Add tests using wycheproof test vectors (#15)

- Remove the hack to patch into rustls, and the use of no_std
- Update tls12 to use aead module

Author: tofay

.github/workflows/ci.yml

@@ -45,33 +45,3 @@ jobs:
         run: cargo fmt -- --check -l
       - name: cargo clippy (warnings)
         run: cargo clippy --all-targets --all-features -- -D warnings
-  rustls_provider_tests:
-    name: Test using rustls provider
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: ./rustls
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-        with:
-          path: rustls-openssl
-      - name: Check out repository
-        uses: actions/checkout@v4
-        with:
-          repository: rustls/rustls
-          path: rustls
-      - name: Install toolchain
-        uses: dtolnay/rust-toolchain@v1
-        with:
-          toolchain: stable
-      - name: Cache build artifacts
-        uses: Swatinem/rust-cache@v2
-        with:
-          workspaces: rustls
-      - name: Patch rustls
-        run: ../rustls-openssl/tests/patch.sh
-      - name: find
-        run: find .
-      - name: cargo test test_with_openssl
-        run: cargo test test_with_openssl

Cargo.toml

@@ -30,4 +30,6 @@ rstest = "0.23.0"
 # Use aws_lc_rs to test our provider
 rustls = { version = "0.23.0", features = ["aws_lc_rs"] }
 rustls-pemfile = "2"
+serde = { version = "1.0.215", features = ["derive"] }
+serde_json = "1.0.133"
 webpki-roots = "0.26"

