janrueth · janrueth · Nov 26, 2023 · Nov 26, 2023 · Nov 26, 2023
diff --git a/Readme.md b/Readme.md
@@ -17,7 +17,7 @@ AES_256_GCM_SHA384
 CHACHA20_POLY1305_SHA256
 ```
 
-TLS 1.2 prepared for (doesn't work yet):
+TLS 1.2 (only ECDSA is tested):
 ```
 ECDHE_ECDSA_AES128_GCM_SHA256
 ECDHE_RSA_AES128_GCM_SHA256

diff --git a/boring-rustls-provider/Cargo.toml b/boring-rustls-provider/Cargo.toml
@@ -33,6 +33,9 @@ webpki = { package = "rustls-webpki", version = "0.102.0-alpha.1", default-featu
 
 [dev-dependencies]
 hex-literal = "0.4"
+rcgen = "0.11.3"
+tokio = { version = "1.34", features = ["macros", "rt", "net", "io-util", "io-std"] }
+tokio-rustls = "0.25.0-alpha.2"
 
 
 
diff --git a/boring-rustls-provider/src/aead.rs b/boring-rustls-provider/src/aead.rs
@@ -111,23 +111,38 @@ where
         msg: cipher::BorrowedPlainMessage,
         seq: u64,
     ) -> Result<cipher::OpaqueMessage, rustls::Error> {
-        let total_len = msg.payload.len() + 1 + self.crypter.max_overhead();
-
-        let mut payload = Vec::with_capacity(total_len);
-        payload.extend_from_slice(msg.payload);
-        payload.push(msg.typ.get_u8());
-
         let nonce = cipher::Nonce::new(&self.iv, seq);
 
         match self.tls_version {
             #[cfg(feature = "tls12")]
             ProtocolVersion::TLSv1_2 => {
-                let aad = cipher::make_tls12_aad(seq, msg.typ, msg.version, total_len);
-                self.encrypt_in_place(Nonce::<T>::from_slice(&nonce.0), &aad, &mut payload)
+                let fixed_iv_len = <T as BoringCipher>::fixed_iv_len();
+                let explicit_nonce_len = <T as BoringCipher>::explicit_nonce_len();
+
+                let total_len =
+                    msg.payload.len() + self.crypter.max_overhead() + explicit_nonce_len;
+
+                let mut full_payload = Vec::with_capacity(total_len);
+                full_payload.extend_from_slice(&nonce.0.as_ref()[fixed_iv_len..]);
+                full_payload.extend_from_slice(msg.payload);
+                full_payload.extend_from_slice(&vec![0u8; self.crypter.max_overhead()]);
+
+                let (_, payload) = full_payload.split_at_mut(explicit_nonce_len);
+                let (payload, tag) = payload.split_at_mut(msg.payload.len());
+                let aad = cipher::make_tls12_aad(seq, msg.typ, msg.version, msg.payload.len());
+                self.crypter
+                    .seal_in_place(&nonce.0, &aad, payload, tag)
                     .map_err(|_| rustls::Error::EncryptError)
-                    .map(|_| cipher::OpaqueMessage::new(msg.typ, msg.version, payload))
+                    .map(|_| cipher::OpaqueMessage::new(msg.typ, msg.version, full_payload))
             }
+
             ProtocolVersion::TLSv1_3 => {
+                let total_len = msg.payload.len() + 1 + self.crypter.max_overhead();
+
+                let mut payload = Vec::with_capacity(total_len);
+                payload.extend_from_slice(msg.payload);
+                payload.push(msg.typ.get_u8());
+
                 let aad = cipher::make_tls13_aad(total_len);
                 self.encrypt_in_place(Nonce::<T>::from_slice(&nonce.0), &aad, &mut payload)
                     .map_err(|_| rustls::Error::EncryptError)
@@ -159,18 +174,56 @@ where
         seq: u64,
     ) -> Result<cipher::PlainMessage, rustls::Error> {
         // construct nonce
-        let nonce = cipher::Nonce::new(&self.iv, seq);
 
