Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use X509_PURPOSE_get_id instead of struct access #2115

Merged
merged 2 commits into from
Dec 2, 2023
Merged

Use X509_PURPOSE_get_id instead of struct access #2115

merged 2 commits into from
Dec 2, 2023

Conversation

davidben
Copy link
Contributor

@davidben davidben commented Dec 2, 2023

The accessor was added at the same version as the struct, so better to just use it. As with X509_PURPOSE_get_by_sname, it was const-corrected later on.

@davidben
Use X509_PURPOSE_get_id instead of struct access
25606f0 
The accessor was added at the same version as the struct, so better to
just use it. As with X509_PURPOSE_get_by_sname, it was const-corrected
later on.
alex
alex approved these changes Dec 2, 2023
View reviewed changes
Copy link
Collaborator

@alex alex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sfackler are there backwards compataibility issues with making teh struct opaque?

Otherwise the PR looks good to me.

@sfackler
Copy link
Owner

sfackler commented Dec 2, 2023

Yeah, we should really keep the struct definition as-is to preserve back compat. If you want, we could make it opaque for future open/boring/libre releases though.

@davidben
Copy link
Contributor Author

davidben commented Dec 2, 2023

We will never, ever support using the handwritten bindings with BoringSSL because of memory safety, so I can just put it back. Though you all really should rethink the stability expectations there.

@botovq
Copy link
Contributor

botovq commented Dec 2, 2023 via email

@davidben
Copy link
Contributor Author

davidben commented Dec 2, 2023

X509_PURPOSE_get0() returns a pointer to it (or worse application configured global mutable state if someone called X509_PURPOSE_add()), so X509PurposeRef::from_idx() exposes a pointer to global mutable state to Rust.

Oh, the entire X509PurposeRef API should be removed. It makes no sense in the first place. This is just the usual issue where binding APIs without thinking through use cases leads to problems.

The only thing one can do with X509_PURPOSE_get_by_sname is to then chain it with X509_PURPOSE_get0, followed by X509_PURPOSE_get_id, and then configure it on an X509_STORE. Not only that, short of X509_PURPOSE_add (which is globally not thread-safe, so it is impossible to expose in Rust safety), the only possible outputs of X509_PURPOSE_get_by_sname are the predefined constants anyway.

That means the only APIs here that made sense were the built-in X509PurposeId constants and set_purpose. Everything else was just a mistake and should be removed.

@davidben davidben mentioned this pull request Dec 2, 2023
Open
@davidben
Copy link
Contributor Author

davidben commented Dec 2, 2023

I plan on changing that in libre

BoringSSL will be doing that too. Note that, similar to #2113, it may run into a design flaw in foreign-types. From talking with @alex, it sounds like that crate uses exclusively mut pointers and doesn't honor const in C? This is, of course, a pretty serious safety issue.

I think I'll also just remove the APIs that X509PurposeRef relies on, since it's now clear rust-openssl's use is invalid.

@alex alex merged commit ea075d1 into sfackler:master Dec 2, 2023
53 checks passed
@botovq botovq mentioned this pull request Jan 11, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alex alex alex approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@davidben @sfackler @botovq @alex