Skip to content

Commit

Permalink
Update to v22
Browse files Browse the repository at this point in the history
  • Loading branch information
Jan Rüth committed Dec 8, 2023
1 parent 107b463 commit 024c3be
Show file tree
Hide file tree
Showing 8 changed files with 82 additions and 87 deletions.
12 changes: 6 additions & 6 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,9 @@ resolver = "2"
[workspace.dependencies]
boring = { version = "4", default-features = false }
boring-sys = { version = "4", default-features = false }
rustls = { version = "=0.22.0-alpha.6", default-features = false }
rustls-pemfile = { version = "=2.0.0-alpha.2" }
rustls-pki-types = { version = "0.2.3" }
tokio-rustls = { version = "0.25.0-alpha.4" }
webpki = { package = "rustls-webpki", version = "0.102.0-alpha.7", default-features = false }
webpki-roots = { version = "=0.26.0-alpha.2" }
rustls = { version = "0.22", default-features = false }
rustls-pemfile = { version = "2" }
rustls-pki-types = { version = "1" }
tokio-rustls = { version = "0.25" }
webpki = { package = "rustls-webpki", version = "0.102", default-features = false }
webpki-roots = { version = "0.26" }
67 changes: 30 additions & 37 deletions boring-rustls-provider/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -21,56 +21,49 @@ pub mod tls12;
pub mod tls13;
pub mod verify;

/// The boringssl-based Rustls Crypto provider
pub static PROVIDER: &'static dyn CryptoProvider = &Provider;

#[derive(Debug)]
struct Provider;

impl CryptoProvider for Provider {
fn fill_random(&self, bytes: &mut [u8]) -> Result<(), GetRandomFailed> {
boring::rand::rand_bytes(bytes).map_err(|e| log_and_map("rand_bytes", e, GetRandomFailed))
pub fn provider() -> CryptoProvider {
#[cfg(feature = "fips-only")]
{
provider_with_ciphers(ALL_FIPS_CIPHER_SUITES.to_vec())
}
#[cfg(not(feature = "fips-only"))]
{
provider_with_ciphers(ALL_CIPHER_SUITES.to_vec())
}
}

fn default_cipher_suites(&self) -> &'static [SupportedCipherSuite] {
pub fn provider_with_ciphers(ciphers: Vec<rustls::SupportedCipherSuite>) -> CryptoProvider {
CryptoProvider {
cipher_suites: ciphers,
#[cfg(feature = "fips-only")]
{
ALL_FIPS_CIPHER_SUITES
}
kx_groups: ALL_FIPS_KX_GROUPS.to_vec(),
#[cfg(not(feature = "fips-only"))]
{
ALL_CIPHER_SUITES
}
}

fn default_kx_groups(&self) -> &'static [&'static dyn SupportedKxGroup] {
kx_groups: ALL_KX_GROUPS.to_vec(),
#[cfg(feature = "fips-only")]
{
ALL_FIPS_KX_GROUPS
}
signature_verification_algorithms: verify::ALL_FIPS_ALGORITHMS,
#[cfg(not(feature = "fips-only"))]
{
ALL_KX_GROUPS
}
signature_verification_algorithms: verify::ALL_ALGORITHMS,
secure_random: &Provider,
key_provider: &Provider,
}
}

#[derive(Debug)]
struct Provider;

impl rustls::crypto::SecureRandom for Provider {
fn fill(&self, bytes: &mut [u8]) -> Result<(), rustls::crypto::GetRandomFailed> {
boring::rand::rand_bytes(bytes).map_err(|e| log_and_map("rand_bytes", e, GetRandomFailed))
}
}

impl rustls::crypto::KeyProvider for Provider {
fn load_private_key(
&self,
key_der: PrivateKeyDer<'static>,
) -> Result<std::sync::Arc<dyn rustls::sign::SigningKey>, rustls::Error> {
) -> Result<Arc<dyn rustls::sign::SigningKey>, rustls::Error> {
sign::BoringPrivateKey::try_from(key_der).map(|x| Arc::new(x) as _)
}

fn signature_verification_algorithms(&self) -> rustls::WebPkiSupportedAlgorithms {
#[cfg(feature = "fips-only")]
{
verify::ALL_FIPS_ALGORITHMS
}
#[cfg(not(feature = "fips-only"))]
{
verify::ALL_ALGORITHMS
}
}
}

