Adds support for linking against boringssl

The boringssl-sys crate is specific to the revision of boringssl you are using, so you will need to generate it from a boringssl build tree and point the openssl crate at it via cargo source replacement, or place the build tree next to rust-openssl while building. Co-authored-by: Matthew Maurer <[email protected]> Co-authored-by: Andrew Scull <[email protected]>
sfackler · Jun 2, 2022 · 2b41512 · 2b41512
1 parent e062862
commit 2b41512
Show file tree

Hide file tree

Showing 37 changed files with 604 additions and 141 deletions.
diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml
@@ -19,6 +19,8 @@ v111 = []
 
 vendored = ['ffi/vendored']
 bindgen = ['ffi/bindgen']
+boringssl = ["bssl-ffi"]
+default = ["ffi"]
 
 [dependencies]
 bitflags = "1.0"
@@ -28,7 +30,8 @@ libc = "0.2"
 once_cell = "1.5.2"
 
 openssl-macros = { version = "0.1.0", path = "../openssl-macros" }
-ffi = { package = "openssl-sys", version = "0.9.73", path = "../openssl-sys" }
+ffi = { package = "openssl-sys", version = "0.9.73", path = "../openssl-sys", optional = true }
+bssl-ffi = { package = "bssl-sys", version = "0.1.0", path = "../../boringssl/build/rust", optional=true }
 
 [dev-dependencies]
 hex = "0.3"
diff --git a/openssl/build.rs b/openssl/build.rs
@@ -7,6 +7,11 @@ fn main() {
         println!("cargo:rustc-cfg=libressl");
     }
 
+    if env::var("CARGO_FEATURE_BORINGSSL").is_ok() {
+        println!("cargo:rustc-cfg=boringssl");
+        return;
+    }
+
     if let Ok(v) = env::var("DEP_OPENSSL_LIBRESSL_VERSION") {
         println!("cargo:rustc-cfg=libressl{}", v);
     }

diff --git a/openssl/src/aes.rs b/openssl/src/aes.rs
@@ -55,6 +55,7 @@
 //! assert_eq!(&orig_key[..], &key_to_wrap[..]);
 //! ```
 //!
+use cfg_if::cfg_if;
 use libc::{c_int, c_uint};
 use std::mem::MaybeUninit;
 use std::ptr;
@@ -69,6 +70,16 @@ pub struct KeyError(());
 /// The key used to encrypt or decrypt cipher blocks.
 pub struct AesKey(ffi::AES_KEY);
 
+cfg_if! {
+    if #[cfg(boringssl)] {
+        type AesBitType = c_uint;
+        type AesSizeType = usize;
+    } else {
+        type AesBitType = c_int;
+        type AesSizeType = c_uint;
+    }
+}
+
 impl AesKey {
     /// Prepares a key for encryption.
     ///
@@ -83,7 +94,7 @@ impl AesKey {
             let mut aes_key = MaybeUninit::uninit();
             let r = ffi::AES_set_encrypt_key(
                 key.as_ptr() as *const _,
-                key.len() as c_int * 8,
+                key.len() as AesBitType * 8,
                 aes_key.as_mut_ptr(),
             );
             if r == 0 {
@@ -107,7 +118,7 @@ impl AesKey {
             let mut aes_key = MaybeUninit::uninit();
             let r = ffi::AES_set_decrypt_key(
                 key.as_ptr() as *const _,
-                key.len() as c_int * 8,
+                key.len() as AesBitType * 8,
                 aes_key.as_mut_ptr(),
             );
 
@@ -138,6 +149,7 @@ impl AesKey {
 ///
 /// Panics if `in_` is not the same length as `out`, if that length is not a multiple of 16, or if
 /// `iv` is not at least 32 bytes.
+#[cfg(not(boringssl))]
 #[corresponds(AES_ige_encrypt)]
 pub fn aes_ige(in_: &[u8], out: &mut [u8], key: &AesKey, iv: &mut [u8], mode: Mode) {
     unsafe {
@@ -189,7 +201,7 @@ pub fn wrap_key(
                 .map_or(ptr::null(), |iv| iv.as_ptr() as *const _),
             out.as_ptr() as *mut _,
             in_.as_ptr() as *const _,
-            in_.len() as c_uint,
+            in_.len() as AesSizeType,
         );
         if written <= 0 {
             Err(KeyError(()))
@@ -228,7 +240,7 @@ pub fn unwrap_key(
                 .map_or(ptr::null(), |iv| iv.as_ptr() as *const _),
             out.as_ptr() as *mut _,
             in_.as_ptr() as *const _,
-            in_.len() as c_uint,
+            in_.len() as AesSizeType,
         );
 
