mirror of https://github.com/ctz/rustls
Enable testing and benchmarking with aws-lc-rs
This commit is contained in:
Joseph Birr-Pixton
Joe Birr-Pixton
parent
aaf21d1cdf
commit
1379f12657
|
|
@ -51,6 +51,11 @@ jobs:
|
|||
env:
|
||||
RUST_BACKTRACE: 1
|
||||
|
||||
- name: cargo test (debug; aws-lc-rs)
|
||||
run: cargo test --no-default-features --features aws_lc_rs,tls12,quic,read_buf,logging
|
||||
env:
|
||||
RUST_BACKTRACE: 1
|
||||
|
||||
- name: cargo build (debug; rustls-provider-example)
|
||||
run: cargo build --locked -p rustls-provider-example
|
||||
|
||||
|
|
@ -95,6 +100,9 @@ jobs:
|
|||
- name: cargo test (debug; no default features; tls12)
|
||||
run: cargo test --locked --no-default-features --features tls12
|
||||
|
||||
- name: cargo test (debug; no default features; aws-lc-rs,tls12)
|
||||
run: cargo test --no-default-features --features aws_lc_rs,tls12
|
||||
|
||||
- name: cargo test (release; no run)
|
||||
run: cargo test --locked --release --no-run
|
||||
|
||||
|
|
@ -116,9 +124,17 @@ jobs:
|
|||
go-version: "1.20"
|
||||
cache: false
|
||||
|
||||
- name: Run test suite
|
||||
- name: Run test suite (ring)
|
||||
working-directory: bogo
|
||||
run: ./runme
|
||||
env:
|
||||
BOGO_SHIM_PROVIDER: ring
|
||||
|
||||
- name: Run test suite (aws-lc-rs)
|
||||
working-directory: bogo
|
||||
run: ./runme
|
||||
env:
|
||||
BOGO_SHIM_PROVIDER: aws-lc-rs
|
||||
|
||||
|
||||
fuzz:
|
||||
|
|
|
|||
17
bogo/runme
17
bogo/runme
|
|
@ -5,9 +5,20 @@
|
|||
|
||||
set -xe
|
||||
|
||||
if [ "x$USE_EXISTING_BOGO_SHIM" = "x" ] ; then
|
||||
cargo build --example bogo_shim --features quic
|
||||
fi
|
||||
case ${BOGO_SHIM_PROVIDER:-ring} in
|
||||
ring)
|
||||
cargo build --example bogo_shim --features quic
|
||||
;;
|
||||
aws-lc-rs)
|
||||
cargo build --example bogo_shim --no-default-features --features quic,aws_lc_rs,tls12,logging
|
||||
;;
|
||||
existing)
|
||||
;;
|
||||
*)
|
||||
echo "unsupported BOGO_SHIM_PROVIDER: supported are (ring|aws-lc-rs|existing)"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ ! -e bogo/ssl/test/runner/runner.test ] ; then
|
||||
./fetch-and-build
|
||||
|
|
|
|||
|
|
@ -14,5 +14,5 @@ fxhash = "0.2.1"
|
|||
itertools = "0.11.0"
|
||||
pki-types = { package = "rustls-pki-types", version = "0.2" }
|
||||
rayon = "1.7.0"
|
||||
rustls = { path = "../rustls" }
|
||||
rustls = { path = "../rustls", features = ["ring", "aws_lc_rs"] }
|
||||
rustls-pemfile = "2.0.0-alpha.1"
|
||||
|
|
|
|||
|
|
@ -1,3 +1,5 @@
|
|||
use std::sync::Arc;
|
||||
|
||||
use fxhash::{FxHashMap, FxHashSet};
|
||||
use itertools::Itertools;
|
||||
|
||||
|
|
@ -120,8 +122,12 @@ impl ResumptionKind {
|
|||
}
|
||||
|
||||
/// Parameters associated to a benchmark
|
||||
#[derive(Copy, Clone)]
|
||||
#[derive(Clone, Debug)]
|
||||
pub struct BenchmarkParams {
|
||||
/// Which `CryptoProvider` to test
|
||||
pub provider: &'static dyn rustls::crypto::CryptoProvider,
|
||||
/// How to make a suitable [`rustls::server::ProducesTickets`].
|
||||
pub ticketer: &'static fn() -> Arc<dyn rustls::server::ProducesTickets>,
|
||||
/// The type of key used to sign the TLS certificate
|
||||
pub key_type: KeyType,
|
||||
/// Cipher suite
|
||||
|
|
@ -129,18 +135,22 @@ pub struct BenchmarkParams {
|
|||
/// TLS version
|
||||
pub version: &'static rustls::SupportedProtocolVersion,
|
||||
/// A user-facing label that identifies these params
|
||||
pub label: &'static str,
|
||||
pub label: String,
|
||||
}
|
||||
|
||||
impl BenchmarkParams {
|
||||
/// Create a new set of benchmark params
|
||||
pub const fn new(
|
||||
provider: &'static dyn rustls::crypto::CryptoProvider,
|
||||
ticketer: &'static fn() -> Arc<dyn rustls::server::ProducesTickets>,
|
||||
key_type: KeyType,
|
||||
ciphersuite: rustls::SupportedCipherSuite,
|
||||
version: &'static rustls::SupportedProtocolVersion,
|
||||
label: &'static str,
|
||||
label: String,
|
||||
) -> Self {
|
||||
Self {
|
||||
provider,
|
||||
ticketer,
|
||||
key_type,
|
||||
ciphersuite,
|
||||
version,
|
||||
|
|
|
|||
|
|
@ -14,10 +14,11 @@ use itertools::Itertools;
|
|||
use rayon::iter::Either;
|
||||
use rayon::prelude::*;
|
||||
use rustls::client::Resumption;
|
||||
use rustls::crypto::ring::{cipher_suite, Ticketer};
|
||||
use rustls::crypto::{aws_lc_rs, ring};
|
||||
use rustls::server::{NoServerSessionStorage, ServerSessionMemoryCache, WebPkiClientVerifier};
|
||||
use rustls::{
|
||||
ClientConfig, ClientConnection, ProtocolVersion, RootCertStore, ServerConfig, ServerConnection,
|
||||
CipherSuite, ClientConfig, ClientConnection, ProtocolVersion, RootCertStore, ServerConfig,
|
||||
ServerConnection,
|
||||
};
|
||||
|
||||
use crate::benchmark::{
|
||||
|
|
@ -143,7 +144,7 @@ fn main() -> anyhow::Result<()> {
|
|||
|
||||
let handshake_buf = &mut [0u8; 262144];
|
||||
let resumption_kind = black_box(bench.kind.resumption_kind());
|
||||
let params = black_box(bench.params);
|
||||
let params = black_box(&bench.params);
|
||||
let io = StepperIo {
|
||||
reader: &mut stdin,
|
||||
writer: &mut stdout,
|
||||
|
|
@ -153,7 +154,7 @@ fn main() -> anyhow::Result<()> {
|
|||
Side::Server => run_bench(
|
||||
ServerSideStepper {
|
||||
io,
|
||||
config: ServerSideStepper::make_config(¶ms, resumption_kind),
|
||||
config: ServerSideStepper::make_config(params, resumption_kind),
|
||||
},
|
||||
bench.kind,
|
||||
),
|
||||
|
|
@ -161,7 +162,7 @@ fn main() -> anyhow::Result<()> {
|
|||
ClientSideStepper {
|
||||
io,
|
||||
resumption_kind,
|
||||
config: ClientSideStepper::make_config(¶ms, resumption_kind),
|
||||
config: ClientSideStepper::make_config(params, resumption_kind),
|
||||
},
|
||||
bench.kind,
|
||||
),
|
||||
|
|
@ -198,7 +199,7 @@ fn main() -> anyhow::Result<()> {
|
|||
/// Returns all benchmarks
|
||||
fn all_benchmarks() -> anyhow::Result<Vec<Benchmark>> {
|
||||
let mut benchmarks = Vec::new();
|
||||
for ¶m in ALL_BENCHMARK_PARAMS {
|
||||
for param in all_benchmarks_params() {
|
||||
add_benchmark_group(&mut benchmarks, param);
|
||||
}
|
||||
|
||||
|
|
@ -207,38 +208,86 @@ fn all_benchmarks() -> anyhow::Result<Vec<Benchmark>> {
|
|||
}
|
||||
|
||||
/// The benchmark params to use for each group of benchmarks
|
||||
static ALL_BENCHMARK_PARAMS: &[BenchmarkParams] = &[
|
||||
BenchmarkParams::new(
|
||||
KeyType::Rsa,
|
||||
cipher_suite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
&rustls::version::TLS12,
|
||||
"1.2_rsa_aes",
|
||||
),
|
||||
BenchmarkParams::new(
|
||||
KeyType::Rsa,
|
||||
cipher_suite::TLS13_AES_128_GCM_SHA256,
|
||||
&rustls::version::TLS13,
|
||||
"1.3_rsa_aes",
|
||||
),
|
||||
BenchmarkParams::new(
|
||||
KeyType::Ecdsa,
|
||||
cipher_suite::TLS13_AES_128_GCM_SHA256,
|
||||
&rustls::version::TLS13,
|
||||
"1.3_ecdsa_aes",
|
||||
),
|
||||
BenchmarkParams::new(
|
||||
KeyType::Rsa,
|
||||
cipher_suite::TLS13_CHACHA20_POLY1305_SHA256,
|
||||
&rustls::version::TLS13,
|
||||
"1.3_rsa_chacha",
|
||||
),
|
||||
BenchmarkParams::new(
|
||||
KeyType::Ecdsa,
|
||||
cipher_suite::TLS13_CHACHA20_POLY1305_SHA256,
|
||||
&rustls::version::TLS13,
|
||||
"1.3_ecdsa_chacha",
|
||||
),
|
||||
];
|
||||
fn all_benchmarks_params() -> Vec<BenchmarkParams> {
|
||||
let mut all = Vec::new();
|
||||
|
||||
for (provider, suites, ticketer, provider_name) in [
|
||||
(
|
||||
ring::RING,
|
||||
