From 319029f2d4da9560fb117542137f69e1d6fba40a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20R=C3=BCth?= Date: Mon, 20 Nov 2023 20:36:55 +0100 Subject: [PATCH] Fix AES256 using wrong hash Add TLS 1.2 Move aead crypter to boring-additions crate --- Cargo.toml | 4 + Readme.md | 2 +- boring-additions/Cargo.toml | 18 +++ .../src/aead/mod.rs | 0 boring-additions/src/helper.rs | 29 ++++ boring-additions/src/lib.rs | 2 + boring-rustls-provider/Cargo.toml | 9 +- boring-rustls-provider/src/aead.rs | 142 ++++++++++++++---- boring-rustls-provider/src/aead/aes.rs | 20 ++- boring-rustls-provider/src/aead/chacha20.rs | 12 +- boring-rustls-provider/src/hash.rs | 1 + boring-rustls-provider/src/hkdf.rs | 7 + boring-rustls-provider/src/hmac.rs | 1 + boring-rustls-provider/src/lib.rs | 73 +++++++-- boring-rustls-provider/src/tls12.rs | 89 +++++++++++ boring-rustls-provider/src/tls13.rs | 8 +- boring-rustls-provider/src/verify.rs | 58 +++++++ 17 files changed, 424 insertions(+), 51 deletions(-) create mode 100644 boring-additions/Cargo.toml rename boring-rustls-provider/src/aead/aead2.rs => boring-additions/src/aead/mod.rs (100%) create mode 100644 boring-additions/src/helper.rs create mode 100644 boring-additions/src/lib.rs create mode 100644 boring-rustls-provider/src/tls12.rs diff --git a/Cargo.toml b/Cargo.toml index 4565544..78ca777 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,5 +1,7 @@ [workspace] members = [ + # things that should probably be in boring crate + "boring-additions", # the main library and tests "boring-rustls-provider", # tests and example code @@ -13,4 +15,6 @@ default-members = [ resolver = "2" [workspace.dependencies] +boring = { version = "4.0", default-features = false } +boring-sys = { version = "4.0", default-features = false } rustls = { version = "=0.22.0-alpha.4", default-features = false } diff --git a/Readme.md b/Readme.md index 8b34586..3b44f4f 100644 --- a/Readme.md +++ b/Readme.md @@ -13,7 +13,7 @@ Further, the rustls crypto provider API is still not stable it seems. This works Currently, supports only TLS 1.3: ``` AES_128_GCM_SHA256 -AES_256_GCM_SHA256 +AES_256_GCM_SHA384 CHACHA20_POLY1305_SHA256 ``` diff --git a/boring-additions/Cargo.toml b/boring-additions/Cargo.toml new file mode 100644 index 0000000..88d8c52 --- /dev/null +++ b/boring-additions/Cargo.toml @@ -0,0 +1,18 @@ +[package] +name = "boring-additions" +version = "0.0.1" +authors = ["Jan RĂ¼th "] +edition = "2021" +license = "MIT" +description = "Boring additions" +publish = false + +[dependencies] +aead = { version = "0.5", default_features = false, features = ["alloc"] } +boring = { workspace = true } +boring-sys = { workspace = true } +foreign-types = "0.5" + + + + diff --git a/boring-rustls-provider/src/aead/aead2.rs b/boring-additions/src/aead/mod.rs similarity index 100% rename from boring-rustls-provider/src/aead/aead2.rs rename to boring-additions/src/aead/mod.rs diff --git a/boring-additions/src/helper.rs b/boring-additions/src/helper.rs new file mode 100644 index 0000000..62255cc --- /dev/null +++ b/boring-additions/src/helper.rs @@ -0,0 +1,29 @@ +use std::os::raw::c_int; + +use boring::error::ErrorStack; + +/// Check the value returned from a BoringSSL ffi call +/// that returns a pointer. +/// +/// If the pointer is null, this method returns the BoringSSL +/// ErrorStack as Err, the pointer otherwise. +pub(crate) fn cvt_p(r: *mut T) -> Result<*mut T, ErrorStack> { + if r.is_null() { + Err(ErrorStack::get()) + } else { + Ok(r) + } +} + +/// Check the value returned from a BoringSSL ffi call that +/// returns a integer. +/// +/// Returns the BoringSSL Errorstack when the result is <= 0. +/// And forwards the return code otherwise +pub(crate) fn cvt(r: c_int) -> Result { + if r <= 0 { + Err(ErrorStack::get()) + } else { + Ok(r) + } +} diff --git a/boring-additions/src/lib.rs b/boring-additions/src/lib.rs new file mode 100644 index 0000000..c98fc88 --- /dev/null +++ b/boring-additions/src/lib.rs @@ -0,0 +1,2 @@ +pub mod aead; +pub(crate) mod helper; diff --git a/boring-rustls-provider/Cargo.toml b/boring-rustls-provider/Cargo.toml index 0bc5487..3f38b4f 100644 --- a/boring-rustls-provider/Cargo.toml +++ b/boring-rustls-provider/Cargo.toml @@ -8,16 +8,19 @@ description = "Boringssl rustls provider" publish = false [features] -default = [] +default = ["tls12"] # Use a FIPS-validated version of boringssl. #fips = ["boring/fips", "boring-sys/fips"] logging = ["log"] +fips-only = [] +tls12 = ["rustls/tls12"] [dependencies] aead = {version = "0.5", default_features = false, features = ["alloc"] } -boring = { version = "4.0", default-features = false } -boring-sys = { version = "4.0", default-features = false } +boring = { workspace = true } +boring-additions = { path = "../boring-additions" } +boring-sys = { workspace = true } foreign-types = "0.5" lazy_static = "1.4" log = { version = "0.4.4", optional = true } diff --git a/boring-rustls-provider/src/aead.rs b/boring-rustls-provider/src/aead.rs index 6605e23..7fa01c6 100644 --- a/boring-rustls-provider/src/aead.rs +++ b/boring-rustls-provider/src/aead.rs @@ -2,28 +2,37 @@ use std::marker::PhantomData; use aead::{AeadCore, AeadInPlace, Nonce, Tag}; use boring::error::ErrorStack; -use rustls::crypto::cipher::{self, make_tls13_aad, Iv}; +use boring_additions::aead::Algorithm; +use rustls::crypto::cipher::{self, make_tls12_aad, make_tls13_aad, Iv}; use rustls::{ConnectionTrafficSecrets, ContentType, ProtocolVersion}; use crate::helper::error_stack_to_aead_error; -use self::aead2::Algorithm; - -pub(crate) mod aead2; pub(crate) mod aes; pub(crate) mod chacha20; pub(crate) trait BoringCipher { + /// Constructs a new instance of this cipher as an AEAD algorithm fn new() -> Algorithm; + /// The key size in bytes fn key_size() -> usize; + /// The IV's fixed length (Not the full IV length, only the part that doesn't change). + /// Together with [`BoringCipher::explicit_nonce_len`] it determines the total + /// lengths of the used nonce. + fn fixed_iv_len() -> usize; + /// The lengths of the explicit nonce. (Not the full nonce length, only the part that changes) + /// See also [`BoringCipher::fixed_iv_len`] + fn