From 6d6944767c30cd43fefec920eb29ef1acf4e55b9 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 13 Jan 2023 15:11:36 +0100 Subject: [PATCH 001/126] Prepared openssl-sys for pkcs7 and x509 extensions. --- openssl-sys/build/cfgs.rs | 3 + openssl-sys/src/handwritten/asn1.rs | 49 ++++- openssl-sys/src/handwritten/mod.rs | 2 + openssl-sys/src/handwritten/pkcs7.rs | 245 ++++++++++++++++++++++- openssl-sys/src/handwritten/types.rs | 16 +- openssl-sys/src/handwritten/x509.rs | 36 +++- openssl-sys/src/handwritten/x509_attr.rs | 60 ++++++ 7 files changed, 396 insertions(+), 15 deletions(-) create mode 100644 openssl-sys/src/handwritten/x509_attr.rs diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index d925d90ad7..960515f00f 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -31,6 +31,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x2_09_01_00_0 { cfgs.push("libressl291"); } + if libressl_version >= 0x3_01_00_00_0 { + cfgs.push("libressl310"); + } if libressl_version >= 0x3_02_01_00_0 { cfgs.push("libressl321"); } diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index 844f9102a9..e866b1ea90 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -10,23 +10,60 @@ pub struct ASN1_ENCODING { extern "C" { pub fn ASN1_OBJECT_free(x: *mut ASN1_OBJECT); + pub fn OBJ_cmp(a: *const ASN1_OBJECT, b: *const ASN1_OBJECT) -> c_int; } +pub enum ASN1_OBJECT {} + stack!(stack_st_ASN1_OBJECT); +#[repr(C)] +pub struct ASN1_TYPE { + pub type_: c_int, + pub value: ASN1_TYPE_value, +} +#[repr(C)] +pub union ASN1_TYPE_value { + pub ptr: *mut c_char, + pub boolean: ASN1_BOOLEAN, + pub asn1_string: *mut ASN1_STRING, + pub object: *mut ASN1_OBJECT, + pub integer: *mut ASN1_INTEGER, + pub enumerated: *mut ASN1_ENUMERATED, + pub bit_string: *mut ASN1_BIT_STRING, + pub octet_string: *mut ASN1_OCTET_STRING, + pub printablestring: *mut ASN1_PRINTABLESTRING, + pub t61string: *mut ASN1_T61STRING, + pub ia5string: *mut ASN1_IA5STRING, + pub generalstring: *mut ASN1_GENERALSTRING, + pub bmpstring: *mut ASN1_BMPSTRING, + pub universalstring: *mut ASN1_UNIVERSALSTRING, + pub utctime: *mut ASN1_UTCTIME, + pub generalizedtime: *mut ASN1_GENERALIZEDTIME, + pub visiblestring: *mut ASN1_VISIBLESTRING, + pub utf8string: *mut ASN1_UTF8STRING, + /* + * set and sequence are left complete and still contain the set or + * sequence bytes + */ + pub set: *mut ASN1_STRING, + pub sequence: *mut ASN1_STRING, + pub asn1_value: *mut ASN1_VALUE, +} + extern "C" { pub fn ASN1_STRING_type_new(ty: c_int) -> *mut ASN1_STRING; #[cfg(any(ossl110, libressl273))] pub fn ASN1_STRING_get0_data(x: *const ASN1_STRING) -> *const c_uchar; #[cfg(any(all(ossl101, not(ossl110)), libressl))] pub fn ASN1_STRING_data(x: *mut ASN1_STRING) -> *mut c_uchar; - - pub fn ASN1_BIT_STRING_free(x: *mut ASN1_BIT_STRING); - + pub fn ASN1_STRING_new() -> *mut ASN1_STRING; pub fn ASN1_STRING_free(x: *mut ASN1_STRING); pub fn ASN1_STRING_length(x: *const ASN1_STRING) -> c_int; + pub fn ASN1_STRING_set(x: *mut ASN1_STRING, data: *const c_void, len_in: c_int) -> c_int; - pub fn ASN1_STRING_set(x: *mut ASN1_STRING, data: *const c_void, len: c_int) -> c_int; + pub fn ASN1_BIT_STRING_free(x: *mut ASN1_BIT_STRING); + pub fn ASN1_OCTET_STRING_free(x: *mut ASN1_OCTET_STRING); pub fn ASN1_GENERALIZEDTIME_free(tm: *mut ASN1_GENERALIZEDTIME); pub fn ASN1_GENERALIZEDTIME_print(b: *mut BIO, tm: *const ASN1_GENERALIZEDTIME) -> c_int; @@ -51,10 +88,14 @@ extern "C" { pub fn ASN1_TIME_set_string(s: *mut ASN1_TIME, str: *const c_char) -> c_int; #[cfg(ossl111)] pub fn ASN1_TIME_set_string_X509(s: *mut ASN1_TIME, str: *const c_char) -> c_int; + + pub fn ASN1_TYPE_free(x: *mut ASN1_TYPE); } const_ptr_api! { extern "C" { pub fn ASN1_STRING_to_UTF8(out: *mut *mut c_uchar, s: #[const_ptr_if(any(ossl110, libressl280))] ASN1_STRING) -> c_int; + pub fn ASN1_STRING_type(x: #[const_ptr_if(any(ossl110, libressl280))] ASN1_STRING) -> c_int; + pub fn ASN1_generate_v3(str: #[const_ptr_if(any(ossl110, libressl280))] c_char, cnf: *mut X509V3_CTX) -> *mut ASN1_TYPE; } } diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index 28aa4aecd0..fea7549898 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -28,6 +28,7 @@ pub use self::stack::*; pub use self::tls1::*; pub use self::types::*; pub use self::x509::*; +pub use self::x509_attr::*; pub use self::x509_vfy::*; pub use self::x509v3::*; @@ -61,5 +62,6 @@ mod stack; mod tls1; mod types; mod x509; +mod x509_attr; mod x509_vfy; mod x509v3; diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index fc0239e7b8..2f76cab9c2 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs @@ -1,12 +1,195 @@ use libc::*; use *; -pub enum PKCS7_SIGNED {} -pub enum PKCS7_ENVELOPE {} -pub enum PKCS7_SIGN_ENVELOPE {} -pub enum PKCS7_DIGEST {} -pub enum PKCS7_ENCRYPT {} -pub enum PKCS7 {} +// use x509::stack_st_X509; +// use x509_attr::stack_st_X509_ATTRIBUTE; + +#[cfg(ossl300)] +#[repr(C)] +pub struct PKCS7_CTX { + libctx: *mut OSSL_LIB_CTX, + propq: *mut c_char, +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_SIGNED { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, + pub contents: *mut PKCS7, + } + } else { + pub enum PKCS7_SIGNED {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_ENC_CONTENT { + pub content_type: *mut ASN1_OBJECT, + pub algorithm: *mut X509_ALGOR, + pub enc_data: *mut ASN1_OCTET_STRING, /* [ 0 ] */ + pub cipher: *const EVP_CIPHER, + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, + } + } else { + pub enum PKCS7_ENC_CONTENT {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_ENVELOPE { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO, + pub enc_data: *mut PKCS7_ENC_CONTENT, + } + } else { + pub enum PKCS7_ENVELOPE {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_SIGN_ENVELOPE { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, + pub enc_data: *mut PKCS7_ENC_CONTENT, + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO + } + } else { + pub enum PKCS7_SIGN_ENVELOPE {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_DIGEST { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub md: *mut X509_ALGOR, /* md used */ + pub contents: *mut PKCS7, + pub digest: *mut ASN1_OCTET_STRING, + } + } else { + pub enum PKCS7_DIGEST {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7_ENCRYPT { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub enc_data: *mut PKCS7_ENC_CONTENT, + } + } else { + pub enum PKCS7_ENCRYPT {} + } +} + +extern "C" { + pub fn PKCS7_SIGNED_free(info: *mut PKCS7_SIGNED); + pub fn PKCS7_ENC_CONTENT_free(info: *mut PKCS7_ENC_CONTENT); + pub fn PKCS7_ENVELOPE_free(info: *mut PKCS7_ENVELOPE); + pub fn PKCS7_SIGN_ENVELOPE_free(info: *mut PKCS7_SIGN_ENVELOPE); + pub fn PKCS7_DIGEST_free(info: *mut PKCS7_DIGEST); + pub fn PKCS7_SIGNER_INFO_free(info: *mut PKCS7_SIGNER_INFO); +} + +cfg_if! { + if #[cfg(any(ossl101, libressl251))] { + #[repr(C)] + pub struct PKCS7 { + /* + * The following is non NULL if it contains ASN1 encoding of this + * structure + */ + pub asn1: *mut c_uchar, + pub length: c_long, + // # define PKCS7_S_HEADER 0 + // # define PKCS7_S_BODY 1 + // # define PKCS7_S_TAIL 2 + pub state: c_int, /* used during processing */ + pub detached: c_int, + pub type_: *mut ASN1_OBJECT, + /* content as defined by the type */ + /* + * all encryption/message digests are applied to the 'contents', leaving + * out the 'type' field. + */ + pub d: PKCS7_data, + #[cfg(ossl300)] + pub ctx: PKCS7_CTX, + } + #[repr(C)] + pub union PKCS7_data { + pub ptr: *mut c_char, + /* NID_pkcs7_data */ + pub data: *mut ASN1_OCTET_STRING, + /* NID_pkcs7_signed */ + pub sign: *mut PKCS7_SIGNED, + /* NID_pkcs7_enveloped */ + pub enveloped: *mut PKCS7_ENVELOPE, + /* NID_pkcs7_signedAndEnveloped */ + pub signed_and_enveloped: *mut PKCS7_SIGN_ENVELOPE, + /* NID_pkcs7_digest */ + pub digest: *mut PKCS7_DIGEST, + /* NID_pkcs7_encrypted */ + pub encrypted: *mut PKCS7_ENCRYPT, + /* Anything else */ + pub other: *mut ASN1_TYPE, + } + } else { + pub enum PKCS7 {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl))] { + #[repr(C)] + pub struct PKCS7_ISSUER_AND_SERIAL { + pub issuer: *mut X509_NAME, + pub serial: *mut ASN1_INTEGER, + } + } else { + pub enum PKCS7_ISSUER_AND_SERIAL {} + } +} + +cfg_if! { + if #[cfg(any(ossl101, libressl))] { + #[repr(C)] + pub struct PKCS7_SIGNER_INFO { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub issuer_and_serial: *mut PKCS7_ISSUER_AND_SERIAL, + pub digest_alg: *mut X509_ALGOR, + pub auth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 0 ] */ + pub digest_enc_alg: *mut X509_ALGOR, + pub enc_digest: *mut ASN1_OCTET_STRING, + pub unauth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 1 ] */ + pub pkey: *mut EVP_PKEY, /* The private key to sign with */ + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, + } + } else { + pub enum PKCS7_SIGNER_INFO {} + } +} + +stack!(stack_st_PKCS7_SIGNER_INFO); +stack!(stack_st_PKCS7_RECIP_INFO); extern "C" { pub fn d2i_PKCS7(a: *mut *mut PKCS7, pp: *mut *const c_uchar, length: c_long) -> *mut PKCS7; @@ -15,6 +198,7 @@ extern "C" { const_ptr_api! { extern "C" { pub fn i2d_PKCS7(a: #[const_ptr_if(ossl300)] PKCS7, buf: *mut *mut u8) -> c_int; + pub fn i2d_PKCS7_bio(bio: *mut BIO, p7: #[const_ptr_if(ossl300)] PKCS7) -> c_int; } } @@ -67,4 +251,53 @@ extern "C" { ) -> c_int; pub fn SMIME_read_PKCS7(bio: *mut BIO, bcont: *mut *mut BIO) -> *mut PKCS7; + + pub fn PKCS7_new() -> *mut PKCS7; + + pub fn PKCS7_set_type(p7: *mut PKCS7, nid_pkcs7: c_int) -> c_int; + + pub fn PKCS7_add_certificate(p7: *mut PKCS7, x509: *mut X509) -> c_int; + + pub fn PKCS7_add_signature( + p7: *mut PKCS7, + x509: *mut X509, + pkey: *mut EVP_PKEY, + digest: *const EVP_MD, + ) -> *mut PKCS7_SIGNER_INFO; + + pub fn PKCS7_set_signed_attributes( + p7si: *mut PKCS7_SIGNER_INFO, + attributes: *mut stack_st_X509_ATTRIBUTE, + ) -> c_int; + + pub fn PKCS7_add_signed_attribute( + p7si: *mut PKCS7_SIGNER_INFO, + nid: c_int, + attrtype: c_int, + data: *mut c_void, + ) -> c_int; + + pub fn PKCS7_content_new(p7: *mut PKCS7, nid_pkcs7: c_int) -> c_int; + + pub fn PKCS7_dataInit(p7: *mut PKCS7, bio: *mut BIO) -> *mut BIO; + + pub fn PKCS7_dataFinal(p7: *mut PKCS7, bio: *mut BIO) -> c_int; + + pub fn PKCS7_get_signer_info(p7: *mut PKCS7) -> *mut stack_st_PKCS7_SIGNER_INFO; + + pub fn PKCS7_SIGNER_INFO_get0_algs( + si: *mut PKCS7_SIGNER_INFO, + pk: *mut *mut EVP_PKEY, + pdig: *mut *mut X509_ALGOR, + psig: *mut *mut X509_ALGOR, + ); +} + +const_ptr_api! { + extern "C" { + pub fn PKCS7_get_signed_attribute( + si: #[const_ptr_if(ossl300)] PKCS7_SIGNER_INFO, + nid: c_int + ) -> *mut ASN1_TYPE; + } } diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index 476578c051..addc599abb 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -3,14 +3,26 @@ use libc::*; #[allow(unused_imports)] use *; +#[derive(Copy, Clone)] +pub enum ASN1_BOOLEAN {} +pub enum ASN1_ENUMERATED {} pub enum ASN1_INTEGER {} pub enum ASN1_GENERALIZEDTIME {} pub enum ASN1_STRING {} pub enum ASN1_BIT_STRING {} pub enum ASN1_TIME {} -pub enum ASN1_TYPE {} pub enum ASN1_OBJECT {} pub enum ASN1_OCTET_STRING {} +pub enum ASN1_PRINTABLESTRING {} +pub enum ASN1_T61STRING {} +pub enum ASN1_IA5STRING {} +pub enum ASN1_GENERALSTRING {} +pub enum ASN1_BMPSTRING {} +pub enum ASN1_UNIVERSALSTRING {} +pub enum ASN1_UTCTIME {} +pub enum ASN1_VISIBLESTRING {} +pub enum ASN1_UTF8STRING {} +pub enum ASN1_VALUE {} pub enum bio_st {} // FIXME remove cfg_if! { @@ -325,6 +337,8 @@ cfg_if! { } } +stack!(stack_st_X509_ALGOR); + pub enum X509_LOOKUP_METHOD {} pub enum X509_NAME {} diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 047f3df262..486f712c34 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -15,8 +15,6 @@ pub enum X509_EXTENSION {} stack!(stack_st_X509_EXTENSION); -stack!(stack_st_X509_ATTRIBUTE); - cfg_if! { if #[cfg(any(ossl110, libressl350))] { pub enum X509_REQ_INFO {} @@ -27,7 +25,7 @@ cfg_if! { pub version: *mut ::ASN1_INTEGER, pub subject: *mut ::X509_NAME, pubkey: *mut c_void, - pub attributes: *mut stack_st_X509_ATTRIBUTE, + pub attributes: *mut ::stack_st_X509_ATTRIBUTE, } } } @@ -271,9 +269,12 @@ extern "C" { pub fn X509_EXTENSION_free(ext: *mut X509_EXTENSION); + pub fn X509_ATTRIBUTE_free(attr: *mut ::X509_ATTRIBUTE); + pub fn X509_NAME_ENTRY_free(x: *mut X509_NAME_ENTRY); pub fn X509_NAME_new() -> *mut X509_NAME; + pub fn X509_NAME_cmp(x: *const X509_NAME, y: *const X509_NAME) -> c_int; pub fn X509_NAME_free(x: *mut X509_NAME); pub fn X509_new() -> *mut X509; @@ -359,6 +360,33 @@ const_ptr_api! { -> c_int; } } +extern "C" { + pub fn X509_REQ_get_attr_count(req: *const X509_REQ) -> c_int; + pub fn X509_REQ_get_attr_by_NID(req: *const X509_REQ, nid: c_int, lastpos: c_int) -> c_int; + pub fn X509_REQ_get_attr(req: *const X509_REQ, loc: c_int) -> *mut ::X509_ATTRIBUTE; + pub fn X509_REQ_delete_attr(req: *mut X509_REQ, loc: c_int) -> *mut ::X509_ATTRIBUTE; + pub fn X509_REQ_add1_attr_by_txt( + req: *mut X509_REQ, + attrname: *const c_char, + chtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> c_int; + pub fn X509_REQ_add1_attr_by_NID( + req: *mut X509_REQ, + nid: c_int, + chtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> c_int; + pub fn X509_REQ_add1_attr_by_OBJ( + req: *mut X509_REQ, + obj: *const ASN1_OBJECT, + chtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> c_int; +} extern "C" { pub fn X509_set_pubkey(x: *mut X509, pkey: *mut EVP_PKEY) -> c_int; pub fn X509_REQ_verify(req: *mut X509_REQ, pkey: *mut EVP_PKEY) -> c_int; @@ -607,6 +635,7 @@ const_ptr_api! { pub fn X509_STORE_get0_objects(ctx: #[const_ptr_if(ossl300)] X509_STORE) -> *mut stack_st_X509_OBJECT; } } + #[cfg(any(ossl110, libressl270))] extern "C" { pub fn X509_OBJECT_get0_X509(x: *const X509_OBJECT) -> *mut X509; @@ -633,7 +662,6 @@ extern "C" { extern "C" { pub fn X509_cmp(a: *const X509, b: *const X509) -> c_int; - pub fn X509_NAME_cmp(a: *const X509_NAME, b: *const X509_NAME) -> c_int; pub fn X509_issuer_and_serial_cmp(a: *const X509, b: *const X509) -> c_int; pub fn X509_issuer_name_cmp(a: *const X509, b: *const X509) -> c_int; pub fn X509_subject_name_cmp(a: *const X509, b: *const X509) -> c_int; diff --git a/openssl-sys/src/handwritten/x509_attr.rs b/openssl-sys/src/handwritten/x509_attr.rs new file mode 100644 index 0000000000..b14be38619 --- /dev/null +++ b/openssl-sys/src/handwritten/x509_attr.rs @@ -0,0 +1,60 @@ +use libc::*; + +use *; + +pub enum X509_ATTRIBUTE {} + +stack!(stack_st_X509_ATTRIBUTE); + +extern "C" { + pub fn X509_ATTRIBUTE_new() -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create( + nid: c_int, + atrtype: c_int, + value: *mut c_void, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_NID( + attr: *mut *mut X509_ATTRIBUTE, + nid: c_int, + atrtype: c_int, + data: *const c_void, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_OBJ( + attr: *mut *mut X509_ATTRIBUTE, + obj: *const ASN1_OBJECT, + atrtype: c_int, + data: *const c_void, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_txt( + attr: *mut *mut X509_ATTRIBUTE, + atrname: *const c_char, + atrtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_set1_object(attr: *mut X509_ATTRIBUTE, obj: *const ASN1_OBJECT) -> c_int; + pub fn X509_ATTRIBUTE_set1_data( + attr: *mut X509_ATTRIBUTE, + attrtype: c_int, + data: *const c_void, + len: c_int, + ) -> c_int; + pub fn X509_ATTRIBUTE_get0_data( + attr: *mut X509_ATTRIBUTE, + idx: c_int, + atrtype: c_int, + data: *mut c_void, + ) -> *mut c_void; + pub fn X509_ATTRIBUTE_get0_object(attr: *mut X509_ATTRIBUTE) -> *mut ASN1_OBJECT; + pub fn X509_ATTRIBUTE_get0_type(attr: *mut X509_ATTRIBUTE, idx: c_int) -> *mut ASN1_TYPE; + +} +const_ptr_api! { + extern "C" { + pub fn X509_ATTRIBUTE_count( + attr: #[const_ptr_if(any(ossl110, libressl291))] X509_ATTRIBUTE // const since OpenSSL v1.1.0 + ) -> c_int; + } +} From d2e30181e586929abf1ee93d5c8152f8d034385c Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 13 Jan 2023 16:17:48 +0100 Subject: [PATCH 002/126] Fixed systest. --- systest/build.rs | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/systest/build.rs b/systest/build.rs index e54438114b..02c820b3e7 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -108,7 +108,10 @@ fn main() { || s.starts_with("CRYPTO_EX_") }); cfg.skip_struct(|s| { - s == "ProbeResult" || s == "X509_OBJECT_data" // inline union + s == "ProbeResult" || + s == "X509_OBJECT_data" || // inline union + s == "PKCS7_data" || + s == "ASN1_TYPE_value" }); cfg.skip_fn(move |s| { s == "CRYPTO_memcmp" || // uses volatile @@ -128,7 +131,9 @@ fn main() { cfg.skip_field_type(|s, field| { (s == "EVP_PKEY" && field == "pkey") || // union (s == "GENERAL_NAME" && field == "d") || // union - (s == "X509_OBJECT" && field == "data") // union + (s == "X509_OBJECT" && field == "data") || // union + (s == "PKCS7" && field == "d") || // union + (s == "ASN1_TYPE" && field == "value") // union }); cfg.skip_signededness(|s| { s.ends_with("_cb") From 920ec61a584053b719b547ee0fb444f5087e0377 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 16 Jan 2023 14:37:54 +0100 Subject: [PATCH 003/126] Trigger build From b821f00a1d0fa45a653d401538e68977a332ab71 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 24 Feb 2023 17:29:33 +0100 Subject: [PATCH 004/126] Fixed review comments. --- openssl-sys/src/handwritten/asn1.rs | 7 --- openssl-sys/src/handwritten/object.rs | 1 + openssl-sys/src/handwritten/pkcs7.rs | 18 +++++- openssl-sys/src/handwritten/types.rs | 9 +-- openssl-sys/src/handwritten/x509.rs | 70 +++++++++++++++++++++++- openssl-sys/src/handwritten/x509_attr.rs | 60 -------------------- 6 files changed, 88 insertions(+), 77 deletions(-) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index e866b1ea90..6e1f8c9b66 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -10,11 +10,8 @@ pub struct ASN1_ENCODING { extern "C" { pub fn ASN1_OBJECT_free(x: *mut ASN1_OBJECT); - pub fn OBJ_cmp(a: *const ASN1_OBJECT, b: *const ASN1_OBJECT) -> c_int; } -pub enum ASN1_OBJECT {} - stack!(stack_st_ASN1_OBJECT); #[repr(C)] @@ -42,10 +39,6 @@ pub union ASN1_TYPE_value { pub generalizedtime: *mut ASN1_GENERALIZEDTIME, pub visiblestring: *mut ASN1_VISIBLESTRING, pub utf8string: *mut ASN1_UTF8STRING, - /* - * set and sequence are left complete and still contain the set or - * sequence bytes - */ pub set: *mut ASN1_STRING, pub sequence: *mut ASN1_STRING, pub asn1_value: *mut ASN1_VALUE, diff --git a/openssl-sys/src/handwritten/object.rs b/openssl-sys/src/handwritten/object.rs index d2c525b806..5b4599c20a 100644 --- a/openssl-sys/src/handwritten/object.rs +++ b/openssl-sys/src/handwritten/object.rs @@ -27,4 +27,5 @@ extern "C" { pub fn OBJ_length(obj: *const ASN1_OBJECT) -> libc::size_t; #[cfg(ossl111)] pub fn OBJ_get0_data(obj: *const ASN1_OBJECT) -> *const c_uchar; + pub fn OBJ_cmp(a: *const ASN1_OBJECT, b: *const ASN1_OBJECT) -> c_int; } diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index 2f76cab9c2..332586515a 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs @@ -1,9 +1,6 @@ use libc::*; use *; -// use x509::stack_st_X509; -// use x509_attr::stack_st_X509_ATTRIBUTE; - #[cfg(ossl300)] #[repr(C)] pub struct PKCS7_CTX { @@ -106,6 +103,9 @@ extern "C" { pub fn PKCS7_SIGN_ENVELOPE_free(info: *mut PKCS7_SIGN_ENVELOPE); pub fn PKCS7_DIGEST_free(info: *mut PKCS7_DIGEST); pub fn PKCS7_SIGNER_INFO_free(info: *mut PKCS7_SIGNER_INFO); + pub fn PKCS7_ENCRYPT_free(enc: *mut PKCS7_ENCRYPT); + pub fn PKCS7_ISSUER_AND_SERIAL_free(ias: *mut PKCS7_ISSUER_AND_SERIAL); + pub fn PKCS7_RECIP_INFO_free(info: *mut PKCS7_RECIP_INFO); } cfg_if! { @@ -189,6 +189,18 @@ cfg_if! { } stack!(stack_st_PKCS7_SIGNER_INFO); + +#[repr(C)] +pub struct PKCS7_RECIP_INFO { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub issuer_and_serial: *mut PKCS7_ISSUER_AND_SERIAL, + pub key_enc_algor: *mut X509_ALGOR, + pub enc_key: *mut ASN1_OCTET_STRING, + pub cert: *mut X509, /* get the pub-key from this */ + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, +} + stack!(stack_st_PKCS7_RECIP_INFO); extern "C" { diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index addc599abb..181340d486 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -3,16 +3,18 @@ use libc::*; #[allow(unused_imports)] use *; -#[derive(Copy, Clone)] -pub enum ASN1_BOOLEAN {} +pub enum ASN1_OBJECT {} +pub enum ASN1_VALUE {} + +pub type ASN1_BOOLEAN = c_int; pub enum ASN1_ENUMERATED {} pub enum ASN1_INTEGER {} pub enum ASN1_GENERALIZEDTIME {} pub enum ASN1_STRING {} pub enum ASN1_BIT_STRING {} pub enum ASN1_TIME {} -pub enum ASN1_OBJECT {} pub enum ASN1_OCTET_STRING {} +pub enum ASN1_NULL {} pub enum ASN1_PRINTABLESTRING {} pub enum ASN1_T61STRING {} pub enum ASN1_IA5STRING {} @@ -22,7 +24,6 @@ pub enum ASN1_UNIVERSALSTRING {} pub enum ASN1_UTCTIME {} pub enum ASN1_VISIBLESTRING {} pub enum ASN1_UTF8STRING {} -pub enum ASN1_VALUE {} pub enum bio_st {} // FIXME remove cfg_if! { diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 486f712c34..fc94bbb741 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -15,6 +15,10 @@ pub enum X509_EXTENSION {} stack!(stack_st_X509_EXTENSION); +pub enum X509_ATTRIBUTE {} + +stack!(stack_st_X509_ATTRIBUTE); + cfg_if! { if #[cfg(any(ossl110, libressl350))] { pub enum X509_REQ_INFO {} @@ -269,8 +273,6 @@ extern "C" { pub fn X509_EXTENSION_free(ext: *mut X509_EXTENSION); - pub fn X509_ATTRIBUTE_free(attr: *mut ::X509_ATTRIBUTE); - pub fn X509_NAME_ENTRY_free(x: *mut X509_NAME_ENTRY); pub fn X509_NAME_new() -> *mut X509_NAME; @@ -689,6 +691,68 @@ pub struct X509_PURPOSE { const_ptr_api! { extern "C" { pub fn X509_PURPOSE_get_by_sname(sname: #[const_ptr_if(any(ossl110, libressl280))] c_char) -> c_int; - pub fn X509_PURPOSE_get0(idx: c_int) -> *mut X509_PURPOSE; + } +} +extern "C" { + pub fn X509_PURPOSE_get0(idx: c_int) -> *mut X509_PURPOSE; +} + +extern "C" { + pub fn X509_ATTRIBUTE_new() -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_free(attr: *mut ::X509_ATTRIBUTE); + pub fn X509_ATTRIBUTE_create( + nid: c_int, + atrtype: c_int, + value: *mut c_void, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_NID( + attr: *mut *mut X509_ATTRIBUTE, + nid: c_int, + atrtype: c_int, + data: *const c_void, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_OBJ( + attr: *mut *mut X509_ATTRIBUTE, + obj: *const ASN1_OBJECT, + atrtype: c_int, + data: *const c_void, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_create_by_txt( + attr: *mut *mut X509_ATTRIBUTE, + atrname: *const c_char, + atrtype: c_int, + bytes: *const c_uchar, + len: c_int, + ) -> *mut X509_ATTRIBUTE; + pub fn X509_ATTRIBUTE_set1_object(attr: *mut X509_ATTRIBUTE, obj: *const ASN1_OBJECT) -> c_int; + pub fn X509_ATTRIBUTE_set1_data( + attr: *mut X509_ATTRIBUTE, + attrtype: c_int, + data: *const c_void, + len: c_int, + ) -> c_int; + pub fn X509_ATTRIBUTE_get0_data( + attr: *mut X509_ATTRIBUTE, + idx: c_int, + atrtype: c_int, + data: *mut c_void, + ) -> *mut c_void; + pub fn X509_ATTRIBUTE_get0_object(attr: *mut X509_ATTRIBUTE) -> *mut ASN1_OBJECT; + pub fn X509_ATTRIBUTE_get0_type(attr: *mut X509_ATTRIBUTE, idx: c_int) -> *mut ASN1_TYPE; + pub fn d2i_X509_ATTRIBUTE( + a: *mut *mut X509_ATTRIBUTE, + pp: *mut *const c_uchar, + length: c_long, + ) -> *mut X509_ATTRIBUTE; +} +const_ptr_api! { + extern "C" { + pub fn X509_ATTRIBUTE_count( + attr: #[const_ptr_if(any(ossl110, libressl280))] X509_ATTRIBUTE // const since OpenSSL v1.1.0 + ) -> c_int; + pub fn i2d_X509_ATTRIBUTE(x: #[const_ptr_if(ossl300)] X509_ATTRIBUTE, buf: *mut *mut u8) -> c_int; + pub fn X509_ATTRIBUTE_dup(x: #[const_ptr_if(ossl300)] X509_ATTRIBUTE) -> *mut X509_ATTRIBUTE; } } diff --git a/openssl-sys/src/handwritten/x509_attr.rs b/openssl-sys/src/handwritten/x509_attr.rs index b14be38619..e69de29bb2 100644 --- a/openssl-sys/src/handwritten/x509_attr.rs +++ b/openssl-sys/src/handwritten/x509_attr.rs @@ -1,60 +0,0 @@ -use libc::*; - -use *; - -pub enum X509_ATTRIBUTE {} - -stack!(stack_st_X509_ATTRIBUTE); - -extern "C" { - pub fn X509_ATTRIBUTE_new() -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_create( - nid: c_int, - atrtype: c_int, - value: *mut c_void, - ) -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_create_by_NID( - attr: *mut *mut X509_ATTRIBUTE, - nid: c_int, - atrtype: c_int, - data: *const c_void, - len: c_int, - ) -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_create_by_OBJ( - attr: *mut *mut X509_ATTRIBUTE, - obj: *const ASN1_OBJECT, - atrtype: c_int, - data: *const c_void, - len: c_int, - ) -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_create_by_txt( - attr: *mut *mut X509_ATTRIBUTE, - atrname: *const c_char, - atrtype: c_int, - bytes: *const c_uchar, - len: c_int, - ) -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_set1_object(attr: *mut X509_ATTRIBUTE, obj: *const ASN1_OBJECT) -> c_int; - pub fn X509_ATTRIBUTE_set1_data( - attr: *mut X509_ATTRIBUTE, - attrtype: c_int, - data: *const c_void, - len: c_int, - ) -> c_int; - pub fn X509_ATTRIBUTE_get0_data( - attr: *mut X509_ATTRIBUTE, - idx: c_int, - atrtype: c_int, - data: *mut c_void, - ) -> *mut c_void; - pub fn X509_ATTRIBUTE_get0_object(attr: *mut X509_ATTRIBUTE) -> *mut ASN1_OBJECT; - pub fn X509_ATTRIBUTE_get0_type(attr: *mut X509_ATTRIBUTE, idx: c_int) -> *mut ASN1_TYPE; - -} -const_ptr_api! { - extern "C" { - pub fn X509_ATTRIBUTE_count( - attr: #[const_ptr_if(any(ossl110, libressl291))] X509_ATTRIBUTE // const since OpenSSL v1.1.0 - ) -> c_int; - } -} From d77c6518873b063de9cc6bca4f708b765ffbb284 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 24 Feb 2023 17:37:23 +0100 Subject: [PATCH 005/126] Removed emtpy x509_attr.rs --- openssl-sys/src/handwritten/mod.rs | 2 -- openssl-sys/src/handwritten/x509_attr.rs | 0 2 files changed, 2 deletions(-) delete mode 100644 openssl-sys/src/handwritten/x509_attr.rs diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index fea7549898..28aa4aecd0 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -28,7 +28,6 @@ pub use self::stack::*; pub use self::tls1::*; pub use self::types::*; pub use self::x509::*; -pub use self::x509_attr::*; pub use self::x509_vfy::*; pub use self::x509v3::*; @@ -62,6 +61,5 @@ mod stack; mod tls1; mod types; mod x509; -mod x509_attr; mod x509_vfy; mod x509v3; diff --git a/openssl-sys/src/handwritten/x509_attr.rs b/openssl-sys/src/handwritten/x509_attr.rs deleted file mode 100644 index e69de29bb2..0000000000 From 0bd4876a951f2fe7da227daa2ee2e67cc7ee3ed3 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Fri, 24 Feb 2023 17:57:16 +0100 Subject: [PATCH 006/126] clippy. --- openssl-sys/src/handwritten/x509.rs | 6 +++--- openssl/src/sign.rs | 2 +- openssl/src/x509/mod.rs | 12 ++++++++++-- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index fc94bbb741..46ec3e14a9 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -365,8 +365,8 @@ const_ptr_api! { extern "C" { pub fn X509_REQ_get_attr_count(req: *const X509_REQ) -> c_int; pub fn X509_REQ_get_attr_by_NID(req: *const X509_REQ, nid: c_int, lastpos: c_int) -> c_int; - pub fn X509_REQ_get_attr(req: *const X509_REQ, loc: c_int) -> *mut ::X509_ATTRIBUTE; - pub fn X509_REQ_delete_attr(req: *mut X509_REQ, loc: c_int) -> *mut ::X509_ATTRIBUTE; + pub fn X509_REQ_get_attr(req: *const X509_REQ, loc: c_int) -> *mut X509_ATTRIBUTE; + pub fn X509_REQ_delete_attr(req: *mut X509_REQ, loc: c_int) -> *mut X509_ATTRIBUTE; pub fn X509_REQ_add1_attr_by_txt( req: *mut X509_REQ, attrname: *const c_char, @@ -699,7 +699,7 @@ extern "C" { extern "C" { pub fn X509_ATTRIBUTE_new() -> *mut X509_ATTRIBUTE; - pub fn X509_ATTRIBUTE_free(attr: *mut ::X509_ATTRIBUTE); + pub fn X509_ATTRIBUTE_free(attr: *mut X509_ATTRIBUTE); pub fn X509_ATTRIBUTE_create( nid: c_int, atrtype: c_int, diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 9cfda48105..51738651c6 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -711,7 +711,7 @@ mod test { #[cfg(not(boringssl))] fn test_hmac(ty: MessageDigest, tests: &[(Vec, Vec, Vec)]) { - for &(ref key, ref data, ref res) in tests.iter() { + for (key, data, res) in tests.iter() { let pkey = PKey::hmac(key).unwrap(); let mut signer = Signer::new(ty, &pkey).unwrap(); signer.update(data).unwrap(); diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index d29a21e4af..2da41bd1a5 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -388,7 +388,10 @@ impl X509Ref { /// Returns the hash of the certificates subject #[corresponds(X509_subject_name_hash)] pub fn subject_name_hash(&self) -> u32 { - unsafe { ffi::X509_subject_name_hash(self.as_ptr()) as u32 } + #[allow(clippy::unnecessary_cast)] + unsafe { + ffi::X509_subject_name_hash(self.as_ptr()) as u32 + } } /// Returns this certificate's issuer name. @@ -403,7 +406,10 @@ impl X509Ref { /// Returns the hash of the certificates issuer #[corresponds(X509_issuer_name_hash)] pub fn issuer_name_hash(&self) -> u32 { - unsafe { ffi::X509_issuer_name_hash(self.as_ptr()) as u32 } + #[allow(clippy::unnecessary_cast)] + unsafe { + ffi::X509_issuer_name_hash(self.as_ptr()) as u32 + } } /// Returns this certificate's subject alternative name entries, if they exist. @@ -545,6 +551,7 @@ impl X509Ref { /// Note that `0` return value stands for version 1, `1` for version 2 and so on. #[corresponds(X509_get_version)] #[cfg(ossl110)] + #[allow(clippy::unnecessary_cast)] pub fn version(&self) -> i32 { unsafe { ffi::X509_get_version(self.as_ptr()) as i32 } } @@ -1359,6 +1366,7 @@ impl X509ReqRef { /// This corresponds to [`X509_REQ_get_version`] /// /// [`X509_REQ_get_version`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_version.html + #[allow(clippy::unnecessary_cast)] pub fn version(&self) -> i32 { unsafe { X509_REQ_get_version(self.as_ptr()) as i32 } } From 9f8c82161361da1eef0169fce7e4cac2b6094e53 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 27 Feb 2023 08:16:05 +0100 Subject: [PATCH 007/126] Removed invalid path operator. --- openssl-sys/src/handwritten/x509.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 46ec3e14a9..917b41e425 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -29,7 +29,7 @@ cfg_if! { pub version: *mut ::ASN1_INTEGER, pub subject: *mut ::X509_NAME, pubkey: *mut c_void, - pub attributes: *mut ::stack_st_X509_ATTRIBUTE, + pub attributes: *mut stack_st_X509_ATTRIBUTE, } } } From f13427168389420bc21011903ddb21c9d59be351 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 27 Feb 2023 09:44:10 +0100 Subject: [PATCH 008/126] Removed unnecessary cfg_if's. --- openssl-sys/src/handwritten/pkcs7.rs | 252 +++++++++++---------------- 1 file changed, 97 insertions(+), 155 deletions(-) diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index 332586515a..60dcfe0d64 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs @@ -8,92 +8,51 @@ pub struct PKCS7_CTX { propq: *mut c_char, } -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_SIGNED { - pub version: *mut ASN1_INTEGER, /* version 1 */ - pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ - pub cert: *mut stack_st_X509, /* [ 0 ] */ - pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ - pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, - pub contents: *mut PKCS7, - } - } else { - pub enum PKCS7_SIGNED {} - } +#[repr(C)] +pub struct PKCS7_SIGNED { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, + pub contents: *mut PKCS7, } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_ENC_CONTENT { - pub content_type: *mut ASN1_OBJECT, - pub algorithm: *mut X509_ALGOR, - pub enc_data: *mut ASN1_OCTET_STRING, /* [ 0 ] */ - pub cipher: *const EVP_CIPHER, - #[cfg(ossl300)] - pub ctx: *const PKCS7_CTX, - } - } else { - pub enum PKCS7_ENC_CONTENT {} - } +#[repr(C)] +pub struct PKCS7_ENC_CONTENT { + pub content_type: *mut ASN1_OBJECT, + pub algorithm: *mut X509_ALGOR, + pub enc_data: *mut ASN1_OCTET_STRING, /* [ 0 ] */ + pub cipher: *const EVP_CIPHER, + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_ENVELOPE { - pub version: *mut ASN1_INTEGER, /* version 0 */ - pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO, - pub enc_data: *mut PKCS7_ENC_CONTENT, - } - } else { - pub enum PKCS7_ENVELOPE {} - } +#[repr(C)] +pub struct PKCS7_ENVELOPE { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO, + pub enc_data: *mut PKCS7_ENC_CONTENT, } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_SIGN_ENVELOPE { - pub version: *mut ASN1_INTEGER, /* version 1 */ - pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ - pub cert: *mut stack_st_X509, /* [ 0 ] */ - pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ - pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, - pub enc_data: *mut PKCS7_ENC_CONTENT, - pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO - } - } else { - pub enum PKCS7_SIGN_ENVELOPE {} - } +#[repr(C)] +pub struct PKCS7_SIGN_ENVELOPE { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, + pub enc_data: *mut PKCS7_ENC_CONTENT, + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_DIGEST { - pub version: *mut ASN1_INTEGER, /* version 0 */ - pub md: *mut X509_ALGOR, /* md used */ - pub contents: *mut PKCS7, - pub digest: *mut ASN1_OCTET_STRING, - } - } else { - pub enum PKCS7_DIGEST {} - } +#[repr(C)] +pub struct PKCS7_DIGEST { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub md: *mut X509_ALGOR, /* md used */ + pub contents: *mut PKCS7, + pub digest: *mut ASN1_OCTET_STRING, } - -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7_ENCRYPT { - pub version: *mut ASN1_INTEGER, /* version 0 */ - pub enc_data: *mut PKCS7_ENC_CONTENT, - } - } else { - pub enum PKCS7_ENCRYPT {} - } +#[repr(C)] +pub struct PKCS7_ENCRYPT { + pub version: *mut ASN1_INTEGER, /* version 0 */ + pub enc_data: *mut PKCS7_ENC_CONTENT, } extern "C" { @@ -108,84 +67,67 @@ extern "C" { pub fn PKCS7_RECIP_INFO_free(info: *mut PKCS7_RECIP_INFO); } -cfg_if! { - if #[cfg(any(ossl101, libressl251))] { - #[repr(C)] - pub struct PKCS7 { - /* - * The following is non NULL if it contains ASN1 encoding of this - * structure - */ - pub asn1: *mut c_uchar, - pub length: c_long, - // # define PKCS7_S_HEADER 0 - // # define PKCS7_S_BODY 1 - // # define PKCS7_S_TAIL 2 - pub state: c_int, /* used during processing */ - pub detached: c_int, - pub type_: *mut ASN1_OBJECT, - /* content as defined by the type */ - /* - * all encryption/message digests are applied to the 'contents', leaving - * out the 'type' field. - */ - pub d: PKCS7_data, - #[cfg(ossl300)] - pub ctx: PKCS7_CTX, - } - #[repr(C)] - pub union PKCS7_data { - pub ptr: *mut c_char, - /* NID_pkcs7_data */ - pub data: *mut ASN1_OCTET_STRING, - /* NID_pkcs7_signed */ - pub sign: *mut PKCS7_SIGNED, - /* NID_pkcs7_enveloped */ - pub enveloped: *mut PKCS7_ENVELOPE, - /* NID_pkcs7_signedAndEnveloped */ - pub signed_and_enveloped: *mut PKCS7_SIGN_ENVELOPE, - /* NID_pkcs7_digest */ - pub digest: *mut PKCS7_DIGEST, - /* NID_pkcs7_encrypted */ - pub encrypted: *mut PKCS7_ENCRYPT, - /* Anything else */ - pub other: *mut ASN1_TYPE, - } - } else { - pub enum PKCS7 {} - } +#[repr(C)] +pub struct PKCS7 { + /* + * The following is non NULL if it contains ASN1 encoding of this + * structure + */ + pub asn1: *mut c_uchar, + pub length: c_long, + // # define PKCS7_S_HEADER 0 + // # define PKCS7_S_BODY 1 + // # define PKCS7_S_TAIL 2 + pub state: c_int, /* used during processing */ + pub detached: c_int, + pub type_: *mut ASN1_OBJECT, + /* content as defined by the type */ + /* + * all encryption/message digests are applied to the 'contents', leaving + * out the 'type' field. + */ + pub d: PKCS7_data, + #[cfg(ossl300)] + pub ctx: PKCS7_CTX, } -cfg_if! { - if #[cfg(any(ossl101, libressl))] { - #[repr(C)] - pub struct PKCS7_ISSUER_AND_SERIAL { - pub issuer: *mut X509_NAME, - pub serial: *mut ASN1_INTEGER, - } - } else { - pub enum PKCS7_ISSUER_AND_SERIAL {} - } +#[repr(C)] +pub union PKCS7_data { + pub ptr: *mut c_char, + /* NID_pkcs7_data */ + pub data: *mut ASN1_OCTET_STRING, + /* NID_pkcs7_signed */ + pub sign: *mut PKCS7_SIGNED, + /* NID_pkcs7_enveloped */ + pub enveloped: *mut PKCS7_ENVELOPE, + /* NID_pkcs7_signedAndEnveloped */ + pub signed_and_enveloped: *mut PKCS7_SIGN_ENVELOPE, + /* NID_pkcs7_digest */ + pub digest: *mut PKCS7_DIGEST, + /* NID_pkcs7_encrypted */ + pub encrypted: *mut PKCS7_ENCRYPT, + /* Anything else */ + pub other: *mut ASN1_TYPE, } -cfg_if! { - if #[cfg(any(ossl101, libressl))] { - #[repr(C)] - pub struct PKCS7_SIGNER_INFO { - pub version: *mut ASN1_INTEGER, /* version 1 */ - pub issuer_and_serial: *mut PKCS7_ISSUER_AND_SERIAL, - pub digest_alg: *mut X509_ALGOR, - pub auth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 0 ] */ - pub digest_enc_alg: *mut X509_ALGOR, - pub enc_digest: *mut ASN1_OCTET_STRING, - pub unauth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 1 ] */ - pub pkey: *mut EVP_PKEY, /* The private key to sign with */ - #[cfg(ossl300)] - pub ctx: *const PKCS7_CTX, - } - } else { - pub enum PKCS7_SIGNER_INFO {} - } +#[repr(C)] +pub struct PKCS7_ISSUER_AND_SERIAL { + pub issuer: *mut X509_NAME, + pub serial: *mut ASN1_INTEGER, +} + +#[repr(C)] +pub struct PKCS7_SIGNER_INFO { + pub version: *mut ASN1_INTEGER, /* version 1 */ + pub issuer_and_serial: *mut PKCS7_ISSUER_AND_SERIAL, + pub digest_alg: *mut X509_ALGOR, + pub auth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 0 ] */ + pub digest_enc_alg: *mut X509_ALGOR, + pub enc_digest: *mut ASN1_OCTET_STRING, + pub unauth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 1 ] */ + pub pkey: *mut EVP_PKEY, /* The private key to sign with */ + #[cfg(ossl300)] + pub ctx: *const PKCS7_CTX, } stack!