ring::ALL_CIPHER_SUITES,
|
||||
&(ring_ticketer as fn() -> Arc<dyn rustls::server::ProducesTickets>),
|
||||
"ring",
|
||||
),
|
||||
(
|
||||
aws_lc_rs::AWS_LC_RS,
|
||||
aws_lc_rs::ALL_CIPHER_SUITES,
|
||||
&(aws_lc_rs_ticketer as fn() -> Arc<dyn rustls::server::ProducesTickets>),
|
||||
"aws_lc_rs",
|
||||
),
|
||||
] {
|
||||
for (key_type, suite_name, version, name) in [
|
||||
(
|
||||
KeyType::Rsa,
|
||||
CipherSuite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
&rustls::version::TLS12,
|
||||
"1.2_rsa_aes",
|
||||
),
|
||||
(
|
||||
KeyType::Rsa,
|
||||
CipherSuite::TLS13_AES_128_GCM_SHA256,
|
||||
&rustls::version::TLS13,
|
||||
"1.3_rsa_aes",
|
||||
),
|
||||
(
|
||||
KeyType::Ecdsa,
|
||||
CipherSuite::TLS13_AES_128_GCM_SHA256,
|
||||
&rustls::version::TLS13,
|
||||
"1.3_ecdsa_aes",
|
||||
),
|
||||
(
|
||||
KeyType::Rsa,
|
||||
CipherSuite::TLS13_CHACHA20_POLY1305_SHA256,
|
||||
&rustls::version::TLS13,
|
||||
"1.3_rsa_chacha",
|
||||
),
|
||||
(
|
||||
KeyType::Ecdsa,
|
||||
CipherSuite::TLS13_CHACHA20_POLY1305_SHA256,
|
||||
&rustls::version::TLS13,
|
||||
"1.3_ecdsa_chacha",
|
||||
),
|
||||
] {
|
||||
all.push(BenchmarkParams::new(
|
||||
provider,
|
||||
ticketer,
|
||||
key_type,
|
||||
find_suite(suites, suite_name),
|
||||
version,
|
||||
format!("{provider_name}_{name}"),
|
||||
));
|
||||
}
|
||||
}
|
||||
|
||||
all
|
||||
}
|
||||
|
||||
fn find_suite(
|
||||
all: &[rustls::SupportedCipherSuite],
|
||||
name: CipherSuite,
|
||||
) -> rustls::SupportedCipherSuite {
|
||||
all.iter()
|
||||
.find(|suite| suite.suite() == name)
|
||||
.expect(&format!("cannot find cipher suite {name:?}"))
|
||||
.clone()
|
||||
}
|
||||
|
||||
fn ring_ticketer() -> Arc<dyn rustls::server::ProducesTickets> {
|
||||
ring::Ticketer::new().unwrap()
|
||||
}
|
||||
|
||||
fn aws_lc_rs_ticketer() -> Arc<dyn rustls::server::ProducesTickets> {
|
||||
aws_lc_rs::Ticketer::new().unwrap()
|
||||
}
|
||||
|
||||
/// Adds a group of benchmarks for the specified parameters
|
||||
///
|
||||
|
|
@ -249,14 +298,14 @@ static ALL_BENCHMARK_PARAMS: &[BenchmarkParams] = &[
|
|||
/// - Handshake with ticket resumption
|
||||
/// - Transfer a 1MB data stream from the server to the client
|
||||
fn add_benchmark_group(benchmarks: &mut Vec<Benchmark>, params: BenchmarkParams) {
|
||||
let params_label = params.label;
|
||||
let params_label = params.label.clone();
|
||||
|
||||
// Create handshake benchmarks for all resumption kinds
|
||||
for &resumption_param in ResumptionKind::ALL {
|
||||
let handshake_bench = Benchmark::new(
|
||||
format!("handshake_{}_{params_label}", resumption_param.label()),
|
||||
BenchmarkKind::Handshake(resumption_param),
|
||||
params,
|
||||
params.clone(),
|
||||
);
|
||||
|
||||
let handshake_bench = if resumption_param != ResumptionKind::No {
|
||||
|
|
@ -276,7 +325,7 @@ fn add_benchmark_group(benchmarks: &mut Vec<Benchmark>, params: BenchmarkParams)
|
|||
Benchmark::new(
|
||||
format!("transfer_no_resume_{params_label}"),
|
||||
BenchmarkKind::Transfer,
|
||||
params,
|
||||
params.clone(),
|
||||
)
|
||||
.exclude_setup_instructions(format!("handshake_no_resume_{params_label}")),
|
||||
);
|
||||
|
|
@ -357,7 +406,7 @@ impl ClientSideStepper<'_> {
|
|||
rustls_pemfile::certs(&mut rootbuf).map(|result| result.unwrap()),
|
||||
);
|
||||
|
||||
let mut cfg = ClientConfig::builder()
|
||||
let mut cfg = ClientConfig::builder_with_provider(params.provider)
|
||||
.with_cipher_suites(&[params.ciphersuite])
|
||||
.with_safe_default_kx_groups()
|
||||
.with_protocol_versions(&[params.version])
|
||||
|
|
@ -428,7 +477,7 @@ impl ServerSideStepper<'_> {
|
|||
fn make_config(params: &BenchmarkParams, resume: ResumptionKind) -> Arc<ServerConfig> {
|
||||
assert_eq!(params.ciphersuite.version(), params.version);
|
||||
|
||||
let mut cfg = ServerConfig::builder()
|
||||
let mut cfg = ServerConfig::builder_with_provider(params.provider)
|
||||
.with_safe_default_cipher_suites()
|
||||
.with_safe_default_kx_groups()
|
||||
.with_protocol_versions(&[params.version])
|
||||
|
|
@ -440,7 +489,7 @@ impl ServerSideStepper<'_> {
|
|||
if resume == ResumptionKind::SessionId {
|
||||
cfg.session_storage = ServerSessionMemoryCache::new(128);
|
||||
} else if resume == ResumptionKind::Tickets {
|
||||
cfg.ticketer = Ticketer::new().unwrap();
|
||||
cfg.ticketer = (params.ticketer)();
|
||||
} else {
|
||||
cfg.session_storage = Arc::new(NoServerSessionStorage {});
|
||||
}
|
||||
|
|
|
|||
|
|
@ -44,7 +44,7 @@ base64 = "0.21"
|
|||
[[example]]
|
||||
name = "bogo_shim"
|
||||
path = "examples/internal/bogo_shim.rs"
|
||||
required-features = ["quic", "tls12", "ring"]
|
||||
required-features = ["quic", "tls12"]
|
||||
|
||||
[[example]]
|
||||
name = "bench"
|
||||
|
|
|
|||
|
|
@ -6,7 +6,6 @@
|
|||
|
||||
use rustls::client::danger::HandshakeSignatureValid;
|
||||
use rustls::client::{ClientConfig, ClientConnection, Resumption, WebPkiServerVerifier};
|
||||
use rustls::crypto::ring::{kx_group, Ticketer, ALL_KX_GROUPS};
|
||||
use rustls::crypto::SupportedKxGroup;
|
||||
use rustls::internal::msgs::codec::Codec;
|
||||
use rustls::internal::msgs::persist::ServerSessionValue;
|
||||
|
|
@ -18,6 +17,11 @@ use rustls::{
|
|||
SupportedProtocolVersion,
|
||||
};
|
||||
|
||||
#[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
|
||||
use rustls::crypto::aws_lc_rs as provider;
|
||||
#[cfg(feature = "ring")]
|
||||
use rustls::crypto::ring as provider;
|
||||
|
||||
use base64::prelude::{Engine, BASE64_STANDARD};
|
||||
use pki_types::{CertificateDer, PrivateKeyDer, UnixTime};
|
||||
|
||||
|
|
@ -358,9 +362,9 @@ fn lookup_scheme(scheme: u16) -> SignatureScheme {
|
|||
|
||||
fn lookup_kx_group(group: u16) -> &'static dyn SupportedKxGroup {
|
||||
match group {
|
||||
0x001d => kx_group::X25519,
|
||||
0x0017 => kx_group::SECP256R1,
|
||||
0x0018 => kx_group::SECP384R1,
|
||||
0x001d => provider::kx_group::X25519,
|
||||
0x0017 => provider::kx_group::SECP256R1,
|
||||
0x0018 => provider::kx_group::SECP384R1,
|
||||
_ => {
|
||||
println_err!("Unsupported kx group {:04x}", group);
|
||||
process::exit(BOGO_NACK);
|
||||
|
|
@ -445,7 +449,7 @@ fn make_server_cfg(opts: &Options) -> Arc<ServerConfig> {
|
|||
.map(|curveid| lookup_kx_group(*curveid))
|
||||
.collect()
|
||||
} else {
|
||||
ALL_KX_GROUPS.to_vec()
|
||||
provider::ALL_KX_GROUPS.to_vec()
|
||||
};
|
||||
|
||||
let mut cfg = ServerConfig::builder()
|
||||
|
|
@ -470,7 +474,7 @@ fn make_server_cfg(opts: &Options) -> Arc<ServerConfig> {
|
|||
}
|
||||
|
||||
if opts.tickets {
|
||||
cfg.ticketer = Ticketer::new().unwrap();
|
||||
cfg.ticketer = provider::Ticketer::new().unwrap();
|
||||
} else if opts.resumes == 0 {
|
||||
cfg.session_storage = Arc::new(server::NoServerSessionStorage {});
|
||||
}
|
||||
|
|
@ -561,7 +565,7 @@ fn make_client_cfg(opts: &Options) -> Arc<ClientConfig> {
|
|||
.map(|curveid| lookup_kx_group(*curveid))
|
||||
.collect()
|
||||
} else {
|
||||
ALL_KX_GROUPS.to_vec()
|
||||
provider::ALL_KX_GROUPS.to_vec()
|
||||
};
|
||||
|
||||
let cfg = ClientConfig::builder()
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
#![cfg(feature = "ring")]
|
||||
#![cfg(any(feature = "ring", feature = "aws_lc_rs"))]
|
||||
#![cfg_attr(read_buf, feature(read_buf))]
|
||||
//! Assorted public API tests.
