diff options
| -rw-r--r-- | README.md | 11 | ||||
| -rw-r--r-- | openssl-sys/build.rs | 17 | ||||
| -rw-r--r-- | openssl/src/hash.rs | 4 | ||||
| -rw-r--r-- | openssl/src/pkcs5.rs | 2 | ||||
| -rw-r--r-- | openssl/src/pkey.rs | 3 | ||||
| -rw-r--r-- | openssl/src/sign.rs | 13 | ||||
| -rw-r--r-- | openssl/src/ssl/bio.rs | 14 | ||||
| -rw-r--r-- | openssl/src/ssl/connector.rs | 2 | ||||
| -rw-r--r-- | openssl/src/symm.rs | 8 | ||||
| -rw-r--r-- | openssl/src/version.rs | 7 |
10 files changed, 51 insertions, 30 deletions
@@ -12,8 +12,8 @@ for that README. ## Building -rust-openssl depends on the OpenSSL runtime libraries version 1.0.1 or above. -Currently the libraries need to be present in the build environment before this +rust-openssl depends on OpenSSL version 1.0.1 or above, or LibreSSL. Both the +libraries and headers need to be present in the build environment before this crate is compiled, and some instructions of how to do this are in the sections below. @@ -49,14 +49,17 @@ make install ### OSX Although OpenSSL 0.9.8 is preinstalled on OSX this library is being phased out -of OSX and this crate also does not support this version of OpenSSL. To use this +of OSX and this crate also does not support that version of OpenSSL. To use this crate on OSX you'll need to install OpenSSL via some alternate means, typically -homebrew: +Homebrew: ```bash brew install openssl ``` +If Homebrew is installed to the default location of `/usr/local`, OpenSSL will be +automatically detected. + ### Windows MSVC On MSVC it's unfortunately not always a trivial process acquiring OpenSSL. diff --git a/openssl-sys/build.rs b/openssl-sys/build.rs index b530c2e3..c59a76d4 100644 --- a/openssl-sys/build.rs +++ b/openssl-sys/build.rs @@ -184,9 +184,20 @@ Used pkg-config to discover the OpenSSL installation, but pkg-config did not return any include paths for the installation. This crate needs to take a peek at the header files so it cannot proceed unless they're found. -You can try fixing this by setting the `OPENSSL_DIR` environment variable -pointing to your OpenSSL installation. - +You can try fixing this setting the `OPENSSL_DIR` environment variable +pointing to your OpenSSL installation or installing OpenSSL headers package +specific to your distribution: + + # On Ubuntu + sudo apt-get install libssl-dev + # On Arch Linux + sudo pacman -S openssl + # On Fedora + sudo dnf install openssl-devel + +See rust-openssl README for more information: + + https://github.com/sfackler/rust-openssl#linux "); } diff --git a/openssl/src/hash.rs b/openssl/src/hash.rs index 1d2089ef..47d6dc7a 100644 --- a/openssl/src/hash.rs +++ b/openssl/src/hash.rs @@ -60,7 +60,7 @@ use self::State::*; /// /// # Examples /// -/// Calculate a hash in one go. +/// Calculate a hash in one go: /// /// ``` /// use openssl::hash::{hash, MessageDigest}; @@ -71,7 +71,7 @@ use self::State::*; /// assert_eq!(res, spec); /// ``` /// -/// Use the `Write` trait to supply the input in chunks. +/// Supply the input in chunks: /// /// ``` /// use openssl::hash::{Hasher, MessageDigest}; diff --git a/openssl/src/pkcs5.rs b/openssl/src/pkcs5.rs index 8d6dcce8..9e1c2d26 100644 --- a/openssl/src/pkcs5.rs +++ b/openssl/src/pkcs5.rs @@ -22,7 +22,7 @@ pub struct KeyIvPair { /// v1.5 or PBKDF1 from PKCS#5 v2.0. /// /// New applications should not use this and instead use -/// `pkcs5_pbkdf2_hmac_sha1` or another more modern key derivation algorithm. +/// `pbkdf2_hmac` or another more modern key derivation algorithm. pub fn bytes_to_key(cipher: Cipher, digest: MessageDigest, data: &[u8], diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 7f031244..7a32692b 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -117,6 +117,9 @@ impl PKey { } /// Creates a new `PKey` containing an HMAC key. + /// + /// # Note + /// To compute HMAC values, use the `sign` module. pub fn hmac(key: &[u8]) -> Result<PKey, ErrorStack> { unsafe { assert!(key.len() <= c_int::max_value() as usize); diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index ca7986ca..ec37c885 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -35,12 +35,13 @@ //! assert!(verifier.finish(&signature).unwrap()); //! ``` //! -//! Compute an HMAC (note that `Verifier` cannot be used with HMACs): +//! Compute an HMAC: //! //! ```rust -//! use openssl::sign::Signer; -//! use openssl::pkey::PKey; //! use openssl::hash::MessageDigest; +//! use openssl::memcmp; +//! use openssl::pkey::PKey; +//! use openssl::sign::Signer; //! //! // Create a PKey //! let key = PKey::hmac(b"my secret").unwrap(); @@ -53,6 +54,12 @@ //! signer.update(data).unwrap(); //! signer.update(data2).unwrap(); //! let hmac = signer.finish().unwrap(); +//! +//! // `Verifier` cannot be used with HMACs; use the `memcmp::eq` function instead +//! // +//! // Do not simply check for equality with `==`! +//! # let target = hmac.clone(); +//! assert!