(stack_st_PKCS7_SIGNER_INFO); From 9c30e4e418c26c9e4adfff4bd64aae2713897564 Mon Sep 17 00:00:00 2001 From: Bernd Krietenstein Date: Mon, 27 Feb 2023 09:56:23 +0100 Subject: [PATCH 009/126] rustfmt hit me once more --- openssl-sys/src/handwritten/pkcs7.rs | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/openssl-sys/src/handwritten/pkcs7.rs b/openssl-sys/src/handwritten/pkcs7.rs index 60dcfe0d64..754fc9e2b8 100644 --- a/openssl-sys/src/handwritten/pkcs7.rs +++ b/openssl-sys/src/handwritten/pkcs7.rs @@ -10,10 +10,10 @@ pub struct PKCS7_CTX { #[repr(C)] pub struct PKCS7_SIGNED { - pub version: *mut ASN1_INTEGER, /* version 1 */ + pub version: *mut ASN1_INTEGER, /* version 1 */ pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ - pub cert: *mut stack_st_X509, /* [ 0 ] */ - pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, pub contents: *mut PKCS7, } @@ -34,18 +34,18 @@ pub struct PKCS7_ENVELOPE { } #[repr(C)] pub struct PKCS7_SIGN_ENVELOPE { - pub version: *mut ASN1_INTEGER, /* version 1 */ + pub version: *mut ASN1_INTEGER, /* version 1 */ pub md_algs: *mut stack_st_X509_ALGOR, /* md used */ - pub cert: *mut stack_st_X509, /* [ 0 ] */ - pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ + pub cert: *mut stack_st_X509, /* [ 0 ] */ + pub crl: *mut stack_st_X509_CRL, /* [ 1 ] */ pub signer_info: *mut stack_st_PKCS7_SIGNER_INFO, pub enc_data: *mut PKCS7_ENC_CONTENT, - pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO + pub recipientinfo: *mut stack_st_PKCS7_RECIP_INFO, } #[repr(C)] pub struct PKCS7_DIGEST { pub version: *mut ASN1_INTEGER, /* version 0 */ - pub md: *mut X509_ALGOR, /* md used */ + pub md: *mut X509_ALGOR, /* md used */ pub contents: *mut PKCS7, pub digest: *mut ASN1_OCTET_STRING, } @@ -125,7 +125,7 @@ pub struct PKCS7_SIGNER_INFO { pub digest_enc_alg: *mut X509_ALGOR, pub enc_digest: *mut ASN1_OCTET_STRING, pub unauth_attr: *mut stack_st_X509_ATTRIBUTE, /* [ 1 ] */ - pub pkey: *mut EVP_PKEY, /* The private key to sign with */ + pub pkey: *mut EVP_PKEY, /* The private key to sign with */ #[cfg(ossl300)] pub ctx: *const PKCS7_CTX, } From 7632ba6e56812f8a56410730c439bbd83b10783c Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Fri, 17 Mar 2023 18:19:28 +0000 Subject: [PATCH 010/126] Add issuer_name and reason_code to X509RevokedRef --- openssl-sys/src/handwritten/asn1.rs | 4 ++ openssl-sys/src/handwritten/types.rs | 1 + openssl-sys/src/x509v3.rs | 11 ++++ openssl/src/asn1.rs | 26 ++++++++ openssl/src/x509/mod.rs | 93 +++++++++++++++++++++++++++- 5 files changed, 133 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index 7163a69d5e..f1bcc73f34 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -51,6 +51,10 @@ extern "C" { pub fn ASN1_TIME_set_string(s: *mut ASN1_TIME, str: *const c_char) -> c_int; #[cfg(ossl111)] pub fn ASN1_TIME_set_string_X509(s: *mut ASN1_TIME, str: *const c_char) -> c_int; + + pub fn ASN1_ENUMERATED_free(a: *mut ASN1_ENUMERATED); + #[cfg(ossl110)] + pub fn ASN1_ENUMERATED_get_int64(pr: *mut i64, a: *const ASN1_ENUMERATED) -> c_int; } const_ptr_api! { diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index b229a37597..3351ceabc4 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -4,6 +4,7 @@ use libc::*; use super::super::*; pub enum ASN1_INTEGER {} +pub enum ASN1_ENUMERATED {} pub enum ASN1_GENERALIZEDTIME {} pub enum ASN1_STRING {} pub enum ASN1_BIT_STRING {} diff --git a/openssl-sys/src/x509v3.rs b/openssl-sys/src/x509v3.rs index 5ae4439083..d2ff53489e 100644 --- a/openssl-sys/src/x509v3.rs +++ b/openssl-sys/src/x509v3.rs @@ -91,3 +91,14 @@ pub const X509_PURPOSE_OCSP_HELPER: c_int = 8; pub const X509_PURPOSE_TIMESTAMP_SIGN: c_int = 9; pub const X509_PURPOSE_MIN: c_int = 1; pub const X509_PURPOSE_MAX: c_int = 9; + +pub const CRL_REASON_UNSPECIFIED: c_int = 0; +pub const CRL_REASON_KEY_COMPROMISE: c_int = 1; +pub const CRL_REASON_CA_COMPROMISE: c_int = 2; +pub const CRL_REASON_AFFILIATION_CHANGED: c_int = 3; +pub const CRL_REASON_SUPERSEDED: c_int = 4; +pub const CRL_REASON_CESSATION_OF_OPERATION: c_int = 5; +pub const CRL_REASON_CERTIFICATE_HOLD: c_int = 6; +pub const CRL_REASON_REMOVE_FROM_CRL: c_int = 8; +pub const CRL_REASON_PRIVILEGE_WITHDRAWN: c_int = 9; +pub const CRL_REASON_AA_COMPROMISE: c_int = 10; diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index c0178c7e65..db752ad9f1 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -666,6 +666,32 @@ cfg_if! { } } +foreign_type_and_impl_send_sync! { + type CType = ffi::ASN1_ENUMERATED; + fn drop = ffi::ASN1_ENUMERATED_free; + + /// An ASN.1 enumerated. + pub struct Asn1Enumerated; + /// A reference to an [`Asn1Enumerated`]. + pub struct Asn1EnumeratedRef; +} + +impl Asn1EnumeratedRef { + /// Get the value, if it fits in the required bounds. + #[corresponds(ASN1_ENUMERATED_get)] + #[cfg(ossl110)] + pub fn get_i64(&self) -> Result { + let mut crl_reason = 0; + unsafe { + cvt(ffi::ASN1_ENUMERATED_get_int64( + &mut crl_reason, + self.as_ptr(), + ))?; + } + Ok(crl_reason) + } +} + #[cfg(test)] mod tests { use super::*; diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 5b55918750..e628e64a6d 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -24,8 +24,8 @@ use std::slice; use std::str; use crate::asn1::{ - Asn1BitStringRef, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, Asn1StringRef, Asn1TimeRef, - Asn1Type, + Asn1BitStringRef, Asn1Enumerated, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, Asn1StringRef, + Asn1TimeRef, Asn1Type, }; use crate::bio::MemBioSlice; use crate::conf::ConfRef; @@ -1481,6 +1481,37 @@ impl X509ReqRef { } } +/// The reason that a certificate was revoked. +#[derive(Debug, Copy, Clone, PartialEq, Eq)] +pub struct CrlReason(i64); + +#[allow(missing_docs)] // no need to document the constants +impl CrlReason { + pub const UNSPECIFIED: CrlReason = CrlReason(ffi::CRL_REASON_UNSPECIFIED as i64); + pub const KEY_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_KEY_COMPROMISE as i64); + pub const CA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_CA_COMPROMISE as i64); + pub const AFFILIATION_CHANGED: CrlReason = + CrlReason(ffi::CRL_REASON_AFFILIATION_CHANGED as i64); + pub const SUPERSEDED: CrlReason = CrlReason(ffi::CRL_REASON_SUPERSEDED as i64); + pub const CESSATION_OF_OPERATION: CrlReason = + CrlReason(ffi::CRL_REASON_CESSATION_OF_OPERATION as i64); + pub const CERTIFICATE_HOLD: CrlReason = CrlReason(ffi::CRL_REASON_CERTIFICATE_HOLD as i64); + pub const REMOVE_FROM_CRL: CrlReason = CrlReason(ffi::CRL_REASON_REMOVE_FROM_CRL as i64); + pub const PRIVILEGE_WITHDRAWN: CrlReason = + CrlReason(ffi::CRL_REASON_PRIVILEGE_WITHDRAWN as i64); + pub const AA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_AA_COMPROMISE as i64); + + /// Constructs an `CrlReason` from a raw OpenSSL value. + pub fn from_raw(value: i64) -> Self { + CrlReason(value) + } + + /// Returns the raw OpenSSL value represented by this type. + pub fn as_raw(&self) -> i64 { + self.0 + } +} + foreign_type_and_impl_send_sync! { type CType = ffi::X509_REVOKED; fn drop = ffi::X509_REVOKED_free; @@ -1513,6 +1544,13 @@ impl X509RevokedRef { ffi::i2d_X509_REVOKED } + /// Copies the entry to a new `X509Revoked`. + #[corresponds(X509_NAME_dup)] + #[cfg(any(boringssl, ossl110, libressl270))] + pub fn to_owned(&self) -> Result { + unsafe { cvt_p(ffi::X509_REVOKED_dup(self.as_ptr())).map(|n| X509Revoked::from_ptr(n)) } + } + /// Get the date that the certificate was revoked #[corresponds(X509_REVOKED_get0_revocationDate)] pub fn revocation_date(&self) -> &Asn1TimeRef { @@ -1532,6 +1570,46 @@ impl X509RevokedRef { Asn1IntegerRef::from_ptr(r as *mut _) } } + + /// Get the issuer name of the revoked certificate + #[corresponds(X509_REVOKED_get_ext_d2i)] + pub fn issuer_name(&self) -> Option> { + // SAFETY: self.as_ptr() is a valid pointer to an X509_REVOKED. + unsafe { + let issuer_names = ffi::X509_REVOKED_get_ext_d2i( + self.as_ptr() as *const _, + // NID_certificate_issuer is a X509_REVOKED extension that + // returns a GENERAL_NAMES, which is a Stack + ffi::NID_certificate_issuer, + // Only one instance of the extension is permissable + ptr::null_mut(), + // Don't care if the extension is critical + ptr::null_mut(), + ); + Stack::from_ptr_opt(issuer_names as *mut _) + } + } + + /// Get the reason that the certificate was revoked + #[corresponds(X509_REVOKED_get_ext_d2i)] + #[cfg(ossl110)] + pub fn reason_code(&self) -> Option> { + let reason_code = unsafe { + // The return value may be NULL if the extension wasn't found or + // there were multiple, and we require only one. + Asn1Enumerated::from_ptr_opt(ffi::X509_REVOKED_get_ext_d2i( + // self.as_ptr() is a valid pointer to a X509_REVOKED + self.as_ptr() as *const _, + // NID_crl_reason is an X509_REVOKED extension that is an ASN1_ENUMERATED + ffi::NID_crl_reason, + // Only one instance of the extension is permissable + ptr::null_mut(), + // Don't care if the extension is critical + ptr::null_mut(), + ) as *mut _) + }?; + Some(reason_code.get_i64().map(CrlReason::from_raw)) + } } foreign_type_and_impl_send_sync! { @@ -1872,6 +1950,17 @@ impl GeneralNameRef { self.ia5_string(ffi::GEN_EMAIL) } + /// Returns the contents of this `GeneralName` if it is a `directoryName`. + pub fn directory_name(&self) -> Option<&X509NameRef> { + unsafe { + if (*self.as_ptr()).type_ != ffi::GEN_DIRNAME { + return None; + } + + Some(X509NameRef::from_const_ptr((*self.as_ptr()).d as *const _)) + } + } + /// Returns the contents of this `GeneralName` if it is a `dNSName`. pub fn dnsname(&self) -> Option<&str> { self.ia5_string(ffi::GEN_DNS) From 30aa4085e71c85637d6b1a9f9c4107e977a4a3d6 Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Mon, 27 Mar 2023 17:52:14 +0100 Subject: [PATCH 011/126] Expose X509_REVOKED_get_ext_d2i more directly --- openssl/src/asn1.rs | 2 +- openssl/src/nid.rs | 4 +- openssl/src/x509/mod.rs | 125 ++++++++++++++++++++++++---------------- 3 files changed, 78 insertions(+), 53 deletions(-) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index db752ad9f1..8599539add 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -678,7 +678,7 @@ foreign_type_and_impl_send_sync! { impl Asn1EnumeratedRef { /// Get the value, if it fits in the required bounds. - #[corresponds(ASN1_ENUMERATED_get)] + #[corresponds(ASN1_ENUMERATED_get_int64)] #[cfg(ossl110)] pub fn get_i64(&self) -> Result { let mut crl_reason = 0; diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index e4562a1c27..81b74d342f 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -51,13 +51,13 @@ pub struct Nid(c_int); #[allow(non_snake_case)] impl Nid { /// Create a `Nid` from an integer representation. - pub fn from_raw(raw: c_int) -> Nid { + pub const fn from_raw(raw: c_int) -> Nid { Nid(raw) } /// Return the integer representation of a `Nid`. #[allow(clippy::trivially_copy_pass_by_ref)] - pub fn as_raw(&self) -> c_int { + pub const fn as_raw(&self) -> c_int { self.0 } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index e628e64a6d..decb005efd 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -50,6 +50,15 @@ pub mod store; #[cfg(test)] mod tests; +/// A type of X509 extension. +/// +/// # Safety +/// The value of NID and Output must match those in OpenSSL so that +pub unsafe trait ExtensionType { + const NID: Nid; + type Output: ForeignType; +} + foreign_type_and_impl_send_sync! { type CType = ffi::X509_STORE_CTX; fn drop = ffi::X509_STORE_CTX_free; @@ -1483,31 +1492,28 @@ impl X509ReqRef { /// The reason that a certificate was revoked. #[derive(Debug, Copy, Clone, PartialEq, Eq)] -pub struct CrlReason(i64); +pub struct CrlReason(c_int); #[allow(missing_docs)] // no need to document the constants impl CrlReason { - pub const UNSPECIFIED: CrlReason = CrlReason(ffi::CRL_REASON_UNSPECIFIED as i64); - pub const KEY_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_KEY_COMPROMISE as i64); - pub const CA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_CA_COMPROMISE as i64); - pub const AFFILIATION_CHANGED: CrlReason = - CrlReason(ffi::CRL_REASON_AFFILIATION_CHANGED as i64); - pub const SUPERSEDED: CrlReason = CrlReason(ffi::CRL_REASON_SUPERSEDED as i64); - pub const CESSATION_OF_OPERATION: CrlReason = - CrlReason(ffi::CRL_REASON_CESSATION_OF_OPERATION as i64); - pub const CERTIFICATE_HOLD: CrlReason = CrlReason(ffi::CRL_REASON_CERTIFICATE_HOLD as i64); - pub const REMOVE_FROM_CRL: CrlReason = CrlReason(ffi::CRL_REASON_REMOVE_FROM_CRL as i64); - pub const PRIVILEGE_WITHDRAWN: CrlReason = - CrlReason(ffi::CRL_REASON_PRIVILEGE_WITHDRAWN as i64); - pub const AA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_AA_COMPROMISE as i64); + pub const UNSPECIFIED: CrlReason = CrlReason(ffi::CRL_REASON_UNSPECIFIED); + pub const KEY_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_KEY_COMPROMISE); + pub const CA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_CA_COMPROMISE); + pub const AFFILIATION_CHANGED: CrlReason = CrlReason(ffi::CRL_REASON_AFFILIATION_CHANGED); + pub const SUPERSEDED: CrlReason = CrlReason(ffi::CRL_REASON_SUPERSEDED); + pub const CESSATION_OF_OPERATION: CrlReason = CrlReason(ffi::CRL_REASON_CESSATION_OF_OPERATION); + pub const CERTIFICATE_HOLD: CrlReason = CrlReason(ffi::CRL_REASON_CERTIFICATE_HOLD); + pub const REMOVE_FROM_CRL: CrlReason = CrlReason(ffi::CRL_REASON_REMOVE_FROM_CRL); + pub const PRIVILEGE_WITHDRAWN: CrlReason = CrlReason(ffi::CRL_REASON_PRIVILEGE_WITHDRAWN); + pub const AA_COMPROMISE: CrlReason = CrlReason(ffi::CRL_REASON_AA_COMPROMISE); /// Constructs an `CrlReason` from a raw OpenSSL value. - pub fn from_raw(value: i64) -> Self { + pub const fn from_raw(value: c_int) -> Self { CrlReason(value) } /// Returns the raw OpenSSL value represented by this type. - pub fn as_raw(&self) -> i64 { + pub const fn as_raw(&self) -> c_int { self.0 } } @@ -1571,45 +1577,59 @@ impl X509RevokedRef { } } - /// Get the issuer name of the revoked certificate + /// Get the criticality and value of an extension. + /// + /// This returns None if the extension is not present or occurs multiple times. #[corresponds(X509_REVOKED_get_ext_d2i)] - pub fn issuer_name(&self) -> Option> { - // SAFETY: self.as_ptr() is a valid pointer to an X509_REVOKED. - unsafe { - let issuer_names = ffi::X509_REVOKED_get_ext_d2i( - self.as_ptr() as *const _, - // NID_certificate_issuer is a X509_REVOKED extension that - // returns a GENERAL_NAMES, which is a Stack - ffi::NID_certificate_issuer, - // Only one instance of the extension is permissable - ptr::null_mut(), - // Don't care if the extension is critical + pub fn extension(&self) -> Result, ErrorStack> { + let mut critical = -1; + let out = unsafe { + // SAFETY: self.as_ptr() is a valid pointer to an X509_REVOKED. + let ext = ffi::X509_REVOKED_get_ext_d2i( + self.as_ptr(), + T::NID.as_raw(), + &mut critical as *mut _, ptr::null_mut(), ); - Stack::from_ptr_opt(issuer_names as *mut _) + // SAFETY: Extensions's contract promises that the type returned by + // OpenSSL here is T::Output. + T::Output::from_ptr_opt(ext as *mut _) + }; + match (critical, out) { + (0, Some(out)) => Ok(Some((false, out))), + (1, Some(out)) => Ok(Some((true, out))), + // -1 means the extension wasn't found, -2 means multiple were found. + (-1 | -2, _) => Ok(None), + // A critical value of 0 or 1 suggests success, but a null pointer + // was returned so something went wrong. + (0 | 1, None) => Err(ErrorStack::get()), + (..=-3 | 2.., _) => panic!("OpenSSL should only return -2, -1, 0, or 1 for an extension's criticality but it returned {}", critical), } } +} - /// Get the reason that the certificate was revoked - #[corresponds(X509_REVOKED_get_ext_d2i)] - #[cfg(ossl110)] - pub fn reason_code(&self) -> Option> { - let reason_code = unsafe { - // The return value may be NULL if the extension wasn't found or - // there were multiple, and we require only one. - Asn1Enumerated::from_ptr_opt(ffi::X509_REVOKED_get_ext_d2i( - // self.as_ptr() is a valid pointer to a X509_REVOKED - self.as_ptr() as *const _, - // NID_crl_reason is an X509_REVOKED extension that is an ASN1_ENUMERATED - ffi::NID_crl_reason, - // Only one instance of the extension is permissable - ptr::null_mut(), - // Don't care if the extension is critical - ptr::null_mut(), - ) as *mut _) - }?; - Some(reason_code.get_i64().map(CrlReason::from_raw)) - } +/// The CRL entry extension identifying the reason for revocation see [`CrlReason`], +/// this is as defined in RFC 5280 Section 5.3.1. +pub enum ReasonCode {} + +// SAFETY: CertificateIssuer is defined to be a stack of GeneralName in the RFC +// and in OpenSSL. +unsafe impl ExtensionType for ReasonCode { + const NID: Nid = Nid::from_raw(ffi::NID_crl_reason); + + type Output = Asn1Enumerated; +} + +/// The CRL entry extension identifying the issuer of a certificate used in +/// indirect CRLs, as defined in RFC 5280 Section 5.3.3. +pub enum CertificateIssuer {} + +// SAFETY: CertificateIssuer is defined to be a stack of GeneralName in the RFC +// and in OpenSSL. +unsafe impl ExtensionType for CertificateIssuer { + const NID: Nid = Nid::from_raw(ffi::NID_certificate_issuer); + + type Output = Stack; } foreign_type_and_impl_send_sync! { @@ -1957,7 +1977,12 @@ impl GeneralNameRef { return None; } - Some(X509NameRef::from_const_ptr((*self.as_ptr()).d as *const _)) + #[cfg(boringssl)] + let d = (*self.as_ptr()).d.ptr; + #[cfg(not(boringssl))] + let d = (*self.as_ptr()).d; + + Some(X509NameRef::from_const_ptr(d as *const _)) } } From 3b25d11504f8547637b591fa4360df78cc6c2ac1 Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Mon, 27 Mar 2023 18:40:19 +0100 Subject: [PATCH 012/126] Use range pattern compatible with MSRV --- openssl/src/x509/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index decb005efd..a6ead63a2e 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1603,7 +1603,7 @@ impl X509RevokedRef { // A critical value of 0 or 1 suggests success, but a null pointer // was returned so something went wrong. (0 | 1, None) => Err(ErrorStack::get()), - (..=-3 | 2.., _) => panic!("OpenSSL should only return -2, -1, 0, or 1 for an extension's criticality but it returned {}", critical), + (c_int::MIN..=-2 | 2.., _) => panic!("OpenSSL should only return -2, -1, 0, or 1 for an extension's criticality but it returned {}", critical), } } } From 95680c816c55b617d2f5949cf2aedd060082840d Mon Sep 17 00:00:00 2001 From: Jack Rickard Date: Tue, 28 Mar 2023 12:08:27 +0100 Subject: [PATCH 013/126] Add test for CRL entry extensions --- openssl/src/x509/mod.rs | 1 + openssl/src/x509/tests.rs | 42 +++++++++++++++++++++++++++++-- openssl/test/entry_extensions.crl | 10 ++++++++ 3 files changed, 51 insertions(+), 2 deletions(-) create mode 100644 openssl/test/entry_extensions.crl diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index a6ead63a2e..e30dd80730 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -54,6 +54,7 @@ mod tests; /// /// # Safety /// The value of NID and Output must match those in OpenSSL so that +/// `Output::from_ptr_opt(*_get_ext_d2i(*, NID, ...))` is valid. pub unsafe trait ExtensionType { const NID: Nid; type Output: ForeignType; diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 57734f2665..7fb383631f 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -18,12 +18,12 @@ use crate::x509::store::X509Lookup; use crate::x509::store::X509StoreBuilder; #[cfg(any(ossl102, libressl261))] use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; -#[cfg(ossl110)] -use crate::x509::X509Builder; #[cfg(ossl102)] use crate::x509::X509PurposeId; #[cfg(any(ossl102, libressl261))] use crate::x509::X509PurposeRef; +#[cfg(ossl110)] +use crate::x509::{CrlReason, X509Builder}; use crate::x509::{ CrlStatus, X509Crl, X509Extension, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509, }; @@ -31,6 +31,8 @@ use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] use libc::time_t; +use super::{CertificateIssuer, ReasonCode}; + fn pkey() -> PKey { let rsa = Rsa::generate(2048).unwrap(); PKey::from_rsa(rsa).unwrap() @@ -611,6 +613,42 @@ fn test_load_crl() { ); } +#[test] +fn test_crl_entry_extensions() { + let crl = include_bytes!("../../test/entry_extensions.crl"); + let crl = X509Crl::from_pem(crl).unwrap(); + + let revoked_certs = crl.get_revoked().unwrap(); + let entry = &revoked_certs[0]; + + let (critical, issuer) = entry + .extension::() + .unwrap() + .expect("Certificate issuer extension should be present"); + assert!(critical, "Certificate issuer extension is critical"); + assert_eq!(issuer.len(), 1, "Certificate issuer should have one entry"); + let issuer = issuer[0] + .directory_name() + .expect("Issuer should be a directory name"); + assert_eq!( + format!("{:?}", issuer), + r#"[countryName = "GB", commonName = "Test CA"]"# + ); + + // reason_code can't be inspected without ossl110 + #[allow(unused_variables)] + let (critical, reason_code) = entry + .extension::() + .unwrap() + .expect("Reason code extension should be present"); + assert!(!critical, "Reason code extension is not critical"); + #[cfg(ossl110)] + assert_eq!( + CrlReason::KEY_COMPROMISE, + CrlReason::from_raw(reason_code.get_i64().unwrap() as ffi::c_int) + ); +} + #[test] fn test_save_subject_der() { let cert = include_bytes!("../../test/cert.pem"); diff --git a/openssl/test/entry_extensions.crl b/openssl/test/entry_extensions.crl new file mode 100644 index 0000000000..9654171cf1 --- /dev/null +++ b/openssl/test/entry_extensions.crl @@ -0,0 +1,10 @@ +-----BEGIN X509 CRL----- +MIIBXDCCAQICAQEwCgYIKoZIzj0EAwIwETEPMA0GA1UEAwwGQ1JMIENBFw0yMzAz +MjgwOTQ5MThaFw0yMzA0MDQwOTUwMDdaMIGAMH4CFE+Y95/1pOqa6c9fUEJ8c04k +xu2PFw0yMzAzMjgwOTQ3MzNaMFcwLwYDVR0dAQH/BCUwI6QhMB8xCzAJBgNVBAYT +AkdCMRAwDgYDVQQDDAdUZXN0IENBMAoGA1UdFQQDCgEBMBgGA1UdGAQRGA8yMDIz +MDMyODA5NDQ0MFqgPTA7MB8GA1UdIwQYMBaAFNX1GZ0RWuC+4gz1wuy5H32T2W+R +MAoGA1UdFAQDAgEUMAwGA1UdHAQFMAOEAf8wCgYIKoZIzj0EAwIDSAAwRQIgbl7x +W+WVAb+zlvKcJLmHVuC+gbqR4jqwGIHHgQl2J8kCIQCo/sAF5sDqy/cL+fbzBeUe +YoY2h6lIkj9ENwU8ZCt03w== +-----END X509 CRL----- From a27dd4d799702c44578b62572f2dcfed2022496b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 10 Apr 2023 14:45:28 +0800 Subject: [PATCH 014/126] update documentation to reflect libressl support --- openssl/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 5678298a03..7829b79cba 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -1,7 +1,7 @@ //! Bindings to OpenSSL //! //! This crate provides a safe interface to the popular OpenSSL cryptography library. OpenSSL versions 1.0.1 through -//! 3.x.x and LibreSSL versions 2.5 through 3.4.1 are supported. +//! 3.x.x and LibreSSL versions 2.5 through 3.7.x are supported. //! //! # Building //! From c2fbe9a1d6c85d1d43470b3f1188bf74056f0d51 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 15 Apr 2023 19:11:26 -0400 Subject: [PATCH 015/126] Fixes #1882 -- added APIs for setting public keys on Dh --- openssl/src/dh.rs | 46 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index e781543e27..f7246975b3 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -7,7 +7,7 @@ use std::ptr; use crate::bn::{BigNum, BigNumRef}; use crate::error::ErrorStack; -use crate::pkey::{HasParams, HasPrivate, HasPublic, Params, Private}; +use crate::pkey::{HasParams, HasPrivate, HasPublic, Params, Private, Public}; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; @@ -66,6 +66,16 @@ impl Dh { } } + /// Sets the public key on the DH object. + pub fn set_public_key(self, pub_key: BigNum) -> Result, ErrorStack> { + unsafe { + let dh_ptr = self.0; + cvt(DH_set0_key(dh_ptr, pub_key.as_ptr(), ptr::null_mut()))?; + mem::forget((self, pub_key)); + Ok(Dh::from_ptr(dh_ptr)) + } + } + /// Sets the private key on the DH object and recomputes the public key. pub fn set_private_key(self, priv_key: BigNum) -> Result, ErrorStack> { unsafe { @@ -79,6 +89,16 @@ impl Dh { } } + /// Sets the public and private keys on the DH object. + pub fn set_key(self, pub_key: BigNum, priv_key: BigNum) -> Result, ErrorStack> { + unsafe { + let dh_ptr = self.0; + cvt(DH_set0_key(dh_ptr, pub_key.as_ptr(), priv_key.as_ptr()))?; + mem::forget((self, pub_key, priv_key)); + Ok(Dh::from_ptr(dh_ptr)) + } + } + /// Generates DH params based on the given `prime_len` and a fixed `generator` value. #[corresponds(DH_generate_parameters_ex)] pub fn generate_params(prime_len: u32, generator: u32) -> Result, ErrorStack> { @@ -367,6 +387,30 @@ mod tests { assert_eq!(key1.private_key(), key2.private_key()); } + #[test] + #[cfg(ossl102)] + fn test_set_keys() { + let dh1 = Dh::get_2048_256().unwrap(); + let key1 = dh1.generate_key().unwrap(); + + let dh2 = Dh::get_2048_256().unwrap(); + let key2 = dh2 + .set_public_key(key1.public_key().to_owned().unwrap()) + .unwrap(); + + assert_eq!(key1.public_key(), key2.public_key()); + + let dh3 = Dh::get_2048_256().unwrap(); + let key3 = dh3 + .set_key( + key1.public_key().to_owned().unwrap(), + key1.private_key().to_owned().unwrap(), + ) + .unwrap(); + assert_eq!(key1.public_key(), key3.public_key()); + assert_eq!(key1.private_key(), key3.private_key()); + } + #[test] fn test_dh_from_pem() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); From 5e4815810b4ffe924a0dd7344bb5e584d58087fb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 16 Apr 2023 17:20:30 -0400 Subject: [PATCH 016/126] Fixes #1884 -- don't leave an error on the stack in public_eq --- openssl/src/pkey.rs | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index bec4bfdafc..c03b181c80 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -244,7 +244,11 @@ where where U: HasPublic, { - unsafe { ffi::EVP_PKEY_cmp(self.as_ptr(), other.as_ptr()) == 1 } + let res = unsafe { ffi::EVP_PKEY_cmp(self.as_ptr(), other.as_ptr()) == 1 }; + // Clear the stack. OpenSSL will put an error on the stack when the + // keys are different types in some situations. + let _ = ErrorStack::get(); + res } /// Raw byte representation of a public key. @@ -885,6 +889,7 @@ mod tests { use crate::dh::Dh; use crate::dsa::Dsa; use crate::ec::EcKey; + use crate::error::Error; use crate::nid::Nid; use crate::rsa::Rsa; use crate::symm::Cipher; @@ -1168,4 +1173,17 @@ mod tests { let key = PKey::ec_gen("prime256v1").unwrap(); assert!(key.ec_key().is_ok()); } + + #[test] + fn test_public_eq() { + let rsa = Rsa::generate(2048).unwrap(); + let pkey1 = PKey::from_rsa(rsa).unwrap(); + + let group = crate::ec::EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let ec_key = EcKey::generate(&group).unwrap(); + let pkey2 = PKey::from_ec_key(ec_key).unwrap(); + + assert!(!pkey1.public_eq(&pkey2)); + assert!(Error::get().is_none()); + } } From f0b752d251608e4c07d707ff688ce4fe23cf00d4 Mon Sep 17 00:00:00 2001 From: Martin Algesten Date: Tue, 18 Apr 2023 09:23:40 +0200 Subject: [PATCH 017/126] DTLS1 and DTLS1_2 SslVersion for set_min_proto_version() Expose constants to allow limiting the DTLS version. --- openssl-sys/src/tls1.rs | 3 +++ openssl/src/ssl/mod.rs | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/openssl-sys/src/tls1.rs b/openssl-sys/src/tls1.rs index f7ae302046..fd83da7ae4 100644 --- a/openssl-sys/src/tls1.rs +++ b/openssl-sys/src/tls1.rs @@ -10,6 +10,9 @@ pub const TLS1_2_VERSION: c_int = 0x303; #[cfg(any(ossl111, libressl340))] pub const TLS1_3_VERSION: c_int = 0x304; +pub const DTLS1_VERSION: c_int = 0xFEFF; +pub const DTLS1_2_VERSION: c_int = 0xFEFD; + pub const TLS1_AD_DECODE_ERROR: c_int = 50; pub const TLS1_AD_UNRECOGNIZED_NAME: c_int = 112; diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 6ef356d36d..4ebf47dd09 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -644,6 +644,16 @@ impl SslVersion { /// Requires OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer. #[cfg(any(ossl111, libressl340))] pub const TLS1_3: SslVersion = SslVersion(ffi::TLS1_3_VERSION); + + /// DTLSv1.0 + /// + /// DTLS 1.0 corresponds to TLS 1.1. + pub const DTLS1: SslVersion = SslVersion(ffi::DTLS1_VERSION); + + /// DTLSv1.2 + /// + /// DTLS 1.2 corresponds to TLS 1.2 to harmonize versions. There was never a DTLS 1.1. + pub const DTLS1_2: SslVersion = SslVersion(ffi::DTLS1_2_VERSION); } cfg_if! { From 36fd9651f6239349fa4c750371615f90c45182fa Mon Sep 17 00:00:00 2001 From: Martin Algesten Date: Tue, 18 Apr 2023 10:01:39 +0200 Subject: [PATCH 018/126] Limit DTLS1.2 to openssl 1.0.2 and libressl 3.3.2 --- openssl-sys/src/tls1.rs | 1 + openssl/src/ssl/mod.rs | 1 + 2 files changed, 2 insertions(+) diff --git a/openssl-sys/src/tls1.rs b/openssl-sys/src/tls1.rs index fd83da7ae4..2cb08a91f3 100644 --- a/openssl-sys/src/tls1.rs +++ b/openssl-sys/src/tls1.rs @@ -11,6 +11,7 @@ pub const TLS1_2_VERSION: c_int = 0x303; pub const TLS1_3_VERSION: c_int = 0x304; pub const DTLS1_VERSION: c_int = 0xFEFF; +#[cfg(any(ossl102, libressl332))] pub const DTLS1_2_VERSION: c_int = 0xFEFD; pub const TLS1_AD_DECODE_ERROR: c_int = 50; diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 4ebf47dd09..5b8775c98c 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -653,6 +653,7 @@ impl SslVersion { /// DTLSv1.2 /// /// DTLS 1.2 corresponds to TLS 1.2 to harmonize versions. There was never a DTLS 1.1. + #[cfg(any(ossl102, libressl332))] pub const DTLS1_2: SslVersion = SslVersion(ffi::DTLS1_2_VERSION); } From 428a7e595cff993a6a869e9fafd8b34743e4bfbe Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 19 Apr 2023 20:01:17 -0400 Subject: [PATCH 019/126] Remove size_t-is-usize argument to bindgen It's been on by default for a while: https://github.com/rust-lang/rust-bindgen/commit/cc78b6fdb6e829e5fb8fa1639f2182cb49333569 --- openssl-sys/build/run_bindgen.rs | 2 -- 1 file changed, 2 deletions(-) diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 0c127ae5c6..3361786357 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -111,7 +111,6 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { .ctypes_prefix("::libc") .derive_default(false) .enable_function_attribute_detection() - .size_t_is_usize(true) .default_macro_constant_type(MacroTypeVariation::Signed) .rustified_enum("point_conversion_form_t") .allowlist_file(".*/openssl/[^/]+\\.h") @@ -167,7 +166,6 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { .arg("--ctypes-prefix=::libc") .arg("--no-derive-default") .arg("--enable-function-attribute-detection") - .arg("--size_t-is-usize") .arg("--default-macro-constant-type=signed") .arg("--rustified-enum=point_conversion_form_t") .arg("--allowlist-file=.