|
||||
use std::cell::RefCell;
|
||||
|
|
@ -11,17 +11,15 @@ use std::sync::Arc;
|
|||
use std::sync::Mutex;
|
||||
|
||||
use pki_types::{CertificateDer, PrivateKeyDer, UnixTime};
|
||||
use rustls::client::{
|
||||
verify_server_cert_signed_by_trust_anchor, ResolvesClientCert, Resumption, WebPkiServerVerifier,
|
||||
};
|
||||
use rustls::crypto::ring::sign::RsaSigningKey;
|
||||
use rustls::crypto::ring::{cipher_suite, ALL_CIPHER_SUITES};
|
||||
use primary_provider::cipher_suite;
|
||||
use primary_provider::sign::RsaSigningKey;
|
||||
use rustls::client::{verify_server_cert_signed_by_trust_anchor, ResolvesClientCert, Resumption};
|
||||
use rustls::internal::msgs::base::Payload;
|
||||
use rustls::internal::msgs::codec::Codec;
|
||||
use rustls::internal::msgs::enums::AlertLevel;
|
||||
use rustls::internal::msgs::handshake::{ClientExtension, HandshakePayload};
|
||||
use rustls::internal::msgs::message::{Message, MessagePayload, PlainMessage};
|
||||
use rustls::server::{ClientHello, ParsedCertificate, ResolvesServerCert, WebPkiClientVerifier};
|
||||
use rustls::server::{ClientHello, ParsedCertificate, ResolvesServerCert};
|
||||
use rustls::SupportedCipherSuite;
|
||||
use rustls::{
|
||||
sign, AlertDescription, CertificateError, ConnectionCommon, ContentType, Error, KeyLog,
|
||||
|
|
@ -223,7 +221,7 @@ fn check_read_buf_err(reader: &mut dyn io::Read, err_kind: io::ErrorKind) {
|
|||
#[test]
|
||||
fn config_builder_for_client_rejects_empty_kx_groups() {
|
||||
assert_eq!(
|
||||
ClientConfig::builder()
|
||||
client_config_builder()
|
||||
.with_safe_default_cipher_suites()
|
||||
.with_kx_groups(&[])
|
||||
.with_safe_default_protocol_versions()
|
||||
|
|
@ -235,7 +233,7 @@ fn config_builder_for_client_rejects_empty_kx_groups() {
|
|||
#[test]
|
||||
fn config_builder_for_client_rejects_empty_cipher_suites() {
|
||||
assert_eq!(
|
||||
ClientConfig::builder()
|
||||
client_config_builder()
|
||||
.with_cipher_suites(&[])
|
||||
.with_safe_default_kx_groups()
|
||||
.with_safe_default_protocol_versions()
|
||||
|
|
@ -248,7 +246,7 @@ fn config_builder_for_client_rejects_empty_cipher_suites() {
|
|||
#[test]
|
||||
fn config_builder_for_client_rejects_incompatible_cipher_suites() {
|
||||
assert_eq!(
|
||||
ClientConfig::builder()
|
||||
client_config_builder()
|
||||
.with_cipher_suites(&[cipher_suite::TLS13_AES_256_GCM_SHA384])
|
||||
.with_safe_default_kx_groups()
|
||||
.with_protocol_versions(&[&rustls::version::TLS12])
|
||||
|
|
@ -260,7 +258,7 @@ fn config_builder_for_client_rejects_incompatible_cipher_suites() {
|
|||
#[test]
|
||||
fn config_builder_for_server_rejects_empty_kx_groups() {
|
||||
assert_eq!(
|
||||
ServerConfig::builder()
|
||||
server_config_builder()
|
||||
.with_safe_default_cipher_suites()
|
||||
.with_kx_groups(&[])
|
||||
.with_safe_default_protocol_versions()
|
||||
|
|
@ -272,7 +270,7 @@ fn config_builder_for_server_rejects_empty_kx_groups() {
|
|||
#[test]
|
||||
fn config_builder_for_server_rejects_empty_cipher_suites() {
|
||||
assert_eq!(
|
||||
ServerConfig::builder()
|
||||
server_config_builder()
|
||||
.with_cipher_suites(&[])
|
||||
.with_safe_default_kx_groups()
|
||||
.with_safe_default_protocol_versions()
|
||||
|
|
@ -285,7 +283,7 @@ fn config_builder_for_server_rejects_empty_cipher_suites() {
|
|||
#[test]
|
||||
fn config_builder_for_server_rejects_incompatible_cipher_suites() {
|
||||
assert_eq!(
|
||||
ServerConfig::builder()
|
||||
server_config_builder()
|
||||
.with_cipher_suites(&[cipher_suite::TLS13_AES_256_GCM_SHA384])
|
||||
.with_safe_default_kx_groups()
|
||||
.with_protocol_versions(&[&rustls::version::TLS12])
|
||||
|
|
@ -446,15 +444,16 @@ fn server_can_get_client_cert_after_resumption() {
|
|||
}
|
||||
|
||||
#[test]
|
||||
#[cfg(feature = "ring")]
|
||||
fn test_config_builders_debug() {
|
||||
let b = ServerConfig::builder();
|
||||
let b = server_config_builder();
|
||||
assert_eq!(
|
||||
"ConfigBuilder<ServerConfig, _> { state: WantsCipherSuites(Ring) }",
|
||||
format!("{:?}", b)
|
||||
);
|
||||
let b = b.with_cipher_suites(&[cipher_suite::TLS13_CHACHA20_POLY1305_SHA256]);
|
||||
assert_eq!("ConfigBuilder<ServerConfig, _> { state: WantsKxGroups { cipher_suites: [TLS13_CHACHA20_POLY1305_SHA256], provider: Ring } }", format!("{:?}", b));
|
||||
let b = b.with_kx_groups(&[rustls::crypto::ring::kx_group::X25519]);
|
||||
let b = b.with_kx_groups(&[primary_provider::kx_group::X25519]);
|
||||
assert_eq!("ConfigBuilder<ServerConfig, _> { state: WantsVersions { cipher_suites: [TLS13_CHACHA20_POLY1305_SHA256], kx_groups: [X25519], provider: Ring } }", format!("{:?}", b));
|
||||
let b = b
|
||||
.with_protocol_versions(&[&rustls::version::TLS13])
|
||||
|
|
@ -462,14 +461,14 @@ fn test_config_builders_debug() {
|
|||
let b = b.with_no_client_auth();
|
||||
assert_eq!("ConfigBuilder<ServerConfig, _> { state: WantsServerCert { cipher_suites: [TLS13_CHACHA20_POLY1305_SHA256], kx_groups: [X25519], provider: Ring, versions: [TLSv1_3], verifier: dyn ClientCertVerifier } }", format!("{:?}", b));
|
||||
|
||||
let b = ClientConfig::builder();
|
||||
let b = client_config_builder();
|
||||
assert_eq!(
|
||||
"ConfigBuilder<ClientConfig, _> { state: WantsCipherSuites(Ring) }",
|
||||
format!("{:?}", b)
|
||||
);
|
||||
let b = b.with_cipher_suites(&[cipher_suite::TLS13_CHACHA20_POLY1305_SHA256]);
|
||||
assert_eq!("ConfigBuilder<ClientConfig, _> { state: WantsKxGroups { cipher_suites: [TLS13_CHACHA20_POLY1305_SHA256], provider: Ring } }", format!("{:?}", b));
|
||||
let b = b.with_kx_groups(&[rustls::crypto::ring::kx_group::X25519]);
|
||||
let b = b.with_kx_groups(&[primary_provider::kx_group::X25519]);
|
||||
assert_eq!("ConfigBuilder<ClientConfig, _> { state: WantsVersions { cipher_suites: [TLS13_CHACHA20_POLY1305_SHA256], kx_groups: [X25519], provider: Ring } }", format!("{:?}", b));
|
||||
let b = b
|
||||
.with_protocol_versions(&[&rustls::version::TLS13])
|
||||
|
|
@ -486,12 +485,12 @@ fn server_allow_any_anonymous_or_authenticated_client() {
|
|||
let kt = KeyType::Rsa;
|
||||
for client_cert_chain in [None, Some(kt.get_client_chain())].iter() {
|
||||
let client_auth_roots = get_client_root_store(kt);
|
||||
let client_auth = WebPkiClientVerifier::builder(client_auth_roots.clone())
|
||||
let client_auth = webpki_client_verifier_builder(client_auth_roots.clone())
|
||||
.allow_unauthenticated()
|
||||
.build()
|
||||
.unwrap();
|
||||
|
||||
let server_config = ServerConfig::builder()
|
||||
let server_config = server_config_builder()
|
||||
.with_safe_defaults()
|
||||
.with_client_cert_verifier(client_auth)
|
||||
.with_single_cert(kt.get_chain(), kt.get_key())
|
||||
|
|
@ -899,7 +898,7 @@ fn check_sigalgs_reduced_by_ciphersuite(
|
|||
) {
|
||||
let client_config = finish_client_config(
|
||||
kt,
|
||||
ClientConfig::builder()
|
||||
client_config_builder()
|
||||
.with_cipher_suites(&[find_suite(suite)])
|
||||
.with_safe_default_kx_groups()
|
||||
.with_safe_default_protocol_versions()
|
||||
|
|
@ -1066,7 +1065,7 @@ fn client_check_server_certificate_ee_revoked() {
|
|||
|
||||
// Setup a server verifier that will check the EE certificate's revocation status.
