Merge branch 'sfackler:master' into timestamping

.github/workflows/ci.yml

@@ -62,7 +62,7 @@ jobs:
       # Remember to also update `--rust-target` in `openssl-sys/build/run_bindgen.rs`
       - uses: sfackler/actions/rustup@master
         with:
-          version: 1.56.0
+          version: 1.63.0
       - run: echo "version=$(rustc --version)" >> $GITHUB_OUTPUT
         id: rust-version
       - uses: actions/cache@v4
@@ -72,8 +72,6 @@ jobs:
           restore-keys: |
             index-${{ runner.os }}-
       - run: cargo generate-lockfile
-      - run: |
-          cargo update -p cc --precise 1.0.94
       - uses: actions/cache@v4
         with:
           path: ~/.cargo/registry/cache

openssl-errors/Cargo.toml

@@ -2,12 +2,13 @@
 name = "openssl-errors"
 version = "0.2.0"
 authors = ["Steven Fackler <sfackler@gmail.com>"]
-edition = "2018"
+edition = "2021"
 license = "MIT OR Apache-2.0"
 description = "Custom error library support for the openssl crate."
 repository = "https://github.com/sfackler/rust-openssl"
 readme = "README.md"
 categories = ["api-bindings"]
+rust-version = "1.63.0"
 
 [dependencies]
 cfg-if = "1.0"

openssl-macros/Cargo.toml

@@ -1,10 +1,11 @@
 [package]
 name = "openssl-macros"
 version = "0.1.1"
-edition = "2018"
+edition = "2021"
 license = "MIT OR Apache-2.0"
 description = "Internal macros used by the openssl crate."
 repository = "https://github.com/sfackler/rust-openssl"
+rust-version = "1.63.0"
 
 [lib]
 proc-macro = true

openssl-sys/Cargo.toml

@@ -12,7 +12,8 @@ readme = "README.md"
 categories = ["cryptography", "external-ffi-bindings"]
 links = "openssl"
 build = "build/main.rs"
-edition = "2018"
+edition = "2021"
+rust-version = "1.63.0"
 
 [features]
 vendored = ['openssl-src']
@@ -23,7 +24,7 @@ libc = "0.2"
 bssl-sys = { version = "0.1.0", optional = true }
 
 [build-dependencies]
-bindgen = { version = "0.65.0", optional = true, features = ["experimental"] }
+bindgen = { version = "0.69.0", optional = true, features = ["experimental"] }
 cc = "1.0.61"
 openssl-src = { version = "300.2.0", optional = true, features = ["legacy"] }
 pkg-config = "0.3.9"

openssl-sys/src/handwritten/evp.rs

@@ -93,6 +93,8 @@ extern "C" {
     pub fn EVP_DigestFinal(ctx: *mut EVP_MD_CTX, res: *mut u8, n: *mut u32) -> c_int;
     #[cfg(ossl111)]
     pub fn EVP_DigestFinalXOF(ctx: *mut EVP_MD_CTX, res: *mut u8, len: usize) -> c_int;
+    #[cfg(ossl330)]
+    pub fn EVP_DigestSqueeze(ctx: *mut EVP_MD_CTX, res: *mut u8, len: usize) -> c_int;
 
     #[cfg(ossl300)]
     pub fn EVP_MD_fetch(

openssl-sys/src/handwritten/x509_vfy.rs

@@ -9,10 +9,14 @@ extern "C" {
     pub fn X509_LOOKUP_meth_free(method: *mut X509_LOOKUP_METHOD);
 }
 
+const_ptr_api! {
+    extern "C" {
+        pub fn X509_LOOKUP_hash_dir() -> #[const_ptr_if(libressl400)] X509_LOOKUP_METHOD;
+        pub fn X509_LOOKUP_file() -> #[const_ptr_if(libressl400)] X509_LOOKUP_METHOD;
+    }
+}
 extern "C" {
     pub fn X509_LOOKUP_free(ctx: *mut X509_LOOKUP);
-    pub fn X509_LOOKUP_hash_dir() -> *mut X509_LOOKUP_METHOD;
-    pub fn X509_LOOKUP_file() -> *mut X509_LOOKUP_METHOD;
     pub fn X509_LOOKUP_ctrl(
         ctx: *mut X509_LOOKUP,
         cmd: c_int,
@@ -41,11 +45,6 @@ extern "C" {
 
     pub fn X509_STORE_add_cert(store: *mut X509_STORE, x: *mut X509) -> c_int;
 
