#tls #dtls #api-bindings #crypto

variant-ssl

Bindings for OpenSSL variants such as BoringSSL / AWS-LC / Tongsuo

35 releases (4 breaking)

new 0.15.7 Nov 16, 2024
0.15.5 Oct 16, 2024
0.14.10 Jul 22, 2024
0.14.2 Mar 20, 2024

#582 in Cryptography

Download history 1970/week @ 2024-07-30 2064/week @ 2024-08-06 3474/week @ 2024-08-13 3433/week @ 2024-08-20 2469/week @ 2024-08-27 4200/week @ 2024-09-03 2549/week @ 2024-09-10 3001/week @ 2024-09-17 2396/week @ 2024-09-24 2019/week @ 2024-10-01 5036/week @ 2024-10-08 2781/week @ 2024-10-15 2507/week @ 2024-10-22 1876/week @ 2024-10-29 2099/week @ 2024-11-05 8224/week @ 2024-11-12

14,809 downloads per month

Apache-2.0

1.5MB
37K SLoC

variant-ssl

Rust bindings for OpenSSL variants, such as BoringSSL / AWS-LC / Tongsuo, based on rust-openssl.

Documentation.

Release Support

The current supported release of variant-ssl is 0.15 and variant-ssl-sys is 0.15.

We will pull in changes from rust-openssl.

Contribution

Changes should be sent to rust-openssl first, and then we can pull them in after merged.

If rejected or ignored (e.g. Tongsuo / AWS-LC specific), you can submit PRs in this repo.

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed under the terms of both the Apache License, Version 2.0 and the MIT license without any additional terms or conditions.


lib.rs:

Bindings to OpenSSL

This crate provides a safe interface to the popular OpenSSL cryptography library. OpenSSL versions 1.0.1 through 3.x.x and LibreSSL versions 2.5 through 3.7.x are supported.

Building

Both OpenSSL libraries and headers are required to build this crate. There are multiple options available to locate OpenSSL.

Vendored

If the vendored Cargo feature is enabled, the openssl-src crate will be used to compile and statically link to a copy of OpenSSL. The build process requires a C compiler, perl (and perl-core), and make. The OpenSSL version will generally track the newest OpenSSL release, and changes to the version are not considered breaking changes.

[dependencies]
openssl = { version = "0.10", features = ["vendored"] }

The vendored copy will be configured to automatically find a configuration and root certificates at /usr/local/ssl. This path can be overridden with an environment variable (see the manual section below). Alternatively, the openssl-probe crate can be used to find root certificates at runtime.

Automatic

The openssl-sys crate will automatically detect OpenSSL installations via Homebrew on macOS and vcpkg on Windows. Additionally, it will use pkg-config on Unix-like systems to find the system installation.

$ brew install openssl@3

$ sudo port install openssl

$ sudo pkgin install openssl

$ sudo pacman -S pkgconf openssl

$ sudo apt-get install pkg-config libssl-dev

$ sudo dnf install pkgconf perl-FindBin perl-IPC-Cmd openssl-devel

$ apk add pkgconf openssl-dev

$ sudo zypper in libopenssl-devel

Manual

A set of environment variables can be used to point openssl-sys towards an OpenSSL installation. They will override the automatic detection logic.

  • OPENSSL_DIR - If specified, the directory of an OpenSSL installation. The directory should contain lib and include subdirectories containing the libraries and headers respectively.
  • OPENSSL_LIB_DIR and OPENSSL_INCLUDE_DIR - If specified, the directories containing the OpenSSL libraries and headers respectively. This can be used if the OpenSSL installation is split in a nonstandard directory layout.
  • OPENSSL_STATIC - If set, the crate will statically link to OpenSSL rather than dynamically link.
  • OPENSSL_LIBS - If set, a :-separated list of library names to link to (e.g. ssl:crypto). This can be used if nonstandard library names were used for whatever reason.
  • OPENSSL_NO_VENDOR - If set, always find OpenSSL in the system, even if the vendored feature is enabled.

If the vendored Cargo feature is enabled, the following environment variable can also be used to further configure the OpenSSL build.

  • OPENSSL_CONFIG_DIR - If set, the copy of OpenSSL built by the openssl-src crate will be configured to look for configuration files and root certificates in this directory.

Additionally, these variables can be prefixed with the upper-cased target architecture (e.g. X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR), which can be useful when cross compiling.

Feature Detection

APIs have been added to and removed from the various supported OpenSSL versions, and this library exposes the functionality available in the version being linked against. This means that methods, constants, and even modules will be present when building against one version of OpenSSL but not when building against another! APIs will document any version-specific availability restrictions.

A build script can be used to detect the OpenSSL or LibreSSL version at compile time if needed. The openssl-sys crate propagates the version via the DEP_OPENSSL_VERSION_NUMBER and DEP_OPENSSL_LIBRESSL_VERSION_NUMBER environment variables to build scripts. The version format is a hex-encoding of the OpenSSL release version: 0xMNNFFPPS. For example, version 1.0.2g's encoding is 0x1_00_02_07_0.

For example, let's say we want to adjust the TLSv1.3 cipher suites used by a client, but also want to compile against OpenSSL versions that don't support TLSv1.3:

Cargo.toml:

[dependencies]
openssl-sys = "0.9"
openssl = "0.10"

build.rs:

use std::env;

fn main() {
    if let Ok(v) = env::var("DEP_OPENSSL_VERSION_NUMBER") {
        let version = u64::from_str_radix(&v, 16).unwrap();

        if version >= 0x1_01_01_00_0 {
            println!("cargo:rustc-cfg=openssl111");
        }
    }
}

lib.rs:

use openssl::ssl::{SslConnector, SslMethod};

let mut ctx = SslConnector::builder(SslMethod::tls()).unwrap();

// set_ciphersuites was added in OpenSSL 1.1.1, so we can only call it when linking against that version
#[cfg(openssl111)]
ctx.set_ciphersuites("TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256").unwrap();

Dependencies

~0.3–11MB
~324K SLoC