Fixes clippy and fmt
This commit is contained in:
@@ -4,12 +4,12 @@ use crate::ProtocolError;
|
||||
use crate::common::decrypted_buffer_info::DecryptedBufferInfo;
|
||||
use crate::common::decrypted_read_handler::DecryptedReadHandler;
|
||||
use crate::connection::{Handshake, State, decrypt_record};
|
||||
use crate::send_policy::FlushPolicy;
|
||||
use crate::key_schedule::KeySchedule;
|
||||
use crate::key_schedule::{ReadKeySchedule, WriteKeySchedule};
|
||||
use crate::read_buffer::ReadBuffer;
|
||||
use crate::record::{ClientRecord, ClientRecordHeader};
|
||||
use crate::record_reader::{RecordReader, RecordReaderBorrowMut};
|
||||
use crate::send_policy::FlushPolicy;
|
||||
use crate::write_buffer::{WriteBuffer, WriteBufferBorrowMut};
|
||||
use embedded_io::Error as _;
|
||||
use embedded_io::ErrorType;
|
||||
|
||||
@@ -3,12 +3,12 @@ use core::sync::atomic::Ordering;
|
||||
use crate::common::decrypted_buffer_info::DecryptedBufferInfo;
|
||||
use crate::common::decrypted_read_handler::DecryptedReadHandler;
|
||||
use crate::connection::{Handshake, State, decrypt_record};
|
||||
use crate::send_policy::FlushPolicy;
|
||||
use crate::key_schedule::KeySchedule;
|
||||
use crate::key_schedule::{ReadKeySchedule, WriteKeySchedule};
|
||||
use crate::read_buffer::ReadBuffer;
|
||||
use crate::record::{ClientRecord, ClientRecordHeader};
|
||||
use crate::record_reader::{RecordReader, RecordReaderBorrowMut};
|
||||
use crate::send_policy::FlushPolicy;
|
||||
use crate::write_buffer::{WriteBuffer, WriteBufferBorrowMut};
|
||||
use embedded_io::Error as _;
|
||||
use embedded_io::{BufRead, ErrorType, Read, Write};
|
||||
@@ -145,7 +145,9 @@ where
|
||||
|
||||
#[inline]
|
||||
fn flush_transport(&mut self) -> Result<(), ProtocolError> {
|
||||
self.delegate.flush().map_err(|e| ProtocolError::Io(e.kind()))
|
||||
self.delegate
|
||||
.flush()
|
||||
.map_err(|e| ProtocolError::Io(e.kind()))
|
||||
}
|
||||
|
||||
fn create_read_buffer(&mut self) -> ReadBuffer<'_> {
|
||||
@@ -382,7 +384,9 @@ where
|
||||
CipherSuite: TlsCipherSuite + 'static,
|
||||
{
|
||||
fn flush_transport(&mut self) -> Result<(), ProtocolError> {
|
||||
self.delegate.flush().map_err(|e| ProtocolError::Io(e.kind()))
|
||||
self.delegate
|
||||
.flush()
|
||||
.map_err(|e| ProtocolError::Io(e.kind()))
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -160,7 +160,8 @@ where
|
||||
let handshake_hash = unwrap!(self.certificate_transcript.take());
|
||||
let ctx_str = b"TLS 1.3, server CertificateVerify\x00";
|
||||
let mut msg: Vec<u8, 130> = Vec::new();
|
||||
msg.resize(64, 0x20).map_err(|_| ProtocolError::EncodeError)?;
|
||||
msg.resize(64, 0x20)
|
||||
.map_err(|_| ProtocolError::EncodeError)?;
|
||||
msg.extend_from_slice(ctx_str)
|
||||
.map_err(|_| ProtocolError::EncodeError)?;
|
||||
msg.extend_from_slice(&handshake_hash.finalize())
|
||||
|
||||
@@ -26,10 +26,8 @@ impl DecryptedReadHandler<'_> {
|
||||
&& self.source_buffer.contains(&slice_ptrs.end)
|
||||
);
|
||||
|
||||
let offset = unsafe {
|
||||
|
||||
slice_ptrs.start.offset_from(self.source_buffer.start) as usize
|
||||
};
|
||||
let offset =
|
||||
unsafe { slice_ptrs.start.offset_from(self.source_buffer.start) as usize };
|
||||
|
||||
self.buffer_info.offset = offset;
|
||||
self.buffer_info.len = slice.len();
|
||||
@@ -45,9 +43,7 @@ impl DecryptedReadHandler<'_> {
|
||||
}
|
||||
}
|
||||
ServerRecord::ChangeCipherSpec(_) => Err(ProtocolError::InternalError),
|
||||
ServerRecord::Handshake(ServerHandshake::NewSessionTicket(_)) => {
|
||||
Ok(())
|
||||
}
|
||||
ServerRecord::Handshake(ServerHandshake::NewSessionTicket(_)) => Ok(()),