-    pub fn X509_STORE_add_lookup(
-        store: *mut X509_STORE,
-        meth: *mut X509_LOOKUP_METHOD,
-    ) -> *mut X509_LOOKUP;
-
     pub fn X509_STORE_set_default_paths(store: *mut X509_STORE) -> c_int;
     pub fn X509_STORE_set_flags(store: *mut X509_STORE, flags: c_ulong) -> c_int;
     pub fn X509_STORE_set_purpose(ctx: *mut X509_STORE, purpose: c_int) -> c_int;
@@ -55,6 +54,10 @@ extern "C" {
 
 const_ptr_api! {
     extern "C" {
+        pub fn X509_STORE_add_lookup(
+            store: *mut X509_STORE,
+            meth: #[const_ptr_if(libressl400)] X509_LOOKUP_METHOD,
+        ) -> *mut X509_LOOKUP;
         pub fn X509_STORE_set1_param(store: *mut X509_STORE, pm: #[const_ptr_if(ossl300)] X509_VERIFY_PARAM) -> c_int;
     }
 }

openssl/Cargo.toml

@@ -8,7 +8,8 @@ repository = "https://github.com/sfackler/rust-openssl"
 readme = "README.md"
 keywords = ["crypto", "tls", "ssl", "dtls"]
 categories = ["cryptography", "api-bindings"]
-edition = "2018"
+edition = "2021"
+rust-version = "1.63.0"
 
 # these are deprecated and don't do anything anymore
 [features]
@@ -33,4 +34,4 @@ openssl-macros = { version = "0.1.0", path = "../openssl-macros" }
 ffi = { package = "openssl-sys", version = "0.9.103", path = "../openssl-sys" }
 
 [dev-dependencies]
-hex = "0.3"
+hex = "0.4"

openssl/src/cipher_ctx.rs

@@ -328,10 +328,6 @@ impl CipherCtxRef {
     ///
     /// Panics if the context has not been initialized with a cipher or if the buffer is smaller than the cipher's key
     /// length.
-    ///
-    /// This corresponds to [`EVP_CIPHER_CTX_rand_key`].
-    ///
-    /// [`EVP_CIPHER_CTX_rand_key`]: https://www.openssl.org/docs/manmaster/man3/EVP_CIPHER_CTX_rand_key.html
     #[corresponds(EVP_CIPHER_CTX_rand_key)]
     #[cfg(not(boringssl))]
     pub fn rand_key(&self, buf: &mut [u8]) -> Result<(), ErrorStack> {

openssl/src/hash.rs

@@ -41,6 +41,7 @@ use std::ptr;
 use crate::error::ErrorStack;
 use crate::nid::Nid;
 use crate::{cvt, cvt_p};
+use openssl_macros::corresponds;
 
 cfg_if! {
     if #[cfg(any(ossl110, boringssl, libressl382))] {
@@ -65,10 +66,7 @@ impl MessageDigest {
     }
 
     /// Returns the `MessageDigest` corresponding to an `Nid`.
-    ///
-    /// This corresponds to [`EVP_get_digestbynid`].
-    ///
-    /// [`EVP_get_digestbynid`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestInit.html
+    #[corresponds(EVP_get_digestbynid)]
     pub fn from_nid(type_: Nid) -> Option<MessageDigest> {
         ffi::init();
         unsafe {
@@ -82,10 +80,7 @@ impl MessageDigest {
     }
 