*/openssl/[^/]+\\.h") From c7f91fc4e6b505d50c7ecaaaef5a74919672b425 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 19 Apr 2023 20:38:00 -0400 Subject: [PATCH 020/126] Update BoringSSL in CI --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e8bf8c9c86..b8314824b5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -153,7 +153,7 @@ jobs: - false library: - name: boringssl - version: 93e8d4463d59d671e9c5c6171226341f04b07907 + version: bcecc7d834fc44ad257b2f23f88e1cf597ab2736 - name: openssl version: vendored - name: openssl From a0bfb99e44e9709b4606a3a8ab5b76134a056b25 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Apr 2023 04:12:28 -0400 Subject: [PATCH 021/126] Fix build for changes in boringssl paths --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b8314824b5..71deb57ab9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -310,7 +310,7 @@ jobs: - run: | mkdir -p .cargo echo '[patch.crates-io]' > .cargo/config.toml - echo 'bssl-sys = { path = "'$OPENSSL_DIR'/rust" }' >> .cargo/config.toml + echo 'bssl-sys = { path = "'$OPENSSL_DIR'/rust/bssl-sys" }' >> .cargo/config.toml if: matrix.library.name == 'boringssl' && !matrix.bindgen - uses: actions/cache@v3 with: From b2ca7210f258c2cf32b8e045d5d03e4f4a365260 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Apr 2023 04:12:40 -0400 Subject: [PATCH 022/126] Fix types for boringssl changes --- openssl/src/x509/mod.rs | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 00b467fb77..774fc4289b 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -986,13 +986,13 @@ impl X509NameBuilder { pub fn append_entry_by_text(&mut self, field: &str, value: &str) -> Result<(), ErrorStack> { unsafe { let field = CString::new(field).unwrap(); - assert!(value.len() <= c_int::max_value() as usize); + assert!(value.len() <= crate::SLenType::max_value() as usize); cvt(ffi::X509_NAME_add_entry_by_txt( self.0.as_ptr(), field.as_ptr() as *mut _, ffi::MBSTRING_UTF8, value.as_ptr(), - value.len() as c_int, + value.len() as crate::SLenType, -1, 0, )) @@ -1013,13 +1013,13 @@ impl X509NameBuilder { ) -> Result<(), ErrorStack> { unsafe { let field = CString::new(field).unwrap(); - assert!(value.len() <= c_int::max_value() as usize); + assert!(value.len() <= crate::SLenType::max_value() as usize); cvt(ffi::X509_NAME_add_entry_by_txt( self.0.as_ptr(), field.as_ptr() as *mut _, ty.as_raw(), value.as_ptr(), - value.len() as c_int, + value.len() as crate::SLenType, -1, 0, )) @@ -1034,13 +1034,13 @@ impl X509NameBuilder { /// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_NID.html pub fn append_entry_by_nid(&mut self, field: Nid, value: &str) -> Result<(), ErrorStack> { unsafe { - assert!(value.len() <= c_int::max_value() as usize); + assert!(value.len() <= crate::SLenType::max_value() as usize); cvt(ffi::X509_NAME_add_entry_by_NID( self.0.as_ptr(), field.as_raw(), ffi::MBSTRING_UTF8, value.as_ptr() as *mut _, - value.len() as c_int, + value.len() as crate::SLenType, -1, 0, )) @@ -1060,13 +1060,13 @@ impl X509NameBuilder { ty: Asn1Type, ) -> Result<(), ErrorStack> { unsafe { - assert!(value.len() <= c_int::max_value() as usize); + assert!(value.len() <= crate::SLenType::max_value() as usize); cvt(ffi::X509_NAME_add_entry_by_NID( self.0.as_ptr(), field.as_raw(), ty.as_raw(), value.as_ptr() as *mut _, - value.len() as c_int, + value.len() as crate::SLenType, -1, 0, )) From 9f9009392c8788b1b4e984b8a81ff919c28754e5 Mon Sep 17 00:00:00 2001 From: remigranotier <42846930+remigranotier@users.noreply.github.com> Date: Thu, 20 Apr 2023 16:54:09 +0200 Subject: [PATCH 023/126] Documentation typo for X509Crl Fixed x509Crl description from "a X509 certificate request" to "a X509 certificate revocation list" --- openssl/src/x509/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 774fc4289b..971fb982a6 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1545,7 +1545,7 @@ foreign_type_and_impl_send_sync! { type CType = ffi::X509_REVOKED; fn drop = ffi::X509_REVOKED_free; - /// An `X509` certificate request. + /// An `X509` certificate revocation list. pub struct X509Revoked; /// Reference to `X509Crl`. pub struct X509RevokedRef; From 75a6e0e47db672987eed0cef48dc3860e8b153cf Mon Sep 17 00:00:00 2001 From: remigranotier <42846930+remigranotier@users.noreply.github.com> Date: Thu, 20 Apr 2023 16:59:03 +0200 Subject: [PATCH 024/126] [Documentation] fixed X509Crl and X509Revoked description in doc Pardon my previous MR, Ctrl+F tricked me... This one fixes (for good) descriptions for both X509Crl and X509Revoked --- openssl/src/x509/mod.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 971fb982a6..030770587e 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1545,9 +1545,9 @@ foreign_type_and_impl_send_sync! { type CType = ffi::X509_REVOKED; fn drop = ffi::X509_REVOKED_free; - /// An `X509` certificate revocation list. + /// An `X509` certificate revocation status. pub struct X509Revoked; - /// Reference to `X509Crl`. + /// Reference to `X509Revoked`. pub struct X509RevokedRef; } @@ -1659,7 +1659,7 @@ foreign_type_and_impl_send_sync! { type CType = ffi::X509_CRL; fn drop = ffi::X509_CRL_free; - /// An `X509` certificate request. + /// An `X509` certificate revocation list. pub struct X509Crl; /// Reference to `X509Crl`. pub struct X509CrlRef; From 2ac0d838ff5f78cd019c225075a3745e65ef6675 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 20 Apr 2023 13:15:44 -0600 Subject: [PATCH 025/126] add asn1octetstring creation support --- openssl-sys/src/handwritten/asn1.rs | 6 ++++ openssl/src/asn1.rs | 48 +++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index 13c233a473..fa43a7a5c1 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -51,9 +51,15 @@ extern "C" { #[cfg(any(all(ossl101, not(ossl110)), libressl))] pub fn ASN1_STRING_data(x: *mut ASN1_STRING) -> *mut c_uchar; pub fn ASN1_STRING_new() -> *mut ASN1_STRING; + pub fn ASN1_OCTET_STRING_new() -> *mut ASN1_OCTET_STRING; pub fn ASN1_STRING_free(x: *mut ASN1_STRING); pub fn ASN1_STRING_length(x: *const ASN1_STRING) -> c_int; pub fn ASN1_STRING_set(x: *mut ASN1_STRING, data: *const c_void, len_in: c_int) -> c_int; + pub fn ASN1_OCTET_STRING_set( + x: *mut ASN1_OCTET_STRING, + data: *const c_uchar, + len_in: c_int, + ) -> c_int; pub fn ASN1_BIT_STRING_free(x: *mut ASN1_BIT_STRING); pub fn ASN1_OCTET_STRING_free(x: *mut ASN1_OCTET_STRING); diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 8956f8d709..d75e05166e 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -28,6 +28,7 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_char, c_int, c_long, time_t}; use std::cmp::Ordering; +use std::convert::TryInto; use std::ffi::CString; use std::fmt; use std::ptr; @@ -611,6 +612,46 @@ impl Asn1BitStringRef { } } +foreign_type_and_impl_send_sync! { + type CType = ffi::ASN1_OCTET_STRING; + fn drop = ffi::ASN1_OCTET_STRING_free; + /// ASN.1 OCTET STRING type + pub struct Asn1OctetString; + /// A reference to an [`Asn1OctetString`]. + pub struct Asn1OctetStringRef; +} + +impl Asn1OctetString { + /// Creates an Asn1OctetString from bytes + pub fn new_from_bytes(value: &[u8]) -> Result { + ffi::init(); + unsafe { + let s = cvt_p(ffi::ASN1_OCTET_STRING_new())?; + ffi::ASN1_OCTET_STRING_set(s, value.as_ptr(), value.len().try_into().unwrap()); + Ok(Self::from_ptr(s)) + } + } +} + +impl Asn1OctetStringRef { + /// Returns the octet string as an array of bytes. + #[corresponds(ASN1_STRING_get0_data)] + pub fn as_slice(&self) -> &[u8] { + unsafe { slice::from_raw_parts(ASN1_STRING_get0_data(self.as_ptr().cast()), self.len()) } + } + + /// Returns the number of bytes in the octet string. + #[corresponds(ASN1_STRING_length)] + pub fn len(&self) -> usize { + unsafe { ffi::ASN1_STRING_length(self.as_ptr().cast()) as usize } + } + + /// Determines if the string is empty. + pub fn is_empty(&self) -> bool { + self.len() == 0 + } +} + foreign_type_and_impl_send_sync! { type CType = ffi::ASN1_OBJECT; fn drop = ffi::ASN1_OBJECT_free; @@ -859,4 +900,11 @@ mod tests { &[0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01], ); } + + #[test] + fn asn1_octet_string() { + let octet_string = Asn1OctetString::new_from_bytes(b"hello world").unwrap(); + assert_eq!(octet_string.as_slice(), b"hello world"); + assert_eq!(octet_string.len(), 11); + } } From 4e1bbee5f07d6edc505876566ad958edd0232bfa Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 13 Apr 2023 19:35:45 -0400 Subject: [PATCH 026/126] Introduce X509Extension::new_from_der and deprecate the bad APIs --- openssl/src/x509/extension.rs | 12 +++++++++ openssl/src/x509/mod.rs | 47 +++++++++++++++++++++++++++++++++-- openssl/src/x509/tests.rs | 18 +++++++++++++- 3 files changed, 74 insertions(+), 3 deletions(-) diff --git a/openssl/src/x509/extension.rs b/openssl/src/x509/extension.rs index f04d227960..075227dec3 100644 --- a/openssl/src/x509/extension.rs +++ b/openssl/src/x509/extension.rs @@ -67,6 +67,9 @@ impl BasicConstraints { } /// Return the `BasicConstraints` extension as an `X509Extension`. + // Temporarily silence the deprecation warning - this should be ported to + // `X509Extension::new_internal`. + #[allow(deprecated)] pub fn build(&self) -> Result { let mut value = String::new(); if self.critical { @@ -183,6 +186,9 @@ impl KeyUsage { } /// Return the `KeyUsage` extension as an `X509Extension`. + // Temporarily silence the deprecation warning - this should be ported to + // `X509Extension::new_internal`. + #[allow(deprecated)] pub fn build(&self) -> Result { let mut value = String::new(); let mut first = true; @@ -346,6 +352,9 @@ impl SubjectKeyIdentifier { } /// Return a `SubjectKeyIdentifier` extension as an `X509Extension`. + // Temporarily silence the deprecation warning - this should be ported to + // `X509Extension::new_internal`. + #[allow(deprecated)] pub fn build(&self, ctx: &X509v3Context<'_>) -> Result { let mut value = String::new(); let mut first = true; @@ -398,6 +407,9 @@ impl AuthorityKeyIdentifier { } /// Return a `AuthorityKeyIdentifier` extension as an `X509Extension`. + // Temporarily silence the deprecation warning - this should be ported to + // `X509Extension::new_internal`. + #[allow(deprecated)] pub fn build(&self, ctx: &X509v3Context<'_>) -> Result { let mut value = String::new(); let mut first = true; diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 030770587e..ea6fc13b72 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -24,8 +24,8 @@ use std::slice; use std::str; use crate::asn1::{ - Asn1BitStringRef, Asn1Enumerated, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, Asn1StringRef, - Asn1TimeRef, Asn1Type, + Asn1BitStringRef, Asn1Enumerated, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, + Asn1OctetStringRef, Asn1StringRef, Asn1TimeRef, Asn1Type, }; use crate::bio::MemBioSlice; use crate::conf::ConfRef; @@ -842,6 +842,13 @@ impl X509Extension { /// mini-language that can read arbitrary files. /// /// See the extension module for builder types which will construct certain common extensions. + /// + /// This function is deprecated, `X509Extension::new_from_der` or the + /// types in `x509::extension` should be used in its place. + #[deprecated( + note = "Use x509::extension types or new_from_der instead", + since = "0.10.51" + )] pub fn new( conf: Option<&ConfRef>, context: Option<&X509v3Context<'_>>, @@ -887,6 +894,13 @@ impl X509Extension { /// mini-language that can read arbitrary files. /// /// See the extension module for builder types which will construct certain common extensions. + /// + /// This function is deprecated, `X509Extension::new_from_der` or the + /// types in `x509::extension` should be used in its place. + #[deprecated( + note = "Use x509::extension types or new_from_der instead", + since = "0.10.51" + )] pub fn new_nid( conf: Option<&ConfRef>, context: Option<&X509v3Context<'_>>, @@ -921,6 +935,31 @@ impl X509Extension { } } + /// Constructs a new X509 extension value from its OID, whether it's + /// critical, and its DER contents. + /// + /// The extent structure of the DER value will vary based on the + /// extension type, and can generally be found in the RFC defining the + /// extension. + /// + /// For common extension types, there are Rust APIs provided in + /// `openssl::x509::extensions` which are more ergonomic. + pub fn new_from_der( + oid: &Asn1ObjectRef, + critical: bool, + der_contents: &Asn1OctetStringRef, + ) -> Result { + unsafe { + cvt_p(ffi::X509_EXTENSION_create_by_OBJ( + ptr::null_mut(), + oid.as_ptr(), + critical as _, + der_contents.as_ptr(), + )) + .map(X509Extension) + } + } + pub(crate) unsafe fn new_internal( nid: Nid, critical: bool, @@ -936,6 +975,10 @@ impl X509Extension { /// /// This method modifies global state without locking and therefore is not thread safe #[corresponds(X509V3_EXT_add_alias)] + #[deprecated( + note = "Use x509::extension types or new_from_der and then this is not necessary", + since = "0.10.51" + )] pub unsafe fn add_alias(to: Nid, from: Nid) -> Result<(), ErrorStack> { ffi::init(); cvt(ffi::X509V3_EXT_add_alias(to.as_raw(), from.as_raw())).map(|_| ()) diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 81801358b1..4e01d8d8a3 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -1,6 +1,6 @@ use std::cmp::Ordering; -use crate::asn1::Asn1Time; +use crate::asn1::{Asn1Object, Asn1OctetString, Asn1Time}; use crate::bn::{BigNum, MsbOption}; use crate::hash::MessageDigest; use crate::nid::Nid; @@ -290,6 +290,8 @@ fn x509_builder() { } #[test] +// This tests `X509Extension::new`, even though its deprecated. +#[allow(deprecated)] fn x509_extension_new() { assert!(X509Extension::new(None, None, "crlDistributionPoints", "section").is_err()); assert!(X509Extension::new(None, None, "proxyCertInfo", "").is_err()); @@ -297,6 +299,20 @@ fn x509_extension_new() { assert!(X509Extension::new(None, None, "subjectAltName", "dirName:section").is_err()); } +#[test] +fn x509_extension_new_from_der() { + let ext = X509Extension::new_from_der( + &Asn1Object::from_str("2.5.29.19").unwrap(), + true, + &Asn1OctetString::new_from_bytes(b"\x30\x03\x01\x01\xff").unwrap(), + ) + .unwrap(); + assert_eq!( + ext.to_der().unwrap(), + b"0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff" + ); +} + #[test] fn x509_extension_to_der() { let builder = X509::builder().unwrap(); From babb61c3812f85c25bb4fd105d46a2659823a8f9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Apr 2023 16:30:40 -0600 Subject: [PATCH 027/126] Release openssl v0.10.51 and openssl-sys v0.9.86 --- openssl-sys/CHANGELOG.md | 16 ++++++++++++++-- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 17 ++++++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 33 insertions(+), 6 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index b5d487759b..20e599b8ab 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,17 @@ ## [Unreleased] +## [v0.9.86] - 2023-04-20 + +### Fixed + +* Fixed BoringSSL support with the latest bindgen release. + +### Added + +* Added bindings for PKCS#7 functions and more X.509 functions. + + ## [v0.9.85] - 2023-04-09 ### Added @@ -424,8 +435,9 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85..master -[v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.85 +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86..master +[v0.9.86]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.86 +[v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.84...openssl-sys-v0.9.85 [v0.9.84]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.83...openssl-sys-v0.9.84 [v0.9.83]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.82...openssl-sys-v0.9.83 [v0.9.82]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.81...openssl-sys-v0.9.82 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index cad799a3a4..c5cced2880 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.85" +version = "0.9.86" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 3730cf5ce5..f4eca89166 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,20 @@ ## [Unreleased] +## [v0.10.51] - 2023-04-20 + +### Added + +* Added `X509RevokedRef::issuer_name` and `X509RevokedRef::reason_code`. +* Added `Dh::set_key` and `Dh::set_public_key` +* Added `Asn1OctetString` and `Asn1OctetStringRef1` +* Added `X509Extension::new_from_der` + +### Deprecated + +* Deprecated `X509Extension::new` and `X509Extension::new_nid` in favor of `X509Extension::new_from_der` and the `extensions` module. +* Deprecated `X509Extension::add_alias`, it is not required with `new_from_der` or the `extensions` module. + ## [v0.10.50] - 2023-04-09 ### Added @@ -724,7 +738,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...master +[v0.10.51]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...openssl-v0.10.51 [v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 [v0.10.49]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.48...openssl-v0.10.49 [v0.10.48]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...openssl-v0.10.48 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 699273d114..ba72250c92 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.50" +version = "0.10.51" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.85", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.86", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 0a3cca2178a08a318cacc5c4d4938daf55ac3979 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Apr 2023 18:37:40 -0600 Subject: [PATCH 028/126] Expose BigNum::to_vec_padded on libressl --- openssl-sys/src/handwritten/bn.rs | 2 +- openssl/src/bn.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/handwritten/bn.rs b/openssl-sys/src/handwritten/bn.rs index 81348f692a..5457f61710 100644 --- a/openssl-sys/src/handwritten/bn.rs +++ b/openssl-sys/src/handwritten/bn.rs @@ -23,7 +23,7 @@ extern "C" { pub fn BN_clear_free(bn: *mut BIGNUM); pub fn BN_bin2bn(s: *const u8, size: c_int, ret: *mut BIGNUM) -> *mut BIGNUM; pub fn BN_bn2bin(a: *const BIGNUM, to: *mut u8) -> c_int; - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl340))] pub fn BN_bn2binpad(a: *const BIGNUM, to: *mut u8, tolen: c_int) -> c_int; pub fn BN_sub(r: *mut BIGNUM, a: *const BIGNUM, b: *const BIGNUM) -> c_int; pub fn BN_add(r: *mut BIGNUM, a: *const BIGNUM, b: *const BIGNUM) -> c_int; diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index 0328730a23..5cfe4b375d 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -814,7 +814,7 @@ impl BigNumRef { /// assert_eq!(&bn_vec, &[0, 0, 0x45, 0x43]); /// ``` #[corresponds(BN_bn2binpad)] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl340, boringssl))] pub fn to_vec_padded(&self, pad_to: i32) -> Result, ErrorStack> { let mut v = Vec::with_capacity(pad_to as usize); unsafe { From 4438bd5092f396111dc367fbda6abd54ff6f126f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 20 Apr 2023 20:54:16 -0600 Subject: [PATCH 029/126] add support for DH check key I am sorry, no one should need this. Stop doing finite field DH. Fields weren't meant to be finite --- openssl-sys/src/handwritten/dh.rs | 1 + openssl/src/dh.rs | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/openssl-sys/src/handwritten/dh.rs b/openssl-sys/src/handwritten/dh.rs index a4de122eac..87a0817ce5 100644 --- a/openssl-sys/src/handwritten/dh.rs +++ b/openssl-sys/src/handwritten/dh.rs @@ -3,6 +3,7 @@ use super::super::*; extern "C" { pub fn DH_new() -> *mut DH; pub fn DH_free(dh: *mut DH); + pub fn DH_check(dh: *const DH, codes: *mut c_int) -> c_int; pub fn DH_generate_parameters( prime_len: c_int, diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index f7246975b3..7445e3408c 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -39,6 +39,16 @@ where params_to_der, ffi::i2d_DHparams } + + /// Validates DH parameters for correctness + #[corresponds(DH_check_key)] + pub fn check_key(&self) -> Result { + unsafe { + let mut codes = 0; + cvt(ffi::DH_check(self.as_ptr(), &mut codes))?; + Ok(codes == 0) + } + } } impl Dh { @@ -457,4 +467,14 @@ mod tests { assert_eq!(shared_a, shared_b); } + + #[test] + fn test_dh_check_key() { + let dh1 = Dh::generate_params(512, 2).unwrap(); + let p = BigNum::from_hex_str("04").unwrap(); + let g = BigNum::from_hex_str("02").unwrap(); + let dh2 = Dh::from_pqg(p, None, g).unwrap(); + assert!(dh1.check_key().unwrap()); + assert!(!dh2.check_key().unwrap()); + } } From 1c46f360af0c141ae755562bd7090e25264f3e9f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 20 Apr 2023 21:58:04 -0600 Subject: [PATCH 030/126] add poly1305 EVP_PKEY type --- openssl-sys/src/evp.rs | 2 ++ openssl-sys/src/obj_mac.rs | 2 ++ openssl/src/pkey.rs | 2 ++ 3 files changed, 6 insertions(+) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 69b49fbb0b..72ca2434fc 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -20,6 +20,8 @@ pub const EVP_PKEY_X448: c_int = NID_X448; pub const EVP_PKEY_ED448: c_int = NID_ED448; pub const EVP_PKEY_HMAC: c_int = NID_hmac; pub const EVP_PKEY_CMAC: c_int = NID_cmac; +#[cfg(ossl111)] +pub const EVP_PKEY_POLY1305: c_int = NID_poly1305; #[cfg(ossl110)] pub const EVP_PKEY_HKDF: c_int = NID_hkdf; diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 1f8e10003a..22bfccba3f 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -927,6 +927,8 @@ pub const NID_X448: c_int = 1035; #[cfg(ossl110)] pub const NID_hkdf: c_int = 1036; #[cfg(ossl111)] +pub const NID_poly1305: c_int = 1061; +#[cfg(ossl111)] pub const NID_ED25519: c_int = 1087; #[cfg(libressl370)] pub const NID_ED25519: c_int = 952; diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index c03b181c80..cec1c482e1 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -97,6 +97,8 @@ impl Id { pub const X25519: Id = Id(ffi::EVP_PKEY_X25519); #[cfg(ossl111)] pub const X448: Id = Id(ffi::EVP_PKEY_X448); + #[cfg(ossl111)] + pub const POLY1305: Id = Id(ffi::EVP_PKEY_POLY1305); /// Creates a `Id` from an integer representation. pub fn from_raw(value: c_int) -> Id { From e073b4d2b06596acfa6cf380c030ca7843a78fda Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Tue, 18 Apr 2023 23:36:09 +0800 Subject: [PATCH 031/126] add more x509 extension helper functions --- openssl-sys/src/handwritten/x509v3.rs | 8 ++++++ openssl/src/x509/mod.rs | 40 +++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 4a15f3df5f..fb517df904 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -102,6 +102,14 @@ extern "C" { pub fn X509_get_key_usage(x: *mut X509) -> u32; #[cfg(ossl110)] pub fn X509_get_extended_key_usage(x: *mut X509) -> u32; + #[cfg(ossl110)] + pub fn X509_get0_subject_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; + #[cfg(ossl110)] + pub fn X509_get0_authority_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; + #[cfg(ossl110)] + pub fn X509_get0_authority_issuer(x: *mut X509) -> *const stack_st_GENERAL_NAME; + #[cfg(ossl110)] + pub fn X509_get0_authority_serial(x: *mut X509) -> *const ASN1_INTEGER; } #[repr(C)] diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index ea6fc13b72..796ee2f09f 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -483,6 +483,46 @@ impl X509Ref { } } + /// Returns this certificate's subject key id, if it exists. + #[corresponds(X509_get0_subject_key_id)] + #[cfg(ossl110)] + pub fn subject_key_id(&self) -> Option<&Asn1StringRef> { + unsafe { + let data = ffi::X509_get0_subject_key_id(self.as_ptr()); + Asn1StringRef::from_const_ptr_opt(data as *const _) + } + } + + /// Returns this certificate's authority key id, if it exists. + #[corresponds(X509_get0_authority_key_id)] + #[cfg(ossl110)] + pub fn authority_key_id(&self) -> Option<&Asn1StringRef> { + unsafe { + let data = ffi::X509_get0_authority_key_id(self.as_ptr()); + Asn1StringRef::from_const_ptr_opt(data as *const _) + } + } + + /// Returns this certificate's authority issuer name entries, if they exist. + #[corresponds(X509_get0_authority_issuer)] + #[cfg(ossl110)] + pub fn authority_issuer(&self) -> Option> { + unsafe { + let stack = ffi::X509_get0_authority_issuer(self.as_ptr()); + Stack::from_ptr_opt(stack as *mut _) + } + } + + /// Returns this certificate's authority serial number, if it exists. + #[corresponds(X509_get0_authority_serial)] + #[cfg(ossl110)] + pub fn authority_serial(&self) -> Option<&Asn1IntegerRef> { + unsafe { + let r = ffi::X509_get0_authority_serial(self.as_ptr()); + Asn1IntegerRef::from_const_ptr_opt(r) + } + } + #[corresponds(X509_get_pubkey)] pub fn public_key(&self) -> Result, ErrorStack> { unsafe { From e8108cb202dc38b0f272c7df1fee79d0723bc6d8 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Tue, 18 Apr 2023 23:46:11 +0800 Subject: [PATCH 032/126] update cfg flag --- openssl-sys/src/handwritten/x509v3.rs | 14 +++++++------- openssl/src/x509/mod.rs | 8 ++++---- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index fb517df904..08f1648435 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -96,19 +96,19 @@ extern "C" { indent: c_int, ) -> c_int; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get_extension_flags(x: *mut X509) -> u32; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get_key_usage(x: *mut X509) -> u32; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get_extended_key_usage(x: *mut X509) -> u32; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get0_subject_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get0_authority_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get0_authority_issuer(x: *mut X509) -> *const stack_st_GENERAL_NAME; - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn X509_get0_authority_serial(x: *mut X509) -> *const ASN1_INTEGER; } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 796ee2f09f..d0ca9d3c63 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -485,7 +485,7 @@ impl X509Ref { /// Returns this certificate's subject key id, if it exists. #[corresponds(X509_get0_subject_key_id)] - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn subject_key_id(&self) -> Option<&Asn1StringRef> { unsafe { let data = ffi::X509_get0_subject_key_id(self.as_ptr()); @@ -495,7 +495,7 @@ impl X509Ref { /// Returns this certificate's authority key id, if it exists. #[corresponds(X509_get0_authority_key_id)] - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn authority_key_id(&self) -> Option<&Asn1StringRef> { unsafe { let data = ffi::X509_get0_authority_key_id(self.as_ptr()); @@ -505,7 +505,7 @@ impl X509Ref { /// Returns this certificate's authority issuer name entries, if they exist. #[corresponds(X509_get0_authority_issuer)] - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn authority_issuer(&self) -> Option> { unsafe { let stack = ffi::X509_get0_authority_issuer(self.as_ptr()); @@ -515,7 +515,7 @@ impl X509Ref { /// Returns this certificate's authority serial number, if it exists. #[corresponds(X509_get0_authority_serial)] - #[cfg(ossl110)] + #[cfg(ossl111)] pub fn authority_serial(&self) -> Option<&Asn1IntegerRef> { unsafe { let r = ffi::X509_get0_authority_serial(self.as_ptr()); From eefdcd0435626e3689a18d394769b35798c0bf63 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Fri, 21 Apr 2023 22:18:55 +0800 Subject: [PATCH 033/126] update cfg condition and use new Asn1OctetString --- openssl-sys/src/handwritten/x509v3.rs | 10 +++++----- openssl/src/x509/mod.rs | 12 ++++++------ 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 08f1648435..09a92640b6 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -96,15 +96,15 @@ extern "C" { indent: c_int, ) -> c_int; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get_extension_flags(x: *mut X509) -> u32; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get_key_usage(x: *mut X509) -> u32; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get_extended_key_usage(x: *mut X509) -> u32; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get0_subject_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; - #[cfg(ossl111)] + #[cfg(ossl110)] pub fn X509_get0_authority_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; #[cfg(ossl111)] pub fn X509_get0_authority_issuer(x: *mut X509) -> *const stack_st_GENERAL_NAME; diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index d0ca9d3c63..2946ee1e63 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -485,21 +485,21 @@ impl X509Ref { /// Returns this certificate's subject key id, if it exists. #[corresponds(X509_get0_subject_key_id)] - #[cfg(ossl111)] - pub fn subject_key_id(&self) -> Option<&Asn1StringRef> { + #[cfg(ossl110)] + pub fn subject_key_id(&self) -> Option<&Asn1OctetStringRef> { unsafe { let data = ffi::X509_get0_subject_key_id(self.as_ptr()); - Asn1StringRef::from_const_ptr_opt(data as *const _) + Asn1OctetStringRef::from_const_ptr_opt(data) } } /// Returns this certificate's authority key id, if it exists. #[corresponds(X509_get0_authority_key_id)] - #[cfg(ossl111)] - pub fn authority_key_id(&self) -> Option<&Asn1StringRef> { + #[cfg(ossl110)] + pub fn authority_key_id(&self) -> Option<&Asn1OctetStringRef> { unsafe { let data = ffi::X509_get0_authority_key_id(self.as_ptr()); - Asn1StringRef::from_const_ptr_opt(data as *const _) + Asn1OctetStringRef::from_const_ptr_opt(data) } } From ec747f417ed9c18f43498c175ac656edb635b915 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 22 Apr 2023 09:07:52 -0600 Subject: [PATCH 034/126] Don't restrict the Signer lifetime Creating a new EVP_PKEY_CTX uprefs the EVP_PKEY --- openssl/src/sign.rs | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 406bb42e8f..a32f5c9144 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -117,10 +117,10 @@ pub struct Signer<'a> { _p: PhantomData<&'a ()>, } -unsafe impl<'a> Sync for Signer<'a> {} -unsafe impl<'a> Send for Signer<'a> {} +unsafe impl Sync for Signer<'_> {} +unsafe impl Send for Signer<'_> {} -impl<'a> Drop for Signer<'a> { +impl Drop for Signer<'_> { fn drop(&mut self) { // pkey_ctx is owned by the md_ctx, so no need to explicitly free it. unsafe { @@ -130,7 +130,7 @@ impl<'a> Drop for Signer<'a> { } #[allow(clippy::len_without_is_empty)] -impl<'a> Signer<'a> { +impl Signer<'_> { /// Creates a new `Signer`. /// /// This cannot be used with Ed25519 or Ed448 keys. Please refer to @@ -139,7 +139,7 @@ impl<'a> Signer<'a> { /// OpenSSL documentation at [`EVP_DigestSignInit`]. /// /// [`EVP_DigestSignInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html - pub fn new(type_: MessageDigest, pkey: &'a PKeyRef) -> Result, ErrorStack> + pub fn new<'a, T>(type_: MessageDigest, pkey: &PKeyRef) -> Result, ErrorStack> where T: HasPrivate, { @@ -154,16 +154,16 @@ impl<'a> Signer<'a> { /// OpenSSL documentation at [`EVP_DigestSignInit`]. /// /// [`EVP_DigestSignInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html - pub fn new_without_digest(pkey: &'a PKeyRef) -> Result, ErrorStack> + pub fn new_without_digest<'a, T>(pkey: &PKeyRef) -> Result, ErrorStack> where T: HasPrivate, { Self::new_intern(None, pkey) } - fn new_intern( + fn new_intern<'a, T>( type_: Option, - pkey: &'a PKeyRef, + pkey: &PKeyRef, ) -> Result, ErrorStack> where T: HasPrivate, From 3f2e02bbff532f2c6aa28950cfe8dd1108144f5e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 22 Apr 2023 13:42:21 -0600 Subject: [PATCH 035/126] add low level cmac bindings these are deprecated in ossl3, but the only common interface across openssl, libressl, and boring --- openssl-sys/src/handwritten/cmac.rs | 18 ++++++++++++++++++ openssl-sys/src/handwritten/mod.rs | 2 ++ openssl-sys/src/handwritten/types.rs | 2 ++ systest/build.rs | 1 + 4 files changed, 23 insertions(+) create mode 100644 openssl-sys/src/handwritten/cmac.rs diff --git a/openssl-sys/src/handwritten/cmac.rs b/openssl-sys/src/handwritten/cmac.rs new file mode 100644 index 0000000000..e44094d21a --- /dev/null +++ b/openssl-sys/src/handwritten/cmac.rs @@ -0,0 +1,18 @@ +use libc::*; + +use super::super::*; + +extern "C" { + pub fn CMAC_CTX_new() -> *mut CMAC_CTX; + pub fn CMAC_CTX_free(ctx: *mut CMAC_CTX); + pub fn CMAC_Init( + ctx: *mut CMAC_CTX, + key: *const c_void, + len: size_t, + cipher: *const EVP_CIPHER, + impl_: *mut ENGINE, + ) -> c_int; + pub fn CMAC_Update(ctx: *mut CMAC_CTX, data: *const c_void, len: size_t) -> c_int; + pub fn CMAC_Final(ctx: *mut CMAC_CTX, out: *mut c_uchar, len: *mut size_t) -> c_int; + pub fn CMAC_CTX_copy(dst: *mut CMAC_CTX, src: *const CMAC_CTX) -> c_int; +} diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index 28aa4aecd0..9c0f844501 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -2,6 +2,7 @@ pub use self::aes::*; pub use self::asn1::*; pub use self::bio::*; pub use self::bn::*; +pub use self::cmac::*; pub use self::cms::*; pub use self::conf::*; pub use self::crypto::*; @@ -35,6 +36,7 @@ mod aes; mod asn1; mod bio; mod bn; +mod cmac; mod cms; mod conf; mod crypto; diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index 84724f35ef..06354728f2 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -125,6 +125,8 @@ pub enum EVP_PKEY_ASN1_METHOD {} pub enum EVP_PKEY_CTX {} +pub enum CMAC_CTX {} + cfg_if! { if #[cfg(any(ossl110, libressl280))] { pub enum HMAC_CTX {} diff --git a/systest/build.rs b/systest/build.rs index 2efcdfe1bf..6d3ac3a3d3 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -56,6 +56,7 @@ fn main() { .header("openssl/bio.h") .header("openssl/x509v3.h") .header("openssl/safestack.h") + .header("openssl/cmac.h") .header("openssl/hmac.h") .header("openssl/obj_mac.h") .header("openssl/ssl.h") From 0dc14f7ffa279e0b6a29ef35d6ce832da3ca53d1 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 22 Apr 2023 13:53:22 -0600 Subject: [PATCH 036/126] add cmac to bindgen too --- openssl-sys/build/run_bindgen.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 3361786357..4fa9ec66f2 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -12,6 +12,7 @@ const INCLUDES: &str = " #include #include #include +#include #include #include #include From 0257e2611d01127607b724a043642b01adf41706 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 22 Apr 2023 14:45:19 -0600 Subject: [PATCH 037/126] Expose pbkdf2_hmac and scrypt on BoringSSL --- openssl/src/lib.rs | 1 - openssl/src/pkcs5.rs | 26 +++++++++++++++----------- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 7829b79cba..c2c390cc1b 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -165,7 +165,6 @@ pub mod nid; #[cfg(not(any(boringssl, osslconf = "OPENSSL_NO_OCSP")))] pub mod ocsp; pub mod pkcs12; -#[cfg(not(boringssl))] pub mod pkcs5; #[cfg(not(boringssl))] pub mod pkcs7; diff --git a/openssl/src/pkcs5.rs b/openssl/src/pkcs5.rs index c15ce47761..cd704e8256 100644 --- a/openssl/src/pkcs5.rs +++ b/openssl/src/pkcs5.rs @@ -1,9 +1,13 @@ +#[cfg(not(boringssl))] use libc::c_int; +use std::convert::TryInto; +#[cfg(not(boringssl))] use std::ptr; use crate::cvt; use crate::error::ErrorStack; use crate::hash::MessageDigest; +#[cfg(not(boringssl))] use crate::symm::Cipher; use openssl_macros::corresponds; @@ -25,6 +29,7 @@ pub struct KeyIvPair { /// `pbkdf2_hmac` or another more modern key derivation algorithm. #[corresponds(EVP_BytesToKey)] #[allow(clippy::useless_conversion)] +#[cfg(not(boringssl))] pub fn bytes_to_key( cipher: Cipher, digest: MessageDigest, @@ -91,19 +96,15 @@ pub fn pbkdf2_hmac( key: &mut [u8], ) -> Result<(), ErrorStack> { unsafe { - assert!