#[allow(unused)]
Expand Down
2 changes: 1 addition & 1 deletion boring-rustls-provider/src/prf.rs
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ pub struct PrfTls1WithDigest(pub boring::nid::Nid);
impl crypto::tls12::Prf for PrfTls1WithDigest {
fn for_key_exchange(
&self,
output: &mut [u8],
output: &mut [u8; 48],
kx: Box<dyn crypto::ActiveKeyExchange>,
peer_pub_key: &[u8],
label: &[u8],
Expand Down
12 changes: 6 additions & 6 deletions boring-rustls-provider/src/tls12.rs
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ const PRF_SHA256: prf::PrfTls1WithDigest = prf::PrfTls1WithDigest(boring::nid::N
const PRF_SHA384: prf::PrfTls1WithDigest = prf::PrfTls1WithDigest(boring::nid::Nid::SHA384);

pub static ECDHE_ECDSA_AES128_GCM_SHA256: Tls12CipherSuite = Tls12CipherSuite {
common: rustls::CipherSuiteCommon {
common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
hash_provider: hash::SHA256,
confidentiality_limit: 1 << 23,
Expand All @@ -36,7 +36,7 @@ pub static ECDHE_ECDSA_AES128_GCM_SHA256: Tls12CipherSuite = Tls12CipherSuite {
};

pub static ECDHE_RSA_AES128_GCM_SHA256: Tls12CipherSuite = Tls12CipherSuite {
common: rustls::CipherSuiteCommon {
common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
hash_provider: hash::SHA256,
confidentiality_limit: 1 << 23,
Expand All @@ -49,7 +49,7 @@ pub static ECDHE_RSA_AES128_GCM_SHA256: Tls12CipherSuite = Tls12CipherSuite {
};

pub static ECDHE_ECDSA_AES256_GCM_SHA384: Tls12CipherSuite = Tls12CipherSuite {
common: rustls::CipherSuiteCommon {
common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
hash_provider: hash::SHA384,
confidentiality_limit: 1 << 23,
Expand All @@ -62,7 +62,7 @@ pub static ECDHE_ECDSA_AES256_GCM_SHA384: Tls12CipherSuite = Tls12CipherSuite {
};

pub static ECDHE_RSA_AES256_GCM_SHA384: Tls12CipherSuite = Tls12CipherSuite {
common: rustls::CipherSuiteCommon {
common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
hash_provider: hash::SHA384,
confidentiality_limit: 1 << 23,
Expand All @@ -75,7 +75,7 @@ pub static ECDHE_RSA_AES256_GCM_SHA384: Tls12CipherSuite = Tls12CipherSuite {
};

pub static ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: Tls12CipherSuite = Tls12CipherSuite {
common: rustls::CipherSuiteCommon {
common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
hash_provider: hash::SHA256,
confidentiality_limit: u64::MAX,
Expand All @@ -88,7 +88,7 @@ pub static ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: Tls12CipherSuite = Tls12Ci
};

pub static ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: Tls12CipherSuite = Tls12CipherSuite {
common: rustls::CipherSuiteCommon {
common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
hash_provider: hash::SHA256,
confidentiality_limit: u64::MAX,
Expand Down
6 changes: 3 additions & 3 deletions boring-rustls-provider/src/tls13.rs
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ use rustls::Tls13CipherSuite;
use crate::{aead, hash, hkdf};

pub static AES_128_GCM_SHA256: Tls13CipherSuite = Tls13CipherSuite {
common: rustls::CipherSuiteCommon {
common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS13_AES_128_GCM_SHA256,
hash_provider: hash::SHA256,
confidentiality_limit: 1 << 23,
Expand All @@ -15,7 +15,7 @@ pub static AES_128_GCM_SHA256: Tls13CipherSuite = Tls13CipherSuite {
};

pub static AES_256_GCM_SHA384: Tls13CipherSuite = Tls13CipherSuite {
common: rustls::CipherSuiteCommon {
common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS13_AES_256_GCM_SHA384,
hash_provider: hash::SHA384,
confidentiality_limit: 1 << 23,
Expand All @@ -27,7 +27,7 @@ pub static AES_256_GCM_SHA384: Tls13CipherSuite = Tls13CipherSuite {
};

pub static CHACHA20_POLY1305_SHA256: Tls13CipherSuite = Tls13CipherSuite {
common: rustls::CipherSuiteCommon {
common: rustls::crypto::CipherSuiteCommon {
suite: rustls::CipherSuite::TLS13_CHACHA20_POLY1305_SHA256,
hash_provider: hash::SHA256,
confidentiality_limit: u64::MAX,
Expand Down
2 changes: 1 addition & 1 deletion boring-rustls-provider/src/verify.rs
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
use rustls::{SignatureScheme, WebPkiSupportedAlgorithms};
use rustls::{crypto::WebPkiSupportedAlgorithms, SignatureScheme};

pub(crate) mod ec;
pub(crate) mod ed;
Expand Down
56 changes: 29 additions & 27 deletions boring-rustls-provider/tests/e2e.rs
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ use tokio::{
net::TcpStream,
};

use boring_rustls_provider::{tls12, tls13, PROVIDER};
use boring_rustls_provider::{tls12, tls13};
use rustls::{
version::{TLS12, TLS13},
ClientConfig, ServerConfig, SupportedCipherSuite,
Expand All @@ -28,13 +28,13 @@ async fn test_tls13_crypto() {
];

for cipher in ciphers {
let config = ClientConfig::builder_with_provider(PROVIDER)
.with_cipher_suites(&[cipher])
.with_safe_default_kx_groups()
.with_protocol_versions(&[&TLS13])
.unwrap()
.with_root_certificates(root_store.clone())
.with_no_client_auth();
let config = ClientConfig::builder_with_provider(Arc::new(
boring_rustls_provider::provider_with_ciphers([cipher].to_vec()),
))
.with_protocol_versions(&[&TLS13])
.unwrap()
.with_root_certificates(root_store.clone())
.with_no_client_auth();

do_exchange(config, server_config.clone()).await;
}
Expand All @@ -54,13 +54,13 @@ async fn test_tls12_ec_crypto() {
];

for cipher in ciphers {
let config = ClientConfig::builder_with_provider(PROVIDER)
.with_cipher_suites(&[cipher])
.with_safe_default_kx_groups()
.with_protocol_versions(&[&TLS12])
.unwrap()
.with_root_certificates(root_store.clone())
.with_no_client_auth();
let config = ClientConfig::builder_with_provider(Arc::new(
boring_rustls_provider::provider_with_ciphers([cipher].to_vec()),
))
.with_protocol_versions(&[&TLS12])
.unwrap()
.with_root_certificates(root_store.clone())
.with_no_client_auth();

do_exchange(config, server_config.clone()).await;
}
Expand All @@ -80,13 +80,13 @@ async fn test_tls12_rsa_crypto() {
];

for cipher in ciphers {
let config = ClientConfig::builder_with_provider(PROVIDER)
.with_cipher_suites(&[cipher])
.with_safe_default_kx_groups()
.with_protocol_versions(&[&TLS12])
.unwrap()
.with_root_certificates(root_store.clone())
.with_no_client_auth();
let config = ClientConfig::builder_with_provider(Arc::new(
boring_rustls_provider::provider_with_ciphers([cipher].to_vec()),
))
.with_protocol_versions(&[&TLS12])
.unwrap()
.with_root_certificates(root_store.clone())
.with_no_client_auth();

do_exchange(config, server_config.clone()).await;
}
Expand Down Expand Up @@ -176,11 +176,13 @@ impl TestPki {
}

fn server_config(self) -> Arc<ServerConfig> {
let mut server_config = ServerConfig::builder_with_provider(PROVIDER)
.with_safe_defaults()
.with_no_client_auth()
.with_single_cert(vec![self.server_cert_der], self.server_key_der)
.unwrap();
let mut server_config =
ServerConfig::builder_with_provider(Arc::new(boring_rustls_provider::provider()))
.with_protocol_versions(&[&TLS12, &TLS13])
.unwrap()
.with_no_client_auth()
.with_single_cert(vec![self.server_cert_der], self.server_key_der)
.unwrap();

server_config.key_log = Arc::new(rustls::KeyLogFile::new());

Expand Down
12 changes: 6 additions & 6 deletions examples/src/bin/client.rs
Original file line number Diff line number Diff line change
Expand Up @@ -2,18 +2,18 @@ use std::io::{stdout, Read, Write};
use std::net::TcpStream;
use std::sync::Arc;

use boring_rustls_provider::PROVIDER;

fn main() {
env_logger::init();

let mut root_store = rustls::RootCertStore::empty();
root_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());

let config = rustls::ClientConfig::builder_with_provider(PROVIDER)
.with_safe_defaults()
.with_root_certificates(root_store)
.with_no_client_auth();
let config =
rustls::ClientConfig::builder_with_provider(boring_rustls_provider::provider().into())
.with_safe_default_protocol_versions()
.unwrap()
.with_root_certificates(root_store)
.with_no_client_auth();

let server_name = "www.rust-lang.org".try_into().unwrap();
let mut conn = rustls::ClientConnection::new(Arc::new(config), server_name).unwrap();
Expand Down

0 comments on commit 024c3be

Please sign in to comment.