From 2e8ad14f5968ded7f89ae583fedd508228c5d829 Mon Sep 17 00:00:00 2001 From: Evrard-Nil Daillet Date: Tue, 18 May 2021 20:16:16 +0200 Subject: [PATCH 01/21] Check for env var for pre-built binaries of bssl --- boring-sys/build.rs | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/boring-sys/build.rs b/boring-sys/build.rs index 4def81781..a440ec1f8 100644 --- a/boring-sys/build.rs +++ b/boring-sys/build.rs @@ -175,14 +175,17 @@ fn main() { use std::env; use std::path::PathBuf; - let mut cfg = get_boringssl_cmake_config(); + let bssl_dir = std::env::var("BORING_BSSL_PATH").unwrap_or_else(|_| { + let mut cfg = get_boringssl_cmake_config(); - if cfg!(feature = "fuzzing") { - cfg.cxxflag("-DBORINGSSL_UNSAFE_DETERMINISTIC_MODE") - .cxxflag("-DBORINGSSL_UNSAFE_FUZZER_MODE"); - } + if cfg!(feature = "fuzzing") { + cfg.cxxflag("-DBORINGSSL_UNSAFE_DETERMINISTIC_MODE") + .cxxflag("-DBORINGSSL_UNSAFE_FUZZER_MODE"); + } + + cfg.build_target("bssl").build().display().to_string() + }); - let bssl_dir = cfg.build_target("bssl").build().display().to_string(); let build_path = get_boringssl_platform_output_path(); let build_dir = format!("{}/build/{}", bssl_dir, build_path); println!("cargo:rustc-link-search=native={}", build_dir); @@ -195,7 +198,11 @@ fn main() { println!("cargo:rustc-cdylib-link-arg=-Wl,-undefined,dynamic_lookup"); } - let include_path = PathBuf::from("deps/boringssl/src/include"); + let include_path = PathBuf::from( + std::env::var("BORING_BSSL_INCLUDE_PATH") + .unwrap_or(String::from("deps/boringssl/src/include")), + ); + let mut builder = bindgen::Builder::default() .derive_copy(true) .derive_debug(true) From c5010de2aff2d3a2f0f54c447b027a430951a158 Mon Sep 17 00:00:00 2001 From: Evrard-Nil Daillet Date: Tue, 1 Jun 2021 10:52:36 +0200 Subject: [PATCH 02/21] pre-built binaries: Update readme and fix clippy --- README.md | 17 ++++++++++++++--- boring-sys/build.rs | 2 +- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 75967820f..75e9718b2 100644 --- a/README.md +++ b/README.md @@ -2,16 +2,27 @@ [![crates.io](https://img.shields.io/crates/v/boring.svg)](https://crates.io/crates/boring) -BoringSSL bindings for the Rust programming language and TLS adapters for [tokio](https://github.com/tokio-rs/tokio) +BoringSSL bindings for the Rust programming language and TLS adapters for [tokio](https://github.com/tokio-rs/tokio) and [hyper](https://github.com/hyperium/hyper) built on top of it. [Documentation](https://docs.rs/boring). ## Release Support -The crate statically links with the latest BoringSSL master branch. +By default, the crate statically links with the latest BoringSSL master branch. -### Contribution +## Support for pre-built binaries + +While this crate can build BoringSSL on its own, you may want to provide pre-built binaries instead. +To do so, specify the environment variable `BORING_BSSL_PATH` with the path to the binaries. + +You can also provide specific headers by setting `BORING_BSSL_INCLUDE_PATH`. + +_Notes_: The crate will look for headers in the `$BORING_BSSL_INCLUDE_PATH/openssl/` folder, make sure to place your headers there. + +_Warning_: When providing a different version of BoringSSL make sure to use a compatible one, the crate relies on the presence of certain functions. + +## Contribution Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 diff --git a/boring-sys/build.rs b/boring-sys/build.rs index a440ec1f8..2a0ee1d23 100644 --- a/boring-sys/build.rs +++ b/boring-sys/build.rs @@ -200,7 +200,7 @@ fn main() { let include_path = PathBuf::from( std::env::var("BORING_BSSL_INCLUDE_PATH") - .unwrap_or(String::from("deps/boringssl/src/include")), + .unwrap_or_else(|_| String::from("deps/boringssl/src/include")), ); let mut builder = bindgen::Builder::default() From 57eac7dfc33bade2402bf1f569afa5ad8c2e4308 Mon Sep 17 00:00:00 2001 From: Joshua Nelson Date: Tue, 27 Jul 2021 16:21:13 -0400 Subject: [PATCH 03/21] Ignore bindgen warnings until they're fixed upstream We don't have any way of fixing these, and it's not feasible to switch away from bindgen. Ignore the warnings for now. --- boring-sys/src/lib.rs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/boring-sys/src/lib.rs b/boring-sys/src/lib.rs index 4c7832329..b32b91907 100644 --- a/boring-sys/src/lib.rs +++ b/boring-sys/src/lib.rs @@ -15,7 +15,11 @@ use std::convert::TryInto; use std::ffi::c_void; use std::os::raw::{c_char, c_int, c_uint, c_ulong}; -include!(concat!(env!("OUT_DIR"), "/bindings.rs")); +#[allow(deref_nullptr)] // TODO: remove this when https://github.com/rust-lang/rust-bindgen/issues/1651 finally gets fixed +mod generated { + include!(concat!(env!("OUT_DIR"), "/bindings.rs")); +} +pub use generated::*; #[cfg(target_pointer_width = "64")] pub type BN_ULONG = u64; From cedceb8213293aa0c04ff034f75913ac2aa57553 Mon Sep 17 00:00:00 2001 From: Joshua Nelson Date: Tue, 27 Jul 2021 17:06:11 -0400 Subject: [PATCH 04/21] Fetch git submodule automatically Example output: ``` $ cargo check Compiling boring-sys v1.1.1 (/home/jnelson/src/boring/boring-sys) warning: fetching boringssl git submodule Finished dev [unoptimized + debuginfo] target(s) in 28.27s ``` --- boring-sys/build.rs | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/boring-sys/build.rs b/boring-sys/build.rs index 4def81781..f398c6adb 100644 --- a/boring-sys/build.rs +++ b/boring-sys/build.rs @@ -173,7 +173,25 @@ fn get_boringssl_cmake_config() -> cmake::Config { fn main() { use std::env; - use std::path::PathBuf; + use std::path::{Path, PathBuf}; + use std::process::Command; + + if !Path::new("deps/boringssl/CMakeLists.txt").exists() { + println!("cargo:warning=fetching boringssl git submodule"); + // fetch the boringssl submodule + let status = Command::new("git") + .args(&[ + "submodule", + "update", + "--init", + "--recursive", + "deps/boringssl", + ]) + .status(); + if !status.map_or(false, |status| status.success()) { + panic!("failed to fetch submodule - consider running `git submodule update --init --recursive deps/boringssl` yourself"); + } + } let mut cfg = get_boringssl_cmake_config(); From 3a0e2db75309cc06d0586cdbb7c3bd0a28879d1e Mon Sep 17 00:00:00 2001 From: Joshua Nelson Date: Wed, 28 Jul 2021 15:20:59 -0400 Subject: [PATCH 05/21] Update documentation for tokio-boring This also adds an `examples/` directory, to make sure the example in the readme doesn't get out of date. --- tokio-boring/Cargo.toml | 1 + tokio-boring/README.md | 33 +++++++++++++++++++++------ tokio-boring/examples/simple-async.rs | 16 +++++++++++++ tokio-boring/src/lib.rs | 9 ++++---- 4 files changed, 47 insertions(+), 12 deletions(-) create mode 100644 tokio-boring/examples/simple-async.rs diff --git a/tokio-boring/Cargo.toml b/tokio-boring/Cargo.toml index 2d1d7e631..13b336446 100644 --- a/tokio-boring/Cargo.toml +++ b/tokio-boring/Cargo.toml @@ -19,3 +19,4 @@ tokio = "1" [dev-dependencies] futures = "0.3" tokio = { version = "1", features = ["full"] } +anyhow = "1" diff --git a/tokio-boring/README.md b/tokio-boring/README.md index 7f13d2958..068c881bc 100644 --- a/tokio-boring/README.md +++ b/tokio-boring/README.md @@ -13,18 +13,37 @@ First, add this to your `Cargo.toml`: tokio-boring = "1.0.0" ``` -Next, add this to your crate: +Then, use either `accept` or `connect` as appropriate. ```rust -use tokio_boring::{SslConnectorExt, SslAcceptorExt}; +use boring::ssl; +use tokio::net::TcpListener; + +#[tokio::main] +async fn main() -> anyhow::Result<()> { + let listener = TcpListener::bind("127.0.0.1:8080").await?; + let (tcp_stream, _addr) = listener.accept().await?; + + let server = ssl::SslMethod::tls_server(); + let mut ssl_builder = boring::ssl::SslAcceptor::mozilla_modern(server)?; + ssl_builder.set_default_verify_paths()?; + ssl_builder.set_verify(ssl::SslVerifyMode::PEER); + let acceptor = ssl_builder.build(); + let _ssl_stream = tokio_boring::accept(&acceptor, tcp_stream).await?; + Ok(()) +} ``` -This crate provides two extension traits, `SslConnectorExt` and -`SslAcceptorExt`, which augment the functionality provided by the [`boring` crate](https://github.com/cloudflare/boring). -These extension traits provide the ability to connect a stream -asynchronously and accept a socket asynchronously. Configuration of BoringSSL -parameters is still done through the support in the [`boring` crate](https://github.com/cloudflare/boring). +This library is an implementation of TLS streams using BoringSSL for +negotiating the connection. Each TLS stream implements the `Read` and +`Write` traits to interact and interoperate with the rest of the futures I/O +ecosystem. Client connections initiated from this crate verify hostnames +automatically and by default. +`tokio-boring` exports this ability through [`accept`] and [`connect`]. `accept` should +be used by servers, and `connect` by clients. These augment the functionality provided by the +[`boring`] crate, on which this crate is built. Configuration of TLS parameters is still +primarily done through the [`boring`] crate. # License diff --git a/tokio-boring/examples/simple-async.rs b/tokio-boring/examples/simple-async.rs new file mode 100644 index 000000000..f4a69a1c9 --- /dev/null +++ b/tokio-boring/examples/simple-async.rs @@ -0,0 +1,16 @@ +use boring::ssl; +use tokio::net::TcpListener; + +#[tokio::main] +async fn main() -> anyhow::Result<()> { + let listener = TcpListener::bind("127.0.0.1:8080").await?; + let (tcp_stream, _addr) = listener.accept().await?; + + let server = ssl::SslMethod::tls_server(); + let mut ssl_builder = boring::ssl::SslAcceptor::mozilla_modern(server)?; + ssl_builder.set_default_verify_paths()?; + ssl_builder.set_verify(ssl::SslVerifyMode::PEER); + let acceptor = ssl_builder.build(); + let _ssl_stream = tokio_boring::accept(&acceptor, tcp_stream).await?; + Ok(()) +} diff --git a/tokio-boring/src/lib.rs b/tokio-boring/src/lib.rs index ec3308442..c5c25044b 100644 --- a/tokio-boring/src/lib.rs +++ b/tokio-boring/src/lib.rs @@ -6,11 +6,10 @@ //! ecosystem. Client connections initiated from this crate verify hostnames //! automatically and by default. //! -//! This crate primarily exports this ability through two extension traits, -//! `SslConnectorExt` and `SslAcceptorExt`. These traits augment the -//! functionality provided by the [`boring` crate](https://github.com/cloudflare/boring) crate, -//! on which this crate is built. Configuration of TLS parameters is still primarily done through -//! the [`boring` crate](https://github.com/cloudflare/boring) +//! `tokio-boring` exports this ability through [`accept`] and [`connect`]. `accept` should +//! be used by servers, and `connect` by clients. These augment the functionality provided by the +//! [`boring`] crate, on which this crate is built. Configuration of TLS parameters is still +//! primarily done through the [`boring`] crate. #![warn(missing_docs)] use boring::ssl::{ From 6ddfee29b7ca81cca9afa17815ba0ee7f0bcde75 Mon Sep 17 00:00:00 2001 From: Joshua Nelson Date: Thu, 29 Jul 2021 11:58:58 -0400 Subject: [PATCH 06/21] Fix clippy warnings for 1.54 --- boring/examples/mk_certs.rs | 6 +++--- boring/src/ssl/test/mod.rs | 2 +- boring/src/stack.rs | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/boring/examples/mk_certs.rs b/boring/examples/mk_certs.rs index bea8d5502..217786e26 100644 --- a/boring/examples/mk_certs.rs +++ b/boring/examples/mk_certs.rs @@ -65,7 +65,7 @@ fn mk_ca_cert() -> Result<(X509, PKey), ErrorStack> { /// Make a X509 request with the given private key fn mk_request(privkey: &PKey) -> Result { let mut req_builder = X509ReqBuilder::new()?; - req_builder.set_pubkey(&privkey)?; + req_builder.set_pubkey(privkey)?; let mut x509_name = X509NameBuilder::new()?; x509_name.append_entry_by_text("C", "US")?; @@ -75,7 +75,7 @@ fn mk_request(privkey: &PKey) -> Result { let x509_name = x509_name.build(); req_builder.set_subject_name(&x509_name)?; - req_builder.sign(&privkey, MessageDigest::sha256())?; + req_builder.sign(privkey, MessageDigest::sha256())?; let req = req_builder.build(); Ok(req) } @@ -133,7 +133,7 @@ fn mk_ca_signed_cert( .build(&cert_builder.x509v3_context(Some(ca_cert), None))?; cert_builder.append_extension(subject_alt_name)?; - cert_builder.sign(&ca_privkey, MessageDigest::sha256())?; + cert_builder.sign(ca_privkey, MessageDigest::sha256())?; let cert = cert_builder.build(); Ok((cert, privkey)) diff --git a/boring/src/ssl/test/mod.rs b/boring/src/ssl/test/mod.rs index 7fddcd0bb..87a6c87d8 100644 --- a/boring/src/ssl/test/mod.rs +++ b/boring/src/ssl/test/mod.rs @@ -1074,7 +1074,7 @@ fn psk_ciphers() { client .ctx() .set_psk_client_callback(move |_, _, identity, psk| { - identity[..CLIENT_IDENT.len()].copy_from_slice(&CLIENT_IDENT); + identity[..CLIENT_IDENT.len()].copy_from_slice(CLIENT_IDENT); identity[CLIENT_IDENT.len()] = 0; psk[..PSK.len()].copy_from_slice(PSK); CLIENT_CALLED.store(true, Ordering::SeqCst); diff --git a/boring/src/stack.rs b/boring/src/stack.rs index 043ee178f..70f366f68 100644 --- a/boring/src/stack.rs +++ b/boring/src/stack.rs @@ -131,7 +131,7 @@ pub struct IntoIter { impl Drop for IntoIter { fn drop(&mut self) { unsafe { - while let Some(_) = self.next() {} + for _ in &mut *self {} OPENSSL_sk_free(self.stack as *mut _); } } From 080dfa7edfff53fea1410f79d29373ffb4de6bb6 Mon Sep 17 00:00:00 2001 From: Anthony Ramine Date: Thu, 29 Jul 2021 09:53:52 +0200 Subject: [PATCH 07/21] Update bindgen to 0.59 and bytes to 1 --- boring-sys/Cargo.toml | 2 +- hyper-boring/Cargo.