_DIR/ssl/" + cp -r ../rust/ "$OPENSSL_DIR/rust" + cp -r ./ "$OPENSSL_DIR/build" esac if: matrix.library.version != 'vendored' && !steps.openssl-cache.outputs.cache-hit @@ -356,6 +353,7 @@ jobs: run: | if [[ "${{ matrix.library.name }}" == "boringssl" && "${{ matrix.bindgen }}" != "true" ]]; then features="--features unstable_boringssl" + BORINGSSL_BUILD_DIR="$OPENSSL_DIR/build/" fi if [[ "${{ matrix.library.version }}" == "vendored" ]]; then features="--features vendored" diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 738987b602..cd732ca46a 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -60,6 +60,14 @@ fn check_ssl_kind() { if cfg!(feature = "unstable_boringssl") { println!("cargo:rustc-cfg=boringssl"); println!("cargo:boringssl=true"); + + if let Ok(vars) = env::var("DEP_BSSL_CONF") { + for var in vars.split(',') { + println!("cargo:rustc-cfg=osslconf=\"{}\"", var); + } + println!("cargo:conf={}", vars); + } + // BoringSSL does not have any build logic, exit early std::process::exit(0); } @@ -223,6 +231,11 @@ See rust-openssl documentation for more information: } } + for enabled in &enabled { + println!("cargo:rustc-cfg=osslconf=\"{}\"", enabled); + } + println!("cargo:conf={}", enabled.join(",")); + if is_boringssl { println!("cargo:rustc-cfg=boringssl"); println!("cargo:boringssl=true"); @@ -233,11 +246,6 @@ See rust-openssl documentation for more information: // We set this for any non-BoringSSL lib. println!("cargo:rustc-cfg=openssl"); - for enabled in &enabled { - println!("cargo:rustc-cfg=osslconf=\"{}\"", enabled); - } - println!("cargo:conf={}", enabled.join(",")); - for cfg in cfgs::get(openssl_version, libressl_version) { println!("cargo:rustc-cfg={}", cfg); } diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 96cc814cc2..5a112fe8a1 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -391,37 +391,37 @@ extern "C" { #[cfg(all(any(ossl111, libressl291), not(osslconf = "OPENSSL_NO_SM4")))] pub fn EVP_sm4_ctr() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_128_cfb128() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_128_ecb() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_128_cbc() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_192_cfb128() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_192_ecb() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_192_cbc() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_256_cfb128() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_256_ecb() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_256_cbc() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn EVP_cast5_cfb64() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn EVP_cast5_ecb() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn EVP_cast5_cbc() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn EVP_idea_cfb64() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn EVP_idea_ecb() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn EVP_idea_cbc() -> *const EVP_CIPHER; #[cfg(not(ossl110))] diff --git a/openssl/build.rs b/openssl/build.rs index d5a7ac4039..4a5b6289ae 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -13,7 +13,6 @@ fn main() { if env::var("DEP_OPENSSL_BORINGSSL").is_ok() { println!("cargo:rustc-cfg=boringssl"); - return; } if let Ok(v) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index 2b89861365..088f393516 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -343,13 +343,11 @@ impl Cipher { } #[cfg(not(osslconf = "OPENSSL_NO_BF"))] - #[cfg(not(boringssl))] pub fn bf_cfb64() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_bf_cfb64() as *mut _) } } #[cfg(not(osslconf = "OPENSSL_NO_BF"))] - #[cfg(not(boringssl))] pub fn bf_ofb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_bf_ofb() as *mut _) } } @@ -380,52 +378,52 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_rc4() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia128_cfb128() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_128_cfb128() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia128_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_128_ecb() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia192_cfb128() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_192_cfb128() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia192_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_192_ecb() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia256_cfb128() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_256_cfb128() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia256_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_256_ecb() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn cast5_cfb64() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_cast5_cfb64() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn cast5_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_cast5_ecb() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn idea_cfb64() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_idea_cfb64() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn idea_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_idea_ecb() as *mut _) } } @@ -441,25 +439,21 @@ impl Cipher { } #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] - #[cfg(not(boringssl))] pub fn seed_cbc() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_seed_cbc() as *mut _) } } #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] - #[cfg(not(boringssl))] pub fn seed_cfb128() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_seed_cfb128() as *mut _) } } #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] - #[cfg(not(boringssl))] pub fn seed_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_seed_ecb() as *mut _) } } #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] - #[cfg(not(boringssl))] pub fn seed_ofb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_seed_ofb() as *mut _) } } diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index 7445e3408c..d46b9ee466 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -475,6 +475,6 @@ mod tests { let g = BigNum::from_hex_str("02").unwrap(); let dh2 = Dh::from_pqg(p, None, g).unwrap(); assert!(dh1.check_key().unwrap()); - assert!(!dh2.check_key().unwrap()); + assert!(matches!(dh2.check_key(), Ok(false) | Err(_))); } } diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index d541ddfc23..0dda1dbbce 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -195,7 +195,7 @@ impl EcGroupRef { /// a term in the polynomial. It will be set to 3 `1`s or 5 `1`s depending on /// using a trinomial or pentanomial. #[corresponds(EC_GROUP_get_curve_GF2m)] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_EC2M")))] + #[cfg(not(osslconf = "OPENSSL_NO_EC2M"))] pub fn components_gf2m( &self, p: &mut BigNumRef, @@ -586,7 +586,7 @@ impl EcPointRef { /// Places affine coordinates of a curve over a binary field in the provided /// `x` and `y` `BigNum`s #[corresponds(EC_POINT_get_affine_coordinates_GF2m)] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_EC2M")))] + #[cfg(not(osslconf = "OPENSSL_NO_EC2M"))] pub fn affine_coordinates_gf2m( &self, group: &EcGroupRef, @@ -1324,7 +1324,7 @@ mod test { } #[test] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_EC2M")))] + #[cfg(not(osslconf = "OPENSSL_NO_EC2M"))] fn is_on_curve() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let mut ctx = BigNumContext::new().unwrap(); diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 52d73deed4..7592758101 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -157,7 +157,7 @@ impl MessageDigest { unsafe { MessageDigest(ffi::EVP_shake256()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_RMD160")))] + #[cfg(not(osslconf = "OPENSSL_NO_RMD160"))] pub fn ripemd160() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_ripemd160()) } } @@ -745,7 +745,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(osslconf = "OPENSSL_NO_RMD160"))] #[cfg_attr(ossl300, ignore)] fn test_ripemd160() { #[cfg(ossl300)] diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index fe29d02293..bc9d2b3455 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -140,7 +140,7 @@ pub mod base64; pub mod bn; pub mod cipher; pub mod cipher_ctx; -#[cfg(all(not(boringssl), not(libressl), not(osslconf = "OPENSSL_NO_CMS")))] +#[cfg(all(not(libressl), not(osslconf = "OPENSSL_NO_CMS")))] pub mod cms; pub mod conf; pub mod derive; @@ -162,7 +162,7 @@ pub mod md; pub mod md_ctx; pub mod memcmp; pub mod nid; -#[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_OCSP")))] +#[cfg(not(osslconf = "OPENSSL_NO_OCSP"))] pub mod ocsp; pub mod pkcs12; pub mod pkcs5; diff --git a/openssl/src/md.rs b/openssl/src/md.rs index 4ade8e870d..8f191afebe 100644 --- a/openssl/src/md.rs +++ b/openssl/src/md.rs @@ -188,14 +188,12 @@ impl Md { #[cfg(not(osslconf = "OPENSSL_NO_RMD160"))] #[inline] - #[cfg(not(boringssl))] pub fn ripemd160() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_ripemd160() as *mut _) } } #[cfg(all(any(ossl111, libressl291), not(osslconf = "OPENSSL_NO_SM3")))] #[inline] - #[cfg(not(boringssl))] pub fn sm3() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_sm3() as *mut _) } } diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 52dc1f0bc6..7cf152e3c1 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -252,12 +252,12 @@ impl Cipher { unsafe { Cipher(ffi::EVP_bf_ecb()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_BF")))] + #[cfg(not(osslconf = "OPENSSL_NO_BF"))] pub fn bf_cfb64() -> Cipher { unsafe { Cipher(ffi::EVP_bf_cfb64()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_BF")))] + #[cfg(not(osslconf = "OPENSSL_NO_BF"))] pub fn bf_ofb() -> Cipher { unsafe { Cipher(ffi::EVP_bf_ofb()) } } @@ -288,17 +288,17 @@ impl Cipher { unsafe { Cipher(ffi::EVP_rc4()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia_128_cbc() -> Cipher { unsafe { Cipher(ffi::EVP_camellia_128_cbc()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia_192_cbc() -> Cipher { unsafe { Cipher(ffi::EVP_camellia_192_cbc()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia_256_cbc() -> Cipher { unsafe { Cipher(ffi::EVP_camellia_256_cbc()) } } @@ -320,27 +320,27 @@ impl Cipher { unsafe { Cipher(ffi::EVP_chacha20_poly1305()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn idea_cbc() -> Cipher { unsafe { Cipher(ffi::EVP_idea_cbc()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED")))] + #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] pub fn seed_cbc() -> Cipher { unsafe { Cipher(ffi::EVP_seed_cbc()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED")))] + #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] pub fn seed_cfb128() -> Cipher { unsafe { Cipher(ffi::EVP_seed_cfb128()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED")))] + #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] pub fn seed_ecb() -> Cipher { unsafe { Cipher(ffi::EVP_seed_ecb()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED")))] + #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] pub fn seed_ofb() -> Cipher { unsafe { Cipher(ffi::EVP_seed_ofb()) } } @@ -1559,7 +1559,7 @@ mod tests { } #[test] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED", ossl300)))] + #[cfg(not(any(osslconf = "OPENSSL_NO_SEED", ossl300)))] fn test_seed_cbc() { #[cfg(ossl300)] let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); @@ -1573,7 +1573,7 @@ mod tests { } #[test] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED", ossl300)))] + #[cfg(not(any(osslconf = "OPENSSL_NO_SEED", ossl300)))] fn test_seed_cfb128() { #[cfg(ossl300)] let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); @@ -1587,7 +1587,7 @@ mod tests { } #[test] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED", ossl300)))] + #[cfg(not(any(osslconf = "OPENSSL_NO_SEED", ossl300)))] fn test_seed_ecb() { #[cfg(ossl300)] let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); @@ -1601,7 +1601,7 @@ mod tests { } #[test] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED", ossl300)))] + #[cfg(not(any(osslconf = "OPENSSL_NO_SEED", ossl300)))] fn test_seed_ofb() { #[cfg(ossl300)] let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); From 35c8e90b76d0f7a0b4064a0299d2fc529f9707a3 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 20 Oct 2023 01:33:10 +0200 Subject: [PATCH 305/341] Make X509_ALGOR opaque for LibreSSL The struct is still public because that is also the case in OpenSSL, but it should no longer be accessed directly. --- openssl-sys/build/cfgs.rs | 3 +++ openssl-sys/src/handwritten/types.rs | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index 8ee6f62373..ac7fe28596 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -56,6 +56,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x3_08_01_00_0 { cfgs.push("libressl381"); } + if libressl_version >= 0x3_08_02_00_0 { + cfgs.push("libressl382"); + } } else { let openssl_version = openssl_version.unwrap(); diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index 06354728f2..a03a878305 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -329,7 +329,7 @@ cfg_if! { } } cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, libressl382))] { pub enum X509_ALGOR {} } else { #[repr(C)] From ac2640d4c132439a02a4392a8fe64041d5483c2f Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 20 Oct 2023 15:45:05 +0200 Subject: [PATCH 306/341] Don't ignore ECDSA tests without GF2m support This looks like a typo. We can't do ECDSA without EC support, but ECDSA for the prime curve P-256 works just fine without GF2m support. --- openssl/src/ecdsa.