Merge remote-tracking branch 'openssl/master'

G3-OSS · Jan 20, 2024 · 22237bb · 22237bb
2 parents 8d2894c + cc2850f
commit 22237bb
Show file tree

Hide file tree

Showing 5 changed files with 173 additions and 7 deletions.
diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md
@@ -2,6 +2,17 @@
 
 ## [Unreleased]
 
+## [v0.9.99] - 2024-01-19
+
+### Added
+
+* On macOS added Homebrew's `openssl@3.0` to the list of candidates to build against.
+* `NID_brainpoolP256r1`, `NID_brainpoolP320r1`, `NID_brainpoolP384r1`, and `NID_brainpoolP512r1` are now available on LibreSSL.
+
+### Changed
+
+* `X509_PURPOSE` is now opaque on LibreSSL 3.9.0+.
+
 ## [v0.9.98] - 2023-12-22
 
 ### Added
@@ -567,7 +578,8 @@ Fixed builds against OpenSSL built with `no-cast`.
 * Added `X509_verify` and `X509_REQ_verify`.
 * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`.
 
-[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.98..master
+[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.99..master
+[v0.9.99]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.98...openssl-sys-v0.9.99
 [v0.9.98]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.97...openssl-sys-v0.9.98
 [v0.9.97]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.96...openssl-sys-v0.9.97
 [v0.9.96]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.95...openssl-sys-v0.9.96

diff --git a/openssl-sys/src/obj_mac.rs b/openssl-sys/src/obj_mac.rs
@@ -94,14 +94,27 @@ pub const NID_sect409k1: c_int = 731;
 pub const NID_sect409r1: c_int = 732;
 pub const NID_sect571k1: c_int = 733;
 pub const NID_sect571r1: c_int = 734;
+
 #[cfg(ossl110)]
 pub const NID_brainpoolP256r1: c_int = 927;
+#[cfg(libressl)]
+pub const NID_brainpoolP256r1: c_int = 928;
+
 #[cfg(ossl110)]
 pub const NID_brainpoolP320r1: c_int = 929;
+#[cfg(libressl)]
+pub const NID_brainpoolP320r1: c_int = 930;
+
 #[cfg(ossl110)]
 pub const NID_brainpoolP384r1: c_int = 931;
+#[cfg(libressl)]
+pub const NID_brainpoolP384r1: c_int = 932;
+
 #[cfg(ossl110)]
 pub const NID_brainpoolP512r1: c_int = 933;
+#[cfg(libressl)]
+pub const NID_brainpoolP512r1: c_int = 934;
+
 pub const NID_wap_wsg_idm_ecid_wtls1: c_int = 735;
 pub const NID_wap_wsg_idm_ecid_wtls3: c_int = 736;
 pub const NID_wap_wsg_idm_ecid_wtls4: c_int = 737;

diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md
@@ -2,6 +2,21 @@
 
 ## [Unreleased]
 
+## [v0.10.63] - 2024-01-19
+
+### Added
+
+* Added `Pkcs7Ref::{type_,signed}`.
+* Added `Pkcs7SignedRef::certificates`.
+* Added `Cipher::{aes_256_xts,des_ede3_ecb,des_ede3_cfb8,des_ede3_ofb,camellia128_ofb,camellia192_ofb,camellia256_ofb,cast5_ofb,idea_ofb}`
+* Added `PKey::from_dhx`
+* Added `PKey::{public_key_from_pem_passphrase,public_key_from_pem_callback}`.
+
+### Changed
+
+* `Cipher::aes_128_ofb` is now available on BoringSSL
+* `Nid::{BRAINPOOL_P256R1,BRAINPOOL_P320R1,BRAINPOOL_P384R1,BRAINPOOL_P512R1}` are now available on LibreSSL.
+
 ## [v0.10.62] - 2023-12-22
 
 ### Added
@@ -869,7 +884,8 @@
 
 Look at the [release tags] for information about older releases.
 
-[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.62...master
+[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.63...master
+[v0.10.63]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.62...openssl-v0.10.63
 [v0.10.62]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.61...openssl-v0.10.62
 [v0.10.61]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.60...openssl-v0.10.61
 [v0.10.60]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.59...openssl-v0.10.60

diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs
@@ -215,13 +215,13 @@ impl Nid {
     pub const SECT409R1: Nid = Nid(ffi::NID_sect409r1);
     pub const SECT571K1: Nid = Nid(ffi::NID_sect571k1);
     pub const SECT571R1: Nid = Nid(ffi::NID_sect571r1);
-    #[cfg(ossl110)]
+    #[cfg(any(ossl110, libressl))]
     pub const BRAINPOOL_P256R1: Nid = Nid(ffi::NID_brainpoolP256r1);
-    #[cfg(ossl110)]
+    #[cfg(any(ossl110, libressl))]
     pub const BRAINPOOL_P320R1: Nid = Nid(ffi::NID_brainpoolP320r1);
-    #[cfg(ossl110)]
+    #[cfg(any(ossl110, libressl))]
     pub const BRAINPOOL_P384R1: Nid = Nid(ffi::NID_brainpoolP384r1);
-    #[cfg(ossl110)]
+    #[cfg(any(ossl110, libressl))]
     pub const BRAINPOOL_P512R1: Nid = Nid(ffi::NID_brainpoolP512r1);
     pub const WAP_WSG_IDM_ECID_WTLS1: Nid = Nid(ffi::NID_wap_wsg_idm_ecid_wtls1);
     pub const WAP_WSG_IDM_ECID_WTLS3: Nid = Nid(ffi::NID_wap_wsg_idm_ecid_wtls3);

diff --git a/openssl/src/pkcs7.rs b/openssl/src/pkcs7.rs
@@ -4,16 +4,31 @@ use libc::c_int;
 use std::mem;
 use std::ptr;
 
+use crate::asn1::Asn1ObjectRef;
 use crate::bio::{MemBio, MemBioSlice};
 use crate::error::ErrorStack;
+use crate::nid::Nid;
 use crate::pkey::{HasPrivate, PKeyRef};
-use crate::stack::{Stack, StackRef};
+use crate::stack::{Stack, StackRef, Stackable};
 use crate::symm::Cipher;
+use crate::util::ForeignTypeRefExt;
 use crate::x509::store::X509StoreRef;
 use crate::x509::{X509Ref, X509};
 use crate::{cvt, cvt_p};
 use openssl_macros::corresponds;
 
+foreign_type_and_impl_send_sync! {
+    type CType = ffi::PKCS7_SIGNER_INFO;
+    fn drop = ffi::PKCS7_SIGNER_INFO_free;
+
+    pub struct Pkcs7SignerInfo;
+    pub struct Pkcs7SignerInfoRef;
+}
+
+impl Stackable for Pkcs7SignerInfo {
+    type StackType = ffi::stack_st_PKCS7_SIGNER_INFO;
+}
+
 foreign_type_and_impl_send_sync! {
     type CType = ffi::PKCS7;
     fn drop = ffi::PKCS7_free;
@@ -27,6 +42,19 @@ foreign_type_and_impl_send_sync! {
     pub struct Pkcs7Ref;
 }
 
+foreign_type_and_impl_send_sync! {
+    type CType = ffi::PKCS7_SIGNED;
+    fn drop = ffi::PKCS7_SIGNED_free;
+
+    /// A PKCS#7 signed data structure.
+    ///
+    /// Contains signed data.
+    pub struct Pkcs7Signed;
+
+    /// Reference to `Pkcs7Signed`
+    pub struct Pkcs7SignedRef;
+}
+
 bitflags! {
     #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
     #[repr(transparent)]
@@ -281,11 +309,43 @@ impl Pkcs7Ref {
             Ok(stack)
         }
     }
+
+    /// Return the type of a PKCS#7 structure as an Asn1Object
+    pub fn type_(&self) -> Option<&Asn1ObjectRef> {
+        unsafe {
+            let ptr = (*self.as_ptr()).type_;
+            Asn1ObjectRef::from_const_ptr_opt(ptr)
+        }
+    }
+
+    /// Get the signed data of a PKCS#7 structure of type PKCS7_SIGNED
+    pub fn signed(&self) -> Option<&Pkcs7SignedRef> {
+        unsafe {
+            if self.type_().map(|x| x.nid()) != Some(Nid::PKCS7_SIGNED) {
+                return None;
+            }
+            let signed_data = (*self.as_ptr()).d.sign;
+            Pkcs7SignedRef::from_const_ptr_opt(signed_data)
+        }
+    }
+}
+
+impl Pkcs7SignedRef {
+    /// Get the stack of certificates from the PKCS7_SIGNED object
+    pub fn certificates(&self) -> Option<&StackRef<X509>> {
+        unsafe {
+            self.as_ptr()
+                .as_ref()
+                .and_then(|x| x.cert.as_mut())
+                .and_then(|x| StackRef::<X509>::from_const_ptr_opt(x))
+        }
+    }
 }
 