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/boring-sys/Cargo.toml b/boring-sys/Cargo.toml index f966b4960..77a4f7b7f 100644 --- a/boring-sys/Cargo.toml +++ b/boring-sys/Cargo.toml @@ -27,5 +27,5 @@ include = [ ] [build-dependencies] -bindgen = "0.57" +bindgen = "0.59" cmake = "0.1" diff --git a/hyper-boring/Cargo.toml b/hyper-boring/Cargo.toml index 46f90016a..892b20560 100644 --- a/hyper-boring/Cargo.toml +++ b/hyper-boring/Cargo.toml @@ -17,7 +17,7 @@ runtime = ["hyper/runtime"] [dependencies] antidote = "1.0.0" -bytes = "0.5" +bytes = "1" http = "0.2" hyper = { version = "0.14", default-features = false, features = ["client"] } linked_hash_set = "0.1" From 993f68ded2a9a35c52c919c87167400a3971663c Mon Sep 17 00:00:00 2001 From: Robin Lambertz Date: Mon, 14 Jun 2021 18:04:51 +0200 Subject: [PATCH 08/21] Remove unused dependency on bytes --- hyper-boring/Cargo.toml | 2 -- 1 file changed, 2 deletions(-) diff --git a/hyper-boring/Cargo.toml b/hyper-boring/Cargo.toml index 892b20560..fa21dfde0 100644 --- a/hyper-boring/Cargo.toml +++ b/hyper-boring/Cargo.toml @@ -17,13 +17,11 @@ runtime = ["hyper/runtime"] [dependencies] antidote = "1.0.0" -bytes = "1" http = "0.2" hyper = { version = "0.14", default-features = false, features = ["client"] } linked_hash_set = "0.1" once_cell = "1.0" boring = { version = "1.1.0", path = "../boring" } -boring-sys = { version = "1.1.0", path = "../boring-sys" } tokio = "1" tokio-boring = { version = "2", path = "../tokio-boring" } tower-layer = "0.3" From 03dda42d1ac95f89bae9d339dc15bb1b4269f717 Mon Sep 17 00:00:00 2001 From: Joshua Nelson Date: Fri, 30 Jul 2021 12:30:48 -0400 Subject: [PATCH 09/21] Remove unused attribute --- boring/src/srtp.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/boring/src/srtp.rs b/boring/src/srtp.rs index 4081868e6..cbb56fbb4 100644 --- a/boring/src/srtp.rs +++ b/boring/src/srtp.rs @@ -8,7 +8,6 @@ use std::str; /// fake free method, since SRTP_PROTECTION_PROFILE is static unsafe fn free(_profile: *mut ffi::SRTP_PROTECTION_PROFILE) {} -#[allow(unused_unsafe)] foreign_type_and_impl_send_sync! { type CType = ffi::SRTP_PROTECTION_PROFILE; fn drop = free; From 46787b7b6909cadf81cf3a8cd9dc351c9efdfdbd Mon Sep 17 00:00:00 2001 From: Joshua Nelson Date: Thu, 12 Aug 2021 11:30:34 -0500 Subject: [PATCH 10/21] Run `cargo fix --edition --- boring/src/aes.rs | 2 +- boring/src/asn1.rs | 31 ++++++++++++----------- boring/src/base64.rs | 6 ++--- boring/src/bio.rs | 8 +++--- boring/src/bn.rs | 14 +++++------ boring/src/conf.rs | 6 ++--- boring/src/derive.rs | 14 +++++------ boring/src/dh.rs | 18 +++++++------- boring/src/dsa.rs | 14 +++++------ boring/src/ec.rs | 16 ++++++------ boring/src/ecdsa.rs | 14 +++++------ boring/src/error.rs | 2 +- boring/src/fips.rs | 6 ++--- boring/src/hash.rs | 10 ++++---- boring/src/lib.rs | 4 +-- boring/src/macros.rs | 46 +++++++++++++++++------------------ boring/src/memcmp.rs | 2 +- boring/src/nid.rs | 6 ++--- boring/src/pkcs12.rs | 28 ++++++++++----------- boring/src/pkcs5.rs | 14 +++++------ boring/src/pkey.rs | 28 ++++++++++----------- boring/src/rand.rs | 6 ++--- boring/src/rsa.rs | 14 +++++------ boring/src/sha.rs | 2 +- boring/src/sign.rs | 28 ++++++++++----------- boring/src/srtp.rs | 4 +-- boring/src/ssl/bio.rs | 8 +++--- boring/src/ssl/callbacks.rs | 12 ++++----- boring/src/ssl/connector.rs | 10 ++++---- boring/src/ssl/error.rs | 8 +++--- boring/src/ssl/mod.rs | 42 ++++++++++++++++---------------- boring/src/ssl/test/mod.rs | 24 +++++++++--------- boring/src/ssl/test/server.rs | 2 +- boring/src/stack.rs | 8 +++--- boring/src/string.rs | 6 ++--- boring/src/symm.rs | 10 ++++---- boring/src/util.rs | 2 +- boring/src/version.rs | 2 +- boring/src/x509/extension.rs | 6 ++--- boring/src/x509/mod.rs | 32 ++++++++++++------------ boring/src/x509/store.rs | 12 ++++----- boring/src/x509/tests.rs | 20 +++++++-------- boring/src/x509/verify.rs | 6 ++--- 43 files changed, 278 insertions(+), 275 deletions(-) diff --git a/boring/src/aes.rs b/boring/src/aes.rs index 4240a34b9..37ed8e7ea 100644 --- a/boring/src/aes.rs +++ b/boring/src/aes.rs @@ -37,7 +37,7 @@ //! assert_eq!(&orig_key[..], &key_to_wrap[..]); //! ``` //! -use ffi; +use crate::ffi; use libc::{c_int, c_uint, size_t}; use std::{mem, ptr}; diff --git a/boring/src/asn1.rs b/boring/src/asn1.rs index 0efd65699..7bc9d1edc 100644 --- a/boring/src/asn1.rs +++ b/boring/src/asn1.rs @@ -24,7 +24,7 @@ //! use boring::asn1::Asn1Time; //! let tomorrow = Asn1Time::days_from_now(1); //! ``` -use ffi; +use crate::ffi; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_char, c_int, c_long, time_t}; use std::cmp::Ordering; @@ -34,12 +34,12 @@ use std::ptr; use std::slice; use std::str; -use bio::MemBio; -use bn::{BigNum, BigNumRef}; -use error::ErrorStack; -use nid::Nid; -use string::OpensslString; -use {cvt, cvt_p}; +use crate::bio::MemBio; +use crate::bn::{BigNum, BigNumRef}; +use crate::error::ErrorStack; +use crate::nid::Nid; +use crate::string::OpensslString; +use crate::{cvt, cvt_p}; foreign_type_and_impl_send_sync! { type CType = ffi::ASN1_GENERALIZEDTIME; @@ -418,7 +418,7 @@ impl Asn1IntegerRef { #[allow(missing_docs)] #[deprecated(since = "0.10.6", note = "use to_bn instead")] pub fn get(&self) -> i64 { - unsafe { ::ffi::ASN1_INTEGER_get(self.as_ptr()) as i64 } + unsafe { crate::ffi::ASN1_INTEGER_get(self.as_ptr()) as i64 } } /// Converts the integer to a `BigNum`. @@ -428,8 +428,11 @@ impl Asn1IntegerRef { /// [`ASN1_INTEGER_to_BN`]: https://www.openssl.org/docs/man1.1.0/crypto/ASN1_INTEGER_get.html pub fn to_bn(&self) -> Result { unsafe { - cvt_p(::ffi::ASN1_INTEGER_to_BN(self.as_ptr(), ptr::null_mut())) - .map(|p| BigNum::from_ptr(p)) + cvt_p(crate::ffi::ASN1_INTEGER_to_BN( + self.as_ptr(), + ptr::null_mut(), + )) + .map(|p| BigNum::from_ptr(p)) } } @@ -441,7 +444,7 @@ impl Asn1IntegerRef { /// [`bn`]: ../bn/struct.BigNumRef.html#method.to_asn1_integer /// [`ASN1_INTEGER_set`]: https://www.openssl.org/docs/man1.1.0/crypto/ASN1_INTEGER_set.html pub fn set(&mut self, value: i32) -> Result<(), ErrorStack> { - unsafe { cvt(::ffi::ASN1_INTEGER_set(self.as_ptr(), value as c_long)).map(|_| ()) } + unsafe { cvt(crate::ffi::ASN1_INTEGER_set(self.as_ptr(), value as c_long)).map(|_| ()) } } } @@ -551,14 +554,14 @@ impl fmt::Debug for Asn1ObjectRef { } } -use ffi::ASN1_STRING_get0_data; +use crate::ffi::ASN1_STRING_get0_data; #[cfg(test)] mod tests { use super::*; - use bn::BigNum; - use nid::Nid; + use crate::bn::BigNum; + use crate::nid::Nid; /// Tests conversion between BigNum and Asn1Integer. #[test] diff --git a/boring/src/base64.rs b/boring/src/base64.rs index 63d0725d4..1426fdc05 100644 --- a/boring/src/base64.rs +++ b/boring/src/base64.rs @@ -1,7 +1,7 @@ //! Base64 encoding support. -use cvt_n; -use error::ErrorStack; -use ffi; +use crate::cvt_n; +use crate::error::ErrorStack; +use crate::ffi; use libc::c_int; /// Encodes a slice of bytes to a base64 string. diff --git a/boring/src/bio.rs b/boring/src/bio.rs index 2f1ae1212..9c9a610bb 100644 --- a/boring/src/bio.rs +++ b/boring/src/bio.rs @@ -1,12 +1,12 @@ -use ffi; -use ffi::BIO_new_mem_buf; +use crate::ffi; +use crate::ffi::BIO_new_mem_buf; use libc::c_int; use std::marker::PhantomData; use std::ptr; use std::slice; -use cvt_p; -use error::ErrorStack; +use crate::cvt_p; +use crate::error::ErrorStack; pub struct MemBioSlice<'a>(*mut ffi::BIO, PhantomData<&'a [u8]>); diff --git a/boring/src/bn.rs b/boring/src/bn.rs index ad755a539..5b63e63fd 100644 --- a/boring/src/bn.rs +++ b/boring/src/bn.rs @@ -22,7 +22,7 @@ //! ``` //! //! [`BIGNUM`]: https://wiki.openssl.org/index.php/Manual:Bn_internal(3) -use ffi; +use crate::ffi; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_int, size_t}; use std::cmp::Ordering; @@ -30,11 +30,11 @@ use std::ffi::CString; use std::ops::{Add, Deref, Div, Mul, Neg, Rem, Shl, Shr, Sub}; use std::{fmt, ptr}; -use asn1::Asn1Integer; -use error::ErrorStack; -use ffi::BN_is_negative; -use string::OpensslString; -use {cvt, cvt_n, cvt_p}; +use crate::asn1::Asn1Integer; +use crate::error::ErrorStack; +use crate::ffi::BN_is_negative; +use crate::string::OpensslString; +use crate::{cvt, cvt_n, cvt_p}; /// Options for the most significant bits of a randomly generated `BigNum`. pub struct MsbOption(c_int); @@ -1231,7 +1231,7 @@ impl Neg for BigNum { #[cfg(test)] mod tests { - use bn::{BigNum, BigNumContext}; + use crate::bn::{BigNum, BigNumContext}; #[test] fn test_to_from_slice() { diff --git a/boring/src/conf.rs b/boring/src/conf.rs index fb2007a2d..1b041b564 100644 --- a/boring/src/conf.rs +++ b/boring/src/conf.rs @@ -1,9 +1,9 @@ //! Interface for processing OpenSSL configuration files. -use ffi; +use crate::ffi; use libc::c_void; -use cvt_p; -use error::ErrorStack; +use crate::cvt_p; +use crate::error::ErrorStack; pub struct ConfMethod(*mut c_void); diff --git a/boring/src/derive.rs b/boring/src/derive.rs index 6c5175533..20fe5c2ea 100644 --- a/boring/src/derive.rs +++ b/boring/src/derive.rs @@ -1,12 +1,12 @@ //! Shared secret derivation. -use ffi; +use crate::ffi; use foreign_types::ForeignTypeRef; use std::marker::PhantomData; use std::ptr; -use error::ErrorStack; -use pkey::{HasPrivate, HasPublic, PKeyRef}; -use {cvt, cvt_p}; +use crate::error::ErrorStack; +use crate::pkey::{HasPrivate, HasPublic, PKeyRef}; +use crate::{cvt, cvt_p}; /// A type used to derive a shared secret between two keys. pub struct Deriver<'a>(*mut ffi::EVP_PKEY_CTX, PhantomData<&'a ()>); @@ -97,9 +97,9 @@ impl<'a> Deriver<'a> { mod test { use super::*; - use ec::{EcGroup, EcKey}; - use nid::Nid; - use pkey::PKey; + use crate::ec::{EcGroup, EcKey}; + use crate::nid::Nid; + use crate::pkey::PKey; #[test] fn derive_without_peer() { diff --git a/boring/src/dh.rs b/boring/src/dh.rs index 709f00a51..96a8c63d6 100644 --- a/boring/src/dh.rs +++ b/boring/src/dh.rs @@ -1,12 +1,12 @@ -use error::ErrorStack; -use ffi; +use crate::error::ErrorStack; +use crate::ffi; use foreign_types::{ForeignType, ForeignTypeRef}; use std::mem; use std::ptr; -use bn::BigNum; -use pkey::{HasParams, Params}; -use {cvt, cvt_p}; +use crate::bn::BigNum; +use crate::pkey::{HasParams, Params}; +use crate::{cvt, cvt_p}; generic_foreign_type_and_impl_send_sync! { type CType = ffi::DH; @@ -80,13 +80,13 @@ impl Dh { } } -use ffi::DH_set0_pqg; +use crate::ffi::DH_set0_pqg; #[cfg(test)] mod tests { - use bn::BigNum; - use dh::Dh; - use ssl::{SslContext, SslMethod}; + use crate::bn::BigNum; + use crate::dh::Dh; + use crate::ssl::{SslContext, SslMethod}; #[test] fn test_dh() { diff --git a/boring/src/dsa.rs b/boring/src/dsa.rs index 350bdbc94..60c0c1970 100644 --- a/boring/src/dsa.rs +++ b/boring/src/dsa.rs @@ -5,17 +5,17 @@ //! using the private key that can be validated with the public key but not be generated //! without the private key. -use ffi; +use crate::ffi; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::c_uint; use std::fmt; use std::mem; use std::ptr; -use bn::{BigNum, BigNumRef}; -use error::ErrorStack; -use pkey::{HasParams, HasPrivate, HasPublic, Private, Public}; -use {cvt, cvt_p}; +use crate::bn::{BigNum, BigNumRef}; +use crate::error::ErrorStack; +use crate::pkey::{HasParams, HasPrivate, HasPublic, Private, Public}; +use crate::{cvt, cvt_p}; generic_foreign_type_and_impl_send_sync! { type CType = ffi::DSA; @@ -293,12 +293,12 @@ impl fmt::Debug for Dsa { } } -use ffi::{DSA_get0_key, DSA_get0_pqg, DSA_set0_key, DSA_set0_pqg}; +use crate::ffi::{DSA_get0_key, DSA_get0_pqg, DSA_set0_key, DSA_set0_pqg}; #[cfg(test)] mod test { use super::*; - use bn::BigNumContext; + use crate::bn::BigNumContext; #[test] pub fn test_generate() { diff --git a/boring/src/ec.rs b/boring/src/ec.rs index 37fe61158..b3824d69c 100644 --- a/boring/src/ec.rs +++ b/boring/src/ec.rs @@ -15,17 +15,17 @@ //! [`EcGroup`]: struct.EcGroup.html //! [`Nid`]: ../nid/struct.Nid.html //! [Eliptic Curve Cryptography]: https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography -use ffi; +use crate::ffi; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::c_int; use std::fmt; use std::ptr; -use bn::{BigNumContextRef, BigNumRef}; -use error::ErrorStack; -use nid::Nid; -use pkey::{HasParams, HasPrivate, HasPublic, Params, Private, Public}; -use {cvt, cvt_n, cvt_p, init}; +use crate::bn::{BigNumContextRef, BigNumRef}; +use crate::error::ErrorStack; +use crate::nid::Nid; +use crate::pkey::{HasParams, HasPrivate, HasPublic, Params, Private, Public}; +use crate::{cvt, cvt_n, cvt_p, init}; /// Compressed or Uncompressed conversion /// @@ -869,8 +869,8 @@ mod test { use hex::FromHex; use super::*; - use bn::{BigNum, BigNumContext}; - use nid::Nid; + use crate::bn::{BigNum, BigNumContext}; + use crate::nid::Nid; #[test] fn key_new_by_curve_name() { diff --git a/boring/src/ecdsa.rs b/boring/src/ecdsa.rs index 7ce1c3019..a9159fc99 100644 --- a/boring/src/ecdsa.rs +++ b/boring/src/ecdsa.rs @@ -1,16 +1,16 @@ //! Low level Elliptic Curve Digital Signature Algorithm (ECDSA) functions. -use ffi; +use crate::ffi; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_int, size_t}; use std::mem; use std::ptr; -use bn::{BigNum, BigNumRef}; -use ec::EcKeyRef; -use error::ErrorStack; -use pkey::{HasPrivate, HasPublic}; -use {cvt_n, cvt_p}; +use crate::bn::{BigNum, BigNumRef}; +use crate::ec::EcKeyRef; +use crate::error::ErrorStack; +use crate::pkey::{HasPrivate, HasPublic}; +use crate::{cvt_n, cvt_p}; foreign_type_and_impl_send_sync! { type CType = ffi::ECDSA_SIG; @@ -136,4 +136,4 @@ impl EcdsaSigRef { } } -use