diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs
index b344dfb0..d69763cd 100644
--- a/openssl-sys/src/ssl.rs
+++ b/openssl-sys/src/ssl.rs
@@ -376,7 +376,6 @@ extern "C" {
 pub fn SSL_CTX_set_client_CA_list(ctx: *mut SSL_CTX, list: *mut stack_st_X509_NAME);
- #[cfg(not(libressl))]
 pub fn SSL_CTX_add_client_CA(ctx: *mut SSL_CTX, cacert: *mut X509) -> c_int;
 pub fn SSL_CTX_set_default_verify_paths(ctx: *mut SSL_CTX) -> c_int;
diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs
index b0c8e7b3..c3107eb7 100644
--- a/openssl/src/lib.rs
+++ b/openssl/src/lib.rs
@@ -1,113 +1,7 @@
 //! Bindings to OpenSSL
 //!
-//! This crate provides a safe interface to the popular OpenSSL cryptography library. OpenSSL versions 1.0.1 through
-//! 1.1.1 and LibreSSL versions 2.5 through 2.8 are supported.
-//!
-//! # Building
-//!
-//! Both OpenSSL libraries and headers are required to build this crate. There are multiple options available to locate
-//! OpenSSL.
-//!
-//! ## Vendored
-//!
-//! If the `vendored` Cargo feature is enabled, the `openssl-src` crate will be used to compile and statically link to
-//! a copy of OpenSSL. The build process requires a C compiler, perl, and make. The OpenSSL version will generally track
-//! the newest OpenSSL release, and changes to the version are *not* considered breaking changes.
-//!
-//! ```toml
-//! [dependencies]
-//! openssl = { version = "0.10", features = ["vendored"] }
-//! ```
-//!
-//! The vendored copy will not be configured to automatically find the system's root certificates, but the
-//! `openssl-probe` crate can be used to do that instead.
-//!
-//! ## Automatic
-//!
-//! The `openssl-sys` crate will automatically detect OpenSSL installations via Homebrew on macOS and vcpkg on Windows.
-//! Additionally, it will use `pkg-config` on Unix-like systems to find the system installation.
-//!
-//! ```not_rust
-//! # macOS
-//! $ brew install openssl@1.1
-//!
-//! # Arch Linux
-//! $ sudo pacman -S pkg-config openssl
-//!
-//! # Debian and Ubuntu
-//! $ sudo apt-get install pkg-config libssl-dev
-//!
-//! # Fedora
-//! $ sudo dnf install pkg-config openssl-devel
-//! ```
-//!
-//! ## Manual
-//!
-//! A set of environment variables can be used to point `openssl-sys` towards an OpenSSL installation. They will
-//! override the automatic detection logic.
-//!
-//! * `OPENSSL_DIR` - If specified, the directory of an OpenSSL installation. The directory should contain `lib` and
-//! `include` subdirectories containing the libraries and headers respectively.
-//! * `OPENSSL_LIB_DIR` and `OPENSSL_INCLUDE_DIR` - If specified, the directories containing the OpenSSL libraries and
-//! headers respectively. This can be used if the OpenSSL installation is split in a nonstandard directory layout.
-//! * `OPENSSL_STATIC` - If set, the crate will statically link to OpenSSL rather than dynamically link.
-//! * `OPENSSL_LIBS` - If set, a `:`-separated list of library names to link to (e.g. `ssl:crypto`). This can be used
-//! if nonstandard library names were used for whatever reason.
-//! * `OPENSSL_NO_VENDOR` - If set, always find OpenSSL in the system, even if the `vendored` feature is enabled.
-//!
-//! Additionally, these variables can be prefixed with the upper-cased target architecture (e.g.
-//! `X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR`), which can be useful when cross compiling.
-//!
-//! # Feature Detection
-//!
-//! APIs have been added to and removed from the various supported OpenSSL versions, and this library exposes the
-//! functionality available in the version being linked against. This means that methods, constants, and even modules
-//! will be present when building against one version of OpenSSL but not when building against another! APIs will
-//! document any version-specific availability restrictions.
-//!
-//! A build script can be used to detect the OpenSSL or LibreSSL version at compile time if needed. The `openssl-sys`
-//! crate propagates the version via the `DEP_OPENSSL_VERSION_NUMBER` and `DEP_OPENSSL_LIBRESSL_VERSION_NUMBER`
-//! environment variables to build scripts. The version format is a hex-encoding of the OpenSSL release version:
-//! `0xMNNFFPPS`. For example, version 1.0.2g's encoding is `0x1_00_02_07_0`.
-//!
-//! For example, let's say we want to adjust the TLSv1.3 cipher suites used by a client, but also want to compile
-//! against OpenSSL versions that don't support TLSv1.3:
-//!
-//! Cargo.toml:
-//!
-//! ```toml
-//! [dependencies]
-//! openssl-sys = "0.9"
-//! openssl = "0.10"
-//! ```
-//!
-//! build.rs:
-//!
-//! ```
-//! use std::env;
-//!
-//! fn main() {
-//! if let Ok(v) = env::var("DEP_OPENSSL_VERSION_NUMBER") {
-//! let version = u64::from_str_radix(&v, 16).unwrap();
-//!
-//! if version >= 0x1_01_01_00_0 {
-//! println!("cargo:rustc-cfg=openssl111");
-//! }
-//! }
-//! }
-//! ```
-//!
-//! lib.rs:
-//!
-//! ```
-//! use openssl::ssl::{SslConnector, SslMethod};
-//!
-//! let mut ctx = SslConnector::builder(SslMethod::tls()).unwrap();
-//!
-//! // set_ciphersuites was added in OpenSSL 1.1.1, so we can only call it when linking against that version
-//! #[cfg(openssl111)]
-//! ctx.set_ciphersuites("TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256").unwrap();
-//! ```
+//! This crate provides a safe interface to the BoringSSL cryptography library.
+
 #![doc(html_root_url = "https://docs.rs/openssl/0.10")]
 #[macro_use]
@@ -149,7 +43,6 @@ pub mod ec;
 pub mod ecdsa;
 pub mod error;
 pub mod ex_data;
-#[cfg(not(libressl))]
 pub mod fips;
 pub mod hash;
 pub mod memcmp;
diff --git a/openssl/src/pkcs5.rs b/openssl/src/pkcs5.rs
index cd3f15da..1d19f9fa 100644
--- a/openssl/src/pkcs5.rs
+++ b/openssl/src/pkcs5.rs
@@ -110,8 +110,6 @@ pub fn pbkdf2_hmac(
 }
 /// Derives a key from a password and salt using the scrypt algorithm.
-///
-/// Requires OpenSSL 1.1.0 or newer.
 pub fn scrypt(
 pass: &[u8],
 salt: &[u8],
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
index d17ce315..001d3d70 100644
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@@ -136,13 +136,9 @@ bitflags! {
 ffi::SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
 /// Creates a new key for each session when using ECDHE.
- ///
- /// This is always enabled in OpenSSL 1.1.0.
 const SINGLE_ECDH_USE = ffi::SSL_OP_SINGLE_ECDH_USE;
 /// Creates a new key for each session when using DHE.
- ///
- /// This is always enabled in OpenSSL 1.1.0.
 const SINGLE_DH_USE = ffi::SSL_OP_SINGLE_DH_USE;
 /// Use the server's preferences rather than the client's when selecting a cipher.
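Review bot: The replacement crate doc drops every build-time and trust-store caveat, while `#![doc(html_root_url = "https://docs.rs/openssl/0.10")]` two lines below it still points at the upstream `openssl` crate's documentation, which now describes a different library than the one this crate says it binds. The deleted Vendored paragraph was also the only statement about whether the default verify paths find the system's root certificates; the new one-line doc gives a BoringSSL user nothing on where peer verification gets its trust anchors. Suggest retargeting or removing the `html_root_url` attribute and adding one sentence after the BoringSSL line, e.g. `//! The default verify paths may not resolve to the system's root certificates, depending on how the linked BoringSSL was built; configure a certificate store explicitly when in doubt.`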
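Review bot: Dropping "This is always enabled in OpenSSL 1.1.0" from `SINGLE_ECDH_USE` and `SINGLE_DH_USE` leaves a doc that reads as if a fresh ephemeral key per handshake is opt-in, which is the opposite of what a reader choosing options needs to know; with BoringSSL as the target the option is, as far as I know, accepted only for compatibility and has no effect because fresh keys are always generated. Worth confirming against the linked BoringSSL headers and replacing the deleted sentence rather than leaving nothing, e.g. `/// Modern libraries always generate a fresh ephemeral key per handshake; this option is kept for API compatibility and is expected to be a no-op.` The `bitflags!` block these constants belong to starts and ends outside the hunk.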
@@ -169,23 +165,15 @@ bitflags! {
 const NO_TLSV1_2 = ffi::SSL_OP_NO_TLSv1_2;
 /// Disables the use of TLSv1.3.
- ///
- /// Requires OpenSSL 1.1.1 or newer.
 const NO_TLSV1_3 = ffi::SSL_OP_NO_TLSv1_3;
 /// Disables the use of DTLSv1.0
- ///
- /// Requires OpenSSL 1.0.2 or newer.
 const NO_DTLSV1 = ffi::SSL_OP_NO_DTLSv1;
 /// Disables the use of DTLSv1.2.
- ///
- /// Requires OpenSSL 1.0.2, or newer.
 const NO_DTLSV1_2 = ffi::SSL_OP_NO_DTLSv1_2;
 /// Disallow all renegotiation in TLSv1.2 and earlier.
- ///
- /// Requires OpenSSL 1.1.0h or newer.
 const NO_RENEGOTIATION = ffi::SSL_OP_NO_RENEGOTIATION;
 }
 }
@@ -234,7 +222,6 @@ bitflags! {
 /// attempted to downgrade the protocol version of the session.
 ///
 /// Do not use this unless you know what you're doing!
- #[cfg(not(libressl))]
 const SEND_FALLBACK_SCSV = ffi::SSL_MODE_SEND_FALLBACK_SCSV;
 }
 }
@@ -465,15 +452,11 @@ impl SslAlert {
 }
 /// An error returned from an ALPN selection callback.
-///
-/// Requires OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer.
 #[derive(Debug, Copy, Clone, PartialEq, Eq)]
 pub struct AlpnError(c_int);
 impl AlpnError {
 /// Terminate the handshake with a fatal alert.
- ///
- /// Requires OpenSSL 1.1.0 or newer.
 pub const ALERT_FATAL: AlpnError = AlpnError(ffi::SSL_TLSEXT_ERR_ALERT_FATAL);
 /// Do not select a protocol, but continue the handshake.
@@ -642,8 +625,6 @@ impl SslContextBuilder {
 /// Sets a custom certificate store for verifying peer certificates.
 ///
- /// Requires OpenSSL 1.0.2 or newer.
- ///
 /// This corresponds to [`SSL_CTX_set0_verify_cert_store`].
 ///
 /// [`SSL_CTX_set0_verify_cert_store`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set0_verify_cert_store.html
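Review bot: In the `@@ -642` hunk the "Requires OpenSSL 1.0.2" line is gone but the `This corresponds to` link still resolves to `https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set0_verify_cert_store.html`, and the same pattern repeats in every hunk through the `SSL_get_server_random` one (L6–L9): the reader is now told the crate binds BoringSSL while each method's reference text is an OpenSSL man page, with no hint that the behaviour of the linked library for that symbol may differ. Either retarget the links to the BoringSSL header documentation or state the convention once in the `ssl` module's top-level doc (outside this hunk), e.g. `//! Links to openssl.org man pages describe the OpenSSL API this wrapper mirrors; consult the BoringSSL headers for the behaviour of the linked library.` This matters most for verification-related entry points such as `set_verify_cert_store`, where a semantic difference silently changes what gets trusted.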
@@ -765,7 +746,6 @@ impl SslContextBuilder {
 /// This corresponds to [`SSL_CTX_add_client_CA`].
 ///
 /// [`SSL_CTX_add_client_CA`]: https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_client_CA_list.html
- #[cfg(not(libressl))]
 pub fn add_client_ca(&mut self, cacert: &X509Ref) -> Result<(), ErrorStack> {
 unsafe { cvt(ffi::SSL_CTX_add_client_CA(self.as_ptr(), cacert.as_ptr())).map(|_| ()) }
 }
@@ -965,8 +945,6 @@ impl SslContextBuilder {
 ///
 /// This corresponds to [`SSL_CTX_set_min_proto_version`].
 ///
- /// Requires OpenSSL 1.1.0 or LibreSSL 2.6.1 or newer.
- ///
 /// [`SSL_CTX_set_min_proto_version`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_set_min_proto_version.html
 pub fn set_min_proto_version(&mut self, version: Option) -> Result<(), ErrorStack> {
 unsafe {
@@ -985,8 +963,6 @@ impl SslContextBuilder {
 ///
 /// This corresponds to [`SSL_CTX_set_max_proto_version`].
 ///
- /// Requires OpenSSL 1.1.0 or or LibreSSL 2.6.1 or newer.
- ///
 /// [`SSL_CTX_set_max_proto_version`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_set_min_proto_version.html
 pub fn set_max_proto_version(&mut self, version: Option) -> Result<(), ErrorStack> {
 unsafe {
@@ -1005,8 +981,6 @@ impl SslContextBuilder {
 ///
 /// This corresponds to [`SSL_CTX_get_min_proto_version`].
 ///
- /// Requires OpenSSL 1.1.0g or LibreSSL 2.7.0 or newer.
- ///
 /// [`SSL_CTX_get_min_proto_version`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_set_min_proto_version.html
 pub fn min_proto_version(&mut self) -> Option {
 unsafe {
@@ -1026,8 +1000,6 @@ impl SslContextBuilder {
 ///
 /// This corresponds to [`SSL_CTX_get_max_proto_version`].
 ///
- /// Requires OpenSSL 1.1.0g or LibreSSL 2.7.0 or newer.
- ///
 /// [`SSL_CTX_get_max_proto_version`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_set_min_proto_version.html
 pub fn max_proto_version(&mut self) -> Option {
 unsafe {
@@ -1049,8 +1021,6 @@ impl SslContextBuilder {
 ///
 /// This corresponds to [`SSL_CTX_set_alpn_protos`].
 ///
- /// Requires OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer.
- ///
 /// [`SSL_CTX_set_alpn_protos`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_alpn_protos.html
 pub fn set_alpn_protos(&mut self, protocols: &[u8]) -> Result<(), ErrorStack> {
 unsafe {
@@ -1098,8 +1068,6 @@ impl SslContextBuilder {
 ///
 /// This corresponds to [`SSL_CTX_set_alpn_select_cb`].
 ///
- /// Requires OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer.
- ///
 /// [`SslContextBuilder::set_alpn_protos`]: struct.SslContextBuilder.html#method.set_alpn_protos
 /// [`select_next_proto`]: fn.select_next_proto.html
 /// [`SSL_CTX_set_alpn_select_cb`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_alpn_protos.html
@@ -1306,8 +1274,6 @@ impl SslContextBuilder {
 /// SSLKEYLOGFILE-formatted text. This can be used by tools like Wireshark to decrypt message
 /// traffic. The line does not contain a trailing newline.
 ///
- /// Requires OpenSSL 1.1.1 or newer.
- ///
 /// This corresponds to [`SSL_CTX_set_keylog_callback`].
 ///
 /// [`SSL_CTX_set_keylog_callback`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_keylog_callback.html
@@ -1371,8 +1337,6 @@ impl SslContextBuilder {
 ///
 /// This corresponds to [`SSL_CTX_set1_sigalgs_list`].
 ///
- /// Requires OpenSSL 1.0.2 or newer.
- ///
 /// [`SSL_CTX_set1_sigalgs_list`]: https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set1_sigalgs_list.html
 pub fn set_sigalgs_list(&mut self, sigalgs: &str) -> Result<(), ErrorStack> {
 let sigalgs = CString::new(sigalgs).unwrap();
@@ -1464,8 +1428,6 @@ impl SslContext {
 impl SslContextRef {
 /// Returns the certificate associated with this `SslContext`, if present.
 ///
- /// Requires OpenSSL 1.0.2 or newer.
- ///
 /// This corresponds to [`SSL_CTX_get0_certificate`].
 ///
 /// [`SSL_CTX_get0_certificate`]: https://www.openssl.org/docs/man1.1.0/ssl/ssl.html
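Review bot: The keylog docstring in the `@@ -1306` hunk now says only what the callback's output is useful for ("tools like Wireshark to decrypt message traffic") and, with the version line removed, nothing else about its nature; it should state plainly that each line is session key material, since a caller wiring this to a general-purpose logger otherwise has no cue from the API docs. Suggest adding after the "does not contain a trailing newline" line: `/// Each line carries secrets sufficient to decrypt the session; treat the callback's output as key material and restrict where it is written.` The method's signature and body lie outside the hunk.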
@@ -1482,8 +1444,6 @@ impl SslContextRef {
 /// Returns the private key associated with this `SslContext`, if present.
 ///
- /// Requires OpenSSL 1.0.2 or newer.
- ///
 /// This corresponds to [`SSL_CTX_get0_privatekey`].
 ///
 /// [`SSL_CTX_get0_privatekey`]: https://www.openssl.org/docs/man1.1.0/ssl/ssl.html
@@ -1656,8 +1616,6 @@ impl SslCipherRef {
 /// Returns the RFC-standard name of the cipher, if one exists.
 ///
- /// Requires OpenSSL 1.1.1 or newer.
- ///
 /// This corresponds to [`SSL_CIPHER_standard_name`].
 ///
 /// [`SSL_CIPHER_standard_name`]: https://www.openssl.org/docs/manmaster/man3/SSL_CIPHER_get_name.html
@@ -1719,8 +1677,6 @@ impl SslCipherRef {
 /// Returns the NID corresponding to the cipher.
 ///
- /// Requires OpenSSL 1.1.0 or newer.
- ///
 /// This corresponds to [`SSL_CIPHER_get_cipher_nid`].
 ///
 /// [`SSL_CIPHER_get_cipher_nid`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_CIPHER_get_cipher_nid.html
@@ -1838,8 +1794,6 @@ impl SslSessionRef {
 /// Returns the session's TLS protocol version.
 ///
- /// Requires OpenSSL 1.1.0 or newer.
- ///
 /// This corresponds to [`SSL_SESSION_get_protocol_version`].
 ///
 /// [`SSL_SESSION_get_protocol_version`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_SESSION_get_protocol_version.html
@@ -2057,8 +2011,6 @@ impl SslRef {
 /// Like [`SslContextBuilder::set_alpn_protos`].
 ///
- /// Requires OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer.
- ///
 /// This corresponds to [`SSL_set_alpn_protos`].
 ///
 /// [`SslContextBuilder::set_alpn_protos`]: struct.SslContextBuilder.html#method.set_alpn_protos
@@ -2247,8 +2199,6 @@ impl SslRef {
 /// The protocol's name is returned is an opaque sequence of bytes. It is up to the client
 /// to interpret it.
 ///
- /// Requires OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer.
- ///
 /// This corresponds to [`SSL_get0_alpn_selected`].
 ///
 /// [`SSL_get0_alpn_selected`]: https://www.openssl.org/docs/manmaster/man3/SSL_get0_next_proto_negotiated.html
@@ -2402,8 +2352,6 @@ impl SslRef {
 /// Returns a mutable reference to the X509 verification configuration.
 ///
- /// Requires OpenSSL 1.0.2 or newer.
- ///
 /// This corresponds to [`SSL_get0_param`].
 ///
 /// [`SSL_get0_param`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_get0_param.html
@@ -2441,8 +2389,6 @@ impl SslRef {
 /// Returns the number of bytes copied, or if the buffer is empty, the size of the client_random
 /// value.
 ///
- /// Requires OpenSSL 1.1.0 or newer.
- ///
 /// This corresponds to [`SSL_get_client_random`].
 ///
 /// [`SSL_get_client_random`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_get_client_random.html
@@ -2457,8 +2403,6 @@ impl SslRef {
 /// Returns the number of bytes copied, or if the buffer is empty, the size of the server_random
 /// value.
 ///
- /// Requires OpenSSL 1.1.0 or newer.
- ///
 /// This corresponds to [`SSL_get_server_random`].
 ///
 /// [`SSL_get_server_random`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_get_client_random.html
diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs
index 93c27545..3e0b41ae 100644
--- a/openssl/src/ssl/test/mod.rs
+++ b/openssl/src/ssl/test/mod.rs
@@ -301,7 +301,6 @@ fn state() {
 /// lists of supported protocols have an overlap -- with only ONE protocol
 /// being valid for both.
 #[test]
-#[cfg_attr(libressl291, ignore)]
 fn test_connect_with_srtp_ctx() {
 let listener = TcpListener::bind("127.0.0.1:0").unwrap();
 let addr = listener.local_addr().unwrap();
@@ -360,7 +359,6 @@ fn test_connect_with_srtp_ctx() {
 /// lists of supported protocols have an overlap -- with only ONE protocol
 /// being valid for both.
 #[test]
-#[cfg_attr(libressl291, ignore)]
 fn test_connect_with_srtp_ssl() {
 let listener = TcpListener::bind("127.0.0.1:0").unwrap();
 let addr = listener.local_addr().unwrap();
@@ -589,7 +587,6 @@ fn refcount_ssl_context() {
 }
 #[test]
-#[cfg_attr(libressl250, ignore)]
 #[cfg_attr(target_os = "windows", ignore)]
 #[cfg_attr(all(target_os = "macos", feature = "vendored"), ignore)]
 fn default_verify_paths() {
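Review bot: The `#[cfg_attr(all(target_os = "macos", feature = "vendored"), ignore)]` kept directly under the removed `libressl250` line refers to the `vendored` feature whose documentation this commit deletes from lib.rs; if that feature no longer exists in the crate manifest (not visible here), the predicate is always false and `default_verify_paths`, the one test that checks system trust roots are reachable, starts running unconditionally on macOS where the old comment says it was expected to fail. Either drop the attribute with the rest of the OpenSSL-era gating or replace it with one that names the condition that actually applies to a BoringSSL build, and add a one-line comment saying why the platform is excluded. The test body starts past the end of the hunk.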