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl/src/ecdsa.rs b/openssl/src/ecdsa.rs index f3b27b3953..3dc17c68dd 100644 --- a/openssl/src/ecdsa.rs +++ b/openssl/src/ecdsa.rs @@ -158,7 +158,7 @@ mod test { } #[test] - #[cfg_attr(osslconf = "OPENSSL_NO_EC2M", ignore)] + #[cfg_attr(osslconf = "OPENSSL_NO_EC", ignore)] fn sign_and_verify() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let private_key = EcKey::generate(&group).unwrap(); @@ -186,7 +186,7 @@ mod test { } #[test] - #[cfg_attr(osslconf = "OPENSSL_NO_EC2M", ignore)] + #[cfg_attr(osslconf = "OPENSSL_NO_EC", ignore)] fn check_private_components() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let private_key = EcKey::generate(&group).unwrap(); @@ -206,7 +206,7 @@ mod test { } #[test] - #[cfg_attr(osslconf = "OPENSSL_NO_EC2M", ignore)] + #[cfg_attr(osslconf = "OPENSSL_NO_EC", ignore)] fn serialize_deserialize() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let private_key = EcKey::generate(&group).unwrap(); From 6218635e6523fbfe893feacd2d747b8f509000d0 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 20 Oct 2023 16:23:14 +0200 Subject: [PATCH 307/341] Clarify 'possible LibreSSL bug' These test fail by default because of lack of PSK support in LibreSSL's TLSv1.3 stack. They do work with SslOptions::NO_TLSV1_3 but it seems preferable to keep ignoring the tests until they are properly supported. --- openssl/src/ssl/test/mod.rs | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 7707af238f..6013614118 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1023,7 +1023,9 @@ fn idle_session() { assert!(ssl.session().is_none()); } -/// possible LibreSSL bug since 3.2.1 +/// LibreSSL 3.2.1 enabled TLSv1.3 by default for clients and sessions do +/// not work due to lack of PSK support. The test passes with NO_TLSV1_3, +/// but let's ignore it until LibreSSL supports it out of the box. #[test] #[cfg_attr(libressl321, ignore)] fn active_session() { @@ -1081,7 +1083,9 @@ fn status_callbacks() { assert!(CALLED_BACK_CLIENT.load(Ordering::SeqCst)); } -/// possible LibreSSL bug since 3.2.1 +/// LibreSSL 3.2.1 enabled TLSv1.3 by default for clients and sessions do +/// not work due to lack of PSK support. The test passes with NO_TLSV1_3, +/// but let's ignore it until LibreSSL supports it out of the box. #[test] #[cfg_attr(libressl321, ignore)] fn new_session_callback() { @@ -1106,7 +1110,9 @@ fn new_session_callback() { assert!(CALLED_BACK.load(Ordering::SeqCst)); } -/// possible LibreSSL bug since 3.2.1 +/// LibreSSL 3.2.1 enabled TLSv1.3 by default for clients and sessions do +/// not work due to lack of PSK support. The test passes with NO_TLSV1_3, +/// but let's ignore it until LibreSSL supports it out of the box. #[test] #[cfg_attr(libressl321, ignore)] fn new_session_callback_swapped_ctx() { From dab8c7a52387b3a570cc7f21fdd9e380d3f52e11 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 20 Oct 2023 16:55:34 +0200 Subject: [PATCH 308/341] Enable BN_mod_sqrt() for upcoming LibreSSL 3.8.2 This API was inherited from OpenSSL, so it has always been present. Enable it for the upcoming LibreSSL release. The test as it was written would fail since LibreSSL returns the other square root. Improve the test to work with all possible implementations with a more interesting test case. Also check for error in the simplest situation where no square root exists. --- openssl-sys/src/handwritten/bn.rs | 2 +- openssl/src/bn.rs | 19 +++++++++++++------ 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/openssl-sys/src/handwritten/bn.rs b/openssl-sys/src/handwritten/bn.rs index fc42c13946..c93521ad91 100644 --- a/openssl-sys/src/handwritten/bn.rs +++ b/openssl-sys/src/handwritten/bn.rs @@ -75,7 +75,7 @@ extern "C" { m: *const BIGNUM, ctx: *mut BN_CTX, ) -> c_int; - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl382))] pub fn BN_mod_sqrt( ret: *mut BIGNUM, a: *const BIGNUM, diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index a67d0807aa..e1cde2c878 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -655,7 +655,7 @@ impl BigNumRef { /// Places into `self` the modular square root of `a` such that `self^2 = a (mod p)` #[corresponds(BN_mod_sqrt)] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl382))] pub fn mod_sqrt( &mut self, a: &BigNumRef, @@ -1490,17 +1490,24 @@ mod tests { assert!(b.is_const_time()) } - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl382))] #[test] fn test_mod_sqrt() { let mut ctx = BigNumContext::new().unwrap(); - let s = BigNum::from_hex_str("47A8DD7626B9908C80ACD7E0D3344D69").unwrap(); - let p = BigNum::from_hex_str("81EF47265B58BCE5").unwrap(); + let s = BigNum::from_hex_str("2").unwrap(); + let p = BigNum::from_hex_str("7DEB1").unwrap(); + let mut sqrt = BigNum::new().unwrap(); let mut out = BigNum::new().unwrap(); - out.mod_sqrt(&s, &p, &mut ctx).unwrap(); - assert_eq!(out, BigNum::from_hex_str("7C6D179E19B97BDD").unwrap()); + // Square the root because OpenSSL randomly returns one of 2E42C or 4FA85 + sqrt.mod_sqrt(&s, &p, &mut ctx).unwrap(); + out.mod_sqr(&sqrt, &p, &mut ctx).unwrap(); + assert!(out == s); + + let s = BigNum::from_hex_str("3").unwrap(); + let p = BigNum::from_hex_str("5").unwrap(); + assert!(out.mod_sqrt(&s, &p, &mut ctx).is_err()); } #[test] From c84e3fcd6b7bfbfb0669d955eac0d88fc0ba9d59 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 20 Oct 2023 17:11:11 +0200 Subject: [PATCH 309/341] Enable BN_mod_sqrt() unconditionally --- openssl-sys/src/handwritten/bn.rs | 1 - openssl/src/bn.rs | 2 -- 2 files changed, 3 deletions(-) diff --git a/openssl-sys/src/handwritten/bn.rs b/openssl-sys/src/handwritten/bn.rs index c93521ad91..fb55f6b82c 100644 --- a/openssl-sys/src/handwritten/bn.rs +++ b/openssl-sys/src/handwritten/bn.rs @@ -75,7 +75,6 @@ extern "C" { m: *const BIGNUM, ctx: *mut BN_CTX, ) -> c_int; - #[cfg(any(ossl110, libressl382))] pub fn BN_mod_sqrt( ret: *mut BIGNUM, a: *const BIGNUM, diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index e1cde2c878..1ae450bb75 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -655,7 +655,6 @@ impl BigNumRef { /// Places into `self` the modular square root of `a` such that `self^2 = a (mod p)` #[corresponds(BN_mod_sqrt)] - #[cfg(any(ossl110, libressl382))] pub fn mod_sqrt( &mut self, a: &BigNumRef, @@ -1490,7 +1489,6 @@ mod tests { assert!(b.is_const_time()) } - #[cfg(any(ossl110, libressl382))] #[test] fn test_mod_sqrt() { let mut ctx = BigNumContext::new().unwrap(); From ae74dec45d4fcfabf1ba211fdd15763ddca119e3 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 20 Oct 2023 23:09:26 +0200 Subject: [PATCH 310/341] Use EVP_MD_CTX_{new,free}() in LibreSSL 3.8.2 These functions have been available since LibreSSL 2.7.2. --- openssl-sys/src/handwritten/evp.rs | 2 +- openssl/src/hash.rs | 2 +- openssl/src/md_ctx.rs | 2 +- openssl/src/sign.rs | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 5a112fe8a1..3deeb9343c 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -52,7 +52,7 @@ cfg_if! { } cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, libressl382))] { extern "C" { pub fn EVP_MD_CTX_new() -> *mut EVP_MD_CTX; pub fn EVP_MD_CTX_free(ctx: *mut EVP_MD_CTX); diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 7592758101..285ec8b528 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -43,7 +43,7 @@ use crate::nid::Nid; use crate::{cvt, cvt_p}; cfg_if! { - if #[cfg(any(ossl110, boringssl))] { + if #[cfg(any(ossl110, boringssl, libressl382))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; diff --git a/openssl/src/md_ctx.rs b/openssl/src/md_ctx.rs index 156f3c2fc9..30e0337b47 100644 --- a/openssl/src/md_ctx.rs +++ b/openssl/src/md_ctx.rs @@ -93,7 +93,7 @@ use std::convert::TryFrom; use std::ptr; cfg_if! { - if #[cfg(any(ossl110, boringssl))] { + if #[cfg(any(ossl110, boringssl, libressl382))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 1c770d18b7..0154b1d4b7 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -81,7 +81,7 @@ use crate::rsa::Padding; use crate::{cvt, cvt_p}; cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, libressl382))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; From 01cc521c7ee12fb2a907b7b83e372974c3f7c2bf Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Sat, 21 Oct 2023 00:24:12 +0200 Subject: [PATCH 311/341] Enable SHA-3 for LibreSSL 3.8.0 --- openssl-sys/build/cfgs.rs | 3 +++ openssl-sys/src/handwritten/evp.rs | 8 ++++---- openssl-sys/src/obj_mac.rs | 8 ++++++++ openssl/build.rs | 3 +++ openssl/src/hash.rs | 16 ++++++++-------- openssl/src/md.rs | 8 ++++---- openssl/src/nid.rs | 8 ++++---- 7 files changed, 34 insertions(+), 20 deletions(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index ac7fe28596..2454ef66a4 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -53,6 +53,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x3_07_00_00_0 { cfgs.push("libressl370"); } + if libressl_version >= 0x3_08_00_00_0 { + cfgs.push("libressl380"); + } if libressl_version >= 0x3_08_01_00_0 { cfgs.push("libressl381"); } diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 5a112fe8a1..87deae2ac9 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -294,13 +294,13 @@ extern "C" { pub fn EVP_sha256() -> *const EVP_MD; pub fn EVP_sha384() -> *const EVP_MD; pub fn EVP_sha512() -> *const EVP_MD; - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn EVP_sha3_224() -> *const EVP_MD; - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn EVP_sha3_256() -> *const EVP_MD; - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn EVP_sha3_384() -> *const EVP_MD; - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn EVP_sha3_512() -> *const EVP_MD; #[cfg(ossl111)] pub fn EVP_shake128() -> *const EVP_MD; diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 1b24c3cbd8..93aa5cdff9 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -976,12 +976,20 @@ pub const NID_sm4_ctr: c_int = 1139; pub const NID_sm4_ctr: c_int = 979; #[cfg(ossl111)] pub const NID_sha3_224: c_int = 1096; +#[cfg(libressl380)] +pub const NID_sha3_224: c_int = 1031; #[cfg(ossl111)] pub const NID_sha3_256: c_int = 1097; +#[cfg(libressl380)] +pub const NID_sha3_256: c_int = 1032; #[cfg(ossl111)] pub const NID_sha3_384: c_int = 1098; +#[cfg(libressl380)] +pub const NID_sha3_384: c_int = 1033; #[cfg(ossl111)] pub const NID_sha3_512: c_int = 1099; +#[cfg(libressl380)] +pub const NID_sha3_512: c_int = 1034; #[cfg(ossl111)] pub const NID_shake128: c_int = 1100; #[cfg(ossl111)] diff --git a/openssl/build.rs b/openssl/build.rs index 4a5b6289ae..93ef534d27 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -66,6 +66,9 @@ fn main() { if version >= 0x3_07_00_00_0 { println!("cargo:rustc-cfg=libressl370"); } + if version >= 0x3_08_00_00_0 { + println!("cargo:rustc-cfg=libressl380"); + } } if let Ok(vars) = env::var("DEP_OPENSSL_CONF") { diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 7592758101..9fa9ef3e37 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -127,22 +127,22 @@ impl MessageDigest { unsafe { MessageDigest(ffi::EVP_sha512()) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn sha3_224() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_sha3_224()) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn sha3_256() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_sha3_256()) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn sha3_384() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_sha3_384()) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn sha3_512() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_sha3_512()) } } @@ -624,7 +624,7 @@ mod tests { ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[test] fn test_sha3_224() { let tests = [( @@ -644,7 +644,7 @@ mod tests { ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[test] fn test_sha3_256() { let tests = [( @@ -664,7 +664,7 @@ mod tests { ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[test] fn test_sha3_384() { let tests = [("416c6c20796f75722062617365206172652062656c6f6e6720746f207573", @@ -684,7 +684,7 @@ mod tests { ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[test] fn test_sha3_512() { let tests = [("416c6c20796f75722062617365206172652062656c6f6e6720746f207573", diff --git a/openssl/src/md.rs b/openssl/src/md.rs index 8f191afebe..08e4aacf3e 100644 --- a/openssl/src/md.rs +++ b/openssl/src/md.rs @@ -150,25 +150,25 @@ impl Md { unsafe { MdRef::from_ptr(ffi::EVP_sha512() as *mut _) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[inline] pub fn sha3_224() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_sha3_224() as *mut _) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[inline] pub fn sha3_256() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_sha3_256() as *mut _) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[inline] pub fn sha3_384() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_sha3_384() as *mut _) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[inline] pub fn sha3_512() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_sha3_512() as *mut _) } diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index 91fcdeca9d..a78d0e660c 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -1078,13 +1078,13 @@ impl Nid { pub const SM2: Nid = Nid(ffi::NID_sm2); #[cfg(any(ossl111, libressl291))] pub const SM3: Nid = Nid(ffi::NID_sm3); - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub const SHA3_224: Nid = Nid(ffi::NID_sha3_224); - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub const SHA3_256: Nid = Nid(ffi::NID_sha3_256); - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub const SHA3_384: Nid = Nid(ffi::NID_sha3_384); - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub const SHA3_512: Nid = Nid(ffi::NID_sha3_512); #[cfg(ossl111)] pub const SHAKE128: Nid = Nid(ffi::NID_shake128); From a4f2a38c8eae051266e419e0e676ce8385c25351 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Sat, 21 Oct 2023 09:30:16 +0200 Subject: [PATCH 312/341] Remove DH_generate_parameters for LibreSSL 3.8.2 OpenSSL 0.9.8 deprecated DH_generate_parameters nearly 20 years ago. In 62acbe3a3ed internals switched to using the _ex version. Let's remove it from the API surface consumed from LibreSSL so we can eventually remove it on our side and finally make some long overdue internal simplifications. --- openssl-sys/src/handwritten/dh.