Commit Graph

2903 Commits

Author SHA1 Message Date
Joseph Birr-Pixton 363910b701 Extract all straight lookups of suites and kx groups 2024-02-20 10:35:13 +00:00
Daniel McCarney fdf71f8ed0 Cargo: bump semver compat deps
* clap v4.5.0 -> v4.5.1
* rustls-pemfile v2.0.0 -> v2.1.0
* rustls-pki-types v1.2.0 -> v1.3.0
* ring v0.17.7 -> v0.17.8
* aws-lc-rs v1.6.1 -> v1.6.2
2024-02-19 22:08:52 +00:00
Joseph Birr-Pixton 114ae6f643 Inline `choose_ciphersuite_preferring_client` and co
Test the behaviour of `ServerConfig::ignore_client_order` at
the public API level.
2024-02-19 19:36:13 +00:00
Joseph Birr-Pixton 651b5a4f14 Select key exchange group and cipher suite together
This is complex because the choice of usable cipher suites depends
on selected protocol version, and the set of mutually supported
key exchange groups.  Then, the usable set of key exchange groups
depends on the actually-selected cipher suite.
2024-02-19 19:36:13 +00:00
Joseph Birr-Pixton d23e58c3db Prefer `supported_groups` extension in kx group choice
Prior to this, we preferred to avoid a `HelloRetryRequest` when
any supported `KeyShare` was supplied.  But as [1] describes,
this means a client which sends a `KeyShare` for a less-preferred
group would end up using that, rather than a more-preferred group
supported by both peers.

[1]: https://www.ietf.org/archive/id/draft-davidben-tls-key-share-prediction-00.html#name-downgrades
2024-02-19 19:36:13 +00:00
Joseph Birr-Pixton e178646af5 test_client_rejects_hrr_with_varied_session_id: tighten
By ignoring everything not precisely expected, these ran the risk
of incorrectly passing.  e.g., `assert_server_requests_retry_and_echoes_session_id`
would pass if the server sent a `ServerHello`.
2024-02-19 19:36:13 +00:00
Joseph Birr-Pixton 30438654f3 tests/api.rs: minor formatting corrections 2024-02-19 19:36:13 +00:00
Joseph Birr-Pixton 9e4fd799d1 Pass through key exchange errors
In 3355e06f9 we generalised the error type here, but we didn't
get rid of code that discarded the information-less error.
2024-02-19 19:36:13 +00:00
Joseph Birr-Pixton cf619616d2 Remove unused `trait BorrowedPlainMessage`
There are no uses of this trait inside the crate, so remove it
and transfer the used parts into the `OutboundMessage` inherent impl.
2024-02-19 15:16:32 +00:00
Joseph Birr-Pixton 40a56fcca6 Simplify tests that inject alerts 2024-02-19 15:16:32 +00:00
Joseph Birr-Pixton f6cd567fc2 Improve linking to per-process default provider docs 2024-02-19 11:05:47 +00:00
Joseph Birr-Pixton 3a52829b17 ClientCertVerifierBuilder docs nits 2024-02-19 11:05:47 +00:00
Joseph Birr-Pixton 96dc28de32 Add manual section for FIPS 2024-02-19 11:05:47 +00:00
Joseph Birr-Pixton 3f0e0fc66f Fix broken link to `CryptoProvider` 2024-02-19 11:05:47 +00:00
Joseph Birr-Pixton 33d4f01e16 features.rs: label which are extensible 2024-02-19 11:05:47 +00:00
Joseph Birr-Pixton e2f1e604c4 features.rs: remove punctuation from list 2024-02-19 11:05:47 +00:00
Joseph Birr-Pixton 581b14d605 features.rs: de-duplicate 0rtt item 2024-02-19 11:05:47 +00:00
Joseph Birr-Pixton e2c5276cac Update manual::features and refer to it 2024-02-19 11:05:47 +00:00
Joseph Birr-Pixton a76614b719 Fix stray list in "Examples" section 2024-02-19 11:05:47 +00:00
Joseph Birr-Pixton fe0c345254 Publish pre-release documentation via github-pages 2024-02-19 11:05:47 +00:00
Eloi DEMOLIS cf09842ca5 Move is_valid_ccs as a method of InboundMessage
Signed-off-by: Eloi DEMOLIS <eloi.demolis@clever-cloud.com>
2024-02-16 09:10:13 +00:00
Eloi DEMOLIS 2f02ddc21b Create type OutboundChunks for OutboundMessage
The ConnectionCommon<T>::write_vectored was implemented by processing
each chunk, fragmenting them and wrapping each fragment in a
an OutboundMessage before encrypting and sending it as separate TLS frames.
For very fragmented payloads this generates a lot of very small payloads
with most of the data being TLS headers.

OutboundChunks can contain an arbitrary amount of fragmented chunks.
This allows write_vectored to process all its chunks at once,
fragmenting it in place if needed and wrapping it in an OutboundMessage.
All the chunks are merged in a contiguous vector (taking advantage of an
already existent copy) before being encrypted and sent as a single TLS
frame.

