New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update vendored version to openssl 3 #1925
Conversation
bc91c55
to
f8aabd6
Compare
@@ -25,7 +25,7 @@ bssl-sys = { version = "0.1.0", optional = true } | |||
[build-dependencies] | |||
bindgen = { version = "0.64.0", optional = true, features = ["experimental"] } | |||
cc = "1.0.61" | |||
openssl-src = { version = "111", optional = true } | |||
openssl-src = { version = "300.1.2", optional = true, features = ["legacy"] } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Legacy feature is required for the tests at least.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It does seem like we realistically probably want to enable this - thoughts @alex?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We enable it by default in pyca/cryptography, its required for basically any encrypted key serialization (since they all use garbage algorithms).
|| env::var("CARGO_CFG_TARGET_OS").unwrap() == "android") | ||
&& env::var("CARGO_CFG_TARGET_POINTER_WIDTH").unwrap() == "32" | ||
{ | ||
println!("cargo:rustc-link-lib=dylib=atomic"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When upgrading to 3.1, vendored tests on arm-unknown-linux-gnueabihf fail with undefined reference to __atomic_stuff
link errors, fixed by re-applying the patch removed in 32a303a. I did not dig the problem deeper.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, I guess I'll need to poke around a bit to see if the commit that fixed this was reverted or something.
This is also something that may actually be best off moved to openssl-src.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I think we just need to update the logic in openssl-src to include atomic
as a lib when appropriate: https://github.com/alexcrichton/openssl-src-rs/blob/main/src/lib.rs#L549
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The libs to link don't seem to come from openssl-src (only the library path is used) but are redefined in openssl-sys. We could try to take lib list from openssl-src but it would still require defining them for non-vendored cases so I'm not sure it would make sense.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sfackler We're new ~ 1 week from 1.1 EOL, is the current PR acceptable or do you want additional changes? As stated in the previous comment it does not seem practical to include the atomic lib on the openssl-src side.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I Know this is merged already, but i wanted to provide my feedback.
This now broke armv6 arm-unknown-linux-gnueabi
again, for which this was removed.
If this really is needed for vendored tests, then maybe only enable this when vendored is enabled, or, as i do this in my build scripts add it when needed like this RUSTFLAGS="-Clink-args=-latomic"
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The issue about the resulting regression is here: #2043
It broke my musl
builds as well: deltachat/deltachat-core-rust#4799
@sfackler Fixed test issues, ready for review. |
Since sfackler#1925 building static binaries fails because of a hardcoded `dylib`. Removing the `dylib` but still let rust search for the dependency it will still link it. This should still keep sfackler#1645 fixed but also fixes sfackler#2043. I have tested this by building Vaultwarden for both dynamically linked debian based image, and a statically linked musl/alpine based image. But are using OpenSSL v3.x.x.
