From e5bd08f9be876e3ba760cf166eb9eddb74feebdd Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 21 Jul 2024 13:24:32 -0400 Subject: [PATCH 01/46] Added a utility function to ensure we never have an issue with 0-length slices from pointers again Added a clippy lint to ensure we use it. --- clippy.toml | 4 ++++ openssl/src/asn1.rs | 11 +++++------ openssl/src/bio.rs | 8 ++------ openssl/src/ssl/bio.rs | 7 +++---- openssl/src/ssl/callbacks.rs | 22 +++++++++++----------- openssl/src/ssl/mod.rs | 22 +++++++++++----------- openssl/src/util.rs | 27 ++++++++++++++++++++++++++- openssl/src/x509/mod.rs | 9 ++++----- 8 files changed, 66 insertions(+), 44 deletions(-) create mode 100644 clippy.toml diff --git a/clippy.toml b/clippy.toml new file mode 100644 index 0000000000..ead90b492f --- /dev/null +++ b/clippy.toml @@ -0,0 +1,4 @@ +disallowed-methods = [ + { path = "std::slice::from_raw_parts", reason = "use util::from_raw_parts instead" }, + { path = "std::slice::from_raw_parts_mut", reason = "use util::from_raw_parts_mut instead" }, +] diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 8618be0e92..03340820d0 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -32,7 +32,6 @@ use std::convert::TryInto; use std::ffi::CString; use std::fmt; use std::ptr; -use std::slice; use std::str; use crate::bio::MemBio; @@ -41,7 +40,7 @@ use crate::error::ErrorStack; use crate::nid::Nid; use crate::stack::Stackable; use crate::string::OpensslString; -use crate::{cvt, cvt_p}; +use crate::{cvt, cvt_p, util}; use openssl_macros::corresponds; foreign_type_and_impl_send_sync! { @@ -457,7 +456,7 @@ impl Asn1StringRef { /// [`as_utf8`]: struct.Asn1String.html#method.as_utf8 #[corresponds(ASN1_STRING_get0_data)] pub fn as_slice(&self) -> &[u8] { - unsafe { slice::from_raw_parts(ASN1_STRING_get0_data(self.as_ptr()), self.len()) } + unsafe { util::from_raw_parts(ASN1_STRING_get0_data(self.as_ptr()), self.len()) } } /// Returns the number of bytes in the string. @@ -597,7 +596,7 @@ impl Asn1BitStringRef { /// Returns the Asn1BitString as a slice. #[corresponds(ASN1_STRING_get0_data)] pub fn as_slice(&self) -> &[u8] { - unsafe { slice::from_raw_parts(ASN1_STRING_get0_data(self.as_ptr() as *mut _), self.len()) } + unsafe { util::from_raw_parts(ASN1_STRING_get0_data(self.as_ptr() as *mut _), self.len()) } } /// Returns the number of bytes in the string. @@ -637,7 +636,7 @@ impl Asn1OctetStringRef { /// Returns the octet string as an array of bytes. #[corresponds(ASN1_STRING_get0_data)] pub fn as_slice(&self) -> &[u8] { - unsafe { slice::from_raw_parts(ASN1_STRING_get0_data(self.as_ptr().cast()), self.len()) } + unsafe { util::from_raw_parts(ASN1_STRING_get0_data(self.as_ptr().cast()), self.len()) } } /// Returns the number of bytes in the octet string. @@ -701,7 +700,7 @@ impl Asn1Object { pub fn as_slice(&self) -> &[u8] { unsafe { let len = ffi::OBJ_length(self.as_ptr()); - slice::from_raw_parts(ffi::OBJ_get0_data(self.as_ptr()), len) + util::from_raw_parts(ffi::OBJ_get0_data(self.as_ptr()), len) } } } diff --git a/openssl/src/bio.rs b/openssl/src/bio.rs index 1595f89f1b..d5232d2ee1 100644 --- a/openssl/src/bio.rs +++ b/openssl/src/bio.rs @@ -2,10 +2,10 @@ use cfg_if::cfg_if; use libc::c_int; use std::marker::PhantomData; use std::ptr; -use std::slice; use crate::cvt_p; use crate::error::ErrorStack; +use crate::util; pub struct MemBioSlice<'a>(*mut ffi::BIO, PhantomData<&'a [u8]>); @@ -63,11 +63,7 @@ impl MemBio { unsafe { let mut ptr = ptr::null_mut(); let len = ffi::BIO_get_mem_data(self.0, &mut ptr); - if len == 0 { - &[] - } else { - slice::from_raw_parts(ptr as *const _ as *const _, len as usize) - } + util::from_raw_parts(ptr as *const _ as *const _, len as usize) } } diff --git a/openssl/src/ssl/bio.rs b/openssl/src/ssl/bio.rs index a5561dc722..16485624fe 100644 --- a/openssl/src/ssl/bio.rs +++ b/openssl/src/ssl/bio.rs @@ -9,10 +9,9 @@ use std::io; use std::io::prelude::*; use std::panic::{catch_unwind, AssertUnwindSafe}; use std::ptr; -use std::slice; -use crate::cvt_p; use crate::error::ErrorStack; +use crate::{cvt_p, util}; pub struct StreamState { pub stream: S, @@ -89,7 +88,7 @@ unsafe extern "C" fn bwrite(bio: *mut BIO, buf: *const c_char, len: c_ BIO_clear_retry_flags(bio); let state = state::(bio); - let buf = slice::from_raw_parts(buf as *const _, len as usize); + let buf = util::from_raw_parts(buf as *const _, len as usize); match catch_unwind(AssertUnwindSafe(|| state.stream.write(buf))) { Ok(Ok(len)) => len as c_int, @@ -111,7 +110,7 @@ unsafe extern "C" fn bread(bio: *mut BIO, buf: *mut c_char, len: c_int) BIO_clear_retry_flags(bio); let state = state::(bio); - let buf = slice::from_raw_parts_mut(buf as *mut _, len as usize); + let buf = util::from_raw_parts_mut(buf as *mut _, len as usize); match catch_unwind(AssertUnwindSafe(|| state.stream.read(buf))) { Ok(Ok(len)) => len as c_int, diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index be8909ee4a..ccf5308509 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs @@ -10,7 +10,6 @@ use libc::{c_int, c_uchar, c_uint, c_void}; use std::ffi::CStr; use std::mem; use std::ptr; -use std::slice; #[cfg(any(ossl111, boringssl))] use std::str; use std::sync::Arc; @@ -28,6 +27,7 @@ use crate::ssl::{ }; #[cfg(ossl111)] use crate::ssl::{ClientHelloResponse, ExtensionContext}; +use crate::util; #[cfg(any(ossl111, boringssl))] use crate::util::ForeignTypeRefExt; #[cfg(ossl111)] @@ -85,9 +85,9 @@ where None }; // Give the callback mutable slices into which it can write the identity and psk. - let identity_sl = slice::from_raw_parts_mut(identity as *mut u8, max_identity_len as usize); + let identity_sl = util::from_raw_parts_mut(identity as *mut u8, max_identity_len as usize); #[allow(clippy::unnecessary_cast)] - let psk_sl = slice::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); + let psk_sl = util::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); match (*callback)(ssl, hint, identity_sl, psk_sl) { Ok(psk_len) => psk_len as u32, Err(e) => { @@ -126,7 +126,7 @@ where }; // Give the callback mutable slices into which it can write the psk. #[allow(clippy::unnecessary_cast)] - let psk_sl = slice::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); + let psk_sl = util::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); match (*callback)(ssl, identity, psk_sl) { Ok(psk_len) => psk_len as u32, Err(e) => { @@ -197,7 +197,7 @@ where .ex_data(SslContext::cached_ex_index::()) .expect("BUG: alpn callback missing") as *const F; #[allow(clippy::unnecessary_cast)] - let protos = slice::from_raw_parts(inbuf as *const u8, inlen as usize); + let protos = util::from_raw_parts(inbuf as *const u8, inlen as usize); match (*callback)(ssl, protos) { Ok(proto) => { @@ -416,7 +416,7 @@ where .ex_data(SslContext::cached_ex_index::()) .expect("BUG: get session callback missing") as *const F; #[allow(clippy::unnecessary_cast)] - let data = slice::from_raw_parts(data as *const u8, len as usize); + let data = util::from_raw_parts(data as *const u8, len as usize); match (*callback)(ssl, data) { Some(session) => { @@ -460,7 +460,7 @@ where .ex_data(SslContext::cached_ex_index::()) .expect("BUG: stateless cookie generate callback missing") as *const F; #[allow(clippy::unnecessary_cast)] - let slice = slice::from_raw_parts_mut(cookie as *mut u8, ffi::SSL_COOKIE_LENGTH as usize); + let slice = util::from_raw_parts_mut(cookie as *mut u8, ffi::SSL_COOKIE_LENGTH as usize); match (*callback)(ssl, slice) { Ok(len) => { *cookie_len = len as size_t; @@ -488,7 +488,7 @@ where .ex_data(SslContext::cached_ex_index::()) .expect("BUG: stateless cookie verify callback missing") as *const F; #[allow(clippy::unnecessary_cast)] - let slice = slice::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len); + let slice = util::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len); (*callback)(ssl, slice) as c_int } @@ -511,7 +511,7 @@ where // compatibility. See comments in dtls1.h. #[allow(clippy::unnecessary_cast)] let slice = - slice::from_raw_parts_mut(cookie as *mut u8, ffi::DTLS1_COOKIE_LENGTH as usize - 1); + util::from_raw_parts_mut(cookie as *mut u8, ffi::DTLS1_COOKIE_LENGTH as usize - 1); match (*callback)(ssl, slice) { Ok(len) => { *cookie_len = len as c_uint; @@ -551,7 +551,7 @@ where .expect("BUG: cookie verify callback missing") as *const F; #[allow(clippy::unnecessary_cast)] let slice = - slice::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len as usize); + util::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len as usize); (*callback)(ssl, slice) as c_int } } @@ -663,7 +663,7 @@ where .expect("BUG: custom ext parse callback missing") as *const F; let ectx = ExtensionContext::from_bits_truncate(context); #[allow(clippy::unnecessary_cast)] - let slice = slice::from_raw_parts(input as *const u8, inlen); + let slice = util::from_raw_parts(input as *const u8, inlen); let cert = if ectx.contains(ExtensionContext::TLS1_3_CERTIFICATE) { Some((chainidx, X509Ref::from_ptr(x))) } else { diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index a540d41468..322ca9541a 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -77,6 +77,7 @@ use crate::ssl::bio::BioMethod; use crate::ssl::callbacks::*; use crate::ssl::error::InnerError; use crate::stack::{Stack, StackRef, Stackable}; +use crate::util; use crate::util::{ForeignTypeExt, ForeignTypeRefExt}; use crate::x509::store::{X509Store, X509StoreBuilderRef, X509StoreRef}; #[cfg(any(ossl102, boringssl, libressl261))] @@ -101,7 +102,6 @@ use std::ops::{Deref, DerefMut}; use std::panic::resume_unwind; use std::path::Path; use std::ptr; -use std::slice; use std::str; use std::sync::{Arc, Mutex}; @@ -708,7 +708,7 @@ pub fn select_next_proto<'a>(server: &[u8], client: &'a [u8]) -> Option<&'a [u8] client.len() as c_uint, ); if r == ffi::OPENSSL_NPN_NEGOTIATED { - Some(slice::from_raw_parts(out as *const u8, outlen as usize)) + Some(util::from_raw_parts(out as *const u8, outlen as usize)) } else { None } @@ -2174,7 +2174,7 @@ impl SslSessionRef { let mut len = 0; let p = ffi::SSL_SESSION_get_id(self.as_ptr(), &mut len); #[allow(clippy::unnecessary_cast)] - slice::from_raw_parts(p as *const u8, len as usize) + util::from_raw_parts(p as *const u8, len as usize) } } @@ -2650,7 +2650,7 @@ impl SslRef { if data.is_null() { None } else { - Some(slice::from_raw_parts(data, len as usize)) + Some(util::from_raw_parts(data, len as usize)) } } } @@ -2928,7 +2928,7 @@ impl SslRef { if len < 0 { None } else { - Some(slice::from_raw_parts(p as *const u8, len as usize)) + Some(util::from_raw_parts(p as *const u8, len as usize)) } } } @@ -3099,7 +3099,7 @@ impl SslRef { if len == 0 { None } else { - Some(slice::from_raw_parts(ptr, len)) + Some(util::from_raw_parts(ptr, len)) } } } @@ -3118,7 +3118,7 @@ impl SslRef { if len == 0 { None } else { - Some(slice::from_raw_parts(ptr, len)) + Some(util::from_raw_parts(ptr, len)) } } } @@ -3137,7 +3137,7 @@ impl SslRef { if len == 0 { None } else { - Some(slice::from_raw_parts(ptr, len)) + Some(util::from_raw_parts(ptr, len)) } } } @@ -3191,7 +3191,7 @@ impl SslRef { if len == 0 { None } else { - Some(slice::from_raw_parts(ptr, len)) + Some(util::from_raw_parts(ptr, len)) } } } @@ -3764,7 +3764,7 @@ impl SslStream { pub fn ssl_read(&mut self, buf: &mut [u8]) -> Result { // SAFETY: `ssl_read_uninit` does not de-initialize the buffer. unsafe { - self.ssl_read_uninit(slice::from_raw_parts_mut( + self.ssl_read_uninit(util::from_raw_parts_mut( buf.as_mut_ptr().cast::>(), buf.len(), )) @@ -3997,7 +3997,7 @@ impl Read for SslStream { fn read(&mut self, buf: &mut [u8]) -> io::Result { // SAFETY: `read_uninit` does not de-initialize the buffer unsafe { - self.read_uninit(slice::from_raw_parts_mut( + self.read_uninit(util::from_raw_parts_mut( buf.as_mut_ptr().cast::>(), buf.len(), )) diff --git a/openssl/src/util.rs b/openssl/src/util.rs index d852a4b9d8..c903a32092 100644 --- a/openssl/src/util.rs +++ b/openssl/src/util.rs @@ -1,4 +1,5 @@ use crate::error::ErrorStack; +use crate::util; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_char, c_int, c_void}; use std::any::Any; @@ -49,7 +50,7 @@ where let callback = &mut *(cb_state as *mut CallbackState); let result = panic::catch_unwind(AssertUnwindSafe(|| { - let pass_slice = slice::from_raw_parts_mut(buf as *mut u8, size as usize); + let pass_slice = util::from_raw_parts_mut(buf as *mut u8, size as usize); callback.cb.take().unwrap()(pass_slice) })); @@ -91,3 +92,27 @@ pub trait ForeignTypeRefExt: ForeignTypeRef { } } impl ForeignTypeRefExt for FT {} + +/// The same as `slice::from_raw_parts`, except that `data` may be `NULL` if +/// `len` is 0. +pub unsafe fn from_raw_parts<'a, T>(data: *const T, len: usize) -> &'a [T] { + if len == 0 { + &[] + } else { + // Using this to implement the preferred API + #[allow(clippy::disallowed_methods)] + slice::from_raw_parts(data, len) + } +} + +/// The same as `slice::from_raw_parts_mut`, except that `data` may be `NULL` +/// if `len` is 0. +pub unsafe fn from_raw_parts_mut<'a, T>(data: *mut T, len: usize) -> &'a mut [T] { + if len == 0 { + &mut [] + } else { + // Using this to implement the preferred API + #[allow(clippy::disallowed_methods)] + slice::from_raw_parts_mut(data, len) + } +} diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 05aec9a9c7..df0991a4dc 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -20,7 +20,6 @@ use std::mem; use std::net::IpAddr; use std::path::Path; use std::ptr; -use std::slice; use std::str; use crate::asn1::{ @@ -37,7 +36,7 @@ use crate::pkey::{HasPrivate, HasPublic, PKey, PKeyRef, Public}; use crate::ssl::SslRef; use crate::stack::{Stack, StackRef, Stackable}; use crate::string::OpensslString; -use crate::util::{ForeignTypeExt, ForeignTypeRefExt}; +use crate::util::{self, ForeignTypeExt, ForeignTypeRefExt}; use crate::{cvt, cvt_n, cvt_p, cvt_p_const}; use openssl_macros::corresponds; @@ -662,7 +661,7 @@ impl X509Ref { if ptr.is_null() { None } else { - Some(slice::from_raw_parts(ptr, len as usize)) + Some(util::from_raw_parts(ptr, len as usize)) } } } @@ -2157,7 +2156,7 @@ impl GeneralNameRef { let len = ffi::ASN1_STRING_length(d as *mut _); #[allow(clippy::unnecessary_cast)] - let slice = slice::from_raw_parts(ptr as *const u8, len as usize); + let slice = util::from_raw_parts(ptr as *const u8, len as usize); // IA5Strings are stated to be ASCII (specifically IA5). Hopefully // OpenSSL checks that when loading a certificate but if not we'll // use this instead of from_utf8_unchecked just in case. @@ -2211,7 +2210,7 @@ impl GeneralNameRef { let len = ffi::ASN1_STRING_length(d as *mut _); #[allow(clippy::unnecessary_cast)] - Some(slice::from_raw_parts(ptr as *const u8, len as usize)) + Some(util::from_raw_parts(ptr as *const u8, len as usize)) } } } From fe8088ebefd76e63b0de0d7065778fc666800a15 Mon Sep 17 00:00:00 2001 From: sanketh Date: Sat, 27 Jul 2024 20:24:54 -0400 Subject: [PATCH 02/46] Add binding for EVP_DigestSqueeze --- openssl-sys/src/handwritten/evp.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssl-sys/src/handwritten/evp.rs b/openssl-sys/src/handwritten/evp.rs index 9e277453e2..aa83c92122 100644 --- a/openssl-sys/src/handwritten/evp.rs +++ b/openssl-sys/src/handwritten/evp.rs @@ -93,6 +93,8 @@ extern "C" { pub fn EVP_DigestFinal(ctx: *mut EVP_MD_CTX, res: *mut u8, n: *mut u32) -> c_int; #[cfg(ossl111)] pub fn EVP_DigestFinalXOF(ctx: *mut EVP_MD_CTX, res: *mut u8, len: usize) -> c_int; + #[cfg(ossl330)] + pub fn EVP_DigestSqueeze(ctx: *mut EVP_MD_CTX, res: *mut u8, len: usize) -> c_int; #[cfg(ossl300)] pub fn EVP_MD_fetch( From d9a11b314df984fc9dfa192b1b4cd23c95005f9d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jul 2024 00:41:52 -0400 Subject: [PATCH 03/46] Fix CI for the latest rustc --- .github/workflows/ci.yml | 2 +- openssl-sys/build/main.rs | 2 +- openssl/build.rs | 2 +- openssl/src/x509/mod.rs | 1 + 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b25057dd69..efc975dbd2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -152,7 +152,7 @@ jobs: - false library: - name: boringssl - version: 2db0eb3f96a5756298dcd7f9319e56a98585bd10 + version: e23fe9b6eecc10e4f9ea1f0027fea5eaee7bd6b6 - name: openssl version: vendored - name: openssl diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 98d6926fcb..50ecc0f084 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -74,7 +74,7 @@ fn check_ssl_kind() { } fn main() { - println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_COMP\", \"OPENSSL_NO_SOCK\", \"OPENSSL_NO_STDIO\"))"); + println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_COMP\", \"OPENSSL_NO_SOCK\", \"OPENSSL_NO_STDIO\", \"OPENSSL_NO_EC\", \"OPENSSL_NO_SSL3_METHOD\", \"OPENSSL_NO_KRB5\", \"OPENSSL_NO_TLSEXT\", \"OPENSSL_NO_SRP\", \"OPENSSL_NO_RFC3779\", \"OPENSSL_NO_SHA\", \"OPENSSL_NO_NEXTPROTONEG\", \"OPENSSL_NO_ENGINE\", \"OPENSSL_NO_BUF_FREELISTS\"))"); println!