Merge pull request #117 from nox/bump-boringssl

Update boringssl to latest upstream commit (fixes #100)

boring-sys/deps/boringssl

@@ -1 +1 @@
-Subproject commit f1c75347daa2ea81a941e953f2263e0a4d970c8d
+Subproject commit 44b3df6f03d85c901767250329c571db405122d5

boring/src/bio.rs

@@ -1,6 +1,5 @@
 use crate::ffi;
 use crate::ffi::BIO_new_mem_buf;
-use libc::c_int;
 use std::marker::PhantomData;
 use std::ptr;
 use std::slice;
@@ -20,13 +19,18 @@ impl<'a> Drop for MemBioSlice<'a> {
 
 impl<'a> MemBioSlice<'a> {
     pub fn new(buf: &'a [u8]) -> Result<MemBioSlice<'a>, ErrorStack> {
+        #[cfg(not(feature = "fips"))]
+        type BufLen = isize;
+        #[cfg(feature = "fips")]
+        type BufLen = libc::c_int;
+
         ffi::init();
 
-        assert!(buf.len() <= c_int::max_value() as usize);
+        assert!(buf.len() <= BufLen::max_value() as usize);
         let bio = unsafe {
             cvt_p(BIO_new_mem_buf(
                 buf.as_ptr() as *const _,
-                buf.len() as c_int,
+                buf.len() as BufLen,
             ))?
         };
 

boring/src/ssl/mod.rs

@@ -621,8 +621,6 @@ impl SslCurve {
     pub const SECP521R1: SslCurve = SslCurve(ffi::NID_secp521r1);
 
     pub const X25519: SslCurve = SslCurve(ffi::NID_X25519);
-
-    pub const CECPQ2: SslCurve = SslCurve(ffi::NID_CECPQ2);
 }
 
 /// A standard implementation of protocol selection for Application Layer Protocol Negotiation
@@ -1165,11 +1163,14 @@ impl SslContextBuilder {
     /// [`SSL_CTX_set_alpn_protos`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_alpn_protos.html
     pub fn set_alpn_protos(&mut self, protocols: &[u8]) -> Result<(), ErrorStack> {
         unsafe {
-            assert!(protocols.len() <= c_uint::max_value() as usize);
+            #[cfg_attr(not(feature = "fips"), allow(clippy::unnecessary_cast))]
+            {
+                assert!(protocols.len() <= ProtosLen::max_value() as usize);
+            }
             let r = ffi::SSL_CTX_set_alpn_protos(
                 self.as_ptr(),
                 protocols.as_ptr(),
-                protocols.len() as c_uint,
+                protocols.len() as ProtosLen,
             );
             // fun fact, SSL_CTX_set_alpn_protos has a reversed return code D:
             if r == 0 {
@@ -1768,6 +1769,11 @@ impl SslContextRef {
     }
 }
 
+#[cfg(not(feature = "fips"))]
+type ProtosLen = usize;
+#[cfg(feature = "fips")]
+type ProtosLen = libc::c_uint;
+
 /// Information about the state of a cipher.
 pub struct CipherBits {
     /// The number of secret bits used for the cipher.
@@ -2266,11 +2272,14 @@ impl SslRef {
     /// [`SSL_set_alpn_protos`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_set_alpn_protos.html
     pub fn set_alpn_protos(&mut self, protocols: &[u8]) -> Result<(), ErrorStack> {
         unsafe {
-            assert!(protocols.len() <= c_uint::max_value() as usize);
+            #[cfg_attr(not(feature = "fips"), allow(clippy::unnecessary_cast))]
+            {
+                assert!(protocols.len() <= ProtosLen::max_value() as usize);
+            }
             let r = ffi::SSL_set_alpn_protos(
                 self.as_ptr(),
                 protocols.as_ptr(),
-                protocols.len() as c_uint,
+                protocols.len() as ProtosLen,
             );
             // fun fact, SSL_set_alpn_protos has a reversed return code D:
             if r == 0 {

boring/src/x509/mod.rs

@@ -809,13 +809,13 @@ impl X509NameBuilder {
     pub fn append_entry_by_text(&mut self, field: &str, value: &str) -> Result<(), ErrorStack> {
         unsafe {
             let field = CString::new(field).unwrap();
-            assert!(value.len() <= c_int::max_value() as usize);
+            assert!(value.len() <= ValueLen::max_value() as usize);
             cvt(ffi::X509_NAME_add_entry_by_txt(
                 self.0.as_ptr(),
                 field.as_ptr() as *mut _,
                 ffi::MBSTRING_UTF8,
                 value.as_ptr(),
-                value.len() as c_int,
+                value.len() as ValueLen,
                 -1,
                 0,
             ))
@@ -830,13 +830,13 @@ impl X509NameBuilder {
     /// [`X509_NAME_add_entry_by_NID`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_NAME_add_entry_by_NID.html
     pub fn append_entry_by_nid(&mut self, field: Nid, value: &str) -> Result<(), ErrorStack> {
         unsafe {
-            assert!(value.len() <= c_int::max_value() as usize);
+            assert!(value.len() <= ValueLen::max_value() as usize);
             cvt(ffi::X509_NAME_add_entry_by_NID(
                 self.0.as_ptr(),
                 field.as_raw(),
                 ffi::MBSTRING_UTF8,
                 value.as_ptr() as *mut _,
-                value.len() as c_int,
+                value.len() as ValueLen,
                 -1,
                 0,
             ))
@@ -850,6 +850,11 @@ impl X509NameBuilder {
     }
 }
 
+#[cfg(not(feature = "fips"))]
+type ValueLen = isize;
+#[cfg(feature = "fips")]
+type ValueLen = i32;
+
 foreign_type_and_impl_send_sync! {
     type CType = ffi::X509_NAME;
     fn drop = ffi::X509_NAME_free;

boring/src/x509/store.rs

@@ -8,6 +8,7 @@
 //! ```rust
 //! use boring::x509::store::{X509StoreBuilder, X509Store};
 //! use boring::x509::{X509, X509Name};
+//! use boring::asn1::Asn1Time;
 //! use boring::pkey::PKey;
 //! use boring::hash::MessageDigest;
 //! use boring::rsa::Rsa;
@@ -22,10 +23,15 @@
 //! let name = name.build();
 //! let mut builder = X509::builder().unwrap();
 //!
+//! // Sep 27th, 2016
+//! let sample_time = Asn1Time::from_unix(1474934400).unwrap();
+//!
 //! builder.set_version(2).unwrap();
 //! builder.set_subject_name(&name).unwrap();
 //! builder.set_issuer_name(&name).unwrap();
 //! builder.set_pubkey(&pkey).unwrap();
+//! builder.set_not_before(&sample_time);
+//! builder.set_not_after(&sample_time);
 //! builder.sign(&pkey, MessageDigest::sha256()).unwrap();
 //!
 //! let certificate: X509 = builder.build();

boring/src/x509/tests.rs

@@ -260,7 +260,7 @@ fn x509_req_builder() {
     let name = name.build();
 
     let mut builder = X509Req::builder().unwrap();
-    builder.set_version(2).unwrap();
+    builder.set_version(0).unwrap();
     builder.set_subject_name(&name).unwrap();
     builder.set_pubkey(&pkey).unwrap();