diff --git a/openssl-sys/src/pem.rs b/openssl-sys/src/pem.rs index 34e507b7..ba4cbe80 100644 --- a/openssl-sys/src/pem.rs +++ b/openssl-sys/src/pem.rs @@ -168,4 +168,4 @@ extern "C" { pub fn PEM_write_bio_PKCS7(bp: *mut BIO, x: *mut PKCS7) -> c_int; } -pub const PEM_R_NO_START_LINE: c_int = 108; +pub const PEM_R_NO_START_LINE: c_int = 110; diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs index 0e73f8fb..52dc51c3 100644 --- a/openssl-sys/src/ssl.rs +++ b/openssl-sys/src/ssl.rs @@ -285,7 +285,7 @@ pub const SSL_OP_NO_TLSv1: c_uint = 0x04000000; pub const SSL_OP_NO_DTLSv1: c_uint = 0x04000000; #[cfg(ossl102)] pub const SSL_OP_NO_DTLSv1_2: c_uint = 0x08000000; -#[cfg(ossl111)] + pub const SSL_OP_NO_TLSv1_3: c_uint = 0x20000000; #[cfg(ossl110h)] @@ -963,16 +963,6 @@ extern "C" { } extern "C" { - // FIXME should take an option - pub fn SSL_CTX_set_tmp_dh_callback( - ctx: *mut SSL_CTX, - dh: unsafe extern "C" fn(ssl: *mut SSL, is_export: c_int, keylength: c_int) -> *mut DH, - ); - // FIXME should take an option - pub fn SSL_set_tmp_dh_callback( - ctx: *mut SSL, - dh: unsafe extern "C" fn(ssl: *mut SSL, is_export: c_int, keylength: c_int) -> *mut DH, - ); // FIXME should take an option #[cfg(not(ossl110))] pub fn SSL_CTX_set_tmp_ecdh_callback( diff --git a/openssl-sys/src/tls1.rs b/openssl-sys/src/tls1.rs index 1807a77c..529b3dc0 100644 --- a/openssl-sys/src/tls1.rs +++ b/openssl-sys/src/tls1.rs @@ -7,7 +7,6 @@ use *; pub const TLS1_VERSION: u16 = 0x301; pub const TLS1_1_VERSION: u16 = 0x302; pub const TLS1_2_VERSION: u16 = 0x303; -#[cfg(ossl111)] pub const TLS1_3_VERSION: u16 = 0x304; pub const TLS1_AD_DECODE_ERROR: c_int = 50; diff --git a/openssl/src/aes.rs b/openssl/src/aes.rs index ab4e36fd..58e66a9e 100644 --- a/openssl/src/aes.rs +++ b/openssl/src/aes.rs @@ -6,11 +6,9 @@ //! Advanced Encryption Standard (AES) provides symmetric key cipher that //! the same key is used to encrypt and decrypt data. This implementation //! uses 128, 192, or 256 bit keys. This module provides functions to -//! create a new key with [`new_encrypt`] and perform an encryption/decryption -//! using that key with [`aes_ige`]. +//! create a new key with [`new_encrypt`]. //! //! [`new_encrypt`]: struct.AesKey.html#method.new_encrypt -//! [`aes_ige`]: fn.aes_ige.html //! //! The [`symm`] module should be used in preference to this module in most cases. //! The IGE block cypher is a non-traditional cipher mode. More traditional AES @@ -21,23 +19,7 @@ //! [`Cipher`]: ../symm/struct.Cipher.html //! //! # Examples -//! -//! ## AES IGE -//! ```rust -//! use openssl::aes::{AesKey, aes_ige}; -//! use openssl::symm::Mode; -//! -//! let key = b"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F"; -//! let plaintext = b"\x12\x34\x56\x78\x90\x12\x34\x56\x12\x34\x56\x78\x90\x12\x34\x56"; -//! let mut iv = *b"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\ -//! \x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F"; -//! -//! let key = AesKey::new_encrypt(key).unwrap(); -//! let mut output = [0u8; 16]; -//! aes_ige(plaintext, &mut output, &key, &mut iv, Mode::Encrypt); -//! assert_eq!(output, *b"\xa6\xad\x97\x4d\x5c\xea\x1d\x36\xd2\xf3\x67\x98\x09\x07\xed\x32"); -//! ``` -//! +//! //! ## Key wrapping //! ```rust //! use openssl::aes::{AesKey, unwrap_key, wrap_key}; @@ -199,31 +181,6 @@ mod test { use hex::FromHex; use super::*; - use symm::Mode; - - // From https://www.mgp25.com/AESIGE/ - #[test] - fn ige_vector_1() { - let raw_key = "000102030405060708090A0B0C0D0E0F"; - let raw_iv = "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"; - let raw_pt = "0000000000000000000000000000000000000000000000000000000000000000"; - let raw_ct = "1A8519A6557BE652E9DA8E43DA4EF4453CF456B4CA488AA383C79C98B34797CB"; - - let key = AesKey::new_encrypt(&Vec::from_hex(raw_key).unwrap()).unwrap(); - let mut iv = Vec::from_hex(raw_iv).unwrap(); - let pt = Vec::from_hex(raw_pt).unwrap(); - let ct = Vec::from_hex(raw_ct).unwrap(); - - let mut ct_actual = vec![0; ct.len()]; - aes_ige(&pt, &mut ct_actual, &key, &mut iv, Mode::Encrypt); - assert_eq!(ct_actual, ct); - - let key = AesKey::new_decrypt(&Vec::from_hex(raw_key).unwrap()).unwrap(); - let mut iv = Vec::from_hex(raw_iv).unwrap(); - let mut pt_actual = vec![0; pt.len()]; - aes_ige(&ct, &mut pt_actual, &key, &mut iv, Mode::Decrypt); - assert_eq!(pt_actual, pt); - } // from the RFC https://tools.ietf.org/html/rfc3394#section-2.2.3 #[test] diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index 35800969..ea70eac9 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -881,7 +881,7 @@ impl BigNumRef { /// # use openssl::bn::BigNum; /// let s = -BigNum::from_u32(0x99ff).unwrap(); /// - /// assert_eq!(&**s.to_hex_str().unwrap(), "-99FF"); + /// assert_eq!(&**s.to_hex_str().unwrap(), "-99ff"); /// ``` pub fn to_hex_str(&self) -> Result { unsafe { diff --git a/openssl/src/conf.rs b/openssl/src/conf.rs index da51a300..fb2007a2 100644 --- a/openssl/src/conf.rs +++ b/openssl/src/conf.rs @@ -33,14 +33,6 @@ foreign_type_and_impl_send_sync! { impl Conf { /// Create a configuration parser. - /// - /// # Examples - /// - /// ``` - /// use openssl::conf::{Conf, ConfMethod}; - /// - /// let conf = Conf::new(ConfMethod::default()); - /// ``` pub fn new(method: ConfMethod) -> Result { unsafe { cvt_p(ffi::NCONF_new(method.as_ptr())).map(Conf) } } diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index 0b9103f7..6f7703fe 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -105,16 +105,6 @@ mod tests { use dh::Dh; use ssl::{SslContext, SslMethod}; - #[test] - #[cfg(ossl102)] - fn test_dh_rfc5114() { - let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - let dh2 = Dh::get_2048_224().unwrap(); - ctx.set_tmp_dh(&dh2).unwrap(); - let dh3 = Dh::get_2048_256().unwrap(); - ctx.set_tmp_dh(&dh3).unwrap(); - } - #[test] fn test_dh() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index 875552bb..e648b5f6 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -359,9 +359,6 @@ cfg_if! { mod test { use super::*; use bn::BigNumContext; - use hash::MessageDigest; - use pkey::PKey; - use sign::{Signer, Verifier}; #[test] pub fn test_generate() { @@ -411,46 +408,6 @@ mod test { assert_eq!