From e5bd08f9be876e3ba760cf166eb9eddb74feebdd Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 21 Jul 2024 13:24:32 -0400 Subject: [PATCH 01/69] Added a utility function to ensure we never have an issue with 0-length slices from pointers again Added a clippy lint to ensure we use it. --- clippy.toml | 4 ++++ openssl/src/asn1.rs | 11 +++++------ openssl/src/bio.rs | 8 ++------ openssl/src/ssl/bio.rs | 7 +++---- openssl/src/ssl/callbacks.rs | 22 +++++++++++----------- openssl/src/ssl/mod.rs | 22 +++++++++++----------- openssl/src/util.rs | 27 ++++++++++++++++++++++++++- openssl/src/x509/mod.rs | 9 ++++----- 8 files changed, 66 insertions(+), 44 deletions(-) create mode 100644 clippy.toml diff --git a/clippy.toml b/clippy.toml new file mode 100644 index 0000000000..ead90b492f --- /dev/null +++ b/clippy.toml @@ -0,0 +1,4 @@ +disallowed-methods = [ + { path = "std::slice::from_raw_parts", reason = "use util::from_raw_parts instead" }, + { path = "std::slice::from_raw_parts_mut", reason = "use util::from_raw_parts_mut instead" }, +] diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 8618be0e92..03340820d0 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -32,7 +32,6 @@ use std::convert::TryInto; use std::ffi::CString; use std::fmt; use std::ptr; -use std::slice; use std::str; use crate::bio::MemBio; @@ -41,7 +40,7 @@ use crate::error::ErrorStack; use crate::nid::Nid; use crate::stack::Stackable; use crate::string::OpensslString; -use crate::{cvt, cvt_p}; +use crate::{cvt, cvt_p, util}; use openssl_macros::corresponds; foreign_type_and_impl_send_sync! { @@ -457,7 +456,7 @@ impl Asn1StringRef { /// [`as_utf8`]: struct.Asn1String.html#method.as_utf8 #[corresponds(ASN1_STRING_get0_data)] pub fn as_slice(&self) -> &[u8] { - unsafe { slice::from_raw_parts(ASN1_STRING_get0_data(self.as_ptr()), self.len()) } + unsafe { util::from_raw_parts(ASN1_STRING_get0_data(self.as_ptr()), self.len()) } } /// Returns the number of bytes in the string. 
@@ -597,7 +596,7 @@ impl Asn1BitStringRef { /// Returns the Asn1BitString as a slice. #[corresponds(ASN1_STRING_get0_data)] pub fn as_slice(&self) -> &[u8] { - unsafe { slice::from_raw_parts(ASN1_STRING_get0_data(self.as_ptr() as *mut _), self.len()) } + unsafe { util::from_raw_parts(ASN1_STRING_get0_data(self.as_ptr() as *mut _), self.len()) } } /// Returns the number of bytes in the string. @@ -637,7 +636,7 @@ impl Asn1OctetStringRef { /// Returns the octet string as an array of bytes. #[corresponds(ASN1_STRING_get0_data)] pub fn as_slice(&self) -> &[u8] { - unsafe { slice::from_raw_parts(ASN1_STRING_get0_data(self.as_ptr().cast()), self.len()) } + unsafe { util::from_raw_parts(ASN1_STRING_get0_data(self.as_ptr().cast()), self.len()) } } /// Returns the number of bytes in the octet string. @@ -701,7 +700,7 @@ impl Asn1Object { pub fn as_slice(&self) -> &[u8] { unsafe { let len = ffi::OBJ_length(self.as_ptr()); - slice::from_raw_parts(ffi::OBJ_get0_data(self.as_ptr()), len) + util::from_raw_parts(ffi::OBJ_get0_data(self.as_ptr()), len) } } } diff --git a/openssl/src/bio.rs b/openssl/src/bio.rs index 1595f89f1b..d5232d2ee1 100644 --- a/openssl/src/bio.rs +++ b/openssl/src/bio.rs @@ -2,10 +2,10 @@ use cfg_if::cfg_if; use libc::c_int; use std::marker::PhantomData; use std::ptr; -use std::slice; use crate::cvt_p; use crate::error::ErrorStack; +use crate::util; pub struct MemBioSlice<'a>(*mut ffi::BIO, PhantomData<&'a [u8]>); @@ -63,11 +63,7 @@ impl MemBio { unsafe { let mut ptr = ptr::null_mut(); let len = ffi::BIO_get_mem_data(self.0, &mut ptr); - if len == 0 { - &[] - } else { - slice::from_raw_parts(ptr as *const _ as *const _, len as usize) - } + util::from_raw_parts(ptr as *const _ as *const _, len as usize) } } diff --git a/openssl/src/ssl/bio.rs b/openssl/src/ssl/bio.rs index a5561dc722..16485624fe 100644 --- a/openssl/src/ssl/bio.rs +++ b/openssl/src/ssl/bio.rs 
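Review bot: In `MemBio::get_buf` (openssl/src/bio.rs, hunk -63) the length reaches the helper through an unchecked `len as usize`, and `util::from_raw_parts` only special-cases a length of exactly 0. The type of `len` is not visible in the hunk, but the cast suggests a signed C integer, so a negative return from `BIO_get_mem_data` would wrap to a very large slice length. Clamping first, e.g. `let len = if len < 0 { 0 } else { len as usize };`, turns that case into an empty slice. The same cast is applied to lengths supplied by OpenSSL in `bwrite`/`bread` (openssl/src/ssl/bio.rs), in several callbacks.rs hunks, and in the password callback in util.rs. `get_buf` starts outside the hunk.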
@@ -9,10 +9,9 @@ use std::io; use std::io::prelude::*; use std::panic::{catch_unwind, AssertUnwindSafe}; use std::ptr; -use std::slice; -use crate::cvt_p; use crate::error::ErrorStack; +use crate::{cvt_p, util}; pub struct StreamState { pub stream: S, @@ -89,7 +88,7 @@ unsafe extern "C" fn bwrite(bio: *mut BIO, buf: *const c_char, len: c_ BIO_clear_retry_flags(bio); let state = state::(bio); - let buf = slice::from_raw_parts(buf as *const _, len as usize); + let buf = util::from_raw_parts(buf as *const _, len as usize); match catch_unwind(AssertUnwindSafe(|| state.stream.write(buf))) { Ok(Ok(len)) => len as c_int, @@ -111,7 +110,7 @@ unsafe extern "C" fn bread(bio: *mut BIO, buf: *mut c_char, len: c_int) BIO_clear_retry_flags(bio); let state = state::(bio); - let buf = slice::from_raw_parts_mut(buf as *mut _, len as usize); + let buf = util::from_raw_parts_mut(buf as *mut _, len as usize); match catch_unwind(AssertUnwindSafe(|| state.stream.read(buf))) { Ok(Ok(len)) => len as c_int, diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index be8909ee4a..ccf5308509 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs @@ -10,7 +10,6 @@ use libc::{c_int, c_uchar, c_uint, c_void}; use std::ffi::CStr; use std::mem; use std::ptr; -use std::slice; #[cfg(any(ossl111, boringssl))] use std::str; use std::sync::Arc; @@ -28,6 +27,7 @@ use crate::ssl::{ }; #[cfg(ossl111)] use crate::ssl::{ClientHelloResponse, ExtensionContext}; +use crate::util; #[cfg(any(ossl111, boringssl))] use crate::util::ForeignTypeRefExt; #[cfg(ossl111)] 
@@ -85,9 +85,9 @@ where None }; // Give the callback mutable slices into which it can write the identity and psk. - let identity_sl = slice::from_raw_parts_mut(identity as *mut u8, max_identity_len as usize); + let identity_sl = util::from_raw_parts_mut(identity as *mut u8, max_identity_len as usize); #[allow(clippy::unnecessary_cast)] - let psk_sl = slice::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); + let psk_sl = util::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); match (*callback)(ssl, hint, identity_sl, psk_sl) { Ok(psk_len) => psk_len as u32, Err(e) => { @@ -126,7 +126,7 @@ where }; // Give the callback mutable slices into which it can write the psk. #[allow(clippy::unnecessary_cast)] - let psk_sl = slice::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); + let psk_sl = util::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); match (*callback)(ssl, identity, psk_sl) { Ok(psk_len) => psk_len as u32, Err(e) => { @@ -197,7 +197,7 @@ where .ex_data(SslContext::cached_ex_index::()) .expect("BUG: alpn callback missing") as *const F; #[allow(clippy::unnecessary_cast)] - let protos = slice::from_raw_parts(inbuf as *const u8, inlen as usize); + let protos = util::from_raw_parts(inbuf as *const u8, inlen as usize); match (*callback)(ssl, protos) { Ok(proto) => { @@ -416,7 +416,7 @@ where .ex_data(SslContext::cached_ex_index::()) .expect("BUG: get session callback missing") as *const F; #[allow(clippy::unnecessary_cast)] - let data = slice::from_raw_parts(data as *const u8, len as usize); + let data = util::from_raw_parts(data as *const u8, len as usize); match (*callback)(ssl, data) { Some(session) => { 
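Review bot: The length returned by the user callback in the PSK hunks (-85 and -126) goes back to OpenSSL as `Ok(psk_len) => psk_len as u32` without being compared with the slice the callback was given. If a callback reports more than `psk_sl.len()`, the library is told that more key bytes were written than the buffer holds; whether the C side re-validates this is not visible here. A guard such as `Ok(psk_len) if psk_len <= psk_sl.len() => psk_len as u32,`, with larger values handled like the error arm, would make the wrapper fail closed. The cookie-generation hunks (-460 and -511) store the callback's `len` into `*cookie_len` in the same way. All of these functions begin and end outside their hunks.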
@@ -460,7 +460,7 @@ where .ex_data(SslContext::cached_ex_index::()) .expect("BUG: stateless cookie generate callback missing") as *const F; #[allow(clippy::unnecessary_cast)] - let slice = slice::from_raw_parts_mut(cookie as *mut u8, ffi::SSL_COOKIE_LENGTH as usize); + let slice = util::from_raw_parts_mut(cookie as *mut u8, ffi::SSL_COOKIE_LENGTH as usize); match (*callback)(ssl, slice) { Ok(len) => { *cookie_len = len as size_t; @@ -488,7 +488,7 @@ where .ex_data(SslContext::cached_ex_index::()) .expect("BUG: stateless cookie verify callback missing") as *const F; #[allow(clippy::unnecessary_cast)] - let slice = slice::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len); + let slice = util::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len); (*callback)(ssl, slice) as c_int } @@ -511,7 +511,7 @@ where // compatibility. See comments in dtls1.h. #[allow(clippy::unnecessary_cast)] let slice = - slice::from_raw_parts_mut(cookie as *mut u8, ffi::DTLS1_COOKIE_LENGTH as usize - 1); + util::from_raw_parts_mut(cookie as *mut u8, ffi::DTLS1_COOKIE_LENGTH as usize - 1); match (*callback)(ssl, slice) { Ok(len) => { *cookie_len = len as c_uint; @@ -551,7 +551,7 @@ where .expect("BUG: cookie verify callback missing") as *const F; #[allow(clippy::unnecessary_cast)] let slice = - slice::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len as usize); + util::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len as usize); (*callback)(ssl, slice) as c_int } } @@ -663,7 +663,7 @@ where .expect("BUG: custom ext parse callback missing") as *const F; let ectx = ExtensionContext::from_bits_truncate(context); #[allow(clippy::unnecessary_cast)] - let slice = slice::from_raw_parts(input as *const u8, inlen); + let slice = util::from_raw_parts(input as *const u8, inlen); let cert = if ectx.contains(ExtensionContext::TLS1_3_CERTIFICATE) { Some((chainidx, X509Ref::from_ptr(x))) } else { 
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index a540d41468..322ca9541a 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -77,6 +77,7 @@ use crate::ssl::bio::BioMethod; use crate::ssl::callbacks::*; use crate::ssl::error::InnerError; use crate::stack::{Stack, StackRef, Stackable}; +use crate::util; use crate::util::{ForeignTypeExt, ForeignTypeRefExt}; use crate::x509::store::{X509Store, X509StoreBuilderRef, X509StoreRef}; #[cfg(any(ossl102, boringssl, libressl261))] @@ -101,7 +102,6 @@ use std::ops::{Deref, DerefMut}; use std::panic::resume_unwind; use std::path::Path; use std::ptr; -use std::slice; use std::str; use std::sync::{Arc, Mutex}; @@ -708,7 +708,7 @@ pub fn select_next_proto<'a>(server: &[u8], client: &'a [u8]) -> Option<&'a [u8] client.len() as c_uint, ); if r == ffi::OPENSSL_NPN_NEGOTIATED { - Some(slice::from_raw_parts(out as *const u8, outlen as usize)) + Some(util::from_raw_parts(out as *const u8, outlen as usize)) } else { None } @@ -2174,7 +2174,7 @@ impl SslSessionRef { let mut len = 0; let p = ffi::SSL_SESSION_get_id(self.as_ptr(), &mut len); #[allow(clippy::unnecessary_cast)] - slice::from_raw_parts(p as *const u8, len as usize) + util::from_raw_parts(p as *const u8, len as usize) } } @@ -2650,7 +2650,7 @@ impl SslRef { if data.is_null() { None } else { - Some(slice::from_raw_parts(data, len as usize)) + Some(util::from_raw_parts(data, len as usize)) } } } @@ -2928,7 +2928,7 @@ impl SslRef { if len < 0 { None } else { - Some(slice::from_raw_parts(p as *const u8, len as usize)) + Some(util::from_raw_parts(p as *const u8, len as usize)) } } } @@ -3099,7 +3099,7 @@ impl SslRef { if len == 0 { None } else { - Some(slice::from_raw_parts(ptr, len)) + Some(util::from_raw_parts(ptr, len)) } } } @@ -3118,7 +3118,7 @@ impl SslRef { if len == 0 { None } else { - Some(slice::from_raw_parts(ptr, len)) + Some(util::from_raw_parts(ptr, len)) } } } 
@@ -3137,7 +3137,7 @@ impl SslRef { if len == 0 { None } else { - Some(slice::from_raw_parts(ptr, len)) + Some(util::from_raw_parts(ptr, len)) } } } @@ -3191,7 +3191,7 @@ impl SslRef { if len == 0 { None } else { - Some(slice::from_raw_parts(ptr, len)) + Some(util::from_raw_parts(ptr, len)) } } } @@ -3764,7 +3764,7 @@ impl SslStream { pub fn ssl_read(&mut self, buf: &mut [u8]) -> Result { // SAFETY: `ssl_read_uninit` does not de-initialize the buffer. unsafe { - self.ssl_read_uninit(slice::from_raw_parts_mut( + self.ssl_read_uninit(util::from_raw_parts_mut( buf.as_mut_ptr().cast::>(), buf.len(), )) @@ -3997,7 +3997,7 @@ impl Read for SslStream { fn read(&mut self, buf: &mut [u8]) -> io::Result { // SAFETY: `read_uninit` does not de-initialize the buffer unsafe { - self.read_uninit(slice::from_raw_parts_mut( + self.read_uninit(util::from_raw_parts_mut( buf.as_mut_ptr().cast::>(), buf.len(), )) diff --git a/openssl/src/util.rs b/openssl/src/util.rs index d852a4b9d8..c903a32092 100644 --- a/openssl/src/util.rs +++ b/openssl/src/util.rs @@ -1,4 +1,5 @@ use crate::error::ErrorStack; +use crate::util; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_char, c_int, c_void}; use std::any::Any; @@ -49,7 +50,7 @@ where let callback = &mut *(cb_state as *mut CallbackState); let result = panic::catch_unwind(AssertUnwindSafe(|| { - let pass_slice = slice::from_raw_parts_mut(buf as *mut u8, size as usize); + let pass_slice = util::from_raw_parts_mut(buf as *mut u8, size as usize); callback.cb.take().unwrap()(pass_slice) })); 
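Review bot: A point of style in the openssl/src/util.rs hunks: the file now imports itself with `use crate::util;` only so that the password callback can write `util::from_raw_parts_mut(...)`. Inside util.rs the helper can be called by its bare name, `let pass_slice = from_raw_parts_mut(buf as *mut u8, size as usize);`, which makes the added `use` line unnecessary. The callback function starts and ends outside the hunk.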
@@ -91,3 +92,27 @@ pub trait ForeignTypeRefExt: ForeignTypeRef { } } impl ForeignTypeRefExt for FT {} + +/// The same as `slice::from_raw_parts`, except that `data` may be `NULL` if +/// `len` is 0. +pub unsafe fn from_raw_parts<'a, T>(data: *const T, len: usize) -> &'a [T] { + if len == 0 { + &[] + } else { + // Using this to implement the preferred API + #[allow(clippy::disallowed_methods)] + slice::from_raw_parts(data, len) + } +} + +/// The same as `slice::from_raw_parts_mut`, except that `data` may be `NULL` +/// if `len` is 0. +pub unsafe fn from_raw_parts_mut<'a, T>(data: *mut T, len: usize) -> &'a mut [T] { + if len == 0 { + &mut [] + } else { + // Using this to implement the preferred API + #[allow(clippy::disallowed_methods)] + slice::from_raw_parts_mut(data, len) + } +} diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 05aec9a9c7..df0991a4dc 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -20,7 +20,6 @@ use std::mem; use std::net::IpAddr; use std::path::Path; use std::ptr; -use std::slice; use std::str; use crate::asn1::{ @@ -37,7 +36,7 @@ use crate::pkey::{HasPrivate, HasPublic, PKey, PKeyRef, Public}; use crate::ssl::SslRef; use crate::stack::{Stack, StackRef, Stackable}; use crate::string::OpensslString; -use crate::util::{ForeignTypeExt, ForeignTypeRefExt}; +use crate::util::{self, ForeignTypeExt, ForeignTypeRefExt}; use crate::{cvt, cvt_n, cvt_p, cvt_p_const}; use openssl_macros::corresponds; @@ -662,7 +661,7 @@ impl X509Ref { if ptr.is_null() { None } else { - Some(slice::from_raw_parts(ptr, len as usize)) + Some(util::from_raw_parts(ptr, len as usize)) } } } 
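Review bot: The two new `pub unsafe fn` helpers in openssl/src/util.rs have no `# Safety` section, so the contract a caller must uphold is left to inference. I would add one to each, stating that for `len > 0` every requirement of `slice::from_raw_parts` (non-null, aligned, valid for `len` elements, no conflicting access) still applies, and that the returned lifetime `'a` is chosen by the caller and must not outlive the memory behind `data`. A `debug_assert!(!data.is_null());` at the top of each `else` branch would also surface a null pointer with a non-zero length during testing. If nothing outside the crate needs these helpers, `pub(crate)` would keep them off the public surface; whether the `util` module is exported is not visible here.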
@@ -2157,7 +2156,7 @@ impl GeneralNameRef { let len = ffi::ASN1_STRING_length(d as *mut _); #[allow(clippy::unnecessary_cast)] - let slice = slice::from_raw_parts(ptr as *const u8, len as usize); + let slice = util::from_raw_parts(ptr as *const u8, len as usize); // IA5Strings are stated to be ASCII (specifically IA5). Hopefully // OpenSSL checks that when loading a certificate but if not we'll // use this instead of from_utf8_unchecked just in case. @@ -2211,7 +2210,7 @@ impl GeneralNameRef { let len = ffi::ASN1_STRING_length(d as *mut _); #[allow(clippy::unnecessary_cast)] - Some(slice::from_raw_parts(ptr as *const u8, len as usize)) + Some(util::from_raw_parts(ptr as *const u8, len as usize)) } } } From fe8088ebefd76e63b0de0d7065778fc666800a15 Mon Sep 17 00:00:00 2001 From: sanketh Date: Sat, 27 Jul 2024 20:24:54 -0400 Subject: [PATCH 02/69] Add binding for EVP_DigestSqueeze --- openssl-sys/src/handwritten/evp.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 9e277453e2..aa83c92122 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -93,6 +93,8 @@ extern "C" { pub fn EVP_DigestFinal(ctx: *mut EVP_MD_CTX, res: *mut u8, n: *mut u32) -> c_int; #[cfg(ossl111)] pub fn EVP_DigestFinalXOF(ctx: *mut EVP_MD_CTX, res: *mut u8, len: usize) -> c_int; + #[cfg(ossl330)] + pub fn EVP_DigestSqueeze(ctx: *mut EVP_MD_CTX, res: *mut u8, len: usize) -> c_int; #[cfg(ossl300)] pub fn EVP_MD_fetch( From 1915d6258d598bb88bb6f1412c99586a96aebbfc Mon Sep 17 00:00:00 2001 From: sanketh Date: Sat, 27 Jul 2024 21:28:37 -0400 Subject: [PATCH 03/69] Add support for XOF squeeze --- openssl/src/hash.rs | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index f2f2698f3e..641192cdfe 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs 
@@ -199,6 +199,7 @@ unsafe impl Send for MessageDigest {} enum State { Reset, Updated, + Squeeze, Finalized, } @@ -265,6 +266,7 @@ impl Hasher { Updated => { self.finish()?; } + Squeeze => (), Finalized => (), } unsafe { @@ -290,6 +292,21 @@ impl Hasher { Ok(()) } + /// Squeezes buf out of the hasher. + /// The output will be as long as the buf. + #[cfg(ossl330)] + pub fn squeeze_xof(&mut self, buf: &mut [u8]) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::EVP_DigestSqueeze( + self.ctx, + buf.as_mut_ptr(), + buf.len(), + ))?; + self.state = Squeeze; + Ok(()) + } + } + /// Returns the hash of the data written and resets the non-XOF hasher. pub fn finish(&mut self) -> Result { if self.state == Finalized { @@ -486,6 +503,21 @@ mod tests { assert_eq!(buf, expected); } + /// Squeezes the expected length by doing two squeezes. + #[cfg(ossl330)] + fn hash_xof_squeeze_test(hashtype: MessageDigest, hashtest: &(&str, &str)) { + let data = Vec::from_hex(hashtest.0).unwrap(); + let mut h = Hasher::new(hashtype).unwrap(); + h.update(&data).unwrap(); + + let expected = Vec::from_hex(hashtest.1).unwrap(); + let mut buf = vec![0; expected.len()]; + assert!(expected.len() > 10); + h.squeeze_xof(&mut buf[..10]).unwrap(); + h.squeeze_xof(&mut buf[10..]).unwrap(); + assert_eq!(buf, expected); + } + fn hash_recycle_test(h: &mut Hasher, hashtest: &(&str, &str)) { h.write_all(&Vec::from_hex(hashtest.0).unwrap()).unwrap(); let res = h.finish().unwrap(); @@ -715,6 +747,8 @@ mod tests { for test in tests.iter() { hash_xof_test(MessageDigest::shake_128(), test); + #[cfg(ossl330)] + hash_xof_squeeze_test(MessageDigest::shake_128(), test); } assert_eq!(MessageDigest::shake_128().block_size(), 168); @@ -735,6 +769,8 @@ mod tests { for test in tests.iter() { hash_xof_test(MessageDigest::shake_256(), test); + #[cfg(ossl330)] + hash_xof_squeeze_test(MessageDigest::shake_256(), test); } assert_eq!(MessageDigest::shake_256().block_size(), 136); 
From d9a11b314df984fc9dfa192b1b4cd23c95005f9d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jul 2024 00:41:52 -0400 Subject: [PATCH 04/69] Fix CI for the latest rustc --- .github/workflows/ci.yml | 2 +- openssl-sys/build/main.rs | 2 +- openssl/build.rs | 2 +- openssl/src/x509/mod.rs | 1 + 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b25057dd69..efc975dbd2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -152,7 +152,7 @@ jobs: - false library: - name: boringssl - version: 2db0eb3f96a5756298dcd7f9319e56a98585bd10 + version: e23fe9b6eecc10e4f9ea1f0027fea5eaee7bd6b6 - name: openssl version: vendored - name: openssl diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 98d6926fcb..50ecc0f084 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs 
@@ -74,7 +74,7 @@ fn check_ssl_kind() { } fn main() { - println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_COMP\", \"OPENSSL_NO_SOCK\", \"OPENSSL_NO_STDIO\"))"); + println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_COMP\", \"OPENSSL_NO_SOCK\", \"OPENSSL_NO_STDIO\", \"OPENSSL_NO_EC\", \"OPENSSL_NO_SSL3_METHOD\", \"OPENSSL_NO_KRB5\", \"OPENSSL_NO_TLSEXT\", \"OPENSSL_NO_SRP\", \"OPENSSL_NO_RFC3779\", \"OPENSSL_NO_SHA\", \"OPENSSL_NO_NEXTPROTONEG\", \"OPENSSL_NO_ENGINE\", \"OPENSSL_NO_BUF_FREELISTS\"))"); println!("cargo:rustc-check-cfg=cfg(openssl)"); println!("cargo:rustc-check-cfg=cfg(libressl)"); diff --git a/openssl/build.rs b/openssl/build.rs index 58f5fb9aad..16101ea309 100644 --- a/openssl/build.rs +++ b/openssl/build.rs 
@@ -7,7 +7,7 @@ use std::env; fn main() { - println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\"))"); + println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_EC\"))"); println!("cargo:rustc-check-cfg=cfg(libressl)"); println!("cargo:rustc-check-cfg=cfg(boringssl)"); diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index df0991a4dc..e583518dae 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -2544,6 +2544,7 @@ impl X509PurposeRef { /// - "any", /// - "ocsphelper", /// - "timestampsign" + /// /// The index can be used with `X509PurposeRef::from_idx()` to get the purpose. #[allow(clippy::unnecessary_cast)] pub fn get_by_sname(sname: &str) -> Result { From dc7db607fd85fc29e12ed6dce80603a6e446856f Mon Sep 17 00:00:00 2001 From: sanketh Date: Wed, 7 Aug 2024 22:28:55 -0400 Subject: [PATCH 05/69] update docstring --- openssl/src/hash.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 641192cdfe..5eb4a4d3ca 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs 
@@ -292,7 +292,7 @@ impl Hasher { Ok(()) } - /// Squeezes buf out of the hasher. + /// Squeezes buf out of the hasher. Can be called multiple times, unlike `finish_xof`. /// The output will be as long as the buf. #[cfg(ossl330)] pub fn squeeze_xof(&mut self, buf: &mut [u8]) -> Result<(), ErrorStack> { From 003e6f2cc93a2e04cc173684c00637d00f951821 Mon Sep 17 00:00:00 2001 From: sanketh Date: Wed, 7 Aug 2024 22:35:58 -0400 Subject: [PATCH 06/69] address clippy warning --- openssl/src/hash.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 5eb4a4d3ca..a917eeb300 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -199,6 +199,7 @@ unsafe impl Send for MessageDigest {} enum State { Reset, Updated, + #[cfg(ossl330)] Squeeze, Finalized, } @@ -266,6 +267,7 @@ impl Hasher { Updated => { self.finish()?; } + #[cfg(ossl330)] Squeeze => (), Finalized => (), } From 70496c9f7dfe3e7ab3d8bf4faf6e1465aaad066f Mon Sep 17 00:00:00 2001 From: sanketh Date: Wed, 7 Aug 2024 23:13:21 -0400 Subject: [PATCH 07/69] address review comments --- openssl/src/hash.rs | 50 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 44 insertions(+), 6 deletions(-) diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index a917eeb300..6053658ea4 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -280,8 +280,11 @@ impl Hasher { /// Feeds data into the hasher. pub fn update(&mut self, data: &[u8]) -> Result<(), ErrorStack> { - if self.state == Finalized { - self.init()?; + match self.state { + #[cfg(ossl330)] + Squeeze => self.init()?, + Finalized => self.init()?, + _ => {} } unsafe { cvt(ffi::EVP_DigestUpdate( @@ -298,6 +301,9 @@ impl Hasher { /// The output will be as long as the buf. #[cfg(ossl330)] pub fn squeeze_xof(&mut self, buf: &mut [u8]) -> Result<(), ErrorStack> { + if self.state == Finalized { + self.init()?; + } unsafe { cvt(ffi::EVP_DigestSqueeze( self.ctx, 
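Review bot: The doc comment on `squeeze_xof` does not describe what happens when squeezing is mixed with the other methods. With this commit `update`, `finish` and `finish_xof` call `self.init()?` when the state is `Squeeze` (hunks -280, -317 and -346), so they start a fresh digest instead of continuing the squeezed stream or returning an error, and `finish_xof` right after a squeeze appears to produce the output for empty input. I would state that in the docs, for example `/// Calling update, finish or finish_xof after squeezing resets the hasher and starts a new digest.`, and add a matching line to `finish_xof`. `squeeze_xof` continues outside the hunk.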
@@ -311,8 +317,11 @@ impl Hasher { /// Returns the hash of the data written and resets the non-XOF hasher. pub fn finish(&mut self) -> Result { - if self.state == Finalized { - self.init()?; + match self.state { + #[cfg(ossl330)] + Squeeze => self.init()?, + Finalized => self.init()?, + _ => {} } unsafe { #[cfg(not(boringssl))] @@ -337,8 +346,11 @@ impl Hasher { /// The hash will be as long as the buf. #[cfg(ossl111)] pub fn finish_xof(&mut self, buf: &mut [u8]) -> Result<(), ErrorStack> { - if self.state == Finalized { - self.init()?; + match self.state { + #[cfg(ossl330)] + Squeeze => self.init()?, + Finalized => self.init()?, + _ => {} } unsafe { cvt(ffi::EVP_DigestFinalXOF( @@ -576,6 +588,32 @@ mod tests { assert_eq!(&*res, &*null); } + #[cfg(ossl330)] + #[test] + fn test_finish_then_squeeze() { + let digest = MessageDigest::shake_128(); + let mut h = Hasher::new(digest).unwrap(); + let mut buf = vec![0; digest.size()]; + h.finish_xof(&mut buf).unwrap(); + h.squeeze_xof(&mut buf).unwrap(); + let null = hash(digest, &[]).unwrap(); + assert_eq!(&*buf, &*null); + } + + #[cfg(ossl330)] + #[test] + fn test_squeeze_then_update() { + let digest = MessageDigest::shake_128(); + let data = Vec::from_hex(MD5_TESTS[6].0).unwrap(); + let mut h = Hasher::new(digest).unwrap(); + let mut buf = vec![0; digest.size()]; + h.squeeze_xof(&mut buf).unwrap(); + h.update(&data).unwrap(); + h.squeeze_xof(&mut buf).unwrap(); + let null = hash(digest, &data).unwrap(); + assert_eq!(&*buf, &*null); + } + #[test] #[allow(clippy::redundant_clone)] fn test_clone() { From 47862ea6dfc674a1df3d18cb8252a5f631c6c761 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 16 Aug 2024 10:40:29 +0200 Subject: [PATCH 08/69] libressl 4.0: const correctness for X509_LOOKUP_METHOD --- openssl-sys/src/handwritten/x509_vfy.rs | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) 
diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs index a560e586d8..31928f8979 100644 --- a/openssl-sys/src/handwritten/x509_vfy.rs +++ b/openssl-sys/src/handwritten/x509_vfy.rs @@ -9,10 +9,14 @@ extern "C" { pub fn X509_LOOKUP_meth_free(method: *mut X509_LOOKUP_METHOD); } +const_ptr_api! { + extern "C" { + pub fn X509_LOOKUP_hash_dir() -> #[const_ptr_if(libressl400)] X509_LOOKUP_METHOD; + pub fn X509_LOOKUP_file() -> #[const_ptr_if(libressl400)] X509_LOOKUP_METHOD; + } +} extern "C" { pub fn X509_LOOKUP_free(ctx: *mut X509_LOOKUP); - pub fn X509_LOOKUP_hash_dir() -> *mut X509_LOOKUP_METHOD; - pub fn X509_LOOKUP_file() -> *mut X509_LOOKUP_METHOD; pub fn X509_LOOKUP_ctrl( ctx: *mut X509_LOOKUP, cmd: c_int, @@ -41,11 +45,6 @@ extern "C" { pub fn X509_STORE_add_cert(store: *mut X509_STORE, x: *mut X509) -> c_int; - pub fn X509_STORE_add_lookup( - store: *mut X509_STORE, - meth: *mut X509_LOOKUP_METHOD, - ) -> *mut X509_LOOKUP; - pub fn X509_STORE_set_default_paths(store: *mut X509_STORE) -> c_int; pub fn X509_STORE_set_flags(store: *mut X509_STORE, flags: c_ulong) -> c_int; pub fn X509_STORE_set_purpose(ctx: *mut X509_STORE, purpose: c_int) -> c_int; @@ -55,6 +54,10 @@ extern "C" { const_ptr_api! { extern "C" { + pub fn X509_STORE_add_lookup( + store: *mut X509_STORE, + meth: #[const_ptr_if(libressl400)] X509_LOOKUP_METHOD, + ) -> *mut X509_LOOKUP; pub fn X509_STORE_set1_param(store: *mut X509_STORE, pm: #[const_ptr_if(ossl300)] X509_VERIFY_PARAM) -> c_int; } } From 6c21e3a8e1aa0708334a8cdd81adefbfb5b0f5fc Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Aug 2024 09:36:11 -0400 Subject: [PATCH 09/69] Bump hex dev-dependency version --- openssl/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index cc8ef0accc..e268d1dc39 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml 
@@ -33,4 +33,4 @@ openssl-macros = { version = "0.1.0", path = "../openssl-macros" } ffi = { package = "openssl-sys", version = "0.9.103", path = "../openssl-sys" } [dev-dependencies] -hex = "0.3" +hex = "0.4" From ff1ce6ddfcaa00fdcdf365714a1e016d1afaf315 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Aug 2024 09:43:33 -0400 Subject: [PATCH 10/69] bindgen 0.66 --- openssl-sys/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 131ebe684e..3d809b546c 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -23,7 +23,7 @@ libc = "0.2" bssl-sys = { version = "0.1.0", optional = true } [build-dependencies] -bindgen = { version = "0.65.0", optional = true, features = ["experimental"] } +bindgen = { version = "0.66.0", optional = true, features = ["experimental"] } cc = "1.0.61" openssl-src = { version = "300.2.0", optional = true, features = ["legacy"] } pkg-config = "0.3.9" From ea204f539ebd3bf88b75f4c0f6ae435dfc198f27 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Aug 2024 10:03:01 -0400 Subject: [PATCH 11/69] Raise MSRV to 1.63 --- .github/workflows/ci.yml | 4 +--- openssl-errors/Cargo.toml | 1 + openssl-macros/Cargo.toml | 1 + openssl-sys/Cargo.toml | 1 + openssl/Cargo.toml | 1 + 5 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index efc975dbd2..52e712a11d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -62,7 +62,7 @@ jobs: # Remember to also update `--rust-target` in `openssl-sys/build/run_bindgen.rs` - uses: sfackler/actions/rustup@master with: - version: 1.56.0 + version: 1.63.0 - run: echo "version=$(rustc --version)" >> $GITHUB_OUTPUT id: rust-version - uses: actions/cache@v4 
@@ -72,8 +72,6 @@ jobs: restore-keys: | index-${{ runner.os }}- - run: cargo generate-lockfile - - run: | - cargo update -p cc --precise 1.0.94 - uses: actions/cache@v4 with: path: ~/.cargo/registry/cache diff --git a/openssl-errors/Cargo.toml b/openssl-errors/Cargo.toml index 5285b266e1..a95312dc30 100644 --- a/openssl-errors/Cargo.toml +++ b/openssl-errors/Cargo.toml @@ -8,6 +8,7 @@ description = "Custom error library support for the openssl crate." repository = "https://github.com/sfackler/rust-openssl" readme = "README.md" categories = ["api-bindings"] +rust-version = "1.63.0" [dependencies] cfg-if = "1.0" diff --git a/openssl-macros/Cargo.toml b/openssl-macros/Cargo.toml index 90abfdfa2a..c62e299716 100644 --- a/openssl-macros/Cargo.toml +++ b/openssl-macros/Cargo.toml @@ -5,6 +5,7 @@ edition = "2018" license = "MIT OR Apache-2.0" description = "Internal macros used by the openssl crate." repository = "https://github.com/sfackler/rust-openssl" +rust-version = "1.63.0" [lib] proc-macro = true diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 3d809b546c..0859f9573f 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -13,6 +13,7 @@ categories = ["cryptography", "external-ffi-bindings"] links = "openssl" build = "build/main.rs" edition = "2018" +rust-version = "1.63.0" [features] vendored = ['openssl-src'] diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index cc8ef0accc..1764c9a3a1 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -9,6 +9,7 @@ readme = "README.md" keywords = ["crypto", "tls", "ssl", "dtls"] categories = ["cryptography", "api-bindings"] edition = "2018" +rust-version = "1.63.0" # these are deprecated and don't do anything anymore [features] From de7d1dc232b0c05ef89f4cdbe29dc8ee0c7bf762 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Aug 2024 10:13:52 -0400 Subject: [PATCH 12/69] bindgen 0.68 --- openssl-sys/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 0859f9573f..357ce333f1 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -24,7 +24,7 @@ libc = "0.2" bssl-sys = { version = "0.1.0", optional = true } [build-dependencies] -bindgen = { version = "0.66.0", optional = true, features = ["experimental"] } +bindgen = { version = "0.68.0", optional = true, features = ["experimental"] } cc = "1.0.61" openssl-src = { version = "300.2.0", optional = true, features = ["legacy"] } pkg-config = "0.3.9" From 0f8ac0f094907f2fb9ba043a53f2754667aa5e53 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Aug 2024 10:23:08 -0400 Subject: [PATCH 13/69] bindgen 0.69 --- openssl-sys/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 357ce333f1..b9fd232f08 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -24,7 +24,7 @@ libc = "0.2" bssl-sys = { version = "0.1.0", optional = true } [build-dependencies] -bindgen = { version = "0.68.0", optional = true, features = ["experimental"] } +bindgen = { version = "0.69.0", optional = true, features = ["experimental"] } cc = "1.0.61" openssl-src = { version = "300.2.0", optional = true, features = ["legacy"] } pkg-config = "0.3.9" From 8141d07a7382f93e0f9b433c1df97b2f8241825b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Aug 2024 10:33:14 -0400 Subject: [PATCH 14/69] Switch to 2021 edition --- openssl-errors/Cargo.toml | 2 +- openssl-macros/Cargo.toml | 2 +- openssl-sys/Cargo.toml | 2 +- openssl/Cargo.toml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/openssl-errors/Cargo.toml b/openssl-errors/Cargo.toml index a95312dc30..24f724678f 100644 --- a/openssl-errors/Cargo.toml +++ b/openssl-errors/Cargo.toml 
@@ -2,7 +2,7 @@ name = "openssl-errors" version = "0.2.0" authors = ["Steven Fackler "] -edition = "2018" +edition = "2021" license = "MIT OR Apache-2.0" description = "Custom error library support for the openssl crate." repository = "https://github.com/sfackler/rust-openssl" diff --git a/openssl-macros/Cargo.toml b/openssl-macros/Cargo.toml index c62e299716..40134616b3 100644 --- a/openssl-macros/Cargo.toml +++ b/openssl-macros/Cargo.toml @@ -1,7 +1,7 @@ [package] name = "openssl-macros" version = "0.1.1" -edition = "2018" +edition = "2021" license = "MIT OR Apache-2.0" description = "Internal macros used by the openssl crate." repository = "https://github.com/sfackler/rust-openssl" diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index b9fd232f08..7ec1038dc7 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -12,7 +12,7 @@ readme = "README.md" categories = ["cryptography", "external-ffi-bindings"] links = "openssl" build = "build/main.rs" -edition = "2018" +edition = "2021" rust-version = "1.63.0" [features] diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 1764c9a3a1..85426ad32b 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -8,7 +8,7 @@ repository = "https://github.com/sfackler/rust-openssl" readme = "README.md" keywords = ["crypto", "tls", "ssl", "dtls"] categories = ["cryptography", "api-bindings"] -edition = "2018" +edition = "2021" rust-version = "1.63.0" # these are deprecated and don't do anything anymore From 149f66259f13d81a5a76ff2e9679a0174c240737 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Aug 2024 18:36:37 -0400 Subject: [PATCH 15/69] Ensure Rsa::check_key doesn't leave errors on the stack --- openssl/src/rsa.rs | 31 ++++++++++++++++++++++++++----- openssl/test/corrupted-rsa.pem | 28 ++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+), 5 deletions(-) create mode 100644 openssl/test/corrupted-rsa.pem 
diff --git a/openssl/src/rsa.rs b/openssl/src/rsa.rs index 9ef56942bf..2e6614aed3 100644 --- a/openssl/src/rsa.rs +++ b/openssl/src/rsa.rs @@ -234,14 +234,18 @@ where /// Validates RSA parameters for correctness #[corresponds(RSA_check_key)] - #[allow(clippy::unnecessary_cast)] pub fn check_key(&self) -> Result { unsafe { - let result = ffi::RSA_check_key(self.as_ptr()) as i32; - if result == -1 { - Err(ErrorStack::get()) + let result = ffi::RSA_check_key(self.as_ptr()); + if result != 1 { + let errors = ErrorStack::get(); + if errors.errors().is_empty() { + Ok(false) + } else { + Err(errors) + } } else { - Ok(result == 1) + Ok(true) } } } @@ -849,4 +853,21 @@ mod test { let e = BigNum::from_u32(0x10001).unwrap(); Rsa::generate_with_e(2048, &e).unwrap(); } + + #[test] + fn test_check_key() { + let k = Rsa::private_key_from_pem_passphrase( + include_bytes!("../test/rsa-encrypted.pem"), + b"mypass", + ) + .unwrap(); + assert!(matches!(k.check_key(), Ok(true))); + assert!(ErrorStack::get().errors().is_empty()); + + // BoringSSL simply rejects this key, because its corrupted! + if let Ok(k) = Rsa::private_key_from_pem(include_bytes!("../test/corrupted-rsa.pem")) { + assert!(matches!(k.check_key(), Ok(false) | Err(_))); + assert!(ErrorStack::get().errors().is_empty()); + } + } } diff --git a/openssl/test/corrupted-rsa.pem b/openssl/test/corrupted-rsa.pem new file mode 100644 index 0000000000..fa2cc3b130 --- /dev/null +++ b/openssl/test/corrupted-rsa.pem 
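Review bot: The doc comment on `check_key` still says only "Validates RSA parameters for correctness", but after the first hunk an invalid key comes back as `Err(ErrorStack)` whenever `RSA_check_key` queued errors, and as `Ok(false)` only when the queue was empty. A caller that rejects keys by matching `Ok(false)` and treats `Err` as a separate operational failure will take the wrong path for a bad key, so the contract should be spelled out; the new test in the second hunk already accepts `Ok(false) | Err(_)`. I would add `/// Returns Ok(true) only if the key is valid; an invalid key is reported as Ok(false) or as Err, depending on whether OpenSSL recorded errors.` The enclosing `impl` block opens outside the hunk.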
@@ -0,0 +1,28 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCyiHMQLLOSG6T6 +AYpMTJj9f4WzXQF0+T0Ri/Mk6vcJMQdnLMrlEMIJA/4iCn32zvpQ0raYcuZZoyso +/Svqg7tAeC3aQ/iFopYWfaR+SDMEnpKMl26qwiIxlPcj9J8hAQw/9WA7YneBXq+T +ypONX4EeDn+bsp/mSNSZKYJBmwXevQ9xbnOOxmBrVd5OS07ZwYuQXy8uVsYe4IXX +7/F+BIyULnIlUxRcVRjKp9++PeS53KLJX04H6HeqUiWC8Ntd+DuD3df0a067L38o +sc+CVzwKXqvh75RwlXCR4/B3D9qEqSYmY7lxp9vA3hirWcSJn0xUIbHb7q1hzE0H +rL65mLwnAgMBAAECggEADePYJpKBGBAm35KTcB3ngJWAJp/I92ZVbieNb7peJOzC +btsJIBWT2xVgm2+7NCK5+Tl486xrfTQuLUlhNiTbQof3HUumKr4nCjHqmdlD1YtW +yzG+7kceAkMyOoMThwL+Bn3bPP42CQPVCjJmahyGPvs8H2DK2E+jRr/4KTgxQTki +s/MXmJa4+xhvfF4CmFVj8imkKCyUTFoaqvYevHDMrJ3cohXFONBPv0MT8X/Y0sgw +UVaZ1aw3dbLC2PBpZFotILGxch2rODXgOcer/GBC41aGQTBB8mLPwKb6KMh0xdPd +1E5NwyODA3YJ6W3fGe8WE0MIHoYlOkX+ukf4W4+U0wKBgQDhueBkZwrd1HdhqwhG +QKt1/itCx24Go75G/+5vJUCB4bcdaJP49aH0/H4BiSsKI8r+GVsVJcrKP8h3tgjw +hhuLLPSaWi9TiUsWeDTw0JrAJc7w6hwL1EYbnwcto5mRQdbfugitlkhh17yUmgdj +gczAKLfV3igxslnR67iNOEYrlwKBgQDKejyWNnxhBJoXerpR/hijoXhMaHqV6Z7T +gUy6F0BiJ5CqN+TOTaC17CEnsMmI28o1rWJ6bIKwOUPFXOE9Z5gyxuIJhY9M8n30 +iwm/Ug2oBTFAdZQyyCuCmPiNURnGo+Hhu1EtVwMWLt3Z0L+/DdI6pgPX8mG0NNZm ++pS96Lg9owKBgHOzCslr5638kZSGTh90Vm6McTAxeLv+gjFyTYy6022/fFSenfom +LXWdVhkDbgQshIfqBz23uVIhj2eM7tgaZVPZHydewpNW9B34T2qAAlIrDv99gBKw +I59UzCEgkj5aOQFEId6YAVHlesvQh6kBhymXtWLyFDgk6tUmtdns1krRAoGBAJj0 +pnhDSMpxk4ZRLBdsgGh8PkhaVOCSz2yvrKqXjgeYI+yytKI0ekdzzcgSAOzmPGc4 +R8B74G4HlG6vr2eXrp4NKAxRXOOf/A6UShTBg5d99KrhJ8cE9/l8XadDsNkiTC0e +OECsDqTfWrCExZUqd7neV+D2NWDQ2XaJrXuZJjVJAoGAIGA5ktXIxWIDeXkxo06b +nHeTEmOAgER/5UIikHnoSAnXo5JNZyFxqoylthWuA1fMPQw/UphAeawDwEXVKp1J +NEhLUfVAO/p1RBUsQi8LQVoO9Nql5u5dFjqoCnlRv5tbeAAzZH5magZk7/1rOS5T +Cj7WW2zW+iL20suUmXfCQGU= +-----END RSA PRIVATE KEY----- From da75d41f405aa15c900852872986695d1648577d Mon Sep 17 00:00:00 2001 
From: Rushil Mehra Date: Sat, 24 Aug 2024 23:02:45 -0700 Subject: [PATCH 16/69] Update some docs to use the corresponds macro --- openssl/src/cipher_ctx.rs | 4 -- openssl/src/hash.rs | 11 ++--- openssl/src/nid.rs | 2 - openssl/src/sign.rs | 92 +++++++++------------------------------ openssl/src/ssl/mod.rs | 55 +++-------------------- openssl/src/symm.rs | 11 ++--- openssl/src/x509/mod.rs | 83 ++++++++--------------------------- 7 files changed, 50 insertions(+), 208 deletions(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index abb1f11ef3..d31830ad0c 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -328,10 +328,6 @@ impl CipherCtxRef { /// /// Panics if the context has not been initialized with a cipher or if the buffer is smaller than the cipher's key /// length. - /// - /// This corresponds to [`EVP_CIPHER_CTX_rand_key`]. - /// - /// [`EVP_CIPHER_CTX_rand_key`]: https://www.openssl.org/docs/manmaster/man3/EVP_CIPHER_CTX_rand_key.html #[corresponds(EVP_CIPHER_CTX_rand_key)] #[cfg(not(boringssl))] pub fn rand_key(&self, buf: &mut [u8]) -> Result<(), ErrorStack> { diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index f2f2698f3e..b25eded944 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -41,6 +41,7 @@ use std::ptr; use crate::error::ErrorStack; use crate::nid::Nid; use crate::{cvt, cvt_p}; +use openssl_macros::corresponds; cfg_if! { if #[cfg(any(ossl110, boringssl, libressl382))] { @@ -65,10 +66,7 @@ impl MessageDigest { } /// Returns the `MessageDigest` corresponding to an `Nid`. - /// - /// This corresponds to [`EVP_get_digestbynid`]. - /// - /// [`EVP_get_digestbynid`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestInit.html + #[corresponds(EVP_get_digestbynid)] pub fn from_nid(type_: Nid) -> Option { ffi::init(); unsafe { 
@@ -82,10 +80,7 @@ impl MessageDigest { } /// Returns the `MessageDigest` corresponding to an algorithm name. - /// - /// This corresponds to [`EVP_get_digestbyname`]. - /// - /// [`EVP_get_digestbyname`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestInit.html + #[corresponds(EVP_get_digestbyname)] pub fn from_name(name: &str) -> Option { ffi::init(); let name = CString::new(name).ok()?; diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index e50feb0683..d093c67633 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -79,8 +79,6 @@ impl Nid { } /// Returns the `Nid`s of the digest and public key algorithms associated with a signature ID. - /// - /// This corresponds to `OBJ_find_sigid_algs`. #[corresponds(OBJ_find_sigid_algs)] #[allow(clippy::trivially_copy_pass_by_ref)] pub fn signature_algorithms(&self) -> Option { diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 0154b1d4b7..dd012128a2 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -79,6 +79,7 @@ use crate::hash::MessageDigest; use crate::pkey::{HasPrivate, HasPublic, PKeyRef}; use crate::rsa::Padding; use crate::{cvt, cvt_p}; +use openssl_macros::corresponds; cfg_if! { if #[cfg(any(ossl110, libressl382))] { @@ -135,10 +136,7 @@ impl Signer<'_> { /// /// This cannot be used with Ed25519 or Ed448 keys. Please refer to /// `new_without_digest`. - /// - /// OpenSSL documentation at [`EVP_DigestSignInit`]. - /// - /// [`EVP_DigestSignInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html + #[corresponds(EVP_DigestSignInit)] pub fn new<'a, T>(type_: MessageDigest, pkey: &PKeyRef) -> Result, ErrorStack> where T: HasPrivate, 
@@ -150,10 +148,7 @@ impl Signer<'_> { /// /// This is the only way to create a `Verifier` for Ed25519 or Ed448 keys. /// It can also be used to create a CMAC. - /// - /// OpenSSL documentation at [`EVP_DigestSignInit`]. - /// - /// [`EVP_DigestSignInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html + #[corresponds(EVP_DigestSignInit)] pub fn new_without_digest<'a, T>(pkey: &PKeyRef) -> Result, ErrorStack> where T: HasPrivate, @@ -198,8 +193,7 @@ impl Signer<'_> { /// Returns the RSA padding mode in use. /// /// This is only useful for RSA keys. - /// - /// This corresponds to `EVP_PKEY_CTX_get_rsa_padding`. + #[corresponds(EVP_PKEY_CTX_get_rsa_padding)] pub fn rsa_padding(&self) -> Result { unsafe { let mut pad = 0; @@ -211,10 +205,7 @@ impl Signer<'_> { /// Sets the RSA padding mode. /// /// This is only useful for RSA keys. - /// - /// This corresponds to [`EVP_PKEY_CTX_set_rsa_padding`]. - /// - /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_padding.html + #[corresponds(EVP_PKEY_CTX_set_rsa_padding)] pub fn set_rsa_padding(&mut self, padding: Padding) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_padding( @@ -228,10 +219,7 @@ impl Signer<'_> { /// Sets the RSA PSS salt length. /// /// This is only useful for RSA keys. - /// - /// This corresponds to [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]. - /// - /// [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_pss_saltlen.html + #[corresponds(EVP_PKEY_CTX_set_rsa_pss_saltlen)] pub fn set_rsa_pss_saltlen(&mut self, len: RsaPssSaltlen) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_pss_saltlen( 
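Review bot: The context line in the `@@ -150,10 +148,7 @@` hunk documents `Signer::new_without_digest` as "the only way to create a `Verifier` for Ed25519 or Ed448 keys", which names the wrong type for a constructor inside `impl Signer<'_>`. Since the commit is already editing this doc comment, it should read `/// This is the only way to create a Signer for Ed25519 or Ed448 keys.` The `Verifier::new_without_digest` hunk later in the same file carries the same sentence, where it is correct, so this looks like a copy of that text.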
@@ -245,10 +233,7 @@ impl Signer<'_> { /// Sets the RSA MGF1 algorithm. /// /// This is only useful for RSA keys. - /// - /// This corresponds to [`EVP_PKEY_CTX_set_rsa_mgf1_md`]. - /// - /// [`EVP_PKEY_CTX_set_rsa_mgf1_md`]: https://www.openssl.org/docs/manmaster/man7/RSA-PSS.html + #[corresponds(EVP_PKEY_CTX_set_rsa_mgf1_md)] pub fn set_rsa_mgf1_md(&mut self, md: MessageDigest) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_mgf1_md( @@ -263,10 +248,7 @@ impl Signer<'_> { /// /// Please note that PureEdDSA (Ed25519 and Ed448 keys) do not support streaming. /// Use `sign_oneshot` instead. - /// - /// OpenSSL documentation at [`EVP_DigestUpdate`]. - /// - /// [`EVP_DigestUpdate`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestInit.html + #[corresponds(EVP_DigestUpdate)] pub fn update(&mut self, buf: &[u8]) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_DigestUpdate( @@ -282,10 +264,7 @@ impl Signer<'_> { /// /// The actual signature may be shorter than this value. Check the return value of /// `sign` to get the exact length. - /// - /// OpenSSL documentation at [`EVP_DigestSignFinal`]. - /// - /// [`EVP_DigestSignFinal`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestSignFinal.html + #[corresponds(EVP_DigestSignFinal)] pub fn len(&self) -> Result { self.len_intern() } @@ -322,10 +301,7 @@ impl Signer<'_> { /// /// This method will fail if the buffer is not large enough for the signature. Use the `len` /// method to get an upper bound on the required size. - /// - /// OpenSSL documentation at [`EVP_DigestSignFinal`]. - /// - /// [`EVP_DigestSignFinal`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestSignFinal.html + #[corresponds(EVP_DigestSignFinal)] pub fn sign(&self, buf: &mut [u8]) -> Result { unsafe { let mut len = buf.len(); 
@@ -356,10 +332,7 @@ impl Signer<'_> { /// /// This method will fail if the buffer is not large enough for the signature. Use the `len` /// method to get an upper bound on the required size. - /// - /// OpenSSL documentation at [`EVP_DigestSign`]. - /// - /// [`EVP_DigestSign`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestSign.html + #[corresponds(EVP_DigestSign)] #[cfg(any(ossl111, boringssl, libressl370))] pub fn sign_oneshot( &mut self, @@ -429,10 +402,7 @@ impl<'a> Verifier<'a> { /// /// This cannot be used with Ed25519 or Ed448 keys. Please refer to /// [`Verifier::new_without_digest`]. - /// - /// OpenSSL documentation at [`EVP_DigestVerifyInit`]. - /// - /// [`EVP_DigestVerifyInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestVerifyInit.html + #[corresponds(EVP_DigestVerifyInit)] pub fn new(type_: MessageDigest, pkey: &'a PKeyRef) -> Result, ErrorStack> where T: HasPublic, @@ -443,10 +413,7 @@ impl<'a> Verifier<'a> { /// Creates a new `Verifier` without a digest. /// /// This is the only way to create a `Verifier` for Ed25519 or Ed448 keys. - /// - /// OpenSSL documentation at [`EVP_DigestVerifyInit`]. - /// - /// [`EVP_DigestVerifyInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestVerifyInit.html + #[corresponds(EVP_DigestVerifyInit)] pub fn new_without_digest(pkey: &'a PKeyRef) -> Result, ErrorStack> where T: HasPublic, @@ -491,8 +458,7 @@ impl<'a> Verifier<'a> { /// Returns the RSA padding mode in use. /// /// This is only useful for RSA keys. - /// - /// This corresponds to `EVP_PKEY_CTX_get_rsa_padding`. + #[corresponds(EVP_PKEY_CTX_get_rsa_padding)] pub fn rsa_padding(&self) -> Result { unsafe { let mut pad = 0; 
@@ -504,10 +470,7 @@ impl<'a> Verifier<'a> { /// Sets the RSA padding mode. /// /// This is only useful for RSA keys. - /// - /// This corresponds to [`EVP_PKEY_CTX_set_rsa_padding`]. - /// - /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_padding.html + #[corresponds(EVP_PKEY_CTX_set_rsa_padding)] pub fn set_rsa_padding(&mut self, padding: Padding) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_padding( @@ -521,10 +484,7 @@ impl<'a> Verifier<'a> { /// Sets the RSA PSS salt length. /// /// This is only useful for RSA keys. - /// - /// This corresponds to [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]. - /// - /// [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_pss_saltlen.html + #[corresponds(EVP_PKEY_CTX_set_rsa_pss_saltlen)] pub fn set_rsa_pss_saltlen(&mut self, len: RsaPssSaltlen) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_pss_saltlen( @@ -538,10 +498,7 @@ impl<'a> Verifier<'a> { /// Sets the RSA MGF1 algorithm. /// /// This is only useful for RSA keys. - /// - /// This corresponds to [`EVP_PKEY_CTX_set_rsa_mgf1_md`]. - /// - /// [`EVP_PKEY_CTX_set_rsa_mgf1_md`]: https://www.openssl.org/docs/manmaster/man7/RSA-PSS.html + #[corresponds(EVP_PKEY_CTX_set_rsa_mgf1_md)] pub fn set_rsa_mgf1_md(&mut self, md: MessageDigest) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_mgf1_md( @@ -556,10 +513,7 @@ impl<'a> Verifier<'a> { /// /// Please note that PureEdDSA (Ed25519 and Ed448 keys) do not support streaming. /// Use [`Verifier::verify_oneshot`] instead. - /// - /// OpenSSL documentation at [`EVP_DigestUpdate`]. - /// - /// [`EVP_DigestUpdate`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestInit.html + #[corresponds(EVP_DigestUpdate)] pub fn update(&mut self, buf: &[u8]) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_DigestUpdate( 
@@ -572,10 +526,7 @@ impl<'a> Verifier<'a> { } /// Determines if the data fed into the `Verifier` matches the provided signature. - /// - /// OpenSSL documentation at [`EVP_DigestVerifyFinal`]. - /// - /// [`EVP_DigestVerifyFinal`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestVerifyFinal.html + #[corresponds(EVP_DigestVerifyFinal)] pub fn verify(&self, signature: &[u8]) -> Result { unsafe { let r = @@ -592,10 +543,7 @@ impl<'a> Verifier<'a> { } /// Determines if the data given in `buf` matches the provided signature. - /// - /// OpenSSL documentation at [`EVP_DigestVerify`]. - /// - /// [`EVP_DigestVerify`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestVerify.html + #[corresponds(EVP_DigestVerify)] #[cfg(any(ossl111, boringssl, libressl370))] pub fn verify_oneshot(&mut self, signature: &[u8], buf: &[u8]) -> Result { unsafe { diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 322ca9541a..d9b2a724f6 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -2297,10 +2297,6 @@ impl Ssl { } /// Creates a new `Ssl`. - /// - /// This corresponds to [`SSL_new`]. - /// - /// [`SSL_new`]: https://www.openssl.org/docs/manmaster/ssl/SSL_new.html #[corresponds(SSL_new)] pub fn new(ctx: &SslContextRef) -> Result { let session_ctx_index = try_get_session_ctx_index()?; @@ -2314,15 +2310,10 @@ impl Ssl { } /// Initiates a client-side TLS handshake. - /// - /// This corresponds to [`SSL_connect`]. - /// /// # Warning /// /// OpenSSL's default configuration is insecure. It is highly recommended to use /// `SslConnector` rather than `Ssl` directly, as it manages that configuration. - /// - /// [`SSL_connect`]: https://www.openssl.org/docs/manmaster/man3/SSL_connect.html #[corresponds(SSL_connect)] #[allow(deprecated)] pub fn connect(self, stream: S) -> Result, HandshakeError> 
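Review bot: Removing the "This corresponds to" lines leaves two doc comments in `openssl/src/ssl/mod.rs` slightly malformed. In `Ssl::connect` (`@@ -2314,15 +2310,10 @@`) the blank `///` between the summary and `/// # Warning` is gone, whereas `Ssl::accept` in the next hunk keeps it. In `handshake` (`@@ -3526,9 +3505,7 @@`) an empty `///` is left dangling directly above `#[corresponds(SSL_do_handshake)]`. I would restore the `///` before `# Warning` in `connect` and drop the trailing `///` in `handshake`, so the warning about OpenSSL's insecure default configuration is laid out the same way for both entry points.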
@@ -2334,14 +2325,10 @@ impl Ssl { /// Initiates a server-side TLS handshake. /// - /// This corresponds to [`SSL_accept`]. - /// /// # Warning /// /// OpenSSL's default configuration is insecure. It is highly recommended to use /// `SslAcceptor` rather than `Ssl` directly, as it manages that configuration. - /// - /// [`SSL_accept`]: https://www.openssl.org/docs/manmaster/man3/SSL_accept.html #[corresponds(SSL_accept)] #[allow(deprecated)] pub fn accept(self, stream: S) -> Result, HandshakeError> @@ -2656,10 +2643,6 @@ impl SslRef { } /// Enables the DTLS extension "use_srtp" as defined in RFC5764. - /// - /// This corresponds to [`SSL_set_tlsext_use_srtp`]. - /// - /// [`SSL_set_tlsext_use_srtp`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_tlsext_use_srtp.html #[corresponds(SSL_set_tlsext_use_srtp)] pub fn set_tlsext_use_srtp(&mut self, protocols: &str) -> Result<(), ErrorStack> { unsafe { @@ -2678,10 +2661,6 @@ impl SslRef { /// Gets all SRTP profiles that are enabled for handshake via set_tlsext_use_srtp /// /// DTLS extension "use_srtp" as defined in RFC5764 has to be enabled. - /// - /// This corresponds to [`SSL_get_srtp_profiles`]. - /// - /// [`SSL_get_srtp_profiles`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_tlsext_use_srtp.html #[corresponds(SSL_get_srtp_profiles)] pub fn srtp_profiles(&self) -> Option<&StackRef> { unsafe { @@ -3526,9 +3505,7 @@ where { /// Restarts the handshake process. /// - /// This corresponds to [`SSL_do_handshake`]. - /// - /// [`SSL_do_handshake`]: https://www.openssl.org/docs/manmaster/man3/SSL_do_handshake.html + #[corresponds(SSL_do_handshake)] pub fn handshake(mut self) -> Result, HandshakeError> { match self.stream.do_handshake() { Ok(()) => Ok(self.stream), 
@@ -4056,10 +4033,7 @@ where /// `accept`. If a HelloRetryRequest containing a fresh cookie was /// transmitted, `Ok(false)` is returned instead. If the handshake cannot /// proceed at all, `Err` is returned. - /// - /// This corresponds to [`SSL_stateless`] - /// - /// [`SSL_stateless`]: https://www.openssl.org/docs/manmaster/man3/SSL_stateless.html + #[corresponds(SSL_stateless)] #[cfg(ossl111)] pub fn stateless(&mut self) -> Result { match unsafe { ffi::SSL_stateless(self.inner.ssl.as_ptr()) } { @@ -4071,19 +4045,13 @@ where } /// Configure as an outgoing stream from a client. - /// - /// This corresponds to [`SSL_set_connect_state`]. - /// - /// [`SSL_set_connect_state`]: https://www.openssl.org/docs/manmaster/man3/SSL_set_connect_state.html + #[corresponds(SSL_set_connect_state)] pub fn set_connect_state(&mut self) { unsafe { ffi::SSL_set_connect_state(self.inner.ssl.as_ptr()) } } /// Configure as an incoming stream to a server. - /// - /// This corresponds to [`SSL_set_accept_state`]. - /// - /// [`SSL_set_accept_state`]: https://www.openssl.org/docs/manmaster/man3/SSL_set_accept_state.html + #[corresponds(SSL_set_accept_state)] pub fn set_accept_state(&mut self) { unsafe { ffi::SSL_set_accept_state(self.inner.ssl.as_ptr()) } } @@ -4129,10 +4097,7 @@ where /// Initiates the handshake. /// /// This will fail if `set_accept_state` or `set_connect_state` was not called first. - /// - /// This corresponds to [`SSL_do_handshake`]. - /// - /// [`SSL_do_handshake`]: https://www.openssl.org/docs/manmaster/man3/SSL_do_handshake.html + #[corresponds(SSL_do_handshake)] pub fn handshake(mut self) -> Result, HandshakeError> { match self.inner.do_handshake() { Ok(()) => Ok(self.inner), 
@@ -4160,10 +4125,7 @@ where /// Returns `Ok(0)` if all early data has been read. /// /// Requires OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer. - /// - /// This corresponds to [`SSL_read_early_data`]. - /// - /// [`SSL_read_early_data`]: https://www.openssl.org/docs/manmaster/man3/SSL_read_early_data.html + #[corresponds(SSL_read_early_data)] #[cfg(any(ossl111, libressl340))] pub fn read_early_data(&mut self, buf: &mut [u8]) -> Result { self.inner.read_early_data(buf) @@ -4175,10 +4137,7 @@ where /// `set_connect_state` first. /// /// Requires OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer. - /// - /// This corresponds to [`SSL_write_early_data`]. - /// - /// [`SSL_write_early_data`]: https://www.openssl.org/docs/manmaster/man3/SSL_write_early_data.html + #[corresponds(SSL_write_early_data)] #[cfg(any(ossl111, libressl340))] pub fn write_early_data(&mut self, buf: &[u8]) -> Result { self.inner.write_early_data(buf) diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 0aae69db4f..3929c59404 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -57,6 +57,7 @@ use crate::error::ErrorStack; use crate::nid::Nid; use cfg_if::cfg_if; use foreign_types::ForeignTypeRef; +use openssl_macros::corresponds; #[derive(Copy, Clone)] pub enum Mode { @@ -74,10 +75,7 @@ pub struct Cipher(*const ffi::EVP_CIPHER); impl Cipher { /// Looks up the cipher for a certain nid. - /// - /// This corresponds to [`EVP_get_cipherbynid`] - /// - /// [`EVP_get_cipherbynid`]: https://www.openssl.org/docs/manmaster/crypto/EVP_get_cipherbyname.html + #[corresponds(EVP_get_cipherbynid)] pub fn from_nid(nid: Nid) -> Option { let ptr = unsafe { ffi::EVP_get_cipherbyname(ffi::OBJ_nid2sn(nid.as_raw())) }; if ptr.is_null() { 
@@ -88,10 +86,7 @@ impl Cipher { } /// Returns the cipher's Nid. - /// - /// This corresponds to [`EVP_CIPHER_nid`] - /// - /// [`EVP_CIPHER_nid`]: https://www.openssl.org/docs/manmaster/crypto/EVP_CIPHER_nid.html + #[corresponds(EVP_CIPHER_nid)] pub fn nid(&self) -> Nid { let nid = unsafe { ffi::EVP_CIPHER_nid(self.0) }; Nid::from_raw(nid) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index e583518dae..d0cd00e3e6 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1085,10 +1085,7 @@ impl X509NameBuilder { } /// Add a field entry by str. - /// - /// This corresponds to [`X509_NAME_add_entry_by_txt`]. - /// - /// [`X509_NAME_add_entry_by_txt`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_txt.html + #[corresponds(X509_NAME_add_entry_by_txt)] pub fn append_entry_by_text(&mut self, field: &str, value: &str) -> Result<(), ErrorStack> { unsafe { let field = CString::new(field).unwrap(); @@ -1107,10 +1104,7 @@ impl X509NameBuilder { } /// Add a field entry by str with a specific type. - /// - /// This corresponds to [`X509_NAME_add_entry_by_txt`]. - /// - /// [`X509_NAME_add_entry_by_txt`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_txt.html + #[corresponds(X509_NAME_add_entry_by_txt)] pub fn append_entry_by_text_with_type( &mut self, field: &str, @@ -1134,10 +1128,7 @@ impl X509NameBuilder { } /// Add a field entry by NID. - /// - /// This corresponds to [`X509_NAME_add_entry_by_NID`]. - /// - /// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_NID.html + #[corresponds(X509_NAME_add_entry_by_NID)] pub fn append_entry_by_nid(&mut self, field: Nid, value: &str) -> Result<(), ErrorStack> { unsafe { assert!(value.len() <= crate::SLenType::MAX as usize); 
@@ -1155,10 +1146,7 @@ impl X509NameBuilder { } /// Add a field entry by NID with a specific type. - /// - /// This corresponds to [`X509_NAME_add_entry_by_NID`]. - /// - /// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_NID.html + #[corresponds(X509_NAME_add_entry_by_NID)] pub fn append_entry_by_nid_with_type( &mut self, field: Nid, @@ -1336,10 +1324,7 @@ foreign_type_and_impl_send_sync! { impl X509NameEntryRef { /// Returns the field value of an `X509NameEntry`. - /// - /// This corresponds to [`X509_NAME_ENTRY_get_data`]. - /// - /// [`X509_NAME_ENTRY_get_data`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_ENTRY_get_data.html + #[corresponds(X509_NAME_ENTRY_get_data)] pub fn data(&self) -> &Asn1StringRef { unsafe { let data = ffi::X509_NAME_ENTRY_get_data(self.as_ptr()); @@ -1349,10 +1334,7 @@ impl X509NameEntryRef { /// Returns the `Asn1Object` value of an `X509NameEntry`. /// This is useful for finding out about the actual `Nid` when iterating over all `X509NameEntries`. - /// - /// This corresponds to [`X509_NAME_ENTRY_get_object`]. - /// - /// [`X509_NAME_ENTRY_get_object`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_ENTRY_get_object.html + #[corresponds(X509_NAME_ENTRY_get_object)] pub fn object(&self) -> &Asn1ObjectRef { unsafe { let object = ffi::X509_NAME_ENTRY_get_object(self.as_ptr()); @@ -1372,10 +1354,7 @@ pub struct X509ReqBuilder(X509Req); impl X509ReqBuilder { /// Returns a builder for a certificate request. - /// - /// This corresponds to [`X509_REQ_new`]. - /// - ///[`X509_REQ_new`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_new.html + #[corresponds(X509_REQ_new)] pub fn new() -> Result { unsafe { ffi::init(); 
@@ -1384,10 +1363,7 @@ impl X509ReqBuilder { } /// Set the numerical value of the version field. - /// - /// This corresponds to [`X509_REQ_set_version`]. - /// - ///[`X509_REQ_set_version`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_set_version.html + #[corresponds(X509_REQ_set_version)] #[allow(clippy::useless_conversion)] pub fn set_version(&mut self, version: i32) -> Result<(), ErrorStack> { unsafe { @@ -1400,10 +1376,7 @@ impl X509ReqBuilder { } /// Set the issuer name. - /// - /// This corresponds to [`X509_REQ_set_subject_name`]. - /// - /// [`X509_REQ_set_subject_name`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_set_subject_name.html + #[corresponds(X509_REQ_set_subject_name)] pub fn set_subject_name(&mut self, subject_name: &X509NameRef) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_REQ_set_subject_name( @@ -1415,10 +1388,7 @@ impl X509ReqBuilder { } /// Set the public key. - /// - /// This corresponds to [`X509_REQ_set_pubkey`]. - /// - /// [`X509_REQ_set_pubkey`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_set_pubkey.html + #[corresponds(X509_REQ_set_pubkey)] pub fn set_pubkey(&mut self, key: &PKeyRef) -> Result<(), ErrorStack> where T: HasPublic, @@ -1465,10 +1435,7 @@ impl X509ReqBuilder { } /// Sign the request using a private key. - /// - /// This corresponds to [`X509_REQ_sign`]. - /// - /// [`X509_REQ_sign`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_sign.html + #[corresponds(X509_REQ_sign)] pub fn sign(&mut self, key: &PKeyRef, hash: MessageDigest) -> Result<(), ErrorStack> where T: HasPrivate, 
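Review bot: `set_subject_name` is documented as "Set the issuer name." in the `@@ -1400,10 +1376,7 @@` hunk, yet the attribute added directly below it is `#[corresponds(X509_REQ_set_subject_name)]` and the parameter is `subject_name`. The summary line should be `/// Set the subject name.` so the doc agrees with the OpenSSL function it now links to.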
@@ -1561,20 +1528,14 @@ impl X509ReqRef { } /// Returns the numerical value of the version field of the certificate request. - /// - /// This corresponds to [`X509_REQ_get_version`] - /// - /// [`X509_REQ_get_version`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_version.html + #[corresponds(X509_REQ_get_version)] #[allow(clippy::unnecessary_cast)] pub fn version(&self) -> i32 { unsafe { X509_REQ_get_version(self.as_ptr()) as i32 } } /// Returns the subject name of the certificate request. - /// - /// This corresponds to [`X509_REQ_get_subject_name`] - /// - /// [`X509_REQ_get_subject_name`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_subject_name.html + #[corresponds(X509_REQ_get_subject_name)] pub fn subject_name(&self) -> &X509NameRef { unsafe { let name = X509_REQ_get_subject_name(self.as_ptr()); @@ -1583,10 +1544,7 @@ impl X509ReqRef { } /// Returns the public key of the certificate request. - /// - /// This corresponds to [`X509_REQ_get_pubkey"] - /// - /// [`X509_REQ_get_pubkey`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_pubkey.html + #[corresponds(X509_REQ_get_pubkey)] pub fn public_key(&self) -> Result, ErrorStack> { unsafe { let key = cvt_p(ffi::X509_REQ_get_pubkey(self.as_ptr()))?; @@ -1597,10 +1555,7 @@ impl X509ReqRef { /// Check if the certificate request is signed using the given public key. /// /// Returns `true` if verification succeeds. - /// - /// This corresponds to [`X509_REQ_verify"]. - /// - /// [`X509_REQ_verify`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_verify.html + #[corresponds(X509_REQ_verify)] pub fn verify(&self, key: &PKeyRef) -> Result where T: HasPublic, 
@@ -1609,8 +1564,7 @@ impl X509ReqRef { } /// Returns the extensions of the certificate request. - /// - /// This corresponds to [`X509_REQ_get_extensions"] + #[corresponds(X509_REQ_get_extensions)] pub fn extensions(&self) -> Result, ErrorStack> { unsafe { let extensions = cvt_p(ffi::X509_REQ_get_extensions(self.as_ptr()))?; @@ -2012,10 +1966,7 @@ impl X509VerifyResult { } /// Return a human readable error string from the verification error. - /// - /// This corresponds to [`X509_verify_cert_error_string`]. - /// - /// [`X509_verify_cert_error_string`]: https://www.openssl.org/docs/manmaster/crypto/X509_verify_cert_error_string.html + #[corresponds(X509_verify_cert_error_string)] #[allow(clippy::trivially_copy_pass_by_ref)] pub fn error_string(&self) -> &'static str { ffi::init(); From 4d49588a78f127296cbc463f4e807abf32176116 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 25 Aug 2024 16:25:31 -0400 Subject: [PATCH 17/69] Don't leave errors on the stack in `MdCtxRef::digest_verify_final` --- openssl/src/md_ctx.rs | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/openssl/src/md_ctx.rs b/openssl/src/md_ctx.rs index 30e0337b47..36be3e9964 100644 --- a/openssl/src/md_ctx.rs +++ b/openssl/src/md_ctx.rs @@ -85,7 +85,7 @@ use crate::error::ErrorStack; use crate::md::MdRef; use crate::pkey::{HasPrivate, HasPublic, PKeyRef}; use crate::pkey_ctx::PkeyCtxRef; -use crate::{cvt, cvt_n, cvt_p}; +use crate::{cvt, cvt_p}; use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; use openssl_macros::corresponds; 
@@ -309,12 +309,21 @@ impl MdCtxRef { #[inline] pub fn digest_verify_final(&mut self, signature: &[u8]) -> Result { unsafe { - let r = cvt_n(ffi::EVP_DigestVerifyFinal( + let r = ffi::EVP_DigestVerifyFinal( self.as_ptr(), signature.as_ptr() as *mut _, signature.len(), - ))?; - Ok(r == 1) + ); + if r == 1 { + Ok(true) + } else { + let errors = ErrorStack::get(); + if errors.errors().is_empty() { + Ok(false) + } else { + Err(errors) + } + } } } @@ -424,8 +433,11 @@ mod test { ctx.digest_verify_init(Some(md), &key1).unwrap(); ctx.digest_verify_update(bad_data).unwrap(); - let valid = ctx.digest_verify_final(&signature).unwrap(); - assert!(!valid); + assert!(matches!( + ctx.digest_verify_final(&signature), + Ok(false) | Err(_) + )); + assert!(ErrorStack::get().errors().is_empty()); } #[test] From 669b7d84d8523a52c24445f407aa8997599ad532 Mon Sep 17 00:00:00 2001 From: Kornel Date: Wed, 28 Aug 2024 15:03:29 +0100 Subject: [PATCH 18/69] Explicit rustfmt config --- .rustfmt.toml | 1 + 1 file changed, 1 insertion(+) create mode 100644 .rustfmt.toml diff --git a/.rustfmt.toml b/.rustfmt.toml new file mode 100644 index 0000000000..bcb7e2d7f8 --- /dev/null +++ b/.rustfmt.toml @@ -0,0 +1 @@ +# this project uses the default rustfmt settings From dbf2d68359e3c539515c8efbd6676b6c60a7bf22 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 30 Aug 2024 14:34:42 +0200 Subject: [PATCH 19/69] db_meth will be removed from X509V3_CTX --- openssl-sys/src/handwritten/types.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index 8c69c3efb3..593e20cdb2 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -472,6 +472,7 @@ pub struct X509V3_CTX { subject_cert: *mut c_void, subject_req: *mut c_void, crl: *mut c_void, + #[cfg(not(libressl400))] db_meth: *mut c_void, db: *mut c_void, #[cfg(ossl300)] From 337325d6100ec4add6ea45d7aed0f2bf712386d5 Mon Sep 17 00:00:00 2001 
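Review bot: In `digest_verify_final` (openssl/src/md_ctx.rs, hunk at -309) a signature that does not verify can now come back as either `Ok(false)` or `Err(..)`, depending on whether OpenSSL queued an error, and the updated test in the hunk at -424 accepts both. The doc comment, which starts above the hunk, should say that only `Ok(true)` means the signature verified, for example `/// Returns Ok(true) only if the signature is valid; Ok(false) and Err both mean it was not verified.` Because `ErrorStack::get()` drains the whole error queue, an error left behind by an earlier call would presumably also surface here as `Err`. That still fails closed, but it deserves a short why-comment on the `else` branch.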
From: Theo Buehler Date: Fri, 30 Aug 2024 14:45:32 +0200 Subject: [PATCH 20/69] disable the conf module for LibreSSL 4 --- openssl/build.rs | 4 ++++ openssl/src/conf.rs | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/openssl/build.rs b/openssl/build.rs index 16101ea309..41a047d97f 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -31,6 +31,7 @@ fn main() { println!("cargo:rustc-check-cfg=cfg(libressl380)"); println!("cargo:rustc-check-cfg=cfg(libressl382)"); println!("cargo:rustc-check-cfg=cfg(libressl390)"); + println!("cargo:rustc-check-cfg=cfg(libressl400)"); println!("cargo:rustc-check-cfg=cfg(ossl101)"); println!("cargo:rustc-check-cfg=cfg(ossl102)"); @@ -112,6 +113,9 @@ fn main() { if version >= 0x3_09_00_00_0 { println!("cargo:rustc-cfg=libressl390"); } + if version >= 0x4_00_00_00_0 { + println!("cargo:rustc-cfg=libressl400"); + } } if let Ok(vars) = env::var("DEP_OPENSSL_CONF") { diff --git a/openssl/src/conf.rs b/openssl/src/conf.rs index 715519c595..88740298b3 100644 --- a/openssl/src/conf.rs +++ b/openssl/src/conf.rs @@ -8,7 +8,7 @@ foreign_type_and_impl_send_sync! { pub struct ConfRef; } -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, libressl400)))] mod methods { use super::Conf; use crate::cvt_p; @@ -61,5 +61,5 @@ mod methods { } } } -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, libressl400)))] pub use methods::*; From 44c2be5792ae2839e6308c59e66338f5bd6900be Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 30 Aug 2024 14:35:15 +0200 Subject: [PATCH 21/69] const correct NCONF_new(), remove NCONF_default() --- openssl-sys/src/handwritten/conf.rs | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/conf.rs b/openssl-sys/src/handwritten/conf.rs index 2348d7d4c9..fa05c5554f 100644 --- a/openssl-sys/src/handwritten/conf.rs +++ b/openssl-sys/src/handwritten/conf.rs 
@@ -1,7 +1,13 @@ use super::super::*; +const_ptr_api! { + extern "C" { + pub fn NCONF_new(meth: #[const_ptr_if(libressl400)] CONF_METHOD) -> *mut CONF; + } +} + extern "C" { - pub fn NCONF_new(meth: *mut CONF_METHOD) -> *mut CONF; + #[cfg(not(libressl400))] pub fn NCONF_default() -> *mut CONF_METHOD; pub fn NCONF_free(conf: *mut CONF); } From 3291ea16ef45f5d5632159137ff3e9ce8e114ecd Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 31 Aug 2024 13:07:53 -0700 Subject: [PATCH 22/69] add basic EVP_KDF bindings --- openssl-sys/src/handwritten/kdf.rs | 8 ++++++++ openssl-sys/src/handwritten/params.rs | 7 +++++++ openssl-sys/src/handwritten/types.rs | 5 +++++ 3 files changed, 20 insertions(+) diff --git a/openssl-sys/src/handwritten/kdf.rs b/openssl-sys/src/handwritten/kdf.rs index 0f14b63a9c..d34f27450c 100644 --- a/openssl-sys/src/handwritten/kdf.rs +++ b/openssl-sys/src/handwritten/kdf.rs @@ -21,6 +21,14 @@ cfg_if! { info: *const u8, infolen: c_int, ) -> c_int; + pub fn EVP_KDF_CTX_new(kdf: *mut EVP_KDF) -> *mut EVP_KDF_CTX; + pub fn EVP_KDF_CTX_free(ctx: *mut EVP_KDF_CTX); + pub fn EVP_KDF_CTX_reset(ctx: *mut EVP_KDF_CTX); + pub fn EVP_KDF_CTX_get_kdf_size(ctx: *mut EVP_KDF_CTX) -> size_t; + pub fn EVP_KDF_derive(ctx: *mut EVP_KDF_CTX, key: *mut u8, keylen: size_t, params: *const OSSL_PARAM) -> c_int; + pub fn EVP_KDF_fetch(ctx: *mut OSSL_LIB_CTX, algorithm: *const c_char, properties: *const c_char) -> *mut EVP_KDF; + pub fn EVP_KDF_free(kdf: *mut EVP_KDF); } + } } diff --git a/openssl-sys/src/handwritten/params.rs b/openssl-sys/src/handwritten/params.rs index 3ed00c0488..542cef3374 100644 --- a/openssl-sys/src/handwritten/params.rs +++ b/openssl-sys/src/handwritten/params.rs 
@@ -6,4 +6,11 @@ extern "C" { pub fn OSSL_PARAM_construct_uint(key: *const c_char, buf: *mut c_uint) -> OSSL_PARAM; #[cfg(ossl300)] pub fn OSSL_PARAM_construct_end() -> OSSL_PARAM; + #[cfg(ossl300)] + pub fn OSSL_PARAM_construct_octet_string( + key: *const c_char, + buf: *mut c_void, + bsize: size_t, + ) -> OSSL_PARAM; + } diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index 593e20cdb2..df7d050da8 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -1139,3 +1139,8 @@ pub struct OSSL_PARAM { data_size: size_t, return_size: size_t, } + +#[cfg(ossl300)] +pub enum EVP_KDF {} +#[cfg(ossl300)] +pub enum EVP_KDF_CTX {} \ No newline at end of file From 3ed6fe2a010bcc49d31fd0715f18bb87db34775b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 31 Aug 2024 13:15:44 -0700 Subject: [PATCH 23/69] fmt --- openssl-sys/src/handwritten/types.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index df7d050da8..d465a44148 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -1143,4 +1143,4 @@ pub struct OSSL_PARAM { #[cfg(ossl300)] pub enum EVP_KDF {} #[cfg(ossl300)] -pub enum EVP_KDF_CTX {} \ No newline at end of file +pub enum EVP_KDF_CTX {} From 2d340cb6b0df569ebd8ffe03a7cd75cd2c1efbf0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 31 Aug 2024 13:28:39 -0700 Subject: [PATCH 24/69] add argon2id support for ossl 3.2+ --- openssl/src/argon2.rs | 147 ++++++++++++++++++++++++++++++++++++++++++ openssl/src/lib.rs | 2 + 2 files changed, 149 insertions(+) create mode 100644 openssl/src/argon2.rs diff --git a/openssl/src/argon2.rs b/openssl/src/argon2.rs new file mode 100644 index 0000000000..af9fda00d9 --- /dev/null +++ b/openssl/src/argon2.rs 
@@ -0,0 +1,147 @@ +use libc::c_void; +use std::ffi::CStr; +use std::ptr; + +use crate::error::ErrorStack; +use crate::{cvt, cvt_p}; + +/// Derives a key using the argon2id algorithm. +/// +/// Requires OpenSSL 3.2.0 or newer. +#[allow(clippy::too_many_arguments)] +pub fn argon2id( + pass: &[u8], + salt: &[u8], + ad: Option<&[u8]>, + secret: Option<&[u8]>, + mut iter: u32, + mut threads: u32, + mut lanes: u32, + mut memcost: u32, + out: &mut [u8], +) -> Result<(), ErrorStack> { + // We only support single-threaded operation for now since rust-openssl doesn't + // bind OSSL_set_max_threads + assert!(threads == 1); + let pass_field = CStr::from_bytes_with_nul(b"pass\0").unwrap(); + let salt_field = CStr::from_bytes_with_nul(b"salt\0").unwrap(); + let ad_field = CStr::from_bytes_with_nul(b"ad\0").unwrap(); + let secret_field = CStr::from_bytes_with_nul(b"secret\0").unwrap(); + let iter_field = CStr::from_bytes_with_nul(b"iter\0").unwrap(); + let size_field = CStr::from_bytes_with_nul(b"size\0").unwrap(); + let threads_field = CStr::from_bytes_with_nul(b"threads\0").unwrap(); + let lanes_field = CStr::from_bytes_with_nul(b"lanes\0").unwrap(); + let memcost_field = CStr::from_bytes_with_nul(b"memcost\0").unwrap(); + unsafe { + ffi::init(); + let mut params = vec![]; + let param_pass = ffi::OSSL_PARAM_construct_octet_string( + pass_field.as_ptr(), + pass.as_ptr() as *mut c_void, + pass.len(), + ); + params.push(param_pass); + let param_salt = ffi::OSSL_PARAM_construct_octet_string( + salt_field.as_ptr(), + salt.as_ptr() as *mut c_void, + salt.len(), + ); + params.push(param_salt); + if let Some(ad) = ad { + let param_ad = ffi::OSSL_PARAM_construct_octet_string( + ad_field.as_ptr(), + ad.as_ptr() as *mut c_void, + ad.len(), + ); + params.push(param_ad); + } + if let Some(secret) = secret { + let param_secret = ffi::OSSL_PARAM_construct_octet_string( + secret_field.as_ptr(), + secret.as_ptr() as *mut c_void, + secret.len(), + ); + params.push(param_secret); + } + let 
param_threads = ffi::OSSL_PARAM_construct_uint(threads_field.as_ptr(), &mut threads); + params.push(param_threads); + let param_lanes = ffi::OSSL_PARAM_construct_uint(lanes_field.as_ptr(), &mut lanes); + params.push(param_lanes); + let param_memcost = ffi::OSSL_PARAM_construct_uint(memcost_field.as_ptr(), &mut memcost); + params.push(param_memcost); + let param_iter = ffi::OSSL_PARAM_construct_uint(iter_field.as_ptr(), &mut iter); + params.push(param_iter); + let mut size = out.len() as u32; + let param_size = ffi::OSSL_PARAM_construct_uint(size_field.as_ptr(), &mut size); + params.push(param_size); + let param_end = ffi::OSSL_PARAM_construct_end(); + params.push(param_end); + + let argon2id_field = CStr::from_bytes_with_nul(b"ARGON2ID\0").unwrap(); + let argon2 = cvt_p(ffi::EVP_KDF_fetch( + ptr::null_mut(), + argon2id_field.as_ptr(), + ptr::null(), + ))?; // This needs to be freed + let ctx = cvt_p(ffi::EVP_KDF_CTX_new(argon2))?; // this also needs to be freed + cvt(ffi::EVP_KDF_derive( + ctx, + out.as_mut_ptr(), + out.len(), + params.as_ptr(), + )) + .map(|_| ()) + } +} + +#[cfg(test)] +mod tests { + #[test] + fn argon2id() { + // RFC 9106 test vector for argon2id + let pass = hex::decode("0101010101010101010101010101010101010101010101010101010101010101") + .unwrap(); + let salt = hex::decode("02020202020202020202020202020202").unwrap(); + let secret = hex::decode("0303030303030303").unwrap(); + let ad = hex::decode("040404040404040404040404").unwrap(); + let expected = "0d640df58d78766c08c037a34a8b53c9d01ef0452d75b65eb52520e96b01e659"; + + let mut actual = [0 as u8; 32]; + super::argon2id( + &pass, + &salt, + Some(&ad), + Some(&secret), + 3, + 1, + 4, + 32, + &mut actual, + ) + .unwrap(); + assert_eq!(hex::encode(&actual[..]), expected); + } + + #[test] + fn argon2id_no_ad_secret() { + // Test vector from OpenSSL + let pass = ""; + let salt = hex::decode("02020202020202020202020202020202").unwrap(); + let expected = 
"0a34f1abde67086c82e785eaf17c68382259a264f4e61b91cd2763cb75ac189a"; + + let mut actual = [0 as u8; 32]; + super::argon2id( + &pass.as_bytes(), + &salt, + None, + None, + 3, + 1, + 4, + 32, + &mut actual, + ) + .unwrap(); + assert_eq!(hex::encode(&actual[..]), expected); + } +} diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 555eda9720..1ba33349ba 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -147,6 +147,8 @@ mod bio; #[macro_use] mod util; pub mod aes; +#[cfg(ossl320)] +pub mod argon2; pub mod asn1; pub mod base64; pub mod bn; From 6ed35b28f8d6a54a4103858fbc7db24655e07822 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 31 Aug 2024 19:29:01 -0700 Subject: [PATCH 25/69] review feedback, support OPENSSL_NO_ARGON2 --- openssl/build.rs | 2 +- openssl/src/argon2.rs | 70 +++++++++++++++++++++++++++---------------- openssl/src/lib.rs | 1 + 3 files changed, 46 insertions(+), 27 deletions(-) diff --git a/openssl/build.rs b/openssl/build.rs index 41a047d97f..33372efd51 100644 --- a/openssl/build.rs +++ b/openssl/build.rs 
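Review bot: In the new `argon2id` (openssl/src/argon2.rs), `let mut size = out.len() as u32;` silently truncates when `out` is longer than `u32::MAX` bytes, so the `size` parameter given to the KDF would disagree with the `out.len()` passed to `EVP_KDF_derive`. Reject an over-long buffer before building the parameters, for example by computing the value with `u32::try_from(out.len())` and returning an error on failure instead of casting. The same cast is carried into the rewritten parameter block in PATCH 27 and into openssl/src/kdf.rs in PATCH 29. Separately, `assert!(threads == 1)` panics on caller-supplied input in a public function, so a `# Panics` section in the doc comment would make that visible.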
@@ -7,7 +7,7 @@ use std::env; fn main() { - println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_EC\"))"); + println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_EC\", \"OPENSSL_NO_ARGON2\"))"); println!("cargo:rustc-check-cfg=cfg(libressl)"); println!("cargo:rustc-check-cfg=cfg(boringssl)"); diff --git a/openssl/src/argon2.rs b/openssl/src/argon2.rs index af9fda00d9..1e955b6ad4 100644 --- a/openssl/src/argon2.rs +++ b/openssl/src/argon2.rs @@ -1,10 +1,33 @@ -use libc::c_void; -use std::ffi::CStr; +use std::ffi::c_void; use std::ptr; use crate::error::ErrorStack; use crate::{cvt, cvt_p}; +struct EvpKdf { + kdf: *mut ffi::EVP_KDF, +} + +impl Drop for EvpKdf { + fn drop(&mut self) { + unsafe { + ffi::EVP_KDF_free(self.kdf); + } + } +} + +struct EvpKdfCtx { + ctx: *mut ffi::EVP_KDF_CTX, +} + +impl Drop for EvpKdfCtx { + fn drop(&mut self) { + unsafe { + ffi::EVP_KDF_CTX_free(self.ctx); + } + } +} + /// Derives a key using the argon2id algorithm. /// /// Requires OpenSSL 3.2.0 or newer. 
@@ -23,33 +46,24 @@ pub fn argon2id( // We only support single-threaded operation for now since rust-openssl doesn't // bind OSSL_set_max_threads assert!(threads == 1); - let pass_field = CStr::from_bytes_with_nul(b"pass\0").unwrap(); - let salt_field = CStr::from_bytes_with_nul(b"salt\0").unwrap(); - let ad_field = CStr::from_bytes_with_nul(b"ad\0").unwrap(); - let secret_field = CStr::from_bytes_with_nul(b"secret\0").unwrap(); - let iter_field = CStr::from_bytes_with_nul(b"iter\0").unwrap(); - let size_field = CStr::from_bytes_with_nul(b"size\0").unwrap(); - let threads_field = CStr::from_bytes_with_nul(b"threads\0").unwrap(); - let lanes_field = CStr::from_bytes_with_nul(b"lanes\0").unwrap(); - let memcost_field = CStr::from_bytes_with_nul(b"memcost\0").unwrap(); unsafe { ffi::init(); let mut params = vec![]; let param_pass = ffi::OSSL_PARAM_construct_octet_string( - pass_field.as_ptr(), + b"pass\0".as_ptr() as *const i8, pass.as_ptr() as *mut c_void, pass.len(), ); params.push(param_pass); let param_salt = ffi::OSSL_PARAM_construct_octet_string( - salt_field.as_ptr(), + b"salt\0".as_ptr() as *const i8, salt.as_ptr() as *mut c_void, salt.len(), ); params.push(param_salt); if let Some(ad) = ad { let param_ad = ffi::OSSL_PARAM_construct_octet_string( - ad_field.as_ptr(), + b"ad\0".as_ptr() as *const i8, ad.as_ptr() as *mut c_void, ad.len(), ); 
@@ -57,35 +71,39 @@ pub fn argon2id( } if let Some(secret) = secret { let param_secret = ffi::OSSL_PARAM_construct_octet_string( - secret_field.as_ptr(), + b"secret\0".as_ptr() as *const i8, secret.as_ptr() as *mut c_void, secret.len(), ); params.push(param_secret); } - let param_threads = ffi::OSSL_PARAM_construct_uint(threads_field.as_ptr(), &mut threads); + let param_threads = + ffi::OSSL_PARAM_construct_uint(b"threads\0".as_ptr() as *const i8, &mut threads); params.push(param_threads); - let param_lanes = ffi::OSSL_PARAM_construct_uint(lanes_field.as_ptr(), &mut lanes); + let param_lanes = + ffi::OSSL_PARAM_construct_uint(b"lanes\0".as_ptr() as *const i8, &mut lanes); params.push(param_lanes); - let param_memcost = ffi::OSSL_PARAM_construct_uint(memcost_field.as_ptr(), &mut memcost); + let param_memcost = + ffi::OSSL_PARAM_construct_uint(b"memcost\0".as_ptr() as *const i8, &mut memcost); params.push(param_memcost); - let param_iter = ffi::OSSL_PARAM_construct_uint(iter_field.as_ptr(), &mut iter); + let param_iter = ffi::OSSL_PARAM_construct_uint(b"iter\0".as_ptr() as *const i8, &mut iter); params.push(param_iter); let mut size = out.len() as u32; - let param_size = ffi::OSSL_PARAM_construct_uint(size_field.as_ptr(), &mut size); + let param_size = ffi::OSSL_PARAM_construct_uint(b"size\0".as_ptr() as *const i8, &mut size); params.push(param_size); let param_end = ffi::OSSL_PARAM_construct_end(); params.push(param_end); - let argon2id_field = CStr::from_bytes_with_nul(b"ARGON2ID\0").unwrap(); - let argon2 = cvt_p(ffi::EVP_KDF_fetch( + let argon2_p = cvt_p(ffi::EVP_KDF_fetch( ptr::null_mut(), - argon2id_field.as_ptr(), + b"ARGON2ID\0".as_ptr() as *const i8, ptr::null(), - ))?; // This needs to be freed - let ctx = cvt_p(ffi::EVP_KDF_CTX_new(argon2))?; // this also needs to be freed + ))?; + let argon2 = EvpKdf { kdf: argon2_p }; + let ctx_p = cvt_p(ffi::EVP_KDF_CTX_new(argon2.kdf))?; + let ctx = EvpKdfCtx { ctx: ctx_p }; cvt(ffi::EVP_KDF_derive( - ctx, + ctx.ctx, 
out.as_mut_ptr(), out.len(), params.as_ptr(), diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 1ba33349ba..d758d50852 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -148,6 +148,7 @@ mod bio; mod util; pub mod aes; #[cfg(ossl320)] +#[cfg(all(ossl320, not(osslconf = "OPENSSL_NO_ARGON2")))] pub mod argon2; pub mod asn1; pub mod base64; From 05d9f2ef6e70f6b610b0f94ee308e87ad00a7c39 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 31 Aug 2024 20:20:10 -0700 Subject: [PATCH 26/69] simplify, use CStr to hopefully handle i8/u8 nonsense --- openssl/src/argon2.rs | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/openssl/src/argon2.rs b/openssl/src/argon2.rs index 1e955b6ad4..f46bdc2aff 100644 --- a/openssl/src/argon2.rs +++ b/openssl/src/argon2.rs @@ -1,29 +1,25 @@ -use std::ffi::c_void; +use std::ffi::{c_void, CStr}; use std::ptr; use crate::error::ErrorStack; use crate::{cvt, cvt_p}; -struct EvpKdf { - kdf: *mut ffi::EVP_KDF, -} +struct EvpKdf(*mut ffi::EVP_KDF); impl Drop for EvpKdf { fn drop(&mut self) { unsafe { - ffi::EVP_KDF_free(self.kdf); + ffi::EVP_KDF_free(self.0); } } } -struct EvpKdfCtx { - ctx: *mut ffi::EVP_KDF_CTX, -} +struct EvpKdfCtx(*mut ffi::EVP_KDF_CTX); impl Drop for EvpKdfCtx { fn drop(&mut self) { unsafe { - ffi::EVP_KDF_CTX_free(self.ctx); + ffi::EVP_KDF_CTX_free(self.0); } } } 
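Review bot: In openssl/src/lib.rs the older `#[cfg(ossl320)]` is left in place directly above the new `#[cfg(all(ossl320, not(osslconf = "OPENSSL_NO_ARGON2")))]` on `pub mod argon2;`. The two attributes combine, so the first is now redundant. Dropping it leaves a single gate that states the full condition.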
@@ -94,16 +90,17 @@ pub fn argon2id( let param_end = ffi::OSSL_PARAM_construct_end(); params.push(param_end); + let argon2id = CStr::from_bytes_with_nul(b"ARGON2ID\0").unwrap(); let argon2_p = cvt_p(ffi::EVP_KDF_fetch( ptr::null_mut(), - b"ARGON2ID\0".as_ptr() as *const i8, + argon2id.as_ptr(), ptr::null(), ))?; - let argon2 = EvpKdf { kdf: argon2_p }; - let ctx_p = cvt_p(ffi::EVP_KDF_CTX_new(argon2.kdf))?; - let ctx = EvpKdfCtx { ctx: ctx_p }; + let argon2 = EvpKdf(argon2_p); + let ctx_p = cvt_p(ffi::EVP_KDF_CTX_new(argon2.0))?; + let ctx = EvpKdfCtx(ctx_p); cvt(ffi::EVP_KDF_derive( - ctx.ctx, + ctx.0, out.as_mut_ptr(), out.len(), params.as_ptr(), From 04ffcf1e10d267a716376531ccbb0605a555bc70 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 31 Aug 2024 21:50:12 -0700 Subject: [PATCH 27/69] speeeeeeed --- openssl/src/argon2.rs | 51 ++++++++++++++++++++++--------------------- 1 file changed, 26 insertions(+), 25 deletions(-) diff --git a/openssl/src/argon2.rs b/openssl/src/argon2.rs index f46bdc2aff..f28c17794f 100644 --- a/openssl/src/argon2.rs +++ b/openssl/src/argon2.rs @@ -1,4 +1,5 @@ use std::ffi::{c_void, CStr}; +use std::mem::MaybeUninit; use std::ptr; use crate::error::ErrorStack; 
@@ -44,51 +45,51 @@ pub fn argon2id( assert!(threads == 1); unsafe { ffi::init(); - let mut params = vec![]; - let param_pass = ffi::OSSL_PARAM_construct_octet_string( + let mut params: [ffi::OSSL_PARAM; 10] = + core::array::from_fn(|_| MaybeUninit::::zeroed().assume_init()); + let mut idx = 0; + params[idx] = ffi::OSSL_PARAM_construct_octet_string( b"pass\0".as_ptr() as *const i8, pass.as_ptr() as *mut c_void, pass.len(), ); - params.push(param_pass); - let param_salt = ffi::OSSL_PARAM_construct_octet_string( + idx += 1; + params[idx] = ffi::OSSL_PARAM_construct_octet_string( b"salt\0".as_ptr() as *const i8, salt.as_ptr() as *mut c_void, salt.len(), ); - params.push(param_salt); + idx += 1; + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"threads\0".as_ptr() as *const i8, &mut threads); + idx += 1; + params[idx] = ffi::OSSL_PARAM_construct_uint(b"lanes\0".as_ptr() as *const i8, &mut lanes); + idx += 1; + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"memcost\0".as_ptr() as *const i8, &mut memcost); + idx += 1; + params[idx] = ffi::OSSL_PARAM_construct_uint(b"iter\0".as_ptr() as *const i8, &mut iter); + idx += 1; + let mut size = out.len() as u32; + params[idx] = ffi::OSSL_PARAM_construct_uint(b"size\0".as_ptr() as *const i8, &mut size); + idx += 1; if let Some(ad) = ad { - let param_ad = ffi::OSSL_PARAM_construct_octet_string( + params[idx] = ffi::OSSL_PARAM_construct_octet_string( b"ad\0".as_ptr() as *const i8, ad.as_ptr() as *mut c_void, ad.len(), ); - params.push(param_ad); + idx += 1; } if let Some(secret) = secret { - let param_secret = ffi::OSSL_PARAM_construct_octet_string( + params[idx] = ffi::OSSL_PARAM_construct_octet_string( b"secret\0".as_ptr() as *const i8, secret.as_ptr() as *mut c_void, secret.len(), ); - params.push(param_secret); + idx += 1; } - let param_threads = - ffi::OSSL_PARAM_construct_uint(b"threads\0".as_ptr() as *const i8, &mut threads); - params.push(param_threads); - let param_lanes = - 
ffi::OSSL_PARAM_construct_uint(b"lanes\0".as_ptr() as *const i8, &mut lanes); - params.push(param_lanes); - let param_memcost = - ffi::OSSL_PARAM_construct_uint(b"memcost\0".as_ptr() as *const i8, &mut memcost); - params.push(param_memcost); - let param_iter = ffi::OSSL_PARAM_construct_uint(b"iter\0".as_ptr() as *const i8, &mut iter); - params.push(param_iter); - let mut size = out.len() as u32; - let param_size = ffi::OSSL_PARAM_construct_uint(b"size\0".as_ptr() as *const i8, &mut size); - params.push(param_size); - let param_end = ffi::OSSL_PARAM_construct_end(); - params.push(param_end); + params[idx] = ffi::OSSL_PARAM_construct_end(); let argon2id = CStr::from_bytes_with_nul(b"ARGON2ID\0").unwrap(); let argon2_p = cvt_p(ffi::EVP_KDF_fetch( From 826f2a0a82e57ccd16941f75daa5e7bc24b5e89e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 1 Sep 2024 06:56:40 -0700 Subject: [PATCH 28/69] use c_char --- openssl/src/argon2.rs | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/openssl/src/argon2.rs b/openssl/src/argon2.rs index f28c17794f..836b45dce0 100644 --- a/openssl/src/argon2.rs +++ b/openssl/src/argon2.rs @@ -1,4 +1,4 @@ -use std::ffi::{c_void, CStr}; +use std::ffi::{c_char, c_void}; use std::mem::MaybeUninit; use std::ptr; 
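Review bot: The `unsafe` initialisation of the `params` array in `argon2id` (`MaybeUninit` … `zeroed().assume_init()`) has no `// SAFETY:` comment, and the length 10 is an unexplained invariant. Suggest `// SAFETY: assumes OSSL_PARAM holds only raw pointers and integers, for which all-zero bytes are a valid value` above it. Next to the array type, add `// 7 fixed parameters + optional ad and secret + the end marker`, since adding a parameter without growing the array would make `params[idx]` panic. The function body starts and ends outside this hunk.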
@@ -49,33 +49,36 @@ pub fn argon2id( core::array::from_fn(|_| MaybeUninit::::zeroed().assume_init()); let mut idx = 0; params[idx] = ffi::OSSL_PARAM_construct_octet_string( - b"pass\0".as_ptr() as *const i8, + b"pass\0".as_ptr() as *const c_char, pass.as_ptr() as *mut c_void, pass.len(), ); idx += 1; params[idx] = ffi::OSSL_PARAM_construct_octet_string( - b"salt\0".as_ptr() as *const i8, + b"salt\0".as_ptr() as *const c_char, salt.as_ptr() as *mut c_void, salt.len(), ); idx += 1; params[idx] = - ffi::OSSL_PARAM_construct_uint(b"threads\0".as_ptr() as *const i8, &mut threads); + ffi::OSSL_PARAM_construct_uint(b"threads\0".as_ptr() as *const c_char, &mut threads); idx += 1; - params[idx] = ffi::OSSL_PARAM_construct_uint(b"lanes\0".as_ptr() as *const i8, &mut lanes); + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"lanes\0".as_ptr() as *const c_char, &mut lanes); idx += 1; params[idx] = - ffi::OSSL_PARAM_construct_uint(b"memcost\0".as_ptr() as *const i8, &mut memcost); + ffi::OSSL_PARAM_construct_uint(b"memcost\0".as_ptr() as *const c_char, &mut memcost); idx += 1; - params[idx] = ffi::OSSL_PARAM_construct_uint(b"iter\0".as_ptr() as *const i8, &mut iter); + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"iter\0".as_ptr() as *const c_char, &mut iter); idx += 1; let mut size = out.len() as u32; - params[idx] = ffi::OSSL_PARAM_construct_uint(b"size\0".as_ptr() as *const i8, &mut size); + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"size\0".as_ptr() as *const c_char, &mut size); idx += 1; if let Some(ad) = ad { params[idx] = ffi::OSSL_PARAM_construct_octet_string( - b"ad\0".as_ptr() as *const i8, + b"ad\0".as_ptr() as *const c_char, ad.as_ptr() as *mut c_void, ad.len(), ); @@ -83,7 +86,7 @@ pub fn argon2id( } if let Some(secret) = secret { params[idx] = ffi::OSSL_PARAM_construct_octet_string( - b"secret\0".as_ptr() as *const i8, + b"secret\0".as_ptr() as *const c_char, secret.as_ptr() as *mut c_void, secret.len(), ); 
@@ -91,10 +94,9 @@ pub fn argon2id( } params[idx] = ffi::OSSL_PARAM_construct_end(); - let argon2id = CStr::from_bytes_with_nul(b"ARGON2ID\0").unwrap(); let argon2_p = cvt_p(ffi::EVP_KDF_fetch( ptr::null_mut(), - argon2id.as_ptr(), + b"ARGON2ID\0".as_ptr() as *const c_char, ptr::null(), ))?; let argon2 = EvpKdf(argon2_p); From 5ff8594e9c98f2ffbaf677c663dce8d4ff72fa88 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 1 Sep 2024 14:49:20 -0700 Subject: [PATCH 29/69] rename to kdf, remove thread arg --- openssl/src/argon2.rs | 165 ------------------------------------------ openssl/src/kdf.rs | 162 +++++++++++++++++++++++++++++++++++++++++ openssl/src/lib.rs | 3 +- 3 files changed, 163 insertions(+), 167 deletions(-) delete mode 100644 openssl/src/argon2.rs create mode 100644 openssl/src/kdf.rs diff --git a/openssl/src/argon2.rs b/openssl/src/argon2.rs deleted file mode 100644 index 836b45dce0..0000000000 --- a/openssl/src/argon2.rs +++ /dev/null 
@@ -1,165 +0,0 @@ -use std::ffi::{c_char, c_void}; -use std::mem::MaybeUninit; -use std::ptr; - -use crate::error::ErrorStack; -use crate::{cvt, cvt_p}; - -struct EvpKdf(*mut ffi::EVP_KDF); - -impl Drop for EvpKdf { - fn drop(&mut self) { - unsafe { - ffi::EVP_KDF_free(self.0); - } - } -} - -struct EvpKdfCtx(*mut ffi::EVP_KDF_CTX); - -impl Drop for EvpKdfCtx { - fn drop(&mut self) { - unsafe { - ffi::EVP_KDF_CTX_free(self.0); - } - } -} - -/// Derives a key using the argon2id algorithm. -/// -/// Requires OpenSSL 3.2.0 or newer. -#[allow(clippy::too_many_arguments)] -pub fn argon2id( - pass: &[u8], - salt: &[u8], - ad: Option<&[u8]>, - secret: Option<&[u8]>, - mut iter: u32, - mut threads: u32, - mut lanes: u32, - mut memcost: u32, - out: &mut [u8], -) -> Result<(), ErrorStack> { - // We only support single-threaded operation for now since rust-openssl doesn't - // bind OSSL_set_max_threads - assert!(threads == 1); - unsafe { - ffi::init(); - let mut params: [ffi::OSSL_PARAM; 10] = - core::array::from_fn(|_| MaybeUninit::::zeroed().assume_init()); - let mut idx = 0; - params[idx] = ffi::OSSL_PARAM_construct_octet_string( - b"pass\0".as_ptr() as *const c_char, - pass.as_ptr() as *mut c_void, - pass.len(), - ); - idx += 1; - params[idx] = ffi::OSSL_PARAM_construct_octet_string( - b"salt\0".as_ptr() as *const c_char, - salt.as_ptr() as *mut c_void, - salt.len(), - ); - idx += 1; - params[idx] = - ffi::OSSL_PARAM_construct_uint(b"threads\0".as_ptr() as *const c_char, &mut threads); - idx += 1; - params[idx] = - ffi::OSSL_PARAM_construct_uint(b"lanes\0".as_ptr() as *const c_char, &mut lanes); - idx += 1; - params[idx] = - ffi::OSSL_PARAM_construct_uint(b"memcost\0".as_ptr() as *const c_char, &mut memcost); - idx += 1; - params[idx] = - ffi::OSSL_PARAM_construct_uint(b"iter\0".as_ptr() as *const c_char, &mut iter); - idx += 1; - let mut size = out.len() as u32; - params[idx] = - ffi::OSSL_PARAM_construct_uint(b"size\0".as_ptr() as *const c_char, &mut size); - idx += 1; - 
if let Some(ad) = ad { - params[idx] = ffi::OSSL_PARAM_construct_octet_string( - b"ad\0".as_ptr() as *const c_char, - ad.as_ptr() as *mut c_void, - ad.len(), - ); - idx += 1; - } - if let Some(secret) = secret { - params[idx] = ffi::OSSL_PARAM_construct_octet_string( - b"secret\0".as_ptr() as *const c_char, - secret.as_ptr() as *mut c_void, - secret.len(), - ); - idx += 1; - } - params[idx] = ffi::OSSL_PARAM_construct_end(); - - let argon2_p = cvt_p(ffi::EVP_KDF_fetch( - ptr::null_mut(), - b"ARGON2ID\0".as_ptr() as *const c_char, - ptr::null(), - ))?; - let argon2 = EvpKdf(argon2_p); - let ctx_p = cvt_p(ffi::EVP_KDF_CTX_new(argon2.0))?; - let ctx = EvpKdfCtx(ctx_p); - cvt(ffi::EVP_KDF_derive( - ctx.0, - out.as_mut_ptr(), - out.len(), - params.as_ptr(), - )) - .map(|_| ()) - } -} - -#[cfg(test)] -mod tests { - #[test] - fn argon2id() { - // RFC 9106 test vector for argon2id - let pass = hex::decode("0101010101010101010101010101010101010101010101010101010101010101") - .unwrap(); - let salt = hex::decode("02020202020202020202020202020202").unwrap(); - let secret = hex::decode("0303030303030303").unwrap(); - let ad = hex::decode("040404040404040404040404").unwrap(); - let expected = "0d640df58d78766c08c037a34a8b53c9d01ef0452d75b65eb52520e96b01e659"; - - let mut actual = [0 as u8; 32]; - super::argon2id( - &pass, - &salt, - Some(&ad), - Some(&secret), - 3, - 1, - 4, - 32, - &mut actual, - ) - .unwrap(); - assert_eq!(hex::encode(&actual[..]), expected); - } - - #[test] - fn argon2id_no_ad_secret() { - // Test vector from OpenSSL - let pass = ""; - let salt = hex::decode("02020202020202020202020202020202").unwrap(); - let expected = "0a34f1abde67086c82e785eaf17c68382259a264f4e61b91cd2763cb75ac189a"; - - let mut actual = [0 as u8; 32]; - super::argon2id( - &pass.as_bytes(), - &salt, - None, - None, - 3, - 1, - 4, - 32, - &mut actual, - ) - .unwrap(); - assert_eq!(hex::encode(&actual[..]), expected); - } -} 
diff --git a/openssl/src/kdf.rs b/openssl/src/kdf.rs new file mode 100644 index 0000000000..4bd89cc6d1 --- /dev/null +++ b/openssl/src/kdf.rs 
@@ -0,0 +1,162 @@ +#[cfg(ossl300)] +struct EvpKdf(*mut ffi::EVP_KDF); + +#[cfg(ossl300)] +impl Drop for EvpKdf { + fn drop(&mut self) { + unsafe { + ffi::EVP_KDF_free(self.0); + } + } +} + +#[cfg(ossl300)] +struct EvpKdfCtx(*mut ffi::EVP_KDF_CTX); + +#[cfg(ossl300)] +impl Drop for EvpKdfCtx { + fn drop(&mut self) { + unsafe { + ffi::EVP_KDF_CTX_free(self.0); + } + } +} + +cfg_if::cfg_if! { + if #[cfg(all(ossl320, not(osslconf = "OPENSSL_NO_ARGON2")))] { + use std::ffi::{c_char, c_void}; + use std::mem::MaybeUninit; + use std::ptr; + use crate::{cvt, cvt_p}; + use crate::error::ErrorStack; + + /// Derives a key using the argon2id algorithm. + /// + /// This function currently does not support multi-threaded operation, so + /// lanes greater than 1 will be processed sequentially. + /// + /// Requires OpenSSL 3.2.0 or newer. + #[allow(clippy::too_many_arguments)] + pub fn argon2id( + pass: &[u8], + salt: &[u8], + ad: Option<&[u8]>, + secret: Option<&[u8]>, + mut iter: u32, + mut lanes: u32, + mut memcost: u32, + out: &mut [u8], + ) -> Result<(), ErrorStack> { + unsafe { + ffi::init(); + let mut threads = 1; + let mut params: [ffi::OSSL_PARAM; 10] = + core::array::from_fn(|_| MaybeUninit::::zeroed().assume_init()); + let mut idx = 0; + params[idx] = ffi::OSSL_PARAM_construct_octet_string( + b"pass\0".as_ptr() as *const c_char, + pass.as_ptr() as *mut c_void, + pass.len(), + ); + idx += 1; + params[idx] = ffi::OSSL_PARAM_construct_octet_string( + b"salt\0".as_ptr() as *const c_char, + salt.as_ptr() as *mut c_void, + salt.len(), + ); + idx += 1; + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"threads\0".as_ptr() as *const c_char, &mut threads); + idx += 1; + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"lanes\0".as_ptr() as *const c_char, &mut lanes); + idx += 1; + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"memcost\0".as_ptr() as *const c_char, &mut memcost); + idx += 1; + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"iter\0".as_ptr() as *const c_char, 
&mut iter); + idx += 1; + let mut size = out.len() as u32; + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"size\0".as_ptr() as *const c_char, &mut size); + idx += 1; + if let Some(ad) = ad { + params[idx] = ffi::OSSL_PARAM_construct_octet_string( + b"ad\0".as_ptr() as *const c_char, + ad.as_ptr() as *mut c_void, + ad.len(), + ); + idx += 1; + } + if let Some(secret) = secret { + params[idx] = ffi::OSSL_PARAM_construct_octet_string( + b"secret\0".as_ptr() as *const c_char, + secret.as_ptr() as *mut c_void, + secret.len(), + ); + idx += 1; + } + params[idx] = ffi::OSSL_PARAM_construct_end(); + + let argon2_p = cvt_p(ffi::EVP_KDF_fetch( + ptr::null_mut(), + b"ARGON2ID\0".as_ptr() as *const c_char, + ptr::null(), + ))?; + let argon2 = EvpKdf(argon2_p); + let ctx_p = cvt_p(ffi::EVP_KDF_CTX_new(argon2.0))?; + let ctx = EvpKdfCtx(ctx_p); + cvt(ffi::EVP_KDF_derive( + ctx.0, + out.as_mut_ptr(), + out.len(), + params.as_ptr(), + )) + .map(|_| ()) + } + } + } +} + +#[cfg(test)] +mod tests { + #[test] + #[cfg(all(ossl320, not(osslconf = "OPENSSL_NO_ARGON2")))] + fn argon2id() { + // RFC 9106 test vector for argon2id + let pass = hex::decode("0101010101010101010101010101010101010101010101010101010101010101") + .unwrap(); + let salt = hex::decode("02020202020202020202020202020202").unwrap(); + let secret = hex::decode("0303030303030303").unwrap(); + let ad = hex::decode("040404040404040404040404").unwrap(); + let expected = "0d640df58d78766c08c037a34a8b53c9d01ef0452d75b65eb52520e96b01e659"; + + let mut actual = [0 as u8; 32]; + super::argon2id( + &pass, + &salt, + Some(&ad), + Some(&secret), + 3, + 4, + 32, + &mut actual, + ) + .unwrap(); + assert_eq!(hex::encode(&actual[..]), expected); + } + + #[test] + #[cfg(all(ossl320, not(osslconf = "OPENSSL_NO_ARGON2")))] + fn argon2id_no_ad_secret() { + // Test vector from OpenSSL + let pass = ""; + let salt = hex::decode("02020202020202020202020202020202").unwrap(); + let expected = 
"0a34f1abde67086c82e785eaf17c68382259a264f4e61b91cd2763cb75ac189a"; + + let mut actual = [0 as u8; 32]; + super::argon2id(&pass.as_bytes(), &salt, None, None, 3, 4, 32, &mut actual).unwrap(); + assert_eq!(hex::encode(&actual[..]), expected); + } +} diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index d758d50852..5942734f58 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -148,8 +148,6 @@ mod bio; mod util; pub mod aes; #[cfg(ossl320)] -#[cfg(all(ossl320, not(osslconf = "OPENSSL_NO_ARGON2")))] -pub mod argon2; pub mod asn1; pub mod base64; pub mod bn; @@ -171,6 +169,7 @@ pub mod ex_data; #[cfg(not(any(libressl, ossl300)))] pub mod fips; pub mod hash; +pub mod kdf; #[cfg(ossl300)] pub mod lib_ctx; pub mod md; From 3e57d9a1d735f81268a2468c2efdb990fd6013c2 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 1 Sep 2024 14:55:59 -0700 Subject: [PATCH 30/69] oops + clippy --- openssl/src/kdf.rs | 6 +++--- openssl/src/lib.rs | 1 - 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/openssl/src/kdf.rs b/openssl/src/kdf.rs index 4bd89cc6d1..f60ee2e054 100644 --- a/openssl/src/kdf.rs +++ b/openssl/src/kdf.rs @@ -132,7 +132,7 @@ mod tests { let ad = hex::decode("040404040404040404040404").unwrap(); let expected = "0d640df58d78766c08c037a34a8b53c9d01ef0452d75b65eb52520e96b01e659"; - let mut actual = [0 as u8; 32]; + let mut actual = [0u8; 32]; super::argon2id( &pass, &salt, @@ -155,8 +155,8 @@ mod tests { let salt = hex::decode("02020202020202020202020202020202").unwrap(); let expected = "0a34f1abde67086c82e785eaf17c68382259a264f4e61b91cd2763cb75ac189a"; - let mut actual = [0 as u8; 32]; - super::argon2id(&pass.as_bytes(), &salt, None, None, 3, 4, 32, &mut actual).unwrap(); + let mut actual = [0u8; 32]; + super::argon2id(pass.as_bytes(), &salt, None, None, 3, 4, 32, &mut actual).unwrap(); assert_eq!(hex::encode(&actual[..]), expected); } } diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 5942734f58..c58e5bf598 100644 
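Review bot: In `argon2id` in the new `openssl/src/kdf.rs`, `let mut size = out.len() as u32;` truncates silently when `out` is longer than `u32::MAX` bytes, so the `size` parameter given to the KDF can disagree with the `out.len()` that is later passed to `EVP_KDF_derive`. A checked conversion, `u32::try_from(out.len())`, that returns an error on overflow would keep the two values in step; which `ErrorStack` value to return in that case is a maintainer decision. The `unsafe` block would also benefit from a `// SAFETY:` comment recording that `params` (10 slots) holds exactly the seven fixed entries, the two optional ones (`ad`, `secret`) and the terminator, and that the integer locals the parameters point at (`threads`, `lanes`, `memcost`, `iter`, `size`) stay alive until the derive call returns.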
--- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -147,7 +147,6 @@ mod bio; #[macro_use] mod util; pub mod aes; -#[cfg(ossl320)] pub mod asn1; pub mod base64; pub mod bn; From bef571b737f24a0732e7e64bbd5d7f6fc01d7b5b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 1 Sep 2024 15:02:33 -0700 Subject: [PATCH 31/69] EvpKdf and EvpKdfCtx are available in 3.0.0, but mark them ossl320 We don't use them anywhere that isn't 3.2.0+ right now and that makes clippy angry. It can be changed if and when these get used for methods on older versions --- openssl/src/kdf.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/openssl/src/kdf.rs b/openssl/src/kdf.rs index f60ee2e054..ff0c3e68ac 100644 --- a/openssl/src/kdf.rs +++ b/openssl/src/kdf.rs @@ -1,7 +1,7 @@ -#[cfg(ossl300)] +#[cfg(ossl320)] struct EvpKdf(*mut ffi::EVP_KDF); -#[cfg(ossl300)] +#[cfg(ossl320)] impl Drop for EvpKdf { fn drop(&mut self) { unsafe { @@ -10,10 +10,10 @@ impl Drop for EvpKdf { } } -#[cfg(ossl300)] +#[cfg(ossl320)] struct EvpKdfCtx(*mut ffi::EVP_KDF_CTX); -#[cfg(ossl300)] +#[cfg(ossl320)] impl Drop for EvpKdfCtx { fn drop(&mut self) { unsafe { From 700f6acdb5268bd48588541804d03af7c98eb4a2 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 1 Sep 2024 13:29:06 -0700 Subject: [PATCH 32/69] add ossl3 thread pool bindings --- openssl-sys/build/main.rs | 2 +- openssl-sys/build/run_bindgen.rs | 4 ++++ openssl-sys/src/handwritten/mod.rs | 4 ++++ openssl-sys/src/handwritten/thread.rs | 7 +++++++ systest/build.rs | 4 ++++ 5 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 openssl-sys/src/handwritten/thread.rs diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 50ecc0f084..c5ed229619 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs 
@@ -74,7 +74,7 @@ fn check_ssl_kind() { } fn main() { - println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_COMP\", \"OPENSSL_NO_SOCK\", \"OPENSSL_NO_STDIO\", \"OPENSSL_NO_EC\", \"OPENSSL_NO_SSL3_METHOD\", \"OPENSSL_NO_KRB5\", \"OPENSSL_NO_TLSEXT\", \"OPENSSL_NO_SRP\", \"OPENSSL_NO_RFC3779\", \"OPENSSL_NO_SHA\", \"OPENSSL_NO_NEXTPROTONEG\", \"OPENSSL_NO_ENGINE\", \"OPENSSL_NO_BUF_FREELISTS\"))"); + println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_THREADS\", \"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_COMP\", \"OPENSSL_NO_SOCK\", \"OPENSSL_NO_STDIO\", \"OPENSSL_NO_EC\", \"OPENSSL_NO_SSL3_METHOD\", \"OPENSSL_NO_KRB5\", \"OPENSSL_NO_TLSEXT\", \"OPENSSL_NO_SRP\", \"OPENSSL_NO_RFC3779\", \"OPENSSL_NO_SHA\", \"OPENSSL_NO_NEXTPROTONEG\", \"OPENSSL_NO_ENGINE\", \"OPENSSL_NO_BUF_FREELISTS\"))"); println!("cargo:rustc-check-cfg=cfg(openssl)"); println!("cargo:rustc-check-cfg=cfg(libressl)"); diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index ffaecdc81b..db31cbb631 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs 
@@ -63,6 +63,10 @@ const INCLUDES: &str = " #if defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL) #include #endif + +#if OPENSSL_VERSION_NUMBER >= 0x30200000 && defined(OPENSSL_THREADS) +#include +#endif "; #[cfg(feature = "bindgen")] diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index f54ec9be5e..35776486d1 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -29,6 +29,8 @@ pub use self::sha::*; pub use self::srtp::*; pub use self::ssl::*; pub use self::stack::*; +#[cfg(all(ossl320, osslconf = "OPENSSL_THREADS"))] +pub use self::thread::*; pub use self::tls1::*; pub use self::types::*; pub use self::x509::*; @@ -66,6 +68,8 @@ mod sha; mod srtp; mod ssl; mod stack; +#[cfg(all(ossl320, osslconf = "OPENSSL_THREADS"))] +mod thread; mod tls1; mod types; mod x509; diff --git a/openssl-sys/src/handwritten/thread.rs b/openssl-sys/src/handwritten/thread.rs new file mode 100644 index 0000000000..de661e1c5c --- /dev/null +++ b/openssl-sys/src/handwritten/thread.rs @@ -0,0 +1,7 @@ +use super::super::*; +use libc::*; + +extern "C" { + pub fn OSSL_set_max_threads(ctx: *mut OSSL_LIB_CTX, max_threads: u64) -> c_int; + pub fn OSSL_get_max_threads(ctx: *mut OSSL_LIB_CTX) -> u64; +} diff --git a/systest/build.rs b/systest/build.rs index 56230ada60..dde28b5009 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -85,6 +85,10 @@ fn main() { if version >= 0x30000000 { cfg.header("openssl/provider.h"); } + if version >= 0x30200000 { + // thread is present as a header even if OPENSSL_THREADS is not defined + cfg.header("openssl/thread.h"); + } } #[allow(clippy::if_same_then_else)] From 98521685baa9ef9e1330fdccd6be40bf88f81f64 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 1 Sep 2024 16:53:17 -0700 Subject: [PATCH 33/69] Apply suggestions from code review Co-authored-by: Alex Gaynor --- openssl/src/kdf.rs | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) 
diff --git a/openssl/src/kdf.rs b/openssl/src/kdf.rs index ff0c3e68ac..dbe5680253 100644 --- a/openssl/src/kdf.rs +++ b/openssl/src/kdf.rs @@ -99,14 +99,12 @@ cfg_if::cfg_if! { } params[idx] = ffi::OSSL_PARAM_construct_end(); - let argon2_p = cvt_p(ffi::EVP_KDF_fetch( + let argon2 = EvpKdf(cvt_p(ffi::EVP_KDF_fetch( ptr::null_mut(), b"ARGON2ID\0".as_ptr() as *const c_char, ptr::null(), - ))?; - let argon2 = EvpKdf(argon2_p); - let ctx_p = cvt_p(ffi::EVP_KDF_CTX_new(argon2.0))?; - let ctx = EvpKdfCtx(ctx_p); + ))?); + let ctx = EvpKdfCtx(cvt_p(ffi::EVP_KDF_CTX_new(argon2.0))?); cvt(ffi::EVP_KDF_derive( ctx.0, out.as_mut_ptr(), @@ -151,12 +149,12 @@ mod tests { #[cfg(all(ossl320, not(osslconf = "OPENSSL_NO_ARGON2")))] fn argon2id_no_ad_secret() { // Test vector from OpenSSL - let pass = ""; + let pass = b""; let salt = hex::decode("02020202020202020202020202020202").unwrap(); let expected = "0a34f1abde67086c82e785eaf17c68382259a264f4e61b91cd2763cb75ac189a"; let mut actual = [0u8; 32]; - super::argon2id(pass.as_bytes(), &salt, None, None, 3, 4, 32, &mut actual).unwrap(); + super::argon2id(pass, &salt, None, None, 3, 4, 32, &mut actual).unwrap(); assert_eq!(hex::encode(&actual[..]), expected); } } From 4ad92493646f11a9e689e2bb6f4231e04a15e001 Mon Sep 17 00:00:00 2001 From: sanketh Date: Mon, 2 Sep 2024 14:48:08 -0400 Subject: [PATCH 34/69] do not silently reinit after squeeze --- openssl/src/hash.rs | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 6053658ea4..c74b594d38 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -281,8 +281,6 @@ impl Hasher { /// Feeds data into the hasher. pub fn update(&mut self, data: &[u8]) -> Result<(), ErrorStack> { match self.state { - #[cfg(ossl330)] - Squeeze => self.init()?, Finalized => self.init()?, _ => {} } 
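Review bot: The doc comment on `Hasher::update` in `openssl/src/hash.rs` (and on `finish`, `finish_xof` and `squeeze_xof` in the hunks that follow) does not mention the new failure mode: with the `Squeeze => self.init()?` arms removed, these calls no longer reset the hasher after a squeeze and instead return an error, as the added `expect_err` tests require. Before this change a caller who kept using the hasher after `squeeze_xof` got a digest over only the later data, so the new behaviour is the safer one, but it is a visible contract change. I would add an `# Errors` section to each of these methods stating that the call fails once `squeeze_xof` has been used, and on `squeeze_xof` that it fails after `finish_xof`. The rejection now appears to rest on the underlying `EVP_Digest*` call rather than on `self.state`; a short comment saying so would help the next reader. The body of `update` continues outside the hunk.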
@@ -301,9 +299,6 @@ impl Hasher { /// The output will be as long as the buf. #[cfg(ossl330)] pub fn squeeze_xof(&mut self, buf: &mut [u8]) -> Result<(), ErrorStack> { - if self.state == Finalized { - self.init()?; - } unsafe { cvt(ffi::EVP_DigestSqueeze( self.ctx, @@ -318,8 +313,6 @@ impl Hasher { /// Returns the hash of the data written and resets the non-XOF hasher. pub fn finish(&mut self) -> Result { match self.state { - #[cfg(ossl330)] - Squeeze => self.init()?, Finalized => self.init()?, _ => {} } @@ -347,8 +340,6 @@ impl Hasher { #[cfg(ossl111)] pub fn finish_xof(&mut self, buf: &mut [u8]) -> Result<(), ErrorStack> { match self.state { - #[cfg(ossl330)] - Squeeze => self.init()?, Finalized => self.init()?, _ => {} } @@ -595,9 +586,7 @@ mod tests { let mut h = Hasher::new(digest).unwrap(); let mut buf = vec![0; digest.size()]; h.finish_xof(&mut buf).unwrap(); - h.squeeze_xof(&mut buf).unwrap(); - let null = hash(digest, &[]).unwrap(); - assert_eq!(&*buf, &*null); + h.squeeze_xof(&mut buf).expect_err("squeezing after finalize should fail"); } #[cfg(ossl330)] @@ -608,10 +597,18 @@ mod tests { let mut h = Hasher::new(digest).unwrap(); let mut buf = vec![0; digest.size()]; h.squeeze_xof(&mut buf).unwrap(); - h.update(&data).unwrap(); + h.update(&data).expect_err("updating after squeeze should fail"); + } + + #[cfg(ossl330)] + #[test] + fn test_squeeze_then_finalize() { + let digest = MessageDigest::shake_128(); + let data = Vec::from_hex(MD5_TESTS[6].0).unwrap(); + let mut h = Hasher::new(digest).unwrap(); + let mut buf = vec![0; digest.size()]; h.squeeze_xof(&mut buf).unwrap(); - let null = hash(digest, &data).unwrap(); - assert_eq!(&*buf, &*null); + h.finish_xof(&mut buf).expect_err("finalize after squeeze should fail"); } #[test] From e35ec91dbce906011be9415a3949aee2b7103344 Mon Sep 17 00:00:00 2001 
From: sanketh Date: Mon, 2 Sep 2024 15:13:06 -0400 Subject: [PATCH 35/69] minimize diffs --- openssl/src/hash.rs | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index c74b594d38..fb039817bf 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -280,9 +280,8 @@ impl Hasher { /// Feeds data into the hasher. pub fn update(&mut self, data: &[u8]) -> Result<(), ErrorStack> { - match self.state { - Finalized => self.init()?, - _ => {} + if self.state == Finalized { + self.init()?; } unsafe { cvt(ffi::EVP_DigestUpdate( @@ -312,9 +311,8 @@ impl Hasher { /// Returns the hash of the data written and resets the non-XOF hasher. pub fn finish(&mut self) -> Result { - match self.state { - Finalized => self.init()?, - _ => {} + if self.state == Finalized { + self.init()?; } unsafe { #[cfg(not(boringssl))] @@ -339,9 +337,8 @@ impl Hasher { /// The hash will be as long as the buf. #[cfg(ossl111)] pub fn finish_xof(&mut self, buf: &mut [u8]) -> Result<(), ErrorStack> { - match self.state { - Finalized => self.init()?, - _ => {} + if self.state == Finalized { + self.init()?; } unsafe { cvt(ffi::EVP_DigestFinalXOF( @@ -604,7 +601,6 @@ mod tests { #[test] fn test_squeeze_then_finalize() { let digest = MessageDigest::shake_128(); - let data = Vec::from_hex(MD5_TESTS[6].0).unwrap(); let mut h = Hasher::new(digest).unwrap(); let mut buf = vec![0; digest.size()]; h.squeeze_xof(&mut buf).unwrap(); From 680136daef7a90ebc7af5256d32352d328ab38ad Mon Sep 17 00:00:00 2001 From: sanketh Date: Mon, 2 Sep 2024 15:14:36 -0400 Subject: [PATCH 36/69] run cargo fmt --- openssl/src/hash.rs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index fb039817bf..5d0203294d 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs 
@@ -583,7 +583,8 @@ mod tests { let mut h = Hasher::new(digest).unwrap(); let mut buf = vec![0; digest.size()]; h.finish_xof(&mut buf).unwrap(); - h.squeeze_xof(&mut buf).expect_err("squeezing after finalize should fail"); + h.squeeze_xof(&mut buf) + .expect_err("squeezing after finalize should fail"); } #[cfg(ossl330)] @@ -594,7 +595,8 @@ mod tests { let mut h = Hasher::new(digest).unwrap(); let mut buf = vec![0; digest.size()]; h.squeeze_xof(&mut buf).unwrap(); - h.update(&data).expect_err("updating after squeeze should fail"); + h.update(&data) + .expect_err("updating after squeeze should fail"); } #[cfg(ossl330)] @@ -604,7 +606,8 @@ mod tests { let mut h = Hasher::new(digest).unwrap(); let mut buf = vec![0; digest.size()]; h.squeeze_xof(&mut buf).unwrap(); - h.finish_xof(&mut buf).expect_err("finalize after squeeze should fail"); + h.finish_xof(&mut buf) + .expect_err("finalize after squeeze should fail"); } #[test] From ad7d2c55f49c5b97155c5d26e9cf763ab5a0157f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 2 Sep 2024 20:18:06 -0700 Subject: [PATCH 37/69] fix 3.2.0 thread support and simplify --- openssl-sys/build/main.rs | 2 +- openssl-sys/build/run_bindgen.rs | 2 +- openssl-sys/src/handwritten/mod.rs | 4 ++-- systest/build.rs | 1 - 4 files changed, 4 insertions(+), 5 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index c5ed229619..50ecc0f084 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs 
@@ -74,7 +74,7 @@ fn check_ssl_kind() { } fn main() { - println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_THREADS\", \"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_COMP\", \"OPENSSL_NO_SOCK\", \"OPENSSL_NO_STDIO\", \"OPENSSL_NO_EC\", \"OPENSSL_NO_SSL3_METHOD\", \"OPENSSL_NO_KRB5\", \"OPENSSL_NO_TLSEXT\", \"OPENSSL_NO_SRP\", \"OPENSSL_NO_RFC3779\", \"OPENSSL_NO_SHA\", \"OPENSSL_NO_NEXTPROTONEG\", \"OPENSSL_NO_ENGINE\", \"OPENSSL_NO_BUF_FREELISTS\"))"); + println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_COMP\", \"OPENSSL_NO_SOCK\", \"OPENSSL_NO_STDIO\", \"OPENSSL_NO_EC\", \"OPENSSL_NO_SSL3_METHOD\", \"OPENSSL_NO_KRB5\", \"OPENSSL_NO_TLSEXT\", \"OPENSSL_NO_SRP\", \"OPENSSL_NO_RFC3779\", \"OPENSSL_NO_SHA\", \"OPENSSL_NO_NEXTPROTONEG\", \"OPENSSL_NO_ENGINE\", \"OPENSSL_NO_BUF_FREELISTS\"))"); println!("cargo:rustc-check-cfg=cfg(openssl)"); println!("cargo:rustc-check-cfg=cfg(libressl)"); diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index db31cbb631..27bd482b38 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs 
@@ -64,7 +64,7 @@ const INCLUDES: &str = " #include #endif -#if OPENSSL_VERSION_NUMBER >= 0x30200000 && defined(OPENSSL_THREADS) +#if OPENSSL_VERSION_NUMBER >= 0x30200000 #include #endif "; diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index 35776486d1..47b3360fd8 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -29,7 +29,7 @@ pub use self::sha::*; pub use self::srtp::*; pub use self::ssl::*; pub use self::stack::*; -#[cfg(all(ossl320, osslconf = "OPENSSL_THREADS"))] +#[cfg(ossl320)] pub use self::thread::*; pub use self::tls1::*; pub use self::types::*; @@ -68,7 +68,7 @@ mod sha; mod srtp; mod ssl; mod stack; -#[cfg(all(ossl320, osslconf = "OPENSSL_THREADS"))] +#[cfg(ossl320)] mod thread; mod tls1; mod types; diff --git a/systest/build.rs b/systest/build.rs index dde28b5009..fc970f410a 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -86,7 +86,6 @@ fn main() { cfg.header("openssl/provider.h"); } if version >= 0x30200000 { - // thread is present as a header even if OPENSSL_THREADS is not defined cfg.header("openssl/thread.h"); } } From 5ea9a1238812e417964d421f89254e5984fc2404 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 2 Sep 2024 20:36:41 -0700 Subject: [PATCH 38/69] add libctx arg to argon2id --- openssl/src/kdf.rs | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/openssl/src/kdf.rs b/openssl/src/kdf.rs index dbe5680253..4e3ab157b2 100644 --- a/openssl/src/kdf.rs +++ b/openssl/src/kdf.rs @@ -27,7 +27,9 @@ cfg_if::cfg_if! { use std::ffi::{c_char, c_void}; use std::mem::MaybeUninit; use std::ptr; + use foreign_types::ForeignTypeRef; use crate::{cvt, cvt_p}; + use crate::lib_ctx::LibCtxRef; use crate::error::ErrorStack; /// Derives a key using the argon2id algorithm. 
@@ -38,6 +40,7 @@ cfg_if::cfg_if! { /// Requires OpenSSL 3.2.0 or newer. #[allow(clippy::too_many_arguments)] pub fn argon2id( + ctx: Option<&LibCtxRef>, pass: &[u8], salt: &[u8], ad: Option<&[u8]>, @@ -49,6 +52,8 @@ cfg_if::cfg_if! { ) -> Result<(), ErrorStack> { unsafe { ffi::init(); + let libctx = ctx.map_or(ptr::null_mut(), ForeignTypeRef::as_ptr); + let mut threads = 1; let mut params: [ffi::OSSL_PARAM; 10] = core::array::from_fn(|_| MaybeUninit::::zeroed().assume_init()); @@ -100,7 +105,7 @@ cfg_if::cfg_if! { params[idx] = ffi::OSSL_PARAM_construct_end(); let argon2 = EvpKdf(cvt_p(ffi::EVP_KDF_fetch( - ptr::null_mut(), + libctx, b"ARGON2ID\0".as_ptr() as *const c_char, ptr::null(), ))?); @@ -132,6 +137,7 @@ mod tests { let mut actual = [0u8; 32]; super::argon2id( + None, &pass, &salt, Some(&ad), @@ -154,7 +160,7 @@ mod tests { let expected = "0a34f1abde67086c82e785eaf17c68382259a264f4e61b91cd2763cb75ac189a"; let mut actual = [0u8; 32]; - super::argon2id(pass, &salt, None, None, 3, 4, 32, &mut actual).unwrap(); + super::argon2id(None, pass, &salt, None, None, 3, 4, 32, &mut actual).unwrap(); assert_eq!(hex::encode(&actual[..]), expected); } } From b3bb5f40b55b1bccbfadf7cc24d5d44fad22c7df Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 2 Sep 2024 20:49:29 -0700 Subject: [PATCH 39/69] support using threads in argon2id --- openssl/src/kdf.rs | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/openssl/src/kdf.rs b/openssl/src/kdf.rs index 4e3ab157b2..4f6b1f8aab 100644 --- a/openssl/src/kdf.rs +++ b/openssl/src/kdf.rs @@ -24,6 +24,7 @@ impl Drop for EvpKdfCtx { cfg_if::cfg_if! { if #[cfg(all(ossl320, not(osslconf = "OPENSSL_NO_ARGON2")))] { + use std::cmp; use std::ffi::{c_char, c_void}; use std::mem::MaybeUninit; use std::ptr; 
@@ -34,8 +35,9 @@ cfg_if::cfg_if! { /// Derives a key using the argon2id algorithm. /// - /// This function currently does not support multi-threaded operation, so - /// lanes greater than 1 will be processed sequentially. + /// To use multiple cores to process the lanes in parallel you must + /// set a global max thread count using `OSSL_set_max_threads`. On + /// builds with no threads all lanes will be processed sequentially. /// /// Requires OpenSSL 3.2.0 or newer. #[allow(clippy::too_many_arguments)] @@ -54,7 +56,14 @@ cfg_if::cfg_if! { ffi::init(); let libctx = ctx.map_or(ptr::null_mut(), ForeignTypeRef::as_ptr); + let max_threads = ffi::OSSL_get_max_threads(libctx); let mut threads = 1; + // If max_threads is 0, then this isn't a threaded build. + // If max_threads is > u32::MAX we need to clamp since + // argon2id's threads parameter is a u32. + if max_threads > 0 { + threads = cmp::min(lanes, cmp::min(max_threads, u32::MAX as u64) as u32); + } let mut params: [ffi::OSSL_PARAM; 10] = core::array::from_fn(|_| MaybeUninit::::zeroed().assume_init()); let mut idx = 0; From 350f1c26e0c0d0b148378ef7d408685fba5c185d Mon Sep 17 00:00:00 2001 From: Kornel Date: Wed, 28 Aug 2024 14:19:45 +0100 Subject: [PATCH 40/69] Print fatal error without backtrace noise --- openssl-sys/build/find_normal.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 1e910a0eee..facb80ce94 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -187,7 +187,8 @@ https://github.com/sfackler/rust-openssl#windows ); } - panic!("{}", msg); + eprintln!("{}", msg); + std::process::exit(101); // same as panic previously } /// Attempt to find OpenSSL through pkg-config. From 3815c15092004b8124846b49a24689c6342cf80c Mon Sep 17 00:00:00 2001 
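Review bot: The rewritten doc comment on `argon2id` in `openssl/src/kdf.rs` speaks of a "global" max thread count, but the code reads the limit with `ffi::OSSL_get_max_threads(libctx)`, that is, from whichever library context the caller passed as `ctx`. The comment should say that the limit is taken from that library context (the default one when `ctx` is `None`), so that a caller using a separate `LibCtx` knows where to set it. As a point of style in the same function, `cmp::min(max_threads, u32::MAX as u64) as u32` reads more directly as `u32::try_from(max_threads).unwrap_or(u32::MAX)` and avoids the `as` cast. Note also that `threads` now follows `lanes` whenever `max_threads > 0`, so `lanes == 0` produces `threads == 0` where it used to be 1; OpenSSL presumably rejects that input, but a test pinning the error would make the behaviour explicit.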
From: Kornel Date: Wed, 28 Aug 2024 14:41:14 +0100 Subject: [PATCH 41/69] Format pkg_config error --- openssl-sys/build/find_normal.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index facb80ce94..73613760b9 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -213,7 +213,7 @@ fn try_pkg_config() { { Ok(lib) => lib, Err(e) => { - println!("run pkg_config fail: {:?}", e); + println!("\n\nCould not find openssl via pkg-config:\n{}\n", e); return; } }; From eeb920f85179af6dbe373caf048f0deffa378c1a Mon Sep 17 00:00:00 2001 From: Kornel Date: Wed, 28 Aug 2024 14:41:29 +0100 Subject: [PATCH 42/69] Emit cargo:warning as well --- openssl-sys/build/find_normal.rs | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 73613760b9..1439e9ab30 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -102,13 +102,21 @@ fn find_openssl_dir(target: &str) -> OsString { return OsString::from("/usr/local"); } + let msg_header = + "Could not find directory of OpenSSL installation, and this `-sys` crate cannot +proceed without this knowledge. If OpenSSL is installed and this crate had +trouble finding it, you can set the `OPENSSL_DIR` environment variable for the +compilation process."; + + println!( + "cargo:warning={} See stderr section below for further information.", + msg_header.replace('\n', " ") + ); + let mut msg = format!( " -Could not find directory of OpenSSL installation, and this `-sys` crate cannot -proceed without this knowledge. If OpenSSL is installed and this crate had -trouble finding it, you can set the `OPENSSL_DIR` environment variable for the -compilation process. +{} Make sure you also have the development packages of openssl installed. For example, `libssl-dev` on Ubuntu or `openssl-devel` on Fedora. 
@@ -122,6 +130,7 @@ $TARGET = {} openssl-sys = {} ", + msg_header, host, target, env!("CARGO_PKG_VERSION") From 2dd76ef8186fe3eacaab5ecbc7821d4e8bb1fc02 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 8 Sep 2024 15:38:15 -0400 Subject: [PATCH 43/69] Test against 3.4.0-alpha1 --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 52e712a11d..5366e8ff49 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -153,6 +153,8 @@ jobs: version: e23fe9b6eecc10e4f9ea1f0027fea5eaee7bd6b6 - name: openssl version: vendored + - name: openssl + version: 3.4.0-alpha1 - name: openssl version: 3.3.0 - name: openssl From 6654131d6a176bada798427568066fd62c1e8699 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 8 Sep 2024 15:53:41 -0400 Subject: [PATCH 44/69] download from github --- .github/workflows/ci.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5366e8ff49..b1c7b188f5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -159,18 +159,19 @@ jobs: version: 3.3.0 - name: openssl version: 3.2.0 - dl-path: / - name: openssl version: 1.1.1w - dl-path: / - name: openssl version: 1.1.0l + old: true dl-path: /old/1.1.0 - name: openssl version: 1.0.2u + old: true dl-path: /old/1.0.2 - name: openssl version: 1.0.1u + old: true dl-path: /old/1.0.1 include: - target: x86_64-unknown-linux-gnu 
@@ -257,7 +258,11 @@ jobs: run: | case "${{ matrix.library.name }}" in "openssl") - url="https://www.openssl.org/source${{ matrix.library.dl-path }}/openssl-${{ matrix.library.version }}.tar.gz" + if [[ "${{ matrix.library.old }}" == "true" ]]; then + url="https://www.openssl.org/source${{ matrix.library.dl-path }}/openssl-${{ matrix.library.version }}.tar.gz" + else + url="https://github.com/openssl/openssl/releases/download/openssl-${{ matrix.library.version }}/openssl-${{ matrix.library.version }}.tar.gz" + fi tar_flags="--strip-components=1" ;; "libressl") From 16e41768f254af561ea96e0274744fb35758fb83 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 8 Sep 2024 16:12:25 -0400 Subject: [PATCH 45/69] fixes --- openssl-sys/build/cfgs.rs | 3 +++ openssl-sys/build/main.rs | 1 + openssl-sys/src/evp.rs | 26 +++++++++++++++++++++----- openssl-sys/src/obj_mac.rs | 8 +++++++- 4 files changed, 32 insertions(+), 6 deletions(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index bbd3be59f3..cd03888e62 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -71,6 +71,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& } else { let openssl_version = openssl_version.unwrap(); + if openssl_version >= 0x3_04_00_00_0 { + cfgs.push("ossl340"); + } if openssl_version >= 0x3_03_00_00_0 { cfgs.push("ossl330"); } diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 50ecc0f084..c9bddf5382 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -120,6 +120,7 @@ fn main() { println!("cargo:rustc-check-cfg=cfg(ossl310)"); println!("cargo:rustc-check-cfg=cfg(ossl320)"); println!("cargo:rustc-check-cfg=cfg(ossl330)"); + println!("cargo:rustc-check-cfg=cfg(ossl340)"); check_ssl_kind(); diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index a3a8a84fb5..4d26f0f607 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs 
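Review bot: The download URL for current OpenSSL releases in `.github/workflows/ci.yml` now points at a GitHub release asset selected by `matrix.library.version`, and nothing in this hunk ties the tarball to a known digest. The command that fetches and unpacks it is outside the hunk, so this may already be handled there. If it is not, a per-entry checksum in the matrix (for example a `sha256` key next to `version`) checked with `sha256sum -c` before `tar` runs would keep a replaced or corrupted asset from being built and tested. The same applies to the `www.openssl.org/source` branch that is kept for entries marked `old: true`.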
@@ -184,12 +184,28 @@ cfg_if! { pub const EVP_PKEY_OP_DERIVE: c_int = 1 << 10; } } +#[cfg(ossl340)] +pub const EVP_PKEY_OP_SIGNMSG: c_int = 1 << 14; +#[cfg(ossl340)] +pub const EVP_PKEY_OP_VERIFYMSG: c_int = 1 << 15; -pub const EVP_PKEY_OP_TYPE_SIG: c_int = EVP_PKEY_OP_SIGN - | EVP_PKEY_OP_VERIFY - | EVP_PKEY_OP_VERIFYRECOVER - | EVP_PKEY_OP_SIGNCTX - | EVP_PKEY_OP_VERIFYCTX; +cfg_if! { + if #[cfg(ossl340)] { + pub const EVP_PKEY_OP_TYPE_SIG: c_int = EVP_PKEY_OP_SIGN + | EVP_PKEY_OP_SIGNMSG + | EVP_PKEY_OP_VERIFY + | EVP_PKEY_OP_VERIFYMSG + | EVP_PKEY_OP_VERIFYRECOVER + | EVP_PKEY_OP_SIGNCTX + | EVP_PKEY_OP_VERIFYCTX; + } else { + pub const EVP_PKEY_OP_TYPE_SIG: c_int = EVP_PKEY_OP_SIGN + | EVP_PKEY_OP_VERIFY + | EVP_PKEY_OP_VERIFYRECOVER + | EVP_PKEY_OP_SIGNCTX + | EVP_PKEY_OP_VERIFYCTX; + } +} pub const EVP_PKEY_OP_TYPE_CRYPT: c_int = EVP_PKEY_OP_ENCRYPT | EVP_PKEY_OP_DECRYPT; diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 400f73388f..8dd720a7ac 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -346,7 +346,6 @@ pub const NID_id_mod_cmp2000: c_int = 284; pub const NID_info_access: c_int = 177; pub const NID_biometricInfo: c_int = 285; pub const NID_qcStatements: c_int = 286; -pub const NID_ac_auditEntity: c_int = 287; pub const NID_ac_targeting: c_int = 288; pub const NID_aaControls: c_int = 289; pub const NID_sbgp_ipAddrBlock: c_int = 290; @@ -1015,3 +1014,10 @@ pub const NID_shake256: c_int = 1101; pub const NID_chacha20_poly1305: c_int = 1018; #[cfg(libressl271)] pub const NID_chacha20_poly1305: c_int = 967; +cfg_if! { + if #[cfg(ossl340)] { + pub const NID_ac_auditEntity: c_int = 1323; + } else { + pub const NID_ac_auditEntity: c_int = 287; + } +} From 92130d57d3ff4a2c2bf487f85ecdb164cc712b1d Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 8 Sep 2024 16:25:51 -0400 Subject: [PATCH 46/69] remove bad test check --- openssl/src/version.rs | 1 - 1 file changed, 1 deletion(-) 
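Review bot: The `cfg_if!` block appended to `obj_mac.rs` gives `NID_ac_auditEntity` two values (1323 under `ossl340`, 287 otherwise) with no comment saying why, and the constant has also been moved away from its numeric neighbours. A short comment above the block, such as `// OpenSSL 3.4 assigns a different NID to this name; 287 is kept for older releases.`, would stop a later cleanup from collapsing the two branches. If 287 now belongs to a differently named object in 3.4 (not visible in this hunk), the same comment should say so.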
diff --git a/openssl/src/version.rs b/openssl/src/version.rs index f1a324c12c..12ab3d8aec 100644 --- a/openssl/src/version.rs +++ b/openssl/src/version.rs @@ -131,5 +131,4 @@ fn test_versions() { if !built_on().is_empty() { assert!(built_on().starts_with("built on:")); } - assert!(dir().starts_with("OPENSSLDIR:")); } From 30607429a5fc0d3e283c302090f6e629649eacea Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 5 Oct 2024 08:04:57 -0500 Subject: [PATCH 47/69] Resolve clippy warnings from nightly --- .github/workflows/ci.yml | 1 + openssl/src/asn1.rs | 4 ++-- openssl/src/bio.rs | 2 +- openssl/src/bn.rs | 22 +++++++++++----------- openssl/src/derive.rs | 6 +++--- openssl/src/encrypt.rs | 12 ++++++------ openssl/src/ocsp.rs | 2 +- openssl/src/sign.rs | 10 +++++----- openssl/src/ssl/test/mod.rs | 6 +++--- openssl/src/stack.rs | 4 ++-- openssl/src/x509/mod.rs | 4 ++-- 11 files changed, 37 insertions(+), 36 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b1c7b188f5..2115a8ea3c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -160,6 +160,7 @@ jobs: - name: openssl version: 3.2.0 - name: openssl + old: true version: 1.1.1w - name: openssl version: 1.1.0l diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 03340820d0..19bd3b57bc 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -247,7 +247,7 @@ impl PartialEq for Asn1TimeRef { } #[cfg(any(ossl102, boringssl))] -impl<'a> PartialEq for &'a Asn1TimeRef { +impl PartialEq for &Asn1TimeRef { fn eq(&self, other: &Asn1Time) -> bool { self.diff(other) .map(|t| t.days == 0 && t.secs == 0) @@ -270,7 +270,7 @@ impl PartialOrd for Asn1TimeRef { } #[cfg(any(ossl102, boringssl))] -impl<'a> PartialOrd for &'a Asn1TimeRef { +impl PartialOrd for &Asn1TimeRef { fn partial_cmp(&self, other: &Asn1Time) -> Option { self.compare(other).ok() } diff --git a/openssl/src/bio.rs b/openssl/src/bio.rs index d5232d2ee1..e97374b8dd 100644 --- a/openssl/src/bio.rs 
+++ b/openssl/src/bio.rs @@ -9,7 +9,7 @@ use crate::util; pub struct MemBioSlice<'a>(*mut ffi::BIO, PhantomData<&'a [u8]>); -impl<'a> Drop for MemBioSlice<'a> { +impl Drop for MemBioSlice<'_> { fn drop(&mut self) { unsafe { ffi::BIO_free_all(self.0); diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index ba784aab1a..99292fd0fb 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -1272,7 +1272,7 @@ macro_rules! delegate { }; } -impl<'a, 'b> Add<&'b BigNumRef> for &'a BigNumRef { +impl Add<&BigNumRef> for &BigNumRef { type Output = BigNum; fn add(self, oth: &BigNumRef) -> BigNum { @@ -1284,7 +1284,7 @@ impl<'a, 'b> Add<&'b BigNumRef> for &'a BigNumRef { delegate!(Add, add); -impl<'a, 'b> Sub<&'b BigNumRef> for &'a BigNumRef { +impl Sub<&BigNumRef> for &BigNumRef { type Output = BigNum; fn sub(self, oth: &BigNumRef) -> BigNum { @@ -1296,7 +1296,7 @@ impl<'a, 'b> Sub<&'b BigNumRef> for &'a BigNumRef { delegate!(Sub, sub); -impl<'a, 'b> Mul<&'b BigNumRef> for &'a BigNumRef { +impl Mul<&BigNumRef> for &BigNumRef { type Output = BigNum; fn mul(self, oth: &BigNumRef) -> BigNum { @@ -1309,7 +1309,7 @@ impl<'a, 'b> Mul<&'b BigNumRef> for &'a BigNumRef { delegate!(Mul, mul); -impl<'a, 'b> Div<&'b BigNumRef> for &'a BigNumRef { +impl<'b> Div<&'b BigNumRef> for &BigNumRef { type Output = BigNum; fn div(self, oth: &'b BigNumRef) -> BigNum { @@ -1322,7 +1322,7 @@ impl<'a, 'b> Div<&'b BigNumRef> for &'a BigNumRef { delegate!(Div, div); -impl<'a, 'b> Rem<&'b BigNumRef> for &'a BigNumRef { +impl<'b> Rem<&'b BigNumRef> for &BigNumRef { type Output = BigNum; fn rem(self, oth: &'b BigNumRef) -> BigNum { @@ -1335,7 +1335,7 @@ impl<'a, 'b> Rem<&'b BigNumRef> for &'a BigNumRef { delegate!(Rem, rem); -impl<'a> Shl for &'a BigNumRef { +impl Shl for &BigNumRef { type Output = BigNum; fn shl(self, n: i32) -> BigNum { @@ -1345,7 +1345,7 @@ impl<'a> Shl for &'a BigNumRef { } } -impl<'a> Shl for &'a BigNum { +impl Shl for &BigNum { type Output = BigNum; fn shl(self, n: i32) -> BigNum { 
@@ -1353,7 +1353,7 @@ impl<'a> Shl for &'a BigNum { } } -impl<'a> Shr for &'a BigNumRef { +impl Shr for &BigNumRef { type Output = BigNum; fn shr(self, n: i32) -> BigNum { @@ -1363,7 +1363,7 @@ impl<'a> Shr for &'a BigNumRef { } } -impl<'a> Shr for &'a BigNum { +impl Shr for &BigNum { type Output = BigNum; fn shr(self, n: i32) -> BigNum { @@ -1371,7 +1371,7 @@ impl<'a> Shr for &'a BigNum { } } -impl<'a> Neg for &'a BigNumRef { +impl Neg for &BigNumRef { type Output = BigNum; fn neg(self) -> BigNum { @@ -1379,7 +1379,7 @@ impl<'a> Neg for &'a BigNumRef { } } -impl<'a> Neg for &'a BigNum { +impl Neg for &BigNum { type Output = BigNum; fn neg(self) -> BigNum { diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index 424c5f92d7..90a5650c0c 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -61,8 +61,8 @@ use openssl_macros::corresponds; /// A type used to derive a shared secret between two keys. pub struct Deriver<'a>(*mut ffi::EVP_PKEY_CTX, PhantomData<&'a ()>); -unsafe impl<'a> Sync for Deriver<'a> {} -unsafe impl<'a> Send for Deriver<'a> {} +unsafe impl Sync for Deriver<'_> {} +unsafe impl Send for Deriver<'_> {} #[allow(clippy::len_without_is_empty)] impl<'a> Deriver<'a> { @@ -163,7 +163,7 @@ impl<'a> Deriver<'a> { } } -impl<'a> Drop for Deriver<'a> { +impl Drop for Deriver<'_> { fn drop(&mut self) { unsafe { ffi::EVP_PKEY_CTX_free(self.0); diff --git a/openssl/src/encrypt.rs b/openssl/src/encrypt.rs index 4522146f89..c50be081cf 100644 --- a/openssl/src/encrypt.rs +++ b/openssl/src/encrypt.rs @@ -56,10 +56,10 @@ pub struct Encrypter<'a> { _p: PhantomData<&'a ()>, } -unsafe impl<'a> Sync for Encrypter<'a> {} -unsafe impl<'a> Send for Encrypter<'a> {} +unsafe impl Sync for Encrypter<'_> {} +unsafe impl Send for Encrypter<'_> {} -impl<'a> Drop for Encrypter<'a> { +impl Drop for Encrypter<'_> { fn drop(&mut self) { unsafe { ffi::EVP_PKEY_CTX_free(self.pctx); 
@@ -260,10 +260,10 @@ pub struct Decrypter<'a> { _p: PhantomData<&'a ()>, } -unsafe impl<'a> Sync for Decrypter<'a> {} -unsafe impl<'a> Send for Decrypter<'a> {} +unsafe impl Sync for Decrypter<'_> {} +unsafe impl Send for Decrypter<'_> {} -impl<'a> Drop for Decrypter<'a> { +impl Drop for Decrypter<'_> { fn drop(&mut self) { unsafe { ffi::EVP_PKEY_CTX_free(self.pctx); diff --git a/openssl/src/ocsp.rs b/openssl/src/ocsp.rs index 93a5d36b7e..570b8c2d0b 100644 --- a/openssl/src/ocsp.rs +++ b/openssl/src/ocsp.rs @@ -122,7 +122,7 @@ pub struct OcspStatus<'a> { pub next_update: &'a Asn1GeneralizedTimeRef, } -impl<'a> OcspStatus<'a> { +impl OcspStatus<'_> { /// Checks validity of the `this_update` and `next_update` fields. /// /// The `nsec` parameter specifies an amount of slack time that will be used when comparing diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index dd012128a2..bea91a5a43 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -365,7 +365,7 @@ impl Signer<'_> { } } -impl<'a> Write for Signer<'a> { +impl Write for Signer<'_> { fn write(&mut self, buf: &[u8]) -> io::Result { self.update(buf)?; Ok(buf.len()) @@ -384,10 +384,10 @@ pub struct Verifier<'a> { pkey_pd: PhantomData<&'a ()>, } -unsafe impl<'a> Sync for Verifier<'a> {} -unsafe impl<'a> Send for Verifier<'a> {} +unsafe impl Sync for Verifier<'_> {} +unsafe impl Send for Verifier<'_> {} -impl<'a> Drop for Verifier<'a> { +impl Drop for Verifier<'_> { fn drop(&mut self) { // pkey_ctx is owned by the md_ctx, so no need to explicitly free it. unsafe { @@ -566,7 +566,7 @@ impl<'a> Verifier<'a> { } } -impl<'a> Write for Verifier<'a> { +impl Write for Verifier<'_> { fn write(&mut self, buf: &[u8]) -> io::Result { self.update(buf)?; Ok(buf.len()) diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index a98bc5644d..2c5fd000a3 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs 
@@ -1367,20 +1367,20 @@ fn stateless() { pub struct Outgoing<'a>(&'a mut Vec); - impl<'a> Drop for Outgoing<'a> { + impl Drop for Outgoing<'_> { fn drop(&mut self) { self.0.clear(); } } - impl<'a> ::std::ops::Deref for Outgoing<'a> { + impl ::std::ops::Deref for Outgoing<'_> { type Target = [u8]; fn deref(&self) -> &[u8] { self.0 } } - impl<'a> AsRef<[u8]> for Outgoing<'a> { + impl AsRef<[u8]> for Outgoing<'_> { fn as_ref(&self) -> &[u8] { self.0 } diff --git a/openssl/src/stack.rs b/openssl/src/stack.rs index 58acac61ad..112aa7f649 100644 --- a/openssl/src/stack.rs +++ b/openssl/src/stack.rs @@ -343,7 +343,7 @@ impl<'a, T: Stackable> DoubleEndedIterator for Iter<'a, T> { } } -impl<'a, T: Stackable> ExactSizeIterator for Iter<'a, T> {} +impl ExactSizeIterator for Iter<'_, T> {} /// A mutable iterator over the stack's contents. pub struct IterMut<'a, T: Stackable> { @@ -377,4 +377,4 @@ impl<'a, T: Stackable> DoubleEndedIterator for IterMut<'a, T> { } } -impl<'a, T: Stackable> ExactSizeIterator for IterMut<'a, T> {} +impl ExactSizeIterator for IterMut<'_, T> {} diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index d0cd00e3e6..67c86ee3d4 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -135,7 +135,7 @@ impl X509StoreContextRef { { struct Cleanup<'a>(&'a mut X509StoreContextRef); - impl<'a> Drop for Cleanup<'a> { + impl Drop for Cleanup<'_> { fn drop(&mut self) { unsafe { ffi::X509_STORE_CTX_cleanup(self.0.as_ptr()); @@ -873,7 +873,7 @@ impl Eq for X509 {} /// A context object required to construct certain `X509` extension values. pub struct X509v3Context<'a>(ffi::X509V3_CTX, PhantomData<(&'a X509Ref, &'a ConfRef)>); -impl<'a> X509v3Context<'a> { +impl X509v3Context<'_> { pub fn as_ptr(&self) -> *mut ffi::X509V3_CTX { &self.0 as *const _ as *mut _ } From bc85958769b672a7878003d4126c598aac743acc Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Sat, 5 Oct 2024 10:03:55 -0500 Subject: [PATCH 48/69] fixes #2311 -- silencer resolver warnings --- Cargo.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/Cargo.toml b/Cargo.toml index c33c3475a7..63194cb3fd 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,4 +1,5 @@ [workspace] +resolver = "2" members = [ "openssl", "openssl-errors", From de8a97c1b55800104ae6f3c6f52aab1e17df3b3c Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 7 Oct 2024 06:59:40 -0700 Subject: [PATCH 49/69] Bump to 3.4.0-beta1 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2115a8ea3c..e2e6881f86 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -154,7 +154,7 @@ jobs: - name: openssl version: vendored - name: openssl - version: 3.4.0-alpha1 + version: 3.4.0-beta1 - name: openssl version: 3.3.0 - name: openssl From f9027b7549e7d557d627aeadc157097b2c5c018b Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Tue, 15 Oct 2024 08:05:19 +0200 Subject: [PATCH 50/69] LibreSSL 4.0.0 is released & stable --- openssl-sys/build/main.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index c9bddf5382..f379e1e6b3 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -380,6 +380,8 @@ See rust-openssl documentation for more information: (3, 8, _) => ('3', '8', 'x'), (3, 9, 0) => ('3', '9', '0'), (3, 9, _) => ('3', '9', 'x'), + (4, 0, 0) => ('4', '0', '0'), + (4, 0, _) => ('4', '0', 'x'), _ => version_error(), }; @@ -422,7 +424,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3), or LibreSSL 2.5 -through 3.9.x, but a different version of OpenSSL was found. The build is now aborting +through 4.0.x, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " 
From c4dabc2fc2f76d734fc361401c3bae1a911bc405 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Tue, 15 Oct 2024 07:59:54 +0200 Subject: [PATCH 51/69] CI: Update LibreSSL CI LibreSSL 3.7 is out of support, so replace it with just released 4.0. Bump 3.9 branch to 3.9.2 and 3.8 branch to 3.8.4. --- .github/workflows/ci.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e2e6881f86..212183e2c4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -184,17 +184,17 @@ jobs: bindgen: true library: name: libressl - version: 3.7.3 + version: 3.8.4 - target: x86_64-unknown-linux-gnu bindgen: true library: name: libressl - version: 3.8.3 + version: 3.9.2 - target: x86_64-unknown-linux-gnu bindgen: true library: name: libressl - version: 3.9.1 + version: 4.0.0 - target: x86_64-unknown-linux-gnu bindgen: false library: @@ -204,17 +204,17 @@ jobs: bindgen: false library: name: libressl - version: 3.7.3 + version: 3.8.4 - target: x86_64-unknown-linux-gnu bindgen: false library: name: libressl - version: 3.8.3 + version: 3.9.2 - target: x86_64-unknown-linux-gnu bindgen: false library: name: libressl - version: 3.9.1 + version: 4.0.0 name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} runs-on: ubuntu-latest env: From b510e8c2c2a37e86bf940ede4c46f858d0241fa2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 15 Oct 2024 07:30:14 -0400 Subject: [PATCH 52/69] Release openssl v0.10.67 and openssl-sys v0.9.104 --- openssl-sys/CHANGELOG.md | 19 ++++++++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 20 +++++++++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 40 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 37f35e0a66..641f0d4b7a 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md 
@@ -2,6 +2,22 @@ ## [Unreleased] +## [v0.9.104] - 2024-10-15 + +### Added + +* Added support for LibreSSL 4.0.x. +* Added `EVP_KDF_*` and `EVP_KDF_CTX_*` bindings. +* Added `EVP_DigestSqueeze`. +* Added `OSSL_PARAM_construct_octet_string`. +* Added `OSSL_set_max_threads` and `OSSL_get_max_threads`. + +### Changed + +* `openssl-sys` is now a 2021 edition crate +* Explicitly specify the MSRV in `Cargo.toml` +* Raised the `bindgen` (optional) dependency from 0.65 to 0.69 + ## [v0.9.103] - 2024-07-20 ### Added @@ -607,7 +623,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.103..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.104..master +[v0.9.104]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.103...openssl-sys-v0.9.104 [v0.9.103]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.102...openssl-sys-v0.9.103 [v0.9.102]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.101...openssl-sys-v0.9.102 [v0.9.101]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.100...openssl-sys-v0.9.101 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 7ec1038dc7..f82dbd3f1a 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.103" +version = "0.9.104" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index e3d1045ac0..259614ceea 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md 
@@ -2,6 +2,23 @@ ## [Unreleased] +## [v0.10.67] - 2024-10-15 + +### Added + +* Added support for LibreSSL 4.0.x. +* Added `argon2id` + +### Fixed + +* Fixed a case where `MdCtxRef::digest_verify_final` could leave an error on the stack. +* Fixed a case where `RsaRef::check_key` could leave an errror on the stack. + +### Changed + +* `openssl` is now a 2021 edition crate +* Explicitly specify the MSRV in `Cargo.toml` + ## [v0.10.66] - 2024-07-21 ### Fixed @@ -908,7 +925,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.66...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.67...master +[v0.10.67]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.66...openssl-v0.10.67 [v0.10.66]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.65...openssl-v0.10.66 [v0.10.65]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.64...openssl-v0.10.65 [v0.10.64]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.63...openssl-v0.10.64 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 23ccc91d9b..88bfcaf773 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.66" +version = "0.10.67" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -31,7 +31,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.103", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.104", path = "../openssl-sys" } [dev-dependencies] hex = "0.4" From 065cc77d0c574d0f713af4f2b37fb9040b3537cf Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Wed, 16 Oct 2024 18:14:59 -0400 Subject: [PATCH 53/69] fixes #2317 -- restore compatibility with our MSRV and release openssl 0.9.68 --- openssl/CHANGELOG.md | 9 ++++++++- openssl/Cargo.toml | 2 +- openssl/src/kdf.rs | 3 ++- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 259614ceea..e939d4784a 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,12 @@ ## [Unreleased] +## [v0.10.68] - 2024-10-16 + +### Fixed + +* Fixed building on Rust 1.63.0 (our MSRV) with OpenSSL 3.2 or newer. + ## [v0.10.67] - 2024-10-15 ### Added @@ -925,7 +931,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.67...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.68...master +[v0.10.68]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.67...openssl-v0.10.68 [v0.10.67]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.66...openssl-v0.10.67 [v0.10.66]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.65...openssl-v0.10.66 [v0.10.65]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.64...openssl-v0.10.65 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 88bfcaf773..7bd6bdbb4f 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.67" +version = "0.10.68" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" diff --git a/openssl/src/kdf.rs b/openssl/src/kdf.rs index 4f6b1f8aab..a5da352505 100644 --- a/openssl/src/kdf.rs +++ b/openssl/src/kdf.rs 
@@ -25,10 +25,11 @@ impl Drop for EvpKdfCtx { cfg_if::cfg_if! { if #[cfg(all(ossl320, not(osslconf = "OPENSSL_NO_ARGON2")))] { use std::cmp; - use std::ffi::{c_char, c_void}; + use std::ffi::c_void; use std::mem::MaybeUninit; use std::ptr; use foreign_types::ForeignTypeRef; + use libc::c_char; use crate::{cvt, cvt_p}; use crate::lib_ctx::LibCtxRef; use crate::error::ErrorStack; From 360bfac99a6df2551c7a05a40c64dbeb1f82c831 Mon Sep 17 00:00:00 2001 From: Casper Meijn Date: Mon, 28 Oct 2024 11:43:19 +0100 Subject: [PATCH 54/69] build(deps): Update `openssl-macro` to version `0.1.1` The minimal version of `openssl-macros` needs to be the latest version. If `0.1.0` is used, then all kinds of compiler errors in the macro usage of `openssl` occur. I found this by running `cargo minimal-versions check` on crate `native-tls`. I don't know of any simple CI check to add to this project to detect this problem in the future. --- openssl/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 7bd6bdbb4f..42e5134328 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -30,7 +30,7 @@ foreign-types = "0.3.1" libc = "0.2" once_cell = "1.5.2" -openssl-macros = { version = "0.1.0", path = "../openssl-macros" } +openssl-macros = { version = "0.1.1", path = "../openssl-macros" } ffi = { package = "openssl-sys", version = "0.9.104", path = "../openssl-sys" } [dev-dependencies] From ef81d97a30ce0277be9eba813131f07f9328e3a6 Mon Sep 17 00:00:00 2001 From: Viktoriia Kovalova Date: Wed, 13 Nov 2024 15:42:48 +0000 Subject: [PATCH 55/69] Enable set_alpn_select_callback for BoringSSL --- openssl/src/ssl/callbacks.rs | 4 ++-- openssl/src/ssl/mod.rs | 21 ++++++++++++++------- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index ccf5308509..f7e51a5d38 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs 
@@ -19,7 +19,7 @@ use crate::dh::Dh; use crate::ec::EcKey; use crate::error::ErrorStack; use crate::pkey::Params; -#[cfg(any(ossl102, libressl261))] +#[cfg(any(ossl102, libressl261, boringssl))] use crate::ssl::AlpnError; use crate::ssl::{ try_get_session_ctx_index, SniError, Ssl, SslAlert, SslContext, SslContextRef, SslRef, @@ -178,7 +178,7 @@ where } } -#[cfg(any(ossl102, libressl261))] +#[cfg(any(ossl102, libressl261, boringssl))] pub extern "C" fn raw_alpn_select( ssl: *mut ffi::SSL, out: *mut *const c_uchar, diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index d9b2a724f6..f5a696ab54 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -602,17 +602,17 @@ impl SslAlert { /// An error returned from an ALPN selection callback. /// -/// Requires OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer. -#[cfg(any(ossl102, libressl261))] +/// Requires BoringSSL or OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer. +#[cfg(any(ossl102, libressl261, boringssl))] #[derive(Debug, Copy, Clone, PartialEq, Eq)] pub struct AlpnError(c_int); -#[cfg(any(ossl102, libressl261))] +#[cfg(any(ossl102, libressl261, boringssl))] impl AlpnError { /// Terminate the handshake with a fatal alert. /// - /// Requires OpenSSL 1.1.0 or newer. - #[cfg(ossl110)] + /// Requires BoringSSL or OpenSSL 1.1.0 or newer. + #[cfg(any(ossl110, boringssl))] pub const ALERT_FATAL: AlpnError = AlpnError(ffi::SSL_TLSEXT_ERR_ALERT_FATAL); /// Do not select a protocol, but continue the handshake. 
@@ -1267,23 +1267,30 @@ impl SslContextBuilder { /// of those protocols on success. The [`select_next_proto`] function implements the standard /// protocol selection algorithm. /// - /// Requires OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer. + /// Requires BoringSSL or OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer. /// /// [`SslContextBuilder::set_alpn_protos`]: struct.SslContextBuilder.html#method.set_alpn_protos /// [`select_next_proto`]: fn.select_next_proto.html #[corresponds(SSL_CTX_set_alpn_select_cb)] - #[cfg(any(ossl102, libressl261))] + #[cfg(any(ossl102, libressl261, boringssl))] pub fn set_alpn_select_callback(&mut self, callback: F) where F: for<'a> Fn(&mut SslRef, &'a [u8]) -> Result<&'a [u8], AlpnError> + 'static + Sync + Send, { unsafe { self.set_ex_data(SslContext::cached_ex_index::(), callback); + #[cfg(not(boringssl))] ffi::SSL_CTX_set_alpn_select_cb__fixed_rust( self.as_ptr(), Some(callbacks::raw_alpn_select::), ptr::null_mut(), ); + #[cfg(boringssl)] + ffi::SSL_CTX_set_alpn_select_cb( + self.as_ptr(), + Some(callbacks::raw_alpn_select::), + ptr::null_mut(), + ); } } From cf40611ed321848d1df7e9d2d1e96361b802af3d Mon Sep 17 00:00:00 2001 From: Viktoriia Kovalova Date: Wed, 13 Nov 2024 15:42:48 +0000 Subject: [PATCH 56/69] Enable tests --- openssl/src/ssl/test/mod.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 2c5fd000a3..282558f805 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -502,7 +502,7 @@ fn test_connect_with_srtp_ssl() { /// Tests that when the `SslStream` is created as a server stream, the protocols /// are correctly advertised to the client. #[test] -#[cfg(any(ossl102, libressl261))] +#[cfg(any(ossl102, libressl261, boringssl))] fn test_alpn_server_advertise_multiple() { let mut server = Server::builder(); server.ctx().set_alpn_select_callback(|_, client| { 
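Review bot: In `set_alpn_select_callback` the two `#[cfg]`-gated calls are identical except for the function name, and nothing in the hunk says why BoringSSL must go through `ffi::SSL_CTX_set_alpn_select_cb` rather than the `__fixed_rust` binding. A one-line comment before the pair would document the split, for example `// BoringSSL's bindings have no __fixed_rust variant of this function.` (presumably the reason; confirm against the bindings). Because the registered callback receives raw pointers from the C library, that comment is also the place to record that the BoringSSL callback signature was checked against `raw_alpn_select`.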
@@ -517,7 +517,7 @@ fn test_alpn_server_advertise_multiple() { } #[test] -#[cfg(ossl110)] +#[cfg(any(ossl110, boringssl))] fn test_alpn_server_select_none_fatal() { let mut server = Server::builder(); server.ctx().set_alpn_select_callback(|_, client| { @@ -533,7 +533,7 @@ fn test_alpn_server_select_none_fatal() { } #[test] -#[cfg(any(ossl102, libressl261))] +#[cfg(any(ossl102, libressl261, boringssl))] fn test_alpn_server_select_none() { static CALLED_BACK: AtomicBool = AtomicBool::new(false); From 331972087a4697c36ae0ef7fd29de718599867d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= Date: Fri, 15 Nov 2024 11:36:03 +0100 Subject: [PATCH 57/69] Switch the test to use prime256v1 based key Most of the prime* curves are disabled on openSUSE/SLE based systems, which causes this test to fail. The prime256v1 curve is still enabled and hence the test succeeds using that --- openssl/src/pkey_ctx.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index add7830484..f30f06973a 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs 
@@ -1087,14 +1087,14 @@ mod test { #[cfg(ossl320)] fn ecdsa_deterministic_signature() { let private_key_pem = "-----BEGIN PRIVATE KEY----- -MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQEEHzAdAgEBBBhvqwNJNOTA/Jrmf1tWWanX0f79GH7g -n9Q= +MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCDJr6nYRbp1FmtcIVdnsdaTTlDD2zbo +mxJ7imIrEg9nIQ== -----END PRIVATE KEY-----"; let key1 = EcKey::private_key_from_pem(private_key_pem.as_bytes()).unwrap(); let key1 = PKey::from_ec_key(key1).unwrap(); let input = "sample"; - let expected_output = hex::decode("303502190098C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF021857A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B64").unwrap(); + let expected_output = hex::decode("3044022061340C88C3AAEBEB4F6D667F672CA9759A6CCAA9FA8811313039EE4A35471D3202206D7F147DAC089441BB2E2FE8F7A3FA264B9C475098FDCF6E00D7C996E1B8B7EB").unwrap(); let hashed_input = hash(MessageDigest::sha1(), input.as_bytes()).unwrap(); let mut ctx = PkeyCtx::new(&key1).unwrap(); From 769f0b22d29044814926ea8516d035e79e8d48cd Mon Sep 17 00:00:00 2001 From: sanketh Date: Fri, 20 Dec 2024 19:21:53 -0500 Subject: [PATCH 58/69] disallow updates after squeezes --- openssl/src/hash.rs | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 5d0203294d..117bb2fb0d 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs 
@@ -283,6 +283,18 @@ impl Hasher { if self.state == Finalized { self.init()?; } + if self.state == Squeeze { + // [`EVP_DigestUpdate`], depending on the implementation, may allow Updates after Squeezes. + // But, [FIPS 202], as shown in Figure 7, has a distinguished absorbing phase followed by a squeezing phase. + // Indeed, the [`sha3.c`] implmentation disallows Updates after Squeezes. + // For consistency, we always return an error when Update is called after Squeeze. + // + // [`EVP_DigestUpdate`]: https://github.com/openssl/openssl/blob/b3bb214720f20f3b126ae4b9c330e9a48b835415/crypto/evp/digest.c#L385-L393 + // [FIPS 202]: https://dx.doi.org/10.6028/NIST.FIPS.202 + // [`sha3.c`]: https://github.com/openssl/openssl/blob/b3bb214720f20f3b126ae4b9c330e9a48b835415/crypto/sha/sha3.c#L52-L63 + let errors = ErrorStack::get(); + return Err(errors); + } unsafe { cvt(ffi::EVP_DigestUpdate( self.ctx, From 95159d0d7ccb47eb38cf12554f938d29beab25ce Mon Sep 17 00:00:00 2001 From: sanketh Date: Fri, 20 Dec 2024 19:38:15 -0500 Subject: [PATCH 59/69] oops forgot compiler directive --- openssl/src/hash.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 8efb4239f1..f66c5ce013 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -278,6 +278,7 @@ impl Hasher { if self.state == Finalized { self.init()?; } + #[cfg(ossl330)] if self.state == Squeeze { // [`EVP_DigestUpdate`], depending on the implementation, may allow Updates after Squeezes. // But, [FIPS 202], as shown in Figure 7, has a distinguished absorbing phase followed by a squeezing phase. From 555d498f3860568486f552c996436b0b64f0e513 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 25 Jan 2025 13:51:32 -0500 Subject: [PATCH 60/69] Expose SSL_CTX_load_verify_locations --- openssl/src/ssl/mod.rs | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index f5a696ab54..c341642a2c 100644 
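Review bot: The early return in the new `self.state == Squeeze` branch builds its error from `ErrorStack::get()` although no OpenSSL call has failed at that point. The caller will therefore normally get an `Err` holding an empty stack, or stale entries left on the thread's error queue by unrelated code, and neither says "update after squeeze". At minimum the behaviour should be documented on the method, e.g. `/// Returns an error (normally with an empty error stack) if called after a squeeze.`, and covered by a test that updates after a squeeze and asserts `is_err()`. The enclosing method, the one that calls `EVP_DigestUpdate`, starts and ends outside the hunk.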
--- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -924,12 +924,23 @@ impl SslContextBuilder { /// The file should contain a sequence of PEM-formatted CA certificates. #[corresponds(SSL_CTX_load_verify_locations)] pub fn set_ca_file>(&mut self, file: P) -> Result<(), ErrorStack> { - let file = CString::new(file.as_ref().as_os_str().to_str().unwrap()).unwrap(); + self.load_verify_locations(Some(file.as_ref()), None) + } + + /// Loads trusted root certificates from a file and/or a directory. + #[corresponds(SSL_CTX_load_verify_locations)] + pub fn load_verify_locations( + &mut self, + ca_file: Option<&Path>, + ca_path: Option<&Path>, + ) -> Result<(), ErrorStack> { + let ca_file = ca_file.map(|p| CString::new(p.as_os_str().to_str().unwrap()).unwrap()); + let ca_path = ca_path.map(|p| CString::new(p.as_os_str().to_str().unwrap()).unwrap()); unsafe { cvt(ffi::SSL_CTX_load_verify_locations( self.as_ptr(), - file.as_ptr() as *const _, - ptr::null(), + ca_file.as_ref().map_or(ptr::null(), |s| s.as_ptr()), + ca_path.as_ref().map_or(ptr::null(), |s| s.as_ptr()), )) .map(|_| ()) } From b5fb3604188eec9b82a92ece9b8b2777a66b644c Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 25 Jan 2025 14:16:16 -0500 Subject: [PATCH 61/69] Release openssl v0.10.69 --- openssl/CHANGELOG.md | 12 ++++++++++++ openssl/Cargo.toml | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index e939d4784a..bc314c2edc 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,18 @@ ## [Unreleased] +## [v0.10.69] - 2025-01-25 + +### Fixed + +* Fixed the version constraint on `openssl-macros`. + +### Added + +* Added `SslContextBuilder::load_verify_locations`. +* Added `Hasher::squeeze_xof`. +* Added `SslContextBuilder::set_alpn_select_callback` support for boringssl. + ## [v0.10.68] - 2024-10-16 ### Fixed diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 42e5134328..43cef06d24 100644 
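Review bot: The new public `load_verify_locations` returns `Result<(), ErrorStack>` but panics on two kinds of path input: `to_str().unwrap()` fails on a path that is not valid UTF-8, and `CString::new(..).unwrap()` fails on a path containing a NUL byte. `set_ca_file` already behaved this way, but this commit copies the pattern into a second entry point that accepts both a file and a directory. If the signature cannot carry a non-OpenSSL error, document it with a `# Panics` section, e.g. `/// Panics if either path is not valid UTF-8 or contains an interior NUL byte.`. On Unix the UTF-8 restriction could be dropped by building the `CString` from `std::os::unix::ffi::OsStrExt::as_bytes`.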
--- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.68" +version = "0.10.69" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" From b38052ad3865b6a1b030047c6ae7df1c3e20a197 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 31 Jan 2025 07:12:46 -0800 Subject: [PATCH 62/69] Attempt to fix CI by pinning to the Ubuntu 22.04 image --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 212183e2c4..927280505e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -216,7 +216,7 @@ jobs: name: libressl version: 4.0.0 name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 env: OPENSSL_DIR: /opt/openssl CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABIHF_LINKER: arm-linux-gnueabihf-gcc @@ -248,7 +248,7 @@ jobs: - uses: actions/cache@v4 with: path: /opt/openssl - key: openssl-${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-6 + key: openssl-${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-7 if: matrix.library.version != 'vendored' id: openssl-cache - run: | From 36720a549b870e277be568830ba51c68591f5674 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 31 Jan 2025 07:36:30 +0100 Subject: [PATCH 63/69] Remove EC_METHOD and EC_GROUP_new for LibreSSL 4.1 --- openssl-sys/build/cfgs.rs | 3 +++ openssl-sys/build/main.rs | 1 + openssl-sys/src/handwritten/ec.rs | 2 ++ 3 files changed, 6 insertions(+) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index cd03888e62..ca9970740b 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs 
@@ -68,6 +68,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& if libressl_version >= 0x4_00_00_00_0 { cfgs.push("libressl400"); } + if libressl_version >= 0x4_01_00_00_0 { + cfgs.push("libressl410"); + } } else { let openssl_version = openssl_version.unwrap(); diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index f379e1e6b3..e6a3db397e 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -103,6 +103,7 @@ fn main() { println!("cargo:rustc-check-cfg=cfg(libressl382)"); println!("cargo:rustc-check-cfg=cfg(libressl390)"); println!("cargo:rustc-check-cfg=cfg(libressl400)"); + println!("cargo:rustc-check-cfg=cfg(libressl410)"); println!("cargo:rustc-check-cfg=cfg(ossl101)"); println!("cargo:rustc-check-cfg=cfg(ossl102)"); diff --git a/openssl-sys/src/handwritten/ec.rs b/openssl-sys/src/handwritten/ec.rs index f199bc891c..19d93a55ea 100644 --- a/openssl-sys/src/handwritten/ec.rs +++ b/openssl-sys/src/handwritten/ec.rs @@ -9,6 +9,7 @@ pub enum point_conversion_form_t { POINT_CONVERSION_HYBRID = 6, } +#[cfg(not(libressl410))] pub enum EC_METHOD {} pub enum EC_GROUP {} pub enum EC_POINT {} @@ -17,6 +18,7 @@ extern "C" { #[cfg(not(osslconf = "OPENSSL_NO_EC2M"))] pub fn EC_GF2m_simple_method() -> *const EC_METHOD; + #[cfg(not(libressl410))] pub fn EC_GROUP_new(meth: *const EC_METHOD) -> *mut EC_GROUP; pub fn EC_GROUP_free(group: *mut EC_GROUP); From 4830f5bb93dafeeeddf32bf41dda83e2560f3d49 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 1 Feb 2025 11:13:16 -0800 Subject: [PATCH 64/69] Expose `SslMethod::{dtls_client,dtls_server}` --- openssl-sys/src/handwritten/ssl.rs | 4 ++++ openssl/src/ssl/mod.rs | 16 +++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs index b86a54cbed..163c75aed9 100644 --- a/openssl-sys/src/handwritten/ssl.rs +++ b/openssl-sys/src/handwritten/ssl.rs 
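Review bot: In the second `ec.rs` hunk, `EC_GF2m_simple_method() -> *const EC_METHOD` is still gated only by `#[cfg(not(osslconf = "OPENSSL_NO_EC2M"))]`, while the `EC_METHOD` type it names is now compiled out under `libressl410` by the first `ec.rs` hunk. If a LibreSSL 4.1 build does not define `OPENSSL_NO_EC2M` (not visible from this patch), the declaration refers to a missing type and the crate fails to compile. Gating it the same way, `#[cfg(all(not(osslconf = "OPENSSL_NO_EC2M"), not(libressl410)))]`, removes the dependency on that assumption. The `extern "C"` block continues outside the hunk, so any other use of `EC_METHOD` there should be checked as well.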
@@ -701,6 +701,10 @@ cfg_if! { pub fn TLS_server_method() -> *const SSL_METHOD; pub fn TLS_client_method() -> *const SSL_METHOD; + + pub fn DTLS_server_method() -> *const SSL_METHOD; + + pub fn DTLS_client_method() -> *const SSL_METHOD; } } else { extern "C" { diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index c341642a2c..aac726a69e 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -364,6 +364,20 @@ impl SslMethod { unsafe { SslMethod(TLS_server_method()) } } + /// Support all versions of the DTLS protocol, explicitly as a client. + #[corresponds(DTLS_client_method)] + #[cfg(any(boringssl, ossl110, libressl291))] + pub fn dtls_client() -> SslMethod { + unsafe { SslMethod(DTLS_client_method()) } + } + + /// Support all versions of the DTLS protocol, explicitly as a server. + #[corresponds(DTLS_method)] + #[cfg(any(boringssl, ossl110, libressl291))] + pub fn dtls_server() -> SslMethod { + unsafe { SslMethod(DTLS_server_method()) } + } + /// Constructs an `SslMethod` from a pointer to the underlying OpenSSL value. /// /// # Safety @@ -4288,7 +4302,7 @@ cfg_if! { } cfg_if! { if #[cfg(any(boringssl, ossl110, libressl291))] { - use ffi::{TLS_method, DTLS_method, TLS_client_method, TLS_server_method}; + use ffi::{TLS_method, DTLS_method, TLS_client_method, TLS_server_method, DTLS_server_method, DTLS_client_method}; } else { use ffi::{ SSLv23_method as TLS_method, DTLSv1_method as DTLS_method, SSLv23_client_method as TLS_client_method, From 5ecb31d3fd252c54dbae5e0b5b7ad495b26ac339 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 1 Feb 2025 11:22:56 -0800 Subject: [PATCH 65/69] Update openssl/src/ssl/mod.rs Co-authored-by: Theo Buehler --- openssl/src/ssl/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index aac726a69e..fc414a2ffb 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs 
@@ -372,7 +372,7 @@ impl SslMethod { } /// Support all versions of the DTLS protocol, explicitly as a server. - #[corresponds(DTLS_method)] + #[corresponds(DTLS_server_method)] #[cfg(any(boringssl, ossl110, libressl291))] pub fn dtls_server() -> SslMethod { unsafe { SslMethod(DTLS_server_method()) } From 4c9fbb0c18e8a3ac1de9671d7828862b49c1cb87 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 1 Feb 2025 11:31:54 -0800 Subject: [PATCH 66/69] Test against 3.4.0 final release --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 927280505e..6be72d76ea 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -154,7 +154,7 @@ jobs: - name: openssl version: vendored - name: openssl - version: 3.4.0-beta1 + version: 3.4.0 - name: openssl version: 3.3.0 - name: openssl From 8e6e30bbf7e7627845b801f83a3810d6ffc1f157 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 2 Feb 2025 12:19:46 -0500 Subject: [PATCH 67/69] Fix lifetimes in ssl::select_next_proto --- openssl/src/ssl/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index fc414a2ffb..e15c48b6d7 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -709,7 +709,7 @@ cfg_if! { /// /// [`SslContextBuilder::set_alpn_protos`]: struct.SslContextBuilder.html#method.set_alpn_protos #[corresponds(SSL_select_next_proto)] -pub fn select_next_proto<'a>(server: &[u8], client: &'a [u8]) -> Option<&'a [u8]> { +pub fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> { unsafe { let mut out = ptr::null_mut(); let mut outlen = 0; From c9a33e286023f92b869c5f157b349be15985a799 Mon Sep 17 00:00:00 2001 
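Review bot: The new `select_next_proto` signature ties the returned slice to `server` as well as `client`, but nothing next to it records why, so a later cleanup could drop the `'a` on `server` and bring back the use after free that the v0.10.70 changelog entry describes. A short comment above the signature would pin the constraint, e.g. `// The selected protocol may point into either input list, so the result must not outlive server or client.` Which buffer `out` ends up pointing into is decided by the FFI call, which lies outside the hunk, so the wording should be checked against it. A `compile_fail` doctest that drops `server` while the result is still in use would keep the constraint from regressing.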
From: Steven Fackler Date: Sun, 2 Feb 2025 13:01:39 -0500 Subject: [PATCH 68/69] Release openssl-sys v0.9.105 --- openssl-sys/CHANGELOG.md | 6 ++++++ openssl-sys/Cargo.toml | 2 +- openssl/Cargo.toml | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 641f0d4b7a..03b76736e1 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,12 @@ ## [Unreleased] +## [v0.9.105] - 2025-02-02 + +### Added + +* Added `DTLS_server_method` and `DTLS_client_method`. + ## [v0.9.104] - 2024-10-15 ### Added diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index f82dbd3f1a..406c793a8f 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.104" +version = "0.9.105" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 43cef06d24..fbc2f6077c 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -31,7 +31,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.1", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.104", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.105", path = "../openssl-sys" } [dev-dependencies] hex = "0.4" From a4d399b0f1a3694cb2d1728edf74d318a3cac890 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 2 Feb 2025 13:04:32 -0500 Subject: [PATCH 69/69] Release openssl v0.10.70 --- openssl/CHANGELOG.md | 10 ++++++++++ openssl/Cargo.toml | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index bc314c2edc..e69b265701 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md 
@@ -2,6 +2,16 @@ ## [Unreleased] +## [v0.10.70] - 2025-02-02 + +### Fixed + +* Fixed improper lifetime constraints in `ssl::select_next_proto` that allowed a use after free. + +### Added + +* Added `SslMethod::dtls_client` and `SslMethod::dtls_server`. + ## [v0.10.69] - 2025-01-25 ### Fixed diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index fbc2f6077c..d3a3f45c1e 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.69" +version = "0.10.70" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings"