diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6be72d76e..1d35e2224 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -72,6 +72,8 @@ jobs: restore-keys: | index-${{ runner.os }}- - run: cargo generate-lockfile + - run: | + cargo update -p once_cell --precise 1.20.3 - uses: actions/cache@v4 with: path: ~/.cargo/registry/cache @@ -149,6 +151,10 @@ jobs: - true - false library: + - name: aws-lc + version: v1.48.2 + - name: aws-lc + version: vendored - name: boringssl version: e23fe9b6eecc10e4f9ea1f0027fea5eaee7bd6b6 - name: openssl @@ -274,18 +280,25 @@ jobs: url="https://boringssl.googlesource.com/boringssl/+archive/${{ matrix.library.version }}.tar.gz" tar_flags="" ;; + "aws-lc") + url="https://github.com/aws/aws-lc/archive/refs/tags/${{ matrix.library.version }}.tar.gz" + tar_flags="--strip-components=1" + ;; esac case "${{ matrix.target}}" in "x86_64-unknown-linux-gnu") + CPU=x86_64 OS_COMPILER=linux-x86_64 OS_FLAGS="" ;; "i686-unknown-linux-gnu") + CPU=i686 OS_COMPILER=linux-elf OS_FLAGS="-m32 -msse2" ;; "arm-unknown-linux-gnueabihf") + CPU=armv4 OS_COMPILER=linux-armv4 OS_FLAGS="" export AR=arm-linux-gnueabihf-ar @@ -315,7 +328,7 @@ jobs: cd build echo "set(CMAKE_SYSTEM_NAME Linux)" > toolchain.cmake - echo "set(CMAKE_SYSTEM_PROCESSOR $cpu)" >> toolchain.cmake + echo "set(CMAKE_SYSTEM_PROCESSOR $CPU)" >> toolchain.cmake echo "set(triple ${{ matrix.target }})" >> toolchain.cmake echo 'set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} '$OS_FLAGS '" CACHE STRING "c++ flags")' >> toolchain.cmake echo 'set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} '$OS_FLAGS '" CACHE STRING "c flags")' >> toolchain.cmake @@ -328,6 +341,22 @@ jobs: # Copy stuff around so it's all as the build system expects. cp -r ../rust/ "$OPENSSL_DIR/rust" cp -r ./ "$OPENSSL_DIR/build" + ;; + "aws-lc") + mkdir build + cd build + + echo "set(CMAKE_SYSTEM_NAME Linux)" > toolchain.cmake + echo "set(CMAKE_SYSTEM_PROCESSOR $CPU)" >> toolchain.cmake + echo "set(triple ${{ matrix.target }})" >> toolchain.cmake + echo 'set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} '$OS_FLAGS '" CACHE STRING "c++ flags")' >> toolchain.cmake + echo 'set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} '$OS_FLAGS '" CACHE STRING "c flags")' >> toolchain.cmake + echo 'set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} '$OS_FLAGS '" CACHE STRING "asm flags")' >> toolchain.cmake + + cmake .. -DCMAKE_INSTALL_PREFIX="${OPENSSL_DIR}" -DCMAKE_TOOLCHAIN_FILE=toolchain.cmake + make -j "$(nproc)" + make install + ;; esac if: matrix.library.version != 'vendored' && !steps.openssl-cache.outputs.cache-hit @@ -357,11 +386,11 @@ jobs: if [[ "${{ matrix.library.version }}" == "vendored" ]]; then features="--features vendored" fi - if [[ "${{ matrix.bindgen }}" == "true" && "${{ matrix.library.name }}" != "boringssl" ]]; then + if [[ "${{ matrix.bindgen }}" == "true" ]]; then features="$features --features bindgen" fi cargo run --manifest-path=systest/Cargo.toml --target ${{ matrix.target }} $features - if: matrix.library.name != 'boringssl' + if: ${{ !(matrix.library.name == 'boringssl' || matrix.library.name == 'aws-lc') }} - name: Test openssl run: | if [[ "${{ matrix.library.name }}" == "boringssl" && "${{ matrix.bindgen }}" != "true" ]]; then @@ -369,7 +398,11 @@ jobs: BORINGSSL_BUILD_DIR="$OPENSSL_DIR/build/" fi if [[ "${{ matrix.library.version }}" == "vendored" ]]; then - features="--features vendored" + if [[ "${{ matrix.library.name }}" == "aws-lc" ]]; then + features="--features aws-lc" + else + features="--features vendored" + fi fi if [[ "${{ matrix.bindgen }}" == "true" ]]; then features="$features --features bindgen" @@ -384,4 +417,4 @@ jobs: features="$features --features openssl-sys/bindgen" fi cargo test --manifest-path=openssl-errors/Cargo.toml --target ${{ matrix.target }} $features - if: matrix.library.name != 'boringssl' + if: ${{ !(matrix.library.name == 'boringssl' || matrix.library.name == 'aws-lc') }} diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 03b76736e..62f110d57 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,19 @@ ## [Unreleased] +## [v0.9.107] - 2025-04-04 + +### Added + +* Support for building with AWS-LC. + +## [v0.9.106] - 2025-02-15 + +### Added + +* Support building with `OPENSSL_NO_RC2`. +* Exposed `EVP_rc2_cbc` and `EVP_rc2_40_cbc`. + ## [v0.9.105] - 2025-02-02 ### Added @@ -629,7 +642,10 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.104..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.107..master +[v0.9.107]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.106...openssl-sys-v0.9.107 +[v0.9.106]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.105...openssl-sys-v0.9.106 +[v0.9.105]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.104...openssl-sys-v0.9.105 [v0.9.104]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.103...openssl-sys-v0.9.104 [v0.9.103]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.102...openssl-sys-v0.9.103 [v0.9.102]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.101...openssl-sys-v0.9.102 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 406c793a8..a38da8468 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.105" +version = "0.9.107" authors = [ "Alex Crichton ", "Steven Fackler ", @@ -18,10 +18,12 @@ rust-version = "1.63.0" [features] vendored = ['openssl-src'] unstable_boringssl = ['bssl-sys'] +aws-lc = ['dep:aws-lc-sys'] [dependencies] libc = "0.2" bssl-sys = { version = "0.1.0", optional = true } +aws-lc-sys = { version = "0.27", features = ["ssl"], optional = true } [build-dependencies] bindgen = { version = "0.69.0", optional = true, features = ["experimental"] } diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c index e171621dc..cebed1b70 100644 --- a/openssl-sys/build/expando.c +++ b/openssl-sys/build/expando.c @@ -19,6 +19,10 @@ VERSION(OPENSSL, OPENSSL_VERSION_NUMBER) RUST_OPENSSL_IS_BORINGSSL #endif +#ifdef OPENSSL_IS_AWSLC +RUST_OPENSSL_IS_AWSLC +#endif + #ifdef OPENSSL_NO_BF RUST_CONF_OPENSSL_NO_BF #endif @@ -87,6 +91,10 @@ RUST_CONF_OPENSSL_NO_PSK RUST_CONF_OPENSSL_NO_RC4 #endif +#ifdef OPENSSL_NO_RC2 +RUST_CONF_OPENSSL_NO_RC2 +#endif + #ifdef OPENSSL_NO_RFC3779 RUST_CONF_OPENSSL_NO_RFC3779 #endif @@ -138,3 +146,9 @@ RUST_CONF_OPENSSL_NO_SEED #ifdef OPENSSL_NO_SCRYPT RUST_CONF_OPENSSL_NO_SCRYPT #endif + +#define SYMBOL_PREFIX2(X) RUST_BINDGEN_SYMBOL_PREFIX_##X##_ +#define SYMBOL_PREFIX(X) SYMBOL_PREFIX2(X) +#if defined(OPENSSL_IS_AWSLC) && defined(BORINGSSL_PREFIX) +SYMBOL_PREFIX(BORINGSSL_PREFIX) +#endif diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index e6a3db397..c4ac240e3 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -24,6 +24,7 @@ enum Version { Openssl10x, Libressl, Boringssl, + AwsLc, } fn env_inner(name: &str) -> Option { @@ -71,14 +72,60 @@ fn check_ssl_kind() { // BoringSSL does not have any build logic, exit early std::process::exit(0); } + + let is_aws_lc = cfg!(feature = "aws-lc"); + + if is_aws_lc { + println!("cargo:rustc-cfg=awslc"); + println!("cargo:awslc=true"); + + // The aws-lc-sys crate uses a link name that embeds + // the version number of crate. Examples (crate-name => links name): + // * aws-lc-sys => aws_lc_0_26_0 + // This is done to avoid issues if the cargo dependency graph for an application + // were to resolve to multiple versions for the same crate. + // + // Due to this we need to determine what version of the AWS-LC has been selected (fips or non-fips) + // and then need to parse out the pieces we are interested in ignoring the version componenet of the name. + const AWS_LC_ENV_VAR_PREFIX: &str = "DEP_AWS_LC_"; + + let mut version = None; + for (name, _) in std::env::vars() { + if let Some(name) = name.strip_prefix(AWS_LC_ENV_VAR_PREFIX) { + if let Some(name) = name.strip_suffix("_INCLUDE") { + version = Some(name.to_owned()); + break; + } + } + } + let version = version.expect("aws-lc version detected"); + + // Read the OpenSSL configuration statements and emit rust-cfg for each. + if let Ok(vars) = std::env::var(format!("{AWS_LC_ENV_VAR_PREFIX}{version}_CONF")) { + for var in vars.split(',') { + println!("cargo:rustc-cfg=osslconf=\"{var}\""); + } + println!("cargo:conf={vars}"); + } + + // Emit the include header directory from the aws-lc(-fips)-sys crate so that it can be used if needed + // by crates consuming openssl-sys. + if let Ok(val) = std::env::var(format!("{AWS_LC_ENV_VAR_PREFIX}{version}_INCLUDE")) { + println!("cargo:include={val}"); + } + + // AWS-LC does not have any build logic, exit early + std::process::exit(0); + } } fn main() { - println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_COMP\", \"OPENSSL_NO_SOCK\", \"OPENSSL_NO_STDIO\", \"OPENSSL_NO_EC\", \"OPENSSL_NO_SSL3_METHOD\", \"OPENSSL_NO_KRB5\", \"OPENSSL_NO_TLSEXT\", \"OPENSSL_NO_SRP\", \"OPENSSL_NO_RFC3779\", \"OPENSSL_NO_SHA\", \"OPENSSL_NO_NEXTPROTONEG\", \"OPENSSL_NO_ENGINE\", \"OPENSSL_NO_BUF_FREELISTS\"))"); + println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_COMP\", \"OPENSSL_NO_SOCK\", \"OPENSSL_NO_STDIO\", \"OPENSSL_NO_EC\", \"OPENSSL_NO_SSL3_METHOD\", \"OPENSSL_NO_KRB5\", \"OPENSSL_NO_TLSEXT\", \"OPENSSL_NO_SRP\", \"OPENSSL_NO_RFC3779\", \"OPENSSL_NO_SHA\", \"OPENSSL_NO_NEXTPROTONEG\", \"OPENSSL_NO_ENGINE\", \"OPENSSL_NO_BUF_FREELISTS\", \"OPENSSL_NO_RC2\"))"); println!("cargo:rustc-check-cfg=cfg(openssl)"); println!("cargo:rustc-check-cfg=cfg(libressl)"); println!("cargo:rustc-check-cfg=cfg(boringssl)"); + println!("cargo:rustc-check-cfg=cfg(awslc)"); println!("cargo:rustc-check-cfg=cfg(libressl250)"); println!("cargo:rustc-check-cfg=cfg(libressl251)"); @@ -201,7 +248,10 @@ fn main() { // try to match the behavior for common platforms. For a more robust option, // this likely needs to be deferred to the caller with an environment // variable. - if version == Version::Boringssl && kind == "static" && env::var("CARGO_CFG_UNIX").is_ok() { + if (version == Version::Boringssl || version == Version::AwsLc) + && kind == "static" + && env::var("CARGO_CFG_UNIX").is_ok() + { let cpp_lib = match env::var("CARGO_CFG_TARGET_OS").unwrap().as_ref() { "macos" => "c++", _ => "stdc++", @@ -231,8 +281,8 @@ fn main() { fn postprocess(include_dirs: &[PathBuf]) -> Version { let version = validate_headers(include_dirs); - // Never run bindgen for BoringSSL, if it was needed we already ran it. - if version != Version::Boringssl { + // Never run bindgen for BoringSSL or AWS-LC, if it was needed we already ran it. + if !(version == Version::Boringssl || version == Version::AwsLc) { #[cfg(feature = "bindgen")] run_bindgen::run(&include_dirs); } @@ -296,14 +346,18 @@ See rust-openssl documentation for more information: let mut openssl_version = None; let mut libressl_version = None; let mut is_boringssl = false; + let mut is_awslc = false; + let mut bindgen_symbol_prefix: Option = None; for line in expanded.lines() { let line = line.trim(); let openssl_prefix = "RUST_VERSION_OPENSSL_"; let new_openssl_prefix = "RUST_VERSION_NEW_OPENSSL_"; let libressl_prefix = "RUST_VERSION_LIBRESSL_"; - let boringsl_prefix = "RUST_OPENSSL_IS_BORINGSSL"; + let boringssl_prefix = "RUST_OPENSSL_IS_BORINGSSL"; + let awslc_prefix = "RUST_OPENSSL_IS_AWSLC"; let conf_prefix = "RUST_CONF_"; + let symbol_prefix = "RUST_BINDGEN_SYMBOL_PREFIX_"; if let Some(version) = line.strip_prefix(openssl_prefix) { openssl_version = Some(parse_version(version)); } else if let Some(version) = line.strip_prefix(new_openssl_prefix) { @@ -312,8 +366,13 @@ See rust-openssl documentation for more information: libressl_version = Some(parse_version(version)); } else if let Some(conf) = line.strip_prefix(conf_prefix) { enabled.push(conf); - } else if line.starts_with(boringsl_prefix) { + } else if line.starts_with(boringssl_prefix) { is_boringssl = true; + } else if line.starts_with(awslc_prefix) { + is_awslc = true; + } else if line.starts_with(symbol_prefix) { + let sym_prefix = String::from(line.strip_prefix(symbol_prefix).unwrap()); + bindgen_symbol_prefix = Some(sym_prefix); } } @@ -329,6 +388,13 @@ See rust-openssl documentation for more information: return Version::Boringssl; } + if is_awslc { + println!("cargo:rustc-cfg=awslc"); + println!("cargo:awslc=true"); + run_bindgen::run_awslc(include_dirs, bindgen_symbol_prefix); + return Version::AwsLc; + } + // We set this for any non-BoringSSL lib. println!("cargo:rustc-cfg=openssl"); diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index 27bd482b3..cc0efd8b5 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -36,15 +36,20 @@ const INCLUDES: &str = " #include #include +#if !defined(OPENSSL_IS_AWSLC) // this must be included after ssl.h for libressl! #include +#endif -#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL) +#if !(defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)) #include #endif -#if !defined(OPENSSL_IS_BORINGSSL) +#if !(defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)) #include +#endif + +#if !defined(OPENSSL_IS_BORINGSSL) #include #endif @@ -60,7 +65,7 @@ const INCLUDES: &str = " #include #endif -#if defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL) +#if defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) #include #endif @@ -216,6 +221,128 @@ pub fn run_boringssl(include_dirs: &[PathBuf]) { .compile("boring_static_wrapper"); } +#[cfg(feature = "bindgen")] +mod bindgen_options { + use bindgen::callbacks::{ItemInfo, ParseCallbacks}; + + #[derive(Debug)] + pub struct StripPrefixCallback { + remove_prefix: Option, + } + + impl StripPrefixCallback { + pub fn new(prefix: &str) -> StripPrefixCallback { + StripPrefixCallback { + remove_prefix: Some(prefix.to_string()), + } + } + } + + impl ParseCallbacks for StripPrefixCallback { + fn generated_name_override(&self, item_info: ItemInfo<'_>) -> Option { + self.remove_prefix + .as_ref() + .and_then(|s| item_info.name.strip_prefix(s.as_str()).map(String::from)) + } + } +} + +#[cfg(feature = "bindgen")] +pub fn run_awslc(include_dirs: &[PathBuf], symbol_prefix: Option) { + let out_dir = PathBuf::from(env::var_os("OUT_DIR").unwrap()); + + fs::File::create(out_dir.join("awslc_static_wrapper.h")) + .expect("Failed to create awslc_static_wrapper.h") + .write_all(INCLUDES.as_bytes()) + .expect("Failed to write contents to awslc_static_wrapper.h"); + + let mut builder = bindgen::builder() + .rust_target(RustTarget::Stable_1_47) + .ctypes_prefix("::libc") + .raw_line("use libc::*;") + .derive_default(false) + .enable_function_attribute_detection() + .default_macro_constant_type(MacroTypeVariation::Signed) + .rustified_enum("point_conversion_form_t") + .allowlist_file(r".*(/|\\)openssl((/|\\)[^/\\]+)+\.h") + .wrap_static_fns(true) + .wrap_static_fns_path(out_dir.join("awslc_static_wrapper").display().to_string()) + .layout_tests(false) + .header(out_dir.join("awslc_static_wrapper.h").display().to_string()); + + if let Some(prefix) = symbol_prefix { + use bindgen_options::StripPrefixCallback; + let callback = StripPrefixCallback::new(prefix.as_str()); + builder = builder.parse_callbacks(Box::from(callback)); + } + + for include_dir in include_dirs { + builder = builder + .clang_arg("-I") + .clang_arg(include_dir.display().to_string()); + } + + builder + .generate() + .unwrap() + .write_to_file(out_dir.join("bindgen.rs")) + .unwrap(); + + cc::Build::new() + .file(out_dir.join("awslc_static_wrapper.c")) + .includes(include_dirs) + .compile("awslc_static_wrapper"); +} + +#[cfg(not(feature = "bindgen"))] +pub fn run_awslc(include_dirs: &[PathBuf], symbol_prefix: Option) { + if symbol_prefix.is_some() { + panic!("aws-lc installation has prefixed symbols, but bindgen-cli does not support removing prefixes. \ + Enable the bindgen crate feature to support this installation.") + } + + let out_dir = PathBuf::from(env::var_os("OUT_DIR").unwrap()); + + fs::File::create(out_dir.join("awslc_static_wrapper.h")) + .expect("Failed to create awslc_static_wrapper.h") + .write_all(INCLUDES.as_bytes()) + .expect("Failed to write contents to awslc_static_wrapper.h"); + + let mut bindgen_cmd = process::Command::new("bindgen"); + bindgen_cmd + .arg("-o") + .arg(out_dir.join("bindgen.rs")) + // Must be a valid version from + // https://docs.rs/bindgen/latest/bindgen/enum.RustTarget.html + .arg("--rust-target=1.47") + .arg("--ctypes-prefix=::libc") + .arg("--raw-line=use libc::*;") + .arg("--no-derive-default") + .arg("--enable-function-attribute-detection") + .arg("--default-macro-constant-type=signed") + .arg("--rustified-enum=point_conversion_form_t") + .arg(r"--allowlist-file=.*(/|\\)openssl((/|\\)[^/\\]+)+\.h") + .arg("--experimental") + .arg("--wrap-static-fns") + .arg("--wrap-static-fns-path") + .arg(out_dir.join("awslc_static_wrapper").display().to_string()) + .arg(out_dir.join("awslc_static_wrapper.h")) + .arg("--") + .arg(format!