diff --git a/Cargo.toml b/Cargo.toml index 5bda8df..72a4b52 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -2,10 +2,10 @@ members = [ # things that should probably be in boring crate "boring-additions", - # things that should probably be in boring-sys crate - "boring-sys-additions", # the main library and tests "boring-rustls-provider", + # things that should probably be in boring-sys crate + "boring-sys-additions", # tests and example code "examples", ] @@ -22,6 +22,6 @@ boring-sys = { version = "4", default-features = false } rustls = { version = "0.23", default-features = false } rustls-pemfile = { version = "2" } rustls-pki-types = { version = "1" } -tokio-rustls = { version = "0.26", default-features = false } -webpki = { package = "rustls-webpki", version = "0.102", default-features = false } -webpki-roots = { version = "0.26" } +tokio-rustls = { version = "0.26", default-features = false } +webpki = { package = "rustls-webpki", version = "0.103", default-features = false } +webpki-roots = { version = "1.0" } diff --git a/boring-additions/Cargo.toml b/boring-additions/Cargo.toml index ef0d341..388984f 100644 --- a/boring-additions/Cargo.toml +++ b/boring-additions/Cargo.toml @@ -8,7 +8,6 @@ description = "Boring additions" publish = false [dependencies] -aead = { version = "0.5", default_features = false, features = ["alloc"] } boring = { workspace = true } boring-sys = { workspace = true } foreign-types = "0.5" diff --git a/boring-rustls-provider/Cargo.toml b/boring-rustls-provider/Cargo.toml index 8b60daf..8a02f51 100644 --- a/boring-rustls-provider/Cargo.toml +++ b/boring-rustls-provider/Cargo.toml 
@@ -16,22 +16,19 @@ fips-only = ["boring/fips", "boring-sys/fips"] tls12 = ["rustls/tls12"] [dependencies] -aead = {version = "0.5", default_features = false, features = ["alloc"] } +aead = {version = "0.5", default-features = false, features = ["alloc"] } boring = { workspace = true } boring-additions = { path = "../boring-additions" } boring-sys = { workspace = true } boring-sys-additions = { path = "../boring-sys-additions" } foreign-types = "0.5" -lazy_static = "1.4" log = { version = "0.4.4", optional = true } -once_cell = "1" rustls = { workspace = true } rustls-pki-types = { workspace = true } spki = "0.7" -webpki = { workspace = true, features = ["alloc", "std"] } [dev-dependencies] -hex-literal = "0.4" -rcgen = "0.11.3" +hex-literal = "1" +rcgen = "0.12" tokio = { version = "1.34", features = ["macros", "rt", "net", "io-util", "io-std"] } tokio-rustls = { workspace = true } diff --git a/boring-rustls-provider/src/kx.rs b/boring-rustls-provider/src/kx.rs index 8ec7276..0796b69 100644 --- a/boring-rustls-provider/src/kx.rs +++ b/boring-rustls-provider/src/kx.rs @@ -16,7 +16,7 @@ enum DhKeyType { pub struct X25519; impl crypto::SupportedKxGroup for X25519 { - fn start(&self) -> Result, rustls::Error> { + fn start(&self) -> Result, rustls::Error> { Ok(Box::new(ex::KeyExchange::with_x25519().map_err(|e| { log_and_map("X25519.start", e, crypto::GetRandomFailed) })?)) @@ -32,7 +32,7 @@ impl crypto::SupportedKxGroup for X25519 { pub struct X448; impl crypto::SupportedKxGroup for X448 { - fn start(&self) -> Result, rustls::Error> { + fn start(&self) -> Result, rustls::Error> { Ok(Box::new(ex::KeyExchange::with_x448().map_err(|e| { log_and_map("X448.start", e, crypto::GetRandomFailed) })?)) 
@@ -48,7 +48,7 @@ impl crypto::SupportedKxGroup for X448 { pub struct Secp256r1; impl crypto::SupportedKxGroup for Secp256r1 { - fn start(&self) -> Result, rustls::Error> { + fn start(&self) -> Result, rustls::Error> { Ok(Box::new(ex::KeyExchange::with_secp256r1().map_err( |e| log_and_map("Secp256r1.start", e, crypto::GetRandomFailed), )?)) @@ -64,7 +64,7 @@ impl crypto::SupportedKxGroup for Secp256r1 { pub struct Secp384r1; impl crypto::SupportedKxGroup for Secp384r1 { - fn start(&self) -> Result, rustls::Error> { + fn start(&self) -> Result, rustls::Error> { Ok(Box::new(ex::KeyExchange::with_secp384r1().map_err( |e| log_and_map("Secp384r1.start", e, crypto::GetRandomFailed), )?)) @@ -80,7 +80,7 @@ impl crypto::SupportedKxGroup for Secp384r1 { pub struct Secp521r1; impl crypto::SupportedKxGroup for Secp521r1 { - fn start(&self) -> Result, rustls::Error> { + fn start(&self) -> Result, rustls::Error> { Ok(Box::new(ex::KeyExchange::with_secp521r1().map_err( |e| log_and_map("Secp521r1.start", e, crypto::GetRandomFailed), )?)) @@ -96,7 +96,7 @@ impl crypto::SupportedKxGroup for Secp521r1 { pub struct FfDHe2048; impl crypto::SupportedKxGroup for FfDHe2048 { - fn start(&self) -> Result, rustls::Error> { + fn start(&self) -> Result, rustls::Error> { Ok(Box::new(dh::KeyExchange::generate_ffdhe_2048().map_err( |e| log_and_map("FfDHe2048.start", e, crypto::GetRandomFailed), )?)) diff --git a/boring-rustls-provider/src/kx/dh.rs b/boring-rustls-provider/src/kx/dh.rs index b004e5b..8e7839d 100644 --- a/boring-rustls-provider/src/kx/dh.rs +++ b/boring-rustls-provider/src/kx/dh.rs @@ -31,7 +31,7 @@ impl KeyExchange { let pubkey = boring_sys::DH_get0_pub_key(me.dh.as_ptr()); // figure out how many bytes we need, round up to the next full byte - let size = (boring_sys::BN_num_bits(pubkey) as usize + 7) / 8; + let size = (boring_sys::BN_num_bits(pubkey) as usize).div_ceil(8); // alloc a vector with enough capacity let mut v = Vec::with_capacity(size); 
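Review bot: `pubkey` is passed to `boring_sys::BN_num_bits` in the kx/dh.rs hunk without a visible null check, and `DH_get0_pub_key` returns NULL when no public key has been set on the `DH` object. If key generation earlier in this function guarantees a key, state that next to the call, e.g. `// SAFETY: the key pair was generated above, so DH_get0_pub_key is non-null`; otherwise return an error when `pubkey.is_null()`. The function starts and ends outside the hunk, so the guarantee may already be established there. Separately, `usize::div_ceil` needs Rust 1.73 or later, which is worth recording as the crate's `rust-version` if none is declared.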
diff --git a/boring-rustls-provider/src/sign.rs b/boring-rustls-provider/src/sign.rs index 7817b81..41a2ead 100644 --- a/boring-rustls-provider/src/sign.rs +++ b/boring-rustls-provider/src/sign.rs @@ -63,7 +63,7 @@ fn rsa_signer_from_params( key: &PKeyRef, digest: MessageDigest, padding: Padding, -) -> Signer { +) -> Signer<'_> { let mut signer = Signer::new(digest, key).expect("failed getting signer"); signer .set_rsa_padding(padding) @@ -80,7 +80,7 @@ fn rsa_signer_from_params( signer } -fn ec_signer_from_params(key: &PKeyRef, digest: MessageDigest) -> Signer { +fn ec_signer_from_params(key: &PKeyRef, digest: MessageDigest) -> Signer<'_> { let signer = Signer::new(digest, key).expect("failed getting signer"); signer } @@ -131,7 +131,7 @@ impl SigningKey for BoringPrivateKey { pub struct BoringSigner(Arc>, rustls::SignatureScheme); impl BoringSigner { - fn get_signer(&self) -> Signer { + fn get_signer(&self) -> Signer<'_> { match self.1 { SignatureScheme::RSA_PKCS1_SHA256 => { rsa_signer_from_params(self.0.as_ref(), MessageDigest::sha256(), Padding::PKCS1) diff --git a/boring-rustls-provider/src/verify/ec.rs b/boring-rustls-provider/src/verify/ec.rs index 3de7165..f8984e3 100644 --- a/boring-rustls-provider/src/verify/ec.rs +++ b/boring-rustls-provider/src/verify/ec.rs @@ -1,5 +1,5 @@ use boring::{error::ErrorStack, hash::MessageDigest}; -use rustls::SignatureScheme; +use rustls::{pki_types::alg_id, SignatureScheme}; use rustls_pki_types::{InvalidSignature, SignatureVerificationAlgorithm}; use crate::helper; 
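Review bot: `rsa_signer_from_params` and `ec_signer_from_params` in sign.rs still unwrap `Signer::new` with `.expect("failed getting signer")`, so a BoringSSL error while setting up a signature panics inside the TLS provider instead of surfacing as a handshake error. `ec_verifier_from_params` in verify/ec.rs already returns `Result<_, ErrorStack>`; the signer helpers could do the same, e.g. `fn ec_signer_from_params(...) -> Result<Signer<'_>, ErrorStack> { Signer::new(digest, key) }`, with `get_signer` propagating the error to its caller. `rsa_verifier_from_params` in verify/rsa.rs has the same pattern with `.expect("failed getting verifier")`. The bodies of `rsa_signer_from_params` and `get_signer` continue outside the hunks, so how callers would map the error is not visible here.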
@@ -52,8 +52,8 @@ impl SignatureVerificationAlgorithm for BoringEcVerifier { fn public_key_alg_id(&self) -> rustls_pki_types::AlgorithmIdentifier { match self.0 { - SignatureScheme::ECDSA_NISTP256_SHA256 => webpki::alg_id::ECDSA_P256, - SignatureScheme::ECDSA_NISTP384_SHA384 => webpki::alg_id::ECDSA_P384, + SignatureScheme::ECDSA_NISTP256_SHA256 => alg_id::ECDSA_P256, + SignatureScheme::ECDSA_NISTP384_SHA384 => alg_id::ECDSA_P384, SignatureScheme::ECDSA_NISTP521_SHA512 => { // See rfc5480 appendix-A (secp521r1): 1.3.132.0.35 rustls_pki_types::AlgorithmIdentifier::from_slice(&[ @@ -67,8 +67,8 @@ impl SignatureVerificationAlgorithm for BoringEcVerifier { fn signature_alg_id(&self) -> rustls_pki_types::AlgorithmIdentifier { match self.0 { - SignatureScheme::ECDSA_NISTP256_SHA256 => webpki::alg_id::ECDSA_SHA256, - SignatureScheme::ECDSA_NISTP384_SHA384 => webpki::alg_id::ECDSA_SHA384, + SignatureScheme::ECDSA_NISTP256_SHA256 => alg_id::ECDSA_SHA256, + SignatureScheme::ECDSA_NISTP384_SHA384 => alg_id::ECDSA_SHA384, SignatureScheme::ECDSA_NISTP521_SHA512 => { // See rfc5480 appendix-A (ecdsa-with-SHA512): 1.2.840.10045.4.3.4 rustls_pki_types::AlgorithmIdentifier::from_slice(&[ @@ -83,7 +83,7 @@ impl SignatureVerificationAlgorithm for BoringEcVerifier { fn ec_verifier_from_params( key: &boring::pkey::PKeyRef, digest: MessageDigest, -) -> Result { +) -> Result, ErrorStack> { boring::sign::Verifier::new(digest, key) } diff --git a/boring-rustls-provider/src/verify/ed.rs b/boring-rustls-provider/src/verify/ed.rs index 5670c98..e7cb81e 100644 --- a/boring-rustls-provider/src/verify/ed.rs +++ b/boring-rustls-provider/src/verify/ed.rs @@ -2,7 +2,7 @@ use std::ptr; use boring::error::ErrorStack; use foreign_types::ForeignType; -use rustls::SignatureScheme; +use rustls::{pki_types::alg_id, SignatureScheme}; use rustls_pki_types::{InvalidSignature, SignatureVerificationAlgorithm}; use crate::helper::{cvt_p, log_and_map}; 
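Review bot: The P-521 arms of `public_key_alg_id` and `signature_alg_id` in verify/ec.rs keep hand-encoded DER passed to `AlgorithmIdentifier::from_slice`, while the P-256 and P-384 arms now use named constants from `alg_id`. Current rustls-pki-types releases also export `ECDSA_P521` and `ECDSA_SHA512` from that module, so, provided the resolved version has them, the arms can become `SignatureScheme::ECDSA_NISTP521_SHA512 => alg_id::ECDSA_P521,` and `SignatureScheme::ECDSA_NISTP521_SHA512 => alg_id::ECDSA_SHA512,`. That removes byte literals which otherwise have to be checked against RFC 5480 by hand on every review. The ED448 arm in verify/ed.rs uses the same hand-encoded pattern. The byte arrays in these two hunks are cut off by the hunk boundary, so their values are not assessed here.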
@@ -41,7 +41,7 @@ impl SignatureVerificationAlgorithm for BoringEdVerifier { fn signature_alg_id(&self) -> rustls_pki_types::AlgorithmIdentifier { match self.0 { - SignatureScheme::ED25519 => webpki::alg_id::ED25519, + SignatureScheme::ED25519 => alg_id::ED25519, SignatureScheme::ED448 => { // rfc8410#section-3: 1.3.101.113: -> DER: 06 03 2B 65 71 rustls_pki_types::AlgorithmIdentifier::from_slice(&[0x06, 0x03, 0x2B, 0x65, 0x71]) @@ -53,7 +53,7 @@ impl SignatureVerificationAlgorithm for BoringEdVerifier { fn ed_verifier_from_params( key: &boring::pkey::PKeyRef, -) -> Result { +) -> Result, ErrorStack> { boring::sign::Verifier::new_without_digest(key) } diff --git a/boring-rustls-provider/src/verify/rsa.rs b/boring-rustls-provider/src/verify/rsa.rs index 7dbfedb..5691369 100644 --- a/boring-rustls-provider/src/verify/rsa.rs +++ b/boring-rustls-provider/src/verify/rsa.rs @@ -5,7 +5,7 @@ use boring::{ rsa::{Padding, Rsa}, sign::RsaPssSaltlen, }; -use rustls::SignatureScheme; +use rustls::{pki_types::alg_id, SignatureScheme}; use rustls_pki_types::{InvalidSignature, SignatureVerificationAlgorithm}; use spki::der::Reader; 
@@ -73,18 +73,18 @@ impl SignatureVerificationAlgorithm for BoringRsaVerifier { } fn public_key_alg_id(&self) -> rustls_pki_types::AlgorithmIdentifier { - webpki::alg_id::RSA_ENCRYPTION + alg_id::RSA_ENCRYPTION } fn signature_alg_id(&self) -> rustls_pki_types::AlgorithmIdentifier { match self.0 { - SignatureScheme::RSA_PKCS1_SHA256 => webpki::alg_id::RSA_PKCS1_SHA256, - SignatureScheme::RSA_PKCS1_SHA384 => webpki::alg_id::RSA_PKCS1_SHA384, - SignatureScheme::RSA_PKCS1_SHA512 => webpki::alg_id::RSA_PKCS1_SHA512, + SignatureScheme::RSA_PKCS1_SHA256 => alg_id::RSA_PKCS1_SHA256, + SignatureScheme::RSA_PKCS1_SHA384 => alg_id::RSA_PKCS1_SHA384, + SignatureScheme::RSA_PKCS1_SHA512 => alg_id::RSA_PKCS1_SHA512, - SignatureScheme::RSA_PSS_SHA256 => webpki::alg_id::RSA_PSS_SHA256, - SignatureScheme::RSA_PSS_SHA384 => webpki::alg_id::RSA_PSS_SHA384, - SignatureScheme::RSA_PSS_SHA512 => webpki::alg_id::RSA_PSS_SHA512, + SignatureScheme::RSA_PSS_SHA256 => alg_id::RSA_PSS_SHA256, + SignatureScheme::RSA_PSS_SHA384 => alg_id::RSA_PSS_SHA384, + SignatureScheme::RSA_PSS_SHA512 => alg_id::RSA_PSS_SHA512, _ => unimplemented!(), } @@ -95,7 +95,7 @@ fn rsa_verifier_from_params( key: &boring::pkey::PKeyRef, digest: MessageDigest, padding: Padding, -) -> boring::sign::Verifier { +) -> boring::sign::Verifier<'_> { let mut verifier = boring::sign::Verifier::new(digest, key).expect("failed getting verifier"); verifier .set_rsa_padding(padding) diff --git a/boring-sys-additions/src/lib.rs b/boring-sys-additions/src/lib.rs index 3243570..5a2523e 100644 --- a/boring-sys-additions/src/lib.rs +++ b/boring-sys-additions/src/lib.rs @@ -1,7 +1,7 @@ use std::ffi; extern "C" { - /// Calculates `out_len` bytes of the TLS PDF, using `digest`, and + /// Calculates `out_len` bytes of the TLS PRF, using `digest`, and /// writes them to `out`. It returns one on success and zero on error. /// /// This isn't part of the public headers in `BoringSSL` but it is exported 
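Review bot: `signature_alg_id` in verify/rsa.rs ends in `_ => unimplemented!(),`, so a `BoringRsaVerifier` holding any scheme outside the six listed panics when certificate verification asks for its algorithm identifier. If the constructor restricts the scheme, `_ => unreachable!("BoringRsaVerifier is only built for RSA schemes"),` documents that invariant; a dedicated enum of the supported RSA schemes would let the compiler enforce it and remove the catch-all. How `BoringRsaVerifier` is constructed is outside this hunk.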
diff --git a/examples/Cargo.toml b/examples/Cargo.toml index 9d2084d..11b0573 100644 --- a/examples/Cargo.toml +++ b/examples/Cargo.toml @@ -7,15 +7,7 @@ description = "Boring Rustls provider example code and tests." publish = false [dependencies] -docopt = "~1.1" -env_logger = "0.10" -log = { version = "0.4.4" } -mio = { version = "0.8", features = ["net", "os-poll"] } -pki-types = { package = "rustls-pki-types", version = "0.2" } -rcgen = { version = "0.11.3", features = ["pem"], default-features = false } +env_logger = "0.11" rustls = { workspace = true, features = [ "logging", "std" ]} boring-rustls-provider = { path = "../boring-rustls-provider", features = ["logging"] } -rustls-pemfile = { workspace = true } -serde = "1.0" -serde_derive = "1.0" webpki-roots = { workspace = true }