rust/rustls
rust
/
rustls
mirror of https://github.com/ctz/rustls
1
0
Fork 0
Code Issues Releases Wiki Activity
1,004 Commits 46 Branches 69 Tags 31 MiB
Commit Graph

84 Commits

Author SHA1 Message Date
Joseph Birr-Pixton bad9bd7454 Fix at base64 0.12.1 
0.12.2 has a breaking MSRV change
 2020-06-20 13:25:21 +01:00
Joseph Birr-Pixton 02910b186f Remove unused use of Error 2020-06-20 13:10:53 +01:00
Joseph Birr-Pixton ac3573bf98 Remove dependency on tempfile 
This broke the MSRV build, and was bringing in the whole
of rand, wasi, and a ton of other stuff.  All so we could
have a temporary directory during a few tests.  6 crates for
generating randomness just for that!

This accounted for 10% of the size of Cargo.lock alone.
 2020-06-20 13:04:59 +01:00
Joseph Birr-Pixton 1b99071bc4 Test that OwnedTrustAnchor::to_trust_anchor is public 2020-06-20 11:50:26 +01:00
Joseph Birr-Pixton 5efd23a068 Rewrite x509::wrap_in_sequence to be more general 
Actually, it's only slightly more complex to make this
work for all possible usize values.  So let's do that.
 2020-06-12 21:01:48 +01:00
Joseph Birr-Pixton cac66a8c18 error description() is deprecated; avoid it 2020-06-08 21:33:03 +01:00
Joseph Birr-Pixton 227d9a2aff Assert x.509 name is shorter than 64KB 
Otherwise this function produces incorrect output.
 2020-06-08 21:06:06 +01:00
Joseph Birr-Pixton 22a9a49bd4 Test for 64KB certificate chain limit 2020-06-07 18:29:24 +01:00
Joseph Birr-Pixton 1803e8e7ad Improve msgs::message coverage 2020-06-07 17:21:11 +01:00
Joseph Birr-Pixton 39175e7252 Refactor state machine message checking 
Instead of having check_message called separately, do all
checking inside the state transition functions.

This means certain errors need to be detected to get
the right alert behaviour.  But it dramatically
decreases the number of .unwrap()s and makes things
simpler.
 2020-06-07 16:50:03 +01:00
Joseph Birr-Pixton 46c259bd8e Assert if we send several fatal alerts in session 2020-05-24 10:58:29 +01:00
Benjamin Saunders cf457c4315 Fix out-of-phase key update 
We were returning keys from the previous phase rather than the current
one.
 2020-05-24 10:28:58 +01:00
Benjamin Saunders b940acce5e Improve concision 2020-05-24 10:28:58 +01:00
Benjamin Saunders 70c558b186 Don't set legacy_session_id for QUIC 2020-05-24 10:28:58 +01:00
Joseph Birr-Pixton f07f8b135d Refactor deframer to hopefully improve clarity 
There were some unwraps here that we can get rid of if we unduplicate
the work Message::read already does.  That goes in Message::read_with_detailed_error.

Delete a fuzz corpus file that was actually wrong, but allowed by Message::read's
previous lax semantics.
 2020-05-16 18:26:02 +01:00
Joseph Birr-Pixton e680b3b6c7 Remove writev_tls; use std::io::Write::write_vectored 
This is just a whole lot better.
 2020-05-15 21:42:03 +01:00
Marc-Antoine Perennou 2912dbffde stream: implement write_vectored 
Signed-off-by: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
 2020-05-15 20:40:07 +01:00
Joseph Birr-Pixton 63584de444 Remove checks on certtypes in CertificateRequest 2020-05-15 20:32:36 +01:00
Joseph Birr-Pixton 1c83b3ac03 Coverage improvements in suites/server 2020-05-08 18:51:05 +01:00
Joseph Birr-Pixton 7225c99f5f Further handshake.rs coverage 2020-05-08 16:55:34 +01:00
Joseph Birr-Pixton 79b0b5d775 Remove unused code 2020-05-08 16:55:34 +01:00
Joseph Birr-Pixton fb1970c8fc Tests for keylog.rs 2020-05-08 16:55:34 +01:00
Joseph Birr-Pixton cb397f0e15 Test detection of truncated handshake messages 2020-05-08 16:55:34 +01:00
Benjamin Saunders 59ee30545e Format quic 2020-05-05 19:48:07 +01:00
Benjamin Saunders 96acad1d55 quic: Expose keys rather than secrets 
Strengthens protection of sensitive internal state and makes life
easier for QUIC implementations.
 2020-05-05 19:48:07 +01:00
Nicolas Viennot a40724db72 bench: read server entirely before sending buffer to client 
Previously, write_tls() was always getting aligned buffers,
avoiding testing certain code paths.
 2020-04-12 16:57:10 +01:00
Nicolas Viennot cfde038d29 bench: allow MTU to be specified for the server bulk bench 2020-04-12 16:56:02 +01:00
Nicolas Viennot cc1267ed4e Improve tls_read() performance 
Changing a for loop in deframer with memmove() reduces CPU utilization
by 30% when downloading a 1G file over https.
 2020-04-12 16:26:43 +01:00
Joseph Birr-Pixton 339923fc53 Get new bogo version working 2020-04-12 11:34:22 +01:00
Joseph Birr-Pixton 42c3a8c17c Detect and reject server changing suite with 0rtt resume 2020-04-12 11:34:22 +01:00
Joseph Birr-Pixton 614abdeb0f Clean up checking of hs joiner state 
- Also check at the end of a handshake flight (bogo now has tests for this).
- Unduplicate the code for CCS checking.
- Send a more accurate alert type.
 2020-04-12 11:34:22 +01:00
Joseph Birr-Pixton 222bfa8d12 TLS1.3: swallow user_cancelled warning alerts 2020-04-12 11:34:22 +01:00
Joseph Birr-Pixton 82da9c2011 Fix client detection of bad CertificateRequests 
A certificate request with no signature schemes is meaningless.
In TLS1.3 we reject this outright, but it was allowed in TLS1.2.
Fix that first.