(pass.len() <= c_int::max_value() as usize); - assert!(salt.len() <= c_int::max_value() as usize); - assert!(key.len() <= c_int::max_value() as usize); - ffi::init(); cvt(ffi::PKCS5_PBKDF2_HMAC( pass.as_ptr() as *const _, - pass.len() as c_int, + pass.len().try_into().unwrap(), salt.as_ptr(), - salt.len() as c_int, - iter as c_int, + salt.len().try_into().unwrap(), + iter.try_into().unwrap(), hash.as_ptr(), - key.len() as c_int, + key.len().try_into().unwrap(), key.as_mut_ptr(), )) .map(|_| ()) @@ -114,7 +115,8 @@ pub fn pbkdf2_hmac( /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PBE_scrypt)] -#[cfg(any(ossl110))] +#[cfg(any(ossl110, boringssl))] +#[allow(clippy::useless_conversion)] pub fn scrypt( pass: &[u8], salt: &[u8], @@ -134,7 +136,7 @@ pub fn scrypt( n, r, p, - maxmem, + maxmem.try_into().unwrap(), key.as_mut_ptr() as *mut _, key.len(), )) @@ -145,6 +147,7 @@ pub fn scrypt( #[cfg(test)] mod tests { use crate::hash::MessageDigest; + #[cfg(not(boringssl))] use crate::symm::Cipher; // Test vectors from @@ -246,6 +249,7 @@ mod tests { } #[test] + #[cfg(not(boringssl))] fn bytes_to_key() { let salt = [16_u8, 34_u8, 19_u8, 23_u8, 141_u8, 4_u8, 207_u8, 221_u8]; @@ -282,7 +286,7 @@ mod tests { } #[test] - #[cfg(any(ossl110))] + #[cfg(any(ossl110, boringssl))] fn scrypt() { let pass = "pleaseletmein"; let salt = "SodiumChloride"; From 8f23c2f6fa527657fa4d98cd6ac808d301d1aae7 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 22 Apr 2023 16:13:48 -0600 Subject: [PATCH 038/126] binding to get fips status for ossl300 --- openssl-sys/src/handwritten/evp.rs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 1a05b7eae3..050d2c88bb 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -65,6 +65,14 @@ cfg_if! { } } +cfg_if! { + if #[cfg(ossl300)] { + extern "C" { + pub fn EVP_default_properties_is_fips_enabled(libctx: *mut OSSL_LIB_CTX) -> c_int; + } + } +} + extern "C" { pub fn EVP_DigestInit_ex(ctx: *mut EVP_MD_CTX, typ: *const EVP_MD, imple: *mut ENGINE) -> c_int; From bdba0d3f39b46dadceeca6b08aef142039ddb949 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Sun, 23 Apr 2023 19:25:27 +0800 Subject: [PATCH 039/126] addi ski and aki tests --- openssl/src/x509/mod.rs | 4 ++-- openssl/src/x509/tests.rs | 26 ++++++++++++++++++++++++++ openssl/test/github.pem | 31 +++++++++++++++++++++++++++++++ 3 files changed, 59 insertions(+), 2 deletions(-) create mode 100644 openssl/test/github.pem diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 2946ee1e63..2753d09124 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -506,10 +506,10 @@ impl X509Ref { /// Returns this certificate's authority issuer name entries, if they exist. #[corresponds(X509_get0_authority_issuer)] #[cfg(ossl111)] - pub fn authority_issuer(&self) -> Option> { + pub fn authority_issuer(&self) -> Option<&StackRef> { unsafe { let stack = ffi::X509_get0_authority_issuer(self.as_ptr()); - Stack::from_ptr_opt(stack as *mut _) + StackRef::from_const_ptr_opt(stack) } } diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 4e01d8d8a3..d33f0c0821 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -168,6 +168,32 @@ fn test_subject_alt_name() { assert_eq!(Some("http://www.example.com"), subject_alt_names[4].uri()); } +#[test] +#[cfg(ossl110)] +fn test_subject_key_id() { + let cert = include_bytes!("../../test/github.pem"); + let cert = X509::from_pem(cert).unwrap(); + + let subject_key_id = cert.subject_key_id().unwrap(); + assert_eq!( + subject_key_id.as_slice(), + &b"\xC7\x07\x27\x78\x85\xF2\x9D\x33\xC9\x4C\x5E\x56\x7D\x5C\xD6\x8E\x72\x67\xEB\xDE"[..] + ); +} + +#[test] +#[cfg(ossl110)] +fn test_authority_key_id() { + let cert = include_bytes!("../../test/github.pem"); + let cert = X509::from_pem(cert).unwrap(); + + let subject_key_id = cert.authority_key_id().unwrap(); + assert_eq!( + subject_key_id.as_slice(), + &b"\x0A\xBC\x08\x29\x17\x8C\xA5\x39\x6D\x7A\x0E\xCE\x33\xC7\x2E\xB3\xED\xFB\xC3\x7A"[..] + ); +} + #[test] fn test_subject_alt_name_iter() { let cert = include_bytes!("../../test/alt_name_cert.pem"); diff --git a/openssl/test/github.pem b/openssl/test/github.pem new file mode 100644 index 0000000000..34bcb44322 --- /dev/null +++ b/openssl/test/github.pem @@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFajCCBPGgAwIBAgIQDNCovsYyz+ZF7KCpsIT7HDAKBggqhkjOPQQDAzBWMQsw +CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp +Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjMwMjE0MDAw +MDAwWhcNMjQwMzE0MjM1OTU5WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs +aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEChMMR2l0SHVi +LCBJbmMuMRMwEQYDVQQDEwpnaXRodWIuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0D +AQcDQgAEo6QDRgPfRlFWy8k5qyLN52xZlnqToPu5QByQMog2xgl2nFD1Vfd2Xmgg +nO4i7YMMFTAQQUReMqyQodWq8uVDs6OCA48wggOLMB8GA1UdIwQYMBaAFAq8CCkX +jKU5bXoOzjPHLrPt+8N6MB0GA1UdDgQWBBTHByd4hfKdM8lMXlZ9XNaOcmfr3jAl +BgNVHREEHjAcggpnaXRodWIuY29tgg53d3cuZ2l0aHViLmNvbTAOBgNVHQ8BAf8E +BAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMIGbBgNVHR8EgZMw +gZAwRqBEoEKGQGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5 +YnJpZEVDQ1NIQTM4NDIwMjBDQTEtMS5jcmwwRqBEoEKGQGh0dHA6Ly9jcmw0LmRp +Z2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NIQTM4NDIwMjBDQTEtMS5j +cmwwPgYDVR0gBDcwNTAzBgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3 +dy5kaWdpY2VydC5jb20vQ1BTMIGFBggrBgEFBQcBAQR5MHcwJAYIKwYBBQUHMAGG +GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBPBggrBgEFBQcwAoZDaHR0cDovL2Nh +Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VExTSHlicmlkRUNDU0hBMzg0MjAy +MENBMS0xLmNydDAJBgNVHRMEAjAAMIIBgAYKKwYBBAHWeQIEAgSCAXAEggFsAWoA +dwDuzdBk1dsazsVct520zROiModGfLzs3sNRSFlGcR+1mwAAAYZQ3Rv6AAAEAwBI +MEYCIQDkFq7T4iy6gp+pefJLxpRS7U3gh8xQymmxtI8FdzqU6wIhALWfw/nLD63Q +YPIwG3EFchINvWUfB6mcU0t2lRIEpr8uAHYASLDja9qmRzQP5WoC+p0w6xxSActW +3SyB2bu/qznYhHMAAAGGUN0cKwAABAMARzBFAiAePGAyfiBR9dbhr31N9ZfESC5G +V2uGBTcyTyUENrH3twIhAPwJfsB8A4MmNr2nW+sdE1n2YiCObW+3DTHr2/UR7lvU +AHcAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1yb+H61BcAAAGGUN0cOgAABAMA +SDBGAiEAzOBr9OZ0+6OSZyFTiywN64PysN0FLeLRyL5jmEsYrDYCIQDu0jtgWiMI +KU6CM0dKcqUWLkaFE23c2iWAhYAHqrFRRzAKBggqhkjOPQQDAwNnADBkAjAE3A3U +3jSZCpwfqOHBdlxi9ASgKTU+wg0qw3FqtfQ31OwLYFdxh0MlNk/HwkjRSWgCMFbQ +vMkXEPvNvv4t30K6xtpG26qmZ+6OiISBIIXMljWnsiYR1gyZnTzIg3AQSw4Vmw== +-----END CERTIFICATE----- From 57bd34d614db206703ee2435a3d62cf3a7eb6481 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Sun, 23 Apr 2023 22:39:19 +0800 Subject: [PATCH 040/126] add more tests --- openssl/src/x509/tests.rs | 33 ++++++++++++++++++----- openssl/test/authority_key_identifier.pem | 19 +++++++++++++ openssl/test/github.pem | 31 --------------------- 3 files changed, 46 insertions(+), 37 deletions(-) create mode 100644 openssl/test/authority_key_identifier.pem delete mode 100644 openssl/test/github.pem diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index d33f0c0821..748d70dbba 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -171,29 +171,50 @@ fn test_subject_alt_name() { #[test] #[cfg(ossl110)] fn test_subject_key_id() { - let cert = include_bytes!("../../test/github.pem"); + let cert = include_bytes!("../../test/certv3.pem"); let cert = X509::from_pem(cert).unwrap(); let subject_key_id = cert.subject_key_id().unwrap(); assert_eq!( subject_key_id.as_slice(), - &b"\xC7\x07\x27\x78\x85\xF2\x9D\x33\xC9\x4C\x5E\x56\x7D\x5C\xD6\x8E\x72\x67\xEB\xDE"[..] + &b"\xB6\x73\x2F\x61\xA5\x4B\xA1\xEF\x48\x2C\x15\xB1\x9F\xF3\xDC\x34\x2F\xBC\xAC\x30"[..] ); } #[test] #[cfg(ossl110)] fn test_authority_key_id() { - let cert = include_bytes!("../../test/github.pem"); + let cert = include_bytes!("../../test/certv3.pem"); let cert = X509::from_pem(cert).unwrap(); - let subject_key_id = cert.authority_key_id().unwrap(); + let authority_key_id = cert.authority_key_id().unwrap(); assert_eq!( - subject_key_id.as_slice(), - &b"\x0A\xBC\x08\x29\x17\x8C\xA5\x39\x6D\x7A\x0E\xCE\x33\xC7\x2E\xB3\xED\xFB\xC3\x7A"[..] + authority_key_id.as_slice(), + &b"\x6C\xD3\xA5\x03\xAB\x0D\x5F\x2C\xC9\x8D\x8A\x9C\x88\xA7\x88\x77\xB8\x37\xFD\x9A"[..] ); } +#[test] +fn test_authority_issuer_and_serial() { + let cert = include_bytes!("../../test/authority_key_identifier.pem"); + let cert = X509::from_pem(cert).unwrap(); + + let authority_issuer = cert.authority_issuer().unwrap(); + assert_eq!(1, authority_issuer.len()); + let dn = authority_issuer[0].directory_name().unwrap(); + let mut o = dn.entries_by_nid(Nid::ORGANIZATIONNAME); + let o = o.next().unwrap().data().as_utf8().unwrap(); + assert_eq!(o.as_bytes(), b"PyCA"); + let mut cn = dn.entries_by_nid(Nid::COMMONNAME); + let cn = cn.next().unwrap().data().as_utf8().unwrap(); + assert_eq!(cn.as_bytes(), b"cryptography.io"); + + let authority_serial = cert.authority_serial().unwrap(); + let serial = authority_serial.to_bn().unwrap(); + let expected = BigNum::from_u32(3).unwrap(); + assert_eq!(serial, expected); +} + #[test] fn test_subject_alt_name_iter() { let cert = include_bytes!("../../test/alt_name_cert.pem"); diff --git a/openssl/test/authority_key_identifier.pem b/openssl/test/authority_key_identifier.pem new file mode 100644 index 0000000000..cbe9169fc9 --- /dev/null +++ b/openssl/test/authority_key_identifier.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDIjCCAgqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADApMQ0wCwYDVQQKDARQeUNB +MRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wHhcNMTUwNTAzMDk0OTU2WhcNMTYw +NTAyMDk0OTU2WjApMQ0wCwYDVQQKDARQeUNBMRgwFgYDVQQDDA9jcnlwdG9ncmFw +aHkuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCadi1UZioxdnP +ajqlRZHeKsSxvXXhgrWvlt91P3gV0dBThRFhJsLOhjNLz6PO6KeRbjz9GhTA2hdk +xtIpXrjvTv9dEJ1/k0xebsHWgFC43aTlgekw0U4cMwMe5NGeeg1tfzbJwldIN+cK +vabc08ADlkmM6DMnUArkzA2yii0DErRFMSIGrkDr6E9puord3h6Mh8Jfnc3TDAq8 +Qo1DI2XM7oFSWNfecQ9KbIC5wzzT+7Shoyz7QmCk/XhRzt8Xcfc3yAXIwazvLf8b +YP1auaSG11a5E+w6onj91h8UHKKOXu+rdq5YYPZ+qUYpxA7ZJ/VAGadMulYbXaO8 +Syi39HTpAgMBAAGjVTBTMFEGA1UdIwRKMEiAFDlFPso9Yh3qhkn2WqtAt6RwmPHs +oS2kKzApMQ0wCwYDVQQKDARQeUNBMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW+C +AQMwDQYJKoZIhvcNAQEFBQADggEBAFbZYy6aZJUK/f7nJx2Rs/ht6hMbM32/RoXZ +JGbYapNVqVu/vymcfc/se3FHS5OVmPsnRlo/FIKDn/r5DGl73Sn/FvDJiLJZFucT +msyYuHZ+ZRYWzWmN2fcB3cfxj0s3qps6f5OoCOqoINOSe4HRGlw4X9keZSD+3xAt +vHNwQdlPC7zWbPdrzLT+FqR0e/O81vFJJS6drHJWqPcR3NQVtZw+UF7A/HKwbfeL +Nu2zj6165hzOi9HUxa2/mPr/eLUUV1sTzXp2+TFjt3rVCjW1XnpMLdwNBHzjpyAB +dTOX3iw0+BPy3s2jtnCW1PLpc74kvSTaBwhg74sq39EXfIKax00= +-----END CERTIFICATE----- diff --git a/openssl/test/github.pem b/openssl/test/github.pem deleted file mode 100644 index 34bcb44322..0000000000 --- a/openssl/test/github.pem +++ /dev/null @@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFajCCBPGgAwIBAgIQDNCovsYyz+ZF7KCpsIT7HDAKBggqhkjOPQQDAzBWMQsw -CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp -Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjMwMjE0MDAw -MDAwWhcNMjQwMzE0MjM1OTU5WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs -aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEChMMR2l0SHVi -LCBJbmMuMRMwEQYDVQQDEwpnaXRodWIuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0D -AQcDQgAEo6QDRgPfRlFWy8k5qyLN52xZlnqToPu5QByQMog2xgl2nFD1Vfd2Xmgg -nO4i7YMMFTAQQUReMqyQodWq8uVDs6OCA48wggOLMB8GA1UdIwQYMBaAFAq8CCkX -jKU5bXoOzjPHLrPt+8N6MB0GA1UdDgQWBBTHByd4hfKdM8lMXlZ9XNaOcmfr3jAl -BgNVHREEHjAcggpnaXRodWIuY29tgg53d3cuZ2l0aHViLmNvbTAOBgNVHQ8BAf8E -BAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMIGbBgNVHR8EgZMw -gZAwRqBEoEKGQGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5 -YnJpZEVDQ1NIQTM4NDIwMjBDQTEtMS5jcmwwRqBEoEKGQGh0dHA6Ly9jcmw0LmRp -Z2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NIQTM4NDIwMjBDQTEtMS5j -cmwwPgYDVR0gBDcwNTAzBgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3 -dy5kaWdpY2VydC5jb20vQ1BTMIGFBggrBgEFBQcBAQR5MHcwJAYIKwYBBQUHMAGG -GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBPBggrBgEFBQcwAoZDaHR0cDovL2Nh -Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VExTSHlicmlkRUNDU0hBMzg0MjAy -MENBMS0xLmNydDAJBgNVHRMEAjAAMIIBgAYKKwYBBAHWeQIEAgSCAXAEggFsAWoA -dwDuzdBk1dsazsVct520zROiModGfLzs3sNRSFlGcR+1mwAAAYZQ3Rv6AAAEAwBI -MEYCIQDkFq7T4iy6gp+pefJLxpRS7U3gh8xQymmxtI8FdzqU6wIhALWfw/nLD63Q -YPIwG3EFchINvWUfB6mcU0t2lRIEpr8uAHYASLDja9qmRzQP5WoC+p0w6xxSActW -3SyB2bu/qznYhHMAAAGGUN0cKwAABAMARzBFAiAePGAyfiBR9dbhr31N9ZfESC5G -V2uGBTcyTyUENrH3twIhAPwJfsB8A4MmNr2nW+sdE1n2YiCObW+3DTHr2/UR7lvU -AHcAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1yb+H61BcAAAGGUN0cOgAABAMA -SDBGAiEAzOBr9OZ0+6OSZyFTiywN64PysN0FLeLRyL5jmEsYrDYCIQDu0jtgWiMI -KU6CM0dKcqUWLkaFE23c2iWAhYAHqrFRRzAKBggqhkjOPQQDAwNnADBkAjAE3A3U -3jSZCpwfqOHBdlxi9ASgKTU+wg0qw3FqtfQ31OwLYFdxh0MlNk/HwkjRSWgCMFbQ -vMkXEPvNvv4t30K6xtpG26qmZ+6OiISBIIXMljWnsiYR1gyZnTzIg3AQSw4Vmw== ------END CERTIFICATE----- From c9db15a8ef94f1404b931107f4637cab77f071d6 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Sun, 23 Apr 2023 22:41:58 +0800 Subject: [PATCH 041/126] add missing feature flag --- openssl/src/x509/tests.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 748d70dbba..d4dbf316d2 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -195,6 +195,7 @@ fn test_authority_key_id() { } #[test] +#[cfg(ossl111)] fn test_authority_issuer_and_serial() { let cert = include_bytes!("../../test/authority_key_identifier.pem"); let cert = X509::from_pem(cert).unwrap(); From 5ddf89fcd828890c38c36deff9a6bd58df9ce857 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 24 Apr 2023 15:56:02 -0600 Subject: [PATCH 042/126] changelog and version bumps for openssl and openssl-sys --- openssl-sys/CHANGELOG.md | 14 +++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 12 +++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 27 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 20e599b8ab..324ff1a82a 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,17 @@ ## [Unreleased] +## [v0.9.87] - 2023-04-24 + +### Added + +* Added `DH_CHECK`. +* Added `CMAC_CTX_new`, `CMAC_CTX_free`, `CMAC_Init`, `CMAC_Update`, `CMAC_Final`, and `CMAC_CTX_copy`. +* Added `EVP_default_properties_is_fips_enabled`. +* Added `X509_get0_subject_key_id`, `X509_get0_authority_key_id`, `X509_get0_authority_issuer`, and `X509_get0_authority_serial`. +* Added `NID_poly1305`. + + ## [v0.9.86] - 2023-04-20 ### Fixed @@ -435,7 +446,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87..master +[v0.9.87]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86...openssl-sys-v0.9.87 [v0.9.86]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.86 [v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.84...openssl-sys-v0.9.85 [v0.9.84]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.83...openssl-sys-v0.9.84 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index c5cced2880..811318bbaf 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.86" +version = "0.9.87" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index f4eca89166..c62da00a1b 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,15 @@ ## [Unreleased] +## [v0.10.52] - 2023-04-24 + +### Added + +* Added `DhRef::check_key`. +* Added `Id::POLY1305`. +* Added `X509Ref::subject_key_id`, `X509Ref::authority_key_id`, `X509Ref::authority_issuer`, and `X509Ref::authority_serial`. + + ## [v0.10.51] - 2023-04-20 ### Added @@ -738,7 +747,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...master +[v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...openssl-v0.10.52 [v0.10.51]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...openssl-v0.10.51 [v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 [v0.10.49]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.48...openssl-v0.10.49 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index ba72250c92..addf5cb060 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.51" +version = "0.10.52" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.86", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.87", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From e483e782c2b0204787501281a35aadc352f7a2ad Mon Sep 17 00:00:00 2001 From: Andrew Walbran Date: Wed, 26 Apr 2023 15:43:13 +0100 Subject: [PATCH 043/126] Update to bitflags 2.2.1. This is a new major version so some code changes are required. --- openssl/Cargo.toml | 2 +- openssl/src/cms.rs | 2 ++ openssl/src/ocsp.rs | 2 ++ openssl/src/pkcs7.rs | 14 ++++++++------ openssl/src/ssl/mod.rs | 36 ++++++++++++++++++++++++++---------- openssl/src/x509/verify.rs | 18 ++++++++++++++---- 6 files changed, 53 insertions(+), 21 deletions(-) diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index addf5cb060..67ad335675 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -23,7 +23,7 @@ unstable_boringssl = ["ffi/unstable_boringssl"] default = [] [dependencies] -bitflags = "1.0" +bitflags = "2.2.1" cfg-if = "1.0" foreign-types = "0.3.1" libc = "0.2" diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs index 6b6aa9fd8c..d11443b5ce 100644 --- a/openssl/src/cms.rs +++ b/openssl/src/cms.rs @@ -20,6 +20,8 @@ use crate::{cvt, cvt_p}; use openssl_macros::corresponds; bitflags! { + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct CMSOptions : c_uint { const TEXT = ffi::CMS_TEXT; const CMS_NOCERTS = ffi::CMS_NOCERTS; diff --git a/openssl/src/ocsp.rs b/openssl/src/ocsp.rs index 7506d34fb3..93a5d36b7e 100644 --- a/openssl/src/ocsp.rs +++ b/openssl/src/ocsp.rs @@ -15,6 +15,8 @@ use crate::{cvt, cvt_p}; use openssl_macros::corresponds; bitflags! { + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct OcspFlag: c_ulong { const NO_CERTS = ffi::OCSP_NOCERTS; const NO_INTERN = ffi::OCSP_NOINTERN; diff --git a/openssl/src/pkcs7.rs b/openssl/src/pkcs7.rs index ae4571db85..a272c598b8 100644 --- a/openssl/src/pkcs7.rs +++ b/openssl/src/pkcs7.rs @@ -28,6 +28,8 @@ foreign_type_and_impl_send_sync! { } bitflags! { + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct Pkcs7Flags: c_int { const TEXT = ffi::PKCS7_TEXT; const NOCERTS = ffi::PKCS7_NOCERTS; @@ -111,7 +113,7 @@ impl Pkcs7 { certs.as_ptr(), input_bio.as_ptr(), cipher.as_ptr(), - flags.bits, + flags.bits(), )) .map(Pkcs7) } @@ -141,7 +143,7 @@ impl Pkcs7 { pkey.as_ptr(), certs.as_ptr(), input_bio.as_ptr(), - flags.bits, + flags.bits(), )) .map(Pkcs7) } @@ -159,7 +161,7 @@ impl Pkcs7Ref { output.as_ptr(), self.as_ptr(), input_bio.as_ptr(), - flags.bits, + flags.bits(), )) .map(|_| output.get_buf().to_owned()) } @@ -205,7 +207,7 @@ impl Pkcs7Ref { pkey.as_ptr(), cert.as_ptr(), output.as_ptr(), - flags.bits, + flags.bits(), )) .map(|_| output.get_buf().to_owned()) } @@ -241,7 +243,7 @@ impl Pkcs7Ref { store.as_ptr(), indata_bio_ptr, out_bio.as_ptr(), - flags.bits, + flags.bits(), )) .map(|_| ())? } @@ -265,7 +267,7 @@ impl Pkcs7Ref { let ptr = cvt_p(ffi::PKCS7_get0_signers( self.as_ptr(), certs.as_ptr(), - flags.bits, + flags.bits(), ))?; // The returned stack is owned by the caller, but the certs inside are not! Our stack interface can't deal diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 5b8775c98c..b9e4e20bc8 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -143,6 +143,8 @@ cfg_if! { bitflags! { /// Options controlling the behavior of an `SslContext`. + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct SslOptions: SslOptionsRepr { /// Disables a countermeasure against an SSLv3/TLSv1.0 vulnerability affecting CBC ciphers. const DONT_INSERT_EMPTY_FRAGMENTS = ffi::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS as SslOptionsRepr; @@ -281,6 +283,8 @@ bitflags! { bitflags! { /// Options controlling the behavior of an `SslContext`. + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct SslMode: SslBitType { /// Enables "short writes". /// @@ -378,6 +382,8 @@ unsafe impl Send for SslMethod {} bitflags! { /// Options controlling the behavior of certificate verification. + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct SslVerifyMode: i32 { /// Verifies that the peer's certificate is trusted. /// @@ -410,6 +416,8 @@ type SslTimeTy = c_long; bitflags! { /// Options controlling the behavior of session caching. + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct SslSessionCacheMode: SslBitType { /// No session caching for the client or server takes place. const OFF = ffi::SSL_SESS_CACHE_OFF; @@ -447,6 +455,8 @@ bitflags! { #[cfg(ossl111)] bitflags! { /// Which messages and under which conditions an extension should be added or expected. + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct ExtensionContext: c_uint { /// This extension is only allowed in TLS const TLS_ONLY = ffi::SSL_EXT_TLS_ONLY; @@ -735,7 +745,7 @@ impl SslContextBuilder { #[corresponds(SSL_CTX_set_verify)] pub fn set_verify(&mut self, mode: SslVerifyMode) { unsafe { - ffi::SSL_CTX_set_verify(self.as_ptr(), mode.bits as c_int, None); + ffi::SSL_CTX_set_verify(self.as_ptr(), mode.bits() as c_int, None); } } @@ -752,7 +762,7 @@ impl SslContextBuilder { { unsafe { self.set_ex_data(SslContext::cached_ex_index::(), verify); - ffi::SSL_CTX_set_verify(self.as_ptr(), mode.bits as c_int, Some(raw_verify::)); + ffi::SSL_CTX_set_verify(self.as_ptr(), mode.bits() as c_int, Some(raw_verify::)); } } @@ -839,7 +849,7 @@ impl SslContextBuilder { pub fn set_mode(&mut self, mode: SslMode) -> SslMode { unsafe { let bits = ffi::SSL_CTX_set_mode(self.as_ptr(), mode.bits() as MtuTy) as SslBitType; - SslMode { bits } + SslMode::from_bits_retain(bits) } } @@ -1111,14 +1121,14 @@ impl SslContextBuilder { pub fn set_options(&mut self, option: SslOptions) -> SslOptions { let bits = unsafe { ffi::SSL_CTX_set_options(self.as_ptr(), option.bits()) } as SslOptionsRepr; - SslOptions { bits } + SslOptions::from_bits_retain(bits) } /// Returns the options used by the context. #[corresponds(SSL_CTX_get_options)] pub fn options(&self) -> SslOptions { let bits = unsafe { ffi::SSL_CTX_get_options(self.as_ptr()) } as SslOptionsRepr; - SslOptions { bits } + SslOptions::from_bits_retain(bits) } /// Clears the options used by the context, returning the old set. @@ -1126,7 +1136,7 @@ impl SslContextBuilder { pub fn clear_options(&mut self, option: SslOptions) -> SslOptions { let bits = unsafe { ffi::SSL_CTX_clear_options(self.as_ptr(), option.bits()) } as SslOptionsRepr; - SslOptions { bits } + SslOptions::from_bits_retain(bits) } /// Sets the minimum supported protocol version. @@ -1475,7 +1485,7 @@ impl SslContextBuilder { pub fn set_session_cache_mode(&mut self, mode: SslSessionCacheMode) -> SslSessionCacheMode { unsafe { let bits = ffi::SSL_CTX_set_session_cache_mode(self.as_ptr(), mode.bits()); - SslSessionCacheMode { bits } + SslSessionCacheMode::from_bits_retain(bits) } } @@ -2333,7 +2343,7 @@ impl SslRef { /// [`SslContextBuilder::set_verify`]: struct.SslContextBuilder.html#method.set_verify #[corresponds(SSL_set_verify)] pub fn set_verify(&mut self, mode: SslVerifyMode) { - unsafe { ffi::SSL_set_verify(self.as_ptr(), mode.bits as c_int, None) } + unsafe { ffi::SSL_set_verify(self.as_ptr(), mode.bits() as c_int, None) } } /// Returns the verify mode that was set using `set_verify`. @@ -2354,7 +2364,11 @@ impl SslRef { unsafe { // this needs to be in an Arc since the callback can register a new callback! self.set_ex_data(Ssl::cached_ex_index(), Arc::new(verify)); - ffi::SSL_set_verify(self.as_ptr(), mode.bits as c_int, Some(ssl_raw_verify::)); + ffi::SSL_set_verify( + self.as_ptr(), + mode.bits() as c_int, + Some(ssl_raw_verify::), + ); } } @@ -3666,7 +3680,7 @@ impl SslStream { pub fn get_shutdown(&mut self) -> ShutdownState { unsafe { let bits = ffi::SSL_get_shutdown(self.ssl.as_ptr()); - ShutdownState { bits } + ShutdownState::from_bits_retain(bits) } } @@ -3999,6 +4013,8 @@ pub enum ShutdownResult { bitflags! { /// The shutdown state of a session. + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct ShutdownState: c_int { /// A close notify message has been sent to the peer. const SENT = ffi::SSL_SENT_SHUTDOWN; diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index b0e22ef462..edd50764eb 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -11,6 +11,8 @@ use openssl_macros::corresponds; bitflags! { /// Flags used to check an `X509` certificate. + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct X509CheckFlags: c_uint { const ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT; const NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS; @@ -28,6 +30,8 @@ bitflags! { bitflags! { /// Flags used to verify an `X509` certificate chain. + #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] + #[repr(transparent)] pub struct X509VerifyFlags: c_ulong { const CB_ISSUER_CHECK = ffi::X509_V_FLAG_CB_ISSUER_CHECK; const USE_CHECK_TIME = ffi::X509_V_FLAG_USE_CHECK_TIME; @@ -87,14 +91,20 @@ impl X509VerifyParamRef { #[corresponds(X509_VERIFY_PARAM_set_hostflags)] pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) { unsafe { - ffi::X509_VERIFY_PARAM_set_hostflags(self.as_ptr(), hostflags.bits); + ffi::X509_VERIFY_PARAM_set_hostflags(self.as_ptr(), hostflags.bits()); } } /// Set verification flags. #[corresponds(X509_VERIFY_PARAM_set_flags)] pub fn set_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> { - unsafe { cvt(ffi::X509_VERIFY_PARAM_set_flags(self.as_ptr(), flags.bits)).map(|_| ()) } + unsafe { + cvt(ffi::X509_VERIFY_PARAM_set_flags( + self.as_ptr(), + flags.bits(), + )) + .map(|_| ()) + } } /// Clear verification flags. @@ -103,7 +113,7 @@ impl X509VerifyParamRef { unsafe { cvt(ffi::X509_VERIFY_PARAM_clear_flags( self.as_ptr(), - flags.bits, + flags.bits(), )) .map(|_| ()) } @@ -113,7 +123,7 @@ impl X509VerifyParamRef { #[corresponds(X509_VERIFY_PARAM_get_flags)] pub fn flags(&mut self) -> X509VerifyFlags { let bits = unsafe { ffi::X509_VERIFY_PARAM_get_flags(self.as_ptr()) }; - X509VerifyFlags { bits } + X509VerifyFlags::from_bits_retain(bits) } /// Set the expected DNS hostname. From 7756ab8a9a0faed77b674f2b44736ec31a726713 Mon Sep 17 00:00:00 2001 From: Naomi Kirby Date: Wed, 26 Apr 2023 14:46:10 -0700 Subject: [PATCH 044/126] Fix link errors for X509_get0_authority_xxx methods on Ubuntu/bionic --- openssl-sys/build/cfgs.rs | 3 +++ openssl-sys/src/handwritten/x509v3.rs | 4 ++-- openssl/src/x509/mod.rs | 4 ++-- openssl/src/x509/tests.rs | 2 +- 4 files changed, 8 insertions(+), 5 deletions(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index 960515f00f..f09ec29b53 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -91,6 +91,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if openssl_version >= 0x1_01_01_03_0 { cfgs.push("ossl111c"); } + if openssl_version >= 0x1_01_01_04_0 { + cfgs.push("ossl111d"); + } } cfgs diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 09a92640b6..7789b629a6 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -106,9 +106,9 @@ extern "C" { pub fn X509_get0_subject_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; #[cfg(ossl110)] pub fn X509_get0_authority_key_id(x: *mut X509) -> *const ASN1_OCTET_STRING; - #[cfg(ossl111)] + #[cfg(ossl111d)] pub fn X509_get0_authority_issuer(x: *mut X509) -> *const stack_st_GENERAL_NAME; - #[cfg(ossl111)] + #[cfg(ossl111d)] pub fn X509_get0_authority_serial(x: *mut X509) -> *const ASN1_INTEGER; } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 2753d09124..a8e298bf3f 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -505,7 +505,7 @@ impl X509Ref { /// Returns this certificate's authority issuer name entries, if they exist. #[corresponds(X509_get0_authority_issuer)] - #[cfg(ossl111)] + #[cfg(ossl111d)] pub fn authority_issuer(&self) -> Option<&StackRef> { unsafe { let stack = ffi::X509_get0_authority_issuer(self.as_ptr()); @@ -515,7 +515,7 @@ impl X509Ref { /// Returns this certificate's authority serial number, if it exists. #[corresponds(X509_get0_authority_serial)] - #[cfg(ossl111)] + #[cfg(ossl111d)] pub fn authority_serial(&self) -> Option<&Asn1IntegerRef> { unsafe { let r = ffi::X509_get0_authority_serial(self.as_ptr()); diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index d4dbf316d2..c5ea6accf3 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -195,7 +195,7 @@ fn test_authority_key_id() { } #[test] -#[cfg(ossl111)] +#[cfg(ossl111d)] fn test_authority_issuer_and_serial() { let cert = include_bytes!("../../test/authority_key_identifier.pem"); let cert = X509::from_pem(cert).unwrap(); From 34260b833fe5fc66b8322ce106f0f970cb99a10e Mon Sep 17 00:00:00 2001 From: Naomi Kirby Date: Wed, 26 Apr 2023 15:24:33 -0700 Subject: [PATCH 045/126] Check for OPENSSL_NO_RC4 when using EVP_rc4 --- openssl-sys/build/expando.c | 4 ++++ openssl-sys/src/handwritten/evp.rs | 1 + openssl/src/cipher.rs | 1 + openssl/src/symm.rs | 1 + 4 files changed, 7 insertions(+) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index 11fb04db0c..54681a0b95 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -79,6 +79,10 @@ RUST_CONF_OPENSSL_NO_OCSP RUST_CONF_OPENSSL_NO_PSK #endif +#ifdef OPENSSL_NO_RC4 +RUST_CONF_OPENSSL_NO_RC4 +#endif + #ifdef OPENSSL_NO_RFC3779 RUST_CONF_OPENSSL_NO_RFC3779 #endif diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 050d2c88bb..db018e9a42 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -311,6 +311,7 @@ extern "C" { pub fn EVP_des_ede3_cbc() -> *const EVP_CIPHER; pub fn EVP_des_ede3_cfb64() -> *const EVP_CIPHER; pub fn EVP_des_cbc() -> *const EVP_CIPHER; + #[cfg(not(osslconf = "OPENSSL_NO_RC4"))] pub fn EVP_rc4() -> *const EVP_CIPHER; pub fn EVP_bf_ecb() -> *const EVP_CIPHER; pub fn EVP_bf_cbc() -> *const EVP_CIPHER; diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index aeedf459aa..87f7660cde 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -324,6 +324,7 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_des_ede3_cfb64() as *mut _) } } + #[cfg(not(osslconf = "OPENSSL_NO_RC4"))] pub fn rc4() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_rc4() as *mut _) } } diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 911a7ab2e7..611080805f 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -283,6 +283,7 @@ impl Cipher { unsafe { Cipher(ffi::EVP_des_ede3_cfb64()) } } + #[cfg(not(osslconf = "OPENSSL_NO_RC4"))] pub fn rc4() -> Cipher { unsafe { Cipher(ffi::EVP_rc4()) } } From cd3803ec016258366b56607355f1a63738ddaf2c Mon Sep 17 00:00:00 2001 From: Naomi Kirby Date: Wed, 26 Apr 2023 15:53:11 -0700 Subject: [PATCH 046/126] Fix tests on Ubuntu/bionic too --- openssl-sys/src/handwritten/ssl.rs | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index f179a04ab1..039e2d9116 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -905,9 +905,13 @@ extern "C" { #[cfg(ossl111)] pub fn SSL_set_num_tickets(s: *mut SSL, num_tickets: size_t) -> c_int; - #[cfg(ossl111)] + #[cfg(ossl111b)] pub fn SSL_CTX_get_num_tickets(ctx: *const SSL_CTX) -> size_t; + #[cfg(all(ossl111, not(ossl111b)))] + pub fn SSL_CTX_get_num_tickets(ctx: *mut SSL_CTX) -> size_t; - #[cfg(ossl111)] + #[cfg(ossl111b)] pub fn SSL_get_num_tickets(s: *const SSL) -> size_t; + #[cfg(all(ossl111, not(ossl111b)))] + pub fn SSL_get_num_tickets(s: *mut SSL) -> size_t; } From dd2ce585e469979e70fa5a368bc0ed975ba7d016 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Tue, 2 May 2023 22:39:01 +0800 Subject: [PATCH 047/126] add X509::pathlen --- openssl-sys/src/handwritten/x509v3.rs | 2 ++ openssl/src/x509/mod.rs | 8 ++++++++ openssl/src/x509/tests.rs | 16 ++++++++++++++++ 3 files changed, 26 insertions(+) diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index 7789b629a6..f92441134e 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -96,6 +96,8 @@ extern "C" { indent: c_int, ) -> c_int; + #[cfg(ossl110)] + pub fn X509_get_pathlen(x: *mut X509) -> c_long; #[cfg(ossl110)] pub fn X509_get_extension_flags(x: *mut X509) -> u32; #[cfg(ossl110)] diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index a8e298bf3f..2b2f8a50d8 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -483,6 +483,14 @@ impl X509Ref { } } + /// Retrieves the path length extension from a certificate, if it exists. + #[corresponds(X509_get_pathlen)] + #[cfg(ossl110)] + pub fn pathlen(&self) -> Option { + let v = unsafe { ffi::X509_get_pathlen(self.as_ptr()) }; + u32::try_from(v).ok() + } + /// Returns this certificate's subject key id, if it exists. #[corresponds(X509_get0_subject_key_id)] #[cfg(ossl110)] diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index c5ea6accf3..a3f3cd8803 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -168,6 +168,22 @@ fn test_subject_alt_name() { assert_eq!(Some("http://www.example.com"), subject_alt_names[4].uri()); } +#[test] +#[cfg(ossl110)] +fn test_retrieve_pathlen() { + let cert = include_bytes!("../../test/root-ca.pem"); + let cert = X509::from_pem(cert).unwrap(); + assert_eq!(cert.pathlen(), None); + + let cert = include_bytes!("../../test/intermediate-ca.pem"); + let cert = X509::from_pem(cert).unwrap(); + assert_eq!(cert.pathlen(), Some(0)); + + let cert = include_bytes!("../../test/alt_name_cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + assert_eq!(cert.pathlen(), None); +} + #[test] #[cfg(ossl110)] fn test_subject_key_id() { From 7e6d518499c98b554ceb2707ed3f7724cd4716f5 Mon Sep 17 00:00:00 2001 From: Louis Hampton Date: Fri, 12 May 2023 10:36:51 +0100 Subject: [PATCH 048/126] Add bindings to SSL_bytes_to_cipher_list --- openssl-sys/src/handwritten/ssl.rs | 9 +++++ openssl/src/ssl/mod.rs | 54 +++++++++++++++++++++++++++++- openssl/src/ssl/test/mod.rs | 3 ++ 3 files changed, 65 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index 039e2d9116..d4f4b619f4 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs @@ -648,6 +648,15 @@ extern "C" { num: size_t, readbytes: *mut size_t, ) -> c_int; + #[cfg(ossl111)] + pub fn SSL_bytes_to_cipher_list( + s: *mut SSL, + bytes: *const c_uchar, + len: size_t, + isv2format: c_int, + sk: *mut *mut stack_st_SSL_CIPHER, + scsvs: *mut *mut stack_st_SSL_CIPHER, + ) -> c_int; } extern "C" { diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 5b8775c98c..3bd10052ed 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -72,7 +72,7 @@ use crate::srtp::{SrtpProtectionProfile, SrtpProtectionProfileRef}; use crate::ssl::bio::BioMethod; use crate::ssl::callbacks::*; use crate::ssl::error::InnerError; -use crate::stack::{Stack, StackRef}; +use crate::stack::{Stack, StackRef, Stackable}; use crate::util::{ForeignTypeExt, ForeignTypeRefExt}; use crate::x509::store::{X509Store, X509StoreBuilderRef, X509StoreRef}; #[cfg(any(ossl102, libressl261))] @@ -1940,6 +1940,10 @@ impl ForeignType for SslCipher { } } +impl Stackable for SslCipher { + type StackType = ffi::stack_st_SSL_CIPHER; +} + impl Deref for SslCipher { type Target = SslCipherRef; @@ -2056,6 +2060,19 @@ impl SslCipherRef { } } +impl fmt::Debug for SslCipherRef { + fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result { + write!