Fix rust warnings when building with BoringSSL (#10408)

noxfile.py

@@ -292,7 +292,7 @@ def local(session):
         "noxfile.py",
     )
 
-    install(session, "cryptography @ .")
+    install(session, ".")
 
     if session.posargs:
         tests = session.posargs

src/rust/cryptography-openssl/src/aead.rs

@@ -17,15 +17,19 @@ foreign_types::foreign_type! {
     pub struct AeadCtxRef;
 }
 
+// SAFETY: Can safely be used from multiple threads concurrently.
 unsafe impl Sync for AeadCtx {}
+// SAFETY: Can safely be sent between threads.
 unsafe impl Send for AeadCtx {}
 
 impl AeadCtx {
     pub fn new(aead: AeadType, key: &[u8]) -> OpenSSLResult<AeadCtx> {
         let aead = match aead {
+            // SAFETY: No preconditions.
             AeadType::ChaCha20Poly1305 => unsafe { ffi::EVP_aead_chacha20_poly1305() },
         };
 
+        // SAFETY: We're passing a valid key and aead.
         unsafe {
             let ctx = cvt_p(ffi::EVP_AEAD_CTX_new(
                 aead,
@@ -47,6 +51,7 @@ impl AeadCtxRef {
         out: &mut [u8],
     ) -> OpenSSLResult<()> {
         let mut out_len = out.len();
+        // SAFETY: All the lengths and pointers are known valid.
         unsafe {
             cvt(ffi::EVP_AEAD_CTX_seal(
                 self.as_ptr(),
@@ -72,6 +77,7 @@ impl AeadCtxRef {
         out: &mut [u8],
     ) -> OpenSSLResult<()> {
         let mut out_len = out.len();
+        // SAFETY: All the lengths and pointers are known valid.
         unsafe {
             cvt(ffi::EVP_AEAD_CTX_open(
                 self.as_ptr(),

src/rust/cryptography-openssl/src/hmac.rs

@@ -22,6 +22,9 @@ unsafe impl Sync for Hmac {}
 unsafe impl Send for Hmac {}
 
 impl Hmac {
+    // On BoringSSL, the length is a size_t, so the length conversion is a
+    // no-op.
+    #[cfg_attr(CRYPTOGRAPHY_IS_BORINGSSL, allow(clippy::useless_conversion))]
     pub fn new(key: &[u8], md: openssl::hash::MessageDigest) -> OpenSSLResult<Hmac> {
         // SAFETY: All FFI conditions are handled.
         unsafe {

src/rust/src/backend/aead.rs

@@ -276,6 +276,7 @@ struct LazyEvpCipherAead {
 }
 
 impl LazyEvpCipherAead {
+    #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
     fn new(
         cipher: &'static openssl::cipher::CipherRef,
         key: pyo3::Py<pyo3::PyAny>,
@@ -706,12 +707,15 @@ impl AesCcm {
     ) -> CryptographyResult<AesCcm> {
         cfg_if::cfg_if! {
             if #[cfg(CRYPTOGRAPHY_IS_BORINGSSL)] {
-                return Err(CryptographyError::from(
+                let _ = py;
+                let _ = key;
+                let _ = tag_length;
+                Err(CryptographyError::from(
                     exceptions::UnsupportedAlgorithm::new_err((
                         "AES-CCM is not supported by this version of OpenSSL",
                         exceptions::Reasons::UNSUPPORTED_CIPHER,
                     )),
-                ));
+                ))
             } else {
                 let key_buf = key.extract::<CffiBuf<'_>>(py)?;
                 let cipher = match key_buf.as_bytes().len() {

src/rust/src/backend/keys.rs

@@ -243,9 +243,11 @@ pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelu
 
 #[cfg(test)]
 mod tests {
+    #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
     use super::public_key_from_pkey;
 
     #[test]
+    #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
     fn test_public_key_from_pkey_unknown_key() {
         pyo3::prepare_freethreaded_python();
 

src/rust/src/lib.rs

@@ -4,9 +4,11 @@
 
 #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)]
 
+#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)]
 use crate::error::CryptographyResult;
 #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)]
 use openssl::provider;
+#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)]
 use std::env;
 
 mod asn1;

src/rust/src/pkcs7.rs

@@ -345,12 +345,14 @@ fn load_pem_pkcs7_certificates<'p>(
             })?;
             load_pkcs7_certificates(py, pkcs7_decoded)
         } else {
-            return Err(CryptographyError::from(
+            let _ = py;
+            let _ = data;
+            Err(CryptographyError::from(
                 exceptions::UnsupportedAlgorithm::new_err((
                     "PKCS#7 is not supported by this backend.",
                     exceptions::Reasons::UNSUPPORTED_SERIALIZATION,
                 )),
-            ));
+            ))
         }
     }
 }
@@ -369,12 +371,14 @@ fn load_der_pkcs7_certificates<'p>(
             })?;
             load_pkcs7_certificates(py, pkcs7_decoded)
         } else {
-            return Err(CryptographyError::from(
+            let _ = py;
+            let _ = data;
+            Err(CryptographyError::from(
                 exceptions::UnsupportedAlgorithm::new_err((
                     "PKCS#7 is not supported by this backend.",
                     exceptions::Reasons::UNSUPPORTED_SERIALIZATION,
                 )),
-            ));
+            ))
         }
     }
 }

src/rust/src/types.rs

@@ -473,21 +473,25 @@ pub static AES256: LazyPyImport = LazyPyImport::new(
     "cryptography.hazmat.primitives.ciphers.algorithms",
     &["AES256"],
 );
+#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))]
 pub static SM4: LazyPyImport = LazyPyImport::new(
     "cryptography.hazmat.primitives.ciphers.algorithms",
     &["SM4"],
 );
 #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))]
 pub static SEED: LazyPyImport =
     LazyPyImport::new("cryptography.hazmat.decrepit.ciphers.algorithms", &["SEED"]);
+#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))]
 pub static CAMELLIA: LazyPyImport = LazyPyImport::new(
     "cryptography.hazmat.primitives.ciphers.algorithms",
     &["Camellia"],
 );
+#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))]
 pub static BLOWFISH: LazyPyImport = LazyPyImport::new(
     "cryptography.hazmat.decrepit.ciphers.algorithms",
     &["Blowfish"],
 );
+#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAST"))]
 pub static CAST5: LazyPyImport = LazyPyImport::new(
     "cryptography.hazmat.decrepit.ciphers.algorithms",
     &["CAST5"],