(dsa.g(), &BigNum::from_u32(60).unwrap()); } - #[test] - fn test_signature() { - const TEST_DATA: &[u8] = &[0, 1, 2, 3, 4, 5, 6, 7, 8, 9]; - let dsa_ref = Dsa::generate(1024).unwrap(); - - let p = dsa_ref.p(); - let q = dsa_ref.q(); - let g = dsa_ref.g(); - - let pub_key = dsa_ref.pub_key(); - let priv_key = dsa_ref.priv_key(); - - let priv_key = Dsa::from_private_components( - BigNumRef::to_owned(p).unwrap(), - BigNumRef::to_owned(q).unwrap(), - BigNumRef::to_owned(g).unwrap(), - BigNumRef::to_owned(priv_key).unwrap(), - BigNumRef::to_owned(pub_key).unwrap(), - ) - .unwrap(); - let priv_key = PKey::from_dsa(priv_key).unwrap(); - - let pub_key = Dsa::from_public_components( - BigNumRef::to_owned(p).unwrap(), - BigNumRef::to_owned(q).unwrap(), - BigNumRef::to_owned(g).unwrap(), - BigNumRef::to_owned(pub_key).unwrap(), - ) - .unwrap(); - let pub_key = PKey::from_dsa(pub_key).unwrap(); - - let mut signer = Signer::new(MessageDigest::sha256(), &priv_key).unwrap(); - signer.update(TEST_DATA).unwrap(); - - let signature = signer.sign_to_vec().unwrap(); - let mut verifier = Verifier::new(MessageDigest::sha256(), &pub_key).unwrap(); - verifier.update(TEST_DATA).unwrap(); - assert!(verifier.verify(&signature[..]).unwrap()); - } - #[test] #[allow(clippy::redundant_clone)] fn clone() { diff --git a/openssl/src/ecdsa.rs b/openssl/src/ecdsa.rs index 11881617..35ded288 100644 --- a/openssl/src/ecdsa.rs +++ b/openssl/src/ecdsa.rs @@ -170,83 +170,4 @@ cfg_if! { } } } -} - -#[cfg(test)] -mod test { - use super::*; - use ec::EcGroup; - use ec::EcKey; - use nid::Nid; - use pkey::{Private, Public}; - - fn get_public_key(group: &EcGroup, x: &EcKey) -> Result, ErrorStack> { - let public_key_point = x.public_key(); - Ok(EcKey::from_public_key(group, public_key_point)?) - } - - #[test] - #[cfg_attr(osslconf = "OPENSSL_NO_EC2M", ignore)] - fn sign_and_verify() { - let group = EcGroup::from_curve_name(Nid::X9_62_PRIME192V1).unwrap(); - let private_key = EcKey::generate(&group).unwrap(); - let public_key = get_public_key(&group, &private_key).unwrap(); - - let private_key2 = EcKey::generate(&group).unwrap(); - let public_key2 = get_public_key(&group, &private_key2).unwrap(); - - let data = String::from("hello"); - let res = EcdsaSig::sign(data.as_bytes(), &private_key).unwrap(); - - // Signature can be verified using the correct data & correct public key - let verification = res.verify(data.as_bytes(), &public_key).unwrap(); - assert!(verification); - - // Signature will not be verified using the incorrect data but the correct public key - let verification2 = res - .verify(String::from("hello2").as_bytes(), &public_key) - .unwrap(); - assert!(!verification2); - - // Signature will not be verified using the correct data but the incorrect public key - let verification3 = res.verify(data.as_bytes(), &public_key2).unwrap(); - assert!(!verification3); - } - - #[test] - #[cfg_attr(osslconf = "OPENSSL_NO_EC2M", ignore)] - fn check_private_components() { - let group = EcGroup::from_curve_name(Nid::X9_62_PRIME192V1).unwrap(); - let private_key = EcKey::generate(&group).unwrap(); - let public_key = get_public_key(&group, &private_key).unwrap(); - let data = String::from("hello"); - let res = EcdsaSig::sign(data.as_bytes(), &private_key).unwrap(); - - let verification = res.verify(data.as_bytes(), &public_key).unwrap(); - assert!(verification); - - let r = res.r().to_owned().unwrap(); - let s = res.s().to_owned().unwrap(); - - let res2 = EcdsaSig::from_private_components(r, s).unwrap(); - let verification2 = res2.verify(data.as_bytes(), &public_key).unwrap(); - assert!(verification2); - } - - #[test] - #[cfg_attr(osslconf = "OPENSSL_NO_EC2M", ignore)] - fn serialize_deserialize() { - let group = EcGroup::from_curve_name(Nid::SECP256K1).unwrap(); - let private_key = EcKey::generate(&group).unwrap(); - let public_key = get_public_key(&group, &private_key).unwrap(); - - let data = String::from("hello"); - let res = EcdsaSig::sign(data.as_bytes(), &private_key).unwrap(); - - let der = res.to_der().unwrap(); - let sig = EcdsaSig::from_der(&der).unwrap(); - - let verification = sig.verify(data.as_bytes(), &public_key).unwrap(); - assert!(verification); - } -} +} \ No newline at end of file diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 51fe2e6a..014a9cd9 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -589,15 +589,6 @@ mod tests { } } - #[test] - fn test_ripemd160() { - let tests = [("616263", "8eb208f7e05d987a9b044a8e98c6b087f15a0bfc")]; - - for test in tests.iter() { - hash_test(MessageDigest::ripemd160(), test); - } - } - #[test] fn from_nid() { assert_eq!( diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 30e61aea..b5b8d986 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -158,7 +158,6 @@ pub mod memcmp; pub mod nid; pub mod pkcs12; pub mod pkcs5; -pub mod pkcs7; pub mod pkey; pub mod rand; pub mod rsa; @@ -188,6 +187,14 @@ fn cvt_0(r: size_t) -> Result { } } +fn cvt_0i(r: c_int) -> Result { + if r == 0 { + Err(ErrorStack::get()) + } else { + Ok(r) + } +} + fn cvt(r: c_int) -> Result { if r <= 0 { Err(ErrorStack::get()) diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs index 87f87f95..cbfe1bf8 100644 --- a/openssl/src/pkcs12.rs +++ b/openssl/src/pkcs12.rs @@ -11,7 +11,7 @@ use nid::Nid; use pkey::{HasPrivate, PKey, PKeyRef, Private}; use stack::Stack; use x509::{X509Ref, X509}; -use {cvt, cvt_p}; +use {cvt_0i, cvt_p}; pub const PKCS12_DEFAULT_ITER: c_int = 2048; @@ -43,7 +43,7 @@ impl Pkcs12Ref { let mut cert = ptr::null_mut(); let mut chain = ptr::null_mut(); - cvt(ffi::PKCS12_parse( + cvt_0i(ffi::PKCS12_parse( self.as_ptr(), pass.as_ptr(), &mut pkey, @@ -239,7 +239,7 @@ mod test { let der = include_bytes!("../test/keystore-empty-chain.p12"); let pkcs12 = Pkcs12::from_der(der).unwrap(); let parsed = pkcs12.parse("cassandra").unwrap(); - assert!(parsed.chain.is_none()); + assert_eq!