Commit Graph

78 Commits

Author SHA1 Message Date
Joseph Birr-Pixton 0a61a3ad4a Depend on rustls-webpki 0.102.1 2024-01-04 09:21:59 +00:00
Dirkjan Ochtman 937a51c384 Update semver-compatible dependencies 2023-12-11 10:11:15 +00:00
Jacob Hoffman-Andrews 0963cca28d update examples to use pki_types re-export
We now re-export the rustls-pki-types crate. I think that means
our preferred way for crates to consume pki-types is through the
re-exports.
2023-12-08 09:31:35 +00:00
Daniel McCarney b2cd88697f Cargo: version 0.22 -> 0.23-alpha.0
We're starting to land semver incompatible changes into `main`. This
commit bumps the crate version so that the semver detection job won't
cause spurious failures.
2023-12-06 18:40:20 +00:00
Christian Poveda 17e938c3af Batch discard operations 2023-12-06 18:15:37 +00:00
Jorge Aparicio 4505605c1a make MessageDeframer unbuffered 2023-12-06 18:15:37 +00:00
Joseph Birr-Pixton 4d1b762b53 Bump version to 0.22.0 2023-12-01 19:10:46 +00:00
Joseph Birr-Pixton 381dcf99ee Update dependencies 2023-12-01 19:10:46 +00:00
Daniel McCarney a7191785f6 remove unwrap for protocol versions w/ default provider
When building a client config or a server config using the default
provider we know that the ciphersuites will be compatible with any
choice of protocol version. By having the default `builder` method
configure itself with safe default versions, and offering
a `builder_with_protocol_versions` for customization we can transition
directly to `WantsVerifier` for these default provider builders,
removing a `Result` that will never be an error and making the API more
ergonomic in the common case.
2023-11-30 15:53:39 +00:00
Daniel McCarney b92fd839e3 crypto: rework CryptoProvider as struct
This commit replaces the existing `CryptoProvider` trait with
a `CryptoProvider` struct. This has several advantages:

* it consolidates all of the cryptography related settings into one API
  surface, the `CryptoProvider` struct members. Previously the provider
  had methods to suggest default ciphersuites, key exchanges etc, but
  the builder API methods could override them in confusing ways.
* it allows removing the `WantsCipherSuites` and `WantsKxGroups` builder
  states - the "safe defaults" are automatically supplied by the choice
  of a crypto provider. Customization is achieved by overriding the
  provider's struct fields. Having fewer builder states makes the API
  easier to understand and document.
* it makes customization easier: the end user can rely on "struct update
  syntax"[0] to only specify field values for the required
  customization, and defer the rest to an existing `CryptoProvider`.

Achieving this requires a couple of additional changes:

* The cipher suite and key exchange groups are now expressed as `Vec`
  elements. This avoids imposing a `&'static` lifetime that would
  preclude runtime customization (e.g. the tls*-mio examples that
  build the list of ciphersuites at runtime based on command line
  flags).
* As a result of the `Vec` members we can no longer offer the concrete
  `CryptoProvider`s as `static` members of their respective modules.
  Instead we add `pub fn default_provider() -> CryptoProvider` methods
  to the `ring` and `aws-lc-rs` modules that construct the `CryptoProvider`
  with the safe defaults, ready for further customization.

[0]: https://doc.rust-lang.org/book/ch05-01-defining-structs.html#creating-instances-from-other-instances-with-struct-update-syntax
2023-11-30 15:53:39 +00:00
Daniel McCarney 74bd185f6e Cargo: 0.22.0-alpha.5 -> 0.22.0-alpha.6 2023-11-29 21:41:52 +00:00
Daniel McCarney aef3381dea update rustls-webpki to alpha.8, pki-types to 2.2.3
Requires accommodating the new `Debug` bound requirement in the provider
example, and fixing some expected output in a webpki verify test.
2023-11-29 21:41:52 +00:00
Dirkjan Ochtman af80fa35f6 Update semver-compatible dependencies 2023-11-27 14:45:32 +00:00
Dirkjan Ochtman a6233dcc46 Bump rustls version to alpha.5 2023-11-24 14:38:07 +00:00
Dirkjan Ochtman 26ec868b8c Migrate to pki-types ServerName 2023-11-23 21:57:10 +00:00
Daniel McCarney 7a3542f9a2 server: add Debug bound to ResolvesServerCert
This commit adds a `Debug` bound to the `ResolvesServerCert` trait in
addition to `Send` and `Sync`. Types implementing this trait are updated
to either derive `Debug` or implement it by hand as appropriate.
2023-11-09 18:26:12 +00:00
Daniel McCarney b776a5778a Cargo: 0.22.0-alpha.3 -> 0.22.0-alpha.4 2023-10-30 15:31:19 +00:00
Daniel McCarney 1ec7b727de Cargo: use rustls-webpki v0.102.0-alpha.6
This version of webpki improves CRL ergonomics. Notable changes:

* use `with_status_policy builder` fn

The upstream crate added a more ergonomic interface we can use in
place of having to keep around a mutable builder and doing our own
matching.

* avoid CRL dyn trait hurdles

The upstream crate made working with CRLs easier by replacing the
`CertRevocationList` trait with an `enum` representation.

Notably this makes working with the `Vec<OwnedCertRevocationList>` that
the webpki verifier builders and verifiers hold much easier: we no longer
have to do as many contortions to convert to a `&[&dyn
CertRevocationList]`.
2023-10-30 15:31:19 +00:00
Joe Birr-Pixton b515abfcb3 `AeadKey`: zeroize on drop 2023-10-20 09:04:27 +00:00
Joseph Birr-Pixton 092a6af3db Take rustls-webpki 0.102.0-alpha.4 2023-10-06 15:24:29 +00:00
Dirkjan Ochtman 8e64ed10b9 Upgrade to ring 0.17 2023-10-06 15:24:29 +00:00
Joseph Birr-Pixton 47cae34706 fuzz: remove unused webpki dependency 2023-10-06 10:25:05 +00:00
Dirkjan Ochtman c7970af179 Keep Cargo.lock under version control 2023-09-26 13:38:35 +00:00
Joseph Birr-Pixton 048ff10740 Use dynamic dispatch for `CryptoProvider`
Instead of the type `rustls::crypto::ring::Ring`, the value
`rustls::crypto::ring::RING` implements this, and is more
entertaining to write.

`ServerConfig::builder()` references this by default, and
is equivalent to `ServerConfig::builder_with_provider(crypto::ring::RING)`.
2023-09-19 11:09:38 +00:00
Daniel McCarney 222690db36 deframer: allow plaintext alerts in early 1.3 HS.
Some TLS 1.3 implementations send plaintext alerts (e.g. for an unknown
certificate issuer) early in the handshake.

Trying to decrypt these messages will produce a decrypt error (because
they're plaintext!). We also don't want to allow plaintext alerts to be
received after encrypted records have been exchanged, since this could
allow an active adversary to inject alerts.

As a compromise to support clients that send a plaintext alert before
any encrypted data, we adjust the deframer in this commit to pass
through plaintext alerts iff:

* The message type is alert, (e.g. not application data, etc)
* There have been no encrypted records received yet.
* The message payload is no more than 2 bytes in size (matching an
  expected plaintext alert payload).
* The negotiated protocol version is TLS 1.3 - in TLS 1.2 the CCS
  messages make whether to expect plaintext or not unambiguous. It's
  only for TLS 1.3 that we need the heuristics mentioned above.

This retains protection against plaintext alerts being sent after
encrypted content while still allowing the server to log the correct
alert in the early-handshake condition, instead of a decrypt error.
2023-08-08 15:06:06 +00:00
Daniel McCarney 17a7e17534 crypto: separate module dir, ring sub-module.
For better code organization this commit moves the generic crypto
interface code from `src/crypto.rs` to `src/crypto/lib.rs`.

The *ring* specific code implementing the generic interfaces is moved to
`src/crypto/ring.rs` as a sub-module of `crypto`. All imports are
adjusted accordingly.

This has the advantage of leaving `src/crypto/lib.rs` small, and without
any *ring* specific imports. In the future we may choose to feature-gate
the ring sub-module to allow building the crate without a dependency on
ring.
2023-07-18 17:47:43 +00:00
Dirkjan Ochtman e1860c91a8 crypto: parametrize config types with crypto provider 2023-07-18 17:47:43 +00:00
Daniel McCarney ff5d3e32e4 deps: update rustls-webpki.
This commit updates the webpki dependency of rustls to v0.101.0,
the release that adds CRL support.
2023-07-05 11:34:11 -04:00
Joseph Birr-Pixton ae4ca3290b Cease relying on webpki crate for DNS name types
This introduces similar but simplified `DnsName` and
`DnsNameRef` types.