(memcmp::eq(&hmac, &target)); //! ``` use ffi; use std::io::{self, Write}; diff --git a/openssl/src/ssl/bio.rs b/openssl/src/ssl/bio.rs index c5152a41..4dc7cbd4 100644 --- a/openssl/src/ssl/bio.rs +++ b/openssl/src/ssl/bio.rs @@ -68,10 +68,10 @@ pub unsafe fn get_mut<'a, S: 'a>(bio: *mut BIO) -> &'a mut S { } unsafe fn state<'a, S: 'a>(bio: *mut BIO) -> &'a mut StreamState<S> { - mem::transmute(compat::BIO_get_data(bio)) + &mut *(compat::BIO_get_data(bio) as *mut _) } -unsafe extern "C" fn bwrite<S: Write>(bio: *mut BIO, buf: *const c_char, len: c_int) -> c_int { +unsafe extern fn bwrite<S: Write>(bio: *mut BIO, buf: *const c_char, len: c_int) -> c_int { BIO_clear_retry_flags(bio); let state = state::<S>(bio); @@ -93,7 +93,7 @@ unsafe extern "C" fn bwrite<S: Write>(bio: *mut BIO, buf: *const c_char, len: c_ } } -unsafe extern "C" fn bread<S: Read>(bio: *mut BIO, buf: *mut c_char, len: c_int) -> c_int { +unsafe extern fn bread<S: Read>(bio: *mut BIO, buf: *mut c_char, len: c_int) -> c_int { BIO_clear_retry_flags(bio); let state = state::<S>(bio); @@ -123,11 +123,11 @@ fn retriable_error(err: &io::Error) -> bool { } } -unsafe extern "C" fn bputs<S: Write>(bio: *mut BIO, s: *const c_char) -> c_int { +unsafe extern fn bputs<S: Write>(bio: *mut BIO, s: *const c_char) -> c_int { bwrite::<S>(bio, s, strlen(s) as c_int) } -unsafe extern "C" fn ctrl<S: Write>(bio: *mut BIO, +unsafe extern fn ctrl<S: Write>(bio: *mut BIO, cmd: c_int, _num: c_long, _ptr: *mut c_void) @@ -151,7 +151,7 @@ unsafe extern "C" fn ctrl<S: Write>(bio: *mut BIO, } } -unsafe extern "C" fn create(bio: *mut BIO) -> c_int { +unsafe extern fn create(bio: *mut BIO) -> c_int { compat::BIO_set_init(bio, 0); compat::BIO_set_num(bio, 0); compat::BIO_set_data(bio, ptr::null_mut()); @@ -159,7 +159,7 @@ unsafe extern "C" fn create(bio: *mut BIO) -> c_int { 1 } -unsafe extern "C" fn destroy<S>(bio: *mut BIO) -> c_int { +unsafe extern fn destroy<S>(bio: *mut BIO) -> c_int { if bio.is_null() { return 0; } diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index cc5c5273..43dad17d 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -379,7 +379,7 @@ mod verify { // the same thing we do here. // // The Public Suffix (https://www.publicsuffix.org/) list could - // potentically be used here, but it's both huge and updated frequently + // potentially be used here, but it's both huge and updated frequently // enough that management would be a PITA. if dot_idxs.next().is_none() { return None; diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs index d2cb0cc8..99ee4c67 100644 --- a/openssl/src/symm.rs +++ b/openssl/src/symm.rs @@ -369,6 +369,10 @@ fn cipher(t: Cipher, /// /// Additional Authenticated Data can be provided in the `aad` field, and the authentication tag /// will be copied into the `tag` field. +/// +/// The size of the `tag` buffer indicates the required size of the tag. While some ciphers support +/// a range of tag sizes, it is recommended to pick the maximum size. For AES GCM, this is 16 bytes, +/// for example. pub fn encrypt_aead(t: Cipher, key: &[u8], iv: Option<&[u8]>, @@ -390,10 +394,6 @@ pub fn encrypt_aead(t: Cipher, /// /// Additional Authenticated Data can be provided in the `aad` field, and the authentication tag /// should be provided in the `tag` field. -/// -/// The size of the `tag` buffer indicates the required size of the tag. While some ciphers support -/// a range of tag sizes, it is recommended to pick the maximum size. For AES GCM, this is 16 bytes, -/// for example. pub fn decrypt_aead(t: Cipher, key: &[u8], iv: Option<&[u8]>, diff --git a/openssl/src/version.rs b/openssl/src/version.rs index 2604914e..bf47695b 100644 --- a/openssl/src/version.rs +++ b/openssl/src/version.rs @@ -20,11 +20,8 @@ use ffi::{SSLEAY_VERSION as OPENSSL_VERSION, SSLEAY_CFLAGS as OPENSSL_CFLAGS, SSLeay_version as OpenSSL_version}; #[cfg(ossl110)] -use ffi::{OPENSSL_VERSION, OPENSSL_CFLAGS}; -#[cfg(ossl110)] -use ffi::{OPENSSL_BUILT_ON, OPENSSL_PLATFORM, OPENSSL_DIR}; -#[cfg(ossl110)] -use ffi::{OpenSSL_version_num, OpenSSL_version}; +use ffi::{OPENSSL_VERSION, OPENSSL_CFLAGS, OPENSSL_BUILT_ON, OPENSSL_PLATFORM, OPENSSL_DIR, + OpenSSL_version_num, OpenSSL_version}; /// OPENSSL_VERSION_NUMBER is a numeric release version identifier: /// |