Remove ossl111 feature gate

Ivan Nikulin 2020-11-11 13:09:33 +00:00
parent 8e54554cf8
commit 96d14f9e4b
17 changed files with 40 additions and 621 deletions


@ -194,7 +194,6 @@ fn main() {
cfgs.push("ossl110");
cfgs.push("ossl110f");
cfgs.push("ossl110g");
cfgs.push("ossl111");
for cfg in cfgs {
println!("cargo:rustc-cfg={}", cfg);


@ -7,13 +7,9 @@ pub const EVP_PKEY_RSA: c_int = NID_rsaEncryption;
pub const EVP_PKEY_DSA: c_int = NID_dsa;
pub const EVP_PKEY_DH: c_int = NID_dhKeyAgreement;
pub const EVP_PKEY_EC: c_int = NID_X9_62_id_ecPublicKey;
#[cfg(ossl111)]
pub const EVP_PKEY_X25519: c_int = NID_X25519;
#[cfg(ossl111)]
pub const EVP_PKEY_ED25519: c_int = NID_ED25519;
#[cfg(ossl111)]
pub const EVP_PKEY_X448: c_int = NID_X448;
#[cfg(ossl111)]
pub const EVP_PKEY_ED448: c_int = NID_ED448;
pub const EVP_CTRL_GCM_SET_IVLEN: c_int = 0x9;
@ -54,7 +50,6 @@ extern "C" {
pub fn EVP_DigestFinal_ex(ctx: *mut EVP_MD_CTX, res: *mut u8, n: *mut u32) -> c_int;
pub fn EVP_DigestInit(ctx: *mut EVP_MD_CTX, typ: *const EVP_MD) -> c_int;
pub fn EVP_DigestFinal(ctx: *mut EVP_MD_CTX, res: *mut u8, n: *mut u32) -> c_int;
#[cfg(ossl111)]
pub fn EVP_DigestFinalXOF(ctx: *mut EVP_MD_CTX, res: *mut u8, len: usize) -> c_int;
pub fn EVP_BytesToKey(
@ -155,15 +150,13 @@ extern "C" {
pub fn EVP_PKEY_size(pkey: *const EVP_PKEY) -> c_int;
}
cfg_if! {
if #[cfg(ossl111)] {
extern "C" {
extern "C" {
pub fn EVP_DigestSign(
ctx: *mut EVP_MD_CTX,
sigret: *mut c_uchar,
siglen: *mut size_t,
tbs: *const c_uchar,
tbslen: size_t
tbslen: size_t,
) -> c_int;
pub fn EVP_DigestVerify(
@ -171,11 +164,10 @@ cfg_if! {
sigret: *const c_uchar,
siglen: size_t,
tbs: *const c_uchar,
tbslen: size_t
tbslen: size_t,
) -> c_int;
}
}
}
cfg_if! {
if #[cfg(any(ossl102, libressl280))] {
extern "C" {
@ -348,9 +340,7 @@ extern "C" {
pub fn EVP_PKCS82PKEY(p8: *mut PKCS8_PRIV_KEY_INFO) -> *mut EVP_PKEY;
}
cfg_if! {
if #[cfg(any(ossl111))] {
extern "C" {
extern "C" {
pub fn EVP_PKEY_get_raw_public_key(
pkey: *const EVP_PKEY,
ppub: *mut c_uchar,
@ -373,8 +363,6 @@ cfg_if! {
key: *const c_uchar,
keylen: size_t,
) -> *mut EVP_PKEY;
}
}
}
extern "C" {
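Review bot: After the `cfg_if!` wrapper is dropped, the inner `extern "C" {` at L47 (and again at L76) opens a second block immediately after the `extern "C"` block that closes at L43 (L72); folding `EVP_DigestSign`/`EVP_DigestVerify` and the raw-key functions into that existing block reads better than two back-to-back blocks, and the trailing commas at L54/L62 are what rustfmt will want on the new side. `EVP_DigestFinalXOF` (L39) is also the one length parameter in this file spelled `len: usize` where L51/L82 use `size_t`; they alias to the same type, so this is consistency only, `len: size_t`. Which of the duplicated lines is old versus new is not marked in this rendering, so the L46/L47 reading is inferred.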


@ -95,10 +95,7 @@ pub fn init() {
// explicitly initialize to work around https://github.com/openssl/openssl/issues/3505
static INIT: Once = Once::new();
#[cfg(not(ossl111b))]
let init_options = OPENSSL_INIT_LOAD_SSL_STRINGS;
#[cfg(ossl111b)]
let init_options = OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_NO_ATEXIT;
INIT.call_once(|| unsafe {
OPENSSL_init_ssl(init_options, ptr::null_mut());
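Review bot: Which `let init_options` survives here (L95 or L97) is decided by `ossl111b`, and once the build script stops emitting a cfg name every predicate that still mentions it becomes silently false rather than a compile error, so a leftover `#[cfg(ossl111b)]` would quietly drop `OPENSSL_INIT_NO_ATEXIT` while `#[cfg(not(ossl111b))]` would quietly keep the other binding; this rendering does not mark which lines were removed, so grep the crate for `ossl111`/`ossl111b` after this change and leave exactly one unconditional `let init_options = …;`. While here, the result of `OPENSSL_init_ssl` (L99) is discarded; a failed library initialisation should not be silent, e.g. `assert_eq!(OPENSSL_init_ssl(init_options, ptr::null_mut()), 1, "OPENSSL_init_ssl failed");`. The `call_once` closure closes outside the hunk.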


@ -910,11 +910,7 @@ pub const NID_rc4_hmac_md5: c_int = 915;
pub const NID_aes_128_cbc_hmac_sha1: c_int = 916;
pub const NID_aes_192_cbc_hmac_sha1: c_int = 917;
pub const NID_aes_256_cbc_hmac_sha1: c_int = 918;
#[cfg(ossl111)]
pub const NID_X25519: c_int = 1034;
#[cfg(ossl111)]
pub const NID_X448: c_int = 1035;
#[cfg(ossl111)]
pub const NID_ED25519: c_int = 1087;
#[cfg(ossl111)]
pub const NID_ED448: c_int = 1088;
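Review bot: With the version gate gone, the numeric NIDs 1034/1035/1087/1088 (L108-L114) are compiled in unconditionally, and they are object-table indices of one specific library build; `EVP_PKEY_X25519`/`EVP_PKEY_ED25519` in evp.rs are defined from them, so if the linked library numbers its objects differently these constants select a different algorithm, or none, with no compile-time signal. Confirm each value against the target library's `obj_mac.h`/`nid.h` and record the source, e.g. `// NID values taken from <library> <version>; must match the linked library's object table`. Which library this crate now targets is not stated in the hunk, so treat this as something to verify rather than a known mismatch.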


@ -2,9 +2,5 @@ use libc::*;
extern "C" {
pub fn RAND_bytes(buf: *mut u8, num: size_t) -> c_int;
#[cfg(ossl111)]
pub fn RAND_keep_random_devices_open(keep: c_int);
pub fn RAND_status() -> c_int;
}


@ -105,85 +105,6 @@ pub struct SRTP_PROTECTION_PROFILE {
stack!(stack_st_SRTP_PROTECTION_PROFILE);
#[cfg(ossl111)]
pub const SSL_EXT_TLS_ONLY: c_uint = 0x0001;
/* This extension is only allowed in DTLS */
#[cfg(ossl111)]
pub const SSL_EXT_DTLS_ONLY: c_uint = 0x0002;
/* Some extensions may be allowed in DTLS but we don't implement them for it */
#[cfg(ossl111)]
pub const SSL_EXT_TLS_IMPLEMENTATION_ONLY: c_uint = 0x0004;
/* Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is */
#[cfg(ossl111)]
pub const SSL_EXT_SSL3_ALLOWED: c_uint = 0x0008;
/* Extension is only defined for TLS1.2 and below */
#[cfg(ossl111)]
pub const SSL_EXT_TLS1_2_AND_BELOW_ONLY: c_uint = 0x0010;
/* Extension is only defined for TLS1.3 and above */
#[cfg(ossl111)]
pub const SSL_EXT_TLS1_3_ONLY: c_uint = 0x0020;
/* Ignore this extension during parsing if we are resuming */
#[cfg(ossl111)]
pub const SSL_EXT_IGNORE_ON_RESUMPTION: c_uint = 0x0040;
#[cfg(ossl111)]
pub const SSL_EXT_CLIENT_HELLO: c_uint = 0x0080;
/* Really means TLS1.2 or below */
#[cfg(ossl111)]
pub const SSL_EXT_TLS1_2_SERVER_HELLO: c_uint = 0x0100;
#[cfg(ossl111)]
pub const SSL_EXT_TLS1_3_SERVER_HELLO: c_uint = 0x0200;
#[cfg(ossl111)]
pub const SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS: c_uint = 0x0400;
#[cfg(ossl111)]
pub const SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST: c_uint = 0x0800;
#[cfg(ossl111)]
pub const SSL_EXT_TLS1_3_CERTIFICATE: c_uint = 0x1000;
#[cfg(ossl111)]
pub const SSL_EXT_TLS1_3_NEW_SESSION_TICKET: c_uint = 0x2000;
#[cfg(ossl111)]
pub const SSL_EXT_TLS1_3_CERTIFICATE_REQUEST: c_uint = 0x4000;
#[cfg(ossl111)]
pub type SSL_custom_ext_add_cb_ex = Option<
unsafe extern "C" fn(
ssl: *mut ::SSL,
ext_type: c_uint,
context: c_uint,
out: *mut *const c_uchar,
outlen: *mut size_t,
x: *mut ::X509,
chainidx: size_t,
al: *mut c_int,
add_arg: *mut c_void,
) -> c_int,
>;
#[cfg(ossl111)]
pub type SSL_custom_ext_free_cb_ex = Option<
unsafe extern "C" fn(
ssl: *mut ::SSL,
ext_type: c_uint,
context: c_uint,
out: *mut *const c_uchar,
add_arg: *mut c_void,
),
>;
#[cfg(ossl111)]
pub type SSL_custom_ext_parse_cb_ex = Option<
unsafe extern "C" fn(
ssl: *mut ::SSL,
ext_type: c_uint,
context: c_uint,
input: *const c_uchar,
inlen: size_t,
x: *mut ::X509,
chainidx: size_t,
al: *mut c_int,
parse_arg: *mut c_void,
) -> c_int,
>;
pub const SSL_OP_LEGACY_SERVER_CONNECT: c_uint = 0x00000004;
pub const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS: c_uint = 0x00000800;
@ -202,9 +123,6 @@ cfg_if! {
}
}
#[cfg(ossl111)]
pub const SSL_OP_ENABLE_MIDDLEBOX_COMPAT: c_uint = 0x00100000;
pub const SSL_OP_CIPHER_SERVER_PREFERENCE: c_uint = 0x00400000;
pub const SSL_OP_TLS_ROLLBACK_BUG: c_uint = 0x00800000;
@ -292,9 +210,6 @@ extern "C" {
pub fn SSL_CTX_set_mode(ctx: *mut SSL_CTX, op: c_uint) -> c_uint;
}
#[cfg(ossl111)]
pub const SSL_COOKIE_LENGTH: c_int = 4096;
extern "C" {
pub fn SSL_CTX_get_options(ctx: *const SSL_CTX) -> c_uint;
pub fn SSL_CTX_set_options(ctx: *mut SSL_CTX, op: c_uint) -> c_uint;
@ -348,18 +263,6 @@ cfg_if! {
}
extern "C" {
#[cfg(ossl111)]
pub fn SSL_CTX_set_stateless_cookie_verify_cb(
s: *mut SSL_CTX,
cb: Option<
unsafe extern "C" fn(
ssl: *mut SSL,
cookie: *const c_uchar,
cookie_len: size_t,
) -> c_int,
>,
);
pub fn SSL_CTX_set_next_protos_advertised_cb(
ssl: *mut SSL_CTX,
cb: extern "C" fn(
@ -448,23 +351,8 @@ extern "C" {
);
}
#[cfg(ossl111)]
pub type SSL_CTX_keylog_cb_func =
Option<unsafe extern "C" fn(ssl: *const SSL, line: *const c_char)>;
extern "C" {
#[cfg(ossl111)]
pub fn SSL_CTX_set_keylog_callback(ctx: *mut SSL_CTX, cb: SSL_CTX_keylog_cb_func);
#[cfg(ossl111)]
pub fn SSL_CTX_set_max_early_data(ctx: *mut SSL_CTX, max_early_data: u32) -> c_int;
#[cfg(ossl111)]
pub fn SSL_CTX_get_max_early_data(ctx: *const SSL_CTX) -> u32;
#[cfg(ossl111)]
pub fn SSL_set_max_early_data(ctx: *mut SSL, max_early_data: u32) -> c_int;
#[cfg(ossl111)]
pub fn SSL_get_max_early_data(ctx: *const SSL) -> u32;
pub fn SSL_CTX_set_keylog_callback(ctx: *mut SSL_CTX, cb: Option<unsafe extern "C" fn(ssl: *const SSL, line: *const c_char)>);
pub fn SSL_get_finished(s: *const SSL, buf: *mut c_void, count: size_t) -> size_t;
pub fn SSL_get_peer_finished(s: *const SSL, buf: *mut c_void, count: size_t) -> size_t;
@ -488,8 +376,6 @@ pub const SSL_ERROR_WANT_READ: c_int = 2;
pub const SSL_ERROR_WANT_WRITE: c_int = 3;
pub const SSL_ERROR_WANT_X509_LOOKUP: c_int = 4;
pub const SSL_ERROR_ZERO_RETURN: c_int = 6;
#[cfg(ossl111)]
pub const SSL_ERROR_WANT_CLIENT_HELLO_CB: c_int = 11;
pub const SSL_VERIFY_NONE: c_int = 0;
pub const SSL_VERIFY_PEER: c_int = 1;
pub const SSL_VERIFY_FAIL_IF_NO_PEER_CERT: c_int = 2;
@ -499,8 +385,6 @@ pub const SSL_CTRL_GET_SESSION_REUSED: c_int = 8;
pub const SSL_CTRL_OPTIONS: c_int = 32;
#[cfg(any(libressl, all(ossl101, not(ossl110))))]
pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77;
#[cfg(ossl111)]
pub const SSL_CTRL_SET_GROUPS_LIST: c_int = 92;
#[cfg(any(libressl, all(ossl102, not(ossl110))))]
pub const SSL_CTRL_SET_ECDH_AUTO: c_int = 94;
@ -546,18 +430,13 @@ cfg_if! {
}
}
extern "C" {
#[cfg(ossl111)]
pub fn SSL_CIPHER_get_handshake_digest(cipher: *const ::SSL_CIPHER) -> *const ::EVP_MD;
pub fn SSL_CIPHER_get_name(cipher: *const SSL_CIPHER) -> *const c_char;
#[cfg(ossl111)]
pub fn SSL_CIPHER_standard_name(cipher: *const SSL_CIPHER) -> *const c_char;
pub fn SSL_pending(ssl: *const SSL) -> c_int;
pub fn SSL_set_bio(ssl: *mut SSL, rbio: *mut BIO, wbio: *mut BIO);
pub fn SSL_get_rbio(ssl: *const SSL) -> *mut BIO;
pub fn SSL_get_wbio(ssl: *const SSL) -> *mut BIO;
#[cfg(ossl111)]
pub fn SSL_set_ciphersuites(ssl: *mut ::SSL, str: *const c_char) -> c_int;
pub fn SSL_set_verify(
ssl: *mut SSL,
mode: c_int,
@ -593,11 +472,6 @@ extern "C" {
#[cfg(ossl110)]
pub fn SSL_SESSION_get_protocol_version(s: *const SSL_SESSION) -> u16;
#[cfg(ossl111)]
pub fn SSL_SESSION_set_max_early_data(ctx: *mut SSL_SESSION, max_early_data: u32) -> c_int;
#[cfg(ossl111)]
pub fn SSL_SESSION_get_max_early_data(ctx: *const SSL_SESSION) -> u32;
pub fn SSL_SESSION_get_id(s: *const SSL_SESSION, len: *mut c_uint) -> *const c_uchar;
#[cfg(any(ossl110, libressl273))]
pub fn SSL_SESSION_up_ref(ses: *mut SSL_SESSION) -> c_int;
@ -637,62 +511,15 @@ extern "C" {
pub fn SSL_get0_param(ssl: *mut SSL) -> *mut X509_VERIFY_PARAM;
}
#[cfg(ossl111)]
pub const SSL_CLIENT_HELLO_SUCCESS: c_int = 1;
#[cfg(ossl111)]
pub const SSL_CLIENT_HELLO_ERROR: c_int = 0;
#[cfg(ossl111)]
pub const SSL_CLIENT_HELLO_RETRY: c_int = -1;
#[cfg(ossl111)]
pub type SSL_client_hello_cb_fn =
Option<unsafe extern "C" fn(s: *mut SSL, al: *mut c_int, arg: *mut c_void) -> c_int>;
extern "C" {
#[cfg(ossl111)]
pub fn SSL_client_hello_get1_extensions_present(
s: *mut SSL,
out: *mut *mut c_int,
outlen: *mut size_t,
) -> c_int;
#[cfg(ossl111)]
pub fn SSL_client_hello_get0_ext(
s: *mut SSL,
type_: c_uint,
out: *mut *const c_uchar,
outlen: *mut size_t,
) -> c_int;
pub fn SSL_free(ssl: *mut SSL);
pub fn SSL_accept(ssl: *mut SSL) -> c_int;
#[cfg(ossl111)]
pub fn SSL_stateless(s: *mut SSL) -> c_int;
pub fn SSL_connect(ssl: *mut SSL) -> c_int;
pub fn SSL_read(ssl: *mut SSL, buf: *mut c_void, num: c_int) -> c_int;
#[cfg(ossl111)]
pub fn SSL_read_early_data(
s: *mut ::SSL,
buf: *mut c_void,
num: size_t,
readbytes: *mut size_t,
) -> c_int;
}
#[cfg(ossl111)]
pub const SSL_READ_EARLY_DATA_ERROR: c_int = 0;
#[cfg(ossl111)]
pub const SSL_READ_EARLY_DATA_SUCCESS: c_int = 1;
#[cfg(ossl111)]
pub const SSL_READ_EARLY_DATA_FINISH: c_int = 2;
extern "C" {
pub fn SSL_write(ssl: *mut SSL, buf: *const c_void, num: c_int) -> c_int;
#[cfg(ossl111)]
pub fn SSL_write_early_data(
s: *mut SSL,
buf: *const c_void,
num: size_t,
written: *mut size_t,
) -> c_int;
}
cfg_if! {
@ -868,10 +695,6 @@ extern "C" {
cfg_if! {
if #[cfg(osslconf = "OPENSSL_NO_COMP")] {
} else if #[cfg(ossl111b)] {
extern "C" {
pub fn SSL_get_current_compression(ssl: *const SSL) -> *const COMP_METHOD;
}
} else {
extern "C" {
pub fn SSL_get_current_compression(ssl: *mut SSL) -> *const COMP_METHOD;
@ -911,8 +734,6 @@ cfg_if! {
#[cfg(ossl110)]
pub const OPENSSL_INIT_LOAD_SSL_STRINGS: u64 = 0x00200000;
#[cfg(ossl111b)]
pub const OPENSSL_INIT_NO_ATEXIT: u64 = 0x00080000;
extern "C" {
#[cfg(ossl110)]
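Review bot: The `SSL_CTX_set_keylog_callback` declaration at L256 spells the callback type inline on a line well past rustfmt's 100-column width, while the `SSL_CTX_keylog_cb_func` alias at L243-L244 appears to be dropped in the same hunk (23 old lines, 8 new per the header at L239); keeping `pub type SSL_CTX_keylog_cb_func = Option<unsafe extern "C" fn(ssl: *const SSL, line: *const c_char)>;` and declaring `pub fn SSL_CTX_set_keylog_callback(ctx: *mut SSL_CTX, cb: SSL_CTX_keylog_cb_func);` keeps the line short and preserves the name for anyone importing `ffi::SSL_CTX_keylog_cb_func`. Which of the duplicated lines is old versus new is not marked in this rendering, so this reading is inferred.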


@ -29,17 +29,6 @@ extern "C" {
use_context: c_int,
) -> c_int;
#[cfg(ossl111)]
pub fn SSL_export_keying_material_early(
s: *mut ::SSL,
out: *mut c_uchar,
olen: size_t,
label: *const c_char,
llen: size_t,
context: *const c_uchar,
contextlen: size_t,
) -> c_int;
pub fn SSL_set_tlsext_host_name(s: *mut SSL, name: *const c_char) -> c_int;
pub fn SSL_set_tlsext_status_type(s: *mut SSL, type_: c_int) -> c_int;
pub fn SSL_get_tlsext_status_ocsp_resp(ssl: *const SSL, resp: *mut *const c_uchar) -> size_t;


@ -8,7 +8,6 @@ fn main() {
cfgs.push("ossl110");
cfgs.push("ossl110f");
cfgs.push("ossl110g");
cfgs.push("ossl111");
for cfg in cfgs {
println!("cargo:rustc-cfg={}", cfg);


@ -218,7 +218,6 @@ impl Hasher {
/// Writes the hash of the data into the supplied buf and resets the XOF hasher.
/// The hash will be as long as the buf.
#[cfg(ossl111)]
pub fn finish_xof(&mut self, buf: &mut [u8]) -> Result<(), ErrorStack> {
if self.state == Finalized {
self.init()?;
@ -330,7 +329,6 @@ pub fn hash(t: MessageDigest, data: &[u8]) -> Result<DigestBytes, ErrorStack> {
}
/// Computes the hash of the `data` with the XOF hasher `t` and stores it in `buf`.
#[cfg(ossl111)]
pub fn hash_xof(t: MessageDigest, data: &[u8], buf: &mut [u8]) -> Result<(), ErrorStack> {
let mut h = Hasher::new(t)?;
h.update(data)?;
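Review bot: `finish_xof` (L414) and `hash_xof` (L421) become unconditional but their docs (L411-L412, L419) still do not say what happens when the digest is a fixed-output algorithm rather than an XOF; presumably the underlying `EVP_DigestFinalXOF` call rejects it and the `ErrorStack` is returned, but that should be stated, e.g. `/// Only valid for extendable-output digests (e.g. SHAKE128/SHAKE256); for a fixed-length digest the call fails and the error is returned.` Both function bodies continue beyond the hunk, so whether a check already exists there is not visible.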


@ -80,14 +80,9 @@ impl Id {
pub const DSA: Id = Id(ffi::EVP_PKEY_DSA);
pub const DH: Id = Id(ffi::EVP_PKEY_DH);
pub const EC: Id = Id(ffi::EVP_PKEY_EC);
#[cfg(ossl111)]
pub const ED25519: Id = Id(ffi::EVP_PKEY_ED25519);
#[cfg(ossl111)]
pub const ED448: Id = Id(ffi::EVP_PKEY_ED448);
#[cfg(ossl111)]
pub const X25519: Id = Id(ffi::EVP_PKEY_X25519);
#[cfg(ossl111)]
pub const X448: Id = Id(ffi::EVP_PKEY_X448);
/// Creates a `Id` from an integer representation.
@ -295,9 +290,7 @@ impl<T> fmt::Debug for PKey<T> {
Id::DSA => "DSA",
Id::DH => "DH",
Id::EC => "EC",
#[cfg(ossl111)]
Id::ED25519 => "Ed25519",
#[cfg(ossl111)]
Id::ED448 => "Ed448",
_ => "unknown",
};
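Review bot: `Id::X25519` and `Id::X448` (L436, L438) are now always defined, but the `Debug` formatting at L441-L448 still names only `ED25519`/`ED448`, so the two key-agreement ids print as `"unknown"`; add `Id::X25519 => "X25519",` and `Id::X448 => "X448",` beside the Ed arms. The `fmt::Debug` impl continues beyond the hunk. Which `#[cfg(ossl111)]` lines here were removed rather than kept is not marked in this rendering, but the visible arms are the same either way.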


@ -40,20 +40,6 @@ pub fn rand_bytes(buf: &mut [u8]) -> Result<(), ErrorStack> {
}
}
/// Controls random device file descriptor behavior.
///
/// Requires OpenSSL 1.1.1 or newer.
///
/// This corresponds to [`RAND_keep_random_devices_open`].
///
/// [`RAND_keep_random_devices_open`]: https://www.openssl.org/docs/manmaster/man3/RAND_keep_random_devices_open.html
#[cfg(ossl111)]
pub fn keep_random_devices_open(keep: bool) {
unsafe {
ffi::RAND_keep_random_devices_open(keep as c_int);
}
}
#[cfg(test)]
mod tests {
use super::rand_bytes;


@ -257,20 +257,6 @@ impl<'a> Signer<'a> {
self.len_intern()
}
#[cfg(not(ossl111))]
fn len_intern(&self) -> Result<usize, ErrorStack> {
unsafe {
let mut len = 0;
cvt(ffi::EVP_DigestSignFinal(
self.md_ctx,
ptr::null_mut(),
&mut len,
))?;
Ok(len)
}
}
#[cfg(ossl111)]
fn len_intern(&self) -> Result<usize, ErrorStack> {
unsafe {
let mut len = 0;
@ -327,7 +313,6 @@ impl<'a> Signer<'a> {
/// OpenSSL documentation at [`EVP_DigestSign`].
///
/// [`EVP_DigestSign`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestSign.html
#[cfg(ossl111)]
pub fn sign_oneshot(
&mut self,
sig_buf: &mut [u8],
@ -349,7 +334,6 @@ impl<'a> Signer<'a> {
/// Returns the signature.
///
/// This is a simple convenience wrapper over `len` and `sign_oneshot`.
#[cfg(ossl111)]
pub fn sign_oneshot_to_vec(&mut self, data_buf: &[u8]) -> Result<Vec<u8>, ErrorStack> {
let mut sig_buf = vec![0; self.len()?];
let len = self.sign_oneshot(&mut sig_buf, data_buf)?;
@ -561,7 +545,6 @@ impl<'a> Verifier<'a> {
/// OpenSSL documentation at [`EVP_DigestVerify`].
///
/// [`EVP_DigestVerify`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestVerify.html
#[cfg(ossl111)]
pub fn verify_oneshot(&mut self, signature: &[u8], buf: &[u8]) -> Result<bool, ErrorStack> {
unsafe {
let r = ffi::EVP_DigestVerify(
@ -687,7 +670,6 @@ mod test {
}
#[test]
#[cfg(ossl111)]
fn rsa_sign_verify() {
let key = include_bytes!("../test/rsa.pem");
let private_key = Rsa::private_key_from_pem(key).unwrap();


@ -1,17 +1,12 @@
use ffi;
use foreign_types::ForeignType;
use foreign_types::ForeignTypeRef;
#[cfg(any(ossl111, not(osslconf = "OPENSSL_NO_PSK")))]
use libc::c_char;
#[cfg(ossl111)]
use libc::size_t;
use libc::{c_int, c_uchar, c_uint, c_void};
#[cfg(any(ossl111, not(osslconf = "OPENSSL_NO_PSK")))]
use std::ffi::CStr;
use std::mem;
use std::ptr;
use std::slice;
#[cfg(ossl111)]
use std::str;
use std::sync::Arc;
@ -359,7 +354,6 @@ where
}
}
#[cfg(ossl111)]
pub unsafe extern "C" fn raw_keylog<F>(ssl: *const ffi::SSL, line: *const c_char)
where
F: Fn(&SslRef, &str) + 'static + Sync + Send,
@ -374,21 +368,3 @@ where
callback(ssl, line);
}
#[cfg(ossl111)]
pub unsafe extern "C" fn raw_stateless_cookie_verify<F>(
ssl: *mut ffi::SSL,
cookie: *const c_uchar,
cookie_len: size_t,
) -> c_int
where
F: Fn(&mut SslRef, &[u8]) -> bool + 'static + Sync + Send,
{
let ssl = SslRef::from_ptr_mut(ssl);
let callback = ssl
.ssl_context()
.ex_data(SslContext::cached_ex_index::<F>())
.expect("BUG: stateless cookie verify callback missing") as *const F;
let slice = slice::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len as usize);
(*callback)(ssl, slice) as c_int
}
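Review bot: `raw_keylog` (L549) is now compiled unconditionally, but its `c_char` (L533) and `CStr` (L538) imports sit behind a cfg that combined `ossl111` with `not(osslconf = "OPENSSL_NO_PSK")`; if the surviving predicate is just the PSK one, a build with `OPENSSL_NO_PSK` set keeps the function and loses its imports and fails to compile. Make those two `use` lines unconditional, `use libc::c_char;` and `use std::ffi::CStr;`, unless the keylog path is gated the same way. If `raw_stateless_cookie_verify` (L556-L571) was the last user of `slice` (L541), that import is now dead as well; `raw_keylog`'s body continues beyond the hunk, so this is inferred from what is visible.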


@ -241,7 +241,6 @@ impl SslAcceptor {
pub fn mozilla_intermediate(method: SslMethod) -> Result<SslAcceptorBuilder, ErrorStack> {
let mut ctx = ctx(method)?;
ctx.set_options(SslOptions::CIPHER_SERVER_PREFERENCE);
#[cfg(ossl111)]
ctx.set_options(SslOptions::NO_TLSV1_3);
let dh = Dh::params_from_pem(FFDHE_2048.as_bytes())?;
ctx.set_tmp_dh(&dh)?;
@ -271,7 +270,6 @@ impl SslAcceptor {
ctx.set_options(
SslOptions::CIPHER_SERVER_PREFERENCE | SslOptions::NO_TLSV1 | SslOptions::NO_TLSV1_1,
);
#[cfg(ossl111)]
ctx.set_options(SslOptions::NO_TLSV1_3);
setup_curves(&mut ctx)?;
ctx.set_cipher_list(
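Review bot: `mozilla_intermediate` (L576) and the second constructor (L584-L588, whose signature is outside the hunk) now set `SslOptions::NO_TLSV1_3` (L580, L588) unconditionally, so every acceptor built from them is capped at TLS 1.2 on every library build rather than only on builds that had the gate; that is a property of these legacy profiles that callers should see on the constructor, e.g. `/// TLS 1.3 is disabled for this profile; use the `_v5` constructors to allow it.` (L993 shows a `mozilla_intermediate_v5` exists). Whether such a doc comment already exists is outside the hunk.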


@ -33,12 +33,6 @@ impl ErrorCode {
/// An error occurred in the SSL library.
pub const SSL: ErrorCode = ErrorCode(ffi::SSL_ERROR_SSL);
/// The client hello callback indicated that it needed to be retried.
///
/// Requires OpenSSL 1.1.1 or newer.
#[cfg(ossl111)]
pub const WANT_CLIENT_HELLO_CB: ErrorCode = ErrorCode(ffi::SSL_ERROR_WANT_CLIENT_HELLO_CB);
pub fn from_raw(raw: c_int) -> ErrorCode {
ErrorCode(raw)
}


@ -84,8 +84,6 @@ use ec::EcKey;
use ec::EcKeyRef;
use error::ErrorStack;
use ex_data::Index;
#[cfg(ossl111)]
use hash::MessageDigest;
#[cfg(ossl110)]
use nid::Nid;
use pkey::{HasPrivate, PKeyRef, Params, Private};
@ -196,13 +194,6 @@ bitflags! {
/// Requires OpenSSL 1.1.0h or newer.
#[cfg(ossl110h)]
const NO_RENEGOTIATION = ffi::SSL_OP_NO_RENEGOTIATION;
/// Enable TLSv1.3 Compatibility mode.
///
/// Requires OpenSSL 1.1.1 or newer. This is on by default in 1.1.1, but a future version
/// may have this disabled by default.
#[cfg(ossl111)]
const ENABLE_MIDDLEBOX_COMPAT = ffi::SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
}
}
@ -369,36 +360,6 @@ bitflags! {
}
}
#[cfg(ossl111)]
bitflags! {
/// Which messages and under which conditions an extension should be added or expected.
pub struct ExtensionContext: c_uint {
/// This extension is only allowed in TLS
const TLS_ONLY = ffi::SSL_EXT_TLS_ONLY;
/// This extension is only allowed in DTLS
const DTLS_ONLY = ffi::SSL_EXT_DTLS_ONLY;
/// Some extensions may be allowed in DTLS but we don't implement them for it
const TLS_IMPLEMENTATION_ONLY = ffi::SSL_EXT_TLS_IMPLEMENTATION_ONLY;
/// Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is
const SSL3_ALLOWED = ffi::SSL_EXT_SSL3_ALLOWED;
/// Extension is only defined for TLS1.2 and below
const TLS1_2_AND_BELOW_ONLY = ffi::SSL_EXT_TLS1_2_AND_BELOW_ONLY;
/// Extension is only defined for TLS1.3 and above
const TLS1_3_ONLY = ffi::SSL_EXT_TLS1_3_ONLY;
/// Ignore this extension during parsing if we are resuming
const IGNORE_ON_RESUMPTION = ffi::SSL_EXT_IGNORE_ON_RESUMPTION;
const CLIENT_HELLO = ffi::SSL_EXT_CLIENT_HELLO;
/// Really means TLS1.2 or below
const TLS1_2_SERVER_HELLO = ffi::SSL_EXT_TLS1_2_SERVER_HELLO;
const TLS1_3_SERVER_HELLO = ffi::SSL_EXT_TLS1_3_SERVER_HELLO;
const TLS1_3_ENCRYPTED_EXTENSIONS = ffi::SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
const TLS1_3_HELLO_RETRY_REQUEST = ffi::SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST;
const TLS1_3_CERTIFICATE = ffi::SSL_EXT_TLS1_3_CERTIFICATE;
const TLS1_3_NEW_SESSION_TICKET = ffi::SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
const TLS1_3_CERTIFICATE_REQUEST = ffi::SSL_EXT_TLS1_3_CERTIFICATE_REQUEST;
}
}
/// An identifier of the format of a certificate or key file.
#[derive(Copy, Clone)]
pub struct SslFiletype(c_int);
@ -529,22 +490,6 @@ impl AlpnError {
pub const NOACK: AlpnError = AlpnError(ffi::SSL_TLSEXT_ERR_NOACK);
}
/// The result of a client hello callback.
///
/// Requires OpenSSL 1.1.1 or newer.
#[cfg(ossl111)]
#[derive(Debug, Copy, Clone, PartialEq, Eq)]
pub struct ClientHelloResponse(c_int);
#[cfg(ossl111)]
impl ClientHelloResponse {
/// Continue the handshake.
pub const SUCCESS: ClientHelloResponse = ClientHelloResponse(ffi::SSL_CLIENT_HELLO_SUCCESS);
/// Return from the handshake with an `ErrorCode::WANT_CLIENT_HELLO_CB` error.
pub const RETRY: ClientHelloResponse = ClientHelloResponse(ffi::SSL_CLIENT_HELLO_RETRY);
}
/// An SSL/TLS protocol version.
#[derive(Debug, Copy, Clone, PartialEq, Eq)]
pub struct SslVersion(u16);
@ -563,9 +508,6 @@ impl SslVersion {
pub const TLS1_2: SslVersion = SslVersion(ffi::TLS1_2_VERSION);
/// TLSv1.3
///
/// Requires OpenSSL 1.1.1 or newer.
#[cfg(ossl111)]
pub const TLS1_3: SslVersion = SslVersion(ffi::TLS1_3_VERSION);
}
@ -1419,7 +1361,6 @@ impl SslContextBuilder {
/// This corresponds to [`SSL_CTX_set_keylog_callback`].
///
/// [`SSL_CTX_set_keylog_callback`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_keylog_callback.html
#[cfg(ossl111)]
pub fn set_keylog_callback<F>(&mut self, callback: F)
where
F: Fn(&SslRef, &str) + 'static + Sync + Send,
@ -1444,30 +1385,6 @@ impl SslContextBuilder {
}
}
/// Sets the callback for verifying an application cookie for TLS1.3
/// stateless handshakes.
///
/// The callback will be called with the SSL context and the cookie supplied by the
/// client. It should return true if and only if the cookie is valid.
///
/// Note that the OpenSSL implementation independently verifies the integrity of
/// application cookies using an HMAC before invoking the supplied callback.
///
/// This corresponds to `SSL_CTX_set_stateless_cookie_verify_cb`.
#[cfg(ossl111)]
pub fn set_stateless_cookie_verify_cb<F>(&mut self, callback: F)
where
F: Fn(&mut SslRef, &[u8]) -> bool + 'static + Sync + Send,
{
unsafe {
self.set_ex_data(SslContext::cached_ex_index::<F>(), callback);
ffi::SSL_CTX_set_stateless_cookie_verify_cb(
self.as_ptr(),
Some(raw_stateless_cookie_verify::<F>),
)
}
}
/// Sets the extra data at the specified index.
///
/// This can be used to provide data to callbacks registered with the context. Use the
@ -1488,24 +1405,6 @@ impl SslContextBuilder {
}
}
/// Sets the maximum amount of early data that will be accepted on incoming connections.
///
/// Defaults to 0.
///
/// Requires OpenSSL 1.1.1 or newer.
///
/// This corresponds to [`SSL_CTX_set_max_early_data`].
///
/// [`SSL_CTX_set_max_early_data`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_max_early_data.html
#[cfg(ossl111)]
pub fn set_max_early_data(&mut self, bytes: u32) -> Result<(), ErrorStack> {
if unsafe { ffi::SSL_CTX_set_max_early_data(self.as_ptr(), bytes) } == 1 {
Ok(())
} else {
Err(ErrorStack::get())
}
}
/// Sets the context's session cache size limit, returning the previous limit.
///
/// A value of 0 means that the cache size is unbounded.
@ -1689,18 +1588,6 @@ impl SslContextRef {
}
}
/// Gets the maximum amount of early data that will be accepted on incoming connections.
///
/// Requires OpenSSL 1.1.1 or newer.
///
/// This corresponds to [`SSL_CTX_get_max_early_data`].
///
/// [`SSL_CTX_get_max_early_data`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_get_max_early_data.html
#[cfg(ossl111)]
pub fn max_early_data(&self) -> u32 {
unsafe { ffi::SSL_CTX_get_max_early_data(self.as_ptr()) }
}
/// Adds a session to the context's cache.
///
/// Returns `true` if the session was successfully added to the cache, and `false` if it was already present.
@ -1827,7 +1714,6 @@ impl SslCipherRef {
/// This corresponds to [`SSL_CIPHER_standard_name`].
///
/// [`SSL_CIPHER_standard_name`]: https://www.openssl.org/docs/manmaster/man3/SSL_CIPHER_get_name.html
#[cfg(ossl111)]
pub fn standard_name(&self) -> Option<&'static str> {
unsafe {
let ptr = ffi::SSL_CIPHER_standard_name(self.as_ptr());
@ -1884,25 +1770,6 @@ impl SslCipherRef {
}
}
/// Returns the handshake digest of the cipher.
///
/// Requires OpenSSL 1.1.1 or newer.
///
/// This corresponds to [`SSL_CIPHER_get_handshake_digest`].
///
/// [`SSL_CIPHER_get_handshake_digest`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_CIPHER_get_handshake_digest.html
#[cfg(ossl111)]
pub fn handshake_digest(&self) -> Option<MessageDigest> {
unsafe {
let ptr = ffi::SSL_CIPHER_get_handshake_digest(self.as_ptr());
if ptr.is_null() {
None
} else {
Some(MessageDigest::from_ptr(ptr))
}
}
}
/// Returns the NID corresponding to the cipher.
///
/// Requires OpenSSL 1.1.0 or newer.
@ -2001,18 +1868,6 @@ impl SslSessionRef {
unsafe { SSL_SESSION_get_master_key(self.as_ptr(), buf.as_mut_ptr(), buf.len()) }
}
/// Gets the maximum amount of early data that can be sent on this session.
///
/// Requires OpenSSL 1.1.1 or newer.
///
/// This corresponds to [`SSL_SESSION_get_max_early_data`].
///
/// [`SSL_SESSION_get_max_early_data`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_SESSION_get_max_early_data.html
#[cfg(ossl111)]
pub fn max_early_data(&self) -> u32 {
unsafe { ffi::SSL_SESSION_get_max_early_data(self.as_ptr()) }
}
/// Returns the time at which the session was established, in seconds since the Unix epoch.
///
/// This corresponds to [`SSL_SESSION_get_time`].
@ -2735,37 +2590,6 @@ impl SslRef {
}
}
/// Derives keying material for application use in accordance to RFC 5705.
///
/// This function is only usable with TLSv1.3, wherein there is no distinction between an empty context and no
/// context. Therefore, unlike `export_keying_material`, `context` must always be supplied.
///
/// Requires OpenSSL 1.1.1 or newer.
///
/// This corresponds to [`SSL_export_keying_material_early`].
///
/// [`SSL_export_keying_material_early`]: https://www.openssl.org/docs/manmaster/man3/SSL_export_keying_material_early.html
#[cfg(ossl111)]
pub fn export_keying_material_early(
&self,
out: &mut [u8],
label: &str,
context: &[u8],
) -> Result<(), ErrorStack> {
unsafe {
cvt(ffi::SSL_export_keying_material_early(
self.as_ptr(),
out.as_mut_ptr() as *mut c_uchar,
out.len(),
label.as_ptr() as *const c_char,
label.len(),
context.as_ptr() as *const c_uchar,
context.len(),
))
.map(|_| ())
}
}
/// Sets the session to be used.
///
/// This should be called before the handshake to attempt to reuse a previously established
@ -2901,34 +2725,6 @@ impl SslRef {
}
}
/// Sets the maximum amount of early data that will be accepted on this connection.
///
/// Requires OpenSSL 1.1.1 or newer.
///
/// This corresponds to [`SSL_set_max_early_data`].
///
/// [`SSL_set_max_early_data`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_set_max_early_data.html
#[cfg(ossl111)]
pub fn set_max_early_data(&mut self, bytes: u32) -> Result<(), ErrorStack> {
if unsafe { ffi::SSL_set_max_early_data(self.as_ptr(), bytes) } == 1 {
Ok(())
} else {
Err(ErrorStack::get())
}
}
/// Gets the maximum amount of early data that can be sent on this connection.
///
/// Requires OpenSSL 1.1.1 or newer.
///
/// This corresponds to [`SSL_get_max_early_data`].
///
/// [`SSL_get_max_early_data`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_get_max_early_data.html
#[cfg(ossl111)]
pub fn max_early_data(&self) -> u32 {
unsafe { ffi::SSL_get_max_early_data(self.as_ptr()) }
}
/// Copies the contents of the last Finished message sent to the peer into the provided buffer.
///
/// The total size of the message is returned, so this can be used to determine the size of the
@ -3292,30 +3088,6 @@ where
}
}
/// Perform a stateless server-side handshake
///
/// Requires that cookie generation and verification callbacks were
/// set on the SSL context.
///
/// Returns `Ok(true)` if a complete ClientHello containing a valid cookie
/// was read, in which case the handshake should be continued via
/// `accept`. If a HelloRetryRequest containing a fresh cookie was
/// transmitted, `Ok(false)` is returned instead. If the handshake cannot
/// proceed at all, `Err` is returned.
///
/// This corresponds to [`SSL_stateless`]
///
/// [`SSL_stateless`]: https://www.openssl.org/docs/manmaster/man3/SSL_stateless.html
#[cfg(ossl111)]
pub fn stateless(&mut self) -> Result<bool, ErrorStack> {
match unsafe { ffi::SSL_stateless(self.inner.ssl.as_ptr()) } {
1 => Ok(true),
0 => Ok(false),
-1 => Err(ErrorStack::get()),
_ => unreachable!(),
}
}
/// Configure as an outgoing stream from a client.
///
/// This corresponds to [`SSL_set_connect_state`].
@ -3408,66 +3180,6 @@ where
}
}
}
/// Read application data transmitted by a client before handshake
/// completion.
///
/// Useful for reducing latency, but vulnerable to replay attacks. Call
/// `set_accept_state` first.
///
/// Returns `Ok(0)` if all early data has been read.
///
/// Requires OpenSSL 1.1.1 or newer.
///
/// This corresponds to [`SSL_read_early_data`].
///
/// [`SSL_read_early_data`]: https://www.openssl.org/docs/manmaster/man3/SSL_read_early_data.html
#[cfg(ossl111)]
pub fn read_early_data(&mut self, buf: &mut [u8]) -> Result<usize, Error> {
let mut read = 0;
let ret = unsafe {
ffi::SSL_read_early_data(
self.inner.ssl.as_ptr(),
buf.as_ptr() as *mut c_void,
buf.len(),
&mut read,
)
};
match ret {
ffi::SSL_READ_EARLY_DATA_ERROR => Err(self.inner.make_error(ret)),
ffi::SSL_READ_EARLY_DATA_SUCCESS => Ok(read),
ffi::SSL_READ_EARLY_DATA_FINISH => Ok(0),
_ => unreachable!(),
}
}
/// Send data to the server without blocking on handshake completion.
///
/// Useful for reducing latency, but vulnerable to replay attacks. Call
/// `set_connect_state` first.
///
/// Requires OpenSSL 1.1.1 or newer.
///
/// This corresponds to [`SSL_write_early_data`].
///
/// [`SSL_write_early_data`]: https://www.openssl.org/docs/manmaster/man3/SSL_write_early_data.html
#[cfg(ossl111)]
pub fn write_early_data(&mut self, buf: &[u8]) -> Result<usize, Error> {
let mut written = 0;
let ret = unsafe {
ffi::SSL_write_early_data(
self.inner.ssl.as_ptr(),
buf.as_ptr() as *const c_void,
buf.len(),
&mut written,
)
};
if ret > 0 {
Ok(written as usize)
} else {
Err(self.inner.make_error(ret))
}
}
}
impl<S> SslStreamBuilder<S> {
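Review bot: `set_keylog_callback` (L696) is now available on every build, and its doc (L692-L694) only names the C function; the `line` strings handed to the callback are the connection's secret keying material in key-log format, so the doc should say this is a debugging hook that defeats TLS confidentiality for any connection it logs, e.g. `/// The lines passed to `callback` contain the session's secret keying material (key-log format); do not enable this outside of debugging.` The function body continues beyond the hunk, so whether it already warns is not visible. Separately, `SslVersion::TLS1_3` (L689) loses only the version caveat at L687-L688, which is consistent with the constant being unconditional.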


@ -23,10 +23,7 @@ use pkey::PKey;
use srtp::SrtpProfileId;
use ssl;
use ssl::test::server::Server;
#[cfg(any(ossl110, ossl111, libressl261))]
use ssl::SslVersion;
#[cfg(ossl111)]
use ssl::{ClientHelloResponse, ExtensionContext};
use ssl::{
Error, HandshakeError, MidHandshakeSslStream, ShutdownResult, ShutdownState, Ssl, SslAcceptor,
SslAcceptorBuilder, SslConnector, SslContext, SslContextBuilder, SslFiletype, SslMethod,
@ -793,7 +790,6 @@ fn connector_client_server_mozilla_intermediate_v5() {
test_mozilla_server(SslAcceptor::mozilla_intermediate_v5);
}
#[test]
fn shutdown() {
let mut server = Server::builder();
@ -907,7 +903,6 @@ fn active_session() {
assert_eq!(copied, len);
}
#[test]
fn new_session_callback() {
static CALLED_BACK: AtomicBool = AtomicBool::new(false);