From 5fffb2b285c41106eff5902ce3ea059902bf0a70 Mon Sep 17 00:00:00 2001 From: Josh Robson Chase Date: Fri, 7 Jun 2019 10:26:17 -0400 Subject: [PATCH 001/209] Add higher-level bindings to the API CRLs --- openssl/src/x509/mod.rs | 151 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 151 insertions(+) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 8df2818a5e..2d8cd5df73 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1296,6 +1296,136 @@ impl X509ReqRef { } } +foreign_type_and_impl_send_sync! { + type CType = ffi::X509_CRL; + fn drop = ffi::X509_CRL_free; + + /// An `X509` certificate request. + pub struct X509Crl; + /// Reference to `X509Crl`. + pub struct X509CrlRef; +} + +impl X509Crl { + from_pem! { + /// Deserializes a PEM-encoded Certificate Revocation List + /// + /// The input should have a header of `-----BEGIN X509 CRL-----`. + /// + /// This corresponds to [`PEM_read_bio_X509_CRL`]. + /// + /// [`PEM_read_bio_X509_CRL`]: https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_X509_REQ.html + from_pem, + X509Crl, + ffi::PEM_read_bio_X509_CRL + } + + from_der! { + /// Deserializes a DER-encoded Certificate Revocation List + /// + /// This corresponds to [`d2i_X509_CRL`]. + /// + /// [`d2i_X509_CRL`]: https://www.openssl.org/docs/man1.1.0/crypto/d2i_X509_REQ.html + from_der, + X509Crl, + ffi::d2i_X509_CRL + } +} + +impl X509CrlRef { + to_pem! { + /// Serializes the certificate request to a PEM-encoded Certificate Revocation List. + /// + /// The output will have a header of `-----BEGIN X509 CRL-----`. + /// + /// This corresponds to [`PEM_write_bio_X509_CRL`]. + /// + /// [`PEM_write_bio_X509_CRL`]: https://www.openssl.org/docs/man1.0.2/crypto/PEM_write_bio_X509_REQ.html + to_pem, + ffi::PEM_write_bio_X509_CRL + } + + to_der! { + /// Serializes the certificate request to a DER-encoded Certificate Revocation List. + /// + /// This corresponds to [`i2d_X509_CRL`]. + /// + /// [`i2d_X509_CRL`]: https://www.openssl.org/docs/man1.0.2/crypto/i2d_X509_REQ.html + to_der, + ffi::i2d_X509_CRL + } + + /// Returns the CRL's `lastUpdate` time. + /// + /// This corresponds to [`X509_CRL_get0_lastUpdate"] + /// + /// [`X509_CRL_get0_lastUpdate`]: https://www.openssl.org/docs/man1.1.1/man3/X509_CRL_get0_lastUpdate.html + pub fn last_update(&self) -> &Asn1TimeRef { + unsafe { + let date = X509_CRL_get0_lastUpdate(self.as_ptr()); + assert!(!date.is_null()); + Asn1TimeRef::from_ptr(date as *mut _) + } + } + + /// Returns the CRL's `nextUpdate` time. + /// + /// If the `nextUpdate` field is missing, returns `None`. + /// + /// This corresponds to [`X509_CRL_get0_nextUpdate"] + /// + /// [`X509_CRL_get0_nextUpdate`]: https://www.openssl.org/docs/man1.1.1/man3/X509_CRL_get0_nextUpdate.html + pub fn next_update(&self) -> Option<&Asn1TimeRef> { + unsafe { + let date = X509_CRL_get0_nextUpdate(self.as_ptr()); + if date.is_null() { + None + } else { + Some(Asn1TimeRef::from_ptr(date as *mut _)) + } + } + } + + /// Check if the provided certificate is in the revocation list. + pub fn is_revoked(&self, cert: &X509Ref) -> bool { + unsafe { + let mut ret = ptr::null_mut::(); + ffi::X509_CRL_get0_by_serial( + self.as_ptr(), + &mut ret as *mut _, + cert.serial_number().as_ptr(), + ); + !ret.is_null() + } + } + + /// Get the issuer name from the revocation list. + pub fn issuer_name(&self) -> &X509NameRef { + unsafe { + let name = X509_CRL_get_issuer(self.as_ptr()); + assert!(!name.is_null()); + X509NameRef::from_ptr(name) + } + } + + /// Check if the CRL is signed using the given public key. + /// + /// Only the signature is checked: no other checks (such as certificate chain validity) + /// are performed. + /// + /// Returns `true` if verification succeeds. + /// + /// This corresponds to [`X509_CRL_verify"]. + /// + /// [`X509_CRL_verify`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_CRL_verify.html + pub fn verify(&self, key: &PKeyRef) -> Result + where + T: HasPublic, + { + unsafe { cvt_n(ffi::X509_CRL_verify(self.as_ptr(), key.as_ptr())).map(|n| n != 0) } + } +} + /// The result of peer certificate verification. #[derive(Copy, Clone, PartialEq, Eq)] pub struct X509VerifyResult(c_int); @@ -1612,3 +1742,24 @@ cfg_if! { } } } + +cfg_if! { + if #[cfg(ossl110)] { + use ffi::{ + X509_CRL_get_issuer, X509_CRL_get0_nextUpdate, X509_CRL_get0_lastUpdate, + }; + } else { + #[allow(bad_style)] + unsafe fn X509_CRL_get0_lastUpdate(x: *const ffi::X509_CRL) -> *mut ffi::ASN1_TIME { + (*(*x).crl).lastUpdate + } + #[allow(bad_style)] + unsafe fn X509_CRL_get0_nextUpdate(x: *const ffi::X509_CRL) -> *mut ffi::ASN1_TIME { + (*(*x).crl).nextUpdate + } + #[allow(bad_style)] + unsafe fn X509_CRL_get_issuer(x: *const ffi::X509_CRL) -> *mut ffi::X509_NAME { + (*(*x).crl).issuer + } + } +} From 47c487c98d42764f6956956540eb70ef68f3d0e9 Mon Sep 17 00:00:00 2001 From: Josh Robson Chase Date: Mon, 10 Jun 2019 10:14:14 -0400 Subject: [PATCH 002/209] Expose higher-level bindings to X509Revoked --- openssl/src/x509/mod.rs | 120 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 112 insertions(+), 8 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 2d8cd5df73..ec7e8909d3 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1296,6 +1296,63 @@ impl X509ReqRef { } } +foreign_type_and_impl_send_sync! { + type CType = ffi::X509_REVOKED; + fn drop = ffi::X509_REVOKED_free; + + /// An `X509` certificate request. + pub struct X509Revoked; + /// Reference to `X509Crl`. + pub struct X509RevokedRef; +} + +impl Stackable for X509Revoked { + type StackType = ffi::stack_st_X509_REVOKED; +} + +impl X509Revoked { + from_der! { + /// Deserializes a DER-encoded certificate revokation status + /// + /// This corresponds to [`d2i_X509_REVOKED`]. + /// + /// [`d2i_X509_REVOKED`]: https://www.openssl.org/docs/man1.1.0/crypto/d2i_X509_REVOKED.html + from_der, + X509Revoked, + ffi::d2i_X509_REVOKED + } +} + +impl X509RevokedRef { + to_der! { + /// Serializes the certificate request to a DER-encoded certificate revocation status + /// + /// This corresponds to [`i2d_X509_REVOKED`]. + /// + /// [`i2d_X509_REVOKED`]: https://www.openssl.org/docs/man1.0.2/crypto/i2d_X509_REQ.html + to_der, + ffi::i2d_X509_REVOKED + } + + /// Get the date that the certificate was revoked + pub fn revocation_date(&self) -> &Asn1TimeRef { + unsafe { + let r = X509_REVOKED_get0_revocationDate(self.as_ptr() as *const _); + assert!(!r.is_null()); + Asn1TimeRef::from_ptr(r as *mut _) + } + } + + /// Get the serial number of the revoked certificate + pub fn serial_number(&self) -> &Asn1IntegerRef { + unsafe { + let r = X509_REVOKED_get0_serialNumber(self.as_ptr() as *const _); + assert!(!r.is_null()); + Asn1IntegerRef::from_ptr(r as *mut _) + } + } +} + foreign_type_and_impl_send_sync! { type CType = ffi::X509_CRL; fn drop = ffi::X509_CRL_free; @@ -1355,6 +1412,18 @@ impl X509CrlRef { ffi::i2d_X509_CRL } + /// Get the stack of revocation entries + pub fn get_revoked(&self) -> Option> { + unsafe { + let revoked = X509_CRL_get_REVOKED(self.as_ptr()); + if revoked.is_null() { + None + } else { + Some(Stack::from_ptr(revoked)) + } + } + } + /// Returns the CRL's `lastUpdate` time. /// /// This corresponds to [`X509_CRL_get0_lastUpdate"] @@ -1386,16 +1455,37 @@ impl X509CrlRef { } } - /// Check if the provided certificate is in the revocation list. - pub fn is_revoked(&self, cert: &X509Ref) -> bool { + /// Get the revocation status of a certificate by its serial number + /// + /// This corresponds to [`X509_CRL_get0_by_serial`] + /// + /// [`X509_CRL_get0_by_serial`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_CRL_get0_by_serial.html + pub fn get_by_serial(&self, serial: &Asn1IntegerRef) -> Option<&X509RevokedRef> { unsafe { let mut ret = ptr::null_mut::(); - ffi::X509_CRL_get0_by_serial( - self.as_ptr(), - &mut ret as *mut _, - cert.serial_number().as_ptr(), - ); - !ret.is_null() + ffi::X509_CRL_get0_by_serial(self.as_ptr(), &mut ret as *mut _, serial.as_ptr()); + if ret.is_null() { + None + } else { + Some(X509RevokedRef::from_ptr(ret)) + } + } + } + + /// Get the revocation status of a certificate + /// + /// This corresponds to [`X509_CRL_get0_by_cert`] + /// + /// [`X509_CRL_get0_by_cert`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_CRL_get0_by_cert.html + pub fn get_by_cert(&self, cert: &X509) -> Option<&X509RevokedRef> { + unsafe { + let mut ret = ptr::null_mut::(); + ffi::X509_CRL_get0_by_cert(self.as_ptr(), &mut ret as *mut _, cert.as_ptr()); + if ret.is_null() { + None + } else { + Some(X509RevokedRef::from_ptr(ret)) + } } } @@ -1747,6 +1837,8 @@ cfg_if! { if #[cfg(ossl110)] { use ffi::{ X509_CRL_get_issuer, X509_CRL_get0_nextUpdate, X509_CRL_get0_lastUpdate, + X509_CRL_get_REVOKED, + X509_REVOKED_get0_revocationDate, X509_REVOKED_get0_serialNumber, }; } else { #[allow(bad_style)] @@ -1761,5 +1853,17 @@ cfg_if! { unsafe fn X509_CRL_get_issuer(x: *const ffi::X509_CRL) -> *mut ffi::X509_NAME { (*(*x).crl).issuer } + #[allow(bad_style)] + unsafe fn X509_CRL_get_REVOKED(x: *const ffi::X509_CRL) -> *mut ffi::stack_st_X509_REVOKED { + (*(*x).crl).revoked + } + #[allow(bad_style)] + unsafe fn X509_REVOKED_get0_serialNumber(x: *const ffi::X509_REVOKED) -> *mut ffi::ASN1_INTEGER { + (*x).serialNumber + } + #[allow(bad_style)] + unsafe fn X509_REVOKED_get0_revocationDate(x: *const ffi::X509_REVOKED) -> *mut ffi::ASN1_TIME { + (*x).revocationDate + } } } From 3b3b4994b2d5a36dffda671d69b3ee69cdcad1de Mon Sep 17 00:00:00 2001 From: Josh Robson Chase Date: Mon, 10 Jun 2019 13:12:26 -0400 Subject: [PATCH 003/209] Add basic CRL test --- openssl/src/x509/tests.rs | 23 +++++++++- openssl/test/ca.crt | 88 ++++++++++++++++++++++++++++++++++++++ openssl/test/crl-ca.crt | 20 +++++++++ openssl/test/subca.crt | 88 ++++++++++++++++++++++++++++++++++++++ openssl/test/test.crl | Bin 0 -> 469 bytes 5 files changed, 218 insertions(+), 1 deletion(-) create mode 100644 openssl/test/ca.crt create mode 100644 openssl/test/crl-ca.crt create mode 100644 openssl/test/subca.crt create mode 100644 openssl/test/test.crl diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 155a16a8d8..a21169e7f9 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -14,7 +14,7 @@ use crate::x509::store::X509StoreBuilder; use crate::x509::verify::X509VerifyFlags; #[cfg(ossl110)] use crate::x509::X509Builder; -use crate::x509::{X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; +use crate::x509::{X509Crl, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; use hex::{self, FromHex}; fn pkey() -> PKey { @@ -453,3 +453,24 @@ fn x509_ref_version_no_version_set() { "Default certificate version is incorrect", ); } + +#[test] +fn test_load_crl() { + let ca = include_bytes!("../../test/crl-ca.crt"); + let ca = X509::from_pem(ca).unwrap(); + + let crl = include_bytes!("../../test/test.crl"); + let crl = X509Crl::from_der(crl).unwrap(); + assert!(crl.verify(&ca.public_key().unwrap()).unwrap()); + + let cert = include_bytes!("../../test/subca.crt"); + let cert = X509::from_pem(cert).unwrap(); + + let revoked = crl.get_by_cert(&cert).unwrap(); + + assert_eq!( + revoked.serial_number().to_bn().unwrap(), + cert.serial_number().to_bn().unwrap(), + "revoked and cert serial numbers should match" + ); +} diff --git a/openssl/test/ca.crt b/openssl/test/ca.crt new file mode 100644 index 0000000000..a0a8ab2390 --- /dev/null +++ b/openssl/test/ca.crt @@ -0,0 +1,88 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 13:ae:da:d8:f4:18:d7:73:b8:bd:35:c9:ce:8e:b3:fc + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=TestCA + Validity + Not Before: Jun 6 19:11:19 2019 GMT + Not After : May 21 19:11:19 2022 GMT + Subject: CN=SubCA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b0:09:fc:54:e7:6a:9f:0c:bd:ad:5a:8d:ef:94: + 4e:11:a6:87:19:4f:bf:a6:e1:62:a5:2d:b7:17:df: + 67:53:70:da:fe:7d:99:17:ee:13:47:0b:40:0b:a2: + 34:32:a9:d3:bf:20:fc:13:77:a1:d5:26:60:1f:f0: + d4:be:dc:76:7c:1e:6c:b4:4c:01:7c:56:cd:5c:53: + ec:81:b3:81:2a:b2:35:26:06:5a:79:e0:b3:9e:e4: + 57:e1:09:de:ad:7f:c8:cd:87:ee:49:93:30:52:58: + b2:bc:0f:c1:b6:10:44:f8:85:d5:5b:0a:9b:28:fe: + f4:f4:4a:16:a6:f7:25:e9:96:47:69:73:5b:33:77: + 92:7d:61:8d:2a:3d:d5:04:89:40:bf:6b:d2:fd:5d: + e2:1a:80:a9:8e:c8:92:f6:e5:4c:00:84:f9:6e:2a: + 93:a3:23:ee:28:23:81:f4:54:f0:18:2c:ee:32:8e: + 38:9c:a0:c8:33:04:b0:fc:4c:43:1a:5c:04:84:9f: + 73:c6:08:c7:1d:64:39:fe:72:19:3b:cc:a5:fd:0b: + 43:25:0d:2b:a9:88:77:9e:62:e6:ac:c2:9a:60:42: + 4f:4a:54:47:bc:a0:29:72:7c:38:52:c9:ea:27:c5: + 3d:d0:81:4a:3e:b8:78:79:4b:89:b8:4e:6d:1b:24: + 15:bd + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 CRL Distribution Points: + + Full Name: + URI:http://127.0.0.1:8081/pki/test.crl + + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + FD:82:45:39:A1:91:41:F2:66:CC:0D:75:D5:0D:40:D5:81:A7:A1:43 + X509v3 Authority Key Identifier: + keyid:C5:CC:F5:A1:8C:D9:E4:A7:BA:EC:21:F5:D1:84:23:EA:0D:C2:C7:30 + DirName:/CN=TestCA + serial:33:E7:04:87:09:32:87:21:D9:CD:7C:AA:4C:5A:BB:2C:6C:7B:54:28 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Signature Algorithm: sha256WithRSAEncryption + 96:a0:ff:8a:4b:bd:45:96:c9:72:3c:63:e3:48:c4:ab:ef:7e: + db:76:3f:d9:02:9e:69:c8:d9:36:55:e1:f5:9b:c9:69:d8:69: + 02:ac:50:8c:60:94:2c:2e:b9:a8:65:ac:f5:00:b0:8b:96:25: + 0b:8a:ef:94:21:57:e2:04:c2:c3:86:bf:06:4e:91:5c:e6:bc: + 1b:03:31:8b:64:ea:c5:79:c3:5c:94:e5:aa:67:7e:74:12:07: + 14:fd:cd:32:02:26:26:c9:0a:ed:d4:da:ee:2a:84:e3:f1:60: + b3:09:77:27:a1:3c:ac:ec:61:18:30:b5:6d:1f:16:0a:24:1a: + cf:1c:1b:60:a5:60:e5:2c:8b:cf:37:83:0c:15:e7:79:30:3f: + ee:50:45:7c:4b:c6:2c:cd:2c:81:0a:98:f1:65:44:7a:ca:2a: + 20:1a:de:19:d9:4b:ca:a1:e2:a4:b5:14:47:bf:b4:68:15:03: + c0:55:e5:f4:47:0e:55:9f:fe:85:d8:2c:7d:d0:1a:96:11:b9: + 68:b7:74:1e:61:94:c1:ae:87:52:2d:c6:26:ba:51:ed:f1:91: + c0:e6:4c:f8:ad:02:23:75:51:fc:f8:69:05:ec:cf:31:50:5a: + 41:78:eb:3d:27:4d:9b:68:ef:ba:0e:ba:3a:7d:60:00:9d:53: + a5:08:3d:c6 +-----BEGIN CERTIFICATE----- +MIIDbDCCAlSgAwIBAgIQE67a2PQY13O4vTXJzo6z/DANBgkqhkiG9w0BAQsFADAR +MQ8wDQYDVQQDDAZUZXN0Q0EwHhcNMTkwNjA2MTkxMTE5WhcNMjIwNTIxMTkxMTE5 +WjAQMQ4wDAYDVQQDDAVTdWJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALAJ/FTnap8Mva1aje+UThGmhxlPv6bhYqUttxffZ1Nw2v59mRfuE0cLQAui +NDKp078g/BN3odUmYB/w1L7cdnwebLRMAXxWzVxT7IGzgSqyNSYGWnngs57kV+EJ +3q1/yM2H7kmTMFJYsrwPwbYQRPiF1VsKmyj+9PRKFqb3JemWR2lzWzN3kn1hjSo9 +1QSJQL9r0v1d4hqAqY7IkvblTACE+W4qk6Mj7igjgfRU8Bgs7jKOOJygyDMEsPxM +QxpcBISfc8YIxx1kOf5yGTvMpf0LQyUNK6mId55i5qzCmmBCT0pUR7ygKXJ8OFLJ +6ifFPdCBSj64eHlLibhObRskFb0CAwEAAaOBwDCBvTAzBgNVHR8ELDAqMCigJqAk +hiJodHRwOi8vMTI3LjAuMC4xOjgwODEvcGtpL3Rlc3QuY3JsMAwGA1UdEwQFMAMB +Af8wHQYDVR0OBBYEFP2CRTmhkUHyZswNddUNQNWBp6FDMEwGA1UdIwRFMEOAFMXM +9aGM2eSnuuwh9dGEI+oNwscwoRWkEzARMQ8wDQYDVQQDDAZUZXN0Q0GCFDPnBIcJ +Moch2c18qkxauyxse1QoMAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEA +lqD/iku9RZbJcjxj40jEq+9+23Y/2QKeacjZNlXh9ZvJadhpAqxQjGCULC65qGWs +9QCwi5YlC4rvlCFX4gTCw4a/Bk6RXOa8GwMxi2TqxXnDXJTlqmd+dBIHFP3NMgIm +JskK7dTa7iqE4/Fgswl3J6E8rOxhGDC1bR8WCiQazxwbYKVg5SyLzzeDDBXneTA/ +7lBFfEvGLM0sgQqY8WVEesoqIBreGdlLyqHipLUUR7+0aBUDwFXl9EcOVZ/+hdgs +fdAalhG5aLd0HmGUwa6HUi3GJrpR7fGRwOZM+K0CI3VR/PhpBezPMVBaQXjrPSdN +m2jvug66On1gAJ1TpQg9xg== +-----END CERTIFICATE----- diff --git a/openssl/test/crl-ca.crt b/openssl/test/crl-ca.crt new file mode 100644 index 0000000000..a4a9075af4 --- /dev/null +++ b/openssl/test/crl-ca.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPDCCAiSgAwIBAgIUM+cEhwkyhyHZzXyqTFq7LGx7VCgwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGVGVzdENBMB4XDTE5MDYwNjE5MTA1NVoXDTI5MDYwMzE5 +MTA1NVowETEPMA0GA1UEAwwGVGVzdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAtNcFPtD1MHcolhgTHIAx/b9OyawCbVzvgasv8R9+94ZMhoGc/tNc +dVg271pCSmj+zYAFYsIwjxW+iq2e5A/fiBc6uqtNfEbU7+77QzxFG5wIbXtmmqEb +dVbqBT28NeKTR6X+EHlNgbw90CHy7byA7LMewxbTt2q1eY1RnB0ji8zdGZmIUPeC +WxzkxXEd0fg+KwBFN3YHV9CJX2KJ10qv7DvbKHeIVBU7osm6tzvNglNnnT90GFSY +zc59b+zS00axcY3Kn08Vt+1qWB9Sl8tixCTGqR538y/ambDr3NCWsiQYWys9KE1L +g0nEaIjb84R7b+qNmPtOezd9tanx7j9UzQIDAQABo4GLMIGIMB0GA1UdDgQWBBTF +zPWhjNnkp7rsIfXRhCPqDcLHMDBMBgNVHSMERTBDgBTFzPWhjNnkp7rsIfXRhCPq +DcLHMKEVpBMwETEPMA0GA1UEAwwGVGVzdENBghQz5wSHCTKHIdnNfKpMWrssbHtU +KDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEA +gdyQq6F8DO5rn7rZSLehTFx6tbtfncC/BOXZEGLZO0ciTrQ9Q8xHwRhz0W09QE1A +/GsBzb++PuvAl9i82WvunyPB5KZh+GPiaaqf466MdQrXj+IyqxeC9Lg9wEUjwRgp +ANVd3moKap5IZ9WDvhyEng2Oy8/btP2iqVEmd58rGAodd671eOPD8QkIxSquiIwy +Cu5s3IBZ0BOuSG9fWoyPTGMKAhzQPFiXGvWOabCkMz3TsPYVY5ENpq2K8cWn2D/r +TD1yPPdINg6HrALGD3S0sD+k588oS7U5oj1L8V4KJQTLSbh6/XcBpasa5Jdv7ZZe +lVgt69Gsn5Cf2BkbwhbF2Q== +-----END CERTIFICATE----- diff --git a/openssl/test/subca.crt b/openssl/test/subca.crt new file mode 100644 index 0000000000..a0a8ab2390 --- /dev/null +++ b/openssl/test/subca.crt @@ -0,0 +1,88 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 13:ae:da:d8:f4:18:d7:73:b8:bd:35:c9:ce:8e:b3:fc + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=TestCA + Validity + Not Before: Jun 6 19:11:19 2019 GMT + Not After : May 21 19:11:19 2022 GMT + Subject: CN=SubCA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b0:09:fc:54:e7:6a:9f:0c:bd:ad:5a:8d:ef:94: + 4e:11:a6:87:19:4f:bf:a6:e1:62:a5:2d:b7:17:df: + 67:53:70:da:fe:7d:99:17:ee:13:47:0b:40:0b:a2: + 34:32:a9:d3:bf:20:fc:13:77:a1:d5:26:60:1f:f0: + d4:be:dc:76:7c:1e:6c:b4:4c:01:7c:56:cd:5c:53: + ec:81:b3:81:2a:b2:35:26:06:5a:79:e0:b3:9e:e4: + 57:e1:09:de:ad:7f:c8:cd:87:ee:49:93:30:52:58: + b2:bc:0f:c1:b6:10:44:f8:85:d5:5b:0a:9b:28:fe: + f4:f4:4a:16:a6:f7:25:e9:96:47:69:73:5b:33:77: + 92:7d:61:8d:2a:3d:d5:04:89:40:bf:6b:d2:fd:5d: + e2:1a:80:a9:8e:c8:92:f6:e5:4c:00:84:f9:6e:2a: + 93:a3:23:ee:28:23:81:f4:54:f0:18:2c:ee:32:8e: + 38:9c:a0:c8:33:04:b0:fc:4c:43:1a:5c:04:84:9f: + 73:c6:08:c7:1d:64:39:fe:72:19:3b:cc:a5:fd:0b: + 43:25:0d:2b:a9:88:77:9e:62:e6:ac:c2:9a:60:42: + 4f:4a:54:47:bc:a0:29:72:7c:38:52:c9:ea:27:c5: + 3d:d0:81:4a:3e:b8:78:79:4b:89:b8:4e:6d:1b:24: + 15:bd + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 CRL Distribution Points: + + Full Name: + URI:http://127.0.0.1:8081/pki/test.crl + + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + FD:82:45:39:A1:91:41:F2:66:CC:0D:75:D5:0D:40:D5:81:A7:A1:43 + X509v3 Authority Key Identifier: + keyid:C5:CC:F5:A1:8C:D9:E4:A7:BA:EC:21:F5:D1:84:23:EA:0D:C2:C7:30 + DirName:/CN=TestCA + serial:33:E7:04:87:09:32:87:21:D9:CD:7C:AA:4C:5A:BB:2C:6C:7B:54:28 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Signature Algorithm: sha256WithRSAEncryption + 96:a0:ff:8a:4b:bd:45:96:c9:72:3c:63:e3:48:c4:ab:ef:7e: + db:76:3f:d9:02:9e:69:c8:d9:36:55:e1:f5:9b:c9:69:d8:69: + 02:ac:50:8c:60:94:2c:2e:b9:a8:65:ac:f5:00:b0:8b:96:25: + 0b:8a:ef:94:21:57:e2:04:c2:c3:86:bf:06:4e:91:5c:e6:bc: + 1b:03:31:8b:64:ea:c5:79:c3:5c:94:e5:aa:67:7e:74:12:07: + 14:fd:cd:32:02:26:26:c9:0a:ed:d4:da:ee:2a:84:e3:f1:60: + b3:09:77:27:a1:3c:ac:ec:61:18:30:b5:6d:1f:16:0a:24:1a: + cf:1c:1b:60:a5:60:e5:2c:8b:cf:37:83:0c:15:e7:79:30:3f: + ee:50:45:7c:4b:c6:2c:cd:2c:81:0a:98:f1:65:44:7a:ca:2a: + 20:1a:de:19:d9:4b:ca:a1:e2:a4:b5:14:47:bf:b4:68:15:03: + c0:55:e5:f4:47:0e:55:9f:fe:85:d8:2c:7d:d0:1a:96:11:b9: + 68:b7:74:1e:61:94:c1:ae:87:52:2d:c6:26:ba:51:ed:f1:91: + c0:e6:4c:f8:ad:02:23:75:51:fc:f8:69:05:ec:cf:31:50:5a: + 41:78:eb:3d:27:4d:9b:68:ef:ba:0e:ba:3a:7d:60:00:9d:53: + a5:08:3d:c6 +-----BEGIN CERTIFICATE----- +MIIDbDCCAlSgAwIBAgIQE67a2PQY13O4vTXJzo6z/DANBgkqhkiG9w0BAQsFADAR +MQ8wDQYDVQQDDAZUZXN0Q0EwHhcNMTkwNjA2MTkxMTE5WhcNMjIwNTIxMTkxMTE5 +WjAQMQ4wDAYDVQQDDAVTdWJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALAJ/FTnap8Mva1aje+UThGmhxlPv6bhYqUttxffZ1Nw2v59mRfuE0cLQAui +NDKp078g/BN3odUmYB/w1L7cdnwebLRMAXxWzVxT7IGzgSqyNSYGWnngs57kV+EJ +3q1/yM2H7kmTMFJYsrwPwbYQRPiF1VsKmyj+9PRKFqb3JemWR2lzWzN3kn1hjSo9 +1QSJQL9r0v1d4hqAqY7IkvblTACE+W4qk6Mj7igjgfRU8Bgs7jKOOJygyDMEsPxM +QxpcBISfc8YIxx1kOf5yGTvMpf0LQyUNK6mId55i5qzCmmBCT0pUR7ygKXJ8OFLJ +6ifFPdCBSj64eHlLibhObRskFb0CAwEAAaOBwDCBvTAzBgNVHR8ELDAqMCigJqAk +hiJodHRwOi8vMTI3LjAuMC4xOjgwODEvcGtpL3Rlc3QuY3JsMAwGA1UdEwQFMAMB +Af8wHQYDVR0OBBYEFP2CRTmhkUHyZswNddUNQNWBp6FDMEwGA1UdIwRFMEOAFMXM +9aGM2eSnuuwh9dGEI+oNwscwoRWkEzARMQ8wDQYDVQQDDAZUZXN0Q0GCFDPnBIcJ +Moch2c18qkxauyxse1QoMAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEA +lqD/iku9RZbJcjxj40jEq+9+23Y/2QKeacjZNlXh9ZvJadhpAqxQjGCULC65qGWs +9QCwi5YlC4rvlCFX4gTCw4a/Bk6RXOa8GwMxi2TqxXnDXJTlqmd+dBIHFP3NMgIm +JskK7dTa7iqE4/Fgswl3J6E8rOxhGDC1bR8WCiQazxwbYKVg5SyLzzeDDBXneTA/ +7lBFfEvGLM0sgQqY8WVEesoqIBreGdlLyqHipLUUR7+0aBUDwFXl9EcOVZ/+hdgs +fdAalhG5aLd0HmGUwa6HUi3GJrpR7fGRwOZM+K0CI3VR/PhpBezPMVBaQXjrPSdN +m2jvug66On1gAJ1TpQg9xg== +-----END CERTIFICATE----- diff --git a/openssl/test/test.crl b/openssl/test/test.crl new file mode 100644 index 0000000000000000000000000000000000000000..aead062c4d3945d2569eb9bca682f99801ec1af0 GIT binary patch literal 469 zcmXqLV!UY3xQmIA(SVnYQ>)FR?K>|cBR4C9fuJEjP>4B{g_(yfB(=E2*-@O=(9*!n z(7@2l)YQNt3dA)uGBAg74U`QOnFNH_-MaBb;(GCpy{0G6^=rZigUHb{Ul;b=e6oDk8^x~|Ta;h%9y)HYP;`kf7VDctjGwc#a~icP z-aK2g$|q{KPEK`*2AZ>(n;01x>e!C^`8Tb)ukIM*+bnQiGzTdng_%WuD6JikZ0Rp7+RNeg7o#!S^{ z5b$3;d(-X3wpCX`=I)G}%$BrRSl=#uiI(m8V(!m;yR_72Tr*m|H^_N{UTp~5J+0ZI zN%Q6%ZU|NH`+hL=T$r}ihd+;Rcgt;;H_LsxUFMR4;L7*xyC&Cdz2p4w>+J>4-`#7j z4qVjB&0xRCOYqCKzJCuj_o+>YQgTIF`ZcmsjHR)eyQu-Q8+0?ih_t#C{6sQXT0k^t> literal 0 HcmV?d00001 From 1645c32f1869d272324fee13ee121be16f837737 Mon Sep 17 00:00:00 2001 From: Josh Robson Chase Date: Tue, 11 Jun 2019 09:39:05 -0400 Subject: [PATCH 004/209] Return a borrowed stack and expose the `removeFromCrl` status --- openssl/src/x509/mod.rs | 62 +++++++++++++++++++++++++++++---------- openssl/src/x509/tests.rs | 7 +++-- 2 files changed, 51 insertions(+), 18 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index ec7e8909d3..9011cef293 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1363,6 +1363,23 @@ foreign_type_and_impl_send_sync! { pub struct X509CrlRef; } +/// The status of a certificate in a revoction list +/// +/// Corresponds to the return value from the [`X509_CRL_get0_by_*`] methods. +/// +/// [`X509_CRL_get0_by_*`]: https://www.openssl.org/docs/man1.1.0/man3/X509_CRL_get0_by_serial.html +pub enum CrlStatus<'a> { + /// The certificate is not present in the list + NotRevoked, + /// The certificate is in the list and is revoked + Revoked(&'a X509RevokedRef), + /// The certificate is in the list, but has the "removeFromCrl" status. + /// + /// This can occur if the certificate was revoked with the "CertificateHold" + /// reason, and has since been unrevoked. + RemoveFromCrl(&'a X509RevokedRef), +} + impl X509Crl { from_pem! { /// Deserializes a PEM-encoded Certificate Revocation List @@ -1413,13 +1430,13 @@ impl X509CrlRef { } /// Get the stack of revocation entries - pub fn get_revoked(&self) -> Option> { + pub fn get_revoked(&self) -> Option<&StackRef> { unsafe { let revoked = X509_CRL_get_REVOKED(self.as_ptr()); if revoked.is_null() { None } else { - Some(Stack::from_ptr(revoked)) + Some(StackRef::from_ptr(revoked)) } } } @@ -1455,20 +1472,36 @@ impl X509CrlRef { } } + // Helper used by the X509_CRL_get0_by_* methods to convert their return value to the status enum + unsafe fn to_crl_status<'a>( + status: c_int, + revoked_entry: *mut ffi::X509_REVOKED, + ) -> CrlStatus<'a> { + match status { + 0 => CrlStatus::NotRevoked, + 1 => { + assert!(!revoked_entry.is_null()); + CrlStatus::Revoked(X509RevokedRef::from_ptr(revoked_entry)) + } + 2 => { + assert!(!revoked_entry.is_null()); + CrlStatus::RemoveFromCrl(X509RevokedRef::from_ptr(revoked_entry)) + } + _ => unreachable!("X509_CRL_get0_by_{{serial,cert}} should only return 0, 1, or 2."), + } + } + /// Get the revocation status of a certificate by its serial number /// /// This corresponds to [`X509_CRL_get0_by_serial`] /// /// [`X509_CRL_get0_by_serial`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_CRL_get0_by_serial.html - pub fn get_by_serial(&self, serial: &Asn1IntegerRef) -> Option<&X509RevokedRef> { + pub fn get_by_serial<'a>(&'a self, serial: &Asn1IntegerRef) -> CrlStatus<'a> { unsafe { let mut ret = ptr::null_mut::(); - ffi::X509_CRL_get0_by_serial(self.as_ptr(), &mut ret as *mut _, serial.as_ptr()); - if ret.is_null() { - None - } else { - Some(X509RevokedRef::from_ptr(ret)) - } + let status = + ffi::X509_CRL_get0_by_serial(self.as_ptr(), &mut ret as *mut _, serial.as_ptr()); + Self::to_crl_status(status, ret) } } @@ -1477,15 +1510,12 @@ impl X509CrlRef { /// This corresponds to [`X509_CRL_get0_by_cert`] /// /// [`X509_CRL_get0_by_cert`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_CRL_get0_by_cert.html - pub fn get_by_cert(&self, cert: &X509) -> Option<&X509RevokedRef> { + pub fn get_by_cert<'a>(&'a self, cert: &X509) -> CrlStatus<'a> { unsafe { let mut ret = ptr::null_mut::(); - ffi::X509_CRL_get0_by_cert(self.as_ptr(), &mut ret as *mut _, cert.as_ptr()); - if ret.is_null() { - None - } else { - Some(X509RevokedRef::from_ptr(ret)) - } + let status = + ffi::X509_CRL_get0_by_cert(self.as_ptr(), &mut ret as *mut _, cert.as_ptr()); + Self::to_crl_status(status, ret) } } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index a21169e7f9..ce1f7901a2 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -14,7 +14,7 @@ use crate::x509::store::X509StoreBuilder; use crate::x509::verify::X509VerifyFlags; #[cfg(ossl110)] use crate::x509::X509Builder; -use crate::x509::{X509Crl, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; +use crate::x509::{CrlStatus, X509Crl, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; use hex::{self, FromHex}; fn pkey() -> PKey { @@ -466,7 +466,10 @@ fn test_load_crl() { let cert = include_bytes!("../../test/subca.crt"); let cert = X509::from_pem(cert).unwrap(); - let revoked = crl.get_by_cert(&cert).unwrap(); + let revoked = match crl.get_by_cert(&cert) { + CrlStatus::Revoked(revoked) => revoked, + _ => panic!("cert should be revoked"), + }; assert_eq!( revoked.serial_number().to_bn().unwrap(), From e02d167658a1e5b76de089a4dd67ba90e964382a Mon Sep 17 00:00:00 2001 From: Josh Robson Chase Date: Tue, 13 Apr 2021 10:33:04 -0400 Subject: [PATCH 005/209] Cargo fmt and refactor CrlStatus constructor to appease clippy --- openssl/src/x509/mod.rs | 47 ++++++++++++++++++++++----------------- openssl/src/x509/tests.rs | 4 +++- 2 files changed, 29 insertions(+), 22 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 9011cef293..e1f603563f 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1380,6 +1380,30 @@ pub enum CrlStatus<'a> { RemoveFromCrl(&'a X509RevokedRef), } +impl<'a> CrlStatus<'a> { + // Helper used by the X509_CRL_get0_by_* methods to convert their return + // value to the status enum. + // Safety note: the returned CrlStatus must not outlive the owner of the + // revoked_entry pointer. + unsafe fn from_ffi_status( + status: c_int, + revoked_entry: *mut ffi::X509_REVOKED, + ) -> CrlStatus<'a> { + match status { + 0 => CrlStatus::NotRevoked, + 1 => { + assert!(!revoked_entry.is_null()); + CrlStatus::Revoked(X509RevokedRef::from_ptr(revoked_entry)) + } + 2 => { + assert!(!revoked_entry.is_null()); + CrlStatus::RemoveFromCrl(X509RevokedRef::from_ptr(revoked_entry)) + } + _ => unreachable!("X509_CRL_get0_by_{{serial,cert}} should only return 0, 1, or 2."), + } + } +} + impl X509Crl { from_pem! { /// Deserializes a PEM-encoded Certificate Revocation List @@ -1472,25 +1496,6 @@ impl X509CrlRef { } } - // Helper used by the X509_CRL_get0_by_* methods to convert their return value to the status enum - unsafe fn to_crl_status<'a>( - status: c_int, - revoked_entry: *mut ffi::X509_REVOKED, - ) -> CrlStatus<'a> { - match status { - 0 => CrlStatus::NotRevoked, - 1 => { - assert!(!revoked_entry.is_null()); - CrlStatus::Revoked(X509RevokedRef::from_ptr(revoked_entry)) - } - 2 => { - assert!(!revoked_entry.is_null()); - CrlStatus::RemoveFromCrl(X509RevokedRef::from_ptr(revoked_entry)) - } - _ => unreachable!("X509_CRL_get0_by_{{serial,cert}} should only return 0, 1, or 2."), - } - } - /// Get the revocation status of a certificate by its serial number /// /// This corresponds to [`X509_CRL_get0_by_serial`] @@ -1501,7 +1506,7 @@ impl X509CrlRef { let mut ret = ptr::null_mut::(); let status = ffi::X509_CRL_get0_by_serial(self.as_ptr(), &mut ret as *mut _, serial.as_ptr()); - Self::to_crl_status(status, ret) + CrlStatus::from_ffi_status(status, ret) } } @@ -1515,7 +1520,7 @@ impl X509CrlRef { let mut ret = ptr::null_mut::(); let status = ffi::X509_CRL_get0_by_cert(self.as_ptr(), &mut ret as *mut _, cert.as_ptr()); - Self::to_crl_status(status, ret) + CrlStatus::from_ffi_status(status, ret) } } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index ce1f7901a2..2735f47d71 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -14,7 +14,9 @@ use crate::x509::store::X509StoreBuilder; use crate::x509::verify::X509VerifyFlags; #[cfg(ossl110)] use crate::x509::X509Builder; -use crate::x509::{CrlStatus, X509Crl, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; +use crate::x509::{ + CrlStatus, X509Crl, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509, +}; use hex::{self, FromHex}; fn pkey() -> PKey { From 6df9f1374a97bcd5138ea2d9a84e169d9b0b74aa Mon Sep 17 00:00:00 2001 From: iamwwc Date: Fri, 2 Dec 2022 11:04:10 +0800 Subject: [PATCH 006/209] sync to rust-openssl --- openssl-sys/src/ssl.rs | 6 ++++++ openssl/src/ssl/mod.rs | 13 +++++++++++++ 2 files changed, 19 insertions(+) diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs index 12243dc4fc..d3f09738c6 100644 --- a/openssl-sys/src/ssl.rs +++ b/openssl-sys/src/ssl.rs @@ -339,6 +339,8 @@ pub const SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: c_int = 71; #[cfg(any(libressl, all(ossl101, not(ossl110))))] pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77; pub const SSL_CTRL_GET_EXTRA_CHAIN_CERTS: c_int = 82; +#[cfg(ossl102)] +pub const SSL_CTRL_CHAIN_CERT: c_int = 89; #[cfg(any(ossl111, libressl252))] pub const SSL_CTRL_SET_GROUPS_LIST: c_int = 92; #[cfg(any(libressl, all(ossl102, not(ossl110))))] @@ -406,6 +408,10 @@ cfg_if! { } } } +#[cfg(ossl102)] +pub unsafe fn SSL_add_chain_certificate_pem(ssl: *mut ::SSL, ptr: *mut c_void) -> c_long { + SSL_ctrl(ssl, SSL_CTRL_CHAIN_CERT, 1, ptr) +} #[cfg(ossl102)] pub unsafe fn SSL_CTX_set1_sigalgs_list(ctx: *mut SSL_CTX, s: *const c_char) -> c_long { diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 4f349a4e4b..ec960fa107 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3104,6 +3104,19 @@ impl SslRef { } } } + #[corresponds(SSL_add1_chain_cert)] + #[cfg(ossl102)] + pub fn add_chain_certificate_pem(&mut self, chain: &[u8]) -> Result<(), ErrorStack> { + let cert = X509::from_pem(chain)?; + let ret = unsafe { + ffi::SSL_add_chain_certificate_pem(self.as_ptr(), cert.as_ptr() as *mut _ as *mut _) + }; + if ret == 1 { + Ok(()) + }else { + Err(ErrorStack::get()) + } + } } /// An SSL stream midway through the handshake process. From 21bf31dc3a6daf852984ed1fd75c031c3293a810 Mon Sep 17 00:00:00 2001 From: iamwwc Date: Fri, 2 Dec 2022 13:20:28 +0800 Subject: [PATCH 007/209] format code --- openssl/src/ssl/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index ec960fa107..88e550ba8d 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3113,7 +3113,7 @@ impl SslRef { }; if ret == 1 { Ok(()) - }else { + } else { Err(ErrorStack::get()) } } From 20f6cbee33e6dd062cbc235107fef82b20cf6434 Mon Sep 17 00:00:00 2001 From: iamwwc Date: Fri, 2 Dec 2022 17:17:45 +0800 Subject: [PATCH 008/209] remove duplicate as cast --- openssl/src/ssl/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 88e550ba8d..35da01f37c 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3109,7 +3109,7 @@ impl SslRef { pub fn add_chain_certificate_pem(&mut self, chain: &[u8]) -> Result<(), ErrorStack> { let cert = X509::from_pem(chain)?; let ret = unsafe { - ffi::SSL_add_chain_certificate_pem(self.as_ptr(), cert.as_ptr() as *mut _ as *mut _) + ffi::SSL_add_chain_certificate_pem(self.as_ptr(), cert.as_ptr() as *mut _ ) }; if ret == 1 { Ok(()) From a43e828460ec6980beba8fae17e858c6c498c3f9 Mon Sep 17 00:00:00 2001 From: iamwwc Date: Fri, 2 Dec 2022 17:43:16 +0800 Subject: [PATCH 009/209] make cargo fmt happy --- openssl/src/ssl/mod.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 35da01f37c..6d192fc594 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3108,9 +3108,8 @@ impl SslRef { #[cfg(ossl102)] pub fn add_chain_certificate_pem(&mut self, chain: &[u8]) -> Result<(), ErrorStack> { let cert = X509::from_pem(chain)?; - let ret = unsafe { - ffi::SSL_add_chain_certificate_pem(self.as_ptr(), cert.as_ptr() as *mut _ ) - }; + let ret = + unsafe { ffi::SSL_add_chain_certificate_pem(self.as_ptr(), cert.as_ptr() as *mut _) }; if ret == 1 { Ok(()) } else { From 0a44a12a1ed54695138450882f060905051f0ff1 Mon Sep 17 00:00:00 2001 From: iamwwc Date: Sun, 4 Dec 2022 10:27:11 +0800 Subject: [PATCH 010/209] rename function --- openssl-sys/src/ssl.rs | 2 +- openssl/src/ssl/mod.rs | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs index d3f09738c6..e38aa367f9 100644 --- a/openssl-sys/src/ssl.rs +++ b/openssl-sys/src/ssl.rs @@ -409,7 +409,7 @@ cfg_if! { } } #[cfg(ossl102)] -pub unsafe fn SSL_add_chain_certificate_pem(ssl: *mut ::SSL, ptr: *mut c_void) -> c_long { +pub unsafe fn SSL_add1_chain_cert(ssl: *mut ::SSL, ptr: *mut c_void) -> c_long { SSL_ctrl(ssl, SSL_CTRL_CHAIN_CERT, 1, ptr) } diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 6d192fc594..ddb1894a0f 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3106,10 +3106,9 @@ impl SslRef { } #[corresponds(SSL_add1_chain_cert)] #[cfg(ossl102)] - pub fn add_chain_certificate_pem(&mut self, chain: &[u8]) -> Result<(), ErrorStack> { + pub fn add_chain_cert_pem(&mut self, chain: &[u8]) -> Result<(), ErrorStack> { let cert = X509::from_pem(chain)?; - let ret = - unsafe { ffi::SSL_add_chain_certificate_pem(self.as_ptr(), cert.as_ptr() as *mut _) }; + let ret = unsafe { ffi::SSL_add1_chain_cert(self.as_ptr(), cert.as_ptr() as *mut _) }; if ret == 1 { Ok(()) } else { From bf02d2d8d3014880a8f9e095de0afaa353084a3f Mon Sep 17 00:00:00 2001 From: iamwwc Date: Mon, 5 Dec 2022 16:13:37 +0800 Subject: [PATCH 011/209] add unit test --- openssl/src/ssl/test/mod.rs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index ab8d79aab4..e12e4f0854 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1413,3 +1413,10 @@ fn session_cache_size() { let ctx = ctx.build(); assert_eq!(ctx.session_cache_size(), 1234); } + +#[test] +fn add_chain_cert_pem() { + let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); + let mut ssl = Ssl::new(&ctx).unwrap(); + assert!(ssl.add_chain_cert_pem(CERT).is_ok()); +} \ No newline at end of file From 8c475f7b316a2ba420688764fbf71b470415f60d Mon Sep 17 00:00:00 2001 From: iamwwc Date: Mon, 5 Dec 2022 16:13:51 +0800 Subject: [PATCH 012/209] fmt --- openssl/src/ssl/test/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index e12e4f0854..aa29233ab3 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1419,4 +1419,4 @@ fn add_chain_cert_pem() { let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); let mut ssl = Ssl::new(&ctx).unwrap(); assert!(ssl.add_chain_cert_pem(CERT).is_ok()); -} \ No newline at end of file +} From 5c2cc87431b5bfc8544e36694887fc5485982e0d Mon Sep 17 00:00:00 2001 From: iamwwc Date: Mon, 5 Dec 2022 16:16:07 +0800 Subject: [PATCH 013/209] reflect macro name --- openssl/src/ssl/mod.rs | 5 ++--- openssl/src/ssl/test/mod.rs | 3 ++- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index ddb1894a0f..460ef63fad 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3106,9 +3106,8 @@ impl SslRef { } #[corresponds(SSL_add1_chain_cert)] #[cfg(ossl102)] - pub fn add_chain_cert_pem(&mut self, chain: &[u8]) -> Result<(), ErrorStack> { - let cert = X509::from_pem(chain)?; - let ret = unsafe { ffi::SSL_add1_chain_cert(self.as_ptr(), cert.as_ptr() as *mut _) }; + pub fn add_chain_cert_pem(&mut self, chain: X509) -> Result<(), ErrorStack> { + let ret = unsafe { ffi::SSL_add1_chain_cert(self.as_ptr(), chain.as_ptr() as *mut _) }; if ret == 1 { Ok(()) } else { diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index aa29233ab3..39734a2f6a 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1417,6 +1417,7 @@ fn session_cache_size() { #[test] fn add_chain_cert_pem() { let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); + let cert = X509::from_pem(CERT).unwrap(); let mut ssl = Ssl::new(&ctx).unwrap(); - assert!(ssl.add_chain_cert_pem(CERT).is_ok()); + assert!(ssl.add_chain_cert_pem(cert).is_ok()); } From 24363b3e429e0f2072a14571a6f33e7f76a6887e Mon Sep 17 00:00:00 2001 From: iamwwc Date: Mon, 5 Dec 2022 16:26:17 +0800 Subject: [PATCH 014/209] test cfg. rename --- openssl/src/ssl/mod.rs | 2 +- openssl/src/ssl/test/mod.rs | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 460ef63fad..4016943802 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3106,7 +3106,7 @@ impl SslRef { } #[corresponds(SSL_add1_chain_cert)] #[cfg(ossl102)] - pub fn add_chain_cert_pem(&mut self, chain: X509) -> Result<(), ErrorStack> { + pub fn add_chain_cert(&mut self, chain: X509) -> Result<(), ErrorStack> { let ret = unsafe { ffi::SSL_add1_chain_cert(self.as_ptr(), chain.as_ptr() as *mut _) }; if ret == 1 { Ok(()) diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 39734a2f6a..dc9cc78527 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1415,9 +1415,10 @@ fn session_cache_size() { } #[test] -fn add_chain_cert_pem() { +#[cfg(ossl102)] +fn add_chain_cert() { let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); let cert = X509::from_pem(CERT).unwrap(); let mut ssl = Ssl::new(&ctx).unwrap(); - assert!(ssl.add_chain_cert_pem(cert).is_ok()); + assert!(ssl.add_chain_cert(cert).is_ok()); } From 230050f00417dd84c558be653b0afbd625ce2da9 Mon Sep 17 00:00:00 2001 From: Alex Date: Thu, 8 Dec 2022 20:13:41 +0200 Subject: [PATCH 015/209] build: harden ci.yml permissions Signed-off-by: Alex --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9090ca194d..e4aeee0c9b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,6 +16,9 @@ concurrency: group: ${{ github.ref }} cancel-in-progress: true +permissions: + contents: read # to fetch code (actions/checkout) + jobs: rustfmt: name: rustfmt From 5aadcab921fb277a3cc620d822cb7f7d5565d5a8 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 11 Dec 2022 08:11:17 -0500 Subject: [PATCH 016/209] cleanup --- openssl-sys/src/ssl.rs | 5 +++-- openssl/src/ssl/mod.rs | 12 ++++++------ 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs index e38aa367f9..9e3956bf2c 100644 --- a/openssl-sys/src/ssl.rs +++ b/openssl-sys/src/ssl.rs @@ -408,9 +408,10 @@ cfg_if! { } } } + #[cfg(ossl102)] -pub unsafe fn SSL_add1_chain_cert(ssl: *mut ::SSL, ptr: *mut c_void) -> c_long { - SSL_ctrl(ssl, SSL_CTRL_CHAIN_CERT, 1, ptr) +pub unsafe fn SSL_add0_chain_cert(ssl: *mut ::SSL, ptr: *mut X509) -> c_long { + SSL_ctrl(ssl, SSL_CTRL_CHAIN_CERT, 0, ptr as *mut c_void) } #[cfg(ossl102)] diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 4016943802..89a380e072 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3104,15 +3104,15 @@ impl SslRef { } } } - #[corresponds(SSL_add1_chain_cert)] + + #[corresponds(SSL_add0_chain_cert)] #[cfg(ossl102)] pub fn add_chain_cert(&mut self, chain: X509) -> Result<(), ErrorStack> { - let ret = unsafe { ffi::SSL_add1_chain_cert(self.as_ptr(), chain.as_ptr() as *mut _) }; - if ret == 1 { - Ok(()) - } else { - Err(ErrorStack::get()) + unsafe { + cvt(ffi::SSL_add0_chain_cert(self.as_ptr(), chain.as_ptr()) as c_int).map(|_| ())?; + mem::forget(chain); } + Ok(()) } } From 3f2563f6eaec658e7288eb972792bd5ffff29011 Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Tue, 13 Dec 2022 15:16:09 +0100 Subject: [PATCH 017/209] Add get_security_bits for PKey Signed-off-by: Steffen Eiden --- openssl-sys/src/handwritten/evp.rs | 8 ++++++++ openssl/src/pkey.rs | 17 +++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index a85d628ade..535b2d5f5d 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -402,6 +402,7 @@ cfg_if! { extern "C" { pub fn EVP_PKEY_get_id(pkey: *const EVP_PKEY) -> c_int; pub fn EVP_PKEY_get_bits(key: *const EVP_PKEY) -> c_int; + pub fn EVP_PKEY_get_security_bits(key: *const EVP_PKEY) -> c_int; } #[inline] @@ -413,6 +414,12 @@ cfg_if! { pub unsafe fn EVP_PKEY_bits(pkey: *const EVP_PKEY) -> c_int { EVP_PKEY_get_bits(pkey) } + + #[inline] + pub unsafe fn EVP_PKEY_security_bits(pkey: *const EVP_PKEY) -> c_int { + EVP_PKEY_get_security_bits(pkey) + } + } else { extern "C" { pub fn EVP_PKEY_id(pkey: *const EVP_PKEY) -> c_int; @@ -420,6 +427,7 @@ cfg_if! { const_ptr_api! { extern "C" { pub fn EVP_PKEY_bits(key: #[const_ptr_if(any(ossl110, libressl280))] EVP_PKEY) -> c_int; + pub fn EVP_PKEY_security_bits(pkey: #[const_ptr_if(any(ossl110, libressl280))] EVP_PKEY) -> c_int; } } } diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 7d438ebadc..ef26c68aaa 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -229,6 +229,14 @@ where unsafe { ffi::EVP_PKEY_bits(self.as_ptr()) as u32 } } + ///Returns the number of security bits. + /// + ///Bits of security is defined in NIST SP800-57. + #[corresponds(EVP_PKEY_security_bits)] + pub fn security_bits(&self) -> u32 { + unsafe { ffi::EVP_PKEY_security_bits(self.as_ptr()) as u32 } + } + /// Compares the public component of this key with another. #[corresponds(EVP_PKEY_cmp)] pub fn public_eq(&self, other: &PKeyRef) -> bool @@ -1018,6 +1026,15 @@ mod tests { assert_eq!(ec_key.private_key(), ec_key_.private_key()); } + #[test] + fn test_security_bits() { + let group = crate::ec::EcGroup::from_curve_name(crate::nid::Nid::SECP521R1).unwrap(); + let ec_key = EcKey::generate(&group).unwrap(); + let pkey: PKey = ec_key.clone().try_into().unwrap(); + + assert_eq!(pkey.security_bits(), 256); + } + #[test] #[cfg(not(boringssl))] fn test_dh_conversion() { From 632ed2bee9f78a5e7423e9251829d6f87f5bccec Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Thu, 15 Dec 2022 13:35:50 +0100 Subject: [PATCH 018/209] fixup! Add get_security_bits for PKey --- openssl-sys/src/evp.rs | 5 +++++ openssl/src/pkey.rs | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index fc3003f7bd..9db924ea53 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -143,6 +143,11 @@ cfg_if! { pub unsafe fn EVP_PKEY_bits(pkey: *const EVP_PKEY) -> c_int { EVP_PKEY_get_bits(pkey) } + + #[inline] + pub unsafe fn EVP_PKEY_security_bits(pkey: *const EVP_PKEY) -> c_int { + EVP_PKEY_get_security_bits(pkey) + } } } diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index ef26c68aaa..62cc71bdad 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -1030,7 +1030,7 @@ mod tests { fn test_security_bits() { let group = crate::ec::EcGroup::from_curve_name(crate::nid::Nid::SECP521R1).unwrap(); let ec_key = EcKey::generate(&group).unwrap(); - let pkey: PKey = ec_key.clone().try_into().unwrap(); + let pkey: PKey = ec_key.try_into().unwrap(); assert_eq!(pkey.security_bits(), 256); } From 4ad1ee6c57055da60201a10fc61b9e229eb8de55 Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Thu, 15 Dec 2022 15:57:22 +0100 Subject: [PATCH 019/209] fixup! EVP_PKEY_security_bits --- openssl-sys/src/handwritten/evp.rs | 1 + openssl/src/pkey.rs | 1 + 2 files changed, 2 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 535b2d5f5d..8bc9675ecd 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -427,6 +427,7 @@ cfg_if! { const_ptr_api! { extern "C" { pub fn EVP_PKEY_bits(key: #[const_ptr_if(any(ossl110, libressl280))] EVP_PKEY) -> c_int; + #[cfg(ossl110)] pub fn EVP_PKEY_security_bits(pkey: #[const_ptr_if(any(ossl110, libressl280))] EVP_PKEY) -> c_int; } } diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 62cc71bdad..dd2af2f36f 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -233,6 +233,7 @@ where /// ///Bits of security is defined in NIST SP800-57. #[corresponds(EVP_PKEY_security_bits)] + #[cfg(ossl110)] pub fn security_bits(&self) -> u32 { unsafe { ffi::EVP_PKEY_security_bits(self.as_ptr()) as u32 } } From afe7f9ad376cfb515925bd7d303e3dfe9ba0d704 Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Thu, 15 Dec 2022 16:05:02 +0100 Subject: [PATCH 020/209] fixup! Add get_security_bits for PKey --- openssl/src/pkey.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index dd2af2f36f..1d2e68aea8 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -1028,6 +1028,7 @@ mod tests { } #[test] + #[cfg(ossl110)] fn test_security_bits() { let group = crate::ec::EcGroup::from_curve_name(crate::nid::Nid::SECP521R1).unwrap(); let ec_key = EcKey::generate(&group).unwrap(); From f9f4d6565c60a9b11df928aec3756c0f514a54f7 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 15 Dec 2022 20:05:00 -0500 Subject: [PATCH 021/209] clippy --- openssl/src/asn1.rs | 2 +- openssl/src/bn.rs | 1 + openssl/src/conf.rs | 1 + openssl/src/rsa.rs | 1 + openssl/src/ssl/callbacks.rs | 4 ++-- openssl/src/ssl/mod.rs | 4 ++-- openssl/src/x509/tests.rs | 1 + 7 files changed, 9 insertions(+), 5 deletions(-) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 7f936837db..b02f9ac41e 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -512,7 +512,7 @@ impl Asn1Integer { } impl Asn1IntegerRef { - #[allow(missing_docs)] + #[allow(missing_docs, clippy::unnecessary_cast)] #[deprecated(since = "0.10.6", note = "use to_bn instead")] pub fn get(&self) -> i64 { unsafe { ffi::ASN1_INTEGER_get(self.as_ptr()) as i64 } diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index 2619b5ba63..8f0e350755 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -336,6 +336,7 @@ impl BigNumRef { /// Returns the number of significant bits in `self`. #[corresponds(BN_num_bits)] + #[allow(clippy::unnecessary_cast)] pub fn num_bits(&self) -> i32 { unsafe { ffi::BN_num_bits(self.as_ptr()) as i32 } } diff --git a/openssl/src/conf.rs b/openssl/src/conf.rs index 2c54cf28d0..715519c595 100644 --- a/openssl/src/conf.rs +++ b/openssl/src/conf.rs @@ -20,6 +20,7 @@ mod methods { impl ConfMethod { /// Retrieve handle to the default OpenSSL configuration file processing function. #[corresponds(NCONF_default)] + #[allow(clippy::should_implement_trait)] pub fn default() -> ConfMethod { unsafe { ffi::init(); diff --git a/openssl/src/rsa.rs b/openssl/src/rsa.rs index b5d096744a..68cf64b036 100644 --- a/openssl/src/rsa.rs +++ b/openssl/src/rsa.rs @@ -234,6 +234,7 @@ where /// Validates RSA parameters for correctness #[corresponds(RSA_check_key)] + #[allow(clippy::unnecessary_cast)] pub fn check_key(&self) -> Result { unsafe { let result = ffi::RSA_check_key(self.as_ptr()) as i32; diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index 45760dc66a..091b1fb771 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs @@ -482,7 +482,7 @@ where .ssl_context() .ex_data(SslContext::cached_ex_index::()) .expect("BUG: stateless cookie verify callback missing") as *const F; - let slice = slice::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len as usize); + let slice = slice::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len); (*callback)(ssl, slice) as c_int } @@ -654,7 +654,7 @@ where .ex_data(SslContext::cached_ex_index::()) .expect("BUG: custom ext parse callback missing") as *const F; let ectx = ExtensionContext::from_bits_truncate(context); - let slice = slice::from_raw_parts(input as *const u8, inlen as usize); + let slice = slice::from_raw_parts(input as *const u8, inlen); let cert = if ectx.contains(ExtensionContext::TLS1_3_CERTIFICATE) { Some((chainidx, X509Ref::from_ptr(x))) } else { diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 89a380e072..aba606248f 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -1867,7 +1867,7 @@ impl SslContextRef { /// /// A value of 0 means that the cache size is unbounded. #[corresponds(SSL_CTX_sess_get_cache_size)] - #[allow(clippy::useless_conversion)] + #[allow(clippy::unnecessary_cast)] pub fn session_cache_size(&self) -> i64 { unsafe { ffi::SSL_CTX_sess_get_cache_size(self.as_ptr()) as i64 } } @@ -3289,7 +3289,7 @@ impl SslStream { ) }; if ret > 0 { - Ok(written as usize) + Ok(written) } else { Err(self.make_error(ret)) } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 33d6f4f1e9..336de3c914 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -634,6 +634,7 @@ fn test_verify_param_set_depth() { #[test] #[cfg(any(ossl102, libressl261))] +#[allow(clippy::bool_to_int_with_if)] fn test_verify_param_set_depth_fails_verification() { let cert = include_bytes!("../../test/leaf.pem"); let cert = X509::from_pem(cert).unwrap(); From cc811f5fd17ee808cbde4ff30cb84762e52fa371 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Fri, 16 Dec 2022 21:20:46 -0500 Subject: [PATCH 022/209] Add to CI/unblock LibreSSL 3.7.0 --- .github/workflows/ci.yml | 10 ++++++++++ openssl-sys/build/main.rs | 3 ++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e4aeee0c9b..57728778f7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -187,6 +187,11 @@ jobs: library: name: libressl version: 3.6.1 + - target: x86_64-unknown-linux-gnu + bindgen: true + library: + name: libressl + version: 3.7.0 - target: x86_64-unknown-linux-gnu bindgen: false library: @@ -202,6 +207,11 @@ jobs: library: name: libressl version: 3.6.1 + - target: x86_64-unknown-linux-gnu + bindgen: false + library: + name: libressl + version: 3.7.0 exclude: - library: name: boringssl diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 71b36c2309..cdea3eb447 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -282,6 +282,7 @@ See rust-openssl documentation for more information: (3, 5, _) => ('3', '5', 'x'), (3, 6, 0) => ('3', '6', '0'), (3, 6, _) => ('3', '6', 'x'), + (3, 7, 0) => ('3', '7', '0'), _ => version_error(), }; @@ -324,7 +325,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.6.x, but a different version of OpenSSL was found. The build is now aborting +through 3.7.0, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " From 8178f3b38ab098e989846a01a560e26207f870b8 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Fri, 16 Dec 2022 21:42:52 -0500 Subject: [PATCH 023/209] Add LibreSSL 3.7.0 build cfg --- openssl-sys/build/cfgs.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index 9ae7748cc6..6e1e5286a1 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -43,6 +43,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x3_05_00_00_0 { cfgs.push("libressl350"); } + if libressl_version >= 0x3_07_00_00_0 { + cfgs.push("libressl370"); + } } else { let openssl_version = openssl_version.unwrap(); From fda7d92f033d5bcbba69850c27148869f01e5745 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Fri, 16 Dec 2022 21:43:31 -0500 Subject: [PATCH 024/209] X509_V_FLAG_CB_ISSUER_CHECK deprecated in LibreSSL 3.7.0 --- openssl-sys/src/x509_vfy.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/x509_vfy.rs b/openssl-sys/src/x509_vfy.rs index 8deaeeaaf3..455a748b52 100644 --- a/openssl-sys/src/x509_vfy.rs +++ b/openssl-sys/src/x509_vfy.rs @@ -100,9 +100,9 @@ cfg_if! { #[cfg(ossl300)] pub const X509_V_ERR_INVALID_CA: c_int = 79; -#[cfg(not(ossl110))] +#[cfg(not(any(ossl110, libressl370)))] pub const X509_V_FLAG_CB_ISSUER_CHECK: c_ulong = 0x1; -#[cfg(ossl110)] +#[cfg(any(ossl110, libressl370))] pub const X509_V_FLAG_CB_ISSUER_CHECK: c_ulong = 0x0; pub const X509_V_FLAG_USE_CHECK_TIME: c_ulong = 0x2; pub const X509_V_FLAG_CRL_CHECK: c_ulong = 0x4; From b99d7265430420b63b71baf01cbc23088e10ee2c Mon Sep 17 00:00:00 2001 From: Max Lim Date: Sat, 17 Dec 2022 19:59:47 +0300 Subject: [PATCH 025/209] Add OSSL_PROVIDER_set_default_search_path binding --- openssl-sys/src/handwritten/provider.rs | 5 +++++ openssl/src/provider.rs | 18 +++++++++++++++++- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/provider.rs b/openssl-sys/src/handwritten/provider.rs index ffa7cc580e..93eaa072f3 100644 --- a/openssl-sys/src/handwritten/provider.rs +++ b/openssl-sys/src/handwritten/provider.rs @@ -12,4 +12,9 @@ extern "C" { ) -> *mut OSSL_PROVIDER; #[cfg(ossl300)] pub fn OSSL_PROVIDER_unload(prov: *mut OSSL_PROVIDER) -> c_int; + #[cfg(ossl300)] + pub fn OSSL_PROVIDER_set_default_search_path( + ctx: *mut OSSL_LIB_CTX, + path: *const c_char, + ) -> c_int; } diff --git a/openssl/src/provider.rs b/openssl/src/provider.rs index 72d54f41dc..147fadfdbc 100644 --- a/openssl/src/provider.rs +++ b/openssl/src/provider.rs @@ -1,6 +1,6 @@ -use crate::cvt_p; use crate::error::ErrorStack; use crate::lib_ctx::LibCtxRef; +use crate::{cvt, cvt_p}; use foreign_types::{ForeignType, ForeignTypeRef}; use openssl_macros::corresponds; use std::ffi::CString; @@ -58,4 +58,20 @@ impl Provider { Ok(Provider::from_ptr(p)) } } + + /// Specifies the default search path that is to be used for looking for providers in the specified library context. + /// If left unspecified, an environment variable and a fall back default value will be used instead + /// + /// If `ctx` is `None`, the provider will be loaded into the default library context. + #[corresponds(OSSL_PROVIDER_set_default_search_path)] + pub fn set_default_search_path(ctx: Option<&LibCtxRef>, path: &str) -> Result<(), ErrorStack> { + let path = CString::new(path).unwrap(); + unsafe { + cvt(ffi::OSSL_PROVIDER_set_default_search_path( + ctx.map_or(ptr::null_mut(), ForeignTypeRef::as_ptr), + path.as_ptr(), + )) + .map(|_| ()) + } + } } From e01fbac4b3c98fca47c9b16d58aed329dd4d72b6 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Mon, 19 Dec 2022 19:55:29 -0500 Subject: [PATCH 026/209] openssl-sys: add LibreSSL 3.6.0 to cfgs --- openssl-sys/build/cfgs.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index 6e1e5286a1..d925d90ad7 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -43,6 +43,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x3_05_00_00_0 { cfgs.push("libressl350"); } + if libressl_version >= 0x3_06_00_00_0 { + cfgs.push("libressl360"); + } if libressl_version >= 0x3_07_00_00_0 { cfgs.push("libressl370"); } From 0d8d5022583bb585b6cfe028c344113ecf1b77bc Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Mon, 19 Dec 2022 19:57:58 -0500 Subject: [PATCH 027/209] Expose EVP_PKEY_security_bits for LibreSSL 3.6.0 and later --- openssl-sys/src/handwritten/evp.rs | 2 +- openssl/src/pkey.rs | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 8bc9675ecd..5ee017f7d1 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -427,7 +427,7 @@ cfg_if! { const_ptr_api! { extern "C" { pub fn EVP_PKEY_bits(key: #[const_ptr_if(any(ossl110, libressl280))] EVP_PKEY) -> c_int; - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn EVP_PKEY_security_bits(pkey: #[const_ptr_if(any(ossl110, libressl280))] EVP_PKEY) -> c_int; } } diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 1d2e68aea8..2039e7e908 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -233,7 +233,7 @@ where /// ///Bits of security is defined in NIST SP800-57. #[corresponds(EVP_PKEY_security_bits)] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn security_bits(&self) -> u32 { unsafe { ffi::EVP_PKEY_security_bits(self.as_ptr()) as u32 } } @@ -1028,7 +1028,7 @@ mod tests { } #[test] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] fn test_security_bits() { let group = crate::ec::EcGroup::from_curve_name(crate::nid::Nid::SECP521R1).unwrap(); let ec_key = EcKey::generate(&group).unwrap(); From 71013f7efd637ca9fec214f6cb80e8806f3208af Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Tue, 20 Dec 2022 12:31:27 +0100 Subject: [PATCH 028/209] Fix output buffer check introduced in #1733 Sadly the condition used to relax output buffer checks that depended on the `num` parameter does not really hold so this change effectively reverts PR #1733. As clarified on the OpenSSL mailing list [0] and during integration tests the `num` parameter does not reflect the internal buffer cache size thus one needs to pessimistically assume that each call to `cipher_update` will need sufficient size to contain one additional block. Streaming ciphers are not affected by this revert. [0]: https://mta.openssl.org/pipermail/openssl-users/2022-December/015727.html --- openssl/src/cipher_ctx.rs | 155 +++----------------------------------- 1 file changed, 10 insertions(+), 145 deletions(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index c0377d969b..d09f8cbd50 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -379,49 +379,6 @@ impl CipherCtxRef { unsafe { ffi::EVP_CIPHER_CTX_num(self.as_ptr()) as usize } } - /// Returns number of bytes cached in partial block update. - #[cfg(ossl110)] - fn used_block_size(&self) -> usize { - self.num() - } - - /// Returns maximum number of bytes that could be cached. - #[cfg(not(ossl110))] - fn used_block_size(&self) -> usize { - self.block_size() - } - - /// Calculate the minimal size of the output buffer given the - /// input buffer size. - /// - /// For streaming ciphers the minimal output size is the same as - /// the input size. For block ciphers the minimal output size - /// additionally depends on the partial blocks that might have - /// been written in previous calls to [`Self::cipher_update`]. - /// - /// This function takes into account the number of partially - /// written blocks for block ciphers for supported targets - /// (OpenSSL >= 1.1). For unsupported targets the number of - /// partially written bytes is assumed to contain one full block - /// (pessimistic case). - /// - /// # Panics - /// - /// Panics if the context has not been initialized with a cipher. - pub fn minimal_output_size(&self, inlen: usize) -> usize { - let block_size = self.block_size(); - if block_size > 1 { - // block cipher - let num = self.used_block_size(); - let total_size = inlen + num; - let num_blocks = total_size / block_size; - num_blocks * block_size - } else { - // streaming cipher - inlen - } - } - /// Sets the length of the IV expected by this context. /// /// Only some ciphers support configurable IV lengths. @@ -569,7 +526,11 @@ impl CipherCtxRef { output: Option<&mut [u8]>, ) -> Result { if let Some(output) = &output { - let min_output_size = self.minimal_output_size(input.len()); + let mut block_size = self.block_size(); + if block_size == 1 { + block_size = 0; + } + let min_output_size = input.len() + block_size; assert!( output.len() >= min_output_size, "Output buffer size should be at least {} bytes.", @@ -588,16 +549,13 @@ impl CipherCtxRef { /// /// This function is the same as [`Self::cipher_update`] but with the /// output size check removed. It can be used when the exact - /// buffer size control is maintained by the caller and the - /// underlying cryptographic library doesn't expose exact block - /// cache data (e.g. OpenSSL < 1.1, BoringSSL, LibreSSL). + /// buffer size control is maintained by the caller. /// /// SAFETY: The caller is expected to provide `output` buffer /// large enough to contain correct number of bytes. For streaming /// ciphers the output buffer size should be at least as big as /// the input buffer. For block ciphers the size of the output - /// buffer depends on the state of partially updated blocks (see - /// [`Self::minimal_output_size`]). + /// buffer depends on the state of partially updated blocks. #[corresponds(EVP_CipherUpdate)] pub unsafe fn cipher_update_unchecked( &mut self, @@ -757,75 +715,6 @@ mod test { aes_128_cbc(cipher); } - #[test] - #[cfg(ossl110)] - fn partial_block_updates() { - test_block_cipher_for_partial_block_updates(Cipher::aes_128_cbc()); - test_block_cipher_for_partial_block_updates(Cipher::aes_256_cbc()); - test_block_cipher_for_partial_block_updates(Cipher::des_ede3_cbc()); - } - - #[cfg(ossl110)] - fn test_block_cipher_for_partial_block_updates(cipher: &'static CipherRef) { - let mut key = vec![0; cipher.key_length()]; - rand_bytes(&mut key).unwrap(); - let mut iv = vec![0; cipher.iv_length()]; - rand_bytes(&mut iv).unwrap(); - - let mut ctx = CipherCtx::new().unwrap(); - - ctx.encrypt_init(Some(cipher), Some(&key), Some(&iv)) - .unwrap(); - ctx.set_padding(false); - - let block_size = cipher.block_size(); - assert!(block_size > 1, "Need a block cipher, not a stream cipher"); - - // update cipher with non-full block - // expect no output until a block is complete - let outlen = ctx - .cipher_update(&vec![0; block_size - 1], Some(&mut [0; 0])) - .unwrap(); - assert_eq!(0, outlen); - - // update cipher with missing bytes from the previous block - // and one additional block, output should contain two blocks - let mut two_blocks = vec![0; block_size * 2]; - let outlen = ctx - .cipher_update(&vec![0; block_size + 1], Some(&mut two_blocks)) - .unwrap(); - assert_eq!(block_size * 2, outlen); - - ctx.cipher_final_vec(&mut vec![0; 0]).unwrap(); - - // try to decrypt - ctx.decrypt_init(Some(cipher), Some(&key), Some(&iv)) - .unwrap(); - ctx.set_padding(false); - - // update cipher with non-full block - // expect no output until a block is complete - let outlen = ctx - .cipher_update(&two_blocks[0..block_size - 1], Some(&mut [0; 0])) - .unwrap(); - assert_eq!(0, outlen); - - // update cipher with missing bytes from the previous block - // and one additional block, output should contain two blocks - let mut two_blocks_decrypted = vec![0; block_size * 2]; - let outlen = ctx - .cipher_update( - &two_blocks[block_size - 1..], - Some(&mut two_blocks_decrypted), - ) - .unwrap(); - assert_eq!(block_size * 2, outlen); - - ctx.cipher_final_vec(&mut vec![0; 0]).unwrap(); - // check if the decrypted blocks are the same as input (all zeros) - assert_eq!(two_blocks_decrypted, vec![0; block_size * 2]); - } - #[test] fn test_stream_ciphers() { test_stream_cipher(Cipher::aes_192_ctr()); @@ -894,43 +783,19 @@ mod test { } #[test] - #[should_panic(expected = "Output buffer size should be at least 16 bytes.")] - #[cfg(ossl110)] - fn full_block_updates_aes_128() { - output_buffer_too_small(Cipher::aes_128_cbc()); - } - - #[test] - #[should_panic(expected = "Output buffer size should be at least 16 bytes.")] - #[cfg(ossl110)] - fn full_block_updates_aes_256() { - output_buffer_too_small(Cipher::aes_256_cbc()); - } - - #[test] - #[should_panic(expected = "Output buffer size should be at least 8 bytes.")] - #[cfg(ossl110)] - fn full_block_updates_3des() { - output_buffer_too_small(Cipher::des_ede3_cbc()); - } - - #[test] - #[should_panic(expected = "Output buffer size should be at least 32 bytes.")] - #[cfg(not(ossl110))] + #[should_panic(expected = "Output buffer size should be at least 33 bytes.")] fn full_block_updates_aes_128() { output_buffer_too_small(Cipher::aes_128_cbc()); } #[test] - #[should_panic(expected = "Output buffer size should be at least 32 bytes.")] - #[cfg(not(ossl110))] + #[should_panic(expected = "Output buffer size should be at least 33 bytes.")] fn full_block_updates_aes_256() { output_buffer_too_small(Cipher::aes_256_cbc()); } #[test] - #[should_panic(expected = "Output buffer size should be at least 16 bytes.")] - #[cfg(not(ossl110))] + #[should_panic(expected = "Output buffer size should be at least 17 bytes.")] fn full_block_updates_3des() { output_buffer_too_small(Cipher::des_ede3_cbc()); } From 45e5dce285f189e23f941ac890e17277a5112adc Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Tue, 20 Dec 2022 13:33:09 +0100 Subject: [PATCH 029/209] Expose `Cipher::cipher_final_unchecked` This mirrors the `Cipher::cipher_update_unchecked` API call for clients that want to manually track the state of internal OpenSSL cipher buffer size. --- openssl/src/cipher_ctx.rs | 34 +++++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index d09f8cbd50..379f83a7ba 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -607,14 +607,34 @@ impl CipherCtxRef { assert!(output.len() >= block_size); } + unsafe { self.cipher_final_unchecked(output) } + } + + /// Finalizes the encryption or decryption process. + /// + /// Any remaining data will be written to the output buffer. + /// + /// Returns the number of bytes written to `output`. + /// + /// This function is the same as [`Self::cipher_final`] but with + /// the output buffer size check removed. + /// + /// SAFETY: The caller is expected to provide `output` buffer + /// large enough to contain correct number of bytes. For streaming + /// ciphers the output buffer can be empty, for block ciphers the + /// output buffer should be at least as big as the block. + #[corresponds(EVP_CipherFinal)] + pub unsafe fn cipher_final_unchecked( + &mut self, + output: &mut [u8], + ) -> Result { let mut outl = 0; - unsafe { - cvt(ffi::EVP_CipherFinal( - self.as_ptr(), - output.as_mut_ptr(), - &mut outl, - ))?; - } + + cvt(ffi::EVP_CipherFinal( + self.as_ptr(), + output.as_mut_ptr(), + &mut outl, + ))?; Ok(outl as usize) } From 27edce934080430fbdd9da108dea4807494233aa Mon Sep 17 00:00:00 2001 From: Cfir Tsabari Date: Tue, 20 Dec 2022 15:30:33 +0200 Subject: [PATCH 030/209] Mark Openssl # deprecated functions --- openssl-sys/src/handwritten/aes.rs | 1 + openssl-sys/src/handwritten/bn.rs | 4 ++++ openssl/src/aes.rs | 4 +++- openssl/src/bn.rs | 7 +++++++ 4 files changed, 15 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/aes.rs b/openssl-sys/src/handwritten/aes.rs index 241848eccf..884f9d7242 100644 --- a/openssl-sys/src/handwritten/aes.rs +++ b/openssl-sys/src/handwritten/aes.rs @@ -12,6 +12,7 @@ extern "C" { pub fn AES_set_encrypt_key(userKey: *const c_uchar, bits: c_int, key: *mut AES_KEY) -> c_int; pub fn AES_set_decrypt_key(userKey: *const c_uchar, bits: c_int, key: *mut AES_KEY) -> c_int; + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] pub fn AES_ige_encrypt( in_: *const c_uchar, out: *mut c_uchar, diff --git a/openssl-sys/src/handwritten/bn.rs b/openssl-sys/src/handwritten/bn.rs index d523f24d34..8e5ae153dd 100644 --- a/openssl-sys/src/handwritten/bn.rs +++ b/openssl-sys/src/handwritten/bn.rs @@ -7,8 +7,10 @@ extern "C" { pub fn BN_CTX_secure_new() -> *mut BN_CTX; pub fn BN_CTX_free(ctx: *mut BN_CTX); pub fn BN_rand(r: *mut BIGNUM, bits: c_int, top: c_int, bottom: c_int) -> c_int; + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] pub fn BN_pseudo_rand(r: *mut BIGNUM, bits: c_int, top: c_int, bottom: c_int) -> c_int; pub fn BN_rand_range(r: *mut BIGNUM, range: *const BIGNUM) -> c_int; + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] pub fn BN_pseudo_rand_range(r: *mut BIGNUM, range: *const BIGNUM) -> c_int; pub fn BN_new() -> *mut BIGNUM; #[cfg(ossl110)] @@ -122,12 +124,14 @@ extern "C" { rem: *const BIGNUM, cb: *mut BN_GENCB, ) -> c_int; + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] pub fn BN_is_prime_ex( p: *const BIGNUM, checks: c_int, ctx: *mut BN_CTX, cb: *mut BN_GENCB, ) -> c_int; + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] pub fn BN_is_prime_fasttest_ex( p: *const BIGNUM, checks: c_int, diff --git a/openssl/src/aes.rs b/openssl/src/aes.rs index 440dd05723..cbc4999bb8 100644 --- a/openssl/src/aes.rs +++ b/openssl/src/aes.rs @@ -23,7 +23,7 @@ //! # Examples #![cfg_attr( - not(boringssl), + all(not(boringssl), not(osslconf = "OPENSSL_NO_DEPRECATED_3_0")), doc = r#"\ ## AES IGE ```rust @@ -156,6 +156,7 @@ impl AesKey { /// Panics if `in_` is not the same length as `out`, if that length is not a multiple of 16, or if /// `iv` is not at least 32 bytes. #[cfg(not(boringssl))] +#[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] #[corresponds(AES_ige_encrypt)] pub fn aes_ige(in_: &[u8], out: &mut [u8], key: &AesKey, iv: &mut [u8], mode: Mode) { unsafe { @@ -268,6 +269,7 @@ mod test { // From https://www.mgp25.com/AESIGE/ #[test] #[cfg(not(boringssl))] + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] fn ige_vector_1() { let raw_key = "000102030405060708090A0B0C0D0E0F"; let raw_iv = "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"; diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index 8f0e350755..1cd00dd4bc 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -217,6 +217,7 @@ impl BigNumRef { } /// The cryptographically weak counterpart to `rand_in_range`. + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] #[corresponds(BN_pseudo_rand_range)] pub fn pseudo_rand_range(&self, rnd: &mut BigNumRef) -> Result<(), ErrorStack> { unsafe { cvt(ffi::BN_pseudo_rand_range(rnd.as_ptr(), self.as_ptr())).map(|_| ()) } @@ -385,6 +386,7 @@ impl BigNumRef { } /// The cryptographically weak counterpart to `rand`. Not suitable for key generation. + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] #[corresponds(BN_pseudo_rand)] #[allow(clippy::useless_conversion)] pub fn pseudo_rand(&mut self, bits: i32, msb: MsbOption, odd: bool) -> Result<(), ErrorStack> { @@ -722,6 +724,7 @@ impl BigNumRef { /// # Return Value /// /// Returns `true` if `self` is prime with an error probability of less than `0.25 ^ checks`. + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] #[corresponds(BN_is_prime_ex)] #[allow(clippy::useless_conversion)] pub fn is_prime(&self, checks: i32, ctx: &mut BigNumContextRef) -> Result { @@ -745,6 +748,7 @@ impl BigNumRef { /// # Return Value /// /// Returns `true` if `self` is prime with an error probability of less than `0.25 ^ checks`. + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] #[corresponds(BN_is_prime_fasttest_ex)] #[allow(clippy::useless_conversion)] pub fn is_prime_fasttest( @@ -1388,6 +1392,7 @@ mod tests { assert_eq!(a, &(&a << 1) >> 1); } + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] #[test] fn test_rand_range() { let range = BigNum::from_u32(909_829_283).unwrap(); @@ -1396,6 +1401,7 @@ mod tests { assert!(result >= BigNum::from_u32(0).unwrap() && result < range); } + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] #[test] fn test_pseudo_rand_range() { let range = BigNum::from_u32(909_829_283).unwrap(); @@ -1404,6 +1410,7 @@ mod tests { assert!(result >= BigNum::from_u32(0).unwrap() && result < range); } + #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] #[test] fn test_prime_numbers() { let a = BigNum::from_u32(19_029_017).unwrap(); From f32af9f4aac5d4a29b48c7782fcdd1a219a3fc64 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 20 Dec 2022 09:36:23 -0500 Subject: [PATCH 031/209] Release openssl-sys v0.9.80 --- openssl-sys/CHANGELOG.md | 16 +++++++++++++++- openssl-sys/Cargo.toml | 2 +- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index ec815325f7..1bf8690dbe 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,19 @@ ## [Unreleased] +## [v0.9.80] - 2022-12-20 + +### Fixed + +* Added `NO_DEPRECATED_3_0` cfg checks for more APIs. + +### Added + +* Added support for LibreSSL 3.7.0. +* Added `SSL_CTRL_CHAIN_CERT` and `SSL_add0_chain_cert`. +* Added `EVP_PKEY_get_security_bits` and `EVP_PKEY_security_bits`. +* Added `OSSL_PROVIDER_set_default_search_path`. + ## [v0.9.79] - 2022-12-06 ### Added @@ -357,7 +370,8 @@ * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.79..