Commit Graph

76 Commits

Author SHA1 Message Date
Joseph Birr-Pixton 3d874b17aa Require interior mutability from persistence impls 2017-06-17 14:27:08 +01:00
Joseph Birr-Pixton a1119e260e Prefer ? to try! 2017-06-04 18:11:27 +01:00
Joseph Birr-Pixton 02cccf3a07 Allow configuration of whole cert verifier
This is hidden behind the dangerous_configuration feature.
2017-05-13 18:08:20 +01:00
Joseph Birr-Pixton 3bb21abda5 Fix most clippy issues 2017-02-18 06:33:42 +00:00
Joseph Birr-Pixton 466ed6381a Support RFC7627 extended master secret 2017-02-17 02:10:39 +00:00
Joseph Birr-Pixton 61580744ac Refactor how ConnState/Handler works
There's now one source of truth for the connection state:
Client/ServerSessionImpl.state.  It's the Handler (now renamed)
for the next message.

Rename a lot of the Handlers to clean things up.
2017-02-05 19:27:26 -08:00
Joseph Birr-Pixton 55db8e108b Make ResolvesServerCert have same shape as client 2017-01-29 12:13:59 +00:00
Joseph Birr-Pixton c151a431fd Attach Send+Sync to traits, rather than uses 2017-01-29 12:05:41 +00:00
Joseph Birr-Pixton 3c01801b88 Expose ResolvesClientCert/ResolvesServerCert
- make the types in these traits as standard as possible, to
  avoid exposing more internal types than necessary
- but need to expose SignatureScheme
- expose sign module too, because this is a return type of these
- improve assorted docs
- add some tests to check these are called with sane arguments

Addresses issue #44
2017-01-28 22:50:14 +00:00
Joseph Birr-Pixton b7f0a7d9e3 Fix more bogo-found issues
- in shim, support versions for server tests.
- check handshake defragmenter is aligned on key changes (like ccs)
- don't include SupportedVersions ext if it would be empty
- don't offer or support PSK_KE in clients (no pfs)
- tighten validation of hrr extensions
- tighten validation of encrypted extensions
- tighten validation of certificate extensions
- alter assorted alert descriptions
- if a server sends an ECPointFormats extension (they typically don't)
  check it contains Uncompressed.
- tighten validation of certificate messages/extensions
- tighten validation of client certreq message
- tighten validation of keyshares extensions received by server
- loosen suite compatibility check on resumption by client
2017-01-22 19:12:12 +00:00
Joseph Birr-Pixton a82414ed67 More bogo-found bug fixes:
- Fix a duplicated enum.
- Don't special-case HelloRequest for TLS1.3
- Do extra TLS1.3-specific validation of ServerHello to check
  for inappropriate extensions.
- If the client doesn't offer DHE_KE, don't send a ticket or resume from one.
2017-01-22 19:12:12 +00:00
Joseph Birr-Pixton ffff786577 Tighten up trailing data checks in:
- ClientECDHParams
- ServerHelloDone
- ServerKeyExchangePayload
2017-01-22 19:12:12 +00:00
Joseph Birr-Pixton 772f9cdbaa Send DecryptError alert on bad Finished 2017-01-22 19:12:12 +00:00
Joseph Birr-Pixton a909f736f9 Don't attempt to resume when suite varies
This avoids an error in an unlikely case, and is safe,
and matches BoringSSL's behaviour.
2017-01-22 19:12:12 +00:00
Joseph Birr-Pixton 4cf865ad48 Only do HRR once 2017-01-22 19:12:12 +00:00
Joseph Birr-Pixton 49b490226f Reduce signature schemes to those allowed in TLS1.3
This prevents PKCS#1 being used, even though we must offer
it in ClientHello for TLS1.2 compat.
2017-01-22 19:12:12 +00:00
Joseph Birr-Pixton 19064158a2 More alert/error case fixes 2017-01-22 19:12:12 +00:00
Joseph Birr-Pixton d34deab59d Fix server versions/HRR hashing 2017-01-22 19:12:12 +00:00
Joseph Birr-Pixton 84ab473fa4 Don't let handshake hash change 2017-01-22 19:12:12 +00:00
Joseph Birr-Pixton c1a3d5109e Send correct alerts for bad client certs 2017-01-22 19:12:12 +00:00
Joseph Birr-Pixton 3a7abe39e2 tls1.3: switch keys at the right times 2017-01-22 19:12:12 +00:00
Joseph Birr-Pixton 495fec681c Refactor cipher interfaces 2017-01-22 19:12:12 +00:00
Joseph Birr-Pixton 961828dfba Tighten up TLS1.3 requirements:
- reject any offered compressions
- reject any warning-level non-closure alerts
2017-01-22 19:12:12 +00:00
Joseph Birr-Pixton 365cfe7cdd Respect ticket lifetimes, and implement lifetime masking 2017-01-10 20:55:17 +00:00
Joseph Birr-Pixton 16ad9043ee Reformat uses of try!() 2017-01-08 20:28:54 +00:00
Joseph Birr-Pixton af6f17d1ce More reformatting 2017-01-06 23:44:16 +00:00
Joseph Birr-Pixton 2db5a44540 Server-side psk/ticket support 2017-01-06 23:32:55 +00:00
Joseph Birr-Pixton ed74784e58 Client-side tls1.3 ticket/PSK support 2017-01-05 21:20:57 +00:00
Joseph Birr-Pixton 36d4826b6d Server-side key updates (untested) 2017-01-05 21:20:52 +00:00
Joseph Birr-Pixton 2d7a359ee9 Allow switching versions on/off
And seeing negotiated version.
2017-01-05 21:20:32 +00:00
Joseph Birr-Pixton 924afe1afe Server-side client auth support 2017-01-05 21:19:46 +00:00
Joseph Birr-Pixton c44b246352 Server-side TLS1.3
Most tests pass, except that client certs aren't yet implemented.
2017-01-05 21:17:57 +00:00
Joseph Birr-Pixton 2a35c6c73b Support TLS1.3 KeyUpdate
This involved quite a lot of reorganisation.
2017-01-05 21:16:55 +00:00
Joseph Birr-Pixton deb4228b58 Basic unverified handshake works 2017-01-05 21:09:34 +00:00
Joseph Birr-Pixton 45d50a23ac Support assorted TLS1.3 types 2017-01-05 21:05:29 +00:00
Joseph Birr-Pixton dc1d0d08db cargo fmt
Formatting only commit: no functional change.

