pin home to an older version on MSRV CI
Implement set_rsa_oaep_label for AWS-LC/BoringSSL
sys/evp: add EVP_MAC symbols
The OCSP find_status function was unsound because it treated next_update as always present, even though it's optional per RFC 6960. When absent, the null pointer from FFI was passed to from_ptr which doesn't check for null, causing undefined behavior. Fixed by using from_const_ptr_opt to safely handle the null case. Added next_update() method returning Option<&Asn1GeneralizedTimeRef> and deprecated the existing field which now contains a sentinel max time value (99991231235959Z) for backwards compatibility. Fixes rust-openssl#2516
…tatus-011CUqcGFNKeKJitnywzYCna Fix unsound OCSP find_status handling of optional next_update field
🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
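The null-handling pattern that the OCSP fix above describes, as an added, self-contained example (not the crate's own code). `RawTime`, `TimeRef`, `MockResponse` and `mock_find_status` are constructed stand-ins for the C time type, its borrowed wrapper, and the FFI lookup; `from_const_ptr_opt` is modeled locally under the name used in the commit message.

```rust
use std::ptr;

// Stand-in for the C ASN1_GENERALIZEDTIME (constructed for this example).
#[repr(C)]
struct RawTime { secs: i64 }

// Borrowed wrapper over the C object, in the style of the crate's *Ref types.
#[repr(transparent)]
struct TimeRef(RawTime);

impl TimeRef {
    // Safety: `p` must be non-null and valid for 'a. Passing null is UB.
    unsafe fn from_ptr<'a>(p: *const RawTime) -> &'a TimeRef {
        &*(p as *const TimeRef)
    }
    // Null-checking variant: NULL becomes None instead of an invalid reference.
    unsafe fn from_const_ptr_opt<'a>(p: *const RawTime) -> Option<&'a TimeRef> {
        if p.is_null() { None } else { Some(Self::from_ptr(p)) }
    }
    fn secs(&self) -> i64 { self.0.secs }
}

// Constructed response: nextUpdate is OPTIONAL in RFC 6960.
struct MockResponse { this_update: RawTime, next_update: Option<RawTime> }

// Mock of the C lookup: fills out-pointers, leaving next_update NULL when absent.
unsafe fn mock_find_status(r: &MockResponse, this_out: *mut *const RawTime,
                           next_out: *mut *const RawTime) -> i32 {
    *this_out = &r.this_update as *const RawTime;
    *next_out = match &r.next_update {
        Some(t) => t as *const RawTime,
        None => ptr::null(),
    };
    1
}

// Safe wrapper: only the field the C side always sets goes through from_ptr.
fn find_status(r: &MockResponse) -> Option<(&TimeRef, Option<&TimeRef>)> {
    let mut this_p: *const RawTime = ptr::null();
    let mut next_p: *const RawTime = ptr::null();
    unsafe {
        if mock_find_status(r, &mut this_p, &mut next_p) != 1 { return None; }
        Some((TimeRef::from_ptr(this_p), TimeRef::from_const_ptr_opt(next_p)))
    }
}

fn main() {
    let r = MockResponse { this_update: RawTime { secs: 100 }, next_update: None };
    let (this_update, next_update) = find_status(&r).unwrap();
    println!("this={} next={:?}", this_update.secs(), next_update.map(|t| t.secs()));
}
```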
Release openssl v0.10.75 and openssl-sys v0.9.111
…nssl-sys feat: New methods EVP_PKEY_new_raw_*_key_ex and EVP_PKEY_is_a
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v5...v6)
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
…hub_actions/actions/checkout-6 Bump actions/checkout from 5 to 6
Bump aws-lc-sys from 0.27 to 0.34
Remove the version restriction (#[cfg(any(ossl110, libressl))]) from X509_NAME_dup in openssl-sys and the corresponding X509NameRef::to_owned() method in openssl. This function has been available since early versions of OpenSSL, so there's no need to restrict it to 1.1.0+. Also removes the version restriction from the test_name_to_owned test.
…e-dup-0154FWsTS14aTYCmYpqJiiap Expose X509_NAME_dup on all versions of OpenSSL
This reintroduces support for GENERAL_NAME values of type GEN_DIRNAME without relying on OpenSSL’s configuration mini-language. The deprecated dir_name(&str) constructor remains unchanged and continues to panic. A new method, dir_name2(X509Name), is added to construct directoryName SAN entries using an owned X509Name. Internally, this uses safe duplication (.to_owned()) and manually builds a GENERAL_NAME with GEN_DIRNAME, following the same pattern used for other_name2. This avoids the vulnerability described in RUSTSEC-2023-0023 while restoring needed functionality for consumers that rely on DirectoryName SANs (e.g., government CSR specifications). New tests verify correctness, pointer ownership, and OpenSSL/BoringSSL/AWS-LC union handling.
reintroduce dir_name support for subject_alt_names
OpenSSL does in fact _not_ return pointers to static structs; depending on the state of the library you can get different pointers. This fixes the internal implementation of `Cipher::is_ccm` and `Cipher::is_ocb` by doing the comparison with NID instead of pointers, which is a stable identifier of the algorithm, regardless of the state of the OpenSSL library.
Add HKDF support
Currently, doing this:

    println!("{:?}", Nid::SECP521R1);

outputs:

    Nid(716)

Which is not as helpful as it could be.

This commit switches Nid over to a manual implementation of Debug which
prints the Nid's integer value, and, additionally, the Nid's short name
if it has one. This changes the output of the command above to:

    Nid { nid: 716, short_name: "secp521r1" }

And the output of this:

    println!("{:?}", Nid::from_raw(123456789));

becomes:

    Nid { nid: 123456789 }

Enhance Debug implementation for Nid
This allows deriving Debug on user-defined structs that contain
instances of EcGroup.
For standard groups, the debug output will look something like this:

    EcGroup { curve_name: "secp521r1" }

For groups not based on a standard curve, the Debug impl will try to
extract and print the curve's components, such that:

    let mut p = BigNum::new().unwrap();
    let mut a = BigNum::new().unwrap();
    let mut b = BigNum::new().unwrap();
    let mut ctx = BigNumContext::new().unwrap();
    EcGroup::from_curve_name(Nid::SECP224R1)
        .unwrap()
        .components_gfp(&mut p, &mut a, &mut b, &mut ctx)
        .unwrap();
    // reconstruct the group from its components
    let group = EcGroup::from_components(p, a, b, &mut ctx).unwrap();
    println!("{:#?}", group);

will print:

    EcGroup {
        p: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
        a: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
        b: "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
    }

If EcGroup::components_gfp() fails, or if any other error occurs, we'll
instead print only:

    EcGroup

Calling EcGroup::components_gfp() on a curve over GF(2^m) unexpectedly
works, and there does not seem to be an explicit way to distinguish
custom curves over GF(2^m) from custom curves over GF(p), and so, custom
curves over GF(2^m) will be Debug'd by the same logic. (rust-openssl
does not allow constructing custom curves over GF(2^m), so we can't add
test cases for this.)
test against openssl 3.6.0 in ci
In version.rs there's no reason for aws-lc and boringssl to use the old SSLeay aliases. The parts of the diff touching openssl-sys are not compiled for aws-lc and boringssl.
Also enable the minimal test for BoringSSL and AWS-LC.
Migrates systest to the ctest 0.5 API: type_name split into rename_type/rename_struct_ty, skip callbacks now take typed objects instead of &str, generate replaced by generate_files, and other renames. Also skips X509_L_ADD_DIR which ctest 0.5 now discovers inside a function body. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
wasip2 1.0.2 (released Jan 15, 2026) bumped its wit-bindgen dependency to ^0.51.0 which uses edition 2024. This breaks cargo on Rust 1.70 which can't parse edition 2024 manifests. Pin to 1.0.1 which uses wit-bindgen ^0.46.0 (edition 2021). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Upgrade ctest to 0.5
No description provided.