feat: add blapi feature to bypass PKCS#11 in RecordProtection

Calls freebl AES-GCM and ChaCha20-Poly1305 primitives directly instead
of going through `PK11_AEADOp` → softoken, eliminating the
`sftk_SessionFromHandle` mutex and hash-table overhead (~7.6% CPU on
the hot path).

`RecordProtection::new` takes a `Mode` so callers that know their
direction (send vs. receive) create only the context they need.

NOTE: bypasses softoken's FIPS self-test gate.  Intentional for neqo
(non-FIPS).

Author: larseggert

.github/actions/check-android/action.yml

@@ -47,7 +47,7 @@ runs:
       with:
         version: stable
         targets: ${{ inputs.target }}
-        tools: cargo-ndk@^4
+        tools: cargo-ndk@^4, cargo-hack
         token: ${{ inputs.github-token }}
 
     - uses: mozilla/actions/nss@27cbe8fb5d338c2861b787e5de10410559065db1 # v1.1.3
@@ -62,7 +62,7 @@ runs:
         TARGET: ${{ startsWith(inputs.target, 'arm') && 'arm64-v8a' || inputs.target }}
         API_LEVEL: ${{ inputs.api-level }}
         WD: ${{ inputs.working-directory }}
-      run: cd "$WD" && cargo ndk --platform "$API_LEVEL" --target "$TARGET" test --no-run
+      run: cd "$WD" && cargo hack --feature-powerset --exclude-features gecko,blapi ndk --platform "$API_LEVEL" --target "$TARGET" test --no-run
 
     # FIXME: Enable emulator testing for aarch64 once Google ships Android
     # emulator binaries for ARM64 Linux hosts.

.github/actions/check-vm/action.yml

@@ -102,12 +102,15 @@ runs:
                         ;;
           esac
           cargo fmt --all -- --check
+          cargo install cargo-hack --locked
           case "$PLATFORM" in
             freebsd)    cargo install cargo-llvm-cov --locked
                         cargo llvm-cov test --locked --no-fail-fast --codecov --output-path codecov.json
+                        cargo hack test --locked --no-fail-fast --feature-powerset --exclude-features gecko,blapi
                         ;;
             *)          # FIXME: No profiler support on other platforms, error is: cannot find crate for profiler_builtins
                         cargo test --locked --no-fail-fast # We do this instead for now
+                        cargo hack test --locked --no-fail-fast --feature-powerset --exclude-features gecko,blapi
                         ;;
           esac
           cargo test --locked --no-fail-fast --release

.github/workflows/check.yml

@@ -83,7 +83,7 @@ jobs:
         with:
           version: ${{ matrix.rust-toolchain }}
           components: ${{ matrix.rust-toolchain == 'stable' && 'llvm-tools' || '' }} ${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'rust-src ' || '' }}
-          tools: ${{ matrix.rust-toolchain == 'stable' && 'cargo-llvm-cov' || '' }} ${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'cargo-careful ' || '' }}
+          tools: ${{ matrix.rust-toolchain == 'stable' && 'cargo-llvm-cov' || '' }} ${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'cargo-careful ' || '' }} cargo-hack
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - uses: mozilla/actions/nss@27cbe8fb5d338c2861b787e5de10410559065db1 # v1.1.3
@@ -96,6 +96,11 @@ jobs:
           # shellcheck disable=SC2086
           cargo check $BUILD_TYPE --locked --all-targets
 
+      - name: Check feature powerset
+        run: |
+          # shellcheck disable=SC2086
+          cargo hack check $BUILD_TYPE --locked --feature-powerset --no-dev-deps --exclude-features gecko --mutually-exclusive-features blapi,disable-encryption
+
       - name: Run tests and determine coverage
         env:
           RUST_LOG: trace
@@ -119,6 +124,11 @@ jobs:
             cargo $CAREFUL test $BUILD_TYPE --locked $TRIPLE
           fi
 
+      - name: Test feature powerset
+        run: |
+          # shellcheck disable=SC2086
+          cargo hack test $BUILD_TYPE --locked --feature-powerset --exclude-features gecko --mutually-exclusive-features blapi,disable-encryption
+
       - name: CodeCov Windows workaround
         if: ${{ startsWith(matrix.os, 'windows') && matrix.type == 'debug' && matrix.rust-toolchain == 'stable' }}
         run: |

.github/workflows/clippy.yml

@@ -59,7 +59,7 @@ jobs:
       # respective default features only. Can reveal warnings otherwise
       # hidden given that a plain cargo clippy combines all features of the
       # workspace. See e.g. https://github.com/mozilla/neqo/pull/1695.
-      - run: cargo hack clippy --feature-powerset --no-dev-deps --exclude-features gecko -- -D warnings
+      - run: cargo hack clippy --feature-powerset --no-dev-deps --exclude-features gecko --mutually-exclusive-features blapi,disable-encryption -- -D warnings
       - run: cargo clippy --locked --workspace --all-targets -- -D warnings
       - run: cargo doc --locked --workspace --no-deps --document-private-items
         env:

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "nss-rs"
-version = "0.11.0"
+version = "0.12.0"
 authors = ["Martin Thomson <mt@lowentropy.net>", "Andy Leiserson <aleiserson@mozilla.com>", "John M. Schanck <jschanck@mozilla.com>", "Benjamin Beurdouche <beurdouche@mozilla.com>", "Anna Weine <anna.weine@mozilla.com>"]
 categories = ["network-programming", "web-programming"]
 keywords = ["nss", "crypto", "mozilla", "firefox"]
@@ -124,6 +124,9 @@ verbose_file_reads = "warn"
 
 [features]
 bench = ["log/release_max_level_info"]
+# Bypass PKCS#11 session layer for RecordProtection AEAD operations by calling
+# freebl directly. Improves performance but skips softoken's FIPS self-test gate.
+blapi = []
 disable-encryption = []
 disable-random = []
 gecko = ["mozbuild"]

Cargo.toml

@@ -229,6 +229,9 @@ fn dynamic_link() {
     for lib in dynamic_libs {
         println!("cargo:rustc-link-lib=dylib={lib}");
     }
+    if env::var("CARGO_FEATURE_BLAPI").is_ok() {
+        println!("cargo:rustc-link-lib=dylib=freebl3");
+    }
 }
 
 fn static_link() {
@@ -396,19 +399,39 @@ fn pkg_config() -> Result<Vec<String>, Box<dyn Error>> {
     let cfg_str = String::from_utf8(cfg)?;
 
     let mut flags: Vec<String> = Vec::new();
+    let mut lib_dirs: Vec<PathBuf> = Vec::new();
 
     for f in cfg_str.split_whitespace() {
         if f.starts_with("-I") {
             flags.push(String::from(f));
         } else if let Some(path) = f.strip_prefix("-L") {
             println!("cargo:rustc-link-search=native={path}");
+            lib_dirs.push(PathBuf::from(path));
         } else if let Some(lib) = f.strip_prefix("-l") {
             println!("cargo:rustc-link-lib=dylib={lib}");
         } else {
             println!("cargo:warning=Unknown flag from pkg-config: {f}");
         }
     }
 
+    if env::var("CARGO_FEATURE_BLAPI").is_ok() {
+        let dylib_ext = if env::var("CARGO_CFG_TARGET_OS").as_deref() == Ok("macos") {
+            "dylib"
+        } else {
+            "so"
+        };
+        if !lib_dirs
+            .iter()
+            .any(|dir| dir.join(format!("libfreebl3.{dylib_ext}")).exists())
+        {
+            panic!(
+                "blapi feature requires libfreebl3.{dylib_ext} in the pkg-config \
+                 library paths. Set NSS_DIR to a standalone NSS source build."
+            );
+        }
+        println!("cargo:rustc-link-lib=dylib=freebl3");
+    }
+
     Ok(flags)
 }
 

build.rs

@@ -4,27 +4,144 @@
 // option. This file may not be copied, modified, or distributed
 // except according to those terms.
 