("cargo:rustc-check-cfg=cfg(openssl)"); println!("cargo:rustc-check-cfg=cfg(libressl)"); diff --git a/openssl/build.rs b/openssl/build.rs index 58f5fb9aad..16101ea309 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -7,7 +7,7 @@ use std::env; fn main() { - println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\"))"); + println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_EC\"))"); println!("cargo:rustc-check-cfg=cfg(libressl)"); println!("cargo:rustc-check-cfg=cfg(boringssl)"); diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index df0991a4dc..e583518dae 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -2544,6 +2544,7 @@ impl X509PurposeRef { /// - "any", /// - "ocsphelper", /// - "timestampsign" + /// /// The index can be used with `X509PurposeRef::from_idx()` to get the purpose. #[allow(clippy::unnecessary_cast)] pub fn get_by_sname(sname: &str) -> Result { From 47862ea6dfc674a1df3d18cb8252a5f631c6c761 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 16 Aug 2024 10:40:29 +0200 Subject: [PATCH 04/46] libressl 4.0: const correctness for X509_LOOKUP_METHOD --- openssl-sys/src/handwritten/x509_vfy.rs | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/openssl-sys/src/handwritten/x509_vfy.rs b/openssl-sys/src/handwritten/x509_vfy.rs index a560e586d8..31928f8979 100644 --- a/openssl-sys/src/handwritten/x509_vfy.rs +++ b/openssl-sys/src/handwritten/x509_vfy.rs @@ -9,10 +9,14 @@ extern "C" { pub fn X509_LOOKUP_meth_free(method: *mut X509_LOOKUP_METHOD); } +const_ptr_api! { + extern "C" { + pub fn X509_LOOKUP_hash_dir() -> #[const_ptr_if(libressl400)] X509_LOOKUP_METHOD; + pub fn X509_LOOKUP_file() -> #[const_ptr_if(libressl400)] X509_LOOKUP_METHOD; + } +} extern "C" { pub fn X509_LOOKUP_free(ctx: *mut X509_LOOKUP); - pub fn X509_LOOKUP_hash_dir() -> *mut X509_LOOKUP_METHOD; - pub fn X509_LOOKUP_file() -> *mut X509_LOOKUP_METHOD; pub fn X509_LOOKUP_ctrl( ctx: *mut X509_LOOKUP, cmd: c_int, @@ -41,11 +45,6 @@ extern "C" { pub fn X509_STORE_add_cert(store: *mut X509_STORE, x: *mut X509) -> c_int; - pub fn X509_STORE_add_lookup( - store: *mut X509_STORE, - meth: *mut X509_LOOKUP_METHOD, - ) -> *mut X509_LOOKUP; - pub fn X509_STORE_set_default_paths(store: *mut X509_STORE) -> c_int; pub fn X509_STORE_set_flags(store: *mut X509_STORE, flags: c_ulong) -> c_int; pub fn X509_STORE_set_purpose(ctx: *mut X509_STORE, purpose: c_int) -> c_int; @@ -55,6 +54,10 @@ extern "C" { const_ptr_api! { extern "C" { + pub fn X509_STORE_add_lookup( + store: *mut X509_STORE, + meth: #[const_ptr_if(libressl400)] X509_LOOKUP_METHOD, + ) -> *mut X509_LOOKUP; pub fn X509_STORE_set1_param(store: *mut X509_STORE, pm: #[const_ptr_if(ossl300)] X509_VERIFY_PARAM) -> c_int; } } From 6c21e3a8e1aa0708334a8cdd81adefbfb5b0f5fc Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Aug 2024 09:36:11 -0400 Subject: [PATCH 05/46] Bump hex dev-dependency version --- openssl/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index cc8ef0accc..e268d1dc39 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -33,4 +33,4 @@ openssl-macros = { version = "0.1.0", path = "../openssl-macros" } ffi = { package = "openssl-sys", version = "0.9.103", path = "../openssl-sys" } [dev-dependencies] -hex = "0.3" +hex = "0.4" From ff1ce6ddfcaa00fdcdf365714a1e016d1afaf315 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Aug 2024 09:43:33 -0400 Subject: [PATCH 06/46] bindgen 0.66 --- openssl-sys/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 131ebe684e..3d809b546c 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -23,7 +23,7 @@ libc = "0.2" bssl-sys = { version = "0.1.0", optional = true } [build-dependencies] -bindgen = { version = "0.65.0", optional = true, features = ["experimental"] } +bindgen = { version = "0.66.0", optional = true, features = ["experimental"] } cc = "1.0.61" openssl-src = { version = "300.2.0", optional = true, features = ["legacy"] } pkg-config = "0.3.9" From ea204f539ebd3bf88b75f4c0f6ae435dfc198f27 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Aug 2024 10:03:01 -0400 Subject: [PATCH 07/46] Raise MSRV to 1.63 --- .github/workflows/ci.yml | 4 +--- openssl-errors/Cargo.toml | 1 + openssl-macros/Cargo.toml | 1 + openssl-sys/Cargo.toml | 1 + openssl/Cargo.toml | 1 + 5 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index efc975dbd2..52e712a11d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -62,7 +62,7 @@ jobs: # Remember to also update `--rust-target` in `openssl-sys/build/run_bindgen.rs` - uses: sfackler/actions/rustup@master with: - version: 1.56.0 + version: 1.63.0 - run: echo "version=$(rustc --version)" >> $GITHUB_OUTPUT id: rust-version - uses: actions/cache@v4 @@ -72,8 +72,6 @@ jobs: restore-keys: | index-${{ runner.os }}- - run: cargo generate-lockfile - - run: | - cargo update -p cc --precise 1.0.94 - uses: actions/cache@v4 with: path: ~/.cargo/registry/cache diff --git a/openssl-errors/Cargo.toml b/openssl-errors/Cargo.toml index 5285b266e1..a95312dc30 100644 --- a/openssl-errors/Cargo.toml +++ b/openssl-errors/Cargo.toml @@ -8,6 +8,7 @@ description = "Custom error library support for the openssl crate." repository = "https://github.com/sfackler/rust-openssl" readme = "README.md" categories = ["api-bindings"] +rust-version = "1.63.0" [dependencies] cfg-if = "1.0" diff --git a/openssl-macros/Cargo.toml b/openssl-macros/Cargo.toml index 90abfdfa2a..c62e299716 100644 --- a/openssl-macros/Cargo.toml +++ b/openssl-macros/Cargo.toml @@ -5,6 +5,7 @@ edition = "2018" license = "MIT OR Apache-2.0" description = "Internal macros used by the openssl crate." repository = "https://github.com/sfackler/rust-openssl" +rust-version = "1.63.0" [lib] proc-macro = true diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 3d809b546c..0859f9573f 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -13,6 +13,7 @@ categories = ["cryptography", "external-ffi-bindings"] links = "openssl" build = "build/main.rs" edition = "2018" +rust-version = "1.63.0" [features] vendored = ['openssl-src'] diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index cc8ef0accc..1764c9a3a1 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -9,6 +9,7 @@ readme = "README.md" keywords = ["crypto", "tls", "ssl", "dtls"] categories = ["cryptography", "api-bindings"] edition = "2018" +rust-version = "1.63.0" # these are deprecated and don't do anything anymore [features] From de7d1dc232b0c05ef89f4cdbe29dc8ee0c7bf762 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Aug 2024 10:13:52 -0400 Subject: [PATCH 08/46] bindgen 0.68 --- openssl-sys/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 0859f9573f..357ce333f1 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -24,7 +24,7 @@ libc = "0.2" bssl-sys = { version = "0.1.0", optional = true } [build-dependencies] -bindgen = { version = "0.66.0", optional = true, features = ["experimental"] } +bindgen = { version = "0.68.0", optional = true, features = ["experimental"] } cc = "1.0.61" openssl-src = { version = "300.2.0", optional = true, features = ["legacy"] } pkg-config = "0.3.9" From 0f8ac0f094907f2fb9ba043a53f2754667aa5e53 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Aug 2024 10:23:08 -0400 Subject: [PATCH 09/46] bindgen 0.69 --- openssl-sys/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 357ce333f1..b9fd232f08 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -24,7 +24,7 @@ libc = "0.2" bssl-sys = { version = "0.1.0", optional = true } [build-dependencies] -bindgen = { version = "0.68.0", optional = true, features = ["experimental"] } +bindgen = { version = "0.69.0", optional = true, features = ["experimental"] } cc = "1.0.61" openssl-src = { version = "300.2.0", optional = true, features = ["legacy"] } pkg-config = "0.3.9" From 8141d07a7382f93e0f9b433c1df97b2f8241825b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Aug 2024 10:33:14 -0400 Subject: [PATCH 10/46] Switch to 2021 edition --- openssl-errors/Cargo.toml | 2 +- openssl-macros/Cargo.toml | 2 +- openssl-sys/Cargo.toml | 2 +- openssl/Cargo.toml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/openssl-errors/Cargo.toml b/openssl-errors/Cargo.toml index a95312dc30..24f724678f 100644 --- a/openssl-errors/Cargo.toml +++ b/openssl-errors/Cargo.toml @@ -2,7 +2,7 @@ name = "openssl-errors" version = "0.2.0" authors = ["Steven Fackler "] -edition = "2018" +edition = "2021" license = "MIT OR Apache-2.0" description = "Custom error library support for the openssl crate." repository = "https://github.com/sfackler/rust-openssl" diff --git a/openssl-macros/Cargo.toml b/openssl-macros/Cargo.toml index c62e299716..40134616b3 100644 --- a/openssl-macros/Cargo.toml +++ b/openssl-macros/Cargo.toml @@ -1,7 +1,7 @@ [package] name = "openssl-macros" version = "0.1.1" -edition = "2018" +edition = "2021" license = "MIT OR Apache-2.0" description = "Internal macros used by the openssl crate." repository = "https://github.com/sfackler/rust-openssl" diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index b9fd232f08..7ec1038dc7 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -12,7 +12,7 @@ readme = "README.md" categories = ["cryptography", "external-ffi-bindings"] links = "openssl" build = "build/main.rs" -edition = "2018" +edition = "2021" rust-version = "1.63.0" [features] diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 1764c9a3a1..85426ad32b 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -8,7 +8,7 @@ repository = "https://github.com/sfackler/rust-openssl" readme = "README.md" keywords = ["crypto", "tls", "ssl", "dtls"] categories = ["cryptography", "api-bindings"] -edition = "2018" +edition = "2021" rust-version = "1.63.0" # these are deprecated and don't do anything anymore From 149f66259f13d81a5a76ff2e9679a0174c240737 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Aug 2024 18:36:37 -0400 Subject: [PATCH 11/46] Ensure Rsa::check_key doesn't leave errors on the stack --- openssl/src/rsa.rs | 31 ++++++++++++++++++++++++++----- openssl/test/corrupted-rsa.pem | 28 ++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+), 5 deletions(-) create mode 100644 openssl/test/corrupted-rsa.pem diff --git a/openssl/src/rsa.rs b/openssl/src/rsa.rs index 9ef56942bf..2e6614aed3 100644 --- a/openssl/src/rsa.rs +++ b/openssl/src/rsa.rs @@ -234,14 +234,18 @@ where /// Validates RSA parameters for correctness #[corresponds(RSA_check_key)] - #[allow(clippy::unnecessary_cast)] pub fn check_key(&self) -> Result { unsafe { - let result = ffi::RSA_check_key(self.as_ptr()) as i32; - if result == -1 { - Err(ErrorStack::get()) + let result = ffi::RSA_check_key(self.as_ptr()); + if result != 1 { + let errors = ErrorStack::get(); + if errors.errors().is_empty() { + Ok(false) + } else { + Err(errors) + } } else { - Ok(result == 1) + Ok(true) } } } @@ -849,4 +853,21 @@ mod test { let e = BigNum::from_u32(0x10001).unwrap(); Rsa::generate_with_e(2048, &e).unwrap(); } + + #[test] + fn test_check_key() { + let k = Rsa::private_key_from_pem_passphrase( + include_bytes!("../test/rsa-encrypted.pem"), + b"mypass", + ) + .unwrap(); + assert!(matches!(k.check_key(), Ok(true))); + assert!(ErrorStack::get().errors().is_empty()); + + // BoringSSL simply rejects this key, because its corrupted! + if let Ok(k) = Rsa::private_key_from_pem(include_bytes!("../test/corrupted-rsa.pem")) { + assert!(matches!(k.check_key(), Ok(false) | Err(_))); + assert!(ErrorStack::get().errors().is_empty()); + } + } } diff --git a/openssl/test/corrupted-rsa.pem b/openssl/test/corrupted-rsa.pem new file mode 100644 index 0000000000..fa2cc3b130 --- /dev/null +++ b/openssl/test/corrupted-rsa.pem @@ -0,0 +1,28 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCyiHMQLLOSG6T6 +AYpMTJj9f4WzXQF0+T0Ri/Mk6vcJMQdnLMrlEMIJA/4iCn32zvpQ0raYcuZZoyso +/Svqg7tAeC3aQ/iFopYWfaR+SDMEnpKMl26qwiIxlPcj9J8hAQw/9WA7YneBXq+T +ypONX4EeDn+bsp/mSNSZKYJBmwXevQ9xbnOOxmBrVd5OS07ZwYuQXy8uVsYe4IXX +7/F+BIyULnIlUxRcVRjKp9++PeS53KLJX04H6HeqUiWC8Ntd+DuD3df0a067L38o +sc+CVzwKXqvh75RwlXCR4/B3D9qEqSYmY7lxp9vA3hirWcSJn0xUIbHb7q1hzE0H +rL65mLwnAgMBAAECggEADePYJpKBGBAm35KTcB3ngJWAJp/I92ZVbieNb7peJOzC +btsJIBWT2xVgm2+7NCK5+Tl486xrfTQuLUlhNiTbQof3HUumKr4nCjHqmdlD1YtW +yzG+7kceAkMyOoMThwL+Bn3bPP42CQPVCjJmahyGPvs8H2DK2E+jRr/4KTgxQTki +s/MXmJa4+xhvfF4CmFVj8imkKCyUTFoaqvYevHDMrJ3cohXFONBPv0MT8X/Y0sgw +UVaZ1aw3dbLC2PBpZFotILGxch2rODXgOcer/GBC41aGQTBB8mLPwKb6KMh0xdPd +1E5NwyODA3YJ6W3fGe8WE0MIHoYlOkX+ukf4W4+U0wKBgQDhueBkZwrd1HdhqwhG +QKt1/itCx24Go75G/+5vJUCB4bcdaJP49aH0/H4BiSsKI8r+GVsVJcrKP8h3tgjw +hhuLLPSaWi9TiUsWeDTw0JrAJc7w6hwL1EYbnwcto5mRQdbfugitlkhh17yUmgdj +gczAKLfV3igxslnR67iNOEYrlwKBgQDKejyWNnxhBJoXerpR/hijoXhMaHqV6Z7T +gUy6F0BiJ5CqN+TOTaC17CEnsMmI28o1rWJ6bIKwOUPFXOE9Z5gyxuIJhY9M8n30 +iwm/Ug2oBTFAdZQyyCuCmPiNURnGo+Hhu1EtVwMWLt3Z0L+/DdI6pgPX8mG0NNZm ++pS96Lg9owKBgHOzCslr5638kZSGTh90Vm6McTAxeLv+gjFyTYy6022/fFSenfom +LXWdVhkDbgQshIfqBz23uVIhj2eM7tgaZVPZHydewpNW9B34T2qAAlIrDv99gBKw +I59UzCEgkj5aOQFEId6YAVHlesvQh6kBhymXtWLyFDgk6tUmtdns1krRAoGBAJj0 +pnhDSMpxk4ZRLBdsgGh8PkhaVOCSz2yvrKqXjgeYI+yytKI0ekdzzcgSAOzmPGc4 +R8B74G4HlG6vr2eXrp4NKAxRXOOf/A6UShTBg5d99KrhJ8cE9/l8XadDsNkiTC0e +OECsDqTfWrCExZUqd7neV+D2NWDQ2XaJrXuZJjVJAoGAIGA5ktXIxWIDeXkxo06b +nHeTEmOAgER/5UIikHnoSAnXo5JNZyFxqoylthWuA1fMPQw/UphAeawDwEXVKp1J +NEhLUfVAO/p1RBUsQi8LQVoO9Nql5u5dFjqoCnlRv5tbeAAzZH5magZk7/1rOS5T +Cj7WW2zW+iL20suUmXfCQGU= +-----END RSA PRIVATE KEY----- From da75d41f405aa15c900852872986695d1648577d Mon Sep 17 00:00:00 2001 From: Rushil Mehra Date: Sat, 24 Aug 2024 23:02:45 -0700 Subject: [PATCH 12/46] Update some docs to use the corresponds macro --- openssl/src/cipher_ctx.rs | 4 -- openssl/src/hash.rs | 11 ++--- openssl/src/nid.rs | 2 - openssl/src/sign.rs | 92 +++++++++------------------------------ openssl/src/ssl/mod.rs | 55 +++-------------------- openssl/src/symm.rs | 11 ++--- openssl/src/x509/mod.rs | 83 ++++++++--------------------------- 7 files changed, 50 insertions(+), 208 deletions(-) diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index abb1f11ef3..d31830ad0c 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -328,10 +328,6 @@ impl CipherCtxRef { /// /// Panics if the context has not been initialized with a cipher or if the buffer is smaller than the cipher's key /// length. - /// - /// This corresponds to [`EVP_CIPHER_CTX_rand_key`]. - /// - /// [`EVP_CIPHER_CTX_rand_key`]: https://www.openssl.org/docs/manmaster/man3/EVP_CIPHER_CTX_rand_key.html #[corresponds(EVP_CIPHER_CTX_rand_key)] #[cfg(not(boringssl))] pub fn rand_key(&self, buf: &mut [u8]) -> Result<(), ErrorStack> { diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index f2f2698f3e..b25eded944 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -41,6 +41,7 @@ use std::ptr; use crate::error::ErrorStack; use crate::nid::Nid; use crate::{cvt, cvt_p}; +use openssl_macros::corresponds; cfg_if! { if #[cfg(any(ossl110, boringssl, libressl382))] { @@ -65,10 +66,7 @@ impl MessageDigest { } /// Returns the `MessageDigest` corresponding to an `Nid`. - /// - /// This corresponds to [`EVP_get_digestbynid`]. - /// - /// [`EVP_get_digestbynid`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestInit.html + #[corresponds(EVP_get_digestbynid)] pub fn from_nid(type_: Nid) -> Option { ffi::init(); unsafe { @@ -82,10 +80,7 @@ impl MessageDigest { } /// Returns the `MessageDigest` corresponding to an algorithm name. - /// - /// This corresponds to [`EVP_get_digestbyname`]. - /// - /// [`EVP_get_digestbyname`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestInit.html + #[corresponds(EVP_get_digestbyname)] pub fn from_name(name: &str) -> Option { ffi::init(); let name = CString::new(name).ok()?; diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index e50feb0683..d093c67633 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -79,8 +79,6 @@ impl Nid { } /// Returns the `Nid`s of the digest and public key algorithms associated with a signature ID. - /// - /// This corresponds to `OBJ_find_sigid_algs`. #[corresponds(OBJ_find_sigid_algs)] #[allow(clippy::trivially_copy_pass_by_ref)] pub fn signature_algorithms(&self) -> Option { diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 0154b1d4b7..dd012128a2 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -79,6 +79,7 @@ use crate::hash::MessageDigest; use crate::pkey::{HasPrivate, HasPublic, PKeyRef}; use crate::rsa::Padding; use crate::{cvt, cvt_p}; +use openssl_macros::corresponds; cfg_if! { if #[cfg(any(ossl110, libressl382))] { @@ -135,10 +136,7 @@ impl Signer<'_> { /// /// This cannot be used with Ed25519 or Ed448 keys. Please refer to /// `new_without_digest`. - /// - /// OpenSSL documentation at [`EVP_DigestSignInit`]. - /// - /// [`EVP_DigestSignInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html + #[corresponds(EVP_DigestSignInit)] pub fn new<'a, T>(type_: MessageDigest, pkey: &PKeyRef) -> Result, ErrorStack> where T: HasPrivate, @@ -150,10 +148,7 @@ impl Signer<'_> { /// /// This is the only way to create a `Verifier` for Ed25519 or Ed448 keys. /// It can also be used to create a CMAC. - /// - /// OpenSSL documentation at [`EVP_DigestSignInit`]. - /// - /// [`EVP_DigestSignInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html + #[corresponds(EVP_DigestSignInit)] pub fn new_without_digest<'a, T>(pkey: &PKeyRef) -> Result, ErrorStack> where T: HasPrivate, @@ -198,8 +193,7 @@ impl Signer<'_> { /// Returns the RSA padding mode in use. /// /// This is only useful for RSA keys. - /// - /// This corresponds to `EVP_PKEY_CTX_get_rsa_padding`. + #[corresponds(EVP_PKEY_CTX_get_rsa_padding)] pub fn rsa_padding(&self) -> Result { unsafe { let mut pad = 0; @@ -211,10 +205,7 @@ impl Signer<'_> { /// Sets the RSA padding mode. /// /// This is only useful for RSA keys. - /// - /// This corresponds to [`EVP_PKEY_CTX_set_rsa_padding`]. - /// - /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_padding.html + #[corresponds(EVP_PKEY_CTX_set_rsa_padding)] pub fn set_rsa_padding(&mut self, padding: Padding) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_padding( @@ -228,10 +219,7 @@ impl Signer<'_> { /// Sets the RSA PSS salt length. /// /// This is only useful for RSA keys. - /// - /// This corresponds to [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]. - /// - /// [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_pss_saltlen.html + #[corresponds(EVP_PKEY_CTX_set_rsa_pss_saltlen)] pub fn set_rsa_pss_saltlen(&mut self, len: RsaPssSaltlen) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_pss_saltlen( @@ -245,10 +233,7 @@ impl Signer<'_> { /// Sets the RSA MGF1 algorithm. /// /// This is only useful for RSA keys. - /// - /// This corresponds to [`EVP_PKEY_CTX_set_rsa_mgf1_md`]. - /// - /// [`EVP_PKEY_CTX_set_rsa_mgf1_md`]: https://www.openssl.org/docs/manmaster/man7/RSA-PSS.html + #[corresponds(EVP_PKEY_CTX_set_rsa_mgf1_md)] pub fn set_rsa_mgf1_md(&mut self, md: MessageDigest) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_mgf1_md( @@ -263,10 +248,7 @@ impl Signer<'_> { /// /// Please note that PureEdDSA (Ed25519 and Ed448 keys) do not support streaming. /// Use `sign_oneshot` instead. - /// - /// OpenSSL documentation at [`EVP_DigestUpdate`]. - /// - /// [`EVP_DigestUpdate`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestInit.html + #[corresponds(EVP_DigestUpdate)] pub fn update(&mut self, buf: &[u8]) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_DigestUpdate( @@ -282,10 +264,7 @@ impl Signer<'_> { /// /// The actual signature may be shorter than this value. Check the return value of /// `sign` to get the exact length. - /// - /// OpenSSL documentation at [`EVP_DigestSignFinal`]. - /// - /// [`EVP_DigestSignFinal`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestSignFinal.html + #[corresponds(EVP_DigestSignFinal)] pub fn len(&self) -> Result { self.len_intern() } @@ -322,10 +301,7 @@ impl Signer<'_> { /// /// This method will fail if the buffer is not large enough for the signature. Use the `len` /// method to get an upper bound on the required size. - /// - /// OpenSSL documentation at [`EVP_DigestSignFinal`]. - /// - /// [`EVP_DigestSignFinal`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestSignFinal.html + #[corresponds(EVP_DigestSignFinal)] pub fn sign(&self, buf: &mut [u8]) -> Result { unsafe { let mut len = buf.len(); @@ -356,10 +332,7 @@ impl Signer<'_> { /// /// This method will fail if the buffer is not large enough for the signature. Use the `len` /// method to get an upper bound on the required size. - /// - /// OpenSSL documentation at [`EVP_DigestSign`]. - /// - /// [`EVP_DigestSign`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestSign.html + #[corresponds(EVP_DigestSign)] #[cfg(any(ossl111, boringssl, libressl370))] pub fn sign_oneshot( &mut self, @@ -429,10 +402,7 @@ impl<'a> Verifier<'a> { /// /// This cannot be used with Ed25519 or Ed448 keys. Please refer to /// [`Verifier::new_without_digest`]. - /// - /// OpenSSL documentation at [`EVP_DigestVerifyInit`]. - /// - /// [`EVP_DigestVerifyInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestVerifyInit.html + #[corresponds(EVP_DigestVerifyInit)] pub fn new(type_: MessageDigest, pkey: &'a PKeyRef) -> Result, ErrorStack> where T: HasPublic, @@ -443,10 +413,7 @@ impl<'a> Verifier<'a> { /// Creates a new `Verifier` without a digest. /// /// This is the only way to create a `Verifier` for Ed25519 or Ed448 keys. - /// - /// OpenSSL documentation at [`EVP_DigestVerifyInit`]. - /// - /// [`EVP_DigestVerifyInit`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestVerifyInit.html + #[corresponds(EVP_DigestVerifyInit)] pub fn new_without_digest(pkey: &'a PKeyRef) -> Result, ErrorStack> where T: HasPublic, @@ -491,8 +458,7 @@ impl<'a> Verifier<'a> { /// Returns the RSA padding mode in use. /// /// This is only useful for RSA keys. - /// - /// This corresponds to `EVP_PKEY_CTX_get_rsa_padding`. + #[corresponds(EVP_PKEY_CTX_get_rsa_padding)] pub fn rsa_padding(&self) -> Result { unsafe { let mut pad = 0; @@ -504,10 +470,7 @@ impl<'a> Verifier<'a> { /// Sets the RSA padding mode. /// /// This is only useful for RSA keys. - /// - /// This corresponds to [`EVP_PKEY_CTX_set_rsa_padding`]. - /// - /// [`EVP_PKEY_CTX_set_rsa_padding`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_padding.html + #[corresponds(EVP_PKEY_CTX_set_rsa_padding)] pub fn set_rsa_padding(&mut self, padding: Padding) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_padding( @@ -521,10 +484,7 @@ impl<'a> Verifier<'a> { /// Sets the RSA PSS salt length. /// /// This is only useful for RSA keys. - /// - /// This corresponds to [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]. - /// - /// [`EVP_PKEY_CTX_set_rsa_pss_saltlen`]: https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_CTX_set_rsa_pss_saltlen.html + #[corresponds(EVP_PKEY_CTX_set_rsa_pss_saltlen)] pub fn set_rsa_pss_saltlen(&mut self, len: RsaPssSaltlen) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_pss_saltlen( @@ -538,10 +498,7 @@ impl<'a> Verifier<'a> { /// Sets the RSA MGF1 algorithm. /// /// This is only useful for RSA keys. - /// - /// This corresponds to [`EVP_PKEY_CTX_set_rsa_mgf1_md`]. - /// - /// [`EVP_PKEY_CTX_set_rsa_mgf1_md`]: https://www.openssl.org/docs/manmaster/man7/RSA-PSS.html + #[corresponds(EVP_PKEY_CTX_set_rsa_mgf1_md)] pub fn set_rsa_mgf1_md(&mut self, md: MessageDigest) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_PKEY_CTX_set_rsa_mgf1_md( @@ -556,10 +513,7 @@ impl<'a> Verifier<'a> { /// /// Please note that PureEdDSA (Ed25519 and Ed448 keys) do not support streaming. /// Use [`Verifier::verify_oneshot`] instead. - /// - /// OpenSSL documentation at [`EVP_DigestUpdate`]. - /// - /// [`EVP_DigestUpdate`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestInit.html + #[corresponds(EVP_DigestUpdate)] pub fn update(&mut self, buf: &[u8]) -> Result<(), ErrorStack> { unsafe { cvt(ffi::EVP_DigestUpdate( @@ -572,10 +526,7 @@ impl<'a> Verifier<'a> { } /// Determines if the data fed into the `Verifier` matches the provided signature. - /// - /// OpenSSL documentation at [`EVP_DigestVerifyFinal`]. - /// - /// [`EVP_DigestVerifyFinal`]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestVerifyFinal.html + #[corresponds(EVP_DigestVerifyFinal)] pub fn verify(&self, signature: &[u8]) -> Result { unsafe { let r = @@ -592,10 +543,7 @@ impl<'a> Verifier<'a> { } /// Determines if the data given in `buf` matches the provided signature. - /// - /// OpenSSL documentation at [`EVP_DigestVerify`]. - /// - /// [`EVP_DigestVerify`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestVerify.html + #[corresponds(EVP_DigestVerify)] #[cfg(any(ossl111, boringssl, libressl370))] pub fn verify_oneshot(&mut self, signature: &[u8], buf: &[u8]) -> Result { unsafe { diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 322ca9541a..d9b2a724f6 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -2297,10 +2297,6 @@ impl Ssl { } /// Creates a new `Ssl`. - /// - /// This corresponds to [`SSL_new`]. - /// - /// [`SSL_new`]: https://www.openssl.org/docs/manmaster/ssl/SSL_new.html #[corresponds(SSL_new)] pub fn new(ctx: &SslContextRef) -> Result { let session_ctx_index = try_get_session_ctx_index()?; @@ -2314,15 +2310,10 @@ impl Ssl { } /// Initiates a client-side TLS handshake. - /// - /// This corresponds to [`SSL_connect`]. - /// /// # Warning /// /// OpenSSL's default configuration is insecure. It is highly recommended to use /// `SslConnector` rather than `Ssl` directly, as it manages that configuration. - /// - /// [`SSL_connect`]: https://www.openssl.org/docs/manmaster/man3/SSL_connect.html #[corresponds(SSL_connect)] #[allow(deprecated)] pub fn connect(self, stream: S) -> Result, HandshakeError> @@ -2334,14 +2325,10 @@ impl Ssl { /// Initiates a server-side TLS handshake. /// - /// This corresponds to [`SSL_accept`]. - /// /// # Warning /// /// OpenSSL's default configuration is insecure. It is highly recommended to use /// `SslAcceptor` rather than `Ssl` directly, as it manages that configuration. - /// - /// [`SSL_accept`]: https://www.openssl.org/docs/manmaster/man3/SSL_accept.html #[corresponds(SSL_accept)] #[allow(deprecated)] pub fn accept(self, stream: S) -> Result, HandshakeError> @@ -2656,10 +2643,6 @@ impl SslRef { } /// Enables the DTLS extension "use_srtp" as defined in RFC5764. - /// - /// This corresponds to [`SSL_set_tlsext_use_srtp`]. - /// - /// [`SSL_set_tlsext_use_srtp`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_tlsext_use_srtp.html #[corresponds(SSL_set_tlsext_use_srtp)] pub fn set_tlsext_use_srtp(&mut self, protocols: &str) -> Result<(), ErrorStack> { unsafe { @@ -2678,10 +2661,6 @@ impl SslRef { /// Gets all SRTP profiles that are enabled for handshake via set_tlsext_use_srtp /// /// DTLS extension "use_srtp" as defined in RFC5764 has to be enabled. - /// - /// This corresponds to [`SSL_get_srtp_profiles`]. - /// - /// [`SSL_get_srtp_profiles`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_tlsext_use_srtp.html #[corresponds(SSL_get_srtp_profiles)] pub fn srtp_profiles(&self) -> Option<&StackRef> { unsafe { @@ -3526,9 +3505,7 @@ where { /// Restarts the handshake process. /// - /// This corresponds to [`SSL_do_handshake`]. - /// - /// [`SSL_do_handshake`]: https://www.openssl.org/docs/manmaster/man3/SSL_do_handshake.html + #[corresponds(SSL_do_handshake)] pub fn handshake(mut self) -> Result, HandshakeError> { match self.stream.do_handshake() { Ok(()) => Ok(self.stream), @@ -4056,10 +4033,7 @@ where /// `accept`. If a HelloRetryRequest containing a fresh cookie was /// transmitted, `Ok(false)` is returned instead. If the handshake cannot /// proceed at all, `Err` is returned. - /// - /// This corresponds to [`SSL_stateless`] - /// - /// [`SSL_stateless`]: https://www.openssl.org/docs/manmaster/man3/SSL_stateless.html + #[corresponds(SSL_stateless)] #[cfg(ossl111)] pub fn stateless(&mut self) -> Result { match unsafe { ffi::SSL_stateless(self.inner.ssl.as_ptr()) } { @@ -4071,19 +4045,13 @@ where } /// Configure as an outgoing stream from a client. - /// - /// This corresponds to [`SSL_set_connect_state`]. - /// - /// [`SSL_set_connect_state`]: https://www.openssl.org/docs/manmaster/man3/SSL_set_connect_state.html + #[corresponds(SSL_set_connect_state)] pub fn set_connect_state(&mut self) { unsafe { ffi::SSL_set_connect_state(self.inner.ssl.as_ptr()) } } /// Configure as an incoming stream to a server. - /// - /// This corresponds to [`SSL_set_accept_state`]. - /// - /// [`SSL_set_accept_state`]: https://www.openssl.org/docs/manmaster/man3/SSL_set_accept_state.html + #[corresponds(SSL_set_accept_state)] pub fn set_accept_state(&mut self) { unsafe { ffi::SSL_set_accept_state(self.inner.ssl.as_ptr()) } } @@ -4129,10 +4097,7 @@ where /// Initiates the handshake. /// /// This will fail if `set_accept_state` or `set_connect_state` was not called first. - /// - /// This corresponds to [`SSL_do_handshake`]. - /// - /// [`SSL_do_handshake`]: https://www.openssl.org/docs/manmaster/man3/SSL_do_handshake.html + #[corresponds(SSL_do_handshake)] pub fn handshake(mut self) -> Result, HandshakeError> { match self.inner.do_handshake() { Ok(()) => Ok(self.inner), @@ -4160,10 +4125,7 @@ where /// Returns `Ok(0)` if all early data has been read. /// /// Requires OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer. - /// - /// This corresponds to [`SSL_read_early_data`]. - /// - /// [`SSL_read_early_data`]: https://www.openssl.org/docs/manmaster/man3/SSL_read_early_data.html + #[corresponds(SSL_read_early_data)] #[cfg(any(ossl111, libressl340))] pub fn read_early_data(&mut self, buf: &mut [u8]) -> Result { self.inner.read_early_data(buf) @@ -4175,10 +4137,7 @@ where /// `set_connect_state` first. /// /// Requires OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer. - /// - /// This corresponds to [`SSL_write_early_data`]. - /// - /// [`SSL_write_early_data`]: https://www.openssl.org/docs/manmaster/man3/SSL_write_early_data.html + #[corresponds(SSL_write_early_data)] #[cfg(any(ossl111, libressl340))] pub fn write_early_data(&mut self, buf: &[u8]) -> Result { self.inner.write_early_data(buf) diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 0aae69db4f..3929c59404 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -57,6 +57,7 @@ use crate::error::ErrorStack; use crate::nid::Nid; use cfg_if::cfg_if; use foreign_types::ForeignTypeRef; +use openssl_macros::corresponds; #[derive(Copy, Clone)] pub enum Mode { @@ -74,10 +75,7 @@ pub struct Cipher(*const ffi::EVP_CIPHER); impl Cipher { /// Looks up the cipher for a certain nid. - /// - /// This corresponds to [`EVP_get_cipherbynid`] - /// - /// [`EVP_get_cipherbynid`]: https://www.openssl.org/docs/manmaster/crypto/EVP_get_cipherbyname.html + #[corresponds(EVP_get_cipherbynid)] pub fn from_nid(nid: Nid) -> Option { let ptr = unsafe { ffi::EVP_get_cipherbyname(ffi::OBJ_nid2sn(nid.as_raw())) }; if ptr.is_null() { @@ -88,10 +86,7 @@ impl Cipher { } /// Returns the cipher's Nid. - /// - /// This corresponds to [`EVP_CIPHER_nid`] - /// - /// [`EVP_CIPHER_nid`]: https://www.openssl.org/docs/manmaster/crypto/EVP_CIPHER_nid.html + #[corresponds(EVP_CIPHER_nid)] pub fn nid(&self) -> Nid { let nid = unsafe { ffi::EVP_CIPHER_nid(self.0) }; Nid::from_raw(nid) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index e583518dae..d0cd00e3e6 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1085,10 +1085,7 @@ impl X509NameBuilder { } /// Add a field entry by str. - /// - /// This corresponds to [`X509_NAME_add_entry_by_txt`]. - /// - /// [`X509_NAME_add_entry_by_txt`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_txt.html + #[corresponds(X509_NAME_add_entry_by_txt)] pub fn append_entry_by_text(&mut self, field: &str, value: &str) -> Result<(), ErrorStack> { unsafe { let field = CString::new(field).unwrap(); @@ -1107,10 +1104,7 @@ impl X509NameBuilder { } /// Add a field entry by str with a specific type. - /// - /// This corresponds to [`X509_NAME_add_entry_by_txt`]. - /// - /// [`X509_NAME_add_entry_by_txt`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_txt.html + #[corresponds(X509_NAME_add_entry_by_txt)] pub fn append_entry_by_text_with_type( &mut self, field: &str, @@ -1134,10 +1128,7 @@ impl X509NameBuilder { } /// Add a field entry by NID. - /// - /// This corresponds to [`X509_NAME_add_entry_by_NID`]. - /// - /// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_NID.html + #[corresponds(X509_NAME_add_entry_by_NID)] pub fn append_entry_by_nid(&mut self, field: Nid, value: &str) -> Result<(), ErrorStack> { unsafe { assert!