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-sys/src/handwritten/dh.rs b/openssl-sys/src/handwritten/dh.rs index 87a0817ce5..c4671c969f 100644 --- a/openssl-sys/src/handwritten/dh.rs +++ b/openssl-sys/src/handwritten/dh.rs @@ -5,6 +5,7 @@ extern "C" { pub fn DH_free(dh: *mut DH); pub fn DH_check(dh: *const DH, codes: *mut c_int) -> c_int; + #[cfg(not(libressl382))] pub fn DH_generate_parameters( prime_len: c_int, generator: c_int, From 96567a222b43298b88e94da77907b25097b1c3e8 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Sat, 21 Oct 2023 01:27:47 +0200 Subject: [PATCH 313/341] Enable HKDF support for LibreSSL >= 3.6.0 --- openssl-sys/src/evp.rs | 28 ++++++++++++++-------------- openssl-sys/src/obj_mac.rs | 2 ++ openssl/src/pkey.rs | 2 +- openssl/src/pkey_ctx.rs | 20 ++++++++++---------- systest/build.rs | 5 ++++- 5 files changed, 31 insertions(+), 26 deletions(-) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index fcbee00ec6..e317fea35c 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -28,7 +28,7 @@ pub const EVP_PKEY_HMAC: c_int = NID_hmac; pub const EVP_PKEY_CMAC: c_int = NID_cmac; #[cfg(ossl111)] pub const EVP_PKEY_POLY1305: c_int = NID_poly1305; -#[cfg(ossl110)] +#[cfg(any(ossl110, libressl360))] pub const EVP_PKEY_HKDF: c_int = NID_hkdf; #[cfg(ossl102)] @@ -201,31 +201,31 @@ pub const EVP_PKEY_CTRL_CIPHER: c_int = 12; pub const EVP_PKEY_ALG_CTRL: c_int = 0x1000; -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] pub const EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND: c_int = 0; -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] pub const EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY: c_int = 1; -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] pub const EVP_PKEY_HKDEF_MODE_EXPAND_ONLY: c_int = 2; -#[cfg(ossl110)] +#[cfg(any(ossl110, libressl360))] pub const EVP_PKEY_CTRL_HKDF_MD: c_int = EVP_PKEY_ALG_CTRL + 3; -#[cfg(ossl110)] +#[cfg(any(ossl110, libressl360))] pub const EVP_PKEY_CTRL_HKDF_SALT: c_int = EVP_PKEY_ALG_CTRL + 4; -#[cfg(ossl110)] +#[cfg(any(ossl110, libressl360))] pub const EVP_PKEY_CTRL_HKDF_KEY: c_int = EVP_PKEY_ALG_CTRL + 5; -#[cfg(ossl110)] +#[cfg(any(ossl110, libressl360))] pub const EVP_PKEY_CTRL_HKDF_INFO: c_int = EVP_PKEY_ALG_CTRL + 6; -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] pub const EVP_PKEY_CTRL_HKDF_MODE: c_int = EVP_PKEY_ALG_CTRL + 7; -#[cfg(all(ossl111, not(ossl300)))] +#[cfg(any(all(ossl111, not(ossl300)), libressl360))] pub unsafe fn EVP_PKEY_CTX_set_hkdf_mode(ctx: *mut EVP_PKEY_CTX, mode: c_int) -> c_int { EVP_PKEY_CTX_ctrl( ctx, @@ -237,7 +237,7 @@ pub unsafe fn EVP_PKEY_CTX_set_hkdf_mode(ctx: *mut EVP_PKEY_CTX, mode: c_int) -> ) } -#[cfg(all(ossl110, not(ossl300)))] +#[cfg(any(all(ossl110, not(ossl300)), libressl360))] pub unsafe fn EVP_PKEY_CTX_set_hkdf_md(ctx: *mut EVP_PKEY_CTX, md: *const EVP_MD) -> c_int { EVP_PKEY_CTX_ctrl( ctx, @@ -249,7 +249,7 @@ pub unsafe fn EVP_PKEY_CTX_set_hkdf_md(ctx: *mut EVP_PKEY_CTX, md: *const EVP_MD ) } -#[cfg(all(ossl110, not(ossl300)))] +#[cfg(any(all(ossl110, not(ossl300)), libressl360))] pub unsafe fn EVP_PKEY_CTX_set1_hkdf_salt( ctx: *mut EVP_PKEY_CTX, salt: *const u8, @@ -265,7 +265,7 @@ pub unsafe fn EVP_PKEY_CTX_set1_hkdf_salt( ) } -#[cfg(all(ossl110, not(ossl300)))] +#[cfg(any(all(ossl110, not(ossl300)), libressl360))] pub unsafe fn EVP_PKEY_CTX_set1_hkdf_key( ctx: *mut EVP_PKEY_CTX, key: *const u8, @@ -281,7 +281,7 @@ pub unsafe fn EVP_PKEY_CTX_set1_hkdf_key( ) } -#[cfg(all(ossl110, not(ossl300)))] +#[cfg(any(all(ossl110, not(ossl300)), libressl360))] pub unsafe fn EVP_PKEY_CTX_add1_hkdf_info( ctx: *mut EVP_PKEY_CTX, info: *const u8, diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 93aa5cdff9..9f4c7c12dd 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -928,6 +928,8 @@ pub const NID_X25519: c_int = 950; pub const NID_X448: c_int = 1035; #[cfg(ossl110)] pub const NID_hkdf: c_int = 1036; +#[cfg(libressl360)] +pub const NID_hkdf: c_int = 1022; #[cfg(ossl111)] pub const NID_poly1305: c_int = 1061; #[cfg(ossl111)] diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index fab4f5d118..ac5989c572 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -92,7 +92,7 @@ impl Id { #[cfg(ossl111)] pub const SM2: Id = Id(ffi::EVP_PKEY_SM2); - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, libressl360))] pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); #[cfg(any(ossl111, boringssl, libressl370))] diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index 4ac32a8517..85778e2166 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -80,10 +80,10 @@ use std::convert::TryFrom; use std::ptr; /// HKDF modes of operation. -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] pub struct HkdfMode(c_int); -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] impl HkdfMode { /// This is the default mode. Calling [`derive`][PkeyCtxRef::derive] on a [`PkeyCtxRef`] set up /// for HKDF will perform an extract followed by an expand operation in one go. The derived key @@ -566,7 +566,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set_hkdf_md)] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, libressl360))] #[inline] pub fn set_hkdf_md(&mut self, digest: &MdRef) -> Result<(), ErrorStack> { unsafe { @@ -589,7 +589,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.1 or newer. #[corresponds(EVP_PKEY_CTX_set_hkdf_mode)] - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl360))] #[inline] pub fn set_hkdf_mode(&mut self, mode: HkdfMode) -> Result<(), ErrorStack> { unsafe { @@ -608,7 +608,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_key)] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, libressl360))] #[inline] pub fn set_hkdf_key(&mut self, key: &[u8]) -> Result<(), ErrorStack> { #[cfg(not(boringssl))] @@ -633,7 +633,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_salt)] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, libressl360))] #[inline] pub fn set_hkdf_salt(&mut self, salt: &[u8]) -> Result<(), ErrorStack> { #[cfg(not(boringssl))] @@ -658,7 +658,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_add1_hkdf_info)] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, libressl360))] #[inline] pub fn add_hkdf_info(&mut self, info: &[u8]) -> Result<(), ErrorStack> { #[cfg(not(boringssl))] @@ -855,7 +855,7 @@ mod test { } #[test] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, libressl360))] fn hkdf() { let mut ctx = PkeyCtx::new_id(Id::HKDF).unwrap(); ctx.derive_init().unwrap(); @@ -877,7 +877,7 @@ mod test { } #[test] - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl360))] fn hkdf_expand() { let mut ctx = PkeyCtx::new_id(Id::HKDF).unwrap(); ctx.derive_init().unwrap(); @@ -901,7 +901,7 @@ mod test { } #[test] - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl360))] fn hkdf_extract() { let mut ctx = PkeyCtx::new_id(Id::HKDF).unwrap(); ctx.derive_init().unwrap(); diff --git a/systest/build.rs b/systest/build.rs index 53407eafad..833e09fb5c 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -69,8 +69,11 @@ fn main() { .header("openssl/evp.h") .header("openssl/x509_vfy.h"); - if libressl_version.is_some() { + if let Some(version) = libressl_version { cfg.header("openssl/poly1305.h"); + if version >= 0x30600000 { + cfg.header("openssl/kdf.h"); + } } if let Some(version) = openssl_version { From fb578735d6d83c9f33814ecacd03ebb4466a4d80 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Sun, 22 Oct 2023 00:46:14 +0200 Subject: [PATCH 314/341] Add missing libressl382 config to openssl/build.rs In 04ffe960 and ae74dec45 I added conditionals on libressl382 but missed the build script. --- openssl/build.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openssl/build.rs b/openssl/build.rs index 93ef534d27..19cb17e2ac 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -69,6 +69,9 @@ fn main() { if version >= 0x3_08_00_00_0 { println!("cargo:rustc-cfg=libressl380"); } + if version >= 0x3_08_02_00_0 { + println!("cargo:rustc-cfg=libressl382"); + } } if let Ok(vars) = env::var("DEP_OPENSSL_CONF") { From a44fa61c537a72bfd2ac89bf755b1995215f23a8 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Sun, 22 Oct 2023 00:50:28 +0200 Subject: [PATCH 315/341] Remove stale near-duplicate version parser The DEP_OPENSSL_LIBRESSL_VERSION_NUMBER handling has two near-duplicate parsers. The new one added in 4ecaf691 was subsequently extended and the old one went stale: libressl250, 310, 370, 380 are missing from it. --- openssl/build.rs | 56 ------------------------------------------------ 1 file changed, 56 deletions(-) diff --git a/openssl/build.rs b/openssl/build.rs index 19cb17e2ac..87a9fa06f5 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -111,60 +111,4 @@ fn main() { println!("cargo:rustc-cfg=ossl320"); } } - - if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { - let version = u64::from_str_radix(&version, 16).unwrap(); - - if version >= 0x2_05_01_00_0 { - println!("cargo:rustc-cfg=libressl251"); - } - - if version >= 0x2_06_01_00_0 { - println!("cargo:rustc-cfg=libressl261"); - } - - if version >= 0x2_07_00_00_0 { - println!("cargo:rustc-cfg=libressl270"); - } - - if version >= 0x2_07_01_00_0 { - println!("cargo:rustc-cfg=libressl271"); - } - - if version >= 0x2_07_03_00_0 { - println!("cargo:rustc-cfg=libressl273"); - } - - if version >= 0x2_08_00_00_0 { - println!("cargo:rustc-cfg=libressl280"); - } - - if version >= 0x2_09_01_00_0 { - println!("cargo:rustc-cfg=libressl291"); - } - - if version >= 0x3_02_01_00_0 { - println!("cargo:rustc-cfg=libressl321"); - } - - if version >= 0x3_03_02_00_0 { - println!("cargo:rustc-cfg=libressl332"); - } - - if version >= 0x3_04_00_00_0 { - println!("cargo:rustc-cfg=libressl340"); - } - - if version >= 0x3_05_00_00_0 { - println!("cargo:rustc-cfg=libressl350"); - } - - if version >= 0x3_06_00_00_0 { - println!("cargo:rustc-cfg=libressl360"); - } - - if version >= 0x3_06_01_00_0 { - println!("cargo:rustc-cfg=libressl361"); - } - } } From 5e0a6ffec83afa4e210e8f422b83cfae9cf98e15 Mon Sep 17 00:00:00 2001 From: Guy Lewin Date: Mon, 23 Oct 2023 15:54:31 -0400 Subject: [PATCH 316/341] Respect OPENSSL_NO_OCB --- openssl/src/cipher.