pub/latls
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixes clippy and fmt
Some checks failed
CI / build (push) Successful in 27s
Details
CI / no-std (push) Successful in 26s
Details
CI / clippy (push) Successful in 26s
Details
CI / test (push) Failing after 32s
Details

Browse Source
This commit is contained in:
Kris Kwiatkowski
2026-02-21 08:28:05 +00:00
parent 672d6d5aaa
commit d468a60276
21 changed files with 135 additions and 101 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/asynch.rs
View File

@@ -4,12 +4,12 @@ use crate::ProtocolError;
use crate::common::decrypted_buffer_info::DecryptedBufferInfo; use crate::common::decrypted_buffer_info::DecryptedBufferInfo;
use crate::common::decrypted_read_handler::DecryptedReadHandler; use crate::common::decrypted_read_handler::DecryptedReadHandler;
use crate::connection::{Handshake, State, decrypt_record}; use crate::connection::{Handshake, State, decrypt_record};
use crate::send_policy::FlushPolicy;
use crate::key_schedule::KeySchedule; use crate::key_schedule::KeySchedule;
use crate::key_schedule::{ReadKeySchedule, WriteKeySchedule}; use crate::key_schedule::{ReadKeySchedule, WriteKeySchedule};
use crate::read_buffer::ReadBuffer; use crate::read_buffer::ReadBuffer;
use crate::record::{ClientRecord, ClientRecordHeader}; use crate::record::{ClientRecord, ClientRecordHeader};
use crate::record_reader::{RecordReader, RecordReaderBorrowMut}; use crate::record_reader::{RecordReader, RecordReaderBorrowMut};
use crate::send_policy::FlushPolicy;
use crate::write_buffer::{WriteBuffer, WriteBufferBorrowMut}; use crate::write_buffer::{WriteBuffer, WriteBufferBorrowMut};
use embedded_io::Error as _; use embedded_io::Error as _;
use embedded_io::ErrorType; use embedded_io::ErrorType;

10
src/blocking.rs
View File

@@ -3,12 +3,12 @@ use core::sync::atomic::Ordering;
use crate::common::decrypted_buffer_info::DecryptedBufferInfo; use crate::common::decrypted_buffer_info::DecryptedBufferInfo;
use crate::common::decrypted_read_handler::DecryptedReadHandler; use crate::common::decrypted_read_handler::DecryptedReadHandler;
use crate::connection::{Handshake, State, decrypt_record}; use crate::connection::{Handshake, State, decrypt_record};
use crate::send_policy::FlushPolicy;
use crate::key_schedule::KeySchedule; use crate::key_schedule::KeySchedule;
use crate::key_schedule::{ReadKeySchedule, WriteKeySchedule}; use crate::key_schedule::{ReadKeySchedule, WriteKeySchedule};
use crate::read_buffer::ReadBuffer; use crate::read_buffer::ReadBuffer;
use crate::record::{ClientRecord, ClientRecordHeader}; use crate::record::{ClientRecord, ClientRecordHeader};
use crate::record_reader::{RecordReader, RecordReaderBorrowMut}; use crate::record_reader::{RecordReader, RecordReaderBorrowMut};
use crate::send_policy::FlushPolicy;
use crate::write_buffer::{WriteBuffer, WriteBufferBorrowMut}; use crate::write_buffer::{WriteBuffer, WriteBufferBorrowMut};
use embedded_io::Error as _; use embedded_io::Error as _;
use embedded_io::{BufRead, ErrorType, Read, Write}; use embedded_io::{BufRead, ErrorType, Read, Write};
@@ -145,7 +145,9 @@ where
#[inline] #[inline]
fn flush_transport(&mut self) -> Result<(), ProtocolError> { fn flush_transport(&mut self) -> Result<(), ProtocolError> {
self.delegate.flush().map_err(|e| ProtocolError::Io(e.kind())) self.delegate
.flush()
.map_err(|e| ProtocolError::Io(e.kind()))
} }
fn create_read_buffer(&mut self) -> ReadBuffer<'_> { fn create_read_buffer(&mut self) -> ReadBuffer<'_> {
@@ -382,7 +384,9 @@ where
CipherSuite: TlsCipherSuite + 'static, CipherSuite: TlsCipherSuite + 'static,
{ {
fn flush_transport(&mut self) -> Result<(), ProtocolError> { fn flush_transport(&mut self) -> Result<(), ProtocolError> {
self.delegate.flush().map_err(|e| ProtocolError::Io(e.kind())) self.delegate
.flush()
.map_err(|e| ProtocolError::Io(e.kind()))
} }
} }

3
src/cert_verify.rs
View File

@@ -160,7 +160,8 @@ where
let handshake_hash = unwrap!(self.certificate_transcript.take()); let handshake_hash = unwrap!(self.certificate_transcript.take());
let ctx_str = b"TLS 1.3, server CertificateVerify\x00"; let ctx_str = b"TLS 1.3, server CertificateVerify\x00";
let mut msg: Vec<u8, 130> = Vec::new(); let mut msg: Vec<u8, 130> = Vec::new();
msg.resize(64, 0x20).map_err(|_| ProtocolError::EncodeError)?; msg.resize(64, 0x20)
.map_err(|_| ProtocolError::EncodeError)?;
msg.extend_from_slice(ctx_str) msg.extend_from_slice(ctx_str)
.map_err(|_| ProtocolError::EncodeError)?; .map_err(|_| ProtocolError::EncodeError)?;
msg.extend_from_slice(&handshake_hash.finalize()) msg.extend_from_slice(&handshake_hash.finalize())

