diff --git a/.clippy.toml b/.clippy.toml
deleted file mode 100644
index cc94ec53e13..00000000000
--- a/.clippy.toml
+++ /dev/null
@@ -1 +0,0 @@
-upper-case-acronyms-aggressive = true
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 00000000000..0133c3dea72
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1 @@
+github: ["cpu", "ctz", "djc"]
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 94b3292535d..67998e11163 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -27,3 +27,5 @@ A clear and concise description of what you expected to happen.
**Additional context**
Add any other context about the problem here.
+For example, consider including verbose logs or a packet capture. For help
+with this [see the manual](https://docs.rs/rustls/latest/rustls/manual/_03_howto/index.html#debugging).
diff --git a/.github/typos.toml b/.github/typos.toml
new file mode 100644
index 00000000000..5a8f4c2f3c3
--- /dev/null
+++ b/.github/typos.toml
@@ -0,0 +1,15 @@
+[default.extend-words]
+# encrypter as an active verb
+encrypter = "encrypter"
+
+# "type", but side-stepping the keyword and avoiding the very ugly r#type
+typ = "typ"
+
+# pn -> packet number in quic parlance
+pn = "pn"
+
+# as in Josh
+Aas = "Aas"
+
+[files]
+extend-exclude = ["*.bin", "*.json", "*.json.in", "*.svg", "macros.html", "test-ca/"]
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index aa6dca058b3..c891cc8f941 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,19 +5,23 @@ permissions:
on:
push:
- branches-ignore:
- - 'gh-readonly-queue/**'
+ branches: ['main', 'rel-*', 'ci/*']
tags:
- '**'
pull_request:
merge_group:
schedule:
- cron: '0 18 * * *'
+ workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
+env:
+ RUSTFLAGS: --deny warnings
+ AWS_LC_SYS_NO_JITTER_ENTROPY: 1
+
jobs:
build:
name: Build+test
@@ -30,6 +34,8 @@ jobs:
- nightly
os:
- ubuntu-latest
+ # aka ubuntu-latest-arm
+ - ubuntu-24.04-arm
- windows-latest
- macos-latest
exclude:
@@ -47,7 +53,7 @@ jobs:
- os: ${{ github.event_name == 'merge_group' && 'macos-latest' }}
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
@@ -62,13 +68,13 @@ jobs:
- name: Install ninja-build tool for aws-lc-fips-sys on Windows
if: runner.os == 'Windows'
- uses: seanmiddleditch/gha-setup-ninja@v5
+ uses: seanmiddleditch/gha-setup-ninja@v6
- name: Install golang for aws-lc-fips-sys on macos
if: runner.os == 'MacOS'
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
with:
- go-version: "1.22.2"
+ go-version: "stable"
- name: cargo build (debug; default features)
run: cargo build --locked
@@ -77,41 +83,28 @@ jobs:
# this is required for fips on windows.
# nb. "--all-targets" does not include doctests
- name: cargo test (release; all features)
- run: cargo test --release --locked --all-features --all-targets
+ run: cargo test --locked --release --all-features --all-targets
env:
RUST_BACKTRACE: 1
# nb. this is separate since `--doc` option cannot be combined with other target option(s) ref:
# - https://doc.rust-lang.org/cargo/commands/cargo-test.html
- name: cargo test --doc (release; all-features)
- run: cargo test --release --locked --all-features --doc
- env:
- RUST_BACKTRACE: 1
-
- - name: cargo test (debug; aws-lc-rs)
- run: cargo test --no-default-features --features aws_lc_rs,tls12,read_buf,logging,std --all-targets
+ run: cargo test --locked --release --all-features --doc
env:
RUST_BACKTRACE: 1
- - name: cargo test (release; fips)
- run: cargo test --release --no-default-features --features fips,tls12,read_buf,logging,std --all-targets
- env:
- RUST_BACKTRACE: 1
-
- - name: cargo build (debug; rustls-provider-example)
- run: cargo build --locked -p rustls-provider-example
-
- - name: cargo build (debug; rustls-provider-example lib in no-std mode)
- run: cargo build --locked -p rustls-provider-example --no-default-features
