feat: upgrade OpenMLS 0.5 → 0.8 for security patches and GREASE support

Migrates all MLS code in quicprochat-core from OpenMLS 0.5 to 0.8: - StorageProvider replaces OpenMlsKeyStore (keystore.rs full rewrite) - HybridCryptoProvider updated for new OpenMlsProvider trait - Group operations updated for new API signatures - MLS state persistence via MemoryStorage serialization - tls_codec 0.3 → 0.4, openmls_traits/rust_crypto 0.2 → 0.5
2026-03-08 17:50:15 +01:00
parent 077f48f19c
commit a05da9b751
20 changed files with 1433 additions and 657 deletions
--- a/crates/quicprochat-core/src/hybrid_crypto.rs
+++ b/crates/quicprochat-core/src/hybrid_crypto.rs
@@ -27,8 +27,9 @@ use openmls_traits::{
    crypto::OpenMlsCrypto,
    types::{
        CryptoError, ExporterSecret, HpkeCiphertext, HpkeConfig, HpkeKeyPair, HpkeKemType,
+        KemOutput,
    },
-    OpenMlsCryptoProvider,
+    OpenMlsProvider,
 };
 use tls_codec::SecretVLBytes;

@@ -128,6 +129,15 @@ impl OpenMlsCrypto for HybridCrypto {
        self.rust_crypto.hkdf_extract(hash_type, salt, ikm)
    }

+    fn hmac(
+        &self,
+        hash_type: HashType,
+        key: &[u8],
+        message: &[u8],
+    ) -> Result<SecretVLBytes, CryptoError> {
+        self.rust_crypto.hmac(hash_type, key, message)
+    }
+
    fn hkdf_expand(
        &self,
        hash_type: HashType,
@@ -189,25 +199,18 @@ impl OpenMlsCrypto for HybridCrypto {
        info: &[u8],
        aad: &[u8],
        ptxt: &[u8],
-    ) -> HpkeCiphertext {
+    ) -> Result<HpkeCiphertext, CryptoError> {
        if Self::is_hybrid_public_key(pk_r) {
-            // The trait `OpenMlsCrypto::hpke_seal` returns `HpkeCiphertext` (not
-            // `Result`), so we cannot propagate errors through the return type.
-            // Returning an empty ciphertext would silently cause data loss.
-            // Instead, panic on failure — a hybrid key that passes the length
-            // check but fails deserialization or encryption indicates a critical
-            // bug (corrupted key material), not a recoverable condition.
            let recipient_pk = HybridPublicKey::from_bytes(pk_r)
-                .expect("hybrid public key deserialization failed — key material is corrupted");
-            // Pass HPKE info and aad through for proper context binding (RFC 9180).
+                .map_err(|_| CryptoError::CryptoLibraryError)?;
            let envelope = hybrid_encrypt(&recipient_pk, ptxt, info, aad)
-                .expect("hybrid HPKE encryption failed — critical crypto error");
+                .map_err(|_| CryptoError::CryptoLibraryError)?;
            let kem_output = envelope[..HYBRID_KEM_OUTPUT_LEN].to_vec();
            let ciphertext = envelope[HYBRID_KEM_OUTPUT_LEN..].to_vec();
-            HpkeCiphertext {
+            Ok(HpkeCiphertext {
                kem_output: kem_output.into(),
                ciphertext: ciphertext.into(),
-            }
+            })
        } else {
            self.rust_crypto.hpke_seal(config, pk_r, info, aad, ptxt)
        }
@@ -245,7 +248,7 @@ impl OpenMlsCrypto for HybridCrypto {
        info: &[u8],
        exporter_context: &[u8],
        exporter_length: usize,
-    ) -> Result<(Vec<u8>, ExporterSecret), CryptoError> {
+    ) -> Result<(KemOutput, ExporterSecret), CryptoError> {
        if Self::is_hybrid_public_key(pk_r) {
            // A key that passes the hybrid length check but fails deserialization
            // is corrupted — return an error instead of silently downgrading to
@@ -286,14 +289,14 @@ impl OpenMlsCrypto for HybridCrypto {
        }
    }

-    fn derive_hpke_keypair(&self, config: HpkeConfig, ikm: &[u8]) -> HpkeKeyPair {
+    fn derive_hpke_keypair(&self, config: HpkeConfig, ikm: &[u8]) -> Result<HpkeKeyPair, CryptoError> {
        if self.hybrid_enabled && config.0 == HpkeKemType::DhKem25519 {
            let kp = HybridKeypair::derive_from_ikm(ikm);
            let private_bytes = kp.private_to_bytes();
-            HpkeKeyPair {
+            Ok(HpkeKeyPair {
                private: private_bytes.as_slice().into(),
                public: kp.public_key().to_bytes(),
-            }
+            })
        } else {
            self.rust_crypto.derive_hpke_keypair(config, ikm)
        }
@@ -343,10 +346,10 @@ impl Default for HybridCryptoProvider {
    }
 }

-impl OpenMlsCryptoProvider for HybridCryptoProvider {
+impl OpenMlsProvider for HybridCryptoProvider {
    type CryptoProvider = HybridCrypto;
    type RandProvider = RustCrypto;
-    type KeyStoreProvider = DiskKeyStore;
+    type StorageProvider = DiskKeyStore;

    fn crypto(&self) -> &Self::CryptoProvider {
        &self.crypto
@@ -356,7 +359,7 @@ impl OpenMlsCryptoProvider for HybridCryptoProvider {
        self.crypto.rust_crypto()
    }

-    fn key_store(&self) -> &Self::KeyStoreProvider {
+    fn storage(&self) -> &Self::StorageProvider {
        &self.key_store
    }
 }
@@ -383,7 +386,7 @@ mod tests {
        let crypto = HybridCrypto::new();
        let ikm = b"test-ikm-for-hybrid-hpke-keypair";

-        let keypair = crypto.derive_hpke_keypair(hpke_config_dhkem_x25519(), ikm);
+        let keypair = crypto.derive_hpke_keypair(hpke_config_dhkem_x25519(), ikm).unwrap();
        assert_eq!(keypair.public.len(), HYBRID_PUBLIC_KEY_LEN);
        assert_eq!(keypair.private.as_ref().len(), HYBRID_PRIVATE_KEY_LEN);

@@ -397,7 +400,7 @@ mod tests {
            info,
            aad,
            plaintext,
-        );
+        ).unwrap();
        assert!(!ct.kem_output.as_slice().is_empty());
        assert!(!ct.ciphertext.as_slice().is_empty());

@@ -419,7 +422,7 @@ mod tests {
        let crypto = HybridCrypto::new();
        let ikm = b"exporter-ikm";

-        let keypair = crypto.derive_hpke_keypair(hpke_config_dhkem_x25519(), ikm);
+        let keypair = crypto.derive_hpke_keypair(hpke_config_dhkem_x25519(), ikm).unwrap();
        let info = b"";
        let exporter_context = b"MLS 1.0 external init";
        let exporter_length = 32;
@@ -457,7 +460,7 @@ mod tests {
        let crypto = HybridCrypto::new_classical();
        let ikm = b"test-ikm-for-classical-hpke";

-        let keypair = crypto.derive_hpke_keypair(hpke_config_dhkem_x25519(), ikm);
+        let keypair = crypto.derive_hpke_keypair(hpke_config_dhkem_x25519(), ikm).unwrap();
        // Classical X25519 keys are 32 bytes
        assert_eq!(keypair.public.len(), 32);
        assert_eq!(keypair.private.as_ref().len(), 32);
@@ -469,7 +472,7 @@ mod tests {
        let crypto = HybridCrypto::new_classical();
        let ikm = b"test-ikm-for-classical-round-trip";

-        let keypair = crypto.derive_hpke_keypair(hpke_config_dhkem_x25519(), ikm);
+        let keypair = crypto.derive_hpke_keypair(hpke_config_dhkem_x25519(), ikm).unwrap();
        assert_eq!(keypair.public.len(), 32); // classical key

        let plaintext = b"hello classical MLS";
@@ -482,7 +485,7 @@ mod tests {
            info,
            aad,
            plaintext,
-        );
+        ).unwrap();
        assert!(!ct.kem_output.as_slice().is_empty());

        let decrypted = crypto
@@ -501,7 +504,7 @@ mod tests {
    #[test]
    fn key_package_generation_with_hybrid_provider() {
        use openmls::prelude::{
-            Credential, CredentialType, CredentialWithKey, CryptoConfig, KeyPackage,
+            BasicCredential, CredentialWithKey, KeyPackage,
        };
        use std::sync::Arc;
        use tls_codec::Serialize;
@@ -514,26 +517,24 @@ mod tests {
        let provider = HybridCryptoProvider::default();
        let identity = Arc::new(IdentityKeypair::generate());

-        let credential = Credential::new(
-            identity.public_key_bytes().to_vec(),
-            CredentialType::Basic,
-        )
-        .unwrap();
+        let credential: openmls::prelude::Credential =
+            BasicCredential::new(identity.public_key_bytes().to_vec()).into();
        let credential_with_key = CredentialWithKey {
            credential,
            signature_key: identity.public_key_bytes().to_vec().into(),
        };

-        let key_package = KeyPackage::builder()
+        let key_package_bundle = KeyPackage::builder()
            .build(
-                CryptoConfig::with_default_version(CIPHERSUITE),
+                CIPHERSUITE,
                &provider,
                identity.as_ref(),
                credential_with_key,
            )
            .expect("KeyPackage with hybrid HPKE");

-        let bytes = key_package
+        let bytes = key_package_bundle
+            .key_package()
            .tls_serialize_detached()
            .expect("serialize KeyPackage");
        assert!(!bytes.is_empty());