10
src/common/decrypted_read_handler.rs
View File

@@ -26,10 +26,8 @@ impl DecryptedReadHandler<'_> {
&& self.source_buffer.contains(&slice_ptrs.end) && self.source_buffer.contains(&slice_ptrs.end)
); );
let offset = unsafe { let offset =
unsafe { slice_ptrs.start.offset_from(self.source_buffer.start) as usize };
slice_ptrs.start.offset_from(self.source_buffer.start) as usize
};
self.buffer_info.offset = offset; self.buffer_info.offset = offset;
self.buffer_info.len = slice.len(); self.buffer_info.len = slice.len();
@@ -45,9 +43,7 @@ impl DecryptedReadHandler<'_> {
} }
} }
ServerRecord::ChangeCipherSpec(_) => Err(ProtocolError::InternalError), ServerRecord::ChangeCipherSpec(_) => Err(ProtocolError::InternalError),
ServerRecord::Handshake(ServerHandshake::NewSessionTicket(_)) => { ServerRecord::Handshake(ServerHandshake::NewSessionTicket(_)) => Ok(()),
Ok(())
}
ServerRecord::Handshake(_) => { ServerRecord::Handshake(_) => {
unimplemented!() unimplemented!()
} }

7
src/config.rs
View File

@@ -97,7 +97,10 @@ where
Ok(()) Ok(())
} }
fn verify_signature(&mut self, _verify: HandshakeVerifyRef) -> Result<(), crate::ProtocolError> { fn verify_signature(
&mut self,
_verify: HandshakeVerifyRef,
) -> Result<(), crate::ProtocolError> {
Ok(()) Ok(())
} }
} }
@@ -206,11 +209,13 @@ impl<RNG: CryptoRngCore> SkipVerifyProvider<'_, (), RNG> {
} }
impl<'a, CipherSuite: TlsCipherSuite, RNG: CryptoRngCore> SkipVerifyProvider<'a, CipherSuite, RNG> { impl<'a, CipherSuite: TlsCipherSuite, RNG: CryptoRngCore> SkipVerifyProvider<'a, CipherSuite, RNG> {
#[must_use]
pub fn with_priv_key(mut self, priv_key: &'a [u8]) -> Self { pub fn with_priv_key(mut self, priv_key: &'a [u8]) -> Self {
self.priv_key = Some(priv_key); self.priv_key = Some(priv_key);
self self
} }
#[must_use]
pub fn with_cert(mut self, cert: Certificate<&'a [u8]>) -> Self { pub fn with_cert(mut self, cert: Certificate<&'a [u8]>) -> Self {
self.client_cert = Some(cert); self.client_cert = Some(cert);
self self

