forked from cloudflare/boring
Merge updates from upstream #22
Merged
…dded Originally added in sfackler/rust-openssl#1371
Since X509Name is more complex than a single value (it's a sequence of entries) it's useful to be able to serialise/deserialise to/from flat data, and DER is a natural form for this. So add {i2d,d2i}_X509_NAME -sys functions, and to_der/from_der wrappers in X509NameRef and X509Name respectively. Originally added in sfackler/rust-openssl#1534
… requires it for some extensions (and segfaults without)
Notable commits that cause code changes here:

X509 fields notBefore and notAfter need to be specified
https://boringssl-review.googlesource.com/c/boringssl/+/49349

X509ReqBuilder only accepts X509v1 now
https://boringssl-review.googlesource.com/c/boringssl/+/52605

Some functions switched from int to size_t
https://boringssl-review.googlesource.com/c/boringssl/+/54985

CECPQ2 support was dropped
https://boringssl-review.googlesource.com/c/boringssl/+/58645

This is a breaking change.
Signed-off-by: Piotr Sikora <[email protected]>
Bump bindgen to 0.65.1
psuedo → pseudo
Update BoringCrypto to FIPS 140-2 certificate 4407.
Update boringssl to latest upstream commit (fixes cloudflare#100)
boring: Fix memory leak in `Deriver`
Port security fixes from the openssl crate (fixes cloudflare#111)
Implement ToOwned for X509StoreRef and Clone for X509Store
Revert "Merge pull request cloudflare#108 from nox/store-clone"
Add RPK and PQ crypto features
Make the later compatible with `rpk` feature.
This commit modifies the Cargo `include` field for `boring-sys` to include all the files necessary to actually build the FIPS-certified revision of BoringSSL. Currently, some of these files are missing (see cloudflare#157 for details on this).

This branch improves on my previous approach in PR cloudflare#158, which switched from using a Cargo `include` to a Cargo `exclude`. Using `exclude` rather than `include` resulted in a much larger crates.io package, but at the time, I thought this was less likely to result in breakage in the future, because I was concerned about the inability to verify that the set of excludes/includes can build a new pinned `boringssl` git revision without having to actually publish a crates.io release.

However, as @nox pointed out in [this comment][1], `cargo package` can be used to verify a build with the `exclude`s/`include`s applied. This branch therefore adds `cargo package` steps to CI that check that the package can actually be built. This way, we are able to make a much smaller change to the included files, resulting in a smaller package published to crates.io. On this branch, the package is 6.7MiB compressed, which is not much larger than it was previously:

```
Finished dev [unoptimized + debuginfo] target(s) in 55.65s
Packaged 1851 files, 33.7MiB (6.7MiB compressed)
```

Fixes cloudflare#157
Closes cloudflare#158

[1]: cloudflare#158 (comment)
As suggested by @inikulin in cloudflare#159 (comment)
Overwrite BoringSSL's default key exchange preferences with safe defaults using feature flags:

* "kx-pq-supported" enables support for PQ key exchange algorithms. Classical key exchange is still preferred, but will be upgraded to PQ if requested.
* "kx-pq-preferred" enables preference for PQ key exchange, with fallback to classical key exchange if requested.
* "kx-nist-required" disables non-NIST key exchange.

Each feature implies "kx-safe-default". When this feature is enabled, don't compile bindings for `SSL_CTX_set1_curves()` and `SslCurve`. This is to prevent the feature flags from silently overriding curve preferences chosen by the user.

Ideally we'd allow both: that is, use "kx-*" to set defaults, but still allow the user to manually override them. However, this doesn't work because by the time the `SSL_CTX` is constructed, we don't yet know whether we're the client or server. (The "kx-*" features set different preferences for each.) If "kx-safe-default" is set, then the curve preferences are set just before initiating a TLS handshake (`SslStreamBuilder::connect()`) or waiting for a TLS handshake (`SslStreamBuilder::accept()`).
jrose-signal force-pushed the jrose/update branch from 9ff063d to 486ce82 (October 11, 2023 01:45)
jrose-signal force-pushed the jrose/update branch from 486ce82 to 02e4a3f (October 12, 2023 22:20)
This also removes Mac Catalyst support, since we are no longer testing it. There shouldn't be any incompatibility, but it's a divergence from upstream that Signal is not supporting.