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index 088f393516..892cae1db7 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -201,7 +201,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_128_ocb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_ocb() as *mut _) } } @@ -258,7 +258,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_192_ocb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_aes_192_ocb() as *mut _) } } @@ -315,7 +315,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_256_ocb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_aes_256_ocb() as *mut _) } } From 0e60f5dc1eafed89e2e758ce1b4044bc59ccb7f3 Mon Sep 17 00:00:00 2001 From: Guy Lewin Date: Mon, 23 Oct 2023 16:21:57 -0400 Subject: [PATCH 317/341] Support OPENSSL_NO_SCRYPT --- openssl-sys/build/expando.c | 4 ++++ openssl/src/pkcs5.rs | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index cd7456b4f0..e171621dca 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -134,3 +134,7 @@ RUST_CONF_OPENSSL_NO_DEPRECATED_3_0 #ifdef OPENSSL_NO_SEED RUST_CONF_OPENSSL_NO_SEED #endif + +#ifdef OPENSSL_NO_SCRYPT +RUST_CONF_OPENSSL_NO_SCRYPT +#endif diff --git a/openssl/src/pkcs5.rs b/openssl/src/pkcs5.rs index cd704e8256..afaae55a29 100644 --- a/openssl/src/pkcs5.rs +++ b/openssl/src/pkcs5.rs @@ -115,7 +115,7 @@ pub fn pbkdf2_hmac( /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PBE_scrypt)] -#[cfg(any(ossl110, boringssl))] +#[cfg(all(any(ossl110, boringssl), not(osslconf = "OPENSSL_NO_SCRYPT")))] #[allow(clippy::useless_conversion)] pub fn scrypt( pass: &[u8], From d40a28f28178ce4703b9ba74dbd57e990ae7fa77 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 24 Oct 2023 10:11:47 -0400 Subject: [PATCH 318/341] Bump CI version --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 318441aa65..1256386d3f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -161,7 +161,7 @@ jobs: version: 3.2.0-alpha2 dl-path: / - name: openssl - version: 3.1.3 + version: 3.1.4 dl-path: / - name: openssl version: 1.1.1w From d8df1056fe0aaef28310acf7c43d06864f762389 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 26 Oct 2023 09:55:56 -0400 Subject: [PATCH 319/341] Bump 3.2.0 beta --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1256386d3f..724c125cea 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -158,7 +158,7 @@ jobs: - name: openssl version: vendored - name: openssl - version: 3.2.0-alpha2 + version: 3.2.0-beta1 dl-path: / - name: openssl version: 3.1.4 From aebfe8e72c4fec80cf1f0105449251fddd163376 Mon Sep 17 00:00:00 2001 From: James Mayclin Date: Fri, 27 Oct 2023 19:14:38 +0000 Subject: [PATCH 320/341] add security level bindings --- openssl-sys/src/handwritten/ssl.rs | 14 +++++++++++ openssl/src/ssl/mod.rs | 40 ++++++++++++++++++++++++++++++ openssl/src/ssl/test/mod.rs | 14 +++++++++++ 3 files changed, 68 insertions(+) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index d4f4b619f4..6b9a329ea8 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -924,3 +924,17 @@ extern "C" { #[cfg(all(ossl111, not(ossl111b)))] pub fn SSL_get_num_tickets(s: *mut SSL) -> size_t; } + +extern "C" { + #[cfg(ossl110)] + pub fn SSL_CTX_set_security_level(ctx: *mut SSL_CTX, level: c_int); + + #[cfg(ossl110)] + pub fn SSL_set_security_level(s: *mut SSL, level: c_int); + + #[cfg(ossl110)] + pub fn SSL_CTX_get_security_level(ctx: *const SSL_CTX) -> c_int; + + #[cfg(ossl110)] + pub fn SSL_get_security_level(s: *const SSL) -> c_int; +} diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index bdfbfc14f0..1e19d2a809 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -1718,6 +1718,16 @@ impl SslContextBuilder { unsafe { cvt(ffi::SSL_CTX_set_num_tickets(self.as_ptr(), num_tickets)).map(|_| ()) } } + /// Set the context's security level, which controls the allowed parameters + /// and algorithms. + /// + /// Requires OpenSSL 1.1.0 or newer. + #[corresponds(SSL_CTX_set_security_level)] + #[cfg(ossl110)] + pub fn set_security_level(&mut self, level: u32) { + unsafe { ffi::SSL_CTX_set_security_level(self.as_ptr(), level as c_int) } + } + /// Consumes the builder, returning a new `SslContext`. pub fn build(self) -> SslContext { self.0 @@ -1921,6 +1931,16 @@ impl SslContextRef { pub fn num_tickets(&self) -> usize { unsafe { ffi::SSL_CTX_get_num_tickets(self.as_ptr()) } } + + /// Get the context's security level, which controls the allowed parameters + /// and algorithms. + /// + /// Requires OpenSSL 1.1.0 or newer. + #[corresponds(SSL_CTX_get_security_level)] + #[cfg(ossl110)] + pub fn security_level(&self) -> u32 { + unsafe { ffi::SSL_CTX_get_security_level(self.as_ptr()) as u32 } + } } /// Information about the state of a cipher. @@ -3405,6 +3425,26 @@ impl SslRef { pub fn num_tickets(&self) -> usize { unsafe { ffi::SSL_get_num_tickets(self.as_ptr()) } } + + /// Set the connection's security level, which controls the allowed parameters + /// and algorithms. + /// + /// Requires OpenSSL 1.1.0 or newer. + #[corresponds(SSL_set_security_level)] + #[cfg(ossl110)] + pub fn set_security_level(&mut self, level: u32) { + unsafe { ffi::SSL_set_security_level(self.as_ptr(), level as c_int) } + } + + /// Get the connection's security level, which controls the allowed parameters + /// and algorithms. + /// + /// Requires OpenSSL 1.1.0 or newer. + #[corresponds(SSL_get_security_level)] + #[cfg(ossl110)] + pub fn security_level(&self) -> u32 { + unsafe { ffi::SSL_get_security_level(self.as_ptr()) as u32 } + } } /// An SSL stream midway through the handshake process. diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 6013614118..542656cb04 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1574,3 +1574,17 @@ fn set_num_tickets() { let ssl = ssl; assert_eq!(5, ssl.num_tickets()); } + +#[test] +#[cfg(ossl110)] +fn set_security_level() { + let mut ctx = SslContext::builder(SslMethod::tls_server()).unwrap(); + ctx.set_security_level(3); + let ctx = ctx.build(); + assert_eq!(3, ctx.security_level()); + + let mut ssl = Ssl::new(&ctx).unwrap(); + ssl.set_security_level(4); + let ssl = ssl; + assert_eq!(4, ssl.security_level()); +} From d6591bb3cd9e5c36cb807b91c34c70f3103f2729 Mon Sep 17 00:00:00 2001 From: James Mayclin Date: Sat, 28 Oct 2023 21:00:04 +0000 Subject: [PATCH 321/341] address pr feedback * add libressl360 cfg statement * add 0-5 reference to documentation --- openssl-sys/src/handwritten/ssl.rs | 8 ++++---- openssl/src/ssl/mod.rs | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index 6b9a329ea8..944a476618 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -926,15 +926,15 @@ extern "C" { } extern "C" { - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn SSL_CTX_set_security_level(ctx: *mut SSL_CTX, level: c_int); - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn SSL_set_security_level(s: *mut SSL, level: c_int); - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn SSL_CTX_get_security_level(ctx: *const SSL_CTX) -> c_int; - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn SSL_get_security_level(s: *const SSL) -> c_int; } diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 1e19d2a809..d147c3c343 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -1718,12 +1718,12 @@ impl SslContextBuilder { unsafe { cvt(ffi::SSL_CTX_set_num_tickets(self.as_ptr(), num_tickets)).map(|_| ()) } } - /// Set the context's security level, which controls the allowed parameters - /// and algorithms. + /// Set the context's security level to a value between 0 and 5, inclusive. + /// A security value of 0 allows allows all parameters and algorithms. /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(SSL_CTX_set_security_level)] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn set_security_level(&mut self, level: u32) { unsafe { ffi::SSL_CTX_set_security_level(self.as_ptr(), level as c_int) } } @@ -1937,7 +1937,7 @@ impl SslContextRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(SSL_CTX_get_security_level)] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn security_level(&self) -> u32 { unsafe { ffi::SSL_CTX_get_security_level(self.as_ptr()) as u32 } } @@ -3426,12 +3426,12 @@ impl SslRef { unsafe { ffi::SSL_get_num_tickets(self.as_ptr()) } } - /// Set the connection's security level, which controls the allowed parameters - /// and algorithms. + /// Set the context's security level to a value between 0 and 5, inclusive. + /// A security value of 0 allows allows all parameters and algorithms. /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(SSL_set_security_level)] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn set_security_level(&mut self, level: u32) { unsafe { ffi::SSL_set_security_level(self.as_ptr(), level as c_int) } } @@ -3441,7 +3441,7 @@ impl SslRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(SSL_get_security_level)] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn security_level(&self) -> u32 { unsafe { ffi::SSL_get_security_level(self.as_ptr()) as u32 } } From c1f56954de38debf6e27493fea23dcade0626db2 Mon Sep 17 00:00:00 2001 From: James Mayclin Date: Fri, 27 Oct 2023 22:39:21 +0000 Subject: [PATCH 322/341] add peer temp key bindings --- openssl-sys/src/ssl.rs | 10 ++++++++ openssl/src/ssl/mod.rs | 33 +++++++++++++++++++++++++- openssl/src/ssl/test/mod.rs | 47 ++++++++++++++++++++++++++++++++++++- 3 files changed, 88 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs index e812673333..ac71dc298d 100644 --- a/openssl-sys/src/ssl.rs +++ b/openssl-sys/src/ssl.rs @@ -349,6 +349,7 @@ pub const SSL_CTRL_SET_ECDH_AUTO: c_int = 94; pub const SSL_CTRL_SET_SIGALGS_LIST: c_int = 98; #[cfg(ossl102)] pub const SSL_CTRL_SET_VERIFY_CERT_STORE: c_int = 106; +pub const SSL_CTRL_GET_PEER_TMP_KEY: c_int = 109; #[cfg(ossl110)] pub const SSL_CTRL_GET_EXTMS_SUPPORT: c_int = 122; #[cfg(any(ossl110, libressl261))] @@ -359,6 +360,7 @@ pub const SSL_CTRL_SET_MAX_PROTO_VERSION: c_int = 124; pub const SSL_CTRL_GET_MIN_PROTO_VERSION: c_int = 130; #[cfg(any(ossl110g, libressl270))] pub const SSL_CTRL_GET_MAX_PROTO_VERSION: c_int = 131; +pub const SSL_CTRL_GET_TMP_KEY: c_int = 133; pub unsafe fn SSL_CTX_set_tmp_dh(ctx: *mut SSL_CTX, dh: *mut DH) -> c_long { SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, dh as *mut c_void) @@ -507,6 +509,14 @@ cfg_if! { } } +pub unsafe fn SSL_get_peer_tmp_key(ssl: *mut SSL, key: *mut *mut EVP_PKEY) -> c_int { + SSL_ctrl(ssl, SSL_CTRL_GET_PEER_TMP_KEY, 0, key as *mut c_void) as c_int +} + +pub unsafe fn SSL_get_tmp_key(ssl: *mut SSL, key: *mut *mut EVP_PKEY) -> c_int { + SSL_ctrl(ssl, SSL_CTRL_GET_TMP_KEY, 0, key as *mut c_void) as c_int +} + #[cfg(ossl111)] pub const SSL_CLIENT_HELLO_SUCCESS: c_int = 1; #[cfg(ossl111)] diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index d147c3c343..8bd6d945a1 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -67,7 +67,7 @@ use crate::ex_data::Index; use crate::hash::MessageDigest; #[cfg(any(ossl110, libressl270))] use crate::nid::Nid; -use crate::pkey::{HasPrivate, PKeyRef, Params, Private}; +use crate::pkey::{HasPrivate, PKey, PKeyRef, Params, Private, Public}; use crate::srtp::{SrtpProtectionProfile, SrtpProtectionProfileRef}; use crate::ssl::bio::BioMethod; use crate::ssl::callbacks::*; @@ -3445,6 +3445,37 @@ impl SslRef { pub fn security_level(&self) -> u32 { unsafe { ffi::SSL_get_security_level(self.as_ptr()) as u32 } } + + /// Get the temporary key provided by the peer that is used during key + /// exchange. + // We use an owned value because EVP_KEY free need to be called when it is + // dropped + #[corresponds(SSL_get_peer_tmp_key)] + pub fn peer_temp_key(&self) -> Result, ErrorStack> { + unsafe { + let mut key = ptr::null_mut(); + match cvt(ffi::SSL_get_peer_tmp_key(self.as_ptr(), &mut key)) { + Ok(_) => Ok(PKey::::from_ptr(key)), + Err(e) => Err(e), + } + } + } + + /// Returns the temporary key from the local end of the connection that is + /// used during key exchange. + // We use an owned value because EVP_KEY free need to be called when it is + // dropped + #[corresponds(SSL_get_peer_tmp_key)] + pub fn temp_key(&self) -> Result, ErrorStack> { + unsafe { + let mut key = ptr::null_mut(); + match cvt(ffi::SSL_get_tmp_key(self.as_ptr(), &mut key)) { + Ok(_) => Ok(PKey::::from_ptr(key)), + Err(e) => Err(e), + } + } + } + } /// An SSL stream midway through the handshake process. diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 542656cb04..3c90e728be 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -19,7 +19,7 @@ use crate::error::ErrorStack; use crate::hash::MessageDigest; #[cfg(not(boringssl))] use crate::ocsp::{OcspResponse, OcspResponseStatus}; -use crate::pkey::PKey; +use crate::pkey::{Id, PKey}; use crate::srtp::SrtpProfileId; use crate::ssl::test::server::Server; #[cfg(any(ossl110, ossl111, libressl261))] @@ -322,6 +322,51 @@ fn state() { ); } +// when a connection uses ECDHE P-256 key exchange, then the temp key APIs +// return P-256 keys, and the peer and local keys are different. +#[test] +fn peer_temp_key_p384() { + let mut server = Server::builder(); + server.ctx().set_groups_list("P-384").unwrap(); + let server = server.build(); + let s = server.client().connect(); + let peer_temp = s.ssl().peer_temp_key().unwrap(); + assert_eq!(peer_temp.id(), Id::EC); + assert_eq!(peer_temp.bits(), 384); + + let local_temp = s.ssl().temp_key().unwrap(); + assert_eq!(local_temp.id(), Id::EC); + assert_eq!(local_temp.bits(), 384); + + assert_ne!( + peer_temp.ec_key().unwrap().public_key_to_der().unwrap(), + local_temp.ec_key().unwrap().public_key_to_der().unwrap(), + ); +} + +// when a connection uses RSA key exchange, then the peer (server) temp key is +// an Error because there is no temp key, and the local (client) temp key is the +// temp key sent in the initial key share. +#[test] +fn peer_temp_key_rsa() { + let mut server = Server::builder(); + server.ctx().set_cipher_list("RSA").unwrap(); + // RSA key exchange is not allowed in TLS 1.3, so force the connection + // to negotiate TLS 1.2 + server.ctx().set_max_proto_version(Some(SslVersion::TLS1_2)).unwrap(); + let server = server.build(); + let mut client = server.client(); + client.ctx().set_groups_list("P-521").unwrap(); + let s = client.connect(); + let peer_temp = s.ssl().peer_temp_key(); + assert!(peer_temp.is_err()); + + // this is the temp key that the client sent in the initial key share + let local_temp = s.ssl().temp_key().unwrap(); + assert_eq!(local_temp.id(), Id::EC); + assert_eq!(local_temp.bits(), 521); +} + /// Tests that when both the client as well as the server use SRTP and their /// lists of supported protocols have an overlap -- with only ONE protocol /// being valid for both. From 386c36a87db6b8ccd67112400a3083ee8b4ca1d6 Mon Sep 17 00:00:00 2001 From: James Mayclin Date: Mon, 30 Oct 2023 19:08:19 +0000 Subject: [PATCH 323/341] gate temp key on ossl 3.0.0 --- openssl-sys/src/ssl.rs | 17 +++++++++++------ openssl/src/ssl/mod.rs | 4 +++- openssl/src/ssl/test/mod.rs | 6 ++++-- 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs index ac71dc298d..e02485b288 100644 --- a/openssl-sys/src/ssl.rs +++ b/openssl-sys/src/ssl.rs @@ -349,6 +349,7 @@ pub const SSL_CTRL_SET_ECDH_AUTO: c_int = 94; pub const SSL_CTRL_SET_SIGALGS_LIST: c_int = 98; #[cfg(ossl102)] pub const SSL_CTRL_SET_VERIFY_CERT_STORE: c_int = 106; +#[cfg(ossl300)] pub const SSL_CTRL_GET_PEER_TMP_KEY: c_int = 109; #[cfg(ossl110)] pub const SSL_CTRL_GET_EXTMS_SUPPORT: c_int = 122; @@ -360,6 +361,7 @@ pub const SSL_CTRL_SET_MAX_PROTO_VERSION: c_int = 124; pub const SSL_CTRL_GET_MIN_PROTO_VERSION: c_int = 130; #[cfg(any(ossl110g, libressl270))] pub const SSL_CTRL_GET_MAX_PROTO_VERSION: c_int = 131; +#[cfg(ossl300)] pub const SSL_CTRL_GET_TMP_KEY: c_int = 133; pub unsafe fn SSL_CTX_set_tmp_dh(ctx: *mut SSL_CTX, dh: *mut DH) -> c_long { @@ -508,13 +510,16 @@ cfg_if! { } } } +cfg_if! { + if #[cfg(ossl300)] { + pub unsafe fn SSL_get_peer_tmp_key(ssl: *mut SSL, key: *mut *mut EVP_PKEY) -> c_int { + SSL_ctrl(ssl, SSL_CTRL_GET_PEER_TMP_KEY, 0, key as *mut c_void) as c_int + } -pub unsafe fn SSL_get_peer_tmp_key(ssl: *mut SSL, key: *mut *mut EVP_PKEY) -> c_int { - SSL_ctrl(ssl, SSL_CTRL_GET_PEER_TMP_KEY, 0, key as *mut c_void) as c_int -} - -pub unsafe fn SSL_get_tmp_key(ssl: *mut SSL, key: *mut *mut EVP_PKEY) -> c_int { - SSL_ctrl(ssl, SSL_CTRL_GET_TMP_KEY, 0, key as *mut c_void) as c_int + pub unsafe fn SSL_get_tmp_key(ssl: *mut SSL, key: *mut *mut EVP_PKEY) -> c_int { + SSL_ctrl(ssl, SSL_CTRL_GET_TMP_KEY, 0, key as *mut c_void) as c_int + } + } } #[cfg(ossl111)] diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 8bd6d945a1..9d7ba0edc3 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3451,6 +3451,7 @@ impl SslRef { // We use an owned value because EVP_KEY free need to be called when it is // dropped #[corresponds(SSL_get_peer_tmp_key)] + #[cfg(ossl300)] pub fn peer_temp_key(&self) -> Result, ErrorStack> { unsafe { let mut key = ptr::null_mut(); @@ -3465,7 +3466,8 @@ impl SslRef { /// used during key exchange. // We use an owned value because EVP_KEY free need to be called when it is // dropped - #[corresponds(SSL_get_peer_tmp_key)] + #[corresponds(SSL_get_tmp_key)] + #[cfg(ossl300)] pub fn temp_key(&self) -> Result, ErrorStack> { unsafe { let mut key = ptr::null_mut(); diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 3c90e728be..b289f0fcc8 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -322,9 +322,10 @@ fn state() { ); } -// when a connection uses ECDHE P-256 key exchange, then the temp key APIs -// return P-256 keys, and the peer and local keys are different. +// when a connection uses ECDHE P-384 key exchange, then the temp key APIs +// return P-384 keys, and the peer and local keys are different. #[test] +#[cfg(ossl300)] fn peer_temp_key_p384() { let mut server = Server::builder(); server.ctx().set_groups_list("P-384").unwrap(); @@ -348,6 +349,7 @@ fn peer_temp_key_p384() { // an Error because there is no temp key, and the local (client) temp key is the // temp key sent in the initial key share. #[test] +#[cfg(ossl300)] fn peer_temp_key_rsa() { let mut server = Server::builder(); server.ctx().set_cipher_list("RSA").unwrap(); From 8ae4cdee0df1c1f4ff2b14e3f7da504b2c6b8aa6 Mon Sep 17 00:00:00 2001 From: James Mayclin Date: Mon, 30 Oct 2023 19:25:37 +0000 Subject: [PATCH 324/341] conform to tmp naming convention The rust bindings use the same "tmp" spelling as the C apis. --- openssl/src/ssl/mod.rs | 4 ++-- openssl/src/ssl/test/mod.rs | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 9d7ba0edc3..58f8177e7f 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3452,7 +3452,7 @@ impl SslRef { // dropped #[corresponds(SSL_get_peer_tmp_key)] #[cfg(ossl300)] - pub fn peer_temp_key(&self) -> Result, ErrorStack> { + pub fn peer_tmp_key(&self) -> Result, ErrorStack> { unsafe { let mut key = ptr::null_mut(); match cvt(ffi::SSL_get_peer_tmp_key(self.as_ptr(), &mut key)) { @@ -3468,7 +3468,7 @@ impl SslRef { // dropped #[corresponds(SSL_get_tmp_key)] #[cfg(ossl300)] - pub fn temp_key(&self) -> Result, ErrorStack> { + pub fn tmp_key(&self) -> Result, ErrorStack> { unsafe { let mut key = ptr::null_mut(); match cvt(ffi::SSL_get_tmp_key(self.as_ptr(), &mut key)) { diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index b289f0fcc8..5b90b230fd 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -331,11 +331,11 @@ fn peer_temp_key_p384() { server.ctx().set_groups_list("P-384").unwrap(); let server = server.build(); let s = server.client().connect(); - let peer_temp = s.ssl().peer_temp_key().unwrap(); + let peer_temp = s.ssl().peer_tmp_key().unwrap(); assert_eq!(peer_temp.id(), Id::EC); assert_eq!(peer_temp.bits(), 384); - let local_temp = s.ssl().temp_key().unwrap(); + let local_temp = s.ssl().tmp_key().unwrap(); assert_eq!(local_temp.id(), Id::EC); assert_eq!(local_temp.bits(), 384); @@ -360,11 +360,11 @@ fn peer_temp_key_rsa() { let mut client = server.client(); client.ctx().set_groups_list("P-521").unwrap(); let s = client.connect(); - let peer_temp = s.ssl().peer_temp_key(); + let peer_temp = s.ssl().peer_tmp_key(); assert!(peer_temp.is_err()); // this is the temp key that the client sent in the initial key share - let local_temp = s.ssl().temp_key().unwrap(); + let local_temp = s.ssl().tmp_key().unwrap(); assert_eq!(local_temp.id(), Id::EC); assert_eq!(local_temp.bits(), 521); } From cc0698ad49244f412476b9d4969b2c9dbd2ba40a Mon Sep 17 00:00:00 2001 From: James Mayclin Date: Mon, 30 Oct 2023 19:46:29 +0000 Subject: [PATCH 325/341] use c_long return value --- openssl-sys/src/ssl.rs | 8 ++++---- openssl/src/lib.rs | 11 ++++++++++- openssl/src/ssl/mod.rs | 6 +++--- openssl/src/ssl/test/mod.rs | 4 ++-- 4 files changed, 19 insertions(+), 10 deletions(-) diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs index e02485b288..52ea5b2135 100644 --- a/openssl-sys/src/ssl.rs +++ b/openssl-sys/src/ssl.rs @@ -512,12 +512,12 @@ cfg_if! { } cfg_if! { if #[cfg(ossl300)] { - pub unsafe fn SSL_get_peer_tmp_key(ssl: *mut SSL, key: *mut *mut EVP_PKEY) -> c_int { - SSL_ctrl(ssl, SSL_CTRL_GET_PEER_TMP_KEY, 0, key as *mut c_void) as c_int + pub unsafe fn SSL_get_peer_tmp_key(ssl: *mut SSL, key: *mut *mut EVP_PKEY) -> c_long { + SSL_ctrl(ssl, SSL_CTRL_GET_PEER_TMP_KEY, 0, key as *mut c_void) } - pub unsafe fn SSL_get_tmp_key(ssl: *mut SSL, key: *mut *mut EVP_PKEY) -> c_int { - SSL_ctrl(ssl, SSL_CTRL_GET_TMP_KEY, 0, key as *mut c_void) as c_int + pub unsafe fn SSL_get_tmp_key(ssl: *mut SSL, key: *mut *mut EVP_PKEY) -> c_long { + SSL_ctrl(ssl, SSL_CTRL_GET_TMP_KEY, 0, key as *mut c_void) } } } diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index bc9d2b3455..202e3acf66 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -124,7 +124,7 @@ #[doc(inline)] pub use ffi::init; -use libc::c_int; +use libc::{c_int, c_long}; use crate::error::ErrorStack; @@ -212,6 +212,15 @@ fn cvt(r: c_int) -> Result { } } +#[inline] +fn cvt_long(r: c_long) -> Result { + if r <= 0 { + Err(ErrorStack::get()) + } else { + Ok(r) + } +} + #[inline] fn cvt_n(r: c_int) -> Result { if r < 0 { diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 58f8177e7f..4619ade2c2 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -78,7 +78,7 @@ use crate::x509::store::{X509Store, X509StoreBuilderRef, X509StoreRef}; #[cfg(any(ossl102, libressl261))] use crate::x509::verify::X509VerifyParamRef; use crate::x509::{X509Name, X509Ref, X509StoreContextRef, X509VerifyResult, X509}; -use crate::{cvt, cvt_n, cvt_p, init}; +use crate::{cvt, cvt_long, cvt_n, cvt_p, init}; use bitflags::bitflags; use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef, Opaque}; @@ -3455,7 +3455,7 @@ impl SslRef { pub fn peer_tmp_key(&self) -> Result, ErrorStack> { unsafe { let mut key = ptr::null_mut(); - match cvt(ffi::SSL_get_peer_tmp_key(self.as_ptr(), &mut key)) { + match cvt_long(ffi::SSL_get_peer_tmp_key(self.as_ptr(), &mut key)) { Ok(_) => Ok(PKey::::from_ptr(key)), Err(e) => Err(e), } @@ -3471,7 +3471,7 @@ impl SslRef { pub fn tmp_key(&self) -> Result, ErrorStack> { unsafe { let mut key = ptr::null_mut(); - match cvt(ffi::SSL_get_tmp_key(self.as_ptr(), &mut key)) { + match cvt_long(ffi::SSL_get_tmp_key(self.as_ptr(), &mut key)) { Ok(_) => Ok(PKey::::from_ptr(key)), Err(e) => Err(e), } diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 5b90b230fd..8a2f616bcd 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -326,7 +326,7 @@ fn state() { // return P-384 keys, and the peer and local keys are different. #[test] #[cfg(ossl300)] -fn peer_temp_key_p384() { +fn peer_tmp_key_p384() { let mut server = Server::builder(); server.ctx().set_groups_list("P-384").unwrap(); let server = server.build(); @@ -350,7 +350,7 @@ fn peer_temp_key_p384() { // temp key sent in the initial key share. #[test] #[cfg(ossl300)] -fn peer_temp_key_rsa() { +fn peer_tmp_key_rsa() { let mut server = Server::builder(); server.ctx().set_cipher_list("RSA").unwrap(); // RSA key exchange is not allowed in TLS 1.3, so force the connection From 4965ce9f2099c1641af5a2649a3ddf92fb0b3848 Mon Sep 17 00:00:00 2001 From: James Mayclin Date: Mon, 30 Oct 2023 20:19:17 +0000 Subject: [PATCH 326/341] address pr feedback * tmp_key return private information, use the appropriate type * gate imports behind the appropriate flags --- openssl/src/lib.rs | 8 +++++++- openssl/src/ssl/mod.rs | 13 ++++++++----- openssl/src/ssl/test/mod.rs | 5 ++++- 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 202e3acf66..4b9ee80454 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -124,7 +124,9 @@ #[doc(inline)] pub use ffi::init; -use libc::{c_int, c_long}; +use libc::c_int; +#[cfg(ossl300)] +use libc::c_long; use crate::error::ErrorStack; @@ -212,7 +214,11 @@ fn cvt(r: c_int) -> Result { } } +// cvt_long is currently only used in functions that require openssl >= 3.0.0, +// so this cfg statement is used to avoid "unused function" errors when +// compiling with openssl < 3.0.0 #[inline] +#[cfg(ossl300)] fn cvt_long(r: c_long) -> Result { if r <= 0 { Err(ErrorStack::get()) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 4619ade2c2..cc643ae57f 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -57,6 +57,8 @@ //! } //! } //! ``` +#[cfg(ossl300)] +use crate::cvt_long; use crate::dh::{Dh, DhRef}; #[cfg(all(ossl101, not(ossl110)))] use crate::ec::EcKey; @@ -67,7 +69,9 @@ use crate::ex_data::Index; use crate::hash::MessageDigest; #[cfg(any(ossl110, libressl270))] use crate::nid::Nid; -use crate::pkey::{HasPrivate, PKey, PKeyRef, Params, Private, Public}; +use crate::pkey::{HasPrivate, PKeyRef, Params, Private}; +#[cfg(ossl300)] +use crate::pkey::{PKey, Public}; use crate::srtp::{SrtpProtectionProfile, SrtpProtectionProfileRef}; use crate::ssl::bio::BioMethod; use crate::ssl::callbacks::*; @@ -78,7 +82,7 @@ use crate::x509::store::{X509Store, X509StoreBuilderRef, X509StoreRef}; #[cfg(any(ossl102, libressl261))] use crate::x509::verify::X509VerifyParamRef; use crate::x509::{X509Name, X509Ref, X509StoreContextRef, X509VerifyResult, X509}; -use crate::{cvt, cvt_long, cvt_n, cvt_p, init}; +use crate::{cvt, cvt_n, cvt_p, init}; use bitflags::bitflags; use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef, Opaque}; @@ -3468,16 +3472,15 @@ impl SslRef { // dropped #[corresponds(SSL_get_tmp_key)] #[cfg(ossl300)] - pub fn tmp_key(&self) -> Result, ErrorStack> { + pub fn tmp_key(&self) -> Result, ErrorStack> { unsafe { let mut key = ptr::null_mut(); match cvt_long(ffi::SSL_get_tmp_key(self.as_ptr(), &mut key)) { - Ok(_) => Ok(PKey::::from_ptr(key)), + Ok(_) => Ok(PKey::::from_ptr(key)), Err(e) => Err(e), } } } - } /// An SSL stream midway through the handshake process. diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 8a2f616bcd..1fc9ba6b48 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -355,7 +355,10 @@ fn peer_tmp_key_rsa() { server.ctx().set_cipher_list("RSA").unwrap(); // RSA key exchange is not allowed in TLS 1.3, so force the connection // to negotiate TLS 1.2 - server.ctx().set_max_proto_version(Some(SslVersion::TLS1_2)).unwrap(); + server + .ctx() + .set_max_proto_version(Some(SslVersion::TLS1_2)) + .unwrap(); let server = server.build(); let mut client = server.client(); client.ctx().set_groups_list("P-521").unwrap(); From b7be1dc3040c31af72832f4392d7ddc54b7558f6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 1 Nov 2023 13:31:28 -0700 Subject: [PATCH 327/341] Release openssl v0.10.58 and openssl-sys v0.9.94 --- openssl-sys/CHANGELOG.md | 17 ++++++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 21 ++++++++++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 39 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 8d2a65574b..b8120733f6 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,20 @@ ## [Unreleased] +## [v0.9.94] - 2023-11-01 + +### Changed + +* `X509_ALGOR` is now opaque on new LibreSSL releases + +### Added + +* Added support for building with `OPENSSL_NO_SCRYPT` +* Added `EVP_PKEY_RSA_PSS` and `EVP_PKEY_DHX` +* Functions and constants for using HKDF `EVP_PKEY` are now available on LibreSSL. +* Added `SSL_CTX_set_security_level`, `SSL_set_security_level`, `SSL_CTX_get_security_level`, `SSL_get_security_level` +* Added `X509_check_host`, `X509_check_email`, `X509_check_ip`, `X509_check_ip_asc` + ## [v0.9.93] - 2023-09-04 ### Changed @@ -508,7 +522,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.93..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.94..master +[v0.9.93]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.93...openssl-sys-v0.9.94 [v0.9.93]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.92...openssl-sys-v0.9.93 [v0.9.92]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.91...openssl-sys-v0.9.92 [v0.9.91]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.90...openssl-sys-v0.9.91 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 44fc45a71b..980f41e92c 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.93" +version = "0.9.94" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index f5409b1222..f1acc1fccf 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,24 @@ ## [Unreleased] +## [v0.10.58] - 2023-11-01 + +### Added + +* Added `Id::{RSA_PSS,DHX}` constants +* Added `SslContextBuilder::set_security_level` +* Added `SslContextRef::security_level` +* Added `SslRef::set_security_level`, `SslRef::security_level` +* Added `Cipher::{camellia_128_cbc, camellia_192_cbc, camellia_256_cbc, cast5_cbc, idea_cbc}` +* Added `X509CrlRef::extension` +* Added `X509PurposeId::CODE_SIGN` + +### Changed + +* `Pkey` HKDF functionality now works on LibreSSL +* `BigNum::mod_sqrt` is now available on all OpenSSLs +* `MessageDigest::sha3*` are now available on LibreSSL + ## [v0.10.57] - 2023-08-27 ### Added @@ -797,7 +815,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.57...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.58...master +[v0.10.57]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.57...openssl-v0.10.58 [v0.10.57]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.56...openssl-v0.10.57 [v0.10.56]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...openssl-v0.10.56 [v0.10.55]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...openssl-v0.10.55 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index ec8beaef9c..9a2f5016f5 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.57" +version = "0.10.58" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.92", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.94", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 946b706ddb62e9bc3f9a88d86431a19a77eec324 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 1 Nov 2023 16:00:47 -0700 Subject: [PATCH 328/341] Fixed cfg for RSA_PSS --- openssl-sys/src/evp.rs | 2 +- openssl/src/pkey.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index e317fea35c..a3a8a84fb5 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -7,7 +7,7 @@ pub const PKCS5_SALT_LEN: c_int = 8; pub const PKCS12_DEFAULT_ITER: c_int = 2048; pub const EVP_PKEY_RSA: c_int = NID_rsaEncryption; -#[cfg(any(openssl111, boringssl))] +#[cfg(any(ossl111, libressl310, boringssl))] pub const EVP_PKEY_RSA_PSS: c_int = NID_rsassaPss; pub const EVP_PKEY_DSA: c_int = NID_dsa; pub const EVP_PKEY_DH: c_int = NID_dhKeyAgreement; diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index ac5989c572..8f0b5bdf70 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -78,7 +78,7 @@ pub struct Id(c_int); impl Id { pub const RSA: Id = Id(ffi::EVP_PKEY_RSA); - #[cfg(any(openssl111, boringssl))] + #[cfg(any(ossl111, libressl310, boringssl))] pub const RSA_PSS: Id = Id(ffi::EVP_PKEY_RSA_PSS); #[cfg(not(boringssl))] pub const HMAC: Id = Id(ffi::EVP_PKEY_HMAC); From 05b620dd524b9f6966924ddbfbeb59dc015ffb72 Mon Sep 17 00:00:00 2001 From: Arnav Singh Date: Thu, 2 Nov 2023 08:55:39 -0700 Subject: [PATCH 329/341] Add binding to NID of Chacha20-Poly1305 cipher Ref: - https://github.com/openssl/openssl/blob/OpenSSL_1_1_0l/include/openssl/obj_mac.h#L4325 - https://github.com/openbsd/src/blob/d781822394e40621101778573b197bbb39bc8d5b/lib/libcrypto/objects/obj_mac.num#L967 --- openssl-sys/src/obj_mac.rs | 4 ++++ openssl/src/nid.rs | 2 ++ 2 files changed, 6 insertions(+) diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 9f4c7c12dd..2c4b6aaeb9 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -996,3 +996,7 @@ pub const NID_sha3_512: c_int = 1034; pub const NID_shake128: c_int = 1100; #[cfg(ossl111)] pub const NID_shake256: c_int = 1101; +#[cfg(ossl110)] +pub const NID_chacha20_poly1305: c_int = 1018; +#[cfg(libressl271)] +pub const NID_chacha20_poly1305: c_int = 967; diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index a78d0e660c..a5bd93ca42 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -1090,6 +1090,8 @@ impl Nid { pub const SHAKE128: Nid = Nid(ffi::NID_shake128); #[cfg(ossl111)] pub const SHAKE256: Nid = Nid(ffi::NID_shake256); + #[cfg(any(ossl110, libressl271))] + pub const CHACHA20_POLY1305: Nid = Nid(ffi::NID_chacha20_poly1305); } #[cfg(test)] From 6f6e5c4f02c370c594ccf404a4a67e366d26ad1c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 2 Nov 2023 21:50:11 -0700 Subject: [PATCH 330/341] fixes #2050 -- build and test on libressl 3.8.2 --- .github/workflows/ci.yml | 4 ++-- openssl-sys/build/main.rs | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 724c125cea..1bb0155986 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -190,7 +190,7 @@ jobs: bindgen: true library: name: libressl - version: 3.8.0 + version: 3.8.2 - target: x86_64-unknown-linux-gnu bindgen: false library: @@ -205,7 +205,7 @@ jobs: bindgen: false library: name: libressl - version: 3.8.1 + version: 3.8.2 name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} runs-on: ubuntu-latest env: diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index cd732ca46a..bbee7c5c0d 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -292,6 +292,7 @@ See rust-openssl documentation for more information: (3, 7, _) => ('3', '7', 'x'), (3, 8, 0) => ('3', '8', '0'), (3, 8, 1) => ('3', '8', '1'), + (3, 8, _) => ('3', '8', 'x'), _ => version_error(), }; From 955c34819ec71ae4cd16fff5b974b44e64080252 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 3 Nov 2023 07:29:15 -0700 Subject: [PATCH 331/341] Release openssl v0.10.59 and openssl-sys v0.9.95 --- openssl-sys/CHANGELOG.md | 16 ++++++++++++++-- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 15 +++++++++++++-- openssl/Cargo.toml | 4 ++-- 4 files changed, 30 insertions(+), 7 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index b8120733f6..1113ce8c60 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,17 @@ ## [Unreleased] +## [v0.9.95] - 2023-11-03 + +### Changed + +* Fixed the availability of `EVP_PKEY_RSA_PSS` on OpenSSL + +### Added + +* Added support for LibreSSL 3.8.x. +* Added `NID_chacha20_poly1305` + ## [v0.9.94] - 2023-11-01 ### Changed @@ -522,8 +533,9 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.94..master -[v0.9.93]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.93...openssl-sys-v0.9.94 +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.95..master +[v0.9.95]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.94...openssl-sys-v0.9.95 +[v0.9.94]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.93...openssl-sys-v0.9.94 [v0.9.93]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.92...openssl-sys-v0.9.93 [v0.9.92]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.91...openssl-sys-v0.9.92 [v0.9.91]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.90...openssl-sys-v0.9.91 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 980f41e92c..fc7e8f3c7a 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.94" +version = "0.9.95" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index f1acc1fccf..f9a433fae8 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,16 @@ ## [Unreleased] +## [v0.10.59] - 2023-11-03 + +### Added + +* Added `Nid::CHACHA20_POLY1305` + +### Changed + +* Fixed the availability of `Id::RSA_PSS` on OpenSSL + ## [v0.10.58] - 2023-11-01 ### Added @@ -815,8 +825,9 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.58...master -[v0.10.57]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.57...openssl-v0.10.58 +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.59...master +[v0.10.59]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.58...openssl-v0.10.59 +[v0.10.58]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.57...openssl-v0.10.58 [v0.10.57]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.56...openssl-v0.10.57 [v0.10.56]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...openssl-v0.10.56 [v0.10.55]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...openssl-v0.10.55 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 9a2f5016f5..6778dcbb0e 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.58" +version = "0.10.59" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.94", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.95", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 1ec2b3af013c7d757d4684e783cf20b8fc4a8ca5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 3 Nov 2023 10:58:32 -0700 Subject: [PATCH 332/341] Expose a few more (bad) ciphers in cipher::Cipher --- openssl/src/cipher.rs | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index 892cae1db7..722847b0ef 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -388,6 +388,11 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_128_ecb() as *mut _) } } + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn camellia128_cbc() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_camellia_128_cbc() as *mut _) } + } + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia192_cfb128() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_192_cfb128() as *mut _) } @@ -398,6 +403,11 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_192_ecb() as *mut _) } } + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn camellia192_cbc() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_camellia_192_cbc() as *mut _) } + } + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia256_cfb128() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_256_cfb128() as *mut _) } @@ -408,6 +418,11 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_256_ecb() as *mut _) } } + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn camellia256_cbc() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_camellia_256_cbc() as *mut _) } + } + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn cast5_cfb64() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_cast5_cfb64() as *mut _) } @@ -418,6 +433,11 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_cast5_ecb() as *mut _) } } + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] + pub fn cast5_cbc() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_cast5_cbc() as *mut _) } + } + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn idea_cfb64() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_idea_cfb64() as *mut _) } @@ -428,6 +448,11 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_idea_ecb() as *mut _) } } + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] + pub fn idea_cbc() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_idea_cbc() as *mut _) } + } + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn chacha20() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_chacha20() as *mut _) } From e097a0279e5c4a0caef17ff0520d506439b6a9aa Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 4 Nov 2023 09:45:50 -0700 Subject: [PATCH 333/341] Correct off-by-one in minimum output buffer size computation If there was a full block in the buffer, it would have already been returned. --- openssl/src/cipher_ctx.rs | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 1769ee9716..754539c7e9 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -556,11 +556,8 @@ impl CipherCtxRef { output: Option<&mut [u8]>, ) -> Result { if let Some(output) = &output { - let mut block_size = self.block_size(); - if block_size == 1 { - block_size = 0; - } - let min_output_size = input.len() + block_size; + let block_size = self.block_size(); + let min_output_size = input.len() + block_size - 1; assert!