…, r=weihanglo chore(deps): update rust crate openssl to 0.10.60 [security] [![Mend Renovate logo banner](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [openssl](https://togithub.com/sfackler/rust-openssl) | workspace.dependencies | patch | `0.10.57` -> `0.10.60` | ### GitHub Vulnerability Alerts #### [GHSA-xphf-cx8h-7q9g](https://togithub.com/sfackler/rust-openssl/issues/2096) This function returned a reference into an OpenSSL datastructure, but there was no way to ensure OpenSSL would not mutate the datastructure behind one's back. Use of this function should be replaced with `X509StoreRef::all_certificates`. --- ### Release Notes <details> <summary>sfackler/rust-openssl (openssl)</summary> ### [`v0.10.60`](https://togithub.com/sfackler/rust-openssl/releases/tag/openssl-v0.10.60) [Compare Source](https://togithub.com/sfackler/rust-openssl/compare/openssl-v0.10.59...openssl-v0.10.60) #### What's Changed - Correct off-by-one in minimum output buffer size computation by [`@​alex](https://togithub.com/alex)` in [sfackler/rust-openssl#2088 - Expose a few more (bad) ciphers in cipher::Cipher by [`@​alex](https://togithub.com/alex)` in [sfackler/rust-openssl#2084 - add temp key bindings by [`@​jmayclin](https://togithub.com/jmayclin)` in [sfackler/rust-openssl#2076 - Expose ChaCha20 on LibreSSL by [`@​alex](https://togithub.com/alex)` in [sfackler/rust-openssl#2093 - Revert "Correct off-by-one in minimum output buffer size computation" by [`@​alex](https://togithub.com/alex)` in [sfackler/rust-openssl#2090 - Added `update_unchecked` to `symm::Crypter` by [`@​alex](https://togithub.com/alex)` in [sfackler/rust-openssl#2100 - fixes [#​2096](https://togithub.com/sfackler/rust-openssl/issues/2096) -- deprecate `X509StoreRef::objects`, it is unsound by [`@​alex](https://togithub.com/alex)` in [sfackler/rust-openssl#2099 - Don't leak when overwriting ex data by [`@​sfackler](https://togithub.com/sfackler)` in [sfackler/rust-openssl#2102 - Release openssl v0.10.60 and openssl-sys v0.9.96 by [`@​alex](https://togithub.com/alex)` in [sfackler/rust-openssl#2104 **Full Changelog**: sfackler/rust-openssl@openssl-v0.10.59...openssl-v0.10.60 ### [`v0.10.59`](https://togithub.com/sfackler/rust-openssl/releases/tag/openssl-v0.10.59) [Compare Source](https://togithub.com/sfackler/rust-openssl/compare/openssl-v0.10.58...openssl-v0.10.59) #### What's Changed - Add binding to NID of Chacha20-Poly1305 cipher by [`@​Arnavion](https://togithub.com/Arnavion)` in [sfackler/rust-openssl#2081 - Fixed cfg for RSA_PSS by [`@​alex](https://togithub.com/alex)` in [sfackler/rust-openssl#2079 - fixes [#​2050](https://togithub.com/sfackler/rust-openssl/issues/2050) -- build and test on libressl 3.8.2 by [`@​alex](https://togithub.com/alex)` in [sfackler/rust-openssl#2082 - Release openssl v0.10.59 and openssl-sys v0.9.95 by [`@​alex](https://togithub.com/alex)` in [sfackler/rust-openssl#2083 #### New Contributors - [`@​Arnavion](https://togithub.com/Arnavion)` made their first contribution in [sfackler/rust-openssl#2081 **Full Changelog**: sfackler/rust-openssl@openssl-v0.10.58...openssl-v0.10.59 ### [`v0.10.58`](https://togithub.com/sfackler/rust-openssl/releases/tag/openssl-v0.10.58) [Compare Source](https://togithub.com/sfackler/rust-openssl/compare/openssl-v0.10.57...openssl-v0.10.58) #### What's Changed - LibreSSL 3.8.1 support by [`@​alex](https://togithub.com/alex)` in [sfackler/rust-openssl#2035 - Update vendored version to openssl 3 by [`@​amousset](https://togithub.com/amousset)` in [sfackler/rust-openssl#1925 - Test against 3.2.0-alpha1 by [`@​sfackler](https://togithub.com/sfackler)` in [sfackler/rust-openssl#2037 - Removed reference to non-existent method by [`@​alex](https://togithub.com/alex)` in [sfackler/rust-openssl#2039 - Bump CI to 1.1.1w by [`@​sfackler](https://togithub.com/sfackler)` in [sfackler/rust-openssl#2040 - \[openssl-sys] Add X509\_check\_{host,email,ip,ip_asc} fns by [`@​jgallagher](https://togithub.com/jgallagher)` in [sfackler/rust-openssl#2042 - Expose CBC mode for several more (bad) ciphers by [`@​alex](https://togithub.com/alex)` in [sfackler/rust-openssl#2045 - Expose two additional Pkey IDs by [`@​alex](https://togithub.com/alex)` in [sfackler/rust-openssl#2046 - Add support for CRL extensions and the Authority Information Access e… by [`@​AdmiralGT](https://togithub.com/AdmiralGT)` in [sfackler/rust-openssl#2003 - Fix clippy warnings produced by newer Rust by [`@​wiktor-k](https://togithub.com/wiktor-k)` in [sfackler/rust-openssl#2052 - Use osslconf on BoringSSL by [`@​alex](https://togithub.com/alex)` in [sfackler/rust-openssl#2056 - Make X509\_ALGOR opaque for LibreSSL by [`@​botovq](https://togithub.com/botovq)` in [sfackler/rust-openssl#2060 - Don't ignore ECDSA tests without GF2m support by [`@​botovq](https://togithub.com/botovq)` in [sfackler/rust-openssl#2061 - Clarify 'possible LibreSSL bug' by [`@​botovq](https://togithub.com/botovq)` in [sfackler/rust-openssl#2062 - Enable BN_mod_sqrt() for upcoming LibreSSL 3.8.2 by [`@​botovq](https://togithub.com/botovq)` in [sfackler/rust-openssl#2063 - Enable SHA-3 for LibreSSL 3.8.0 by [`@​botovq](https://togithub.com/botovq)` in [sfackler/rust-openssl#2064 - Remove DH_generate_parameters for LibreSSL 3.8.2 by [`@​botovq](https://togithub.com/botovq)` in [sfackler/rust-openssl#2065 - Use EVP_MD_CTX\_{new,free}() in LibreSSL 3.8.2 by [`@​botovq](https://togithub.com/botovq)` in [sfackler/rust-openssl#2067 - Enable HKDF support for LibreSSL >= 3.6.0 by [`@​botovq](https://togithub.com/botovq)` in [sfackler/rust-openssl#2066 - Two build script fixes for LibreSSL by [`@​botovq](https://togithub.com/botovq)` in [sfackler/rust-openssl#2068 - Respect OPENSSL_NO_OCB on AES functions by [`@​GuyLewin](https://togithub.com/GuyLewin)` in [sfackler/rust-openssl#2070 - Support OPENSSL_NO_SCRYPT by [`@​GuyLewin](https://togithub.com/GuyLewin)` in [sfackler/rust-openssl#2071 - Bump 3.2.0 beta by [`@​sfackler](https://togithub.com/sfackler)` in [sfackler/rust-openssl#2073 - add security level bindings by [`@​jmayclin](https://togithub.com/jmayclin)` in [sfackler/rust-openssl#2074 - Release openssl v0.10.58 and openssl-sys v0.9.94 by [`@​alex](https://togithub.com/alex)` in [sfackler/rust-openssl#2078 #### New Contributors - [`@​amousset](https://togithub.com/amousset)` made their first contribution in [sfackler/rust-openssl#1925 - [`@​jgallagher](https://togithub.com/jgallagher)` made their first contribution in [sfackler/rust-openssl#2042 - [`@​AdmiralGT](https://togithub.com/AdmiralGT)` made their first contribution in [sfackler/rust-openssl#2003 - [`@​botovq](https://togithub.com/botovq)` made their first contribution in [sfackler/rust-openssl#2060 - [`@​GuyLewin](https://togithub.com/GuyLewin)` made their first contribution in [sfackler/rust-openssl#2070 - [`@​jmayclin](https://togithub.com/jmayclin)` made their first contribution in [sfackler/rust-openssl#2074 **Full Changelog**: sfackler/rust-openssl@openssl-v0.10.57...openssl-v0.10.58 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/rust-lang/cargo). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy41OS44IiwidXBkYXRlZEluVmVyIjoiMzcuNTkuOCIsInRhcmdldEJyYW5jaCI6Im1hc3RlciJ9-->
Fixes #1645.