From 90d9199f858c0fc887f2a6778bb05f611a0ff456 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 3 Jun 2023 21:36:33 -0400 Subject: [PATCH 01/25] Fix warnings from BoringSSL on Rust 1.70 --- openssl-sys/build/run_bindgen.rs | 8 ++++++++ openssl-sys/src/lib.rs | 1 + 2 files changed, 9 insertions(+) diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 4fa9ec66f2..87b748f23b 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -110,11 +110,15 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { let mut builder = bindgen::builder() .rust_target(RustTarget::Stable_1_47) .ctypes_prefix("::libc") + .raw_line("use libc::*;") .derive_default(false) .enable_function_attribute_detection() .default_macro_constant_type(MacroTypeVariation::Signed) .rustified_enum("point_conversion_form_t") .allowlist_file(".*/openssl/[^/]+\\.h") + .allowlist_recursively(false) + .blocklist_function("BIO_vsnprintf") + .blocklist_function("OPENSSL_vasprintf") .wrap_static_fns(true) .wrap_static_fns_path(out_dir.join("boring_static_wrapper").display().to_string()) .layout_tests(false) @@ -165,11 +169,15 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { .arg(out_dir.join("bindgen.rs")) .arg("--rust-target=1.47") .arg("--ctypes-prefix=::libc") + .arg("--raw-line=use libc::*;") .arg("--no-derive-default") .arg("--enable-function-attribute-detection") .arg("--default-macro-constant-type=signed") .arg("--rustified-enum=point_conversion_form_t") .arg("--allowlist-file=.*/openssl/[^/]+\\.h") + .arg("--no-recursive-allowlist") + .arg("--blocklist-function=BIO_vsnprintf") + .arg("--blocklist-function=OPENSSL_vasprintf") .arg("--experimental") .arg("--wrap-static-fns") .arg("--wrap-static-fns-path") diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index c3084755cc..5a65e8b349 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -10,6 +10,7 @@ overflowing_literals, unused_imports )] +#![cfg_attr(feature = "unstable_boringssl", allow(ambiguous_glob_reexports))] #![doc(html_root_url = "https://docs.rs/openssl-sys/0.9")] #![recursion_limit = "128"] // configure fixed limit across all rust versions From e476f9a08a40c1cde55950f26f1e5203c51d0889 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Sun, 4 Jun 2023 13:15:22 -0400 Subject: [PATCH 02/25] Honor OPENSSL_NO_OCB if OpenSSL was built this way Setting ossl110 in the BoringSSL build (see #1944) causes rust-openssl to expect OCB support. However, OpenSSL already has a feature guard for OCB, which BoringSSL sets. rust-openssl just isn't honoring it. This fixes building against an OpenSSL built with ./config no-ocb --- openssl-sys/build/expando.c | 4 ++++ openssl/src/symm.rs | 14 +++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index 54681a0b95..5d003d9022 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -75,6 +75,10 @@ RUST_CONF_OPENSSL_NO_NEXTPROTONEG RUST_CONF_OPENSSL_NO_OCSP #endif +#ifdef OPENSSL_NO_OCB +RUST_CONF_OPENSSL_NO_OCB +#endif + #ifdef OPENSSL_NO_PSK RUST_CONF_OPENSSL_NO_PSK #endif diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 611080805f..8da341f7f6 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -142,7 +142,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_128_ocb() -> Cipher { unsafe { Cipher(ffi::EVP_aes_128_ocb()) } } @@ -187,7 +187,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_192_ocb() -> Cipher { unsafe { Cipher(ffi::EVP_aes_192_ocb()) } } @@ -237,7 +237,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_256_ocb() -> Cipher { unsafe { Cipher(ffi::EVP_aes_256_ocb()) } } @@ -402,14 +402,14 @@ impl Cipher { } /// Determines whether the cipher is using OCB mode - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] fn is_ocb(self) -> bool { self == Cipher::aes_128_ocb() || self == Cipher::aes_192_ocb() || self == Cipher::aes_256_ocb() } - #[cfg(not(ossl110))] + #[cfg(any(not(ossl110), osslconf = "OPENSSL_NO_OCB"))] const fn is_ocb(self) -> bool { false } @@ -1422,7 +1422,7 @@ mod tests { } #[test] - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] fn test_aes_128_ocb() { let key = "000102030405060708090a0b0c0d0e0f"; let aad = "0001020304050607"; @@ -1458,7 +1458,7 @@ mod tests { } #[test] - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] fn test_aes_128_ocb_fail() { let key = "000102030405060708090a0b0c0d0e0f"; let aad = "0001020304050607"; From 5283d7c994541a99bab9b33f809bd662a5aa47a7 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Sat, 3 Jun 2023 11:44:10 -0400 Subject: [PATCH 03/25] Fix some deprecated patterns when using BoringSSL The RSA and