Merge pull request #2155 from zh-jq/update-boringssl

enable x509 verify and groups list for boringssl

Author: alex

openssl/src/ssl/mod.rs

@@ -79,7 +79,7 @@ use crate::ssl::error::InnerError;
 use crate::stack::{Stack, StackRef, Stackable};
 use crate::util::{ForeignTypeExt, ForeignTypeRefExt};
 use crate::x509::store::{X509Store, X509StoreBuilderRef, X509StoreRef};
-#[cfg(any(ossl102, libressl261))]
+#[cfg(any(ossl102, boringssl, libressl261))]
 use crate::x509::verify::X509VerifyParamRef;
 use crate::x509::{X509Name, X509Ref, X509StoreContextRef, X509VerifyResult, X509};
 use crate::{cvt, cvt_n, cvt_p, init};
@@ -1307,18 +1307,18 @@ impl SslContextBuilder {
 
     /// Returns a reference to the X509 verification configuration.
     ///
-    /// Requires OpenSSL 1.0.2 or newer.
+    /// Requires BoringSSL or OpenSSL 1.0.2 or newer.
     #[corresponds(SSL_CTX_get0_param)]
-    #[cfg(any(ossl102, libressl261))]
+    #[cfg(any(ossl102, boringssl, libressl261))]
     pub fn verify_param(&self) -> &X509VerifyParamRef {
         unsafe { X509VerifyParamRef::from_ptr(ffi::SSL_CTX_get0_param(self.as_ptr())) }
     }
 
     /// Returns a mutable reference to the X509 verification configuration.
     ///
-    /// Requires OpenSSL 1.0.2 or newer.
+    /// Requires BoringSSL or OpenSSL 1.0.2 or newer.
     #[corresponds(SSL_CTX_get0_param)]
-    #[cfg(any(ossl102, libressl261))]
+    #[cfg(any(ossl102, boringssl, libressl261))]
     pub fn verify_param_mut(&mut self) -> &mut X509VerifyParamRef {
         unsafe { X509VerifyParamRef::from_ptr_mut(ffi::SSL_CTX_get0_param(self.as_ptr())) }
     }
@@ -1719,9 +1719,9 @@ impl SslContextBuilder {
 
     /// Sets the context's supported elliptic curve groups.
     ///
-    /// Requires OpenSSL 1.1.1 or LibreSSL 2.5.1 or newer.
+    /// Requires BoringSSL or OpenSSL 1.1.1 or LibreSSL 2.5.1 or newer.
     #[corresponds(SSL_CTX_set1_groups_list)]
-    #[cfg(any(ossl111, libressl251))]
+    #[cfg(any(ossl111, boringssl, libressl251))]
     pub fn set_groups_list(&mut self, groups: &str) -> Result<(), ErrorStack> {
         let groups = CString::new(groups).unwrap();
         unsafe {
@@ -2769,9 +2769,9 @@ impl SslRef {
 
     /// Returns a mutable reference to the X509 verification configuration.
     ///
-    /// Requires OpenSSL 1.0.2 or newer.
+    /// Requires BoringSSL or OpenSSL 1.0.2 or newer.
     #[corresponds(SSL_get0_param)]
-    #[cfg(any(ossl102, libressl261))]
+    #[cfg(any(ossl102, boringssl, libressl261))]
     pub fn param_mut(&mut self) -> &mut X509VerifyParamRef {
         unsafe { X509VerifyParamRef::from_ptr_mut(ffi::SSL_get0_param(self.as_ptr())) }
     }

openssl/src/x509/mod.rs

@@ -41,7 +41,7 @@ use crate::util::{ForeignTypeExt, ForeignTypeRefExt};
 use crate::{cvt, cvt_n, cvt_p, cvt_p_const};
 use openssl_macros::corresponds;
 
-#[cfg(any(ossl102, libressl261))]
+#[cfg(any(ossl102, boringssl, libressl261))]
 pub mod verify;
 
 pub mod extension;

openssl/src/x509/store.rs

@@ -52,7 +52,7 @@ use crate::ssl::SslFiletype;
 use crate::stack::Stack;
 use crate::stack::StackRef;
 use crate::util::ForeignTypeRefExt;
-#[cfg(any(ossl102, libressl261))]
+#[cfg(any(ossl102, boringssl, libressl261))]
 use crate::x509::verify::{X509VerifyFlags, X509VerifyParamRef};
 use crate::x509::{X509Object, X509PurposeId, X509};
 use crate::{cvt, cvt_p};
@@ -123,7 +123,7 @@ impl X509StoreBuilderRef {
 
     /// Sets certificate chain validation related flags.
     #[corresponds(X509_STORE_set_flags)]
-    #[cfg(any(ossl102, libressl261))]
+    #[cfg(any(ossl102, boringssl, libressl261))]
     pub fn set_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> {
         unsafe { cvt(ffi::X509_STORE_set_flags(self.as_ptr(), flags.bits())).map(|_| ()) }
     }
@@ -137,7 +137,7 @@ impl X509StoreBuilderRef {
 
     /// Sets certificate chain validation related parameters.
     #[corresponds[X509_STORE_set1_param]]
-    #[cfg(any(ossl102, libressl261))]
+    #[cfg(any(ossl102, boringssl, libressl261))]
     pub fn set_param(&mut self, param: &X509VerifyParamRef) -> Result<(), ErrorStack> {
         unsafe { cvt(ffi::X509_STORE_set1_param(self.as_ptr(), param.as_ptr())).map(|_| ()) }
     }

openssl/src/x509/tests.rs

@@ -16,11 +16,11 @@ use crate::x509::extension::{
 #[cfg(not(boringssl))]
 use crate::x509::store::X509Lookup;
 use crate::x509::store::X509StoreBuilder;
-#[cfg(any(ossl102, libressl261))]
+#[cfg(any(ossl102, boringssl, libressl261))]
 use crate::x509::verify::{X509VerifyFlags, X509VerifyParam};
-#[cfg(ossl102)]
+#[cfg(any(ossl102, boringssl))]
 use crate::x509::X509PurposeId;
-#[cfg(any(ossl102, libressl261))]
+#[cfg(any(ossl102, boringssl, libressl261))]
 use crate::x509::X509PurposeRef;
 #[cfg(ossl110)]
 use crate::x509::{CrlReason, X509Builder};
@@ -31,7 +31,7 @@ use crate::x509::{
 #[cfg(ossl110)]
 use foreign_types::ForeignType;
 use hex::{self, FromHex};
-#[cfg(any(ossl102, libressl261))]
+#[cfg(any(ossl102, boringssl, libressl261))]
 use libc::time_t;
 
 use super::{AuthorityInformationAccess, CertificateIssuer, ReasonCode};
@@ -557,7 +557,7 @@ fn test_verify_fails() {
 }
 
 #[test]
-#[cfg(any(ossl102, libressl261))]
+#[cfg(any(ossl102, boringssl, libressl261))]
 fn test_verify_fails_with_crl_flag_set_and_no_crl() {
     let cert = include_bytes!("../../test/cert.pem");
     let cert = X509::from_pem(cert).unwrap();
@@ -584,7 +584,7 @@ fn test_verify_fails_with_crl_flag_set_and_no_crl() {
 }
 
 #[test]
-#[cfg(any(ossl102, libressl261))]
+#[cfg(any(ossl102, boringssl, libressl261))]
 fn test_verify_cert_with_purpose() {
     let cert = include_bytes!("../../test/cert.pem");
     let cert = X509::from_pem(cert).unwrap();
@@ -611,7 +611,7 @@ fn test_verify_cert_with_purpose() {
 }
 
 #[test]
-#[cfg(any(ossl102, libressl261))]
+#[cfg(any(ossl102, boringssl, libressl261))]
 fn test_verify_cert_with_wrong_purpose_fails() {
     let cert = include_bytes!("../../test/cert.pem");
     let cert = X509::from_pem(cert).unwrap();
@@ -846,7 +846,7 @@ fn test_name_to_owned() {
 }
 
 #[test]
-#[cfg(any(ossl102, libressl261))]
+#[cfg(any(ossl102, boringssl, libressl261))]
 fn test_verify_param_set_time_fails_verification() {
     const TEST_T_2030: time_t = 1893456000;
 
@@ -877,7 +877,7 @@ fn test_verify_param_set_time_fails_verification() {
 }
 
 #[test]
-#[cfg(any(ossl102, libressl261))]
+#[cfg(any(ossl102, boringssl, libressl261))]
 fn test_verify_param_set_time() {
     const TEST_T_2020: time_t = 1577836800;
 
@@ -901,7 +901,7 @@ fn test_verify_param_set_time() {
 }
 
 #[test]
-#[cfg(any(ossl102, libressl261))]
+#[cfg(any(ossl102, boringssl, libressl261))]
 fn test_verify_param_set_depth() {
     let cert = include_bytes!("../../test/leaf.pem");
     let cert = X509::from_pem(cert).unwrap();
@@ -928,7 +928,7 @@ fn test_verify_param_set_depth() {
 }
 
 #[test]
-#[cfg(any(ossl102, libressl261))]
+#[cfg(any(ossl102, boringssl, libressl261))]
 #[allow(clippy::bool_to_int_with_if)]
 fn test_verify_param_set_depth_fails_verification() {
     let cert = include_bytes!("../../test/leaf.pem");
@@ -1003,7 +1003,7 @@ fn test_verify_param_auth_level() {
 }
 
 #[test]
-#[cfg(ossl102)]
+#[cfg(any(ossl102, boringssl))]
 fn test_set_purpose() {
     let cert = include_bytes!("../../test/leaf.pem");
     let cert = X509::from_pem(cert).unwrap();
@@ -1028,7 +1028,7 @@ fn test_set_purpose() {
 }
 
 #[test]
-#[cfg(ossl102)]
+#[cfg(any(ossl102, boringssl))]
 fn test_set_purpose_fails_verification() {
     let cert = include_bytes!("../../test/leaf.pem");
     let cert = X509::from_pem(cert).unwrap();

openssl/src/x509/verify.rs

@@ -4,7 +4,7 @@ use libc::{c_int, c_uint, c_ulong, time_t};
 use std::net::IpAddr;
 
 use crate::error::ErrorStack;
-#[cfg(ossl102)]
+#[cfg(any(ossl102, boringssl))]
 use crate::x509::X509PurposeId;
 use crate::{cvt, cvt_p};
 use openssl_macros::corresponds;
@@ -14,17 +14,17 @@ bitflags! {
     #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
     #[repr(transparent)]
     pub struct X509CheckFlags: c_uint {
-        const ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT;
-        const NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS;
-        const NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
-        const MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS;
-        const SINGLE_LABEL_SUBDOMAINS = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS;
+        const ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT as _;
+        const NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS as _;
+        const NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS as _;
+        const MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS as _;
+        const SINGLE_LABEL_SUBDOMAINS = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS as _;
         /// Requires OpenSSL 1.1.0 or newer.
         #[cfg(any(ossl110))]
         const NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
 
         #[deprecated(since = "0.10.6", note = "renamed to NO_WILDCARDS")]
-        const FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS;
+        const FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS as _;
     }
 }
 
@@ -33,35 +33,35 @@ bitflags! {
     #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
     #[repr(transparent)]
     pub struct X509VerifyFlags: c_ulong {
-        const CB_ISSUER_CHECK = ffi::X509_V_FLAG_CB_ISSUER_CHECK;
-        const USE_CHECK_TIME = ffi::X509_V_FLAG_USE_CHECK_TIME;
-        const CRL_CHECK = ffi::X509_V_FLAG_CRL_CHECK;
-        const CRL_CHECK_ALL = ffi::X509_V_FLAG_CRL_CHECK_ALL;
-        const IGNORE_CRITICAL = ffi::X509_V_FLAG_IGNORE_CRITICAL;
-        const X509_STRICT = ffi::X509_V_FLAG_X509_STRICT;
-        const ALLOW_PROXY_CERTS = ffi::X509_V_FLAG_ALLOW_PROXY_CERTS;
-        const POLICY_CHECK = ffi::X509_V_FLAG_POLICY_CHECK;
-        const EXPLICIT_POLICY = ffi::X509_V_FLAG_EXPLICIT_POLICY;
-        const INHIBIT_ANY = ffi::X509_V_FLAG_INHIBIT_ANY;
-        const INHIBIT_MAP = ffi::X509_V_FLAG_INHIBIT_MAP;
-        const NOTIFY_POLICY = ffi::X509_V_FLAG_NOTIFY_POLICY;
-        const EXTENDED_CRL_SUPPORT = ffi::X509_V_FLAG_EXTENDED_CRL_SUPPORT;
-        const USE_DELTAS = ffi::X509_V_FLAG_USE_DELTAS;
-        const CHECK_SS_SIGNATURE = ffi::X509_V_FLAG_CHECK_SS_SIGNATURE;
-        #[cfg(ossl102)]
-        const TRUSTED_FIRST = ffi::X509_V_FLAG_TRUSTED_FIRST;
+        const CB_ISSUER_CHECK = ffi::X509_V_FLAG_CB_ISSUER_CHECK as _;
+        const USE_CHECK_TIME = ffi::X509_V_FLAG_USE_CHECK_TIME as _;
+        const CRL_CHECK = ffi::X509_V_FLAG_CRL_CHECK as _;
+        const CRL_CHECK_ALL = ffi::X509_V_FLAG_CRL_CHECK_ALL as _;
+        const IGNORE_CRITICAL = ffi::X509_V_FLAG_IGNORE_CRITICAL as _;
+        const X509_STRICT = ffi::X509_V_FLAG_X509_STRICT as _;
+        const ALLOW_PROXY_CERTS = ffi::X509_V_FLAG_ALLOW_PROXY_CERTS as _;
+        const POLICY_CHECK = ffi::X509_V_FLAG_POLICY_CHECK as _;
+        const EXPLICIT_POLICY = ffi::X509_V_FLAG_EXPLICIT_POLICY as _;
+        const INHIBIT_ANY = ffi::X509_V_FLAG_INHIBIT_ANY as _;
+        const INHIBIT_MAP = ffi::X509_V_FLAG_INHIBIT_MAP as _;
+        const NOTIFY_POLICY = ffi::X509_V_FLAG_NOTIFY_POLICY as _;
+        const EXTENDED_CRL_SUPPORT = ffi::X509_V_FLAG_EXTENDED_CRL_SUPPORT as _;
+        const USE_DELTAS = ffi::X509_V_FLAG_USE_DELTAS as _;
+        const CHECK_SS_SIGNATURE = ffi::X509_V_FLAG_CHECK_SS_SIGNATURE as _;
+        #[cfg(any(ossl102, boringssl))]
+        const TRUSTED_FIRST = ffi::X509_V_FLAG_TRUSTED_FIRST as _;
         #[cfg(ossl102)]
         const SUITEB_128_LOS_ONLY = ffi::X509_V_FLAG_SUITEB_128_LOS_ONLY;
         #[cfg(ossl102)]
         const SUITEB_192_LOS = ffi::X509_V_FLAG_SUITEB_128_LOS;
         #[cfg(ossl102)]
         const SUITEB_128_LOS = ffi::X509_V_FLAG_SUITEB_192_LOS;
-        #[cfg(ossl102)]
-        const PARTIAL_CHAIN = ffi::X509_V_FLAG_PARTIAL_CHAIN;
-        #[cfg(ossl110)]
-        const NO_ALT_CHAINS = ffi::X509_V_FLAG_NO_ALT_CHAINS;
-        #[cfg(ossl110)]
-        const NO_CHECK_TIME = ffi::X509_V_FLAG_NO_CHECK_TIME;
+        #[cfg(any(ossl102, boringssl))]
+        const PARTIAL_CHAIN = ffi::X509_V_FLAG_PARTIAL_CHAIN as _;
+        #[cfg(any(ossl110, boringssl))]
+        const NO_ALT_CHAINS = ffi::X509_V_FLAG_NO_ALT_CHAINS as _;
+        #[cfg(any(ossl110, boringssl))]
+        const NO_CHECK_TIME = ffi::X509_V_FLAG_NO_CHECK_TIME as _;
     }
 }
 
@@ -208,7 +208,7 @@ impl X509VerifyParamRef {
 
     /// Sets the verification purpose
     #[corresponds(X509_VERIFY_PARAM_set_purpose)]
-    #[cfg(ossl102)]
+    #[cfg(any(ossl102, boringssl))]
     pub fn set_purpose(&mut self, purpose: X509PurposeId) -> Result<(), ErrorStack> {
         unsafe { cvt(ffi::X509_VERIFY_PARAM_set_purpose(self.as_ptr(), purpose.0)).map(|_| ()) }
     }