ffi::{ECDSA_SIG_get0, ECDSA_SIG_set0}; +use crate::ffi::{ECDSA_SIG_get0, ECDSA_SIG_set0}; diff --git a/boring/src/error.rs b/boring/src/error.rs index 8ffc0651c..8a09dd613 100644 --- a/boring/src/error.rs +++ b/boring/src/error.rs @@ -24,7 +24,7 @@ use std::io; use std::ptr; use std::str; -use ffi; +use crate::ffi; /// Collection of [`Error`]s from OpenSSL. /// diff --git a/boring/src/fips.rs b/boring/src/fips.rs index 374a82991..2d68633d7 100644 --- a/boring/src/fips.rs +++ b/boring/src/fips.rs @@ -3,9 +3,9 @@ //! See [OpenSSL's documentation] for details. //! //! [OpenSSL's documentation]: https://www.openssl.org/docs/fips/UserGuide-2.0.pdf -use cvt; -use error::ErrorStack; -use ffi; +use crate::cvt; +use crate::error::ErrorStack; +use crate::ffi; /// Moves the library into or out of the FIPS 140-2 mode of operation. /// diff --git a/boring/src/hash.rs b/boring/src/hash.rs index 3d5020266..aa84b5209 100644 --- a/boring/src/hash.rs +++ b/boring/src/hash.rs @@ -1,4 +1,4 @@ -use ffi; +use crate::ffi; use std::convert::TryInto; use std::fmt; use std::io; @@ -6,10 +6,10 @@ use std::io::prelude::*; use std::ops::{Deref, DerefMut}; use std::ptr; -use error::ErrorStack; -use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; -use nid::Nid; -use {cvt, cvt_p}; +use crate::error::ErrorStack; +use crate::ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; +use crate::nid::Nid; +use crate::{cvt, cvt_p}; #[derive(Copy, Clone, PartialEq, Eq)] pub struct MessageDigest(*const ffi::EVP_MD); diff --git a/boring/src/lib.rs b/boring/src/lib.rs index ec1aca522..ef268161f 100644 --- a/boring/src/lib.rs +++ b/boring/src/lib.rs @@ -17,11 +17,11 @@ extern crate hex; extern crate tempdir; #[doc(inline)] -pub use ffi::init; +pub use crate::ffi::init; use libc::{c_int, size_t}; -use error::ErrorStack; +use crate::error::ErrorStack; #[macro_use] mod macros; diff --git a/boring/src/macros.rs b/boring/src/macros.rs index 8023d57e2..858341ecc 100644 --- a/boring/src/macros.rs +++ b/boring/src/macros.rs @@ -3,10 +3,10 @@ macro_rules! private_key_from_pem { from_pem!($(#[$m])* $n, $t, $f); $(#[$m2])* - pub fn $n2(pem: &[u8], passphrase: &[u8]) -> Result<$t, ::error::ErrorStack> { + pub fn $n2(pem: &[u8], passphrase: &[u8]) -> Result<$t, crate::error::ErrorStack> { unsafe { ffi::init(); - let bio = ::bio::MemBioSlice::new(pem)?; + let bio = crate::bio::MemBioSlice::new(pem)?; let passphrase = ::std::ffi::CString::new(passphrase).unwrap(); cvt_p($f(bio.as_ptr(), ptr::null_mut(), @@ -17,16 +17,16 @@ macro_rules! private_key_from_pem { } $(#[$m3])* - pub fn $n3(pem: &[u8], callback: F) -> Result<$t, ::error::ErrorStack> - where F: FnOnce(&mut [u8]) -> Result + pub fn $n3(pem: &[u8], callback: F) -> Result<$t, crate::error::ErrorStack> + where F: FnOnce(&mut [u8]) -> Result { unsafe { ffi::init(); - let mut cb = ::util::CallbackState::new(callback); - let bio = ::bio::MemBioSlice::new(pem)?; + let mut cb = crate::util::CallbackState::new(callback); + let bio = crate::bio::MemBioSlice::new(pem)?; cvt_p($f(bio.as_ptr(), ptr::null_mut(), - Some(::util::invoke_passwd_cb::), + Some(crate::util::invoke_passwd_cb::), &mut cb as *mut _ as *mut _)) .map(|p| ::foreign_types::ForeignType::from_ptr(p)) } @@ -37,9 +37,9 @@ macro_rules! private_key_from_pem { macro_rules! private_key_to_pem { ($(#[$m:meta])* $n:ident, $(#[$m2:meta])* $n2:ident, $f:path) => { $(#[$m])* - pub fn $n(&self) -> Result, ::error::ErrorStack> { + pub fn $n(&self) -> Result, crate::error::ErrorStack> { unsafe { - let bio = ::bio::MemBio::new()?; + let bio = crate::bio::MemBio::new()?; cvt($f(bio.as_ptr(), self.as_ptr(), ptr::null(), @@ -54,11 +54,11 @@ macro_rules! private_key_to_pem { $(#[$m2])* pub fn $n2( &self, - cipher: ::symm::Cipher, + cipher: crate::symm::Cipher, passphrase: &[u8] - ) -> Result, ::error::ErrorStack> { + ) -> Result, crate::error::ErrorStack> { unsafe { - let bio = ::bio::MemBio::new()?; + let bio = crate::bio::MemBio::new()?; assert!(passphrase.len() <= ::libc::c_int::max_value() as usize); cvt($f(bio.as_ptr(), self.as_ptr(), @@ -76,9 +76,9 @@ macro_rules! private_key_to_pem { macro_rules! to_pem { ($(#[$m:meta])* $n:ident, $f:path) => { $(#[$m])* - pub fn $n(&self) -> Result, ::error::ErrorStack> { + pub fn $n(&self) -> Result, crate::error::ErrorStack> { unsafe { - let bio = ::bio::MemBio::new()?; + let bio = crate::bio::MemBio::new()?; cvt($f(bio.as_ptr(), self.as_ptr()))?; Ok(bio.get_buf().to_owned()) } @@ -89,12 +89,12 @@ macro_rules! to_pem { macro_rules! to_der { ($(#[$m:meta])* $n:ident, $f:path) => { $(#[$m])* - pub fn $n(&self) -> Result, ::error::ErrorStack> { + pub fn $n(&self) -> Result, crate::error::ErrorStack> { unsafe { - let len = ::cvt($f(::foreign_types::ForeignTypeRef::as_ptr(self), + let len = crate::cvt($f(::foreign_types::ForeignTypeRef::as_ptr(self), ptr::null_mut()))?; let mut buf = vec![0; len as usize]; - ::cvt($f(::foreign_types::ForeignTypeRef::as_ptr(self), + crate::cvt($f(::foreign_types::ForeignTypeRef::as_ptr(self), &mut buf.as_mut_ptr()))?; Ok(buf) } @@ -105,11 +105,11 @@ macro_rules! to_der { macro_rules! from_der { ($(#[$m:meta])* $n:ident, $t:ty, $f:path, $len_ty:ty) => { $(#[$m])* - pub fn $n(der: &[u8]) -> Result<$t, ::error::ErrorStack> { + pub fn $n(der: &[u8]) -> Result<$t, crate::error::ErrorStack> { unsafe { - ::ffi::init(); + crate::ffi::init(); let len = ::std::cmp::min(der.len(), <$len_ty>::max_value() as usize) as $len_ty; - ::cvt_p($f(::std::ptr::null_mut(), &mut der.as_ptr(), len)) + crate::cvt_p($f(::std::ptr::null_mut(), &mut der.as_ptr(), len)) .map(|p| ::foreign_types::ForeignType::from_ptr(p)) } } @@ -119,10 +119,10 @@ macro_rules! from_der { macro_rules! from_pem { ($(#[$m:meta])* $n:ident, $t:ty, $f:path) => { $(#[$m])* - pub fn $n(pem: &[u8]) -> Result<$t, ::error::ErrorStack> { + pub fn $n(pem: &[u8]) -> Result<$t, crate::error::ErrorStack> { unsafe { - ::init(); - let bio = ::bio::MemBioSlice::new(pem)?; + crate::init(); + let bio = crate::bio::MemBioSlice::new(pem)?; cvt_p($f(bio.as_ptr(), ::std::ptr::null_mut(), None, ::std::ptr::null_mut())) .map(|p| ::foreign_types::ForeignType::from_ptr(p)) } diff --git a/boring/src/memcmp.rs b/boring/src/memcmp.rs index 76286dc41..c00b55409 100644 --- a/boring/src/memcmp.rs +++ b/boring/src/memcmp.rs @@ -29,7 +29,7 @@ //! assert!(!eq(&a, &b)); //! assert!(!eq(&a, &c)); //! ``` -use ffi; +use crate::ffi; use libc::size_t; /// Returns `true` iff `a` and `b` contain the same bytes. diff --git a/boring/src/nid.rs b/boring/src/nid.rs index 94ac988e6..52b0c2d6e 100644 --- a/boring/src/nid.rs +++ b/boring/src/nid.rs @@ -1,12 +1,12 @@ //! A collection of numerical identifiers for OpenSSL objects. -use ffi; +use crate::ffi; use libc::{c_char, c_int}; use std::ffi::CStr; use std::str; -use cvt_p; -use error::ErrorStack; +use crate::cvt_p; +use crate::error::ErrorStack; /// The digest and public-key algorithms associated with a signature. pub struct SignatureAlgorithms { diff --git a/boring/src/pkcs12.rs b/boring/src/pkcs12.rs index cbfe1bf85..fa01874d8 100644 --- a/boring/src/pkcs12.rs +++ b/boring/src/pkcs12.rs @@ -1,17 +1,17 @@ //! PKCS #12 archives. -use ffi; +use crate::ffi; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::c_int; use std::ffi::CString; use std::ptr; -use error::ErrorStack; -use nid::Nid; -use pkey::{HasPrivate, PKey, PKeyRef, Private}; -use stack::Stack; -use x509::{X509Ref, X509}; -use {cvt_0i, cvt_p}; +use crate::error::ErrorStack; +use crate::nid::Nid; +use crate::pkey::{HasPrivate, PKey, PKeyRef, Private}; +use crate::stack::Stack; +use crate::x509::{X509Ref, X509}; +use crate::{cvt_0i, cvt_p}; pub const PKCS12_DEFAULT_ITER: c_int = 2048; @@ -203,15 +203,15 @@ impl Pkcs12Builder { #[cfg(test)] mod test { - use hash::MessageDigest; + use crate::hash::MessageDigest; use hex; - use asn1::Asn1Time; - use nid::Nid; - use pkey::PKey; - use rsa::Rsa; - use x509::extension::KeyUsage; - use x509::{X509Name, X509}; + use crate::asn1::Asn1Time; + use crate::nid::Nid; + use crate::pkey::PKey; + use crate::rsa::Rsa; + use crate::x509::extension::KeyUsage; + use crate::x509::{X509Name, X509}; use super::*; diff --git a/boring/src/pkcs5.rs b/boring/src/pkcs5.rs index 1d19f9fac..8503d0b34 100644 --- a/boring/src/pkcs5.rs +++ b/boring/src/pkcs5.rs @@ -1,11 +1,11 @@ -use ffi; +use crate::ffi; use libc::{c_int, c_uint}; use std::ptr; -use cvt; -use error::ErrorStack; -use hash::MessageDigest; -use symm::Cipher; +use crate::cvt; +use crate::error::ErrorStack; +use crate::hash::MessageDigest; +use crate::symm::Cipher; #[derive(Clone, Eq, PartialEq, Hash, Debug)] pub struct KeyIvPair { @@ -139,8 +139,8 @@ pub fn scrypt( #[cfg(test)] mod tests { - use hash::MessageDigest; - use symm::Cipher; + use crate::hash::MessageDigest; + use crate::symm::Cipher; // Test vectors from // https://git.lysator.liu.se/nettle/nettle/blob/nettle_3.1.1_release_20150424/testsuite/pbkdf2-test.c diff --git a/boring/src/pkey.rs b/boring/src/pkey.rs index 354c3314a..52169d145 100644 --- a/boring/src/pkey.rs +++ b/boring/src/pkey.rs @@ -40,7 +40,7 @@ //! println!("{:?}", str::from_utf8(pub_key.as_slice()).unwrap()); //! ``` -use ffi; +use crate::ffi; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_int, c_long}; use std::ffi::CString; @@ -48,14 +48,14 @@ use std::fmt; use std::mem; use std::ptr; -use bio::MemBioSlice; -use dh::Dh; -use dsa::Dsa; -use ec::EcKey; -use error::ErrorStack; -use rsa::Rsa; -use util::{invoke_passwd_cb, CallbackState}; -use {cvt, cvt_p}; +use crate::bio::MemBioSlice; +use crate::dh::Dh; +use crate::dsa::Dsa; +use crate::ec::EcKey; +use crate::error::ErrorStack; +use crate::rsa::Rsa; +use crate::util::{invoke_passwd_cb, CallbackState}; +use crate::{cvt, cvt_p}; /// A tag type indicating that a key only has parameters. pub enum Params {} @@ -480,14 +480,14 @@ impl PKey { } } -use ffi::EVP_PKEY_up_ref; +use crate::ffi::EVP_PKEY_up_ref; #[cfg(test)] mod tests { - use ec::EcKey; - use nid::Nid; - use rsa::Rsa; - use symm::Cipher; + use crate::ec::EcKey; + use crate::nid::Nid; + use crate::rsa::Rsa; + use crate::symm::Cipher; use super::*; diff --git a/boring/src/rand.rs b/boring/src/rand.rs index fbb4fe9a3..c551b2f9e 100644 --- a/boring/src/rand.rs +++ b/boring/src/rand.rs @@ -10,11 +10,11 @@ //! let mut buf = [0; 256]; //! rand_bytes(&mut buf).unwrap(); //! ``` -use ffi; +use crate::ffi; use libc::c_int; -use cvt; -use error::ErrorStack; +use crate::cvt; +use crate::error::ErrorStack; /// Fill buffer with cryptographically strong pseudo-random bytes. /// diff --git a/boring/src/rsa.rs b/boring/src/rsa.rs index cedf75c48..01f460ff8 100644 --- a/boring/src/rsa.rs +++ b/boring/src/rsa.rs @@ -23,17 +23,17 @@ //! let mut buf = vec![0; rsa.size() as usize]; //! let encrypted_len = rsa.public_encrypt(data, &mut buf, Padding::PKCS1).unwrap(); //! ``` -use ffi; +use crate::ffi; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::c_int; use std::fmt; use std::mem; use std::ptr; -use bn::{BigNum, BigNumRef}; -use error::ErrorStack; -use pkey::{HasPrivate, HasPublic, Private, Public}; -use {cvt, cvt_n, cvt_p}; +use crate::bn::{BigNum, BigNumRef}; +use crate::error::ErrorStack; +use crate::pkey::{HasPrivate, HasPublic, Private, Public}; +use crate::{cvt, cvt_n, cvt_p}; pub const EVP_PKEY_OP_SIGN: c_int = 1 << 3; pub const EVP_PKEY_OP_VERIFY: c_int = 1 << 4; @@ -689,14 +689,14 @@ impl fmt::Debug for Rsa { } } -use ffi::{ +use crate::ffi::{ RSA_get0_crt_params, RSA_get0_factors, RSA_get0_key, RSA_set0_crt_params, RSA_set0_factors, RSA_set0_key, }; #[cfg(test)] mod test { - use symm::Cipher; + use crate::symm::Cipher; use super::*; diff --git a/boring/src/sha.rs b/boring/src/sha.rs index ec1e4f51f..358089090 100644 --- a/boring/src/sha.rs +++ b/boring/src/sha.rs @@ -43,7 +43,7 @@ //! println!("Hash = {}", hex::encode(hash)); //! } //! ``` -use ffi; +use crate::ffi; use libc::c_void; use std::mem; diff --git a/boring/src/sign.rs b/boring/src/sign.rs index 7f1838cc6..5bfa2bc44 100644 --- a/boring/src/sign.rs +++ b/boring/src/sign.rs @@ -34,20 +34,20 @@ //! verifier.update(data2).unwrap(); //! assert!