Fuzz the `client::ServerName` type that exposes this
surface.
2023-06-22 11:57:34 +01:00
Daniel McCarney 18f42bba16 fuzz: fix unused Result clippy finding.
```
warning: unused `std::result::Result` that must be used
  --> fuzzers/persist.rs:14:5
   |
14 |     T::read(&mut rdr);
   |     ^^^^^^^^^^^^^^^^^^
   |
   = note: `#[warn(unused_must_use)]` on by default
   = note: this `Result` may be an `Err` variant, which should be handled
```
2023-03-20 16:08:55 +01:00
Daniel McCarney ca5725747a fuzz: cargo fmt updates 2023-03-20 16:08:55 +01:00
Daniel McCarney da19f2b069 docs: add small README for fuzz testing suite.
This commit adds a README to the `fuzz` subdirectory of the project
root. The README has a few small pointers to help a developer get
started running the fuzz tests locally, and a link to the upstream
cargo-fuzz docs for more information.
2023-03-03 19:08:13 +01:00
Joseph Birr-Pixton 4ad8b1f432 fuzzer client/server: process packets 2023-01-27 11:19:29 +00:00
Joseph Birr-Pixton eb191d0cc4 Remove opaque StoresClientSessions interface 2023-01-24 13:53:34 +00:00
Dirkjan Ochtman 1acd7a7139 deframer: join handshake messages in deframer buffer 2023-01-17 21:17:13 +01:00
Dirkjan Ochtman c3a84dedae deframer: derive Default implementation 2023-01-17 21:17:13 +01:00
Dirkjan Ochtman 6555b9f630 deframer: move decryption into deframer 2023-01-17 21:17:13 +01:00
Dirkjan Ochtman 6e6baa91e7 Upgrade to 2021 edition 2023-01-13 12:11:26 +01:00
Dirkjan Ochtman 9e657be6b9 hsjoiner: simplify awkward message type checking API 2023-01-05 08:41:51 +01:00
Dirkjan Ochtman 279f88fb26 hsjoiner: lazily parse messages from the handshake joiner 2023-01-05 08:41:51 +01:00
Dirkjan Ochtman 3356e3c705 hsjoiner: abstract over implementation details 2023-01-05 08:41:51 +01:00
Dirkjan Ochtman dbbb4eafc0 hsjoiner: clarify the return type for take_message() 2023-01-05 08:41:51 +01:00
Dirkjan Ochtman 54354c66ab deframer: abstract over internal state 2022-10-23 10:58:48 +02:00
Jacob Hoffman-Andrews a94a0055e1 MessageFragmenter: return an iterator (#1050)
This avoids a couple of unnecessary allocations: the individual Payloads of the
fragmented messages were allocating and filling a Vec, and the call sites were
allocating a VecDeque to be filled with messages.

Instead, always return an iterator of BorrowedPlainMessage, which the caller can
iterate over.
2022-06-13 10:30:45 +02:00
Jacob Hoffman-Andrews dde28baec1 Replace MessageFragmenter::new with impl Default
Previously there were two paths that would check that a max_fragment_size was in
the acceptable range. Now there's just one path: calling set_max_fragment_size.

This provides a way to construct a MessageFragmenter with the default fragment
size that is error-free.
2022-05-30 10:20:36 +02:00
Brian Smith 9159a82c33 Use the new feature resolver (`resolver = "2"`).
Use the new feature resolver stabilized in Rust 1.51.0 to improve how
features are handled.
2022-01-14 00:28:46 +01:00
Joseph Birr-Pixton de205650f7 Fix persistence fuzz targets 2021-11-14 10:24:06 +00:00
Dirkjan Ochtman 42e624bbe2 Keep Certificate Transparency support implicitly off by default 2021-09-20 22:39:23 +02:00
Dirkjan Ochtman 74d9c5641b fuzz: remove unused imports 2021-09-18 20:48:39 +02:00
Dirkjan Ochtman 8081a3462f Configure certificate transparency logs in a separate step 2021-09-18 20:48:39 +02:00