DSA changes will be needed to avoid build breakage soon. The others are mostly tidying up. There's another place around BIO that we'd ideally also switch over, but that depends on resolving the __fixed_rust mess first. This addresses a symptom of #1944, but not the root cause. --- openssl/src/asn1.rs | 2 +- openssl/src/dsa.rs | 5 +++-- openssl/src/ecdsa.rs | 2 +- openssl/src/hash.rs | 2 +- openssl/src/md_ctx.rs | 2 +- openssl/src/rsa.rs | 2 +- 6 files changed, 8 insertions(+), 7 deletions(-) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 0e720ae0b3..801310d411 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -738,7 +738,7 @@ impl fmt::Debug for Asn1ObjectRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::ASN1_STRING_get0_data; } else { #[allow(bad_style)] diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index 1463ee4115..1a63e8ad8f 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -7,6 +7,7 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; +#[cfg(not(boringssl))] use libc::c_int; use std::fmt; use std::mem; @@ -314,7 +315,7 @@ impl fmt::Debug for Dsa { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{DSA_get0_key, DSA_get0_pqg, DSA_set0_key, DSA_set0_pqg}; } else { #[allow(bad_style)] @@ -493,7 +494,7 @@ impl DsaSigRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{DSA_SIG_set0, DSA_SIG_get0}; } else { #[allow(bad_style)] diff --git a/openssl/src/ecdsa.rs b/openssl/src/ecdsa.rs index 0a960e7b9e..f3b27b3953 100644 --- a/openssl/src/ecdsa.rs +++ b/openssl/src/ecdsa.rs @@ -110,7 +110,7 @@ impl EcdsaSigRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{ECDSA_SIG_set0, ECDSA_SIG_get0}; } else { #[allow(bad_style)] diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 37442fb274..52d73deed4 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -43,7 +43,7 @@ use crate::nid::Nid; use crate::{cvt, cvt_p}; cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, boringssl))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; diff --git a/openssl/src/md_ctx.rs b/openssl/src/md_ctx.rs index c4d3f06b94..156f3c2fc9 100644 --- a/openssl/src/md_ctx.rs +++ b/openssl/src/md_ctx.rs @@ -93,7 +93,7 @@ use std::convert::TryFrom; use std::ptr; cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, boringssl))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; diff --git a/openssl/src/rsa.rs b/openssl/src/rsa.rs index 68cf64b036..f155b12dfe 100644 --- a/openssl/src/rsa.rs +++ b/openssl/src/rsa.rs @@ -581,7 +581,7 @@ impl fmt::Debug for Rsa { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{ RSA_get0_key, RSA_get0_factors, RSA_get0_crt_params, RSA_set0_key, RSA_set0_factors, RSA_set0_crt_params, From a3b6cb5fdc7df2754ab9a5d3f4039e469e42d332 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 4 Jun 2023 08:55:49 +0800 Subject: [PATCH 04/25] add get_asn1_flag to EcGroupRef --- openssl-sys/src/handwritten/ec.rs | 2 ++ openssl/src/ec.rs | 13 +++++++++++++ 2 files changed, 15 insertions(+) diff --git a/openssl-sys/src/handwritten/ec.rs b/openssl-sys/src/handwritten/ec.rs index 6ee475f327..ec781a715a 100644 --- a/openssl-sys/src/handwritten/ec.rs +++ b/openssl-sys/src/handwritten/ec.rs @@ -46,6 +46,8 @@ extern "C" { pub fn EC_GROUP_set_asn1_flag(key: *mut EC_GROUP, flag: c_int); + pub fn EC_GROUP_get_asn1_flag(group: *const EC_GROUP) -> c_int; + pub fn EC_GROUP_get_curve_GFp( group: *const EC_GROUP, p: *mut BIGNUM, diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 248ced3e41..55523fee0a 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -294,6 +294,12 @@ impl EcGroupRef { } } + /// Gets the flag determining if the group corresponds to a named curve. + #[corresponds(EC_GROUP_get_asn1_flag)] + pub fn get_asn1_flag(&mut self) -> Asn1Flag { + unsafe { Asn1Flag(ffi::EC_GROUP_get_asn1_flag(self.as_ptr())) } + } + /// Returns the name of the curve, if a name is associated. #[corresponds(EC_GROUP_get_curve_name)] pub fn curve_name(&self) -> Option { @@ -1265,4 +1271,11 @@ mod test { let group2 = EcGroup::from_curve_name(Nid::X9_62_PRIME239V3).unwrap(); assert!(!g.is_on_curve(&group2, &mut ctx).unwrap()); } + + #[test] + fn get_flags() { + let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let flag = group.get_asn1_flag(); + assert_eq!