diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml index e7120133ea2..1e329c568a3 100644 --- a/.github/workflows/analysis.yml +++ b/.github/workflows/analysis.yml @@ -20,8 +20,8 @@ env: RUST_SCRIPT_NIGHTLY_TOOLCHAIN: nightly-2024-05-22 # Mirai version tag, updates this whenever a new version # is released. - MIRAI_TOOLCHAIN: nightly-2023-05-09 - MIRAI_TAG: v1.1.8 + MIRAI_TOOLCHAIN: nightly-2023-12-30 + MIRAI_TAG: v1.1.9 jobs: rustfmt: @@ -222,21 +222,19 @@ jobs: - name: Set Rust toolchain override run: rustup override set ${{ steps.toolchain.outputs.name }} - # https://github.com/facebookexperimental/MIRAI/blob/main/documentation/InstallationGuide.md#installing-mirai-into-cargo + # https://github.com/endorlabs/MIRAI/blob/main/documentation/InstallationGuide.md#installing-mirai-into-cargo - name: Install MIRAI run: | MIRAI_TMP_SRC=$(mktemp -d) - git clone --depth 1 --branch ${{ env.MIRAI_TAG }} https://github.com/facebookexperimental/MIRAI.git ${MIRAI_TMP_SRC} + git clone --depth 1 --branch ${{ env.MIRAI_TAG }} https://github.com/endorlabs/MIRAI.git ${MIRAI_TMP_SRC} pushd ${MIRAI_TMP_SRC} - cargo install --locked --force --path ./checker --no-default-features + cargo install --locked --force --path ./checker popd rm -rf ${MIRAI_TMP_SRC} - name: Run MIRAI working-directory: ./aws-lc-rs run: | - cargo update - cargo update -p clap --precise 4.4.18 cargo mirai minimal-versions: diff --git a/aws-lc-rs/src/rsa/encryption/oaep.rs b/aws-lc-rs/src/rsa/encryption/oaep.rs index 45d4e723a71..2b03b5cf922 100644 --- a/aws-lc-rs/src/rsa/encryption/oaep.rs +++ b/aws-lc-rs/src/rsa/encryption/oaep.rs 
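Review bot: The "Install MIRAI" step clones `https://github.com/endorlabs/MIRAI.git` by tag (`--branch ${{ env.MIRAI_TAG }}`) and then builds and runs the result in CI, but a tag is a mutable ref, so the installed code can change without this workflow changing. Since this commit also moves the source to a different organisation, it is a good moment to pin the exact commit. Record the expected hash in `env` (for example a new `MIRAI_COMMIT: <full-commit-sha>`) and fail the step when `git -C "${MIRAI_TMP_SRC}" rev-parse HEAD` differs from it. Dropping `--no-default-features` also changes what is compiled from that checkout, so a one-line comment naming the default feature that is now required would help the next reviewer.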
@@ -167,7 +167,11 @@ impl OaepPublicEncryptingKey { }; // The RSA-OAEP algorithms we support use the hashing algorithm for the hash and mgf1 functions. - self.key_size_bytes() - 2 * hash_len - 2 + self.key_size_bytes() + .checked_sub(2 * hash_len) + .unwrap() + .checked_sub(2) + .unwrap() } /// Returns the max ciphertext size that will be output by `Self::encrypt`. diff --git a/aws-lc-rs/src/rsa/encryption/pkcs1.rs b/aws-lc-rs/src/rsa/encryption/pkcs1.rs index 002d422dd46..63095d12156 100644 --- a/aws-lc-rs/src/rsa/encryption/pkcs1.rs +++ b/aws-lc-rs/src/rsa/encryption/pkcs1.rs @@ -81,7 +81,9 @@ impl Pkcs1PublicEncryptingKey { #[must_use] pub fn max_plaintext_size(&self) -> usize { const RSA_PKCS1_PADDING_SIZE: usize = 11; // crypto/fipsmodule/rsa/internal.h - self.key_size_bytes() - RSA_PKCS1_PADDING_SIZE + self.key_size_bytes() + .checked_sub(RSA_PKCS1_PADDING_SIZE) + .unwrap() } /// Returns the max ciphertext size that will be output by `Self::encrypt`. diff --git a/aws-lc-rs/tests/aead_test.rs b/aws-lc-rs/tests/aead_test.rs index 96ca9ad79bb..4dcb9a91c11 100644 --- a/aws-lc-rs/tests/aead_test.rs +++ b/aws-lc-rs/tests/aead_test.rs @@ -476,7 +476,7 @@ fn test_aead_key_sizes(aead_alg: &'static aead::Algorithm) { #[test] fn test_aead_nonce_sizes() { let nonce_len = NONCE_LEN; - let nonce = vec![0u8; nonce_len * 2]; + let nonce = vec![0u8; nonce_len.checked_mul(2).unwrap()]; assert!(Nonce::try_assume_unique_for_key(&nonce[..nonce_len]).is_ok()); assert!(Nonce::try_assume_unique_for_key(&nonce[..(nonce_len - 1)]).is_err()); diff --git a/aws-lc-rs/tests/cipher_test.rs b/aws-lc-rs/tests/cipher_test.rs index bbf844d89c2..004dac0ec9b 100644 --- a/aws-lc-rs/tests/cipher_test.rs +++ b/aws-lc-rs/tests/cipher_test.rs 
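Review bot: The new `.checked_sub(2 * hash_len).unwrap().checked_sub(2).unwrap()` chain in `OaepPublicEncryptingKey` (apparently `max_plaintext_size`, whose signature is outside the hunk) turns an underflow into a bare panic in a public library method without stating why it cannot happen. If key construction already guarantees a modulus larger than the padding overhead (not visible here), state that invariant with `.expect("RSA key size exceeds OAEP overhead")` and add a `# Panics` section to the doc comment. The inner `2 * hash_len` is still a plain multiplication, which is inconsistent with the rest of the expression. The same applies to `Pkcs1PublicEncryptingKey::max_plaintext_size` in pkcs1.rs (`.checked_sub(RSA_PKCS1_PADDING_SIZE).unwrap()`).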
@@ -27,7 +27,11 @@ fn step_encrypt( if in_end > n { in_end = n; } - let out_end = out_idx + (in_end - in_idx) + alg.block_len(); + let out_end = out_idx + .checked_add(in_end - in_idx) + .unwrap() + .checked_add(alg.block_len()) + .unwrap(); let output = encrypting_key .update( &plaintext[in_idx..in_end], @@ -35,17 +39,17 @@ fn step_encrypt( ) .unwrap(); in_idx += step; - out_idx += output.written().len(); + out_idx = out_idx.checked_add(output.written().len()).unwrap(); if in_idx >= n { break; } } - let out_end = out_idx + alg.block_len(); + let out_end = out_idx.checked_add(alg.block_len()).unwrap(); let (decrypt_iv, output) = encrypting_key .finish(&mut ciphertext[out_idx..out_end]) .unwrap(); let outlen = output.written().len(); - ciphertext.truncate(out_idx + outlen); + ciphertext.truncate(out_idx.checked_add(outlen).unwrap()); match mode { OperatingMode::CBC => { assert!(ciphertext.len() > plaintext.len()); @@ -77,7 +81,11 @@ fn step_decrypt( if in_end > n { in_end = n; } - let out_end = out_idx + (in_end - in_idx) + alg.block_len(); + let out_end = out_idx + .checked_add(in_end - in_idx) + .unwrap() + .checked_add(alg.block_len()) + .unwrap(); let output = decrypting_key .update( &ciphertext[in_idx..in_end], 
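Review bot: In `step_encrypt` the conversion to checked arithmetic is partial: `in_end - in_idx` inside the first `checked_add` and the unchanged `in_idx += step;` are still plain operators, so the function now mixes two conventions. Either convert those as well, or name the span once with `let chunk = in_end.checked_sub(in_idx).unwrap();` and pass `chunk` to `checked_add`. The same pattern repeats in the `step_decrypt` hunks. Both functions start outside the hunks shown, so the relation between `in_end`, `in_idx` and `step` is not visible here.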
@@ -85,21 +93,21 @@ fn step_decrypt( ) .unwrap(); in_idx += step; - out_idx += output.written().len(); + out_idx = out_idx.checked_add(output.written().len()).unwrap(); if in_idx >= n { break; } } - let out_end = out_idx + alg.block_len(); + let out_end = out_idx.checked_add(alg.block_len()).unwrap(); let output = decrypting_key .finish(&mut plaintext[out_idx..out_end]) .unwrap(); let outlen = output.written().len(); - plaintext.truncate(out_idx + outlen); + plaintext.truncate(out_idx.checked_add(outlen).unwrap()); match mode { OperatingMode::CBC => { assert!(ciphertext.len() > plaintext.len()); - assert!(ciphertext.len() <= plaintext.len() + alg.block_len()); + assert!(ciphertext.len() <= plaintext.len().checked_add(alg.block_len()).unwrap()); } OperatingMode::CTR => { assert_eq!(ciphertext.len(), plaintext.len()); diff --git a/aws-lc-rs/tests/hkdf_test.rs b/aws-lc-rs/tests/hkdf_test.rs index 1af6fa453ee..df092da403a 100644 --- a/aws-lc-rs/tests/hkdf_test.rs +++ b/aws-lc-rs/tests/hkdf_test.rs @@ -55,7 +55,9 @@ fn hkdf_output_len_tests() { assert_eq!(&result.0, &[]); } - let max_out_len = MAX_BLOCKS * alg.hmac_algorithm().digest_algorithm().output_len; + let max_out_len = MAX_BLOCKS + .checked_mul(alg.hmac_algorithm().digest_algorithm().output_len) + .unwrap(); { // Test maximum length output succeeds. @@ -66,7 +68,9 @@ fn hkdf_output_len_tests() { { // Test too-large output fails. - assert!(prk.expand(&[b"info"], My(max_out_len + 1)).is_err()); + assert!(prk + .expand(&[b"info"], My(max_out_len.checked_add(1).unwrap())) + .is_err()); } { diff --git a/aws-lc-rs/tests/pbkdf2_test.rs b/aws-lc-rs/tests/pbkdf2_test.rs index b67c0139bdf..755fa781dc4 100644 --- a/aws-lc-rs/tests/pbkdf2_test.rs +++ b/aws-lc-rs/tests/pbkdf2_test.rs @@ -5,6 +5,7 @@ use aws_lc_rs::{digest, error, pbkdf2, test, test_file}; use core::num::NonZeroU32; +use mirai_annotations::unrecoverable; /// Test vectors from `BoringSSL`, Go, and other sources. #[test] 
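Review bot: `use mirai_annotations::unrecoverable;` makes this integration test depend on the `mirai_annotations` crate, and no manifest change is visible in this part of the diff. If the crate is not already available to the test target (for example under `[dev-dependencies]`), `pbkdf2_test.rs` will not build. A short comment at the import saying why an analyzer annotation replaces `panic!` in the later `pbkdf2_tests` hunk would also help, since the test otherwise reads as if it had taken on a tooling dependency for no functional reason.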
@@ -35,7 +36,7 @@ fn pbkdf2_tests() { let verify_expected_result = match verify_expected_result.as_str() { "OK" => Ok(()), "Err" => Err(error::Unspecified), - _ => panic!("Unsupported value of \"Verify\""), + _ => unrecoverable!("Unsupported value of \"Verify\""), }; { diff --git a/aws-lc-rs/tests/rsa_test.rs b/aws-lc-rs/tests/rsa_test.rs index 5550b826476..37946eb1ffc 100644 --- a/aws-lc-rs/tests/rsa_test.rs +++ b/aws-lc-rs/tests/rsa_test.rs @@ -581,7 +581,8 @@ macro_rules! round_trip_oaep_algorithm { // max_plaintext_size+1 message { - let message = vec![1u8; public_key.max_plaintext_size($alg) + 1]; + let msg_len: usize = public_key.max_plaintext_size($alg).checked_add(1).unwrap(); + let message = vec![1u8; msg_len]; let mut ciphertext = vec![0u8; private_key.min_output_size()]; public_key @@ -903,7 +904,13 @@ fn errors_on_larger_than_max_plaintext() { let oaep_parsed_public = OaepPublicEncryptingKey::new(parsed_public_key.clone()).expect("supported key"); - let message = vec![42u8; oaep_parsed_public.max_plaintext_size(&OAEP_SHA256_MGF1SHA256) + 1]; + let message = vec![ + 42u8; + oaep_parsed_public + .max_plaintext_size(&OAEP_SHA256_MGF1SHA256) + .checked_add(1) + .unwrap() + ]; let mut ciphertext = vec![0u8; oaep_parsed_public.ciphertext_size()]; oaep_parsed_public @@ -913,7 +920,13 @@ fn errors_on_larger_than_max_plaintext() { let pkcs1_parsed_public = Pkcs1PublicEncryptingKey::new(parsed_public_key.clone()).expect("supported key"); - let message = vec![42u8; pkcs1_parsed_public.max_plaintext_size() + 1]; + let message = vec![ + 42u8; + pkcs1_parsed_public + .max_plaintext_size() + .checked_add(1) + .unwrap() + ]; let mut ciphertext = vec![0u8; pkcs1_parsed_public.ciphertext_size()]; pkcs1_parsed_public