no-std users must use the new ServerConfig::builder_with_details(),
which requires a `TimeProvider` to be provided up-front.
For std builds, the `ServerConfig` uses the `DefaultTimeProvider`
for existing, other `ServerConfig::builder*` functions.
For no-std users, the new `ClientConfig::builder_with_details()` must
be used, which requires a `TimeProvider` implementation up-front.
For std builds, the `ClientConfig` uses the `DefaultTimeProvider` for
existing `ClientConfig::builder*` functions.
Since aws-lc-rs doesn't support no-std it's moved from the default
features to the std features.
Similarly we must tweak our `once_cell` usage to provide the
`race` feature for builds without `std`.
See the upstream[0] docs section on "Does this crate support no_std?"
for some important caveats.
[0]: https://docs.rs/once_cell/latest/once_cell/
The previous commit introduced an `EncryptBufferAdapter` alongside
`BufferAdapter`. This commit renames `BufferAdapter` to
`DecryptBufferAdapter` to better represent its purpose.
PrefixedPayload holds a Vec<u8> with a 5 bytes padding before the
actual OpaqueMessage's payload. They will be filled when encoding the
OpaqueMessage avoiding an allocation and a copy.
Signed-off-by: Eloi DEMOLIS <eloi.demolis@clever-cloud.com>
The function very nicely constructs the `end_entity` variable, use it
throughout instead of selecting it again.
This makes it so that we use the position of `end_entity` in the chain
only once, and it makes it more clear that we're using the
previously-verified certificate.
This is complex because the choice of usable cipher suites depends
on selected protocol version, and the set of mutually supported
key exchange groups. Then, the usable set of key exchange groups
depends on the actually-selected cipher suite.
Prior to this, we preferred to avoid a `HelloRetryRequest` when
any supported `KeyShare` was supplied. But as [1] describes,
this means a client which sends a `KeyShare` for a less-preferred
group would end up using that, rather than a more-preferred group
supported by both peers.
[1]: https://www.ietf.org/archive/id/draft-davidben-tls-key-share-prediction-00.html#name-downgrades
By ignoring everything not precisely expected, these ran the risk
of incorrectly passing. eg, `assert_server_requests_retry_and_echoes_session_id`
would pass if the server sent a `ServerHello`.
The ConnectionCommon<T>::write_vectored was implemented by processing
each chunk, fragmenting them and wrapping each fragment in a
OutboundMessage before encrypting and sending it as separate TLS frames.
For very fragmented payloads this generates a lot of very small payloads
with most of the data being TLS headers.
OutboundChunks can contain an arbitrary amount of fragmented chunks.
This allows write_vectored to process all its chunks at once,
fragmenting it in place if needed and wrapping it in a OutboundMessage.
All the chunks are merged in a contiguous vector (taking atvantage of an
already existent copy) before being encrypted and sent as a single TLS
frame.
Signed-off-by: Eloi DEMOLIS <eloi.demolis@clever-cloud.com>
Co-Authored-By: Emmanuel Bosquet <bjokac@gmail.com>
While in general these examples shouldn't be written to handle errors,
the long-running MIO poll operation is especially prone to returning
interrupted syscall errors when a debugger is attached.
This commit updates each MIO example to ignore this class of error
rather than panicing, improving the debugging experience.