From 082cf7bf16872f7019ac2a6b16b9fc70b7944023 Mon Sep 17 00:00:00 2001 From: Daniel McCarney Date: Sun, 3 Dec 2023 12:49:52 -0500 Subject: [PATCH 1/3] cipher: fix name of rustls_root_cert_store_builder_load_roots_from_file When the `rustls_client_config_builder_load_roots_from_file` fn was moved from the client config builder into the root cert store builder the name wasn't updated. This commit fixes that and regenerates the rustls header file. --- src/cipher.rs | 2 +- src/rustls.h | 6 +++--- tests/client.c | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/cipher.rs b/src/cipher.rs index 9d6a56db..61f4ba53 100644 --- a/src/cipher.rs +++ b/src/cipher.rs @@ -532,7 +532,7 @@ impl rustls_root_cert_store_builder { /// This may be useful on systems that have syntactically invalid root /// certificates. #[no_mangle] - pub extern "C" fn rustls_client_config_builder_load_roots_from_file( + pub extern "C" fn rustls_root_cert_store_builder_load_roots_from_file( builder: *mut rustls_root_cert_store_builder, filename: *const c_char, strict: bool, diff --git a/src/rustls.h b/src/rustls.h index 4d5ef838..4136d422 100644 --- a/src/rustls.h +++ b/src/rustls.h @@ -980,9 +980,9 @@ rustls_result rustls_root_cert_store_builder_add_pem(struct rustls_root_cert_sto * This may be useful on systems that have syntactically invalid root * certificates. */ -rustls_result rustls_client_config_builder_load_roots_from_file(struct rustls_root_cert_store_builder *builder, - const char *filename, - bool strict); +rustls_result rustls_root_cert_store_builder_load_roots_from_file(struct rustls_root_cert_store_builder *builder, + const char *filename, + bool strict); /** * Create a new `rustls_root_cert_store` from the builder. diff --git a/tests/client.c b/tests/client.c index 5f29a3e8..9353b2d8 100644 --- a/tests/client.c +++ b/tests/client.c @@ -433,7 +433,7 @@ main(int argc, const char **argv) if(getenv("CA_FILE")) { server_cert_root_store_builder = rustls_root_cert_store_builder_new(); - result = rustls_client_config_builder_load_roots_from_file( + result = rustls_root_cert_store_builder_load_roots_from_file( server_cert_root_store_builder, getenv("CA_FILE"), true); if(result != RUSTLS_RESULT_OK) { print_error("loading trusted certificates", result); From 8d041cdf3748245c7483f373a3c7f2185b295f29 Mon Sep 17 00:00:00 2001 From: Daniel McCarney Date: Mon, 4 Dec 2023 12:20:14 -0500 Subject: [PATCH 2/3] cipher: lift rustls_certificate_get_der out of impl block For some reason, since adding a lifetime to the `rustls_certificate` type, the `rustls_certificate_get_der` fn inside the `impl rustls_certificate` block isn't being picked up by cbindgen, removing it from the `rustls.h` generated header file. This commit lifts the fn out of the `impl` block into a free-standing function, now its properly included in `rustls.h` again. --- src/cipher.rs | 38 ++++++++++++++++++-------------------- src/rustls.h | 8 ++++++++ 2 files changed, 26 insertions(+), 20 deletions(-) diff --git a/src/cipher.rs b/src/cipher.rs index 61f4ba53..223fa07a 100644 --- a/src/cipher.rs +++ b/src/cipher.rs @@ -44,27 +44,25 @@ impl<'a> Castable for rustls_certificate<'a> { type RustType = CertificateDer<'a>; } -impl<'a> rustls_certificate<'a> { - /// Get the DER data of the certificate itself. - /// The data is owned by the certificate and has the same lifetime. - #[no_mangle] - pub extern "C" fn rustls_certificate_get_der( - cert: *const rustls_certificate, - out_der_data: *mut *const u8, - out_der_len: *mut size_t, - ) -> rustls_result { - ffi_panic_boundary! { - let cert = try_ref_from_ptr!(cert); - if out_der_data.is_null() || out_der_len.is_null() { - return NullParameter - } - let der = cert.as_ref(); - unsafe { - *out_der_data = der.as_ptr(); - *out_der_len = der.len(); - } - rustls_result::Ok +/// Get the DER data of the certificate itself. +/// The data is owned by the certificate and has the same lifetime. +#[no_mangle] +pub extern "C" fn rustls_certificate_get_der( + cert: *const rustls_certificate, + out_der_data: *mut *const u8, + out_der_len: *mut size_t, +) -> rustls_result { + ffi_panic_boundary! { + let cert = try_ref_from_ptr!