rust/rustls
rust
/
rustls
mirror of https://github.com/ctz/rustls
1
0
Fork 0
Code Issues Releases Wiki Activity

Format imports with `cargo +nightly fmt-unstable` 

Run with nightly-2024-02-21
This commit is contained in:
Joseph Birr-Pixton 2024-02-28 09:10:20 +00:00 committed by Joe Birr-Pixton
parent 2d66fe4d9b
commit 546a85d912
84 changed files with 552 additions and 652 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ci-bench/src/util.rs
View File

@ -401,10 +401,12 @@ pub mod transport {
//! but that doesn't matter (we are measuring performance differences, and overhead is automatically
//! ignored as long as it remains constant).
use super::async_io::{AsyncRead, AsyncWrite};
use std::io::{Cursor, Read, Write};
use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt};
use rustls::{ClientConnection, ConnectionCommon, ServerConnection, SideData};
use std::io::{Cursor, Read, Write};
use super::async_io::{AsyncRead, AsyncWrite};
/// Sends one side's handshake data to the other side in one go.
///

1
connect-tests/tests/ech.rs
View File

@ -3,7 +3,6 @@ mod ech_config {
use hickory_resolver::proto::rr::rdata::svcb::{SvcParamKey, SvcParamValue};
use hickory_resolver::proto::rr::{RData, RecordType};
use hickory_resolver::Resolver;
use rustls::internal::msgs::codec::{Codec, Reader};
use rustls::internal::msgs::enums::EchVersion;
use rustls::internal::msgs::handshake::EchConfig;

3
examples/src/bin/limitedclient.rs
View File

@ -2,11 +2,12 @@
//! so that unused cryptography in rustls can be discarded by the linker. You can
//! observe using `nm` that the binary of this program does not contain any AES code.
use rustls::crypto::{aws_lc_rs as provider, CryptoProvider};
use std::io::{stdout, Read, Write};
use std::net::TcpStream;
use std::sync::Arc;
use rustls::crypto::{aws_lc_rs as provider, CryptoProvider};
fn main() {
let root_store = rustls::RootCertStore::from_iter(
webpki_roots::TLS_SERVER_ROOTS

3
examples/src/bin/server_acceptor.rs
View File

@ -13,13 +13,12 @@ use std::time::Duration;
use std::{fs, thread};
use docopt::Docopt;
use serde_derive::Deserialize;
use rustls::pki_types::{
CertificateDer, CertificateRevocationListDer, PrivateKeyDer, PrivatePkcs8KeyDer,
};
use rustls::server::{Acceptor, ClientHello, ServerConfig, WebPkiClientVerifier};
use rustls::RootCertStore;
use serde_derive::Deserialize;
fn main() {
let version = concat!(

3
examples/src/bin/tlsclient-mio.rs
View File

@ -26,11 +26,10 @@ use std::{fs, process, str};
use docopt::Docopt;
use mio::net::TcpStream;
use serde::Deserialize;
use rustls::crypto::{aws_lc_rs as provider, CryptoProvider};
use rustls::pki_types::{CertificateDer, PrivateKeyDer, ServerName};
use rustls::RootCertStore;
use serde::Deserialize;
const CLIENT: mio::Token = mio::Token(0);

3
examples/src/bin/tlsserver-mio.rs
View File

@ -27,12 +27,11 @@ use std::{fs, net};
use docopt::Docopt;
use log::{debug, error};
use mio::net::{TcpListener, TcpStream};
use serde::Deserialize;
use rustls::crypto::{aws_lc_rs as provider, CryptoProvider};
use rustls::pki_types::{CertificateDer, CertificateRevocationListDer, PrivateKeyDer};
use rustls::server::WebPkiClientVerifier;
use rustls::RootCertStore;
use serde::Deserialize;
// Token for our listening socket.
const LISTENER: mio::Token = mio::Token(0);

3
openssl-tests/src/ffdhe_kx_with_openssl.rs
View File

@ -4,6 +4,7 @@ use std::net::{TcpListener, TcpStream};
use std::sync::Arc;
use std::{str, thread};
use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod};
use rustls::crypto::{aws_lc_rs as provider, CryptoProvider};
use rustls::version::{TLS12, TLS13};
use rustls::{ClientConfig, RootCertStore, ServerConfig, SupportedProtocolVersion};
@ -13,8 +14,6 @@ use rustls_pki_types::{CertificateDer, PrivateKeyDer};
use crate::ffdhe::{self, FfdheKxGroup};
use crate::utils::verify_openssl3_available;
use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod};
#[test]
fn rustls_server_with_ffdhe_kx_tls13() {
test_rustls_server_with_ffdhe_kx(&TLS13, 1)

8
rustls/benches/benchmarks.rs
View File

@ -1,18 +1,16 @@
#![cfg(feature = "ring")]
use bencher::{benchmark_group, benchmark_main, Bencher};
use rustls::crypto::ring as provider;
#[path = "../tests/common/mod.rs"]
mod test_utils;
use test_utils::*;
use rustls::ServerConnection;
use std::io;
use std::sync::Arc;
use rustls::ServerConnection;
use test_utils::*;
fn bench_ewouldblock(c: &mut Bencher) {
let server_config = make_server_config(KeyType::Rsa);
let mut server = ServerConnection::new(Arc::new(server_config)).unwrap();

15
rustls/examples/internal/bench_impl.rs
View File

@ -3,16 +3,13 @@
// Note: we don't use any of the standard 'cargo bench', 'test::Bencher',
// etc. because it's unstable at the time of writing.
use std::env;
use std::fs;
use std::io::{self, Read, Write};
use std::ops::Deref;
use std::ops::DerefMut;
use std::ops::{Deref, DerefMut};
use std::sync::Arc;
use std::time::{Duration, Instant};
use std::{env, fs};
use pki_types::{CertificateDer, PrivateKeyDer};
use rustls::client::Resumption;
#[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
use rustls::crypto::aws_lc_rs as provider;
@ -24,10 +21,10 @@ use rustls::crypto::ring as provider;
use rustls::crypto::ring::{cipher_suite, Ticketer};
use rustls::crypto::CryptoProvider;
use rustls::server::{NoServerSessionStorage, ServerSessionMemoryCache, WebPkiClientVerifier};
use rustls::RootCertStore;
use rustls::{ClientConfig, ClientConnection};
use rustls::{ConnectionCommon, SideData};
use rustls::{ServerConfig, ServerConnection};
use rustls::{
ClientConfig, ClientConnection, ConnectionCommon, RootCertStore, ServerConfig,
ServerConnection, SideData,
};
pub fn main() {
let mut args = std::env::args();

25
rustls/examples/internal/bogo_shim_impl.rs
View File

@ -4,8 +4,19 @@
// https://boringssl.googlesource.com/boringssl/+/master/ssl/test
//
use std::fmt::{Debug, Formatter};
use std::io::{self, BufReader, Read, Write};
use std::sync::Arc;
use std::{env, fs, net, process, thread, time};
use base64::prelude::{Engine, BASE64_STANDARD};
use pki_types::{CertificateDer, PrivateKeyDer, ServerName, UnixTime};
use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
use rustls::client::{ClientConfig, ClientConnection, Resumption, WebPkiServerVerifier};
#[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
use rustls::crypto::aws_lc_rs as provider;
#[cfg(feature = "ring")]
use rustls::crypto::ring as provider;
use rustls::crypto::{CryptoProvider, SupportedKxGroup};
use rustls::internal::msgs::codec::Codec;
use rustls::internal::msgs::persist::ServerSessionValue;
@ -18,20 +29,6 @@ use rustls::{
SupportedProtocolVersion,
};
#[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
use rustls::crypto::aws_lc_rs as provider;
#[cfg(feature = "ring")]
use rustls::crypto::ring as provider;
use base64::prelude::{Engine, BASE64_STANDARD};
use pki_types::{CertificateDer, PrivateKeyDer, ServerName, UnixTime};
use std::fmt::{Debug, Formatter};
use std::io::{self, BufReader, Read, Write};
use std::sync::Arc;
use std::time;
use std::{env, fs, net, process, thread};
static BOGO_NACK: i32 = 89;
macro_rules! println_err(

3
rustls/src/bs_debug.rs
View File

@ -41,10 +41,11 @@ impl<'a> fmt::Debug for BsDebug<'a> {
#[cfg(test)]
mod tests {
use super::BsDebug;
use std::format;
use std::prelude::v1::*;
use super::BsDebug;
#[test]
fn debug() {
let vec: Vec<_> = (0..0x100).map(|b| b as u8).collect();

10
rustls/src/builder.rs
View File

@ -1,14 +1,14 @@
use crate::error::Error;
use crate::time_provider::TimeProvider;
use crate::versions;
use crate::{crypto::CryptoProvider, msgs::handshake::ALL_KEY_EXCHANGE_ALGORITHMS};
use alloc::format;
use alloc::sync::Arc;
use alloc::vec::Vec;
use core::fmt;
use core::marker::PhantomData;
use crate::crypto::CryptoProvider;
use crate::error::Error;
use crate::msgs::handshake::ALL_KEY_EXCHANGE_ALGORITHMS;
use crate::time_provider::TimeProvider;
use crate::versions;
#[cfg(doc)]
use crate::{ClientConfig, ServerConfig};

18
rustls/src/client/builder.rs
View File

@ -1,6 +1,12 @@
use alloc::sync::Arc;
use alloc::vec::Vec;
use core::marker::PhantomData;
use pki_types::{CertificateDer, PrivateKeyDer};
use super::client_conn::Resumption;
use crate::builder::{ConfigBuilder, WantsVerifier};
use crate::client::handy;
use crate::client::{ClientConfig, ResolvesClientCert};
use crate::client::{handy, ClientConfig, ResolvesClientCert};
use crate::crypto::CryptoProvider;
use crate::error::Error;
use crate::key_log::NoKeyLog;
@ -9,14 +15,6 @@ use crate::time_provider::TimeProvider;
use crate::webpki::{self, WebPkiServerVerifier};
use crate::{verify, versions};
use super::client_conn::Resumption;
use pki_types::{CertificateDer, PrivateKeyDer};
use alloc::sync::Arc;
use alloc::vec::Vec;
use core::marker::PhantomData;
impl ConfigBuilder<ClientConfig, WantsVerifier> {
/// Choose how to verify server certificates.
///