(verifier.verify(&signature).unwrap()); //! ``` -use ffi; +use crate::ffi; use foreign_types::ForeignTypeRef; use libc::c_int; use std::io::{self, Write}; use std::marker::PhantomData; use std::ptr; -use error::ErrorStack; -use hash::MessageDigest; -use pkey::{HasPrivate, HasPublic, PKeyRef}; -use rsa::Padding; -use {cvt, cvt_p}; +use crate::error::ErrorStack; +use crate::hash::MessageDigest; +use crate::pkey::{HasPrivate, HasPublic, PKeyRef}; +use crate::rsa::Padding; +use crate::{cvt, cvt_p}; -use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; +use crate::ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; /// Salt lengths that must be used with `set_rsa_pss_saltlen`. pub struct RsaPssSaltlen(c_int); @@ -571,19 +571,19 @@ impl<'a> Write for Verifier<'a> { } } -use ffi::EVP_DigestVerifyFinal; +use crate::ffi::EVP_DigestVerifyFinal; #[cfg(test)] mod test { use super::RsaPssSaltlen; use hex::{self, FromHex}; - use ec::{EcGroup, EcKey}; - use hash::MessageDigest; - use nid::Nid; - use pkey::PKey; - use rsa::{Padding, Rsa}; - use sign::{Signer, Verifier}; + use crate::ec::{EcGroup, EcKey}; + use crate::hash::MessageDigest; + use crate::nid::Nid; + use crate::pkey::PKey; + use crate::rsa::{Padding, Rsa}; + use crate::sign::{Signer, Verifier}; const INPUT: &str = "65794a68624763694f694a53557a49314e694a392e65794a7063334d694f694a71623255694c41304b49434a6c\ diff --git a/boring/src/srtp.rs b/boring/src/srtp.rs index cbb56fbb4..1cd5983a7 100644 --- a/boring/src/srtp.rs +++ b/boring/src/srtp.rs @@ -1,7 +1,7 @@ -use ffi; +use crate::ffi; +use crate::stack::Stackable; use foreign_types::ForeignTypeRef; use libc::c_ulong; -use stack::Stackable; use std::ffi::CStr; use std::str; diff --git a/boring/src/ssl/bio.rs b/boring/src/ssl/bio.rs index 9d02fc00e..8f17ea841 100644 --- a/boring/src/ssl/bio.rs +++ b/boring/src/ssl/bio.rs @@ -1,4 +1,4 @@ -use ffi::{ +use crate::ffi::{ self, BIO_clear_retry_flags, BIO_new, BIO_set_retry_read, BIO_set_retry_write, BIO, BIO_CTRL_DGRAM_QUERY_MTU, BIO_CTRL_FLUSH, }; @@ -10,8 +10,8 @@ use std::panic::{catch_unwind, AssertUnwindSafe}; use std::ptr; use std::slice; -use cvt_p; -use error::ErrorStack; +use crate::cvt_p; +use crate::error::ErrorStack; pub struct StreamState { pub stream: S, @@ -208,7 +208,7 @@ unsafe extern "C" fn destroy(bio: *mut BIO) -> c_int { 1 } -use ffi::{BIO_get_data, BIO_set_data, BIO_set_flags, BIO_set_init}; +use crate::ffi::{BIO_get_data, BIO_set_data, BIO_set_flags, BIO_set_init}; #[allow(bad_style)] unsafe fn BIO_set_num(_bio: *mut ffi::BIO, _num: c_int) {} diff --git a/boring/src/ssl/callbacks.rs b/boring/src/ssl/callbacks.rs index 64e7a05e4..d3293cb3f 100644 --- a/boring/src/ssl/callbacks.rs +++ b/boring/src/ssl/callbacks.rs @@ -1,4 +1,4 @@ -use ffi; +use crate::ffi; use foreign_types::ForeignType; use foreign_types::ForeignTypeRef; use libc::c_char; @@ -10,14 +10,14 @@ use std::slice; use std::str; use std::sync::Arc; -use error::ErrorStack; -use ssl::AlpnError; -use ssl::{ClientHello, SelectCertError}; -use ssl::{ +use crate::error::ErrorStack; +use crate::ssl::AlpnError; +use crate::ssl::{ClientHello, SelectCertError}; +use crate::ssl::{ SniError, Ssl, SslAlert, SslContext, SslContextRef, SslRef, SslSession, SslSessionRef, SESSION_CTX_INDEX, }; -use x509::{X509StoreContext, X509StoreContextRef}; +use crate::x509::{X509StoreContext, X509StoreContextRef}; pub extern "C" fn raw_verify(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) -> c_int where diff --git a/boring/src/ssl/connector.rs b/boring/src/ssl/connector.rs index 12e486c89..f92874597 100644 --- a/boring/src/ssl/connector.rs +++ b/boring/src/ssl/connector.rs @@ -1,13 +1,13 @@ use std::io::{Read, Write}; use std::ops::{Deref, DerefMut}; -use dh::Dh; -use error::ErrorStack; -use ssl::{ +use crate::dh::Dh; +use crate::error::ErrorStack; +use crate::ssl::{ HandshakeError, Ssl, SslContext, SslContextBuilder, SslContextRef, SslMethod, SslMode, SslOptions, SslRef, SslStream, SslVerifyMode, }; -use version; +use crate::version; const FFDHE_2048: &str = " -----BEGIN DH PARAMETERS----- @@ -326,7 +326,7 @@ fn setup_verify(ctx: &mut SslContextBuilder) { } fn setup_verify_hostname(ssl: &mut SslRef, domain: &str) -> Result<(), ErrorStack> { - use x509::verify::X509CheckFlags; + use crate::x509::verify::X509CheckFlags; let param = ssl.param_mut(); param.set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS); diff --git a/boring/src/ssl/error.rs b/boring/src/ssl/error.rs index cfc32489b..f7772916b 100644 --- a/boring/src/ssl/error.rs +++ b/boring/src/ssl/error.rs @@ -1,13 +1,13 @@ -use ffi; +use crate::ffi; use libc::c_int; use std::error; use std::error::Error as StdError; use std::fmt; use std::io; -use error::ErrorStack; -use ssl::MidHandshakeSslStream; -use x509::X509VerifyResult; +use crate::error::ErrorStack; +use crate::ssl::MidHandshakeSslStream; +use crate::x509::X509VerifyResult; /// An error code returned from SSL functions. #[derive(Debug, Copy, Clone, PartialEq, Eq)] diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs index 633d9e656..f47806ef2 100644 --- a/boring/src/ssl/mod.rs +++ b/boring/src/ssl/mod.rs @@ -57,7 +57,7 @@ //! } //! } //! ``` -use ffi; +use crate::ffi; use foreign_types::{ForeignType, ForeignTypeRef, Opaque}; use libc::{c_char, c_int, c_long, c_uchar, c_uint, c_void}; use std::any::TypeId; @@ -78,26 +78,26 @@ use std::slice; use std::str; use std::sync::{Arc, Mutex}; -use dh::DhRef; -use ec::EcKeyRef; -use error::ErrorStack; -use ex_data::Index; -use nid::Nid; -use pkey::{HasPrivate, PKeyRef, Params, Private}; -use srtp::{SrtpProtectionProfile, SrtpProtectionProfileRef}; -use ssl::bio::BioMethod; -use ssl::callbacks::*; -use ssl::error::InnerError; -use stack::{Stack, StackRef}; -use x509::store::{X509Store, X509StoreBuilderRef, X509StoreRef}; -use x509::verify::X509VerifyParamRef; -use x509::{X509Name, X509Ref, X509StoreContextRef, X509VerifyResult, X509}; -use {cvt, cvt_0i, cvt_n, cvt_p, init}; - -pub use ssl::connector::{ +use crate::dh::DhRef; +use crate::ec::EcKeyRef; +use crate::error::ErrorStack; +use crate::ex_data::Index; +use crate::nid::Nid; +use crate::pkey::{HasPrivate, PKeyRef, Params, Private}; +use crate::srtp::{SrtpProtectionProfile, SrtpProtectionProfileRef}; +use crate::ssl::bio::BioMethod; +use crate::ssl::callbacks::*; +use crate::ssl::error::InnerError; +use crate::stack::{Stack, StackRef}; +use crate::x509::store::{X509Store, X509StoreBuilderRef, X509StoreRef}; +use crate::x509::verify::X509VerifyParamRef; +use crate::x509::{X509Name, X509Ref, X509StoreContextRef, X509VerifyResult, X509}; +use crate::{cvt, cvt_0i, cvt_n, cvt_p, init}; + +pub use crate::ssl::connector::{ ConnectConfiguration, SslAcceptor, SslAcceptorBuilder, SslConnector, SslConnectorBuilder, }; -pub use ssl::error::{Error, ErrorCode, HandshakeError}; +pub use crate::ssl::error::{Error, ErrorCode, HandshakeError}; mod bio; mod callbacks; @@ -3377,9 +3377,9 @@ bitflags! { } } -use ffi::{SSL_CTX_up_ref, SSL_SESSION_get_master_key, SSL_SESSION_up_ref, SSL_is_server}; +use crate::ffi::{SSL_CTX_up_ref, SSL_SESSION_get_master_key, SSL_SESSION_up_ref, SSL_is_server}; -use ffi::{DTLS_method, TLS_client_method, TLS_method, TLS_server_method}; +use crate::ffi::{DTLS_method, TLS_client_method, TLS_method, TLS_server_method}; use std::sync::Once; diff --git a/boring/src/ssl/test/mod.rs b/boring/src/ssl/test/mod.rs index 87a6c87d8..b465634b1 100644 --- a/boring/src/ssl/test/mod.rs +++ b/boring/src/ssl/test/mod.rs @@ -16,23 +16,23 @@ use std::thread; use std::time::Duration; use tempdir::TempDir; -use dh::Dh; -use error::ErrorStack; -use hash::MessageDigest; -use pkey::PKey; -use srtp::SrtpProfileId; -use ssl; -use ssl::test::server::Server; -use ssl::SslVersion; -use ssl::{ +use crate::dh::Dh; +use crate::error::ErrorStack; +use crate::hash::MessageDigest; +use crate::pkey::PKey; +use crate::srtp::SrtpProfileId; +use crate::ssl; +use crate::ssl::test::server::Server; +use crate::ssl::SslVersion; +use crate::ssl::{ Error, ExtensionType, HandshakeError, MidHandshakeSslStream, ShutdownResult, ShutdownState, Ssl, SslAcceptor, SslAcceptorBuilder, SslConnector, SslContext, SslContextBuilder, SslFiletype, SslMethod, SslOptions, SslSessionCacheMode, SslStream, SslStreamBuilder, SslVerifyMode, StatusType, }; -use x509::store::X509StoreBuilder; -use x509::verify::X509CheckFlags; -use x509::{X509Name, X509StoreContext, X509VerifyResult, X509}; +use crate::x509::store::X509StoreBuilder; +use crate::x509::verify::X509CheckFlags; +use crate::x509::{X509Name, X509StoreContext, X509VerifyResult, X509}; mod server; diff --git a/boring/src/ssl/test/server.rs b/boring/src/ssl/test/server.rs index fe24531e1..41677e576 100644 --- a/boring/src/ssl/test/server.rs +++ b/boring/src/ssl/test/server.rs @@ -2,7 +2,7 @@ use std::io::{Read, Write}; use std::net::{SocketAddr, TcpListener, TcpStream}; use std::thread::{self, JoinHandle}; -use ssl::{Ssl, SslContext, SslContextBuilder, SslFiletype, SslMethod, SslRef, SslStream}; +use crate::ssl::{Ssl, SslContext, SslContextBuilder, SslFiletype, SslMethod, SslRef, SslStream}; pub struct Server { handle: Option>, diff --git a/boring/src/stack.rs b/boring/src/stack.rs index 70f366f68..1570eb878 100644 --- a/boring/src/stack.rs +++ b/boring/src/stack.rs @@ -1,4 +1,4 @@ -use ffi; +use crate::ffi; use foreign_types::{ForeignType, ForeignTypeRef, Opaque}; use libc::size_t; use std::borrow::Borrow; @@ -9,10 +9,10 @@ use std::marker::PhantomData; use std::mem; use std::ops::{Deref, DerefMut, Index, IndexMut, Range}; -use error::ErrorStack; -use {cvt_0, cvt_p}; +use crate::error::ErrorStack; +use crate::{cvt_0, cvt_p}; -use ffi::{ +use crate::ffi::{ sk_free as OPENSSL_sk_free, sk_new_null as OPENSSL_sk_new_null, sk_num as OPENSSL_sk_num, sk_pop as OPENSSL_sk_pop, sk_push as OPENSSL_sk_push, sk_value as OPENSSL_sk_value, _STACK as OPENSSL_STACK, diff --git a/boring/src/string.rs b/boring/src/string.rs index 6416283da..0865c3e89 100644 --- a/boring/src/string.rs +++ b/boring/src/string.rs @@ -1,4 +1,4 @@ -use ffi; +use crate::ffi; use foreign_types::ForeignTypeRef; use libc::{c_char, c_void}; use std::convert::AsRef; @@ -7,7 +7,7 @@ use std::fmt; use std::ops::Deref; use std::str; -use stack::Stackable; +use crate::stack::Stackable; foreign_type_and_impl_send_sync! { type CType = c_char; @@ -81,5 +81,5 @@ impl fmt::Debug for OpensslStringRef { } unsafe fn free(buf: *mut c_char) { - ::ffi::OPENSSL_free(buf as *mut c_void); + crate::ffi::OPENSSL_free(buf as *mut c_void); } diff --git a/boring/src/symm.rs b/boring/src/symm.rs index 67d80e07c..55a60999d 100644 --- a/boring/src/symm.rs +++ b/boring/src/symm.rs @@ -52,14 +52,14 @@ //! println!("Decrypted: '{}'", output_string); //! ``` -use ffi; +use crate::ffi; use libc::{c_int, c_uint}; use std::cmp; use std::ptr; -use error::ErrorStack; -use nid::Nid; -use {cvt, cvt_p}; +use crate::error::ErrorStack; +use crate::nid::Nid; +use crate::{cvt, cvt_p}; #[derive(Copy, Clone)] pub enum Mode { @@ -684,7 +684,7 @@ pub fn decrypt_aead( Ok(out) } -use ffi::{EVP_CIPHER_block_size, EVP_CIPHER_iv_length, EVP_CIPHER_key_length}; +use crate::ffi::{EVP_CIPHER_block_size, EVP_CIPHER_iv_length, EVP_CIPHER_key_length}; #[cfg(test)] mod tests { diff --git a/boring/src/util.rs b/boring/src/util.rs index cda43755b..21591d2f4 100644 --- a/boring/src/util.rs +++ b/boring/src/util.rs @@ -3,7 +3,7 @@ use std::any::Any; use std::panic::{self, AssertUnwindSafe}; use std::slice; -use error::ErrorStack; +use crate::error::ErrorStack; /// Wraps a user-supplied callback and a slot for panics thrown inside the callback (while FFI /// frames are on the stack). diff --git a/boring/src/version.rs b/boring/src/version.rs index cf9cb84da..821441bd6 100644 --- a/boring/src/version.rs +++ b/boring/src/version.rs @@ -13,7 +13,7 @@ use std::ffi::CStr; -use ffi::{ +use crate::ffi::{ OpenSSL_version, OpenSSL_version_num, OPENSSL_BUILT_ON, OPENSSL_CFLAGS, OPENSSL_DIR, OPENSSL_PLATFORM, OPENSSL_VERSION, }; diff --git a/boring/src/x509/extension.rs b/boring/src/x509/extension.rs index 24cb89033..8bc33a44f 100644 --- a/boring/src/x509/extension.rs +++ b/boring/src/x509/extension.rs @@ -17,9 +17,9 @@ //! ``` use std::fmt::Write; -use error::ErrorStack; -use nid::Nid; -use x509::{X509Extension, X509v3Context}; +use crate::error::ErrorStack; +use crate::nid::Nid; +use crate::x509::{X509Extension, X509v3Context}; /// An extension which indicates whether a certificate is a CA certificate. pub struct BasicConstraints { diff --git a/boring/src/x509/mod.rs b/boring/src/x509/mod.rs index 6771164e3..0257b6ea7 100644 --- a/boring/src/x509/mod.rs +++ b/boring/src/x509/mod.rs @@ -7,7 +7,7 @@ //! Internet protocols, including SSL/TLS, which is the basis for HTTPS, //! the secure protocol for browsing the web. -use ffi; +use crate::ffi; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_int, c_long}; use std::convert::TryInto; @@ -21,18 +21,18 @@ use std::ptr; use std::slice; use std::str; -use asn1::{Asn1BitStringRef, Asn1IntegerRef, Asn1ObjectRef, Asn1StringRef, Asn1TimeRef}; -use bio::MemBioSlice; -use conf::ConfRef; -use error::ErrorStack; -use ex_data::Index; -use hash::{DigestBytes, MessageDigest}; -use nid::Nid; -use pkey::{HasPrivate, HasPublic, PKey, PKeyRef, Public}; -use ssl::SslRef; -use stack::{Stack, StackRef, Stackable}; -use string::OpensslString; -use {cvt, cvt_n, cvt_p}; +use crate::asn1::{Asn1BitStringRef, Asn1IntegerRef, Asn1ObjectRef, Asn1StringRef, Asn1TimeRef}; +use crate::bio::MemBioSlice; +use crate::conf::ConfRef; +use crate::error::ErrorStack; +use crate::ex_data::Index; +use crate::hash::{DigestBytes, MessageDigest}; +use crate::nid::Nid; +use crate::pkey::{HasPrivate, HasPublic, PKey, PKeyRef, Public}; +use crate::ssl::SslRef; +use crate::stack::{Stack, StackRef, Stackable}; +use crate::string::OpensslString; +use crate::{cvt, cvt_n, cvt_p}; pub mod extension; pub mod store; @@ -1418,14 +1418,14 @@ impl Stackable for X509Object { type StackType = ffi::stack_st_X509_OBJECT; } -use ffi::{X509_get0_signature, X509_getm_notAfter, X509_getm_notBefore, X509_up_ref}; +use crate::ffi::{X509_get0_signature, X509_getm_notAfter, X509_getm_notBefore, X509_up_ref}; -use ffi::{ +use crate::ffi::{ ASN1_STRING_get0_data, X509_ALGOR_get0, X509_REQ_get_subject_name, X509_REQ_get_version, X509_STORE_CTX_get0_chain, X509_set1_notAfter, X509_set1_notBefore, }; -use ffi::X509_OBJECT_get0_X509; +use crate::ffi::X509_OBJECT_get0_X509; #[allow(bad_style)] unsafe fn X509_OBJECT_free(x: *mut ffi::X509_OBJECT) { diff --git a/boring/src/x509/store.rs b/boring/src/x509/store.rs index 267451de3..f14470f5c 100644 --- a/boring/src/x509/store.rs +++ b/boring/src/x509/store.rs @@ -34,14 +34,14 @@ //! let store: X509Store = builder.build(); //! ``` -use ffi; +use crate::ffi; use foreign_types::ForeignTypeRef; use std::mem; -use error::ErrorStack; -use