Code for QUIC support

.github/workflows/macos-build.yml

@@ -16,6 +16,7 @@ jobs:
       - name: Install Build Prerequisites
         run: |
           brew install autoconf libtool automake
+          brew install go
 
       - name: Install Rust
         uses: dtolnay/rust-toolchain@master
@@ -56,6 +57,6 @@ jobs:
       - name: Run clippy
         run: |
           cd wolfcrypt-rs
-          cargo clippy -- -D warnings
+          cargo clippy --all-features -- -D warnings
           cd ../rustls-wolfcrypt-provider
-          cargo clippy -- -D warnings
+          cargo clippy --all-features -- -D warnings

.github/workflows/macos-rustls-tests.yml

@@ -0,0 +1,81 @@
+name: macOS rustls tests
+
+on:
+  push:
+    branches: [ 'main' ]
+  pull_request:
+    branches: [ 'main' ]
+
+jobs:
+  macos-build:
+    name: Build and Test (macOS)
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Build Prerequisites
+        run: |
+          brew install autoconf libtool automake
+          brew install go
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: stable
+          components: rustfmt, clippy
+
+      - name: Cache Rust dependencies
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: macos-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            macos-cargo-
+
+      - name: Checkout rustls v0.23.35
+        uses: actions/checkout@v4
+        with:
+          repository: rustls/rustls
+          ref: v0.23.35
+          path: rustlsv0.23.35-test-workspace/rustls
+
+      - name: Checkout rustls-wolfcrypt-provider (quic-support)
+        uses: actions/checkout@v4
+        with:
+          repository: helkoulak/rustls-wolfcrypt-provider
+          ref: quic-support
+          path: rustlsv0.23.35-test-workspace/rustls-wolfcrypt-provider
+
+      - name: Build wolfcrypt-rs
+        working-directory: rustlsv0.23.35-test-workspace/rustls-wolfcrypt-provider/wolfcrypt-rs
+        run: make build
+
+      - name: Build rustls-wolfcrypt-provider
+        working-directory: rustlsv0.23.35-test-workspace/rustls-wolfcrypt-provider
+        run: cargo build --all-features --release
+
+      - name: Checkout rustls v0.23.35 test files
+        uses: actions/checkout@v4
+        with:
+          repository: helkoulak/rustls_v0.23.35_test_files
+          path: rustlsv0.23.35-test-workspace/rustls_v0.23.35_test_files
+
+      - name: Prepare test workspace
+        working-directory: rustlsv0.23.35-test-workspace
+        run: |
+          cp -r rustls_v0.23.35_test_files/tests .
+          cp rustls_v0.23.35_test_files/Cargo.toml .
+          cp rustls_v0.23.35_test_files/provider_files/Cargo.toml \
+             rustls-wolfcrypt-provider/rustls-wolfcrypt-provider/
+
+      - name: Run test suite
+        working-directory: rustlsv0.23.35-test-workspace
+        run: |
+          cargo test -p tests --test all_suites \
+            --features wolfcrypt-provider,tls12,fips,zlib,prefer-post-quantum,logging \
+            --no-default-features
+
+

.github/workflows/ubuntu-build.yml

@@ -57,6 +57,7 @@ jobs:
       - name: Run clippy
         run: |
           cd wolfcrypt-rs
-          cargo clippy -- -D warnings
+          cargo clippy --all-features -- -D warnings
           cd ../rustls-wolfcrypt-provider
-          cargo clippy -- -D warnings
+          cargo clippy --all-features -- -D warnings
+

.github/workflows/ubuntu-rustls-tests.yml

@@ -0,0 +1,81 @@
+name: Ubuntu rustls tests
+
+on:
+  push:
+    branches: [ 'main' ]
+  pull_request:
+    branches: [ 'main' ]
+
+jobs:
+  ubuntu-build:
+    name: Build and Test (Ubuntu)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Build Prerequisites
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential autoconf libtool
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: stable
+          components: rustfmt, clippy
+
+      - name: Cache Rust dependencies
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ubuntu-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ubuntu-cargo-
+
+
+      - name: Checkout rustls v0.23.35
+        uses: actions/checkout@v4
+        with:
+          repository: rustls/rustls
+          ref: v0.23.35
+          path: rustlsv0.23.35-test-workspace/rustls
+
+      - name: Checkout rustls-wolfcrypt-provider (quic-support)
+        uses: actions/checkout@v4
+        with:
+          repository: helkoulak/rustls-wolfcrypt-provider
+          ref: quic-support
+          path: rustlsv0.23.35-test-workspace/rustls-wolfcrypt-provider
+
+      - name: Build wolfcrypt-rs
+        working-directory: rustlsv0.23.35-test-workspace/rustls-wolfcrypt-provider/wolfcrypt-rs
+        run: make build
+
+      - name: Build rustls-wolfcrypt-provider
+        working-directory: rustlsv0.23.35-test-workspace/rustls-wolfcrypt-provider
+        run: cargo build --all-features --release
+
+      - name: Checkout rustls v0.23.35 test files
+        uses: actions/checkout@v4
+        with:
+          repository: helkoulak/rustls_v0.23.35_test_files
+          path: rustlsv0.23.35-test-workspace/rustls_v0.23.35_test_files
+
+      - name: Prepare test workspace
+        working-directory: rustlsv0.23.35-test-workspace
+        run: |
+          cp -r rustls_v0.23.35_test_files/tests .
+          cp rustls_v0.23.35_test_files/Cargo.toml .
+          cp rustls_v0.23.35_test_files/provider_files/Cargo.toml \
+             rustls-wolfcrypt-provider/rustls-wolfcrypt-provider/
+
+      - name: Run test suite
+        working-directory: rustlsv0.23.35-test-workspace
+        run: |
+          cargo test -p tests --test all_suites \
+            --features wolfcrypt-provider,tls12,fips,zlib,prefer-post-quantum,logging \
+            --no-default-features
+