44
rustls/src/client/client_conn.rs
View File

@ -1,3 +1,13 @@
use alloc::sync::Arc;
use alloc::vec::Vec;
use core::marker::PhantomData;
use core::ops::{Deref, DerefMut};
use core::{fmt, mem};
use pki_types::{ServerName, UnixTime};
use super::handy::NoClientSessionStorage;
use super::hs;
use crate::builder::ConfigBuilder;
use crate::common_state::{CommonState, Protocol, Side};
use crate::conn::{ConnectionCore, UnbufferedConnectionCommon};
@ -9,32 +19,16 @@ use crate::log::trace;
use crate::msgs::enums::NamedGroup;
use crate::msgs::handshake::ClientExtension;
use crate::msgs::persist;
use crate::sign;
use crate::suites::SupportedCipherSuite;
#[cfg(feature = "std")]
use crate::time_provider::DefaultTimeProvider;
use crate::time_provider::TimeProvider;
use crate::unbuffered::{EncryptError, TransmitTlsData};
use crate::versions;
use crate::KeyLog;
#[cfg(feature = "std")]
use crate::WantsVerifier;
use crate::{verify, WantsVersions};
use super::handy::NoClientSessionStorage;
use super::hs;
use pki_types::{ServerName, UnixTime};
use alloc::sync::Arc;
use alloc::vec::Vec;
use core::fmt;
use core::marker::PhantomData;
use core::mem;
use core::ops::{Deref, DerefMut};
#[cfg(doc)]
use crate::{crypto, DistinguishedName};
use crate::{sign, verify, versions, KeyLog, WantsVersions};
/// A trait for the ability to store client session data, so that sessions
/// can be resumed in future connections.
@ -584,22 +578,20 @@ impl EarlyData {
#[cfg(feature = "std")]
mod connection {
use crate::common_state::Protocol;
use crate::conn::ConnectionCommon;
use crate::conn::ConnectionCore;
use crate::error::Error;
use crate::suites::ExtractedSecrets;
use crate::ClientConfig;
use pki_types::ServerName;
use alloc::sync::Arc;
use alloc::vec::Vec;
use core::fmt;
use core::ops::{Deref, DerefMut};
use std::io;
use pki_types::ServerName;
use super::ClientConnectionData;
use crate::common_state::Protocol;
use crate::conn::{ConnectionCommon, ConnectionCore};
use crate::error::Error;
use crate::suites::ExtractedSecrets;
use crate::ClientConfig;
/// Stub that implements io::Write and dispatches to `write_early_data`.
pub struct WriteEarlyData<'a> {

11
rustls/src/client/common.rs
View File

@ -1,15 +1,14 @@
use alloc::boxed::Box;
use alloc::sync::Arc;
use alloc::vec::Vec;
use super::ResolvesClientCert;
#[cfg(feature = "logging")]
use crate::log::{debug, trace};
use crate::msgs::enums::ExtensionType;
use crate::msgs::handshake::ServerExtension;
use crate::msgs::handshake::{CertificateChain, DistinguishedName};
use crate::msgs::handshake::{CertificateChain, DistinguishedName, ServerExtension};
use crate::{sign, SignatureScheme};
use alloc::boxed::Box;
use alloc::sync::Arc;
use alloc::vec::Vec;
#[derive(Debug)]
pub(super) struct ServerCertDetails<'a> {
pub(super) cert_chain: CertificateChain<'a>,

19
rustls/src/client/handy.rs
View File

@ -1,14 +1,12 @@
use crate::client;
use alloc::sync::Arc;
use pki_types::ServerName;
use crate::enums::SignatureScheme;
use crate::error::Error;
use crate::msgs::handshake::CertificateChain;
use crate::msgs::persist;
use crate::sign;
use crate::NamedGroup;
use pki_types::ServerName;
use alloc::sync::Arc;
use crate::{client, sign, NamedGroup};
/// An implementer of `ClientSessionStore` which does nothing.
#[derive(Debug)]
@ -42,12 +40,11 @@ mod cache {
use core::fmt;
use std::sync::Mutex;
use crate::limited_cache;
use crate::msgs::persist;
use crate::NamedGroup;
use pki_types::ServerName;
use crate::msgs::persist;
use crate::{limited_cache, NamedGroup};
const MAX_TLS13_TICKETS_PER_SERVER: usize = 8;
struct ServerData {

45
rustls/src/client/hs.rs
View File

@ -1,6 +1,21 @@
use alloc::borrow::ToOwned;
use alloc::boxed::Box;
use alloc::sync::Arc;
use alloc::vec;
use alloc::vec::Vec;
use core::ops::Deref;
use pki_types::ServerName;
#[cfg(feature = "tls12")]
use super::tls12;
use super::Tls12Resumption;
#[cfg(feature = "logging")]
use crate::bs_debug;
use crate::check::inappropriate_handshake_message;
use crate::client::client_conn::ClientConnectionData;
use crate::client::common::ClientHelloDetails;
use crate::client::{tls13, ClientConfig};
use crate::common_state::{CommonState, State};
use crate::conn::ConnectionRandoms;
use crate::crypto::{ActiveKeyExchange, KeyExchangeAlgorithm};
@ -10,35 +25,17 @@ use crate::hash_hs::HandshakeHashBuffer;
#[cfg(feature = "logging")]
use crate::log::{debug, trace};
use crate::msgs::base::Payload;
use crate::msgs::enums::{Compression, ExtensionType};
use crate::msgs::enums::{ECPointFormat, PSKKeyExchangeMode};
use crate::msgs::handshake::ConvertProtocolNameList;
use crate::msgs::handshake::{CertificateStatusRequest, ClientSessionTicket};
use crate::msgs::handshake::{ClientExtension, HasServerExtensions};
use crate::msgs::handshake::{ClientHelloPayload, HandshakeMessagePayload, HandshakePayload};
use crate::msgs::handshake::{HelloRetryRequest, KeyShareEntry};
use crate::msgs::handshake::{Random, SessionId};
use crate::msgs::enums::{Compression, ECPointFormat, ExtensionType, PSKKeyExchangeMode};
use crate::msgs::handshake::{
CertificateStatusRequest, ClientExtension, ClientHelloPayload, ClientSessionTicket,
ConvertProtocolNameList, HandshakeMessagePayload, HandshakePayload, HasServerExtensions,
HelloRetryRequest, KeyShareEntry, Random, SessionId,
};
use crate::msgs::message::{Message, MessagePayload};
use crate::msgs::persist;
use crate::tls13::key_schedule::KeyScheduleEarly;
use crate::SupportedCipherSuite;
#[cfg(feature = "tls12")]
use super::tls12;
use super::Tls12Resumption;
use crate::client::client_conn::ClientConnectionData;
use crate::client::common::ClientHelloDetails;
use crate::client::{tls13, ClientConfig};
use pki_types::ServerName;
use alloc::borrow::ToOwned;
use alloc::boxed::Box;
use alloc::sync::Arc;
use alloc::vec;
use alloc::vec::Vec;
use core::ops::Deref;
pub(super) type NextState<'a> = Box<dyn State<ClientConnectionData> + 'a>;
pub(super) type NextStateOrError<'a> = Result<NextState<'a>, Error>;
pub(super) type ClientContext<'a> = crate::common_state::Context<'a, ClientConnectionData>;

40
rustls/src/client/tls12.rs
View File

@ -1,9 +1,22 @@
use alloc::borrow::ToOwned;
use alloc::boxed::Box;
use alloc::sync::Arc;
use alloc::vec;
use alloc::vec::Vec;
use pki_types::ServerName;
pub(super) use server_hello::CompleteServerHelloHandling;
use subtle::ConstantTimeEq;
use super::client_conn::ClientConnectionData;
use super::hs::ClientContext;
use crate::check::{inappropriate_handshake_message, inappropriate_message};
use crate::client::common::{ClientAuthDetails, ServerCertDetails};
use crate::client::{hs, ClientConfig};
use crate::common_state::{CommonState, Side, State};
use crate::conn::ConnectionRandoms;
use crate::crypto::KeyExchangeAlgorithm;
use crate::enums::ProtocolVersion;
use crate::enums::{AlertDescription, ContentType, HandshakeType};
use crate::enums::{AlertDescription, ContentType, HandshakeType, ProtocolVersion};
use crate::error::{Error, InvalidMessage, PeerIncompatible, PeerMisbehaved};
use crate::hash_hs::HandshakeHash;
#[cfg(feature = "logging")]
@ -22,29 +35,10 @@ use crate::suites::{PartiallyExtractedSecrets, SupportedCipherSuite};
use crate::tls12::{self, ConnectionSecrets, Tls12CipherSuite};
use crate::verify::{self, DigitallySignedStruct};
use super::client_conn::ClientConnectionData;
use super::hs::ClientContext;
use crate::client::common::ClientAuthDetails;
use crate::client::common::ServerCertDetails;
use crate::client::{hs, ClientConfig};
use pki_types::ServerName;
use subtle::ConstantTimeEq;
use alloc::borrow::ToOwned;
use alloc::boxed::Box;
use alloc::sync::Arc;
use alloc::vec;
use alloc::vec::Vec;
pub(super) use server_hello::CompleteServerHelloHandling;
mod server_hello {
use crate::msgs::enums::ExtensionType;
use crate::msgs::handshake::HasServerExtensions;
use crate::msgs::handshake::ServerHelloPayload;
use super::*;
use crate::msgs::enums::ExtensionType;
use crate::msgs::handshake::{HasServerExtensions, ServerHelloPayload};
pub(in crate::client) struct CompleteServerHelloHandling {
pub(in crate::client) config: Arc<ClientConfig>,

52
rustls/src/client/tls13.rs
View File

@ -1,8 +1,18 @@
use alloc::boxed::Box;
use alloc::sync::Arc;
use alloc::vec;
use alloc::vec::Vec;
use pki_types::ServerName;
use subtle::ConstantTimeEq;
use super::client_conn::ClientConnectionData;
use super::hs::ClientContext;
use crate::check::inappropriate_handshake_message;
use crate::common_state::Protocol;
use crate::common_state::{CommonState, Side, State};
use crate::client::common::{ClientAuthDetails, ClientHelloDetails, ServerCertDetails};
use crate::client::{hs, ClientConfig, ClientSessionStore};
use crate::common_state::{CommonState, Protocol, Side, State};
use crate::conn::ConnectionRandoms;
use crate::crypto;
use crate::crypto::ActiveKeyExchange;
use crate::enums::{
AlertDescription, ContentType, HandshakeType, ProtocolVersion, SignatureScheme,
@ -13,40 +23,24 @@ use crate::hash_hs::{HandshakeHash, HandshakeHashBuffer};
use crate::log::{debug, trace, warn};
use crate::msgs::base::{Payload, PayloadU8};
use crate::msgs::ccs::ChangeCipherSpecPayload;
use crate::msgs::enums::ExtensionType;
use crate::msgs::enums::KeyUpdateRequest;
use crate::msgs::handshake::NewSessionTicketPayloadTls13;
use crate::msgs::handshake::{CertificateEntry, CertificatePayloadTls13};
use crate::msgs::handshake::{ClientExtension, ServerExtension};
use crate::msgs::handshake::{HandshakeMessagePayload, HandshakePayload};
use crate::msgs::handshake::{HasServerExtensions, ServerHelloPayload};
use crate::msgs::handshake::{PresharedKeyIdentity, PresharedKeyOffer};
use crate::msgs::enums::{ExtensionType, KeyUpdateRequest};
use crate::msgs::handshake::{
CertificateEntry, CertificatePayloadTls13, ClientExtension, HandshakeMessagePayload,
HandshakePayload, HasServerExtensions, NewSessionTicketPayloadTls13, PresharedKeyIdentity,
PresharedKeyOffer, ServerExtension, ServerHelloPayload,
};
use crate::msgs::message::{Message, MessagePayload};
use crate::msgs::persist;
use crate::sign::{CertifiedKey, Signer};
use crate::suites::PartiallyExtractedSecrets;
use crate::tls13::construct_client_verify_message;
use crate::tls13::construct_server_verify_message;
use crate::tls13::key_schedule::{
KeyScheduleEarly, KeyScheduleHandshake, KeySchedulePreHandshake, KeyScheduleTraffic,
};
use crate::tls13::Tls13CipherSuite;
use crate::tls13::{
construct_client_verify_message, construct_server_verify_message, Tls13CipherSuite,
};
use crate::verify::{self, DigitallySignedStruct};
use crate::KeyLog;
use super::client_conn::ClientConnectionData;
use super::hs::ClientContext;
use crate::client::common::ServerCertDetails;
use crate::client::common::{ClientAuthDetails, ClientHelloDetails};
use crate::client::{hs, ClientConfig, ClientSessionStore};
use pki_types::ServerName;
use subtle::ConstantTimeEq;
use alloc::boxed::Box;
use alloc::sync::Arc;
use alloc::vec;
use alloc::vec::Vec;
use crate::{crypto, KeyLog};
// Extensions we expect in plaintext in the ServerHello.
static ALLOWED_PLAINTEXT_EXTS: &[ExtensionType] = &[

16
rustls/src/common_state.rs
View File

@ -1,3 +1,8 @@
use alloc::boxed::Box;
use alloc::vec::Vec;
use pki_types::CertificateDer;
use crate::enums::{AlertDescription, ContentType, HandshakeType, ProtocolVersion};
use crate::error::{Error, InvalidMessage, PeerMisbehaved};
#[cfg(feature = "logging")]
@ -11,19 +16,12 @@ use crate::msgs::message::{
Message, MessagePayload, OutboundChunks, OutboundOpaqueMessage, OutboundPlainMessage,
PlainMessage,
};
use crate::quic;
use crate::record_layer;
use crate::suites::PartiallyExtractedSecrets;
use crate::suites::SupportedCipherSuite;
use crate::suites::{PartiallyExtractedSecrets, SupportedCipherSuite};
#[cfg(feature = "tls12")]
use crate::tls12::ConnectionSecrets;
use crate::unbuffered::{EncryptError, InsufficientSizeError};
use crate::vecbuf::ChunkVecBuffer;
use alloc::boxed::Box;
use alloc::vec::Vec;
use pki_types::CertificateDer;
use crate::{quic, record_layer};
/// Connection state common to both client and server connections.
pub struct CommonState {

24
rustls/src/conn.rs
View File

@ -1,3 +1,10 @@
use alloc::boxed::Box;
use core::fmt::Debug;
use core::mem;
use core::ops::{Deref, DerefMut};
#[cfg(feature = "std")]
use std::io;
use crate::common_state::{CommonState, Context, IoState, State, DEFAULT_BUFFER_LIMIT};
use crate::enums::{AlertDescription, ContentType};
use crate::error::{Error, PeerMisbehaved};
@ -9,17 +16,15 @@ use crate::msgs::message::{InboundPlainMessage, Message, MessagePayload};
use crate::suites::{ExtractedSecrets, PartiallyExtractedSecrets};
use crate::vecbuf::ChunkVecBuffer;
use alloc::boxed::Box;
use core::fmt::Debug;
use core::mem;
use core::ops::{Deref, DerefMut};
#[cfg(feature = "std")]
use std::io;
pub(crate) mod unbuffered;
#[cfg(feature = "std")]
mod connection {
use alloc::vec::Vec;
use core::fmt::Debug;
use core::ops::{Deref, DerefMut};
use std::io;
use crate::common_state::{CommonState, IoState};
use crate::error::Error;
use crate::msgs::message::OutboundChunks;
@ -27,11 +32,6 @@ mod connection {
use crate::vecbuf::ChunkVecBuffer;
use crate::ConnectionCommon;
use alloc::vec::Vec;
use core::fmt::Debug;
use core::ops::{Deref, DerefMut};
use std::io;
/// A client or server connection.
#[derive(Debug)]
pub enum Connection {

25
rustls/src/crypto/aws_lc_rs/mod.rs
View File

@ -1,14 +1,3 @@
use crate::crypto::{CryptoProvider, KeyProvider, SecureRandom};
use crate::enums::SignatureScheme;
use crate::rand::GetRandomFailed;
use crate::sign::SigningKey;
use crate::suites::SupportedCipherSuite;
use crate::webpki::WebPkiSupportedAlgorithms;
use crate::Error;
use pki_types::PrivateKeyDer;
use webpki::aws_lc_rs as webpki_algs;
use alloc::sync::Arc;
use alloc::vec::Vec;
@ -17,6 +6,16 @@ use alloc::vec::Vec;
// ring-compatible crate, and `super::ring_shim` to bridge the gaps where they are
// small.
pub(crate) use aws_lc_rs as ring_like;
use pki_types::PrivateKeyDer;
use webpki::aws_lc_rs as webpki_algs;
use crate::crypto::{CryptoProvider, KeyProvider, SecureRandom};
use crate::enums::SignatureScheme;
use crate::rand::GetRandomFailed;
use crate::sign::SigningKey;
use crate::suites::SupportedCipherSuite;
use crate::webpki::WebPkiSupportedAlgorithms;
use crate::Error;
/// Using software keys for authentication.
pub mod sign;
@ -219,9 +218,7 @@ static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms
///
/// [`ALL_KX_GROUPS`] is provided as an array of all of these values.
pub mod kx_group {
pub use super::kx::SECP256R1;
pub use super::kx::SECP384R1;
pub use super::kx::X25519;
pub use super::kx::{SECP256R1, SECP384R1, X25519};
}
pub use kx::ALL_KX_GROUPS;

27
rustls/src/crypto/aws_lc_rs/sign.rs
View File

@ -1,20 +1,19 @@
#![allow(clippy::duplicate_mod)]
use crate::enums::{SignatureAlgorithm, SignatureScheme};
use crate::error::Error;
use crate::sign::{Signer, SigningKey};
use alloc::boxed::Box;
use alloc::string::ToString;
use alloc::sync::Arc;
use alloc::vec::Vec;
use alloc::{format, vec};
use core::fmt::{self, Debug, Formatter};
use pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer};
use super::ring_like::rand::SystemRandom;
use super::ring_like::signature::{self, EcdsaKeyPair, Ed25519KeyPair, RsaKeyPair};
use pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer};
use alloc::boxed::Box;
use alloc::format;
use alloc::string::ToString;
use alloc::sync::Arc;
use alloc::vec;
use alloc::vec::Vec;
use core::fmt::{self, Debug, Formatter};
use crate::enums::{SignatureAlgorithm, SignatureScheme};
use crate::error::Error;
use crate::sign::{Signer, SigningKey};
/// Parse `der` as any supported key encoding/type, returning
/// the first which works.
@ -370,10 +369,12 @@ impl Debug for Ed25519Signer {
#[cfg(test)]
mod tests {
use super::*;
use alloc::format;
use pki_types::{PrivatePkcs1KeyDer, PrivateSec1KeyDer};
use super::*;
#[test]
fn can_load_ecdsa_nistp256_pkcs8() {
let key =

8
rustls/src/crypto/aws_lc_rs/tls12.rs
View File

@ -1,3 +1,7 @@
use alloc::boxed::Box;
use aws_lc_rs::{aead, tls_prf};
use crate::crypto::cipher::{
make_tls12_aad, AeadKey, InboundOpaqueMessage, Iv, KeyBlockShape, MessageDecrypter,
MessageEncrypter, Nonce, Tls12AeadAlgorithm, UnsupportedOperationError, NONCE_LEN,
@ -14,10 +18,6 @@ use crate::suites::{CipherSuiteCommon, ConnectionTrafficSecrets, SupportedCipher
use crate::tls12::Tls12CipherSuite;
use crate::version::TLS12;
use alloc::boxed::Box;
use aws_lc_rs::{aead, tls_prf};
/// The TLS1.2 ciphersuite TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256.
pub static TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
SupportedCipherSuite::Tls12(&Tls12CipherSuite {

6
rustls/src/crypto/aws_lc_rs/tls13.rs
View File

@ -1,5 +1,8 @@
use alloc::boxed::Box;
use aws_lc_rs::hkdf::KeyType;
use aws_lc_rs::{aead, hkdf, hmac};
use crate::crypto;
use crate::crypto::cipher::{
make_tls13_aad, AeadKey, InboundOpaqueMessage, Iv, MessageDecrypter, MessageEncrypter, Nonce,
@ -14,9 +17,6 @@ use crate::msgs::message::{
use crate::suites::{CipherSuiteCommon, ConnectionTrafficSecrets, SupportedCipherSuite};
use crate::tls13::Tls13CipherSuite;
use aws_lc_rs::hkdf::KeyType;
use aws_lc_rs::{aead, hkdf, hmac};
/// The TLS1.3 ciphersuite TLS_CHACHA20_POLY1305_SHA256
pub static TLS13_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
SupportedCipherSuite::Tls13(TLS13_CHACHA20_POLY1305_SHA256_INTERNAL);

4
rustls/src/crypto/cipher.rs
View File

@ -2,6 +2,8 @@ use alloc::boxed::Box;
use alloc::string::ToString;
use core::fmt;
use zeroize::Zeroize;
use crate::enums::{ContentType, ProtocolVersion};
use crate::error::Error;
use crate::msgs::codec;
@ -11,8 +13,6 @@ pub use crate::msgs::message::{
};
use crate::suites::ConnectionTrafficSecrets;
use zeroize::Zeroize;
/// Factory trait for building `MessageEncrypter` and `MessageDecrypter` for a TLS1.3 cipher suite.
pub trait Tls13AeadAlgorithm: Send + Sync {
/// Build a `MessageEncrypter` for the given key/iv.

4
rustls/src/crypto/hash.rs
View File

@ -1,7 +1,7 @@
pub use crate::msgs::enums::HashAlgorithm;
use alloc::boxed::Box;
pub use crate::msgs::enums::HashAlgorithm;
/// Describes a single cryptographic hash function.
///
/// This interface can do both one-shot and incremental hashing, using

23
rustls/src/crypto/mod.rs
View File

@ -1,7 +1,3 @@
use crate::sign::SigningKey;
use crate::{suites, ProtocolVersion, SupportedProtocolVersion};
use crate::{Error, NamedGroup};
use alloc::boxed::Box;
use alloc::sync::Arc;
use alloc::vec::Vec;
@ -11,10 +7,13 @@ use core::fmt::Debug;
use once_cell::race::OnceBox;
#[cfg(feature = "std")]
use once_cell::sync::OnceCell;
use pki_types::PrivateKeyDer;
use zeroize::Zeroize;
use crate::sign::SigningKey;
pub use crate::webpki::{
verify_tls12_signature, verify_tls13_signature, WebPkiSupportedAlgorithms,
};
#[cfg(all(doc, feature = "tls12"))]
use crate::Tls12CipherSuite;
#[cfg(doc)]
@ -22,10 +21,7 @@ use crate::{
client, crypto, server, sign, ClientConfig, ConfigBuilder, ServerConfig, SupportedCipherSuite,
Tls13CipherSuite,
};
pub use crate::webpki::{
verify_tls12_signature, verify_tls13_signature, WebPkiSupportedAlgorithms,
};
use crate::{suites, Error, NamedGroup, ProtocolVersion, SupportedProtocolVersion};
/// *ring* based CryptoProvider.
#[cfg(feature = "ring")]
@ -59,11 +55,9 @@ pub mod hpke;
// avoid having two import paths to the same types.
pub(crate) mod signer;
pub use crate::rand::GetRandomFailed;
pub use crate::suites::CipherSuiteCommon;
pub use crate::msgs::handshake::KeyExchangeAlgorithm;
pub use crate::rand::GetRandomFailed;
pub use crate::suites::CipherSuiteCommon;
/// Controls core cryptography used by rustls.
///
@ -552,9 +546,10 @@ pub fn default_fips_provider() -> CryptoProvider {
#[cfg(test)]
mod tests {
use super::SharedSecret;
use std::vec;
use super::SharedSecret;
#[test]
fn test_shared_secret_strip_leading_zeros() {
let test_cases = [