stack::StackRef; -use x509::{X509Object, X509}; -use {cvt, cvt_p}; +use crate::error::ErrorStack; +use crate::stack::StackRef; +use crate::x509::{X509Object, X509}; +use crate::{cvt, cvt_p}; foreign_type_and_impl_send_sync! { type CType = ffi::X509_STORE; @@ -107,4 +107,4 @@ impl X509StoreRef { } } -use ffi::X509_STORE_get0_objects; +use crate::ffi::X509_STORE_get0_objects; diff --git a/boring/src/x509/tests.rs b/boring/src/x509/tests.rs index 0541e9f4f..3d942aaa7 100644 --- a/boring/src/x509/tests.rs +++ b/boring/src/x509/tests.rs @@ -1,18 +1,18 @@ use hex::{self, FromHex}; -use asn1::Asn1Time; -use bn::{BigNum, MsbOption}; -use hash::MessageDigest; -use nid::Nid; -use pkey::{PKey, Private}; -use rsa::Rsa; -use stack::Stack; -use x509::extension::{ +use crate::asn1::Asn1Time; +use crate::bn::{BigNum, MsbOption}; +use crate::hash::MessageDigest; +use crate::nid::Nid; +use crate::pkey::{PKey, Private}; +use crate::rsa::Rsa; +use crate::stack::Stack; +use crate::x509::extension::{ AuthorityKeyIdentifier, BasicConstraints, ExtendedKeyUsage, KeyUsage, SubjectAlternativeName, SubjectKeyIdentifier, }; -use x509::store::X509StoreBuilder; -use x509::{X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; +use crate::x509::store::X509StoreBuilder; +use crate::x509::{X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; fn pkey() -> PKey { let rsa = Rsa::generate(2048).unwrap(); diff --git a/boring/src/x509/verify.rs b/boring/src/x509/verify.rs index 2dda373aa..3b66fd34f 100644 --- a/boring/src/x509/verify.rs +++ b/boring/src/x509/verify.rs @@ -1,10 +1,10 @@ -use ffi; +use crate::ffi; use foreign_types::ForeignTypeRef; use libc::c_uint; use std::net::IpAddr; -use cvt; -use error::ErrorStack; +use crate::cvt; +use crate::error::ErrorStack; bitflags! { /// Flags used to check an `X509` certificate. From c037a438f8d7b91533524570237afcfeffffe496 Mon Sep 17 00:00:00 2001 From: Joshua Nelson Date: Thu, 12 Aug 2021 11:32:28 -0500 Subject: [PATCH 11/21] Switch to 2018 edition in boring --- boring/Cargo.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/boring/Cargo.toml b/boring/Cargo.toml index 963dab972..8f550c546 100644 --- a/boring/Cargo.toml +++ b/boring/Cargo.toml @@ -9,6 +9,7 @@ documentation = "https://docs.rs/boring" readme = "README.md" keywords = ["crypto", "tls", "ssl", "dtls"] categories = ["cryptography", "api-bindings"] +edition = "2018" [dependencies] bitflags = "1.0" From e46378d4defc3a4f9ae13fd7ba047f65e124c7e3 Mon Sep 17 00:00:00 2001 From: Joshua Nelson Date: Mon, 9 Aug 2021 16:35:27 -0500 Subject: [PATCH 12/21] Update dependencies In particular, this updates `foreign-types`, which had a lot of breaking changes. - `ForeignType` is now an unsafe trait - `*Ref` types no longer need a separate macro call, they're generated automatically - Generated types now store `NonNull` instead of `*mut T` --- boring/Cargo.toml | 6 +++--- boring/src/bn.rs | 2 +- boring/src/conf.rs | 3 ++- boring/src/ec.rs | 8 +++++--- boring/src/macros.rs | 20 +++++++------------- boring/src/pkcs12.rs | 2 +- boring/src/ssl/mod.rs | 8 ++++---- boring/src/stack.rs | 4 ++-- boring/src/x509/mod.rs | 16 +++++++++------- boring/src/x509/store.rs | 4 ++-- 10 files changed, 36 insertions(+), 37 deletions(-) diff --git a/boring/Cargo.toml b/boring/Cargo.toml index 8f550c546..a7eb1a7f3 100644 --- a/boring/Cargo.toml +++ b/boring/Cargo.toml @@ -13,12 +13,12 @@ edition = "2018" [dependencies] bitflags = "1.0" -foreign-types = "0.3.1" +foreign-types = "0.5" lazy_static = "1" libc = "0.2" boring-sys = { version = "1.1.0", path = "../boring-sys" } [dev-dependencies] tempdir = "0.3" -hex = "0.3" -rusty-hook = "^0.10.1" +hex = "0.4" +rusty-hook = "^0.11" diff --git a/boring/src/bn.rs b/boring/src/bn.rs index 5b63e63fd..7c4e47821 100644 --- a/boring/src/bn.rs +++ b/boring/src/bn.rs @@ -80,7 +80,7 @@ impl BigNumContext { pub fn new() -> Result { unsafe { ffi::init(); - cvt_p(ffi::BN_CTX_new()).map(BigNumContext) + cvt_p(ffi::BN_CTX_new()).map(|p| BigNumContext::from_ptr(p)) } } } diff --git a/boring/src/conf.rs b/boring/src/conf.rs index 1b041b564..660dc26e5 100644 --- a/boring/src/conf.rs +++ b/boring/src/conf.rs @@ -1,5 +1,6 @@ //! Interface for processing OpenSSL configuration files. use crate::ffi; +use foreign_types::ForeignType; use libc::c_void; use crate::cvt_p; @@ -34,6 +35,6 @@ foreign_type_and_impl_send_sync! { impl Conf { /// Create a configuration parser. pub fn new(method: ConfMethod) -> Result { - unsafe { cvt_p(ffi::NCONF_new(method.as_ptr())).map(Conf) } + unsafe { cvt_p(ffi::NCONF_new(method.as_ptr())).map(|p| Conf::from_ptr(p)) } } } diff --git a/boring/src/ec.rs b/boring/src/ec.rs index b3824d69c..c6d1f1397 100644 --- a/boring/src/ec.rs +++ b/boring/src/ec.rs @@ -122,7 +122,7 @@ impl EcGroup { pub fn from_curve_name(nid: Nid) -> Result { unsafe { init(); - cvt_p(ffi::EC_GROUP_new_by_curve_name(nid.as_raw())).map(EcGroup) + cvt_p(ffi::EC_GROUP_new_by_curve_name(nid.as_raw())).map(|p| EcGroup::from_ptr(p)) } } } @@ -421,7 +421,9 @@ impl EcPointRef { /// /// [`EC_POINT_dup`]: https://www.openssl.org/docs/man1.1.0/crypto/EC_POINT_dup.html pub fn to_owned(&self, group: &EcGroupRef) -> Result { - unsafe { cvt_p(ffi::EC_POINT_dup(self.as_ptr(), group.as_ptr())).map(EcPoint) } + unsafe { + cvt_p(ffi::EC_POINT_dup(self.as_ptr(), group.as_ptr())).map(|p| EcPoint::from_ptr(p)) + } } /// Determines if this point is equal to another. @@ -479,7 +481,7 @@ impl EcPoint { /// /// [`EC_POINT_new`]: https://www.openssl.org/docs/man1.1.0/crypto/EC_POINT_new.html pub fn new(group: &EcGroupRef) -> Result { - unsafe { cvt_p(ffi::EC_POINT_new(group.as_ptr())).map(EcPoint) } + unsafe { cvt_p(ffi::EC_POINT_new(group.as_ptr())).map(|p| EcPoint::from_ptr(p)) } } /// Creates point from a binary representation diff --git a/boring/src/macros.rs b/boring/src/macros.rs index 858341ecc..68bb8db13 100644 --- a/boring/src/macros.rs +++ b/boring/src/macros.rs @@ -145,19 +145,13 @@ macro_rules! foreign_type_and_impl_send_sync { => { foreign_type! { $(#[$impl_attr])* - type CType = $ctype; - fn drop = $drop; - $(fn clone = $clone;)* $(#[$owned_attr])* - pub struct $owned; - $(#[$borrowed_attr])* - pub struct $borrowed; + pub unsafe type $owned: Send + Sync { + type CType = $ctype; + fn drop = $drop; + $(fn clone = $clone;)* + } } - - unsafe impl Send for $owned{} - unsafe impl Send for $borrowed{} - unsafe impl Sync for $owned{} - unsafe impl Sync for $borrowed{} }; } @@ -177,7 +171,7 @@ macro_rules! generic_foreign_type_and_impl_send_sync { pub struct $owned(*mut $ctype, ::std::marker::PhantomData); $(#[$impl_attr])* - impl ::foreign_types::ForeignType for $owned { + unsafe impl ::foreign_types::ForeignType for $owned { type CType = $ctype; type Ref = $borrowed; @@ -257,7 +251,7 @@ macro_rules! generic_foreign_type_and_impl_send_sync { pub struct $borrowed(::foreign_types::Opaque, ::std::marker::PhantomData); $(#[$impl_attr])* - impl ::foreign_types::ForeignTypeRef for $borrowed { + unsafe impl ::foreign_types::ForeignTypeRef for $borrowed { type CType = $ctype; } diff --git a/boring/src/pkcs12.rs b/boring/src/pkcs12.rs index fa01874d8..c4c65d1bd 100644 --- a/boring/src/pkcs12.rs +++ b/boring/src/pkcs12.rs @@ -196,7 +196,7 @@ impl Pkcs12Builder { self.mac_iter, keytype, )) - .map(Pkcs12) + .map(|p| Pkcs12::from_ptr(p)) } } } diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs index f47806ef2..a52f46ef3 100644 --- a/boring/src/ssl/mod.rs +++ b/boring/src/ssl/mod.rs @@ -73,7 +73,7 @@ use std::mem::{self, ManuallyDrop}; use std::ops::{Deref, DerefMut}; use std::panic::resume_unwind; use std::path::Path; -use std::ptr; +use std::ptr::{self, NonNull}; use std::slice; use std::str; use std::sync::{Arc, Mutex}; @@ -1829,7 +1829,7 @@ impl ClientHello { /// Information about a cipher. pub struct SslCipher(*mut ffi::SSL_CIPHER); -impl ForeignType for SslCipher { +unsafe impl ForeignType for SslCipher { type CType = ffi::SSL_CIPHER; type Ref = SslCipherRef; @@ -1863,7 +1863,7 @@ impl DerefMut for SslCipher { /// [`SslCipher`]: struct.SslCipher.html pub struct SslCipherRef(Opaque); -impl ForeignTypeRef for SslCipherRef { +unsafe impl ForeignTypeRef for SslCipherRef { type CType = ffi::SSL_CIPHER; } @@ -1997,7 +1997,7 @@ impl ToOwned for SslSessionRef { fn to_owned(&self) -> SslSession { unsafe { SSL_SESSION_up_ref(self.as_ptr()); - SslSession(self.as_ptr()) + SslSession(NonNull::new_unchecked(self.as_ptr())) } } } diff --git a/boring/src/stack.rs b/boring/src/stack.rs index 1570eb878..5237608e0 100644 --- a/boring/src/stack.rs +++ b/boring/src/stack.rs @@ -89,7 +89,7 @@ impl Borrow> for Stack { } } -impl ForeignType for Stack { +unsafe impl ForeignType for Stack { type CType = T::StackType; type Ref = StackRef; @@ -170,7 +170,7 @@ pub struct StackRef(Opaque, PhantomData); unsafe impl Send for StackRef {} unsafe impl Sync for StackRef {} -impl ForeignTypeRef for StackRef { +unsafe impl ForeignTypeRef for StackRef { type CType = T::StackType; } diff --git a/boring/src/x509/mod.rs b/boring/src/x509/mod.rs index 0257b6ea7..28b12fd3c 100644 --- a/boring/src/x509/mod.rs +++ b/boring/src/x509/mod.rs @@ -67,7 +67,7 @@ impl X509StoreContext { pub fn new() -> Result { unsafe { ffi::init(); - cvt_p(ffi::X509_STORE_CTX_new()).map(X509StoreContext) + cvt_p(ffi::X509_STORE_CTX_new()).map(|p| X509StoreContext::from_ptr(p)) } } } @@ -226,7 +226,7 @@ impl X509Builder { pub fn new() -> Result { unsafe { ffi::init(); - cvt_p(ffi::X509_new()).map(|p| X509Builder(X509(p))) + cvt_p(ffi::X509_new()).map(|p| X509Builder(X509::from_ptr(p))) } } @@ -664,7 +664,7 @@ impl X509 { return Err(ErrorStack::get()); } else { - certs.push(X509(r)); + certs.push(X509::from_ptr(r)); } } @@ -764,7 +764,8 @@ impl X509Extension { let name = name.as_ptr() as *mut _; let value = value.as_ptr() as *mut _; - cvt_p(ffi::X509V3_EXT_nconf(conf, context, name, value)).map(X509Extension) + cvt_p(ffi::X509V3_EXT_nconf(conf, context, name, value)) + .map(|p| X509Extension::from_ptr(p)) } } @@ -789,7 +790,8 @@ impl X509Extension { let name = name.as_raw(); let value = value.as_ptr() as *mut _; - cvt_p(ffi::X509V3_EXT_nconf_nid(conf, context, name, value)).map(X509Extension) + cvt_p(ffi::X509V3_EXT_nconf_nid(conf, context, name, value)) + .map(|p| X509Extension::from_ptr(p)) } } } @@ -802,7 +804,7 @@ impl X509NameBuilder { pub fn new() -> Result { unsafe { ffi::init(); - cvt_p(ffi::X509_NAME_new()).map(|p| X509NameBuilder(X509Name(p))) + cvt_p(ffi::X509_NAME_new()).map(|p| X509NameBuilder(X509Name::from_ptr(p))) } } @@ -1003,7 +1005,7 @@ impl X509ReqBuilder { pub fn new() -> Result { unsafe { ffi::init(); - cvt_p(ffi::X509_REQ_new()).map(|p| X509ReqBuilder(X509Req(p))) + cvt_p(ffi::X509_REQ_new()).map(|p| X509ReqBuilder(X509Req::from_ptr(p))) } } diff --git a/boring/src/x509/store.rs b/boring/src/x509/store.rs index f14470f5c..4fc56c856 100644 --- a/boring/src/x509/store.rs +++ b/boring/src/x509/store.rs @@ -35,7 +35,7 @@ //! ``` use crate::ffi; -use foreign_types::ForeignTypeRef; +use foreign_types::{ForeignType, ForeignTypeRef}; use std::mem; use crate::error::ErrorStack; @@ -61,7 +61,7 @@ impl X509StoreBuilder { unsafe { ffi::init(); - cvt_p(ffi::X509_STORE_new()).map(X509StoreBuilder) + cvt_p(ffi::X509_STORE_new()).map(|p| X509StoreBuilder::from_ptr(p)) } } From 057a81b9a498b933febf19c84b279fe715311025 Mon Sep 17 00:00:00 2001 From: Joshua Nelson Date: Mon, 9 Aug 2021 16:41:07 -0500 Subject: [PATCH 13/21] Remove unused `*Ref` parameters to macro This doesn't actually do anything, it just makes it more clear that those parameters are ignored. --- boring/src/asn1.rs | 24 ------------------------ boring/src/bn.rs | 8 -------- boring/src/conf.rs | 1 - boring/src/ec.rs | 8 -------- boring/src/ecdsa.rs | 4 ---- boring/src/macros.rs | 2 -- boring/src/pkcs12.rs | 1 - boring/src/srtp.rs | 2 -- boring/src/ssl/mod.rs | 15 --------------- boring/src/string.rs | 1 - boring/src/x509/mod.rs | 19 ------------------- boring/src/x509/store.rs | 4 ---- boring/src/x509/verify.rs | 2 -- 13 files changed, 91 deletions(-) diff --git a/boring/src/asn1.rs b/boring/src/asn1.rs index 7bc9d1edc..3ab1aede2 100644 --- a/boring/src/asn1.rs +++ b/boring/src/asn1.rs @@ -57,10 +57,6 @@ foreign_type_and_impl_send_sync! { /// /// [ASN1_GENERALIZEDTIME_set]: https://www.openssl.org/docs/manmaster/man3/ASN1_GENERALIZEDTIME_set.html pub struct Asn1GeneralizedTime; - /// Reference to a [`Asn1GeneralizedTime`] - /// - /// [`Asn1GeneralizedTime`]: struct.Asn1GeneralizedTime.html - pub struct Asn1GeneralizedTimeRef; } impl fmt::Display for Asn1GeneralizedTimeRef { @@ -113,10 +109,6 @@ foreign_type_and_impl_send_sync! { /// /// [ASN_TIME_set]: https://www.openssl.org/docs/man1.1.0/crypto/ASN1_TIME_set.html pub struct Asn1Time; - /// Reference to an [`Asn1Time`] - /// - /// [`Asn1Time`]: struct.Asn1Time.html - pub struct Asn1TimeRef; } impl Asn1TimeRef { @@ -327,10 +319,6 @@ foreign_type_and_impl_send_sync! { /// /// [ASN1_STRING-to_UTF8]: https://www.openssl.org/docs/man1.1.0/crypto/ASN1_STRING_to_UTF8.html pub struct Asn1String; - /// Reference to [`Asn1String`] - /// - /// [`Asn1String`]: struct.Asn1String.html - pub struct Asn1StringRef; } impl Asn1StringRef { @@ -395,10 +383,6 @@ foreign_type_and_impl_send_sync! { /// [`bn`]: ../bn/index.html /// [`ASN1_INTEGER_set`]: https://www.openssl.org/docs/man1.1.0/crypto/ASN1_INTEGER_set.html pub struct Asn1Integer; - /// Reference to [`Asn1Integer`] - /// - /// [`Asn1Integer`]: struct.Asn1Integer.html - pub