Compare commits
1 Commits
main
...
jrose/bori
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
f23bb2d478 |
10
.github/workflows/ci.yml
vendored
10
.github/workflows/ci.yml
vendored
@ -4,6 +4,7 @@ on:
|
||||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
- v4.x
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
@ -225,15 +226,6 @@ jobs:
|
||||
RUSTC_BOOTSTRAP: 1 # for -Z checksum-freshness
|
||||
# CI's Windows doesn't have required root certs
|
||||
extra_test_args: --workspace --exclude tokio-boring --exclude hyper-boring -Z checksum-freshness
|
||||
- thing: x86_64-msvc-static
|
||||
target: x86_64-pc-windows-msvc
|
||||
rust: stable-x86_64-msvc
|
||||
os: windows-latest
|
||||
custom_env:
|
||||
RUSTC_BOOTSTRAP: 1 # for -Z checksum-freshness
|
||||
RUSTFLAGS: -Dwarnings -C target-feature=+crt-static
|
||||
# CI's Windows doesn't have required root certs
|
||||
extra_test_args: --workspace --exclude tokio-boring --exclude hyper-boring -Z checksum-freshness
|
||||
env:
|
||||
CARGO_HOME: ${{ github.workspace }}/.cache/cargo
|
||||
CARGO_BUILD_BUILD_DIR: ${{ github.workspace }}/.cache/build-dir
|
||||
|
||||
@ -8,7 +8,7 @@ members = [
|
||||
resolver = "2"
|
||||
|
||||
[workspace.package]
|
||||
version = "5.0.2"
|
||||
version = "5.0.1"
|
||||
rust-version = "1.85"
|
||||
repository = "https://github.com/cloudflare/boring"
|
||||
edition = "2021"
|
||||
@ -20,9 +20,9 @@ tag-prefix = ""
|
||||
publish = false
|
||||
|
||||
[workspace.dependencies]
|
||||
boring-sys = { version = "5.0.2", path = "./boring-sys", default-features = false }
|
||||
boring = { version = "5.0.2", path = "./boring", default-features = false }
|
||||
tokio-boring = { version = "5.0.2", path = "./tokio-boring", default-features = false }
|
||||
boring-sys = { version = "5.0.1", path = "./boring-sys", default-features = false }
|
||||
boring = { version = "5.0.1", path = "./boring", default-features = false }
|
||||
tokio-boring = { version = "5.0.1", path = "./tokio-boring", default-features = false }
|
||||
|
||||
bindgen = { version = "0.72.0", default-features = false, features = ["runtime"] }
|
||||
bitflags = "2.9"
|
||||
|
||||
@ -12,7 +12,6 @@ pub(crate) struct Config {
|
||||
pub(crate) target_os: String,
|
||||
pub(crate) unix: bool,
|
||||
pub(crate) target_env: String,
|
||||
pub(crate) target_features: Vec<String>,
|
||||
pub(crate) features: Features,
|
||||
pub(crate) env: Env,
|
||||
}
|
||||
@ -49,12 +48,6 @@ impl Config {
|
||||
let target_env = env::var("CARGO_CFG_TARGET_ENV").unwrap();
|
||||
let unix = env::var("CARGO_CFG_UNIX").is_ok();
|
||||
|
||||
let target_features = env::var("CARGO_CFG_TARGET_FEATURE")
|
||||
.unwrap_or_default()
|
||||
.split(',')
|
||||
.map(|s| s.to_owned())
|
||||
.collect();
|
||||
|
||||
let features = Features::from_env();
|
||||
let env = Env::from_env(&host, &target, features.is_fips_like());
|
||||
|
||||
@ -73,7 +66,6 @@ impl Config {
|
||||
target_os,
|
||||
unix,
|
||||
target_env,
|
||||
target_features,
|
||||
features,
|
||||
env,
|
||||
};
|
||||
|
||||
@ -161,7 +161,7 @@ fn get_boringssl_source_path(config: &Config) -> &Path {
|
||||
/// MSVC generator on Windows place static libs in a target sub-folder,
|
||||
/// so adjust library location based on platform and build target.
|
||||
/// See issue: <https://github.com/alexcrichton/cmake-rs/issues/18>
|
||||
fn msvc_lib_subdir(config: &Config) -> Option<&'static str> {
|
||||
fn get_boringssl_platform_output_path(config: &Config) -> String {
|
||||
if config.target.ends_with("-msvc") {
|
||||
// Code under this branch should match the logic in cmake-rs
|
||||
let debug_env_var = config
|
||||
@ -195,9 +195,9 @@ fn msvc_lib_subdir(config: &Config) -> Option<&'static str> {
|
||||
_ => panic!("Unknown OPT_LEVEL={opt_env_var:?} env var."),
|
||||
};
|
||||
|
||||
Some(subdir)
|
||||
subdir.to_string()
|
||||
} else {
|
||||
None
|
||||
String::new()
|
||||
}
|
||||
}
|
||||
|
||||
@ -217,11 +217,7 @@ fn get_boringssl_cmake_config(config: &Config) -> cmake::Config {
|
||||
// This is required now because newest BoringSSL requires CMake 3.22 which
|
||||
// uses the new logic with CMAKE_MSVC_RUNTIME_LIBRARY introduced in CMake 3.15.
|
||||
// https://github.com/rust-lang/cmake-rs/pull/30#issuecomment-2969758499
|
||||
if config.target_features.iter().any(|f| f == "crt-static") {
|
||||
boringssl_cmake.define("CMAKE_MSVC_RUNTIME_LIBRARY", "MultiThreaded");
|
||||
} else {
|
||||
boringssl_cmake.define("CMAKE_MSVC_RUNTIME_LIBRARY", "MultiThreadedDLL");
|
||||
}
|
||||
boringssl_cmake.define("CMAKE_MSVC_RUNTIME_LIBRARY", "MultiThreadedDLL");
|
||||
}
|
||||
|
||||
if config.host == config.target {
|
||||
@ -527,7 +523,7 @@ fn run_command(command: &mut Command) -> io::Result<Output> {
|
||||
Ok(out)
|
||||
}
|
||||
|
||||
fn build_boringssl_or_get_prebuilt(config: &Config) -> &Path {
|
||||
fn built_boring_source_path(config: &Config) -> &PathBuf {
|
||||
static BUILD_SOURCE_PATH: OnceLock<PathBuf> = OnceLock::new();
|
||||
|
||||
BUILD_SOURCE_PATH.get_or_init(|| {
|
||||
@ -557,13 +553,7 @@ fn build_boringssl_or_get_prebuilt(config: &Config) -> &Path {
|
||||
}
|
||||
|
||||
cfg.build_target("ssl").build();
|
||||
let path = cfg.build_target("crypto").build();
|
||||
let build_dir = path.join("build");
|
||||
if build_dir.exists() {
|
||||
build_dir
|
||||
} else {
|
||||
path
|
||||
}
|
||||
cfg.build_target("crypto").build()
|
||||
})
|
||||
}
|
||||
|
||||
@ -590,23 +580,36 @@ fn main() {
|
||||
}
|
||||
|
||||
fn emit_link_directives(config: &Config) {
|
||||
let bssl_dir = build_boringssl_or_get_prebuilt(config);
|
||||
let msvc_lib_subdir = msvc_lib_subdir(config);
|
||||
let bssl_dir = built_boring_source_path(config);
|
||||
let build_path = get_boringssl_platform_output_path(config);
|
||||
|
||||
let subdirs =
|
||||
if config.is_bazel || (config.features.is_fips_like() && config.env.path.is_some()) {
|
||||
&["lib"][..]
|
||||
} else {
|
||||
&["lib", "crypto", "ssl", ""][..]
|
||||
};
|
||||
|
||||
for subdir in subdirs {
|
||||
let dir = bssl_dir.join(subdir);
|
||||
let dir = msvc_lib_subdir
|
||||
.map(|s| dir.join(s))
|
||||
.filter(|d| d.exists())
|
||||
.unwrap_or(dir);
|
||||
println!("cargo:rustc-link-search=native={}", dir.display());
|
||||
if config.is_bazel || (config.features.is_fips_like() && config.env.path.is_some()) {
|
||||
println!(
|
||||
"cargo:rustc-link-search=native={}/lib/{}",
|
||||
bssl_dir.display(),
|
||||
build_path
|
||||
);
|
||||
} else {
|
||||
// todo(rmehra): clean this up, I think these are pretty redundant
|
||||
println!(
|
||||
"cargo:rustc-link-search=native={}/build/crypto/{}",
|
||||
bssl_dir.display(),
|
||||
build_path
|
||||
);
|
||||
println!(
|
||||
"cargo:rustc-link-search=native={}/build/ssl/{}",
|
||||
bssl_dir.display(),
|
||||
build_path
|
||||
);
|
||||
println!(
|
||||
"cargo:rustc-link-search=native={}/build/{}",
|
||||
bssl_dir.display(),
|
||||
build_path
|
||||
);
|
||||
println!(
|
||||
"cargo:rustc-link-search=native={}/build",
|
||||
bssl_dir.display(),
|
||||
);
|
||||
}
|
||||
|
||||
if let Some(cpp_lib) = get_cpp_runtime_lib(config) {
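Review bot: In the hunk at `-217,11 +217,7`, `boringssl_cmake.define("CMAKE_MSVC_RUNTIME_LIBRARY", "MultiThreadedDLL");` now runs for every MSVC target, so a crate compiled with `-C target-feature=+crt-static` (the RUSTFLAGS value the ci.yml hunk drops) links a static CRT against a BoringSSL built for the DLL runtime, which the MSVC linker typically reports as a RuntimeLibrary mismatch or otherwise leaves two CRTs in one binary. The runtime choice should follow the target's `crt-static` feature, which the build script can read from `CARGO_CFG_TARGET_FEATURE`: `let crt_static = env::var("CARGO_CFG_TARGET_FEATURE").unwrap_or_default().split(',').any(|f| f == "crt-static");` followed by `boringssl_cmake.define("CMAKE_MSVC_RUNTIME_LIBRARY", if crt_static { "MultiThreaded" } else { "MultiThreadedDLL" });`. Separately, `get_boringssl_platform_output_path` (hunk `-195,9 +195,9`) returns `String::new()` as an empty-string sentinel, which leaves a trailing `/` in the `build/crypto/{}`, `build/ssl/{}` and `build/{}` search paths emitted in the last hunk; an `Option<&str>` would make the non-MSVC case explicit. Both `get_boringssl_cmake_config` and `emit_link_directives` continue outside their hunks.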
|
||||
|
||||
@ -49,10 +49,6 @@ rpk = ["credential", "boring-sys/rpk"]
|
||||
# `BORING_BSSL{,_FIPS}_ASSUME_PATCHED`.
|
||||
underscore-wildcards = ["boring-sys/underscore-wildcards"]
|
||||
|
||||
# **DO NOT USE** This will be removed without warning in future releases.
|
||||
# Alias for 'fips', only for backwards compatibility.
|
||||
fips-precompiled = ["fips"]
|
||||
|
||||
[dependencies]
|
||||
bitflags = { workspace = true }
|
||||
foreign-types = { workspace = true }
|
||||
|
||||
@ -10,7 +10,7 @@ use std::ptr;
|
||||
use crate::error::ErrorStack;
|
||||
use crate::nid::Nid;
|
||||
use crate::pkey::{HasPrivate, PKey, PKeyRef, Private};
|
||||
use crate::stack::{Stack, StackRef};
|
||||
use crate::stack::Stack;
|
||||
use crate::x509::{X509Ref, X509};
|
||||
use crate::{cvt_0i, cvt_p};
|
||||
|
||||
@ -31,43 +31,33 @@ impl Pkcs12Ref {
|
||||
ffi::i2d_PKCS12
|
||||
}
|
||||
|
||||
/// Extracts the contents of the `Pkcs12` with `pkey` and `cert` required.
|
||||
/// Extracts the contents of the `Pkcs12`.
|
||||
pub fn parse(&self, pass: &str) -> Result<ParsedPkcs12, ErrorStack> {
|
||||
let p2 = self.parse2(pass)?;
|
||||
Ok(ParsedPkcs12 {
|
||||
pkey: p2
|
||||
.pkey
|
||||
.ok_or_else(|| ErrorStack::internal_error_str("missing pkey"))?,
|
||||
cert: p2
|
||||
.cert
|
||||
.ok_or_else(|| ErrorStack::internal_error_str("missing cert"))?,
|
||||
chain: p2.ca,
|
||||
})
|
||||
}
|
||||
|
||||
/// Extracts the contents of the `Pkcs12` with `pkey` and `cert` optional.
|
||||
#[corresponds(PKCS12_parse)]
|
||||
pub fn parse2(&self, pass: &str) -> Result<ParsedPkcs12_2, ErrorStack> {
|
||||
unsafe {
|
||||
let pass = CString::new(pass.as_bytes()).map_err(ErrorStack::internal_error)?;
|
||||
|
||||
let mut pkey = ptr::null_mut();
|
||||
let mut cert = ptr::null_mut();
|
||||
let mut ca = ptr::null_mut();
|
||||
let mut chain = ptr::null_mut();
|
||||
|
||||
cvt_0i(ffi::PKCS12_parse(
|
||||
self.as_ptr(),
|
||||
pass.as_ptr(),
|
||||
&mut pkey,
|
||||
&mut cert,
|
||||
&mut ca,
|
||||
&mut chain,
|
||||
))?;
|
||||
|
||||
let pkey = (!pkey.is_null()).then(|| PKey::from_ptr(pkey));
|
||||
let cert = (!cert.is_null()).then(|| X509::from_ptr(cert));
|
||||
let ca = (!ca.is_null()).then(|| Stack::from_ptr(ca));
|
||||
let pkey = PKey::from_ptr(pkey);
|
||||
let cert = X509::from_ptr(cert);
|
||||
|
||||
Ok(ParsedPkcs12_2 { pkey, cert, ca })
|
||||
let chain = if chain.is_null() {
|
||||
None
|
||||
} else {
|
||||
Some(Stack::from_ptr(chain))
|
||||
};
|
||||
|
||||
Ok(ParsedPkcs12 { pkey, cert, chain })
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -110,19 +100,6 @@ pub struct ParsedPkcs12 {
|
||||
pub chain: Option<Stack<X509>>,
|
||||
}
|
||||
|
||||
/// [`ParsedPkcs12`] with optional fields
|
||||
pub struct ParsedPkcs12_2 {
|
||||
pub pkey: Option<PKey<Private>>,
|
||||
pub cert: Option<X509>,
|
||||
pub ca: Option<Stack<X509>>,
|
||||
}
|
||||
|
||||
impl ParsedPkcs12_2 {
|
||||
pub fn chain(&self) -> Option<&StackRef<X509>> {
|
||||
self.ca.as_deref()
|
||||
}
|
||||
}
|
||||
|
||||
pub struct Pkcs12Builder {
|
||||
nid_key: Nid,
|
||||
nid_cert: Nid,
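Review bot: `PKey::from_ptr(pkey)` and `X509::from_ptr(cert)` in the `-31,43 +31,33` hunk are called on the pointers `PKCS12_parse` wrote back without a null check, while `chain` a few lines later is checked; as far as I can tell `PKCS12_parse` may leave `pkey` or `cert` null for a bundle that carries only a certificate or only a key (the removed `parse2` treated both as nullable), and `from_ptr` requires a non-null pointer, so that input would be undefined behaviour rather than a reported error. A PKCS#12 blob is usually untrusted input, so the missing case should fail cleanly: `if pkey.is_null() || cert.is_null() { return Err(ErrorStack::internal_error_str("PKCS12 is missing its private key or certificate")); }` placed inside the `unsafe` block before the two `from_ptr` calls. The doc comment on `parse` could also say that both the key and the certificate are required, e.g. `/// Extracts the contents of the `Pkcs12`; fails if the private key or certificate is absent.`.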
|
||||
|
||||
@ -1272,26 +1272,15 @@ impl SslContextBuilder {
|
||||
/// The file should contain a sequence of PEM-formatted CA certificates.
|
||||
#[corresponds(SSL_CTX_load_verify_locations)]
|
||||
pub fn set_ca_file<P: AsRef<Path>>(&mut self, file: P) -> Result<(), ErrorStack> {
|
||||
self.load_verify_locations(Some(file.as_ref()), None)
|
||||
}
|
||||
|
||||
/// Loads trusted root certificates from a file and/or a directory.
|
||||
#[corresponds(SSL_CTX_load_verify_locations)]
|
||||
pub fn load_verify_locations(
|
||||
&mut self,
|
||||
ca_file: Option<&Path>,
|
||||
ca_path: Option<&Path>,
|
||||
) -> Result<(), ErrorStack> {
|
||||
self.ctx.check_x509();
|
||||
|
||||
let ca_file = ca_file.map(path_to_cstring).transpose()?;
|
||||
let ca_path = ca_path.map(path_to_cstring).transpose()?;
|
||||
|
||||
let file = CString::new(file.as_ref().as_os_str().as_encoded_bytes())
|
||||
.map_err(ErrorStack::internal_error)?;
|
||||
unsafe {
|
||||
cvt(ffi::SSL_CTX_load_verify_locations(
|
||||
self.as_ptr(),
|
||||
ca_file.as_ref().map_or(ptr::null(), |s| s.as_ptr()),
|
||||
ca_path.as_ref().map_or(ptr::null(), |s| s.as_ptr()),
|
||||
file.as_ptr(),
|
||||
ptr::null(),
|
||||
))
|
||||
}
|
||||
}
|
||||
@ -1352,7 +1341,8 @@ impl SslContextBuilder {
|
||||
) -> Result<(), ErrorStack> {
|
||||
self.ctx.check_x509();
|
||||
|
||||
let file = path_to_cstring(file.as_ref())?;
|
||||
let file = CString::new(file.as_ref().as_os_str().as_encoded_bytes())
|
||||
.map_err(ErrorStack::internal_error)?;
|
||||
unsafe {
|
||||
cvt(ffi::SSL_CTX_use_certificate_file(
|
||||
self.as_ptr(),
|
||||
@ -1372,7 +1362,8 @@ impl SslContextBuilder {
|
||||
&mut self,
|
||||
file: P,
|
||||
) -> Result<(), ErrorStack> {
|
||||
let file = path_to_cstring(file.as_ref())?;
|
||||
let file = CString::new(file.as_ref().as_os_str().as_encoded_bytes())
|
||||
.map_err(ErrorStack::internal_error)?;
|
||||
unsafe {
|
||||
cvt(ffi::SSL_CTX_use_certificate_chain_file(
|
||||
self.as_ptr(),
|
||||
@ -1412,7 +1403,8 @@ impl SslContextBuilder {
|
||||
file: P,
|
||||
file_type: SslFiletype,
|
||||
) -> Result<(), ErrorStack> {
|
||||
let file = path_to_cstring(file.as_ref())?;
|
||||
let file = CString::new(file.as_ref().as_os_str().as_encoded_bytes())
|
||||
.map_err(ErrorStack::internal_error)?;
|
||||
unsafe {
|
||||
cvt(ffi::SSL_CTX_use_PrivateKey_file(
|
||||
self.as_ptr(),
|
||||
@ -4582,7 +4574,3 @@ unsafe fn get_new_idx(f: ffi::CRYPTO_EX_free) -> c_int {
|
||||
unsafe fn get_new_ssl_idx(f: ffi::CRYPTO_EX_free) -> c_int {
|
||||
ffi::SSL_get_ex_new_index(0, ptr::null_mut(), ptr::null_mut(), None, f)
|
||||
}
|
||||
|
||||
fn path_to_cstring(path: &Path) -> Result<CString, ErrorStack> {
|
||||
CString::new(path.as_os_str().as_encoded_bytes()).map_err(ErrorStack::internal_error)
|
||||
}
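Review bot: `CString::new(file.as_ref().as_os_str().as_encoded_bytes())` in `set_ca_file` (hunk `-1272,26 +1272,15`) hands Rust's internal `OsStr` encoding to `SSL_CTX_load_verify_locations`, which opens the path through the C runtime; that encoding is only guaranteed to be a superset of UTF-8, and on Windows it is not the active code page the C library expects, so a CA file whose name contains non-ASCII characters can fail to load with a misleading error. Either convert through `file.as_ref().to_str().ok_or_else(|| ErrorStack::internal_error_str("path is not valid UTF-8"))?` so the unsupported case is explicit, or document the limitation. The same two-line expression is repeated in `set_certificate_file`, `set_certificate_chain_file` and `set_private_key_file` (hunks `-1352`, `-1372`, `-1412`), so a single private helper would keep the four call sites consistent. `set_ca_file` also passes `ptr::null()` for the CApath argument, which deserves a doc line such as `/// Only the given file is loaded; no CA directory is searched.`; `impl SslContextBuilder` continues outside these hunks.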
|
||||
|
||||