Honor OPENSSL_NO_OCB if OpenSSL was built this way

davidben · davidben · commit e476f9a08a40 · 2023-06-04T13:22:08.000-04:00
Setting ossl110 in the BoringSSL build (see #1944) causes rust-openssl to expect OCB support. However, OpenSSL already has a feature guard for OCB, which BoringSSL sets. rust-openssl just isn't honoring it. This fixes building against an OpenSSL built with ./config no-ocb
diff --git a/openssl-sys/build/expando.c b/openssl-sys/build/expando.c
@@ -75,6 +75,10 @@ RUST_CONF_OPENSSL_NO_NEXTPROTONEG
 RUST_CONF_OPENSSL_NO_OCSP
 #endif
 
+#ifdef OPENSSL_NO_OCB
+RUST_CONF_OPENSSL_NO_OCB
+#endif
+
 #ifdef OPENSSL_NO_PSK
 RUST_CONF_OPENSSL_NO_PSK
 #endif
diff --git a/openssl/src/symm.rs b/openssl/src/symm.rs
@@ -142,7 +142,7 @@ impl Cipher {
     }
 
     /// Requires OpenSSL 1.1.0 or newer.
-    #[cfg(ossl110)]
+    #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))]
     pub fn aes_128_ocb() -> Cipher {
         unsafe { Cipher(ffi::EVP_aes_128_ocb()) }
     }
@@ -187,7 +187,7 @@ impl Cipher {
     }
 
     /// Requires OpenSSL 1.1.0 or newer.
-    #[cfg(ossl110)]
+    #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))]
     pub fn aes_192_ocb() -> Cipher {
         unsafe { Cipher(ffi::EVP_aes_192_ocb()) }
     }
@@ -237,7 +237,7 @@ impl Cipher {
     }
 
     /// Requires OpenSSL 1.1.0 or newer.
-    #[cfg(ossl110)]
+    #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))]
     pub fn aes_256_ocb() -> Cipher {
         unsafe { Cipher(ffi::EVP_aes_256_ocb()) }
     }
@@ -402,14 +402,14 @@ impl Cipher {
     }
 
     /// Determines whether the cipher is using OCB mode
-    #[cfg(ossl110)]
+    #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))]
     fn is_ocb(self) -> bool {
         self == Cipher::aes_128_ocb()
             || self == Cipher::aes_192_ocb()
             || self == Cipher::aes_256_ocb()
     }
 
-    #[cfg(not(ossl110))]
+    #[cfg(any(not(ossl110), osslconf = "OPENSSL_NO_OCB"))]
     const fn is_ocb(self) -> bool {
         false
     }
@@ -1422,7 +1422,7 @@ mod tests {
     }
 
     #[test]
-    #[cfg(ossl110)]
+    #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))]
     fn test_aes_128_ocb() {
         let key = "000102030405060708090a0b0c0d0e0f";
         let aad = "0001020304050607";
@@ -1458,7 +1458,7 @@ mod tests {
     }
 
     #[test]
-    #[cfg(ossl110)]
+    #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))]
     fn test_aes_128_ocb_fail() {
         let key = "000102030405060708090a0b0c0d0e0f";
         let aad = "0001020304050607";

Original file line number	Diff line number	Diff line change
`@@ -142,7 +142,7 @@ impl Cipher {`
`142`	`142`	`}`
`143`	`143`
`144`	`144`	`/// Requires OpenSSL 1.1.0 or newer.`
`145`		`- #[cfg(ossl110)]`
	`145`	`+ #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))]`
`146`	`146`	`pub fn aes_128_ocb() -> Cipher {`
`147`	`147`	`unsafe { Cipher(ffi::EVP_aes_128_ocb()) }`
`148`	`148`	`}`
`@@ -187,7 +187,7 @@ impl Cipher {`
`187`	`187`	`}`
`188`	`188`
`189`	`189`	`/// Requires OpenSSL 1.1.0 or newer.`
`190`		`- #[cfg(ossl110)]`
	`190`	`+ #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))]`
`191`	`191`	`pub fn aes_192_ocb() -> Cipher {`
`192`	`192`	`unsafe { Cipher(ffi::EVP_aes_192_ocb()) }`
`193`	`193`	`}`
`@@ -237,7 +237,7 @@ impl Cipher {`
`237`	`237`	`}`
`238`	`238`
`239`	`239`	`/// Requires OpenSSL 1.1.0 or newer.`
`240`		`- #[cfg(ossl110)]`
	`240`	`+ #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))]`
`241`	`241`	`pub fn aes_256_ocb() -> Cipher {`
`242`	`242`	`unsafe { Cipher(ffi::EVP_aes_256_ocb()) }`
`243`	`243`	`}`
`@@ -402,14 +402,14 @@ impl Cipher {`
`402`	`402`	`}`
`403`	`403`
`404`	`404`	`/// Determines whether the cipher is using OCB mode`
`405`		`- #[cfg(ossl110)]`
	`405`	`+ #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))]`
`406`	`406`	`fn is_ocb(self) -> bool {`
`407`	`407`	`self == Cipher::aes_128_ocb()`
`408`	`408`	`\|\| self == Cipher::aes_192_ocb()`
`409`	`409`	`\|\| self == Cipher::aes_256_ocb()`
`410`	`410`	`}`
`411`	`411`
`412`		`- #[cfg(not(ossl110))]`
	`412`	`+ #[cfg(any(not(ossl110), osslconf = "OPENSSL_NO_OCB"))]`
`413`	`413`	`const fn is_ocb(self) -> bool {`
`414`	`414`	`false`
`415`	`415`	`}`
`@@ -1422,7 +1422,7 @@ mod tests {`
`1422`	`1422`	`}`
`1423`	`1423`
`1424`	`1424`	`#[test]`
`1425`		`- #[cfg(ossl110)]`
	`1425`	`+ #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))]`
`1426`	`1426`	`fn test_aes_128_ocb() {`
`1427`	`1427`	`let key = "000102030405060708090a0b0c0d0e0f";`
`1428`	`1428`	`let aad = "0001020304050607";`
`@@ -1458,7 +1458,7 @@ mod tests {`
`1458`	`1458`	`}`
`1459`	`1459`
`1460`	`1460`	`#[test]`
`1461`		`- #[cfg(ossl110)]`
	`1461`	`+ #[cfg(all(ossl110, not(osslconf = "OPENSSL_NO_OCB")))]`
`1462`	`1462`	`fn test_aes_128_ocb_fail() {`
`1463`	`1463`	`let key = "000102030405060708090a0b0c0d0e0f";`
`1464`	`1464`	`let aad = "0001020304050607";`