(flag.0, Asn1Flag::NAMED_CURVE.0); + } } From faae7bb9ad7d569e16b7d21295d813dd4672ef07 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 4 Jun 2023 12:33:47 +0800 Subject: [PATCH 05/25] rename and test on openssl 1.1.0+ --- openssl/src/ec.rs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 55523fee0a..d6ef049101 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -296,7 +296,7 @@ impl EcGroupRef { /// Gets the flag determining if the group corresponds to a named curve. #[corresponds(EC_GROUP_get_asn1_flag)] - pub fn get_asn1_flag(&mut self) -> Asn1Flag { + pub fn asn1_flag(&mut self) -> Asn1Flag { unsafe { Asn1Flag(ffi::EC_GROUP_get_asn1_flag(self.as_ptr())) } } @@ -1273,9 +1273,10 @@ mod test { } #[test] - fn get_flags() { + #[cfg(not(any(ossl102, ossl101)))] + fn asn1_flag() { let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); - let flag = group.get_asn1_flag(); + let flag = group.asn1_flag(); assert_eq!(flag.0, Asn1Flag::NAMED_CURVE.0); } } From 38a54607ad8901819fa8292f69757b51ce59e8d9 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 07:08:20 +0800 Subject: [PATCH 06/25] partialeq on asn1flag --- openssl/src/ec.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index d6ef049101..446697f527 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -57,7 +57,7 @@ impl PointConversionForm { /// Named Curve or Explicit /// /// This type acts as a boolean as to whether the `EcGroup` is named or explicit. -#[derive(Copy, Clone)] +#[derive(Copy, Clone, PartialEq)] pub struct Asn1Flag(c_int); impl Asn1Flag { @@ -1277,6 +1277,6 @@ mod test { fn asn1_flag() { let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let flag = group.asn1_flag(); - assert_eq!(flag.0, Asn1Flag::NAMED_CURVE.0); + assert_eq!(flag, Asn1Flag::NAMED_CURVE); } } From 37966b326fd417142f912f18dd67ad3e27bac570 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 07:20:20 +0800 Subject: [PATCH 07/25] fix test target configs, add debug derive --- openssl/src/ec.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 446697f527..22d6d1888d 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -57,7 +57,7 @@ impl PointConversionForm { /// Named Curve or Explicit /// /// This type acts as a boolean as to whether the `EcGroup` is named or explicit. -#[derive(Copy, Clone, PartialEq)] +#[derive(Copy, Clone, Debug, PartialEq)] pub struct Asn1Flag(c_int); impl Asn1Flag { @@ -1273,7 +1273,7 @@ mod test { } #[test] - #[cfg(not(any(ossl102, ossl101)))] + #[cfg(any(boringssl, ossl111, libressl350))] fn asn1_flag() { let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let flag = group.asn1_flag(); From d52ac4e4f08b4d0c4d1b2d181d6baee3f042e972 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 4 Jun 2023 19:42:34 -0400 Subject: [PATCH 08/25] Fixed type mutability on asn1_flag --- openssl/src/ec.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 22d6d1888d..6993e4edda 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -296,7 +296,7 @@ impl EcGroupRef { /// Gets the flag determining if the group corresponds to a named curve. #[corresponds(EC_GROUP_get_asn1_flag)] - pub fn asn1_flag(&mut self) -> Asn1Flag { + pub fn asn1_flag(&self) -> Asn1Flag { unsafe { Asn1Flag(ffi::EC_GROUP_get_asn1_flag(self.as_ptr())) } } From 1b9fba4e782affd312f9c9ad6f80d57eb8a82be1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 4 Jun 2023 19:47:47 -0400 Subject: [PATCH 09/25] Update ec.rs --- openssl/src/ec.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 6993e4edda..5310564ecc 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -1275,7 +1275,7 @@ mod test { #[test] #[cfg(any(boringssl, ossl111, libressl350))] fn asn1_flag() { - let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let flag = group.asn1_flag(); assert_eq!(flag, Asn1Flag::NAMED_CURVE); } From 7b18e903c6c1a0adc09b0eb7ea1876fad70fbe37 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 08:19:17 +0800 Subject: [PATCH 10/25] allow affine_coordinates on boring and libre --- openssl-sys/src/handwritten/ec.rs | 2 +- openssl/src/ec.rs | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl-sys/src/handwritten/ec.rs b/openssl-sys/src/handwritten/ec.rs index ec781a715a..182a5559a3 100644 --- a/openssl-sys/src/handwritten/ec.rs +++ b/openssl-sys/src/handwritten/ec.rs @@ -101,7 +101,7 @@ extern "C" { pub fn EC_POINT_dup(p: *const EC_POINT, group: *const EC_GROUP) -> *mut EC_POINT; - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl, libressl350))] pub fn EC_POINT_get_affine_coordinates( group: *const EC_GROUP, p: *const EC_POINT, diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 5310564ecc..b648aec334 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -491,7 +491,7 @@ impl EcPointRef { /// Places affine coordinates of a curve over a prime field in the provided /// `x` and `y` `BigNum`s. #[corresponds(EC_POINT_get_affine_coordinates)] - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl, libressl350))] pub fn affine_coordinates( &self, group: &EcGroupRef, @@ -1197,7 +1197,7 @@ mod test { assert!