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.80..master +[v0.9.80]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.79...openssl-sys-v0.9.80 [v0.9.79]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.78...openssl-sys-v0.9.79 [v0.9.78]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.77...openssl-sys-v0.9.78 [v0.9.77]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.76...openssl-sys-v0.9.77 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index de6b33e80b..d8e4c7661b 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.79" +version = "0.9.80" authors = [ "Alex Crichton ", "Steven Fackler ", From 7df56869c5e1e32369091ab106750d644d3aa0c4 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 20 Dec 2022 09:41:50 -0500 Subject: [PATCH 032/209] Release openssl v0.10.45 --- openssl/CHANGELOG.md | 19 +++++++++++++++++-- openssl/Cargo.toml | 4 ++-- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index f66bcb7501..0af50bcc24 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,20 @@ ## [Unreleased] +## [v0.10.45] - 2022-12-20 + +### Fixed + +* Removed the newly added `CipherCtxRef::minimal_output_size` method, which did not work properly. +* Added `NO_DEPRECATED_3_0` cfg checks for more APIs. + +### Added + +* Added `SslRef::add_chain_cert`. +* Added `PKeyRef::security_bits`. +* Added `Provider::set_default_search_path`. +* Added `CipherCtxRef::cipher_final_unchecked`. + ## [v0.10.44] - 2022-12-06 ### Added @@ -649,8 +663,9 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.44...master -[v0.10.44]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.44...openssl-v0.10.44 +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.45...master +[v0.10.45]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.44...openssl-v0.10.45 +[v0.10.44]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.43...openssl-v0.10.44 [v0.10.43]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.42...openssl-v0.10.43 [v0.10.42]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.41...openssl-v0.10.42 [v0.10.41]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.40...openssl-v0.10.41 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 03f621eddd..1fd24448fd 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.44" +version = "0.10.45" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.79", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.80", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From b0a1102d3bf61727019f55581a8e0c5cc0a41ebb Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Tue, 13 Dec 2022 14:08:43 +0100 Subject: [PATCH 033/209] Add bindings for more X509_VERIFY_PARAM functions Signed-off-by: Steffen Eiden --- openssl-sys/src/handwritten/x509_vfy.rs | 6 ++ openssl-sys/src/x509_vfy.rs | 23 ++++++++ openssl/src/x509/tests.rs | 75 +++++++++++++++++++++++++ openssl/src/x509/verify.rs | 44 +++++++++++++++ 4 files changed, 148 insertions(+) diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs index 632bb9f689..3ebbea697b 100644 --- a/openssl-sys/src/handwritten/x509_vfy.rs +++ b/openssl-sys/src/handwritten/x509_vfy.rs @@ -119,4 +119,10 @@ extern "C" { ip: *const c_uchar, iplen: size_t, ) -> c_int; + #[cfg(ossl110)] + pub fn X509_VERIFY_PARAM_set_auth_level(param: *mut X509_VERIFY_PARAM, lvl: c_int); + #[cfg(ossl110)] + pub fn X509_VERIFY_PARAM_get_auth_level(param: *const X509_VERIFY_PARAM) -> c_int; + #[cfg(ossl102)] + pub fn X509_VERIFY_PARAM_set_purpose(param: *mut X509_VERIFY_PARAM, purpose: c_int) -> c_int; } diff --git a/openssl-sys/src/x509_vfy.rs b/openssl-sys/src/x509_vfy.rs index 455a748b52..ab6cb1afbf 100644 --- a/openssl-sys/src/x509_vfy.rs +++ b/openssl-sys/src/x509_vfy.rs @@ -147,3 +147,26 @@ pub unsafe fn X509_LOOKUP_add_dir( std::ptr::null_mut(), ) } + +#[cfg(ossl102)] +pub const X509_PURPOSE_SSL_CLIENT: c_int = 1; +#[cfg(ossl102)] +pub const X509_PURPOSE_SSL_SERVER: c_int = 2; +#[cfg(ossl102)] +pub const X509_PURPOSE_NS_SSL_SERVER: c_int = 3; +#[cfg(ossl102)] +pub const X509_PURPOSE_SMIME_SIGN: c_int = 4; +#[cfg(ossl102)] +pub const X509_PURPOSE_SMIME_ENCRYPT: c_int = 5; +#[cfg(ossl102)] +pub const X509_PURPOSE_CRL_SIGN: c_int = 6; +#[cfg(ossl102)] +pub const X509_PURPOSE_ANY: c_int = 7; +#[cfg(ossl102)] +pub const X509_PURPOSE_OCSP_HELPER: c_int = 8; +#[cfg(ossl102)] +pub const X509_PURPOSE_TIMESTAMP_SIGN: c_int = 9; +#[cfg(ossl102)] +pub const X509_PURPOSE_MIN: c_int = 1; +#[cfg(ossl102)] +pub const X509_PURPOSE_MAX: c_int = 9; diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 336de3c914..a9de3cc4a1 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -16,6 +16,8 @@ use crate::x509::extension::{ #[cfg(not(boringssl))] use crate::x509::store::X509Lookup; use crate::x509::store::X509StoreBuilder; +#[cfg(ossl102)] +use crate::x509::verify::X509PurposeFlags; #[cfg(any(ossl102, libressl261))] use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; #[cfg(ossl110)] @@ -693,3 +695,76 @@ fn test_load_cert_file() { .init(&store, &cert, &chain, |c| c.verify_cert()) .unwrap()); } + +#[test] +#[cfg(ossl110)] +fn test_verify_param_auth_level() { + let mut param = X509VerifyParam::new().unwrap(); + let auth_lvl = 2; + let auth_lvl_default = -1; + + assert_eq!(param.auth_level(), auth_lvl_default); + + param.set_auth_level(auth_lvl); + assert_eq!(param.auth_level(), auth_lvl); +} + +#[test] +#[cfg(ossl102)] +fn test_set_purpose() { + let cert = include_bytes!("../../test/leaf.pem"); + let cert = X509::from_pem(cert).unwrap(); + let intermediate_ca = include_bytes!("../../test/intermediate-ca.pem"); + let intermediate_ca = X509::from_pem(intermediate_ca).unwrap(); + let ca = include_bytes!("../../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let mut chain = Stack::new().unwrap(); + chain.push(intermediate_ca).unwrap(); + + let mut store_bldr = X509StoreBuilder::new().unwrap(); + store_bldr.add_cert(ca).unwrap(); + let mut verify_params = X509VerifyParam::new().unwrap(); + verify_params.set_purpose(X509PurposeFlags::ANY).unwrap(); + store_bldr.set_param(&verify_params).unwrap(); + let store = store_bldr.build(); + let mut context = X509StoreContext::new().unwrap(); + + assert!(context + .init(&store, &cert, &chain, |c| c.verify_cert()) + .unwrap()); +} + +#[test] +#[cfg(ossl102)] +fn test_set_purpose_fails_verification() { + let cert = include_bytes!("../../test/leaf.pem"); + let cert = X509::from_pem(cert).unwrap(); + let intermediate_ca = include_bytes!("../../test/intermediate-ca.pem"); + let intermediate_ca = X509::from_pem(intermediate_ca).unwrap(); + let ca = include_bytes!("../../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let mut chain = Stack::new().unwrap(); + chain.push(intermediate_ca).unwrap(); + + let mut store_bldr = X509StoreBuilder::new().unwrap(); + store_bldr.add_cert(ca).unwrap(); + let mut verify_params = X509VerifyParam::new().unwrap(); + verify_params + .set_purpose(X509PurposeFlags::TIMESTAMP_SIGN) + .unwrap(); + store_bldr.set_param(&verify_params).unwrap(); + let store = store_bldr.build(); + + let expected_error = "unsupported certificate purpose"; + let mut context = X509StoreContext::new().unwrap(); + assert_eq!( + context + .init(&store, &cert, &chain, |c| { + c.verify_cert()?; + Ok(c.error()) + }) + .unwrap() + .error_string(), + expected_error + ) +} diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index 20dd4bea8d..dbd206e5d5 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -162,4 +162,48 @@ impl X509VerifyParamRef { pub fn set_depth(&mut self, depth: c_int) { unsafe { ffi::X509_VERIFY_PARAM_set_depth(self.as_ptr(), depth) } } + + /// Sets the authentication security level to auth_level + #[corresponds(X509_VERIFY_PARAM_set_auth_level)] + #[cfg(ossl110)] + pub fn set_auth_level(&mut self, lvl: c_int) { + unsafe { ffi::X509_VERIFY_PARAM_set_auth_level(self.as_ptr(), lvl) } + } + + /// Gets the current authentication security level + #[corresponds(X509_VERIFY_PARAM_get_auth_level)] + #[cfg(ossl110)] + pub fn auth_level(&self) -> i32 { + unsafe { ffi::X509_VERIFY_PARAM_get_auth_level(self.as_ptr()) } + } + + /// Sets the verification purpose + #[corresponds(X509_VERIFY_PARAM_set_purpose)] + #[cfg(ossl102)] + pub fn set_purpose(&mut self, purpose: X509PurposeFlags) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::X509_VERIFY_PARAM_set_purpose( + self.as_ptr(), + purpose.bits, + )) + .map(|_| ()) + } + } +} + +#[cfg(ossl102)] +bitflags! { + /// Bitflags defining the purpose of the verification + pub struct X509PurposeFlags: c_int { + const SSL_CLIENT = ffi::X509_PURPOSE_SSL_CLIENT; + const SSL_SERVER = ffi::X509_PURPOSE_SSL_SERVER; + const NS_SSL_SERVER = ffi::X509_PURPOSE_NS_SSL_SERVER; + const SMIME_SIGN = ffi::X509_PURPOSE_SMIME_SIGN; + const SMIME_ENCRYPT = ffi::X509_PURPOSE_SMIME_ENCRYPT; + const CRL_SIGN = ffi::X509_PURPOSE_CRL_SIGN; + const ANY = ffi::X509_PURPOSE_ANY; + const OCSP_HELPER = ffi::X509_PURPOSE_OCSP_HELPER; + const TIMESTAMP_SIGN = ffi::X509_PURPOSE_TIMESTAMP_SIGN; + } + } From 263c7ce1e694a3b2ed16e1d99acbba3cc5280edb Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Tue, 13 Dec 2022 19:15:37 +0100 Subject: [PATCH 034/209] Add X509_NAME_add_entry binding Signed-off-by: Steffen Eiden --- openssl-sys/src/handwritten/x509.rs | 7 +++++++ openssl/src/x509/mod.rs | 15 +++++++++++++++ openssl/src/x509/tests.rs | 18 ++++++++++++++++++ 3 files changed, 40 insertions(+) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 2203b6081d..57737a0b06 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -286,6 +286,13 @@ const_ptr_api! { pub fn X509_NAME_dup(x: #[const_ptr_if(ossl300)] X509_NAME) -> *mut X509_NAME; #[cfg(any(ossl110, libressl270))] pub fn X509_dup(x: #[const_ptr_if(ossl300)] X509) -> *mut X509; + #[cfg(any(ossl101, libressl350))] + pub fn X509_NAME_add_entry( + name: *mut X509_NAME, + ne: #[const_ptr_if(any(ossl110, libressl))] X509_NAME_ENTRY, + loc: c_int, + set: c_int, + ) -> c_int; } } extern "C" { diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index edd54aa840..f7518e937a 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -872,6 +872,21 @@ impl X509NameBuilder { } } + /// Add a name entry + #[corresponds(X509_NAME_add_entry)] + #[cfg(any(ossl101, libressl350))] + pub fn append_entry(&mut self, ne: &X509NameEntryRef) -> std::result::Result<(), ErrorStack> { + unsafe { + cvt(ffi::X509_NAME_add_entry( + self.0.as_ptr(), + ne.as_ptr(), + -1, + 0, + )) + .map(|_| ()) + } + } + /// Add a field entry by str. /// /// This corresponds to [`X509_NAME_add_entry_by_txt`]. diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 336de3c914..9622dfae8f 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -693,3 +693,21 @@ fn test_load_cert_file() { .init(&store, &cert, &chain, |c| c.verify_cert()) .unwrap()); } + +#[test] +#[cfg(any(ossl101, libressl350))] +fn test_add_name_entry() { + let cert = include_bytes!("../../test/cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + let inp_name = cert.subject_name().entries().next().unwrap(); + + let mut names = X509Name::builder().unwrap(); + names.append_entry(inp_name).unwrap(); + let names = names.build(); + + let mut entries = names.entries(); + let outp_name = entries.next().unwrap(); + assert_eq!(outp_name.object().nid(), inp_name.object().nid()); + assert_eq!(outp_name.data().as_slice(), inp_name.data().as_slice()); + assert!(entries.next().is_none()); +} From 5b507990b7f7f72feb3ffa9c96b8596e137885fb Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Wed, 21 Dec 2022 16:00:56 -0500 Subject: [PATCH 035/209] Fix doc links Closes #1764 --- openssl/src/asn1.rs | 10 ++++----- openssl/src/bn.rs | 6 ++--- openssl/src/derive.rs | 8 +++---- openssl/src/dsa.rs | 6 ++--- openssl/src/ec.rs | 2 +- openssl/src/encrypt.rs | 4 ++-- openssl/src/hash.rs | 4 ++-- openssl/src/nid.rs | 2 +- openssl/src/pkcs12.rs | 2 +- openssl/src/sign.rs | 12 +++++----- openssl/src/ssl/mod.rs | 4 ++-- openssl/src/symm.rs | 6 ++--- openssl/src/x509/mod.rs | 46 +++++++++++++++++++-------------------- openssl/src/x509/store.rs | 2 +- 14 files changed, 57 insertions(+), 57 deletions(-) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index b02f9ac41e..55de049c08 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -187,7 +187,7 @@ foreign_type_and_impl_send_sync! { /// [ASN_TIME_set] documentation at OpenSSL explains the ASN.1 implementation /// used by OpenSSL. /// - /// [ASN_TIME_set]: https://www.openssl.org/docs/man1.1.0/crypto/ASN1_TIME_set.html + /// [ASN_TIME_set]: https://www.openssl.org/docs/manmaster/crypto/ASN1_TIME_set.html pub struct Asn1Time; /// Reference to an [`Asn1Time`] /// @@ -423,7 +423,7 @@ foreign_type_and_impl_send_sync! { /// structures. This implementation uses [ASN1_STRING-to_UTF8] to preserve /// compatibility with Rust's String. /// - /// [ASN1_STRING-to_UTF8]: https://www.openssl.org/docs/man1.1.0/crypto/ASN1_STRING_to_UTF8.html + /// [ASN1_STRING-to_UTF8]: https://www.openssl.org/docs/manmaster/crypto/ASN1_STRING_to_UTF8.html pub struct Asn1String; /// A reference to an [`Asn1String`]. pub struct Asn1StringRef; @@ -492,7 +492,7 @@ foreign_type_and_impl_send_sync! { /// OpenSSL documentation includes [`ASN1_INTEGER_set`]. /// /// [`bn`]: ../bn/index.html - /// [`ASN1_INTEGER_set`]: https://www.openssl.org/docs/man1.1.0/crypto/ASN1_INTEGER_set.html + /// [`ASN1_INTEGER_set`]: https://www.openssl.org/docs/manmaster/crypto/ASN1_INTEGER_set.html pub struct Asn1Integer; /// A reference to an [`Asn1Integer`]. pub struct Asn1IntegerRef; @@ -504,7 +504,7 @@ impl Asn1Integer { /// Corresponds to [`BN_to_ASN1_INTEGER`]. Also see /// [`BigNumRef::to_asn1_integer`]. /// - /// [`BN_to_ASN1_INTEGER`]: https://www.openssl.org/docs/man1.1.0/crypto/BN_to_ASN1_INTEGER.html + /// [`BN_to_ASN1_INTEGER`]: https://www.openssl.org/docs/manmaster/crypto/BN_to_ASN1_INTEGER.html /// [`BigNumRef::to_asn1_integer`]: ../bn/struct.BigNumRef.html#method.to_asn1_integer pub fn from_bn(bn: &BigNumRef) -> Result { bn.to_asn1_integer() @@ -586,7 +586,7 @@ foreign_type_and_impl_send_sync! { /// /// [`Nid`]: ../nid/index.html /// [`nid::COMMONNAME`]: ../nid/constant.COMMONNAME.html - /// [`OBJ_nid2obj`]: https://www.openssl.org/docs/man1.1.0/crypto/OBJ_obj2nid.html + /// [`OBJ_nid2obj`]: https://www.openssl.org/docs/manmaster/crypto/OBJ_obj2nid.html pub struct Asn1Object; /// A reference to an [`Asn1Object`]. pub struct Asn1ObjectRef; diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index 1cd00dd4bc..0328730a23 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -91,7 +91,7 @@ foreign_type_and_impl_send_sync! { /// to allocate. BigNumContext and the OpenSSL [`BN_CTX`] structure are used /// internally when passing BigNum values between subroutines. /// - /// [`BN_CTX`]: https://www.openssl.org/docs/man1.1.0/crypto/BN_CTX_new.html + /// [`BN_CTX`]: https://www.openssl.org/docs/manmaster/crypto/BN_CTX_new.html pub struct BigNumContext; /// Reference to [`BigNumContext`] /// @@ -134,7 +134,7 @@ foreign_type_and_impl_send_sync! { /// /// [`new`]: struct.BigNum.html#method.new /// [`Dref`]: struct.BigNum.html#deref-methods - /// [`BN_new`]: https://www.openssl.org/docs/man1.1.0/crypto/BN_new.html + /// [`BN_new`]: https://www.openssl.org/docs/manmaster/crypto/BN_new.html /// /// # Examples /// ``` @@ -1063,7 +1063,7 @@ impl BigNum { /// /// OpenSSL documentation at [`BN_bin2bn`] /// - /// [`BN_bin2bn`]: https://www.openssl.org/docs/man1.1.0/crypto/BN_bin2bn.html + /// [`BN_bin2bn`]: https://www.openssl.org/docs/manmaster/crypto/BN_bin2bn.html /// /// ``` /// # use openssl::bn::BigNum; diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index 87a04a14a3..5d422f6976 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -69,7 +69,7 @@ impl<'a> Deriver<'a> { /// /// This corresponds to [`EVP_PKEY_derive_init`]. /// - /// [`EVP_PKEY_derive_init`]: https://www.openssl.org/docs/man1.0.2/crypto/EVP_PKEY_derive_init.html + /// [`EVP_PKEY_derive_init`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html pub fn new(key: &'a PKeyRef) -> Result, ErrorStack> where T: HasPrivate, @@ -85,7 +85,7 @@ impl<'a> Deriver<'a> { /// /// This corresponds to [`EVP_PKEY_derive_set_peer`]: /// - /// [`EVP_PKEY_derive_set_peer`]: https://www.openssl.org/docs/man1.0.2/crypto/EVP_PKEY_derive_init.html + /// [`EVP_PKEY_derive_set_peer`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html pub fn set_peer(&mut self, key: &'a PKeyRef) -> Result<(), ErrorStack> where T: HasPublic, @@ -100,7 +100,7 @@ impl<'a> Deriver<'a> { /// This corresponds to [`EVP_PKEY_derive`]. /// /// [`Deriver::derive`]: #method.derive - /// [`EVP_PKEY_derive`]: https://www.openssl.org/docs/man1.0.2/crypto/EVP_PKEY_derive_init.html + /// [`EVP_PKEY_derive`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html pub fn len(&mut self) -> Result { unsafe { let mut len = 0; @@ -114,7 +114,7 @@ impl<'a> Deriver<'a> { /// /// This corresponds to [`EVP_PKEY_derive`]. /// - /// [`EVP_PKEY_derive`]: https://www.openssl.org/docs/man1.0.2/crypto/EVP_PKEY_derive_init.html + /// [`EVP_PKEY_derive`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html pub fn derive(&mut self, buf: &mut [u8]) -> Result { let mut len = buf.len(); unsafe { diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index 5f59ba8acd..c550f6548b 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -37,7 +37,7 @@ generic_foreign_type_and_impl_send_sync! { /// /// OpenSSL documentation at [`DSA_new`] /// - /// [`DSA_new`]: https://www.openssl.org/docs/man1.1.0/crypto/DSA_new.html + /// [`DSA_new`]: https://www.openssl.org/docs/manmaster/crypto/DSA_new.html /// /// # Examples /// @@ -191,8 +191,8 @@ impl Dsa { /// /// The `bits` parameter corresponds to the length of the prime `p`. /// - /// [`DSA_generate_parameters_ex`]: https://www.openssl.org/docs/man1.1.0/crypto/DSA_generate_parameters_ex.html - /// [`DSA_generate_key`]: https://www.openssl.org/docs/man1.1.0/crypto/DSA_generate_key.html + /// [`DSA_generate_parameters_ex`]: https://www.openssl.org/docs/manmaster/crypto/DSA_generate_parameters_ex.html + /// [`DSA_generate_key`]: https://www.openssl.org/docs/manmaster/crypto/DSA_generate_key.html pub fn generate(bits: u32) -> Result, ErrorStack> { ffi::init(); unsafe { diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 24b3832224..248ced3e41 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -73,7 +73,7 @@ impl Asn1Flag { /// /// OpenSSL documentation at [`EC_GROUP`] /// - /// [`EC_GROUP`]: https://www.openssl.org/docs/man1.1.0/crypto/EC_GROUP_get_seed_len.html + /// [`EC_GROUP`]: https://www.openssl.org/docs/manmaster/crypto/EC_GROUP_get_seed_len.html pub const EXPLICIT_CURVE: Asn1Flag = Asn1Flag(0); /// Standard Curves diff --git a/openssl/src/encrypt.rs b/openssl/src/encrypt.rs index 3cb10fcca2..d3db0fd414 100644 --- a/openssl/src/encrypt.rs +++ b/openssl/src/encrypt.rs @@ -113,7 +113,7 @@ impl<'a> Encrypter<'a> { /// /// This corresponds to [`EVP_PKEY_CTX_set_rsa_padding`]. /// - /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_CTX_set_rsa_padding.html + /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_padding.html pub fn set_rsa_padding(&mut self, padding: Padding) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_padding( @@ -317,7 +317,7 @@ impl<'a> Decrypter<'a> { /// /// This corresponds to [`EVP_PKEY_CTX_set_rsa_padding`]. /// - /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_CTX_set_rsa_padding.html + /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_padding.html pub fn set_rsa_padding(&mut self, padding: Padding) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_padding( diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 8e27505a02..37442fb274 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -68,7 +68,7 @@ impl MessageDigest { /// /// This corresponds to [`EVP_get_digestbynid`]. /// - /// [`EVP_get_digestbynid`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html + /// [`EVP_get_digestbynid`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestInit.html pub fn from_nid(type_: Nid) -> Option { unsafe { let ptr = ffi::EVP_get_digestbynid(type_.as_raw()); @@ -84,7 +84,7 @@ impl MessageDigest { /// /// This corresponds to [`EVP_get_digestbyname`]. /// - /// [`EVP_get_digestbyname`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html + /// [`EVP_get_digestbyname`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestInit.html pub fn from_name(name: &str) -> Option { ffi::init(); let name = CString::new(name).ok()?; diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index eadae31653..e4562a1c27 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -44,7 +44,7 @@ pub struct SignatureAlgorithms { /// The following documentation provides context about `Nid`s and their usage /// in OpenSSL. /// -/// - [Obj_nid2obj](https://www.openssl.org/docs/man1.1.0/crypto/OBJ_create.html) +/// - [Obj_nid2obj](https://www.openssl.org/docs/manmaster/crypto/OBJ_create.html) #[derive(Debug, Copy, Clone, PartialEq, Eq, Hash)] pub struct Nid(c_int); diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs index d4e19dc9f3..c6347a573b 100644 --- a/openssl/src/pkcs12.rs +++ b/openssl/src/pkcs12.rs @@ -185,7 +185,7 @@ impl Pkcs12Builder { // According to the OpenSSL docs, keytype is a non-standard extension for MSIE, // It's values are KEY_SIG or KEY_EX, see the OpenSSL docs for more information: - // https://www.openssl.org/docs/man1.0.2/crypto/PKCS12_create.html + // https://www.openssl.org/docs/manmaster/crypto/PKCS12_create.html let keytype = 0; let pkcs12 = cvt_p(ffi::PKCS12_create( diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index b675825e2c..9cfda48105 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -214,7 +214,7 @@ impl<'a> Signer<'a> { /// /// This corresponds to [`EVP_PKEY_CTX_set_rsa_padding`]. /// - /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_CTX_set_rsa_padding.html + /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_padding.html pub fn set_rsa_padding(&mut self, padding: Padding) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_padding( @@ -231,7 +231,7 @@ impl<'a> Signer<'a> { /// /// This corresponds to [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]. /// - /// [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_CTX_set_rsa_pss_saltlen.html + /// [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_pss_saltlen.html pub fn set_rsa_pss_saltlen(&mut self, len: RsaPssSaltlen) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_pss_saltlen( @@ -285,7 +285,7 @@ impl<'a> Signer<'a> { /// /// OpenSSL documentation at [`EVP_DigestSignFinal`]. /// - /// [`EVP_DigestSignFinal`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestSignFinal.html + /// [`EVP_DigestSignFinal`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestSignFinal.html pub fn len(&self) -> Result { self.len_intern() } @@ -325,7 +325,7 @@ impl<'a> Signer<'a> { /// /// OpenSSL documentation at [`EVP_DigestSignFinal`]. /// - /// [`EVP_DigestSignFinal`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestSignFinal.html + /// [`EVP_DigestSignFinal`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestSignFinal.html pub fn sign(&self, buf: &mut [u8]) -> Result { unsafe { let mut len = buf.len(); @@ -507,7 +507,7 @@ impl<'a> Verifier<'a> { /// /// This corresponds to [`EVP_PKEY_CTX_set_rsa_padding`]. /// - /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_CTX_set_rsa_padding.html + /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_padding.html pub fn set_rsa_padding(&mut self, padding: Padding) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_padding( @@ -524,7 +524,7 @@ impl<'a> Verifier<'a> { /// /// This corresponds to [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]. /// - /// [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_CTX_set_rsa_pss_saltlen.html + /// [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_pss_saltlen.html pub fn set_rsa_pss_saltlen(&mut self, len: RsaPssSaltlen) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_pss_saltlen( diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index aba606248f..9debaa37d0 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -1047,7 +1047,7 @@ impl SslContextBuilder { /// /// See [`ciphers`] for details on the format. /// - /// [`ciphers`]: https://www.openssl.org/docs/man1.1.0/apps/ciphers.html + /// [`ciphers`]: https://www.openssl.org/docs/manmaster/apps/ciphers.html #[corresponds(SSL_CTX_set_cipher_list)] pub fn set_cipher_list(&mut self, cipher_list: &str) -> Result<(), ErrorStack> { let cipher_list = CString::new(cipher_list).unwrap(); @@ -2200,7 +2200,7 @@ impl Ssl { /// /// This corresponds to [`SSL_new`]. /// - /// [`SSL_new`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_new.html + /// [`SSL_new`]: https://www.openssl.org/docs/manmaster/ssl/SSL_new.html #[corresponds(SSL_new)] pub fn new(ctx: &SslContextRef) -> Result { let session_ctx_index = try_get_session_ctx_index()?; diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index c75bbc0c4a..911a7ab2e7 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -68,7 +68,7 @@ pub enum Mode { /// /// See OpenSSL doc at [`EVP_EncryptInit`] for more information on each algorithms. /// -/// [`EVP_EncryptInit`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_EncryptInit.html +/// [`EVP_EncryptInit`]: https://www.openssl.org/docs/manmaster/crypto/EVP_EncryptInit.html #[derive(Copy, Clone, PartialEq, Eq)] pub struct Cipher(*const ffi::EVP_CIPHER); @@ -77,7 +77,7 @@ impl Cipher { /// /// This corresponds to [`EVP_get_cipherbynid`] /// - /// [`EVP_get_cipherbynid`]: https://www.openssl.org/docs/man1.0.2/crypto/EVP_get_cipherbyname.html + /// [`EVP_get_cipherbynid`]: https://www.openssl.org/docs/manmaster/crypto/EVP_get_cipherbyname.html pub fn from_nid(nid: Nid) -> Option { let ptr = unsafe { ffi::EVP_get_cipherbyname(ffi::OBJ_nid2sn(nid.as_raw())) }; if ptr.is_null() { @@ -91,7 +91,7 @@ impl Cipher { /// /// This corresponds to [`EVP_CIPHER_nid`] /// - /// [`EVP_CIPHER_nid`]: https://www.openssl.org/docs/man1.0.2/crypto/EVP_CIPHER_nid.html + /// [`EVP_CIPHER_nid`]: https://www.openssl.org/docs/manmaster/crypto/EVP_CIPHER_nid.html pub fn nid(&self) -> Nid { let nid = unsafe { ffi::EVP_CIPHER_nid(self.0) }; Nid::from_raw(nid) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index f7518e937a..c9d2a64215 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -109,8 +109,8 @@ impl X509StoreContextRef { /// This corresponds to [`X509_STORE_CTX_init`] before calling `with_context` and to /// [`X509_STORE_CTX_cleanup`] after calling `with_context`. /// - /// [`X509_STORE_CTX_init`]: https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_init.html - /// [`X509_STORE_CTX_cleanup`]: https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_cleanup.html + /// [`X509_STORE_CTX_init`]: https://www.openssl.org/docs/manmaster/crypto/X509_STORE_CTX_init.html + /// [`X509_STORE_CTX_cleanup`]: https://www.openssl.org/docs/manmaster/crypto/X509_STORE_CTX_cleanup.html pub fn init( &mut self, trust: &store::X509StoreRef, @@ -891,7 +891,7 @@ impl X509NameBuilder { /// /// This corresponds to [`X509_NAME_add_entry_by_txt`]. /// - /// [`X509_NAME_add_entry_by_txt`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_NAME_add_entry_by_txt.html + /// [`X509_NAME_add_entry_by_txt`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_txt.html pub fn append_entry_by_text(&mut self, field: &str, value: &str) -> Result<(), ErrorStack> { unsafe { let field = CString::new(field).unwrap(); @@ -913,7 +913,7 @@ impl X509NameBuilder { /// /// This corresponds to [`X509_NAME_add_entry_by_txt`]. /// - /// [`X509_NAME_add_entry_by_txt`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_NAME_add_entry_by_txt.html + /// [`X509_NAME_add_entry_by_txt`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_txt.html pub fn append_entry_by_text_with_type( &mut self, field: &str, @@ -940,7 +940,7 @@ impl X509NameBuilder { /// /// This corresponds to [`X509_NAME_add_entry_by_NID`]. /// - /// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_NAME_add_entry_by_NID.html + /// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_NID.html pub fn append_entry_by_nid(&mut self, field: Nid, value: &str) -> Result<(), ErrorStack> { unsafe { assert!(value.len() <= c_int::max_value() as usize); @@ -961,7 +961,7 @@ impl X509NameBuilder { /// /// This corresponds to [`X509_NAME_add_entry_by_NID`]. /// - /// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_NAME_add_entry_by_NID.html + /// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_NID.html pub fn append_entry_by_nid_with_type( &mut self, field: Nid, @@ -1068,7 +1068,7 @@ impl X509NameRef { /// /// This corresponds to [`i2d_X509_NAME`]. /// - /// [`i2d_X509_NAME`]: https://www.openssl.org/docs/man1.1.0/crypto/i2d_X509_NAME.html + /// [`i2d_X509_NAME`]: https://www.openssl.org/docs/manmaster/crypto/i2d_X509_NAME.html to_der, ffi::i2d_X509_NAME } @@ -1132,7 +1132,7 @@ impl X509NameEntryRef { /// /// This corresponds to [`X509_NAME_ENTRY_get_data`]. /// - /// [`X509_NAME_ENTRY_get_data`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_NAME_ENTRY_get_data.html + /// [`X509_NAME_ENTRY_get_data`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_ENTRY_get_data.html pub fn data(&self) -> &Asn1StringRef { unsafe { let data = ffi::X509_NAME_ENTRY_get_data(self.as_ptr()); @@ -1145,7 +1145,7 @@ impl X509NameEntryRef { /// /// This corresponds to [`X509_NAME_ENTRY_get_object`]. /// - /// [`X509_NAME_ENTRY_get_object`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_NAME_ENTRY_get_object.html + /// [`X509_NAME_ENTRY_get_object`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_ENTRY_get_object.html pub fn object(&self) -> &Asn1ObjectRef { unsafe { let object = ffi::X509_NAME_ENTRY_get_object(self.as_ptr()); @@ -1168,7 +1168,7 @@ impl X509ReqBuilder { /// /// This corresponds to [`X509_REQ_new`]. /// - ///[`X509_REQ_new`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_new.html + ///[`X509_REQ_new`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_new.html pub fn new() -> Result { unsafe { ffi::init(); @@ -1180,7 +1180,7 @@ impl X509ReqBuilder { /// /// This corresponds to [`X509_REQ_set_version`]. /// - ///[`X509_REQ_set_version`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_set_version.html + ///[`X509_REQ_set_version`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_set_version.html pub fn set_version(&mut self, version: i32) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_REQ_set_version( @@ -1195,7 +1195,7 @@ impl X509ReqBuilder { /// /// This corresponds to [`X509_REQ_set_subject_name`]. /// - /// [`X509_REQ_set_subject_name`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_set_subject_name.html + /// [`X509_REQ_set_subject_name`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_set_subject_name.html pub fn set_subject_name(&mut self, subject_name: &X509NameRef) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_REQ_set_subject_name( @@ -1210,7 +1210,7 @@ impl X509ReqBuilder { /// /// This corresponds to [`X509_REQ_set_pubkey`]. /// - /// [`X509_REQ_set_pubkey`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_set_pubkey.html + /// [`X509_REQ_set_pubkey`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_set_pubkey.html pub fn set_pubkey(&mut self, key: &PKeyRef) -> Result<(), ErrorStack> where T: HasPublic, @@ -1260,7 +1260,7 @@ impl X509ReqBuilder { /// /// This corresponds to [`X509_REQ_sign`]. /// - /// [`X509_REQ_sign`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_sign.html + /// [`X509_REQ_sign`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_sign.html pub fn sign(&mut self, key: &PKeyRef, hash: MessageDigest) -> Result<(), ErrorStack> where T: HasPrivate, @@ -1304,7 +1304,7 @@ impl X509Req { /// /// This corresponds to [`PEM_read_bio_X509_REQ`]. /// - /// [`PEM_read_bio_X509_REQ`]: https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_X509_REQ.html + /// [`PEM_read_bio_X509_REQ`]: https://www.openssl.org/docs/manmaster/crypto/PEM_read_bio_X509_REQ.html from_pem, X509Req, ffi::PEM_read_bio_X509_REQ @@ -1315,7 +1315,7 @@ impl X509Req { /// /// This corresponds to [`d2i_X509_REQ`]. /// - /// [`d2i_X509_REQ`]: https://www.openssl.org/docs/man1.1.0/crypto/d2i_X509_REQ.html + /// [`d2i_X509_REQ`]: https://www.openssl.org/docs/manmaster/crypto/d2i_X509_REQ.html from_der, X509Req, ffi::d2i_X509_REQ @@ -1330,7 +1330,7 @@ impl X509ReqRef { /// /// This corresponds to [`PEM_write_bio_X509_REQ`]. /// - /// [`PEM_write_bio_X509_REQ`]: https://www.openssl.org/docs/man1.0.2/crypto/PEM_write_bio_X509_REQ.html + /// [`PEM_write_bio_X509_REQ`]: https://www.openssl.org/docs/manmaster/crypto/PEM_write_bio_X509_REQ.html to_pem, ffi::PEM_write_bio_X509_REQ } @@ -1340,7 +1340,7 @@ impl X509ReqRef { /// /// This corresponds to [`i2d_X509_REQ`]. /// - /// [`i2d_X509_REQ`]: https://www.openssl.org/docs/man1.0.2/crypto/i2d_X509_REQ.html + /// [`i2d_X509_REQ`]: https://www.openssl.org/docs/manmaster/crypto/i2d_X509_REQ.html to_der, ffi::i2d_X509_REQ } @@ -1356,7 +1356,7 @@ impl X509ReqRef { /// /// This corresponds to [`X509_REQ_get_version`] /// - /// [`X509_REQ_get_version`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_get_version.html + /// [`X509_REQ_get_version`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_version.html pub fn version(&self) -> i32 { unsafe { X509_REQ_get_version(self.as_ptr()) as i32 } } @@ -1365,7 +1365,7 @@ impl X509ReqRef { /// /// This corresponds to [`X509_REQ_get_subject_name`] /// - /// [`X509_REQ_get_subject_name`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_get_subject_name.html + /// [`X509_REQ_get_subject_name`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_subject_name.html pub fn subject_name(&self) -> &X509NameRef { unsafe { let name = X509_REQ_get_subject_name(self.as_ptr()); @@ -1377,7 +1377,7 @@ impl X509ReqRef { /// /// This corresponds to [`X509_REQ_get_pubkey"] /// - /// [`X509_REQ_get_pubkey`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_get_pubkey.html + /// [`X509_REQ_get_pubkey`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_pubkey.html pub fn public_key(&self) -> Result, ErrorStack> { unsafe { let key = cvt_p(ffi::X509_REQ_get_pubkey(self.as_ptr()))?; @@ -1391,7 +1391,7 @@ impl X509ReqRef { /// /// This corresponds to [`X509_REQ_verify"]. /// - /// [`X509_REQ_verify`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_REQ_verify.html + /// [`X509_REQ_verify`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_verify.html pub fn verify(&self, key: &PKeyRef) -> Result where T: HasPublic, @@ -1452,7 +1452,7 @@ impl X509VerifyResult { /// /// This corresponds to [`X509_verify_cert_error_string`]. /// - /// [`X509_verify_cert_error_string`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_verify_cert_error_string.html + /// [`X509_verify_cert_error_string`]: https://www.openssl.org/docs/manmaster/crypto/X509_verify_cert_error_string.html #[allow(clippy::trivially_copy_pass_by_ref)] pub fn error_string(&self) -> &'static str { ffi::init(); diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs index a685fa18e6..15b87e8ca9 100644 --- a/openssl/src/x509/store.rs +++ b/openssl/src/x509/store.rs @@ -145,7 +145,7 @@ generic_foreign_type_and_impl_send_sync! { /// Marker type corresponding to the [`X509_LOOKUP_hash_dir`] lookup method. /// -/// [`X509_LOOKUP_hash_dir`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_LOOKUP_hash_dir.html +/// [`X509_LOOKUP_hash_dir`]: https://www.openssl.org/docs/manmaster/crypto/X509_LOOKUP_hash_dir.html // FIXME should be an enum pub struct HashDir; From 3de9f26c1676712c9bad99622a953e55a9f5842e Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Tue, 13 Dec 2022 13:23:22 +0100 Subject: [PATCH 036/209] Add binding for X509_load_crl_file Signed-off-by: Steffen Eiden --- openssl-sys/src/handwritten/x509_vfy.rs | 1 + openssl/src/x509/store.rs | 20 +++++++++++++++++++- openssl/src/x509/tests.rs | 9 +++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs index 3ebbea697b..387b9dd045 100644 --- a/openssl-sys/src/handwritten/x509_vfy.rs +++ b/openssl-sys/src/handwritten/x509_vfy.rs @@ -21,6 +21,7 @@ extern "C" { ret: *mut *mut c_char, ) -> c_int; pub fn X509_load_cert_file(ctx: *mut X509_LOOKUP, file: *const c_char, _type: c_int) -> c_int; + pub fn X509_load_crl_file(ctx: *mut X509_LOOKUP, file: *const c_char, _type: c_int) -> c_int; } extern "C" { diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs index 15b87e8ca9..fa17cc4b9c 100644 --- a/openssl/src/x509/store.rs +++ b/openssl/src/x509/store.rs @@ -194,8 +194,9 @@ impl X509Lookup { #[cfg(not(boringssl))] impl X509LookupRef { - #[corresponds(X509_load_cert_file)] /// Specifies a file from which certificates will be loaded + #[corresponds(X509_load_cert_file)] + // FIXME should return 'Result>( &mut self, file: P, @@ -211,6 +212,23 @@ impl X509LookupRef { .map(|_| ()) } } + + /// Specifies a file from which certificate revocation lists will be loaded + #[corresponds(X509_load_crl_file)] + pub fn load_crl_file>( + &mut self, + file: P, + file_type: SslFiletype, + ) -> Result { + let file = CString::new(file.as_ref().as_os_str().to_str().unwrap()).unwrap(); + unsafe { + cvt(ffi::X509_load_crl_file( + self.as_ptr(), + file.as_ptr(), + file_type.as_raw(), + )) + } + } } generic_foreign_type_and_impl_send_sync! { diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index d5be9f0f53..114869aa1a 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -786,3 +786,12 @@ fn test_add_name_entry() { assert_eq!(outp_name.data().as_slice(), inp_name.data().as_slice()); assert!(entries.next().is_none()); } + +#[test] +#[cfg(not(boringssl))] +fn test_load_crl_file_fail() { + let mut store_bldr = X509StoreBuilder::new().unwrap(); + let lookup = store_bldr.add_lookup(X509Lookup::file()).unwrap(); + let res = lookup.load_crl_file("test/root-ca.pem", SslFiletype::PEM); + assert!(res.is_err()); +} From 19f159438fee63fe9e394d5e530da14de168c587 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 24 Dec 2022 23:29:25 -0500 Subject: [PATCH 037/209] Added PKey::private_key_to_pkcs8 --- openssl/src/pkey.rs | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 2039e7e908..780bd637e5 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -323,6 +323,25 @@ where } } + /// Serializes a private key into an unencrypted DER-formatted PKCS#8 + #[corresponds(i2d_PKCS8PrivateKey_bio)] + pub fn private_key_to_pkcs8(&self) -> Result, ErrorStack> { + unsafe { + let bio = MemBio::new()?; + cvt(ffi::i2d_PKCS8PrivateKey_bio( + bio.as_ptr(), + self.as_ptr(), + ptr::null(), + ptr::null_mut(), + 0, + None, + ptr::null_mut(), + ))?; + + Ok(bio.get_buf().to_owned()) + } + } + /// Serializes a private key into a DER-formatted PKCS#8, using the supplied password to /// encrypt the key. /// @@ -889,7 +908,14 @@ mod tests { #[test] fn test_unencrypted_pkcs8() { let key = include_bytes!("../test/pkcs8-nocrypt.der"); - PKey::private_key_from_pkcs8(key).unwrap(); + let pkey = PKey::private_key_from_pkcs8(key).unwrap(); + let serialized = pkey.private_key_to_pkcs8().unwrap(); + let pkey2 = PKey::private_key_from_pkcs8(&serialized).unwrap(); + + assert_eq!( + pkey2.private_key_to_der().unwrap(), + pkey.private_key_to_der().unwrap() + ); } #[test] From d3e557cf4836e49d97f38dcf2b349b8e7c30d9a8 Mon Sep 17 00:00:00 2001 From: timothy Date: Sun, 25 Dec 2022 20:40:54 +0700 Subject: [PATCH 038/209] Export SRTP_AEAD_AES_128_GCM and SRTP_AEAD_AES_256_GCM to BoringSSL --- openssl/src/srtp.rs | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/openssl/src/srtp.rs b/openssl/src/srtp.rs index 7ed3135963..595757dc04 100644 --- a/openssl/src/srtp.rs +++ b/openssl/src/srtp.rs @@ -46,10 +46,12 @@ impl SrtpProfileId { SrtpProfileId(ffi::SRTP_AES128_F8_SHA1_32 as c_ulong); pub const SRTP_NULL_SHA1_80: SrtpProfileId = SrtpProfileId(ffi::SRTP_NULL_SHA1_80 as c_ulong); pub const SRTP_NULL_SHA1_32: SrtpProfileId = SrtpProfileId(ffi::SRTP_NULL_SHA1_32 as c_ulong); - #[cfg(ossl110)] - pub const SRTP_AEAD_AES_128_GCM: SrtpProfileId = SrtpProfileId(ffi::SRTP_AEAD_AES_128_GCM); - #[cfg(ossl110)] - pub const SRTP_AEAD_AES_256_GCM: SrtpProfileId = SrtpProfileId(ffi::SRTP_AEAD_AES_256_GCM); + #[cfg(any(boringssl, ossl110))] + pub const SRTP_AEAD_AES_128_GCM: SrtpProfileId = + SrtpProfileId(ffi::SRTP_AEAD_AES_128_GCM as c_ulong); + #[cfg(any(boringssl, ossl110))] + pub const SRTP_AEAD_AES_256_GCM: SrtpProfileId = + SrtpProfileId(ffi::SRTP_AEAD_AES_256_GCM as c_ulong); /// Creates a `SrtpProfileId` from an integer representation. pub fn from_raw(value: c_ulong) -> SrtpProfileId { From f95fd5bac186bd0531de7d5b363fa3071066900e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 25 Dec 2022 14:50:15 -0500 Subject: [PATCH 039/209] Refs #1768 -- reject boringssl if unstable_boringssl feature isn't specified --- openssl-sys/build/expando.c | 4 ++++ openssl-sys/build/main.rs | 8 ++++++++ 2 files changed, 12 insertions(+) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index 2ec63ec046..980241074a 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -15,6 +15,10 @@ NEW_VERSION(OPENSSL_VERSION_MAJOR, OPENSSL_VERSION_MINOR, OPENSSL_VERSION_PATCH) VERSION(OPENSSL, OPENSSL_VERSION_NUMBER) #endif +#ifdef OPENSSL_IS_BORINGSSL +RUST_OPENSSL_IS_BORINGSSL +#endif + #ifdef OPENSSL_NO_BF RUST_CONF_OPENSSL_NO_BF #endif diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index cdea3eb447..1c5a5e7d9f 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -215,12 +215,14 @@ See rust-openssl documentation for more information: let mut enabled = vec![]; let mut openssl_version = None; let mut libressl_version = None; + let mut is_boringssl = false; for line in expanded.lines() { let line = line.trim(); let openssl_prefix = "RUST_VERSION_OPENSSL_"; let new_openssl_prefix = "RUST_VERSION_NEW_OPENSSL_"; let libressl_prefix = "RUST_VERSION_LIBRESSL_"; + let boringsl_prefix = "RUST_OPENSSL_IS_BORINGSSL"; let conf_prefix = "RUST_CONF_"; if line.starts_with(openssl_prefix) { let version = &line[openssl_prefix.len()..]; @@ -233,9 +235,15 @@ See rust-openssl documentation for more information: libressl_version = Some(parse_version(version)); } else if line.starts_with(conf_prefix) { enabled.push(&line[conf_prefix.len()..]); + } else if line.starts_with(boringsl_prefix) { + is_boringssl = true; } } + if is_boringssl { + panic!("BoringSSL detected, but `unstable_boringssl` feature wasn't specified.") + } + for enabled in &enabled { println!("cargo:rustc-cfg=osslconf=\"{}\"", enabled); } From ed40115eb09d3a9d9d3baa78011c43e08f752e2a Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 29 Dec 2022 18:40:05 -0500 Subject: [PATCH 040/209] Support pkcs12 archives without an identity --- openssl/src/cms.rs | 16 +++++++++++----- openssl/src/pkcs12.rs | 41 ++++++++++++++++++++++++++++++----------- 2 files changed, 41 insertions(+), 16 deletions(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index 185c4dfa94..bef21f93c9 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -249,7 +249,7 @@ mod test { let priv_cert_bytes = include_bytes!("../test/cms.p12"); let priv_cert = Pkcs12::from_der(priv_cert_bytes).expect("failed to load priv cert"); let priv_cert = priv_cert - .parse("mypass") + .parse2("mypass") .expect("failed to parse priv cert"); // encrypt cms message using public key cert @@ -274,13 +274,16 @@ mod test { CmsContentInfo::from_der(&encrypted_der).expect("failed read cms from der"); let decrypt_with_cert_check = decrypt - .decrypt(&priv_cert.pkey, &priv_cert.cert) + .decrypt( + priv_cert.pkey.as_ref().unwrap(), + priv_cert.cert.as_ref().unwrap(), + ) .expect("failed to decrypt cms"); let decrypt_with_cert_check = String::from_utf8(decrypt_with_cert_check) .expect("failed to create string from cms content"); let decrypt_without_cert_check = decrypt - .decrypt_without_cert_check(&priv_cert.pkey) + .decrypt_without_cert_check(priv_cert.pkey.as_ref().unwrap()) .expect("failed to decrypt cms"); let decrypt_without_cert_check = String::from_utf8(decrypt_without_cert_check) .expect("failed to create string from cms content"); @@ -296,13 +299,16 @@ mod test { CmsContentInfo::from_pem(&encrypted_pem).expect("failed read cms from pem"); let decrypt_with_cert_check = decrypt - .decrypt(&priv_cert.pkey, &priv_cert.cert) + .decrypt( + priv_cert.pkey.as_ref().unwrap(), + priv_cert.cert.as_ref().unwrap(), + ) .expect("failed to decrypt cms"); let decrypt_with_cert_check = String::from_utf8(decrypt_with_cert_check) .expect("failed to create string from cms content"); let decrypt_without_cert_check = decrypt - .decrypt_without_cert_check(&priv_cert.pkey) + .decrypt_without_cert_check(priv_cert.pkey.as_ref().unwrap()) .expect("failed to decrypt cms"); let decrypt_without_cert_check = String::from_utf8(decrypt_without_cert_check) .expect("failed to create string from cms content"); diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs index c6347a573b..1548b36885 100644 --- a/openssl/src/pkcs12.rs +++ b/openssl/src/pkcs12.rs @@ -32,9 +32,22 @@ impl Pkcs12Ref { ffi::i2d_PKCS12 } + /// Deprecated. + #[deprecated(note = "Use parse2 instead", since = "0.10.46")] + #[allow(deprecated)] + pub fn parse(&self, pass: &str) -> Result { + let parsed = self.parse2(pass)?; + + Ok(ParsedPkcs12 { + pkey: parsed.pkey.unwrap(), + cert: parsed.cert.unwrap(), + chain: parsed.chain, + }) + } + /// Extracts the contents of the `Pkcs12`. #[corresponds(PKCS12_parse)] - pub fn parse(&self, pass: &str) -> Result { + pub fn parse2(&self, pass: &str) -> Result { unsafe { let pass = CString::new(pass.as_bytes()).unwrap(); @@ -50,12 +63,11 @@ impl Pkcs12Ref { &mut chain, ))?; - let pkey = PKey::from_ptr(pkey); - let cert = X509::from_ptr(cert); - + let pkey = PKey::from_ptr_opt(pkey); + let cert = X509::from_ptr_opt(cert); let chain = Stack::from_ptr_opt(chain); - Ok(ParsedPkcs12 { pkey, cert, chain }) + Ok(ParsedPkcs12_2 { pkey, cert, chain }) } } } @@ -93,12 +105,19 @@ impl Pkcs12 { } } +#[deprecated(note = "Use ParsedPkcs12_2 instead", since = "0.10.46")] pub struct ParsedPkcs12 { pub pkey: PKey, pub cert: X509, pub chain: Option>, } +pub struct ParsedPkcs12_2 { + pub pkey: Option>, + pub cert: Option, + pub chain: Option>, +} + pub struct Pkcs12Builder { nid_key: Nid, nid_cert: Nid, @@ -246,10 +265,10 @@ mod test { let der = include_bytes!("../test/identity.p12"); let pkcs12 = Pkcs12::from_der(der).unwrap(); - let parsed = pkcs12.parse("mypass").unwrap(); + let parsed = pkcs12.parse2("mypass").unwrap(); assert_eq!( - hex::encode(parsed.cert.digest(MessageDigest::sha1()).unwrap()), + hex::encode(parsed.cert.unwrap().digest(MessageDigest::sha1()).unwrap()), "59172d9313e84459bcff27f967e79e6e9217e584" ); @@ -268,7 +287,7 @@ mod test { let der = include_bytes!("../test/keystore-empty-chain.p12"); let pkcs12 = Pkcs12::from_der(der).unwrap(); - let parsed = pkcs12.parse("cassandra").unwrap(); + let parsed = pkcs12.parse2("cassandra").unwrap(); if let Some(stack) = parsed.chain { assert_eq!(stack.len(), 0); } @@ -309,12 +328,12 @@ mod test { let der = pkcs12.to_der().unwrap(); let pkcs12 = Pkcs12::from_der(&der).unwrap(); - let parsed = pkcs12.parse("mypass").unwrap(); + let parsed = pkcs12.parse2("mypass").unwrap(); assert_eq!( - &*parsed.cert.digest(MessageDigest::sha1()).unwrap(), + &*parsed.cert.unwrap().digest(MessageDigest::sha1()).unwrap(), &*cert.digest(MessageDigest::sha1()).unwrap() ); - assert!(parsed.pkey.public_eq(&pkey)); + assert!(parsed.pkey.unwrap().public_eq(&pkey)); } } From e04098e8567d275c04fc617c57884e7c379c5b6f Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Fri, 30 Dec 2022 19:26:58 -0500 Subject: [PATCH 041/209] Support construction of PKCS#12 archives with no identity --- openssl/src/pkcs12.rs | 129 +++++++++++++++++++++++++++++------------- 1 file changed, 91 insertions(+), 38 deletions(-) diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs index 1548b36885..d74705eaa8 100644 --- a/openssl/src/pkcs12.rs +++ b/openssl/src/pkcs12.rs @@ -41,7 +41,7 @@ impl Pkcs12Ref { Ok(ParsedPkcs12 { pkey: parsed.pkey.unwrap(), cert: parsed.cert.unwrap(), - chain: parsed.chain, + chain: parsed.ca, }) } @@ -53,21 +53,21 @@ impl Pkcs12Ref { let mut pkey = ptr::null_mut(); let mut cert = ptr::null_mut(); - let mut chain = ptr::null_mut(); + let mut ca = ptr::null_mut(); cvt(ffi::PKCS12_parse( self.as_ptr(), pass.as_ptr(), &mut pkey, &mut cert, - &mut chain, + &mut ca, ))?; let pkey = PKey::from_ptr_opt(pkey); let cert = X509::from_ptr_opt(cert); - let chain = Stack::from_ptr_opt(chain); + let ca = Stack::from_ptr_opt(ca); - Ok(ParsedPkcs12_2 { pkey, cert, chain }) + Ok(ParsedPkcs12_2 { pkey, cert, ca }) } } } @@ -94,13 +94,16 @@ impl Pkcs12 { ffi::init(); Pkcs12Builder { + name: None, + pkey: None, + cert: None, + ca: None, nid_key: Nid::UNDEF, nid_cert: Nid::UNDEF, iter: ffi::PKCS12_DEFAULT_ITER, mac_iter: ffi::PKCS12_DEFAULT_ITER, #[cfg(not(boringssl))] mac_md: None, - ca: None, } } } @@ -115,20 +118,54 @@ pub struct ParsedPkcs12 { pub struct ParsedPkcs12_2 { pub pkey: Option>, pub cert: Option, - pub chain: Option>, + pub ca: Option>, } pub struct Pkcs12Builder { + // FIXME borrow + name: Option, + pkey: Option>, + cert: Option, + ca: Option>, nid_key: Nid, nid_cert: Nid, iter: c_int, mac_iter: c_int, + // FIXME remove #[cfg(not(boringssl))] mac_md: Option, - ca: Option>, } impl Pkcs12Builder { + /// The `friendlyName` used for the certificate and private key. + pub fn name(&mut self, name: &str) -> &mut Self { + self.name = Some(CString::new(name).unwrap()); + self + } + + /// The private key. + pub fn pkey(&mut self, pkey: &PKeyRef) -> &mut Self + where + T: HasPrivate, + { + let new_pkey = unsafe { PKeyRef::from_ptr(pkey.as_ptr()) }; + self.pkey = Some(new_pkey.to_owned()); + self + } + + /// The certificate. + pub fn cert(&mut self, cert: &X509Ref) -> &mut Self { + self.cert = Some(cert.to_owned()); + self + } + + /// An additional set of certificates to include in the archive beyond the one provided to + /// `build`. + pub fn ca(&mut self, ca: Stack) -> &mut Self { + self.ca = Some(ca); + self + } + /// The encryption algorithm that should be used for the key pub fn key_algorithm(&mut self, nid: Nid) -> &mut Self { self.nid_key = nid; @@ -163,24 +200,13 @@ impl Pkcs12Builder { self } - /// An additional set of certificates to include in the archive beyond the one provided to - /// `build`. - pub fn ca(&mut self, ca: Stack) -> &mut Self { - self.ca = Some(ca); - self - } - - /// Builds the PKCS #12 object - /// - /// # Arguments - /// - /// * `password` - the password used to encrypt the key and certificate - /// * `friendly_name` - user defined name for the certificate - /// * `pkey` - key to store - /// * `cert` - certificate to store - #[corresponds(PKCS12_create)] + /// Deprecated. + #[deprecated( + note = "Use Self::{name, pkey, cert, build2} instead.", + since = "0.10.46" + )] pub fn build( - self, + mut self, password: &str, friendly_name: &str, pkey: &PKeyRef, @@ -189,11 +215,21 @@ impl Pkcs12Builder { where T: HasPrivate, { + self.name(friendly_name) + .pkey(pkey) + .cert(cert) + .build2(password) + } + + /// Builds the PKCS#12 object. + #[corresponds(PKCS12_create)] + pub fn build2(&self, password: &str) -> Result { unsafe { let pass = CString::new(password).unwrap(); - let friendly_name = CString::new(friendly_name).unwrap(); - let pkey = pkey.as_ptr(); - let cert = cert.as_ptr(); + let pass = pass.as_ptr(); + let friendly_name = self.name.as_ref().map_or(ptr::null(), |p| p.as_ptr()); + let pkey = self.pkey.as_ref().map_or(ptr::null(), |p| p.as_ptr()); + let cert = self.cert.as_ref().map_or(ptr::null(), |p| p.as_ptr()); let ca = self .ca .as_ref() @@ -208,10 +244,10 @@ impl Pkcs12Builder { let keytype = 0; let pkcs12 = cvt_p(ffi::PKCS12_create( - pass.as_ptr() as *const _ as *mut _, - friendly_name.as_ptr() as *const _ as *mut _, - pkey, - cert, + pass as *mut _, + friendly_name as *mut _, + pkey as *mut _, + cert as *mut _, ca, nid_key, nid_cert, @@ -232,7 +268,7 @@ impl Pkcs12Builder { cvt(ffi::PKCS12_set_mac( pkcs12.as_ptr(), - pass.as_ptr(), + pass, -1, ptr::null_mut(), 0, @@ -272,7 +308,7 @@ mod test { "59172d9313e84459bcff27f967e79e6e9217e584" ); - let chain = parsed.chain.unwrap(); + let chain = parsed.ca.unwrap(); assert_eq!(chain.len(), 1); assert_eq!( hex::encode(chain[0].digest(MessageDigest::sha1()).unwrap()), @@ -288,7 +324,7 @@ mod test { let der = include_bytes!("../test/keystore-empty-chain.p12"); let pkcs12 = Pkcs12::from_der(der).unwrap(); let parsed = pkcs12.parse2("cassandra").unwrap(); - if let Some(stack) = parsed.chain { + if let Some(stack) = parsed.ca { assert_eq!(stack.len(), 0); } } @@ -321,9 +357,11 @@ mod test { builder.sign(&pkey, MessageDigest::sha256()).unwrap(); let cert = builder.build(); - let pkcs12_builder = Pkcs12::builder(); - let pkcs12 = pkcs12_builder - .build("mypass", subject_name, &pkey, &cert) + let pkcs12 = Pkcs12::builder() + .name(subject_name) + .pkey(&pkey) + .cert(&cert) + .build2("mypass") .unwrap(); let der = pkcs12.to_der().unwrap(); @@ -336,4 +374,19 @@ mod test { ); assert!(parsed.pkey.unwrap().public_eq(&pkey)); } + + #[test] + fn create_only_ca() { + let ca = include_bytes!("../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let mut chain = Stack::new().unwrap(); + chain.push(ca).unwrap(); + + let pkcs12 = Pkcs12::builder().ca(chain).build2("hunter2").unwrap(); + let parsed = pkcs12.parse2("hunter2").unwrap(); + + assert!(parsed.cert.is_none()); + assert!(parsed.pkey.is_none()); + assert_eq!(parsed.ca.unwrap().len(), 1); + } } From ae3b75f81eca319d0731c43b05ce8aafad91bc8b Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Thu, 5 Jan 2023 15:56:50 +0000 Subject: [PATCH 042/209] Update CRL bindings --- openssl/src/x509/mod.rs | 73 ++++++++++++----------------------------- 1 file changed, 21 insertions(+), 52 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index f52f4ea169..d607d2cec0 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1426,11 +1426,8 @@ impl Stackable for X509Revoked { impl X509Revoked { from_der! { - /// Deserializes a DER-encoded certificate revokation status - /// - /// This corresponds to [`d2i_X509_REVOKED`]. - /// - /// [`d2i_X509_REVOKED`]: https://www.openssl.org/docs/man1.1.0/crypto/d2i_X509_REVOKED.html + /// Deserializes a DER-encoded certificate revocation status + #[corresponds(d2i_X509_REVOKED)] from_der, X509Revoked, ffi::d2i_X509_REVOKED @@ -1440,15 +1437,13 @@ impl X509Revoked { impl X509RevokedRef { to_der! { /// Serializes the certificate request to a DER-encoded certificate revocation status - /// - /// This corresponds to [`i2d_X509_REVOKED`]. - /// - /// [`i2d_X509_REVOKED`]: https://www.openssl.org/docs/man1.0.2/crypto/i2d_X509_REQ.html + #[corresponds(d2i_X509_REVOKED)] to_der, ffi::i2d_X509_REVOKED } /// Get the date that the certificate was revoked + #[corresponds(X509_REVOKED_get0_revocationDate)] pub fn revocation_date(&self) -> &Asn1TimeRef { unsafe { let r = X509_REVOKED_get0_revocationDate(self.as_ptr() as *const _); @@ -1458,6 +1453,7 @@ impl X509RevokedRef { } /// Get the serial number of the revoked certificate + #[corresponds(X509_REVOKED_get0_serialNumber)] pub fn serial_number(&self) -> &Asn1IntegerRef { unsafe { let r = X509_REVOKED_get0_serialNumber(self.as_ptr() as *const _); @@ -1513,7 +1509,10 @@ impl<'a> CrlStatus<'a> { assert!(!revoked_entry.is_null()); CrlStatus::RemoveFromCrl(X509RevokedRef::from_ptr(revoked_entry)) } - _ => unreachable!("X509_CRL_get0_by_{{serial,cert}} should only return 0, 1, or 2."), + _ => unreachable!( + "{}", + "X509_CRL_get0_by_{{serial,cert}} should only return 0, 1, or 2." + ), } } } @@ -1523,10 +1522,7 @@ impl X509Crl { /// Deserializes a PEM-encoded Certificate Revocation List /// /// The input should have a header of `-----BEGIN X509 CRL-----`. - /// - /// This corresponds to [`PEM_read_bio_X509_CRL`]. - /// - /// [`PEM_read_bio_X509_CRL`]: https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_X509_REQ.html + #[corresponds(PEM_read_bio_X509_CRL)] from_pem, X509Crl, ffi::PEM_read_bio_X509_CRL @@ -1534,10 +1530,7 @@ impl X509Crl { from_der! { /// Deserializes a DER-encoded Certificate Revocation List - /// - /// This corresponds to [`d2i_X509_CRL`]. - /// - /// [`d2i_X509_CRL`]: https://www.openssl.org/docs/man1.1.0/crypto/d2i_X509_REQ.html + #[corresponds(d2i_X509_CRL)] from_der, X509Crl, ffi::d2i_X509_CRL @@ -1549,20 +1542,14 @@ impl X509CrlRef { /// Serializes the certificate request to a PEM-encoded Certificate Revocation List. /// /// The output will have a header of `-----BEGIN X509 CRL-----`. - /// - /// This corresponds to [`PEM_write_bio_X509_CRL`]. - /// - /// [`PEM_write_bio_X509_CRL`]: https://www.openssl.org/docs/man1.0.2/crypto/PEM_write_bio_X509_REQ.html + #[corresponds(PEM_write_bio_X509_CRL)] to_pem, ffi::PEM_write_bio_X509_CRL } to_der! { /// Serializes the certificate request to a DER-encoded Certificate Revocation List. - /// - /// This corresponds to [`i2d_X509_CRL`]. - /// - /// [`i2d_X509_CRL`]: https://www.openssl.org/docs/man1.0.2/crypto/i2d_X509_REQ.html + #[corresponds(i2d_X509_CRL)] to_der, ffi::i2d_X509_CRL } @@ -1580,10 +1567,7 @@ impl X509CrlRef { } /// Returns the CRL's `lastUpdate` time. - /// - /// This corresponds to [`X509_CRL_get0_lastUpdate"] - /// - /// [`X509_CRL_get0_lastUpdate`]: https://www.openssl.org/docs/man1.1.1/man3/X509_CRL_get0_lastUpdate.html + #[corresponds(X509_CRL_get0_lastUpdate)] pub fn last_update(&self) -> &Asn1TimeRef { unsafe { let date = X509_CRL_get0_lastUpdate(self.as_ptr()); @@ -1595,26 +1579,16 @@ impl X509CrlRef { /// Returns the CRL's `nextUpdate` time. /// /// If the `nextUpdate` field is missing, returns `None`. - /// - /// This corresponds to [`X509_CRL_get0_nextUpdate"] - /// - /// [`X509_CRL_get0_nextUpdate`]: https://www.openssl.org/docs/man1.1.1/man3/X509_CRL_get0_nextUpdate.html + #[corresponds(X509_CRL_get0_nextUpdate)] pub fn next_update(&self) -> Option<&Asn1TimeRef> { unsafe { let date = X509_CRL_get0_nextUpdate(self.as_ptr()); - if date.is_null() { - None - } else { - Some(Asn1TimeRef::from_ptr(date as *mut _)) - } + Asn1TimeRef::from_const_ptr_opt(date) } } /// Get the revocation status of a certificate by its serial number - /// - /// This corresponds to [`X509_CRL_get0_by_serial`] - /// - /// [`X509_CRL_get0_by_serial`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_CRL_get0_by_serial.html + #[corresponds(X509_CRL_get0_by_serial)] pub fn get_by_serial<'a>(&'a self, serial: &Asn1IntegerRef) -> CrlStatus<'a> { unsafe { let mut ret = ptr::null_mut::(); @@ -1625,10 +1599,7 @@ impl X509CrlRef { } /// Get the revocation status of a certificate - /// - /// This corresponds to [`X509_CRL_get0_by_cert`] - /// - /// [`X509_CRL_get0_by_cert`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_CRL_get0_by_cert.html + #[corresponds(X509_CRL_get0_by_cert)] pub fn get_by_cert<'a>(&'a self, cert: &X509) -> CrlStatus<'a> { unsafe { let mut ret = ptr::null_mut::(); @@ -1639,6 +1610,7 @@ impl X509CrlRef { } /// Get the issuer name from the revocation list. + #[corresponds(X509_CRL_get_issuer)] pub fn issuer_name(&self) -> &X509NameRef { unsafe { let name = X509_CRL_get_issuer(self.as_ptr()); @@ -1653,10 +1625,7 @@ impl X509CrlRef { /// are performed. /// /// Returns `true` if verification succeeds. - /// - /// This corresponds to [`X509_CRL_verify"]. - /// - /// [`X509_CRL_verify`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_CRL_verify.html + #[corresponds(X509_CRL_verify)] pub fn verify(&self, key: &PKeyRef) -> Result where T: HasPublic, @@ -1994,7 +1963,7 @@ cfg_if! { } cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, libressl350))] { use ffi::{ X509_CRL_get_issuer, X509_CRL_get0_nextUpdate, X509_CRL_get0_lastUpdate, X509_CRL_get_REVOKED, From 3f68c0e5c77bd27ece67eb589ac71fc734fffe5b Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Thu, 5 Jan 2023 16:56:02 +0000 Subject: [PATCH 043/209] Use boringssl CRL functions, not structs --- openssl/src/x509/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index d607d2cec0..7870fa836f 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1963,7 +1963,7 @@ cfg_if! { } cfg_if! { - if #[cfg(any(ossl110, libressl350))] { + if #[cfg(any(ossl110, libressl350, boringssl))] { use ffi::{ X509_CRL_get_issuer, X509_CRL_get0_nextUpdate, X509_CRL_get0_lastUpdate, X509_CRL_get_REVOKED, From afaf34065b06ecc0ba5f6ef0460bbfe5ee245ded Mon Sep 17 00:00:00 2001 From: Rui Chen Date: Sat, 7 Jan 2023 00:22:09 -0500 Subject: [PATCH 044/209] brew: prefer to install openssl@3 --- openssl/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 891651ec53..035c90c682 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -29,7 +29,7 @@ //! //! ```not_rust //! # macOS (Homebrew) -//! $ brew install openssl@1.1 +//! $ brew install openssl@3 //! //! # macOS (MacPorts) //! $ sudo port install openssl From 32a303a752732fdd27c407a3a7fd668e546c05db Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 7 Jan 2023 19:53:23 -0500 Subject: [PATCH 045/209] Remove manual libatomic reference The upstream bug has been fixed. --- openssl-sys/build/main.rs | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 1c5a5e7d9f..02ab5c4ac3 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -122,16 +122,6 @@ fn main() { println!("cargo:rustc-link-lib={}={}", kind, lib); } - // https://github.com/openssl/openssl/pull/15086 - if version == Version::Openssl3xx - && kind == "static" - && (env::var("CARGO_CFG_TARGET_OS").unwrap() == "linux" - || env::var("CARGO_CFG_TARGET_OS").unwrap() == "android") - && env::var("CARGO_CFG_TARGET_POINTER_WIDTH").unwrap() == "32" - { - println!("cargo:rustc-link-lib=dylib=atomic"); - } - if kind == "static" && target.contains("windows") { println!("cargo:rustc-link-lib=dylib=gdi32"); println!("cargo:rustc-link-lib=dylib=user32"); From a16ca8d45efb9aeb83de87c12ccd52a13c58ed12 Mon Sep 17 00:00:00 2001 From: iamwwc Date: Tue, 27 Dec 2022 18:28:20 +0800 Subject: [PATCH 046/209] Added following SSL api - set_method - set_private_key_file - set_private_key - set_certificate_pem - set_certificate_chain_file - add_client_ca - set_client_ca_list - set_min_proto_version - set_max_proto_version - set_ciphersuites - set_verify_cert_store --- openssl-sys/src/handwritten/ssl.rs | 9 ++ openssl-sys/src/ssl.rs | 5 + openssl/src/ssl/mod.rs | 175 ++++++++++++++++++++++++++++- openssl/src/ssl/test/mod.rs | 55 +++++++++ 4 files changed, 241 insertions(+), 3 deletions(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index 35b99de3b5..e0c22090e3 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -492,6 +492,8 @@ extern "C" { pub fn SSL_CTX_set_ciphersuites(ctx: *mut SSL_CTX, str: *const c_char) -> c_int; #[cfg(any(ossl111, libressl340))] pub fn SSL_set_ciphersuites(ssl: *mut ::SSL, str: *const c_char) -> c_int; + pub fn SSL_set_cipher_list(ssl: *mut SSL, s: *const c_char) -> c_int; + pub fn SSL_set_ssl_method(s: *mut SSL, method: *const SSL_METHOD) -> c_int; pub fn SSL_set_verify( ssl: *mut SSL, mode: c_int, @@ -515,6 +517,13 @@ extern "C" { ctx: *mut SSL_CTX, cert_chain_file: *const c_char, ) -> c_int; + pub fn SSL_use_PrivateKey_file(ssl: *mut SSL, file: *const c_char, type_: c_int) -> c_int; + pub fn SSL_use_PrivateKey(ssl: *mut SSL, pkey: *mut EVP_PKEY) -> c_int; + pub fn SSL_use_certificate(ssl: *mut SSL, x: *mut X509) -> c_int; + #[cfg(any(ossl110, libressl332))] + pub fn SSL_use_certificate_chain_file(ssl: *mut SSL, file: *const c_char) -> c_int; + pub fn SSL_set_client_CA_list(s: *mut SSL, name_list: *mut stack_st_X509_NAME); + pub fn SSL_add_client_CA(ssl: *mut SSL, x: *mut X509) -> c_int; pub fn SSL_load_client_CA_file(file: *const c_char) -> *mut stack_st_X509_NAME; #[cfg(not(ossl110))] diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs index 9e3956bf2c..c66e42c2c9 100644 --- a/openssl-sys/src/ssl.rs +++ b/openssl-sys/src/ssl.rs @@ -392,6 +392,11 @@ pub unsafe fn SSL_CTX_set0_verify_cert_store(ctx: *mut SSL_CTX, st: *mut X509_ST SSL_CTX_ctrl(ctx, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, st as *mut c_void) } +#[cfg(ossl102)] +pub unsafe fn SSL_set0_verify_cert_store(ssl: *mut SSL, st: *mut X509_STORE) -> c_long { + SSL_ctrl(ssl, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, st as *mut c_void) +} + cfg_if! { if #[cfg(ossl111)] { pub unsafe fn SSL_CTX_set1_groups_list(ctx: *mut SSL_CTX, s: *const c_char) -> c_long { diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 9debaa37d0..8f40ce8212 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -2507,10 +2507,8 @@ impl SslRef { /// Like [`SslContext::private_key`]. /// - /// This corresponds to `SSL_get_privatekey`. - /// /// [`SslContext::private_key`]: struct.SslContext.html#method.private_key - #[corresponds(SSL_get_certificate)] + #[corresponds(SSL_get_privatekey)] pub fn private_key(&self) -> Option<&PKeyRef> { unsafe { let ptr = ffi::SSL_get_privatekey(self.as_ptr()); @@ -3114,6 +3112,177 @@ impl SslRef { } Ok(()) } + + /// Sets a new default TLS/SSL method for SSL objects + #[cfg(not(boringssl))] + pub fn set_method(&mut self, method: SslMethod) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::SSL_set_ssl_method(self.as_ptr(), method.as_ptr()))?; + }; + Ok(()) + } + + /// Loads the private key from a file. + #[corresponds(SSL_use_Private_Key_file)] + pub fn set_private_key_file>( + &mut self, + path: P, + ssl_file_type: SslFiletype, + ) -> Result<(), ErrorStack> { + let p = path.as_ref().as_os_str().to_str().unwrap(); + let key_file = CString::new(p).unwrap(); + unsafe { + cvt(ffi::SSL_use_PrivateKey_file( + self.as_ptr(), + key_file.as_ptr(), + ssl_file_type.as_raw(), + ))?; + }; + Ok(()) + } + + /// Sets the private key. + #[corresponds(SSL_use_PrivateKey)] + pub fn set_private_key(&mut self, pkey: &PKeyRef) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::SSL_use_PrivateKey(self.as_ptr(), pkey.as_ptr()))?; + }; + Ok(()) + } + + /// Sets the certificate + #[corresponds(SSL_use_certificate)] + pub fn set_certificate(&mut self, cert: &X509Ref) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::SSL_use_certificate(self.as_ptr(), cert.as_ptr()))?; + }; + Ok(()) + } + + /// Loads a certificate chain from a file. + /// + /// The file should contain a sequence of PEM-formatted certificates, the first being the leaf + /// certificate, and the remainder forming the chain of certificates up to and including the + /// trusted root certificate. + #[corresponds(SSL_use_certificate_chain_file)] + #[cfg(any(ossl110, libressl332))] + pub fn set_certificate_chain_file>( + &mut self, + path: P, + ) -> Result<(), ErrorStack> { + let p = path.as_ref().as_os_str().to_str().unwrap(); + let cert_file = CString::new(p).unwrap(); + unsafe { + cvt(ffi::SSL_use_certificate_chain_file( + self.as_ptr(), + cert_file.as_ptr(), + ))?; + }; + Ok(()) + } + + /// Sets ca certificate that client trusted + #[corresponds(SSL_add_client_CA)] + pub fn add_client_ca(&mut self, cacert: &X509Ref) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::SSL_add_client_CA(self.as_ptr(), cacert.as_ptr()))?; + }; + Ok(()) + } + + // Sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl + #[corresponds(SSL_set_client_CA_list)] + pub fn set_client_ca_list(&mut self, list: Stack) { + unsafe { ffi::SSL_set_client_CA_list(self.as_ptr(), list.as_ptr()) } + mem::forget(list); + } + + /// Sets the minimum supported protocol version. + /// + /// A value of `None` will enable protocol versions down the the lowest version supported by + /// OpenSSL. + /// + /// Requires OpenSSL 1.1.0 or LibreSSL 2.6.1 or newer. + #[corresponds(SSL_set_min_proto_version)] + #[cfg(any(ossl110, libressl261))] + pub fn set_min_proto_version(&mut self, version: Option) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::SSL_set_min_proto_version( + self.as_ptr(), + version.map_or(0, |v| v.0 as _), + )) + .map(|_| ()) + } + } + + /// Sets the maximum supported protocol version. + /// + /// A value of `None` will enable protocol versions down the the highest version supported by + /// OpenSSL. + /// + /// Requires OpenSSL 1.1.0 or or LibreSSL 2.6.1 or newer. + #[corresponds(SSL_set_max_proto_version)] + #[cfg(any(ossl110, libressl261))] + pub fn set_max_proto_version(&mut self, version: Option) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::SSL_set_max_proto_version( + self.as_ptr(), + version.map_or(0, |v| v.0 as _), + )) + .map(|_| ()) + } + } + + /// Sets the list of supported ciphers for the TLSv1.3 protocol. + /// + /// The `set_cipher_list` method controls the cipher suites for protocols before TLSv1.3. + /// + /// The format consists of TLSv1.3 cipher suite names separated by `:` characters in order of + /// preference. + /// + /// Requires OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer. + #[corresponds(SSL_set_ciphersuites)] + #[cfg(any(ossl111, libressl340))] + pub fn set_ciphersuites(&mut self, cipher_list: &str) -> Result<(), ErrorStack> { + let cipher_list = CString::new(cipher_list).unwrap(); + unsafe { + cvt(ffi::SSL_set_ciphersuites( + self.as_ptr(), + cipher_list.as_ptr() as *const _, + )) + .map(|_| ()) + } + } + + /// Sets the list of supported ciphers for protocols before TLSv1.3. + /// + /// The `set_ciphersuites` method controls the cipher suites for TLSv1.3. + /// + /// See [`ciphers`] for details on the format. + /// + /// [`ciphers`]: https://www.openssl.org/docs/manmaster/apps/ciphers.html + #[corresponds(SSL_set_cipher_list)] + pub fn set_cipher_list(&mut self, cipher_list: &str) -> Result<(), ErrorStack> { + let cipher_list = CString::new(cipher_list).unwrap(); + unsafe { + cvt(ffi::SSL_set_cipher_list( + self.as_ptr(), + cipher_list.as_ptr() as *const _, + )) + .map(|_| ()) + } + } + + /// Set the certificate store used for certificate verification + #[corresponds(SSL_set_cert_store)] + #[cfg(ossl102)] + pub fn set_verify_cert_store(&mut self, cert_store: X509Store) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::SSL_set0_verify_cert_store(self.as_ptr(), cert_store.as_ptr()) as c_int)?; + mem::forget(cert_store); + Ok(()) + } + } } /// An SSL stream midway through the handshake process. diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index dc9cc78527..ddf01f2dd0 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1422,3 +1422,58 @@ fn add_chain_cert() { let mut ssl = Ssl::new(&ctx).unwrap(); assert!