Fix fips-compat build

cloudflare · Nov 26, 2024 · 38dac45 · 38dac45
1 parent 2b75e1e
commit 38dac45
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 19 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -256,8 +256,10 @@ jobs:
     - name: Add clang++-12 link
       working-directory: ${{ runner.temp }}/llvm/bin
       run: ln -s clang clang++-12
-    - name: Run tests
+    - name: Run FIPS tests
       run: cargo test --features fips
+    - name: Check fips-compat
+      run: cargo check --features fips-compat --all-targets
     - name: Test boring-sys cargo publish (FIPS)
       # Running `cargo publish --dry-run` tests two things:
       #

diff --git a/boring/src/bio.rs b/boring/src/bio.rs
@@ -19,18 +19,19 @@ impl<'a> Drop for MemBioSlice<'a> {
 
 impl<'a> MemBioSlice<'a> {
     pub fn new(buf: &'a [u8]) -> Result<MemBioSlice<'a>, ErrorStack> {
-        #[cfg(not(feature = "fips-compat"))]
+        #[cfg(not(feature = "fips"))]
         type BufLen = isize;
-        #[cfg(feature = "fips-compat")]
+        #[cfg(feature = "fips")]
         type BufLen = libc::c_int;
 
         ffi::init();
 
         assert!(buf.len() <= BufLen::MAX as usize);
         let bio = unsafe {
+            #[allow(clippy::useless_conversion)]
             cvt_p(BIO_new_mem_buf(
                 buf.as_ptr() as *const _,
-                buf.len() as BufLen,
+                buf.len().try_into().unwrap(),
             ))?
         };
 

diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
@@ -708,7 +708,7 @@ impl SslCurve {
 
     pub const X25519: SslCurve = SslCurve(ffi::SSL_CURVE_X25519 as _);
 
-    #[cfg(not(feature = "fips"))]
+    #[cfg(not(feature = "fips-compat"))]
     pub const X25519_KYBER768_DRAFT00: SslCurve =
         SslCurve(ffi::SSL_CURVE_X25519_KYBER768_DRAFT00 as _);
 
@@ -757,7 +757,7 @@ impl SslCurve {
             ffi::SSL_CURVE_SECP384R1 => Some(ffi::NID_secp384r1),
             ffi::SSL_CURVE_SECP521R1 => Some(ffi::NID_secp521r1),
             ffi::SSL_CURVE_X25519 => Some(ffi::NID_X25519),
-            #[cfg(not(feature = "fips"))]
+            #[cfg(not(feature = "fips-compat"))]
             ffi::SSL_CURVE_X25519_KYBER768_DRAFT00 => Some(ffi::NID_X25519Kyber768Draft00),
             #[cfg(feature = "pq-experimental")]
             ffi::SSL_CURVE_X25519_KYBER768_DRAFT00_OLD => Some(ffi::NID_X25519Kyber768Draft00Old),
@@ -1522,10 +1522,11 @@ impl SslContextBuilder {
             {
                 assert!(protocols.len() <= ProtosLen::MAX as usize);
             }
+            #[allow(clippy::useless_conversion)]
             let r = ffi::SSL_CTX_set_alpn_protos(
                 self.as_ptr(),
                 protocols.as_ptr(),
-                protocols.len() as ProtosLen,
+                protocols.len().try_into().unwrap(),
             );
             // fun fact, SSL_CTX_set_alpn_protos has a reversed return code D:
             if r == 0 {
@@ -2209,9 +2210,9 @@ impl SslContextRef {
 #[derive(Debug)]
 pub struct GetSessionPendingError;
 
-#[cfg(not(feature = "fips-compat"))]
+#[cfg(not(feature = "fips"))]
 type ProtosLen = usize;
-#[cfg(feature = "fips-compat")]
+#[cfg(feature = "fips")]
 type ProtosLen = libc::c_uint;
 
 /// Information about the state of a cipher.
@@ -2947,10 +2948,11 @@ impl SslRef {
             {
                 assert!(protocols.len() <= ProtosLen::MAX as usize);
             }
+            #[allow(clippy::useless_conversion)]
             let r = ffi::SSL_set_alpn_protos(
                 self.as_ptr(),
                 protocols.as_ptr(),
-                protocols.len() as ProtosLen,
+                protocols.len().try_into().unwrap(),
             );
             // fun fact, SSL_set_alpn_protos has a reversed return code D:
             if r == 0 {
@@ -3445,7 +3447,8 @@ impl SslRef {
     pub fn set_ocsp_status(&mut self, response: &[u8]) -> Result<(), ErrorStack> {
         unsafe {
             assert!(response.len() <= c_int::MAX as usize);
-            let p = cvt_p(ffi::OPENSSL_malloc(response.len() as _))?;
+            #[allow(clippy::useless_conversion)]
+            let p = cvt_p(ffi::OPENSSL_malloc(response.len().try_into().unwrap()))?;
             ptr::copy_nonoverlapping(response.as_ptr(), p as *mut u8, response.len());
             cvt(ffi::SSL_set_tlsext_status_ocsp_resp(
                 self.as_ptr(),