Secondly, fix the TLS1.2 behaviour when `choose_scheme` fails:
we want to avoid any client auth in this case, not send a certificate
but be unable to send the matching CertificateVerify.
 2020-04-10 17:25:01 +01:00
Joseph Birr-Pixton 1e98fa2eb1 Allow verifiers to override signature verification 2020-03-29 21:08:20 +01:00
dependabot-preview[bot] bdaf35b2cc Update base64 requirement from 0.11 to 0.12 
Updates the requirements on [base64](https://github.com/marshallpierce/rust-base64) to permit the latest version.
- [Release notes](https://github.com/marshallpierce/rust-base64/releases)
- [Changelog](https://github.com/marshallpierce/rust-base64/blob/master/RELEASE-NOTES.md)
- [Commits](https://github.com/marshallpierce/rust-base64/compare/v0.11.0...v0.12.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
 2020-03-15 08:37:36 +00:00
Joseph Birr-Pixton 9e92828b2f Fix typo. 2020-02-24 21:26:08 +00:00
Joseph Birr-Pixton 92600efb4f Prepare 0.17.0 2020-02-22 20:40:52 +00:00
Joseph Birr-Pixton 8a9fd05029 Don't panic on invalid private keys for client auth. 
This is a breaking change, because these APIs didn't report
failures before.
 2020-02-22 20:14:06 +00:00
Joseph Birr-Pixton 98a847df71 Require ring 0.16.11 for bug fix 2020-02-22 20:12:34 +00:00
Joseph Birr-Pixton 061b4f2767 Extend design documentation 2020-02-22 20:12:34 +00:00
Aaron Loucks 98d88f9a7a Enable documentation on docs.rs for items behind feature flags 2020-02-20 20:57:13 +00:00
dependabot-preview[bot] f6d35511e4 Update webpki-roots requirement from 0.18.0 to 0.19.0 
Updates the requirements on [webpki-roots](https://github.com/ctz/webpki-roots) to permit the latest version.
- [Release notes](https://github.com/ctz/webpki-roots/releases)
- [Commits](https://github.com/ctz/webpki-roots/compare/v/0.18.0...v/0.19.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
 2020-02-20 20:55:25 +00:00
Joseph Birr-Pixton 03b1ef03da Improvements to previous commit: 
- Don't report TLSError::AlertReceived from server when it sends
  an alert -- this error means an alert was received from the peer.
- Avoid SNI-specific alert types for client auth rejections.
- Improve new tests to also check alerts received by client.
- Improve/fix docs.
 2020-01-01 15:57:23 +00:00
Ryan Gorup 9c59aa91f5 Allow server to choose root cert for client auth based on SNI 2020-01-01 11:48:56 +00:00
Joseph Birr-Pixton 3882b3886a Delete std::error::Error::description impl 
It's deprecated.
 2020-01-01 10:52:50 +00:00
Joseph Birr-Pixton a511a2e976 Fix minor formatting weirdness 2020-01-01 10:35:13 +00:00
Joseph Birr-Pixton 866dd055b6 Test server rejection of tls1.3 kx overlap failure 2019-12-31 20:58:36 +00:00
Joseph Birr-Pixton 9636251d21 Refactor and test SNI server behaviour 2019-12-31 18:20:04 +00:00
thekuwayama fbdc4cb273 server rejects SNI containing multiple hostnames 2019-12-31 16:25:01 +00:00
Joseph Birr-Pixton 1287510bec Clippy cleanups 2019-12-22 16:39:33 +00:00