(ssl.add_chain_cert(cert).is_ok()); } +#[test] +#[cfg(ossl111)] +fn set_ssl_certificate_key_related_api() { + let cert_str: &str = include_str!("../../../test/cert.pem"); + let key_str: &str = include_str!("../../../test/key.pem"); + let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); + let cert_x509 = X509::from_pem(CERT).unwrap(); + let mut ssl = Ssl::new(&ctx).unwrap(); + assert!(ssl.set_method(SslMethod::tls()).is_ok()); + ssl.set_private_key_file("test/key.pem", SslFiletype::PEM) + .unwrap(); + { + let pkey = String::from_utf8( + ssl.private_key() + .unwrap() + .private_key_to_pem_pkcs8() + .unwrap(), + ) + .unwrap(); + assert!(pkey.lines().eq(key_str.lines())); + } + let pkey = PKey::private_key_from_pem(KEY).unwrap(); + ssl.set_private_key(pkey.as_ref()).unwrap(); + { + let pkey = String::from_utf8( + ssl.private_key() + .unwrap() + .private_key_to_pem_pkcs8() + .unwrap(), + ) + .unwrap(); + assert!(pkey.lines().eq(key_str.lines())); + } + ssl.set_certificate(cert_x509.as_ref()).unwrap(); + let cert = String::from_utf8(ssl.certificate().unwrap().to_pem().unwrap()).unwrap(); + assert!(cert.lines().eq(cert_str.lines())); + ssl.add_client_ca(cert_x509.as_ref()).unwrap(); + ssl.set_min_proto_version(Some(SslVersion::TLS1_2)).unwrap(); + ssl.set_max_proto_version(Some(SslVersion::TLS1_3)).unwrap(); + ssl.set_cipher_list("HIGH:!aNULL:!MD5").unwrap(); + ssl.set_ciphersuites("TLS_AES_128_GCM_SHA256").unwrap(); + let x509 = X509::from_pem(ROOT_CERT).unwrap(); + let mut builder = X509StoreBuilder::new().unwrap(); + builder.add_cert(x509).unwrap(); + let store = builder.build(); + ssl.set_verify_cert_store(store).unwrap(); +} + +#[test] +#[cfg(ossl110)] +fn test_ssl_set_cert_chain_file() { + let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); + let mut ssl = Ssl::new(&ctx).unwrap(); + ssl.set_certificate_chain_file("test/cert.pem").unwrap(); +} From 1241df5cc0aacc78d03c90cd30d4d3d5437fa95a Mon Sep 17 00:00:00 2001 From: Liu Dingming Date: Tue, 10 Jan 2023 13:37:30 +0800 Subject: [PATCH 047/209] Remove use of pkg_config's legacy api --- openssl-sys/build/find_normal.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index df451438ad..b5dfe8e259 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -211,7 +211,7 @@ fn try_pkg_config() { let lib = match pkg_config::Config::new() .print_system_libs(false) - .find("openssl") + .probe("openssl") { Ok(lib) => lib, Err(e) => { From 62c8dfdedf67d947f2ff5da0b0ae94741ea8671a Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Thu, 12 Jan 2023 11:14:35 +0100 Subject: [PATCH 048/209] Add check for OPENSSL_NO_CAST This check detects at build time if CAST5 algorithm has been disabled in current OpenSSL library build. See: https://github.com/sfackler/rust-openssl/pull/1717#issuecomment-1379474589 --- openssl-sys/build/expando.c | 4 ++++ openssl-sys/src/handwritten/evp.rs | 4 ++-- openssl/src/cipher.rs | 4 ++-- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index 980241074a..11fb04db0c 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -39,6 +39,10 @@ RUST_CONF_OPENSSL_NO_IDEA RUST_CONF_OPENSSL_NO_CAMELLIA #endif +#ifdef OPENSSL_NO_CAST +RUST_CONF_OPENSSL_NO_CAST +#endif + #ifdef OPENSSL_NO_CMS RUST_CONF_OPENSSL_NO_CMS #endif diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 5ee017f7d1..46e5b88f04 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -380,9 +380,9 @@ extern "C" { #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] pub fn EVP_camellia_256_ecb() -> *const EVP_CIPHER; - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] pub fn EVP_cast5_cfb64() -> *const EVP_CIPHER; - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] pub fn EVP_cast5_ecb() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index ab5f49d22f..aeedf459aa 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -358,12 +358,12 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_256_ecb() as *mut _) } } - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] pub fn cast5_cfb64() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_cast5_cfb64() as *mut _) } } - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] pub fn cast5_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_cast5_ecb() as *mut _) } } From 45f6f2b50bfdbba31b47ce8244e0c783b8c4da71 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 13 Jan 2023 13:38:13 +0100 Subject: [PATCH 049/209] Fixed X509_PURPOSE issues (location and implementation) --- openssl-sys/src/handwritten/x509_vfy.rs | 22 ++++++ openssl-sys/src/x509_vfy.rs | 23 ------ openssl-sys/src/x509v3.rs | 22 ++++++ openssl/src/x509/mod.rs | 97 +++++++++++++++++++++++++ openssl/src/x509/store.rs | 16 +++- openssl/src/x509/tests.rs | 71 +++++++++++++++++- openssl/src/x509/verify.rs | 29 +------- 7 files changed, 227 insertions(+), 53 deletions(-) diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs index 387b9dd045..58dff38465 100644 --- a/openssl-sys/src/handwritten/x509_vfy.rs +++ b/openssl-sys/src/handwritten/x509_vfy.rs @@ -4,6 +4,18 @@ use *; #[cfg(any(libressl, all(ossl102, not(ossl110))))] pub enum X509_VERIFY_PARAM_ID {} +#[repr(C)] +pub struct X509_PURPOSE { + pub purpose: c_int, + pub trust: c_int, // Default trust ID + pub flags: c_int, + pub check_purpose: + Option c_int>, + pub name: *mut c_char, + pub sname: *mut c_char, + pub usr_data: *mut c_void, +} + extern "C" { #[cfg(ossl110)] pub fn X509_LOOKUP_meth_free(method: *mut X509_LOOKUP_METHOD); @@ -48,6 +60,9 @@ extern "C" { pub fn X509_STORE_set_default_paths(store: *mut X509_STORE) -> c_int; pub fn X509_STORE_set_flags(store: *mut X509_STORE, flags: c_ulong) -> c_int; + pub fn X509_STORE_set_purpose(ctx: *mut X509_STORE, purpose: c_int) -> c_int; + pub fn X509_STORE_set_trust(ctx: *mut X509_STORE, trust: c_int) -> c_int; + } const_ptr_api! { @@ -127,3 +142,10 @@ extern "C" { #[cfg(ossl102)] pub fn X509_VERIFY_PARAM_set_purpose(param: *mut X509_VERIFY_PARAM, purpose: c_int) -> c_int; } + +const_ptr_api! { + extern "C" { + pub fn X509_PURPOSE_get_by_sname(sname: #[const_ptr_if(any(ossl110, libressl280))] c_char) -> c_int; + pub fn X509_PURPOSE_get0(idx: c_int) -> *mut X509_PURPOSE; + } +} diff --git a/openssl-sys/src/x509_vfy.rs b/openssl-sys/src/x509_vfy.rs index ab6cb1afbf..455a748b52 100644 --- a/openssl-sys/src/x509_vfy.rs +++ b/openssl-sys/src/x509_vfy.rs @@ -147,26 +147,3 @@ pub unsafe fn X509_LOOKUP_add_dir( std::ptr::null_mut(), ) } - -#[cfg(ossl102)] -pub const X509_PURPOSE_SSL_CLIENT: c_int = 1; -#[cfg(ossl102)] -pub const X509_PURPOSE_SSL_SERVER: c_int = 2; -#[cfg(ossl102)] -pub const X509_PURPOSE_NS_SSL_SERVER: c_int = 3; -#[cfg(ossl102)] -pub const X509_PURPOSE_SMIME_SIGN: c_int = 4; -#[cfg(ossl102)] -pub const X509_PURPOSE_SMIME_ENCRYPT: c_int = 5; -#[cfg(ossl102)] -pub const X509_PURPOSE_CRL_SIGN: c_int = 6; -#[cfg(ossl102)] -pub const X509_PURPOSE_ANY: c_int = 7; -#[cfg(ossl102)] -pub const X509_PURPOSE_OCSP_HELPER: c_int = 8; -#[cfg(ossl102)] -pub const X509_PURPOSE_TIMESTAMP_SIGN: c_int = 9; -#[cfg(ossl102)] -pub const X509_PURPOSE_MIN: c_int = 1; -#[cfg(ossl102)] -pub const X509_PURPOSE_MAX: c_int = 9; diff --git a/openssl-sys/src/x509v3.rs b/openssl-sys/src/x509v3.rs index ac826b601b..28b6cb7bc4 100644 --- a/openssl-sys/src/x509v3.rs +++ b/openssl-sys/src/x509v3.rs @@ -58,15 +58,25 @@ pub const EXFLAG_FRESHEST: u32 = 0x1000; #[cfg(any(ossl102, libressl261))] pub const EXFLAG_SS: u32 = 0x2000; +#[cfg(not(boringssl))] pub const X509v3_KU_DIGITAL_SIGNATURE: u32 = 0x0080; +#[cfg(not(boringssl))] pub const X509v3_KU_NON_REPUDIATION: u32 = 0x0040; +#[cfg(not(boringssl))] pub const X509v3_KU_KEY_ENCIPHERMENT: u32 = 0x0020; +#[cfg(not(boringssl))] pub const X509v3_KU_DATA_ENCIPHERMENT: u32 = 0x0010; +#[cfg(not(boringssl))] pub const X509v3_KU_KEY_AGREEMENT: u32 = 0x0008; +#[cfg(not(boringssl))] pub const X509v3_KU_KEY_CERT_SIGN: u32 = 0x0004; +#[cfg(not(boringssl))] pub const X509v3_KU_CRL_SIGN: u32 = 0x0002; +#[cfg(not(boringssl))] pub const X509v3_KU_ENCIPHER_ONLY: u32 = 0x0001; +#[cfg(not(boringssl))] pub const X509v3_KU_DECIPHER_ONLY: u32 = 0x8000; +#[cfg(not(boringssl))] pub const X509v3_KU_UNDEF: u32 = 0xffff; pub const XKU_SSL_SERVER: u32 = 0x1; @@ -79,3 +89,15 @@ pub const XKU_TIMESTAMP: u32 = 0x40; pub const XKU_DVCS: u32 = 0x80; #[cfg(ossl110)] pub const XKU_ANYEKU: u32 = 0x100; + +pub const X509_PURPOSE_SSL_CLIENT: c_int = 1; +pub const X509_PURPOSE_SSL_SERVER: c_int = 2; +pub const X509_PURPOSE_NS_SSL_SERVER: c_int = 3; +pub const X509_PURPOSE_SMIME_SIGN: c_int = 4; +pub const X509_PURPOSE_SMIME_ENCRYPT: c_int = 5; +pub const X509_PURPOSE_CRL_SIGN: c_int = 6; +pub const X509_PURPOSE_ANY: c_int = 7; +pub const X509_PURPOSE_OCSP_HELPER: c_int = 8; +pub const X509_PURPOSE_TIMESTAMP_SIGN: c_int = 9; +pub const X509_PURPOSE_MIN: c_int = 1; +pub const X509_PURPOSE_MAX: c_int = 9; diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index c9d2a64215..514935c8cb 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -227,6 +227,7 @@ impl X509Builder { /// Note that the version is zero-indexed; that is, a certificate corresponding to version 3 of /// the X.509 standard should pass `2` to this method. #[corresponds(X509_set_version)] + #[allow(clippy::useless_conversion)] pub fn set_version(&mut self, version: i32) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_set_version(self.0.as_ptr(), version as c_long)).map(|_| ()) } } @@ -1181,6 +1182,7 @@ impl X509ReqBuilder { /// This corresponds to [`X509_REQ_set_version`]. /// ///[`X509_REQ_set_version`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_set_version.html + #[allow(clippy::useless_conversion)] pub fn set_version(&mut self, version: i32) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_REQ_set_version( @@ -1737,3 +1739,98 @@ cfg_if! { } } } + +pub struct X509PurposeId(i32); + +impl X509PurposeId { + pub const SSL_CLIENT: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_SSL_CLIENT); + pub const SSL_SERVER: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_SSL_SERVER); + pub const NS_SSL_SERVER: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_NS_SSL_SERVER); + pub const SMIME_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_SMIME_SIGN); + pub const SMIME_ENCRYPT: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_SMIME_ENCRYPT); + pub const CRL_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_CRL_SIGN); + pub const ANY: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_ANY); + pub const OCSP_HELPER: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_OCSP_HELPER); + pub const TIMESTAMP_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_TIMESTAMP_SIGN); + + pub fn value(&self) -> i32 { + self.0 + } +} + +impl From for X509PurposeId { + fn from(id: i32) -> Self { + X509PurposeId(id) + } +} + +/// fake free method, since X509_PURPOSE is static +unsafe fn no_free_purpose(_purps: *mut ffi::X509_PURPOSE) {} + +foreign_type_and_impl_send_sync! { + type CType = ffi::X509_PURPOSE; + fn drop = no_free_purpose; + + /// Adjust parameters associated with certificate verification. + pub struct X509Purpose; + /// Reference to `X509Purpose`. + pub struct X509PurposeRef; +} + +impl X509Purpose { + /// Get the internal table index of an X509_PURPOSE for a given short name. Valid short + /// names include + /// - "sslclient", + /// - "sslserver", + /// - "nssslserver", + /// - "smimesign", + /// - "smimeencrypt", + /// - "crlsign", + /// - "any", + /// - "ocsphelper", + /// - "timestampsign" + /// The index can be used with `X509Purpose::from_idx()` to get the purpose. + #[allow(clippy::unnecessary_cast)] + pub fn get_by_sname(sname: &str) -> Result { + unsafe { + let sname = CString::new(sname).unwrap(); + cfg_if! { + if #[cfg(any(ossl110, libressl280))] { + let purpose = cvt_n(ffi::X509_PURPOSE_get_by_sname(sname.as_ptr() as *const _))?; + } else { + let purpose = cvt_n(ffi::X509_PURPOSE_get_by_sname(sname.as_ptr() as *mut _))?; + } + } + Ok(purpose as i32) + } + } + + /// Get an `X509PurposeRef` for a given index value. The index can be obtained from e.g. + /// `X509Purpose::get_by_sname()`. + #[corresponds(X509_PURPOSE_get0)] + pub fn from_idx(idx: i32) -> Result<&'static X509PurposeRef, ErrorStack> { + unsafe { + let ptr = cvt_p(ffi::X509_PURPOSE_get0(idx))?; + Ok(X509PurposeRef::from_ptr(ptr)) + } + } +} + +impl X509PurposeRef { + /// Get the purpose value from an X509Purpose structure. This value is one of + /// - `X509_PURPOSE_SSL_CLIENT` + /// - `X509_PURPOSE_SSL_SERVER` + /// - `X509_PURPOSE_NS_SSL_SERVER` + /// - `X509_PURPOSE_SMIME_SIGN` + /// - `X509_PURPOSE_SMIME_ENCRYPT` + /// - `X509_PURPOSE_CRL_SIGN` + /// - `X509_PURPOSE_ANY` + /// - `X509_PURPOSE_OCSP_HELPER` + /// - `X509_PURPOSE_TIMESTAMP_SIGN` + pub fn purpose(&self) -> X509PurposeId { + unsafe { + let x509_purpose: *mut ffi::X509_PURPOSE = self.as_ptr(); + X509PurposeId::from((*x509_purpose).purpose) + } + } +} diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs index fa17cc4b9c..d8c17bbe50 100644 --- a/openssl/src/x509/store.rs +++ b/openssl/src/x509/store.rs @@ -51,8 +51,9 @@ use crate::ssl::SslFiletype; use crate::stack::StackRef; #[cfg(any(ossl102, libressl261))] use crate::x509::verify::{X509VerifyFlags, X509VerifyParamRef}; -use crate::x509::{X509Object, X509}; +use crate::x509::{X509Object, X509PurposeId, X509}; use crate::{cvt, cvt_p}; +use libc::c_int; use openssl_macros::corresponds; #[cfg(not(boringssl))] use std::ffi::CString; @@ -125,6 +126,19 @@ impl X509StoreBuilderRef { unsafe { cvt(ffi::X509_STORE_set_flags(self.as_ptr(), flags.bits())).map(|_| ()) } } + /// Sets the certificate purpose. + /// The purpose value can be obtained by `X509Purpose::get_by_sname()` + #[corresponds(X509_STORE_set_purpose)] + pub fn set_purpose(&mut self, purpose: X509PurposeId) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::X509_STORE_set_purpose( + self.as_ptr(), + purpose.value() as c_int, + )) + .map(|_| ()) + } + } + /// Sets certificate chain validation related parameters. #[corresponds[X509_STORE_set1_param]] #[cfg(any(ossl102, libressl261))] diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 114869aa1a..6a61b0ffc3 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -16,12 +16,14 @@ use crate::x509::extension::{ #[cfg(not(boringssl))] use crate::x509::store::X509Lookup; use crate::x509::store::X509StoreBuilder; -#[cfg(ossl102)] -use crate::x509::verify::X509PurposeFlags; #[cfg(any(ossl102, libressl261))] use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; #[cfg(ossl110)] use crate::x509::X509Builder; +#[cfg(any(ossl102, libressl261))] +use crate::x509::X509Purpose; +#[cfg(ossl102)] +use crate::x509::X509PurposeId; use crate::x509::{X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] @@ -440,6 +442,67 @@ fn test_verify_fails_with_crl_flag_set_and_no_crl() { ) } +#[test] +#[cfg(any(ossl102, libressl261))] +fn test_verify_cert_with_purpose() { + let cert = include_bytes!("../../test/cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + let ca = include_bytes!("../../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let chain = Stack::new().unwrap(); + + let mut store_bldr = X509StoreBuilder::new().unwrap(); + let purpose_idx = X509Purpose::get_by_sname("sslserver") + .expect("Getting certificate purpose 'sslserver' failed"); + let x509_purpose = + X509Purpose::from_idx(purpose_idx).expect("Getting certificate purpose failed"); + store_bldr + .set_purpose(x509_purpose.purpose()) + .expect("Setting certificate purpose failed"); + store_bldr.add_cert(ca).unwrap(); + + let store = store_bldr.build(); + + let mut context = X509StoreContext::new().unwrap(); + assert!(context + .init(&store, &cert, &chain, |c| c.verify_cert()) + .unwrap()); +} + +#[test] +#[cfg(any(ossl102, libressl261))] +fn test_verify_cert_with_wrong_purpose_fails() { + let cert = include_bytes!("../../test/cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + let ca = include_bytes!("../../test/root-ca.pem"); + let ca = X509::from_pem(ca).unwrap(); + let chain = Stack::new().unwrap(); + + let mut store_bldr = X509StoreBuilder::new().unwrap(); + let purpose_idx = X509Purpose::get_by_sname("timestampsign") + .expect("Getting certificate purpose 'timestampsign' failed"); + let x509_purpose = + X509Purpose::from_idx(purpose_idx).expect("Getting certificate purpose failed"); + store_bldr + .set_purpose(x509_purpose.purpose()) + .expect("Setting certificate purpose failed"); + store_bldr.add_cert(ca).unwrap(); + + let store = store_bldr.build(); + + let mut context = X509StoreContext::new().unwrap(); + assert_eq!( + context + .init(&store, &cert, &chain, |c| { + c.verify_cert()?; + Ok(c.error()) + }) + .unwrap() + .error_string(), + "unsupported certificate purpose" + ) +} + #[cfg(ossl110)] #[test] fn x509_ref_version() { @@ -724,7 +787,7 @@ fn test_set_purpose() { let mut store_bldr = X509StoreBuilder::new().unwrap(); store_bldr.add_cert(ca).unwrap(); let mut verify_params = X509VerifyParam::new().unwrap(); - verify_params.set_purpose(X509PurposeFlags::ANY).unwrap(); + verify_params.set_purpose(X509PurposeId::ANY).unwrap(); store_bldr.set_param(&verify_params).unwrap(); let store = store_bldr.build(); let mut context = X509StoreContext::new().unwrap(); @@ -750,7 +813,7 @@ fn test_set_purpose_fails_verification() { store_bldr.add_cert(ca).unwrap(); let mut verify_params = X509VerifyParam::new().unwrap(); verify_params - .set_purpose(X509PurposeFlags::TIMESTAMP_SIGN) + .set_purpose(X509PurposeId::TIMESTAMP_SIGN) .unwrap(); store_bldr.set_param(&verify_params).unwrap(); let store = store_bldr.build(); diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index dbd206e5d5..b0e22ef462 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -4,6 +4,8 @@ use libc::{c_int, c_uint, c_ulong, time_t}; use std::net::IpAddr; use crate::error::ErrorStack; +#[cfg(ossl102)] +use crate::x509::X509PurposeId; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; @@ -180,30 +182,7 @@ impl X509VerifyParamRef { /// Sets the verification purpose #[corresponds(X509_VERIFY_PARAM_set_purpose)] #[cfg(ossl102)] - pub fn set_purpose(&mut self, purpose: X509PurposeFlags) -> Result<(), ErrorStack> { - unsafe { - cvt(ffi::X509_VERIFY_PARAM_set_purpose( - self.as_ptr(), - purpose.bits, - )) - .map(|_| ()) - } + pub fn set_purpose(&mut self, purpose: X509PurposeId) -> Result<(), ErrorStack> { + unsafe { cvt(ffi::X509_VERIFY_PARAM_set_purpose(self.as_ptr(), purpose.0)).map(|_| ()) } } } - -#[cfg(ossl102)] -bitflags! { - /// Bitflags defining the purpose of the verification - pub struct X509PurposeFlags: c_int { - const SSL_CLIENT = ffi::X509_PURPOSE_SSL_CLIENT; - const SSL_SERVER = ffi::X509_PURPOSE_SSL_SERVER; - const NS_SSL_SERVER = ffi::X509_PURPOSE_NS_SSL_SERVER; - const SMIME_SIGN = ffi::X509_PURPOSE_SMIME_SIGN; - const SMIME_ENCRYPT = ffi::X509_PURPOSE_SMIME_ENCRYPT; - const CRL_SIGN = ffi::X509_PURPOSE_CRL_SIGN; - const ANY = ffi::X509_PURPOSE_ANY; - const OCSP_HELPER = ffi::X509_PURPOSE_OCSP_HELPER; - const TIMESTAMP_SIGN = ffi::X509_PURPOSE_TIMESTAMP_SIGN; - } - -} From 38ec6d735c70f56906805e31c512c8a2131c163b Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 13 Jan 2023 13:59:11 +0100 Subject: [PATCH 050/209] Moved X509Purpose related definitions. --- openssl-sys/src/handwritten/x509.rs | 19 +++++++++++++++++++ openssl-sys/src/handwritten/x509_vfy.rs | 19 ------------------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 57737a0b06..047f3df262 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -645,3 +645,22 @@ extern "C" { pub fn X509_print(bio: *mut BIO, x509: *mut X509) -> c_int; pub fn X509_REQ_print(bio: *mut BIO, req: *mut X509_REQ) -> c_int; } + +#[repr(C)] +pub struct X509_PURPOSE { + pub purpose: c_int, + pub trust: c_int, // Default trust ID + pub flags: c_int, + pub check_purpose: + Option c_int>, + pub name: *mut c_char, + pub sname: *mut c_char, + pub usr_data: *mut c_void, +} + +const_ptr_api! { + extern "C" { + pub fn X509_PURPOSE_get_by_sname(sname: #[const_ptr_if(any(ossl110, libressl280))] c_char) -> c_int; + pub fn X509_PURPOSE_get0(idx: c_int) -> *mut X509_PURPOSE; + } +} diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs index 58dff38465..48e6371c46 100644 --- a/openssl-sys/src/handwritten/x509_vfy.rs +++ b/openssl-sys/src/handwritten/x509_vfy.rs @@ -4,18 +4,6 @@ use *; #[cfg(any(libressl, all(ossl102, not(ossl110))))] pub enum X509_VERIFY_PARAM_ID {} -#[repr(C)] -pub struct X509_PURPOSE { - pub purpose: c_int, - pub trust: c_int, // Default trust ID - pub flags: c_int, - pub check_purpose: - Option c_int>, - pub name: *mut c_char, - pub sname: *mut c_char, - pub usr_data: *mut c_void, -} - extern "C" { #[cfg(ossl110)] pub fn X509_LOOKUP_meth_free(method: *mut X509_LOOKUP_METHOD); @@ -142,10 +130,3 @@ extern "C" { #[cfg(ossl102)] pub fn X509_VERIFY_PARAM_set_purpose(param: *mut X509_VERIFY_PARAM, purpose: c_int) -> c_int; } - -const_ptr_api! { - extern "C" { - pub fn X509_PURPOSE_get_by_sname(sname: #[const_ptr_if(any(ossl110, libressl280))] c_char) -> c_int; - pub fn X509_PURPOSE_get0(idx: c_int) -> *mut X509_PURPOSE; - } -} From 40f2df87f92aa496d7e5c71c2e12bc95be85ca7e Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 16 Jan 2023 09:11:17 +0100 Subject: [PATCH 051/209] X509Purpose -> X509PurposeRef. --- openssl-sys/src/x509v3.rs | 10 --------- openssl/src/x509/mod.rs | 47 ++++++++++++++++----------------------- openssl/src/x509/store.rs | 5 ++--- openssl/src/x509/tests.rs | 14 ++++++------ 4 files changed, 28 insertions(+), 48 deletions(-) diff --git a/openssl-sys/src/x509v3.rs b/openssl-sys/src/x509v3.rs index 28b6cb7bc4..ed135fa99b 100644 --- a/openssl-sys/src/x509v3.rs +++ b/openssl-sys/src/x509v3.rs @@ -58,25 +58,15 @@ pub const EXFLAG_FRESHEST: u32 = 0x1000; #[cfg(any(ossl102, libressl261))] pub const EXFLAG_SS: u32 = 0x2000; -#[cfg(not(boringssl))] pub const X509v3_KU_DIGITAL_SIGNATURE: u32 = 0x0080; -#[cfg(not(boringssl))] pub const X509v3_KU_NON_REPUDIATION: u32 = 0x0040; -#[cfg(not(boringssl))] pub const X509v3_KU_KEY_ENCIPHERMENT: u32 = 0x0020; -#[cfg(not(boringssl))] pub const X509v3_KU_DATA_ENCIPHERMENT: u32 = 0x0010; -#[cfg(not(boringssl))] pub const X509v3_KU_KEY_AGREEMENT: u32 = 0x0008; -#[cfg(not(boringssl))] pub const X509v3_KU_KEY_CERT_SIGN: u32 = 0x0004; -#[cfg(not(boringssl))] pub const X509v3_KU_CRL_SIGN: u32 = 0x0002; -#[cfg(not(boringssl))] pub const X509v3_KU_ENCIPHER_ONLY: u32 = 0x0001; -#[cfg(not(boringssl))] pub const X509v3_KU_DECIPHER_ONLY: u32 = 0x8000; -#[cfg(not(boringssl))] pub const X509v3_KU_UNDEF: u32 = 0xffff; pub const XKU_SSL_SERVER: u32 = 0x1; diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 514935c8cb..b885dd5778 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -8,7 +8,7 @@ //! the secure protocol for browsing the web. use cfg_if::cfg_if; -use foreign_types::{ForeignType, ForeignTypeRef}; +use foreign_types::{ForeignType, ForeignTypeRef, Opaque}; use libc::{c_int, c_long, c_uint}; use std::cmp::{self, Ordering}; use std::error::Error; @@ -1740,7 +1740,8 @@ cfg_if! { } } -pub struct X509PurposeId(i32); +#[derive(Copy, Clone, PartialEq, Eq)] +pub struct X509PurposeId(c_int); impl X509PurposeId { pub const SSL_CLIENT: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_SSL_CLIENT); @@ -1753,31 +1754,24 @@ impl X509PurposeId { pub const OCSP_HELPER: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_OCSP_HELPER); pub const TIMESTAMP_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_TIMESTAMP_SIGN); - pub fn value(&self) -> i32 { - self.0 - } -} + /// Constructs an `X509PurposeId` from a raw OpenSSL value. + pub fn from_raw(id: c_int) -> Self { X509PurposeId(id) } -impl From for X509PurposeId { - fn from(id: i32) -> Self { - X509PurposeId(id) + /// Returns the raw OpenSSL value represented by this type. + pub fn as_raw(&self) -> c_int { + self.0 } } -/// fake free method, since X509_PURPOSE is static -unsafe fn no_free_purpose(_purps: *mut ffi::X509_PURPOSE) {} +/// A reference to an [`X509_PURPOSE`]. +pub struct X509PurposeRef(Opaque); -foreign_type_and_impl_send_sync! { +/// Implements a wrapper type for the static `X509_PURPOSE` table in OpenSSL. +impl ForeignTypeRef for X509PurposeRef { type CType = ffi::X509_PURPOSE; - fn drop = no_free_purpose; - - /// Adjust parameters associated with certificate verification. - pub struct X509Purpose; - /// Reference to `X509Purpose`. - pub struct X509PurposeRef; } -impl X509Purpose { +impl X509PurposeRef { /// Get the internal table index of an X509_PURPOSE for a given short name. Valid short /// names include /// - "sslclient", @@ -1789,9 +1783,9 @@ impl X509Purpose { /// - "any", /// - "ocsphelper", /// - "timestampsign" - /// The index can be used with `X509Purpose::from_idx()` to get the purpose. + /// The index can be used with `X509PurposeRef::from_idx()` to get the purpose. #[allow(clippy::unnecessary_cast)] - pub fn get_by_sname(sname: &str) -> Result { + pub fn get_by_sname(sname: &str) -> Result { unsafe { let sname = CString::new(sname).unwrap(); cfg_if! { @@ -1801,22 +1795,19 @@ impl X509Purpose { let purpose = cvt_n(ffi::X509_PURPOSE_get_by_sname(sname.as_ptr() as *mut _))?; } } - Ok(purpose as i32) + Ok(purpose) } } - /// Get an `X509PurposeRef` for a given index value. The index can be obtained from e.g. - /// `X509Purpose::get_by_sname()`. + /// `X509PurposeRef::get_by_sname()`. #[corresponds(X509_PURPOSE_get0)] - pub fn from_idx(idx: i32) -> Result<&'static X509PurposeRef, ErrorStack> { + pub fn from_idx(idx: c_int) -> Result<&'static X509PurposeRef, ErrorStack> { unsafe { let ptr = cvt_p(ffi::X509_PURPOSE_get0(idx))?; Ok(X509PurposeRef::from_ptr(ptr)) } } -} -impl X509PurposeRef { /// Get the purpose value from an X509Purpose structure. This value is one of /// - `X509_PURPOSE_SSL_CLIENT` /// - `X509_PURPOSE_SSL_SERVER` @@ -1830,7 +1821,7 @@ impl X509PurposeRef { pub fn purpose(&self) -> X509PurposeId { unsafe { let x509_purpose: *mut ffi::X509_PURPOSE = self.as_ptr(); - X509PurposeId::from((*x509_purpose).purpose) + X509PurposeId::from_raw((*x509_purpose).purpose) } } } diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs index d8c17bbe50..55d5d75258 100644 --- a/openssl/src/x509/store.rs +++ b/openssl/src/x509/store.rs @@ -53,7 +53,6 @@ use crate::stack::StackRef; use crate::x509::verify::{X509VerifyFlags, X509VerifyParamRef}; use crate::x509::{X509Object, X509PurposeId, X509}; use crate::{cvt, cvt_p}; -use libc::c_int; use openssl_macros::corresponds; #[cfg(not(boringssl))] use std::ffi::CString; @@ -127,13 +126,13 @@ impl X509StoreBuilderRef { } /// Sets the certificate purpose. - /// The purpose value can be obtained by `X509Purpose::get_by_sname()` + /// The purpose value can be obtained by `X509PurposeRef::get_by_sname()` #[corresponds(X509_STORE_set_purpose)] pub fn set_purpose(&mut self, purpose: X509PurposeId) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_STORE_set_purpose( self.as_ptr(), - purpose.value() as c_int, + purpose.as_raw(), )) .map(|_| ()) } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 6a61b0ffc3..9a482f1d39 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -21,7 +21,7 @@ use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; #[cfg(ossl110)] use crate::x509::X509Builder; #[cfg(any(ossl102, libressl261))] -use crate::x509::X509Purpose; +use crate::x509::X509PurposeRef; #[cfg(ossl102)] use crate::x509::X509PurposeId; use crate::x509::{X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; @@ -452,12 +452,12 @@ fn test_verify_cert_with_purpose() { let chain = Stack::new().unwrap(); let mut store_bldr = X509StoreBuilder::new().unwrap(); - let purpose_idx = X509Purpose::get_by_sname("sslserver") + let purpose_idx = X509PurposeRef::get_by_sname("sslserver") .expect("Getting certificate purpose 'sslserver' failed"); - let x509_purpose = - X509Purpose::from_idx(purpose_idx).expect("Getting certificate purpose failed"); + let x509_purposeref = + X509PurposeRef::from_idx(purpose_idx).expect("Getting certificate purpose failed"); store_bldr - .set_purpose(x509_purpose.purpose()) + .set_purpose(x509_purposeref.purpose()) .expect("Setting certificate purpose failed"); store_bldr.add_cert(ca).unwrap(); @@ -479,10 +479,10 @@ fn test_verify_cert_with_wrong_purpose_fails() { let chain = Stack::new().unwrap(); let mut store_bldr = X509StoreBuilder::new().unwrap(); - let purpose_idx = X509Purpose::get_by_sname("timestampsign") + let purpose_idx = X509PurposeRef::get_by_sname("timestampsign") .expect("Getting certificate purpose 'timestampsign' failed"); let x509_purpose = - X509Purpose::from_idx(purpose_idx).expect("Getting certificate purpose failed"); + X509PurposeRef::from_idx(purpose_idx).expect("Getting certificate purpose failed"); store_bldr .set_purpose(x509_purpose.purpose()) .expect("Setting certificate purpose failed"); From 3b14f19c267badde10f2b364fdd833ea3915e103 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 16 Jan 2023 09:22:23 +0100 Subject: [PATCH 052/209] rustfmt --- openssl/src/x509/mod.rs | 4 +++- openssl/src/x509/store.rs | 8 +------- openssl/src/x509/tests.rs | 4 ++-- 3 files changed, 6 insertions(+), 10 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index b885dd5778..d29a21e4af 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1755,7 +1755,9 @@ impl X509PurposeId { pub const TIMESTAMP_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_TIMESTAMP_SIGN); /// Constructs an `X509PurposeId` from a raw OpenSSL value. - pub fn from_raw(id: c_int) -> Self { X509PurposeId(id) } + pub fn from_raw(id: c_int) -> Self { + X509PurposeId(id) + } /// Returns the raw OpenSSL value represented by this type. pub fn as_raw(&self) -> c_int { diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs index 55d5d75258..a90bf3515f 100644 --- a/openssl/src/x509/store.rs +++ b/openssl/src/x509/store.rs @@ -129,13 +129,7 @@ impl X509StoreBuilderRef { /// The purpose value can be obtained by `X509PurposeRef::get_by_sname()` #[corresponds(X509_STORE_set_purpose)] pub fn set_purpose(&mut self, purpose: X509PurposeId) -> Result<(), ErrorStack> { - unsafe { - cvt(ffi::X509_STORE_set_purpose( - self.as_ptr(), - purpose.as_raw(), - )) - .map(|_| ()) - } + unsafe { cvt(ffi::X509_STORE_set_purpose(self.as_ptr(), purpose.as_raw())).map(|_| ()) } } /// Sets certificate chain validation related parameters. diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 9a482f1d39..5f92b5e3d8 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -20,10 +20,10 @@ use crate::x509::store::X509StoreBuilder; use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; #[cfg(ossl110)] use crate::x509::X509Builder; -#[cfg(any(ossl102, libressl261))] -use crate::x509::X509PurposeRef; #[cfg(ossl102)] use crate::x509::X509PurposeId; +#[cfg(any(ossl102, libressl261))] +use crate::x509::X509PurposeRef; use crate::x509::{X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] From 6d6944767c30cd43fefec920eb29ef1acf4e55b9 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 13 Jan 2023 15:11:36 +0100 Subject: [PATCH 053/209] Prepared openssl-sys for pkcs7 and x509 extensions. --- openssl-sys/build/cfgs.rs | 3 + openssl-sys/src/handwritten/asn1.rs | 49 ++++- openssl-sys/src/handwritten/mod.rs | 2 + openssl-sys/src/handwritten/pkcs7.rs | 245 ++++++++++++++++++++++- openssl-sys/src/handwritten/types.rs | 16 +- openssl-sys/src/handwritten/x509.rs | 36 +++- openssl-sys/src/handwritten/x509_attr.rs | 60 ++++++ 7 files changed, 396 insertions(+), 15 deletions(-) create mode 100644 openssl-sys/src/handwritten/x509_attr.rs diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index d925d90ad7..960515f00f 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -31,6 +31,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x2_09_01_00_0 { cfgs.push("libressl291"); } + if libressl_version >= 0x3_01_00_00_0 { + cfgs.push("libressl310"); + } if libressl_version >= 0x3_02_01_00_0 { cfgs.push("libressl321"); } diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index 844f9102a9..e866b1ea90 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -10,23 +10,60 @@ pub struct ASN1_ENCODING { extern "C" { pub fn ASN1_OBJECT_free(x: *mut ASN1_OBJECT); + pub fn OBJ_cmp(a: *const ASN1_OBJECT, b: *const ASN1_OBJECT) -> c_int; } +pub enum ASN1_OBJECT {} + stack!(stack_st_ASN1_OBJECT); +#[repr(C)] +pub struct ASN1_TYPE { + pub type_: c_int, + pub value: ASN1_TYPE_value, +} +#[repr(C)] +pub union ASN1_TYPE_value { + pub ptr: *mut c_char, + pub boolean: ASN1_BOOLEAN, + pub asn1_string: *mut ASN1_STRING, + pub object: *mut ASN1_OBJECT, + pub integer: *mut ASN1_INTEGER, + pub enumerated: *mut ASN1_ENUMERATED, + pub bit_string: *mut ASN1_BIT_STRING, + pub octet_string: *mut ASN1_OCTET_STRING, + pub printablestring: *mut ASN1_PRINTABLESTRING, + pub t61string: *mut ASN1_T61STRING, + pub ia5string: *mut ASN1_IA5STRING, + pub generalstring: *mut ASN1_GENERALSTRING, + pub bmpstring: *mut ASN1_BMPSTRING, + pub universalstring: *mut ASN1_UNIVERSALSTRING, + pub utctime: *mut ASN1_UTCTIME, + pub generalizedtime: *mut ASN1_GENERALIZEDTIME, + pub visiblestring: *mut ASN1_VISIBLESTRING, + pub utf8string: *mut ASN1_UTF8STRING, + /* + * set and sequence are left complete and still contain the set or + * sequence bytes + */ + pub set: *mut ASN1_STRING, + pub sequence: *mut ASN1_STRING, + pub asn1_value: *mut ASN1_VALUE, +} + extern "C" { pub fn ASN1_STRING_type_new(ty: c_int) -> *mut ASN1_STRING; #[cfg(any(ossl110, libressl273))] pub fn ASN1_STRING_get0_data(x: *const ASN1_STRING) -> *const c_uchar; #[cfg(any(all(ossl101, not(ossl110)), libressl))] pub fn ASN1_STRING_data(x: *mut ASN1_STRING) -> *mut c_uchar; - - pub fn ASN1_BIT_STRING_free(x: *mut ASN1_BIT_STRING); - + pub fn ASN1_STRING_new() -> *mut ASN1_STRING; pub fn ASN1_STRING_free(x: *mut ASN1_STRING); pub fn ASN1_STRING_length(x: *const ASN1_STRING) -> c_int; + pub fn ASN1_STRING_set(x: *mut ASN1_STRING, data: *const c_void, len_in: c_int) -> c_int; - pub fn ASN1_STRING_set(x: *mut ASN1_STRING, data: *const c_void, len: c_int) -> c_int; + pub fn ASN1_BIT_STRING_free(x: *mut ASN1_BIT_STRING); + pub fn ASN1_OCTET_STRING_free(x: *mut ASN1_OCTET_STRING); pub fn ASN1_GENERALIZEDTIME_free(tm: *mut ASN1_GENERALIZEDTIME); pub fn ASN1_GENERALIZEDTIME_print(b: *mut BIO, tm: *const ASN1_GENERALIZEDTIME) -> c_int; @@ -51,10 +88,14 @@ extern "C" { pub fn ASN1_TIME_set_string(s: *mut ASN1_TIME, str: *const c_char) -> c_int; #[cfg(ossl111)] pub fn ASN1_TIME_set_string_X509(s: *mut ASN1_TIME, str: *const c_char) -> c_int; + + pub fn ASN1_TYPE_free(x: *mut ASN1_TYPE); } const_ptr_api! { extern "C" { pub fn ASN1_STRING_to_UTF8(out: *mut *mut c_uchar, s: #[const_ptr_if(any(ossl110, libressl280))] ASN1_STRING) -> c_int; + pub fn ASN1_STRING_type(x: #[const_ptr_if(any(ossl110, libressl280))] ASN1_STRING) -> c_int; + pub fn ASN1_generate_v3(str: #[const_ptr_if(any(ossl110, libressl280))] c_char, cnf: *mut X509V3_CTX) -> *mut ASN1_TYPE; } } diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index 28aa4aecd0..fea7549898 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -28,6 +28,7 @@ pub use self::stack::*; pub use self::tls1::*; pub use self::types::*; pub use self::x509::*; +pub use self::x509_attr::*; pub use self::x509_vfy::*; pub use self::x509v3::*; @@ -61,5 +62,6 @@ mod stack; mod tls1; mod types; mod x509; +mod x509_attr; mod x509_vfy; mod x509v3; diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index fc0239e7b8..2f76cab9c2 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs @@ -1,12 +1,195 @@ use libc::*; use *; -pub enum PKCS7_SIGNED {} -pub enum PKCS7_ENVELOPE {} -pub enum PKCS7_SIGN_ENVELOPE {} -pub enum PKCS7_DIGEST {} -pub enum PKCS7_ENCRYPT {} -pub enum PKCS7 {} +// use x509::stack_st_X509; +// use x509_attr::stack_st_X509_ATTRIBUTE; + +#[cfg(ossl300)] +#[repr(C)] +pub struct PKCS7_CTX { + libctx: *mut OSSL_LIB_CTX, + propq: *mut c_char, +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_SIGNED { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, + pub contents: *mut PKCS7, + } + } else { + pub enum PKCS7_SIGNED {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_ENC_CONTENT { + pub content_type: *mut ASN1_OBJECT, + pub algorithm: *mut X509_ALGOR, + pub enc_data: *mut ASN1_OCTET_STRING, /* [ 0 ] */ + pub cipher: *const EVP_CIPHER, + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, + } + } else { + pub enum PKCS7_ENC_CONTENT {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_ENVELOPE { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO, + pub enc_data: *mut PKCS7_ENC_CONTENT, + } + } else { + pub enum PKCS7_ENVELOPE {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_SIGN_ENVELOPE { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, + pub enc_data: *mut PKCS7_ENC_CONTENT, + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO + } + } else { + pub enum PKCS7_SIGN_ENVELOPE {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_DIGEST { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub md: *mut X509_ALGOR, /* md used */ + pub contents: *mut PKCS7, + pub digest: *mut ASN1_OCTET_STRING, + } + } else { + pub enum PKCS7_DIGEST {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_ENCRYPT { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub enc_data: *mut PKCS7_ENC_CONTENT, + } + } else { + pub enum PKCS7_ENCRYPT {} + } +} + +extern "C" { + pub fn PKCS7_SIGNED_free(info: *mut PKCS7_SIGNED); + pub fn PKCS7_ENC_CONTENT_free(info: *mut PKCS7_ENC_CONTENT); + pub fn PKCS7_ENVELOPE_free(info: *mut PKCS7_ENVELOPE); + pub fn PKCS7_SIGN_ENVELOPE_free(info: *mut PKCS7_SIGN_ENVELOPE); + pub fn PKCS7_DIGEST_free(info: *mut PKCS7_DIGEST); + pub fn PKCS7_SIGNER_INFO_free(info: *mut PKCS7_SIGNER_INFO); +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7 { + /* + * The following is non NULL if it contains ASN1 encoding of this + * structure + */ + pub asn1: *mut c_uchar, + pub length: c_long, + // # define PKCS7_S_HEADER 0 + // # define PKCS7_S_BODY 1 + // # define PKCS7_S_TAIL 2 + pub state: c_int, /* used during processing */ + pub detached: c_int, + pub type_: *mut ASN1_OBJECT, + /* content as defined by the type */ + /* + * all encryption/message digests are applied to the 'contents', leaving + * out the 'type' field. + */ + pub d: PKCS7_data, + #[cfg(ossl300)] + pub ctx: PKCS7_CTX, + } + #[repr(C)] + pub union PKCS7_data { + pub ptr: *mut c_char, + /* NID_pkcs7_data */ + pub data: *mut ASN1_OCTET_STRING, + /* NID_pkcs7_signed */ + pub sign: *mut PKCS7_SIGNED, + /* NID_pkcs7_enveloped */ + pub enveloped: *mut PKCS7_ENVELOPE, + /* NID_pkcs7_signedAndEnveloped */ + pub signed_and_enveloped: *mut PKCS7_SIGN_ENVELOPE, + /* NID_pkcs7_digest */ + pub digest: *mut PKCS7_DIGEST, + /* NID_pkcs7_encrypted */ + pub encrypted: *mut PKCS7_ENCRYPT, + /* Anything else */ + pub other: *mut ASN1_TYPE, + } + } else { + pub enum PKCS7 {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl))] { + #[repr(C)] + pub struct PKCS7_ISSUER_AND_SERIAL { + pub issuer: *mut X509_NAME, + pub serial: *mut ASN1_INTEGER, + } + } else { + pub enum PKCS7_ISSUER_AND_SERIAL {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl))] { + #[repr(C)] + pub struct PKCS7_SIGNER_INFO { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub issuer_and_serial: *mut PKCS7_ISSUER_AND_SERIAL, + pub digest_alg: *mut X509_ALGOR, + pub auth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 0 ] */ + pub digest_enc_alg: *mut X509_ALGOR, + pub enc_digest: *mut ASN1_OCTET_STRING, + pub unauth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 1 ] */ + pub pkey: *mut EVP_PKEY, /* The private key to sign with */ + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, + } + } else { + pub enum PKCS7_SIGNER_INFO {} + } +} + +stack!(stack_st_PKCS7_SIGNER_INFO); +stack!(stack_st_PKCS7_RECIP_INFO); extern "C" { pub fn d2i_PKCS7(a: *mut *mut PKCS7, pp: *mut *const c_uchar, length: c_long) -> *mut PKCS7; @@ -15,6 +198,7 @@ extern "C" { const_ptr_api! { extern "C" { pub fn i2d_PKCS7(a: #[const_ptr_if(ossl300)] PKCS7, buf: *mut *mut u8) -> c_int; + pub fn i2d_PKCS7_bio(bio: *mut BIO, p7: #[const_ptr_if(ossl300)] PKCS7) -> c_int; } } @@ -67,4 +251,53 @@ extern "C" { ) -> c_int; pub fn SMIME_read_PKCS7(bio: *mut BIO, bcont: *mut *mut BIO) -> *mut PKCS7; + + pub fn PKCS7_new() -> *mut PKCS7; + + pub fn PKCS7_set_type(p7: *mut PKCS7, nid_pkcs7: c_int) -> c_int; + + pub fn PKCS7_add_certificate(p7: *mut PKCS7, x509: *mut X509) -> c_int; + + pub fn PKCS7_add_signature( + p7: *mut PKCS7, + x509: *mut X509, + pkey: *mut EVP_PKEY, + digest: *const EVP_MD, + ) -> *mut PKCS7_SIGNER_INFO; + + pub fn PKCS7_set_signed_attributes( + p7si: *mut PKCS7_SIGNER_INFO, + attributes: *mut stack_st_X509_ATTRIBUTE, + ) -> c_int; + + pub fn PKCS7_add_signed_attribute( + p7si: *mut PKCS7_SIGNER_INFO, + nid: c_int, + attrtype: c_int, + data: *mut c_void, + ) -> c_int; + + pub fn PKCS7_content_new(p7: *mut PKCS7, nid_pkcs7: c_int) -> c_int; + + pub fn PKCS7_dataInit(p7: *mut PKCS7, bio: *mut BIO) -> *mut BIO; + + pub fn PKCS7_dataFinal(p7: *mut PKCS7, bio: *mut BIO) -> c_int; + + pub fn PKCS7_get_signer_info(p7: *mut PKCS7) -> *mut stack_st_PKCS7_SIGNER_INFO; + + pub fn PKCS7_SIGNER_INFO_get0_algs( + si: *mut PKCS7_SIGNER_INFO, + pk: *mut *mut EVP_PKEY, + pdig: *mut *mut X509_ALGOR, + psig: *mut *mut X509_ALGOR, + ); +} + +const_ptr_api! { + extern "C" { + pub fn PKCS7_get_signed_attribute( + si: #[const_ptr_if(ossl300)] PKCS7_SIGNER_INFO, + nid: c_int + ) -> *mut ASN1_TYPE; + } } diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index 476578c051..addc599abb 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -3,14 +3,26 @@ use libc::*; #[allow(unused_imports)] use *; +#[derive(Copy, Clone)] +pub enum ASN1_BOOLEAN {} +pub enum ASN1_ENUMERATED {} pub enum ASN1_INTEGER {} pub enum ASN1_GENERALIZEDTIME {} pub enum ASN1_STRING {} pub enum ASN1_BIT_STRING {} pub enum ASN1_TIME {} -pub enum ASN1_TYPE {} pub enum ASN1_OBJECT {} pub enum ASN1_OCTET_STRING {} +pub enum ASN1_PRINTABLESTRING {} +pub enum ASN1_T61STRING {} +pub enum ASN1_IA5STRING {} +pub enum ASN1_GENERALSTRING {} +pub enum ASN1_BMPSTRING {} +pub enum ASN1_UNIVERSALSTRING {} +pub enum ASN1_UTCTIME {} +pub enum ASN1_VISIBLESTRING {} +pub enum ASN1_UTF8STRING {} +pub enum ASN1_VALUE {} pub enum bio_st {} // FIXME remove cfg_if! { @@ -325,6 +337,8 @@ cfg_if! { } } +stack!(stack_st_X509_ALGOR); + pub enum X509_LOOKUP_METHOD {} pub enum X509_NAME {} diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 047f3df262..486f712c34 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -15,8 +15,6 @@ pub enum X509_EXTENSION {} stack!(stack_st_X509_EXTENSION); -stack!(stack_st_X509_ATTRIBUTE); - cfg_if! { if #[cfg(any(ossl110, libressl350))] { pub enum X509_REQ_INFO {} @@ -27,7 +25,7 @@ cfg_if! { pub version: *mut ::ASN1_INTEGER, pub subject: *mut ::X509_NAME, pubkey: *mut c_void, - pub attributes: *mut stack_st_X509_ATTRIBUTE, + pub attributes: *mut ::stack_st_X509_ATTRIBUTE, } } } @@ -271,9 +269,12 @@ extern "C" { pub fn X509_EXTENSION_free(ext: *mut X509_EXTENSION); + pub fn X509_ATTRIBUTE_free(attr: *mut ::X509_ATTRIBUTE); + pub fn X509_NAME_ENTRY_free(x: *mut X509_NAME_ENTRY); pub fn X509_NAME_new() -> *mut X509_NAME; + pub fn X509_NAME_cmp(x: *const X509_NAME, y: *const X509_NAME) -> c_int; pub fn X509_NAME_free(x: *mut X509_NAME); pub fn X509_new() -> *mut X509; @@ -359,6 +360,33 @@ const_ptr_api! { -> c_int; } } +extern "C" { + pub fn X509_REQ_get_attr_count(req: *const X509_REQ) -> c_int; + pub fn X509_REQ_get_attr_by_NID(req: *const X509_REQ, nid: c_int, lastpos: c_int) -> c_int; + pub fn X509_REQ_get_attr(req: *const X509_REQ, loc: c_int) -> *mut ::X509_ATTRIBUTE; + pub fn X509_REQ_delete_attr(req: *mut X509_REQ, loc: c_int) -> *mut ::X509_ATTRIBUTE; + pub fn X509_REQ_add1_attr_by_txt( + req: *mut X509_REQ, + attrname: *const c_char, + chtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> c_int; + pub fn X509_REQ_add1_attr_by_NID( + req: *mut X509_REQ, + nid: c_int, + chtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> c_int; + pub fn X509_REQ_add1_attr_by_OBJ( + req: *mut X509_REQ, + obj: *const ASN1_OBJECT, + chtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> c_int; +} extern "C" { pub fn X509_set_pubkey(x: *mut X509, pkey: *mut EVP_PKEY) -> c_int; pub fn X509_REQ_verify(req: *mut X509_REQ, pkey: *mut EVP_PKEY) -> c_int; @@ -607,6 +635,7 @@ const_ptr_api! { pub fn X509_STORE_get0_objects(ctx: #[const_ptr_if(ossl300)] X509_STORE) -> *mut stack_st_X509_OBJECT; } } + #[cfg(any(ossl110, libressl270))] extern "C" { pub fn X509_OBJECT_get0_X509(x: *const X509_OBJECT) -> *mut X509; @@ -633,7 +662,6 @@ extern "C" { extern "C" { pub fn X509_cmp(a: *const X509, b: *const X509) -> c_int; - pub fn X509_NAME_cmp(a: *const X509_NAME, b: *const X509_NAME) -> c_int; pub fn X509_issuer_and_serial_cmp(a: *const X509, b: *const X509) -> c_int; pub fn X509_issuer_name_cmp(a: *const X509, b: *const X509) -> c_int; pub fn X509_subject_name_cmp(a: *const X509, b: *const X509) -> c_int; diff --git a/openssl-sys/src/handwritten/x509_attr.rs b/openssl-sys/src/handwritten/x509_attr.rs new file mode 100644 index 0000000000..b14be38619 --- /dev/null +++ b/openssl-sys/src/handwritten/x509_attr.rs @@ -0,0 +1,60 @@ +use libc::*; + +use *; + +pub enum X509_ATTRIBUTE {} + +stack!(stack_st_X509_ATTRIBUTE); + +extern "C" { + pub fn X509_ATTRIBUTE_new() -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create( + nid: c_int, + atrtype: c_int, + value: *mut c_void, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_NID( + attr: *mut *mut X509_ATTRIBUTE, + nid: c_int, + atrtype: c_int, + data: *const c_void, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_OBJ( + attr: *mut *mut X509_ATTRIBUTE, + obj: *const ASN1_OBJECT, + atrtype: c_int, + data: *const c_void, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_txt( + attr: *mut *mut X509_ATTRIBUTE, + atrname: *const c_char, + atrtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_set1_object(attr: *mut X509_ATTRIBUTE, obj: *const ASN1_OBJECT) -> c_int; + pub fn X509_ATTRIBUTE_set1_data( + attr: *mut X509_ATTRIBUTE, + attrtype: c_int, + data: *const c_void, + len: c_int, + ) -> c_int; + pub fn X509_ATTRIBUTE_get0_data( + attr: *mut X509_ATTRIBUTE, + idx: c_int, + atrtype: c_int, + data: *mut c_void, + ) -> *mut c_void; + pub fn X509_ATTRIBUTE_get0_object(attr: *mut X509_ATTRIBUTE) -> *mut ASN1_OBJECT; + pub fn X509_ATTRIBUTE_get0_type(attr: *mut X509_ATTRIBUTE, idx: c_int) -> *mut ASN1_TYPE; + +} +const_ptr_api! { + extern "C" { + pub fn X509_ATTRIBUTE_count( + attr: #[const_ptr_if(any(ossl110, libressl291))] X509_ATTRIBUTE // const since OpenSSL v1.1.0 + ) -> c_int; + } +} From d2e30181e586929abf1ee93d5c8152f8d034385c Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 13 Jan 2023 16:17:48 +0100 Subject: [PATCH 054/209] Fixed systest. --- systest/build.rs | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/systest/build.rs b/systest/build.rs index e54438114b..02c820b3e7 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -108,7 +108,10 @@ fn main() { || s.starts_with("CRYPTO_EX_") }); cfg.skip_struct(|s| { - s == "ProbeResult" || s == "X509_OBJECT_data" // inline union + s == "ProbeResult" || + s == "X509_OBJECT_data" || // inline union + s == "PKCS7_data" || + s == "ASN1_TYPE_value" }); cfg.skip_fn(move |s| { s == "CRYPTO_memcmp" || // uses volatile @@ -128,7 +131,9 @@ fn main() { cfg.skip_field_type(|s, field| { (s == "EVP_PKEY" && field == "pkey") || // union (s == "GENERAL_NAME" && field == "d") || // union - (s == "X509_OBJECT" && field == "data") // union + (s == "X509_OBJECT" && field == "data") || // union + (s == "PKCS7" && field == "d") || // union + (s == "ASN1_TYPE" && field == "value") // union }); cfg.skip_signededness(|s| { s.ends_with("_cb") From 920ec61a584053b719b547ee0fb444f5087e0377 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 16 Jan 2023 14:37:54 +0100 Subject: [PATCH 055/209] Trigger build From 33e91420c714cb1d62ff8806a79397913e3b44ed Mon Sep 17 00:00:00 2001 From: Andrew Scull Date: Fri, 20 Jan 2023 00:29:34 +0000 Subject: [PATCH 056/209] Add X509Name::to_owned() The X509_NAME_dup() function can fail but that isn't compatible with the ToOwned trait. Follow the pattern used in BigNum to add a custom, fallible to_owned() function. --- openssl/src/x509/mod.rs | 7 +++++++ openssl/src/x509/tests.rs | 10 ++++++++++ 2 files changed, 17 insertions(+) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index d29a21e4af..b88ee60678 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1064,6 +1064,13 @@ impl X509NameRef { Ok(cmp.cmp(&0)) } + /// Copies the name to a new `X509Name`. + #[corresponds(X509_NAME_dup)] + #[cfg(any(boringssl, ossl110, libressl270))] + pub fn to_owned(&self) -> Result { + unsafe { cvt_p(ffi::X509_NAME_dup(self.as_ptr())).map(|n| X509Name::from_ptr(n)) } + } + to_der! { /// Serializes the certificate into a DER-encoded X509 name structure. /// diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 5f92b5e3d8..2d45f01579 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -615,6 +615,16 @@ fn test_name_cmp() { assert_eq!(Ordering::Greater, subject.try_cmp(issuer).unwrap()); } +#[test] +#[cfg(any(boringssl, ossl110, libressl270))] +fn test_name_to_owned() { + let cert = include_bytes!("../../test/cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + let name = cert.subject_name(); + let copied_name = name.to_owned().unwrap(); + assert_eq!(Ordering::Equal, name.try_cmp(&copied_name).unwrap()); +} + #[test] #[cfg(any(ossl102, libressl261))] fn test_verify_param_set_time_fails_verification() { From 06581aea73c44a29413e5e94c9cb1aa09e8d4ce6 Mon Sep 17 00:00:00 2001 From: Stephane Raux Date: Fri, 20 Jan 2023 16:40:11 -0600 Subject: [PATCH 057/209] Fix debug formatting of ipaddress for GeneralName `from_utf8_lossy` is not appropriate as the bytes are the raw IP address (e.g. 4 bytes for IPv4). --- openssl/src/x509/mod.rs | 11 +++++++++-- openssl/src/x509/tests.rs | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 2 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index b88ee60678..940c8c9c51 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -11,11 +11,13 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef, Opaque}; use libc::{c_int, c_long, c_uint}; use std::cmp::{self, Ordering}; +use std::convert::TryFrom; use std::error::Error; use std::ffi::{CStr, CString}; use std::fmt; use std::marker::PhantomData; use std::mem; +use std::net::IpAddr; use std::path::Path; use std::ptr; use std::slice; @@ -1555,8 +1557,13 @@ impl fmt::Debug for GeneralNameRef { } else if let Some(uri) = self.uri() { formatter.write_str(uri) } else if let Some(ipaddress) = self.ipaddress() { - let result = String::from_utf8_lossy(ipaddress); - formatter.write_str(&result) + let address = <[u8; 16]>::try_from(ipaddress) + .map(IpAddr::from) + .or_else(|_| <[u8; 4]>::try_from(ipaddress).map(IpAddr::from)); + match address { + Ok(a) => fmt::Debug::fmt(&a, formatter), + Err(_) => fmt::Debug::fmt(ipaddress, formatter), + } } else { formatter.write_str("(empty)") } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 2d45f01579..5f41342522 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -868,3 +868,40 @@ fn test_load_crl_file_fail() { let res = lookup.load_crl_file("test/root-ca.pem", SslFiletype::PEM); assert!(res.is_err()); } + +#[cfg(ossl110)] +fn ipaddress_as_subject_alternative_name_is_formatted_in_debug(expected_ip: T) +where + T: Into, +{ + let expected_ip = format!("{:?}", expected_ip.into()); + let mut builder = X509Builder::new().unwrap(); + let san = SubjectAlternativeName::new() + .ip(&expected_ip) + .build(&builder.x509v3_context(None, None)) + .unwrap(); + builder.append_extension(san).unwrap(); + let cert = builder.build(); + let actual_ip = cert + .subject_alt_names() + .into_iter() + .flatten() + .map(|n| format!("{:?}", *n)) + .next() + .unwrap(); + assert_eq!(actual_ip, expected_ip); +} + +#[cfg(ossl110)] +#[test] +fn ipv4_as_subject_alternative_name_is_formatted_in_debug() { + ipaddress_as_subject_alternative_name_is_formatted_in_debug([8u8, 8, 8, 128]); +} + +#[cfg(ossl110)] +#[test] +fn ipv6_as_subject_alternative_name_is_formatted_in_debug() { + ipaddress_as_subject_alternative_name_is_formatted_in_debug([ + 8u8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 128, + ]); +} From 11797d9ecb73e94b7f55a49274318abc9dc074d2 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Wed, 1 Feb 2023 07:33:20 -0500 Subject: [PATCH 058/209] Bump OpenSSL --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 57728778f7..3b7b4dc9cc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -157,10 +157,10 @@ jobs: - name: openssl version: vendored - name: openssl - version: 3.0.5 + version: 3.0.7 dl-path: / - name: openssl - version: 1.1.1q + version: 1.1.1s dl-path: / - name: openssl version: 1.1.0l From dc976d756f9d3273c3c6f960fadb88e44b468050 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 3 Feb 2023 09:31:37 -0500 Subject: [PATCH 059/209] Migrate the openssl-sys crate to the 2018 edition Needed for #1806 --- openssl-macros/src/lib.rs | 2 + openssl-sys/Cargo.toml | 1 + openssl-sys/build/find_normal.rs | 1 - openssl-sys/build/main.rs | 6 +- openssl-sys/src/asn1.rs | 2 +- openssl-sys/src/bio.rs | 2 +- openssl-sys/src/bn.rs | 2 - openssl-sys/src/cms.rs | 1 - openssl-sys/src/crypto.rs | 2 +- openssl-sys/src/ec.rs | 2 +- openssl-sys/src/evp.rs | 2 +- openssl-sys/src/handwritten/aes.rs | 2 +- openssl-sys/src/handwritten/asn1.rs | 2 +- openssl-sys/src/handwritten/bio.rs | 24 ++-- openssl-sys/src/handwritten/bn.rs | 4 +- openssl-sys/src/handwritten/cms.rs | 34 ++--- openssl-sys/src/handwritten/conf.rs | 2 +- openssl-sys/src/handwritten/crypto.rs | 2 +- openssl-sys/src/handwritten/dh.rs | 2 +- openssl-sys/src/handwritten/dsa.rs | 2 +- openssl-sys/src/handwritten/ec.rs | 2 +- openssl-sys/src/handwritten/err.rs | 2 +- openssl-sys/src/handwritten/evp.rs | 6 +- openssl-sys/src/handwritten/hmac.rs | 2 +- openssl-sys/src/handwritten/kdf.rs | 2 +- openssl-sys/src/handwritten/object.rs | 2 +- openssl-sys/src/handwritten/ocsp.rs | 2 +- openssl-sys/src/handwritten/pem.rs | 2 +- openssl-sys/src/handwritten/pkcs12.rs | 2 +- openssl-sys/src/handwritten/pkcs7.rs | 2 +- openssl-sys/src/handwritten/provider.rs | 2 +- openssl-sys/src/handwritten/rsa.rs | 39 +++-- openssl-sys/src/handwritten/sha.rs | 2 +- openssl-sys/src/handwritten/srtp.rs | 2 +- openssl-sys/src/handwritten/ssl.rs | 62 ++++---- openssl-sys/src/handwritten/tls1.rs | 4 +- openssl-sys/src/handwritten/types.rs | 184 ++++++++++++------------ openssl-sys/src/handwritten/x509.rs | 30 ++-- openssl-sys/src/handwritten/x509_vfy.rs | 2 +- openssl-sys/src/handwritten/x509v3.rs | 2 +- openssl-sys/src/lib.rs | 5 +- openssl-sys/src/macros.rs | 2 +- openssl-sys/src/ocsp.rs | 2 - openssl-sys/src/pem.rs | 2 - openssl-sys/src/pkcs7.rs | 2 - openssl-sys/src/rsa.rs | 2 +- openssl-sys/src/sha.rs | 2 +- openssl-sys/src/srtp.rs | 2 - openssl-sys/src/ssl.rs | 12 +- openssl-sys/src/tls1.rs | 2 +- openssl-sys/src/types.rs | 3 +- openssl-sys/src/x509.rs | 2 - openssl-sys/src/x509_vfy.rs | 2 +- openssl-sys/src/x509v3.rs | 2 +- openssl/build.rs | 6 +- openssl/examples/mk_certs.rs | 2 + openssl/src/lib.rs | 1 + openssl/src/sign.rs | 2 +- systest/build.rs | 2 + 59 files changed, 250 insertions(+), 255 deletions(-) diff --git a/openssl-macros/src/lib.rs b/openssl-macros/src/lib.rs index c007409ace..99db988818 100644 --- a/openssl-macros/src/lib.rs +++ b/openssl-macros/src/lib.rs @@ -1,3 +1,5 @@ +#![allow(clippy::uninlined_format_args)] + use proc_macro::TokenStream; use proc_macro2::Ident; use quote::quote; diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index d8e4c7661b..7b5c8104d8 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -12,6 +12,7 @@ readme = "README.md" categories = ["cryptography", "external-ffi-bindings"] links = "openssl" build = "build/main.rs" +edition = "2018" [features] vendored = ['openssl-src'] diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index b5dfe8e259..791fc33985 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -1,4 +1,3 @@ -use pkg_config; use std::ffi::OsString; use std::path::{Path, PathBuf}; use std::process::{self, Command}; diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 02ab5c4ac3..262ea2cbab 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -1,4 +1,8 @@ -#![allow(clippy::inconsistent_digit_grouping, clippy::unusual_byte_groupings)] +#![allow( + clippy::inconsistent_digit_grouping, + clippy::uninlined_format_args, + clippy::unusual_byte_groupings +)] extern crate autocfg; #[cfg(feature = "bindgen")] diff --git a/openssl-sys/src/asn1.rs b/openssl-sys/src/asn1.rs index a5106d4676..caf14f7b96 100644 --- a/openssl-sys/src/asn1.rs +++ b/openssl-sys/src/asn1.rs @@ -1,6 +1,6 @@ use libc::*; -use *; +use super::*; // ASN.1 tag values pub const V_ASN1_EOC: c_int = 0; diff --git a/openssl-sys/src/bio.rs b/openssl-sys/src/bio.rs index b4beab6ca1..ea6053b592 100644 --- a/openssl-sys/src/bio.rs +++ b/openssl-sys/src/bio.rs @@ -1,6 +1,6 @@ use libc::*; -use *; +use super::*; pub const BIO_TYPE_NONE: c_int = 0; diff --git a/openssl-sys/src/bn.rs b/openssl-sys/src/bn.rs index f7393d0f50..a6bbcce883 100644 --- a/openssl-sys/src/bn.rs +++ b/openssl-sys/src/bn.rs @@ -1,7 +1,5 @@ use libc::*; -use *; - #[cfg(target_pointer_width = "64")] pub type BN_ULONG = c_ulonglong; #[cfg(target_pointer_width = "32")] diff --git a/openssl-sys/src/cms.rs b/openssl-sys/src/cms.rs index 59c770e5dc..f008adb1c7 100644 --- a/openssl-sys/src/cms.rs +++ b/openssl-sys/src/cms.rs @@ -1,5 +1,4 @@ use libc::*; -use *; #[cfg(ossl101)] pub const CMS_TEXT: c_uint = 0x1; diff --git a/openssl-sys/src/crypto.rs b/openssl-sys/src/crypto.rs index 842faa4e2f..35be07eada 100644 --- a/openssl-sys/src/crypto.rs +++ b/openssl-sys/src/crypto.rs @@ -1,5 +1,5 @@ +use super::*; use libc::*; -use *; extern "C" { #[deprecated(note = "use CRYPTO_set_locking_callback__fixed_rust instead")] diff --git a/openssl-sys/src/ec.rs b/openssl-sys/src/ec.rs index c01d6f22af..995a84ff64 100644 --- a/openssl-sys/src/ec.rs +++ b/openssl-sys/src/ec.rs @@ -1,7 +1,7 @@ use libc::*; use std::ptr; -use *; +use super::*; pub const OPENSSL_EC_NAMED_CURVE: c_int = 1; diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 9db924ea53..a98e438426 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -1,5 +1,5 @@ +use super::*; use libc::*; -use *; pub const EVP_MAX_MD_SIZE: c_uint = 64; diff --git a/openssl-sys/src/handwritten/aes.rs b/openssl-sys/src/handwritten/aes.rs index 884f9d7242..ba249362cb 100644 --- a/openssl-sys/src/handwritten/aes.rs +++ b/openssl-sys/src/handwritten/aes.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; #[repr(C)] pub struct AES_KEY { diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index 844f9102a9..7163a69d5e 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; #[repr(C)] pub struct ASN1_ENCODING { diff --git a/openssl-sys/src/handwritten/bio.rs b/openssl-sys/src/handwritten/bio.rs index 7241df0f3e..7d97522251 100644 --- a/openssl-sys/src/handwritten/bio.rs +++ b/openssl-sys/src/handwritten/bio.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; extern "C" { pub fn BIO_set_flags(b: *mut BIO, flags: c_int); @@ -17,14 +17,14 @@ cfg_if! { pub struct BIO_METHOD { pub type_: c_int, pub name: *const c_char, - pub bwrite: Option c_int>, - pub bread: Option c_int>, - pub bputs: Option c_int>, - pub bgets: Option c_int>, - pub ctrl: Option c_long>, - pub create: Option c_int>, - pub destroy: Option c_int>, - pub callback_ctrl: Option c_long>, + pub bwrite: Option c_int>, + pub bread: Option c_int>, + pub bputs: Option c_int>, + pub bgets: Option c_int>, + pub ctrl: Option c_long>, + pub create: Option c_int>, + pub destroy: Option c_int>, + pub callback_ctrl: Option c_long>, } } } @@ -39,11 +39,11 @@ extern "C" { #[cfg(not(osslconf = "OPENSSL_NO_STDIO"))] pub fn BIO_new_fp(stream: *mut FILE, close_flag: c_int) -> *mut BIO; #[cfg(any(ossl110, libressl273))] - pub fn BIO_set_data(a: *mut ::BIO, data: *mut c_void); + pub fn BIO_set_data(a: *mut BIO, data: *mut c_void); #[cfg(any(ossl110, libressl273))] - pub fn BIO_get_data(a: *mut ::BIO) -> *mut c_void; + pub fn BIO_get_data(a: *mut BIO) -> *mut c_void; #[cfg(any(ossl110, libressl273))] - pub fn BIO_set_init(a: *mut ::BIO, init: c_int); + pub fn BIO_set_init(a: *mut BIO, init: c_int); pub fn BIO_write(b: *mut BIO, buf: *const c_void, len: c_int) -> c_int; pub fn BIO_read(b: *mut BIO, buf: *mut c_void, len: c_int) -> c_int; pub fn BIO_ctrl(b: *mut BIO, cmd: c_int, larg: c_long, parg: *mut c_void) -> c_long; diff --git a/openssl-sys/src/handwritten/bn.rs b/openssl-sys/src/handwritten/bn.rs index 8e5ae153dd..81348f692a 100644 --- a/openssl-sys/src/handwritten/bn.rs +++ b/openssl-sys/src/handwritten/bn.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; extern "C" { pub fn BN_CTX_new() -> *mut BN_CTX; @@ -31,7 +31,7 @@ extern "C" { pub fn BN_sqr(r: *mut BIGNUM, a: *const BIGNUM, ctx: *mut BN_CTX) -> c_int; pub fn BN_set_negative(bn: *mut BIGNUM, n: c_int); #[cfg(any(ossl110, libressl350))] - pub fn BN_is_negative(b: *const ::BIGNUM) -> c_int; + pub fn BN_is_negative(b: *const BIGNUM) -> c_int; pub fn BN_div( dv: *mut BIGNUM, diff --git a/openssl-sys/src/handwritten/cms.rs b/openssl-sys/src/handwritten/cms.rs index 291bc798b7..7eff2c4d49 100644 --- a/openssl-sys/src/handwritten/cms.rs +++ b/openssl-sys/src/handwritten/cms.rs @@ -1,11 +1,11 @@ +use super::super::*; use libc::*; -use *; pub enum CMS_ContentInfo {} extern "C" { #[cfg(ossl101)] - pub fn CMS_ContentInfo_free(cms: *mut ::CMS_ContentInfo); + pub fn CMS_ContentInfo_free(cms: *mut CMS_ContentInfo); } const_ptr_api! { @@ -18,38 +18,38 @@ const_ptr_api! { extern "C" { #[cfg(ossl101)] pub fn d2i_CMS_ContentInfo( - a: *mut *mut ::CMS_ContentInfo, + a: *mut *mut CMS_ContentInfo, pp: *mut *const c_uchar, length: c_long, - ) -> *mut ::CMS_ContentInfo; + ) -> *mut CMS_ContentInfo; #[cfg(ossl101)] - pub fn SMIME_read_CMS(bio: *mut ::BIO, bcont: *mut *mut ::BIO) -> *mut ::CMS_ContentInfo; + pub fn SMIME_read_CMS(bio: *mut BIO, bcont: *mut *mut BIO) -> *mut CMS_ContentInfo; #[cfg(ossl101)] pub fn CMS_sign( - signcert: *mut ::X509, - pkey: *mut ::EVP_PKEY, - certs: *mut ::stack_st_X509, - data: *mut ::BIO, + signcert: *mut X509, + pkey: *mut EVP_PKEY, + certs: *mut stack_st_X509, + data: *mut BIO, flags: c_uint, - ) -> *mut ::CMS_ContentInfo; + ) -> *mut CMS_ContentInfo; #[cfg(ossl101)] pub fn CMS_encrypt( certs: *mut stack_st_X509, - data: *mut ::BIO, + data: *mut BIO, cipher: *const EVP_CIPHER, flags: c_uint, - ) -> *mut ::CMS_ContentInfo; + ) -> *mut CMS_ContentInfo; #[cfg(ossl101)] pub fn CMS_decrypt( - cms: *mut ::CMS_ContentInfo, - pkey: *mut ::EVP_PKEY, - cert: *mut ::X509, - dcont: *mut ::BIO, - out: *mut ::BIO, + cms: *mut CMS_ContentInfo, + pkey: *mut EVP_PKEY, + cert: *mut X509, + dcont: *mut BIO, + out: *mut BIO, flags: c_uint, ) -> c_int; } diff --git a/openssl-sys/src/handwritten/conf.rs b/openssl-sys/src/handwritten/conf.rs index 9b9d4b26ff..2348d7d4c9 100644 --- a/openssl-sys/src/handwritten/conf.rs +++ b/openssl-sys/src/handwritten/conf.rs @@ -1,4 +1,4 @@ -use *; +use super::super::*; extern "C" { pub fn NCONF_new(meth: *mut CONF_METHOD) -> *mut CONF; diff --git a/openssl-sys/src/handwritten/crypto.rs b/openssl-sys/src/handwritten/crypto.rs index ab17d2fa9e..62ccbce1ec 100644 --- a/openssl-sys/src/handwritten/crypto.rs +++ b/openssl-sys/src/handwritten/crypto.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; stack!(stack_st_void); diff --git a/openssl-sys/src/handwritten/dh.rs b/openssl-sys/src/handwritten/dh.rs index d55326bc80..a4de122eac 100644 --- a/openssl-sys/src/handwritten/dh.rs +++ b/openssl-sys/src/handwritten/dh.rs @@ -1,4 +1,4 @@ -use *; +use super::super::*; extern "C" { pub fn DH_new() -> *mut DH; diff --git a/openssl-sys/src/handwritten/dsa.rs b/openssl-sys/src/handwritten/dsa.rs index c676c6b0ad..be25f23b67 100644 --- a/openssl-sys/src/handwritten/dsa.rs +++ b/openssl-sys/src/handwritten/dsa.rs @@ -1,6 +1,6 @@ use libc::*; -use *; +use super::super::*; cfg_if! { if #[cfg(any(ossl110, libressl280))] { diff --git a/openssl-sys/src/handwritten/ec.rs b/openssl-sys/src/handwritten/ec.rs index ed0b1a7074..6ee475f327 100644 --- a/openssl-sys/src/handwritten/ec.rs +++ b/openssl-sys/src/handwritten/ec.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; #[repr(C)] #[derive(Copy, Clone)] diff --git a/openssl-sys/src/handwritten/err.rs b/openssl-sys/src/handwritten/err.rs index d8f36e4970..5653c1d18a 100644 --- a/openssl-sys/src/handwritten/err.rs +++ b/openssl-sys/src/handwritten/err.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; #[repr(C)] pub struct ERR_STRING_DATA { diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 46e5b88f04..772709650b 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; cfg_if! { if #[cfg(ossl300)] { @@ -344,9 +344,9 @@ extern "C" { #[cfg(ossl110)] pub fn EVP_aes_256_ocb() -> *const EVP_CIPHER; #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] - pub fn EVP_chacha20() -> *const ::EVP_CIPHER; + pub fn EVP_chacha20() -> *const EVP_CIPHER; #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] - pub fn EVP_chacha20_poly1305() -> *const ::EVP_CIPHER; + pub fn EVP_chacha20_poly1305() -> *const EVP_CIPHER; #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] pub fn EVP_seed_cbc() -> *const EVP_CIPHER; #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] diff --git a/openssl-sys/src/handwritten/hmac.rs b/openssl-sys/src/handwritten/hmac.rs index 7cbb7cc9ad..b52d63fb1f 100644 --- a/openssl-sys/src/handwritten/hmac.rs +++ b/openssl-sys/src/handwritten/hmac.rs @@ -1,6 +1,6 @@ use libc::*; -use *; +use super::super::*; cfg_if! { if #[cfg(any(ossl110, libressl350))] { diff --git a/openssl-sys/src/handwritten/kdf.rs b/openssl-sys/src/handwritten/kdf.rs index b8e6c63bb1..0f14b63a9c 100644 --- a/openssl-sys/src/handwritten/kdf.rs +++ b/openssl-sys/src/handwritten/kdf.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; cfg_if! { if #[cfg(ossl300)] { diff --git a/openssl-sys/src/handwritten/object.rs b/openssl-sys/src/handwritten/object.rs index d2c525b806..06e6553433 100644 --- a/openssl-sys/src/handwritten/object.rs +++ b/openssl-sys/src/handwritten/object.rs @@ -1,6 +1,6 @@ use libc::*; -use *; +use super::super::*; extern "C" { pub fn OBJ_nid2ln(nid: c_int) -> *const c_char; diff --git a/openssl-sys/src/handwritten/ocsp.rs b/openssl-sys/src/handwritten/ocsp.rs index bb194c2860..c194a831b9 100644 --- a/openssl-sys/src/handwritten/ocsp.rs +++ b/openssl-sys/src/handwritten/ocsp.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; pub enum OCSP_CERTID {} diff --git a/openssl-sys/src/handwritten/pem.rs b/openssl-sys/src/handwritten/pem.rs index ebce932b6c..42997177e4 100644 --- a/openssl-sys/src/handwritten/pem.rs +++ b/openssl-sys/src/handwritten/pem.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; pub type pem_password_cb = Option< unsafe extern "C" fn( diff --git a/openssl-sys/src/handwritten/pkcs12.rs b/openssl-sys/src/handwritten/pkcs12.rs index 792ab3527a..728c333ad2 100644 --- a/openssl-sys/src/handwritten/pkcs12.rs +++ b/openssl-sys/src/handwritten/pkcs12.rs @@ -1,6 +1,6 @@ use libc::*; -use *; +use super::super::*; pub enum PKCS12 {} diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index fc0239e7b8..78f96ec3e3 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; pub enum PKCS7_SIGNED {} pub enum PKCS7_ENVELOPE {} diff --git a/openssl-sys/src/handwritten/provider.rs b/openssl-sys/src/handwritten/provider.rs index 93eaa072f3..3e18a02be7 100644 --- a/openssl-sys/src/handwritten/provider.rs +++ b/openssl-sys/src/handwritten/provider.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; extern "C" { #[cfg(ossl300)] diff --git a/openssl-sys/src/handwritten/rsa.rs b/openssl-sys/src/handwritten/rsa.rs index d2a1439bee..d05edfc301 100644 --- a/openssl-sys/src/handwritten/rsa.rs +++ b/openssl-sys/src/handwritten/rsa.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; cfg_if! { if #[cfg(ossl300)] { @@ -18,36 +18,31 @@ extern "C" { pub fn RSA_size(k: *const RSA) -> c_int; #[cfg(any(ossl110, libressl273))] - pub fn RSA_set0_key( - r: *mut ::RSA, - n: *mut ::BIGNUM, - e: *mut ::BIGNUM, - d: *mut ::BIGNUM, - ) -> c_int; + pub fn RSA_set0_key(r: *mut RSA, n: *mut BIGNUM, e: *mut BIGNUM, d: *mut BIGNUM) -> c_int; #[cfg(any(ossl110, libressl273))] - pub fn RSA_set0_factors(r: *mut ::RSA, p: *mut ::BIGNUM, q: *mut ::BIGNUM) -> c_int; + pub fn RSA_set0_factors(r: *mut RSA, p: *mut BIGNUM, q: *mut BIGNUM) -> c_int; #[cfg(any(ossl110, libressl273))] pub fn RSA_set0_crt_params( - r: *mut ::RSA, - dmp1: *mut ::BIGNUM, - dmq1: *mut ::BIGNUM, - iqmp: *mut ::BIGNUM, + r: *mut RSA, + dmp1: *mut BIGNUM, + dmq1: *mut BIGNUM, + iqmp: *mut BIGNUM, ) -> c_int; #[cfg(any(ossl110, libressl273))] pub fn RSA_get0_key( - r: *const ::RSA, - n: *mut *const ::BIGNUM, - e: *mut *const ::BIGNUM, - d: *mut *const ::BIGNUM, + r: *const RSA, + n: *mut *const BIGNUM, + e: *mut *const BIGNUM, + d: *mut *const BIGNUM, ); #[cfg(any(ossl110, libressl273))] - pub fn RSA_get0_factors(r: *const ::RSA, p: *mut *const ::BIGNUM, q: *mut *const ::BIGNUM); + pub fn RSA_get0_factors(r: *const RSA, p: *mut *const BIGNUM, q: *mut *const BIGNUM); #[cfg(any(ossl110, libressl273))] pub fn RSA_get0_crt_params( - r: *const ::RSA, - dmp1: *mut *const ::BIGNUM, - dmq1: *mut *const ::BIGNUM, - iqmp: *mut *const ::BIGNUM, + r: *const RSA, + dmp1: *mut *const BIGNUM, + dmq1: *mut *const BIGNUM, + iqmp: *mut *const BIGNUM, ); #[cfg(not(ossl110))] @@ -93,7 +88,7 @@ extern "C" { k: *mut RSA, pad: c_int, ) -> c_int; - pub fn RSA_check_key(r: *const ::RSA) -> c_int; + pub fn RSA_check_key(r: *const RSA) -> c_int; pub fn RSA_free(rsa: *mut RSA); pub fn RSA_up_ref(rsa: *mut RSA) -> c_int; diff --git a/openssl-sys/src/handwritten/sha.rs b/openssl-sys/src/handwritten/sha.rs index 64fe2ce883..7d00b592f1 100644 --- a/openssl-sys/src/handwritten/sha.rs +++ b/openssl-sys/src/handwritten/sha.