From ddd04786155e7c3855e5c3f4303a7d2b8c908d76 Mon Sep 17 00:00:00 2001 From: Alexis Mousset Date: Mon, 17 Jul 2023 01:28:15 +0200 Subject: [PATCH 01/37] Update vendored openssl to version 3.1 --- openssl-sys/Cargo.toml | 2 +- openssl-sys/build/main.rs | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 9b102fa8dc..f49afa42fe 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -25,7 +25,7 @@ bssl-sys = { version = "0.1.0", optional = true } [build-dependencies] bindgen = { version = "0.64.0", optional = true, features = ["experimental"] } cc = "1.0.61" -openssl-src = { version = "111", optional = true } +openssl-src = { version = "300.1.2", optional = true, features = ["legacy"] } pkg-config = "0.3.9" vcpkg = "0.2.8" diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 21ccf3d037..7122b48627 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -115,6 +115,16 @@ fn main() { println!("cargo:rustc-link-lib={}={}", kind, lib); } + // https://github.com/openssl/openssl/pull/15086 + if version == Version::Openssl3xx + && kind == "static" + && (env::var("CARGO_CFG_TARGET_OS").unwrap() == "linux" + || env::var("CARGO_CFG_TARGET_OS").unwrap() == "android") + && env::var("CARGO_CFG_TARGET_POINTER_WIDTH").unwrap() == "32" + { + println!("cargo:rustc-link-lib=dylib=atomic"); + } + if kind == "static" && target.contains("windows") { println!("cargo:rustc-link-lib=dylib=gdi32"); println!("cargo:rustc-link-lib=dylib=user32"); From cc8eced7e2cbb0391b3a32fc7f9e1bf3bf3ad8e0 Mon Sep 17 00:00:00 2001 From: Geoff Thomas Date: Tue, 25 Jul 2023 14:26:43 +0100 Subject: [PATCH 02/37] Add support for CRL extensions and the Authority Information Access extension --- openssl/src/x509/mod.rs | 41 +++++++++++++++++++++++++++++++ openssl/src/x509/tests.rs | 13 +++++++++- openssl/test/entry_extensions.crl | 17 +++++++------ 3 files changed, 62 insertions(+), 9 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 4325b132e3..2ebfb4376a 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1746,6 +1746,17 @@ unsafe impl ExtensionType for CertificateIssuer { type Output = Stack; } +/// The CRL extension identifying how to access information and services for the issuer of the CRL +pub enum AuthorityInformationAccess {} + +// SAFETY: AuthorityInformationAccess is defined to be a stack of AccessDescription in the RFC +// and in OpenSSL. +unsafe impl ExtensionType for AuthorityInformationAccess { + const NID: Nid = Nid::from_raw(ffi::NID_info_access); + + type Output = Stack; +} + foreign_type_and_impl_send_sync! { type CType = ffi::X509_CRL; fn drop = ffi::X509_CRL_free; @@ -1915,6 +1926,36 @@ impl X509CrlRef { { unsafe { cvt_n(ffi::X509_CRL_verify(self.as_ptr(), key.as_ptr())).map(|n| n != 0) } } + + /// Get the criticality and value of an extension. + /// + /// This returns None if the extension is not present or occurs multiple times. + #[corresponds(X509_CRL_get_ext_d2i)] + pub fn extension(&self) -> Result, ErrorStack> { + let mut critical = -1; + let out = unsafe { + // SAFETY: self.as_ptr() is a valid pointer to an X509_CRL. + let ext = ffi::X509_CRL_get_ext_d2i( + self.as_ptr(), + T::NID.as_raw(), + &mut critical as *mut _, + ptr::null_mut(), + ); + // SAFETY: Extensions's contract promises that the type returned by + // OpenSSL here is T::Output. + T::Output::from_ptr_opt(ext as *mut _) + }; + match (critical, out) { + (0, Some(out)) => Ok(Some((false, out))), + (1, Some(out)) => Ok(Some((true, out))), + // -1 means the extension wasn't found, -2 means multiple were found. + (-1 | -2, _) => Ok(None), + // A critical value of 0 or 1 suggests success, but a null pointer + // was returned so something went wrong. + (0 | 1, None) => Err(ErrorStack::get()), + (c_int::MIN..=-2 | 2.., _) => panic!("OpenSSL should only return -2, -1, 0, or 1 for an extension's criticality but it returned {}", critical), + } + } } /// The result of peer certificate verification. diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index da3ce2fed2..69a9ca5cc4 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -34,7 +34,7 @@ use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] use libc::time_t; -use super::{CertificateIssuer, ReasonCode}; +use super::{AuthorityInformationAccess, CertificateIssuer, ReasonCode}; fn pkey() -> PKey { let rsa = Rsa::generate(2048).unwrap(); @@ -701,6 +701,17 @@ fn test_crl_entry_extensions() { let crl = include_bytes!("../../test/entry_extensions.crl"); let crl = X509Crl::from_pem(crl).unwrap(); + let (critical, access_info) = crl + .extension::() + .unwrap() + .expect("Authority Information Access extension should be present"); + assert!(!critical, "Authority Information Access extension is not critical"); + assert_eq!(access_info.len(), 1, "Authority Information Access should have one entry"); + assert_eq!(access_info[0].method().to_string(), "CA Issuers"); + assert_eq!( + access_info[0].location().uri(), + Some("http://www.example.com/ca.crt") + ); let revoked_certs = crl.get_revoked().unwrap(); let entry = &revoked_certs[0]; diff --git a/openssl/test/entry_extensions.crl b/openssl/test/entry_extensions.crl index 9654171cf1..5b0ee298ed 100644 --- a/openssl/test/entry_extensions.crl +++ b/openssl/test/entry_extensions.crl @@ -1,10 +1,11 @@ -----BEGIN X509 CRL----- -MIIBXDCCAQICAQEwCgYIKoZIzj0EAwIwETEPMA0GA1UEAwwGQ1JMIENBFw0yMzAz -MjgwOTQ5MThaFw0yMzA0MDQwOTUwMDdaMIGAMH4CFE+Y95/1pOqa6c9fUEJ8c04k -xu2PFw0yMzAzMjgwOTQ3MzNaMFcwLwYDVR0dAQH/BCUwI6QhMB8xCzAJBgNVBAYT -AkdCMRAwDgYDVQQDDAdUZXN0IENBMAoGA1UdFQQDCgEBMBgGA1UdGAQRGA8yMDIz -MDMyODA5NDQ0MFqgPTA7MB8GA1UdIwQYMBaAFNX1GZ0RWuC+4gz1wuy5H32T2W+R -MAoGA1UdFAQDAgEUMAwGA1UdHAQFMAOEAf8wCgYIKoZIzj0EAwIDSAAwRQIgbl7x -W+WVAb+zlvKcJLmHVuC+gbqR4jqwGIHHgQl2J8kCIQCo/sAF5sDqy/cL+fbzBeUe -YoY2h6lIkj9ENwU8ZCt03w== +MIIBojCCAUkCAQEwCgYIKoZIzj0EAwIwHTEbMBkGA1UEAwwSY3J5cHRvZ3JhcGh5 +LmlvIENBFw0yMzA3MjUxNDA1MzlaFw0yMzA4MDExNDA1MzlaMIGAMH4CFE+Y95/1 +pOqa6c9fUEJ8c04kxu2PFw0yMzA3MjUxNDA1MzlaMFcwLwYDVR0dAQH/BCUwI6Qh +MB8xCzAJBgNVBAYTAkdCMRAwDgYDVQQDDAdUZXN0IENBMAoGA1UdFQQDCgEBMBgG +A1UdGAQRGA8yMDIzMDcyNTE0MDUzOVqgeDB2MB8GA1UdIwQYMBaAFK6qKNgsGefh +XexO9WsIwiQ/73R8MAoGA1UdFAQDAgEUMAwGA1UdHAQFMAOEAf8wOQYIKwYBBQUH +AQEELTArMCkGCCsGAQUFBzAChh1odHRwOi8vd3d3LmV4YW1wbGUuY29tL2NhLmNy +dDAKBggqhkjOPQQDAgNHADBEAiB22SXxFnQUB41uxfyCvg2dAs2nFiR0r8jft/cd +G8zcKAIgeYkNOzRn4lyopK6J94rhm8jIIuJRj3Ns9XcH+91N370= -----END X509 CRL----- From c63efb942cc0bf67358d5d8b36097a7eff7176d8 Mon Sep 17 00:00:00 2001 From: Geoff Thomas Date: Tue, 25 Jul 2023 15:14:55 +0100 Subject: [PATCH 03/37] cargo fmt --- openssl/src/x509/tests.rs | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 69a9ca5cc4..a4a3de970c 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -705,8 +705,15 @@ fn test_crl_entry_extensions() { .extension::() .unwrap() .expect("Authority Information Access extension should be present"); - assert!(!critical, "Authority Information Access extension is not critical"); - assert_eq!(access_info.len(), 1, "Authority Information Access should have one entry"); + assert!( + !critical, + "Authority Information Access extension is not critical" + ); + assert_eq!( + access_info.len(), + 1, + "Authority Information Access should have one entry" + ); assert_eq!(access_info[0].method().to_string(), "CA Issuers"); assert_eq!( access_info[0].location().uri(), From fc1ca1f6c7251e79e51284d10bb2310eda7f9355 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 1 Sep 2023 08:51:22 -0400 Subject: [PATCH 04/37] LibreSSL 3.8.1 support --- .github/workflows/ci.yml | 2 +- openssl-sys/build/cfgs.rs | 3 +++ openssl-sys/build/main.rs | 5 +++-- openssl-sys/src/crypto.rs | 2 +- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dcdd28f32a..196f41f450 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -202,7 +202,7 @@ jobs: bindgen: false library: name: libressl - version: 3.8.0 + version: 3.8.1 name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} runs-on: ubuntu-latest env: diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index 2f3ff3eafd..34a58f7d68 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -53,6 +53,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x3_07_00_00_0 { cfgs.push("libressl370"); } + if libressl_version >= 0x3_08_01_00_0 { + cfgs.push("libressl381"); + } } else { let openssl_version = openssl_version.unwrap(); diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 21ccf3d037..82013b6c7d 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -273,6 +273,7 @@ See rust-openssl documentation for more information: (3, 7, 1) => ('3', '7', '1'), (3, 7, _) => ('3', '7', 'x'), (3, 8, 0) => ('3', '8', '0'), + (3, 8, 1) => ('3', '8', '1'), _ => version_error(), }; @@ -314,8 +315,8 @@ fn version_error() -> ! { panic!( " -This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.8.0, but a different version of OpenSSL was found. The build is now aborting +This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3), or LibreSSL 2.5 +through 3.8.1, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " diff --git a/openssl-sys/src/crypto.rs b/openssl-sys/src/crypto.rs index 35be07eada..bdc0add156 100644 --- a/openssl-sys/src/crypto.rs +++ b/openssl-sys/src/crypto.rs @@ -106,7 +106,7 @@ pub const CRYPTO_LOCK_SSL_CTX: c_int = 12; pub const CRYPTO_LOCK_SSL_SESSION: c_int = 14; cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, libressl381))] { pub const CRYPTO_EX_INDEX_SSL: c_int = 0; pub const CRYPTO_EX_INDEX_SSL_CTX: c_int = 1; } else if #[cfg(libressl)] { From 6b3b9fc039d45446c8308aceeee8dfc5e3ff69fa Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 4 Sep 2023 16:04:07 -0400 Subject: [PATCH 05/37] Release openssl-sys v0.9.93 --- openssl-sys/CHANGELOG.md | 13 ++++++++++++- openssl-sys/Cargo.toml | 2 +- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 9166bd5aca..8d2a65574b 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,16 @@ ## [Unreleased] +## [v0.9.93] - 2023-09-04 + +### Changed + +* The `vendored` Cargo feature now builds OpenSSL 3.1, as 1.1.1 is reaching its EOL. + +### Added + +* Added support for LibreSSL 3.8.1. + ## [v0.9.92] - 2023-08-27 ### Added @@ -498,7 +508,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.92..