+#[cfg(not(feature = "disable-encryption"))]
+use std::os::raw::{c_char, c_uint};
+#[cfg(not(feature = "disable-encryption"))]
+use std::ptr::null;
 use std::{os::raw::c_int, ptr::null_mut};
 
 #[cfg(feature = "disable-encryption")]
 pub use recprot::AEAD_NULL_TAG;
 pub use recprot::RecordProtection;
 
 use crate::{
-    SECItemBorrowed, SymKey,
-    err::{Error, Res},
+    Cipher, SECItemBorrowed, SymKey,
+    constants::{TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256},
+    err::{Error, Res, sec::SEC_ERROR_BAD_DATA},
     p11::{
         self, CK_ATTRIBUTE_TYPE, CK_GENERATOR_FUNCTION, CK_MECHANISM_TYPE, CKA_DECRYPT,
         CKA_ENCRYPT, CKA_NSS_MESSAGE, CKG_GENERATE_COUNTER_XOR, CKG_NO_GENERATE, CKM_AES_GCM,
         CKM_CHACHA20_POLY1305, Context, PK11_AEADOp, PK11_CreateContextBySymKey,
     },
     secstatus_to_res,
 };
+#[cfg(not(feature = "disable-encryption"))]
+use crate::{
+    Version,
+    hp::SSL_HkdfExpandLabelWithMech,
+    p11::{CKM_HKDF_DATA, PK11SymKey},
+};
+
+#[cfg(all(feature = "blapi", feature = "disable-encryption"))]
+compile_error!("`blapi` and `disable-encryption` are mutually exclusive features");
+
+/// Shared API contract for all `RecordProtection` backends.
+///
+/// Implemented by each cfg-selected `recprot*.rs` backend so that a
+/// signature change in one backend is caught at compile time across all.
+/// Import this trait to call AEAD methods on `RecordProtection`.
+pub trait RecordProtectionOps {
+    /// Get the expansion size (authentication tag length) for this AEAD.
+    #[must_use]
+    fn expansion(&self) -> usize;
+
+    /// Encrypt plaintext with associated data.
+    ///
+    /// # Errors
+    ///
+    /// Returns `Error` when encryption fails.
+    fn encrypt<'a>(
+        &self,
+        count: u64,
+        aad: &[u8],
+        input: &[u8],
+        output: &'a mut [u8],
+    ) -> Res<&'a [u8]>;
+
+    /// Encrypt plaintext in place with associated data.
+    ///
+    /// # Errors
+    ///
+    /// Returns `Error` when encryption fails.
+    fn encrypt_in_place(&self, count: u64, aad: &[u8], data: &mut [u8]) -> Res<usize>;
+
+    /// Decrypt ciphertext with associated data.
+    ///
+    /// # Errors
+    ///
+    /// Returns `Error` when decryption or authentication fails.
+    fn decrypt<'a>(
+        &self,
+        count: u64,
+        aad: &[u8],
+        input: &[u8],
+        output: &'a mut [u8],
+    ) -> Res<&'a [u8]>;
+
+    /// Decrypt ciphertext in place with associated data.
+    ///
+    /// # Errors
+    ///
+    /// Returns `Error` when decryption or authentication fails.
+    fn decrypt_in_place(&self, count: u64, aad: &[u8], data: &mut [u8]) -> Res<usize>;
+}
 
 #[cfg_attr(feature = "disable-encryption", path = "recprot_null.rs")]
-#[cfg_attr(not(feature = "disable-encryption"), path = "recprot.rs")]
+#[cfg_attr(
+    all(not(feature = "disable-encryption"), feature = "blapi"),
+    path = "recprot_blapi.rs"
+)]
+#[cfg_attr(
+    all(not(feature = "disable-encryption"), not(feature = "blapi")),
+    path = "recprot.rs"
+)]
 mod recprot;
 
+#[cfg(not(feature = "disable-encryption"))]
+fn expand_label(
+    version: Version,
+    cipher: Cipher,
+    secret: &SymKey,
+    label: &str,
+    mech: CK_MECHANISM_TYPE,
+    key_len: c_uint,
+) -> Res<SymKey> {
+    let mut ptr: *mut PK11SymKey = null_mut();
+    unsafe {
+        SSL_HkdfExpandLabelWithMech(
+            version,
+            cipher,
+            **secret,
+            null(),
+            0,
+            label.as_ptr().cast::<c_char>(),
+            c_uint::try_from(label.len())?,
+            mech,
+            key_len,
+            &raw mut ptr,
+        )
+    }?;
+    SymKey::from_ptr(ptr)
+}
+
+#[cfg(not(feature = "disable-encryption"))]
+fn expand_hkdf_label(
+    version: Version,
+    cipher: Cipher,
+    secret: &SymKey,
+    label: &str,
+    key_len: c_uint,
+) -> Res<SymKey> {
+    expand_label(
+        version,
+        cipher,
+        secret,
+        label,
+        CK_MECHANISM_TYPE::from(CKM_HKDF_DATA),
+        key_len,
+    )
+}
+
 /// All the nonces are the same length.  Exploit that.
 pub const NONCE_LEN: usize = 12;
 