4
rustls/src/crypto/ring/hash.rs
View File

@ -1,11 +1,11 @@
#![allow(clippy::duplicate_mod)]
use alloc::boxed::Box;
use super::ring_like::digest;
use crate::crypto;
use crate::msgs::enums::HashAlgorithm;
use alloc::boxed::Box;
pub(crate) static SHA256: Hash = Hash(&digest::SHA256, HashAlgorithm::SHA256);
pub(crate) static SHA384: Hash = Hash(&digest::SHA384, HashAlgorithm::SHA384);

4
rustls/src/crypto/ring/hmac.rs
View File

@ -1,10 +1,10 @@
#![allow(clippy::duplicate_mod)]
use alloc::boxed::Box;
use super::ring_like;
use crate::crypto;
use alloc::boxed::Box;
#[cfg(feature = "tls12")]
pub(crate) static HMAC_SHA256: Hmac = Hmac(&ring_like::hmac::HMAC_SHA256);
#[cfg(feature = "tls12")]

11
rustls/src/crypto/ring/kx.rs
View File

@ -1,16 +1,15 @@
#![allow(clippy::duplicate_mod)]
use alloc::boxed::Box;
use core::fmt;
use super::ring_like::agreement;
use super::ring_like::rand::SystemRandom;
use crate::crypto::{ActiveKeyExchange, SharedSecret, SupportedKxGroup};
use crate::error::{Error, PeerMisbehaved};
use crate::msgs::enums::NamedGroup;
use crate::rand::GetRandomFailed;
use super::ring_like::agreement;
use super::ring_like::rand::SystemRandom;
use alloc::boxed::Box;
use core::fmt;
/// A key-exchange group supported by *ring*.
///
/// All possible instances of this class are provided by the library in

17
rustls/src/crypto/ring/mod.rs
View File

@ -1,3 +1,9 @@
use alloc::sync::Arc;
use pki_types::PrivateKeyDer;
pub(crate) use ring as ring_like;
use webpki::ring as webpki_algs;
use crate::crypto::{CryptoProvider, KeyProvider, SecureRandom};
use crate::enums::SignatureScheme;
use crate::rand::GetRandomFailed;
@ -6,13 +12,6 @@ use crate::suites::SupportedCipherSuite;
use crate::webpki::WebPkiSupportedAlgorithms;
use crate::Error;
use pki_types::PrivateKeyDer;
use webpki::ring as webpki_algs;
use alloc::sync::Arc;
pub(crate) use ring as ring_like;
/// Using software keys for authentication.
pub mod sign;
@ -167,9 +166,7 @@ static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms
///
/// [`ALL_KX_GROUPS`] is provided as an array of all of these values.
pub mod kx_group {
pub use super::kx::SECP256R1;
pub use super::kx::SECP384R1;
pub use super::kx::X25519;
pub use super::kx::{SECP256R1, SECP384R1, X25519};
}
pub use kx::ALL_KX_GROUPS;

7
rustls/src/crypto/ring/quic.rs
View File

@ -1,12 +1,11 @@
#![allow(clippy::duplicate_mod)]
use crate::crypto::cipher::{AeadKey, Iv, Nonce};
use crate::error::Error;
use crate::quic;
use alloc::boxed::Box;
use super::ring_like::aead;
use crate::crypto::cipher::{AeadKey, Iv, Nonce};
use crate::error::Error;
use crate::quic;
pub(crate) struct HeaderProtectionKey(aead::quic::HeaderProtectionKey);

29
rustls/src/crypto/ring/sign.rs
View File

@ -1,22 +1,21 @@
#![allow(clippy::duplicate_mod)]
use crate::enums::{SignatureAlgorithm, SignatureScheme};
use crate::error::Error;
use crate::sign::{Signer, SigningKey};
use crate::x509::{asn1_wrap, wrap_in_sequence};
use alloc::boxed::Box;
use alloc::string::ToString;
use alloc::sync::Arc;
use alloc::vec::Vec;
use alloc::{format, vec};
use core::fmt::{self, Debug, Formatter};
use pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer};
use super::ring_like::io::der;
use super::ring_like::rand::{SecureRandom, SystemRandom};
use super::ring_like::signature::{self, EcdsaKeyPair, Ed25519KeyPair, RsaKeyPair};
use pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer};
use alloc::boxed::Box;
use alloc::format;
use alloc::string::ToString;
use alloc::sync::Arc;
use alloc::vec;
use alloc::vec::Vec;
use core::fmt::{self, Debug, Formatter};
use crate::enums::{SignatureAlgorithm, SignatureScheme};
use crate::error::Error;
use crate::sign::{Signer, SigningKey};
use crate::x509::{asn1_wrap, wrap_in_sequence};
/// Parse `der` as any supported key encoding/type, returning
/// the first which works.
@ -408,10 +407,12 @@ impl Debug for Ed25519Signer {
#[cfg(test)]
mod tests {
use super::*;
use alloc::format;
use pki_types::{PrivatePkcs1KeyDer, PrivateSec1KeyDer};
use super::*;
#[test]
fn can_load_ecdsa_nistp256_pkcs8() {
let key =

23
rustls/src/crypto/ring/ticketer.rs
View File

@ -1,19 +1,18 @@
#![allow(clippy::duplicate_mod)]
use crate::error::Error;
use crate::rand::GetRandomFailed;
use crate::server::ProducesTickets;
use super::ring_like::aead;
use super::ring_like::rand::{SecureRandom, SystemRandom};
use super::TICKETER_AEAD;
use alloc::boxed::Box;
use alloc::sync::Arc;
use alloc::vec::Vec;
use core::fmt;
use core::fmt::{Debug, Formatter};
use super::ring_like::aead;
use super::ring_like::rand::{SecureRandom, SystemRandom};
use super::TICKETER_AEAD;
use crate::error::Error;
use crate::rand::GetRandomFailed;
use crate::server::ProducesTickets;
/// A concrete, safe ticket creation mechanism.
pub struct Ticketer {}
@ -121,11 +120,12 @@ impl Debug for AeadTicketer {
#[cfg(test)]
mod tests {
use super::*;
use core::time::Duration;
use pki_types::UnixTime;
use super::*;
#[test]
fn basic_pairwise_test() {
let t = Ticketer::new().unwrap();
@ -198,9 +198,10 @@ mod tests {
#[test]
fn aeadticketer_is_debug_and_producestickets() {
use super::*;
use alloc::format;
use super::*;
let t = make_ticket_generator().unwrap();
let expect = format!("AeadTicketer {{ alg: {TICKETER_AEAD:?}, lifetime: 43200 }}");

7
rustls/src/crypto/ring/tls12.rs
View File

@ -1,3 +1,6 @@
use alloc::boxed::Box;
use super::ring_like::aead;
use crate::crypto::cipher::{
make_tls12_aad, AeadKey, InboundOpaqueMessage, Iv, KeyBlockShape, MessageDecrypter,
MessageEncrypter, Nonce, Tls12AeadAlgorithm, UnsupportedOperationError, NONCE_LEN,
@ -13,10 +16,6 @@ use crate::msgs::message::{
use crate::suites::{CipherSuiteCommon, ConnectionTrafficSecrets, SupportedCipherSuite};
use crate::tls12::Tls12CipherSuite;
use alloc::boxed::Box;
use super::ring_like::aead;
/// The TLS1.2 ciphersuite TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256.
pub static TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
SupportedCipherSuite::Tls12(&Tls12CipherSuite {

5
rustls/src/crypto/ring/tls13.rs
View File

@ -1,5 +1,7 @@
use alloc::boxed::Box;
use super::ring_like::hkdf::KeyType;
use super::ring_like::{aead, hkdf, hmac};
use crate::crypto;
use crate::crypto::cipher::{
make_tls13_aad, AeadKey, InboundOpaqueMessage, Iv, MessageDecrypter, MessageEncrypter, Nonce,
@ -14,9 +16,6 @@ use crate::msgs::message::{
use crate::suites::{CipherSuiteCommon, ConnectionTrafficSecrets, SupportedCipherSuite};
use crate::tls13::Tls13CipherSuite;
use super::ring_like::hkdf::KeyType;
use super::ring_like::{aead, hkdf, hmac};
/// The TLS1.3 ciphersuite TLS_CHACHA20_POLY1305_SHA256
pub static TLS13_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
SupportedCipherSuite::Tls13(TLS13_CHACHA20_POLY1305_SHA256_INTERNAL);

10
rustls/src/crypto/signer.rs
View File

@ -1,13 +1,13 @@
use crate::enums::{SignatureAlgorithm, SignatureScheme};
use crate::error::Error;
use pki_types::CertificateDer;
use alloc::boxed::Box;
use alloc::sync::Arc;
use alloc::vec::Vec;
use core::fmt::Debug;
use pki_types::CertificateDer;
use crate::enums::{SignatureAlgorithm, SignatureScheme};
use crate::error::Error;
/// An abstract signing key.
///
/// This interface is used by rustls to use a private signing key

7
rustls/src/crypto/tls12.rs
View File

@ -1,10 +1,9 @@
use super::hmac;
use super::ActiveKeyExchange;
use alloc::boxed::Box;
use super::{hmac, ActiveKeyExchange};
use crate::error::Error;
use crate::version::TLS12;
use alloc::boxed::Box;
/// Implements [`Prf`] using a [`hmac::Hmac`].
pub struct PrfUsingHmac<'a>(pub &'a dyn hmac::Hmac);

13
rustls/src/crypto/tls13.rs
View File

@ -1,11 +1,11 @@
use super::hmac;
use super::ActiveKeyExchange;
use alloc::boxed::Box;
use zeroize::Zeroize;
use super::{hmac, ActiveKeyExchange};
use crate::error::Error;
use crate::version::TLS13;
use alloc::boxed::Box;
use zeroize::Zeroize;
/// Implementation of `HkdfExpander` via `hmac::Key`.
pub struct HkdfExpanderUsingHmac(Box<dyn hmac::Key>);
@ -247,11 +247,12 @@ pub struct OutputLengthError;
#[cfg(all(test, feature = "ring"))]
mod tests {
use std::prelude::v1::*;
use super::{expand, Hkdf, HkdfUsingHmac};
// nb: crypto::aws_lc_rs provider doesn't provide (or need) hmac,
// so cannot be used for this test.
use crate::crypto::ring::hmac;
use std::prelude::v1::*;
struct ByteArray<const N: usize>([u8; N]);

14
rustls/src/error.rs
View File

@ -1,7 +1,3 @@
use crate::enums::{AlertDescription, ContentType, HandshakeType};
use crate::msgs::handshake::KeyExchangeAlgorithm;
use crate::rand;
use alloc::format;
use alloc::string::String;
use alloc::vec::Vec;
@ -9,6 +5,10 @@ use core::fmt;
#[cfg(feature = "std")]
use std::time::SystemTimeError;
use crate::enums::{AlertDescription, ContentType, HandshakeType};
use crate::msgs::handshake::KeyExchangeAlgorithm;
use crate::rand;
/// rustls reports protocol errors using this type.
#[non_exhaustive]
#[derive(Debug, PartialEq, Clone)]
@ -600,12 +600,12 @@ pub use other_error::OtherError;
#[cfg(test)]
mod tests {
use super::{Error, InvalidMessage};
use crate::error::CertRevocationListError;
use crate::error::OtherError;
use std::prelude::v1::*;
use std::{println, vec};
use super::{Error, InvalidMessage};
use crate::error::{CertRevocationListError, OtherError};
#[test]
fn certificate_error_equality() {
use super::CertificateError::*;

8
rustls/src/hash_hs.rs
View File

@ -1,13 +1,13 @@
use alloc::boxed::Box;
use alloc::vec::Vec;
use core::mem;
use crate::crypto::hash;
use crate::msgs::codec::Codec;
use crate::msgs::enums::HashAlgorithm;
use crate::msgs::handshake::HandshakeMessagePayload;
use crate::msgs::message::{Message, MessagePayload};
use alloc::boxed::Box;
use alloc::vec::Vec;
use core::mem;
/// Early stage buffering of handshake payloads.
///
/// Before we know the hash algorithm to use to verify the handshake, we just buffer the messages.

17
rustls/src/key_log_file.rs
View File

@ -1,16 +1,15 @@
use alloc::vec::Vec;
use core::fmt::{Debug, Formatter};
use std::ffi::OsString;
use std::fs::{File, OpenOptions};
use std::io::Write;
use std::sync::Mutex;
use std::{env, io};
#[cfg(feature = "logging")]
use crate::log::warn;
use crate::KeyLog;
use alloc::vec::Vec;
use core::fmt::{Debug, Formatter};
use std::env;
use std::ffi::OsString;
use std::fs::{File, OpenOptions};
use std::io;
use std::io::Write;
use std::sync::Mutex;
// Internal mutable state for KeyLogFile
struct KeyLogFileInner {
file: Option<File>,

24
rustls/src/lib.rs
View File

@ -360,13 +360,13 @@ extern crate std;
#[allow(unused_extern_crates)]
extern crate test;
#[cfg(doc)]
use crate::crypto::CryptoProvider;
// log for logging (optional).
#[cfg(feature = "logging")]
use log;
#[cfg(doc)]
use crate::crypto::CryptoProvider;
#[cfg(not(feature = "logging"))]
#[macro_use]
mod log {
@ -554,13 +554,11 @@ pub mod client {
pub use crate::verify::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
}
pub use crate::msgs::persist::{Tls12ClientSessionValue, Tls13ClientSessionValue};
pub use crate::webpki::{
verify_server_cert_signed_by_trust_anchor, verify_server_name, ServerCertVerifierBuilder,
VerifierBuilderError, WebPkiServerVerifier,
};
pub use crate::msgs::persist::Tls12ClientSessionValue;
pub use crate::msgs::persist::Tls13ClientSessionValue;
}
pub use client::ClientConfig;
@ -578,23 +576,23 @@ pub mod server {
mod tls12;
mod tls13;
pub use crate::verify::NoClientAuth;
pub use crate::webpki::{
ClientCertVerifierBuilder, ParsedCertificate, VerifierBuilderError, WebPkiClientVerifier,
};
pub use builder::WantsServerCert;
pub use handy::NoServerSessionStorage;
#[cfg(feature = "std")]
pub use handy::ResolvesServerCertUsingSni;
#[cfg(feature = "std")]
pub use handy::ServerSessionMemoryCache;
pub use server_conn::StoresServerSessions;
pub use server_conn::{
Accepted, ServerConfig, ServerConnectionData, UnbufferedServerConnection,
Accepted, ClientHello, ProducesTickets, ResolvesServerCert, ServerConfig,
ServerConnectionData, StoresServerSessions, UnbufferedServerConnection,
};
#[cfg(feature = "std")]
pub use server_conn::{AcceptedAlert, Acceptor, ReadEarlyData, ServerConnection};
pub use server_conn::{ClientHello, ProducesTickets, ResolvesServerCert};
pub use crate::verify::NoClientAuth;
pub use crate::webpki::{
ClientCertVerifierBuilder, ParsedCertificate, VerifierBuilderError, WebPkiClientVerifier,
};
/// Dangerous configuration that should be audited and used with extreme care.
pub mod danger {

4
rustls/src/msgs/alert.rs
View File

@ -1,10 +1,10 @@
use alloc::vec::Vec;
use crate::enums::AlertDescription;
use crate::error::InvalidMessage;
use crate::msgs::codec::{Codec, Reader};
use crate::msgs::enums::AlertLevel;
use alloc::vec::Vec;
#[derive(Debug)]
pub struct AlertMessagePayload {
pub level: AlertLevel,

8
rustls/src/msgs/base.rs
View File

@ -1,13 +1,13 @@
use crate::error::InvalidMessage;
use crate::msgs::codec;
use crate::msgs::codec::{Codec, Reader};
use alloc::vec::Vec;
use core::fmt;
use pki_types::CertificateDer;
use zeroize::Zeroize;
use crate::error::InvalidMessage;
use crate::msgs::codec;
use crate::msgs::codec::{Codec, Reader};
/// An externally length'd payload
#[derive(Clone, Eq, PartialEq)]
pub enum Payload<'a> {

10
rustls/src/msgs/codec.rs
View File

@ -1,7 +1,8 @@
use crate::error::InvalidMessage;
use alloc::vec::Vec;
use core::{fmt::Debug, mem};
use core::fmt::Debug;
use core::mem;
use crate::error::InvalidMessage;
/// Wrapper over a slice of bytes that allows reading chunks from
/// with the current position state held using a cursor.
@ -377,10 +378,11 @@ impl<'a> Drop for LengthPrefixedBuffer<'a> {
#[cfg(test)]
mod tests {
use super::*;
use std::prelude::v1::*;
use std::vec;
use super::*;
#[test]
fn interrupted_length_prefixed_buffer_leaves_maximum_length() {
let mut buf = Vec::new();

3
rustls/src/msgs/deframer.rs
View File

@ -712,11 +712,10 @@ mod tests {
use std::prelude::v1::*;
use std::vec;
use super::*;
use crate::crypto::cipher::PlainMessage;
use crate::msgs::message::Message;
use super::*;
#[test]
fn check_incremental() {
let mut d = BufferedDeframer::default();

3
rustls/src/msgs/enums.rs
View File

@ -349,9 +349,10 @@ pub(crate) mod tests {
//! These tests are intended to provide coverage and
//! check panic-safety of relatively unused values.
use super::*;
use std::prelude::v1::*;
use super::*;
#[test]
fn test_enums() {
test_enum8::<HashAlgorithm>(HashAlgorithm::NONE, HashAlgorithm::SHA512);

13
rustls/src/msgs/fragmenter.rs
View File

@ -1,5 +1,4 @@
use crate::enums::ContentType;
use crate::enums::ProtocolVersion;
use crate::enums::{ContentType, ProtocolVersion};
use crate::msgs::message::{OutboundChunks, OutboundPlainMessage, PlainMessage};
use crate::Error;
pub(crate) const MAX_FRAGMENT_LEN: usize = 16384;
@ -105,14 +104,14 @@ impl<'a> ExactSizeIterator for Chunker<'a> {
#[cfg(test)]
mod tests {
use super::{MessageFragmenter, PACKET_OVERHEAD};
use crate::enums::ContentType;
use crate::enums::ProtocolVersion;
use crate::msgs::base::Payload;
use crate::msgs::message::{OutboundChunks, OutboundPlainMessage, PlainMessage};
use std::prelude::v1::*;
use std::vec;
use super::{MessageFragmenter, PACKET_OVERHEAD};
use crate::enums::{ContentType, ProtocolVersion};
use crate::msgs::base::Payload;
use crate::msgs::message::{OutboundChunks, OutboundPlainMessage, PlainMessage};
fn msg_eq(
m: &OutboundPlainMessage,
total_len: usize,

20
rustls/src/msgs/handshake.rs
View File

@ -1,5 +1,15 @@
#![allow(non_camel_case_types)]
use alloc::collections::BTreeSet;
#[cfg(feature = "logging")]
use alloc::string::String;
use alloc::vec;
use alloc::vec::Vec;
use core::fmt;
use core::ops::Deref;
use pki_types::{CertificateDer, DnsName};
#[cfg(feature = "tls12")]
use crate::crypto::ActiveKeyExchange;
use crate::crypto::SecureRandom;
@ -20,16 +30,6 @@ use crate::rand;
use crate::verify::DigitallySignedStruct;
use crate::x509::wrap_in_sequence;
use pki_types::{CertificateDer, DnsName};
use alloc::collections::BTreeSet;
#[cfg(feature = "logging")]
use alloc::string::String;
use alloc::vec;
use alloc::vec::Vec;
use core::fmt;
use core::ops::Deref;
/// Create a newtype wrapper around a given type.
///
/// This is used to create newtypes for the various TLS message types which is used to wrap

13
rustls/src/msgs/handshake_test.rs
View File

@ -1,3 +1,9 @@
use std::prelude::v1::*;
use std::{format, println, vec};
use pki_types::{CertificateDer, DnsName};
use super::handshake::{ServerDhParams, ServerKeyExchange, ServerKeyExchangeParams};
use crate::enums::{CipherSuite, HandshakeType, ProtocolVersion, SignatureScheme};
use crate::msgs::base::{Payload, PayloadU16, PayloadU24, PayloadU8};
use crate::msgs::codec::{put_u16, Codec, Reader};
@ -18,13 +24,6 @@ use crate::msgs::handshake::{
};
use crate::verify::DigitallySignedStruct;
use pki_types::{CertificateDer, DnsName};
use super::handshake::{ServerDhParams, ServerKeyExchange, ServerKeyExchangeParams};
use std::prelude::v1::*;
use std::{format, println, vec};
#[test]
fn rejects_short_random() {
let bytes = [0x01; 31];

4
rustls/src/msgs/message/inbound.rs
View File

@ -1,3 +1,5 @@
use core::ops::{Deref, DerefMut};
use super::outbound::read_opaque_message_header;
use super::MessageError;
use crate::enums::{ContentType, ProtocolVersion};
@ -5,8 +7,6 @@ use crate::error::{Error, PeerMisbehaved};
use crate::msgs::codec::ReaderMut;
use crate::msgs::fragmenter::MAX_FRAGMENT_LEN;
use core::ops::{Deref, DerefMut};
/// A TLS frame, named TLSPlaintext in the standard.
///
/// This inbound type borrows its encrypted payload from a `[MessageDeframer]`.

4
rustls/src/msgs/message/mod.rs
View File

@ -11,10 +11,10 @@ mod inbound;
pub use inbound::{BorrowedPayload, InboundOpaqueMessage, InboundPlainMessage};
mod outbound;
pub use outbound::{OutboundChunks, OutboundOpaqueMessage, OutboundPlainMessage, PrefixedPayload};
use alloc::vec::Vec;
pub use outbound::{OutboundChunks, OutboundOpaqueMessage, OutboundPlainMessage, PrefixedPayload};
#[derive(Debug)]
pub enum MessagePayload<'a> {
Alert(AlertMessagePayload),

4
rustls/src/msgs/message/outbound.rs
View File

@ -1,11 +1,11 @@
use alloc::vec::Vec;
use super::{MessageError, PlainMessage, HEADER_SIZE, MAX_PAYLOAD};
use crate::enums::{ContentType, ProtocolVersion};
use crate::internal::record_layer::RecordLayer;
use crate::msgs::base::Payload;
use crate::msgs::codec::{Codec, Reader};
use alloc::vec::Vec;
/// A TLS frame, named `TLSPlaintext` in the standard.
///
/// This outbound type borrows its "to be encrypted" payload from the "user".

13
rustls/src/msgs/message_test.rs
View File

@ -1,15 +1,14 @@
use crate::enums::{AlertDescription, HandshakeType};
use crate::msgs::base::{PayloadU16, PayloadU24, PayloadU8};
use std::io::Read;
use std::path::{Path, PathBuf};
use std::prelude::v1::*;
use std::{format, fs, println, vec};
use super::base::Payload;
use super::codec::Reader;
use super::enums::AlertLevel;
use super::message::{Message, OutboundOpaqueMessage, PlainMessage};
use std::io::Read;
use std::path::{Path, PathBuf};
use std::prelude::v1::*;
use std::{format, fs, println, vec};
use crate::enums::{AlertDescription, HandshakeType};
use crate::msgs::base::{PayloadU16, PayloadU24, PayloadU8};
#[test]
fn test_read_fuzz_corpus() {

16
rustls/src/msgs/persist.rs
View File

@ -1,3 +1,11 @@
use alloc::vec::Vec;
use core::cmp;
#[cfg(feature = "tls12")]
use core::mem;
use pki_types::{DnsName, UnixTime};
use zeroize::Zeroizing;
use crate::enums::{CipherSuite, ProtocolVersion};
use crate::error::InvalidMessage;
use crate::msgs::base::{PayloadU16, PayloadU8};
@ -9,14 +17,6 @@ use crate::msgs::handshake::SessionId;
use crate::tls12::Tls12CipherSuite;
use crate::tls13::Tls13CipherSuite;
use pki_types::{DnsName, UnixTime};
use zeroize::Zeroizing;
use alloc::vec::Vec;
use core::cmp;
#[cfg(feature = "tls12")]
use core::mem;
pub(crate) struct Retrieved<T> {
pub(crate) value: T,
retrieved_at: UnixTime,

34
rustls/src/quic.rs
View File

@ -1,3 +1,9 @@
use alloc::boxed::Box;
use alloc::collections::VecDeque;
use alloc::vec::Vec;
#[cfg(feature = "std")]
use core::fmt::Debug;
/// This module contains optional APIs for implementing QUIC TLS.
use crate::common_state::Side;
use crate::crypto::cipher::{AeadKey, Iv};
@ -9,14 +15,17 @@ use crate::tls13::key_schedule::{
};
use crate::tls13::Tls13CipherSuite;
use alloc::boxed::Box;
use alloc::collections::VecDeque;
use alloc::vec::Vec;
#[cfg(feature = "std")]
use core::fmt::Debug;
#[cfg(feature = "std")]
mod connection {
use alloc::sync::Arc;
use alloc::vec;
use alloc::vec::Vec;
use core::fmt::{self, Debug};
use core::ops::{Deref, DerefMut};
use pki_types::ServerName;
use super::{DirectionalKeys, KeyChange, Version};
use crate::client::{ClientConfig, ClientConnectionData};
use crate::common_state::{CommonState, Protocol, DEFAULT_BUFFER_LIMIT};
use crate::conn::{ConnectionCore, SideData};
@ -27,16 +36,6 @@ mod connection {
use crate::server::{ServerConfig, ServerConnectionData};
use crate::vecbuf::ChunkVecBuffer;
use pki_types::ServerName;
use alloc::sync::Arc;
use alloc::vec;
use alloc::vec::Vec;
use core::fmt::{self, Debug};
use core::ops::{Deref, DerefMut};
use super::{DirectionalKeys, KeyChange, Version};
/// A QUIC client or server connection.
#[derive(Debug)]
pub enum Connection {
@ -966,9 +965,10 @@ impl Default for Version {
#[cfg(test)]
mod tests {
use std::prelude::v1::*;
use super::PacketKey;
use crate::quic::HeaderProtectionKey;
use std::prelude::v1::*;
#[test]
fn auto_traits() {

4
rustls/src/rand.rs
View File

@ -1,10 +1,10 @@
//! The single place where we generate random material for our own use.
use crate::crypto::SecureRandom;
use alloc::vec;
use alloc::vec::Vec;
use crate::crypto::SecureRandom;
/// Make a [`Vec<u8>`] of the given size containing random material.
pub(crate) fn random_vec(
secure_random: &dyn SecureRandom,

6
rustls/src/record_layer.rs
View File

@ -1,13 +1,11 @@
use alloc::boxed::Box;
use core::num::NonZeroU64;
use crate::crypto::cipher::{InboundOpaqueMessage, MessageDecrypter, MessageEncrypter};
use crate::error::Error;
use crate::msgs::message::{InboundPlainMessage, OutboundOpaqueMessage, OutboundPlainMessage};
#[cfg(feature = "logging")]
use crate::log::trace;
use alloc::boxed::Box;
use crate::msgs::message::{InboundPlainMessage, OutboundOpaqueMessage, OutboundPlainMessage};
static SEQ_SOFT_LIMIT: u64 = 0xffff_ffff_ffff_0000u64;
static SEQ_HARD_LIMIT: u64 = 0xffff_ffff_ffff_fffeu64;

18
rustls/src/server/builder.rs
View File

@ -1,19 +1,17 @@
use alloc::sync::Arc;
use alloc::vec::Vec;
use core::marker::PhantomData;
use pki_types::{CertificateDer, PrivateKeyDer};
use crate::builder::{ConfigBuilder, WantsVerifier};
use crate::crypto::CryptoProvider;
use crate::error::Error;
use crate::msgs::handshake::CertificateChain;
use crate::server::handy;
use crate::server::{ResolvesServerCert, ServerConfig};
use crate::server::{handy, ResolvesServerCert, ServerConfig};
use crate::time_provider::TimeProvider;
use crate::verify::{ClientCertVerifier, NoClientAuth};
use crate::versions;
use crate::NoKeyLog;
use pki_types::{CertificateDer, PrivateKeyDer};
use alloc::sync::Arc;
use alloc::vec::Vec;
use core::marker::PhantomData;
use crate::{versions, NoKeyLog};
impl ConfigBuilder<ServerConfig, WantsVerifier> {
/// Choose how to verify client certificates.

4
rustls/src/server/common.rs
View File

@ -1,7 +1,7 @@
use crate::sign;
use pki_types::CertificateDer;
use crate::sign;
/// ActiveCertifiedKey wraps [`sign::CertifiedKey`] and tracks OSCP state in a single handshake.
pub(super) struct ActiveCertifiedKey<'a> {
key: &'a sign::CertifiedKey,

38
rustls/src/server/handy.rs
View File

@ -1,12 +1,11 @@
use crate::msgs::handshake::CertificateChain;
use crate::server;
use crate::server::ClientHello;
use crate::sign;
use alloc::sync::Arc;
use alloc::vec::Vec;
use core::fmt::Debug;
use crate::msgs::handshake::CertificateChain;
use crate::server::ClientHello;
use crate::{server, sign};
/// Something which never stores sessions.
#[derive(Debug)]
pub struct NoServerSessionStorage {}
@ -28,14 +27,13 @@ impl server::StoresServerSessions for NoServerSessionStorage {
#[cfg(feature = "std")]
mod cache {
use crate::limited_cache;
use crate::server;
use alloc::sync::Arc;
use alloc::vec::Vec;
use core::fmt::{Debug, Formatter};
use std::sync::Mutex;
use crate::{limited_cache, server};
/// An implementer of `StoresServerSessions` that stores everything
/// in memory. If enforces a limit on the number of stored sessions
/// to bound memory usage.
@ -89,9 +87,10 @@ mod cache {
#[cfg(test)]
mod tests {
use std::vec;
use super::*;
use crate::server::StoresServerSessions;
use std::vec;
#[test]
fn test_serversessionmemorycache_accepts_put() {
@ -198,19 +197,18 @@ impl server::ResolvesServerCert for AlwaysResolvesChain {
#[cfg(feature = "std")]
mod sni_resolver {
use crate::error::Error;
use crate::server;
use crate::server::ClientHello;
use crate::sign;
use crate::webpki::{verify_server_name, ParsedCertificate};
use pki_types::{DnsName, ServerName};
use alloc::string::{String, ToString};
use alloc::sync::Arc;
use core::fmt::Debug;
use std::collections::HashMap;
use pki_types::{DnsName, ServerName};
use crate::error::Error;
use crate::server::ClientHello;
use crate::webpki::{verify_server_name, ParsedCertificate};
use crate::{server, sign};
/// Something that resolves do different cert chains/keys based
/// on client-supplied server name (via SNI).
#[derive(Debug)]
@ -302,11 +300,11 @@ pub use sni_resolver::ResolvesServerCertUsingSni;
#[cfg(test)]
mod tests {
use super::*;
use crate::server::ProducesTickets;
use crate::server::StoresServerSessions;
use std::vec;
use super::*;
use crate::server::{ProducesTickets, StoresServerSessions};
#[test]
fn test_noserversessionstorage_drops_put() {
let c = NoServerSessionStorage {};

33
rustls/src/server/hs.rs
View File

@ -1,3 +1,13 @@
use alloc::borrow::ToOwned;
use alloc::boxed::Box;
use alloc::sync::Arc;
use alloc::vec::Vec;
use pki_types::DnsName;
use super::server_conn::ServerConnectionData;
#[cfg(feature = "tls12")]
use super::tls12;
use crate::common_state::{Protocol, State};
use crate::conn::ConnectionRandoms;
use crate::crypto::SupportedKxGroup;
@ -12,26 +22,15 @@ use crate::log::{debug, trace};
use crate::msgs::enums::{Compression, ExtensionType, NamedGroup};
#[cfg(feature = "tls12")]
use crate::msgs::handshake::SessionId;
use crate::msgs::handshake::{ClientHelloPayload, KeyExchangeAlgorithm, Random, ServerExtension};
use crate::msgs::handshake::{ConvertProtocolNameList, ConvertServerNameList, HandshakePayload};
use crate::msgs::handshake::{
ClientHelloPayload, ConvertProtocolNameList, ConvertServerNameList, HandshakePayload,
KeyExchangeAlgorithm, Random, ServerExtension,
};
use crate::msgs::message::{Message, MessagePayload};
use crate::msgs::persist;
use crate::server::{ClientHello, ServerConfig};
use crate::suites;
use crate::SupportedCipherSuite;
use super::server_conn::ServerConnectionData;
#[cfg(feature = "tls12")]
use super::tls12;
use crate::server::common::ActiveCertifiedKey;
use crate::server::tls13;
use pki_types::DnsName;
use alloc::borrow::ToOwned;
use alloc::boxed::Box;
use alloc::sync::Arc;
use alloc::vec::Vec;
use crate::server::{tls13, ClientHello, ServerConfig};
use crate::{suites, SupportedCipherSuite};
pub(super) type NextState<'a> = Box<dyn State<ServerConnectionData> + 'a>;
pub(super) type NextStateOrError<'a> = Result<NextState<'a>, Error>;