explicit_nonce_len() -> usize; + /// Extract keys fn extract_keys(key: cipher::AeadKey, iv: cipher::Iv) -> ConnectionTrafficSecrets; } pub(crate) trait BoringAead: BoringCipher + AeadCore + Send + Sync {} pub(crate) struct BoringAeadCrypter { - crypter: aead2::Crypter, + crypter: boring_additions::aead::Crypter, iv: Iv, + tls_version: ProtocolVersion, phantom: PhantomData, } @@ -41,7 +50,14 @@ impl AeadCore for BoringAeadCrypter { } impl BoringAeadCrypter { - pub fn new(iv: Iv, key: &[u8]) -> Result { + pub fn new(iv: Iv, key: &[u8], tls_version: ProtocolVersion) -> Result { + assert!(match tls_version { + #[cfg(feature = "tls12")] + ProtocolVersion::TLSv1_2 => true, + ProtocolVersion::TLSv1_3 => true, + _ => false, + }); + let cipher = ::new(); assert_eq!( @@ -50,8 +66,9 @@ impl BoringAeadCrypter { ); let crypter = BoringAeadCrypter { - crypter: aead2::Crypter::new(cipher, key)?, + crypter: boring_additions::aead::Crypter::new(cipher, key)?, iv, + tls_version, phantom: PhantomData, }; Ok(crypter) @@ -104,17 +121,34 @@ where let nonce = cipher::Nonce::new(&self.iv, seq); - let aad = cipher::make_tls13_aad(total_len); - self.encrypt_in_place(Nonce::::from_slice(&nonce.0), &aad, &mut payload) - .map_err(|_| rustls::Error::EncryptError) - .map(|_| { - cipher::OpaqueMessage::new( - ContentType::ApplicationData, - ProtocolVersion::TLSv1_2, - payload, - ) - }) + match self.tls_version { + #[cfg(feature = "tls12")] + ProtocolVersion::TLSv1_2 => { + let aad = cipher::make_tls12_aad(seq, msg.typ, msg.version, total_len); + self.encrypt_in_place(Nonce::::from_slice(&nonce.0), &aad, &mut payload) + .map_err(|_| rustls::Error::EncryptError) + .map(|_| cipher::OpaqueMessage::new(msg.typ, msg.version, payload)) + } + ProtocolVersion::TLSv1_3 => { + let aad = cipher::make_tls13_aad(total_len); + self.encrypt_in_place(Nonce::::from_slice(&nonce.0), &aad, &mut payload) + .map_err(|_| rustls::Error::EncryptError) + .map(|_| { + cipher::OpaqueMessage::new( + ContentType::ApplicationData, + ProtocolVersion::TLSv1_2, + payload, + ) + }) + } + _ => unimplemented!(), + } } + + // Next version seems to add this + // fn encrypted_payload_len(&self, payload_len: usize) -> usize { + // payload_len + 1 + self.crypter.max_overhead() + // } } impl cipher::MessageDecrypter for BoringAeadCrypter @@ -126,18 +160,26 @@ where mut m: cipher::OpaqueMessage, seq: u64, ) -> Result { - let payload = m.payload_mut(); - // construct nonce let nonce = cipher::Nonce::new(&self.iv, seq); - // construct the aad - let aad = make_tls13_aad(payload.len()); - - // decrypt on clone to ensure this can be done in parallel - self.decrypt_in_place(Nonce::::from_slice(&nonce.0), &aad, payload) - .map_err(|_| rustls::Error::DecryptError) - .and_then(|_| m.into_tls13_unpadded_message()) + // construct the aad and decrypt + match self.tls_version { + #[cfg(feature = "tls12")] + ProtocolVersion::TLSv1_2 => { + let aad = make_tls12_aad(seq, m.typ, m.version, m.payload().len()); + self.decrypt_in_place(Nonce::::from_slice(&nonce.0), &aad, m.payload_mut()) + .map_err(|_| rustls::Error::DecryptError) + .map(|_| m.into_plain_message()) + } + ProtocolVersion::TLSv1_3 => { + let aad = make_tls13_aad(m.payload().len()); + self.decrypt_in_place(Nonce::::from_slice(&nonce.0), &aad, m.payload_mut()) + .map_err(|_| rustls::Error::DecryptError) + .and_then(|_| m.into_tls13_unpadded_message()) + } + _ => unimplemented!