Move key usage limits up into `CipherSuiteCommon`

2023-10-03 15:43:07 +01:00 · 2023-10-03 15:43:07 +01:00 · fdd1f8dd4f
parent cfec92ce70
commit fdd1f8dd4f
6 changed files with 41 additions and 11 deletions
--- a/provider-example/src/lib.rs
+++ b/provider-example/src/lib.rs
@ -57,6 +57,8 @@ pub static TLS13_CHACHA20_POLY1305_SHA256: rustls::SupportedCipherSuite =
        common: rustls::CipherSuiteCommon {
            suite: rustls::CipherSuite::TLS13_CHACHA20_POLY1305_SHA256,
            hash_provider: &hash::Sha256,
+            confidentiality_limit: u64::MAX,
+            integrity_limit: 1 << 36,
        },
        hkdf_provider: &rustls::crypto::tls13::HkdfUsingHmac(&hmac::Sha256Hmac),
        aead_alg: &aead::Chacha20Poly1305,
@ -68,6 +70,8 @@ pub static TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: rustls::SupportedCipherS
        common: rustls::CipherSuiteCommon {
            suite: rustls::CipherSuite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
            hash_provider: &hash::Sha256,
+            confidentiality_limit: u64::MAX,
+            integrity_limit: 1 << 36,
        },
        kx: rustls::crypto::KeyExchangeAlgorithm::ECDHE,
        sign: &[
--- a/rustls/src/crypto/ring/quic.rs
+++ b/rustls/src/crypto/ring/quic.rs
@ -167,7 +167,7 @@ impl quic::PacketKey for PacketKey {
    /// See <https://www.rfc-editor.org/rfc/rfc9001.html#name-confidentiality-limit>.
    #[inline]
    fn confidentiality_limit(&self) -> u64 {
-        self.suite.confidentiality_limit
+        self.suite.common.confidentiality_limit
    }

    /// Number of times the packet key can be used without sacrificing integrity
@ -175,7 +175,7 @@ impl quic::PacketKey for PacketKey {
    /// See <https://www.rfc-editor.org/rfc/rfc9001.html#name-integrity-limit>.
    #[inline]
    fn integrity_limit(&self) -> u64 {
-        self.suite.integrity_limit
+        self.suite.common.integrity_limit
    }