         // construct the aad and decrypt
         match self.tls_version {
             #[cfg(feature = "tls12")]
             ProtocolVersion::TLSv1_2 => {
-                let aad = make_tls12_aad(seq, m.typ, m.version, m.payload().len());
-                self.decrypt_in_place(Nonce::<T>::from_slice(&nonce.0), &aad, m.payload_mut())
+                let explicit_nonce_len = <T as BoringCipher>::explicit_nonce_len();
+
+                // payload is: [nonce] | [ciphertext] | [auth tag]
+                let actual_payload_length =
+                    m.payload().len() - self.crypter.max_overhead() - explicit_nonce_len;
+
+                let aad = make_tls12_aad(seq, m.typ, m.version, actual_payload_length);
+
+                let payload = m.payload_mut();
+
+                // get the nonce
+                let (explicit_nonce, payload) = payload.split_at_mut(explicit_nonce_len);
+
+                let nonce = {
+                    let fixed_iv_len = <T as BoringCipher>::fixed_iv_len();
+
+                    assert_eq!(explicit_nonce_len + fixed_iv_len, 12);
+
+                    // grab the IV by constructing a nonce, this is just an xor
+                    let iv = cipher::Nonce::new(&self.iv, 0).0;
+                    let mut nonce = [0u8; 12];
+                    nonce[..fixed_iv_len].copy_from_slice(&iv[..fixed_iv_len]);
+                    nonce[fixed_iv_len..].copy_from_slice(explicit_nonce);
+                    nonce
+                };
+
+                // split off the authentication tag
+                let (payload, tag) =
+                    payload.split_at_mut(payload.len() - self.crypter.max_overhead());
+
+                self.crypter
+                    .open_in_place(&nonce, &aad, payload, tag)
                     .map_err(|_| rustls::Error::DecryptError)
-                    .map(|_| m.into_plain_message())
+                    .map(|_| {
+                        // rotate the nonce to the end
+                        m.payload_mut().rotate_left(explicit_nonce_len);
+
+                        // truncate buffer to the actual payload
+                        m.payload_mut().truncate(actual_payload_length);
+
+                        m.into_plain_message()
+                    })
             }
             ProtocolVersion::TLSv1_3 => {
+                let nonce = cipher::Nonce::new(&self.iv, seq);
                 let aad = make_tls13_aad(m.payload().len());
                 self.decrypt_in_place(Nonce::<T>::from_slice(&nonce.0), &aad, m.payload_mut())
                     .map_err(|_| rustls::Error::DecryptError)
@@ -221,18 +274,29 @@ impl<T: BoringAead + 'static> cipher::Tls12AeadAlgorithm for Aead<T> {
         &self,
         key: cipher::AeadKey,
         iv: &[u8],
-        _extra: &[u8],
+        extra: &[u8],
     ) -> Box<dyn cipher::MessageEncrypter> {
+        let mut full_iv = Vec::with_capacity(iv.len() + extra.len());
+        full_iv.extend_from_slice(iv);
+        full_iv.extend_from_slice(extra);
         Box::new(
-            BoringAeadCrypter::<T>::new(Iv::copy(iv), key.as_ref(), ProtocolVersion::TLSv1_2)
+            BoringAeadCrypter::<T>::new(Iv::copy(&full_iv), key.as_ref(), ProtocolVersion::TLSv1_2)
                 .expect("failed to create AEAD crypter"),
         )
     }
 
     fn decrypter(&self, key: cipher::AeadKey, iv: &[u8]) -> Box<dyn cipher::MessageDecrypter> {
+        let mut pseudo_iv =
+            Vec::with_capacity(iv.len() + <T as BoringCipher>::explicit_nonce_len());
+        pseudo_iv.extend_from_slice(iv);
+        pseudo_iv.extend_from_slice(&vec![0u8; <T as BoringCipher>::explicit_nonce_len()]);
         Box::new(
-            BoringAeadCrypter::<T>::new(Iv::copy(iv), key.as_ref(), ProtocolVersion::TLSv1_2)
-                .expect("failed to create AEAD crypter"),
+            BoringAeadCrypter::<T>::new(
+                Iv::copy(&pseudo_iv),
+                key.as_ref(),
+                ProtocolVersion::TLSv1_2,
+            )
+            .expect("failed to create AEAD crypter"),
         )
     }
 
@@ -241,18 +305,29 @@ impl<T: BoringAead + 'static> cipher::Tls12AeadAlgorithm for Aead<T> {
             enc_key_len: <T as BoringCipher>::key_size(),
             // there is no benefit of splitting these up here, we'd need to stich them anyways
             // by only setting fixed_iv_len we get the full lengths
-            fixed_iv_len: <T as BoringCipher>::fixed_iv_len()
-                + <T as BoringCipher>::explicit_nonce_len(),
-            explicit_nonce_len: 0,
+            fixed_iv_len: <T as BoringCipher>::fixed_iv_len(),
+            explicit_nonce_len: <T as BoringCipher>::explicit_nonce_len(),
         }
     }
 
     fn extract_keys(
         &self,
         key: cipher::AeadKey,
         iv: &[u8],
-        _explicit: &[u8],
+        explicit: &[u8],
     ) -> Result<ConnectionTrafficSecrets, cipher::UnsupportedOperationError> {
-        Ok(<T as BoringCipher>::extract_keys(key, Iv::copy(iv)))
+        let nonce = {
+            let fixed_iv_len = <T as BoringCipher>::fixed_iv_len();
+            let explicit_nonce_len = <T as BoringCipher>::explicit_nonce_len();
+            assert_eq!(explicit_nonce_len + fixed_iv_len, 12);
+
+            // grab the IV by constructing a nonce, this is just an xor
+
+            let mut nonce = [0u8; 12];
+            nonce[..fixed_iv_len].copy_from_slice(&iv[..fixed_iv_len]);
+            nonce[fixed_iv_len..].copy_from_slice(explicit);
+            nonce
+        };
+        Ok(<T as BoringCipher>::extract_keys(key, Iv::copy(&nonce)))
     }
 }
diff --git a/boring-rustls-provider/src/hash.rs b/boring-rustls-provider/src/hash.rs
@@ -62,6 +62,24 @@ mod tests {
     use super::SHA256;
     use hex_literal::hex;
 
+    #[test]
+    fn test_context() {
+        let mut hash = SHA256.start();
+        hash.update(b"ABCDE");
+        let abcde = hash.fork_finish();
+        hash.update(b"FGHIJ");
+        let abcdefghij = hash.finish();
+
+        assert_eq!(
+            abcde.as_ref(),
+            hex!("f0393febe8baaa55e32f7be2a7cc180bf34e52137d99e056c817a9c07b8f239a")
+        );
+        assert_eq!(
+            abcdefghij.as_ref(),
+            hex!("261305762671a58cae5b74990bcfc236c2336fb04a0fbac626166d9491d2884c")
+        );
+    }
+
     #[test]
     fn test_sha256() {
         let hash = SHA256.hash("test".as_bytes());

diff --git a/boring-rustls-provider/src/lib.rs b/boring-rustls-provider/src/lib.rs
@@ -15,11 +15,11 @@ mod hmac;
 mod kx;
 #[cfg(feature = "tls12")]
 mod prf;
-mod sign;
+pub mod sign;
 #[cfg(feature = "tls12")]
-mod tls12;
-mod tls13;
-mod verify;
+pub mod tls12;
+pub mod tls13;
+pub mod verify;
 
 /// The boringssl-based Rustls Crypto provider
 pub static PROVIDER: &'static dyn CryptoProvider = &Provider;

diff --git a/boring-rustls-provider/src/sign.rs b/boring-rustls-provider/src/sign.rs
@@ -174,17 +174,21 @@ impl BoringSigner {
 
 impl rustls::sign::Signer for BoringSigner {
     fn sign(&self, message: &[u8]) -> Result<Vec<u8>, rustls::Error> {
-        let signer = self.get_signer();
-        let mut msg_with_sig =
-            Vec::<u8>::with_capacity(message.len() + boring_sys::EVP_MAX_MD_SIZE as usize);
-        msg_with_sig.extend_from_slice(message);
-        msg_with_sig.extend_from_slice(&[0u8; boring_sys::EVP_MAX_MD_SIZE as usize]);
-
-        let toatl_len = signer
-            .sign(&mut msg_with_sig[..])
-            .map_err(|e| log_and_map("sign", e, rustls::Error::General("failed signing".into())))?;
-        msg_with_sig.truncate(toatl_len);
-        Ok(msg_with_sig)
+        let mut signer = self.get_signer();
+        let max_sig_len = signer
+            .len()
+            .map_err(|e| log_and_map("len", e, rustls::Error::General("failed signing".into())))?;
+        let mut sig = vec![0u8; max_sig_len];
+
+        let sig_len = signer.sign_oneshot(&mut sig[..], message).map_err(|e| {
+            log_and_map(
+                "sign_oneshot",
+                e,
+                rustls::Error::General("failed signing".into()),
+            )
+        })?;
+        sig.truncate(sig_len);
+        Ok(sig)
     }
 
     fn scheme(&self) -> rustls::SignatureScheme {