(value.len() <= crate::SLenType::MAX as usize); @@ -1155,10 +1146,7 @@ impl X509NameBuilder { } /// Add a field entry by NID with a specific type. - /// - /// This corresponds to [`X509_NAME_add_entry_by_NID`]. - /// - /// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_add_entry_by_NID.html + #[corresponds(X509_NAME_add_entry_by_NID)] pub fn append_entry_by_nid_with_type( &mut self, field: Nid, @@ -1336,10 +1324,7 @@ foreign_type_and_impl_send_sync! { impl X509NameEntryRef { /// Returns the field value of an `X509NameEntry`. - /// - /// This corresponds to [`X509_NAME_ENTRY_get_data`]. - /// - /// [`X509_NAME_ENTRY_get_data`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_ENTRY_get_data.html + #[corresponds(X509_NAME_ENTRY_get_data)] pub fn data(&self) -> &Asn1StringRef { unsafe { let data = ffi::X509_NAME_ENTRY_get_data(self.as_ptr()); @@ -1349,10 +1334,7 @@ impl X509NameEntryRef { /// Returns the `Asn1Object` value of an `X509NameEntry`. /// This is useful for finding out about the actual `Nid` when iterating over all `X509NameEntries`. - /// - /// This corresponds to [`X509_NAME_ENTRY_get_object`]. - /// - /// [`X509_NAME_ENTRY_get_object`]: https://www.openssl.org/docs/manmaster/crypto/X509_NAME_ENTRY_get_object.html + #[corresponds(X509_NAME_ENTRY_get_object)] pub fn object(&self) -> &Asn1ObjectRef { unsafe { let object = ffi::X509_NAME_ENTRY_get_object(self.as_ptr()); @@ -1372,10 +1354,7 @@ pub struct X509ReqBuilder(X509Req); impl X509ReqBuilder { /// Returns a builder for a certificate request. - /// - /// This corresponds to [`X509_REQ_new`]. - /// - ///[`X509_REQ_new`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_new.html + #[corresponds(X509_REQ_new)] pub fn new() -> Result { unsafe { ffi::init(); @@ -1384,10 +1363,7 @@ impl X509ReqBuilder { } /// Set the numerical value of the version field. - /// - /// This corresponds to [`X509_REQ_set_version`]. - /// - ///[`X509_REQ_set_version`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_set_version.html + #[corresponds(X509_REQ_set_version)] #[allow(clippy::useless_conversion)] pub fn set_version(&mut self, version: i32) -> Result<(), ErrorStack> { unsafe { @@ -1400,10 +1376,7 @@ impl X509ReqBuilder { } /// Set the issuer name. - /// - /// This corresponds to [`X509_REQ_set_subject_name`]. - /// - /// [`X509_REQ_set_subject_name`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_set_subject_name.html + #[corresponds(X509_REQ_set_subject_name)] pub fn set_subject_name(&mut self, subject_name: &X509NameRef) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_REQ_set_subject_name( @@ -1415,10 +1388,7 @@ impl X509ReqBuilder { } /// Set the public key. - /// - /// This corresponds to [`X509_REQ_set_pubkey`]. - /// - /// [`X509_REQ_set_pubkey`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_set_pubkey.html + #[corresponds(X509_REQ_set_pubkey)] pub fn set_pubkey(&mut self, key: &PKeyRef) -> Result<(), ErrorStack> where T: HasPublic, @@ -1465,10 +1435,7 @@ impl X509ReqBuilder { } /// Sign the request using a private key. - /// - /// This corresponds to [`X509_REQ_sign`]. - /// - /// [`X509_REQ_sign`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_sign.html + #[corresponds(X509_REQ_sign)] pub fn sign(&mut self, key: &PKeyRef, hash: MessageDigest) -> Result<(), ErrorStack> where T: HasPrivate, @@ -1561,20 +1528,14 @@ impl X509ReqRef { } /// Returns the numerical value of the version field of the certificate request. - /// - /// This corresponds to [`X509_REQ_get_version`] - /// - /// [`X509_REQ_get_version`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_version.html + #[corresponds(X509_REQ_get_version)] #[allow(clippy::unnecessary_cast)] pub fn version(&self) -> i32 { unsafe { X509_REQ_get_version(self.as_ptr()) as i32 } } /// Returns the subject name of the certificate request. - /// - /// This corresponds to [`X509_REQ_get_subject_name`] - /// - /// [`X509_REQ_get_subject_name`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_subject_name.html + #[corresponds(X509_REQ_get_subject_name)] pub fn subject_name(&self) -> &X509NameRef { unsafe { let name = X509_REQ_get_subject_name(self.as_ptr()); @@ -1583,10 +1544,7 @@ impl X509ReqRef { } /// Returns the public key of the certificate request. - /// - /// This corresponds to [`X509_REQ_get_pubkey"] - /// - /// [`X509_REQ_get_pubkey`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_get_pubkey.html + #[corresponds(X509_REQ_get_pubkey)] pub fn public_key(&self) -> Result, ErrorStack> { unsafe { let key = cvt_p(ffi::X509_REQ_get_pubkey(self.as_ptr()))?; @@ -1597,10 +1555,7 @@ impl X509ReqRef { /// Check if the certificate request is signed using the given public key. /// /// Returns `true` if verification succeeds. - /// - /// This corresponds to [`X509_REQ_verify"]. - /// - /// [`X509_REQ_verify`]: https://www.openssl.org/docs/manmaster/crypto/X509_REQ_verify.html + #[corresponds(X509_REQ_verify)] pub fn verify(&self, key: &PKeyRef) -> Result where T: HasPublic, @@ -1609,8 +1564,7 @@ impl X509ReqRef { } /// Returns the extensions of the certificate request. - /// - /// This corresponds to [`X509_REQ_get_extensions"] + #[corresponds(X509_REQ_get_extensions)] pub fn extensions(&self) -> Result, ErrorStack> { unsafe { let extensions = cvt_p(ffi::X509_REQ_get_extensions(self.as_ptr()))?; @@ -2012,10 +1966,7 @@ impl X509VerifyResult { } /// Return a human readable error string from the verification error. - /// - /// This corresponds to [`X509_verify_cert_error_string`]. - /// - /// [`X509_verify_cert_error_string`]: https://www.openssl.org/docs/manmaster/crypto/X509_verify_cert_error_string.html + #[corresponds(X509_verify_cert_error_string)] #[allow(clippy::trivially_copy_pass_by_ref)] pub fn error_string(&self) -> &'static str { ffi::init(); From 4d49588a78f127296cbc463f4e807abf32176116 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 25 Aug 2024 16:25:31 -0400 Subject: [PATCH 13/46] Don't leave errors on the stack in `MdCtxRef::digest_verify_final` --- openssl/src/md_ctx.rs | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/openssl/src/md_ctx.rs b/openssl/src/md_ctx.rs index 30e0337b47..36be3e9964 100644 --- a/openssl/src/md_ctx.rs +++ b/openssl/src/md_ctx.rs @@ -85,7 +85,7 @@ use crate::error::ErrorStack; use crate::md::MdRef; use crate::pkey::{HasPrivate, HasPublic, PKeyRef}; use crate::pkey_ctx::PkeyCtxRef; -use crate::{cvt, cvt_n, cvt_p}; +use crate::{cvt, cvt_p}; use cfg_if::cfg_if; use foreign_types::{ForeignType, ForeignTypeRef}; use openssl_macros::corresponds; @@ -309,12 +309,21 @@ impl MdCtxRef { #[inline] pub fn digest_verify_final(&mut self, signature: &[u8]) -> Result { unsafe { - let r = cvt_n(ffi::EVP_DigestVerifyFinal( + let r = ffi::EVP_DigestVerifyFinal( self.as_ptr(), signature.as_ptr() as *mut _, signature.len(), - ))?; - Ok(r == 1) + ); + if r == 1 { + Ok(true) + } else { + let errors = ErrorStack::get(); + if errors.errors().is_empty() { + Ok(false) + } else { + Err(errors) + } + } } } @@ -424,8 +433,11 @@ mod test { ctx.digest_verify_init(Some(md), &key1).unwrap(); ctx.digest_verify_update(bad_data).unwrap(); - let valid = ctx.digest_verify_final(&signature).unwrap(); - assert!(!valid); + assert!(matches!( + ctx.digest_verify_final(&signature), + Ok(false) | Err(_) + )); + assert!(ErrorStack::get().errors().is_empty()); } #[test] From 669b7d84d8523a52c24445f407aa8997599ad532 Mon Sep 17 00:00:00 2001 From: Kornel Date: Wed, 28 Aug 2024 15:03:29 +0100 Subject: [PATCH 14/46] Explicit rustfmt config --- .rustfmt.toml | 1 + 1 file changed, 1 insertion(+) create mode 100644 .rustfmt.toml diff --git a/.rustfmt.toml b/.rustfmt.toml new file mode 100644 index 0000000000..bcb7e2d7f8 --- /dev/null +++ b/.rustfmt.toml @@ -0,0 +1 @@ +# this project uses the default rustfmt settings From dbf2d68359e3c539515c8efbd6676b6c60a7bf22 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 30 Aug 2024 14:34:42 +0200 Subject: [PATCH 15/46] db_meth will be removed from X509V3_CTX --- openssl-sys/src/handwritten/types.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index 8c69c3efb3..593e20cdb2 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -472,6 +472,7 @@ pub struct X509V3_CTX { subject_cert: *mut c_void, subject_req: *mut c_void, crl: *mut c_void, + #[cfg(not(libressl400))] db_meth: *mut c_void, db: *mut c_void, #[cfg(ossl300)] From 337325d6100ec4add6ea45d7aed0f2bf712386d5 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 30 Aug 2024 14:45:32 +0200 Subject: [PATCH 16/46] disable the conf module for LibreSSL 4 --- openssl/build.rs | 4 ++++ openssl/src/conf.rs | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/openssl/build.rs b/openssl/build.rs index 16101ea309..41a047d97f 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -31,6 +31,7 @@ fn main() { println!("cargo:rustc-check-cfg=cfg(libressl380)"); println!("cargo:rustc-check-cfg=cfg(libressl382)"); println!("cargo:rustc-check-cfg=cfg(libressl390)"); + println!("cargo:rustc-check-cfg=cfg(libressl400)"); println!("cargo:rustc-check-cfg=cfg(ossl101)"); println!("cargo:rustc-check-cfg=cfg(ossl102)"); @@ -112,6 +113,9 @@ fn main() { if version >= 0x3_09_00_00_0 { println!("cargo:rustc-cfg=libressl390"); } + if version >= 0x4_00_00_00_0 { + println!("cargo:rustc-cfg=libressl400"); + } } if let Ok(vars) = env::var("DEP_OPENSSL_CONF") { diff --git a/openssl/src/conf.rs b/openssl/src/conf.rs index 715519c595..88740298b3 100644 --- a/openssl/src/conf.rs +++ b/openssl/src/conf.rs @@ -8,7 +8,7 @@ foreign_type_and_impl_send_sync! { pub struct ConfRef; } -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, libressl400)))] mod methods { use super::Conf; use crate::cvt_p; @@ -61,5 +61,5 @@ mod methods { } } } -#[cfg(not(boringssl))] +#[cfg(not(any(boringssl, libressl400)))] pub use methods::*; From 44c2be5792ae2839e6308c59e66338f5bd6900be Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 30 Aug 2024 14:35:15 +0200 Subject: [PATCH 17/46] const correct NCONF_new(), remove NCONF_default() --- openssl-sys/src/handwritten/conf.rs | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/conf.rs b/openssl-sys/src/handwritten/conf.rs index 2348d7d4c9..fa05c5554f 100644 --- a/openssl-sys/src/handwritten/conf.rs +++ b/openssl-sys/src/handwritten/conf.rs @@ -1,7 +1,13 @@ use super::super::*; +const_ptr_api! { + extern "C" { + pub fn NCONF_new(meth: #[const_ptr_if(libressl400)] CONF_METHOD) -> *mut CONF; + } +} + extern "C" { - pub fn NCONF_new(meth: *mut CONF_METHOD) -> *mut CONF; + #[cfg(not(libressl400))] pub fn NCONF_default() -> *mut CONF_METHOD; pub fn NCONF_free(conf: *mut CONF); } From 3291ea16ef45f5d5632159137ff3e9ce8e114ecd Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 31 Aug 2024 13:07:53 -0700 Subject: [PATCH 18/46] add basic EVP_KDF bindings --- openssl-sys/src/handwritten/kdf.rs | 8 ++++++++ openssl-sys/src/handwritten/params.rs | 7 +++++++ openssl-sys/src/handwritten/types.rs | 5 +++++ 3 files changed, 20 insertions(+) diff --git a/openssl-sys/src/handwritten/kdf.rs b/openssl-sys/src/handwritten/kdf.rs index 0f14b63a9c..d34f27450c 100644 --- a/openssl-sys/src/handwritten/kdf.rs +++ b/openssl-sys/src/handwritten/kdf.rs @@ -21,6 +21,14 @@ cfg_if! { info: *const u8, infolen: c_int, ) -> c_int; + pub fn EVP_KDF_CTX_new(kdf: *mut EVP_KDF) -> *mut EVP_KDF_CTX; + pub fn EVP_KDF_CTX_free(ctx: *mut EVP_KDF_CTX); + pub fn EVP_KDF_CTX_reset(ctx: *mut EVP_KDF_CTX); + pub fn EVP_KDF_CTX_get_kdf_size(ctx: *mut EVP_KDF_CTX) -> size_t; + pub fn EVP_KDF_derive(ctx: *mut EVP_KDF_CTX, key: *mut u8, keylen: size_t, params: *const OSSL_PARAM) -> c_int; + pub fn EVP_KDF_fetch(ctx: *mut OSSL_LIB_CTX, algorithm: *const c_char, properties: *const c_char) -> *mut EVP_KDF; + pub fn EVP_KDF_free(kdf: *mut EVP_KDF); } + } } diff --git a/openssl-sys/src/handwritten/params.rs b/openssl-sys/src/handwritten/params.rs index 3ed00c0488..542cef3374 100644 --- a/openssl-sys/src/handwritten/params.rs +++ b/openssl-sys/src/handwritten/params.rs @@ -6,4 +6,11 @@ extern "C" { pub fn OSSL_PARAM_construct_uint(key: *const c_char, buf: *mut c_uint) -> OSSL_PARAM; #[cfg(ossl300)] pub fn OSSL_PARAM_construct_end() -> OSSL_PARAM; + #[cfg(ossl300)] + pub fn OSSL_PARAM_construct_octet_string( + key: *const c_char, + buf: *mut c_void, + bsize: size_t, + ) -> OSSL_PARAM; + } diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index 593e20cdb2..df7d050da8 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -1139,3 +1139,8 @@ pub struct OSSL_PARAM { data_size: size_t, return_size: size_t, } + +#[cfg(ossl300)] +pub enum EVP_KDF {} +#[cfg(ossl300)] +pub enum EVP_KDF_CTX {} \ No newline at end of file From 3ed6fe2a010bcc49d31fd0715f18bb87db34775b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 31 Aug 2024 13:15:44 -0700 Subject: [PATCH 19/46] fmt --- openssl-sys/src/handwritten/types.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/src/handwritten/types.rs b/openssl-sys/src/handwritten/types.rs index df7d050da8..d465a44148 100644 --- a/openssl-sys/src/handwritten/types.rs +++ b/openssl-sys/src/handwritten/types.rs @@ -1143,4 +1143,4 @@ pub struct OSSL_PARAM { #[cfg(ossl300)] pub enum EVP_KDF {} #[cfg(ossl300)] -pub enum EVP_KDF_CTX {} \ No newline at end of file +pub enum EVP_KDF_CTX {} From 2d340cb6b0df569ebd8ffe03a7cd75cd2c1efbf0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 31 Aug 2024 13:28:39 -0700 Subject: [PATCH 20/46] add argon2id support for ossl 3.2+ --- openssl/src/argon2.rs | 147 ++++++++++++++++++++++++++++++++++++++++++ openssl/src/lib.rs | 2 + 2 files changed, 149 insertions(+) create mode 100644 openssl/src/argon2.rs diff --git a/openssl/src/argon2.rs b/openssl/src/argon2.rs new file mode 100644 index 0000000000..af9fda00d9 --- /dev/null +++ b/openssl/src/argon2.rs @@ -0,0 +1,147 @@ +use libc::c_void; +use std::ffi::CStr; +use std::ptr; + +use crate::error::ErrorStack; +use crate::{cvt, cvt_p}; + +/// Derives a key using the argon2id algorithm. +/// +/// Requires OpenSSL 3.2.0 or newer. +#[allow(clippy::too_many_arguments)] +pub fn argon2id( + pass: &[u8], + salt: &[u8], + ad: Option<&[u8]>, + secret: Option<&[u8]>, + mut iter: u32, + mut threads: u32, + mut lanes: u32, + mut memcost: u32, + out: &mut [u8], +) -> Result<(), ErrorStack> { + // We only support single-threaded operation for now since rust-openssl doesn't + // bind OSSL_set_max_threads + assert!