Put mechanism variants behind feature flags
This makes sure that applications explicitly enable the mechanisms
that they need and that unused mechanisms can easily be disabled.

Fixes: #159
robin-nitrokey committed Dec 19, 2024
1 parent e229e33 commit 3261759
Showing 38 changed files with 973 additions and 859 deletions.
24 changes: 23 additions & 1 deletion .github/workflows/ci.yml
@@ -53,6 +53,28 @@ jobs:
done
if: matrix.target == 'x86_64-unknown-linux-gnu'

- name: Check all targets with only one mechanism feature
run: |
# trussed-core + trussed
for mechanism in \
aes256-cbc chacha8-poly1305 ed255 hmac-blake2s hmac-sha1 hmac-sha256 hmac-sha512 \
p256 p384 p521 sha256 shared-secret tdes totp trng x255
do
for package in trussed-core trussed
do
echo "${package}: ${mechanism}"
cargo check --package ${package} --all-targets --no-default-features --features crypto-client,${mechanism}
done
done
# trussed-core only
for mechanism in \
brainpoolp256r1 brainpoolp384r1 brainpoolp512r1 rsa2048 rsa3072 rsa4096 secp256k1
do
echo "trussed-core: ${mechanism}"
cargo check --package trussed-core --all-targets --no-default-features --features crypto-client,${mechanism}
done
if: matrix.target == 'x86_64-unknown-linux-gnu'

- name: Check all targets with default features
run: |
cargo check --workspace --all-targets
@@ -66,7 +88,7 @@ jobs:
if: matrix.target == 'x86_64-unknown-linux-gnu'

- name: Run tests
run: cargo test --workspace --features serde-extensions,virt,p384,p521
run: cargo test --workspace --all-features
if: matrix.target == 'x86_64-unknown-linux-gnu'

- name: Check formatting
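Review bot: The two mechanism lists in the new "Check all targets with only one mechanism feature" step are hard-coded copies of the feature tables in Cargo.toml and core/Cargo.toml, so a mechanism added later but not listed here is never built in isolation and a broken `cfg` gate for it would go unnoticed. A comment above the first loop would make that dependency visible, for example `# Keep both lists in sync with the mechanism features in Cargo.toml and core/Cargo.toml`. The step also always pairs the mechanism with `crypto-client`, so builds with a mechanism but without that client are presumably covered only by steps outside this hunk.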
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -54,6 +54,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Changed `Id::hex_clean` to format zero as `"00"`.
- Change client and mechanism selection:
- Put all client traits, requests, replies and implementations behind feature flags.
- Put all mechanisms behind feature flags.
- Move `CryptoClient::attest` into new `AttestationClient`.

### Fixed
80 changes: 62 additions & 18 deletions Cargo.toml
@@ -109,25 +109,27 @@ default-mechanisms = [
# "hmac-sha512",
"p256",
"sha256",
"shared-secret",
"tdes",
"totp",
"trng",
]
aes256-cbc = []
chacha8-poly1305 = []
ed255 = []
x255 = []
hmac-blake2s = ["blake2"]
hmac-sha1 = []
hmac-sha256 = []
hmac-sha512 = []
p256 = []
p384 = ["dep:p384"]
p521 = ["dep:p521", "dep:ecdsa"]
sha256 = []
tdes = ["des"]
totp = ["sha-1"]
trng = ["sha-1"]
aes256-cbc = ["trussed-core/aes256-cbc"]
chacha8-poly1305 = ["trussed-core/chacha8-poly1305"]
ed255 = ["trussed-core/ed255"]
x255 = ["trussed-core/x255"]
hmac-blake2s = ["trussed-core/hmac-blake2s", "blake2"]
hmac-sha1 = ["trussed-core/hmac-sha1", "sha-1"]
hmac-sha256 = ["trussed-core/hmac-sha256"]
hmac-sha512 = ["trussed-core/hmac-sha512"]
p256 = ["trussed-core/p256"]
p384 = ["trussed-core/p384", "dep:p384"]
p521 = ["trussed-core/p521", "dep:p521", "dep:ecdsa"]
sha256 = ["trussed-core/sha256"]
shared-secret = ["trussed-core/shared-secret"]
tdes = ["trussed-core/tdes", "des"]
totp = ["trussed-core/totp", "sha-1"]
trng = ["trussed-core/trng", "sha-1"]

# clients
all-clients = [
@@ -139,7 +141,7 @@ all-clients = [
"management-client",
"ui-client",
]
attestation-client = ["crypto-client", "trussed-core/attestation-client"]
attestation-client = ["crypto-client", "ed255", "p256", "trussed-core/attestation-client"]
certificate-client = ["trussed-core/certificate-client"]
crypto-client = ["trussed-core/crypto-client"]
counter-client = ["trussed-core/counter-client"]
@@ -161,8 +163,50 @@ clients-11 = []
clients-12 = []

test-attestation-cert-ids = []
# [patch.crates-io]
# interchange = { git = "https://github.com/trussed-dev/interchange", branch = "main" }

[[test]]
name = "aes256cbc"
required-features = ["crypto-client", "default-mechanisms", "virt"]

[[test]]
name = "backends"
required-features = ["filesystem-client", "virt"]

[[test]]
name = "certificate"
required-features = ["certificate-client", "virt"]

[[test]]
name = "counter"
required-features = ["counter-client", "virt"]

[[test]]
name = "filesystem"
required-features = ["crypto-client", "default-mechanisms", "filesystem-client", "virt"]

[[test]]
name = "key_confusion"
required-features = ["crypto-client", "default-mechanisms", "hmac-blake2s", "hmac-sha512", "virt"]

[[test]]
name = "p256"
required-features = ["crypto-client", "default-mechanisms", "virt"]

[[test]]
name = "serde_extensions"
required-features = ["serde-extensions", "virt"]

[[test]]
name = "tdes"
required-features = ["crypto-client", "tdes", "virt"]

[[test]]
name = "virt"
required-features = ["filesystem-client", "management-client", "virt"]

[[test]]
name = "x255"
required-features = ["crypto-client", "default-mechanisms", "virt"]

[package.metadata.docs.rs]
features = ["serde-extensions", "virt"]
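Review bot: The new `[[test]]` tables gate every integration test behind `required-features`, and Cargo skips such a target without an error when a feature is missing, so a plain `cargo test` no longer runs `key_confusion` (it needs `hmac-blake2s` and `hmac-sha512`, and `hmac-sha512` is commented out of `default-mechanisms` in the first hunk). CI and the README now use `--all-features`, which covers it, but a comment above the first entry would keep that from being lost: `# Cargo skips these targets silently when a required feature is off; run with --all-features`. Separately, `attestation-client` in the second hunk now turns on `ed255` and `p256`; that deserves a one-line comment, because the stated goal of the commit is that applications choose their mechanisms explicitly.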
2 changes: 1 addition & 1 deletion README.md
@@ -21,7 +21,7 @@ Very much WIP. Actively developed. Unstable APIs.
## Running tests

```bash
cargo test --features serde-extensions,virt
cargo test --all-features
```

#### License
28 changes: 27 additions & 1 deletion core/Cargo.toml
@@ -16,6 +16,9 @@ serde.workspace = true
serde-indexed = "0.1"

[features]
serde-extensions = []

# client traits
attestation-client = []
certificate-client = []
crypto-client = []
@@ -24,4 +27,27 @@ filesystem-client = []
management-client = []
ui-client = []

serde-extensions = []
# mechanisms
aes256-cbc = []
brainpoolp256r1 = []
brainpoolp384r1 = []
brainpoolp512r1 = []
chacha8-poly1305 = []
ed255 = []
hmac-blake2s = []
hmac-sha1 = []
hmac-sha256 = []
hmac-sha512 = []
p256 = []
p384 = []
p521 = []
rsa2048 = []
rsa3072 = []
rsa4096 = []
secp256k1 = []
sha256 = []
shared-secret = []
tdes = []
totp = []
trng = []
x255 = []
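Review bot: Seven of the mechanism features added in the second hunk (`brainpoolp256r1`, `brainpoolp384r1`, `brainpoolp512r1`, `rsa2048`, `rsa3072`, `rsa4096`, `secp256k1`) have no counterpart among the features the root Cargo.toml defines in this commit, and the CI step labels them "trussed-core only". Someone auditing which algorithms a build can actually execute may read an enabled core feature as an available implementation. A comment under `# mechanisms` would settle it, for example `# brainpool*, rsa* and secp256k1 only enable the API here; implementations come from external backends`. The second half of that comment is an assumption to confirm with the author.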
5 changes: 1 addition & 4 deletions core/src/client.rs
@@ -28,10 +28,7 @@ pub use certificate::CertificateClient;
#[cfg(feature = "counter-client")]
pub use counter::CounterClient;
#[cfg(feature = "crypto-client")]
pub use crypto::{
Aes256Cbc, Chacha8Poly1305, CryptoClient, Ed255, HmacBlake2s, HmacSha1, HmacSha256, HmacSha512,
Sha256, Tdes, Totp, P256, P384, P521, X255,
};
pub use crypto::*;
#[cfg(feature = "filesystem-client")]
pub use filesystem::FilesystemClient;
#[cfg(feature = "management-client")]
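Review bot: `pub use crypto::*;` re-exports every public item of `crypto`, so anything later made `pub` in that module joins the crate's public API without showing up in this file. The glob is presumably there because each trait in crypto.rs now carries its own `#[cfg(feature = ...)]` and an explicit list would have to repeat those gates. A comment saying so would stop a later cleanup from reverting it, e.g. `// Glob on purpose: each mechanism trait in crypto.rs is gated by its own feature`. If the module holds helpers that should stay internal, they now need `pub(crate)`.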
14 changes: 14 additions & 0 deletions core/src/client/crypto.rs
@@ -283,6 +283,7 @@ pub trait CryptoClient: PollClient {
}
}

#[cfg(feature = "aes256-cbc")]
pub trait Aes256Cbc: CryptoClient {
fn decrypt_aes256cbc<'c>(
&'c mut self,
@@ -309,6 +310,7 @@ pub trait Aes256Cbc: CryptoClient {
}
}

#[cfg(feature = "chacha8-poly1305")]
pub trait Chacha8Poly1305: CryptoClient {
fn decrypt_chacha8poly1305<'c>(
&'c mut self,
@@ -388,6 +390,7 @@ pub trait Chacha8Poly1305: CryptoClient {
}
}

#[cfg(feature = "hmac-blake2s")]
pub trait HmacBlake2s: CryptoClient {
fn hmacblake2s_derive_key(
&mut self,
@@ -417,6 +420,7 @@ pub trait HmacBlake2s: CryptoClient {
}
}

#[cfg(feature = "hmac-sha1")]
pub trait HmacSha1: CryptoClient {
fn hmacsha1_derive_key(
&mut self,
@@ -446,6 +450,7 @@ pub trait HmacSha1: CryptoClient {
}
}

#[cfg(feature = "hmac-sha256")]
pub trait HmacSha256: CryptoClient {
fn hmacsha256_derive_key(
&mut self,
@@ -475,6 +480,7 @@ pub trait HmacSha256: CryptoClient {
}
}

#[cfg(feature = "hmac-sha512")]
pub trait HmacSha512: CryptoClient {
fn hmacsha512_derive_key(
&mut self,
@@ -504,6 +510,7 @@ pub trait HmacSha512: CryptoClient {
}
}

#[cfg(feature = "ed255")]
pub trait Ed255: CryptoClient {
fn generate_ed255_private_key(
&mut self,
@@ -569,6 +576,7 @@ pub trait Ed255: CryptoClient {
}
}

#[cfg(feature = "p256")]
pub trait P256: CryptoClient {
fn generate_p256_private_key(
&mut self,
@@ -655,6 +663,7 @@ pub trait P256: CryptoClient {
}
}

#[cfg(feature = "p384")]
pub trait P384: CryptoClient {
fn generate_p384_private_key(
&mut self,
@@ -741,6 +750,7 @@ pub trait P384: CryptoClient {
}
}

#[cfg(feature = "p521")]
pub trait P521: CryptoClient {
fn generate_p521_private_key(
&mut self,
@@ -827,6 +837,7 @@ pub trait P521: CryptoClient {
}
}

#[cfg(feature = "sha256")]
pub trait Sha256: CryptoClient {
fn sha256_derive_key(
&mut self,
@@ -849,6 +860,7 @@ pub trait Sha256: CryptoClient {
}
}

#[cfg(feature = "tdes")]
pub trait Tdes: CryptoClient {
fn decrypt_tdes<'c>(
&'c mut self,
@@ -867,6 +879,7 @@ pub trait Tdes: CryptoClient {
}
}

#[cfg(feature = "totp")]
pub trait Totp: CryptoClient {
fn sign_totp(&mut self, key: KeyId, timestamp: u64) -> ClientResult<'_, reply::Sign, Self> {
self.sign(
@@ -878,6 +891,7 @@ pub trait Totp: CryptoClient {
}
}

#[cfg(feature = "x255")]
pub trait X255: CryptoClient {
fn generate_x255_secret_key(
&mut self,
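Review bot: None of the fourteen traits gated in this file says which feature it needs, so a user who hits an unresolved `Aes256Cbc` import has to read the source to find the flag. A doc line on each trait would fix that, e.g. `/// Available only with the "aes256-cbc" feature.` above `pub trait Aes256Cbc`, and likewise for the other thirteen. Every trait body continues outside its hunk, so any existing doc comments on the methods are not visible here.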