diff --git a/.circleci/config.yml b/.circleci/config.yml index d1648b37c7..24f771cabe 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -17,7 +17,7 @@ save_openssl: &SAVE_OPENSSL paths: - /openssl deps_key: &DEPS_KEY - key: deps-1.19.0-{{ checksum "Cargo.lock" }}-{{ checksum "~/lib_key" }}-2 + key: deps-1.21.0-{{ checksum "Cargo.lock" }}-{{ checksum "~/lib_key" }}-2 restore_deps: &RESTORE_DEPS restore_cache: <<: *DEPS_KEY @@ -31,7 +31,7 @@ save_deps: &SAVE_DEPS job: &JOB working_directory: ~/build docker: - - image: rust:1.19.0 + - image: rust:1.21.0 steps: - checkout - run: apt-get update @@ -45,7 +45,6 @@ job: &JOB - run: ./test/build_openssl.sh - *SAVE_OPENSSL - *RESTORE_DEPS - - run: cargo run --manifest-path=systest/Cargo.toml --target $TARGET - run: | ulimit -c unlimited export PATH=$OPENSSL_DIR/bin:$PATH @@ -77,7 +76,7 @@ macos_job: &MACOS_JOB - checkout - run: sudo mkdir /opt - run: sudo chown -R $USER /usr/local /opt - - run: curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain 1.19.0 + - run: curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain 1.21.0 - run: sudo ln -s $CARGO_HOME/bin/* /usr/local/bin - *RESTORE_REGISTRY - run: cargo generate-lockfile @@ -90,6 +89,9 @@ macos_job: &MACOS_JOB cargo test --manifest-path=openssl/Cargo.toml --all-features - *SAVE_DEPS +openssl_111: &OPENSSL_111 + LIBRARY: openssl + VERSION: 1.1.1 openssl_110: &OPENSSL_110 LIBRARY: openssl VERSION: 1.1.0g @@ -125,6 +127,10 @@ base: &BASE version: 2 jobs: + x86_64-openssl-1.1.1: + <<: *JOB + environment: + <<: [*OPENSSL_111, *X86_64, *BASE] x86_64-openssl-1.1.0: <<: *JOB environment: @@ -137,6 +143,10 @@ jobs: <<: *JOB environment: <<: [*OPENSSL_101, *X86_64, *BASE] + i686-openssl-1.1.1: + <<: *JOB + environment: + <<: [*OPENSSL_111, *I686, *BASE] i686-openssl-1.1.0: <<: *JOB environment: 
@@ -149,6 +159,10 @@ jobs: <<: *JOB environment: <<: [*OPENSSL_101, *I686, *BASE] + armhf-openssl-1.1.1: + <<: *JOB + environment: + <<: [*OPENSSL_111, *ARMHF, *BASE] armhf-openssl-1.1.0: <<: *JOB environment: @@ -175,12 +189,15 @@ workflows: version: 2 tests: jobs: + - x86_64-openssl-1.1.1 - x86_64-openssl-1.1.0 - x86_64-openssl-1.0.2 - x86_64-openssl-1.0.1 + - i686-openssl-1.1.1 - i686-openssl-1.1.0 - i686-openssl-1.0.2 - i686-openssl-1.0.1 + - armhf-openssl-1.1.1 - armhf-openssl-1.1.0 - armhf-openssl-1.0.2 - armhf-openssl-1.0.1 diff --git a/Cargo.toml b/Cargo.toml index 2ef99c175a..f1191549ba 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,2 +1,2 @@ [workspace] -members = ["openssl", "openssl-sys", "systest"] +members = ["openssl"] diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 890a54eceb..9f263c7d62 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -23,7 +23,7 @@ bitflags = "0.9" foreign-types = "0.3.1" lazy_static = "1" libc = "0.2" -openssl-sys = { version = "0.9.23", path = "../openssl-sys" } +openssl-sys = "0.9.23" [dev-dependencies] tempdir = "0.3" diff --git a/openssl/build.rs b/openssl/build.rs index eb8894fd3f..6af69b40dd 100644 --- a/openssl/build.rs +++ b/openssl/build.rs @@ -12,6 +12,11 @@ fn main() { } Ok(ref v) if v == "110" => { println!("cargo:rustc-cfg=ossl110"); + println!("cargo:rustc-cfg=ossl11x"); + } + Ok(ref v) if v == "111" => { + println!("cargo:rustc-cfg=ossl111"); + println!("cargo:rustc-cfg=ossl11x"); } _ => panic!("Unable to detect OpenSSL version"), } diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index d129235ae6..9c79f2f089 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -288,7 +288,7 @@ impl fmt::Display for Asn1ObjectRef { #[cfg(any(ossl101, ossl102))] use ffi::ASN1_STRING_data; -#[cfg(ossl110)] +#[cfg(ossl11x)] #[allow(bad_style)] unsafe fn ASN1_STRING_data(s: *mut ffi::ASN1_STRING) -> *mut ::libc::c_uchar { ffi::ASN1_STRING_get0_data(s) as *mut _ 
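Review bot: The new `openssl-sys = "0.9.23"` requirement in openssl/Cargo.toml still admits registry releases that may predate OpenSSL 1.1.1 support, while this same commit starts using `ffi::SSL_OP_NO_TLSv1_3`, `ffi::SSL_OP_ENABLE_MIDDLEBOX_COMPAT` and a `"111"` version value in build.rs. Raise the lower bound to the first openssl-sys release that provides those, e.g. `openssl-sys = "0.9.<first release with 1.1.1 support>"`, so a minimal-version resolve cannot end in a compile error or the build.rs panic. Dropping `path` also means the bindings are no longer built from this tree, and the systest step is removed from the CI job in the same commit. As far as the visible config shows, nothing in this pipeline then exercises the sys crate's declarations against the 1.1.1 headers.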
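Review bot: With the new `"111"` arm in openssl/build.rs, a build against OpenSSL 1.1.1 sets `ossl111` and `ossl11x` but not `ossl110`, so any item still gated on a bare `#[cfg(ossl110)]` silently drops out on 1.1.1 rather than failing loudly. That matters most where the gate chooses between a library-provided check and a fallback, as with the two `setup_verify` definitions and `setup_verify_hostname` in ssl/connector.rs. The sites visible in this diff are updated, but a search for remaining `ossl110` gates is worth doing before merge. I would also record the convention above the arms, e.g. `// ossl11x is set for every 1.1.x release; use ossl110/ossl111 only for version-specific APIs`. `main` starts and ends outside this hunk.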
diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs index 82ec38b647..80152ec4a3 100644 --- a/openssl/src/bn.rs +++ b/openssl/src/bn.rs @@ -47,7 +47,7 @@ use ffi::{get_rfc2409_prime_768 as BN_get_rfc2409_prime_768, get_rfc3526_prime_6144 as BN_get_rfc3526_prime_6144, get_rfc3526_prime_8192 as BN_get_rfc3526_prime_8192}; -#[cfg(ossl110)] +#[cfg(ossl11x)] use ffi::{BN_get_rfc2409_prime_768, BN_get_rfc2409_prime_1024, BN_get_rfc3526_prime_1536, BN_get_rfc3526_prime_2048, BN_get_rfc3526_prime_3072, BN_get_rfc3526_prime_4096, BN_get_rfc3526_prime_6144, BN_get_rfc3526_prime_8192}; @@ -366,7 +366,7 @@ impl BigNumRef { unsafe { (*self.as_ptr()).neg == 1 } } - #[cfg(ossl110)] + #[cfg(ossl11x)] fn _is_negative(&self) -> bool { unsafe { ffi::BN_is_negative(self.as_ptr()) == 1 } } diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index 50d9da7b2f..e667eba352 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -40,7 +40,7 @@ impl Dh { from_der!(Dh, ffi::d2i_DHparams); /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub fn get_1024_160() -> Result { unsafe { ffi::init(); @@ -49,7 +49,7 @@ impl Dh { } /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub fn get_2048_224() -> Result { unsafe { ffi::init(); @@ -58,7 +58,7 @@ impl Dh { } /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub fn get_2048_256() -> Result { unsafe { ffi::init(); 
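Review bot: The doc comments on `get_1024_160`, `get_2048_224` and `get_2048_256` in dh.rs still say the functions require "OpenSSL 1.0.2 or OpenSSL 1.1.0", but their gate now uses `ossl11x`, which build.rs also sets for 1.1.1. Extend the sentence to name 1.1.1 as well (for example by ending it "OpenSSL 1.0.2, 1.1.0 or 1.1.1") so the rendered docs match what is compiled. The same stale wording sits next to the changed gates in pkcs5.rs (`scrypt`), ssl/mod.rs (the DTLS option constants and `set_alpn_protocols`), symm.rs (`chacha20`, `chacha20_poly1305`) and verify.rs (`X509_CHECK_FLAG_NEVER_CHECK_SUBJECT`). The `impl Dh` block extends beyond these hunks.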
@@ -67,7 +67,7 @@ impl Dh { } } -#[cfg(ossl110)] +#[cfg(ossl11x)] mod compat { pub use ffi::DH_set0_pqg; } @@ -98,7 +98,7 @@ mod tests { use ssl::{SslMethod, SslContext}; #[test] - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn test_dh_rfc5114() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); let dh1 = Dh::get_1024_160().unwrap(); diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index c687531e93..e1af63bde5 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -189,7 +189,7 @@ impl fmt::Debug for Dsa { } } -#[cfg(ossl110)] +#[cfg(ossl11x)] mod compat { use std::ptr; use ffi::{self, BIGNUM, DSA}; diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index bb60ed35e4..2bf54ec000 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -4,7 +4,7 @@ use std::ops::{Deref, DerefMut}; use std::fmt; use ffi; -#[cfg(ossl110)] +#[cfg(ossl11x)] use ffi::{EVP_MD_CTX_new, EVP_MD_CTX_free}; #[cfg(any(ossl101, ossl102))] use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 5c3e7cc884..56141f1da9 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -60,7 +60,7 @@ pub mod symm; pub mod types; pub mod version; pub mod x509; -#[cfg(any(ossl102, ossl110))] +#[cfg(any(ossl102, ossl11x))] mod verify; fn cvt_p(r: *mut T) -> Result<*mut T, ErrorStack> { diff --git a/openssl/src/pkcs5.rs b/openssl/src/pkcs5.rs index b37e4770e9..a619e11c13 100644 --- a/openssl/src/pkcs5.rs +++ b/openssl/src/pkcs5.rs @@ -108,7 +108,7 @@ pub fn pbkdf2_hmac( /// Derives a key from a password and salt using the scrypt algorithm. /// /// Requires the `v110` feature and OpenSSL 1.1.0. -#[cfg(all(feature = "v110", ossl110))] +#[cfg(all(feature = "v110", ossl11x))] pub fn scrypt( pass: &[u8], salt: &[u8], 
@@ -546,7 +546,7 @@ mod tests { } #[test] - #[cfg(all(feature = "v110", ossl110))] + #[cfg(all(feature = "v110", ossl11x))] fn scrypt() { use hex::ToHex; diff --git a/openssl/src/rsa.rs b/openssl/src/rsa.rs index b02b92168c..1930f769e6 100644 --- a/openssl/src/rsa.rs +++ b/openssl/src/rsa.rs @@ -362,7 +362,7 @@ impl fmt::Debug for Rsa { } } -#[cfg(ossl110)] +#[cfg(ossl11x)] mod compat { use std::ptr; diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index a90d1570a4..1dca96430f 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -72,7 +72,7 @@ use hash::MessageDigest; use pkey::{PKeyCtxRef, PKeyRef}; use error::ErrorStack; -#[cfg(ossl110)] +#[cfg(ossl11x)] use ffi::{EVP_MD_CTX_free, EVP_MD_CTX_new}; #[cfg(any(ossl101, ossl102))] use ffi::{EVP_MD_CTX_create as EVP_MD_CTX_new, EVP_MD_CTX_destroy as EVP_MD_CTX_free}; diff --git a/openssl/src/ssl/bio.rs b/openssl/src/ssl/bio.rs index 4b792a7502..4c0c37db9c 100644 --- a/openssl/src/ssl/bio.rs +++ b/openssl/src/ssl/bio.rs @@ -173,7 +173,7 @@ unsafe extern "C" fn destroy(bio: *mut BIO) -> c_int { 1 } -#[cfg(ossl110)] +#[cfg(ossl11x)] #[allow(bad_style)] mod compat { use std::io::{Read, Write}; diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index d7c4805098..9df34e722d 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs @@ -12,7 +12,7 @@ use dh::Dh; #[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))] use ec_key::EcKey; use ssl::{get_callback_idx, get_ssl_callback_idx, SslRef, SniError, NPN_PROTOS_IDX}; -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] use ssl::ALPN_PROTOS_IDX; use x509::X509StoreContextRef; 
@@ -158,7 +158,7 @@ pub extern "C" fn raw_next_proto_select_cb( unsafe { select_proto_using(ssl, out, outlen, inbuf, inlen, *NPN_PROTOS_IDX) } } -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub extern "C" fn raw_alpn_select_cb( ssl: *mut ffi::SSL, out: *mut *const c_uchar, diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index a730cc49f8..1f73220f50 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -367,7 +367,7 @@ fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> { ctx._set_ecdh_auto(true) } -#[cfg(ossl110)] +#[cfg(ossl11x)] fn setup_curves(_: &mut SslContextBuilder) -> Result<(), ErrorStack> { Ok(()) } @@ -390,7 +390,7 @@ impl SslAcceptor { } } -#[cfg(any(ossl102, ossl110))] +#[cfg(any(ossl102, ossl11x))] fn setup_verify(ctx: &mut SslContextBuilder) { ctx.set_verify(SSL_VERIFY_PEER); } @@ -409,7 +409,7 @@ fn setup_verify(ctx: &mut SslContextBuilder) { }); } -#[cfg(any(ossl102, ossl110))] +#[cfg(any(ossl102, ossl11x))] fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { let param = ssl._param_mut(); param.set_hostflags(::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 6ef399642c..dad9b4c7b0 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -99,9 +99,9 @@ use ec::EcKeyRef; use ec::EcKey; use x509::{X509, X509FileType, X509Name, X509Ref, X509StoreContextRef, X509VerifyError}; use x509::store::{X509StoreBuilderRef, X509StoreRef}; -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] use x509::store::X509Store; -#[cfg(any(ossl102, ossl110))] +#[cfg(any(ossl102, ossl11x))] use verify::X509VerifyParamRef; use pkey::PKeyRef; use error::ErrorStack; 
@@ -211,15 +211,21 @@ bitflags! { /// Disables the use of TLSv1.2. const SSL_OP_NO_TLSV1_2 = ffi::SSL_OP_NO_TLSv1_2; + /// Disables the use of TLSv1.3. + /// + /// Requires OpenSSL 1.1.1 or newer. + #[cfg(ossl111)] + const SSL_OP_NO_TLSV1_3 = ffi::SSL_OP_NO_TLSv1_3; + /// Disables the use of DTLSv1.0 /// /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] const SSL_OP_NO_DTLSV1 = ffi::SSL_OP_NO_DTLSv1; /// Disables the use of DTLSv1.2. /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] const SSL_OP_NO_DTLSV1_2 = ffi::SSL_OP_NO_DTLSv1_2; /// Disables the use of all (D)TLS protocol versions. @@ -237,8 +243,15 @@ bitflags! { /// /// let options = SSL_OP_NO_SSL_MASK & !SSL_OP_NO_TLSV1_2; /// ``` - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] const SSL_OP_NO_SSL_MASK = ffi::SSL_OP_NO_SSL_MASK; + + /// Enable TLSv1.3 Compatibility mode. + /// + /// Requires OpenSSL 1.1.1 or newer. This is on by default in 1.1.1, but a future version + /// may have this disabled by default. + #[cfg(ossl111)] + const SSL_OP_ENABLE_MIDDLEBOX_COMPAT = ffi::SSL_OP_ENABLE_MIDDLEBOX_COMPAT; } } @@ -398,7 +411,7 @@ lazy_static! { static ref NPN_PROTOS_IDX: c_int = get_new_idx::>(); } -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] lazy_static! { static ref ALPN_PROTOS_IDX: c_int = get_new_idx::>(); } 
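Review bot: The doc example kept above `SSL_OP_NO_SSL_MASK`, `SSL_OP_NO_SSL_MASK & !SSL_OP_NO_TLSV1_2`, changes meaning once the constant is compiled on 1.1.1 builds. If the underlying mask there also covers the TLSv1.3 bit (it does in the upstream 1.1.1 headers; the sys-crate value is not visible in this diff), the example switches TLSv1.3 off along with the older protocols. The doc comment should state this, and could show the 1.1.1 form `SSL_OP_NO_SSL_MASK & !(SSL_OP_NO_TLSV1_2 | SSL_OP_NO_TLSV1_3)` for callers who want both versions left enabled. The `bitflags!` block starts and ends outside the hunk.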
@@ -578,7 +591,7 @@ impl SslContextBuilder { /// This corresponds to [`SSL_CTX_set0_verify_cert_store`]. /// /// [`SSL_CTX_set0_verify_cert_store`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set0_verify_cert_store.html - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub fn set_verify_cert_store(&mut self, cert_store: X509Store) -> Result<(), ErrorStack> { unsafe { let ptr = cert_store.as_ptr(); @@ -970,7 +983,7 @@ impl SslContextBuilder { /// /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. // FIXME overhaul - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub fn set_alpn_protocols(&mut self, protocols: &[&[u8]]) -> Result<(), ErrorStack> { let protocols: Box> = Box::new(ssl_encode_byte_strings(protocols)); unsafe { @@ -1190,7 +1203,7 @@ impl SslContextRef { /// This corresponds to [`SSL_CTX_get0_certificate`]. /// /// [`SSL_CTX_get0_certificate`]: https://www.openssl.org/docs/man1.1.0/ssl/ssl.html - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub fn certificate(&self) -> Option<&X509Ref> { unsafe { let ptr = ffi::SSL_CTX_get0_certificate(self.as_ptr()); @@ -1209,7 +1222,7 @@ impl SslContextRef { /// This corresponds to [`SSL_CTX_get0_privatekey`]. /// /// [`SSL_CTX_get0_privatekey`]: https://www.openssl.org/docs/man1.1.0/ssl/ssl.html - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub fn private_key(&self) -> Option<&PKeyRef> { unsafe { let ptr = ffi::SSL_CTX_get0_privatekey(self.as_ptr()); 
@@ -1794,7 +1807,7 @@ impl SslRef { /// This corresponds to [`SSL_get0_alpn_selected`]. /// /// [`SSL_get0_alpn_selected`]: https://www.openssl.org/docs/manmaster/man3/SSL_get0_next_proto_negotiated.html - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub fn selected_alpn_protocol(&self) -> Option<&[u8]> { unsafe { let mut data: *const c_uchar = ptr::null(); @@ -1894,12 +1907,12 @@ impl SslRef { /// This corresponds to [`SSL_get0_param`]. /// /// [`SSL_get0_param`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_get0_param.html - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub fn param_mut(&mut self) -> &mut X509VerifyParamRef { self._param_mut() } - #[cfg(any(ossl102, ossl110))] + #[cfg(any(ossl102, ossl11x))] fn _param_mut(&mut self) -> &mut X509VerifyParamRef { unsafe { X509VerifyParamRef::from_ptr_mut(ffi::SSL_get0_param(self.as_ptr())) } } @@ -2437,7 +2450,7 @@ pub enum ShutdownResult { Received, } -#[cfg(ossl110)] +#[cfg(ossl11x)] mod compat { use std::ptr; diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs index 1cc36c7fe8..b5d5a8295c 100644 --- a/openssl/src/ssl/tests/mod.rs +++ b/openssl/src/ssl/tests/mod.rs @@ -22,7 +22,7 @@ use ssl::{SslMethod, HandshakeError, SslContext, SslStream, Ssl, ShutdownResult, SslConnectorBuilder, SslAcceptorBuilder, Error, SSL_VERIFY_PEER, SSL_VERIFY_NONE, STATUS_TYPE_OCSP}; use x509::{X509StoreContext, X509, X509Name, X509_FILETYPE_PEM}; -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; use pkey::PKey; 
@@ -138,14 +138,14 @@ macro_rules! run_test( use ssl::SSL_VERIFY_PEER; use hash::MessageDigest; use x509::X509StoreContext; - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] use x509::X509; - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] use x509::store::X509StoreBuilder; use hex::FromHex; use foreign_types::ForeignTypeRef; use super::Server; - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] use super::ROOT_CERT; #[test] @@ -186,7 +186,7 @@ run_test!(verify_trusted, |method, stream| { } }); -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] run_test!(verify_trusted_with_set_cert, |method, stream| { let x509 = X509::from_pem(ROOT_CERT).unwrap(); let mut store = X509StoreBuilder::new().unwrap(); @@ -481,7 +481,7 @@ fn test_state() { /// Tests that connecting with the client using ALPN, but the server not does not /// break the existing connection behavior. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn test_connect_with_unilateral_alpn() { let (_s, stream) = Server::new(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); 
@@ -525,7 +525,7 @@ fn test_connect_with_unilateral_npn() { /// Tests that when both the client as well as the server use ALPN and their /// lists of supported protocols have an overlap, the correct protocol is chosen. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn test_connect_with_alpn_successful_multiple_matching() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); @@ -546,8 +546,10 @@ fn test_connect_with_alpn_successful_multiple_matching() { /// Tests that when both the client as well as the server use NPN and their /// lists of supported protocols have an overlap, the correct protocol is chosen. +// Ignore: NPN is removed on master. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[ignore] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn test_connect_with_npn_successful_multiple_matching() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); @@ -570,7 +572,7 @@ fn test_connect_with_npn_successful_multiple_matching() { /// lists of supported protocols have an overlap -- with only ONE protocol /// being valid for both. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn test_connect_with_alpn_successful_single_match() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); 
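Review bot: The bare `#[ignore]` added to `test_connect_with_npn_successful_multiple_matching` switches the test off for every OpenSSL version in the CI matrix, not only the newly added 1.1.1 jobs. If the failure is specific to 1.1.1 (the comment only says NPN is removed on master, so this is an inference), `#[cfg_attr(ossl111, ignore)]` would keep the coverage on 1.0.1, 1.0.2 and 1.1.0. The same applies to `test_connect_with_npn_successful_single_match`, `test_npn_server_advertise_multiple` and `test_read_nonblocking` in the later hunks. In the last of these the unconditional `#[ignore]` also makes the existing `#[cfg_attr(any(libressl, windows, target_arch = "arm"), ignore)]` redundant.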
@@ -593,8 +595,10 @@ fn test_connect_with_alpn_successful_single_match() { /// Tests that when both the client as well as the server use NPN and their /// lists of supported protocols have an overlap -- with only ONE protocol /// being valid for both. +// Ignore: NPN is removed on master. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[ignore] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn test_connect_with_npn_successful_single_match() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); @@ -615,7 +619,9 @@ fn test_connect_with_npn_successful_single_match() { /// Tests that when the `SslStream` is created as a server stream, the protocols /// are correctly advertised to the client. +// Ignore: NPN is removed on master. #[test] +#[ignore] #[cfg(not(any(libressl261, libressl262, libressl26x)))] fn test_npn_server_advertise_multiple() { let listener = TcpListener::bind("127.0.0.1:0").unwrap(); @@ -659,7 +665,7 @@ fn test_npn_server_advertise_multiple() { /// Tests that when the `SslStream` is created as a server stream, the protocols /// are correctly advertised to the client. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn test_alpn_server_advertise_multiple() { let listener = TcpListener::bind("127.0.0.1:0").unwrap(); let localhost = listener.local_addr().unwrap(); 
@@ -702,7 +708,7 @@ fn test_alpn_server_advertise_multiple() { /// Test that Servers supporting ALPN don't report a protocol when none of their protocols match /// the client's reported protocol. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn test_alpn_server_select_none() { let listener = TcpListener::bind("127.0.0.1:0").unwrap(); let localhost = listener.local_addr().unwrap(); @@ -804,7 +810,9 @@ fn test_write_nonblocking() { stream.write(" there".as_bytes()).unwrap(); } +// Ignore: the test is removed in master. #[test] +#[ignore] #[cfg_attr(any(libressl, windows, target_arch = "arm"), ignore)] // FIXME(#467) fn test_read_nonblocking() { let (_s, stream) = Server::new(); @@ -967,7 +975,9 @@ fn default_verify_paths() { ctx.set_default_verify_paths().unwrap(); ctx.set_verify(SSL_VERIFY_PEER); let s = TcpStream::connect("google.com:443").unwrap(); - let mut socket = Ssl::new(&ctx.build()).unwrap().connect(s).unwrap(); + let mut ssl = Ssl::new(&ctx.build()).unwrap(); + ssl.set_hostname("google.com").unwrap(); + let mut socket = ssl.connect(s).unwrap(); socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap(); let mut result = vec![]; @@ -987,7 +997,7 @@ fn add_extra_chain_cert() { } #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn verify_valid_hostname() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_default_verify_paths().unwrap(); @@ -998,6 +1008,7 @@ fn verify_valid_hostname() { X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, ); ssl.param_mut().set_host("google.com").unwrap(); + ssl.set_hostname("google.com").unwrap(); let s = TcpStream::connect("google.com:443").unwrap(); let mut socket = ssl.connect(s).unwrap(); 
@@ -1012,7 +1023,7 @@ fn verify_valid_hostname() { } #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn verify_invalid_hostname() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_default_verify_paths().unwrap(); @@ -1052,7 +1063,10 @@ fn connector_invalid_hostname() { assert!(connector.connect("foobar.com", s).is_err()); } +// Ignored: Google's load balancer architecture changed. Connection without SNI will fail with +// self signed certs. #[test] +#[ignore] fn connector_invalid_no_hostname_verification() { let connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap().build(); @@ -1231,6 +1245,8 @@ fn tmp_dh_callback() { let stream = TcpStream::connect(("127.0.0.1", port)).unwrap(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); + #[cfg(ossl111)] + ctx.set_options(super::SSL_OP_NO_TLSV1_3); ctx.set_cipher_list("EDH").unwrap(); let ssl = Ssl::new(&ctx.build()).unwrap(); ssl.connect(stream).unwrap(); @@ -1298,6 +1314,8 @@ fn tmp_dh_callback_ssl() { let stream = TcpStream::connect(("127.0.0.1", port)).unwrap(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); + #[cfg(ossl111)] + ctx.set_options(super::SSL_OP_NO_TLSV1_3); ctx.set_cipher_list("EDH").unwrap(); let ssl = Ssl::new(&ctx.build()).unwrap(); ssl.connect(stream).unwrap(); diff --git a/openssl/src/stack.rs b/openssl/src/stack.rs index d8589352d5..f15fdb39a6 100644 --- a/openssl/src/stack.rs +++ b/openssl/src/stack.rs 
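Review bot: Ignoring `connector_invalid_no_hostname_verification` removes test coverage for a certificate-verification path because of a change on the remote host, not in the library. Pointing the test at the local `Server` fixture that other tests in this module already use would keep it running and independent of third-party infrastructure, assuming the fixture can serve a certificate suited to this case. If it has to stay ignored, the comment should carry a tracking reference so it is re-enabled, e.g. `// FIXME(#<issue>): re-enable against a local server`. The function body continues outside the hunk.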
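Review bot: The `#[cfg(ossl111)] ctx.set_options(super::SSL_OP_NO_TLSV1_3);` line added to `tmp_dh_callback` has no comment saying why the client caps the protocol version, so a later reader may take it for a leftover and remove it. Presumably the `"EDH"` cipher list and the temporary-DH callback under test only come into play below TLSv1.3. A one-line comment such as `// TLSv1.3 does not go through the tmp_dh callback; force an older protocol so the callback runs` would record that, with the wording to be confirmed by the author. The same line is added to `tmp_dh_callback_ssl` in the next hunk, and both function bodies extend beyond their hunks.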
@@ -15,7 +15,7 @@ use std::ops::{Deref, DerefMut, Index, IndexMut}; use ffi::{sk_pop as OPENSSL_sk_pop, sk_free as OPENSSL_sk_free, sk_num as OPENSSL_sk_num, sk_value as OPENSSL_sk_value, _STACK as OPENSSL_STACK, sk_new_null as OPENSSL_sk_new_null, sk_push as OPENSSL_sk_push}; -#[cfg(ossl110)] +#[cfg(ossl11x)] use ffi::{OPENSSL_sk_pop, OPENSSL_sk_free, OPENSSL_sk_num, OPENSSL_sk_value, OPENSSL_STACK, OPENSSL_sk_new_null, OPENSSL_sk_push}; diff --git a/openssl/src/string.rs b/openssl/src/string.rs index af58130e04..e24d8720aa 100644 --- a/openssl/src/string.rs +++ b/openssl/src/string.rs @@ -67,12 +67,12 @@ impl fmt::Debug for OpensslStringRef { } } -#[cfg(not(ossl110))] +#[cfg(not(ossl11x))] unsafe fn free(buf: *mut c_char) { ::ffi::CRYPTO_free(buf as *mut c_void); } -#[cfg(ossl110)] +#[cfg(ossl11x)] unsafe fn free(buf: *mut c_char) { ::ffi::CRYPTO_free( buf as *mut c_void, diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index e109b2a7d5..84a91d7745 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -138,13 +138,13 @@ impl Cipher { } /// Requires the `v110` feature and OpenSSL 1.1.0. - #[cfg(all(ossl110, feature = "v110"))] + #[cfg(all(ossl11x, feature = "v110"))] pub fn chacha20() -> Cipher { unsafe { Cipher(ffi::EVP_chacha20()) } } /// Requires the `v110` feature and OpenSSL 1.1.0. - #[cfg(all(ossl110, feature = "v110"))] + #[cfg(all(ossl11x, feature = "v110"))] pub fn chacha20_poly1305() -> Cipher { unsafe { Cipher(ffi::EVP_chacha20_poly1305()) } } @@ -589,7 +589,7 @@ pub fn decrypt_aead( Ok(out) } -#[cfg(ossl110)] +#[cfg(ossl11x)] use ffi::{EVP_CIPHER_iv_length, EVP_CIPHER_block_size, EVP_CIPHER_key_length}; #[cfg(ossl10x)] @@ -1076,7 +1076,7 @@ mod tests { } #[test] - #[cfg(all(ossl110, feature = "v110"))] + #[cfg(all(ossl11x, feature = "v110"))] fn test_chacha20() { let key = "0000000000000000000000000000000000000000000000000000000000000000"; let iv = "00000000000000000000000000000000"; 
@@ -1089,7 +1089,7 @@ mod tests { } #[test] - #[cfg(all(ossl110, feature = "v110"))] + #[cfg(all(ossl11x, feature = "v110"))] fn test_chacha20_poly1305() { let key = "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"; let iv = "070000004041424344454647"; diff --git a/openssl/src/verify.rs b/openssl/src/verify.rs index 65315e473a..b3a0db2cf3 100644 --- a/openssl/src/verify.rs +++ b/openssl/src/verify.rs @@ -15,7 +15,7 @@ bitflags! { const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS; /// Requires the `v110` feature and OpenSSL 1.1.0. - #[cfg(all(feature = "v110", ossl110))] + #[cfg(all(feature = "v110", ossl11x))] const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT; } } diff --git a/openssl/src/version.rs b/openssl/src/version.rs index 7254d7ba85..3c775080ca 100644 --- a/openssl/src/version.rs +++ b/openssl/src/version.rs @@ -19,7 +19,7 @@ use ffi::{SSLEAY_VERSION as OPENSSL_VERSION, SSLEAY_CFLAGS as OPENSSL_CFLAGS, SSLEAY_DIR as OPENSSL_DIR, SSLeay as OpenSSL_version_num, SSLeay_version as OpenSSL_version}; -#[cfg(ossl110)] +#[cfg(ossl11x)] use ffi::{OPENSSL_VERSION, OPENSSL_CFLAGS, OPENSSL_BUILT_ON, OPENSSL_PLATFORM, OPENSSL_DIR, OpenSSL_version_num, OpenSSL_version}; diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index dff652223a..16c80ed8c6 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs 
@@ -28,12 +28,12 @@ use ssl::SslRef; #[cfg(ossl10x)] use ffi::{X509_set_notBefore, X509_set_notAfter, ASN1_STRING_data, X509_STORE_CTX_get_chain}; -#[cfg(ossl110)] +#[cfg(ossl11x)] use ffi::{X509_set1_notBefore as X509_set_notBefore, X509_set1_notAfter as X509_set_notAfter, ASN1_STRING_get0_data as ASN1_STRING_data, X509_STORE_CTX_get0_chain as X509_STORE_CTX_get_chain}; -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub mod verify; use x509::extension::{ExtensionType, Extension}; @@ -1142,7 +1142,7 @@ impl X509AlgorithmRef { } } -#[cfg(ossl110)] +#[cfg(ossl11x)] mod compat { pub use ffi::X509_getm_notAfter as X509_get_notAfter; pub use ffi::X509_getm_notBefore as X509_get_notBefore;