(threads == 1); + let pass_field = CStr::from_bytes_with_nul(b"pass\0").unwrap(); + let salt_field = CStr::from_bytes_with_nul(b"salt\0").unwrap(); + let ad_field = CStr::from_bytes_with_nul(b"ad\0").unwrap(); + let secret_field = CStr::from_bytes_with_nul(b"secret\0").unwrap(); + let iter_field = CStr::from_bytes_with_nul(b"iter\0").unwrap(); + let size_field = CStr::from_bytes_with_nul(b"size\0").unwrap(); + let threads_field = CStr::from_bytes_with_nul(b"threads\0").unwrap(); + let lanes_field = CStr::from_bytes_with_nul(b"lanes\0").unwrap(); + let memcost_field = CStr::from_bytes_with_nul(b"memcost\0").unwrap(); + unsafe { + ffi::init(); + let mut params = vec![]; + let param_pass = ffi::OSSL_PARAM_construct_octet_string( + pass_field.as_ptr(), + pass.as_ptr() as *mut c_void, + pass.len(), + ); + params.push(param_pass); + let param_salt = ffi::OSSL_PARAM_construct_octet_string( + salt_field.as_ptr(), + salt.as_ptr() as *mut c_void, + salt.len(), + ); + params.push(param_salt); + if let Some(ad) = ad { + let param_ad = ffi::OSSL_PARAM_construct_octet_string( + ad_field.as_ptr(), + ad.as_ptr() as *mut c_void, + ad.len(), + ); + params.push(param_ad); + } + if let Some(secret) = secret { + let param_secret = ffi::OSSL_PARAM_construct_octet_string( + secret_field.as_ptr(), + secret.as_ptr() as *mut c_void, + secret.len(), + ); + params.push(param_secret); + } + let param_threads = ffi::OSSL_PARAM_construct_uint(threads_field.as_ptr(), &mut threads); + params.push(param_threads); + let param_lanes = ffi::OSSL_PARAM_construct_uint(lanes_field.as_ptr(), &mut lanes); + params.push(param_lanes); + let param_memcost = ffi::OSSL_PARAM_construct_uint(memcost_field.as_ptr(), &mut memcost); + params.push(param_memcost); + let param_iter = ffi::OSSL_PARAM_construct_uint(iter_field.as_ptr(), &mut iter); + params.push(param_iter); + let mut size = out.len() as u32; + let param_size = ffi::OSSL_PARAM_construct_uint(size_field.as_ptr(), &mut size); + params.push(param_size); + let param_end = ffi::OSSL_PARAM_construct_end(); + params.push(param_end); + + let argon2id_field = CStr::from_bytes_with_nul(b"ARGON2ID\0").unwrap(); + let argon2 = cvt_p(ffi::EVP_KDF_fetch( + ptr::null_mut(), + argon2id_field.as_ptr(), + ptr::null(), + ))?; // This needs to be freed + let ctx = cvt_p(ffi::EVP_KDF_CTX_new(argon2))?; // this also needs to be freed + cvt(ffi::EVP_KDF_derive( + ctx, + out.as_mut_ptr(), + out.len(), + params.as_ptr(), + )) + .map(|_| ()) + } +} + +#[cfg(test)] +mod tests { + #[test] + fn argon2id() { + // RFC 9106 test vector for argon2id + let pass = hex::decode("0101010101010101010101010101010101010101010101010101010101010101") + .unwrap(); + let salt = hex::decode("02020202020202020202020202020202").unwrap(); + let secret = hex::decode("0303030303030303").unwrap(); + let ad = hex::decode("040404040404040404040404").unwrap(); + let expected = "0d640df58d78766c08c037a34a8b53c9d01ef0452d75b65eb52520e96b01e659"; + + let mut actual = [0 as u8; 32]; + super::argon2id( + &pass, + &salt, + Some(&ad), + Some(&secret), + 3, + 1, + 4, + 32, + &mut actual, + ) + .unwrap(); + assert_eq!(hex::encode(&actual[..]), expected); + } + + #[test] + fn argon2id_no_ad_secret() { + // Test vector from OpenSSL + let pass = ""; + let salt = hex::decode("02020202020202020202020202020202").unwrap(); + let expected = "0a34f1abde67086c82e785eaf17c68382259a264f4e61b91cd2763cb75ac189a"; + + let mut actual = [0 as u8; 32]; + super::argon2id( + &pass.as_bytes(), + &salt, + None, + None, + 3, + 1, + 4, + 32, + &mut actual, + ) + .unwrap(); + assert_eq!(hex::encode(&actual[..]), expected); + } +} diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 555eda9720..1ba33349ba 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -147,6 +147,8 @@ mod bio; #[macro_use] mod util; pub mod aes; +#[cfg(ossl320)] +pub mod argon2; pub mod asn1; pub mod base64; pub mod bn; From 6ed35b28f8d6a54a4103858fbc7db24655e07822 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 31 Aug 2024 19:29:01 -0700 Subject: [PATCH 21/46] review feedback, support OPENSSL_NO_ARGON2 --- openssl/build.rs | 2 +- openssl/src/argon2.rs | 70 +++++++++++++++++++++++++++---------------- openssl/src/lib.rs | 1 + 3 files changed, 46 insertions(+), 27 deletions(-) diff --git a/openssl/build.rs b/openssl/build.rs index 41a047d97f..33372efd51 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -7,7 +7,7 @@ use std::env; fn main() { - println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_EC\"))"); + println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_EC\", \"OPENSSL_NO_ARGON2\"))"); println!("cargo:rustc-check-cfg=cfg(libressl)"); println!("cargo:rustc-check-cfg=cfg(boringssl)"); diff --git a/openssl/src/argon2.rs b/openssl/src/argon2.rs index af9fda00d9..1e955b6ad4 100644 --- a/openssl/src/argon2.rs +++ b/openssl/src/argon2.rs @@ -1,10 +1,33 @@ -use libc::c_void; -use std::ffi::CStr; +use std::ffi::c_void; use std::ptr; use crate::error::ErrorStack; use crate::{cvt, cvt_p}; +struct EvpKdf { + kdf: *mut ffi::EVP_KDF, +} + +impl Drop for EvpKdf { + fn drop(&mut self) { + unsafe { + ffi::EVP_KDF_free(self.kdf); + } + } +} + +struct EvpKdfCtx { + ctx: *mut ffi::EVP_KDF_CTX, +} + +impl Drop for EvpKdfCtx { + fn drop(&mut self) { + unsafe { + ffi::EVP_KDF_CTX_free(self.ctx); + } + } +} + /// Derives a key using the argon2id algorithm. /// /// Requires OpenSSL 3.2.0 or newer. @@ -23,33 +46,24 @@ pub fn argon2id( // We only support single-threaded operation for now since rust-openssl doesn't // bind OSSL_set_max_threads assert!(threads == 1); - let pass_field = CStr::from_bytes_with_nul(b"pass\0").unwrap(); - let salt_field = CStr::from_bytes_with_nul(b"salt\0").unwrap(); - let ad_field = CStr::from_bytes_with_nul(b"ad\0").unwrap(); - let secret_field = CStr::from_bytes_with_nul(b"secret\0").unwrap(); - let iter_field = CStr::from_bytes_with_nul(b"iter\0").unwrap(); - let size_field = CStr::from_bytes_with_nul(b"size\0").unwrap(); - let threads_field = CStr::from_bytes_with_nul(b"threads\0").unwrap(); - let lanes_field = CStr::from_bytes_with_nul(b"lanes\0").unwrap(); - let memcost_field = CStr::from_bytes_with_nul(b"memcost\0").unwrap(); unsafe { ffi::init(); let mut params = vec![]; let param_pass = ffi::OSSL_PARAM_construct_octet_string( - pass_field.as_ptr(), + b"pass\0".as_ptr() as *const i8, pass.as_ptr() as *mut c_void, pass.len(), ); params.push(param_pass); let param_salt = ffi::OSSL_PARAM_construct_octet_string( - salt_field.as_ptr(), + b"salt\0".as_ptr() as *const i8, salt.as_ptr() as *mut c_void, salt.len(), ); params.push(param_salt); if let Some(ad) = ad { let param_ad = ffi::OSSL_PARAM_construct_octet_string( - ad_field.as_ptr(), + b"ad\0".as_ptr() as *const i8, ad.as_ptr() as *mut c_void, ad.len(), ); @@ -57,35 +71,39 @@ pub fn argon2id( } if let Some(secret) = secret { let param_secret = ffi::OSSL_PARAM_construct_octet_string( - secret_field.as_ptr(), + b"secret\0".as_ptr() as *const i8, secret.as_ptr() as *mut c_void, secret.len(), ); params.push(param_secret); } - let param_threads = ffi::OSSL_PARAM_construct_uint(threads_field.as_ptr(), &mut threads); + let param_threads = + ffi::OSSL_PARAM_construct_uint(b"threads\0".as_ptr() as *const i8, &mut threads); params.push(param_threads); - let param_lanes = ffi::OSSL_PARAM_construct_uint(lanes_field.as_ptr(), &mut lanes); + let param_lanes = + ffi::OSSL_PARAM_construct_uint(b"lanes\0".as_ptr() as *const i8, &mut lanes); params.push(param_lanes); - let param_memcost = ffi::OSSL_PARAM_construct_uint(memcost_field.as_ptr(), &mut memcost); + let param_memcost = + ffi::OSSL_PARAM_construct_uint(b"memcost\0".as_ptr() as *const i8, &mut memcost); params.push(param_memcost); - let param_iter = ffi::OSSL_PARAM_construct_uint(iter_field.as_ptr(), &mut iter); + let param_iter = ffi::OSSL_PARAM_construct_uint(b"iter\0".as_ptr() as *const i8, &mut iter); params.push(param_iter); let mut size = out.len() as u32; - let param_size = ffi::OSSL_PARAM_construct_uint(size_field.as_ptr(), &mut size); + let param_size = ffi::OSSL_PARAM_construct_uint(b"size\0".as_ptr() as *const i8, &mut size); params.push(param_size); let param_end = ffi::OSSL_PARAM_construct_end(); params.push(param_end); - let argon2id_field = CStr::from_bytes_with_nul(b"ARGON2ID\0").unwrap(); - let argon2 = cvt_p(ffi::EVP_KDF_fetch( + let argon2_p = cvt_p(ffi::EVP_KDF_fetch( ptr::null_mut(), - argon2id_field.as_ptr(), + b"ARGON2ID\0".as_ptr() as *const i8, ptr::null(), - ))?; // This needs to be freed - let ctx = cvt_p(ffi::EVP_KDF_CTX_new(argon2))?; // this also needs to be freed + ))?; + let argon2 = EvpKdf { kdf: argon2_p }; + let ctx_p = cvt_p(ffi::EVP_KDF_CTX_new(argon2.kdf))?; + let ctx = EvpKdfCtx { ctx: ctx_p }; cvt(ffi::EVP_KDF_derive( - ctx, + ctx.ctx, out.as_mut_ptr(), out.len(), params.as_ptr(), diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 1ba33349ba..d758d50852 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -148,6 +148,7 @@ mod bio; mod util; pub mod aes; #[cfg(ossl320)] +#[cfg(all(ossl320, not(osslconf = "OPENSSL_NO_ARGON2")))] pub mod argon2; pub mod asn1; pub mod base64; From 05d9f2ef6e70f6b610b0f94ee308e87ad00a7c39 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 31 Aug 2024 20:20:10 -0700 Subject: [PATCH 22/46] simplify, use CStr to hopefully handle i8/u8 nonsense --- openssl/src/argon2.rs | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/openssl/src/argon2.rs b/openssl/src/argon2.rs index 1e955b6ad4..f46bdc2aff 100644 --- a/openssl/src/argon2.rs +++ b/openssl/src/argon2.rs @@ -1,29 +1,25 @@ -use std::ffi::c_void; +use std::ffi::{c_void, CStr}; use std::ptr; use crate::error::ErrorStack; use crate::{cvt, cvt_p}; -struct EvpKdf { - kdf: *mut ffi::EVP_KDF, -} +struct EvpKdf(*mut ffi::EVP_KDF); impl Drop for EvpKdf { fn drop(&mut self) { unsafe { - ffi::EVP_KDF_free(self.kdf); + ffi::EVP_KDF_free(self.0); } } } -struct EvpKdfCtx { - ctx: *mut ffi::EVP_KDF_CTX, -} +struct EvpKdfCtx(*mut ffi::EVP_KDF_CTX); impl Drop for EvpKdfCtx { fn drop(&mut self) { unsafe { - ffi::EVP_KDF_CTX_free(self.ctx); + ffi::EVP_KDF_CTX_free(self.0); } } } @@ -94,16 +90,17 @@ pub fn argon2id( let param_end = ffi::OSSL_PARAM_construct_end(); params.push(param_end); + let argon2id = CStr::from_bytes_with_nul(b"ARGON2ID\0").unwrap(); let argon2_p = cvt_p(ffi::EVP_KDF_fetch( ptr::null_mut(), - b"ARGON2ID\0".as_ptr() as *const i8, + argon2id.as_ptr(), ptr::null(), ))?; - let argon2 = EvpKdf { kdf: argon2_p }; - let ctx_p = cvt_p(ffi::EVP_KDF_CTX_new(argon2.kdf))?; - let ctx = EvpKdfCtx { ctx: ctx_p }; + let argon2 = EvpKdf(argon2_p); + let ctx_p = cvt_p(ffi::EVP_KDF_CTX_new(argon2.0))?; + let ctx = EvpKdfCtx(ctx_p); cvt(ffi::EVP_KDF_derive( - ctx.ctx, + ctx.0, out.as_mut_ptr(), out.len(), params.as_ptr(), From 04ffcf1e10d267a716376531ccbb0605a555bc70 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 31 Aug 2024 21:50:12 -0700 Subject: [PATCH 23/46] speeeeeeed --- openssl/src/argon2.rs | 51 ++++++++++++++++++++++--------------------- 1 file changed, 26 insertions(+), 25 deletions(-) diff --git a/openssl/src/argon2.rs b/openssl/src/argon2.rs index f46bdc2aff..f28c17794f 100644 --- a/openssl/src/argon2.rs +++ b/openssl/src/argon2.rs @@ -1,4 +1,5 @@ use std::ffi::{c_void, CStr}; +use std::mem::MaybeUninit; use std::ptr; use crate::error::ErrorStack; @@ -44,51 +45,51 @@ pub fn argon2id( assert!(threads == 1); unsafe { ffi::init(); - let mut params = vec![]; - let param_pass = ffi::OSSL_PARAM_construct_octet_string( + let mut params: [ffi::OSSL_PARAM; 10] = + core::array::from_fn(|_| MaybeUninit::::zeroed().assume_init()); + let mut idx = 0; + params[idx] = ffi::OSSL_PARAM_construct_octet_string( b"pass\0".as_ptr() as *const i8, pass.as_ptr() as *mut c_void, pass.len(), ); - params.push(param_pass); - let param_salt = ffi::OSSL_PARAM_construct_octet_string( + idx += 1; + params[idx] = ffi::OSSL_PARAM_construct_octet_string( b"salt\0".as_ptr() as *const i8, salt.as_ptr() as *mut c_void, salt.len(), ); - params.push(param_salt); + idx += 1; + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"threads\0".as_ptr() as *const i8, &mut threads); + idx += 1; + params[idx] = ffi::OSSL_PARAM_construct_uint(b"lanes\0".as_ptr() as *const i8, &mut lanes); + idx += 1; + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"memcost\0".as_ptr() as *const i8, &mut memcost); + idx += 1; + params[idx] = ffi::OSSL_PARAM_construct_uint(b"iter\0".as_ptr() as *const i8, &mut iter); + idx += 1; + let mut size = out.len() as u32; + params[idx] = ffi::OSSL_PARAM_construct_uint(b"size\0".as_ptr() as *const i8, &mut size); + idx += 1; if let Some(ad) = ad { - let param_ad = ffi::OSSL_PARAM_construct_octet_string( + params[idx] = ffi::OSSL_PARAM_construct_octet_string( b"ad\0".as_ptr() as *const i8, ad.as_ptr() as *mut c_void, ad.len(), ); - params.push(param_ad); + idx += 1; } if let Some(secret) = secret { - let param_secret = ffi::OSSL_PARAM_construct_octet_string( + params[idx] = ffi::OSSL_PARAM_construct_octet_string( b"secret\0".as_ptr() as *const i8, secret.as_ptr() as *mut c_void, secret.len(), ); - params.push(param_secret); + idx += 1; } - let param_threads = - ffi::OSSL_PARAM_construct_uint(b"threads\0".as_ptr() as *const i8, &mut threads); - params.push(param_threads); - let param_lanes = - ffi::OSSL_PARAM_construct_uint(b"lanes\0".as_ptr() as *const i8, &mut lanes); - params.push(param_lanes); - let param_memcost = - ffi::OSSL_PARAM_construct_uint(b"memcost\0".as_ptr() as *const i8, &mut memcost); - params.push(param_memcost); - let param_iter = ffi::OSSL_PARAM_construct_uint(b"iter\0".as_ptr() as *const i8, &mut iter); - params.push(param_iter); - let mut size = out.len() as u32; - let param_size = ffi::OSSL_PARAM_construct_uint(b"size\0".as_ptr() as *const i8, &mut size); - params.push(param_size); - let param_end = ffi::OSSL_PARAM_construct_end(); - params.push(param_end); + params[idx] = ffi::OSSL_PARAM_construct_end(); let argon2id = CStr::from_bytes_with_nul(b"ARGON2ID\0").unwrap(); let argon2_p = cvt_p(ffi::EVP_KDF_fetch( From 826f2a0a82e57ccd16941f75daa5e7bc24b5e89e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 1 Sep 2024 06:56:40 -0700 Subject: [PATCH 24/46] use c_char --- openssl/src/argon2.rs | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/openssl/src/argon2.rs b/openssl/src/argon2.rs index f28c17794f..836b45dce0 100644 --- a/openssl/src/argon2.rs +++ b/openssl/src/argon2.rs @@ -1,4 +1,4 @@ -use std::ffi::{c_void, CStr}; +use std::ffi::{c_char, c_void}; use std::mem::MaybeUninit; use std::ptr; @@ -49,33 +49,36 @@ pub fn argon2id( core::array::from_fn(|_| MaybeUninit::::zeroed().assume_init()); let mut idx = 0; params[idx] = ffi::OSSL_PARAM_construct_octet_string( - b"pass\0".as_ptr() as *const i8, + b"pass\0".as_ptr() as *const c_char, pass.as_ptr() as *mut c_void, pass.len(), ); idx += 1; params[idx] = ffi::OSSL_PARAM_construct_octet_string( - b"salt\0".as_ptr() as *const i8, + b"salt\0".as_ptr() as *const c_char, salt.as_ptr() as *mut c_void, salt.len(), ); idx += 1; params[idx] = - ffi::OSSL_PARAM_construct_uint(b"threads\0".as_ptr() as *const i8, &mut threads); + ffi::OSSL_PARAM_construct_uint(b"threads\0".as_ptr() as *const c_char, &mut threads); idx += 1; - params[idx] = ffi::OSSL_PARAM_construct_uint(b"lanes\0".as_ptr() as *const i8, &mut lanes); + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"lanes\0".as_ptr() as *const c_char, &mut lanes); idx += 1; params[idx] = - ffi::OSSL_PARAM_construct_uint(b"memcost\0".as_ptr() as *const i8, &mut memcost); + ffi::OSSL_PARAM_construct_uint(b"memcost\0".as_ptr() as *const c_char, &mut memcost); idx += 1; - params[idx] = ffi::OSSL_PARAM_construct_uint(b"iter\0".as_ptr() as *const i8, &mut iter); + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"iter\0".as_ptr() as *const c_char, &mut iter); idx += 1; let mut size = out.len() as u32; - params[idx] = ffi::OSSL_PARAM_construct_uint(b"size\0".as_ptr() as *const i8, &mut size); + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"size\0".as_ptr() as *const c_char, &mut size); idx += 1; if let Some(ad) = ad { params[idx] = ffi::OSSL_PARAM_construct_octet_string( - b"ad\0".as_ptr() as *const i8, + b"ad\0".as_ptr() as *const c_char, ad.as_ptr() as *mut c_void, ad.len(), ); @@ -83,7 +86,7 @@ pub fn argon2id( } if let Some(secret) = secret { params[idx] = ffi::OSSL_PARAM_construct_octet_string( - b"secret\0".as_ptr() as *const i8, + b"secret\0".as_ptr() as *const c_char, secret.as_ptr() as *mut c_void, secret.len(), ); @@ -91,10 +94,9 @@ pub fn argon2id( } params[idx] = ffi::OSSL_PARAM_construct_end(); - let argon2id = CStr::from_bytes_with_nul(b"ARGON2ID\0").unwrap(); let argon2_p = cvt_p(ffi::EVP_KDF_fetch( ptr::null_mut(), - argon2id.as_ptr(), + b"ARGON2ID\0".as_ptr() as *const c_char, ptr::null(), ))?; let argon2 = EvpKdf(argon2_p); From 5ff8594e9c98f2ffbaf677c663dce8d4ff72fa88 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 1 Sep 2024 14:49:20 -0700 Subject: [PATCH 25/46] rename to kdf, remove thread arg --- openssl/src/argon2.rs | 165 ------------------------------------------ openssl/src/kdf.rs | 162 +++++++++++++++++++++++++++++++++++++++++ openssl/src/lib.rs | 3 +- 3 files changed, 163 insertions(+), 167 deletions(-) delete mode 100644 openssl/src/argon2.rs create mode 100644 openssl/src/kdf.rs diff --git a/openssl/src/argon2.rs b/openssl/src/argon2.rs deleted file mode 100644 index 836b45dce0..0000000000 --- a/openssl/src/argon2.rs +++ /dev/null @@ -1,165 +0,0 @@ -use std::ffi::{c_char, c_void}; -use std::mem::MaybeUninit; -use std::ptr; - -use crate::error::ErrorStack; -use crate::{cvt, cvt_p}; - -struct EvpKdf(*mut ffi::EVP_KDF); - -impl Drop for EvpKdf { - fn drop(&mut self) { - unsafe { - ffi::EVP_KDF_free(self.0); - } - } -} - -struct EvpKdfCtx(*mut ffi::EVP_KDF_CTX); - -impl Drop for EvpKdfCtx { - fn drop(&mut self) { - unsafe { - ffi::EVP_KDF_CTX_free(self.0); - } - } -} - -/// Derives a key using the argon2id algorithm. -/// -/// Requires OpenSSL 3.2.0 or newer. -#[allow(clippy::too_many_arguments)] -pub fn argon2id( - pass: &[u8], - salt: &[u8], - ad: Option<&[u8]>, - secret: Option<&[u8]>, - mut iter: u32, - mut threads: u32, - mut lanes: u32, - mut memcost: u32, - out: &mut [u8], -) -> Result<(), ErrorStack> { - // We only support single-threaded operation for now since rust-openssl doesn't - // bind OSSL_set_max_threads - assert!