rustls-wolfcrypt-provider/Cargo.toml

@@ -44,6 +44,7 @@ rustls-pemfile = { version = "2.2.0", default-features = false, features = ["std
 [features]
 default = []
 std = ["pkcs8/std", "rustls/std", "wolfcrypt-rs/std"]
+quic = []
 
 [profile.release]
 strip = true

rustls-wolfcrypt-provider/examples/client.rs

@@ -1,4 +1,4 @@
-use rustls_wolfcrypt_provider::provider;
+use rustls_wolfcrypt_provider::default_provider;
 use std::io::{stdout, Read, Write};
 use std::net::TcpStream;
 use std::sync::Arc;
@@ -9,7 +9,7 @@ fn main() {
     let root_store =
         rustls::RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
 
-    let config = rustls::ClientConfig::builder_with_provider(provider().into())
+    let config = rustls::ClientConfig::builder_with_provider(default_provider().into())
         .with_safe_default_protocol_versions()
         .unwrap()
         .with_root_certificates(root_store)

rustls-wolfcrypt-provider/examples/server.rs

@@ -4,7 +4,7 @@ use std::sync::Arc;
 use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
 use rustls::server::Acceptor;
 use rustls::ServerConfig;
-use rustls_wolfcrypt_provider::provider;
+use rustls_wolfcrypt_provider::default_provider;
 
 fn main() {
     env_logger::init();
@@ -90,7 +90,7 @@ impl TestPki {
     }
 
     fn server_config(self) -> Arc<ServerConfig> {
-        let mut server_config = ServerConfig::builder_with_provider(provider().into())
+        let mut server_config = ServerConfig::builder_with_provider(default_provider().into())
             .with_safe_default_protocol_versions()
             .unwrap()
             .with_no_client_auth()

rustls-wolfcrypt-provider/src/aead/aes128gcm.rs

@@ -65,8 +65,8 @@ impl Tls12AeadAlgorithm for Aes128Gcm {
     ) -> Result<ConnectionTrafficSecrets, UnsupportedOperationError> {
         let mut iv_as_vec = vec![0u8; GCM_NONCE_LENGTH];
 
-        iv_as_vec.copy_from_slice(iv);
-        iv_as_vec.copy_from_slice(explicit);
+        iv_as_vec[..iv.len()].copy_from_slice(iv);
+        iv_as_vec[iv.len()..].copy_from_slice(explicit);
 
         Ok(ConnectionTrafficSecrets::Aes128Gcm {
             key,
@@ -172,6 +172,9 @@ impl MessageDecrypter for WCTls12Decrypter {
         seq: u64,
     ) -> Result<InboundPlainMessage<'a>, rustls::Error> {
         let payload = &mut m.payload;
+        if payload.len() < GCM_TAG_LENGTH {
+            return Err(rustls::Error::DecryptError);
+        }
         let payload_len = payload.len();
 
         // First we copy the implicit nonce followed by copying
@@ -225,7 +228,7 @@ impl MessageDecrypter for WCTls12Decrypter {
                 aad.len() as word32,
             )
         };
-        check_if_zero(ret).unwrap();
+        check_if_zero(ret).map_err(|_| rustls::Error::DecryptError)?;
 
         payload.copy_within(payload_start..(payload_len - GCM_TAG_LENGTH), 0);
         payload.truncate(payload_len - ((payload_start) + GCM_TAG_LENGTH));
@@ -353,6 +356,9 @@ impl MessageDecrypter for WCTls13Cipher {
         seq: u64,
     ) -> Result<InboundPlainMessage<'a>, rustls::Error> {
         let payload = &mut m.payload;
+        if payload.len() < GCM_TAG_LENGTH {
+            return Err(rustls::Error::DecryptError);
+        }
         let nonce = Nonce::new(&self.iv, seq);
         let aad = make_tls13_aad(payload.len());
         let mut auth_tag = [0u8; GCM_TAG_LENGTH];
@@ -390,7 +396,7 @@ impl MessageDecrypter for WCTls13Cipher {
                 aad.len() as word32,
             )
         };
-        check_if_zero(ret).unwrap();
+        check_if_zero(ret).map_err(|_| rustls::Error::DecryptError)?;
 