(ec_key.check_key().is_ok()); } - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl, libressl350))] #[test] fn get_affine_coordinates() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); From f783cbe145cc084a160e478dfe1fb9dc50dcdcab Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 09:27:04 +0800 Subject: [PATCH 11/25] add support for EVP_PKEY_derive_set_peer_ex in OpenSSL 3 via Deriver::set_peer_ex --- openssl-sys/src/handwritten/evp.rs | 6 +++++ openssl/src/derive.rs | 38 ++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index db018e9a42..4041d8b671 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -522,6 +522,12 @@ extern "C" { pub fn EVP_PKEY_derive_init(ctx: *mut EVP_PKEY_CTX) -> c_int; pub fn EVP_PKEY_derive_set_peer(ctx: *mut EVP_PKEY_CTX, peer: *mut EVP_PKEY) -> c_int; + #[cfg(ossl300)] + pub fn EVP_PKEY_derive_set_peer_ex( + ctx: *mut EVP_PKEY_CTX, + peer: *mut EVP_PKEY, + validate_peer: c_int, + ) -> c_int; pub fn EVP_PKEY_derive(ctx: *mut EVP_PKEY_CTX, key: *mut c_uchar, size: *mut size_t) -> c_int; #[cfg(ossl300)] diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index 5d422f6976..ef1f61424d 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -93,6 +93,30 @@ impl<'a> Deriver<'a> { unsafe { cvt(ffi::EVP_PKEY_derive_set_peer(self.0, key.as_ptr())).map(|_| ()) } } + /// Sets the peer key used for secret derivation along with optionally validating the peer public key. + /// + /// This corresponds to [`EVP_PKEY_derive_set_peer_ex`]: + /// + /// [`EVP_PKEY_derive_set_peer_ex`]: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_derive_set_peer_ex.html + #[cfg(ossl300)] + pub fn set_peer_ex( + &mut self, + key: &'a PKeyRef, + validate_peer: bool, + ) -> Result<(), ErrorStack> + where + T: HasPublic, + { + unsafe { + cvt(ffi::EVP_PKEY_derive_set_peer_ex( + self.0, + key.as_ptr(), + validate_peer as i32, + )) + .map(|_| ()) + } + } + /// Returns the size of the shared secret. /// /// It can be used to size the buffer passed to [`Deriver::derive`]. @@ -179,4 +203,18 @@ mod test { let shared = deriver.derive_to_vec().unwrap(); assert!(!shared.is_empty()); } + + #[test] + #[cfg(ossl300)] + fn test_ec_key_derive_ex() { + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let ec_key = EcKey::generate(&group).unwrap(); + let ec_key2 = EcKey::generate(&group).unwrap(); + let pkey = PKey::from_ec_key(ec_key).unwrap(); + let pkey2 = PKey::from_ec_key(ec_key2).unwrap(); + let mut deriver = Deriver::new(&pkey).unwrap(); + deriver.set_peer_ex(&pkey2, true).unwrap(); + let shared = deriver.derive_to_vec().unwrap(); + assert!(!shared.is_empty()); + } } From 45e4fc23c8a68685ce076ead1ab01f21970633c0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 08:26:57 +0800 Subject: [PATCH 12/25] Update openssl/src/derive.rs Co-authored-by: Steven Fackler --- openssl/src/derive.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index ef1f61424d..e5ecaadbc2 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -95,9 +95,8 @@ impl<'a> Deriver<'a> { /// Sets the peer key used for secret derivation along with optionally validating the peer public key. /// - /// This corresponds to [`EVP_PKEY_derive_set_peer_ex`]: - /// - /// [`EVP_PKEY_derive_set_peer_ex`]: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_derive_set_peer_ex.html + /// Requires OpenSSL 3.0.0 or newer. + #[corresponds(EVP_PKEY_derive_set_peer_ex)] #[cfg(ossl300)] pub fn set_peer_ex( &mut self, From 50ac347ad63974857e57742c8fcebeb6c9e9e59e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 10:07:06 +0800 Subject: [PATCH 13/25] add missing import --- openssl/src/derive.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index e5ecaadbc2..bfb85a6aba 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -56,6 +56,7 @@ use std::ptr; use crate::error::ErrorStack; use crate::pkey::{HasPrivate, HasPublic, PKeyRef}; use crate::{cvt, cvt_p}; +use openssl_macros::corresponds; /// A type used to derive a shared secret between two keys. pub struct Deriver<'a>(*mut ffi::EVP_PKEY_CTX, PhantomData<&'a ()>); From 87f1a1a1e8c5089de2810c358204a1822ea0b1ed Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 10:14:58 +0800 Subject: [PATCH 14/25] add another corresponds to avoid warnings about no use --- openssl/src/derive.