Bump and cleanup deps and fix lints

Jan Rüth 2025-10-07 18:28:23 +02:00 committed by Jan
commit 490340afa7
11 changed files with 38 additions and 50 deletions


@ -2,10 +2,10 @@
members = [ members = [
# things that should probably be in boring crate # things that should probably be in boring crate
"boring-additions", "boring-additions",
# things that should probably be in boring-sys crate
"boring-sys-additions",
# the main library and tests # the main library and tests
"boring-rustls-provider", "boring-rustls-provider",
# things that should probably be in boring-sys crate
"boring-sys-additions",
# tests and example code # tests and example code
"examples", "examples",
] ]
@ -22,6 +22,6 @@ boring-sys = { version = "4", default-features = false }
rustls = { version = "0.23", default-features = false } rustls = { version = "0.23", default-features = false }
rustls-pemfile = { version = "2" } rustls-pemfile = { version = "2" }
rustls-pki-types = { version = "1" } rustls-pki-types = { version = "1" }
tokio-rustls = { version = "0.26", default-features = false } tokio-rustls = { version = "0.26", default-features = false }
webpki = { package = "rustls-webpki", version = "0.102", default-features = false } webpki = { package = "rustls-webpki", version = "0.103", default-features = false }
webpki-roots = { version = "0.26" } webpki-roots = { version = "1.0" }


@ -8,7 +8,6 @@ description = "Boring additions"
publish = false publish = false
[dependencies] [dependencies]
aead = { version = "0.5", default_features = false, features = ["alloc"] }
boring = { workspace = true } boring = { workspace = true }
boring-sys = { workspace = true } boring-sys = { workspace = true }
foreign-types = "0.5" foreign-types = "0.5"


@ -16,22 +16,19 @@ fips-only = ["boring/fips", "boring-sys/fips"]
tls12 = ["rustls/tls12"] tls12 = ["rustls/tls12"]
[dependencies] [dependencies]
aead = {version = "0.5", default_features = false, features = ["alloc"] } aead = {version = "0.5", default-features = false, features = ["alloc"] }
boring = { workspace = true } boring = { workspace = true }
boring-additions = { path = "../boring-additions" } boring-additions = { path = "../boring-additions" }
boring-sys = { workspace = true } boring-sys = { workspace = true }
boring-sys-additions = { path = "../boring-sys-additions" } boring-sys-additions = { path = "../boring-sys-additions" }
foreign-types = "0.5" foreign-types = "0.5"
lazy_static = "1.4"
log = { version = "0.4.4", optional = true } log = { version = "0.4.4", optional = true }
once_cell = "1"
rustls = { workspace = true } rustls = { workspace = true }
rustls-pki-types = { workspace = true } rustls-pki-types = { workspace = true }
spki = "0.7" spki = "0.7"
webpki = { workspace = true, features = ["alloc", "std"] }
[dev-dependencies] [dev-dependencies]
hex-literal = "0.4" hex-literal = "1"
rcgen = "0.11.3" rcgen = "0.12"
tokio = { version = "1.34", features = ["macros", "rt", "net", "io-util", "io-std"] } tokio = { version = "1.34", features = ["macros", "rt", "net", "io-util", "io-std"] }
tokio-rustls = { workspace = true } tokio-rustls = { workspace = true }
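Review bot: The workspace manifest in the first section still carries a `webpki` entry, although this crate drops its `webpki = { workspace = true, features = ["alloc", "std"] }` line and the verifier modules move to `rustls::pki_types::alg_id`. None of the member manifests visible on this page inherit it, so the workspace entry looks unused after this change. If that also holds for the members not fully shown here, remove it so the declared dependency set matches what is actually built and audited.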


@ -16,7 +16,7 @@ enum DhKeyType {
pub struct X25519; pub struct X25519;
impl crypto::SupportedKxGroup for X25519 { impl crypto::SupportedKxGroup for X25519 {
fn start(&self) -> Result<Box<(dyn ActiveKeyExchange + 'static)>, rustls::Error> { fn start(&self) -> Result<Box<dyn ActiveKeyExchange + 'static>, rustls::Error> {
Ok(Box::new(ex::KeyExchange::with_x25519().map_err(|e| { Ok(Box::new(ex::KeyExchange::with_x25519().map_err(|e| {
log_and_map("X25519.start", e, crypto::GetRandomFailed) log_and_map("X25519.start", e, crypto::GetRandomFailed)
})?)) })?))
@ -32,7 +32,7 @@ impl crypto::SupportedKxGroup for X25519 {
pub struct X448; pub struct X448;
impl crypto::SupportedKxGroup for X448 { impl crypto::SupportedKxGroup for X448 {
fn start(&self) -> Result<Box<(dyn ActiveKeyExchange + 'static)>, rustls::Error> { fn start(&self) -> Result<Box<dyn ActiveKeyExchange + 'static>, rustls::Error> {
Ok(Box::new(ex::KeyExchange::with_x448().map_err(|e| { Ok(Box::new(ex::KeyExchange::with_x448().map_err(|e| {
log_and_map("X448.start", e, crypto::GetRandomFailed) log_and_map("X448.start", e, crypto::GetRandomFailed)
})?)) })?))
@ -48,7 +48,7 @@ impl crypto::SupportedKxGroup for X448 {
pub struct Secp256r1; pub struct Secp256r1;
impl crypto::SupportedKxGroup for Secp256r1 { impl crypto::SupportedKxGroup for Secp256r1 {
fn start(&self) -> Result<Box<(dyn ActiveKeyExchange + 'static)>, rustls::Error> { fn start(&self) -> Result<Box<dyn ActiveKeyExchange + 'static>, rustls::Error> {
Ok(Box::new(ex::KeyExchange::with_secp256r1().map_err( Ok(Box::new(ex::KeyExchange::with_secp256r1().map_err(
|e| log_and_map("Secp256r1.start", e, crypto::GetRandomFailed), |e| log_and_map("Secp256r1.start", e, crypto::GetRandomFailed),
)?)) )?))
@ -64,7 +64,7 @@ impl crypto::SupportedKxGroup for Secp256r1 {
pub struct Secp384r1; pub struct Secp384r1;
impl crypto::SupportedKxGroup for Secp384r1 { impl crypto::SupportedKxGroup for Secp384r1 {
fn start(&self) -> Result<Box<(dyn ActiveKeyExchange + 'static)>, rustls::Error> { fn start(&self) -> Result<Box<dyn ActiveKeyExchange + 'static>, rustls::Error> {
Ok(Box::new(ex::KeyExchange::with_secp384r1().map_err( Ok(Box::new(ex::KeyExchange::with_secp384r1().map_err(
|e| log_and_map("Secp384r1.start", e, crypto::GetRandomFailed), |e| log_and_map("Secp384r1.start", e, crypto::GetRandomFailed),
)?)) )?))
@ -80,7 +80,7 @@ impl crypto::SupportedKxGroup for Secp384r1 {
pub struct Secp521r1; pub struct Secp521r1;
impl crypto::SupportedKxGroup for Secp521r1 { impl crypto::SupportedKxGroup for Secp521r1 {
fn start(&self) -> Result<Box<(dyn ActiveKeyExchange + 'static)>, rustls::Error> { fn start(&self) -> Result<Box<dyn ActiveKeyExchange + 'static>, rustls::Error> {
Ok(Box::new(ex::KeyExchange::with_secp521r1().map_err( Ok(Box::new(ex::KeyExchange::with_secp521r1().map_err(
|e| log_and_map("Secp521r1.start", e, crypto::GetRandomFailed), |e| log_and_map("Secp521r1.start", e, crypto::GetRandomFailed),
)?)) )?))
@ -96,7 +96,7 @@ impl crypto::SupportedKxGroup for Secp521r1 {
pub struct FfDHe2048; pub struct FfDHe2048;
impl crypto::SupportedKxGroup for FfDHe2048 { impl crypto::SupportedKxGroup for FfDHe2048 {
fn start(&self) -> Result<Box<(dyn ActiveKeyExchange + 'static)>, rustls::Error> { fn start(&self) -> Result<Box<dyn ActiveKeyExchange + 'static>, rustls::Error> {
Ok(Box::new(dh::KeyExchange::generate_ffdhe_2048().map_err( Ok(Box::new(dh::KeyExchange::generate_ffdhe_2048().map_err(
|e| log_and_map("FfDHe2048.start", e, crypto::GetRandomFailed), |e| log_and_map("FfDHe2048.start", e, crypto::GetRandomFailed),
)?)) )?))


@ -31,7 +31,7 @@ impl KeyExchange {
let pubkey = boring_sys::DH_get0_pub_key(me.dh.as_ptr()); let pubkey = boring_sys::DH_get0_pub_key(me.dh.as_ptr());
// figure out how many bytes we need, round up to the next full byte // figure out how many bytes we need, round up to the next full byte
let size = (boring_sys::BN_num_bits(pubkey) as usize + 7) / 8; let size = (boring_sys::BN_num_bits(pubkey) as usize).div_ceil(8);
// alloc a vector with enough capacity // alloc a vector with enough capacity
let mut v = Vec::with_capacity(size); let mut v = Vec::with_capacity(size);
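Review bot: The buffer length is derived from the bit length of the public value, so a key whose leading byte is zero serializes shorter than the group size. RFC 8446 section 4.2.8.1 requires the finite-field key share to be left-padded with zeros to the size of p in bytes, and a strict peer may reject a short share. The rest of the function lies outside the hunk, so padding may already happen later. If it does not, size the vector from the prime, e.g. `let size = boring_sys::DH_size(me.dh.as_ptr()) as usize;`, and fill it with `BN_bn2bin_padded`.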


@ -63,7 +63,7 @@ fn rsa_signer_from_params(
key: &PKeyRef<Private>, key: &PKeyRef<Private>,
digest: MessageDigest, digest: MessageDigest,
padding: Padding, padding: Padding,
) -> Signer { ) -> Signer<'_> {
let mut signer = Signer::new(digest, key).expect("failed getting signer"); let mut signer = Signer::new(digest, key).expect("failed getting signer");
signer signer
.set_rsa_padding(padding) .set_rsa_padding(padding)
@ -80,7 +80,7 @@ fn rsa_signer_from_params(
signer signer
} }
fn ec_signer_from_params(key: &PKeyRef<Private>, digest: MessageDigest) -> Signer { fn ec_signer_from_params(key: &PKeyRef<Private>, digest: MessageDigest) -> Signer<'_> {
let signer = Signer::new(digest, key).expect("failed getting signer"); let signer = Signer::new(digest, key).expect("failed getting signer");
signer signer
} }
@ -131,7 +131,7 @@ impl SigningKey for BoringPrivateKey {
pub struct BoringSigner(Arc<boring::pkey::PKey<Private>>, rustls::SignatureScheme); pub struct BoringSigner(Arc<boring::pkey::PKey<Private>>, rustls::SignatureScheme);
impl BoringSigner { impl BoringSigner {
fn get_signer(&self) -> Signer { fn get_signer(&self) -> Signer<'_> {
match self.1 { match self.1 {
SignatureScheme::RSA_PKCS1_SHA256 => { SignatureScheme::RSA_PKCS1_SHA256 => {
rsa_signer_from_params(self.0.as_ref(), MessageDigest::sha256(), Padding::PKCS1) rsa_signer_from_params(self.0.as_ref(), MessageDigest::sha256(), Padding::PKCS1)
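Review bot: `rsa_signer_from_params` and `ec_signer_from_params` still call `.expect("failed getting signer")`, so a BoringSSL failure while setting up a signature panics in the middle of a handshake instead of surfacing as an error. The helpers `ec_verifier_from_params` and `ed_verifier_from_params` elsewhere in this commit already return `Result<_, ErrorStack>`. Doing the same here, `-> Result<Signer<'_>, ErrorStack>` with `Signer::new(digest, key)?`, would let the caller map the failure to a `rustls::Error`. `rsa_verifier_from_params` in the RSA verifier section has the same pattern with `.expect("failed getting verifier")`. `rsa_signer_from_params` and `get_signer` extend beyond the visible hunks, so their call sites need the matching change.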


@ -1,5 +1,5 @@
use boring::{error::ErrorStack, hash::MessageDigest}; use boring::{error::ErrorStack, hash::MessageDigest};
use rustls::SignatureScheme; use rustls::{pki_types::alg_id, SignatureScheme};
use rustls_pki_types::{InvalidSignature, SignatureVerificationAlgorithm}; use rustls_pki_types::{InvalidSignature, SignatureVerificationAlgorithm};
use crate::helper; use crate::helper;
@ -52,8 +52,8 @@ impl SignatureVerificationAlgorithm for BoringEcVerifier {
fn public_key_alg_id(&self) -> rustls_pki_types::AlgorithmIdentifier { fn public_key_alg_id(&self) -> rustls_pki_types::AlgorithmIdentifier {
match self.0 { match self.0 {
SignatureScheme::ECDSA_NISTP256_SHA256 => webpki::alg_id::ECDSA_P256, SignatureScheme::ECDSA_NISTP256_SHA256 => alg_id::ECDSA_P256,
SignatureScheme::ECDSA_NISTP384_SHA384 => webpki::alg_id::ECDSA_P384, SignatureScheme::ECDSA_NISTP384_SHA384 => alg_id::ECDSA_P384,
SignatureScheme::ECDSA_NISTP521_SHA512 => { SignatureScheme::ECDSA_NISTP521_SHA512 => {
// See rfc5480 appendix-A (secp521r1): 1.3.132.0.35 // See rfc5480 appendix-A (secp521r1): 1.3.132.0.35
rustls_pki_types::AlgorithmIdentifier::from_slice(&[ rustls_pki_types::AlgorithmIdentifier::from_slice(&[
@ -67,8 +67,8 @@ impl SignatureVerificationAlgorithm for BoringEcVerifier {
fn signature_alg_id(&self) -> rustls_pki_types::AlgorithmIdentifier { fn signature_alg_id(&self) -> rustls_pki_types::AlgorithmIdentifier {
match self.0 { match self.0 {
SignatureScheme::ECDSA_NISTP256_SHA256 => webpki::alg_id::ECDSA_SHA256, SignatureScheme::ECDSA_NISTP256_SHA256 => alg_id::ECDSA_SHA256,
SignatureScheme::ECDSA_NISTP384_SHA384 => webpki::alg_id::ECDSA_SHA384, SignatureScheme::ECDSA_NISTP384_SHA384 => alg_id::ECDSA_SHA384,
SignatureScheme::ECDSA_NISTP521_SHA512 => { SignatureScheme::ECDSA_NISTP521_SHA512 => {
// See rfc5480 appendix-A (ecdsa-with-SHA512): 1.2.840.10045.4.3.4 // See rfc5480 appendix-A (ecdsa-with-SHA512): 1.2.840.10045.4.3.4
rustls_pki_types::AlgorithmIdentifier::from_slice(&[ rustls_pki_types::AlgorithmIdentifier::from_slice(&[
@ -83,7 +83,7 @@ impl SignatureVerificationAlgorithm for BoringEcVerifier {
fn ec_verifier_from_params( fn ec_verifier_from_params(
key: &boring::pkey::PKeyRef<boring::pkey::Public>, key: &boring::pkey::PKeyRef<boring::pkey::Public>,
digest: MessageDigest, digest: MessageDigest,
) -> Result<boring::sign::Verifier, ErrorStack> { ) -> Result<boring::sign::Verifier<'_>, ErrorStack> {
boring::sign::Verifier::new(digest, key) boring::sign::Verifier::new(digest, key)
} }
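Review bot: `alg_id` is now imported through the `rustls::pki_types` re-export, while every other type in this file (`AlgorithmIdentifier`, `InvalidSignature`, `SignatureVerificationAlgorithm`) comes from the direct `rustls_pki_types` dependency. Taking the constants from the same path, `use rustls_pki_types::{alg_id, InvalidSignature, SignatureVerificationAlgorithm};`, keeps a single source for these types and leaves `use rustls::SignatureScheme;` untouched. The Ed25519 and RSA verifier sections further down make the same import change.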


@ -2,7 +2,7 @@ use std::ptr;
use boring::error::ErrorStack; use boring::error::ErrorStack;
use foreign_types::ForeignType; use foreign_types::ForeignType;
use rustls::SignatureScheme; use rustls::{pki_types::alg_id, SignatureScheme};
use rustls_pki_types::{InvalidSignature, SignatureVerificationAlgorithm}; use rustls_pki_types::{InvalidSignature, SignatureVerificationAlgorithm};
use crate::helper::{cvt_p, log_and_map}; use crate::helper::{cvt_p, log_and_map};
@ -41,7 +41,7 @@ impl SignatureVerificationAlgorithm for BoringEdVerifier {
fn signature_alg_id(&self) -> rustls_pki_types::AlgorithmIdentifier { fn signature_alg_id(&self) -> rustls_pki_types::AlgorithmIdentifier {
match self.0 { match self.0 {
SignatureScheme::ED25519 => webpki::alg_id::ED25519, SignatureScheme::ED25519 => alg_id::ED25519,
SignatureScheme::ED448 => { SignatureScheme::ED448 => {
// rfc8410#section-3: 1.3.101.113: -> DER: 06 03 2B 65 71 // rfc8410#section-3: 1.3.101.113: -> DER: 06 03 2B 65 71
rustls_pki_types::AlgorithmIdentifier::from_slice(&[0x06, 0x03, 0x2B, 0x65, 0x71]) rustls_pki_types::AlgorithmIdentifier::from_slice(&[0x06, 0x03, 0x2B, 0x65, 0x71])
@ -53,7 +53,7 @@ impl SignatureVerificationAlgorithm for BoringEdVerifier {
fn ed_verifier_from_params( fn ed_verifier_from_params(
key: &boring::pkey::PKeyRef<boring::pkey::Public>, key: &boring::pkey::PKeyRef<boring::pkey::Public>,
) -> Result<boring::sign::Verifier, ErrorStack> { ) -> Result<boring::sign::Verifier<'_>, ErrorStack> {
boring::sign::Verifier::new_without_digest(key) boring::sign::Verifier::new_without_digest(key)
} }


@ -5,7 +5,7 @@ use boring::{
rsa::{Padding, Rsa}, rsa::{Padding, Rsa},
sign::RsaPssSaltlen, sign::RsaPssSaltlen,
}; };
use rustls::SignatureScheme; use rustls::{pki_types::alg_id, SignatureScheme};
use rustls_pki_types::{InvalidSignature, SignatureVerificationAlgorithm}; use rustls_pki_types::{InvalidSignature, SignatureVerificationAlgorithm};
use spki::der::Reader; use spki::der::Reader;
@ -73,18 +73,18 @@ impl SignatureVerificationAlgorithm for BoringRsaVerifier {
} }
fn public_key_alg_id(&self) -> rustls_pki_types::AlgorithmIdentifier { fn public_key_alg_id(&self) -> rustls_pki_types::AlgorithmIdentifier {
webpki::alg_id::RSA_ENCRYPTION alg_id::RSA_ENCRYPTION
} }
fn signature_alg_id(&self) -> rustls_pki_types::AlgorithmIdentifier { fn signature_alg_id(&self) -> rustls_pki_types::AlgorithmIdentifier {
match self.0 { match self.0 {
SignatureScheme::RSA_PKCS1_SHA256 => webpki::alg_id::RSA_PKCS1_SHA256, SignatureScheme::RSA_PKCS1_SHA256 => alg_id::RSA_PKCS1_SHA256,
SignatureScheme::RSA_PKCS1_SHA384 => webpki::alg_id::RSA_PKCS1_SHA384, SignatureScheme::RSA_PKCS1_SHA384 => alg_id::RSA_PKCS1_SHA384,
SignatureScheme::RSA_PKCS1_SHA512 => webpki::alg_id::RSA_PKCS1_SHA512, SignatureScheme::RSA_PKCS1_SHA512 => alg_id::RSA_PKCS1_SHA512,
SignatureScheme::RSA_PSS_SHA256 => webpki::alg_id::RSA_PSS_SHA256, SignatureScheme::RSA_PSS_SHA256 => alg_id::RSA_PSS_SHA256,
SignatureScheme::RSA_PSS_SHA384 => webpki::alg_id::RSA_PSS_SHA384, SignatureScheme::RSA_PSS_SHA384 => alg_id::RSA_PSS_SHA384,
SignatureScheme::RSA_PSS_SHA512 => webpki::alg_id::RSA_PSS_SHA512, SignatureScheme::RSA_PSS_SHA512 => alg_id::RSA_PSS_SHA512,
_ => unimplemented!(), _ => unimplemented!(),
} }
@ -95,7 +95,7 @@ fn rsa_verifier_from_params(
key: &boring::pkey::PKeyRef<boring::pkey::Public>, key: &boring::pkey::PKeyRef<boring::pkey::Public>,
digest: MessageDigest, digest: MessageDigest,
padding: Padding, padding: Padding,
) -> boring::sign::Verifier { ) -> boring::sign::Verifier<'_> {
let mut verifier = boring::sign::Verifier::new(digest, key).expect("failed getting verifier"); let mut verifier = boring::sign::Verifier::new(digest, key).expect("failed getting verifier");
verifier verifier
.set_rsa_padding(padding) .set_rsa_padding(padding)
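Review bot: `signature_alg_id` still ends in `_ => unimplemented!()`, so a `BoringRsaVerifier` wrapping any scheme outside these six panics during certificate verification. How the verifier is constructed is not visible on this page. If only the crate's own constants build it, state that invariant in the arm, e.g. `other => unreachable!("non-RSA scheme {other:?} in BoringRsaVerifier")`, or narrow the wrapped type so the catch-all is not needed. The function continues past the end of the hunk.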


@ -1,7 +1,7 @@
use std::ffi; use std::ffi;
extern "C" { extern "C" {
/// Calculates `out_len` bytes of the TLS PDF, using `digest`, and /// Calculates `out_len` bytes of the TLS PRF, using `digest`, and
/// writes them to `out`. It returns one on success and zero on error. /// writes them to `out`. It returns one on success and zero on error.
/// ///
/// This isn't part of the public headers in `BoringSSL` but it is exported /// This isn't part of the public headers in `BoringSSL` but it is exported


@ -7,15 +7,7 @@ description = "Boring Rustls provider example code and tests."
publish = false publish = false
[dependencies] [dependencies]
docopt = "~1.1" env_logger = "0.11"
env_logger = "0.10"
log = { version = "0.4.4" }
mio = { version = "0.8", features = ["net", "os-poll"] }
pki-types = { package = "rustls-pki-types", version = "0.2" }
rcgen = { version = "0.11.3", features = ["pem"], default-features = false }
rustls = { workspace = true, features = [ "logging", "std" ]} rustls = { workspace = true, features = [ "logging", "std" ]}
boring-rustls-provider = { path = "../boring-rustls-provider", features = ["logging"] } boring-rustls-provider = { path = "../boring-rustls-provider", features = ["logging"] }
rustls-pemfile = { workspace = true }
serde = "1.0"
serde_derive = "1.0"
webpki-roots = { workspace = true } webpki-roots = { workspace = true }