53
rustls/src/server/server_conn.rs
View File

@ -1,8 +1,23 @@
use alloc::boxed::Box;
use alloc::sync::Arc;
use alloc::vec::Vec;
use core::fmt;
use core::fmt::{Debug, Formatter};
use core::marker::PhantomData;
use core::ops::{Deref, DerefMut};
#[cfg(feature = "std")]
use std::io;
use pki_types::{DnsName, UnixTime};
use super::hs;
use crate::builder::ConfigBuilder;
#[cfg(feature = "std")]
use crate::common_state::Protocol;
use crate::common_state::{CommonState, Side, State};
use crate::conn::{ConnectionCommon, ConnectionCore, UnbufferedConnectionCommon};
#[cfg(doc)]
use crate::crypto;
use crate::crypto::CryptoProvider;
use crate::enums::{CipherSuite, ProtocolVersion, SignatureScheme};
use crate::error::Error;
@ -15,29 +30,9 @@ use crate::msgs::message::Message;
use crate::time_provider::DefaultTimeProvider;
use crate::time_provider::TimeProvider;
use crate::vecbuf::ChunkVecBuffer;
use crate::verify;
use crate::versions;
use crate::KeyLog;
#[cfg(feature = "std")]
use crate::WantsVerifier;
use crate::{sign, WantsVersions};
use super::hs;
use pki_types::{DnsName, UnixTime};
use alloc::boxed::Box;
use alloc::sync::Arc;
use alloc::vec::Vec;
use core::fmt;
use core::fmt::{Debug, Formatter};
use core::marker::PhantomData;
use core::ops::{Deref, DerefMut};
#[cfg(feature = "std")]
use std::io;
#[cfg(doc)]
use crate::crypto;
use crate::{sign, verify, versions, KeyLog, WantsVersions};
/// A trait for the ability to store server session data.
///
@ -503,13 +498,6 @@ impl ServerConfig {
#[cfg(feature = "std")]
mod connection {
use crate::common_state::{CommonState, Context, Side};
use crate::conn::{ConnectionCommon, ConnectionCore};
use crate::error::Error;
use crate::server::hs;
use crate::suites::ExtractedSecrets;
use crate::vecbuf::ChunkVecBuffer;
use alloc::boxed::Box;
use alloc::sync::Arc;
use alloc::vec::Vec;
@ -519,6 +507,12 @@ mod connection {
use std::io;
use super::{Accepted, Accepting, EarlyDataState, ServerConfig, ServerConnectionData};
use crate::common_state::{CommonState, Context, Side};
use crate::conn::{ConnectionCommon, ConnectionCore};
use crate::error::Error;
use crate::server::hs;
use crate::suites::ExtractedSecrets;
use crate::vecbuf::ChunkVecBuffer;
/// Allows reading of early data in resumed TLS1.3 connections.
///
@ -1099,9 +1093,10 @@ impl crate::conn::SideData for ServerConnectionData {}
#[cfg(feature = "std")]
#[cfg(test)]
mod tests {
use super::*;
use std::format;
use super::*;
// these branches not reachable externally, unless something else goes wrong.
#[test]
fn test_read_in_new_state() {

51
rustls/src/server/tls12.rs
View File

@ -1,9 +1,22 @@
use alloc::borrow::ToOwned;
use alloc::boxed::Box;
use alloc::string::ToString;
use alloc::sync::Arc;
use alloc::vec;
use alloc::vec::Vec;
pub(super) use client_hello::CompleteClientHelloHandling;
use pki_types::UnixTime;
use subtle::ConstantTimeEq;
use super::common::ActiveCertifiedKey;
use super::hs::{self, ServerContext};
use super::server_conn::{ProducesTickets, ServerConfig, ServerConnectionData};
use crate::check::inappropriate_message;
use crate::common_state::{CommonState, Side, State};
use crate::conn::ConnectionRandoms;
use crate::crypto::ActiveKeyExchange;
use crate::enums::ProtocolVersion;
use crate::enums::{AlertDescription, ContentType, HandshakeType};
use crate::enums::{AlertDescription, ContentType, HandshakeType, ProtocolVersion};
use crate::error::{Error, PeerIncompatible, PeerMisbehaved};
use crate::hash_hs::HandshakeHash;
#[cfg(feature = "logging")]
@ -13,47 +26,29 @@ use crate::msgs::ccs::ChangeCipherSpecPayload;
use crate::msgs::codec::Codec;
use crate::msgs::handshake::{
CertificateChain, ClientKeyExchangeParams, HandshakeMessagePayload, HandshakePayload,
NewSessionTicketPayload, SessionId,
};
use crate::msgs::handshake::{NewSessionTicketPayload, SessionId};
use crate::msgs::message::{Message, MessagePayload};
use crate::msgs::persist;
use crate::suites::PartiallyExtractedSecrets;
use crate::tls12::{self, ConnectionSecrets, Tls12CipherSuite};
use crate::verify;
use super::common::ActiveCertifiedKey;
use super::hs::{self, ServerContext};
use super::server_conn::{ProducesTickets, ServerConfig, ServerConnectionData};
use pki_types::UnixTime;
use subtle::ConstantTimeEq;
use alloc::borrow::ToOwned;
use alloc::boxed::Box;
use alloc::string::ToString;
use alloc::sync::Arc;
use alloc::vec;
use alloc::vec::Vec;
pub(super) use client_hello::CompleteClientHelloHandling;
mod client_hello {
use pki_types::CertificateDer;
use super::*;
use crate::crypto::SupportedKxGroup;
use crate::enums::SignatureScheme;
use crate::msgs::enums::ECPointFormat;
use crate::msgs::enums::{ClientCertificateType, Compression};
use crate::msgs::handshake::CertificateStatus;
use crate::msgs::handshake::{CertificateRequestPayload, ClientSessionTicket, Random};
use crate::msgs::handshake::{ClientExtension, ClientHelloPayload, ServerHelloPayload};
use crate::msgs::handshake::{ServerExtension, ServerKeyExchangePayload};
use crate::msgs::handshake::{ServerKeyExchange, ServerKeyExchangeParams};
use crate::msgs::enums::{ClientCertificateType, Compression, ECPointFormat};
use crate::msgs::handshake::{
CertificateRequestPayload, CertificateStatus, ClientExtension, ClientHelloPayload,
ClientSessionTicket, Random, ServerExtension, ServerHelloPayload, ServerKeyExchange,
ServerKeyExchangeParams, ServerKeyExchangePayload,
};
use crate::sign;
use crate::verify::DigitallySignedStruct;
use super::*;
pub(in crate::server) struct CompleteClientHelloHandling {
pub(in crate::server) config: Arc<ServerConfig>,
pub(in crate::server) transcript: HandshakeHash,

83
rustls/src/server/tls13.rs
View File

@ -1,66 +1,51 @@
use crate::check::inappropriate_handshake_message;
use crate::check::inappropriate_message;
use crate::common_state::Protocol;
use crate::common_state::{CommonState, Side, State};
use crate::conn::ConnectionRandoms;
use crate::enums::ProtocolVersion;
use crate::enums::{AlertDescription, ContentType, HandshakeType};
use crate::error::{Error, PeerIncompatible, PeerMisbehaved};
use crate::hash_hs::HandshakeHash;
#[cfg(feature = "logging")]
use crate::log::{debug, trace, warn};
use crate::msgs::codec::Codec;
use crate::msgs::enums::KeyUpdateRequest;
use crate::msgs::handshake::CertificateChain;
use crate::msgs::handshake::HandshakeMessagePayload;
use crate::msgs::handshake::HandshakePayload;
use crate::msgs::handshake::{NewSessionTicketExtension, NewSessionTicketPayloadTls13};
use crate::msgs::message::{Message, MessagePayload};
use crate::msgs::persist;
use crate::rand;
use crate::server::ServerConfig;
use crate::suites::PartiallyExtractedSecrets;
use crate::tls13::construct_client_verify_message;
use crate::tls13::construct_server_verify_message;
use crate::tls13::key_schedule::{KeyScheduleTraffic, KeyScheduleTrafficWithClientFinishedPending};
use crate::tls13::Tls13CipherSuite;
use crate::verify;
use super::hs::{self, HandshakeHashOrBuffer, ServerContext};
use super::server_conn::ServerConnectionData;
use alloc::borrow::ToOwned;
use alloc::boxed::Box;
use alloc::sync::Arc;
use alloc::vec;
use alloc::vec::Vec;
pub(super) use client_hello::CompleteClientHelloHandling;
use pki_types::{CertificateDer, UnixTime};
use subtle::ConstantTimeEq;
pub(super) use client_hello::CompleteClientHelloHandling;
use super::hs::{self, HandshakeHashOrBuffer, ServerContext};
use super::server_conn::ServerConnectionData;
use crate::check::{inappropriate_handshake_message, inappropriate_message};
use crate::common_state::{CommonState, Protocol, Side, State};
use crate::conn::ConnectionRandoms;
use crate::enums::{AlertDescription, ContentType, HandshakeType, ProtocolVersion};
use crate::error::{Error, PeerIncompatible, PeerMisbehaved};
use crate::hash_hs::HandshakeHash;
#[cfg(feature = "logging")]
use crate::log::{debug, trace, warn};
use crate::msgs::codec::Codec;
use crate::msgs::enums::KeyUpdateRequest;
use crate::msgs::handshake::{
CertificateChain, HandshakeMessagePayload, HandshakePayload, NewSessionTicketExtension,
NewSessionTicketPayloadTls13,
};
use crate::msgs::message::{Message, MessagePayload};
use crate::msgs::persist;
use crate::server::ServerConfig;
use crate::suites::PartiallyExtractedSecrets;
use crate::tls13::key_schedule::{KeyScheduleTraffic, KeyScheduleTrafficWithClientFinishedPending};
use crate::tls13::{
construct_client_verify_message, construct_server_verify_message, Tls13CipherSuite,
};
use crate::{rand, verify};
mod client_hello {
use super::*;
use crate::crypto::SupportedKxGroup;
use crate::enums::SignatureScheme;
use crate::msgs::base::{Payload, PayloadU8};
use crate::msgs::ccs::ChangeCipherSpecPayload;
use crate::msgs::enums::NamedGroup;
use crate::msgs::enums::{Compression, PSKKeyExchangeMode};
use crate::msgs::handshake::CertReqExtension;
use crate::msgs::handshake::CertificateEntry;
use crate::msgs::handshake::CertificateExtension;
use crate::msgs::handshake::CertificatePayloadTls13;
use crate::msgs::handshake::CertificateRequestPayloadTls13;
use crate::msgs::handshake::CertificateStatus;
use crate::msgs::handshake::ClientHelloPayload;
use crate::msgs::handshake::HelloRetryExtension;
use crate::msgs::handshake::HelloRetryRequest;
use crate::msgs::handshake::KeyShareEntry;
use crate::msgs::handshake::Random;
use crate::msgs::handshake::ServerExtension;
use crate::msgs::handshake::ServerHelloPayload;
use crate::msgs::handshake::SessionId;
use crate::msgs::enums::{Compression, NamedGroup, PSKKeyExchangeMode};
use crate::msgs::handshake::{
CertReqExtension, CertificateEntry, CertificateExtension, CertificatePayloadTls13,
CertificateRequestPayloadTls13, CertificateStatus, ClientHelloPayload, HelloRetryExtension,
HelloRetryRequest, KeyShareEntry, Random, ServerExtension, ServerHelloPayload, SessionId,
};
use crate::server::common::ActiveCertifiedKey;
use crate::sign;
use crate::tls13::key_schedule::{
@ -68,8 +53,6 @@ mod client_hello {
};
use crate::verify::DigitallySignedStruct;
use super::*;
#[derive(PartialEq)]
pub(super) enum EarlyDataDecision {
Disabled,

7
rustls/src/stream.rs
View File

@ -1,8 +1,8 @@
use crate::conn::{ConnectionCommon, SideData};
use core::ops::{Deref, DerefMut};
use std::io::{IoSlice, Read, Result, Write};
use crate::conn::{ConnectionCommon, SideData};
/// This type implements `io::Read` and `io::Write`, encapsulating
/// a Connection `C` and an underlying transport `T`, such as a socket.
///
@ -221,10 +221,11 @@ where
#[cfg(test)]
mod tests {
use std::net::TcpStream;
use super::{Stream, StreamOwned};
use crate::client::ClientConnection;
use crate::server::ServerConnection;
use std::net::TcpStream;
#[test]
fn stream_can_be_created_for_connection_and_tcpstream() {

4
rustls/src/suites.rs
View File

@ -1,3 +1,5 @@
use core::fmt;
use crate::common_state::Protocol;
use crate::crypto::cipher::{AeadKey, Iv};
use crate::crypto::{self, KeyExchangeAlgorithm};
@ -10,8 +12,6 @@ use crate::tls13::Tls13CipherSuite;
use crate::versions::TLS12;
use crate::versions::{SupportedProtocolVersion, TLS13};
use core::fmt;
/// Common state for cipher suites (both for TLS 1.2 and TLS 1.3)
pub struct CipherSuiteCommon {
/// The TLS enumeration naming this cipher suite.