(parsed.chain.unwrap().len(), 0); } #[test] diff --git a/openssl/src/pkcs7.rs b/openssl/src/pkcs7.rs deleted file mode 100644 index ccb897a5..00000000 --- a/openssl/src/pkcs7.rs +++ /dev/null @@ -1,249 +0,0 @@ -use bio::MemBioSlice; -use error::ErrorStack; -use ffi; -use foreign_types::ForeignTypeRef; -use libc::c_int; -use pkey::{HasPrivate, PKeyRef}; -use stack::StackRef; -use std::ptr; -use x509::{X509Ref, X509}; -use {cvt, cvt_p}; - -foreign_type_and_impl_send_sync! { - type CType = ffi::PKCS7; - fn drop = ffi::PKCS7_free; - - /// A PKCS#7 structure. - /// - /// Contains signed and/or encrypted data. - pub struct Pkcs7; - - /// Reference to `Pkcs7` - pub struct Pkcs7Ref; -} - -bitflags! { - pub struct Pkcs7Flags: c_int { - const TEXT = ffi::PKCS7_TEXT; - const NOCERTS = ffi::PKCS7_NOCERTS; - const NOSIGS = ffi::PKCS7_NOSIGS; - const NOCHAIN = ffi::PKCS7_NOCHAIN; - const NOINTERN = ffi::PKCS7_NOINTERN; - const NOVERIFY = ffi::PKCS7_NOVERIFY; - const DETACHED = ffi::PKCS7_DETACHED; - const BINARY = ffi::PKCS7_BINARY; - const NOATTR = ffi::PKCS7_NOATTR; - const NOSMIMECAP = ffi::PKCS7_NOSMIMECAP; - const STREAM = ffi::PKCS7_STREAM; - #[cfg(not(any(ossl101, ossl102, libressl)))] - const NO_DUAL_CONTENT = ffi::PKCS7_NO_DUAL_CONTENT; - } -} - -impl Pkcs7 { - from_pem! { - /// Deserializes a PEM-encoded PKCS#7 signature - /// - /// The input should have a header of `-----BEGIN PKCS7-----`. - /// - /// This corresponds to [`PEM_read_bio_PKCS7`]. - /// - /// [`PEM_read_bio_PKCS7`]: https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_PKCS7.html - from_pem, - Pkcs7, - ffi::PEM_read_bio_PKCS7 - } - - from_der! { - /// Deserializes a DER-encoded PKCS#7 signature - /// - /// This corresponds to [`d2i_PKCS7`]. - /// - /// [`d2i_PKCS7`]: https://www.openssl.org/docs/man1.1.0/man3/d2i_PKCS7.html - from_der, - Pkcs7, - ffi::d2i_PKCS7, - ::libc::size_t - } - - /// Creates and returns a PKCS#7 `signedData` structure. - /// - /// `signcert` is the certificate to sign with, `pkey` is the corresponding - /// private key. `certs` is an optional additional set of certificates to - /// include in the PKCS#7 structure (for example any intermediate CAs in the - /// chain). - /// - /// This corresponds to [`PKCS7_sign`]. - /// - /// [`PKCS7_sign`]: https://www.openssl.org/docs/man1.0.2/crypto/PKCS7_sign.html - pub fn sign( - signcert: &X509Ref, - pkey: &PKeyRef, - certs: &StackRef, - input: &[u8], - flags: Pkcs7Flags, - ) -> Result - where - PT: HasPrivate, - { - let input_bio = MemBioSlice::new(input)?; - unsafe { - cvt_p(ffi::PKCS7_sign( - signcert.as_ptr(), - pkey.as_ptr(), - certs.as_ptr(), - input_bio.as_ptr(), - flags.bits, - )) - .map(Pkcs7) - } - } -} - -impl Pkcs7Ref { - to_pem! { - /// Serializes the data into a PEM-encoded PKCS#7 structure. - /// - /// The output will have a header of `-----BEGIN PKCS7-----`. - /// - /// This corresponds to [`PEM_write_bio_PKCS7`]. - /// - /// [`PEM_write_bio_PKCS7`]: https://www.openssl.org/docs/man1.0.2/crypto/PEM_write_bio_PKCS7.html - to_pem, - ffi::PEM_write_bio_PKCS7 - } - - to_der! { - /// Serializes the data into a DER-encoded PKCS#7 structure. - /// - /// This corresponds to [`i2d_PKCS7`]. - /// - /// [`i2d_PKCS7`]: https://www.openssl.org/docs/man1.1.0/man3/i2d_PKCS7.html - to_der, - ffi::i2d_PKCS7 - } -} - -#[cfg(test)] -mod tests { - use pkcs7::{Pkcs7, Pkcs7Flags}; - use pkey::PKey; - use stack::Stack; - use symm::Cipher; - use x509::store::X509StoreBuilder; - use x509::X509; - - #[test] - fn encrypt_decrypt_test() { - let cert = include_bytes!("../test/certs.pem"); - let cert = X509::from_pem(cert).unwrap(); - let mut certs = Stack::new().unwrap(); - certs.push(cert.clone()).unwrap(); - let message: String = String::from("foo"); - let cypher = Cipher::des_ede3_cbc(); - let flags = Pkcs7Flags::STREAM; - let pkey = include_bytes!("../test/key.pem"); - let pkey = PKey::private_key_from_pem(pkey).unwrap(); - - let pkcs7 = - Pkcs7::encrypt(&certs, message.as_bytes(), cypher, flags).expect("should succeed"); - - let encrypted = pkcs7 - .to_smime(message.as_bytes(), flags) - .expect("should succeed"); - - let (pkcs7_decoded, _) = Pkcs7::from_smime(encrypted.as_slice()).expect("should succeed"); - - let decoded = pkcs7_decoded - .decrypt(&pkey, &cert, Pkcs7Flags::empty()) - .expect("should succeed"); - - assert_eq!(decoded, message.into_bytes()); - } - - #[test] - fn sign_verify_test_detached() { - let cert = include_bytes!("../test/cert.pem"); - let cert = X509::from_pem(cert).unwrap(); - let certs = Stack::new().unwrap(); - let message = "foo"; - let flags = Pkcs7Flags::STREAM | Pkcs7Flags::DETACHED; - let pkey = include_bytes!("../test/key.pem"); - let pkey = PKey::private_key_from_pem(pkey).unwrap(); - let mut store_builder = X509StoreBuilder::new().expect("should succeed"); - - let root_ca = include_bytes!("../test/root-ca.pem"); - let root_ca = X509::from_pem(root_ca).unwrap(); - store_builder.add_cert(root_ca).expect("should succeed"); - - let store = store_builder.build(); - - let pkcs7 = - Pkcs7::sign(&cert, &pkey, &certs, message.as_bytes(), flags).expect("should succeed"); - - let signed = pkcs7 - .to_smime(message.as_bytes(), flags) - .expect("should succeed"); - println!("{:?}", String::from_utf8(signed.clone()).unwrap()); - let (pkcs7_decoded, content) = - Pkcs7::from_smime(signed.as_slice()).expect("should succeed"); - - let mut output = Vec::new(); - pkcs7_decoded - .verify( - &certs, - &store, - Some(message.as_bytes()), - Some(&mut output), - flags, - ) - .expect("should succeed"); - - assert_eq!(output, message.as_bytes()); - assert_eq!(content.expect("should be non-empty"), message.as_bytes()); - } - - #[test] - fn sign_verify_test_normal() { - let cert = include_bytes!("../test/cert.pem"); - let cert = X509::from_pem(cert).unwrap(); - let certs = Stack::new().unwrap(); - let message = "foo"; - let flags = Pkcs7Flags::STREAM; - let pkey = include_bytes!("../test/key.pem"); - let pkey = PKey::private_key_from_pem(pkey).unwrap(); - let mut store_builder = X509StoreBuilder::new().expect("should succeed"); - - let root_ca = include_bytes!("../test/root-ca.pem"); - let root_ca = X509::from_pem(root_ca).unwrap(); - store_builder.add_cert(root_ca).expect("should succeed"); - - let store = store_builder.build(); - - let pkcs7 = - Pkcs7::sign(&cert, &pkey, &certs, message.as_bytes(), flags).expect("should succeed"); - - let signed = pkcs7 - .to_smime(message.as_bytes(), flags) - .expect("should succeed"); - - let (pkcs7_decoded, content) = - Pkcs7::from_smime(signed.as_slice()).expect("should succeed"); - - let mut output = Vec::new(); - pkcs7_decoded - .verify(&certs, &store, None, Some(&mut output), flags) - .expect("should succeed"); - - assert_eq!(output, message.as_bytes()); - assert!(content.is_none()); - } - - #[test] - fn invalid_from_smime() { - let input = String::from("Invalid SMIME Message"); - let result = Pkcs7::from_smime(input.as_bytes()); - - assert_eq!