(threads == 1); - unsafe { - ffi::init(); - let mut params: [ffi::OSSL_PARAM; 10] = - core::array::from_fn(|_| MaybeUninit::::zeroed().assume_init()); - let mut idx = 0; - params[idx] = ffi::OSSL_PARAM_construct_octet_string( - b"pass\0".as_ptr() as *const c_char, - pass.as_ptr() as *mut c_void, - pass.len(), - ); - idx += 1; - params[idx] = ffi::OSSL_PARAM_construct_octet_string( - b"salt\0".as_ptr() as *const c_char, - salt.as_ptr() as *mut c_void, - salt.len(), - ); - idx += 1; - params[idx] = - ffi::OSSL_PARAM_construct_uint(b"threads\0".as_ptr() as *const c_char, &mut threads); - idx += 1; - params[idx] = - ffi::OSSL_PARAM_construct_uint(b"lanes\0".as_ptr() as *const c_char, &mut lanes); - idx += 1; - params[idx] = - ffi::OSSL_PARAM_construct_uint(b"memcost\0".as_ptr() as *const c_char, &mut memcost); - idx += 1; - params[idx] = - ffi::OSSL_PARAM_construct_uint(b"iter\0".as_ptr() as *const c_char, &mut iter); - idx += 1; - let mut size = out.len() as u32; - params[idx] = - ffi::OSSL_PARAM_construct_uint(b"size\0".as_ptr() as *const c_char, &mut size); - idx += 1; - if let Some(ad) = ad { - params[idx] = ffi::OSSL_PARAM_construct_octet_string( - b"ad\0".as_ptr() as *const c_char, - ad.as_ptr() as *mut c_void, - ad.len(), - ); - idx += 1; - } - if let Some(secret) = secret { - params[idx] = ffi::OSSL_PARAM_construct_octet_string( - b"secret\0".as_ptr() as *const c_char, - secret.as_ptr() as *mut c_void, - secret.len(), - ); - idx += 1; - } - params[idx] = ffi::OSSL_PARAM_construct_end(); - - let argon2_p = cvt_p(ffi::EVP_KDF_fetch( - ptr::null_mut(), - b"ARGON2ID\0".as_ptr() as *const c_char, - ptr::null(), - ))?; - let argon2 = EvpKdf(argon2_p); - let ctx_p = cvt_p(ffi::EVP_KDF_CTX_new(argon2.0))?; - let ctx = EvpKdfCtx(ctx_p); - cvt(ffi::EVP_KDF_derive( - ctx.0, - out.as_mut_ptr(), - out.len(), - params.as_ptr(), - )) - .map(|_| ()) - } -} - -#[cfg(test)] -mod tests { - #[test] - fn argon2id() { - // RFC 9106 test vector for argon2id - let pass = hex::decode("0101010101010101010101010101010101010101010101010101010101010101") - .unwrap(); - let salt = hex::decode("02020202020202020202020202020202").unwrap(); - let secret = hex::decode("0303030303030303").unwrap(); - let ad = hex::decode("040404040404040404040404").unwrap(); - let expected = "0d640df58d78766c08c037a34a8b53c9d01ef0452d75b65eb52520e96b01e659"; - - let mut actual = [0 as u8; 32]; - super::argon2id( - &pass, - &salt, - Some(&ad), - Some(&secret), - 3, - 1, - 4, - 32, - &mut actual, - ) - .unwrap(); - assert_eq!(hex::encode(&actual[..]), expected); - } - - #[test] - fn argon2id_no_ad_secret() { - // Test vector from OpenSSL - let pass = ""; - let salt = hex::decode("02020202020202020202020202020202").unwrap(); - let expected = "0a34f1abde67086c82e785eaf17c68382259a264f4e61b91cd2763cb75ac189a"; - - let mut actual = [0 as u8; 32]; - super::argon2id( - &pass.as_bytes(), - &salt, - None, - None, - 3, - 1, - 4, - 32, - &mut actual, - ) - .unwrap(); - assert_eq!(hex::encode(&actual[..]), expected); - } -} diff --git a/openssl/src/kdf.rs b/openssl/src/kdf.rs new file mode 100644 index 0000000000..4bd89cc6d1 --- /dev/null +++ b/openssl/src/kdf.rs @@ -0,0 +1,162 @@ +#[cfg(ossl300)] +struct EvpKdf(*mut ffi::EVP_KDF); + +#[cfg(ossl300)] +impl Drop for EvpKdf { + fn drop(&mut self) { + unsafe { + ffi::EVP_KDF_free(self.0); + } + } +} + +#[cfg(ossl300)] +struct EvpKdfCtx(*mut ffi::EVP_KDF_CTX); + +#[cfg(ossl300)] +impl Drop for EvpKdfCtx { + fn drop(&mut self) { + unsafe { + ffi::EVP_KDF_CTX_free(self.0); + } + } +} + +cfg_if::cfg_if! { + if #[cfg(all(ossl320, not(osslconf = "OPENSSL_NO_ARGON2")))] { + use std::ffi::{c_char, c_void}; + use std::mem::MaybeUninit; + use std::ptr; + use crate::{cvt, cvt_p}; + use crate::error::ErrorStack; + + /// Derives a key using the argon2id algorithm. + /// + /// This function currently does not support multi-threaded operation, so + /// lanes greater than 1 will be processed sequentially. + /// + /// Requires OpenSSL 3.2.0 or newer. + #[allow(clippy::too_many_arguments)] + pub fn argon2id( + pass: &[u8], + salt: &[u8], + ad: Option<&[u8]>, + secret: Option<&[u8]>, + mut iter: u32, + mut lanes: u32, + mut memcost: u32, + out: &mut [u8], + ) -> Result<(), ErrorStack> { + unsafe { + ffi::init(); + let mut threads = 1; + let mut params: [ffi::OSSL_PARAM; 10] = + core::array::from_fn(|_| MaybeUninit::::zeroed().assume_init()); + let mut idx = 0; + params[idx] = ffi::OSSL_PARAM_construct_octet_string( + b"pass\0".as_ptr() as *const c_char, + pass.as_ptr() as *mut c_void, + pass.len(), + ); + idx += 1; + params[idx] = ffi::OSSL_PARAM_construct_octet_string( + b"salt\0".as_ptr() as *const c_char, + salt.as_ptr() as *mut c_void, + salt.len(), + ); + idx += 1; + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"threads\0".as_ptr() as *const c_char, &mut threads); + idx += 1; + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"lanes\0".as_ptr() as *const c_char, &mut lanes); + idx += 1; + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"memcost\0".as_ptr() as *const c_char, &mut memcost); + idx += 1; + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"iter\0".as_ptr() as *const c_char, &mut iter); + idx += 1; + let mut size = out.len() as u32; + params[idx] = + ffi::OSSL_PARAM_construct_uint(b"size\0".as_ptr() as *const c_char, &mut size); + idx += 1; + if let Some(ad) = ad { + params[idx] = ffi::OSSL_PARAM_construct_octet_string( + b"ad\0".as_ptr() as *const c_char, + ad.as_ptr() as *mut c_void, + ad.len(), + ); + idx += 1; + } + if let Some(secret) = secret { + params[idx] = ffi::OSSL_PARAM_construct_octet_string( + b"secret\0".as_ptr() as *const c_char, + secret.as_ptr() as *mut c_void, + secret.len(), + ); + idx += 1; + } + params[idx] = ffi::OSSL_PARAM_construct_end(); + + let argon2_p = cvt_p(ffi::EVP_KDF_fetch( + ptr::null_mut(), + b"ARGON2ID\0".as_ptr() as *const c_char, + ptr::null(), + ))?; + let argon2 = EvpKdf(argon2_p); + let ctx_p = cvt_p(ffi::EVP_KDF_CTX_new(argon2.0))?; + let ctx = EvpKdfCtx(ctx_p); + cvt(ffi::EVP_KDF_derive( + ctx.0, + out.as_mut_ptr(), + out.len(), + params.as_ptr(), + )) + .map(|_| ()) + } + } + } +} + +#[cfg(test)] +mod tests { + #[test] + #[cfg(all(ossl320, not(osslconf = "OPENSSL_NO_ARGON2")))] + fn argon2id() { + // RFC 9106 test vector for argon2id + let pass = hex::decode("0101010101010101010101010101010101010101010101010101010101010101") + .unwrap(); + let salt = hex::decode("02020202020202020202020202020202").unwrap(); + let secret = hex::decode("0303030303030303").unwrap(); + let ad = hex::decode("040404040404040404040404").unwrap(); + let expected = "0d640df58d78766c08c037a34a8b53c9d01ef0452d75b65eb52520e96b01e659"; + + let mut actual = [0 as u8; 32]; + super::argon2id( + &pass, + &salt, + Some(&ad), + Some(&secret), + 3, + 4, + 32, + &mut actual, + ) + .unwrap(); + assert_eq!(hex::encode(&actual[..]), expected); + } + + #[test] + #[cfg(all(ossl320, not(osslconf = "OPENSSL_NO_ARGON2")))] + fn argon2id_no_ad_secret() { + // Test vector from OpenSSL + let pass = ""; + let salt = hex::decode("02020202020202020202020202020202").unwrap(); + let expected = "0a34f1abde67086c82e785eaf17c68382259a264f4e61b91cd2763cb75ac189a"; + + let mut actual = [0 as u8; 32]; + super::argon2id(&pass.as_bytes(), &salt, None, None, 3, 4, 32, &mut actual).unwrap(); + assert_eq!(hex::encode(&actual[..]), expected); + } +} diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index d758d50852..5942734f58 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -148,8 +148,6 @@ mod bio; mod util; pub mod aes; #[cfg(ossl320)] -#[cfg(all(ossl320, not(osslconf = "OPENSSL_NO_ARGON2")))] -pub mod argon2; pub mod asn1; pub mod base64; pub mod bn; @@ -171,6 +169,7 @@ pub mod ex_data; #[cfg(not(any(libressl, ossl300)))] pub mod fips; pub mod hash; +pub mod kdf; #[cfg(ossl300)] pub mod lib_ctx; pub mod md; From 3e57d9a1d735f81268a2468c2efdb990fd6013c2 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 1 Sep 2024 14:55:59 -0700 Subject: [PATCH 26/46] oops + clippy --- openssl/src/kdf.rs | 6 +++--- openssl/src/lib.rs | 1 - 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/openssl/src/kdf.rs b/openssl/src/kdf.rs index 4bd89cc6d1..f60ee2e054 100644 --- a/openssl/src/kdf.rs +++ b/openssl/src/kdf.rs @@ -132,7 +132,7 @@ mod tests { let ad = hex::decode("040404040404040404040404").unwrap(); let expected = "0d640df58d78766c08c037a34a8b53c9d01ef0452d75b65eb52520e96b01e659"; - let mut actual = [0 as u8; 32]; + let mut actual = [0u8; 32]; super::argon2id( &pass, &salt, @@ -155,8 +155,8 @@ mod tests { let salt = hex::decode("02020202020202020202020202020202").unwrap(); let expected = "0a34f1abde67086c82e785eaf17c68382259a264f4e61b91cd2763cb75ac189a"; - let mut actual = [0 as u8; 32]; - super::argon2id(&pass.as_bytes(), &salt, None, None, 3, 4, 32, &mut actual).unwrap(); + let mut actual = [0u8; 32]; + super::argon2id(pass.as_bytes(), &salt, None, None, 3, 4, 32, &mut actual).unwrap(); assert_eq!(hex::encode(&actual[..]), expected); } } diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 5942734f58..c58e5bf598 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -147,7 +147,6 @@ mod bio; #[macro_use] mod util; pub mod aes; -#[cfg(ossl320)] pub mod asn1; pub mod base64; pub mod bn; From bef571b737f24a0732e7e64bbd5d7f6fc01d7b5b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 1 Sep 2024 15:02:33 -0700 Subject: [PATCH 27/46] EvpKdf and EvpKdfCtx are available in 3.0.0, but mark them ossl320 We don't use them anywhere that isn't 3.2.0+ right now and that makes clippy angry. It can be changed if and when these get used for methods on older versions --- openssl/src/kdf.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/openssl/src/kdf.rs b/openssl/src/kdf.rs index f60ee2e054..ff0c3e68ac 100644 --- a/openssl/src/kdf.rs +++ b/openssl/src/kdf.rs @@ -1,7 +1,7 @@ -#[cfg(ossl300)] +#[cfg(ossl320)] struct EvpKdf(*mut ffi::EVP_KDF); -#[cfg(ossl300)] +#[cfg(ossl320)] impl Drop for EvpKdf { fn drop(&mut self) { unsafe { @@ -10,10 +10,10 @@ impl Drop for EvpKdf { } } -#[cfg(ossl300)] +#[cfg(ossl320)] struct EvpKdfCtx(*mut ffi::EVP_KDF_CTX); -#[cfg(ossl300)] +#[cfg(ossl320)] impl Drop for EvpKdfCtx { fn drop(&mut self) { unsafe { From 700f6acdb5268bd48588541804d03af7c98eb4a2 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 1 Sep 2024 13:29:06 -0700 Subject: [PATCH 28/46] add ossl3 thread pool bindings --- openssl-sys/build/main.rs | 2 +- openssl-sys/build/run_bindgen.rs | 4 ++++ openssl-sys/src/handwritten/mod.rs | 4 ++++ openssl-sys/src/handwritten/thread.rs | 7 +++++++ systest/build.rs | 4 ++++ 5 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 openssl-sys/src/handwritten/thread.rs diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 50ecc0f084..c5ed229619 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -74,7 +74,7 @@ fn check_ssl_kind() { } fn main() { - println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_COMP\", \"OPENSSL_NO_SOCK\", \"OPENSSL_NO_STDIO\", \"OPENSSL_NO_EC\", \"OPENSSL_NO_SSL3_METHOD\", \"OPENSSL_NO_KRB5\", \"OPENSSL_NO_TLSEXT\", \"OPENSSL_NO_SRP\", \"OPENSSL_NO_RFC3779\", \"OPENSSL_NO_SHA\", \"OPENSSL_NO_NEXTPROTONEG\", \"OPENSSL_NO_ENGINE\", \"OPENSSL_NO_BUF_FREELISTS\"))"); + println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_THREADS\", \"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_COMP\", \"OPENSSL_NO_SOCK\", \"OPENSSL_NO_STDIO\", \"OPENSSL_NO_EC\", \"OPENSSL_NO_SSL3_METHOD\", \"OPENSSL_NO_KRB5\", \"OPENSSL_NO_TLSEXT\", \"OPENSSL_NO_SRP\", \"OPENSSL_NO_RFC3779\", \"OPENSSL_NO_SHA\", \"OPENSSL_NO_NEXTPROTONEG\", \"OPENSSL_NO_ENGINE\", \"OPENSSL_NO_BUF_FREELISTS\"))"); println!("cargo:rustc-check-cfg=cfg(openssl)"); println!("cargo:rustc-check-cfg=cfg(libressl)"); diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index ffaecdc81b..db31cbb631 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -63,6 +63,10 @@ const INCLUDES: &str = " #if defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL) #include #endif + +#if OPENSSL_VERSION_NUMBER >= 0x30200000 && defined(OPENSSL_THREADS) +#include +#endif "; #[cfg(feature = "bindgen")] diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index f54ec9be5e..35776486d1 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -29,6 +29,8 @@ pub use self::sha::*; pub use self::srtp::*; pub use self::ssl::*; pub use self::stack::*; +#[cfg(all(ossl320, osslconf = "OPENSSL_THREADS"))] +pub use self::thread::*; pub use self::tls1::*; pub use self::types::*; pub use self::x509::*; @@ -66,6 +68,8 @@ mod sha; mod srtp; mod ssl; mod stack; +#[cfg(all(ossl320, osslconf = "OPENSSL_THREADS"))] +mod thread; mod tls1; mod types; mod x509; diff --git a/openssl-sys/src/handwritten/thread.rs b/openssl-sys/src/handwritten/thread.rs new file mode 100644 index 0000000000..de661e1c5c --- /dev/null +++ b/openssl-sys/src/handwritten/thread.rs @@ -0,0 +1,7 @@ +use super::super::*; +use libc::*; + +extern "C" { + pub fn OSSL_set_max_threads(ctx: *mut OSSL_LIB_CTX, max_threads: u64) -> c_int; + pub fn OSSL_get_max_threads(ctx: *mut OSSL_LIB_CTX) -> u64; +} diff --git a/systest/build.rs b/systest/build.rs index 56230ada60..dde28b5009 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -85,6 +85,10 @@ fn main() { if version >= 0x30000000 { cfg.header("openssl/provider.h"); } + if version >= 0x30200000 { + // thread is present as a header even if OPENSSL_THREADS is not defined + cfg.header("openssl/thread.h"); + } } #[allow(clippy::if_same_then_else)] From 98521685baa9ef9e1330fdccd6be40bf88f81f64 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 1 Sep 2024 16:53:17 -0700 Subject: [PATCH 29/46] Apply suggestions from code review Co-authored-by: Alex Gaynor --- openssl/src/kdf.rs | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/openssl/src/kdf.rs b/openssl/src/kdf.rs index ff0c3e68ac..dbe5680253 100644 --- a/openssl/src/kdf.rs +++ b/openssl/src/kdf.rs @@ -99,14 +99,12 @@ cfg_if::cfg_if! { } params[idx] = ffi::OSSL_PARAM_construct_end(); - let argon2_p = cvt_p(ffi::EVP_KDF_fetch( + let argon2 = EvpKdf(cvt_p(ffi::EVP_KDF_fetch( ptr::null_mut(), b"ARGON2ID\0".as_ptr() as *const c_char, ptr::null(), - ))?; - let argon2 = EvpKdf(argon2_p); - let ctx_p = cvt_p(ffi::EVP_KDF_CTX_new(argon2.0))?; - let ctx = EvpKdfCtx(ctx_p); + ))?); + let ctx = EvpKdfCtx(cvt_p(ffi::EVP_KDF_CTX_new(argon2.0))?); cvt(ffi::EVP_KDF_derive( ctx.0, out.as_mut_ptr(), @@ -151,12 +149,12 @@ mod tests { #[cfg(all(ossl320, not(osslconf = "OPENSSL_NO_ARGON2")))] fn argon2id_no_ad_secret() { // Test vector from OpenSSL - let pass = ""; + let pass = b""; let salt = hex::decode("02020202020202020202020202020202").unwrap(); let expected = "0a34f1abde67086c82e785eaf17c68382259a264f4e61b91cd2763cb75ac189a"; let mut actual = [0u8; 32]; - super::argon2id(pass.as_bytes(), &salt, None, None, 3, 4, 32, &mut actual).unwrap(); + super::argon2id(pass, &salt, None, None, 3, 4, 32, &mut actual).unwrap(); assert_eq!