Skip to content

Use X509_PURPOSE_get_id instead of struct access#2115

Merged
alex merged 2 commits intorust-openssl:masterfrom
davidben:x509-purpose-get-id
Dec 2, 2023
Merged

Use X509_PURPOSE_get_id instead of struct access#2115
alex merged 2 commits intorust-openssl:masterfrom
davidben:x509-purpose-get-id

Conversation

@davidben
Copy link
Copy Markdown
Contributor

@davidben davidben commented Dec 2, 2023

The accessor was added at the same version as the struct, so better to just use it. As with X509_PURPOSE_get_by_sname, it was const-corrected later on.

@davidben
Use X509_PURPOSE_get_id instead of struct access
25606f0 
The accessor was added at the same version as the struct, so better to
just use it. As with X509_PURPOSE_get_by_sname, it was const-corrected
later on.
alex
alex approved these changes Dec 2, 2023
View reviewed changes
Copy link
Copy Markdown
Collaborator

@alex alex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sfackler are there backwards compataibility issues with making teh struct opaque?

Otherwise the PR looks good to me.

@sfackler
Copy link
Copy Markdown
Collaborator

sfackler commented Dec 2, 2023

Yeah, we should really keep the struct definition as-is to preserve back compat. If you want, we could make it opaque for future open/boring/libre releases though.

@davidben
Copy link
Copy Markdown
Contributor Author

davidben commented Dec 2, 2023

We will never, ever support using the handwritten bindings with BoringSSL because of memory safety, so I can just put it back. Though you all really should rethink the stability expectations there.

@botovq
Copy link
Copy Markdown
Contributor

botovq commented Dec 2, 2023 via email

@davidben
Copy link
Copy Markdown
Contributor Author

davidben commented Dec 2, 2023

X509_PURPOSE_get0() returns a pointer to it (or worse application configured global mutable state if someone called X509_PURPOSE_add()), so X509PurposeRef::from_idx() exposes a pointer to global mutable state to Rust.

Oh, the entire X509PurposeRef API should be removed. It makes no sense in the first place. This is just the usual issue where binding APIs without thinking through use cases leads to problems.

The only thing one can do with X509_PURPOSE_get_by_sname is to then chain it with X509_PURPOSE_get0, followed by X509_PURPOSE_get_id, and then configure it on an X509_STORE. Not only that, short of X509_PURPOSE_add (which is globally not thread-safe, so it is impossible to expose in Rust safety), the only possible outputs of X509_PURPOSE_get_by_sname are the predefined constants anyway.

That means the only APIs here that made sense were the built-in X509PurposeId constants and set_purpose. Everything else was just a mistake and should be removed.

@davidben davidben mentioned this pull request Dec 2, 2023
Open
@davidben
Copy link
Copy Markdown
Contributor Author

davidben commented Dec 2, 2023

I plan on changing that in libre

BoringSSL will be doing that too. Note that, similar to #2113, it may run into a design flaw in foreign-types. From talking with @alex, it sounds like that crate uses exclusively mut pointers and doesn't honor const in C? This is, of course, a pretty serious safety issue.

I think I'll also just remove the APIs that X509PurposeRef relies on, since it's now clear rust-openssl's use is invalid.

@alex alex merged commit ea075d1 into rust-openssl:master Dec 2, 2023
@botovq botovq mentioned this pull request Jan 11, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alex alex alex approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@davidben @sfackler @botovq @alex