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index bfb85a6aba..c62b902161 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -87,6 +87,7 @@ impl<'a> Deriver<'a> { /// This corresponds to [`EVP_PKEY_derive_set_peer`]: /// /// [`EVP_PKEY_derive_set_peer`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html + #[corresponds(EVP_PKEY_derive_set_peer)] pub fn set_peer(&mut self, key: &'a PKeyRef) -> Result<(), ErrorStack> where T: HasPublic, From 2604033874debae65cad42ecef47613f6a147e85 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 10:21:03 +0800 Subject: [PATCH 15/25] remove outdated comment --- openssl/src/derive.rs | 4 ---- 1 file changed, 4 deletions(-) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index c62b902161..424c5f92d7 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -83,10 +83,6 @@ impl<'a> Deriver<'a> { } /// Sets the peer key used for secret derivation. - /// - /// This corresponds to [`EVP_PKEY_derive_set_peer`]: - /// - /// [`EVP_PKEY_derive_set_peer`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html #[corresponds(EVP_PKEY_derive_set_peer)] pub fn set_peer(&mut self, key: &'a PKeyRef) -> Result<(), ErrorStack> where From c2f4d5875aaac9b4748a6734fb20af044d408c7b Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Thu, 8 Jun 2023 12:45:21 -0400 Subject: [PATCH 16/25] Use type-safe wrappers instead of EVP_PKEY_assign In OpenSSL, these are macros, so they didn't get imported by bindgen, but they're proper functions in BoringSSL and we'd prefer callers use those for safety. For OpenSSL, just add the corresponding functions in openssl-sys, matching how rust-openssl handles EVP_PKEY_CTX_ctrl. Using the type-safe wrappers flags that rust-openssl was trying to convert DH to EVP_PKEY, but BoringSSL doesn't actually support this. (DH is a legacy primitive, so we haven't routed it to EVP_PKEY right now.) --- openssl-sys/src/evp.rs | 16 ++++++++++++++++ openssl/src/pkey.rs | 26 ++++++-------------------- 2 files changed, 22 insertions(+), 20 deletions(-) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 72ca2434fc..07fae49eb5 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -285,3 +285,19 @@ pub unsafe fn EVP_PKEY_CTX_add1_hkdf_info( info as *mut c_void, ) } + +pub unsafe fn EVP_PKEY_assign_RSA(pkey: *mut EVP_PKEY, rsa: *mut RSA) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_RSA, rsa as *mut c_void) +} + +pub unsafe fn EVP_PKEY_assign_DSA(pkey: *mut EVP_PKEY, dsa: *mut DSA) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_DSA, dsa as *mut c_void) +} + +pub unsafe fn EVP_PKEY_assign_DH(pkey: *mut EVP_PKEY, dh: *mut DH) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_DH, dh as *mut c_void) +} + +pub unsafe fn EVP_PKEY_assign_EC_KEY(pkey: *mut EVP_PKEY, ec_key: *mut EC_KEY) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_EC, ec_key as *mut c_void) +} diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index af41421768..130024da3d 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -406,11 +406,7 @@ impl PKey { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_RSA, - rsa.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_RSA(pkey.0, rsa.as_ptr()))?; mem::forget(rsa); Ok(pkey) } @@ -422,11 +418,7 @@ impl PKey { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_DSA, - dsa.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_DSA(pkey.0, dsa.as_ptr()))?; mem::forget(dsa); Ok(pkey) } @@ -434,15 +426,12 @@ impl PKey { /// Creates a new `PKey` containing a Diffie-Hellman key. #[corresponds(EVP_PKEY_assign_DH)] + #[cfg(not(boringssl))] pub fn from_dh(dh: Dh) -> Result, ErrorStack> { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_DH, - dh.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_DH(pkey.0, dh.as_ptr()))?; mem::forget(dh); Ok(pkey) } @@ -454,11 +443,7 @@ impl PKey { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_EC, - ec_key.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_EC_KEY(pkey.0, ec_key.as_ptr()))?; mem::forget(ec_key); Ok(pkey) } @@ -861,6 +846,7 @@ impl TryFrom> for Dsa { } } +#[cfg(not(boringssl))] impl TryFrom> for PKey { type Error = ErrorStack; From 7c0f0a79d98608c7570baa25a379e7f312453c06 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Wed, 14 Jun 2023 10:24:00 +0800 Subject: [PATCH 17/25] add NID SM2 --- openssl-sys/src/obj_mac.rs | 2 ++ openssl/src/nid.rs | 2 ++ 2 files changed, 4 insertions(+) diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 22bfccba3f..6ae48834b5 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -935,6 +935,8 @@ pub const NID_ED25519: c_int = 952; #[cfg(ossl111)] pub