35
src/connection.rs
View File

@@ -1,10 +1,10 @@
use crate::config::{TlsCipherSuite, ConnectConfig}; use crate::config::{ConnectConfig, TlsCipherSuite};
use crate::handshake::{ClientHandshake, ServerHandshake}; use crate::handshake::{ClientHandshake, ServerHandshake};
use crate::key_schedule::{KeySchedule, ReadKeySchedule, WriteKeySchedule}; use crate::key_schedule::{KeySchedule, ReadKeySchedule, WriteKeySchedule};
use crate::record::{ClientRecord, ServerRecord}; use crate::record::{ClientRecord, ServerRecord};
use crate::record_reader::RecordReader; use crate::record_reader::RecordReader;
use crate::write_buffer::WriteBuffer; use crate::write_buffer::WriteBuffer;
use crate::{HandshakeVerify, CryptoBackend, ProtocolError, Verifier}; use crate::{CryptoBackend, HandshakeVerify, ProtocolError, Verifier};
use crate::{ use crate::{
alert::{Alert, AlertDescription, AlertLevel}, alert::{Alert, AlertDescription, AlertLevel},
handshake::{certificate::CertificateRef, certificate_request::CertificateRequest}, handshake::{certificate::CertificateRef, certificate_request::CertificateRequest},
@@ -43,8 +43,8 @@ where
data: mut app_data, data: mut app_data,
}) = record }) = record
{ {
let server_key = key_schedule.get_key()?; let server_key = key_schedule.get_key();
let nonce = key_schedule.get_nonce()?; let nonce = key_schedule.get_nonce();
let crypto = <CipherSuite::Cipher as KeyInit>::new(server_key); let crypto = <CipherSuite::Cipher as KeyInit>::new(server_key);
crypto crypto
@@ -59,11 +59,11 @@ where
.rfind(|(_, b)| **b != 0); .rfind(|(_, b)| **b != 0);
if let Some((index, _)) = padding { if let Some((index, _)) = padding {
app_data.truncate(index + 1); app_data.truncate(index + 1);
}; }
// The last byte of the decrypted payload is the actual ContentType (RFC 8446 §5.4) // The last byte of the decrypted payload is the actual ContentType (RFC 8446 §5.4)
let content_type = let content_type = ContentType::of(*app_data.as_slice().last().unwrap())
ContentType::of(*app_data.as_slice().last().unwrap()).ok_or(ProtocolError::InvalidRecord)?; .ok_or(ProtocolError::InvalidRecord)?;
trace!("Decrypting: content type = {:?}", content_type); trace!("Decrypting: content type = {:?}", content_type);
@@ -102,8 +102,8 @@ pub(crate) fn encrypt<CipherSuite>(
where where
CipherSuite: TlsCipherSuite, CipherSuite: TlsCipherSuite,
{ {
let client_key = key_schedule.get_key()?; let client_key = key_schedule.get_key();
let nonce = key_schedule.get_nonce()?; let nonce = key_schedule.get_nonce();
let crypto = <CipherSuite::Cipher as KeyInit>::new(client_key); let crypto = <CipherSuite::Cipher as KeyInit>::new(client_key);
let len = buf.len() + <CipherSuite::Cipher as AeadCore>::TagSize::to_usize(); let len = buf.len() + <CipherSuite::Cipher as AeadCore>::TagSize::to_usize();
@@ -421,7 +421,10 @@ where
ServerRecord::Handshake(server_handshake) => match server_handshake { ServerRecord::Handshake(server_handshake) => match server_handshake {
ServerHandshake::ServerHello(server_hello) => { ServerHandshake::ServerHello(server_hello) => {
trace!("********* ServerHello"); trace!("********* ServerHello");
let secret = handshake.secret.take().ok_or(ProtocolError::InvalidHandshake)?; let secret = handshake
.secret
.take()
.ok_or(ProtocolError::InvalidHandshake)?;
let shared = server_hello let shared = server_hello
.calculate_shared_secret(&secret) .calculate_shared_secret(&secret)
.ok_or(ProtocolError::InvalidKeyShare)?; .ok_or(ProtocolError::InvalidKeyShare)?;
@@ -430,9 +433,10 @@ where
} }
_ => Err(ProtocolError::InvalidHandshake), _ => Err(ProtocolError::InvalidHandshake),
}, },
ServerRecord::Alert(alert) => { ServerRecord::Alert(alert) => Err(ProtocolError::HandshakeAborted(
Err(ProtocolError::HandshakeAborted(alert.level, alert.description)) alert.level,
} alert.description,
)),
_ => Err(ProtocolError::InvalidRecord), _ => Err(ProtocolError::InvalidRecord),
} }
} }
@@ -472,7 +476,7 @@ where
ServerHandshake::CertificateRequest(request) => { ServerHandshake::CertificateRequest(request) => {
handshake.certificate_request.replace(request.try_into()?); handshake.certificate_request.replace(request.try_into()?);
} }
ServerHandshake::Finished(finished) => { ServerHandshake::Finished(finished) => {
if !key_schedule.verify_server_finished(&finished)? { if !key_schedule.verify_server_finished(&finished)? {
warn!("Server signature verification failed"); warn!("Server signature verification failed");
return Err(ProtocolError::InvalidSignature); return Err(ProtocolError::InvalidSignature);
@@ -552,7 +556,8 @@ where
let ctx_str = b"TLS 1.3, client CertificateVerify\x00"; let ctx_str = b"TLS 1.3, client CertificateVerify\x00";
let mut msg: heapless::Vec<u8, 146> = heapless::Vec::new(); let mut msg: heapless::Vec<u8, 146> = heapless::Vec::new();
msg.resize(64, 0x20).map_err(|_| ProtocolError::EncodeError)?; msg.resize(64, 0x20)
.map_err(|_| ProtocolError::EncodeError)?;
msg.extend_from_slice(ctx_str) msg.extend_from_slice(ctx_str)
.map_err(|_| ProtocolError::EncodeError)?; .map_err(|_| ProtocolError::EncodeError)?;
msg.extend_from_slice(&key_schedule.transcript_hash().clone().finalize()) msg.extend_from_slice(&key_schedule.transcript_hash().clone().finalize())

11
src/extensions/extension_data/key_share.rs
View File

@@ -108,10 +108,7 @@ mod tests {
#[test] #[test]
fn test_parse_empty() { fn test_parse_empty() {
setup(); setup();
let buffer = [ let buffer = [0x00, 0x17, 0x00, 0x00];
0x00, 0x17,
0x00, 0x00,
];
let result = KeyShareEntry::parse(&mut ParseBuffer::new(&buffer)).unwrap(); let result = KeyShareEntry::parse(&mut ParseBuffer::new(&buffer)).unwrap();
assert_eq!(NamedGroup::Secp256r1, result.group); assert_eq!(NamedGroup::Secp256r1, result.group);
@@ -121,11 +118,7 @@ mod tests {
#[test] #[test]
fn test_parse() { fn test_parse() {
setup(); setup();
let buffer = [ let buffer = [0x00, 0x17, 0x00, 0x02, 0xAA, 0xBB];
0x00, 0x17,
0x00, 0x02,
0xAA, 0xBB,
];
let result = KeyShareEntry::parse(&mut ParseBuffer::new(&buffer)).unwrap(); let result = KeyShareEntry::parse(&mut ParseBuffer::new(&buffer)).unwrap();
assert_eq!(NamedGroup::Secp256r1, result.group); assert_eq!(NamedGroup::Secp256r1, result.group);

3
src/extensions/extension_data/max_fragment_length.rs
View File

@@ -28,6 +28,7 @@ impl MaxFragmentLength {
} }
pub fn encode(&self, buf: &mut CryptoBuffer) -> Result<(), ProtocolError> { pub fn encode(&self, buf: &mut CryptoBuffer) -> Result<(), ProtocolError> {
buf.push(*self as u8).map_err(|_| ProtocolError::EncodeError) buf.push(*self as u8)
.map_err(|_| ProtocolError::EncodeError)
} }
} }

3
src/extensions/mod.rs
View File

@@ -75,6 +75,7 @@ impl ExtensionType {
} }
pub fn encode(self, buf: &mut CryptoBuffer) -> Result<(), ProtocolError> { pub fn encode(self, buf: &mut CryptoBuffer) -> Result<(), ProtocolError> {
buf.push_u16(self as u16).map_err(|_| ProtocolError::EncodeError) buf.push_u16(self as u16)
.map_err(|_| ProtocolError::EncodeError)
} }
} }