-
- - name: cargo test (debug; rustls-provider-example; all features)
- run: cargo test --all-features -p rustls-provider-example
+ - name: cargo build (debug; no-std)
+ run: |
+ cargo build --locked --lib -p rustls $(admin/all-features-except std,brotli rustls)
+ cargo build --locked --lib -p rustls-ring --no-default-features
+ cargo build --locked --lib -p rustls-aws-lc-rs --no-default-features --features aws-lc-sys
- name: cargo build (debug; rustls-provider-test)
run: cargo build --locked -p rustls-provider-test
- name: cargo test (debug; rustls-provider-test; all features)
- run: cargo test --all-features -p rustls-provider-test
+ run: cargo test --locked --all-features -p rustls-provider-test
- name: cargo package --all-features -p rustls
run: cargo package --all-features -p rustls
@@ -121,20 +114,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
- uses: dtolnay/rust-toolchain@master
with:
- toolchain: "1.71"
-
- # zlib-rs is optional and requires a later MSRV
- - run: cargo check --locked --lib $(admin/all-features-except zlib rustls) -p rustls
-
- - uses: dtolnay/rust-toolchain@master
- with:
- toolchain: "1.75"
+ toolchain: "1.85"
- run: cargo check --locked --lib --all-features -p rustls
@@ -143,7 +129,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
@@ -153,18 +139,10 @@ jobs:
target: x86_64-unknown-none
- name: cargo build (debug; default features)
- run: cargo build --locked
- working-directory: rustls
-
- # this target does _not_ include the libstd crate in its sysroot
- # it will catch unwanted usage of libstd in _dependencies_
- - name: cargo build (debug; no default features; no-std)
- run: cargo build --locked --no-default-features --target x86_64-unknown-none
- working-directory: rustls
-
- - name: cargo build (debug; no default features; no-std, hashbrown)
- run: cargo build --locked --no-default-features --features hashbrown --target x86_64-unknown-none
- working-directory: rustls
+ run: |
+ cargo build --locked -p rustls
+ cargo build --locked -p rustls-ring
+ cargo build --locked -p rustls-aws-lc-rs
- name: cargo test (debug; default features)
run: cargo test --locked
@@ -173,20 +151,15 @@ jobs:
RUST_BACKTRACE: 1
- name: cargo test (debug; no default features)
- run: cargo test --locked --no-default-features
- working-directory: rustls
-
- - name: cargo test (debug; no default features; tls12)
- run: cargo test --locked --no-default-features --features tls12,std
- working-directory: rustls
-
- - name: cargo test (debug; no default features; aws-lc-rs,tls12)
- run: cargo test --no-default-features --features aws_lc_rs,tls12,std
- working-directory: rustls
+ run: |
+ cargo test --locked -p rustls --no-default-features
+ cargo test --locked -p rustls-ring --no-default-features
+ cargo test --locked -p rustls-aws-lc-rs --no-default-features --features aws-lc-sys
- - name: cargo test (debug; no default features; fips,tls12)
- run: cargo test --no-default-features --features fips,tls12,std
- working-directory: rustls
+ - name: cargo test (debug; no default features; std)
+ run: |
+ cargo test --locked -p rustls-ring --no-default-features --features std
+ cargo test --locked -p rustls-aws-lc-rs --no-default-features --features std --features aws-lc-sys
- name: cargo test (release; no run)
run: cargo test --locked --release --no-run
@@ -197,7 +170,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
@@ -205,10 +178,9 @@ jobs:
uses: dtolnay/rust-toolchain@stable
- name: Install golang toolchain
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
with:
- go-version: "1.21"
- cache: false
+ go-version: "stable"
- name: Run test suite (ring)
working-directory: bogo
@@ -228,28 +200,27 @@ jobs:
env:
BOGO_SHIM_PROVIDER: aws-lc-rs-fips
- - name: Run test suite (post-quantum)
- working-directory: bogo
- run: ./runme
