
openssl - cargo Package Compare versions

Comparing version
0.10.80
to
0.10.81
+1
-1
.cargo_vcs_info.json
{
"git": {
"sha1": "35be7ae43b207fc0448a648a21e9156bc360c9af"
"sha1": "db9c9e2f5db2ad7b45fd894e8d297ee15bfd0c7c"
},
"path_in_vcs": "openssl"
}

@@ -46,5 +46,5 @@ # This file is automatically @generated by Cargo.

name = "aws-lc-sys"
version = "0.39.1"
version = "0.41.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "83a25cf98105baa966497416dbd42565ce3a8cf8dbfd59803ec9ad46f3126399"
checksum = "1a2f9779ce85b93ab6170dd940ad0169b5766ff848247aff13bb788b832fe3f4"
dependencies = [

@@ -266,3 +266,3 @@ "bindgen",

name = "openssl"
version = "0.10.80"
version = "0.10.81"
dependencies = [

@@ -300,5 +300,5 @@ "bitflags",

name = "openssl-sys"
version = "0.9.116"
version = "0.9.117"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f28a22dc7140cda5f096e5e7724a6962ca81a7f8bfd2979f9b18c11af56318c4"
checksum = "b47e7e6bb2c38cd930d25a23b40fa52e068c10e85f3e03a7f5ba5aaca5713695"
dependencies = [

@@ -305,0 +305,0 @@ "aws-lc-fips-sys",

@@ -16,3 +16,3 @@ # THIS FILE IS AUTOMATICALLY GENERATED BY CARGO

name = "openssl"
version = "0.10.80"
version = "0.10.81"
authors = ["Steven Fackler <sfackler@gmail.com>"]

@@ -67,3 +67,3 @@ build = "build.rs"

[dependencies.ffi]
version = "0.9.116"
version = "0.9.117"
package = "openssl-sys"

@@ -70,0 +70,0 @@

@@ -5,2 +5,19 @@ # Change Log

## [v0.10.81] - 2026-06-12
### Fixed
* `SslContextRef::verify_mode` and `SslRef::verify_mode` no longer panic when the verify mode contains bits not modeled by `SslVerifyMode`.
### Added
* Added `SslVerifyMode::CLIENT_ONCE` and `SslVerifyMode::POST_HANDSHAKE`.
* Added `X509CrlBuilder` and `X509RevokedBuilder`, for building and signing CRLs, along with the `CrlNumber` extension builder.
* Added `Nid::BRAINPOOL_P224R1` and `Nid::BRAINPOOL_P224T1`.
* Added `Asn1StringRef::to_string`, which converts the string to UTF-8 without truncating at interior NUL bytes.
### Changed
* Deprecated `Asn1StringRef::as_utf8`, which truncates at the first interior NUL byte, in favor of `Asn1StringRef::to_string`.
## [v0.10.80] - 2026-05-16

@@ -1104,3 +1121,4 @@

[Unreleased]: https://github.com/rust-openssl/rust-openssl/compare/openssl-v0.10.80...master
[Unreleased]: https://github.com/rust-openssl/rust-openssl/compare/openssl-v0.10.81...master
[v0.10.81]: https://github.com/rust-openssl/rust-openssl/compare/openssl-v0.10.80...openssl-v0.10.81
[v0.10.80]: https://github.com/rust-openssl/rust-openssl/compare/openssl-v0.10.79...openssl-v0.10.80

@@ -1107,0 +1125,0 @@ [v0.10.79]: https://github.com/rust-openssl/rust-openssl/compare/openssl-v0.10.78...openssl-v0.10.79

@@ -28,3 +28,3 @@ #![deny(missing_docs)]

use foreign_types::{ForeignType, ForeignTypeRef};
use libc::{c_char, c_int, c_long, time_t};
use libc::{c_char, c_int, c_long, c_void, time_t};
use std::cmp::Ordering;

@@ -447,2 +447,6 @@ use std::convert::TryInto;

#[corresponds(ASN1_STRING_to_UTF8)]
#[deprecated(
since = "0.10.81",
note = "truncates at the first interior NUL byte; use `to_string` instead"
)]
pub fn as_utf8(&self) -> Result<OpensslString, ErrorStack> {

@@ -460,8 +464,60 @@ unsafe {

/// Converts the ASN.1 underlying format to a UTF-8 string.
///
/// ASN.1 strings may utilize UTF-16, ASCII, BMP, or UTF8. This is important to
/// consume the string in a meaningful way without knowing the underlying
/// format.
///
/// The full contents of the string are preserved, including any interior
/// NUL bytes. Any bytes that do not form valid UTF-8 after conversion are
/// replaced with U+FFFD.
#[corresponds(ASN1_STRING_to_UTF8)]
pub fn to_string(&self) -> Result<String, ErrorStack> {
// For string types whose conversion to UTF-8 is the identity
// function, copy directly out of the underlying buffer, avoiding
// ASN1_STRING_to_UTF8's intermediate allocation of it.
match unsafe { ffi::ASN1_STRING_type(self.as_ptr()) } {
ffi::V_ASN1_UTF8STRING => {
if let Ok(s) = str::from_utf8(self.as_slice()) {
return Ok(s.to_owned());
}
}
// Latin-1 types, whose UTF-8 conversion is the identity on ASCII.
ffi::V_ASN1_NUMERICSTRING
| ffi::V_ASN1_PRINTABLESTRING
| ffi::V_ASN1_T61STRING
| ffi::V_ASN1_IA5STRING
| ffi::V_ASN1_VISIBLESTRING => {
let slice = self.as_slice();
if slice.is_ascii() {
// SAFETY: ASCII is valid UTF-8.
return Ok(unsafe { str::from_utf8_unchecked(slice) }.to_owned());
}
}
_ => {}
}
unsafe {
let mut ptr = ptr::null_mut();
let len = ffi::ASN1_STRING_to_UTF8(&mut ptr, self.as_ptr());
if len < 0 {
return Err(ErrorStack::get());
}
// This copies the buffer exactly once: for valid UTF-8,
// from_utf8_lossy is a no-op returning Cow::Borrowed and
// into_owned performs the copy; for invalid UTF-8, from_utf8_lossy
// copies with replacements and into_owned is a no-op.
let s = String::from_utf8_lossy(util::from_raw_parts(ptr, len as usize)).into_owned();
openssl_free(ptr.cast());
Ok(s)
}
}
/// Return the string as an array of bytes.
///
/// The bytes do not directly correspond to UTF-8 encoding. To interact with
/// strings in rust, it is preferable to use [`as_utf8`]
/// strings in rust, it is preferable to use [`to_string`]
///
/// [`as_utf8`]: struct.Asn1String.html#method.as_utf8
/// [`to_string`]: struct.Asn1StringRef.html#method.to_string
#[corresponds(ASN1_STRING_get0_data)]
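Review bot: The final `unsafe` block of `to_string` has no `// SAFETY:` comment, although the ASCII fast path above it has one, and it is the part that handles a raw buffer returned by `ASN1_STRING_to_UTF8`. I would add `// SAFETY: len >= 0 was checked above, so ptr refers to len bytes allocated by ASN1_STRING_to_UTF8; they are copied into an owned String before openssl_free releases them.` above that block. The same gap applies to the two `unsafe fn openssl_free` variants added in the later hunk, which would benefit from a `# Safety` section stating that `buf` must be null or a pointer obtained from the library's allocator and must not be used after the call. Whether `util::from_raw_parts` tolerates a null pointer with a zero length is not visible here and is worth confirming for the empty-string case.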

@@ -486,4 +542,4 @@ pub fn as_slice(&self) -> &[u8] {

fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result {
match self.as_utf8() {
Ok(openssl_string) => openssl_string.fmt(fmt),
match self.to_string() {
Ok(string) => string.fmt(fmt),
Err(_) => fmt.write_str("error"),

@@ -494,2 +550,18 @@ }

#[inline]
#[cfg(not(any(boringssl, awslc)))]
unsafe fn openssl_free(buf: *mut c_void) {
ffi::OPENSSL_free(buf);
}
#[inline]
#[cfg(any(boringssl, awslc))]
unsafe fn openssl_free(buf: *mut c_void) {
ffi::CRYPTO_free(
buf,
concat!(file!(), "\0").as_ptr() as *const c_char,
line!() as c_int,
);
}
foreign_type_and_impl_send_sync! {

@@ -815,3 +887,33 @@ type CType = ffi::ASN1_INTEGER;

/// Tests that interior NUL bytes are preserved when converting to UTF-8.
#[test]
fn string_with_interior_nul() {
fn make_string(typ: c_int, data: &[u8]) -> Asn1String {
unsafe {
let ptr = cvt_p(ffi::ASN1_STRING_type_new(typ)).unwrap();
let s = Asn1String::from_ptr(ptr);
cvt(ffi::ASN1_STRING_set(
s.as_ptr(),
data.as_ptr().cast(),
data.len().try_into().unwrap(),
))
.unwrap();
s
}
}
// Copied directly out of the underlying buffer.
let s = make_string(ffi::V_ASN1_UTF8STRING, b"foo\0bar.com");
assert_eq!(s.as_slice(), b"foo\0bar.com");
assert_eq!(s.to_string().unwrap(), "foo\0bar.com");
let s = make_string(ffi::V_ASN1_IA5STRING, b"foo\0bar.com");
assert_eq!(s.to_string().unwrap(), "foo\0bar.com");
// Converted through ASN1_STRING_to_UTF8.
let s = make_string(ffi::V_ASN1_BMPSTRING, b"\0f\0\0\0o");
assert_eq!(s.to_string().unwrap(), "f\0o");
}
#[test]
fn time_from_str() {
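Review bot: `string_with_interior_nul` exercises only ASCII payloads and one BMPString, so two behaviours promised by the `to_string` doc comment stay untested: the fall-through taken when a Latin-1 type holds a non-ASCII byte, and the U+FFFD replacement for converted output that is not valid UTF-8. A case such as `let s = make_string(ffi::V_ASN1_IA5STRING, b"caf\xe9");` followed by an assertion on `s.to_string()` would cover the first; the expected value should be confirmed against each backend, since the conversion is done by the library. For a UTF8STRING holding invalid bytes, the test should pin whichever outcome the library gives (an `Err` or a replaced string), because callers that compare names rely on that being stable. The enclosing test module starts outside this hunk.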

@@ -818,0 +920,0 @@ Asn1Time::from_str("99991231235959Z").unwrap();

@@ -699,2 +699,23 @@ #![allow(unused_imports)]

#[test]
fn verify_mode_round_trip() {
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
let mut mode = SslVerifyMode::PEER;
mode |= SslVerifyMode::FAIL_IF_NO_PEER_CERT;
#[cfg(not(any(boringssl, awslc)))]
{
mode |= SslVerifyMode::CLIENT_ONCE;
}
#[cfg(ossl111)]
{
mode |= SslVerifyMode::POST_HANDSHAKE;
}
ctx.set_verify(mode);
let ctx = ctx.build();
assert_eq!(ctx.verify_mode(), mode);
let ssl = Ssl::new(&ctx).unwrap();
assert_eq!(ssl.verify_mode(), mode);
}
#[test]
fn add_extra_chain_cert() {
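Review bot: `verify_mode_round_trip` sets only flags that `SslVerifyMode` models, so it does not cover the case the changelog entry for this release describes, where the stored verify mode carries bits the type does not model. The fix itself is in a file this page does not display, so I cannot tell whether it is tested elsewhere; if not, a second test that sets such a bit through the raw `ffi` setter and then calls `ctx.verify_mode()` and `ssl.verify_mode()` would pin the no-panic behaviour. A short comment on each `#[cfg]` block would also help the next reader, for example `// CLIENT_ONCE is not available in the boringssl/awslc builds`.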

@@ -701,0 +722,0 @@ let cert = X509::from_pem(CERT).unwrap();

@@ -21,3 +21,5 @@ //! Add extensions to an `X509` certificate or certificate request.

use crate::asn1::Asn1Object;
use crate::asn1::{Asn1Integer, Asn1Object};
use crate::bn::BigNum;
use crate::cvt_p;
use crate::error::ErrorStack;

@@ -559,2 +561,34 @@ use crate::nid::Nid;

/// An extension that provides a means of versionning the CRL.
pub struct CrlNumber(Asn1Integer);
impl CrlNumber {
/// Construct a new `CrlNumber` extension.
pub fn new(number: BigNum) -> Result<Self, ErrorStack> {
let mut max = BigNum::new()?;
max.lshift(BigNum::from_u32(1)?.as_ref(), 159)?;
assert!(
!number.is_negative() && number < max,
"CrlNumber must be an ASN.1 integer greater than or equal to 0 and less than 2^159"
);
Ok(Self(Asn1Integer::from_bn(&number)?))
}
/// Return a `CrlNumber` extension as an `X509Extension`.
pub fn build(self) -> Result<X509Extension, ErrorStack> {
unsafe {
ffi::init();
cvt_p(ffi::X509V3_EXT_i2d(
Nid::CRL_NUMBER.as_raw(),
0,
self.0.as_ptr().cast(),
))
.map(X509Extension)
}
}
}
fn append(value: &mut String, first: &mut bool, should: bool, element: &str) {
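Review bot: `CrlNumber::new` returns `Result<Self, ErrorStack>` but rejects a negative or too-large `number` with `assert!`, so a caller that passes a value taken from external data gets a panic instead of an `Err`. At minimum the doc comment needs a panics section, `/// # Panics` followed by `/// Panics if number is negative or is not less than 2^159.`; returning an error for this case would be the sturdier contract if `ErrorStack` can express it. The `unsafe` block in `build` also lacks a `// SAFETY:` comment explaining why `self.0.as_ptr().cast()` is the right argument for `X509V3_EXT_i2d` with `Nid::CRL_NUMBER`, and "versionning" in the struct doc should read "versioning". The `append` function that closes the hunk continues outside it.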

@@ -561,0 +595,0 @@ if !should {

@@ -5,5 +5,6 @@ use std::cmp::Ordering;

use crate::bn::{BigNum, MsbOption};
use crate::error::ErrorStack;
use crate::hash::MessageDigest;
use crate::nid::Nid;
use crate::pkey::{PKey, Private};
use crate::pkey::{PKey, PKeyRef, Private};
use crate::rsa::Rsa;

@@ -23,3 +24,3 @@ #[cfg(not(any(boringssl, awslc)))]

use crate::x509::X509PurposeId;
use crate::x509::X509PurposeRef;
use crate::x509::{CrlNumber, X509CrlBuilder, X509PurposeRef, X509Ref, X509RevokedBuilder};
#[cfg(ossl110)]

@@ -115,3 +116,3 @@ use crate::x509::{CrlReason, X509Builder};

let friendly = subject.entries_by_nid(Nid::FRIENDLYNAME).next().unwrap();
assert_eq!(&**friendly.data().as_utf8().unwrap(), "Example");
assert_eq!(friendly.data().to_string().unwrap(), "Example");
}

@@ -139,3 +140,3 @@

assert_eq!(friendly.object().nid().as_raw(), Nid::FRIENDLYNAME.as_raw());
assert_eq!(&**friendly.data().as_utf8().unwrap(), "Example");
assert_eq!(friendly.data().to_string().unwrap(), "Example");

@@ -226,6 +227,6 @@ if all_entries.next().is_some() {

let mut o = dn.entries_by_nid(Nid::ORGANIZATIONNAME);
let o = o.next().unwrap().data().as_utf8().unwrap();
let o = o.next().unwrap().data().to_string().unwrap();
assert_eq!(o.as_bytes(), b"PyCA");
let mut cn = dn.entries_by_nid(Nid::COMMONNAME);
let cn = cn.next().unwrap().data().as_utf8().unwrap();
let cn = cn.next().unwrap().data().to_string().unwrap();
assert_eq!(cn.as_bytes(), b"cryptography.io");

@@ -387,2 +388,3 @@

let builder = X509::builder().unwrap();
let bn = BigNum::from_u32(42).unwrap();

@@ -418,2 +420,9 @@ for (ext, expected) in [

),
(
CrlNumber::new(bn)
.unwrap()
.build()
.unwrap(),
b"\x30\x0a\x06\x03\x55\x1d\x14\x04\x03\x02\x01\x2a",
),
] {

@@ -1268,1 +1277,116 @@ assert_eq!(&ext.to_der().unwrap(), expected);

}
#[test]
fn test_x509_revoked_builder() {
let mut builder = X509RevokedBuilder::new().unwrap();
let bn = BigNum::from_u32(1024).unwrap();
let d = Asn1Time::from_unix(0).unwrap();
builder
.set_serial_number(&bn.to_asn1_integer().unwrap())
.unwrap();
builder.set_revocation_date(&d).unwrap();
let revoked = builder.build();
assert_eq!(revoked.serial_number().to_bn().unwrap(), bn);
assert_eq!(
revoked.revocation_date().compare(&d).unwrap(),
Ordering::Equal
)
}
fn build_ca() -> Result<(PKey<Private>, X509), ErrorStack> {
let rsa = Rsa::generate(2048)?;
let pkey = PKey::from_rsa(rsa)?;
let mut name = X509Name::builder()?;
name.append_entry_by_nid(Nid::COMMONNAME, "foorbar.com")?;
let name = name.build();
// Build certificate
let mut builder = X509::builder()?;
builder.set_version(2)?;
builder.set_subject_name(&name)?;
builder.set_issuer_name(&name)?;
builder.set_pubkey(&pkey)?;
builder.set_not_before(&*Asn1Time::days_from_now(0)?)?;
builder.set_not_after(&*Asn1Time::days_from_now(365)?)?;
let exts = {
let ctx = builder.x509v3_context(None, None);
let san = SubjectAlternativeName::new()
.dns("foobar.com")
.build(&ctx)?;
vec![san]
};
for ext in exts {
builder.append_extension(ext)?;
}
builder.sign(&pkey, MessageDigest::sha256())?;
let ca_cert = builder.build();
Ok((pkey, ca_cert))
}
fn build_crl(
key: &PKeyRef<Private>,
cert: &X509Ref,
extensions: Vec<X509Extension>,
) -> Result<X509Crl, ErrorStack> {
let mut builder = X509RevokedBuilder::new()?;
let bn = BigNum::from_u32(1024)?;
let d = Asn1Time::from_unix(0)?;
builder.set_serial_number(&*bn.to_asn1_integer()?)?;
builder.set_revocation_date(&d)?;
let revoked = builder.build();
let revokeds = vec![revoked];
let mut builder = X509CrlBuilder::new()?;
builder.set_issuer_name(cert.issuer_name())?;
builder.set_last_update(&*Asn1Time::days_from_now(0)?)?;
builder.set_next_update(&*Asn1Time::days_from_now(30)?)?;
for ext in extensions {
builder.append_extension(ext)?;
}
for revoked in revokeds {
builder.add_revoked(revoked)?;
}
builder.sign(key, MessageDigest::sha256())?;
builder.build()
}
#[test]
fn test_x509_crl_builder() {
let (pkey, ca_cert) = build_ca().unwrap();
let dummy = X509::builder().unwrap();
let ctx = dummy.x509v3_context(Some(ca_cert.as_ref()), None);
let aki = AuthorityKeyIdentifier::new()
.issuer(true)
.build(&ctx)
.unwrap();
let n = CrlNumber::new(BigNum::from_u32(42).unwrap())
.unwrap()
.build()
.unwrap();
let exts = vec![aki, n];
let crl = build_crl(&pkey, &ca_cert, exts).unwrap();
assert!(crl.verify(&pkey).unwrap());
assert_eq!(crl.get_revoked().unwrap().len(), 1);
let (critical, n) = crl
.extension::<CrlNumber>()
.unwrap()
.expect("Crl Number extension should be present");
assert!(!critical, "Crl Number extension is not critical");
assert_eq!(n.to_bn().unwrap().to_string(), "42");
}
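Review bot: `build_ca` sets the subject common name to "foorbar.com" while the SubjectAlternativeName a few lines later uses "foobar.com"; the mismatch looks like a typo and the line should read `name.append_entry_by_nid(Nid::COMMONNAME, "foobar.com")?;`. Nothing in these tests depends on the two matching, so it is cosmetic, but fixtures with inconsistent names are confusing when copied. The suite also has no case for the range check in `CrlNumber::new`; a `#[should_panic]` test with a negative value and one with 2^159 would pin the bound that the constructor asserts. In `build_crl` the single-element `revokeds` vector and its loop can be replaced by `builder.add_revoked(revoked)?;`.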

Sorry, the diff of this file is not supported yet

Sorry, the diff of this file is too big to display

Sorry, the diff of this file is too big to display

Sorry, the diff of this file is too big to display