9
src/handshake/certificate.rs
View File

@@ -14,6 +14,7 @@ pub struct CertificateRef<'a> {
} }
impl<'a> CertificateRef<'a> { impl<'a> CertificateRef<'a> {
#[must_use]
pub fn with_context(request_context: &'a [u8]) -> Self { pub fn with_context(request_context: &'a [u8]) -> Self {
Self { Self {
raw_entries: &[], raw_entries: &[],
@@ -30,11 +31,15 @@ impl<'a> CertificateRef<'a> {
} }
pub fn parse(buf: &mut ParseBuffer<'a>) -> Result<Self, ProtocolError> { pub fn parse(buf: &mut ParseBuffer<'a>) -> Result<Self, ProtocolError> {
let request_context_len = buf.read_u8().map_err(|_| ProtocolError::InvalidCertificate)?; let request_context_len = buf
.read_u8()
.map_err(|_| ProtocolError::InvalidCertificate)?;
let request_context = buf let request_context = buf
.slice(request_context_len as usize) .slice(request_context_len as usize)
.map_err(|_| ProtocolError::InvalidCertificate)?; .map_err(|_| ProtocolError::InvalidCertificate)?;
let entries_len = buf.read_u24().map_err(|_| ProtocolError::InvalidCertificate)?; let entries_len = buf
.read_u24()
.map_err(|_| ProtocolError::InvalidCertificate)?;
let mut raw_entries = buf let mut raw_entries = buf
.slice(entries_len as usize) .slice(entries_len as usize)
.map_err(|_| ProtocolError::InvalidCertificate)?; .map_err(|_| ProtocolError::InvalidCertificate)?;

4
src/handshake/certificate_verify.rs
View File

@@ -16,7 +16,9 @@ impl<'a> HandshakeVerifyRef<'a> {
let signature_scheme = let signature_scheme =
SignatureScheme::parse(buf).map_err(|_| ProtocolError::InvalidSignatureScheme)?; SignatureScheme::parse(buf).map_err(|_| ProtocolError::InvalidSignatureScheme)?;
let len = buf.read_u16().map_err(|_| ProtocolError::InvalidSignature)?; let len = buf
.read_u16()
.map_err(|_| ProtocolError::InvalidSignature)?;
let signature = buf let signature = buf
.slice(len as usize) .slice(len as usize)
.map_err(|_| ProtocolError::InvalidSignature)?; .map_err(|_| ProtocolError::InvalidSignature)?;

2
src/handshake/client_hello.rs
View File

@@ -8,7 +8,7 @@ use p256::elliptic_curve::rand_core::RngCore;
use typenum::Unsigned; use typenum::Unsigned;
use crate::ProtocolError; use crate::ProtocolError;
use crate::config::{TlsCipherSuite, ConnectConfig}; use crate::config::{ConnectConfig, TlsCipherSuite};
use crate::extensions::extension_data::alpn::AlpnProtocolNameList; use crate::extensions::extension_data::alpn::AlpnProtocolNameList;
use crate::extensions::extension_data::key_share::{KeyShareClientHello, KeyShareEntry}; use crate::extensions::extension_data::key_share::{KeyShareClientHello, KeyShareEntry};
use crate::extensions::extension_data::pre_shared_key::PreSharedKeyClientHello; use crate::extensions::extension_data::pre_shared_key::PreSharedKeyClientHello;

7
src/handshake/mod.rs
View File

@@ -202,11 +202,14 @@ impl<'a, CipherSuite: TlsCipherSuite> ServerHandshake<'a, CipherSuite> {
} }
fn parse(buf: &mut ParseBuffer<'a>) -> Result<Self, ProtocolError> { fn parse(buf: &mut ParseBuffer<'a>) -> Result<Self, ProtocolError> {
let handshake_type = HandshakeType::parse(buf).map_err(|_| ProtocolError::InvalidHandshake)?; let handshake_type =
HandshakeType::parse(buf).map_err(|_| ProtocolError::InvalidHandshake)?;
trace!("handshake = {:?}", handshake_type); trace!("handshake = {:?}", handshake_type);
let content_len = buf.read_u24().map_err(|_| ProtocolError::InvalidHandshake)?; let content_len = buf
.read_u24()
.map_err(|_| ProtocolError::InvalidHandshake)?;
let handshake = match handshake_type { let handshake = match handshake_type {
HandshakeType::ServerHello => ServerHandshake::ServerHello(ServerHello::parse(buf)?), HandshakeType::ServerHello => ServerHandshake::ServerHello(ServerHello::parse(buf)?),

