diff --git a/openssl-sys/build.rs b/openssl-sys/build.rs index bfdc3927..adae852a 100644 --- a/openssl-sys/build.rs +++ b/openssl-sys/build.rs @@ -194,7 +194,6 @@ fn main() { cfgs.push("ossl110"); cfgs.push("ossl110f"); cfgs.push("ossl110g"); - cfgs.push("ossl111"); for cfg in cfgs { println!("cargo:rustc-cfg={}", cfg); diff --git a/openssl-sys/src/evp.rs b/openssl-sys/src/evp.rs index 45507876..5cd3ecc3 100644 --- a/openssl-sys/src/evp.rs +++ b/openssl-sys/src/evp.rs @@ -7,13 +7,9 @@ pub const EVP_PKEY_RSA: c_int = NID_rsaEncryption; pub const EVP_PKEY_DSA: c_int = NID_dsa; pub const EVP_PKEY_DH: c_int = NID_dhKeyAgreement; pub const EVP_PKEY_EC: c_int = NID_X9_62_id_ecPublicKey; -#[cfg(ossl111)] pub const EVP_PKEY_X25519: c_int = NID_X25519; -#[cfg(ossl111)] pub const EVP_PKEY_ED25519: c_int = NID_ED25519; -#[cfg(ossl111)] pub const EVP_PKEY_X448: c_int = NID_X448; -#[cfg(ossl111)] pub const EVP_PKEY_ED448: c_int = NID_ED448; pub const EVP_CTRL_GCM_SET_IVLEN: c_int = 0x9; @@ -54,7 +50,6 @@ extern "C" { pub fn EVP_DigestFinal_ex(ctx: *mut EVP_MD_CTX, res: *mut u8, n: *mut u32) -> c_int; pub fn EVP_DigestInit(ctx: *mut EVP_MD_CTX, typ: *const EVP_MD) -> c_int; pub fn EVP_DigestFinal(ctx: *mut EVP_MD_CTX, res: *mut u8, n: *mut u32) -> c_int; - #[cfg(ossl111)] pub fn EVP_DigestFinalXOF(ctx: *mut EVP_MD_CTX, res: *mut u8, len: usize) -> c_int; pub fn EVP_BytesToKey( 
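Review bot: `EVP_DigestFinalXOF`, and the `EVP_PKEY_X25519`/`EVP_PKEY_ED25519`/`EVP_PKEY_X448`/`EVP_PKEY_ED448` constants in the hunk above it, are now declared unconditionally while the build.rs hunk in the same commit stops emitting `cargo:rustc-cfg=ossl111`, so nothing is left to gate symbols the crate previously tied to OpenSSL 1.1.1 (the removed wrapper docs later in this diff say "Requires OpenSSL 1.1.1 or newer"). An unreferenced extern declaration is harmless, but this commit also ungates the wrappers that reference them — `finish_xof`/`hash_xof` in hash.rs, `sign_oneshot`/`verify_oneshot` in sign.rs, `raw_keylog` in callbacks.rs — so a build against OpenSSL 1.1.0 or LibreSSL will fail at link time instead of compiling the feature out. The same pattern recurs in the following hunks for `EVP_DigestSign`/`EVP_DigestVerify`, the `EVP_PKEY_*_raw_*` functions, the `NID_X25519`..`NID_ED448` constants, `SSL_CTX_set_keylog_callback` and `SSL_CIPHER_standard_name`. Either keep the `#[cfg(ossl111)]` attributes, or make build.rs reject versions below 1.1.1 and state the new minimum supported version in the commit message.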
@@ -155,27 +150,24 @@ extern "C" { pub fn EVP_PKEY_size(pkey: *const EVP_PKEY) -> c_int; } -cfg_if! { - if #[cfg(ossl111)] { - extern "C" { - pub fn EVP_DigestSign( - ctx: *mut EVP_MD_CTX, - sigret: *mut c_uchar, - siglen: *mut size_t, - tbs: *const c_uchar, - tbslen: size_t - ) -> c_int; +extern "C" { + pub fn EVP_DigestSign( + ctx: *mut EVP_MD_CTX, + sigret: *mut c_uchar, + siglen: *mut size_t, + tbs: *const c_uchar, + tbslen: size_t, + ) -> c_int; - pub fn EVP_DigestVerify( - ctx: *mut EVP_MD_CTX, - sigret: *const c_uchar, - siglen: size_t, - tbs: *const c_uchar, - tbslen: size_t - ) -> c_int; - } - } + pub fn EVP_DigestVerify( + ctx: *mut EVP_MD_CTX, + sigret: *const c_uchar, + siglen: size_t, + tbs: *const c_uchar, + tbslen: size_t, + ) -> c_int; } + cfg_if! { if #[cfg(any(ossl102, libressl280))] { extern "C" { 
@@ -348,33 +340,29 @@ extern "C" { pub fn EVP_PKCS82PKEY(p8: *mut PKCS8_PRIV_KEY_INFO) -> *mut EVP_PKEY; } -cfg_if! { - if #[cfg(any(ossl111))] { - extern "C" { - pub fn EVP_PKEY_get_raw_public_key( - pkey: *const EVP_PKEY, - ppub: *mut c_uchar, - len: *mut size_t, - ) -> c_int; - pub fn EVP_PKEY_new_raw_public_key( - ttype: c_int, - e: *mut ENGINE, - key: *const c_uchar, - keylen: size_t, - ) -> *mut EVP_PKEY; - pub fn EVP_PKEY_get_raw_private_key( - pkey: *const EVP_PKEY, - ppriv: *mut c_uchar, - len: *mut size_t, - ) -> c_int; - pub fn EVP_PKEY_new_raw_private_key( - ttype: c_int, - e: *mut ENGINE, - key: *const c_uchar, - keylen: size_t, - ) -> *mut EVP_PKEY; - } - } +extern "C" { + pub fn EVP_PKEY_get_raw_public_key( + pkey: *const EVP_PKEY, + ppub: *mut c_uchar, + len: *mut size_t, + ) -> c_int; + pub fn EVP_PKEY_new_raw_public_key( + ttype: c_int, + e: *mut ENGINE, + key: *const c_uchar, + keylen: size_t, + ) -> *mut EVP_PKEY; + pub fn EVP_PKEY_get_raw_private_key( + pkey: *const EVP_PKEY, + ppriv: *mut c_uchar, + len: *mut size_t, + ) -> c_int; + pub fn EVP_PKEY_new_raw_private_key( + ttype: c_int, + e: *mut ENGINE, + key: *const c_uchar, + keylen: size_t, + ) -> *mut EVP_PKEY; } extern "C" { diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 7226a05d..de5cb8ca 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -95,10 +95,7 @@ pub fn init() { // explicitly initialize to work around https://github.com/openssl/openssl/issues/3505 static INIT: Once = Once::new(); - #[cfg(not(ossl111b))] let init_options = OPENSSL_INIT_LOAD_SSL_STRINGS; - #[cfg(ossl111b)] - let init_options = OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_NO_ATEXIT; INIT.call_once(|| unsafe { OPENSSL_init_ssl(init_options, ptr::null_mut()); diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs index e187a3f0..623f5acf 100644 --- a/openssl-sys/src/obj_mac.rs +++ b/openssl-sys/src/obj_mac.rs 
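Review bot: In `init()`, `init_options` is now always `OPENSSL_INIT_LOAD_SSL_STRINGS`, so on OpenSSL 1.1.1b and later the library will again install its atexit cleanup handler, which the removed `OPENSSL_INIT_NO_ATEXIT` branch had suppressed; if that flag was added to avoid teardown-order problems (the reason is not visible here), this silently reintroduces them. A one-line comment recording the decision, `// OPENSSL_INIT_NO_ATEXIT deliberately not requested: <reason>`, next to `let init_options` would stop the next reader from re-adding the branch blindly. The `OPENSSL_INIT_NO_ATEXIT` constant itself is dropped from ssl.rs in a later hunk, and init's body continues outside this hunk.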
@@ -910,11 +910,7 @@ pub const NID_rc4_hmac_md5: c_int = 915;
 pub const NID_aes_128_cbc_hmac_sha1: c_int = 916;
 pub const NID_aes_192_cbc_hmac_sha1: c_int = 917;
 pub const NID_aes_256_cbc_hmac_sha1: c_int = 918;
-#[cfg(ossl111)]
 pub const NID_X25519: c_int = 1034;
-#[cfg(ossl111)]
 pub const NID_X448: c_int = 1035;
-#[cfg(ossl111)]
 pub const NID_ED25519: c_int = 1087;
-#[cfg(ossl111)]
 pub const NID_ED448: c_int = 1088;
diff --git a/openssl-sys/src/rand.rs b/openssl-sys/src/rand.rs
index 67d8aa82..93587861 100644
--- a/openssl-sys/src/rand.rs
+++ b/openssl-sys/src/rand.rs
@@ -2,9 +2,5 @@ use libc::*;
 extern "C" {
 pub fn RAND_bytes(buf: *mut u8, num: size_t) -> c_int;
-
- #[cfg(ossl111)]
- pub fn RAND_keep_random_devices_open(keep: c_int);
-
 pub fn RAND_status() -> c_int;
 }
diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs
index 4d7c2810..15ec20f6 100644
--- a/openssl-sys/src/ssl.rs
+++ b/openssl-sys/src/ssl.rs
@@ -105,85 +105,6 @@ pub struct SRTP_PROTECTION_PROFILE { stack!(stack_st_SRTP_PROTECTION_PROFILE); -#[cfg(ossl111)] -pub const SSL_EXT_TLS_ONLY: c_uint = 0x0001; -/* This extension is only allowed in DTLS */ -#[cfg(ossl111)] -pub const SSL_EXT_DTLS_ONLY: c_uint = 0x0002; -/* Some extensions may be allowed in DTLS but we don't implement them for it */ -#[cfg(ossl111)] -pub const SSL_EXT_TLS_IMPLEMENTATION_ONLY: c_uint = 0x0004; -/* Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is */ -#[cfg(ossl111)] -pub const SSL_EXT_SSL3_ALLOWED: c_uint = 0x0008; -/* Extension is only defined for TLS1.2 and below */ -#[cfg(ossl111)] -pub const SSL_EXT_TLS1_2_AND_BELOW_ONLY: c_uint = 0x0010; -/* Extension is only defined for TLS1.3 and above */ -#[cfg(ossl111)] -pub const SSL_EXT_TLS1_3_ONLY: c_uint = 0x0020; -/* Ignore this extension during parsing if we are resuming */ -#[cfg(ossl111)] -pub const SSL_EXT_IGNORE_ON_RESUMPTION: c_uint = 0x0040; -#[cfg(ossl111)] -pub const SSL_EXT_CLIENT_HELLO: c_uint = 0x0080; -/* Really means TLS1.2 or below */ -#[cfg(ossl111)] -pub const SSL_EXT_TLS1_2_SERVER_HELLO: c_uint = 0x0100; -#[cfg(ossl111)] -pub const SSL_EXT_TLS1_3_SERVER_HELLO: c_uint = 0x0200; -#[cfg(ossl111)] -pub const SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS: c_uint = 0x0400; -#[cfg(ossl111)] -pub const SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST: c_uint = 0x0800; -#[cfg(ossl111)] -pub const SSL_EXT_TLS1_3_CERTIFICATE: c_uint = 0x1000; -#[cfg(ossl111)] -pub const SSL_EXT_TLS1_3_NEW_SESSION_TICKET: c_uint = 0x2000; -#[cfg(ossl111)] -pub const SSL_EXT_TLS1_3_CERTIFICATE_REQUEST: c_uint = 0x4000; - -#[cfg(ossl111)] -pub type SSL_custom_ext_add_cb_ex = Option< - unsafe extern "C" fn( - ssl: *mut ::SSL, - ext_type: c_uint, - context: c_uint, - out: *mut *const c_uchar, - outlen: *mut size_t, - x: *mut ::X509, - chainidx: size_t, - al: *mut c_int, - add_arg: *mut c_void, - ) -> c_int, ->; - -#[cfg(ossl111)] -pub type SSL_custom_ext_free_cb_ex = Option< - unsafe extern "C" fn( - 
ssl: *mut ::SSL, - ext_type: c_uint, - context: c_uint, - out: *mut *const c_uchar, - add_arg: *mut c_void, - ), ->; - -#[cfg(ossl111)] -pub type SSL_custom_ext_parse_cb_ex = Option< - unsafe extern "C" fn( - ssl: *mut ::SSL, - ext_type: c_uint, - context: c_uint, - input: *const c_uchar, - inlen: size_t, - x: *mut ::X509, - chainidx: size_t, - al: *mut c_int, - parse_arg: *mut c_void, - ) -> c_int, ->; - pub const SSL_OP_LEGACY_SERVER_CONNECT: c_uint = 0x00000004; pub const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS: c_uint = 0x00000800; @@ -202,9 +123,6 @@ cfg_if! { } } -#[cfg(ossl111)] -pub const SSL_OP_ENABLE_MIDDLEBOX_COMPAT: c_uint = 0x00100000; - pub const SSL_OP_CIPHER_SERVER_PREFERENCE: c_uint = 0x00400000; pub const SSL_OP_TLS_ROLLBACK_BUG: c_uint = 0x00800000; @@ -292,9 +210,6 @@ extern "C" { pub fn SSL_CTX_set_mode(ctx: *mut SSL_CTX, op: c_uint) -> c_uint; } -#[cfg(ossl111)] -pub const SSL_COOKIE_LENGTH: c_int = 4096; - extern "C" { pub fn SSL_CTX_get_options(ctx: *const SSL_CTX) -> c_uint; pub fn SSL_CTX_set_options(ctx: *mut SSL_CTX, op: c_uint) -> c_uint; @@ -348,18 +263,6 @@ cfg_if! { } extern "C" { - #[cfg(ossl111)] - pub fn SSL_CTX_set_stateless_cookie_verify_cb( - s: *mut SSL_CTX, - cb: Option< - unsafe extern "C" fn( - ssl: *mut SSL, - cookie: *const c_uchar, - cookie_len: size_t, - ) -> c_int, - >, - ); - pub fn SSL_CTX_set_next_protos_advertised_cb( ssl: *mut SSL_CTX, cb: extern "C" fn( 
@@ -448,23 +351,8 @@ extern "C" { ); } -#[cfg(ossl111)] -pub type SSL_CTX_keylog_cb_func = - Option; - extern "C" { - #[cfg(ossl111)] - pub fn SSL_CTX_set_keylog_callback(ctx: *mut SSL_CTX, cb: SSL_CTX_keylog_cb_func); - - #[cfg(ossl111)] - pub fn SSL_CTX_set_max_early_data(ctx: *mut SSL_CTX, max_early_data: u32) -> c_int; - #[cfg(ossl111)] - pub fn SSL_CTX_get_max_early_data(ctx: *const SSL_CTX) -> u32; - #[cfg(ossl111)] - pub fn SSL_set_max_early_data(ctx: *mut SSL, max_early_data: u32) -> c_int; - #[cfg(ossl111)] - pub fn SSL_get_max_early_data(ctx: *const SSL) -> u32; - + pub fn SSL_CTX_set_keylog_callback(ctx: *mut SSL_CTX, cb: Option); pub fn SSL_get_finished(s: *const SSL, buf: *mut c_void, count: size_t) -> size_t; pub fn SSL_get_peer_finished(s: *const SSL, buf: *mut c_void, count: size_t) -> size_t; @@ -488,8 +376,6 @@ pub const SSL_ERROR_WANT_READ: c_int = 2; pub const SSL_ERROR_WANT_WRITE: c_int = 3; pub const SSL_ERROR_WANT_X509_LOOKUP: c_int = 4; pub const SSL_ERROR_ZERO_RETURN: c_int = 6; -#[cfg(ossl111)] -pub const SSL_ERROR_WANT_CLIENT_HELLO_CB: c_int = 11; pub const SSL_VERIFY_NONE: c_int = 0; pub const SSL_VERIFY_PEER: c_int = 1; pub const SSL_VERIFY_FAIL_IF_NO_PEER_CERT: c_int = 2; @@ -499,8 +385,6 @@ pub const SSL_CTRL_GET_SESSION_REUSED: c_int = 8; pub const SSL_CTRL_OPTIONS: c_int = 32; #[cfg(any(libressl, all(ossl101, not(ossl110))))] pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77; -#[cfg(ossl111)] -pub const SSL_CTRL_SET_GROUPS_LIST: c_int = 92; #[cfg(any(libressl, all(ossl102, not(ossl110))))] pub const SSL_CTRL_SET_ECDH_AUTO: c_int = 94; 
@@ -546,18 +430,13 @@ cfg_if! { } } extern "C" { - #[cfg(ossl111)] - pub fn SSL_CIPHER_get_handshake_digest(cipher: *const ::SSL_CIPHER) -> *const ::EVP_MD; pub fn SSL_CIPHER_get_name(cipher: *const SSL_CIPHER) -> *const c_char; - #[cfg(ossl111)] pub fn SSL_CIPHER_standard_name(cipher: *const SSL_CIPHER) -> *const c_char; pub fn SSL_pending(ssl: *const SSL) -> c_int; pub fn SSL_set_bio(ssl: *mut SSL, rbio: *mut BIO, wbio: *mut BIO); pub fn SSL_get_rbio(ssl: *const SSL) -> *mut BIO; pub fn SSL_get_wbio(ssl: *const SSL) -> *mut BIO; - #[cfg(ossl111)] - pub fn SSL_set_ciphersuites(ssl: *mut ::SSL, str: *const c_char) -> c_int; pub fn SSL_set_verify( ssl: *mut SSL, mode: c_int, @@ -593,11 +472,6 @@ extern "C" { #[cfg(ossl110)] pub fn SSL_SESSION_get_protocol_version(s: *const SSL_SESSION) -> u16; - #[cfg(ossl111)] - pub fn SSL_SESSION_set_max_early_data(ctx: *mut SSL_SESSION, max_early_data: u32) -> c_int; - #[cfg(ossl111)] - pub fn SSL_SESSION_get_max_early_data(ctx: *const SSL_SESSION) -> u32; - pub fn SSL_SESSION_get_id(s: *const SSL_SESSION, len: *mut c_uint) -> *const c_uchar; #[cfg(any(ossl110, libressl273))] pub fn SSL_SESSION_up_ref(ses: *mut SSL_SESSION) -> c_int; 
@@ -637,62 +511,15 @@ extern "C" { pub fn SSL_get0_param(ssl: *mut SSL) -> *mut X509_VERIFY_PARAM; } -#[cfg(ossl111)] -pub const SSL_CLIENT_HELLO_SUCCESS: c_int = 1; -#[cfg(ossl111)] -pub const SSL_CLIENT_HELLO_ERROR: c_int = 0; -#[cfg(ossl111)] -pub const SSL_CLIENT_HELLO_RETRY: c_int = -1; - -#[cfg(ossl111)] -pub type SSL_client_hello_cb_fn = - Option c_int>; extern "C" { - #[cfg(ossl111)] - pub fn SSL_client_hello_get1_extensions_present( - s: *mut SSL, - out: *mut *mut c_int, - outlen: *mut size_t, - ) -> c_int; - #[cfg(ossl111)] - pub fn SSL_client_hello_get0_ext( - s: *mut SSL, - type_: c_uint, - out: *mut *const c_uchar, - outlen: *mut size_t, - ) -> c_int; - pub fn SSL_free(ssl: *mut SSL); pub fn SSL_accept(ssl: *mut SSL) -> c_int; - #[cfg(ossl111)] - pub fn SSL_stateless(s: *mut SSL) -> c_int; pub fn SSL_connect(ssl: *mut SSL) -> c_int; pub fn SSL_read(ssl: *mut SSL, buf: *mut c_void, num: c_int) -> c_int; - #[cfg(ossl111)] - pub fn SSL_read_early_data( - s: *mut ::SSL, - buf: *mut c_void, - num: size_t, - readbytes: *mut size_t, - ) -> c_int; } -#[cfg(ossl111)] -pub const SSL_READ_EARLY_DATA_ERROR: c_int = 0; -#[cfg(ossl111)] -pub const SSL_READ_EARLY_DATA_SUCCESS: c_int = 1; -#[cfg(ossl111)] -pub const SSL_READ_EARLY_DATA_FINISH: c_int = 2; - extern "C" { pub fn SSL_write(ssl: *mut SSL, buf: *const c_void, num: c_int) -> c_int; - #[cfg(ossl111)] - pub fn SSL_write_early_data( - s: *mut SSL, - buf: *const c_void, - num: size_t, - written: *mut size_t, - ) -> c_int; } cfg_if! { @@ -868,10 +695,6 @@ extern "C" { cfg_if! { if #[cfg(osslconf = "OPENSSL_NO_COMP")] { - } else if #[cfg(ossl111b)] { - extern "C" { - pub fn SSL_get_current_compression(ssl: *const SSL) -> *const COMP_METHOD; - } } else { extern "C" { pub fn SSL_get_current_compression(ssl: *mut SSL) -> *const COMP_METHOD; 
@@ -911,8 +734,6 @@ cfg_if! { #[cfg(ossl110)] pub const OPENSSL_INIT_LOAD_SSL_STRINGS: u64 = 0x00200000; -#[cfg(ossl111b)] -pub const OPENSSL_INIT_NO_ATEXIT: u64 = 0x00080000; extern "C" { #[cfg(ossl110)] diff --git a/openssl-sys/src/tls1.rs b/openssl-sys/src/tls1.rs index 529b3dc0..29a596d3 100644 --- a/openssl-sys/src/tls1.rs +++ b/openssl-sys/src/tls1.rs @@ -29,17 +29,6 @@ extern "C" { use_context: c_int, ) -> c_int; - #[cfg(ossl111)] - pub fn SSL_export_keying_material_early( - s: *mut ::SSL, - out: *mut c_uchar, - olen: size_t, - label: *const c_char, - llen: size_t, - context: *const c_uchar, - contextlen: size_t, - ) -> c_int; - pub fn SSL_set_tlsext_host_name(s: *mut SSL, name: *const c_char) -> c_int; pub fn SSL_set_tlsext_status_type(s: *mut SSL, type_: c_int) -> c_int; pub fn SSL_get_tlsext_status_ocsp_resp(ssl: *const SSL, resp: *mut *const c_uchar) -> size_t; diff --git a/openssl/build.rs b/openssl/build.rs index 91984ce6..4efd86e0 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -8,7 +8,6 @@ fn main() { cfgs.push("ossl110"); cfgs.push("ossl110f"); cfgs.push("ossl110g"); - cfgs.push("ossl111"); for cfg in cfgs { println!("cargo:rustc-cfg={}", cfg); diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 9534a5b1..19c794a7 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -218,7 +218,6 @@ impl Hasher { /// Writes the hash of the data into the supplied buf and resets the XOF hasher. /// The hash will be as long as the buf. - #[cfg(ossl111)] pub fn finish_xof(&mut self, buf: &mut [u8]) -> Result<(), ErrorStack> { if self.state == Finalized { self.init()?; @@ -330,7 +329,6 @@ pub fn hash(t: MessageDigest, data: &[u8]) -> Result { } /// Computes the hash of the `data` with the XOF hasher `t` and stores it in `buf`. -#[cfg(ossl111)] pub fn hash_xof(t: MessageDigest, data: &[u8], buf: &mut [u8]) -> Result<(), ErrorStack> { let mut h = Hasher::new(t)?; h.update(data)?; 
diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 97ab35a9..6a6f0804 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -80,14 +80,9 @@ impl Id { pub const DSA: Id = Id(ffi::EVP_PKEY_DSA); pub const DH: Id = Id(ffi::EVP_PKEY_DH); pub const EC: Id = Id(ffi::EVP_PKEY_EC); - - #[cfg(ossl111)] pub const ED25519: Id = Id(ffi::EVP_PKEY_ED25519); - #[cfg(ossl111)] pub const ED448: Id = Id(ffi::EVP_PKEY_ED448); - #[cfg(ossl111)] pub const X25519: Id = Id(ffi::EVP_PKEY_X25519); - #[cfg(ossl111)] pub const X448: Id = Id(ffi::EVP_PKEY_X448); /// Creates a `Id` from an integer representation. @@ -295,9 +290,7 @@ impl fmt::Debug for PKey { Id::DSA => "DSA", Id::DH => "DH", Id::EC => "EC", - #[cfg(ossl111)] Id::ED25519 => "Ed25519", - #[cfg(ossl111)] Id::ED448 => "Ed448", _ => "unknown", }; diff --git a/openssl/src/rand.rs b/openssl/src/rand.rs index 9c2bdfe8..f039838e 100644 --- a/openssl/src/rand.rs +++ b/openssl/src/rand.rs @@ -40,20 +40,6 @@ pub fn rand_bytes(buf: &mut [u8]) -> Result<(), ErrorStack> { } } -/// Controls random device file descriptor behavior. -/// -/// Requires OpenSSL 1.1.1 or newer. -/// -/// This corresponds to [`RAND_keep_random_devices_open`]. -/// -/// [`RAND_keep_random_devices_open`]: https://www.openssl.org/docs/manmaster/man3/RAND_keep_random_devices_open.html -#[cfg(ossl111)] -pub fn keep_random_devices_open(keep: bool) { - unsafe { - ffi::RAND_keep_random_devices_open(keep as c_int); - } -} - #[cfg(test)] mod tests { use super::rand_bytes; diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 31c67d6d..3976d4ae 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -257,20 +257,6 @@ impl<'a> Signer<'a> { self.len_intern() } - #[cfg(not(ossl111))] - fn len_intern(&self) -> Result { - unsafe { - let mut len = 0; - cvt(ffi::EVP_DigestSignFinal( - self.md_ctx, - ptr::null_mut(), - &mut len, - ))?; - Ok(len) - } - } - - #[cfg(ossl111)] fn len_intern(&self) -> Result { unsafe { let mut len = 0; 
@@ -327,7 +313,6 @@ impl<'a> Signer<'a> { /// OpenSSL documentation at [`EVP_DigestSign`]. /// /// [`EVP_DigestSign`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestSign.html - #[cfg(ossl111)] pub fn sign_oneshot( &mut self, sig_buf: &mut [u8], @@ -349,7 +334,6 @@ impl<'a> Signer<'a> { /// Returns the signature. /// /// This is a simple convenience wrapper over `len` and `sign_oneshot`. - #[cfg(ossl111)] pub fn sign_oneshot_to_vec(&mut self, data_buf: &[u8]) -> Result, ErrorStack> { let mut sig_buf = vec![0; self.len()?]; let len = self.sign_oneshot(&mut sig_buf, data_buf)?; @@ -561,7 +545,6 @@ impl<'a> Verifier<'a> { /// OpenSSL documentation at [`EVP_DigestVerify`]. /// /// [`EVP_DigestVerify`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestVerify.html - #[cfg(ossl111)] pub fn verify_oneshot(&mut self, signature: &[u8], buf: &[u8]) -> Result { unsafe { let r = ffi::EVP_DigestVerify( @@ -687,7 +670,6 @@ mod test { } #[test] - #[cfg(ossl111)] fn rsa_sign_verify() { let key = include_bytes!("../test/rsa.pem"); let private_key = Rsa::private_key_from_pem(key).unwrap(); diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index b96832c4..ff0a8ebd 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs @@ -1,17 +1,12 @@ use ffi; use foreign_types::ForeignType; use foreign_types::ForeignTypeRef; -#[cfg(any(ossl111, not(osslconf = "OPENSSL_NO_PSK")))] use libc::c_char; -#[cfg(ossl111)] -use libc::size_t; use libc::{c_int, c_uchar, c_uint, c_void}; -#[cfg(any(ossl111, not(osslconf = "OPENSSL_NO_PSK")))] use std::ffi::CStr; use std::mem; use std::ptr; use std::slice; -#[cfg(ossl111)] use std::str; use std::sync::Arc; @@ -359,7 +354,6 @@ where } } -#[cfg(ossl111)] pub unsafe extern "C" fn raw_keylog(ssl: *const ffi::SSL, line: *const c_char) where F: Fn(&SslRef, &str) + 'static + Sync + Send, 
@@ -373,22 +367,4 @@ where let line = str::from_utf8_unchecked(line); callback(ssl, line); -} - -#[cfg(ossl111)] -pub unsafe extern "C" fn raw_stateless_cookie_verify( - ssl: *mut ffi::SSL, - cookie: *const c_uchar, - cookie_len: size_t, -) -> c_int -where - F: Fn(&mut SslRef, &[u8]) -> bool + 'static + Sync + Send, -{ - let ssl = SslRef::from_ptr_mut(ssl); - let callback = ssl - .ssl_context() - .ex_data(SslContext::cached_ex_index::()) - .expect("BUG: stateless cookie verify callback missing") as *const F; - let slice = slice::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len as usize); - (*callback)(ssl, slice) as c_int } \ No newline at end of file diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index af73cfcb..6edc6fd1 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -241,7 +241,6 @@ impl SslAcceptor { pub fn mozilla_intermediate(method: SslMethod) -> Result { let mut ctx = ctx(method)?; ctx.set_options(SslOptions::CIPHER_SERVER_PREFERENCE); - #[cfg(ossl111)] ctx.set_options(SslOptions::NO_TLSV1_3); let dh = Dh::params_from_pem(FFDHE_2048.as_bytes())?; ctx.set_tmp_dh(&dh)?; @@ -271,7 +270,6 @@ impl SslAcceptor { ctx.set_options( SslOptions::CIPHER_SERVER_PREFERENCE | SslOptions::NO_TLSV1 | SslOptions::NO_TLSV1_1, ); - #[cfg(ossl111)] ctx.set_options(SslOptions::NO_TLSV1_3); setup_curves(&mut ctx)?; ctx.set_cipher_list( diff --git a/openssl/src/ssl/error.rs b/openssl/src/ssl/error.rs index e397efde..91bdbb4e 100644 --- a/openssl/src/ssl/error.rs +++ b/openssl/src/ssl/error.rs 
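Review bot: `ctx.set_options(SslOptions::NO_TLSV1_3)` in both `mozilla_intermediate` and `mozilla_intermediate_v5` is now compiled for every target, but the `NO_TLSV1_3` flag itself is not touched by this diff; if it is still declared under `#[cfg(ossl111)]` in ssl/mod.rs, both constructors stop compiling as soon as that cfg is absent, which the build.rs change makes permanent. The same question applies to `SslVersion::TLS1_3` (`ffi::TLS1_3_VERSION`) in the later ssl/mod.rs hunk. Either ungate those definitions in the same commit or keep the call sites behind `#[cfg(ossl111)]`. Both constructors continue outside their hunks.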
@@ -33,12 +33,6 @@ impl ErrorCode { /// An error occurred in the SSL library. pub const SSL: ErrorCode = ErrorCode(ffi::SSL_ERROR_SSL); - /// The client hello callback indicated that it needed to be retried. - /// - /// Requires OpenSSL 1.1.1 or newer. - #[cfg(ossl111)] - pub const WANT_CLIENT_HELLO_CB: ErrorCode = ErrorCode(ffi::SSL_ERROR_WANT_CLIENT_HELLO_CB); - pub fn from_raw(raw: c_int) -> ErrorCode { ErrorCode(raw) } diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 99071b72..59032a0c 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -84,8 +84,6 @@ use ec::EcKey; use ec::EcKeyRef; use error::ErrorStack; use ex_data::Index; -#[cfg(ossl111)] -use hash::MessageDigest; #[cfg(ossl110)] use nid::Nid; use pkey::{HasPrivate, PKeyRef, Params, Private}; @@ -196,13 +194,6 @@ bitflags! { /// Requires OpenSSL 1.1.0h or newer. #[cfg(ossl110h)] const NO_RENEGOTIATION = ffi::SSL_OP_NO_RENEGOTIATION; - - /// Enable TLSv1.3 Compatibility mode. - /// - /// Requires OpenSSL 1.1.1 or newer. This is on by default in 1.1.1, but a future version - /// may have this disabled by default. - #[cfg(ossl111)] - const ENABLE_MIDDLEBOX_COMPAT = ffi::SSL_OP_ENABLE_MIDDLEBOX_COMPAT; } } 
@@ -369,36 +360,6 @@ bitflags! { } } -#[cfg(ossl111)] -bitflags! { - /// Which messages and under which conditions an extension should be added or expected. - pub struct ExtensionContext: c_uint { - /// This extension is only allowed in TLS - const TLS_ONLY = ffi::SSL_EXT_TLS_ONLY; - /// This extension is only allowed in DTLS - const DTLS_ONLY = ffi::SSL_EXT_DTLS_ONLY; - /// Some extensions may be allowed in DTLS but we don't implement them for it - const TLS_IMPLEMENTATION_ONLY = ffi::SSL_EXT_TLS_IMPLEMENTATION_ONLY; - /// Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is - const SSL3_ALLOWED = ffi::SSL_EXT_SSL3_ALLOWED; - /// Extension is only defined for TLS1.2 and below - const TLS1_2_AND_BELOW_ONLY = ffi::SSL_EXT_TLS1_2_AND_BELOW_ONLY; - /// Extension is only defined for TLS1.3 and above - const TLS1_3_ONLY = ffi::SSL_EXT_TLS1_3_ONLY; - /// Ignore this extension during parsing if we are resuming - const IGNORE_ON_RESUMPTION = ffi::SSL_EXT_IGNORE_ON_RESUMPTION; - const CLIENT_HELLO = ffi::SSL_EXT_CLIENT_HELLO; - /// Really means TLS1.2 or below - const TLS1_2_SERVER_HELLO = ffi::SSL_EXT_TLS1_2_SERVER_HELLO; - const TLS1_3_SERVER_HELLO = ffi::SSL_EXT_TLS1_3_SERVER_HELLO; - const TLS1_3_ENCRYPTED_EXTENSIONS = ffi::SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS; - const TLS1_3_HELLO_RETRY_REQUEST = ffi::SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST; - const TLS1_3_CERTIFICATE = ffi::SSL_EXT_TLS1_3_CERTIFICATE; - const TLS1_3_NEW_SESSION_TICKET = ffi::SSL_EXT_TLS1_3_NEW_SESSION_TICKET; - const TLS1_3_CERTIFICATE_REQUEST = ffi::SSL_EXT_TLS1_3_CERTIFICATE_REQUEST; - } -} - /// An identifier of the format of a certificate or key file. #[derive(Copy, Clone)] pub struct SslFiletype(c_int); 
@@ -529,22 +490,6 @@ impl AlpnError { pub const NOACK: AlpnError = AlpnError(ffi::SSL_TLSEXT_ERR_NOACK); } -/// The result of a client hello callback. -/// -/// Requires OpenSSL 1.1.1 or newer. -#[cfg(ossl111)] -#[derive(Debug, Copy, Clone, PartialEq, Eq)] -pub struct ClientHelloResponse(c_int); - -#[cfg(ossl111)] -impl ClientHelloResponse { - /// Continue the handshake. - pub const SUCCESS: ClientHelloResponse = ClientHelloResponse(ffi::SSL_CLIENT_HELLO_SUCCESS); - - /// Return from the handshake with an `ErrorCode::WANT_CLIENT_HELLO_CB` error. - pub const RETRY: ClientHelloResponse = ClientHelloResponse(ffi::SSL_CLIENT_HELLO_RETRY); -} - /// An SSL/TLS protocol version. #[derive(Debug, Copy, Clone, PartialEq, Eq)] pub struct SslVersion(u16); @@ -563,9 +508,6 @@ impl SslVersion { pub const TLS1_2: SslVersion = SslVersion(ffi::TLS1_2_VERSION); /// TLSv1.3 - /// - /// Requires OpenSSL 1.1.1 or newer. - #[cfg(ossl111)] pub const TLS1_3: SslVersion = SslVersion(ffi::TLS1_3_VERSION); } @@ -1419,7 +1361,6 @@ impl SslContextBuilder { /// This corresponds to [`SSL_CTX_set_keylog_callback`]. /// /// [`SSL_CTX_set_keylog_callback`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_keylog_callback.html - #[cfg(ossl111)] pub fn set_keylog_callback(&mut self, callback: F) where F: Fn(&SslRef, &str) + 'static + Sync + Send, 
@@ -1444,30 +1385,6 @@ impl SslContextBuilder { } } - /// Sets the callback for verifying an application cookie for TLS1.3 - /// stateless handshakes. - /// - /// The callback will be called with the SSL context and the cookie supplied by the - /// client. It should return true if and only if the cookie is valid. - /// - /// Note that the OpenSSL implementation independently verifies the integrity of - /// application cookies using an HMAC before invoking the supplied callback. - /// - /// This corresponds to `SSL_CTX_set_stateless_cookie_verify_cb`. - #[cfg(ossl111)] - pub fn set_stateless_cookie_verify_cb(&mut self, callback: F) - where - F: Fn(&mut SslRef, &[u8]) -> bool + 'static + Sync + Send, - { - unsafe { - self.set_ex_data(SslContext::cached_ex_index::(), callback); - ffi::SSL_CTX_set_stateless_cookie_verify_cb( - self.as_ptr(), - Some(raw_stateless_cookie_verify::), - ) - } - } - /// Sets the extra data at the specified index. /// /// This can be used to provide data to callbacks registered with the context. Use the @@ -1488,24 +1405,6 @@ impl SslContextBuilder { } } - /// Sets the maximum amount of early data that will be accepted on incoming connections. - /// - /// Defaults to 0. - /// - /// Requires OpenSSL 1.1.1 or newer. - /// - /// This corresponds to [`SSL_CTX_set_max_early_data`]. - /// - /// [`SSL_CTX_set_max_early_data`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_max_early_data.html - #[cfg(ossl111)] - pub fn set_max_early_data(&mut self, bytes: u32) -> Result<(), ErrorStack> { - if unsafe { ffi::SSL_CTX_set_max_early_data(self.as_ptr(), bytes) } == 1 { - Ok(()) - } else { - Err(ErrorStack::get()) - } - } - /// Sets the context's session cache size limit, returning the previous limit. /// /// A value of 0 means that the cache size is unbounded. 
@@ -1689,18 +1588,6 @@ impl SslContextRef { } } - /// Gets the maximum amount of early data that will be accepted on incoming connections. - /// - /// Requires OpenSSL 1.1.1 or newer. - /// - /// This corresponds to [`SSL_CTX_get_max_early_data`]. - /// - /// [`SSL_CTX_get_max_early_data`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_get_max_early_data.html - #[cfg(ossl111)] - pub fn max_early_data(&self) -> u32 { - unsafe { ffi::SSL_CTX_get_max_early_data(self.as_ptr()) } - } - /// Adds a session to the context's cache. /// /// Returns `true` if the session was successfully added to the cache, and `false` if it was already present. @@ -1827,7 +1714,6 @@ impl SslCipherRef { /// This corresponds to [`SSL_CIPHER_standard_name`]. /// /// [`SSL_CIPHER_standard_name`]: https://www.openssl.org/docs/manmaster/man3/SSL_CIPHER_get_name.html - #[cfg(ossl111)] pub fn standard_name(&self) -> Option<&'static str> { unsafe { let ptr = ffi::SSL_CIPHER_standard_name(self.as_ptr()); @@ -1884,25 +1770,6 @@ impl SslCipherRef { } } - /// Returns the handshake digest of the cipher. - /// - /// Requires OpenSSL 1.1.1 or newer. - /// - /// This corresponds to [`SSL_CIPHER_get_handshake_digest`]. - /// - /// [`SSL_CIPHER_get_handshake_digest`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_CIPHER_get_handshake_digest.html - #[cfg(ossl111)] - pub fn handshake_digest(&self) -> Option { - unsafe { - let ptr = ffi::SSL_CIPHER_get_handshake_digest(self.as_ptr()); - if ptr.is_null() { - None - } else { - Some(MessageDigest::from_ptr(ptr)) - } - } - } - /// Returns the NID corresponding to the cipher. /// /// Requires OpenSSL 1.1.0 or newer. 
@@ -2001,18 +1868,6 @@ impl SslSessionRef { unsafe { SSL_SESSION_get_master_key(self.as_ptr(), buf.as_mut_ptr(), buf.len()) } } - /// Gets the maximum amount of early data that can be sent on this session. - /// - /// Requires OpenSSL 1.1.1 or newer. - /// - /// This corresponds to [`SSL_SESSION_get_max_early_data`]. - /// - /// [`SSL_SESSION_get_max_early_data`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_SESSION_get_max_early_data.html - #[cfg(ossl111)] - pub fn max_early_data(&self) -> u32 { - unsafe { ffi::SSL_SESSION_get_max_early_data(self.as_ptr()) } - } - /// Returns the time at which the session was established, in seconds since the Unix epoch. /// /// This corresponds to [`SSL_SESSION_get_time`]. @@ -2735,37 +2590,6 @@ impl SslRef { } } - /// Derives keying material for application use in accordance to RFC 5705. - /// - /// This function is only usable with TLSv1.3, wherein there is no distinction between an empty context and no - /// context. Therefore, unlike `export_keying_material`, `context` must always be supplied. - /// - /// Requires OpenSSL 1.1.1 or newer. - /// - /// This corresponds to [`SSL_export_keying_material_early`]. - /// - /// [`SSL_export_keying_material_early`]: https://www.openssl.org/docs/manmaster/man3/SSL_export_keying_material_early.html - #[cfg(ossl111)] - pub fn export_keying_material_early( - &self, - out: &mut [u8], - label: &str, - context: &[u8], - ) -> Result<(), ErrorStack> { - unsafe { - cvt(ffi::SSL_export_keying_material_early( - self.as_ptr(), - out.as_mut_ptr() as *mut c_uchar, - out.len(), - label.as_ptr() as *const c_char, - label.len(), - context.as_ptr() as *const c_uchar, - context.len(), - )) - .map(|_| ()) - } - } - /// Sets the session to be used. /// /// This should be called before the handshake to attempt to reuse a previously established 
@@ -2901,34 +2725,6 @@ impl SslRef { } } - /// Sets the maximum amount of early data that will be accepted on this connection. - /// - /// Requires OpenSSL 1.1.1 or newer. - /// - /// This corresponds to [`SSL_set_max_early_data`]. - /// - /// [`SSL_set_max_early_data`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_set_max_early_data.html - #[cfg(ossl111)] - pub fn set_max_early_data(&mut self, bytes: u32) -> Result<(), ErrorStack> { - if unsafe { ffi::SSL_set_max_early_data(self.as_ptr(), bytes) } == 1 { - Ok(()) - } else { - Err(ErrorStack::get()) - } - } - - /// Gets the maximum amount of early data that can be sent on this connection. - /// - /// Requires OpenSSL 1.1.1 or newer. - /// - /// This corresponds to [`SSL_get_max_early_data`]. - /// - /// [`SSL_get_max_early_data`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_get_max_early_data.html - #[cfg(ossl111)] - pub fn max_early_data(&self) -> u32 { - unsafe { ffi::SSL_get_max_early_data(self.as_ptr()) } - } - /// Copies the contents of the last Finished message sent to the peer into the provided buffer. /// /// The total size of the message is returned, so this can be used to determine the size of the 
@@ -3292,30 +3088,6 @@ where } } - /// Perform a stateless server-side handshake - /// - /// Requires that cookie generation and verification callbacks were - /// set on the SSL context. - /// - /// Returns `Ok(true)` if a complete ClientHello containing a valid cookie - /// was read, in which case the handshake should be continued via - /// `accept`. If a HelloRetryRequest containing a fresh cookie was - /// transmitted, `Ok(false)` is returned instead. If the handshake cannot - /// proceed at all, `Err` is returned. - /// - /// This corresponds to [`SSL_stateless`] - /// - /// [`SSL_stateless`]: https://www.openssl.org/docs/manmaster/man3/SSL_stateless.html - #[cfg(ossl111)] - pub fn stateless(&mut self) -> Result { - match unsafe { ffi::SSL_stateless(self.inner.ssl.as_ptr()) } { - 1 => Ok(true), - 0 => Ok(false), - -1 => Err(ErrorStack::get()), - _ => unreachable!(), - } - } - /// Configure as an outgoing stream from a client. /// /// This corresponds to [`SSL_set_connect_state`]. 
@@ -3408,66 +3180,6 @@ where } } } - - /// Read application data transmitted by a client before handshake - /// completion. - /// - /// Useful for reducing latency, but vulnerable to replay attacks. Call - /// `set_accept_state` first. - /// - /// Returns `Ok(0)` if all early data has been read. - /// - /// Requires OpenSSL 1.1.1 or newer. - /// - /// This corresponds to [`SSL_read_early_data`]. - /// - /// [`SSL_read_early_data`]: https://www.openssl.org/docs/manmaster/man3/SSL_read_early_data.html - #[cfg(ossl111)] - pub fn read_early_data(&mut self, buf: &mut [u8]) -> Result { - let mut read = 0; - let ret = unsafe { - ffi::SSL_read_early_data( - self.inner.ssl.as_ptr(), - buf.as_ptr() as *mut c_void, - buf.len(), - &mut read, - ) - }; - match ret { - ffi::SSL_READ_EARLY_DATA_ERROR => Err(self.inner.make_error(ret)), - ffi::SSL_READ_EARLY_DATA_SUCCESS => Ok(read), - ffi::SSL_READ_EARLY_DATA_FINISH => Ok(0), - _ => unreachable!(), - } - } - - /// Send data to the server without blocking on handshake completion. - /// - /// Useful for reducing latency, but vulnerable to replay attacks. Call - /// `set_connect_state` first. - /// - /// Requires OpenSSL 1.1.1 or newer. - /// - /// This corresponds to [`SSL_write_early_data`]. - /// - /// [`SSL_write_early_data`]: https://www.openssl.org/docs/manmaster/man3/SSL_write_early_data.html - #[cfg(ossl111)] - pub fn write_early_data(&mut self, buf: &[u8]) -> Result { - let mut written = 0; - let ret = unsafe { - ffi::SSL_write_early_data( - self.inner.ssl.as_ptr(), - buf.as_ptr() as *const c_void, - buf.len(), - &mut written, - ) - }; - if ret > 0 { - Ok(written as usize) - } else { - Err(self.inner.make_error(ret)) - } - } } impl SslStreamBuilder { diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index e2e8c9a6..ba550d3a 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs 
@@ -23,10 +23,7 @@ use pkey::PKey; use srtp::SrtpProfileId; use ssl; use ssl::test::server::Server; -#[cfg(any(ossl110, ossl111, libressl261))] use ssl::SslVersion; -#[cfg(ossl111)] -use ssl::{ClientHelloResponse, ExtensionContext}; use ssl::{ Error, HandshakeError, MidHandshakeSslStream, ShutdownResult, ShutdownState, Ssl, SslAcceptor, SslAcceptorBuilder, SslConnector, SslContext, SslContextBuilder, SslFiletype, SslMethod, @@ -793,7 +790,6 @@ fn connector_client_server_mozilla_intermediate_v5() { test_mozilla_server(SslAcceptor::mozilla_intermediate_v5); } - #[test] fn shutdown() { let mut server = Server::builder(); @@ -907,7 +903,6 @@ fn active_session() { assert_eq!(copied, len); } - #[test] fn new_session_callback() { static CALLED_BACK: AtomicBool = AtomicBool::new(false);
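Review bot: `fn shutdown()` loses its `#[test]` attribute in the hunk at 793, which has nothing to do with `ossl111` and silently stops that test from running; the same appears to happen to `new_session_callback` in the final hunk, though that hunk is cut off at the end of the page. Restore `#[test]` on both functions, or say in the commit message why they are being disabled. The `use ssl::SslVersion;` import in the first hunk also loses its `#[cfg(any(ossl110, ossl111, libressl261))]` gate, so builds in which no remaining test references `SslVersion` will presumably emit an unused-import warning; keeping `#[cfg(any(ossl110, libressl261))]` on it would avoid that.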