struct Asn1IntegerRef; } impl Asn1Integer { @@ -458,10 +442,6 @@ foreign_type_and_impl_send_sync! { /// /// [`x509`]: ../x509/struct.X509.html#method.signature pub struct Asn1BitString; - /// Reference to [`Asn1BitString`] - /// - /// [`Asn1BitString`]: struct.Asn1BitString.html - pub struct Asn1BitStringRef; } impl Asn1BitStringRef { @@ -499,10 +479,6 @@ foreign_type_and_impl_send_sync! { /// [`nid::COMMONNAME`]: ../nid/constant.COMMONNAME.html /// [`OBJ_nid2obj`]: https://www.openssl.org/docs/man1.1.0/crypto/OBJ_obj2nid.html pub struct Asn1Object; - /// Reference to [`Asn1Object`] - /// - /// [`Asn1Object`]: struct.Asn1Object.html - pub struct Asn1ObjectRef; } impl Asn1Object { diff --git a/boring/src/bn.rs b/boring/src/bn.rs index 7c4e47821..c37398898 100644 --- a/boring/src/bn.rs +++ b/boring/src/bn.rs @@ -65,10 +65,6 @@ foreign_type_and_impl_send_sync! { /// /// [`BN_CTX`]: https://www.openssl.org/docs/man1.1.0/crypto/BN_CTX_new.html pub struct BigNumContext; - /// Reference to [`BigNumContext`] - /// - /// [`BigNumContext`]: struct.BigNumContext.html - pub struct BigNumContextRef; } impl BigNumContext { @@ -113,10 +109,6 @@ foreign_type_and_impl_send_sync! { /// # fn main () { bignums(); } /// ``` pub struct BigNum; - /// Reference to a [`BigNum`] - /// - /// [`BigNum`]: struct.BigNum.html - pub struct BigNumRef; } impl BigNumRef { diff --git a/boring/src/conf.rs b/boring/src/conf.rs index 660dc26e5..c94dde4a8 100644 --- a/boring/src/conf.rs +++ b/boring/src/conf.rs @@ -29,7 +29,6 @@ foreign_type_and_impl_send_sync! { fn drop = ffi::NCONF_free; pub struct Conf; - pub struct ConfRef; } impl Conf { diff --git a/boring/src/ec.rs b/boring/src/ec.rs index c6d1f1397..5738344ee 100644 --- a/boring/src/ec.rs +++ b/boring/src/ec.rs @@ -107,10 +107,6 @@ foreign_type_and_impl_send_sync! { /// [wiki]: https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations /// [`Nid`]: ../nid/index.html pub struct EcGroup; - /// Reference to [`EcGroup`] - /// - /// [`EcGroup`]: struct.EcGroup.html - pub struct EcGroupRef; } impl EcGroup { @@ -259,10 +255,6 @@ foreign_type_and_impl_send_sync! { /// /// [`EC_POINT_new`]: https://www.openssl.org/docs/man1.1.0/crypto/EC_POINT_new.html pub struct EcPoint; - /// Reference to [`EcPoint`] - /// - /// [`EcPoint`]: struct.EcPoint.html - pub struct EcPointRef; } impl EcPointRef { diff --git a/boring/src/ecdsa.rs b/boring/src/ecdsa.rs index a9159fc99..0d333003c 100644 --- a/boring/src/ecdsa.rs +++ b/boring/src/ecdsa.rs @@ -22,10 +22,6 @@ foreign_type_and_impl_send_sync! { /// /// [`ECDSA_sign`]: https://www.openssl.org/docs/man1.1.0/crypto/ECDSA_sign.html pub struct EcdsaSig; - /// Reference to [`EcdsaSig`] - /// - /// [`EcdsaSig`]: struct.EcdsaSig.html - pub struct EcdsaSigRef; } impl EcdsaSig { diff --git a/boring/src/macros.rs b/boring/src/macros.rs index 68bb8db13..0dcc5faec 100644 --- a/boring/src/macros.rs +++ b/boring/src/macros.rs @@ -139,8 +139,6 @@ macro_rules! foreign_type_and_impl_send_sync { $(#[$owned_attr:meta])* pub struct $owned:ident; - $(#[$borrowed_attr:meta])* - pub struct $borrowed:ident; ) => { foreign_type! { diff --git a/boring/src/pkcs12.rs b/boring/src/pkcs12.rs index c4c65d1bd..4caec029a 100644 --- a/boring/src/pkcs12.rs +++ b/boring/src/pkcs12.rs @@ -20,7 +20,6 @@ foreign_type_and_impl_send_sync! { fn drop = ffi::PKCS12_free; pub struct Pkcs12; - pub struct Pkcs12Ref; } impl Pkcs12Ref { diff --git a/boring/src/srtp.rs b/boring/src/srtp.rs index 1cd5983a7..84deca9e3 100644 --- a/boring/src/srtp.rs +++ b/boring/src/srtp.rs @@ -13,8 +13,6 @@ foreign_type_and_impl_send_sync! { fn drop = free; pub struct SrtpProtectionProfile; - /// Reference to `SrtpProtectionProfile`. - pub struct SrtpProtectionProfileRef; } impl Stackable for SrtpProtectionProfile { diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs index a52f46ef3..c3acfabcc 100644 --- a/boring/src/ssl/mod.rs +++ b/boring/src/ssl/mod.rs @@ -1585,11 +1585,6 @@ foreign_type_and_impl_send_sync! { /// Applications commonly configure a single `SslContext` that is shared by all of its /// `SslStreams`. pub struct SslContext; - - /// Reference to [`SslContext`] - /// - /// [`SslContext`]: struct.SslContext.html - pub struct SslContextRef; } impl Clone for SslContext { @@ -1964,11 +1959,6 @@ foreign_type_and_impl_send_sync! { /// /// These can be cached to share sessions across connections. pub struct SslSession; - - /// Reference to [`SslSession`]. - /// - /// [`SslSession`]: struct.SslSession.html - pub struct SslSessionRef; } impl Clone for SslSession { @@ -2092,11 +2082,6 @@ foreign_type_and_impl_send_sync! { /// /// [`SslContext`]: struct.SslContext.html pub struct Ssl; - - /// Reference to an [`Ssl`]. - /// - /// [`Ssl`]: struct.Ssl.html - pub struct SslRef; } impl fmt::Debug for Ssl { diff --git a/boring/src/string.rs b/boring/src/string.rs index 0865c3e89..6fca53971 100644 --- a/boring/src/string.rs +++ b/boring/src/string.rs @@ -14,7 +14,6 @@ foreign_type_and_impl_send_sync! { fn drop = free; pub struct OpensslString; - pub struct OpensslStringRef; } impl fmt::Display for OpensslString { diff --git a/boring/src/x509/mod.rs b/boring/src/x509/mod.rs index 28b12fd3c..a02403f46 100644 --- a/boring/src/x509/mod.rs +++ b/boring/src/x509/mod.rs @@ -47,9 +47,6 @@ foreign_type_and_impl_send_sync! { /// An `X509` certificate store context. pub struct X509StoreContext; - - /// Reference to `X509StoreContext`. - pub struct X509StoreContextRef; } impl X509StoreContext { @@ -379,8 +376,6 @@ foreign_type_and_impl_send_sync! { /// An `X509` public key certificate. pub struct X509; - /// Reference to `X509`. - pub struct X509Ref; } impl X509Ref { @@ -733,8 +728,6 @@ foreign_type_and_impl_send_sync! { /// Permit additional fields to be added to an `X509` v3 certificate. pub struct X509Extension; - /// Reference to `X509Extension`. - pub struct X509ExtensionRef; } impl Stackable for X509Extension { @@ -863,8 +856,6 @@ foreign_type_and_impl_send_sync! { /// The names of an `X509` certificate. pub struct X509Name; - /// Reference to `X509Name`. - pub struct X509NameRef; } impl X509Name { @@ -956,8 +947,6 @@ foreign_type_and_impl_send_sync! { /// A name entry associated with a `X509Name`. pub struct X509NameEntry; - /// Reference to `X509NameEntry`. - pub struct X509NameEntryRef; } impl X509NameEntryRef { @@ -1114,8 +1103,6 @@ foreign_type_and_impl_send_sync! { /// An `X509` certificate request. pub struct X509Req; - /// Reference to `X509Req`. - pub struct X509ReqRef; } impl X509Req { @@ -1298,8 +1285,6 @@ foreign_type_and_impl_send_sync! { /// An `X509` certificate alternative names. pub struct GeneralName; - /// Reference to `GeneralName`. - pub struct GeneralNameRef; } impl GeneralNameRef { @@ -1377,8 +1362,6 @@ foreign_type_and_impl_send_sync! { /// An `X509` certificate signature algorithm. pub struct X509Algorithm; - /// Reference to `X509Algorithm`. - pub struct X509AlgorithmRef; } impl X509AlgorithmRef { @@ -1399,8 +1382,6 @@ foreign_type_and_impl_send_sync! { /// An `X509` or an X509 certificate revocation list. pub struct X509Object; - /// Reference to `X509Object` - pub struct X509ObjectRef; } impl X509ObjectRef { diff --git a/boring/src/x509/store.rs b/boring/src/x509/store.rs index 4fc56c856..d244c640b 100644 --- a/boring/src/x509/store.rs +++ b/boring/src/x509/store.rs @@ -49,8 +49,6 @@ foreign_type_and_impl_send_sync! { /// A builder type used to construct an `X509Store`. pub struct X509StoreBuilder; - /// Reference to an `X509StoreBuilder`. - pub struct X509StoreBuilderRef; } impl X509StoreBuilder { @@ -96,8 +94,6 @@ foreign_type_and_impl_send_sync! { /// A certificate store to hold trusted `X509` certificates. pub struct X509Store; - /// Reference to an `X509Store`. - pub struct X509StoreRef; } impl X509StoreRef { diff --git a/boring/src/x509/verify.rs b/boring/src/x509/verify.rs index 3b66fd34f..432491005 100644 --- a/boring/src/x509/verify.rs +++ b/boring/src/x509/verify.rs @@ -27,8 +27,6 @@ foreign_type_and_impl_send_sync! { /// Adjust parameters associated with certificate verification. pub struct X509VerifyParam; - /// Reference to `X509VerifyParam`. - pub struct X509VerifyParamRef; } impl X509VerifyParamRef { From 75d6ced4c931800b05610a0744642dacba28b91f Mon Sep 17 00:00:00 2001 From: Joshua Nelson Date: Tue, 10 Aug 2021 15:48:41 -0500 Subject: [PATCH 14/21] Remove unused and deprecated `tempdir` dependency --- boring/Cargo.toml | 1 - boring/src/lib.rs | 2 -- boring/src/ssl/test/mod.rs | 1 - 3 files changed, 4 deletions(-) diff --git a/boring/Cargo.toml b/boring/Cargo.toml index a7eb1a7f3..1f5184ba3 100644 --- a/boring/Cargo.toml +++ b/boring/Cargo.toml @@ -19,6 +19,5 @@ libc = "0.2" boring-sys = { version = "1.1.0", path = "../boring-sys" } [dev-dependencies] -tempdir = "0.3" hex = "0.4" rusty-hook = "^0.11" diff --git a/boring/src/lib.rs b/boring/src/lib.rs index ef268161f..133353c9f 100644 --- a/boring/src/lib.rs +++ b/boring/src/lib.rs @@ -13,8 +13,6 @@ extern crate libc; #[cfg(test)] extern crate hex; -#[cfg(test)] -extern crate tempdir; #[doc(inline)] pub use crate::ffi::init; diff --git a/boring/src/ssl/test/mod.rs b/boring/src/ssl/test/mod.rs index b465634b1..abb6b6c82 100644 --- a/boring/src/ssl/test/mod.rs +++ b/boring/src/ssl/test/mod.rs @@ -14,7 +14,6 @@ use std::process::{Child, ChildStdin, Command, Stdio}; use std::sync::atomic::{AtomicBool, Ordering}; use std::thread; use std::time::Duration; -use tempdir::TempDir; use crate::dh::Dh; use crate::error::ErrorStack; From dcbe1571b3710d00aa848f3aec4d328435af26f8 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Tue, 2 Nov 2021 16:58:52 +0000 Subject: [PATCH 15/21] boring-sys: Disable unnecessary bindgen dependencies `bindgen`'s default features include dependencies like `clap` and `env_logger` which are unnecessary when building `boring-sys`. When using tools like `cargo-deny` to audit dependencies with mismatched versions, these dependencies can easily conflict with application dependencies. This change disables `bindgen`'s default features to avoid unnecessary dependencies. --- boring-sys/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boring-sys/Cargo.toml b/boring-sys/Cargo.toml index 77a4f7b7f..383fd5712 100644 --- a/boring-sys/Cargo.toml +++ b/boring-sys/Cargo.toml @@ -27,5 +27,5 @@ include = [ ] [build-dependencies] -bindgen = "0.59" +bindgen = { version = "0.59", default-features = false, features = ["runtime"] } cmake = "0.1" From c4e1f474973744b32579797c1ff51335002a4491 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Thu, 4 Nov 2021 17:16:08 +0000 Subject: [PATCH 16/21] Relax constraints on `Display for tokio-boring::HandshakeError` `tokio_boring::HandshakeError` currently requires that the inner stream implements `Debug` for its `Display` implementation. This constraint is unnecessary. This change removes this `Debug` constraint so `HandshakeError` always implements `Display`. --- tokio-boring/src/lib.rs | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/tokio-boring/src/lib.rs b/tokio-boring/src/lib.rs index c5c25044b..0de479c31 100644 --- a/tokio-boring/src/lib.rs +++ b/tokio-boring/src/lib.rs @@ -318,10 +318,7 @@ where } } -impl fmt::Display for HandshakeError -where - S: fmt::Debug, -{ +impl fmt::Display for HandshakeError { fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result { fmt::Display::fmt(&self.0, fmt) } From 44426292e061ec7030b4e049528c876bba26deba Mon Sep 17 00:00:00 2001 From: Robin Lindner Date: Wed, 6 Oct 2021 21:55:46 +0200 Subject: [PATCH 17/21] Remove PasswordCallback --- boring-sys/src/lib.rs | 8 -------- 1 file changed, 8 deletions(-) diff --git a/boring-sys/src/lib.rs b/boring-sys/src/lib.rs index b32b91907..fb09a14b2 100644 --- a/boring-sys/src/lib.rs +++ b/boring-sys/src/lib.rs @@ -64,14 +64,6 @@ const_fn! { } } -// FIXME remove -pub type PasswordCallback = unsafe extern "C" fn( - buf: *mut c_char, - size: c_int, - rwflag: c_int, - user_data: *mut c_void, -) -> c_int; - pub fn init() { use std::ptr; use std::sync::Once; From 18650f625e69d282c9bfdda3273c38ea8ed5e6d5 Mon Sep 17 00:00:00 2001 From: Joshua Nelson Date: Thu, 16 Dec 2021 13:15:55 -0600 Subject: [PATCH 18/21] Bump versions for release - Major version for boring-sys: `PasswordCallback` was removed - Major version for boring: the public `*Ref` types were removed and `foreign-types` appears in our public api and had a major version bump - Patch version for tokio-boring: the only API change was removing the `S: Debug` bound - Patch version for hyper-boring: no API changes, only removed dependencies --- boring-sys/Cargo.toml | 2 +- boring/Cargo.toml | 4 ++-- hyper-boring/Cargo.toml | 4 ++-- tokio-boring/Cargo.toml | 6 +++--- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/boring-sys/Cargo.toml b/boring-sys/Cargo.toml index 383fd5712..d0da3a187 100644 --- a/boring-sys/Cargo.toml +++ b/boring-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "boring-sys" -version = "1.1.1" +version = "2.0.0" authors = ["Alex Crichton ", "Steven Fackler ", "Ivan Nikulin "] diff --git a/boring/Cargo.toml b/boring/Cargo.toml index 1f5184ba3..72d011759 100644 --- a/boring/Cargo.toml +++ b/boring/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "boring" -version = "1.1.6" +version = "2.0.0" authors = ["Steven Fackler ", "Ivan Nikulin "] license = "Apache-2.0" description = "BoringSSL bindings" @@ -16,7 +16,7 @@ bitflags = "1.0" foreign-types = "0.5" lazy_static = "1" libc = "0.2" -boring-sys = { version = "1.1.0", path = "../boring-sys" } +boring-sys = { version = ">=1.1.0,<3.0.0", path = "../boring-sys" } [dev-dependencies] hex = "0.4" diff --git a/hyper-boring/Cargo.toml b/hyper-boring/Cargo.toml index fa21dfde0..74bce004d 100644 --- a/hyper-boring/Cargo.toml +++ b/hyper-boring/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "hyper-boring" -version = "2.1.0" +version = "2.1.1" authors = ["Steven Fackler ", "Ivan Nikulin "] edition = "2018" description = "Hyper TLS support via BoringSSL" @@ -21,7 +21,7 @@ http = "0.2" hyper = { version = "0.14", default-features = false, features = ["client"] } linked_hash_set = "0.1" once_cell = "1.0" -boring = { version = "1.1.0", path = "../boring" } +boring = { version = ">=1.1.0,<3.0.0", path = "../boring" } tokio = "1" tokio-boring = { version = "2", path = "../tokio-boring" } tower-layer = "0.3" diff --git a/tokio-boring/Cargo.toml b/tokio-boring/Cargo.toml index 13b336446..15f6afb5f 100644 --- a/tokio-boring/Cargo.toml +++ b/tokio-boring/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "tokio-boring" -version = "2.1.3" +version = "2.1.4" authors = ["Alex Crichton ", "Ivan Nikulin "] license = "MIT/Apache-2.0" edition = "2018" @@ -12,8 +12,8 @@ An implementation of SSL streams for Tokio backed by BoringSSL """ [dependencies] -boring = { version = "1.1.0", path = "../boring" } -boring-sys = { version = "1.1.0", path = "../boring-sys" } +boring = { version = ">=1.1.0,<3.0.0", path = "../boring" } +boring-sys = { version = ">=1.1.0,<3.0.0", path = "../boring-sys" } tokio = "1" [dev-dependencies] From db6867b794303c7666c922c7f8ef5cf3d5f58396 Mon Sep 17 00:00:00 2001 From: Joshua Nelson Date: Thu, 16 Dec 2021 13:44:05 -0600 Subject: [PATCH 19/21] Add/update changelogs --- CHANGELOG.md | 11 +++++++++++ boring-sys/CHANGELOG.md | 17 +++++++++++++++++ hyper-boring/CHANGELOG.md | 6 ++++++ tokio-boring/CHANGELOG.md | 9 +++++++++ 4 files changed, 43 insertions(+) create mode 100644 CHANGELOG.md create mode 100644 boring-sys/CHANGELOG.md create mode 100644 tokio-boring/CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 000000000..7b91eef3a --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,11 @@ +# Change Log + +## [Unreleased] + +## [v2.0.0] - 2021-12-16 + +### Changed + +* Updated `foreign-types` from 0.3 to 0.5. This is technically a breaking change if you used `foreign-types` in your own crate, but in practice this shouldn't have a large impact. +* Removed unused `*Ref` structs; these served no purpose and were not useful. +* Removed unused `tempdir` dependency diff --git a/boring-sys/CHANGELOG.md b/boring-sys/CHANGELOG.md new file mode 100644 index 000000000..66be56a8d --- /dev/null +++ b/boring-sys/CHANGELOG.md @@ -0,0 +1,17 @@ +# Change Log + +## [Unreleased] + +## [v2.0.0] - 2021-12-16 + +### Added + +* Allow using pre-built binaries of `bssl` using the `BORING_BSSL_PATH` env variable +* Automatically fetch the `boringssl` submodule if it doesn't yet exist + +### Changed + +* Removed unused `PasswordCallback` type +* Disable unused bindgen dependencies +* Update `bindgen` and `bytes` dependencies +* \ No newline at end of file diff --git a/hyper-boring/CHANGELOG.md b/hyper-boring/CHANGELOG.md index bab285de9..ddfe3aa12 100644 --- a/hyper-boring/CHANGELOG.md +++ b/hyper-boring/CHANGELOG.md @@ -2,6 +2,12 @@ ## [Unreleased] +## [v2.1.1] - 2021-12-16 + +### Changed + +* Removed unnecessary `boring-sys` and `bytes` dependencies + ## [v0.8.0] - 2019-12-10 ### Changed diff --git a/tokio-boring/CHANGELOG.md b/tokio-boring/CHANGELOG.md new file mode 100644 index 000000000..9acd0c03e --- /dev/null +++ b/tokio-boring/CHANGELOG.md @@ -0,0 +1,9 @@ +# Change Log + +## [Unreleased] + +## [v2.1.4] - 2021-12-16 + +### Changed + +* Removed unnecessary `S: Debug` constraint for `HandshakeError` \ No newline at end of file From 5f327aba86aab67af58f0db44e61d5b71b6eb84e Mon Sep 17 00:00:00 2001 From: ilammy Date: Thu, 30 Dec 2021 20:16:54 +0900 Subject: [PATCH 20/21] boring: Suppress Clippy warnings about missing safety docs I'm not quite sure why these are unsafe traits, probably to prevent implementing them for random types accidentally. However, Clippy demands a "# Safety" section in their docs. Tell it to get lost. --- boring/src/pkey.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/boring/src/pkey.rs b/boring/src/pkey.rs index 52169d145..c62ee341d 100644 --- a/boring/src/pkey.rs +++ b/boring/src/pkey.rs @@ -93,6 +93,7 @@ impl Id { } /// A trait indicating that a key has parameters. +#[allow(clippy::missing_safety_doc)] pub unsafe trait HasParams {} unsafe impl HasParams for Params {} @@ -100,6 +101,7 @@ unsafe impl HasParams for Params {} unsafe impl HasParams for T where T: HasPublic {} /// A trait indicating that a key has public components. +#[allow(clippy::missing_safety_doc)] pub unsafe trait HasPublic {} unsafe impl HasPublic for Public {} @@ -107,6 +109,7 @@ unsafe impl HasPublic for Public {} unsafe impl HasPublic for T where T: HasPrivate {} /// A trait indicating that a key has private components. +#[allow(clippy::missing_safety_doc)] pub unsafe trait HasPrivate {} unsafe impl HasPrivate for Private {} From 1507689c5b49fa732cbf54f59e998116fab79287 Mon Sep 17 00:00:00 2001 From: Braden Ehrat Date: Mon, 31 Jan 2022 16:11:33 -0600 Subject: [PATCH 21/21] Add fips-3678 feature (#52) * Add rerun-if-env-changed instructions for BORING_* variables * Use X509_get0_notBefore() and X509_get0_notAfter() instead of X509_getm_notBefore() and X509_getm_notAfter(). According to https://www.openssl.org/docs/man1.1.0/man3/X509_getm_notBefore.html, "X509_getm_notBefore() and X509_getm_notAfter() are similar to X509_get0_notBefore() and X509_get0_notAfter() except they return non-constant mutable references to the associated date field of the certificate". * Only update boringssl submodule if BORING_BSSL_PATH not provided * Allow BORING_BSSL_LIB_PATH to control link search * Add fips feature * Use X509_set_notAfter unconditionally for FIPS compatibility This is equivalent according to https://boringssl.googlesource.com/boringssl/+/c947efabcbc38dcf93e8ad0e6a76206cf0ec8072 The version of boringssl that's FIPS-certified doesn't have `X509_set1_notAfter`. The only difference between that and `X509_set_notAfter` is whether they're const-correct, which doesn't seem worth having two different code-paths. * Check out fips commit automatically * Verify the version of the compiler used for building boringssl NIST specifies that it needs to be 7.0.1; I originally tried building with clang 10 and it failed. Theoretically this should check the versions of Go and Ninja too, but they haven't given me trouble in practice. Example error: ``` Compiling boring-sys v1.1.1 (/home/jnelson/work/boring/boring-sys) error: failed to run custom build command for `boring-sys v1.1.1 (/home/jnelson/work/boring/boring-sys)` Caused by: process didn't exit successfully: `/home/jnelson/work/boring/target/debug/build/boring-sys-31b8ce53031cfd83/build-script-build` (exit status: 101) --- stdout cargo:rerun-if-env-changed=BORING_BSSL_PATH --- stderr warning: missing clang-7, trying other compilers: Permission denied (os error 13) warning: FIPS requires clang version 7.0.1, skipping incompatible version "clang version 10.0.0-4ubuntu1 " thread 'main' panicked at 'unsupported clang version "cc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0": FIPS requires clang 7.0.1', boring-sys/build.rs:216:13 note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace ``` * Add Github actions workflow testing FIPS Co-authored-by: Joshua Nelson --- .github/workflows/ci.yml | 15 ++++ .gitmodules | 5 +- README.md | 12 +++ boring-sys/Cargo.toml | 4 + boring-sys/build.rs | 145 +++++++++++++++++++++++++------- boring-sys/deps/boringssl-fips | 1 + boring/Cargo.toml | 4 + boring/examples/fips_enabled.rs | 3 + boring/examples/mk_certs.rs | 9 ++ boring/src/fips.rs | 8 ++ boring/src/pkey.rs | 3 + boring/src/ssl/mod.rs | 5 ++ boring/src/ssl/test/mod.rs | 9 +- boring/src/x509/mod.rs | 27 +++--- hyper-boring/Cargo.toml | 1 + tokio-boring/Cargo.toml | 3 + 16 files changed, 209 insertions(+), 45 deletions(-) create mode 160000 boring-sys/deps/boringssl-fips create mode 100644 boring/examples/fips_enabled.rs diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e33e624f6..1af234c7e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -159,3 +159,18 @@ jobs: - if: "!startsWith(matrix.os, 'windows')" run: cargo test name: Run tests (not Windows) + + test-fips: + name: Test FIPS integration + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + submodules: 'recursive' + - name: Install Rust (rustup) + run: rustup update stable --no-self-update && rustup default stable + shell: bash + - name: Install Clang-7 + run: sudo apt-get install -y clang-7 + - run: cargo test --features fips + name: Run tests diff --git a/.gitmodules b/.gitmodules index 53b702f01..93bfb089f 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,4 +1,7 @@ [submodule "boring-sys/deps/boringssl"] path = boring-sys/deps/boringssl url = https://github.com/google/boringssl.git - ignore = dirty \ No newline at end of file + ignore = dirty +[submodule "boring-sys/deps/boringssl-fips"] + path = boring-sys/deps/boringssl-fips + url = https://github.com/google/boringssl.git diff --git a/README.md b/README.md index 75e9718b2..da8442105 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,18 @@ _Notes_: The crate will look for headers in the `$BORING_BSSL_INCLUDE_PATH/opens _Warning_: When providing a different version of BoringSSL make sure to use a compatible one, the crate relies on the presence of certain functions. +## Building with a FIPS-validated module + +Only BoringCrypto module version ae223d6138807a13006342edfeef32e813246b39, as +certified with [certificate +3678](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3678) +is supported by this crate. Support is enabled by this crate's `fips` feature. + +`boring-sys` comes with a test that FIPS is enabled/disabled depending on the feature flag. You can run it as follows: +```bash +$ cargo test --features fips fips::is_enabled +``` + ## Contribution Unless you explicitly state otherwise, any contribution intentionally diff --git a/boring-sys/Cargo.toml b/boring-sys/Cargo.toml index d0da3a187..59bf5cfe9 100644 --- a/boring-sys/Cargo.toml +++ b/boring-sys/Cargo.toml @@ -29,3 +29,7 @@ include = [ [build-dependencies] bindgen = { version = "0.59", default-features = false, features = ["runtime"] } cmake = "0.1" + +[features] +# Use a FIPS-validated version of boringssl. +fips = [] diff --git a/boring-sys/build.rs b/boring-sys/build.rs index 8a848a796..513b8bcf7 100644 --- a/boring-sys/build.rs +++ b/boring-sys/build.rs @@ -1,3 +1,6 @@ +use std::path::{Path, PathBuf}; +use std::process::Command; + // NOTE: this build script is adopted from quiche (https://github.com/cloudflare/quiche) // Additional parameters for Android build of BoringSSL. @@ -85,6 +88,11 @@ fn get_boringssl_platform_output_path() -> String { } } +#[cfg(feature = "fips")] +const BORING_SSL_PATH: &str = "deps/boringssl-fips"; +#[cfg(not(feature = "fips"))] +const BORING_SSL_PATH: &str = "deps/boringssl"; + /// Returns a new cmake::Config for building BoringSSL. /// /// It will add platform-specific parameters if needed. @@ -93,7 +101,7 @@ fn get_boringssl_cmake_config() -> cmake::Config { let os = std::env::var("CARGO_CFG_TARGET_OS").unwrap(); let pwd = std::env::current_dir().unwrap(); - let mut boringssl_cmake = cmake::Config::new("deps/boringssl"); + let mut boringssl_cmake = cmake::Config::new(BORING_SSL_PATH); // Add platform-specific parameters. match os.as_ref() { @@ -105,6 +113,7 @@ fn get_boringssl_cmake_config() -> cmake::Config { }; // We need ANDROID_NDK_HOME to be set properly. + println!("cargo:rerun-if-env-changed=ANDROID_NDK_HOME"); let android_ndk_home = std::env::var("ANDROID_NDK_HOME") .expect("Please set ANDROID_NDK_HOME for Android build"); let android_ndk_home = std::path::Path::new(&android_ndk_home); @@ -161,7 +170,8 @@ fn get_boringssl_cmake_config() -> cmake::Config { if arch == "x86" && os != "windows" { boringssl_cmake.define( "CMAKE_TOOLCHAIN_FILE", - pwd.join("deps/boringssl/src/util/32-bit-toolchain.cmake") + pwd.join(BORING_SSL_PATH) + .join("src/util/32-bit-toolchain.cmake") .as_os_str(), ); } @@ -171,42 +181,107 @@ fn get_boringssl_cmake_config() -> cmake::Config { } } -fn main() { - use std::env; - use std::path::{Path, PathBuf}; - use std::process::Command; - - if !Path::new("deps/boringssl/CMakeLists.txt").exists() { - println!("cargo:warning=fetching boringssl git submodule"); - // fetch the boringssl submodule - let status = Command::new("git") - .args(&[ - "submodule", - "update", - "--init", - "--recursive", - "deps/boringssl", - ]) - .status(); - if !status.map_or(false, |status| status.success()) { - panic!("failed to fetch submodule - consider running `git submodule update --init --recursive deps/boringssl` yourself"); +/// Verify that the toolchains match https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf +/// See "Installation Instructions" under section 12.1. +// TODO: maybe this should also verify the Go and Ninja versions? But those haven't been an issue in practice ... +fn verify_fips_clang_version() -> (&'static str, &'static str) { + fn version(tool: &str) -> String { + let output = match Command::new(tool).arg("--version").output() { + Ok(o) => o, + Err(e) => { + eprintln!