         if written <= 0 {
@@ -248,6 +260,7 @@ mod test {
 
     // From https://www.mgp25.com/AESIGE/
     #[test]
+    #[cfg(not(boringssl))]
     fn ige_vector_1() {
         let raw_key = "000102030405060708090A0B0C0D0E0F";
         let raw_iv = "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F";

diff --git a/openssl/src/base64.rs b/openssl/src/base64.rs
@@ -1,8 +1,13 @@
 //! Base64 encoding support.
 use crate::cvt_n;
 use crate::error::ErrorStack;
-use libc::c_int;
 use openssl_macros::corresponds;
+use libc::{c_int, size_t};
+
+#[cfg(not(boringssl))]
+type LenType = c_int;
+#[cfg(boringssl)]
+type LenType = size_t;
 
 /// Encodes a slice of bytes to a base64 string.
 ///
@@ -12,7 +17,7 @@ use openssl_macros::corresponds;
 #[corresponds(EVP_EncodeBlock)]
 pub fn encode_block(src: &[u8]) -> String {
     assert!(src.len() <= c_int::max_value() as usize);
-    let src_len = src.len() as c_int;
+    let src_len = src.len() as LenType;
 
     let len = encoded_len(src_len).unwrap();
     let mut out = Vec::with_capacity(len as usize);
@@ -43,7 +48,7 @@ pub fn decode_block(src: &str) -> Result<Vec<u8>, ErrorStack> {
     }
 
     assert!(src.len() <= c_int::max_value() as usize);
-    let src_len = src.len() as c_int;
+    let src_len = src.len() as LenType;
 
     let len = decoded_len(src_len).unwrap();
     let mut out = Vec::with_capacity(len as usize);
@@ -72,7 +77,7 @@ pub fn decode_block(src: &str) -> Result<Vec<u8>, ErrorStack> {
     Ok(out)
 }
 
-fn encoded_len(src_len: c_int) -> Option<c_int> {
+fn encoded_len(src_len: LenType) -> Option<LenType> {
     let mut len = (src_len / 3).checked_mul(4)?;
 
     if src_len % 3 != 0 {
@@ -84,7 +89,7 @@ fn encoded_len(src_len: c_int) -> Option<c_int> {
     Some(len)
 }
 
-fn decoded_len(src_len: c_int) -> Option<c_int> {
+fn decoded_len(src_len: LenType) -> Option<LenType> {
     let mut len = (src_len / 4).checked_mul(3)?;
 