("--target={}", env::var("TARGET").unwrap())); + + for include_dir in include_dirs { + bindgen_cmd.arg("-I").arg(include_dir.display().to_string()); + } + + let result = bindgen_cmd.status().expect("bindgen failed to execute"); + assert!(result.success()); + + cc::Build::new() + .file(out_dir.join("awslc_static_wrapper.c")) + .includes(include_dirs) + .compile("awslc_static_wrapper"); +} + #[cfg(feature = "bindgen")] #[derive(Debug)] struct OpensslCallbacks; diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 4d26f0f60..5fad4b977 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -7,7 +7,7 @@ pub const PKCS5_SALT_LEN: c_int = 8; pub const PKCS12_DEFAULT_ITER: c_int = 2048; pub const EVP_PKEY_RSA: c_int = NID_rsaEncryption; -#[cfg(any(ossl111, libressl310, boringssl))] +#[cfg(any(ossl111, libressl310, boringssl, awslc))] pub const EVP_PKEY_RSA_PSS: c_int = NID_rsassaPss; pub const EVP_PKEY_DSA: c_int = NID_dsa; pub const EVP_PKEY_DH: c_int = NID_dhKeyAgreement; @@ -313,7 +313,7 @@ pub unsafe fn EVP_PKEY_CTX_add1_hkdf_info( ) } -#[cfg(all(not(ossl300), not(boringssl)))] +#[cfg(not(any(ossl300, boringssl, awslc)))] pub unsafe fn EVP_PKEY_CTX_set_signature_md(cxt: *mut EVP_PKEY_CTX, md: *mut EVP_MD) -> c_int { EVP_PKEY_CTX_ctrl( cxt, diff --git a/openssl-sys/src/handwritten/ec.rs b/openssl-sys/src/handwritten/ec.rs index 19d93a55e..849251000 100644 --- a/openssl-sys/src/handwritten/ec.rs +++ b/openssl-sys/src/handwritten/ec.rs @@ -103,7 +103,7 @@ extern "C" { pub fn EC_POINT_dup(p: *const EC_POINT, group: *const EC_GROUP) -> *mut EC_POINT; - #[cfg(any(ossl111, boringssl, libressl350))] + #[cfg(any(ossl111, boringssl, libressl350, awslc))] pub fn EC_POINT_get_affine_coordinates( group: *const EC_GROUP, p: *const EC_POINT, diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index aa83c9212..a1be1da68 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -440,6 +440,11 @@ extern "C" { #[cfg(not(osslconf = "OPENSSL_NO_IDEA"))] pub fn EVP_idea_ofb() -> *const EVP_CIPHER; + #[cfg(not(osslconf = "OPENSSL_NO_RC2"))] + pub fn EVP_rc2_cbc() -> *const EVP_CIPHER; + #[cfg(not(osslconf = "OPENSSL_NO_RC2"))] + pub fn EVP_rc2_40_cbc() -> *const EVP_CIPHER; + #[cfg(not(ossl110))] pub fn OPENSSL_add_all_algorithms_noconf(); diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 0e23386fd..0e8923bac 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -6,7 +6,6 @@ non_upper_case_globals, unused_imports )] -#![cfg_attr(feature = "unstable_boringssl", allow(ambiguous_glob_reexports))] #![doc(html_root_url = "https://docs.rs/openssl-sys/0.9")] #![recursion_limit = "128"] // configure fixed limit across all rust versions @@ -15,22 +14,47 @@ pub use libc::c_int; #[cfg(feature = "unstable_boringssl")] extern crate bssl_sys; -#[cfg(feature = "unstable_boringssl")] -pub use bssl_sys::*; -#[cfg(all(boringssl, not(feature = "unstable_boringssl")))] +#[cfg(boringssl)] #[path = "."] mod boringssl { + #[cfg(feature = "unstable_boringssl")] + pub use bssl_sys::*; + #[cfg(not(feature = "unstable_boringssl"))] + include!(concat!(env!("OUT_DIR"), "/bindgen.rs")); + + // BoringSSL does not require initialization. + pub fn init() {} +} +#[cfg(boringssl)] +pub use boringssl::*; + +#[cfg(feature = "aws-lc")] +extern crate aws_lc_sys; + +#[cfg(awslc)] +#[path = "."] +mod aws_lc { + #[cfg(feature = "aws-lc")] + pub use aws_lc_sys::*; + + #[cfg(not(feature = "aws-lc"))] include!(concat!(env!("OUT_DIR"), "/bindgen.rs")); + use libc::{c_char, c_long, c_void}; + pub fn init() { - unsafe { - CRYPTO_library_init(); - } + unsafe { CRYPTO_library_init() } + } + + // BIO_get_mem_data is a C preprocessor macro by definition + #[allow(non_snake_case, clippy::not_unsafe_ptr_arg_deref)] + pub fn BIO_get_mem_data(b: *mut BIO, pp: *mut *mut c_char) -> c_long { + unsafe { BIO_ctrl(b, BIO_CTRL_INFO, 0, pp.cast::()) } } } -#[cfg(all(boringssl, not(feature = "unstable_boringssl")))] -pub use boringssl::*; +#[cfg(awslc)] +pub use aws_lc::*; #[cfg(openssl)] #[path = "."] diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index e69b26570..da2db978f 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,22 @@ ## [Unreleased] +## [v0.10.72] - 2025-04-04 + +### Fixed + +* Fixed use-after-free in `Md::fetch` and `Cipher::fetch` when `properties` is `Some(...)`. In practice this use-after-free most likely resulted in OpenSSL treating the `properties` as `b""`. + +### Added + +* Support for building with AWS-LC. + +## [v0.10.71] - 2025-02-15 + +### Added + +* Added `Cipher::rc2_cbc` and `Cipher::rc2_40_cbc`. + ## [v0.10.70] - 2025-02-02 ### Fixed @@ -953,7 +969,11 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.68...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.72...master +[v0.10.72]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.71...openssl-v0.10.72 +[v0.10.71]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.70...openssl-v0.10.71 +[v0.10.70]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.69...openssl-v0.10.70 +[v0.10.69]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.68...openssl-v0.10.69 [v0.10.68]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.67...openssl-v0.10.68 [v0.10.67]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.66...openssl-v0.10.67 [v0.10.66]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.65...openssl-v0.10.66 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index d3a3f45c1..75d440496 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.70" +version = "0.10.72" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -21,6 +21,7 @@ v111 = [] vendored = ['ffi/vendored'] bindgen = ['ffi/bindgen'] unstable_boringssl = ["ffi/unstable_boringssl"] +aws-lc = ["ffi/aws-lc"] default = [] [dependencies] @@ -31,7 +32,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.1", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.105", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.107", path = "../openssl-sys" } [dev-dependencies] hex = "0.4" diff --git a/openssl/LICENSE-APACHE b/openssl/LICENSE-APACHE new file mode 100644 index 000000000..8f71f43fe --- /dev/null +++ b/openssl/LICENSE-APACHE @@ -0,0 +1,202 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + diff --git a/openssl/build.rs b/openssl/build.rs index 33372efd5..d6d65798f 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -7,10 +7,11 @@ use std::env; fn main() { - println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_EC\", \"OPENSSL_NO_ARGON2\"))"); + println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_EC\", \"OPENSSL_NO_ARGON2\", \"OPENSSL_NO_RC2\"))"); println!("cargo:rustc-check-cfg=cfg(libressl)"); println!("cargo:rustc-check-cfg=cfg(boringssl)"); + println!("cargo:rustc-check-cfg=cfg(awslc)"); println!("cargo:rustc-check-cfg=cfg(libressl250)"); println!("cargo:rustc-check-cfg=cfg(libressl251)"); @@ -32,6 +33,7 @@ fn main() { println!("cargo:rustc-check-cfg=cfg(libressl382)"); println!("cargo:rustc-check-cfg=cfg(libressl390)"); println!("cargo:rustc-check-cfg=cfg(libressl400)"); + println!("cargo:rustc-check-cfg=cfg(libressl410)"); println!("cargo:rustc-check-cfg=cfg(ossl101)"); println!("cargo:rustc-check-cfg=cfg(ossl102)"); @@ -53,6 +55,10 @@ fn main() { println!("cargo:rustc-cfg=boringssl"); } + if env::var("DEP_OPENSSL_AWSLC").is_ok() { + println!("cargo:rustc-cfg=awslc"); + } + if let Ok(v) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { let version = u64::from_str_radix(&v, 16).unwrap(); @@ -116,6 +122,9 @@ fn main() { if version >= 0x4_00_00_00_0 { println!("cargo:rustc-cfg=libressl400"); } + if version >= 0x4_01_00_00_0 { + println!("cargo:rustc-cfg=libressl410"); + } } if let Ok(vars) = env::var("DEP_OPENSSL_CONF") { diff --git a/openssl/src/aes.rs b/openssl/src/aes.rs index cd1f3ed11..25de83d5c 100644 --- a/openssl/src/aes.rs +++ b/openssl/src/aes.rs @@ -23,7 +23,11 @@ //! # Examples #![cfg_attr( - all(not(boringssl), not(osslconf = "OPENSSL_NO_DEPRECATED_3_0")), + all( + not(boringssl), + not(awslc), + not(osslconf = "OPENSSL_NO_DEPRECATED_3_0") + ), doc = r#"\ ## AES IGE ```rust @@ -65,7 +69,7 @@ use libc::{c_int, c_uint}; use std::mem::MaybeUninit; use std::ptr; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] use crate::symm::Mode; use openssl_macros::corresponds; @@ -77,7 +81,7 @@ pub struct KeyError(()); pub struct AesKey(ffi::AES_KEY); cfg_if! { - if #[cfg(boringssl)] { + if #[cfg(any(boringssl, awslc))] { type AesBitType = c_uint; type AesSizeType = usize; } else { @@ -155,7 +159,7 @@ impl AesKey { /// /// Panics if `in_` is not the same length as `out`, if that length is not a multiple of 16, or if /// `iv` is not at least 32 bytes. -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] #[corresponds(AES_ige_encrypt)] pub fn aes_ige(in_: &[u8], out: &mut [u8], key: &AesKey, iv: &mut [u8], mode: Mode) { @@ -263,12 +267,12 @@ mod test { use hex::FromHex; use super::*; - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] use crate::symm::Mode; // From https://www.mgp25.com/AESIGE/ #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))] fn ige_vector_1() { let raw_key = "000102030405060708090A0B0C0D0E0F"; diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 19bd3b57b..06df31a03 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -165,7 +165,7 @@ impl Asn1Type { /// [`diff`]: struct.Asn1TimeRef.html#method.diff /// [`Asn1TimeRef`]: struct.Asn1TimeRef.html #[derive(Debug, Clone, PartialEq, Eq, Hash)] -#[cfg(any(ossl102, boringssl))] +#[cfg(any(ossl102, boringssl, awslc))] pub struct TimeDiff { /// Difference in days pub days: c_int, @@ -198,7 +198,7 @@ foreign_type_and_impl_send_sync! { impl Asn1TimeRef { /// Find difference between two times #[corresponds(ASN1_TIME_diff)] - #[cfg(any(ossl102, boringssl))] + #[cfg(any(ossl102, boringssl, awslc))] pub fn diff(&self, compare: &Self) -> Result { let mut days = 0; let mut secs = 0; @@ -214,7 +214,7 @@ impl Asn1TimeRef { /// Compare two times #[corresponds(ASN1_TIME_compare)] - #[cfg(any(ossl102, boringssl))] + #[cfg(any(ossl102, boringssl, awslc))] pub fn compare(&self, other: &Self) -> Result { let d = self.diff(other)?; if d.days > 0 || d.secs > 0 { @@ -228,7 +228,7 @@ impl Asn1TimeRef { } } -#[cfg(any(ossl102, boringssl))] +#[cfg(any(ossl102, boringssl, awslc))] impl PartialEq for Asn1TimeRef { fn eq(&self, other: &Asn1TimeRef) -> bool { self.diff(other) @@ -237,7 +237,7 @@ impl PartialEq for Asn1TimeRef { } } -#[cfg(any(ossl102, boringssl))] +#[cfg(any(ossl102, boringssl, awslc))] impl PartialEq for Asn1TimeRef { fn eq(&self, other: &Asn1Time) -> bool { self.diff(other) @@ -246,7 +246,7 @@ impl PartialEq for Asn1TimeRef { } } -#[cfg(any(ossl102, boringssl))] +#[cfg(any(ossl102, boringssl, awslc))] impl PartialEq for &Asn1TimeRef { fn eq(&self, other: &Asn1Time) -> bool { self.diff(other) @@ -255,21 +255,21 @@ impl PartialEq for &Asn1TimeRef { } } -#[cfg(any(ossl102, boringssl))] +#[cfg(any(ossl102, boringssl, awslc))] impl PartialOrd for Asn1TimeRef { fn partial_cmp(&self, other: &Asn1TimeRef) -> Option { self.compare(other).ok() } } -#[cfg(any(ossl102, boringssl))] +#[cfg(any(ossl102, boringssl, awslc))] impl PartialOrd for Asn1TimeRef { fn partial_cmp(&self, other: &Asn1Time) -> Option { self.compare(other).ok() } } -#[cfg(any(ossl102, boringssl))] +#[cfg(any(ossl102, boringssl, awslc))] impl PartialOrd for &Asn1TimeRef { fn partial_cmp(&self, other: &Asn1Time) -> Option { self.compare(other).ok() @@ -353,7 +353,7 @@ impl Asn1Time { /// /// Requires BoringSSL or OpenSSL 1.1.1 or newer. #[corresponds(ASN1_TIME_set_string_X509)] - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, awslc))] pub fn from_str_x509(s: &str) -> Result { unsafe { let s = CString::new(s).unwrap(); @@ -366,7 +366,7 @@ impl Asn1Time { } } -#[cfg(any(ossl102, boringssl))] +#[cfg(any(ossl102, boringssl, awslc))] impl PartialEq for Asn1Time { fn eq(&self, other: &Asn1Time) -> bool { self.diff(other) @@ -375,7 +375,7 @@ impl PartialEq for Asn1Time { } } -#[cfg(any(ossl102, boringssl))] +#[cfg(any(ossl102, boringssl, awslc))] impl PartialEq for Asn1Time { fn eq(&self, other: &Asn1TimeRef) -> bool { self.diff(other) @@ -384,7 +384,7 @@ impl PartialEq for Asn1Time { } } -#[cfg(any(ossl102, boringssl))] +#[cfg(any(ossl102, boringssl, awslc))] impl<'a> PartialEq<&'a Asn1TimeRef> for Asn1Time { fn eq(&self, other: &&'a Asn1TimeRef) -> bool { self.diff(other) @@ -393,21 +393,21 @@ impl<'a> PartialEq<&'a Asn1TimeRef> for Asn1Time { } } -#[cfg(any(ossl102, boringssl))] +#[cfg(any(ossl102, boringssl, awslc))] impl PartialOrd for Asn1Time { fn partial_cmp(&self, other: &Asn1Time) -> Option { self.compare(other).ok() } } -#[cfg(any(ossl102, boringssl))] +#[cfg(any(ossl102, boringssl, awslc))] impl PartialOrd for Asn1Time { fn partial_cmp(&self, other: &Asn1TimeRef) -> Option { self.compare(other).ok() } } -#[cfg(any(ossl102, boringssl))] +#[cfg(any(ossl102, boringssl, awslc))] impl<'a> PartialOrd<&'a Asn1TimeRef> for Asn1Time { fn partial_cmp(&self, other: &&'a Asn1TimeRef) -> Option { self.compare(other).ok() @@ -737,7 +737,7 @@ impl fmt::Debug for Asn1ObjectRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273, boringssl))] { + if #[cfg(any(ossl110, libressl273, boringssl, awslc))] { use ffi::ASN1_STRING_get0_data; } else { #[allow(bad_style)] @@ -808,7 +808,7 @@ mod tests { } #[test] - #[cfg(any(ossl102, boringssl))] + #[cfg(any(ossl102, boringssl, awslc))] fn time_eq() { let a = Asn1Time::from_str("99991231235959Z").unwrap(); let b = Asn1Time::from_str("99991231235959Z").unwrap(); @@ -827,7 +827,7 @@ mod tests { } #[test] - #[cfg(any(ossl102, boringssl))] + #[cfg(any(ossl102, boringssl, awslc))] fn time_ord() { let a = Asn1Time::from_str("99991231235959Z").unwrap(); let b = Asn1Time::from_str("99991231235959Z").unwrap(); diff --git a/openssl/src/bio.rs b/openssl/src/bio.rs index e97374b8d..ebd079f20 100644 --- a/openssl/src/bio.rs +++ b/openssl/src/bio.rs @@ -67,14 +67,14 @@ impl MemBio { } } - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub unsafe fn from_ptr(bio: *mut ffi::BIO) -> MemBio { MemBio(bio) } } cfg_if! { - if #[cfg(any(ossl102, boringssl))] { + if #[cfg(any(ossl102, boringssl, awslc))] { use ffi::BIO_new_mem_buf; } else { #[allow(bad_style)] diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index 99292fd0f..910dae0dd 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -37,18 +37,15 @@ use crate::{cvt, cvt_n, cvt_p, LenType}; use openssl_macros::corresponds; cfg_if! { - if #[cfg(any(ossl110, libressl350))] { + if #[cfg(any(ossl110, libressl350, awslc))] { use ffi::{ - BN_get_rfc2409_prime_1024, BN_get_rfc2409_prime_768, BN_get_rfc3526_prime_1536, - BN_get_rfc3526_prime_2048, BN_get_rfc3526_prime_3072, BN_get_rfc3526_prime_4096, + BN_get_rfc3526_prime_1536, BN_get_rfc3526_prime_2048, BN_get_rfc3526_prime_3072, BN_get_rfc3526_prime_4096, BN_get_rfc3526_prime_6144, BN_get_rfc3526_prime_8192, BN_is_negative, }; } else if #[cfg(boringssl)] { use ffi::BN_is_negative; } else { use ffi::{ - get_rfc2409_prime_1024 as BN_get_rfc2409_prime_1024, - get_rfc2409_prime_768 as BN_get_rfc2409_prime_768, get_rfc3526_prime_1536 as BN_get_rfc3526_prime_1536, get_rfc3526_prime_2048 as BN_get_rfc3526_prime_2048, get_rfc3526_prime_3072 as BN_get_rfc3526_prime_3072, @@ -64,6 +61,19 @@ cfg_if! { } } +cfg_if! { + if #[cfg(any(ossl110, libressl350))] { + use ffi::{ + BN_get_rfc2409_prime_1024, BN_get_rfc2409_prime_768 + }; + } else if #[cfg(not(any(boringssl, awslc)))] { + use ffi::{ + get_rfc2409_prime_1024 as BN_get_rfc2409_prime_1024, + get_rfc2409_prime_768 as BN_get_rfc2409_prime_768, + }; + } +} + /// Options for the most significant bits of a randomly generated `BigNum`. pub struct MsbOption(c_int); @@ -337,14 +347,14 @@ impl BigNumRef { /// Returns `true` is `self` is even. #[corresponds(BN_is_even)] - #[cfg(any(ossl110, boringssl, libressl350))] + #[cfg(any(ossl110, boringssl, libressl350, awslc))] pub fn is_even(&self) -> bool { !self.is_odd() } /// Returns `true` is `self` is odd. #[corresponds(BN_is_odd)] - #[cfg(any(ossl110, boringssl, libressl350))] + #[cfg(any(ossl110, boringssl, libressl350, awslc))] pub fn is_odd(&self) -> bool { unsafe { ffi::BN_is_odd(self.as_ptr()) == 1 } } @@ -847,7 +857,7 @@ impl BigNumRef { /// assert_eq!