Add experimental rustls backend that uses the ossl bindings#454

Open
simo5 wants to merge 16 commits into latchset:main from simo5:rustls

Conversation

@simo5 simo5 commented May 22, 2026

Member

Description

Add a somewhat complete implementation for a cryptography backend usable with rustls.

Missing support for ChaCha20Poly1305, but otherwise can deal with TLS1.2 and TLS1.3 using AES GCM

This compiles with rustls 0.23.40 but not the latest development branch which reworks a bunch of details of the CrytoProvider traits.

Checklist

  • Test suite updated
  • Rustdoc strings were added or updated
  • CHANGELOG and/or other documentation added or updated
  • This is not a code change

Reviewer's checklist:

  • Any issues marked for closing are fully addressed
  • There is a test suite reasonably covering new functionality or modifications
  • This feature/change has adequate documentation added
  • A changelog entry is added if the change is significant
  • Code conforms to the coding style that today cannot yet be enforced via the check style test
  • Commits have short titles and sensible text
  • Doc strings are properly updated

@simo5 simo5 marked this pull request as draft May 22, 2026 10:41

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a new rustls-ossl crate that implements a rustls CryptoProvider using the project's OpenSSL bindings. It significantly expands the ossl wrapper to support FIPS enforcement, post-quantum algorithms (ML-DSA, ML-KEM, SLH-DSA), and TLS-specific cryptographic operations. Feedback highlights several critical issues, including a memory leak in the MAC availability check, incorrect parsing of SubjectPublicKeyInfo (SPKI) structures during key loading and signature verification, and potential performance and robustness concerns in the KDF and key exchange implementations.

Comment thread ossl/src/mac.rs
Comment thread rustls/ossl/src/verify.rs
Comment thread ossl/src/pkey.rs Outdated
Comment thread rustls/ossl/src/keyex.rs Outdated
Comment thread rustls/ossl/src/kdf.rs Outdated
@simo5 simo5 force-pushed the rustls branch 3 times, most recently from 8461dc8 to c2f472a on May 26, 2026 10:14
@simo5 simo5 marked this pull request as ready for review May 26, 2026 10:15
simo5 commented May 26, 2026

Member Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a new rustls-ossl crate, which provides a Rustls crypto provider backed by OpenSSL bindings (ossl). It also adds support for ChaCha20 and ChaCha20-Poly1305 ciphers, in-place cipher updates, TLS1 PRF derivation, and various helper functions for checking algorithm availability. The review comments identify several critical and high-severity issues, including a potential integer underflow/DoS vulnerability in TLS 1.2 decryption, incorrect parsing of SPKI public keys in signature verification, a logical typo and potential panic in HKDF info expansion, and OpenSSL error queue pollution. Additionally, opportunities for performance optimization (avoiding heap allocations in HMAC) and code cleanup (removing redundant ? operators) were highlighted.

Comment thread rustls/ossl/src/tls12.rs
Comment thread rustls/ossl/src/verify.rs
Comment thread ossl/src/pkey.rs
Comment thread rustls/ossl/src/kdf.rs
Comment thread ossl/src/mac.rs
Comment thread ossl/src/digest.rs
Comment thread rustls/ossl/src/hmac.rs
Comment thread rustls/ossl/src/keyex.rs
simo5 added 5 commits May 26, 2026 10:37
Signed-off-by: Simo Sorce <simo@redhat.com>
Introduces the `rustls-ossl` workspace crate to enable using OpenSSL as the
cryptographic backend for `rustls`.

The `ossl` crate bindings are updated to expose OpenSSL's RAND functions
(`RAND_bytes` and `RAND_priv_bytes`), which are then utilized by the new crate
to implement `rustls::crypto::SecureRandom`. Additionally, this includes a
stub for `KeyProvider` and updates to formatting targets in the Makefile.

Assisted-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
This adds the ability to load DER-encoded private keys in the rustls OpenSSL
provider by implementing the `KeyProvider` trait, enabling signing operations.

To support this, `EvpPkey::from_der`, `get_type`, and `spki_der` methods were
added to the `ossl` crate to handle DER parsing (`d2i_AutoPrivateKey_ex`) and
public key extraction (`i2d_PUBKEY`). Additionally, an `OsslSigningKey` struct
was created to map OpenSSL key types to rustls signature algorithms, and a
lazy global `OsslContext` was introduced to manage the required library
context.

Assisted-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Add `OsslSigner` to implement the `rustls::sign::Signer` trait, enabling
message signing via OpenSSL. The `choose_scheme` method is implemented in
`OsslSigningKey` to negotiate and instantiate the correct signer based on the
key type and offered schemes.

To support the immutable requirements of the `Signer` trait, `EvpPkey` and
`OsslSignature` operations were updated to accept `&self` instead of `&mut
self`. Additionally, `Clone` was implemented for `EvpPkey` using
`EVP_PKEY_up_ref` to handle key references safely.

Assisted-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Implement the `SignatureVerificationAlgorithm` trait for various signature
schemes (ML-DSA, EdDSA, ECDSA, RSA) using the OpenSSL backend. The supported
algorithms are dynamically detected based on their availability in the OpenSSL
context and wired into the default `CryptoProvider` to enable certificate and
handshake signature validation.

Assisted-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
@simo5 simo5 force-pushed the rustls branch 2 times, most recently from 8990af9 to 16a11f7 on May 26, 2026 15:06
simo5 added 9 commits May 26, 2026 11:21
Add `hash` and `hmac` modules to the rustls provider to support rustls
cryptographic operations using OpenSSL primitives.

To satisfy the rustls traits, which require state duplication (e.g.,
`Context::fork` and reusing HMAC keys), `Clone` is implemented for `EvpMdCtx`,
`OsslDigest`, `EvpMacCtx`, `OsslMac`, and `OsslSecret` in the base `ossl`
crate by wrapping OpenSSL's context duplication functions.

Assisted-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Adds in-place cipher updates and TLS 1 PRF derivation to the base OpenSSL
wrapper. For the rustls integration, it implements AES-GCM AEAD, HKDF, and TLS
1.2 PRF to assemble complete TLS 1.2 (via a feature flag) and TLS 1.3 cipher
suites. This provides the necessary symmetric encryption, decryption, and key
derivation capabilities required to secure TLS traffic.

Assisted-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
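The HKDF wiring this commit describes has to build the TLS 1.3 HkdfLabel structure that rustls hands to the provider as HKDF-Expand `info`, and the review bot's second pass flagged a potential panic in that expansion. The block below is an added example, not code from this PR or from the rustls-ossl crate: it shows the bounds a provider has to enforce there (label and context fit their one-byte length prefixes, at most 255 HKDF output blocks) in plain Rust. Because it runs without OpenSSL, the HMAC is abstracted as a `prf` closure and `toy_prf` is a constructed stand-in for it, not a MAC; only the structure of the expansion is exercised.

```rust
//! TLS 1.3 HkdfLabel construction and a bounded HKDF-Expand (added example).

/// Every TLS 1.3 label is prefixed with this inside HkdfLabel (RFC 8446 7.1).
pub const TLS13_LABEL_PREFIX: &[u8] = b"tls13 ";

/// Build the HkdfLabel structure used as HKDF-Expand's `info`:
///   uint16 length; opaque label<7..255>; opaque context<0..255>;
/// Returns None when a field would not fit its length prefix, instead of
/// truncating it through the `as u8` cast.
pub fn hkdf_label(length: u16, label: &[u8], context: &[u8]) -> Option<Vec<u8>> {
    let full_label_len = TLS13_LABEL_PREFIX.len() + label.len();
    if full_label_len < 7 || full_label_len > 255 || context.len() > 255 {
        return None;
    }
    let mut info = Vec::with_capacity(2 + 1 + full_label_len + 1 + context.len());
    info.extend_from_slice(&length.to_be_bytes());
    info.push(full_label_len as u8);
    info.extend_from_slice(TLS13_LABEL_PREFIX);
    info.extend_from_slice(label);
    info.push(context.len() as u8);
    info.extend_from_slice(context);
    Some(info)
}

/// HKDF-Expand (RFC 5869 2.3). `prf` stands for HMAC-Hash(PRK, data) with the
/// PRK already bound in; `hash_len` is that HMAC's output size. RFC 5869 caps
/// the block count at 255, so a larger request is refused rather than letting
/// the counter byte wrap or the `as u8` cast misbehave.
pub fn hkdf_expand<F>(prf: F, hash_len: usize, info: &[u8], out_len: usize) -> Option<Vec<u8>>
where
    F: Fn(&[u8]) -> Vec<u8>,
{
    if hash_len == 0 {
        return None;
    }
    let blocks = (out_len + hash_len - 1) / hash_len;
    if blocks > 255 {
        return None;
    }
    let mut okm = Vec::with_capacity(blocks * hash_len);
    let mut prev: Vec<u8> = Vec::new(); // T(0) is the empty string
    for i in 1..=blocks {
        // T(i) = HMAC(PRK, T(i-1) || info || i)
        let mut data = prev;
        data.extend_from_slice(info);
        data.push(i as u8);
        prev = prf(&data);
        okm.extend_from_slice(&prev);
    }
    okm.truncate(out_len);
    Some(okm)
}

/// Constructed stand-in for HMAC (NOT a MAC, assumption for this example):
/// a 4-byte polynomial hash so the expansion can run without a hash crate.
pub fn toy_prf(data: &[u8]) -> Vec<u8> {
    let h = data
        .iter()
        .fold(0x811c_9dc5u32, |acc, &b| acc.wrapping_mul(31).wrapping_add(b as u32));
    h.to_be_bytes().to_vec()
}

fn main() {
    let info = hkdf_label(16, b"key", &[]).expect("label fits");
    println!("HkdfLabel for \"key\": {:02x?}", info);
    let okm = hkdf_expand(toy_prf, 4, &info, 10).expect("10 bytes is 3 blocks");
    println!("toy expansion: {:02x?}", okm);
    println!("oversized request: {:?}", hkdf_expand(toy_prf, 4, &info, 4 * 256));
}
```

In a real provider `prf` is the OpenSSL HMAC over the PRK; rustls passes `info` as a list of slices rather than one buffer, so the concatenation in `hkdf_expand` would happen per slice there, but the two checks are the same.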
This introduces `keyex.rs` with implementations of `SupportedKxGroup` and
`ActiveKeyExchange` for ECDH (X25519, SECP curves) and ML-KEM. The `kx_groups`
field is now appropriately populated in the default `CryptoProvider`.

To support extracting key shares during key exchange, `EvpPkey::export_public`
is added. `EvpPkey::available` is also introduced to conditionally register
supported key exchange groups based on the OpenSSL context. Furthermore, key
parameter serialization and deserialization logic in `pkey.rs` is refactored
into type-specific structures to simplify and organize `EvpPkey` operations.

Assisted-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Introduces integration tests that spawn an OpenSSL `s_server` instance with
various key types (RSA, ECDSA, EdDSA) and connect to it using a rustls client
configured with the `rustls-ossl` crypto provider.

A custom certificate verifier is added to allow pinning dynamically generated
self-signed certificates. This ensures the provider can successfully perform
real-world TLS handshakes and signature verification across multiple supported
algorithms.

Assisted-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
This introduces FIPS provider loading and enforcement capabilities to the
OpenSSL context and adds dynamic availability checks for digests, MACs, and
public keys.

Additionally, it implements the `fips()` method across all rustls crypto
provider components (Hash, HMAC, KeyProvider, AEADs, etc.). This integration
ensures that the rustls OpenSSL backend can properly report FIPS compliance
and restrict operations to approved algorithms when the FIPS provider is
active.

Assisted-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
This adds the ChaCha20 stream cipher and the ChaCha20-Poly1305 AEAD cipher to
the supported encryption algorithms, integrating Poly1305 into the existing
AEAD setup flow.

Supporting these algorithms expands the library's cryptographic capabilities,
providing developers with a modern, highly secure, and performant alternative
to AES. Comprehensive test vectors for encryption, decryption, and
authentication tags are included to ensure correctness.

Signed-off-by: Simo Sorce <simo@redhat.com>
This adds `CHACHA20_POLY1305` to the supported AEAD algorithms, enabling the
corresponding cipher suites for TLS 1.2 and TLS 1.3. It also implements the
specific IV and nonce construction logic required for ChaCha20-Poly1305 in TLS
1.2, which does not use explicit nonces like AES-GCM.

Assisted-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
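The commit above notes that ChaCha20-Poly1305 in TLS 1.2 builds its nonce differently from AES-GCM, and the review bot's second pass flagged a length underflow in TLS 1.2 decryption. The block below is an added example, not code from this PR or from the rustls-ossl crate, written in plain Rust with no OpenSSL calls. It shows the three nonce constructions a provider has to get right (AES-GCM's salt plus explicit nonce in TLS 1.2, the IV XOR sequence-number form shared by ChaCha20-Poly1305 in TLS 1.2 and every AEAD in TLS 1.3) and the checked payload-length computation that rejects a record too short to hold its nonce and tag instead of underflowing. Sample IVs and sequence numbers in `main` are constructed.

```rust
//! TLS record nonce derivation and record-length checks (added example).

pub const NONCE_LEN: usize = 12;
pub const TAG_LEN: usize = 16;
pub const GCM_EXPLICIT_NONCE_LEN: usize = 8;

/// TLS 1.2 AES-GCM (RFC 5288): the 12-byte nonce is the 4-byte implicit salt
/// from the key block followed by the 8-byte explicit nonce carried in the record.
pub fn tls12_gcm_nonce(salt: &[u8; 4], explicit: &[u8; GCM_EXPLICIT_NONCE_LEN]) -> [u8; NONCE_LEN] {
    let mut nonce = [0u8; NONCE_LEN];
    nonce[..4].copy_from_slice(salt);
    nonce[4..].copy_from_slice(explicit);
    nonce
}

/// TLS 1.2 ChaCha20-Poly1305 (RFC 7905) and all TLS 1.3 AEADs (RFC 8446 5.3):
/// the 64-bit record sequence number, left-padded with zeros to 12 bytes, is
/// XORed into the per-key IV. Nothing nonce-related is sent on the wire.
pub fn xor_seq_nonce(iv: &[u8; NONCE_LEN], seq: u64) -> [u8; NONCE_LEN] {
    let mut nonce = *iv;
    for (n, s) in nonce[4..].iter_mut().zip(seq.to_be_bytes().iter()) {
        *n ^= *s;
    }
    nonce
}

/// Plaintext length recoverable from a TLS 1.2 AES-GCM record payload. A payload
/// shorter than explicit nonce + tag yields None instead of an underflowed size.
pub fn tls12_gcm_plaintext_len(payload_len: usize) -> Option<usize> {
    payload_len.checked_sub(GCM_EXPLICIT_NONCE_LEN + TAG_LEN)
}

/// Same check for TLS 1.2 ChaCha20-Poly1305, whose payload carries only the tag.
pub fn tls12_chacha_plaintext_len(payload_len: usize) -> Option<usize> {
    payload_len.checked_sub(TAG_LEN)
}

fn main() {
    // Constructed sample values, not taken from any real session.
    let iv = [0x11u8; NONCE_LEN];
    for seq in [0u64, 1, 0x0102_0304_0506_0708] {
        println!("seq {:#x}: nonce {:02x?}", seq, xor_seq_nonce(&iv, seq));
    }
    println!("gcm nonce {:02x?}", tls12_gcm_nonce(&[0xaa; 4], &[0xbb; 8]));
    println!(
        "gcm payload 23 -> {:?}, 100 -> {:?}",
        tls12_gcm_plaintext_len(23),
        tls12_gcm_plaintext_len(100)
    );
}
```

The length check is what keeps a malformed record from turning into a negative plaintext size before the AEAD call; the nonce helpers are the part of the commit's "IV and nonce construction logic" that can be reviewed independently of OpenSSL.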
Add support for the `secp521r1` (P-521) key exchange group and the `Ed448`
signature scheme to broaden the supported cryptographic capabilities.

Update the basic integration tests to verify functionality across multiple
protocol versions (TLS 1.2, TLS 1.3) and cipher suites (AES-128, AES-256,
ChaCha20) rather than relying on default negotiations. Additionally, the test
client now validates the connection by downloading and verifying a specific
file, ensuring accurate data transfer instead of just asserting a successful
handshake.

Assisted-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
simo5 added 2 commits May 27, 2026 06:42
Signed-off-by: Simo Sorce <simo@redhat.com>
EVP_MD_CTX_dup() is not available until 3.2.0, so raise the minimum
requirement for rustls

Signed-off-by: Simo Sorce <simo@redhat.com>
Comment thread ossl/src/pkey.rs
})
}

#[cfg(ossl_mlkem)]

Contributor


Suggested change
#[cfg(ossl_mlkem)]
#[cfg(ossl_mldsa)]

Comment thread rustls/ossl/src/keyex.rs

use crate::osslctx;

/* whis will need to grop up to 1024 bytes if we ever add support for FFDH groups

Contributor


Suggested change
/* whis will need to grop up to 1024 bytes if we ever add support for FFDH groups
/* whis will need to grow up to 1024 bytes if we ever add support for FFDH groups

Comment thread rustls/ossl/src/lib.rs
},
hkdf_provider: &kdf::HKDF_SHA256,
aead_alg: &cipher::CHACHA20_POLY1305,
quic: None, /* TODO */

Contributor


TODO in this PR or next one?

Member Author


Future PR

Comment thread rustls/ossl/src/pkey.rs
None
}

/* This is only for TLS1.2 which will never get ML-DSA or any PQ algorithm */

Contributor


nit:

Suggested change
/* This is only for TLS1.2 which will never get ML-DSA or any PQ algorithm */
/* This is only for TLS1.2 which will never get ML-DSA nor any PQ algorithm */