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.93..master +[v0.9.93]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.92...openssl-sys-v0.9.93 [v0.9.92]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.91...openssl-sys-v0.9.92 [v0.9.91]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.90...openssl-sys-v0.9.91 [v0.9.90]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.89...openssl-sys-v0.9.90 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 885f105832..44fc45a71b 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.92" +version = "0.9.93" authors = [ "Alex Crichton ", "Steven Fackler ", From d27ab95cdca2e05275b78158bbb222009a24c290 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Fri, 8 Sep 2023 16:44:47 -0400 Subject: [PATCH 06/37] Test against 3.2.0-alpha1 --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 196f41f450..54e7fd2e84 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -157,6 +157,9 @@ jobs: version: bcecc7d834fc44ad257b2f23f88e1cf597ab2736 - name: openssl version: vendored + - name: openssl + version: 3.2.0-alpha1 + dl-path: / - name: openssl version: 3.1.2 dl-path: / From efefb22d15034e270fbebd91cb29b1ca156a6da3 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Fri, 8 Sep 2023 18:53:50 -0400 Subject: [PATCH 07/37] Fix const --- openssl-sys/build/cfgs.rs | 3 +++ openssl-sys/src/x509v3.rs | 10 +++++++++- openssl/build.rs | 3 +++ openssl/src/x509/mod.rs | 2 ++ 4 files changed, 17 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index 34a58f7d68..8ee6f62373 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -59,6 +59,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& } else { let openssl_version = openssl_version.unwrap(); + if openssl_version >= 0x3_02_00_00_0 { + cfgs.push("ossl320"); + } if openssl_version >= 0x3_00_00_00_0 { cfgs.push("ossl300"); } diff --git a/openssl-sys/src/x509v3.rs b/openssl-sys/src/x509v3.rs index d2ff53489e..230dea1736 100644 --- a/openssl-sys/src/x509v3.rs +++ b/openssl-sys/src/x509v3.rs @@ -89,8 +89,16 @@ pub const X509_PURPOSE_CRL_SIGN: c_int = 6; pub const X509_PURPOSE_ANY: c_int = 7; pub const X509_PURPOSE_OCSP_HELPER: c_int = 8; pub const X509_PURPOSE_TIMESTAMP_SIGN: c_int = 9; +#[cfg(ossl320)] +pub const X509_PURPOSE_CODE_SIGN: c_int = 10; pub const X509_PURPOSE_MIN: c_int = 1; -pub const X509_PURPOSE_MAX: c_int = 9; +cfg_if! { + if #[cfg(ossl320)] { + pub const X509_PURPOSE_MAX: c_int = 10; + } else { + pub const X509_PURPOSE_MAX: c_int = 9; + } +} pub const CRL_REASON_UNSPECIFIED: c_int = 0; pub const CRL_REASON_KEY_COMPROMISE: c_int = 1; diff --git a/openssl/build.rs b/openssl/build.rs index 0a974b33e6..d5a7ac4039 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -102,6 +102,9 @@ fn main() { if version >= 0x3_01_00_00_0 { println!("cargo:rustc-cfg=ossl310"); } + if version >= 0x3_02_00_00_0 { + println!("cargo:rustc-cfg=ossl320"); + } } if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 24605df806..cc900e3936 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -2459,6 +2459,8 @@ impl X509PurposeId { pub const ANY: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_ANY); pub const OCSP_HELPER: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_OCSP_HELPER); pub const TIMESTAMP_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_TIMESTAMP_SIGN); + #[cfg(ossl320)] + pub const CODE_SIGN: X509PurposeId = X509PurposeId(ffi::X509_PURPOSE_CODE_SIGN); /// Constructs an `X509PurposeId` from a raw OpenSSL value. pub fn from_raw(id: c_int) -> Self { From d9348649ac98fda3dac3315b7da9fdf55f729515 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 9 Sep 2023 12:41:57 -0400 Subject: [PATCH 08/37] Removed reference to non-existent method --- openssl/src/cipher_ctx.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index f9031d2976..1769ee9716 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -548,7 +548,7 @@ impl CipherCtxRef { /// # Panics /// /// Panics if `output` doesn't contain enough space for data to be - /// written as specified by [`Self::minimal_output_size`]. + /// written. #[corresponds(EVP_CipherUpdate)] pub fn cipher_update( &mut self, From 1bedd863e3add9e4c6d5b5adf55ccc3f1765a0bd Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 11 Sep 2023 11:32:43 -0400 Subject: [PATCH 09/37] Bump CI to 1.1.1w --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 54e7fd2e84..7638597ef1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -164,7 +164,7 @@ jobs: version: 3.1.2 dl-path: / - name: openssl - version: 1.1.1v + version: 1.1.1w dl-path: / - name: openssl version: 1.1.0l From ee008fccda2cbd001efd33f7df8f260d393b81f8 Mon Sep 17 00:00:00 2001 From: John Gallagher Date: Tue, 12 Sep 2023 15:29:38 -0400 Subject: [PATCH 10/37] [openssl-sys] Add X509_check_{host,email,ip,ip_asc} fns --- openssl-sys/src/handwritten/x509v3.rs | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 2ee0452597..69a3bc2ff2 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -145,3 +145,21 @@ extern "C" { pub fn DIST_POINT_free(dist_point: *mut DIST_POINT); pub fn DIST_POINT_NAME_free(dist_point: *mut DIST_POINT_NAME); } + +extern "C" { + pub fn X509_check_host( + x: *mut X509, + chk: *const c_char, + chklen: usize, + flags: c_uint, + peername: *mut *mut c_char, + ) -> c_int; + pub fn X509_check_email( + x: *mut X509, + chk: *const c_char, + chklen: usize, + flags: c_uint, + ) -> c_int; + pub fn X509_check_ip(x: *mut X509, chk: *const c_uchar, chklen: usize, flags: c_uint) -> c_int; + pub fn X509_check_ip_asc(x: *mut X509, ipasc: *const c_char, flags: c_uint) -> c_int; +} From 2dc8f96dd78431d557e243bd839efd710297bd6c Mon Sep 17 00:00:00 2001 From: John Gallagher Date: Tue, 12 Sep 2023 15:58:16 -0400 Subject: [PATCH 11/37] add cfg guard --- openssl-sys/src/handwritten/x509v3.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 69a3bc2ff2..2f59bf6663 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -146,6 +146,7 @@ extern "C" { pub fn DIST_POINT_NAME_free(dist_point: *mut DIST_POINT_NAME); } +#[cfg(ossl102)] extern "C" { pub fn X509_check_host( x: *mut X509, From 2f269c9ecd262bb5f4a9e78524449788d7d33de0 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 19 Sep 2023 09:57:00 -0400 Subject: [PATCH 12/37] Bump CI to 3.1.3 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7638597ef1..bf58049444 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -161,7 +161,7 @@ jobs: version: 3.2.0-alpha1 dl-path: / - name: openssl - version: 3.1.2 + version: 3.1.3 dl-path: / - name: openssl version: 1.1.1w From 5f502a2918afcefecde80e59cf25d0525809a930 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 26 Sep 2023 18:44:33 -0400 Subject: [PATCH 13/37] Expose CBC mode for several more (bad) ciphers --- openssl-sys/src/handwritten/evp.rs | 10 ++++++++++ openssl/src/symm.rs | 25 +++++++++++++++++++++++++ 2 files changed, 35 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index e8ad6aa2d7..96cc814cc2 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -396,23 +396,33 @@ extern "C" { #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] pub fn EVP_camellia_128_ecb() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_128_cbc() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] pub fn EVP_camellia_192_cfb128() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] pub fn EVP_camellia_192_ecb() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_192_cbc() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] pub fn EVP_camellia_256_cfb128() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] pub fn EVP_camellia_256_ecb() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn EVP_camellia_256_cbc() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] pub fn EVP_cast5_cfb64() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] pub fn EVP_cast5_ecb() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] + pub fn EVP_cast5_cbc() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] pub fn EVP_idea_cfb64() -> *const EVP_CIPHER; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] pub fn EVP_idea_ecb() -> *const EVP_CIPHER; + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + pub fn EVP_idea_cbc() -> *const EVP_CIPHER; #[cfg(not(ossl110))] pub fn OPENSSL_add_all_algorithms_noconf(); diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 7ebb70338e..52dc1f0bc6 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -288,6 +288,26 @@ impl Cipher { unsafe { Cipher(ffi::EVP_rc4()) } } + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia_128_cbc() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_128_cbc()) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia_192_cbc() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_192_cbc()) } + } + + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + pub fn camellia_256_cbc() -> Cipher { + unsafe { Cipher(ffi::EVP_camellia_256_cbc()) } + } + + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] + pub fn cast5_cbc() -> Cipher { + unsafe { Cipher(ffi::EVP_cast5_cbc()) } + } + /// Requires