(result.is_err(), true) - } -} diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index f5688bb7..ec5fb460 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -332,44 +332,6 @@ impl PKey { } } - /// Creates a new `PKey` containing a DSA key. - /// - /// This corresponds to [`EVP_PKEY_assign_DSA`]. - /// - /// [`EVP_PKEY_assign_DSA`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_assign_DSA.html - pub fn from_dsa(dsa: Dsa) -> Result, ErrorStack> { - unsafe { - let evp = cvt_p(ffi::EVP_PKEY_new())?; - let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_DSA, - dsa.as_ptr() as *mut _, - ))?; - mem::forget(dsa); - Ok(pkey) - } - } - - /// Creates a new `PKey` containing a Diffie-Hellman key. - /// - /// This corresponds to [`EVP_PKEY_assign_DH`]. - /// - /// [`EVP_PKEY_assign_DH`]: https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_assign_DH.html - pub fn from_dh(dh: Dh) -> Result, ErrorStack> { - unsafe { - let evp = cvt_p(ffi::EVP_PKEY_new())?; - let pkey = PKey::from_ptr(evp); - cvt(ffi::EVP_PKEY_assign( - pkey.0, - ffi::EVP_PKEY_DH, - dh.as_ptr() as *mut _, - ))?; - mem::forget(dh); - Ok(pkey) - } - } - /// Creates a new `PKey` containing an elliptic curve key. /// /// This corresponds to [`EVP_PKEY_assign_EC_KEY`]. @@ -573,8 +535,6 @@ cfg_if! { #[cfg(test)] mod tests { - use dh::Dh; - use dsa::Dsa; use ec::EcKey; use nid::Nid; use rsa::Rsa; @@ -665,25 +625,6 @@ mod tests { assert!(pkey.dsa().is_err()); } - #[test] - fn test_dsa_accessor() { - let dsa = Dsa::generate(2048).unwrap(); - let pkey = PKey::from_dsa(dsa).unwrap(); - pkey.dsa().unwrap(); - assert_eq!(pkey.id(), Id::DSA); - assert!(pkey.rsa().is_err()); - } - - #[test] - fn test_dh_accessor() { - let dh = include_bytes!("../test/dhparams.pem"); - let dh = Dh::params_from_pem(dh).unwrap(); - let pkey = PKey::from_dh(dh).unwrap(); - pkey.dh().unwrap(); - assert_eq!(pkey.id(), Id::DH); - assert!(pkey.rsa().is_err()); - } - #[test] fn test_ec_key_accessor() { let ec_key = EcKey::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index 5678d9d6..dfacd203 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -34,33 +34,6 @@ //! verifier.update(data2).unwrap(); //! assert!(verifier.verify(&signature).unwrap()); //! ``` -//! -//! Compute an HMAC: -//! -//! ```rust -//! use openssl::hash::MessageDigest; -//! use openssl::memcmp; -//! use openssl::pkey::PKey; -//! use openssl::sign::Signer; -//! -//! // Create a PKey -//! let key = PKey::hmac(b"my secret").unwrap(); -//! -//! let data = b"hello, world!"; -//! let data2 = b"hola, mundo!"; -//! -//! // Compute the HMAC -//! let mut signer = Signer::new(MessageDigest::sha256(), &key).unwrap(); -//! signer.update(data).unwrap(); -//! signer.update(data2).unwrap(); -//! let hmac = signer.sign_to_vec().unwrap(); -//! -//! // `Verifier` cannot be used with HMACs; use the `memcmp::eq` function instead -//! // -//! // Do not simply check for equality with `==`! -//! # let target = hmac.clone(); -//! assert!(memcmp::eq(&hmac, &target)); -//! ``` use ffi; use foreign_types::ForeignTypeRef; use libc::c_int; @@ -637,14 +610,13 @@ unsafe fn EVP_DigestVerifyFinal( #[cfg(test)] mod test { use hex::{self, FromHex}; - use std::iter; use ec::{EcGroup, EcKey}; use hash::MessageDigest; use nid::Nid; use pkey::PKey; use rsa::{Padding, Rsa}; - use sign::{RsaPssSaltlen, Signer, Verifier}; + use sign::{Signer, Verifier}; const INPUT: &str = "65794a68624763694f694a53557a49314e694a392e65794a7063334d694f694a71623255694c41304b49434a6c\ @@ -698,124 +670,6 @@ mod test { assert!(!verifier.verify(&Vec::from_hex(SIGNATURE).unwrap()).unwrap()); } - fn test_hmac(ty: MessageDigest, tests: &[(Vec, Vec, Vec)]) { - for &(ref key, ref data, ref res) in tests.iter() { - let pkey = PKey::hmac(key).unwrap(); - let mut signer = Signer::new(ty, &pkey).unwrap(); - signer.update(data).unwrap(); - assert_eq!(signer.sign_to_vec().unwrap(), *res); - } - } - - #[test] - fn hmac_md5() { - // test vectors from RFC 2202 - let tests: [(Vec, Vec, Vec); 7] = [ - ( - iter::repeat(0x0b_u8).take(16).collect(), - b"Hi There".to_vec(), - Vec::from_hex("9294727a3638bb1c13f48ef8158bfc9d").unwrap(), - ), - ( - b"Jefe".to_vec(), - b"what do ya want for nothing?".to_vec(), - Vec::from_hex("750c783e6ab0b503eaa86e310a5db738").unwrap(), - ), - ( - iter::repeat(0xaa_u8).take(16).collect(), - iter::repeat(0xdd_u8).take(50).collect(), - Vec::from_hex("56be34521d144c88dbb8c733f0e8b3f6").unwrap(), - ), - ( - Vec::from_hex("0102030405060708090a0b0c0d0e0f10111213141516171819").unwrap(), - iter::repeat(0xcd_u8).take(50).collect(), - Vec::from_hex("697eaf0aca3a3aea3a75164746ffaa79").unwrap(), - ), - ( - iter::repeat(0x0c_u8).take(16).collect(), - b"Test With Truncation".to_vec(), - Vec::from_hex("56461ef2342edc00f9bab995690efd4c").unwrap(), - ), - ( - iter::repeat(0xaa_u8).take(80).collect(), - b"Test Using Larger Than Block-Size Key - Hash Key First".to_vec(), - Vec::from_hex("6b1ab7fe4bd7bf8f0b62e6ce61b9d0cd").unwrap(), - ), - ( - iter::repeat(0xaa_u8).take(80).collect(), - b"Test Using Larger Than Block-Size Key \ - and Larger Than One Block-Size Data" - .to_vec(), - Vec::from_hex("6f630fad67cda0ee1fb1f562db3aa53e").unwrap(), - ), - ]; - - test_hmac(MessageDigest::md5(), &tests); - } - - #[test] - fn hmac_sha1() { - // test vectors from RFC 2202 - let tests: [(Vec, Vec, Vec); 7] = [ - ( - iter::repeat(0x0b_u8).take(20).collect(), - b"Hi There".to_vec(), - Vec::from_hex("b617318655057264e28bc0b6fb378c8ef146be00").unwrap(), - ), - ( - b"Jefe".to_vec(), - b"what do ya want for nothing?".to_vec(), - Vec::from_hex("effcdf6ae5eb2fa2d27416d5f184df9c259a7c79").unwrap(), - ), - ( - iter::repeat(0xaa_u8).take(20).collect(), - iter::repeat(0xdd_u8).take(50).collect(), - Vec::from_hex("125d7342b9ac11cd91a39af48aa17b4f63f175d3").unwrap(), - ), - ( - Vec::from_hex("0102030405060708090a0b0c0d0e0f10111213141516171819").unwrap(), - iter::repeat(0xcd_u8).take(50).collect(), - Vec::from_hex("4c9007f4026250c6bc8414f9bf50c86c2d7235da").unwrap(), - ), - ( - iter::repeat(0x0c_u8).take(20).collect(), - b"Test With Truncation".to_vec(), - Vec::from_hex("4c1a03424b55e07fe7f27be1d58bb9324a9a5a04").unwrap(), - ), - ( - iter::repeat(0xaa_u8).take(80).collect(), - b"Test Using Larger Than Block-Size Key - Hash Key First".to_vec(), - Vec::from_hex("aa4ae5e15272d00e95705637ce8a3b55ed402112").unwrap(), - ), - ( - iter::repeat(0xaa_u8).take(80).collect(), - b"Test Using Larger Than Block-Size Key \ - and Larger Than One Block-Size Data" - .to_vec(), - Vec::from_hex("e8e99d0f45237d786d6bbaa7965c7808bbff1a91").unwrap(), - ), - ]; - - test_hmac(MessageDigest::sha1(), &tests); - } - - #[test] - #[cfg(ossl110)] - fn test_cmac() { - let cipher = ::symm::Cipher::aes_128_cbc(); - let key = Vec::from_hex("9294727a3638bb1c13f48ef8158bfc9d").unwrap(); - let pkey = PKey::cmac(&cipher, &key).unwrap(); - let mut signer = Signer::new_without_digest(&pkey).unwrap(); - - let data = b"Hi There"; - signer.update(data as &[u8]).unwrap(); - - let expected = vec![ - 136, 101, 61, 167, 61, 30, 248, 234, 124, 166, 196, 157, 203, 52, 171, 19, - ]; - assert_eq!