(), + } } } @@ -153,13 +195,15 @@ impl Aead { impl cipher::Tls13AeadAlgorithm for Aead { fn encrypter(&self, key: cipher::AeadKey, iv: cipher::Iv) -> Box { Box::new( - BoringAeadCrypter::::new(iv, key.as_ref()).expect("failed to create AEAD crypter"), + BoringAeadCrypter::::new(iv, key.as_ref(), ProtocolVersion::TLSv1_3) + .expect("failed to create AEAD crypter"), ) } fn decrypter(&self, key: cipher::AeadKey, iv: cipher::Iv) -> Box { Box::new( - BoringAeadCrypter::::new(iv, key.as_ref()).expect("failed to create AEAD crypter"), + BoringAeadCrypter::::new(iv, key.as_ref(), ProtocolVersion::TLSv1_3) + .expect("failed to create AEAD crypter"), ) } @@ -175,3 +219,45 @@ impl cipher::Tls13AeadAlgorithm for Aead { Ok(::extract_keys(key, iv)) } } + +#[cfg(feature = "tls12")] +impl cipher::Tls12AeadAlgorithm for Aead { + fn encrypter( + &self, + key: cipher::AeadKey, + iv: &[u8], + _extra: &[u8], + ) -> Box { + Box::new( + BoringAeadCrypter::::new(Iv::copy(iv), key.as_ref(), ProtocolVersion::TLSv1_2) + .expect("failed to create AEAD crypter"), + ) + } + + fn decrypter(&self, key: cipher::AeadKey, iv: &[u8]) -> Box { + Box::new( + BoringAeadCrypter::::new(Iv::copy(iv), key.as_ref(), ProtocolVersion::TLSv1_2) + .expect("failed to create AEAD crypter"), + ) + } + + fn key_block_shape(&self) -> cipher::KeyBlockShape { + cipher::KeyBlockShape { + enc_key_len: ::key_size(), + // there is no benefit of splitting these up here, we'd need to stich them anyways + // by only setting fixed_iv_len we get the full lengths + fixed_iv_len: ::fixed_iv_len() + + ::explicit_nonce_len(), + explicit_nonce_len: 0, + } + } + + fn extract_keys( + &self, + key: cipher::AeadKey, + iv: &[u8], + _explicit: &[u8], + ) -> Result { + Ok(::extract_keys(key, Iv::copy(iv))) + } +} diff --git a/boring-rustls-provider/src/aead/aes.rs b/boring-rustls-provider/src/aead/aes.rs index ea3acf4..5a5239b 100644 --- a/boring-rustls-provider/src/aead/aes.rs +++ b/boring-rustls-provider/src/aead/aes.rs @@ -1,8 +1,8 @@ +use super::{BoringAead, BoringCipher}; use aead::consts::{U12, U16}; +use boring_additions::aead::Algorithm; use rustls::{crypto::cipher, ConnectionTrafficSecrets}; -use super::{aead2::Algorithm, BoringAead, BoringCipher}; - pub struct Aes128 {} impl BoringAead for Aes128 {} @@ -21,6 +21,14 @@ impl BoringCipher for Aes128 { fn extract_keys(key: cipher::AeadKey, iv: cipher::Iv) -> ConnectionTrafficSecrets { ConnectionTrafficSecrets::Aes128Gcm { key, iv } } + + fn fixed_iv_len() -> usize { + 4 + } + + fn explicit_nonce_len() -> usize { + 8 + } } impl aead::AeadCore for Aes128 { @@ -47,6 +55,14 @@ impl BoringCipher for Aes256 { fn extract_keys(key: cipher::AeadKey, iv: cipher::Iv) -> ConnectionTrafficSecrets { ConnectionTrafficSecrets::Aes256Gcm { key, iv } } + + fn