Fork of github.com/janrueth/boring-rustls-provider
Jan Rüth b88c87235d Harden crypto provider error handling and FIPS reporting
Implement provider-wide FIPS semantics by filtering non-FIPS suites in provider_with_ciphers() and wiring fips() reporting across provider components, KX groups, AEADs, and signature verifiers.

Replace panic-prone hotpath behavior with error returns across TLS/QUIC AEAD setup and header protection, enforce HKDF output bounds, and remove shared HMAC context cloning to tighten runtime safety.

Rework signing and verification paths to support SEC1 EC key loading, curve-aware scheme selection, and consistent malformed-input error handling without panics.

Add comprehensive regression coverage for malformed KX shares, verifier inputs, AEAD truncation and constructor failures, plus a panic-surface test that scans runtime provider/additions code for new panic constructs unless explicitly allowlisted.

Update the example client to return Result and eliminate non-test unwrap-style exits.
2026-04-10 17:17:44 +02:00
.github/workflows Add X25519MLKEM768 post-quantum hybrid key exchange 2026-04-10 15:34:22 +02:00
boring-additions Harden crypto provider error handling and FIPS reporting 2026-04-10 17:17:44 +02:00
boring-rustls-provider Harden crypto provider error handling and FIPS reporting 2026-04-10 17:17:44 +02:00
boring-sys-additions Bump and cleanup deps and fix lints 2025-10-07 18:44:13 +02:00
examples Harden crypto provider error handling and FIPS reporting 2026-04-10 17:17:44 +02:00
.gitignore Initial dump for a boring-rustls-provider 2023-11-19 17:49:03 +01:00
Cargo.toml Bump boring to v5, align FIPS to SP 800-52r2, clean up features 2026-04-10 12:38:26 +02:00
LICENSE Initial commit 2023-11-19 17:46:39 +01:00
Makefile Bump boring to v5, align FIPS to SP 800-52r2, clean up features 2026-04-10 12:38:26 +02:00
Readme.md Drop X448, P-521, FFDHE2048 to match boring's default group list 2026-04-10 15:34:22 +02:00

boring-rustls-provider

A BoringSSL-based rustls crypto provider.

Built on boring v5 and rustls 0.23.

Features

No features are enabled by default. The provider ships with TLS 1.3 support out of the box; additional capabilities are opt-in.

  • fips: Build against FIPS-validated BoringSSL and restrict the provider to FIPS-approved algorithms only (SP 800-52r2). Implies mlkem. See FIPS Mode below.
  • fips-precompiled: Deprecated alias for fips. Matches the boring crate's feature name.
  • mlkem: Enable the X25519MLKEM768 post-quantum hybrid key exchange group (draft-ietf-tls-ecdhe-mlkem-00). Uses ML-KEM-768 (FIPS 203) combined with X25519. See Post-Quantum Key Exchange below.
  • tls12: Enable TLS 1.2 cipher suites (ECDHE-ECDSA and ECDHE-RSA with AES-GCM and ChaCha20-Poly1305). Without this, only TLS 1.3 is available.
  • logging: Enable debug logging of BoringSSL errors and provider internals via the log crate.

Supported Algorithms

Cipher Suites

TLS 1.3 (always available):

AES_128_GCM_SHA256
AES_256_GCM_SHA384
CHACHA20_POLY1305_SHA256

TLS 1.2 (requires tls12 feature):

ECDHE_ECDSA_AES128_GCM_SHA256
ECDHE_RSA_AES128_GCM_SHA256
ECDHE_ECDSA_AES256_GCM_SHA384
ECDHE_RSA_AES256_GCM_SHA384
ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Key Exchange Groups

Matches boring's default supported group list:

X25519MLKEM768 (0x11ec, requires mlkem feature, TLS 1.3 only)
X25519
secp256r1 (P-256)
secp384r1 (P-384)

When mlkem is enabled, X25519MLKEM768 is the preferred (first) group in both FIPS and non-FIPS configurations.

Signature Algorithms

RSA_PKCS1_SHA256
RSA_PKCS1_SHA384
RSA_PKCS1_SHA512
RSA_PSS_SHA256
RSA_PSS_SHA384
RSA_PSS_SHA512
ECDSA_NISTP256_SHA256
ECDSA_NISTP384_SHA384
ECDSA_NISTP521_SHA512
ED25519
ED448

Post-Quantum Key Exchange

The mlkem feature enables the X25519MLKEM768 hybrid key exchange group per draft-ietf-tls-ecdhe-mlkem-00. This combines classical X25519 Diffie-Hellman with ML-KEM-768 (FIPS 203) post-quantum key encapsulation, so the key exchange stays secure as long as at least one of the two components remains unbroken, covering both classical and quantum adversaries.

The fips feature implies mlkem, so X25519MLKEM768 is always available in FIPS mode.

Wire format (ML-KEM component first in all encodings):

  • Client key share: mlkem_pk(1184) || x25519_pk(32) = 1216 bytes
  • Server key share: mlkem_ct(1088) || x25519_pk(32) = 1120 bytes
  • Shared secret: mlkem_ss(32) || x25519_ss(32) = 64 bytes

Interoperability has been verified against Cloudflare's PQ endpoints (pq.cloudflareresearch.com).
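The byte layout above, as an added example that is not the provider's own code: the hybrid client and server shares are split into their ML-KEM and X25519 components with exact-length checks, and the two component secrets are concatenated in wire order. Lengths are the draft's fixed sizes; the sample bytes in `main` are constructed filler, not real key material.

```rust
// Added example, not the provider's own code: byte layout of X25519MLKEM768
// shares and shared secret (draft-ietf-tls-ecdhe-mlkem-00, ML-KEM first), with
// strict length checks so a malformed peer share is an error, not a panic.
const MLKEM768_PK_LEN: usize = 1184;
const MLKEM768_CT_LEN: usize = 1088;
const X25519_PK_LEN: usize = 32;
const COMPONENT_SS_LEN: usize = 32;
#[derive(Debug, PartialEq, Eq)]
pub enum ShareError {
    BadLength { expected: usize, got: usize },
}

fn split_exact(buf: &[u8], first: usize, second: usize) -> Result<(&[u8], &[u8]), ShareError> {
    let expected = first + second;
    if buf.len() != expected {
        return Err(ShareError::BadLength { expected, got: buf.len() });
    }
    Ok(buf.split_at(first))
}

/// Client key share: mlkem_pk(1184) || x25519_pk(32) -> (mlkem_pk, x25519_pk).
pub fn split_client_share(share: &[u8]) -> Result<(&[u8], &[u8]), ShareError> {
    split_exact(share, MLKEM768_PK_LEN, X25519_PK_LEN)
}

/// Server key share: mlkem_ct(1088) || x25519_pk(32) -> (mlkem_ct, x25519_pk).
pub fn split_server_share(share: &[u8]) -> Result<(&[u8], &[u8]), ShareError> {
    split_exact(share, MLKEM768_CT_LEN, X25519_PK_LEN)
}

/// Shared secret in wire order: mlkem_ss(32) || x25519_ss(32) = 64 bytes.
pub fn combine_shared_secret(mlkem_ss: &[u8], x25519_ss: &[u8]) -> Result<[u8; 64], ShareError> {
    for part in [mlkem_ss, x25519_ss] {
        if part.len() != COMPONENT_SS_LEN {
            return Err(ShareError::BadLength { expected: COMPONENT_SS_LEN, got: part.len() });
        }
    }
    let mut out = [0u8; 64];
    out[..COMPONENT_SS_LEN].copy_from_slice(mlkem_ss);
    out[COMPONENT_SS_LEN..].copy_from_slice(x25519_ss);
    Ok(out)
}

fn main() {
    // Constructed filler bytes, not real key material.
    let share = vec![0xAB; MLKEM768_PK_LEN + X25519_PK_LEN];
    let (pk, x) = split_client_share(&share).expect("well-formed share");
    println!("mlkem_pk={} x25519_pk={}", pk.len(), x.len());
    println!("truncated: {:?}", split_client_share(&share[..share.len() - 1]));
}
```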

FIPS Mode

When the fips feature is enabled the provider builds against a FIPS-validated version of BoringSSL and restricts all algorithm selections to those approved under SP 800-52r2, aligned with boring's fips202205 compliance policy:

  • Cipher suites: AES-GCM only (no ChaCha20-Poly1305).
  • Key exchange groups: X25519MLKEM768 (preferred), P-256, and P-384 only (no standalone X25519).
  • Signature algorithms: RSA PKCS#1 / PSS and ECDSA with P-256 or P-384 only (no P-521, Ed25519, or Ed448).

Workspace Structure

  • boring-rustls-provider: The main rustls crypto provider.
  • boring-additions: Safe Rust wrappers for BoringSSL APIs not yet exposed by the boring crate (AEAD, EVP_PKEY_CTX, HMAC_CTX). Intended for upstreaming.
  • boring-sys-additions: Raw FFI binding for CRYPTO_tls1_prf (internal BoringSSL symbol used for the FIPS-compliant TLS 1.2 PRF). Intended for upstreaming.
  • examples: Example client binary.

License

MIT