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; cfg_if! { if #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] { diff --git a/openssl-sys/src/handwritten/srtp.rs b/openssl-sys/src/handwritten/srtp.rs index 7500584be8..d4c7af8ebd 100644 --- a/openssl-sys/src/handwritten/srtp.rs +++ b/openssl-sys/src/handwritten/srtp.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; extern "C" { pub fn SSL_CTX_set_tlsext_use_srtp(ctx: *mut SSL_CTX, profiles: *const c_char) -> c_int; diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index e0c22090e3..a22f58931e 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; pub enum SSL_METHOD {} pub enum SSL_CIPHER {} @@ -13,15 +13,15 @@ cfg_if! { pub master_key_length: c_int, pub master_key: [c_uchar; 48], session_id_length: c_uint, - session_id: [c_uchar; ::SSL_MAX_SSL_SESSION_ID_LENGTH as usize], + session_id: [c_uchar; SSL_MAX_SSL_SESSION_ID_LENGTH as usize], sid_ctx_length: c_uint, - sid_ctx: [c_uchar; ::SSL_MAX_SID_CTX_LENGTH as usize], - peer: *mut ::X509, + sid_ctx: [c_uchar; SSL_MAX_SID_CTX_LENGTH as usize], + peer: *mut X509, verify_result: c_long, timeout: c_long, time: time_t, pub references: c_int, - cipher: *const ::SSL_CIPHER, + cipher: *const SSL_CIPHER, cipher_id: c_long, ciphers: *mut stack_st_SSL_CIPHER, tlsext_hostname: *mut c_char, @@ -50,7 +50,7 @@ cfg_if! { cipher: *const c_void, cipher_id: c_ulong, ciphers: *mut c_void, - ex_data: ::CRYPTO_EX_DATA, + ex_data: CRYPTO_EX_DATA, prev: *mut c_void, next: *mut c_void, tlsext_hostname: *mut c_char, @@ -93,7 +93,7 @@ cfg_if! { cipher: *const c_void, cipher_id: c_ulong, ciphers: *mut c_void, - ex_data: ::CRYPTO_EX_DATA, + ex_data: CRYPTO_EX_DATA, prev: *mut c_void, next: *mut c_void, #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] @@ -156,12 +156,12 @@ pub type tls_session_secret_cb_fn = Option< #[cfg(ossl111)] pub type SSL_custom_ext_add_cb_ex = Option< unsafe extern "C" fn( - ssl: *mut ::SSL, + ssl: *mut SSL, ext_type: c_uint, context: c_uint, out: *mut *const c_uchar, outlen: *mut size_t, - x: *mut ::X509, + x: *mut X509, chainidx: size_t, al: *mut c_int, add_arg: *mut c_void, @@ -171,7 +171,7 @@ pub type SSL_custom_ext_add_cb_ex = Option< #[cfg(ossl111)] pub type SSL_custom_ext_free_cb_ex = Option< unsafe extern "C" fn( - ssl: *mut ::SSL, + ssl: *mut SSL, ext_type: c_uint, context: c_uint, out: *const c_uchar, @@ -182,12 +182,12 @@ pub type SSL_custom_ext_free_cb_ex = Option< #[cfg(ossl111)] pub type SSL_custom_ext_parse_cb_ex = Option< unsafe extern "C" fn( - ssl: *mut ::SSL, + ssl: *mut SSL, ext_type: c_uint, context: c_uint, input: *const c_uchar, inlen: size_t, - x: *mut ::X509, + x: *mut X509, chainidx: size_t, al: *mut c_int, parse_arg: *mut c_void, @@ -228,18 +228,18 @@ cfg_if! { if #[cfg(any(ossl110, libressl280))] { extern "C" { pub fn SSL_CTX_sess_set_get_cb( - ctx: *mut ::SSL_CTX, + ctx: *mut SSL_CTX, get_session_cb: Option< - unsafe extern "C" fn(*mut ::SSL, *const c_uchar, c_int, *mut c_int) -> *mut SSL_SESSION, + unsafe extern "C" fn(*mut SSL, *const c_uchar, c_int, *mut c_int) -> *mut SSL_SESSION, >, ); } } else { extern "C" { pub fn SSL_CTX_sess_set_get_cb( - ctx: *mut ::SSL_CTX, + ctx: *mut SSL_CTX, get_session_cb: Option< - unsafe extern "C" fn(*mut ::SSL, *mut c_uchar, c_int, *mut c_int) -> *mut SSL_SESSION, + unsafe extern "C" fn(*mut SSL, *mut c_uchar, c_int, *mut c_int) -> *mut SSL_SESSION, >, ); } @@ -391,7 +391,7 @@ extern "C" { extern "C" { #[cfg(ossl111)] pub fn SSL_CTX_add_custom_ext( - ctx: *mut ::SSL_CTX, + ctx: *mut SSL_CTX, ext_type: c_uint, context: c_uint, add_cb: SSL_custom_ext_add_cb_ex, @@ -439,8 +439,8 @@ const_ptr_api! { cfg_if! { if #[cfg(libressl261)] { extern "C" { - pub fn SSL_CTX_set_min_proto_version(ctx: *mut ::SSL_CTX, version: u16) -> c_int; - pub fn SSL_CTX_set_max_proto_version(ctx: *mut ::SSL_CTX, version: u16) -> c_int; + pub fn SSL_CTX_set_min_proto_version(ctx: *mut SSL_CTX, version: u16) -> c_int; + pub fn SSL_CTX_set_max_proto_version(ctx: *mut SSL_CTX, version: u16) -> c_int; pub fn SSL_set_min_proto_version(s: *mut SSL, version: u16) -> c_int; pub fn SSL_set_max_proto_version(s: *mut SSL, version: u16) -> c_int; } @@ -450,8 +450,8 @@ cfg_if! { cfg_if! { if #[cfg(libressl270)] { extern "C" { - pub fn SSL_CTX_get_min_proto_version(ctx: *mut ::SSL_CTX) -> c_int; - pub fn SSL_CTX_get_max_proto_version(ctx: *mut ::SSL_CTX) -> c_int; + pub fn SSL_CTX_get_min_proto_version(ctx: *mut SSL_CTX) -> c_int; + pub fn SSL_CTX_get_max_proto_version(ctx: *mut SSL_CTX) -> c_int; pub fn SSL_get_min_proto_version(s: *mut SSL) -> c_int; pub fn SSL_get_max_proto_version(s: *mut SSL) -> c_int; } @@ -477,7 +477,7 @@ const_ptr_api! { } extern "C" { #[cfg(ossl111)] - pub fn SSL_CIPHER_get_handshake_digest(cipher: *const ::SSL_CIPHER) -> *const ::EVP_MD; + pub fn SSL_CIPHER_get_handshake_digest(cipher: *const SSL_CIPHER) -> *const EVP_MD; pub fn SSL_CIPHER_get_name(cipher: *const SSL_CIPHER) -> *const c_char; #[cfg(ossl111)] pub fn SSL_CIPHER_standard_name(cipher: *const SSL_CIPHER) -> *const c_char; @@ -491,7 +491,7 @@ extern "C" { #[cfg(any(ossl111, libressl340))] pub fn SSL_CTX_set_ciphersuites(ctx: *mut SSL_CTX, str: *const c_char) -> c_int; #[cfg(any(ossl111, libressl340))] - pub fn SSL_set_ciphersuites(ssl: *mut ::SSL, str: *const c_char) -> c_int; + pub fn SSL_set_ciphersuites(ssl: *mut SSL, str: *const c_char) -> c_int; pub fn SSL_set_cipher_list(ssl: *mut SSL, s: *const c_char) -> c_int; pub fn SSL_set_ssl_method(s: *mut SSL, method: *const SSL_METHOD) -> c_int; pub fn SSL_set_verify( @@ -643,7 +643,7 @@ extern "C" { pub fn SSL_peek(ssl: *mut SSL, buf: *mut c_void, num: c_int) -> c_int; #[cfg(any(ossl111, libressl340))] pub fn SSL_read_early_data( - s: *mut ::SSL, + s: *mut SSL, buf: *mut c_void, num: size_t, readbytes: *mut size_t, @@ -797,9 +797,9 @@ extern "C" { pub fn SSL_CTX_get_ex_new_index( argl: c_long, argp: *mut c_void, - new_func: Option<::CRYPTO_EX_new>, - dup_func: Option<::CRYPTO_EX_dup>, - free_func: Option<::CRYPTO_EX_free>, + new_func: Option, + dup_func: Option, + free_func: Option, ) -> c_int; pub fn SSL_CTX_set_ex_data(ctx: *mut SSL_CTX, idx: c_int, data: *mut c_void) -> c_int; @@ -826,13 +826,9 @@ extern "C" { #[cfg(not(ossl110))] #[link_name = "SSL_CTX_set_tmp_ecdh_callback"] pub fn SSL_CTX_set_tmp_ecdh_callback__fixed_rust( - ctx: *mut ::SSL_CTX, + ctx: *mut SSL_CTX, ecdh: Option< - unsafe extern "C" fn( - ssl: *mut ::SSL, - is_export: c_int, - keylength: c_int, - ) -> *mut ::EC_KEY, + unsafe extern "C" fn(ssl: *mut SSL, is_export: c_int, keylength: c_int) -> *mut EC_KEY, >, ); #[cfg(not(ossl110))] diff --git a/openssl-sys/src/handwritten/tls1.rs b/openssl-sys/src/handwritten/tls1.rs index a54dcbc80d..8cf992fbce 100644 --- a/openssl-sys/src/handwritten/tls1.rs +++ b/openssl-sys/src/handwritten/tls1.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; extern "C" { pub fn SSL_get_servername(ssl: *const SSL, name_type: c_int) -> *const c_char; @@ -17,7 +17,7 @@ extern "C" { #[cfg(ossl111)] pub fn SSL_export_keying_material_early( - s: *mut ::SSL, + s: *mut SSL, out: *mut c_uchar, olen: size_t, label: *const c_char, diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index 476578c051..b229a37597 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -1,7 +1,7 @@ use libc::*; #[allow(unused_imports)] -use *; +use super::super::*; pub enum ASN1_INTEGER {} pub enum ASN1_GENERALIZEDTIME {} @@ -136,22 +136,22 @@ cfg_if! { pub struct DH { pub pad: c_int, pub version: c_int, - pub p: *mut ::BIGNUM, - pub g: *mut ::BIGNUM, + pub p: *mut BIGNUM, + pub g: *mut BIGNUM, pub length: c_long, - pub pub_key: *mut ::BIGNUM, - pub priv_key: *mut ::BIGNUM, + pub pub_key: *mut BIGNUM, + pub priv_key: *mut BIGNUM, pub flags: c_int, - pub method_mont_p: *mut ::BN_MONT_CTX, - pub q: *mut ::BIGNUM, - pub j: *mut ::BIGNUM, + pub method_mont_p: *mut BN_MONT_CTX, + pub q: *mut BIGNUM, + pub j: *mut BIGNUM, pub seed: *mut c_uchar, pub seedlen: c_int, - pub counter: *mut ::BIGNUM, + pub counter: *mut BIGNUM, pub references: c_int, - pub ex_data: ::CRYPTO_EX_DATA, - pub meth: *const ::DH_METHOD, - pub engine: *mut ::ENGINE, + pub ex_data: CRYPTO_EX_DATA, + pub meth: *const DH_METHOD, + pub engine: *mut ENGINE, } } } @@ -194,57 +194,57 @@ cfg_if! { pub struct RSA { pub pad: c_int, pub version: c_long, - pub meth: *const ::RSA_METHOD, + pub meth: *const RSA_METHOD, - pub engine: *mut ::ENGINE, - pub n: *mut ::BIGNUM, - pub e: *mut ::BIGNUM, - pub d: *mut ::BIGNUM, - pub p: *mut ::BIGNUM, - pub q: *mut ::BIGNUM, - pub dmp1: *mut ::BIGNUM, - pub dmq1: *mut ::BIGNUM, - pub iqmp: *mut ::BIGNUM, + pub engine: *mut ENGINE, + pub n: *mut BIGNUM, + pub e: *mut BIGNUM, + pub d: *mut BIGNUM, + pub p: *mut BIGNUM, + pub q: *mut BIGNUM, + pub dmp1: *mut BIGNUM, + pub dmq1: *mut BIGNUM, + pub iqmp: *mut BIGNUM, - pub ex_data: ::CRYPTO_EX_DATA, + pub ex_data: CRYPTO_EX_DATA, pub references: c_int, pub flags: c_int, - pub _method_mod_n: *mut ::BN_MONT_CTX, - pub _method_mod_p: *mut ::BN_MONT_CTX, - pub _method_mod_q: *mut ::BN_MONT_CTX, + pub _method_mod_n: *mut BN_MONT_CTX, + pub _method_mod_p: *mut BN_MONT_CTX, + pub _method_mod_q: *mut BN_MONT_CTX, - pub blinding: *mut ::BN_BLINDING, - pub mt_blinding: *mut ::BN_BLINDING, + pub blinding: *mut BN_BLINDING, + pub mt_blinding: *mut BN_BLINDING, } } else { #[repr(C)] pub struct RSA { pub pad: c_int, pub version: c_long, - pub meth: *const ::RSA_METHOD, + pub meth: *const RSA_METHOD, - pub engine: *mut ::ENGINE, - pub n: *mut ::BIGNUM, - pub e: *mut ::BIGNUM, - pub d: *mut ::BIGNUM, - pub p: *mut ::BIGNUM, - pub q: *mut ::BIGNUM, - pub dmp1: *mut ::BIGNUM, - pub dmq1: *mut ::BIGNUM, - pub iqmp: *mut ::BIGNUM, + pub engine: *mut ENGINE, + pub n: *mut BIGNUM, + pub e: *mut BIGNUM, + pub d: *mut BIGNUM, + pub p: *mut BIGNUM, + pub q: *mut BIGNUM, + pub dmp1: *mut BIGNUM, + pub dmq1: *mut BIGNUM, + pub iqmp: *mut BIGNUM, - pub ex_data: ::CRYPTO_EX_DATA, + pub ex_data: CRYPTO_EX_DATA, pub references: c_int, pub flags: c_int, - pub _method_mod_n: *mut ::BN_MONT_CTX, - pub _method_mod_p: *mut ::BN_MONT_CTX, - pub _method_mod_q: *mut ::BN_MONT_CTX, + pub _method_mod_n: *mut BN_MONT_CTX, + pub _method_mod_p: *mut BN_MONT_CTX, + pub _method_mod_q: *mut BN_MONT_CTX, pub bignum_data: *mut c_char, - pub blinding: *mut ::BN_BLINDING, - pub mt_blinding: *mut ::BN_BLINDING, + pub blinding: *mut BN_BLINDING, + pub mt_blinding: *mut BN_BLINDING, } } } @@ -259,12 +259,12 @@ cfg_if! { #[repr(C)] pub struct X509 { pub cert_info: *mut X509_CINF, - pub sig_alg: *mut ::X509_ALGOR, - pub signature: *mut ::ASN1_BIT_STRING, + pub sig_alg: *mut X509_ALGOR, + pub signature: *mut ASN1_BIT_STRING, pub valid: c_int, pub references: c_int, pub name: *mut c_char, - pub ex_data: ::CRYPTO_EX_DATA, + pub ex_data: CRYPTO_EX_DATA, pub ex_pathlen: c_long, pub ex_pcpathlen: c_long, pub ex_flags: c_ulong, @@ -319,7 +319,7 @@ cfg_if! { } else { #[repr(C)] pub struct X509_ALGOR { - pub algorithm: *mut ::ASN1_OBJECT, + pub algorithm: *mut ASN1_OBJECT, parameter: *mut c_void, } } @@ -460,10 +460,10 @@ cfg_if! { #[repr(C)] pub struct SSL { version: c_int, - method: *const ::SSL_METHOD, - rbio: *mut ::BIO, - wbio: *mut ::BIO, - bbio: *mut ::BIO, + method: *const SSL_METHOD, + rbio: *mut BIO, + wbio: *mut BIO, + bbio: *mut BIO, pub server: c_int, s3: *mut c_void, d1: *mut c_void, @@ -471,20 +471,20 @@ cfg_if! { cipher_list: *mut stack_st_SSL_CIPHER, cert: *mut c_void, sid_ctx_length: c_uint, - sid_ctx: [c_uchar; ::SSL_MAX_SID_CTX_LENGTH as usize], - session: *mut ::SSL_SESSION, + sid_ctx: [c_uchar; SSL_MAX_SID_CTX_LENGTH as usize], + session: *mut SSL_SESSION, verify_mode: c_int, error: c_int, error_code: c_int, - ctx: *mut ::SSL_CTX, + ctx: *mut SSL_CTX, verify_result: c_long, references: c_int, client_version: c_int, max_send_fragment: c_uint, tlsext_hostname: *mut c_char, tlsext_status_type: c_int, - initial_ctx: *mut ::SSL_CTX, - enc_read_ctx: *mut ::EVP_CIPHER_CTX, + initial_ctx: *mut SSL_CTX, + enc_read_ctx: *mut EVP_CIPHER_CTX, read_hash: *mut EVP_MD_CTX, internal: *mut c_void, } @@ -493,7 +493,7 @@ cfg_if! { pub struct SSL { version: c_int, type_: c_int, - method: *const ::SSL_METHOD, + method: *const SSL_METHOD, rbio: *mut c_void, wbio: *mut c_void, bbio: *mut c_void, @@ -531,25 +531,25 @@ cfg_if! { cipher_list_by_id: *mut stack_st_SSL_CIPHER, mac_flags: c_int, aead_read_ctx: *mut c_void, - enc_read_ctx: *mut ::EVP_CIPHER_CTX, - read_hash: *mut ::EVP_MD_CTX, + enc_read_ctx: *mut EVP_CIPHER_CTX, + read_hash: *mut EVP_MD_CTX, aead_write_ctx: *mut c_void, - enc_write_ctx: *mut ::EVP_CIPHER_CTX, - write_hash: *mut ::EVP_MD_CTX, + enc_write_ctx: *mut EVP_CIPHER_CTX, + write_hash: *mut EVP_MD_CTX, cert: *mut c_void, sid_ctx_length: c_uint, - sid_ctx: [c_uchar; ::SSL_MAX_SID_CTX_LENGTH as usize], - session: *mut ::SSL_SESSION, - generate_session_id: ::GEN_SESSION_CB, + sid_ctx: [c_uchar; SSL_MAX_SID_CTX_LENGTH as usize], + session: *mut SSL_SESSION, + generate_session_id: GEN_SESSION_CB, verify_mode: c_int, - verify_callback: Option c_int>, + verify_callback: Option c_int>, info_callback: Option, error: c_int, error_code: c_int, - ctx: *mut ::SSL_CTX, + ctx: *mut SSL_CTX, debug: c_int, verify_result: c_long, - ex_data: ::CRYPTO_EX_DATA, + ex_data: CRYPTO_EX_DATA, client_CA: *mut stack_st_X509_NAME, references: c_int, options: c_ulong, @@ -575,11 +575,11 @@ cfg_if! { tlsext_ellipticcurvelist_length: size_t, tlsext_ellipticcurvelist: *mut c_uchar, tlsext_session_ticket: *mut c_void, - tlsext_session_ticket_ext_cb: ::tls_session_ticket_ext_cb_fn, + tlsext_session_ticket_ext_cb: tls_session_ticket_ext_cb_fn, tls_session_ticket_ext_cb_arg: *mut c_void, - tls_session_secret_cb: ::tls_session_secret_cb_fn, + tls_session_secret_cb: tls_session_secret_cb_fn, tls_session_secret_cb_arg: *mut c_void, - initial_ctx: *mut ::SSL_CTX, + initial_ctx: *mut SSL_CTX, next_proto_negotiated: *mut c_uchar, next_proto_negotiated_len: c_uchar, srtp_profiles: *mut c_void, @@ -596,7 +596,7 @@ cfg_if! { pub struct SSL { version: c_int, type_: c_int, - method: *const ::SSL_METHOD, + method: *const SSL_METHOD, rbio: *mut c_void, wbio: *mut c_void, bbio: *mut c_void, @@ -628,19 +628,19 @@ cfg_if! { cipher_list: *mut stack_st_SSL_CIPHER, cipher_list_by_id: *mut stack_st_SSL_CIPHER, mac_flags: c_int, - enc_read_ctx: *mut ::EVP_CIPHER_CTX, - read_hash: *mut ::EVP_MD_CTX, + enc_read_ctx: *mut EVP_CIPHER_CTX, + read_hash: *mut EVP_MD_CTX, expand: *mut c_void, - enc_write_ctx: *mut ::EVP_CIPHER_CTX, - write_hash: *mut ::EVP_MD_CTX, + enc_write_ctx: *mut EVP_CIPHER_CTX, + write_hash: *mut EVP_MD_CTX, compress: *mut c_void, cert: *mut c_void, sid_ctx_length: c_uint, - sid_ctx: [c_uchar; ::SSL_MAX_SID_CTX_LENGTH as usize], - session: *mut ::SSL_SESSION, - generate_session_id: ::GEN_SESSION_CB, + sid_ctx: [c_uchar; SSL_MAX_SID_CTX_LENGTH as usize], + session: *mut SSL_SESSION, + generate_session_id: GEN_SESSION_CB, verify_mode: c_int, - verify_callback: Option c_int>, + verify_callback: Option c_int>, info_callback: Option, error: c_int, error_code: c_int, @@ -654,10 +654,10 @@ cfg_if! { #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] psk_server_callback: Option c_uint>, - ctx: *mut ::SSL_CTX, + ctx: *mut SSL_CTX, debug: c_int, verify_result: c_long, - ex_data: ::CRYPTO_EX_DATA, + ex_data: CRYPTO_EX_DATA, client_CA: *mut stack_st_X509_NAME, references: c_int, options: c_ulong, @@ -716,15 +716,15 @@ cfg_if! { #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_session_ticket: *mut c_void, #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_session_ticket_ext_cb: ::tls_session_ticket_ext_cb_fn, + tlsext_session_ticket_ext_cb: tls_session_ticket_ext_cb_fn, #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tls_session_ticket_ext_cb_arg: *mut c_void, #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tls_session_secret_cb: ::tls_session_secret_cb_fn, + tls_session_secret_cb: tls_session_secret_cb_fn, #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tls_session_secret_cb_arg: *mut c_void, #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - initial_ctx: *mut ::SSL_CTX, + initial_ctx: *mut SSL_CTX, #[cfg(all( not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_NEXTPROTONEG") @@ -747,7 +747,7 @@ cfg_if! { tlsext_hb_seq: c_uint, renegotiate: c_int, #[cfg(not(osslconf = "OPENSSL_NO_SRP"))] - srp_ctx: ::SRP_CTX, + srp_ctx: SRP_CTX, #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] alpn_client_proto_list: *mut c_uchar, #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] @@ -761,7 +761,7 @@ cfg_if! { } else if #[cfg(libressl251)] { #[repr(C)] pub struct SSL_CTX { - method: *const ::SSL_METHOD, + method: *const SSL_METHOD, cipher_list: *mut stack_st_SSL_CIPHER, cert_store: *mut c_void, session_timeout: c_long, @@ -769,8 +769,8 @@ cfg_if! { extra_certs: *mut stack_st_X509, verify_mode: c_int, sid_ctx_length: c_uint, - sid_ctx: [c_uchar; ::SSL_MAX_SID_CTX_LENGTH as usize], - param: *mut ::X509_VERIFY_PARAM, + sid_ctx: [c_uchar; SSL_MAX_SID_CTX_LENGTH as usize], + param: *mut X509_VERIFY_PARAM, default_passwd_callback: *mut c_void, default_passwd_callback_userdata: *mut c_void, internal: *mut c_void, @@ -800,7 +800,7 @@ cfg_if! { client_cert_cb: *mut c_void, app_gen_cookie_cb: *mut c_void, app_verify_cookie_cb: *mut c_void, - ex_dat: ::CRYPTO_EX_DATA, + ex_dat: CRYPTO_EX_DATA, rsa_md5: *mut c_void, md5: *mut c_void, sha1: *mut c_void, @@ -870,7 +870,7 @@ cfg_if! { client_cert_cb: *mut c_void, app_gen_cookie_cb: *mut c_void, app_verify_cookie_cb: *mut c_void, - ex_dat: ::CRYPTO_EX_DATA, + ex_dat: CRYPTO_EX_DATA, rsa_md5: *mut c_void, md5: *mut c_void, sha1: *mut c_void, @@ -1058,7 +1058,7 @@ cfg_if! { } else if #[cfg(libressl)] { #[repr(C)] pub struct CRYPTO_EX_DATA { - pub sk: *mut ::stack_st_void, + pub sk: *mut stack_st_void, } } else { #[repr(C)] diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 047f3df262..8762e5f98d 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; #[repr(C)] pub struct X509_VAL { @@ -24,8 +24,8 @@ cfg_if! { #[repr(C)] pub struct X509_REQ_INFO { pub enc: ASN1_ENCODING, - pub version: *mut ::ASN1_INTEGER, - pub subject: *mut ::X509_NAME, + pub version: *mut ASN1_INTEGER, + pub subject: *mut X509_NAME, pubkey: *mut c_void, pub attributes: *mut stack_st_X509_ATTRIBUTE, } @@ -313,26 +313,26 @@ const_ptr_api! { } } extern "C" { - pub fn X509_issuer_name_hash(x: *mut ::X509) -> c_ulong; - pub fn X509_subject_name_hash(x: *mut ::X509) -> c_ulong; + pub fn X509_issuer_name_hash(x: *mut X509) -> c_ulong; + pub fn X509_subject_name_hash(x: *mut X509) -> c_ulong; } const_ptr_api! { extern "C" { - pub fn X509_get_issuer_name(x: #[const_ptr_if(any(ossl110, libressl280))] ::X509) -> *mut ::X509_NAME; + pub fn X509_get_issuer_name(x: #[const_ptr_if(any(ossl110, libressl280))] X509) -> *mut X509_NAME; pub fn X509_set_subject_name(x: *mut X509, name: #[const_ptr_if(ossl300)] X509_NAME) -> c_int; - pub fn X509_get_subject_name(x: #[const_ptr_if(any(ossl110, libressl280))] ::X509) -> *mut ::X509_NAME; + pub fn X509_get_subject_name(x: #[const_ptr_if(any(ossl110, libressl280))] X509) -> *mut X509_NAME; } } cfg_if! { if #[cfg(any(ossl110, libressl350))] { extern "C" { - pub fn X509_set1_notBefore(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int; - pub fn X509_set1_notAfter(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int; + pub fn X509_set1_notBefore(x: *mut X509, tm: *const ASN1_TIME) -> c_int; + pub fn X509_set1_notAfter(x: *mut X509, tm: *const ASN1_TIME) -> c_int; } } else { extern "C" { - pub fn X509_set_notBefore(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int; - pub fn X509_set_notAfter(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int; + pub fn X509_set_notBefore(x: *mut X509, tm: *const ASN1_TIME) -> c_int; + pub fn X509_set_notAfter(x: *mut X509, tm: *const ASN1_TIME) -> c_int; } } } @@ -414,7 +414,7 @@ extern "C" { pub fn X509_CRL_get_issuer(x: *const X509_CRL) -> *mut X509_NAME; #[cfg(ossl110)] - pub fn X509_get0_extensions(req: *const ::X509) -> *const stack_st_X509_EXTENSION; + pub fn X509_get0_extensions(req: *const X509) -> *const stack_st_X509_EXTENSION; pub fn X509_CRL_set_version(crl: *mut X509_CRL, version: c_long) -> c_int; } @@ -559,7 +559,7 @@ const_ptr_api! { pub fn X509_get_ext_by_critical(x: #[const_ptr_if(any(ossl110, libressl280))] X509, crit: c_int, lastpos: c_int) -> c_int; pub fn X509_get_ext(x: #[const_ptr_if(any(ossl110, libressl280))] X509, loc: c_int) -> *mut X509_EXTENSION; pub fn X509_get_ext_d2i( - x: #[const_ptr_if(any(ossl110, libressl280))] ::X509, + x: #[const_ptr_if(any(ossl110, libressl280))] X509, nid: c_int, crit: *mut c_int, idx: *mut c_int, @@ -571,7 +571,7 @@ const_ptr_api! { pub fn X509_CRL_get_ext_by_critical(x: #[const_ptr_if(any(ossl110, libressl280))] X509_CRL, crit: c_int, lastpos: c_int) -> c_int; pub fn X509_CRL_get_ext(x: #[const_ptr_if(any(ossl110, libressl280))] X509_CRL, loc: c_int) -> *mut X509_EXTENSION; pub fn X509_CRL_get_ext_d2i( - x: #[const_ptr_if(any(ossl110, libressl280))] ::X509_CRL, + x: #[const_ptr_if(any(ossl110, libressl280))] X509_CRL, nid: c_int, crit: *mut c_int, idx: *mut c_int, @@ -583,7 +583,7 @@ const_ptr_api! { pub fn X509_REVOKED_get_ext_by_critical(x: #[const_ptr_if(any(ossl110, libressl280))] X509_REVOKED, crit: c_int, lastpos: c_int) -> c_int; pub fn X509_REVOKED_get_ext(x: #[const_ptr_if(any(ossl110, libressl280))] X509_REVOKED, loc: c_int) -> *mut X509_EXTENSION; pub fn X509_REVOKED_get_ext_d2i( - x: #[const_ptr_if(any(ossl110, libressl280))] ::X509_REVOKED, + x: #[const_ptr_if(any(ossl110, libressl280))] X509_REVOKED, nid: c_int, crit: *mut c_int, idx: *mut c_int, diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs index 48e6371c46..9adf63fa0e 100644 --- a/openssl-sys/src/handwritten/x509_vfy.rs +++ b/openssl-sys/src/handwritten/x509_vfy.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; #[cfg(any(libressl, all(ossl102, not(ossl110))))] pub enum X509_VERIFY_PARAM_ID {} diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index a47b815ad9..d0923e32b2 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -1,5 +1,5 @@ +use super::super::*; use libc::*; -use *; pub enum CONF_METHOD {} diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 0d6676827e..b1d51a8580 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -1,6 +1,7 @@ #![allow( clippy::missing_safety_doc, clippy::unreadable_literal, + clippy::uninlined_format_args, clippy::upper_case_acronyms, dead_code, non_camel_case_types, @@ -130,7 +131,7 @@ mod openssl { ) { let mutex = &(*MUTEXES)[n as usize]; - if mode & ::CRYPTO_LOCK != 0 { + if mode & CRYPTO_LOCK != 0 { (*GUARDS)[n as usize] = Some(mutex.lock().unwrap()); } else { if let None = (*GUARDS)[n as usize].take() { @@ -165,7 +166,7 @@ mod openssl { SSL_load_error_strings(); OPENSSL_add_all_algorithms_noconf(); - let num_locks = ::CRYPTO_num_locks(); + let num_locks = CRYPTO_num_locks(); let mut mutexes = Box::new(Vec::new()); for _ in 0..num_locks { mutexes.push(Mutex::new(())); diff --git a/openssl-sys/src/macros.rs b/openssl-sys/src/macros.rs index cb675f6e41..e1b08c467a 100644 --- a/openssl-sys/src/macros.rs +++ b/openssl-sys/src/macros.rs @@ -63,7 +63,7 @@ macro_rules! stack { } else { #[repr(C)] pub struct $t { - pub stack: ::_STACK, + pub stack: $crate::_STACK, } } } diff --git a/openssl-sys/src/ocsp.rs b/openssl-sys/src/ocsp.rs index 7efac4d449..fc0db39e90 100644 --- a/openssl-sys/src/ocsp.rs +++ b/openssl-sys/src/ocsp.rs @@ -1,7 +1,5 @@ use libc::*; -use *; - pub const OCSP_REVOKED_STATUS_NOSTATUS: c_int = -1; pub const OCSP_REVOKED_STATUS_UNSPECIFIED: c_int = 0; pub const OCSP_REVOKED_STATUS_KEYCOMPROMISE: c_int = 1; diff --git a/openssl-sys/src/pem.rs b/openssl-sys/src/pem.rs index 2a05ad58cd..f7dd8ac30d 100644 --- a/openssl-sys/src/pem.rs +++ b/openssl-sys/src/pem.rs @@ -1,5 +1,3 @@ use libc::*; -use *; - pub const PEM_R_NO_START_LINE: c_int = 108; diff --git a/openssl-sys/src/pkcs7.rs b/openssl-sys/src/pkcs7.rs index 188693f9f2..0a56225a91 100644 --- a/openssl-sys/src/pkcs7.rs +++ b/openssl-sys/src/pkcs7.rs @@ -1,7 +1,5 @@ use libc::*; -use *; - pub const PKCS7_TEXT: c_int = 0x1; pub const PKCS7_NOCERTS: c_int = 0x2; pub const PKCS7_NOSIGS: c_int = 0x4; diff --git a/openssl-sys/src/rsa.rs b/openssl-sys/src/rsa.rs index 351ac84c03..ff30cf1e23 100644 --- a/openssl-sys/src/rsa.rs +++ b/openssl-sys/src/rsa.rs @@ -1,7 +1,7 @@ use libc::*; use std::ptr; -use *; +use super::super::*; pub const RSA_F4: c_long = 0x10001; diff --git a/openssl-sys/src/sha.rs b/openssl-sys/src/sha.rs index 8b77f546c6..4ad0c17cda 100644 --- a/openssl-sys/src/sha.rs +++ b/openssl-sys/src/sha.rs @@ -1,6 +1,6 @@ +use super::*; use libc::*; use std::ptr; -use *; #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] pub const SHA_LBLOCK: c_int = 16; diff --git a/openssl-sys/src/srtp.rs b/openssl-sys/src/srtp.rs index 78298d23ec..93c77970c9 100644 --- a/openssl-sys/src/srtp.rs +++ b/openssl-sys/src/srtp.rs @@ -1,7 +1,5 @@ use libc::*; -use *; - pub const SRTP_AES128_CM_SHA1_80: c_ulong = 0x0001; pub const SRTP_AES128_CM_SHA1_32: c_ulong = 0x0002; pub const SRTP_AES128_F8_SHA1_80: c_ulong = 0x0003; diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs index c66e42c2c9..e812673333 100644 --- a/openssl-sys/src/ssl.rs +++ b/openssl-sys/src/ssl.rs @@ -1,7 +1,7 @@ use libc::*; use std::ptr; -use *; +use super::*; #[cfg(not(ossl110))] pub const SSL_MAX_KRB5_PRINCIPAL_LENGTH: c_int = 256; @@ -415,7 +415,7 @@ cfg_if! { } #[cfg(ossl102)] -pub unsafe fn SSL_add0_chain_cert(ssl: *mut ::SSL, ptr: *mut X509) -> c_long { +pub unsafe fn SSL_add0_chain_cert(ssl: *mut SSL, ptr: *mut X509) -> c_long { SSL_ctrl(ssl, SSL_CTRL_CHAIN_CERT, 0, ptr as *mut c_void) } @@ -440,7 +440,7 @@ pub unsafe fn SSL_CTX_set_ecdh_auto(ctx: *mut SSL_CTX, onoff: c_int) -> c_int { } #[cfg(any(libressl, all(ossl102, not(ossl110))))] -pub unsafe fn SSL_set_ecdh_auto(ssl: *mut ::SSL, onoff: c_int) -> c_int { +pub unsafe fn SSL_set_ecdh_auto(ssl: *mut SSL, onoff: c_int) -> c_int { SSL_ctrl( ssl, SSL_CTRL_SET_ECDH_AUTO, @@ -579,12 +579,12 @@ extern "C" { #[deprecated(note = "use SSL_CTX_set_tmp_ecdh_callback__fixed_rust instead")] #[cfg(not(ossl110))] pub fn SSL_CTX_set_tmp_ecdh_callback( - ctx: *mut ::SSL_CTX, + ctx: *mut SSL_CTX, ecdh: unsafe extern "C" fn( - ssl: *mut ::SSL, + ssl: *mut SSL, is_export: c_int, keylength: c_int, - ) -> *mut ::EC_KEY, + ) -> *mut EC_KEY, ); #[deprecated(note = "use SSL_set_tmp_ecdh_callback__fixed_rust instead")] #[cfg(not(ossl110))] diff --git a/openssl-sys/src/tls1.rs b/openssl-sys/src/tls1.rs index d02f5c0497..f7ae302046 100644 --- a/openssl-sys/src/tls1.rs +++ b/openssl-sys/src/tls1.rs @@ -2,7 +2,7 @@ use libc::*; use std::mem; use std::ptr; -use *; +use super::*; pub const TLS1_VERSION: c_int = 0x301; pub const TLS1_1_VERSION: c_int = 0x302; diff --git a/openssl-sys/src/types.rs b/openssl-sys/src/types.rs index dbf11291af..10c8f6771a 100644 --- a/openssl-sys/src/types.rs +++ b/openssl-sys/src/types.rs @@ -1,5 +1,6 @@ use libc::*; -use *; + +use super::*; cfg_if! { if #[cfg(any(ossl110, libressl280))] { diff --git a/openssl-sys/src/x509.rs b/openssl-sys/src/x509.rs index 0263c00b69..714b06c9bc 100644 --- a/openssl-sys/src/x509.rs +++ b/openssl-sys/src/x509.rs @@ -1,7 +1,5 @@ use libc::*; -use *; - pub const X509_FILETYPE_PEM: c_int = 1; pub const X509_FILETYPE_ASN1: c_int = 2; pub const X509_FILETYPE_DEFAULT: c_int = 3; diff --git a/openssl-sys/src/x509_vfy.rs b/openssl-sys/src/x509_vfy.rs index 455a748b52..2fa176fed5 100644 --- a/openssl-sys/src/x509_vfy.rs +++ b/openssl-sys/src/x509_vfy.rs @@ -1,6 +1,6 @@ use libc::*; -use *; +use super::*; pub const X509_V_OK: c_int = 0; #[cfg(ossl102f)] diff --git a/openssl-sys/src/x509v3.rs b/openssl-sys/src/x509v3.rs index ed135fa99b..5ae4439083 100644 --- a/openssl-sys/src/x509v3.rs +++ b/openssl-sys/src/x509v3.rs @@ -1,6 +1,6 @@ use libc::*; -use *; +use super::*; #[repr(C)] pub struct GENERAL_NAME { diff --git a/openssl/build.rs b/openssl/build.rs index fc6492292c..7651429f38 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -1,4 +1,8 @@ -#![allow(clippy::inconsistent_digit_grouping, clippy::unusual_byte_groupings)] +#![allow( + clippy::inconsistent_digit_grouping, + clippy::uninlined_format_args, + clippy::unusual_byte_groupings +)] use std::env; diff --git a/openssl/examples/mk_certs.rs b/openssl/examples/mk_certs.rs index e944af06bc..48538c7a74 100644 --- a/openssl/examples/mk_certs.rs +++ b/openssl/examples/mk_certs.rs @@ -1,3 +1,5 @@ +#![allow(clippy::uninlined_format_args)] + //! A program that generates ca certs, certs verified by the ca, and public //! and private keys. diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 035c90c682..8988f4c3c0 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -119,6 +119,7 @@ //! ``` #![doc(html_root_url = "https://docs.rs/openssl/0.10")] #![warn(rust_2018_idioms)] +#![allow(clippy::uninlined_format_args)] #[doc(inline)] pub use ffi::init; diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 9cfda48105..51738651c6 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -711,7 +711,7 @@ mod test { #[cfg(not(boringssl))] fn test_hmac(ty: MessageDigest, tests: &[(Vec, Vec, Vec)]) { - for &(ref key, ref data, ref res) in tests.iter() { + for (key, data, res) in tests.iter() { let pkey = PKey::hmac(key).unwrap(); let mut signer = Signer::new(ty, &pkey).unwrap(); signer.update(data).unwrap(); diff --git a/systest/build.rs b/systest/build.rs index e54438114b..34677d204f 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -1,3 +1,5 @@ +#![allow(clippy::uninlined_format_args)] + use std::env; #[allow(clippy::inconsistent_digit_grouping, clippy::unusual_byte_groupings)] From c03d56cf81860357316ed9a60c8bd6e7dfdee740 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 6 Feb 2023 20:23:05 -0500 Subject: [PATCH 060/209] Add a 3.1.0-beta1 CI build --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3b7b4dc9cc..3b70429224 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -156,6 +156,9 @@ jobs: version: 5697a9202615925696f8dc7f4e286d44d474769e - name: openssl version: vendored + - name: openssl + version: 3.1.0-beta1 + dl-path: / - name: openssl version: 3.0.7 dl-path: / From 26fc7974e0b1f620a2a3788e93c811202a29ba33 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Wed, 8 Feb 2023 09:16:39 -0500 Subject: [PATCH 061/209] Bump CI versions --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3b70429224..43abdf7a69 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -160,10 +160,10 @@ jobs: version: 3.1.0-beta1 dl-path: / - name: openssl - version: 3.0.7 + version: 3.0.8 dl-path: / - name: openssl - version: 1.1.1s + version: 1.1.1t dl-path: / - name: openssl version: 1.1.0l From 3bf2b3a90532476ba6e480ab7ab63620fff437cf Mon Sep 17 00:00:00 2001 From: Maurice Lam Date: Fri, 10 Feb 2023 02:08:10 +0000 Subject: [PATCH 062/209] Expand documentation on PkeyCtxRef's HKDF APIs --- openssl/src/pkey_ctx.rs | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index f79372fb11..c9eb1ec744 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -84,8 +84,23 @@ pub struct HkdfMode(c_int); #[cfg(ossl111)] impl HkdfMode { + /// This is the default mode. Calling [`derive`][PkeyCtxRef::derive] on a [`PkeyCtxRef`] set up + /// for HKDF will perform an extract followed by an expand operation in one go. The derived key + /// returned will be the result after the expand operation. The intermediate fixed-length + /// pseudorandom key K is not returned. pub const EXTRACT_THEN_EXPAND: Self = HkdfMode(ffi::EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND); + + /// In this mode calling [`derive`][PkeyCtxRef::derive] will just perform the extract operation. + /// The value returned will be the intermediate fixed-length pseudorandom key K. + /// + /// The digest, key and salt values must be set before a key is derived or an error occurs. pub const EXTRACT_ONLY: Self = HkdfMode(ffi::EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY); + + /// In this mode calling [`derive`][PkeyCtxRef::derive] will just perform the expand operation. + /// The input key should be set to the intermediate fixed-length pseudorandom key K returned + /// from a previous extract operation. + /// + /// The digest, key and info values must be set before a key is derived or an error occurs. pub const EXPAND_ONLY: Self = HkdfMode(ffi::EVP_PKEY_HKDEF_MODE_EXPAND_ONLY); } @@ -487,6 +502,10 @@ impl PkeyCtxRef { /// /// Defaults to [`HkdfMode::EXTRACT_THEN_EXPAND`]. /// + /// WARNING: Although this API calls it a "mode", HKDF-Extract and HKDF-Expand are distinct + /// operations with distinct inputs and distinct kinds of keys. Callers should not pass input + /// secrets for one operation into the other. + /// /// Requires OpenSSL 1.1.1 or newer. #[corresponds(EVP_PKEY_CTX_set_hkdf_mode)] #[cfg(ossl111)] @@ -499,7 +518,12 @@ impl PkeyCtxRef { Ok(()) } - /// Sets the input keying material for HKDF generation. + /// Sets the input material for HKDF generation as the "key". + /// + /// Which input is the key depends on the "mode" (see [`set_hkdf_mode`][Self::set_hkdf_mode]). + /// If [`HkdfMode::EXTRACT_THEN_EXPAND`] or [`HkdfMode::EXTRACT_ONLY`], this function specifies + /// the input keying material (IKM) for HKDF-Extract. If [`HkdfMode::EXPAND_ONLY`], it instead + /// specifies the pseudorandom key (PRK) for HKDF-Expand. /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_key)] @@ -521,6 +545,8 @@ impl PkeyCtxRef { /// Sets the salt value for HKDF generation. /// + /// If performing HKDF-Expand only, this parameter is ignored. + /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_salt)] #[cfg(ossl110)] @@ -541,6 +567,8 @@ impl PkeyCtxRef { /// Appends info bytes for HKDF generation. /// + /// If performing HKDF-Extract only, this parameter is ignored. + /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_add1_hkdf_info)] #[cfg(ossl110)] From cc826a562b39b42d472f579f6809cb7014eab769 Mon Sep 17 00:00:00 2001 From: Maurice Lam Date: Fri, 10 Feb 2023 18:33:58 +0000 Subject: [PATCH 063/209] Run cargo fmt --- openssl/src/pkey_ctx.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index c9eb1ec744..42289b9f48 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -568,7 +568,7 @@ impl PkeyCtxRef { /// Appends info bytes for HKDF generation. /// /// If performing HKDF-Extract only, this parameter is ignored. - /// + /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_add1_hkdf_info)] #[cfg(ossl110)] From 140a0b92f9d84a81c339cd52fe4e2129b241b08a Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Sun, 12 Feb 2023 17:08:39 +0000 Subject: [PATCH 064/209] Fix cert verification failure tests This swaps the verification failure tests over from checking the error string to checking the error id against the constant exposed by openssl-sys to make the tests more reliable. This was required by the string changing in OpenSSL 3.0.8. --- openssl/src/x509/tests.rs | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 5f41342522..9457238c33 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -490,6 +490,7 @@ fn test_verify_cert_with_wrong_purpose_fails() { let store = store_bldr.build(); + let expected_error = ffi::X509_V_ERR_INVALID_PURPOSE; let mut context = X509StoreContext::new().unwrap(); assert_eq!( context @@ -498,8 +499,8 @@ fn test_verify_cert_with_wrong_purpose_fails() { Ok(c.error()) }) .unwrap() - .error_string(), - "unsupported certificate purpose" + .as_raw(), + expected_error ) } @@ -828,7 +829,7 @@ fn test_set_purpose_fails_verification() { store_bldr.set_param(&verify_params).unwrap(); let store = store_bldr.build(); - let expected_error = "unsupported certificate purpose"; + let expected_error = ffi::X509_V_ERR_INVALID_PURPOSE; let mut context = X509StoreContext::new().unwrap(); assert_eq!( context @@ -837,7 +838,7 @@ fn test_set_purpose_fails_verification() { Ok(c.error()) }) .unwrap() - .error_string(), + .as_raw(), expected_error ) } From b91f6a2d0572f00d0baa93d98d3512802704ca0f Mon Sep 17 00:00:00 2001 From: Ladislav Sladecek Date: Tue, 19 Jan 2021 20:10:25 +0100 Subject: [PATCH 065/209] Add CMS_verify() method. --- openssl-sys/src/handwritten/cms.rs | 10 ++ openssl/src/cms.rs | 161 ++++++++++++++++++++++++++++- 2 files changed, 169 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/handwritten/cms.rs b/openssl-sys/src/handwritten/cms.rs index 7eff2c4d49..6606dac3a6 100644 --- a/openssl-sys/src/handwritten/cms.rs +++ b/openssl-sys/src/handwritten/cms.rs @@ -35,6 +35,16 @@ extern "C" { flags: c_uint, ) -> *mut CMS_ContentInfo; + #[cfg(ossl101)] + pub fn CMS_verify( + cms: *mut ::CMS_ContentInfo, + certs: *mut ::stack_st_X509, + store: *mut ::X509_STORE, + indata: *mut ::BIO, + out: *mut ::BIO, + flags: c_uint, + ) -> c_int; + #[cfg(ossl101)] pub fn CMS_encrypt( certs: *mut stack_st_X509, diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index bef21f93c9..31ab5b9110 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -15,7 +15,7 @@ use crate::error::ErrorStack; use crate::pkey::{HasPrivate, PKeyRef}; use crate::stack::StackRef; use crate::symm::Cipher; -use crate::x509::{X509Ref, X509}; +use crate::x509::{store::X509StoreRef, X509Ref, X509}; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; @@ -227,14 +227,61 @@ impl CmsContentInfo { Ok(CmsContentInfo::from_ptr(cms)) } } + + /// Verify this CmsContentInfo's signature, given a stack of certificates + /// in certs, an X509 store in store. If the signature is detached, the + /// data can be passed in data. The data sans signature will be copied + /// into output_data if it is present. + /// + /// OpenSSL documentation at [`CMS_verify`] + /// + /// [`CMS_verify`]: https://www.openssl.org/docs/manmaster/man3/CMS_verify.html + pub fn verify( + &mut self, + certs: Option<&StackRef>, + store: &X509StoreRef, + indata: Option<&[u8]>, + output_data: Option<&mut Vec>, + flags: CMSOptions, + ) -> Result<(), ErrorStack> { + unsafe { + let certs_ptr = certs.map_or(ptr::null_mut(), |p| p.as_ptr()); + let indata_bio = match indata { + Some(data) => Some(MemBioSlice::new(data)?), + None => None, + }; + let indata_bio_ptr = indata_bio.as_ref().map_or(ptr::null_mut(), |p| p.as_ptr()); + let out_bio = MemBio::new()?; + + cvt(ffi::CMS_verify( + self.as_ptr(), + certs_ptr, + store.as_ptr(), + indata_bio_ptr, + out_bio.as_ptr(), + flags.bits(), + ))?; + + if let Some(out_data) = output_data { + *out_data = out_bio.get_buf().to_vec(); + }; + + Ok(()) + } + } } #[cfg(test)] mod test { use super::*; + use crate::pkcs12::Pkcs12; + use crate::pkey::PKey; use crate::stack::Stack; - use crate::x509::X509; + use crate::x509::{ + store::{X509Store, X509StoreBuilder}, + X509, + }; #[test] fn cms_encrypt_decrypt() { @@ -317,4 +364,114 @@ mod test { assert_eq!(input, decrypt_without_cert_check); } } + + fn cms_sign_verify_generic_helper(is_detached: bool) { + // load cert with private key + let cert_bytes = include_bytes!("../test/cert.pem"); + let cert = X509::from_pem(cert_bytes).expect("failed to load cert.pem"); + + let key_bytes = include_bytes!("../test/key.pem"); + let key = PKey::private_key_from_pem(key_bytes).expect("failed to load key.pem"); + + let root_bytes = include_bytes!("../test/root-ca.pem"); + let root = X509::from_pem(root_bytes).expect("failed to load root-ca.pem"); + + // sign cms message using public key cert + let data = b"Hello world!"; + + let (opt, ext_data): (CMSOptions, Option<&[u8]>) = if is_detached { + (CMSOptions::DETACHED | CMSOptions::BINARY, Some(data)) + } else { + (CMSOptions::empty(), None) + }; + + let mut cms = CmsContentInfo::sign(Some(&cert), Some(&key), None, Some(data), opt) + .expect("failed to CMS sign a message"); + + // check CMS signature length + let pem_cms = cms + .to_pem() + .expect("failed to pack CmsContentInfo into PEM"); + assert!(!pem_cms.is_empty()); + + // verify CMS signature + let mut builder = X509StoreBuilder::new().expect("failed to create X509StoreBuilder"); + builder + .add_cert(root) + .expect("failed to add root-ca into X509StoreBuilder"); + let store: X509Store = builder.build(); + let mut out_data: Vec = Vec::new(); + let res = cms.verify( + None, + &store, + ext_data, + Some(&mut out_data), + CMSOptions::empty(), + ); + + // check verification result - valid signature + res.unwrap(); + assert_eq!(data.len(), out_data.len()); + } + + #[test] + fn cms_sign_verify_ok() { + cms_sign_verify_generic_helper(false); + } + + #[test] + fn cms_sign_verify_detached_ok() { + cms_sign_verify_generic_helper(true); + } + + #[test] + fn cms_sign_verify_error() { + #[cfg(ossl300)] + let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); + + // load cert with private key + let priv_cert_bytes = include_bytes!("../test/cms.p12"); + let priv_cert = Pkcs12::from_der(priv_cert_bytes).expect("failed to load priv cert"); + let priv_cert = priv_cert + .parse("mypass") + .expect("failed to parse priv cert"); + + // sign cms message using public key cert + let data = b"Hello world!"; + let mut cms = CmsContentInfo::sign( + Some(&priv_cert.cert), + Some(&priv_cert.pkey), + None, + Some(data), + CMSOptions::empty(), + ) + .expect("failed to CMS sign a message"); + + // check CMS signature length + let pem_cms = cms + .to_pem() + .expect("failed to pack CmsContentInfo into PEM"); + assert!(!pem_cms.is_empty()); + + let empty_store = X509StoreBuilder::new() + .expect("failed to create X509StoreBuilder") + .build(); + + // verify CMS signature + let res = cms.verify(None, &empty_store, Some(data), None, CMSOptions::empty()); + + // check verification result - this is an invalid signature + match res { + Err(es) => { + let error_array = es.errors(); + assert_eq!(1, error_array.len()); + let err = error_array[0] + .data() + .expect("failed to retrieve verification error data"); + let err1 = err.replace(" self-", "self "); + assert_eq!("Verify error:self signed certificate", err1); + } + _ => panic!("expected CMS verification error, got Ok()"), + } + } } From 52fd5a4039b03be5519fddf49199b04380933aea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Wed, 5 Jan 2022 19:01:54 +0100 Subject: [PATCH 066/209] Setting provider in openssl::ssl::test::zero_length_buffers. --- openssl/src/ssl/test/mod.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index ddf01f2dd0..668ea421e8 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -258,6 +258,9 @@ fn clear_ctx_options() { #[test] fn zero_length_buffers() { + #[cfg(ossl300)] + let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); + let server = Server::builder().build(); let mut s = server.client().connect(); From 39782084c56157ba83ac769b7c9ff024238a579f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Wed, 8 Feb 2023 19:34:40 +0100 Subject: [PATCH 067/209] Rebase to current master with fixes. --- openssl-sys/src/handwritten/cms.rs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/openssl-sys/src/handwritten/cms.rs b/openssl-sys/src/handwritten/cms.rs index 6606dac3a6..e62e6295f9 100644 --- a/openssl-sys/src/handwritten/cms.rs +++ b/openssl-sys/src/handwritten/cms.rs @@ -37,11 +37,11 @@ extern "C" { #[cfg(ossl101)] pub fn CMS_verify( - cms: *mut ::CMS_ContentInfo, - certs: *mut ::stack_st_X509, - store: *mut ::X509_STORE, - indata: *mut ::BIO, - out: *mut ::BIO, + cms: *mut CMS_ContentInfo, + certs: *mut stack_st_X509, + store: *mut X509_STORE, + indata: *mut BIO, + out: *mut BIO, flags: c_uint, ) -> c_int; From 5cd2429277b99bfa01389fa50a91ebf3427f55f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Wed, 8 Feb 2023 19:53:54 +0100 Subject: [PATCH 068/209] Fixed new warning --- openssl/src/cms.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index 31ab5b9110..c68b74dd68 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -433,14 +433,14 @@ mod test { let priv_cert_bytes = include_bytes!("../test/cms.p12"); let priv_cert = Pkcs12::from_der(priv_cert_bytes).expect("failed to load priv cert"); let priv_cert = priv_cert - .parse("mypass") + .parse2("mypass") .expect("failed to parse priv cert"); // sign cms message using public key cert let data = b"Hello world!"; let mut cms = CmsContentInfo::sign( - Some(&priv_cert.cert), - Some(&priv_cert.pkey), + Some(&priv_cert.cert.unwrap()), + Some(&priv_cert.pkey.unwrap()), None, Some(data), CMSOptions::empty(), From 11291cc5b8e23a1455b184d282e7794090db204d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Mon, 13 Feb 2023 16:35:33 +0100 Subject: [PATCH 069/209] Rename 'indata' to 'detached_data'. --- openssl-sys/src/handwritten/cms.rs | 2 +- openssl/src/cms.rs | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/openssl-sys/src/handwritten/cms.rs b/openssl-sys/src/handwritten/cms.rs index e62e6295f9..a13ea423c4 100644 --- a/openssl-sys/src/handwritten/cms.rs +++ b/openssl-sys/src/handwritten/cms.rs @@ -40,7 +40,7 @@ extern "C" { cms: *mut CMS_ContentInfo, certs: *mut stack_st_X509, store: *mut X509_STORE, - indata: *mut BIO, + detached_data: *mut BIO, out: *mut BIO, flags: c_uint, ) -> c_int; diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index c68b74dd68..3b4964c9fe 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -240,24 +240,24 @@ impl CmsContentInfo { &mut self, certs: Option<&StackRef>, store: &X509StoreRef, - indata: Option<&[u8]>, + detached_data: Option<&[u8]>, output_data: Option<&mut Vec>, flags: CMSOptions, ) -> Result<(), ErrorStack> { unsafe { let certs_ptr = certs.map_or(ptr::null_mut(), |p| p.as_ptr()); - let indata_bio = match indata { + let detached_data_bio = match detached_data { Some(data) => Some(MemBioSlice::new(data)?), None => None, }; - let indata_bio_ptr = indata_bio.as_ref().map_or(ptr::null_mut(), |p| p.as_ptr()); + let detached_data_bio_ptr = detached_data_bio.as_ref().map_or(ptr::null_mut(), |p| p.as_ptr()); let out_bio = MemBio::new()?; cvt(ffi::CMS_verify( self.as_ptr(), certs_ptr, store.as_ptr(), - indata_bio_ptr, + detached_data_bio_ptr, out_bio.as_ptr(), flags.bits(), ))?; From 08f39c0bf5b458ec038bf4820396225e9ec6729e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Mon, 13 Feb 2023 17:23:25 +0100 Subject: [PATCH 070/209] Remove legacy provider. --- openssl/src/ssl/test/mod.rs | 3 --- 1 file changed, 3 deletions(-) diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 668ea421e8..ddf01f2dd0 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -258,9 +258,6 @@ fn clear_ctx_options() { #[test] fn zero_length_buffers() { - #[cfg(ossl300)] - let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); - let server = Server::builder().build(); let mut s = server.client().connect(); From 044bf8263896080f9002de355b76fec682260433 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Mon, 13 Feb 2023 17:26:05 +0100 Subject: [PATCH 071/209] Compare whole arrays in test. --- openssl/src/cms.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index 3b4964c9fe..b2a10d0163 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -411,7 +411,7 @@ mod test { // check verification result - valid signature res.unwrap(); - assert_eq!(data.len(), out_data.len()); + assert_eq!(data.to_vec(), out_data); } #[test] From 400d85fe9d5c4e29a5de8c3668eea3ff7c55a3e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Mon, 13 Feb 2023 17:26:37 +0100 Subject: [PATCH 072/209] Improve comments. --- openssl/src/cms.rs | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index b2a10d0163..85f8401b49 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -228,14 +228,14 @@ impl CmsContentInfo { } } - /// Verify this CmsContentInfo's signature, given a stack of certificates - /// in certs, an X509 store in store. If the signature is detached, the - /// data can be passed in data. The data sans signature will be copied - /// into output_data if it is present. + /// Verify this CmsContentInfo's signature, + /// This will search the 'certs' list for the signing certificate. + /// Additional certificates, needed for building the certificate chain, may be + /// given in 'store' as well as additional CRLs. + /// A detached signature may be passed in `detached_data`. The signed content + /// without signature, will be copied into output_data if it is present. /// - /// OpenSSL documentation at [`CMS_verify`] - /// - /// [`CMS_verify`]: https://www.openssl.org/docs/manmaster/man3/CMS_verify.html + #[corresponds(CMS_verify)] pub fn verify( &mut self, certs: Option<&StackRef>, From dc78915dcae9561afb74ff7fac0b6802e89546a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Mon, 13 Feb 2023 17:27:26 +0100 Subject: [PATCH 073/209] Change store to Option --- openssl/src/cms.rs | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index 85f8401b49..b9680fd5ea 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -239,13 +239,14 @@ impl CmsContentInfo { pub fn verify( &mut self, certs: Option<&StackRef>, - store: &X509StoreRef, + store: Option<&X509StoreRef>, detached_data: Option<&[u8]>, output_data: Option<&mut Vec>, flags: CMSOptions, ) -> Result<(), ErrorStack> { unsafe { let certs_ptr = certs.map_or(ptr::null_mut(), |p| p.as_ptr()); + let store_ptr = store.map_or(ptr::null_mut(), |p| p.as_ptr()); let detached_data_bio = match detached_data { Some(data) => Some(MemBioSlice::new(data)?), None => None, @@ -256,7 +257,7 @@ impl CmsContentInfo { cvt(ffi::CMS_verify( self.as_ptr(), certs_ptr, - store.as_ptr(), + store_ptr, detached_data_bio_ptr, out_bio.as_ptr(), flags.bits(), @@ -403,7 +404,7 @@ mod test { let mut out_data: Vec = Vec::new(); let res = cms.verify( None, - &store, + Some(&store), ext_data, Some(&mut out_data), CMSOptions::empty(), @@ -458,7 +459,7 @@ mod test { .build(); // verify CMS signature - let res = cms.verify(None, &empty_store, Some(data), None, CMSOptions::empty()); + let res = cms.verify(None, Some(&empty_store), Some(data), None, CMSOptions::empty()); // check verification result - this is an invalid signature match res { From 25ccfc68b4d256c43e2bd850192ad33b70a69059 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Mon, 13 Feb 2023 17:56:23 +0100 Subject: [PATCH 074/209] Make error test more robust --- openssl/src/cms.rs | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index b9680fd5ea..b86267a4f2 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -467,10 +467,8 @@ mod test { let error_array = es.errors(); assert_eq!(1, error_array.len()); let err = error_array[0] - .data() - .expect("failed to retrieve verification error data"); - let err1 = err.replace(" self-", "self "); - assert_eq!("Verify error:self signed certificate", err1); + .code(); + assert_eq!(err, 0); } _ => panic!("expected CMS verification error, got Ok()"), } From a4180459f4057b49d0e5e5d3831b7501177ab3bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Tue, 14 Feb 2023 17:47:16 +0100 Subject: [PATCH 075/209] Replace string check with code check in test 'cms_sign_verify_error'. --- openssl/src/cms.rs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index b86267a4f2..6f020f4b1e 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -462,13 +462,14 @@ mod test { let res = cms.verify(None, Some(&empty_store), Some(data), None, CMSOptions::empty()); // check verification result - this is an invalid signature + // defined in openssl crypto/cms/cms.h + const CMS_R_CERTIFICATE_VERIFY_ERROR: i32 = 100; match res { Err(es) => { let error_array = es.errors(); assert_eq!(1, error_array.len()); - let err = error_array[0] - .code(); - assert_eq!(err, 0); + let code = error_array[0].code(); + assert_eq!(ffi::ERR_GET_REASON(code), CMS_R_CERTIFICATE_VERIFY_ERROR); } _ => panic!("expected CMS verification error, got Ok()"), } From 1e47c74c8d3604ab4dde04333b187667459e3837 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Tue, 14 Feb 2023 18:10:59 +0100 Subject: [PATCH 076/209] Reuse output_data manipulation from pkcs7 in CMS. --- openssl/src/cms.rs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index 6f020f4b1e..5f9fdd847d 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -263,8 +263,9 @@ impl CmsContentInfo { flags.bits(), ))?; - if let Some(out_data) = output_data { - *out_data = out_bio.get_buf().to_vec(); + if let Some(data) = output_data { + data.clear(); + data.extend_from_slice(out_bio.get_buf()); }; Ok(()) From 705f592e71226a052efc15417a868bc56596830d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Tue, 14 Feb 2023 18:14:45 +0100 Subject: [PATCH 077/209] Reformat. --- openssl/src/cms.rs | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index 5f9fdd847d..6b6aa9fd8c 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -232,7 +232,7 @@ impl CmsContentInfo { /// This will search the 'certs' list for the signing certificate. /// Additional certificates, needed for building the certificate chain, may be /// given in 'store' as well as additional CRLs. - /// A detached signature may be passed in `detached_data`. The signed content + /// A detached signature may be passed in `detached_data`. The signed content /// without signature, will be copied into output_data if it is present. /// #[corresponds(CMS_verify)] @@ -251,7 +251,9 @@ impl CmsContentInfo { Some(data) => Some(MemBioSlice::new(data)?), None => None, }; - let detached_data_bio_ptr = detached_data_bio.as_ref().map_or(ptr::null_mut(), |p| p.as_ptr()); + let detached_data_bio_ptr = detached_data_bio + .as_ref() + .map_or(ptr::null_mut(), |p| p.as_ptr()); let out_bio = MemBio::new()?; cvt(ffi::CMS_verify( @@ -460,7 +462,13 @@ mod test { .build(); // verify CMS signature - let res = cms.verify(None, Some(&empty_store), Some(data), None, CMSOptions::empty()); + let res = cms.verify( + None, + Some(&empty_store), + Some(data), + None, + CMSOptions::empty(), + ); // check verification result - this is an invalid signature // defined in openssl crypto/cms/cms.h From bfb7518c9c89b4e7bab223e0caa4b5e6ad0cf968 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ladislav=20Sl=C3=A1de=C4=8Dek?= Date: Tue, 14 Feb 2023 18:28:03 +0100 Subject: [PATCH 078/209] Changelog --- openssl/CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 0af50bcc24..79dd8c2b42 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,8 @@ ## [Unreleased] +* Added `CMS_verify`. + ## [v0.10.45] - 2022-12-20 ### Fixed From 667737fd0f40e74bcc1d4d9c9d060a63205b3544 Mon Sep 17 00:00:00 2001 From: Jimmy Brush Date: Tue, 14 Feb 2023 19:44:22 -0500 Subject: [PATCH 079/209] Add SSL_CTX_set_num_tickets and friends These are required to disable session tickets on TLS 1.3 connections. --- openssl-sys/src/handwritten/ssl.rs | 14 +++++++++++ openssl/src/ssl/mod.rs | 40 ++++++++++++++++++++++++++++++ openssl/src/ssl/test/mod.rs | 14 +++++++++++ 3 files changed, 68 insertions(+) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index a22f58931e..f179a04ab1 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -897,3 +897,17 @@ extern "C" { #[cfg(ossl110)] pub fn OPENSSL_init_ssl(opts: u64, settings: *const OPENSSL_INIT_SETTINGS) -> c_int; } + +extern "C" { + #[cfg(ossl111)] + pub fn SSL_CTX_set_num_tickets(ctx: *mut SSL_CTX, num_tickets: size_t) -> c_int; + + #[cfg(ossl111)] + pub fn SSL_set_num_tickets(s: *mut SSL, num_tickets: size_t) -> c_int; + + #[cfg(ossl111)] + pub fn SSL_CTX_get_num_tickets(ctx: *const SSL_CTX) -> size_t; + + #[cfg(ossl111)] + pub fn SSL_get_num_tickets(s: *const SSL) -> size_t; +} diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 8f40ce8212..be898d627e 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -1687,6 +1687,16 @@ impl SslContextBuilder { } } + /// Sets the number of TLS 1.3 session tickets that will be sent to a client after a full + /// handshake. + /// + /// Requires OpenSSL 1.1.1 or newer. + #[corresponds(SSL_CTX_set_num_tickets)] + #[cfg(ossl111)] + pub fn set_num_tickets(&mut self, num_tickets: usize) -> Result<(), ErrorStack> { + unsafe { cvt(ffi::SSL_CTX_set_num_tickets(self.as_ptr(), num_tickets)).map(|_| ()) } + } + /// Consumes the builder, returning a new `SslContext`. pub fn build(self) -> SslContext { self.0 @@ -1880,6 +1890,16 @@ impl SslContextRef { let mode = unsafe { ffi::SSL_CTX_get_verify_mode(self.as_ptr()) }; SslVerifyMode::from_bits(mode).expect("SSL_CTX_get_verify_mode returned invalid mode") } + + /// Gets the number of TLS 1.3 session tickets that will be sent to a client after a full + /// handshake. + /// + /// Requires OpenSSL 1.1.1 or newer. + #[corresponds(SSL_CTX_get_num_tickets)] + #[cfg(ossl111)] + pub fn num_tickets(&self) -> usize { + unsafe { ffi::SSL_CTX_get_num_tickets(self.as_ptr()) } + } } /// Information about the state of a cipher. @@ -3283,6 +3303,26 @@ impl SslRef { Ok(()) } } + + /// Sets the number of TLS 1.3 session tickets that will be sent to a client after a full + /// handshake. + /// + /// Requires OpenSSL 1.1.1 or newer. + #[corresponds(SSL_set_num_tickets)] + #[cfg(ossl111)] + pub fn set_num_tickets(&mut self, num_tickets: usize) -> Result<(), ErrorStack> { + unsafe { cvt(ffi::SSL_set_num_tickets(self.as_ptr(), num_tickets)).map(|_| ()) } + } + + /// Gets the number of TLS 1.3 session tickets that will be sent to a client after a full + /// handshake. + /// + /// Requires OpenSSL 1.1.1 or newer. + #[corresponds(SSL_get_num_tickets)] + #[cfg(ossl111)] + pub fn num_tickets(&self) -> usize { + unsafe { ffi::SSL_get_num_tickets(self.as_ptr()) } + } } /// An SSL stream midway through the handshake process. diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index ddf01f2dd0..1eb9fe4bad 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1477,3 +1477,17 @@ fn test_ssl_set_cert_chain_file() { let mut ssl = Ssl::new(&ctx).unwrap(); ssl.set_certificate_chain_file("test/cert.pem").unwrap(); } + +#[test] +#[cfg(ossl111)] +fn set_num_tickets() { + let mut ctx = SslContext::builder(SslMethod::tls_server()).unwrap(); + ctx.set_num_tickets(3).unwrap(); + let ctx = ctx.build(); + assert_eq!(3, ctx.num_tickets()); + + let mut ssl = Ssl::new(&ctx).unwrap(); + ssl.set_num_tickets(5).unwrap(); + let ssl = ssl; + assert_eq!(5, ssl.num_tickets()); +} From 8da6c721a84ce147a5942e672ab0e6e08c8bda49 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Wed, 22 Feb 2023 12:56:51 +0100 Subject: [PATCH 080/209] openssl: Fix `CIHPER` -> `CIPHER` typo --- openssl/src/cipher_ctx.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 379f83a7ba..211c58ba20 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -386,7 +386,7 @@ impl CipherCtxRef { /// # Panics /// /// Panics if the context has not been initialized with a cipher. - #[corresponds(EVP_CIHPER_CTX_ctrl)] + #[corresponds(EVP_CIPHER_CTX_ctrl)] pub fn set_iv_length(&mut self, len: usize) -> Result<(), ErrorStack> { self.assert_cipher(); From b821f00a1d0fa45a653d401538e68977a332ab71 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 24 Feb 2023 17:29:33 +0100 Subject: [PATCH 081/209] Fixed review comments. --- openssl-sys/src/handwritten/asn1.rs | 7 --- openssl-sys/src/handwritten/object.rs | 1 + openssl-sys/src/handwritten/pkcs7.rs | 18 +++++- openssl-sys/src/handwritten/types.rs | 9 +-- openssl-sys/src/handwritten/x509.rs | 70 +++++++++++++++++++++++- openssl-sys/src/handwritten/x509_attr.rs | 60 -------------------- 6 files changed, 88 insertions(+), 77 deletions(-) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index e866b1ea90..6e1f8c9b66 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -10,11 +10,8 @@ pub struct ASN1_ENCODING { extern "C" { pub fn ASN1_OBJECT_free(x: *mut ASN1_OBJECT); - pub fn OBJ_cmp(a: *const ASN1_OBJECT, b: *const ASN1_OBJECT) -> c_int; } -pub enum ASN1_OBJECT {} - stack!(stack_st_ASN1_OBJECT); #[repr(C)] @@ -42,10 +39,6 @@ pub union ASN1_TYPE_value { pub generalizedtime: *mut ASN1_GENERALIZEDTIME, pub visiblestring: *mut ASN1_VISIBLESTRING, pub utf8string: *mut ASN1_UTF8STRING, - /* - * set and sequence are left complete and still contain the set or - * sequence bytes - */ pub set: *mut ASN1_STRING, pub sequence: *mut ASN1_STRING, pub asn1_value: *mut ASN1_VALUE, diff --git a/openssl-sys/src/handwritten/object.rs b/openssl-sys/src/handwritten/object.rs index d2c525b806..5b4599c20a 100644 --- a/openssl-sys/src/handwritten/object.rs +++ b/openssl-sys/src/handwritten/object.rs @@ -27,4 +27,5 @@ extern "C" { pub fn OBJ_length(obj: *const ASN1_OBJECT) -> libc::size_t; #[cfg(ossl111)] pub fn OBJ_get0_data(obj: *const ASN1_OBJECT) -> *const c_uchar; + pub fn OBJ_cmp(a: *const ASN1_OBJECT, b: *const ASN1_OBJECT) -> c_int; } diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index 2f76cab9c2..332586515a 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs @@ -1,9 +1,6 @@ use libc::*; use *; -// use x509::stack_st_X509; -// use x509_attr::stack_st_X509_ATTRIBUTE; - #[cfg(ossl300)] #[repr(C)] pub struct PKCS7_CTX { @@ -106,6 +103,9 @@ extern "C" { pub fn PKCS7_SIGN_ENVELOPE_free(info: *mut PKCS7_SIGN_ENVELOPE); pub fn PKCS7_DIGEST_free(info: *mut PKCS7_DIGEST); pub fn PKCS7_SIGNER_INFO_free(info: *mut PKCS7_SIGNER_INFO); + pub fn PKCS7_ENCRYPT_free(enc: *mut PKCS7_ENCRYPT); + pub fn PKCS7_ISSUER_AND_SERIAL_free(ias: *mut PKCS7_ISSUER_AND_SERIAL); + pub fn PKCS7_RECIP_INFO_free(info: *mut PKCS7_RECIP_INFO); } cfg_if! { @@ -189,6 +189,18 @@ cfg_if! { } stack!(stack_st_PKCS7_SIGNER_INFO); + +#[repr(C)] +pub struct PKCS7_RECIP_INFO { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub issuer_and_serial: *mut PKCS7_ISSUER_AND_SERIAL, + pub key_enc_algor: *mut X509_ALGOR, + pub enc_key: *mut ASN1_OCTET_STRING, + pub cert: *mut X509, /* get the pub-key from this */ + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, +} + stack!(stack_st_PKCS7_RECIP_INFO); extern "C" { diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index addc599abb..181340d486 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -3,16 +3,18 @@ use libc::*; #[allow(unused_imports)] use *; -#[derive(Copy, Clone)] -pub enum ASN1_BOOLEAN {} +pub enum ASN1_OBJECT {} +pub enum ASN1_VALUE {} + +pub type ASN1_BOOLEAN = c_int; pub enum ASN1_ENUMERATED {} pub enum ASN1_INTEGER {} pub enum ASN1_GENERALIZEDTIME {} pub enum ASN1_STRING {} pub enum ASN1_BIT_STRING {} pub enum ASN1_TIME {} -pub enum ASN1_OBJECT {} pub enum ASN1_OCTET_STRING {} +pub enum ASN1_NULL {} pub enum ASN1_PRINTABLESTRING {} pub enum ASN1_T61STRING {} pub enum ASN1_IA5STRING {} @@ -22,7 +24,6 @@ pub enum ASN1_UNIVERSALSTRING {} pub enum ASN1_UTCTIME {} pub enum ASN1_VISIBLESTRING {} pub enum ASN1_UTF8STRING {} -pub enum ASN1_VALUE {} pub enum bio_st {} // FIXME remove cfg_if! { diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 486f712c34..fc94bbb741 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -15,6 +15,10 @@ pub enum X509_EXTENSION {} stack!(stack_st_X509_EXTENSION); +pub enum X509_ATTRIBUTE {} + +stack!(stack_st_X509_ATTRIBUTE); + cfg_if! { if #[cfg(any(ossl110, libressl350))] { pub enum X509_REQ_INFO {} @@ -269,8 +273,6 @@ extern "C" { pub fn X509_EXTENSION_free(ext: *mut X509_EXTENSION); - pub fn X509_ATTRIBUTE_free(attr: *mut ::X509_ATTRIBUTE); - pub fn X509_NAME_ENTRY_free(x: *mut X509_NAME_ENTRY); pub fn X509_NAME_new() -> *mut X509_NAME; @@ -689,6 +691,68 @@ pub struct X509_PURPOSE { const_ptr_api! { extern "C" { pub fn X509_PURPOSE_get_by_sname(sname: #[const_ptr_if(any(ossl110, libressl280))] c_char) -> c_int; - pub fn X509_PURPOSE_get0(idx: c_int) -> *mut X509_PURPOSE; + } +} +extern "C" { + pub fn X509_PURPOSE_get0(idx: c_int) -> *mut X509_PURPOSE; +} + +extern "C" { + pub fn X509_ATTRIBUTE_new() -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_free(attr: *mut ::X509_ATTRIBUTE); + pub fn X509_ATTRIBUTE_create( + nid: c_int, + atrtype: c_int, + value: *mut c_void, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_NID( + attr: *mut *mut X509_ATTRIBUTE, + nid: c_int, + atrtype: c_int, + data: *const c_void, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_OBJ( + attr: *mut *mut X509_ATTRIBUTE, + obj: *const ASN1_OBJECT, + atrtype: c_int, + data: *const c_void, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_txt( + attr: *mut *mut X509_ATTRIBUTE, + atrname: *const c_char, + atrtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_set1_object(attr: *mut X509_ATTRIBUTE, obj: *const ASN1_OBJECT) -> c_int; + pub fn X509_ATTRIBUTE_set1_data( + attr: *mut X509_ATTRIBUTE, + attrtype: c_int, + data: *const c_void, + len: c_int, + ) -> c_int; + pub fn X509_ATTRIBUTE_get0_data( + attr: *mut X509_ATTRIBUTE, + idx: c_int, + atrtype: c_int, + data: *mut c_void, + ) -> *mut c_void; + pub fn X509_ATTRIBUTE_get0_object(attr: *mut X509_ATTRIBUTE) -> *mut ASN1_OBJECT; + pub fn X509_ATTRIBUTE_get0_type(attr: *mut X509_ATTRIBUTE, idx: c_int) -> *mut ASN1_TYPE; + pub fn d2i_X509_ATTRIBUTE( + a: *mut *mut X509_ATTRIBUTE, + pp: *mut *const c_uchar, + length: c_long, + ) -> *mut X509_ATTRIBUTE; +} +const_ptr_api! { + extern "C" { + pub fn X509_ATTRIBUTE_count( + attr: #[const_ptr_if(any(ossl110, libressl280))] X509_ATTRIBUTE // const since OpenSSL v1.1.0 + ) -> c_int; + pub fn i2d_X509_ATTRIBUTE(x: #[const_ptr_if(ossl300)] X509_ATTRIBUTE, buf: *mut *mut u8) -> c_int; + pub fn X509_ATTRIBUTE_dup(x: #[const_ptr_if(ossl300)] X509_ATTRIBUTE) -> *mut X509_ATTRIBUTE; } } diff --git a/openssl-sys/src/handwritten/x509_attr.rs b/openssl-sys/src/handwritten/x509_attr.rs index b14be38619..e69de29bb2 100644 --- a/openssl-sys/src/handwritten/x509_attr.rs +++ b/openssl-sys/src/handwritten/x509_attr.rs @@ -1,60 +0,0 @@ -use libc::*; - -use *; - -pub enum X509_ATTRIBUTE {} - -stack!(stack_st_X509_ATTRIBUTE); - -extern "C" { - pub fn X509_ATTRIBUTE_new() -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_create( - nid: c_int, - atrtype: c_int, - value: *mut c_void, - ) -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_create_by_NID( - attr: *mut *mut X509_ATTRIBUTE, - nid: c_int, - atrtype: c_int, - data: *const c_void, - len: c_int, - ) -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_create_by_OBJ( - attr: *mut *mut X509_ATTRIBUTE, - obj: *const ASN1_OBJECT, - atrtype: c_int, - data: *const c_void, - len: c_int, - ) -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_create_by_txt( - attr: *mut *mut X509_ATTRIBUTE, - atrname: *const c_char, - atrtype: c_int, - bytes: *const c_uchar, - len: c_int, - ) -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_set1_object(attr: *mut X509_ATTRIBUTE, obj: *const ASN1_OBJECT) -> c_int; - pub fn X509_ATTRIBUTE_set1_data( - attr: *mut X509_ATTRIBUTE, - attrtype: c_int, - data: *const c_void, - len: c_int, - ) -> c_int; - pub fn X509_ATTRIBUTE_get0_data( - attr: *mut X509_ATTRIBUTE, - idx: c_int, - atrtype: c_int, - data: *mut c_void, - ) -> *mut c_void; - pub fn X509_ATTRIBUTE_get0_object(attr: *mut X509_ATTRIBUTE) -> *mut ASN1_OBJECT; - pub fn X509_ATTRIBUTE_get0_type(attr: *mut X509_ATTRIBUTE, idx: c_int) -> *mut ASN1_TYPE; - -} -const_ptr_api! { - extern "C" { - pub fn X509_ATTRIBUTE_count( - attr: #[const_ptr_if(any(ossl110, libressl291))] X509_ATTRIBUTE // const since OpenSSL v1.1.0 - ) -> c_int; - } -} From d77c6518873b063de9cc6bca4f708b765ffbb284 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 24 Feb 2023 17:37:23 +0100 Subject: [PATCH 082/209] Removed emtpy x509_attr.rs --- openssl-sys/src/handwritten/mod.rs | 2 -- openssl-sys/src/handwritten/x509_attr.rs | 0 2 files changed, 2 deletions(-) delete mode 100644 openssl-sys/src/handwritten/x509_attr.rs diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index fea7549898..28aa4aecd0 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -28,7 +28,6 @@ pub use self::stack::*; pub use self::tls1::*; pub use self::types::*; pub use self::x509::*; -pub use self::x509_attr::*; pub use self::x509_vfy::*; pub use self::x509v3::*; @@ -62,6 +61,5 @@ mod stack; mod tls1; mod types; mod x509; -mod x509_attr; mod x509_vfy; mod x509v3; diff --git a/openssl-sys/src/handwritten/x509_attr.rs b/openssl-sys/src/handwritten/x509_attr.rs deleted file mode 100644 index e69de29bb2..0000000000 From 0bd4876a951f2fe7da227daa2ee2e67cc7ee3ed3 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 24 Feb 2023 17:57:16 +0100 Subject: [PATCH 083/209] clippy. --- openssl-sys/src/handwritten/x509.rs | 6 +++--- openssl/src/sign.rs | 2 +- openssl/src/x509/mod.rs | 12 ++++++++++-- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index fc94bbb741..46ec3e14a9 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -365,8 +365,8 @@ const_ptr_api! { extern "C" { pub fn X509_REQ_get_attr_count(req: *const X509_REQ) -> c_int; pub fn X509_REQ_get_attr_by_NID(req: *const X509_REQ, nid: c_int, lastpos: c_int) -> c_int; - pub fn X509_REQ_get_attr(req: *const X509_REQ, loc: c_int) -> *mut ::X509_ATTRIBUTE; - pub fn X509_REQ_delete_attr(req: *mut X509_REQ, loc: c_int) -> *mut ::X509_ATTRIBUTE; + pub fn X509_REQ_get_attr(req: *const X509_REQ, loc: c_int) -> *mut X509_ATTRIBUTE; + pub fn X509_REQ_delete_attr(req: *mut X509_REQ, loc: c_int) -> *mut X509_ATTRIBUTE; pub fn X509_REQ_add1_attr_by_txt( req: *mut X509_REQ, attrname: *const c_char, @@ -699,7 +699,7 @@ extern "C" { extern "C" { pub fn X509_ATTRIBUTE_new() -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_free(attr: *mut ::X509_ATTRIBUTE); + pub fn X509_ATTRIBUTE_free(attr: *mut X509_ATTRIBUTE); pub fn X509_ATTRIBUTE_create( nid: c_int, atrtype: c_int, diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 9cfda48105..51738651c6 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -711,7 +711,7 @@ mod test { #[cfg(not(boringssl))] fn test_hmac(ty: MessageDigest, tests: &[(Vec, Vec, Vec)]) { - for &(ref key, ref data, ref res) in tests.iter() { + for (key, data, res) in tests.iter() { let pkey = PKey::hmac(key).unwrap(); let mut signer = Signer::new(ty, &pkey).unwrap(); signer.update(data).unwrap(); diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index d29a21e4af..2da41bd1a5 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -388,7 +388,10 @@ impl X509Ref { /// Returns the hash of the certificates subject #[corresponds(X509_subject_name_hash)] pub fn subject_name_hash(&self) -> u32 { - unsafe { ffi::X509_subject_name_hash(self.as_ptr()) as u32 } + #[allow(clippy::unnecessary_cast)] + unsafe { + ffi::X509_subject_name_hash(self.as_ptr()) as u32 + } } /// Returns this certificate's issuer name. @@ -403,7 +406,10 @@ impl X509Ref { /// Returns the hash of the certificates issuer #[corresponds(X509_issuer_name_hash)] pub fn issuer_name_hash(&self) -> u32 { - unsafe { ffi::X509_issuer_name_hash(self.as_ptr()) as u32 } + #[allow(clippy::unnecessary_cast)] + unsafe { + ffi::X509_issuer_name_hash(self.as_ptr()) as u32 + } } /// Returns this certificate's subject alternative name entries, if they exist. @@ -545,6 +551,7 @@ impl X509Ref { /// Note that `0` return value stands for version 1, `1` for version 2 and so on. #[corresponds(X509_get_version)] #[cfg(ossl110)] + #[allow(clippy::unnecessary_cast)] pub fn version(&self) -> i32 { unsafe { ffi::X509_get_version(self.as_ptr()) as i32 } } @@ -1359,6 +1366,7 @@ impl X509ReqRef { /// This corresponds to [`X509_REQ_get_version`] /// /// [`X509_REQ_get_version`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_version.html + #[allow(clippy::unnecessary_cast)] pub fn version(&self) -> i32 { unsafe { X509_REQ_get_version(self.as_ptr()) as i32 } } From 9f8c82161361da1eef0169fce7e4cac2b6094e53 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 27 Feb 2023 08:16:05 +0100 Subject: [PATCH 084/209] Removed invalid path operator. --- openssl-sys/src/handwritten/x509.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 46ec3e14a9..917b41e425 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -29,7 +29,7 @@ cfg_if! { pub version: *mut ::ASN1_INTEGER, pub subject: *mut ::X509_NAME, pubkey: *mut c_void, - pub attributes: *mut ::stack_st_X509_ATTRIBUTE, + pub attributes: *mut stack_st_X509_ATTRIBUTE, } } } From f13427168389420bc21011903ddb21c9d59be351 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 27 Feb 2023 09:44:10 +0100 Subject: [PATCH 085/209] Removed unnecessary cfg_if's. --- openssl-sys/src/handwritten/pkcs7.rs | 252 +++++++++++---------------- 1 file changed, 97 insertions(+), 155 deletions(-) diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index 332586515a..60dcfe0d64 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs @@ -8,92 +8,51 @@ pub struct PKCS7_CTX { propq: *mut c_char, } -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_SIGNED { - pub version: *mut ASN1_INTEGER, /* version 1 */ - pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ - pub cert: *mut stack_st_X509, /* [ 0 ] */ - pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ - pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, - pub contents: *mut PKCS7, - } - } else { - pub enum PKCS7_SIGNED {} - } +#[repr(C)] +pub struct PKCS7_SIGNED { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, + pub contents: *mut PKCS7, } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_ENC_CONTENT { - pub content_type: *mut ASN1_OBJECT, - pub algorithm: *mut X509_ALGOR, - pub enc_data: *mut ASN1_OCTET_STRING, /* [ 0 ] */ - pub cipher: *const EVP_CIPHER, - #[cfg(ossl300)] - pub ctx: *const PKCS7_CTX, - } - } else { - pub enum PKCS7_ENC_CONTENT {} - } +#[repr(C)] +pub struct PKCS7_ENC_CONTENT { + pub content_type: *mut ASN1_OBJECT, + pub algorithm: *mut X509_ALGOR, + pub enc_data: *mut ASN1_OCTET_STRING, /* [ 0 ] */ + pub cipher: *const EVP_CIPHER, + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_ENVELOPE { - pub version: *mut ASN1_INTEGER, /* version 0 */ - pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO, - pub enc_data: *mut PKCS7_ENC_CONTENT, - } - } else { - pub enum PKCS7_ENVELOPE {} - } +#[repr(C)] +pub struct PKCS7_ENVELOPE { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO, + pub enc_data: *mut PKCS7_ENC_CONTENT, } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_SIGN_ENVELOPE { - pub version: *mut ASN1_INTEGER, /* version 1 */ - pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ - pub cert: *mut stack_st_X509, /* [ 0 ] */ - pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ - pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, - pub enc_data: *mut PKCS7_ENC_CONTENT, - pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO - } - } else { - pub enum PKCS7_SIGN_ENVELOPE {} - } +#[repr(C)] +pub struct PKCS7_SIGN_ENVELOPE { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, + pub enc_data: *mut PKCS7_ENC_CONTENT, + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_DIGEST { - pub version: *mut ASN1_INTEGER, /* version 0 */ - pub md: *mut X509_ALGOR, /* md used */ - pub contents: *mut PKCS7, - pub digest: *mut ASN1_OCTET_STRING, - } - } else { - pub enum PKCS7_DIGEST {} - } +#[repr(C)] +pub struct PKCS7_DIGEST { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub md: *mut X509_ALGOR, /* md used */ + pub contents: *mut PKCS7, + pub digest: *mut ASN1_OCTET_STRING, } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_ENCRYPT { - pub version: *mut ASN1_INTEGER, /* version 0 */ - pub enc_data: *mut PKCS7_ENC_CONTENT, - } - } else { - pub enum PKCS7_ENCRYPT {} - } +#[repr(C)] +pub struct PKCS7_ENCRYPT { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub enc_data: *mut PKCS7_ENC_CONTENT, } extern "C" { @@ -108,84 +67,67 @@ extern "C" { pub fn PKCS7_RECIP_INFO_free(info: *mut PKCS7_RECIP_INFO); } -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7 { - /* - * The following is non NULL if it contains ASN1 encoding of this - * structure - */ - pub asn1: *mut c_uchar, - pub length: c_long, - // # define PKCS7_S_HEADER 0 - // # define PKCS7_S_BODY 1 - // # define PKCS7_S_TAIL 2 - pub state: c_int, /* used during processing */ - pub detached: c_int, - pub type_: *mut ASN1_OBJECT, - /* content as defined by the type */ - /* - * all encryption/message digests are applied to the 'contents', leaving - * out the 'type' field. - */ - pub d: PKCS7_data, - #[cfg(ossl300)] - pub ctx: PKCS7_CTX, - } - #[repr(C)] - pub union PKCS7_data { - pub ptr: *mut c_char, - /* NID_pkcs7_data */ - pub data: *mut ASN1_OCTET_STRING, - /* NID_pkcs7_signed */ - pub sign: *mut PKCS7_SIGNED, - /* NID_pkcs7_enveloped */ - pub enveloped: *mut PKCS7_ENVELOPE, - /* NID_pkcs7_signedAndEnveloped */ - pub signed_and_enveloped: *mut PKCS7_SIGN_ENVELOPE, - /* NID_pkcs7_digest */ - pub digest: *mut PKCS7_DIGEST, - /* NID_pkcs7_encrypted */ - pub encrypted: *mut PKCS7_ENCRYPT, - /* Anything else */ - pub other: *mut ASN1_TYPE, - } - } else { - pub enum PKCS7 {} - } +#[repr(C)] +pub struct PKCS7 { + /* + * The following is non NULL if it contains ASN1 encoding of this + * structure + */ + pub asn1: *mut c_uchar, + pub length: c_long, + // # define PKCS7_S_HEADER 0 + // # define PKCS7_S_BODY 1 + // # define PKCS7_S_TAIL 2 + pub state: c_int, /* used during processing */ + pub detached: c_int, + pub type_: *mut ASN1_OBJECT, + /* content as defined by the type */ + /* + * all encryption/message digests are applied to the 'contents', leaving + * out the 'type' field. + */ + pub d: PKCS7_data, + #[cfg(ossl300)] + pub ctx: PKCS7_CTX, } -cfg_if! { - if #[cfg(any(ossl101, libressl))] { - #[repr(C)] - pub struct PKCS7_ISSUER_AND_SERIAL { - pub issuer: *mut X509_NAME, - pub serial: *mut ASN1_INTEGER, - } - } else { - pub enum PKCS7_ISSUER_AND_SERIAL {} - } +#[repr(C)] +pub union PKCS7_data { + pub ptr: *mut c_char, + /* NID_pkcs7_data */ + pub data: *mut ASN1_OCTET_STRING, + /* NID_pkcs7_signed */ + pub sign: *mut PKCS7_SIGNED, + /* NID_pkcs7_enveloped */ + pub enveloped: *mut PKCS7_ENVELOPE, + /* NID_pkcs7_signedAndEnveloped */ + pub signed_and_enveloped: *mut PKCS7_SIGN_ENVELOPE, + /* NID_pkcs7_digest */ + pub digest: *mut PKCS7_DIGEST, + /* NID_pkcs7_encrypted */ + pub encrypted: *mut PKCS7_ENCRYPT, + /* Anything else */ + pub other: *mut ASN1_TYPE, } -cfg_if! { - if #[cfg(any(ossl101, libressl))] { - #[repr(C)] - pub struct PKCS7_SIGNER_INFO { - pub version: *mut ASN1_INTEGER, /* version 1 */ - pub issuer_and_serial: *mut PKCS7_ISSUER_AND_SERIAL, - pub digest_alg: *mut X509_ALGOR, - pub auth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 0 ] */ - pub digest_enc_alg: *mut X509_ALGOR, - pub enc_digest: *mut ASN1_OCTET_STRING, - pub unauth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 1 ] */ - pub pkey: *mut EVP_PKEY, /* The private key to sign with */ - #[cfg(ossl300)] - pub ctx: *const PKCS7_CTX, - } - } else { - pub enum PKCS7_SIGNER_INFO {} - } +#[repr(C)] +pub struct PKCS7_ISSUER_AND_SERIAL { + pub issuer: *mut X509_NAME, + pub serial: *mut ASN1_INTEGER, +} + +#[repr(C)] +pub struct PKCS7_SIGNER_INFO { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub issuer_and_serial: *mut PKCS7_ISSUER_AND_SERIAL, + pub digest_alg: *mut X509_ALGOR, + pub auth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 0 ] */ + pub digest_enc_alg: *mut X509_ALGOR, + pub enc_digest: *mut ASN1_OCTET_STRING, + pub unauth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 1 ] */ + pub pkey: *mut EVP_PKEY, /* The private key to sign with */ + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, } stack!(stack_st_PKCS7_SIGNER_INFO); From 9c30e4e418c26c9e4adfff4bd64aae2713897564 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 27 Feb 2023 09:56:23 +0100 Subject: [PATCH 086/209] rustfmt hit me once more --- openssl-sys/src/handwritten/pkcs7.rs | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index 60dcfe0d64..754fc9e2b8 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs @@ -10,10 +10,10 @@ pub struct PKCS7_CTX { #[repr(C)] pub struct PKCS7_SIGNED { - pub version: *mut ASN1_INTEGER, /* version 1 */ + pub version: *mut ASN1_INTEGER, /* version 1 */ pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ - pub cert: *mut stack_st_X509, /* [ 0 ] */ - pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, pub contents: *mut PKCS7, } @@ -34,18 +34,18 @@ pub struct PKCS7_ENVELOPE { } #[repr(C)] pub struct PKCS7_SIGN_ENVELOPE { - pub version: *mut ASN1_INTEGER, /* version 1 */ + pub version: *mut ASN1_INTEGER, /* version 1 */ pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ - pub cert: *mut stack_st_X509, /* [ 0 ] */ - pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, pub enc_data: *mut PKCS7_ENC_CONTENT, - pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO, } #[repr(C)] pub struct PKCS7_DIGEST { pub version: *mut ASN1_INTEGER, /* version 0 */ - pub md: *mut X509_ALGOR, /* md used */ + pub md: *mut X509_ALGOR, /* md used */ pub contents: *mut PKCS7, pub digest: *mut ASN1_OCTET_STRING, } @@ -125,7 +125,7 @@ pub struct PKCS7_SIGNER_INFO { pub digest_enc_alg: *mut X509_ALGOR, pub enc_digest: *mut ASN1_OCTET_STRING, pub unauth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 1 ] */ - pub pkey: *mut EVP_PKEY, /* The private key to sign with */ + pub pkey: *mut EVP_PKEY, /* The private key to sign with */ #[cfg(ossl300)] pub ctx: *const PKCS7_CTX, } From 3af29817172dce38419b4e21c5f212d66fb6bee8 Mon Sep 17 00:00:00 2001 From: Doug Bodden Date: Tue, 28 Feb 2023 13:33:49 -0500 Subject: [PATCH 087/209] Add DTLS 1.2 support in newer releases of SSL libs. --- openssl-sys/src/handwritten/ssl.rs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index f179a04ab1..1000276ab9 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -679,6 +679,10 @@ cfg_if! { pub fn TLS_server_method() -> *const SSL_METHOD; pub fn TLS_client_method() -> *const SSL_METHOD; + + // DTLS 1.2 support doesn't exist in LibresSSL 2.9.1 + #[cfg(ossl110)] + pub fn DTLSv1_2_method() -> *const SSL_METHOD; } } else { extern "C" { @@ -699,7 +703,8 @@ cfg_if! { pub fn DTLSv1_method() -> *const SSL_METHOD; - #[cfg(ossl102)] + // DTLS 1.2 support started in OpenSSL 1.0.2, LibreSSL 3.3.2 + #[cfg(any(ossl102,libressl332))] pub fn DTLSv1_2_method() -> *const SSL_METHOD; } } From d05a149c85cf8fcb31f6fc072fc46d46371eec11 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 4 Mar 2023 09:08:56 -0500 Subject: [PATCH 088/209] bump actions/cache version this is needed to deal with a GHA deprecation --- .github/workflows/ci.yml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 43abdf7a69..cd766f5cba 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,19 +36,19 @@ jobs: - uses: sfackler/actions/rustup@master - run: echo "::set-output name=version::$(rustc --version)" id: rust-version - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/index key: index-${{ runner.os }}-${{ github.run_number }} restore-keys: | index-${{ runner.os }}- - run: cargo generate-lockfile - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/cache key: registry-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} - run: cargo fetch - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: target key: target-${{ github.job }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} @@ -64,19 +64,19 @@ jobs: version: 1.56.0 - run: echo "::set-output name=version::$(rustc --version)" id: rust-version - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/index key: index-${{ runner.os }}-${{ github.run_number }} restore-keys: | index-${{ runner.os }}- - run: cargo generate-lockfile - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/cache key: registry-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} - run: cargo fetch - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: target key: target-${{ github.job }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} @@ -92,19 +92,19 @@ jobs: id: rust-version - run: echo "VCPKG_ROOT=$env:VCPKG_INSTALLATION_ROOT" | Out-File -FilePath $env:GITHUB_ENV -Append - run: vcpkg install openssl:x64-windows-static-md - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/index key: index-${{ runner.os }}-${{ github.run_number }} restore-keys: | index-${{ runner.os }}- - run: cargo generate-lockfile - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/cache key: registry-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} - run: cargo fetch - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: target key: target-${{ github.job }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} @@ -120,19 +120,19 @@ jobs: - uses: sfackler/actions/rustup@master - run: echo "::set-output name=version::$(rustc --version)" id: rust-version - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/index key: index-${{ runner.os }}-${{ github.run_number }} restore-keys: | index-${{ runner.os }}- - run: cargo generate-lockfile - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/cache key: registry-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} - run: cargo fetch - # - uses: actions/cache@v1 + # - uses: actions/cache@v3 # with: # path: target # key: target-${{ github.job }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} @@ -249,7 +249,7 @@ jobs: sudo apt-get update sudo apt-get install -y $packages - run: sudo apt-get remove -y libssl-dev - - uses: actions/cache@v2 + - uses: actions/cache@v3 with: path: /opt/openssl key: openssl-${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-2 @@ -329,19 +329,19 @@ jobs: echo '[patch.crates-io]' > .cargo/config.toml echo 'bssl-sys = { path = "'$OPENSSL_DIR'/rust" }' >> .cargo/config.toml if: matrix.library.name == 'boringssl' - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/index key: index-${{ runner.os }}-${{ github.run_number }} restore-keys: | index-${{ runner.os }}- - run: cargo generate-lockfile - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.cargo/registry/cache key: registry-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} - run: cargo fetch - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: target key: target-${{ matrix.target }}-${{ matrix.bindgen }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} From be90abaff6c2660e77705fa2108fe9d010c8b567 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 4 Mar 2023 09:47:07 -0500 Subject: [PATCH 089/209] bump checkout as well --- .github/workflows/ci.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cd766f5cba..1b78d37d29 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,7 +24,7 @@ jobs: name: rustfmt runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - uses: sfackler/actions/rustfmt@master @@ -32,7 +32,7 @@ jobs: name: clippy runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - run: echo "::set-output name=version::$(rustc --version)" id: rust-version @@ -58,7 +58,7 @@ jobs: name: min-version runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master with: version: 1.56.0 @@ -86,7 +86,7 @@ jobs: name: windows-vcpkg runs-on: windows-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - run: echo "::set-output name=version::$(rustc --version)" id: rust-version @@ -116,7 +116,7 @@ jobs: name: macos-homebrew runs-on: macos-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - run: echo "::set-output name=version::$(rustc --version)" id: rust-version @@ -227,7 +227,7 @@ jobs: CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABIHF_AR: arm-linux-gnueabihf-ar CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABIHF_RUNNER: qemu-arm -L /usr/arm-linux-gnueabihf steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - run: echo "::set-output name=version::$(rustc --version)" id: rust-version From e10d37724133c07a2db8dad53d22519b7b565988 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 4 Mar 2023 10:06:41 -0500 Subject: [PATCH 090/209] replace explicit set-output as well --- .github/workflows/ci.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1b78d37d29..b5c0be1df8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,7 @@ jobs: steps: - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - - run: echo "::set-output name=version::$(rustc --version)" + - run: echo "version=$(rustc --version)" >> $GITHUB_OUTPUT id: rust-version - uses: actions/cache@v3 with: @@ -62,7 +62,7 @@ jobs: - uses: sfackler/actions/rustup@master with: version: 1.56.0 - - run: echo "::set-output name=version::$(rustc --version)" + - run: echo "version=$(rustc --version)" >> $GITHUB_OUTPUT id: rust-version - uses: actions/cache@v3 with: @@ -88,7 +88,7 @@ jobs: steps: - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - - run: echo "::set-output name=version::$(rustc --version)" + - run: echo "version=$(rustc --version)" >> $GITHUB_OUTPUT id: rust-version - run: echo "VCPKG_ROOT=$env:VCPKG_INSTALLATION_ROOT" | Out-File -FilePath $env:GITHUB_ENV -Append - run: vcpkg install openssl:x64-windows-static-md @@ -118,7 +118,7 @@ jobs: steps: - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - - run: echo "::set-output name=version::$(rustc --version)" + - run: echo "version=$(rustc --version)" >> $GITHUB_OUTPUT id: rust-version - uses: actions/cache@v3 with: @@ -229,7 +229,7 @@ jobs: steps: - uses: actions/checkout@v3 - uses: sfackler/actions/rustup@master - - run: echo "::set-output name=version::$(rustc --version)" + - run: echo "version=$(rustc --version)" >> $GITHUB_OUTPUT id: rust-version - run: rustup target add ${{ matrix.target }} - name: Install packages From 1ab42213942eb58f9293d597169086ebbbf11d22 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 7 Mar 2023 15:39:39 -0500 Subject: [PATCH 091/209] Fix link typo Closes #1834 --- openssl/src/sha.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/sha.rs b/openssl/src/sha.rs index dd026677c6..24128904a3 100644 --- a/openssl/src/sha.rs +++ b/openssl/src/sha.rs @@ -57,7 +57,7 @@ pub fn sha1(data: &[u8]) -> [u8; 20] { } /// Computes the SHA224 hash of some data. -#[corresponds(SH224)] +#[corresponds(SHA224)] #[inline] pub fn sha224(data: &[u8]) -> [u8; 28] { unsafe { From 9a9c5041f60ad9e9a00cbcd60587ea9b937bd4f9 Mon Sep 17 00:00:00 2001 From: shinmao Date: Thu, 9 Mar 2023 20:21:46 -0500 Subject: [PATCH 092/209] add missed free() on error add free statement if error occurs in `SSL_set_tlsext_status_ocsp_resp()` --- openssl/src/ssl/mod.rs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index be898d627e..8e42cc8bbc 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -2881,6 +2881,10 @@ impl SslRef { response.len() as c_long, ) as c_int) .map(|_| ()) + .map_err(|e| { + ffi::OPENSSL_free(p) + e + }) } } From 7f52549c006fb495f50060efb88129cabf5ac5fb Mon Sep 17 00:00:00 2001 From: shinmao Date: Thu, 9 Mar 2023 21:30:46 -0500 Subject: [PATCH 093/209] add missing semicolon --- openssl/src/ssl/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 8e42cc8bbc..c8648c4bcd 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -2882,7 +2882,7 @@ impl SslRef { ) as c_int) .map(|_| ()) .map_err(|e| { - ffi::OPENSSL_free(p) + ffi::OPENSSL_free(p); e }) } From 65a75a818f280ed578e9e68f7d6c1ca203b10e6f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 4 Mar 2023 09:00:46 -0500 Subject: [PATCH 094/209] Added support for building boringssl with bindgen This allows building it without the bssl-sys crate. This is an alternative approach to fixing #1768 (in contrast to #1806). This maintains support for using the bssl-sys crate. --- .github/workflows/ci.yml | 30 ++++---- openssl-sys/Cargo.toml | 2 +- openssl-sys/build/main.rs | 21 ++++-- openssl-sys/build/run_bindgen.rs | 117 +++++++++++++++++++++++++++++-- openssl-sys/src/lib.rs | 18 ++++- openssl/build.rs | 2 +- openssl/src/bio.rs | 4 +- openssl/src/dh.rs | 2 +- openssl/src/error.rs | 11 ++- openssl/src/lib.rs | 5 ++ 10 files changed, 179 insertions(+), 33 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b5c0be1df8..8bbdaf2055 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -153,7 +153,7 @@ jobs: - false library: - name: boringssl - version: 5697a9202615925696f8dc7f4e286d44d474769e + version: 93e8d4463d59d671e9c5c6171226341f04b07907 - name: openssl version: vendored - name: openssl @@ -215,10 +215,6 @@ jobs: library: name: libressl version: 3.7.0 - exclude: - - library: - name: boringssl - bindgen: true name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} runs-on: ubuntu-latest env: @@ -311,16 +307,26 @@ jobs: make install_sw ;; "boringssl") - sed -i rust/CMakeLists.txt -e '1s%^%include_directories(../include)\n%' - cpu=`echo ${{ matrix.target }} | cut -d - -f 1` + mkdir build + cd build + echo "set(CMAKE_SYSTEM_NAME Linux)" > toolchain.cmake echo "set(CMAKE_SYSTEM_PROCESSOR $cpu)" >> toolchain.cmake echo "set(triple ${{ matrix.target }})" >> toolchain.cmake echo 'set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} '$OS_FLAGS '" CACHE STRING "c++ flags")' >> toolchain.cmake echo 'set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} '$OS_FLAGS '" CACHE STRING "c flags")' >> toolchain.cmake echo 'set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} '$OS_FLAGS '" CACHE STRING "asm flags")' >> toolchain.cmake - cmake -DRUST_BINDINGS="${{ matrix.target }}" -B $OPENSSL_DIR -DCMAKE_TOOLCHAIN_FILE=toolchain.cmake - make -C $OPENSSL_DIR + + cmake .. -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DRUST_BINDINGS="${{ matrix.target }}" -DCMAKE_INSTALL_PREFIX="${OPENSSL_DIR}" -DCMAKE_TOOLCHAIN_FILE=toolchain.cmake + make -j "$(nproc)" + make install + + # Copy stuff around so it's all as the build system expects. + cp -r rust/ "$OPENSSL_DIR/rust" + mkdir -p "$OPENSSL_DIR/crypto/" + mkdir -p "$OPENSSL_DIR/ssl/" + cp "$OPENSSL_DIR/lib/libcrypto.a" "$OPENSSL_DIR/crypto/" + cp "$OPENSSL_DIR/lib/libssl.a" "$OPENSSL_DIR/ssl/" esac if: matrix.library.version != 'vendored' && !steps.openssl-cache.outputs.cache-hit @@ -328,7 +334,7 @@ jobs: mkdir -p .cargo echo '[patch.crates-io]' > .cargo/config.toml echo 'bssl-sys = { path = "'$OPENSSL_DIR'/rust" }' >> .cargo/config.toml - if: matrix.library.name == 'boringssl' + if: matrix.library.name == 'boringssl' && !matrix.bindgen - uses: actions/cache@v3 with: path: ~/.cargo/registry/index @@ -350,14 +356,14 @@ jobs: if [[ "${{ matrix.library.version }}" == "vendored" ]]; then features="--features vendored" fi - if [[ "${{ matrix.bindgen }}" == "true" ]]; then + if [[ "${{ matrix.bindgen }}" == "true" && "${{ matrix.library.name }}" != "boringssl" ]]; then features="$features --features bindgen" fi cargo run --manifest-path=systest/Cargo.toml --target ${{ matrix.target }} $features if: matrix.library.name != 'boringssl' - name: Test openssl run: | - if [[ "${{ matrix.library.name }}" == "boringssl" ]]; then + if [[ "${{ matrix.library.name }}" == "boringssl" && "${{ matrix.bindgen }}" != "true" ]]; then features="--features unstable_boringssl" fi if [[ "${{ matrix.library.version }}" == "vendored" ]]; then diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 7b5c8104d8..4f057bf9fa 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -23,7 +23,7 @@ libc = "0.2" bssl-sys = { version = "0.1.0", optional = true } [build-dependencies] -bindgen = { version = "0.60.1", optional = true } +bindgen = { version = "0.64.0", optional = true, features = ["experimental"] } cc = "1.0" openssl-src = { version = "111", optional = true } pkg-config = "0.3.9" diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 262ea2cbab..c5a68a630a 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -23,7 +23,6 @@ mod cfgs; mod find_normal; #[cfg(feature = "vendored")] mod find_vendored; -#[cfg(feature = "bindgen")] mod run_bindgen; #[derive(PartialEq)] @@ -32,6 +31,7 @@ enum Version { Openssl11x, Openssl10x, Libressl, + Boringssl, } fn env_inner(name: &str) -> Option { @@ -67,10 +67,9 @@ fn find_openssl(target: &str) -> (Vec, PathBuf) { fn check_ssl_kind() { if cfg!(feature = "unstable_boringssl") { println!("cargo:rustc-cfg=boringssl"); + println!("cargo:boringssl=true"); // BoringSSL does not have any build logic, exit early std::process::exit(0); - } else { - println!("cargo:rustc-cfg=openssl"); } } @@ -146,8 +145,12 @@ fn check_rustc_versions() { #[allow(clippy::let_and_return)] fn postprocess(include_dirs: &[PathBuf]) -> Version { let version = validate_headers(include_dirs); - #[cfg(feature = "bindgen")] - run_bindgen::run(&include_dirs); + + // Never run bindgen for BoringSSL, if it was needed we already ran it. + if version != Version::Boringssl { + #[cfg(feature = "bindgen")] + run_bindgen::run(&include_dirs); + } version } @@ -235,9 +238,15 @@ See rust-openssl documentation for more information: } if is_boringssl { - panic!("BoringSSL detected, but `unstable_boringssl` feature wasn't specified.") + println!("cargo:rustc-cfg=boringssl"); + println!("cargo:boringssl=true"); + run_bindgen::run_boringssl(include_dirs); + return Version::Boringssl; } + // We set this for any non-BoringSSL lib. + println!("cargo:rustc-cfg=openssl"); + for enabled in &enabled { println!("cargo:rustc-cfg=osslconf=\"{}\"", enabled); } diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 9531e6e8bb..0c127ae5c6 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -1,13 +1,17 @@ +#[cfg(feature = "bindgen")] use bindgen::callbacks::{MacroParsingBehavior, ParseCallbacks}; -use bindgen::RustTarget; -use std::env; +#[cfg(feature = "bindgen")] +use bindgen::{MacroTypeVariation, RustTarget}; +use std::io::Write; use std::path::PathBuf; +#[cfg(not(feature = "bindgen"))] +use std::process; +use std::{env, fs}; const INCLUDES: &str = " #include #include #include -#include #include #include #include @@ -17,7 +21,6 @@ const INCLUDES: &str = " #include #include #include -#include #include #include #include @@ -35,10 +38,15 @@ const INCLUDES: &str = " // this must be included after ssl.h for libressl! #include -#if !defined(LIBRESSL_VERSION_NUMBER) +#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL) #include #endif +#if !defined(OPENSSL_IS_BORINGSSL) +#include +#include +#endif + #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000 #include #endif @@ -48,6 +56,7 @@ const INCLUDES: &str = " #endif "; +#[cfg(feature = "bindgen")] pub fn run(include_dirs: &[PathBuf]) { let out_dir = PathBuf::from(env::var_os("OUT_DIR").unwrap()); @@ -94,9 +103,107 @@ pub fn run(include_dirs: &[PathBuf]) { .unwrap(); } +#[cfg(feature = "bindgen")] +pub fn run_boringssl(include_dirs: &[PathBuf]) { + let out_dir = PathBuf::from(env::var_os("OUT_DIR").unwrap()); + let mut builder = bindgen::builder() + .rust_target(RustTarget::Stable_1_47) + .ctypes_prefix("::libc") + .derive_default(false) + .enable_function_attribute_detection() + .size_t_is_usize(true) + .default_macro_constant_type(MacroTypeVariation::Signed) + .rustified_enum("point_conversion_form_t") + .allowlist_file(".*/openssl/[^/]+\\.h") + .wrap_static_fns(true) + .wrap_static_fns_path(out_dir.join("boring_static_wrapper").display().to_string()) + .layout_tests(false) + .header_contents("includes.h", INCLUDES); + + for include_dir in include_dirs { + builder = builder + .clang_arg("-I") + .clang_arg(include_dir.display().to_string()); + } + + builder + .generate() + .unwrap() + .write_to_file(out_dir.join("bindgen.rs")) + .unwrap(); + + fs::File::create(out_dir.join("boring_static_wrapper.h")) + .expect("Failed to create boring_static_wrapper.h") + .write_all(INCLUDES.as_bytes()) + .expect("Failed to write contents to boring_static_wrapper.h"); + + cc::Build::new() + .file(out_dir.join("boring_static_wrapper.c")) + .includes(include_dirs) + .flag("-include") + .flag( + &out_dir + .join("boring_static_wrapper.h") + .display() + .to_string(), + ) + .compile("boring_static_wrapper"); +} + +#[cfg(not(feature = "bindgen"))] +pub fn run_boringssl(include_dirs: &[PathBuf]) { + let out_dir = PathBuf::from(env::var_os("OUT_DIR").unwrap()); + + fs::File::create(out_dir.join("boring_static_wrapper.h")) + .expect("Failed to create boring_static_wrapper.h") + .write_all(INCLUDES.as_bytes()) + .expect("Failed to write contents to boring_static_wrapper.h"); + + let mut bindgen_cmd = process::Command::new("bindgen"); + bindgen_cmd + .arg("-o") + .arg(out_dir.join("bindgen.rs")) + .arg("--rust-target=1.47") + .arg("--ctypes-prefix=::libc") + .arg("--no-derive-default") + .arg("--enable-function-attribute-detection") + .arg("--size_t-is-usize") + .arg("--default-macro-constant-type=signed") + .arg("--rustified-enum=point_conversion_form_t") + .arg("--allowlist-file=.*/openssl/[^/]+\\.h") + .arg("--experimental") + .arg("--wrap-static-fns") + .arg("--wrap-static-fns-path") + .arg(out_dir.join("boring_static_wrapper").display().to_string()) + .arg("--no-layout-tests") + .arg(out_dir.join("boring_static_wrapper.h")) + .arg("--") + .arg(format!("--target={}", env::var("TARGET").unwrap())); + + for include_dir in include_dirs { + bindgen_cmd.arg("-I").arg(include_dir.display().to_string()); + } + + let result = bindgen_cmd.status().expect("bindgen failed to execute"); + assert!(result.success()); + + cc::Build::new() + .file(out_dir.join("boring_static_wrapper.c")) + .includes(include_dirs) + .flag("-include") + .flag( + &out_dir + .join("boring_static_wrapper.h") + .display() + .to_string(), + ) + .compile("boring_static_wrapper"); +} + #[derive(Debug)] struct OpensslCallbacks; +#[cfg(feature = "bindgen")] impl ParseCallbacks for OpensslCallbacks { // for now we'll continue hand-writing constants fn will_parse_macro(&self, _name: &str) -> MacroParsingBehavior { diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index b1d51a8580..c3084755cc 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -16,11 +16,25 @@ extern crate libc; pub use libc::*; -#[cfg(boringssl)] +#[cfg(feature = "unstable_boringssl")] extern crate bssl_sys; -#[cfg(boringssl)] +#[cfg(feature = "unstable_boringssl")] pub use bssl_sys::*; +#[cfg(all(boringssl, not(feature = "unstable_boringssl")))] +#[path = "."] +mod boringssl { + include!(concat!(env!("OUT_DIR"), "/bindgen.rs")); + + pub fn init() { + unsafe { + CRYPTO_library_init(); + } + } +} +#[cfg(all(boringssl, not(feature = "unstable_boringssl")))] +pub use boringssl::*; + #[cfg(openssl)] #[path = "."] mod openssl { diff --git a/openssl/build.rs b/openssl/build.rs index 7651429f38..5cddce90c2 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -11,7 +11,7 @@ fn main() { println!("cargo:rustc-cfg=libressl"); } - if env::var("CARGO_FEATURE_UNSTABLE_BORINGSSL").is_ok() { + if env::var("DEP_OPENSSL_BORINGSSL").is_ok() { println!("cargo:rustc-cfg=boringssl"); return; } diff --git a/openssl/src/bio.rs b/openssl/src/bio.rs index 6a72552adc..0f54935a6b 100644 --- a/openssl/src/bio.rs +++ b/openssl/src/bio.rs @@ -25,7 +25,7 @@ impl<'a> MemBioSlice<'a> { let bio = unsafe { cvt_p(BIO_new_mem_buf( buf.as_ptr() as *const _, - buf.len() as c_int, + buf.len() as crate::SLenType, ))? }; @@ -74,7 +74,7 @@ impl MemBio { } cfg_if! { - if #[cfg(ossl102)] { + if #[cfg(any(ossl102, boringssl))] { use ffi::BIO_new_mem_buf; } else { #[allow(bad_style)] diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index 12170b994e..e781543e27 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -239,7 +239,7 @@ where } cfg_if! { - if #[cfg(any(ossl110, libressl270))] { + if #[cfg(any(ossl110, libressl270, boringssl))] { use ffi::{DH_set0_pqg, DH_get0_pqg, DH_get0_key, DH_set0_key}; } else { #[allow(bad_style)] diff --git a/openssl/src/error.rs b/openssl/src/error.rs index 58b4d70a38..f9a7c54b8f 100644 --- a/openssl/src/error.rs +++ b/openssl/src/error.rs @@ -297,19 +297,24 @@ impl fmt::Debug for Error { } impl fmt::Display for Error { + // On BoringSSL ERR_GET_{LIB,FUNC,REASON} are `unsafe`, but on + // OpenSSL/LibreSSL they're safe. + #[allow(unused_unsafe)] fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result { write!(fmt, "error:{:08X}", self.code())?; match self.library() { Some(l) => write!(fmt, ":{}", l)?, - None => write!(fmt, ":lib({})", ffi::ERR_GET_LIB(self.code()))?, + None => write!(fmt, ":lib({})", unsafe { ffi::ERR_GET_LIB(self.code()) })?, } match self.function() { Some(f) => write!(fmt, ":{}", f)?, - None => write!(fmt, ":func({})", ffi::ERR_GET_FUNC(self.code()))?, + None => write!(fmt, ":func({})", unsafe { ffi::ERR_GET_FUNC(self.code()) })?, } match self.reason() { Some(r) => write!(fmt, ":{}", r)?, - None => write!(fmt, ":reason({})", ffi::ERR_GET_REASON(self.code()))?, + None => write!(fmt, ":reason({})", unsafe { + ffi::ERR_GET_REASON(self.code()) + })?, } write!( fmt, diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 8988f4c3c0..5678298a03 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -190,6 +190,11 @@ type LenType = libc::size_t; #[cfg(not(boringssl))] type LenType = libc::c_int; +#[cfg(boringssl)] +type SLenType = libc::ssize_t; +#[cfg(not(boringssl))] +type SLenType = libc::c_int; + #[inline] fn cvt_p(r: *mut T) -> Result<*mut T, ErrorStack> { if r.is_null() { From b3b83c4ab25d0751fecd941bff5668d1c2b7b665 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 14 Mar 2023 09:51:10 -0400 Subject: [PATCH 095/209] Bump CI to 3.1.0 --- .github/workflows/ci.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b5c0be1df8..60d729207a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -157,10 +157,7 @@ jobs: - name: openssl version: vendored - name: openssl - version: 3.1.0-beta1 - dl-path: / - - name: openssl - version: 3.0.8 + version: 3.1.0 dl-path: / - name: openssl version: 1.1.1t From ee3eaa325ba04fffcc1b795213b366ee3ee1378b Mon Sep 17 00:00:00 2001 From: Doug Bodden Date: Tue, 14 Mar 2023 14:00:12 +0000 Subject: [PATCH 096/209] Move code per PR feedback. --- openssl-sys/src/handwritten/ssl.rs | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index 1000276ab9..29562d41ef 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -680,9 +680,6 @@ cfg_if! { pub fn TLS_client_method() -> *const SSL_METHOD; - // DTLS 1.2 support doesn't exist in LibresSSL 2.9.1 - #[cfg(ossl110)] - pub fn DTLSv1_2_method() -> *const SSL_METHOD; } } else { extern "C" { @@ -710,6 +707,13 @@ cfg_if! { } } +extern "C" { + #[cfg(ossl110)] + pub fn DTLSv1_2_method() -> *const SSL_METHOD; +} + + + extern "C" { pub fn SSL_get_error(ssl: *const SSL, ret: c_int) -> c_int; pub fn SSL_get_version(ssl: *const SSL) -> *const c_char; From 40eed05da58adcc42874a09c07b3abc633a74ed3 Mon Sep 17 00:00:00 2001 From: Doug Bodden Date: Tue, 14 Mar 2023 14:08:30 +0000 Subject: [PATCH 097/209] Fix formatting. --- openssl-sys/src/handwritten/ssl.rs | 2 -- 1 file changed, 2 deletions(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index 29562d41ef..65a4f42f6b 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -712,8 +712,6 @@ extern "C" { pub fn DTLSv1_2_method() -> *const SSL_METHOD; } - - extern "C" { pub fn SSL_get_error(ssl: *const SSL, ret: c_int) -> c_int; pub fn SSL_get_version(ssl: *const SSL) -> *const c_char; From 4a630b78a7471713d532f9d557ce628f10459ef5 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 14 Mar 2023 20:05:28 -0400 Subject: [PATCH 098/209] Revert "Add DTLS 1.2 support in newer releases of SSL libs." --- openssl-sys/src/handwritten/ssl.rs | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index 65a4f42f6b..f179a04ab1 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -679,7 +679,6 @@ cfg_if! { pub fn TLS_server_method() -> *const SSL_METHOD; pub fn TLS_client_method() -> *const SSL_METHOD; - } } else { extern "C" { @@ -700,18 +699,12 @@ cfg_if! { pub fn DTLSv1_method() -> *const SSL_METHOD; - // DTLS 1.2 support started in OpenSSL 1.0.2, LibreSSL 3.3.2 - #[cfg(any(ossl102,libressl332))] + #[cfg(ossl102)] pub fn DTLSv1_2_method() -> *const SSL_METHOD; } } } -extern "C" { - #[cfg(ossl110)] - pub fn DTLSv1_2_method() -> *const SSL_METHOD; -} - extern "C" { pub fn SSL_get_error(ssl: *const SSL, ret: c_int) -> c_int; pub fn SSL_get_version(ssl: *const SSL) -> *const c_char; From 54329d7cbd71467c797ebe48258d3ecff1c26498 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 14 Mar 2023 21:05:41 -0400 Subject: [PATCH 099/209] Release openssl-sys v0.9.81 --- openssl-sys/CHANGELOG.md | 22 ++++++++++++++++++++++ openssl-sys/Cargo.toml | 2 +- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 1bf8690dbe..194705320a 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,28 @@ ## [Unreleased] +## [v0.9.81] - 2023-03-14 + +### Fixed + +Fixed builds against OpenSSL built with `no-cast`. + +### Added + +* Added experimental bindgen support for BoringSSL. +* Added `X509_VERIFY_PARAM_set_auth_level`, `X509_VERIFY_PARAM_get_auth_level`, and `X509_VERIFY_PARAM_set_purpose`. +* Added `X509_PURPOSE_*` consts. +* Added `X509_NAME_add_entry`. +* Added `X509_load_crl_file`. +* Added `SSL_set_cipher_list`, `SSL_set_ssl_method`, `SSL_use_PrivateKey_file`, `SSL_use_PrivateKey`, `SSL_use_certificate`, `SSL_use_certificate_chain_file`, `SSL_set_client_CA_list`, `SSL_add_client_CA`, and `SSL_set0_verify_cert_store`. +* Added `X509_PURPOSE`, `X509_STORE_set_purpose`, and `X509_STORE_set_trust`. +* Added `SSL_CTX_set_num_tickets`, `SSL_set_num_tickets`, `SSL_CTX_get_num_tickets`, and `SSL_get_num_tickets`. +* Added `CMS_verify`. + +### Removed + +* Removed an unnecessary link to libatomic for 32-bit android targets. + ## [v0.9.80] - 2022-12-20 ### Fixed diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 4f057bf9fa..23e20109e7 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.80" +version = "0.9.81" authors = [ "Alex Crichton ", "Steven Fackler ", From 98f4d44997f30cbd468bd6e0146b7c98e9ba642d Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 14 Mar 2023 21:21:15 -0400 Subject: [PATCH 100/209] Release openssl v0.10.46 --- openssl/CHANGELOG.md | 30 ++++++++++++++++++++++++++++-- openssl/Cargo.toml | 4 ++-- 2 files changed, 30 insertions(+), 4 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 79dd8c2b42..6c0efdf616 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,7 +2,32 @@ ## [Unreleased] -* Added `CMS_verify`. +## [v0.10.46] - 2023-03-14 + +### Fixed + +* Fixed a potential null-pointer deref when parsing a PKCS#12 archive with no identity. +* Fixed builds against OpenSSL built with `no-cast`. +* Fixed debug formatting of `GeneralName`. + +### Deprecated + +* Deprecated `PKcs12Ref::parse` in favor of `Pkcs12Ref::parse2`. +* Deprecated `ParsedPkcs12` in favor of `ParsedPkcs12_2`. +* Deprecated `Pkcs12Builder::build` in favor of `Pkcs12Builder::build2`. + +### Added + +* Added `X509VerifyParamRef::set_auth_level`, `X509VerifyParamRef::auth_level`, and `X509VerifyParamRef::set_purpose`. +* Added `X509PurposeId` and `X509Purpose`. +* Added `X509NameBuilder::append_entry`. +* Added `PKeyRef::private_key_to_pkcs8`. +* Added `X509LookupRef::load_crl_file`. +* Added `Pkcs12Builder::name`, `Pkcs12Builder::pkey`, and `Pkcs12Builder::cert`. +* Added `SslRef::set_method`, `SslRef::set_private_key_file`, `SslRef::set_private_key`, `SslRef::set_certificate`, `SslRef::set_certificate_chain_file`, `SslRef::add_client_ca`, `SslRef::set_client_ca_list`, `SslRef::set_min_proto_version`, `SslREf::set_max_proto_version`, `SslRef::set_ciphersuites`, `SslRef::set_cipher_list`, `SslRef::set_verify_cert_store`. +* Added `X509NameRef::to_owned`. +* Added `SslContextBuilder::set_num_tickets`, `SslContextRef::num_tickets`, `SslRef::set_num_tickets`, and `SslRef::num_tickets`. +* Added `CmsContentInfo::verify`. ## [v0.10.45] - 2022-12-20 @@ -665,7 +690,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.45...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.46...master +[v0.10.46]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.45...openssl-v0.10.46 [v0.10.45]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.44...openssl-v0.10.45 [v0.10.44]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.43...openssl-v0.10.44 [v0.10.43]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.42...openssl-v0.10.43 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 1fd24448fd..42bc8fdcc4 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.45" +version = "0.10.46" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.80", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.81", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 816eb64c39ad09d8fa75bc97cd7d99be68a00f9b Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 14 Mar 2023 21:25:12 -0400 Subject: [PATCH 101/209] fix changelog --- openssl-sys/CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 194705320a..5a77e2f9f4 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -392,7 +392,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.80..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.81..master +[v0.9.81]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.80...openssl-sys-v0.9.81 [v0.9.80]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.79...openssl-sys-v0.9.80 [v0.9.79]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.78...openssl-sys-v0.9.79 [v0.9.78]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.77...openssl-sys-v0.9.78 From 2fe8b94066f1063ec78b0502052e4558379514a0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 15 Mar 2023 07:34:43 -0400 Subject: [PATCH 102/209] Enable X/Ed25519 support on BoringSSL --- openssl/src/pkey.rs | 36 ++++++++++++++++++++---------------- openssl/src/sign.rs | 12 ++++++------ 2 files changed, 26 insertions(+), 22 deletions(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 780bd637e5..ca9e08b253 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -47,7 +47,7 @@ use crate::dh::Dh; use crate::dsa::Dsa; use crate::ec::EcKey; use crate::error::ErrorStack; -#[cfg(ossl110)] +#[cfg(any(ossl110, boringssl))] use crate::pkey_ctx::PkeyCtx; use crate::rsa::Rsa; use crate::symm::Cipher; @@ -89,11 +89,11 @@ impl Id { #[cfg(ossl110)] pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub const ED25519: Id = Id(ffi::EVP_PKEY_ED25519); #[cfg(ossl111)] pub const ED448: Id = Id(ffi::EVP_PKEY_ED448); - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub const X25519: Id = Id(ffi::EVP_PKEY_X25519); #[cfg(ossl111)] pub const X448: Id = Id(ffi::EVP_PKEY_X448); @@ -252,7 +252,7 @@ where /// This function only works for algorithms that support raw public keys. /// Currently this is: [`Id::X25519`], [`Id::ED25519`], [`Id::X448`] or [`Id::ED448`]. #[corresponds(EVP_PKEY_get_raw_public_key)] - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn raw_public_key(&self) -> Result, ErrorStack> { unsafe { let mut len = 0; @@ -303,7 +303,7 @@ where /// This function only works for algorithms that support raw private keys. /// Currently this is: [`Id::HMAC`], [`Id::X25519`], [`Id::ED25519`], [`Id::X448`] or [`Id::ED448`]. #[corresponds(EVP_PKEY_get_raw_private_key)] - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn raw_private_key(&self) -> Result, ErrorStack> { unsafe { let mut len = 0; @@ -503,7 +503,7 @@ impl PKey { ctx.keygen() } - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] fn generate_eddsa(id: Id) -> Result, ErrorStack> { let mut ctx = PkeyCtx::new_id(id)?; ctx.keygen_init()?; @@ -533,7 +533,7 @@ impl PKey { /// assert_eq!(secret.len(), 32); /// # Ok(()) } /// ``` - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn generate_x25519() -> Result, ErrorStack> { PKey::generate_eddsa(Id::X25519) } @@ -587,7 +587,7 @@ impl PKey { /// assert_eq!(signature.len(), 64); /// # Ok(()) } /// ``` - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn generate_ed25519() -> Result, ErrorStack> { PKey::generate_eddsa(Id::ED25519) } @@ -737,7 +737,7 @@ impl PKey { /// /// Algorithm types that support raw private keys are HMAC, X25519, ED25519, X448 or ED448 #[corresponds(EVP_PKEY_new_raw_private_key)] - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn private_key_from_raw_bytes( bytes: &[u8], key_type: Id, @@ -778,7 +778,7 @@ impl PKey { /// /// Algorithm types that support raw public keys are X25519, ED25519, X448 or ED448 #[corresponds(EVP_PKEY_new_raw_public_key)] - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn public_key_from_raw_bytes( bytes: &[u8], key_type: Id, @@ -1084,7 +1084,7 @@ mod tests { assert_eq!(&g, dh_.generator()); } - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] fn test_raw_public_key(gen: fn() -> Result, ErrorStack>, key_type: Id) { // Generate a new key let key = gen().unwrap(); @@ -1100,7 +1100,7 @@ mod tests { ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] fn test_raw_private_key(gen: fn() -> Result, ErrorStack>, key_type: Id) { // Generate a new key let key = gen().unwrap(); @@ -1111,26 +1111,30 @@ mod tests { // Compare the der encoding of the original and raw / restored public key assert_eq!( - key.private_key_to_der().unwrap(), - from_raw.private_key_to_der().unwrap() + key.private_key_to_pkcs8().unwrap(), + from_raw.private_key_to_pkcs8().unwrap() ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] #[test] fn test_raw_public_key_bytes() { test_raw_public_key(PKey::generate_x25519, Id::X25519); test_raw_public_key(PKey::generate_ed25519, Id::ED25519); + #[cfg(not(boringssl))] test_raw_public_key(PKey::generate_x448, Id::X448); + #[cfg(not(boringssl))] test_raw_public_key(PKey::generate_ed448, Id::ED448); } - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] #[test] fn test_raw_private_key_bytes() { test_raw_private_key(PKey::generate_x25519, Id::X25519); test_raw_private_key(PKey::generate_ed25519, Id::ED25519); + #[cfg(not(boringssl))] test_raw_private_key(PKey::generate_x448, Id::X448); + #[cfg(not(boringssl))] test_raw_private_key(PKey::generate_ed448, Id::ED448); } diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 51738651c6..1c13a625b3 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -290,7 +290,7 @@ impl<'a> Signer<'a> { self.len_intern() } - #[cfg(not(ossl111))] + #[cfg(all(not(ossl111), not(boringssl)))] fn len_intern(&self) -> Result { unsafe { let mut len = 0; @@ -303,7 +303,7 @@ impl<'a> Signer<'a> { } } - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] fn len_intern(&self) -> Result { unsafe { let mut len = 0; @@ -360,7 +360,7 @@ impl<'a> Signer<'a> { /// OpenSSL documentation at [`EVP_DigestSign`]. /// /// [`EVP_DigestSign`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestSign.html - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn sign_oneshot( &mut self, sig_buf: &mut [u8], @@ -382,7 +382,7 @@ impl<'a> Signer<'a> { /// Returns the signature. /// /// This is a simple convenience wrapper over `len` and `sign_oneshot`. - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn sign_oneshot_to_vec(&mut self, data_buf: &[u8]) -> Result, ErrorStack> { let mut sig_buf = vec![0; self.len()?]; let len = self.sign_oneshot(&mut sig_buf, data_buf)?; @@ -596,7 +596,7 @@ impl<'a> Verifier<'a> { /// OpenSSL documentation at [`EVP_DigestVerify`]. /// /// [`EVP_DigestVerify`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestVerify.html - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] pub fn verify_oneshot(&mut self, signature: &[u8], buf: &[u8]) -> Result { unsafe { let r = ffi::EVP_DigestVerify( @@ -846,7 +846,7 @@ mod test { } #[test] - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl))] fn eddsa() { let key = PKey::generate_ed25519().unwrap(); From 0d44062e96937100563a425816b8b6859dcbb62a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 15 Mar 2023 17:05:43 -0400 Subject: [PATCH 103/209] Enable X/Ed25519 support on LibreSSL 3.7.0 --- openssl-sys/src/evp.rs | 4 ++-- openssl-sys/src/handwritten/evp.rs | 4 ++-- openssl-sys/src/obj_mac.rs | 4 ++++ openssl/src/pkey.rs | 36 +++++++++++++++--------------- openssl/src/sign.rs | 12 +++++----- 5 files changed, 32 insertions(+), 28 deletions(-) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index a98e438426..69b49fbb0b 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -10,9 +10,9 @@ pub const EVP_PKEY_RSA: c_int = NID_rsaEncryption; pub const EVP_PKEY_DSA: c_int = NID_dsa; pub const EVP_PKEY_DH: c_int = NID_dhKeyAgreement; pub const EVP_PKEY_EC: c_int = NID_X9_62_id_ecPublicKey; -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl370))] pub const EVP_PKEY_X25519: c_int = NID_X25519; -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl370))] pub const EVP_PKEY_ED25519: c_int = NID_ED25519; #[cfg(ossl111)] pub const EVP_PKEY_X448: c_int = NID_X448; diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 772709650b..1a05b7eae3 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -230,7 +230,7 @@ cfg_if! { } } cfg_if! { - if #[cfg(ossl111)] { + if #[cfg(any(ossl111, libressl370))] { extern "C" { pub fn EVP_DigestSign( ctx: *mut EVP_MD_CTX, @@ -566,7 +566,7 @@ const_ptr_api! { } cfg_if! { - if #[cfg(any(ossl111))] { + if #[cfg(any(ossl111, libressl370))] { extern "C" { pub fn EVP_PKEY_get_raw_public_key( pkey: *const EVP_PKEY, diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index ed50ebcc5f..1f8e10003a 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -920,12 +920,16 @@ pub const NID_aes_192_cbc_hmac_sha1: c_int = 917; pub const NID_aes_256_cbc_hmac_sha1: c_int = 918; #[cfg(ossl111)] pub const NID_X25519: c_int = 1034; +#[cfg(libressl370)] +pub const NID_X25519: c_int = 950; #[cfg(ossl111)] pub const NID_X448: c_int = 1035; #[cfg(ossl110)] pub const NID_hkdf: c_int = 1036; #[cfg(ossl111)] pub const NID_ED25519: c_int = 1087; +#[cfg(libressl370)] +pub const NID_ED25519: c_int = 952; #[cfg(ossl111)] pub const NID_ED448: c_int = 1088; #[cfg(ossl111)] diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index ca9e08b253..bec4bfdafc 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -47,7 +47,7 @@ use crate::dh::Dh; use crate::dsa::Dsa; use crate::ec::EcKey; use crate::error::ErrorStack; -#[cfg(any(ossl110, boringssl))] +#[cfg(any(ossl110, boringssl, libressl370))] use crate::pkey_ctx::PkeyCtx; use crate::rsa::Rsa; use crate::symm::Cipher; @@ -89,11 +89,11 @@ impl Id { #[cfg(ossl110)] pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub const ED25519: Id = Id(ffi::EVP_PKEY_ED25519); #[cfg(ossl111)] pub const ED448: Id = Id(ffi::EVP_PKEY_ED448); - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub const X25519: Id = Id(ffi::EVP_PKEY_X25519); #[cfg(ossl111)] pub const X448: Id = Id(ffi::EVP_PKEY_X448); @@ -252,7 +252,7 @@ where /// This function only works for algorithms that support raw public keys. /// Currently this is: [`Id::X25519`], [`Id::ED25519`], [`Id::X448`] or [`Id::ED448`]. #[corresponds(EVP_PKEY_get_raw_public_key)] - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn raw_public_key(&self) -> Result, ErrorStack> { unsafe { let mut len = 0; @@ -303,7 +303,7 @@ where /// This function only works for algorithms that support raw private keys. /// Currently this is: [`Id::HMAC`], [`Id::X25519`], [`Id::ED25519`], [`Id::X448`] or [`Id::ED448`]. #[corresponds(EVP_PKEY_get_raw_private_key)] - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn raw_private_key(&self) -> Result, ErrorStack> { unsafe { let mut len = 0; @@ -503,7 +503,7 @@ impl PKey { ctx.keygen() } - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] fn generate_eddsa(id: Id) -> Result, ErrorStack> { let mut ctx = PkeyCtx::new_id(id)?; ctx.keygen_init()?; @@ -533,7 +533,7 @@ impl PKey { /// assert_eq!(secret.len(), 32); /// # Ok(()) } /// ``` - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn generate_x25519() -> Result, ErrorStack> { PKey::generate_eddsa(Id::X25519) } @@ -587,7 +587,7 @@ impl PKey { /// assert_eq!(signature.len(), 64); /// # Ok(()) } /// ``` - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn generate_ed25519() -> Result, ErrorStack> { PKey::generate_eddsa(Id::ED25519) } @@ -737,7 +737,7 @@ impl PKey { /// /// Algorithm types that support raw private keys are HMAC, X25519, ED25519, X448 or ED448 #[corresponds(EVP_PKEY_new_raw_private_key)] - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn private_key_from_raw_bytes( bytes: &[u8], key_type: Id, @@ -778,7 +778,7 @@ impl PKey { /// /// Algorithm types that support raw public keys are X25519, ED25519, X448 or ED448 #[corresponds(EVP_PKEY_new_raw_public_key)] - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn public_key_from_raw_bytes( bytes: &[u8], key_type: Id, @@ -1084,7 +1084,7 @@ mod tests { assert_eq!(&g, dh_.generator()); } - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] fn test_raw_public_key(gen: fn() -> Result, ErrorStack>, key_type: Id) { // Generate a new key let key = gen().unwrap(); @@ -1100,7 +1100,7 @@ mod tests { ); } - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] fn test_raw_private_key(gen: fn() -> Result, ErrorStack>, key_type: Id) { // Generate a new key let key = gen().unwrap(); @@ -1116,25 +1116,25 @@ mod tests { ); } - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] #[test] fn test_raw_public_key_bytes() { test_raw_public_key(PKey::generate_x25519, Id::X25519); test_raw_public_key(PKey::generate_ed25519, Id::ED25519); - #[cfg(not(boringssl))] + #[cfg(all(not(boringssl), not(libressl370)))] test_raw_public_key(PKey::generate_x448, Id::X448); - #[cfg(not(boringssl))] + #[cfg(all(not(boringssl), not(libressl370)))] test_raw_public_key(PKey::generate_ed448, Id::ED448); } - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] #[test] fn test_raw_private_key_bytes() { test_raw_private_key(PKey::generate_x25519, Id::X25519); test_raw_private_key(PKey::generate_ed25519, Id::ED25519); - #[cfg(not(boringssl))] + #[cfg(all(not(boringssl), not(libressl370)))] test_raw_private_key(PKey::generate_x448, Id::X448); - #[cfg(not(boringssl))] + #[cfg(all(not(boringssl), not(libressl370)))] test_raw_private_key(PKey::generate_ed448, Id::ED448); } diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 1c13a625b3..406bb42e8f 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -290,7 +290,7 @@ impl<'a> Signer<'a> { self.len_intern() } - #[cfg(all(not(ossl111), not(boringssl)))] + #[cfg(all(not(ossl111), not(boringssl), not(libressl370)))] fn len_intern(&self) -> Result { unsafe { let mut len = 0; @@ -303,7 +303,7 @@ impl<'a> Signer<'a> { } } - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] fn len_intern(&self) -> Result { unsafe { let mut len = 0; @@ -360,7 +360,7 @@ impl<'a> Signer<'a> { /// OpenSSL documentation at [`EVP_DigestSign`]. /// /// [`EVP_DigestSign`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestSign.html - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn sign_oneshot( &mut self, sig_buf: &mut [u8], @@ -382,7 +382,7 @@ impl<'a> Signer<'a> { /// Returns the signature. /// /// This is a simple convenience wrapper over `len` and `sign_oneshot`. - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn sign_oneshot_to_vec(&mut self, data_buf: &[u8]) -> Result, ErrorStack> { let mut sig_buf = vec![0; self.len()?]; let len = self.sign_oneshot(&mut sig_buf, data_buf)?; @@ -596,7 +596,7 @@ impl<'a> Verifier<'a> { /// OpenSSL documentation at [`EVP_DigestVerify`]. /// /// [`EVP_DigestVerify`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestVerify.html - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] pub fn verify_oneshot(&mut self, signature: &[u8], buf: &[u8]) -> Result { unsafe { let r = ffi::EVP_DigestVerify( @@ -846,7 +846,7 @@ mod test { } #[test] - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, libressl370))] fn eddsa() { let key = PKey::generate_ed25519().unwrap(); From 4bc21b01fe2010c11444e0f5f72592bd7c5f38d5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 18 Mar 2023 21:39:29 -0400 Subject: [PATCH 104/209] Expose the raw library and reason codes on Error --- openssl/src/error.rs | 48 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 37 insertions(+), 11 deletions(-) diff --git a/openssl/src/error.rs b/openssl/src/error.rs index f9a7c54b8f..064d635234 100644 --- a/openssl/src/error.rs +++ b/openssl/src/error.rs @@ -198,11 +198,7 @@ impl Error { self.line, self.func.as_ref().map_or(ptr::null(), |s| s.as_ptr()), ); - ffi::ERR_set_error( - ffi::ERR_GET_LIB(self.code), - ffi::ERR_GET_REASON(self.code), - ptr::null(), - ); + ffi::ERR_set_error(self.library_code(), self.reason_code(), ptr::null()); } } @@ -214,9 +210,9 @@ impl Error { let line = self.line.try_into().unwrap(); unsafe { ffi::ERR_put_error( - ffi::ERR_GET_LIB(self.code), + self.library_code(), ffi::ERR_GET_FUNC(self.code), - ffi::ERR_GET_REASON(self.code), + self.reason_code(), self.file.as_ptr(), line, ); @@ -240,6 +236,15 @@ impl Error { } } + /// Returns the raw OpenSSL error constant for the library reporting the + /// error. + // On BoringSSL ERR_GET_{LIB,FUNC,REASON} are `unsafe`, but on + // OpenSSL/LibreSSL they're safe. + #[allow(unused_unsafe)] + pub fn library_code(&self) -> libc::c_int { + unsafe { ffi::ERR_GET_LIB(self.code) } + } + /// Returns the name of the function reporting the error. pub fn function(&self) -> Option> { self.func.as_ref().map(|s| s.as_str()) @@ -257,6 +262,14 @@ impl Error { } } + /// Returns the raw OpenSSL error constant for the reason for the error. + // On BoringSSL ERR_GET_{LIB,FUNC,REASON} are `unsafe`, but on + // OpenSSL/LibreSSL they're safe. + #[allow(unused_unsafe)] + pub fn reason_code(&self) -> libc::c_int { + unsafe { ffi::ERR_GET_REASON(self.code) } + } + /// Returns the name of the source file which encountered the error. pub fn file(&self) -> RetStr<'_> { self.file.as_str() @@ -304,7 +317,7 @@ impl fmt::Display for Error { write!(fmt, "error:{:08X}", self.code())?; match self.library() { Some(l) => write!(fmt, ":{}", l)?, - None => write!(fmt, ":lib({})", unsafe { ffi::ERR_GET_LIB(self.code()) })?, + None => write!(fmt, ":lib({})", self.library_code())?, } match self.function() { Some(f) => write!(fmt, ":{}", f)?, @@ -312,9 +325,7 @@ impl fmt::Display for Error { } match self.reason() { Some(r) => write!(fmt, ":{}", r)?, - None => write!(fmt, ":reason({})", unsafe { - ffi::ERR_GET_REASON(self.code()) - })?, + None => write!(fmt, ":reason({})", self.reason_code())?, } write!( fmt, @@ -387,3 +398,18 @@ cfg_if! { } } } + +#[cfg(test)] +mod tests { + use crate::nid::Nid; + + #[test] + fn test_error_library_code() { + let stack = Nid::create("not-an-oid", "invalid", "invalid").unwrap_err(); + let errors = stack.errors(); + #[cfg(not(boringssl))] + assert_eq!(errors[0].library_code(), ffi::ERR_LIB_ASN1); + #[cfg(boringssl)] + assert_eq!(errors[0].library_code(), ffi::ERR_LIB_OBJ as libc::c_int); + } +} From 286320cd0d0c4745b0f78f9ccbfc0ebaa0e46a6f Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 19 Mar 2023 19:39:09 -0400 Subject: [PATCH 105/209] bump libressl to 3.7.1 --- .github/workflows/ci.yml | 24 ++---------------------- openssl-sys/build/main.rs | 3 ++- 2 files changed, 4 insertions(+), 23 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4d2df5397b..16f873bd95 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -181,17 +181,7 @@ jobs: bindgen: true library: name: libressl - version: 3.5.3 - - target: x86_64-unknown-linux-gnu - bindgen: true - library: - name: libressl - version: 3.6.1 - - target: x86_64-unknown-linux-gnu - bindgen: true - library: - name: libressl - version: 3.7.0 + version: 3.7.1 - target: x86_64-unknown-linux-gnu bindgen: false library: @@ -201,17 +191,7 @@ jobs: bindgen: false library: name: libressl - version: 3.5.3 - - target: x86_64-unknown-linux-gnu - bindgen: false - library: - name: libressl - version: 3.6.1 - - target: x86_64-unknown-linux-gnu - bindgen: false - library: - name: libressl - version: 3.7.0 + version: 3.7.1 name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} runs-on: ubuntu-latest env: diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index c5a68a630a..3357518f55 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -294,6 +294,7 @@ See rust-openssl documentation for more information: (3, 6, 0) => ('3', '6', '0'), (3, 6, _) => ('3', '6', 'x'), (3, 7, 0) => ('3', '7', '0'), + (3, 7, 1) => ('3', '7', '1'), _ => version_error(), }; @@ -336,7 +337,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.7.0, but a different version of OpenSSL was found. The build is now aborting +through 3.7.1, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " From 803e245fa5721ac30a36888565f18c102567d877 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 19 Mar 2023 19:55:23 -0400 Subject: [PATCH 106/209] Release openssl-sys v0.9.82 --- openssl-sys/CHANGELOG.md | 10 +++++++++- openssl-sys/Cargo.toml | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 5a77e2f9f4..3cb0711817 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,13 @@ ## [Unreleased] +## [v0.9.82] - 2023-03-19 + +### Added + +* Added support for LibreSSL 3.7.1. +* Added support for X25519 and Ed25519 on LibreSSL and BoringSSL. + ## [v0.9.81] - 2023-03-14 ### Fixed @@ -392,7 +399,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.81..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.82..master +[v0.9.82]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.81...openssl-sys-v0.9.82 [v0.9.81]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.80...openssl-sys-v0.9.81 [v0.9.80]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.79...openssl-sys-v0.9.80 [v0.9.79]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.78...openssl-sys-v0.9.79 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 23e20109e7..ed3161c784 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.81" +version = "0.9.82" authors = [ "Alex Crichton ", "Steven Fackler ", From ead5e0a0aa27ce440285a5eefd04acc8488e56db Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 19 Mar 2023 19:57:55 -0400 Subject: [PATCH 107/209] Release openssl v0.10.47 --- openssl/CHANGELOG.md | 10 +++++++++- openssl/Cargo.toml | 4 ++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 6c0efdf616..7de74b8045 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,13 @@ ## [Unreleased] +## [v0.10.47] - 2023-03-19 + +### Added + +* Added support for X25519 and Ed25519 on LibreSSL and BoringSSL. +* Added `Error::library_code` and `Error::reason_code`. + ## [v0.10.46] - 2023-03-14 ### Fixed @@ -690,7 +697,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.46...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...master +[v0.10.47]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.46...openssl-v0.10.47 [v0.10.46]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.45...openssl-v0.10.46 [v0.10.45]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.44...openssl-v0.10.45 [v0.10.44]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.43...openssl-v0.10.44 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 42bc8fdcc4..158acff5a3 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.46" +version = "0.10.47" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.81", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.82", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 8f920041cc5e7da1863218d1cf264c27c7f6a9c5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 20 Mar 2023 20:38:57 -0400 Subject: [PATCH 108/209] Skip a test that hangs on OpenSSL 3.1.0 --- openssl/build.rs | 3 +++ openssl/src/error.rs | 3 +++ 2 files changed, 6 insertions(+) diff --git a/openssl/build.rs b/openssl/build.rs index 5cddce90c2..5441606b28 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -50,6 +50,9 @@ fn main() { if version >= 0x3_00_00_00_0 { println!("cargo:rustc-cfg=ossl300"); } + if version >= 0x3_01_00_00_0 { + println!("cargo:rustc-cfg=ossl310"); + } } if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { diff --git a/openssl/src/error.rs b/openssl/src/error.rs index 064d635234..e097ce6881 100644 --- a/openssl/src/error.rs +++ b/openssl/src/error.rs @@ -401,9 +401,12 @@ cfg_if! { #[cfg(test)] mod tests { + #[cfg(not(ossl310))] use crate::nid::Nid; #[test] + // Due to a bug in OpenSSL 3.1.0, this test can hang there. Skip for now. + #[cfg(not(ossl310))] fn test_error_library_code() { let stack = Nid::create("not-an-oid", "invalid", "invalid").unwrap_err(); let errors = stack.errors(); From 4ecaf691c889d03bb5699ef2fa1c01665e430593 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 20 Mar 2023 20:51:18 -0400 Subject: [PATCH 109/209] Fix LibreSSL version checking in openssl/ Previously it only did exact version matching -- different from how OpenSSL worked, and causing it to make many APIs exposed only on a single version of LibreSSL. This fixes that, and in the process identifies a bug in openssl-sys. --- openssl-sys/build/cfgs.rs | 3 +++ openssl/build.rs | 53 +++++++++++++++++++++++++++++++++++++-- 2 files changed, 54 insertions(+), 2 deletions(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index d925d90ad7..960515f00f 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -31,6 +31,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x2_09_01_00_0 { cfgs.push("libressl291"); } + if libressl_version >= 0x3_01_00_00_0 { + cfgs.push("libressl310"); + } if libressl_version >= 0x3_02_01_00_0 { cfgs.push("libressl321"); } diff --git a/openssl/build.rs b/openssl/build.rs index 5441606b28..0a974b33e6 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -16,8 +16,57 @@ fn main() { return; } - if let Ok(v) = env::var("DEP_OPENSSL_LIBRESSL_VERSION") { - println!("cargo:rustc-cfg=libressl{}", v); + if let Ok(v) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { + let version = u64::from_str_radix(&v, 16).unwrap(); + + if version >= 0x2_05_00_00_0 { + println!("cargo:rustc-cfg=libressl250"); + } + if version >= 0x2_05_01_00_0 { + println!("cargo:rustc-cfg=libressl251"); + } + if version >= 0x2_06_01_00_0 { + println!("cargo:rustc-cfg=libressl261"); + } + if version >= 0x2_07_00_00_0 { + println!("cargo:rustc-cfg=libressl270"); + } + if version >= 0x2_07_01_00_0 { + println!("cargo:rustc-cfg=libressl271"); + } + if version >= 0x2_07_03_00_0 { + println!("cargo:rustc-cfg=libressl273"); + } + if version >= 0x2_08_00_00_0 { + println!("cargo:rustc-cfg=libressl280"); + } + if version >= 0x2_09_01_00_0 { + println!("cargo:rustc-cfg=libressl291"); + } + if version >= 0x3_01_00_00_0 { + println!("cargo:rustc-cfg=libressl310"); + } + if version >= 0x3_02_01_00_0 { + println!("cargo:rustc-cfg=libressl321"); + } + if version >= 0x3_03_02_00_0 { + println!("cargo:rustc-cfg=libressl332"); + } + if version >= 0x3_04_00_00_0 { + println!("cargo:rustc-cfg=libressl340"); + } + if version >= 0x3_05_00_00_0 { + println!("cargo:rustc-cfg=libressl350"); + } + if version >= 0x3_06_00_00_0 { + println!("cargo:rustc-cfg=libressl360"); + } + if version >= 0x3_06_01_00_0 { + println!("cargo:rustc-cfg=libressl361"); + } + if version >= 0x3_07_00_00_0 { + println!("cargo:rustc-cfg=libressl370"); + } } if let Ok(vars) = env::var("DEP_OPENSSL_CONF") { From e5b6d97ed170f835b56440d79edcd46381a46ebc Mon Sep 17 00:00:00 2001 From: Samuel Moelius Date: Wed, 22 Mar 2023 20:21:07 -0400 Subject: [PATCH 110/209] Improve reliability of some tests --- openssl/src/ssl/test/mod.rs | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 1eb9fe4bad..03dc89e5c3 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -84,17 +84,21 @@ fn verify_trusted_with_set_cert() { #[test] fn verify_untrusted_callback_override_ok() { + static CALLED_BACK: AtomicBool = AtomicBool::new(false); + let server = Server::builder().build(); let mut client = server.client(); client .ctx() .set_verify_callback(SslVerifyMode::PEER, |_, x509| { + CALLED_BACK.store(true, Ordering::SeqCst); assert!(x509.current_cert().is_some()); true }); client.connect(); + assert!(CALLED_BACK.load(Ordering::SeqCst)); } #[test] @@ -113,6 +117,8 @@ fn verify_untrusted_callback_override_bad() { #[test] fn verify_trusted_callback_override_ok() { + static CALLED_BACK: AtomicBool = AtomicBool::new(false); + let server = Server::builder().build(); let mut client = server.client(); @@ -120,11 +126,13 @@ fn verify_trusted_callback_override_ok() { client .ctx() .set_verify_callback(SslVerifyMode::PEER, |_, x509| { + CALLED_BACK.store(true, Ordering::SeqCst); assert!(x509.current_cert().is_some()); true }); client.connect(); + assert!(CALLED_BACK.load(Ordering::SeqCst)); } #[test] @@ -144,21 +152,27 @@ fn verify_trusted_callback_override_bad() { #[test] fn verify_callback_load_certs() { + static CALLED_BACK: AtomicBool = AtomicBool::new(false); + let server = Server::builder().build(); let mut client = server.client(); client .ctx() .set_verify_callback(SslVerifyMode::PEER, |_, x509| { + CALLED_BACK.store(true, Ordering::SeqCst); assert!(x509.current_cert().is_some()); true }); client.connect(); + assert!(CALLED_BACK.load(Ordering::SeqCst)); } #[test] fn verify_trusted_get_error_ok() { + static CALLED_BACK: AtomicBool = AtomicBool::new(false); + let server = Server::builder().build(); let mut client = server.client(); @@ -166,11 +180,13 @@ fn verify_trusted_get_error_ok() { client .ctx() .set_verify_callback(SslVerifyMode::PEER, |_, x509| { + CALLED_BACK.store(true, Ordering::SeqCst); assert_eq!(x509.error(), X509VerifyResult::OK); true }); client.connect(); + assert!(CALLED_BACK.load(Ordering::SeqCst)); } #[test] @@ -469,8 +485,11 @@ fn test_alpn_server_select_none_fatal() { #[test] #[cfg(any(ossl102, libressl261))] fn test_alpn_server_select_none() { + static CALLED_BACK: AtomicBool = AtomicBool::new(false); + let mut server = Server::builder(); server.ctx().set_alpn_select_callback(|_, client| { + CALLED_BACK.store(true, Ordering::SeqCst); ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client).ok_or(ssl::AlpnError::NOACK) }); let server = server.build(); @@ -479,6 +498,7 @@ fn test_alpn_server_select_none() { client.ctx().set_alpn_protos(b"\x06http/2").unwrap(); let s = client.connect(); assert_eq!(None, s.ssl().selected_alpn_protocol()); + assert!(CALLED_BACK.load(Ordering::SeqCst)); } #[test] @@ -595,7 +615,7 @@ fn refcount_ssl_context() { { let new_ctx_a = SslContext::builder(SslMethod::tls()).unwrap().build(); - let _new_ctx_b = ssl.set_ssl_context(&new_ctx_a); + ssl.set_ssl_context(&new_ctx_a).unwrap(); } } @@ -731,7 +751,7 @@ fn connector_no_hostname_still_verifies() { } #[test] -fn connector_no_hostname_can_disable_verify() { +fn connector_can_disable_verify() { let server = Server::builder().build(); let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); @@ -742,8 +762,7 @@ fn connector_no_hostname_can_disable_verify() { let mut s = connector .configure() .unwrap() - .verify_hostname(false) - .connect("foobar.com", s) + .connect("fizzbuzz.com", s) .unwrap(); s.read_exact(&mut [0]).unwrap(); } From 482575bff434f58b80ffea34a9610d0ff265ac1f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 21 Mar 2023 20:20:26 -0400 Subject: [PATCH 111/209] Resolve an injection vulnerability in SAN creation --- openssl-sys/src/handwritten/x509.rs | 7 ++ openssl-sys/src/handwritten/x509v3.rs | 1 + openssl/src/x509/extension.rs | 69 ++++++++++++++------ openssl/src/x509/mod.rs | 94 ++++++++++++++++++++++++++- openssl/src/x509/tests.rs | 38 +++++++++++ 5 files changed, 185 insertions(+), 24 deletions(-) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 8762e5f98d..abda4110cf 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -550,6 +550,13 @@ extern "C" { pub fn X509_EXTENSION_get_object(ext: *mut X509_EXTENSION) -> *mut ASN1_OBJECT; pub fn X509_EXTENSION_get_data(ext: *mut X509_EXTENSION) -> *mut ASN1_OCTET_STRING; } + +const_ptr_api! { + extern "C" { + pub fn i2d_X509_EXTENSION(ext: #[const_ptr_if(ossl300)] X509_EXTENSION, pp: *mut *mut c_uchar) -> c_int; + } +} + const_ptr_api! { extern "C" { // in X509 diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index d0923e32b2..4f661ca5ec 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -4,6 +4,7 @@ use libc::*; pub enum CONF_METHOD {} extern "C" { + pub fn GENERAL_NAME_new() -> *mut GENERAL_NAME; pub fn GENERAL_NAME_free(name: *mut GENERAL_NAME); } diff --git a/openssl/src/x509/extension.rs b/openssl/src/x509/extension.rs index ebbea1c885..21d8faac35 100644 --- a/openssl/src/x509/extension.rs +++ b/openssl/src/x509/extension.rs @@ -20,7 +20,8 @@ use std::fmt::Write; use crate::error::ErrorStack; use crate::nid::Nid; -use crate::x509::{X509Extension, X509v3Context}; +use crate::x509::{Asn1Object, GeneralName, Stack, X509Extension, X509v3Context}; +use foreign_types::ForeignType; /// An extension which indicates whether a certificate is a CA certificate. pub struct BasicConstraints { @@ -463,11 +464,19 @@ impl AuthorityKeyIdentifier { } } +enum RustGeneralName { + Dns(String), + Email(String), + Uri(String), + Ip(String), + Rid(String), +} + /// An extension that allows additional identities to be bound to the subject /// of the certificate. pub struct SubjectAlternativeName { critical: bool, - names: Vec, + items: Vec, } impl Default for SubjectAlternativeName { @@ -481,7 +490,7 @@ impl SubjectAlternativeName { pub fn new() -> SubjectAlternativeName { SubjectAlternativeName { critical: false, - names: vec![], + items: vec![], } } @@ -493,55 +502,73 @@ impl SubjectAlternativeName { /// Sets the `email` flag. pub fn email(&mut self, email: &str) -> &mut SubjectAlternativeName { - self.names.push(format!("email:{}", email)); + self.items.push(RustGeneralName::Email(email.to_string())); self } /// Sets the `uri` flag. pub fn uri(&mut self, uri: &str) -> &mut SubjectAlternativeName { - self.names.push(format!("URI:{}", uri)); + self.items.push(RustGeneralName::Uri(uri.to_string())); self } /// Sets the `dns` flag. pub fn dns(&mut self, dns: &str) -> &mut SubjectAlternativeName { - self.names.push(format!("DNS:{}", dns)); + self.items.push(RustGeneralName::Dns(dns.to_string())); self } /// Sets the `rid` flag. pub fn rid(&mut self, rid: &str) -> &mut SubjectAlternativeName { - self.names.push(format!("RID:{}", rid)); + self.items.push(RustGeneralName::Rid(rid.to_string())); self } /// Sets the `ip` flag. pub fn ip(&mut self, ip: &str) -> &mut SubjectAlternativeName { - self.names.push(format!("IP:{}", ip)); + self.items.push(RustGeneralName::Ip(ip.to_string())); self } /// Sets the `dirName` flag. - pub fn dir_name(&mut self, dir_name: &str) -> &mut SubjectAlternativeName { - self.names.push(format!("dirName:{}", dir_name)); - self + /// + /// Not currently actually supported, always panics. + #[deprecated = "dir_name is deprecated and always panics. Please file a bug if you have a use case for this."] + pub fn dir_name(&mut self, _dir_name: &str) -> &mut SubjectAlternativeName { + unimplemented!( + "This has not yet been adapted for the new internals. File a bug if you need this." + ); } /// Sets the `otherName` flag. - pub fn other_name(&mut self, other_name: &str) -> &mut SubjectAlternativeName { - self.names.push(format!("otherName:{}", other_name)); - self + /// + /// Not currently actually supported, always panics. + #[deprecated = "other_name is deprecated and always panics. Please file a bug if you have a use case for this."] + pub fn other_name(&mut self, _other_name: &str) -> &mut SubjectAlternativeName { + unimplemented!( + "This has not yet been adapted for the new internals. File a bug if you need this." + ); } /// Return a `SubjectAlternativeName` extension as an `X509Extension`. - pub fn build(&self, ctx: &X509v3Context<'_>) -> Result { - let mut value = String::new(); - let mut first = true; - append(&mut value, &mut first, self.critical, "critical"); - for name in &self.names { - append(&mut value, &mut first, true, name); + pub fn build(&self, _ctx: &X509v3Context<'_>) -> Result { + let mut stack = Stack::new()?; + for item in &self.items { + let gn = match item { + RustGeneralName::Dns(s) => GeneralName::new_dns(s.as_bytes())?, + RustGeneralName::Email(s) => GeneralName::new_email(s.as_bytes())?, + RustGeneralName::Uri(s) => GeneralName::new_uri(s.as_bytes())?, + RustGeneralName::Ip(s) => { + GeneralName::new_ip(s.parse().map_err(|_| ErrorStack::get())?)? + } + RustGeneralName::Rid(s) => GeneralName::new_rid(Asn1Object::from_str(s)?)?, + }; + stack.push(gn)?; + } + + unsafe { + X509Extension::new_internal(Nid::SUBJECT_ALT_NAME, self.critical, stack.as_ptr().cast()) } - X509Extension::new_nid(None, Some(ctx), Nid::SUBJECT_ALT_NAME, &value) } } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 4f08bbc667..3d8f236fd5 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -9,9 +9,9 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef, Opaque}; -use libc::{c_int, c_long, c_uint}; +use libc::{c_int, c_long, c_uint, c_void}; use std::cmp::{self, Ordering}; -use std::convert::TryFrom; +use std::convert::{TryFrom, TryInto}; use std::error::Error; use std::ffi::{CStr, CString}; use std::fmt; @@ -24,7 +24,8 @@ use std::slice; use std::str; use crate::asn1::{ - Asn1BitStringRef, Asn1IntegerRef, Asn1ObjectRef, Asn1StringRef, Asn1TimeRef, Asn1Type, + Asn1BitStringRef, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, Asn1StringRef, Asn1TimeRef, + Asn1Type, }; use crate::bio::MemBioSlice; use crate::conf::ConfRef; @@ -851,6 +852,15 @@ impl X509Extension { } } + pub(crate) unsafe fn new_internal( + nid: Nid, + critical: bool, + value: *mut c_void, + ) -> Result { + ffi::init(); + cvt_p(ffi::X509V3_EXT_i2d(nid.as_raw(), critical as _, value)).map(X509Extension) + } + /// Adds an alias for an extension /// /// # Safety @@ -863,6 +873,15 @@ impl X509Extension { } } +impl X509ExtensionRef { + to_der! { + /// Serializes the Extension to its standard DER encoding. + #[corresponds(i2d_X509_EXTENSION)] + to_der, + ffi::i2d_X509_EXTENSION + } +} + /// A builder used to construct an `X509Name`. pub struct X509NameBuilder(X509Name); @@ -1715,6 +1734,75 @@ foreign_type_and_impl_send_sync! { pub struct GeneralNameRef; } +impl GeneralName { + unsafe fn new( + type_: c_int, + asn1_type: Asn1Type, + value: &[u8], + ) -> Result { + ffi::init(); + let gn = GeneralName::from_ptr(cvt_p(ffi::GENERAL_NAME_new())?); + (*gn.as_ptr()).type_ = type_; + let s = cvt_p(ffi::ASN1_STRING_type_new(asn1_type.as_raw()))?; + ffi::ASN1_STRING_set(s, value.as_ptr().cast(), value.len().try_into().unwrap()); + + #[cfg(boringssl)] + { + (*gn.as_ptr()).d.ptr = s.cast(); + } + #[cfg(not(boringssl))] + { + (*gn.as_ptr()).d = s.cast(); + } + + Ok(gn) + } + + pub(crate) fn new_email(email: &[u8]) -> Result { + unsafe { GeneralName::new(ffi::GEN_EMAIL, Asn1Type::IA5STRING, email) } + } + + pub(crate) fn new_dns(dns: &[u8]) -> Result { + unsafe { GeneralName::new(ffi::GEN_DNS, Asn1Type::IA5STRING, dns) } + } + + pub(crate) fn new_uri(uri: &[u8]) -> Result { + unsafe { GeneralName::new(ffi::GEN_URI, Asn1Type::IA5STRING, uri) } + } + + pub(crate) fn new_ip(ip: IpAddr) -> Result { + match ip { + IpAddr::V4(addr) => unsafe { + GeneralName::new(ffi::GEN_IPADD, Asn1Type::OCTET_STRING, &addr.octets()) + }, + IpAddr::V6(addr) => unsafe { + GeneralName::new(ffi::GEN_IPADD, Asn1Type::OCTET_STRING, &addr.octets()) + }, + } + } + + pub(crate) fn new_rid(oid: Asn1Object) -> Result { + unsafe { + ffi::init(); + let gn = cvt_p(ffi::GENERAL_NAME_new())?; + (*gn).type_ = ffi::GEN_RID; + + #[cfg(boringssl)] + { + (*gn).d.registeredID = oid.as_ptr(); + } + #[cfg(not(boringssl))] + { + (*gn).d = oid.as_ptr().cast(); + } + + mem::forget(oid); + + Ok(GeneralName::from_ptr(gn)) + } + } +} + impl GeneralNameRef { fn ia5_string(&self, ffi_type: c_int) -> Option<&str> { unsafe { diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 5c563a2192..41a9bc4d61 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -287,6 +287,44 @@ fn x509_builder() { assert_eq!(serial, x509.serial_number().to_bn().unwrap()); } +#[test] +fn x509_extension_to_der() { + let builder = X509::builder().unwrap(); + + for (ext, expected) in [ + ( + BasicConstraints::new().critical().ca().build().unwrap(), + b"0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff" as &[u8], + ), + ( + SubjectAlternativeName::new() + .dns("example.com,DNS:example2.com") + .build(&builder.x509v3_context(None, None)) + .unwrap(), + b"0'\x06\x03U\x1d\x11\x04 0\x1e\x82\x1cexample.com,DNS:example2.com", + ), + ( + SubjectAlternativeName::new() + .rid("1.2.3.4") + .uri("https://example.com") + .build(&builder.x509v3_context(None, None)) + .unwrap(), + b"0#\x06\x03U\x1d\x11\x04\x1c0\x1a\x88\x03*\x03\x04\x86\x13https://example.com", + ), + ( + ExtendedKeyUsage::new() + .server_auth() + .other("2.999.1") + .other("clientAuth") + .build() + .unwrap(), + b"0\x22\x06\x03U\x1d%\x04\x1b0\x19\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x03\x887\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x02", + ), + ] { + assert_eq!(&ext.to_der().unwrap(), expected); + } +} + #[test] fn x509_req_builder() { let pkey = pkey(); From 332311b597cc444a10d4acaf122ee58bd1bc8ff8 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 21 Mar 2023 20:31:02 -0400 Subject: [PATCH 112/209] Resolve an injection vulnerability in EKU creation --- openssl/src/asn1.rs | 5 ++ openssl/src/x509/extension.rs | 92 +++++++++-------------------------- openssl/src/x509/tests.rs | 8 +++ 3 files changed, 35 insertions(+), 70 deletions(-) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 55de049c08..c0178c7e65 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -39,6 +39,7 @@ use crate::bio::MemBio; use crate::bn::{BigNum, BigNumRef}; use crate::error::ErrorStack; use crate::nid::Nid; +use crate::stack::Stackable; use crate::string::OpensslString; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; @@ -592,6 +593,10 @@ foreign_type_and_impl_send_sync! { pub struct Asn1ObjectRef; } +impl Stackable for Asn1Object { + type StackType = ffi::stack_st_ASN1_OBJECT; +} + impl Asn1Object { /// Constructs an ASN.1 Object Identifier from a string representation of the OID. #[corresponds(OBJ_txt2obj)] diff --git a/openssl/src/x509/extension.rs b/openssl/src/x509/extension.rs index 21d8faac35..f04d227960 100644 --- a/openssl/src/x509/extension.rs +++ b/openssl/src/x509/extension.rs @@ -18,9 +18,10 @@ //! ``` use std::fmt::Write; +use crate::asn1::Asn1Object; use crate::error::ErrorStack; use crate::nid::Nid; -use crate::x509::{Asn1Object, GeneralName, Stack, X509Extension, X509v3Context}; +use crate::x509::{GeneralName, Stack, X509Extension, X509v3Context}; use foreign_types::ForeignType; /// An extension which indicates whether a certificate is a CA certificate. @@ -223,18 +224,7 @@ impl KeyUsage { /// for which the certificate public key can be used for. pub struct ExtendedKeyUsage { critical: bool, - server_auth: bool, - client_auth: bool, - code_signing: bool, - email_protection: bool, - time_stamping: bool, - ms_code_ind: bool, - ms_code_com: bool, - ms_ctl_sign: bool, - ms_sgc: bool, - ms_efs: bool, - ns_sgc: bool, - other: Vec, + items: Vec, } impl Default for ExtendedKeyUsage { @@ -248,18 +238,7 @@ impl ExtendedKeyUsage { pub fn new() -> ExtendedKeyUsage { ExtendedKeyUsage { critical: false, - server_auth: false, - client_auth: false, - code_signing: false, - email_protection: false, - time_stamping: false, - ms_code_ind: false, - ms_code_com: false, - ms_ctl_sign: false, - ms_sgc: false, - ms_efs: false, - ns_sgc: false, - other: vec![], + items: vec![], } } @@ -271,101 +250,74 @@ impl ExtendedKeyUsage { /// Sets the `serverAuth` flag to `true`. pub fn server_auth(&mut self) -> &mut ExtendedKeyUsage { - self.server_auth = true; - self + self.other("serverAuth") } /// Sets the `clientAuth` flag to `true`. pub fn client_auth(&mut self) -> &mut ExtendedKeyUsage { - self.client_auth = true; - self + self.other("clientAuth") } /// Sets the `codeSigning` flag to `true`. pub fn code_signing(&mut self) -> &mut ExtendedKeyUsage { - self.code_signing = true; - self + self.other("codeSigning") } /// Sets the `emailProtection` flag to `true`. pub fn email_protection(&mut self) -> &mut ExtendedKeyUsage { - self.email_protection = true; - self + self.other("emailProtection") } /// Sets the `timeStamping` flag to `true`. pub fn time_stamping(&mut self) -> &mut ExtendedKeyUsage { - self.time_stamping = true; - self + self.other("timeStamping") } /// Sets the `msCodeInd` flag to `true`. pub fn ms_code_ind(&mut self) -> &mut ExtendedKeyUsage { - self.ms_code_ind = true; - self + self.other("msCodeInd") } /// Sets the `msCodeCom` flag to `true`. pub fn ms_code_com(&mut self) -> &mut ExtendedKeyUsage { - self.ms_code_com = true; - self + self.other("msCodeCom") } /// Sets the `msCTLSign` flag to `true`. pub fn ms_ctl_sign(&mut self) -> &mut ExtendedKeyUsage { - self.ms_ctl_sign = true; - self + self.other("msCTLSign") } /// Sets the `msSGC` flag to `true`. pub fn ms_sgc(&mut self) -> &mut ExtendedKeyUsage { - self.ms_sgc = true; - self + self.other("msSGC") } /// Sets the `msEFS` flag to `true`. pub fn ms_efs(&mut self) -> &mut ExtendedKeyUsage { - self.ms_efs = true; - self + self.other("msEFS") } /// Sets the `nsSGC` flag to `true`. pub fn ns_sgc(&mut self) -> &mut ExtendedKeyUsage { - self.ns_sgc = true; - self + self.other("nsSGC") } /// Sets a flag not already defined. pub fn other(&mut self, other: &str) -> &mut ExtendedKeyUsage { - self.other.push(other.to_owned()); + self.items.push(other.to_string()); self } /// Return the `ExtendedKeyUsage` extension as an `X509Extension`. pub fn build(&self) -> Result { - let mut value = String::new(); - let mut first = true; - append(&mut value, &mut first, self.critical, "critical"); - append(&mut value, &mut first, self.server_auth, "serverAuth"); - append(&mut value, &mut first, self.client_auth, "clientAuth"); - append(&mut value, &mut first, self.code_signing, "codeSigning"); - append( - &mut value, - &mut first, - self.email_protection, - "emailProtection", - ); - append(&mut value, &mut first, self.time_stamping, "timeStamping"); - append(&mut value, &mut first, self.ms_code_ind, "msCodeInd"); - append(&mut value, &mut first, self.ms_code_com, "msCodeCom"); - append(&mut value, &mut first, self.ms_ctl_sign, "msCTLSign"); - append(&mut value, &mut first, self.ms_sgc, "msSGC"); - append(&mut value, &mut first, self.ms_efs, "msEFS"); - append(&mut value, &mut first, self.ns_sgc, "nsSGC"); - for other in &self.other { - append(&mut value, &mut first, true, other); + let mut stack = Stack::new()?; + for item in &self.items { + stack.push(Asn1Object::from_str(item)?)?; + } + unsafe { + X509Extension::new_internal(Nid::EXT_KEY_USAGE, self.critical, stack.as_ptr().cast()) } - X509Extension::new_nid(None, None, Nid::EXT_KEY_USAGE, &value) } } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 41a9bc4d61..91fd36790c 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -325,6 +325,14 @@ fn x509_extension_to_der() { } } +#[test] +fn eku_invalid_other() { + assert!(ExtendedKeyUsage::new() + .other("1.1.1.1.1,2.2.2.2.2") + .build() + .is_err()); +} + #[test] fn x509_req_builder() { let pkey = pkey(); From 78aa9aa22cfd58ac33d1e19184cec667438fd2a1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 21 Mar 2023 20:44:15 -0400 Subject: [PATCH 113/209] Always provide an X509V3Context in X509Extension::new because OpenSSL requires it for some extensions (and segfaults without) --- openssl/src/x509/mod.rs | 40 +++++++++++++++++++++++++++++++++++---- openssl/src/x509/tests.rs | 10 +++++++++- 2 files changed, 45 insertions(+), 5 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 3d8f236fd5..60df75ae72 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -816,14 +816,30 @@ impl X509Extension { ) -> Result { let name = CString::new(name).unwrap(); let value = CString::new(value).unwrap(); + let mut ctx; unsafe { ffi::init(); let conf = conf.map_or(ptr::null_mut(), ConfRef::as_ptr); - let context = context.map_or(ptr::null_mut(), X509v3Context::as_ptr); + let context_ptr = match context { + Some(c) => c.as_ptr(), + None => { + ctx = mem::zeroed(); + + ffi::X509V3_set_ctx( + &mut ctx, + ptr::null_mut(), + ptr::null_mut(), + ptr::null_mut(), + ptr::null_mut(), + 0, + ); + &mut ctx + } + }; let name = name.as_ptr() as *mut _; let value = value.as_ptr() as *mut _; - cvt_p(ffi::X509V3_EXT_nconf(conf, context, name, value)).map(X509Extension) + cvt_p(ffi::X509V3_EXT_nconf(conf, context_ptr, name, value)).map(X509Extension) } } @@ -841,14 +857,30 @@ impl X509Extension { value: &str, ) -> Result { let value = CString::new(value).unwrap(); + let mut ctx; unsafe { ffi::init(); let conf = conf.map_or(ptr::null_mut(), ConfRef::as_ptr); - let context = context.map_or(ptr::null_mut(), X509v3Context::as_ptr); + let context_ptr = match context { + Some(c) => c.as_ptr(), + None => { + ctx = mem::zeroed(); + + ffi::X509V3_set_ctx( + &mut ctx, + ptr::null_mut(), + ptr::null_mut(), + ptr::null_mut(), + ptr::null_mut(), + 0, + ); + &mut ctx + } + }; let name = name.as_raw(); let value = value.as_ptr() as *mut _; - cvt_p(ffi::X509V3_EXT_nconf_nid(conf, context, name, value)).map(X509Extension) + cvt_p(ffi::X509V3_EXT_nconf_nid(conf, context_ptr, name, value)).map(X509Extension) } } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 91fd36790c..57734f2665 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -25,7 +25,7 @@ use crate::x509::X509PurposeId; #[cfg(any(ossl102, libressl261))] use crate::x509::X509PurposeRef; use crate::x509::{ - CrlStatus, X509Crl, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509, + CrlStatus, X509Crl, X509Extension, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509, }; use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] @@ -287,6 +287,14 @@ fn x509_builder() { assert_eq!(serial, x509.serial_number().to_bn().unwrap()); } +#[test] +fn x509_extension_new() { + assert!(X509Extension::new(None, None, "crlDistributionPoints", "section").is_err()); + assert!(X509Extension::new(None, None, "proxyCertInfo", "").is_err()); + assert!(X509Extension::new(None, None, "certificatePolicies", "").is_err()); + assert!(X509Extension::new(None, None, "subjectAltName", "dirName:section").is_err()); +} + #[test] fn x509_extension_to_der() { let builder = X509::builder().unwrap(); From a7528056c5be6f3fbabc52c2fd02882b208d5939 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 21 Mar 2023 20:45:35 -0400 Subject: [PATCH 114/209] Document the horror show --- openssl/src/x509/mod.rs | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 60df75ae72..bb55cada02 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -807,6 +807,9 @@ impl X509Extension { /// Some extension types, such as `subjectAlternativeName`, require an `X509v3Context` to be /// provided. /// + /// DO NOT CALL THIS WITH UNTRUSTED `value`: `value` is an OpenSSL + /// mini-language that can read arbitrary files. + /// /// See the extension module for builder types which will construct certain common extensions. pub fn new( conf: Option<&ConfRef>, @@ -849,6 +852,9 @@ impl X509Extension { /// Some extension types, such as `nid::SUBJECT_ALTERNATIVE_NAME`, require an `X509v3Context` to /// be provided. /// + /// DO NOT CALL THIS WITH UNTRUSTED `value`: `value` is an OpenSSL + /// mini-language that can read arbitrary files. + /// /// See the extension module for builder types which will construct certain common extensions. pub fn new_nid( conf: Option<&ConfRef>, From 6ced4f305e44df7ca32e478621bf4840b122f1a3 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 21 Mar 2023 20:49:48 -0400 Subject: [PATCH 115/209] Fix race condition with X509Name creation --- openssl/src/x509/mod.rs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index bb55cada02..5b55918750 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1045,7 +1045,10 @@ impl X509NameBuilder { /// Return an `X509Name`. pub fn build(self) -> X509Name { - self.0 + // Round-trip through bytes because OpenSSL is not const correct and + // names in a "modified" state compute various things lazily. This can + // lead to data-races because OpenSSL doesn't have locks or anything. + X509Name::from_der(&self.0.to_der().unwrap()).unwrap() } } From 4ff734fe4c5a22f7346b7b3c47ece4c4c1c01817 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 23 Mar 2023 21:46:58 -0400 Subject: [PATCH 116/209] Release openssl v0.10.48 and openssl-sys v0.9.83 (#1855) --- openssl-sys/CHANGELOG.md | 14 +++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 13 ++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 28 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 3cb0711817..8587ad2262 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,17 @@ ## [Unreleased] +## [v0.9.83] - 2023-03-23 + +### Fixed + +* Fixed version checks for LibreSSL. + +### Added + +* Added `i2d_X509_EXTENSION`. +* Added `GENERAL_NAME_new`. + ## [v0.9.82] - 2023-03-19 ### Added @@ -399,7 +410,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.82..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.83..master +[v0.9.83]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.82...openssl-sys-v0.9.83 [v0.9.82]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.81...openssl-sys-v0.9.82 [v0.9.81]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.80...openssl-sys-v0.9.81 [v0.9.80]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.79...openssl-sys-v0.9.80 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index ed3161c784..ad7582ad05 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.82" +version = "0.9.83" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 7de74b8045..c6d9b303cd 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,16 @@ ## [Unreleased] +## [v0.10.48] - 2023-03-23 + +### Fixed + +* Fixed injection vulnerabilities where OpenSSL's configuration mini-language could be used via `x509::extension::SubjectAlternativeName` and `x509::extension::ExtendedKeyUsage`. The mini-language can read arbitrary files amongst other things. + * As part of fixing this `SubjectAlternativeName::dir_name` and `SubjectAlternativeName::other_name` are deprecated and their implementations always `panic!`. If you have a use case for these, please file an issue. +* Fixed several NULL pointer dereferences in OpenSSL that could be triggered via `x509::X509Extension::new` and `x509::X509Extension::new_nid`. Note that these methods still accept OpenSSL's configuration mini-language, and therefore should not be used with untrusted data. +* Fixed a data-race with `x509::X509Name` that are created with `x509::X509NameBuilder` and then used concurrently. +* Fixed LibreSSL version checking. More functions should now be correctly available on LibreSSL. + ## [v0.10.47] - 2023-03-19 ### Added @@ -697,7 +707,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.48...master +[v0.10.48]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...openssl-v0.10.48 [v0.10.47]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.46...openssl-v0.10.47 [v0.10.46]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.45...openssl-v0.10.46 [v0.10.45]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.44...openssl-v0.10.45 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 158acff5a3..e49bd9163e 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.47" +version = "0.10.48" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.82", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.83", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 8f3da5efcdfdb913aa01711b4ad117f5f65ceb7a Mon Sep 17 00:00:00 2001 From: Konrad Borowski Date: Sat, 25 Mar 2023 17:38:28 +0100 Subject: [PATCH 117/209] Bump syn dep to 2 --- openssl-macros/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-macros/Cargo.toml b/openssl-macros/Cargo.toml index d55f2267d8..cc85815ade 100644 --- a/openssl-macros/Cargo.toml +++ b/openssl-macros/Cargo.toml @@ -11,4 +11,4 @@ proc-macro = true [dependencies] proc-macro2 = "1" quote = "1" -syn = { version = "1", features = ["full"] } +syn = { version = "2", features = ["full"] } From 7632ba6e56812f8a56410730c439bbd83b10783c Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Fri, 17 Mar 2023 18:19:28 +0000 Subject: [PATCH 118/209] Add issuer_name and reason_code to X509RevokedRef --- openssl-sys/src/handwritten/asn1.rs | 4 ++ openssl-sys/src/handwritten/types.rs | 1 + openssl-sys/src/x509v3.rs | 11 ++++ openssl/src/asn1.rs | 26 ++++++++ openssl/src/x509/mod.rs | 93 +++++++++++++++++++++++++++- 5 files changed, 133 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index 7163a69d5e..f1bcc73f34 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -51,6 +51,10 @@ extern "C" { pub fn ASN1_TIME_set_string(s: *mut ASN1_TIME, str: *const c_char) -> c_int; #[cfg(ossl111)] pub fn ASN1_TIME_set_string_X509(s: *mut ASN1_TIME, str: *const c_char) -> c_int; + + pub fn ASN1_ENUMERATED_free(a: *mut ASN1_ENUMERATED); + #[cfg(ossl110)] + pub fn ASN1_ENUMERATED_get_int64(pr: *mut i64, a: *const ASN1_ENUMERATED) -> c_int; } const_ptr_api! { diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index b229a37597..3351ceabc4 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -4,6 +4,7 @@ use libc::*; use super::super::*; pub enum ASN1_INTEGER {} +pub enum ASN1_ENUMERATED {} pub enum ASN1_GENERALIZEDTIME {} pub enum ASN1_STRING {} pub enum ASN1_BIT_STRING {} diff --git a/openssl-sys/src/x509v3.rs b/openssl-sys/src/x509v3.rs index 5ae4439083..d2ff53489e 100644 --- a/openssl-sys/src/x509v3.rs +++ b/openssl-sys/src/x509v3.rs @@ -91,3 +91,14 @@ pub const X509_PURPOSE_OCSP_HELPER: c_int = 8; pub const X509_PURPOSE_TIMESTAMP_SIGN: c_int = 9; pub const X509_PURPOSE_MIN: c_int = 1; pub const X509_PURPOSE_MAX: c_int = 9; + +pub const CRL_REASON_UNSPECIFIED: c_int = 0; +pub const CRL_REASON_KEY_COMPROMISE: c_int = 1; +pub const CRL_REASON_CA_COMPROMISE: c_int = 2; +pub const CRL_REASON_AFFILIATION_CHANGED: c_int = 3; +pub const CRL_REASON_SUPERSEDED: c_int = 4; +pub const CRL_REASON_CESSATION_OF_OPERATION: c_int = 5; +pub const CRL_REASON_CERTIFICATE_HOLD: c_int = 6; +pub const CRL_REASON_REMOVE_FROM_CRL: c_int = 8; +pub const CRL_REASON_PRIVILEGE_WITHDRAWN: c_int = 9; +pub const CRL_REASON_AA_COMPROMISE: c_int = 10; diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index c0178c7e65..db752ad9f1 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -666,6 +666,32 @@ cfg_if! { } } +foreign_type_and_impl_send_sync! { + type CType = ffi::ASN1_ENUMERATED; + fn drop = ffi::ASN1_ENUMERATED_free; + + /// An ASN.1 enumerated. + pub struct Asn1Enumerated; + /// A reference to an [`Asn1Enumerated`]. + pub struct Asn1EnumeratedRef; +} + +impl Asn1EnumeratedRef { + /// Get the value, if it fits in the required bounds. + #[corresponds(ASN1_ENUMERATED_get)] + #[cfg(ossl110)] + pub fn get_i64(&self) -> Result { + let mut crl_reason = 0; + unsafe { + cvt(ffi::ASN1_ENUMERATED_get_int64( + &mut crl_reason, + self.as_ptr(), + ))?; + } + Ok(crl_reason) + } +} + #[cfg(test)] mod tests { use super::*; diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 5b55918750..e628e64a6d 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -24,8 +24,8 @@ use std::slice; use std::str; use crate::asn1::{ - Asn1BitStringRef, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, Asn1StringRef, Asn1TimeRef, - Asn1Type, + Asn1BitStringRef, Asn1Enumerated, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, Asn1StringRef, + Asn1TimeRef, Asn1Type, }; use crate::bio::MemBioSlice; use crate::conf::ConfRef; @@ -1481,6 +1481,37 @@ impl X509ReqRef { } } +/// The reason that a certificate was revoked. +#[derive(Debug, Copy, Clone, PartialEq, Eq)] +pub struct CrlReason(i64); + +#[allow(missing_docs)] // no need to document the constants +impl CrlReason { + pub const UNSPECIFIED: CrlReason = CrlReason(ffi::CRL_REASON_UNSPECIFIED as i64); + pub const KEY_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_KEY_COMPROMISE as i64); + pub const CA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_CA_COMPROMISE as i64); + pub const AFFILIATION_CHANGED: CrlReason = + CrlReason(ffi::CRL_REASON_AFFILIATION_CHANGED as i64); + pub const SUPERSEDED: CrlReason = CrlReason(ffi::CRL_REASON_SUPERSEDED as i64); + pub const CESSATION_OF_OPERATION: CrlReason = + CrlReason(ffi::CRL_REASON_CESSATION_OF_OPERATION as i64); + pub const CERTIFICATE_HOLD: CrlReason = CrlReason(ffi::CRL_REASON_CERTIFICATE_HOLD as i64); + pub const REMOVE_FROM_CRL: CrlReason = CrlReason(ffi::CRL_REASON_REMOVE_FROM_CRL as i64); + pub const PRIVILEGE_WITHDRAWN: CrlReason = + CrlReason(ffi::CRL_REASON_PRIVILEGE_WITHDRAWN as i64); + pub const AA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_AA_COMPROMISE as i64); + + /// Constructs an `CrlReason` from a raw OpenSSL value. + pub fn from_raw(value: i64) -> Self { + CrlReason(value) + } + + /// Returns the raw OpenSSL value represented by this type. + pub fn as_raw(&self) -> i64 { + self.0 + } +} + foreign_type_and_impl_send_sync! { type CType = ffi::X509_REVOKED; fn drop = ffi::X509_REVOKED_free; @@ -1513,6 +1544,13 @@ impl X509RevokedRef { ffi::i2d_X509_REVOKED } + /// Copies the entry to a new `X509Revoked`. + #[corresponds(X509_NAME_dup)] + #[cfg(any(boringssl, ossl110, libressl270))] + pub fn to_owned(&self) -> Result { + unsafe { cvt_p(ffi::X509_REVOKED_dup(self.as_ptr())).map(|n| X509Revoked::from_ptr(n)) } + } + /// Get the date that the certificate was revoked #[corresponds(X509_REVOKED_get0_revocationDate)] pub fn revocation_date(&self) -> &Asn1TimeRef { @@ -1532,6 +1570,46 @@ impl X509RevokedRef { Asn1IntegerRef::from_ptr(r as *mut _) } } + + /// Get the issuer name of the revoked certificate + #[corresponds(X509_REVOKED_get_ext_d2i)] + pub fn issuer_name(&self) -> Option> { + // SAFETY: self.as_ptr() is a valid pointer to an X509_REVOKED. + unsafe { + let issuer_names = ffi::X509_REVOKED_get_ext_d2i( + self.as_ptr() as *const _, + // NID_certificate_issuer is a X509_REVOKED extension that + // returns a GENERAL_NAMES, which is a Stack + ffi::NID_certificate_issuer, + // Only one instance of the extension is permissable + ptr::null_mut(), + // Don't care if the extension is critical + ptr::null_mut(), + ); + Stack::from_ptr_opt(issuer_names as *mut _) + } + } + + /// Get the reason that the certificate was revoked + #[corresponds(X509_REVOKED_get_ext_d2i)] + #[cfg(ossl110)] + pub fn reason_code(&self) -> Option> { + let reason_code = unsafe { + // The return value may be NULL if the extension wasn't found or + // there were multiple, and we require only one. + Asn1Enumerated::from_ptr_opt(ffi::X509_REVOKED_get_ext_d2i( + // self.as_ptr() is a valid pointer to a X509_REVOKED + self.as_ptr() as *const _, + // NID_crl_reason is an X509_REVOKED extension that is an ASN1_ENUMERATED + ffi::NID_crl_reason, + // Only one instance of the extension is permissable + ptr::null_mut(), + // Don't care if the extension is critical + ptr::null_mut(), + ) as *mut _) + }?; + Some(reason_code.get_i64().map(CrlReason::from_raw)) + } } foreign_type_and_impl_send_sync! { @@ -1872,6 +1950,17 @@ impl GeneralNameRef { self.ia5_string(ffi::GEN_EMAIL) } + /// Returns the contents of this `GeneralName` if it is a `directoryName`. + pub fn directory_name(&self) -> Option<&X509NameRef> { + unsafe { + if (*self.as_ptr()).type_ != ffi::GEN_DIRNAME { + return None; + } + + Some(X509NameRef::from_const_ptr((*self.as_ptr()).d as *const _)) + } + } + /// Returns the contents of this `GeneralName` if it is a `dNSName`. pub fn dnsname(&self) -> Option<&str> { self.ia5_string(ffi::GEN_DNS) From 30aa4085e71c85637d6b1a9f9c4107e977a4a3d6 Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Mon, 27 Mar 2023 17:52:14 +0100 Subject: [PATCH 119/209] Expose X509_REVOKED_get_ext_d2i more directly --- openssl/src/asn1.rs | 2 +- openssl/src/nid.rs | 4 +- openssl/src/x509/mod.rs | 125 ++++++++++++++++++++++++---------------- 3 files changed, 78 insertions(+), 53 deletions(-) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index db752ad9f1..8599539add 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -678,7 +678,7 @@ foreign_type_and_impl_send_sync! { impl Asn1EnumeratedRef { /// Get the value, if it fits in the required bounds. - #[corresponds(ASN1_ENUMERATED_get)] + #[corresponds(ASN1_ENUMERATED_get_int64)] #[cfg(ossl110)] pub fn get_i64(&self) -> Result { let mut crl_reason = 0; diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index e4562a1c27..81b74d342f 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -51,13 +51,13 @@ pub struct Nid(c_int); #[allow(non_snake_case)] impl Nid { /// Create a `Nid` from an integer representation. - pub fn from_raw(raw: c_int) -> Nid { + pub const fn from_raw(raw: c_int) -> Nid { Nid(raw) } /// Return the integer representation of a `Nid`. #[allow(clippy::trivially_copy_pass_by_ref)] - pub fn as_raw(&self) -> c_int { + pub const fn as_raw(&self) -> c_int { self.0 } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index e628e64a6d..decb005efd 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -50,6 +50,15 @@ pub mod store; #[cfg(test)] mod tests; +/// A type of X509 extension. +/// +/// # Safety +/// The value of NID and Output must match those in OpenSSL so that +pub unsafe trait ExtensionType { + const NID: Nid; + type Output: ForeignType; +} + foreign_type_and_impl_send_sync! { type CType = ffi::X509_STORE_CTX; fn drop = ffi::X509_STORE_CTX_free; @@ -1483,31 +1492,28 @@ impl X509ReqRef { /// The reason that a certificate was revoked. #[derive(Debug, Copy, Clone, PartialEq, Eq)] -pub struct CrlReason(i64); +pub struct CrlReason(c_int); #[allow(missing_docs)] // no need to document the constants impl CrlReason { - pub const UNSPECIFIED: CrlReason = CrlReason(ffi::CRL_REASON_UNSPECIFIED as i64); - pub const KEY_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_KEY_COMPROMISE as i64); - pub const CA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_CA_COMPROMISE as i64); - pub const AFFILIATION_CHANGED: CrlReason = - CrlReason(ffi::CRL_REASON_AFFILIATION_CHANGED as i64); - pub const SUPERSEDED: CrlReason = CrlReason(ffi::CRL_REASON_SUPERSEDED as i64); - pub const CESSATION_OF_OPERATION: CrlReason = - CrlReason(ffi::CRL_REASON_CESSATION_OF_OPERATION as i64); - pub const CERTIFICATE_HOLD: CrlReason = CrlReason(ffi::CRL_REASON_CERTIFICATE_HOLD as i64); - pub const REMOVE_FROM_CRL: CrlReason = CrlReason(ffi::CRL_REASON_REMOVE_FROM_CRL as i64); - pub const PRIVILEGE_WITHDRAWN: CrlReason = - CrlReason(ffi::CRL_REASON_PRIVILEGE_WITHDRAWN as i64); - pub const AA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_AA_COMPROMISE as i64); + pub const UNSPECIFIED: CrlReason = CrlReason(ffi::CRL_REASON_UNSPECIFIED); + pub const KEY_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_KEY_COMPROMISE); + pub const CA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_CA_COMPROMISE); + pub const AFFILIATION_CHANGED: CrlReason = CrlReason(ffi::CRL_REASON_AFFILIATION_CHANGED); + pub const SUPERSEDED: CrlReason = CrlReason(ffi::CRL_REASON_SUPERSEDED); + pub const CESSATION_OF_OPERATION: CrlReason = CrlReason(ffi::CRL_REASON_CESSATION_OF_OPERATION); + pub const CERTIFICATE_HOLD: CrlReason = CrlReason(ffi::CRL_REASON_CERTIFICATE_HOLD); + pub const REMOVE_FROM_CRL: CrlReason = CrlReason(ffi::CRL_REASON_REMOVE_FROM_CRL); + pub const PRIVILEGE_WITHDRAWN: CrlReason = CrlReason(ffi::CRL_REASON_PRIVILEGE_WITHDRAWN); + pub const AA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_AA_COMPROMISE); /// Constructs an `CrlReason` from a raw OpenSSL value. - pub fn from_raw(value: i64) -> Self { + pub const fn from_raw(value: c_int) -> Self { CrlReason(value) } /// Returns the raw OpenSSL value represented by this type. - pub fn as_raw(&self) -> i64 { + pub const fn as_raw(&self) -> c_int { self.0 } } @@ -1571,45 +1577,59 @@ impl X509RevokedRef { } } - /// Get the issuer name of the revoked certificate + /// Get the criticality and value of an extension. + /// + /// This returns None if the extension is not present or occurs multiple times. #[corresponds(X509_REVOKED_get_ext_d2i)] - pub fn issuer_name(&self) -> Option> { - // SAFETY: self.as_ptr() is a valid pointer to an X509_REVOKED. - unsafe { - let issuer_names = ffi::X509_REVOKED_get_ext_d2i( - self.as_ptr() as *const _, - // NID_certificate_issuer is a X509_REVOKED extension that - // returns a GENERAL_NAMES, which is a Stack - ffi::NID_certificate_issuer, - // Only one instance of the extension is permissable - ptr::null_mut(), - // Don't care if the extension is critical + pub fn extension(&self) -> Result, ErrorStack> { + let mut critical = -1; + let out = unsafe { + // SAFETY: self.as_ptr() is a valid pointer to an X509_REVOKED. + let ext = ffi::X509_REVOKED_get_ext_d2i( + self.as_ptr(), + T::NID.as_raw(), + &mut critical as *mut _, ptr::null_mut(), ); - Stack::from_ptr_opt(issuer_names as *mut _) + // SAFETY: Extensions's contract promises that the type returned by + // OpenSSL here is T::Output. + T::Output::from_ptr_opt(ext as *mut _) + }; + match (critical, out) { + (0, Some(out)) => Ok(Some((false, out))), + (1, Some(out)) => Ok(Some((true, out))), + // -1 means the extension wasn't found, -2 means multiple were found. + (-1 | -2, _) => Ok(None), + // A critical value of 0 or 1 suggests success, but a null pointer + // was returned so something went wrong. + (0 | 1, None) => Err(ErrorStack::get()), + (..=-3 | 2.., _) => panic!("OpenSSL should only return -2, -1, 0, or 1 for an extension's criticality but it returned {}", critical), } } +} - /// Get the reason that the certificate was revoked - #[corresponds(X509_REVOKED_get_ext_d2i)] - #[cfg(ossl110)] - pub fn reason_code(&self) -> Option> { - let reason_code = unsafe { - // The return value may be NULL if the extension wasn't found or - // there were multiple, and we require only one. - Asn1Enumerated::from_ptr_opt(ffi::X509_REVOKED_get_ext_d2i( - // self.as_ptr() is a valid pointer to a X509_REVOKED - self.as_ptr() as *const _, - // NID_crl_reason is an X509_REVOKED extension that is an ASN1_ENUMERATED - ffi::NID_crl_reason, - // Only one instance of the extension is permissable - ptr::null_mut(), - // Don't care if the extension is critical - ptr::null_mut(), - ) as *mut _) - }?; - Some(reason_code.get_i64().map(CrlReason::from_raw)) - } +/// The CRL entry extension identifying the reason for revocation see [`CrlReason`], +/// this is as defined in RFC 5280 Section 5.3.1. +pub enum ReasonCode {} + +// SAFETY: CertificateIssuer is defined to be a stack of GeneralName in the RFC +// and in OpenSSL. +unsafe impl ExtensionType for ReasonCode { + const NID: Nid = Nid::from_raw(ffi::NID_crl_reason); + + type Output = Asn1Enumerated; +} + +/// The CRL entry extension identifying the issuer of a certificate used in +/// indirect CRLs, as defined in RFC 5280 Section 5.3.3. +pub enum CertificateIssuer {} + +// SAFETY: CertificateIssuer is defined to be a stack of GeneralName in the RFC +// and in OpenSSL. +unsafe impl ExtensionType for CertificateIssuer { + const NID: Nid = Nid::from_raw(ffi::NID_certificate_issuer); + + type Output = Stack; } foreign_type_and_impl_send_sync! { @@ -1957,7 +1977,12 @@ impl GeneralNameRef { return None; } - Some(X509NameRef::from_const_ptr((*self.as_ptr()).d as *const _)) + #[cfg(boringssl)] + let d = (*self.as_ptr()).d.ptr; + #[cfg(not(boringssl))] + let d = (*self.as_ptr()).d; + + Some(X509NameRef::from_const_ptr(d as *const _)) } } From 3b25d11504f8547637b591fa4360df78cc6c2ac1 Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Mon, 27 Mar 2023 18:40:19 +0100 Subject: [PATCH 120/209] Use range pattern compatible with MSRV --- openssl/src/x509/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index decb005efd..a6ead63a2e 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1603,7 +1603,7 @@ impl X509RevokedRef { // A critical value of 0 or 1 suggests success, but a null pointer // was returned so something went wrong. (0 | 1, None) => Err(ErrorStack::get()), - (..=-3 | 2.., _) => panic!("OpenSSL should only return -2, -1, 0, or 1 for an extension's criticality but it returned {}", critical), + (c_int::MIN..=-2 | 2.., _) => panic!("OpenSSL should only return -2, -1, 0, or 1 for an extension's criticality but it returned {}", critical), } } } From 95680c816c55b617d2f5949cf2aedd060082840d Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Tue, 28 Mar 2023 12:08:27 +0100 Subject: [PATCH 121/209] Add test for CRL entry extensions --- openssl/src/x509/mod.rs | 1 + openssl/src/x509/tests.rs | 42 +++++++++++++++++++++++++++++-- openssl/test/entry_extensions.crl | 10 ++++++++ 3 files changed, 51 insertions(+), 2 deletions(-) create mode 100644 openssl/test/entry_extensions.crl diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index a6ead63a2e..e30dd80730 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -54,6 +54,7 @@ mod tests; /// /// # Safety /// The value of NID and Output must match those in OpenSSL so that +/// `Output::from_ptr_opt(*_get_ext_d2i(*, NID, ...))` is valid. pub unsafe trait ExtensionType { const NID: Nid; type Output: ForeignType; diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 57734f2665..7fb383631f 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -18,12 +18,12 @@ use crate::x509::store::X509Lookup; use crate::x509::store::X509StoreBuilder; #[cfg(any(ossl102, libressl261))] use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; -#[cfg(ossl110)] -use crate::x509::X509Builder; #[cfg(ossl102)] use crate::x509::X509PurposeId; #[cfg(any(ossl102, libressl261))] use crate::x509::X509PurposeRef; +#[cfg(ossl110)] +use crate::x509::{CrlReason, X509Builder}; use crate::x509::{ CrlStatus, X509Crl, X509Extension, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509, }; @@ -31,6 +31,8 @@ use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] use libc::time_t; +use super::{CertificateIssuer, ReasonCode}; + fn pkey() -> PKey { let rsa = Rsa::generate(2048).unwrap(); PKey::from_rsa(rsa).unwrap() @@ -611,6 +613,42 @@ fn test_load_crl() { ); } +#[test] +fn test_crl_entry_extensions() { + let crl = include_bytes!("../../test/entry_extensions.crl"); + let crl = X509Crl::from_pem(crl).unwrap(); + + let revoked_certs = crl.get_revoked().unwrap(); + let entry = &revoked_certs[0]; + + let (critical, issuer) = entry + .extension::() + .unwrap() + .expect("Certificate issuer extension should be present"); + assert!(critical, "Certificate issuer extension is critical"); + assert_eq!(issuer.len(), 1, "Certificate issuer should have one entry"); + let issuer = issuer[0] + .directory_name() + .expect("Issuer should be a directory name"); + assert_eq!( + format!("{:?}", issuer), + r#"[countryName = "GB", commonName = "Test CA"]"# + ); + + // reason_code can't be inspected without ossl110 + #[allow(unused_variables)] + let (critical, reason_code) = entry + .extension::() + .unwrap() + .expect("Reason code extension should be present"); + assert!(!critical, "Reason code extension is not critical"); + #[cfg(ossl110)] + assert_eq!( + CrlReason::KEY_COMPROMISE, + CrlReason::from_raw(reason_code.get_i64().unwrap() as ffi::c_int) + ); +} + #[test] fn test_save_subject_der() { let cert = include_bytes!("../../test/cert.pem"); diff --git a/openssl/test/entry_extensions.crl b/openssl/test/entry_extensions.crl new file mode 100644 index 0000000000..9654171cf1 --- /dev/null +++ b/openssl/test/entry_extensions.crl @@ -0,0 +1,10 @@ +-----BEGIN X509 CRL----- +MIIBXDCCAQICAQEwCgYIKoZIzj0EAwIwETEPMA0GA1UEAwwGQ1JMIENBFw0yMzAz +MjgwOTQ5MThaFw0yMzA0MDQwOTUwMDdaMIGAMH4CFE+Y95/1pOqa6c9fUEJ8c04k +xu2PFw0yMzAzMjgwOTQ3MzNaMFcwLwYDVR0dAQH/BCUwI6QhMB8xCzAJBgNVBAYT +AkdCMRAwDgYDVQQDDAdUZXN0IENBMAoGA1UdFQQDCgEBMBgGA1UdGAQRGA8yMDIz +MDMyODA5NDQ0MFqgPTA7MB8GA1UdIwQYMBaAFNX1GZ0RWuC+4gz1wuy5H32T2W+R +MAoGA1UdFAQDAgEUMAwGA1UdHAQFMAOEAf8wCgYIKoZIzj0EAwIDSAAwRQIgbl7x +W+WVAb+zlvKcJLmHVuC+gbqR4jqwGIHHgQl2J8kCIQCo/sAF5sDqy/cL+fbzBeUe +YoY2h6lIkj9ENwU8ZCt03w== +-----END X509 CRL----- From a888f7a098bd65837ff064fc30be326aa1371117 Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Tue, 28 Mar 2023 09:49:47 +0100 Subject: [PATCH 122/209] Implement cmp and to_owned for Asn1Integer --- openssl-sys/src/handwritten/asn1.rs | 2 ++ openssl/src/asn1.rs | 42 ++++++++++++++++++++++++++++- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index 7163a69d5e..d2bc21ce59 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -43,8 +43,10 @@ extern "C" { pub fn ASN1_TIME_set(from: *mut ASN1_TIME, to: time_t) -> *mut ASN1_TIME; pub fn ASN1_INTEGER_free(x: *mut ASN1_INTEGER); + pub fn ASN1_INTEGER_dup(a: *const ASN1_INTEGER) -> *mut ASN1_INTEGER; pub fn ASN1_INTEGER_get(dest: *const ASN1_INTEGER) -> c_long; pub fn ASN1_INTEGER_set(dest: *mut ASN1_INTEGER, value: c_long) -> c_int; + pub fn ASN1_INTEGER_cmp(a: *const ASN1_INTEGER, b: *const ASN1_INTEGER) -> c_int; pub fn BN_to_ASN1_INTEGER(bn: *const BIGNUM, ai: *mut ASN1_INTEGER) -> *mut ASN1_INTEGER; pub fn ASN1_INTEGER_to_BN(ai: *const ASN1_INTEGER, bn: *mut BIGNUM) -> *mut BIGNUM; diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index c0178c7e65..a282fc2cc7 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -27,7 +27,6 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_char, c_int, c_long, time_t}; -#[cfg(ossl102)] use std::cmp::Ordering; use std::ffi::CString; use std::fmt; @@ -512,6 +511,23 @@ impl Asn1Integer { } } +impl Ord for Asn1Integer { + fn cmp(&self, other: &Self) -> Ordering { + Asn1IntegerRef::cmp(self, other) + } +} +impl PartialOrd for Asn1Integer { + fn partial_cmp(&self, other: &Asn1Integer) -> Option { + Some(self.cmp(other)) + } +} +impl Eq for Asn1Integer {} +impl PartialEq for Asn1Integer { + fn eq(&self, other: &Asn1Integer) -> bool { + Asn1IntegerRef::eq(self, other) + } +} + impl Asn1IntegerRef { #[allow(missing_docs, clippy::unnecessary_cast)] #[deprecated(since = "0.10.6", note = "use to_bn instead")] @@ -536,6 +552,30 @@ impl Asn1IntegerRef { pub fn set(&mut self, value: i32) -> Result<(), ErrorStack> { unsafe { cvt(ffi::ASN1_INTEGER_set(self.as_ptr(), value as c_long)).map(|_| ()) } } + + /// Creates a new Asn1Integer with the same value. + #[corresponds(ASN1_INTEGER_dup)] + pub fn to_owned(&self) -> Result { + unsafe { cvt_p(ffi::ASN1_INTEGER_dup(self.as_ptr())).map(|p| Asn1Integer::from_ptr(p)) } + } +} + +impl Ord for Asn1IntegerRef { + fn cmp(&self, other: &Self) -> Ordering { + let res = unsafe { ffi::ASN1_INTEGER_cmp(self.as_ptr(), other.as_ptr()) }; + res.cmp(&0) + } +} +impl PartialOrd for Asn1IntegerRef { + fn partial_cmp(&self, other: &Asn1IntegerRef) -> Option { + Some(self.cmp(other)) + } +} +impl Eq for Asn1IntegerRef {} +impl PartialEq for Asn1IntegerRef { + fn eq(&self, other: &Asn1IntegerRef) -> bool { + self.cmp(other) == Ordering::Equal + } } foreign_type_and_impl_send_sync! { From 516f1b5252ba736a8dce2f79b7bff15b55feabf4 Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Tue, 28 Mar 2023 12:28:01 +0100 Subject: [PATCH 123/209] Add tests for Asn1Integer comparison and to_owned --- openssl/src/asn1.rs | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index a282fc2cc7..8823f95b58 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -789,6 +789,28 @@ mod tests { assert!(c_ref < a_ref); } + #[test] + fn integer_to_owned() { + let a = Asn1Integer::from_bn(&BigNum::from_dec_str("42").unwrap()).unwrap(); + let b = a.to_owned().unwrap(); + assert_eq!( + a.to_bn().unwrap().to_dec_str().unwrap().to_string(), + b.to_bn().unwrap().to_dec_str().unwrap().to_string(), + ); + assert_ne!(a.as_ptr(), b.as_ptr()); + } + + #[test] + fn integer_cmp() { + let a = Asn1Integer::from_bn(&BigNum::from_dec_str("42").unwrap()).unwrap(); + let b = Asn1Integer::from_bn(&BigNum::from_dec_str("42").unwrap()).unwrap(); + let c = Asn1Integer::from_bn(&BigNum::from_dec_str("43").unwrap()).unwrap(); + assert!(a == b); + assert!(a != c); + assert!(a < c); + assert!(c > b); + } + #[test] fn object_from_str() { let object = Asn1Object::from_str("2.16.840.1.101.3.4.2.1").unwrap(); From 424745064356ac91fc6c50b7ef823a4deca3b313 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 30 Mar 2023 15:14:23 -0400 Subject: [PATCH 124/209] try skipping another test on openssl 3.1.0 See: https://github.com/openssl/openssl/issues/20613 --- openssl/src/nid.rs | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index e4562a1c27..53e2eab15e 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -1165,10 +1165,13 @@ mod test { assert_eq!(nid.short_name().unwrap(), "foo"); assert_eq!(nid.long_name().unwrap(), "foobar"); - let invalid_oid = Nid::create("invalid_oid", "invalid", "invalid"); - assert!( - invalid_oid.is_err(), - "invalid_oid should not return a valid value" - ); + // Due to a bug in OpenSSL 3.1.0, this test crashes on Windows + if !cfg(ossl310) { + let invalid_oid = Nid::create("invalid_oid", "invalid", "invalid"); + assert!( + invalid_oid.is_err(), + "invalid_oid should not return a valid value" + ); + } } } From f949d4098d48038849cf9537829759167ffe0dfa Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 30 Mar 2023 15:18:24 -0400 Subject: [PATCH 125/209] Fix syntax error I accidentally pushed to master --- openssl/src/nid.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index 53e2eab15e..1ab96f3701 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -1166,7 +1166,7 @@ mod test { assert_eq!(nid.long_name().unwrap(), "foobar"); // Due to a bug in OpenSSL 3.1.0, this test crashes on Windows - if !cfg(ossl310) { + if !cfg!(ossl310) { let invalid_oid = Nid::create("invalid_oid", "invalid", "invalid"); assert!( invalid_oid.is_err(), From c906f184dfdc981450b5014bf5aaf6e291958fbe Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 30 Mar 2023 14:23:44 -0400 Subject: [PATCH 126/209] Drop dependency on autocfg It's used to check for a Rust version well below our MSRV. --- openssl-sys/Cargo.toml | 1 - openssl-sys/build/main.rs | 11 ------- openssl-sys/src/err.rs | 68 ++++++++++++++++++--------------------- openssl-sys/src/macros.rs | 18 ----------- 4 files changed, 32 insertions(+), 66 deletions(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index ad7582ad05..109a859ddc 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -27,7 +27,6 @@ bindgen = { version = "0.64.0", optional = true, features = ["experimental"] } cc = "1.0" openssl-src = { version = "111", optional = true } pkg-config = "0.3.9" -autocfg = "1.0" [target.'cfg(target_env = "msvc")'.build-dependencies] vcpkg = "0.2.8" diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 3357518f55..5c1f668fb7 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -4,7 +4,6 @@ clippy::unusual_byte_groupings )] -extern crate autocfg; #[cfg(feature = "bindgen")] extern crate bindgen; extern crate cc; @@ -74,8 +73,6 @@ fn check_ssl_kind() { } fn main() { - check_rustc_versions(); - check_ssl_kind(); let target = env::var("TARGET").unwrap(); @@ -134,14 +131,6 @@ fn main() { } } -fn check_rustc_versions() { - let cfg = autocfg::new(); - - if cfg.probe_rustc_version(1, 31) { - println!("cargo:rustc-cfg=const_fn"); - } -} - #[allow(clippy::let_and_return)] fn postprocess(include_dirs: &[PathBuf]) -> Version { let version = validate_headers(include_dirs); diff --git a/openssl-sys/src/err.rs b/openssl-sys/src/err.rs index 5e84e6208a..4a6a2775e4 100644 --- a/openssl-sys/src/err.rs +++ b/openssl-sys/src/err.rs @@ -20,51 +20,47 @@ cfg_if! { pub const ERR_RFLAG_FATAL: c_ulong = 0x1 << ERR_RFLAGS_OFFSET; - const_fn! { - pub const fn ERR_SYSTEM_ERROR(errcode: c_ulong) -> bool { - errcode & ERR_SYSTEM_FLAG != 0 - } + pub const fn ERR_SYSTEM_ERROR(errcode: c_ulong) -> bool { + errcode & ERR_SYSTEM_FLAG != 0 + } - pub const fn ERR_GET_LIB(errcode: c_ulong) -> c_int { - // hacks since `if` isn't yet stable in const functions :( - ((ERR_LIB_SYS as c_ulong * (ERR_SYSTEM_ERROR(errcode) as c_ulong)) | - (((errcode >> ERR_LIB_OFFSET) & ERR_LIB_MASK) * (!ERR_SYSTEM_ERROR(errcode) as c_ulong))) as c_int - } + pub const fn ERR_GET_LIB(errcode: c_ulong) -> c_int { + // hacks since `if` isn't yet stable in const functions :( + ((ERR_LIB_SYS as c_ulong * (ERR_SYSTEM_ERROR(errcode) as c_ulong)) | + (((errcode >> ERR_LIB_OFFSET) & ERR_LIB_MASK) * (!ERR_SYSTEM_ERROR(errcode) as c_ulong))) as c_int + } - pub const fn ERR_GET_FUNC(_errcode: c_ulong) -> c_int { - 0 - } + pub const fn ERR_GET_FUNC(_errcode: c_ulong) -> c_int { + 0 + } - pub const fn ERR_GET_REASON(errcode: c_ulong) -> c_int { - // hacks since `if` isn't yet stable in const functions :( - ((ERR_LIB_SYS as c_ulong * (ERR_SYSTEM_ERROR(errcode) as c_ulong)) | - ((errcode & ERR_REASON_MASK) * (!ERR_SYSTEM_ERROR(errcode) as c_ulong))) as c_int - } + pub const fn ERR_GET_REASON(errcode: c_ulong) -> c_int { + // hacks since `if` isn't yet stable in const functions :( + ((ERR_LIB_SYS as c_ulong * (ERR_SYSTEM_ERROR(errcode) as c_ulong)) | + ((errcode & ERR_REASON_MASK) * (!ERR_SYSTEM_ERROR(errcode) as c_ulong))) as c_int + } - pub const fn ERR_PACK(lib: c_int, _func: c_int, reason: c_int) -> c_ulong { - ((lib as c_ulong & ERR_LIB_MASK) << ERR_LIB_OFFSET) | - (reason as c_ulong & ERR_REASON_MASK) - } + pub const fn ERR_PACK(lib: c_int, _func: c_int, reason: c_int) -> c_ulong { + ((lib as c_ulong & ERR_LIB_MASK) << ERR_LIB_OFFSET) | + (reason as c_ulong & ERR_REASON_MASK) } } else { - const_fn! { - pub const fn ERR_PACK(l: c_int, f: c_int, r: c_int) -> c_ulong { - ((l as c_ulong & 0x0FF) << 24) | - ((f as c_ulong & 0xFFF) << 12) | - (r as c_ulong & 0xFFF) - } + pub const fn ERR_PACK(l: c_int, f: c_int, r: c_int) -> c_ulong { + ((l as c_ulong & 0x0FF) << 24) | + ((f as c_ulong & 0xFFF) << 12) | + (r as c_ulong & 0xFFF) + } - pub const fn ERR_GET_LIB(l: c_ulong) -> c_int { - ((l >> 24) & 0x0FF) as c_int - } + pub const fn ERR_GET_LIB(l: c_ulong) -> c_int { + ((l >> 24) & 0x0FF) as c_int + } - pub const fn ERR_GET_FUNC(l: c_ulong) -> c_int { - ((l >> 12) & 0xFFF) as c_int - } + pub const fn ERR_GET_FUNC(l: c_ulong) -> c_int { + ((l >> 12) & 0xFFF) as c_int + } - pub const fn ERR_GET_REASON(l: c_ulong) -> c_int { - (l & 0xFFF) as c_int - } + pub const fn ERR_GET_REASON(l: c_ulong) -> c_int { + (l & 0xFFF) as c_int } } } diff --git a/openssl-sys/src/macros.rs b/openssl-sys/src/macros.rs index e1b08c467a..96523db8f4 100644 --- a/openssl-sys/src/macros.rs +++ b/openssl-sys/src/macros.rs @@ -70,24 +70,6 @@ macro_rules! stack { }; } -#[cfg(const_fn)] -macro_rules! const_fn { - ($(pub const fn $name:ident($($arg:ident: $t:ty),*) -> $ret:ty $b:block)*) => { - $( - pub const fn $name($($arg: $t),*) -> $ret $b - )* - } -} - -#[cfg(not(const_fn))] -macro_rules! const_fn { - ($(pub const fn $name:ident($($arg:ident: $t:ty),*) -> $ret:ty $b:block)*) => { - $( - pub fn $name($($arg: $t),*) -> $ret $b - )* - } -} - // openssl changes `*mut` to `*const` in certain parameters in certain versions; // in C this is ABI and (mostly) API compatible. // From d355cb80385dcfbab03805fc9407d5a4db11db7a Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 30 Mar 2023 19:25:05 -0400 Subject: [PATCH 127/209] Don't use IP addresses in SNI --- openssl/src/ssl/connector.rs | 5 ++-- openssl/src/ssl/test/mod.rs | 57 +++++++++++++++++++++++++++++++++++- 2 files changed, 59 insertions(+), 3 deletions(-) diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 39f729df90..66d1bd8939 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -11,6 +11,7 @@ use crate::ssl::{ SslOptions, SslRef, SslStream, SslVerifyMode, }; use crate::version; +use std::net::IpAddr; const FFDHE_2048: &str = " -----BEGIN DH PARAMETERS----- @@ -177,9 +178,9 @@ impl ConnectConfiguration { /// Returns an `Ssl` configured to connect to the provided domain. /// - /// The domain is used for SNI and hostname verification if enabled. + /// The domain is used for SNI (if it is not an IP address) and hostname verification if enabled. pub fn into_ssl(mut self, domain: &str) -> Result { - if self.sni { + if self.sni && domain.parse::().is_err() { self.ssl.set_hostname(domain)?; } diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 03dc89e5c3..a34309a7d6 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -21,10 +21,10 @@ use crate::hash::MessageDigest; use crate::ocsp::{OcspResponse, OcspResponseStatus}; use crate::pkey::PKey; use crate::srtp::SrtpProfileId; -use crate::ssl; use crate::ssl::test::server::Server; #[cfg(any(ossl110, ossl111, libressl261))] use crate::ssl::SslVersion; +use crate::ssl::{self, NameType, SslConnectorBuilder}; #[cfg(ossl111)] use crate::ssl::{ClientHelloResponse, ExtensionContext}; use crate::ssl::{ @@ -767,6 +767,61 @@ fn connector_can_disable_verify() { s.read_exact(&mut [0]).unwrap(); } +#[test] +fn connector_does_use_sni_with_dnsnames() { + static CALLED_BACK: AtomicBool = AtomicBool::new(false); + + let mut builder = Server::builder(); + builder.ctx().set_servername_callback(|ssl, _| { + assert_eq!(ssl.servername(NameType::HOST_NAME), Some("foobar.com")); + CALLED_BACK.store(true, Ordering::SeqCst); + Ok(()) + }); + let server = builder.build(); + + let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); + connector.set_ca_file("test/root-ca.pem").unwrap(); + + let s = server.connect_tcp(); + let mut s = connector + .build() + .configure() + .unwrap() + .connect("foobar.com", s) + .unwrap(); + s.read_exact(&mut [0]).unwrap(); + + assert!(CALLED_BACK.load(Ordering::SeqCst)); +} + +#[test] +fn connector_doesnt_use_sni_with_ips() { + static CALLED_BACK: AtomicBool = AtomicBool::new(false); + + let mut builder = Server::builder(); + builder.ctx().set_servername_callback(|ssl, _| { + assert_eq!(ssl.servername(NameType::HOST_NAME), None); + CALLED_BACK.store(true, Ordering::SeqCst); + Ok(()) + }); + let server = builder.build(); + + let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); + // The server's cert isn't issued for 127.0.0.1 but we don't care for this test. + connector.set_verify(SslVerifyMode::NONE); + + let s = server.connect_tcp(); + let mut s = connector + .build() + .configure() + .unwrap() + .connect("127.0.0.1", s) + .unwrap(); + s.read_exact(&mut [0]).unwrap(); + + assert!(CALLED_BACK.load(Ordering::SeqCst)); +} + fn test_mozilla_server(new: fn(SslMethod) -> Result) { let listener = TcpListener::bind("127.0.0.1:0").unwrap(); let port = listener.local_addr().unwrap().port(); From 42469df82086d1f14bf87db24183e24f7693394e Mon Sep 17 00:00:00 2001 From: Asger Hautop Drewsen Date: Fri, 31 Mar 2023 10:15:35 +0200 Subject: [PATCH 128/209] Fix typo in documentation for set_{min,max}_proto_version --- openssl/src/ssl/mod.rs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index c8648c4bcd..6ef356d36d 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -1120,7 +1120,7 @@ impl SslContextBuilder { /// Sets the minimum supported protocol version. /// - /// A value of `None` will enable protocol versions down the the lowest version supported by + /// A value of `None` will enable protocol versions down to the lowest version supported by /// OpenSSL. /// /// Requires OpenSSL 1.1.0 or LibreSSL 2.6.1 or newer. @@ -1138,7 +1138,7 @@ impl SslContextBuilder { /// Sets the maximum supported protocol version. /// - /// A value of `None` will enable protocol versions down the the highest version supported by + /// A value of `None` will enable protocol versions up to the highest version supported by /// OpenSSL. /// /// Requires OpenSSL 1.1.0 or or LibreSSL 2.6.1 or newer. @@ -1156,7 +1156,7 @@ impl SslContextBuilder { /// Gets the minimum supported protocol version. /// - /// A value of `None` indicates that all versions down the the lowest version supported by + /// A value of `None` indicates that all versions down to the lowest version supported by /// OpenSSL are enabled. /// /// Requires OpenSSL 1.1.0g or LibreSSL 2.7.0 or newer. @@ -1175,7 +1175,7 @@ impl SslContextBuilder { /// Gets the maximum supported protocol version. /// - /// A value of `None` indicates that all versions down the the highest version supported by + /// A value of `None` indicates that all versions up to the highest version supported by /// OpenSSL are enabled. /// /// Requires OpenSSL 1.1.0g or LibreSSL 2.7.0 or newer. @@ -3223,7 +3223,7 @@ impl SslRef { /// Sets the minimum supported protocol version. /// - /// A value of `None` will enable protocol versions down the the lowest version supported by + /// A value of `None` will enable protocol versions down to the lowest version supported by /// OpenSSL. /// /// Requires OpenSSL 1.1.0 or LibreSSL 2.6.1 or newer. @@ -3241,7 +3241,7 @@ impl SslRef { /// Sets the maximum supported protocol version. /// - /// A value of `None` will enable protocol versions down the the highest version supported by + /// A value of `None` will enable protocol versions up to the highest version supported by /// OpenSSL. /// /// Requires OpenSSL 1.1.0 or or LibreSSL 2.6.1 or newer. From 34171f4f79d45c8132a53dfcd0bef37eb8b1ea73 Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Mon, 23 Jan 2023 14:49:33 +0100 Subject: [PATCH 129/209] Add basic X509 Distribution Point extension support Adds support to read the full name of a distribution point extension. Signed-off-by: Steffen Eiden --- openssl-sys/src/handwritten/x509.rs | 2 + openssl-sys/src/handwritten/x509v3.rs | 27 +++++++++++++ openssl/src/x509/mod.rs | 57 +++++++++++++++++++++++++++ openssl/src/x509/tests.rs | 27 +++++++++++++ openssl/test/certv3.pem | 23 +++++++++++ openssl/test/certv3_extfile | 1 + systest/build.rs | 5 ++- 7 files changed, 141 insertions(+), 1 deletion(-) create mode 100644 openssl/test/certv3.pem create mode 100644 openssl/test/certv3_extfile diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index abda4110cf..37bbf7b085 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -9,6 +9,8 @@ pub struct X509_VAL { pub enum X509_NAME_ENTRY {} +stack!(stack_st_X509_NAME_ENTRY); + stack!(stack_st_X509_NAME); pub enum X509_EXTENSION {} diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 4f661ca5ec..4a15f3df5f 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -103,3 +103,30 @@ extern "C" { #[cfg(ossl110)] pub fn X509_get_extended_key_usage(x: *mut X509) -> u32; } + +#[repr(C)] +pub struct DIST_POINT_NAME { + pub type_: c_int, + pub name: DIST_POINT_NAME_st_anon_union, + pub dpname: *mut X509_NAME, +} + +#[repr(C)] +pub union DIST_POINT_NAME_st_anon_union { + pub fullname: *mut stack_st_GENERAL_NAME, + pub relativename: *mut stack_st_X509_NAME_ENTRY, +} + +#[repr(C)] +pub struct DIST_POINT { + pub distpoint: *mut DIST_POINT_NAME, + pub reasons: *mut ASN1_BIT_STRING, + pub CRLissuer: *mut stack_st_GENERAL_NAME, + pub dp_reasons: c_int, +} +stack!(stack_st_DIST_POINT); + +extern "C" { + pub fn DIST_POINT_free(dist_point: *mut DIST_POINT); + pub fn DIST_POINT_NAME_free(dist_point: *mut DIST_POINT_NAME); +} diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 5b55918750..eab1ea6757 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -423,6 +423,20 @@ impl X509Ref { } } + /// Returns this certificate's CRL distribution points, if they exist. + #[corresponds(X509_get_ext_d2i)] + pub fn crl_distribution_points(&self) -> Option> { + unsafe { + let stack = ffi::X509_get_ext_d2i( + self.as_ptr(), + ffi::NID_crl_distribution_points, + ptr::null_mut(), + ptr::null_mut(), + ); + Stack::from_ptr_opt(stack as *mut _) + } + } + /// Returns this certificate's issuer alternative name entries, if they exist. #[corresponds(X509_get_ext_d2i)] pub fn issuer_alt_names(&self) -> Option> { @@ -1927,6 +1941,49 @@ impl Stackable for GeneralName { type StackType = ffi::stack_st_GENERAL_NAME; } +foreign_type_and_impl_send_sync! { + type CType = ffi::DIST_POINT; + fn drop = ffi::DIST_POINT_free; + + /// A `X509` distribution point. + pub struct DistPoint; + /// Reference to `DistPoint`. + pub struct DistPointRef; +} + +impl DistPointRef { + /// Returns the name of this distribution point if it exists + pub fn distpoint(&self) -> Option<&DistPointNameRef> { + unsafe { DistPointNameRef::from_const_ptr_opt((*self.as_ptr()).distpoint) } + } +} + +foreign_type_and_impl_send_sync! { + type CType = ffi::DIST_POINT_NAME; + fn drop = ffi::DIST_POINT_NAME_free; + + /// A `X509` distribution point. + pub struct DistPointName; + /// Reference to `DistPointName`. + pub struct DistPointNameRef; +} + +impl DistPointNameRef { + /// Returns the contents of this DistPointName if it is a fullname. + pub fn fullname(&self) -> Option<&StackRef> { + unsafe { + if (*self.as_ptr()).type_ != 0 { + return None; + } + StackRef::from_const_ptr_opt((*self.as_ptr()).name.fullname) + } + } +} + +impl Stackable for DistPoint { + type StackType = ffi::stack_st_DIST_POINT; +} + foreign_type_and_impl_send_sync! { type CType = ffi::ACCESS_DESCRIPTION; fn drop = ffi::ACCESS_DESCRIPTION_free; diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 57734f2665..3659604413 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -986,3 +986,30 @@ fn ipv6_as_subject_alternative_name_is_formatted_in_debug() { 8u8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 128, ]); } + +#[test] +fn test_dist_point() { + let cert = include_bytes!("../../test/certv3.pem"); + let cert = X509::from_pem(cert).unwrap(); + + let dps = cert.crl_distribution_points().unwrap(); + let dp = dps.get(0).unwrap(); + let dp_nm = dp.distpoint().unwrap(); + let dp_gns = dp_nm.fullname().unwrap(); + let dp_gn = dp_gns.get(0).unwrap(); + assert_eq!(dp_gn.uri().unwrap(), "http://example.com/crl.pem"); + + let dp = dps.get(1).unwrap(); + let dp_nm = dp.distpoint().unwrap(); + let dp_gns = dp_nm.fullname().unwrap(); + let dp_gn = dp_gns.get(0).unwrap(); + assert_eq!(dp_gn.uri().unwrap(), "http://example.com/crl2.pem"); + assert!(dps.get(2).is_none()) +} + +#[test] +fn test_dist_point_null() { + let cert = include_bytes!("../../test/cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + assert!(cert.crl_distribution_points().is_none()); +} diff --git a/openssl/test/certv3.pem b/openssl/test/certv3.pem new file mode 100644 index 0000000000..819409164d --- /dev/null +++ b/openssl/test/certv3.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIUDeCGNunyJfBd3U/qUtmCcvbMyZwwDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMzAxMjMxMzMzNTJaFw0zMzAx +MjAxMzMzNTJaMFoxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEzARBgNVBAMMCmZvb2Jh +ci5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo9CWMRLMXo1CF +/iORh9B4NhtJF/8tR9PlG95sNvyWuQQ/8jfev+8zErplxfLkt0pJqcoiZG8g9NU0 +kU6o5T+/1QgZclCAoZaS0Jqxmoo2Yk/1Qsj16pnMBc10uSDk6V9aJSX1vKwONVNS +wiHA1MhX+i7Wf7/K0niq+k7hOkhleFkWgZtUq41gXh1VfOugka7UktYnk9mrBbAM +jmaloZNn2pMMAQxVg4ThiLm3zvuWqvXASWzUZc7IAd1GbN4AtDuhs252eqE9E4iT +Hk7F14wAS1JWqv666hReGHrmZJGx0xQTM9vPD1HN5t2U3KTfhO/mTlAUWVyg9tCt +OzboKgs1AgMBAAGjgZMwgZAwTgYDVR0fBEcwRTAgoB6gHIYaaHR0cDovL2V4YW1w +bGUuY29tL2NybC5wZW0wIaAfoB2GG2h0dHA6Ly9leGFtcGxlLmNvbS9jcmwyLnBl +bTAdBgNVHQ4EFgQUtnMvYaVLoe9ILBWxn/PcNC+8rDAwHwYDVR0jBBgwFoAUbNOl +A6sNXyzJjYqciKeId7g3/ZowDQYJKoZIhvcNAQELBQADggEBAJZyk6Eo4p3JIyOt +7t6ET3K18BKvlRilze+zrGkaQYvKRsP6YzbZWgcIq59hy5VeFCX5O2WP91CPG3MU +I9eRiih66/ry3G4I8QEdpRKnn0N5unbGjb5qPT5wXrhU4IO+vn3sGZGM4uIM1/3K +N/bOh9CTsu9YqrdHSGeDyNzCy/XZ/j5bP4aNm31ZDNCZDFsbjr3/yTLcpHPL0UP3 +mCX8D16BDu1Nep+wK9VRuOEw6Z9tlT/VjTImzoOUoJO/o2UHfSHahX+n2aC5OpI6 +BdhaFBuJ1vn+yTWf3zIjhWUdp9TlzgRyFiyetP2FcKwremVVGdDq/Y6dfXaq8CA1 +6Fr9KTY= +-----END CERTIFICATE----- diff --git a/openssl/test/certv3_extfile b/openssl/test/certv3_extfile new file mode 100644 index 0000000000..1b3df49482 --- /dev/null +++ b/openssl/test/certv3_extfile @@ -0,0 +1 @@ +crlDistributionPoints=URI:http://example.com/crl.pem,URI:http://example.com/crl2.pem diff --git a/systest/build.rs b/systest/build.rs index 34677d204f..4f45e2d6fa 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -110,7 +110,9 @@ fn main() { || s.starts_with("CRYPTO_EX_") }); cfg.skip_struct(|s| { - s == "ProbeResult" || s == "X509_OBJECT_data" // inline union + s == "ProbeResult" || + s == "X509_OBJECT_data" || // inline union + s == "DIST_POINT_NAME_st_anon_union" // inline union }); cfg.skip_fn(move |s| { s == "CRYPTO_memcmp" || // uses volatile @@ -130,6 +132,7 @@ fn main() { cfg.skip_field_type(|s, field| { (s == "EVP_PKEY" && field == "pkey") || // union (s == "GENERAL_NAME" && field == "d") || // union + (s == "DIST_POINT_NAME" && field == "name") || // union (s == "X509_OBJECT" && field == "data") // union }); cfg.skip_signededness(|s| { From 29d993ffaad363b2bfae80434d57d428ef25484d Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 1 Apr 2023 09:57:21 -0400 Subject: [PATCH 130/209] Release openssl-macros v0.1.1 --- openssl-macros/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-macros/Cargo.toml b/openssl-macros/Cargo.toml index cc85815ade..5337de751e 100644 --- a/openssl-macros/Cargo.toml +++ b/openssl-macros/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-macros" -version = "0.1.0" +version = "0.1.1" edition = "2018" license = "MIT/Apache-2.0" description = "Internal macros used by the openssl crate." From 545cfa48f8ef66e60bbf3b5b0323268f265e040f Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 1 Apr 2023 10:02:30 -0400 Subject: [PATCH 131/209] Release openssl-sys v0.9.84 --- openssl-sys/CHANGELOG.md | 11 ++++++++++- openssl-sys/Cargo.toml | 2 +- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 8587ad2262..0d8c1e184e 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,14 @@ ## [Unreleased] +## [v0.9.84] - 2023-04-01 + +### Added + +* Added `ASN1_INTEGER_dup` and `ASN1_INTEGER_cmp`. +* Added `stack_st_X509_NAME_ENTRY`. +* Added `DIST_POINT_NAME`, `DIST_POINT`, `stack_st_DIST_POINT`, `DIST_POINT_free`, and `DIST_POINT_NAME_free`. + ## [v0.9.83] - 2023-03-23 ### Fixed @@ -410,7 +418,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.83..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.84..master +[v0.9.84]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.83...openssl-sys-v0.9.84 [v0.9.83]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.82...openssl-sys-v0.9.83 [v0.9.82]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.81...openssl-sys-v0.9.82 [v0.9.81]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.80...openssl-sys-v0.9.81 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 109a859ddc..0dc6df9253 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.83" +version = "0.9.84" authors = [ "Alex Crichton ", "Steven Fackler ", From 36c474ada4360aefd2460cdee5157552fb83cc08 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 1 Apr 2023 10:08:38 -0400 Subject: [PATCH 132/209] Release openssl v0.10.49 --- openssl/CHANGELOG.md | 14 +++++++++++++- openssl/Cargo.toml | 4 ++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index c6d9b303cd..8feb2a36b8 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,17 @@ ## [Unreleased] +## [v0.10.49] - 2023-04-01 + +### Fixed + +* `SslConnector` no longer sets the SNI extension when connecting to an IP address. + +### Added + +* Implemented `Ord`, `PartialOrd`, `Eq`, and `PartialEq` for `Asn1Integer` and `Asn1IntegerRef`. +* Added `X509Ref::crl_distribution_points`, and `DistPoint`. + ## [v0.10.48] - 2023-03-23 ### Fixed @@ -707,7 +718,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.48...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...master +[v0.10.49]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.48...openssl-v0.10.49 [v0.10.48]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...openssl-v0.10.48 [v0.10.47]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.46...openssl-v0.10.47 [v0.10.46]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.45...openssl-v0.10.46 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index e49bd9163e..6e2e28fc52 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.48" +version = "0.10.49" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.83", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.84", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 12a0de583988b33bdc728863ba393989132ad147 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 5 Apr 2023 11:34:56 -0500 Subject: [PATCH 133/209] Raise the minimum CC version --- openssl-sys/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 0dc6df9253..ce852e54ea 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -24,7 +24,7 @@ bssl-sys = { version = "0.1.0", optional = true } [build-dependencies] bindgen = { version = "0.64.0", optional = true, features = ["experimental"] } -cc = "1.0" +cc = "1.0.52" openssl-src = { version = "111", optional = true } pkg-config = "0.3.9" From b8559cbaf81fa504c4811096153f73d1bb29bf2f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 5 Apr 2023 11:41:52 -0500 Subject: [PATCH 134/209] whoops --- openssl-sys/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index ce852e54ea..13927f7d2e 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -24,7 +24,7 @@ bssl-sys = { version = "0.1.0", optional = true } [build-dependencies] bindgen = { version = "0.64.0", optional = true, features = ["experimental"] } -cc = "1.0.52" +cc = "1.0.61" openssl-src = { version = "111", optional = true } pkg-config = "0.3.9" From edf3a165c77f4fd66db483d72db960bbcc08db5a Mon Sep 17 00:00:00 2001 From: Harold Bruintjes Date: Thu, 6 Apr 2023 14:00:24 +0200 Subject: [PATCH 135/209] Add in-place cipher update method Add the cipher_update_inplace method to CipherCtxRef that permits encryption and decryption to happen in-place when the cipher is a stream cipher. This avoid the need to allocate a second buffer if the original data does not have to be maintained. --- openssl/src/cipher_ctx.rs | 77 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 211c58ba20..216c09e5b0 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -591,6 +591,50 @@ impl CipherCtxRef { Ok(len) } + /// Like [`Self::cipher_update`] except that it writes output into the + /// `data` buffer. The `inlen` parameter specifies the number of bytes in + /// `data` that are considered the input. For streaming ciphers, the size of + /// `data` must be at least the input size. Otherwise, it must be at least + /// an additional block size larger. + /// + /// Note: Use [`Self::cipher_update`] with no output argument to write AAD. + /// + /// # Panics + /// + /// This function panics if the input size cannot be represented as `int` or + /// exceeds the buffer size, or if the output buffer does not contain enough + /// additional space. + #[corresponds(EVP_CipherUpdate)] + pub fn cipher_update_inplace( + &mut self, + data: &mut [u8], + inlen: usize, + ) -> Result { + assert!(inlen <= data.len(), "Input size may not exceed buffer size"); + let block_size = self.block_size(); + if block_size != 1 { + assert!( + data.len() >= inlen + block_size, + "Output buffer size must be at least {} bytes.", + inlen + block_size + ); + } + + let inlen = c_int::try_from(inlen).unwrap(); + let mut outlen = 0; + unsafe { + cvt(ffi::EVP_CipherUpdate( + self.as_ptr(), + data.as_mut_ptr(), + &mut outlen, + data.as_ptr(), + inlen, + )) + }?; + + Ok(outlen as usize) + } + /// Finalizes the encryption or decryption process. /// /// Any remaining data will be written to the output buffer. @@ -778,6 +822,26 @@ mod test { ctx.cipher_final_vec(&mut vec![0; 0]).unwrap(); + // encrypt again, but use in-place encryption this time + // First reset the IV + ctx.encrypt_init(None, None, Some(&iv)).unwrap(); + ctx.set_padding(false); + let mut data_inplace: [u8; 32] = [1; 32]; + let outlen = ctx + .cipher_update_inplace(&mut data_inplace[0..15], 15) + .unwrap(); + assert_eq!(15, outlen); + + let outlen = ctx + .cipher_update_inplace(&mut data_inplace[15..32], 17) + .unwrap(); + assert_eq!(17, outlen); + + ctx.cipher_final(&mut [0u8; 0]).unwrap(); + + // Check that the resulting data is encrypted in the same manner + assert_eq!(data_inplace.as_slice(), output.as_slice()); + // try to decrypt ctx.decrypt_init(Some(cipher), Some(&key), Some(&iv)) .unwrap(); @@ -800,6 +864,19 @@ mod test { ctx.cipher_final_vec(&mut vec![0; 0]).unwrap(); // check if the decrypted blocks are the same as input (all ones) assert_eq!(output_decrypted, vec![1; 32]); + + // decrypt again, but now the output in-place + ctx.decrypt_init(None, None, Some(&iv)).unwrap(); + ctx.set_padding(false); + + let outlen = ctx.cipher_update_inplace(&mut output[0..15], 15).unwrap(); + assert_eq!(15, outlen); + + let outlen = ctx.cipher_update_inplace(&mut output[15..], 17).unwrap(); + assert_eq!(17, outlen); + + ctx.cipher_final_vec(&mut vec![0; 0]).unwrap(); + assert_eq!(output_decrypted, output); } #[test] From 1a52fa61a4ce49249c41cd77aa767dcacbac6279 Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Sun, 9 Apr 2023 11:05:57 -0400 Subject: [PATCH 136/209] Bump LibreSSL to 3.7.2 3.7 series is now stable --- .github/workflows/ci.yml | 4 ++-- openssl-sys/build/main.rs | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 16f873bd95..e8bf8c9c86 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -181,7 +181,7 @@ jobs: bindgen: true library: name: libressl - version: 3.7.1 + version: 3.7.2 - target: x86_64-unknown-linux-gnu bindgen: false library: @@ -191,7 +191,7 @@ jobs: bindgen: false library: name: libressl - version: 3.7.1 + version: 3.7.2 name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} runs-on: ubuntu-latest env: diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 5c1f668fb7..ba149c17ff 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -284,6 +284,7 @@ See rust-openssl documentation for more information: (3, 6, _) => ('3', '6', 'x'), (3, 7, 0) => ('3', '7', '0'), (3, 7, 1) => ('3', '7', '1'), + (3, 7, _) => ('3', '7', 'x'), _ => version_error(), }; @@ -326,7 +327,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.7.1, but a different version of OpenSSL was found. The build is now aborting +through 3.7.x, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " From b03b9ea09b59da99b0e27b6753db33b93181fae8 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 9 Apr 2023 20:04:09 -0400 Subject: [PATCH 137/209] Release openssl-sys v0.9.85 --- openssl-sys/CHANGELOG.md | 9 ++++++++- openssl-sys/Cargo.toml | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 0d8c1e184e..b5d487759b 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,12 @@ ## [Unreleased] +## [v0.9.85] - 2023-04-09 + +### Added + +* Added support for LibreSSL 3.7.x. + ## [v0.9.84] - 2023-04-01 ### Added @@ -418,7 +424,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.84..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85..master +[v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.85 [v0.9.84]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.83...openssl-sys-v0.9.84 [v0.9.83]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.82...openssl-sys-v0.9.83 [v0.9.82]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.81...openssl-sys-v0.9.82 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 13927f7d2e..cad799a3a4 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.84" +version = "0.9.85" authors = [ "Alex Crichton ", "Steven Fackler ", From 8395a89532e257eee6769f6e60b74bfb6cf951cc Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 9 Apr 2023 20:06:24 -0400 Subject: [PATCH 138/209] Release openssl v0.10.50 --- openssl/CHANGELOG.md | 9 ++++++++- openssl/Cargo.toml | 4 ++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 8feb2a36b8..3730cf5ce5 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,12 @@ ## [Unreleased] +## [v0.10.50] - 2023-04-09 + +### Added + +* Added `CipherCtxRef::cipher_update_inplace`. + ## [v0.10.49] - 2023-04-01 ### Fixed @@ -718,7 +724,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...master +[v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 [v0.10.49]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.48...openssl-v0.10.49 [v0.10.48]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...openssl-v0.10.48 [v0.10.47]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.46...openssl-v0.10.47 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 6e2e28fc52..699273d114 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.49" +version = "0.10.50" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.84", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.85", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From a27dd4d799702c44578b62572f2dcfed2022496b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 10 Apr 2023 14:45:28 +0800 Subject: [PATCH 139/209] update documentation to reflect libressl support --- openssl/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 5678298a03..7829b79cba 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -1,7 +1,7 @@ //! Bindings to OpenSSL //! //! This crate provides a safe interface to the popular OpenSSL cryptography library. OpenSSL versions 1.0.1 through -//! 3.x.x and LibreSSL versions 2.5 through 3.4.1 are supported. +//! 3.x.x and LibreSSL versions 2.5 through 3.7.x are supported. //! //! # Building //! From c2fbe9a1d6c85d1d43470b3f1188bf74056f0d51 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 15 Apr 2023 19:11:26 -0400 Subject: [PATCH 140/209] Fixes #1882 -- added APIs for setting public keys on Dh --- openssl/src/dh.rs | 46 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index e781543e27..f7246975b3 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -7,7 +7,7 @@ use std::ptr; use crate::bn::{BigNum, BigNumRef}; use crate::error::ErrorStack; -use crate::pkey::{HasParams, HasPrivate, HasPublic, Params, Private}; +use crate::pkey::{HasParams, HasPrivate, HasPublic, Params, Private, Public}; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; @@ -66,6 +66,16 @@ impl Dh { } } + /// Sets the public key on the DH object. + pub fn set_public_key(self, pub_key: BigNum) -> Result, ErrorStack> { + unsafe { + let dh_ptr = self.0; + cvt(DH_set0_key(dh_ptr, pub_key.as_ptr(), ptr::null_mut()))?; + mem::forget((self, pub_key)); + Ok(Dh::from_ptr(dh_ptr)) + } + } + /// Sets the private key on the DH object and recomputes the public key. pub fn set_private_key(self, priv_key: BigNum) -> Result, ErrorStack> { unsafe { @@ -79,6 +89,16 @@ impl Dh { } } + /// Sets the public and private keys on the DH object. + pub fn set_key(self, pub_key: BigNum, priv_key: BigNum) -> Result, ErrorStack> { + unsafe { + let dh_ptr = self.0; + cvt(DH_set0_key(dh_ptr, pub_key.as_ptr(), priv_key.as_ptr()))?; + mem::forget((self, pub_key, priv_key)); + Ok(Dh::from_ptr(dh_ptr)) + } + } + /// Generates DH params based on the given `prime_len` and a fixed `generator` value. #[corresponds(DH_generate_parameters_ex)] pub fn generate_params(prime_len: u32, generator: u32) -> Result, ErrorStack> { @@ -367,6 +387,30 @@ mod tests { assert_eq!(key1.private_key(), key2.private_key()); } + #[test] + #[cfg(ossl102)] + fn test_set_keys() { + let dh1 = Dh::get_2048_256().unwrap(); + let key1 = dh1.generate_key().unwrap(); + + let dh2 = Dh::get_2048_256().unwrap(); + let key2 = dh2 + .set_public_key(key1.public_key().to_owned().unwrap()) + .unwrap(); + + assert_eq!(key1.public_key(), key2.public_key()); + + let dh3 = Dh::get_2048_256().unwrap(); + let key3 = dh3 + .set_key( + key1.public_key().to_owned().unwrap(), + key1.private_key().to_owned().unwrap(), + ) + .unwrap(); + assert_eq!(key1.public_key(), key3.public_key()); + assert_eq!(key1.private_key(), key3.private_key()); + } + #[test] fn test_dh_from_pem() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); From 5e4815810b4ffe924a0dd7344bb5e584d58087fb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 16 Apr 2023 17:20:30 -0400 Subject: [PATCH 141/209] Fixes #1884 -- don't leave an error on the stack in public_eq --- openssl/src/pkey.rs | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index bec4bfdafc..c03b181c80 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -244,7 +244,11 @@ where where U: HasPublic, { - unsafe { ffi::EVP_PKEY_cmp(self.as_ptr(), other.as_ptr()) == 1 } + let res = unsafe { ffi::EVP_PKEY_cmp(self.as_ptr(), other.as_ptr()) == 1 }; + // Clear the stack. OpenSSL will put an error on the stack when the + // keys are different types in some situations. + let _ = ErrorStack::get(); + res } /// Raw byte representation of a public key. @@ -885,6 +889,7 @@ mod tests { use crate::dh::Dh; use crate::dsa::Dsa; use crate::ec::EcKey; + use crate::error::Error; use crate::nid::Nid; use crate::rsa::Rsa; use crate::symm::Cipher; @@ -1168,4 +1173,17 @@ mod tests { let key = PKey::ec_gen("prime256v1").unwrap(); assert!(key.ec_key().is_ok()); } + + #[test] + fn test_public_eq() { + let rsa = Rsa::generate(2048).unwrap(); + let pkey1 = PKey::from_rsa(rsa).unwrap(); + + let group = crate::ec::EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let ec_key = EcKey::generate(&group).unwrap(); + let pkey2 = PKey::from_ec_key(ec_key).unwrap(); + + assert!(!pkey1.public_eq(&pkey2)); + assert!(Error::get().is_none()); + } } From f0b752d251608e4c07d707ff688ce4fe23cf00d4 Mon Sep 17 00:00:00 2001 From: Martin Algesten Date: Tue, 18 Apr 2023 09:23:40 +0200 Subject: [PATCH 142/209] DTLS1 and DTLS1_2 SslVersion for set_min_proto_version() Expose constants to allow limiting the DTLS version. --- openssl-sys/src/tls1.rs | 3 +++ openssl/src/ssl/mod.rs | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/openssl-sys/src/tls1.rs b/openssl-sys/src/tls1.rs index f7ae302046..fd83da7ae4 100644 --- a/openssl-sys/src/tls1.rs +++ b/openssl-sys/src/tls1.rs @@ -10,6 +10,9 @@ pub const TLS1_2_VERSION: c_int = 0x303; #[cfg(any(ossl111, libressl340))] pub const TLS1_3_VERSION: c_int = 0x304; +pub const DTLS1_VERSION: c_int = 0xFEFF; +pub const DTLS1_2_VERSION: c_int = 0xFEFD; + pub const TLS1_AD_DECODE_ERROR: c_int = 50; pub const TLS1_AD_UNRECOGNIZED_NAME: c_int = 112; diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 6ef356d36d..4ebf47dd09 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -644,6 +644,16 @@ impl SslVersion { /// Requires OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer. #[cfg(any(ossl111, libressl340))] pub const TLS1_3: SslVersion = SslVersion(ffi::TLS1_3_VERSION); + + /// DTLSv1.0 + /// + /// DTLS 1.0 corresponds to TLS 1.1. + pub const DTLS1: SslVersion = SslVersion(ffi::DTLS1_VERSION); + + /// DTLSv1.2 + /// + /// DTLS 1.2 corresponds to TLS 1.2 to harmonize versions. There was never a DTLS 1.1. + pub const DTLS1_2: SslVersion = SslVersion(ffi::DTLS1_2_VERSION); } cfg_if! { From 36fd9651f6239349fa4c750371615f90c45182fa Mon Sep 17 00:00:00 2001 From: Martin Algesten Date: Tue, 18 Apr 2023 10:01:39 +0200 Subject: [PATCH 143/209] Limit DTLS1.2 to openssl 1.0.2 and libressl 3.3.2 --- openssl-sys/src/tls1.rs | 1 + openssl/src/ssl/mod.rs | 1 + 2 files changed, 2 insertions(+) diff --git a/openssl-sys/src/tls1.rs b/openssl-sys/src/tls1.rs index fd83da7ae4..2cb08a91f3 100644 --- a/openssl-sys/src/tls1.rs +++ b/openssl-sys/src/tls1.rs @@ -11,6 +11,7 @@ pub const TLS1_2_VERSION: c_int = 0x303; pub const TLS1_3_VERSION: c_int = 0x304; pub const DTLS1_VERSION: c_int = 0xFEFF; +#[cfg(any(ossl102, libressl332))] pub const DTLS1_2_VERSION: c_int = 0xFEFD; pub const TLS1_AD_DECODE_ERROR: c_int = 50; diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 4ebf47dd09..5b8775c98c 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -653,6 +653,7 @@ impl SslVersion { /// DTLSv1.2 /// /// DTLS 1.2 corresponds to TLS 1.2 to harmonize versions. There was never a DTLS 1.1. + #[cfg(any(ossl102, libressl332))] pub const DTLS1_2: SslVersion = SslVersion(ffi::DTLS1_2_VERSION); } From 428a7e595cff993a6a869e9fafd8b34743e4bfbe Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 19 Apr 2023 20:01:17 -0400 Subject: [PATCH 144/209] Remove size_t-is-usize argument to bindgen It's been on by default for a while: https://github.com/rust-lang/rust-bindgen/commit/cc78b6fdb6e829e5fb8fa1639f2182cb49333569 --- openssl-sys/build/run_bindgen.rs | 2 -- 1 file changed, 2 deletions(-) diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 0c127ae5c6..3361786357 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -111,7 +111,6 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { .ctypes_prefix("::libc") .derive_default(false) .enable_function_attribute_detection() - .size_t_is_usize(true) .default_macro_constant_type(MacroTypeVariation::Signed) .rustified_enum("point_conversion_form_t") .allowlist_file(".*/openssl/[^/]+\\.h") @@ -167,7 +166,6 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { .arg("--ctypes-prefix=::libc") .arg("--no-derive-default") .arg("--enable-function-attribute-detection") - .arg("--size_t-is-usize") .arg("--default-macro-constant-type=signed") .arg("--rustified-enum=point_conversion_form_t") .arg("--allowlist-file=.*/openssl/[^/]+\\.h") From c7f91fc4e6b505d50c7ecaaaef5a74919672b425 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 19 Apr 2023 20:38:00 -0400 Subject: [PATCH 145/209] Update BoringSSL in CI --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e8bf8c9c86..b8314824b5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -153,7 +153,7 @@ jobs: - false library: - name: boringssl - version: 93e8d4463d59d671e9c5c6171226341f04b07907 + version: bcecc7d834fc44ad257b2f23f88e1cf597ab2736 - name: openssl version: vendored - name: openssl From a0bfb99e44e9709b4606a3a8ab5b76134a056b25 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Apr 2023 04:12:28 -0400 Subject: [PATCH 146/209] Fix build for changes in boringssl paths --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b8314824b5..71deb57ab9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -310,7 +310,7 @@ jobs: - run: | mkdir -p .cargo echo '[patch.crates-io]' > .cargo/config.toml - echo 'bssl-sys = { path = "'$OPENSSL_DIR'/rust" }' >> .cargo/config.toml + echo 'bssl-sys = { path = "'$OPENSSL_DIR'/rust/bssl-sys" }' >> .cargo/config.toml if: matrix.library.name == 'boringssl' && !matrix.bindgen - uses: actions/cache@v3 with: From b2ca7210f258c2cf32b8e045d5d03e4f4a365260 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Apr 2023 04:12:40 -0400 Subject: [PATCH 147/209] Fix types for boringssl changes --- openssl/src/x509/mod.rs | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 00b467fb77..774fc4289b 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -986,13 +986,13 @@ impl X509NameBuilder { pub fn append_entry_by_text(&mut self, field: &str, value: &str) -> Result<(), ErrorStack> { unsafe { let field = CString::new(field).unwrap(); - assert!(value.len() <= c_int::max_value() as usize); + assert!(value.len() <= crate::SLenType::max_value() as usize); cvt(ffi::X509_NAME_add_entry_by_txt( self.0.as_ptr(), field.as_ptr() as *mut _, ffi::MBSTRING_UTF8, value.as_ptr(), - value.len() as c_int, + value.len() as crate::SLenType, -1, 0, )) @@ -1013,13 +1013,13 @@ impl X509NameBuilder { ) -> Result<(), ErrorStack> { unsafe { let field = CString::new(field).unwrap(); - assert!(value.len() <= c_int::max_value() as usize); + assert!(value.len() <= crate::SLenType::max_value() as usize); cvt(ffi::X509_NAME_add_entry_by_txt( self.0.as_ptr(), field.as_ptr() as *mut _, ty.as_raw(), value.as_ptr(), - value.len() as c_int, + value.len() as crate::SLenType, -1, 0, )) @@ -1034,13 +1034,13 @@ impl X509NameBuilder { /// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_NID.html pub fn append_entry_by_nid(&mut self, field: Nid, value: &str) -> Result<(), ErrorStack> { unsafe { - assert!(value.len() <= c_int::max_value() as usize); + assert!(value.len() <= crate::SLenType::max_value() as usize); cvt(ffi::X509_NAME_add_entry_by_NID( self.0.as_ptr(), field.as_raw(), ffi::MBSTRING_UTF8, value.as_ptr() as *mut _, - value.len() as c_int, + value.len() as crate::SLenType, -1, 0, )) @@ -1060,13 +1060,13 @@ impl X509NameBuilder { ty: Asn1Type, ) -> Result<(), ErrorStack> { unsafe { - assert!(value.len() <= c_int::max_value() as usize); + assert!(value.len() <= crate::SLenType::max_value() as usize); cvt(ffi::X509_NAME_add_entry_by_NID( self.0.as_ptr(), field.as_raw(), ty.as_raw(), value.as_ptr() as *mut _, - value.len() as c_int, + value.len() as crate::SLenType, -1, 0, )) From 9f9009392c8788b1b4e984b8a81ff919c28754e5 Mon Sep 17 00:00:00 2001 From: remigranotier <42846930+remigranotier@users.noreply.github.com> Date: Thu, 20 Apr 2023 16:54:09 +0200 Subject: [PATCH 148/209] Documentation typo for X509Crl Fixed x509Crl description from "a X509 certificate request" to "a X509 certificate revocation list" --- openssl/src/x509/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 774fc4289b..971fb982a6 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1545,7 +1545,7 @@ foreign_type_and_impl_send_sync! { type CType = ffi::X509_REVOKED; fn drop = ffi::X509_REVOKED_free; - /// An `X509` certificate request. + /// An `X509` certificate revocation list. pub struct X509Revoked; /// Reference to `X509Crl`. pub struct X509RevokedRef; From 75a6e0e47db672987eed0cef48dc3860e8b153cf Mon Sep 17 00:00:00 2001 From: remigranotier <42846930+remigranotier@users.noreply.github.com> Date: Thu, 20 Apr 2023 16:59:03 +0200 Subject: [PATCH 149/209] [Documentation] fixed X509Crl and X509Revoked description in doc Pardon my previous MR, Ctrl+F tricked me... This one fixes (for good) descriptions for both X509Crl and X509Revoked --- openssl/src/x509/mod.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 971fb982a6..030770587e 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1545,9 +1545,9 @@ foreign_type_and_impl_send_sync! { type CType = ffi::X509_REVOKED; fn drop = ffi::X509_REVOKED_free; - /// An `X509` certificate revocation list. + /// An `X509` certificate revocation status. pub struct X509Revoked; - /// Reference to `X509Crl`. + /// Reference to `X509Revoked`. pub struct X509RevokedRef; } @@ -1659,7 +1659,7 @@ foreign_type_and_impl_send_sync! { type CType = ffi::X509_CRL; fn drop = ffi::X509_CRL_free; - /// An `X509` certificate request. + /// An `X509` certificate revocation list. pub struct X509Crl; /// Reference to `X509Crl`. pub struct X509CrlRef; From 2ac0d838ff5f78cd019c225075a3745e65ef6675 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 20 Apr 2023 13:15:44 -0600 Subject: [PATCH 150/209] add asn1octetstring creation support --- openssl-sys/src/handwritten/asn1.rs | 6 ++++ openssl/src/asn1.rs | 48 +++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index 13c233a473..fa43a7a5c1 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -51,9 +51,15 @@ extern "C" { #[cfg(any(all(ossl101, not(ossl110)), libressl))] pub fn ASN1_STRING_data(x: *mut ASN1_STRING) -> *mut c_uchar; pub fn ASN1_STRING_new() -> *mut ASN1_STRING; + pub fn ASN1_OCTET_STRING_new() -> *mut ASN1_OCTET_STRING; pub fn ASN1_STRING_free(x: *mut ASN1_STRING); pub fn ASN1_STRING_length(x: *const ASN1_STRING) -> c_int; pub fn ASN1_STRING_set(x: *mut ASN1_STRING, data: *const c_void, len_in: c_int) -> c_int; + pub fn ASN1_OCTET_STRING_set( + x: *mut ASN1_OCTET_STRING, + data: *const c_uchar, + len_in: c_int, + ) -> c_int; pub fn ASN1_BIT_STRING_free(x: *mut ASN1_BIT_STRING); pub fn ASN1_OCTET_STRING_free(x: *mut ASN1_OCTET_STRING); diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 8956f8d709..d75e05166e 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -28,6 +28,7 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_char, c_int, c_long, time_t}; use std::cmp::Ordering; +use std::convert::TryInto; use std::ffi::CString; use std::fmt; use std::ptr; @@ -611,6 +612,46 @@ impl Asn1BitStringRef { } } +foreign_type_and_impl_send_sync! { + type CType = ffi::ASN1_OCTET_STRING; + fn drop = ffi::ASN1_OCTET_STRING_free; + /// ASN.1 OCTET STRING type + pub struct Asn1OctetString; + /// A reference to an [`Asn1OctetString`]. + pub struct Asn1OctetStringRef; +} + +impl Asn1OctetString { + /// Creates an Asn1OctetString from bytes + pub fn new_from_bytes(value: &[u8]) -> Result { + ffi::init(); + unsafe { + let s = cvt_p(ffi::ASN1_OCTET_STRING_new())?; + ffi::ASN1_OCTET_STRING_set(s, value.as_ptr(), value.len().try_into().unwrap()); + Ok(Self::from_ptr(s)) + } + } +} + +impl Asn1OctetStringRef { + /// Returns the octet string as an array of bytes. + #[corresponds(ASN1_STRING_get0_data)] + pub fn as_slice(&self) -> &[u8] { + unsafe { slice::from_raw_parts(ASN1_STRING_get0_data(self.as_ptr().cast()), self.len()) } + } + + /// Returns the number of bytes in the octet string. + #[corresponds(ASN1_STRING_length)] + pub fn len(&self) -> usize { + unsafe { ffi::ASN1_STRING_length(self.as_ptr().cast()) as usize } + } + + /// Determines if the string is empty. + pub fn is_empty(&self) -> bool { + self.len() == 0 + } +} + foreign_type_and_impl_send_sync! { type CType = ffi::ASN1_OBJECT; fn drop = ffi::ASN1_OBJECT_free; @@ -859,4 +900,11 @@ mod tests { &[0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01], ); } + + #[test] + fn asn1_octet_string() { + let octet_string = Asn1OctetString::new_from_bytes(b"hello world").unwrap(); + assert_eq!(octet_string.as_slice(), b"hello world"); + assert_eq!(octet_string.len(), 11); + } } From 4e1bbee5f07d6edc505876566ad958edd0232bfa Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 13 Apr 2023 19:35:45 -0400 Subject: [PATCH 151/209] Introduce X509Extension::new_from_der and deprecate the bad APIs --- openssl/src/x509/extension.rs | 12 +++++++++ openssl/src/x509/mod.rs | 47 +++++++++++++++++++++++++++++++++-- openssl/src/x509/tests.rs | 18 +++++++++++++- 3 files changed, 74 insertions(+), 3 deletions(-) diff --git a/openssl/src/x509/extension.rs b/openssl/src/x509/extension.rs index f04d227960..075227dec3 100644 --- a/openssl/src/x509/extension.rs +++ b/openssl/src/x509/extension.rs @@ -67,6 +67,9 @@ impl BasicConstraints { } /// Return the `BasicConstraints` extension as an `X509Extension`. + // Temporarily silence the deprecation warning - this should be ported to + // `X509Extension::new_internal`. + #[allow(deprecated)] pub fn build(&self) -> Result { let mut value = String::new(); if self.critical { @@ -183,6 +186,9 @@ impl KeyUsage { } /// Return the `KeyUsage` extension as an `X509Extension`. + // Temporarily silence the deprecation warning - this should be ported to + // `X509Extension::new_internal`. + #[allow(deprecated)] pub fn build(&self) -> Result { let mut value = String::new(); let mut first = true; @@ -346,6 +352,9 @@ impl SubjectKeyIdentifier { } /// Return a `SubjectKeyIdentifier` extension as an `X509Extension`. + // Temporarily silence the deprecation warning - this should be ported to + // `X509Extension::new_internal`. + #[allow(deprecated)] pub fn build(&self, ctx: &X509v3Context<'_>) -> Result { let mut value = String::new(); let mut first = true; @@ -398,6 +407,9 @@ impl AuthorityKeyIdentifier { } /// Return a `AuthorityKeyIdentifier` extension as an `X509Extension`. + // Temporarily silence the deprecation warning - this should be ported to + // `X509Extension::new_internal`. + #[allow(deprecated)] pub fn build(&self, ctx: &X509v3Context<'_>) -> Result { let mut value = String::new(); let mut first = true; diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 030770587e..ea6fc13b72 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -24,8 +24,8 @@ use std::slice; use std::str; use crate::asn1::{ - Asn1BitStringRef, Asn1Enumerated, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, Asn1StringRef, - Asn1TimeRef, Asn1Type, + Asn1BitStringRef, Asn1Enumerated, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, + Asn1OctetStringRef, Asn1StringRef, Asn1TimeRef, Asn1Type, }; use crate::bio::MemBioSlice; use crate::conf::ConfRef; @@ -842,6 +842,13 @@ impl X509Extension { /// mini-language that can read arbitrary files. /// /// See the extension module for builder types which will construct certain common extensions. + /// + /// This function is deprecated, `X509Extension::new_from_der` or the + /// types in `x509::extension` should be used in its place. + #[deprecated( + note = "Use x509::extension types or new_from_der instead", + since = "0.10.51" + )] pub fn new( conf: Option<&ConfRef>, context: Option<&X509v3Context<'_>>, @@ -887,6 +894,13 @@ impl X509Extension { /// mini-language that can read arbitrary files. /// /// See the extension module for builder types which will construct certain common extensions. + /// + /// This function is deprecated, `X509Extension::new_from_der` or the + /// types in `x509::extension` should be used in its place. + #[deprecated( + note = "Use x509::extension types or new_from_der instead", + since = "0.10.51" + )] pub fn new_nid( conf: Option<&ConfRef>, context: Option<&X509v3Context<'_>>, @@ -921,6 +935,31 @@ impl X509Extension { } } + /// Constructs a new X509 extension value from its OID, whether it's + /// critical, and its DER contents. + /// + /// The extent structure of the DER value will vary based on the + /// extension type, and can generally be found in the RFC defining the + /// extension. + /// + /// For common extension types, there are Rust APIs provided in + /// `openssl::x509::extensions` which are more ergonomic. + pub fn new_from_der( + oid: &Asn1ObjectRef, + critical: bool, + der_contents: &Asn1OctetStringRef, + ) -> Result { + unsafe { + cvt_p(ffi::X509_EXTENSION_create_by_OBJ( + ptr::null_mut(), + oid.as_ptr(), + critical as _, + der_contents.as_ptr(), + )) + .map(X509Extension) + } + } + pub(crate) unsafe fn new_internal( nid: Nid, critical: bool, @@ -936,6 +975,10 @@ impl X509Extension { /// /// This method modifies global state without locking and therefore is not thread safe #[corresponds(X509V3_EXT_add_alias)] + #[deprecated( + note = "Use x509::extension types or new_from_der and then this is not necessary", + since = "0.10.51" + )] pub unsafe fn add_alias(to: Nid, from: Nid) -> Result<(), ErrorStack> { ffi::init(); cvt(ffi::X509V3_EXT_add_alias(to.as_raw(), from.as_raw())).map(|_| ()) diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 81801358b1..4e01d8d8a3 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -1,6 +1,6 @@ use std::cmp::Ordering; -use crate::asn1::Asn1Time; +use crate::asn1::{Asn1Object, Asn1OctetString, Asn1Time}; use crate::bn::{BigNum, MsbOption}; use crate::hash::MessageDigest; use crate::nid::Nid; @@ -290,6 +290,8 @@ fn x509_builder() { } #[test] +// This tests `X509Extension::new`, even though its deprecated. +#[allow(deprecated)] fn x509_extension_new() { assert!(X509Extension::new(None, None, "crlDistributionPoints", "section").is_err()); assert!(X509Extension::new(None, None, "proxyCertInfo", "").is_err()); @@ -297,6 +299,20 @@ fn x509_extension_new() { assert!(X509Extension::new(None, None, "subjectAltName", "dirName:section").is_err()); } +#[test] +fn x509_extension_new_from_der() { + let ext = X509Extension::new_from_der( + &Asn1Object::from_str("2.5.29.19").unwrap(), + true, + &Asn1OctetString::new_from_bytes(b"\x30\x03\x01\x01\xff").unwrap(), + ) + .unwrap(); + assert_eq!( + ext.to_der().unwrap(), + b"0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff" + ); +} + #[test] fn x509_extension_to_der() { let builder = X509::builder().unwrap(); From babb61c3812f85c25bb4fd105d46a2659823a8f9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Apr 2023 16:30:40 -0600 Subject: [PATCH 152/209] Release openssl v0.10.51 and openssl-sys v0.9.86 --- openssl-sys/CHANGELOG.md | 16 ++++++++++++++-- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 17 ++++++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 33 insertions(+), 6 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index b5d487759b..20e599b8ab 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,17 @@ ## [Unreleased] +## [v0.9.86] - 2023-04-20 + +### Fixed + +* Fixed BoringSSL support with the latest bindgen release. + +### Added + +* Added bindings for PKCS#7 functions and more X.509 functions. + + ## [v0.9.85] - 2023-04-09 ### Added @@ -424,8 +435,9 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85..master -[v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.85 +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86..master +[v0.9.86]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.86 +[v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.84...openssl-sys-v0.9.85 [v0.9.84]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.83...openssl-sys-v0.9.84 [v0.9.83]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.82...openssl-sys-v0.9.83 [v0.9.82]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.81...openssl-sys-v0.9.82 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index cad799a3a4..c5cced2880 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.85" +version = "0.9.86" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 3730cf5ce5..f4eca89166 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,20 @@ ## [Unreleased] +## [v0.10.51] - 2023-04-20 + +### Added + +* Added `X509RevokedRef::issuer_name` and `X509RevokedRef::reason_code`. +* Added `Dh::set_key` and `Dh::set_public_key` +* Added `Asn1OctetString` and `Asn1OctetStringRef1` +* Added `X509Extension::new_from_der` + +### Deprecated + +* Deprecated `X509Extension::new` and `X509Extension::new_nid` in favor of `X509Extension::new_from_der` and the `extensions` module. +* Deprecated `X509Extension::add_alias`, it is not required with `new_from_der` or the `extensions` module. + ## [v0.10.50] - 2023-04-09 ### Added @@ -724,7 +738,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...master +[v0.10.51]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...openssl-v0.10.51 [v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 [v0.10.49]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.48...openssl-v0.10.49 [v0.10.48]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...openssl-v0.10.48 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 699273d114..ba72250c92 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.50" +version = "0.10.51" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.85", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.86", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 0a3cca2178a08a318cacc5c4d4938daf55ac3979 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Apr 2023 18:37:40 -0600 Subject: [PATCH 153/209] Expose BigNum::to_vec_padded on libressl --- openssl-sys/src/handwritten/bn.rs | 2 +- openssl/src/bn.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/handwritten/bn.rs b/openssl-sys/src/handwritten/bn.rs index 81348f692a..5457f61710 100644 --- a/openssl-sys/src/handwritten/bn.rs +++ b/openssl-sys/src/handwritten/bn.rs @@ -23,7 +23,7 @@ extern "C" { pub fn BN_clear_free(bn: *mut BIGNUM); pub fn BN_bin2bn(s: *const u8, size: c_int, ret: *mut BIGNUM) -> *mut BIGNUM; pub fn BN_bn2bin(a: *const BIGNUM, to: *mut u8) -> c_int; - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl340))] pub fn BN_bn2binpad(a: *const BIGNUM, to: *mut u8, tolen: c_int) -> c_int; pub fn BN_sub(r: *mut BIGNUM, a: *const BIGNUM, b: *const BIGNUM) -> c_int; pub fn BN_add(r: *mut BIGNUM, a: *const BIGNUM, b: *const BIGNUM) -> c_int; diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index 0328730a23..5cfe4b375d 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -814,7 +814,7 @@ impl BigNumRef { /// assert_eq!(&bn_vec, &[0, 0, 0x45, 0x43]); /// ``` #[corresponds(BN_bn2binpad)] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl340, boringssl))] pub fn to_vec_padded(&self, pad_to: i32) -> Result, ErrorStack> { let mut v = Vec::with_capacity(pad_to as usize); unsafe { From 4438bd5092f396111dc367fbda6abd54ff6f126f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 20 Apr 2023 20:54:16 -0600 Subject: [PATCH 154/209] add support for DH check key I am sorry, no one should need this. Stop doing finite field DH. Fields weren't meant to be finite --- openssl-sys/src/handwritten/dh.rs | 1 + openssl/src/dh.rs | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/openssl-sys/src/handwritten/dh.rs b/openssl-sys/src/handwritten/dh.rs index a4de122eac..87a0817ce5 100644 --- a/openssl-sys/src/handwritten/dh.rs +++ b/openssl-sys/src/handwritten/dh.rs @@ -3,6 +3,7 @@ use super::super::*; extern "C" { pub fn DH_new() -> *mut DH; pub fn DH_free(dh: *mut DH); + pub fn DH_check(dh: *const DH, codes: *mut c_int) -> c_int; pub fn DH_generate_parameters( prime_len: c_int, diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index f7246975b3..7445e3408c 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -39,6 +39,16 @@ where params_to_der, ffi::i2d_DHparams } + + /// Validates DH parameters for correctness + #[corresponds(DH_check_key)] + pub fn check_key(&self) -> Result { + unsafe { + let mut codes = 0; + cvt(ffi::DH_check(self.as_ptr(), &mut codes))?; + Ok(codes == 0) + } + } } impl Dh { @@ -457,4 +467,14 @@ mod tests { assert_eq!(shared_a, shared_b); } + + #[test] + fn test_dh_check_key() { + let dh1 = Dh::generate_params(512, 2).unwrap(); + let p = BigNum::from_hex_str("04").unwrap(); + let g = BigNum::from_hex_str("02").unwrap(); + let dh2 = Dh::from_pqg(p, None, g).unwrap(); + assert!(dh1.check_key().unwrap()); + assert!(!dh2.check_key().unwrap()); + } } From 1c46f360af0c141ae755562bd7090e25264f3e9f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 20 Apr 2023 21:58:04 -0600 Subject: [PATCH 155/209] add poly1305 EVP_PKEY type --- openssl-sys/src/evp.rs | 2 ++ openssl-sys/src/obj_mac.rs | 2 ++ openssl/src/pkey.rs | 2 ++ 3 files changed, 6 insertions(+) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 69b49fbb0b..72ca2434fc 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -20,6 +20,8 @@ pub const EVP_PKEY_X448: c_int = NID_X448; pub const EVP_PKEY_ED448: c_int = NID_ED448; pub const EVP_PKEY_HMAC: c_int = NID_hmac; pub const EVP_PKEY_CMAC: c_int = NID_cmac; +#[cfg(ossl111)] +pub const EVP_PKEY_POLY1305: c_int = NID_poly1305; #[cfg(ossl110)] pub const EVP_PKEY_HKDF: c_int = NID_hkdf; diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 1f8e10003a..22bfccba3f 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -927,6 +927,8 @@ pub const NID_X448: c_int = 1035; #[cfg(ossl110)] pub const NID_hkdf: c_int = 1036; #[cfg(ossl111)] +pub const NID_poly1305: c_int = 1061; +#[cfg(ossl111)] pub const NID_ED25519: c_int = 1087; #[cfg(libressl370)] pub const NID_ED25519: c_int = 952; diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index c03b181c80..cec1c482e1 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -97,6 +97,8 @@ impl Id { pub const X25519: Id = Id(ffi::EVP_PKEY_X25519); #[cfg(ossl111)] pub const X448: Id = Id(ffi::EVP_PKEY_X448); + #[cfg(ossl111)] + pub const POLY1305: Id = Id(ffi::EVP_PKEY_POLY1305); /// Creates a `Id` from an integer representation. pub fn from_raw(value: c_int) -> Id { From e073b4d2b06596acfa6cf380c030ca7843a78fda Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Tue, 18 Apr 2023 23:36:09 +0800 Subject: [PATCH 156/209] add more x509 extension helper functions --- openssl-sys/src/handwritten/x509v3.rs | 8 ++++++ openssl/src/x509/mod.rs | 40 +++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 4a15f3df5f..fb517df904 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -102,6 +102,14 @@ extern "C" { pub fn X509_get_key_usage(x: *mut X509) -> u32; #[cfg(ossl110)] pub fn X509_get_extended_key_usage(x: *mut X509) -> u32; + #[cfg(ossl110)] + pub fn X509_get0_subject_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; + #[cfg(ossl110)] + pub fn X509_get0_authority_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; + #[cfg(ossl110)] + pub fn X509_get0_authority_issuer(x: *mut X509) -> *const stack_st_GENERAL_NAME; + #[cfg(ossl110)] + pub fn X509_get0_authority_serial(x: *mut X509) -> *const ASN1_INTEGER; } #[repr(C)] diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index ea6fc13b72..796ee2f09f 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -483,6 +483,46 @@ impl X509Ref { } } + /// Returns this certificate's subject key id, if it exists. + #[corresponds(X509_get0_subject_key_id)] + #[cfg(ossl110)] + pub fn subject_key_id(&self) -> Option<&Asn1StringRef> { + unsafe { + let data = ffi::X509_get0_subject_key_id(self.as_ptr()); + Asn1StringRef::from_const_ptr_opt(data as *const _) + } + } + + /// Returns this certificate's authority key id, if it exists. + #[corresponds(X509_get0_authority_key_id)] + #[cfg(ossl110)] + pub fn authority_key_id(&self) -> Option<&Asn1StringRef> { + unsafe { + let data = ffi::X509_get0_authority_key_id(self.as_ptr()); + Asn1StringRef::from_const_ptr_opt(data as *const _) + } + } + + /// Returns this certificate's authority issuer name entries, if they exist. + #[corresponds(X509_get0_authority_issuer)] + #[cfg(ossl110)] + pub fn authority_issuer(&self) -> Option> { + unsafe { + let stack = ffi::X509_get0_authority_issuer(self.as_ptr()); + Stack::from_ptr_opt(stack as *mut _) + } + } + + /// Returns this certificate's authority serial number, if it exists. + #[corresponds(X509_get0_authority_serial)] + #[cfg(ossl110)] + pub fn authority_serial(&self) -> Option<&Asn1IntegerRef> { + unsafe { + let r = ffi::X509_get0_authority_serial(self.as_ptr()); + Asn1IntegerRef::from_const_ptr_opt(r) + } + } + #[corresponds(X509_get_pubkey)] pub fn public_key(&self) -> Result, ErrorStack> { unsafe { From e8108cb202dc38b0f272c7df1fee79d0723bc6d8 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Tue, 18 Apr 2023 23:46:11 +0800 Subject: [PATCH 157/209] update cfg flag --- openssl-sys/src/handwritten/x509v3.rs | 14 +++++++------- openssl/src/x509/mod.rs | 8 ++++---- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index fb517df904..08f1648435 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -96,19 +96,19 @@ extern "C" { indent: c_int, ) -> c_int; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get_extension_flags(x: *mut X509) -> u32; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get_key_usage(x: *mut X509) -> u32; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get_extended_key_usage(x: *mut X509) -> u32; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get0_subject_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get0_authority_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get0_authority_issuer(x: *mut X509) -> *const stack_st_GENERAL_NAME; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get0_authority_serial(x: *mut X509) -> *const ASN1_INTEGER; } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 796ee2f09f..d0ca9d3c63 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -485,7 +485,7 @@ impl X509Ref { /// Returns this certificate's subject key id, if it exists. #[corresponds(X509_get0_subject_key_id)] - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn subject_key_id(&self) -> Option<&Asn1StringRef> { unsafe { let data = ffi::X509_get0_subject_key_id(self.as_ptr()); @@ -495,7 +495,7 @@ impl X509Ref { /// Returns this certificate's authority key id, if it exists. #[corresponds(X509_get0_authority_key_id)] - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn authority_key_id(&self) -> Option<&Asn1StringRef> { unsafe { let data = ffi::X509_get0_authority_key_id(self.as_ptr()); @@ -505,7 +505,7 @@ impl X509Ref { /// Returns this certificate's authority issuer name entries, if they exist. #[corresponds(X509_get0_authority_issuer)] - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn authority_issuer(&self) -> Option> { unsafe { let stack = ffi::X509_get0_authority_issuer(self.as_ptr()); @@ -515,7 +515,7 @@ impl X509Ref { /// Returns this certificate's authority serial number, if it exists. #[corresponds(X509_get0_authority_serial)] - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn authority_serial(&self) -> Option<&Asn1IntegerRef> { unsafe { let r = ffi::X509_get0_authority_serial(self.as_ptr()); From eefdcd0435626e3689a18d394769b35798c0bf63 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Fri, 21 Apr 2023 22:18:55 +0800 Subject: [PATCH 158/209] update cfg condition and use new Asn1OctetString --- openssl-sys/src/handwritten/x509v3.rs | 10 +++++----- openssl/src/x509/mod.rs | 12 ++++++------ 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 08f1648435..09a92640b6 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -96,15 +96,15 @@ extern "C" { indent: c_int, ) -> c_int; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get_extension_flags(x: *mut X509) -> u32; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get_key_usage(x: *mut X509) -> u32; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get_extended_key_usage(x: *mut X509) -> u32; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get0_subject_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get0_authority_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; #[cfg(ossl111)] pub fn X509_get0_authority_issuer(x: *mut X509) -> *const stack_st_GENERAL_NAME; diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index d0ca9d3c63..2946ee1e63 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -485,21 +485,21 @@ impl X509Ref { /// Returns this certificate's subject key id, if it exists. #[corresponds(X509_get0_subject_key_id)] - #[cfg(ossl111)] - pub fn subject_key_id(&self) -> Option<&Asn1StringRef> { + #[cfg(ossl110)] + pub fn subject_key_id(&self) -> Option<&Asn1OctetStringRef> { unsafe { let data = ffi::X509_get0_subject_key_id(self.as_ptr()); - Asn1StringRef::from_const_ptr_opt(data as *const _) + Asn1OctetStringRef::from_const_ptr_opt(data) } } /// Returns this certificate's authority key id, if it exists. #[corresponds(X509_get0_authority_key_id)] - #[cfg(ossl111)] - pub fn authority_key_id(&self) -> Option<&Asn1StringRef> { + #[cfg(ossl110)] + pub fn authority_key_id(&self) -> Option<&Asn1OctetStringRef> { unsafe { let data = ffi::X509_get0_authority_key_id(self.as_ptr()); - Asn1StringRef::from_const_ptr_opt(data as *const _) + Asn1OctetStringRef::from_const_ptr_opt(data) } } From ec747f417ed9c18f43498c175ac656edb635b915 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 22 Apr 2023 09:07:52 -0600 Subject: [PATCH 159/209] Don't restrict the Signer lifetime Creating a new EVP_PKEY_CTX uprefs the EVP_PKEY --- openssl/src/sign.rs | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 406bb42e8f..a32f5c9144 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -117,10 +117,10 @@ pub struct Signer<'a> { _p: PhantomData<&'a ()>, } -unsafe impl<'a> Sync for Signer<'a> {} -unsafe impl<'a> Send for Signer<'a> {} +unsafe impl Sync for Signer<'_> {} +unsafe impl Send for Signer<'_> {} -impl<'a> Drop for Signer<'a> { +impl Drop for Signer<'_> { fn drop(&mut self) { // pkey_ctx is owned by the md_ctx, so no need to explicitly free it. unsafe { @@ -130,7 +130,7 @@ impl<'a> Drop for Signer<'a> { } #[allow(clippy::len_without_is_empty)] -impl<'a> Signer<'a> { +impl Signer<'_> { /// Creates a new `Signer`. /// /// This cannot be used with Ed25519 or Ed448 keys. Please refer to @@ -139,7 +139,7 @@ impl<'a> Signer<'a> { /// OpenSSL documentation at [`EVP_DigestSignInit`]. /// /// [`EVP_DigestSignInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html - pub fn new(type_: MessageDigest, pkey: &'a PKeyRef) -> Result, ErrorStack> + pub fn new<'a, T>(type_: MessageDigest, pkey: &PKeyRef) -> Result, ErrorStack> where T: HasPrivate, { @@ -154,16 +154,16 @@ impl<'a> Signer<'a> { /// OpenSSL documentation at [`EVP_DigestSignInit`]. /// /// [`EVP_DigestSignInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html - pub fn new_without_digest(pkey: &'a PKeyRef) -> Result, ErrorStack> + pub fn new_without_digest<'a, T>(pkey: &PKeyRef) -> Result, ErrorStack> where T: HasPrivate, { Self::new_intern(None, pkey) } - fn new_intern( + fn new_intern<'a, T>( type_: Option, - pkey: &'a PKeyRef, + pkey: &PKeyRef, ) -> Result, ErrorStack> where T: HasPrivate, From 3f2e02bbff532f2c6aa28950cfe8dd1108144f5e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 22 Apr 2023 13:42:21 -0600 Subject: [PATCH 160/209] add low level cmac bindings these are deprecated in ossl3, but the only common interface across openssl, libressl, and boring --- openssl-sys/src/handwritten/cmac.rs | 18 ++++++++++++++++++ openssl-sys/src/handwritten/mod.rs | 2 ++ openssl-sys/src/handwritten/types.rs | 2 ++ systest/build.rs | 1 + 4 files changed, 23 insertions(+) create mode 100644 openssl-sys/src/handwritten/cmac.rs diff --git a/openssl-sys/src/handwritten/cmac.rs b/openssl-sys/src/handwritten/cmac.rs new file mode 100644 index 0000000000..e44094d21a --- /dev/null +++ b/openssl-sys/src/handwritten/cmac.rs @@ -0,0 +1,18 @@ +use libc::*; + +use super::super::*; + +extern "C" { + pub fn CMAC_CTX_new() -> *mut CMAC_CTX; + pub fn CMAC_CTX_free(ctx: *mut CMAC_CTX); + pub fn CMAC_Init( + ctx: *mut CMAC_CTX, + key: *const c_void, + len: size_t, + cipher: *const EVP_CIPHER, + impl_: *mut ENGINE, + ) -> c_int; + pub fn CMAC_Update(ctx: *mut CMAC_CTX, data: *const c_void, len: size_t) -> c_int; + pub fn CMAC_Final(ctx: *mut CMAC_CTX, out: *mut c_uchar, len: *mut size_t) -> c_int; + pub fn CMAC_CTX_copy(dst: *mut CMAC_CTX, src: *const CMAC_CTX) -> c_int; +} diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index 28aa4aecd0..9c0f844501 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -2,6 +2,7 @@ pub use self::aes::*; pub use self::asn1::*; pub use self::bio::*; pub use self::bn::*; +pub use self::cmac::*; pub use self::cms::*; pub use self::conf::*; pub use self::crypto::*; @@ -35,6 +36,7 @@ mod aes; mod asn1; mod bio; mod bn; +mod cmac; mod cms; mod conf; mod crypto; diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index 84724f35ef..06354728f2 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -125,6 +125,8 @@ pub enum EVP_PKEY_ASN1_METHOD {} pub enum EVP_PKEY_CTX {} +pub enum CMAC_CTX {} + cfg_if! { if #[cfg(any(ossl110, libressl280))] { pub enum HMAC_CTX {} diff --git a/systest/build.rs b/systest/build.rs index 2efcdfe1bf..6d3ac3a3d3 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -56,6 +56,7 @@ fn main() { .header("openssl/bio.h") .header("openssl/x509v3.h") .header("openssl/safestack.h") + .header("openssl/cmac.h") .header("openssl/hmac.h") .header("openssl/obj_mac.h") .header("openssl/ssl.h") From 0dc14f7ffa279e0b6a29ef35d6ce832da3ca53d1 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 22 Apr 2023 13:53:22 -0600 Subject: [PATCH 161/209] add cmac to bindgen too --- openssl-sys/build/run_bindgen.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 3361786357..4fa9ec66f2 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -12,6 +12,7 @@ const INCLUDES: &str = " #include #include #include +#include #include #include #include From 0257e2611d01127607b724a043642b01adf41706 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 22 Apr 2023 14:45:19 -0600 Subject: [PATCH 162/209] Expose pbkdf2_hmac and scrypt on BoringSSL --- openssl/src/lib.rs | 1 - openssl/src/pkcs5.rs | 26 +++++++++++++++----------- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 7829b79cba..c2c390cc1b 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -165,7 +165,6 @@ pub mod nid; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_OCSP")))] pub mod ocsp; pub mod pkcs12; -#[cfg(not(boringssl))] pub mod pkcs5; #[cfg(not(boringssl))] pub mod pkcs7; diff --git a/openssl/src/pkcs5.rs b/openssl/src/pkcs5.rs index c15ce47761..cd704e8256 100644 --- a/openssl/src/pkcs5.rs +++ b/openssl/src/pkcs5.rs @@ -1,9 +1,13 @@ +#[cfg(not(boringssl))] use libc::c_int; +use std::convert::TryInto; +#[cfg(not(boringssl))] use std::ptr; use crate::cvt; use crate::error::ErrorStack; use crate::hash::MessageDigest; +#[cfg(not(boringssl))] use crate::symm::Cipher; use openssl_macros::corresponds; @@ -25,6 +29,7 @@ pub struct KeyIvPair { /// `pbkdf2_hmac` or another more modern key derivation algorithm. #[corresponds(EVP_BytesToKey)] #[allow(clippy::useless_conversion)] +#[cfg(not(boringssl))] pub fn bytes_to_key( cipher: Cipher, digest: MessageDigest, @@ -91,19 +96,15 @@ pub fn pbkdf2_hmac( key: &mut [u8], ) -> Result<(), ErrorStack> { unsafe { - assert!(pass.len() <= c_int::max_value() as usize); - assert!(salt.len() <= c_int::max_value() as usize); - assert!(key.len() <= c_int::max_value() as usize); - ffi::init(); cvt(ffi::PKCS5_PBKDF2_HMAC( pass.as_ptr() as *const _, - pass.len() as c_int, + pass.len().try_into().unwrap(), salt.as_ptr(), - salt.len() as c_int, - iter as c_int, + salt.len().try_into().unwrap(), + iter.try_into().unwrap(), hash.as_ptr(), - key.len() as c_int, + key.len().try_into().unwrap(), key.as_mut_ptr(), )) .map(|_| ()) @@ -114,7 +115,8 @@ pub fn pbkdf2_hmac( /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PBE_scrypt)] -#[cfg(any(ossl110))] +#[cfg(any(ossl110, boringssl))] +#[allow(clippy::useless_conversion)] pub fn scrypt( pass: &[u8], salt: &[u8], @@ -134,7 +136,7 @@ pub fn scrypt( n, r, p, - maxmem, + maxmem.try_into().unwrap(), key.as_mut_ptr() as *mut _, key.len(), )) @@ -145,6 +147,7 @@ pub fn scrypt( #[cfg(test)] mod tests { use crate::hash::MessageDigest; + #[cfg(not(boringssl))] use crate::symm::Cipher; // Test vectors from @@ -246,6 +249,7 @@ mod tests { } #[test] + #[cfg(not(boringssl))] fn bytes_to_key() { let salt = [16_u8, 34_u8, 19_u8, 23_u8, 141_u8, 4_u8, 207_u8, 221_u8]; @@ -282,7 +286,7 @@ mod tests { } #[test] - #[cfg(any(ossl110))] + #[cfg(any(ossl110, boringssl))] fn scrypt() { let pass = "pleaseletmein"; let salt = "SodiumChloride"; From 8f23c2f6fa527657fa4d98cd6ac808d301d1aae7 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 22 Apr 2023 16:13:48 -0600 Subject: [PATCH 163/209] binding to get fips status for ossl300 --- openssl-sys/src/handwritten/evp.rs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 1a05b7eae3..050d2c88bb 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -65,6 +65,14 @@ cfg_if! { } } +cfg_if! { + if #[cfg(ossl300)] { + extern "C" { + pub fn EVP_default_properties_is_fips_enabled(libctx: *mut OSSL_LIB_CTX) -> c_int; + } + } +} + extern "C" { pub fn EVP_DigestInit_ex(ctx: *mut EVP_MD_CTX, typ: *const EVP_MD, imple: *mut ENGINE) -> c_int; From bdba0d3f39b46dadceeca6b08aef142039ddb949 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Sun, 23 Apr 2023 19:25:27 +0800 Subject: [PATCH 164/209] addi ski and aki tests --- openssl/src/x509/mod.rs | 4 ++-- openssl/src/x509/tests.rs | 26 ++++++++++++++++++++++++++ openssl/test/github.pem | 31 +++++++++++++++++++++++++++++++ 3 files changed, 59 insertions(+), 2 deletions(-) create mode 100644 openssl/test/github.pem diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 2946ee1e63..2753d09124 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -506,10 +506,10 @@ impl X509Ref { /// Returns this certificate's authority issuer name entries, if they exist. #[corresponds(X509_get0_authority_issuer)] #[cfg(ossl111)] - pub fn authority_issuer(&self) -> Option> { + pub fn authority_issuer(&self) -> Option<&StackRef> { unsafe { let stack = ffi::X509_get0_authority_issuer(self.as_ptr()); - Stack::from_ptr_opt(stack as *mut _) + StackRef::from_const_ptr_opt(stack) } } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 4e01d8d8a3..d33f0c0821 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -168,6 +168,32 @@ fn test_subject_alt_name() { assert_eq!(Some("http://www.example.com"), subject_alt_names[4].uri()); } +#[test] +#[cfg(ossl110)] +fn test_subject_key_id() { + let cert = include_bytes!("../../test/github.pem"); + let cert = X509::from_pem(cert).unwrap(); + + let subject_key_id = cert.subject_key_id().unwrap(); + assert_eq!( + subject_key_id.as_slice(), + &b"\xC7\x07\x27\x78\x85\xF2\x9D\x33\xC9\x4C\x5E\x56\x7D\x5C\xD6\x8E\x72\x67\xEB\xDE"[..] + ); +} + +#[test] +#[cfg(ossl110)] +fn test_authority_key_id() { + let cert = include_bytes!("../../test/github.pem"); + let cert = X509::from_pem(cert).unwrap(); + + let subject_key_id = cert.authority_key_id().unwrap(); + assert_eq!( + subject_key_id.as_slice(), + &b"\x0A\xBC\x08\x29\x17\x8C\xA5\x39\x6D\x7A\x0E\xCE\x33\xC7\x2E\xB3\xED\xFB\xC3\x7A"[..] + ); +} + #[test] fn test_subject_alt_name_iter() { let cert = include_bytes!("../../test/alt_name_cert.pem"); diff --git a/openssl/test/github.pem b/openssl/test/github.pem new file mode 100644 index 0000000000..34bcb44322 --- /dev/null +++ b/openssl/test/github.pem @@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFajCCBPGgAwIBAgIQDNCovsYyz+ZF7KCpsIT7HDAKBggqhkjOPQQDAzBWMQsw +CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp +Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjMwMjE0MDAw +MDAwWhcNMjQwMzE0MjM1OTU5WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs +aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEChMMR2l0SHVi +LCBJbmMuMRMwEQYDVQQDEwpnaXRodWIuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0D +AQcDQgAEo6QDRgPfRlFWy8k5qyLN52xZlnqToPu5QByQMog2xgl2nFD1Vfd2Xmgg +nO4i7YMMFTAQQUReMqyQodWq8uVDs6OCA48wggOLMB8GA1UdIwQYMBaAFAq8CCkX +jKU5bXoOzjPHLrPt+8N6MB0GA1UdDgQWBBTHByd4hfKdM8lMXlZ9XNaOcmfr3jAl +BgNVHREEHjAcggpnaXRodWIuY29tgg53d3cuZ2l0aHViLmNvbTAOBgNVHQ8BAf8E +BAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMIGbBgNVHR8EgZMw +gZAwRqBEoEKGQGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5 +YnJpZEVDQ1NIQTM4NDIwMjBDQTEtMS5jcmwwRqBEoEKGQGh0dHA6Ly9jcmw0LmRp +Z2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NIQTM4NDIwMjBDQTEtMS5j +cmwwPgYDVR0gBDcwNTAzBgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3 +dy5kaWdpY2VydC5jb20vQ1BTMIGFBggrBgEFBQcBAQR5MHcwJAYIKwYBBQUHMAGG +GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBPBggrBgEFBQcwAoZDaHR0cDovL2Nh +Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VExTSHlicmlkRUNDU0hBMzg0MjAy +MENBMS0xLmNydDAJBgNVHRMEAjAAMIIBgAYKKwYBBAHWeQIEAgSCAXAEggFsAWoA +dwDuzdBk1dsazsVct520zROiModGfLzs3sNRSFlGcR+1mwAAAYZQ3Rv6AAAEAwBI +MEYCIQDkFq7T4iy6gp+pefJLxpRS7U3gh8xQymmxtI8FdzqU6wIhALWfw/nLD63Q +YPIwG3EFchINvWUfB6mcU0t2lRIEpr8uAHYASLDja9qmRzQP5WoC+p0w6xxSActW +3SyB2bu/qznYhHMAAAGGUN0cKwAABAMARzBFAiAePGAyfiBR9dbhr31N9ZfESC5G +V2uGBTcyTyUENrH3twIhAPwJfsB8A4MmNr2nW+sdE1n2YiCObW+3DTHr2/UR7lvU +AHcAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1yb+H61BcAAAGGUN0cOgAABAMA +SDBGAiEAzOBr9OZ0+6OSZyFTiywN64PysN0FLeLRyL5jmEsYrDYCIQDu0jtgWiMI +KU6CM0dKcqUWLkaFE23c2iWAhYAHqrFRRzAKBggqhkjOPQQDAwNnADBkAjAE3A3U +3jSZCpwfqOHBdlxi9ASgKTU+wg0qw3FqtfQ31OwLYFdxh0MlNk/HwkjRSWgCMFbQ +vMkXEPvNvv4t30K6xtpG26qmZ+6OiISBIIXMljWnsiYR1gyZnTzIg3AQSw4Vmw== +-----END CERTIFICATE----- From 57bd34d614db206703ee2435a3d62cf3a7eb6481 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Sun, 23 Apr 2023 22:39:19 +0800 Subject: [PATCH 165/209] add more tests --- openssl/src/x509/tests.rs | 33 ++++++++++++++++++----- openssl/test/authority_key_identifier.pem | 19 +++++++++++++ openssl/test/github.pem | 31 --------------------- 3 files changed, 46 insertions(+), 37 deletions(-) create mode 100644 openssl/test/authority_key_identifier.pem delete mode 100644 openssl/test/github.pem diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index d33f0c0821..748d70dbba 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -171,29 +171,50 @@ fn test_subject_alt_name() { #[test] #[cfg(ossl110)] fn test_subject_key_id() { - let cert = include_bytes!("../../test/github.pem"); + let cert = include_bytes!("../../test/certv3.pem"); let cert = X509::from_pem(cert).unwrap(); let subject_key_id = cert.subject_key_id().unwrap(); assert_eq!( subject_key_id.as_slice(), - &b"\xC7\x07\x27\x78\x85\xF2\x9D\x33\xC9\x4C\x5E\x56\x7D\x5C\xD6\x8E\x72\x67\xEB\xDE"[..] + &b"\xB6\x73\x2F\x61\xA5\x4B\xA1\xEF\x48\x2C\x15\xB1\x9F\xF3\xDC\x34\x2F\xBC\xAC\x30"[..] ); } #[test] #[cfg(ossl110)] fn test_authority_key_id() { - let cert = include_bytes!("../../test/github.pem"); + let cert = include_bytes!("../../test/certv3.pem"); let cert = X509::from_pem(cert).unwrap(); - let subject_key_id = cert.authority_key_id().unwrap(); + let authority_key_id = cert.authority_key_id().unwrap(); assert_eq!( - subject_key_id.as_slice(), - &b"\x0A\xBC\x08\x29\x17\x8C\xA5\x39\x6D\x7A\x0E\xCE\x33\xC7\x2E\xB3\xED\xFB\xC3\x7A"[..] + authority_key_id.as_slice(), + &b"\x6C\xD3\xA5\x03\xAB\x0D\x5F\x2C\xC9\x8D\x8A\x9C\x88\xA7\x88\x77\xB8\x37\xFD\x9A"[..] ); } +#[test] +fn test_authority_issuer_and_serial() { + let cert = include_bytes!("../../test/authority_key_identifier.pem"); + let cert = X509::from_pem(cert).unwrap(); + + let authority_issuer = cert.authority_issuer().unwrap(); + assert_eq!(1, authority_issuer.len()); + let dn = authority_issuer[0].directory_name().unwrap(); + let mut o = dn.entries_by_nid(Nid::ORGANIZATIONNAME); + let o = o.next().unwrap().data().as_utf8().unwrap(); + assert_eq!(o.as_bytes(), b"PyCA"); + let mut cn = dn.entries_by_nid(Nid::COMMONNAME); + let cn = cn.next().unwrap().data().as_utf8().unwrap(); + assert_eq!(cn.as_bytes(), b"cryptography.io"); + + let authority_serial = cert.authority_serial().unwrap(); + let serial = authority_serial.to_bn().unwrap(); + let expected = BigNum::from_u32(3).unwrap(); + assert_eq!(serial, expected); +} + #[test] fn test_subject_alt_name_iter() { let cert = include_bytes!("../../test/alt_name_cert.pem"); diff --git a/openssl/test/authority_key_identifier.pem b/openssl/test/authority_key_identifier.pem new file mode 100644 index 0000000000..cbe9169fc9 --- /dev/null +++ b/openssl/test/authority_key_identifier.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDIjCCAgqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADApMQ0wCwYDVQQKDARQeUNB +MRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wHhcNMTUwNTAzMDk0OTU2WhcNMTYw +NTAyMDk0OTU2WjApMQ0wCwYDVQQKDARQeUNBMRgwFgYDVQQDDA9jcnlwdG9ncmFw +aHkuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCadi1UZioxdnP +ajqlRZHeKsSxvXXhgrWvlt91P3gV0dBThRFhJsLOhjNLz6PO6KeRbjz9GhTA2hdk +xtIpXrjvTv9dEJ1/k0xebsHWgFC43aTlgekw0U4cMwMe5NGeeg1tfzbJwldIN+cK +vabc08ADlkmM6DMnUArkzA2yii0DErRFMSIGrkDr6E9puord3h6Mh8Jfnc3TDAq8 +Qo1DI2XM7oFSWNfecQ9KbIC5wzzT+7Shoyz7QmCk/XhRzt8Xcfc3yAXIwazvLf8b +YP1auaSG11a5E+w6onj91h8UHKKOXu+rdq5YYPZ+qUYpxA7ZJ/VAGadMulYbXaO8 +Syi39HTpAgMBAAGjVTBTMFEGA1UdIwRKMEiAFDlFPso9Yh3qhkn2WqtAt6RwmPHs +oS2kKzApMQ0wCwYDVQQKDARQeUNBMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW+C +AQMwDQYJKoZIhvcNAQEFBQADggEBAFbZYy6aZJUK/f7nJx2Rs/ht6hMbM32/RoXZ +JGbYapNVqVu/vymcfc/se3FHS5OVmPsnRlo/FIKDn/r5DGl73Sn/FvDJiLJZFucT +msyYuHZ+ZRYWzWmN2fcB3cfxj0s3qps6f5OoCOqoINOSe4HRGlw4X9keZSD+3xAt +vHNwQdlPC7zWbPdrzLT+FqR0e/O81vFJJS6drHJWqPcR3NQVtZw+UF7A/HKwbfeL +Nu2zj6165hzOi9HUxa2/mPr/eLUUV1sTzXp2+TFjt3rVCjW1XnpMLdwNBHzjpyAB +dTOX3iw0+BPy3s2jtnCW1PLpc74kvSTaBwhg74sq39EXfIKax00= +-----END CERTIFICATE----- diff --git a/openssl/test/github.pem b/openssl/test/github.pem deleted file mode 100644 index 34bcb44322..0000000000 --- a/openssl/test/github.pem +++ /dev/null @@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFajCCBPGgAwIBAgIQDNCovsYyz+ZF7KCpsIT7HDAKBggqhkjOPQQDAzBWMQsw -CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp -Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjMwMjE0MDAw -MDAwWhcNMjQwMzE0MjM1OTU5WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs -aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEChMMR2l0SHVi -LCBJbmMuMRMwEQYDVQQDEwpnaXRodWIuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0D -AQcDQgAEo6QDRgPfRlFWy8k5qyLN52xZlnqToPu5QByQMog2xgl2nFD1Vfd2Xmgg -nO4i7YMMFTAQQUReMqyQodWq8uVDs6OCA48wggOLMB8GA1UdIwQYMBaAFAq8CCkX -jKU5bXoOzjPHLrPt+8N6MB0GA1UdDgQWBBTHByd4hfKdM8lMXlZ9XNaOcmfr3jAl -BgNVHREEHjAcggpnaXRodWIuY29tgg53d3cuZ2l0aHViLmNvbTAOBgNVHQ8BAf8E -BAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMIGbBgNVHR8EgZMw -gZAwRqBEoEKGQGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5 -YnJpZEVDQ1NIQTM4NDIwMjBDQTEtMS5jcmwwRqBEoEKGQGh0dHA6Ly9jcmw0LmRp -Z2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NIQTM4NDIwMjBDQTEtMS5j -cmwwPgYDVR0gBDcwNTAzBgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3 -dy5kaWdpY2VydC5jb20vQ1BTMIGFBggrBgEFBQcBAQR5MHcwJAYIKwYBBQUHMAGG -GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBPBggrBgEFBQcwAoZDaHR0cDovL2Nh -Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VExTSHlicmlkRUNDU0hBMzg0MjAy -MENBMS0xLmNydDAJBgNVHRMEAjAAMIIBgAYKKwYBBAHWeQIEAgSCAXAEggFsAWoA -dwDuzdBk1dsazsVct520zROiModGfLzs3sNRSFlGcR+1mwAAAYZQ3Rv6AAAEAwBI -MEYCIQDkFq7T4iy6gp+pefJLxpRS7U3gh8xQymmxtI8FdzqU6wIhALWfw/nLD63Q -YPIwG3EFchINvWUfB6mcU0t2lRIEpr8uAHYASLDja9qmRzQP5WoC+p0w6xxSActW -3SyB2bu/qznYhHMAAAGGUN0cKwAABAMARzBFAiAePGAyfiBR9dbhr31N9ZfESC5G -V2uGBTcyTyUENrH3twIhAPwJfsB8A4MmNr2nW+sdE1n2YiCObW+3DTHr2/UR7lvU -AHcAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1yb+H61BcAAAGGUN0cOgAABAMA -SDBGAiEAzOBr9OZ0+6OSZyFTiywN64PysN0FLeLRyL5jmEsYrDYCIQDu0jtgWiMI -KU6CM0dKcqUWLkaFE23c2iWAhYAHqrFRRzAKBggqhkjOPQQDAwNnADBkAjAE3A3U -3jSZCpwfqOHBdlxi9ASgKTU+wg0qw3FqtfQ31OwLYFdxh0MlNk/HwkjRSWgCMFbQ -vMkXEPvNvv4t30K6xtpG26qmZ+6OiISBIIXMljWnsiYR1gyZnTzIg3AQSw4Vmw== ------END CERTIFICATE----- From c9db15a8ef94f1404b931107f4637cab77f071d6 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Sun, 23 Apr 2023 22:41:58 +0800 Subject: [PATCH 166/209] add missing feature flag --- openssl/src/x509/tests.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 748d70dbba..d4dbf316d2 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -195,6 +195,7 @@ fn test_authority_key_id() { } #[test] +#[cfg(ossl111)] fn test_authority_issuer_and_serial() { let cert = include_bytes!("../../test/authority_key_identifier.pem"); let cert = X509::from_pem(cert).unwrap(); From 5ddf89fcd828890c38c36deff9a6bd58df9ce857 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 24 Apr 2023 15:56:02 -0600 Subject: [PATCH 167/209] changelog and version bumps for openssl and openssl-sys --- openssl-sys/CHANGELOG.md | 14 +++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 12 +++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 27 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 20e599b8ab..324ff1a82a 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,17 @@ ## [Unreleased] +## [v0.9.87] - 2023-04-24 + +### Added + +* Added `DH_CHECK`. +* Added `CMAC_CTX_new`, `CMAC_CTX_free`, `CMAC_Init`, `CMAC_Update`, `CMAC_Final`, and `CMAC_CTX_copy`. +* Added `EVP_default_properties_is_fips_enabled`. +* Added `X509_get0_subject_key_id`, `X509_get0_authority_key_id`, `X509_get0_authority_issuer`, and `X509_get0_authority_serial`. +* Added `NID_poly1305`. + + ## [v0.9.86] - 2023-04-20 ### Fixed @@ -435,7 +446,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87..master +[v0.9.87]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86...openssl-sys-v0.9.87 [v0.9.86]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.86 [v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.84...openssl-sys-v0.9.85 [v0.9.84]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.83...openssl-sys-v0.9.84 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index c5cced2880..811318bbaf 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.86" +version = "0.9.87" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index f4eca89166..c62da00a1b 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,15 @@ ## [Unreleased] +## [v0.10.52] - 2023-04-24 + +### Added + +* Added `DhRef::check_key`. +* Added `Id::POLY1305`. +* Added `X509Ref::subject_key_id`, `X509Ref::authority_key_id`, `X509Ref::authority_issuer`, and `X509Ref::authority_serial`. + + ## [v0.10.51] - 2023-04-20 ### Added @@ -738,7 +747,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...master +[v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...openssl-v0.10.52 [v0.10.51]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...openssl-v0.10.51 [v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 [v0.10.49]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.48...openssl-v0.10.49 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index ba72250c92..addf5cb060 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.51" +version = "0.10.52" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.86", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.87", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 7756ab8a9a0faed77b674f2b44736ec31a726713 Mon Sep 17 00:00:00 2001 From: Naomi Kirby Date: Wed, 26 Apr 2023 14:46:10 -0700 Subject: [PATCH 168/209] Fix link errors for X509_get0_authority_xxx methods on Ubuntu/bionic --- openssl-sys/build/cfgs.rs | 3 +++ openssl-sys/src/handwritten/x509v3.rs | 4 ++-- openssl/src/x509/mod.rs | 4 ++-- openssl/src/x509/tests.rs | 2 +- 4 files changed, 8 insertions(+), 5 deletions(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index 960515f00f..f09ec29b53 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -91,6 +91,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if openssl_version >= 0x1_01_01_03_0 { cfgs.push("ossl111c"); } + if openssl_version >= 0x1_01_01_04_0 { + cfgs.push("ossl111d"); + } } cfgs diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 09a92640b6..7789b629a6 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -106,9 +106,9 @@ extern "C" { pub fn X509_get0_subject_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; #[cfg(ossl110)] pub fn X509_get0_authority_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; - #[cfg(ossl111)] + #[cfg(ossl111d)] pub fn X509_get0_authority_issuer(x: *mut X509) -> *const stack_st_GENERAL_NAME; - #[cfg(ossl111)] + #[cfg(ossl111d)] pub fn X509_get0_authority_serial(x: *mut X509) -> *const ASN1_INTEGER; } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 2753d09124..a8e298bf3f 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -505,7 +505,7 @@ impl X509Ref { /// Returns this certificate's authority issuer name entries, if they exist. #[corresponds(X509_get0_authority_issuer)] - #[cfg(ossl111)] + #[cfg(ossl111d)] pub fn authority_issuer(&self) -> Option<&StackRef> { unsafe { let stack = ffi::X509_get0_authority_issuer(self.as_ptr()); @@ -515,7 +515,7 @@ impl X509Ref { /// Returns this certificate's authority serial number, if it exists. #[corresponds(X509_get0_authority_serial)] - #[cfg(ossl111)] + #[cfg(ossl111d)] pub fn authority_serial(&self) -> Option<&Asn1IntegerRef> { unsafe { let r = ffi::X509_get0_authority_serial(self.as_ptr()); diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index d4dbf316d2..c5ea6accf3 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -195,7 +195,7 @@ fn test_authority_key_id() { } #[test] -#[cfg(ossl111)] +#[cfg(ossl111d)] fn test_authority_issuer_and_serial() { let cert = include_bytes!("../../test/authority_key_identifier.pem"); let cert = X509::from_pem(cert).unwrap(); From 34260b833fe5fc66b8322ce106f0f970cb99a10e Mon Sep 17 00:00:00 2001 From: Naomi Kirby Date: Wed, 26 Apr 2023 15:24:33 -0700 Subject: [PATCH 169/209] Check for OPENSSL_NO_RC4 when using EVP_rc4 --- openssl-sys/build/expando.c | 4 ++++ openssl-sys/src/handwritten/evp.rs | 1 + openssl/src/cipher.rs | 1 + openssl/src/symm.rs | 1 + 4 files changed, 7 insertions(+) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index 11fb04db0c..54681a0b95 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -79,6 +79,10 @@ RUST_CONF_OPENSSL_NO_OCSP RUST_CONF_OPENSSL_NO_PSK #endif +#ifdef OPENSSL_NO_RC4 +RUST_CONF_OPENSSL_NO_RC4 +#endif + #ifdef OPENSSL_NO_RFC3779 RUST_CONF_OPENSSL_NO_RFC3779 #endif diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 050d2c88bb..db018e9a42 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -311,6 +311,7 @@ extern "C" { pub fn EVP_des_ede3_cbc() -> *const EVP_CIPHER; pub fn EVP_des_ede3_cfb64() -> *const EVP_CIPHER; pub fn EVP_des_cbc() -> *const EVP_CIPHER; + #[cfg(not(osslconf = "OPENSSL_NO_RC4"))] pub fn EVP_rc4() -> *const EVP_CIPHER; pub fn EVP_bf_ecb() -> *const EVP_CIPHER; pub fn EVP_bf_cbc() -> *const EVP_CIPHER; diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index aeedf459aa..87f7660cde 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -324,6 +324,7 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_des_ede3_cfb64() as *mut _) } } + #[cfg(not(osslconf = "OPENSSL_NO_RC4"))] pub fn rc4() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_rc4() as *mut _) } } diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 911a7ab2e7..611080805f 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -283,6 +283,7 @@ impl Cipher { unsafe { Cipher(ffi::EVP_des_ede3_cfb64()) } } + #[cfg(not(osslconf = "OPENSSL_NO_RC4"))] pub fn rc4() -> Cipher { unsafe { Cipher(ffi::EVP_rc4()) } } From cd3803ec016258366b56607355f1a63738ddaf2c Mon Sep 17 00:00:00 2001 From: Naomi Kirby Date: Wed, 26 Apr 2023 15:53:11 -0700 Subject: [PATCH 170/209] Fix tests on Ubuntu/bionic too --- openssl-sys/src/handwritten/ssl.rs | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index f179a04ab1..039e2d9116 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -905,9 +905,13 @@ extern "C" { #[cfg(ossl111)] pub fn SSL_set_num_tickets(s: *mut SSL, num_tickets: size_t) -> c_int; - #[cfg(ossl111)] + #[cfg(ossl111b)] pub fn SSL_CTX_get_num_tickets(ctx: *const SSL_CTX) -> size_t; + #[cfg(all(ossl111, not(ossl111b)))] + pub fn SSL_CTX_get_num_tickets(ctx: *mut SSL_CTX) -> size_t; - #[cfg(ossl111)] + #[cfg(ossl111b)] pub fn SSL_get_num_tickets(s: *const SSL) -> size_t; + #[cfg(all(ossl111, not(ossl111b)))] + pub fn SSL_get_num_tickets(s: *mut SSL) -> size_t; } From dd2ce585e469979e70fa5a368bc0ed975ba7d016 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Tue, 2 May 2023 22:39:01 +0800 Subject: [PATCH 171/209] add X509::pathlen --- openssl-sys/src/handwritten/x509v3.rs | 2 ++ openssl/src/x509/mod.rs | 8 ++++++++ openssl/src/x509/tests.rs | 16 ++++++++++++++++ 3 files changed, 26 insertions(+) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 7789b629a6..f92441134e 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -96,6 +96,8 @@ extern "C" { indent: c_int, ) -> c_int; + #[cfg(ossl110)] + pub fn X509_get_pathlen(x: *mut X509) -> c_long; #[cfg(ossl110)] pub fn X509_get_extension_flags(x: *mut X509) -> u32; #[cfg(ossl110)] diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index a8e298bf3f..2b2f8a50d8 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -483,6 +483,14 @@ impl X509Ref { } } + /// Retrieves the path length extension from a certificate, if it exists. + #[corresponds(X509_get_pathlen)] + #[cfg(ossl110)] + pub fn pathlen(&self) -> Option { + let v = unsafe { ffi::X509_get_pathlen(self.as_ptr()) }; + u32::try_from(v).ok() + } + /// Returns this certificate's subject key id, if it exists. #[corresponds(X509_get0_subject_key_id)] #[cfg(ossl110)] diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index c5ea6accf3..a3f3cd8803 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -168,6 +168,22 @@ fn test_subject_alt_name() { assert_eq!(Some("http://www.example.com"), subject_alt_names[4].uri()); } +#[test] +#[cfg(ossl110)] +fn test_retrieve_pathlen() { + let cert = include_bytes!("../../test/root-ca.pem"); + let cert = X509::from_pem(cert).unwrap(); + assert_eq!(cert.pathlen(), None); + + let cert = include_bytes!("../../test/intermediate-ca.pem"); + let cert = X509::from_pem(cert).unwrap(); + assert_eq!(cert.pathlen(), Some(0)); + + let cert = include_bytes!("../../test/alt_name_cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + assert_eq!(cert.pathlen(), None); +} + #[test] #[cfg(ossl110)] fn test_subject_key_id() { From 7e6d518499c98b554ceb2707ed3f7724cd4716f5 Mon Sep 17 00:00:00 2001 From: Louis Hampton Date: Fri, 12 May 2023 10:36:51 +0100 Subject: [PATCH 172/209] Add bindings to SSL_bytes_to_cipher_list --- openssl-sys/src/handwritten/ssl.rs | 9 +++++ openssl/src/ssl/mod.rs | 54 +++++++++++++++++++++++++++++- openssl/src/ssl/test/mod.rs | 3 ++ 3 files changed, 65 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index 039e2d9116..d4f4b619f4 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -648,6 +648,15 @@ extern "C" { num: size_t, readbytes: *mut size_t, ) -> c_int; + #[cfg(ossl111)] + pub fn SSL_bytes_to_cipher_list( + s: *mut SSL, + bytes: *const c_uchar, + len: size_t, + isv2format: c_int, + sk: *mut *mut stack_st_SSL_CIPHER, + scsvs: *mut *mut stack_st_SSL_CIPHER, + ) -> c_int; } extern "C" { diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 5b8775c98c..3bd10052ed 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -72,7 +72,7 @@ use crate::srtp::{SrtpProtectionProfile, SrtpProtectionProfileRef}; use crate::ssl::bio::BioMethod; use crate::ssl::callbacks::*; use crate::ssl::error::InnerError; -use crate::stack::{Stack, StackRef}; +use crate::stack::{Stack, StackRef, Stackable}; use crate::util::{ForeignTypeExt, ForeignTypeRefExt}; use crate::x509::store::{X509Store, X509StoreBuilderRef, X509StoreRef}; #[cfg(any(ossl102, libressl261))] @@ -1940,6 +1940,10 @@ impl ForeignType for SslCipher { } } +impl Stackable for SslCipher { + type StackType = ffi::stack_st_SSL_CIPHER; +} + impl Deref for SslCipher { type Target = SslCipherRef; @@ -2056,6 +2060,19 @@ impl SslCipherRef { } } +impl fmt::Debug for SslCipherRef { + fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result { + write!(fmt, "{}", self.name()) + } +} + +/// A stack of selected ciphers, and a stack of selected signalling cipher suites +#[derive(Debug)] +pub struct CipherLists { + pub suites: Stack, + pub signalling_suites: Stack, +} + foreign_type_and_impl_send_sync! { type CType = ffi::SSL_SESSION; fn drop = ffi::SSL_SESSION_free; @@ -3083,6 +3100,41 @@ impl SslRef { } } + /// Decodes a slice of wire-format cipher suite specification bytes. Unsupported cipher suites + /// are ignored. + /// + /// Requires OpenSSL 1.1.1 or newer. + #[corresponds(SSL_bytes_to_cipher_list)] + #[cfg(ossl111)] + pub fn bytes_to_ciphers_stack( + &self, + bytes: &[u8], + isv2format: bool, + ) -> Result { + unsafe { + let ptr = bytes.as_ptr(); + let len = bytes.len(); + let mut sk = ptr::null_mut(); + let mut scsvs = ptr::null_mut(); + let res = ffi::SSL_bytes_to_cipher_list( + self.as_ptr(), + ptr, + len, + isv2format as c_int, + &mut sk, + &mut scsvs, + ); + if res == 1 { + Ok(CipherLists { + suites: Stack::from_ptr(sk), + signalling_suites: Stack::from_ptr(scsvs), + }) + } else { + Err(ErrorStack::get()) + } + } + } + /// Returns the compression methods field of the client's hello message. /// /// This can only be used inside of the client hello callback. Otherwise, `None` is returned. diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index a34309a7d6..bbad911ca8 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1458,6 +1458,9 @@ fn client_hello() { assert!(ssl.client_hello_session_id().is_some()); assert!(ssl.client_hello_ciphers().is_some()); assert!(ssl.client_hello_compression_methods().is_some()); + assert!(ssl + .bytes_to_ciphers_stack(ssl.client_hello_ciphers().unwrap(), ssl.client_hello_isv2()) + .is_ok()); CALLED_BACK.store(true, Ordering::SeqCst); Ok(ClientHelloResponse::SUCCESS) From da9eeddb05a2fd0d56b1cea16878f501bc987b0f Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 14 May 2023 20:14:24 -0400 Subject: [PATCH 173/209] rename --- openssl/src/ssl/mod.rs | 2 +- openssl/src/ssl/test/mod.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 3bd10052ed..0feaced213 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3106,7 +3106,7 @@ impl SslRef { /// Requires OpenSSL 1.1.1 or newer. #[corresponds(SSL_bytes_to_cipher_list)] #[cfg(ossl111)] - pub fn bytes_to_ciphers_stack( + pub fn bytes_to_cipher_list( &self, bytes: &[u8], isv2format: bool, diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index bbad911ca8..39cc054df2 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1459,7 +1459,7 @@ fn client_hello() { assert!(ssl.client_hello_ciphers().is_some()); assert!(ssl.client_hello_compression_methods().is_some()); assert!(ssl - .bytes_to_ciphers_stack(ssl.client_hello_ciphers().unwrap(), ssl.client_hello_isv2()) + .bytes_to_cipher_list(ssl.client_hello_ciphers().unwrap(), ssl.client_hello_isv2()) .is_ok()); CALLED_BACK.store(true, Ordering::SeqCst); From 0194e3f9decf0820615ce5b70f26433ac15eaba7 Mon Sep 17 00:00:00 2001 From: Andrew Scull Date: Mon, 15 May 2023 21:39:50 +0000 Subject: [PATCH 174/209] Add boringssl hkdf derivation --- openssl/src/pkey.rs | 2 +- openssl/src/pkey_ctx.rs | 21 +++++++++++++++------ 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index cec1c482e1..82a0a9d136 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -86,7 +86,7 @@ impl Id { pub const DH: Id = Id(ffi::EVP_PKEY_DH); pub const EC: Id = Id(ffi::EVP_PKEY_EC); - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); #[cfg(any(ossl111, boringssl, libressl370))] diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index 42289b9f48..aba8a66a32 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -485,7 +485,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set_hkdf_md)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn set_hkdf_md(&mut self, digest: &MdRef) -> Result<(), ErrorStack> { unsafe { @@ -527,10 +527,13 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_key)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn set_hkdf_key(&mut self, key: &[u8]) -> Result<(), ErrorStack> { + #[cfg(not(boringssl))] let len = c_int::try_from(key.len()).unwrap(); + #[cfg(boringssl)] + let len = key.len(); unsafe { cvt(ffi::EVP_PKEY_CTX_set1_hkdf_key( @@ -549,10 +552,13 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_salt)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn set_hkdf_salt(&mut self, salt: &[u8]) -> Result<(), ErrorStack> { + #[cfg(not(boringssl))] let len = c_int::try_from(salt.len()).unwrap(); + #[cfg(boringssl)] + let len = salt.len(); unsafe { cvt(ffi::EVP_PKEY_CTX_set1_hkdf_salt( @@ -571,10 +577,13 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_add1_hkdf_info)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn add_hkdf_info(&mut self, info: &[u8]) -> Result<(), ErrorStack> { + #[cfg(not(boringssl))] let len = c_int::try_from(info.len()).unwrap(); + #[cfg(boringssl)] + let len = info.len(); unsafe { cvt(ffi::EVP_PKEY_CTX_add1_hkdf_info( @@ -632,7 +641,7 @@ mod test { #[cfg(not(boringssl))] use crate::cipher::Cipher; use crate::ec::{EcGroup, EcKey}; - #[cfg(any(ossl102, libressl310))] + #[cfg(any(ossl102, libressl310, boringssl))] use crate::md::Md; use crate::nid::Nid; use crate::pkey::PKey; @@ -717,7 +726,7 @@ mod test { } #[test] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] fn hkdf() { let mut ctx = PkeyCtx::new_id(Id::HKDF).unwrap(); ctx.derive_init().unwrap(); From 56e94e335ce7519b0c5e2ae7e530730a83220d18 Mon Sep 17 00:00:00 2001 From: Felix Huettner Date: Mon, 1 May 2023 21:14:10 +0200 Subject: [PATCH 175/209] add other name support the issue with other name SANs is that they can contain arbitary data. As we can no longer use the old method for other_name for security reasons we now add `other_name2` as an alternative. --- openssl-sys/src/handwritten/asn1.rs | 9 ++++++++ openssl-sys/src/handwritten/x509v3.rs | 5 +++++ openssl/src/asn1.rs | 1 + openssl/src/x509/extension.rs | 23 +++++++++++++++----- openssl/src/x509/mod.rs | 31 +++++++++++++++++++++++++++ openssl/src/x509/tests.rs | 28 ++++++++++++++++++++++++ 6 files changed, 92 insertions(+), 5 deletions(-) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index fa43a7a5c1..16ffcccfe7 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -10,6 +10,7 @@ pub struct ASN1_ENCODING { extern "C" { pub fn ASN1_OBJECT_free(x: *mut ASN1_OBJECT); + pub fn OBJ_dup(x: *const ASN1_OBJECT) -> *mut ASN1_OBJECT; } stack!(stack_st_ASN1_OBJECT); @@ -94,7 +95,14 @@ extern "C" { #[cfg(ossl110)] pub fn ASN1_ENUMERATED_get_int64(pr: *mut i64, a: *const ASN1_ENUMERATED) -> c_int; + pub fn ASN1_TYPE_new() -> *mut ASN1_TYPE; + pub fn ASN1_TYPE_set(a: *mut ASN1_TYPE, type_: c_int, value: *mut c_void); pub fn ASN1_TYPE_free(x: *mut ASN1_TYPE); + pub fn d2i_ASN1_TYPE( + k: *mut *mut ASN1_TYPE, + buf: *mut *const u8, + len: c_long, + ) -> *mut ASN1_TYPE; } const_ptr_api! { @@ -102,5 +110,6 @@ const_ptr_api! { pub fn ASN1_STRING_to_UTF8(out: *mut *mut c_uchar, s: #[const_ptr_if(any(ossl110, libressl280))] ASN1_STRING) -> c_int; pub fn ASN1_STRING_type(x: #[const_ptr_if(any(ossl110, libressl280))] ASN1_STRING) -> c_int; pub fn ASN1_generate_v3(str: #[const_ptr_if(any(ossl110, libressl280))] c_char, cnf: *mut X509V3_CTX) -> *mut ASN1_TYPE; + pub fn i2d_ASN1_TYPE(a: #[const_ptr_if(ossl300)] ASN1_TYPE, pp: *mut *mut c_uchar) -> c_int; } } diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index f92441134e..2ee0452597 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -6,6 +6,11 @@ pub enum CONF_METHOD {} extern "C" { pub fn GENERAL_NAME_new() -> *mut GENERAL_NAME; pub fn GENERAL_NAME_free(name: *mut GENERAL_NAME); + pub fn GENERAL_NAME_set0_othername( + gen: *mut GENERAL_NAME, + oid: *mut ASN1_OBJECT, + value: *mut ASN1_TYPE, + ) -> c_int; } #[repr(C)] diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index d75e05166e..0e720ae0b3 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -655,6 +655,7 @@ impl Asn1OctetStringRef { foreign_type_and_impl_send_sync! { type CType = ffi::ASN1_OBJECT; fn drop = ffi::ASN1_OBJECT_free; + fn clone = ffi::OBJ_dup; /// Object Identifier /// diff --git a/openssl/src/x509/extension.rs b/openssl/src/x509/extension.rs index 075227dec3..11e0151530 100644 --- a/openssl/src/x509/extension.rs +++ b/openssl/src/x509/extension.rs @@ -434,6 +434,7 @@ enum RustGeneralName { Uri(String), Ip(String), Rid(String), + OtherName(Asn1Object, Vec), } /// An extension that allows additional identities to be bound to the subject @@ -506,12 +507,21 @@ impl SubjectAlternativeName { /// Sets the `otherName` flag. /// - /// Not currently actually supported, always panics. - #[deprecated = "other_name is deprecated and always panics. Please file a bug if you have a use case for this."] + /// Not currently actually supported, always panics. Please use other_name2 + #[deprecated = "other_name is deprecated and always panics. Please use other_name2."] pub fn other_name(&mut self, _other_name: &str) -> &mut SubjectAlternativeName { - unimplemented!( - "This has not yet been adapted for the new internals. File a bug if you need this." - ); + unimplemented!("This has not yet been adapted for the new internals. Use other_name2."); + } + + /// Sets the `otherName` flag. + /// + /// `content` must be a valid der encoded ASN1_TYPE + /// + /// If you want to add just a ia5string use `other_name_ia5string` + pub fn other_name2(&mut self, oid: Asn1Object, content: &[u8]) -> &mut SubjectAlternativeName { + self.items + .push(RustGeneralName::OtherName(oid, content.into())); + self } /// Return a `SubjectAlternativeName` extension as an `X509Extension`. @@ -526,6 +536,9 @@ impl SubjectAlternativeName { GeneralName::new_ip(s.parse().map_err(|_| ErrorStack::get())?)? } RustGeneralName::Rid(s) => GeneralName::new_rid(Asn1Object::from_str(s)?)?, + RustGeneralName::OtherName(oid, content) => { + GeneralName::new_other_name(oid.clone(), content)? + } }; stack.push(gn)?; } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 2b2f8a50d8..4325b132e3 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -2054,6 +2054,37 @@ impl GeneralName { Ok(GeneralName::from_ptr(gn)) } } + + pub(crate) fn new_other_name( + oid: Asn1Object, + value: &Vec, + ) -> Result { + unsafe { + ffi::init(); + + let typ = cvt_p(ffi::d2i_ASN1_TYPE( + ptr::null_mut(), + &mut value.as_ptr().cast(), + value.len().try_into().unwrap(), + ))?; + + let gn = cvt_p(ffi::GENERAL_NAME_new())?; + (*gn).type_ = ffi::GEN_OTHERNAME; + + if let Err(e) = cvt(ffi::GENERAL_NAME_set0_othername( + gn, + oid.as_ptr().cast(), + typ, + )) { + ffi::GENERAL_NAME_free(gn); + return Err(e); + } + + mem::forget(oid); + + Ok(GeneralName::from_ptr(gn)) + } + } } impl GeneralNameRef { diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index a3f3cd8803..da3ce2fed2 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -27,6 +27,9 @@ use crate::x509::{CrlReason, X509Builder}; use crate::x509::{ CrlStatus, X509Crl, X509Extension, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509, }; + +#[cfg(ossl110)] +use foreign_types::ForeignType; use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] use libc::time_t; @@ -1105,6 +1108,31 @@ fn ipv6_as_subject_alternative_name_is_formatted_in_debug() { ]); } +#[cfg(ossl110)] +#[test] +fn other_name_as_subject_alternative_name() { + let oid = Asn1Object::from_str("1.3.6.1.5.5.7.8.11").unwrap(); + // this is the hex representation of "test" encoded as a ia5string + let content = [0x16, 0x04, 0x74, 0x65, 0x73, 0x74]; + + let mut builder = X509Builder::new().unwrap(); + let san = SubjectAlternativeName::new() + .other_name2(oid, &content) + .build(&builder.x509v3_context(None, None)) + .unwrap(); + builder.append_extension(san).unwrap(); + let cert = builder.build(); + let general_name = cert + .subject_alt_names() + .into_iter() + .flatten() + .next() + .unwrap(); + unsafe { + assert_eq!((*general_name.as_ptr()).type_, 0); + } +} + #[test] fn test_dist_point() { let cert = include_bytes!("../../test/certv3.pem"); From 8436f088898a7a286fb1af7e552d644d411e95db Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Sat, 27 May 2023 11:30:13 -0400 Subject: [PATCH 176/209] Allow LibreSSL 3.8.0 --- openssl-sys/build/main.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index ba149c17ff..1762068d75 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -285,6 +285,7 @@ See rust-openssl documentation for more information: (3, 7, 0) => ('3', '7', '0'), (3, 7, 1) => ('3', '7', '1'), (3, 7, _) => ('3', '7', 'x'), + (3, 8, 0) => ('3', '8', '0'), _ => version_error(), }; @@ -327,7 +328,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.7.x, but a different version of OpenSSL was found. The build is now aborting +through 3.8.0, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " From e41a13249630a9b3bed7dd84e243bf85f4d2fd4b Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Sat, 27 May 2023 11:31:02 -0400 Subject: [PATCH 177/209] CI: bump LibreSSL --- .github/workflows/ci.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 71deb57ab9..75117ffab8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -181,7 +181,12 @@ jobs: bindgen: true library: name: libressl - version: 3.7.2 + version: 3.7.3 + - target: x86_64-unknown-linux-gnu + bindgen: true + library: + name: libressl + version: 3.8.0 - target: x86_64-unknown-linux-gnu bindgen: false library: @@ -191,7 +196,12 @@ jobs: bindgen: false library: name: libressl - version: 3.7.2 + version: 3.7.3 + - target: x86_64-unknown-linux-gnu + bindgen: false + library: + name: libressl + version: 3.8.0 name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} runs-on: ubuntu-latest env: From b937b66ae6c3c1828c33477f234cdf6fe7f31700 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 28 May 2023 04:46:03 -0500 Subject: [PATCH 178/209] add Dsa with some helper functions DSA is terrible, I'm sorry we have to add this --- openssl/src/dsa.rs | 63 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 62 insertions(+), 1 deletion(-) diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index c550f6548b..d8dcaa9fdb 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -14,7 +14,7 @@ use std::ptr; use crate::bn::{BigNum, BigNumRef}; use crate::error::ErrorStack; -use crate::pkey::{HasParams, HasPrivate, HasPublic, Private, Public}; +use crate::pkey::{HasParams, HasPrivate, HasPublic, Params, Private, Public}; use crate::util::ForeignTypeRefExt; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; @@ -183,6 +183,49 @@ type BitType = libc::c_uint; #[cfg(not(boringssl))] type BitType = c_int; +impl Dsa { + /// Creates a DSA params based upon the given parameters. + #[corresponds(DSA_set0_pqg)] + pub fn from_pqg(p: BigNum, q: BigNum, g: BigNum) -> Result, ErrorStack> { + unsafe { + let dsa = Dsa::from_ptr(cvt_p(ffi::DSA_new())?); + cvt(DSA_set0_pqg(dsa.0, p.as_ptr(), q.as_ptr(), g.as_ptr()))?; + mem::forget((p, q, g)); + Ok(dsa) + } + } + + /// Generates DSA params based on the given number of bits. + #[corresponds(DSA_generate_parameters_ex)] + pub fn generate_params(bits: u32) -> Result, ErrorStack> { + ffi::init(); + unsafe { + let dsa = Dsa::from_ptr(cvt_p(ffi::DSA_new())?); + cvt(ffi::DSA_generate_parameters_ex( + dsa.0, + bits as BitType, + ptr::null(), + 0, + ptr::null_mut(), + ptr::null_mut(), + ptr::null_mut(), + ))?; + Ok(dsa) + } + } + + /// Generates a private key based on the DSA params. + #[corresponds(DSA_generate_key)] + pub fn generate_key(self) -> Result, ErrorStack> { + unsafe { + let dsa_ptr = self.0; + cvt(ffi::DSA_generate_key(dsa_ptr))?; + mem::forget(self); + Ok(Dsa::from_ptr(dsa_ptr)) + } + } +} + impl Dsa { /// Generate a DSA key pair. /// @@ -556,6 +599,24 @@ mod test { assert_eq!(dsa.g(), &BigNum::from_u32(60).unwrap()); } + #[test] + fn test_params() { + let params = Dsa::generate_params(1024).unwrap(); + let p = params.p().to_owned().unwrap(); + let q = params.q().to_owned().unwrap(); + let g = params.g().to_owned().unwrap(); + let key = params.generate_key().unwrap(); + let params2 = Dsa::from_pqg( + key.p().to_owned().unwrap(), + key.q().to_owned().unwrap(), + key.g().to_owned().unwrap(), + ) + .unwrap(); + assert_eq!(p, *params2.p()); + assert_eq!(q, *params2.q()); + assert_eq!(g, *params2.g()); + } + #[test] #[cfg(not(boringssl))] fn test_signature() { From c972e700df5ab3edafc3d966d74eaa99bc9d460a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 28 May 2023 09:18:18 -0500 Subject: [PATCH 179/209] reimplement Dsa::generate in terms of generate_params/generate_key --- openssl/src/dsa.rs | 23 ++--------------------- 1 file changed, 2 insertions(+), 21 deletions(-) diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index d8dcaa9fdb..1f594f28b4 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -229,29 +229,10 @@ impl Dsa { impl Dsa { /// Generate a DSA key pair. /// - /// Calls [`DSA_generate_parameters_ex`] to populate the `p`, `g`, and `q` values. - /// These values are used to generate the key pair with [`DSA_generate_key`]. - /// /// The `bits` parameter corresponds to the length of the prime `p`. - /// - /// [`DSA_generate_parameters_ex`]: https://www.openssl.org/docs/manmaster/crypto/DSA_generate_parameters_ex.html - /// [`DSA_generate_key`]: https://www.openssl.org/docs/manmaster/crypto/DSA_generate_key.html pub fn generate(bits: u32) -> Result, ErrorStack> { - ffi::init(); - unsafe { - let dsa = Dsa::from_ptr(cvt_p(ffi::DSA_new())?); - cvt(ffi::DSA_generate_parameters_ex( - dsa.0, - bits as BitType, - ptr::null(), - 0, - ptr::null_mut(), - ptr::null_mut(), - ptr::null_mut(), - ))?; - cvt(ffi::DSA_generate_key(dsa.0))?; - Ok(dsa) - } + let params = Dsa::generate_params(bits)?; + params.generate_key() } /// Create a DSA key pair with the given parameters From b3cdda01b571535afe596927b59cf4690b47b806 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 May 2023 14:24:25 -0400 Subject: [PATCH 180/209] Added DER serialization for `DSAPrivateKey` --- openssl/src/dsa.rs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index 1f594f28b4..1463ee4115 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -127,6 +127,13 @@ where ffi::PEM_write_bio_DSAPrivateKey } + to_der! { + /// Serializes the private_key to a DER-encoded `DSAPrivateKey` structure. + #[corresponds(i2d_DSAPrivateKey)] + private_key_to_der, + ffi::i2d_DSAPrivateKey + } + /// Returns a reference to the private key component of `self`. #[corresponds(DSA_get0_key)] pub fn priv_key(&self) -> &BigNumRef { From 6a65a2b5138c012f1bc60e947ddc52d20795454a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 30 May 2023 09:01:23 +0800 Subject: [PATCH 181/209] version bump 0.9.88 and 0.10.53 --- openssl-sys/CHANGELOG.md | 15 ++++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 10 +++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 26 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 324ff1a82a..48029f8aab 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,18 @@ ## [Unreleased] +## [v0.9.88] - 2023-05-30 + +### Added + +* Added support for the LibreSSL 3.8.0. +* Added support for detecting `OPENSSL_NO_RC4`. +* Added `OBJ_dup`. +* Added `ASN1_TYPE_new`, `ASN1_TYPE_set`, `d2i_ASN1_TYPE`, and `i2d_ASN1_TYPE`. +* Added `SSL_bytes_to_cipher_list`, `SSL_CTX_get_num_tickets`, and `SSL_get_num_tickets`. +* Added `GENERAL_NAME_set0_othername`. +* Added `X509_get_pathlen`. + ## [v0.9.87] - 2023-04-24 ### Added @@ -446,7 +458,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88..master +[v0.9.88]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87...openssl-sys-v0.9.88 [v0.9.87]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86...openssl-sys-v0.9.87 [v0.9.86]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.86 [v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.84...openssl-sys-v0.9.85 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 811318bbaf..7589a3ca0e 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.87" +version = "0.9.88" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index c62da00a1b..79e0d9c1ff 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,13 @@ ## [Unreleased] +## [v0.10.53] - 2023-05-30 + +### Added + +* Added `Dsa::from_pqg`, `Dsa::generate_key`, and `Dsa::generate_params`. +* Added `SslRef::bytes_to_cipher_list`. + ## [v0.10.52] - 2023-04-24 ### Added @@ -747,7 +754,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...master +[v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 [v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...openssl-v0.10.52 [v0.10.51]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...openssl-v0.10.51 [v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index addf5cb060..e6f5e4d565 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.52" +version = "0.10.53" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.87", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.88", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 7a040da108ced53e227fa48225759f3fce7487e0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 30 May 2023 09:29:45 +0800 Subject: [PATCH 182/209] Update openssl/CHANGELOG.md Co-authored-by: Alex Gaynor --- openssl/CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 79e0d9c1ff..b174156a5a 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -8,6 +8,7 @@ * Added `Dsa::from_pqg`, `Dsa::generate_key`, and `Dsa::generate_params`. * Added `SslRef::bytes_to_cipher_list`. +* Added `SubjectAlternativeName::other_name2` ## [v0.10.52] - 2023-04-24 From b83aec7f30ab295011c23cd6e479abcc69039bbe Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 31 May 2023 13:49:34 -0400 Subject: [PATCH 183/209] Remove converting PKCS#8 passphrase to CString It's not required, there's an explicit length. --- openssl/src/pkey.rs | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 82a0a9d136..af41421768 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -57,7 +57,7 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_int, c_long}; use openssl_macros::corresponds; -use std::convert::TryFrom; +use std::convert::{TryFrom, TryInto}; use std::ffi::CString; use std::fmt; use std::mem; @@ -350,10 +350,6 @@ where /// Serializes a private key into a DER-formatted PKCS#8, using the supplied password to /// encrypt the key. - /// - /// # Panics - /// - /// Panics if `passphrase` contains an embedded null. #[corresponds(i2d_PKCS8PrivateKey_bio)] pub fn private_key_to_pkcs8_passphrase( &self, @@ -362,14 +358,12 @@ where ) -> Result, ErrorStack> { unsafe { let bio = MemBio::new()?; - let len = passphrase.len(); - let passphrase = CString::new(passphrase).unwrap(); cvt(ffi::i2d_PKCS8PrivateKey_bio( bio.as_ptr(), self.as_ptr(), cipher.as_ptr(), passphrase.as_ptr() as *const _ as *mut _, - len as ::libc::c_int, + passphrase.len().try_into().unwrap(), None, ptr::null_mut(), ))?; From 68ff80a935857c3e6a0b99905292e81af600e250 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 31 May 2023 21:31:38 -0400 Subject: [PATCH 184/209] Version bump for openssl v0.10.54 release --- openssl/CHANGELOG.md | 11 +++++++++-- openssl/Cargo.toml | 2 +- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index b174156a5a..29af6ca816 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,12 @@ ## [Unreleased] +## [v0.10.54] - 2023-05-31 + +### Fixed + +* `PKey::private_key_to_pkcs8_passphrase` no longer panics if a `passphrase` contains a NUL byte. + ## [v0.10.53] - 2023-05-30 ### Added @@ -755,8 +761,9 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...master -[v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...master +[v0.10.54]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...openssl-v0.10.54 +[v0.10.53]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 [v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...openssl-v0.10.52 [v0.10.51]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...openssl-v0.10.51 [v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index e6f5e4d565..c4367cd4c6 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.53" +version = "0.10.54" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" From 90d9199f858c0fc887f2a6778bb05f611a0ff456 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 3 Jun 2023 21:36:33 -0400 Subject: [PATCH 185/209] Fix warnings from BoringSSL on Rust 1.70 --- openssl-sys/build/run_bindgen.rs | 8 ++++++++ openssl-sys/src/lib.rs | 1 + 2 files changed, 9 insertions(+) diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 4fa9ec66f2..87b748f23b 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -110,11 +110,15 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { let mut builder = bindgen::builder() .rust_target(RustTarget::Stable_1_47) .ctypes_prefix("::libc") + .raw_line("use libc::*;") .derive_default(false) .enable_function_attribute_detection() .default_macro_constant_type(MacroTypeVariation::Signed) .rustified_enum("point_conversion_form_t") .allowlist_file(".*/openssl/[^/]+\\.h") + .allowlist_recursively(false) + .blocklist_function("BIO_vsnprintf") + .blocklist_function("OPENSSL_vasprintf") .wrap_static_fns(true) .wrap_static_fns_path(out_dir.join("boring_static_wrapper").display().to_string()) .layout_tests(false) @@ -165,11 +169,15 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { .arg(out_dir.join("bindgen.rs")) .arg("--rust-target=1.47") .arg("--ctypes-prefix=::libc") + .arg("--raw-line=use libc::*;") .arg("--no-derive-default") .arg("--enable-function-attribute-detection") .arg("--default-macro-constant-type=signed") .arg("--rustified-enum=point_conversion_form_t") .arg("--allowlist-file=.*/openssl/[^/]+\\.h") + .arg("--no-recursive-allowlist") + .arg("--blocklist-function=BIO_vsnprintf") + .arg("--blocklist-function=OPENSSL_vasprintf") .arg("--experimental") .arg("--wrap-static-fns") .arg("--wrap-static-fns-path") diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index c3084755cc..5a65e8b349 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -10,6 +10,7 @@ overflowing_literals, unused_imports )] +#![cfg_attr(feature = "unstable_boringssl", allow(ambiguous_glob_reexports))] #![doc(html_root_url = "https://docs.rs/openssl-sys/0.9")] #![recursion_limit = "128"] // configure fixed limit across all rust versions From e476f9a08a40c1cde55950f26f1e5203c51d0889 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Sun, 4 Jun 2023 13:15:22 -0400 Subject: [PATCH 186/209] Honor OPENSSL_NO_OCB if OpenSSL was built this way Setting ossl110 in the BoringSSL build (see #1944) causes rust-openssl to expect OCB support. However, OpenSSL already has a feature guard for OCB, which BoringSSL sets. rust-openssl just isn't honoring it. This fixes building against an OpenSSL built with ./config no-ocb --- openssl-sys/build/expando.c | 4 ++++ openssl/src/symm.rs | 14 +++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index 54681a0b95..5d003d9022 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -75,6 +75,10 @@ RUST_CONF_OPENSSL_NO_NEXTPROTONEG RUST_CONF_OPENSSL_NO_OCSP #endif +#ifdef OPENSSL_NO_OCB +RUST_CONF_OPENSSL_NO_OCB +#endif + #ifdef OPENSSL_NO_PSK RUST_CONF_OPENSSL_NO_PSK #endif diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 611080805f..8da341f7f6 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -142,7 +142,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_128_ocb() -> Cipher { unsafe { Cipher(ffi::EVP_aes_128_ocb()) } } @@ -187,7 +187,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_192_ocb() -> Cipher { unsafe { Cipher(ffi::EVP_aes_192_ocb()) } } @@ -237,7 +237,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_256_ocb() -> Cipher { unsafe { Cipher(ffi::EVP_aes_256_ocb()) } } @@ -402,14 +402,14 @@ impl Cipher { } /// Determines whether the cipher is using OCB mode - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] fn is_ocb(self) -> bool { self == Cipher::aes_128_ocb() || self == Cipher::aes_192_ocb() || self == Cipher::aes_256_ocb() } - #[cfg(not(ossl110))] + #[cfg(any(not(ossl110), osslconf = "OPENSSL_NO_OCB"))] const fn is_ocb(self) -> bool { false } @@ -1422,7 +1422,7 @@ mod tests { } #[test] - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] fn test_aes_128_ocb() { let key = "000102030405060708090a0b0c0d0e0f"; let aad = "0001020304050607"; @@ -1458,7 +1458,7 @@ mod tests { } #[test] - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] fn test_aes_128_ocb_fail() { let key = "000102030405060708090a0b0c0d0e0f"; let aad = "0001020304050607"; From 5283d7c994541a99bab9b33f809bd662a5aa47a7 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Sat, 3 Jun 2023 11:44:10 -0400 Subject: [PATCH 187/209] Fix some deprecated patterns when using BoringSSL The RSA and DSA changes will be needed to avoid build breakage soon. The others are mostly tidying up. There's another place around BIO that we'd ideally also switch over, but that depends on resolving the __fixed_rust mess first. This addresses a symptom of #1944, but not the root cause. --- openssl/src/asn1.rs | 2 +- openssl/src/dsa.rs | 5 +++-- openssl/src/ecdsa.rs | 2 +- openssl/src/hash.rs | 2 +- openssl/src/md_ctx.rs | 2 +- openssl/src/rsa.rs | 2 +- 6 files changed, 8 insertions(+), 7 deletions(-) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 0e720ae0b3..801310d411 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -738,7 +738,7 @@ impl fmt::Debug for Asn1ObjectRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::ASN1_STRING_get0_data; } else { #[allow(bad_style)] diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index 1463ee4115..1a63e8ad8f 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -7,6 +7,7 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; +#[cfg(not(boringssl))] use libc::c_int; use std::fmt; use std::mem; @@ -314,7 +315,7 @@ impl fmt::Debug for Dsa { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{DSA_get0_key, DSA_get0_pqg, DSA_set0_key, DSA_set0_pqg}; } else { #[allow(bad_style)] @@ -493,7 +494,7 @@ impl DsaSigRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{DSA_SIG_set0, DSA_SIG_get0}; } else { #[allow(bad_style)] diff --git a/openssl/src/ecdsa.rs b/openssl/src/ecdsa.rs index 0a960e7b9e..f3b27b3953 100644 --- a/openssl/src/ecdsa.rs +++ b/openssl/src/ecdsa.rs @@ -110,7 +110,7 @@ impl EcdsaSigRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{ECDSA_SIG_set0, ECDSA_SIG_get0}; } else { #[allow(bad_style)] diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 37442fb274..52d73deed4 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -43,7 +43,7 @@ use crate::nid::Nid; use crate::{cvt, cvt_p}; cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, boringssl))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; diff --git a/openssl/src/md_ctx.rs b/openssl/src/md_ctx.rs index c4d3f06b94..156f3c2fc9 100644 --- a/openssl/src/md_ctx.rs +++ b/openssl/src/md_ctx.rs @@ -93,7 +93,7 @@ use std::convert::TryFrom; use std::ptr; cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, boringssl))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; diff --git a/openssl/src/rsa.rs b/openssl/src/rsa.rs index 68cf64b036..f155b12dfe 100644 --- a/openssl/src/rsa.rs +++ b/openssl/src/rsa.rs @@ -581,7 +581,7 @@ impl fmt::Debug for Rsa { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{ RSA_get0_key, RSA_get0_factors, RSA_get0_crt_params, RSA_set0_key, RSA_set0_factors, RSA_set0_crt_params, From a3b6cb5fdc7df2754ab9a5d3f4039e469e42d332 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 4 Jun 2023 08:55:49 +0800 Subject: [PATCH 188/209] add get_asn1_flag to EcGroupRef --- openssl-sys/src/handwritten/ec.rs | 2 ++ openssl/src/ec.rs | 13 +++++++++++++ 2 files changed, 15 insertions(+) diff --git a/openssl-sys/src/handwritten/ec.rs b/openssl-sys/src/handwritten/ec.rs index 6ee475f327..ec781a715a 100644 --- a/openssl-sys/src/handwritten/ec.rs +++ b/openssl-sys/src/handwritten/ec.rs @@ -46,6 +46,8 @@ extern "C" { pub fn EC_GROUP_set_asn1_flag(key: *mut EC_GROUP, flag: c_int); + pub fn EC_GROUP_get_asn1_flag(group: *const EC_GROUP) -> c_int; + pub fn EC_GROUP_get_curve_GFp( group: *const EC_GROUP, p: *mut BIGNUM, diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 248ced3e41..55523fee0a 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -294,6 +294,12 @@ impl EcGroupRef { } } + /// Gets the flag determining if the group corresponds to a named curve. + #[corresponds(EC_GROUP_get_asn1_flag)] + pub fn get_asn1_flag(&mut self) -> Asn1Flag { + unsafe { Asn1Flag(ffi::EC_GROUP_get_asn1_flag(self.as_ptr())) } + } + /// Returns the name of the curve, if a name is associated. #[corresponds(EC_GROUP_get_curve_name)] pub fn curve_name(&self) -> Option { @@ -1265,4 +1271,11 @@ mod test { let group2 = EcGroup::from_curve_name(Nid::X9_62_PRIME239V3).unwrap(); assert!(!g.is_on_curve(&group2, &mut ctx).unwrap()); } + + #[test] + fn get_flags() { + let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let flag = group.get_asn1_flag(); + assert_eq!(flag.0, Asn1Flag::NAMED_CURVE.0); + } } From faae7bb9ad7d569e16b7d21295d813dd4672ef07 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 4 Jun 2023 12:33:47 +0800 Subject: [PATCH 189/209] rename and test on openssl 1.1.0+ --- openssl/src/ec.rs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 55523fee0a..d6ef049101 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -296,7 +296,7 @@ impl EcGroupRef { /// Gets the flag determining if the group corresponds to a named curve. #[corresponds(EC_GROUP_get_asn1_flag)] - pub fn get_asn1_flag(&mut self) -> Asn1Flag { + pub fn asn1_flag(&mut self) -> Asn1Flag { unsafe { Asn1Flag(ffi::EC_GROUP_get_asn1_flag(self.as_ptr())) } } @@ -1273,9 +1273,10 @@ mod test { } #[test] - fn get_flags() { + #[cfg(not(any(ossl102, ossl101)))] + fn asn1_flag() { let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); - let flag = group.get_asn1_flag(); + let flag = group.asn1_flag(); assert_eq!(flag.0, Asn1Flag::NAMED_CURVE.0); } } From 38a54607ad8901819fa8292f69757b51ce59e8d9 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 07:08:20 +0800 Subject: [PATCH 190/209] partialeq on asn1flag --- openssl/src/ec.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index d6ef049101..446697f527 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -57,7 +57,7 @@ impl PointConversionForm { /// Named Curve or Explicit /// /// This type acts as a boolean as to whether the `EcGroup` is named or explicit. -#[derive(Copy, Clone)] +#[derive(Copy, Clone, PartialEq)] pub struct Asn1Flag(c_int); impl Asn1Flag { @@ -1277,6 +1277,6 @@ mod test { fn asn1_flag() { let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let flag = group.asn1_flag(); - assert_eq!(flag.0, Asn1Flag::NAMED_CURVE.0); + assert_eq!(flag, Asn1Flag::NAMED_CURVE); } } From 37966b326fd417142f912f18dd67ad3e27bac570 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 07:20:20 +0800 Subject: [PATCH 191/209] fix test target configs, add debug derive --- openssl/src/ec.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 446697f527..22d6d1888d 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -57,7 +57,7 @@ impl PointConversionForm { /// Named Curve or Explicit /// /// This type acts as a boolean as to whether the `EcGroup` is named or explicit. -#[derive(Copy, Clone, PartialEq)] +#[derive(Copy, Clone, Debug, PartialEq)] pub struct Asn1Flag(c_int); impl Asn1Flag { @@ -1273,7 +1273,7 @@ mod test { } #[test] - #[cfg(not(any(ossl102, ossl101)))] + #[cfg(any(boringssl, ossl111, libressl350))] fn asn1_flag() { let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let flag = group.asn1_flag(); From d52ac4e4f08b4d0c4d1b2d181d6baee3f042e972 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 4 Jun 2023 19:42:34 -0400 Subject: [PATCH 192/209] Fixed type mutability on asn1_flag --- openssl/src/ec.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 22d6d1888d..6993e4edda 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -296,7 +296,7 @@ impl EcGroupRef { /// Gets the flag determining if the group corresponds to a named curve. #[corresponds(EC_GROUP_get_asn1_flag)] - pub fn asn1_flag(&mut self) -> Asn1Flag { + pub fn asn1_flag(&self) -> Asn1Flag { unsafe { Asn1Flag(ffi::EC_GROUP_get_asn1_flag(self.as_ptr())) } } From 1b9fba4e782affd312f9c9ad6f80d57eb8a82be1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 4 Jun 2023 19:47:47 -0400 Subject: [PATCH 193/209] Update ec.rs --- openssl/src/ec.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 6993e4edda..5310564ecc 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -1275,7 +1275,7 @@ mod test { #[test] #[cfg(any(boringssl, ossl111, libressl350))] fn asn1_flag() { - let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let flag = group.asn1_flag(); assert_eq!(flag, Asn1Flag::NAMED_CURVE); } From 7b18e903c6c1a0adc09b0eb7ea1876fad70fbe37 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 08:19:17 +0800 Subject: [PATCH 194/209] allow affine_coordinates on boring and libre --- openssl-sys/src/handwritten/ec.rs | 2 +- openssl/src/ec.rs | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl-sys/src/handwritten/ec.rs b/openssl-sys/src/handwritten/ec.rs index ec781a715a..182a5559a3 100644 --- a/openssl-sys/src/handwritten/ec.rs +++ b/openssl-sys/src/handwritten/ec.rs @@ -101,7 +101,7 @@ extern "C" { pub fn EC_POINT_dup(p: *const EC_POINT, group: *const EC_GROUP) -> *mut EC_POINT; - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl, libressl350))] pub fn EC_POINT_get_affine_coordinates( group: *const EC_GROUP, p: *const EC_POINT, diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 5310564ecc..b648aec334 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -491,7 +491,7 @@ impl EcPointRef { /// Places affine coordinates of a curve over a prime field in the provided /// `x` and `y` `BigNum`s. #[corresponds(EC_POINT_get_affine_coordinates)] - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl, libressl350))] pub fn affine_coordinates( &self, group: &EcGroupRef, @@ -1197,7 +1197,7 @@ mod test { assert!(ec_key.check_key().is_ok()); } - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl, libressl350))] #[test] fn get_affine_coordinates() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); From f783cbe145cc084a160e478dfe1fb9dc50dcdcab Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 09:27:04 +0800 Subject: [PATCH 195/209] add support for EVP_PKEY_derive_set_peer_ex in OpenSSL 3 via Deriver::set_peer_ex --- openssl-sys/src/handwritten/evp.rs | 6 +++++ openssl/src/derive.rs | 38 ++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index db018e9a42..4041d8b671 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -522,6 +522,12 @@ extern "C" { pub fn EVP_PKEY_derive_init(ctx: *mut EVP_PKEY_CTX) -> c_int; pub fn EVP_PKEY_derive_set_peer(ctx: *mut EVP_PKEY_CTX, peer: *mut EVP_PKEY) -> c_int; + #[cfg(ossl300)] + pub fn EVP_PKEY_derive_set_peer_ex( + ctx: *mut EVP_PKEY_CTX, + peer: *mut EVP_PKEY, + validate_peer: c_int, + ) -> c_int; pub fn EVP_PKEY_derive(ctx: *mut EVP_PKEY_CTX, key: *mut c_uchar, size: *mut size_t) -> c_int; #[cfg(ossl300)] diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index 5d422f6976..ef1f61424d 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -93,6 +93,30 @@ impl<'a> Deriver<'a> { unsafe { cvt(ffi::EVP_PKEY_derive_set_peer(self.0, key.as_ptr())).map(|_| ()) } } + /// Sets the peer key used for secret derivation along with optionally validating the peer public key. + /// + /// This corresponds to [`EVP_PKEY_derive_set_peer_ex`]: + /// + /// [`EVP_PKEY_derive_set_peer_ex`]: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_derive_set_peer_ex.html + #[cfg(ossl300)] + pub fn set_peer_ex( + &mut self, + key: &'a PKeyRef, + validate_peer: bool, + ) -> Result<(), ErrorStack> + where + T: HasPublic, + { + unsafe { + cvt(ffi::EVP_PKEY_derive_set_peer_ex( + self.0, + key.as_ptr(), + validate_peer as i32, + )) + .map(|_| ()) + } + } + /// Returns the size of the shared secret. /// /// It can be used to size the buffer passed to [`Deriver::derive`]. @@ -179,4 +203,18 @@ mod test { let shared = deriver.derive_to_vec().unwrap(); assert!(!shared.is_empty()); } + + #[test] + #[cfg(ossl300)] + fn test_ec_key_derive_ex() { + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let ec_key = EcKey::generate(&group).unwrap(); + let ec_key2 = EcKey::generate(&group).unwrap(); + let pkey = PKey::from_ec_key(ec_key).unwrap(); + let pkey2 = PKey::from_ec_key(ec_key2).unwrap(); + let mut deriver = Deriver::new(&pkey).unwrap(); + deriver.set_peer_ex(&pkey2, true).unwrap(); + let shared = deriver.derive_to_vec().unwrap(); + assert!(!shared.is_empty()); + } } From 45e4fc23c8a68685ce076ead1ab01f21970633c0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 08:26:57 +0800 Subject: [PATCH 196/209] Update openssl/src/derive.rs Co-authored-by: Steven Fackler --- openssl/src/derive.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index ef1f61424d..e5ecaadbc2 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -95,9 +95,8 @@ impl<'a> Deriver<'a> { /// Sets the peer key used for secret derivation along with optionally validating the peer public key. /// - /// This corresponds to [`EVP_PKEY_derive_set_peer_ex`]: - /// - /// [`EVP_PKEY_derive_set_peer_ex`]: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_derive_set_peer_ex.html + /// Requires OpenSSL 3.0.0 or newer. + #[corresponds(EVP_PKEY_derive_set_peer_ex)] #[cfg(ossl300)] pub fn set_peer_ex( &mut self, From 50ac347ad63974857e57742c8fcebeb6c9e9e59e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 10:07:06 +0800 Subject: [PATCH 197/209] add missing import --- openssl/src/derive.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index e5ecaadbc2..bfb85a6aba 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -56,6 +56,7 @@ use std::ptr; use crate::error::ErrorStack; use crate::pkey::{HasPrivate, HasPublic, PKeyRef}; use crate::{cvt, cvt_p}; +use openssl_macros::corresponds; /// A type used to derive a shared secret between two keys. pub struct Deriver<'a>(*mut ffi::EVP_PKEY_CTX, PhantomData<&'a ()>); From 87f1a1a1e8c5089de2810c358204a1822ea0b1ed Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 10:14:58 +0800 Subject: [PATCH 198/209] add another corresponds to avoid warnings about no use --- openssl/src/derive.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index bfb85a6aba..c62b902161 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -87,6 +87,7 @@ impl<'a> Deriver<'a> { /// This corresponds to [`EVP_PKEY_derive_set_peer`]: /// /// [`EVP_PKEY_derive_set_peer`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html + #[corresponds(EVP_PKEY_derive_set_peer)] pub fn set_peer(&mut self, key: &'a PKeyRef) -> Result<(), ErrorStack> where T: HasPublic, From 2604033874debae65cad42ecef47613f6a147e85 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 10:21:03 +0800 Subject: [PATCH 199/209] remove outdated comment --- openssl/src/derive.rs | 4 ---- 1 file changed, 4 deletions(-) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index c62b902161..424c5f92d7 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -83,10 +83,6 @@ impl<'a> Deriver<'a> { } /// Sets the peer key used for secret derivation. - /// - /// This corresponds to [`EVP_PKEY_derive_set_peer`]: - /// - /// [`EVP_PKEY_derive_set_peer`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html #[corresponds(EVP_PKEY_derive_set_peer)] pub fn set_peer(&mut self, key: &'a PKeyRef) -> Result<(), ErrorStack> where From c2f4d5875aaac9b4748a6734fb20af044d408c7b Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Thu, 8 Jun 2023 12:45:21 -0400 Subject: [PATCH 200/209] Use type-safe wrappers instead of EVP_PKEY_assign In OpenSSL, these are macros, so they didn't get imported by bindgen, but they're proper functions in BoringSSL and we'd prefer callers use those for safety. For OpenSSL, just add the corresponding functions in openssl-sys, matching how rust-openssl handles EVP_PKEY_CTX_ctrl. Using the type-safe wrappers flags that rust-openssl was trying to convert DH to EVP_PKEY, but BoringSSL doesn't actually support this. (DH is a legacy primitive, so we haven't routed it to EVP_PKEY right now.) --- openssl-sys/src/evp.rs | 16 ++++++++++++++++ openssl/src/pkey.rs | 26 ++++++-------------------- 2 files changed, 22 insertions(+), 20 deletions(-) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 72ca2434fc..07fae49eb5 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -285,3 +285,19 @@ pub unsafe fn EVP_PKEY_CTX_add1_hkdf_info( info as *mut c_void, ) } + +pub unsafe fn EVP_PKEY_assign_RSA(pkey: *mut EVP_PKEY, rsa: *mut RSA) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_RSA, rsa as *mut c_void) +} + +pub unsafe fn EVP_PKEY_assign_DSA(pkey: *mut EVP_PKEY, dsa: *mut DSA) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_DSA, dsa as *mut c_void) +} + +pub unsafe fn EVP_PKEY_assign_DH(pkey: *mut EVP_PKEY, dh: *mut DH) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_DH, dh as *mut c_void) +} + +pub unsafe fn EVP_PKEY_assign_EC_KEY(pkey: *mut EVP_PKEY, ec_key: *mut EC_KEY) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_EC, ec_key as *mut c_void) +} diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index af41421768..130024da3d 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -406,11 +406,7 @@ impl PKey { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_RSA, - rsa.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_RSA(pkey.0, rsa.as_ptr()))?; mem::forget(rsa); Ok(pkey) } @@ -422,11 +418,7 @@ impl PKey { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_DSA, - dsa.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_DSA(pkey.0, dsa.as_ptr()))?; mem::forget(dsa); Ok(pkey) } @@ -434,15 +426,12 @@ impl PKey { /// Creates a new `PKey` containing a Diffie-Hellman key. #[corresponds(EVP_PKEY_assign_DH)] + #[cfg(not(boringssl))] pub fn from_dh(dh: Dh) -> Result, ErrorStack> { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_DH, - dh.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_DH(pkey.0, dh.as_ptr()))?; mem::forget(dh); Ok(pkey) } @@ -454,11 +443,7 @@ impl PKey { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_EC, - ec_key.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_EC_KEY(pkey.0, ec_key.as_ptr()))?; mem::forget(ec_key); Ok(pkey) } @@ -861,6 +846,7 @@ impl TryFrom> for Dsa { } } +#[cfg(not(boringssl))] impl TryFrom> for PKey { type Error = ErrorStack; From 7c0f0a79d98608c7570baa25a379e7f312453c06 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Wed, 14 Jun 2023 10:24:00 +0800 Subject: [PATCH 201/209] add NID SM2 --- openssl-sys/src/obj_mac.rs | 2 ++ openssl/src/nid.rs | 2 ++ 2 files changed, 4 insertions(+) diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 22bfccba3f..6ae48834b5 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -935,6 +935,8 @@ pub const NID_ED25519: c_int = 952; #[cfg(ossl111)] pub const NID_ED448: c_int = 1088; #[cfg(ossl111)] +pub const NID_sm2: c_int = 1172; +#[cfg(ossl111)] pub const NID_sm3: c_int = 1143; #[cfg(libressl291)] pub const NID_sm3: c_int = 968; diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index c8c60885f1..91fcdeca9d 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -1074,6 +1074,8 @@ impl Nid { pub const AES_128_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_128_cbc_hmac_sha1); pub const AES_192_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_192_cbc_hmac_sha1); pub const AES_256_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_256_cbc_hmac_sha1); + #[cfg(ossl111)] + pub const SM2: Nid = Nid(ffi::NID_sm2); #[cfg(any(ossl111, libressl291))] pub const SM3: Nid = Nid(ffi::NID_sm3); #[cfg(ossl111)] From 9840b534e0996e39cde8ac5faedf81b68f3d2c3a Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Wed, 14 Jun 2023 10:34:58 +0800 Subject: [PATCH 202/209] add pkey Id SM2 --- openssl-sys/src/evp.rs | 2 ++ openssl/src/pkey.rs | 2 ++ 2 files changed, 4 insertions(+) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 07fae49eb5..56eaa4bbff 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -10,6 +10,8 @@ pub const EVP_PKEY_RSA: c_int = NID_rsaEncryption; pub const EVP_PKEY_DSA: c_int = NID_dsa; pub const EVP_PKEY_DH: c_int = NID_dhKeyAgreement; pub const EVP_PKEY_EC: c_int = NID_X9_62_id_ecPublicKey; +#[cfg(ossl111)] +pub const EVP_PKEY_SM2: c_int = NID_sm2; #[cfg(any(ossl111, libressl370))] pub const EVP_PKEY_X25519: c_int = NID_X25519; #[cfg(any(ossl111, libressl370))] diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 130024da3d..453aeed72f 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -85,6 +85,8 @@ impl Id { pub const DSA: Id = Id(ffi::EVP_PKEY_DSA); pub const DH: Id = Id(ffi::EVP_PKEY_DH); pub const EC: Id = Id(ffi::EVP_PKEY_EC); + #[cfg(ossl111)] + pub const SM2: Id = Id(ffi::EVP_PKEY_SM2); #[cfg(any(ossl110, boringssl))] pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); From fb5ae60cbb1dbbb2e34d47e113b25bc31f4acc37 Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:16:03 +0700 Subject: [PATCH 203/209] clippy: remove unused allow attributes --- openssl-sys/build/cfgs.rs | 1 + openssl-sys/build/main.rs | 9 +-------- openssl-sys/src/lib.rs | 4 ---- 3 files changed, 2 insertions(+), 12 deletions(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index f09ec29b53..2f3ff3eafd 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -1,3 +1,4 @@ +#[allow(clippy::unusual_byte_groupings)] pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<&'static str> { let mut cfgs = vec![]; diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 1762068d75..306482d1a8 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -1,9 +1,3 @@ -#![allow( - clippy::inconsistent_digit_grouping, - clippy::uninlined_format_args, - clippy::unusual_byte_groupings -)] - #[cfg(feature = "bindgen")] extern crate bindgen; extern crate cc; @@ -131,7 +125,6 @@ fn main() { } } -#[allow(clippy::let_and_return)] fn postprocess(include_dirs: &[PathBuf]) -> Version { let version = validate_headers(include_dirs); @@ -146,7 +139,7 @@ fn postprocess(include_dirs: &[PathBuf]) -> Version { /// Validates the header files found in `include_dir` and then returns the /// version string of OpenSSL. -#[allow(clippy::manual_strip)] // we need to support pre-1.45.0 +#[allow(clippy::unusual_byte_groupings)] fn validate_headers(include_dirs: &[PathBuf]) -> Version { // This `*-sys` crate only works with OpenSSL 1.0.1, 1.0.2, 1.1.0, 1.1.1 and 3.0.0. // To correctly expose the right API from this crate, take a look at diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 5a65e8b349..784b7637e1 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -1,13 +1,9 @@ #![allow( clippy::missing_safety_doc, - clippy::unreadable_literal, - clippy::uninlined_format_args, - clippy::upper_case_acronyms, dead_code, non_camel_case_types, non_snake_case, non_upper_case_globals, - overflowing_literals, unused_imports )] #![cfg_attr(feature = "unstable_boringssl", allow(ambiguous_glob_reexports))] From b1e16e927622b8c044f88de802523dead0b0ec5e Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:17:07 +0700 Subject: [PATCH 204/209] clippy: use strip_prefix instead of manually strip --- openssl-sys/build/main.rs | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 306482d1a8..6fb8c3ed82 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -203,17 +203,14 @@ See rust-openssl documentation for more information: let libressl_prefix = "RUST_VERSION_LIBRESSL_"; let boringsl_prefix = "RUST_OPENSSL_IS_BORINGSSL"; let conf_prefix = "RUST_CONF_"; - if line.starts_with(openssl_prefix) { - let version = &line[openssl_prefix.len()..]; + if let Some(version) = line.strip_prefix(openssl_prefix) { openssl_version = Some(parse_version(version)); - } else if line.starts_with(new_openssl_prefix) { - let version = &line[new_openssl_prefix.len()..]; + } else if let Some(version) = line.strip_prefix(new_openssl_prefix) { openssl_version = Some(parse_new_version(version)); - } else if line.starts_with(libressl_prefix) { - let version = &line[libressl_prefix.len()..]; + } else if let Some(version) = line.strip_prefix(libressl_prefix) { libressl_version = Some(parse_version(version)); - } else if line.starts_with(conf_prefix) { - enabled.push(&line[conf_prefix.len()..]); + } else if let Some(conf) = line.strip_prefix(conf_prefix) { + enabled.push(conf); } else if line.starts_with(boringsl_prefix) { is_boringssl = true; } From 8587ff88431fc9ef495eda1b5bcfab4d310ef3cd Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:18:11 +0700 Subject: [PATCH 205/209] chore: use pre-existing clean APIs instead --- openssl-sys/build/main.rs | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 6fb8c3ed82..3359165a33 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -155,9 +155,7 @@ fn validate_headers(include_dirs: &[PathBuf]) -> Version { // account for compile differences and such. println!("cargo:rerun-if-changed=build/expando.c"); let mut gcc = cc::Build::new(); - for include_dir in include_dirs { - gcc.include(include_dir); - } + gcc.includes(include_dirs); let expanded = match gcc.file("build/expando.c").try_expand() { Ok(expanded) => expanded, Err(e) => { @@ -326,18 +324,13 @@ due to this version mismatch. } // parses a string that looks like "0x100020cfL" -#[allow(deprecated)] // trim_right_matches is now trim_end_matches -#[allow(clippy::match_like_matches_macro)] // matches macro requires rust 1.42.0 fn parse_version(version: &str) -> u64 { // cut off the 0x prefix assert!(version.starts_with("0x")); let version = &version[2..]; // and the type specifier suffix - let version = version.trim_right_matches(|c: char| match c { - '0'..='9' | 'a'..='f' | 'A'..='F' => false, - _ => true, - }); + let version = version.trim_end_matches(|c: char| !c.is_ascii_hexdigit()); u64::from_str_radix(version, 16).unwrap() } From 8ab3c3f3a8e6102b734d849132aaeb9728cec669 Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:22:34 +0700 Subject: [PATCH 206/209] update min-version passed to bindgen --- .github/workflows/ci.yml | 1 + openssl-sys/build/run_bindgen.rs | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 75117ffab8..33c352cd2c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -59,6 +59,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + # Remember to also update `--rust-target` in `openssl-sys/build/run_bindgen.rs` - uses: sfackler/actions/rustup@master with: version: 1.56.0 diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 87b748f23b..6743403161 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -167,7 +167,7 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { bindgen_cmd .arg("-o") .arg(out_dir.join("bindgen.rs")) - .arg("--rust-target=1.47") + .arg("--rust-target=1.56") .arg("--ctypes-prefix=::libc") .arg("--raw-line=use libc::*;") .arg("--no-derive-default") From 978435639b0e1a93a953a7f211216c33aaedc450 Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:33:56 +0700 Subject: [PATCH 207/209] chore: simplify cfg attributes --- openssl/src/ssl/mod.rs | 4 ++-- openssl/src/ssl/test/mod.rs | 2 +- openssl/src/symm.rs | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 0feaced213..27e817f307 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -599,7 +599,7 @@ impl AlpnError { /// Terminate the handshake with a fatal alert. /// /// Requires OpenSSL 1.1.0 or newer. - #[cfg(any(ossl110))] + #[cfg(ossl110)] pub const ALERT_FATAL: AlpnError = AlpnError(ffi::SSL_TLSEXT_ERR_ALERT_FATAL); /// Do not select a protocol, but continue the handshake. @@ -2413,7 +2413,7 @@ impl SslRef { /// /// Requires OpenSSL 1.0.1 or 1.0.2. #[corresponds(SSL_set_tmp_ecdh_callback)] - #[cfg(any(all(ossl101, not(ossl110))))] + #[cfg(all(ossl101, not(ossl110)))] #[deprecated(note = "this function leaks memory and does not exist on newer OpenSSL versions")] pub fn set_tmp_ecdh_callback(&mut self, callback: F) where diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 39cc054df2..7707af238f 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -467,7 +467,7 @@ fn test_alpn_server_advertise_multiple() { } #[test] -#[cfg(any(ossl110))] +#[cfg(ossl110)] fn test_alpn_server_select_none_fatal() { let mut server = Server::builder(); server.ctx().set_alpn_select_callback(|_, client| { diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 8da341f7f6..c1dbdfee7b 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -1478,7 +1478,7 @@ mod tests { } #[test] - #[cfg(any(ossl110))] + #[cfg(ossl110)] fn test_chacha20() { let key = "0000000000000000000000000000000000000000000000000000000000000000"; let iv = "00000000000000000000000000000000"; @@ -1493,7 +1493,7 @@ mod tests { } #[test] - #[cfg(any(ossl110))] + #[cfg(ossl110)] fn test_chacha20_poly1305() { let key = "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"; let iv = "070000004041424344454647"; From 155b3dc71700d2ff31651bbc99b991765a718c4e Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 19 Jun 2023 13:10:09 -0400 Subject: [PATCH 208/209] Fix handling of empty host strings --- openssl/src/x509/verify.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index b0e22ef462..e8481c551c 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -120,9 +120,11 @@ impl X509VerifyParamRef { #[corresponds(X509_VERIFY_PARAM_set1_host)] pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> { unsafe { + // len == 0 means "run strlen" :( + let raw_host = if host.is_empty() { "\0" } else { host }; cvt(ffi::X509_VERIFY_PARAM_set1_host( self.as_ptr(), - host.as_ptr() as *const _, + raw_host.as_ptr() as *const _, host.len(), )) .map(|_| ()) From 983b9e210ac27895a39e0ed11a407b7936192313 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 20 Jun 2023 16:25:18 -0400 Subject: [PATCH 209/209] Release openssl v0.10.55 and openssl-sys v0.9.89 --- openssl-sys/CHANGELOG.md | 18 +++++++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 18 +++++++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 37 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 48029f8aab..13c3f32a6c 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,21 @@ ## [Unreleased] +## [v0.9.89] - 2023-06-20 + +### Fixed + +* Fixed compilation with recent versions of BoringSSL. + +### Added + +* Added support for detecting OpenSSL compiled with `OPENSSL_NO_OCB`. +* Added `EVP_PKEY_SM2` and `NID_sm2`. +* Added `EVP_PKEY_assign_RSA`, `EVP_PKEY_assign_DSA`, `EVP_PKEY_assign_DH`, and `EVP_PKEY_assign_EC_KEY`. +* Added `EC_GROUP_get_asn1_flag`. +* Expose `EC_POINT_get_affine_coordinates` on BoringSSL and LibreSSL. +* Added `EVP_PKEY_derive_set_peer_ex`. + ## [v0.9.88] - 2023-05-30 ### Added @@ -458,7 +473,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.89..master +[v0.9.89]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88...openssl-sys-v0.9.89 [v0.9.88]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87...openssl-sys-v0.9.88 [v0.9.87]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86...openssl-sys-v0.9.87 [v0.9.86]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.86 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 7589a3ca0e..0c261c5719 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.88" +version = "0.9.89" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 29af6ca816..a0622ecccd 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,21 @@ ## [Unreleased] +## [v0.10.55] - 2023-06-20 + +### Fixed + +* Fixed compilation with the latest version of BoringSSL. +* Fixed compilation when OpenSSL is compiled with `OPENSSL_NO_OCB`. +* Fixed a segfault in `X509VerifyParamRef::set_host` when called with an empty string. + +### Added + +* Added `Deriver::set_peer_ex`. +* Added `EcGroupRef::asn1_flag`. +* Exposed `EcPointRef::affine_coordinates` on BoringSSL and LibreSSL. +* Added `Nid::SM2` and `Id::SM2` + ## [v0.10.54] - 2023-05-31 ### Fixed @@ -761,7 +776,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...master +[v0.10.55]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...openssl-v0.10.55 [v0.10.54]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...openssl-v0.10.54 [v0.10.53]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 [v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...openssl-v0.10.52 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index c4367cd4c6..956d08cf9e 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.54" +version = "0.10.55" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.88", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.89", path = "../openssl-sys" } [dev-dependencies] hex = "0.3"