("warning: missing {}, trying other compilers: {}", tool, e); + // NOTE: hard-codes that the loop below checks the version + return String::new(); + } + }; + assert!(output.status.success()); + let output = std::str::from_utf8(&output.stdout).expect("invalid utf8 output"); + output.lines().next().expect("empty output").to_string() + } + + const REQUIRED_CLANG_VERSION: &str = "7.0.1"; + for (cc, cxx) in [ + ("clang-7", "clang++-7"), + ("clang", "clang++"), + ("cc", "c++"), + ] { + let cc_version = version(cc); + if cc_version.contains(REQUIRED_CLANG_VERSION) { + assert!( + version(cxx).contains(REQUIRED_CLANG_VERSION), + "mismatched versions of cc and c++" + ); + return (cc, cxx); + } else if cc == "cc" { + panic!( + "unsupported clang version \"{}\": FIPS requires clang {}", + cc_version, REQUIRED_CLANG_VERSION + ); + } else if !cc_version.is_empty() { + eprintln!( + "warning: FIPS requires clang version {}, skipping incompatible version \"{}\"", + REQUIRED_CLANG_VERSION, cc_version + ); } } + unreachable!() +} + +fn main() { + use std::env; + println!("cargo:rerun-if-env-changed=BORING_BSSL_PATH"); let bssl_dir = std::env::var("BORING_BSSL_PATH").unwrap_or_else(|_| { + if !Path::new(BORING_SSL_PATH).join("CMakeLists.txt").exists() { + println!("cargo:warning=fetching boringssl git submodule"); + // fetch the boringssl submodule + let status = Command::new("git") + .args(&[ + "submodule", + "update", + "--init", + "--recursive", + BORING_SSL_PATH, + ]) + .status(); + if !status.map_or(false, |status| status.success()) { + panic!("failed to fetch submodule - consider running `git submodule update --init --recursive deps/boringssl` yourself"); + } + } + let mut cfg = get_boringssl_cmake_config(); if cfg!(feature = "fuzzing") { cfg.cxxflag("-DBORINGSSL_UNSAFE_DETERMINISTIC_MODE") .cxxflag("-DBORINGSSL_UNSAFE_FUZZER_MODE"); } + if cfg!(feature = "fips") { + let (clang, clangxx) = verify_fips_clang_version(); + cfg.define("CMAKE_C_COMPILER", clang); + cfg.define("CMAKE_CXX_COMPILER", clangxx); + cfg.define("CMAKE_ASM_COMPILER", clang); + cfg.define("FIPS", "1"); + } cfg.build_target("bssl").build().display().to_string() }); let build_path = get_boringssl_platform_output_path(); - let build_dir = format!("{}/build/{}", bssl_dir, build_path); - println!("cargo:rustc-link-search=native={}", build_dir); + if cfg!(feature = "fips") { + println!( + "cargo:rustc-link-search=native={}/build/crypto/{}", + bssl_dir, build_path + ); + println!( + "cargo:rustc-link-search=native={}/build/ssl/{}", + bssl_dir, build_path + ); + } else { + println!( + "cargo:rustc-link-search=native={}/build/{}", + bssl_dir, build_path + ); + } println!("cargo:rustc-link-lib=static=crypto"); println!("cargo:rustc-link-lib=static=ssl"); @@ -216,10 +291,14 @@ fn main() { println!("cargo:rustc-cdylib-link-arg=-Wl,-undefined,dynamic_lookup"); } - let include_path = PathBuf::from( - std::env::var("BORING_BSSL_INCLUDE_PATH") - .unwrap_or_else(|_| String::from("deps/boringssl/src/include")), - ); + println!("cargo:rerun-if-env-changed=BORING_BSSL_INCLUDE_PATH"); + let include_path = std::env::var("BORING_BSSL_INCLUDE_PATH").unwrap_or_else(|_| { + if cfg!(feature = "fips") { + format!("{}/include", BORING_SSL_PATH) + } else { + format!("{}/src/include", BORING_SSL_PATH) + } + }); let mut builder = bindgen::Builder::default() .derive_copy(true) @@ -234,12 +313,13 @@ fn main() { .layout_tests(true) .prepend_enum_name(true) .rustfmt_bindings(true) - .clang_args(&["-I", include_path.to_str().unwrap()]); + .clang_args(&["-I", &include_path]); let headers = [ "aes.h", "asn1_mac.h", "asn1t.h", + #[cfg(not(feature = "fips"))] "blake2.h", "blowfish.h", "cast.h", @@ -264,11 +344,18 @@ fn main() { "ripemd.h", "siphash.h", "srtp.h", + #[cfg(not(feature = "fips"))] "trust_token.h", "x509v3.h", ]; for header in &headers { - builder = builder.header(include_path.join("openssl").join(header).to_str().unwrap()); + builder = builder.header( + Path::new(&include_path) + .join("openssl") + .join(header) + .to_str() + .unwrap(), + ); } let bindings = builder.generate().expect("Unable to generate bindings"); diff --git a/boring-sys/deps/boringssl-fips b/boring-sys/deps/boringssl-fips new file mode 160000 index 000000000..ae223d613 --- /dev/null +++ b/boring-sys/deps/boringssl-fips @@ -0,0 +1 @@ +Subproject commit ae223d6138807a13006342edfeef32e813246b39 diff --git a/boring/Cargo.toml b/boring/Cargo.toml index 72d011759..5d58c2756 100644 --- a/boring/Cargo.toml +++ b/boring/Cargo.toml @@ -21,3 +21,7 @@ boring-sys = { version = ">=1.1.0,<3.0.0", path = "../boring-sys" } [dev-dependencies] hex = "0.4" rusty-hook = "^0.11" + +[features] +# Use a FIPS-validated version of boringssl. +fips = ["boring-sys/fips"] diff --git a/boring/examples/fips_enabled.rs b/boring/examples/fips_enabled.rs new file mode 100644 index 000000000..7a57aee4f --- /dev/null +++ b/boring/examples/fips_enabled.rs @@ -0,0 +1,3 @@ +fn main() { + println!("boring::fips::enabled(): {}", boring::fips::enabled()); +} diff --git a/boring/examples/mk_certs.rs b/boring/examples/mk_certs.rs index 217786e26..b27b3974c 100644 --- a/boring/examples/mk_certs.rs +++ b/boring/examples/mk_certs.rs @@ -81,6 +81,7 @@ fn mk_request(privkey: &PKey) -> Result { } /// Make a certificate and private key signed by the given CA cert and private key +#[cfg_attr(feature = "fips", allow(unreachable_code, unused_variables))] fn mk_ca_signed_cert( ca_cert: &X509Ref, ca_privkey: &PKeyRef, @@ -98,7 +99,15 @@ fn mk_ca_signed_cert( serial.to_asn1_integer()? }; cert_builder.set_serial_number(&serial_number)?; + + #[cfg(not(feature = "fips"))] cert_builder.set_subject_name(req.subject_name())?; + #[cfg(feature = "fips")] + { + eprintln!("mk_certs not supported with FIPS module"); + std::process::exit(1); + } + cert_builder.set_issuer_name(ca_cert.subject_name())?; cert_builder.set_pubkey(&privkey)?; let not_before = Asn1Time::days_from_now(0)?; diff --git a/boring/src/fips.rs b/boring/src/fips.rs index 2d68633d7..baf044f74 100644 --- a/boring/src/fips.rs +++ b/boring/src/fips.rs @@ -20,3 +20,11 @@ pub fn enable(enabled: bool) -> Result<(), ErrorStack> { pub fn enabled() -> bool { unsafe { ffi::FIPS_mode() != 0 } } + +#[test] +fn is_enabled() { + #[cfg(feature = "fips")] + assert!(enabled()); + #[cfg(not(feature = "fips"))] + assert!(!enabled()); +} diff --git a/boring/src/pkey.rs b/boring/src/pkey.rs index c62ee341d..4054abd12 100644 --- a/boring/src/pkey.rs +++ b/boring/src/pkey.rs @@ -76,8 +76,10 @@ impl Id { pub const DH: Id = Id(ffi::EVP_PKEY_DH); pub const EC: Id = Id(ffi::EVP_PKEY_EC); pub const ED25519: Id = Id(ffi::EVP_PKEY_ED25519); + #[cfg(not(feature = "fips"))] pub const ED448: Id = Id(ffi::EVP_PKEY_ED448); pub const X25519: Id = Id(ffi::EVP_PKEY_X25519); + #[cfg(not(feature = "fips"))] pub const X448: Id = Id(ffi::EVP_PKEY_X448); /// Creates a `Id` from an integer representation. @@ -289,6 +291,7 @@ impl fmt::Debug for PKey { Id::DH => "DH", Id::EC => "EC", Id::ED25519 => "Ed25519", + #[cfg(not(feature = "fips"))] Id::ED448 => "Ed448", _ => "unknown", }; diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs index c3acfabcc..027678b9b 100644 --- a/boring/src/ssl/mod.rs +++ b/boring/src/ssl/mod.rs @@ -487,8 +487,10 @@ impl ExtensionType { pub const PADDING: Self = Self(ffi::TLSEXT_TYPE_padding as u16); pub const EXTENDED_MASTER_SECRET: Self = Self(ffi::TLSEXT_TYPE_extended_master_secret as u16); pub const TOKEN_BINDING: Self = Self(ffi::TLSEXT_TYPE_token_binding as u16); + #[cfg(not(feature = "fips"))] pub const QUIC_TRANSPORT_PARAMETERS_LEGACY: Self = Self(ffi::TLSEXT_TYPE_quic_transport_parameters_legacy as u16); + #[cfg(not(feature = "fips"))] pub const QUIC_TRANSPORT_PARAMETERS_STANDARD: Self = Self(ffi::TLSEXT_TYPE_quic_transport_parameters_standard as u16); pub const CERT_COMPRESSION: Self = Self(ffi::TLSEXT_TYPE_cert_compression as u16); @@ -505,8 +507,11 @@ impl ExtensionType { pub const KEY_SHARE: Self = Self(ffi::TLSEXT_TYPE_key_share as u16); pub const RENEGOTIATE: Self = Self(ffi::TLSEXT_TYPE_renegotiate as u16); pub const DELEGATED_CREDENTIAL: Self = Self(ffi::TLSEXT_TYPE_delegated_credential as u16); + #[cfg(not(feature = "fips"))] pub const APPLICATION_SETTINGS: Self = Self(ffi::TLSEXT_TYPE_application_settings as u16); + #[cfg(not(feature = "fips"))] pub const ENCRYPTED_CLIENT_HELLO: Self = Self(ffi::TLSEXT_TYPE_encrypted_client_hello as u16); + #[cfg(not(feature = "fips"))] pub const ECH_IS_INNER: Self = Self(ffi::TLSEXT_TYPE_ech_is_inner as u16); pub const CERTIFICATE_TIMESTAMP: Self = Self(ffi::TLSEXT_TYPE_certificate_timestamp as u16); pub const NEXT_PROTO_NEG: Self = Self(ffi::TLSEXT_TYPE_next_proto_neg as u16); diff --git a/boring/src/ssl/test/mod.rs b/boring/src/ssl/test/mod.rs index abb6b6c82..137411f1e 100644 --- a/boring/src/ssl/test/mod.rs +++ b/boring/src/ssl/test/mod.rs @@ -1,6 +1,7 @@ #![allow(unused_imports)] use hex; +use std::cell::Cell; use std::env; use std::fs::File; use std::io::prelude::*; @@ -508,14 +509,16 @@ fn test_select_cert_error() { #[test] fn test_select_cert_unknown_extension() { let mut server = Server::builder(); - let unknown_extension = std::sync::Arc::new(std::sync::Mutex::new(None)); + let unknown_extension = std::sync::Arc::new(std::sync::Mutex::new(Some(vec![]))); server.ctx().set_select_certificate_callback({ let unknown = unknown_extension.clone(); move |client_hello| { - *unknown.lock().unwrap() = client_hello - .get_extension(ExtensionType::QUIC_TRANSPORT_PARAMETERS_LEGACY) + let ext = client_hello + .get_extension(ExtensionType::SERVER_NAME) .map(ToOwned::to_owned); + assert!(ext.is_none()); + *unknown.lock().unwrap() = ext; Ok(()) } }); diff --git a/boring/src/x509/mod.rs b/boring/src/x509/mod.rs index a02403f46..08f102084 100644 --- a/boring/src/x509/mod.rs +++ b/boring/src/x509/mod.rs @@ -197,6 +197,7 @@ impl X509StoreContextRef { unsafe { ffi::X509_STORE_CTX_get_error_depth(self.as_ptr()) as u32 } } + #[cfg(not(feature = "fips"))] /// Returns a reference to a complete valid `X509` certificate chain. /// /// This corresponds to [`X509_STORE_CTX_get0_chain`]. @@ -229,12 +230,14 @@ impl X509Builder { /// Sets the notAfter constraint on the certificate. pub fn set_not_after(&mut self, not_after: &Asn1TimeRef) -> Result<(), ErrorStack> { - unsafe { cvt(X509_set1_notAfter(self.0.as_ptr(), not_after.as_ptr())).map(|_| ()) } + // TODO: once FIPS supports `set1_notAfter`, use that instead + unsafe { cvt(X509_set_notAfter(self.0.as_ptr(), not_after.as_ptr())).map(|_| ()) } } /// Sets the notBefore constraint on the certificate. pub fn set_not_before(&mut self, not_before: &Asn1TimeRef) -> Result<(), ErrorStack> { - unsafe { cvt(X509_set1_notBefore(self.0.as_ptr(), not_before.as_ptr())).map(|_| ()) } + // TODO: once FIPS supports `set1_notBefore`, use that instead + unsafe { cvt(X509_set_notBefore(self.0.as_ptr(), not_before.as_ptr())).map(|_| ()) } } /// Sets the version of the certificate. @@ -493,18 +496,18 @@ impl X509Ref { /// Returns the certificate's Not After validity period. pub fn not_after(&self) -> &Asn1TimeRef { unsafe { - let date = X509_getm_notAfter(self.as_ptr()); + let date = X509_get0_notAfter(self.as_ptr()); assert!(!date.is_null()); - Asn1TimeRef::from_ptr(date) + Asn1TimeRef::from_ptr(date as *mut _) } } /// Returns the certificate's Not Before validity period. pub fn not_before(&self) -> &Asn1TimeRef { unsafe { - let date = X509_getm_notBefore(self.as_ptr()); + let date = X509_get0_notBefore(self.as_ptr()); assert!(!date.is_null()); - Asn1TimeRef::from_ptr(date) + Asn1TimeRef::from_ptr(date as *mut _) } } @@ -1160,6 +1163,7 @@ impl X509ReqRef { ffi::i2d_X509_REQ } + #[cfg(not(feature = "fips"))] /// Returns the numerical value of the version field of the certificate request. /// /// This corresponds to [`X509_REQ_get_version`] @@ -1169,6 +1173,7 @@ impl X509ReqRef { unsafe { X509_REQ_get_version(self.as_ptr()) as i32 } } + #[cfg(not(feature = "fips"))] /// Returns the subject name of the certificate request. /// /// This corresponds to [`X509_REQ_get_subject_name`] @@ -1401,14 +1406,12 @@ impl Stackable for X509Object { type StackType = ffi::stack_st_X509_OBJECT; } -use crate::ffi::{X509_get0_signature, X509_getm_notAfter, X509_getm_notBefore, X509_up_ref}; - -use crate::ffi::{ - ASN1_STRING_get0_data, X509_ALGOR_get0, X509_REQ_get_subject_name, X509_REQ_get_version, - X509_STORE_CTX_get0_chain, X509_set1_notAfter, X509_set1_notBefore, -}; +use crate::ffi::{X509_get0_notAfter, X509_get0_notBefore, X509_get0_signature, X509_up_ref}; use crate::ffi::X509_OBJECT_get0_X509; +use crate::ffi::{ASN1_STRING_get0_data, X509_ALGOR_get0, X509_set_notAfter, X509_set_notBefore}; +#[cfg(not(feature = "fips"))] +use crate::ffi::{X509_REQ_get_subject_name, X509_REQ_get_version, X509_STORE_CTX_get0_chain}; #[allow(bad_style)] unsafe fn X509_OBJECT_free(x: *mut ffi::X509_OBJECT) { diff --git a/hyper-boring/Cargo.toml b/hyper-boring/Cargo.toml index 74bce004d..a00d14203 100644 --- a/hyper-boring/Cargo.toml +++ b/hyper-boring/Cargo.toml @@ -14,6 +14,7 @@ exclude = ["test/*"] default = ["runtime"] runtime = ["hyper/runtime"] +fips = ["tokio-boring/fips"] [dependencies] antidote = "1.0.0" diff --git a/tokio-boring/Cargo.toml b/tokio-boring/Cargo.toml index 15f6afb5f..9622b6715 100644 --- a/tokio-boring/Cargo.toml +++ b/tokio-boring/Cargo.toml @@ -20,3 +20,6 @@ tokio = "1" futures = "0.3" tokio = { version = "1", features = ["full"] } anyhow = "1" + +[features] +fips = ["boring/fips"]