Update to v22

Jan Rüth 2023-12-03 22:40:52 +01:00 committed by Jan
commit b1188e2ef1
8 changed files with 82 additions and 87 deletions


@ -19,9 +19,9 @@ resolver = "2"
[workspace.dependencies] [workspace.dependencies]
boring = { version = "4", default-features = false } boring = { version = "4", default-features = false }
boring-sys = { version = "4", default-features = false } boring-sys = { version = "4", default-features = false }
rustls = { version = "=0.22.0-alpha.6", default-features = false } rustls = { version = "0.22", default-features = false }
rustls-pemfile = { version = "=2.0.0-alpha.2" } rustls-pemfile = { version = "2" }
rustls-pki-types = { version = "0.2.3" } rustls-pki-types = { version = "1" }
tokio-rustls = { version = "0.25.0-alpha.4" } tokio-rustls = { version = "0.25" }
webpki = { package = "rustls-webpki", version = "0.102.0-alpha.7", default-features = false } webpki = { package = "rustls-webpki", version = "0.102", default-features = false }
webpki-roots = { version = "=0.26.0-alpha.2" } webpki-roots = { version = "0.26" }


@ -21,56 +21,49 @@ pub mod tls12;
pub mod tls13; pub mod tls13;
pub mod verify; pub mod verify;
/// The boringssl-based Rustls Crypto provider pub fn provider() -> CryptoProvider {
pub static PROVIDER: &'static dyn CryptoProvider = &Provider; #[cfg(feature = "fips-only")]
{
provider_with_ciphers(ALL_FIPS_CIPHER_SUITES.to_vec())
}
#[cfg(not(feature = "fips-only"))]
{
provider_with_ciphers(ALL_CIPHER_SUITES.to_vec())
}
}
pub fn provider_with_ciphers(ciphers: Vec<rustls::SupportedCipherSuite>) -> CryptoProvider {
CryptoProvider {
cipher_suites: ciphers,
#[cfg(feature = "fips-only")]
kx_groups: ALL_FIPS_KX_GROUPS.to_vec(),
#[cfg(not(feature = "fips-only"))]
kx_groups: ALL_KX_GROUPS.to_vec(),
#[cfg(feature = "fips-only")]
signature_verification_algorithms: verify::ALL_FIPS_ALGORITHMS,
#[cfg(not(feature = "fips-only"))]
signature_verification_algorithms: verify::ALL_ALGORITHMS,
secure_random: &Provider,
key_provider: &Provider,
}
}
#[derive(Debug)] #[derive(Debug)]
struct Provider; struct Provider;
impl CryptoProvider for Provider { impl rustls::crypto::SecureRandom for Provider {
fn fill_random(&self, bytes: &mut [u8]) -> Result<(), GetRandomFailed> { fn fill(&self, bytes: &mut [u8]) -> Result<(), rustls::crypto::GetRandomFailed> {
boring::rand::rand_bytes(bytes).map_err(|e| log_and_map("rand_bytes", e, GetRandomFailed)) boring::rand::rand_bytes(bytes).map_err(|e| log_and_map("rand_bytes", e, GetRandomFailed))
} }
}
fn default_cipher_suites(&self) -> &'static [SupportedCipherSuite] { impl rustls::crypto::KeyProvider for Provider {
#[cfg(feature = "fips-only")]
{
ALL_FIPS_CIPHER_SUITES
}
#[cfg(not(feature = "fips-only"))]
{
ALL_CIPHER_SUITES
}
}
fn default_kx_groups(&self) -> &'static [&'static dyn SupportedKxGroup] {
#[cfg(feature = "fips-only")]
{
ALL_FIPS_KX_GROUPS
}
#[cfg(not(feature = "fips-only"))]
{
ALL_KX_GROUPS
}
}
fn load_private_key( fn load_private_key(
&self, &self,
key_der: PrivateKeyDer<'static>, key_der: PrivateKeyDer<'static>,
) -> Result<std::sync::Arc<dyn rustls::sign::SigningKey>, rustls::Error> { ) -> Result<Arc<dyn rustls::sign::SigningKey>, rustls::Error> {
sign::BoringPrivateKey::try_from(key_der).map(|x| Arc::new(x) as _) sign::BoringPrivateKey::try_from(key_der).map(|x| Arc::new(x) as _)
} }
fn signature_verification_algorithms(&self) -> rustls::WebPkiSupportedAlgorithms {
#[cfg(feature = "fips-only")]
{
verify::ALL_FIPS_ALGORITHMS
}
#[cfg(not(feature = "fips-only"))]
{
verify::ALL_ALGORITHMS
}
}
} }
#[allow(unused)] #[allow(unused)]
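Review bot: With the `fips-only` feature enabled, `provider_with_ciphers` still installs whatever suites the caller passes as `cipher_suites`, while `kx_groups` and `signature_verification_algorithms` are pinned to the FIPS lists, so a build meant to be FIPS-only can end up offering a suite outside `ALL_FIPS_CIPHER_SUITES`. Under that feature the function should drop such suites, e.g. `ciphers.retain(|c| ALL_FIPS_CIPHER_SUITES.iter().any(|f| f.suite() == c.suite()));` with the parameter bound as `mut ciphers`, or reject them explicitly. The `///` doc comment that sat on `PROVIDER` is also gone and neither new public function has one. `provider()` could carry `/// Returns the BoringSSL-backed rustls CryptoProvider with the default suites for the enabled feature set.`, and `provider_with_ciphers` a line stating that only the cipher suites are caller-chosen.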


@ -10,7 +10,7 @@ pub struct PrfTls1WithDigest(pub boring::nid::Nid);
impl crypto::tls12::Prf for PrfTls1WithDigest { impl crypto::tls12::Prf for PrfTls1WithDigest {
fn for_key_exchange( fn for_key_exchange(
&self, &self,
output: &mut [u8], output: &mut [u8; 48],
kx: Box<dyn crypto::ActiveKeyExchange>, kx: Box<dyn crypto::ActiveKeyExchange>,
peer_pub_key: &[u8], peer_pub_key: &[u8],
label: &[u8], label: &[u8],


@ -23,7 +23,7 @@ const PRF_SHA256: prf::PrfTls1WithDigest = prf::PrfTls1WithDigest(boring::nid::N
const PRF_SHA384: prf::PrfTls1WithDigest = prf::PrfTls1WithDigest(boring::nid::Nid::SHA384); const PRF_SHA384: prf::PrfTls1WithDigest = prf::PrfTls1WithDigest(boring::nid::Nid::SHA384);
pub static ECDHE_ECDSA_AES128_GCM_SHA256: Tls12CipherSuite = Tls12CipherSuite { pub static ECDHE_ECDSA_AES128_GCM_SHA256: Tls12CipherSuite = Tls12CipherSuite {
common: rustls::CipherSuiteCommon { common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, suite: rustls::CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
hash_provider: hash::SHA256, hash_provider: hash::SHA256,
confidentiality_limit: 1 << 23, confidentiality_limit: 1 << 23,
@ -36,7 +36,7 @@ pub static ECDHE_ECDSA_AES128_GCM_SHA256: Tls12CipherSuite = Tls12CipherSuite {
}; };
pub static ECDHE_RSA_AES128_GCM_SHA256: Tls12CipherSuite = Tls12CipherSuite { pub static ECDHE_RSA_AES128_GCM_SHA256: Tls12CipherSuite = Tls12CipherSuite {
common: rustls::CipherSuiteCommon { common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, suite: rustls::CipherSuite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
hash_provider: hash::SHA256, hash_provider: hash::SHA256,
confidentiality_limit: 1 << 23, confidentiality_limit: 1 << 23,
@ -49,7 +49,7 @@ pub static ECDHE_RSA_AES128_GCM_SHA256: Tls12CipherSuite = Tls12CipherSuite {
}; };
pub static ECDHE_ECDSA_AES256_GCM_SHA384: Tls12CipherSuite = Tls12CipherSuite { pub static ECDHE_ECDSA_AES256_GCM_SHA384: Tls12CipherSuite = Tls12CipherSuite {
common: rustls::CipherSuiteCommon { common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, suite: rustls::CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
hash_provider: hash::SHA384, hash_provider: hash::SHA384,
confidentiality_limit: 1 << 23, confidentiality_limit: 1 << 23,
@ -62,7 +62,7 @@ pub static ECDHE_ECDSA_AES256_GCM_SHA384: Tls12CipherSuite = Tls12CipherSuite {
}; };
pub static ECDHE_RSA_AES256_GCM_SHA384: Tls12CipherSuite = Tls12CipherSuite { pub static ECDHE_RSA_AES256_GCM_SHA384: Tls12CipherSuite = Tls12CipherSuite {
common: rustls::CipherSuiteCommon { common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, suite: rustls::CipherSuite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
hash_provider: hash::SHA384, hash_provider: hash::SHA384,
confidentiality_limit: 1 << 23, confidentiality_limit: 1 << 23,
@ -75,7 +75,7 @@ pub static ECDHE_RSA_AES256_GCM_SHA384: Tls12CipherSuite = Tls12CipherSuite {
}; };
pub static ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: Tls12CipherSuite = Tls12CipherSuite { pub static ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: Tls12CipherSuite = Tls12CipherSuite {
common: rustls::CipherSuiteCommon { common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, suite: rustls::CipherSuite::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
hash_provider: hash::SHA256, hash_provider: hash::SHA256,
confidentiality_limit: u64::MAX, confidentiality_limit: u64::MAX,
@ -88,7 +88,7 @@ pub static ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: Tls12CipherSuite = Tls12Ci
}; };
pub static ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: Tls12CipherSuite = Tls12CipherSuite { pub static ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: Tls12CipherSuite = Tls12CipherSuite {
common: rustls::CipherSuiteCommon { common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, suite: rustls::CipherSuite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
hash_provider: hash::SHA256, hash_provider: hash::SHA256,
confidentiality_limit: u64::MAX, confidentiality_limit: u64::MAX,


@ -3,7 +3,7 @@ use rustls::Tls13CipherSuite;
use crate::{aead, hash, hkdf}; use crate::{aead, hash, hkdf};
pub static AES_128_GCM_SHA256: Tls13CipherSuite = Tls13CipherSuite { pub static AES_128_GCM_SHA256: Tls13CipherSuite = Tls13CipherSuite {
common: rustls::CipherSuiteCommon { common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS13_AES_128_GCM_SHA256, suite: rustls::CipherSuite::TLS13_AES_128_GCM_SHA256,
hash_provider: hash::SHA256, hash_provider: hash::SHA256,
confidentiality_limit: 1 << 23, confidentiality_limit: 1 << 23,
@ -15,7 +15,7 @@ pub static AES_128_GCM_SHA256: Tls13CipherSuite = Tls13CipherSuite {
}; };
pub static AES_256_GCM_SHA384: Tls13CipherSuite = Tls13CipherSuite { pub static AES_256_GCM_SHA384: Tls13CipherSuite = Tls13CipherSuite {
common: rustls::CipherSuiteCommon { common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS13_AES_256_GCM_SHA384, suite: rustls::CipherSuite::TLS13_AES_256_GCM_SHA384,
hash_provider: hash::SHA384, hash_provider: hash::SHA384,
confidentiality_limit: 1 << 23, confidentiality_limit: 1 << 23,
@ -27,7 +27,7 @@ pub static AES_256_GCM_SHA384: Tls13CipherSuite = Tls13CipherSuite {
}; };
pub static CHACHA20_POLY1305_SHA256: Tls13CipherSuite = Tls13CipherSuite { pub static CHACHA20_POLY1305_SHA256: Tls13CipherSuite = Tls13CipherSuite {
common: rustls::CipherSuiteCommon { common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS13_CHACHA20_POLY1305_SHA256, suite: rustls::CipherSuite::TLS13_CHACHA20_POLY1305_SHA256,
hash_provider: hash::SHA256, hash_provider: hash::SHA256,
confidentiality_limit: u64::MAX, confidentiality_limit: u64::MAX,


@ -1,4 +1,4 @@
use rustls::{SignatureScheme, WebPkiSupportedAlgorithms}; use rustls::{crypto::WebPkiSupportedAlgorithms, SignatureScheme};
pub(crate) mod ec; pub(crate) mod ec;
pub(crate) mod ed; pub(crate) mod ed;


@ -5,7 +5,7 @@ use tokio::{
net::TcpStream, net::TcpStream,
}; };
use boring_rustls_provider::{tls12, tls13, PROVIDER}; use boring_rustls_provider::{tls12, tls13};
use rustls::{ use rustls::{
version::{TLS12, TLS13}, version::{TLS12, TLS13},
ClientConfig, ServerConfig, SupportedCipherSuite, ClientConfig, ServerConfig, SupportedCipherSuite,
@ -28,9 +28,9 @@ async fn test_tls13_crypto() {
]; ];
for cipher in ciphers { for cipher in ciphers {
let config = ClientConfig::builder_with_provider(PROVIDER) let config = ClientConfig::builder_with_provider(Arc::new(
.with_cipher_suites(&[cipher]) boring_rustls_provider::provider_with_ciphers([cipher].to_vec()),
.with_safe_default_kx_groups() ))
.with_protocol_versions(&[&TLS13]) .with_protocol_versions(&[&TLS13])
.unwrap() .unwrap()
.with_root_certificates(root_store.clone()) .with_root_certificates(root_store.clone())
@ -54,9 +54,9 @@ async fn test_tls12_ec_crypto() {
]; ];
for cipher in ciphers { for cipher in ciphers {
let config = ClientConfig::builder_with_provider(PROVIDER) let config = ClientConfig::builder_with_provider(Arc::new(
.with_cipher_suites(&[cipher]) boring_rustls_provider::provider_with_ciphers([cipher].to_vec()),
.with_safe_default_kx_groups() ))
.with_protocol_versions(&[&TLS12]) .with_protocol_versions(&[&TLS12])
.unwrap() .unwrap()
.with_root_certificates(root_store.clone()) .with_root_certificates(root_store.clone())
@ -80,9 +80,9 @@ async fn test_tls12_rsa_crypto() {
]; ];
for cipher in ciphers { for cipher in ciphers {
let config = ClientConfig::builder_with_provider(PROVIDER) let config = ClientConfig::builder_with_provider(Arc::new(
.with_cipher_suites(&[cipher]) boring_rustls_provider::provider_with_ciphers([cipher].to_vec()),
.with_safe_default_kx_groups() ))
.with_protocol_versions(&[&TLS12]) .with_protocol_versions(&[&TLS12])
.unwrap() .unwrap()
.with_root_certificates(root_store.clone()) .with_root_certificates(root_store.clone())
@ -176,8 +176,10 @@ impl TestPki {
} }
fn server_config(self) -> Arc<ServerConfig> { fn server_config(self) -> Arc<ServerConfig> {
let mut server_config = ServerConfig::builder_with_provider(PROVIDER) let mut server_config =
.with_safe_defaults() ServerConfig::builder_with_provider(Arc::new(boring_rustls_provider::provider()))
.with_protocol_versions(&[&TLS12, &TLS13])
.unwrap()
.with_no_client_auth() .with_no_client_auth()
.with_single_cert(vec![self.server_cert_der], self.server_key_der) .with_single_cert(vec![self.server_cert_der], self.server_key_der)
.unwrap(); .unwrap();
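Review bot: The three client-config loops (`test_tls13_crypto`, `test_tls12_ec_crypto`, `test_tls12_rsa_crypto`) build the single-suite list as `[cipher].to_vec()`; `vec![cipher]` says the same thing directly, without going through an array and a copy. As far as the visible lines show, nothing here checks what `provider_with_ciphers` does with a suite outside the FIPS list when `fips-only` is enabled, so a `#[cfg(feature = "fips-only")]` test for that case would be worth adding. `server_config` continues past the end of the last hunk.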


@ -2,16 +2,16 @@ use std::io::{stdout, Read, Write};
use std::net::TcpStream; use std::net::TcpStream;
use std::sync::Arc; use std::sync::Arc;
use boring_rustls_provider::PROVIDER;
fn main() { fn main() {
env_logger::init(); env_logger::init();
let mut root_store = rustls::RootCertStore::empty(); let mut root_store = rustls::RootCertStore::empty();
root_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned()); root_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
let config = rustls::ClientConfig::builder_with_provider(PROVIDER) let config =
.with_safe_defaults() rustls::ClientConfig::builder_with_provider(boring_rustls_provider::provider().into())
.with_safe_default_protocol_versions()
.unwrap()
.with_root_certificates(root_store) .with_root_certificates(root_store)
.with_no_client_auth(); .with_no_client_auth();
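Review bot: The client example wraps the provider with `boring_rustls_provider::provider().into()`, while the tests in this same commit use `Arc::new(...)`. Since `std::sync::Arc` is already imported at the top of this file, `rustls::ClientConfig::builder_with_provider(Arc::new(boring_rustls_provider::provider()))` keeps the call sites consistent and makes the expected argument type visible to someone copying the example. `main` continues outside the hunk.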