More cargo fmt
2017-01-04 19:49:01 +00:00
Joseph Birr-Pixton 76408b78f6 Boxed traits need to be Send and sometimes Sync 2016-10-05 21:31:14 +01:00
Corey Farwell 344ca1fb8f Remove redundant closure. 2016-09-27 22:15:30 -04:00
Joseph Birr-Pixton a62544ceeb unused import 2016-09-27 00:05:32 +01:00
Joseph Birr-Pixton 86267cef83 assert -> debug_assert in data path 2016-09-27 00:01:23 +01:00
Joseph Birr-Pixton 2a002bb335 Use Option::take instead of mem::replace 2016-09-26 19:39:34 +01:00
Joseph Birr-Pixton d97049df47 Further copy optimisations 2016-09-20 01:52:30 +01:00
Joseph Birr-Pixton ebea1df62f Reduce clones/copies of big application data 2016-09-20 00:42:11 +01:00
Joseph Birr-Pixton 3081d2b17b Support server tickets
Needs tests
2016-09-20 00:00:23 +01:00
Joseph Birr-Pixton 8f19bc7c77 Split up SessionRandoms/SessionSecrets 2016-09-11 22:01:27 +01:00
Corey Farwell 47d6139861 Prefer `is_empty` over existential `len` check. 2016-09-09 22:47:17 -04:00
Joseph Birr-Pixton 6810a7fcda improve SessionID type
this actually limits itself to 32 bytes per the spec
2016-09-03 14:48:00 +01:00
Joseph Birr-Pixton 3d60abd424 Basically working server resumption
Works with limited manual testing, needs automated tests
2016-09-03 13:45:19 +01:00
Joseph Birr-Pixton 7df444f637 Add Copy to enum types, delete some clones 2016-09-03 13:39:43 +01:00
Joseph Birr-Pixton a46c8afab5 Abolish KeyExchangeError error
It doesn't really have a different resolution
than peer misbehaviour
2016-08-24 06:46:04 +01:00