(signer.sign_to_vec().unwrap(), expected); - } - #[test] fn ec() { let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index 5d35b0f6..2022448c 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs @@ -15,11 +15,9 @@ use std::slice; use std::str; use std::sync::Arc; -use dh::Dh; #[cfg(all(ossl101, not(ossl110)))] use ec::EcKey; use error::ErrorStack; -use pkey::Params; #[cfg(any(ossl102, libressl261))] use ssl::AlpnError; #[cfg(ossl111)] @@ -205,33 +203,6 @@ where } } -pub unsafe extern "C" fn raw_tmp_dh( - ssl: *mut ffi::SSL, - is_export: c_int, - keylength: c_int, -) -> *mut ffi::DH -where - F: Fn(&mut SslRef, bool, u32) -> Result, ErrorStack> + 'static + Sync + Send, -{ - let ssl = SslRef::from_ptr_mut(ssl); - let callback = ssl - .ssl_context() - .ex_data(SslContext::cached_ex_index::()) - .expect("BUG: tmp dh callback missing") as *const F; - - match (*callback)(ssl, is_export != 0, keylength as u32) { - Ok(dh) => { - let ptr = dh.as_ptr(); - mem::forget(dh); - ptr - } - Err(e) => { - e.put(); - ptr::null_mut() - } - } -} - #[cfg(all(ossl101, not(ossl110)))] pub unsafe extern "C" fn raw_tmp_ecdh( ssl: *mut ffi::SSL, @@ -260,33 +231,6 @@ where } } -pub unsafe extern "C" fn raw_tmp_dh_ssl( - ssl: *mut ffi::SSL, - is_export: c_int, - keylength: c_int, -) -> *mut ffi::DH -where - F: Fn(&mut SslRef, bool, u32) -> Result, ErrorStack> + 'static + Sync + Send, -{ - let ssl = SslRef::from_ptr_mut(ssl); - let callback = ssl - .ex_data(Ssl::cached_ex_index::>()) - .expect("BUG: ssl tmp dh callback missing") - .clone(); - - match callback(ssl, is_export != 0, keylength as u32) { - Ok(dh) => { - let ptr = dh.as_ptr(); - mem::forget(dh); - ptr - } - Err(e) => { - e.put(); - ptr::null_mut() - } - } -} - #[cfg(all(ossl101, not(ossl110)))] pub unsafe extern "C" fn raw_tmp_ecdh_ssl( ssl: *mut ffi::SSL, diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 96ec4588..9a5c6694 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -78,7 +78,7 @@ use std::slice; use std::str; use std::sync::{Arc, Mutex}; -use dh::{Dh, DhRef}; +use dh::DhRef; #[cfg(all(ossl101, not(ossl110)))] use ec::EcKey; use ec::EcKeyRef; @@ -197,7 +197,6 @@ bitflags! { /// Disables the use of TLSv1.3. /// /// Requires OpenSSL 1.1.1 or newer. - #[cfg(ossl111)] const NO_TLSV1_3 = ffi::SSL_OP_NO_TLSv1_3; /// Disables the use of DTLSv1.0 @@ -796,26 +795,6 @@ impl SslContextBuilder { unsafe { cvt(ffi::SSL_CTX_set_tmp_dh(self.as_ptr(), dh.as_ptr()) as c_int).map(|_| ()) } } - /// Sets the callback which will generate parameters to be used during ephemeral Diffie-Hellman - /// key exchange. - /// - /// The callback is provided with a reference to the `Ssl` for the session, as well as a boolean - /// indicating if the selected cipher is export-grade, and the key length. The export and key - /// length options are archaic and should be ignored in almost all cases. - /// - /// This corresponds to [`SSL_CTX_set_tmp_dh_callback`]. - /// - /// [`SSL_CTX_set_tmp_dh_callback`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_tmp_dh.html - pub fn set_tmp_dh_callback(&mut self, callback: F) - where - F: Fn(&mut SslRef, bool, u32) -> Result, ErrorStack> + 'static + Sync + Send, - { - unsafe { - self.set_ex_data(SslContext::cached_ex_index::(), callback); - ffi::SSL_CTX_set_tmp_dh_callback(self.as_ptr(), raw_tmp_dh::); - } - } - /// Sets the parameters to be used during ephemeral elliptic curve Diffie-Hellman key exchange. /// /// This corresponds to `SSL_CTX_set_tmp_ecdh`. @@ -2414,23 +2393,6 @@ impl SslRef { unsafe { cvt(ffi::SSL_set_tmp_dh(self.as_ptr(), dh.as_ptr()) as c_int).map(|_| ()) } } - /// Like [`SslContextBuilder::set_tmp_dh_callback`]. - /// - /// This corresponds to [`SSL_set_tmp_dh_callback`]. - /// - /// [`SslContextBuilder::set_tmp_dh_callback`]: struct.SslContextBuilder.html#method.set_tmp_dh_callback - /// [`SSL_set_tmp_dh_callback`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_set_tmp_dh.html - pub fn set_tmp_dh_callback(&mut self, callback: F) - where - F: Fn(&mut SslRef, bool, u32) -> Result, ErrorStack> + 'static + Sync + Send, - { - unsafe { - // this needs to be in an Arc since the callback can register a new callback! - self.set_ex_data(Ssl::cached_ex_index(), Arc::new(callback)); - ffi::SSL_set_tmp_dh_callback(self.as_ptr(), raw_tmp_dh_ssl::); - } - } - /// Like [`SslContextBuilder::set_tmp_ecdh`]. /// /// This corresponds to `SSL_set_tmp_ecdh`. diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs index 8233e6f7..a677b3ab 100644 --- a/openssl/src/ssl/test/mod.rs +++ b/openssl/src/ssl/test/mod.rs @@ -19,7 +19,6 @@ use tempdir::TempDir; use dh::Dh; use error::ErrorStack; use hash::MessageDigest; -use ocsp::{OcspResponse, OcspResponseStatus}; use pkey::PKey; use srtp::SrtpProfileId; use ssl; @@ -296,7 +295,8 @@ fn state() { let server = Server::builder().build(); let s = server.client().connect(); - assert_eq!(s.ssl().state_string(), "SSLOK "); + // NOTE: Boring returs a placeholder string for state_string + assert_eq!(s.ssl().state_string(), "!!!!!!"); assert_eq!( s.ssl().state_string_long(), "SSL negotiation finished successfully" @@ -453,16 +453,17 @@ fn test_alpn_server_advertise_multiple() { #[cfg(any(ossl110))] fn test_alpn_server_select_none_fatal() { let mut server = Server::builder(); + // NOTE: in Boring all alpn errors are treated as SSL_TLSEXT_ERR_NOACK server.ctx().set_alpn_select_callback(|_, client| { ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client) .ok_or(ssl::AlpnError::ALERT_FATAL) }); - server.should_error(); let server = server.build(); let mut client = server.client(); client.ctx().set_alpn_protos(b"\x06http/2").unwrap(); - client.connect_err(); + let s = client.connect(); + assert_eq!