Upgrade to rustls v0.22 (#15)

* Upgrade to rustls v0.22 * Apply suggestions from code review Co-authored-by: YX Cao <[email protected]> --------- Co-authored-by: Arash Sahebolamri <[email protected]> Co-authored-by: YX Cao <[email protected]>
fortanix · Dec 6, 2023 · 003f727 · 003f727
1 parent a04c185
commit 003f727
Show file tree

Hide file tree

Showing 17 changed files with 225 additions and 733 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/examples/Cargo.toml b/examples/Cargo.toml
@@ -7,8 +7,10 @@ description = "rustls-mbedtls-provider example code."
 publish = false
 
 [dependencies]
-rustls-mbedcrypto-provider = { path = "../rustls-mbedcrypto-provider" }
+rustls-mbedcrypto-provider = { path = "../rustls-mbedcrypto-provider", features = ["tls12"] }
 rustls-mbedpki-provider = { path = "../rustls-mbedpki-provider" }
 env_logger = "0.10"
-rustls = { version = "0.22.0-alpha.4", default-features = false }
+rustls = { version = "0.22.0", default-features = false }
 rustls-native-certs = "0.6.3"
+rustls-pki-types = "1"
+rustls-pemfile = "2"
diff --git a/examples/src/main.rs b/examples/src/main.rs
@@ -9,7 +9,7 @@ use std::io::{stderr, stdout, Read, Write};
 use std::net::TcpStream;
 use std::sync::Arc;
 
-use rustls_mbedcrypto_provider::MBEDTLS;
+use rustls_mbedcrypto_provider::mbedtls_crypto_provider;
 use rustls_mbedpki_provider::MbedTlsServerCertVerifier;
 
 fn main() {
@@ -21,9 +21,7 @@ fn main() {
         .map(|cert| cert.0.into())
         .collect();
     let server_cert_verifier = MbedTlsServerCertVerifier::new(&root_certs).unwrap();
-    let config = rustls::ClientConfig::builder_with_provider(MBEDTLS)
-        .with_safe_default_cipher_suites()
-        .with_safe_default_kx_groups()
+    let config = rustls::ClientConfig::builder_with_provider(mbedtls_crypto_provider().into())
         .with_safe_default_protocol_versions()
         .unwrap()
         .dangerous()

diff --git a/rustls-mbedcrypto-provider/Cargo.toml b/rustls-mbedcrypto-provider/Cargo.toml
@@ -12,15 +12,15 @@ categories = ["network-programming", "cryptography"]
 resolver = "2"
 
 [dependencies]
-rustls = { version = "0.22.0-alpha.4", default-features = false }
+rustls = { version = "0.22.0", default-features = false }
 mbedtls = { version = "0.12.0-alpha.2", default-features = false, features = [
     "std",
 ] }
 log = { version = "0.4.4", optional = true }
-pki-types = { package = "rustls-pki-types", version = "0.2.1", features = [
+pki-types = { package = "rustls-pki-types", version = "1", features = [
     "std",
 ] }
-webpki = { package = "rustls-webpki", version = "0.102.0-alpha.6", features = [
+webpki = { package = "rustls-webpki", version = "0.102.0", features = [
     "alloc",
     "std",
 ], default-features = false }
@@ -36,16 +36,11 @@ mbedtls = { version = "0.12.0-alpha.2", default-features = false, features = [
 ] }
 
 [dev-dependencies]
-rustls = { version = "0.22.0-alpha.4", default-features = false, features = [
+rustls = { version = "0.22.0", default-features = false, features = [
     "ring",
 ] }
-webpki = { package = "rustls-webpki", version = "0.102.0-alpha.1", default-features = false, features = [
-    "alloc",
-    "std",
-] }
-pki-types = { package = "rustls-pki-types", version = "0.2.0" }
-webpki-roots = "0.26.0-alpha.2"
-rustls-pemfile = "=2.0.0-alpha.2"
+webpki-roots = "0.26.0"
+rustls-pemfile = "2"
 env_logger = "0.10"
 log = { version = "0.4.4" }
 

diff --git a/rustls-mbedcrypto-provider/examples/client.rs b/rustls-mbedcrypto-provider/examples/client.rs
@@ -9,7 +9,7 @@ use std::io::{stdout, Read, Write};
 use std::net::TcpStream;
 use std::sync::Arc;
 
-use rustls_mbedcrypto_provider::MBEDTLS;
+use rustls_mbedcrypto_provider::mbedtls_crypto_provider;
 
 fn main() {
     env_logger::init();
@@ -21,8 +21,9 @@ fn main() {
             .cloned(),
     );
 
-    let config = rustls::ClientConfig::builder_with_provider(MBEDTLS)
-        .with_safe_defaults()
+    let config = rustls::ClientConfig::builder_with_provider(mbedtls_crypto_provider().into())
+        .with_safe_default_protocol_versions()
+        .unwrap()
         .with_root_certificates(root_store)
         .with_no_client_auth();
 

diff --git a/rustls-mbedcrypto-provider/examples/internal/bench.rs b/rustls-mbedcrypto-provider/examples/internal/bench.rs
@@ -22,6 +22,7 @@ use pki_types::{CertificateDer, PrivateKeyDer};
 
 use rustls::client::Resumption;
 use rustls::crypto::ring::{cipher_suite, Ticketer};
+use rustls::crypto::CryptoProvider;
 use rustls::server::{NoServerSessionStorage, ServerSessionMemoryCache, WebPkiClientVerifier};
 use rustls::RootCertStore;
 use rustls::{ClientConfig, ClientConnection};
@@ -298,9 +299,7 @@ fn make_server_config(
         ClientAuth::No => WebPkiClientVerifier::no_client_auth(),
     };
 
-    let mut cfg = ServerConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS)
-        .with_safe_default_cipher_suites()
-        .with_safe_default_kx_groups()
+    let mut cfg = ServerConfig::builder_with_provider(rustls_mbedcrypto_provider::mbedtls_crypto_provider().into())
         .with_protocol_versions(&[params.version])
         .unwrap()
         .with_client_cert_verifier(client_auth)
@@ -324,12 +323,16 @@ fn make_client_config(params: &BenchmarkParam, clientauth: ClientAuth, resume: R
     let mut rootbuf = io::BufReader::new(fs::File::open(params.key_type.path_for("ca.cert")).unwrap());
     root_store.add_parsable_certificates(rustls_pemfile::certs(&mut rootbuf).map(|result| result.unwrap()));
 
-    let cfg = ClientConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS)
-        .with_cipher_suites(&[params.ciphersuite])
-        .with_safe_default_kx_groups()
-        .with_protocol_versions(&[params.version])
-        .unwrap()
-        .with_root_certificates(root_store);
+    let cfg = ClientConfig::builder_with_provider(
+        CryptoProvider {
+            cipher_suites: vec![params.ciphersuite],
+            ..rustls_mbedcrypto_provider::mbedtls_crypto_provider()
+        }
+        .into(),
+    )
+    .with_protocol_versions(&[params.version])
+    .unwrap()
+    .with_root_certificates(root_store);
 
     let mut cfg = if clientauth == ClientAuth::Yes {
         cfg.with_client_auth_cert(params.key_type.get_client_chain(), params.key_type.get_client_key())

diff --git a/rustls-mbedcrypto-provider/src/lib.rs b/rustls-mbedcrypto-provider/src/lib.rs
@@ -91,7 +91,10 @@ pub(crate) mod tls12;
 pub(crate) mod tls13;
 
 use mbedtls::rng::Random;
-use rustls::{SignatureScheme, SupportedCipherSuite, WebPkiSupportedAlgorithms};
+use rustls::{
+    crypto::{CryptoProvider, KeyProvider, SecureRandom, WebPkiSupportedAlgorithms},
+    SignatureScheme, SupportedCipherSuite,
+};
 
 /// RNG supported by *mbedtls*
 pub mod rng {
@@ -115,43 +118,43 @@ pub mod rng {
     }
 }
 
-/// A `CryptoProvider` backed by the [*mbedtls*] crate.
+/// returns a `CryptoProvider` backed by the [*mbedtls*] crate.
 ///
 /// [*mbedtls*]: https://github.com/fortanix/rust-mbedtls
-pub static MBEDTLS: &'static dyn rustls::crypto::CryptoProvider = &Mbedtls;
+pub fn mbedtls_crypto_provider() -> CryptoProvider {
+    CryptoProvider {
+        cipher_suites: ALL_CIPHER_SUITES.to_vec(),
+        kx_groups: ALL_KX_GROUPS.to_vec(),
+        signature_verification_algorithms: SUPPORTED_SIG_ALGS,
+        secure_random: &MbedtlsSecureRandom,
+        key_provider: &MbedtlsKeyProvider,
+    }
+}
 
-/// Crypto provider based on the [*mbedtls*] crate.
-///
-/// [*mbedtls*]: https://github.com/fortanix/rust-mbedtls
 #[derive(Debug)]
-struct Mbedtls;
+/// Implements `SecureRandom` using `mbedtls`
+pub struct MbedtlsSecureRandom;
 
-impl rustls::crypto::CryptoProvider for Mbedtls {
-    fn fill_random(&self, bytes: &mut [u8]) -> Result<(), rustls::crypto::GetRandomFailed> {
+impl SecureRandom for MbedtlsSecureRandom {
+    fn fill(&self, buf: &mut [u8]) -> Result<(), rustls::crypto::GetRandomFailed> {
         rng::rng_new()
             .ok_or(rustls::crypto::GetRandomFailed)?
-            .random(bytes)
+            .random(buf)
             .map_err(|_| rustls::crypto::GetRandomFailed)
     }
+}
 
-    fn default_cipher_suites(&self) -> &'static [SupportedCipherSuite] {
-        ALL_CIPHER_SUITES
-    }
-
-    fn default_kx_groups(&self) -> &'static [&'static dyn rustls::crypto::SupportedKxGroup] {
-        ALL_KX_GROUPS
-    }
+#[derive(Debug)]
+/// Implements `KeyProvider` using `mbedtls`
+pub struct MbedtlsKeyProvider;
 
+impl KeyProvider for MbedtlsKeyProvider {
     fn load_private_key(
         &self,
-        key_der: pki_types::PrivateKeyDer<'static>,
+        key_der: webpki::types::PrivateKeyDer<'static>,
     ) -> Result<alloc::sync::Arc<dyn rustls::sign::SigningKey>, rustls::Error> {
         Ok(alloc::sync::Arc::new(sign::MbedTlsPkSigningKey::new(&key_der)?))
     }
-
-    fn signature_verification_algorithms(&self) -> WebPkiSupportedAlgorithms {
-        SUPPORTED_SIG_ALGS
-    }
 }
 
 /// The cipher suite configuration that an application should use by default.