(hex::encode(&actual[..]), expected); } } From ad7d2c55f49c5b97155c5d26e9cf763ab5a0157f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 2 Sep 2024 20:18:06 -0700 Subject: [PATCH 30/46] fix 3.2.0 thread support and simplify --- openssl-sys/build/main.rs | 2 +- openssl-sys/build/run_bindgen.rs | 2 +- openssl-sys/src/handwritten/mod.rs | 4 ++-- systest/build.rs | 1 - 4 files changed, 4 insertions(+), 5 deletions(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index c5ed229619..50ecc0f084 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -74,7 +74,7 @@ fn check_ssl_kind() { } fn main() { - println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_THREADS\", \"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_COMP\", \"OPENSSL_NO_SOCK\", \"OPENSSL_NO_STDIO\", \"OPENSSL_NO_EC\", \"OPENSSL_NO_SSL3_METHOD\", \"OPENSSL_NO_KRB5\", \"OPENSSL_NO_TLSEXT\", \"OPENSSL_NO_SRP\", \"OPENSSL_NO_RFC3779\", \"OPENSSL_NO_SHA\", \"OPENSSL_NO_NEXTPROTONEG\", \"OPENSSL_NO_ENGINE\", \"OPENSSL_NO_BUF_FREELISTS\"))"); + println!("cargo:rustc-check-cfg=cfg(osslconf, values(\"OPENSSL_NO_OCB\", \"OPENSSL_NO_SM4\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_CHACHA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_RC4\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_PSK\", \"OPENSSL_NO_DEPRECATED_3_0\", \"OPENSSL_NO_SCRYPT\", \"OPENSSL_NO_SM3\", \"OPENSSL_NO_RMD160\", \"OPENSSL_NO_EC2M\", \"OPENSSL_NO_OCSP\", \"OPENSSL_NO_CMS\", \"OPENSSL_NO_COMP\", \"OPENSSL_NO_SOCK\", \"OPENSSL_NO_STDIO\", \"OPENSSL_NO_EC\", \"OPENSSL_NO_SSL3_METHOD\", \"OPENSSL_NO_KRB5\", \"OPENSSL_NO_TLSEXT\", \"OPENSSL_NO_SRP\", \"OPENSSL_NO_RFC3779\", \"OPENSSL_NO_SHA\", \"OPENSSL_NO_NEXTPROTONEG\", \"OPENSSL_NO_ENGINE\", \"OPENSSL_NO_BUF_FREELISTS\"))"); println!("cargo:rustc-check-cfg=cfg(openssl)"); println!("cargo:rustc-check-cfg=cfg(libressl)"); diff --git a/openssl-sys/build/run_bindgen.rs b/openssl-sys/build/run_bindgen.rs index db31cbb631..27bd482b38 100644 --- a/openssl-sys/build/run_bindgen.rs +++ b/openssl-sys/build/run_bindgen.rs @@ -64,7 +64,7 @@ const INCLUDES: &str = " #include #endif -#if OPENSSL_VERSION_NUMBER >= 0x30200000 && defined(OPENSSL_THREADS) +#if OPENSSL_VERSION_NUMBER >= 0x30200000 #include #endif "; diff --git a/openssl-sys/src/handwritten/mod.rs b/openssl-sys/src/handwritten/mod.rs index 35776486d1..47b3360fd8 100644 --- a/openssl-sys/src/handwritten/mod.rs +++ b/openssl-sys/src/handwritten/mod.rs @@ -29,7 +29,7 @@ pub use self::sha::*; pub use self::srtp::*; pub use self::ssl::*; pub use self::stack::*; -#[cfg(all(ossl320, osslconf = "OPENSSL_THREADS"))] +#[cfg(ossl320)] pub use self::thread::*; pub use self::tls1::*; pub use self::types::*; @@ -68,7 +68,7 @@ mod sha; mod srtp; mod ssl; mod stack; -#[cfg(all(ossl320, osslconf = "OPENSSL_THREADS"))] +#[cfg(ossl320)] mod thread; mod tls1; mod types; diff --git a/systest/build.rs b/systest/build.rs index dde28b5009..fc970f410a 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -86,7 +86,6 @@ fn main() { cfg.header("openssl/provider.h"); } if version >= 0x30200000 { - // thread is present as a header even if OPENSSL_THREADS is not defined cfg.header("openssl/thread.h"); } } From 5ea9a1238812e417964d421f89254e5984fc2404 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 2 Sep 2024 20:36:41 -0700 Subject: [PATCH 31/46] add libctx arg to argon2id --- openssl/src/kdf.rs | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/openssl/src/kdf.rs b/openssl/src/kdf.rs index dbe5680253..4e3ab157b2 100644 --- a/openssl/src/kdf.rs +++ b/openssl/src/kdf.rs @@ -27,7 +27,9 @@ cfg_if::cfg_if! { use std::ffi::{c_char, c_void}; use std::mem::MaybeUninit; use std::ptr; + use foreign_types::ForeignTypeRef; use crate::{cvt, cvt_p}; + use crate::lib_ctx::LibCtxRef; use crate::error::ErrorStack; /// Derives a key using the argon2id algorithm. @@ -38,6 +40,7 @@ cfg_if::cfg_if! { /// Requires OpenSSL 3.2.0 or newer. #[allow(clippy::too_many_arguments)] pub fn argon2id( + ctx: Option<&LibCtxRef>, pass: &[u8], salt: &[u8], ad: Option<&[u8]>, @@ -49,6 +52,8 @@ cfg_if::cfg_if! { ) -> Result<(), ErrorStack> { unsafe { ffi::init(); + let libctx = ctx.map_or(ptr::null_mut(), ForeignTypeRef::as_ptr); + let mut threads = 1; let mut params: [ffi::OSSL_PARAM; 10] = core::array::from_fn(|_| MaybeUninit::::zeroed().assume_init()); @@ -100,7 +105,7 @@ cfg_if::cfg_if! { params[idx] = ffi::OSSL_PARAM_construct_end(); let argon2 = EvpKdf(cvt_p(ffi::EVP_KDF_fetch( - ptr::null_mut(), + libctx, b"ARGON2ID\0".as_ptr() as *const c_char, ptr::null(), ))?); @@ -132,6 +137,7 @@ mod tests { let mut actual = [0u8; 32]; super::argon2id( + None, &pass, &salt, Some(&ad), @@ -154,7 +160,7 @@ mod tests { let expected = "0a34f1abde67086c82e785eaf17c68382259a264f4e61b91cd2763cb75ac189a"; let mut actual = [0u8; 32]; - super::argon2id(pass, &salt, None, None, 3, 4, 32, &mut actual).unwrap(); + super::argon2id(None, pass, &salt, None, None, 3, 4, 32, &mut actual).unwrap(); assert_eq!(hex::encode(&actual[..]), expected); } } From b3bb5f40b55b1bccbfadf7cc24d5d44fad22c7df Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 2 Sep 2024 20:49:29 -0700 Subject: [PATCH 32/46] support using threads in argon2id --- openssl/src/kdf.rs | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/openssl/src/kdf.rs b/openssl/src/kdf.rs index 4e3ab157b2..4f6b1f8aab 100644 --- a/openssl/src/kdf.rs +++ b/openssl/src/kdf.rs @@ -24,6 +24,7 @@ impl Drop for EvpKdfCtx { cfg_if::cfg_if! { if #[cfg(all(ossl320, not(osslconf = "OPENSSL_NO_ARGON2")))] { + use std::cmp; use std::ffi::{c_char, c_void}; use std::mem::MaybeUninit; use std::ptr; @@ -34,8 +35,9 @@ cfg_if::cfg_if! { /// Derives a key using the argon2id algorithm. /// - /// This function currently does not support multi-threaded operation, so - /// lanes greater than 1 will be processed sequentially. + /// To use multiple cores to process the lanes in parallel you must + /// set a global max thread count using `OSSL_set_max_threads`. On + /// builds with no threads all lanes will be processed sequentially. /// /// Requires OpenSSL 3.2.0 or newer. #[allow(clippy::too_many_arguments)] @@ -54,7 +56,14 @@ cfg_if::cfg_if! { ffi::init(); let libctx = ctx.map_or(ptr::null_mut(), ForeignTypeRef::as_ptr); + let max_threads = ffi::OSSL_get_max_threads(libctx); let mut threads = 1; + // If max_threads is 0, then this isn't a threaded build. + // If max_threads is > u32::MAX we need to clamp since + // argon2id's threads parameter is a u32. + if max_threads > 0 { + threads = cmp::min(lanes, cmp::min(max_threads, u32::MAX as u64) as u32); + } let mut params: [ffi::OSSL_PARAM; 10] = core::array::from_fn(|_| MaybeUninit::::zeroed().assume_init()); let mut idx = 0; From 350f1c26e0c0d0b148378ef7d408685fba5c185d Mon Sep 17 00:00:00 2001 From: Kornel Date: Wed, 28 Aug 2024 14:19:45 +0100 Subject: [PATCH 33/46] Print fatal error without backtrace noise --- openssl-sys/build/find_normal.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 1e910a0eee..facb80ce94 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -187,7 +187,8 @@ https://github.com/sfackler/rust-openssl#windows ); } - panic!("{}", msg); + eprintln!("{}", msg); + std::process::exit(101); // same as panic previously } /// Attempt to find OpenSSL through pkg-config. From 3815c15092004b8124846b49a24689c6342cf80c Mon Sep 17 00:00:00 2001 From: Kornel Date: Wed, 28 Aug 2024 14:41:14 +0100 Subject: [PATCH 34/46] Format pkg_config error --- openssl-sys/build/find_normal.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index facb80ce94..73613760b9 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -213,7 +213,7 @@ fn try_pkg_config() { { Ok(lib) => lib, Err(e) => { - println!("run pkg_config fail: {:?}", e); + println!("\n\nCould not find openssl via pkg-config:\n{}\n", e); return; } }; From eeb920f85179af6dbe373caf048f0deffa378c1a Mon Sep 17 00:00:00 2001 From: Kornel Date: Wed, 28 Aug 2024 14:41:29 +0100 Subject: [PATCH 35/46] Emit cargo:warning as well --- openssl-sys/build/find_normal.rs | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/openssl-sys/build/find_normal.rs b/openssl-sys/build/find_normal.rs index 73613760b9..1439e9ab30 100644 --- a/openssl-sys/build/find_normal.rs +++ b/openssl-sys/build/find_normal.rs @@ -102,13 +102,21 @@ fn find_openssl_dir(target: &str) -> OsString { return OsString::from("/usr/local"); } + let msg_header = + "Could not find directory of OpenSSL installation, and this `-sys` crate cannot +proceed without this knowledge. If OpenSSL is installed and this crate had +trouble finding it, you can set the `OPENSSL_DIR` environment variable for the +compilation process."; + + println!( + "cargo:warning={} See stderr section below for further information.", + msg_header.replace('\n', " ") + ); + let mut msg = format!( " -Could not find directory of OpenSSL installation, and this `-sys` crate cannot -proceed without this knowledge. If OpenSSL is installed and this crate had -trouble finding it, you can set the `OPENSSL_DIR` environment variable for the -compilation process. +{} Make sure you also have the development packages of openssl installed. For example, `libssl-dev` on Ubuntu or `openssl-devel` on Fedora. @@ -122,6 +130,7 @@ $TARGET = {} openssl-sys = {} ", + msg_header, host, target, env!("CARGO_PKG_VERSION") From 2dd76ef8186fe3eacaab5ecbc7821d4e8bb1fc02 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 8 Sep 2024 15:38:15 -0400 Subject: [PATCH 36/46] Test against 3.4.0-alpha1 --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 52e712a11d..5366e8ff49 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -153,6 +153,8 @@ jobs: version: e23fe9b6eecc10e4f9ea1f0027fea5eaee7bd6b6 - name: openssl version: vendored + - name: openssl + version: 3.4.0-alpha1 - name: openssl version: 3.3.0 - name: openssl From 6654131d6a176bada798427568066fd62c1e8699 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 8 Sep 2024 15:53:41 -0400 Subject: [PATCH 37/46] download from github --- .github/workflows/ci.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5366e8ff49..b1c7b188f5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -159,18 +159,19 @@ jobs: version: 3.3.0 - name: openssl version: 3.2.0 - dl-path: / - name: openssl version: 1.1.1w - dl-path: / - name: openssl version: 1.1.0l + old: true dl-path: /old/1.1.0 - name: openssl version: 1.0.2u + old: true dl-path: /old/1.0.2 - name: openssl version: 1.0.1u + old: true dl-path: /old/1.0.1 include: - target: x86_64-unknown-linux-gnu @@ -257,7 +258,11 @@ jobs: run: | case "${{ matrix.library.name }}" in "openssl") - url="https://www.openssl.org/source${{ matrix.library.dl-path }}/openssl-${{ matrix.library.version }}.tar.gz" + if [[ "${{ matrix.library.old }}" == "true" ]]; then + url="https://www.openssl.org/source${{ matrix.library.dl-path }}/openssl-${{ matrix.library.version }}.tar.gz" + else + url="https://github.com/openssl/openssl/releases/download/openssl-${{ matrix.library.version }}/openssl-${{ matrix.library.version }}.tar.gz" + fi tar_flags="--strip-components=1" ;; "libressl") From 16e41768f254af561ea96e0274744fb35758fb83 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 8 Sep 2024 16:12:25 -0400 Subject: [PATCH 38/46] fixes --- openssl-sys/build/cfgs.rs | 3 +++ openssl-sys/build/main.rs | 1 + openssl-sys/src/evp.rs | 26 +++++++++++++++++++++----- openssl-sys/src/obj_mac.rs | 8 +++++++- 4 files changed, 32 insertions(+), 6 deletions(-) diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs index bbd3be59f3..cd03888e62 100644 --- a/openssl-sys/build/cfgs.rs +++ b/openssl-sys/build/cfgs.rs @@ -71,6 +71,9 @@ pub fn get(openssl_version: Option, libressl_version: Option) -> Vec<& } else { let openssl_version = openssl_version.unwrap(); + if openssl_version >= 0x3_04_00_00_0 { + cfgs.push("ossl340"); + } if openssl_version >= 0x3_03_00_00_0 { cfgs.push("ossl330"); } diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index 50ecc0f084..c9bddf5382 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -120,6 +120,7 @@ fn main() { println!("cargo:rustc-check-cfg=cfg(ossl310)"); println!("cargo:rustc-check-cfg=cfg(ossl320)"); println!("cargo:rustc-check-cfg=cfg(ossl330)"); + println!("cargo:rustc-check-cfg=cfg(ossl340)"); check_ssl_kind(); diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index a3a8a84fb5..4d26f0f607 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -184,12 +184,28 @@ cfg_if! { pub const EVP_PKEY_OP_DERIVE: c_int = 1 << 10; } } +#[cfg(ossl340)] +pub const EVP_PKEY_OP_SIGNMSG: c_int = 1 << 14; +#[cfg(ossl340)] +pub const EVP_PKEY_OP_VERIFYMSG: c_int = 1 << 15; -pub const EVP_PKEY_OP_TYPE_SIG: c_int = EVP_PKEY_OP_SIGN - | EVP_PKEY_OP_VERIFY - | EVP_PKEY_OP_VERIFYRECOVER - | EVP_PKEY_OP_SIGNCTX - | EVP_PKEY_OP_VERIFYCTX; +cfg_if! { + if #[cfg(ossl340)] { + pub const EVP_PKEY_OP_TYPE_SIG: c_int = EVP_PKEY_OP_SIGN + | EVP_PKEY_OP_SIGNMSG + | EVP_PKEY_OP_VERIFY + | EVP_PKEY_OP_VERIFYMSG + | EVP_PKEY_OP_VERIFYRECOVER + | EVP_PKEY_OP_SIGNCTX + | EVP_PKEY_OP_VERIFYCTX; + } else { + pub const EVP_PKEY_OP_TYPE_SIG: c_int = EVP_PKEY_OP_SIGN + | EVP_PKEY_OP_VERIFY + | EVP_PKEY_OP_VERIFYRECOVER + | EVP_PKEY_OP_SIGNCTX + | EVP_PKEY_OP_VERIFYCTX; + } +} pub const EVP_PKEY_OP_TYPE_CRYPT: c_int = EVP_PKEY_OP_ENCRYPT | EVP_PKEY_OP_DECRYPT; diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index 400f73388f..8dd720a7ac 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs @@ -346,7 +346,6 @@ pub const NID_id_mod_cmp2000: c_int = 284; pub const NID_info_access: c_int = 177; pub const NID_biometricInfo: c_int = 285; pub const NID_qcStatements: c_int = 286; -pub const NID_ac_auditEntity: c_int = 287; pub const NID_ac_targeting: c_int = 288; pub const NID_aaControls: c_int = 289; pub const NID_sbgp_ipAddrBlock: c_int = 290; @@ -1015,3 +1014,10 @@ pub const NID_shake256: c_int = 1101; pub const NID_chacha20_poly1305: c_int = 1018; #[cfg(libressl271)] pub const NID_chacha20_poly1305: c_int = 967; +cfg_if! { + if #[cfg(ossl340)] { + pub const NID_ac_auditEntity: c_int = 1323; + } else { + pub const NID_ac_auditEntity: c_int = 287; + } +} From 92130d57d3ff4a2c2bf487f85ecdb164cc712b1d Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 8 Sep 2024 16:25:51 -0400 Subject: [PATCH 39/46] remove bad test check --- openssl/src/version.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/openssl/src/version.rs b/openssl/src/version.rs index f1a324c12c..12ab3d8aec 100644 --- a/openssl/src/version.rs +++ b/openssl/src/version.rs @@ -131,5 +131,4 @@ fn test_versions() { if !built_on().is_empty() { assert!(built_on().starts_with("built on:")); } - assert!(dir().starts_with("OPENSSLDIR:")); } From 30607429a5fc0d3e283c302090f6e629649eacea Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 5 Oct 2024 08:04:57 -0500 Subject: [PATCH 40/46] Resolve clippy warnings from nightly --- .github/workflows/ci.yml | 1 + openssl/src/asn1.rs | 4 ++-- openssl/src/bio.rs | 2 +- openssl/src/bn.rs | 22 +++++++++++----------- openssl/src/derive.rs | 6 +++--- openssl/src/encrypt.rs | 12 ++++++------ openssl/src/ocsp.rs | 2 +- openssl/src/sign.rs | 10 +++++----- openssl/src/ssl/test/mod.rs | 6 +++--- openssl/src/stack.rs | 4 ++-- openssl/src/x509/mod.rs | 4 ++-- 11 files changed, 37 insertions(+), 36 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b1c7b188f5..2115a8ea3c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -160,6 +160,7 @@ jobs: - name: openssl version: 3.2.0 - name: openssl + old: true version: 1.1.1w - name: openssl version: 1.1.0l diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 03340820d0..19bd3b57bc 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -247,7 +247,7 @@ impl PartialEq for Asn1TimeRef { } #[cfg(any(ossl102, boringssl))] -impl<'a> PartialEq for &'a Asn1TimeRef { +impl PartialEq for &Asn1TimeRef { fn eq(&self, other: &Asn1Time) -> bool { self.diff(other) .map(|t| t.days == 0 && t.secs == 0) @@ -270,7 +270,7 @@ impl PartialOrd for Asn1TimeRef { } #[cfg(any(ossl102, boringssl))] -impl<'a> PartialOrd for &'a Asn1TimeRef { +impl PartialOrd for &Asn1TimeRef { fn partial_cmp(&self, other: &Asn1Time) -> Option { self.compare(other).ok() } diff --git a/openssl/src/bio.rs b/openssl/src/bio.rs index d5232d2ee1..e97374b8dd 100644 --- a/openssl/src/bio.rs +++ b/openssl/src/bio.rs @@ -9,7 +9,7 @@ use crate::util; pub struct MemBioSlice<'a>(*mut ffi::BIO, PhantomData<&'a [u8]>); -impl<'a> Drop for MemBioSlice<'a> { +impl Drop for MemBioSlice<'_> { fn drop(&mut self) { unsafe { ffi::BIO_free_all(self.0); diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index ba784aab1a..99292fd0fb 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -1272,7 +1272,7 @@ macro_rules! delegate { }; } -impl<'a, 'b> Add<&'b BigNumRef> for &'a BigNumRef { +impl Add<&BigNumRef> for &BigNumRef { type Output = BigNum; fn add(self, oth: &BigNumRef) -> BigNum { @@ -1284,7 +1284,7 @@ impl<'a, 'b> Add<&'b BigNumRef> for &'a BigNumRef { delegate!(Add, add); -impl<'a, 'b> Sub<&'b BigNumRef> for &'a BigNumRef { +impl Sub<&BigNumRef> for &BigNumRef { type Output = BigNum; fn sub(self, oth: &BigNumRef) -> BigNum { @@ -1296,7 +1296,7 @@ impl<'a, 'b> Sub<&'b BigNumRef> for &'a BigNumRef { delegate!(Sub, sub); -impl<'a, 'b> Mul<&'b BigNumRef> for &'a BigNumRef { +impl Mul<&BigNumRef> for &BigNumRef { type Output = BigNum; fn mul(self, oth: &BigNumRef) -> BigNum { @@ -1309,7 +1309,7 @@ impl<'a, 'b> Mul<&'b BigNumRef> for &'a BigNumRef { delegate!(Mul, mul); -impl<'a, 'b> Div<&'b BigNumRef> for &'a BigNumRef { +impl<'b> Div<&'b BigNumRef> for &BigNumRef { type Output = BigNum; fn div(self, oth: &'b BigNumRef) -> BigNum { @@ -1322,7 +1322,7 @@ impl<'a, 'b> Div<&'b BigNumRef> for &'a BigNumRef { delegate!(Div, div); -impl<'a, 'b> Rem<&'b BigNumRef> for &'a BigNumRef { +impl<'b> Rem<&'b BigNumRef> for &BigNumRef { type Output = BigNum; fn rem(self, oth: &'b BigNumRef) -> BigNum { @@ -1335,7 +1335,7 @@ impl<'a, 'b> Rem<&'b BigNumRef> for &'a BigNumRef { delegate!(Rem, rem); -impl<'a> Shl for &'a BigNumRef { +impl Shl for &BigNumRef { type Output = BigNum; fn shl(self, n: i32) -> BigNum { @@ -1345,7 +1345,7 @@ impl<'a> Shl for &'a BigNumRef { } } -impl<'a> Shl for &'a BigNum { +impl Shl for &BigNum { type Output = BigNum; fn shl(self, n: i32) -> BigNum { @@ -1353,7 +1353,7 @@ impl<'a> Shl for &'a BigNum { } } -impl<'a> Shr for &'a BigNumRef { +impl Shr for &BigNumRef { type Output = BigNum; fn shr(self, n: i32) -> BigNum { @@ -1363,7 +1363,7 @@ impl<'a> Shr for &'a BigNumRef { } } -impl<'a> Shr for &'a BigNum { +impl Shr for &BigNum { type Output = BigNum; fn shr(self, n: i32) -> BigNum { @@ -1371,7 +1371,7 @@ impl<'a> Shr for &'a BigNum { } } -impl<'a> Neg for &'a BigNumRef { +impl Neg for &BigNumRef { type Output = BigNum; fn neg(self) -> BigNum { @@ -1379,7 +1379,7 @@ impl<'a> Neg for &'a BigNumRef { } } -impl<'a> Neg for &'a BigNum { +impl Neg for &BigNum { type Output = BigNum; fn neg(self) -> BigNum { diff --git a/openssl/src/derive.rs b/openssl/src/derive.rs index 424c5f92d7..90a5650c0c 100644 --- a/openssl/src/derive.rs +++ b/openssl/src/derive.rs @@ -61,8 +61,8 @@ use openssl_macros::corresponds; /// A type used to derive a shared secret between two keys. pub struct Deriver<'a>(*mut ffi::EVP_PKEY_CTX, PhantomData<&'a ()>); -unsafe impl<'a> Sync for Deriver<'a> {} -unsafe impl<'a> Send for Deriver<'a> {} +unsafe impl Sync for Deriver<'_> {} +unsafe impl Send for Deriver<'_> {} #[allow(clippy::len_without_is_empty)] impl<'a> Deriver<'a> { @@ -163,7 +163,7 @@ impl<'a> Deriver<'a> { } } -impl<'a> Drop for Deriver<'a> { +impl Drop for Deriver<'_> { fn drop(&mut self) { unsafe { ffi::EVP_PKEY_CTX_free(self.0); diff --git a/openssl/src/encrypt.rs b/openssl/src/encrypt.rs index 4522146f89..c50be081cf 100644 --- a/openssl/src/encrypt.rs +++ b/openssl/src/encrypt.rs @@ -56,10 +56,10 @@ pub struct Encrypter<'a> { _p: PhantomData<&'a ()>, } -unsafe impl<'a> Sync for Encrypter<'a> {} -unsafe impl<'a> Send for Encrypter<'a> {} +unsafe impl Sync for Encrypter<'_> {} +unsafe impl Send for Encrypter<'_> {} -impl<'a> Drop for Encrypter<'a> { +impl Drop for Encrypter<'_> { fn drop(&mut self) { unsafe { ffi::EVP_PKEY_CTX_free(self.pctx); @@ -260,10 +260,10 @@ pub struct Decrypter<'a> { _p: PhantomData<&'a ()>, } -unsafe impl<'a> Sync for Decrypter<'a> {} -unsafe impl<'a> Send for Decrypter<'a> {} +unsafe impl Sync for Decrypter<'_> {} +unsafe impl Send for Decrypter<'_> {} -impl<'a> Drop for Decrypter<'a> { +impl Drop for Decrypter<'_> { fn drop(&mut self) { unsafe { ffi::EVP_PKEY_CTX_free(self.pctx); diff --git a/openssl/src/ocsp.rs b/openssl/src/ocsp.rs index 93a5d36b7e..570b8c2d0b 100644 --- a/openssl/src/ocsp.rs +++ b/openssl/src/ocsp.rs @@ -122,7 +122,7 @@ pub struct OcspStatus<'a> { pub next_update: &'a Asn1GeneralizedTimeRef, } -impl<'a> OcspStatus<'a> { +impl OcspStatus<'_> { /// Checks validity of the `this_update` and `next_update` fields. /// /// The `nsec` parameter specifies an amount of slack time that will be used when comparing diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index dd012128a2..bea91a5a43 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -365,7 +365,7 @@ impl Signer<'_> { } } -impl<'a> Write for Signer<'a> { +impl Write for Signer<'_> { fn write(&mut self, buf: &[u8]) -> io::Result { self.update(buf)?; Ok(buf.len()) @@ -384,10 +384,10 @@ pub struct Verifier<'a> { pkey_pd: PhantomData<&'a ()>, } -unsafe impl<'a> Sync for Verifier<'a> {} -unsafe impl<'a> Send for Verifier<'a> {} +unsafe impl Sync for Verifier<'_> {} +unsafe impl Send for Verifier<'_> {} -impl<'a> Drop for Verifier<'a> { +impl Drop for Verifier<'_> { fn drop(&mut self) { // pkey_ctx is owned by the md_ctx, so no need to explicitly free it. unsafe { @@ -566,7 +566,7 @@ impl<'a> Verifier<'a> { } } -impl<'a> Write for Verifier<'a> { +impl Write for Verifier<'_> { fn write(&mut self, buf: &[u8]) -> io::Result { self.update(buf)?; Ok(buf.len()) diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index a98bc5644d..2c5fd000a3 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -1367,20 +1367,20 @@ fn stateless() { pub struct Outgoing<'a>(&'a mut Vec); - impl<'a> Drop for Outgoing<'a> { + impl Drop for Outgoing<'_> { fn drop(&mut self) { self.0.clear(); } } - impl<'a> ::std::ops::Deref for Outgoing<'a> { + impl ::std::ops::Deref for Outgoing<'_> { type Target = [u8]; fn deref(&self) -> &[u8] { self.0 } } - impl<'a> AsRef<[u8]> for Outgoing<'a> { + impl AsRef<[u8]> for Outgoing<'_> { fn as_ref(&self) -> &[u8] { self.0 } diff --git a/openssl/src/stack.rs b/openssl/src/stack.rs index 58acac61ad..112aa7f649 100644 --- a/openssl/src/stack.rs +++ b/openssl/src/stack.rs @@ -343,7 +343,7 @@ impl<'a, T: Stackable> DoubleEndedIterator for Iter<'a, T> { } } -impl<'a, T: Stackable> ExactSizeIterator for Iter<'a, T> {} +impl ExactSizeIterator for Iter<'_, T> {} /// A mutable iterator over the stack's contents. pub struct IterMut<'a, T: Stackable> { @@ -377,4 +377,4 @@ impl<'a, T: Stackable> DoubleEndedIterator for IterMut<'a, T> { } } -impl<'a, T: Stackable> ExactSizeIterator for IterMut<'a, T> {} +impl ExactSizeIterator for IterMut<'_, T> {} diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index d0cd00e3e6..67c86ee3d4 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -135,7 +135,7 @@ impl X509StoreContextRef { { struct Cleanup<'a>(&'a mut X509StoreContextRef); - impl<'a> Drop for Cleanup<'a> { + impl Drop for Cleanup<'_> { fn drop(&mut self) { unsafe { ffi::X509_STORE_CTX_cleanup(self.0.as_ptr()); @@ -873,7 +873,7 @@ impl Eq for X509 {} /// A context object required to construct certain `X509` extension values. pub struct X509v3Context<'a>(ffi::X509V3_CTX, PhantomData<(&'a X509Ref, &'a ConfRef)>); -impl<'a> X509v3Context<'a> { +impl X509v3Context<'_> { pub fn as_ptr(&self) -> *mut ffi::X509V3_CTX { &self.0 as *const _ as *mut _ } From bc85958769b672a7878003d4126c598aac743acc Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 5 Oct 2024 10:03:55 -0500 Subject: [PATCH 41/46] fixes #2311 -- silencer resolver warnings --- Cargo.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/Cargo.toml b/Cargo.toml index c33c3475a7..63194cb3fd 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,4 +1,5 @@ [workspace] +resolver = "2" members = [ "openssl", "openssl-errors", From de8a97c1b55800104ae6f3c6f52aab1e17df3b3c Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 7 Oct 2024 06:59:40 -0700 Subject: [PATCH 42/46] Bump to 3.4.0-beta1 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2115a8ea3c..e2e6881f86 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -154,7 +154,7 @@ jobs: - name: openssl version: vendored - name: openssl - version: 3.4.0-alpha1 + version: 3.4.0-beta1 - name: openssl version: 3.3.0 - name: openssl From f9027b7549e7d557d627aeadc157097b2c5c018b Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Tue, 15 Oct 2024 08:05:19 +0200 Subject: [PATCH 43/46] LibreSSL 4.0.0 is released & stable --- openssl-sys/build/main.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/openssl-sys/build/main.rs b/openssl-sys/build/main.rs index c9bddf5382..f379e1e6b3 100644 --- a/openssl-sys/build/main.rs +++ b/openssl-sys/build/main.rs @@ -380,6 +380,8 @@ See rust-openssl documentation for more information: (3, 8, _) => ('3', '8', 'x'), (3, 9, 0) => ('3', '9', '0'), (3, 9, _) => ('3', '9', 'x'), + (4, 0, 0) => ('4', '0', '0'), + (4, 0, _) => ('4', '0', 'x'), _ => version_error(), }; @@ -422,7 +424,7 @@ fn version_error() -> ! { " This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3), or LibreSSL 2.5 -through 3.9.x, but a different version of OpenSSL was found. The build is now aborting +through 4.0.x, but a different version of OpenSSL was found. The build is now aborting due to this version mismatch. " From c4dabc2fc2f76d734fc361401c3bae1a911bc405 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Tue, 15 Oct 2024 07:59:54 +0200 Subject: [PATCH 44/46] CI: Update LibreSSL CI LibreSSL 3.7 is out of support, so replace it with just released 4.0. Bump 3.9 branch to 3.9.2 and 3.8 branch to 3.8.4. --- .github/workflows/ci.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e2e6881f86..212183e2c4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -184,17 +184,17 @@ jobs: bindgen: true library: name: libressl - version: 3.7.3 + version: 3.8.4 - target: x86_64-unknown-linux-gnu bindgen: true library: name: libressl - version: 3.8.3 + version: 3.9.2 - target: x86_64-unknown-linux-gnu bindgen: true library: name: libressl - version: 3.9.1 + version: 4.0.0 - target: x86_64-unknown-linux-gnu bindgen: false library: @@ -204,17 +204,17 @@ jobs: bindgen: false library: name: libressl - version: 3.7.3 + version: 3.8.4 - target: x86_64-unknown-linux-gnu bindgen: false library: name: libressl - version: 3.8.3 + version: 3.9.2 - target: x86_64-unknown-linux-gnu bindgen: false library: name: libressl - version: 3.9.1 + version: 4.0.0 name: ${{ matrix.target }}-${{ matrix.library.name }}-${{ matrix.library.version }}-${{ matrix.bindgen }} runs-on: ubuntu-latest env: From b510e8c2c2a37e86bf940ede4c46f858d0241fa2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 15 Oct 2024 07:30:14 -0400 Subject: [PATCH 45/46] Release openssl v0.10.67 and openssl-sys v0.9.104 --- openssl-sys/CHANGELOG.md | 19 ++++++++++++++++++- openssl-sys/Cargo.toml | 2 +- openssl/CHANGELOG.md | 20 +++++++++++++++++++- openssl/Cargo.toml | 4 ++-- 4 files changed, 40 insertions(+), 5 deletions(-) diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md index 37f35e0a66..641f0d4b7a 100644 --- a/openssl-sys/CHANGELOG.md +++ b/openssl-sys/CHANGELOG.md @@ -2,6 +2,22 @@ ## [Unreleased] +## [v0.9.104] - 2024-10-15 + +### Added + +* Added support for LibreSSL 4.0.x. +* Added `EVP_KDF_*` and `EVP_KDF_CTX_*` bindings. +* Added `EVP_DigestSqueeze`. +* Added `OSSL_PARAM_construct_octet_string`. +* Added `OSSL_set_max_threads` and `OSSL_get_max_threads`. + +### Changed + +* `openssl-sys` is now a 2021 edition crate +* Explicitly specify the MSRV in `Cargo.toml` +* Raised the `bindgen` (optional) dependency from 0.65 to 0.69 + ## [v0.9.103] - 2024-07-20 ### Added @@ -607,7 +623,8 @@ Fixed builds against OpenSSL built with `no-cast`. * Added `X509_verify` and `X509_REQ_verify`. * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.103..master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.104..master +[v0.9.104]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.103...openssl-sys-v0.9.104 [v0.9.103]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.102...openssl-sys-v0.9.103 [v0.9.102]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.101...openssl-sys-v0.9.102 [v0.9.101]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.100...openssl-sys-v0.9.101 diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 7ec1038dc7..f82dbd3f1a 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl-sys" -version = "0.9.103" +version = "0.9.104" authors = [ "Alex Crichton ", "Steven Fackler ", diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index e3d1045ac0..259614ceea 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,23 @@ ## [Unreleased] +## [v0.10.67] - 2024-10-15 + +### Added + +* Added support for LibreSSL 4.0.x. +* Added `argon2id` + +### Fixed + +* Fixed a case where `MdCtxRef::digest_verify_final` could leave an error on the stack. +* Fixed a case where `RsaRef::check_key` could leave an errror on the stack. + +### Changed + +* `openssl` is now a 2021 edition crate +* Explicitly specify the MSRV in `Cargo.toml` + ## [v0.10.66] - 2024-07-21 ### Fixed @@ -908,7 +925,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.66...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.67...master +[v0.10.67]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.66...openssl-v0.10.67 [v0.10.66]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.65...openssl-v0.10.66 [v0.10.65]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.64...openssl-v0.10.65 [v0.10.64]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.63...openssl-v0.10.64 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 23ccc91d9b..88bfcaf773 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.66" +version = "0.10.67" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" @@ -31,7 +31,7 @@ libc = "0.2" once_cell = "1.5.2" openssl-macros = { version = "0.1.0", path = "../openssl-macros" } -ffi = { package = "openssl-sys", version = "0.9.103", path = "../openssl-sys" } +ffi = { package = "openssl-sys", version = "0.9.104", path = "../openssl-sys" } [dev-dependencies] hex = "0.4" From 065cc77d0c574d0f713af4f2b37fb9040b3537cf Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 16 Oct 2024 18:14:59 -0400 Subject: [PATCH 46/46] fixes #2317 -- restore compatibility with our MSRV and release openssl 0.9.68 --- openssl/CHANGELOG.md | 9 ++++++++- openssl/Cargo.toml | 2 +- openssl/src/kdf.rs | 3 ++- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md index 259614ceea..e939d4784a 100644 --- a/openssl/CHANGELOG.md +++ b/openssl/CHANGELOG.md @@ -2,6 +2,12 @@ ## [Unreleased] +## [v0.10.68] - 2024-10-16 + +### Fixed + +* Fixed building on Rust 1.63.0 (our MSRV) with OpenSSL 3.2 or newer. + ## [v0.10.67] - 2024-10-15 ### Added @@ -925,7 +931,8 @@ Look at the [release tags] for information about older releases. -[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.67...master +[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.68...master +[v0.10.68]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.67...openssl-v0.10.68 [v0.10.67]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.66...openssl-v0.10.67 [v0.10.66]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.65...openssl-v0.10.66 [v0.10.65]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.64...openssl-v0.10.65 diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 88bfcaf773..7bd6bdbb4f 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openssl" -version = "0.10.67" +version = "0.10.68" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" diff --git a/openssl/src/kdf.rs b/openssl/src/kdf.rs index 4f6b1f8aab..a5da352505 100644 --- a/openssl/src/kdf.rs +++ b/openssl/src/kdf.rs @@ -25,10 +25,11 @@ impl Drop for EvpKdfCtx { cfg_if::cfg_if! { if #[cfg(all(ossl320, not(osslconf = "OPENSSL_NO_ARGON2")))] { use std::cmp; - use std::ffi::{c_char, c_void}; + use std::ffi::c_void; use std::mem::MaybeUninit; use std::ptr; use foreign_types::ForeignTypeRef; + use libc::c_char; use crate::{cvt, cvt_p}; use crate::lib_ctx::LibCtxRef; use crate::error::ErrorStack; pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy