Upgrade to use rustls 0.22.0-alpha.4 (#12)

* build: upgrade to use rustls 0.22.0-alpha.4

* feat: add signer impl

- Add crate `rustls-mbedtls-provider-utils`
- Add signer impl

* feat: add SignatureVerificationAlgorithm

* fix: fix tests

* test: update test code to fit with mbedtls

* fix implementation

* fix clippy

* test: add more unit tests

* test: add more unit tests

* ci: turn of CARGO_INCREMENTAL

Turn off CARGO_INCREMENTAL to ensure cache & test
coverage works correctly.

* style: fmt

* build: update ws default-members

Add rustls-mbedtls-provider-utils to default-members

* docs: fix rustdoc

* refactor: better prefer order

Update `RSA_SIGNATURE_SCHEME_PREFER_LIST` to have a better order.

.github/workflows/build.yml

@@ -17,6 +17,7 @@ on:
 env:
   CARGO_TERM_COLOR: always
   CARGO_NET_RETRY: 10
+  CARGO_INCREMENTAL: 0
 
 jobs:
   build:

.gitignore

@@ -11,3 +11,4 @@ admin/rustfmt
 **/._.DS_Store
 /.idea
 /default.profraw
+.cargo/

Cargo.toml

@@ -1,4 +1,9 @@
 [workspace]
-members = ["examples","rustls-mbedcrypto-provider", "rustls-mbedpki-provider"]
-default-members = ["rustls-mbedcrypto-provider", "rustls-mbedpki-provider"]
+members = [
+    "examples",
+    "rustls-mbedcrypto-provider",
+    "rustls-mbedpki-provider",
+    "rustls-mbedtls-provider-utils",
+]
+default-members = ["rustls-mbedcrypto-provider", "rustls-mbedpki-provider", "rustls-mbedtls-provider-utils"]
 resolver = "2"

examples/Cargo.toml

@@ -10,7 +10,5 @@ publish = false
 rustls-mbedcrypto-provider = { path = "../rustls-mbedcrypto-provider" }
 rustls-mbedpki-provider = { path = "../rustls-mbedpki-provider" }
 env_logger = "0.10"
-# TODO: upgrade to use formal 0.22.0 or 0.22.0-* versions when availabe
-rustls = { git = "https://github.com/rustls/rustls", rev = "b776a5778ad333653670c34ff9125d8ae59b6047", version = "0.22.0-alpha.4", default-features = false }
+rustls = { version = "0.22.0-alpha.4", default-features = false }
 rustls-native-certs = "0.6.3"
-

rustls-mbedcrypto-provider/Cargo.toml

@@ -12,12 +12,21 @@ categories = ["network-programming", "cryptography"]
 resolver = "2"
 
 [dependencies]
-# TODO: upgrade to use formal 0.22.0 or 0.22.0-* versions when availabe
-rustls = { git = "https://github.com/rustls/rustls", rev = "b776a5778ad333653670c34ff9125d8ae59b6047", version = "0.22.0-alpha.4", default-features = false }
+rustls = { version = "0.22.0-alpha.4", default-features = false }
 mbedtls = { version = "0.12.0-alpha.2", default-features = false, features = [
     "std",
 ] }
-log = { version = "0.4.20", optional = true }
+log = { version = "0.4.4", optional = true }
+pki-types = { package = "rustls-pki-types", version = "0.2.1", features = [
+    "std",
+] }
+webpki = { package = "rustls-webpki", version = "0.102.0-alpha.6", features = [
+    "alloc",
+    "std",
+], default-features = false }
+utils = { package = "rustls-mbedtls-provider-utils", path = "../rustls-mbedtls-provider-utils", version = "0.1.0-alpha.1" }
+yasna = { version = "0.3", default-features = false, features = ["bit-vec"] }
+bit-vec = "0.6.3"
 
 [target.'cfg(target_env = "msvc")'.dependencies]
 # mbedtls need feature `time` to build when targeting msvc
@@ -27,7 +36,7 @@ mbedtls = { version = "0.12.0-alpha.2", default-features = false, features = [
 ] }
 
 [dev-dependencies]
-rustls = { git = "https://github.com/rustls/rustls", rev = "b776a5778ad333653670c34ff9125d8ae59b6047", version = "0.22.0-alpha.4", default-features = false, features = [
+rustls = { version = "0.22.0-alpha.4", default-features = false, features = [
     "ring",
 ] }
 webpki = { package = "rustls-webpki", version = "0.102.0-alpha.1", default-features = false, features = [
@@ -38,7 +47,7 @@ pki-types = { package = "rustls-pki-types", version = "0.2.0" }
 webpki-roots = "0.26.0-alpha.2"
 rustls-pemfile = "=2.0.0-alpha.2"
 env_logger = "0.10"
-log = { version = "0.4.20" }
+log = { version = "0.4.4" }
 
 [features]
 default = ["logging", "tls12"]

rustls-mbedcrypto-provider/examples/internal/bench.rs

@@ -21,7 +21,7 @@ use std::time::{Duration, Instant};
 use pki_types::{CertificateDer, PrivateKeyDer};
 
 use rustls::client::Resumption;
-use rustls::crypto::ring::Ticketer;
+use rustls::crypto::ring::{cipher_suite, Ticketer};
 use rustls::server::{NoServerSessionStorage, ServerSessionMemoryCache, WebPkiClientVerifier};
 use rustls::RootCertStore;
 use rustls::{ClientConfig, ClientConnection};
@@ -178,68 +178,60 @@ static ALL_BENCHMARKS: &[BenchmarkParam] = &[
     #[cfg(feature = "tls12")]
     BenchmarkParam::new(
         KeyType::Rsa,
-        rustls::cipher_suite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+        cipher_suite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
         &rustls::version::TLS12,
     ),
     #[cfg(feature = "tls12")]
     BenchmarkParam::new(
         KeyType::Ecdsa,
-        rustls::cipher_suite::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+        cipher_suite::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
         &rustls::version::TLS12,
     ),
     #[cfg(feature = "tls12")]
     BenchmarkParam::new(
         KeyType::Rsa,
-        rustls::cipher_suite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+        cipher_suite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
         &rustls::version::TLS12,
     ),
     #[cfg(feature = "tls12")]
     BenchmarkParam::new(
         KeyType::Rsa,
-        rustls::cipher_suite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+        cipher_suite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
         &rustls::version::TLS12,
     ),
     #[cfg(feature = "tls12")]
     BenchmarkParam::new(
         KeyType::Rsa,
-        rustls::cipher_suite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+        cipher_suite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
         &rustls::version::TLS12,
     ),
     #[cfg(feature = "tls12")]
     BenchmarkParam::new(
         KeyType::Ecdsa,
-        rustls::cipher_suite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+        cipher_suite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
         &rustls::version::TLS12,
     ),
     #[cfg(feature = "tls12")]
     BenchmarkParam::new(
         KeyType::Ecdsa,
-        rustls::cipher_suite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+        cipher_suite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
         &rustls::version::TLS12,
     ),
     BenchmarkParam::new(
         KeyType::Rsa,
-        rustls::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256,
-        &rustls::version::TLS13,
-    ),
-    BenchmarkParam::new(
-        KeyType::Rsa,
-        rustls::cipher_suite::TLS13_AES_256_GCM_SHA384,
-        &rustls::version::TLS13,
-    ),
-    BenchmarkParam::new(
-        KeyType::Rsa,
-        rustls::cipher_suite::TLS13_AES_128_GCM_SHA256,
+        cipher_suite::TLS13_CHACHA20_POLY1305_SHA256,
         &rustls::version::TLS13,
     ),
+    BenchmarkParam::new(KeyType::Rsa, cipher_suite::TLS13_AES_256_GCM_SHA384, &rustls::version::TLS13),
+    BenchmarkParam::new(KeyType::Rsa, cipher_suite::TLS13_AES_128_GCM_SHA256, &rustls::version::TLS13),
     BenchmarkParam::new(
         KeyType::Ecdsa,
-        rustls::cipher_suite::TLS13_AES_128_GCM_SHA256,
+        cipher_suite::TLS13_AES_128_GCM_SHA256,
         &rustls::version::TLS13,
     ),
     BenchmarkParam::new(
         KeyType::Ed25519,
-        rustls::cipher_suite::TLS13_AES_128_GCM_SHA256,
+        cipher_suite::TLS13_AES_128_GCM_SHA256,
         &rustls::version::TLS13,
     ),
 ];

rustls-mbedcrypto-provider/src/hash.rs

@@ -43,6 +43,15 @@ pub(crate) static MBED_SHA_384: Algorithm = Algorithm {
     output_len: 384 / 8,
 };
 
+/// SHA-512 as specified in [FIPS 180-4].
+///
+/// [FIPS 180-4]: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
+pub(crate) static MBED_SHA_512: Algorithm = Algorithm {
+    hash_algorithm: HashAlgorithm::SHA512,
+    hash_type: mbedtls::hash::Type::Sha512,
+    output_len: 512 / 8,
+};
+
 impl hash::Hash for Hash {
     fn start(&self) -> Box<dyn hash::Context> {
         Box::new(HashContext(MbedHashContext::new(self.0)))

rustls-mbedcrypto-provider/src/kx.rs

@@ -8,7 +8,6 @@
 use super::agreement;
 use crate::error::mbedtls_err_to_rustls_general_error;
 
-use crate::log::error;
 use alloc::boxed::Box;
 use alloc::fmt;
 use alloc::format;
@@ -42,15 +41,12 @@ impl fmt::Debug for KxGroup {
 }
 
 impl SupportedKxGroup for KxGroup {
-    fn start(&self) -> Result<Box<dyn crypto::ActiveKeyExchange>, rustls::crypto::GetRandomFailed> {
+    fn start(&self) -> Result<Box<dyn crypto::ActiveKeyExchange>, Error> {
         let mut pk = PkMbed::generate_ec(
             &mut super::rng::rng_new().ok_or(rustls::crypto::GetRandomFailed)?,
             self.agreement_algorithm.group_id,
         )
-        .map_err(|_err| {
-            error!("Encountered error when generating ec key, mbedtls error: {}", _err);
-            rustls::crypto::GetRandomFailed
-        })?;
+        .map_err(|err| rustls::Error::General(format!("Encountered error when generating ec key, mbedtls error: {}", err)))?;
 
         fn get_key_pair(pk: &mut PkMbed, kx_group: &KxGroup) -> Result<KeyExchange, mbedtls::Error> {
             let group = EcGroup::new(kx_group.agreement_algorithm.group_id)?;
@@ -68,10 +64,7 @@ impl SupportedKxGroup for KxGroup {
 
         match get_key_pair(&mut pk, self) {
             Ok(group) => Ok(Box::new(group)),
-            Err(_err) => {
-                error!("Unexpected mbedtls error: {}", _err);
-                Err(rustls::crypto::GetRandomFailed)
-            }
+            Err(err) => Err(rustls::Error::General(format!("Unexpected mbedtls error: {}", err))),
         }
     }