(fmt, "{}", self.name()) + } +} + +/// A stack of selected ciphers, and a stack of selected signalling cipher suites +#[derive(Debug)] +pub struct CipherLists { + pub suites: Stack, + pub signalling_suites: Stack, +} + foreign_type_and_impl_send_sync! { type CType = ffi::SSL_SESSION; fn drop = ffi::SSL_SESSION_free; @@ -3083,6 +3100,41 @@ impl SslRef { } } + /// Decodes a slice of wire-format cipher suite specification bytes. Unsupported cipher suites + /// are ignored. + /// + /// Requires OpenSSL 1.1.1 or newer. + #[corresponds(SSL_bytes_to_cipher_list)] + #[cfg(ossl111)] + pub fn bytes_to_ciphers_stack( + &self, + bytes: &[u8], + isv2format: bool, + ) -> Result { + unsafe { + let ptr = bytes.as_ptr(); + let len = bytes.len(); + let mut sk = ptr::null_mut(); + let mut scsvs = ptr::null_mut(); + let res = ffi::SSL_bytes_to_cipher_list( + self.as_ptr(), + ptr, + len, + isv2format as c_int, + &mut sk, + &mut scsvs, + ); + if res == 1 { + Ok(CipherLists { + suites: Stack::from_ptr(sk), + signalling_suites: Stack::from_ptr(scsvs), + }) + } else { + Err(ErrorStack::get()) + } + } + } + /// Returns the compression methods field of the client's hello message. /// /// This can only be used inside of the client hello callback. Otherwise, `None` is returned. diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index a34309a7d6..bbad911ca8 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1458,6 +1458,9 @@ fn client_hello() { assert!(ssl.client_hello_session_id().is_some()); assert!(ssl.client_hello_ciphers().is_some()); assert!(ssl.client_hello_compression_methods().is_some()); + assert!(ssl + .bytes_to_ciphers_stack(ssl.client_hello_ciphers().unwrap(), ssl.client_hello_isv2()) + .is_ok()); CALLED_BACK.store(true, Ordering::SeqCst); Ok(ClientHelloResponse::SUCCESS) From da9eeddb05a2fd0d56b1cea16878f501bc987b0f Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 14 May 2023 20:14:24 -0400 Subject: [PATCH 049/126] rename --- openssl/src/ssl/mod.rs | 2 +- openssl/src/ssl/test/mod.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 3bd10052ed..0feaced213 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -3106,7 +3106,7 @@ impl SslRef { /// Requires OpenSSL 1.1.1 or newer. #[corresponds(SSL_bytes_to_cipher_list)] #[cfg(ossl111)] - pub fn bytes_to_ciphers_stack( + pub fn bytes_to_cipher_list( &self, bytes: &[u8], isv2format: bool, diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index bbad911ca8..39cc054df2 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1459,7 +1459,7 @@ fn client_hello() { assert!(ssl.client_hello_ciphers().is_some()); assert!(ssl.client_hello_compression_methods().is_some()); assert!(ssl - .bytes_to_ciphers_stack(ssl.client_hello_ciphers().unwrap(), ssl.client_hello_isv2()) + .bytes_to_cipher_list(ssl.client_hello_ciphers().unwrap(), ssl.client_hello_isv2()) .is_ok()); CALLED_BACK.store(true, Ordering::SeqCst); From 0194e3f9decf0820615ce5b70f26433ac15eaba7 Mon Sep 17 00:00:00 2001 From: Andrew Scull Date: Mon, 15 May 2023 21:39:50 +0000 Subject: [PATCH 050/126] Add boringssl hkdf derivation --- openssl/src/pkey.rs | 2 +- openssl/src/pkey_ctx.rs | 21 +++++++++++++++------ 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index cec1c482e1..82a0a9d136 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -86,7 +86,7 @@ impl Id { pub const DH: Id = Id(ffi::EVP_PKEY_DH); pub const EC: Id = Id(ffi::EVP_PKEY_EC); - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); #[cfg(any(ossl111, boringssl, libressl370))] diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index 42289b9f48..aba8a66a32 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -485,7 +485,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set_hkdf_md)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn set_hkdf_md(&mut self, digest: &MdRef) -> Result<(), ErrorStack> { unsafe { @@ -527,10 +527,13 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_key)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn set_hkdf_key(&mut self, key: &[u8]) -> Result<(), ErrorStack> { + #[cfg(not(boringssl))] let len = c_int::try_from(key.len()).unwrap(); + #[cfg(boringssl)] + let len = key.len(); unsafe { cvt(ffi::EVP_PKEY_CTX_set1_hkdf_key( @@ -549,10 +552,13 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_salt)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn set_hkdf_salt(&mut self, salt: &[u8]) -> Result<(), ErrorStack> { + #[cfg(not(boringssl))] let len = c_int::try_from(salt.len()).unwrap(); + #[cfg(boringssl)] + let len = salt.len(); unsafe { cvt(ffi::EVP_PKEY_CTX_set1_hkdf_salt( @@ -571,10 +577,13 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_add1_hkdf_info)] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] #[inline] pub fn add_hkdf_info(&mut self, info: &[u8]) -> Result<(), ErrorStack> { + #[cfg(not(boringssl))] let len = c_int::try_from(info.len()).unwrap(); + #[cfg(boringssl)] + let len = info.len(); unsafe { cvt(ffi::EVP_PKEY_CTX_add1_hkdf_info( @@ -632,7 +641,7 @@ mod test { #[cfg(not(boringssl))] use crate::cipher::Cipher; use crate::ec::{EcGroup, EcKey}; - #[cfg(any(ossl102, libressl310))] + #[cfg(any(ossl102, libressl310, boringssl))] use crate::md::Md; use crate::nid::Nid; use crate::pkey::PKey; @@ -717,7 +726,7 @@ mod test { } #[test] - #[cfg(ossl110)] + #[cfg(any(ossl110, boringssl))] fn hkdf() { let mut ctx = PkeyCtx::new_id(Id::HKDF).unwrap(); ctx.derive_init().unwrap(); From 56e94e335ce7519b0c5e2ae7e530730a83220d18 Mon Sep 17 00:00:00 2001 From: Felix Huettner Date: Mon, 1 May 2023 21:14:10 +0200 Subject: [PATCH 051/126] add other name support the issue with other name SANs is that they can contain arbitary data. As we can no longer use the old method for other_name for security reasons we now add `other_name2` as an alternative. --- openssl-sys/src/handwritten/asn1.rs | 9 ++++++++ openssl-sys/src/handwritten/x509v3.rs | 5 +++++ openssl/src/asn1.rs | 1 + openssl/src/x509/extension.rs | 23 +++++++++++++++----- openssl/src/x509/mod.rs | 31 +++++++++++++++++++++++++++ openssl/src/x509/tests.rs | 28 ++++++++++++++++++++++++ 6 files changed, 92 insertions(+), 5 deletions(-) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index fa43a7a5c1..16ffcccfe7 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -10,6 +10,7 @@ pub struct ASN1_ENCODING { extern "C" { pub fn ASN1_OBJECT_free(x: *mut ASN1_OBJECT); + pub fn OBJ_dup(x: *const ASN1_OBJECT) -> *mut ASN1_OBJECT; } stack!(stack_st_ASN1_OBJECT); @@ -94,7 +95,14 @@ extern "C" { #[cfg(ossl110)] pub fn ASN1_ENUMERATED_get_int64(pr: *mut i64, a: *const ASN1_ENUMERATED) -> c_int; + pub fn ASN1_TYPE_new() -> *mut ASN1_TYPE; + pub fn ASN1_TYPE_set(a: *mut ASN1_TYPE, type_: c_int, value: *mut c_void); pub fn ASN1_TYPE_free(x: *mut ASN1_TYPE); + pub fn d2i_ASN1_TYPE( + k: *mut *mut ASN1_TYPE, + buf: *mut *const u8, + len: c_long, + ) -> *mut ASN1_TYPE; } const_ptr_api! { @@ -102,5 +110,6 @@ const_ptr_api! { pub fn ASN1_STRING_to_UTF8(out: *mut *mut c_uchar, s: #[const_ptr_if(any(ossl110, libressl280))] ASN1_STRING) -> c_int; pub fn ASN1_STRING_type(x: #[const_ptr_if(any(ossl110, libressl280))] ASN1_STRING) -> c_int; pub fn ASN1_generate_v3(str: #[const_ptr_if(any(ossl110, libressl280))] c_char, cnf: *mut X509V3_CTX) -> *mut ASN1_TYPE; + pub fn i2d_ASN1_TYPE(a: #[const_ptr_if(ossl300)] ASN1_TYPE, pp: *mut *mut c_uchar) -> c_int; } } diff --git a/openssl-sys/src/handwritten/x509v3.rs b/openssl-sys/src/handwritten/x509v3.rs index f92441134e..2ee0452597 100644 --- a/openssl-sys/src/handwritten/x509v3.rs +++ b/openssl-sys/src/handwritten/x509v3.rs @@ -6,6 +6,11 @@ pub enum CONF_METHOD {} extern "C" { pub fn GENERAL_NAME_new() -> *mut GENERAL_NAME; pub fn GENERAL_NAME_free(name: *mut GENERAL_NAME); + pub fn GENERAL_NAME_set0_othername( + gen: *mut GENERAL_NAME, + oid: *mut ASN1_OBJECT, + value: *mut ASN1_TYPE, + ) -> c_int; } #[repr(C)] diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index d75e05166e..0e720ae0b3 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -655,6 +655,7 @@ impl Asn1OctetStringRef { foreign_type_and_impl_send_sync! { type CType = ffi::ASN1_OBJECT; fn drop = ffi::ASN1_OBJECT_free; + fn clone = ffi::OBJ_dup; /// Object Identifier /// diff --git a/openssl/src/x509/extension.rs b/openssl/src/x509/extension.rs index 075227dec3..11e0151530 100644 --- a/openssl/src/x509/extension.rs +++ b/openssl/src/x509/extension.rs @@ -434,6 +434,7 @@ enum RustGeneralName { Uri(String), Ip(String), Rid(String), + OtherName(Asn1Object, Vec), } /// An extension that allows additional identities to be bound to the subject @@ -506,12 +507,21 @@ impl SubjectAlternativeName { /// Sets the `otherName` flag. /// - /// Not currently actually supported, always panics. - #[deprecated = "other_name is deprecated and always panics. Please file a bug if you have a use case for this."] + /// Not currently actually supported, always panics. Please use other_name2 + #[deprecated = "other_name is deprecated and always panics. Please use other_name2."] pub fn other_name(&mut self, _other_name: &str) -> &mut SubjectAlternativeName { - unimplemented!( - "This has not yet been adapted for the new internals. File a bug if you need this." - ); + unimplemented!("This has not yet been adapted for the new internals. Use other_name2."); + } + + /// Sets the `otherName` flag. + /// + /// `content` must be a valid der encoded ASN1_TYPE + /// + /// If you want to add just a ia5string use `other_name_ia5string` + pub fn other_name2(&mut self, oid: Asn1Object, content: &[u8]) -> &mut SubjectAlternativeName { + self.items + .push(RustGeneralName::OtherName(oid, content.into())); + self } /// Return a `SubjectAlternativeName` extension as an `X509Extension`. @@ -526,6 +536,9 @@ impl SubjectAlternativeName { GeneralName::new_ip(s.parse().map_err(|_| ErrorStack::get())?)? } RustGeneralName::Rid(s) => GeneralName::new_rid(Asn1Object::from_str(s)?)?, + RustGeneralName::OtherName(oid, content) => { + GeneralName::new_other_name(oid.clone(), content)? + } }; stack.push(gn)?; } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 2b2f8a50d8..4325b132e3 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -2054,6 +2054,37 @@ impl GeneralName { Ok(GeneralName::from_ptr(gn)) } } + + pub(crate) fn new_other_name( + oid: Asn1Object, + value: &Vec, + ) -> Result { + unsafe { + ffi::init(); + + let typ = cvt_p(ffi::d2i_ASN1_TYPE( + ptr::null_mut(), + &mut value.as_ptr().cast(), + value.len().try_into().unwrap(), + ))?; + + let gn = cvt_p(ffi::GENERAL_NAME_new())?; + (*gn).type_ = ffi::GEN_OTHERNAME; + + if let Err(e) = cvt(ffi::GENERAL_NAME_set0_othername( + gn, + oid.as_ptr().cast(), + typ, + )) { + ffi::GENERAL_NAME_free(gn); + return Err(e); + } + + mem::forget(oid); + + Ok(GeneralName::from_ptr(gn)) + } + } } impl GeneralNameRef { diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index a3f3cd8803..da3ce2fed2 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -27,6 +27,9 @@ use crate::x509::{CrlReason, X509Builder}; use crate::x509::{ CrlStatus, X509Crl, X509Extension, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509, }; + +#[cfg(ossl110)] +use foreign_types::ForeignType; use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] use libc::time_t; @@ -1105,6 +1108,31 @@ fn ipv6_as_subject_alternative_name_is_formatted_in_debug() { ]); } +#[cfg(ossl110)] +#[test] +fn other_name_as_subject_alternative_name() { + let oid = Asn1Object::from_str("1.3.6.1.5.5.7.8.11").unwrap(); + // this is the hex representation of "test" encoded as a ia5string + let content = [0x16, 0x04, 0x74, 0x65, 0x73, 0x74]; + + let mut builder = X509Builder::new().unwrap(); + let san = SubjectAlternativeName::new() + .other_name2(oid, &content) + .build(&builder.x509v3_context(None, None)) + .unwrap(); + builder.append_extension(san).unwrap(); + let cert = builder.build(); + let general_name = cert + .subject_alt_names() + .into_iter() + .flatten() + .next() + .unwrap(); + unsafe { + assert_eq!((*general_name.as_ptr()).type_, 0); + } +} + #[test] fn test_dist_point() { let cert = include_bytes!("../../test/certv3.pem"); From 8436f088898a7a286fb1af7e552d644d411e95db Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Sat, 27 May 2023 11:30:13 -0400 Subject: [PATCH 052/126] Allow LibreSSL 3.8.0 --- openssl-sys/build/main.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index ba149c17ff..1762068d75 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -285,6 +285,7 @@ See rust-openssl documentation for more information: (3, 7, 0) => ('3', '7', '0'), (3, 7, 1) => ('3', '7', '1'), (3, 7, _) => ('3', '7', 'x'), + (3, 8, 0) => ('3', '8', '0'), _ => version_error(), }; @@ -327,7 +328,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.7.x, but a different version of OpenSSL was found. The build is now aborting +through 3.8.0, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " From e41a13249630a9b3bed7dd84e243bf85f4d2fd4b Mon Sep 17 00:00:00 2001 From: Charlie Li Date: Sat, 27 May 2023 11:31:02 -0400 Subject: [PATCH 053/126] CI: bump LibreSSL --- .github/workflows/ci.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 71deb57ab9..75117ffab8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -181,7 +181,12 @@ jobs: bindgen: true library: name: libressl - version: 3.7.2 + version: 3.7.3 + - target: x86_64-unknown-linux-gnu + bindgen: true + library: + name: libressl + version: 3.8.0 - target: x86_64-unknown-linux-gnu bindgen: false library: @@ -191,7 +196,12 @@ jobs: bindgen: false library: name: libressl - version: 3.7.2 + version: 3.7.3 + - target: x86_64-unknown-linux-gnu + bindgen: false + library: + name: libressl + version: 3.8.0 name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} runs-on: ubuntu-latest env: From b937b66ae6c3c1828c33477f234cdf6fe7f31700 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 28 May 2023 04:46:03 -0500 Subject: [PATCH 054/126] add Dsa with some helper functions DSA is terrible, I'm sorry we have to add this --- openssl/src/dsa.rs | 63 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 62 insertions(+), 1 deletion(-) diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index c550f6548b..d8dcaa9fdb 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -14,7 +14,7 @@ use std::ptr; use crate::bn::{BigNum, BigNumRef}; use crate::error::ErrorStack; -use crate::pkey::{HasParams, HasPrivate, HasPublic, Private, Public}; +use crate::pkey::{HasParams, HasPrivate, HasPublic, Params, Private, Public}; use crate::util::ForeignTypeRefExt; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; @@ -183,6 +183,49 @@ type BitType = libc::c_uint; #[cfg(not(boringssl))] type BitType = c_int; +impl Dsa { + /// Creates a DSA params based upon the given parameters. + #[corresponds(DSA_set0_pqg)] + pub fn from_pqg(p: BigNum, q: BigNum, g: BigNum) -> Result, ErrorStack> { + unsafe { + let dsa = Dsa::from_ptr(cvt_p(ffi::DSA_new())?); + cvt(DSA_set0_pqg(dsa.0, p.as_ptr(), q.as_ptr(), g.as_ptr()))?; + mem::forget((p, q, g)); + Ok(dsa) + } + } + + /// Generates DSA params based on the given number of bits. + #[corresponds(DSA_generate_parameters_ex)] + pub fn generate_params(bits: u32) -> Result, ErrorStack> { + ffi::init(); + unsafe { + let dsa = Dsa::from_ptr(cvt_p(ffi::DSA_new())?); + cvt(ffi::DSA_generate_parameters_ex( + dsa.0, + bits as BitType, + ptr::null(), + 0, + ptr::null_mut(), + ptr::null_mut(), + ptr::null_mut(), + ))?; + Ok(dsa) + } + } + + /// Generates a private key based on the DSA params. + #[corresponds(DSA_generate_key)] + pub fn generate_key(self) -> Result, ErrorStack> { + unsafe { + let dsa_ptr = self.0; + cvt(ffi::DSA_generate_key(dsa_ptr))?; + mem::forget(self); + Ok(Dsa::from_ptr(dsa_ptr)) + } + } +} + impl Dsa { /// Generate a DSA key pair. /// @@ -556,6 +599,24 @@ mod test { assert_eq!(dsa.g(), &BigNum::from_u32(60).unwrap()); } + #[test] + fn test_params() { + let params = Dsa::generate_params(1024).unwrap(); + let p = params.p().to_owned().unwrap(); + let q = params.q().to_owned().unwrap(); + let g = params.g().to_owned().unwrap(); + let key = params.generate_key().unwrap(); + let params2 = Dsa::from_pqg( + key.p().to_owned().unwrap(), + key.q().to_owned().unwrap(), + key.g().to_owned().unwrap(), + ) + .unwrap(); + assert_eq!(p, *params2.p()); + assert_eq!(q, *params2.q()); + assert_eq!(g, *params2.g()); + } + #[test] #[cfg(not(boringssl))] fn test_signature() { From c972e700df5ab3edafc3d966d74eaa99bc9d460a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 28 May 2023 09:18:18 -0500 Subject: [PATCH 055/126] reimplement Dsa::generate in terms of generate_params/generate_key --- openssl/src/dsa.rs | 23 ++--------------------- 1 file changed, 2 insertions(+), 21 deletions(-) diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index d8dcaa9fdb..1f594f28b4 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -229,29 +229,10 @@ impl Dsa { impl Dsa { /// Generate a DSA key pair. /// - /// Calls [`DSA_generate_parameters_ex`] to populate the `p`, `g`, and `q` values. - /// These values are used to generate the key pair with [`DSA_generate_key`]. - /// /// The `bits` parameter corresponds to the length of the prime `p`. - /// - /// [`DSA_generate_parameters_ex`]: https://www.openssl.org/docs/manmaster/crypto/DSA_generate_parameters_ex.html - /// [`DSA_generate_key`]: https://www.openssl.org/docs/manmaster/crypto/DSA_generate_key.html pub fn generate(bits: u32) -> Result, ErrorStack> { - ffi::init(); - unsafe { - let dsa = Dsa::from_ptr(cvt_p(ffi::DSA_new())?); - cvt(ffi::DSA_generate_parameters_ex( - dsa.0, - bits as BitType, - ptr::null(), - 0, - ptr::null_mut(), - ptr::null_mut(), - ptr::null_mut(), - ))?; - cvt(ffi::DSA_generate_key(dsa.0))?; - Ok(dsa) - } + let params = Dsa::generate_params(bits)?; + params.generate_key() } /// Create a DSA key pair with the given parameters From b3cdda01b571535afe596927b59cf4690b47b806 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 May 2023 14:24:25 -0400 Subject: [PATCH 056/126] Added DER serialization for `DSAPrivateKey` --- openssl/src/dsa.rs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index 1f594f28b4..1463ee4115 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -127,6 +127,13 @@ where ffi::PEM_write_bio_DSAPrivateKey } + to_der! { + /// Serializes the private_key to a DER-encoded `DSAPrivateKey` structure. + #[corresponds(i2d_DSAPrivateKey)] + private_key_to_der, + ffi::i2d_DSAPrivateKey + } + /// Returns a reference to the private key component of `self`. #[corresponds(DSA_get0_key)] pub fn priv_key(&self) -> &BigNumRef { From 6a65a2b5138c012f1bc60e947ddc52d20795454a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 30 May 2023 09:01:23 +0800 Subject: [PATCH 057/126] version bump 0.9.88 and 0.10.53 --- openssl-sys/CHANGELOG.md | 15 ++++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 10 +++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 26 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 324ff1a82a..48029f8aab 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,18 @@ ## [Unreleased] +## [v0.9.88] - 2023-05-30 + +### Added + +* Added support for the LibreSSL 3.8.0. +* Added support for detecting `OPENSSL_NO_RC4`. +* Added `OBJ_dup`. +* Added `ASN1_TYPE_new`, `ASN1_TYPE_set`, `d2i_ASN1_TYPE`, and `i2d_ASN1_TYPE`. +* Added `SSL_bytes_to_cipher_list`, `SSL_CTX_get_num_tickets`, and `SSL_get_num_tickets`. +* Added `GENERAL_NAME_set0_othername`. +* Added `X509_get_pathlen`. + ## [v0.9.87] - 2023-04-24 ### Added @@ -446,7 +458,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88..master +[v0.9.88]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87...openssl-sys-v0.9.88 [v0.9.87]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86...openssl-sys-v0.9.87 [v0.9.86]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.86 [v0.9.85]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.84...openssl-sys-v0.9.85 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 811318bbaf..7589a3ca0e 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.87" +version = "0.9.88" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index c62da00a1b..79e0d9c1ff 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,13 @@ ## [Unreleased] +## [v0.10.53] - 2023-05-30 + +### Added + +* Added `Dsa::from_pqg`, `Dsa::generate_key`, and `Dsa::generate_params`. +* Added `SslRef::bytes_to_cipher_list`. + ## [v0.10.52] - 2023-04-24 ### Added @@ -747,7 +754,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...master +[v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 [v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...openssl-v0.10.52 [v0.10.51]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...openssl-v0.10.51 [v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index addf5cb060..e6f5e4d565 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.52" +version = "0.10.53" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.87", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.88", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 7a040da108ced53e227fa48225759f3fce7487e0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 30 May 2023 09:29:45 +0800 Subject: [PATCH 058/126] Update openssl/CHANGELOG.md Co-authored-by: Alex Gaynor --- openssl/CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 79e0d9c1ff..b174156a5a 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -8,6 +8,7 @@ * Added `Dsa::from_pqg`, `Dsa::generate_key`, and `Dsa::generate_params`. * Added `SslRef::bytes_to_cipher_list`. +* Added `SubjectAlternativeName::other_name2` ## [v0.10.52] - 2023-04-24 From b83aec7f30ab295011c23cd6e479abcc69039bbe Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 31 May 2023 13:49:34 -0400 Subject: [PATCH 059/126] Remove converting PKCS#8 passphrase to CString It's not required, there's an explicit length. --- openssl/src/pkey.rs | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 82a0a9d136..af41421768 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -57,7 +57,7 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_int, c_long}; use openssl_macros::corresponds; -use std::convert::TryFrom; +use std::convert::{TryFrom, TryInto}; use std::ffi::CString; use std::fmt; use std::mem; @@ -350,10 +350,6 @@ where /// Serializes a private key into a DER-formatted PKCS#8, using the supplied password to /// encrypt the key. - /// - /// # Panics - /// - /// Panics if `passphrase` contains an embedded null. #[corresponds(i2d_PKCS8PrivateKey_bio)] pub fn private_key_to_pkcs8_passphrase( &self, @@ -362,14 +358,12 @@ where ) -> Result, ErrorStack> { unsafe { let bio = MemBio::new()?; - let len = passphrase.len(); - let passphrase = CString::new(passphrase).unwrap(); cvt(ffi::i2d_PKCS8PrivateKey_bio( bio.as_ptr(), self.as_ptr(), cipher.as_ptr(), passphrase.as_ptr() as *const _ as *mut _, - len as ::libc::c_int, + passphrase.len().try_into().unwrap(), None, ptr::null_mut(), ))?; From 68ff80a935857c3e6a0b99905292e81af600e250 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 31 May 2023 21:31:38 -0400 Subject: [PATCH 060/126] Version bump for openssl v0.10.54 release --- openssl/CHANGELOG.md | 11 +++++++++-- openssl/Cargo.toml | 2 +- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index b174156a5a..29af6ca816 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,12 @@ ## [Unreleased] +## [v0.10.54] - 2023-05-31 + +### Fixed + +* `PKey::private_key_to_pkcs8_passphrase` no longer panics if a `passphrase` contains a NUL byte. + ## [v0.10.53] - 2023-05-30 ### Added @@ -755,8 +761,9 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...master -[v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...master +[v0.10.54]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...openssl-v0.10.54 +[v0.10.53]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 [v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...openssl-v0.10.52 [v0.10.51]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.50...openssl-v0.10.51 [v0.10.50]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.49...openssl-v0.10.50 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index e6f5e4d565..c4367cd4c6 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.53" +version = "0.10.54" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" From 90d9199f858c0fc887f2a6778bb05f611a0ff456 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 3 Jun 2023 21:36:33 -0400 Subject: [PATCH 061/126] Fix warnings from BoringSSL on Rust 1.70 --- openssl-sys/build/run_bindgen.rs | 8 ++++++++ openssl-sys/src/lib.rs | 1 + 2 files changed, 9 insertions(+) diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 4fa9ec66f2..87b748f23b 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -110,11 +110,15 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { let mut builder = bindgen::builder() .rust_target(RustTarget::Stable_1_47) .ctypes_prefix("::libc") + .raw_line("use libc::*;") .derive_default(false) .enable_function_attribute_detection() .default_macro_constant_type(MacroTypeVariation::Signed) .rustified_enum("point_conversion_form_t") .allowlist_file(".*/openssl/[^/]+\\.h") + .allowlist_recursively(false) + .blocklist_function("BIO_vsnprintf") + .blocklist_function("OPENSSL_vasprintf") .wrap_static_fns(true) .wrap_static_fns_path(out_dir.join("boring_static_wrapper").display().to_string()) .layout_tests(false) @@ -165,11 +169,15 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { .arg(out_dir.join("bindgen.rs")) .arg("--rust-target=1.47") .arg("--ctypes-prefix=::libc") + .arg("--raw-line=use libc::*;") .arg("--no-derive-default") .arg("--enable-function-attribute-detection") .arg("--default-macro-constant-type=signed") .arg("--rustified-enum=point_conversion_form_t") .arg("--allowlist-file=.*/openssl/[^/]+\\.h") + .arg("--no-recursive-allowlist") + .arg("--blocklist-function=BIO_vsnprintf") + .arg("--blocklist-function=OPENSSL_vasprintf") .arg("--experimental") .arg("--wrap-static-fns") .arg("--wrap-static-fns-path") diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index c3084755cc..5a65e8b349 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -10,6 +10,7 @@ overflowing_literals, unused_imports )] +#![cfg_attr(feature = "unstable_boringssl", allow(ambiguous_glob_reexports))] #![doc(html_root_url = "https://docs.rs/openssl-sys/0.9")] #![recursion_limit = "128"] // configure fixed limit across all rust versions From e476f9a08a40c1cde55950f26f1e5203c51d0889 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Sun, 4 Jun 2023 13:15:22 -0400 Subject: [PATCH 062/126] Honor OPENSSL_NO_OCB if OpenSSL was built this way Setting ossl110 in the BoringSSL build (see #1944) causes rust-openssl to expect OCB support. However, OpenSSL already has a feature guard for OCB, which BoringSSL sets. rust-openssl just isn't honoring it. This fixes building against an OpenSSL built with ./config no-ocb --- openssl-sys/build/expando.c | 4 ++++ openssl/src/symm.rs | 14 +++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index 54681a0b95..5d003d9022 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -75,6 +75,10 @@ RUST_CONF_OPENSSL_NO_NEXTPROTONEG RUST_CONF_OPENSSL_NO_OCSP #endif +#ifdef OPENSSL_NO_OCB +RUST_CONF_OPENSSL_NO_OCB +#endif + #ifdef OPENSSL_NO_PSK RUST_CONF_OPENSSL_NO_PSK #endif diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 611080805f..8da341f7f6 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -142,7 +142,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_128_ocb() -> Cipher { unsafe { Cipher(ffi::EVP_aes_128_ocb()) } } @@ -187,7 +187,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_192_ocb() -> Cipher { unsafe { Cipher(ffi::EVP_aes_192_ocb()) } } @@ -237,7 +237,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] pub fn aes_256_ocb() -> Cipher { unsafe { Cipher(ffi::EVP_aes_256_ocb()) } } @@ -402,14 +402,14 @@ impl Cipher { } /// Determines whether the cipher is using OCB mode - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] fn is_ocb(self) -> bool { self == Cipher::aes_128_ocb() || self == Cipher::aes_192_ocb() || self == Cipher::aes_256_ocb() } - #[cfg(not(ossl110))] + #[cfg(any(not(ossl110), osslconf = "OPENSSL_NO_OCB"))] const fn is_ocb(self) -> bool { false } @@ -1422,7 +1422,7 @@ mod tests { } #[test] - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] fn test_aes_128_ocb() { let key = "000102030405060708090a0b0c0d0e0f"; let aad = "0001020304050607"; @@ -1458,7 +1458,7 @@ mod tests { } #[test] - #[cfg(ossl110)] + #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))] fn test_aes_128_ocb_fail() { let key = "000102030405060708090a0b0c0d0e0f"; let aad = "0001020304050607"; From 5283d7c994541a99bab9b33f809bd662a5aa47a7 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Sat, 3 Jun 2023 11:44:10 -0400 Subject: [PATCH 063/126] Fix some deprecated patterns when using BoringSSL The RSA and DSA changes will be needed to avoid build breakage soon. The others are mostly tidying up. There's another place around BIO that we'd ideally also switch over, but that depends on resolving the __fixed_rust mess first. This addresses a symptom of #1944, but not the root cause. --- openssl/src/asn1.rs | 2 +- openssl/src/dsa.rs | 5 +++-- openssl/src/ecdsa.rs | 2 +- openssl/src/hash.rs | 2 +- openssl/src/md_ctx.rs | 2 +- openssl/src/rsa.rs | 2 +- 6 files changed, 8 insertions(+), 7 deletions(-) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 0e720ae0b3..801310d411 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -738,7 +738,7 @@ impl fmt::Debug for Asn1ObjectRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::ASN1_STRING_get0_data; } else { #[allow(bad_style)] diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index 1463ee4115..1a63e8ad8f 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -7,6 +7,7 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; +#[cfg(not(boringssl))] use libc::c_int; use std::fmt; use std::mem; @@ -314,7 +315,7 @@ impl fmt::Debug for Dsa { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{DSA_get0_key, DSA_get0_pqg, DSA_set0_key, DSA_set0_pqg}; } else { #[allow(bad_style)] @@ -493,7 +494,7 @@ impl DsaSigRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{DSA_SIG_set0, DSA_SIG_get0}; } else { #[allow(bad_style)] diff --git a/openssl/src/ecdsa.rs b/openssl/src/ecdsa.rs index 0a960e7b9e..f3b27b3953 100644 --- a/openssl/src/ecdsa.rs +++ b/openssl/src/ecdsa.rs @@ -110,7 +110,7 @@ impl EcdsaSigRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{ECDSA_SIG_set0, ECDSA_SIG_get0}; } else { #[allow(bad_style)] diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 37442fb274..52d73deed4 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -43,7 +43,7 @@ use crate::nid::Nid; use crate::{cvt, cvt_p}; cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, boringssl))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; diff --git a/openssl/src/md_ctx.rs b/openssl/src/md_ctx.rs index c4d3f06b94..156f3c2fc9 100644 --- a/openssl/src/md_ctx.rs +++ b/openssl/src/md_ctx.rs @@ -93,7 +93,7 @@ use std::convert::TryFrom; use std::ptr; cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, boringssl))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; diff --git a/openssl/src/rsa.rs b/openssl/src/rsa.rs index 68cf64b036..f155b12dfe 100644 --- a/openssl/src/rsa.rs +++ b/openssl/src/rsa.rs @@ -581,7 +581,7 @@ impl fmt::Debug for Rsa { } cfg_if! { - if #[cfg(any(ossl110, libressl273))] { + if #[cfg(any(ossl110, libressl273, boringssl))] { use ffi::{ RSA_get0_key, RSA_get0_factors, RSA_get0_crt_params, RSA_set0_key, RSA_set0_factors, RSA_set0_crt_params, From a3b6cb5fdc7df2754ab9a5d3f4039e469e42d332 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 4 Jun 2023 08:55:49 +0800 Subject: [PATCH 064/126] add get_asn1_flag to EcGroupRef --- openssl-sys/src/handwritten/ec.rs | 2 ++ openssl/src/ec.rs | 13 +++++++++++++ 2 files changed, 15 insertions(+) diff --git a/openssl-sys/src/handwritten/ec.rs b/openssl-sys/src/handwritten/ec.rs index 6ee475f327..ec781a715a 100644 --- a/openssl-sys/src/handwritten/ec.rs +++ b/openssl-sys/src/handwritten/ec.rs @@ -46,6 +46,8 @@ extern "C" { pub fn EC_GROUP_set_asn1_flag(key: *mut EC_GROUP, flag: c_int); + pub fn EC_GROUP_get_asn1_flag(group: *const EC_GROUP) -> c_int; + pub fn EC_GROUP_get_curve_GFp( group: *const EC_GROUP, p: *mut BIGNUM, diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 248ced3e41..55523fee0a 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -294,6 +294,12 @@ impl EcGroupRef { } } + /// Gets the flag determining if the group corresponds to a named curve. + #[corresponds(EC_GROUP_get_asn1_flag)] + pub fn get_asn1_flag(&mut self) -> Asn1Flag { + unsafe { Asn1Flag(ffi::EC_GROUP_get_asn1_flag(self.as_ptr())) } + } + /// Returns the name of the curve, if a name is associated. #[corresponds(EC_GROUP_get_curve_name)] pub fn curve_name(&self) -> Option { @@ -1265,4 +1271,11 @@ mod test { let group2 = EcGroup::from_curve_name(Nid::X9_62_PRIME239V3).unwrap(); assert!(!g.is_on_curve(&group2, &mut ctx).unwrap()); } + + #[test] + fn get_flags() { + let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let flag = group.get_asn1_flag(); + assert_eq!(flag.0, Asn1Flag::NAMED_CURVE.0); + } } From faae7bb9ad7d569e16b7d21295d813dd4672ef07 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 4 Jun 2023 12:33:47 +0800 Subject: [PATCH 065/126] rename and test on openssl 1.1.0+ --- openssl/src/ec.rs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 55523fee0a..d6ef049101 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -296,7 +296,7 @@ impl EcGroupRef { /// Gets the flag determining if the group corresponds to a named curve. #[corresponds(EC_GROUP_get_asn1_flag)] - pub fn get_asn1_flag(&mut self) -> Asn1Flag { + pub fn asn1_flag(&mut self) -> Asn1Flag { unsafe { Asn1Flag(ffi::EC_GROUP_get_asn1_flag(self.as_ptr())) } } @@ -1273,9 +1273,10 @@ mod test { } #[test] - fn get_flags() { + #[cfg(not(any(ossl102, ossl101)))] + fn asn1_flag() { let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); - let flag = group.get_asn1_flag(); + let flag = group.asn1_flag(); assert_eq!