const NID_ED448: c_int = 1088; #[cfg(ossl111)] +pub const NID_sm2: c_int = 1172; +#[cfg(ossl111)] pub const NID_sm3: c_int = 1143; #[cfg(libressl291)] pub const NID_sm3: c_int = 968; diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index c8c60885f1..91fcdeca9d 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -1074,6 +1074,8 @@ impl Nid { pub const AES_128_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_128_cbc_hmac_sha1); pub const AES_192_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_192_cbc_hmac_sha1); pub const AES_256_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_256_cbc_hmac_sha1); + #[cfg(ossl111)] + pub const SM2: Nid = Nid(ffi::NID_sm2); #[cfg(any(ossl111, libressl291))] pub const SM3: Nid = Nid(ffi::NID_sm3); #[cfg(ossl111)] From 9840b534e0996e39cde8ac5faedf81b68f3d2c3a Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Wed, 14 Jun 2023 10:34:58 +0800 Subject: [PATCH 18/25] add pkey Id SM2 --- openssl-sys/src/evp.rs | 2 ++ openssl/src/pkey.rs | 2 ++ 2 files changed, 4 insertions(+) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 07fae49eb5..56eaa4bbff 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -10,6 +10,8 @@ pub const EVP_PKEY_RSA: c_int = NID_rsaEncryption; pub const EVP_PKEY_DSA: c_int = NID_dsa; pub const EVP_PKEY_DH: c_int = NID_dhKeyAgreement; pub const EVP_PKEY_EC: c_int = NID_X9_62_id_ecPublicKey; +#[cfg(ossl111)] +pub const EVP_PKEY_SM2: c_int = NID_sm2; #[cfg(any(ossl111, libressl370))] pub const EVP_PKEY_X25519: c_int = NID_X25519; #[cfg(any(ossl111, libressl370))] diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 130024da3d..453aeed72f 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -85,6 +85,8 @@ impl Id { pub const DSA: Id = Id(ffi::EVP_PKEY_DSA); pub const DH: Id = Id(ffi::EVP_PKEY_DH); pub const EC: Id = Id(ffi::EVP_PKEY_EC); + #[cfg(ossl111)] + pub const SM2: Id = Id(ffi::EVP_PKEY_SM2); #[cfg(any(ossl110, boringssl))] pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); From fb5ae60cbb1dbbb2e34d47e113b25bc31f4acc37 Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:16:03 +0700 Subject: [PATCH 19/25] clippy: remove unused allow attributes --- openssl-sys/build/cfgs.rs | 1 + openssl-sys/build/main.rs | 9 +-------- openssl-sys/src/lib.rs | 4 ---- 3 files changed, 2 insertions(+), 12 deletions(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index f09ec29b53..2f3ff3eafd 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -1,3 +1,4 @@ +#[allow(clippy::unusual_byte_groupings)] pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<&'static str> { let mut cfgs = vec![]; diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 1762068d75..306482d1a8 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -1,9 +1,3 @@ -#![allow( - clippy::inconsistent_digit_grouping, - clippy::uninlined_format_args, - clippy::unusual_byte_groupings -)] - #[cfg(feature = "bindgen")] extern crate bindgen; extern crate cc; @@ -131,7 +125,6 @@ fn main() { } } -#[allow(clippy::let_and_return)] fn postprocess(include_dirs: &[PathBuf]) -> Version { let version = validate_headers(include_dirs); @@ -146,7 +139,7 @@ fn postprocess(include_dirs: &[PathBuf]) -> Version { /// Validates the header files found in `include_dir` and then returns the /// version string of OpenSSL. -#[allow(clippy::manual_strip)] // we need to support pre-1.45.0 +#[allow(clippy::unusual_byte_groupings)] fn validate_headers(include_dirs: &[PathBuf]) -> Version { // This `*-sys` crate only works with OpenSSL 1.0.1, 1.0.2, 1.1.0, 1.1.1 and 3.0.0. // To correctly expose the right API from this crate, take a look at diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 5a65e8b349..784b7637e1 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -1,13 +1,9 @@ #![allow( clippy::missing_safety_doc, - clippy::unreadable_literal, - clippy::uninlined_format_args, - clippy::upper_case_acronyms, dead_code, non_camel_case_types, non_snake_case, non_upper_case_globals, - overflowing_literals, unused_imports )] #![cfg_attr(feature = "unstable_boringssl", allow(ambiguous_glob_reexports))] From b1e16e927622b8c044f88de802523dead0b0ec5e Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:17:07 +0700 Subject: [PATCH 20/25] clippy: use strip_prefix instead of manually strip --- openssl-sys/build/main.rs | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 306482d1a8..6fb8c3ed82 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -203,17 +203,14 @@ See rust-openssl documentation for more information: let libressl_prefix = "RUST_VERSION_LIBRESSL_"; let boringsl_prefix = "RUST_OPENSSL_IS_BORINGSSL"; let conf_prefix = "RUST_CONF_"; - if line.starts_with(openssl_prefix) { - let version = &line[openssl_prefix.len()..]; + if let Some(version) = line.strip_prefix(openssl_prefix) { openssl_version = Some(parse_version(version)); - } else if line.starts_with(new_openssl_prefix) { - let version = &line[new_openssl_prefix.len()..]; + } else if let Some(version) = line.strip_prefix(new_openssl_prefix) { openssl_version = Some(parse_new_version(version)); - } else if line.starts_with(libressl_prefix) { - let version = &line[libressl_prefix.len()..]; + } else if let Some(version) = line.strip_prefix(libressl_prefix) { libressl_version = Some(parse_version(version)); - } else if line.starts_with(conf_prefix) { - enabled.push(&line[conf_prefix.len()..]); + } else if let Some(conf) = line.strip_prefix(conf_prefix) { + enabled.push(conf); } else if line.starts_with(boringsl_prefix) { is_boringssl = true; } From 8587ff88431fc9ef495eda1b5bcfab4d310ef3cd Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:18:11 +0700 Subject: [PATCH 21/25] chore: use pre-existing clean APIs instead --- openssl-sys/build/main.rs | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 6fb8c3ed82..3359165a33 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -155,9 +155,7 @@ fn validate_headers(include_dirs: &[PathBuf]) -> Version { // account for compile differences and such. println!("cargo:rerun-if-changed=build/expando.c"); let mut gcc = cc::Build::new(); - for include_dir in include_dirs { - gcc.include(include_dir); - } + gcc.includes(include_dirs); let expanded = match gcc.file("build/expando.c").try_expand() { Ok(expanded) => expanded, Err(e) => { @@ -326,18 +324,13 @@ due to this version mismatch. } // parses a string that looks like "0x100020cfL" -#[allow(deprecated)] // trim_right_matches is now trim_end_matches -#[allow(clippy::match_like_matches_macro)] // matches macro requires rust 1.42.0 fn parse_version(version: &str) -> u64 { // cut off the 0x prefix assert!(version.starts_with("0x")); let version = &version[2..]; // and the type specifier suffix - let version = version.trim_right_matches(|c: char| match c { - '0'..='9' | 'a'..='f' | 'A'..='F' => false, - _ => true, - }); + let version = version.trim_end_matches(|c: char| !c.is_ascii_hexdigit()); u64::from_str_radix(version, 16).unwrap() } From 8ab3c3f3a8e6102b734d849132aaeb9728cec669 Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:22:34 +0700 Subject: [PATCH 22/25] update min-version passed to bindgen --- .github/workflows/ci.yml | 1 + openssl-sys/build/run_bindgen.rs | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 75117ffab8..33c352cd2c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -59,6 +59,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + # Remember to also update `--rust-target` in `openssl-sys/build/run_bindgen.rs` - uses: sfackler/actions/rustup@master with: version: 1.56.0 diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 87b748f23b..6743403161 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -167,7 +167,7 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { bindgen_cmd .arg("-o") .arg(out_dir.join("bindgen.rs")) - .arg("--rust-target=1.47") + .arg("--rust-target=1.56") .arg("--ctypes-prefix=::libc") .arg("--raw-line=use libc::*;") .arg("--no-derive-default") From 978435639b0e1a93a953a7f211216c33aaedc450 Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:33:56 +0700 Subject: [PATCH 23/25] chore: simplify cfg attributes --- openssl/src/ssl/mod.rs | 4 ++-- openssl/src/ssl/test/mod.rs | 2 +- openssl/src/symm.rs | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 0feaced213..27e817f307 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -599,7 +599,7 @@ impl AlpnError { /// Terminate the handshake with a fatal alert. /// /// Requires OpenSSL 1.1.0 or newer. - #[cfg(any(ossl110))] + #[cfg(ossl110)] pub const ALERT_FATAL: AlpnError = AlpnError(ffi::SSL_TLSEXT_ERR_ALERT_FATAL); /// Do not select a protocol, but continue the handshake. @@ -2413,7 +2413,7 @@ impl SslRef { /// /// Requires OpenSSL 1.0.1 or 1.0.2. #[corresponds(SSL_set_tmp_ecdh_callback)] - #[cfg(any(all(ossl101, not(ossl110))))] + #[cfg(all(ossl101, not(ossl110)))] #[deprecated(note = "this function leaks memory and does not exist on newer OpenSSL versions")] pub fn set_tmp_ecdh_callback(&mut self, callback: F) where diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 39cc054df2..7707af238f 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -467,7 +467,7 @@ fn test_alpn_server_advertise_multiple() { } #[test] -#[cfg(any(ossl110))] +#[cfg(ossl110)] fn test_alpn_server_select_none_fatal() { let mut server = Server::builder(); server.ctx().set_alpn_select_callback(|_, client| { diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 8da341f7f6..c1dbdfee7b 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -1478,7 +1478,7 @@ mod tests { } #[test] - #[cfg(any(ossl110))] + #[cfg(ossl110)] fn test_chacha20() { let key = "0000000000000000000000000000000000000000000000000000000000000000"; let iv = "00000000000000000000000000000000"; @@ -1493,7 +1493,7 @@ mod tests { } #[test] - #[cfg(any(ossl110))] + #[cfg(ossl110)] fn test_chacha20_poly1305() { let key = "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"; let iv = "070000004041424344454647"; From 155b3dc71700d2ff31651bbc99b991765a718c4e Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 19 Jun 2023 13:10:09 -0400 Subject: [PATCH 24/25] Fix handling of empty host strings --- openssl/src/x509/verify.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index b0e22ef462..e8481c551c 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -120,9 +120,11 @@ impl X509VerifyParamRef { #[corresponds(X509_VERIFY_PARAM_set1_host)] pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> { unsafe { + // len == 0 means "run strlen" :( + let raw_host = if host.is_empty() { "\0" } else { host }; cvt(ffi::X509_VERIFY_PARAM_set1_host( self.as_ptr(), - host.as_ptr() as *const _, + raw_host.as_ptr() as *const _, host.len(), )) .map(|_| ()) From 983b9e210ac27895a39e0ed11a407b7936192313 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 20 Jun 2023 16:25:18 -0400 Subject: [PATCH 25/25] Release openssl v0.10.55 and openssl-sys v0.9.89 --- openssl-sys/CHANGELOG.md | 18 +++++++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 18 +++++++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 37 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 48029f8aab..13c3f32a6c 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,21 @@ ## [Unreleased] +## [v0.9.89] - 2023-06-20 + +### Fixed + +* Fixed compilation with recent versions of BoringSSL. + +### Added + +* Added support for detecting OpenSSL compiled with `OPENSSL_NO_OCB`. +* Added `EVP_PKEY_SM2` and `NID_sm2`. +* Added `EVP_PKEY_assign_RSA`, `EVP_PKEY_assign_DSA`, `EVP_PKEY_assign_DH`, and `EVP_PKEY_assign_EC_KEY`. +* Added `EC_GROUP_get_asn1_flag`. +* Expose `EC_POINT_get_affine_coordinates` on BoringSSL and LibreSSL. +* Added `EVP_PKEY_derive_set_peer_ex`. + ## [v0.9.88] - 2023-05-30 ### Added @@ -458,7 +473,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.89..master +[v0.9.89]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88...openssl-sys-v0.9.89 [v0.9.88]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87...openssl-sys-v0.9.88 [v0.9.87]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86...openssl-sys-v0.9.87 [v0.9.86]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.86 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 7589a3ca0e..0c261c5719 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.88" +version = "0.9.89" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 29af6ca816..a0622ecccd 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,21 @@ ## [Unreleased] +## [v0.10.55] - 2023-06-20 + +### Fixed + +* Fixed compilation with the latest version of BoringSSL. +* Fixed compilation when OpenSSL is compiled with `OPENSSL_NO_OCB`. +* Fixed a segfault in `X509VerifyParamRef::set_host` when called with an empty string. + +### Added + +* Added `Deriver::set_peer_ex`. +* Added `EcGroupRef::asn1_flag`. +* Exposed `EcPointRef::affine_coordinates` on BoringSSL and LibreSSL. +* Added `Nid::SM2` and `Id::SM2` + ## [v0.10.54] - 2023-05-31 ### Fixed @@ -761,7 +776,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...master +[v0.10.55]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...openssl-v0.10.55 [v0.10.54]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...openssl-v0.10.54 [v0.10.53]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 [v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...openssl-v0.10.52 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index c4367cd4c6..956d08cf9e 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.54" +version = "0.10.55" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.88", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.89", path = "../openssl-sys" } [dev-dependencies] hex = "0.3"