Open
21 commits
49d2fce
Adding required code to support QUIC
helkoulak Jul 21, 2025
3b6baae
Code fixes and tests
helkoulak Jul 24, 2025
d8eb6c5
Code fixes and formatting
helkoulak Sep 23, 2025
c1bdc1a
Fix build errors in wolfcrypt-rs
helkoulak Sep 26, 2025
9143871
Adjust workflow to build features code
helkoulak Sep 26, 2025
ef849ed
Add features to building and testing for macos
helkoulak Sep 29, 2025
8b34946
Add missing algorithm identifier
helkoulak Nov 4, 2025
cd879e1
Decrypt function should not panic in case of decrypt error to handle …
helkoulak Nov 4, 2025
3bfcf11
See commit cd879e183305c7793c12e11fbca475f43e9d8025
helkoulak Nov 24, 2025
9ebcf7a
In case peer misbehaves and sends plain text after it is not anymore …
helkoulak Nov 24, 2025
b5e14d3
function copy_from_slice requires both source and destination to be o…
helkoulak Nov 24, 2025
afb2ffd
function extract_key_pair is a workaround for the faulty function wc_…
helkoulak Nov 24, 2025
8291d46
Make the order of supported cipher suites compatible with other provi…
helkoulak Nov 24, 2025
560944e
Consider the case where neither the SET OF attributes nor the public k…
helkoulak Nov 24, 2025
35686aa
Create key object only if needed and store pub key value if provided …
helkoulak Nov 25, 2025
bdd5acb
Minor code changes to make wolfcrypt-provider more compatible with ru…
helkoulak Nov 25, 2025
b0ed669
The implementation of this function is required by some tests in suit…
helkoulak Nov 27, 2025
ea2ec86
Adjust ubuntu and macos work flows to run tests against rustlsv0.23.35
helkoulak Nov 27, 2025
7d5a50b
Install go as it is required for installing aws-lc-fips-sys v0.13.10
helkoulak Dec 2, 2025
2d63a95
Key must be set before encrypting with aes object to get correct tag
helkoulak Dec 16, 2025
bdef49c
For correct tag calculation in AES GCM mode in macOS the function wc_…
helkoulak Dec 16, 2025
32 changes: 30 additions & 2 deletions .github/workflows/macos-build.yml
Expand Up @@ -16,6 +16,7 @@ jobs:
- name: Install Build Prerequisites
run: |
brew install autoconf libtool automake
brew install go

- name: Install Rust
uses: dtolnay/rust-toolchain@master
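Review bot: `brew install go` in the prerequisites step has no comment saying why a Rust build needs Go. The commit list attributes it to aws-lc-fips-sys v0.13.10; if that crate is only pulled in by the `--all-features` test build further down, say so in a YAML comment next to the line so the install can be dropped once the test run is narrowed to the wolfcrypt provider.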
Expand Down Expand Up @@ -56,6 +57,33 @@ jobs:
- name: Run clippy
run: |
cd wolfcrypt-rs
cargo clippy -- -D warnings
cargo clippy --all-features -- -D warnings
cd ../rustls-wolfcrypt-provider
cargo clippy -- -D warnings
cargo clippy --all-features -- -D warnings

- name: Run tests of rustls v0.23.35
run: |
mkdir rustlsv0.23.35-test-workspace
cd rustlsv0.23.35-test-workspace
git clone https://github.com/rustls/rustls.git
cd rustls
git fetch --tags
selected_tag=$(git tag -l "v/0\.23\.35")
git checkout "$selected_tag"
Contributor

Maybe instead of using git tag -l followed by checkout, it might be easier to do a checkout directly like this:
git checkout v/0.23.35

Member

No. Using the checkout action is the correct way.

cd ..
git clone https://github.com/helkoulak/rustls-wolfcrypt-provider.git
cd rustls-wolfcrypt-provider/
git checkout quic-support
cd wolfcrypt-rs/
make build
cd ../rustls-wolfcrypt-provider/
cargo build --all-features --release
cd ../..
git clone https://github.com/helkoulak/rustls_v0.23.35_test_files.git
cp -r ./rustls_v0.23.35_test_files/tests .
cp ./rustls_v0.23.35_test_files/Cargo.toml .
cp ./rustls_v0.23.35_test_files/provider_files/Cargo.toml ./rustls-wolfcrypt-provider/rustls-wolfcrypt-provider/
rm -rf rustls_v0.23.35_test_files
cargo test -p tests --test all_suites --all-features
cd ..
rm -rf rustlsv0.23.35-test-workspace
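Review bot: The `git clone https://github.com/helkoulak/rustls-wolfcrypt-provider.git` and `git checkout quic-support` lines make this step build and test a branch of a personal fork instead of the commit the workflow was triggered for, so a green run says nothing about the code under review and the job will keep testing the fork after merge. Build the provider from the workflow's own checkout (for example as a path dependency of the test workspace) and drop the second clone.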
32 changes: 30 additions & 2 deletions .github/workflows/ubuntu-build.yml
Member

The same comments apply to macos-build.yml.

Member

I would consider moving the rustls tests into a separate workflow.

Contributor

One thing that I noticed is that you compile and run the tests with --all-features. I understand that with the wolfcrypt-provider feature only the wolfcrypt provider is going to be used against the rustls testsuite, which is great, but with --all-features aws-lc-rs and ring get compiled too even if they are not used.
Is it possible to remove them? Or are they hardcoded dependencies used in some way in the testsuite?

I think the command to run the testsuite with only the wolfcrypt provider (which is already compiled in) is:
cargo test -p tests --test all_suites --features wolfcrypt-provider,tls12 --no-default-features
or something similar.

Contributor

Juliusz and I were also thinking that it might be worth adding a feature to print the current provider being used via cargo, since you added the configuration option wolfcrypt-provider.
And add that step before running the testsuite, by grepping the output from stdout and confirming that we are running the full testsuite against the wolfcrypt-provider only.
That would be great.

Expand Up @@ -57,6 +57,34 @@ jobs:
- name: Run clippy
run: |
cd wolfcrypt-rs
cargo clippy -- -D warnings
cargo clippy --all-features -- -D warnings
cd ../rustls-wolfcrypt-provider
cargo clippy -- -D warnings
cargo clippy --all-features -- -D warnings

- name: Run tests of rustls v0.23.35
run: |
mkdir rustlsv0.23.35-test-workspace
cd rustlsv0.23.35-test-workspace
git clone https://github.com/rustls/rustls.git
cd rustls
git fetch --tags
selected_tag=$(git tag -l "v/0\.23\.35")
git checkout "$selected_tag"
cd ..
git clone https://github.com/helkoulak/rustls-wolfcrypt-provider.git
cd rustls-wolfcrypt-provider/
git checkout quic-support
Comment on lines +66 to +76
Member

cd wolfcrypt-rs/
make build
cd ../rustls-wolfcrypt-provider/
cargo build --all-features --release
cd ../..
git clone https://github.com/helkoulak/rustls_v0.23.35_test_files.git
Member

Place these under .github/workflows/rustls or a similar path. I don't see a need to have this in a dedicated repo.

Member

If I understand correctly, you are using these files to make modifications to rustls/rustls? If yes, then I would prefer to use a patch file for this. The patch file should be applied with patch -p1 < <path/to/patch/file> in the rustls/rustls root dir.

cp -r ./rustls_v0.23.35_test_files/tests .
cp ./rustls_v0.23.35_test_files/Cargo.toml .
cp ./rustls_v0.23.35_test_files/provider_files/Cargo.toml ./rustls-wolfcrypt-provider/rustls-wolfcrypt-provider/
rm -rf rustls_v0.23.35_test_files
cargo test -p tests --test all_suites --all-features
cd ..
rm -rf rustlsv0.23.35-test-workspace
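Review bot: Every external input in this `run` block is taken at a mutable ref: `rustls_v0.23.35_test_files.git` is cloned at its default-branch head and its `Cargo.toml` files are copied into the test workspace and over the provider crate's manifest, and `selected_tag` is passed to `git checkout` without checking that `git tag -l` returned anything. Pin each clone to a full commit SHA (or keep the test files in this repository), and fail the step explicitly when the tag lookup comes back empty, so that a push to another repository cannot change what CI compiles and runs.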
Comment on lines +64 to +89
Member

Let's split this up into steps to make it easier to understand what failed for future devs.


2 changes: 2 additions & 0 deletions rustls-wolfcrypt-provider/Cargo.toml
Expand Up @@ -33,6 +33,7 @@ lazy_static = "1.5.0"
hex-literal = "0.4.1"



Contributor

Extra blank space.

[dev-dependencies]
rcgen = { version = "0.13" }
serial_test = { version = "3.2.0", default-features = false }
Expand All @@ -44,6 +45,7 @@ rustls-pemfile = { version = "2.2.0", default-features = false, features = ["std
[features]
default = []
std = ["pkcs8/std", "rustls/std", "wolfcrypt-rs/std"]
quic = []

[profile.release]
strip = true
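Review bot: `quic = []` carries no comment saying what it gates, and since it enables nothing in `rustls` or `wolfcrypt-rs` and is not in `default`, the code behind it is only compiled when a build asks for the feature explicitly. Add a one-line comment on the feature and make sure at least one CI build and one test run name `quic` directly rather than relying on `--all-features`.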
4 changes: 2 additions & 2 deletions rustls-wolfcrypt-provider/examples/client.rs
@@ -1,4 +1,4 @@
use rustls_wolfcrypt_provider::provider;
use rustls_wolfcrypt_provider::default_provider;
use std::io::{stdout, Read, Write};
use std::net::TcpStream;
use std::sync::Arc;
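Review bot: Renaming the public constructor from `provider` to `default_provider` on the `use rustls_wolfcrypt_provider::...` line breaks every downstream caller that follows this example. If `provider` is gone from the crate, keep it for one release as a `#[deprecated]` wrapper around `default_provider`, or call the break out in the changelog and version bump.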
Expand All @@ -9,7 +9,7 @@ fn main() {
let root_store =
rustls::RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());

let config = rustls::ClientConfig::builder_with_provider(provider().into())
let config = rustls::ClientConfig::builder_with_provider(default_provider().into())
.with_safe_default_protocol_versions()
.unwrap()
.with_root_certificates(root_store)
4 changes: 2 additions & 2 deletions rustls-wolfcrypt-provider/examples/server.rs
Expand Up @@ -4,7 +4,7 @@ use std::sync::Arc;
use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
use rustls::server::Acceptor;
use rustls::ServerConfig;
use rustls_wolfcrypt_provider::provider;
use rustls_wolfcrypt_provider::default_provider;

fn main() {
env_logger::init();
Expand Down Expand Up @@ -90,7 +90,7 @@ impl TestPki {
}

fn server_config(self) -> Arc<ServerConfig> {
let mut server_config = ServerConfig::builder_with_provider(provider().into())
let mut server_config = ServerConfig::builder_with_provider(default_provider().into())
.with_safe_default_protocol_versions()
.unwrap()
.with_no_client_auth()
14 changes: 10 additions & 4 deletions rustls-wolfcrypt-provider/src/aead/aes128gcm.rs
Expand Up @@ -65,8 +65,8 @@ impl Tls12AeadAlgorithm for Aes128Gcm {
) -> Result<ConnectionTrafficSecrets, UnsupportedOperationError> {
let mut iv_as_vec = vec![0u8; GCM_NONCE_LENGTH];

iv_as_vec.copy_from_slice(iv);
iv_as_vec.copy_from_slice(explicit);
iv_as_vec[..iv.len()].copy_from_slice(iv);
iv_as_vec[iv.len()..].copy_from_slice(explicit);

Ok(ConnectionTrafficSecrets::Aes128Gcm {
key,
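Review bot: The two new slice copies can still panic: `iv_as_vec[iv.len()..].copy_from_slice(explicit)` needs `iv.len() + explicit.len()` to equal `GCM_NONCE_LENGTH` exactly, and `iv_as_vec[..iv.len()]` panics when `iv` is longer than the buffer. The function already returns `Result<_, UnsupportedOperationError>`, so check the combined length first and return the error instead of relying on the caller to pass the right sizes.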
Expand Down Expand Up @@ -172,6 +172,9 @@ impl MessageDecrypter for WCTls12Decrypter {
seq: u64,
) -> Result<InboundPlainMessage<'a>, rustls::Error> {
let payload = &mut m.payload;
if payload.len() < GCM_TAG_LENGTH {
return Err(rustls::Error::DecryptError);
}
let payload_len = payload.len();

// First we copy the implicit nonce followed by copying
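Review bot: The guard `payload.len() < GCM_TAG_LENGTH` is too weak for the TLS 1.2 path. Further down, the same function computes `payload_len - ((payload_start) + GCM_TAG_LENGTH)` and copies from `payload_start..(payload_len - GCM_TAG_LENGTH)`, so a record that holds a tag but is shorter than the explicit nonce plus the tag still reaches arithmetic and ranges that assume both are present. Compare against the explicit nonce length plus `GCM_TAG_LENGTH` instead.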
Expand Down Expand Up @@ -225,7 +228,7 @@ impl MessageDecrypter for WCTls12Decrypter {
aad.len() as word32,
)
};
check_if_zero(ret).unwrap();
check_if_zero(ret).map_err(|_| rustls::Error::DecryptError)?;

payload.copy_within(payload_start..(payload_len - GCM_TAG_LENGTH), 0);
payload.truncate(payload_len - ((payload_start) + GCM_TAG_LENGTH));
Expand Down Expand Up @@ -353,6 +356,9 @@ impl MessageDecrypter for WCTls13Cipher {
seq: u64,
) -> Result<InboundPlainMessage<'a>, rustls::Error> {
let payload = &mut m.payload;
if payload.len() < GCM_TAG_LENGTH {
return Err(rustls::Error::DecryptError);
}
let nonce = Nonce::new(&self.iv, seq);
let aad = make_tls13_aad(payload.len());
let mut auth_tag = [0u8; GCM_TAG_LENGTH];
Expand Down Expand Up @@ -390,7 +396,7 @@ impl MessageDecrypter for WCTls13Cipher {
aad.len() as word32,
)
};
check_if_zero(ret).unwrap();
check_if_zero(ret).map_err(|_| rustls::Error::DecryptError)?;

payload.truncate(message_len);

15 changes: 11 additions & 4 deletions rustls-wolfcrypt-provider/src/aead/aes256gcm.rs
Expand Up @@ -65,8 +65,8 @@ impl Tls12AeadAlgorithm for Aes256Gcm {
) -> Result<ConnectionTrafficSecrets, UnsupportedOperationError> {
let mut iv_as_vec = vec![0u8; GCM_NONCE_LENGTH];

iv_as_vec.copy_from_slice(iv);
iv_as_vec.copy_from_slice(explicit);
iv_as_vec[..iv.len()].copy_from_slice(iv);
iv_as_vec[iv.len()..].copy_from_slice(explicit);

Ok(ConnectionTrafficSecrets::Aes256Gcm {
key,
Expand Down Expand Up @@ -172,6 +172,9 @@ impl MessageDecrypter for WCTls12Decrypter {
seq: u64,
) -> Result<InboundPlainMessage<'a>, rustls::Error> {
let payload = &mut m.payload;
if payload.len() < GCM_TAG_LENGTH {
return Err(rustls::Error::DecryptError);
}
let payload_len = payload.len();

// First we copy the implicit nonce followed by copying
Expand Down Expand Up @@ -225,7 +228,7 @@ impl MessageDecrypter for WCTls12Decrypter {
aad.len() as word32,
)
};
check_if_zero(ret).unwrap();
check_if_zero(ret).map_err(|_| rustls::Error::DecryptError)?;

payload.copy_within(payload_start..(payload_len - GCM_TAG_LENGTH), 0);
payload.truncate(payload_len - ((payload_start) + GCM_TAG_LENGTH));
Expand Down Expand Up @@ -353,6 +356,10 @@ impl MessageDecrypter for WCTls13Cipher {
seq: u64,
) -> Result<InboundPlainMessage<'a>, rustls::Error> {
let payload = &mut m.payload;
// In case peer misbehaves and sends plain text after it is not anymore allowed
if payload.len() < GCM_TAG_LENGTH {
return Err(rustls::Error::DecryptError);
}
let nonce = Nonce::new(&self.iv, seq);
let aad = make_tls13_aad(payload.len());
let mut auth_tag = [0u8; GCM_TAG_LENGTH];
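Review bot: The comment `// In case peer misbehaves and sends plain text after it is not anymore allowed` appears only on this copy of the guard; the identical checks in the TLS 1.2 decrypter of this file, in aes128gcm.rs and in chacha20.rs carry none. Put the same explanation on each of them, or move the check into one shared helper that holds the comment, and reword it to say what is rejected: a record too short to contain the authentication tag.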
Expand Down Expand Up @@ -390,7 +397,7 @@ impl MessageDecrypter for WCTls13Cipher {
aad.len() as word32,
)
};
check_if_zero(ret).unwrap();
check_if_zero(ret).map_err(|_| rustls::Error::DecryptError)?;

payload.truncate(message_len);

10 changes: 8 additions & 2 deletions rustls-wolfcrypt-provider/src/aead/chacha20.rs
Expand Up @@ -133,6 +133,9 @@ impl MessageDecrypter for WCTls12Cipher {
seq: u64,
) -> Result<InboundPlainMessage<'a>, rustls::Error> {
let payload = &mut m.payload;
if payload.len() < CHACHAPOLY1305_OVERHEAD {
return Err(rustls::Error::DecryptError);
}

// We substract the tag, so this len will only consider
// the message that we are trying to decrypt.
Expand Down Expand Up @@ -160,7 +163,7 @@ impl MessageDecrypter for WCTls12Cipher {
payload[..message_len].as_mut_ptr(),
)
};
check_if_zero(ret).unwrap();
check_if_zero(ret).map_err(|_| rustls::Error::DecryptError)?;

// We extract the final result...
payload.truncate(message_len);
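Review bot: A regression test should accompany the `check_if_zero(ret).map_err(|_| rustls::Error::DecryptError)?` line: feed the decrypter one record with a flipped tag byte and one shorter than `CHACHAPOLY1305_OVERHEAD`, and assert that both return `Err(rustls::Error::DecryptError)`. The previous `check_if_zero(ret).unwrap()` let a peer abort the process with a single bad record, and the same test applies to the AES-GCM decrypters changed in this pull request.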
Expand Down Expand Up @@ -276,6 +279,9 @@ impl MessageDecrypter for WCTls13Cipher {
seq: u64,
) -> Result<InboundPlainMessage<'a>, rustls::Error> {
let payload = &mut m.payload;
if payload.len() < CHACHAPOLY1305_OVERHEAD {
return Err(rustls::Error::DecryptError);
}
let nonce = Nonce::new(&self.iv, seq);
let aad = make_tls13_aad(payload.len());
let mut auth_tag = [0u8; CHACHAPOLY1305_OVERHEAD];
Expand All @@ -302,7 +308,7 @@ impl MessageDecrypter for WCTls13Cipher {
payload[..message_len].as_mut_ptr(),
)
};
check_if_zero(ret).unwrap();
check_if_zero(ret).map_err(|_| rustls::Error::DecryptError)?;

// We extract the final result...
payload.truncate(message_len);