(flag.0, Asn1Flag::NAMED_CURVE.0); } } From 38a54607ad8901819fa8292f69757b51ce59e8d9 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 07:08:20 +0800 Subject: [PATCH 066/126] partialeq on asn1flag --- openssl/src/ec.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index d6ef049101..446697f527 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -57,7 +57,7 @@ impl PointConversionForm { /// Named Curve or Explicit /// /// This type acts as a boolean as to whether the `EcGroup` is named or explicit. -#[derive(Copy, Clone)] +#[derive(Copy, Clone, PartialEq)] pub struct Asn1Flag(c_int); impl Asn1Flag { @@ -1277,6 +1277,6 @@ mod test { fn asn1_flag() { let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let flag = group.asn1_flag(); - assert_eq!(flag.0, Asn1Flag::NAMED_CURVE.0); + assert_eq!(flag, Asn1Flag::NAMED_CURVE); } } From 37966b326fd417142f912f18dd67ad3e27bac570 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 07:20:20 +0800 Subject: [PATCH 067/126] fix test target configs, add debug derive --- openssl/src/ec.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 446697f527..22d6d1888d 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -57,7 +57,7 @@ impl PointConversionForm { /// Named Curve or Explicit /// /// This type acts as a boolean as to whether the `EcGroup` is named or explicit. -#[derive(Copy, Clone, PartialEq)] +#[derive(Copy, Clone, Debug, PartialEq)] pub struct Asn1Flag(c_int); impl Asn1Flag { @@ -1273,7 +1273,7 @@ mod test { } #[test] - #[cfg(not(any(ossl102, ossl101)))] + #[cfg(any(boringssl, ossl111, libressl350))] fn asn1_flag() { let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let flag = group.asn1_flag(); From d52ac4e4f08b4d0c4d1b2d181d6baee3f042e972 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 4 Jun 2023 19:42:34 -0400 Subject: [PATCH 068/126] Fixed type mutability on asn1_flag --- openssl/src/ec.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 22d6d1888d..6993e4edda 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -296,7 +296,7 @@ impl EcGroupRef { /// Gets the flag determining if the group corresponds to a named curve. #[corresponds(EC_GROUP_get_asn1_flag)] - pub fn asn1_flag(&mut self) -> Asn1Flag { + pub fn asn1_flag(&self) -> Asn1Flag { unsafe { Asn1Flag(ffi::EC_GROUP_get_asn1_flag(self.as_ptr())) } } From 1b9fba4e782affd312f9c9ad6f80d57eb8a82be1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 4 Jun 2023 19:47:47 -0400 Subject: [PATCH 069/126] Update ec.rs --- openssl/src/ec.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 6993e4edda..5310564ecc 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -1275,7 +1275,7 @@ mod test { #[test] #[cfg(any(boringssl, ossl111, libressl350))] fn asn1_flag() { - let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let flag = group.asn1_flag(); assert_eq!(flag, Asn1Flag::NAMED_CURVE); } From 7b18e903c6c1a0adc09b0eb7ea1876fad70fbe37 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 08:19:17 +0800 Subject: [PATCH 070/126] allow affine_coordinates on boring and libre --- openssl-sys/src/handwritten/ec.rs | 2 +- openssl/src/ec.rs | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl-sys/src/handwritten/ec.rs b/openssl-sys/src/handwritten/ec.rs index ec781a715a..182a5559a3 100644 --- a/openssl-sys/src/handwritten/ec.rs +++ b/openssl-sys/src/handwritten/ec.rs @@ -101,7 +101,7 @@ extern "C" { pub fn EC_POINT_dup(p: *const EC_POINT, group: *const EC_GROUP) -> *mut EC_POINT; - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl, libressl350))] pub fn EC_POINT_get_affine_coordinates( group: *const EC_GROUP, p: *const EC_POINT, diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 5310564ecc..b648aec334 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -491,7 +491,7 @@ impl EcPointRef { /// Places affine coordinates of a curve over a prime field in the provided /// `x` and `y` `BigNum`s. #[corresponds(EC_POINT_get_affine_coordinates)] - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl, libressl350))] pub fn affine_coordinates( &self, group: &EcGroupRef, @@ -1197,7 +1197,7 @@ mod test { assert!(ec_key.check_key().is_ok()); } - #[cfg(ossl111)] + #[cfg(any(ossl111, boringssl, libressl350))] #[test] fn get_affine_coordinates() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); From f783cbe145cc084a160e478dfe1fb9dc50dcdcab Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 5 Jun 2023 09:27:04 +0800 Subject: [PATCH 071/126] add support for EVP_PKEY_derive_set_peer_ex in OpenSSL 3 via Deriver::set_peer_ex --- openssl-sys/src/handwritten/evp.rs | 6 +++++ openssl/src/derive.rs | 38 ++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index db018e9a42..4041d8b671 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -522,6 +522,12 @@ extern "C" { pub fn EVP_PKEY_derive_init(ctx: *mut EVP_PKEY_CTX) -> c_int; pub fn EVP_PKEY_derive_set_peer(ctx: *mut EVP_PKEY_CTX, peer: *mut EVP_PKEY) -> c_int; + #[cfg(ossl300)] + pub fn EVP_PKEY_derive_set_peer_ex( + ctx: *mut EVP_PKEY_CTX, + peer: *mut EVP_PKEY, + validate_peer: c_int, + ) -> c_int; pub fn EVP_PKEY_derive(ctx: *mut EVP_PKEY_CTX, key: *mut c_uchar, size: *mut size_t) -> c_int; #[cfg(ossl300)] diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index 5d422f6976..ef1f61424d 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -93,6 +93,30 @@ impl<'a> Deriver<'a> { unsafe { cvt(ffi::EVP_PKEY_derive_set_peer(self.0, key.as_ptr())).map(|_| ()) } } + /// Sets the peer key used for secret derivation along with optionally validating the peer public key. + /// + /// This corresponds to [`EVP_PKEY_derive_set_peer_ex`]: + /// + /// [`EVP_PKEY_derive_set_peer_ex`]: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_derive_set_peer_ex.html + #[cfg(ossl300)] + pub fn set_peer_ex( + &mut self, + key: &'a PKeyRef, + validate_peer: bool, + ) -> Result<(), ErrorStack> + where + T: HasPublic, + { + unsafe { + cvt(ffi::EVP_PKEY_derive_set_peer_ex( + self.0, + key.as_ptr(), + validate_peer as i32, + )) + .map(|_| ()) + } + } + /// Returns the size of the shared secret. /// /// It can be used to size the buffer passed to [`Deriver::derive`]. @@ -179,4 +203,18 @@ mod test { let shared = deriver.derive_to_vec().unwrap(); assert!(!shared.is_empty()); } + + #[test] + #[cfg(ossl300)] + fn test_ec_key_derive_ex() { + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let ec_key = EcKey::generate(&group).unwrap(); + let ec_key2 = EcKey::generate(&group).unwrap(); + let pkey = PKey::from_ec_key(ec_key).unwrap(); + let pkey2 = PKey::from_ec_key(ec_key2).unwrap(); + let mut deriver = Deriver::new(&pkey).unwrap(); + deriver.set_peer_ex(&pkey2, true).unwrap(); + let shared = deriver.derive_to_vec().unwrap(); + assert!(!shared.is_empty()); + } } From 45e4fc23c8a68685ce076ead1ab01f21970633c0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 08:26:57 +0800 Subject: [PATCH 072/126] Update openssl/src/derive.rs Co-authored-by: Steven Fackler --- openssl/src/derive.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index ef1f61424d..e5ecaadbc2 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -95,9 +95,8 @@ impl<'a> Deriver<'a> { /// Sets the peer key used for secret derivation along with optionally validating the peer public key. /// - /// This corresponds to [`EVP_PKEY_derive_set_peer_ex`]: - /// - /// [`EVP_PKEY_derive_set_peer_ex`]: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_derive_set_peer_ex.html + /// Requires OpenSSL 3.0.0 or newer. + #[corresponds(EVP_PKEY_derive_set_peer_ex)] #[cfg(ossl300)] pub fn set_peer_ex( &mut self, From 50ac347ad63974857e57742c8fcebeb6c9e9e59e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 10:07:06 +0800 Subject: [PATCH 073/126] add missing import --- openssl/src/derive.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index e5ecaadbc2..bfb85a6aba 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -56,6 +56,7 @@ use std::ptr; use crate::error::ErrorStack; use crate::pkey::{HasPrivate, HasPublic, PKeyRef}; use crate::{cvt, cvt_p}; +use openssl_macros::corresponds; /// A type used to derive a shared secret between two keys. pub struct Deriver<'a>(*mut ffi::EVP_PKEY_CTX, PhantomData<&'a ()>); From 87f1a1a1e8c5089de2810c358204a1822ea0b1ed Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 10:14:58 +0800 Subject: [PATCH 074/126] add another corresponds to avoid warnings about no use --- openssl/src/derive.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index bfb85a6aba..c62b902161 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -87,6 +87,7 @@ impl<'a> Deriver<'a> { /// This corresponds to [`EVP_PKEY_derive_set_peer`]: /// /// [`EVP_PKEY_derive_set_peer`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html + #[corresponds(EVP_PKEY_derive_set_peer)] pub fn set_peer(&mut self, key: &'a PKeyRef) -> Result<(), ErrorStack> where T: HasPublic, From 2604033874debae65cad42ecef47613f6a147e85 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 7 Jun 2023 10:21:03 +0800 Subject: [PATCH 075/126] remove outdated comment --- openssl/src/derive.rs | 4 ---- 1 file changed, 4 deletions(-) diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index c62b902161..424c5f92d7 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -83,10 +83,6 @@ impl<'a> Deriver<'a> { } /// Sets the peer key used for secret derivation. - /// - /// This corresponds to [`EVP_PKEY_derive_set_peer`]: - /// - /// [`EVP_PKEY_derive_set_peer`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_derive_init.html #[corresponds(EVP_PKEY_derive_set_peer)] pub fn set_peer(&mut self, key: &'a PKeyRef) -> Result<(), ErrorStack> where From c2f4d5875aaac9b4748a6734fb20af044d408c7b Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Thu, 8 Jun 2023 12:45:21 -0400 Subject: [PATCH 076/126] Use type-safe wrappers instead of EVP_PKEY_assign In OpenSSL, these are macros, so they didn't get imported by bindgen, but they're proper functions in BoringSSL and we'd prefer callers use those for safety. For OpenSSL, just add the corresponding functions in openssl-sys, matching how rust-openssl handles EVP_PKEY_CTX_ctrl. Using the type-safe wrappers flags that rust-openssl was trying to convert DH to EVP_PKEY, but BoringSSL doesn't actually support this. (DH is a legacy primitive, so we haven't routed it to EVP_PKEY right now.) --- openssl-sys/src/evp.rs | 16 ++++++++++++++++ openssl/src/pkey.rs | 26 ++++++-------------------- 2 files changed, 22 insertions(+), 20 deletions(-) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 72ca2434fc..07fae49eb5 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -285,3 +285,19 @@ pub unsafe fn EVP_PKEY_CTX_add1_hkdf_info( info as *mut c_void, ) } + +pub unsafe fn EVP_PKEY_assign_RSA(pkey: *mut EVP_PKEY, rsa: *mut RSA) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_RSA, rsa as *mut c_void) +} + +pub unsafe fn EVP_PKEY_assign_DSA(pkey: *mut EVP_PKEY, dsa: *mut DSA) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_DSA, dsa as *mut c_void) +} + +pub unsafe fn EVP_PKEY_assign_DH(pkey: *mut EVP_PKEY, dh: *mut DH) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_DH, dh as *mut c_void) +} + +pub unsafe fn EVP_PKEY_assign_EC_KEY(pkey: *mut EVP_PKEY, ec_key: *mut EC_KEY) -> c_int { + EVP_PKEY_assign(pkey, EVP_PKEY_EC, ec_key as *mut c_void) +} diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index af41421768..130024da3d 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -406,11 +406,7 @@ impl PKey { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_RSA, - rsa.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_RSA(pkey.0, rsa.as_ptr()))?; mem::forget(rsa); Ok(pkey) } @@ -422,11 +418,7 @@ impl PKey { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_DSA, - dsa.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_DSA(pkey.0, dsa.as_ptr()))?; mem::forget(dsa); Ok(pkey) } @@ -434,15 +426,12 @@ impl PKey { /// Creates a new `PKey` containing a Diffie-Hellman key. #[corresponds(EVP_PKEY_assign_DH)] + #[cfg(not(boringssl))] pub fn from_dh(dh: Dh) -> Result, ErrorStack> { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_DH, - dh.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_DH(pkey.0, dh.as_ptr()))?; mem::forget(dh); Ok(pkey) } @@ -454,11 +443,7 @@ impl PKey { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_EC, - ec_key.as_ptr() as *mut _, - ))?; + cvt(ffi::EVP_PKEY_assign_EC_KEY(pkey.0, ec_key.as_ptr()))?; mem::forget(ec_key); Ok(pkey) } @@ -861,6 +846,7 @@ impl TryFrom> for Dsa { } } +#[cfg(not(boringssl))] impl TryFrom> for PKey { type Error = ErrorStack; From 7c0f0a79d98608c7570baa25a379e7f312453c06 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Wed, 14 Jun 2023 10:24:00 +0800 Subject: [PATCH 077/126] add NID SM2 --- openssl-sys/src/obj_mac.rs | 2 ++ openssl/src/nid.rs | 2 ++ 2 files changed, 4 insertions(+) diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 22bfccba3f..6ae48834b5 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -935,6 +935,8 @@ pub const NID_ED25519: c_int = 952; #[cfg(ossl111)] pub const NID_ED448: c_int = 1088; #[cfg(ossl111)] +pub const NID_sm2: c_int = 1172; +#[cfg(ossl111)] pub const NID_sm3: c_int = 1143; #[cfg(libressl291)] pub const NID_sm3: c_int = 968; diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index c8c60885f1..91fcdeca9d 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -1074,6 +1074,8 @@ impl Nid { pub const AES_128_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_128_cbc_hmac_sha1); pub const AES_192_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_192_cbc_hmac_sha1); pub const AES_256_CBC_HMAC_SHA1: Nid = Nid(ffi::NID_aes_256_cbc_hmac_sha1); + #[cfg(ossl111)] + pub const SM2: Nid = Nid(ffi::NID_sm2); #[cfg(any(ossl111, libressl291))] pub const SM3: Nid = Nid(ffi::NID_sm3); #[cfg(ossl111)] From 9840b534e0996e39cde8ac5faedf81b68f3d2c3a Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Wed, 14 Jun 2023 10:34:58 +0800 Subject: [PATCH 078/126] add pkey Id SM2 --- openssl-sys/src/evp.rs | 2 ++ openssl/src/pkey.rs | 2 ++ 2 files changed, 4 insertions(+) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 07fae49eb5..56eaa4bbff 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -10,6 +10,8 @@ pub const EVP_PKEY_RSA: c_int = NID_rsaEncryption; pub const EVP_PKEY_DSA: c_int = NID_dsa; pub const EVP_PKEY_DH: c_int = NID_dhKeyAgreement; pub const EVP_PKEY_EC: c_int = NID_X9_62_id_ecPublicKey; +#[cfg(ossl111)] +pub const EVP_PKEY_SM2: c_int = NID_sm2; #[cfg(any(ossl111, libressl370))] pub const EVP_PKEY_X25519: c_int = NID_X25519; #[cfg(any(ossl111, libressl370))] diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 130024da3d..453aeed72f 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -85,6 +85,8 @@ impl Id { pub const DSA: Id = Id(ffi::EVP_PKEY_DSA); pub const DH: Id = Id(ffi::EVP_PKEY_DH); pub const EC: Id = Id(ffi::EVP_PKEY_EC); + #[cfg(ossl111)] + pub const SM2: Id = Id(ffi::EVP_PKEY_SM2); #[cfg(any(ossl110, boringssl))] pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); From fb5ae60cbb1dbbb2e34d47e113b25bc31f4acc37 Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:16:03 +0700 Subject: [PATCH 079/126] clippy: remove unused allow attributes --- openssl-sys/build/cfgs.rs | 1 + openssl-sys/build/main.rs | 9 +-------- openssl-sys/src/lib.rs | 4 ---- 3 files changed, 2 insertions(+), 12 deletions(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index f09ec29b53..2f3ff3eafd 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -1,3 +1,4 @@ +#[allow(clippy::unusual_byte_groupings)] pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<&'static str> { let mut cfgs = vec![]; diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 1762068d75..306482d1a8 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -1,9 +1,3 @@ -#![allow( - clippy::inconsistent_digit_grouping, - clippy::uninlined_format_args, - clippy::unusual_byte_groupings -)] - #[cfg(feature = "bindgen")] extern crate bindgen; extern crate cc; @@ -131,7 +125,6 @@ fn main() { } } -#[allow(clippy::let_and_return)] fn postprocess(include_dirs: &[PathBuf]) -> Version { let version = validate_headers(include_dirs); @@ -146,7 +139,7 @@ fn postprocess(include_dirs: &[PathBuf]) -> Version { /// Validates the header files found in `include_dir` and then returns the /// version string of OpenSSL. -#[allow(clippy::manual_strip)] // we need to support pre-1.45.0 +#[allow(clippy::unusual_byte_groupings)] fn validate_headers(include_dirs: &[PathBuf]) -> Version { // This `*-sys` crate only works with OpenSSL 1.0.1, 1.0.2, 1.1.0, 1.1.1 and 3.0.0. // To correctly expose the right API from this crate, take a look at diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 5a65e8b349..784b7637e1 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -1,13 +1,9 @@ #![allow( clippy::missing_safety_doc, - clippy::unreadable_literal, - clippy::uninlined_format_args, - clippy::upper_case_acronyms, dead_code, non_camel_case_types, non_snake_case, non_upper_case_globals, - overflowing_literals, unused_imports )] #![cfg_attr(feature = "unstable_boringssl", allow(ambiguous_glob_reexports))] From b1e16e927622b8c044f88de802523dead0b0ec5e Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:17:07 +0700 Subject: [PATCH 080/126] clippy: use strip_prefix instead of manually strip --- openssl-sys/build/main.rs | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 306482d1a8..6fb8c3ed82 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -203,17 +203,14 @@ See rust-openssl documentation for more information: let libressl_prefix = "RUST_VERSION_LIBRESSL_"; let boringsl_prefix = "RUST_OPENSSL_IS_BORINGSSL"; let conf_prefix = "RUST_CONF_"; - if line.starts_with(openssl_prefix) { - let version = &line[openssl_prefix.len()..]; + if let Some(version) = line.strip_prefix(openssl_prefix) { openssl_version = Some(parse_version(version)); - } else if line.starts_with(new_openssl_prefix) { - let version = &line[new_openssl_prefix.len()..]; + } else if let Some(version) = line.strip_prefix(new_openssl_prefix) { openssl_version = Some(parse_new_version(version)); - } else if line.starts_with(libressl_prefix) { - let version = &line[libressl_prefix.len()..]; + } else if let Some(version) = line.strip_prefix(libressl_prefix) { libressl_version = Some(parse_version(version)); - } else if line.starts_with(conf_prefix) { - enabled.push(&line[conf_prefix.len()..]); + } else if let Some(conf) = line.strip_prefix(conf_prefix) { + enabled.push(conf); } else if line.starts_with(boringsl_prefix) { is_boringssl = true; } From 8587ff88431fc9ef495eda1b5bcfab4d310ef3cd Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:18:11 +0700 Subject: [PATCH 081/126] chore: use pre-existing clean APIs instead --- openssl-sys/build/main.rs | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 6fb8c3ed82..3359165a33 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -155,9 +155,7 @@ fn validate_headers(include_dirs: &[PathBuf]) -> Version { // account for compile differences and such. println!("cargo:rerun-if-changed=build/expando.c"); let mut gcc = cc::Build::new(); - for include_dir in include_dirs { - gcc.include(include_dir); - } + gcc.includes(include_dirs); let expanded = match gcc.file("build/expando.c").try_expand() { Ok(expanded) => expanded, Err(e) => { @@ -326,18 +324,13 @@ due to this version mismatch. } // parses a string that looks like "0x100020cfL" -#[allow(deprecated)] // trim_right_matches is now trim_end_matches -#[allow(clippy::match_like_matches_macro)] // matches macro requires rust 1.42.0 fn parse_version(version: &str) -> u64 { // cut off the 0x prefix assert!(version.starts_with("0x")); let version = &version[2..]; // and the type specifier suffix - let version = version.trim_right_matches(|c: char| match c { - '0'..='9' | 'a'..='f' | 'A'..='F' => false, - _ => true, - }); + let version = version.trim_end_matches(|c: char| !c.is_ascii_hexdigit()); u64::from_str_radix(version, 16).unwrap() } From 8ab3c3f3a8e6102b734d849132aaeb9728cec669 Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:22:34 +0700 Subject: [PATCH 082/126] update min-version passed to bindgen --- .github/workflows/ci.yml | 1 + openssl-sys/build/run_bindgen.rs | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 75117ffab8..33c352cd2c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -59,6 +59,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + # Remember to also update `--rust-target` in `openssl-sys/build/run_bindgen.rs` - uses: sfackler/actions/rustup@master with: version: 1.56.0 diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 87b748f23b..6743403161 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -167,7 +167,7 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { bindgen_cmd .arg("-o") .arg(out_dir.join("bindgen.rs")) - .arg("--rust-target=1.47") + .arg("--rust-target=1.56") .arg("--ctypes-prefix=::libc") .arg("--raw-line=use libc::*;") .arg("--no-derive-default") From 978435639b0e1a93a953a7f211216c33aaedc450 Mon Sep 17 00:00:00 2001 From: Lzu Tao Date: Fri, 16 Jun 2023 20:33:56 +0700 Subject: [PATCH 083/126] chore: simplify cfg attributes --- openssl/src/ssl/mod.rs | 4 ++-- openssl/src/ssl/test/mod.rs | 2 +- openssl/src/symm.rs | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 0feaced213..27e817f307 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -599,7 +599,7 @@ impl AlpnError { /// Terminate the handshake with a fatal alert. /// /// Requires OpenSSL 1.1.0 or newer. - #[cfg(any(ossl110))] + #[cfg(ossl110)] pub const ALERT_FATAL: AlpnError = AlpnError(ffi::SSL_TLSEXT_ERR_ALERT_FATAL); /// Do not select a protocol, but continue the handshake. @@ -2413,7 +2413,7 @@ impl SslRef { /// /// Requires OpenSSL 1.0.1 or 1.0.2. #[corresponds(SSL_set_tmp_ecdh_callback)] - #[cfg(any(all(ossl101, not(ossl110))))] + #[cfg(all(ossl101, not(ossl110)))] #[deprecated(note = "this function leaks memory and does not exist on newer OpenSSL versions")] pub fn set_tmp_ecdh_callback(&mut self, callback: F) where diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 39cc054df2..7707af238f 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -467,7 +467,7 @@ fn test_alpn_server_advertise_multiple() { } #[test] -#[cfg(any(ossl110))] +#[cfg(ossl110)] fn test_alpn_server_select_none_fatal() { let mut server = Server::builder(); server.ctx().set_alpn_select_callback(|_, client| { diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 8da341f7f6..c1dbdfee7b 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -1478,7 +1478,7 @@ mod tests { } #[test] - #[cfg(any(ossl110))] + #[cfg(ossl110)] fn test_chacha20() { let key = "0000000000000000000000000000000000000000000000000000000000000000"; let iv = "00000000000000000000000000000000"; @@ -1493,7 +1493,7 @@ mod tests { } #[test] - #[cfg(any(ossl110))] + #[cfg(ossl110)] fn test_chacha20_poly1305() { let key = "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"; let iv = "070000004041424344454647"; From 155b3dc71700d2ff31651bbc99b991765a718c4e Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 19 Jun 2023 13:10:09 -0400 Subject: [PATCH 084/126] Fix handling of empty host strings --- openssl/src/x509/verify.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index b0e22ef462..e8481c551c 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -120,9 +120,11 @@ impl X509VerifyParamRef { #[corresponds(X509_VERIFY_PARAM_set1_host)] pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> { unsafe { + // len == 0 means "run strlen" :( + let raw_host = if host.is_empty() { "\0" } else { host }; cvt(ffi::X509_VERIFY_PARAM_set1_host( self.as_ptr(), - host.as_ptr() as *const _, + raw_host.as_ptr() as *const _, host.len(), )) .map(|_| ()) From 983b9e210ac27895a39e0ed11a407b7936192313 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 20 Jun 2023 16:25:18 -0400 Subject: [PATCH 085/126] Release openssl v0.10.55 and openssl-sys v0.9.89 --- openssl-sys/CHANGELOG.md | 18 +++++++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 18 +++++++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 37 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 48029f8aab..13c3f32a6c 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,21 @@ ## [Unreleased] +## [v0.9.89] - 2023-06-20 + +### Fixed + +* Fixed compilation with recent versions of BoringSSL. + +### Added + +* Added support for detecting OpenSSL compiled with `OPENSSL_NO_OCB`. +* Added `EVP_PKEY_SM2` and `NID_sm2`. +* Added `EVP_PKEY_assign_RSA`, `EVP_PKEY_assign_DSA`, `EVP_PKEY_assign_DH`, and `EVP_PKEY_assign_EC_KEY`. +* Added `EC_GROUP_get_asn1_flag`. +* Expose `EC_POINT_get_affine_coordinates` on BoringSSL and LibreSSL. +* Added `EVP_PKEY_derive_set_peer_ex`. + ## [v0.9.88] - 2023-05-30 ### Added @@ -458,7 +473,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.89..master +[v0.9.89]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88...openssl-sys-v0.9.89 [v0.9.88]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87...openssl-sys-v0.9.88 [v0.9.87]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86...openssl-sys-v0.9.87 [v0.9.86]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.85...openssl-sys-v0.9.86 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 7589a3ca0e..0c261c5719 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.88" +version = "0.9.89" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 29af6ca816..a0622ecccd 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,21 @@ ## [Unreleased] +## [v0.10.55] - 2023-06-20 + +### Fixed + +* Fixed compilation with the latest version of BoringSSL. +* Fixed compilation when OpenSSL is compiled with `OPENSSL_NO_OCB`. +* Fixed a segfault in `X509VerifyParamRef::set_host` when called with an empty string. + +### Added + +* Added `Deriver::set_peer_ex`. +* Added `EcGroupRef::asn1_flag`. +* Exposed `EcPointRef::affine_coordinates` on BoringSSL and LibreSSL. +* Added `Nid::SM2` and `Id::SM2` + ## [v0.10.54] - 2023-05-31 ### Fixed @@ -761,7 +776,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...master +[v0.10.55]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...openssl-v0.10.55 [v0.10.54]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...openssl-v0.10.54 [v0.10.53]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 [v0.10.52]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.51...openssl-v0.10.52 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index c4367cd4c6..956d08cf9e 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.54" +version = "0.10.55" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.88", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.89", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From 28a3a31b17cb8fafc8970da59e386fc7487821a1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 20 Jun 2023 17:17:24 -0400 Subject: [PATCH 086/126] Fix regression in building BoringSSL This configuration is not currently tested. --- openssl-sys/CHANGELOG.md | 9 ++++++++- openssl-sys/Cargo.toml | 2 +- openssl-sys/build/run_bindgen.rs | 4 +++- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 13c3f32a6c..4554a58def 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,12 @@ ## [Unreleased] +## [v0.9.90] - 2023-06-20 + +### Fixed + +* Fixed compilation with BoringSSL when building with the bindgen CLI. + ## [v0.9.89] - 2023-06-20 ### Fixed @@ -473,7 +479,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.89..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.90..master +[v0.9.90]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.89...openssl-sys-v0.9.90 [v0.9.89]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88...openssl-sys-v0.9.89 [v0.9.88]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87...openssl-sys-v0.9.88 [v0.9.87]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.86...openssl-sys-v0.9.87 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 0c261c5719..4a22c918db 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.89" +version = "0.9.90" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 6743403161..5d307503f6 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -167,7 +167,9 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { bindgen_cmd .arg("-o") .arg(out_dir.join("bindgen.rs")) - .arg("--rust-target=1.56") + // Must be a valid version from + // https://docs.rs/bindgen/latest/bindgen/enum.RustTarget.html + .arg("--rust-target=1.47") .arg("--ctypes-prefix=::libc") .arg("--raw-line=use libc::*;") .arg("--no-derive-default") From 21afcf0b333dbbc1e48d9d9c018a862a66cafa5c Mon Sep 17 00:00:00 2001 From: Alex Page Date: Tue, 20 Jun 2023 21:58:49 -0400 Subject: [PATCH 087/126] bn: Add mod_sqrt --- openssl-sys/src/handwritten/bn.rs | 7 +++++++ openssl/src/bn.rs | 20 ++++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/openssl-sys/src/handwritten/bn.rs b/openssl-sys/src/handwritten/bn.rs index 5457f61710..03b1f9ccb5 100644 --- a/openssl-sys/src/handwritten/bn.rs +++ b/openssl-sys/src/handwritten/bn.rs @@ -73,6 +73,13 @@ extern "C" { m: *const BIGNUM, ctx: *mut BN_CTX, ) -> c_int; + #[cfg(ossl110)] + pub fn BN_mod_sqrt( + ret: *mut BIGNUM, + a: *const BIGNUM, + p: *const BIGNUM, + ctx: *mut BN_CTX, + ) -> *mut BIGNUM; pub fn BN_mod_word(r: *const BIGNUM, w: BN_ULONG) -> BN_ULONG; pub fn BN_div_word(r: *mut BIGNUM, w: BN_ULONG) -> BN_ULONG; diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index 5cfe4b375d..b501b45ffa 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -639,6 +639,26 @@ impl BigNumRef { } } + /// Places into `self` the modular square root of `a` such that `self^2 = a (mod p)` + #[corresponds(BN_mod_sqrt)] + #[cfg(ossl110)] + pub fn mod_sqrt( + &mut self, + a: &BigNumRef, + p: &BigNumRef, + ctx: &mut BigNumContextRef, + ) -> Result<(), ErrorStack> { + unsafe { + cvt_p(ffi::BN_mod_sqrt( + self.as_ptr(), + a.as_ptr(), + p.as_ptr(), + ctx.as_ptr(), + )) + .map(|_| ()) + } + } + /// Places the result of `a^p` in `self`. #[corresponds(BN_exp)] pub fn exp( From 3834005a4b99d280ffd27ea5d573755ddc9cc1ca Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 22 Jun 2023 10:06:25 -0700 Subject: [PATCH 088/126] Remove duplicate binding definitions --- openssl-sys/src/handwritten/evp.rs | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 4041d8b671..ad70e0578b 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -413,22 +413,6 @@ cfg_if! { pub fn EVP_PKEY_get_bits(key: *const EVP_PKEY) -> c_int; pub fn EVP_PKEY_get_security_bits(key: *const EVP_PKEY) -> c_int; } - - #[inline] - pub unsafe fn EVP_PKEY_id(pkey: *const EVP_PKEY) -> c_int { - EVP_PKEY_get_id(pkey) - } - - #[inline] - pub unsafe fn EVP_PKEY_bits(pkey: *const EVP_PKEY) -> c_int { - EVP_PKEY_get_bits(pkey) - } - - #[inline] - pub unsafe fn EVP_PKEY_security_bits(pkey: *const EVP_PKEY) -> c_int { - EVP_PKEY_get_security_bits(pkey) - } - } else { extern "C" { pub fn EVP_PKEY_id(pkey: *const EVP_PKEY) -> c_int; From 702319d1338d088d604571e67f06846e5423f23c Mon Sep 17 00:00:00 2001 From: Ming-Wei Shih Date: Mon, 19 Jun 2023 15:11:46 -0700 Subject: [PATCH 089/126] Support AES wrap and wrap_pad in Cipher Signed-off-by: Ming-Wei Shih --- openssl-sys/src/evp.rs | 3 + openssl-sys/src/handwritten/evp.rs | 13 +++ openssl/src/cipher.rs | 36 ++++++ openssl/src/cipher_ctx.rs | 180 +++++++++++++++++++++++++++++ 4 files changed, 232 insertions(+) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 56eaa4bbff..63a653cc49 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -27,6 +27,9 @@ pub const EVP_PKEY_POLY1305: c_int = NID_poly1305; #[cfg(ossl110)] pub const EVP_PKEY_HKDF: c_int = NID_hkdf; +#[cfg(ossl102)] +pub const EVP_CIPHER_CTX_FLAG_WRAP_ALLOW: c_int = 0x1; + pub const EVP_CTRL_GCM_SET_IVLEN: c_int = 0x9; pub const EVP_CTRL_GCM_GET_TAG: c_int = 0x10; pub const EVP_CTRL_GCM_SET_TAG: c_int = 0x11; diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 4041d8b671..6920510431 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -283,6 +283,7 @@ extern "C" { ptr: *mut c_void, ) -> c_int; pub fn EVP_CIPHER_CTX_rand_key(ctx: *mut EVP_CIPHER_CTX, key: *mut c_uchar) -> c_int; + pub fn EVP_CIPHER_CTX_set_flags(ctx: *mut EVP_CIPHER_CTX, flags: c_int); pub fn EVP_md_null() -> *const EVP_MD; pub fn EVP_md5() -> *const EVP_MD; @@ -329,6 +330,10 @@ extern "C" { pub fn EVP_aes_128_ofb() -> *const EVP_CIPHER; #[cfg(ossl110)] pub fn EVP_aes_128_ocb() -> *const EVP_CIPHER; + #[cfg(ossl102)] + pub fn EVP_aes_128_wrap() -> *const EVP_CIPHER; + #[cfg(ossl110)] + pub fn EVP_aes_128_wrap_pad() -> *const EVP_CIPHER; pub fn EVP_aes_192_ecb() -> *const EVP_CIPHER; pub fn EVP_aes_192_cbc() -> *const EVP_CIPHER; pub fn EVP_aes_192_cfb1() -> *const EVP_CIPHER; @@ -340,6 +345,10 @@ extern "C" { pub fn EVP_aes_192_ofb() -> *const EVP_CIPHER; #[cfg(ossl110)] pub fn EVP_aes_192_ocb() -> *const EVP_CIPHER; + #[cfg(ossl102)] + pub fn EVP_aes_192_wrap() -> *const EVP_CIPHER; + #[cfg(ossl110)] + pub fn EVP_aes_192_wrap_pad() -> *const EVP_CIPHER; pub fn EVP_aes_256_ecb() -> *const EVP_CIPHER; pub fn EVP_aes_256_cbc() -> *const EVP_CIPHER; pub fn EVP_aes_256_cfb1() -> *const EVP_CIPHER; @@ -352,6 +361,10 @@ extern "C" { pub fn EVP_aes_256_ofb() -> *const EVP_CIPHER; #[cfg(ossl110)] pub fn EVP_aes_256_ocb() -> *const EVP_CIPHER; + #[cfg(ossl102)] + pub fn EVP_aes_256_wrap() -> *const EVP_CIPHER; + #[cfg(ossl110)] + pub fn EVP_aes_256_wrap_pad() -> *const EVP_CIPHER; #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn EVP_chacha20() -> *const EVP_CIPHER; #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index 87f7660cde..8677886e16 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -191,6 +191,18 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_ocb() as *mut _) } } + /// Requires OpenSSL 1.0.2 or newer. + #[cfg(ossl102)] + pub fn aes_128_wrap() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_wrap() as *mut _) } + } + + /// Requires OpenSSL 1.1.0 or newer. + #[cfg(ossl110)] + pub fn aes_128_wrap_pad() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_wrap_pad() as *mut _) } + } + pub fn aes_192_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_aes_192_ecb() as *mut _) } } @@ -236,6 +248,18 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_aes_192_ocb() as *mut _) } } + /// Requires OpenSSL 1.0.2 or newer. + #[cfg(ossl102)] + pub fn aes_192_wrap() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_aes_192_wrap() as *mut _) } + } + + /// Requires OpenSSL 1.1.0 or newer. + #[cfg(ossl110)] + pub fn aes_192_wrap_pad() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_aes_192_wrap_pad() as *mut _) } + } + pub fn aes_256_ecb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_aes_256_ecb() as *mut _) } } @@ -281,6 +305,18 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_aes_256_ocb() as *mut _) } } + /// Requires OpenSSL 1.0.2 or newer. + #[cfg(ossl102)] + pub fn aes_256_wrap() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_aes_256_wrap() as *mut _) } + } + + /// Requires OpenSSL 1.1.0 or newer. + #[cfg(ossl110)] + pub fn aes_256_wrap_pad() -> &'static CipherRef { + unsafe { CipherRef::from_ptr(ffi::EVP_aes_256_wrap_pad() as *mut _) } + } + #[cfg(not(osslconf = "OPENSSL_NO_BF"))] pub fn bf_cbc() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_bf_cbc() as *mut _) } diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 216c09e5b0..56d0d26700 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -55,6 +55,8 @@ use crate::error::ErrorStack; #[cfg(not(boringssl))] use crate::pkey::{HasPrivate, HasPublic, PKey, PKeyRef}; use crate::{cvt, cvt_p}; +#[cfg(ossl102)] +use bitflags::bitflags; use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_int, c_uchar}; @@ -80,6 +82,15 @@ foreign_type_and_impl_send_sync! { pub struct CipherCtxRef; } +#[cfg(ossl102)] +bitflags! { + /// Flags for `EVP_CIPHER_CTX`. + pub struct CipherCtxFlags : c_int { + /// The flag used to opt into AES key wrap ciphers. + const FLAG_WRAP_ALLOW = ffi::EVP_CIPHER_CTX_FLAG_WRAP_ALLOW; + } +} + impl CipherCtx { /// Creates a new context. #[corresponds(EVP_CIPHER_CTX_new)] @@ -509,6 +520,17 @@ impl CipherCtxRef { Ok(()) } + /// Set ctx flags. + /// + /// This function is currently used to enable AES key wrap feature supported by OpenSSL 1.0.2 or newer. + #[corresponds(EVP_CIPHER_CTX_set_flags)] + #[cfg(ossl102)] + pub fn set_flags(&mut self, flags: CipherCtxFlags) { + unsafe { + ffi::EVP_CIPHER_CTX_set_flags(self.as_ptr(), flags.bits()); + } + } + /// Writes data into the context. /// /// Providing no output buffer will cause the input to be considered additional authenticated data (AAD). @@ -915,4 +937,162 @@ mod test { ctx.cipher_update(&vec![0; block_size + 1], Some(&mut vec![0; block_size - 1])) .unwrap(); } + + #[cfg(ossl102)] + fn cipher_wrap_test(cipher: &CipherRef, pt: &str, ct: &str, key: &str, iv: Option<&str>) { + let pt = hex::decode(pt).unwrap(); + let key = hex::decode(key).unwrap(); + let expected = hex::decode(ct).unwrap(); + let iv = iv.map(|v| hex::decode(v).unwrap()); + let padding = 8 - pt.len() % 8; + let mut computed = vec![0; pt.len() + padding + cipher.block_size() * 2]; + let mut ctx = CipherCtx::new().unwrap(); + + ctx.set_flags(CipherCtxFlags::FLAG_WRAP_ALLOW); + ctx.encrypt_init(Some(cipher), Some(&key), iv.as_deref()) + .unwrap(); + + let count = ctx.cipher_update(&pt, Some(&mut computed)).unwrap(); + let rest = ctx.cipher_final(&mut computed[count..]).unwrap(); + computed.truncate(count + rest); + + if computed != expected { + println!("Computed: {}", hex::encode(&computed)); + println!("Expected: {}", hex::encode(&expected)); + if computed.len() != expected.len() { + println!( + "Lengths differ: {} in computed vs {} expected", + computed.len(), + expected.len() + ); + } + panic!("test failure"); + } + } + + #[test] + #[cfg(ossl102)] + fn test_aes128_wrap() { + let pt = "00112233445566778899aabbccddeeff"; + let ct = "7940ff694448b5bb5139c959a4896832e55d69aa04daa27e"; + let key = "2b7e151628aed2a6abf7158809cf4f3c"; + let iv = "0001020304050607"; + + cipher_wrap_test(Cipher::aes_128_wrap(), pt, ct, key, Some(iv)); + } + + #[test] + #[cfg(ossl102)] + fn test_aes128_wrap_default_iv() { + let pt = "00112233445566778899aabbccddeeff"; + let ct = "38f1215f0212526f8a70b51955b9fbdc9fe3041d9832306e"; + let key = "2b7e151628aed2a6abf7158809cf4f3c"; + + cipher_wrap_test(Cipher::aes_128_wrap(), pt, ct, key, None); + } + + #[test] + #[cfg(ossl110)] + fn test_aes128_wrap_pad() { + let pt = "00112233445566778899aabbccddee"; + let ct = "f13998f5ab32ef82a1bdbcbe585e1d837385b529572a1e1b"; + let key = "2b7e151628aed2a6abf7158809cf4f3c"; + let iv = "00010203"; + + cipher_wrap_test(Cipher::aes_128_wrap_pad(), pt, ct, key, Some(iv)); + } + + #[test] + #[cfg(ossl110)] + fn test_aes128_wrap_pad_default_iv() { + let pt = "00112233445566778899aabbccddee"; + let ct = "3a501085fb8cf66f4186b7df851914d471ed823411598add"; + let key = "2b7e151628aed2a6abf7158809cf4f3c"; + + cipher_wrap_test(Cipher::aes_128_wrap_pad(), pt, ct, key, None); + } + + #[test] + #[cfg(ossl102)] + fn test_aes192_wrap() { + let pt = "9f6dee187d35302116aecbfd059657efd9f7589c4b5e7f5b"; + let ct = "83b89142dfeeb4871e078bfb81134d33e23fedc19b03a1cf689973d3831b6813"; + let key = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"; + let iv = "0001020304050607"; + + cipher_wrap_test(Cipher::aes_192_wrap(), pt, ct, key, Some(iv)); + } + + #[test] + #[cfg(ossl102)] + fn test_aes192_wrap_default_iv() { + let pt = "9f6dee187d35302116aecbfd059657efd9f7589c4b5e7f5b"; + let ct = "c02c2cf11505d3e4851030d5534cbf5a1d7eca7ba8839adbf239756daf1b43e6"; + let key = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"; + + cipher_wrap_test(Cipher::aes_192_wrap(), pt, ct, key, None); + } + + #[test] + #[cfg(ossl110)] + fn test_aes192_wrap_pad() { + let pt = "00112233445566778899aabbccddee"; + let ct = "b4f6bb167ef7caf061a74da82b36ad038ca057ab51e98d3a"; + let key = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"; + let iv = "00010203"; + + cipher_wrap_test(Cipher::aes_192_wrap_pad(), pt, ct, key, Some(iv)); + } + + #[test] + #[cfg(ossl110)] + fn test_aes192_wrap_pad_default_iv() { + let pt = "00112233445566778899aabbccddee"; + let ct = "b2c37a28cc602753a7c944a4c2555a2df9c98b2eded5312e"; + let key = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"; + + cipher_wrap_test(Cipher::aes_192_wrap_pad(), pt, ct, key, None); + } + + #[test] + #[cfg(ossl102)] + fn test_aes256_wrap() { + let pt = "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"; + let ct = "cc05da2a7f56f7dd0c144231f90bce58648fa20a8278f5a6b7d13bba6aa57a33229d4333866b7fd6"; + let key = "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"; + let iv = "0001020304050607"; + + cipher_wrap_test(Cipher::aes_256_wrap(), pt, ct, key, Some(iv)); + } + + #[test] + #[cfg(ossl102)] + fn test_aes256_wrap_default_iv() { + let pt = "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"; + let ct = "0b24f068b50e52bc6987868411c36e1b03900866ed12af81eb87cef70a8d1911731c1d7abf789d88"; + let key = "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"; + + cipher_wrap_test(Cipher::aes_256_wrap(), pt, ct, key, None); + } + + #[test] + #[cfg(ossl110)] + fn test_aes256_wrap_pad() { + let pt = "00112233445566778899aabbccddee"; + let ct = "91594e044ccc06130d60e6c84a996aa4f96a9faff8c5f6e7"; + let key = "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"; + let iv = "00010203"; + + cipher_wrap_test(Cipher::aes_256_wrap_pad(), pt, ct, key, Some(iv)); + } + + #[test] + #[cfg(ossl110)] + fn test_aes256_wrap_pad_default_iv() { + let pt = "00112233445566778899aabbccddee"; + let ct = "dc3c166a854afd68aea624a4272693554bf2e4fcbae602cd"; + let key = "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"; + + cipher_wrap_test(Cipher::aes_256_wrap_pad(), pt, ct, key, None); + } } From fa460ea62bc47404d1f2ef297e8ebd8c3a802892 Mon Sep 17 00:00:00 2001 From: Alex Page Date: Fri, 23 Jun 2023 00:35:30 -0400 Subject: [PATCH 090/126] bn: Add simple test for mod_sqrt --- openssl/src/bn.rs | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index b501b45ffa..b406668a0f 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -1475,4 +1475,17 @@ mod tests { b.set_const_time(); assert!(b.is_const_time()) } + + #[cfg(ossl110)] + #[test] + fn test_mod_sqrt() { + let mut ctx = BigNumContext::new().unwrap(); + + let s = BigNum::from_hex_str("47A8DD7626B9908C80ACD7E0D3344D69").unwrap(); + let p = BigNum::from_hex_str("81EF47265B58BCE5").unwrap(); + let mut out = BigNum::new().unwrap(); + + out.mod_sqrt(&s, &p, &mut ctx).unwrap(); + assert_eq!(out, BigNum::from_hex_str("7C6D179E19B97BDD").unwrap()); + } } From 4c19f4b6f9de20b3020c0f110a29882fdd109b87 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 24 Jun 2023 23:48:27 -0400 Subject: [PATCH 091/126] Allow setting the MD on signature PkeyCtx --- openssl-sys/src/evp.rs | 14 +++++++++++ openssl-sys/src/handwritten/evp.rs | 3 +++ openssl/src/pkey_ctx.rs | 40 +++++++++++++++++++++++++++++- 3 files changed, 56 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 56eaa4bbff..41c1caf518 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -186,6 +186,8 @@ pub const EVP_PKEY_OP_TYPE_SIG: c_int = EVP_PKEY_OP_SIGN pub const EVP_PKEY_OP_TYPE_CRYPT: c_int = EVP_PKEY_OP_ENCRYPT | EVP_PKEY_OP_DECRYPT; +pub const EVP_PKEY_CTRL_MD: c_int = 1; + pub const EVP_PKEY_CTRL_SET_MAC_KEY: c_int = 6; pub const EVP_PKEY_CTRL_CIPHER: c_int = 12; @@ -288,6 +290,18 @@ pub unsafe fn EVP_PKEY_CTX_add1_hkdf_info( ) } +#[cfg(all(not(ossl300), not(boringssl)))] +pub unsafe fn EVP_PKEY_CTX_set_signature_md(cxt: *mut EVP_PKEY_CTX, md: *mut EVP_MD) -> c_int { + EVP_PKEY_CTX_ctrl( + cxt, + -1, + EVP_PKEY_OP_TYPE_SIG, + EVP_PKEY_CTRL_MD, + 0, + md as *mut c_void, + ) +} + pub unsafe fn EVP_PKEY_assign_RSA(pkey: *mut EVP_PKEY, rsa: *mut RSA) -> c_int { EVP_PKEY_assign(pkey, EVP_PKEY_RSA, rsa as *mut c_void) } diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index ad70e0578b..190ffc26f8 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -497,6 +497,9 @@ extern "C" { p2: *mut c_void, ) -> c_int; + #[cfg(ossl300)] + pub fn EVP_PKEY_CTX_set_signature_md(ctx: *mut EVP_PKEY_CTX, md: *const EVP_MD) -> c_int; + pub fn EVP_PKEY_new_mac_key( type_: c_int, e: *mut ENGINE, diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index aba8a66a32..8f7a10515d 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -351,6 +351,22 @@ impl PkeyCtxRef { Ok(()) } + /// Sets which algorithm was used to compute the digest used in a + /// signature. With RSA signatures this causes the signature to be wrapped + /// in a `DigestInfo` structure. This is almost always what you want with + /// RSA signatures. + #[corresponds(EVP_PKEY_CTX_set_signature_md)] + #[inline] + pub fn set_signature_md(&self, md: &MdRef) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::EVP_PKEY_CTX_set_signature_md( + self.as_ptr(), + md.as_ptr(), + ))?; + } + Ok(()) + } + /// Returns the RSA padding mode in use. /// /// This is only useful for RSA keys. @@ -641,11 +657,12 @@ mod test { #[cfg(not(boringssl))] use crate::cipher::Cipher; use crate::ec::{EcGroup, EcKey}; - #[cfg(any(ossl102, libressl310, boringssl))] + use crate::hash::{hash, MessageDigest}; use crate::md::Md; use crate::nid::Nid; use crate::pkey::PKey; use crate::rsa::Rsa; + use crate::sign::Verifier; #[test] fn rsa() { @@ -698,6 +715,27 @@ mod test { assert_eq!(pt, out); } + #[test] + fn rsa_sign() { + let key = include_bytes!("../test/rsa.pem"); + let rsa = Rsa::private_key_from_pem(key).unwrap(); + let pkey = PKey::from_rsa(rsa).unwrap(); + + let mut ctx = PkeyCtx::new(&pkey).unwrap(); + ctx.sign_init().unwrap(); + ctx.set_rsa_padding(Padding::PKCS1).unwrap(); + ctx.set_signature_md(Md::sha384()).unwrap(); + + let msg = b"hello world"; + let digest = hash(MessageDigest::sha384(), msg).unwrap(); + let mut signature = vec![]; + ctx.sign_to_vec(&digest, &mut signature).unwrap(); + + let mut verifier = Verifier::new(MessageDigest::sha384(), &pkey).unwrap(); + verifier.update(msg).unwrap(); + assert!(matches!(verifier.verify(&signature), Ok(true))); + } + #[test] fn derive() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); From c10bbd094cd9c34e160044b3d54c0597a2a30ed0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 25 Jun 2023 10:21:13 -0400 Subject: [PATCH 092/126] Added set_rsa_pss_saltlen to PkeyCtx --- openssl/src/pkey_ctx.rs | 42 +++++++++++++++++++++++++++++++++++++++++ openssl/src/sign.rs | 2 +- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index 8f7a10515d..3c6c7430c5 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -70,6 +70,7 @@ use crate::error::ErrorStack; use crate::md::MdRef; use crate::pkey::{HasPrivate, HasPublic, Id, PKey, PKeyRef, Private}; use crate::rsa::Padding; +use crate::sign::RsaPssSaltlen; use crate::{cvt, cvt_n, cvt_p}; use foreign_types::{ForeignType, ForeignTypeRef}; #[cfg(not(boringssl))] @@ -397,6 +398,21 @@ impl PkeyCtxRef { Ok(()) } + /// Sets the RSA PSS salt length. + /// + /// This is only useful for RSA keys. + #[corresponds(EVP_PKEY_CTX_set_rsa_pss_saltlen)] + #[inline] + pub fn set_rsa_pss_saltlen(&mut self, len: RsaPssSaltlen) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::EVP_PKEY_CTX_set_rsa_pss_saltlen( + self.as_ptr(), + len.as_raw(), + )) + .map(|_| ()) + } + } + /// Sets the RSA MGF1 algorithm. /// /// This is only useful for RSA keys. @@ -736,6 +752,32 @@ mod test { assert!(matches!(verifier.verify(&signature), Ok(true))); } + #[test] + fn rsa_sign_pss() { + let key = include_bytes!("../test/rsa.pem"); + let rsa = Rsa::private_key_from_pem(key).unwrap(); + let pkey = PKey::from_rsa(rsa).unwrap(); + + let mut ctx = PkeyCtx::new(&pkey).unwrap(); + ctx.sign_init().unwrap(); + ctx.set_rsa_padding(Padding::PKCS1_PSS).unwrap(); + ctx.set_signature_md(Md::sha384()).unwrap(); + ctx.set_rsa_pss_saltlen(RsaPssSaltlen::custom(14)).unwrap(); + + let msg = b"hello world"; + let digest = hash(MessageDigest::sha384(), msg).unwrap(); + let mut signature = vec![]; + ctx.sign_to_vec(&digest, &mut signature).unwrap(); + + let mut verifier = Verifier::new(MessageDigest::sha384(), &pkey).unwrap(); + verifier.set_rsa_padding(Padding::PKCS1_PSS).unwrap(); + verifier + .set_rsa_pss_saltlen(RsaPssSaltlen::custom(14)) + .unwrap(); + verifier.update(msg).unwrap(); + assert!(matches!(verifier.verify(&signature), Ok(true))); + } + #[test] fn derive() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index a32f5c9144..1c770d18b7 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -93,7 +93,7 @@ pub struct RsaPssSaltlen(c_int); impl RsaPssSaltlen { /// Returns the integer representation of `RsaPssSaltlen`. - fn as_raw(&self) -> c_int { + pub(crate) fn as_raw(&self) -> c_int { self.0 } From 246389861bbf6d82f87ab9a370370ddea9c54aea Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 25 Jun 2023 13:23:09 -0400 Subject: [PATCH 093/126] Added is_even and is_odd on BN --- openssl-sys/src/handwritten/bn.rs | 2 ++ openssl/src/bn.rs | 27 +++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/openssl-sys/src/handwritten/bn.rs b/openssl-sys/src/handwritten/bn.rs index 03b1f9ccb5..fc42c13946 100644 --- a/openssl-sys/src/handwritten/bn.rs +++ b/openssl-sys/src/handwritten/bn.rs @@ -32,6 +32,8 @@ extern "C" { pub fn BN_set_negative(bn: *mut BIGNUM, n: c_int); #[cfg(any(ossl110, libressl350))] pub fn BN_is_negative(b: *const BIGNUM) -> c_int; + #[cfg(any(ossl110, libressl350))] + pub fn BN_is_odd(b: *const BIGNUM) -> c_int; pub fn BN_div( dv: *mut BIGNUM, diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index b406668a0f..c75fac1d70 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -335,6 +335,20 @@ impl BigNumRef { unsafe { BN_is_negative(self.as_ptr()) == 1 } } + /// Returns `true` is `self` is even. + #[corresponds(BN_is_even)] + #[cfg(any(ossl110, boringssl, libressl350))] + pub fn is_even(&self) -> bool { + !self.is_odd() + } + + /// Returns `true` is `self` is odd. + #[corresponds(BN_is_odd)] + #[cfg(any(ossl110, boringssl, libressl350))] + pub fn is_odd(&self) -> bool { + unsafe { ffi::BN_is_odd(self.as_ptr()) == 1 } + } + /// Returns the number of significant bits in `self`. #[corresponds(BN_num_bits)] #[allow(clippy::unnecessary_cast)] @@ -1488,4 +1502,17 @@ mod tests { out.mod_sqrt(&s, &p, &mut ctx).unwrap(); assert_eq!(out, BigNum::from_hex_str("7C6D179E19B97BDD").unwrap()); } + + #[test] + #[cfg(any(ossl110, boringssl, libressl350))] + fn test_odd_even() { + let a = BigNum::from_u32(17).unwrap(); + let b = BigNum::from_u32(18).unwrap(); + + assert!(a.is_odd()); + assert!(!b.is_odd()); + + assert!(!a.is_even()); + assert!(b.is_even()); + } } From 9eafd8221edff79bac0d883875926c862d2d94bc Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 23 Jun 2023 17:19:17 -0400 Subject: [PATCH 094/126] Correctly handle errors being on the stack when EVP_PKEY_verify returns 0 --- openssl/src/pkey_ctx.rs | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index 3c6c7430c5..3e1a67426c 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -71,7 +71,7 @@ use crate::md::MdRef; use crate::pkey::{HasPrivate, HasPublic, Id, PKey, PKeyRef, Private}; use crate::rsa::Padding; use crate::sign::RsaPssSaltlen; -use crate::{cvt, cvt_n, cvt_p}; +use crate::{cvt, cvt_p}; use foreign_types::{ForeignType, ForeignTypeRef}; #[cfg(not(boringssl))] use libc::c_int; @@ -210,13 +210,25 @@ where #[inline] pub fn verify(&mut self, data: &[u8], sig: &[u8]) -> Result { unsafe { - let r = cvt_n(ffi::EVP_PKEY_verify( + let r = ffi::EVP_PKEY_verify( self.as_ptr(), sig.as_ptr(), sig.len(), data.as_ptr(), data.len(), - ))?; + ); + // `EVP_PKEY_verify` is not terribly consistent about how it, + // reports errors. It does not clearly distinguish between 0 and + // -1, and may put errors on the stack in both cases. If there's + // errors on the stack, we return `Err()`, else we return + // `Ok(false)`. + if r <= 0 { + let errors = ErrorStack::get(); + if !errors.errors().is_empty() { + return Err(errors); + } + } + Ok(r == 1) } } @@ -889,5 +901,19 @@ mod test { ctx.verify_init().unwrap(); let valid = ctx.verify(bad_data, &signature).unwrap(); assert!(!valid); + assert!(ErrorStack::get().errors().is_empty()); + } + + #[test] + fn verify_fail_ec() { + let key1 = + EcKey::generate(&EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap()).unwrap(); + let key1 = PKey::from_ec_key(key1).unwrap(); + + let data = b"Some Crypto Text"; + let mut ctx = PkeyCtx::new(&key1).unwrap(); + ctx.verify_init().unwrap(); + assert!(matches!(ctx.verify(data, &[0; 64]), Ok(false) | Err(_))); + assert!(ErrorStack::get().errors().is_empty()); } } From 813cdf62891aff0bb320d976eab46f7dc3f0aa06 Mon Sep 17 00:00:00 2001 From: Michael Farrell Date: Tue, 27 Jun 2023 18:32:47 +1000 Subject: [PATCH 095/126] Allow running vcpkg on any windows target --- openssl-sys/Cargo.toml | 2 -- openssl-sys/build/find_normal.rs | 9 +++++---- openssl-sys/build/main.rs | 1 - 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 4a22c918db..9b102fa8dc 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -27,8 +27,6 @@ bindgen = { version = "0.64.0", optional = true, features = ["experimental"] } cc = "1.0.61" openssl-src = { version = "111", optional = true } pkg-config = "0.3.9" - -[target.'cfg(target_env = "msvc")'.build-dependencies] vcpkg = "0.2.8" # We don't actually use metadeps for annoying reasons but this is still here for tooling diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 791fc33985..ff25ac6412 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -232,8 +232,12 @@ fn try_pkg_config() { /// /// Note that if this succeeds then the function does not return as vcpkg /// should emit all of the cargo metadata that we need. -#[cfg(target_env = "msvc")] fn try_vcpkg() { + let target = env::var("TARGET").unwrap(); + if !target.contains("windows") { + return; + } + // vcpkg will not emit any metadata if it can not find libraries // appropriate for the target triple with the desired linkage. @@ -257,9 +261,6 @@ fn try_vcpkg() { process::exit(0); } -#[cfg(not(target_env = "msvc"))] -fn try_vcpkg() {} - fn execute_command_and_get_output(cmd: &str, args: &[&str]) -> Option { let out = Command::new(cmd).args(args).output(); if let Ok(ref r1) = out { diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 3359165a33..21ccf3d037 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -4,7 +4,6 @@ extern crate cc; #[cfg(feature = "vendored")] extern crate openssl_src; extern crate pkg_config; -#[cfg(target_env = "msvc")] extern crate vcpkg; use std::collections::HashSet; From 7faa7d590fec01986c5f9b86df651036ba95f6d2 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Camguilhem Date: Tue, 27 Jun 2023 15:43:59 +0200 Subject: [PATCH 096/126] OpenBSD case, specify /usr to find_openssl_dir --- openssl-sys/build/find_normal.rs | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 791fc33985..1f6e718db7 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -97,6 +97,11 @@ fn find_openssl_dir(target: &str) -> OsString { return OsString::from("/usr"); } + // OpenBSD ships with OpenSSL but doesn't include a pkg-config file :( + if host == target && target.contains("openbsd") { + return OsString::from("/usr"); + } + // DragonFly has libressl (or openssl) in ports, but this doesn't include a pkg-config file if host == target && target.contains("dragonfly") { return OsString::from("/usr/local"); From 02d70b5135b38ccf0455867a44ba2697b270cfd6 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Camguilhem Date: Tue, 27 Jun 2023 15:46:09 +0200 Subject: [PATCH 097/126] improve comment --- openssl-sys/build/find_normal.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 1f6e718db7..16d1908783 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -97,7 +97,7 @@ fn find_openssl_dir(target: &str) -> OsString { return OsString::from("/usr"); } - // OpenBSD ships with OpenSSL but doesn't include a pkg-config file :( + // OpenBSD ships with LibreSSL but doesn't include a pkg-config file :( if host == target && target.contains("openbsd") { return OsString::from("/usr"); } From 86f0a0b82aa01cee172e93300c3cbd8b483ea701 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Camguilhem Date: Tue, 27 Jun 2023 16:19:26 +0200 Subject: [PATCH 098/126] https://github.com/sfackler/rust-openssl/pull/1983#discussion_r1243795604 --- openssl-sys/build/find_normal.rs | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 16d1908783..99e84ce531 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -92,13 +92,8 @@ fn find_openssl_dir(target: &str) -> OsString { try_pkg_config(); try_vcpkg(); - // FreeBSD ships with OpenSSL but doesn't include a pkg-config file :( - if host == target && target.contains("freebsd") { - return OsString::from("/usr"); - } - - // OpenBSD ships with LibreSSL but doesn't include a pkg-config file :( - if host == target && target.contains("openbsd") { + // FreeBSD and OpenBSD ship with Libre|OpenSSL but don't include a pkg-config file + if host == target && target.contains("freebsd") || target.contains("openbsd")) { return OsString::from("/usr"); } From 101331555013099dec60e1b9af7c143b9aafc0fa Mon Sep 17 00:00:00 2001 From: Jean-Philippe Camguilhem Date: Tue, 27 Jun 2023 16:24:26 +0200 Subject: [PATCH 099/126] oups fix missing '('! /o\ --- openssl-sys/build/find_normal.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 99e84ce531..3ca192c936 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -93,7 +93,7 @@ fn find_openssl_dir(target: &str) -> OsString { try_vcpkg(); // FreeBSD and OpenBSD ship with Libre|OpenSSL but don't include a pkg-config file - if host == target && target.contains("freebsd") || target.contains("openbsd")) { + if host == target && target.contains(("freebsd") || target.contains("openbsd")) { return OsString::from("/usr"); } From 92d23a63897378ddb6594982a585001c18e502b0 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Camguilhem Date: Tue, 27 Jun 2023 16:29:10 +0200 Subject: [PATCH 100/126] fix bad parenthesis --- openssl-sys/build/find_normal.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 3ca192c936..624e8e425d 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -93,7 +93,7 @@ fn find_openssl_dir(target: &str) -> OsString { try_vcpkg(); // FreeBSD and OpenBSD ship with Libre|OpenSSL but don't include a pkg-config file - if host == target && target.contains(("freebsd") || target.contains("openbsd")) { + if host == target && (target.contains("freebsd") || target.contains("openbsd")) { return OsString::from("/usr"); } From e89f0870645e1417fdff348b346ec0616ead1f94 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Camguilhem Date: Tue, 27 Jun 2023 16:36:00 +0200 Subject: [PATCH 101/126] fmt: remove trailing space --- openssl-sys/build/find_normal.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 624e8e425d..3508d68bdd 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -92,7 +92,7 @@ fn find_openssl_dir(target: &str) -> OsString { try_pkg_config(); try_vcpkg(); - // FreeBSD and OpenBSD ship with Libre|OpenSSL but don't include a pkg-config file + // FreeBSD and OpenBSD ship with Libre|OpenSSL but don't include a pkg-config file if host == target && (target.contains("freebsd") || target.contains("openbsd")) { return OsString::from("/usr"); } From 9ac03bce4b3e058633761b66a85a7d014a396d38 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 28 Jun 2023 21:44:10 -0400 Subject: [PATCH 102/126] Added support for recovering signed data from signatures --- openssl-sys/src/handwritten/evp.rs | 8 +++ openssl/src/pkey_ctx.rs | 83 ++++++++++++++++++++++++++++++ 2 files changed, 91 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 65b809b917..7da92eeeb8 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -572,6 +572,14 @@ extern "C" { pin: *const c_uchar, pinlen: size_t, ) -> c_int; + pub fn EVP_PKEY_verify_recover_init(ctx: *mut EVP_PKEY_CTX) -> c_int; + pub fn EVP_PKEY_verify_recover( + ctx: *mut EVP_PKEY_CTX, + rout: *mut c_uchar, + routlen: *mut size_t, + sig: *const c_uchar, + siglen: size_t, + ) -> c_int; } const_ptr_api! { diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index 3e1a67426c..39bb406a5e 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -165,6 +165,17 @@ where Ok(()) } + /// Prepares the context for signature recovery using the public key. + #[corresponds(EVP_PKEY_verify_recover_init)] + #[inline] + pub fn verify_recover_init(&mut self) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::EVP_PKEY_verify_recover_init(self.as_ptr()))?; + } + + Ok(()) + } + /// Encrypts data using the public key. /// /// If `to` is set to `None`, an upper bound on the number of bytes required for the output buffer will be @@ -232,6 +243,32 @@ where Ok(r == 1) } } + + /// Recovers the original data signed by the private key. You almost + /// always want `verify` instead. + /// + /// Returns the number of bytes written to `to`, or the number of bytes + /// that would be written, if `to` is `None. + #[corresponds(EVP_PKEY_verify_recover)] + #[inline] + pub fn verify_recover( + &mut self, + sig: &[u8], + to: Option<&mut [u8]>, + ) -> Result { + let mut written = to.as_ref().map_or(0, |b| b.len()); + unsafe { + cvt(ffi::EVP_PKEY_verify_recover( + self.as_ptr(), + to.map_or(ptr::null_mut(), |b| b.as_mut_ptr()), + &mut written, + sig.as_ptr(), + sig.len(), + ))?; + } + + Ok(written) + } } impl PkeyCtxRef @@ -916,4 +953,50 @@ mod test { assert!(matches!(ctx.verify(data, &[0; 64]), Ok(false) | Err(_))); assert!(ErrorStack::get().errors().is_empty()); } + + #[test] + fn test_verify_recover() { + let key = Rsa::generate(2048).unwrap(); + let key = PKey::from_rsa(key).unwrap(); + + let digest = [ + 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, + 24, 25, 26, 27, 28, 29, 30, 31, + ]; + + let mut ctx = PkeyCtx::new(&key).unwrap(); + ctx.sign_init().unwrap(); + ctx.set_rsa_padding(Padding::PKCS1).unwrap(); + ctx.set_signature_md(Md::sha256()).unwrap(); + let mut signature = vec![]; + ctx.sign_to_vec(&digest, &mut signature).unwrap(); + + // Attempt recovery of just the digest. + let mut ctx = PkeyCtx::new(&key).unwrap(); + ctx.verify_recover_init().unwrap(); + ctx.set_rsa_padding(Padding::PKCS1).unwrap(); + ctx.set_signature_md(Md::sha256()).unwrap(); + let length = ctx.verify_recover(&signature, None).unwrap(); + let mut result_buf = vec![0; length]; + let length = ctx + .verify_recover(&signature, Some(&mut result_buf)) + .unwrap(); + assert_eq!(length, digest.len()); + // result_buf contains the digest + assert_eq!(result_buf[..length], digest); + + // Attempt recovery of teh entire DigestInfo + let mut ctx = PkeyCtx::new(&key).unwrap(); + ctx.verify_recover_init().unwrap(); + ctx.set_rsa_padding(Padding::PKCS1).unwrap(); + let length = ctx.verify_recover(&signature, None).unwrap(); + let mut result_buf = vec![0; length]; + let length = ctx + .verify_recover(&signature, Some(&mut result_buf)) + .unwrap(); + // 32-bytes of SHA256 digest + the ASN.1 DigestInfo structure == 51 bytes + assert_eq!(length, 51); + // The digest is the end of the DigestInfo structure. + assert_eq!(result_buf[length - digest.len()..length], digest); + } } From 8ae5dcf463126c966c329bcfba770c4635f91d2c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 29 Jun 2023 08:52:30 -0400 Subject: [PATCH 103/126] Expose PkeyCtx::set_rsa_oaep_md on BoringSSL --- openssl/src/pkey_ctx.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index 39bb406a5e..dffad039bb 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -482,7 +482,7 @@ impl PkeyCtxRef { /// /// This is only useful for RSA keys. #[corresponds(EVP_PKEY_CTX_set_rsa_oaep_md)] - #[cfg(any(ossl102, libressl310))] + #[cfg(any(ossl102, libressl310, boringssl))] #[inline] pub fn set_rsa_oaep_md(&mut self, md: &MdRef) -> Result<(), ErrorStack> { unsafe { @@ -753,7 +753,7 @@ mod test { } #[test] - #[cfg(any(ossl102, libressl310))] + #[cfg(any(ossl102, libressl310, boringssl))] fn rsa_oaep() { let key = include_bytes!("../test/rsa.pem"); let rsa = Rsa::private_key_from_pem(key).unwrap(); From 3dd78a71553e3d9d12baf21abf5ffec0db07b879 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 5 Jul 2023 07:07:36 -0400 Subject: [PATCH 104/126] Expose Cipher::aes_128_gcm on boringssl --- openssl/src/cipher.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index 8677886e16..d26b93c261 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -170,7 +170,6 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_cfb8() as *mut _) } } - #[cfg(not(boringssl))] pub fn aes_128_gcm() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_gcm() as *mut _) } } From f951978a7154417bf98623c7bc2105d8ef724ae7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 5 Jul 2023 07:13:40 -0400 Subject: [PATCH 105/126] Make test more flexible, sometimes this returns errors instead of invalid --- openssl/src/pkey_ctx.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index dffad039bb..4ac32a8517 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -936,8 +936,8 @@ mod test { let bad_data = b"Some Crypto text"; ctx.verify_init().unwrap(); - let valid = ctx.verify(bad_data, &signature).unwrap(); - assert!(!valid); + let valid = ctx.verify(bad_data, &signature); + assert!(matches!(valid, Ok(false) | Err(_))); assert!(ErrorStack::get().errors().is_empty()); } From 8de2783b7f96cf8ceb99a9e5f7f82e4ee2ff731f Mon Sep 17 00:00:00 2001 From: Michael Farrell Date: Thu, 6 Jul 2023 16:00:29 +1000 Subject: [PATCH 106/126] allow running pkg-config when targetting windows from non-windows hosts --- openssl-sys/build/find_normal.rs | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 3508d68bdd..68af5cc6c2 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -196,15 +196,13 @@ https://github.com/sfackler/rust-openssl#windows /// typically tells us all the information that we need. fn try_pkg_config() { let target = env::var("TARGET").unwrap(); - let host = env::var("HOST").unwrap(); - // If we're going to windows-gnu we can use pkg-config, but only so long as - // we're coming from a windows host. - // - // Otherwise if we're going to windows we probably can't use pkg-config. - if target.contains("windows-gnu") && host.contains("windows") { + // If we're using mingw (windows-gnu*), we can use pkg-config, but we need + // to allow mismatched host/target. + if target.contains("windows-gnu") { env::set_var("PKG_CONFIG_ALLOW_CROSS", "1"); } else if target.contains("windows") { + // MSVC targets use vcpkg instead. return; } From 4d2379f246d53e33d8cf37331de6021e7a6dd016 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 6 Jul 2023 16:45:49 -0700 Subject: [PATCH 107/126] Tweak pkg-config logic We don't want to broaden the contexts that we automatically enable PKG_CONFIG_ALLOW_CROSS --- openssl-sys/build/find_normal.rs | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 68af5cc6c2..67dc07d586 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -197,11 +197,10 @@ https://github.com/sfackler/rust-openssl#windows fn try_pkg_config() { let target = env::var("TARGET").unwrap(); - // If we're using mingw (windows-gnu*), we can use pkg-config, but we need - // to allow mismatched host/target. - if target.contains("windows-gnu") { + // FIXME we really shouldn't be automatically enabling this + if target.contains("windows-gnu") && host.contains("windows") { env::set_var("PKG_CONFIG_ALLOW_CROSS", "1"); - } else if target.contains("windows") { + } else if target.contains("windows-msvc") { // MSVC targets use vcpkg instead. return; } From 41c03d6d8e7acd0df07bc70aaa824fb23b1e2a19 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Thu, 6 Jul 2023 16:50:02 -0700 Subject: [PATCH 108/126] Un-break the build --- openssl-sys/build/find_normal.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 67dc07d586..0f45cce11b 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -196,6 +196,7 @@ https://github.com/sfackler/rust-openssl#windows /// typically tells us all the information that we need. fn try_pkg_config() { let target = env::var("TARGET").unwrap(); + let host = env::var("HOST").unwrap(); // FIXME we really shouldn't be automatically enabling this if target.contains("windows-gnu") && host.contains("windows") { From ddd04786155e7c3855e5c3f4303a7d2b8c908d76 Mon Sep 17 00:00:00 2001 From: Alexis Mousset Date: Mon, 17 Jul 2023 01:28:15 +0200 Subject: [PATCH 109/126] Update vendored openssl to version 3.1 --- openssl-sys/Cargo.toml | 2 +- openssl-sys/build/main.rs | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 9b102fa8dc..f49afa42fe 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -25,7 +25,7 @@ bssl-sys = { version = "0.1.0", optional = true } [build-dependencies] bindgen = { version = "0.64.0", optional = true, features = ["experimental"] } cc = "1.0.61" -openssl-src = { version = "111", optional = true } +openssl-src = { version = "300.1.2", optional = true, features = ["legacy"] } pkg-config = "0.3.9" vcpkg = "0.2.8" diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 21ccf3d037..7122b48627 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -115,6 +115,16 @@ fn main() { println!