diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 212183e2c..6be72d76e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -154,7 +154,7 @@ jobs:
- name: openssl
version: vendored
- name: openssl
- version: 3.4.0-beta1
+ version: 3.4.0
- name: openssl
version: 3.3.0
- name: openssl
@@ -216,7 +216,7 @@ jobs:
name: libressl
version: 4.0.0
name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }}
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04
env:
OPENSSL_DIR: /opt/openssl
CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABIHF_LINKER: arm-linux-gnueabihf-gcc
@@ -248,7 +248,7 @@ jobs:
- uses: actions/cache@v4
with:
path: /opt/openssl
- key: openssl-${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-6
+ key: openssl-${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-7
if: matrix.library.version != 'vendored'
id: openssl-cache
- run: |
diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md
index 641f0d4b7..03b76736e 100644
--- a/openssl-sys/CHANGELOG.md
+++ b/openssl-sys/CHANGELOG.md
@@ -2,6 +2,12 @@
## [Unreleased]
+## [v0.9.105] - 2025-02-02
+
+### Added
+
+* Added `DTLS_server_method` and `DTLS_client_method`.
+
## [v0.9.104] - 2024-10-15
### Added
diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml
index f82dbd3f1..406c793a8 100644
--- a/openssl-sys/Cargo.toml
+++ b/openssl-sys/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "openssl-sys"
-version = "0.9.104"
+version = "0.9.105"
authors = [
"Alex Crichton ",
"Steven Fackler ",
diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs
index cd03888e6..ca9970740 100644
--- a/openssl-sys/build/cfgs.rs
+++ b/openssl-sys/build/cfgs.rs
@@ -68,6 +68,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<&
if libressl_version >= 0x4_00_00_00_0 {
cfgs.push("libressl400");
}
+ if libressl_version >= 0x4_01_00_00_0 {
+ cfgs.push("libressl410");
+ }
} else {
let openssl_version = openssl_version.unwrap();
diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs
index f379e1e6b..e6a3db397 100644
--- a/openssl-sys/build/main.rs
+++ b/openssl-sys/build/main.rs
@@ -103,6 +103,7 @@ fn main() {
println!("cargo:rustc-check-cfg=cfg(libressl382)");
println!("cargo:rustc-check-cfg=cfg(libressl390)");
println!("cargo:rustc-check-cfg=cfg(libressl400)");
+ println!("cargo:rustc-check-cfg=cfg(libressl410)");
println!("cargo:rustc-check-cfg=cfg(ossl101)");
println!("cargo:rustc-check-cfg=cfg(ossl102)");
diff --git a/openssl-sys/src/handwritten/ec.rs b/openssl-sys/src/handwritten/ec.rs
index f199bc891..19d93a55e 100644
--- a/openssl-sys/src/handwritten/ec.rs
+++ b/openssl-sys/src/handwritten/ec.rs
@@ -9,6 +9,7 @@ pub enum point_conversion_form_t {
POINT_CONVERSION_HYBRID = 6,
}
+#[cfg(not(libressl410))]
pub enum EC_METHOD {}
pub enum EC_GROUP {}
pub enum EC_POINT {}
@@ -17,6 +18,7 @@ extern "C" {
#[cfg(not(osslconf = "OPENSSL_NO_EC2M"))]
pub fn EC_GF2m_simple_method() -> *const EC_METHOD;
+ #[cfg(not(libressl410))]
pub fn EC_GROUP_new(meth: *const EC_METHOD) -> *mut EC_GROUP;
pub fn EC_GROUP_free(group: *mut EC_GROUP);
diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs
index b86a54cbe..163c75aed 100644
--- a/openssl-sys/src/handwritten/ssl.rs
+++ b/openssl-sys/src/handwritten/ssl.rs
@@ -701,6 +701,10 @@ cfg_if! {
pub fn TLS_server_method() -> *const SSL_METHOD;
pub fn TLS_client_method() -> *const SSL_METHOD;
+
+ pub fn DTLS_server_method() -> *const SSL_METHOD;
+
+ pub fn DTLS_client_method() -> *const SSL_METHOD;
}
} else {
extern "C" {
diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md
index bc314c2ed..e69b26570 100644
--- a/openssl/CHANGELOG.md
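Review bot: The `EC_GF2m_simple_method() -> *const EC_METHOD` declaration shown as context just above the new `#[cfg(not(libressl410))]` keeps its EC2M-only gate, so once `EC_METHOD` is compiled out for libressl410 this block builds only if that configuration also reports `osslconf = "OPENSSL_NO_EC2M"` — the commit relies on that without stating it. Making the dependency explicit guards against a silent break if the EC2M detection ever changes: `#[cfg(all(not(osslconf = "OPENSSL_NO_EC2M"), not(libressl410)))]`, or at least a comment on the new attribute noting that the `EC_METHOD` type removed under libressl410 is also referenced by `EC_GF2m_simple_method`. The same consideration applies to the `#[cfg(not(libressl410))]` added on `pub enum EC_METHOD {}` in the previous hunk of this file. The enclosing `extern "C"` block starts outside the hunk.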
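Review bot: The two new `DTLS_server_method` and `DTLS_client_method` declarations sit in a `cfg_if!` branch whose condition is outside the hunk, so it is not visible here which libraries they are compiled for, and a symbol missing from an `extern "C"` block only surfaces at link time. The `openssl` crate in this same commit gates its wrappers on `any(boringssl, ossl110, libressl291)`; confirm that every library selected by this branch exports both functions. A one-line comment on the new declarations, `// Consumed by SslMethod::dtls_client / dtls_server in the openssl crate`, would record why they were added here.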
+++ b/openssl/CHANGELOG.md
@@ -2,6 +2,16 @@
## [Unreleased]
+## [v0.10.70] - 2025-02-02
+
+### Fixed
+
+* Fixed improper lifetime constraints in `ssl::select_next_proto` that allowed a use after free.
+
+### Added
+
+* Added `SslMethod::dtls_client` and `SslMethod::dtls_server`.
+
## [v0.10.69] - 2025-01-25
### Fixed
diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml
index 43cef06d2..d3a3f45c1 100644
--- a/openssl/Cargo.toml
+++ b/openssl/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "openssl"
-version = "0.10.69"
+version = "0.10.70"
authors = ["Steven Fackler "]
license = "Apache-2.0"
description = "OpenSSL bindings"
@@ -31,7 +31,7 @@
libc = "0.2"
once_cell = "1.5.2"
openssl-macros = { version = "0.1.1", path = "../openssl-macros" }
-ffi = { package = "openssl-sys", version = "0.9.104", path = "../openssl-sys" }
+ffi = { package = "openssl-sys", version = "0.9.105", path = "../openssl-sys" }
[dev-dependencies]
hex = "0.4"
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
index c341642a2..e15c48b6d 100644
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@@ -364,6 +364,20 @@ impl SslMethod {
unsafe { SslMethod(TLS_server_method()) }
}
+ /// Support all versions of the DTLS protocol, explicitly as a client.
+ #[corresponds(DTLS_client_method)]
+ #[cfg(any(boringssl, ossl110, libressl291))]
+ pub fn dtls_client() -> SslMethod {
+ unsafe { SslMethod(DTLS_client_method()) }
+ }
+
+ /// Support all versions of the DTLS protocol, explicitly as a server.
+ #[corresponds(DTLS_server_method)]
+ #[cfg(any(boringssl, ossl110, libressl291))]
+ pub fn dtls_server() -> SslMethod {
+ unsafe { SslMethod(DTLS_server_method()) }
+ }
+
/// Constructs an `SslMethod` from a pointer to the underlying OpenSSL value.
///
/// # Safety
@@ -695,7 +709,7 @@ cfg_if! {
///
/// [`SslContextBuilder::set_alpn_protos`]: struct.SslContextBuilder.html#method.set_alpn_protos
#[corresponds(SSL_select_next_proto)]
-pub fn select_next_proto<'a>(server: &[u8], client: &'a [u8]) -> Option<&'a [u8]> {
+pub fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> {
unsafe {
let mut out = ptr::null_mut();
let mut outlen = 0;
@@ -4288,7 +4302,7 @@ cfg_if! {
}
cfg_if! {
if #[cfg(any(boringssl, ossl110, libressl291))] {
- use ffi::{TLS_method, DTLS_method, TLS_client_method, TLS_server_method};
+ use ffi::{TLS_method, DTLS_method, TLS_client_method, TLS_server_method, DTLS_server_method, DTLS_client_method};
} else {
use ffi::{
SSLv23_method as TLS_method, DTLSv1_method as DTLS_method, SSLv23_client_method as TLS_client_method,
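Review bot: The new signature ties `server` to `'a` but nothing in the doc comment says why; a reader seeing both parameters share a lifetime has no hint that the returned slice can point into `server` as well as `client`, which is presumably what the changelog's use-after-free entry refers to, and a later "cleanup" could undo the fix. Add a sentence to the doc comment above the function, e.g. `/// The returned slice borrows from either `server` or `client`, so both must outlive it.`, and consider a `// SAFETY:` line inside the `unsafe` block stating that the pointer written to `out` is only ever dereferenced while both inputs are alive. The body of `select_next_proto`, including how the no-overlap return value is handled, continues outside the hunk.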
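Review bot: The extended `use ffi::{...}` line in the `cfg_if!` branch now runs well past 100 columns, and rustfmt does not reflow macro bodies, so it will stay that way; the `else` branch directly below already uses the multi-line form. Matching it keeps the two branches readable side by side: `use ffi::{` / `    DTLS_client_method, DTLS_method, DTLS_server_method, TLS_client_method, TLS_method, TLS_server_method,` / `};`. The `cfg_if!` block continues outside the hunk.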