9
src/handshake/server_hello.rs
View File

@@ -1,7 +1,7 @@
use heapless::Vec; use heapless::Vec;
use crate::cipher_suites::CipherSuite;
use crate::cipher::CryptoEngine; use crate::cipher::CryptoEngine;
use crate::cipher_suites::CipherSuite;
use crate::extensions::extension_data::key_share::KeyShareEntry; use crate::extensions::extension_data::key_share::KeyShareEntry;
use crate::extensions::messages::ServerHelloExtension; use crate::extensions::messages::ServerHelloExtension;
use crate::parse_buffer::ParseBuffer; use crate::parse_buffer::ParseBuffer;
@@ -18,7 +18,9 @@ pub struct ServerHello<'a> {
impl<'a> ServerHello<'a> { impl<'a> ServerHello<'a> {
pub fn parse(buf: &mut ParseBuffer<'a>) -> Result<ServerHello<'a>, ProtocolError> { pub fn parse(buf: &mut ParseBuffer<'a>) -> Result<ServerHello<'a>, ProtocolError> {
// legacy_version is always 0x0303 in TLS 1.3; actual version is negotiated via extensions // legacy_version is always 0x0303 in TLS 1.3; actual version is negotiated via extensions
let _version = buf.read_u16().map_err(|_| ProtocolError::InvalidHandshake)?; let _version = buf
.read_u16()
.map_err(|_| ProtocolError::InvalidHandshake)?;
let mut random = [0; 32]; let mut random = [0; 32];
buf.fill(&mut random)?; buf.fill(&mut random)?;
@@ -32,7 +34,8 @@ impl<'a> ServerHello<'a> {
.slice(session_id_length as usize) .slice(session_id_length as usize)
.map_err(|_| ProtocolError::InvalidSessionIdLength)?; .map_err(|_| ProtocolError::InvalidSessionIdLength)?;
let cipher_suite = CipherSuite::parse(buf).map_err(|_| ProtocolError::InvalidCipherSuite)?; let cipher_suite =
CipherSuite::parse(buf).map_err(|_| ProtocolError::InvalidCipherSuite)?;
// compression_method: always 0x00 in TLS 1.3 // compression_method: always 0x00 in TLS 1.3
buf.read_u8()?; buf.read_u8()?;

29
src/key_schedule.rs
View File

@@ -70,7 +70,9 @@ where
match context_type { match context_type {
ContextType::None => { ContextType::None => {
hkdf_label.push(0).map_err(|_| ProtocolError::InternalError)?; hkdf_label
.push(0)
.map_err(|_| ProtocolError::InternalError)?;
} }
ContextType::Hash(context) => { ContextType::Hash(context) => {
hkdf_label hkdf_label
@@ -156,18 +158,18 @@ where
} }
#[inline] #[inline]
pub fn get_key(&self) -> Result<&KeyArray<CipherSuite>, ProtocolError> { pub fn get_key(&self) -> &KeyArray<CipherSuite> {
Ok(&self.key) &self.key
} }
#[inline] #[inline]
pub fn get_iv(&self) -> Result<&IvArray<CipherSuite>, ProtocolError> { pub fn get_iv(&self) -> &IvArray<CipherSuite> {
Ok(&self.iv) &self.iv
} }
pub fn get_nonce(&self) -> Result<IvArray<CipherSuite>, ProtocolError> { pub fn get_nonce(&self) -> IvArray<CipherSuite> {
let iv = self.get_iv()?; let iv = self.get_iv();
Ok(KeySchedule::<CipherSuite>::get_nonce(self.counter, iv)) KeySchedule::<CipherSuite>::get_nonce(self.counter, iv)
} }
fn calculate_traffic_secret( fn calculate_traffic_secret(
@@ -301,7 +303,6 @@ where
// Per-record nonce: XOR the static IV with the zero-padded sequence counter (RFC 8446 §5.3) // Per-record nonce: XOR the static IV with the zero-padded sequence counter (RFC 8446 §5.3)
let counter = Self::pad::<CipherSuite::IvLen>(&counter.to_be_bytes()); let counter = Self::pad::<CipherSuite::IvLen>(&counter.to_be_bytes());
let mut nonce = GenericArray::default(); let mut nonce = GenericArray::default();
for (index, (l, r)) in iv[0..CipherSuite::IvLen::to_usize()] for (index, (l, r)) in iv[0..CipherSuite::IvLen::to_usize()]
@@ -312,7 +313,6 @@ where
nonce[index] = l ^ r; nonce[index] = l ^ r;
} }
nonce nonce
} }
@@ -356,7 +356,6 @@ where
// IKM is all-zeros at the master secret stage (RFC 8446 §7.1) // IKM is all-zeros at the master secret stage (RFC 8446 §7.1)
self.shared.initialize(Self::zero().as_slice()); self.shared.initialize(Self::zero().as_slice());
self.calculate_traffic_secrets(b"c ap traffic", b"s ap traffic")?; self.calculate_traffic_secrets(b"c ap traffic", b"s ap traffic")?;
self.shared.derived() self.shared.derived()
} }
@@ -406,11 +405,11 @@ where
self.state.increment_counter(); self.state.increment_counter();
} }
pub(crate) fn get_key(&self) -> Result<&KeyArray<CipherSuite>, ProtocolError> { pub(crate) fn get_key(&self) -> &KeyArray<CipherSuite> {
self.state.get_key() self.state.get_key()
} }
pub(crate) fn get_nonce(&self) -> Result<IvArray<CipherSuite>, ProtocolError> { pub(crate) fn get_nonce(&self) -> IvArray<CipherSuite> {
self.state.get_nonce() self.state.get_nonce()
} }
@@ -453,11 +452,11 @@ where
&mut self.transcript_hash &mut self.transcript_hash
} }
pub(crate) fn get_key(&self) -> Result<&KeyArray<CipherSuite>, ProtocolError> { pub(crate) fn get_key(&self) -> &KeyArray<CipherSuite> {
self.state.get_key() self.state.get_key()
} }
pub(crate) fn get_nonce(&self) -> Result<IvArray<CipherSuite>, ProtocolError> { pub(crate) fn get_nonce(&self) -> IvArray<CipherSuite> {
self.state.get_nonce() self.state.get_nonce()
} }