|
||||
ServerRecord::Handshake(_) => {
|
||||
unimplemented!()
|
||||
}
|
||||
|
||||
@@ -97,7 +97,10 @@ where
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn verify_signature(&mut self, _verify: HandshakeVerifyRef) -> Result<(), crate::ProtocolError> {
|
||||
fn verify_signature(
|
||||
&mut self,
|
||||
_verify: HandshakeVerifyRef,
|
||||
) -> Result<(), crate::ProtocolError> {
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
@@ -206,11 +209,13 @@ impl<RNG: CryptoRngCore> SkipVerifyProvider<'_, (), RNG> {
|
||||
}
|
||||
|
||||
impl<'a, CipherSuite: TlsCipherSuite, RNG: CryptoRngCore> SkipVerifyProvider<'a, CipherSuite, RNG> {
|
||||
#[must_use]
|
||||
pub fn with_priv_key(mut self, priv_key: &'a [u8]) -> Self {
|
||||
self.priv_key = Some(priv_key);
|
||||
self
|
||||
}
|
||||
|
||||
#[must_use]
|
||||
pub fn with_cert(mut self, cert: Certificate<&'a [u8]>) -> Self {
|
||||
self.client_cert = Some(cert);
|
||||
self
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
use crate::config::{TlsCipherSuite, ConnectConfig};
|
||||
use crate::config::{ConnectConfig, TlsCipherSuite};
|
||||
use crate::handshake::{ClientHandshake, ServerHandshake};
|
||||
use crate::key_schedule::{KeySchedule, ReadKeySchedule, WriteKeySchedule};
|
||||
use crate::record::{ClientRecord, ServerRecord};
|
||||
use crate::record_reader::RecordReader;
|
||||
use crate::write_buffer::WriteBuffer;
|
||||
use crate::{HandshakeVerify, CryptoBackend, ProtocolError, Verifier};
|
||||
use crate::{CryptoBackend, HandshakeVerify, ProtocolError, Verifier};
|
||||
use crate::{
|
||||
alert::{Alert, AlertDescription, AlertLevel},
|
||||
handshake::{certificate::CertificateRef, certificate_request::CertificateRequest},
|
||||
@@ -43,8 +43,8 @@ where
|
||||
data: mut app_data,
|
||||
}) = record
|
||||
{
|
||||
let server_key = key_schedule.get_key()?;
|
||||
let nonce = key_schedule.get_nonce()?;
|
||||
let server_key = key_schedule.get_key();
|
||||
let nonce = key_schedule.get_nonce();
|
||||
|
||||
let crypto = <CipherSuite::Cipher as KeyInit>::new(server_key);
|
||||
crypto
|
||||
@@ -59,11 +59,11 @@ where
|
||||
.rfind(|(_, b)| **b != 0);
|
||||
if let Some((index, _)) = padding {
|
||||
app_data.truncate(index + 1);
|
||||
};
|
||||
}
|
||||
|
||||
// The last byte of the decrypted payload is the actual ContentType (RFC 8446 §5.4)
|
||||
let content_type =
|
||||
ContentType::of(*app_data.as_slice().last().unwrap()).ok_or(ProtocolError::InvalidRecord)?;
|
||||
let content_type = ContentType::of(*app_data.as_slice().last().unwrap())
|
||||
.ok_or(ProtocolError::InvalidRecord)?;
|
||||
|
||||
trace!("Decrypting: content type = {:?}", content_type);
|
||||
|
||||
@@ -102,8 +102,8 @@ pub(crate) fn encrypt<CipherSuite>(
|
||||
where
|
||||
CipherSuite: TlsCipherSuite,
|
||||
{
|
||||
let client_key = key_schedule.get_key()?;
|
||||
let nonce = key_schedule.get_nonce()?;
|
||||
let client_key = key_schedule.get_key();
|
||||
let nonce = key_schedule.get_nonce();
|
||||
let crypto = <CipherSuite::Cipher as KeyInit>::new(client_key);
|
||||
let len = buf.len() + <CipherSuite::Cipher as AeadCore>::TagSize::to_usize();
|
||||
|
||||
@@ -421,7 +421,10 @@ where
|
||||
ServerRecord::Handshake(server_handshake) => match server_handshake {
|
||||
ServerHandshake::ServerHello(server_hello) => {
|
||||
trace!("********* ServerHello");
|
||||
let secret = handshake.secret.take().ok_or(ProtocolError::InvalidHandshake)?;
|
||||
let secret = handshake
|
||||
.secret
|
||||
.take()
|
||||
.ok_or(ProtocolError::InvalidHandshake)?;
|
||||
let shared = server_hello
|
||||
.calculate_shared_secret(&secret)
|
||||
.ok_or(ProtocolError::InvalidKeyShare)?;
|
||||
@@ -430,9 +433,10 @@ where
|
||||
}
|
||||
_ => Err(ProtocolError::InvalidHandshake),
|
||||
},
|
||||
ServerRecord::Alert(alert) => {
|
||||
Err(ProtocolError::HandshakeAborted(alert.level, alert.description))
|
||||
}
|
||||
ServerRecord::Alert(alert) => Err(ProtocolError::HandshakeAborted(
|
||||
alert.level,
|
||||
alert.description,
|
||||
)),
|
||||
_ => Err(ProtocolError::InvalidRecord),
|
||||
}
|
||||
}
|
||||
@@ -472,7 +476,7 @@ where
|
||||
ServerHandshake::CertificateRequest(request) => {
|
||||
handshake.certificate_request.replace(request.try_into()?);
|
||||
}
|
||||
ServerHandshake::Finished(finished) => {
|
||||
ServerHandshake::Finished(finished) => {
|
||||
if !key_schedule.verify_server_finished(&finished)? {
|
||||
warn!("Server signature verification failed");
|
||||
return Err(ProtocolError::InvalidSignature);
|
||||
@@ -552,7 +556,8 @@ where
|
||||
let ctx_str = b"TLS 1.3, client CertificateVerify\x00";
|
||||
|
||||
let mut msg: heapless::Vec<u8, 146> = heapless::Vec::new();
|
||||
msg.resize(64, 0x20).map_err(|_| ProtocolError::EncodeError)?;
|
||||
msg.resize(64, 0x20)
|
||||
.map_err(|_| ProtocolError::EncodeError)?;
|
||||
msg.extend_from_slice(ctx_str)
|
||||
.map_err(|_| ProtocolError::EncodeError)?;
|
||||
msg.extend_from_slice(&key_schedule.transcript_hash().clone().finalize())
|
||||
|
||||
@@ -108,10 +108,7 @@ mod tests {
|
||||
#[test]
|
||||
fn test_parse_empty() {
|
||||
setup();
|
||||
let buffer = [
|
||||
0x00, 0x17,
|
||||
0x00, 0x00,
|
||||
];
|
||||
let buffer = [0x00, 0x17, 0x00, 0x00];
|
||||
let result = KeyShareEntry::parse(&mut ParseBuffer::new(&buffer)).unwrap();
|
||||
|
||||
assert_eq!(NamedGroup::Secp256r1, result.group);
|
||||
@@ -121,11 +118,7 @@ mod tests {
|
||||
#[test]
|
||||
fn test_parse() {
|
||||
setup();
|
||||
let buffer = [
|
||||
0x00, 0x17,
|
||||
0x00, 0x02,
|
||||
0xAA, 0xBB,
|
||||
];
|
||||
let buffer = [0x00, 0x17, 0x00, 0x02, 0xAA, 0xBB];
|
||||
let result = KeyShareEntry::parse(&mut ParseBuffer::new(&buffer)).unwrap();
|
||||
|
||||
assert_eq!(NamedGroup::Secp256r1, result.group);
|
||||
|
||||
@@ -28,6 +28,7 @@ impl MaxFragmentLength {
|
||||
}
|
||||
|
||||
pub fn encode(&self, buf: &mut CryptoBuffer) -> Result<(), ProtocolError> {
|
||||
buf.push(*self as u8).map_err(|_| ProtocolError::EncodeError)
|
||||
buf.push(*self as u8)
|
||||
.map_err(|_| ProtocolError::EncodeError)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -75,6 +75,7 @@ impl ExtensionType {
|
||||
}
|
||||
|
||||
pub fn encode(self, buf: &mut CryptoBuffer) -> Result<(), ProtocolError> {
|
||||
buf.push_u16(self as u16).map_err(|_| ProtocolError::EncodeError)
|
||||
buf.push_u16(self as u16)
|
||||
.map_err(|_| ProtocolError::EncodeError)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -14,6 +14,7 @@ pub struct CertificateRef<'a> {
|
||||
}
|
||||
|
||||
impl<'a> CertificateRef<'a> {
|
||||
#[must_use]
|
||||
pub fn with_context(request_context: &'a [u8]) -> Self {
|
||||
Self {
|
||||
raw_entries: &[],
|
||||
@@ -30,11 +31,15 @@ impl<'a> CertificateRef<'a> {
|
||||
}
|
||||
|
||||
pub fn parse(buf: &mut ParseBuffer<'a>) -> Result<Self, ProtocolError> {
|
||||
let request_context_len = buf.read_u8().map_err(|_| ProtocolError::InvalidCertificate)?;
|
||||
let request_context_len = buf
|
||||
.read_u8()
|
||||
.map_err(|_| ProtocolError::InvalidCertificate)?;
|
||||
let request_context = buf
|
||||
.slice(request_context_len as usize)
|
||||
.map_err(|_| ProtocolError::InvalidCertificate)?;
|
||||
let entries_len = buf.read_u24().map_err(|_| ProtocolError::InvalidCertificate)?;
|
||||
let entries_len = buf
|
||||
.read_u24()
|
||||
.map_err(|_| ProtocolError::InvalidCertificate)?;
|
||||
let mut raw_entries = buf
|
||||
.slice(entries_len as usize)
|
||||
.map_err(|_| ProtocolError::InvalidCertificate)?;
|
||||
|
||||
@@ -16,7 +16,9 @@ impl<'a> HandshakeVerifyRef<'a> {
|
||||
let signature_scheme =
|
||||
SignatureScheme::parse(buf).map_err(|_| ProtocolError::InvalidSignatureScheme)?;
|
||||
|
||||
let len = buf.read_u16().map_err(|_| ProtocolError::InvalidSignature)?;
|
||||
let len = buf
|
||||
.read_u16()
|
||||
.map_err(|_| ProtocolError::InvalidSignature)?;
|
||||
let signature = buf
|
||||
.slice(len as usize)
|
||||
.map_err(|_| ProtocolError::InvalidSignature)?;
|
||||
|
||||
@@ -8,7 +8,7 @@ use p256::elliptic_curve::rand_core::RngCore;
|
||||
use typenum::Unsigned;
|
||||
|
||||
use crate::ProtocolError;
|
||||
use crate::config::{TlsCipherSuite, ConnectConfig};
|
||||
use crate::config::{ConnectConfig, TlsCipherSuite};
|
||||
use crate::extensions::extension_data::alpn::AlpnProtocolNameList;
|
||||
use crate::extensions::extension_data::key_share::{KeyShareClientHello, KeyShareEntry};
|
||||
use crate::extensions::extension_data::pre_shared_key::PreSharedKeyClientHello;
|
||||
|
||||
@@ -202,11 +202,14 @@ impl<'a, CipherSuite: TlsCipherSuite> ServerHandshake<'a, CipherSuite> {
|
||||
}
|
||||
|
||||
fn parse(buf: &mut ParseBuffer<'a>) -> Result<Self, ProtocolError> {
|
||||
let handshake_type = HandshakeType::parse(buf).map_err(|_| ProtocolError::InvalidHandshake)?;
|
||||
let handshake_type =
|
||||
HandshakeType::parse(buf).map_err(|_| ProtocolError::InvalidHandshake)?;
|
||||
|
||||
trace!("handshake = {:?}", handshake_type);
|
||||
|
||||
let content_len = buf.read_u24().map_err(|_| ProtocolError::InvalidHandshake)?;
|
||||
let content_len = buf
|
||||
.read_u24()
|
||||
.map_err(|_| ProtocolError::InvalidHandshake)?;
|
||||
|
||||
let handshake = match handshake_type {
|
||||
HandshakeType::ServerHello => ServerHandshake::ServerHello(ServerHello::parse(buf)?),
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
use heapless::Vec;
|
||||
|
||||
use crate::cipher_suites::CipherSuite;
|
||||
use crate::cipher::CryptoEngine;
|
||||
use crate::cipher_suites::CipherSuite;
|
||||
use crate::extensions::extension_data::key_share::KeyShareEntry;
|
||||
use crate::extensions::messages::ServerHelloExtension;
|
||||
use crate::parse_buffer::ParseBuffer;
|
||||
@@ -18,7 +18,9 @@ pub struct ServerHello<'a> {
|
||||
impl<'a> ServerHello<'a> {
|
||||
pub fn parse(buf: &mut ParseBuffer<'a>) -> Result<ServerHello<'a>, ProtocolError> {
|
||||
// legacy_version is always 0x0303 in TLS 1.3; actual version is negotiated via extensions
|
||||
let _version = buf.read_u16().map_err(|_| ProtocolError::InvalidHandshake)?;
|
||||
let _version = buf
|
||||
.read_u16()
|
||||
.map_err(|_| ProtocolError::InvalidHandshake)?;
|
||||
|
||||
let mut random = [0; 32];
|
||||
buf.fill(&mut random)?;
|
||||
@@ -32,7 +34,8 @@ impl<'a> ServerHello<'a> {
|
||||
.slice(session_id_length as usize)
|
||||
.map_err(|_| ProtocolError::InvalidSessionIdLength)?;
|
||||
|
||||
let cipher_suite = CipherSuite::parse(buf).map_err(|_| ProtocolError::InvalidCipherSuite)?;
|
||||
let cipher_suite =
|
||||
CipherSuite::parse(buf).map_err(|_| ProtocolError::InvalidCipherSuite)?;
|
||||
|
||||
// compression_method: always 0x00 in TLS 1.3
|
||||
buf.read_u8()?;
|
||||
|
||||
@@ -70,7 +70,9 @@ where
|
||||
|
||||
match context_type {
|
||||
ContextType::None => {
|
||||
hkdf_label.push(0).map_err(|_| ProtocolError::InternalError)?;
|
||||
hkdf_label
|
||||
.push(0)
|
||||
.map_err(|_| ProtocolError::InternalError)?;
|
||||
}
|
||||
ContextType::Hash(context) => {
|
||||
hkdf_label
|
||||
@@ -156,18 +158,18 @@ where
|
||||
}
|
||||
|
||||
#[inline]
|
||||
pub fn get_key(&self) -> Result<&KeyArray<CipherSuite>, ProtocolError> {
|
||||
Ok(&self.key)
|
||||
pub fn get_key(&self) -> &KeyArray<CipherSuite> {
|
||||
&self.key
|
||||
}
|
||||
|
||||
#[inline]
|
||||
pub fn get_iv(&self) -> Result<&IvArray<CipherSuite>, ProtocolError> {
|
||||
Ok(&self.iv)
|
||||
pub fn get_iv(&self) -> &IvArray<CipherSuite> {
|
||||
&self.iv
|
||||
}
|
||||
|
||||
pub fn get_nonce(&self) -> Result<IvArray<CipherSuite>, ProtocolError> {
|
||||
let iv = self.get_iv()?;
|
||||
Ok(KeySchedule::<CipherSuite>::get_nonce(self.counter, iv))
|
||||
pub fn get_nonce(&self) -> IvArray<CipherSuite> {
|
||||
let iv = self.get_iv();
|
||||
KeySchedule::<CipherSuite>::get_nonce(self.counter, iv)
|
||||
}
|
||||
|
||||
fn calculate_traffic_secret(
|
||||
@@ -301,7 +303,6 @@ where
|
||||
// Per-record nonce: XOR the static IV with the zero-padded sequence counter (RFC 8446 §5.3)
|
||||
let counter = Self::pad::<CipherSuite::IvLen>(&counter.to_be_bytes());
|
||||
|
||||
|
||||
let mut nonce = GenericArray::default();
|
||||
|
||||
for (index, (l, r)) in iv[0..CipherSuite::IvLen::to_usize()]
|
||||
@@ -312,7 +313,6 @@ where
|
||||
nonce[index] = l ^ r;
|
||||
}
|
||||
|
||||
|
||||
nonce
|
||||
}
|
||||
|
||||
@@ -356,7 +356,6 @@ where
|
||||
// IKM is all-zeros at the master secret stage (RFC 8446 §7.1)
|
||||
self.shared.initialize(Self::zero().as_slice());
|
||||
|
||||
|
||||
self.calculate_traffic_secrets(b"c ap traffic", b"s ap traffic")?;
|
||||
self.shared.derived()
|
||||
}
|
||||
@@ -406,11 +405,11 @@ where
|
||||
self.state.increment_counter();
|
||||
}
|
||||
|
||||
pub(crate) fn get_key(&self) -> Result<&KeyArray<CipherSuite>, ProtocolError> {
|
||||
pub(crate) fn get_key(&self) -> &KeyArray<CipherSuite> {
|
||||
self.state.get_key()
|
||||
}
|
||||
|
||||
pub(crate) fn get_nonce(&self) -> Result<IvArray<CipherSuite>, ProtocolError> {
|
||||
pub(crate) fn get_nonce(&self) -> IvArray<CipherSuite> {
|
||||
self.state.get_nonce()
|
||||
}
|
||||
|
||||
@@ -453,11 +452,11 @@ where
|
||||
&mut self.transcript_hash
|
||||
}
|
||||
|
||||
pub(crate) fn get_key(&self) -> Result<&KeyArray<CipherSuite>, ProtocolError> {
|
||||
pub(crate) fn get_key(&self) -> &KeyArray<CipherSuite> {
|
||||
self.state.get_key()
|
||||
}
|
||||
|
||||
pub(crate) fn get_nonce(&self) -> Result<IvArray<CipherSuite>, ProtocolError> {
|
||||
pub(crate) fn get_nonce(&self) -> IvArray<CipherSuite> {
|
||||
self.state.get_nonce()
|
||||
}
|
||||
|
||||
|
||||
@@ -7,7 +7,6 @@
|
||||
clippy::missing_errors_doc
|
||||
)]
|
||||
|
||||
|
||||
pub(crate) mod fmt;
|
||||
|
||||
use parse_buffer::ParseError;
|
||||
@@ -16,20 +15,20 @@ mod application_data;
|
||||
pub mod blocking;
|
||||
mod buffer;
|
||||
mod change_cipher_spec;
|
||||
mod cipher;
|
||||
mod cipher_suites;
|
||||
mod common;
|
||||
mod config;
|
||||
mod connection;
|
||||
mod content_types;
|
||||
mod cipher;
|
||||
mod extensions;
|
||||
pub mod send_policy;
|
||||
mod handshake;
|
||||
mod key_schedule;
|
||||
mod parse_buffer;
|
||||
pub mod read_buffer;
|
||||
mod record;
|
||||
mod record_reader;
|
||||
pub mod send_policy;
|
||||
mod write_buffer;
|
||||
|
||||
pub use config::SkipVerifyProvider;
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
use crate::ProtocolError;
|
||||
use crate::config::{Certificate, TlsCipherSuite, TlsClock, Verifier};
|
||||
#[cfg(feature = "p384")]
|
||||
use crate::certificate::ECDSA_SHA384;
|
||||
#[cfg(feature = "ed25519")]
|
||||
@@ -7,6 +6,7 @@ use crate::certificate::ED25519;
|
||||
use crate::certificate::{DecodedCertificate, ECDSA_SHA256, Time};
|
||||
#[cfg(feature = "rsa")]
|
||||
use crate::certificate::{RSA_PKCS1_SHA256, RSA_PKCS1_SHA384, RSA_PKCS1_SHA512};
|
||||
use crate::config::{Certificate, TlsCipherSuite, TlsClock, Verifier};
|
||||
use crate::extensions::extension_data::signature_algorithms::SignatureScheme;
|
||||
use crate::handshake::{
|
||||
certificate::{
|
||||
@@ -126,7 +126,8 @@ where
|
||||
let handshake_hash = unwrap!(self.certificate_transcript.take());
|
||||
let ctx_str = b"TLS 1.3, server HandshakeVerify\x00";
|
||||
let mut msg: Vec<u8, 146> = Vec::new();
|
||||
msg.resize(64, 0x20).map_err(|_| ProtocolError::EncodeError)?;
|
||||
msg.resize(64, 0x20)
|
||||
.map_err(|_| ProtocolError::EncodeError)?;
|
||||
msg.extend_from_slice(ctx_str)
|
||||
.map_err(|_| ProtocolError::EncodeError)?;
|
||||
msg.extend_from_slice(&handshake_hash.finalize())
|
||||
@@ -165,8 +166,8 @@ fn verify_signature(
|
||||
match verify.signature_scheme {
|
||||
SignatureScheme::EcdsaSecp256r1Sha256 => {
|
||||
use p256::ecdsa::{Signature, VerifyingKey, signature::Verifier};
|
||||
let verifying_key =
|
||||
VerifyingKey::from_sec1_bytes(public_key).map_err(|_| ProtocolError::DecodeError)?;
|
||||
let verifying_key = VerifyingKey::from_sec1_bytes(public_key)
|
||||
.map_err(|_| ProtocolError::DecodeError)?;
|
||||
let signature =
|
||||
Signature::from_der(&verify.signature).map_err(|_| ProtocolError::DecodeError)?;
|
||||
verified = verifying_key.verify(message, &signature).is_ok();
|
||||
@@ -174,8 +175,8 @@ fn verify_signature(
|
||||
#[cfg(feature = "p384")]
|
||||
SignatureScheme::EcdsaSecp384r1Sha384 => {
|
||||
use p384::ecdsa::{Signature, VerifyingKey, signature::Verifier};
|
||||
let verifying_key =
|
||||
VerifyingKey::from_sec1_bytes(public_key).map_err(|_| ProtocolError::DecodeError)?;
|
||||
let verifying_key = VerifyingKey::from_sec1_bytes(public_key)
|
||||
.map_err(|_| ProtocolError::DecodeError)?;
|
||||
let signature =
|
||||
Signature::from_der(&verify.signature).map_err(|_| ProtocolError::DecodeError)?;
|
||||
verified = verifying_key.verify(message, &signature).is_ok();
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
use crate::ProtocolError;
|
||||
use crate::application_data::ApplicationData;
|
||||
use crate::change_cipher_spec::ChangeCipherSpec;
|
||||
use crate::config::{TlsCipherSuite, ConnectConfig};
|
||||
use crate::config::{ConnectConfig, TlsCipherSuite};
|
||||
use crate::content_types::ContentType;
|
||||
use crate::handshake::client_hello::ClientHello;
|
||||
use crate::handshake::{ClientHandshake, ServerHandshake};
|
||||
@@ -88,10 +88,7 @@ where
|
||||
}
|
||||
}
|
||||
|
||||
pub fn client_hello<CP>(
|
||||
config: &'config ConnectConfig<'config>,
|
||||
provider: &mut CP,
|
||||
) -> Self
|
||||
pub fn client_hello<CP>(config: &'config ConnectConfig<'config>, provider: &mut CP) -> Self
|
||||
where
|
||||
CP: CryptoBackend,
|
||||
{
|
||||
@@ -114,7 +111,7 @@ where
|
||||
match self {
|
||||
ClientRecord::Handshake(handshake, _) => handshake.encode(buf)?,
|
||||
ClientRecord::Alert(alert, _) => alert.encode(buf)?,
|
||||
};
|
||||
}
|
||||
|
||||
Ok(buf.len() - record_length_marker)
|
||||
}
|
||||
@@ -215,5 +212,4 @@ impl<'a, CipherSuite: TlsCipherSuite> ServerRecord<'a, CipherSuite> {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -1,25 +1,20 @@
|
||||
|
||||
/// Controls whether `flush()` calls also flush the underlying transport.
|
||||
///
|
||||
/// `Strict` (the default) ensures bytes reach the network immediately after every record.
|
||||
/// `Relaxed` leaves transport flushing to the caller, which can reduce syscall overhead.
|
||||
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
|
||||
#[derive(Default, Clone, Copy, Debug, PartialEq, Eq)]
|
||||
pub enum FlushPolicy {
|
||||
/// Only encrypt and hand bytes to the transport; do not call `transport.flush()`.
|
||||
Relaxed,
|
||||
|
||||
/// Call `transport.flush()` after writing each TLS record.
|
||||
#[default]
|
||||
Strict,
|
||||
}
|
||||
|
||||
impl FlushPolicy {
|
||||
#[must_use]
|
||||
pub fn flush_transport(&self) -> bool {
|
||||
matches!(self, Self::Strict)
|
||||
}
|
||||
}
|
||||
|
||||
impl Default for FlushPolicy {
|
||||
fn default() -> Self {
|
||||
FlushPolicy::Strict
|
||||
}
|
||||
}
|
||||
|
||||
@@ -29,7 +29,11 @@ pub struct EchoServer {
|
||||
}
|
||||
|
||||
impl EchoServer {
|
||||
pub fn new(server: TcpListener, mode: ServerMode, cfg: Arc<rustls::ServerConfig>) -> EchoServer {
|
||||
pub fn new(
|
||||
server: TcpListener,
|
||||
mode: ServerMode,
|
||||
cfg: Arc<rustls::ServerConfig>,
|
||||
) -> EchoServer {
|
||||
EchoServer {
|
||||
server,
|
||||
connections: HashMap::new(),
|
||||
|
||||
@@ -600,7 +600,8 @@ mod early_data {
|
||||
let test_dir = std::path::PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("tests");
|
||||
|
||||
let certs = load_certs(&test_dir.join("fixtures").join("leaf-server.pem"));
|
||||
let privkey = load_private_key(&test_dir.join("fixtures").join("leaf-server-key.pem"));
|
||||
let privkey =
|
||||
load_private_key(&test_dir.join("fixtures").join("leaf-server-key.pem"));
|
||||
|
||||
let mut config = rustls::ServerConfig::builder()
|
||||
.with_cipher_suites(rustls::ALL_CIPHER_SUITES)
|
||||
@@ -701,7 +702,8 @@ mod client_cert {
|
||||
|
||||
let ca = load_certs(&test_dir.join("fixtures").join("root-ca.pem"));
|
||||
let certs = load_certs(&test_dir.join("fixtures").join("leaf-server.pem"));
|
||||
let privkey = load_private_key(&test_dir.join("fixtures").join("leaf-server-key.pem"));
|
||||
let privkey =
|
||||
load_private_key(&test_dir.join("fixtures").join("leaf-server-key.pem"));
|
||||
|
||||
let mut client_auth_roots = rustls::RootCertStore::empty();
|
||||
for root in ca.iter() {
|
||||
@@ -745,8 +747,10 @@ mod client_cert {
|
||||
|
||||
fn signer(
|
||||
&mut self,
|
||||
) -> Result<(impl signature::SignerMut<Self::Signature>, SignatureScheme), mote_tls::ProtocolError>
|
||||
{
|
||||
) -> Result<
|
||||
(impl signature::SignerMut<Self::Signature>, SignatureScheme),
|
||||
mote_tls::ProtocolError,
|
||||
> {
|
||||
let secret_key = SecretKey::from_sec1_der(self.priv_key)
|
||||
.map_err(|_| mote_tls::ProtocolError::InvalidPrivateKey)?;
|
||||
|
||||
@@ -938,7 +942,9 @@ mod cert_verify {
|
||||
mod native_pki {
|
||||
use embedded_io_adapters::tokio_1::FromTokio;
|
||||
use mote_tls::native_pki::CertVerifier;
|
||||
use mote_tls::{Aes128GcmSha256, CryptoBackend, SignatureScheme, ProtocolError as ConnectError, Verifier};
|
||||
use mote_tls::{
|
||||
Aes128GcmSha256, CryptoBackend, ProtocolError as ConnectError, SignatureScheme, Verifier,
|
||||
};
|
||||
use p256::SecretKey;
|
||||
use p256::ecdsa::{DerSignature, SigningKey};
|
||||
use rand_core::OsRng;
|
||||
@@ -971,7 +977,9 @@ mod native_pki {
|
||||
Ok(&mut self.verifier)
|
||||
}
|
||||
|
||||
fn signer(&mut self) -> Result<(impl SignerMut<Self::Signature>, SignatureScheme), ConnectError> {
|
||||
fn signer(
|
||||
&mut self,
|
||||
) -> Result<(impl SignerMut<Self::Signature>, SignatureScheme), ConnectError> {
|
||||
let key_der = self.priv_key.ok_or(ConnectError::InvalidPrivateKey)?;
|
||||
let secret_key =
|
||||
SecretKey::from_sec1_der(key_der).map_err(|_| ConnectError::InvalidPrivateKey)?;
|
||||
@@ -1013,7 +1021,11 @@ mod native_pki {
|
||||
|
||||
let ca = load_certs(&test_dir.join("fixtures").join("root-ca.pem"));
|
||||
let certs = load_certs(&test_dir.join("fixtures").join("chain.pem"));
|
||||
let privkey = load_private_key(&test_dir.join("fixtures").join("intermediate-server-key.pem"));
|
||||
let privkey = load_private_key(
|
||||
&test_dir
|
||||
.join("fixtures")
|
||||
.join("intermediate-server-key.pem"),
|
||||
);
|
||||
|
||||
let mut client_auth_roots = rustls::RootCertStore::empty();
|
||||
for root in ca.iter() {
|
||||
@@ -1135,7 +1147,10 @@ mod native_pki {
|
||||
use digest::FixedOutputReset;
|
||||
use embedded_io_adapters::tokio_1::FromTokio;
|
||||
use mote_tls::native_pki::CertVerifier;
|
||||
use mote_tls::{Aes128GcmSha256, CryptoBackend, SignatureScheme, ProtocolError as ConnectError, Verifier};
|
||||
use mote_tls::{
|
||||
Aes128GcmSha256, CryptoBackend, ProtocolError as ConnectError, SignatureScheme,
|
||||
Verifier,
|
||||
};
|
||||
use rand_core::{CryptoRngCore, OsRng};
|
||||
use rsa::pkcs8::DecodePrivateKey;
|
||||
use rustls::server::AllowAnyAnonymousOrAuthenticatedClient;
|
||||
@@ -1183,10 +1198,13 @@ mod native_pki {
|
||||
Ok(&mut self.verifier)
|
||||
}
|
||||
|
||||
fn signer(&mut self) -> Result<(impl SignerMut<Self::Signature>, SignatureScheme), ConnectError> {
|
||||
fn signer(
|
||||
&mut self,
|
||||
) -> Result<(impl SignerMut<Self::Signature>, SignatureScheme), ConnectError>
|
||||
{
|
||||
let key_der = self.priv_key.ok_or(ConnectError::InvalidPrivateKey)?;
|
||||
let private_key =
|
||||
rsa::RsaPrivateKey::from_pkcs8_der(key_der).map_err(|_| ConnectError::InvalidPrivateKey)?;
|
||||
let private_key = rsa::RsaPrivateKey::from_pkcs8_der(key_der)
|
||||
.map_err(|_| ConnectError::InvalidPrivateKey)?;
|
||||
let signer = RsaPssSigningKey {
|
||||
rng: &mut self.rng,
|
||||
key: rsa::pss::SigningKey::<Sha256>::new(private_key),
|
||||
@@ -1222,11 +1240,14 @@ mod native_pki {
|
||||
|
||||
let versions = &[&rustls::version::TLS13];
|
||||
|
||||
let test_dir = std::path::PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("tests");
|
||||
let test_dir =
|
||||
std::path::PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("tests");
|
||||
|
||||
let ca = load_certs(&test_dir.join("fixtures").join("rsa-root-ca.pem"));
|
||||
let certs = load_certs(&test_dir.join("fixtures").join("rsa-leaf-server.pem"));
|
||||
let privkey = load_private_key(&test_dir.join("fixtures").join("rsa-leaf-server-key.pem"));
|
||||
let privkey = load_private_key(
|
||||
&test_dir.join("fixtures").join("rsa-leaf-server-key.pem"),
|
||||
);
|
||||
|
||||
let mut client_auth_roots = rustls::RootCertStore::empty();
|
||||
for root in ca.iter() {
|
||||
|
||||
Reference in New Issue
Block a user