@@ -46,6 +163,18 @@ fn xor_nonce(base: &[u8; NONCE_LEN], count: SequenceNumber) -> [u8; NONCE_LEN] {
 /// All of the AEAD functions here have a tag of this length, so use a fixed offset.
 const TAG_LEN: usize = 16;
 
+/// Split `data` into `(ct_len, tag)`, returning `SEC_ERROR_BAD_DATA` if it is
+/// too short to contain a tag.
+fn split_tag(data: &[u8]) -> Res<(usize, [u8; TAG_LEN])> {
+    let ct_len = data
+        .len()
+        .checked_sub(TAG_LEN)
+        .ok_or_else(|| Error::from(SEC_ERROR_BAD_DATA))?;
+    let mut tag = [0u8; TAG_LEN];
+    tag.copy_from_slice(&data[ct_len..]);
+    Ok((ct_len, tag))
+}
+
 pub type SequenceNumber = u64;
 
 /// All the lengths used by `PK11_AEADOp` are signed.  This converts to that.
@@ -82,20 +211,43 @@ pub enum AeadAlgorithms {
     ChaCha20Poly1305,
 }
 
+impl AeadAlgorithms {
+    #[must_use]
+    pub const fn key_len(self) -> usize {
+        match self {
+            Self::Aes128Gcm => 16,
+            Self::Aes256Gcm | Self::ChaCha20Poly1305 => 32,
+        }
+    }
+
+    #[must_use]
+    pub fn p11_mech(self) -> CK_MECHANISM_TYPE {
+        CK_MECHANISM_TYPE::from(match self {
+            Self::Aes128Gcm | Self::Aes256Gcm => CKM_AES_GCM,
+            Self::ChaCha20Poly1305 => CKM_CHACHA20_POLY1305,
+        })
+    }
+}
+
+impl TryFrom<Cipher> for AeadAlgorithms {
+    type Error = Error;
+    fn try_from(cipher: Cipher) -> Res<Self> {
+        match cipher {
+            TLS_AES_128_GCM_SHA256 => Ok(Self::Aes128Gcm),
+            TLS_AES_256_GCM_SHA384 => Ok(Self::Aes256Gcm),
+            TLS_CHACHA20_POLY1305_SHA256 => Ok(Self::ChaCha20Poly1305),
+            _ => Err(Error::UnsupportedCipher),
+        }
+    }
+}
+
 pub struct Aead {
     mode: Mode,
     ctx: Context,
     nonce_base: [u8; NONCE_LEN],
 }
 
 impl Aead {
-    fn mech(algorithm: AeadAlgorithms) -> CK_MECHANISM_TYPE {
-        CK_MECHANISM_TYPE::from(match algorithm {
-            AeadAlgorithms::Aes128Gcm | AeadAlgorithms::Aes256Gcm => CKM_AES_GCM,
-            AeadAlgorithms::ChaCha20Poly1305 => CKM_CHACHA20_POLY1305,
-        })
-    }
-
     pub fn import_key(algorithm: AeadAlgorithms, key: &[u8]) -> Result<SymKey, Error> {
         let slot = p11::Slot::internal().map_err(|_| Error::Internal)?;
 
@@ -105,7 +257,7 @@ impl Aead {
         let ptr = unsafe {
             p11::PK11_ImportSymKey(
                 *slot,
-                Self::mech(algorithm),
+                algorithm.p11_mech(),
                 p11::PK11Origin::PK11_OriginUnwrap,
                 CK_ATTRIBUTE_TYPE::from(CKA_ENCRYPT | CKA_DECRYPT),
                 key_item_ptr,
@@ -125,7 +277,7 @@ impl Aead {
 
         let ptr = unsafe {
             PK11_CreateContextBySymKey(
-                Self::mech(algorithm),
+                algorithm.p11_mech(),
                 mode.p11mode(),
                 **key,
                 SECItemBorrowed::wrap(&nonce_base[..])?.as_ref(),