11
rustls/src/ticketer.rs
View File

@ -1,14 +1,13 @@
use crate::rand;
use crate::server::ProducesTickets;
use crate::Error;
use pki_types::UnixTime;
use alloc::boxed::Box;
use alloc::vec::Vec;
use core::mem;
use std::sync::{Mutex, MutexGuard};
use pki_types::UnixTime;
use crate::server::ProducesTickets;
use crate::{rand, Error};
#[derive(Debug)]
pub(crate) struct TicketSwitcherState {
next: Option<Box<dyn ProducesTickets>>,

14
rustls/src/tls12/mod.rs
View File

@ -1,3 +1,10 @@
use alloc::boxed::Box;
use alloc::vec;
use alloc::vec::Vec;
use core::fmt;
use zeroize::Zeroize;
use crate::common_state::{CommonState, Side};
use crate::conn::ConnectionRandoms;
use crate::crypto;
@ -9,13 +16,6 @@ use crate::msgs::codec::{Codec, Reader};
use crate::msgs::handshake::{KeyExchangeAlgorithm, KxDecode};
use crate::suites::{CipherSuiteCommon, PartiallyExtractedSecrets, SupportedCipherSuite};
use alloc::boxed::Box;
use alloc::vec;
use alloc::vec::Vec;
use core::fmt;
use zeroize::Zeroize;
/// A TLS 1.2 cipher suite supported by rustls.
pub struct Tls12CipherSuite {
/// Common cipher suite fields.

9
rustls/src/tls13/key_schedule.rs
View File

@ -1,14 +1,13 @@
use alloc::boxed::Box;
use alloc::string::ToString;
use crate::common_state::{CommonState, Side};
use crate::crypto::cipher::{AeadKey, Iv, MessageDecrypter};
use crate::crypto::tls13::{expand, Hkdf, HkdfExpander, OkmBlock, OutputLengthError};
use crate::crypto::{hash, hmac, ActiveKeyExchange};
use crate::error::Error;
use crate::quic;
use crate::suites::PartiallyExtractedSecrets;
use crate::{KeyLog, Tls13CipherSuite};
use alloc::boxed::Box;
use alloc::string::ToString;
use crate::{quic, KeyLog, Tls13CipherSuite};
/// Key schedule maintenance for TLS1.3

6
rustls/src/tls13/mod.rs
View File

@ -1,10 +1,10 @@
use alloc::vec::Vec;
use core::fmt;
use crate::crypto;
use crate::crypto::hash;
use crate::suites::{CipherSuiteCommon, SupportedCipherSuite};
use alloc::vec::Vec;
use core::fmt;
pub(crate) mod key_schedule;
/// A TLS 1.3 cipher suite supported by rustls.

6
rustls/src/verifybench.rs
View File

@ -6,13 +6,13 @@
use core::time::Duration;
use std::prelude::v1::*;
use pki_types::{CertificateDer, ServerName, UnixTime};
use webpki_roots;
use crate::crypto::CryptoProvider;
use crate::verify::ServerCertVerifier;
use crate::webpki::{RootCertStore, WebPkiServerVerifier};
use pki_types::{CertificateDer, ServerName, UnixTime};
use webpki_roots;
bench_for_each_provider! {
use super::Context;

1
rustls/src/webpki/anchors.rs
View File

@ -128,6 +128,7 @@ impl fmt::Debug for RootCertStore {
#[test]
fn root_cert_store_debug() {
use core::iter;
use pki_types::Der;
let ta = TrustAnchor {

11
rustls/src/webpki/client_verifier.rs
View File

@ -5,21 +5,20 @@ use pki_types::{CertificateDer, CertificateRevocationListDer, UnixTime};
use webpki::{CertRevocationList, RevocationCheckDepth, UnknownStatusPolicy};
use super::{pki_error, VerifierBuilderError};
#[cfg(doc)]
use crate::crypto;
use crate::crypto::{CryptoProvider, WebPkiSupportedAlgorithms};
#[cfg(doc)]
use crate::server::ServerConfig;
use crate::verify::{
ClientCertVerified, ClientCertVerifier, DigitallySignedStruct, HandshakeSignatureValid,
NoClientAuth,
};
use crate::webpki::parse_crls;
use crate::webpki::verify::{verify_tls12_signature, verify_tls13_signature, ParsedCertificate};
use crate::{DistinguishedName, Error, RootCertStore, SignatureScheme};
#[cfg(doc)]
use crate::crypto;
#[cfg(doc)]
use crate::server::ServerConfig;
#[cfg(doc)]
use crate::ConfigBuilder;
use crate::{DistinguishedName, Error, RootCertStore, SignatureScheme};
/// A builder for configuring a `webpki` client certificate verifier.
///

8
rustls/src/webpki/mod.rs
View File

@ -14,17 +14,14 @@ mod server_verifier;
mod verify;
pub use anchors::RootCertStore;
pub use client_verifier::{ClientCertVerifierBuilder, WebPkiClientVerifier};
pub use server_verifier::{ServerCertVerifierBuilder, WebPkiServerVerifier};
pub use verify::{verify_tls12_signature, verify_tls13_signature, WebPkiSupportedAlgorithms};
// Conditionally exported from crate.
#[allow(unreachable_pub)]
pub use verify::{
verify_server_cert_signed_by_trust_anchor, verify_server_name, ParsedCertificate,
};
pub use verify::{verify_tls12_signature, verify_tls13_signature, WebPkiSupportedAlgorithms};
/// An error that can occur when building a certificate verifier.
#[derive(Debug, Clone)]
@ -150,7 +147,8 @@ mod tests {
#[test]
fn crl_error_from_webpki() {
use super::{crl_error, CertRevocationListError::*};
use super::crl_error;
use super::CertRevocationListError::*;
let testcases = &[
(webpki::Error::InvalidCrlSignatureForPublicKey, BadSignature),

7
rustls/src/webpki/server_verifier.rs
View File

@ -1,5 +1,3 @@
#[cfg(feature = "logging")]
use crate::log::trace;
use alloc::sync::Arc;
use alloc::vec::Vec;
@ -7,6 +5,8 @@ use pki_types::{CertificateDer, CertificateRevocationListDer, ServerName, UnixTi
use webpki::{CertRevocationList, RevocationCheckDepth, UnknownStatusPolicy};
use crate::crypto::{CryptoProvider, WebPkiSupportedAlgorithms};
#[cfg(feature = "logging")]
use crate::log::trace;
use crate::verify::{
DigitallySignedStruct, HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier,
};
@ -15,10 +15,9 @@ use crate::webpki::verify::{
ParsedCertificate,
};
use crate::webpki::{parse_crls, verify_server_name, VerifierBuilderError};
use crate::{Error, RootCertStore, SignatureScheme};
#[cfg(doc)]
use crate::{crypto, ConfigBuilder, ServerConfig};
use crate::{Error, RootCertStore, SignatureScheme};
/// A builder for configuring a `webpki` server certificate verifier.
///

4
rustls/src/webpki/verify.rs
View File

@ -7,7 +7,6 @@ use super::anchors::RootCertStore;
use super::pki_error;
use crate::enums::SignatureScheme;
use crate::error::{Error, PeerMisbehaved};
use crate::verify::{DigitallySignedStruct, HandshakeSignatureValid};
/// Verify that the end-entity certificate `end_entity` is a valid server cert
@ -228,9 +227,10 @@ pub(crate) fn verify_server_cert_signed_by_trust_anchor_impl(
#[cfg(test)]
mod tests {
use super::*;
use std::format;
use super::*;
#[test]
fn certificate_debug() {
assert_eq!(

3
rustls/src/x509.rs
View File

@ -42,9 +42,10 @@ const DER_SEQUENCE_TAG: u8 = 0x30;
#[cfg(test)]
mod tests {
use super::*;
use std::vec;
use super::*;
#[test]
fn test_empty() {
assert_eq!(vec![0x30, 0x00], wrap_in_sequence(&[]));

13
rustls/tests/common/mod.rs
View File

@ -6,19 +6,16 @@ use std::ops::{Deref, DerefMut};
use std::sync::Arc;
use pki_types::{CertificateDer, CertificateRevocationListDer, PrivateKeyDer, ServerName};
use webpki::anchor_from_trusted_cert;
use rustls::client::{ServerCertVerifierBuilder, WebPkiServerVerifier};
use rustls::crypto::CryptoProvider;
use rustls::internal::msgs::codec::Reader;
use rustls::internal::msgs::message::{Message, OutboundOpaqueMessage, PlainMessage};
use rustls::server::{ClientCertVerifierBuilder, WebPkiClientVerifier};
use rustls::Connection;
use rustls::Error;
use rustls::RootCertStore;
use rustls::{ClientConfig, ClientConnection};
use rustls::{ConnectionCommon, ServerConfig, ServerConnection, SideData};
use rustls::{ProtocolVersion, SupportedCipherSuite};
use rustls::{
ClientConfig, ClientConnection, Connection, ConnectionCommon, Error, ProtocolVersion,
RootCertStore, ServerConfig, ServerConnection, SideData, SupportedCipherSuite,
};
use webpki::anchor_from_trusted_cert;
use super::provider;

1
rustls/tests/ech.rs
View File

@ -1,6 +1,5 @@
use base64::prelude::{Engine, BASE64_STANDARD};
use pki_types::DnsName;
use rustls::internal::msgs::codec::{Codec, Reader};
use rustls::internal::msgs::enums::{EchVersion, HpkeAead, HpkeKdf, HpkeKem};
use rustls::internal::msgs::handshake::{EchConfig, HpkeKeyConfig, HpkeSymmetricCipherSuite};

6
rustls/tests/key_log_file_env.rs
View File

@ -21,10 +21,8 @@
//! file was created successfully, with the right permissions, etc., and that it
//! contains something like what we expect.
use std::{
env,
sync::{Mutex, Once},
};
use std::env;
use std::sync::{Mutex, Once};
#[macro_use]
mod macros;

5
rustls/tests/process_provider.rs
View File

@ -4,15 +4,14 @@
//! executable, and runs tests in an indeterminate order. That restricts us
//! to doing all the desired tests, in series, in one function.
use rustls::crypto::CryptoProvider;
use rustls::ClientConfig;
#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
use rustls::crypto::aws_lc_rs as provider;
#[cfg(all(feature = "ring", not(feature = "aws_lc_rs")))]
use rustls::crypto::ring as provider;
#[cfg(all(feature = "ring", feature = "aws_lc_rs"))]
use rustls::crypto::ring as provider;
use rustls::crypto::CryptoProvider;
use rustls::ClientConfig;
mod common;
use crate::common::*;