5
src/lib.rs
View File

@@ -7,7 +7,6 @@
clippy::missing_errors_doc clippy::missing_errors_doc
)] )]
pub(crate) mod fmt; pub(crate) mod fmt;
use parse_buffer::ParseError; use parse_buffer::ParseError;
@@ -16,20 +15,20 @@ mod application_data;
pub mod blocking; pub mod blocking;
mod buffer; mod buffer;
mod change_cipher_spec; mod change_cipher_spec;
mod cipher;
mod cipher_suites; mod cipher_suites;
mod common; mod common;
mod config; mod config;
mod connection; mod connection;
mod content_types; mod content_types;
mod cipher;
mod extensions; mod extensions;
pub mod send_policy;
mod handshake; mod handshake;
mod key_schedule; mod key_schedule;
mod parse_buffer; mod parse_buffer;
pub mod read_buffer; pub mod read_buffer;
mod record; mod record;
mod record_reader; mod record_reader;
pub mod send_policy;
mod write_buffer; mod write_buffer;
pub use config::SkipVerifyProvider; pub use config::SkipVerifyProvider;

13
src/native_pki.rs
View File

@@ -1,5 +1,4 @@
use crate::ProtocolError; use crate::ProtocolError;
use crate::config::{Certificate, TlsCipherSuite, TlsClock, Verifier};
#[cfg(feature = "p384")] #[cfg(feature = "p384")]
use crate::certificate::ECDSA_SHA384; use crate::certificate::ECDSA_SHA384;
#[cfg(feature = "ed25519")] #[cfg(feature = "ed25519")]
@@ -7,6 +6,7 @@ use crate::certificate::ED25519;
use crate::certificate::{DecodedCertificate, ECDSA_SHA256, Time}; use crate::certificate::{DecodedCertificate, ECDSA_SHA256, Time};
#[cfg(feature = "rsa")] #[cfg(feature = "rsa")]
use crate::certificate::{RSA_PKCS1_SHA256, RSA_PKCS1_SHA384, RSA_PKCS1_SHA512}; use crate::certificate::{RSA_PKCS1_SHA256, RSA_PKCS1_SHA384, RSA_PKCS1_SHA512};
use crate::config::{Certificate, TlsCipherSuite, TlsClock, Verifier};
use crate::extensions::extension_data::signature_algorithms::SignatureScheme; use crate::extensions::extension_data::signature_algorithms::SignatureScheme;
use crate::handshake::{ use crate::handshake::{
certificate::{ certificate::{
@@ -126,7 +126,8 @@ where
let handshake_hash = unwrap!(self.certificate_transcript.take()); let handshake_hash = unwrap!(self.certificate_transcript.take());
let ctx_str = b"TLS 1.3, server HandshakeVerify\x00"; let ctx_str = b"TLS 1.3, server HandshakeVerify\x00";
let mut msg: Vec<u8, 146> = Vec::new(); let mut msg: Vec<u8, 146> = Vec::new();
msg.resize(64, 0x20).map_err(|_| ProtocolError::EncodeError)?; msg.resize(64, 0x20)
.map_err(|_| ProtocolError::EncodeError)?;
msg.extend_from_slice(ctx_str) msg.extend_from_slice(ctx_str)
.map_err(|_| ProtocolError::EncodeError)?; .map_err(|_| ProtocolError::EncodeError)?;
msg.extend_from_slice(&handshake_hash.finalize()) msg.extend_from_slice(&handshake_hash.finalize())
@@ -165,8 +166,8 @@ fn verify_signature(
match verify.signature_scheme { match verify.signature_scheme {
SignatureScheme::EcdsaSecp256r1Sha256 => { SignatureScheme::EcdsaSecp256r1Sha256 => {
use p256::ecdsa::{Signature, VerifyingKey, signature::Verifier}; use p256::ecdsa::{Signature, VerifyingKey, signature::Verifier};
let verifying_key = let verifying_key = VerifyingKey::from_sec1_bytes(public_key)
VerifyingKey::from_sec1_bytes(public_key).map_err(|_| ProtocolError::DecodeError)?; .map_err(|_| ProtocolError::DecodeError)?;
let signature = let signature =
Signature::from_der(&verify.signature).map_err(|_| ProtocolError::DecodeError)?; Signature::from_der(&verify.signature).map_err(|_| ProtocolError::DecodeError)?;
verified = verifying_key.verify(message, &signature).is_ok(); verified = verifying_key.verify(message, &signature).is_ok();
@@ -174,8 +175,8 @@ fn verify_signature(
#[cfg(feature = "p384")] #[cfg(feature = "p384")]
SignatureScheme::EcdsaSecp384r1Sha384 => { SignatureScheme::EcdsaSecp384r1Sha384 => {
use p384::ecdsa::{Signature, VerifyingKey, signature::Verifier}; use p384::ecdsa::{Signature, VerifyingKey, signature::Verifier};
let verifying_key = let verifying_key = VerifyingKey::from_sec1_bytes(public_key)
VerifyingKey::from_sec1_bytes(public_key).map_err(|_| ProtocolError::DecodeError)?; .map_err(|_| ProtocolError::DecodeError)?;
let signature = let signature =
Signature::from_der(&verify.signature).map_err(|_| ProtocolError::DecodeError)?; Signature::from_der(&verify.signature).map_err(|_| ProtocolError::DecodeError)?;
verified = verifying_key.verify(message, &signature).is_ok(); verified = verifying_key.verify(message, &signature).is_ok();