         payload.truncate(message_len);
 

rustls-wolfcrypt-provider/src/aead/aes256gcm.rs

@@ -65,8 +65,8 @@ impl Tls12AeadAlgorithm for Aes256Gcm {
     ) -> Result<ConnectionTrafficSecrets, UnsupportedOperationError> {
         let mut iv_as_vec = vec![0u8; GCM_NONCE_LENGTH];
 
-        iv_as_vec.copy_from_slice(iv);
-        iv_as_vec.copy_from_slice(explicit);
+        iv_as_vec[..iv.len()].copy_from_slice(iv);
+        iv_as_vec[iv.len()..].copy_from_slice(explicit);
 
         Ok(ConnectionTrafficSecrets::Aes256Gcm {
             key,
@@ -172,6 +172,9 @@ impl MessageDecrypter for WCTls12Decrypter {
         seq: u64,
     ) -> Result<InboundPlainMessage<'a>, rustls::Error> {
         let payload = &mut m.payload;
+        if payload.len() < GCM_TAG_LENGTH {
+            return Err(rustls::Error::DecryptError);
+        }
         let payload_len = payload.len();
 
         // First we copy the implicit nonce followed by copying
@@ -225,7 +228,7 @@ impl MessageDecrypter for WCTls12Decrypter {
                 aad.len() as word32,
             )
         };
-        check_if_zero(ret).unwrap();
+        check_if_zero(ret).map_err(|_| rustls::Error::DecryptError)?;
 
         payload.copy_within(payload_start..(payload_len - GCM_TAG_LENGTH), 0);
         payload.truncate(payload_len - ((payload_start) + GCM_TAG_LENGTH));
@@ -353,6 +356,10 @@ impl MessageDecrypter for WCTls13Cipher {
         seq: u64,
     ) -> Result<InboundPlainMessage<'a>, rustls::Error> {
         let payload = &mut m.payload;
+        // In case peer misbehaves and sends plain text after it is not anymore allowed
+        if payload.len() < GCM_TAG_LENGTH {
+            return Err(rustls::Error::DecryptError);
+        }
         let nonce = Nonce::new(&self.iv, seq);
         let aad = make_tls13_aad(payload.len());
         let mut auth_tag = [0u8; GCM_TAG_LENGTH];
@@ -390,7 +397,7 @@ impl MessageDecrypter for WCTls13Cipher {
                 aad.len() as word32,
             )
         };
-        check_if_zero(ret).unwrap();
+        check_if_zero(ret).map_err(|_| rustls::Error::DecryptError)?;
 
         payload.truncate(message_len);
 

rustls-wolfcrypt-provider/src/aead/chacha20.rs

@@ -133,6 +133,9 @@ impl MessageDecrypter for WCTls12Cipher {
         seq: u64,
     ) -> Result<InboundPlainMessage<'a>, rustls::Error> {
         let payload = &mut m.payload;
+        if payload.len() < CHACHAPOLY1305_OVERHEAD {
+            return Err(rustls::Error::DecryptError);
+        }
 
         // We substract the tag, so this len will only consider
         // the message that we are trying to decrypt.
@@ -160,7 +163,7 @@ impl MessageDecrypter for WCTls12Cipher {
                 payload[..message_len].as_mut_ptr(),
             )
         };
-        check_if_zero(ret).unwrap();
+        check_if_zero(ret).map_err(|_| rustls::Error::DecryptError)?;
 
         // We extract the final result...
         payload.truncate(message_len);
@@ -276,6 +279,9 @@ impl MessageDecrypter for WCTls13Cipher {
         seq: u64,
     ) -> Result<InboundPlainMessage<'a>, rustls::Error> {
         let payload = &mut m.payload;
+        if payload.len() < CHACHAPOLY1305_OVERHEAD {
+            return Err(rustls::Error::DecryptError);
+        }
         let nonce = Nonce::new(&self.iv, seq);
         let aad = make_tls13_aad(payload.len());
         let mut auth_tag = [0u8; CHACHAPOLY1305_OVERHEAD];
@@ -302,7 +308,7 @@ impl MessageDecrypter for WCTls13Cipher {
                 payload[..message_len].as_mut_ptr(),
             )
         };
-        check_if_zero(ret).unwrap();
+        check_if_zero(ret).map_err(|_| rustls::Error::DecryptError)?;
 
         // We extract the final result...
         payload.truncate(message_len);