README.md

@@ -44,7 +44,3 @@ SECP256R1
 X25519 // Requires the `x25519` feature
 ```
 
-# Tests
-
-In addition to the tests in this repo, CI also runs rustls tests that run against all providers.
-This is done by patching this repo as a module into a rustls checkout repo, hence this repo mirroring the `rustls::crypto::<provider>` module structure.

build.rs

@@ -19,7 +19,7 @@ fn main() {
 
     // Enable the `chacha` cfg if the `OPENSSL_NO_CHACHA` OpenSSL config is not set.
     if std::env::var("DEP_OPENSSL_CONF")
-        .map(|conf_string| !conf_string.split(",").any(|conf| conf == OPENSSL_NO_CHACHA))
+        .map(|conf_string| !conf_string.split(',').any(|conf| conf == OPENSSL_NO_CHACHA))
         .unwrap_or(true)
     {
         println!("cargo:rustc-cfg=chacha");

src/aead.rs

@@ -1,18 +1,7 @@
-use alloc::format;
-use openssl::{
-    cipher::{Cipher, CipherRef},
-    cipher_ctx::CipherCtx,
-};
-use rustls::{
-    crypto::cipher::{AeadKey, Iv, Nonce},
-    Error,
-};
-
-pub(crate) struct MessageCrypter {
-    pub algo: Algorithm,
-    pub key: AeadKey,
-    pub iv: Iv,
-}
+use openssl::cipher::{Cipher, CipherRef};
+use openssl::cipher_ctx::CipherCtx;
+use rustls::crypto::cipher::NONCE_LEN;
+use rustls::Error;
 
 #[derive(Debug, Clone, Copy)]
 pub(crate) enum Algorithm {
@@ -26,31 +15,30 @@ pub(crate) enum Algorithm {
 pub(crate) const TAG_LEN: usize = 16;
 
 impl Algorithm {
-    pub(crate) fn openssl_cipher(self) -> &'static CipherRef {
+    fn openssl_cipher(self) -> &'static CipherRef {
         match self {
             Self::Aes128Gcm => Cipher::aes_128_gcm(),
             Self::Aes256Gcm => Cipher::aes_256_gcm(),
             #[cfg(chacha)]
             Self::ChaCha20Poly1305 => Cipher::chacha20_poly1305(),
         }
     }
-}
 
-impl MessageCrypter {
-    /// Encrypts the data in place and returns the tag.
+    pub(crate) fn key_size(self) -> usize {
+        self.openssl_cipher().key_length()
+    }
+
+    /// Encrypts data in place and returns the tag.
     pub(crate) fn encrypt_in_place(
-        &self,
-        sequence_number: u64,
+        self,
+        key: &[u8],
+        nonce: &[u8; NONCE_LEN],
         aad: &[u8],
         data: &mut [u8],
     ) -> Result<[u8; TAG_LEN], Error> {
         CipherCtx::new()
             .and_then(|mut ctx| {
-                ctx.encrypt_init(
-                    Some(self.algo.openssl_cipher()),
-                    Some(self.key.as_ref()),
-                    Some(&Nonce::new(&self.iv, sequence_number).0),
-                )?;
+                ctx.encrypt_init(Some(self.openssl_cipher()), Some(key), Some(nonce))?;
                 // Providing no output buffer implies input is AAD.
                 ctx.cipher_update(aad, None)?;
                 // The ciphers are all stream ciphers, so we shound encrypt the same amount of data...
@@ -70,8 +58,9 @@ impl MessageCrypter {
     /// plaintext.
     /// The data is expected to be in the form of [ciphertext, tag].
     pub(crate) fn decrypt_in_place(
-        &self,
-        sequence_number: u64,
+        self,
+        key: &[u8],
+        nonce: &[u8; NONCE_LEN],
         aad: &[u8],
         data: &mut [u8],
     ) -> Result<usize, Error> {
@@ -84,11 +73,7 @@ impl MessageCrypter {
 
         CipherCtx::new()
             .and_then(|mut ctx| {
-                ctx.decrypt_init(
-                    Some(self.algo.openssl_cipher()),
-                    Some(self.key.as_ref()),
-                    Some(&Nonce::new(&self.iv, sequence_number).0),
-                )?;
+                ctx.decrypt_init(Some(self.openssl_cipher()), Some(key), Some(nonce))?;
                 ctx.cipher_update(aad, None)?;
                 ctx.set_tag(tag)?;
                 let count = ctx.cipher_update_inplace(ciphertext, ciphertext.len())?;
@@ -100,3 +85,130 @@ impl MessageCrypter {
             .map_err(|e| Error::General(format!("OpenSSL error: {e}")))
     }
 }
+
+#[cfg(test)]
+mod test {
+
+    use crate::test::schemas::aead;
+    use std::{fs, path::PathBuf};
+
+    fn test_aes(alg: super::Algorithm) {
+        let path = PathBuf::from(env!("CARGO_MANIFEST_DIR"))
+            .join("src")
+            .join("test")
+            .join("vectors")
+            .join("aes_gcm_test.json");
+        let tests: aead::AeadTestFile =
+            serde_json::from_str(&fs::read_to_string(path).unwrap()).unwrap();
+
+        for group in tests
+            .test_groups
+            .unwrap()
+            .iter()
+            .filter(|group| group.key_size.unwrap() == 8 * i64::try_from(alg.key_size()).unwrap())
+            .filter(|group| group.iv_size.unwrap() == 96)
+        {
+            for test in group.tests.as_ref().unwrap() {
+                dbg!(test.tc_id);
+                let key = test
+                    .key
+                    .as_deref()
+                    .map(|key| hex::decode(key).unwrap())
+                    .unwrap();
+                let iv = test
+                    .iv
+                    .as_deref()
+                    .map(|iv| hex::decode(iv).unwrap())
+                    .unwrap();
+                let aad = test
+                    .aad
+                    .as_deref()
+                    .map(|aad| hex::decode(aad).unwrap())
+                    .unwrap();
+                let msg = test
+                    .msg
+                    .as_deref()
+                    .map(|msg| hex::decode(msg).unwrap())
+                    .unwrap();
+                let ciphertext = test
+                    .ct
+                    .as_deref()
+                    .map(|ct| hex::decode(ct).unwrap())
+                    .unwrap();
+                let tag = test
+                    .tag
+                    .as_deref()
+                    .map(|tag| hex::decode(tag).unwrap())
+                    .unwrap();
+
+                let mut iv_bytes = [0u8; 12];
+                iv_bytes.copy_from_slice(&iv[0..12]);
+
+                let mut actual_ciphertext = msg.clone();
+                let actual_tag = alg
+                    .encrypt_in_place(&key, &iv_bytes, &aad, &mut actual_ciphertext)
+                    .unwrap();
+
+                match test.result.as_ref().unwrap() {
+                    aead::Result::Invalid => {
+                        if test
+                            .flags
+                            .as_ref()
+                            .unwrap()
+                            .iter()
+                            .any(|flag| flag == "ModifiedTag")
+                        {
+                            assert_ne!(
+                                actual_tag[..],
+                                tag[..],
+                                "Expected incorrect tag. Id {}: {}",
+                                test.tc_id.unwrap(),
+                                test.comment.as_deref().unwrap()
+                            );
+                        }
+                    }
+                    aead::Result::Valid | aead::Result::Acceptable => {
+                        assert_eq!(
+                            actual_ciphertext,
+                            ciphertext,
+                            "Test case failed {}: {}",
+                            test.tc_id.unwrap(),
+                            test.comment.as_deref().unwrap()
+                        );
+                        assert_eq!(
+                            actual_tag[..],
+                            tag[..],
+                            "Test case failed {}: {}",
+                            test.tc_id.unwrap(),
+                            test.comment.as_deref().unwrap()
+                        );
+                    }
+                }
+
+                let mut data = ciphertext.to_vec();
+                data.extend_from_slice(&tag);
+                let res = alg.decrypt_in_place(&key, &iv_bytes, &aad, &mut data);
+
+                match test.result.as_ref().unwrap() {
+                    aead::Result::Invalid => {
+                        assert!(res.is_err());
+                    }
+                    aead::Result::Valid | aead::Result::Acceptable => {
+                        assert_eq!(res, Ok(msg.len()));
+                        assert_eq!(&data[..res.unwrap()], &msg[..]);
+                    }
+                }
+            }
+        }
+    }
+
+    #[test]
+    fn test_aes_128() {
+        test_aes(super::Algorithm::Aes128Gcm);
+    }
+
+    #[test]
+    fn test_aes_256() {
+        test_aes(super::Algorithm::Aes256Gcm);
+    }
+}

src/hash.rs

@@ -1,5 +1,4 @@
 //! Provide Rustls `Hash` implementation using OpenSSL `MessageDigest`.
-use alloc::boxed::Box;
 use openssl::hash::MessageDigest;
 use openssl::md::{Md, MdRef};
 use openssl::sha::{self, sha256, sha384};
@@ -23,14 +22,14 @@ enum Context {
 }
 
 impl Algorithm {
-    pub(crate) fn mdref(&self) -> &'static MdRef {
+    pub(crate) fn mdref(self) -> &'static MdRef {
         match &self {
             Algorithm::SHA256 => Md::sha256(),
             Algorithm::SHA384 => Md::sha384(),
         }
     }
 
-    pub(crate) fn message_digest(&self) -> MessageDigest {
+    pub(crate) fn message_digest(self) -> MessageDigest {
         match &self {
             Algorithm::SHA256 => MessageDigest::sha256(),
             Algorithm::SHA384 => MessageDigest::sha384(),