     if src_len % 4 != 0 {

diff --git a/openssl/src/bn.rs b/openssl/src/bn.rs
@@ -43,6 +43,8 @@ cfg_if! {
             BN_get_rfc3526_prime_2048, BN_get_rfc3526_prime_3072, BN_get_rfc3526_prime_4096,
             BN_get_rfc3526_prime_6144, BN_get_rfc3526_prime_8192, BN_is_negative,
         };
+    } else if #[cfg(boringssl)] {
+        use ffi::BN_is_negative;
     } else {
         use ffi::{
             get_rfc2409_prime_1024 as BN_get_rfc2409_prime_1024,
@@ -946,6 +948,7 @@ impl BigNum {
     ///
     /// [`RFC 2409`]: https://tools.ietf.org/html/rfc2409#page-21
     #[corresponds(BN_get_rfc2409_prime_768)]
+    #[cfg(not(boringssl))]
     pub fn get_rfc2409_prime_768() -> Result<BigNum, ErrorStack> {
         unsafe {
             ffi::init();
@@ -959,6 +962,7 @@ impl BigNum {
     ///
     /// [`RFC 2409`]: https://tools.ietf.org/html/rfc2409#page-21
     #[corresponds(BN_get_rfc2409_prime_1024)]
+    #[cfg(not(boringssl))]
     pub fn get_rfc2409_prime_1024() -> Result<BigNum, ErrorStack> {
         unsafe {
             ffi::init();
@@ -972,6 +976,7 @@ impl BigNum {
     ///
     /// [`RFC 3526`]: https://tools.ietf.org/html/rfc3526#page-3
     #[corresponds(BN_get_rfc3526_prime_1536)]
+    #[cfg(not(boringssl))]
     pub fn get_rfc3526_prime_1536() -> Result<BigNum, ErrorStack> {
         unsafe {
             ffi::init();
@@ -985,6 +990,7 @@ impl BigNum {
     ///
     /// [`RFC 3526`]: https://tools.ietf.org/html/rfc3526#page-3
     #[corresponds(BN_get_rfc3526_prime_2048)]
+    #[cfg(not(boringssl))]
     pub fn get_rfc3526_prime_2048() -> Result<BigNum, ErrorStack> {
         unsafe {
             ffi::init();
@@ -998,6 +1004,7 @@ impl BigNum {
     ///
     /// [`RFC 3526`]: https://tools.ietf.org/html/rfc3526#page-4
     #[corresponds(BN_get_rfc3526_prime_3072)]
+    #[cfg(not(boringssl))]
     pub fn get_rfc3526_prime_3072() -> Result<BigNum, ErrorStack> {
         unsafe {
             ffi::init();
@@ -1011,6 +1018,7 @@ impl BigNum {
     ///
     /// [`RFC 3526`]: https://tools.ietf.org/html/rfc3526#page-4
     #[corresponds(BN_get_rfc3526_prime_4096)]
+    #[cfg(not(boringssl))]
     pub fn get_rfc3526_prime_4096() -> Result<BigNum, ErrorStack> {
         unsafe {
             ffi::init();
@@ -1024,6 +1032,7 @@ impl BigNum {
     ///
     /// [`RFC 3526`]: https://tools.ietf.org/html/rfc3526#page-6
     #[corresponds(BN_get_rfc3526_prime_6114)]
+    #[cfg(not(boringssl))]
     pub fn get_rfc3526_prime_6144() -> Result<BigNum, ErrorStack> {
         unsafe {
             ffi::init();
@@ -1037,6 +1046,7 @@ impl BigNum {
     ///
     /// [`RFC 3526`]: https://tools.ietf.org/html/rfc3526#page-6
     #[corresponds(BN_get_rfc3526_prime_8192)]
+    #[cfg(not(boringssl))]
     pub fn get_rfc3526_prime_8192() -> Result<BigNum, ErrorStack> {
         unsafe {
             ffi::init();
@@ -1061,12 +1071,12 @@ impl BigNum {
         unsafe {
             ffi::init();
             assert!(n.len() <= c_int::max_value() as usize);
-            cvt_p(ffi::BN_bin2bn(
-                n.as_ptr(),
-                n.len() as c_int,
-                ptr::null_mut(),
-            ))
-            .map(|p| BigNum::from_ptr(p))
+            #[cfg(boringssl)]
+            let len = n.len();
+            #[cfg(not(boringssl))]
+            let len = n.len() as c_int;
+
+            cvt_p(ffi::BN_bin2bn(n.as_ptr(), len, ptr::null_mut())).map(|p| BigNum::from_ptr(p))
         }
     }
 }

diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs
@@ -16,7 +16,7 @@ use std::ffi::CString;
 use std::ptr;
 
 cfg_if! {
-    if #[cfg(any(ossl110, libressl273))] {
+    if #[cfg(any(boringssl, ossl110, libressl273))] {
         use ffi::{EVP_CIPHER_block_size, EVP_CIPHER_iv_length, EVP_CIPHER_key_length};
     } else {
         use libc::c_int;
@@ -145,34 +145,42 @@ impl Cipher {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_cbc() as *mut _) }
     }
 
+    #[cfg(not(boringssl))]
     pub fn aes_128_xts() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_xts() as *mut _) }
     }
 