( output.len() >= min_output_size, "Output buffer size should be at least {} bytes.", @@ -910,19 +907,19 @@ mod test { } #[test] - #[should_panic(expected = "Output buffer size should be at least 33 bytes.")] + #[should_panic(expected = "Output buffer size should be at least 32 bytes.")] fn full_block_updates_aes_128() { output_buffer_too_small(Cipher::aes_128_cbc()); } #[test] - #[should_panic(expected = "Output buffer size should be at least 33 bytes.")] + #[should_panic(expected = "Output buffer size should be at least 32 bytes.")] fn full_block_updates_aes_256() { output_buffer_too_small(Cipher::aes_256_cbc()); } #[test] - #[should_panic(expected = "Output buffer size should be at least 17 bytes.")] + #[should_panic(expected = "Output buffer size should be at least 16 bytes.")] fn full_block_updates_3des() { output_buffer_too_small(Cipher::des_ede3_cbc()); } From 3cab63cd30d8c8f92b11d1fa8fe3f65a1dfdfbf8 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 3 Nov 2023 11:41:38 -0700 Subject: [PATCH 334/341] Expose a few more (bad) ciphers in symm::Cipher --- openssl-sys/src/handwritten/evp.rs | 13 +++++ openssl/src/symm.rs | 89 ++++++++++++++++++++++++++++++ 2 files changed, 102 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index bf5aa421bd..6d11447506 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -312,7 +312,10 @@ extern "C" { pub fn EVP_des_ecb() -> *const EVP_CIPHER; pub fn EVP_des_ede3() -> *const EVP_CIPHER; pub fn EVP_des_ede3_cbc() -> *const EVP_CIPHER; + pub fn EVP_des_ede3_ecb() -> *const EVP_CIPHER; pub fn EVP_des_ede3_cfb64() -> *const EVP_CIPHER; + pub fn EVP_des_ede3_cfb8() -> *const EVP_CIPHER; + pub fn EVP_des_ede3_ofb() -> *const EVP_CIPHER; pub fn EVP_des_cbc() -> *const EVP_CIPHER; #[cfg(not(osslconf = "OPENSSL_NO_RC4"))] pub fn EVP_rc4() -> *const EVP_CIPHER; @@ -398,17 +401,23 @@ extern "C" { #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_128_cbc() -> *const EVP_CIPHER; #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn EVP_camellia_128_ofb() -> *const EVP_CIPHER; + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_192_cfb128() -> *const EVP_CIPHER; #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_192_ecb() -> *const EVP_CIPHER; #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_192_cbc() -> *const EVP_CIPHER; #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn EVP_camellia_192_ofb() -> *const EVP_CIPHER; + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_256_cfb128() -> *const EVP_CIPHER; #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_256_ecb() -> *const EVP_CIPHER; #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_256_cbc() -> *const EVP_CIPHER; + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn EVP_camellia_256_ofb() -> *const EVP_CIPHER; #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn EVP_cast5_cfb64() -> *const EVP_CIPHER; @@ -416,6 +425,8 @@ extern "C" { pub fn EVP_cast5_ecb() -> *const EVP_CIPHER; #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn EVP_cast5_cbc() -> *const EVP_CIPHER; + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] + pub fn EVP_cast5_ofb() -> *const EVP_CIPHER; #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn EVP_idea_cfb64() -> *const EVP_CIPHER; @@ -423,6 +434,8 @@ extern "C" { pub fn EVP_idea_ecb() -> *const EVP_CIPHER; #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn EVP_idea_cbc() -> *const EVP_CIPHER; + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] + pub fn EVP_idea_ofb() -> *const EVP_CIPHER; #[cfg(not(ossl110))] pub fn OPENSSL_add_all_algorithms_noconf(); diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 7cf152e3c1..21cf6cb075 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -278,11 +278,25 @@ impl Cipher { unsafe { Cipher(ffi::EVP_des_ede3_cbc()) } } + pub fn des_ede3_ecb() -> Cipher { + unsafe { Cipher(ffi::EVP_des_ede3_ecb()) } + } + #[cfg(not(boringssl))] pub fn des_ede3_cfb64() -> Cipher { unsafe { Cipher(ffi::EVP_des_ede3_cfb64()) } } + #[cfg(not(boringssl))] + pub fn des_ede3_cfb8() -> Cipher { + unsafe { Cipher(ffi::EVP_des_ede3_cfb8()) } + } + + #[cfg(not(boringssl))] + pub fn des_ede3_ofb() -> Cipher { + unsafe { Cipher(ffi::EVP_des_ede3_ofb()) } + } + #[cfg(not(osslconf = "OPENSSL_NO_RC4"))] pub fn rc4() -> Cipher { unsafe { Cipher(ffi::EVP_rc4()) } @@ -293,21 +307,81 @@ impl Cipher { unsafe { Cipher(ffi::EVP_camellia_128_cbc()) } } + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn camellia_128_ecb() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_128_ecb()) } + } + + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn camellia_128_ofb() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_128_ofb()) } + } + + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn camellia_128_cfb128() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_128_cfb128()) } + } + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia_192_cbc() -> Cipher { unsafe { Cipher(ffi::EVP_camellia_192_cbc()) } } + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn camellia_192_ecb() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_192_ecb()) } + } + + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn camellia_192_ofb() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_192_ofb()) } + } + + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn camellia_192_cfb128() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_192_cfb128()) } + } + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia_256_cbc() -> Cipher { unsafe { Cipher(ffi::EVP_camellia_256_cbc()) } } + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn camellia_256_ecb() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_256_ecb()) } + } + + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn camellia_256_ofb() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_256_ofb()) } + } + + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn camellia_256_cfb128() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_256_cfb128()) } + } + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn cast5_cbc() -> Cipher { unsafe { Cipher(ffi::EVP_cast5_cbc()) } } + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] + pub fn cast5_ecb() -> Cipher { + unsafe { Cipher(ffi::EVP_cast5_ecb()) } + } + + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] + pub fn cast5_ofb() -> Cipher { + unsafe { Cipher(ffi::EVP_cast5_ofb()) } + } + + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] + pub fn cast5_cfb64() -> Cipher { + unsafe { Cipher(ffi::EVP_cast5_cfb64()) } + } + /// Requires OpenSSL 1.1.0 or newer. #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn chacha20() -> Cipher { @@ -325,6 +399,21 @@ impl Cipher { unsafe { Cipher(ffi::EVP_idea_cbc()) } } + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] + pub fn idea_ecb() -> Cipher { + unsafe { Cipher(ffi::EVP_idea_ecb()) } + } + + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] + pub fn idea_ofb() -> Cipher { + unsafe { Cipher(ffi::EVP_idea_ofb()) } + } + + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] + pub fn idea_cfb64() -> Cipher { + unsafe { Cipher(ffi::EVP_idea_cfb64()) } + } + #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] pub fn seed_cbc() -> Cipher { unsafe { Cipher(ffi::EVP_seed_cbc()) } From 09b46d2499fbe5ac3aea1f3ab92bc6191d6866a3 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 5 Nov 2023 19:50:19 -0500 Subject: [PATCH 335/341] Revert "Correct off-by-one in minimum output buffer size computation" --- openssl/src/cipher_ctx.rs | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 754539c7e9..1769ee9716 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -556,8 +556,11 @@ impl CipherCtxRef { output: Option<&mut [u8]>, ) -> Result { if let Some(output) = &output { - let block_size = self.block_size(); - let min_output_size = input.len() + block_size - 1; + let mut block_size = self.block_size(); + if block_size == 1 { + block_size = 0; + } + let min_output_size = input.len() + block_size; assert!( output.len() >= min_output_size, "Output buffer size should be at least {} bytes.", @@ -907,19 +910,19 @@ mod test { } #[test] - #[should_panic(expected = "Output buffer size should be at least 32 bytes.")] + #[should_panic(expected = "Output buffer size should be at least 33 bytes.")] fn full_block_updates_aes_128() { output_buffer_too_small(Cipher::aes_128_cbc()); } #[test] - #[should_panic(expected = "Output buffer size should be at least 32 bytes.")] + #[should_panic(expected = "Output buffer size should be at least 33 bytes.")] fn full_block_updates_aes_256() { output_buffer_too_small(Cipher::aes_256_cbc()); } #[test] - #[should_panic(expected = "Output buffer size should be at least 16 bytes.")] + #[should_panic(expected = "Output buffer size should be at least 17 bytes.")] fn full_block_updates_3des() { output_buffer_too_small(Cipher::des_ede3_cbc()); } From 5989092543c07a28af5379a4b67a1b08665de6fd Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 10 Nov 2023 21:50:04 -0500 Subject: [PATCH 336/341] Expose ChaCha20 on LibreSSL --- openssl-sys/src/handwritten/evp.rs | 2 +- openssl/src/cipher.rs | 2 +- openssl/src/symm.rs | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 6d11447506..fabb13383e 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -370,7 +370,7 @@ extern "C" { pub fn EVP_aes_256_wrap() -> *const EVP_CIPHER; #[cfg(ossl110)] pub fn EVP_aes_256_wrap_pad() -> *const EVP_CIPHER; - #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] + #[cfg(all(any(ossl110, libressl310), not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn EVP_chacha20() -> *const EVP_CIPHER; #[cfg(all(any(ossl110, libressl360), not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn EVP_chacha20_poly1305() -> *const EVP_CIPHER; diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index 722847b0ef..b5c82e8f68 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -453,7 +453,7 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_idea_cbc() as *mut _) } } - #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] + #[cfg(all(any(ossl110, libressl310), not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn chacha20() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_chacha20() as *mut _) } } diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 21cf6cb075..1e9dc34fc6 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -383,7 +383,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] + #[cfg(all(any(ossl110, libressl310), not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn chacha20() -> Cipher { unsafe { Cipher(ffi::EVP_chacha20()) } } @@ -1592,7 +1592,7 @@ mod tests { } #[test] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl310))] fn test_chacha20() { let key = "0000000000000000000000000000000000000000000000000000000000000000"; let iv = "00000000000000000000000000000000"; From cf9681a55cabd4cb9f1475bde17b5079f2a0384e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 19 Nov 2023 09:11:34 -0500 Subject: [PATCH 337/341] fixes #2096 -- deprecate `X509StoreRef::objects`, it is unsound Introduce `X509StoreRef::all_certificates` as a replacement. --- openssl-sys/src/handwritten/x509.rs | 2 ++ openssl/src/cipher_ctx.rs | 6 ++++-- openssl/src/lib.rs | 2 +- openssl/src/x509/store.rs | 18 +++++++++++++++++- openssl/src/x509/tests.rs | 15 +++++++++++++++ 5 files changed, 39 insertions(+), 4 deletions(-) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index f5e3c24289..c5419ed6eb 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -644,6 +644,8 @@ const_ptr_api! { extern "C" { #[cfg(any(ossl110, libressl270))] pub fn X509_STORE_get0_objects(ctx: #[const_ptr_if(ossl300)] X509_STORE) -> *mut stack_st_X509_OBJECT; + #[cfg(ossl300)] + pub fn X509_STORE_get1_all_certs(ctx: *mut X509_STORE) -> *mut stack_st_X509; } } diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 1769ee9716..58e789b044 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -581,7 +581,8 @@ impl CipherCtxRef { /// output size check removed. It can be used when the exact /// buffer size control is maintained by the caller. /// - /// SAFETY: The caller is expected to provide `output` buffer + /// # Safety + /// The caller is expected to provide `output` buffer /// large enough to contain correct number of bytes. For streaming /// ciphers the output buffer size should be at least as big as /// the input buffer. For block ciphers the size of the output @@ -693,7 +694,8 @@ impl CipherCtxRef { /// This function is the same as [`Self::cipher_final`] but with /// the output buffer size check removed. /// - /// SAFETY: The caller is expected to provide `output` buffer + /// # Safety + /// The caller is expected to provide `output` buffer /// large enough to contain correct number of bytes. For streaming /// ciphers the output buffer can be empty, for block ciphers the /// output buffer should be at least as big as the block. diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 4b9ee80454..5c9ccf7a05 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -119,7 +119,7 @@ //! ``` #![doc(html_root_url = "https://docs.rs/openssl/0.10")] #![warn(rust_2018_idioms)] -#![allow(clippy::uninlined_format_args)] +#![allow(clippy::uninlined_format_args, clippy::needless_doctest_main)] #[doc(inline)] pub use ffi::init; diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs index a90bf3515f..8619086ebb 100644 --- a/openssl/src/x509/store.rs +++ b/openssl/src/x509/store.rs @@ -42,12 +42,14 @@ //! ``` use cfg_if::cfg_if; -use foreign_types::ForeignTypeRef; +use foreign_types::{ForeignType, ForeignTypeRef}; use std::mem; use crate::error::ErrorStack; #[cfg(not(boringssl))] use crate::ssl::SslFiletype; +#[cfg(ossl300)] +use crate::stack::Stack; use crate::stack::StackRef; #[cfg(any(ossl102, libressl261))] use crate::x509::verify::{X509VerifyFlags, X509VerifyParamRef}; @@ -260,10 +262,24 @@ foreign_type_and_impl_send_sync! { impl X509StoreRef { /// Get a reference to the cache of certificates in this store. + /// + /// This method is deprecated. It is **unsound** and will be removed in a + /// future version of rust-openssl. `X509StoreRef::all_certificates` + /// should be used instead. + #[deprecated( + note = "This method is unsound, and will be removed in a future version of rust-openssl. X509StoreRef::all_certificates should be used instead." + )] #[corresponds(X509_STORE_get0_objects)] pub fn objects(&self) -> &StackRef { unsafe { StackRef::from_ptr(X509_STORE_get0_objects(self.as_ptr())) } } + + /// Returns a stack of all the certificates in this store. + #[corresponds(X509_STORE_get1_all_certs)] + #[cfg(ossl300)] + pub fn all_certificates(&self) -> Stack { + unsafe { Stack::from_ptr(ffi::X509_STORE_get1_all_certs(self.as_ptr())) } + } } cfg_if! { diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index a4a3de970c..0444a067dd 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -1177,3 +1177,18 @@ fn test_dist_point_null() { let cert = X509::from_pem(cert).unwrap(); assert!