
enable x509 verify and groups list for boringssl
zh-jq committed Jan 25, 2024
1 parent 2ed3c60 commit e1d8559
Showing 6 changed files with 58 additions and 58 deletions.
2 changes: 1 addition & 1 deletion openssl-sys/src/ssl.rs
Expand Up @@ -411,7 +411,7 @@ cfg_if! {
s as *const c_void as *mut c_void,
)
}
} else if #[cfg(libressl251)] {
} else if #[cfg(any(boringssl, libressl251))] {
extern "C" {
pub fn SSL_CTX_set1_groups_list(ctx: *mut SSL_CTX, s: *const c_char) -> c_int;
}
18 changes: 9 additions & 9 deletions openssl/src/ssl/mod.rs
Expand Up @@ -79,7 +79,7 @@ use crate::ssl::error::InnerError;
use crate::stack::{Stack, StackRef, Stackable};
use crate::util::{ForeignTypeExt, ForeignTypeRefExt};
use crate::x509::store::{X509Store, X509StoreBuilderRef, X509StoreRef};
#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
use crate::x509::verify::X509VerifyParamRef;
use crate::x509::{X509Name, X509Ref, X509StoreContextRef, X509VerifyResult, X509};
use crate::{cvt, cvt_n, cvt_p, init};
Expand Down Expand Up @@ -1307,18 +1307,18 @@ impl SslContextBuilder {

/// Returns a reference to the X509 verification configuration.
///
/// Requires OpenSSL 1.0.2 or newer.
/// Requires BoringSSL or OpenSSL 1.0.2 or newer.
#[corresponds(SSL_CTX_get0_param)]
#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
pub fn verify_param(&self) -> &X509VerifyParamRef {
unsafe { X509VerifyParamRef::from_ptr(ffi::SSL_CTX_get0_param(self.as_ptr())) }
}

/// Returns a mutable reference to the X509 verification configuration.
///
/// Requires OpenSSL 1.0.2 or newer.
/// Requires BoringSSL or OpenSSL 1.0.2 or newer.
#[corresponds(SSL_CTX_get0_param)]
#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
pub fn verify_param_mut(&mut self) -> &mut X509VerifyParamRef {
unsafe { X509VerifyParamRef::from_ptr_mut(ffi::SSL_CTX_get0_param(self.as_ptr())) }
}
Expand Down Expand Up @@ -1719,9 +1719,9 @@ impl SslContextBuilder {

/// Sets the context's supported elliptic curve groups.
///
/// Requires OpenSSL 1.1.1 or LibreSSL 2.5.1 or newer.
/// Requires BoringSSL or OpenSSL 1.1.1 or LibreSSL 2.5.1 or newer.
#[corresponds(SSL_CTX_set1_groups_list)]
#[cfg(any(ossl111, libressl251))]
#[cfg(any(ossl111, boringssl, libressl251))]
pub fn set_groups_list(&mut self, groups: &str) -> Result<(), ErrorStack> {
let groups = CString::new(groups).unwrap();
unsafe {
Expand Down Expand Up @@ -2769,9 +2769,9 @@ impl SslRef {

/// Returns a mutable reference to the X509 verification configuration.
///
/// Requires OpenSSL 1.0.2 or newer.
/// Requires BoringSSL or OpenSSL 1.0.2 or newer.
#[corresponds(SSL_get0_param)]
#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
pub fn param_mut(&mut self) -> &mut X509VerifyParamRef {
unsafe { X509VerifyParamRef::from_ptr_mut(ffi::SSL_get0_param(self.as_ptr())) }
}
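Review bot: None of the four items newly enabled for BoringSSL in this file (`verify_param`, `verify_param_mut`, `set_groups_list`, `param_mut`) gains a BoringSSL test in this commit — the diffstat touches `openssl/src/x509/tests.rs` but nothing under the ssl test module — so unless existing tests already exercise them on that backend, the BoringSSL signatures of `SSL_CTX_get0_param`, `SSL_get0_param` and `SSL_CTX_set1_groups_list` are only checked at link time. A short test that calls `set_groups_list("X25519:P-256")` on a builder and another that touches `verify_param_mut()` would pin that. Note also that `set_groups_list` builds a `CString` from the caller's string with `.unwrap()` (pre-existing, not introduced here), so a `&str` containing an interior NUL panics instead of returning an `ErrorStack`; the function body continues outside the hunk.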
2 changes: 1 addition & 1 deletion openssl/src/x509/mod.rs
Expand Up @@ -41,7 +41,7 @@ use crate::util::{ForeignTypeExt, ForeignTypeRefExt};
use crate::{cvt, cvt_n, cvt_p, cvt_p_const};
use openssl_macros::corresponds;

#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
pub mod verify;

pub mod extension;
6 changes: 3 additions & 3 deletions openssl/src/x509/store.rs
Expand Up @@ -52,7 +52,7 @@ use crate::ssl::SslFiletype;
use crate::stack::Stack;
use crate::stack::StackRef;
use crate::util::ForeignTypeRefExt;
#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
use crate::x509::verify::{X509VerifyFlags, X509VerifyParamRef};
use crate::x509::{X509Object, X509PurposeId, X509};
use crate::{cvt, cvt_p};
Expand Down Expand Up @@ -123,7 +123,7 @@ impl X509StoreBuilderRef {

/// Sets certificate chain validation related flags.
#[corresponds(X509_STORE_set_flags)]
#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
pub fn set_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> {
unsafe { cvt(ffi::X509_STORE_set_flags(self.as_ptr(), flags.bits())).map(|_| ()) }
}
Expand All @@ -137,7 +137,7 @@ impl X509StoreBuilderRef {

/// Sets certificate chain validation related parameters.
#[corresponds[X509_STORE_set1_param]]
#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
pub fn set_param(&mut self, param: &X509VerifyParamRef) -> Result<(), ErrorStack> {
unsafe { cvt(ffi::X509_STORE_set1_param(self.as_ptr(), param.as_ptr())).map(|_| ()) }
}
26 changes: 13 additions & 13 deletions openssl/src/x509/tests.rs
Expand Up @@ -16,11 +16,11 @@ use crate::x509::extension::{
#[cfg(not(boringssl))]
use crate::x509::store::X509Lookup;
use crate::x509::store::X509StoreBuilder;
#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
use crate::x509::verify::{X509VerifyFlags, X509VerifyParam};
#[cfg(ossl102)]
#[cfg(any(ossl102, boringssl))]
use crate::x509::X509PurposeId;
#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
use crate::x509::X509PurposeRef;
#[cfg(ossl110)]
use crate::x509::{CrlReason, X509Builder};
Expand All @@ -31,7 +31,7 @@ use crate::x509::{
#[cfg(ossl110)]
use foreign_types::ForeignType;
use hex::{self, FromHex};
#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
use libc::time_t;

use super::{AuthorityInformationAccess, CertificateIssuer, ReasonCode};
Expand Down Expand Up @@ -557,7 +557,7 @@ fn test_verify_fails() {
}

#[test]
#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
fn test_verify_fails_with_crl_flag_set_and_no_crl() {
let cert = include_bytes!("../../test/cert.pem");
let cert = X509::from_pem(cert).unwrap();
Expand All @@ -584,7 +584,7 @@ fn test_verify_fails_with_crl_flag_set_and_no_crl() {
}

#[test]
#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
fn test_verify_cert_with_purpose() {
let cert = include_bytes!("../../test/cert.pem");
let cert = X509::from_pem(cert).unwrap();
Expand All @@ -611,7 +611,7 @@ fn test_verify_cert_with_purpose() {
}

#[test]
#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
fn test_verify_cert_with_wrong_purpose_fails() {
let cert = include_bytes!("../../test/cert.pem");
let cert = X509::from_pem(cert).unwrap();
Expand Down Expand Up @@ -846,7 +846,7 @@ fn test_name_to_owned() {
}

#[test]
#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
fn test_verify_param_set_time_fails_verification() {
const TEST_T_2030: time_t = 1893456000;

Expand Down Expand Up @@ -877,7 +877,7 @@ fn test_verify_param_set_time_fails_verification() {
}

#[test]
#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
fn test_verify_param_set_time() {
const TEST_T_2020: time_t = 1577836800;

Expand All @@ -901,7 +901,7 @@ fn test_verify_param_set_time() {
}

#[test]
#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
fn test_verify_param_set_depth() {
let cert = include_bytes!("../../test/leaf.pem");
let cert = X509::from_pem(cert).unwrap();
Expand All @@ -928,7 +928,7 @@ fn test_verify_param_set_depth() {
}

#[test]
#[cfg(any(ossl102, libressl261))]
#[cfg(any(ossl102, boringssl, libressl261))]
#[allow(clippy::bool_to_int_with_if)]
fn test_verify_param_set_depth_fails_verification() {
let cert = include_bytes!("../../test/leaf.pem");
Expand Down Expand Up @@ -1003,7 +1003,7 @@ fn test_verify_param_auth_level() {
}

#[test]
#[cfg(ossl102)]
#[cfg(any(ossl102, boringssl))]
fn test_set_purpose() {
let cert = include_bytes!("../../test/leaf.pem");
let cert = X509::from_pem(cert).unwrap();
Expand All @@ -1028,7 +1028,7 @@ fn test_set_purpose() {
}

#[test]
#[cfg(ossl102)]
#[cfg(any(ossl102, boringssl))]
fn test_set_purpose_fails_verification() {
let cert = include_bytes!("../../test/leaf.pem");
let cert = X509::from_pem(cert).unwrap();
62 changes: 31 additions & 31 deletions openssl/src/x509/verify.rs
Expand Up @@ -4,7 +4,7 @@ use libc::{c_int, c_uint, c_ulong, time_t};
use std::net::IpAddr;

use crate::error::ErrorStack;
#[cfg(ossl102)]
#[cfg(any(ossl102, boringssl))]
use crate::x509::X509PurposeId;
use crate::{cvt, cvt_p};
use openssl_macros::corresponds;
Expand All @@ -14,17 +14,17 @@ bitflags! {
#[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
#[repr(transparent)]
pub struct X509CheckFlags: c_uint {
const ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT;
const NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS;
const NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
const MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS;
const SINGLE_LABEL_SUBDOMAINS = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS;
const ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT as _;
const NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS as _;
const NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS as _;
const MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS as _;
const SINGLE_LABEL_SUBDOMAINS = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS as _;
/// Requires OpenSSL 1.1.0 or newer.
#[cfg(any(ossl110))]
const NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;

#[deprecated(since = "0.10.6", note = "renamed to NO_WILDCARDS")]
const FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS;
const FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS as _;
}
}

Expand All @@ -33,35 +33,35 @@ bitflags! {
#[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
#[repr(transparent)]
pub struct X509VerifyFlags: c_ulong {
const CB_ISSUER_CHECK = ffi::X509_V_FLAG_CB_ISSUER_CHECK;
const USE_CHECK_TIME = ffi::X509_V_FLAG_USE_CHECK_TIME;
const CRL_CHECK = ffi::X509_V_FLAG_CRL_CHECK;
const CRL_CHECK_ALL = ffi::X509_V_FLAG_CRL_CHECK_ALL;
const IGNORE_CRITICAL = ffi::X509_V_FLAG_IGNORE_CRITICAL;
const X509_STRICT = ffi::X509_V_FLAG_X509_STRICT;
const ALLOW_PROXY_CERTS = ffi::X509_V_FLAG_ALLOW_PROXY_CERTS;
const POLICY_CHECK = ffi::X509_V_FLAG_POLICY_CHECK;
const EXPLICIT_POLICY = ffi::X509_V_FLAG_EXPLICIT_POLICY;
const INHIBIT_ANY = ffi::X509_V_FLAG_INHIBIT_ANY;
const INHIBIT_MAP = ffi::X509_V_FLAG_INHIBIT_MAP;
const NOTIFY_POLICY = ffi::X509_V_FLAG_NOTIFY_POLICY;
const EXTENDED_CRL_SUPPORT = ffi::X509_V_FLAG_EXTENDED_CRL_SUPPORT;
const USE_DELTAS = ffi::X509_V_FLAG_USE_DELTAS;
const CHECK_SS_SIGNATURE = ffi::X509_V_FLAG_CHECK_SS_SIGNATURE;
#[cfg(ossl102)]
const TRUSTED_FIRST = ffi::X509_V_FLAG_TRUSTED_FIRST;
const CB_ISSUER_CHECK = ffi::X509_V_FLAG_CB_ISSUER_CHECK as _;
const USE_CHECK_TIME = ffi::X509_V_FLAG_USE_CHECK_TIME as _;
const CRL_CHECK = ffi::X509_V_FLAG_CRL_CHECK as _;
const CRL_CHECK_ALL = ffi::X509_V_FLAG_CRL_CHECK_ALL as _;
const IGNORE_CRITICAL = ffi::X509_V_FLAG_IGNORE_CRITICAL as _;
const X509_STRICT = ffi::X509_V_FLAG_X509_STRICT as _;
const ALLOW_PROXY_CERTS = ffi::X509_V_FLAG_ALLOW_PROXY_CERTS as _;
const POLICY_CHECK = ffi::X509_V_FLAG_POLICY_CHECK as _;
const EXPLICIT_POLICY = ffi::X509_V_FLAG_EXPLICIT_POLICY as _;
const INHIBIT_ANY = ffi::X509_V_FLAG_INHIBIT_ANY as _;
const INHIBIT_MAP = ffi::X509_V_FLAG_INHIBIT_MAP as _;
const NOTIFY_POLICY = ffi::X509_V_FLAG_NOTIFY_POLICY as _;
const EXTENDED_CRL_SUPPORT = ffi::X509_V_FLAG_EXTENDED_CRL_SUPPORT as _;
const USE_DELTAS = ffi::X509_V_FLAG_USE_DELTAS as _;
const CHECK_SS_SIGNATURE = ffi::X509_V_FLAG_CHECK_SS_SIGNATURE as _;
#[cfg(any(ossl102, boringssl))]
const TRUSTED_FIRST = ffi::X509_V_FLAG_TRUSTED_FIRST as _;
#[cfg(ossl102)]
const SUITEB_128_LOS_ONLY = ffi::X509_V_FLAG_SUITEB_128_LOS_ONLY;
#[cfg(ossl102)]
const SUITEB_192_LOS = ffi::X509_V_FLAG_SUITEB_128_LOS;
#[cfg(ossl102)]
const SUITEB_128_LOS = ffi::X509_V_FLAG_SUITEB_192_LOS;
#[cfg(ossl102)]
const PARTIAL_CHAIN = ffi::X509_V_FLAG_PARTIAL_CHAIN;
#[cfg(ossl110)]
const NO_ALT_CHAINS = ffi::X509_V_FLAG_NO_ALT_CHAINS;
#[cfg(ossl110)]
const NO_CHECK_TIME = ffi::X509_V_FLAG_NO_CHECK_TIME;
#[cfg(any(ossl102, boringssl))]
const PARTIAL_CHAIN = ffi::X509_V_FLAG_PARTIAL_CHAIN as _;
#[cfg(any(ossl110, boringssl))]
const NO_ALT_CHAINS = ffi::X509_V_FLAG_NO_ALT_CHAINS as _;
#[cfg(any(ossl110, boringssl))]
const NO_CHECK_TIME = ffi::X509_V_FLAG_NO_CHECK_TIME as _;
}
}

Expand Down Expand Up @@ -208,7 +208,7 @@ impl X509VerifyParamRef {

/// Sets the verification purpose
#[corresponds(X509_VERIFY_PARAM_set_purpose)]
#[cfg(ossl102)]
#[cfg(any(ossl102, boringssl))]
pub fn set_purpose(&mut self, purpose: X509PurposeId) -> Result<(), ErrorStack> {
unsafe { cvt(ffi::X509_VERIFY_PARAM_set_purpose(self.as_ptr(), purpose.0)).map(|_| ()) }
}
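Review bot: The two Suite B constants in the `X509VerifyFlags` block are cross-wired: `SUITEB_192_LOS` is bound to `ffi::X509_V_FLAG_SUITEB_128_LOS` and `SUITEB_128_LOS` to `ffi::X509_V_FLAG_SUITEB_192_LOS`, so a caller asking for the 192-bit level of security gets the 128-bit policy and vice versa. These are unchanged context lines, but the commit rewrites the surrounding block and the mismatch is worth fixing with it: `const SUITEB_192_LOS = ffi::X509_V_FLAG_SUITEB_192_LOS as _;` and `const SUITEB_128_LOS = ffi::X509_V_FLAG_SUITEB_128_LOS as _;`. Any caller that compensated for the swap would see a behaviour change, so the fix deserves a changelog entry. Separately, the new `as _` casts leave the target width implicit; writing them as `as c_uint` in `X509CheckFlags` and `as c_ulong` in `X509VerifyFlags` to match each bitflags repr would make any narrowing of the BoringSSL constant type reviewable at a glance.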
0 comments on commit e1d8559