+    #[cfg(not(boringssl))]
     pub fn aes_128_ctr() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_ctr() as *mut _) }
     }
 
+    #[cfg(not(boringssl))]
     pub fn aes_128_cfb1() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_cfb1() as *mut _) }
     }
 
+    #[cfg(not(boringssl))]
     pub fn aes_128_cfb128() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_cfb128() as *mut _) }
     }
 
+    #[cfg(not(boringssl))]
     pub fn aes_128_cfb8() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_cfb8() as *mut _) }
     }
 
+    #[cfg(not(boringssl))]
     pub fn aes_128_gcm() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_gcm() as *mut _) }
     }
 
+    #[cfg(not(boringssl))]
     pub fn aes_128_ccm() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_ccm() as *mut _) }
     }
 
+    #[cfg(not(boringssl))]
     pub fn aes_128_ofb() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_128_ofb() as *mut _) }
     }
@@ -195,6 +203,7 @@ impl Cipher {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_192_ctr() as *mut _) }
     }
 
+    #[cfg(not(boringssl))]
     pub fn aes_192_cfb1() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_192_cfb1() as *mut _) }
     }
@@ -203,6 +212,7 @@ impl Cipher {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_192_cfb128() as *mut _) }
     }
 
+    #[cfg(not(boringssl))]
     pub fn aes_192_cfb8() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_192_cfb8() as *mut _) }
     }
@@ -211,6 +221,7 @@ impl Cipher {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_192_gcm() as *mut _) }
     }
 
+    #[cfg(not(boringssl))]
     pub fn aes_192_ccm() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_192_ccm() as *mut _) }
     }
@@ -237,6 +248,7 @@ impl Cipher {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_256_ctr() as *mut _) }
     }
 
+    #[cfg(not(boringssl))]
     pub fn aes_256_cfb1() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_256_cfb1() as *mut _) }
     }
@@ -245,6 +257,7 @@ impl Cipher {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_256_cfb128() as *mut _) }
     }
 
+    #[cfg(not(boringssl))]
     pub fn aes_256_cfb8() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_256_cfb8() as *mut _) }
     }
@@ -253,6 +266,7 @@ impl Cipher {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_256_gcm() as *mut _) }
     }
 
+    #[cfg(not(boringssl))]
     pub fn aes_256_ccm() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_aes_256_ccm() as *mut _) }
     }
@@ -278,11 +292,13 @@ impl Cipher {
     }
 
     #[cfg(not(osslconf = "OPENSSL_NO_BF"))]
+    #[cfg(not(boringssl))]
     pub fn bf_cfb64() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_bf_cfb64() as *mut _) }
     }
 
     #[cfg(not(osslconf = "OPENSSL_NO_BF"))]
+    #[cfg(not(boringssl))]
     pub fn bf_ofb() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_bf_ofb() as *mut _) }
     }
@@ -303,6 +319,7 @@ impl Cipher {
         unsafe { CipherRef::from_ptr(ffi::EVP_des_ede3_cbc() as *mut _) }
     }
 
+    #[cfg(not(boringssl))]
     pub fn des_ede3_cfb64() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_des_ede3_cfb64() as *mut _) }
     }
@@ -322,21 +339,25 @@ impl Cipher {
     }
 
     #[cfg(not(osslconf = "OPENSSL_NO_SEED"))]
+    #[cfg(not(boringssl))]
     pub fn seed_cbc() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_seed_cbc() as *mut _) }
     }
 
     #[cfg(not(osslconf = "OPENSSL_NO_SEED"))]
+    #[cfg(not(boringssl))]
     pub fn seed_cfb128() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_seed_cfb128() as *mut _) }
     }
 
     #[cfg(not(osslconf = "OPENSSL_NO_SEED"))]
+    #[cfg(not(boringssl))]
     pub fn seed_ecb() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_seed_ecb() as *mut _) }
     }
 
     #[cfg(not(osslconf = "OPENSSL_NO_SEED"))]
+    #[cfg(not(boringssl))]
     pub fn seed_ofb() -> &'static CipherRef {
         unsafe { CipherRef::from_ptr(ffi::EVP_seed_ofb() as *mut _) }
     }