Provide shims for a limited number of places where ring 0.17 and
aws-lc-rs (ring 0.16-era) APIs have diverged. This is a
short-term fix, as they are likely to diverge more over time.
Eventually we'll have to stop sharing the code like this.
For unit-like tests, export a `test_provider` alias that resolves
to a provider module, for use in these tests.
This resolves to:
- *ring* if cfg(feature = "ring"), else
- aws-lc-rs if cfg(feature = "aws_lc_rs"), else
- is absent
Add Bug report, Feature request, and Dependency update issue templates to help prompt users into providing the information that will get them the best help.
As of cargo-check-external-types v0.1.9 the tool can read its
configuration from the crate `Cargo.toml` metadata, removing the need
for a standalone TOML file and the `--config` arg. This commit switches
to that style of configuration.
This needs nightly, which is affixed as the version documented as working by
cargo-check-external-types.
external-types.toml is a config file as a starting point: it allows all types from
pki-types.
This currently fails due to some `impl From<ExternalType>` on public types.
Running `cargo hack check --locked --feature-powerset` seems to be
failing, as it detects that the lockfile needs to be updated. Updating
the lockfile and re-running causes the same error. It looks as though
it is removing items from the lockfile based on which features it's
testing.
To prevent this test from failing, let's remove `--locked` and test the
feature powerset with relaxed handling of the `Cargo.lock` file.
Now that we're checking in `Cargo.lock` files we'll be getting more
Dependabot PRs for semver compatible Cargo dependency updates. This
commit switches the tool to run weekly instead of daily so that we don't
have to spend as much time triaging these on a day-by-day basis.
This is an example that builds a mostly-unchanged rustls example
(simpleclient), but only using crypto from the rust-crypto project
and elsewhere.
This is intended to be minimalistic, and not a complete replacement
for *ring*.
It implements:
- TLS1.3 TLS13_CHACHA20_POLY1305_SHA256 cipher suite.
- TLS1.2 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cipher suite.
- X25519 key exchange.
- RSA-PSS-SHA256 and RSA-PKCS1-SHA256 signature verification for
verifying the server, integrated into the webpki crate.
- random generation using `rand_core`.
This means it can fetch www.rust-lang.org.
TLS1.2 is not strictly necessary for this server, but serves to
demonstrate that part of the API.
Test the feature powerset of the crate using `cargo hack`. The runtime
of this is too large to use as part of the regular CI flow but it is
helpful for catching feature interaction breakages.
This better separates the connection tests from the example binary smoke
tests. In a subsequent commit we will add another job for running `cargo
hack`.
We are gradually adding other CI tasks here that aren't appropriate for
the main CI runs. Since it's no longer dedicated to just running the
connection tests we need a more representative name.
Since v4 of the `actions/setup-go` action, caching is enabled by default
and when a `go.sum` can't be found in the root of the project, a warning
is logged.
Since we don't have a `go.sum` in the project root, this warning was
being issued by both tasks that used the `setup-go` action:
* The BoGo test suite task
* The code coverage task
For the first of these, caching is disabled to avoid the warning - we
weren't benefiting from this to begin with and setting
`cache-dependency-path` to `bogo/bogo/go.sum` or `bogo/go.sum` wasn't
working.
For the second of these, it's not clear _why_ we were installing the Go
toolchain. The BoGo test suite is not being run by this task and so Go
is not required. Removing it fixes the warning.
MSRV is important (and tested separately) for the core crate
(and its dependencies) but doesn't apply to test code.
Run these daily to notice any breakage earlier.
This commit updates the `build.yml` GitHub actions workflow to
additionally include a step that checks semver compatibility w/
cargo-semver-checks[0].
Notably this check passing is necessary but not sufficient for knowing
that we're maintaining semver: if this tool produces a finding we know
we aren't matching semver, but if it doesn't, we may still be breaking
semver in a way the tool can't detect.
[0]: https://github.com/obi1kenobi/cargo-semver-checks
This commit adds `merge_group` to our CI task `on` triggers in
preparation for enabling the merge queue feature.
Per the GitHub docs[0]:
> You must use the merge_group event to trigger your GitHub Actions
> workflow when a pull request is added to a merge queue.
>
> Note: If your repository uses GitHub Actions to perform required
> checks on pull requests in your repository, you need to update the
> workflows to include the merge_group event as an additional trigger.
> Otherwise, status checks will not be triggered when you add a pull
> request to a merge queue. The merge will fail as the required status
> check will not be reported. The merge_group event is separate from the
> pull_request and push events.
[0]: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-a-merge-queue
This commit adds a CI task that uses `cross` to cross-compile Rustls for
the 32bit `i686-unknown-linux-gnu` target. This can be used as
a smoke-test that we haven't broken 32bit compat. Unfortunately GitHub
doesn't offer 32bit action runners so we have to cross-compile to
achieve this test.
To install `cross` this commit relies on `install-action`[0]. This is
a new 3rd party action for the Rustls repo, but one that was already
being used in `webpki` for `llvm-cov` and `cargo deny`. If we'd prefer
to avoid that workflow dependency we could instead `cargo install cross`
at the cost of having to use nightly rust and longer CI execution time.
[0]: https://github.com/taiki-e/install-action
We want to catch breakages in these client examples when they occur, but
also don't want to run them during normal CI since they connect to
external hosts and may occasionally flake.
This commit adds `simpleclient`, `limitedclient`, and
`simple_0rtt_client` test runs to the `connect-tests.yml` CI
configuration we run on a weekly basis.
The `badssl.rs` and `topsites.rs` unit tests reach out to remote servers
and so can be sources of flakes, slow down local testing, and may not
operate correctly in the presence of HTTP(S) proxies.
This commit pulls those tests out of the `examples` crate and into
a `connect-tests` crate that *isn't* part of our default workspace. This
means running `cargo test --all-targets` and similar won't run these
tests. Instead they must be explicitly run from within the
`connect-tests` directory, or by specifying the crate's `Cargo.toml` as
a `--manifest-path`.
To ensure we don't have bitrot/formatting errors we continue to lint
the connectivity examples during our regular CI, but don't actually run
the tests. Instead a separate cron-based workflow runs the tests once
a week. Hopefully this will be a good balance between maintaining the
coverage and not slowing down local tests, bumping into user HTTP(S)
proxies, or hitting flakes.
In #862, we added CIFuzz integration. This is great, but it runs until a
specific timeout (currently 600s), in addition to needing about 6 minutes
of setup time. This is more than 3 times as long as the next longest CI job
(coverage took about 4m in #1242 just now). Given that we already have
OSS-Fuzz spending quite a bit of time running fuzzing for us and that (as
far as I remember) we have yet to find any issues from the CIFuzz integration,
I feel safe reducing the runtime for CIFuzz to 150s. This should still cover
quite a bit of ground given that we're executing pretty fast Rust code.
Previously we ran clippy (both stable and nightly) only for
`--all-features` builds. This allows warnings specific to
`--no-default-features` to slip by.
This commit adds clippy invocations that build w/
`--no-default-features` so we can catch warnings specific to this
configuration during CI.
Previously the example directories weren't being tested with
`--no-default-features`, letting bitrot affect those configurations.
This commit includes those directories in the `--no-default-features`
task that runs `cargo test`.
The `fuzz` subdirectory is set up as a separate workspace from the main
workspace that contains `rustls` and `examples`. Because of this running
`cargo fmt --all` and other similar tooling doesn't include the `fuzz`
directory. This can lead to formatting/clippy drift over time.
In this commit the `build.yml` config is extended to also run `clippy`
and `fmt` on the `fuzz` subdirectory using `--manifest-path`.
This commit updates the existing `.github/dependabot.yml` config that
monitors Cargo dependencies to also monitor GitHub actions (on a weekly
cadence).