     /// Returns the `MessageDigest` corresponding to an algorithm name.
-    ///
-    /// This corresponds to [`EVP_get_digestbyname`].
-    ///
-    /// [`EVP_get_digestbyname`]: https://www.openssl.org/docs/manmaster/crypto/EVP_DigestInit.html
+    #[corresponds(EVP_get_digestbyname)]
     pub fn from_name(name: &str) -> Option<MessageDigest> {
         ffi::init();
         let name = CString::new(name).ok()?;

openssl/src/md_ctx.rs

@@ -85,7 +85,7 @@ use crate::error::ErrorStack;
 use crate::md::MdRef;
 use crate::pkey::{HasPrivate, HasPublic, PKeyRef};
 use crate::pkey_ctx::PkeyCtxRef;
-use crate::{cvt, cvt_n, cvt_p};
+use crate::{cvt, cvt_p};
 use cfg_if::cfg_if;
 use foreign_types::{ForeignType, ForeignTypeRef};
 use openssl_macros::corresponds;
@@ -309,12 +309,21 @@ impl MdCtxRef {
     #[inline]
     pub fn digest_verify_final(&mut self, signature: &[u8]) -> Result<bool, ErrorStack> {
         unsafe {
-            let r = cvt_n(ffi::EVP_DigestVerifyFinal(
+            let r = ffi::EVP_DigestVerifyFinal(
                 self.as_ptr(),
                 signature.as_ptr() as *mut _,
                 signature.len(),
-            ))?;
-            Ok(r == 1)
+            );
+            if r == 1 {
+                Ok(true)
+            } else {
+                let errors = ErrorStack::get();
+                if errors.errors().is_empty() {
+                    Ok(false)
+                } else {
+                    Err(errors)
+                }
+            }
         }
     }
 
@@ -424,8 +433,11 @@ mod test {
 
         ctx.digest_verify_init(Some(md), &key1).unwrap();
         ctx.digest_verify_update(bad_data).unwrap();
-        let valid = ctx.digest_verify_final(&signature).unwrap();
-        assert!(!valid);
+        assert!(matches!(
+            ctx.digest_verify_final(&signature),
+            Ok(false) | Err(_)
+        ));
+        assert!(ErrorStack::get().errors().is_empty());
     }
 
     #[test]

openssl/src/nid.rs

@@ -79,8 +79,6 @@ impl Nid {
     }
 
     /// Returns the `Nid`s of the digest and public key algorithms associated with a signature ID.
-    ///
-    /// This corresponds to `OBJ_find_sigid_algs`.
     #[corresponds(OBJ_find_sigid_algs)]
     #[allow(clippy::trivially_copy_pass_by_ref)]
     pub fn signature_algorithms(&self) -> Option<SignatureAlgorithms> {

openssl/src/rsa.rs

@@ -234,14 +234,18 @@ where
 
     /// Validates RSA parameters for correctness
     #[corresponds(RSA_check_key)]
-    #[allow(clippy::unnecessary_cast)]
     pub fn check_key(&self) -> Result<bool, ErrorStack> {
         unsafe {
-            let result = ffi::RSA_check_key(self.as_ptr()) as i32;
-            if result == -1 {
-                Err(ErrorStack::get())
+            let result = ffi::RSA_check_key(self.as_ptr());
+            if result != 1 {
+                let errors = ErrorStack::get();
+                if errors.errors().is_empty() {
+                    Ok(false)
+                } else {
+                    Err(errors)
+                }
             } else {
-                Ok(result == 1)
+                Ok(true)
             }
         }
     }
@@ -849,4 +853,21 @@ mod test {
         let e = BigNum::from_u32(0x10001).unwrap();
         Rsa::generate_with_e(2048, &e).unwrap();
     }
+
+    #[test]
+    fn test_check_key() {
+        let k = Rsa::private_key_from_pem_passphrase(
+            include_bytes!("../test/rsa-encrypted.pem"),
+            b"mypass",
+        )
+        .unwrap();
+        assert!(matches!(k.check_key(), Ok(true)));
+        assert!(ErrorStack::get().errors().is_empty());
+
+        // BoringSSL simply rejects this key, because its corrupted!
+        if let Ok(k) = Rsa::private_key_from_pem(include_bytes!("../test/corrupted-rsa.pem")) {
+            assert!(matches!(k.check_key(), Ok(false) | Err(_)));
+            assert!(ErrorStack::get().errors().is_empty());
+        }
+    }
 }