OpenSSL 1.1.0 or newer. #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn chacha20() -> Cipher { @@ -300,6 +320,11 @@ impl Cipher { unsafe { Cipher(ffi::EVP_chacha20_poly1305()) } } + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + pub fn idea_cbc() -> Cipher { + unsafe { Cipher(ffi::EVP_idea_cbc()) } + } + #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED")))] pub fn seed_cbc() -> Cipher { unsafe { Cipher(ffi::EVP_seed_cbc()) } From f1f5169b19a21b42cbca43cc723b3fc9da5576cf Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 27 Sep 2023 07:22:21 -0400 Subject: [PATCH 14/37] Expose two additional Pkey IDs --- openssl-sys/src/evp.rs | 4 ++++ openssl-sys/src/obj_mac.rs | 2 ++ openssl/src/pkey.rs | 4 ++++ 3 files changed, 10 insertions(+) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index d2ca215407..fcbee00ec6 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -7,8 +7,12 @@ pub const PKCS5_SALT_LEN: c_int = 8; pub const PKCS12_DEFAULT_ITER: c_int = 2048; pub const EVP_PKEY_RSA: c_int = NID_rsaEncryption; +#[cfg(any(openssl111, boringssl))] +pub const EVP_PKEY_RSA_PSS: c_int = NID_rsassaPss; pub const EVP_PKEY_DSA: c_int = NID_dsa; pub const EVP_PKEY_DH: c_int = NID_dhKeyAgreement; +#[cfg(ossl110)] +pub const EVP_PKEY_DHX: c_int = NID_dhpublicnumber; pub const EVP_PKEY_EC: c_int = NID_X9_62_id_ecPublicKey; #[cfg(ossl111)] pub const EVP_PKEY_SM2: c_int = NID_sm2; diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 6ae48834b5..1b24c3cbd8 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -135,6 +135,8 @@ pub const NID_sha512WithRSAEncryption: c_int = 670; pub const NID_sha224WithRSAEncryption: c_int = 671; pub const NID_pkcs3: c_int = 27; pub const NID_dhKeyAgreement: c_int = 28; +#[cfg(ossl110)] +pub const NID_dhpublicnumber: c_int = 920; pub const NID_pkcs5: c_int = 187; pub const NID_pbeWithMD2AndDES_CBC: c_int = 9; pub const NID_pbeWithMD5AndDES_CBC: c_int = 10; diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 453aeed72f..fab4f5d118 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -78,12 +78,16 @@ pub struct Id(c_int); impl Id { pub const RSA: Id = Id(ffi::EVP_PKEY_RSA); + #[cfg(any(openssl111, boringssl))] + pub const RSA_PSS: Id = Id(ffi::EVP_PKEY_RSA_PSS); #[cfg(not(boringssl))] pub const HMAC: Id = Id(ffi::EVP_PKEY_HMAC); #[cfg(not(boringssl))] pub const CMAC: Id = Id(ffi::EVP_PKEY_CMAC); pub const DSA: Id = Id(ffi::EVP_PKEY_DSA); pub const DH: Id = Id(ffi::EVP_PKEY_DH); + #[cfg(ossl110)] + pub const DHX: Id = Id(ffi::EVP_PKEY_DHX); pub const EC: Id = Id(ffi::EVP_PKEY_EC); #[cfg(ossl111)] pub const SM2: Id = Id(ffi::EVP_PKEY_SM2); From f2217fd13903601ecd0e547cd5ce79d751c7c348 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 28 Sep 2023 14:32:52 -0400 Subject: [PATCH 15/37] Bump CI to 3.2.0-alpha2 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bf58049444..02dc46598f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -158,7 +158,7 @@ jobs: - name: openssl version: vendored - name: openssl - version: 3.2.0-alpha1 + version: 3.2.0-alpha2 dl-path: / - name: openssl version: 3.1.3 From 7e52fe6d828c3c5d6bb30c7e96a0f708a910132f Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Tue, 10 Oct 2023 14:00:16 +0200 Subject: [PATCH 16/37] Fix clippy error indicating error in implementation --- openssl/src/bn.rs | 2 +- openssl/src/x509/mod.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index c75fac1d70..a67d0807aa 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -1229,7 +1229,7 @@ impl Ord for BigNumRef { impl PartialOrd for BigNum { fn partial_cmp(&self, oth: &BigNum) -> Option { - self.deref().partial_cmp(oth.deref()) + Some(self.cmp(oth)) } } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index d211006b78..97242ff4d8 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -832,7 +832,7 @@ impl Ord for X509 { impl PartialOrd for X509 { fn partial_cmp(&self, other: &Self) -> Option { - X509Ref::partial_cmp(self, other) + Some(self.cmp(other)) } } From 0773149c60436ed01559dee161de58eaf7ca0019 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Tue, 10 Oct 2023 14:00:38 +0200 Subject: [PATCH 17/37] Upgrade ctest2 to mitigate `mem::forget` warnings --- systest/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systest/Cargo.toml b/systest/Cargo.toml index 97a5405b0e..d1e55ac3f2 100644 --- a/systest/Cargo.toml +++ b/systest/Cargo.toml @@ -9,7 +9,7 @@ libc = "0.2" openssl-sys = { path = "../openssl-sys" } [build-dependencies] -ctest2 = "0.4" +ctest2 = "0.4.7" [features] vendored = ['openssl-sys/vendored'] From 32734b756a9cbf7c3312dd14a27a1046e010e528 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Wed, 11 Oct 2023 12:27:35 +0200 Subject: [PATCH 18/37] Fix `hostent` re-export warning by explicitly re-exporting only `c_int` --- openssl-sys/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 784b7637e1..0e23386fd3 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -11,7 +11,7 @@ #![recursion_limit = "128"] // configure fixed limit across all rust versions extern crate libc; -pub use libc::*; +pub use libc::c_int; #[cfg(feature = "unstable_boringssl")] extern crate bssl_sys; From 043b83d3a3f33f5b9020cde6f7dd2bfe84477c66 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 12 Oct 2023 13:05:10 -0400 Subject: [PATCH 19/37] Use osslconf on BoringSSL This reduces a bunch of special casing. Relies on changes from the latest BoringSSL HEAD. --- .github/workflows/ci.yml | 12 +++++------- openssl-sys/build/main.rs | 18 +++++++++++++----- openssl-sys/src/handwritten/evp.rs | 30 +++++++++++++++--------------- openssl/build.rs | 1 - openssl/src/cipher.rs | 26 ++++++++++---------------- openssl/src/dh.rs | 2 +- openssl/src/ec.rs | 6 +++--- openssl/src/hash.rs | 4 ++-- openssl/src/lib.rs | 4 ++-- openssl/src/md.rs | 2 -- openssl/src/symm.rs | 28 ++++++++++++++-------------- 11 files changed, 65 insertions(+), 68 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 02dc46598f..318441aa65 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -154,7 +154,7 @@ jobs: - false library: - name: boringssl - version: bcecc7d834fc44ad257b2f23f88e1cf597ab2736 + version: 8d71d244c0debac4079beeb02b5802fde59b94bd - name: openssl version: vendored - name: openssl @@ -239,7 +239,7 @@ jobs: - uses: actions/cache@v3 with: path: /opt/openssl - key: openssl-${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-2 + key: openssl-${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-6 if: matrix.library.version != 'vendored' id: openssl-cache - run: | @@ -313,11 +313,8 @@ jobs: make install # Copy stuff around so it's all as the build system expects. - cp -r rust/ "$OPENSSL_DIR/rust" - mkdir -p "$OPENSSL_DIR/crypto/" - mkdir -p "$OPENSSL_DIR/ssl/" - cp "$OPENSSL_DIR/lib/libcrypto.a" "$OPENSSL_DIR/crypto/" - cp "$OPENSSL_DIR/lib/libssl.a" "$OPENSSL_DIR/ssl/" + cp -r ../rust/ "$OPENSSL_DIR/rust" + cp -r ./ "$OPENSSL_DIR/build" esac if: matrix.library.version != 'vendored' && !steps.openssl-cache.outputs.cache-hit @@ -356,6 +353,7 @@ jobs: run: | if [[ "${{ matrix.library.name }}" == "boringssl" && "${{ matrix.bindgen }}" != "true" ]]; then features="--features unstable_boringssl" + BORINGSSL_BUILD_DIR="$OPENSSL_DIR/build/" fi if [[ "${{ matrix.library.version }}" == "vendored" ]]; then features="--features vendored" diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 738987b602..cd732ca46a 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -60,6 +60,14 @@ fn check_ssl_kind() { if cfg!(feature = "unstable_boringssl") { println!("cargo:rustc-cfg=boringssl"); println!("cargo:boringssl=true"); + + if let Ok(vars) = env::var("DEP_BSSL_CONF") { + for var in vars.split(',') { + println!("cargo:rustc-cfg=osslconf=\"{}\"", var); + } + println!("cargo:conf={}", vars); + } + // BoringSSL does not have any build logic, exit early std::process::exit(0); } @@ -223,6 +231,11 @@ See rust-openssl documentation for more information: } } + for enabled in &enabled { + println!("cargo:rustc-cfg=osslconf=\"{}\"", enabled); + } + println!("cargo:conf={}", enabled.join(",")); + if is_boringssl { println!("cargo:rustc-cfg=boringssl"); println!("cargo:boringssl=true"); @@ -233,11 +246,6 @@ See rust-openssl documentation for more information: // We set this for any non-BoringSSL lib. println!("cargo:rustc-cfg=openssl"); - for enabled in &enabled { - println!("cargo:rustc-cfg=osslconf=\"{}\"", enabled); - } - println!("cargo:conf={}", enabled.join(",")); - for cfg in cfgs::get(openssl_version, libressl_version) { println!("cargo:rustc-cfg={}", cfg); } diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 96cc814cc2..5a112fe8a1 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -391,37 +391,37 @@ extern "C" { #[cfg(all(any(ossl111, libressl291), not(osslconf = "OPENSSL_NO_SM4")))] pub fn EVP_sm4_ctr() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_128_cfb128() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_128_ecb() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_128_cbc() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_192_cfb128() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_192_ecb() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_192_cbc() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_256_cfb128() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_256_ecb() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn EVP_camellia_256_cbc() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn EVP_cast5_cfb64() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn EVP_cast5_ecb() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn EVP_cast5_cbc() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn EVP_idea_cfb64() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn EVP_idea_ecb() -> *const EVP_CIPHER; - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn EVP_idea_cbc() -> *const EVP_CIPHER; #[cfg(not(ossl110))] diff --git a/openssl/build.rs b/openssl/build.rs index d5a7ac4039..4a5b6289ae 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -13,7 +13,6 @@ fn main() { if env::var("DEP_OPENSSL_BORINGSSL").is_ok() { println!