(None, s.ssl().selected_alpn_protocol()); } #[test] @@ -840,29 +841,6 @@ fn cert_store() { client.connect(); } -#[test] -fn tmp_dh_callback() { - static CALLED_BACK: AtomicBool = AtomicBool::new(false); - - let mut server = Server::builder(); - server.ctx().set_tmp_dh_callback(|_, _, _| { - CALLED_BACK.store(true, Ordering::SeqCst); - let dh = include_bytes!("../../../test/dhparams.pem"); - Dh::params_from_pem(dh) - }); - - let server = server.build(); - - let mut client = server.client(); - // TLS 1.3 has no DH suites, so make sure we don't pick that version - #[cfg(ossl111)] - client.ctx().set_options(super::SslOptions::NO_TLSV1_3); - client.ctx().set_cipher_list("EDH").unwrap(); - client.connect(); - - assert!(CALLED_BACK.load(Ordering::SeqCst)); -} - #[test] #[cfg(all(ossl101, not(ossl110)))] fn tmp_ecdh_callback() { @@ -886,31 +864,6 @@ fn tmp_ecdh_callback() { assert!(CALLED_BACK.load(Ordering::SeqCst)); } -#[test] -fn tmp_dh_callback_ssl() { - static CALLED_BACK: AtomicBool = AtomicBool::new(false); - - let mut server = Server::builder(); - server.ssl_cb(|ssl| { - ssl.set_tmp_dh_callback(|_, _, _| { - CALLED_BACK.store(true, Ordering::SeqCst); - let dh = include_bytes!("../../../test/dhparams.pem"); - Dh::params_from_pem(dh) - }); - }); - - let server = server.build(); - - let mut client = server.client(); - // TLS 1.3 has no DH suites, so make sure we don't pick that version - #[cfg(ossl111)] - client.ctx().set_options(super::SslOptions::NO_TLSV1_3); - client.ctx().set_cipher_list("EDH").unwrap(); - client.connect(); - - assert!(CALLED_BACK.load(Ordering::SeqCst)); -} - #[test] #[cfg(all(ossl101, not(ossl110)))] fn tmp_ecdh_callback_ssl() { @@ -959,44 +912,6 @@ fn active_session() { assert_eq!(copied, len); } -#[test] -fn status_callbacks() { - static CALLED_BACK_SERVER: AtomicBool = AtomicBool::new(false); - static CALLED_BACK_CLIENT: AtomicBool = AtomicBool::new(false); - - let mut server = Server::builder(); - server - .ctx() - .set_status_callback(|ssl| { - CALLED_BACK_SERVER.store(true, Ordering::SeqCst); - let response = OcspResponse::create(OcspResponseStatus::UNAUTHORIZED, None).unwrap(); - let response = response.to_der().unwrap(); - ssl.set_ocsp_status(&response).unwrap(); - Ok(true) - }) - .unwrap(); - - let server = server.build(); - - let mut client = server.client(); - client - .ctx() - .set_status_callback(|ssl| { - CALLED_BACK_CLIENT.store(true, Ordering::SeqCst); - let response = OcspResponse::from_der(ssl.ocsp_status().unwrap()).unwrap(); - assert_eq!(response.status(), OcspResponseStatus::UNAUTHORIZED); - Ok(true) - }) - .unwrap(); - - let mut client = client.build().builder(); - client.ssl().set_status_type(StatusType::OCSP).unwrap(); - - client.connect(); - - assert!(CALLED_BACK_SERVER.load(Ordering::SeqCst)); - assert!(CALLED_BACK_CLIENT.load(Ordering::SeqCst)); -} #[test] fn new_session_callback() { @@ -1326,7 +1241,6 @@ fn psk_ciphers() { let mut client = server.client(); // This test relies on TLS 1.2 suites - #[cfg(ossl111)] client.ctx().set_options(super::SslOptions::NO_TLSV1_3); client.ctx().set_cipher_list(CIPHER).unwrap(); client diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index 08604849..9e5093de 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -834,37 +834,6 @@ mod tests { } } - fn cipher_test_nopad(ciphertype: super::Cipher, pt: &str, ct: &str, key: &str, iv: &str) { - let pt = Vec::from_hex(pt).unwrap(); - let ct = Vec::from_hex(ct).unwrap(); - let key = Vec::from_hex(key).unwrap(); - let iv = Vec::from_hex(iv).unwrap(); - - let computed = { - let mut c = Crypter::new(ciphertype, Mode::Decrypt, &key, Some(&iv)).unwrap(); - c.pad(false); - let mut out = vec![0; ct.len() + ciphertype.block_size()]; - let count = c.update(&ct, &mut out).unwrap(); - let rest = c.finalize(&mut out[count..]).unwrap(); - out.truncate(count + rest); - out - }; - let expected = pt; - - if computed != expected { - println!("Computed: {}", hex::encode(&computed)); - println!("Expected: {}", hex::encode(&expected)); - if computed.len() != expected.len() { - println!( - "Lengths differ: {} in computed vs {} expected", - computed.len(), - expected.len() - ); - } - panic!("test failure"); - } - } - #[test] fn test_rc4() { let pt = "0000000000000000000000000000000000000000000000000000000000000000000000000000"; @@ -875,21 +844,6 @@ mod tests { cipher_test(super::Cipher::rc4(), pt, ct, key, iv); } - #[test] - fn test_aes256_xts() { - // Test case 174 from - // http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip - let pt = "77f4ef63d734ebd028508da66c22cdebdd52ecd6ee2ab0a50bc8ad0cfd692ca5fcd4e6dedc45df7f\ - 6503f462611dc542"; - let ct = "ce7d905a7776ac72f240d22aafed5e4eb7566cdc7211220e970da634ce015f131a5ecb8d400bc9e8\ - 4f0b81d8725dbbc7"; - let key = "b6bfef891f83b5ff073f2231267be51eb084b791fa19a154399c0684c8b2dfcb37de77d28bbda3b\ - 4180026ad640b74243b3133e7b9fae629403f6733423dae28"; - let iv = "db200efb7eaaa737dbdf40babb68953f"; - - cipher_test(super::Cipher::aes_256_xts(), pt, ct, key, iv); - } - #[test] fn test_aes128_ctr() { let pt = "6BC1BEE22E409F96E93D7E117393172AAE2D8A571E03AC9C9EB76FAC45AF8E5130C81C46A35CE411\ @@ -902,38 +856,6 @@ mod tests { cipher_test(super::Cipher::aes_128_ctr(), pt, ct, key, iv); } - #[test] - fn test_aes128_cfb1() { - // Lifted from http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf - - let pt = "6bc1"; - let ct = "68b3"; - let key = "2b7e151628aed2a6abf7158809cf4f3c"; - let iv = "000102030405060708090a0b0c0d0e0f"; - - cipher_test(super::Cipher::aes_128_cfb1(), pt, ct, key, iv); - } - - #[test] - fn test_aes128_cfb128() { - let pt = "6bc1bee22e409f96e93d7e117393172a"; - let ct = "3b3fd92eb72dad20333449f8e83cfb4a"; - let key = "2b7e151628aed2a6abf7158809cf4f3c"; - let iv = "000102030405060708090a0b0c0d0e0f"; - - cipher_test(super::Cipher::aes_128_cfb128(), pt, ct, key, iv); - } - - #[test] - fn test_aes128_cfb8() { - let pt = "6bc1bee22e409f96e93d7e117393172aae2d"; - let ct = "3b79424c9c0dd436bace9e0ed4586a4f32b9"; - let key = "2b7e151628aed2a6abf7158809cf4f3c"; - let iv = "000102030405060708090a0b0c0d0e0f"; - - cipher_test(super::Cipher::aes_128_cfb8(), pt, ct, key, iv); - } - #[test] fn test_aes128_ofb() { // Lifted from http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf @@ -958,42 +880,6 @@ mod tests { cipher_test(super::Cipher::aes_192_ctr(), pt, ct, key, iv); } - #[test] - fn test_aes192_cfb1() { - // Lifted from http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf - - let pt = "6bc1"; - let ct = "9359"; - let key = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"; - let iv = "000102030405060708090a0b0c0d0e0f"; - - cipher_test(super::Cipher::aes_192_cfb1(), pt, ct, key, iv); - } - - #[test] - fn test_aes192_cfb128() { - // Lifted from http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf - - let pt = "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710"; - let ct = "cdc80d6fddf18cab34c25909c99a417467ce7f7f81173621961a2b70171d3d7a2e1e8a1dd59b88b1c8e60fed1efac4c9c05f9f9ca9834fa042ae8fba584b09ff"; - let key = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"; - let iv = "000102030405060708090a0b0c0d0e0f"; - - cipher_test(super::Cipher::aes_192_cfb128(), pt, ct, key, iv); - } - - #[test] - fn test_aes192_cfb8() { - // Lifted from http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf - - let pt = "6bc1bee22e409f96e93d7e117393172aae2d"; - let ct = "cda2521ef0a905ca44cd057cbf0d47a0678a"; - let key = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"; - let iv = "000102030405060708090a0b0c0d0e0f"; - - cipher_test(super::Cipher::aes_192_cfb8(), pt, ct, key, iv); - } - #[test] fn test_aes192_ofb() { // Lifted from http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf @@ -1006,36 +892,6 @@ mod tests { cipher_test(super::Cipher::aes_192_ofb(), pt, ct, key, iv); } - #[test] - fn test_aes256_cfb1() { - let pt = "6bc1"; - let ct = "9029"; - let key = "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"; - let iv = "000102030405060708090a0b0c0d0e0f"; - - cipher_test(super::Cipher::aes_256_cfb1(), pt, ct, key, iv); - } - - #[test] - fn test_aes256_cfb128() { - let pt = "6bc1bee22e409f96e93d7e117393172a"; - let ct = "dc7e84bfda79164b7ecd8486985d3860"; - let key = "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"; - let iv = "000102030405060708090a0b0c0d0e0f"; - - cipher_test(super::Cipher::aes_256_cfb128(), pt, ct, key, iv); - } - - #[test] - fn test_aes256_cfb8() { - let pt = "6bc1bee22e409f96e93d7e117393172aae2d"; - let ct = "dc1f1a8520a64db55fcc8ac554844e889700"; - let key = "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"; - let iv = "000102030405060708090a0b0c0d0e0f"; - - cipher_test(super::Cipher::aes_256_cfb8(), pt, ct, key, iv); - } - #[test] fn test_aes256_ofb() { // Lifted from http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf @@ -1048,48 +904,6 @@ mod tests { cipher_test(super::Cipher::aes_256_ofb(), pt, ct, key, iv); } - #[test] - fn test_bf_cbc() { - // https://www.schneier.com/code/vectors.txt - - let pt = "37363534333231204E6F77206973207468652074696D6520666F722000000000"; - let ct = "6B77B4D63006DEE605B156E27403979358DEB9E7154616D959F1652BD5FF92CC"; - let key = "0123456789ABCDEFF0E1D2C3B4A59687"; - let iv = "FEDCBA9876543210"; - - cipher_test_nopad(super::Cipher::bf_cbc(), pt, ct, key, iv); - } - - #[test] - fn test_bf_ecb() { - let pt = "5CD54CA83DEF57DA"; - let ct = "B1B8CC0B250F09A0"; - let key = "0131D9619DC1376E"; - let iv = "0000000000000000"; - - cipher_test_nopad(super::Cipher::bf_ecb(), pt, ct, key, iv); - } - - #[test] - fn test_bf_cfb64() { - let pt = "37363534333231204E6F77206973207468652074696D6520666F722000"; - let ct = "E73214A2822139CAF26ECF6D2EB9E76E3DA3DE04D1517200519D57A6C3"; - let key = "0123456789ABCDEFF0E1D2C3B4A59687"; - let iv = "FEDCBA9876543210"; - - cipher_test_nopad(super::Cipher::bf_cfb64(), pt, ct, key, iv); - } - - #[test] - fn test_bf_ofb() { - let pt = "37363534333231204E6F77206973207468652074696D6520666F722000"; - let ct = "E73214A2822139CA62B343CC5B65587310DD908D0C241B2263C2CF80DA"; - let key = "0123456789ABCDEFF0E1D2C3B4A59687"; - let iv = "FEDCBA9876543210"; - - cipher_test_nopad(super::Cipher::bf_ofb(), pt, ct, key, iv); - } - #[test] fn test_des_cbc() { let pt = "54686973206973206120746573742e"; @@ -1130,16 +944,6 @@ mod tests { cipher_test(super::Cipher::des_ede3_cbc(), pt, ct, key, iv); } - #[test] - fn test_des_ede3_cfb64() { - let pt = "2b1773784b5889dc788477367daa98ad"; - let ct = "6f2867cfefda048a4046ef7e556c7132"; - let key = "7cb66337f3d3c0fe7cb66337f3d3c0fe7cb66337f3d3c0fe"; - let iv = "0001020304050607"; - - cipher_test(super::Cipher::des_ede3_cfb64(), pt, ct, key, iv); - } - #[test] fn test_aes128_gcm() { let key = "0e00c76561d2bd9b40c3c15427e2b08f"; @@ -1181,228 +985,4 @@ mod tests { .unwrap(); assert_eq!(pt, hex::encode(out)); } - - #[test] - fn test_aes128_ccm() { - let key = "3ee186594f110fb788a8bf8aa8be5d4a"; - let nonce = "44f705d52acf27b7f17196aa9b"; - let aad = "2c16724296ff85e079627be3053ea95adf35722c21886baba343bd6c79b5cb57"; - - let pt = "d71864877f2578db092daba2d6a1f9f4698a9c356c7830a1"; - let ct = "b4dd74e7a0cc51aea45dfb401a41d5822c96901a83247ea0"; - let tag = "d6965f5aa6e31302a9cc2b36"; - - let mut actual_tag = [0; 12]; - let out = encrypt_aead( - Cipher::aes_128_ccm(), - &Vec::from_hex(key).unwrap(), - Some(&Vec::from_hex(nonce).unwrap()), - &Vec::from_hex(aad).unwrap(), - &Vec::from_hex(pt).unwrap(), - &mut actual_tag, - ) - .unwrap(); - - assert_eq!(ct, hex::encode(out)); - assert_eq!(tag, hex::encode(actual_tag)); - - let out = decrypt_aead( - Cipher::aes_128_ccm(), - &Vec::from_hex(key).unwrap(), - Some(&Vec::from_hex(nonce).unwrap()), - &Vec::from_hex(aad).unwrap(), - &Vec::from_hex(ct).unwrap(), - &Vec::from_hex(tag).unwrap(), - ) - .unwrap(); - assert_eq!(pt, hex::encode(out)); - } - - #[test] - fn test_aes128_ccm_verify_fail() { - let key = "3ee186594f110fb788a8bf8aa8be5d4a"; - let nonce = "44f705d52acf27b7f17196aa9b"; - let aad = "2c16724296ff85e079627be3053ea95adf35722c21886baba343bd6c79b5cb57"; - - let ct = "b4dd74e7a0cc51aea45dfb401a41d5822c96901a83247ea0"; - let tag = "00005f5aa6e31302a9cc2b36"; - - let out = decrypt_aead( - Cipher::aes_128_ccm(), - &Vec::from_hex(key).unwrap(), - Some(&Vec::from_hex(nonce).unwrap()), - &Vec::from_hex(aad).unwrap(), - &Vec::from_hex(ct).unwrap(), - &Vec::from_hex(tag).unwrap(), - ); - assert!(out.is_err()); - } - - #[test] - fn test_aes256_ccm() { - let key = "7f4af6765cad1d511db07e33aaafd57646ec279db629048aa6770af24849aa0d"; - let nonce = "dde2a362ce81b2b6913abc3095"; - let aad = "404f5df97ece7431987bc098cce994fc3c063b519ffa47b0365226a0015ef695"; - - let pt = "7ebef26bf4ecf6f0ebb2eb860edbf900f27b75b4a6340fdb"; - let ct = "353022db9c568bd7183a13c40b1ba30fcc768c54264aa2cd"; - let tag = "2927a053c9244d3217a7ad05"; - - let mut actual_tag = [0; 12]; - let out = encrypt_aead( - Cipher::aes_256_ccm(), - &Vec::from_hex(key).unwrap(), - Some(&Vec::from_hex(nonce).unwrap()), - &Vec::from_hex(aad).unwrap(), - &Vec::from_hex(pt).unwrap(), - &mut actual_tag, - ) - .unwrap(); - - assert_eq!(ct, hex::encode(out)); - assert_eq!(tag, hex::encode(actual_tag)); - - let out = decrypt_aead( - Cipher::aes_256_ccm(), - &Vec::from_hex(key).unwrap(), - Some(&Vec::from_hex(nonce).unwrap()), - &Vec::from_hex(aad).unwrap(), - &Vec::from_hex(ct).unwrap(), - &Vec::from_hex(tag).unwrap(), - ) - .unwrap(); - assert_eq!(pt, hex::encode(out)); - } - - #[test] - fn test_aes256_ccm_verify_fail() { - let key = "7f4af6765cad1d511db07e33aaafd57646ec279db629048aa6770af24849aa0d"; - let nonce = "dde2a362ce81b2b6913abc3095"; - let aad = "404f5df97ece7431987bc098cce994fc3c063b519ffa47b0365226a0015ef695"; - - let ct = "353022db9c568bd7183a13c40b1ba30fcc768c54264aa2cd"; - let tag = "0000a053c9244d3217a7ad05"; - - let out = decrypt_aead( - Cipher::aes_256_ccm(), - &Vec::from_hex(key).unwrap(), - Some(&Vec::from_hex(nonce).unwrap()), - &Vec::from_hex(aad).unwrap(), - &Vec::from_hex(ct).unwrap(), - &Vec::from_hex(tag).unwrap(), - ); - assert!(out.is_err()); - } - - #[test] - #[cfg(ossl110)] - fn test_aes_128_ocb() { - let key = "000102030405060708090a0b0c0d0e0f"; - let aad = "0001020304050607"; - let tag = "16dc76a46d47e1ead537209e8a96d14e"; - let iv = "000102030405060708090a0b"; - let pt = "0001020304050607"; - let ct = "92b657130a74b85a"; - - let mut actual_tag = [0; 16]; - let out = encrypt_aead( - Cipher::aes_128_ocb(), - &Vec::from_hex(key).unwrap(), - Some(&Vec::from_hex(iv).unwrap()), - &Vec::from_hex(aad).unwrap(), - &Vec::from_hex(pt).unwrap(), - &mut actual_tag, - ) - .unwrap(); - - assert_eq!(ct, hex::encode(out)); - assert_eq!(tag, hex::encode(actual_tag)); - - let out = decrypt_aead( - Cipher::aes_128_ocb(), - &Vec::from_hex(key).unwrap(), - Some(&Vec::from_hex(iv).unwrap()), - &Vec::from_hex(aad).unwrap(), - &Vec::from_hex(ct).unwrap(), - &Vec::from_hex(tag).unwrap(), - ) - .unwrap(); - assert_eq!(pt, hex::encode(out)); - } - - #[test] - #[cfg(ossl110)] - fn test_aes_128_ocb_fail() { - let key = "000102030405060708090a0b0c0d0e0f"; - let aad = "0001020304050607"; - let tag = "16dc76a46d47e1ead537209e8a96d14e"; - let iv = "000000000405060708090a0b"; - let ct = "92b657130a74b85a"; - - let out = decrypt_aead( - Cipher::aes_128_ocb(), - &Vec::from_hex(key).unwrap(), - Some(&Vec::from_hex(iv).unwrap()), - &Vec::from_hex(aad).unwrap(), - &Vec::from_hex(ct).unwrap(), - &Vec::from_hex(tag).unwrap(), - ); - assert!(out.is_err()); - } - - #[test] - #[cfg(any(ossl110))] - fn test_chacha20() { - let key = "0000000000000000000000000000000000000000000000000000000000000000"; - let iv = "00000000000000000000000000000000"; - let pt = - "000000000000000000000000000000000000000000000000000000000000000000000000000000000\ - 00000000000000000000000000000000000000000000000"; - let ct = - "76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7\ - 724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586"; - - cipher_test(Cipher::chacha20(), pt, ct, key, iv); - } - - #[test] - #[cfg(any(ossl110))] - fn test_chacha20_poly1305() { - let key = "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"; - let iv = "070000004041424344454647"; - let aad = "50515253c0c1c2c3c4c5c6c7"; - let pt = - "4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393\ - a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f722074\ - 6865206675747572652c2073756e73637265656e20776f756c642062652069742e"; - let ct = - "d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca967128\ - 2fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fa\ - b324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116"; - let tag = "1ae10b594f09e26a7e902ecbd0600691"; - - let mut actual_tag = [0; 16]; - let out = encrypt_aead( - Cipher::chacha20_poly1305(), - &Vec::from_hex(key).unwrap(), - Some(&Vec::from_hex(iv).unwrap()), - &Vec::from_hex(aad).unwrap(), - &Vec::from_hex(pt).unwrap(), - &mut actual_tag, - ) - .unwrap(); - assert_eq!(ct, hex::encode(out)); - assert_eq!(tag, hex::encode(actual_tag)); - - let out = decrypt_aead( - Cipher::chacha20_poly1305(), - &Vec::from_hex(key).unwrap(), - Some(&Vec::from_hex(iv).unwrap()), - &Vec::from_hex(aad).unwrap(), - &Vec::from_hex(ct).unwrap(), - &Vec::from_hex(tag).unwrap(), - ) - .unwrap(); - assert_eq!(pt, hex::encode(out)); - } } diff --git a/openssl/src/version.rs b/openssl/src/version.rs index 0d2d5bb6..7c2d4085 100644 --- a/openssl/src/version.rs +++ b/openssl/src/version.rs @@ -114,17 +114,8 @@ fn test_versions() { println!("Platform: '{}'", platform()); println!("Dir: '{}'", dir()); - #[cfg(not(libressl))] - fn expected_name() -> &'static str { - "OpenSSL" - } - #[cfg(libressl)] - fn expected_name() -> &'static str { - "LibreSSL" - } - assert!(number() > 0); - assert!(version().starts_with(expected_name())); + assert!(version().starts_with("BoringSSL")); assert!(c_flags().starts_with("compiler:")); assert!(built_on().starts_with("built on:")); assert!(dir().starts_with("OPENSSLDIR:")); diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 0aa75582..9cc7352c 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -655,6 +655,7 @@ impl X509 { ffi::PEM_read_bio_X509(bio.as_ptr(), ptr::null_mut(), None, ptr::null_mut()); if r.is_null() { let err = ffi::ERR_peek_last_error(); + if ffi::ERR_GET_LIB(err) == ffi::ERR_LIB_PEM && ffi::ERR_GET_REASON(err) == ffi::PEM_R_NO_START_LINE { diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 1f636b30..dbd3920b 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -36,7 +36,8 @@ fn test_debug() { let cert = include_bytes!("../../test/cert.pem"); let cert = X509::from_pem(cert).unwrap(); let debugged = format!("{:#?}", cert); - assert!(debugged.contains(r#"serial_number: "8771F7BDEE982FA5""#)); + + assert!(debugged.contains(r#"serial_number: "8771f7bdee982fa5""#)); assert!(debugged.contains(r#"signature_algorithm: sha256WithRSAEncryption"#)); assert!(debugged.contains(r#"countryName = "AU""#)); assert!(debugged.contains(r#"stateOrProvinceName = "Some-State""#));