|
||||
let crls = vec![kt.end_entity_crl()];
|
||||
let builder = WebPkiServerVerifier::builder(get_client_root_store(*kt))
|
||||
let builder = webpki_server_verifier_builder(get_client_root_store(*kt))
|
||||
.with_crls(crls)
|
||||
.only_check_end_entity_revocation();
|
||||
|
||||
|
|
@ -1097,12 +1096,12 @@ fn client_check_server_certificate_ee_unknown_revocation() {
|
|||
// allow unknown revocation status (the default). We'll provide CRLs that are not relevant
|
||||
// to the EE cert to ensure its status is unknown.
|
||||
let unrelated_crls = vec![kt.intermediate_crl()];
|
||||
let forbid_unknown_verifier = WebPkiServerVerifier::builder(get_client_root_store(*kt))
|
||||
let forbid_unknown_verifier = webpki_server_verifier_builder(get_client_root_store(*kt))
|
||||
.with_crls(unrelated_crls.clone())
|
||||
.only_check_end_entity_revocation();
|
||||
|
||||
// Also set up a verifier builder that will allow unknown revocation status.
|
||||
let allow_unknown_verifier = WebPkiServerVerifier::builder(get_client_root_store(*kt))
|
||||
let allow_unknown_verifier = webpki_server_verifier_builder(get_client_root_store(*kt))
|
||||
.with_crls(unrelated_crls)
|
||||
.only_check_end_entity_revocation()
|
||||
.allow_unknown_revocation_status();
|
||||
|
|
@ -1145,13 +1144,14 @@ fn client_check_server_certificate_intermediate_revoked() {
|
|||
// that marks the intermediate certificate as revoked. We allow unknown revocation status
|
||||
// so the EE cert's unknown status doesn't cause an error.
|
||||
let crls = vec![kt.intermediate_crl()];
|
||||
let full_chain_verifier_builder = WebPkiServerVerifier::builder(get_client_root_store(*kt))
|
||||
.with_crls(crls.clone())
|
||||
.allow_unknown_revocation_status();
|
||||
let full_chain_verifier_builder =
|
||||
webpki_server_verifier_builder(get_client_root_store(*kt))
|
||||
.with_crls(crls.clone())
|
||||
.allow_unknown_revocation_status();
|
||||
|
||||
// Also set up a verifier builder that will use the same CRL, but only check the EE certificate
|
||||
// revocation status.
|
||||
let ee_verifier_builder = WebPkiServerVerifier::builder(get_client_root_store(*kt))
|
||||
let ee_verifier_builder = webpki_server_verifier_builder(get_client_root_store(*kt))
|
||||
.with_crls(crls.clone())
|
||||
.only_check_end_entity_revocation()
|
||||
.allow_unknown_revocation_status();
|
||||
|
|
@ -1351,7 +1351,7 @@ fn client_cert_resolve_server_no_hints() {
|
|||
// arguments.
|
||||
for key_type in ALL_KEY_TYPES.into_iter() {
|
||||
// Build a verifier with no hint subjects.
|
||||
let verifier = WebPkiClientVerifier::builder(get_client_root_store(key_type))
|
||||
let verifier = webpki_client_verifier_builder(get_client_root_store(key_type))
|
||||
.clear_root_hint_subjects();
|
||||
let server_config = make_server_config_with_client_verifier(key_type, verifier);
|
||||
let expected_root_hint_subjects = Vec::default(); // no hints expected.
|
||||
|
|
@ -1378,7 +1378,7 @@ fn client_cert_resolve_server_added_hint() {
|
|||
];
|
||||
// Create a verifier that adds the extra_name as a hint subject in addition to the ones
|
||||
// from the root cert store.
|
||||
let verifier = WebPkiClientVerifier::builder(get_client_root_store(key_type))
|
||||
let verifier = webpki_client_verifier_builder(get_client_root_store(key_type))
|
||||
.add_root_hint_subjects([DistinguishedName::from(extra_name.clone())].into_iter());
|
||||
let server_config = make_server_config_with_client_verifier(key_type, verifier);
|
||||
test_client_cert_resolve(key_type, server_config.into(), expected_hint_subjects);
|
||||
|
|
@ -1407,7 +1407,7 @@ fn client_mandatory_auth_client_revocation_works() {
|
|||
let relevant_crls = vec![kt.client_crl()];
|
||||
// Only check the EE certificate status. See client_mandatory_auth_intermediate_revocation_works
|
||||
// for testing revocation status of the whole chain.
|
||||
let ee_verifier_builder = WebPkiClientVerifier::builder(get_client_root_store(*kt))
|
||||
let ee_verifier_builder = webpki_client_verifier_builder(get_client_root_store(*kt))
|
||||
.with_crls(relevant_crls)
|
||||
.only_check_end_entity_revocation();
|
||||
let revoked_server_config = Arc::new(make_server_config_with_client_verifier(
|
||||
|
|
@ -1418,7 +1418,7 @@ fn client_mandatory_auth_client_revocation_works() {
|
|||
// Create a server configuration that includes a CRL that doesn't cover the client certificate,
|
||||
// and uses the default behaviour of treating unknown revocation status as an error.
|
||||
let unrelated_crls = vec![kt.intermediate_crl()];
|
||||
let ee_verifier_builder = WebPkiClientVerifier::builder(get_client_root_store(*kt))
|
||||
let ee_verifier_builder = webpki_client_verifier_builder(get_client_root_store(*kt))
|
||||
.with_crls(unrelated_crls.clone())
|
||||
.only_check_end_entity_revocation();
|
||||
let missing_client_crl_server_config = Arc::new(make_server_config_with_client_verifier(
|
||||
|
|
@ -1428,7 +1428,7 @@ fn client_mandatory_auth_client_revocation_works() {
|
|||
|
||||
// Create a server configuration that includes a CRL that doesn't cover the client certificate,
|
||||
// but change the builder to allow unknown revocation status.
|
||||
let ee_verifier_builder = WebPkiClientVerifier::builder(get_client_root_store(*kt))
|
||||
let ee_verifier_builder = webpki_client_verifier_builder(get_client_root_store(*kt))
|
||||
.with_crls(unrelated_crls.clone())
|
||||
.only_check_end_entity_revocation()
|
||||
.allow_unknown_revocation_status();
|
||||
|
|
@ -1478,9 +1478,10 @@ fn client_mandatory_auth_intermediate_revocation_works() {
|
|||
// is revoked. We check the full chain for revocation status (default), and allow unknown
|
||||
// revocation status so the EE's unknown revocation status isn't an error.
|
||||
let crls = vec![kt.intermediate_crl()];
|
||||
let full_chain_verifier_builder = WebPkiClientVerifier::builder(get_client_root_store(*kt))
|
||||
.with_crls(crls.clone())
|
||||
.allow_unknown_revocation_status();
|
||||
let full_chain_verifier_builder =
|
||||
webpki_client_verifier_builder(get_client_root_store(*kt))
|
||||
.with_crls(crls.clone())
|
||||
.allow_unknown_revocation_status();
|
||||
let full_chain_server_config = Arc::new(make_server_config_with_client_verifier(
|
||||
*kt,
|
||||
full_chain_verifier_builder,
|
||||
|
|
@ -1488,7 +1489,7 @@ fn client_mandatory_auth_intermediate_revocation_works() {
|
|||
|
||||
// Also create a server configuration that uses the same CRL, but that only checks the EE
|
||||
// cert revocation status.
|
||||
let ee_only_verifier_builder = WebPkiClientVerifier::builder(get_client_root_store(*kt))
|
||||
let ee_only_verifier_builder = webpki_client_verifier_builder(get_client_root_store(*kt))
|
||||
.with_crls(crls)
|
||||
.only_check_end_entity_revocation()
|
||||
.allow_unknown_revocation_status();
|
||||
|
|
@ -2307,7 +2308,7 @@ fn make_disjoint_suite_configs() -> (ClientConfig, ServerConfig) {
|
|||
let kt = KeyType::Rsa;
|
||||
let server_config = finish_server_config(
|
||||
kt,
|
||||
ServerConfig::builder()
|
||||
server_config_builder()
|
||||
.with_cipher_suites(&[cipher_suite::TLS13_CHACHA20_POLY1305_SHA256])
|
||||
.with_safe_default_kx_groups()
|
||||
.with_safe_default_protocol_versions()
|
||||
|
|
@ -2316,7 +2317,7 @@ fn make_disjoint_suite_configs() -> (ClientConfig, ServerConfig) {
|
|||
|
||||
let client_config = finish_client_config(
|
||||
kt,
|
||||
ClientConfig::builder()
|
||||
client_config_builder()
|
||||
.with_cipher_suites(&[cipher_suite::TLS13_AES_256_GCM_SHA384])
|
||||
.with_safe_default_kx_groups()
|
||||
.with_safe_default_protocol_versions()
|
||||
|
|
@ -2820,7 +2821,10 @@ fn do_suite_test(
|
|||
}
|
||||
|
||||
fn find_suite(suite: CipherSuite) -> SupportedCipherSuite {
|
||||
for scs in ALL_CIPHER_SUITES.iter().copied() {
|
||||
for scs in primary_provider::ALL_CIPHER_SUITES
|
||||
.iter()
|
||||
.copied()
|
||||
{
|
||||
if scs.suite() == suite {
|
||||
return scs;
|
||||
}
|
||||
|
|
@ -2897,7 +2901,10 @@ fn negotiated_ciphersuite_default() {
|
|||
|
||||
#[test]
|
||||
fn all_suites_covered() {
|
||||
assert_eq!(ALL_CIPHER_SUITES.len(), TEST_CIPHERSUITES.len());
|
||||
assert_eq!(
|
||||
primary_provider::ALL_CIPHER_SUITES.len(),
|
||||
TEST_CIPHERSUITES.len()
|
||||
);
|
||||
}
|
||||
|
||||
#[test]
|
||||
|
|
@ -2907,7 +2914,7 @@ fn negotiated_ciphersuite_client() {
|
|||
let scs = find_suite(suite);
|
||||
let client_config = finish_client_config(
|
||||
kt,
|
||||
ClientConfig::builder()
|
||||
client_config_builder()
|
||||
.with_cipher_suites(&[scs])
|
||||
.with_safe_default_kx_groups()
|
||||
.with_protocol_versions(&[version])
|
||||
|
|
@ -2925,7 +2932,7 @@ fn negotiated_ciphersuite_server() {
|
|||
let scs = find_suite(suite);
|
||||
let server_config = finish_server_config(
|
||||
kt,
|
||||
ServerConfig::builder()
|
||||
server_config_builder()
|
||||
.with_cipher_suites(&[scs])
|
||||
.with_safe_default_kx_groups()
|
||||
.with_protocol_versions(&[version])
|
||||
|
|
@ -3557,7 +3564,7 @@ fn tls13_stateless_resumption() {
|
|||
let client_config = Arc::new(client_config);
|
||||
|
||||
let mut server_config = make_server_config(kt);
|
||||
server_config.ticketer = rustls::crypto::ring::Ticketer::new().unwrap();
|
||||
server_config.ticketer = primary_provider::Ticketer::new().unwrap();
|
||||
let storage = Arc::new(ServerStorage::new());
|
||||
server_config.session_storage = storage.clone();
|
||||
let server_config = Arc::new(server_config);
|
||||
|
|
@ -4053,6 +4060,7 @@ mod test_quic {
|
|||
}
|
||||
|
||||
#[test]
|
||||
#[cfg(feature = "ring")] // uses ring APIs directly
|
||||
fn test_quic_server_no_params_received() {
|
||||
let server_config =
|
||||
make_server_config_with_versions(KeyType::Ed25519, &[&rustls::version::TLS13]);
|
||||
|
|
@ -4065,7 +4073,6 @@ mod test_quic {
|
|||
)
|
||||
.unwrap();
|
||||
|
||||
use rustls::crypto::ring::RING;
|
||||
use rustls::internal::msgs::enums::{Compression, NamedGroup};
|
||||
use rustls::internal::msgs::handshake::{
|
||||
ClientHelloPayload, HandshakeMessagePayload, KeyShareEntry, Random, SessionId,
|
||||
|
|
@ -4073,7 +4080,9 @@ mod test_quic {
|
|||
use rustls::{CipherSuite, HandshakeType, SignatureScheme};
|
||||
|
||||
let mut random = [0; 32];
|
||||
RING.fill_random(&mut random).unwrap();
|
||||
PROVIDER
|
||||
.fill_random(&mut random)
|
||||
.unwrap();
|
||||
let random = Random::from(random);
|
||||
|
||||
let rng = ring::rand::SystemRandom::new();
|
||||
|
|
@ -4087,7 +4096,7 @@ mod test_quic {
|
|||
payload: HandshakePayload::ClientHello(ClientHelloPayload {
|
||||
client_version: ProtocolVersion::TLSv1_3,
|
||||
random,
|
||||
session_id: SessionId::random(RING).unwrap(),
|
||||
session_id: SessionId::random(PROVIDER).unwrap(),
|
||||
cipher_suites: vec![CipherSuite::TLS13_AES_128_GCM_SHA256],
|
||||
compression_methods: vec![Compression::Null],
|
||||
extensions: vec![
|
||||
|
|
@ -4113,13 +4122,13 @@ mod test_quic {
|
|||
}
|
||||
|
||||
#[test]
|
||||
#[cfg(feature = "ring")] // uses ring APIs directly
|
||||
fn test_quic_server_no_tls12() {
|
||||
let mut server_config =
|
||||
make_server_config_with_versions(KeyType::Ed25519, &[&rustls::version::TLS13]);
|
||||
server_config.alpn_protocols = vec!["foo".into()];
|
||||
let server_config = Arc::new(server_config);
|
||||
|
||||
use rustls::crypto::ring::RING;
|
||||
use rustls::internal::msgs::enums::{Compression, NamedGroup};
|
||||
use rustls::internal::msgs::handshake::{
|
||||
ClientHelloPayload, HandshakeMessagePayload, KeyShareEntry, Random, SessionId,
|
||||
|
|
@ -4127,7 +4136,9 @@ mod test_quic {
|
|||
use rustls::{CipherSuite, HandshakeType, SignatureScheme};
|
||||
|
||||
let mut random = [0; 32];
|
||||
RING.fill_random(&mut random).unwrap();
|
||||
PROVIDER
|
||||
.fill_random(&mut random)
|
||||
.unwrap();
|
||||
let random = Random::from(random);
|
||||
|
||||
let rng = ring::rand::SystemRandom::new();
|
||||
|
|
@ -4148,7 +4159,7 @@ mod test_quic {
|
|||
payload: HandshakePayload::ClientHello(ClientHelloPayload {
|
||||
client_version: ProtocolVersion::TLSv1_2,
|
||||
random,
|
||||
session_id: SessionId::random(RING).unwrap(),
|
||||
session_id: SessionId::random(PROVIDER).unwrap(),
|
||||
cipher_suites: vec![CipherSuite::TLS13_AES_128_GCM_SHA256],
|
||||
compression_methods: vec![Compression::Null],
|
||||
extensions: vec![
|
||||
|
|
@ -4426,26 +4437,20 @@ fn test_client_does_not_offer_sha1() {
|
|||
|
||||
#[test]
|
||||
fn test_client_config_keyshare() {
|
||||
let client_config = make_client_config_with_kx_groups(
|
||||
KeyType::Rsa,
|
||||
&[rustls::crypto::ring::kx_group::SECP384R1],
|
||||
);
|
||||
let server_config = make_server_config_with_kx_groups(
|
||||
KeyType::Rsa,
|
||||
&[rustls::crypto::ring::kx_group::SECP384R1],
|
||||
);
|
||||
let client_config =
|
||||
make_client_config_with_kx_groups(KeyType::Rsa, &[primary_provider::kx_group::SECP384R1]);
|
||||
let server_config =
|
||||
make_server_config_with_kx_groups(KeyType::Rsa, &[primary_provider::kx_group::SECP384R1]);
