From 6d6944767c30cd43fefec920eb29ef1acf4e55b9 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 13 Jan 2023 15:11:36 +0100 Subject: [PATCH 01/84] Prepared openssl-sys for pkcs7 and x509 extensions. --- openssl-sys/build/cfgs.rs | 3 + openssl-sys/src/handwritten/asn1.rs | 49 ++++- openssl-sys/src/handwritten/mod.rs | 2 + openssl-sys/src/handwritten/pkcs7.rs | 245 ++++++++++++++++++++++- openssl-sys/src/handwritten/types.rs | 16 +- openssl-sys/src/handwritten/x509.rs | 36 +++- openssl-sys/src/handwritten/x509_attr.rs | 60 ++++++ 7 files changed, 396 insertions(+), 15 deletions(-) create mode 100644 openssl-sys/src/handwritten/x509_attr.rs diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index d925d90ad7..960515f00f 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -31,6 +31,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x2_09_01_00_0 { cfgs.push("libressl291"); } + if libressl_version >= 0x3_01_00_00_0 { + cfgs.push("libressl310"); + } if libressl_version >= 0x3_02_01_00_0 { cfgs.push("libressl321"); } diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index 844f9102a9..e866b1ea90 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs 
@@ -10,23 +10,60 @@ pub struct ASN1_ENCODING { extern "C" { pub fn ASN1_OBJECT_free(x: *mut ASN1_OBJECT); + pub fn OBJ_cmp(a: *const ASN1_OBJECT, b: *const ASN1_OBJECT) -> c_int; } +pub enum ASN1_OBJECT {} + stack!(stack_st_ASN1_OBJECT); +#[repr(C)] +pub struct ASN1_TYPE { + pub type_: c_int, + pub value: ASN1_TYPE_value, +} +#[repr(C)] +pub union ASN1_TYPE_value { + pub ptr: *mut c_char, + pub boolean: ASN1_BOOLEAN, + pub asn1_string: *mut ASN1_STRING, + pub object: *mut ASN1_OBJECT, + pub integer: *mut ASN1_INTEGER, + pub enumerated: *mut ASN1_ENUMERATED, + pub bit_string: *mut ASN1_BIT_STRING, + pub octet_string: *mut ASN1_OCTET_STRING, + pub printablestring: *mut ASN1_PRINTABLESTRING, + pub t61string: *mut ASN1_T61STRING, + pub ia5string: *mut ASN1_IA5STRING, + pub generalstring: *mut ASN1_GENERALSTRING, + pub bmpstring: *mut ASN1_BMPSTRING, + pub universalstring: *mut ASN1_UNIVERSALSTRING, + pub utctime: *mut ASN1_UTCTIME, + pub generalizedtime: *mut ASN1_GENERALIZEDTIME, + pub visiblestring: *mut ASN1_VISIBLESTRING, + pub utf8string: *mut ASN1_UTF8STRING, + /* + * set and sequence are left complete and still contain the set or + * sequence bytes + */ + pub set: *mut ASN1_STRING, + pub sequence: *mut ASN1_STRING, + pub asn1_value: *mut ASN1_VALUE, +} + extern "C" { pub fn ASN1_STRING_type_new(ty: c_int) -> *mut ASN1_STRING; #[cfg(any(ossl110, libressl273))] pub fn ASN1_STRING_get0_data(x: *const ASN1_STRING) -> *const c_uchar; #[cfg(any(all(ossl101, not(ossl110)), libressl))] pub fn ASN1_STRING_data(x: *mut ASN1_STRING) -> *mut c_uchar; - - pub fn ASN1_BIT_STRING_free(x: *mut ASN1_BIT_STRING); - + pub fn ASN1_STRING_new() -> *mut ASN1_STRING; pub fn ASN1_STRING_free(x: *mut ASN1_STRING); pub fn ASN1_STRING_length(x: *const ASN1_STRING) -> c_int; + pub fn ASN1_STRING_set(x: *mut ASN1_STRING, data: *const c_void, len_in: c_int) -> c_int; - pub fn ASN1_STRING_set(x: *mut ASN1_STRING, data: *const c_void, len: c_int) -> c_int; + pub fn ASN1_BIT_STRING_free(x: *mut 
ASN1_BIT_STRING); + pub fn ASN1_OCTET_STRING_free(x: *mut ASN1_OCTET_STRING); pub fn ASN1_GENERALIZEDTIME_free(tm: *mut ASN1_GENERALIZEDTIME); pub fn ASN1_GENERALIZEDTIME_print(b: *mut BIO, tm: *const ASN1_GENERALIZEDTIME) -> c_int; @@ -51,10 +88,14 @@ extern "C" { pub fn ASN1_TIME_set_string(s: *mut ASN1_TIME, str: *const c_char) -> c_int; #[cfg(ossl111)] pub fn ASN1_TIME_set_string_X509(s: *mut ASN1_TIME, str: *const c_char) -> c_int; + + pub fn ASN1_TYPE_free(x: *mut ASN1_TYPE); } const_ptr_api! { extern "C" { pub fn ASN1_STRING_to_UTF8(out: *mut *mut c_uchar, s: #[const_ptr_if(any(ossl110, libressl280))] ASN1_STRING) -> c_int; + pub fn ASN1_STRING_type(x: #[const_ptr_if(any(ossl110, libressl280))] ASN1_STRING) -> c_int; + pub fn ASN1_generate_v3(str: #[const_ptr_if(any(ossl110, libressl280))] c_char, cnf: *mut X509V3_CTX) -> *mut ASN1_TYPE; } } diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index 28aa4aecd0..fea7549898 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -28,6 +28,7 @@ pub use self::stack::*; pub use self::tls1::*; pub use self::types::*; pub use self::x509::*; +pub use self::x509_attr::*; pub use self::x509_vfy::*; pub use self::x509v3::*; @@ -61,5 +62,6 @@ mod stack; mod tls1; mod types; mod x509; +mod x509_attr; mod x509_vfy; mod x509v3; diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index fc0239e7b8..2f76cab9c2 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs 
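Review bot: `ASN1_TYPE_value` is introduced as a `pub union` with no statement of its discriminant, so nothing tells a caller that only the member selected by `ASN1_TYPE.type_` may be read. Reading any other member reinterprets the stored bits as the wrong pointer type (or, for `boolean`, as a non-pointer), which becomes a type-confusion hazard as soon as safe wrappers are built on these bindings. I would put a doc comment on the union, e.g. `/// Only the member matching the enclosing ASN1_TYPE's type_ tag is valid; check type_ before every read.` The same applies to `PKCS7_data` in the pkcs7.rs hunk, where the per-member `/* NID_pkcs7_... */` comments suggest the active member follows `PKCS7.type_`.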
@@ -1,12 +1,195 @@ use libc::*; use *; -pub enum PKCS7_SIGNED {} -pub enum PKCS7_ENVELOPE {} -pub enum PKCS7_SIGN_ENVELOPE {} -pub enum PKCS7_DIGEST {} -pub enum PKCS7_ENCRYPT {} -pub enum PKCS7 {} +// use x509::stack_st_X509; +// use x509_attr::stack_st_X509_ATTRIBUTE; + +#[cfg(ossl300)] +#[repr(C)] +pub struct PKCS7_CTX { + libctx: *mut OSSL_LIB_CTX, + propq: *mut c_char, +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_SIGNED { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, + pub contents: *mut PKCS7, + } + } else { + pub enum PKCS7_SIGNED {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_ENC_CONTENT { + pub content_type: *mut ASN1_OBJECT, + pub algorithm: *mut X509_ALGOR, + pub enc_data: *mut ASN1_OCTET_STRING, /* [ 0 ] */ + pub cipher: *const EVP_CIPHER, + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, + } + } else { + pub enum PKCS7_ENC_CONTENT {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_ENVELOPE { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO, + pub enc_data: *mut PKCS7_ENC_CONTENT, + } + } else { + pub enum PKCS7_ENVELOPE {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_SIGN_ENVELOPE { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, + pub enc_data: *mut PKCS7_ENC_CONTENT, + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO + } + } else { + pub enum PKCS7_SIGN_ENVELOPE {} + } +} + +cfg_if! 
{ + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_DIGEST { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub md: *mut X509_ALGOR, /* md used */ + pub contents: *mut PKCS7, + pub digest: *mut ASN1_OCTET_STRING, + } + } else { + pub enum PKCS7_DIGEST {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_ENCRYPT { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub enc_data: *mut PKCS7_ENC_CONTENT, + } + } else { + pub enum PKCS7_ENCRYPT {} + } +} + +extern "C" { + pub fn PKCS7_SIGNED_free(info: *mut PKCS7_SIGNED); + pub fn PKCS7_ENC_CONTENT_free(info: *mut PKCS7_ENC_CONTENT); + pub fn PKCS7_ENVELOPE_free(info: *mut PKCS7_ENVELOPE); + pub fn PKCS7_SIGN_ENVELOPE_free(info: *mut PKCS7_SIGN_ENVELOPE); + pub fn PKCS7_DIGEST_free(info: *mut PKCS7_DIGEST); + pub fn PKCS7_SIGNER_INFO_free(info: *mut PKCS7_SIGNER_INFO); +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7 { + /* + * The following is non NULL if it contains ASN1 encoding of this + * structure + */ + pub asn1: *mut c_uchar, + pub length: c_long, + // # define PKCS7_S_HEADER 0 + // # define PKCS7_S_BODY 1 + // # define PKCS7_S_TAIL 2 + pub state: c_int, /* used during processing */ + pub detached: c_int, + pub type_: *mut ASN1_OBJECT, + /* content as defined by the type */ + /* + * all encryption/message digests are applied to the 'contents', leaving + * out the 'type' field. 
+ */ + pub d: PKCS7_data, + #[cfg(ossl300)] + pub ctx: PKCS7_CTX, + } + #[repr(C)] + pub union PKCS7_data { + pub ptr: *mut c_char, + /* NID_pkcs7_data */ + pub data: *mut ASN1_OCTET_STRING, + /* NID_pkcs7_signed */ + pub sign: *mut PKCS7_SIGNED, + /* NID_pkcs7_enveloped */ + pub enveloped: *mut PKCS7_ENVELOPE, + /* NID_pkcs7_signedAndEnveloped */ + pub signed_and_enveloped: *mut PKCS7_SIGN_ENVELOPE, + /* NID_pkcs7_digest */ + pub digest: *mut PKCS7_DIGEST, + /* NID_pkcs7_encrypted */ + pub encrypted: *mut PKCS7_ENCRYPT, + /* Anything else */ + pub other: *mut ASN1_TYPE, + } + } else { + pub enum PKCS7 {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl))] { + #[repr(C)] + pub struct PKCS7_ISSUER_AND_SERIAL { + pub issuer: *mut X509_NAME, + pub serial: *mut ASN1_INTEGER, + } + } else { + pub enum PKCS7_ISSUER_AND_SERIAL {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl))] { + #[repr(C)] + pub struct PKCS7_SIGNER_INFO { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub issuer_and_serial: *mut PKCS7_ISSUER_AND_SERIAL, + pub digest_alg: *mut X509_ALGOR, + pub auth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 0 ] */ + pub digest_enc_alg: *mut X509_ALGOR, + pub enc_digest: *mut ASN1_OCTET_STRING, + pub unauth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 1 ] */ + pub pkey: *mut EVP_PKEY, /* The private key to sign with */ + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, + } + } else { + pub enum PKCS7_SIGNER_INFO {} + } +} + +stack!(stack_st_PKCS7_SIGNER_INFO); +stack!(stack_st_PKCS7_RECIP_INFO); extern "C" { pub fn d2i_PKCS7(a: *mut *mut PKCS7, pp: *mut *const c_uchar, length: c_long) -> *mut PKCS7; @@ -15,6 +198,7 @@ extern "C" { const_ptr_api! { extern "C" { pub fn i2d_PKCS7(a: #[const_ptr_if(ossl300)] PKCS7, buf: *mut *mut u8) -> c_int; + pub fn i2d_PKCS7_bio(bio: *mut BIO, p7: #[const_ptr_if(ossl300)] PKCS7) -> c_int; } } 
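Review bot: Several pointer fields in the newly transparent structs look optional on the wire, and the only hint is the `/* [ 0 ] */` and `/* [ 1 ] */` markers carried over from the C header: `cert` and `crl` in `PKCS7_SIGNED` and `PKCS7_SIGN_ENVELOPE`, `auth_attr` and `unauth_attr` in `PKCS7_SIGNER_INFO`. Presumably these are null when the element is absent from a parsed message, so a wrapper that dereferences them without a null check would fault on untrusted input; this should be confirmed against the C templates and then stated in `///` doc comments, e.g. `/// [0] IMPLICIT, optional: null when the message carries no certificates.` Plain `/* */` comments do not reach rustdoc, so the existing hints are invisible to users of the crate. Separately, `recipientinfo` in `PKCS7_SIGN_ENVELOPE` is missing its trailing comma.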
@@ -67,4 +251,53 @@ extern "C" { ) -> c_int; pub fn SMIME_read_PKCS7(bio: *mut BIO, bcont: *mut *mut BIO) -> *mut PKCS7; + + pub fn PKCS7_new() -> *mut PKCS7; + + pub fn PKCS7_set_type(p7: *mut PKCS7, nid_pkcs7: c_int) -> c_int; + + pub fn PKCS7_add_certificate(p7: *mut PKCS7, x509: *mut X509) -> c_int; + + pub fn PKCS7_add_signature( + p7: *mut PKCS7, + x509: *mut X509, + pkey: *mut EVP_PKEY, + digest: *const EVP_MD, + ) -> *mut PKCS7_SIGNER_INFO; + + pub fn PKCS7_set_signed_attributes( + p7si: *mut PKCS7_SIGNER_INFO, + attributes: *mut stack_st_X509_ATTRIBUTE, + ) -> c_int; + + pub fn PKCS7_add_signed_attribute( + p7si: *mut PKCS7_SIGNER_INFO, + nid: c_int, + attrtype: c_int, + data: *mut c_void, + ) -> c_int; + + pub fn PKCS7_content_new(p7: *mut PKCS7, nid_pkcs7: c_int) -> c_int; + + pub fn PKCS7_dataInit(p7: *mut PKCS7, bio: *mut BIO) -> *mut BIO; + + pub fn PKCS7_dataFinal(p7: *mut PKCS7, bio: *mut BIO) -> c_int; + + pub fn PKCS7_get_signer_info(p7: *mut PKCS7) -> *mut stack_st_PKCS7_SIGNER_INFO; + + pub fn PKCS7_SIGNER_INFO_get0_algs( + si: *mut PKCS7_SIGNER_INFO, + pk: *mut *mut EVP_PKEY, + pdig: *mut *mut X509_ALGOR, + psig: *mut *mut X509_ALGOR, + ); +} + +const_ptr_api! { + extern "C" { + pub fn PKCS7_get_signed_attribute( + si: #[const_ptr_if(ossl300)] PKCS7_SIGNER_INFO, + nid: c_int + ) -> *mut ASN1_TYPE; + } } diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index 476578c051..addc599abb 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs 
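Review bot: `PKCS7_add_signed_attribute` is declared with no statement of who owns `data` after the call, and that is the question a wrapper author must get right to avoid a double free or a leak. As far as I know OpenSSL stores the pointer in the new attribute on success rather than copying it, so the caller must not free it afterwards; please verify this for each supported OpenSSL and LibreSSL version and record it, e.g. `/// On success the attribute takes ownership of data; the caller frees it only on failure.` The pointers returned by `PKCS7_add_signature`, `PKCS7_get_signer_info` and `PKCS7_get_signed_attribute` look like borrows from the parent object and deserve a matching `/// Borrowed from the parent; do not free.` line. `X509_ATTRIBUTE_create` in the new x509_attr.rs raises the same ownership question for `value`.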
@@ -3,14 +3,26 @@ use libc::*; #[allow(unused_imports)] use *; +#[derive(Copy, Clone)] +pub enum ASN1_BOOLEAN {} +pub enum ASN1_ENUMERATED {} pub enum ASN1_INTEGER {} pub enum ASN1_GENERALIZEDTIME {} pub enum ASN1_STRING {} pub enum ASN1_BIT_STRING {} pub enum ASN1_TIME {} -pub enum ASN1_TYPE {} pub enum ASN1_OBJECT {} pub enum ASN1_OCTET_STRING {} +pub enum ASN1_PRINTABLESTRING {} +pub enum ASN1_T61STRING {} +pub enum ASN1_IA5STRING {} +pub enum ASN1_GENERALSTRING {} +pub enum ASN1_BMPSTRING {} +pub enum ASN1_UNIVERSALSTRING {} +pub enum ASN1_UTCTIME {} +pub enum ASN1_VISIBLESTRING {} +pub enum ASN1_UTF8STRING {} +pub enum ASN1_VALUE {} pub enum bio_st {} // FIXME remove cfg_if! { @@ -325,6 +337,8 @@ cfg_if! { } } +stack!(stack_st_X509_ALGOR); + pub enum X509_LOOKUP_METHOD {} pub enum X509_NAME {} diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 047f3df262..486f712c34 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -15,8 +15,6 @@ pub enum X509_EXTENSION {} stack!(stack_st_X509_EXTENSION); -stack!(stack_st_X509_ATTRIBUTE); - cfg_if! { if #[cfg(any(ossl110, libressl350))] { pub enum X509_REQ_INFO {} @@ -27,7 +25,7 @@ cfg_if! { pub version: *mut ::ASN1_INTEGER, pub subject: *mut ::X509_NAME, pubkey: *mut c_void, - pub attributes: *mut stack_st_X509_ATTRIBUTE, + pub attributes: *mut ::stack_st_X509_ATTRIBUTE, } } } @@ -271,9 +269,12 @@ extern "C" { pub fn X509_EXTENSION_free(ext: *mut X509_EXTENSION); + pub fn X509_ATTRIBUTE_free(attr: *mut ::X509_ATTRIBUTE); + pub fn X509_NAME_ENTRY_free(x: *mut X509_NAME_ENTRY); pub fn X509_NAME_new() -> *mut X509_NAME; + pub fn X509_NAME_cmp(x: *const X509_NAME, y: *const X509_NAME) -> c_int; pub fn X509_NAME_free(x: *mut X509_NAME); pub fn X509_new() -> *mut X509; 
@@ -359,6 +360,33 @@ const_ptr_api! { -> c_int; } } +extern "C" { + pub fn X509_REQ_get_attr_count(req: *const X509_REQ) -> c_int; + pub fn X509_REQ_get_attr_by_NID(req: *const X509_REQ, nid: c_int, lastpos: c_int) -> c_int; + pub fn X509_REQ_get_attr(req: *const X509_REQ, loc: c_int) -> *mut ::X509_ATTRIBUTE; + pub fn X509_REQ_delete_attr(req: *mut X509_REQ, loc: c_int) -> *mut ::X509_ATTRIBUTE; + pub fn X509_REQ_add1_attr_by_txt( + req: *mut X509_REQ, + attrname: *const c_char, + chtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> c_int; + pub fn X509_REQ_add1_attr_by_NID( + req: *mut X509_REQ, + nid: c_int, + chtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> c_int; + pub fn X509_REQ_add1_attr_by_OBJ( + req: *mut X509_REQ, + obj: *const ASN1_OBJECT, + chtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> c_int; +} extern "C" { pub fn X509_set_pubkey(x: *mut X509, pkey: *mut EVP_PKEY) -> c_int; pub fn X509_REQ_verify(req: *mut X509_REQ, pkey: *mut EVP_PKEY) -> c_int; @@ -607,6 +635,7 @@ const_ptr_api! { pub fn X509_STORE_get0_objects(ctx: #[const_ptr_if(ossl300)] X509_STORE) -> *mut stack_st_X509_OBJECT; } } + #[cfg(any(ossl110, libressl270))] extern "C" { pub fn X509_OBJECT_get0_X509(x: *const X509_OBJECT) -> *mut X509; @@ -633,7 +662,6 @@ extern "C" { extern "C" { pub fn X509_cmp(a: *const X509, b: *const X509) -> c_int; - pub fn X509_NAME_cmp(a: *const X509_NAME, b: *const X509_NAME) -> c_int; pub fn X509_issuer_and_serial_cmp(a: *const X509, b: *const X509) -> c_int; pub fn X509_issuer_name_cmp(a: *const X509, b: *const X509) -> c_int; pub fn X509_subject_name_cmp(a: *const X509, b: *const X509) -> c_int; diff --git a/openssl-sys/src/handwritten/x509_attr.rs b/openssl-sys/src/handwritten/x509_attr.rs new file mode 100644 index 0000000000..b14be38619 --- /dev/null +++ b/openssl-sys/src/handwritten/x509_attr.rs 
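Review bot: The three `X509_REQ_add1_attr_by_*` declarations take `bytes` and `len` as an unrelated pair, with nothing documenting that `len` must describe the buffer behind `bytes`. In the OpenSSL versions I know, a `len` of -1 is not an error but a mode switch (string types fall back to `strlen`, other types treat the pointer as an existing ASN.1 value), so a wrapper that forwards an unchecked or wrapped length can read past the buffer or misinterpret it; this should be confirmed against the supported versions. I would document it on each function, e.g. `/// len must be the exact byte length of bytes; safe wrappers must never pass -1.`, and have wrappers convert with `c_int::try_from(slice.len())` instead of `as`. The same contract applies to `X509_ATTRIBUTE_create_by_NID`, `X509_ATTRIBUTE_create_by_OBJ`, `X509_ATTRIBUTE_create_by_txt` and `X509_ATTRIBUTE_set1_data` in the new x509_attr.rs.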
@@ -0,0 +1,60 @@
+use libc::*;
+
+use *;
+
+pub enum X509_ATTRIBUTE {}
+
+stack!(stack_st_X509_ATTRIBUTE);
+
+extern "C" {
+ pub fn X509_ATTRIBUTE_new() -> *mut X509_ATTRIBUTE;
+ pub fn X509_ATTRIBUTE_create(
+ nid: c_int,
+ atrtype: c_int,
+ value: *mut c_void,
+ ) -> *mut X509_ATTRIBUTE;
+ pub fn X509_ATTRIBUTE_create_by_NID(
+ attr: *mut *mut X509_ATTRIBUTE,
+ nid: c_int,
+ atrtype: c_int,
+ data: *const c_void,
+ len: c_int,
+ ) -> *mut X509_ATTRIBUTE;
+ pub fn X509_ATTRIBUTE_create_by_OBJ(
+ attr: *mut *mut X509_ATTRIBUTE,
+ obj: *const ASN1_OBJECT,
+ atrtype: c_int,
+ data: *const c_void,
+ len: c_int,
+ ) -> *mut X509_ATTRIBUTE;
+ pub fn X509_ATTRIBUTE_create_by_txt(
+ attr: *mut *mut X509_ATTRIBUTE,
+ atrname: *const c_char,
+ atrtype: c_int,
+ bytes: *const c_uchar,
+ len: c_int,
+ ) -> *mut X509_ATTRIBUTE;
+ pub fn X509_ATTRIBUTE_set1_object(attr: *mut X509_ATTRIBUTE, obj: *const ASN1_OBJECT) -> c_int;
+ pub fn X509_ATTRIBUTE_set1_data(
+ attr: *mut X509_ATTRIBUTE,
+ attrtype: c_int,
+ data: *const c_void,
+ len: c_int,
+ ) -> c_int;
+ pub fn X509_ATTRIBUTE_get0_data(
+ attr: *mut X509_ATTRIBUTE,
+ idx: c_int,
+ atrtype: c_int,
+ data: *mut c_void,
+ ) -> *mut c_void;
+ pub fn X509_ATTRIBUTE_get0_object(attr: *mut X509_ATTRIBUTE) -> *mut ASN1_OBJECT;
+ pub fn X509_ATTRIBUTE_get0_type(attr: *mut X509_ATTRIBUTE, idx: c_int) -> *mut ASN1_TYPE;
+
+}
+const_ptr_api! {
+ extern "C" {
+ pub fn X509_ATTRIBUTE_count(
+ attr: #[const_ptr_if(any(ossl110, libressl291))] X509_ATTRIBUTE // const since OpenSSL v1.1.0
+ ) -> c_int;
+ }
+}
From d2e30181e586929abf1ee93d5c8152f8d034385c Mon Sep 17 00:00:00 2001
From: Bernd Krietenstein
Date: Fri, 13 Jan 2023 16:17:48 +0100
Subject: [PATCH 02/84] Fixed systest.
---
systest/build.rs | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/systest/build.rs b/systest/build.rs
index e54438114b..02c820b3e7 100644
--- a/systest/build.rs
+++ b/systest/build.rs
@@ -108,7 +108,10 @@ fn main() { || s.starts_with("CRYPTO_EX_") }); cfg.skip_struct(|s| { - s == "ProbeResult" || s == "X509_OBJECT_data" // inline union + s == "ProbeResult" || + s == "X509_OBJECT_data" || // inline union + s == "PKCS7_data" || + s == "ASN1_TYPE_value" }); cfg.skip_fn(move |s| { s == "CRYPTO_memcmp" || // uses volatile @@ -128,7 +131,9 @@ fn main() { cfg.skip_field_type(|s, field| { (s == "EVP_PKEY" && field == "pkey") || // union (s == "GENERAL_NAME" && field == "d") || // union - (s == "X509_OBJECT" && field == "data") // union + (s == "X509_OBJECT" && field == "data") || // union + (s == "PKCS7" && field == "d") || // union + (s == "ASN1_TYPE" && field == "value") // union }); cfg.skip_signededness(|s| { s.ends_with("_cb") From 920ec61a584053b719b547ee0fb444f5087e0377 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 16 Jan 2023 14:37:54 +0100 Subject: [PATCH 03/84] Trigger build From b821f00a1d0fa45a653d401538e68977a332ab71 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 24 Feb 2023 17:29:33 +0100 Subject: [PATCH 04/84] Fixed review comments. --- openssl-sys/src/handwritten/asn1.rs | 7 --- openssl-sys/src/handwritten/object.rs | 1 + openssl-sys/src/handwritten/pkcs7.rs | 18 +++++- openssl-sys/src/handwritten/types.rs | 9 +-- openssl-sys/src/handwritten/x509.rs | 70 +++++++++++++++++++++++- openssl-sys/src/handwritten/x509_attr.rs | 60 -------------------- 6 files changed, 88 insertions(+), 77 deletions(-) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index e866b1ea90..6e1f8c9b66 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -10,11 +10,8 @@ pub struct ASN1_ENCODING { extern "C" { pub fn ASN1_OBJECT_free(x: *mut ASN1_OBJECT); - pub fn OBJ_cmp(a: *const ASN1_OBJECT, b: *const ASN1_OBJECT) -> c_int; } -pub enum ASN1_OBJECT {} - stack!(stack_st_ASN1_OBJECT); #[repr(C)] 
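Review bot: The two names added to `skip_struct`, `PKCS7_data` and `ASN1_TYPE_value`, carry no reason, unlike `X509_OBJECT_data` directly above them, which is marked `// inline union`. Each skip switches off a layout check, and these unions are exactly the types whose size and alignment matter for memory safety on the Rust side, so the reason belongs on the line: `s == "PKCS7_data" || // inline union` and `s == "ASN1_TYPE_value" // inline union`. The enclosing `PKCS7` and `ASN1_TYPE` structs appear to stay checked apart from the two fields added to `skip_field_type` in the next hunk, which is worth saying in a comment so nobody widens the skip later. `main` begins and ends outside both hunks.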
@@ -42,10 +39,6 @@ pub union ASN1_TYPE_value { pub generalizedtime: *mut ASN1_GENERALIZEDTIME, pub visiblestring: *mut ASN1_VISIBLESTRING, pub utf8string: *mut ASN1_UTF8STRING, - /* - * set and sequence are left complete and still contain the set or - * sequence bytes - */ pub set: *mut ASN1_STRING, pub sequence: *mut ASN1_STRING, pub asn1_value: *mut ASN1_VALUE, diff --git a/openssl-sys/src/handwritten/object.rs b/openssl-sys/src/handwritten/object.rs index d2c525b806..5b4599c20a 100644 --- a/openssl-sys/src/handwritten/object.rs +++ b/openssl-sys/src/handwritten/object.rs @@ -27,4 +27,5 @@ extern "C" { pub fn OBJ_length(obj: *const ASN1_OBJECT) -> libc::size_t; #[cfg(ossl111)] pub fn OBJ_get0_data(obj: *const ASN1_OBJECT) -> *const c_uchar; + pub fn OBJ_cmp(a: *const ASN1_OBJECT, b: *const ASN1_OBJECT) -> c_int; } diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index 2f76cab9c2..332586515a 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs @@ -1,9 +1,6 @@ use libc::*; use *; -// use x509::stack_st_X509; -// use x509_attr::stack_st_X509_ATTRIBUTE; - #[cfg(ossl300)] #[repr(C)] pub struct PKCS7_CTX { @@ -106,6 +103,9 @@ extern "C" { pub fn PKCS7_SIGN_ENVELOPE_free(info: *mut PKCS7_SIGN_ENVELOPE); pub fn PKCS7_DIGEST_free(info: *mut PKCS7_DIGEST); pub fn PKCS7_SIGNER_INFO_free(info: *mut PKCS7_SIGNER_INFO); + pub fn PKCS7_ENCRYPT_free(enc: *mut PKCS7_ENCRYPT); + pub fn PKCS7_ISSUER_AND_SERIAL_free(ias: *mut PKCS7_ISSUER_AND_SERIAL); + pub fn PKCS7_RECIP_INFO_free(info: *mut PKCS7_RECIP_INFO); } cfg_if! { 
@@ -189,6 +189,18 @@ cfg_if! { } stack!(stack_st_PKCS7_SIGNER_INFO); + +#[repr(C)] +pub struct PKCS7_RECIP_INFO { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub issuer_and_serial: *mut PKCS7_ISSUER_AND_SERIAL, + pub key_enc_algor: *mut X509_ALGOR, + pub enc_key: *mut ASN1_OCTET_STRING, + pub cert: *mut X509, /* get the pub-key from this */ + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, +} + stack!(stack_st_PKCS7_RECIP_INFO); extern "C" { diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index addc599abb..181340d486 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -3,16 +3,18 @@ use libc::*; #[allow(unused_imports)] use *; -#[derive(Copy, Clone)] -pub enum ASN1_BOOLEAN {} +pub enum ASN1_OBJECT {} +pub enum ASN1_VALUE {} + +pub type ASN1_BOOLEAN = c_int; pub enum ASN1_ENUMERATED {} pub enum ASN1_INTEGER {} pub enum ASN1_GENERALIZEDTIME {} pub enum ASN1_STRING {} pub enum ASN1_BIT_STRING {} pub enum ASN1_TIME {} -pub enum ASN1_OBJECT {} pub enum ASN1_OCTET_STRING {} +pub enum ASN1_NULL {} pub enum ASN1_PRINTABLESTRING {} pub enum ASN1_T61STRING {} pub enum ASN1_IA5STRING {} @@ -22,7 +24,6 @@ pub enum ASN1_UNIVERSALSTRING {} pub enum ASN1_UTCTIME {} pub enum ASN1_VISIBLESTRING {} pub enum ASN1_UTF8STRING {} -pub enum ASN1_VALUE {} pub enum bio_st {} // FIXME remove cfg_if! { diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 486f712c34..fc94bbb741 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -15,6 +15,10 @@ pub enum X509_EXTENSION {} stack!(stack_st_X509_EXTENSION); +pub enum X509_ATTRIBUTE {} + +stack!(stack_st_X509_ATTRIBUTE); + cfg_if! { if #[cfg(any(ossl110, libressl350))] { pub enum X509_REQ_INFO {} 
@@ -269,8 +273,6 @@ extern "C" { pub fn X509_EXTENSION_free(ext: *mut X509_EXTENSION); - pub fn X509_ATTRIBUTE_free(attr: *mut ::X509_ATTRIBUTE); - pub fn X509_NAME_ENTRY_free(x: *mut X509_NAME_ENTRY); pub fn X509_NAME_new() -> *mut X509_NAME; 
@@ -689,6 +691,68 @@ pub struct X509_PURPOSE { const_ptr_api! { extern "C" { pub fn X509_PURPOSE_get_by_sname(sname: #[const_ptr_if(any(ossl110, libressl280))] c_char) -> c_int; - pub fn X509_PURPOSE_get0(idx: c_int) -> *mut X509_PURPOSE; + } +} +extern "C" { + pub fn X509_PURPOSE_get0(idx: c_int) -> *mut X509_PURPOSE; +} + +extern "C" { + pub fn X509_ATTRIBUTE_new() -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_free(attr: *mut ::X509_ATTRIBUTE); + pub fn X509_ATTRIBUTE_create( + nid: c_int, + atrtype: c_int, + value: *mut c_void, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_NID( + attr: *mut *mut X509_ATTRIBUTE, + nid: c_int, + atrtype: c_int, + data: *const c_void, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_OBJ( + attr: *mut *mut X509_ATTRIBUTE, + obj: *const ASN1_OBJECT, + atrtype: c_int, + data: *const c_void, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_txt( + attr: *mut *mut X509_ATTRIBUTE, + atrname: *const c_char, + atrtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_set1_object(attr: *mut X509_ATTRIBUTE, obj: *const ASN1_OBJECT) -> c_int; + pub fn X509_ATTRIBUTE_set1_data( + attr: *mut X509_ATTRIBUTE, + attrtype: c_int, + data: *const c_void, + len: c_int, + ) -> c_int; + pub fn X509_ATTRIBUTE_get0_data( + attr: *mut X509_ATTRIBUTE, + idx: c_int, + atrtype: c_int, + data: *mut c_void, + ) -> *mut c_void; + pub fn X509_ATTRIBUTE_get0_object(attr: *mut X509_ATTRIBUTE) -> *mut ASN1_OBJECT; + pub fn X509_ATTRIBUTE_get0_type(attr: *mut X509_ATTRIBUTE, idx: c_int) -> *mut ASN1_TYPE; + pub fn d2i_X509_ATTRIBUTE( + a: *mut *mut X509_ATTRIBUTE, + pp: *mut *const c_uchar, + length: c_long, + ) -> *mut X509_ATTRIBUTE; +} +const_ptr_api! 
{ + extern "C" { + pub fn X509_ATTRIBUTE_count( + attr: #[const_ptr_if(any(ossl110, libressl280))] X509_ATTRIBUTE // const since OpenSSL v1.1.0 + ) -> c_int; + pub fn i2d_X509_ATTRIBUTE(x: #[const_ptr_if(ossl300)] X509_ATTRIBUTE, buf: *mut *mut u8) -> c_int; + pub fn X509_ATTRIBUTE_dup(x: #[const_ptr_if(ossl300)] X509_ATTRIBUTE) -> *mut X509_ATTRIBUTE; } } diff --git a/openssl-sys/src/handwritten/x509_attr.rs b/openssl-sys/src/handwritten/x509_attr.rs index b14be38619..e69de29bb2 100644 --- a/openssl-sys/src/handwritten/x509_attr.rs +++ b/openssl-sys/src/handwritten/x509_attr.rs 
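Review bot: `d2i_X509_ATTRIBUTE` parses caller-supplied DER and is added with no documentation of its pointer contract. For the d2i family, `pp` is advanced past the bytes consumed, `length` must not exceed what is readable at `*pp`, and, per OpenSSL's d2i documentation as I remember it, a non-null `*a` asks the library to reuse that object and free it on failure, which can leave the caller holding a dangling pointer; please check this against the supported versions. I would add `/// Wrappers should pass a null a; on error an object passed in *a may already be freed.` and `/// length must not exceed the bytes readable at *pp.` above the declaration. Note that `d2i_X509_ATTRIBUTE`, `i2d_X509_ATTRIBUTE` and `X509_ATTRIBUTE_dup` have no counterpart in the removed x509_attr.rs, so they are new surface rather than part of the move.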
@@ -1,60 +0,0 @@
-use libc::*;
-
-use *;
-
-pub enum X509_ATTRIBUTE {}
-
-stack!(stack_st_X509_ATTRIBUTE);
-
-extern "C" {
- pub fn X509_ATTRIBUTE_new() -> *mut X509_ATTRIBUTE;
- pub fn X509_ATTRIBUTE_create(
- nid: c_int,
- atrtype: c_int,
- value: *mut c_void,
- ) -> *mut X509_ATTRIBUTE;
- pub fn X509_ATTRIBUTE_create_by_NID(
- attr: *mut *mut X509_ATTRIBUTE,
- nid: c_int,
- atrtype: c_int,
- data: *const c_void,
- len: c_int,
- ) -> *mut X509_ATTRIBUTE;
- pub fn X509_ATTRIBUTE_create_by_OBJ(
- attr: *mut *mut X509_ATTRIBUTE,
- obj: *const ASN1_OBJECT,
- atrtype: c_int,
- data: *const c_void,
- len: c_int,
- ) -> *mut X509_ATTRIBUTE;
- pub fn X509_ATTRIBUTE_create_by_txt(
- attr: *mut *mut X509_ATTRIBUTE,
- atrname: *const c_char,
- atrtype: c_int,
- bytes: *const c_uchar,
- len: c_int,
- ) -> *mut X509_ATTRIBUTE;
- pub fn X509_ATTRIBUTE_set1_object(attr: *mut X509_ATTRIBUTE, obj: *const ASN1_OBJECT) -> c_int;
- pub fn X509_ATTRIBUTE_set1_data(
- attr: *mut X509_ATTRIBUTE,
- attrtype: c_int,
- data: *const c_void,
- len: c_int,
- ) -> c_int;
- pub fn X509_ATTRIBUTE_get0_data(
- attr: *mut X509_ATTRIBUTE,
- idx: c_int,
- atrtype: c_int,
- data: *mut c_void,
- ) -> *mut c_void;
- pub fn X509_ATTRIBUTE_get0_object(attr: *mut X509_ATTRIBUTE) -> *mut ASN1_OBJECT;
- pub fn X509_ATTRIBUTE_get0_type(attr: *mut X509_ATTRIBUTE, idx: c_int) -> *mut ASN1_TYPE;
-
-}
-const_ptr_api! {
- extern "C" {
- pub fn X509_ATTRIBUTE_count(
- attr: #[const_ptr_if(any(ossl110, libressl291))] X509_ATTRIBUTE // const since OpenSSL v1.1.0
- ) -> c_int;
- }
-}
From d77c6518873b063de9cc6bca4f708b765ffbb284 Mon Sep 17 00:00:00 2001
From: Bernd Krietenstein
Date: Fri, 24 Feb 2023 17:37:23 +0100
Subject: [PATCH 05/84] Removed emtpy x509_attr.rs
---
openssl-sys/src/handwritten/mod.rs | 2 --
openssl-sys/src/handwritten/x509_attr.rs | 0
2 files changed, 2 deletions(-)
delete mode 100644 openssl-sys/src/handwritten/x509_attr.rs
diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index fea7549898..28aa4aecd0 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -28,7 +28,6 @@ pub use self::stack::*; pub use self::tls1::*; pub use self::types::*; pub use self::x509::*; -pub use self::x509_attr::*; pub use self::x509_vfy::*; pub use self::x509v3::*; @@ -62,6 +61,5 @@ mod stack; mod tls1; mod types; mod x509; -mod x509_attr; mod x509_vfy; mod x509v3; diff --git a/openssl-sys/src/handwritten/x509_attr.rs b/openssl-sys/src/handwritten/x509_attr.rs deleted file mode 100644 index e69de29bb2..0000000000 From 0bd4876a951f2fe7da227daa2ee2e67cc7ee3ed3 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 24 Feb 2023 17:57:16 +0100 Subject: [PATCH 06/84] clippy. --- openssl-sys/src/handwritten/x509.rs | 6 +++--- openssl/src/sign.rs | 2 +- openssl/src/x509/mod.rs | 12 ++++++++++-- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index fc94bbb741..46ec3e14a9 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -365,8 +365,8 @@ const_ptr_api! { extern "C" { pub fn X509_REQ_get_attr_count(req: *const X509_REQ) -> c_int; pub fn X509_REQ_get_attr_by_NID(req: *const X509_REQ, nid: c_int, lastpos: c_int) -> c_int; - pub fn X509_REQ_get_attr(req: *const X509_REQ, loc: c_int) -> *mut ::X509_ATTRIBUTE; - pub fn X509_REQ_delete_attr(req: *mut X509_REQ, loc: c_int) -> *mut ::X509_ATTRIBUTE; + pub fn X509_REQ_get_attr(req: *const X509_REQ, loc: c_int) -> *mut X509_ATTRIBUTE; + pub fn X509_REQ_delete_attr(req: *mut X509_REQ, loc: c_int) -> *mut X509_ATTRIBUTE; pub fn X509_REQ_add1_attr_by_txt( req: *mut X509_REQ, attrname: *const c_char, 
@@ -699,7 +699,7 @@ extern "C" { extern "C" { pub fn X509_ATTRIBUTE_new() -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_free(attr: *mut ::X509_ATTRIBUTE); + pub fn X509_ATTRIBUTE_free(attr: *mut X509_ATTRIBUTE); pub fn X509_ATTRIBUTE_create( nid: c_int, atrtype: c_int, diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 9cfda48105..51738651c6 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -711,7 +711,7 @@ mod test { #[cfg(not(boringssl))] fn test_hmac(ty: MessageDigest, tests: &[(Vec, Vec, Vec)]) { - for &(ref key, ref data, ref res) in tests.iter() { + for (key, data, res) in tests.iter() { let pkey = PKey::hmac(key).unwrap(); let mut signer = Signer::new(ty, &pkey).unwrap(); signer.update(data).unwrap(); diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index d29a21e4af..2da41bd1a5 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -388,7 +388,10 @@ impl X509Ref { /// Returns the hash of the certificates subject #[corresponds(X509_subject_name_hash)] pub fn subject_name_hash(&self) -> u32 { - unsafe { ffi::X509_subject_name_hash(self.as_ptr()) as u32 } + #[allow(clippy::unnecessary_cast)] + unsafe { + ffi::X509_subject_name_hash(self.as_ptr()) as u32 + } } /// Returns this certificate's issuer name. @@ -403,7 +406,10 @@ impl X509Ref { /// Returns the hash of the certificates issuer #[corresponds(X509_issuer_name_hash)] pub fn issuer_name_hash(&self) -> u32 { - unsafe { ffi::X509_issuer_name_hash(self.as_ptr()) as u32 } + #[allow(clippy::unnecessary_cast)] + unsafe { + ffi::X509_issuer_name_hash(self.as_ptr()) as u32 + } } /// Returns this certificate's subject alternative name entries, if they exist. @@ -545,6 +551,7 @@ impl X509Ref { /// Note that `0` return value stands for version 1, `1` for version 2 and so on. #[corresponds(X509_get_version)] #[cfg(ossl110)] + #[allow(clippy::unnecessary_cast)] pub fn version(&self) -> i32 { unsafe { ffi::X509_get_version(self.as_ptr()) as i32 } } 
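Review bot: The `#[allow(clippy::unnecessary_cast)]` added to `subject_name_hash` has no comment saying why the cast stays, and the cast is not cosmetic: `as u32` presumably narrows a C `unsigned long` that is 64 bits wide on some targets, which would explain why clippy only objects on the others. A one-line reason keeps a later cleanup from deleting a needed conversion, e.g. `// c_ulong is wider than u32 on LP64 targets; the cast is a no-op only where clippy flags it.` The same applies to the identical attribute in the `issuer_name_hash` hunk and, with an analogous reason for `c_long as i32`, on the two `version` methods of `X509Ref` and `X509ReqRef`. Placement is also inconsistent, with two of the four attributes on the `unsafe` block and two on the function; the enclosing `impl` blocks continue outside the hunks.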
@@ -1359,6 +1366,7 @@ impl X509ReqRef { /// This corresponds to [`X509_REQ_get_version`] /// /// [`X509_REQ_get_version`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_version.html + #[allow(clippy::unnecessary_cast)] pub fn version(&self) -> i32 { unsafe { X509_REQ_get_version(self.as_ptr()) as i32 } } From 9f8c82161361da1eef0169fce7e4cac2b6094e53 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 27 Feb 2023 08:16:05 +0100 Subject: [PATCH 07/84] Removed invalid path operator. --- openssl-sys/src/handwritten/x509.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 46ec3e14a9..917b41e425 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -29,7 +29,7 @@ cfg_if! { pub version: *mut ::ASN1_INTEGER, pub subject: *mut ::X509_NAME, pubkey: *mut c_void, - pub attributes: *mut ::stack_st_X509_ATTRIBUTE, + pub attributes: *mut stack_st_X509_ATTRIBUTE, } } } From f13427168389420bc21011903ddb21c9d59be351 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 27 Feb 2023 09:44:10 +0100 Subject: [PATCH 08/84] Removed unnecessary cfg_if's. --- openssl-sys/src/handwritten/pkcs7.rs | 252 +++++++++++---------------- 1 file changed, 97 insertions(+), 155 deletions(-) diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index 332586515a..60dcfe0d64 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs 
@@ -8,92 +8,51 @@ pub struct PKCS7_CTX { propq: *mut c_char, } -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_SIGNED { - pub version: *mut ASN1_INTEGER, /* version 1 */ - pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ - pub cert: *mut stack_st_X509, /* [ 0 ] */ - pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ - pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, - pub contents: *mut PKCS7, - } - } else { - pub enum PKCS7_SIGNED {} - } +#[repr(C)] +pub struct PKCS7_SIGNED { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, + pub contents: *mut PKCS7, } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_ENC_CONTENT { - pub content_type: *mut ASN1_OBJECT, - pub algorithm: *mut X509_ALGOR, - pub enc_data: *mut ASN1_OCTET_STRING, /* [ 0 ] */ - pub cipher: *const EVP_CIPHER, - #[cfg(ossl300)] - pub ctx: *const PKCS7_CTX, - } - } else { - pub enum PKCS7_ENC_CONTENT {} - } +#[repr(C)] +pub struct PKCS7_ENC_CONTENT { + pub content_type: *mut ASN1_OBJECT, + pub algorithm: *mut X509_ALGOR, + pub enc_data: *mut ASN1_OCTET_STRING, /* [ 0 ] */ + pub cipher: *const EVP_CIPHER, + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_ENVELOPE { - pub version: *mut ASN1_INTEGER, /* version 0 */ - pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO, - pub enc_data: *mut PKCS7_ENC_CONTENT, - } - } else { - pub enum PKCS7_ENVELOPE {} - } +#[repr(C)] +pub struct PKCS7_ENVELOPE { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO, + pub enc_data: *mut PKCS7_ENC_CONTENT, } - -cfg_if! 
{ - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_SIGN_ENVELOPE { - pub version: *mut ASN1_INTEGER, /* version 1 */ - pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ - pub cert: *mut stack_st_X509, /* [ 0 ] */ - pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ - pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, - pub enc_data: *mut PKCS7_ENC_CONTENT, - pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO - } - } else { - pub enum PKCS7_SIGN_ENVELOPE {} - } +#[repr(C)] +pub struct PKCS7_SIGN_ENVELOPE { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, + pub enc_data: *mut PKCS7_ENC_CONTENT, + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_DIGEST { - pub version: *mut ASN1_INTEGER, /* version 0 */ - pub md: *mut X509_ALGOR, /* md used */ - pub contents: *mut PKCS7, - pub digest: *mut ASN1_OCTET_STRING, - } - } else { - pub enum PKCS7_DIGEST {} - } +#[repr(C)] +pub struct PKCS7_DIGEST { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub md: *mut X509_ALGOR, /* md used */ + pub contents: *mut PKCS7, + pub digest: *mut ASN1_OCTET_STRING, } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_ENCRYPT { - pub version: *mut ASN1_INTEGER, /* version 0 */ - pub enc_data: *mut PKCS7_ENC_CONTENT, - } - } else { - pub enum PKCS7_ENCRYPT {} - } +#[repr(C)] +pub struct PKCS7_ENCRYPT { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub enc_data: *mut PKCS7_ENC_CONTENT, } extern "C" { 
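Review bot: `PKCS7_SIGNED`, `PKCS7_ENC_CONTENT`, `PKCS7_ENVELOPE`, `PKCS7_SIGN_ENVELOPE`, `PKCS7_DIGEST` and `PKCS7_ENCRYPT` are now `#[repr(C)]` structs with public pointer fields on every build. The removed `cfg_if!` fell back to an opaque `pub enum … {}` outside `any(ossl101, libressl251)`. If any library version this crate still builds against falls outside that cfg (not visible from this hunk), safe-looking field access through these bindings would read offsets that were never matched against that library's pkcs7.h. I would either keep the opaque fallback or state the assumption above the first struct, e.g. `// Layout mirrors pkcs7.h; every supported OpenSSL/LibreSSL version must match it`. The same applies to `PKCS7`, `PKCS7_data`, `PKCS7_ISSUER_AND_SERIAL` and `PKCS7_SIGNER_INFO` in the next hunk of this file.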
@@ -108,84 +67,67 @@ extern "C" { pub fn PKCS7_RECIP_INFO_free(info: *mut PKCS7_RECIP_INFO); } -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7 { - /* - * The following is non NULL if it contains ASN1 encoding of this - * structure - */ - pub asn1: *mut c_uchar, - pub length: c_long, - // # define PKCS7_S_HEADER 0 - // # define PKCS7_S_BODY 1 - // # define PKCS7_S_TAIL 2 - pub state: c_int, /* used during processing */ - pub detached: c_int, - pub type_: *mut ASN1_OBJECT, - /* content as defined by the type */ - /* - * all encryption/message digests are applied to the 'contents', leaving - * out the 'type' field. - */ - pub d: PKCS7_data, - #[cfg(ossl300)] - pub ctx: PKCS7_CTX, - } - #[repr(C)] - pub union PKCS7_data { - pub ptr: *mut c_char, - /* NID_pkcs7_data */ - pub data: *mut ASN1_OCTET_STRING, - /* NID_pkcs7_signed */ - pub sign: *mut PKCS7_SIGNED, - /* NID_pkcs7_enveloped */ - pub enveloped: *mut PKCS7_ENVELOPE, - /* NID_pkcs7_signedAndEnveloped */ - pub signed_and_enveloped: *mut PKCS7_SIGN_ENVELOPE, - /* NID_pkcs7_digest */ - pub digest: *mut PKCS7_DIGEST, - /* NID_pkcs7_encrypted */ - pub encrypted: *mut PKCS7_ENCRYPT, - /* Anything else */ - pub other: *mut ASN1_TYPE, - } - } else { - pub enum PKCS7 {} - } +#[repr(C)] +pub struct PKCS7 { + /* + * The following is non NULL if it contains ASN1 encoding of this + * structure + */ + pub asn1: *mut c_uchar, + pub length: c_long, + // # define PKCS7_S_HEADER 0 + // # define PKCS7_S_BODY 1 + // # define PKCS7_S_TAIL 2 + pub state: c_int, /* used during processing */ + pub detached: c_int, + pub type_: *mut ASN1_OBJECT, + /* content as defined by the type */ + /* + * all encryption/message digests are applied to the 'contents', leaving + * out the 'type' field. + */ + pub d: PKCS7_data, + #[cfg(ossl300)] + pub ctx: PKCS7_CTX, } -cfg_if! 
{ - if #[cfg(any(ossl101, libressl))] { - #[repr(C)] - pub struct PKCS7_ISSUER_AND_SERIAL { - pub issuer: *mut X509_NAME, - pub serial: *mut ASN1_INTEGER, - } - } else { - pub enum PKCS7_ISSUER_AND_SERIAL {} - } +#[repr(C)] +pub union PKCS7_data { + pub ptr: *mut c_char, + /* NID_pkcs7_data */ + pub data: *mut ASN1_OCTET_STRING, + /* NID_pkcs7_signed */ + pub sign: *mut PKCS7_SIGNED, + /* NID_pkcs7_enveloped */ + pub enveloped: *mut PKCS7_ENVELOPE, + /* NID_pkcs7_signedAndEnveloped */ + pub signed_and_enveloped: *mut PKCS7_SIGN_ENVELOPE, + /* NID_pkcs7_digest */ + pub digest: *mut PKCS7_DIGEST, + /* NID_pkcs7_encrypted */ + pub encrypted: *mut PKCS7_ENCRYPT, + /* Anything else */ + pub other: *mut ASN1_TYPE, } -cfg_if! { - if #[cfg(any(ossl101, libressl))] { - #[repr(C)] - pub struct PKCS7_SIGNER_INFO { - pub version: *mut ASN1_INTEGER, /* version 1 */ - pub issuer_and_serial: *mut PKCS7_ISSUER_AND_SERIAL, - pub digest_alg: *mut X509_ALGOR, - pub auth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 0 ] */ - pub digest_enc_alg: *mut X509_ALGOR, - pub enc_digest: *mut ASN1_OCTET_STRING, - pub unauth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 1 ] */ - pub pkey: *mut EVP_PKEY, /* The private key to sign with */ - #[cfg(ossl300)] - pub ctx: *const PKCS7_CTX, - } - } else { - pub enum PKCS7_SIGNER_INFO {} - } +#[repr(C)] +pub struct PKCS7_ISSUER_AND_SERIAL { + pub issuer: *mut X509_NAME, + pub serial: *mut ASN1_INTEGER, +} + +#[repr(C)] +pub struct PKCS7_SIGNER_INFO { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub issuer_and_serial: *mut PKCS7_ISSUER_AND_SERIAL, + pub digest_alg: *mut X509_ALGOR, + pub auth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 0 ] */ + pub digest_enc_alg: *mut X509_ALGOR, + pub enc_digest: *mut ASN1_OCTET_STRING, + pub unauth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 1 ] */ + pub pkey: *mut EVP_PKEY, /* The private key to sign with */ + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, } stack!(stack_st_PKCS7_SIGNER_INFO); 
From 9c30e4e418c26c9e4adfff4bd64aae2713897564 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 27 Feb 2023 09:56:23 +0100 Subject: [PATCH 09/84] rustfmt hit me once more --- openssl-sys/src/handwritten/pkcs7.rs | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index 60dcfe0d64..754fc9e2b8 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs @@ -10,10 +10,10 @@ pub struct PKCS7_CTX { #[repr(C)] pub struct PKCS7_SIGNED { - pub version: *mut ASN1_INTEGER, /* version 1 */ + pub version: *mut ASN1_INTEGER, /* version 1 */ pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ - pub cert: *mut stack_st_X509, /* [ 0 ] */ - pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, pub contents: *mut PKCS7, } @@ -34,18 +34,18 @@ pub struct PKCS7_ENVELOPE { } #[repr(C)] pub struct PKCS7_SIGN_ENVELOPE { - pub version: *mut ASN1_INTEGER, /* version 1 */ + pub version: *mut ASN1_INTEGER, /* version 1 */ pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ - pub cert: *mut stack_st_X509, /* [ 0 ] */ - pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, pub enc_data: *mut PKCS7_ENC_CONTENT, - pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO, } #[repr(C)] pub struct PKCS7_DIGEST { pub version: *mut ASN1_INTEGER, /* version 0 */ - pub md: *mut X509_ALGOR, /* md used */ + pub md: *mut X509_ALGOR, /* md used */ pub contents: *mut PKCS7, pub digest: *mut ASN1_OCTET_STRING, } 
@@ -125,7 +125,7 @@ pub struct PKCS7_SIGNER_INFO { pub digest_enc_alg: *mut X509_ALGOR, pub enc_digest: *mut ASN1_OCTET_STRING, pub unauth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 1 ] */ - pub pkey: *mut EVP_PKEY, /* The private key to sign with */ + pub pkey: *mut EVP_PKEY, /* The private key to sign with */ #[cfg(ossl300)] pub ctx: *const PKCS7_CTX, } From 7632ba6e56812f8a56410730c439bbd83b10783c Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Fri, 17 Mar 2023 18:19:28 +0000 Subject: [PATCH 10/84] Add issuer_name and reason_code to X509RevokedRef --- openssl-sys/src/handwritten/asn1.rs | 4 ++ openssl-sys/src/handwritten/types.rs | 1 + openssl-sys/src/x509v3.rs | 11 ++++ openssl/src/asn1.rs | 26 ++++++++ openssl/src/x509/mod.rs | 93 +++++++++++++++++++++++++++- 5 files changed, 133 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index 7163a69d5e..f1bcc73f34 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -51,6 +51,10 @@ extern "C" { pub fn ASN1_TIME_set_string(s: *mut ASN1_TIME, str: *const c_char) -> c_int; #[cfg(ossl111)] pub fn ASN1_TIME_set_string_X509(s: *mut ASN1_TIME, str: *const c_char) -> c_int; + + pub fn ASN1_ENUMERATED_free(a: *mut ASN1_ENUMERATED); + #[cfg(ossl110)] + pub fn ASN1_ENUMERATED_get_int64(pr: *mut i64, a: *const ASN1_ENUMERATED) -> c_int; } const_ptr_api! { diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index b229a37597..3351ceabc4 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -4,6 +4,7 @@ use libc::*; use super::super::*; pub enum ASN1_INTEGER {} +pub enum ASN1_ENUMERATED {} pub enum ASN1_GENERALIZEDTIME {} pub enum ASN1_STRING {} pub enum ASN1_BIT_STRING {} diff --git a/openssl-sys/src/x509v3.rs b/openssl-sys/src/x509v3.rs index 5ae4439083..d2ff53489e 100644 --- a/openssl-sys/src/x509v3.rs +++ b/openssl-sys/src/x509v3.rs 
@@ -91,3 +91,14 @@ pub const X509_PURPOSE_OCSP_HELPER: c_int = 8; pub const X509_PURPOSE_TIMESTAMP_SIGN: c_int = 9; pub const X509_PURPOSE_MIN: c_int = 1; pub const X509_PURPOSE_MAX: c_int = 9; + +pub const CRL_REASON_UNSPECIFIED: c_int = 0; +pub const CRL_REASON_KEY_COMPROMISE: c_int = 1; +pub const CRL_REASON_CA_COMPROMISE: c_int = 2; +pub const CRL_REASON_AFFILIATION_CHANGED: c_int = 3; +pub const CRL_REASON_SUPERSEDED: c_int = 4; +pub const CRL_REASON_CESSATION_OF_OPERATION: c_int = 5; +pub const CRL_REASON_CERTIFICATE_HOLD: c_int = 6; +pub const CRL_REASON_REMOVE_FROM_CRL: c_int = 8; +pub const CRL_REASON_PRIVILEGE_WITHDRAWN: c_int = 9; +pub const CRL_REASON_AA_COMPROMISE: c_int = 10; diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index c0178c7e65..db752ad9f1 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -666,6 +666,32 @@ cfg_if! { } } +foreign_type_and_impl_send_sync! { + type CType = ffi::ASN1_ENUMERATED; + fn drop = ffi::ASN1_ENUMERATED_free; + + /// An ASN.1 enumerated. + pub struct Asn1Enumerated; + /// A reference to an [`Asn1Enumerated`]. + pub struct Asn1EnumeratedRef; +} + +impl Asn1EnumeratedRef { + /// Get the value, if it fits in the required bounds. + #[corresponds(ASN1_ENUMERATED_get)] + #[cfg(ossl110)] + pub fn get_i64(&self) -> Result { + let mut crl_reason = 0; + unsafe { + cvt(ffi::ASN1_ENUMERATED_get_int64( + &mut crl_reason, + self.as_ptr(), + ))?; + } + Ok(crl_reason) + } +} + #[cfg(test)] mod tests { use super::*; diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 5b55918750..e628e64a6d 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -24,8 +24,8 @@ use std::slice; use std::str; use crate::asn1::{ - Asn1BitStringRef, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, Asn1StringRef, Asn1TimeRef, - Asn1Type, + Asn1BitStringRef, Asn1Enumerated, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, Asn1StringRef, + Asn1TimeRef, Asn1Type, }; use crate::bio::MemBioSlice; use crate::conf::ConfRef; 
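Review bot: The `CRL_REASON_*` constants jump from 6 (`CRL_REASON_CERTIFICATE_HOLD`) to 8 (`CRL_REASON_REMOVE_FROM_CRL`) with no comment, which reads like a forgotten constant. RFC 5280 leaves value 7 unused in CRLReason, so I would add `// 7 is unused (RFC 5280, section 5.3.1)` above `CRL_REASON_REMOVE_FROM_CRL` to show that the gap is intentional.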
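Review bot: In `Asn1EnumeratedRef::get_i64` the out-variable is named `crl_reason`, but this type wraps any ASN.1 ENUMERATED and nothing in the method is CRL-specific. `let mut value = 0;` with `Ok(value)` describes it correctly for every caller. The doc line "if it fits in the required bounds" should also say what happens otherwise, e.g. `/// Returns an error if the value cannot be represented as an i64.`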
@@ -1481,6 +1481,37 @@ impl X509ReqRef { } } +/// The reason that a certificate was revoked. +#[derive(Debug, Copy, Clone, PartialEq, Eq)] +pub struct CrlReason(i64); + +#[allow(missing_docs)] // no need to document the constants +impl CrlReason { + pub const UNSPECIFIED: CrlReason = CrlReason(ffi::CRL_REASON_UNSPECIFIED as i64); + pub const KEY_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_KEY_COMPROMISE as i64); + pub const CA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_CA_COMPROMISE as i64); + pub const AFFILIATION_CHANGED: CrlReason = + CrlReason(ffi::CRL_REASON_AFFILIATION_CHANGED as i64); + pub const SUPERSEDED: CrlReason = CrlReason(ffi::CRL_REASON_SUPERSEDED as i64); + pub const CESSATION_OF_OPERATION: CrlReason = + CrlReason(ffi::CRL_REASON_CESSATION_OF_OPERATION as i64); + pub const CERTIFICATE_HOLD: CrlReason = CrlReason(ffi::CRL_REASON_CERTIFICATE_HOLD as i64); + pub const REMOVE_FROM_CRL: CrlReason = CrlReason(ffi::CRL_REASON_REMOVE_FROM_CRL as i64); + pub const PRIVILEGE_WITHDRAWN: CrlReason = + CrlReason(ffi::CRL_REASON_PRIVILEGE_WITHDRAWN as i64); + pub const AA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_AA_COMPROMISE as i64); + + /// Constructs an `CrlReason` from a raw OpenSSL value. + pub fn from_raw(value: i64) -> Self { + CrlReason(value) + } + + /// Returns the raw OpenSSL value represented by this type. + pub fn as_raw(&self) -> i64 { + self.0 + } +} + foreign_type_and_impl_send_sync! { type CType = ffi::X509_REVOKED; fn drop = ffi::X509_REVOKED_free; @@ -1513,6 +1544,13 @@ impl X509RevokedRef { ffi::i2d_X509_REVOKED } + /// Copies the entry to a new `X509Revoked`. + #[corresponds(X509_NAME_dup)] + #[cfg(any(boringssl, ossl110, libressl270))] + pub fn to_owned(&self) -> Result { + unsafe { cvt_p(ffi::X509_REVOKED_dup(self.as_ptr())).map(|n| X509Revoked::from_ptr(n)) } + } + /// Get the date that the certificate was revoked #[corresponds(X509_REVOKED_get0_revocationDate)] pub fn revocation_date(&self) -> &Asn1TimeRef { 
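Review bot: `#[corresponds(X509_NAME_dup)]` on `X509RevokedRef::to_owned` names the wrong C function. The body calls `ffi::X509_REVOKED_dup`, so the attribute should read `#[corresponds(X509_REVOKED_dup)]`. As far as I can tell the attribute is what ties the method to its OpenSSL documentation, so anyone checking the ownership semantics of the duplicated entry is currently pointed at the X509_NAME function instead. The enclosing `impl X509RevokedRef` starts and ends outside the hunk.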
@@ -1532,6 +1570,46 @@ impl X509RevokedRef { Asn1IntegerRef::from_ptr(r as *mut _) } } + + /// Get the issuer name of the revoked certificate + #[corresponds(X509_REVOKED_get_ext_d2i)] + pub fn issuer_name(&self) -> Option> { + // SAFETY: self.as_ptr() is a valid pointer to an X509_REVOKED. + unsafe { + let issuer_names = ffi::X509_REVOKED_get_ext_d2i( + self.as_ptr() as *const _, + // NID_certificate_issuer is a X509_REVOKED extension that + // returns a GENERAL_NAMES, which is a Stack + ffi::NID_certificate_issuer, + // Only one instance of the extension is permissable + ptr::null_mut(), + // Don't care if the extension is critical + ptr::null_mut(), + ); + Stack::from_ptr_opt(issuer_names as *mut _) + } + } + + /// Get the reason that the certificate was revoked + #[corresponds(X509_REVOKED_get_ext_d2i)] + #[cfg(ossl110)] + pub fn reason_code(&self) -> Option> { + let reason_code = unsafe { + // The return value may be NULL if the extension wasn't found or + // there were multiple, and we require only one. + Asn1Enumerated::from_ptr_opt(ffi::X509_REVOKED_get_ext_d2i( + // self.as_ptr() is a valid pointer to a X509_REVOKED + self.as_ptr() as *const _, + // NID_crl_reason is an X509_REVOKED extension that is an ASN1_ENUMERATED + ffi::NID_crl_reason, + // Only one instance of the extension is permissable + ptr::null_mut(), + // Don't care if the extension is critical + ptr::null_mut(), + ) as *mut _) + }?; + Some(reason_code.get_i64().map(CrlReason::from_raw)) + } } foreign_type_and_impl_send_sync! { 
@@ -1872,6 +1950,17 @@ impl GeneralNameRef { self.ia5_string(ffi::GEN_EMAIL) } + /// Returns the contents of this `GeneralName` if it is a `directoryName`. + pub fn directory_name(&self) -> Option<&X509NameRef> { + unsafe { + if (*self.as_ptr()).type_ != ffi::GEN_DIRNAME { + return None; + } + + Some(X509NameRef::from_const_ptr((*self.as_ptr()).d as *const _)) + } + } + /// Returns the contents of this `GeneralName` if it is a `dNSName`. pub fn dnsname(&self) -> Option<&str> { self.ia5_string(ffi::GEN_DNS) From 30aa4085e71c85637d6b1a9f9c4107e977a4a3d6 Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Mon, 27 Mar 2023 17:52:14 +0100 Subject: [PATCH 11/84] Expose X509_REVOKED_get_ext_d2i more directly --- openssl/src/asn1.rs | 2 +- openssl/src/nid.rs | 4 +- openssl/src/x509/mod.rs | 125 ++++++++++++++++++++++++---------------- 3 files changed, 78 insertions(+), 53 deletions(-) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index db752ad9f1..8599539add 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -678,7 +678,7 @@ foreign_type_and_impl_send_sync! { impl Asn1EnumeratedRef { /// Get the value, if it fits in the required bounds. - #[corresponds(ASN1_ENUMERATED_get)] + #[corresponds(ASN1_ENUMERATED_get_int64)] #[cfg(ossl110)] pub fn get_i64(&self) -> Result { let mut crl_reason = 0; diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index e4562a1c27..81b74d342f 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -51,13 +51,13 @@ pub struct Nid(c_int); #[allow(non_snake_case)] impl Nid { /// Create a `Nid` from an integer representation. - pub fn from_raw(raw: c_int) -> Nid { + pub const fn from_raw(raw: c_int) -> Nid { Nid(raw) } /// Return the integer representation of a `Nid`. #[allow(clippy::trivially_copy_pass_by_ref)] - pub fn as_raw(&self) -> c_int { + pub const fn as_raw(&self) -> c_int { self.0 } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index e628e64a6d..decb005efd 100644 --- a/openssl/src/x509/mod.rs 
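Review bot: The `unsafe` block in `GeneralNameRef::directory_name` reads the `d` member of the underlying GENERAL_NAME and reinterprets it as an `X509_NAME` pointer, with no `// SAFETY:` comment. The `type_ != ffi::GEN_DIRNAME` early return is what makes that reinterpretation sound, so it should be written down: `// SAFETY: type_ is GEN_DIRNAME, so d holds the directoryName X509_NAME pointer, borrowed for the lifetime of self`. Without it, nothing marks the guard as load-bearing if the function is later reshaped. The enclosing `impl GeneralNameRef` continues outside the hunk.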
+++ b/openssl/src/x509/mod.rs @@ -50,6 +50,15 @@ pub mod store; #[cfg(test)] mod tests; +/// A type of X509 extension. +/// +/// # Safety +/// The value of NID and Output must match those in OpenSSL so that +pub unsafe trait ExtensionType { + const NID: Nid; + type Output: ForeignType; +} + foreign_type_and_impl_send_sync! { type CType = ffi::X509_STORE_CTX; fn drop = ffi::X509_STORE_CTX_free; 
@@ -1483,31 +1492,28 @@ impl X509ReqRef { /// The reason that a certificate was revoked. #[derive(Debug, Copy, Clone, PartialEq, Eq)] -pub struct CrlReason(i64); +pub struct CrlReason(c_int); #[allow(missing_docs)] // no need to document the constants impl CrlReason { - pub const UNSPECIFIED: CrlReason = CrlReason(ffi::CRL_REASON_UNSPECIFIED as i64); - pub const KEY_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_KEY_COMPROMISE as i64); - pub const CA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_CA_COMPROMISE as i64); - pub const AFFILIATION_CHANGED: CrlReason = - CrlReason(ffi::CRL_REASON_AFFILIATION_CHANGED as i64); - pub const SUPERSEDED: CrlReason = CrlReason(ffi::CRL_REASON_SUPERSEDED as i64); - pub const CESSATION_OF_OPERATION: CrlReason = - CrlReason(ffi::CRL_REASON_CESSATION_OF_OPERATION as i64); - pub const CERTIFICATE_HOLD: CrlReason = CrlReason(ffi::CRL_REASON_CERTIFICATE_HOLD as i64); - pub const REMOVE_FROM_CRL: CrlReason = CrlReason(ffi::CRL_REASON_REMOVE_FROM_CRL as i64); - pub const PRIVILEGE_WITHDRAWN: CrlReason = - CrlReason(ffi::CRL_REASON_PRIVILEGE_WITHDRAWN as i64); - pub const AA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_AA_COMPROMISE as i64); + pub const UNSPECIFIED: CrlReason = CrlReason(ffi::CRL_REASON_UNSPECIFIED); + pub const KEY_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_KEY_COMPROMISE); + pub const CA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_CA_COMPROMISE); + pub const AFFILIATION_CHANGED: CrlReason = CrlReason(ffi::CRL_REASON_AFFILIATION_CHANGED); + pub const SUPERSEDED: CrlReason = CrlReason(ffi::CRL_REASON_SUPERSEDED); + pub const CESSATION_OF_OPERATION: CrlReason = CrlReason(ffi::CRL_REASON_CESSATION_OF_OPERATION); + pub const CERTIFICATE_HOLD: CrlReason = CrlReason(ffi::CRL_REASON_CERTIFICATE_HOLD); + pub const REMOVE_FROM_CRL: CrlReason = CrlReason(ffi::CRL_REASON_REMOVE_FROM_CRL); + pub const PRIVILEGE_WITHDRAWN: CrlReason = CrlReason(ffi::CRL_REASON_PRIVILEGE_WITHDRAWN); + pub const AA_COMPROMISE: 
CrlReason = CrlReason(ffi::CRL_REASON_AA_COMPROMISE); /// Constructs an `CrlReason` from a raw OpenSSL value. - pub fn from_raw(value: i64) -> Self { + pub const fn from_raw(value: c_int) -> Self { CrlReason(value) } /// Returns the raw OpenSSL value represented by this type. - pub fn as_raw(&self) -> i64 { + pub const fn as_raw(&self) -> c_int { self.0 } } 
@@ -1571,45 +1577,59 @@ impl X509RevokedRef { } } - /// Get the issuer name of the revoked certificate + /// Get the criticality and value of an extension. + /// + /// This returns None if the extension is not present or occurs multiple times. #[corresponds(X509_REVOKED_get_ext_d2i)] - pub fn issuer_name(&self) -> Option> { - // SAFETY: self.as_ptr() is a valid pointer to an X509_REVOKED. - unsafe { - let issuer_names = ffi::X509_REVOKED_get_ext_d2i( - self.as_ptr() as *const _, - // NID_certificate_issuer is a X509_REVOKED extension that - // returns a GENERAL_NAMES, which is a Stack - ffi::NID_certificate_issuer, - // Only one instance of the extension is permissable - ptr::null_mut(), - // Don't care if the extension is critical + pub fn extension(&self) -> Result, ErrorStack> { + let mut critical = -1; + let out = unsafe { + // SAFETY: self.as_ptr() is a valid pointer to an X509_REVOKED. + let ext = ffi::X509_REVOKED_get_ext_d2i( + self.as_ptr(), + T::NID.as_raw(), + &mut critical as *mut _, ptr::null_mut(), ); - Stack::from_ptr_opt(issuer_names as *mut _) + // SAFETY: Extensions's contract promises that the type returned by + // OpenSSL here is T::Output. + T::Output::from_ptr_opt(ext as *mut _) + }; + match (critical, out) { + (0, Some(out)) => Ok(Some((false, out))), + (1, Some(out)) => Ok(Some((true, out))), + // -1 means the extension wasn't found, -2 means multiple were found. + (-1 | -2, _) => Ok(None), + // A critical value of 0 or 1 suggests success, but a null pointer + // was returned so something went wrong. 
+ (0 | 1, None) => Err(ErrorStack::get()), + (..=-3 | 2.., _) => panic!("OpenSSL should only return -2, -1, 0, or 1 for an extension's criticality but it returned {}", critical), } } +} - /// Get the reason that the certificate was revoked - #[corresponds(X509_REVOKED_get_ext_d2i)] - #[cfg(ossl110)] - pub fn reason_code(&self) -> Option> { - let reason_code = unsafe { - // The return value may be NULL if the extension wasn't found or - // there were multiple, and we require only one. - Asn1Enumerated::from_ptr_opt(ffi::X509_REVOKED_get_ext_d2i( - // self.as_ptr() is a valid pointer to a X509_REVOKED - self.as_ptr() as *const _, - // NID_crl_reason is an X509_REVOKED extension that is an ASN1_ENUMERATED - ffi::NID_crl_reason, - // Only one instance of the extension is permissable - ptr::null_mut(), - // Don't care if the extension is critical - ptr::null_mut(), - ) as *mut _) - }?; - Some(reason_code.get_i64().map(CrlReason::from_raw)) - } +/// The CRL entry extension identifying the reason for revocation see [`CrlReason`], +/// this is as defined in RFC 5280 Section 5.3.1. +pub enum ReasonCode {} + +// SAFETY: CertificateIssuer is defined to be a stack of GeneralName in the RFC +// and in OpenSSL. +unsafe impl ExtensionType for ReasonCode { + const NID: Nid = Nid::from_raw(ffi::NID_crl_reason); + + type Output = Asn1Enumerated; +} + +/// The CRL entry extension identifying the issuer of a certificate used in +/// indirect CRLs, as defined in RFC 5280 Section 5.3.3. +pub enum CertificateIssuer {} + +// SAFETY: CertificateIssuer is defined to be a stack of GeneralName in the RFC +// and in OpenSSL. +unsafe impl ExtensionType for CertificateIssuer { + const NID: Nid = Nid::from_raw(ffi::NID_certificate_issuer); + + type Output = Stack; } foreign_type_and_impl_send_sync! { 
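Review bot: The `// SAFETY:` comment on `unsafe impl ExtensionType for ReasonCode` is a copy of the one on `CertificateIssuer` and describes a stack of GeneralName, while this impl declares `type Output = Asn1Enumerated`. `extension()` casts whatever `X509_REVOKED_get_ext_d2i` returns to `T::Output` purely on the strength of these impls, so the justification has to match the type: `// SAFETY: the CRL reason extension (NID_crl_reason) is decoded by OpenSSL as an ASN1_ENUMERATED.` Separately, the last match arm panics on an unexpected criticality value. That is a judgement call, but a library caller processing an untrusted CRL may be better served by an `Err`.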
@@ -1957,7 +1977,12 @@ impl GeneralNameRef { return None; } - Some(X509NameRef::from_const_ptr((*self.as_ptr()).d as *const _)) + #[cfg(boringssl)] + let d = (*self.as_ptr()).d.ptr; + #[cfg(not(boringssl))] + let d = (*self.as_ptr()).d; + + Some(X509NameRef::from_const_ptr(d as *const _)) } } From 3b25d11504f8547637b591fa4360df78cc6c2ac1 Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Mon, 27 Mar 2023 18:40:19 +0100 Subject: [PATCH 12/84] Use range pattern compatible with MSRV --- openssl/src/x509/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index decb005efd..a6ead63a2e 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1603,7 +1603,7 @@ impl X509RevokedRef { // A critical value of 0 or 1 suggests success, but a null pointer // was returned so something went wrong. (0 | 1, None) => Err(ErrorStack::get()), - (..=-3 | 2.., _) => panic!("OpenSSL should only return -2, -1, 0, or 1 for an extension's criticality but it returned {}", critical), + (c_int::MIN..=-2 | 2.., _) => panic!("OpenSSL should only return -2, -1, 0, or 1 for an extension's criticality but it returned {}", critical), } } } From 95680c816c55b617d2f5949cf2aedd060082840d Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Tue, 28 Mar 2023 12:08:27 +0100 Subject: [PATCH 13/84] Add test for CRL entry extensions --- openssl/src/x509/mod.rs | 1 + openssl/src/x509/tests.rs | 42 +++++++++++++++++++++++++++++-- openssl/test/entry_extensions.crl | 10 ++++++++ 3 files changed, 51 insertions(+), 2 deletions(-) create mode 100644 openssl/test/entry_extensions.crl diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index a6ead63a2e..e30dd80730 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs 
@@ -54,6 +54,7 @@ mod tests; /// /// # Safety /// The value of NID and Output must match those in OpenSSL so that +/// `Output::from_ptr_opt(*_get_ext_d2i(*, NID, ...))` is valid. pub unsafe trait ExtensionType { const NID: Nid; type Output: ForeignType; diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 57734f2665..7fb383631f 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -18,12 +18,12 @@ use crate::x509::store::X509Lookup; use crate::x509::store::X509StoreBuilder; #[cfg(any(ossl102, libressl261))] use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; -#[cfg(ossl110)] -use crate::x509::X509Builder; #[cfg(ossl102)] use crate::x509::X509PurposeId; #[cfg(any(ossl102, libressl261))] use crate::x509::X509PurposeRef; +#[cfg(ossl110)] +use crate::x509::{CrlReason, X509Builder}; use crate::x509::{ CrlStatus, X509Crl, X509Extension, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509, }; @@ -31,6 +31,8 @@ use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] use libc::time_t; +use super::{CertificateIssuer, ReasonCode}; + fn pkey() -> PKey { let rsa = Rsa::generate(2048).unwrap(); PKey::from_rsa(rsa).unwrap() 
@@ -611,6 +613,42 @@ fn test_load_crl() { ); } +#[test] +fn test_crl_entry_extensions() { + let crl = include_bytes!("../../test/entry_extensions.crl"); + let crl = X509Crl::from_pem(crl).unwrap(); + + let revoked_certs = crl.get_revoked().unwrap(); + let entry = &revoked_certs[0]; + + let (critical, issuer) = entry + .extension::() + .unwrap() + .expect("Certificate issuer extension should be present"); + assert!(critical, "Certificate issuer extension is critical"); + assert_eq!(issuer.len(), 1, "Certificate issuer should have one entry"); + let issuer = issuer[0] + .directory_name() + .expect("Issuer should be a directory name"); + assert_eq!( + format!("{:?}", issuer), + r#"[countryName = "GB", commonName = "Test CA"]"# + ); + + // reason_code can't be inspected without ossl110 + #[allow(unused_variables)] + let (critical, reason_code) = entry + .extension::() + .unwrap() + .expect("Reason code extension should be present"); + assert!(!critical, "Reason code extension is not critical"); + #[cfg(ossl110)] + assert_eq!( + CrlReason::KEY_COMPROMISE, + CrlReason::from_raw(reason_code.get_i64().unwrap() as ffi::c_int) + ); +} + #[test] fn test_save_subject_der() { let cert = include_bytes!("../../test/cert.pem"); diff --git a/openssl/test/entry_extensions.crl b/openssl/test/entry_extensions.crl new file mode 100644 index 0000000000..9654171cf1 --- /dev/null +++ b/openssl/test/entry_extensions.crl @@ -0,0 +1,10 @@ +-----BEGIN X509 CRL----- +MIIBXDCCAQICAQEwCgYIKoZIzj0EAwIwETEPMA0GA1UEAwwGQ1JMIENBFw0yMzAz +MjgwOTQ5MThaFw0yMzA0MDQwOTUwMDdaMIGAMH4CFE+Y95/1pOqa6c9fUEJ8c04k +xu2PFw0yMzAzMjgwOTQ3MzNaMFcwLwYDVR0dAQH/BCUwI6QhMB8xCzAJBgNVBAYT +AkdCMRAwDgYDVQQDDAdUZXN0IENBMAoGA1UdFQQDCgEBMBgGA1UdGAQRGA8yMDIz +MDMyODA5NDQ0MFqgPTA7MB8GA1UdIwQYMBaAFNX1GZ0RWuC+4gz1wuy5H32T2W+R +MAoGA1UdFAQDAgEUMAwGA1UdHAQFMAOEAf8wCgYIKoZIzj0EAwIDSAAwRQIgbl7x +W+WVAb+zlvKcJLmHVuC+gbqR4jqwGIHHgQl2J8kCIQCo/sAF5sDqy/cL+fbzBeUe +YoY2h6lIkj9ENwU8ZCt03w== +-----END X509 CRL----- 
From a27dd4d799702c44578b62572f2dcfed2022496b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 10 Apr 2023 14:45:28 +0800 Subject: [PATCH 14/84] update documentation to reflect libressl support --- openssl/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 5678298a03..7829b79cba 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -1,7 +1,7 @@ //! Bindings to OpenSSL //! //! This crate provides a safe interface to the popular OpenSSL cryptography library. OpenSSL versions 1.0.1 through -//! 3.x.x and LibreSSL versions 2.5 through 3.4.1 are supported. +//! 3.x.x and LibreSSL versions 2.5 through 3.7.x are supported. //! //! # Building //! From c2fbe9a1d6c85d1d43470b3f1188bf74056f0d51 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 15 Apr 2023 19:11:26 -0400 Subject: [PATCH 15/84] Fixes #1882 -- added APIs for setting public keys on Dh --- openssl/src/dh.rs | 46 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index e781543e27..f7246975b3 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -7,7 +7,7 @@ use std::ptr; use crate::bn::{BigNum, BigNumRef}; use crate::error::ErrorStack; -use crate::pkey::{HasParams, HasPrivate, HasPublic, Params, Private}; +use crate::pkey::{HasParams, HasPrivate, HasPublic, Params, Private, Public}; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; @@ -66,6 +66,16 @@ impl Dh { } } + /// Sets the public key on the DH object. + pub fn set_public_key(self, pub_key: BigNum) -> Result, ErrorStack> { + unsafe { + let dh_ptr = self.0; + cvt(DH_set0_key(dh_ptr, pub_key.as_ptr(), ptr::null_mut()))?; + mem::forget((self, pub_key)); + Ok(Dh::from_ptr(dh_ptr)) + } + } + /// Sets the private key on the DH object and recomputes the public key. pub fn set_private_key(self, priv_key: BigNum) -> Result, ErrorStack> { unsafe { 
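Review bot: `set_public_key` hands `pub_key` to `DH_set0_key` without any check on the value, and the doc comment does not say so. When the value comes from a peer, callers need to know that range and subgroup validation (OpenSSL provides `DH_check_pub_key`) is their responsibility before a shared secret is derived. I would extend the doc with `/// The key is stored as given; it is not validated against the group parameters.` and add `#[corresponds(DH_set0_key)]`, matching `generate_params`. The same applies to `set_key` in the next dh.rs hunk. The `impl` block begins and ends outside the hunk.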
@@ -79,6 +89,16 @@ impl Dh { } } + /// Sets the public and private keys on the DH object. + pub fn set_key(self, pub_key: BigNum, priv_key: BigNum) -> Result, ErrorStack> { + unsafe { + let dh_ptr = self.0; + cvt(DH_set0_key(dh_ptr, pub_key.as_ptr(), priv_key.as_ptr()))?; + mem::forget((self, pub_key, priv_key)); + Ok(Dh::from_ptr(dh_ptr)) + } + } + /// Generates DH params based on the given `prime_len` and a fixed `generator` value. #[corresponds(DH_generate_parameters_ex)] pub fn generate_params(prime_len: u32, generator: u32) -> Result, ErrorStack> { @@ -367,6 +387,30 @@ mod tests { assert_eq!(key1.private_key(), key2.private_key()); } + #[test] + #[cfg(ossl102)] + fn test_set_keys() { + let dh1 = Dh::get_2048_256().unwrap(); + let key1 = dh1.generate_key().unwrap(); + + let dh2 = Dh::get_2048_256().unwrap(); + let key2 = dh2 + .set_public_key(key1.public_key().to_owned().unwrap()) + .unwrap(); + + assert_eq!(key1.public_key(), key2.public_key()); + + let dh3 = Dh::get_2048_256().unwrap(); + let key3 = dh3 + .set_key( + key1.public_key().to_owned().unwrap(), + key1.private_key().to_owned().unwrap(), + ) + .unwrap(); + assert_eq!(key1.public_key(), key3.public_key()); + assert_eq!(key1.private_key(), key3.private_key()); + } + #[test] fn test_dh_from_pem() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); From 5e4815810b4ffe924a0dd7344bb5e584d58087fb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 16 Apr 2023 17:20:30 -0400 Subject: [PATCH 16/84] Fixes #1884 -- don't leave an error on the stack in public_eq --- openssl/src/pkey.rs | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index bec4bfdafc..c03b181c80 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs 
@@ -244,7 +244,11 @@ where where U: HasPublic, { - unsafe { ffi::EVP_PKEY_cmp(self.as_ptr(), other.as_ptr()) == 1 } + let res = unsafe { ffi::EVP_PKEY_cmp(self.as_ptr(), other.as_ptr()) == 1 }; + // Clear the stack. OpenSSL will put an error on the stack when the + // keys are different types in some situations. + let _ = ErrorStack::get(); + res } /// Raw byte representation of a public key. @@ -885,6 +889,7 @@ mod tests { use crate::dh::Dh; use crate::dsa::Dsa; use crate::ec::EcKey; + use crate::error::Error; use crate::nid::Nid; use crate::rsa::Rsa; use crate::symm::Cipher; @@ -1168,4 +1173,17 @@ mod tests { let key = PKey::ec_gen("prime256v1").unwrap(); assert!(key.ec_key().is_ok()); } + + #[test] + fn test_public_eq() { + let rsa = Rsa::generate(2048).unwrap(); + let pkey1 = PKey::from_rsa(rsa).unwrap(); + + let group = crate::ec::EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let ec_key = EcKey::generate(&group).unwrap(); + let pkey2 = PKey::from_ec_key(ec_key).unwrap(); + + assert!(!pkey1.public_eq(&pkey2)); + assert!(Error::get().is_none()); + } } From f0b752d251608e4c07d707ff688ce4fe23cf00d4 Mon Sep 17 00:00:00 2001 From: Martin Algesten Date: Tue, 18 Apr 2023 09:23:40 +0200 Subject: [PATCH 17/84] DTLS1 and DTLS1_2 SslVersion for set_min_proto_version() Expose constants to allow limiting the DTLS version. --- openssl-sys/src/tls1.rs | 3 +++ openssl/src/ssl/mod.rs | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/openssl-sys/src/tls1.rs b/openssl-sys/src/tls1.rs index f7ae302046..fd83da7ae4 100644 --- a/openssl-sys/src/tls1.rs +++ b/openssl-sys/src/tls1.rs @@ -10,6 +10,9 @@ pub const TLS1_2_VERSION: c_int = 0x303; #[cfg(any(ossl111, libressl340))] pub const TLS1_3_VERSION: c_int = 0x304; +pub const DTLS1_VERSION: c_int = 0xFEFF; +pub const DTLS1_2_VERSION: c_int = 0xFEFD; + pub const TLS1_AD_DECODE_ERROR: c_int = 50; pub const TLS1_AD_UNRECOGNIZED_NAME: c_int = 112; 
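Review bot: The doc comment of `public_eq` should describe two behaviours visible in this hunk. The `== 1` test folds the negative results of `EVP_PKEY_cmp` (different key types, unsupported comparison) into `false`, and `ErrorStack::get()` empties the whole thread error queue, not only the entry this call may have pushed. Suggested lines: `/// Returns false for keys of different types.` and `/// Clears the OpenSSL error queue as a side effect.`. The existing doc comment and the signature of `public_eq` lie outside the hunk.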
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 6ef356d36d..4ebf47dd09 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -644,6 +644,16 @@ impl SslVersion { /// Requires OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer. #[cfg(any(ossl111, libressl340))] pub const TLS1_3: SslVersion = SslVersion(ffi::TLS1_3_VERSION); + + /// DTLSv1.0 + /// + /// DTLS 1.0 corresponds to TLS 1.1. + pub const DTLS1: SslVersion = SslVersion(ffi::DTLS1_VERSION); + + /// DTLSv1.2 + /// + /// DTLS 1.2 corresponds to TLS 1.2 to harmonize versions. There was never a DTLS 1.1. + pub const DTLS1_2: SslVersion = SslVersion(ffi::DTLS1_2_VERSION); } cfg_if! { From 36fd9651f6239349fa4c750371615f90c45182fa Mon Sep 17 00:00:00 2001 From: Martin Algesten Date: Tue, 18 Apr 2023 10:01:39 +0200 Subject: [PATCH 18/84] Limit DTLS1.2 to openssl 1.0.2 and libressl 3.3.2 --- openssl-sys/src/tls1.rs | 1 + openssl/src/ssl/mod.rs | 1 + 2 files changed, 2 insertions(+) diff --git a/openssl-sys/src/tls1.rs b/openssl-sys/src/tls1.rs index fd83da7ae4..2cb08a91f3 100644 --- a/openssl-sys/src/tls1.rs +++ b/openssl-sys/src/tls1.rs @@ -11,6 +11,7 @@ pub const TLS1_2_VERSION: c_int = 0x303; pub const TLS1_3_VERSION: c_int = 0x304; pub const DTLS1_VERSION: c_int = 0xFEFF; +#[cfg(any(ossl102, libressl332))] pub const DTLS1_2_VERSION: c_int = 0xFEFD; pub const TLS1_AD_DECODE_ERROR: c_int = 50; diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 4ebf47dd09..5b8775c98c 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -653,6 +653,7 @@ impl SslVersion { /// DTLSv1.2 /// /// DTLS 1.2 corresponds to TLS 1.2 to harmonize versions. There was never a DTLS 1.1. + #[cfg(any(ossl102, libressl332))] pub const DTLS1_2: SslVersion = SslVersion(ffi::DTLS1_2_VERSION); } From 428a7e595cff993a6a869e9fafd8b34743e4bfbe Mon Sep 17 00:00:00 2001 
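Review bot: The doc comment on `DTLS1` does not mention that DTLS 1.0 is deprecated (RFC 8996 retires it together with TLS 1.0 and 1.1), so a reader picking a floor for `set_min_proto_version` gets no hint to avoid it. I would add a line such as `/// Deprecated by RFC 8996; prefer DTLS 1.2 as the minimum version.` below the existing text. The enclosing `impl SslVersion` block starts outside the hunk.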
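Review bot: `DTLS1_2` is now gated by `#[cfg(any(ossl102, libressl332))]`, but its doc comment does not state the requirement, while `TLS1_3` just above it documents its own gate. For consistency I would add `/// Requires OpenSSL 1.0.2 or LibreSSL 3.3.2 or newer.` to the doc comment of `DTLS1_2`.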
From: Alex Gaynor Date: Wed, 19 Apr 2023 20:01:17 -0400 Subject: [PATCH 19/84] Remove size_t-is-usize argument to bindgen It's been on by default for a while: https://github.com/rust-lang/rust-bindgen/commit/cc78b6fdb6e829e5fb8fa1639f2182cb49333569 --- openssl-sys/build/run_bindgen.rs | 2 -- 1 file changed, 2 deletions(-) diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 0c127ae5c6..3361786357 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -111,7 +111,6 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { .ctypes_prefix("::libc") .derive_default(false) .enable_function_attribute_detection() - .size_t_is_usize(true) .default_macro_constant_type(MacroTypeVariation::Signed) .rustified_enum("point_conversion_form_t") .allowlist_file(".*/openssl/[^/]+\\.h") @@ -167,7 +166,6 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { .arg("--ctypes-prefix=::libc") .arg("--no-derive-default") .arg("--enable-function-attribute-detection") - .arg("--size_t-is-usize") .arg("--default-macro-constant-type=signed") .arg("--rustified-enum=point_conversion_form_t") .arg("--allowlist-file=.*/openssl/[^/]+\\.h") From c7f91fc4e6b505d50c7ecaaaef5a74919672b425 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 19 Apr 2023 20:38:00 -0400 Subject: [PATCH 20/84] Update BoringSSL in CI --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e8bf8c9c86..b8314824b5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -153,7 +153,7 @@ jobs: - false library: - name: boringssl - version: 93e8d4463d59d671e9c5c6171226341f04b07907 + version: bcecc7d834fc44ad257b2f23f88e1cf597ab2736 - name: openssl version: vendored - name: openssl From a0bfb99e44e9709b4606a3a8ab5b76134a056b25 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Thu, 20 Apr 2023 04:12:28 -0400 Subject: [PATCH 21/84] Fix build for changes in boringssl paths --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b8314824b5..71deb57ab9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -310,7 +310,7 @@ jobs: - run: | mkdir -p .cargo echo '[patch.crates-io]' > .cargo/config.toml - echo 'bssl-sys = { path = "'$OPENSSL_DIR'/rust" }' >> .cargo/config.toml + echo 'bssl-sys = { path = "'$OPENSSL_DIR'/rust/bssl-sys" }' >> .cargo/config.toml if: matrix.library.name == 'boringssl' && !matrix.bindgen - uses: actions/cache@v3 with: From b2ca7210f258c2cf32b8e045d5d03e4f4a365260 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Apr 2023 04:12:40 -0400 Subject: [PATCH 22/84] Fix types for boringssl changes --- openssl/src/x509/mod.rs | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 00b467fb77..774fc4289b 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -986,13 +986,13 @@ impl X509NameBuilder { pub fn append_entry_by_text(&mut self, field: &str, value: &str) -> Result<(), ErrorStack> { unsafe { let field = CString::new(field).unwrap(); - assert!(value.len() <= c_int::max_value() as usize); + assert!(value.len() <= crate::SLenType::max_value() as usize); cvt(ffi::X509_NAME_add_entry_by_txt( self.0.as_ptr(), field.as_ptr() as *mut _, ffi::MBSTRING_UTF8, value.as_ptr(), - value.len() as c_int, + value.len() as crate::SLenType, -1, 0, )) 
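Review bot: The bound check and the cast remain two separate expressions in `append_entry_by_text`, `assert!(value.len() <= crate::SLenType::max_value() as usize)` and `value.len() as crate::SLenType`, so they can drift apart the next time the length type changes. One checked conversion, `let len = crate::SLenType::try_from(value.len()).expect("value too long");`, passed as the length argument, keeps the limit and the cast in one place; it assumes `SLenType`, which is defined outside this diff, is a primitive integer type and that `TryFrom` is in scope. The same pair appears in the three following hunks of this commit. The function body continues outside the hunk.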
@@ -1013,13 +1013,13 @@ impl X509NameBuilder { ) -> Result<(), ErrorStack> { unsafe { let field = CString::new(field).unwrap(); - assert!(value.len() <= c_int::max_value() as usize); + assert!(value.len() <= crate::SLenType::max_value() as usize); cvt(ffi::X509_NAME_add_entry_by_txt( self.0.as_ptr(), field.as_ptr() as *mut _, ty.as_raw(), value.as_ptr(), - value.len() as c_int, + value.len() as crate::SLenType, -1, 0, )) @@ -1034,13 +1034,13 @@ impl X509NameBuilder { /// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_NID.html pub fn append_entry_by_nid(&mut self, field: Nid, value: &str) -> Result<(), ErrorStack> { unsafe { - assert!(value.len() <= c_int::max_value() as usize); + assert!(value.len() <= crate::SLenType::max_value() as usize); cvt(ffi::X509_NAME_add_entry_by_NID( self.0.as_ptr(), field.as_raw(), ffi::MBSTRING_UTF8, value.as_ptr() as *mut _, - value.len() as c_int, + value.len() as crate::SLenType, -1, 0, )) @@ -1060,13 +1060,13 @@ impl X509NameBuilder { ty: Asn1Type, ) -> Result<(), ErrorStack> { unsafe { - assert!(value.len() <= c_int::max_value() as usize); + assert!(value.len() <= crate::SLenType::max_value() as usize); cvt(ffi::X509_NAME_add_entry_by_NID( self.0.as_ptr(), field.as_raw(), ty.as_raw(), value.as_ptr() as *mut _, - value.len() as c_int, + value.len() as crate::SLenType, -1, 0, )) From 9f9009392c8788b1b4e984b8a81ff919c28754e5 Mon Sep 17 00:00:00 2001 From: remigranotier <42846930+remigranotier@users.noreply.github.com> Date: Thu, 20 Apr 2023 16:54:09 +0200 Subject: [PATCH 23/84] Documentation typo for X509Crl Fixed x509Crl description from "a X509 certificate request" to "a X509 certificate revocation list" --- openssl/src/x509/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 774fc4289b..971fb982a6 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs 
@@ -1545,7 +1545,7 @@ foreign_type_and_impl_send_sync! { type CType = ffi::X509_REVOKED; fn drop = ffi::X509_REVOKED_free; - /// An `X509` certificate request. + /// An `X509` certificate revocation list. pub struct X509Revoked; /// Reference to `X509Crl`. pub struct X509RevokedRef; From 75a6e0e47db672987eed0cef48dc3860e8b153cf Mon Sep 17 00:00:00 2001 From: remigranotier <42846930+remigranotier@users.noreply.github.com> Date: Thu, 20 Apr 2023 16:59:03 +0200 Subject: [PATCH 24/84] [Documentation] fixed X509Crl and X509Revoked description in doc Pardon my previous MR, Ctrl+F tricked me... This one fixes (for good) descriptions for both X509Crl and X509Revoked --- openssl/src/x509/mod.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 971fb982a6..030770587e 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1545,9 +1545,9 @@ foreign_type_and_impl_send_sync! { type CType = ffi::X509_REVOKED; fn drop = ffi::X509_REVOKED_free; - /// An `X509` certificate revocation list. + /// An `X509` certificate revocation status. pub struct X509Revoked; - /// Reference to `X509Crl`. + /// Reference to `X509Revoked`. pub struct X509RevokedRef; } @@ -1659,7 +1659,7 @@ foreign_type_and_impl_send_sync! { type CType = ffi::X509_CRL; fn drop = ffi::X509_CRL_free; - /// An `X509` certificate request. + /// An `X509` certificate revocation list. pub struct X509Crl; /// Reference to `X509Crl`. pub struct X509CrlRef; From 2ac0d838ff5f78cd019c225075a3745e65ef6675 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 20 Apr 2023 13:15:44 -0600 Subject: [PATCH 25/84] add asn1octetstring creation support --- openssl-sys/src/handwritten/asn1.rs | 6 ++++ openssl/src/asn1.rs | 48 +++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index 13c233a473..fa43a7a5c1 100644 
--- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -51,9 +51,15 @@ extern "C" { #[cfg(any(all(ossl101, not(ossl110)), libressl))] pub fn ASN1_STRING_data(x: *mut ASN1_STRING) -> *mut c_uchar; pub fn ASN1_STRING_new() -> *mut ASN1_STRING; + pub fn ASN1_OCTET_STRING_new() -> *mut ASN1_OCTET_STRING; pub fn ASN1_STRING_free(x: *mut ASN1_STRING); pub fn ASN1_STRING_length(x: *const ASN1_STRING) -> c_int; pub fn ASN1_STRING_set(x: *mut ASN1_STRING, data: *const c_void, len_in: c_int) -> c_int; + pub fn ASN1_OCTET_STRING_set( + x: *mut ASN1_OCTET_STRING, + data: *const c_uchar, + len_in: c_int, + ) -> c_int; pub fn ASN1_BIT_STRING_free(x: *mut ASN1_BIT_STRING); pub fn ASN1_OCTET_STRING_free(x: *mut ASN1_OCTET_STRING); diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 8956f8d709..d75e05166e 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -28,6 +28,7 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_char, c_int, c_long, time_t}; use std::cmp::Ordering; +use std::convert::TryInto; use std::ffi::CString; use std::fmt; use std::ptr; 
@@ -611,6 +612,46 @@ impl Asn1BitStringRef { } } +foreign_type_and_impl_send_sync! { + type CType = ffi::ASN1_OCTET_STRING; + fn drop = ffi::ASN1_OCTET_STRING_free; + /// ASN.1 OCTET STRING type + pub struct Asn1OctetString; + /// A reference to an [`Asn1OctetString`]. + pub struct Asn1OctetStringRef; +} + +impl Asn1OctetString { + /// Creates an Asn1OctetString from bytes + pub fn new_from_bytes(value: &[u8]) -> Result { + ffi::init(); + unsafe { + let s = cvt_p(ffi::ASN1_OCTET_STRING_new())?; + ffi::ASN1_OCTET_STRING_set(s, value.as_ptr(), value.len().try_into().unwrap()); + Ok(Self::from_ptr(s)) + } + } +} + +impl Asn1OctetStringRef { + /// Returns the octet string as an array of bytes. + #[corresponds(ASN1_STRING_get0_data)] + pub fn as_slice(&self) -> &[u8] { + unsafe { slice::from_raw_parts(ASN1_STRING_get0_data(self.as_ptr().cast()), self.len()) } + } + + /// Returns the number of bytes in the octet string. + #[corresponds(ASN1_STRING_length)] + pub fn len(&self) -> usize { + unsafe { ffi::ASN1_STRING_length(self.as_ptr().cast()) as usize } + } + + /// Determines if the string is empty. + pub fn is_empty(&self) -> bool { + self.len() == 0 + } +} + foreign_type_and_impl_send_sync! { type CType = ffi::ASN1_OBJECT; fn drop = ffi::ASN1_OBJECT_free; @@ -859,4 +900,11 @@ mod tests { &[0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01], ); } + + #[test] + fn asn1_octet_string() { + let octet_string = Asn1OctetString::new_from_bytes(b"hello world").unwrap(); + assert_eq!(octet_string.as_slice(), b"hello world"); + assert_eq!(octet_string.len(), 11); + } } From 4e1bbee5f07d6edc505876566ad958edd0232bfa Mon Sep 17 00:00:00 2001 
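Review bot: `new_from_bytes` ignores the return value of `ffi::ASN1_OCTET_STRING_set`, so a failed copy still returns `Ok` with an empty string, and a panic from `try_into().unwrap()` leaks the raw `s`. Taking ownership first and checking the result closes both: `let s = Self::from_ptr(cvt_p(ffi::ASN1_OCTET_STRING_new())?);`, then `cvt(ffi::ASN1_OCTET_STRING_set(s.as_ptr(), value.as_ptr(), value.len().try_into().unwrap()))?;`, then `Ok(s)`; this assumes `cvt` is imported in `asn1.rs`, which the hunk does not show. Separately, `as_slice` passes the data pointer straight to `slice::from_raw_parts`, which must not receive a null pointer even for length 0, so a string without a buffer deserves a guard.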
From: Alex Gaynor Date: Thu, 13 Apr 2023 19:35:45 -0400 Subject: [PATCH 26/84] Introduce X509Extension::new_from_der and deprecate the bad APIs --- openssl/src/x509/extension.rs | 12 +++++++++ openssl/src/x509/mod.rs | 47 +++++++++++++++++++++++++++++++++-- openssl/src/x509/tests.rs | 18 +++++++++++++- 3 files changed, 74 insertions(+), 3 deletions(-) diff --git a/openssl/src/x509/extension.rs b/openssl/src/x509/extension.rs index f04d227960..075227dec3 100644 --- a/openssl/src/x509/extension.rs +++ b/openssl/src/x509/extension.rs @@ -67,6 +67,9 @@ impl BasicConstraints { } /// Return the `BasicConstraints` extension as an `X509Extension`. + // Temporarily silence the deprecation warning - this should be ported to + // `X509Extension::new_internal`. + #[allow(deprecated)] pub fn build(&self) -> Result { let mut value = String::new(); if self.critical { @@ -183,6 +186,9 @@ impl KeyUsage { } /// Return the `KeyUsage` extension as an `X509Extension`. + // Temporarily silence the deprecation warning - this should be ported to + // `X509Extension::new_internal`. + #[allow(deprecated)] pub fn build(&self) -> Result { let mut value = String::new(); let mut first = true; @@ -346,6 +352,9 @@ impl SubjectKeyIdentifier { } /// Return a `SubjectKeyIdentifier` extension as an `X509Extension`. + // Temporarily silence the deprecation warning - this should be ported to + // `X509Extension::new_internal`. + #[allow(deprecated)] pub fn build(&self, ctx: &X509v3Context<'_>) -> Result { let mut value = String::new(); let mut first = true; @@ -398,6 +407,9 @@ impl AuthorityKeyIdentifier { } /// Return a `AuthorityKeyIdentifier` extension as an `X509Extension`. + // Temporarily silence the deprecation warning - this should be ported to + // `X509Extension::new_internal`. + #[allow(deprecated)] pub fn build(&self, ctx: &X509v3Context<'_>) -> Result { let mut value = String::new(); let mut first = true; 
diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 030770587e..ea6fc13b72 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -24,8 +24,8 @@ use std::slice; use std::str; use crate::asn1::{ - Asn1BitStringRef, Asn1Enumerated, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, Asn1StringRef, - Asn1TimeRef, Asn1Type, + Asn1BitStringRef, Asn1Enumerated, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, + Asn1OctetStringRef, Asn1StringRef, Asn1TimeRef, Asn1Type, }; use crate::bio::MemBioSlice; use crate::conf::ConfRef; @@ -842,6 +842,13 @@ impl X509Extension { /// mini-language that can read arbitrary files. /// /// See the extension module for builder types which will construct certain common extensions. + /// + /// This function is deprecated, `X509Extension::new_from_der` or the + /// types in `x509::extension` should be used in its place. + #[deprecated( + note = "Use x509::extension types or new_from_der instead", + since = "0.10.51" + )] pub fn new( conf: Option<&ConfRef>, context: Option<&X509v3Context<'_>>, @@ -887,6 +894,13 @@ impl X509Extension { /// mini-language that can read arbitrary files. /// /// See the extension module for builder types which will construct certain common extensions. + /// + /// This function is deprecated, `X509Extension::new_from_der` or the + /// types in `x509::extension` should be used in its place. + #[deprecated( + note = "Use x509::extension types or new_from_der instead", + since = "0.10.51" + )] pub fn new_nid( conf: Option<&ConfRef>, context: Option<&X509v3Context<'_>>, 
@@ -921,6 +935,31 @@ impl X509Extension { } } + /// Constructs a new X509 extension value from its OID, whether it's + /// critical, and its DER contents. + /// + /// The extent structure of the DER value will vary based on the + /// extension type, and can generally be found in the RFC defining the + /// extension. + /// + /// For common extension types, there are Rust APIs provided in + /// `openssl::x509::extensions` which are more ergonomic. + pub fn new_from_der( + oid: &Asn1ObjectRef, + critical: bool, + der_contents: &Asn1OctetStringRef, + ) -> Result { + unsafe { + cvt_p(ffi::X509_EXTENSION_create_by_OBJ( + ptr::null_mut(), + oid.as_ptr(), + critical as _, + der_contents.as_ptr(), + )) + .map(X509Extension) + } + } + pub(crate) unsafe fn new_internal( nid: Nid, critical: bool, @@ -936,6 +975,10 @@ impl X509Extension { /// /// This method modifies global state without locking and therefore is not thread safe #[corresponds(X509V3_EXT_add_alias)] + #[deprecated( + note = "Use x509::extension types or new_from_der and then this is not necessary", + since = "0.10.51" + )] pub unsafe fn add_alias(to: Nid, from: Nid) -> Result<(), ErrorStack> { ffi::init(); cvt(ffi::X509V3_EXT_add_alias(to.as_raw(), from.as_raw())).map(|_| ()) diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 81801358b1..4e01d8d8a3 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -1,6 +1,6 @@ use std::cmp::Ordering; -use crate::asn1::Asn1Time; +use crate::asn1::{Asn1Object, Asn1OctetString, Asn1Time}; use crate::bn::{BigNum, MsbOption}; use crate::hash::MessageDigest; use crate::nid::Nid; @@ -290,6 +290,8 @@ fn x509_builder() { } #[test] +// This tests `X509Extension::new`, even though its deprecated. +#[allow(deprecated)] fn x509_extension_new() { assert!(X509Extension::new(None, None, "crlDistributionPoints", "section").is_err()); assert!(X509Extension::new(None, None, "proxyCertInfo", "").is_err()); 
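Review bot: The doc comment of `new_from_der` has two slips and one omission. "The extent structure" presumably means "The exact structure", and `openssl::x509::extensions` does not match the module name `x509::extension` used in the deprecation notes of this same commit. It should also say that `der_contents` is stored as given through `X509_EXTENSION_create_by_OBJ` and is not parsed or checked against the OID, so a caller building it from external input has to validate it first. I would also add `#[corresponds(X509_EXTENSION_create_by_OBJ)]`, as the neighbouring `add_alias` does for its function.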
@@ -297,6 +299,20 @@ fn x509_extension_new() { assert!(X509Extension::new(None, None, "subjectAltName", "dirName:section").is_err()); } +#[test] +fn x509_extension_new_from_der() { + let ext = X509Extension::new_from_der( + &Asn1Object::from_str("2.5.29.19").unwrap(), + true, + &Asn1OctetString::new_from_bytes(b"\x30\x03\x01\x01\xff").unwrap(), + ) + .unwrap(); + assert_eq!( + ext.to_der().unwrap(), + b"0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff" + ); +} + #[test] fn x509_extension_to_der() { let builder = X509::builder().unwrap(); From babb61c3812f85c25bb4fd105d46a2659823a8f9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Apr 2023 16:30:40 -0600 Subject: [PATCH 27/84] Release openssl v0.10.51 and openssl-sys v0.9.86 --- openssl-sys/CHANGELOG.md | 16 ++++++++++++++-- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 17 ++++++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 33 insertions(+), 6 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index b5d487759b..20e599b8ab 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,17 @@ ## [Unreleased] +## [v0.9.86] - 2023-04-20 + +### Fixed + +* Fixed BoringSSL support with the latest bindgen release. + +### Added + +* Added bindings for PKCS#7 functions and more X.509 functions. + + ## [v0.9.85] - 2023-04-09 ### Added 
@@ -424,8 +435,9 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85..master -[v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.85 +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86..master +[v0.9.86]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.86 +[v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.84...openssl-sys-v0.9.85 [v0.9.84]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.83...openssl-sys-v0.9.84 [v0.9.83]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.82...openssl-sys-v0.9.83 [v0.9.82]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.81...openssl-sys-v0.9.82 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index cad799a3a4..c5cced2880 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.85" +version = "0.9.86" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 3730cf5ce5..f4eca89166 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,20 @@ ## [Unreleased] +## [v0.10.51] - 2023-04-20 + +### Added + +* Added `X509RevokedRef::issuer_name` and `X509RevokedRef::reason_code`. +* Added `Dh::set_key` and `Dh::set_public_key` +* Added `Asn1OctetString` and `Asn1OctetStringRef1` +* Added `X509Extension::new_from_der` + +### Deprecated + +* Deprecated `X509Extension::new` and `X509Extension::new_nid` in favor of `X509Extension::new_from_der` and the `extensions` module. +* Deprecated `X509Extension::add_alias`, it is not required with `new_from_der` or the `extensions` module. + ## [v0.10.50] - 2023-04-09 ### Added 
@@ -724,7 +738,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...master +[v0.10.51]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...openssl-v0.10.51 [v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 [v0.10.49]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.48...openssl-v0.10.49 [v0.10.48]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...openssl-v0.10.48 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 699273d114..ba72250c92 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.50" +version = "0.10.51" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.85", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.86", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 0a3cca2178a08a318cacc5c4d4938daf55ac3979 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Apr 2023 18:37:40 -0600 Subject: [PATCH 28/84] Expose BigNum::to_vec_padded on libressl --- openssl-sys/src/handwritten/bn.rs | 2 +- openssl/src/bn.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/handwritten/bn.rs b/openssl-sys/src/handwritten/bn.rs index 81348f692a..5457f61710 100644 --- a/openssl-sys/src/handwritten/bn.rs +++ b/openssl-sys/src/handwritten/bn.rs 
@@ -23,7 +23,7 @@ extern "C" { pub fn BN_clear_free(bn: *mut BIGNUM); pub fn BN_bin2bn(s: *const u8, size: c_int, ret: *mut BIGNUM) -> *mut BIGNUM; pub fn BN_bn2bin(a: *const BIGNUM, to: *mut u8) -> c_int; - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl340))] pub fn BN_bn2binpad(a: *const BIGNUM, to: *mut u8, tolen: c_int) -> c_int; pub fn BN_sub(r: *mut BIGNUM, a: *const BIGNUM, b: *const BIGNUM) -> c_int; pub fn BN_add(r: *mut BIGNUM, a: *const BIGNUM, b: *const BIGNUM) -> c_int; diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index 0328730a23..5cfe4b375d 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -814,7 +814,7 @@ impl BigNumRef { /// assert_eq!(&bn_vec, &[0, 0, 0x45, 0x43]); /// ``` #[corresponds(BN_bn2binpad)] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl340, boringssl))] pub fn to_vec_padded(&self, pad_to: i32) -> Result, ErrorStack> { let mut v = Vec::with_capacity(pad_to as usize); unsafe { From 4438bd5092f396111dc367fbda6abd54ff6f126f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 20 Apr 2023 20:54:16 -0600 Subject: [PATCH 29/84] add support for DH check key I am sorry, no one should need this. Stop doing finite field DH. Fields weren't meant to be finite --- openssl-sys/src/handwritten/dh.rs | 1 + openssl/src/dh.rs | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/openssl-sys/src/handwritten/dh.rs b/openssl-sys/src/handwritten/dh.rs index a4de122eac..87a0817ce5 100644 --- a/openssl-sys/src/handwritten/dh.rs +++ b/openssl-sys/src/handwritten/dh.rs @@ -3,6 +3,7 @@ use super::super::*; extern "C" { pub fn DH_new() -> *mut DH; pub fn DH_free(dh: *mut DH); + pub fn DH_check(dh: *const DH, codes: *mut c_int) -> c_int; pub fn DH_generate_parameters( prime_len: c_int, diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index f7246975b3..7445e3408c 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs 
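Review bot: `to_vec_padded` takes `pad_to: i32` and starts with `Vec::with_capacity(pad_to as usize)`, so a negative argument becomes an enormous capacity request and panics before OpenSSL is called; with the wider `#[cfg(any(ossl110, libressl340, boringssl))]` gate this reaches more builds. The doc comment should at least carry a `/// # Panics` section with `/// Panics if pad_to is negative.`. The rest of the body is outside the hunk, so whether a later check exists cannot be seen here, but nothing precedes the allocation.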
@@ -39,6 +39,16 @@ where params_to_der, ffi::i2d_DHparams } + + /// Validates DH parameters for correctness + #[corresponds(DH_check_key)] + pub fn check_key(&self) -> Result { + unsafe { + let mut codes = 0; + cvt(ffi::DH_check(self.as_ptr(), &mut codes))?; + Ok(codes == 0) + } + } } impl Dh { @@ -457,4 +467,14 @@ mod tests { assert_eq!(shared_a, shared_b); } + + #[test] + fn test_dh_check_key() { + let dh1 = Dh::generate_params(512, 2).unwrap(); + let p = BigNum::from_hex_str("04").unwrap(); + let g = BigNum::from_hex_str("02").unwrap(); + let dh2 = Dh::from_pqg(p, None, g).unwrap(); + assert!(dh1.check_key().unwrap()); + assert!(!dh2.check_key().unwrap()); + } } From 1c46f360af0c141ae755562bd7090e25264f3e9f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 20 Apr 2023 21:58:04 -0600 Subject: [PATCH 30/84] add poly1305 EVP_PKEY type --- openssl-sys/src/evp.rs | 2 ++ openssl-sys/src/obj_mac.rs | 2 ++ openssl/src/pkey.rs | 2 ++ 3 files changed, 6 insertions(+) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 69b49fbb0b..72ca2434fc 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -20,6 +20,8 @@ pub const EVP_PKEY_X448: c_int = NID_X448; pub const EVP_PKEY_ED448: c_int = NID_ED448; pub const EVP_PKEY_HMAC: c_int = NID_hmac; pub const EVP_PKEY_CMAC: c_int = NID_cmac; +#[cfg(ossl111)] +pub const EVP_PKEY_POLY1305: c_int = NID_poly1305; #[cfg(ossl110)] pub const EVP_PKEY_HKDF: c_int = NID_hkdf; diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 1f8e10003a..22bfccba3f 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -927,6 +927,8 @@ pub const NID_X448: c_int = 1035; #[cfg(ossl110)] pub const NID_hkdf: c_int = 1036; #[cfg(ossl111)] +pub const NID_poly1305: c_int = 1061; +#[cfg(ossl111)] pub const NID_ED25519: c_int = 1087; #[cfg(libressl370)] pub const NID_ED25519: c_int = 952; diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index c03b181c80..cec1c482e1 100644 
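Review bot: `#[corresponds(DH_check_key)]` names a function that the body does not call; the call is `ffi::DH_check`, which validates the parameters, as the doc comment says. The method name `check_key` therefore suggests a key validation that does not happen, and a caller may rely on it for a peer's public value. I would change the attribute to `#[corresponds(DH_check)]` and add to the doc comment `/// Only the parameters are checked; the public and private values are not.`.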
--- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -97,6 +97,8 @@ impl Id { pub const X25519: Id = Id(ffi::EVP_PKEY_X25519); #[cfg(ossl111)] pub const X448: Id = Id(ffi::EVP_PKEY_X448); + #[cfg(ossl111)] + pub const POLY1305: Id = Id(ffi::EVP_PKEY_POLY1305); /// Creates a `Id` from an integer representation. pub fn from_raw(value: c_int) -> Id { From e073b4d2b06596acfa6cf380c030ca7843a78fda Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Tue, 18 Apr 2023 23:36:09 +0800 Subject: [PATCH 31/84] add more x509 extension helper functions --- openssl-sys/src/handwritten/x509v3.rs | 8 ++++++ openssl/src/x509/mod.rs | 40 +++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 4a15f3df5f..fb517df904 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -102,6 +102,14 @@ extern "C" { pub fn X509_get_key_usage(x: *mut X509) -> u32; #[cfg(ossl110)] pub fn X509_get_extended_key_usage(x: *mut X509) -> u32; + #[cfg(ossl110)] + pub fn X509_get0_subject_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; + #[cfg(ossl110)] + pub fn X509_get0_authority_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; + #[cfg(ossl110)] + pub fn X509_get0_authority_issuer(x: *mut X509) -> *const stack_st_GENERAL_NAME; + #[cfg(ossl110)] + pub fn X509_get0_authority_serial(x: *mut X509) -> *const ASN1_INTEGER; } #[repr(C)] diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index ea6fc13b72..796ee2f09f 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs 
@@ -483,6 +483,46 @@ impl X509Ref { } } + /// Returns this certificate's subject key id, if it exists. + #[corresponds(X509_get0_subject_key_id)] + #[cfg(ossl110)] + pub fn subject_key_id(&self) -> Option<&Asn1StringRef> { + unsafe { + let data = ffi::X509_get0_subject_key_id(self.as_ptr()); + Asn1StringRef::from_const_ptr_opt(data as *const _) + } + } + + /// Returns this certificate's authority key id, if it exists. + #[corresponds(X509_get0_authority_key_id)] + #[cfg(ossl110)] + pub fn authority_key_id(&self) -> Option<&Asn1StringRef> { + unsafe { + let data = ffi::X509_get0_authority_key_id(self.as_ptr()); + Asn1StringRef::from_const_ptr_opt(data as *const _) + } + } + + /// Returns this certificate's authority issuer name entries, if they exist. + #[corresponds(X509_get0_authority_issuer)] + #[cfg(ossl110)] + pub fn authority_issuer(&self) -> Option> { + unsafe { + let stack = ffi::X509_get0_authority_issuer(self.as_ptr()); + Stack::from_ptr_opt(stack as *mut _) + } + } + + /// Returns this certificate's authority serial number, if it exists. + #[corresponds(X509_get0_authority_serial)] + #[cfg(ossl110)] + pub fn authority_serial(&self) -> Option<&Asn1IntegerRef> { + unsafe { + let r = ffi::X509_get0_authority_serial(self.as_ptr()); + Asn1IntegerRef::from_const_ptr_opt(r) + } + } + #[corresponds(X509_get_pubkey)] pub fn public_key(&self) -> Result, ErrorStack> { unsafe { From e8108cb202dc38b0f272c7df1fee79d0723bc6d8 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Tue, 18 Apr 2023 23:46:11 +0800 Subject: [PATCH 32/84] update cfg flag --- openssl-sys/src/handwritten/x509v3.rs | 14 +++++++------- openssl/src/x509/mod.rs | 8 ++++---- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index fb517df904..08f1648435 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs 
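Review bot: `authority_issuer` builds an owned value with `Stack::from_ptr_opt(stack as *mut _)` from the pointer returned by `X509_get0_authority_issuer`, which is a borrowed `*const` into the certificate. Assuming `Stack` frees its contents on drop like the crate's other owning wrappers, dropping the result would free memory the `X509` still owns. The other three accessors in this hunk return references via `from_const_ptr_opt`; this one should do the same, for example `pub fn authority_issuer(&self) -> Option<&StackRef<GeneralName>>` with the body `StackRef::from_const_ptr_opt(stack)`. The generic parameters are stripped on this page, so the element type is inferred from the FFI declaration.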
@@ -96,19 +96,19 @@ extern "C" { indent: c_int, ) -> c_int; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get_extension_flags(x: *mut X509) -> u32; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get_key_usage(x: *mut X509) -> u32; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get_extended_key_usage(x: *mut X509) -> u32; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get0_subject_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get0_authority_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get0_authority_issuer(x: *mut X509) -> *const stack_st_GENERAL_NAME; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get0_authority_serial(x: *mut X509) -> *const ASN1_INTEGER; } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 796ee2f09f..d0ca9d3c63 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -485,7 +485,7 @@ impl X509Ref { /// Returns this certificate's subject key id, if it exists. #[corresponds(X509_get0_subject_key_id)] - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn subject_key_id(&self) -> Option<&Asn1StringRef> { unsafe { let data = ffi::X509_get0_subject_key_id(self.as_ptr()); @@ -495,7 +495,7 @@ impl X509Ref { /// Returns this certificate's authority key id, if it exists. #[corresponds(X509_get0_authority_key_id)] - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn authority_key_id(&self) -> Option<&Asn1StringRef> { unsafe { let data = ffi::X509_get0_authority_key_id(self.as_ptr()); @@ -505,7 +505,7 @@ impl X509Ref { /// Returns this certificate's authority issuer name entries, if they exist. #[corresponds(X509_get0_authority_issuer)] - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn authority_issuer(&self) -> Option> { unsafe { let stack = ffi::X509_get0_authority_issuer(self.as_ptr()); 
@@ -515,7 +515,7 @@ impl X509Ref { /// Returns this certificate's authority serial number, if it exists. #[corresponds(X509_get0_authority_serial)] - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn authority_serial(&self) -> Option<&Asn1IntegerRef> { unsafe { let r = ffi::X509_get0_authority_serial(self.as_ptr()); From eefdcd0435626e3689a18d394769b35798c0bf63 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Fri, 21 Apr 2023 22:18:55 +0800 Subject: [PATCH 33/84] update cfg condition and use new Asn1OctetString --- openssl-sys/src/handwritten/x509v3.rs | 10 +++++----- openssl/src/x509/mod.rs | 12 ++++++------ 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 08f1648435..09a92640b6 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -96,15 +96,15 @@ extern "C" { indent: c_int, ) -> c_int; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get_extension_flags(x: *mut X509) -> u32; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get_key_usage(x: *mut X509) -> u32; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get_extended_key_usage(x: *mut X509) -> u32; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get0_subject_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get0_authority_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; #[cfg(ossl111)] pub fn X509_get0_authority_issuer(x: *mut X509) -> *const stack_st_GENERAL_NAME; diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index d0ca9d3c63..2946ee1e63 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs 
@@ -485,21 +485,21 @@ impl X509Ref { /// Returns this certificate's subject key id, if it exists. #[corresponds(X509_get0_subject_key_id)] - #[cfg(ossl111)] - pub fn subject_key_id(&self) -> Option<&Asn1StringRef> { + #[cfg(ossl110)] + pub fn subject_key_id(&self) -> Option<&Asn1OctetStringRef> { unsafe { let data = ffi::X509_get0_subject_key_id(self.as_ptr()); - Asn1StringRef::from_const_ptr_opt(data as *const _) + Asn1OctetStringRef::from_const_ptr_opt(data) } } /// Returns this certificate's authority key id, if it exists. #[corresponds(X509_get0_authority_key_id)] - #[cfg(ossl111)] - pub fn authority_key_id(&self) -> Option<&Asn1StringRef> { + #[cfg(ossl110)] + pub fn authority_key_id(&self) -> Option<&Asn1OctetStringRef> { unsafe { let data = ffi::X509_get0_authority_key_id(self.as_ptr()); - Asn1StringRef::from_const_ptr_opt(data as *const _) + Asn1OctetStringRef::from_const_ptr_opt(data) } } From ec747f417ed9c18f43498c175ac656edb635b915 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 22 Apr 2023 09:07:52 -0600 Subject: [PATCH 34/84] Don't restrict the Signer lifetime Creating a new EVP_PKEY_CTX uprefs the EVP_PKEY --- openssl/src/sign.rs | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 406bb42e8f..a32f5c9144 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -117,10 +117,10 @@ pub struct Signer<'a> { _p: PhantomData<&'a ()>, } -unsafe impl<'a> Sync for Signer<'a> {} -unsafe impl<'a> Send for Signer<'a> {} +unsafe impl Sync for Signer<'_> {} +unsafe impl Send for Signer<'_> {} -impl<'a> Drop for Signer<'a> { +impl Drop for Signer<'_> { fn drop(&mut self) { // pkey_ctx is owned by the md_ctx, so no need to explicitly free it. unsafe { @@ -130,7 +130,7 @@ impl<'a> Drop for Signer<'a> { } #[allow(clippy::len_without_is_empty)] -impl<'a> Signer<'a> { +impl Signer<'_> { /// Creates a new `Signer`. /// /// This cannot be used with Ed25519 or Ed448 keys. Please refer to 
@@ -139,7 +139,7 @@ impl<'a> Signer<'a> { /// OpenSSL documentation at [`EVP_DigestSignInit`]. /// /// [`EVP_DigestSignInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html - pub fn new(type_: MessageDigest, pkey: &'a PKeyRef) -> Result, ErrorStack> + pub fn new<'a, T>(type_: MessageDigest, pkey: &PKeyRef) -> Result, ErrorStack> where T: HasPrivate, { @@ -154,16 +154,16 @@ impl<'a> Signer<'a> { /// OpenSSL documentation at [`EVP_DigestSignInit`]. /// /// [`EVP_DigestSignInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html - pub fn new_without_digest(pkey: &'a PKeyRef) -> Result, ErrorStack> + pub fn new_without_digest<'a, T>(pkey: &PKeyRef) -> Result, ErrorStack> where T: HasPrivate, { Self::new_intern(None, pkey) } - fn new_intern( + fn new_intern<'a, T>( type_: Option, - pkey: &'a PKeyRef, + pkey: &PKeyRef, ) -> Result, ErrorStack> where T: HasPrivate, From 3f2e02bbff532f2c6aa28950cfe8dd1108144f5e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 22 Apr 2023 13:42:21 -0600 Subject: [PATCH 35/84] add low level cmac bindings these are deprecated in ossl3, but the only common interface across openssl, libressl, and boring --- openssl-sys/src/handwritten/cmac.rs | 18 ++++++++++++++++++ openssl-sys/src/handwritten/mod.rs | 2 ++ openssl-sys/src/handwritten/types.rs | 2 ++ systest/build.rs | 1 + 4 files changed, 23 insertions(+) create mode 100644 openssl-sys/src/handwritten/cmac.rs diff --git a/openssl-sys/src/handwritten/cmac.rs b/openssl-sys/src/handwritten/cmac.rs new file mode 100644 index 0000000000..e44094d21a --- /dev/null +++ b/openssl-sys/src/handwritten/cmac.rs 
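Review bot: The `new`, `new_without_digest` and `new_intern` signatures in these two hunks now return `Signer<'a>` with an `'a` that is no longer tied to `pkey`, so a caller can pick any lifetime, including `'static`, and drop the key while the signer is still alive. The commit message gives the reason this is sound (creating the `EVP_PKEY_CTX` takes its own reference on the `EVP_PKEY`), but nothing in the code records that invariant, and the raw-pointer use in `new_intern` depends on it for every supported library. I would add a comment at `new_intern`, e.g. `// The EVP_PKEY_CTX created during init holds its own reference to pkey, so the Signer does not need to borrow it.` `new_intern`'s body continues outside the hunk, so the call that takes the reference is not visible here and should also be checked for the LibreSSL and BoringSSL builds.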
@@ -0,0 +1,18 @@ +use libc::*; + +use super::super::*; + +extern "C" { + pub fn CMAC_CTX_new() -> *mut CMAC_CTX; + pub fn CMAC_CTX_free(ctx: *mut CMAC_CTX); + pub fn CMAC_Init( + ctx: *mut CMAC_CTX, + key: *const c_void, + len: size_t, + cipher: *const EVP_CIPHER, + impl_: *mut ENGINE, + ) -> c_int; + pub fn CMAC_Update(ctx: *mut CMAC_CTX, data: *const c_void, len: size_t) -> c_int; + pub fn CMAC_Final(ctx: *mut CMAC_CTX, out: *mut c_uchar, len: *mut size_t) -> c_int; + pub fn CMAC_CTX_copy(dst: *mut CMAC_CTX, src: *const CMAC_CTX) -> c_int; +} diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index 28aa4aecd0..9c0f844501 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -2,6 +2,7 @@ pub use self::aes::*; pub use self::asn1::*; pub use self::bio::*; pub use self::bn::*; +pub use self::cmac::*; pub use self::cms::*; pub use self::conf::*; pub use self::crypto::*; @@ -35,6 +36,7 @@ mod aes; mod asn1; mod bio; mod bn; +mod cmac; mod cms; mod conf; mod crypto; diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index 84724f35ef..06354728f2 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -125,6 +125,8 @@ pub enum EVP_PKEY_ASN1_METHOD {} pub enum EVP_PKEY_CTX {} +pub enum CMAC_CTX {} + cfg_if! { if #[cfg(any(ossl110, libressl280))] { pub enum HMAC_CTX {} diff --git a/systest/build.rs b/systest/build.rs index 2efcdfe1bf..6d3ac3a3d3 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -56,6 +56,7 @@ fn main() { .header("openssl/bio.h") .header("openssl/x509v3.h") .header("openssl/safestack.h") + .header("openssl/cmac.h") .header("openssl/hmac.h") .header("openssl/obj_mac.h") .header("openssl/ssl.h") From 0dc14f7ffa279e0b6a29ef35d6ce832da3ca53d1 Mon Sep 17 00:00:00 2001 
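Review bot: The new `CMAC_Final` declaration in openssl-sys/src/handwritten/cmac.rs takes `out` and `len` with no statement of the buffer contract, and the `len` pointer is easy to misread as an input capacity. As far as I know, the C function writes the MAC (one cipher block) to `out` and only stores the written length through `len`, so a safe wrapper must size the buffer itself before the call. A short comment on the declaration would make that explicit, e.g. `// out must hold at least one cipher block; *len is output only (bytes written).` The commit message says these functions are deprecated in OpenSSL 3, and a one-line comment at the top of the file recording that would help whoever writes the wrapper.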
From: Paul Kehrer Date: Sat, 22 Apr 2023 13:53:22 -0600 Subject: [PATCH 36/84] add cmac to bindgen too --- openssl-sys/build/run_bindgen.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 3361786357..4fa9ec66f2 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -12,6 +12,7 @@ const INCLUDES: &str = " #include #include #include +#include #include #include #include From 0257e2611d01127607b724a043642b01adf41706 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 22 Apr 2023 14:45:19 -0600 Subject: [PATCH 37/84] Expose pbkdf2_hmac and scrypt on BoringSSL --- openssl/src/lib.rs | 1 - openssl/src/pkcs5.rs | 26 +++++++++++++++----------- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 7829b79cba..c2c390cc1b 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -165,7 +165,6 @@ pub mod nid; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_OCSP")))] pub mod ocsp; pub mod pkcs12; -#[cfg(not(boringssl))] pub mod pkcs5; #[cfg(not(boringssl))] pub mod pkcs7; diff --git a/openssl/src/pkcs5.rs b/openssl/src/pkcs5.rs index c15ce47761..cd704e8256 100644 --- a/openssl/src/pkcs5.rs +++ b/openssl/src/pkcs5.rs @@ -1,9 +1,13 @@ +#[cfg(not(boringssl))] use libc::c_int; +use std::convert::TryInto; +#[cfg(not(boringssl))] use std::ptr; use crate::cvt; use crate::error::ErrorStack; use crate::hash::MessageDigest; +#[cfg(not(boringssl))] use crate::symm::Cipher; use openssl_macros::corresponds; @@ -25,6 +29,7 @@ pub struct KeyIvPair { /// `pbkdf2_hmac` or another more modern key derivation algorithm. #[corresponds(EVP_BytesToKey)] #[allow(clippy::useless_conversion)] +#[cfg(not(boringssl))] pub fn bytes_to_key( cipher: Cipher, digest: MessageDigest, 
@@ -91,19 +96,15 @@ pub fn pbkdf2_hmac( key: &mut [u8], ) -> Result<(), ErrorStack> { unsafe { - assert!(pass.len() <= c_int::max_value() as usize); - assert!(salt.len() <= c_int::max_value() as usize); - assert!(key.len() <= c_int::max_value() as usize); - ffi::init(); cvt(ffi::PKCS5_PBKDF2_HMAC( pass.as_ptr() as *const _, - pass.len() as c_int, + pass.len().try_into().unwrap(), salt.as_ptr(), - salt.len() as c_int, - iter as c_int, + salt.len().try_into().unwrap(), + iter.try_into().unwrap(), hash.as_ptr(), - key.len() as c_int, + key.len().try_into().unwrap(), key.as_mut_ptr(), )) .map(|_| ()) @@ -114,7 +115,8 @@ pub fn pbkdf2_hmac( /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PBE_scrypt)] -#[cfg(any(ossl110))] +#[cfg(any(ossl110, boringssl))] +#[allow(clippy::useless_conversion)] pub fn scrypt( pass: &[u8], salt: &[u8], @@ -134,7 +136,7 @@ pub fn scrypt( n, r, p, - maxmem, + maxmem.try_into().unwrap(), key.as_mut_ptr() as *mut _, key.len(), )) @@ -145,6 +147,7 @@ pub fn scrypt( #[cfg(test)] mod tests { use crate::hash::MessageDigest; + #[cfg(not(boringssl))] use crate::symm::Cipher; // Test vectors from @@ -246,6 +249,7 @@ mod tests { } #[test] + #[cfg(not(boringssl))] fn bytes_to_key() { let salt = [16_u8, 34_u8, 19_u8, 23_u8, 141_u8, 4_u8, 207_u8, 221_u8]; @@ -282,7 +286,7 @@ mod tests { } #[test] - #[cfg(any(ossl110))] + #[cfg(any(ossl110, boringssl))] fn scrypt() { let pass = "pleaseletmein"; let salt = "SodiumChloride"; From 8f23c2f6fa527657fa4d98cd6ac808d301d1aae7 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 22 Apr 2023 16:13:48 -0600 Subject: [PATCH 38/84] binding to get fips status for ossl300 --- openssl-sys/src/handwritten/evp.rs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 1a05b7eae3..050d2c88bb 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs 
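Review bot: In the `pbkdf2_hmac` hunk the three `assert!` length checks are replaced by `.try_into().unwrap()`, so an over-long `pass`, `salt` or `key` (or an out-of-range `iter`) still panics, now with a generic conversion error that does not say which argument was rejected. These lengths come from caller-supplied buffers, so the panic should be documented and named: add a `# Panics` section to the doc comment and use `expect`, for example `pass.len().try_into().expect("pass is too long for the underlying library")`. The same applies to `maxmem.try_into().unwrap()` in the `scrypt` hunk, whose doc comment still reads "Requires OpenSSL 1.1.0 or newer." although the gate now includes `boringssl`. Both function bodies start outside their hunks.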
@@ -65,6 +65,14 @@ cfg_if! { } } +cfg_if! { + if #[cfg(ossl300)] { + extern "C" { + pub fn EVP_default_properties_is_fips_enabled(libctx: *mut OSSL_LIB_CTX) -> c_int; + } + } +} + extern "C" { pub fn EVP_DigestInit_ex(ctx: *mut EVP_MD_CTX, typ: *const EVP_MD, imple: *mut ENGINE) -> c_int; From bdba0d3f39b46dadceeca6b08aef142039ddb949 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Sun, 23 Apr 2023 19:25:27 +0800 Subject: [PATCH 39/84] addi ski and aki tests --- openssl/src/x509/mod.rs | 4 ++-- openssl/src/x509/tests.rs | 26 ++++++++++++++++++++++++++ openssl/test/github.pem | 31 +++++++++++++++++++++++++++++++ 3 files changed, 59 insertions(+), 2 deletions(-) create mode 100644 openssl/test/github.pem diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 2946ee1e63..2753d09124 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -506,10 +506,10 @@ impl X509Ref { /// Returns this certificate's authority issuer name entries, if they exist. #[corresponds(X509_get0_authority_issuer)] #[cfg(ossl111)] - pub fn authority_issuer(&self) -> Option> { + pub fn authority_issuer(&self) -> Option<&StackRef> { unsafe { let stack = ffi::X509_get0_authority_issuer(self.as_ptr()); - Stack::from_ptr_opt(stack as *mut _) + StackRef::from_const_ptr_opt(stack) } } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 4e01d8d8a3..d33f0c0821 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs 
@@ -168,6 +168,32 @@ fn test_subject_alt_name() { assert_eq!(Some("http://www.example.com"), subject_alt_names[4].uri()); } +#[test] +#[cfg(ossl110)] +fn test_subject_key_id() { + let cert = include_bytes!("../../test/github.pem"); + let cert = X509::from_pem(cert).unwrap(); + + let subject_key_id = cert.subject_key_id().unwrap(); + assert_eq!( + subject_key_id.as_slice(), + &b"\xC7\x07\x27\x78\x85\xF2\x9D\x33\xC9\x4C\x5E\x56\x7D\x5C\xD6\x8E\x72\x67\xEB\xDE"[..] + ); +} + +#[test] +#[cfg(ossl110)] +fn test_authority_key_id() { + let cert = include_bytes!("../../test/github.pem"); + let cert = X509::from_pem(cert).unwrap(); + + let subject_key_id = cert.authority_key_id().unwrap(); + assert_eq!( + subject_key_id.as_slice(), + &b"\x0A\xBC\x08\x29\x17\x8C\xA5\x39\x6D\x7A\x0E\xCE\x33\xC7\x2E\xB3\xED\xFB\xC3\x7A"[..] + ); +} + #[test] fn test_subject_alt_name_iter() { let cert = include_bytes!("../../test/alt_name_cert.pem"); diff --git a/openssl/test/github.pem b/openssl/test/github.pem new file mode 100644 index 0000000000..34bcb44322 --- /dev/null +++ b/openssl/test/github.pem 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFajCCBPGgAwIBAgIQDNCovsYyz+ZF7KCpsIT7HDAKBggqhkjOPQQDAzBWMQsw +CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp +Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjMwMjE0MDAw +MDAwWhcNMjQwMzE0MjM1OTU5WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs +aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEChMMR2l0SHVi +LCBJbmMuMRMwEQYDVQQDEwpnaXRodWIuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0D +AQcDQgAEo6QDRgPfRlFWy8k5qyLN52xZlnqToPu5QByQMog2xgl2nFD1Vfd2Xmgg +nO4i7YMMFTAQQUReMqyQodWq8uVDs6OCA48wggOLMB8GA1UdIwQYMBaAFAq8CCkX +jKU5bXoOzjPHLrPt+8N6MB0GA1UdDgQWBBTHByd4hfKdM8lMXlZ9XNaOcmfr3jAl +BgNVHREEHjAcggpnaXRodWIuY29tgg53d3cuZ2l0aHViLmNvbTAOBgNVHQ8BAf8E +BAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMIGbBgNVHR8EgZMw +gZAwRqBEoEKGQGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5 +YnJpZEVDQ1NIQTM4NDIwMjBDQTEtMS5jcmwwRqBEoEKGQGh0dHA6Ly9jcmw0LmRp +Z2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NIQTM4NDIwMjBDQTEtMS5j +cmwwPgYDVR0gBDcwNTAzBgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3 +dy5kaWdpY2VydC5jb20vQ1BTMIGFBggrBgEFBQcBAQR5MHcwJAYIKwYBBQUHMAGG +GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBPBggrBgEFBQcwAoZDaHR0cDovL2Nh +Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VExTSHlicmlkRUNDU0hBMzg0MjAy +MENBMS0xLmNydDAJBgNVHRMEAjAAMIIBgAYKKwYBBAHWeQIEAgSCAXAEggFsAWoA +dwDuzdBk1dsazsVct520zROiModGfLzs3sNRSFlGcR+1mwAAAYZQ3Rv6AAAEAwBI +MEYCIQDkFq7T4iy6gp+pefJLxpRS7U3gh8xQymmxtI8FdzqU6wIhALWfw/nLD63Q +YPIwG3EFchINvWUfB6mcU0t2lRIEpr8uAHYASLDja9qmRzQP5WoC+p0w6xxSActW +3SyB2bu/qznYhHMAAAGGUN0cKwAABAMARzBFAiAePGAyfiBR9dbhr31N9ZfESC5G +V2uGBTcyTyUENrH3twIhAPwJfsB8A4MmNr2nW+sdE1n2YiCObW+3DTHr2/UR7lvU +AHcAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1yb+H61BcAAAGGUN0cOgAABAMA +SDBGAiEAzOBr9OZ0+6OSZyFTiywN64PysN0FLeLRyL5jmEsYrDYCIQDu0jtgWiMI +KU6CM0dKcqUWLkaFE23c2iWAhYAHqrFRRzAKBggqhkjOPQQDAwNnADBkAjAE3A3U +3jSZCpwfqOHBdlxi9ASgKTU+wg0qw3FqtfQ31OwLYFdxh0MlNk/HwkjRSWgCMFbQ +vMkXEPvNvv4t30K6xtpG26qmZ+6OiISBIIXMljWnsiYR1gyZnTzIg3AQSw4Vmw== +-----END CERTIFICATE----- 
From 57bd34d614db206703ee2435a3d62cf3a7eb6481 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Sun, 23 Apr 2023 22:39:19 +0800 Subject: [PATCH 40/84] add more tests --- openssl/src/x509/tests.rs | 33 ++++++++++++++++++----- openssl/test/authority_key_identifier.pem | 19 +++++++++++++ openssl/test/github.pem | 31 --------------------- 3 files changed, 46 insertions(+), 37 deletions(-) create mode 100644 openssl/test/authority_key_identifier.pem delete mode 100644 openssl/test/github.pem diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index d33f0c0821..748d70dbba 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs 
@@ -171,29 +171,50 @@ fn test_subject_alt_name() { #[test] #[cfg(ossl110)] fn test_subject_key_id() { - let cert = include_bytes!("../../test/github.pem"); + let cert = include_bytes!("../../test/certv3.pem"); let cert = X509::from_pem(cert).unwrap(); let subject_key_id = cert.subject_key_id().unwrap(); assert_eq!( subject_key_id.as_slice(), - &b"\xC7\x07\x27\x78\x85\xF2\x9D\x33\xC9\x4C\x5E\x56\x7D\x5C\xD6\x8E\x72\x67\xEB\xDE"[..] + &b"\xB6\x73\x2F\x61\xA5\x4B\xA1\xEF\x48\x2C\x15\xB1\x9F\xF3\xDC\x34\x2F\xBC\xAC\x30"[..] ); } #[test] #[cfg(ossl110)] fn test_authority_key_id() { - let cert = include_bytes!("../../test/github.pem"); + let cert = include_bytes!("../../test/certv3.pem"); let cert = X509::from_pem(cert).unwrap(); - let subject_key_id = cert.authority_key_id().unwrap(); + let authority_key_id = cert.authority_key_id().unwrap(); assert_eq!( - subject_key_id.as_slice(), - &b"\x0A\xBC\x08\x29\x17\x8C\xA5\x39\x6D\x7A\x0E\xCE\x33\xC7\x2E\xB3\xED\xFB\xC3\x7A"[..] + authority_key_id.as_slice(), + &b"\x6C\xD3\xA5\x03\xAB\x0D\x5F\x2C\xC9\x8D\x8A\x9C\x88\xA7\x88\x77\xB8\x37\xFD\x9A"[..] 
); } +#[test] +fn test_authority_issuer_and_serial() { + let cert = include_bytes!("../../test/authority_key_identifier.pem"); + let cert = X509::from_pem(cert).unwrap(); + + let authority_issuer = cert.authority_issuer().unwrap(); + assert_eq!(1, authority_issuer.len()); + let dn = authority_issuer[0].directory_name().unwrap(); + let mut o = dn.entries_by_nid(Nid::ORGANIZATIONNAME); + let o = o.next().unwrap().data().as_utf8().unwrap(); + assert_eq!(o.as_bytes(), b"PyCA"); + let mut cn = dn.entries_by_nid(Nid::COMMONNAME); + let cn = cn.next().unwrap().data().as_utf8().unwrap(); + assert_eq!(cn.as_bytes(), b"cryptography.io"); + + let authority_serial = cert.authority_serial().unwrap(); + let serial = authority_serial.to_bn().unwrap(); + let expected = BigNum::from_u32(3).unwrap(); + assert_eq!(serial, expected); +} + #[test] fn test_subject_alt_name_iter() { let cert = include_bytes!("../../test/alt_name_cert.pem"); diff --git a/openssl/test/authority_key_identifier.pem b/openssl/test/authority_key_identifier.pem new file mode 100644 index 0000000000..cbe9169fc9 --- /dev/null +++ b/openssl/test/authority_key_identifier.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDIjCCAgqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADApMQ0wCwYDVQQKDARQeUNB +MRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wHhcNMTUwNTAzMDk0OTU2WhcNMTYw +NTAyMDk0OTU2WjApMQ0wCwYDVQQKDARQeUNBMRgwFgYDVQQDDA9jcnlwdG9ncmFw +aHkuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCadi1UZioxdnP +ajqlRZHeKsSxvXXhgrWvlt91P3gV0dBThRFhJsLOhjNLz6PO6KeRbjz9GhTA2hdk +xtIpXrjvTv9dEJ1/k0xebsHWgFC43aTlgekw0U4cMwMe5NGeeg1tfzbJwldIN+cK +vabc08ADlkmM6DMnUArkzA2yii0DErRFMSIGrkDr6E9puord3h6Mh8Jfnc3TDAq8 +Qo1DI2XM7oFSWNfecQ9KbIC5wzzT+7Shoyz7QmCk/XhRzt8Xcfc3yAXIwazvLf8b +YP1auaSG11a5E+w6onj91h8UHKKOXu+rdq5YYPZ+qUYpxA7ZJ/VAGadMulYbXaO8 +Syi39HTpAgMBAAGjVTBTMFEGA1UdIwRKMEiAFDlFPso9Yh3qhkn2WqtAt6RwmPHs +oS2kKzApMQ0wCwYDVQQKDARQeUNBMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW+C +AQMwDQYJKoZIhvcNAQEFBQADggEBAFbZYy6aZJUK/f7nJx2Rs/ht6hMbM32/RoXZ +JGbYapNVqVu/vymcfc/se3FHS5OVmPsnRlo/FIKDn/r5DGl73Sn/FvDJiLJZFucT +msyYuHZ+ZRYWzWmN2fcB3cfxj0s3qps6f5OoCOqoINOSe4HRGlw4X9keZSD+3xAt +vHNwQdlPC7zWbPdrzLT+FqR0e/O81vFJJS6drHJWqPcR3NQVtZw+UF7A/HKwbfeL +Nu2zj6165hzOi9HUxa2/mPr/eLUUV1sTzXp2+TFjt3rVCjW1XnpMLdwNBHzjpyAB +dTOX3iw0+BPy3s2jtnCW1PLpc74kvSTaBwhg74sq39EXfIKax00= +-----END CERTIFICATE----- diff --git a/openssl/test/github.pem b/openssl/test/github.pem deleted file mode 100644 index 34bcb44322..0000000000 --- a/openssl/test/github.pem +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFajCCBPGgAwIBAgIQDNCovsYyz+ZF7KCpsIT7HDAKBggqhkjOPQQDAzBWMQsw -CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp -Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjMwMjE0MDAw -MDAwWhcNMjQwMzE0MjM1OTU5WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs -aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEChMMR2l0SHVi -LCBJbmMuMRMwEQYDVQQDEwpnaXRodWIuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0D -AQcDQgAEo6QDRgPfRlFWy8k5qyLN52xZlnqToPu5QByQMog2xgl2nFD1Vfd2Xmgg -nO4i7YMMFTAQQUReMqyQodWq8uVDs6OCA48wggOLMB8GA1UdIwQYMBaAFAq8CCkX -jKU5bXoOzjPHLrPt+8N6MB0GA1UdDgQWBBTHByd4hfKdM8lMXlZ9XNaOcmfr3jAl -BgNVHREEHjAcggpnaXRodWIuY29tgg53d3cuZ2l0aHViLmNvbTAOBgNVHQ8BAf8E -BAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMIGbBgNVHR8EgZMw -gZAwRqBEoEKGQGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5 -YnJpZEVDQ1NIQTM4NDIwMjBDQTEtMS5jcmwwRqBEoEKGQGh0dHA6Ly9jcmw0LmRp -Z2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NIQTM4NDIwMjBDQTEtMS5j -cmwwPgYDVR0gBDcwNTAzBgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3 -dy5kaWdpY2VydC5jb20vQ1BTMIGFBggrBgEFBQcBAQR5MHcwJAYIKwYBBQUHMAGG -GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBPBggrBgEFBQcwAoZDaHR0cDovL2Nh -Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VExTSHlicmlkRUNDU0hBMzg0MjAy -MENBMS0xLmNydDAJBgNVHRMEAjAAMIIBgAYKKwYBBAHWeQIEAgSCAXAEggFsAWoA -dwDuzdBk1dsazsVct520zROiModGfLzs3sNRSFlGcR+1mwAAAYZQ3Rv6AAAEAwBI -MEYCIQDkFq7T4iy6gp+pefJLxpRS7U3gh8xQymmxtI8FdzqU6wIhALWfw/nLD63Q -YPIwG3EFchINvWUfB6mcU0t2lRIEpr8uAHYASLDja9qmRzQP5WoC+p0w6xxSActW -3SyB2bu/qznYhHMAAAGGUN0cKwAABAMARzBFAiAePGAyfiBR9dbhr31N9ZfESC5G -V2uGBTcyTyUENrH3twIhAPwJfsB8A4MmNr2nW+sdE1n2YiCObW+3DTHr2/UR7lvU -AHcAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1yb+H61BcAAAGGUN0cOgAABAMA -SDBGAiEAzOBr9OZ0+6OSZyFTiywN64PysN0FLeLRyL5jmEsYrDYCIQDu0jtgWiMI -KU6CM0dKcqUWLkaFE23c2iWAhYAHqrFRRzAKBggqhkjOPQQDAwNnADBkAjAE3A3U -3jSZCpwfqOHBdlxi9ASgKTU+wg0qw3FqtfQ31OwLYFdxh0MlNk/HwkjRSWgCMFbQ -vMkXEPvNvv4t30K6xtpG26qmZ+6OiISBIIXMljWnsiYR1gyZnTzIg3AQSw4Vmw== ------END CERTIFICATE----- 
From c9db15a8ef94f1404b931107f4637cab77f071d6 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Sun, 23 Apr 2023 22:41:58 +0800 Subject: [PATCH 41/84] add missing feature flag --- openssl/src/x509/tests.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 748d70dbba..d4dbf316d2 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -195,6 +195,7 @@ fn test_authority_key_id() { } #[test] +#[cfg(ossl111)] fn test_authority_issuer_and_serial() { let cert = include_bytes!("../../test/authority_key_identifier.pem"); let cert = X509::from_pem(cert).unwrap(); From 5ddf89fcd828890c38c36deff9a6bd58df9ce857 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 24 Apr 2023 15:56:02 -0600 Subject: [PATCH 42/84] changelog and version bumps for openssl and openssl-sys --- openssl-sys/CHANGELOG.md | 14 +++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 12 +++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 27 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 20e599b8ab..324ff1a82a 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,17 @@ ## [Unreleased] +## [v0.9.87] - 2023-04-24 + +### Added + +* Added `DH_CHECK`. +* Added `CMAC_CTX_new`, `CMAC_CTX_free`, `CMAC_Init`, `CMAC_Update`, `CMAC_Final`, and `CMAC_CTX_copy`. +* Added `EVP_default_properties_is_fips_enabled`. +* Added `X509_get0_subject_key_id`, `X509_get0_authority_key_id`, `X509_get0_authority_issuer`, and `X509_get0_authority_serial`. +* Added `NID_poly1305`. + + ## [v0.9.86] - 2023-04-20 ### Fixed 
@@ -435,7 +446,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87..master +[v0.9.87]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86...openssl-sys-v0.9.87 [v0.9.86]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.86 [v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.84...openssl-sys-v0.9.85 [v0.9.84]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.83...openssl-sys-v0.9.84 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index c5cced2880..811318bbaf 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.86" +version = "0.9.87" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index f4eca89166..c62da00a1b 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,15 @@ ## [Unreleased] +## [v0.10.52] - 2023-04-24 + +### Added + +* Added `DhRef::check_key`. +* Added `Id::POLY1305`. +* Added `X509Ref::subject_key_id`, `X509Ref::authority_key_id`, `X509Ref::authority_issuer`, and `X509Ref::authority_serial`. + + ## [v0.10.51] - 2023-04-20 ### Added 
@@ -738,7 +747,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...master +[v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...openssl-v0.10.52 [v0.10.51]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...openssl-v0.10.51 [v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 [v0.10.49]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.48...openssl-v0.10.49 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index ba72250c92..addf5cb060 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.51" +version = "0.10.52" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.86", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.87", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 7756ab8a9a0faed77b674f2b44736ec31a726713 Mon Sep 17 00:00:00 2001 From: Naomi Kirby Date: Wed, 26 Apr 2023 14:46:10 -0700 Subject: [PATCH 43/84] Fix link errors for X509_get0_authority_xxx methods on Ubuntu/bionic --- openssl-sys/build/cfgs.rs | 3 +++ openssl-sys/src/handwritten/x509v3.rs | 4 ++-- openssl/src/x509/mod.rs | 4 ++-- openssl/src/x509/tests.rs | 2 +- 4 files changed, 8 insertions(+), 5 deletions(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index 960515f00f..f09ec29b53 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs 
@@ -91,6 +91,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if openssl_version >= 0x1_01_01_03_0 { cfgs.push("ossl111c"); } + if openssl_version >= 0x1_01_01_04_0 { + cfgs.push("ossl111d"); + } } cfgs diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 09a92640b6..7789b629a6 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -106,9 +106,9 @@ extern "C" { pub fn X509_get0_subject_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; #[cfg(ossl110)] pub fn X509_get0_authority_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; - #[cfg(ossl111)] + #[cfg(ossl111d)] pub fn X509_get0_authority_issuer(x: *mut X509) -> *const stack_st_GENERAL_NAME; - #[cfg(ossl111)] + #[cfg(ossl111d)] pub fn X509_get0_authority_serial(x: *mut X509) -> *const ASN1_INTEGER; } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 2753d09124..a8e298bf3f 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -505,7 +505,7 @@ impl X509Ref { /// Returns this certificate's authority issuer name entries, if they exist. #[corresponds(X509_get0_authority_issuer)] - #[cfg(ossl111)] + #[cfg(ossl111d)] pub fn authority_issuer(&self) -> Option<&StackRef> { unsafe { let stack = ffi::X509_get0_authority_issuer(self.as_ptr()); @@ -515,7 +515,7 @@ impl X509Ref { /// Returns this certificate's authority serial number, if it exists. #[corresponds(X509_get0_authority_serial)] - #[cfg(ossl111)] + #[cfg(ossl111d)] pub fn authority_serial(&self) -> Option<&Asn1IntegerRef> { unsafe { let r = ffi::X509_get0_authority_serial(self.as_ptr()); diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index d4dbf316d2..c5ea6accf3 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs 
@@ -195,7 +195,7 @@ fn test_authority_key_id() { } #[test] -#[cfg(ossl111)] +#[cfg(ossl111d)] fn test_authority_issuer_and_serial() { let cert = include_bytes!("../../test/authority_key_identifier.pem"); let cert = X509::from_pem(cert).unwrap(); From 34260b833fe5fc66b8322ce106f0f970cb99a10e Mon Sep 17 00:00:00 2001 From: Naomi Kirby Date: Wed, 26 Apr 2023 15:24:33 -0700 Subject: [PATCH 44/84] Check for OPENSSL_NO_RC4 when using EVP_rc4 --- openssl-sys/build/expando.c | 4 ++++ openssl-sys/src/handwritten/evp.rs | 1 + openssl/src/cipher.rs | 1 + openssl/src/symm.rs | 1 + 4 files changed, 7 insertions(+) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index 11fb04db0c..54681a0b95 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -79,6 +79,10 @@ RUST_CONF_OPENSSL_NO_OCSP RUST_CONF_OPENSSL_NO_PSK #endif +#ifdef OPENSSL_NO_RC4 +RUST_CONF_OPENSSL_NO_RC4 +#endif + #ifdef OPENSSL_NO_RFC3779 RUST_CONF_OPENSSL_NO_RFC3779 #endif diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 050d2c88bb..db018e9a42 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -311,6 +311,7 @@ extern "C" { pub fn EVP_des_ede3_cbc() -> *const EVP_CIPHER; pub fn EVP_des_ede3_cfb64() -> *const EVP_CIPHER; pub fn EVP_des_cbc() -> *const EVP_CIPHER; + #[cfg(not(osslconf = "OPENSSL_NO_RC4"))] pub fn EVP_rc4() -> *const EVP_CIPHER; pub fn EVP_bf_ecb() -> *const EVP_CIPHER; pub fn EVP_bf_cbc() -> *const EVP_CIPHER; diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index aeedf459aa..87f7660cde 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -324,6 +324,7 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_des_ede3_cfb64() as *mut _) } } + #[cfg(not(osslconf = "OPENSSL_NO_RC4"))] pub fn rc4() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_rc4() as *mut _) } } 
diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 911a7ab2e7..611080805f 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -283,6 +283,7 @@ impl Cipher { unsafe { Cipher(ffi::EVP_des_ede3_cfb64()) } } + #[cfg(not(osslconf = "OPENSSL_NO_RC4"))] pub fn rc4() -> Cipher { unsafe { Cipher(ffi::EVP_rc4()) } } From cd3803ec016258366b56607355f1a63738ddaf2c Mon Sep 17 00:00:00 2001 From: Naomi Kirby Date: Wed, 26 Apr 2023 15:53:11 -0700 Subject: [PATCH 45/84] Fix tests on Ubuntu/bionic too --- openssl-sys/src/handwritten/ssl.rs | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index f179a04ab1..039e2d9116 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -905,9 +905,13 @@ extern "C" { #[cfg(ossl111)] pub fn SSL_set_num_tickets(s: *mut SSL, num_tickets: size_t) -> c_int; - #[cfg(ossl111)] + #[cfg(ossl111b)] pub fn SSL_CTX_get_num_tickets(ctx: *const SSL_CTX) -> size_t; + #[cfg(all(ossl111, not(ossl111b)))] + pub fn SSL_CTX_get_num_tickets(ctx: *mut SSL_CTX) -> size_t; - #[cfg(ossl111)] + #[cfg(ossl111b)] pub fn SSL_get_num_tickets(s: *const SSL) -> size_t; + #[cfg(all(ossl111, not(ossl111b)))] + pub fn SSL_get_num_tickets(s: *mut SSL) -> size_t; } From dd2ce585e469979e70fa5a368bc0ed975ba7d016 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Tue, 2 May 2023 22:39:01 +0800 Subject: [PATCH 46/84] add X509::pathlen --- openssl-sys/src/handwritten/x509v3.rs | 2 ++ openssl/src/x509/mod.rs | 8 ++++++++ openssl/src/x509/tests.rs | 16 ++++++++++++++++ 3 files changed, 26 insertions(+) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 7789b629a6..f92441134e 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs 
@@ -96,6 +96,8 @@ extern "C" { indent: c_int, ) -> c_int; + #[cfg(ossl110)] + pub fn X509_get_pathlen(x: *mut X509) -> c_long; #[cfg(ossl110)] pub fn X509_get_extension_flags(x: *mut X509) -> u32; #[cfg(ossl110)] diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index a8e298bf3f..2b2f8a50d8 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -483,6 +483,14 @@ impl X509Ref { } } + /// Retrieves the path length extension from a certificate, if it exists. + #[corresponds(X509_get_pathlen)] + #[cfg(ossl110)] + pub fn pathlen(&self) -> Option { + let v = unsafe { ffi::X509_get_pathlen(self.as_ptr()) }; + u32::try_from(v).ok() + } + /// Returns this certificate's subject key id, if it exists. #[corresponds(X509_get0_subject_key_id)] #[cfg(ossl110)] diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index c5ea6accf3..a3f3cd8803 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -168,6 +168,22 @@ fn test_subject_alt_name() { assert_eq!(Some("http://www.example.com"), subject_alt_names[4].uri()); } +#[test] +#[cfg(ossl110)] +fn test_retrieve_pathlen() { + let cert = include_bytes!("../../test/root-ca.pem"); + let cert = X509::from_pem(cert).unwrap(); + assert_eq!(cert.pathlen(), None); + + let cert = include_bytes!("../../test/intermediate-ca.pem"); + let cert = X509::from_pem(cert).unwrap(); + assert_eq!(cert.pathlen(), Some(0)); + + let cert = include_bytes!("../../test/alt_name_cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + assert_eq!(cert.pathlen(), None); +} + #[test] #[cfg(ossl110)] fn test_subject_key_id() { From 7e6d518499c98b554ceb2707ed3f7724cd4716f5 Mon Sep 17 00:00:00 2001 From: Louis Hampton Date: Fri, 12 May 2023 10:36:51 +0100 Subject: [PATCH 47/84] Add bindings to SSL_bytes_to_cipher_list --- openssl-sys/src/handwritten/ssl.rs | 9 +++++ openssl/src/ssl/mod.rs | 54 +++++++++++++++++++++++++++++- openssl/src/ssl/test/mod.rs | 3 ++ 3 files changed, 65 insertions(+), 1 deletion(-) 
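Review bot: The doc comment on `pathlen` in openssl/src/x509/mod.rs does not say what `None` means, and "path length extension" names something that is really the pathLenConstraint field of basicConstraints. `u32::try_from(v).ok()` turns every negative return of `X509_get_pathlen` into `None`, and, where `c_long` is 64 bits, presumably any value above `u32::MAX` as well. A caller enforcing chain depth cannot tell "no constraint" from "value not representable". I would document the contract with `/// Returns the basicConstraints pathLenConstraint of this certificate.` followed by `/// Returns None when X509_get_pathlen reports a negative value, i.e. no constraint is present.` The test in the same commit pins `None` for root-ca.pem and `Some(0)` for intermediate-ca.pem, which matches that reading.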
diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index 039e2d9116..d4f4b619f4 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -648,6 +648,15 @@ extern "C" { num: size_t, readbytes: *mut size_t, ) -> c_int; + #[cfg(ossl111)] + pub fn SSL_bytes_to_cipher_list( + s: *mut SSL, + bytes: *const c_uchar, + len: size_t, + isv2format: c_int, + sk: *mut *mut stack_st_SSL_CIPHER, + scsvs: *mut *mut stack_st_SSL_CIPHER, + ) -> c_int; } extern "C" { diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 5b8775c98c..3bd10052ed 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -72,7 +72,7 @@ use crate::srtp::{SrtpProtectionProfile, SrtpProtectionProfileRef}; use crate::ssl::bio::BioMethod; use crate::ssl::callbacks::*; use crate::ssl::error::InnerError; -use crate::stack::{Stack, StackRef}; +use crate::stack::{Stack, StackRef, Stackable}; use crate::util::{ForeignTypeExt, ForeignTypeRefExt}; use crate::x509::store::{X509Store, X509StoreBuilderRef, X509StoreRef}; #[cfg(any(ossl102, libressl261))] @@ -1940,6 +1940,10 @@ impl ForeignType for SslCipher { } } +impl Stackable for SslCipher { + type StackType = ffi::stack_st_SSL_CIPHER; +} + impl Deref for SslCipher { type Target = SslCipherRef; @@ -2056,6 +2060,19 @@ impl SslCipherRef { } } +impl fmt::Debug for SslCipherRef { + fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result { + write!(fmt, "{}", self.name()) + } +} + +/// A stack of selected ciphers, and a stack of selected signalling cipher suites +#[derive(Debug)] +pub struct CipherLists { + pub suites: Stack, + pub signalling_suites: Stack, +} + foreign_type_and_impl_send_sync! { type CType = ffi::SSL_SESSION; fn drop = ffi::SSL_SESSION_free; 
@@ -3083,6 +3100,41 @@ impl SslRef { } } + /// Decodes a slice of wire-format cipher suite specification bytes. Unsupported cipher suites + /// are ignored. + /// + /// Requires OpenSSL 1.1.1 or newer. + #[corresponds(SSL_bytes_to_cipher_list)] + #[cfg(ossl111)] + pub fn bytes_to_ciphers_stack( + &self, + bytes: &[u8], + isv2format: bool, + ) -> Result { + unsafe { + let ptr = bytes.as_ptr(); + let len = bytes.len(); + let mut sk = ptr::null_mut(); + let mut scsvs = ptr::null_mut(); + let res = ffi::SSL_bytes_to_cipher_list( + self.as_ptr(), + ptr, + len, + isv2format as c_int, + &mut sk, + &mut scsvs, + ); + if res == 1 { + Ok(CipherLists { + suites: Stack::from_ptr(sk), + signalling_suites: Stack::from_ptr(scsvs), + }) + } else { + Err(ErrorStack::get()) + } + } + } + /// Returns the compression methods field of the client's hello message. /// /// This can only be used inside of the client hello callback. Otherwise, `None` is returned. diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index a34309a7d6..bbad911ca8 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1458,6 +1458,9 @@ fn client_hello() { assert!(ssl.client_hello_session_id().is_some()); assert!(ssl.client_hello_ciphers().is_some()); assert!(ssl.client_hello_compression_methods().is_some()); + assert!(ssl + .bytes_to_ciphers_stack(ssl.client_hello_ciphers().unwrap(), ssl.client_hello_isv2()) + .is_ok()); CALLED_BACK.store(true, Ordering::SeqCst); Ok(ClientHelloResponse::SUCCESS) From da9eeddb05a2fd0d56b1cea16878f501bc987b0f Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 14 May 2023 20:14:24 -0400 Subject: [PATCH 48/84] rename --- openssl/src/ssl/mod.rs | 2 +- openssl/src/ssl/test/mod.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 3bd10052ed..0feaced213 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs 
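Review bot: The `unsafe` block in `bytes_to_ciphers_stack` wraps both `sk` and `scsvs` with `Stack::from_ptr` on the `res == 1` path without a null check or a `// SAFETY:` comment stating why that is sound. It relies on OpenSSL storing a newly allocated stack in each out-pointer whenever it returns 1; as I read the OpenSSL documentation that holds when both pointers are supplied, but the assumption should be written down, e.g. `// SAFETY: on a return of 1 both out-pointers hold stacks allocated by OpenSSL; ownership moves to the two Stack values.` The doc comment also leaves `isv2format` unexplained (it selects the SSLv2 3-byte encoding instead of the 2-byte TLS encoding). The public fields of `CipherLists`, added earlier in this file section, have no docs either.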
@@ -3106,7 +3106,7 @@ impl SslRef { /// Requires OpenSSL 1.1.1 or newer. #[corresponds(SSL_bytes_to_cipher_list)] #[cfg(ossl111)] - pub fn bytes_to_ciphers_stack( + pub fn bytes_to_cipher_list( &self, bytes: &[u8], isv2format: bool, diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index bbad911ca8..39cc054df2 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1459,7 +1459,7 @@ fn client_hello() { assert!(ssl.client_hello_ciphers().is_some()); assert!(ssl.client_hello_compression_methods().is_some()); assert!(ssl - .bytes_to_ciphers_stack(ssl.client_hello_ciphers().unwrap(), ssl.client_hello_isv2()) + .bytes_to_cipher_list(ssl.client_hello_ciphers().unwrap(), ssl.client_hello_isv2()) .is_ok()); CALLED_BACK.store(true, Ordering::SeqCst); From 0194e3f9decf0820615ce5b70f26433ac15eaba7 Mon Sep 17 00:00:00 2001 From: Andrew Scull Date: Mon, 15 May 2023 21:39:50 +0000 Subject: [PATCH 49/84] Add boringssl hkdf derivation --- openssl/src/pkey.rs | 2 +- openssl/src/pkey_ctx.rs | 21 +++++++++++++++------ 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index cec1c482e1..82a0a9d136 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -86,7 +86,7 @@ impl Id { pub const DH: Id = Id(ffi::EVP_PKEY_DH); pub const EC: Id = Id(ffi::EVP_PKEY_EC); - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); #[cfg(any(ossl111, boringssl, libressl370))] diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index 42289b9f48..aba8a66a32 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -485,7 +485,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set_hkdf_md)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn set_hkdf_md(&mut self, digest: &MdRef) -> Result<(), ErrorStack> { unsafe { 
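Review bot: The doc line `/// Requires OpenSSL 1.1.0 or newer.` on `set_hkdf_md` in openssl/src/pkey_ctx.rs is left unchanged while the gate becomes `#[cfg(any(ossl110, boringssl))]`, so the rendered docs now understate where the method is available. The same applies to the `set_hkdf_key`, `set_hkdf_salt` and `add_hkdf_info` hunks that follow. I would change each to `/// Requires OpenSSL 1.1.0 or newer, or BoringSSL.` In those three methods the non-BoringSSL branch keeps `c_int::try_from(..).unwrap()`, so a `# Panics` section noting that input longer than `c_int::MAX` bytes panics would be worth adding at the same time. The method bodies continue outside the hunks.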
@@ -527,10 +527,13 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_key)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn set_hkdf_key(&mut self, key: &[u8]) -> Result<(), ErrorStack> { + #[cfg(not(boringssl))] let len = c_int::try_from(key.len()).unwrap(); + #[cfg(boringssl)] + let len = key.len(); unsafe { cvt(ffi::EVP_PKEY_CTX_set1_hkdf_key( @@ -549,10 +552,13 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_salt)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn set_hkdf_salt(&mut self, salt: &[u8]) -> Result<(), ErrorStack> { + #[cfg(not(boringssl))] let len = c_int::try_from(salt.len()).unwrap(); + #[cfg(boringssl)] + let len = salt.len(); unsafe { cvt(ffi::EVP_PKEY_CTX_set1_hkdf_salt( @@ -571,10 +577,13 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_add1_hkdf_info)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn add_hkdf_info(&mut self, info: &[u8]) -> Result<(), ErrorStack> { + #[cfg(not(boringssl))] let len = c_int::try_from(info.len()).unwrap(); + #[cfg(boringssl)] + let len = info.len(); unsafe { cvt(ffi::EVP_PKEY_CTX_add1_hkdf_info( @@ -632,7 +641,7 @@ mod test { #[cfg(not(boringssl))] use crate::cipher::Cipher; use crate::ec::{EcGroup, EcKey}; - #[cfg(any(ossl102, libressl310))] + #[cfg(any(ossl102, libressl310, boringssl))] use crate::md::Md; use crate::nid::Nid; use crate::pkey::PKey; @@ -717,7 +726,7 @@ mod test { } #[test] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] fn hkdf() { let mut ctx = PkeyCtx::new_id(Id::HKDF).unwrap(); ctx.derive_init().unwrap(); From 56e94e335ce7519b0c5e2ae7e530730a83220d18 Mon Sep 17 00:00:00 2001 
From: Felix Huettner Date: Mon, 1 May 2023 21:14:10 +0200 Subject: [PATCH 50/84] add other name support the issue with other name SANs is that they can contain arbitary data. As we can no longer use the old method for other_name for security reasons we now add `other_name2` as an alternative. --- openssl-sys/src/handwritten/asn1.rs | 9 ++++++++ openssl-sys/src/handwritten/x509v3.rs | 5 +++++ openssl/src/asn1.rs | 1 + openssl/src/x509/extension.rs | 23 +++++++++++++++----- openssl/src/x509/mod.rs | 31 +++++++++++++++++++++++++++ openssl/src/x509/tests.rs | 28 ++++++++++++++++++++++++ 6 files changed, 92 insertions(+), 5 deletions(-) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index fa43a7a5c1..16ffcccfe7 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -10,6 +10,7 @@ pub struct ASN1_ENCODING { extern "C" { pub fn ASN1_OBJECT_free(x: *mut ASN1_OBJECT); + pub fn OBJ_dup(x: *const ASN1_OBJECT) -> *mut ASN1_OBJECT; } stack!(stack_st_ASN1_OBJECT); @@ -94,7 +95,14 @@ extern "C" { #[cfg(ossl110)] pub fn ASN1_ENUMERATED_get_int64(pr: *mut i64, a: *const ASN1_ENUMERATED) -> c_int; + pub fn ASN1_TYPE_new() -> *mut ASN1_TYPE; + pub fn ASN1_TYPE_set(a: *mut ASN1_TYPE, type_: c_int, value: *mut c_void); pub fn ASN1_TYPE_free(x: *mut ASN1_TYPE); + pub fn d2i_ASN1_TYPE( + k: *mut *mut ASN1_TYPE, + buf: *mut *const u8, + len: c_long, + ) -> *mut ASN1_TYPE; } const_ptr_api! { @@ -102,5 +110,6 @@ const_ptr_api! { pub fn ASN1_STRING_to_UTF8(out: *mut *mut c_uchar, s: #[const_ptr_if(any(ossl110, libressl280))] ASN1_STRING) -> c_int; pub fn ASN1_STRING_type(x: #[const_ptr_if(any(ossl110, libressl280))] ASN1_STRING) -> c_int; pub fn ASN1_generate_v3(str: #[const_ptr_if(any(ossl110, libressl280))] c_char, cnf: *mut X509V3_CTX) -> *mut ASN1_TYPE; + pub fn i2d_ASN1_TYPE(a: #[const_ptr_if(ossl300)] ASN1_TYPE, pp: *mut *mut c_uchar) -> c_int; } } 
diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index f92441134e..2ee0452597 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -6,6 +6,11 @@ pub enum CONF_METHOD {} extern "C" { pub fn GENERAL_NAME_new() -> *mut GENERAL_NAME; pub fn GENERAL_NAME_free(name: *mut GENERAL_NAME); + pub fn GENERAL_NAME_set0_othername( + gen: *mut GENERAL_NAME, + oid: *mut ASN1_OBJECT, + value: *mut ASN1_TYPE, + ) -> c_int; } #[repr(C)] diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index d75e05166e..0e720ae0b3 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -655,6 +655,7 @@ impl Asn1OctetStringRef { foreign_type_and_impl_send_sync! { type CType = ffi::ASN1_OBJECT; fn drop = ffi::ASN1_OBJECT_free; + fn clone = ffi::OBJ_dup; /// Object Identifier /// diff --git a/openssl/src/x509/extension.rs b/openssl/src/x509/extension.rs index 075227dec3..11e0151530 100644 --- a/openssl/src/x509/extension.rs +++ b/openssl/src/x509/extension.rs @@ -434,6 +434,7 @@ enum RustGeneralName { Uri(String), Ip(String), Rid(String), + OtherName(Asn1Object, Vec), } /// An extension that allows additional identities to be bound to the subject 
@@ -506,12 +507,21 @@ impl SubjectAlternativeName { /// Sets the `otherName` flag. /// - /// Not currently actually supported, always panics. - #[deprecated = "other_name is deprecated and always panics. Please file a bug if you have a use case for this."] + /// Not currently actually supported, always panics. Please use other_name2 + #[deprecated = "other_name is deprecated and always panics. Please use other_name2."] pub fn other_name(&mut self, _other_name: &str) -> &mut SubjectAlternativeName { - unimplemented!( - "This has not yet been adapted for the new internals. File a bug if you need this." - ); + unimplemented!("This has not yet been adapted for the new internals. Use other_name2."); + } + + /// Sets the `otherName` flag. + /// + /// `content` must be a valid der encoded ASN1_TYPE + /// + /// If you want to add just a ia5string use `other_name_ia5string` + pub fn other_name2(&mut self, oid: Asn1Object, content: &[u8]) -> &mut SubjectAlternativeName { + self.items + .push(RustGeneralName::OtherName(oid, content.into())); + self } /// Return a `SubjectAlternativeName` extension as an `X509Extension`. @@ -526,6 +536,9 @@ impl SubjectAlternativeName { GeneralName::new_ip(s.parse().map_err(|_| ErrorStack::get())?)? } RustGeneralName::Rid(s) => GeneralName::new_rid(Asn1Object::from_str(s)?)?, + RustGeneralName::OtherName(oid, content) => { + GeneralName::new_other_name(oid.clone(), content)? + } }; stack.push(gn)?; } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 2b2f8a50d8..4325b132e3 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs 
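Review bot: The doc comment on `other_name2` in openssl/src/x509/extension.rs points readers to `other_name_ia5string`, which none of the visible hunks of this commit add, and it does not say when invalid `content` is rejected. `other_name2` only stores the bytes; they are first parsed in `build`, through `GeneralName::new_other_name` and `d2i_ASN1_TYPE`, so a malformed value surfaces as an `ErrorStack` from `build` rather than at the call site. Since the commit message says the old `other_name` was dropped for security reasons, the contract should be explicit: `/// `content` must be the DER encoding of a single ASN.1 value; it is validated when `build` is called, which returns an error if it does not parse.` Either drop the `other_name_ia5string` sentence or add that method in the same change.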
@@ -2054,6 +2054,37 @@ impl GeneralName { Ok(GeneralName::from_ptr(gn)) } } + + pub(crate) fn new_other_name( + oid: Asn1Object, + value: &Vec, + ) -> Result { + unsafe { + ffi::init(); + + let typ = cvt_p(ffi::d2i_ASN1_TYPE( + ptr::null_mut(), + &mut value.as_ptr().cast(), + value.len().try_into().unwrap(), + ))?; + + let gn = cvt_p(ffi::GENERAL_NAME_new())?; + (*gn).type_ = ffi::GEN_OTHERNAME; + + if let Err(e) = cvt(ffi::GENERAL_NAME_set0_othername( + gn, + oid.as_ptr().cast(), + typ, + )) { + ffi::GENERAL_NAME_free(gn); + return Err(e); + } + + mem::forget(oid); + + Ok(GeneralName::from_ptr(gn)) + } + } } impl GeneralNameRef { diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index a3f3cd8803..da3ce2fed2 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -27,6 +27,9 @@ use crate::x509::{CrlReason, X509Builder}; use crate::x509::{ CrlStatus, X509Crl, X509Extension, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509, }; + +#[cfg(ossl110)] +use foreign_types::ForeignType; use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] use libc::time_t; @@ -1105,6 +1108,31 @@ fn ipv6_as_subject_alternative_name_is_formatted_in_debug() { ]); } +#[cfg(ossl110)] +#[test] +fn other_name_as_subject_alternative_name() { + let oid = Asn1Object::from_str("1.3.6.1.5.5.7.8.11").unwrap(); + // this is the hex representation of "test" encoded as a ia5string + let content = [0x16, 0x04, 0x74, 0x65, 0x73, 0x74]; + + let mut builder = X509Builder::new().unwrap(); + let san = SubjectAlternativeName::new() + .other_name2(oid, &content) + .build(&builder.x509v3_context(None, None)) + .unwrap(); + builder.append_extension(san).unwrap(); + let cert = builder.build(); + let general_name = cert + .subject_alt_names() + .into_iter() + .flatten() + .next() + .unwrap(); + unsafe { + assert_eq!((*general_name.as_ptr()).type_, 0); + } +} + #[test] fn test_dist_point() { let cert = include_bytes!("../../test/certv3.pem"); 
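Review bot: `GeneralName::new_other_name` leaks the `ASN1_TYPE` returned by `d2i_ASN1_TYPE` on both error paths. If `GENERAL_NAME_new` fails, the `?` returns with `typ` still allocated. If `GENERAL_NAME_set0_othername` fails, only `gn` is freed, although ownership of `typ` was never transferred. The fix is to free `typ` on each of those paths, as in the excerpt below. Separately, the pointer that `d2i_ASN1_TYPE` advances is a temporary, so bytes following the first DER element in `value` are never detected. If `other_name2` is meant to accept exactly one encoded value, compare the consumed length with `value.len()`. The parameter would also read better as `value: &[u8]`.

```rust
// … unchanged: ffi::init() and the d2i_ASN1_TYPE call that yields `typ` …

let gn = match cvt_p(ffi::GENERAL_NAME_new()) {
    Ok(gn) => gn,
    Err(e) => {
        // `typ` is still owned by this function; release it before returning.
        ffi::ASN1_TYPE_free(typ);
        return Err(e);
    }
};
(*gn).type_ = ffi::GEN_OTHERNAME;

if let Err(e) = cvt(ffi::GENERAL_NAME_set0_othername(
    gn,
    oid.as_ptr().cast(),
    typ,
)) {
    // set0 takes ownership only on success, so `typ` must be freed here too.
    ffi::ASN1_TYPE_free(typ);
    ffi::GENERAL_NAME_free(gn);
    return Err(e);
}

// … unchanged: mem::forget(oid) and the Ok(GeneralName::from_ptr(gn)) return …
```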
From 8436f088898a7a286fb1af7e552d644d411e95db Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Sat, 27 May 2023 11:30:13 -0400 Subject: [PATCH 51/84] Allow LibreSSL 3.8.0 --- openssl-sys/build/main.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index ba149c17ff..1762068d75 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -285,6 +285,7 @@ See rust-openssl documentation for more information: (3, 7, 0) => ('3', '7', '0'), (3, 7, 1) => ('3', '7', '1'), (3, 7, _) => ('3', '7', 'x'), + (3, 8, 0) => ('3', '8', '0'), _ => version_error(), }; @@ -327,7 +328,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.7.x, but a different version of OpenSSL was found. The build is now aborting +through 3.8.0, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " From e41a13249630a9b3bed7dd84e243bf85f4d2fd4b Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Sat, 27 May 2023 11:31:02 -0400 Subject: [PATCH 52/84] CI: bump LibreSSL --- .github/workflows/ci.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 71deb57ab9..75117ffab8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -181,7 +181,12 @@ jobs: bindgen: true library: name: libressl - version: 3.7.2 + version: 3.7.3 + - target: x86_64-unknown-linux-gnu + bindgen: true + library: + name: libressl + version: 3.8.0 - target: x86_64-unknown-linux-gnu bindgen: false library: 
@@ -191,7 +196,12 @@ jobs: bindgen: false library: name: libressl - version: 3.7.2 + version: 3.7.3 + - target: x86_64-unknown-linux-gnu + bindgen: false + library: + name: libressl + version: 3.8.0 name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} runs-on: ubuntu-latest env: From b937b66ae6c3c1828c33477f234cdf6fe7f31700 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 28 May 2023 04:46:03 -0500 Subject: [PATCH 53/84] add Dsa with some helper functions DSA is terrible, I'm sorry we have to add this --- openssl/src/dsa.rs | 63 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 62 insertions(+), 1 deletion(-) diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index c550f6548b..d8dcaa9fdb 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -14,7 +14,7 @@ use std::ptr; use crate::bn::{BigNum, BigNumRef}; use crate::error::ErrorStack; -use crate::pkey::{HasParams, HasPrivate, HasPublic, Private, Public}; +use crate::pkey::{HasParams, HasPrivate, HasPublic, Params, Private, Public}; use crate::util::ForeignTypeRefExt; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; 
@@ -183,6 +183,49 @@ type BitType = libc::c_uint; #[cfg(not(boringssl))] type BitType = c_int; +impl Dsa { + /// Creates a DSA params based upon the given parameters. + #[corresponds(DSA_set0_pqg)] + pub fn from_pqg(p: BigNum, q: BigNum, g: BigNum) -> Result, ErrorStack> { + unsafe { + let dsa = Dsa::from_ptr(cvt_p(ffi::DSA_new())?); + cvt(DSA_set0_pqg(dsa.0, p.as_ptr(), q.as_ptr(), g.as_ptr()))?; + mem::forget((p, q, g)); + Ok(dsa) + } + } + + /// Generates DSA params based on the given number of bits. + #[corresponds(DSA_generate_parameters_ex)] + pub fn generate_params(bits: u32) -> Result, ErrorStack> { + ffi::init(); + unsafe { + let dsa = Dsa::from_ptr(cvt_p(ffi::DSA_new())?); + cvt(ffi::DSA_generate_parameters_ex( + dsa.0, + bits as BitType, + ptr::null(), + 0, + ptr::null_mut(), + ptr::null_mut(), + ptr::null_mut(), + ))?; + Ok(dsa) + } + } + + /// Generates a private key based on the DSA params. + #[corresponds(DSA_generate_key)] + pub fn generate_key(self) -> Result, ErrorStack> { + unsafe { + let dsa_ptr = self.0; + cvt(ffi::DSA_generate_key(dsa_ptr))?; + mem::forget(self); + Ok(Dsa::from_ptr(dsa_ptr)) + } + } +} + impl Dsa { /// Generate a DSA key pair. /// @@ -556,6 +599,24 @@ mod test { assert_eq!(dsa.g(), &BigNum::from_u32(60).unwrap()); } + #[test] + fn test_params() { + let params = Dsa::generate_params(1024).unwrap(); + let p = params.p().to_owned().unwrap(); + let q = params.q().to_owned().unwrap(); + let g = params.g().to_owned().unwrap(); + let key = params.generate_key().unwrap(); + let params2 = Dsa::from_pqg( + key.p().to_owned().unwrap(), + key.q().to_owned().unwrap(), + key.g().to_owned().unwrap(), + ) + .unwrap(); + assert_eq!(p, *params2.p()); + assert_eq!(q, *params2.q()); + assert_eq!(g, *params2.g()); + } + #[test] #[cfg(not(boringssl))] fn test_signature() { From c972e700df5ab3edafc3d966d74eaa99bc9d460a Mon Sep 17 00:00:00 2001 
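Review bot: `generate_params` in openssl/src/dsa.rs converts its argument with `bits as BitType`. On non-BoringSSL builds that is a `u32` to `c_int` cast, so a value above `c_int::MAX` wraps to a negative bit count instead of being rejected before the FFI call. The doc comment gives no accepted range, so whatever the caller passes goes straight to `DSA_generate_parameters_ex`. I would either use a checked conversion (`BitType::try_from(bits)`) and return an error, or at least document the limit: `/// `bits` is the length of the prime `p` and is passed to OpenSSL as a C integer; values that do not fit are not supported.` It would also help to say in the docs that `generate_key` consumes the parameters, and that `from_pqg` takes ownership of `p`, `q` and `g`.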
From: Paul Kehrer Date: Sun, 28 May 2023 09:18:18 -0500 Subject: [PATCH 54/84] reimplement Dsa::generate in terms of generate_params/generate_key --- openssl/src/dsa.rs | 23 ++--------------------- 1 file changed, 2 insertions(+), 21 deletions(-) diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index d8dcaa9fdb..1f594f28b4 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -229,29 +229,10 @@ impl Dsa { impl Dsa { /// Generate a DSA key pair. /// - /// Calls [`DSA_generate_parameters_ex`] to populate the `p`, `g`, and `q` values. - /// These values are used to generate the key pair with [`DSA_generate_key`]. - /// /// The `bits` parameter corresponds to the length of the prime `p`. - /// - /// [`DSA_generate_parameters_ex`]: https://www.openssl.org/docs/manmaster/crypto/DSA_generate_parameters_ex.html - /// [`DSA_generate_key`]: https://www.openssl.org/docs/manmaster/crypto/DSA_generate_key.html pub fn generate(bits: u32) -> Result, ErrorStack> { - ffi::init(); - unsafe { - let dsa = Dsa::from_ptr(cvt_p(ffi::DSA_new())?); - cvt(ffi::DSA_generate_parameters_ex( - dsa.0, - bits as BitType, - ptr::null(), - 0, - ptr::null_mut(), - ptr::null_mut(), - ptr::null_mut(), - ))?; - cvt(ffi::DSA_generate_key(dsa.0))?; - Ok(dsa) - } + let params = Dsa::generate_params(bits)?; + params.generate_key() } /// Create a DSA key pair with the given parameters From b3cdda01b571535afe596927b59cf4690b47b806 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 May 2023 14:24:25 -0400 Subject: [PATCH 55/84] Added DER serialization for `DSAPrivateKey` --- openssl/src/dsa.rs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index 1f594f28b4..1463ee4115 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs 
@@ -127,6 +127,13 @@ where ffi::PEM_write_bio_DSAPrivateKey } + to_der! { + /// Serializes the private_key to a DER-encoded `DSAPrivateKey` structure. + #[corresponds(i2d_DSAPrivateKey)] + private_key_to_der, + ffi::i2d_DSAPrivateKey + } + /// Returns a reference to the private key component of `self`. #[corresponds(DSA_get0_key)] pub fn priv_key(&self) -> &BigNumRef { From 6a65a2b5138c012f1bc60e947ddc52d20795454a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 30 May 2023 09:01:23 +0800 Subject: [PATCH 56/84] version bump 0.9.88 and 0.10.53 --- openssl-sys/CHANGELOG.md | 15 ++++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 10 +++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 26 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 324ff1a82a..48029f8aab 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,18 @@ ## [Unreleased] +## [v0.9.88] - 2023-05-30 + +### Added + +* Added support for the LibreSSL 3.8.0. +* Added support for detecting `OPENSSL_NO_RC4`. +* Added `OBJ_dup`. +* Added `ASN1_TYPE_new`, `ASN1_TYPE_set`, `d2i_ASN1_TYPE`, and `i2d_ASN1_TYPE`. +* Added `SSL_bytes_to_cipher_list`, `SSL_CTX_get_num_tickets`, and `SSL_get_num_tickets`. +* Added `GENERAL_NAME_set0_othername`. +* Added `X509_get_pathlen`. + ## [v0.9.87] - 2023-04-24 ### Added 
@@ -446,7 +458,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88..master +[v0.9.88]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87...openssl-sys-v0.9.88 [v0.9.87]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86...openssl-sys-v0.9.87 [v0.9.86]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.86 [v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.84...openssl-sys-v0.9.85 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 811318bbaf..7589a3ca0e 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.87" +version = "0.9.88" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index c62da00a1b..79e0d9c1ff 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,13 @@ ## [Unreleased] +## [v0.10.53] - 2023-05-30 + +### Added + +* Added `Dsa::from_pqg`, `Dsa::generate_key`, and `Dsa::generate_params`. +* Added `SslRef::bytes_to_cipher_list`. + ## [v0.10.52] - 2023-04-24 ### Added 
@@ -747,7 +754,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...master +[v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 [v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...openssl-v0.10.52 [v0.10.51]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...openssl-v0.10.51 [v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index addf5cb060..e6f5e4d565 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.52" +version = "0.10.53" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.87", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.88", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 7a040da108ced53e227fa48225759f3fce7487e0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 30 May 2023 09:29:45 +0800 Subject: [PATCH 57/84] Update openssl/CHANGELOG.md Co-authored-by: Alex Gaynor --- openssl/CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 79e0d9c1ff..b174156a5a 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -8,6 +8,7 @@ * Added `Dsa::from_pqg`, `Dsa::generate_key`, and `Dsa::generate_params`. * Added `SslRef::bytes_to_cipher_list`. +* Added `SubjectAlternativeName::other_name2` ## [v0.10.52] - 2023-04-24 From b83aec7f30ab295011c23cd6e479abcc69039bbe Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Wed, 31 May 2023 13:49:34 -0400 Subject: [PATCH 58/84] Remove converting PKCS#8 passphrase to CString It's not required, there's an explicit length. --- openssl/src/pkey.rs | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 82a0a9d136..af41421768 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -57,7 +57,7 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_int, c_long}; use openssl_macros::corresponds; -use std::convert::TryFrom; +use std::convert::{TryFrom, TryInto}; use std::ffi::CString; use std::fmt; use std::mem; @@ -350,10 +350,6 @@ where /// Serializes a private key into a DER-formatted PKCS#8, using the supplied password to /// encrypt the key. - /// - /// # Panics - /// - /// Panics if `passphrase` contains an embedded null. #[corresponds(i2d_PKCS8PrivateKey_bio)] pub fn private_key_to_pkcs8_passphrase( &self, @@ -362,14 +358,12 @@ where ) -> Result, ErrorStack> { unsafe { let bio = MemBio::new()?; - let len = passphrase.len(); - let passphrase = CString::new(passphrase).unwrap(); cvt(ffi::i2d_PKCS8PrivateKey_bio( bio.as_ptr(), self.as_ptr(), cipher.as_ptr(), passphrase.as_ptr() as *const _ as *mut _, - len as ::libc::c_int, + passphrase.len().try_into().unwrap(), None, ptr::null_mut(), ))?; From 68ff80a935857c3e6a0b99905292e81af600e250 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 31 May 2023 21:31:38 -0400 Subject: [PATCH 59/84] Version bump for openssl v0.10.54 release --- openssl/CHANGELOG.md | 11 +++++++++-- openssl/Cargo.toml | 2 +- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index b174156a5a..29af6ca816 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md 
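Review bot: The `# Panics` section is deleted from `private_key_to_pkcs8_passphrase`, but the replacement `passphrase.len().try_into().unwrap()` still panics when the length does not fit the FFI parameter. That parameter is presumably `c_int`, since the removed line cast with `as ::libc::c_int`. The panic condition has changed (embedded NUL before, oversize length now) rather than gone away, so the section should stay with the new wording: `/// # Panics` then `/// Panics if `passphrase` is longer than `c_int::MAX` bytes.` The import hunk keeps `use std::ffi::CString;`; whether anything else in pkey.rs still uses it is not visible here, so check for an unused-import warning.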
@@ -2,6 +2,12 @@ ## [Unreleased] +## [v0.10.54] - 2023-05-31 + +### Fixed + +* `PKey::private_key_to_pkcs8_passphrase` no longer panics if a `passphrase` contains a NUL byte. + ## [v0.10.53] - 2023-05-30 ### Added @@ -755,8 +761,9 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...master -[v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...master +[v0.10.54]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...openssl-v0.10.54 +[v0.10.53]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 [v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...openssl-v0.10.52 [v0.10.51]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...openssl-v0.10.51 [v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index e6f5e4d565..c4367cd4c6 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.53" +version = "0.10.54" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" From 90d9199f858c0fc887f2a6778bb05f611a0ff456 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 3 Jun 2023 21:36:33 -0400 Subject: [PATCH 60/84] Fix warnings from BoringSSL on Rust 1.70 --- openssl-sys/build/run_bindgen.rs | 8 ++++++++ openssl-sys/src/lib.rs | 1 + 2 files changed, 9 insertions(+) diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 4fa9ec66f2..87b748f23b 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs 
@@ -110,11 +110,15 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { let mut builder = bindgen::builder() .rust_target(RustTarget::Stable_1_47) .ctypes_prefix("::libc") + .raw_line("use libc::*;") .derive_default(false) .enable_function_attribute_detection() .default_macro_constant_type(MacroTypeVariation::Signed) .rustified_enum("point_conversion_form_t") .allowlist_file(".*/openssl/[^/]+\\.h") + .allowlist_recursively(false) + .blocklist_function("BIO_vsnprintf") + .blocklist_function("OPENSSL_vasprintf") .wrap_static_fns(true) .wrap_static_fns_path(out_dir.join("boring_static_wrapper").display().to_string()) .layout_tests(false) @@ -165,11 +169,15 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { .arg(out_dir.join("bindgen.rs")) .arg("--rust-target=1.47") .arg("--ctypes-prefix=::libc") + .arg("--raw-line=use libc::*;") .arg("--no-derive-default") .arg("--enable-function-attribute-detection") .arg("--default-macro-constant-type=signed") .arg("--rustified-enum=point_conversion_form_t") .arg("--allowlist-file=.*/openssl/[^/]+\\.h") + .arg("--no-recursive-allowlist") + .arg("--blocklist-function=BIO_vsnprintf") + .arg("--blocklist-function=OPENSSL_vasprintf") .arg("--experimental") .arg("--wrap-static-fns") .arg("--wrap-static-fns-path") diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index c3084755cc..5a65e8b349 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -10,6 +10,7 @@ overflowing_literals, unused_imports )] +#![cfg_attr(feature = "unstable_boringssl", allow(ambiguous_glob_reexports))] #![doc(html_root_url = "https://docs.rs/openssl-sys/0.9")] #![recursion_limit = "128"] // configure fixed limit across all rust versions From e476f9a08a40c1cde55950f26f1e5203c51d0889 Mon Sep 17 00:00:00 2001 
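Review bot: The four new options in run_bindgen.rs are written twice, once on the `bindgen::builder()` chain and once as `bindgen_cmd` arguments in the second hunk, and nothing ties the two lists together, so they can drift apart. A comment on each list such as `// Keep in sync with the other bindgen invocation in this function.` would help. The two blocklist entries also deserve a why-comment; presumably `BIO_vsnprintf` and `OPENSSL_vasprintf` are excluded because their `va_list` parameter is no longer generated once recursive allowlisting is off. With `use libc::*;` injected, any type the headers reference but do not define now resolves to whatever libc exports under that name, so it is worth confirming that those definitions match the C layout on all supported targets.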
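Review bot: The `allow(ambiguous_glob_reexports)` added in lib.rs is crate-wide for every `unstable_boringssl` build, so a later, unintended name collision between glob re-exports would be silenced as well. If the known collision comes from a single `pub use ...::*;` item (not visible in this hunk), putting the `#[allow]` on that item with a short comment naming the colliding symbols keeps the lint useful elsewhere. The lint name is recent (the commit title mentions Rust 1.70), so older toolchains may report it under `unknown_lints`; confirm against the minimum supported compiler.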
From: David Benjamin Date: Sun, 4 Jun 2023 13:15:22 -0400 Subject: [PATCH 61/84] Honor OPENSSL_NO_OCB if OpenSSL was built this way Setting ossl110 in the BoringSSL build (see #1944) causes rust-openssl to expect OCB support. However, OpenSSL already has a feature guard for OCB, which BoringSSL sets. rust-openssl just isn't honoring it. This fixes building against an OpenSSL built with ./config no-ocb --- openssl-sys/build/expando.c | 4 ++++ openssl/src/symm.rs | 14 +++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index 54681a0b95..5d003d9022 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -75,6 +75,10 @@ RUST_CONF_OPENSSL_NO_NEXTPROTONEG RUST_CONF_OPENSSL_NO_OCSP #endif +#ifdef OPENSSL_NO_OCB +RUST_CONF_OPENSSL_NO_OCB +#endif + #ifdef OPENSSL_NO_PSK RUST_CONF_OPENSSL_NO_PSK #endif diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 611080805f..8da341f7f6 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -142,7 +142,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_128_ocb() -> Cipher { unsafe { Cipher(ffi::EVP_aes_128_ocb()) } } @@ -187,7 +187,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_192_ocb() -> Cipher { unsafe { Cipher(ffi::EVP_aes_192_ocb()) } } @@ -237,7 +237,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_256_ocb() -> Cipher { unsafe { Cipher(ffi::EVP_aes_256_ocb()) } } 
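Review bot: The doc comments on `aes_128_ocb`, `aes_192_ocb` and `aes_256_ocb` still read "Requires OpenSSL 1.1.0 or newer." although the new cfg also requires a library built with OCB enabled. A caller reading the docs gets no hint why the function is missing against a `no-ocb` build (or BoringSSL, per the commit message). Suggest `/// Requires OpenSSL 1.1.0 or newer, built without OPENSSL_NO_OCB.` on all three.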
@@ -402,14 +402,14 @@ impl Cipher { } /// Determines whether the cipher is using OCB mode - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] fn is_ocb(self) -> bool { self == Cipher::aes_128_ocb() || self == Cipher::aes_192_ocb() || self == Cipher::aes_256_ocb() } - #[cfg(not(ossl110))] + #[cfg(any(not(ossl110), osslconf = "OPENSSL_NO_OCB"))] const fn is_ocb(self) -> bool { false } @@ -1422,7 +1422,7 @@ mod tests { } #[test] - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] fn test_aes_128_ocb() { let key = "000102030405060708090a0b0c0d0e0f"; let aad = "0001020304050607"; @@ -1458,7 +1458,7 @@ mod tests { } #[test] - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] fn test_aes_128_ocb_fail() { let key = "000102030405060708090a0b0c0d0e0f"; let aad = "0001020304050607"; From 5283d7c994541a99bab9b33f809bd662a5aa47a7 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Sat, 3 Jun 2023 11:44:10 -0400 Subject: [PATCH 62/84] Fix some deprecated patterns when using BoringSSL The RSA and DSA changes will be needed to avoid build breakage soon. The others are mostly tidying up. There's another place around BIO that we'd ideally also switch over, but that depends on resolving the __fixed_rust mess first. This addresses a symptom of #1944, but not the root cause. --- openssl/src/asn1.rs | 2 +- openssl/src/dsa.rs | 5 +++-- openssl/src/ecdsa.rs | 2 +- openssl/src/hash.rs | 2 +- openssl/src/md_ctx.rs | 2 +- openssl/src/rsa.rs | 2 +- 6 files changed, 8 insertions(+), 7 deletions(-) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 0e720ae0b3..801310d411 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -738,7 +738,7 @@ impl fmt::Debug for Asn1ObjectRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::ASN1_STRING_get0_data; } else { #[allow(bad_style)] 
diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index 1463ee4115..1a63e8ad8f 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -7,6 +7,7 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; +#[cfg(not(boringssl))] use libc::c_int; use std::fmt; use std::mem; @@ -314,7 +315,7 @@ impl fmt::Debug for Dsa { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{DSA_get0_key, DSA_get0_pqg, DSA_set0_key, DSA_set0_pqg}; } else { #[allow(bad_style)] @@ -493,7 +494,7 @@ impl DsaSigRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{DSA_SIG_set0, DSA_SIG_get0}; } else { #[allow(bad_style)] diff --git a/openssl/src/ecdsa.rs b/openssl/src/ecdsa.rs index 0a960e7b9e..f3b27b3953 100644 --- a/openssl/src/ecdsa.rs +++ b/openssl/src/ecdsa.rs @@ -110,7 +110,7 @@ impl EcdsaSigRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{ECDSA_SIG_set0, ECDSA_SIG_get0}; } else { #[allow(bad_style)] diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 37442fb274..52d73deed4 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -43,7 +43,7 @@ use crate::nid::Nid; use crate::{cvt, cvt_p}; cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, boringssl))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; diff --git a/openssl/src/md_ctx.rs b/openssl/src/md_ctx.rs index c4d3f06b94..156f3c2fc9 100644 --- a/openssl/src/md_ctx.rs +++ b/openssl/src/md_ctx.rs @@ -93,7 +93,7 @@ use std::convert::TryFrom; use std::ptr; cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, boringssl))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; 
diff --git a/openssl/src/rsa.rs b/openssl/src/rsa.rs index 68cf64b036..f155b12dfe 100644 --- a/openssl/src/rsa.rs +++ b/openssl/src/rsa.rs @@ -581,7 +581,7 @@ impl fmt::Debug for Rsa { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{ RSA_get0_key, RSA_get0_factors, RSA_get0_crt_params, RSA_set0_key, RSA_set0_factors, RSA_set0_crt_params, From a3b6cb5fdc7df2754ab9a5d3f4039e469e42d332 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 4 Jun 2023 08:55:49 +0800 Subject: [PATCH 63/84] add get_asn1_flag to EcGroupRef --- openssl-sys/src/handwritten/ec.rs | 2 ++ openssl/src/ec.rs | 13 +++++++++++++ 2 files changed, 15 insertions(+) diff --git a/openssl-sys/src/handwritten/ec.rs b/openssl-sys/src/handwritten/ec.rs index 6ee475f327..ec781a715a 100644 --- a/openssl-sys/src/handwritten/ec.rs +++ b/openssl-sys/src/handwritten/ec.rs @@ -46,6 +46,8 @@ extern "C" { pub fn EC_GROUP_set_asn1_flag(key: *mut EC_GROUP, flag: c_int); + pub fn EC_GROUP_get_asn1_flag(group: *const EC_GROUP) -> c_int; + pub fn EC_GROUP_get_curve_GFp( group: *const EC_GROUP, p: *mut BIGNUM, diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 248ced3e41..55523fee0a 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -294,6 +294,12 @@ impl EcGroupRef { } } + /// Gets the flag determining if the group corresponds to a named curve. + #[corresponds(EC_GROUP_get_asn1_flag)] + pub fn get_asn1_flag(&mut self) -> Asn1Flag { + unsafe { Asn1Flag(ffi::EC_GROUP_get_asn1_flag(self.as_ptr())) } + } + /// Returns the name of the curve, if a name is associated. #[corresponds(EC_GROUP_get_curve_name)] pub fn curve_name(&self) -> Option { 
@@ -1265,4 +1271,11 @@ mod test { let group2 = EcGroup::from_curve_name(Nid::X9_62_PRIME239V3).unwrap(); assert!(!g.is_on_curve(&group2, &mut ctx).unwrap()); } + + #[test] + fn get_flags() { + let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let flag = group.get_asn1_flag(); + assert_eq!(flag.0, Asn1Flag::NAMED_CURVE.0); + } } From faae7bb9ad7d569e16b7d21295d813dd4672ef07 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 4 Jun 2023 12:33:47 +0800 Subject: [PATCH 64/84] rename and test on openssl 1.1.0+ --- openssl/src/ec.rs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 55523fee0a..d6ef049101 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -296,7 +296,7 @@ impl EcGroupRef { /// Gets the flag determining if the group corresponds to a named curve. #[corresponds(EC_GROUP_get_asn1_flag)] - pub fn get_asn1_flag(&mut self) -> Asn1Flag { + pub fn asn1_flag(&mut self) -> Asn1Flag { unsafe { Asn1Flag(ffi::EC_GROUP_get_asn1_flag(self.as_ptr())) } } @@ -1273,9 +1273,10 @@ mod test { } #[test] - fn get_flags() { + #[cfg(not(any(ossl102, ossl101)))] + fn asn1_flag() { let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); - let flag = group.get_asn1_flag(); + let flag = group.asn1_flag(); assert_eq!(flag.0, Asn1Flag::NAMED_CURVE.0); } } From 38a54607ad8901819fa8292f69757b51ce59e8d9 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 07:08:20 +0800 Subject: [PATCH 65/84] partialeq on asn1flag --- openssl/src/ec.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index d6ef049101..446697f527 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs 
@@ -57,7 +57,7 @@ impl PointConversionForm { /// Named Curve or Explicit /// /// This type acts as a boolean as to whether the `EcGroup` is named or explicit. -#[derive(Copy, Clone)] +#[derive(Copy, Clone, PartialEq)] pub struct Asn1Flag(c_int); impl Asn1Flag { @@ -1277,6 +1277,6 @@ mod test { fn asn1_flag() { let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let flag = group.asn1_flag(); - assert_eq!(flag.0, Asn1Flag::NAMED_CURVE.0); + assert_eq!(flag, Asn1Flag::NAMED_CURVE); } } From 37966b326fd417142f912f18dd67ad3e27bac570 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 07:20:20 +0800 Subject: [PATCH 66/84] fix test target configs, add debug derive --- openssl/src/ec.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 446697f527..22d6d1888d 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -57,7 +57,7 @@ impl PointConversionForm { /// Named Curve or Explicit /// /// This type acts as a boolean as to whether the `EcGroup` is named or explicit. -#[derive(Copy, Clone, PartialEq)] +#[derive(Copy, Clone, Debug, PartialEq)] pub struct Asn1Flag(c_int); impl Asn1Flag { @@ -1273,7 +1273,7 @@ mod test { } #[test] - #[cfg(not(any(ossl102, ossl101)))] + #[cfg(any(boringssl, ossl111, libressl350))] fn asn1_flag() { let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let flag = group.asn1_flag(); From d52ac4e4f08b4d0c4d1b2d181d6baee3f042e972 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 4 Jun 2023 19:42:34 -0400 Subject: [PATCH 67/84] Fixed type mutability on asn1_flag --- openssl/src/ec.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 22d6d1888d..6993e4edda 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs 
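Review bot: `Asn1Flag` gains `PartialEq` (and `Debug` in the following commit) but not `Eq`, although its only field is a `c_int`, for which equality is total. Deriving both, `#[derive(Copy, Clone, Debug, PartialEq, Eq)]`, costs nothing, allows the type where an `Eq` bound is needed, and avoids clippy's `derive_partial_eq_without_eq`.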
@@ -296,7 +296,7 @@ impl EcGroupRef { /// Gets the flag determining if the group corresponds to a named curve. #[corresponds(EC_GROUP_get_asn1_flag)] - pub fn asn1_flag(&mut self) -> Asn1Flag { + pub fn asn1_flag(&self) -> Asn1Flag { unsafe { Asn1Flag(ffi::EC_GROUP_get_asn1_flag(self.as_ptr())) } } From 1b9fba4e782affd312f9c9ad6f80d57eb8a82be1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 4 Jun 2023 19:47:47 -0400 Subject: [PATCH 68/84] Update ec.rs --- openssl/src/ec.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 6993e4edda..5310564ecc 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -1275,7 +1275,7 @@ mod test { #[test] #[cfg(any(boringssl, ossl111, libressl350))] fn asn1_flag() { - let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let flag = group.asn1_flag(); assert_eq!(flag, Asn1Flag::NAMED_CURVE); } From 7b18e903c6c1a0adc09b0eb7ea1876fad70fbe37 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 08:19:17 +0800 Subject: [PATCH 69/84] allow affine_coordinates on boring and libre --- openssl-sys/src/handwritten/ec.rs | 2 +- openssl/src/ec.rs | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl-sys/src/handwritten/ec.rs b/openssl-sys/src/handwritten/ec.rs index ec781a715a..182a5559a3 100644 --- a/openssl-sys/src/handwritten/ec.rs +++ b/openssl-sys/src/handwritten/ec.rs @@ -101,7 +101,7 @@ extern "C" { pub fn EC_POINT_dup(p: *const EC_POINT, group: *const EC_GROUP) -> *mut EC_POINT; - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl, libressl350))] pub fn EC_POINT_get_affine_coordinates( group: *const EC_GROUP, p: *const EC_POINT, diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 5310564ecc..b648aec334 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs 
@@ -491,7 +491,7 @@ impl EcPointRef { /// Places affine coordinates of a curve over a prime field in the provided /// `x` and `y` `BigNum`s. #[corresponds(EC_POINT_get_affine_coordinates)] - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl, libressl350))] pub fn affine_coordinates( &self, group: &EcGroupRef, @@ -1197,7 +1197,7 @@ mod test { assert!(ec_key.check_key().is_ok()); } - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl, libressl350))] #[test] fn get_affine_coordinates() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); From f783cbe145cc084a160e478dfe1fb9dc50dcdcab Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 09:27:04 +0800 Subject: [PATCH 70/84] add support for EVP_PKEY_derive_set_peer_ex in OpenSSL 3 via Deriver::set_peer_ex --- openssl-sys/src/handwritten/evp.rs | 6 +++++ openssl/src/derive.rs | 38 ++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index db018e9a42..4041d8b671 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -522,6 +522,12 @@ extern "C" { pub fn EVP_PKEY_derive_init(ctx: *mut EVP_PKEY_CTX) -> c_int; pub fn EVP_PKEY_derive_set_peer(ctx: *mut EVP_PKEY_CTX, peer: *mut EVP_PKEY) -> c_int; + #[cfg(ossl300)] + pub fn EVP_PKEY_derive_set_peer_ex( + ctx: *mut EVP_PKEY_CTX, + peer: *mut EVP_PKEY, + validate_peer: c_int, + ) -> c_int; pub fn EVP_PKEY_derive(ctx: *mut EVP_PKEY_CTX, key: *mut c_uchar, size: *mut size_t) -> c_int; #[cfg(ossl300)] diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index 5d422f6976..ef1f61424d 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs 
@@ -93,6 +93,30 @@ impl<'a> Deriver<'a> { unsafe { cvt(ffi::EVP_PKEY_derive_set_peer(self.0, key.as_ptr())).map(|_| ()) } } + /// Sets the peer key used for secret derivation along with optionally validating the peer public key. + /// + /// This corresponds to [`EVP_PKEY_derive_set_peer_ex`]: + /// + /// [`EVP_PKEY_derive_set_peer_ex`]: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_derive_set_peer_ex.html + #[cfg(ossl300)] + pub fn set_peer_ex( + &mut self, + key: &'a PKeyRef, + validate_peer: bool, + ) -> Result<(), ErrorStack> + where + T: HasPublic, + { + unsafe { + cvt(ffi::EVP_PKEY_derive_set_peer_ex( + self.0, + key.as_ptr(), + validate_peer as i32, + )) + .map(|_| ()) + } + } + /// Returns the size of the shared secret. /// /// It can be used to size the buffer passed to [`Deriver::derive`]. @@ -179,4 +203,18 @@ mod test { let shared = deriver.derive_to_vec().unwrap(); assert!(!shared.is_empty()); } + + #[test] + #[cfg(ossl300)] + fn test_ec_key_derive_ex() { + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let ec_key = EcKey::generate(&group).unwrap(); + let ec_key2 = EcKey::generate(&group).unwrap(); + let pkey = PKey::from_ec_key(ec_key).unwrap(); + let pkey2 = PKey::from_ec_key(ec_key2).unwrap(); + let mut deriver = Deriver::new(&pkey).unwrap(); + deriver.set_peer_ex(&pkey2, true).unwrap(); + let shared = deriver.derive_to_vec().unwrap(); + assert!(!shared.is_empty()); + } } From 45e4fc23c8a68685ce076ead1ab01f21970633c0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 08:26:57 +0800 Subject: [PATCH 71/84] Update openssl/src/derive.rs Co-authored-by: Steven Fackler --- openssl/src/derive.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index ef1f61424d..e5ecaadbc2 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs 
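Review bot: The doc comment on `set_peer_ex` does not say what a caller gives up by passing `validate_peer = false`: the peer's public key is then accepted without the library's validity check, which is the check that rejects malformed or off-curve peer keys before they are used in the derivation. Add a sentence such as `/// Pass true unless the peer key has already been validated; with false the key is used without being checked.` As far as I know, the existing `set_peer` behaves like `validate_peer = true` on OpenSSL 3, which would also be worth stating. `validate_peer as i32` would read better as `c_int::from(validate_peer)`, matching the `validate_peer: c_int` parameter declared in openssl-sys (if `c_int` is in scope in this file). The test in the next hunk exercises only the `true` path.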
@@ -95,9 +95,8 @@ impl<'a> Deriver<'a> { /// Sets the peer key used for secret derivation along with optionally validating the peer public key. /// - /// This corresponds to [`EVP_PKEY_derive_set_peer_ex`]: - /// - /// [`EVP_PKEY_derive_set_peer_ex`]: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_derive_set_peer_ex.html + /// Requires OpenSSL 3.0.0 or newer. + #[corresponds(EVP_PKEY_derive_set_peer_ex)] #[cfg(ossl300)] pub fn set_peer_ex( &mut self, From 50ac347ad63974857e57742c8fcebeb6c9e9e59e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 10:07:06 +0800 Subject: [PATCH 72/84] add missing import --- openssl/src/derive.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index e5ecaadbc2..bfb85a6aba 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -56,6 +56,7 @@ use std::ptr; use crate::error::ErrorStack; use crate::pkey::{HasPrivate, HasPublic, PKeyRef}; use crate::{cvt, cvt_p}; +use openssl_macros::corresponds; /// A type used to derive a shared secret between two keys. pub struct Deriver<'a>(*mut ffi::EVP_PKEY_CTX, PhantomData<&'a ()>); From 87f1a1a1e8c5089de2810c358204a1822ea0b1ed Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 10:14:58 +0800 Subject: [PATCH 73/84] add another corresponds to avoid warnings about no use --- openssl/src/derive.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index bfb85a6aba..c62b902161 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -87,6 +87,7 @@ impl<'a> Deriver<'a> { /// This corresponds to [`EVP_PKEY_derive_set_peer`]: /// /// [`EVP_PKEY_derive_set_peer`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html + #[corresponds(EVP_PKEY_derive_set_peer)] pub fn set_peer(&mut self, key: &'a PKeyRef) -> Result<(), ErrorStack> where T: HasPublic, From 2604033874debae65cad42ecef47613f6a147e85 Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Wed, 7 Jun 2023 10:21:03 +0800 Subject: [PATCH 74/84] remove outdated comment --- openssl/src/derive.rs | 4 ---- 1 file changed, 4 deletions(-) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index c62b902161..424c5f92d7 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -83,10 +83,6 @@ impl<'a> Deriver<'a> { } /// Sets the peer key used for secret derivation. - /// - /// This corresponds to [`EVP_PKEY_derive_set_peer`]: - /// - /// [`EVP_PKEY_derive_set_peer`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html #[corresponds(EVP_PKEY_derive_set_peer)] pub fn set_peer(&mut self, key: &'a PKeyRef) -> Result<(), ErrorStack> where From c2f4d5875aaac9b4748a6734fb20af044d408c7b Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Thu, 8 Jun 2023 12:45:21 -0400 Subject: [PATCH 75/84] Use type-safe wrappers instead of EVP_PKEY_assign In OpenSSL, these are macros, so they didn't get imported by bindgen, but they're proper functions in BoringSSL and we'd prefer callers use those for safety. For OpenSSL, just add the corresponding functions in openssl-sys, matching how rust-openssl handles EVP_PKEY_CTX_ctrl. Using the type-safe wrappers flags that rust-openssl was trying to convert DH to EVP_PKEY, but BoringSSL doesn't actually support this. (DH is a legacy primitive, so we haven't routed it to EVP_PKEY right now.) --- openssl-sys/src/evp.rs | 16 ++++++++++++++++ openssl/src/pkey.rs | 26 ++++++-------------------- 2 files changed, 22 insertions(+), 20 deletions(-) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 72ca2434fc..07fae49eb5 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs 
@@ -285,3 +285,19 @@ pub unsafe fn EVP_PKEY_CTX_add1_hkdf_info( info as *mut c_void, ) } + +pub unsafe fn EVP_PKEY_assign_RSA(pkey: *mut EVP_PKEY, rsa: *mut RSA) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_RSA, rsa as *mut c_void) +} + +pub unsafe fn EVP_PKEY_assign_DSA(pkey: *mut EVP_PKEY, dsa: *mut DSA) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_DSA, dsa as *mut c_void) +} + +pub unsafe fn EVP_PKEY_assign_DH(pkey: *mut EVP_PKEY, dh: *mut DH) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_DH, dh as *mut c_void) +} + +pub unsafe fn EVP_PKEY_assign_EC_KEY(pkey: *mut EVP_PKEY, ec_key: *mut EC_KEY) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_EC, ec_key as *mut c_void) +} diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index af41421768..130024da3d 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -406,11 +406,7 @@ impl PKey { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_RSA, - rsa.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_RSA(pkey.0, rsa.as_ptr()))?; mem::forget(rsa); Ok(pkey) } @@ -422,11 +418,7 @@ impl PKey { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_DSA, - dsa.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_DSA(pkey.0, dsa.as_ptr()))?; mem::forget(dsa); Ok(pkey) } @@ -434,15 +426,12 @@ impl PKey { /// Creates a new `PKey` containing a Diffie-Hellman key. #[corresponds(EVP_PKEY_assign_DH)] + #[cfg(not(boringssl))] pub fn from_dh(dh: Dh) -> Result, ErrorStack> { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_DH, - dh.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_DH(pkey.0, dh.as_ptr()))?; mem::forget(dh); Ok(pkey) } 
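Review bot: The four new `pub unsafe fn EVP_PKEY_assign_*` wrappers in openssl-sys have no doc comment, and the contract the pkey.rs callers rely on is not written down anywhere. Each should get a short `# Safety` note saying that both pointers must be valid and that, on success, `pkey` takes ownership of the key object so the caller must not free it afterwards. The pkey.rs hunks depend on exactly this: `mem::forget(rsa)` runs only after `cvt(...)?` has succeeded, and on failure the Rust wrapper is dropped normally. It would also help to note on `from_dh` that it is unavailable under `boringssl`, since the cfg now removes it silently.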
@@ -454,11 +443,7 @@ impl PKey { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_EC, - ec_key.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_EC_KEY(pkey.0, ec_key.as_ptr()))?; mem::forget(ec_key); Ok(pkey) } @@ -861,6 +846,7 @@ impl TryFrom> for Dsa { } } +#[cfg(not(boringssl))] impl TryFrom> for PKey { type Error = ErrorStack; From 7c0f0a79d98608c7570baa25a379e7f312453c06 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Wed, 14 Jun 2023 10:24:00 +0800 Subject: [PATCH 76/84] add NID SM2 --- openssl-sys/src/obj_mac.rs | 2 ++ openssl/src/nid.rs | 2 ++ 2 files changed, 4 insertions(+) diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 22bfccba3f..6ae48834b5 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -935,6 +935,8 @@ pub const NID_ED25519: c_int = 952; #[cfg(ossl111)] pub const NID_ED448: c_int = 1088; #[cfg(ossl111)] +pub const NID_sm2: c_int = 1172; +#[cfg(ossl111)] pub const NID_sm3: c_int = 1143; #[cfg(libressl291)] pub const NID_sm3: c_int = 968; diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index c8c60885f1..91fcdeca9d 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -1074,6 +1074,8 @@ impl Nid { pub const AES_128_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_128_cbc_hmac_sha1); pub const AES_192_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_192_cbc_hmac_sha1); pub const AES_256_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_256_cbc_hmac_sha1); + #[cfg(ossl111)] + pub const SM2: Nid = Nid(ffi::NID_sm2); #[cfg(any(ossl111, libressl291))] pub const SM3: Nid = Nid(ffi::NID_sm3); #[cfg(ossl111)] From 9840b534e0996e39cde8ac5faedf81b68f3d2c3a Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Wed, 14 Jun 2023 10:34:58 +0800 Subject: [PATCH 77/84] add pkey Id SM2 --- openssl-sys/src/evp.rs | 2 ++ openssl/src/pkey.rs | 2 ++ 2 files changed, 4 insertions(+) 
diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 07fae49eb5..56eaa4bbff 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -10,6 +10,8 @@ pub const EVP_PKEY_RSA: c_int = NID_rsaEncryption; pub const EVP_PKEY_DSA: c_int = NID_dsa; pub const EVP_PKEY_DH: c_int = NID_dhKeyAgreement; pub const EVP_PKEY_EC: c_int = NID_X9_62_id_ecPublicKey; +#[cfg(ossl111)] +pub const EVP_PKEY_SM2: c_int = NID_sm2; #[cfg(any(ossl111, libressl370))] pub const EVP_PKEY_X25519: c_int = NID_X25519; #[cfg(any(ossl111, libressl370))] diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 130024da3d..453aeed72f 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -85,6 +85,8 @@ impl Id { pub const DSA: Id = Id(ffi::EVP_PKEY_DSA); pub const DH: Id = Id(ffi::EVP_PKEY_DH); pub const EC: Id = Id(ffi::EVP_PKEY_EC); + #[cfg(ossl111)] + pub const SM2: Id = Id(ffi::EVP_PKEY_SM2); #[cfg(any(ossl110, boringssl))] pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); From fb5ae60cbb1dbbb2e34d47e113b25bc31f4acc37 Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:16:03 +0700 Subject: [PATCH 78/84] clippy: remove unused allow attributes --- openssl-sys/build/cfgs.rs | 1 + openssl-sys/build/main.rs | 9 +-------- openssl-sys/src/lib.rs | 4 ---- 3 files changed, 2 insertions(+), 12 deletions(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index f09ec29b53..2f3ff3eafd 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -1,3 +1,4 @@ +#[allow(clippy::unusual_byte_groupings)] pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<&'static str> { let mut cfgs = vec![]; diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 1762068d75..306482d1a8 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs 
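Review bot: `Id::SM2` is added in pkey.rs without a doc comment, and the single `ossl111` cfg covers library versions that, as far as I know, report SM2 keys differently. On OpenSSL 1.1.1 a key on the SM2 curve is reported as `EVP_PKEY_EC` unless its alias type has been set explicitly, while OpenSSL 3 reports `EVP_PKEY_SM2` directly. Code that branches on `pkey.id() == Id::SM2` to pick an algorithm could therefore take the EC path on 1.1.1. If that is confirmed, add a comment on the constant, for example `/// On OpenSSL 1.1.1, SM2-curve keys report Id::EC unless the alias type was set.`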
@@ -1,9 +1,3 @@ -#![allow( - clippy::inconsistent_digit_grouping, - clippy::uninlined_format_args, - clippy::unusual_byte_groupings -)] - #[cfg(feature = "bindgen")] extern crate bindgen; extern crate cc; @@ -131,7 +125,6 @@ fn main() { } } -#[allow(clippy::let_and_return)] fn postprocess(include_dirs: &[PathBuf]) -> Version { let version = validate_headers(include_dirs); @@ -146,7 +139,7 @@ fn postprocess(include_dirs: &[PathBuf]) -> Version { /// Validates the header files found in `include_dir` and then returns the /// version string of OpenSSL. -#[allow(clippy::manual_strip)] // we need to support pre-1.45.0 +#[allow(clippy::unusual_byte_groupings)] fn validate_headers(include_dirs: &[PathBuf]) -> Version { // This `*-sys` crate only works with OpenSSL 1.0.1, 1.0.2, 1.1.0, 1.1.1 and 3.0.0. // To correctly expose the right API from this crate, take a look at diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 5a65e8b349..784b7637e1 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -1,13 +1,9 @@ #![allow( clippy::missing_safety_doc, - clippy::unreadable_literal, - clippy::uninlined_format_args, - clippy::upper_case_acronyms, dead_code, non_camel_case_types, non_snake_case, non_upper_case_globals, - overflowing_literals, unused_imports )] #![cfg_attr(feature = "unstable_boringssl", allow(ambiguous_glob_reexports))] From b1e16e927622b8c044f88de802523dead0b0ec5e Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:17:07 +0700 Subject: [PATCH 79/84] clippy: use strip_prefix instead of manually strip --- openssl-sys/build/main.rs | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 306482d1a8..6fb8c3ed82 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs 
@@ -203,17 +203,14 @@ See rust-openssl documentation for more information: let libressl_prefix = "RUST_VERSION_LIBRESSL_"; let boringsl_prefix = "RUST_OPENSSL_IS_BORINGSSL"; let conf_prefix = "RUST_CONF_"; - if line.starts_with(openssl_prefix) { - let version = &line[openssl_prefix.len()..]; + if let Some(version) = line.strip_prefix(openssl_prefix) { openssl_version = Some(parse_version(version)); - } else if line.starts_with(new_openssl_prefix) { - let version = &line[new_openssl_prefix.len()..]; + } else if let Some(version) = line.strip_prefix(new_openssl_prefix) { openssl_version = Some(parse_new_version(version)); - } else if line.starts_with(libressl_prefix) { - let version = &line[libressl_prefix.len()..]; + } else if let Some(version) = line.strip_prefix(libressl_prefix) { libressl_version = Some(parse_version(version)); - } else if line.starts_with(conf_prefix) { - enabled.push(&line[conf_prefix.len()..]); + } else if let Some(conf) = line.strip_prefix(conf_prefix) { + enabled.push(conf); } else if line.starts_with(boringsl_prefix) { is_boringssl = true; } From 8587ff88431fc9ef495eda1b5bcfab4d310ef3cd Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:18:11 +0700 Subject: [PATCH 80/84] chore: use pre-existing clean APIs instead --- openssl-sys/build/main.rs | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 6fb8c3ed82..3359165a33 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -155,9 +155,7 @@ fn validate_headers(include_dirs: &[PathBuf]) -> Version { // account for compile differences and such. println!("cargo:rerun-if-changed=build/expando.c"); let mut gcc = cc::Build::new(); - for include_dir in include_dirs { - gcc.include(include_dir); - } + gcc.includes(include_dirs); let expanded = match gcc.file("build/expando.c").try_expand() { Ok(expanded) => expanded, Err(e) => { 
@@ -326,18 +324,13 @@ due to this version mismatch. } // parses a string that looks like "0x100020cfL" -#[allow(deprecated)] // trim_right_matches is now trim_end_matches -#[allow(clippy::match_like_matches_macro)] // matches macro requires rust 1.42.0 fn parse_version(version: &str) -> u64 { // cut off the 0x prefix assert!(version.starts_with("0x")); let version = &version[2..]; // and the type specifier suffix - let version = version.trim_right_matches(|c: char| match c { - '0'..='9' | 'a'..='f' | 'A'..='F' => false, - _ => true, - }); + let version = version.trim_end_matches(|c: char| !c.is_ascii_hexdigit()); u64::from_str_radix(version, 16).unwrap() } From 8ab3c3f3a8e6102b734d849132aaeb9728cec669 Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:22:34 +0700 Subject: [PATCH 81/84] update min-version passed to bindgen --- .github/workflows/ci.yml | 1 + openssl-sys/build/run_bindgen.rs | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 75117ffab8..33c352cd2c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -59,6 +59,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + # Remember to also update `--rust-target` in `openssl-sys/build/run_bindgen.rs` - uses: sfackler/actions/rustup@master with: version: 1.56.0 diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 87b748f23b..6743403161 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -167,7 +167,7 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { bindgen_cmd .arg("-o") .arg(out_dir.join("bindgen.rs")) - .arg("--rust-target=1.47") + .arg("--rust-target=1.56") .arg("--ctypes-prefix=::libc") .arg("--raw-line=use libc::*;") .arg("--no-derive-default") From 978435639b0e1a93a953a7f211216c33aaedc450 Mon Sep 17 00:00:00 2001 
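Review bot: In `parse_version`, the prefix handling left as context (`assert!(version.starts_with("0x")); let version = &version[2..];`) is the same check-then-slice pattern that patch 79 replaced with `strip_prefix` elsewhere in this file. The closing `u64::from_str_radix(version, 16).unwrap()` also panics without naming the value that failed. The input appears to come from the preprocessed `build/expando.c` output, so it depends on whichever OpenSSL headers the build picked up, and a message that echoes it makes a wrong or unexpected header much easier to diagnose. I would write `let version = version.strip_prefix("0x").expect("version should start with 0x");` and `u64::from_str_radix(version, 16).unwrap_or_else(|e| panic!("invalid version {:?}: {}", version, e))`.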
From: Lzu Tao Date: Fri, 16 Jun 2023 20:33:56 +0700 Subject: [PATCH 82/84] chore: simplify cfg attributes --- openssl/src/ssl/mod.rs | 4 ++-- openssl/src/ssl/test/mod.rs | 2 +- openssl/src/symm.rs | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 0feaced213..27e817f307 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -599,7 +599,7 @@ impl AlpnError { /// Terminate the handshake with a fatal alert. /// /// Requires OpenSSL 1.1.0 or newer. - #[cfg(any(ossl110))] + #[cfg(ossl110)] pub const ALERT_FATAL: AlpnError = AlpnError(ffi::SSL_TLSEXT_ERR_ALERT_FATAL); /// Do not select a protocol, but continue the handshake. @@ -2413,7 +2413,7 @@ impl SslRef { /// /// Requires OpenSSL 1.0.1 or 1.0.2. #[corresponds(SSL_set_tmp_ecdh_callback)] - #[cfg(any(all(ossl101, not(ossl110))))] + #[cfg(all(ossl101, not(ossl110)))] #[deprecated(note = "this function leaks memory and does not exist on newer OpenSSL versions")] pub fn set_tmp_ecdh_callback(&mut self, callback: F) where diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 39cc054df2..7707af238f 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -467,7 +467,7 @@ fn test_alpn_server_advertise_multiple() { } #[test] -#[cfg(any(ossl110))] +#[cfg(ossl110)] fn test_alpn_server_select_none_fatal() { let mut server = Server::builder(); server.ctx().set_alpn_select_callback(|_, client| { diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 8da341f7f6..c1dbdfee7b 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -1478,7 +1478,7 @@ mod tests { } #[test] - #[cfg(any(ossl110))] + #[cfg(ossl110)] fn test_chacha20() { let key = "0000000000000000000000000000000000000000000000000000000000000000"; let iv = "00000000000000000000000000000000"; 
@@ -1493,7 +1493,7 @@ mod tests { } #[test] - #[cfg(any(ossl110))] + #[cfg(ossl110)] fn test_chacha20_poly1305() { let key = "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"; let iv = "070000004041424344454647"; From 155b3dc71700d2ff31651bbc99b991765a718c4e Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 19 Jun 2023 13:10:09 -0400 Subject: [PATCH 83/84] Fix handling of empty host strings --- openssl/src/x509/verify.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index b0e22ef462..e8481c551c 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -120,9 +120,11 @@ impl X509VerifyParamRef { #[corresponds(X509_VERIFY_PARAM_set1_host)] pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> { unsafe { + // len == 0 means "run strlen" :( + let raw_host = if host.is_empty() { "\0" } else { host }; cvt(ffi::X509_VERIFY_PARAM_set1_host( self.as_ptr(), - host.as_ptr() as *const _, + raw_host.as_ptr() as *const _, host.len(), )) .map(|_| ()) From 983b9e210ac27895a39e0ed11a407b7936192313 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 20 Jun 2023 16:25:18 -0400 Subject: [PATCH 84/84] Release openssl v0.10.55 and openssl-sys v0.9.89 --- openssl-sys/CHANGELOG.md | 18 +++++++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 18 +++++++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 37 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 48029f8aab..13c3f32a6c 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md 
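Review bot: The doc comment for `set_host` should state what an empty `host` now does. Per the OpenSSL documentation for `X509_VERIFY_PARAM_set1_host`, an empty name clears the expected-host list and no name check is performed on the peer certificate. A caller that forwards an unset or defaulted string therefore gets `Ok(())` and, presumably, verification without hostname matching, so I would add `/// An empty host string clears the expected host list, so no hostname check is performed.` to the method docs, which start outside this hunk. The inline comment could name the hazard rather than the symptom, e.g. `// OpenSSL calls strlen() when len == 0 and an empty &str is not NUL-terminated, so point at a real NUL byte`. A regression test that calls `set_host("")` would pin the fix.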
@@ -2,6 +2,21 @@ ## [Unreleased] +## [v0.9.89] - 2023-06-20 + +### Fixed + +* Fixed compilation with recent versions of BoringSSL. + +### Added + +* Added support for detecting OpenSSL compiled with `OPENSSL_NO_OCB`. +* Added `EVP_PKEY_SM2` and `NID_sm2`. +* Added `EVP_PKEY_assign_RSA`, `EVP_PKEY_assign_DSA`, `EVP_PKEY_assign_DH`, and `EVP_PKEY_assign_EC_KEY`. +* Added `EC_GROUP_get_asn1_flag`. +* Expose `EC_POINT_get_affine_coordinates` on BoringSSL and LibreSSL. +* Added `EVP_PKEY_derive_set_peer_ex`. + ## [v0.9.88] - 2023-05-30 ### Added @@ -458,7 +473,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.89..master +[v0.9.89]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88...openssl-sys-v0.9.89 [v0.9.88]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87...openssl-sys-v0.9.88 [v0.9.87]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86...openssl-sys-v0.9.87 [v0.9.86]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.86 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 7589a3ca0e..0c261c5719 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.88" +version = "0.9.89" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 29af6ca816..a0622ecccd 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md 
@@ -2,6 +2,21 @@ ## [Unreleased] +## [v0.10.55] - 2023-06-20 + +### Fixed + +* Fixed compilation with the latest version of BoringSSL. +* Fixed compilation when OpenSSL is compiled with `OPENSSL_NO_OCB`. +* Fixed a segfault in `X509VerifyParamRef::set_host` when called with an empty string. + +### Added + +* Added `Deriver::set_peer_ex`. +* Added `EcGroupRef::asn1_flag`. +* Exposed `EcPointRef::affine_coordinates` on BoringSSL and LibreSSL. +* Added `Nid::SM2` and `Id::SM2` + ## [v0.10.54] - 2023-05-31 ### Fixed @@ -761,7 +776,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...master +[v0.10.55]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...openssl-v0.10.55 [v0.10.54]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...openssl-v0.10.54 [v0.10.53]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 [v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...openssl-v0.10.52 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index c4367cd4c6..956d08cf9e 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.54" +version = "0.10.55" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.88", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.89", path = "../openssl-sys" } [dev-dependencies] hex = "0.3"