(&bn_vec, &[0, 0, 0x45, 0x43]); /// ``` #[corresponds(BN_bn2binpad)] - #[cfg(any(ossl110, libressl340, boringssl))] + #[cfg(any(ossl110, libressl340, boringssl, awslc))] pub fn to_vec_padded(&self, pad_to: i32) -> Result, ErrorStack> { let mut v = Vec::with_capacity(pad_to as usize); unsafe { @@ -986,7 +996,7 @@ impl BigNum { /// /// [`RFC 2409`]: https://tools.ietf.org/html/rfc2409#page-21 #[corresponds(BN_get_rfc2409_prime_768)] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn get_rfc2409_prime_768() -> Result { unsafe { ffi::init(); @@ -1000,7 +1010,7 @@ impl BigNum { /// /// [`RFC 2409`]: https://tools.ietf.org/html/rfc2409#page-21 #[corresponds(BN_get_rfc2409_prime_1024)] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn get_rfc2409_prime_1024() -> Result { unsafe { ffi::init(); @@ -1509,7 +1519,7 @@ mod tests { } #[test] - #[cfg(any(ossl110, boringssl, libressl350))] + #[cfg(any(ossl110, boringssl, libressl350, awslc))] fn test_odd_even() { let a = BigNum::from_u32(17).unwrap(); let b = BigNum::from_u32(18).unwrap(); diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs index c4cb26043..f8ebd4d77 100644 --- a/openssl/src/cipher.rs +++ b/openssl/src/cipher.rs @@ -17,7 +17,7 @@ use std::ops::{Deref, DerefMut}; use std::ptr; cfg_if! { - if #[cfg(any(boringssl, ossl110, libressl273))] { + if #[cfg(any(boringssl, ossl110, libressl273, awslc))] { use ffi::{EVP_CIPHER_block_size, EVP_CIPHER_iv_length, EVP_CIPHER_key_length}; } else { use libc::c_int; @@ -146,7 +146,7 @@ impl Cipher { let ptr = cvt_p(ffi::EVP_CIPHER_fetch( ctx.map_or(ptr::null_mut(), ForeignTypeRef::as_ptr), algorithm.as_ptr(), - properties.map_or(ptr::null_mut(), |s| s.as_ptr()), + properties.as_ref().map_or(ptr::null_mut(), |s| s.as_ptr()), ))?; Ok(Cipher::from_ptr(ptr)) @@ -161,7 +161,7 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_cbc() as *mut _) } } - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn aes_128_xts() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_xts() as *mut _) } } @@ -375,17 +375,17 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_des_ede3_cbc() as *mut _) } } - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn des_ede3_cfb8() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_des_ede3_cfb8() as *mut _) } } - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn des_ede3_cfb64() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_des_ede3_cfb64() as *mut _) } } - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn des_ede3_ofb() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_des_ede3_ofb() as *mut _) } } @@ -500,7 +500,7 @@ impl Cipher { unsafe { CipherRef::from_ptr(ffi::EVP_chacha20() as *mut _) } } - #[cfg(all(any(ossl110, libressl360), not(osslconf = "OPENSSL_NO_CHACHA")))] + #[cfg(all(any(ossl110, libressl360, awslc), not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn chacha20_poly1305() -> &'static CipherRef { unsafe { CipherRef::from_ptr(ffi::EVP_chacha20_poly1305() as *mut _) } } @@ -595,3 +595,15 @@ impl CipherRef { unsafe { EVP_CIPHER_block_size(self.as_ptr()) as usize } } } + +#[cfg(test)] +mod test { + #[cfg(ossl300)] + use super::Cipher; + + #[test] + #[cfg(ossl300)] + fn test_cipher_fetch_properties() { + assert!(Cipher::fetch(None, "AES-128-GCM", Some("provider=gibberish")).is_err()); + } +} diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index d31830ad0..dc8887239 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -52,7 +52,7 @@ use crate::cipher::CipherRef; use crate::error::ErrorStack; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] use crate::pkey::{HasPrivate, HasPublic, PKey, PKeyRef}; use crate::{cvt, cvt_p}; #[cfg(ossl102)] @@ -202,7 +202,7 @@ impl CipherCtxRef { /// Panics if `pub_keys` is not the same size as `encrypted_keys`, the IV buffer is smaller than the cipher's IV /// size, or if an IV is provided before the cipher. #[corresponds(EVP_SealInit)] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn seal_init( &mut self, type_: Option<&CipherRef>, @@ -259,7 +259,7 @@ impl CipherCtxRef { /// Panics if the IV buffer is smaller than the cipher's required IV size or if the IV is provided before the /// cipher. #[corresponds(EVP_OpenInit)] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn open_init( &mut self, type_: Option<&CipherRef>, @@ -329,7 +329,7 @@ impl CipherCtxRef { /// Panics if the context has not been initialized with a cipher or if the buffer is smaller than the cipher's key /// length. #[corresponds(EVP_CIPHER_CTX_rand_key)] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn rand_key(&self, buf: &mut [u8]) -> Result<(), ErrorStack> { assert!(buf.len() >= self.key_length()); @@ -728,11 +728,11 @@ impl CipherCtxRef { mod test { use super::*; use crate::{cipher::Cipher, rand::rand_bytes}; - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] use std::slice; #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn seal_open() { let private_pem = include_bytes!("../test/rsa.pem"); let public_pem = include_bytes!("../test/rsa.pem.pub"); @@ -809,8 +809,173 @@ mod test { aes_128_cbc(cipher); } + #[cfg(not(boringssl))] + #[test] + fn default_aes_128_ccm() { + // from https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/mac/ccmtestvectors.zip + let cipher = Cipher::aes_128_ccm(); + aes_ccm( + cipher, + "26511fb51fcfa75cb4b44da75a6e5a0e", + "ea98ec44f5a86715014783172e", + "4da40b80579c1d9a5309f7efecb7c059a2f914511ca5fc10", + "e4692b9f06b666c7451b146c8aeb07a6e30c629d28065c3dde5940325b14b810", + "1bf0ba0ebb20d8edba59f29a9371750c9c714078f73c335d", + "2f1322ac69b848b001476323aed84c47", + ); + } + + #[cfg(not(boringssl))] + #[test] + fn default_aes_192_ccm() { + // from https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/mac/ccmtestvectors.zip + let cipher = Cipher::aes_192_ccm(); + aes_ccm( + cipher, + "26511fb51fcfa75cb4b44da75a6e5a0eb8d9c8f3b906f886", + "ea98ec44f5a86715014783172e", + "4da40b80579c1d9a5309f7efecb7c059a2f914511ca5fc10", + "e4692b9f06b666c7451b146c8aeb07a6e30c629d28065c3dde5940325b14b810", + "30c154c616946eccc2e241d336ad33720953e449a0e6b0f0", + "dbf8e9464909bdf337e48093c082a10b", + ); + } + + #[cfg(not(boringssl))] + #[test] + fn default_aes_256_ccm() { + // from https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/mac/ccmtestvectors.zip + let cipher = Cipher::aes_256_ccm(); + aes_ccm( + cipher, + "314a202f836f9f257e22d8c11757832ae5131d357a72df88f3eff0ffcee0da4e", + "3542fbe0f59a6d5f3abf619b7d", + "c5b3d71312ea14f2f8fae5bd1a453192b6604a45db75c5ed", + "dd4531f158a2fa3bc8a339f770595048f4a42bc1b03f2e824efc6ba4985119d8", + "39c2e8f6edfe663b90963b98eb79e2d4f7f28a5053ae8881", + "567a6b4426f1667136bed4a5e32a2bc1", + ); + } + + #[cfg(not(boringssl))] + fn aes_ccm( + cipher: &CipherRef, + key: &'static str, + iv: &'static str, + pt: &'static str, + aad: &'static str, + ct: &'static str, + tag: &'static str, + ) { + let key = hex::decode(key).unwrap(); + let iv = hex::decode(iv).unwrap(); + let pt = hex::decode(pt).unwrap(); + let ct = hex::decode(ct).unwrap(); + let aad = hex::decode(aad).unwrap(); + let tag = hex::decode(tag).unwrap(); + + let mut ctx = CipherCtx::new().unwrap(); + + ctx.encrypt_init(Some(cipher), None, None).unwrap(); + ctx.set_iv_length(iv.len()).unwrap(); + ctx.set_tag_length(tag.len()).unwrap(); + ctx.encrypt_init(None, Some(&key), Some(&iv)).unwrap(); + ctx.set_data_len(pt.len()).unwrap(); + + let mut buf = vec![]; + ctx.cipher_update(&aad, None).unwrap(); + ctx.cipher_update_vec(&pt, &mut buf).unwrap(); + ctx.cipher_final_vec(&mut buf).unwrap(); + assert_eq!(buf, ct); + + let mut out_tag = vec![0u8; tag.len()]; + ctx.tag(&mut out_tag).unwrap(); + assert_eq!(tag, out_tag); + + ctx.decrypt_init(Some(cipher), None, None).unwrap(); + ctx.set_iv_length(iv.len()).unwrap(); + ctx.set_tag(&tag).unwrap(); + ctx.decrypt_init(None, Some(&key), Some(&iv)).unwrap(); + ctx.set_data_len(pt.len()).unwrap(); + + let mut buf = vec![]; + ctx.cipher_update(&aad, None).unwrap(); + ctx.cipher_update_vec(&ct, &mut buf).unwrap(); + // Some older libraries don't support calling EVP_CipherFinal/EVP_DecryptFinal for CCM + // https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Decryption_using_CCM_mode + #[cfg(any(ossl111, awslc, boringssl))] + ctx.cipher_final_vec(&mut buf).unwrap(); + + assert_eq!(buf, pt); + } + + #[cfg(not(any(boringssl, awslc)))] + #[test] + fn default_aes_128_xts() { + // https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/aes/XTSTestVectors.zip + let cipher = Cipher::aes_128_xts(); + aes_xts( + cipher, + "a1b90cba3f06ac353b2c343876081762090923026e91771815f29dab01932f2f", + "4faef7117cda59c66e4b92013e768ad5", + "ebabce95b14d3c8d6fb350390790311c", + "778ae8b43cb98d5a825081d5be471c63", + ); + } + + #[cfg(not(boringssl))] + #[test] + fn default_aes_256_xts() { + // https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/aes/XTSTestVectors.zip + let cipher = Cipher::aes_256_xts(); + aes_xts(cipher, "1ea661c58d943a0e4801e42f4b0947149e7f9f8e3e68d0c7505210bd311a0e7cd6e13ffdf2418d8d1911c004cda58da3d619b7e2b9141e58318eea392cf41b08", "adf8d92627464ad2f0428e84a9f87564", "2eedea52cd8215e1acc647e810bbc3642e87287f8d2e57e36c0a24fbc12a202e", "cbaad0e2f6cea3f50b37f934d46a9b130b9d54f07e34f36af793e86f73c6d7db"); + } + + #[cfg(not(boringssl))] + fn aes_xts( + cipher: &CipherRef, + key: &'static str, + i: &'static str, + pt: &'static str, + ct: &'static str, + ) { + let key = hex::decode(key).unwrap(); + let i = hex::decode(i).unwrap(); + let pt = hex::decode(pt).unwrap(); + let ct = hex::decode(ct).unwrap(); + + let mut ctx = CipherCtx::new().unwrap(); + ctx.encrypt_init(Some(cipher), Some(&key), Some(&i)) + .unwrap(); + let mut buf = vec![]; + ctx.cipher_update_vec(&pt, &mut buf).unwrap(); + ctx.cipher_final_vec(&mut buf).unwrap(); + + assert_eq!(ct, buf); + + ctx.decrypt_init(Some(cipher), Some(&key), Some(&i)) + .unwrap(); + let mut buf = vec![]; + ctx.cipher_update_vec(&ct, &mut buf).unwrap(); + ctx.cipher_final_vec(&mut buf).unwrap(); + + assert_eq!(pt, buf); + } + #[test] fn test_stream_ciphers() { + #[cfg(not(boringssl))] + { + test_stream_cipher(Cipher::aes_128_cfb1()); + test_stream_cipher(Cipher::aes_128_cfb8()); + test_stream_cipher(Cipher::aes_128_cfb128()); + test_stream_cipher(Cipher::aes_192_cfb1()); + test_stream_cipher(Cipher::aes_192_cfb8()); + test_stream_cipher(Cipher::aes_192_cfb128()); + test_stream_cipher(Cipher::aes_256_cfb1()); + test_stream_cipher(Cipher::aes_256_cfb8()); + test_stream_cipher(Cipher::aes_256_cfb128()); + } test_stream_cipher(Cipher::aes_192_ctr()); test_stream_cipher(Cipher::aes_256_ctr()); } diff --git a/openssl/src/conf.rs b/openssl/src/conf.rs index 88740298b..8fc0d0542 100644 --- a/openssl/src/conf.rs +++ b/openssl/src/conf.rs @@ -8,7 +8,7 @@ foreign_type_and_impl_send_sync! { pub struct ConfRef; } -#[cfg(not(any(boringssl, libressl400)))] +#[cfg(not(any(boringssl, libressl400, awslc)))] mod methods { use super::Conf; use crate::cvt_p; @@ -61,5 +61,5 @@ mod methods { } } } -#[cfg(not(any(boringssl, libressl400)))] +#[cfg(not(any(boringssl, libressl400, awslc)))] pub use methods::*; diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index c8d135f30..92ea04424 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -269,7 +269,7 @@ where } cfg_if! { - if #[cfg(any(ossl110, libressl270, boringssl))] { + if #[cfg(any(ossl110, libressl270, boringssl, awslc))] { use ffi::{DH_set0_pqg, DH_get0_pqg, DH_get0_key, DH_set0_key}; } else { #[allow(bad_style)] @@ -334,7 +334,7 @@ cfg_if! { mod tests { use crate::bn::BigNum; use crate::dh::Dh; - #[cfg(all(not(boringssl), ossl110))] + #[cfg(all(not(any(boringssl, awslc)), ossl110))] use crate::pkey::PKey; use crate::ssl::{SslContext, SslMethod}; @@ -385,7 +385,7 @@ mod tests { } #[test] - #[cfg(all(not(boringssl), ossl110))] + #[cfg(all(not(any(boringssl, awslc)), ossl110))] fn test_from_dhx_serializes_q() { let p = BigNum::from_hex_str("00ad107e1e9123a9d0d660faa79559c51fa20d64e5683b9fd1b54b1597b61d0a75e6fa141df95a56dbaf9a3c407ba1df15eb3d688a309c180e1de6b85a1274a0a66d3f8152ad6ac2129037c9edefda4df8d91e8fef55b7394b7ad5b7d0b6c12207c9f98d11ed34dbf6c6ba0b2c8bbc27be6a00e0a0b9c49708b3bf8a317091883681286130bc8985db1602e714415d9330278273c7de31efdc7310f7121fd5a07415987d9adc0a486dcdf93acc44328387315d75e198c641a480cd86a1b9e587e8be60e69cc928b2b9c52172e413042e9b23f10b0e16e79763c9b53dcf4ba80a29e3fb73c16b8e75b97ef363e2ffa31f71cf9de5384e71b81c0ac4dffe0c10e64f").unwrap(); let g = BigNum::from_hex_str("00ac4032ef4f2d9ae39df30b5c8ffdac506cdebe7b89998caf74866a08cfe4ffe3a6824a4e10b9a6f0dd921f01a70c4afaab739d7700c29f52c57db17c620a8652be5e9001a8d66ad7c17669101999024af4d027275ac1348bb8a762d0521bc98ae247150422ea1ed409939d54da7460cdb5f6c6b250717cbef180eb34118e98d119529a45d6f834566e3025e316a330efbb77a86f0c1ab15b051ae3d428c8f8acb70a8137150b8eeb10e183edd19963ddd9e263e4770589ef6aa21e7f5f2ff381b539cce3409d13cd566afbb48d6c019181e1bcfe94b30269edfe72fe9b6aa4bd7b5a0f1c71cfff4c19c418e1f6ec017981bc087f2a7065b384b890d3191f2bfa").unwrap(); diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index 1a63e8ad8..cceda212c 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -7,7 +7,7 @@ use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] use libc::c_int; use std::fmt; use std::mem; @@ -186,9 +186,9 @@ where } } } -#[cfg(boringssl)] +#[cfg(any(boringssl, awslc))] type BitType = libc::c_uint; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] type BitType = c_int; impl Dsa { @@ -315,7 +315,7 @@ impl fmt::Debug for Dsa { } cfg_if! { - if #[cfg(any(ossl110, libressl273, boringssl))] { + if #[cfg(any(ossl110, libressl273, boringssl, awslc))] { use ffi::{DSA_get0_key, DSA_get0_pqg, DSA_set0_key, DSA_set0_pqg}; } else { #[allow(bad_style)] @@ -494,7 +494,7 @@ impl DsaSigRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273, boringssl))] { + if #[cfg(any(ossl110, libressl273, boringssl, awslc))] { use ffi::{DSA_SIG_set0, DSA_SIG_get0}; } else { #[allow(bad_style)] diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 0dda1dbbc..a52bb6708 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -30,7 +30,7 @@ use crate::{cvt, cvt_n, cvt_p, init}; use openssl_macros::corresponds; cfg_if! { - if #[cfg(not(boringssl))] { + if #[cfg(not(any(boringssl, awslc)))] { use std::ffi::CString; use crate::string::OpensslString; } @@ -473,7 +473,7 @@ impl EcPointRef { /// Serializes the point to a hexadecimal string representation. #[corresponds(EC_POINT_point2hex)] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn to_hex_str( &self, group: &EcGroupRef, @@ -519,7 +519,7 @@ impl EcPointRef { /// Places affine coordinates of a curve over a prime field in the provided /// `x` and `y` `BigNum`s. #[corresponds(EC_POINT_get_affine_coordinates)] - #[cfg(any(ossl111, boringssl, libressl350))] + #[cfg(any(ossl111, boringssl, libressl350, awslc))] pub fn affine_coordinates( &self, group: &EcGroupRef, @@ -662,7 +662,7 @@ impl EcPoint { /// Creates point from a hexadecimal string representation #[corresponds(EC_POINT_hex2point)] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn from_hex_str( group: &EcGroupRef, s: &str, @@ -1171,7 +1171,7 @@ mod test { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn point_hex_str() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let key = EcKey::generate(&group).unwrap(); @@ -1260,7 +1260,7 @@ mod test { assert!(ec_key.check_key().is_ok()); } - #[cfg(any(ossl111, boringssl, libressl350))] + #[cfg(any(ossl111, boringssl, libressl350, awslc))] #[test] fn get_affine_coordinates() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); @@ -1336,7 +1336,7 @@ mod test { } #[test] - #[cfg(any(boringssl, ossl111, libressl350))] + #[cfg(any(boringssl, ossl111, libressl350, awslc))] fn asn1_flag() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let flag = group.asn1_flag(); diff --git a/openssl/src/ecdsa.rs b/openssl/src/ecdsa.rs index 26c6ddd5f..0d962c718 100644 --- a/openssl/src/ecdsa.rs +++ b/openssl/src/ecdsa.rs @@ -110,7 +110,7 @@ impl EcdsaSigRef { } cfg_if! { - if #[cfg(any(ossl110, libressl273, boringssl))] { + if #[cfg(any(ossl110, libressl273, boringssl, awslc))] { use ffi::{ECDSA_SIG_set0, ECDSA_SIG_get0}; } else { #[allow(bad_style)] diff --git a/openssl/src/encrypt.rs b/openssl/src/encrypt.rs index c50be081c..cd08d6530 100644 --- a/openssl/src/encrypt.rs +++ b/openssl/src/encrypt.rs @@ -148,7 +148,7 @@ impl<'a> Encrypter<'a> { /// This corresponds to [`EVP_PKEY_CTX_set_rsa_oaep_md`]. /// /// [`EVP_PKEY_CTX_set_rsa_oaep_md`]: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set_rsa_oaep_md.html - #[cfg(any(ossl102, libressl310))] + #[cfg(any(ossl102, libressl310, boringssl, awslc))] pub fn set_rsa_oaep_md(&mut self, md: MessageDigest) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_oaep_md( @@ -352,7 +352,7 @@ impl<'a> Decrypter<'a> { /// This corresponds to [`EVP_PKEY_CTX_set_rsa_oaep_md`]. /// /// [`EVP_PKEY_CTX_set_rsa_oaep_md`]: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set_rsa_oaep_md.html - #[cfg(any(ossl102, libressl310))] + #[cfg(any(ossl102, libressl310, boringssl, awslc))] pub fn set_rsa_oaep_md(&mut self, md: MessageDigest) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_oaep_md( @@ -478,7 +478,7 @@ mod test { use hex::FromHex; use crate::encrypt::{Decrypter, Encrypter}; - #[cfg(any(ossl102, libressl310))] + #[cfg(any(ossl102, libressl310, boringssl, awslc))] use crate::hash::MessageDigest; use crate::pkey::PKey; use crate::rsa::{Padding, Rsa}; @@ -513,7 +513,7 @@ mod test { } #[test] - #[cfg(any(ossl102, libressl310))] + #[cfg(any(ossl102, libressl310, boringssl, awslc))] fn rsa_encrypt_decrypt_with_sha256() { let key = include_bytes!