10
src/record.rs
View File

@@ -1,7 +1,7 @@
use crate::ProtocolError; use crate::ProtocolError;
use crate::application_data::ApplicationData; use crate::application_data::ApplicationData;
use crate::change_cipher_spec::ChangeCipherSpec; use crate::change_cipher_spec::ChangeCipherSpec;
use crate::config::{TlsCipherSuite, ConnectConfig}; use crate::config::{ConnectConfig, TlsCipherSuite};
use crate::content_types::ContentType; use crate::content_types::ContentType;
use crate::handshake::client_hello::ClientHello; use crate::handshake::client_hello::ClientHello;
use crate::handshake::{ClientHandshake, ServerHandshake}; use crate::handshake::{ClientHandshake, ServerHandshake};
@@ -88,10 +88,7 @@ where
} }
} }
pub fn client_hello<CP>( pub fn client_hello<CP>(config: &'config ConnectConfig<'config>, provider: &mut CP) -> Self
config: &'config ConnectConfig<'config>,
provider: &mut CP,
) -> Self
where where
CP: CryptoBackend, CP: CryptoBackend,
{ {
@@ -114,7 +111,7 @@ where
match self { match self {
ClientRecord::Handshake(handshake, _) => handshake.encode(buf)?, ClientRecord::Handshake(handshake, _) => handshake.encode(buf)?,
ClientRecord::Alert(alert, _) => alert.encode(buf)?, ClientRecord::Alert(alert, _) => alert.encode(buf)?,
}; }
Ok(buf.len() - record_length_marker) Ok(buf.len() - record_length_marker)
} }
@@ -215,5 +212,4 @@ impl<'a, CipherSuite: TlsCipherSuite> ServerRecord<'a, CipherSuite> {
} }
} }
} }
} }

11
src/send_policy.rs
View File

@@ -1,25 +1,20 @@
/// Controls whether `flush()` calls also flush the underlying transport. /// Controls whether `flush()` calls also flush the underlying transport.
/// ///
/// `Strict` (the default) ensures bytes reach the network immediately after every record. /// `Strict` (the default) ensures bytes reach the network immediately after every record.
/// `Relaxed` leaves transport flushing to the caller, which can reduce syscall overhead. /// `Relaxed` leaves transport flushing to the caller, which can reduce syscall overhead.
#[derive(Clone, Copy, Debug, PartialEq, Eq)] #[derive(Default, Clone, Copy, Debug, PartialEq, Eq)]
pub enum FlushPolicy { pub enum FlushPolicy {
/// Only encrypt and hand bytes to the transport; do not call `transport.flush()`. /// Only encrypt and hand bytes to the transport; do not call `transport.flush()`.
Relaxed, Relaxed,
/// Call `transport.flush()` after writing each TLS record. /// Call `transport.flush()` after writing each TLS record.
#[default]
Strict, Strict,
} }
impl FlushPolicy { impl FlushPolicy {
#[must_use]
pub fn flush_transport(&self) -> bool { pub fn flush_transport(&self) -> bool {
matches!(self, Self::Strict) matches!(self, Self::Strict)
} }
} }
impl Default for FlushPolicy {
fn default() -> Self {
FlushPolicy::Strict
}
}

6
tests/common/mod.rs
View File

@@ -29,7 +29,11 @@ pub struct EchoServer {
} }
impl EchoServer { impl EchoServer {
pub fn new(server: TcpListener, mode: ServerMode, cfg: Arc<rustls::ServerConfig>) -> EchoServer { pub fn new(
server: TcpListener,
mode: ServerMode,
cfg: Arc<rustls::ServerConfig>,
) -> EchoServer {
EchoServer { EchoServer {
server, server,
connections: HashMap::new(), connections: HashMap::new(),

47
tests/integration.rs
View File

@@ -600,7 +600,8 @@ mod early_data {
let test_dir = std::path::PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("tests"); let test_dir = std::path::PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("tests");
let certs = load_certs(&test_dir.join("fixtures").join("leaf-server.pem")); let certs = load_certs(&test_dir.join("fixtures").join("leaf-server.pem"));
let privkey = load_private_key(&test_dir.join("fixtures").join("leaf-server-key.pem")); let privkey =
load_private_key(&test_dir.join("fixtures").join("leaf-server-key.pem"));
let mut config = rustls::ServerConfig::builder() let mut config = rustls::ServerConfig::builder()
.with_cipher_suites(rustls::ALL_CIPHER_SUITES) .with_cipher_suites(rustls::ALL_CIPHER_SUITES)
@@ -701,7 +702,8 @@ mod client_cert {
let ca = load_certs(&test_dir.join("fixtures").join("root-ca.pem")); let ca = load_certs(&test_dir.join("fixtures").join("root-ca.pem"));
let certs = load_certs(&test_dir.join("fixtures").join("leaf-server.pem")); let certs = load_certs(&test_dir.join("fixtures").join("leaf-server.pem"));
let privkey = load_private_key(&test_dir.join("fixtures").join("leaf-server-key.pem")); let privkey =
load_private_key(&test_dir.join("fixtures").join("leaf-server-key.pem"));
let mut client_auth_roots = rustls::RootCertStore::empty(); let mut client_auth_roots = rustls::RootCertStore::empty();
for root in ca.iter() { for root in ca.iter() {
@@ -745,8 +747,10 @@ mod client_cert {
fn signer( fn signer(
&mut self, &mut self,
) -> Result<(impl signature::SignerMut<Self::Signature>, SignatureScheme), mote_tls::ProtocolError> ) -> Result<
{ (impl signature::SignerMut<Self::Signature>, SignatureScheme),
mote_tls::ProtocolError,
> {
let secret_key = SecretKey::from_sec1_der(self.priv_key) let secret_key = SecretKey::from_sec1_der(self.priv_key)
.map_err(|_| mote_tls::ProtocolError::InvalidPrivateKey)?; .map_err(|_| mote_tls::ProtocolError::InvalidPrivateKey)?;
@@ -938,7 +942,9 @@ mod cert_verify {
mod native_pki { mod native_pki {
use embedded_io_adapters::tokio_1::FromTokio; use embedded_io_adapters::tokio_1::FromTokio;
use mote_tls::native_pki::CertVerifier; use mote_tls::native_pki::CertVerifier;
use mote_tls::{Aes128GcmSha256, CryptoBackend, SignatureScheme, ProtocolError as ConnectError, Verifier}; use mote_tls::{
Aes128GcmSha256, CryptoBackend, ProtocolError as ConnectError, SignatureScheme, Verifier,
};
use p256::SecretKey; use p256::SecretKey;
use p256::ecdsa::{DerSignature, SigningKey}; use p256::ecdsa::{DerSignature, SigningKey};
use rand_core::OsRng; use rand_core::OsRng;
@@ -971,7 +977,9 @@ mod native_pki {
Ok(&mut self.verifier) Ok(&mut self.verifier)
} }
fn signer(&mut self) -> Result<(impl SignerMut<Self::Signature>, SignatureScheme), ConnectError> { fn signer(
&mut self,
) -> Result<(impl SignerMut<Self::Signature>, SignatureScheme), ConnectError> {
let key_der = self.priv_key.ok_or(ConnectError::InvalidPrivateKey)?; let key_der = self.priv_key.ok_or(ConnectError::InvalidPrivateKey)?;
let secret_key = let secret_key =
SecretKey::from_sec1_der(key_der).map_err(|_| ConnectError::InvalidPrivateKey)?; SecretKey::from_sec1_der(key_der).map_err(|_| ConnectError::InvalidPrivateKey)?;
@@ -1013,7 +1021,11 @@ mod native_pki {
let ca = load_certs(&test_dir.join("fixtures").join("root-ca.pem")); let ca = load_certs(&test_dir.join("fixtures").join("root-ca.pem"));
let certs = load_certs(&test_dir.join("fixtures").join("chain.pem")); let certs = load_certs(&test_dir.join("fixtures").join("chain.pem"));
let privkey = load_private_key(&test_dir.join("fixtures").join("intermediate-server-key.pem")); let privkey = load_private_key(
&test_dir
.join("fixtures")
.join("intermediate-server-key.pem"),
);
let mut client_auth_roots = rustls::RootCertStore::empty(); let mut client_auth_roots = rustls::RootCertStore::empty();
for root in ca.iter() { for root in ca.iter() {
@@ -1135,7 +1147,10 @@ mod native_pki {
use digest::FixedOutputReset; use digest::FixedOutputReset;
use embedded_io_adapters::tokio_1::FromTokio; use embedded_io_adapters::tokio_1::FromTokio;
use mote_tls::native_pki::CertVerifier; use mote_tls::native_pki::CertVerifier;
use mote_tls::{Aes128GcmSha256, CryptoBackend, SignatureScheme, ProtocolError as ConnectError, Verifier}; use mote_tls::{
Aes128GcmSha256, CryptoBackend, ProtocolError as ConnectError, SignatureScheme,
Verifier,
};
use rand_core::{CryptoRngCore, OsRng}; use rand_core::{CryptoRngCore, OsRng};
use rsa::pkcs8::DecodePrivateKey; use rsa::pkcs8::DecodePrivateKey;
use rustls::server::AllowAnyAnonymousOrAuthenticatedClient; use rustls::server::AllowAnyAnonymousOrAuthenticatedClient;
@@ -1183,10 +1198,13 @@ mod native_pki {
Ok(&mut self.verifier) Ok(&mut self.verifier)
} }
fn signer(&mut self) -> Result<(impl SignerMut<Self::Signature>, SignatureScheme), ConnectError> { fn signer(
&mut self,
) -> Result<(impl SignerMut<Self::Signature>, SignatureScheme), ConnectError>
{
let key_der = self.priv_key.ok_or(ConnectError::InvalidPrivateKey)?; let key_der = self.priv_key.ok_or(ConnectError::InvalidPrivateKey)?;
let private_key = let private_key = rsa::RsaPrivateKey::from_pkcs8_der(key_der)
rsa::RsaPrivateKey::from_pkcs8_der(key_der).map_err(|_| ConnectError::InvalidPrivateKey)?; .map_err(|_| ConnectError::InvalidPrivateKey)?;
let signer = RsaPssSigningKey { let signer = RsaPssSigningKey {
rng: &mut self.rng, rng: &mut self.rng,
key: rsa::pss::SigningKey::<Sha256>::new(private_key), key: rsa::pss::SigningKey::<Sha256>::new(private_key),
@@ -1222,11 +1240,14 @@ mod native_pki {
let versions = &[&rustls::version::TLS13]; let versions = &[&rustls::version::TLS13];
let test_dir = std::path::PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("tests"); let test_dir =
std::path::PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("tests");
let ca = load_certs(&test_dir.join("fixtures").join("rsa-root-ca.pem")); let ca = load_certs(&test_dir.join("fixtures").join("rsa-root-ca.pem"));
let certs = load_certs(&test_dir.join("fixtures").join("rsa-leaf-server.pem")); let certs = load_certs(&test_dir.join("fixtures").join("rsa-leaf-server.pem"));
let privkey = load_private_key(&test_dir.join("fixtures").join("rsa-leaf-server-key.pem")); let privkey = load_private_key(
&test_dir.join("fixtures").join("rsa-leaf-server-key.pem"),
);
let mut client_auth_roots = rustls::RootCertStore::empty(); let mut client_auth_roots = rustls::RootCertStore::empty();
for root in ca.iter() { for root in ca.iter() {