Fix mirai-analysis CI

.github/workflows/analysis.yml

@@ -20,8 +20,8 @@ env:
   RUST_SCRIPT_NIGHTLY_TOOLCHAIN: nightly-2024-05-22
   # Mirai version tag, updates this whenever a new version
   # is released.
-  MIRAI_TOOLCHAIN: nightly-2023-05-09
-  MIRAI_TAG: v1.1.8
+  MIRAI_TOOLCHAIN: nightly-2023-12-30
+  MIRAI_TAG: v1.1.9
 
 jobs:
   rustfmt:
@@ -213,31 +213,32 @@ jobs:
         with:
           submodules: 'recursive'
           lfs: true
-
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: stable
       - uses: dtolnay/rust-toolchain@master
         id: toolchain
         with:
           toolchain: ${{ env.MIRAI_TOOLCHAIN }}
-          components: rust-src, rustc-dev, llvm-tools-preview
-      - name: Set Rust toolchain override
-        run: rustup override set ${{ steps.toolchain.outputs.name }}
+          components: rust-src, rust-std, rustc-dev, llvm-tools, clippy, rustfmt
 
-      # https://github.com/facebookexperimental/MIRAI/blob/main/documentation/InstallationGuide.md#installing-mirai-into-cargo
+      # https://github.com/endorlabs/MIRAI/blob/main/documentation/InstallationGuide.md#installing-mirai-into-cargo
       - name: Install MIRAI
         run: |
           MIRAI_TMP_SRC=$(mktemp -d)
-          git clone --depth 1 --branch ${{ env.MIRAI_TAG }} https://github.com/facebookexperimental/MIRAI.git ${MIRAI_TMP_SRC}
+          git clone --depth 1 --branch ${{ env.MIRAI_TAG }} https://github.com/endorlabs/MIRAI.git ${MIRAI_TMP_SRC}
           pushd ${MIRAI_TMP_SRC}
-          cargo install --locked --force --path ./checker --no-default-features
+          cargo install --locked --force --path ./checker 
           popd
           rm -rf ${MIRAI_TMP_SRC}
 
       - name: Run MIRAI
         working-directory: ./aws-lc-rs
         run: |
+          cargo install cargo-audit
           cargo update
-          cargo update -p clap --precise 4.4.18
-          cargo mirai
+          cargo update -p libc --precise 0.2.156
+          cargo +${{ env.MIRAI_TOOLCHAIN }} mirai
 
   minimal-versions:
     if: github.repository_owner == 'aws'

aws-lc-rs/src/rsa/encryption/oaep.rs

@@ -156,6 +156,7 @@ impl OaepPublicEncryptingKey {
 
     /// Returns the max plaintext that could be decrypted using this key and with the provided algorithm.
     #[must_use]
+    #[allow(clippy::missing_panics_doc)]
     pub fn max_plaintext_size(&self, algorithm: &'static OaepAlgorithm) -> usize {
         #[allow(unreachable_patterns)]
         let hash_len: usize = match algorithm.id() {
@@ -167,7 +168,11 @@ impl OaepPublicEncryptingKey {
         };
 
         // The RSA-OAEP algorithms we support use the hashing algorithm for the hash and mgf1 functions.
-        self.key_size_bytes() - 2 * hash_len - 2
+        self.key_size_bytes()
+            .checked_sub(2 * hash_len)
+            .unwrap()
+            .checked_sub(2)
+            .unwrap()
     }
 
     /// Returns the max ciphertext size that will be output by `Self::encrypt`.

aws-lc-rs/src/rsa/encryption/pkcs1.rs

@@ -79,9 +79,12 @@ impl Pkcs1PublicEncryptingKey {
 
     /// Returns the max plaintext that could be encrypted using this key.
     #[must_use]
+    #[allow(clippy::missing_panics_doc)]
     pub fn max_plaintext_size(&self) -> usize {
         const RSA_PKCS1_PADDING_SIZE: usize = 11; // crypto/fipsmodule/rsa/internal.h
-        self.key_size_bytes() - RSA_PKCS1_PADDING_SIZE
+        self.key_size_bytes()
+            .checked_sub(RSA_PKCS1_PADDING_SIZE)
+            .unwrap()
     }
 
     /// Returns the max ciphertext size that will be output by `Self::encrypt`.

aws-lc-rs/tests/aead_test.rs

@@ -476,7 +476,7 @@ fn test_aead_key_sizes(aead_alg: &'static aead::Algorithm) {
 #[test]
 fn test_aead_nonce_sizes() {
     let nonce_len = NONCE_LEN;
-    let nonce = vec![0u8; nonce_len * 2];
+    let nonce = vec![0u8; nonce_len.checked_mul(2).unwrap()];
 
     assert!(Nonce::try_assume_unique_for_key(&nonce[..nonce_len]).is_ok());
     assert!(Nonce::try_assume_unique_for_key(&nonce[..(nonce_len - 1)]).is_err());

aws-lc-rs/tests/cipher_test.rs

@@ -27,25 +27,29 @@ fn step_encrypt(
         if in_end > n {
             in_end = n;
         }
-        let out_end = out_idx + (in_end - in_idx) + alg.block_len();
+        let out_end = out_idx
+            .checked_add(in_end - in_idx)
+            .unwrap()
+            .checked_add(alg.block_len())
+            .unwrap();
         let output = encrypting_key
             .update(
                 &plaintext[in_idx..in_end],
                 &mut ciphertext[out_idx..out_end],
             )
             .unwrap();
         in_idx += step;
-        out_idx += output.written().len();
+        out_idx = out_idx.checked_add(output.written().len()).unwrap();
         if in_idx >= n {
             break;
         }
     }
-    let out_end = out_idx + alg.block_len();
+    let out_end = out_idx.checked_add(alg.block_len()).unwrap();
     let (decrypt_iv, output) = encrypting_key
         .finish(&mut ciphertext[out_idx..out_end])
         .unwrap();
     let outlen = output.written().len();
-    ciphertext.truncate(out_idx + outlen);
+    ciphertext.truncate(out_idx.checked_add(outlen).unwrap());
     match mode {
         OperatingMode::CBC => {
             assert!(ciphertext.len() > plaintext.len());
@@ -77,29 +81,33 @@ fn step_decrypt(
         if in_end > n {
             in_end = n;
         }
-        let out_end = out_idx + (in_end - in_idx) + alg.block_len();
+        let out_end = out_idx
+            .checked_add(in_end - in_idx)
+            .unwrap()
+            .checked_add(alg.block_len())
+            .unwrap();
         let output = decrypting_key
             .update(
                 &ciphertext[in_idx..in_end],
                 &mut plaintext[out_idx..out_end],
             )
             .unwrap();
         in_idx += step;
-        out_idx += output.written().len();
+        out_idx = out_idx.checked_add(output.written().len()).unwrap();
         if in_idx >= n {
             break;
         }
     }
-    let out_end = out_idx + alg.block_len();
+    let out_end = out_idx.checked_add(alg.block_len()).unwrap();
     let output = decrypting_key
         .finish(&mut plaintext[out_idx..out_end])
         .unwrap();
     let outlen = output.written().len();
-    plaintext.truncate(out_idx + outlen);
+    plaintext.truncate(out_idx.checked_add(outlen).unwrap());
     match mode {
         OperatingMode::CBC => {
             assert!(ciphertext.len() > plaintext.len());
-            assert!(ciphertext.len() <= plaintext.len() + alg.block_len());
+            assert!(ciphertext.len() <= plaintext.len().checked_add(alg.block_len()).unwrap());
         }
         OperatingMode::CTR => {
             assert_eq!(ciphertext.len(), plaintext.len());

aws-lc-rs/tests/hkdf_test.rs

@@ -55,7 +55,9 @@ fn hkdf_output_len_tests() {
             assert_eq!(&result.0, &[]);
         }
 
-        let max_out_len = MAX_BLOCKS * alg.hmac_algorithm().digest_algorithm().output_len;
+        let max_out_len = MAX_BLOCKS
+            .checked_mul(alg.hmac_algorithm().digest_algorithm().output_len)
+            .unwrap();
 
         {
             // Test maximum length output succeeds.
@@ -66,7 +68,9 @@ fn hkdf_output_len_tests() {
 
         {
             // Test too-large output fails.
-            assert!(prk.expand(&[b"info"], My(max_out_len + 1)).is_err());
+            assert!(prk
+                .expand(&[b"info"], My(max_out_len.checked_add(1).unwrap()))
+                .is_err());
         }
 
         {

aws-lc-rs/tests/pbkdf2_test.rs

@@ -5,6 +5,7 @@
 
 use aws_lc_rs::{digest, error, pbkdf2, test, test_file};
 use core::num::NonZeroU32;
+use mirai_annotations::unrecoverable;
 
 /// Test vectors from `BoringSSL`, Go, and other sources.
 #[test]
@@ -35,7 +36,7 @@ fn pbkdf2_tests() {
         let verify_expected_result = match verify_expected_result.as_str() {
             "OK" => Ok(()),
             "Err" => Err(error::Unspecified),
-            _ => panic!("Unsupported value of \"Verify\""),
+            _ => unrecoverable!("Unsupported value of \"Verify\""),
         };
 
         {

aws-lc-rs/tests/rsa_test.rs

@@ -581,7 +581,8 @@ macro_rules! round_trip_oaep_algorithm {
 
             // max_plaintext_size+1 message
             {
-                let message = vec![1u8; public_key.max_plaintext_size($alg) + 1];
+                let msg_len: usize = public_key.max_plaintext_size($alg).checked_add(1).unwrap();
+                let message = vec![1u8; msg_len];
                 let mut ciphertext = vec![0u8; private_key.min_output_size()];
 
                 public_key
@@ -903,7 +904,13 @@ fn errors_on_larger_than_max_plaintext() {
     let oaep_parsed_public =
         OaepPublicEncryptingKey::new(parsed_public_key.clone()).expect("supported key");
 
-    let message = vec![42u8; oaep_parsed_public.max_plaintext_size(&OAEP_SHA256_MGF1SHA256) + 1];
+    let message = vec![
+        42u8;
+        oaep_parsed_public
+            .max_plaintext_size(&OAEP_SHA256_MGF1SHA256)
+            .checked_add(1)
+            .unwrap()
+    ];
 
     let mut ciphertext = vec![0u8; oaep_parsed_public.ciphertext_size()];
     oaep_parsed_public
@@ -913,7 +920,13 @@ fn errors_on_larger_than_max_plaintext() {
     let pkcs1_parsed_public =
         Pkcs1PublicEncryptingKey::new(parsed_public_key.clone()).expect("supported key");
 
-    let message = vec![42u8; pkcs1_parsed_public.max_plaintext_size() + 1];
+    let message = vec![
+        42u8;
+        pkcs1_parsed_public
+            .max_plaintext_size()
+            .checked_add(1)
+            .unwrap()
+    ];
 
     let mut ciphertext = vec![0u8; pkcs1_parsed_public.ciphertext_size()];
     pkcs1_parsed_public