("../test/rsa.pem"); let private_key = Rsa::private_key_from_pem(key).unwrap(); diff --git a/openssl/src/error.rs b/openssl/src/error.rs index e097ce688..c4553c686 100644 --- a/openssl/src/error.rs +++ b/openssl/src/error.rs @@ -18,7 +18,7 @@ use cfg_if::cfg_if; use libc::{c_char, c_int}; use std::borrow::Cow; -#[cfg(boringssl)] +#[cfg(any(boringssl, awslc))] use std::convert::TryInto; use std::error; use std::ffi::CStr; @@ -27,9 +27,9 @@ use std::io; use std::ptr; use std::str; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] type ErrType = libc::c_ulong; -#[cfg(boringssl)] +#[cfg(any(boringssl, awslc))] type ErrType = libc::c_uint; /// Collection of [`Error`]s from OpenSSL. @@ -127,13 +127,13 @@ impl Error { let data = if flags & ffi::ERR_TXT_STRING != 0 { let bytes = CStr::from_ptr(data as *const _).to_bytes(); let data = str::from_utf8(bytes).unwrap(); - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] let data = if flags & ffi::ERR_TXT_MALLOCED != 0 { Cow::Owned(data.to_string()) } else { Cow::Borrowed(data) }; - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] let data = Cow::Borrowed(data); Some(data) } else { @@ -204,9 +204,9 @@ impl Error { #[cfg(not(ossl300))] fn put_error(&self) { - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] let line = self.line; - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] let line = self.line.try_into().unwrap(); unsafe { ffi::ERR_put_error( @@ -238,7 +238,7 @@ impl Error { /// Returns the raw OpenSSL error constant for the library reporting the /// error. - // On BoringSSL ERR_GET_{LIB,FUNC,REASON} are `unsafe`, but on + // On AWS-LC and BoringSSL ERR_GET_{LIB,FUNC,REASON} are `unsafe`, but on // OpenSSL/LibreSSL they're safe. #[allow(unused_unsafe)] pub fn library_code(&self) -> libc::c_int { @@ -263,7 +263,7 @@ impl Error { } /// Returns the raw OpenSSL error constant for the reason for the error. - // On BoringSSL ERR_GET_{LIB,FUNC,REASON} are `unsafe`, but on + // On AWS-LC and BoringSSL ERR_GET_{LIB,FUNC,REASON} are `unsafe`, but on // OpenSSL/LibreSSL they're safe. #[allow(unused_unsafe)] pub fn reason_code(&self) -> libc::c_int { @@ -310,7 +310,7 @@ impl fmt::Debug for Error { } impl fmt::Display for Error { - // On BoringSSL ERR_GET_{LIB,FUNC,REASON} are `unsafe`, but on + // On AWS-LC and BoringSSL ERR_GET_{LIB,FUNC,REASON} are `unsafe`, but on // OpenSSL/LibreSSL they're safe. #[allow(unused_unsafe)] fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result { @@ -410,9 +410,9 @@ mod tests { fn test_error_library_code() { let stack = Nid::create("not-an-oid", "invalid", "invalid").unwrap_err(); let errors = stack.errors(); - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] assert_eq!(errors[0].library_code(), ffi::ERR_LIB_ASN1); - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] assert_eq!(errors[0].library_code(), ffi::ERR_LIB_OBJ as libc::c_int); } } diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index f66c5ce01..5acaf9250 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -44,7 +44,7 @@ use crate::{cvt, cvt_p}; use openssl_macros::corresponds; cfg_if! { - if #[cfg(any(ossl110, boringssl, libressl382))] { + if #[cfg(any(ossl110, boringssl, libressl382, awslc))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; @@ -123,32 +123,32 @@ impl MessageDigest { unsafe { MessageDigest(ffi::EVP_sha512()) } } - #[cfg(any(ossl111, libressl380))] + #[cfg(any(ossl111, libressl380, awslc))] pub fn sha3_224() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_sha3_224()) } } - #[cfg(any(ossl111, libressl380))] + #[cfg(any(ossl111, libressl380, awslc))] pub fn sha3_256() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_sha3_256()) } } - #[cfg(any(ossl111, libressl380))] + #[cfg(any(ossl111, libressl380, awslc))] pub fn sha3_384() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_sha3_384()) } } - #[cfg(any(ossl111, libressl380))] + #[cfg(any(ossl111, libressl380, awslc))] pub fn sha3_512() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_sha3_512()) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, awslc))] pub fn shake_128() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_shake128()) } } - #[cfg(ossl111)] + #[cfg(any(ossl111, awslc))] pub fn shake_256() -> MessageDigest { unsafe { MessageDigest(ffi::EVP_shake256()) } } @@ -323,9 +323,9 @@ impl Hasher { self.init()?; } unsafe { - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] let mut len = ffi::EVP_MAX_MD_SIZE; - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] let mut len = ffi::EVP_MAX_MD_SIZE as u32; let mut buf = [0; ffi::EVP_MAX_MD_SIZE as usize]; cvt(ffi::EVP_DigestFinal_ex( @@ -343,7 +343,7 @@ impl Hasher { /// Writes the hash of the data into the supplied buf and resets the XOF hasher. /// The hash will be as long as the buf. - #[cfg(ossl111)] + #[cfg(any(ossl111, awslc))] pub fn finish_xof(&mut self, buf: &mut [u8]) -> Result<(), ErrorStack> { if self.state == Finalized { self.init()?; @@ -481,7 +481,7 @@ pub fn hash(t: MessageDigest, data: &[u8]) -> Result { /// assert_eq!(buf, spec); /// ``` /// -#[cfg(ossl111)] +#[cfg(any(ossl111, awslc))] pub fn hash_xof(t: MessageDigest, data: &[u8], buf: &mut [u8]) -> Result<(), ErrorStack> { let mut h = Hasher::new(t)?; h.update(data)?; @@ -500,7 +500,7 @@ mod tests { assert_eq!(hex::encode(res), hashtest.1); } - #[cfg(ossl111)] + #[cfg(any(ossl111, awslc))] fn hash_xof_test(hashtype: MessageDigest, hashtest: &(&str, &str)) { let expected = Vec::from_hex(hashtest.1).unwrap(); let mut buf = vec![0; expected.len()]; @@ -701,7 +701,7 @@ mod tests { ); } - #[cfg(any(ossl111, libressl380))] + #[cfg(any(ossl111, libressl380, awslc))] #[test] fn test_sha3_224() { let tests = [( @@ -721,7 +721,7 @@ mod tests { ); } - #[cfg(any(ossl111, libressl380))] + #[cfg(any(ossl111, libressl380, awslc))] #[test] fn test_sha3_256() { let tests = [( @@ -741,7 +741,7 @@ mod tests { ); } - #[cfg(any(ossl111, libressl380))] + #[cfg(any(ossl111, libressl380, awslc))] #[test] fn test_sha3_384() { let tests = [("416c6c20796f75722062617365206172652062656c6f6e6720746f207573", @@ -761,7 +761,7 @@ mod tests { ); } - #[cfg(any(ossl111, libressl380))] + #[cfg(any(ossl111, libressl380, awslc))] #[test] fn test_sha3_512() { let tests = [("416c6c20796f75722062617365206172652062656c6f6e6720746f207573", @@ -781,7 +781,7 @@ mod tests { ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, awslc))] #[test] fn test_shake_128() { let tests = [( @@ -796,14 +796,17 @@ mod tests { } assert_eq!(MessageDigest::shake_128().block_size(), 168); + #[cfg(ossl111)] assert_eq!(MessageDigest::shake_128().size(), 16); + #[cfg(awslc)] + assert_eq!(MessageDigest::shake_128().size(), 0); assert_eq!( MessageDigest::shake_128().type_().as_raw(), Nid::SHAKE128.as_raw() ); } - #[cfg(ossl111)] + #[cfg(any(ossl111, awslc))] #[test] fn test_shake_256() { let tests = [( @@ -818,7 +821,10 @@ mod tests { } assert_eq!(MessageDigest::shake_256().block_size(), 136); + #[cfg(ossl111)] assert_eq!(MessageDigest::shake_256().size(), 32); + #[cfg(awslc)] + assert_eq!(MessageDigest::shake_256().size(), 0); assert_eq!( MessageDigest::shake_256().type_().as_raw(), Nid::SHAKE256.as_raw() diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index c58e5bf59..1afe5de38 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -60,19 +60,19 @@ //! override the automatic detection logic. //! //! * `OPENSSL_DIR` - If specified, the directory of an OpenSSL installation. The directory should contain `lib` and -//! `include` subdirectories containing the libraries and headers respectively. +//! `include` subdirectories containing the libraries and headers respectively. //! * `OPENSSL_LIB_DIR` and `OPENSSL_INCLUDE_DIR` - If specified, the directories containing the OpenSSL libraries and -//! headers respectively. This can be used if the OpenSSL installation is split in a nonstandard directory layout. +//! headers respectively. This can be used if the OpenSSL installation is split in a nonstandard directory layout. //! * `OPENSSL_STATIC` - If set, the crate will statically link to OpenSSL rather than dynamically link. //! * `OPENSSL_LIBS` - If set, a `:`-separated list of library names to link to (e.g. `ssl:crypto`). This can be used -//! if nonstandard library names were used for whatever reason. +//! if nonstandard library names were used for whatever reason. //! * `OPENSSL_NO_VENDOR` - If set, always find OpenSSL in the system, even if the `vendored` feature is enabled. //! //! If the `vendored` Cargo feature is enabled, the following environment variable can also be used to further configure //! the OpenSSL build. //! //! * `OPENSSL_CONFIG_DIR` - If set, the copy of OpenSSL built by the `openssl-src` crate will be configured to look for -//! configuration files and root certificates in this directory. +//! configuration files and root certificates in this directory. //! //! Additionally, these variables can be prefixed with the upper-cased target architecture (e.g. //! `X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR`), which can be useful when cross compiling. @@ -161,7 +161,7 @@ pub mod dsa; pub mod ec; pub mod ecdsa; pub mod encrypt; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] pub mod envelope; pub mod error; pub mod ex_data; @@ -179,7 +179,7 @@ pub mod nid; pub mod ocsp; pub mod pkcs12; pub mod pkcs5; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] pub mod pkcs7; pub mod pkey; pub mod pkey_ctx; @@ -197,14 +197,14 @@ pub mod symm; pub mod version; pub mod x509; -#[cfg(boringssl)] +#[cfg(any(boringssl, awslc))] type LenType = libc::size_t; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] type LenType = libc::c_int; -#[cfg(boringssl)] +#[cfg(any(boringssl, awslc))] type SLenType = libc::ssize_t; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] type SLenType = libc::c_int; #[inline] diff --git a/openssl/src/md.rs b/openssl/src/md.rs index a9df31140..b02ddfddd 100644 --- a/openssl/src/md.rs +++ b/openssl/src/md.rs @@ -109,7 +109,7 @@ impl Md { let ptr = cvt_p(ffi::EVP_MD_fetch( ctx.map_or(ptr::null_mut(), ForeignTypeRef::as_ptr), algorithm.as_ptr(), - properties.map_or(ptr::null_mut(), |s| s.as_ptr()), + properties.as_ref().map_or(ptr::null_mut(), |s| s.as_ptr()), ))?; Ok(Md::from_ptr(ptr)) @@ -233,3 +233,15 @@ impl MdRef { unsafe { Nid::from_raw(ffi::EVP_MD_type(self.as_ptr())) } } } + +#[cfg(test)] +mod test { + #[cfg(ossl300)] + use super::Md; + + #[test] + #[cfg(ossl300)] + fn test_md_fetch_properties() { + assert!(Md::fetch(None, "SHA-256", Some("provider=gibberish")).is_err()); + } +} diff --git a/openssl/src/md_ctx.rs b/openssl/src/md_ctx.rs index 36be3e996..0182907ad 100644 --- a/openssl/src/md_ctx.rs +++ b/openssl/src/md_ctx.rs @@ -52,7 +52,7 @@ //! #![cfg_attr( - not(boringssl), + not(any(boringssl, awslc)), doc = r#"\ Compute and verify an HMAC-SHA256 @@ -93,7 +93,7 @@ use std::convert::TryFrom; use std::ptr; cfg_if! { - if #[cfg(any(ossl110, boringssl, libressl382))] { + if #[cfg(any(ossl110, boringssl, libressl382, awslc))] { use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; } else { use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; @@ -258,7 +258,7 @@ impl MdCtxRef { /// Requires OpenSSL 1.1.1 or newer. #[corresponds(EVP_DigestFinalXOF)] #[inline] - #[cfg(ossl111)] + #[cfg(any(ossl111, awslc))] pub fn digest_final_xof(&mut self, out: &mut [u8]) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_DigestFinalXOF( diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index d093c6763..453a87c99 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -118,11 +118,11 @@ impl Nid { pub const UNDEF: Nid = Nid(ffi::NID_undef); pub const ITU_T: Nid = Nid(ffi::NID_itu_t); - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub const CCITT: Nid = Nid(ffi::NID_ccitt); pub const ISO: Nid = Nid(ffi::NID_iso); pub const JOINT_ISO_ITU_T: Nid = Nid(ffi::NID_joint_iso_itu_t); - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub const JOINT_ISO_CCITT: Nid = Nid(ffi::NID_joint_iso_ccitt); pub const MEMBER_BODY: Nid = Nid(ffi::NID_member_body); pub const IDENTIFIED_ORGANIZATION: Nid = Nid(ffi::NID_identified_organization); @@ -1078,19 +1078,19 @@ impl Nid { pub const SM2: Nid = Nid(ffi::NID_sm2); #[cfg(any(ossl111, libressl291))] pub const SM3: Nid = Nid(ffi::NID_sm3); - #[cfg(any(ossl111, libressl380))] + #[cfg(any(ossl111, libressl380, awslc))] pub const SHA3_224: Nid = Nid(ffi::NID_sha3_224); - #[cfg(any(ossl111, libressl380))] + #[cfg(any(ossl111, libressl380, awslc))] pub const SHA3_256: Nid = Nid(ffi::NID_sha3_256); - #[cfg(any(ossl111, libressl380))] + #[cfg(any(ossl111, libressl380, awslc))] pub const SHA3_384: Nid = Nid(ffi::NID_sha3_384); - #[cfg(any(ossl111, libressl380))] + #[cfg(any(ossl111, libressl380, awslc))] pub const SHA3_512: Nid = Nid(ffi::NID_sha3_512); - #[cfg(ossl111)] + #[cfg(any(ossl111, awslc))] pub const SHAKE128: Nid = Nid(ffi::NID_shake128); - #[cfg(ossl111)] + #[cfg(any(ossl111, awslc))] pub const SHAKE256: Nid = Nid(ffi::NID_shake256); - #[cfg(any(ossl110, libressl271))] + #[cfg(any(ossl110, libressl271, awslc))] pub const CHACHA20_POLY1305: Nid = Nid(ffi::NID_chacha20_poly1305); } diff --git a/openssl/src/ocsp.rs b/openssl/src/ocsp.rs index 570b8c2d0..556499c9d 100644 --- a/openssl/src/ocsp.rs +++ b/openssl/src/ocsp.rs @@ -18,17 +18,17 @@ bitflags! { #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)] #[repr(transparent)] pub struct OcspFlag: c_ulong { - const NO_CERTS = ffi::OCSP_NOCERTS; - const NO_INTERN = ffi::OCSP_NOINTERN; - const NO_CHAIN = ffi::OCSP_NOCHAIN; - const NO_VERIFY = ffi::OCSP_NOVERIFY; - const NO_EXPLICIT = ffi::OCSP_NOEXPLICIT; - const NO_CA_SIGN = ffi::OCSP_NOCASIGN; - const NO_DELEGATED = ffi::OCSP_NODELEGATED; - const NO_CHECKS = ffi::OCSP_NOCHECKS; - const TRUST_OTHER = ffi::OCSP_TRUSTOTHER; - const RESPID_KEY = ffi::OCSP_RESPID_KEY; - const NO_TIME = ffi::OCSP_NOTIME; + const NO_CERTS = ffi::OCSP_NOCERTS as c_ulong; + const NO_INTERN = ffi::OCSP_NOINTERN as c_ulong; + const NO_CHAIN = ffi::OCSP_NOCHAIN as c_ulong; + const NO_VERIFY = ffi::OCSP_NOVERIFY as c_ulong; + const NO_EXPLICIT = ffi::OCSP_NOEXPLICIT as c_ulong; + const NO_CA_SIGN = ffi::OCSP_NOCASIGN as c_ulong; + const NO_DELEGATED = ffi::OCSP_NODELEGATED as c_ulong; + const NO_CHECKS = ffi::OCSP_NOCHECKS as c_ulong; + const TRUST_OTHER = ffi::OCSP_TRUSTOTHER as c_ulong; + const RESPID_KEY = ffi::OCSP_RESPID_KEY as c_ulong; + const NO_TIME = ffi::OCSP_NOTIME as c_ulong; } } diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs index 5f171da9b..14d760afa 100644 --- a/openssl/src/pkcs12.rs +++ b/openssl/src/pkcs12.rs @@ -226,6 +226,8 @@ impl Pkcs12Builder { pub fn build2(&self, password: &str) -> Result { unsafe { let pass = CString::new(password).unwrap(); + #[cfg(not(boringssl))] + let pass_len = pass.as_bytes().len(); let pass = pass.as_ptr(); let friendly_name = self.name.as_ref().map_or(ptr::null(), |p| p.as_ptr()); let pkey = self.pkey.as_ref().map_or(ptr::null(), |p| p.as_ptr()); @@ -259,7 +261,7 @@ impl Pkcs12Builder { #[cfg(not(boringssl))] // BoringSSL does not support overriding the MAC and will always - // use SHA-1 + // use SHA-1. { let md_type = self .mac_md @@ -269,7 +271,7 @@ impl Pkcs12Builder { cvt(ffi::PKCS12_set_mac( pkcs12.as_ptr(), pass, - -1, + pass_len.try_into().unwrap(), ptr::null_mut(), 0, self.mac_iter, diff --git a/openssl/src/pkcs5.rs b/openssl/src/pkcs5.rs index 594b5fc4d..a72e0b1a1 100644 --- a/openssl/src/pkcs5.rs +++ b/openssl/src/pkcs5.rs @@ -1,13 +1,13 @@ -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] use libc::c_int; use std::convert::TryInto; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] use std::ptr; use crate::cvt; use crate::error::ErrorStack; use crate::hash::MessageDigest; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] use crate::symm::Cipher; use openssl_macros::corresponds; @@ -29,7 +29,7 @@ pub struct KeyIvPair { /// `pbkdf2_hmac` or another more modern key derivation algorithm. #[corresponds(EVP_BytesToKey)] #[allow(clippy::useless_conversion)] -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] pub fn bytes_to_key( cipher: Cipher, digest: MessageDigest, @@ -115,7 +115,7 @@ pub fn pbkdf2_hmac( /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PBE_scrypt)] -#[cfg(all(any(ossl110, boringssl), not(osslconf = "OPENSSL_NO_SCRYPT")))] +#[cfg(all(any(ossl110, boringssl, awslc), not(osslconf = "OPENSSL_NO_SCRYPT")))] #[allow(clippy::useless_conversion)] pub fn scrypt( pass: &[u8], @@ -147,7 +147,7 @@ pub fn scrypt( #[cfg(test)] mod tests { use crate::hash::MessageDigest; - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] use crate::symm::Cipher; // Test vectors from @@ -249,7 +249,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn bytes_to_key() { let salt = [16_u8, 34_u8, 19_u8, 23_u8, 141_u8, 4_u8, 207_u8, 221_u8]; @@ -286,7 +286,7 @@ mod tests { } #[test] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, awslc))] fn scrypt() { let pass = "pleaseletmein"; let salt = "SodiumChloride"; diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index f2cedd271..8d69e1cdc 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -47,7 +47,7 @@ use crate::dh::Dh; use crate::dsa::Dsa; use crate::ec::EcKey; use crate::error::ErrorStack; -#[cfg(any(ossl110, boringssl, libressl370))] +#[cfg(any(ossl110, boringssl, libressl370, awslc))] use crate::pkey_ctx::PkeyCtx; use crate::rsa::Rsa; use crate::symm::Cipher; @@ -60,7 +60,7 @@ use openssl_macros::corresponds; use std::convert::{TryFrom, TryInto}; use std::ffi::CString; use std::fmt; -#[cfg(all(not(boringssl), ossl110))] +#[cfg(all(not(any(boringssl, awslc)), ossl110))] use std::mem; use std::ptr; @@ -79,11 +79,11 @@ pub struct Id(c_int); impl Id { pub const RSA: Id = Id(ffi::EVP_PKEY_RSA); - #[cfg(any(ossl111, libressl310, boringssl))] + #[cfg(any(ossl111, libressl310, boringssl, awslc))] pub const RSA_PSS: Id = Id(ffi::EVP_PKEY_RSA_PSS); #[cfg(not(boringssl))] pub const HMAC: Id = Id(ffi::EVP_PKEY_HMAC); - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub const CMAC: Id = Id(ffi::EVP_PKEY_CMAC); pub const DSA: Id = Id(ffi::EVP_PKEY_DSA); pub const DH: Id = Id(ffi::EVP_PKEY_DH); @@ -93,14 +93,14 @@ impl Id { #[cfg(ossl111)] pub const SM2: Id = Id(ffi::EVP_PKEY_SM2); - #[cfg(any(ossl110, boringssl, libressl360))] + #[cfg(any(ossl110, boringssl, libressl360, awslc))] pub const HKDF: Id = Id(ffi::EVP_PKEY_HKDF); - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] pub const ED25519: Id = Id(ffi::EVP_PKEY_ED25519); #[cfg(ossl111)] pub const ED448: Id = Id(ffi::EVP_PKEY_ED448); - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] pub const X25519: Id = Id(ffi::EVP_PKEY_X25519); #[cfg(ossl111)] pub const X448: Id = Id(ffi::EVP_PKEY_X448); @@ -265,7 +265,7 @@ where /// This function only works for algorithms that support raw public keys. /// Currently this is: [`Id::X25519`], [`Id::ED25519`], [`Id::X448`] or [`Id::ED448`]. #[corresponds(EVP_PKEY_get_raw_public_key)] - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] pub fn raw_public_key(&self) -> Result, ErrorStack> { unsafe { let mut len = 0; @@ -316,7 +316,7 @@ where /// This function only works for algorithms that support raw private keys. /// Currently this is: [`Id::HMAC`], [`Id::X25519`], [`Id::ED25519`], [`Id::X448`] or [`Id::ED448`]. #[corresponds(EVP_PKEY_get_raw_private_key)] - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] pub fn raw_private_key(&self) -> Result, ErrorStack> { unsafe { let mut len = 0; @@ -384,15 +384,31 @@ impl fmt::Debug for PKey { fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result { let alg = match self.id() { Id::RSA => "RSA", + #[cfg(any(ossl111, libressl310, boringssl, awslc))] + Id::RSA_PSS => "RSA-PSS", #[cfg(not(boringssl))] Id::HMAC => "HMAC", + #[cfg(not(any(boringssl, awslc)))] + Id::CMAC => "CMAC", Id::DSA => "DSA", Id::DH => "DH", + #[cfg(ossl110)] + Id::DHX => "DHX", Id::EC => "EC", #[cfg(ossl111)] + Id::SM2 => "SM2", + #[cfg(any(ossl110, boringssl, libressl360, awslc))] + Id::HKDF => "HKDF", + #[cfg(any(ossl111, boringssl, libressl370, awslc))] Id::ED25519 => "Ed25519", #[cfg(ossl111)] Id::ED448 => "Ed448", + #[cfg(any(ossl111, boringssl, libressl370, awslc))] + Id::X25519 => "X25519", + #[cfg(ossl111)] + Id::X448 => "X448", + #[cfg(ossl111)] + Id::POLY1305 => "POLY1305", _ => "unknown", }; fmt.debug_struct("PKey").field("algorithm", &alg).finish() @@ -444,7 +460,7 @@ impl PKey { } /// Creates a new `PKey` containing a Diffie-Hellman key with type DHX. - #[cfg(all(not(boringssl), ossl110))] + #[cfg(all(not(any(boringssl, awslc)), ossl110))] pub fn from_dhx(dh: Dh) -> Result, ErrorStack> { unsafe { let evp = cvt_p(ffi::EVP_PKEY_new())?; @@ -480,13 +496,17 @@ impl PKey { #[corresponds(EVP_PKEY_new_mac_key)] #[cfg(not(boringssl))] pub fn hmac(key: &[u8]) -> Result, ErrorStack> { + #[cfg(awslc)] + let key_len = key.len(); + #[cfg(not(awslc))] + let key_len = key.len() as c_int; unsafe { assert!(key.len() <= c_int::MAX as usize); let key = cvt_p(ffi::EVP_PKEY_new_mac_key( ffi::EVP_PKEY_HMAC, ptr::null_mut(), key.as_ptr() as *const _, - key.len() as c_int, + key_len, ))?; Ok(PKey::from_ptr(key)) } @@ -499,7 +519,7 @@ impl PKey { /// # Note /// /// To compute CMAC values, use the `sign` module. - #[cfg(all(not(boringssl), ossl110))] + #[cfg(all(not(any(boringssl, awslc)), ossl110))] #[allow(clippy::trivially_copy_pass_by_ref)] pub fn cmac(cipher: &Cipher, key: &[u8]) -> Result, ErrorStack> { let mut ctx = PkeyCtx::new_id(Id::CMAC)?; @@ -509,7 +529,7 @@ impl PKey { ctx.keygen() } - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] fn generate_eddsa(id: Id) -> Result, ErrorStack> { let mut ctx = PkeyCtx::new_id(id)?; ctx.keygen_init()?; @@ -539,7 +559,7 @@ impl PKey { /// assert_eq!(secret.len(), 32); /// # Ok(()) } /// ``` - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] pub fn generate_x25519() -> Result, ErrorStack> { PKey::generate_eddsa(Id::X25519) } @@ -593,7 +613,7 @@ impl PKey { /// assert_eq!(signature.len(), 64); /// # Ok(()) } /// ``` - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] pub fn generate_ed25519() -> Result, ErrorStack> { PKey::generate_eddsa(Id::ED25519) } @@ -743,7 +763,7 @@ impl PKey { /// /// Algorithm types that support raw private keys are HMAC, X25519, ED25519, X448 or ED448 #[corresponds(EVP_PKEY_new_raw_private_key)] - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] pub fn private_key_from_raw_bytes( bytes: &[u8], key_type: Id, @@ -794,7 +814,7 @@ impl PKey { /// /// Algorithm types that support raw public keys are X25519, ED25519, X448 or ED448 #[corresponds(EVP_PKEY_new_raw_public_key)] - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] pub fn public_key_from_raw_bytes( bytes: &[u8], key_type: Id, @@ -813,7 +833,7 @@ impl PKey { } cfg_if! { - if #[cfg(any(boringssl, ossl110, libressl270))] { + if #[cfg(any(boringssl, ossl110, libressl270, awslc))] { use ffi::EVP_PKEY_up_ref; } else { #[allow(bad_style)] @@ -909,7 +929,7 @@ mod tests { use super::*; - #[cfg(ossl111)] + #[cfg(any(ossl111, awslc))] use crate::rand::rand_bytes; #[test] @@ -1102,7 +1122,7 @@ mod tests { assert_eq!(&g, dh_.generator()); } - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] fn test_raw_public_key(gen: fn() -> Result, ErrorStack>, key_type: Id) { // Generate a new key let key = gen().unwrap(); @@ -1118,7 +1138,7 @@ mod tests { ); } - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] fn test_raw_private_key(gen: fn() -> Result, ErrorStack>, key_type: Id) { // Generate a new key let key = gen().unwrap(); @@ -1134,29 +1154,29 @@ mod tests { ); } - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] #[test] fn test_raw_public_key_bytes() { test_raw_public_key(PKey::generate_x25519, Id::X25519); test_raw_public_key(PKey::generate_ed25519, Id::ED25519); - #[cfg(all(not(boringssl), not(libressl370)))] + #[cfg(not(any(boringssl, libressl370, awslc)))] test_raw_public_key(PKey::generate_x448, Id::X448); - #[cfg(all(not(boringssl), not(libressl370)))] + #[cfg(not(any(boringssl, libressl370, awslc)))] test_raw_public_key(PKey::generate_ed448, Id::ED448); } - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] #[test] fn test_raw_private_key_bytes() { test_raw_private_key(PKey::generate_x25519, Id::X25519); test_raw_private_key(PKey::generate_ed25519, Id::ED25519); - #[cfg(all(not(boringssl), not(libressl370)))] + #[cfg(not(any(boringssl, libressl370, awslc)))] test_raw_private_key(PKey::generate_x448, Id::X448); - #[cfg(all(not(boringssl), not(libressl370)))] + #[cfg(not(any(boringssl, libressl370, awslc)))] test_raw_private_key(PKey::generate_ed448, Id::ED448); } - #[cfg(ossl111)] + #[cfg(any(ossl111, awslc))] #[test] fn test_raw_hmac() { let mut test_bytes = vec![0u8; 32]; @@ -1169,7 +1189,7 @@ mod tests { assert_eq!(key_bytes, test_bytes); } - #[cfg(ossl111)] + #[cfg(any(ossl111, awslc))] #[test] fn test_raw_key_fail() { // Getting a raw byte representation will not work with Nist curves diff --git a/openssl/src/pkey_ctx.rs b/openssl/src/pkey_ctx.rs index f30f06973..aa39a0f9c 100644 --- a/openssl/src/pkey_ctx.rs +++ b/openssl/src/pkey_ctx.rs @@ -21,7 +21,7 @@ //! ``` #![cfg_attr( - not(boringssl), + not(any(boringssl, awslc)), doc = r#"\ Generate a CMAC key @@ -64,7 +64,7 @@ let cmac_key = ctx.keygen().unwrap(); //! let valid = ctx.verify(text, &signature).unwrap(); //! assert!(valid); //! ``` -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] use crate::cipher::CipherRef; use crate::error::ErrorStack; use crate::md::MdRef; @@ -73,7 +73,7 @@ use crate::rsa::Padding; use crate::sign::RsaPssSaltlen; use crate::{cvt, cvt_p}; use foreign_types::{ForeignType, ForeignTypeRef}; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] use libc::c_int; #[cfg(ossl320)] use libc::c_uint; @@ -148,7 +148,7 @@ impl PkeyCtx { impl PkeyCtx<()> { /// Creates a new pkey context for the specified algorithm ID. - #[corresponds(EVP_PKEY_new_id)] + #[corresponds(EVP_PKEY_CTX_new_id)] #[inline] pub fn new_id(id: Id) -> Result { unsafe { @@ -501,7 +501,7 @@ impl PkeyCtxRef { /// /// This is only useful for RSA keys. #[corresponds(EVP_PKEY_CTX_set_rsa_oaep_md)] - #[cfg(any(ossl102, libressl310, boringssl))] + #[cfg(any(ossl102, libressl310, boringssl, awslc))] #[inline] pub fn set_rsa_oaep_md(&mut self, md: &MdRef) -> Result<(), ErrorStack> { unsafe { @@ -518,7 +518,7 @@ impl PkeyCtxRef { /// /// This is only useful for RSA keys. #[corresponds(EVP_PKEY_CTX_set0_rsa_oaep_label)] - #[cfg(any(ossl102, libressl310, boringssl))] + #[cfg(any(ossl102, libressl310, boringssl, awslc))] pub fn set_rsa_oaep_label(&mut self, label: &[u8]) -> Result<(), ErrorStack> { use crate::LenType; let len = LenType::try_from(label.len()).unwrap(); @@ -542,7 +542,7 @@ impl PkeyCtxRef { } /// Sets the cipher used during key generation. - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] #[corresponds(EVP_PKEY_CTX_ctrl)] #[inline] pub fn set_keygen_cipher(&mut self, cipher: &CipherRef) -> Result<(), ErrorStack> { @@ -561,7 +561,7 @@ impl PkeyCtxRef { } /// Sets the key MAC key used during key generation. - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] #[corresponds(EVP_PKEY_CTX_ctrl)] #[inline] pub fn set_keygen_mac_key(&mut self, key: &[u8]) -> Result<(), ErrorStack> { @@ -585,7 +585,7 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set_hkdf_md)] - #[cfg(any(ossl110, boringssl, libressl360))] + #[cfg(any(ossl110, boringssl, libressl360, awslc))] #[inline] pub fn set_hkdf_md(&mut self, digest: &MdRef) -> Result<(), ErrorStack> { unsafe { @@ -627,12 +627,12 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_key)] - #[cfg(any(ossl110, boringssl, libressl360))] + #[cfg(any(ossl110, boringssl, libressl360, awslc))] #[inline] pub fn set_hkdf_key(&mut self, key: &[u8]) -> Result<(), ErrorStack> { - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] let len = c_int::try_from(key.len()).unwrap(); - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] let len = key.len(); unsafe { @@ -652,12 +652,12 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_set1_hkdf_salt)] - #[cfg(any(ossl110, boringssl, libressl360))] + #[cfg(any(ossl110, boringssl, libressl360, awslc))] #[inline] pub fn set_hkdf_salt(&mut self, salt: &[u8]) -> Result<(), ErrorStack> { - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] let len = c_int::try_from(salt.len()).unwrap(); - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] let len = salt.len(); unsafe { @@ -677,12 +677,12 @@ impl PkeyCtxRef { /// /// Requires OpenSSL 1.1.0 or newer. #[corresponds(EVP_PKEY_CTX_add1_hkdf_info)] - #[cfg(any(ossl110, boringssl, libressl360))] + #[cfg(any(ossl110, boringssl, libressl360, awslc))] #[inline] pub fn add_hkdf_info(&mut self, info: &[u8]) -> Result<(), ErrorStack> { - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] let len = c_int::try_from(info.len()).unwrap(); - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] let len = info.len(); unsafe { @@ -785,7 +785,7 @@ impl PkeyCtxRef { #[cfg(test)] mod test { use super::*; - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] use crate::cipher::Cipher; use crate::ec::{EcGroup, EcKey}; use crate::hash::{hash, MessageDigest}; @@ -819,7 +819,7 @@ mod test { } #[test] - #[cfg(any(ossl102, libressl310, boringssl))] + #[cfg(any(ossl102, libressl310, boringssl, awslc))] fn rsa_oaep() { let key = include_bytes!("../test/rsa.pem"); let rsa = Rsa::private_key_from_pem(key).unwrap(); @@ -910,7 +910,7 @@ mod test { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn cmac_keygen() { let mut ctx = PkeyCtx::new_id(Id::CMAC).unwrap(); ctx.keygen_init().unwrap(); @@ -921,7 +921,7 @@ mod test { } #[test] - #[cfg(any(ossl110, boringssl, libressl360))] + #[cfg(any(ossl110, boringssl, libressl360, awslc))] fn hkdf() { let mut ctx = PkeyCtx::new_id(Id::HKDF).unwrap(); ctx.derive_init().unwrap(); diff --git a/openssl/src/rsa.rs b/openssl/src/rsa.rs index 2e6614aed..ea1548c79 100644 --- a/openssl/src/rsa.rs +++ b/openssl/src/rsa.rs @@ -585,7 +585,7 @@ impl fmt::Debug for Rsa { } cfg_if! { - if #[cfg(any(ossl110, libressl273, boringssl))] { + if #[cfg(any(ossl110, libressl273, boringssl, awslc))] { use ffi::{ RSA_get0_key, RSA_get0_factors, RSA_get0_crt_params, RSA_set0_key, RSA_set0_factors, RSA_set0_crt_params, diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index bea91a5a4..0e967a8e1 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -36,7 +36,7 @@ //! ``` #![cfg_attr( - not(boringssl), + not(any(boringssl, awslc)), doc = r#"\ Compute an HMAC: @@ -269,7 +269,7 @@ impl Signer<'_> { self.len_intern() } - #[cfg(all(not(ossl111), not(boringssl), not(libressl370)))] + #[cfg(not(any(ossl111, boringssl, libressl370, awslc)))] fn len_intern(&self) -> Result { unsafe { let mut len = 0; @@ -282,7 +282,7 @@ impl Signer<'_> { } } - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] fn len_intern(&self) -> Result { unsafe { let mut len = 0; @@ -333,7 +333,7 @@ impl Signer<'_> { /// This method will fail if the buffer is not large enough for the signature. Use the `len` /// method to get an upper bound on the required size. #[corresponds(EVP_DigestSign)] - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] pub fn sign_oneshot( &mut self, sig_buf: &mut [u8], @@ -355,7 +355,7 @@ impl Signer<'_> { /// Returns the signature. /// /// This is a simple convenience wrapper over `len` and `sign_oneshot`. - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] pub fn sign_oneshot_to_vec(&mut self, data_buf: &[u8]) -> Result, ErrorStack> { let mut sig_buf = vec![0; self.len()?]; let len = self.sign_oneshot(&mut sig_buf, data_buf)?; @@ -544,7 +544,7 @@ impl<'a> Verifier<'a> { /// Determines if the data given in `buf` matches the provided signature. #[corresponds(EVP_DigestVerify)] - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] pub fn verify_oneshot(&mut self, signature: &[u8], buf: &[u8]) -> Result { unsafe { let r = ffi::EVP_DigestVerify( @@ -601,7 +601,7 @@ mod test { use crate::nid::Nid; use crate::pkey::PKey; use crate::rsa::{Padding, Rsa}; - #[cfg(ossl111)] + #[cfg(any(ossl111, awslc))] use crate::sign::RsaPssSaltlen; use crate::sign::{Signer, Verifier}; @@ -794,7 +794,7 @@ mod test { } #[test] - #[cfg(any(ossl111, boringssl, libressl370))] + #[cfg(any(ossl111, boringssl, libressl370, awslc))] fn eddsa() { let key = PKey::generate_ed25519().unwrap(); @@ -806,7 +806,7 @@ mod test { } #[test] - #[cfg(ossl111)] + #[cfg(any(ossl111, awslc))] fn rsa_sign_verify() { let key = include_bytes!("../test/rsa.pem"); let private_key = Rsa::private_key_from_pem(key).unwrap(); diff --git a/openssl/src/srtp.rs b/openssl/src/srtp.rs index 595757dc0..44ef43465 100644 --- a/openssl/src/srtp.rs +++ b/openssl/src/srtp.rs @@ -46,10 +46,10 @@ impl SrtpProfileId { SrtpProfileId(ffi::SRTP_AES128_F8_SHA1_32 as c_ulong); pub const SRTP_NULL_SHA1_80: SrtpProfileId = SrtpProfileId(ffi::SRTP_NULL_SHA1_80 as c_ulong); pub const SRTP_NULL_SHA1_32: SrtpProfileId = SrtpProfileId(ffi::SRTP_NULL_SHA1_32 as c_ulong); - #[cfg(any(boringssl, ossl110))] + #[cfg(any(boringssl, ossl110, awslc))] pub const SRTP_AEAD_AES_128_GCM: SrtpProfileId = SrtpProfileId(ffi::SRTP_AEAD_AES_128_GCM as c_ulong); - #[cfg(any(boringssl, ossl110))] + #[cfg(any(boringssl, ossl110, awslc))] pub const SRTP_AEAD_AES_256_GCM: SrtpProfileId = SrtpProfileId(ffi::SRTP_AEAD_AES_256_GCM as c_ulong); diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index f7e51a5d3..22eb600f5 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs @@ -10,7 +10,7 @@ use libc::{c_int, c_uchar, c_uint, c_void}; use std::ffi::CStr; use std::mem; use std::ptr; -#[cfg(any(ossl111, boringssl))] +#[cfg(any(ossl111, boringssl, awslc))] use std::str; use std::sync::Arc; @@ -19,7 +19,7 @@ use crate::dh::Dh; use crate::ec::EcKey; use crate::error::ErrorStack; use crate::pkey::Params; -#[cfg(any(ossl102, libressl261, boringssl))] +#[cfg(any(ossl102, libressl261, boringssl, awslc))] use crate::ssl::AlpnError; use crate::ssl::{ try_get_session_ctx_index, SniError, Ssl, SslAlert, SslContext, SslContextRef, SslRef, @@ -28,7 +28,7 @@ use crate::ssl::{ #[cfg(ossl111)] use crate::ssl::{ClientHelloResponse, ExtensionContext}; use crate::util; -#[cfg(any(ossl111, boringssl))] +#[cfg(any(ossl111, boringssl, awslc))] use crate::util::ForeignTypeRefExt; #[cfg(ossl111)] use crate::x509::X509Ref; @@ -178,7 +178,7 @@ where } } -#[cfg(any(ossl102, libressl261, boringssl))] +#[cfg(any(ossl102, libressl261, boringssl, awslc))] pub extern "C" fn raw_alpn_select( ssl: *mut ffi::SSL, out: *mut *const c_uchar, @@ -391,7 +391,7 @@ pub unsafe extern "C" fn raw_remove_session( } cfg_if! { - if #[cfg(any(ossl110, libressl280, boringssl))] { + if #[cfg(any(ossl110, libressl280, boringssl, awslc))] { type DataPtr = *const c_uchar; } else { type DataPtr = *mut c_uchar; @@ -429,7 +429,7 @@ where } } -#[cfg(any(ossl111, boringssl))] +#[cfg(any(ossl111, boringssl, awslc))] pub unsafe extern "C" fn raw_keylog(ssl: *const ffi::SSL, line: *const c_char) where F: Fn(&SslRef, &str) + 'static + Sync + Send, @@ -492,7 +492,7 @@ where (*callback)(ssl, slice) as c_int } -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] pub extern "C" fn raw_cookie_generate( ssl: *mut ffi::SSL, cookie: *mut c_uchar, @@ -525,7 +525,7 @@ where } } -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] cfg_if! { if #[cfg(any(ossl110, libressl280))] { type CookiePtr = *const c_uchar; @@ -534,7 +534,7 @@ cfg_if! { } } -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] pub extern "C" fn raw_cookie_verify( ssl: *mut ffi::SSL, cookie: CookiePtr, diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 66d1bd893..8992f5a93 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -29,7 +29,7 @@ fn ctx(method: SslMethod) -> Result { let mut ctx = SslContextBuilder::new(method)?; cfg_if! { - if #[cfg(not(boringssl))] { + if #[cfg(not(any(boringssl, awslc)))] { let mut opts = SslOptions::ALL | SslOptions::NO_COMPRESSION | SslOptions::NO_SSLV2 diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index e15c48b6d..696be0134 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -80,7 +80,7 @@ use crate::stack::{Stack, StackRef, Stackable}; use crate::util; use crate::util::{ForeignTypeExt, ForeignTypeRefExt}; use crate::x509::store::{X509Store, X509StoreBuilderRef, X509StoreRef}; -#[cfg(any(ossl102, boringssl, libressl261))] +#[cfg(any(ossl102, boringssl, libressl261, awslc))] use crate::x509::verify::X509VerifyParamRef; use crate::x509::{X509Name, X509Ref, X509StoreContextRef, X509VerifyResult, X509}; use crate::{cvt, cvt_n, cvt_p, init}; @@ -137,7 +137,7 @@ pub fn cipher_name(std_name: &str) -> &'static str { cfg_if! { if #[cfg(ossl300)] { type SslOptionsRepr = u64; - } else if #[cfg(boringssl)] { + } else if #[cfg(any(boringssl, awslc))] { type SslOptionsRepr = u32; } else { type SslOptionsRepr = libc::c_ulong; @@ -153,7 +153,7 @@ bitflags! { const DONT_INSERT_EMPTY_FRAGMENTS = ffi::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS as SslOptionsRepr; /// A "reasonable default" set of options which enables compatibility flags. - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] const ALL = ffi::SSL_OP_ALL as SslOptionsRepr; /// Do not query the MTU. @@ -166,19 +166,19 @@ bitflags! { /// Only affects DTLS connections. /// /// [RFC 4347 Section 4.2.1]: https://tools.ietf.org/html/rfc4347#section-4.2.1 - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] const COOKIE_EXCHANGE = ffi::SSL_OP_COOKIE_EXCHANGE as SslOptionsRepr; /// Disables the use of session tickets for session resumption. const NO_TICKET = ffi::SSL_OP_NO_TICKET as SslOptionsRepr; /// Always start a new session when performing a renegotiation on the server side. - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] const NO_SESSION_RESUMPTION_ON_RENEGOTIATION = ffi::SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION as SslOptionsRepr; /// Disables the use of TLS compression. - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] const NO_COMPRESSION = ffi::SSL_OP_NO_COMPRESSION as SslOptionsRepr; /// Allow legacy insecure renegotiation with servers or clients that do not support secure @@ -222,19 +222,19 @@ bitflags! { /// Disables the use of TLSv1.3. /// /// Requires OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer. - #[cfg(any(boringssl, ossl111, libressl340))] + #[cfg(any(boringssl, ossl111, libressl340, awslc))] const NO_TLSV1_3 = ffi::SSL_OP_NO_TLSv1_3 as SslOptionsRepr; /// Disables the use of DTLSv1.0 /// /// Requires OpenSSL 1.0.2 or LibreSSL 3.3.2 or newer. - #[cfg(any(boringssl, ossl102, ossl110, libressl332))] + #[cfg(any(boringssl, ossl102, ossl110, libressl332, awslc))] const NO_DTLSV1 = ffi::SSL_OP_NO_DTLSv1 as SslOptionsRepr; /// Disables the use of DTLSv1.2. /// /// Requires OpenSSL 1.0.2 or LibreSSL 3.3.2 or newer. - #[cfg(any(boringssl, ossl102, ossl110, libressl332))] + #[cfg(any(boringssl, ossl102, ossl110, libressl332, awslc))] const NO_DTLSV1_2 = ffi::SSL_OP_NO_DTLSv1_2 as SslOptionsRepr; /// Disables the use of all (D)TLS protocol versions. @@ -258,7 +258,7 @@ bitflags! { /// Disallow all renegotiation in TLSv1.2 and earlier. /// /// Requires OpenSSL 1.1.0h or newer. - #[cfg(any(boringssl, ossl110h))] + #[cfg(any(boringssl, ossl110h, awslc))] const NO_RENEGOTIATION = ffi::SSL_OP_NO_RENEGOTIATION as SslOptionsRepr; /// Enable TLSv1.3 Compatibility mode. @@ -366,14 +366,14 @@ impl SslMethod { /// Support all versions of the DTLS protocol, explicitly as a client. #[corresponds(DTLS_client_method)] - #[cfg(any(boringssl, ossl110, libressl291))] + #[cfg(any(boringssl, ossl110, libressl291, awslc))] pub fn dtls_client() -> SslMethod { unsafe { SslMethod(DTLS_client_method()) } } /// Support all versions of the DTLS protocol, explicitly as a server. #[corresponds(DTLS_server_method)] - #[cfg(any(boringssl, ossl110, libressl291))] + #[cfg(any(boringssl, ossl110, libressl291, awslc))] pub fn dtls_server() -> SslMethod { unsafe { SslMethod(DTLS_server_method()) } } @@ -421,14 +421,14 @@ bitflags! { } } -#[cfg(boringssl)] +#[cfg(any(boringssl, awslc))] type SslBitType = c_int; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] type SslBitType = c_long; -#[cfg(boringssl)] +#[cfg(any(boringssl, awslc))] type SslTimeTy = u64; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] type SslTimeTy = c_long; bitflags! { @@ -616,17 +616,17 @@ impl SslAlert { /// An error returned from an ALPN selection callback. /// -/// Requires BoringSSL or OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer. -#[cfg(any(ossl102, libressl261, boringssl))] +/// Requires AWS-LC or BoringSSL or OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer. +#[cfg(any(ossl102, libressl261, boringssl, awslc))] #[derive(Debug, Copy, Clone, PartialEq, Eq)] pub struct AlpnError(c_int); -#[cfg(any(ossl102, libressl261, boringssl))] +#[cfg(any(ossl102, libressl261, boringssl, awslc))] impl AlpnError { /// Terminate the handshake with a fatal alert. /// - /// Requires BoringSSL or OpenSSL 1.1.0 or newer. - #[cfg(any(ossl110, boringssl))] + /// Requires AWS-LC or BoringSSL or OpenSSL 1.1.0 or newer. + #[cfg(any(ossl110, boringssl, awslc))] pub const ALERT_FATAL: AlpnError = AlpnError(ffi::SSL_TLSEXT_ERR_ALERT_FATAL); /// Do not select a protocol, but continue the handshake. @@ -668,8 +668,8 @@ impl SslVersion { /// TLSv1.3 /// - /// Requires BoringSSL or OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer. - #[cfg(any(ossl111, libressl340, boringssl))] + /// Requires AWS-LC or BoringSSL or OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer. + #[cfg(any(ossl111, libressl340, boringssl, awslc))] pub const TLS1_3: SslVersion = SslVersion(ffi::TLS1_3_VERSION); /// DTLSv1.0 @@ -680,12 +680,12 @@ impl SslVersion { /// DTLSv1.2 /// /// DTLS 1.2 corresponds to TLS 1.2 to harmonize versions. There was never a DTLS 1.1. - #[cfg(any(ossl102, libressl332, boringssl))] + #[cfg(any(ossl102, libressl332, boringssl, awslc))] pub const DTLS1_2: SslVersion = SslVersion(ffi::DTLS1_2_VERSION); } cfg_if! { - if #[cfg(boringssl)] { + if #[cfg(any(boringssl, awslc))] { type SslCacheTy = i64; type SslCacheSize = libc::c_ulong; type MtuTy = u32; @@ -804,9 +804,9 @@ impl SslContextBuilder { // still stored in ex data to manage the lifetime. let arg = self.set_ex_data_inner(SslContext::cached_ex_index::(), callback); ffi::SSL_CTX_set_tlsext_servername_arg(self.as_ptr(), arg); - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] ffi::SSL_CTX_set_tlsext_servername_callback(self.as_ptr(), Some(raw_sni::)); - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] ffi::SSL_CTX_set_tlsext_servername_callback__fixed_rust( self.as_ptr(), Some(raw_sni::), @@ -890,9 +890,9 @@ impl SslContextBuilder { unsafe { self.set_ex_data(SslContext::cached_ex_index::(), callback); - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] ffi::SSL_CTX_set_tmp_dh_callback__fixed_rust(self.as_ptr(), Some(raw_tmp_dh::)); - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] ffi::SSL_CTX_set_tmp_dh_callback(self.as_ptr(), Some(raw_tmp_dh::)); } } @@ -1172,9 +1172,9 @@ impl SslContextBuilder { /// A value of `None` will enable protocol versions down to the lowest version supported by /// OpenSSL. /// - /// Requires BoringSSL or OpenSSL 1.1.0 or LibreSSL 2.6.1 or newer. + /// Requires AWS-LC or BoringSSL or OpenSSL 1.1.0 or LibreSSL 2.6.1 or newer. #[corresponds(SSL_CTX_set_min_proto_version)] - #[cfg(any(ossl110, libressl261, boringssl))] + #[cfg(any(ossl110, libressl261, boringssl, awslc))] pub fn set_min_proto_version(&mut self, version: Option) -> Result<(), ErrorStack> { unsafe { cvt(ffi::SSL_CTX_set_min_proto_version( @@ -1190,9 +1190,9 @@ impl SslContextBuilder { /// A value of `None` will enable protocol versions up to the highest version supported by /// OpenSSL. /// - /// Requires BoringSSL or OpenSSL 1.1.0 or or LibreSSL 2.6.1 or newer. + /// Requires AWS-LC or BoringSSL or OpenSSL 1.1.0 or or LibreSSL 2.6.1 or newer. #[corresponds(SSL_CTX_set_max_proto_version)] - #[cfg(any(ossl110, libressl261, boringssl))] + #[cfg(any(ossl110, libressl261, boringssl, awslc))] pub fn set_max_proto_version(&mut self, version: Option) -> Result<(), ErrorStack> { unsafe { cvt(ffi::SSL_CTX_set_max_proto_version( @@ -1248,9 +1248,9 @@ impl SslContextBuilder { /// and `http/1.1` is encoded as `b"\x06spdy/1\x08http/1.1"`. The protocols are ordered by /// preference. /// - /// Requires BoringSSL or OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer. + /// Requires AWS-LC or BoringSSL or OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer. #[corresponds(SSL_CTX_set_alpn_protos)] - #[cfg(any(ossl102, libressl261, boringssl))] + #[cfg(any(ossl102, libressl261, boringssl, awslc))] pub fn set_alpn_protos(&mut self, protocols: &[u8]) -> Result<(), ErrorStack> { unsafe { assert!(protocols.len() <= c_uint::MAX as usize); @@ -1292,25 +1292,25 @@ impl SslContextBuilder { /// of those protocols on success. The [`select_next_proto`] function implements the standard /// protocol selection algorithm. /// - /// Requires BoringSSL or OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer. + /// Requires AWS-LC or BoringSSL or OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer. /// /// [`SslContextBuilder::set_alpn_protos`]: struct.SslContextBuilder.html#method.set_alpn_protos /// [`select_next_proto`]: fn.select_next_proto.html #[corresponds(SSL_CTX_set_alpn_select_cb)] - #[cfg(any(ossl102, libressl261, boringssl))] + #[cfg(any(ossl102, libressl261, boringssl, awslc))] pub fn set_alpn_select_callback(&mut self, callback: F) where F: for<'a> Fn(&mut SslRef, &'a [u8]) -> Result<&'a [u8], AlpnError> + 'static + Sync + Send, { unsafe { self.set_ex_data(SslContext::cached_ex_index::(), callback); - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] ffi::SSL_CTX_set_alpn_select_cb__fixed_rust( self.as_ptr(), Some(callbacks::raw_alpn_select::), ptr::null_mut(), ); - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] ffi::SSL_CTX_set_alpn_select_cb( self.as_ptr(), Some(callbacks::raw_alpn_select::), @@ -1339,18 +1339,18 @@ impl SslContextBuilder { /// Returns a reference to the X509 verification configuration. /// - /// Requires BoringSSL or OpenSSL 1.0.2 or newer. + /// Requires AWS-LC or BoringSSL or OpenSSL 1.0.2 or newer. #[corresponds(SSL_CTX_get0_param)] - #[cfg(any(ossl102, boringssl, libressl261))] + #[cfg(any(ossl102, boringssl, libressl261, awslc))] pub fn verify_param(&self) -> &X509VerifyParamRef { unsafe { X509VerifyParamRef::from_ptr(ffi::SSL_CTX_get0_param(self.as_ptr())) } } /// Returns a mutable reference to the X509 verification configuration. /// - /// Requires BoringSSL or OpenSSL 1.0.2 or newer. + /// Requires AWS-LC or BoringSSL or OpenSSL 1.0.2 or newer. #[corresponds(SSL_CTX_get0_param)] - #[cfg(any(ossl102, boringssl, libressl261))] + #[cfg(any(ossl102, boringssl, libressl261, awslc))] pub fn verify_param_mut(&mut self) -> &mut X509VerifyParamRef { unsafe { X509VerifyParamRef::from_ptr_mut(ffi::SSL_CTX_get0_param(self.as_ptr())) } } @@ -1502,7 +1502,7 @@ impl SslContextBuilder { /// /// Requires OpenSSL 1.1.1 or newer. #[corresponds(SSL_CTX_set_keylog_callback)] - #[cfg(any(ossl111, boringssl))] + #[cfg(any(ossl111, boringssl, awslc))] pub fn set_keylog_callback(&mut self, callback: F) where F: Fn(&SslRef, &str) + 'static + Sync + Send, @@ -1572,7 +1572,7 @@ impl SslContextBuilder { /// The callback will be called with the SSL context and a slice into which the cookie /// should be written. The callback should return the number of bytes written. #[corresponds(SSL_CTX_set_cookie_generate_cb)] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn set_cookie_generate_cb(&mut self, callback: F) where F: Fn(&mut SslRef, &mut [u8]) -> Result + 'static + Sync + Send, @@ -1588,7 +1588,7 @@ impl SslContextBuilder { /// The callback will be called with the SSL context and the cookie supplied by the /// client. It should return true if and only if the cookie is valid. #[corresponds(SSL_CTX_set_cookie_verify_cb)] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn set_cookie_verify_cb(&mut self, callback: F) where F: Fn(&mut SslRef, &[u8]) -> bool + 'static + Sync + Send, @@ -1751,9 +1751,9 @@ impl SslContextBuilder { /// Sets the context's supported elliptic curve groups. /// - /// Requires BoringSSL or OpenSSL 1.1.1 or LibreSSL 2.5.1 or newer. + /// Requires AWS-LC or BoringSSL or OpenSSL 1.1.1 or LibreSSL 2.5.1 or newer. #[corresponds(SSL_CTX_set1_groups_list)] - #[cfg(any(ossl111, boringssl, libressl251))] + #[cfg(any(ossl111, boringssl, libressl251, awslc))] pub fn set_groups_list(&mut self, groups: &str) -> Result<(), ErrorStack> { let groups = CString::new(groups).unwrap(); unsafe { @@ -1844,9 +1844,9 @@ impl SslContext { { unsafe { ffi::init(); - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] let idx = cvt_n(get_new_idx(Some(free_data_box::)))?; - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] let idx = cvt_n(get_new_idx(free_data_box::))?; Ok(Index::from_raw(idx)) } @@ -2305,9 +2305,9 @@ impl Ssl { { unsafe { ffi::init(); - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] let idx = cvt_n(get_new_ssl_idx(Some(free_data_box::)))?; - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] let idx = cvt_n(get_new_ssl_idx(free_data_box::))?; Ok(Index::from_raw(idx)) } @@ -2454,9 +2454,9 @@ impl SslRef { unsafe { // this needs to be in an Arc since the callback can register a new callback! self.set_ex_data(Ssl::cached_ex_index(), Arc::new(callback)); - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] ffi::SSL_set_tmp_dh_callback(self.as_ptr(), Some(raw_tmp_dh_ssl::)); - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] ffi::SSL_set_tmp_dh_callback__fixed_rust(self.as_ptr(), Some(raw_tmp_dh_ssl::)); } } @@ -2499,11 +2499,11 @@ impl SslRef { /// Like [`SslContextBuilder::set_alpn_protos`]. /// - /// Requires BoringSSL or OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer. + /// Requires AWS-LC or BoringSSL or OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer. /// /// [`SslContextBuilder::set_alpn_protos`]: struct.SslContextBuilder.html#method.set_alpn_protos #[corresponds(SSL_set_alpn_protos)] - #[cfg(any(ossl102, libressl261, boringssl))] + #[cfg(any(ossl102, libressl261, boringssl, awslc))] pub fn set_alpn_protos(&mut self, protocols: &[u8]) -> Result<(), ErrorStack> { unsafe { assert!(protocols.len() <= c_uint::MAX as usize); @@ -2655,9 +2655,9 @@ impl SslRef { /// The protocol's name is returned is an opaque sequence of bytes. It is up to the client /// to interpret it. /// - /// Requires BoringSSL or OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer. + /// Requires AWS-LC or BoringSSL or OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer. #[corresponds(SSL_get0_alpn_selected)] - #[cfg(any(ossl102, libressl261, boringssl))] + #[cfg(any(ossl102, libressl261, boringssl, awslc))] pub fn selected_alpn_protocol(&self) -> Option<&[u8]> { unsafe { let mut data: *const c_uchar = ptr::null(); @@ -2780,9 +2780,9 @@ impl SslRef { /// Returns a mutable reference to the X509 verification configuration. /// - /// Requires BoringSSL or OpenSSL 1.0.2 or newer. + /// Requires AWS-LC or BoringSSL or OpenSSL 1.0.2 or newer. #[corresponds(SSL_get0_param)] - #[cfg(any(ossl102, boringssl, libressl261))] + #[cfg(any(ossl102, boringssl, libressl261, awslc))] pub fn param_mut(&mut self) -> &mut X509VerifyParamRef { unsafe { X509VerifyParamRef::from_ptr_mut(ffi::SSL_get0_param(self.as_ptr())) } } @@ -2930,7 +2930,7 @@ impl SslRef { /// Returns the server's OCSP response, if present. #[corresponds(SSL_get_tlsext_status_ocsp_resp)] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn ocsp_status(&self) -> Option<&[u8]> { unsafe { let mut p = ptr::null_mut(); @@ -2946,7 +2946,7 @@ impl SslRef { /// Sets the OCSP response to be returned to the client. #[corresponds(SSL_set_tlsext_status_oscp_resp)] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn set_ocsp_status(&mut self, response: &[u8]) -> Result<(), ErrorStack> { unsafe { assert!(response.len() <= c_int::MAX as usize); @@ -3254,7 +3254,7 @@ impl SslRef { } /// Sets a new default TLS/SSL method for SSL objects - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn set_method(&mut self, method: SslMethod) -> Result<(), ErrorStack> { unsafe { cvt(ffi::SSL_set_ssl_method(self.as_ptr(), method.as_ptr()))?; @@ -3342,9 +3342,9 @@ impl SslRef { /// A value of `None` will enable protocol versions down to the lowest version supported by /// OpenSSL. /// - /// Requires BoringSSL or OpenSSL 1.1.0 or LibreSSL 2.6.1 or newer. + /// Requires AWS-LC or BoringSSL or OpenSSL 1.1.0 or LibreSSL 2.6.1 or newer. #[corresponds(SSL_set_min_proto_version)] - #[cfg(any(ossl110, libressl261, boringssl))] + #[cfg(any(ossl110, libressl261, boringssl, awslc))] pub fn set_min_proto_version(&mut self, version: Option) -> Result<(), ErrorStack> { unsafe { cvt(ffi::SSL_set_min_proto_version( @@ -3360,9 +3360,9 @@ impl SslRef { /// A value of `None` will enable protocol versions up to the highest version supported by /// OpenSSL. /// - /// Requires BoringSSL or OpenSSL 1.1.0 or or LibreSSL 2.6.1 or newer. + /// Requires AWS-LC or BoringSSL or OpenSSL 1.1.0 or or LibreSSL 2.6.1 or newer. #[corresponds(SSL_set_max_proto_version)] - #[cfg(any(ossl110, libressl261, boringssl))] + #[cfg(any(ossl110, libressl261, boringssl, awslc))] pub fn set_max_proto_version(&mut self, version: Option) -> Result<(), ErrorStack> { unsafe { cvt(ffi::SSL_set_max_proto_version( @@ -4243,7 +4243,7 @@ bitflags! { } cfg_if! { - if #[cfg(any(boringssl, ossl110, libressl273))] { + if #[cfg(any(boringssl, ossl110, libressl273, awslc))] { use ffi::{SSL_CTX_up_ref, SSL_SESSION_get_master_key, SSL_SESSION_up_ref, SSL_is_server}; } else { #[allow(bad_style)] @@ -4301,7 +4301,7 @@ cfg_if! { } } cfg_if! { - if #[cfg(any(boringssl, ossl110, libressl291))] { + if #[cfg(any(boringssl, ossl110, libressl291, awslc))] { use ffi::{TLS_method, DTLS_method, TLS_client_method, TLS_server_method, DTLS_server_method, DTLS_client_method}; } else { use ffi::{ @@ -4341,7 +4341,7 @@ cfg_if! { static ONCE: Once = Once::new(); ONCE.call_once(|| { cfg_if! { - if #[cfg(not(boringssl))] { + if #[cfg(not(any(boringssl, awslc)))] { ffi::SSL_CTX_get_ex_new_index(0, ptr::null_mut(), None, None, None); } else { ffi::SSL_CTX_get_ex_new_index(0, ptr::null_mut(), ptr::null_mut(), None, None); @@ -4350,7 +4350,7 @@ cfg_if! { }); cfg_if! { - if #[cfg(not(boringssl))] { + if #[cfg(not(any(boringssl, awslc)))] { ffi::SSL_CTX_get_ex_new_index(0, ptr::null_mut(), None, None, Some(f)) } else { ffi::SSL_CTX_get_ex_new_index(0, ptr::null_mut(), ptr::null_mut(), None, f) @@ -4362,15 +4362,15 @@ cfg_if! { // hack around https://rt.openssl.org/Ticket/Display.html?id=3710&user=guest&pass=guest static ONCE: Once = Once::new(); ONCE.call_once(|| { - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] ffi::SSL_get_ex_new_index(0, ptr::null_mut(), None, None, None); - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] ffi::SSL_get_ex_new_index(0, ptr::null_mut(), ptr::null_mut(), None, None); }); - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] return ffi::SSL_get_ex_new_index(0, ptr::null_mut(), None, None, Some(f)); - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] return ffi::SSL_get_ex_new_index(0, ptr::null_mut(), ptr::null_mut(), None, f); } } diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 282558f80..69b947b90 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -17,7 +17,7 @@ use std::time::Duration; use crate::dh::Dh; use crate::error::ErrorStack; use crate::hash::MessageDigest; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] use crate::ocsp::{OcspResponse, OcspResponseStatus}; use crate::pkey::{Id, PKey}; use crate::srtp::SrtpProfileId; @@ -264,7 +264,7 @@ fn set_ctx_options() { } #[test] -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] fn clear_ctx_options() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_options(SslOptions::ALL); @@ -309,17 +309,19 @@ fn pending() { #[test] fn state() { + const EXPECTED_STATE_STRING_LONG: &str = "SSL negotiation finished successfully"; + let server = Server::builder().build(); let s = server.client().connect(); - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] assert_eq!(s.ssl().state_string().trim(), "SSLOK"); #[cfg(boringssl)] assert_eq!(s.ssl().state_string(), "!!!!!!"); - assert_eq!( - s.ssl().state_string_long(), - "SSL negotiation finished successfully" - ); + #[cfg(awslc)] + assert_eq!(s.ssl().state_string(), EXPECTED_STATE_STRING_LONG); + + assert_eq!(s.ssl().state_string_long(), EXPECTED_STATE_STRING_LONG); } // when a connection uses ECDHE P-384 key exchange, then the temp key APIs @@ -502,7 +504,7 @@ fn test_connect_with_srtp_ssl() { /// Tests that when the `SslStream` is created as a server stream, the protocols /// are correctly advertised to the client. #[test] -#[cfg(any(ossl102, libressl261, boringssl))] +#[cfg(any(ossl102, libressl261, boringssl, awslc))] fn test_alpn_server_advertise_multiple() { let mut server = Server::builder(); server.ctx().set_alpn_select_callback(|_, client| { @@ -517,7 +519,7 @@ fn test_alpn_server_advertise_multiple() { } #[test] -#[cfg(any(ossl110, boringssl))] +#[cfg(any(ossl110, boringssl, awslc))] fn test_alpn_server_select_none_fatal() { let mut server = Server::builder(); server.ctx().set_alpn_select_callback(|_, client| { @@ -533,7 +535,7 @@ fn test_alpn_server_select_none_fatal() { } #[test] -#[cfg(any(ossl102, libressl261, boringssl))] +#[cfg(any(ossl102, libressl261, boringssl, awslc))] fn test_alpn_server_select_none() { static CALLED_BACK: AtomicBool = AtomicBool::new(false); @@ -552,7 +554,7 @@ fn test_alpn_server_select_none() { } #[test] -#[cfg(any(boringssl, ossl102, libressl261))] +#[cfg(any(boringssl, ossl102, libressl261, awslc))] fn test_alpn_server_unilateral() { let server = Server::builder().build(); @@ -967,7 +969,7 @@ fn cert_store() { } #[test] -#[cfg_attr(any(all(libressl321, not(libressl340)), boringssl), ignore)] +#[cfg_attr(any(all(libressl321, not(libressl340)), boringssl, awslc), ignore)] fn tmp_dh_callback() { static CALLED_BACK: AtomicBool = AtomicBool::new(false); @@ -1015,7 +1017,7 @@ fn tmp_ecdh_callback() { } #[test] -#[cfg_attr(any(all(libressl321, not(libressl340)), boringssl), ignore)] +#[cfg_attr(any(all(libressl321, not(libressl340)), boringssl, awslc), ignore)] fn tmp_dh_callback_ssl() { static CALLED_BACK: AtomicBool = AtomicBool::new(false); @@ -1094,7 +1096,7 @@ fn active_session() { } #[test] -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] fn status_callbacks() { static CALLED_BACK_SERVER: AtomicBool = AtomicBool::new(false); static CALLED_BACK_CLIENT: AtomicBool = AtomicBool::new(false); @@ -1460,7 +1462,7 @@ fn psk_ciphers() { let mut client = server.client(); // This test relies on TLS 1.2 suites - #[cfg(any(boringssl, ossl111))] + #[cfg(any(boringssl, ossl111, awslc))] client.ctx().set_options(super::SslOptions::NO_TLSV1_3); client.ctx().set_cipher_list(CIPHER).unwrap(); client diff --git a/openssl/src/stack.rs b/openssl/src/stack.rs index 112aa7f64..9861f87c4 100644 --- a/openssl/src/stack.rs +++ b/openssl/src/stack.rs @@ -14,7 +14,7 @@ use crate::util::ForeignTypeExt; use crate::{cvt, cvt_p, LenType}; cfg_if! { - if #[cfg(any(ossl110, boringssl))] { + if #[cfg(any(ossl110, boringssl, awslc))] { use ffi::{ OPENSSL_sk_pop, OPENSSL_sk_free, OPENSSL_sk_num, OPENSSL_sk_value, OPENSSL_STACK, OPENSSL_sk_new_null, OPENSSL_sk_push, diff --git a/openssl/src/string.rs b/openssl/src/string.rs index 95494b567..55b33623f 100644 --- a/openssl/src/string.rs +++ b/openssl/src/string.rs @@ -80,13 +80,13 @@ impl fmt::Debug for OpensslStringRef { } #[inline] -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] unsafe fn free(buf: *mut c_char) { ffi::OPENSSL_free(buf as *mut c_void); } #[inline] -#[cfg(boringssl)] +#[cfg(any(boringssl, awslc))] unsafe fn free(buf: *mut c_char) { ffi::CRYPTO_free( buf as *mut c_void, diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 3929c5940..4675772f8 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -100,7 +100,7 @@ impl Cipher { unsafe { Cipher(ffi::EVP_aes_128_cbc()) } } - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn aes_128_xts() -> Cipher { unsafe { Cipher(ffi::EVP_aes_128_xts()) } } @@ -172,7 +172,7 @@ impl Cipher { unsafe { Cipher(ffi::EVP_aes_192_gcm()) } } - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn aes_192_ccm() -> Cipher { unsafe { Cipher(ffi::EVP_aes_192_ccm()) } } @@ -277,17 +277,17 @@ impl Cipher { unsafe { Cipher(ffi::EVP_des_ede3_ecb()) } } - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn des_ede3_cfb64() -> Cipher { unsafe { Cipher(ffi::EVP_des_ede3_cfb64()) } } - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn des_ede3_cfb8() -> Cipher { unsafe { Cipher(ffi::EVP_des_ede3_cfb8()) } } - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] pub fn des_ede3_ofb() -> Cipher { unsafe { Cipher(ffi::EVP_des_ede3_ofb()) } } @@ -384,7 +384,7 @@ impl Cipher { } /// Requires OpenSSL 1.1.0 or newer. - #[cfg(all(any(ossl110, libressl360), not(osslconf = "OPENSSL_NO_CHACHA")))] + #[cfg(all(any(ossl110, libressl360, awslc), not(osslconf = "OPENSSL_NO_CHACHA")))] pub fn chacha20_poly1305() -> Cipher { unsafe { Cipher(ffi::EVP_chacha20_poly1305()) } } @@ -454,6 +454,16 @@ impl Cipher { unsafe { Cipher(ffi::EVP_sm4_ofb()) } } + #[cfg(not(osslconf = "OPENSSL_NO_RC2"))] + pub fn rc2_cbc() -> Cipher { + unsafe { Cipher(ffi::EVP_rc2_cbc()) } + } + + #[cfg(not(osslconf = "OPENSSL_NO_RC2"))] + pub fn rc2_40_cbc() -> Cipher { + unsafe { Cipher(ffi::EVP_rc2_40_cbc()) } + } + /// Creates a `Cipher` from a raw pointer to its OpenSSL type. /// /// # Safety @@ -499,13 +509,13 @@ impl Cipher { } /// Determines whether the cipher is using CCM mode - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn is_ccm(self) -> bool { // NOTE: OpenSSL returns pointers to static structs, which makes this work as expected self == Cipher::aes_128_ccm() || self == Cipher::aes_256_ccm() } - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] fn is_ccm(self) -> bool { false } @@ -906,7 +916,7 @@ pub fn decrypt_aead( } cfg_if! { - if #[cfg(any(boringssl, ossl110, libressl273))] { + if #[cfg(any(boringssl, ossl110, libressl273, awslc))] { use ffi::{EVP_CIPHER_block_size, EVP_CIPHER_iv_length, EVP_CIPHER_key_length}; } else { use crate::LenType; @@ -1052,7 +1062,7 @@ mod tests { } } - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn cipher_test_nopad(ciphertype: super::Cipher, pt: &str, ct: &str, key: &str, iv: &str) { let pt = Vec::from_hex(pt).unwrap(); let ct = Vec::from_hex(ct).unwrap(); @@ -1098,7 +1108,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_aes256_xts() { // Test case 174 from // http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip @@ -1126,7 +1136,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_aes128_cfb1() { // Lifted from http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf @@ -1139,7 +1149,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_aes128_cfb128() { let pt = "6bc1bee22e409f96e93d7e117393172a"; let ct = "3b3fd92eb72dad20333449f8e83cfb4a"; @@ -1150,7 +1160,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_aes128_cfb8() { let pt = "6bc1bee22e409f96e93d7e117393172aae2d"; let ct = "3b79424c9c0dd436bace9e0ed4586a4f32b9"; @@ -1185,7 +1195,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_aes192_cfb1() { // Lifted from http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf @@ -1198,7 +1208,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_aes192_cfb128() { // Lifted from http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf @@ -1211,7 +1221,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_aes192_cfb8() { // Lifted from http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf @@ -1236,7 +1246,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_aes256_cfb1() { let pt = "6bc1"; let ct = "9029"; @@ -1247,7 +1257,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_aes256_cfb128() { let pt = "6bc1bee22e409f96e93d7e117393172a"; let ct = "dc7e84bfda79164b7ecd8486985d3860"; @@ -1258,7 +1268,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_aes256_cfb8() { let pt = "6bc1bee22e409f96e93d7e117393172aae2d"; let ct = "dc1f1a8520a64db55fcc8ac554844e889700"; @@ -1282,7 +1292,7 @@ mod tests { #[test] #[cfg_attr(ossl300, ignore)] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_bf_cbc() { #[cfg(ossl300)] let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); @@ -1299,7 +1309,7 @@ mod tests { #[test] #[cfg_attr(ossl300, ignore)] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_bf_ecb() { #[cfg(ossl300)] let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); @@ -1314,7 +1324,7 @@ mod tests { #[test] #[cfg_attr(ossl300, ignore)] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_bf_cfb64() { #[cfg(ossl300)] let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); @@ -1329,7 +1339,7 @@ mod tests { #[test] #[cfg_attr(ossl300, ignore)] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_bf_ofb() { #[cfg(ossl300)] let _provider = crate::provider::Provider::try_load(None, "legacy", true).unwrap(); @@ -1389,7 +1399,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_des_ede3_cfb64() { let pt = "2b1773784b5889dc788477367daa98ad"; let ct = "6f2867cfefda048a4046ef7e556c7132"; @@ -1436,7 +1446,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_aes128_ccm() { let key = "3ee186594f110fb788a8bf8aa8be5d4a"; let nonce = "44f705d52acf27b7f17196aa9b"; @@ -1473,7 +1483,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_aes128_ccm_verify_fail() { let key = "3ee186594f110fb788a8bf8aa8be5d4a"; let nonce = "44f705d52acf27b7f17196aa9b"; @@ -1494,7 +1504,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_aes256_ccm() { let key = "7f4af6765cad1d511db07e33aaafd57646ec279db629048aa6770af24849aa0d"; let nonce = "dde2a362ce81b2b6913abc3095"; @@ -1531,7 +1541,7 @@ mod tests { } #[test] - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] fn test_aes256_ccm_verify_fail() { let key = "7f4af6765cad1d511db07e33aaafd57646ec279db629048aa6770af24849aa0d"; let nonce = "dde2a362ce81b2b6913abc3095"; @@ -1623,7 +1633,7 @@ mod tests { } #[test] - #[cfg(any(ossl110, libressl360))] + #[cfg(any(ossl110, libressl360, awslc))] fn test_chacha20_poly1305() { let key = "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"; let iv = "070000004041424344454647"; diff --git a/openssl/src/version.rs b/openssl/src/version.rs index 12ab3d8ae..aaadd3e4e 100644 --- a/openssl/src/version.rs +++ b/openssl/src/version.rs @@ -111,7 +111,7 @@ fn test_versions() { println!("Platform: '{}'", platform()); println!("Dir: '{}'", dir()); - #[cfg(not(any(libressl, boringssl)))] + #[cfg(not(any(libressl, boringssl, awslc)))] fn expected_name() -> &'static str { "OpenSSL" } @@ -123,6 +123,10 @@ fn test_versions() { fn expected_name() -> &'static str { "BoringSSL" } + #[cfg(awslc)] + fn expected_name() -> &'static str { + "AWS-LC" + } assert!(number() > 0); assert!(version().starts_with(expected_name())); diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 67c86ee3d..c4e0c5b4e 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -40,7 +40,7 @@ use crate::util::{self, ForeignTypeExt, ForeignTypeRefExt}; use crate::{cvt, cvt_n, cvt_p, cvt_p_const}; use openssl_macros::corresponds; -#[cfg(any(ossl102, boringssl, libressl261))] +#[cfg(any(ossl102, boringssl, libressl261, awslc))] pub mod verify; pub mod extension; @@ -479,7 +479,7 @@ impl X509Ref { /// Retrieves the path length extension from a certificate, if it exists. #[corresponds(X509_get_pathlen)] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, awslc))] pub fn pathlen(&self) -> Option { let v = unsafe { ffi::X509_get_pathlen(self.as_ptr()) }; u32::try_from(v).ok() @@ -487,7 +487,7 @@ impl X509Ref { /// Returns this certificate's subject key id, if it exists. #[corresponds(X509_get0_subject_key_id)] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, awslc))] pub fn subject_key_id(&self) -> Option<&Asn1OctetStringRef> { unsafe { let data = ffi::X509_get0_subject_key_id(self.as_ptr()); @@ -497,7 +497,7 @@ impl X509Ref { /// Returns this certificate's authority key id, if it exists. #[corresponds(X509_get0_authority_key_id)] - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, awslc))] pub fn authority_key_id(&self) -> Option<&Asn1OctetStringRef> { unsafe { let data = ffi::X509_get0_authority_key_id(self.as_ptr()); @@ -1253,7 +1253,7 @@ impl X509NameRef { /// Copies the name to a new `X509Name`. #[corresponds(X509_NAME_dup)] - #[cfg(any(boringssl, ossl110, libressl270))] + #[cfg(any(boringssl, ossl110, libressl270, awslc))] pub fn to_owned(&self) -> Result { unsafe { cvt_p(ffi::X509_NAME_dup(self.as_ptr())).map(|n| X509Name::from_ptr(n)) } } @@ -1635,7 +1635,7 @@ impl X509RevokedRef { /// Copies the entry to a new `X509Revoked`. #[corresponds(X509_NAME_dup)] - #[cfg(any(boringssl, ossl110, libressl270))] + #[cfg(any(boringssl, ossl110, libressl270, awslc))] pub fn to_owned(&self) -> Result { unsafe { cvt_p(ffi::X509_REVOKED_dup(self.as_ptr())).map(|n| X509Revoked::from_ptr(n)) } } @@ -2006,11 +2006,11 @@ impl GeneralName { let s = cvt_p(ffi::ASN1_STRING_type_new(asn1_type.as_raw()))?; ffi::ASN1_STRING_set(s, value.as_ptr().cast(), value.len().try_into().unwrap()); - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] { (*gn.as_ptr()).d.ptr = s.cast(); } - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] { (*gn.as_ptr()).d = s.cast(); } @@ -2047,11 +2047,11 @@ impl GeneralName { let gn = cvt_p(ffi::GENERAL_NAME_new())?; (*gn).type_ = ffi::GEN_RID; - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] { (*gn).d.registeredID = oid.as_ptr(); } - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] { (*gn).d = oid.as_ptr().cast(); } @@ -2098,9 +2098,9 @@ impl GeneralNameRef { return None; } - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] let d = (*self.as_ptr()).d.ptr; - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] let d = (*self.as_ptr()).d; let ptr = ASN1_STRING_get0_data(d as *mut _); @@ -2127,9 +2127,9 @@ impl GeneralNameRef { return None; } - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] let d = (*self.as_ptr()).d.ptr; - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] let d = (*self.as_ptr()).d; Some(X509NameRef::from_const_ptr(d as *const _)) @@ -2152,9 +2152,9 @@ impl GeneralNameRef { if (*self.as_ptr()).type_ != ffi::GEN_IPADD { return None; } - #[cfg(boringssl)] + #[cfg(any(boringssl, awslc))] let d: *const ffi::ASN1_STRING = std::mem::transmute((*self.as_ptr()).d); - #[cfg(not(boringssl))] + #[cfg(not(any(boringssl, awslc)))] let d = (*self.as_ptr()).d; let ptr = ASN1_STRING_get0_data(d as *mut _); @@ -2306,7 +2306,7 @@ impl Stackable for X509Object { } cfg_if! { - if #[cfg(any(boringssl, ossl110, libressl273))] { + if #[cfg(any(boringssl, ossl110, libressl273, awslc))] { use ffi::{X509_getm_notAfter, X509_getm_notBefore, X509_up_ref, X509_get0_signature}; } else { #[allow(bad_style)] @@ -2347,7 +2347,7 @@ cfg_if! { } cfg_if! { - if #[cfg(any(boringssl, ossl110, libressl350))] { + if #[cfg(any(boringssl, ossl110, libressl350, awslc))] { use ffi::{ X509_ALGOR_get0, ASN1_STRING_get0_data, X509_STORE_CTX_get0_chain, X509_set1_notAfter, X509_set1_notBefore, X509_REQ_get_version, X509_REQ_get_subject_name, @@ -2387,7 +2387,7 @@ cfg_if! { } cfg_if! { - if #[cfg(any(ossl110, boringssl, libressl270))] { + if #[cfg(any(ossl110, boringssl, libressl270, awslc))] { use ffi::X509_OBJECT_get0_X509; } else { #[allow(bad_style)] @@ -2402,7 +2402,7 @@ cfg_if! { } cfg_if! { - if #[cfg(any(ossl110, libressl350, boringssl))] { + if #[cfg(any(ossl110, libressl350, boringssl, awslc))] { use ffi::X509_OBJECT_free; } else { #[allow(bad_style)] @@ -2414,7 +2414,7 @@ cfg_if! { } cfg_if! { - if #[cfg(any(ossl110, libressl350, boringssl))] { + if #[cfg(any(ossl110, libressl350, boringssl, awslc))] { use ffi::{ X509_CRL_get_issuer, X509_CRL_get0_nextUpdate, X509_CRL_get0_lastUpdate, X509_CRL_get_REVOKED, @@ -2502,7 +2502,7 @@ impl X509PurposeRef { unsafe { let sname = CString::new(sname).unwrap(); cfg_if! { - if #[cfg(any(ossl110, libressl280, boringssl))] { + if #[cfg(any(ossl110, libressl280, boringssl, awslc))] { let purpose = cvt_n(ffi::X509_PURPOSE_get_by_sname(sname.as_ptr() as *const _))?; } else { let purpose = cvt_n(ffi::X509_PURPOSE_get_by_sname(sname.as_ptr() as *mut _))?; @@ -2534,7 +2534,7 @@ impl X509PurposeRef { pub fn purpose(&self) -> X509PurposeId { unsafe { cfg_if! { - if #[cfg(any(ossl110, libressl280, boringssl))] { + if #[cfg(any(ossl110, libressl280, boringssl, awslc))] { let x509_purpose = self.as_ptr() as *const ffi::X509_PURPOSE; } else { let x509_purpose = self.as_ptr() as *mut ffi::X509_PURPOSE; diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs index 3a173bea7..ad62ac725 100644 --- a/openssl/src/x509/store.rs +++ b/openssl/src/x509/store.rs @@ -46,20 +46,20 @@ use foreign_types::{ForeignType, ForeignTypeRef}; use std::mem; use crate::error::ErrorStack; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] use crate::ssl::SslFiletype; #[cfg(ossl300)] use crate::stack::Stack; use crate::stack::StackRef; use crate::util::ForeignTypeRefExt; -#[cfg(any(ossl102, boringssl, libressl261))] +#[cfg(any(ossl102, boringssl, libressl261, awslc))] use crate::x509::verify::{X509VerifyFlags, X509VerifyParamRef}; use crate::x509::{X509Object, X509PurposeId, X509}; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] use std::ffi::CString; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] use std::path::Path; foreign_type_and_impl_send_sync! { @@ -123,7 +123,7 @@ impl X509StoreBuilderRef { /// Sets certificate chain validation related flags. #[corresponds(X509_STORE_set_flags)] - #[cfg(any(ossl102, boringssl, libressl261))] + #[cfg(any(ossl102, boringssl, libressl261, awslc))] pub fn set_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_STORE_set_flags(self.as_ptr(), flags.bits())).map(|_| ()) } } @@ -137,7 +137,7 @@ impl X509StoreBuilderRef { /// Sets certificate chain validation related parameters. #[corresponds[X509_STORE_set1_param]] - #[cfg(any(ossl102, boringssl, libressl261))] + #[cfg(any(ossl102, boringssl, libressl261, awslc))] pub fn set_param(&mut self, param: &X509VerifyParamRef) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_STORE_set1_param(self.as_ptr(), param.as_ptr())).map(|_| ()) } } @@ -170,7 +170,7 @@ impl X509Lookup { } } -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] impl X509LookupRef { /// Specifies a directory from which certificates and CRLs will be loaded /// on-demand. Must be used with `X509Lookup::hash_dir`. @@ -202,7 +202,7 @@ impl X509Lookup { } } -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] impl X509LookupRef { /// Specifies a file from which certificates will be loaded #[corresponds(X509_load_cert_file)] @@ -284,7 +284,7 @@ impl X509StoreRef { } cfg_if! { - if #[cfg(any(boringssl, ossl110, libressl270))] { + if #[cfg(any(boringssl, ossl110, libressl270, awslc))] { use ffi::X509_STORE_get0_objects; } else { #[allow(bad_style)] diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 25c2da012..e11f8bf22 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -6,21 +6,21 @@ use crate::hash::MessageDigest; use crate::nid::Nid; use crate::pkey::{PKey, Private}; use crate::rsa::Rsa; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] use crate::ssl::SslFiletype; use crate::stack::Stack; use crate::x509::extension::{ AuthorityKeyIdentifier, BasicConstraints, ExtendedKeyUsage, KeyUsage, SubjectAlternativeName, SubjectKeyIdentifier, }; -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] use crate::x509::store::X509Lookup; use crate::x509::store::X509StoreBuilder; -#[cfg(any(ossl102, boringssl, libressl261))] +#[cfg(any(ossl102, boringssl, libressl261, awslc))] use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; -#[cfg(any(ossl102, boringssl))] +#[cfg(any(ossl102, boringssl, awslc))] use crate::x509::X509PurposeId; -#[cfg(any(ossl102, boringssl, libressl261))] +#[cfg(any(ossl102, boringssl, libressl261, awslc))] use crate::x509::X509PurposeRef; #[cfg(ossl110)] use crate::x509::{CrlReason, X509Builder}; @@ -31,7 +31,7 @@ use crate::x509::{ #[cfg(ossl110)] use foreign_types::ForeignType; use hex::{self, FromHex}; -#[cfg(any(ossl102, boringssl, libressl261))] +#[cfg(any(ossl102, boringssl, libressl261, awslc))] use libc::time_t; use super::{AuthorityInformationAccess, CertificateIssuer, ReasonCode}; @@ -58,10 +58,10 @@ fn test_debug() { let cert = include_bytes!("../../test/cert.pem"); let cert = X509::from_pem(cert).unwrap(); let debugged = format!("{:#?}", cert); - #[cfg(boringssl)] - assert!(debugged.contains(r#"serial_number: "8771f7bdee982fa5""#)); - #[cfg(not(boringssl))] - assert!(debugged.contains(r#"serial_number: "8771F7BDEE982FA5""#)); + assert!( + debugged.contains(r#"serial_number: "8771F7BDEE982FA5""#) + || debugged.contains(r#"serial_number: "8771f7bdee982fa5""#) + ); assert!(debugged.contains(r#"signature_algorithm: sha256WithRSAEncryption"#)); assert!(debugged.contains(r#"countryName = "AU""#)); assert!(debugged.contains(r#"stateOrProvinceName = "Some-State""#)); @@ -172,7 +172,7 @@ fn test_subject_alt_name() { } #[test] -#[cfg(any(ossl110, boringssl))] +#[cfg(any(ossl110, boringssl, awslc))] fn test_retrieve_pathlen() { let cert = include_bytes!("../../test/root-ca.pem"); let cert = X509::from_pem(cert).unwrap(); @@ -188,7 +188,7 @@ fn test_retrieve_pathlen() { } #[test] -#[cfg(any(ossl110, boringssl))] +#[cfg(any(ossl110, boringssl, awslc))] fn test_subject_key_id() { let cert = include_bytes!("../../test/certv3.pem"); let cert = X509::from_pem(cert).unwrap(); @@ -201,7 +201,7 @@ fn test_subject_key_id() { } #[test] -#[cfg(any(ossl110, boringssl))] +#[cfg(any(ossl110, boringssl, awslc))] fn test_authority_key_id() { let cert = include_bytes!("../../test/certv3.pem"); let cert = X509::from_pem(cert).unwrap(); @@ -557,7 +557,7 @@ fn test_verify_fails() { } #[test] -#[cfg(any(ossl102, boringssl, libressl261))] +#[cfg(any(ossl102, boringssl, libressl261, awslc))] fn test_verify_fails_with_crl_flag_set_and_no_crl() { let cert = include_bytes!("../../test/cert.pem"); let cert = X509::from_pem(cert).unwrap(); @@ -584,7 +584,7 @@ fn test_verify_fails_with_crl_flag_set_and_no_crl() { } #[test] -#[cfg(any(ossl102, boringssl, libressl261))] +#[cfg(any(ossl102, boringssl, libressl261, awslc))] fn test_verify_cert_with_purpose() { let cert = include_bytes!("../../test/cert.pem"); let cert = X509::from_pem(cert).unwrap(); @@ -611,7 +611,7 @@ fn test_verify_cert_with_purpose() { } #[test] -#[cfg(any(ossl102, boringssl, libressl261))] +#[cfg(any(ossl102, boringssl, libressl261, awslc))] fn test_verify_cert_with_wrong_purpose_fails() { let cert = include_bytes!("../../test/cert.pem"); let cert = X509::from_pem(cert).unwrap(); @@ -836,7 +836,7 @@ fn test_name_cmp() { } #[test] -#[cfg(any(boringssl, ossl110, libressl270))] +#[cfg(any(boringssl, ossl110, libressl270, awslc))] fn test_name_to_owned() { let cert = include_bytes!("../../test/cert.pem"); let cert = X509::from_pem(cert).unwrap(); @@ -846,7 +846,7 @@ fn test_name_to_owned() { } #[test] -#[cfg(any(ossl102, boringssl, libressl261))] +#[cfg(any(ossl102, boringssl, libressl261, awslc))] fn test_verify_param_set_time_fails_verification() { const TEST_T_2030: time_t = 1893456000; @@ -877,7 +877,7 @@ fn test_verify_param_set_time_fails_verification() { } #[test] -#[cfg(any(ossl102, boringssl, libressl261))] +#[cfg(any(ossl102, boringssl, libressl261, awslc))] fn test_verify_param_set_time() { const TEST_T_2020: time_t = 1577836800; @@ -901,7 +901,7 @@ fn test_verify_param_set_time() { } #[test] -#[cfg(any(ossl102, boringssl, libressl261))] +#[cfg(any(ossl102, boringssl, libressl261, awslc))] fn test_verify_param_set_depth() { let cert = include_bytes!("../../test/leaf.pem"); let cert = X509::from_pem(cert).unwrap(); @@ -928,7 +928,7 @@ fn test_verify_param_set_depth() { } #[test] -#[cfg(any(ossl102, boringssl, libressl261))] +#[cfg(any(ossl102, boringssl, libressl261, awslc))] #[allow(clippy::bool_to_int_with_if)] fn test_verify_param_set_depth_fails_verification() { let cert = include_bytes!("../../test/leaf.pem"); @@ -944,7 +944,11 @@ fn test_verify_param_set_depth_fails_verification() { store_bldr.add_cert(ca).unwrap(); let mut verify_params = X509VerifyParam::new().unwrap(); // OpenSSL 1.1.0+ considers the root certificate to not be part of the chain, while 1.0.2 and LibreSSL do - let expected_depth = if cfg!(any(ossl110, boringssl)) { 0 } else { 1 }; + let expected_depth = if cfg!(any(ossl110, boringssl, awslc)) { + 0 + } else { + 1 + }; verify_params.set_depth(expected_depth); store_bldr.set_param(&verify_params).unwrap(); let store = store_bldr.build(); @@ -970,7 +974,7 @@ fn test_verify_param_set_depth_fails_verification() { } #[test] -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] fn test_load_cert_file() { let cert = include_bytes!("../../test/cert.pem"); let cert = X509::from_pem(cert).unwrap(); @@ -1003,7 +1007,7 @@ fn test_verify_param_auth_level() { } #[test] -#[cfg(any(ossl102, boringssl))] +#[cfg(any(ossl102, boringssl, awslc))] fn test_set_purpose() { let cert = include_bytes!("../../test/leaf.pem"); let cert = X509::from_pem(cert).unwrap(); @@ -1028,7 +1032,7 @@ fn test_set_purpose() { } #[test] -#[cfg(any(ossl102, boringssl))] +#[cfg(any(ossl102, boringssl, awslc))] fn test_set_purpose_fails_verification() { let cert = include_bytes!("../../test/leaf.pem"); let cert = X509::from_pem(cert).unwrap(); @@ -1081,7 +1085,7 @@ fn test_add_name_entry() { } #[test] -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, awslc)))] fn test_load_crl_file_fail() { let mut store_bldr = X509StoreBuilder::new().unwrap(); let lookup = store_bldr.add_lookup(X509Lookup::file()).unwrap(); diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index 2cde93f28..b719c6955 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -4,7 +4,7 @@ use libc::{c_int, c_uint, c_ulong, time_t}; use std::net::IpAddr; use crate::error::ErrorStack; -#[cfg(any(ossl102, boringssl))] +#[cfg(any(ossl102, boringssl, awslc))] use crate::x509::X509PurposeId; use crate::{cvt, cvt_p}; use openssl_macros::corresponds; @@ -48,7 +48,7 @@ bitflags! { const EXTENDED_CRL_SUPPORT = ffi::X509_V_FLAG_EXTENDED_CRL_SUPPORT as _; const USE_DELTAS = ffi::X509_V_FLAG_USE_DELTAS as _; const CHECK_SS_SIGNATURE = ffi::X509_V_FLAG_CHECK_SS_SIGNATURE as _; - #[cfg(any(ossl102, boringssl))] + #[cfg(any(ossl102, boringssl, awslc))] const TRUSTED_FIRST = ffi::X509_V_FLAG_TRUSTED_FIRST as _; #[cfg(ossl102)] const SUITEB_128_LOS_ONLY = ffi::X509_V_FLAG_SUITEB_128_LOS_ONLY; @@ -56,11 +56,11 @@ bitflags! { const SUITEB_192_LOS = ffi::X509_V_FLAG_SUITEB_128_LOS; #[cfg(ossl102)] const SUITEB_128_LOS = ffi::X509_V_FLAG_SUITEB_192_LOS; - #[cfg(any(ossl102, boringssl))] + #[cfg(any(ossl102, boringssl, awslc))] const PARTIAL_CHAIN = ffi::X509_V_FLAG_PARTIAL_CHAIN as _; - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, awslc))] const NO_ALT_CHAINS = ffi::X509_V_FLAG_NO_ALT_CHAINS as _; - #[cfg(any(ossl110, boringssl))] + #[cfg(any(ossl110, boringssl, awslc))] const NO_CHECK_TIME = ffi::X509_V_FLAG_NO_CHECK_TIME as _; } } @@ -208,7 +208,7 @@ impl X509VerifyParamRef { /// Sets the verification purpose #[corresponds(X509_VERIFY_PARAM_set_purpose)] - #[cfg(any(ossl102, boringssl))] + #[cfg(any(ossl102, boringssl, awslc))] pub fn set_purpose(&mut self, purpose: X509PurposeId) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_VERIFY_PARAM_set_purpose(self.as_ptr(), purpose.0)).map(|_| ()) } }