Introducing the Boring crypto provider.

Also adding examples and basic documentation.

Author: nmittler

.github/workflows/rust.yml

@@ -8,88 +8,125 @@ on:
     - cron: "21 3 * * 5"
 
 jobs:
-  test-freebsd:
-  # see https://github.com/actions/runner/issues/385
-  # use https://github.com/vmactions/freebsd-vm for now
-    name: test on freebsd
-    runs-on: macos-12
-    steps:
-      - uses: actions/checkout@v2
-      - name: test on freebsd
-        uses: vmactions/freebsd-vm@v0
-        with:
-          usesh: true
-          mem: 4096
-          copyback: false
-          prepare: |
-            pkg install -y curl
-            curl https://sh.rustup.rs -sSf --output rustup.sh
-            sh rustup.sh -y --profile minimal --default-toolchain stable
-            echo "~~~~ rustc --version ~~~~"
-            $HOME/.cargo/bin/rustc --version
-          run: |
-            freebsd-version
-            $HOME/.cargo/bin/cargo build --all-targets
-            $HOME/.cargo/bin/cargo test
+
+# TODO(nmittler): Investigate why tests get "unknown CA" on windows.
+#  test-windows:
+#    name: test (windows-latest, stable)
+#    runs-on: windows-latest
+#
+#    steps:
+#      - name: Checkout source
+#        uses: actions/checkout@v2
+#        with:
+#          submodules: 'recursive'
+#      - name: Install nasm
+#        uses: crazy-max/ghaction-chocolatey@v1
+#        with:
+#          args: install nasm
+#      - name: Install rust toolchain
+#        uses: actions-rs/toolchain@v1
+#        with:
+#          profile: minimal
+#          toolchain: stable
+#          override: true
+#      - name: Cargo Build
+#        uses: actions-rs/cargo@v1
+#        with:
+#          command: build
+#          args: --all-targets
+#      - name: Cargo Test
+#        uses: actions-rs/cargo@v1
+#        with:
+#          command: test
+#          args: --verbose --all-targets
+
   test:
     strategy:
       matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-        rust: [stable, beta, 1.59.0]
+        os: [ubuntu-latest, macos-latest]
+        rust: [stable, beta]
         exclude:
           - os: macos-latest
             rust: beta
-          - os: macos-latest
-            rust: 1.59.0
-          - os: windows-latest
-            rust: beta
-          - os: windows-latest
-            rust: 1.59.0
 
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions-rs/toolchain@v1
+      - name: Checkout source
+        uses: actions/checkout@v2
+        with:
+          submodules: 'recursive'
+      - name: Install rust toolchain
+        uses: actions-rs/toolchain@v1
         with:
           profile: minimal
           toolchain: ${{ matrix.rust }}
           override: true
-      - uses: Swatinem/rust-cache@v1
-      - uses: actions-rs/cargo@v1
+      - name: Cargo Build
+        uses: actions-rs/cargo@v1
         with:
           command: build
           args: --all-targets
-      - uses: actions-rs/cargo@v1
+      - name: Cargo Test
+        uses: actions-rs/cargo@v1
         with:
           command: test
 
+# TODO(nmittler): Investigate build issues.
+#  test-fips:
+#    name: test fips
+#    runs-on: ubuntu-20.04
+#    steps:
+#      - name: Checkout source
+#        uses: actions/checkout@v2
+#        with:
+#          submodules: 'recursive'
+#      - name: Install Clang 7
+#        uses: egor-tensin/setup-clang@v1
+#        with:
+#          version: "7"
+#      - name: Install rust toolchain
+#        uses: actions-rs/toolchain@v1
+#        with:
+#          profile: minimal
+#          toolchain: stable
+#          override: true
+#      - name: Cargo Build
+#        uses: actions-rs/cargo@v1
+#        with:
+#          command: build
+#          args: --all-targets --features fips
+#      - name: Cargo Test
+#        uses: actions-rs/cargo@v1
+#        with:
+#          command: test
+#          args: --features fips
+
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions-rs/toolchain@v1
+      - name: Checkout source
+        uses: actions/checkout@v2
+        with:
+          submodules: 'recursive'
+      - name: Install rust toolchain
+        uses: actions-rs/toolchain@v1
         with:
           profile: minimal
           toolchain: stable
           override: true
           components: rustfmt, clippy
-      - uses: Swatinem/rust-cache@v1
-      - uses: actions-rs/cargo@v1
+      - name: Cargo fmt
+        uses: actions-rs/cargo@v1
         with:
           command: fmt
           args: --all -- --check
-      - uses: actions-rs/cargo@v1
+      - name: Cargo clippy
+        uses: actions-rs/cargo@v1
         with:
           command: clippy
           args: --all-targets -- -D warnings
-      - uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: stable
-          override: true
-          components: clippy
-      - name: doc
+      - name: Cargo doc
         run: cargo doc --no-deps --document-private-items
         env:
           RUSTDOCFLAGS: -Dwarnings