|
||||
let (mut client, mut server) = make_pair_for_configs(client_config, server_config);
|
||||
do_handshake_until_error(&mut client, &mut server).unwrap();
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_client_config_keyshare_mismatch() {
|
||||
let client_config = make_client_config_with_kx_groups(
|
||||
KeyType::Rsa,
|
||||
&[rustls::crypto::ring::kx_group::SECP384R1],
|
||||
);
|
||||
let client_config =
|
||||
make_client_config_with_kx_groups(KeyType::Rsa, &[primary_provider::kx_group::SECP384R1]);
|
||||
let server_config =
|
||||
make_server_config_with_kx_groups(KeyType::Rsa, &[rustls::crypto::ring::kx_group::X25519]);
|
||||
make_server_config_with_kx_groups(KeyType::Rsa, &[primary_provider::kx_group::X25519]);
|
||||
let (mut client, mut server) = make_pair_for_configs(client_config, server_config);
|
||||
assert!(do_handshake_until_error(&mut client, &mut server).is_err());
|
||||
}
|
||||
|
|
@ -4457,8 +4462,8 @@ fn test_client_sends_helloretryrequest() {
|
|||
let mut client_config = make_client_config_with_kx_groups(
|
||||
KeyType::Rsa,
|
||||
&[
|
||||
rustls::crypto::ring::kx_group::SECP384R1,
|
||||
rustls::crypto::ring::kx_group::X25519,
|
||||
primary_provider::kx_group::SECP384R1,
|
||||
primary_provider::kx_group::X25519,
|
||||
],
|
||||
);
|
||||
|
||||
|
|
@ -4467,7 +4472,7 @@ fn test_client_sends_helloretryrequest() {
|
|||
|
||||
// but server only accepts x25519, so a HRR is required
|
||||
let server_config =
|
||||
make_server_config_with_kx_groups(KeyType::Rsa, &[rustls::crypto::ring::kx_group::X25519]);
|
||||
make_server_config_with_kx_groups(KeyType::Rsa, &[primary_provider::kx_group::X25519]);
|
||||
|
||||
let (mut client, mut server) = make_pair_for_configs(client_config, server_config);
|
||||
|
||||
|
|
@ -4553,9 +4558,8 @@ fn test_client_sends_helloretryrequest() {
|
|||
|
||||
#[test]
|
||||
fn test_client_rejects_hrr_with_varied_session_id() {
|
||||
use rustls::crypto::ring::RING;
|
||||
use rustls::internal::msgs::handshake::SessionId;
|
||||
let different_session_id = SessionId::random(RING).unwrap();
|
||||
let different_session_id = SessionId::random(PROVIDER).unwrap();
|
||||
|
||||
let assert_client_sends_hello_with_secp384 = |msg: &mut Message| -> Altered {
|
||||
if let MessagePayload::Handshake { parsed, encoded } = &mut msg.payload {
|
||||
|
|
@ -4589,13 +4593,13 @@ fn test_client_rejects_hrr_with_varied_session_id() {
|
|||
let client_config = make_client_config_with_kx_groups(
|
||||
KeyType::Rsa,
|
||||
&[
|
||||
rustls::crypto::ring::kx_group::SECP384R1,
|
||||
rustls::crypto::ring::kx_group::X25519,
|
||||
primary_provider::kx_group::SECP384R1,
|
||||
primary_provider::kx_group::X25519,
|
||||
],
|
||||
);
|
||||
|
||||
let server_config =
|
||||
make_server_config_with_kx_groups(KeyType::Rsa, &[rustls::crypto::ring::kx_group::X25519]);
|
||||
make_server_config_with_kx_groups(KeyType::Rsa, &[primary_provider::kx_group::X25519]);
|
||||
|
||||
let (client, server) = make_pair_for_configs(client_config, server_config);
|
||||
let (mut client, mut server) = (client.into(), server.into());
|
||||
|
|
@ -4627,15 +4631,13 @@ fn test_client_attempts_to_use_unsupported_kx_group() {
|
|||
// first, client sends a x25519 and server agrees. x25519 is inserted
|
||||
// into kx group cache.
|
||||
let mut client_config_1 =
|
||||
make_client_config_with_kx_groups(KeyType::Rsa, &[rustls::crypto::ring::kx_group::X25519]);
|
||||
make_client_config_with_kx_groups(KeyType::Rsa, &[primary_provider::kx_group::X25519]);
|
||||
client_config_1.resumption = Resumption::store(shared_storage.clone());
|
||||
|
||||
// second, client only supports secp-384 and so kx group cache
|
||||
// contains an unusable value.
|
||||
let mut client_config_2 = make_client_config_with_kx_groups(
|
||||
KeyType::Rsa,
|
||||
&[rustls::crypto::ring::kx_group::SECP384R1],
|
||||
);
|
||||
let mut client_config_2 =
|
||||
make_client_config_with_kx_groups(KeyType::Rsa, &[primary_provider::kx_group::SECP384R1]);
|
||||
client_config_2.resumption = Resumption::store(shared_storage.clone());
|
||||
|
||||
let server_config = make_server_config(KeyType::Rsa);
|
||||
|
|
@ -4977,7 +4979,7 @@ fn test_client_tls12_no_resume_after_server_downgrade() {
|
|||
|
||||
let server_config_1 = Arc::new(common::finish_server_config(
|
||||
KeyType::Ed25519,
|
||||
ServerConfig::builder()
|
||||
server_config_builder()
|
||||
.with_safe_default_cipher_suites()
|
||||
.with_safe_default_kx_groups()
|
||||
.with_protocol_versions(&[&rustls::version::TLS13])
|
||||
|
|
@ -4986,7 +4988,7 @@ fn test_client_tls12_no_resume_after_server_downgrade() {
|
|||
|
||||
let mut server_config_2 = common::finish_server_config(
|
||||
KeyType::Ed25519,
|
||||
ServerConfig::builder()
|
||||
server_config_builder()
|
||||
.with_safe_default_cipher_suites()
|
||||
.with_safe_default_kx_groups()
|
||||
.with_protocol_versions(&[&rustls::version::TLS12])
|
||||
|
|
@ -5225,7 +5227,7 @@ fn test_secret_extraction_enabled() {
|
|||
println!("Testing suite {:?}", suite.suite().as_str());
|
||||
|
||||
// Only offer the cipher suite (and protocol version) that we're testing
|
||||
let mut server_config = ServerConfig::builder()
|
||||
let mut server_config = server_config_builder()
|
||||
.with_cipher_suites(&[suite])
|
||||
.with_safe_default_kx_groups()
|
||||
.with_protocol_versions(&[version])
|
||||
|
|
@ -5289,7 +5291,7 @@ fn test_secret_extraction_disabled_or_too_early() {
|
|||
let kt = KeyType::Rsa;
|
||||
|
||||
for (server_enable, client_enable) in [(true, false), (false, true)] {
|
||||
let mut server_config = ServerConfig::builder()
|
||||
let mut server_config = server_config_builder()
|
||||
.with_cipher_suites(&[suite])
|
||||
.with_safe_default_kx_groups()
|
||||
.with_safe_default_protocol_versions()
|
||||
|
|
@ -5345,7 +5347,7 @@ fn test_received_plaintext_backpressure() {
|
|||
let kt = KeyType::Rsa;
|
||||
|
||||
let server_config = Arc::new(
|
||||
ServerConfig::builder()
|
||||
server_config_builder()
|
||||
.with_cipher_suites(&[suite])
|
||||
.with_safe_default_kx_groups()
|
||||
.with_safe_default_protocol_versions()
|
||||
|
|
@ -5430,7 +5432,7 @@ fn test_debug_server_name_from_string() {
|
|||
)
|
||||
}
|
||||
|
||||
#[cfg(feature = "ring")]
|
||||
#[cfg(all(feature = "ring", feature = "aws_lc_rs"))]
|
||||
#[test]
|
||||
fn test_explicit_provider_selection() {
|
||||
let client_config = finish_client_config(
|
||||
|
|
@ -5440,7 +5442,7 @@ fn test_explicit_provider_selection() {
|
|||
);
|
||||
let server_config = finish_server_config(
|
||||
KeyType::Rsa,
|
||||
rustls::ServerConfig::builder_with_provider(rustls::crypto::ring::RING)
|
||||
rustls::ServerConfig::builder_with_provider(rustls::crypto::aws_lc_rs::AWS_LC_RS)
|
||||
.with_safe_defaults(),
|
||||
);
|
||||
|
||||
|
|
@ -5499,14 +5501,14 @@ impl rustls::crypto::CryptoProvider for FaultyRandomProvider {
|
|||
|
||||
#[test]
|
||||
fn test_client_construction_fails_if_random_source_fails_in_first_request() {
|
||||
static PROVIDER: FaultyRandomProvider = FaultyRandomProvider {
|
||||
parent: rustls::crypto::ring::RING,
|
||||
static TEST_PROVIDER: FaultyRandomProvider = FaultyRandomProvider {
