Add build-time OpenSSL version checks #418

Merged
merged 1 commit into from
Feb 12, 2024


micolous
Collaborator

@micolous micolous commented Feb 12, 2024

The webauthn-rs OpenSSL policy is currently only "enforced" for webauthn-authenticator-rs.

This PR adds OpenSSL version number checks to attestation-ca and webauthn-rs-core using OPENSSL_VERSION_NUMBER. Every other package in this repo with an OpenSSL dependency depends on one of these two packages, so can be handled transitively.

This will make builds fail with OpenSSL v1.x, in line with our OpenSSL policy.

OpenSSL alternatives

We don't currently support OpenSSL alternatives, but I've attempted to avoid breaking them with this PR:

I haven't tested with either.

What failures look like

When building with outdated OpenSSL, this PR now makes it so you get a build-time error:

error: failed to run custom build command for `webauthn-attestation-ca v0.1.0`

Caused by:
  process didn't exit successfully: `/target/debug/build/webauthn-attestation-ca-2944cc0bf508a0c6/build-script-build` (exit status: 101)
  --- stdout

  Your version of OpenSSL is out of date, and not supported by this library.

  Please upgrade to OpenSSL v3.0.0 or later.

  More info: https://github.com/kanidm/webauthn-rs/blob/master/OpenSSL.md
  OpenSSL version string: OpenSSL x.x.x 29 Feb 1985


  --- stderr
  thread 'main' panicked at attestation-ca/build.rs:18:9:
  The installed version of OpenSSL is unusable.
  note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
warning: build failed, waiting for other jobs to finish...

  • cargo test has been run and passes
  • documentation has been updated with relevant examples (if relevant)
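An added example, not code from this PR or the webauthn-rs repository: a build-script-style check that decodes an `OPENSSL_VERSION_NUMBER` value and rejects anything older than OpenSSL 3.0.0. It assumes the value arrives as a hex string in `DEP_OPENSSL_VERSION_NUMBER`, as it does for build scripts of crates that depend directly on `openssl-sys`; the function names and the fallback sample value are constructed for illustration.

```rust
// Added example (not the PR's build.rs): gate a build on OPENSSL_VERSION_NUMBER.
use std::env;

/// OpenSSL 3.0.0 encodes as 0x30000000; anything lower is a 1.x (or older) build.
const MIN_VERSION_NUMBER: u64 = 0x3000_0000;

/// Parse the hex form of OPENSSL_VERSION_NUMBER, tolerating "0x" and a C "L" suffix.
fn parse_version_number(raw: &str) -> Result<u64, String> {
    let s = raw.trim().trim_end_matches(|c: char| c == 'L' || c == 'l');
    let s = s.trim_start_matches("0x");
    u64::from_str_radix(s, 16).map_err(|e| format!("bad version number {:?}: {}", raw, e))
}

/// Decode (major, minor, patch). The 3.x layout is 0xMNN00PP0; 1.x is 0xMNNFFPPS,
/// where FF is the third numeric component (the last "1" in 1.1.1w).
fn decode(n: u64) -> (u64, u64, u64) {
    let major = (n >> 28) & 0xf;
    let minor = (n >> 20) & 0xff;
    let third = if major >= 3 { (n >> 4) & 0xff } else { (n >> 12) & 0xff };
    (major, minor, third)
}

/// Ok with the decoded version when it is 3.0.0 or later, Err with a message otherwise.
fn check_openssl(raw: &str) -> Result<(u64, u64, u64), String> {
    let n = parse_version_number(raw)?;
    let (major, minor, patch) = decode(n);
    if n < MIN_VERSION_NUMBER {
        return Err(format!(
            "OpenSSL {}.{}.{} is out of date; upgrade to OpenSSL v3.0.0 or later",
            major, minor, patch
        ));
    }
    Ok((major, minor, patch))
}

fn main() {
    // Assumption: set by Cargo for direct dependents of openssl-sys.
    // The fallback is a constructed sample (3.0.2) so this runs stand-alone.
    let raw = env::var("DEP_OPENSSL_VERSION_NUMBER").unwrap_or_else(|_| "30000020".to_string());
    match check_openssl(&raw) {
        Ok((a, b, c)) => println!("OpenSSL {}.{}.{} accepted", a, b, c),
        // A panic makes the build script exit with status 101, which fails the build.
        Err(msg) => panic!("{}", msg),
    }
}
```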

@micolous micolous force-pushed the ossl-explicit-version-check branch from b3866da to c089ab8 Compare February 12, 2024 01:49
@micolous micolous force-pushed the ossl-explicit-version-check branch from c089ab8 to 0c9e080 Compare February 12, 2024 03:11
@micolous micolous changed the title Add build-time version OpenSSL checks to attestation-ca and webauthn-rs-core Add build-time OpenSSL version checks Feb 12, 2024
@micolous micolous marked this pull request as ready for review February 12, 2024 04:01
@yaleman yaleman merged commit f6451de into kanidm:master Feb 12, 2024
32 of 33 checks passed
arthurgleckler pushed a commit to arthurgleckler/webauthn-rs that referenced this pull request Apr 4, 2024