(cert.crl_distribution_points().is_none()); } + +#[test] +#[cfg(ossl300)] +fn test_store_all_certificates() { + let cert = include_bytes!("../../test/cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + + let store = { + let mut b = X509StoreBuilder::new().unwrap(); + b.add_cert(cert).unwrap(); + b.build() + }; + + assert_eq!(store.all_certificates().len(), 1); +} From 602d38dca7b8a22a355e1e53199d922742025c5c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 19 Nov 2023 09:29:12 -0500 Subject: [PATCH 338/341] Added `update_unchecked` to `symm::Crypter` --- openssl/src/cipher_ctx.rs | 6 ++++-- openssl/src/lib.rs | 2 +- openssl/src/symm.rs | 21 +++++++++++++++++++++ 3 files changed, 26 insertions(+), 3 deletions(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 1769ee9716..58e789b044 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -581,7 +581,8 @@ impl CipherCtxRef { /// output size check removed. It can be used when the exact /// buffer size control is maintained by the caller. /// - /// SAFETY: The caller is expected to provide `output` buffer + /// # Safety + /// The caller is expected to provide `output` buffer /// large enough to contain correct number of bytes. For streaming /// ciphers the output buffer size should be at least as big as /// the input buffer. For block ciphers the size of the output @@ -693,7 +694,8 @@ impl CipherCtxRef { /// This function is the same as [`Self::cipher_final`] but with /// the output buffer size check removed. /// - /// SAFETY: The caller is expected to provide `output` buffer + /// # Safety + /// The caller is expected to provide `output` buffer /// large enough to contain correct number of bytes. For streaming /// ciphers the output buffer can be empty, for block ciphers the /// output buffer should be at least as big as the block. diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 4b9ee80454..5c9ccf7a05 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -119,7 +119,7 @@ //! ``` #![doc(html_root_url = "https://docs.rs/openssl/0.10")] #![warn(rust_2018_idioms)] -#![allow(clippy::uninlined_format_args)] +#![allow(clippy::uninlined_format_args, clippy::needless_doctest_main)] #[doc(inline)] pub use ffi::init; diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 1e9dc34fc6..0ff9d874e2 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -696,6 +696,27 @@ impl Crypter { self.ctx.cipher_update(input, Some(output)) } + /// Feeds data from `input` through the cipher, writing encrypted/decrypted + /// bytes into `output`. + /// + /// The number of bytes written to `output` is returned. Note that this may + /// not be equal to the length of `input`. + /// + /// # Safety + /// + /// The caller must provide an `output` buffer large enough to contain + /// correct number of bytes. For streaming ciphers the output buffer size + /// should be at least as big as the input buffer. For block ciphers the + /// size of the output buffer depends on the state of partially updated + /// blocks. + pub unsafe fn update_unchecked( + &mut self, + input: &[u8], + output: &mut [u8], + ) -> Result { + self.ctx.cipher_update_unchecked(input, Some(output)) + } + /// Finishes the encryption/decryption process, writing any remaining data /// to `output`. /// From e839496d9ed0bd4dcd4f1ec24e049cbe117ef1bb Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 20 Nov 2023 10:26:06 -1000 Subject: [PATCH 339/341] Don't leak when overwriting ex data --- openssl/src/ssl/mod.rs | 42 +++++++++++++++++++++++-------- openssl/src/ssl/test/mod.rs | 49 ++++++++++++++++++++++++++++++++++++- 2 files changed, 80 insertions(+), 11 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index cc643ae57f..fb38bb3e4a 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -1572,16 +1572,34 @@ impl SslContextBuilder { /// /// This can be used to provide data to callbacks registered with the context. Use the /// `SslContext::new_ex_index` method to create an `Index`. + // FIXME should return a result #[corresponds(SSL_CTX_set_ex_data)] pub fn set_ex_data(&mut self, index: Index, data: T) { self.set_ex_data_inner(index, data); } fn set_ex_data_inner(&mut self, index: Index, data: T) -> *mut c_void { + match self.ex_data_mut(index) { + Some(v) => { + *v = data; + (v as *mut T).cast() + } + _ => unsafe { + let data = Box::into_raw(Box::new(data)) as *mut c_void; + ffi::SSL_CTX_set_ex_data(self.as_ptr(), index.as_raw(), data); + data + }, + } + } + + fn ex_data_mut(&mut self, index: Index) -> Option<&mut T> { unsafe { - let data = Box::into_raw(Box::new(data)) as *mut c_void; - ffi::SSL_CTX_set_ex_data(self.as_ptr(), index.as_raw(), data); - data + let data = ffi::SSL_CTX_get_ex_data(self.as_ptr(), index.as_raw()); + if data.is_null() { + None + } else { + Some(&mut *data.cast()) + } } } @@ -2965,15 +2983,19 @@ impl SslRef { /// /// This can be used to provide data to callbacks registered with the context. Use the /// `Ssl::new_ex_index` method to create an `Index`. + // FIXME should return a result #[corresponds(SSL_set_ex_data)] pub fn set_ex_data(&mut self, index: Index, data: T) { - unsafe { - let data = Box::new(data); - ffi::SSL_set_ex_data( - self.as_ptr(), - index.as_raw(), - Box::into_raw(data) as *mut c_void, - ); + match self.ex_data_mut(index) { + Some(v) => *v = data, + None => unsafe { + let data = Box::new(data); + ffi::SSL_set_ex_data( + self.as_ptr(), + index.as_raw(), + Box::into_raw(data) as *mut c_void, + ); + }, } } diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 1fc9ba6b48..412c4a5dc6 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -10,7 +10,7 @@ use std::net::UdpSocket; use std::net::{SocketAddr, TcpListener, TcpStream}; use std::path::Path; use std::process::{Child, ChildStdin, Command, Stdio}; -use std::sync::atomic::{AtomicBool, Ordering}; +use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering}; use std::thread; use std::time::Duration; @@ -1638,3 +1638,50 @@ fn set_security_level() { let ssl = ssl; assert_eq!(4, ssl.security_level()); } + +#[test] +fn ssl_ctx_ex_data_leak() { + static DROPS: AtomicUsize = AtomicUsize::new(0); + + struct DropTest; + + impl Drop for DropTest { + fn drop(&mut self) { + DROPS.fetch_add(1, Ordering::Relaxed); + } + } + + let idx = SslContext::new_ex_index().unwrap(); + + let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); + ctx.set_ex_data(idx, DropTest); + ctx.set_ex_data(idx, DropTest); + assert_eq!(DROPS.load(Ordering::Relaxed), 1); + + drop(ctx); + assert_eq!(DROPS.load(Ordering::Relaxed), 2); +} + +#[test] +fn ssl_ex_data_leak() { + static DROPS: AtomicUsize = AtomicUsize::new(0); + + struct DropTest; + + impl Drop for DropTest { + fn drop(&mut self) { + DROPS.fetch_add(1, Ordering::Relaxed); + } + } + + let idx = Ssl::new_ex_index().unwrap(); + + let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); + let mut ssl = Ssl::new(&ctx).unwrap(); + ssl.set_ex_data(idx, DropTest); + ssl.set_ex_data(idx, DropTest); + assert_eq!(DROPS.load(Ordering::Relaxed), 1); + + drop(ssl); + assert_eq!(DROPS.load(Ordering::Relaxed), 2); +} From a92c23794149dc6bec8a8b1148c68bbe048851c9 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 20 Nov 2023 15:21:22 -1000 Subject: [PATCH 340/341] clippy --- openssl/src/cipher_ctx.rs | 8 ++++++-- openssl/src/lib.rs | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 1769ee9716..abb1f11ef3 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -581,7 +581,9 @@ impl CipherCtxRef { /// output size check removed. It can be used when the exact /// buffer size control is maintained by the caller. /// - /// SAFETY: The caller is expected to provide `output` buffer + /// # Safety + /// + /// The caller is expected to provide `output` buffer /// large enough to contain correct number of bytes. For streaming /// ciphers the output buffer size should be at least as big as /// the input buffer. For block ciphers the size of the output @@ -693,7 +695,9 @@ impl CipherCtxRef { /// This function is the same as [`Self::cipher_final`] but with /// the output buffer size check removed. /// - /// SAFETY: The caller is expected to provide `output` buffer + /// # Safety + /// + /// The caller is expected to provide `output` buffer /// large enough to contain correct number of bytes. For streaming /// ciphers the output buffer can be empty, for block ciphers the /// output buffer should be at least as big as the block. diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 4b9ee80454..5c9ccf7a05 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -119,7 +119,7 @@ //! ``` #![doc(html_root_url = "https://docs.rs/openssl/0.10")] #![warn(rust_2018_idioms)] -#![allow(clippy::uninlined_format_args)] +#![allow(clippy::uninlined_format_args, clippy::needless_doctest_main)] #[doc(inline)] pub use ffi::init; From df66283bbc734f20b968357bfc336def7b309b15 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 22 Nov 2023 15:38:19 -0500 Subject: [PATCH 341/341] Release openssl v0.10.60 and openssl-sys v0.9.96 --- openssl-sys/CHANGELOG.md | 15 ++++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 26 +++++++++++++++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 42 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 1113ce8c60..84262e4077 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,18 @@ ## [Unreleased] +## [v0.9.96] - 2023-11-22 + +### Changed + +* `EVP_chacha20` is now available on LibreSSL + +### Added + +* Added `EVP_des_ede3_ecb`, `EVP_des_ede3_cfb8`, `EVP_des_ede3_ofb`, `EVP_camellia_128_ofb`, `EVP_camellia_192_ofb`, `EVP_camellia_256_ofb`, `EVP_cast5_ofb`, `EVP_idea_ofb` +* Added `X509_STORE_get1_all_certs` +* Added `SSL_CTRL_GET_PEER_TMP_KEY`, `SSL_CTRL_GET_TMP_KEY`, `SSL_get_peer_tmp_key`, `SSL_get_tmp_key` + ## [v0.9.95] - 2023-11-03 ### Changed @@ -533,7 +545,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.95..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.96..master +[v0.9.96]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.95...openssl-sys-v0.9.96 [v0.9.95]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.94...openssl-sys-v0.9.95 [v0.9.94]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.93...openssl-sys-v0.9.94 [v0.9.93]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.92...openssl-sys-v0.9.93 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index fc7e8f3c7a..95d920adb6 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.95" +version = "0.9.96" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index f9a433fae8..d616f57fc2 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,29 @@ ## [Unreleased] +## [v0.10.60] - 2023-11-22 + +### Deprecated + +* Deprecated `X509StoreRef::objects`. It is unsound. All callers should migrate to using `X509StoreRef::all_certificates` instead. + +### Fixed + +* Fixed a memory leak when calling `SslContextBuilder::set_ex_data` and `SslRef::set_ex_data` multiple times with the same index. + +### Added + +* Added `X509StoreRef::all_certificates` +* Added `cipher::Cipher::{camellia128_cbc,camellia192_cbc,camellia256_cbc,cast5_cbc,idea_cbc}` +* Added `symm::Cipher::{des_ede3_ecb,des_ede3_cfb8,des_ede3_ofb,camellia_128_ecb,camellia_128_ofb,camellia_128_cfb128,camellia_192_ecb,camellia_192_ofb,camellia_192_cfb128,camellia_256_ecb,camellia_256_ofb,camellia_256_cfb128,cast5_ecb,cast5_ofb,cast5_cfb64,idea_ecb,idea_ofb,idea_cfb64}` +* Added `Crypter::update_unchecked` +* Added `SslRef::{peer_tmp_key,tmp_key}` + +### Changed + +* `cipher::Cipher::chacha20` is now available on LibreSSL +* `symm::Cipher::chacha20` is now available on LibreSSL + ## [v0.10.59] - 2023-11-03 ### Added @@ -825,7 +848,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.59...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.60...master +[v0.10.60]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.59...openssl-v0.10.60 [v0.10.59]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.58...openssl-v0.10.59 [v0.10.58]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.57...openssl-v0.10.58 [v0.10.57]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.56...openssl-v0.10.57 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 6778dcbb0e..aaf48b81a6 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.59" +version = "0.10.60" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.95", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.96", path = "../openssl-sys" } [dev-dependencies] hex = "0.3"