Cargo.toml

@@ -7,9 +7,42 @@ description = "BoringSSL crypto provider for quinn"
 keywords = ["quic"]
 categories = ["network-programming", "asynchronous"]
 edition = "2021"
-rust-version = "1.59"
 
 [badges]
 maintenance = { status = "passively-maintained" }
 
+[features]
+fips = ["boring/fips", "boring-sys/fips"]
+
 [dependencies]
+boring = "2.1.0"
+boring-sys = "2.1.0"
+bytes = "1"
+foreign-types-shared = "0.3.1"
+lru = "0.9.0"
+once_cell = "1.17"
+quinn = { version = "0.9.3", default_features = false, features = ["native-certs", "runtime-tokio"] }
+quinn-proto = { version = "0.9.3", default-features = false }
+rand = "0.8"
+tracing = "0.1"
+
+[dev-dependencies]
+anyhow = "1.0.22"
+assert_hex = "0.2.2"
+assert_matches = "1.1"
+clap = { version = "3.2", features = ["derive"] }
+directories-next = "2"
+hex-literal = "0.3.0"
+ring = "0.16.7"
+rcgen = "0.10.0"
+rustls-pemfile = "1.0.0"
+tokio = { version = "1.0.1", features = ["rt", "rt-multi-thread", "time", "macros", "sync"] }
+tracing-futures = { version = "0.2.0", default-features = false, features = ["std-future"] }
+tracing-subscriber = { version = "0.3.0", default-features = false, features = ["env-filter", "fmt", "ansi", "time", "local-time"] }
+url = "2"
+
+[[example]]
+name = "server"
+
+[[example]]
+name = "client"

README.md

@@ -1 +1,33 @@
-# TODO
+[![codecov](https://codecov.io/gh/quinn-rs/quinn/branch/main/graph/badge.svg)](https://codecov.io/gh/quinn-rs/quinn-boring)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE-MIT)
+[![License: Apache 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE-APACHE)
+
+A crypto provider for [quinn](https://github.com/quinn-rs/quinn) based on [BoringSSL](https://github.com/google/boringssl).
+
+## Getting Started
+
+The [examples](examples) directory provides example client and server applications, which can be run as follows: 
+
+```sh
+$ cargo run --example server ./
+$ cargo run --example client https://localhost:4433/Cargo.toml
+```
+
+This launches an HTTP 0.9 server on the loopback address serving the current
+working directory, with the client fetching `./Cargo.toml`. By default, the
+server generates a self-signed certificate and stores it to disk, where the
+client will automatically find and trust it.
+
+## Testing
+
+This repository relies on the [quinn_proto integration tests](https://github.com/quinn-rs/quinn/tree/main/quinn-proto/src/tests),
+which can be made to run with the BoringSSL provider.
+
+## FIPS
+
+The BoringSSL provider is based on the Cloudflare [Boring library](https://github.com/cloudflare/boring), which
+supports building against a FIPS-validated version of BoringSSL.
+
+## Authors
+
+* [Nathan Mittler](https://github.com/nmittler) - *Project owner*

deny.toml

@@ -0,0 +1,10 @@
+[licenses]
+allow-osi-fsf-free = "either"
+copyleft = "warn"
+exceptions = [{ allow = ["ISC", "MIT", "OpenSSL"], name = "ring" }]
+private = { ignore = true }
+
+[[licenses.clarify]]
+name = "ring"
+expression = "ISC AND MIT AND OpenSSL"
+license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]

examples/README.md

@@ -0,0 +1,45 @@
+## HTTP/0.9 File Serving Example
+
+The examples in this directory were copied from [quinn](https://github.com/quinn-rs/quinn/tree/main/quinn/examples)
+and modified to use BoringSSL.
+
+The `server` and `client` examples demonstrate fetching files using a HTTP-like toy protocol.
+
+1. Server (`server.rs`)
+
+The server listens for any client requesting a file.
+If the file path is valid and allowed, it returns the contents.
+
+Open up a terminal and execute:
+
+```text
+$ cargo run --example server ./
+```
+
+2. Client (`client.rs`)
+
+The client requests a file and prints it to the console.
+If the file is on the server, it will receive the response.
+
+In a new terminal execute:
+
+```test
+$ cargo run --example client https://localhost:4433/Cargo.toml
+```
+
+where `Cargo.toml` is any file in the directory passed to the server.
+
+**Result:**
+
+The output will be the contents of this README.
+
+**Troubleshooting:**
+
+If the client times out with no activity on the server, try forcing the server to run on IPv4 by
+running it with `cargo run --example server -- ./ --listen 127.0.0.1:4433`. The server listens on
+IPv6 by default, `localhost` tends to resolve to IPv4, and support for accepting IPv4 packets on
+IPv6 sockets varies between platforms.
+
+If the client prints `failed to process request: failed reading file`, the request was processed
+successfully but the path segment of the URL did not correspond to a file in the directory being
+served.