This is complex because the choice of usable cipher suites depends
on selected protocol version, and the set of mutually supported
key exchange groups. Then, the usable set of key exchange groups
depends on the actually-selected cipher suite.

Prior to this, we preferred to avoid a `HelloRetryRequest` when
any supported `KeyShare` was supplied. But as [1] describes,
this means a client which sends a `KeyShare` for a less-preferred
group would end up using that, rather than a more-preferred group
supported by both peers.
[1]: https://www.ietf.org/archive/id/draft-davidben-tls-key-share-prediction-00.html#name-downgrades
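
The downgrade described in the commit message above, as an added example that is not code from rustls: two hypothetical selection policies run over a constructed `ClientHello`. It assumes the server's own preference order decides the group; every type and function name is invented for the illustration.

```rust
// Added illustration: hypothetical types and names, not rustls APIs.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum Group { X25519, Secp256r1, Secp384r1 }

#[derive(Debug, PartialEq, Eq)]
enum Decision {
    UseKeyShare(Group),       // continue with a share the client already sent
    HelloRetryRequest(Group), // ask the client for a share in this group
    NoMutualGroup,            // nothing in common: handshake fails
}

struct ClientHello<'a> {
    supported_groups: &'a [Group], // every group the client is willing to use
    key_shares: &'a [Group],       // subset it sent shares for (its prediction)
}

/// Earlier policy: accept any supplied key share we support, retry only if none.
fn select_avoiding_retry(server_prefs: &[Group], hello: &ClientHello) -> Decision {
    if let Some(g) = server_prefs.iter().copied().find(|g| hello.key_shares.contains(g)) {
        return Decision::UseKeyShare(g);
    }
    match server_prefs.iter().copied().find(|g| hello.supported_groups.contains(g)) {
        Some(g) => Decision::HelloRetryRequest(g),
        None => Decision::NoMutualGroup,
    }
}

/// Later policy: pick the most-preferred mutual group first, then look for its share.
fn select_preferred_group(server_prefs: &[Group], hello: &ClientHello) -> Decision {
    match server_prefs.iter().copied().find(|g| hello.supported_groups.contains(g)) {
        None => Decision::NoMutualGroup,
        Some(g) if hello.key_shares.contains(&g) => Decision::UseKeyShare(g),
        Some(g) => Decision::HelloRetryRequest(g),
    }
}

fn main() {
    // Constructed scenario: both peers support X25519, but the client
    // only sent a key share for the less-preferred secp256r1.
    let server_prefs = [Group::X25519, Group::Secp384r1, Group::Secp256r1];
    let hello = ClientHello {
        supported_groups: &[Group::X25519, Group::Secp256r1],
        key_shares: &[Group::Secp256r1],
    };
    println!("avoid retry:  {:?}", select_avoiding_retry(&server_prefs, &hello));
    println!("prefer group: {:?}", select_preferred_group(&server_prefs, &hello));
}
```
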

By ignoring everything not precisely expected, these ran the risk
of incorrectly passing. E.g., `assert_server_requests_retry_and_echoes_session_id`
would pass if the server sent a `ServerHello`.

The `ConnectionCommon<T>::write_vectored` was implemented by processing
each chunk, fragmenting them and wrapping each fragment in an
`OutboundMessage` before encrypting and sending it as separate TLS frames.
For very fragmented payloads this generates a lot of very small payloads
with most of the data being TLS headers.

`OutboundChunks` can contain an arbitrary amount of fragmented chunks.
This allows `write_vectored` to process all its chunks at once,
fragmenting it in place if needed and wrapping it in an `OutboundMessage`.
All the chunks are merged in a contiguous vector (taking advantage of an
already existent copy) before being encrypted and sent as a single TLS
frame.
Signed-off-by: Eloi DEMOLIS <eloi.demolis@clever-cloud.com>
Co-Authored-By: Emmanuel Bosquet <bjokac@gmail.com>

While in general these examples shouldn't be written to handle errors,
the long-running MIO poll operation is especially prone to returning
interrupted syscall errors when a debugger is attached.

This commit updates each MIO example to ignore this class of error
rather than panicking, improving the debugging experience.

Prior to this, we chose one provider as a tie breaker (`crate::test_provider`)
if two were enabled. That meant the other provider was left untested.

Introduce a macro `test_for_each_provider!` which expands tests into
their own modules for each enabled provider. `bench_for_each_provider!` ditto.

Downside: this hides the test code from rustfmt :(

One can be installed with `CryptoProvider::install_default`.
First call wins.

The current value can be retrieved with `CryptoProvider::get_default()`.

This can be set from the crate features, if and only if they are unambiguous,
by installing the result of `CryptoProvider::from_crate_features()`.

Use this for `ClientConfig::builder` and `ServerConfig::builder` et al.
Naturally, `ClientConfig::builder_with_provider` and co. continue to exist.