Fix warnings on libressl (#10281)

2026-05-14 20:37:55 +00:00 · 2024-01-28 15:07:13 -05:00 · 2024-01-28 15:07:13 -05:00 · da3eb8fa22
commit da3eb8fa22
parent 83dcbc1901
6 changed files with 32 additions and 30 deletions
--- a/src/rust/Cargo.lock
+++ b/src/rust/Cargo.lock
@ -85,6 +85,7 @@ dependencies = [
 name = "cryptography-openssl"
 version = "0.1.0"
 dependencies = [
+ "cfg-if",
 "foreign-types",
 "foreign-types-shared",
 "openssl",
--- a/src/rust/cryptography-openssl/Cargo.toml
+++ b/src/rust/cryptography-openssl/Cargo.toml
@ -8,6 +8,7 @@ publish = false
 rust-version = "1.63.0"

 [dependencies]
+cfg-if = "1"
 openssl = "0.10.63"
 ffi = { package = "openssl-sys", version = "0.9.99" }
 foreign-types = "0.3"
--- a/src/rust/cryptography-openssl/src/fips.rs
+++ b/src/rust/cryptography-openssl/src/fips.rs
@ -9,25 +9,16 @@
 use std::ptr;

 pub fn is_enabled() -> bool {
-    #[cfg(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))]
-    {
-        return false;
-    }
-
-    #[cfg(all(
-        CRYPTOGRAPHY_OPENSSL_300_OR_GREATER,
-        not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))
-    ))]
-    // SAFETY: No pre-conditions
-    unsafe {
-        ffi::EVP_default_properties_is_fips_enabled(ptr::null_mut()) == 1
-    }
-
-    #[cfg(all(
-        not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER),
-        not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))
-    ))]
-    {
-        return openssl::fips::enabled();
+    cfg_if::cfg_if! {
+        if #[cfg(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))] {
+            false
+        } else if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] {
+            // SAFETY: No pre-conditions
+            unsafe {
+                ffi::EVP_default_properties_is_fips_enabled(ptr::null_mut()) == 1
+            }
+        } else {
+            openssl::fips::enabled()
+        }
    }
 }
--- a/src/rust/cryptography-openssl/src/poly1305.rs
+++ b/src/rust/cryptography-openssl/src/poly1305.rs
@ -18,9 +18,10 @@ impl Poly1305State {
        let mut ctx: Box<MaybeUninit<ffi::poly1305_state>> =
            Box::new(MaybeUninit::<ffi::poly1305_state>::uninit());

-        // After initializing the context, unwrap the Box<MaybeUninit<poly1305_state>> into
-        // a Box<poly1305_state> while keeping the same memory address. See the docstring of the
-        // Poly1305State struct above for the rationale.
+        // SAFETY: After initializing the context, unwrap the
+        // `Box<MaybeUninit<poly1305_state>>` into a `Box<poly1305_state>`
+        // while keeping the same memory address. See the docstring of the
+        // `Poly1305State` struct above for the rationale.
        let initialized_ctx: Box<ffi::poly1305_state> = unsafe {
            ffi::CRYPTO_poly1305_init(ctx.as_mut().as_mut_ptr(), key.as_ptr());
            let raw_ctx_ptr = (*Box::into_raw(ctx)).as_mut_ptr();
@ -32,14 +33,17 @@ impl Poly1305State {
        }
    }

-    pub fn update(&mut self, data: &[u8]) -> () {
+    pub fn update(&mut self, data: &[u8]) {
+        // SAFETY: context is valid, as is the data ptr.
        unsafe {
            ffi::CRYPTO_poly1305_update(self.context.as_mut(), data.as_ptr(), data.len());
        };
    }

-    pub fn finalize(&mut self, output: &mut [u8]) -> () {
+    pub fn finalize(&mut self, output: &mut [u8]) {
        assert_eq!(output.len(), 16);
+        // SAFETY: context is valid and we verified that the output is the
+        // right length.
        unsafe { ffi::CRYPTO_poly1305_finish(self.context.as_mut(), output.as_mut_ptr()) };
    }
 }
--- a/src/rust/src/backend/aead.rs
+++ b/src/rust/src/backend/aead.rs
@ -574,13 +574,14 @@ impl AesSiv {
                    ctx: EvpCipherAead::new(&cipher, key.as_bytes(), 16, true)?,
                })
            } else {
-                return Err(CryptographyError::from(
+                _ = cipher_name;
+
+                Err(CryptographyError::from(
                    exceptions::UnsupportedAlgorithm::new_err((
                        "AES-SIV is not supported by this version of OpenSSL",
                        exceptions::Reasons::UNSUPPORTED_CIPHER,
                    )),
-                ));
-
+                ))
            }
        }
    }
@ -641,12 +642,14 @@ impl AesOcb3 {
    fn new(key: CffiBuf<'_>) -> CryptographyResult<AesOcb3> {
        cfg_if::cfg_if! {
            if #[cfg(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))] {
-                return Err(CryptographyError::from(
+                _ = key;
+
+                Err(CryptographyError::from(
                    exceptions::UnsupportedAlgorithm::new_err((
                        "AES-OCB3 is not supported by this version of OpenSSL",
                        exceptions::Reasons::UNSUPPORTED_CIPHER,
                    )),
-                ));
+                ))
            } else {
                if cryptography_openssl::fips::is_enabled() {
                    return Err(CryptographyError::from(
--- a/src/rust/src/types.rs
+++ b/src/rust/src/types.rs
@ -331,6 +331,7 @@ pub static HASHES_MODULE: LazyPyImport =
    LazyPyImport::new("cryptography.hazmat.primitives.hashes", &[]);
 pub static HASH_ALGORITHM: LazyPyImport =
    LazyPyImport::new("cryptography.hazmat.primitives.hashes", &["HashAlgorithm"]);
+#[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)))]
 pub static EXTENDABLE_OUTPUT_FUNCTION: LazyPyImport = LazyPyImport::new(
    "cryptography.hazmat.primitives.hashes",
    &["ExtendableOutputFunction"],
@ -476,6 +477,7 @@ pub static SM4: LazyPyImport = LazyPyImport::new(
    "cryptography.hazmat.primitives.ciphers.algorithms",
    &["SM4"],
 );
+#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))]
 pub static SEED: LazyPyImport = LazyPyImport::new(
    "cryptography.hazmat.primitives.ciphers.algorithms",
    &["_SEEDInternal"],