Signed-off-by: Eloi DEMOLIS <eloi.demolis@clever-cloud.com>
Co-Authored-By: Emmanuel Bosquet <bjokac@gmail.com>
2024-02-16 09:10:13 +00:00
Eloi DEMOLIS 9af53f25f9 Split BorrowedPlainMessage in inbound and outbound types
Signed-off-by: Eloi DEMOLIS <eloi.demolis@clever-cloud.com>
2024-02-16 09:10:13 +00:00
Daniel McCarney 1cdb10f8b4 examples: ignore interrupted syscalls for mio poll
While in general these examples shouldn't be written to handle errors,
the long-running MIO poll operation is especially prone to returning
interrupted syscall errors when a debugger is attached.

This commit updates each MIO example to ignore this class of error
rather than panicking, improving the debugging experience.
2024-02-15 14:59:33 +00:00
Joseph Birr-Pixton deffd3fa55 Update version of nightly for check-external-types 2024-02-15 12:02:31 +00:00
Richard Pringle 563c5c12dc Make peer-certificates lifetime explicit 2024-02-14 14:07:53 +00:00
Daniel McCarney 3179b925c2 ci: add Windows aws-lc-rs build reqs to daily-tests 2024-02-12 19:02:29 +00:00
Joseph Birr-Pixton 8e4afc6d14 Improve/extend docs of `default_fips_provider()` 2024-02-12 10:00:59 +00:00
Joseph Birr-Pixton 7415b5ff3d Change crate default provider to aws-lc-rs 2024-02-12 10:00:59 +00:00
Joseph Birr-Pixton abbc1bb501 examples: take provider references through alias 2024-02-12 10:00:59 +00:00
Dirkjan Ochtman c469593c90 Update semver-compatible dependencies 2024-02-12 09:27:07 +00:00
Dirkjan Ochtman fdeff32eb8 openssl-tests: bump asn1 to 0.16 2024-02-12 09:27:07 +00:00
Joe Birr-Pixton 95067cb333 provide codecov token for coverage job 2024-02-09 18:39:21 +00:00
Joseph Birr-Pixton 07747f6c56 Ensure integration tests happen for all providers 2024-02-09 12:52:26 +00:00
Joseph Birr-Pixton 94107b0376 tests: move `CountingLogger` and co to bottom 2024-02-09 12:52:26 +00:00
Joseph Birr-Pixton 1c21bdd5c8 Rework verifybench.rs:
- cover all providers
- now we use test::Bencher elsewhere, use it
2024-02-09 12:52:26 +00:00
Joseph Birr-Pixton 89b8f45ba5 Ensure unit tests happen for all enabled providers
Prior to this, we chose one provider as a tie breaker (`crate::test_provider`)
if two were enabled.  That meant the other provider was left untested.

Introduce a macro `test_for_each_provider!` which expands tests into
their own modules for each enabled provider.  `bench_for_each_provider!` ditto.

Downside: this hides the test code from rustfmt :(
2024-02-09 12:52:26 +00:00
Joseph Birr-Pixton e7a1b41852 Introduce concept of "process default" provider
One can be installed with `CryptoProvider::install_default`.
First call wins.

The current value can be retrieved with `CryptoProvider::get_default()`.

This can be set from the crate features, if and only if they are unambiguous,
by installing the result of `CryptoProvider::from_crate_features()`.

Use this for `ClientConfig::builder` and `ServerConfig::builder` et al.
Naturally, `ClientConfig::builder_with_provider` and co. continue to exist.
2024-02-07 16:02:26 +00:00
Steve Fan 7e19ba171d docs: add rustls-rustcrypt to documented providers 2024-02-07 15:29:47 +00:00
Joseph Birr-Pixton 501f91c9e6 Take semver-compatible updated deps 2024-02-07 14:44:59 +00:00
Joseph Birr-Pixton e84c07b67e Take curve25519-dalek 4.1.2 2024-02-07 14:44:59 +00:00
Arash Sahebolamri 8c29d91ed3 Test FFDHE support against OpenSSL
This commit adds a new test crate `openssl-tests` that includes tests of
FFDHE kx and validation of baked-in FFDHE parameters
2024-02-07 14:02:26 +00:00
Arash Sahebolamri c8c56a7aef Implement FFDHE support
+ Make server avoid cipher suites with kx without common kx groups with client
+ Handle FFDHE shared secret leading zeros correctly
2024-02-07 14:02:26 +00:00
Arash Sahebolamri 1340ea95e6 Rename `emit_clientkx` to `emit_client_kx` 2024-02-07 14:02:26 +00:00
Arash Sahebolamri 616d0dde7a Avoid reallocating for `suitable_suites` in `server/hs.rs` 2024-02-07 14:02:26 +00:00
Arash Sahebolamri ec11229787 Refactor handshake kx types 2024-02-07 14:02:26 +00:00
Arash Sahebolamri 941d051196 Refactor TLS1.2 kx group selection logic 2024-02-07 14:02:26 +00:00
Arash Sahebolamri 32f3d50a87 Refactor `SharedSecret` definition 2024-02-07 14:02:26 +00:00
Arash Sahebolamri cb91090a60 Minor refactors in preparation for FFDHE work 2024-02-07 14:02:26 +00:00
Arash Sahebolamri d89d84f655 Do not require EC Point Formats extension in TLS 1.2 2024-02-07 14:02:26 +00:00