("cargo:rustc-cfg=boringssl"); - return; } if let Ok(v) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index 2b89861365..088f393516 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -343,13 +343,11 @@ impl Cipher { } #[cfg(not(osslconf = "OPENSSL_NO_BF"))] - #[cfg(not(boringssl))] pub fn bf_cfb64() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_bf_cfb64() as *mut _) } } #[cfg(not(osslconf = "OPENSSL_NO_BF"))] - #[cfg(not(boringssl))] pub fn bf_ofb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_bf_ofb() as *mut _) } } @@ -380,52 +378,52 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_rc4() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia128_cfb128() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_128_cfb128() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia128_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_128_ecb() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia192_cfb128() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_192_cfb128() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia192_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_192_ecb() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia256_cfb128() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_256_cfb128() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia256_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_camellia_256_ecb() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn cast5_cfb64() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_cast5_cfb64() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAST")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAST"))] pub fn cast5_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_cast5_ecb() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn idea_cfb64() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_idea_cfb64() as *mut _) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn idea_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_idea_ecb() as *mut _) } } @@ -441,25 +439,21 @@ impl Cipher { } #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] - #[cfg(not(boringssl))] pub fn seed_cbc() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_seed_cbc() as *mut _) } } #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] - #[cfg(not(boringssl))] pub fn seed_cfb128() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_seed_cfb128() as *mut _) } } #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] - #[cfg(not(boringssl))] pub fn seed_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_seed_ecb() as *mut _) } } #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] - #[cfg(not(boringssl))] pub fn seed_ofb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_seed_ofb() as *mut _) } } diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index 7445e3408c..d46b9ee466 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -475,6 +475,6 @@ mod tests { let g = BigNum::from_hex_str("02").unwrap(); let dh2 = Dh::from_pqg(p, None, g).unwrap(); assert!(dh1.check_key().unwrap()); - assert!(!dh2.check_key().unwrap()); + assert!(matches!(dh2.check_key(), Ok(false) | Err(_))); } } diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index d541ddfc23..0dda1dbbce 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -195,7 +195,7 @@ impl EcGroupRef { /// a term in the polynomial. It will be set to 3 `1`s or 5 `1`s depending on /// using a trinomial or pentanomial. #[corresponds(EC_GROUP_get_curve_GF2m)] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_EC2M")))] + #[cfg(not(osslconf = "OPENSSL_NO_EC2M"))] pub fn components_gf2m( &self, p: &mut BigNumRef, @@ -586,7 +586,7 @@ impl EcPointRef { /// Places affine coordinates of a curve over a binary field in the provided /// `x` and `y` `BigNum`s #[corresponds(EC_POINT_get_affine_coordinates_GF2m)] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_EC2M")))] + #[cfg(not(osslconf = "OPENSSL_NO_EC2M"))] pub fn affine_coordinates_gf2m( &self, group: &EcGroupRef, @@ -1324,7 +1324,7 @@ mod test { } #[test] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_EC2M")))] + #[cfg(not(osslconf = "OPENSSL_NO_EC2M"))] fn is_on_curve() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let mut ctx = BigNumContext::new().unwrap(); diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 52d73deed4..7592758101 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -157,7 +157,7 @@ impl MessageDigest { unsafe { MessageDigest(ffi::EVP_shake256()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_RMD160")))] + #[cfg(not(osslconf = "OPENSSL_NO_RMD160"))] pub fn ripemd160() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_ripemd160()) } } @@ -745,7 +745,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(osslconf = "OPENSSL_NO_RMD160"))] #[cfg_attr(ossl300, ignore)] fn test_ripemd160() { #[cfg(ossl300)] diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index fe29d02293..bc9d2b3455 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -140,7 +140,7 @@ pub mod base64; pub mod bn; pub mod cipher; pub mod cipher_ctx; -#[cfg(all(not(boringssl), not(libressl), not(osslconf = "OPENSSL_NO_CMS")))] +#[cfg(all(not(libressl), not(osslconf = "OPENSSL_NO_CMS")))] pub mod cms; pub mod conf; pub mod derive; @@ -162,7 +162,7 @@ pub mod md; pub mod md_ctx; pub mod memcmp; pub mod nid; -#[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_OCSP")))] +#[cfg(not(osslconf = "OPENSSL_NO_OCSP"))] pub mod ocsp; pub mod pkcs12; pub mod pkcs5; diff --git a/openssl/src/md.rs b/openssl/src/md.rs index 4ade8e870d..8f191afebe 100644 --- a/openssl/src/md.rs +++ b/openssl/src/md.rs @@ -188,14 +188,12 @@ impl Md { #[cfg(not(osslconf = "OPENSSL_NO_RMD160"))] #[inline] - #[cfg(not(boringssl))] pub fn ripemd160() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_ripemd160() as *mut _) } } #[cfg(all(any(ossl111, libressl291), not(osslconf = "OPENSSL_NO_SM3")))] #[inline] - #[cfg(not(boringssl))] pub fn sm3() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_sm3() as *mut _) } } diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 52dc1f0bc6..7cf152e3c1 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -252,12 +252,12 @@ impl Cipher { unsafe { Cipher(ffi::EVP_bf_ecb()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_BF")))] + #[cfg(not(osslconf = "OPENSSL_NO_BF"))] pub fn bf_cfb64() -> Cipher { unsafe { Cipher(ffi::EVP_bf_cfb64()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_BF")))] + #[cfg(not(osslconf = "OPENSSL_NO_BF"))] pub fn bf_ofb() -> Cipher { unsafe { Cipher(ffi::EVP_bf_ofb()) } } @@ -288,17 +288,17 @@ impl Cipher { unsafe { Cipher(ffi::EVP_rc4()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia_128_cbc() -> Cipher { unsafe { Cipher(ffi::EVP_camellia_128_cbc()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia_192_cbc() -> Cipher { unsafe { Cipher(ffi::EVP_camellia_192_cbc()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_CAMELLIA")))] + #[cfg(not(osslconf = "OPENSSL_NO_CAMELLIA"))] pub fn camellia_256_cbc() -> Cipher { unsafe { Cipher(ffi::EVP_camellia_256_cbc()) } } @@ -320,27 +320,27 @@ impl Cipher { unsafe { Cipher(ffi::EVP_chacha20_poly1305()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_IDEA")))] + #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn idea_cbc() -> Cipher { unsafe { Cipher(ffi::EVP_idea_cbc()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED")))] + #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] pub fn seed_cbc() -> Cipher { unsafe { Cipher(ffi::EVP_seed_cbc()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED")))] + #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] pub fn seed_cfb128() -> Cipher { unsafe { Cipher(ffi::EVP_seed_cfb128()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED")))] + #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] pub fn seed_ecb() -> Cipher { unsafe { Cipher(ffi::EVP_seed_ecb()) } } - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED")))] + #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] pub fn seed_ofb() -> Cipher { unsafe { Cipher(ffi::EVP_seed_ofb()) } } @@ -1559,7 +1559,7 @@ mod tests { } #[test] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED", ossl300)))] + #[cfg(not(any(osslconf = "OPENSSL_NO_SEED", ossl300)))] fn test_seed_cbc() { #[cfg(ossl300)] let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); @@ -1573,7 +1573,7 @@ mod tests { } #[test] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED", ossl300)))] + #[cfg(not(any(osslconf = "OPENSSL_NO_SEED", ossl300)))] fn test_seed_cfb128() { #[cfg(ossl300)] let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); @@ -1587,7 +1587,7 @@ mod tests { } #[test] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED", ossl300)))] + #[cfg(not(any(osslconf = "OPENSSL_NO_SEED", ossl300)))] fn test_seed_ecb() { #[cfg(ossl300)] let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); @@ -1601,7 +1601,7 @@ mod tests { } #[test] - #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_SEED", ossl300)))] + #[cfg(not(any(osslconf = "OPENSSL_NO_SEED", ossl300)))] fn test_seed_ofb() { #[cfg(ossl300)] let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); From 35c8e90b76d0f7a0b4064a0299d2fc529f9707a3 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 20 Oct 2023 01:33:10 +0200 Subject: [PATCH 20/37] Make X509_ALGOR opaque for LibreSSL The struct is still public because that is also the case in OpenSSL, but it should no longer be accessed directly. --- openssl-sys/build/cfgs.rs | 3 +++ openssl-sys/src/handwritten/types.rs | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index 8ee6f62373..ac7fe28596 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -56,6 +56,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x3_08_01_00_0 { cfgs.push("libressl381"); } + if libressl_version >= 0x3_08_02_00_0 { + cfgs.push("libressl382"); + } } else { let openssl_version = openssl_version.unwrap(); diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index 06354728f2..a03a878305 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -329,7 +329,7 @@ cfg_if! { } } cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, libressl382))] { pub enum X509_ALGOR {} } else { #[repr(C)] From ac2640d4c132439a02a4392a8fe64041d5483c2f Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 20 Oct 2023 15:45:05 +0200 Subject: [PATCH 21/37] Don't ignore ECDSA tests without GF2m support This looks like a typo. We can't do ECDSA without EC support, but ECDSA for the prime curve P-256 works just fine without GF2m support. --- openssl/src/ecdsa.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl/src/ecdsa.rs b/openssl/src/ecdsa.rs index f3b27b3953..3dc17c68dd 100644 --- a/openssl/src/ecdsa.rs +++ b/openssl/src/ecdsa.rs @@ -158,7 +158,7 @@ mod test { } #[test] - #[cfg_attr(osslconf = "OPENSSL_NO_EC2M", ignore)] + #[cfg_attr(osslconf = "OPENSSL_NO_EC", ignore)] fn sign_and_verify() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let private_key = EcKey::generate(&group).unwrap(); @@ -186,7 +186,7 @@ mod test { } #[test] - #[cfg_attr(osslconf = "OPENSSL_NO_EC2M", ignore)] + #[cfg_attr(osslconf = "OPENSSL_NO_EC", ignore)] fn check_private_components() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let private_key = EcKey::generate(&group).unwrap(); @@ -206,7 +206,7 @@ mod test { } #[test] - #[cfg_attr(osslconf = "OPENSSL_NO_EC2M", ignore)] + #[cfg_attr(osslconf = "OPENSSL_NO_EC", ignore)] fn serialize_deserialize() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let private_key = EcKey::generate(&group).unwrap(); From 6218635e6523fbfe893feacd2d747b8f509000d0 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 20 Oct 2023 16:23:14 +0200 Subject: [PATCH 22/37] Clarify 'possible LibreSSL bug' These test fail by default because of lack of PSK support in LibreSSL's TLSv1.3 stack. They do work with SslOptions::NO_TLSV1_3 but it seems preferable to keep ignoring the tests until they are properly supported. --- openssl/src/ssl/test/mod.rs | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 7707af238f..6013614118 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1023,7 +1023,9 @@ fn idle_session() { assert!(ssl.session().is_none()); } -/// possible LibreSSL bug since 3.2.1 +/// LibreSSL 3.2.1 enabled TLSv1.3 by default for clients and sessions do +/// not work due to lack of PSK support. The test passes with NO_TLSV1_3, +/// but let's ignore it until LibreSSL supports it out of the box. #[test] #[cfg_attr(libressl321, ignore)] fn active_session() { @@ -1081,7 +1083,9 @@ fn status_callbacks() { assert!(CALLED_BACK_CLIENT.load(Ordering::SeqCst)); } -/// possible LibreSSL bug since 3.2.1 +/// LibreSSL 3.2.1 enabled TLSv1.3 by default for clients and sessions do +/// not work due to lack of PSK support. The test passes with NO_TLSV1_3, +/// but let's ignore it until LibreSSL supports it out of the box. #[test] #[cfg_attr(libressl321, ignore)] fn new_session_callback() { @@ -1106,7 +1110,9 @@ fn new_session_callback() { assert!(CALLED_BACK.load(Ordering::SeqCst)); } -/// possible LibreSSL bug since 3.2.1 +/// LibreSSL 3.2.1 enabled TLSv1.3 by default for clients and sessions do +/// not work due to lack of PSK support. The test passes with NO_TLSV1_3, +/// but let's ignore it until LibreSSL supports it out of the box. #[test] #[cfg_attr(libressl321, ignore)] fn new_session_callback_swapped_ctx() { From dab8c7a52387b3a570cc7f21fdd9e380d3f52e11 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 20 Oct 2023 16:55:34 +0200 Subject: [PATCH 23/37] Enable BN_mod_sqrt() for upcoming LibreSSL 3.8.2 This API was inherited from OpenSSL, so it has always been present. Enable it for the upcoming LibreSSL release. The test as it was written would fail since LibreSSL returns the other square root. Improve the test to work with all possible implementations with a more interesting test case. Also check for error in the simplest situation where no square root exists. --- openssl-sys/src/handwritten/bn.rs | 2 +- openssl/src/bn.rs | 19 +++++++++++++------ 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/openssl-sys/src/handwritten/bn.rs b/openssl-sys/src/handwritten/bn.rs index fc42c13946..c93521ad91 100644 --- a/openssl-sys/src/handwritten/bn.rs +++ b/openssl-sys/src/handwritten/bn.rs @@ -75,7 +75,7 @@ extern "C" { m: *const BIGNUM, ctx: *mut BN_CTX, ) -> c_int; - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl382))] pub fn BN_mod_sqrt( ret: *mut BIGNUM, a: *const BIGNUM, diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index a67d0807aa..e1cde2c878 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -655,7 +655,7 @@ impl BigNumRef { /// Places into `self` the modular square root of `a` such that `self^2 = a (mod p)` #[corresponds(BN_mod_sqrt)] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl382))] pub fn mod_sqrt( &mut self, a: &BigNumRef, @@ -1490,17 +1490,24 @@ mod tests { assert!(b.is_const_time()) } - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl382))] #[test] fn test_mod_sqrt() { let mut ctx = BigNumContext::new().unwrap(); - let s = BigNum::from_hex_str("47A8DD7626B9908C80ACD7E0D3344D69").unwrap(); - let p = BigNum::from_hex_str("81EF47265B58BCE5").unwrap(); + let s = BigNum::from_hex_str("2").unwrap(); + let p = BigNum::from_hex_str("7DEB1").unwrap(); + let mut sqrt = BigNum::new().unwrap(); let mut out = BigNum::new().unwrap(); - out.mod_sqrt(&s, &p, &mut ctx).unwrap(); - assert_eq!(out, BigNum::from_hex_str("7C6D179E19B97BDD").unwrap()); + // Square the root because OpenSSL randomly returns one of 2E42C or 4FA85 + sqrt.mod_sqrt(&s, &p, &mut ctx).unwrap(); + out.mod_sqr(&sqrt, &p, &mut ctx).unwrap(); + assert!(out == s); + + let s = BigNum::from_hex_str("3").unwrap(); + let p = BigNum::from_hex_str("5").unwrap(); + assert!(out.mod_sqrt(&s, &p, &mut ctx).is_err()); } #[test] From c84e3fcd6b7bfbfb0669d955eac0d88fc0ba9d59 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 20 Oct 2023 17:11:11 +0200 Subject: [PATCH 24/37] Enable BN_mod_sqrt() unconditionally --- openssl-sys/src/handwritten/bn.rs | 1 - openssl/src/bn.rs | 2 -- 2 files changed, 3 deletions(-) diff --git a/openssl-sys/src/handwritten/bn.rs b/openssl-sys/src/handwritten/bn.rs index c93521ad91..fb55f6b82c 100644 --- a/openssl-sys/src/handwritten/bn.rs +++ b/openssl-sys/src/handwritten/bn.rs @@ -75,7 +75,6 @@ extern "C" { m: *const BIGNUM, ctx: *mut BN_CTX, ) -> c_int; - #[cfg(any(ossl110, libressl382))] pub fn BN_mod_sqrt( ret: *mut BIGNUM, a: *const BIGNUM, diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index e1cde2c878..1ae450bb75 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -655,7 +655,6 @@ impl BigNumRef { /// Places into `self` the modular square root of `a` such that `self^2 = a (mod p)` #[corresponds(BN_mod_sqrt)] - #[cfg(any(ossl110, libressl382))] pub fn mod_sqrt( &mut self, a: &BigNumRef, @@ -1490,7 +1489,6 @@ mod tests { assert!(b.is_const_time()) } - #[cfg(any(ossl110, libressl382))] #[test] fn test_mod_sqrt() { let mut ctx = BigNumContext::new().unwrap(); From ae74dec45d4fcfabf1ba211fdd15763ddca119e3 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 20 Oct 2023 23:09:26 +0200 Subject: [PATCH 25/37] Use EVP_MD_CTX_{new,free}() in LibreSSL 3.8.2 These functions have been available since LibreSSL 2.7.2. --- openssl-sys/src/handwritten/evp.rs | 2 +- openssl/src/hash.rs | 2 +- openssl/src/md_ctx.rs | 2 +- openssl/src/sign.rs | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 5a112fe8a1..3deeb9343c 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -52,7 +52,7 @@ cfg_if! { } cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, libressl382))] { extern "C" { pub fn EVP_MD_CTX_new() -> *mut EVP_MD_CTX; pub fn EVP_MD_CTX_free(ctx: *mut EVP_MD_CTX); diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 7592758101..285ec8b528 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -43,7 +43,7 @@ use crate::nid::Nid; use crate::{cvt, cvt_p}; cfg_if! { - if #[cfg(any(ossl110, boringssl))] { + if #[cfg(any(ossl110, boringssl, libressl382))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; diff --git a/openssl/src/md_ctx.rs b/openssl/src/md_ctx.rs index 156f3c2fc9..30e0337b47 100644 --- a/openssl/src/md_ctx.rs +++ b/openssl/src/md_ctx.rs @@ -93,7 +93,7 @@ use std::convert::TryFrom; use std::ptr; cfg_if! { - if #[cfg(any(ossl110, boringssl))] { + if #[cfg(any(ossl110, boringssl, libressl382))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 1c770d18b7..0154b1d4b7 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -81,7 +81,7 @@ use crate::rsa::Padding; use crate::{cvt, cvt_p}; cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, libressl382))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; From 01cc521c7ee12fb2a907b7b83e372974c3f7c2bf Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Sat, 21 Oct 2023 00:24:12 +0200 Subject: [PATCH 26/37] Enable SHA-3 for LibreSSL 3.8.0 --- openssl-sys/build/cfgs.rs | 3 +++ openssl-sys/src/handwritten/evp.rs | 8 ++++---- openssl-sys/src/obj_mac.rs | 8 ++++++++ openssl/build.rs | 3 +++ openssl/src/hash.rs | 16 ++++++++-------- openssl/src/md.rs | 8 ++++---- openssl/src/nid.rs | 8 ++++---- 7 files changed, 34 insertions(+), 20 deletions(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index ac7fe28596..2454ef66a4 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -53,6 +53,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x3_07_00_00_0 { cfgs.push("libressl370"); } + if libressl_version >= 0x3_08_00_00_0 { + cfgs.push("libressl380"); + } if libressl_version >= 0x3_08_01_00_0 { cfgs.push("libressl381"); } diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 5a112fe8a1..87deae2ac9 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -294,13 +294,13 @@ extern "C" { pub fn EVP_sha256() -> *const EVP_MD; pub fn EVP_sha384() -> *const EVP_MD; pub fn EVP_sha512() -> *const EVP_MD; - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn EVP_sha3_224() -> *const EVP_MD; - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn EVP_sha3_256() -> *const EVP_MD; - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn EVP_sha3_384() -> *const EVP_MD; - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn EVP_sha3_512() -> *const EVP_MD; #[cfg(ossl111)] pub fn EVP_shake128() -> *const EVP_MD; diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 1b24c3cbd8..93aa5cdff9 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -976,12 +976,20 @@ pub const NID_sm4_ctr: c_int = 1139; pub const NID_sm4_ctr: c_int = 979; #[cfg(ossl111)] pub const NID_sha3_224: c_int = 1096; +#[cfg(libressl380)] +pub const NID_sha3_224: c_int = 1031; #[cfg(ossl111)] pub const NID_sha3_256: c_int = 1097; +#[cfg(libressl380)] +pub const NID_sha3_256: c_int = 1032; #[cfg(ossl111)] pub const NID_sha3_384: c_int = 1098; +#[cfg(libressl380)] +pub const NID_sha3_384: c_int = 1033; #[cfg(ossl111)] pub const NID_sha3_512: c_int = 1099; +#[cfg(libressl380)] +pub const NID_sha3_512: c_int = 1034; #[cfg(ossl111)] pub const NID_shake128: c_int = 1100; #[cfg(ossl111)] diff --git a/openssl/build.rs b/openssl/build.rs index 4a5b6289ae..93ef534d27 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -66,6 +66,9 @@ fn main() { if version >= 0x3_07_00_00_0 { println!("cargo:rustc-cfg=libressl370"); } + if version >= 0x3_08_00_00_0 { + println!("cargo:rustc-cfg=libressl380"); + } } if let Ok(vars) = env::var("DEP_OPENSSL_CONF") { diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 7592758101..9fa9ef3e37 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -127,22 +127,22 @@ impl MessageDigest { unsafe { MessageDigest(ffi::EVP_sha512()) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn sha3_224() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_sha3_224()) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn sha3_256() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_sha3_256()) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn sha3_384() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_sha3_384()) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub fn sha3_512() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_sha3_512()) } } @@ -624,7 +624,7 @@ mod tests { ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[test] fn test_sha3_224() { let tests = [( @@ -644,7 +644,7 @@ mod tests { ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[test] fn test_sha3_256() { let tests = [( @@ -664,7 +664,7 @@ mod tests { ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[test] fn test_sha3_384() { let tests = [("416c6c20796f75722062617365206172652062656c6f6e6720746f207573", @@ -684,7 +684,7 @@ mod tests { ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[test] fn test_sha3_512() { let tests = [("416c6c20796f75722062617365206172652062656c6f6e6720746f207573", diff --git a/openssl/src/md.rs b/openssl/src/md.rs index 8f191afebe..08e4aacf3e 100644 --- a/openssl/src/md.rs +++ b/openssl/src/md.rs @@ -150,25 +150,25 @@ impl Md { unsafe { MdRef::from_ptr(ffi::EVP_sha512() as *mut _) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[inline] pub fn sha3_224() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_sha3_224() as *mut _) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[inline] pub fn sha3_256() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_sha3_256() as *mut _) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[inline] pub fn sha3_384() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_sha3_384() as *mut _) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] #[inline] pub fn sha3_512() -> &'static MdRef { unsafe { MdRef::from_ptr(ffi::EVP_sha3_512() as *mut _) } diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index 91fcdeca9d..a78d0e660c 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -1078,13 +1078,13 @@ impl Nid { pub const SM2: Nid = Nid(ffi::NID_sm2); #[cfg(any(ossl111, libressl291))] pub const SM3: Nid = Nid(ffi::NID_sm3); - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub const SHA3_224: Nid = Nid(ffi::NID_sha3_224); - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub const SHA3_256: Nid = Nid(ffi::NID_sha3_256); - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub const SHA3_384: Nid = Nid(ffi::NID_sha3_384); - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl380))] pub const SHA3_512: Nid = Nid(ffi::NID_sha3_512); #[cfg(ossl111)] pub const SHAKE128: Nid = Nid(ffi::NID_shake128); From a4f2a38c8eae051266e419e0e676ce8385c25351 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Sat, 21 Oct 2023 09:30:16 +0200 Subject: [PATCH 27/37] Remove DH_generate_parameters for LibreSSL 3.8.2 OpenSSL 0.9.8 deprecated DH_generate_parameters nearly 20 years ago. In 62acbe3a3ed internals switched to using the _ex version. Let's remove it from the API surface consumed from LibreSSL so we can eventually remove it on our side and finally make some long overdue internal simplifications. --- openssl-sys/src/handwritten/dh.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-sys/src/handwritten/dh.rs b/openssl-sys/src/handwritten/dh.rs index 87a0817ce5..c4671c969f 100644 --- a/openssl-sys/src/handwritten/dh.rs +++ b/openssl-sys/src/handwritten/dh.rs @@ -5,6 +5,7 @@ extern "C" { pub fn DH_free(dh: *mut DH); pub fn DH_check(dh: *const DH, codes: *mut c_int) -> c_int; + #[cfg(not(libressl382))] pub fn DH_generate_parameters( prime_len: c_int, generator: c_int, From 96567a222b43298b88e94da77907b25097b1c3e8 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Sat, 21 Oct 2023 01:27:47 +0200 Subject: [PATCH 28/37] Enable HKDF support for LibreSSL >= 3.6.0 --- openssl-sys/src/evp.rs | 28 ++++++++++++++-------------- openssl-sys/src/obj_mac.rs | 2 ++ openssl/src/pkey.rs | 2 +- openssl/src/pkey_ctx.rs | 20 ++++++++++---------- systest/build.rs | 5 ++++- 5 files changed, 31 insertions(+), 26 deletions(-) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index fcbee00ec6..e317fea35c 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -28,7 +28,7 @@ pub const EVP_PKEY_HMAC: c_int = NID_hmac; pub const EVP_PKEY_CMAC: c_int = NID_cmac; #[cfg(ossl111)] pub const EVP_PKEY_POLY1305: c_int = NID_poly1305; -#[cfg(ossl110)] +#[cfg(any(ossl110, libressl360))] pub const EVP_PKEY_HKDF: c_int = NID_hkdf; #[cfg(ossl102)] @@ -201,31 +201,31 @@ pub const EVP_PKEY_CTRL_CIPHER: c_int = 12; pub const EVP_PKEY_ALG_CTRL: c_int = 0x1000; -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] pub const EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND: c_int = 0; -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] pub const EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY: c_int = 1; -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] pub const EVP_PKEY_HKDEF_MODE_EXPAND_ONLY: c_int = 2; -#[cfg(ossl110)] +#[cfg(any(ossl110, libressl360))] pub const EVP_PKEY_CTRL_HKDF_MD: c_int = EVP_PKEY_ALG_CTRL + 3; -#[cfg(ossl110)] +#[cfg(any(ossl110, libressl360))] pub const EVP_PKEY_CTRL_HKDF_SALT: c_int = EVP_PKEY_ALG_CTRL + 4; -#[cfg(ossl110)] +#[cfg(any(ossl110, libressl360))] pub const EVP_PKEY_CTRL_HKDF_KEY: c_int = EVP_PKEY_ALG_CTRL + 5; -#[cfg(ossl110)] +#[cfg(any(ossl110, libressl360))] pub const EVP_PKEY_CTRL_HKDF_INFO: c_int = EVP_PKEY_ALG_CTRL + 6; -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] pub const EVP_PKEY_CTRL_HKDF_MODE: c_int = EVP_PKEY_ALG_CTRL + 7; -#[cfg(all(ossl111, not(ossl300)))] +#[cfg(any(all(ossl111, not(ossl300)), libressl360))] pub unsafe fn EVP_PKEY_CTX_set_hkdf_mode(ctx: *mut EVP_PKEY_CTX, mode: c_int) -> c_int { EVP_PKEY_CTX_ctrl( ctx, @@ -237,7 +237,7 @@ pub unsafe fn EVP_PKEY_CTX_set_hkdf_mode(ctx: *mut EVP_PKEY_CTX, mode: c_int) -> ) } -#[cfg(all(ossl110, not(ossl300)))] +#[cfg(any(all(ossl110, not(ossl300)), libressl360))] pub unsafe fn EVP_PKEY_CTX_set_hkdf_md(ctx: *mut EVP_PKEY_CTX, md: *const EVP_MD) -> c_int { EVP_PKEY_CTX_ctrl( ctx, @@ -249,7 +249,7 @@ pub unsafe fn EVP_PKEY_CTX_set_hkdf_md(ctx: *mut EVP_PKEY_CTX, md: *const EVP_MD ) } -#[cfg(all(ossl110, not(ossl300)))] +#[cfg(any(all(ossl110, not(ossl300)), libressl360))] pub unsafe fn EVP_PKEY_CTX_set1_hkdf_salt( ctx: *mut EVP_PKEY_CTX, salt: *const u8, @@ -265,7 +265,7 @@ pub unsafe fn EVP_PKEY_CTX_set1_hkdf_salt( ) } -#[cfg(all(ossl110, not(ossl300)))] +#[cfg(any(all(ossl110, not(ossl300)), libressl360))] pub unsafe fn EVP_PKEY_CTX_set1_hkdf_key( ctx: *mut EVP_PKEY_CTX, key: *const u8, @@ -281,7 +281,7 @@ pub unsafe fn EVP_PKEY_CTX_set1_hkdf_key( ) } -#[cfg(all(ossl110, not(ossl300)))] +#[cfg(any(all(ossl110, not(ossl300)), libressl360))] pub unsafe fn EVP_PKEY_CTX_add1_hkdf_info( ctx: *mut EVP_PKEY_CTX, info: *const u8, diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 93aa5cdff9..9f4c7c12dd 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -928,6 +928,8 @@ pub const NID_X25519: c_int = 950; pub const NID_X448: c_int = 1035; #[cfg(ossl110)] pub const NID_hkdf: c_int = 1036; +#[cfg(libressl360)] +pub const NID_hkdf: c_int = 1022; #[cfg(ossl111)] pub const NID_poly1305: c_int = 1061; #[cfg(ossl111)] diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index fab4f5d118..ac5989c572 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -92,7 +92,7 @@ impl Id { #[cfg(ossl111)] pub const SM2: Id = Id(ffi::EVP_PKEY_SM2); - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, libressl360))] pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); #[cfg(any(ossl111, boringssl, libressl370))] diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index 4ac32a8517..85778e2166 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -80,10 +80,10 @@ use std::convert::TryFrom; use std::ptr; /// HKDF modes of operation. -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] pub struct HkdfMode(c_int); -#[cfg(ossl111)] +#[cfg(any(ossl111, libressl360))] impl HkdfMode { /// This is the default mode. Calling [`derive`][PkeyCtxRef::derive] on a [`PkeyCtxRef`] set up /// for HKDF will perform an extract followed by an expand operation in one go. The derived key @@ -566,7 +566,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set_hkdf_md)] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, libressl360))] #[inline] pub fn set_hkdf_md(&mut self, digest: &MdRef) -> Result<(), ErrorStack> { unsafe { @@ -589,7 +589,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.1 or newer. #[corresponds(EVP_PKEY_CTX_set_hkdf_mode)] - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl360))] #[inline] pub fn set_hkdf_mode(&mut self, mode: HkdfMode) -> Result<(), ErrorStack> { unsafe { @@ -608,7 +608,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_key)] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, libressl360))] #[inline] pub fn set_hkdf_key(&mut self, key: &[u8]) -> Result<(), ErrorStack> { #[cfg(not(boringssl))] @@ -633,7 +633,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_salt)] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, libressl360))] #[inline] pub fn set_hkdf_salt(&mut self, salt: &[u8]) -> Result<(), ErrorStack> { #[cfg(not(boringssl))] @@ -658,7 +658,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_add1_hkdf_info)] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, libressl360))] #[inline] pub fn add_hkdf_info(&mut self, info: &[u8]) -> Result<(), ErrorStack> { #[cfg(not(boringssl))] @@ -855,7 +855,7 @@ mod test { } #[test] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, libressl360))] fn hkdf() { let mut ctx = PkeyCtx::new_id(Id::HKDF).unwrap(); ctx.derive_init().unwrap(); @@ -877,7 +877,7 @@ mod test { } #[test] - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl360))] fn hkdf_expand() { let mut ctx = PkeyCtx::new_id(Id::HKDF).unwrap(); ctx.derive_init().unwrap(); @@ -901,7 +901,7 @@ mod test { } #[test] - #[cfg(ossl111)] + #[cfg(any(ossl111, libressl360))] fn hkdf_extract() { let mut ctx = PkeyCtx::new_id(Id::HKDF).unwrap(); ctx.derive_init().unwrap(); diff --git a/systest/build.rs b/systest/build.rs index 53407eafad..833e09fb5c 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -69,8 +69,11 @@ fn main() { .header("openssl/evp.h") .header("openssl/x509_vfy.h"); - if libressl_version.is_some() { + if let Some(version) = libressl_version { cfg.header("openssl/poly1305.h"); + if version >= 0x30600000 { + cfg.header("openssl/kdf.h"); + } } if let Some(version) = openssl_version { From fb578735d6d83c9f33814ecacd03ebb4466a4d80 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Sun, 22 Oct 2023 00:46:14 +0200 Subject: [PATCH 29/37] Add missing libressl382 config to openssl/build.rs In 04ffe960 and ae74dec45 I added conditionals on libressl382 but missed the build script. --- openssl/build.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openssl/build.rs b/openssl/build.rs index 93ef534d27..19cb17e2ac 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -69,6 +69,9 @@ fn main() { if version >= 0x3_08_00_00_0 { println!("cargo:rustc-cfg=libressl380"); } + if version >= 0x3_08_02_00_0 { + println!("cargo:rustc-cfg=libressl382"); + } } if let Ok(vars) = env::var("DEP_OPENSSL_CONF") { From a44fa61c537a72bfd2ac89bf755b1995215f23a8 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Sun, 22 Oct 2023 00:50:28 +0200 Subject: [PATCH 30/37] Remove stale near-duplicate version parser The DEP_OPENSSL_LIBRESSL_VERSION_NUMBER handling has two near-duplicate parsers. The new one added in 4ecaf691 was subsequently extended and the old one went stale: libressl250, 310, 370, 380 are missing from it. --- openssl/build.rs | 56 ------------------------------------------------ 1 file changed, 56 deletions(-) diff --git a/openssl/build.rs b/openssl/build.rs index 19cb17e2ac..87a9fa06f5 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -111,60 +111,4 @@ fn main() { println!("cargo:rustc-cfg=ossl320"); } } - - if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { - let version = u64::from_str_radix(&version, 16).unwrap(); - - if version >= 0x2_05_01_00_0 { - println!("cargo:rustc-cfg=libressl251"); - } - - if version >= 0x2_06_01_00_0 { - println!("cargo:rustc-cfg=libressl261"); - } - - if version >= 0x2_07_00_00_0 { - println!("cargo:rustc-cfg=libressl270"); - } - - if version >= 0x2_07_01_00_0 { - println!("cargo:rustc-cfg=libressl271"); - } - - if version >= 0x2_07_03_00_0 { - println!("cargo:rustc-cfg=libressl273"); - } - - if version >= 0x2_08_00_00_0 { - println!("cargo:rustc-cfg=libressl280"); - } - - if version >= 0x2_09_01_00_0 { - println!("cargo:rustc-cfg=libressl291"); - } - - if version >= 0x3_02_01_00_0 { - println!("cargo:rustc-cfg=libressl321"); - } - - if version >= 0x3_03_02_00_0 { - println!("cargo:rustc-cfg=libressl332"); - } - - if version >= 0x3_04_00_00_0 { - println!("cargo:rustc-cfg=libressl340"); - } - - if version >= 0x3_05_00_00_0 { - println!("cargo:rustc-cfg=libressl350"); - } - - if version >= 0x3_06_00_00_0 { - println!("cargo:rustc-cfg=libressl360"); - } - - if version >= 0x3_06_01_00_0 { - println!("cargo:rustc-cfg=libressl361"); - } - } } From 5e0a6ffec83afa4e210e8f422b83cfae9cf98e15 Mon Sep 17 00:00:00 2001 From: Guy Lewin Date: Mon, 23 Oct 2023 15:54:31 -0400 Subject: [PATCH 31/37] Respect OPENSSL_NO_OCB --- openssl/src/cipher.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index 088f393516..892cae1db7 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -201,7 +201,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_128_ocb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_ocb() as *mut _) } } @@ -258,7 +258,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_192_ocb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_aes_192_ocb() as *mut _) } } @@ -315,7 +315,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_256_ocb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_aes_256_ocb() as *mut _) } } From 0e60f5dc1eafed89e2e758ce1b4044bc59ccb7f3 Mon Sep 17 00:00:00 2001 From: Guy Lewin Date: Mon, 23 Oct 2023 16:21:57 -0400 Subject: [PATCH 32/37] Support OPENSSL_NO_SCRYPT --- openssl-sys/build/expando.c | 4 ++++ openssl/src/pkcs5.rs | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index cd7456b4f0..e171621dca 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -134,3 +134,7 @@ RUST_CONF_OPENSSL_NO_DEPRECATED_3_0 #ifdef OPENSSL_NO_SEED RUST_CONF_OPENSSL_NO_SEED #endif + +#ifdef OPENSSL_NO_SCRYPT +RUST_CONF_OPENSSL_NO_SCRYPT +#endif diff --git a/openssl/src/pkcs5.rs b/openssl/src/pkcs5.rs index cd704e8256..afaae55a29 100644 --- a/openssl/src/pkcs5.rs +++ b/openssl/src/pkcs5.rs @@ -115,7 +115,7 @@ pub fn pbkdf2_hmac( /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PBE_scrypt)] -#[cfg(any(ossl110, boringssl))] +#[cfg(all(any(ossl110, boringssl), not(osslconf = "OPENSSL_NO_SCRYPT")))] #[allow(clippy::useless_conversion)] pub fn scrypt( pass: &[u8], From d40a28f28178ce4703b9ba74dbd57e990ae7fa77 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 24 Oct 2023 10:11:47 -0400 Subject: [PATCH 33/37] Bump CI version --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 318441aa65..1256386d3f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -161,7 +161,7 @@ jobs: version: 3.2.0-alpha2 dl-path: / - name: openssl - version: 3.1.3 + version: 3.1.4 dl-path: / - name: openssl version: 1.1.1w From d8df1056fe0aaef28310acf7c43d06864f762389 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 26 Oct 2023 09:55:56 -0400 Subject: [PATCH 34/37] Bump 3.2.0 beta --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1256386d3f..724c125cea 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -158,7 +158,7 @@ jobs: - name: openssl version: vendored - name: openssl - version: 3.2.0-alpha2 + version: 3.2.0-beta1 dl-path: / - name: openssl version: 3.1.4 From aebfe8e72c4fec80cf1f0105449251fddd163376 Mon Sep 17 00:00:00 2001 From: James Mayclin Date: Fri, 27 Oct 2023 19:14:38 +0000 Subject: [PATCH 35/37] add security level bindings --- openssl-sys/src/handwritten/ssl.rs | 14 +++++++++++ openssl/src/ssl/mod.rs | 40 ++++++++++++++++++++++++++++++ openssl/src/ssl/test/mod.rs | 14 +++++++++++ 3 files changed, 68 insertions(+) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index d4f4b619f4..6b9a329ea8 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -924,3 +924,17 @@ extern "C" { #[cfg(all(ossl111, not(ossl111b)))] pub fn SSL_get_num_tickets(s: *mut SSL) -> size_t; } + +extern "C" { + #[cfg(ossl110)] + pub fn SSL_CTX_set_security_level(ctx: *mut SSL_CTX, level: c_int); + + #[cfg(ossl110)] + pub fn SSL_set_security_level(s: *mut SSL, level: c_int); + + #[cfg(ossl110)] + pub fn SSL_CTX_get_security_level(ctx: *const SSL_CTX) -> c_int; + + #[cfg(ossl110)] + pub fn SSL_get_security_level(s: *const SSL) -> c_int; +} diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index bdfbfc14f0..1e19d2a809 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -1718,6 +1718,16 @@ impl SslContextBuilder { unsafe { cvt(ffi::SSL_CTX_set_num_tickets(self.as_ptr(), num_tickets)).map(|_| ()) } } + /// Set the context's security level, which controls the allowed parameters + /// and algorithms. + /// + /// Requires OpenSSL 1.1.0 or newer. + #[corresponds(SSL_CTX_set_security_level)] + #[cfg(ossl110)] + pub fn set_security_level(&mut self, level: u32) { + unsafe { ffi::SSL_CTX_set_security_level(self.as_ptr(), level as c_int) } + } + /// Consumes the builder, returning a new `SslContext`. pub fn build(self) -> SslContext { self.0 @@ -1921,6 +1931,16 @@ impl SslContextRef { pub fn num_tickets(&self) -> usize { unsafe { ffi::SSL_CTX_get_num_tickets(self.as_ptr()) } } + + /// Get the context's security level, which controls the allowed parameters + /// and algorithms. + /// + /// Requires OpenSSL 1.1.0 or newer. + #[corresponds(SSL_CTX_get_security_level)] + #[cfg(ossl110)] + pub fn security_level(&self) -> u32 { + unsafe { ffi::SSL_CTX_get_security_level(self.as_ptr()) as u32 } + } } /// Information about the state of a cipher. @@ -3405,6 +3425,26 @@ impl SslRef { pub fn num_tickets(&self) -> usize { unsafe { ffi::SSL_get_num_tickets(self.as_ptr()) } } + + /// Set the connection's security level, which controls the allowed parameters + /// and algorithms. + /// + /// Requires OpenSSL 1.1.0 or newer. + #[corresponds(SSL_set_security_level)] + #[cfg(ossl110)] + pub fn set_security_level(&mut self, level: u32) { + unsafe { ffi::SSL_set_security_level(self.as_ptr(), level as c_int) } + } + + /// Get the connection's security level, which controls the allowed parameters + /// and algorithms. + /// + /// Requires OpenSSL 1.1.0 or newer. + #[corresponds(SSL_get_security_level)] + #[cfg(ossl110)] + pub fn security_level(&self) -> u32 { + unsafe { ffi::SSL_get_security_level(self.as_ptr()) as u32 } + } } /// An SSL stream midway through the handshake process. diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 6013614118..542656cb04 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1574,3 +1574,17 @@ fn set_num_tickets() { let ssl = ssl; assert_eq!(5, ssl.num_tickets()); } + +#[test] +#[cfg(ossl110)] +fn set_security_level() { + let mut ctx = SslContext::builder(SslMethod::tls_server()).unwrap(); + ctx.set_security_level(3); + let ctx = ctx.build(); + assert_eq!(3, ctx.security_level()); + + let mut ssl = Ssl::new(&ctx).unwrap(); + ssl.set_security_level(4); + let ssl = ssl; + assert_eq!(4, ssl.security_level()); +} From d6591bb3cd9e5c36cb807b91c34c70f3103f2729 Mon Sep 17 00:00:00 2001 From: James Mayclin Date: Sat, 28 Oct 2023 21:00:04 +0000 Subject: [PATCH 36/37] address pr feedback * add libressl360 cfg statement * add 0-5 reference to documentation --- openssl-sys/src/handwritten/ssl.rs | 8 ++++---- openssl/src/ssl/mod.rs | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index 6b9a329ea8..944a476618 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -926,15 +926,15 @@ extern "C" { } extern "C" { - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn SSL_CTX_set_security_level(ctx: *mut SSL_CTX, level: c_int); - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn SSL_set_security_level(s: *mut SSL, level: c_int); - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn SSL_CTX_get_security_level(ctx: *const SSL_CTX) -> c_int; - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn SSL_get_security_level(s: *const SSL) -> c_int; } diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 1e19d2a809..d147c3c343 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -1718,12 +1718,12 @@ impl SslContextBuilder { unsafe { cvt(ffi::SSL_CTX_set_num_tickets(self.as_ptr(), num_tickets)).map(|_| ()) } } - /// Set the context's security level, which controls the allowed parameters - /// and algorithms. + /// Set the context's security level to a value between 0 and 5, inclusive. + /// A security value of 0 allows allows all parameters and algorithms. /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(SSL_CTX_set_security_level)] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn set_security_level(&mut self, level: u32) { unsafe { ffi::SSL_CTX_set_security_level(self.as_ptr(), level as c_int) } } @@ -1937,7 +1937,7 @@ impl SslContextRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(SSL_CTX_get_security_level)] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn security_level(&self) -> u32 { unsafe { ffi::SSL_CTX_get_security_level(self.as_ptr()) as u32 } } @@ -3426,12 +3426,12 @@ impl SslRef { unsafe { ffi::SSL_get_num_tickets(self.as_ptr()) } } - /// Set the connection's security level, which controls the allowed parameters - /// and algorithms. + /// Set the context's security level to a value between 0 and 5, inclusive. + /// A security value of 0 allows allows all parameters and algorithms. /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(SSL_set_security_level)] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn set_security_level(&mut self, level: u32) { unsafe { ffi::SSL_set_security_level(self.as_ptr(), level as c_int) } } @@ -3441,7 +3441,7 @@ impl SslRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(SSL_get_security_level)] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] pub fn security_level(&self) -> u32 { unsafe { ffi::SSL_get_security_level(self.as_ptr()) as u32 } } From b7be1dc3040c31af72832f4392d7ddc54b7558f6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 1 Nov 2023 13:31:28 -0700 Subject: [PATCH 37/37] Release openssl v0.10.58 and openssl-sys v0.9.94 --- openssl-sys/CHANGELOG.md | 17 ++++++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 21 ++++++++++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 39 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 8d2a65574b..b8120733f6 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,20 @@ ## [Unreleased] +## [v0.9.94] - 2023-11-01 + +### Changed + +* `X509_ALGOR` is now opaque on new LibreSSL releases + +### Added + +* Added support for building with `OPENSSL_NO_SCRYPT` +* Added `EVP_PKEY_RSA_PSS` and `EVP_PKEY_DHX` +* Functions and constants for using HKDF `EVP_PKEY` are now available on LibreSSL. +* Added `SSL_CTX_set_security_level`, `SSL_set_security_level`, `SSL_CTX_get_security_level`, `SSL_get_security_level` +* Added `X509_check_host`, `X509_check_email`, `X509_check_ip`, `X509_check_ip_asc` + ## [v0.9.93] - 2023-09-04 ### Changed @@ -508,7 +522,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.93..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.94..master +[v0.9.93]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.93...openssl-sys-v0.9.94 [v0.9.93]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.92...openssl-sys-v0.9.93 [v0.9.92]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.91...openssl-sys-v0.9.92 [v0.9.91]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.90...openssl-sys-v0.9.91 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 44fc45a71b..980f41e92c 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.93" +version = "0.9.94" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index f5409b1222..f1acc1fccf 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,24 @@ ## [Unreleased] +## [v0.10.58] - 2023-11-01 + +### Added + +* Added `Id::{RSA_PSS,DHX}` constants +* Added `SslContextBuilder::set_security_level` +* Added `SslContextRef::security_level` +* Added `SslRef::set_security_level`, `SslRef::security_level` +* Added `Cipher::{camellia_128_cbc, camellia_192_cbc, camellia_256_cbc, cast5_cbc, idea_cbc}` +* Added `X509CrlRef::extension` +* Added `X509PurposeId::CODE_SIGN` + +### Changed + +* `Pkey` HKDF functionality now works on LibreSSL +* `BigNum::mod_sqrt` is now available on all OpenSSLs +* `MessageDigest::sha3*` are now available on LibreSSL + ## [v0.10.57] - 2023-08-27 ### Added @@ -797,7 +815,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.57...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.58...master +[v0.10.57]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.57...openssl-v0.10.58 [v0.10.57]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.56...openssl-v0.10.57 [v0.10.56]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...openssl-v0.10.56 [v0.10.55]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...openssl-v0.10.55 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index ec8beaef9c..9a2f5016f5 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.57" +version = "0.10.58" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.92", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.94", path = "../openssl-sys" } [dev-dependencies] hex = "0.3"