From 38dac452134e2b7e139e538f3b65d5c1cc7bbc36 Mon Sep 17 00:00:00 2001 From: Kornel Date: Tue, 26 Nov 2024 16:05:45 +0000 Subject: [PATCH] Fix fips-compat build --- .github/workflows/ci.yml | 4 +++- boring/src/bio.rs | 7 ++++--- boring/src/ssl/mod.rs | 17 ++++++++++------- boring/src/ssl/test/mod.rs | 4 ++-- boring/src/x509/mod.rs | 17 +++++++++++------ 5 files changed, 30 insertions(+), 19 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 32aa3afe..1d35a6d2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -256,8 +256,10 @@ jobs: - name: Add clang++-12 link working-directory: ${{ runner.temp }}/llvm/bin run: ln -s clang clang++-12 - - name: Run tests + - name: Run FIPS tests run: cargo test --features fips + - name: Check fips-compat + run: cargo check --features fips-compat --all-targets - name: Test boring-sys cargo publish (FIPS) # Running `cargo publish --dry-run` tests two things: # diff --git a/boring/src/bio.rs b/boring/src/bio.rs index a0c882a2..8915b19f 100644 --- a/boring/src/bio.rs +++ b/boring/src/bio.rs @@ -19,18 +19,19 @@ impl<'a> Drop for MemBioSlice<'a> { impl<'a> MemBioSlice<'a> { pub fn new(buf: &'a [u8]) -> Result, ErrorStack> { - #[cfg(not(feature = "fips-compat"))] + #[cfg(not(feature = "fips"))] type BufLen = isize; - #[cfg(feature = "fips-compat")] + #[cfg(feature = "fips")] type BufLen = libc::c_int; ffi::init(); assert!(buf.len() <= BufLen::MAX as usize); let bio = unsafe { + #[allow(clippy::useless_conversion)] cvt_p(BIO_new_mem_buf( buf.as_ptr() as *const _, - buf.len() as BufLen, + buf.len().try_into().unwrap(), ))? }; diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs index f0849589..1892f14f 100644 --- a/boring/src/ssl/mod.rs +++ b/boring/src/ssl/mod.rs 
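Review bot: The new `Check fips-compat` step only type-checks, so the length conversions this commit rewrites as `.try_into().unwrap()` are never executed under `fips-compat`, and a conversion that panics at run time in that configuration would still pass CI. If the runner can link a BoringSSL build for that feature (not visible in this diff), consider `run: cargo test --features fips-compat`. Otherwise add a comment on the step saying why only `cargo check` is possible.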
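Review bot: In `MemBioSlice::new` the bound in `assert!(buf.len() <= BufLen::MAX as usize)` comes from the hand-maintained `BufLen` alias, while the target type of `buf.len().try_into()` is inferred from the `BIO_new_mem_buf` binding, so the two can drift apart again without a compile error. The checked conversion is now the real guard against truncation, so I would say so at the call: `buf.len().try_into().expect("buffer length exceeds the BIO_new_mem_buf length type")`, with a comment over the attribute such as `// allow: the conversion is an identity in builds where the binding's length parameter is usize`. The same bare `unwrap()` under an uncommented `#[allow(clippy::useless_conversion)]` recurs in the `SSL_CTX_set_alpn_protos`, `SSL_set_alpn_protos`, `OPENSSL_malloc` and `X509_NAME_add_entry_by_*` hunks. The function body continues past the end of this hunk.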
@@ -708,7 +708,7 @@ impl SslCurve { pub const X25519: SslCurve = SslCurve(ffi::SSL_CURVE_X25519 as _); - #[cfg(not(feature = "fips"))] + #[cfg(not(feature = "fips-compat"))] pub const X25519_KYBER768_DRAFT00: SslCurve = SslCurve(ffi::SSL_CURVE_X25519_KYBER768_DRAFT00 as _); @@ -757,7 +757,7 @@ impl SslCurve { ffi::SSL_CURVE_SECP384R1 => Some(ffi::NID_secp384r1), ffi::SSL_CURVE_SECP521R1 => Some(ffi::NID_secp521r1), ffi::SSL_CURVE_X25519 => Some(ffi::NID_X25519), - #[cfg(not(feature = "fips"))] + #[cfg(not(feature = "fips-compat"))] ffi::SSL_CURVE_X25519_KYBER768_DRAFT00 => Some(ffi::NID_X25519Kyber768Draft00), #[cfg(feature = "pq-experimental")] ffi::SSL_CURVE_X25519_KYBER768_DRAFT00_OLD => Some(ffi::NID_X25519Kyber768Draft00Old), @@ -1522,10 +1522,11 @@ impl SslContextBuilder { { assert!(protocols.len() <= ProtosLen::MAX as usize); } + #[allow(clippy::useless_conversion)] let r = ffi::SSL_CTX_set_alpn_protos( self.as_ptr(), protocols.as_ptr(), - protocols.len() as ProtosLen, + protocols.len().try_into().unwrap(), ); // fun fact, SSL_CTX_set_alpn_protos has a reversed return code D: if r == 0 { @@ -2209,9 +2210,9 @@ impl SslContextRef { #[derive(Debug)] pub struct GetSessionPendingError; -#[cfg(not(feature = "fips-compat"))] +#[cfg(not(feature = "fips"))] type ProtosLen = usize; -#[cfg(feature = "fips-compat")] +#[cfg(feature = "fips")] type ProtosLen = libc::c_uint; /// Information about the state of a cipher. @@ -2947,10 +2948,11 @@ impl SslRef { { assert!(protocols.len() <= ProtosLen::MAX as usize); } + #[allow(clippy::useless_conversion)] let r = ffi::SSL_set_alpn_protos( self.as_ptr(), protocols.as_ptr(), - protocols.len() as ProtosLen, + protocols.len().try_into().unwrap(), ); // fun fact, SSL_set_alpn_protos has a reversed return code D: if r == 0 { 
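Review bot: `X25519_KYBER768_DRAFT00` is now hidden only when `fips-compat` is enabled, so a build with `fips` alone keeps it out only if the `fips` feature turns on `fips-compat`. The Cargo feature table is not part of this diff, so that dependency is an assumption here. Since this gate decides whether a draft hybrid group is exposed in a FIPS build, I would record the assumption next to it, e.g. `// fips implies fips-compat (see Cargo.toml), so this is also absent from FIPS builds`. The same swapped gate appears on the `SSL_CURVE_X25519_KYBER768_DRAFT00` match arm in the next hunk, and on the `CompliancePolicy` import and `test_set_compliance` in `ssl/test/mod.rs`.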
@@ -3445,7 +3447,8 @@ impl SslRef { pub fn set_ocsp_status(&mut self, response: &[u8]) -> Result<(), ErrorStack> { unsafe { assert!(response.len() <= c_int::MAX as usize); - let p = cvt_p(ffi::OPENSSL_malloc(response.len() as _))?; + #[allow(clippy::useless_conversion)] + let p = cvt_p(ffi::OPENSSL_malloc(response.len().try_into().unwrap()))?; ptr::copy_nonoverlapping(response.as_ptr(), p as *mut u8, response.len()); cvt(ffi::SSL_set_tlsext_status_ocsp_resp( self.as_ptr(), diff --git a/boring/src/ssl/test/mod.rs b/boring/src/ssl/test/mod.rs index 6010cf98..9b045ec1 100644 --- a/boring/src/ssl/test/mod.rs +++ b/boring/src/ssl/test/mod.rs @@ -21,7 +21,7 @@ use crate::ssl::{ use crate::x509::verify::X509CheckFlags; use crate::x509::{X509Name, X509}; -#[cfg(not(feature = "fips"))] +#[cfg(not(feature = "fips-compat"))] use super::CompliancePolicy; mod cert_verify; @@ -987,7 +987,7 @@ fn test_get_ciphers() { } #[test] -#[cfg(not(feature = "fips"))] +#[cfg(not(feature = "fips-compat"))] fn test_set_compliance() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_compliance_policy(CompliancePolicy::FIPS_202205) diff --git a/boring/src/x509/mod.rs b/boring/src/x509/mod.rs index af1d5040..da2d5b43 100644 --- a/boring/src/x509/mod.rs +++ b/boring/src/x509/mod.rs @@ -885,12 +885,13 @@ impl X509NameBuilder { unsafe { let field = CString::new(field).unwrap(); assert!(value.len() <= ValueLen::MAX as usize); + #[allow(clippy::useless_conversion)] cvt(ffi::X509_NAME_add_entry_by_txt( self.0.as_ptr(), field.as_ptr() as *mut _, ffi::MBSTRING_UTF8, value.as_ptr(), - value.len() as ValueLen, + value.len().try_into().unwrap(), -1, 0, )) 
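Review bot: The `unsafe` block in `set_ocsp_status` has no `// SAFETY:` comment, and the reasoning behind `ptr::copy_nonoverlapping` is worth writing down now that the allocation line is being touched: `// SAFETY: p is a fresh allocation of response.len() bytes (cvt_p presumably rejects null), so it cannot overlap response`. The `assert!` bounds the length by `c_int::MAX` while the `OPENSSL_malloc` argument is converted separately, so a one-line comment naming which later argument the `c_int` bound protects would help the next reader. The `SSL_set_tlsext_status_ocsp_resp` call continues past the hunk, so who frees `p` when that call fails cannot be checked from here.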
@@ -912,12 +913,13 @@ impl X509NameBuilder { unsafe { let field = CString::new(field).unwrap(); assert!(value.len() <= ValueLen::MAX as usize); + #[allow(clippy::useless_conversion)] cvt(ffi::X509_NAME_add_entry_by_txt( self.0.as_ptr(), field.as_ptr() as *mut _, ty.as_raw(), value.as_ptr(), - value.len() as ValueLen, + value.len().try_into().unwrap(), -1, 0, )) @@ -933,12 +935,13 @@ impl X509NameBuilder { pub fn append_entry_by_nid(&mut self, field: Nid, value: &str) -> Result<(), ErrorStack> { unsafe { assert!(value.len() <= ValueLen::MAX as usize); + #[allow(clippy::useless_conversion)] cvt(ffi::X509_NAME_add_entry_by_NID( self.0.as_ptr(), field.as_raw(), ffi::MBSTRING_UTF8, value.as_ptr() as *mut _, - value.len() as ValueLen, + value.len().try_into().unwrap(), -1, 0, )) @@ -959,12 +962,13 @@ impl X509NameBuilder { ) -> Result<(), ErrorStack> { unsafe { assert!(value.len() <= ValueLen::MAX as usize); + #[allow(clippy::useless_conversion)] cvt(ffi::X509_NAME_add_entry_by_NID( self.0.as_ptr(), field.as_raw(), ty.as_raw(), value.as_ptr() as *mut _, - value.len() as ValueLen, + value.len().try_into().unwrap(), -1, 0, )) @@ -981,9 +985,9 @@ impl X509NameBuilder { } } -#[cfg(not(feature = "fips-compat"))] +#[cfg(not(feature = "fips"))] type ValueLen = isize; -#[cfg(feature = "fips-compat")] +#[cfg(feature = "fips")] type ValueLen = i32; foreign_type_and_impl_send_sync! { @@ -1549,6 +1553,7 @@ impl GeneralName { let gn = GeneralName::from_ptr(cvt_p(ffi::GENERAL_NAME_new())?); (*gn.as_ptr()).type_ = type_; let s = cvt_p(ffi::ASN1_STRING_type_new(asn1_type.as_raw()))?; + #[allow(clippy::useless_conversion)] ffi::ASN1_STRING_set(s, value.as_ptr().cast(), value.len().try_into().unwrap()); (*gn.as_ptr()).d.ptr = s.cast();