|
||||
parent: PROVIDER,
|
||||
rand_queue: Mutex::new(b""),
|
||||
};
|
||||
|
||||
let client_config = finish_client_config(
|
||||
KeyType::Rsa,
|
||||
rustls::ClientConfig::builder_with_provider(&PROVIDER).with_safe_defaults(),
|
||||
rustls::ClientConfig::builder_with_provider(&TEST_PROVIDER).with_safe_defaults(),
|
||||
);
|
||||
|
||||
assert_eq!(
|
||||
|
|
@ -5517,14 +5519,14 @@ fn test_client_construction_fails_if_random_source_fails_in_first_request() {
|
|||
|
||||
#[test]
|
||||
fn test_client_construction_fails_if_random_source_fails_in_second_request() {
|
||||
static PROVIDER: FaultyRandomProvider = FaultyRandomProvider {
|
||||
parent: rustls::crypto::ring::RING,
|
||||
static TEST_PROVIDER: FaultyRandomProvider = FaultyRandomProvider {
|
||||
parent: PROVIDER,
|
||||
rand_queue: Mutex::new(b"nice random number generator huh"),
|
||||
};
|
||||
|
||||
let client_config = finish_client_config(
|
||||
KeyType::Rsa,
|
||||
rustls::ClientConfig::builder_with_provider(&PROVIDER).with_safe_defaults(),
|
||||
rustls::ClientConfig::builder_with_provider(&TEST_PROVIDER).with_safe_defaults(),
|
||||
);
|
||||
|
||||
assert_eq!(
|
||||
|
|
@ -5535,8 +5537,8 @@ fn test_client_construction_fails_if_random_source_fails_in_second_request() {
|
|||
|
||||
#[test]
|
||||
fn test_client_construction_requires_64_bytes_of_random_material() {
|
||||
static PROVIDER: FaultyRandomProvider = FaultyRandomProvider {
|
||||
parent: rustls::crypto::ring::RING,
|
||||
static TEST_PROVIDER: FaultyRandomProvider = FaultyRandomProvider {
|
||||
parent: PROVIDER,
|
||||
rand_queue: Mutex::new(
|
||||
b"nice random number generator !!!\
|
||||
it's really not very good is it?",
|
||||
|
|
@ -5545,7 +5547,7 @@ fn test_client_construction_requires_64_bytes_of_random_material() {
|
|||
|
||||
let client_config = finish_client_config(
|
||||
KeyType::Rsa,
|
||||
rustls::ClientConfig::builder_with_provider(&PROVIDER).with_safe_defaults(),
|
||||
rustls::ClientConfig::builder_with_provider(&TEST_PROVIDER).with_safe_defaults(),
|
||||
);
|
||||
|
||||
ClientConnection::new(Arc::new(client_config), server_name("localhost"))
|
||||
|
|
|
|||
|
|
@ -7,10 +7,10 @@ mod common;
|
|||
use crate::common::{
|
||||
do_handshake_until_both_error, do_handshake_until_error, get_client_root_store,
|
||||
make_client_config_with_versions, make_client_config_with_versions_with_auth,
|
||||
make_pair_for_arc_configs, server_name, ErrorFromPeer, KeyType, ALL_KEY_TYPES,
|
||||
make_pair_for_arc_configs, server_config_builder, server_name, webpki_client_verifier_builder,
|
||||
ErrorFromPeer, KeyType, ALL_KEY_TYPES,
|
||||
};
|
||||
use rustls::client::danger::HandshakeSignatureValid;
|
||||
use rustls::client::WebPkiServerVerifier;
|
||||
use rustls::internal::msgs::handshake::DistinguishedName;
|
||||
use rustls::server::danger::{ClientCertVerified, ClientCertVerifier};
|
||||
use rustls::{
|
||||
|
|
@ -41,7 +41,7 @@ fn server_config_with_verifier(
|
|||
kt: KeyType,
|
||||
client_cert_verifier: MockClientVerifier,
|
||||
) -> ServerConfig {
|
||||
ServerConfig::builder()
|
||||
server_config_builder()
|
||||
.with_safe_defaults()
|
||||
.with_client_cert_verifier(Arc::new(client_cert_verifier))
|
||||
.with_single_cert(kt.get_chain(), kt.get_key())
|
||||
|
|
@ -140,6 +140,7 @@ fn client_verifier_fails_properly() {
|
|||
}
|
||||
|
||||
pub struct MockClientVerifier {
|
||||
parent: Arc<dyn ClientCertVerifier>,
|
||||
pub verified: fn() -> Result<ClientCertVerified, Error>,
|
||||
pub subjects: Vec<DistinguishedName>,
|
||||
pub mandatory: bool,
|
||||
|
|
@ -149,6 +150,9 @@ pub struct MockClientVerifier {
|
|||
impl MockClientVerifier {
|
||||
pub fn new(verified: fn() -> Result<ClientCertVerified, Error>, kt: KeyType) -> Self {
|
||||
Self {
|
||||
parent: webpki_client_verifier_builder(get_client_root_store(kt))
|
||||
.build()
|
||||
.unwrap(),
|
||||
verified,
|
||||
subjects: get_client_root_store(kt).subjects(),
|
||||
mandatory: true,
|
||||
|
|
@ -181,7 +185,8 @@ impl ClientCertVerifier for MockClientVerifier {
|
|||
cert: &CertificateDer<'_>,
|
||||
dss: &DigitallySignedStruct,
|
||||
) -> Result<HandshakeSignatureValid, Error> {
|
||||
WebPkiServerVerifier::default_verify_tls12_signature(message, cert, dss)
|
||||
self.parent
|
||||
.verify_tls12_signature(message, cert, dss)
|
||||
}
|
||||
|
||||
fn verify_tls13_signature(
|
||||
|
|
@ -190,14 +195,15 @@ impl ClientCertVerifier for MockClientVerifier {
|
|||
cert: &CertificateDer<'_>,
|
||||
dss: &DigitallySignedStruct,
|
||||
) -> Result<HandshakeSignatureValid, Error> {
|
||||
WebPkiServerVerifier::default_verify_tls13_signature(message, cert, dss)
|
||||
self.parent
|
||||
.verify_tls13_signature(message, cert, dss)
|
||||
}
|
||||
|
||||
fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
|
||||
if let Some(schemes) = &self.offered_schemes {
|
||||
schemes.clone()
|
||||
} else {
|
||||
WebPkiServerVerifier::default_supported_verify_schemes()
|
||||
self.parent.supported_verify_schemes()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#![allow(dead_code)]
|
||||
#![cfg(feature = "ring")]
|
||||
#![cfg(any(feature = "ring", feature = "aws_lc_rs"))]
|
||||
|
||||
use std::io;
|
||||
use std::ops::{Deref, DerefMut};
|
||||
|
|
@ -8,7 +8,7 @@ use std::sync::Arc;
|
|||
use pki_types::{CertificateDer, CertificateRevocationListDer, PrivateKeyDer};
|
||||
use webpki::extract_trust_anchor;
|
||||
|
||||
use rustls::client::ServerCertVerifierBuilder;
|
||||
use rustls::client::{ServerCertVerifierBuilder, WebPkiServerVerifier};
|
||||
use rustls::internal::msgs::codec::Reader;
|
||||
use rustls::internal::msgs::message::{Message, OpaqueMessage, PlainMessage};
|
||||
use rustls::server::{ClientCertVerifierBuilder, WebPkiClientVerifier};
|
||||
|
|
@ -18,6 +18,15 @@ use rustls::RootCertStore;
|
|||
use rustls::{ClientConfig, ClientConnection};
|
||||
use rustls::{ConnectionCommon, ServerConfig, ServerConnection, SideData};
|
||||
|
||||
#[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
|
||||
pub use rustls::crypto::aws_lc_rs as primary_provider;
|
||||
#[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
|
||||
pub use rustls::crypto::aws_lc_rs::AWS_LC_RS as PROVIDER;
|
||||
#[cfg(feature = "ring")]
|
||||
pub use rustls::crypto::ring as primary_provider;
|
||||
#[cfg(feature = "ring")]
|
||||
pub use rustls::crypto::ring::RING as PROVIDER;
|
||||
|
||||
macro_rules! embed_files {
|
||||
(
|
||||
$(
|
||||
|
|
@ -261,6 +270,33 @@ impl KeyType {
|
|||
}
|
||||
}
|
||||
|
||||
pub fn server_config_builder() -> rustls::ConfigBuilder<ServerConfig, rustls::WantsCipherSuites> {
|
||||
// ensure `ServerConfig::builder()` is covered, even though it is
|
||||
// equivalent to `builder_with_provider(PROVIDER)`.
|
||||
#[cfg(feature = "ring")]
|
||||
{
|
||||
rustls::ServerConfig::builder()
|
||||
}
|
||||
#[cfg(not(feature = "ring"))]
|
||||
{
|
||||
rustls::ServerConfig::builder_with_provider(PROVIDER)
|
||||
}
|
||||
}
|
||||
|
||||
pub fn client_config_builder() -> rustls::ConfigBuilder<ClientConfig, rustls::WantsCipherSuites> {
|
||||
// ensure `ClientConfig::builder()` is covered, even though it is
|
||||
// equivalent to `builder_with_provider(PROVIDER)`.