(cert); + if out_der_data.is_null() || out_der_len.is_null() { + return NullParameter } + let der = cert.as_ref(); + unsafe { + *out_der_data = der.as_ptr(); + *out_der_len = der.len(); + } + rustls_result::Ok } } diff --git a/src/rustls.h b/src/rustls.h index 4136d422..0a3e88b0 100644 --- a/src/rustls.h +++ b/src/rustls.h @@ -836,6 +836,14 @@ rustls_result rustls_accepted_into_connection(struct rustls_accepted *accepted, */ void rustls_accepted_free(struct rustls_accepted *accepted); +/** + * Get the DER data of the certificate itself. + * The data is owned by the certificate and has the same lifetime. + */ +rustls_result rustls_certificate_get_der(const struct rustls_certificate *cert, + const uint8_t **out_der_data, + size_t *out_der_len); + /** * Return a 16-bit unsigned integer corresponding to this cipher suite's assignment from * . From 60f5f5fa6b640355d7914fc78b251ddbbd98a752 Mon Sep 17 00:00:00 2001 From: Daniel McCarney Date: Sun, 3 Dec 2023 12:51:59 -0500 Subject: [PATCH 3/3] docs: update CHANGELOG for 0.12 --- CHANGELOG.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 188ac346..a3631884 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,57 @@ # Changelog +## 0.12.0 (2023-12-03) + +This release updates to [Rustls 0.22], but does not yet expose support for +customizing the cryptographic provider. This will be added in a future release, +and 0.12.0 continues to use `*ring*` as the only cryptographic provider. + +[Rustls 0.22]: https://github.com/rustls/rustls/releases/tag/v%2F0.22.0 + +### Added + +* `RUSTLS_RESULT_CLIENT_CERT_VERIFIER_BUILDER_NO_ROOT_ANCHORS` error code, + returned when a client cert verifier is being built that hasn't provided any + root trust anchors. +* The server certificate verifier now supports CRL revocation checking through + policy and CRLs provided to the server certificate verifier builder. +* Client certificate verifier builder now supports controlling CRL revocation + status check depth and unknown revocation policy. + +### Changed + +* The root certificate store constructor (`rustls_root_cert_store_new`) and the + function to add PEM content (`rustls_root_cert_store_add_pem`) have been + replaced with a new `rustls_root_cert_store_builder` type, constructed with + `rustls_root_cert_store_builder_new`. PEM content can be added with + `rustls_root_cert_store_builder_add_pem` and + `rustls_root_cert_store_builder_load_roots_from_file`. +* The client verifier builders ( + `rustls_allow_any_anonymous_or_authenticated_client_builder`, and + `rustls_allow_any_authenticated_client_builder`) as well as the client + verifier types (`rustls_allow_any_anonymous_or_authenticated_client_verifier`, + `rustls_allow_any_authenticated_client_verifier`) have been replaced with + `rustls_web_pki_client_cert_verifier_builder` and `rustls_client_cert_verifier`. +* The server config client verifier setters + (`rustls_server_config_builder_set_client_verifier` and + `rustls_server_config_builder_set_client_verifier_optional`) have been + replaced with `rustls_server_config_builder_set_client_verifier`. +* The client config builder functions for specifying root trust anchors + (`rustls_client_config_builder_use_roots` and + `rustls_client_config_builder_load_roots_from_file`) have been replaced + with a server certificate verifier builder + (`rustls_web_pki_server_cert_verifier_builder`) constructed with + `rustls_web_pki_server_cert_verifier_builder_new` and + a `rustls_root_cert_store`. The built `rustls_web_pki_server_cert_verifier` + can be provided to a client config builder with + `rustls_client_config_builder_set_server_verifier`. +* CRL validation defaults to checking the full certificate chain, and treating + unknown revocation status as an error condition. + +### Removed + +* `RUSTLS_RESULT_CERT_SCT_*` error codes have been removed. + ## 0.11.0 (2023-07-14) ### Added