diff --git a/boring/src/ssl/test/mod.rs b/boring/src/ssl/test/mod.rs
@@ -21,7 +21,7 @@ use crate::ssl::{
 use crate::x509::verify::X509CheckFlags;
 use crate::x509::{X509Name, X509};
 
-#[cfg(not(feature = "fips"))]
+#[cfg(not(feature = "fips-compat"))]
 use super::CompliancePolicy;
 
 mod cert_verify;
@@ -987,7 +987,7 @@ fn test_get_ciphers() {
 }
 
 #[test]
-#[cfg(not(feature = "fips"))]
+#[cfg(not(feature = "fips-compat"))]
 fn test_set_compliance() {
     let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
     ctx.set_compliance_policy(CompliancePolicy::FIPS_202205)

diff --git a/boring/src/x509/mod.rs b/boring/src/x509/mod.rs
@@ -885,12 +885,13 @@ impl X509NameBuilder {
         unsafe {
             let field = CString::new(field).unwrap();
             assert!(value.len() <= ValueLen::MAX as usize);
+            #[allow(clippy::useless_conversion)]
             cvt(ffi::X509_NAME_add_entry_by_txt(
                 self.0.as_ptr(),
                 field.as_ptr() as *mut _,
                 ffi::MBSTRING_UTF8,
                 value.as_ptr(),
-                value.len() as ValueLen,
+                value.len().try_into().unwrap(),
                 -1,
                 0,
             ))
@@ -912,12 +913,13 @@ impl X509NameBuilder {
         unsafe {
             let field = CString::new(field).unwrap();
             assert!(value.len() <= ValueLen::MAX as usize);
+            #[allow(clippy::useless_conversion)]
             cvt(ffi::X509_NAME_add_entry_by_txt(
                 self.0.as_ptr(),
                 field.as_ptr() as *mut _,
                 ty.as_raw(),
                 value.as_ptr(),
-                value.len() as ValueLen,
+                value.len().try_into().unwrap(),
                 -1,
                 0,
             ))
@@ -933,12 +935,13 @@ impl X509NameBuilder {
     pub fn append_entry_by_nid(&mut self, field: Nid, value: &str) -> Result<(), ErrorStack> {
         unsafe {
             assert!(value.len() <= ValueLen::MAX as usize);
+            #[allow(clippy::useless_conversion)]
             cvt(ffi::X509_NAME_add_entry_by_NID(
                 self.0.as_ptr(),
                 field.as_raw(),
                 ffi::MBSTRING_UTF8,
                 value.as_ptr() as *mut _,
-                value.len() as ValueLen,
+                value.len().try_into().unwrap(),
                 -1,
                 0,
             ))
@@ -959,12 +962,13 @@ impl X509NameBuilder {
     ) -> Result<(), ErrorStack> {
         unsafe {
             assert!(value.len() <= ValueLen::MAX as usize);
+            #[allow(clippy::useless_conversion)]
             cvt(ffi::X509_NAME_add_entry_by_NID(
                 self.0.as_ptr(),
                 field.as_raw(),
                 ty.as_raw(),
                 value.as_ptr() as *mut _,
-                value.len() as ValueLen,
+                value.len().try_into().unwrap(),
                 -1,
                 0,
             ))
@@ -981,9 +985,9 @@ impl X509NameBuilder {
     }
 }
 
-#[cfg(not(feature = "fips-compat"))]
+#[cfg(not(feature = "fips"))]
 type ValueLen = isize;
-#[cfg(feature = "fips-compat")]
+#[cfg(feature = "fips")]
 type ValueLen = i32;
 
 foreign_type_and_impl_send_sync! {
@@ -1549,6 +1553,7 @@ impl GeneralName {
         let gn = GeneralName::from_ptr(cvt_p(ffi::GENERAL_NAME_new())?);
         (*gn.as_ptr()).type_ = type_;
         let s = cvt_p(ffi::ASN1_STRING_type_new(asn1_type.as_raw()))?;
+        #[allow(clippy::useless_conversion)]
         ffi::ASN1_STRING_set(s, value.as_ptr().cast(), value.len().try_into().unwrap());
 
         (*gn.as_ptr()).d.ptr = s.cast();