|
||||
#[cfg(feature = "ring")]
|
||||
{
|
||||
rustls::ClientConfig::builder()
|
||||
}
|
||||
|
||||
#[cfg(not(feature = "ring"))]
|
||||
{
|
||||
rustls::ClientConfig::builder_with_provider(PROVIDER)
|
||||
}
|
||||
}
|
||||
|
||||
pub fn finish_server_config(
|
||||
kt: KeyType,
|
||||
conf: rustls::ConfigBuilder<ServerConfig, rustls::WantsVerifier>,
|
||||
|
|
@ -271,7 +307,7 @@ pub fn finish_server_config(
|
|||
}
|
||||
|
||||
pub fn make_server_config(kt: KeyType) -> ServerConfig {
|
||||
finish_server_config(kt, ServerConfig::builder().with_safe_defaults())
|
||||
finish_server_config(kt, server_config_builder().with_safe_defaults())
|
||||
}
|
||||
|
||||
pub fn make_server_config_with_versions(
|
||||
|
|
@ -280,7 +316,7 @@ pub fn make_server_config_with_versions(
|
|||
) -> ServerConfig {
|
||||
finish_server_config(
|
||||
kt,
|
||||
ServerConfig::builder()
|
||||
server_config_builder()
|
||||
.with_safe_default_cipher_suites()
|
||||
.with_safe_default_kx_groups()
|
||||
.with_protocol_versions(versions)
|
||||
|
|
@ -294,7 +330,7 @@ pub fn make_server_config_with_kx_groups(
|
|||
) -> ServerConfig {
|
||||
finish_server_config(
|
||||
kt,
|
||||
ServerConfig::builder()
|
||||
server_config_builder()
|
||||
.with_safe_default_cipher_suites()
|
||||
.with_kx_groups(kx_groups)
|
||||
.with_safe_default_protocol_versions()
|
||||
|
|
@ -321,14 +357,14 @@ pub fn make_server_config_with_mandatory_client_auth_crls(
|
|||
) -> ServerConfig {
|
||||
make_server_config_with_client_verifier(
|
||||
kt,
|
||||
WebPkiClientVerifier::builder(get_client_root_store(kt)).with_crls(crls),
|
||||
webpki_client_verifier_builder(get_client_root_store(kt)).with_crls(crls),
|
||||
)
|
||||
}
|
||||
|
||||
pub fn make_server_config_with_mandatory_client_auth(kt: KeyType) -> ServerConfig {
|
||||
make_server_config_with_client_verifier(
|
||||
kt,
|
||||
WebPkiClientVerifier::builder(get_client_root_store(kt)),
|
||||
webpki_client_verifier_builder(get_client_root_store(kt)),
|
||||
)
|
||||
}
|
||||
|
||||
|
|
@ -338,7 +374,7 @@ pub fn make_server_config_with_optional_client_auth(
|
|||
) -> ServerConfig {
|
||||
make_server_config_with_client_verifier(
|
||||
kt,
|
||||
WebPkiClientVerifier::builder(get_client_root_store(kt))
|
||||
webpki_client_verifier_builder(get_client_root_store(kt))
|
||||
.with_crls(crls)
|
||||
.allow_unknown_revocation_status()
|
||||
.allow_unauthenticated(),
|
||||
|
|
@ -349,7 +385,7 @@ pub fn make_server_config_with_client_verifier(
|
|||
kt: KeyType,
|
||||
verifier_builder: ClientCertVerifierBuilder,
|
||||
) -> ServerConfig {
|
||||
ServerConfig::builder()
|
||||
server_config_builder()
|
||||
.with_safe_defaults()
|
||||
.with_client_cert_verifier(verifier_builder.build().unwrap())
|
||||
.with_single_cert(kt.get_chain(), kt.get_key())
|
||||
|
|
@ -389,14 +425,14 @@ pub fn finish_client_config_with_creds(
|
|||
}
|
||||
|
||||
pub fn make_client_config(kt: KeyType) -> ClientConfig {
|
||||
finish_client_config(kt, ClientConfig::builder().with_safe_defaults())
|
||||
finish_client_config(kt, client_config_builder().with_safe_defaults())
|
||||
}
|
||||
|
||||
pub fn make_client_config_with_kx_groups(
|
||||
kt: KeyType,
|
||||
kx_groups: &[&'static dyn rustls::crypto::SupportedKxGroup],
|
||||
) -> ClientConfig {
|
||||
let builder = ClientConfig::builder()
|
||||
let builder = client_config_builder()
|
||||
.with_safe_default_cipher_suites()
|
||||
.with_kx_groups(kx_groups)
|
||||
.with_safe_default_protocol_versions()
|
||||
|
|
@ -408,7 +444,7 @@ pub fn make_client_config_with_versions(
|
|||
kt: KeyType,
|
||||
versions: &[&'static rustls::SupportedProtocolVersion],
|
||||
) -> ClientConfig {
|
||||
let builder = ClientConfig::builder()
|
||||
let builder = client_config_builder()
|
||||
.with_safe_default_cipher_suites()
|
||||
.with_safe_default_kx_groups()
|
||||
.with_protocol_versions(versions)
|
||||
|
|
@ -417,14 +453,14 @@ pub fn make_client_config_with_versions(
|
|||
}
|
||||
|
||||
pub fn make_client_config_with_auth(kt: KeyType) -> ClientConfig {
|
||||
finish_client_config_with_creds(kt, ClientConfig::builder().with_safe_defaults())
|
||||
finish_client_config_with_creds(kt, client_config_builder().with_safe_defaults())
|
||||
}
|
||||
|
||||
pub fn make_client_config_with_versions_with_auth(
|
||||
kt: KeyType,
|
||||
versions: &[&'static rustls::SupportedProtocolVersion],
|
||||
) -> ClientConfig {
|
||||
let builder = ClientConfig::builder()
|
||||
let builder = client_config_builder()
|
||||
.with_safe_default_cipher_suites()
|
||||
.with_safe_default_kx_groups()
|
||||
.with_protocol_versions(versions)
|
||||
|
|
@ -436,7 +472,7 @@ pub fn make_client_config_with_verifier(
|
|||
versions: &[&'static rustls::SupportedProtocolVersion],
|
||||
verifier_builder: ServerCertVerifierBuilder,
|
||||
) -> ClientConfig {
|
||||
ClientConfig::builder()
|
||||
client_config_builder()
|
||||
.with_safe_default_cipher_suites()
|
||||
.with_safe_default_kx_groups()
|
||||
.with_protocol_versions(versions)
|
||||
|
|
@ -446,6 +482,30 @@ pub fn make_client_config_with_verifier(
|
|||
.with_no_client_auth()
|
||||
}
|
||||
|
||||
pub fn webpki_client_verifier_builder(roots: Arc<RootCertStore>) -> ClientCertVerifierBuilder {
|
||||
#[cfg(feature = "ring")]
|
||||
{
|
||||
WebPkiClientVerifier::builder(roots)
|
||||
}
|
||||
|
||||
#[cfg(not(feature = "ring"))]
|
||||
{
|
||||
WebPkiClientVerifier::builder_with_provider(roots, PROVIDER)
|
||||
}
|
||||
}
|
||||
|
||||
pub fn webpki_server_verifier_builder(roots: Arc<RootCertStore>) -> ServerCertVerifierBuilder {
|
||||
#[cfg(feature = "ring")]
|
||||
{
|
||||
WebPkiServerVerifier::builder(roots)
|
||||
}
|
||||
|
||||
#[cfg(not(feature = "ring"))]
|
||||
{
|
||||
WebPkiServerVerifier::builder_with_provider(roots, PROVIDER)
|
||||
}
|
||||
}
|
||||
|
||||
pub fn make_pair(kt: KeyType) -> (ClientConnection, ServerConnection) {
|
||||
make_pair_for_configs(make_client_config(kt), make_server_config(kt))
|
||||
}
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ use crate::common::{
|
|||
make_pair_for_arc_configs, make_server_config, ErrorFromPeer, ALL_KEY_TYPES,
|
||||
};
|
||||
use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
|
||||
use rustls::client::WebPkiServerVerifier;
|
||||
use rustls::DigitallySignedStruct;
|
||||
use rustls::{AlertDescription, Error, InvalidMessage, SignatureScheme};
|
||||
|
||||
|
|
@ -264,7 +263,13 @@ impl Default for MockServerVerifier {
|
|||
cert_rejection_error: None,
|
||||
tls12_signature_error: None,
|
||||
tls13_signature_error: None,
|
||||
signature_schemes: WebPkiServerVerifier::default_supported_verify_schemes(),
|
||||
signature_schemes: vec![
|
||||
SignatureScheme::RSA_PSS_SHA256,
|
||||
SignatureScheme::RSA_PKCS1_SHA256,
|
||||
SignatureScheme::ED25519,
|
||||
SignatureScheme::ECDSA_NISTP256_SHA256,
|
||||
SignatureScheme::ECDSA_NISTP384_SHA384,
|
||||
],
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue