diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dcdd28f32a..724c125cea 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -154,14 +154,17 @@ jobs: - false library: - name: boringssl - version: bcecc7d834fc44ad257b2f23f88e1cf597ab2736 + version: 8d71d244c0debac4079beeb02b5802fde59b94bd - name: openssl version: vendored - name: openssl - version: 3.1.2 + version: 3.2.0-beta1 dl-path: / - name: openssl - version: 1.1.1v + version: 3.1.4 + dl-path: / + - name: openssl + version: 1.1.1w dl-path: / - name: openssl version: 1.1.0l @@ -202,7 +205,7 @@ jobs: bindgen: false library: name: libressl - version: 3.8.0 + version: 3.8.1 name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} runs-on: ubuntu-latest env: @@ -236,7 +239,7 @@ jobs: - uses: actions/cache@v3 with: path: /opt/openssl - key: openssl-${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-2 + key: openssl-${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-6 if: matrix.library.version != 'vendored' id: openssl-cache - run: | @@ -310,11 +313,8 @@ jobs: make install # Copy stuff around so it's all as the build system expects. - cp -r rust/ "$OPENSSL_DIR/rust" - mkdir -p "$OPENSSL_DIR/crypto/" - mkdir -p "$OPENSSL_DIR/ssl/" - cp "$OPENSSL_DIR/lib/libcrypto.a" "$OPENSSL_DIR/crypto/" - cp "$OPENSSL_DIR/lib/libssl.a" "$OPENSSL_DIR/ssl/" + cp -r ../rust/ "$OPENSSL_DIR/rust" + cp -r ./ "$OPENSSL_DIR/build" esac if: matrix.library.version != 'vendored' && !steps.openssl-cache.outputs.cache-hit @@ -353,6 +353,7 @@ jobs: run: | if [[ "${{ matrix.library.name }}" == "boringssl" && "${{ matrix.bindgen }}" != "true" ]]; then features="--features unstable_boringssl" + BORINGSSL_BUILD_DIR="$OPENSSL_DIR/build/" fi if [[ "${{ matrix.library.version }}" == "vendored" ]]; then features="--features vendored" 
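Review bot: `BORINGSSL_BUILD_DIR="$OPENSSL_DIR/build/"` in the @@ -353 hunk is a plain shell assignment, so unless a later line of the same step (outside this hunk) exports it or puts it on the cargo command line, whatever build script reads it never sees the value; `export BORINGSSL_BUILD_DIR="$OPENSSL_DIR/build/"` or a step-level `env:` entry would make it reach the build. The neighbouring `features=` variable is different: it is expanded by the script itself, presumably in the cargo invocation further down, so it needs no export. The `run:` block starts and ends outside the hunk.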
diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 9166bd5aca..b8120733f6 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,30 @@ ## [Unreleased] +## [v0.9.94] - 2023-11-01 + +### Changed + +* `X509_ALGOR` is now opaque on new LibreSSL releases + +### Added + +* Added support for building with `OPENSSL_NO_SCRYPT` +* Added `EVP_PKEY_RSA_PSS` and `EVP_PKEY_DHX` +* Functions and constants for using HKDF `EVP_PKEY` are now available on LibreSSL. +* Added `SSL_CTX_set_security_level`, `SSL_set_security_level`, `SSL_CTX_get_security_level`, `SSL_get_security_level` +* Added `X509_check_host`, `X509_check_email`, `X509_check_ip`, `X509_check_ip_asc` + +## [v0.9.93] - 2023-09-04 + +### Changed + +* The `vendored` Cargo feature now builds OpenSSL 3.1, as 1.1.1 is reaching its EOL. + +### Added + +* Added support for LibreSSL 3.8.1. + ## [v0.9.92] - 2023-08-27 ### Added @@ -498,7 +522,9 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.92..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.94..master +[v0.9.93]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.93...openssl-sys-v0.9.94 +[v0.9.93]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.92...openssl-sys-v0.9.93 [v0.9.92]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.91...openssl-sys-v0.9.92 [v0.9.91]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.90...openssl-sys-v0.9.91 [v0.9.90]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.89...openssl-sys-v0.9.90 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 98a7c793be..980f41e92c 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml 
@@ -1,6 +1,6 @@
 [package]
 name = "openssl-sys"
-version = "0.9.92"
+version = "0.9.94"
 authors = [
 "Alex Crichton ",
 "Steven Fackler ",
@@ -25,7 +25,7 @@ bssl-sys = { version = "0.1.0", optional = true }
 [build-dependencies]
 bindgen = { version = "0.64.0", optional = true, features = ["experimental"] }
 cc = "1.0.61"
-openssl-src = { version = "111", optional = true }
+openssl-src = { version = "300.1.2", optional = true, features = ["legacy"] }
 pkg-config = "0.3.9"
 vcpkg = "0.2.8"
diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs
index 2f3ff3eafd..2454ef66a4 100644
--- a/openssl-sys/build/cfgs.rs
+++ b/openssl-sys/build/cfgs.rs
@@ -53,9 +53,21 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<&
 if libressl_version >= 0x3_07_00_00_0 {
 cfgs.push("libressl370");
 }
+ if libressl_version >= 0x3_08_00_00_0 {
+ cfgs.push("libressl380");
+ }
+ if libressl_version >= 0x3_08_01_00_0 {
+ cfgs.push("libressl381");
+ }
+ if libressl_version >= 0x3_08_02_00_0 {
+ cfgs.push("libressl382");
+ }
 } else {
 let openssl_version = openssl_version.unwrap();
+ if openssl_version >= 0x3_02_00_00_0 {
+ cfgs.push("ossl320");
+ }
 if openssl_version >= 0x3_00_00_00_0 {
 cfgs.push("ossl300");
 }
diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c
index cd7456b4f0..e171621dca 100644
--- a/openssl-sys/build/expando.c
+++ b/openssl-sys/build/expando.c
@@ -134,3 +134,7 @@ RUST_CONF_OPENSSL_NO_DEPRECATED_3_0
 #ifdef OPENSSL_NO_SEED
 RUST_CONF_OPENSSL_NO_SEED
 #endif
+
+#ifdef OPENSSL_NO_SCRYPT
+RUST_CONF_OPENSSL_NO_SCRYPT
+#endif
diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs
index 21ccf3d037..cd732ca46a 100644
--- a/openssl-sys/build/main.rs
+++ b/openssl-sys/build/main.rs
@@ -60,6 +60,14 @@ fn check_ssl_kind() { if cfg!(feature = "unstable_boringssl") { println!("cargo:rustc-cfg=boringssl"); println!("cargo:boringssl=true"); + + if let Ok(vars) = env::var("DEP_BSSL_CONF") { + for var in vars.split(',') { + println!("cargo:rustc-cfg=osslconf=\"{}\"", var); + } + println!("cargo:conf={}", vars); + } + // BoringSSL does not have any build logic, exit early std::process::exit(0); } @@ -115,6 +123,16 @@ fn main() { println!("cargo:rustc-link-lib={}={}", kind, lib); } + // https://github.com/openssl/openssl/pull/15086 + if version == Version::Openssl3xx + && kind == "static" + && (env::var("CARGO_CFG_TARGET_OS").unwrap() == "linux" + || env::var("CARGO_CFG_TARGET_OS").unwrap() == "android") + && env::var("CARGO_CFG_TARGET_POINTER_WIDTH").unwrap() == "32" + { + println!("cargo:rustc-link-lib=dylib=atomic"); + } + if kind == "static" && target.contains("windows") { println!("cargo:rustc-link-lib=dylib=gdi32"); println!("cargo:rustc-link-lib=dylib=user32"); @@ -213,6 +231,11 @@ See rust-openssl documentation for more information: } } + for enabled in &enabled { + println!("cargo:rustc-cfg=osslconf=\"{}\"", enabled); + } + println!("cargo:conf={}", enabled.join(",")); + if is_boringssl { println!("cargo:rustc-cfg=boringssl"); println!("cargo:boringssl=true"); @@ -223,11 +246,6 @@ See rust-openssl documentation for more information: // We set this for any non-BoringSSL lib. println!("cargo:rustc-cfg=openssl"); - for enabled in &enabled { - println!("cargo:rustc-cfg=osslconf=\"{}\"", enabled); - } - println!("cargo:conf={}", enabled.join(",")); - for cfg in cfgs::get(openssl_version, libressl_version) { println!("cargo:rustc-cfg={}", cfg); } @@ -273,6 +291,7 @@ See rust-openssl documentation for more information: (3, 7, 1) => ('3', '7', '1'), (3, 7, _) => ('3', '7', 'x'), (3, 8, 0) => ('3', '8', '0'), + (3, 8, 1) => ('3', '8', '1'), _ => version_error(), }; 
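Review bot: In check_ssl_kind an empty `DEP_BSSL_CONF` value still emits one `osslconf=""` cfg, because `vars.split(',')` yields a single empty segment; `for var in vars.split(',').filter(|v| !v.is_empty()) {` avoids that, and the `cargo:conf={}` line below it passes the raw value through unchanged, so it would benefit from the same filtering. In the @@ -115 hunk of main, `env::var("CARGO_CFG_TARGET_OS").unwrap()` is evaluated twice inside one condition; binding it once, `let target_os = env::var("CARGO_CFG_TARGET_OS").unwrap();`, reads better (the `unwrap` itself is acceptable since Cargo always sets the variable for build scripts). Both enclosing functions start outside their hunks.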
@@ -314,8 +333,8 @@ fn version_error() -> ! { panic!( " -This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.8.0, but a different version of OpenSSL was found. The build is now aborting +This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3), or LibreSSL 2.5 +through 3.8.1, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " diff --git a/openssl-sys/src/crypto.rs b/openssl-sys/src/crypto.rs index 35be07eada..bdc0add156 100644 --- a/openssl-sys/src/crypto.rs +++ b/openssl-sys/src/crypto.rs @@ -106,7 +106,7 @@ pub const CRYPTO_LOCK_SSL_CTX: c_int = 12; pub const CRYPTO_LOCK_SSL_SESSION: c_int = 14; cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, libressl381))] { pub const CRYPTO_EX_INDEX_SSL: c_int = 0; pub const CRYPTO_EX_INDEX_SSL_CTX: c_int = 1; } else if #[cfg(libressl)] { diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index d2ca215407..e317fea35c 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -7,8 +7,12 @@ pub const PKCS5_SALT_LEN: c_int = 8; pub const PKCS12_DEFAULT_ITER: c_int = 2048; pub const EVP_PKEY_RSA: c_int = NID_rsaEncryption; +#[cfg(any(openssl111, boringssl))] +pub const EVP_PKEY_RSA_PSS: c_int = NID_rsassaPss; pub const EVP_PKEY_DSA: c_int = NID_dsa; pub const EVP_PKEY_DH: c_int = NID_dhKeyAgreement; +#[cfg(ossl110)] +pub const EVP_PKEY_DHX: c_int = NID_dhpublicnumber; pub const EVP_PKEY_EC: c_int = NID_X9_62_id_ecPublicKey; #[cfg(ossl111)] pub const EVP_PKEY_SM2: c_int = NID_sm2; @@ -24,7 +28,7 @@ pub const EVP_PKEY_HMAC: c_int = NID_hmac; pub const EVP_PKEY_CMAC: c_int = NID_cmac; #[cfg(ossl111)] pub const EVP_PKEY_POLY1305: c_int = NID_poly1305; -#[cfg(ossl110)] +#[cfg(any(ossl110, libressl360))] pub const EVP_PKEY_HKDF: c_int = NID_hkdf; #[cfg(ossl102)] 
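Review bot: `#[cfg(any(openssl111, boringssl))]` on the new `EVP_PKEY_RSA_PSS` constant (evp.rs, @@ -7 hunk) uses a cfg name that nothing in this diff emits: every other version gate in the same hunk is spelled `ossl111` (`#[cfg(ossl111)] pub const EVP_PKEY_SM2` two lines below), and the cfgs.rs hunk pushes `ossl3xx` names. Unless `openssl111` is set somewhere outside this diff, the constant is compiled only for BoringSSL and silently absent on OpenSSL 1.1.1 and 3.x, while the changelog entry advertises it unconditionally. The fix is `#[cfg(any(ossl111, boringssl))]`; the `NID_rsassaPss` it references is not in this diff, so its gate should be checked to match.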
@@ -197,31 +201,31 @@ pub const EVP_PKEY_CTRL_CIPHER: c_int = 12; pub const EVP_PKEY_ALG_CTRL: c_int = 0x1000; -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] pub const EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND: c_int = 0; -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] pub const EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY: c_int = 1; -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] pub const EVP_PKEY_HKDEF_MODE_EXPAND_ONLY: c_int = 2; -#[cfg(ossl110)] +#[cfg(any(ossl110, libressl360))] pub const EVP_PKEY_CTRL_HKDF_MD: c_int = EVP_PKEY_ALG_CTRL + 3; -#[cfg(ossl110)] +#[cfg(any(ossl110, libressl360))] pub const EVP_PKEY_CTRL_HKDF_SALT: c_int = EVP_PKEY_ALG_CTRL + 4; -#[cfg(ossl110)] +#[cfg(any(ossl110, libressl360))] pub const EVP_PKEY_CTRL_HKDF_KEY: c_int = EVP_PKEY_ALG_CTRL + 5; -#[cfg(ossl110)] +#[cfg(any(ossl110, libressl360))] pub const EVP_PKEY_CTRL_HKDF_INFO: c_int = EVP_PKEY_ALG_CTRL + 6; -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] pub const EVP_PKEY_CTRL_HKDF_MODE: c_int = EVP_PKEY_ALG_CTRL + 7; -#[cfg(all(ossl111, not(ossl300)))] +#[cfg(any(all(ossl111, not(ossl300)), libressl360))] pub unsafe fn EVP_PKEY_CTX_set_hkdf_mode(ctx: *mut EVP_PKEY_CTX, mode: c_int) -> c_int { EVP_PKEY_CTX_ctrl( ctx, @@ -233,7 +237,7 @@ pub unsafe fn EVP_PKEY_CTX_set_hkdf_mode(ctx: *mut EVP_PKEY_CTX, mode: c_int) -> ) } -#[cfg(all(ossl110, not(ossl300)))] +#[cfg(any(all(ossl110, not(ossl300)), libressl360))] pub unsafe fn EVP_PKEY_CTX_set_hkdf_md(ctx: *mut EVP_PKEY_CTX, md: *const EVP_MD) -> c_int { EVP_PKEY_CTX_ctrl( ctx, @@ -245,7 +249,7 @@ pub unsafe fn EVP_PKEY_CTX_set_hkdf_md(ctx: *mut EVP_PKEY_CTX, md: *const EVP_MD ) } -#[cfg(all(ossl110, not(ossl300)))] +#[cfg(any(all(ossl110, not(ossl300)), libressl360))] pub unsafe fn EVP_PKEY_CTX_set1_hkdf_salt( ctx: *mut EVP_PKEY_CTX, salt: *const u8, 
@@ -261,7 +265,7 @@ pub unsafe fn EVP_PKEY_CTX_set1_hkdf_salt(
 )
 }
-#[cfg(all(ossl110, not(ossl300)))]
+#[cfg(any(all(ossl110, not(ossl300)), libressl360))]
 pub unsafe fn EVP_PKEY_CTX_set1_hkdf_key(
 ctx: *mut EVP_PKEY_CTX,
 key: *const u8,
@@ -277,7 +281,7 @@ pub unsafe fn EVP_PKEY_CTX_set1_hkdf_key(
 )
 }
-#[cfg(all(ossl110, not(ossl300)))]
+#[cfg(any(all(ossl110, not(ossl300)), libressl360))]
 pub unsafe fn EVP_PKEY_CTX_add1_hkdf_info(
 ctx: *mut EVP_PKEY_CTX,
 info: *const u8,
diff --git a/openssl-sys/src/handwritten/bn.rs b/openssl-sys/src/handwritten/bn.rs
index fc42c13946..fb55f6b82c 100644
--- a/openssl-sys/src/handwritten/bn.rs
+++ b/openssl-sys/src/handwritten/bn.rs
@@ -75,7 +75,6 @@ extern "C" {
 m: *const BIGNUM,
 ctx: *mut BN_CTX,
 ) -> c_int;
- #[cfg(ossl110)]
 pub fn BN_mod_sqrt(
 ret: *mut BIGNUM,
 a: *const BIGNUM,
diff --git a/openssl-sys/src/handwritten/dh.rs b/openssl-sys/src/handwritten/dh.rs
index 87a0817ce5..c4671c969f 100644
--- a/openssl-sys/src/handwritten/dh.rs
+++ b/openssl-sys/src/handwritten/dh.rs
@@ -5,6 +5,7 @@ extern "C" {
 pub fn DH_free(dh: *mut DH);
 pub fn DH_check(dh: *const DH, codes: *mut c_int) -> c_int;
+ #[cfg(not(libressl382))]
 pub fn DH_generate_parameters(
 prime_len: c_int,
 generator: c_int,
diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs
index e8ad6aa2d7..bf5aa421bd 100644
--- a/openssl-sys/src/handwritten/evp.rs
+++ b/openssl-sys/src/handwritten/evp.rs
@@ -52,7 +52,7 @@ cfg_if! {
 }
 cfg_if! {
- if #[cfg(ossl110)] {
+ if #[cfg(any(ossl110, libressl382))] {
 extern "C" {
 pub fn EVP_MD_CTX_new() -> *mut EVP_MD_CTX;
 pub fn EVP_MD_CTX_free(ctx: *mut EVP_MD_CTX);
@@ -294,13 +294,13 @@ extern "C" { pub fn EVP_sha256() -> *const EVP_MD; pub fn EVP_sha384() -> *const EVP_MD; pub fn EVP_sha512() -> *const EVP_MD; - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn EVP_sha3_224() -> *const EVP_MD; - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn EVP_sha3_256() -> *const EVP_MD; - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn EVP_sha3_384() -> *const EVP_MD; - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn EVP_sha3_512() -> *const EVP_MD; #[cfg(ossl111)] pub fn EVP_shake128() -> *const EVP_MD; 
@@ -391,28 +391,38 @@ extern "C" { #[cfg(all(any(ossl111, libressl291), not(osslconf = "OPENSSL_NO_SM4")))] pub fn EVP_sm4_ctr() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_128_cfb128() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_128_ecb() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn EVP_camellia_128_cbc() -> *const EVP_CIPHER; + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_192_cfb128() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_192_ecb() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn EVP_camellia_192_cbc() -> *const EVP_CIPHER; + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_256_cfb128() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_256_ecb() -> *const EVP_CIPHER; + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn EVP_camellia_256_cbc() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn EVP_cast5_cfb64() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn EVP_cast5_ecb() -> *const EVP_CIPHER; + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] + pub fn EVP_cast5_cbc() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn EVP_idea_cfb64() -> *const EVP_CIPHER; - 
#[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn EVP_idea_ecb() -> *const EVP_CIPHER; + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] + pub fn EVP_idea_cbc() -> *const EVP_CIPHER; #[cfg(not(ossl110))] pub fn OPENSSL_add_all_algorithms_noconf(); diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index d4f4b619f4..944a476618 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -924,3 +924,17 @@ extern "C" { #[cfg(all(ossl111, not(ossl111b)))] pub fn SSL_get_num_tickets(s: *mut SSL) -> size_t; } + +extern "C" { + #[cfg(any(ossl110, libressl360))] + pub fn SSL_CTX_set_security_level(ctx: *mut SSL_CTX, level: c_int); + + #[cfg(any(ossl110, libressl360))] + pub fn SSL_set_security_level(s: *mut SSL, level: c_int); + + #[cfg(any(ossl110, libressl360))] + pub fn SSL_CTX_get_security_level(ctx: *const SSL_CTX) -> c_int; + + #[cfg(any(ossl110, libressl360))] + pub fn SSL_get_security_level(s: *const SSL) -> c_int; +} diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index 06354728f2..a03a878305 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -329,7 +329,7 @@ cfg_if! { } } cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, libressl382))] { pub enum X509_ALGOR {} } else { #[repr(C)] diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 2ee0452597..2f59bf6663 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs 
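Review bot: Dropping `boringssl` from the `OPENSSL_NO_CAMELLIA`/`OPENSSL_NO_CAST`/`OPENSSL_NO_IDEA` gates in the handwritten/evp.rs hunk makes these `extern` declarations depend on the BoringSSL build reporting those `OPENSSL_NO_*` names through the new `DEP_BSSL_CONF` path in openssl-sys/build/main.rs; if a bssl-sys build does not export them, the declarations compile and the missing symbols only surface at link time, which the old `not(any(boringssl, …))` gate excluded up front. A one-line comment at the first of them, `// Previously excluded on BoringSSL; now relies on bssl-sys exporting OPENSSL_NO_CAMELLIA/CAST/IDEA via DEP_BSSL_CONF`, would record the assumption; the same change recurs in the cipher.rs, ec.rs, hash.rs and lib.rs hunks further down and the note applies to them too. The added `EVP_cast5_cbc`/`EVP_idea_cbc` are 64-bit-block legacy ciphers, fine for a -sys crate, but the safe `Cipher` wrappers built on them (outside this view) should say in their docs that they exist for interoperability with legacy data. The `extern "C"` block starts and ends outside the hunk.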
@@ -145,3 +145,22 @@ extern "C" { pub fn DIST_POINT_free(dist_point: *mut DIST_POINT); pub fn DIST_POINT_NAME_free(dist_point: *mut DIST_POINT_NAME); } + +#[cfg(ossl102)] +extern "C" { + pub fn X509_check_host( + x: *mut X509, + chk: *const c_char, + chklen: usize, + flags: c_uint, + peername: *mut *mut c_char, + ) -> c_int; + pub fn X509_check_email( + x: *mut X509, + chk: *const c_char, + chklen: usize, + flags: c_uint, + ) -> c_int; + pub fn X509_check_ip(x: *mut X509, chk: *const c_uchar, chklen: usize, flags: c_uint) -> c_int; + pub fn X509_check_ip_asc(x: *mut X509, ipasc: *const c_char, flags: c_uint) -> c_int; +} diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 784b7637e1..0e23386fd3 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -11,7 +11,7 @@ #![recursion_limit = "128"] // configure fixed limit across all rust versions extern crate libc; -pub use libc::*; +pub use libc::c_int; #[cfg(feature = "unstable_boringssl")] extern crate bssl_sys; diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 6ae48834b5..9f4c7c12dd 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -135,6 +135,8 @@ pub const NID_sha512WithRSAEncryption: c_int = 670; pub const NID_sha224WithRSAEncryption: c_int = 671; pub const NID_pkcs3: c_int = 27; pub const NID_dhKeyAgreement: c_int = 28; +#[cfg(ossl110)] +pub const NID_dhpublicnumber: c_int = 920; pub const NID_pkcs5: c_int = 187; pub const NID_pbeWithMD2AndDES_CBC: c_int = 9; pub const NID_pbeWithMD5AndDES_CBC: c_int = 10; @@ -926,6 +928,8 @@ pub const NID_X25519: c_int = 950; pub const NID_X448: c_int = 1035; #[cfg(ossl110)] pub const NID_hkdf: c_int = 1036; +#[cfg(libressl360)] +pub const NID_hkdf: c_int = 1022; #[cfg(ossl111)] pub const NID_poly1305: c_int = 1061; #[cfg(ossl111)] 
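Review bot: The new `X509_check_host`/`X509_check_email`/`X509_check_ip` declarations spell the length parameter as `usize`, while the other handwritten bindings in this diff use libc's `size_t` for the same C type (`SSL_get_num_tickets(s: *mut SSL) -> size_t` in handwritten/ssl.rs); `chklen: size_t,` keeps the bindings consistent. `X509_check_host`'s `peername` out-parameter also deserves a comment, since the -sys crate is where the ownership rule lives: as I recall OpenSSL's documentation, when non-null it receives a copy of the matched name allocated by the library that the caller must release with `OPENSSL_free` — confirm against the man page before wording it. The `extern "C"` block is complete within the hunk.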
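Review bot: `pub use libc::*` → `pub use libc::c_int` in the lib.rs hunk removes every other libc re-export (`c_char`, `c_void`, `c_uint`, `size_t`, …) from the openssl-sys crate root, so any dependent that wrote `openssl_sys::c_char` or imported through the glob stops compiling, yet the Cargo.toml hunk only moves the version 0.9.92 → 0.9.94. Unless those names are re-exported elsewhere outside this hunk, that is a semver-breaking change shipped as a patch release and should at least get a "Changed" changelog entry; if the intent is only to stop leaking all of libc, an explicit list such as `pub use libc::{c_char, c_int, c_long, c_uchar, c_uint, c_ulong, c_void, size_t};` would keep the commonly used names.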
@@ -974,12 +978,20 @@ pub const NID_sm4_ctr: c_int = 1139; pub const NID_sm4_ctr: c_int = 979; #[cfg(ossl111)] pub const NID_sha3_224: c_int = 1096; +#[cfg(libressl380)] +pub const NID_sha3_224: c_int = 1031; #[cfg(ossl111)] pub const NID_sha3_256: c_int = 1097; +#[cfg(libressl380)] +pub const NID_sha3_256: c_int = 1032; #[cfg(ossl111)] pub const NID_sha3_384: c_int = 1098; +#[cfg(libressl380)] +pub const NID_sha3_384: c_int = 1033; #[cfg(ossl111)] pub const NID_sha3_512: c_int = 1099; +#[cfg(libressl380)] +pub const NID_sha3_512: c_int = 1034; #[cfg(ossl111)] pub const NID_shake128: c_int = 1100; #[cfg(ossl111)] diff --git a/openssl-sys/src/x509v3.rs b/openssl-sys/src/x509v3.rs index d2ff53489e..230dea1736 100644 --- a/openssl-sys/src/x509v3.rs +++ b/openssl-sys/src/x509v3.rs @@ -89,8 +89,16 @@ pub const X509_PURPOSE_CRL_SIGN: c_int = 6; pub const X509_PURPOSE_ANY: c_int = 7; pub const X509_PURPOSE_OCSP_HELPER: c_int = 8; pub const X509_PURPOSE_TIMESTAMP_SIGN: c_int = 9; +#[cfg(ossl320)] +pub const X509_PURPOSE_CODE_SIGN: c_int = 10; pub const X509_PURPOSE_MIN: c_int = 1; -pub const X509_PURPOSE_MAX: c_int = 9; +cfg_if! { + if #[cfg(ossl320)] { + pub const X509_PURPOSE_MAX: c_int = 10; + } else { + pub const X509_PURPOSE_MAX: c_int = 9; + } +} pub const CRL_REASON_UNSPECIFIED: c_int = 0; pub const CRL_REASON_KEY_COMPROMISE: c_int = 1; diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index f5409b1222..f1acc1fccf 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md 
@@ -2,6 +2,24 @@ ## [Unreleased] +## [v0.10.58] - 2023-11-01 + +### Added + +* Added `Id::{RSA_PSS,DHX}` constants +* Added `SslContextBuilder::set_security_level` +* Added `SslContextRef::security_level` +* Added `SslRef::set_security_level`, `SslRef::security_level` +* Added `Cipher::{camellia_128_cbc, camellia_192_cbc, camellia_256_cbc, cast5_cbc, idea_cbc}` +* Added `X509CrlRef::extension` +* Added `X509PurposeId::CODE_SIGN` + +### Changed + +* `Pkey` HKDF functionality now works on LibreSSL +* `BigNum::mod_sqrt` is now available on all OpenSSLs +* `MessageDigest::sha3*` are now available on LibreSSL + ## [v0.10.57] - 2023-08-27 ### Added @@ -797,7 +815,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.57...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.58...master +[v0.10.57]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.57...openssl-v0.10.58 [v0.10.57]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.56...openssl-v0.10.57 [v0.10.56]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...openssl-v0.10.56 [v0.10.55]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...openssl-v0.10.55 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index ec8beaef9c..9a2f5016f5 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.57" +version = "0.10.58" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.92", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.94", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" 
diff --git a/openssl/build.rs b/openssl/build.rs
index 0a974b33e6..87a9fa06f5 100644
--- a/openssl/build.rs
+++ b/openssl/build.rs
@@ -13,7 +13,6 @@ fn main() {
 if env::var("DEP_OPENSSL_BORINGSSL").is_ok() {
 println!("cargo:rustc-cfg=boringssl");
- return;
 }
 if let Ok(v) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") {
@@ -67,6 +66,12 @@ fn main() {
 if version >= 0x3_07_00_00_0 {
 println!("cargo:rustc-cfg=libressl370");
 }
+ if version >= 0x3_08_00_00_0 {
+ println!("cargo:rustc-cfg=libressl380");
+ }
+ if version >= 0x3_08_02_00_0 {
+ println!("cargo:rustc-cfg=libressl382");
+ }
 }
 if let Ok(vars) = env::var("DEP_OPENSSL_CONF") {
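Review bot: Removing the early `return;` after `cargo:rustc-cfg=boringssl` means every version/conf block below now also runs for BoringSSL builds; the blocks visible here are guarded with `if let Ok(...)`, but anything further down that `unwrap()`s `DEP_OPENSSL_VERSION_NUMBER` (not visible in this hunk) would now panic for BoringSSL, since openssl-sys's boringssl path in check_ssl_kind exits before emitting a version. A comment on the spot would record why the fall-through is intended: `// No early return: BoringSSL builds still need the DEP_OPENSSL_CONF cfgs emitted below.` `main` starts and ends outside the hunk.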
@@ -102,61 +107,8 @@ fn main() { if version >= 0x3_01_00_00_0 { println!("cargo:rustc-cfg=ossl310"); } - } - - if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { - let version = u64::from_str_radix(&version, 16).unwrap(); - - if version >= 0x2_05_01_00_0 { - println!("cargo:rustc-cfg=libressl251"); - } - - if version >= 0x2_06_01_00_0 { - println!("cargo:rustc-cfg=libressl261"); - } - - if version >= 0x2_07_00_00_0 { - println!("cargo:rustc-cfg=libressl270"); - } - - if version >= 0x2_07_01_00_0 { - println!("cargo:rustc-cfg=libressl271"); - } - - if version >= 0x2_07_03_00_0 { - println!("cargo:rustc-cfg=libressl273"); - } - - if version >= 0x2_08_00_00_0 { - println!("cargo:rustc-cfg=libressl280"); - } - - if version >= 0x2_09_01_00_0 { - println!("cargo:rustc-cfg=libressl291"); - } - - if version >= 0x3_02_01_00_0 { - println!("cargo:rustc-cfg=libressl321"); - } - - if version >= 0x3_03_02_00_0 { - println!("cargo:rustc-cfg=libressl332"); - } - - if version >= 0x3_04_00_00_0 { - println!("cargo:rustc-cfg=libressl340"); - } - - if version >= 0x3_05_00_00_0 { - println!("cargo:rustc-cfg=libressl350"); - } - - if version >= 0x3_06_00_00_0 { - println!("cargo:rustc-cfg=libressl360"); - } - - if version >= 0x3_06_01_00_0 { - println!("cargo:rustc-cfg=libressl361"); + if version >= 0x3_02_00_00_0 { + println!("cargo:rustc-cfg=ossl320"); } } } diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index c75fac1d70..1ae450bb75 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -655,7 +655,6 @@ impl BigNumRef { /// Places into `self` the modular square root of `a` such that `self^2 = a (mod p)` #[corresponds(BN_mod_sqrt)] - #[cfg(ossl110)] pub fn mod_sqrt( &mut self, a: &BigNumRef, @@ -1229,7 +1228,7 @@ impl Ord for BigNumRef { impl PartialOrd for BigNum { fn partial_cmp(&self, oth: &BigNum) -> Option { - self.deref().partial_cmp(oth.deref()) + Some(self.cmp(oth)) } } 
@@ -1490,17 +1489,23 @@ mod tests { assert!(b.is_const_time()) } - #[cfg(ossl110)] #[test] fn test_mod_sqrt() { let mut ctx = BigNumContext::new().unwrap(); - let s = BigNum::from_hex_str("47A8DD7626B9908C80ACD7E0D3344D69").unwrap(); - let p = BigNum::from_hex_str("81EF47265B58BCE5").unwrap(); + let s = BigNum::from_hex_str("2").unwrap(); + let p = BigNum::from_hex_str("7DEB1").unwrap(); + let mut sqrt = BigNum::new().unwrap(); let mut out = BigNum::new().unwrap(); - out.mod_sqrt(&s, &p, &mut ctx).unwrap(); - assert_eq!(out, BigNum::from_hex_str("7C6D179E19B97BDD").unwrap()); + // Square the root because OpenSSL randomly returns one of 2E42C or 4FA85 + sqrt.mod_sqrt(&s, &p, &mut ctx).unwrap(); + out.mod_sqr(&sqrt, &p, &mut ctx).unwrap(); + assert!(out == s); + + let s = BigNum::from_hex_str("3").unwrap(); + let p = BigNum::from_hex_str("5").unwrap(); + assert!(out.mod_sqrt(&s, &p, &mut ctx).is_err()); } #[test] diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index 2b89861365..892cae1db7 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -201,7 +201,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_128_ocb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_ocb() as *mut _) } } @@ -258,7 +258,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_192_ocb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_aes_192_ocb() as *mut _) } } @@ -315,7 +315,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_256_ocb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_aes_256_ocb() as *mut _) } } 
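Review bot: `assert!(out == s)` in test_mod_sqrt discards the operands on failure; `assert_eq!(out, s);` prints both values and matches the style of the surrounding tests. The second case reuses `out` as the destination for a call that is expected to fail, which is fine, but a short comment would make the expectation explicit, e.g. `// 3 is not a quadratic residue mod 5 (squares are 0, 1, 4), so no root exists`. The `tests` module starts and ends outside the hunk.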
@@ -343,13 +343,11 @@ impl Cipher { } #[cfg(not(osslconf = "OPENSSL_NO_BF"))] - #[cfg(not(boringssl))] pub fn bf_cfb64() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_bf_cfb64() as *mut _) } } #[cfg(not(osslconf = "OPENSSL_NO_BF"))] - #[cfg(not(boringssl))] pub fn bf_ofb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_bf_ofb() as *mut _) } } 
@@ -380,52 +378,52 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_rc4() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia128_cfb128() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_128_cfb128() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia128_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_128_ecb() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia192_cfb128() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_192_cfb128() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia192_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_192_ecb() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia256_cfb128() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_256_cfb128() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia256_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_256_ecb() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn cast5_cfb64() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_cast5_cfb64() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn cast5_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_cast5_ecb() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] 
+ #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn idea_cfb64() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_idea_cfb64() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn idea_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_idea_ecb() as *mut _) } } @@ -441,25 +439,21 @@ impl Cipher { } #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] - #[cfg(not(boringssl))] pub fn seed_cbc() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_seed_cbc() as *mut _) } } #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] - #[cfg(not(boringssl))] pub fn seed_cfb128() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_seed_cfb128() as *mut _) } } #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] - #[cfg(not(boringssl))] pub fn seed_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_seed_ecb() as *mut _) } } #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] - #[cfg(not(boringssl))] pub fn seed_ofb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_seed_ofb() as *mut _) } } diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index f9031d2976..1769ee9716 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -548,7 +548,7 @@ impl CipherCtxRef { /// # Panics /// /// Panics if `output` doesn't contain enough space for data to be - /// written as specified by [`Self::minimal_output_size`]. + /// written. #[corresponds(EVP_CipherUpdate)] pub fn cipher_update( &mut self, diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index 7445e3408c..d46b9ee466 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -475,6 +475,6 @@ mod tests { let g = BigNum::from_hex_str("02").unwrap(); let dh2 = Dh::from_pqg(p, None, g).unwrap(); assert!(dh1.check_key().unwrap()); - assert!(!dh2.check_key().unwrap()); + assert!(matches!(dh2.check_key(), Ok(false) | Err(_))); } } 
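Review bot: `assert!(matches!(dh2.check_key(), Ok(false) | Err(_)))` in the dh.rs test now accepts any error, so a failure unrelated to the parameters (a broken binding, an allocation failure) passes the test as well. If some library version rejects these parameters inside `DH_check` rather than reporting a code, a comment naming that case would keep the test honest, e.g. `// Some library versions fail DH_check outright for this group instead of returning a check code — confirm which`; matching on the specific error where the library allows it would be better still. The test function starts outside the hunk.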
diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index d541ddfc23..0dda1dbbce 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -195,7 +195,7 @@ impl EcGroupRef { /// a term in the polynomial. It will be set to 3 `1`s or 5 `1`s depending on /// using a trinomial or pentanomial. #[corresponds(EC_GROUP_get_curve_GF2m)] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_EC2M")))] + #[cfg(not(osslconf = "OPENSSL_NO_EC2M"))] pub fn components_gf2m( &self, p: &mut BigNumRef, @@ -586,7 +586,7 @@ impl EcPointRef { /// Places affine coordinates of a curve over a binary field in the provided /// `x` and `y` `BigNum`s #[corresponds(EC_POINT_get_affine_coordinates_GF2m)] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_EC2M")))] + #[cfg(not(osslconf = "OPENSSL_NO_EC2M"))] pub fn affine_coordinates_gf2m( &self, group: &EcGroupRef, @@ -1324,7 +1324,7 @@ mod test { } #[test] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_EC2M")))] + #[cfg(not(osslconf = "OPENSSL_NO_EC2M"))] fn is_on_curve() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let mut ctx = BigNumContext::new().unwrap(); diff --git a/openssl/src/ecdsa.rs b/openssl/src/ecdsa.rs index f3b27b3953..3dc17c68dd 100644 --- a/openssl/src/ecdsa.rs +++ b/openssl/src/ecdsa.rs @@ -158,7 +158,7 @@ mod test { } #[test] - #[cfg_attr(osslconf = "OPENSSL_NO_EC2M", ignore)] + #[cfg_attr(osslconf = "OPENSSL_NO_EC", ignore)] fn sign_and_verify() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let private_key = EcKey::generate(&group).unwrap(); @@ -186,7 +186,7 @@ mod test { } #[test] - #[cfg_attr(osslconf = "OPENSSL_NO_EC2M", ignore)] + #[cfg_attr(osslconf = "OPENSSL_NO_EC", ignore)] fn check_private_components() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let private_key = EcKey::generate(&group).unwrap(); 
@@ -206,7 +206,7 @@ mod test { } #[test] - #[cfg_attr(osslconf = "OPENSSL_NO_EC2M", ignore)] + #[cfg_attr(osslconf = "OPENSSL_NO_EC", ignore)] fn serialize_deserialize() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let private_key = EcKey::generate(&group).unwrap(); diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 52d73deed4..01d7097b09 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -43,7 +43,7 @@ use crate::nid::Nid; use crate::{cvt, cvt_p}; cfg_if! { - if #[cfg(any(ossl110, boringssl))] { + if #[cfg(any(ossl110, boringssl, libressl382))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; @@ -127,22 +127,22 @@ impl MessageDigest { unsafe { MessageDigest(ffi::EVP_sha512()) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn sha3_224() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_sha3_224()) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn sha3_256() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_sha3_256()) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn sha3_384() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_sha3_384()) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn sha3_512() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_sha3_512()) } } @@ -157,7 +157,7 @@ impl MessageDigest { unsafe { MessageDigest(ffi::EVP_shake256()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_RMD160")))] + #[cfg(not(osslconf = "OPENSSL_NO_RMD160"))] pub fn ripemd160() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_ripemd160()) } } @@ -624,7 +624,7 @@ mod tests { ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[test] fn test_sha3_224() { let tests = [( @@ -644,7 +644,7 @@ mod tests { ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[test] fn test_sha3_256() { let tests = [( 
@@ -664,7 +664,7 @@ mod tests { ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[test] fn test_sha3_384() { let tests = [("416c6c20796f75722062617365206172652062656c6f6e6720746f207573", @@ -684,7 +684,7 @@ mod tests { ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[test] fn test_sha3_512() { let tests = [("416c6c20796f75722062617365206172652062656c6f6e6720746f207573", @@ -745,7 +745,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(osslconf = "OPENSSL_NO_RMD160"))] #[cfg_attr(ossl300, ignore)] fn test_ripemd160() { #[cfg(ossl300)] diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index fe29d02293..bc9d2b3455 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -140,7 +140,7 @@ pub mod base64; pub mod bn; pub mod cipher; pub mod cipher_ctx; -#[cfg(all(not(boringssl), not(libressl), not(osslconf = "OPENSSL_NO_CMS")))] +#[cfg(all(not(libressl), not(osslconf = "OPENSSL_NO_CMS")))] pub mod cms; pub mod conf; pub mod derive; @@ -162,7 +162,7 @@ pub mod md; pub mod md_ctx; pub mod memcmp; pub mod nid; -#[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_OCSP")))] +#[cfg(not(osslconf = "OPENSSL_NO_OCSP"))] pub mod ocsp; pub mod pkcs12; pub mod pkcs5; diff --git a/openssl/src/md.rs b/openssl/src/md.rs index 4ade8e870d..08e4aacf3e 100644 --- a/openssl/src/md.rs +++ b/openssl/src/md.rs 
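Review bot: Dropping `not(boringssl)` from the `cms` and `ocsp` module gates in `lib.rs` means those modules are compiled against BoringSSL unless openssl-sys emits `osslconf = "OPENSSL_NO_CMS"` / `"OPENSSL_NO_OCSP"` for BoringSSL builds; that build-script side is not on this page, so I cannot confirm it does. If it does, a one-line comment above the `cms` gate, e.g. `// BoringSSL builds rely on openssl-sys reporting OPENSSL_NO_CMS / OPENSSL_NO_OCSP via osslconf.`, would document the dependency; if it does not, the previous `not(boringssl)` guard is still needed. The same reasoning applies to the IDEA, SEED, BF and RMD160 gates changed elsewhere in this commit.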
@@ -150,25 +150,25 @@ impl Md { unsafe { MdRef::from_ptr(ffi::EVP_sha512() as *mut _) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[inline] pub fn sha3_224() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_sha3_224() as *mut _) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[inline] pub fn sha3_256() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_sha3_256() as *mut _) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[inline] pub fn sha3_384() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_sha3_384() as *mut _) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[inline] pub fn sha3_512() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_sha3_512() as *mut _) } @@ -188,14 +188,12 @@ impl Md { #[cfg(not(osslconf = "OPENSSL_NO_RMD160"))] #[inline] - #[cfg(not(boringssl))] pub fn ripemd160() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_ripemd160() as *mut _) } } #[cfg(all(any(ossl111, libressl291), not(osslconf = "OPENSSL_NO_SM3")))] #[inline] - #[cfg(not(boringssl))] pub fn sm3() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_sm3() as *mut _) } } diff --git a/openssl/src/md_ctx.rs b/openssl/src/md_ctx.rs index 156f3c2fc9..30e0337b47 100644 --- a/openssl/src/md_ctx.rs +++ b/openssl/src/md_ctx.rs @@ -93,7 +93,7 @@ use std::convert::TryFrom; use std::ptr; cfg_if! { - if #[cfg(any(ossl110, boringssl))] { + if #[cfg(any(ossl110, boringssl, libressl382))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index 91fcdeca9d..a78d0e660c 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs 
@@ -1078,13 +1078,13 @@ impl Nid {
 pub const SM2: Nid = Nid(ffi::NID_sm2);
 #[cfg(any(ossl111, libressl291))]
 pub const SM3: Nid = Nid(ffi::NID_sm3);
- #[cfg(ossl111)]
+ #[cfg(any(ossl111, libressl380))]
 pub const SHA3_224: Nid = Nid(ffi::NID_sha3_224);
- #[cfg(ossl111)]
+ #[cfg(any(ossl111, libressl380))]
 pub const SHA3_256: Nid = Nid(ffi::NID_sha3_256);
- #[cfg(ossl111)]
+ #[cfg(any(ossl111, libressl380))]
 pub const SHA3_384: Nid = Nid(ffi::NID_sha3_384);
- #[cfg(ossl111)]
+ #[cfg(any(ossl111, libressl380))]
 pub const SHA3_512: Nid = Nid(ffi::NID_sha3_512);
 #[cfg(ossl111)]
 pub const SHAKE128: Nid = Nid(ffi::NID_shake128);
diff --git a/openssl/src/pkcs5.rs b/openssl/src/pkcs5.rs
index cd704e8256..afaae55a29 100644
--- a/openssl/src/pkcs5.rs
+++ b/openssl/src/pkcs5.rs
@@ -115,7 +115,7 @@ pub fn pbkdf2_hmac(
 ///
 /// Requires OpenSSL 1.1.0 or newer.
 #[corresponds(EVP_PBE_scrypt)]
-#[cfg(any(ossl110, boringssl))]
+#[cfg(all(any(ossl110, boringssl), not(osslconf = "OPENSSL_NO_SCRYPT")))]
 #[allow(clippy::useless_conversion)]
 pub fn scrypt(
 pass: &[u8],
diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs
index 453aeed72f..ac5989c572 100644
--- a/openssl/src/pkey.rs
+++ b/openssl/src/pkey.rs
@@ -78,17 +78,21 @@ pub struct Id(c_int);
 impl Id {
 pub const RSA: Id = Id(ffi::EVP_PKEY_RSA);
+ #[cfg(any(openssl111, boringssl))]
+ pub const RSA_PSS: Id = Id(ffi::EVP_PKEY_RSA_PSS);
 #[cfg(not(boringssl))]
 pub const HMAC: Id = Id(ffi::EVP_PKEY_HMAC);
 #[cfg(not(boringssl))]
 pub const CMAC: Id = Id(ffi::EVP_PKEY_CMAC);
 pub const DSA: Id = Id(ffi::EVP_PKEY_DSA);
 pub const DH: Id = Id(ffi::EVP_PKEY_DH);
+ #[cfg(ossl110)]
+ pub const DHX: Id = Id(ffi::EVP_PKEY_DHX);
 pub const EC: Id = Id(ffi::EVP_PKEY_EC);
 #[cfg(ossl111)]
 pub const SM2: Id = Id(ffi::EVP_PKEY_SM2);
- #[cfg(any(ossl110, boringssl))]
+ #[cfg(any(ossl110, boringssl, libressl360))]
 pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF);
 #[cfg(any(ossl111, boringssl, libressl370))]
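Review bot: The `scrypt` doc comment still reads `/// Requires OpenSSL 1.1.0 or newer.` although the gate now also excludes builds with `OPENSSL_NO_SCRYPT`, so a user on such a build gets a missing-function error the docs do not anticipate. Extend it to `/// Requires OpenSSL 1.1.0 or newer, built without `OPENSSL_NO_SCRYPT`.` so the rustdoc matches the cfg.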
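Review bot: The new `RSA_PSS` constant is gated on `#[cfg(any(openssl111, boringssl))]`, but the cfg name used everywhere else in this file and commit is `ossl111` (see `#[cfg(ossl111)] pub const SM2` a few lines below), so `openssl111` is never set on OpenSSL builds and `Id::RSA_PSS` would exist only when compiling against BoringSSL. Change it to `#[cfg(any(ossl111, boringssl))]`. Because a misspelt cfg name is silently false, this is the kind of slip a `cargo build` against OpenSSL will not catch; a test that merely names `Id::RSA_PSS` under `#[cfg(ossl111)]` would.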
diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index 4ac32a8517..85778e2166 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -80,10 +80,10 @@ use std::convert::TryFrom; use std::ptr; /// HKDF modes of operation. -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] pub struct HkdfMode(c_int); -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] impl HkdfMode { /// This is the default mode. Calling [`derive`][PkeyCtxRef::derive] on a [`PkeyCtxRef`] set up /// for HKDF will perform an extract followed by an expand operation in one go. The derived key @@ -566,7 +566,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set_hkdf_md)] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, libressl360))] #[inline] pub fn set_hkdf_md(&mut self, digest: &MdRef) -> Result<(), ErrorStack> { unsafe { @@ -589,7 +589,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.1 or newer. #[corresponds(EVP_PKEY_CTX_set_hkdf_mode)] - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl360))] #[inline] pub fn set_hkdf_mode(&mut self, mode: HkdfMode) -> Result<(), ErrorStack> { unsafe { @@ -608,7 +608,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_key)] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, libressl360))] #[inline] pub fn set_hkdf_key(&mut self, key: &[u8]) -> Result<(), ErrorStack> { #[cfg(not(boringssl))] @@ -633,7 +633,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_salt)] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, libressl360))] #[inline] pub fn set_hkdf_salt(&mut self, salt: &[u8]) -> Result<(), ErrorStack> { #[cfg(not(boringssl))] 
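Review bot: The doc comments on `set_hkdf_md`, `set_hkdf_key` and `set_hkdf_salt` still say `/// Requires OpenSSL 1.1.0 or newer.` and `set_hkdf_mode` says `/// Requires OpenSSL 1.1.1 or newer.`, although their cfg gates now also admit `libressl360`; `add_hkdf_info` in the next hunk has the same mismatch. Update them to `/// Requires OpenSSL 1.1.0 or newer, or LibreSSL 3.6.0 or newer.` (and the 1.1.1 variant accordingly) so the rustdoc matches availability. `HkdfMode` gains the `libressl360` gate but carries no availability note at all; adding the same line to its doc comment would be consistent.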
@@ -658,7 +658,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_add1_hkdf_info)] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, libressl360))] #[inline] pub fn add_hkdf_info(&mut self, info: &[u8]) -> Result<(), ErrorStack> { #[cfg(not(boringssl))] @@ -855,7 +855,7 @@ mod test { } #[test] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, libressl360))] fn hkdf() { let mut ctx = PkeyCtx::new_id(Id::HKDF).unwrap(); ctx.derive_init().unwrap(); @@ -877,7 +877,7 @@ mod test { } #[test] - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl360))] fn hkdf_expand() { let mut ctx = PkeyCtx::new_id(Id::HKDF).unwrap(); ctx.derive_init().unwrap(); @@ -901,7 +901,7 @@ mod test { } #[test] - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl360))] fn hkdf_extract() { let mut ctx = PkeyCtx::new_id(Id::HKDF).unwrap(); ctx.derive_init().unwrap(); diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 1c770d18b7..0154b1d4b7 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -81,7 +81,7 @@ use crate::rsa::Padding; use crate::{cvt, cvt_p}; cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, libressl382))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index bdfbfc14f0..d147c3c343 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs 
@@ -1718,6 +1718,16 @@ impl SslContextBuilder {
 unsafe { cvt(ffi::SSL_CTX_set_num_tickets(self.as_ptr(), num_tickets)).map(|_| ()) }
 }
 
+ /// Set the context's security level to a value between 0 and 5, inclusive.
+ /// A security value of 0 allows allows all parameters and algorithms.
+ ///
+ /// Requires OpenSSL 1.1.0 or newer.
+ #[corresponds(SSL_CTX_set_security_level)]
+ #[cfg(any(ossl110, libressl360))]
+ pub fn set_security_level(&mut self, level: u32) {
+ unsafe { ffi::SSL_CTX_set_security_level(self.as_ptr(), level as c_int) }
+ }
+
 /// Consumes the builder, returning a new `SslContext`.
 pub fn build(self) -> SslContext {
 self.0
@@ -1921,6 +1931,16 @@ impl SslContextRef {
 pub fn num_tickets(&self) -> usize {
 unsafe { ffi::SSL_CTX_get_num_tickets(self.as_ptr()) }
 }
+
+ /// Get the context's security level, which controls the allowed parameters
+ /// and algorithms.
+ ///
+ /// Requires OpenSSL 1.1.0 or newer.
+ #[corresponds(SSL_CTX_get_security_level)]
+ #[cfg(any(ossl110, libressl360))]
+ pub fn security_level(&self) -> u32 {
+ unsafe { ffi::SSL_CTX_get_security_level(self.as_ptr()) as u32 }
+ }
 }
 
 /// Information about the state of a cipher.
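Review bot: `set_security_level` passes `level as c_int`, so a `u32` above `i32::MAX` wraps to a negative value; OpenSSL's documented levels are 0–5 and, as far as I recall, its default security callback treats any non-positive level as "everything permitted", so an out-of-range argument would silently disable the very checks the caller meant to tighten. Convert saturating instead, e.g. `let level = c_int::try_from(level).unwrap_or(c_int::MAX);` before the FFI call (with `TryFrom` in scope), or at least document how values above 5 are handled. The getter's `as u32` has the mirror problem if the library ever reports a negative level; `u32::try_from(..).unwrap_or(0)` would make the intent explicit. The doc line `/// A security value of 0 allows allows all parameters and algorithms.` duplicates "allows". The same applies to `SslRef::set_security_level` and `SslRef::security_level` in the next hunk, whose setter doc also says "context's" where "connection's" is meant.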
@@ -3405,6 +3425,26 @@ impl SslRef {
 pub fn num_tickets(&self) -> usize {
 unsafe { ffi::SSL_get_num_tickets(self.as_ptr()) }
 }
+
+ /// Set the context's security level to a value between 0 and 5, inclusive.
+ /// A security value of 0 allows allows all parameters and algorithms.
+ ///
+ /// Requires OpenSSL 1.1.0 or newer.
+ #[corresponds(SSL_set_security_level)]
+ #[cfg(any(ossl110, libressl360))]
+ pub fn set_security_level(&mut self, level: u32) {
+ unsafe { ffi::SSL_set_security_level(self.as_ptr(), level as c_int) }
+ }
+
+ /// Get the connection's security level, which controls the allowed parameters
+ /// and algorithms.
+ ///
+ /// Requires OpenSSL 1.1.0 or newer.
+ #[corresponds(SSL_get_security_level)]
+ #[cfg(any(ossl110, libressl360))]
+ pub fn security_level(&self) -> u32 {
+ unsafe { ffi::SSL_get_security_level(self.as_ptr()) as u32 }
+ }
 }
 
 /// An SSL stream midway through the handshake process.
diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs
index 7707af238f..542656cb04 100644
--- a/openssl/src/ssl/test/mod.rs
+++ b/openssl/src/ssl/test/mod.rs
@@ -1023,7 +1023,9 @@ fn idle_session() {
 assert!(ssl.session().is_none());
 }
 
-/// possible LibreSSL bug since 3.2.1
+/// LibreSSL 3.2.1 enabled TLSv1.3 by default for clients and sessions do
+/// not work due to lack of PSK support. The test passes with NO_TLSV1_3,
+/// but let's ignore it until LibreSSL supports it out of the box.
 #[test]
 #[cfg_attr(libressl321, ignore)]
 fn active_session() {
@@ -1081,7 +1083,9 @@ fn status_callbacks() {
 assert!(CALLED_BACK_CLIENT.load(Ordering::SeqCst));
 }
 
-/// possible LibreSSL bug since 3.2.1
+/// LibreSSL 3.2.1 enabled TLSv1.3 by default for clients and sessions do
+/// not work due to lack of PSK support. The test passes with NO_TLSV1_3,
+/// but let's ignore it until LibreSSL supports it out of the box.
 #[test]
 #[cfg_attr(libressl321, ignore)]
 fn new_session_callback() {
@@ -1106,7 +1110,9 @@ fn new_session_callback() { assert!(CALLED_BACK.load(Ordering::SeqCst)); } -/// possible LibreSSL bug since 3.2.1 +/// LibreSSL 3.2.1 enabled TLSv1.3 by default for clients and sessions do +/// not work due to lack of PSK support. The test passes with NO_TLSV1_3, +/// but let's ignore it until LibreSSL supports it out of the box. #[test] #[cfg_attr(libressl321, ignore)] fn new_session_callback_swapped_ctx() { @@ -1568,3 +1574,17 @@ fn set_num_tickets() { let ssl = ssl; assert_eq!(5, ssl.num_tickets()); } + +#[test] +#[cfg(ossl110)] +fn set_security_level() { + let mut ctx = SslContext::builder(SslMethod::tls_server()).unwrap(); + ctx.set_security_level(3); + let ctx = ctx.build(); + assert_eq!(3, ctx.security_level()); + + let mut ssl = Ssl::new(&ctx).unwrap(); + ssl.set_security_level(4); + let ssl = ssl; + assert_eq!(4, ssl.security_level()); +} diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 7ebb70338e..7cf152e3c1 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -252,12 +252,12 @@ impl Cipher { unsafe { Cipher(ffi::EVP_bf_ecb()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_BF")))] + #[cfg(not(osslconf = "OPENSSL_NO_BF"))] pub fn bf_cfb64() -> Cipher { unsafe { Cipher(ffi::EVP_bf_cfb64()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_BF")))] + #[cfg(not(osslconf = "OPENSSL_NO_BF"))] pub fn bf_ofb() -> Cipher { unsafe { Cipher(ffi::EVP_bf_ofb()) } } 
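Review bot: The new `set_security_level` test is gated `#[cfg(ossl110)]`, while the API it exercises is gated `#[cfg(any(ossl110, libressl360))]` in `ssl/mod.rs`, so the LibreSSL path this commit adds is never run in CI. Use the same gate, `#[cfg(any(ossl110, libressl360))]`, unless LibreSSL is known to behave differently, in which case a comment on the test should say so.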
@@ -288,6 +288,26 @@ impl Cipher { unsafe { Cipher(ffi::EVP_rc4()) } } + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn camellia_128_cbc() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_128_cbc()) } + } + + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn camellia_192_cbc() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_192_cbc()) } + } + + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] + pub fn camellia_256_cbc() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_256_cbc()) } + } + + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] + pub fn cast5_cbc() -> Cipher { + unsafe { Cipher(ffi::EVP_cast5_cbc()) } + } + /// Requires OpenSSL 1.1.0 or newer. #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn chacha20() -> Cipher { @@ -300,22 +320,27 @@ impl Cipher { unsafe { Cipher(ffi::EVP_chacha20_poly1305()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED")))] + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] + pub fn idea_cbc() -> Cipher { + unsafe { Cipher(ffi::EVP_idea_cbc()) } + } + + #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] pub fn seed_cbc() -> Cipher { unsafe { Cipher(ffi::EVP_seed_cbc()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED")))] + #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] pub fn seed_cfb128() -> Cipher { unsafe { Cipher(ffi::EVP_seed_cfb128()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED")))] + #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] pub fn seed_ecb() -> Cipher { unsafe { Cipher(ffi::EVP_seed_ecb()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED")))] + #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] pub fn seed_ofb() -> Cipher { unsafe { Cipher(ffi::EVP_seed_ofb()) } } @@ -1534,7 +1559,7 @@ mod tests { } #[test] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED", ossl300)))] + #[cfg(not(any(osslconf = "OPENSSL_NO_SEED", ossl300)))] fn test_seed_cbc() { #[cfg(ossl300)] let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); 
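Review bot: The new `camellia_128_cbc`, `camellia_192_cbc`, `camellia_256_cbc`, `cast5_cbc` and `idea_cbc` constructors carry no doc comment, unlike `chacha20` just below them, and no known-answer tests are added next to the existing `test_seed_*` ones. CAST5 and IDEA are legacy algorithms; the SEED tests in this same hunk load the `legacy` provider under `ossl300`, and those two ciphers need the same treatment on OpenSSL 3, so a note such as `/// On OpenSSL 3.0 and later this cipher is only available when the legacy provider is loaded.` on `cast5_cbc` and `idea_cbc` would spare users a confusing lookup failure. A test per new cipher in the style of `test_seed_cbc`, with the same `ossl300` provider handling, would keep them covered.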
@@ -1548,7 +1573,7 @@ mod tests { } #[test] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED", ossl300)))] + #[cfg(not(any(osslconf = "OPENSSL_NO_SEED", ossl300)))] fn test_seed_cfb128() { #[cfg(ossl300)] let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); @@ -1562,7 +1587,7 @@ mod tests { } #[test] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED", ossl300)))] + #[cfg(not(any(osslconf = "OPENSSL_NO_SEED", ossl300)))] fn test_seed_ecb() { #[cfg(ossl300)] let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); @@ -1576,7 +1601,7 @@ mod tests { } #[test] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED", ossl300)))] + #[cfg(not(any(osslconf = "OPENSSL_NO_SEED", ossl300)))] fn test_seed_ofb() { #[cfg(ossl300)] let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 24605df806..97242ff4d8 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -832,7 +832,7 @@ impl Ord for X509 { impl PartialOrd for X509 { fn partial_cmp(&self, other: &Self) -> Option { - X509Ref::partial_cmp(self, other) + Some(self.cmp(other)) } } @@ -1746,6 +1746,17 @@ unsafe impl ExtensionType for CertificateIssuer { type Output = Stack; } +/// The CRL extension identifying how to access information and services for the issuer of the CRL +pub enum AuthorityInformationAccess {} + +// SAFETY: AuthorityInformationAccess is defined to be a stack of AccessDescription in the RFC +// and in OpenSSL. +unsafe impl ExtensionType for AuthorityInformationAccess { + const NID: Nid = Nid::from_raw(ffi::NID_info_access); + + type Output = Stack; +} + foreign_type_and_impl_send_sync! { type CType = ffi::X509_CRL; fn drop = ffi::X509_CRL_free; 
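Review bot: The doc comment `/// The CRL extension identifying how to access information and services for the issuer of the CRL` presents Authority Information Access as CRL-specific, but the same extension is defined for certificates as well (RFC 5280 §4.2.2.1, and §5.2.7 for CRLs), and nothing in this hunk ties `ExtensionType` to CRLs. Consider `/// The Authority Information Access extension, identifying how to access information and services for the issuer of the certificate or CRL.` so users do not assume it cannot be used with `X509`. The `// SAFETY:` comment on the `unsafe impl` is appreciated.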
@@ -1915,6 +1926,36 @@ impl X509CrlRef {
 {
 unsafe { cvt_n(ffi::X509_CRL_verify(self.as_ptr(), key.as_ptr())).map(|n| n != 0) }
 }
+
+ /// Get the criticality and value of an extension.
+ ///
+ /// This returns None if the extension is not present or occurs multiple times.
+ #[corresponds(X509_CRL_get_ext_d2i)]
+ pub fn extension(&self) -> Result, ErrorStack> {
+ let mut critical = -1;
+ let out = unsafe {
+ // SAFETY: self.as_ptr() is a valid pointer to an X509_CRL.
+ let ext = ffi::X509_CRL_get_ext_d2i(
+ self.as_ptr(),
+ T::NID.as_raw(),
+ &mut critical as *mut _,
+ ptr::null_mut(),
+ );
+ // SAFETY: Extensions's contract promises that the type returned by
+ // OpenSSL here is T::Output.
+ T::Output::from_ptr_opt(ext as *mut _)
+ };
+ match (critical, out) {
+ (0, Some(out)) => Ok(Some((false, out))),
+ (1, Some(out)) => Ok(Some((true, out))),
+ // -1 means the extension wasn't found, -2 means multiple were found.
+ (-1 | -2, _) => Ok(None),
+ // A critical value of 0 or 1 suggests success, but a null pointer
+ // was returned so something went wrong.
+ (0 | 1, None) => Err(ErrorStack::get()),
+ (c_int::MIN..=-2 | 2.., _) => panic!("OpenSSL should only return -2, -1, 0, or 1 for an extension's criticality but it returned {}", critical),
+ }
+ }
 }
 
 /// The result of peer certificate verification.
@@ -2459,6 +2500,8 @@ impl X509PurposeId {
 pub const ANY: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_ANY);
 pub const OCSP_HELPER: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_OCSP_HELPER);
 pub const TIMESTAMP_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_TIMESTAMP_SIGN);
+ #[cfg(ossl320)]
+ pub const CODE_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_CODE_SIGN);
 
 /// Constructs an `X509PurposeId` from a raw OpenSSL value.
 pub fn from_raw(id: c_int) -> Self {
diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs
index da3ce2fed2..a4a3de970c 100644
--- a/openssl/src/x509/tests.rs
+++ b/openssl/src/x509/tests.rs
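Review bot: In the final `match` arm of `X509CrlRef::extension`, the range `c_int::MIN..=-2` overlaps the earlier `(-1 | -2, _) => Ok(None)` arm, so `-2` is listed both as "multiple found" and as a value that should never occur; the earlier arm wins, so it is harmless today, but it misstates the contract and would hide a mistake if the arms were ever reordered. Tighten it to `(c_int::MIN..=-3 | 2.., _) => panic!(...)`. It would also help to note above `let mut critical = -1;` that the initial value doubles as the "not found" answer should the library leave it untouched, since the match depends on that.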
@@ -34,7 +34,7 @@ use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] use libc::time_t; -use super::{CertificateIssuer, ReasonCode}; +use super::{AuthorityInformationAccess, CertificateIssuer, ReasonCode}; fn pkey() -> PKey { let rsa = Rsa::generate(2048).unwrap(); @@ -701,6 +701,24 @@ fn test_crl_entry_extensions() { let crl = include_bytes!("../../test/entry_extensions.crl"); let crl = X509Crl::from_pem(crl).unwrap(); + let (critical, access_info) = crl + .extension::() + .unwrap() + .expect("Authority Information Access extension should be present"); + assert!( + !critical, + "Authority Information Access extension is not critical" + ); + assert_eq!( + access_info.len(), + 1, + "Authority Information Access should have one entry" + ); + assert_eq!(access_info[0].method().to_string(), "CA Issuers"); + assert_eq!( + access_info[0].location().uri(), + Some("http://www.example.com/ca.crt") + ); let revoked_certs = crl.get_revoked().unwrap(); let entry = &revoked_certs[0]; diff --git a/openssl/test/entry_extensions.crl b/openssl/test/entry_extensions.crl index 9654171cf1..5b0ee298ed 100644 --- a/openssl/test/entry_extensions.crl +++ b/openssl/test/entry_extensions.crl 
@@ -1,10 +1,11 @@ -----BEGIN X509 CRL----- -MIIBXDCCAQICAQEwCgYIKoZIzj0EAwIwETEPMA0GA1UEAwwGQ1JMIENBFw0yMzAz -MjgwOTQ5MThaFw0yMzA0MDQwOTUwMDdaMIGAMH4CFE+Y95/1pOqa6c9fUEJ8c04k -xu2PFw0yMzAzMjgwOTQ3MzNaMFcwLwYDVR0dAQH/BCUwI6QhMB8xCzAJBgNVBAYT -AkdCMRAwDgYDVQQDDAdUZXN0IENBMAoGA1UdFQQDCgEBMBgGA1UdGAQRGA8yMDIz -MDMyODA5NDQ0MFqgPTA7MB8GA1UdIwQYMBaAFNX1GZ0RWuC+4gz1wuy5H32T2W+R -MAoGA1UdFAQDAgEUMAwGA1UdHAQFMAOEAf8wCgYIKoZIzj0EAwIDSAAwRQIgbl7x -W+WVAb+zlvKcJLmHVuC+gbqR4jqwGIHHgQl2J8kCIQCo/sAF5sDqy/cL+fbzBeUe -YoY2h6lIkj9ENwU8ZCt03w== +MIIBojCCAUkCAQEwCgYIKoZIzj0EAwIwHTEbMBkGA1UEAwwSY3J5cHRvZ3JhcGh5 +LmlvIENBFw0yMzA3MjUxNDA1MzlaFw0yMzA4MDExNDA1MzlaMIGAMH4CFE+Y95/1 +pOqa6c9fUEJ8c04kxu2PFw0yMzA3MjUxNDA1MzlaMFcwLwYDVR0dAQH/BCUwI6Qh +MB8xCzAJBgNVBAYTAkdCMRAwDgYDVQQDDAdUZXN0IENBMAoGA1UdFQQDCgEBMBgG +A1UdGAQRGA8yMDIzMDcyNTE0MDUzOVqgeDB2MB8GA1UdIwQYMBaAFK6qKNgsGefh +XexO9WsIwiQ/73R8MAoGA1UdFAQDAgEUMAwGA1UdHAQFMAOEAf8wOQYIKwYBBQUH +AQEELTArMCkGCCsGAQUFBzAChh1odHRwOi8vd3d3LmV4YW1wbGUuY29tL2NhLmNy +dDAKBggqhkjOPQQDAgNHADBEAiB22SXxFnQUB41uxfyCvg2dAs2nFiR0r8jft/cd +G8zcKAIgeYkNOzRn4lyopK6J94rhm8jIIuJRj3Ns9XcH+91N370= -----END X509 CRL----- diff --git a/systest/Cargo.toml b/systest/Cargo.toml index 97a5405b0e..d1e55ac3f2 100644 --- a/systest/Cargo.toml +++ b/systest/Cargo.toml @@ -9,7 +9,7 @@ libc = "0.2" openssl-sys = { path = "../openssl-sys" } [build-dependencies] -ctest2 = "0.4" +ctest2 = "0.4.7" [features] vendored = ['openssl-sys/vendored'] diff --git a/systest/build.rs b/systest/build.rs index 53407eafad..833e09fb5c 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -69,8 +69,11 @@ fn main() { .header("openssl/evp.h") .header("openssl/x509_vfy.h"); - if libressl_version.is_some() { + if let Some(version) = libressl_version { cfg.header("openssl/poly1305.h"); + if version >= 0x30600000 { + cfg.header("openssl/kdf.h"); + } } if let Some(version) = openssl_version {
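Review bot: The threshold `if version >= 0x30600000 {` in `systest/build.rs` is a bare magic number; a comment naming the release it encodes, e.g. `// LibreSSL 3.6.0 and later ship openssl/kdf.h (HKDF support).`, would tie it to the `libressl360` gates this commit adds in `openssl/src/pkey_ctx.rs` and keep the header list readable. The encoding of `libressl_version` is not visible here, so confirm the constant against the crate's version detection before wording the comment.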