    /// Tag length for the underlying AEAD algorithm
--- a/rustls/src/crypto/ring/tls12.rs
+++ b/rustls/src/crypto/ring/tls12.rs
@ -24,6 +24,8 @@ pub static TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
        common: CipherSuiteCommon {
            suite: CipherSuite::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
            hash_provider: &super::hash::SHA256,
+            confidentiality_limit: u64::MAX,
+            integrity_limit: 1 << 36,
        },
        kx: KeyExchangeAlgorithm::ECDHE,
        sign: TLS12_ECDSA_SCHEMES,
@ -37,6 +39,8 @@ pub static TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
        common: CipherSuiteCommon {
            suite: CipherSuite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
            hash_provider: &super::hash::SHA256,
+            confidentiality_limit: u64::MAX,
+            integrity_limit: 1 << 36,
        },
        kx: KeyExchangeAlgorithm::ECDHE,
        sign: TLS12_RSA_SCHEMES,
@ -50,6 +54,8 @@ pub static TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: SupportedCipherSuite =
        common: CipherSuiteCommon {
            suite: CipherSuite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
            hash_provider: &super::hash::SHA256,
+            confidentiality_limit: 1 << 23,
+            integrity_limit: 1 << 52,
        },
        kx: KeyExchangeAlgorithm::ECDHE,
        sign: TLS12_RSA_SCHEMES,
@ -63,6 +69,8 @@ pub static TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: SupportedCipherSuite =
        common: CipherSuiteCommon {
            suite: CipherSuite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            hash_provider: &super::hash::SHA384,
+            confidentiality_limit: 1 << 23,
+            integrity_limit: 1 << 52,
        },
        kx: KeyExchangeAlgorithm::ECDHE,
        sign: TLS12_RSA_SCHEMES,
@ -76,6 +84,8 @@ pub static TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: SupportedCipherSuite =
        common: CipherSuiteCommon {
            suite: CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
            hash_provider: &super::hash::SHA256,
+            confidentiality_limit: 1 << 23,
+            integrity_limit: 1 << 52,
        },
        kx: KeyExchangeAlgorithm::ECDHE,
        sign: TLS12_ECDSA_SCHEMES,
@ -89,6 +99,8 @@ pub static TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: SupportedCipherSuite =
        common: CipherSuiteCommon {
            suite: CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
            hash_provider: &super::hash::SHA384,
+            confidentiality_limit: 1 << 23,
+            integrity_limit: 1 << 52,
        },
        kx: KeyExchangeAlgorithm::ECDHE,
        sign: TLS12_ECDSA_SCHEMES,
--- a/rustls/src/crypto/ring/tls13.rs
+++ b/rustls/src/crypto/ring/tls13.rs
@ -27,11 +27,11 @@ pub(crate) static TLS13_CHACHA20_POLY1305_SHA256_INTERNAL: &Tls13CipherSuite = &
    common: CipherSuiteCommon {
        suite: CipherSuite::TLS13_CHACHA20_POLY1305_SHA256,
        hash_provider: &super::hash::SHA256,
+        confidentiality_limit: u64::MAX,
+        integrity_limit: 1 << 36,
    },
    hkdf_provider: &RingHkdf(hkdf::HKDF_SHA256, hmac::HMAC_SHA256),
    aead_alg: &Chacha20Poly1305Aead(AeadAlgorithm(&aead::CHACHA20_POLY1305)),
-    confidentiality_limit: u64::MAX,
-    integrity_limit: 1 << 36,
    quic: Some(&super::quic::KeyBuilder(
        &aead::CHACHA20_POLY1305,
        &aead::quic::CHACHA20,
@ -44,11 +44,11 @@ pub static TLS13_AES_256_GCM_SHA384: SupportedCipherSuite =
        common: CipherSuiteCommon {
            suite: CipherSuite::TLS13_AES_256_GCM_SHA384,
            hash_provider: &super::hash::SHA384,
+            confidentiality_limit: 1 << 23,
+            integrity_limit: 1 << 52,
        },
        hkdf_provider: &RingHkdf(hkdf::HKDF_SHA384, hmac::HMAC_SHA384),
        aead_alg: &Aes256GcmAead(AeadAlgorithm(&aead::AES_256_GCM)),
-        confidentiality_limit: 1 << 23,
-        integrity_limit: 1 << 52,
        quic: Some(&super::quic::KeyBuilder(
            &aead::AES_256_GCM,
            &aead::quic::AES_256,
@ -63,11 +63,11 @@ pub(crate) static TLS13_AES_128_GCM_SHA256_INTERNAL: &Tls13CipherSuite = &Tls13C
    common: CipherSuiteCommon {
        suite: CipherSuite::TLS13_AES_128_GCM_SHA256,
        hash_provider: &super::hash::SHA256,
+        confidentiality_limit: 1 << 23,
+        integrity_limit: 1 << 52,
    },
    hkdf_provider: &RingHkdf(hkdf::HKDF_SHA256, hmac::HMAC_SHA256),
    aead_alg: &Aes128GcmAead(AeadAlgorithm(&aead::AES_128_GCM)),
-    confidentiality_limit: 1 << 23,
-    integrity_limit: 1 << 52,
    quic: Some(&super::quic::KeyBuilder(
        &aead::AES_128_GCM,
        &aead::quic::AES_128,
--- a/rustls/src/suites.rs
+++ b/rustls/src/suites.rs
@ -18,6 +18,23 @@ pub struct CipherSuiteCommon {

    /// Which hash function the suite uses.
    pub hash_provider: &'static dyn crypto::hash::Hash,
+
+    /// The number of messages that can be encrypted by a single
+    /// instance of `MessageEncrypter` produced for this suite before
+    /// an attacker gains an advantage in distinguishing it from an ideal
+    /// pseudorandom permutation (PRP).
+    ///
+    /// This is to be set on the assumption that messages are maximally sized --
+    /// at least 2 ** 14 bytes for TCP-TLS and 2 ** 16 for QUIC.
+    pub confidentiality_limit: u64,
+
+    /// The number of messages an attacker can be allowed to unsuccessfully
+    /// decrypt before the attacker gains an advantage in forging messages.
+    ///
+    /// This is not relevant for TLS over TCP (which is implemented in this crate)
+    /// because a single failed decryption is fatal to the connection.  However,
+    /// this quantity is used by QUIC.
+    pub integrity_limit: u64,
 }

 /// A cipher suite supported by rustls.
--- a/rustls/src/tls13/mod.rs
+++ b/rustls/src/tls13/mod.rs
@ -22,9 +22,6 @@ pub struct Tls13CipherSuite {
    /// [MessageEncrypter]: crate::crypto::cipher::MessageEncrypter
    pub aead_alg: &'static dyn crypto::cipher::Tls13AeadAlgorithm,

-    pub(crate) confidentiality_limit: u64,
-    pub(crate) integrity_limit: u64,
-
    /// How to create QUIC header and record protection algorithms
    /// for this suite.
    ///