From da3eb8fa220aa632504a17883e9845372fc55436 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jan 2024 15:07:13 -0500 Subject: [PATCH] Fix warnings on libressl (#10281) --- src/rust/Cargo.lock | 1 + src/rust/cryptography-openssl/Cargo.toml | 1 + src/rust/cryptography-openssl/src/fips.rs | 31 +++++++------------ src/rust/cryptography-openssl/src/poly1305.rs | 14 ++++++--- src/rust/src/backend/aead.rs | 13 +++++--- src/rust/src/types.rs | 2 ++ 6 files changed, 32 insertions(+), 30 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 37bc849b6..d4a9a31ad 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -85,6 +85,7 @@ dependencies = [ name = "cryptography-openssl" version = "0.1.0" dependencies = [ + "cfg-if", "foreign-types", "foreign-types-shared", "openssl", diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 3a35c9fca..700704d0d 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,6 +8,7 @@ publish = false rust-version = "1.63.0" [dependencies] +cfg-if = "1" openssl = "0.10.63" ffi = { package = "openssl-sys", version = "0.9.99" } foreign-types = "0.3" diff --git a/src/rust/cryptography-openssl/src/fips.rs b/src/rust/cryptography-openssl/src/fips.rs index 9cdbd3f34..9c89f317e 100644 --- a/src/rust/cryptography-openssl/src/fips.rs +++ b/src/rust/cryptography-openssl/src/fips.rs @@ -9,25 +9,16 @@ use std::ptr; pub fn is_enabled() -> bool { - #[cfg(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))] - { - return false; - } - - #[cfg(all( - CRYPTOGRAPHY_OPENSSL_300_OR_GREATER, - not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)) - ))] - // SAFETY: No pre-conditions - unsafe { - ffi::EVP_default_properties_is_fips_enabled(ptr::null_mut()) == 1 - } - - #[cfg(all( - not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), - not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)) - ))] - { - return openssl::fips::enabled(); + cfg_if::cfg_if! { + if #[cfg(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))] { + false + } else if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { + // SAFETY: No pre-conditions + unsafe { + ffi::EVP_default_properties_is_fips_enabled(ptr::null_mut()) == 1 + } + } else { + openssl::fips::enabled() + } } } diff --git a/src/rust/cryptography-openssl/src/poly1305.rs b/src/rust/cryptography-openssl/src/poly1305.rs index 262062eed..e386bc2d7 100644 --- a/src/rust/cryptography-openssl/src/poly1305.rs +++ b/src/rust/cryptography-openssl/src/poly1305.rs @@ -18,9 +18,10 @@ impl Poly1305State { let mut ctx: Box> = Box::new(MaybeUninit::::uninit()); - // After initializing the context, unwrap the Box> into - // a Box while keeping the same memory address. See the docstring of the - // Poly1305State struct above for the rationale. + // SAFETY: After initializing the context, unwrap the + // `Box>` into a `Box` + // while keeping the same memory address. See the docstring of the + // `Poly1305State` struct above for the rationale. let initialized_ctx: Box = unsafe { ffi::CRYPTO_poly1305_init(ctx.as_mut().as_mut_ptr(), key.as_ptr()); let raw_ctx_ptr = (*Box::into_raw(ctx)).as_mut_ptr(); @@ -32,14 +33,17 @@ impl Poly1305State { } } - pub fn update(&mut self, data: &[u8]) -> () { + pub fn update(&mut self, data: &[u8]) { + // SAFETY: context is valid, as is the data ptr. unsafe { ffi::CRYPTO_poly1305_update(self.context.as_mut(), data.as_ptr(), data.len()); }; } - pub fn finalize(&mut self, output: &mut [u8]) -> () { + pub fn finalize(&mut self, output: &mut [u8]) { assert_eq!(output.len(), 16); + // SAFETY: context is valid and we verified that the output is the + // right length. unsafe { ffi::CRYPTO_poly1305_finish(self.context.as_mut(), output.as_mut_ptr()) }; } } diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 7c364dede..9fd8a91ce 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -574,13 +574,14 @@ impl AesSiv { ctx: EvpCipherAead::new(&cipher, key.as_bytes(), 16, true)?, }) } else { - return Err(CryptographyError::from( + _ = cipher_name; + + Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "AES-SIV is not supported by this version of OpenSSL", exceptions::Reasons::UNSUPPORTED_CIPHER, )), - )); - + )) } } } @@ -641,12 +642,14 @@ impl AesOcb3 { fn new(key: CffiBuf<'_>) -> CryptographyResult { cfg_if::cfg_if! { if #[cfg(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))] { - return Err(CryptographyError::from( + _ = key; + + Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "AES-OCB3 is not supported by this version of OpenSSL", exceptions::Reasons::UNSUPPORTED_CIPHER, )), - )); + )) } else { if cryptography_openssl::fips::is_enabled() { return Err(CryptographyError::from( diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index e948f49e8..b7564955d 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -331,6 +331,7 @@ pub static HASHES_MODULE: LazyPyImport = LazyPyImport::new("cryptography.hazmat.primitives.hashes", &[]); pub static HASH_ALGORITHM: LazyPyImport = LazyPyImport::new("cryptography.hazmat.primitives.hashes", &["HashAlgorithm"]); +#[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)))] pub static EXTENDABLE_OUTPUT_FUNCTION: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.hashes", &["ExtendableOutputFunction"], @@ -476,6 +477,7 @@ pub static SM4: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["SM4"], ); +#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] pub static SEED: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["_SEEDInternal"],