fixed_iv_len() -> usize { + 4 + } + + fn explicit_nonce_len() -> usize { + 8 + } } impl aead::AeadCore for Aes256 { diff --git a/boring-rustls-provider/src/aead/chacha20.rs b/boring-rustls-provider/src/aead/chacha20.rs index efc3cd7..b3f1395 100644 --- a/boring-rustls-provider/src/aead/chacha20.rs +++ b/boring-rustls-provider/src/aead/chacha20.rs @@ -1,11 +1,11 @@ +use super::{BoringAead, BoringCipher}; use aead::{ consts::{U12, U16}, AeadCore, }; +use boring_additions::aead::Algorithm; use rustls::{crypto::cipher, ConnectionTrafficSecrets}; -use super::{aead2::Algorithm, BoringAead, BoringCipher}; - pub struct ChaCha20Poly1305 {} impl BoringAead for ChaCha20Poly1305 {} @@ -24,6 +24,14 @@ impl BoringCipher for ChaCha20Poly1305 { fn extract_keys(key: cipher::AeadKey, iv: cipher::Iv) -> ConnectionTrafficSecrets { ConnectionTrafficSecrets::Chacha20Poly1305 { key, iv } } + + fn fixed_iv_len() -> usize { + 4 + } + + fn explicit_nonce_len() -> usize { + 8 + } } impl AeadCore for ChaCha20Poly1305 { diff --git a/boring-rustls-provider/src/hash.rs b/boring-rustls-provider/src/hash.rs index fefaab0..825e9f2 100644 --- a/boring-rustls-provider/src/hash.rs +++ b/boring-rustls-provider/src/hash.rs @@ -1,6 +1,7 @@ use rustls::crypto::hash; pub const SHA256: &dyn hash::Hash = &Hash(boring::nid::Nid::SHA256); +pub const SHA384: &dyn hash::Hash = &Hash(boring::nid::Nid::SHA384); pub struct Hash(pub boring::nid::Nid); diff --git a/boring-rustls-provider/src/hkdf.rs b/boring-rustls-provider/src/hkdf.rs index 3654438..b00c27c 100644 --- a/boring-rustls-provider/src/hkdf.rs +++ b/boring-rustls-provider/src/hkdf.rs @@ -15,6 +15,13 @@ impl BoringHash for Sha256 { } } +pub struct Sha384(); +impl BoringHash for Sha384 { + fn new() -> boring::hash::MessageDigest { + boring::hash::MessageDigest::sha384() + } +} + pub struct Hkdf(PhantomData); impl Hkdf { diff --git a/boring-rustls-provider/src/hmac.rs b/boring-rustls-provider/src/hmac.rs index 2ac8652..e52d13f 100644 --- a/boring-rustls-provider/src/hmac.rs +++ b/boring-rustls-provider/src/hmac.rs @@ -7,6 +7,7 @@ use crate::helper::{cvt, cvt_p}; #[allow(unused)] pub const SHA256: &dyn crypto::hmac::Hmac = &BoringHmac(boring::nid::Nid::SHA256); +pub const SHA384: &dyn crypto::hmac::Hmac = &BoringHmac(boring::nid::Nid::SHA384); pub struct BoringHmac(pub boring::nid::Nid); diff --git a/boring-rustls-provider/src/lib.rs b/boring-rustls-provider/src/lib.rs index b3c0e27..91a60c1 100644 --- a/boring-rustls-provider/src/lib.rs +++ b/boring-rustls-provider/src/lib.rs @@ -13,6 +13,8 @@ mod hkdf; mod hmac; mod kx; mod sign; +#[cfg(feature = "tls12")] +mod tls12; mod tls13; mod verify; @@ -27,17 +29,23 @@ impl CryptoProvider for Provider { } fn default_cipher_suites(&self) -> &'static [SupportedCipherSuite] { - if boring::fips::enabled() { - ALL_FIPS_SUITES - } else { + #[cfg(feature = "fips-only")] + { + ALL_FIPS_CIPHER_SUITES + } + #[cfg(not(feature = "fips-only"))] + { ALL_CIPHER_SUITES } } fn default_kx_groups(&self) -> &'static [&'static dyn SupportedKxGroup] { - if boring::fips::enabled() { + #[cfg(feature = "fips-only")] + { ALL_FIPS_KX_GROUPS - } else { + } + #[cfg(not(feature = "fips-only"))] + { ALL_KX_GROUPS } } @@ -52,22 +60,65 @@ impl CryptoProvider for Provider { } fn signature_verification_algorithms(&self) -> rustls::WebPkiSupportedAlgorithms { - verify::ALL_ALGORITHMS + #[cfg(feature = "fips-only")] + { + verify::ALL_FIPS_ALGORITHMS + } + #[cfg(not(feature = "fips-only"))] + { + verify::ALL_ALGORITHMS + } } } -static ALL_FIPS_SUITES: &[SupportedCipherSuite] = &[ +#[allow(unused)] +static ALL_FIPS_CIPHER_SUITES: &[SupportedCipherSuite] = &[ + SupportedCipherSuite::Tls13(&tls13::AES_256_GCM_SHA384), SupportedCipherSuite::Tls13(&tls13::AES_128_GCM_SHA256), - SupportedCipherSuite::Tls13(&tls13::AES_256_GCM_SHA256), + #[cfg(feature = "tls12")] + SupportedCipherSuite::Tls12(&tls12::ECDHE_ECDSA_AES256_GCM_SHA384), + #[cfg(feature = "tls12")] + SupportedCipherSuite::Tls12(&tls12::ECDHE_RSA_AES256_GCM_SHA384), + #[cfg(feature = "tls12")] + SupportedCipherSuite::Tls12(&tls12::ECDHE_ECDSA_AES128_GCM_SHA256), + #[cfg(feature = "tls12")] + SupportedCipherSuite::Tls12(&tls12::ECDHE_RSA_AES128_GCM_SHA256), ]; +#[allow(unused)] static ALL_CIPHER_SUITES: &[SupportedCipherSuite] = &[ - SupportedCipherSuite::Tls13(&tls13::AES_128_GCM_SHA256), - SupportedCipherSuite::Tls13(&tls13::AES_256_GCM_SHA256), SupportedCipherSuite::Tls13(&tls13::CHACHA20_POLY1305_SHA256), + SupportedCipherSuite::Tls13(&tls13::AES_256_GCM_SHA384), + SupportedCipherSuite::Tls13(&tls13::AES_128_GCM_SHA256), + #[cfg(feature = "tls12")] + SupportedCipherSuite::Tls12(&tls12::ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256), + #[cfg(feature = "tls12")] + SupportedCipherSuite::Tls12(&tls12::ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256), + #[cfg(feature = "tls12")] + SupportedCipherSuite::Tls12(&tls12::ECDHE_ECDSA_AES256_GCM_SHA384), + #[cfg(feature = "tls12")] + SupportedCipherSuite::Tls12(&tls12::ECDHE_RSA_AES256_GCM_SHA384), + #[cfg(feature = "tls12")] + SupportedCipherSuite::Tls12(&tls12::ECDHE_ECDSA_AES128_GCM_SHA256), + #[cfg(feature = "tls12")] + SupportedCipherSuite::Tls12(&tls12::ECDHE_RSA_AES128_GCM_SHA256), ]; -pub const ALL_FIPS_KX_GROUPS: &[&dyn SupportedKxGroup] = &[]; +/// Allowed KX curves for FIPS are recommended +/// in [NIST SP 800-186](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf) +/// +/// See Sec. 3.1.2 Table 2 +/// Ordered in decending order of security strength +#[allow(unused)] +pub const ALL_FIPS_KX_GROUPS: &[&dyn SupportedKxGroup] = &[ + &kx::Secp521r1 as _, // P-521 in FIPS lingo + &kx::X448 as _, // Curve448 in FIPS lingo + &kx::Secp384r1 as _, // P-384 in FIPS lingo + &kx::X25519 as _, // Curve25519 in FIPS lingo + &kx::Secp256r1 as _, // P-256 in FIPS lingo +]; + +#[allow(unused)] pub const ALL_KX_GROUPS: &[&dyn SupportedKxGroup] = &[ &kx::X25519 as _, &kx::X448 as _, diff --git a/boring-rustls-provider/src/tls12.rs b/boring-rustls-provider/src/tls12.rs new file mode 100644 index 0000000..4e35a6c --- /dev/null +++ b/boring-rustls-provider/src/tls12.rs @@ -0,0 +1,89 @@ +use rustls::{crypto, SignatureScheme, Tls12CipherSuite}; + +use crate::{aead, hash, hmac}; + +static ALL_ECDSA_SCHEMES: &[SignatureScheme] = &[ + SignatureScheme::ECDSA_NISTP256_SHA256, + SignatureScheme::ECDSA_NISTP384_SHA384, + SignatureScheme::ECDSA_NISTP521_SHA512, + SignatureScheme::ED25519, + SignatureScheme::ED448, +]; + +static ALL_RSA_SCHEMES: &[SignatureScheme] = &[ + SignatureScheme::RSA_PKCS1_SHA256, + SignatureScheme::RSA_PKCS1_SHA384, + SignatureScheme::RSA_PKCS1_SHA512, + SignatureScheme::RSA_PSS_SHA256, + SignatureScheme::RSA_PSS_SHA384, + SignatureScheme::RSA_PSS_SHA512, +]; + +const PRF_SHA256: crypto::tls12::PrfUsingHmac<'_> = crypto::tls12::PrfUsingHmac(hmac::SHA256); +const PRF_SHA384: crypto::tls12::PrfUsingHmac<'_> = crypto::tls12::PrfUsingHmac(hmac::SHA384); + +pub static ECDHE_ECDSA_AES128_GCM_SHA256: Tls12CipherSuite = Tls12CipherSuite { + common: rustls::CipherSuiteCommon { + suite: rustls::CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + hash_provider: hash::SHA256, + }, + aead_alg: &aead::Aead::::DEFAULT, + prf_provider: &PRF_SHA256, + kx: crypto::KeyExchangeAlgorithm::ECDHE, + sign: ALL_ECDSA_SCHEMES, +}; + +pub static ECDHE_RSA_AES128_GCM_SHA256: Tls12CipherSuite = Tls12CipherSuite { + common: rustls::CipherSuiteCommon { + suite: rustls::CipherSuite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + hash_provider: hash::SHA256, + }, + aead_alg: &aead::Aead::::DEFAULT, + prf_provider: &PRF_SHA256, + kx: crypto::KeyExchangeAlgorithm::ECDHE, + sign: ALL_RSA_SCHEMES, +}; + +pub static ECDHE_ECDSA_AES256_GCM_SHA384: Tls12CipherSuite = Tls12CipherSuite { + common: rustls::CipherSuiteCommon { + suite: rustls::CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + hash_provider: hash::SHA384, + }, + aead_alg: &aead::Aead::::DEFAULT, + prf_provider: &PRF_SHA384, + kx: crypto::KeyExchangeAlgorithm::ECDHE, + sign: ALL_ECDSA_SCHEMES, +}; + +pub static ECDHE_RSA_AES256_GCM_SHA384: Tls12CipherSuite = Tls12CipherSuite { + common: rustls::CipherSuiteCommon { + suite: rustls::CipherSuite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + hash_provider: hash::SHA384, + }, + aead_alg: &aead::Aead::::DEFAULT, + prf_provider: &PRF_SHA384, + kx: crypto::KeyExchangeAlgorithm::ECDHE, + sign: ALL_RSA_SCHEMES, +}; + +pub static ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: Tls12CipherSuite = Tls12CipherSuite { + common: rustls::CipherSuiteCommon { + suite: rustls::CipherSuite::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + hash_provider: hash::SHA256, + }, + aead_alg: &aead::Aead::::DEFAULT, + prf_provider: &PRF_SHA256, + kx: crypto::KeyExchangeAlgorithm::ECDHE, + sign: ALL_ECDSA_SCHEMES, +}; + +pub static ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: Tls12CipherSuite = Tls12CipherSuite { + common: rustls::CipherSuiteCommon { + suite: rustls::CipherSuite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + hash_provider: hash::SHA256, + }, + aead_alg: &aead::Aead::::DEFAULT, + prf_provider: &PRF_SHA256, + kx: crypto::KeyExchangeAlgorithm::ECDHE, + sign: ALL_RSA_SCHEMES, +}; diff --git a/boring-rustls-provider/src/tls13.rs b/boring-rustls-provider/src/tls13.rs index 0d106b0..691d4c6 100644 --- a/boring-rustls-provider/src/tls13.rs +++ b/boring-rustls-provider/src/tls13.rs @@ -11,12 +11,12 @@ pub static AES_128_GCM_SHA256: Tls13CipherSuite = Tls13CipherSuite { aead_alg: &aead::Aead::::DEFAULT, }; -pub static AES_256_GCM_SHA256: Tls13CipherSuite = Tls13CipherSuite { +pub static AES_256_GCM_SHA384: Tls13CipherSuite = Tls13CipherSuite { common: rustls::CipherSuiteCommon { - suite: rustls::CipherSuite::TLS13_AES_128_GCM_SHA256, - hash_provider: hash::SHA256, + suite: rustls::CipherSuite::TLS13_AES_256_GCM_SHA384, + hash_provider: hash::SHA384, }, - hkdf_provider: &hkdf::Hkdf::::DEFAULT, + hkdf_provider: &hkdf::Hkdf::::DEFAULT, aead_alg: &aead::Aead::::DEFAULT, }; diff --git a/boring-rustls-provider/src/verify.rs b/boring-rustls-provider/src/verify.rs index 872d0f6..4b6107a 100644 --- a/boring-rustls-provider/src/verify.rs +++ b/boring-rustls-provider/src/verify.rs @@ -4,6 +4,7 @@ pub(crate) mod ec; mod ed; pub(crate) mod rsa; +#[allow(unused)] pub static ALL_ALGORITHMS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms { all: &[ &rsa::BoringRsaVerifier::RSA_PKCS1_SHA256, @@ -59,3 +60,60 @@ pub static ALL_ALGORITHMS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms (SignatureScheme::ED448, &[&ed::BoringEdVerifier::ED448]), ], }; + +#[allow(unused)] +pub static ALL_FIPS_ALGORITHMS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms { + all: &[ + &rsa::BoringRsaVerifier::RSA_PKCS1_SHA256, + &rsa::BoringRsaVerifier::RSA_PKCS1_SHA384, + &rsa::BoringRsaVerifier::RSA_PKCS1_SHA512, + &rsa::BoringRsaVerifier::RSA_PSS_SHA256, + &rsa::BoringRsaVerifier::RSA_PSS_SHA384, + &rsa::BoringRsaVerifier::RSA_PSS_SHA512, + &ec::BoringEcVerifier::ECDSA_NISTP256_SHA256, + &ec::BoringEcVerifier::ECDSA_NISTP384_SHA384, + &ec::BoringEcVerifier::ECDSA_NISTP521_SHA512, + //&ed::BoringEdVerifier::ED25519, // FIPS 186-5: requires SHA512 but boring doesn't want us to set a digest, correct? + //&ed::BoringEdVerifier::ED448, // FIPS 186-5: requires SHAKE256 but boring doesn't want us to set a digest, correct? + ], + mapping: &[ + ( + SignatureScheme::RSA_PKCS1_SHA256, + &[&rsa::BoringRsaVerifier::RSA_PKCS1_SHA256], + ), + ( + SignatureScheme::RSA_PKCS1_SHA384, + &[&rsa::BoringRsaVerifier::RSA_PKCS1_SHA384], + ), + ( + SignatureScheme::RSA_PKCS1_SHA512, + &[&rsa::BoringRsaVerifier::RSA_PKCS1_SHA512], + ), + ( + SignatureScheme::RSA_PSS_SHA256, + &[&rsa::BoringRsaVerifier::RSA_PSS_SHA256], + ), + ( + SignatureScheme::RSA_PSS_SHA384, + &[&rsa::BoringRsaVerifier::RSA_PSS_SHA384], + ), + ( + SignatureScheme::RSA_PSS_SHA512, + &[&rsa::BoringRsaVerifier::RSA_PSS_SHA512], + ), + ( + SignatureScheme::ECDSA_NISTP256_SHA256, + &[&ec::BoringEcVerifier::ECDSA_NISTP256_SHA256], + ), + ( + SignatureScheme::ECDSA_NISTP384_SHA384, + &[&ec::BoringEcVerifier::ECDSA_NISTP384_SHA384], + ), + ( + SignatureScheme::ECDSA_NISTP521_SHA512, + &[&ec::BoringEcVerifier::ECDSA_NISTP521_SHA512], + ), + // (SignatureScheme::ED25519, &[&ed::BoringEdVerifier::ED25519]), + // (SignatureScheme::ED448, &[&ed::BoringEdVerifier::ED448]), + ], +};