("cargo:rustc-link-lib={}={}", kind, lib); } + // https://github.com/openssl/openssl/pull/15086 + if version == Version::Openssl3xx + && kind == "static" + && (env::var("CARGO_CFG_TARGET_OS").unwrap() == "linux" + || env::var("CARGO_CFG_TARGET_OS").unwrap() == "android") + && env::var("CARGO_CFG_TARGET_POINTER_WIDTH").unwrap() == "32" + { + println!("cargo:rustc-link-lib=dylib=atomic"); + } + if kind == "static" && target.contains("windows") { println!("cargo:rustc-link-lib=dylib=gdi32"); println!("cargo:rustc-link-lib=dylib=user32"); From 55ee0da8d09683a6aa97a8d9ff2eb0bc778112a6 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Wed, 19 Jul 2023 14:58:36 +0200 Subject: [PATCH 110/126] Expose Poly1305 bindings on libressl and boringssl --- openssl-sys/CHANGELOG.md | 4 ++++ openssl-sys/build/run_bindgen.rs | 4 ++++ openssl-sys/src/handwritten/mod.rs | 4 ++++ openssl-sys/src/handwritten/poly1305.rs | 23 +++++++++++++++++++++++ systest/build.rs | 4 ++++ 5 files changed, 39 insertions(+) create mode 100644 openssl-sys/src/handwritten/poly1305.rs diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 4554a58def..1fbbbd499b 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,10 @@ ## [Unreleased] +### Added + +* Expose `poly1305_state`, `CRYPTO_poly1305_init`, `CRYPTO_poly1305_update`, and `CRYPTO_poly1305_finish` on BoringSSL and LibreSSL. + ## [v0.9.90] - 2023-06-20 ### Fixed diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 5d307503f6..1eeaad225d 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -55,6 +55,10 @@ const INCLUDES: &str = " #if OPENSSL_VERSION_NUMBER >= 0x30000000 #include #endif + +#if defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL) +#include +#endif "; #[cfg(feature = "bindgen")] diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index 9c0f844501..d3adfa5a13 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -18,6 +18,8 @@ pub use self::ocsp::*; pub use self::pem::*; pub use self::pkcs12::*; pub use self::pkcs7::*; +#[cfg(libressl)] +pub use self::poly1305::*; pub use self::provider::*; pub use self::rand::*; pub use self::rsa::*; @@ -52,6 +54,8 @@ mod ocsp; mod pem; mod pkcs12; mod pkcs7; +#[cfg(libressl)] +mod poly1305; mod provider; mod rand; mod rsa; diff --git a/openssl-sys/src/handwritten/poly1305.rs b/openssl-sys/src/handwritten/poly1305.rs new file mode 100644 index 0000000000..8ff22f3580 --- /dev/null +++ b/openssl-sys/src/handwritten/poly1305.rs @@ -0,0 +1,23 @@ +use super::super::*; +use libc::*; + +cfg_if! { + if #[cfg(libressl)] { + #[repr(C)] + #[derive(Debug, Copy, Clone)] + pub struct poly1305_context { + pub aligner: usize, + pub opaque: [::libc::c_uchar; 136usize], + } + pub type poly1305_state = poly1305_context; + extern "C" { + pub fn CRYPTO_poly1305_init(ctx: *mut poly1305_context, key: *const ::libc::c_uchar); + pub fn CRYPTO_poly1305_update( + ctx: *mut poly1305_context, + in_: *const ::libc::c_uchar, + len: usize, + ); + pub fn CRYPTO_poly1305_finish(ctx: *mut poly1305_context, mac: *mut ::libc::c_uchar); + } + } +} diff --git a/systest/build.rs b/systest/build.rs index 6d3ac3a3d3..53407eafad 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -69,6 +69,10 @@ fn main() { .header("openssl/evp.h") .header("openssl/x509_vfy.h"); + if libressl_version.is_some() { + cfg.header("openssl/poly1305.h"); + } + if let Some(version) = openssl_version { cfg.header("openssl/cms.h"); if version >= 0x10100000 { From eb883a1a7b31a0280a1ed2dc4ebfab5d3d01fb67 Mon Sep 17 00:00:00 2001 From: Andrea Frigido Date: Thu, 20 Jul 2023 18:43:34 +0100 Subject: [PATCH 111/126] Update license field following SPDX 2.1 license expression standard --- openssl-errors/Cargo.toml | 2 +- openssl-macros/Cargo.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl-errors/Cargo.toml b/openssl-errors/Cargo.toml index 1f60f0ee08..5285b266e1 100644 --- a/openssl-errors/Cargo.toml +++ b/openssl-errors/Cargo.toml @@ -3,7 +3,7 @@ name = "openssl-errors" version = "0.2.0" authors = ["Steven Fackler "] edition = "2018" -license = "MIT/Apache-2.0" +license = "MIT OR Apache-2.0" description = "Custom error library support for the openssl crate." repository = "https://github.com/sfackler/rust-openssl" readme = "README.md" diff --git a/openssl-macros/Cargo.toml b/openssl-macros/Cargo.toml index 5337de751e..7f0c1c7e44 100644 --- a/openssl-macros/Cargo.toml +++ b/openssl-macros/Cargo.toml @@ -2,7 +2,7 @@ name = "openssl-macros" version = "0.1.1" edition = "2018" -license = "MIT/Apache-2.0" +license = "MIT OR Apache-2.0" description = "Internal macros used by the openssl crate." [lib] From ebf8027a921a528b91ce3515a3454a502ecd8c27 Mon Sep 17 00:00:00 2001 From: Zhang Jingqiang Date: Thu, 20 Jul 2023 15:46:10 +0800 Subject: [PATCH 112/126] add EcPointRef::to_hex_str and EcPoint::from_hex_str --- openssl-sys/src/handwritten/ec.rs | 14 +++++++ openssl/src/ec.rs | 63 +++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+) diff --git a/openssl-sys/src/handwritten/ec.rs b/openssl-sys/src/handwritten/ec.rs index 182a5559a3..f199bc891c 100644 --- a/openssl-sys/src/handwritten/ec.rs +++ b/openssl-sys/src/handwritten/ec.rs @@ -152,6 +152,20 @@ extern "C" { ctx: *mut BN_CTX, ) -> c_int; + pub fn EC_POINT_point2hex( + group: *const EC_GROUP, + p: *const EC_POINT, + form: point_conversion_form_t, + ctx: *mut BN_CTX, + ) -> *mut c_char; + + pub fn EC_POINT_hex2point( + group: *const EC_GROUP, + s: *const c_char, + p: *mut EC_POINT, + ctx: *mut BN_CTX, + ) -> *mut EC_POINT; + pub fn EC_POINT_add( group: *const EC_GROUP, r: *mut EC_POINT, diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index b648aec334..d541ddfc23 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -15,6 +15,7 @@ //! [`EcGroup`]: struct.EcGroup.html //! [`Nid`]: ../nid/struct.Nid.html //! [Elliptic Curve Cryptography]: https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography +use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::c_int; use std::fmt; @@ -28,6 +29,13 @@ use crate::util::ForeignTypeRefExt; use crate::{cvt, cvt_n, cvt_p, init}; use openssl_macros::corresponds; +cfg_if! { + if #[cfg(not(boringssl))] { + use std::ffi::CString; + use crate::string::OpensslString; + } +} + /// Compressed or Uncompressed conversion /// /// Conversion from the binary value of the point on the curve is performed in one of @@ -463,6 +471,26 @@ impl EcPointRef { } } + /// Serializes the point to a hexadecimal string representation. + #[corresponds(EC_POINT_point2hex)] + #[cfg(not(boringssl))] + pub fn to_hex_str( + &self, + group: &EcGroupRef, + form: PointConversionForm, + ctx: &mut BigNumContextRef, + ) -> Result { + unsafe { + let buf = cvt_p(ffi::EC_POINT_point2hex( + group.as_ptr(), + self.as_ptr(), + form.0, + ctx.as_ptr(), + ))?; + Ok(OpensslString::from_ptr(buf)) + } + } + /// Creates a new point on the specified curve with the same value. #[corresponds(EC_POINT_dup)] pub fn to_owned(&self, group: &EcGroupRef) -> Result { @@ -631,6 +659,27 @@ impl EcPoint { } Ok(point) } + + /// Creates point from a hexadecimal string representation + #[corresponds(EC_POINT_hex2point)] + #[cfg(not(boringssl))] + pub fn from_hex_str( + group: &EcGroupRef, + s: &str, + ctx: &mut BigNumContextRef, + ) -> Result { + let point = EcPoint::new(group)?; + unsafe { + let c_str = CString::new(s.as_bytes()).unwrap(); + cvt_p(ffi::EC_POINT_hex2point( + group.as_ptr(), + c_str.as_ptr() as *const _, + point.as_ptr(), + ctx.as_ptr(), + ))?; + } + Ok(point) + } } generic_foreign_type_and_impl_send_sync! { @@ -1121,6 +1170,20 @@ mod test { assert!(point.eq(&group, &point2, &mut ctx).unwrap()); } + #[test] + #[cfg(not(boringssl))] + fn point_hex_str() { + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let key = EcKey::generate(&group).unwrap(); + let point = key.public_key(); + let mut ctx = BigNumContext::new().unwrap(); + let hex = point + .to_hex_str(&group, PointConversionForm::COMPRESSED, &mut ctx) + .unwrap(); + let point2 = EcPoint::from_hex_str(&group, &hex, &mut ctx).unwrap(); + assert!(point.eq(&group, &point2, &mut ctx).unwrap()); + } + #[test] fn point_owned() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); From c8b6077ca8b0d741383abcd1586d3ba4bbbaadd5 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Mon, 24 Jul 2023 13:00:37 -0400 Subject: [PATCH 113/126] Gate BIO_new_socket in OPENSSL_NO_SOCK in handwritten bindings OpenSSL conditions the availability of this symbol on OPENSSL_NO_SOCK. Match that in the handwritten bindings. This doesn't really matter as it's only in the handwritten bindings and not used by rust-openssl, but we may as well make it match OpenSSL. --- openssl-sys/build/expando.c | 4 ++++ openssl-sys/src/handwritten/bio.rs | 1 + 2 files changed, 5 insertions(+) diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index 5d003d9022..cd7456b4f0 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -111,6 +111,10 @@ RUST_CONF_OPENSSL_NO_SSL3_METHOD RUST_CONF_OPENSSL_NO_TLSEXT #endif +#ifdef OPENSSL_NO_SOCK +RUST_CONF_OPENSSL_NO_SOCK +#endif + #ifdef OPENSSL_NO_STDIO RUST_CONF_OPENSSL_NO_STDIO #endif diff --git a/openssl-sys/src/handwritten/bio.rs b/openssl-sys/src/handwritten/bio.rs index 7d97522251..5f65ec5e5c 100644 --- a/openssl-sys/src/handwritten/bio.rs +++ b/openssl-sys/src/handwritten/bio.rs @@ -58,6 +58,7 @@ const_ptr_api! { } extern "C" { + #[cfg(not(osslconf = "OPENSSL_NO_SOCK"))] pub fn BIO_new_socket(sock: c_int, close_flag: c_int) -> *mut BIO; #[cfg(any(ossl110, libressl273))] From ee4c126f89c31367c5ee202bd98ae5a99a9b8df5 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 1 Aug 2023 11:19:26 -0400 Subject: [PATCH 114/126] bump ci versions --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 33c352cd2c..dcdd28f32a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -158,10 +158,10 @@ jobs: - name: openssl version: vendored - name: openssl - version: 3.1.0 + version: 3.1.2 dl-path: / - name: openssl - version: 1.1.1t + version: 1.1.1v dl-path: / - name: openssl version: 1.1.0l From 8449b822854e29213756ad339abbfb833a73216e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 5 Aug 2023 12:40:24 -0400 Subject: [PATCH 115/126] Implement Deref[Mut] for Cipher on older OpenSSLs They don't do anything, but this can be useful when writing code that works with multiple versions of OpenSSL. --- openssl/src/cipher.rs | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index d26b93c261..f81895e513 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -12,6 +12,7 @@ use foreign_types::{ForeignTypeRef, Opaque}; use openssl_macros::corresponds; #[cfg(ossl300)] use std::ffi::CString; +use std::ops::{Deref, DerefMut}; #[cfg(ossl300)] use std::ptr; @@ -41,7 +42,6 @@ cfg_if! { cfg_if! { if #[cfg(ossl300)] { use foreign_types::ForeignType; - use std::ops::{Deref, DerefMut}; type Inner = *mut ffi::EVP_CIPHER; @@ -90,6 +90,22 @@ cfg_if! { } } else { enum Inner {} + + impl Deref for Cipher { + type Target = CipherRef; + + #[inline] + fn deref(&self) -> &Self::Target { + match self.0 {} + } + } + + impl DerefMut for Cipher { + #[inline] + fn deref_mut(&mut self) -> &mut Self::Target { + match self.0 {} + } + } } } From 12ee78d277e4f986ff7da5572d42059810b0f8e3 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 6 Aug 2023 19:02:25 +1200 Subject: [PATCH 116/126] changelog and version bump --- openssl-sys/CHANGELOG.md | 10 +++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 14 +++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 25 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 1fbbbd499b..3a1a1f1865 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,9 +2,16 @@ ## [Unreleased] +## [v0.9.91] - 2023-08-06 + ### Added * Expose `poly1305_state`, `CRYPTO_poly1305_init`, `CRYPTO_poly1305_update`, and `CRYPTO_poly1305_finish` on BoringSSL and LibreSSL. +* Fix detection of libraries on OpenBSD. +* Added `EC_POINT_point2hex` and `EC_POINT_hex2point`. +* Added `EVP_PKEY_verify_recover_init`, `EVP_PKEY_verify_recover`, and `EVP_PKEY_CTX_set_signature_md`. +* Added `EVP_CIPHER_CTX_FLAG_WRAP_ALLOW` and `EVP_CTX_set_flags`. +* Added `BN_mod_sqrt`. ## [v0.9.90] - 2023-06-20 @@ -483,7 +490,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.90..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.91..master +[v0.9.91]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.90...openssl-sys-v0.9.91 [v0.9.90]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.89...openssl-sys-v0.9.90 [v0.9.89]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88...openssl-sys-v0.9.89 [v0.9.88]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.87...openssl-sys-v0.9.88 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 9b102fa8dc..3caa72fa79 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.90" +version = "0.9.91" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index a0622ecccd..b6bbbb9ce7 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,17 @@ ## [Unreleased] +## [v0.10.56] - 2023-08-06 + +## Added + +* Added `BigNumRef::mod_sqrt`. +* Added `PkeyCtxRef::set_signature_md` and `PkeyCtxRef::set_rsa_pss_saltlen`. +* Added `PkeyCtxRef::verify_recover_init` and `PkeyCtxRef::verify_recover`. +* Added `BigNumRef::is_even` and `BigNumRef::is_odd`. +* Added `EcPointRef::to_hex_str` and `EcPoint::from_hex_str`. +* Added support for AES key wrap and wrap pad. + ## [v0.10.55] - 2023-06-20 ### Fixed @@ -776,7 +787,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.56...master +[v0.10.56]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...openssl-v0.10.56 [v0.10.55]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...openssl-v0.10.55 [v0.10.54]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...openssl-v0.10.54 [v0.10.53]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.53 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 956d08cf9e..17f82ca843 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.55" +version = "0.10.56" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.89", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.91", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From ca438e2b32a4dff8d0500109a42eafb91eee74a2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 10 Aug 2023 18:59:36 -0400 Subject: [PATCH 117/126] Expose chacha20_poly1305 on LibreSSL --- openssl-sys/src/handwritten/evp.rs | 2 +- openssl/src/cipher.rs | 2 +- openssl/src/symm.rs | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 7da92eeeb8..9ebe212c42 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -367,7 +367,7 @@ extern "C" { pub fn EVP_aes_256_wrap_pad() -> *const EVP_CIPHER; #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn EVP_chacha20() -> *const EVP_CIPHER; - #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] + #[cfg(all(any(ossl110, libressl360), not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn EVP_chacha20_poly1305() -> *const EVP_CIPHER; #[cfg(not(osslconf = "OPENSSL_NO_SEED"))] pub fn EVP_seed_cbc() -> *const EVP_CIPHER; diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index f81895e513..2b89861365 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -435,7 +435,7 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_chacha20() as *mut _) } } - #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] + #[cfg(all(any(ossl110, libressl360), not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn chacha20_poly1305() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_chacha20_poly1305() as *mut _) } } diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index c1dbdfee7b..7ebb70338e 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -295,7 +295,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_CHACHA")))] + #[cfg(all(any(ossl110, libressl360), not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn chacha20_poly1305() -> Cipher { unsafe { Cipher(ffi::EVP_chacha20_poly1305()) } } @@ -1493,7 +1493,7 @@ mod tests { } #[test] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl360))] fn test_chacha20_poly1305() { let key = "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"; let iv = "070000004041424344454647"; From 19b7a64b6dd93a2bccfbedd89e9f1db3f6711a83 Mon Sep 17 00:00:00 2001 From: John Tyner Date: Sun, 20 Aug 2023 19:46:03 -0400 Subject: [PATCH 118/126] Add openssl::cipher_ctx::CipherCtx::clone --- openssl-sys/src/handwritten/evp.rs | 2 ++ openssl/src/cipher_ctx.rs | 9 +++++++++ 2 files changed, 11 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 9ebe212c42..e8ad6aa2d7 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -271,6 +271,8 @@ const_ptr_api! { extern "C" { pub fn EVP_CIPHER_CTX_new() -> *mut EVP_CIPHER_CTX; pub fn EVP_CIPHER_CTX_free(ctx: *mut EVP_CIPHER_CTX); + pub fn EVP_CIPHER_CTX_copy(dst: *mut EVP_CIPHER_CTX, src: *const EVP_CIPHER_CTX) -> c_int; + pub fn EVP_MD_CTX_copy_ex(dst: *mut EVP_MD_CTX, src: *const EVP_MD_CTX) -> c_int; #[cfg(ossl111)] pub fn EVP_MD_CTX_reset(ctx: *mut EVP_MD_CTX) -> c_int; diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 56d0d26700..714a0815af 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -102,6 +102,15 @@ impl CipherCtx { Ok(CipherCtx::from_ptr(ptr)) } } + + #[corresponds(EVP_CIPHER_CTX_copy)] + pub fn clone(&self) -> Result { + let n = CipherCtx::new()?; + unsafe { + cvt(ffi::EVP_CIPHER_CTX_copy(n.as_ptr(), self.as_ptr()))?; + } + Ok(n) + } } impl CipherCtxRef { From f3a35f87ce4d77c827abcf96b34419e955514bbb Mon Sep 17 00:00:00 2001 From: John Tyner Date: Mon, 21 Aug 2023 07:54:49 -0400 Subject: [PATCH 119/126] replace clone() with copy() to better mimic openssl interface --- openssl/src/cipher_ctx.rs | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 714a0815af..25d1060eba 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -102,18 +102,17 @@ impl CipherCtx { Ok(CipherCtx::from_ptr(ptr)) } } +} +impl CipherCtxRef { #[corresponds(EVP_CIPHER_CTX_copy)] - pub fn clone(&self) -> Result { - let n = CipherCtx::new()?; + pub fn copy(&mut self, src: &CipherCtx) -> Result<(), ErrorStack> { unsafe { - cvt(ffi::EVP_CIPHER_CTX_copy(n.as_ptr(), self.as_ptr()))?; + cvt(ffi::EVP_CIPHER_CTX_copy(self.as_ptr(), src.as_ptr()))?; + Ok(()) } - Ok(n) } -} -impl CipherCtxRef { /// Initializes the context for encryption. /// /// Normally this is called once to set all of the cipher, key, and IV. However, this process can be split up From d2663601fcf41ab9727a0dfa8d3540eb1419fcec Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 21 Aug 2023 17:54:02 -0700 Subject: [PATCH 120/126] Update openssl/src/cipher_ctx.rs --- openssl/src/cipher_ctx.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index 25d1060eba..f9031d2976 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -106,7 +106,7 @@ impl CipherCtx { impl CipherCtxRef { #[corresponds(EVP_CIPHER_CTX_copy)] - pub fn copy(&mut self, src: &CipherCtx) -> Result<(), ErrorStack> { + pub fn copy(&mut self, src: &CipherCtxRef) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_CIPHER_CTX_copy(self.as_ptr(), src.as_ptr()))?; Ok(()) From c317ffe6254c28be6fc4ca60b5ca54a37e556e49 Mon Sep 17 00:00:00 2001 From: Daniel Houck Date: Tue, 22 Aug 2023 19:46:34 -0400 Subject: [PATCH 121/126] Add X509VerifyParam::set_email This is substantially similar to the other X.509 verification parameter options like host. --- openssl-sys/src/handwritten/x509_vfy.rs | 6 ++++++ openssl/CHANGELOG.md | 3 +++ openssl/src/x509/verify.rs | 15 +++++++++++++++ 3 files changed, 24 insertions(+) diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs index 9adf63fa0e..a560e586d8 100644 --- a/openssl-sys/src/handwritten/x509_vfy.rs +++ b/openssl-sys/src/handwritten/x509_vfy.rs @@ -118,6 +118,12 @@ extern "C" { #[cfg(any(ossl102, libressl261))] pub fn X509_VERIFY_PARAM_set_hostflags(param: *mut X509_VERIFY_PARAM, flags: c_uint); #[cfg(any(ossl102, libressl261))] + pub fn X509_VERIFY_PARAM_set1_email( + param: *mut X509_VERIFY_PARAM, + email: *const c_char, + emaillen: size_t, + ) -> c_int; + #[cfg(any(ossl102, libressl261))] pub fn X509_VERIFY_PARAM_set1_ip( param: *mut X509_VERIFY_PARAM, ip: *const c_uchar, diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index b6bbbb9ce7..6c7f532d85 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,9 @@ ## [Unreleased] +### Added + * Added `X509VerifyParam::set_email` + ## [v0.10.56] - 2023-08-06 ## Added diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index e8481c551c..9e2caa5500 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -131,6 +131,21 @@ impl X509VerifyParamRef { } } + /// Set the expected email address. + #[corresponds(X509_VERIFY_PARAM_set1_email)] + pub fn set_email(&mut self, email: &str) -> Result<(), ErrorStack> { + unsafe { + // len == 0 means "run strlen" :( + let raw_email = if email.is_empty() { "\0" } else { email }; + cvt(ffi::X509_VERIFY_PARAM_set1_email( + self.as_ptr(), + raw_email.as_ptr() as *const _, + email.len(), + )) + .map(|_| ()) + } + } + /// Set the expected IPv4 or IPv6 address. #[corresponds(X509_VERIFY_PARAM_set1_ip)] pub fn set_ip(&mut self, ip: IpAddr) -> Result<(), ErrorStack> { From 970895159a7817e384b4a9fdbedb2744e85e3e6f Mon Sep 17 00:00:00 2001 From: Jade Ellis Date: Sat, 26 Aug 2023 14:38:54 +0000 Subject: [PATCH 122/126] Add perl-FindBin dep for fedora Compilation in fedora fails without this installed with message: --- stderr Can't locate FindBin.pm in @INC (you may need to install the FindBin module) ... --- openssl/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index c2c390cc1b..fe29d02293 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -44,7 +44,7 @@ //! $ sudo apt-get install pkg-config libssl-dev //! //! # Fedora -//! $ sudo dnf install pkg-config openssl-devel +//! $ sudo dnf install pkg-config perl-FindBin openssl-devel //! //! # Alpine Linux //! $ apk add pkgconfig openssl-dev From 03bc8192d28373fdbe4da4f443c2990ff4180ce0 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 26 Aug 2023 10:57:17 -0400 Subject: [PATCH 123/126] clippy --- openssl-sys/src/rsa.rs | 2 +- openssl/src/encrypt.rs | 6 +++--- openssl/src/ssl/callbacks.rs | 9 +++++++++ openssl/src/ssl/mod.rs | 1 + openssl/src/x509/mod.rs | 2 ++ 5 files changed, 16 insertions(+), 4 deletions(-) diff --git a/openssl-sys/src/rsa.rs b/openssl-sys/src/rsa.rs index ff30cf1e23..64107cd6b2 100644 --- a/openssl-sys/src/rsa.rs +++ b/openssl-sys/src/rsa.rs @@ -76,7 +76,7 @@ pub unsafe fn EVP_PKEY_CTX_set0_rsa_oaep_label( EVP_PKEY_OP_TYPE_CRYPT, EVP_PKEY_CTRL_RSA_OAEP_LABEL, len, - label as *mut c_void, + label, ) } diff --git a/openssl/src/encrypt.rs b/openssl/src/encrypt.rs index d3db0fd414..4522146f89 100644 --- a/openssl/src/encrypt.rs +++ b/openssl/src/encrypt.rs @@ -40,7 +40,7 @@ //! assert_eq!(&*decrypted, data); //! ``` #[cfg(any(ossl102, libressl310))] -use libc::{c_int, c_void}; +use libc::c_int; use std::{marker::PhantomData, ptr}; use crate::error::ErrorStack; @@ -174,7 +174,7 @@ impl<'a> Encrypter<'a> { cvt(ffi::EVP_PKEY_CTX_set0_rsa_oaep_label( self.pctx, - p as *mut c_void, + p, label.len() as c_int, )) .map(|_| ()) @@ -378,7 +378,7 @@ impl<'a> Decrypter<'a> { cvt(ffi::EVP_PKEY_CTX_set0_rsa_oaep_label( self.pctx, - p as *mut c_void, + p, label.len() as c_int, )) .map(|_| ()) diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index 091b1fb771..c6414fb517 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs @@ -86,6 +86,7 @@ where }; // Give the callback mutable slices into which it can write the identity and psk. let identity_sl = slice::from_raw_parts_mut(identity as *mut u8, max_identity_len as usize); + #[allow(clippy::unnecessary_cast)] let psk_sl = slice::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); match (*callback)(ssl, hint, identity_sl, psk_sl) { Ok(psk_len) => psk_len as u32, @@ -124,6 +125,7 @@ where Some(CStr::from_ptr(identity).to_bytes()) }; // Give the callback mutable slices into which it can write the psk. + #[allow(clippy::unnecessary_cast)] let psk_sl = slice::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); match (*callback)(ssl, identity, psk_sl) { Ok(psk_len) => psk_len as u32, @@ -194,6 +196,7 @@ where .ssl_context() .ex_data(SslContext::cached_ex_index::()) .expect("BUG: alpn callback missing") as *const F; + #[allow(clippy::unnecessary_cast)] let protos = slice::from_raw_parts(inbuf as *const u8, inlen as usize); match (*callback)(ssl, protos) { @@ -412,6 +415,7 @@ where .expect("BUG: session context missing") .ex_data(SslContext::cached_ex_index::()) .expect("BUG: get session callback missing") as *const F; + #[allow(clippy::unnecessary_cast)] let data = slice::from_raw_parts(data as *const u8, len as usize); match (*callback)(ssl, data) { @@ -455,6 +459,7 @@ where .ssl_context() .ex_data(SslContext::cached_ex_index::()) .expect("BUG: stateless cookie generate callback missing") as *const F; + #[allow(clippy::unnecessary_cast)] let slice = slice::from_raw_parts_mut(cookie as *mut u8, ffi::SSL_COOKIE_LENGTH as usize); match (*callback)(ssl, slice) { Ok(len) => { @@ -482,6 +487,7 @@ where .ssl_context() .ex_data(SslContext::cached_ex_index::()) .expect("BUG: stateless cookie verify callback missing") as *const F; + #[allow(clippy::unnecessary_cast)] let slice = slice::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len); (*callback)(ssl, slice) as c_int } @@ -503,6 +509,7 @@ where .expect("BUG: cookie generate callback missing") as *const F; // We subtract 1 from DTLS1_COOKIE_LENGTH as the ostensible value, 256, is erroneous but retained for // compatibility. See comments in dtls1.h. + #[allow(clippy::unnecessary_cast)] let slice = slice::from_raw_parts_mut(cookie as *mut u8, ffi::DTLS1_COOKIE_LENGTH as usize - 1); match (*callback)(ssl, slice) { @@ -542,6 +549,7 @@ where .ssl_context() .ex_data(SslContext::cached_ex_index::()) .expect("BUG: cookie verify callback missing") as *const F; + #[allow(clippy::unnecessary_cast)] let slice = slice::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len as usize); (*callback)(ssl, slice) as c_int @@ -654,6 +662,7 @@ where .ex_data(SslContext::cached_ex_index::()) .expect("BUG: custom ext parse callback missing") as *const F; let ectx = ExtensionContext::from_bits_truncate(context); + #[allow(clippy::unnecessary_cast)] let slice = slice::from_raw_parts(input as *const u8, inlen); let cert = if ectx.contains(ExtensionContext::TLS1_3_CERTIFICATE) { Some((chainidx, X509Ref::from_ptr(x))) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 270b4dd87b..bdfbfc14f0 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -2132,6 +2132,7 @@ impl SslSessionRef { unsafe { let mut len = 0; let p = ffi::SSL_SESSION_get_id(self.as_ptr(), &mut len); + #[allow(clippy::unnecessary_cast)] slice::from_raw_parts(p as *const u8, len as usize) } } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 4325b132e3..24605df806 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -2102,6 +2102,7 @@ impl GeneralNameRef { let ptr = ASN1_STRING_get0_data(d as *mut _); let len = ffi::ASN1_STRING_length(d as *mut _); + #[allow(clippy::unnecessary_cast)] let slice = slice::from_raw_parts(ptr as *const u8, len as usize); // IA5Strings are stated to be ASCII (specifically IA5). Hopefully // OpenSSL checks that when loading a certificate but if not we'll @@ -2155,6 +2156,7 @@ impl GeneralNameRef { let ptr = ASN1_STRING_get0_data(d as *mut _); let len = ffi::ASN1_STRING_length(d as *mut _); + #[allow(clippy::unnecessary_cast)] Some(slice::from_raw_parts(ptr as *const u8, len as usize)) } } From 2d8f2f6a7f324b2676d99e382c095307e818dff8 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 26 Aug 2023 20:30:35 -0400 Subject: [PATCH 124/126] Release openssl v0.10.57 and openssl-sys v0.9.92 --- openssl-sys/CHANGELOG.md | 11 ++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 12 ++++++++++-- openssl/Cargo.toml | 4 ++-- 4 files changed, 23 insertions(+), 6 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 3a1a1f1865..9166bd5aca 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,14 @@ ## [Unreleased] +## [v0.9.92] - 2023-08-27 + +### Added + +* Added `EVP_CIPHER_CTX_copy` +* Expose `EVP_chacha20_poly1305` on LibreSSL +* Added `X509_VERIFY_PARAM_set1_email` + ## [v0.9.91] - 2023-08-06 ### Added @@ -490,7 +498,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.91..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.92..master +[v0.9.92]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.91...openssl-sys-v0.9.92 [v0.9.91]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.90...openssl-sys-v0.9.91 [v0.9.90]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.89...openssl-sys-v0.9.90 [v0.9.89]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88...openssl-sys-v0.9.89 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 3caa72fa79..98a7c793be 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.91" +version = "0.9.92" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 6c7f532d85..f5409b1222 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,8 +2,15 @@ ## [Unreleased] +## [v0.10.57] - 2023-08-27 + ### Added - * Added `X509VerifyParam::set_email` +* Added `X509VerifyParam::set_email` +* `Cipher::chacha20_poly1305` is now available on LibreSSL +* Added `CipherCtx::copy` + +### Changed +* Updated `bitflags` dependecy to the 2.x series ## [v0.10.56] - 2023-08-06 @@ -790,7 +797,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.56...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.57...master +[v0.10.57]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.56...openssl-v0.10.57 [v0.10.56]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...openssl-v0.10.56 [v0.10.55]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...openssl-v0.10.55 [v0.10.54]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...openssl-v0.10.54 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 8a646b4502..ec8beaef9c 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.56" +version = "0.10.57" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -30,7 +30,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.91", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.92", path = "../openssl-sys" } [dev-dependencies] hex = "0.3" From fc1ca1f6c7251e79e51284d10bb2310eda7f9355 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 1 Sep 2023 08:51:22 -0400 Subject: [PATCH 125/126] LibreSSL 3.8.1 support --- .github/workflows/ci.yml | 2 +- openssl-sys/build/cfgs.rs | 3 +++ openssl-sys/build/main.rs | 5 +++-- openssl-sys/src/crypto.rs | 2 +- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dcdd28f32a..196f41f450 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -202,7 +202,7 @@ jobs: bindgen: false library: name: libressl - version: 3.8.0 + version: 3.8.1 name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} runs-on: ubuntu-latest env: diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index 2f3ff3eafd..34a58f7d68 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -53,6 +53,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x3_07_00_00_0 { cfgs.push("libressl370"); } + if libressl_version >= 0x3_08_01_00_0 { + cfgs.push("libressl381"); + } } else { let openssl_version = openssl_version.unwrap(); diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 21ccf3d037..82013b6c7d 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -273,6 +273,7 @@ See rust-openssl documentation for more information: (3, 7, 1) => ('3', '7', '1'), (3, 7, _) => ('3', '7', 'x'), (3, 8, 0) => ('3', '8', '0'), + (3, 8, 1) => ('3', '8', '1'), _ => version_error(), }; @@ -314,8 +315,8 @@ fn version_error() -> ! { panic!( " -This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3.0.0), or LibreSSL 2.5 -through 3.8.0, but a different version of OpenSSL was found. The build is now aborting +This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3), or LibreSSL 2.5 +through 3.8.1, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " diff --git a/openssl-sys/src/crypto.rs b/openssl-sys/src/crypto.rs index 35be07eada..bdc0add156 100644 --- a/openssl-sys/src/crypto.rs +++ b/openssl-sys/src/crypto.rs @@ -106,7 +106,7 @@ pub const CRYPTO_LOCK_SSL_CTX: c_int = 12; pub const CRYPTO_LOCK_SSL_SESSION: c_int = 14; cfg_if! { - if #[cfg(ossl110)] { + if #[cfg(any(ossl110, libressl381))] { pub const CRYPTO_EX_INDEX_SSL: c_int = 0; pub const CRYPTO_EX_INDEX_SSL_CTX: c_int = 1; } else if #[cfg(libressl)] { From 6b3b9fc039d45446c8308aceeee8dfc5e3ff69fa Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 4 Sep 2023 16:04:07 -0400 Subject: [PATCH 126/126] Release openssl-sys v0.9.93 --- openssl-sys/CHANGELOG.md | 13 ++++++++++++- openssl-sys/Cargo.toml | 2 +- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 9166bd5aca..8d2a65574b 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,16 @@ ## [Unreleased] +## [v0.9.93] - 2023-09-04 + +### Changed + +* The `vendored` Cargo feature now builds OpenSSL 3.1, as 1.1.1 is reaching its EOL. + +### Added + +* Added support for LibreSSL 3.8.1. + ## [v0.9.92] - 2023-08-27 ### Added @@ -498,7 +508,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.92..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.93..master +[v0.9.93]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.92...openssl-sys-v0.9.93 [v0.9.92]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.91...openssl-sys-v0.9.92 [v0.9.91]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.90...openssl-sys-v0.9.91 [v0.9.90]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.89...openssl-sys-v0.9.90 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 885f105832..44fc45a71b 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.92" +version = "0.9.93" authors = [ "Alex Crichton ", "Steven Fackler ",