 #[cfg(test)]
 mod tests {
     use crate::hash::MessageDigest;
+    use crate::nid::Nid;
     use crate::pkcs7::{Pkcs7, Pkcs7Flags};
     use crate::pkey::PKey;
     use crate::stack::Stack;
@@ -307,6 +367,10 @@ mod tests {
 
         let pkcs7 =
             Pkcs7::encrypt(&certs, message.as_bytes(), cipher, flags).expect("should succeed");
+        assert_eq!(
+            pkcs7.type_().expect("PKCS7 should have a type").nid(),
+            Nid::PKCS7_ENVELOPED
+        );
 
         let encrypted = pkcs7
             .to_smime(message.as_bytes(), flags)
@@ -340,6 +404,10 @@ mod tests {
 
         let pkcs7 =
             Pkcs7::sign(&cert, &pkey, &certs, message.as_bytes(), flags).expect("should succeed");
+        assert_eq!(
+            pkcs7.type_().expect("PKCS7 should have a type").nid(),
+            Nid::PKCS7_SIGNED
+        );
 
         let signed = pkcs7
             .to_smime(message.as_bytes(), flags)
@@ -384,6 +452,10 @@ mod tests {
 
         let pkcs7 =
             Pkcs7::sign(&cert, &pkey, &certs, message.as_bytes(), flags).expect("should succeed");
+        assert_eq!(
+            pkcs7.type_().expect("PKCS7 should have a type").nid(),
+            Nid::PKCS7_SIGNED
+        );
 
         let signed = pkcs7
             .to_smime(message.as_bytes(), flags)
@@ -421,6 +493,10 @@ mod tests {
 
         let pkcs7 =
             Pkcs7::sign(&cert, &pkey, &certs, message.as_bytes(), flags).expect("should succeed");
+        assert_eq!(
+            pkcs7.type_().expect("PKCS7 should have a type").nid(),
+            Nid::PKCS7_SIGNED
+        );
 
         let signed = pkcs7
             .to_smime(message.as_bytes(), flags)
@@ -445,4 +521,53 @@ mod tests {
 
         assert!(result.is_err());
     }
+
+    #[test]
+    fn signed_data_certificates() {
+        let cert = include_bytes!("../test/cert.pem");
+        let cert = X509::from_pem(cert).unwrap();
+        let mut extra_certs = Stack::<X509>::new().unwrap();
+        for cert in
+            X509::stack_from_pem(include_bytes!("../test/certs.pem")).expect("should succeed")
+        {
+            extra_certs.push(cert).expect("should succeed");
+        }
+
+        let message = "foo";
+        let flags = Pkcs7Flags::STREAM;
+        let pkey = include_bytes!("../test/key.pem");
+        let pkey = PKey::private_key_from_pem(pkey).unwrap();
+
+        let pkcs7 = Pkcs7::sign(&cert, &pkey, &extra_certs, message.as_bytes(), flags)
+            .expect("should succeed");
+        assert_eq!(
+            pkcs7.type_().expect("PKCS7 should have a type").nid(),
+            Nid::PKCS7_SIGNED
+        );
+        let signed_data_certs = pkcs7.signed().and_then(|x| x.certificates());
+        assert_eq!(signed_data_certs.expect("should succeed").len(), 3);
+    }
+
+    #[test]
+    fn signed_data_certificates_no_signed_data() {
+        let cert = include_bytes!("../test/certs.pem");
+        let cert = X509::from_pem(cert).unwrap();
+        let mut certs = Stack::new().unwrap();
+        certs.push(cert).unwrap();
+        let message: String = String::from("foo");
+        let cipher = Cipher::des_ede3_cbc();
+        let flags = Pkcs7Flags::STREAM;
+
+        // Use `Pkcs7::encrypt` since it populates the PKCS7_ENVELOPE struct rather than
+        // PKCS7_SIGNED
+        let pkcs7 =
+            Pkcs7::encrypt(&certs, message.as_bytes(), cipher, flags).expect("should succeed");
+        assert_eq!(
+            pkcs7.type_().expect("PKCS7 should have a type").nid(),
+            Nid::PKCS7_ENVELOPED
+        );
+
+        let signed_data_certs = pkcs7.signed().and_then(|x| x.certificates());
+        assert!(signed_data_certs.is_none())
+    }
 }