- env:
- BOGO_SHIM_PROVIDER: post-quantum
-
fuzz:
name: Smoke-test fuzzing targets
runs-on: ubuntu-latest
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
- - name: Install nightly toolchain
- uses: dtolnay/rust-toolchain@nightly
+ - name: Install stable toolchain
+ uses: dtolnay/rust-toolchain@stable
- name: Install cargo fuzz
- run: cargo install cargo-fuzz
+ uses: taiki-e/cache-cargo-install-action@v3
+ with:
+ tool: cargo-fuzz
- name: Smoke-test fuzz targets
+ env:
+ # cargo fuzz uses a bunch of -Z options
+ RUSTC_BOOTSTRAP: 1
run: |
cargo fuzz build
for target in $(cargo fuzz list) ; do
@@ -261,12 +232,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
- - name: Install nightly toolchain
- uses: dtolnay/rust-toolchain@nightly
+ - name: Install stable toolchain
+ uses: dtolnay/rust-toolchain@stable
- name: Smoke-test benchmark program (ring)
run: cargo run -p rustls-bench --profile=bench --locked --features ring -- --multiplier 0.1
@@ -281,17 +252,20 @@ jobs:
run: cargo bench --locked --all-features
env:
RUSTFLAGS: --cfg=bench
+ # unit-benchmarks are permanantly unstable
+ RUSTC_BOOTSTRAP: 1
docs:
name: Check for documentation errors
runs-on: ubuntu-latest
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
- name: Install rust toolchain
+ # use nightly to mirror docs.rs
uses: dtolnay/rust-toolchain@nightly
- name: cargo doc (rustls; all features)
@@ -305,29 +279,37 @@ jobs:
./admin/pull-readme
git diff --exit-code
+ - name: Spell check code
+ uses: crate-ci/typos@v1
+ with:
+ config: .github/typos.toml
+
+
coverage:
name: Measure coverage
runs-on: ubuntu-latest
if: github.event_name != 'merge_group'
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
- name: Install rust toolchain
- uses: dtolnay/rust-toolchain@stable
+ uses: dtolnay/rust-toolchain@nightly
with:
components: llvm-tools
- name: Install cargo-llvm-cov
- run: cargo install cargo-llvm-cov
+ uses: taiki-e/cache-cargo-install-action@v3
+ with:
+ tool: cargo-llvm-cov
- name: Measure coverage
run: ./admin/coverage --lcov --output-path final.info
- name: Report to codecov.io
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@v6
with:
files: final.info
token: ${{ secrets.CODECOV_TOKEN }}
@@ -338,12 +320,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
- name: Install rust toolchain
- uses: dtolnay/rust-toolchain@nightly
+ uses: dtolnay/rust-toolchain@stable
- name: Install cargo-minimal-versions
uses: taiki-e/install-action@cargo-minimal-versions
@@ -355,6 +337,9 @@ jobs:
- name: Check direct-minimal-versions
run: cargo minimal-versions --direct --ignore-private check
working-directory: rustls/
+ env:
+ # `cargo minimal-versions` uses unstable cargo features
+ RUSTC_BOOTSTRAP: 1
cross:
name: cross-target testing
@@ -367,7 +352,7 @@ jobs:
- armv7-linux-androideabi
- i686-linux-android
- thumbv7neon-linux-androideabi
- # Other standard 32-bit (Linux) targets (SKIP bindgen for i686 only)
+ # Other standard 32-bit (Linux) targets
- i586-unknown-linux-gnu
- i686-unknown-linux-gnu
# exotic Linux targets:
@@ -379,25 +364,28 @@ jobs:
- aarch64-linux-android
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
- name: Install rust toolchain
uses: dtolnay/rust-toolchain@stable
- - name: Install cross (cross-rs) from GitHub
- run: cargo install cross --git https://github.com/cross-rs/cross
- - name: Install bindgen feature & CLI for aws-lc-sys (as needed for many cross targets)
- if: ${{ matrix.target != 'i686-unknown-linux-gnu' }}
- run: cargo add --dev --features bindgen 'aws-lc-sys@>0.20' --package rustls --verbose && cargo install bindgen-cli --verbose
+ - name: Install cross
+ uses: taiki-e/cache-cargo-install-action@v3
+ with:
+ tool: cross
+ git: https://github.com/cross-rs/cross
+ # known-working main in feb 2025, bump as needed
+ rev: c7dee4d
- run: cross test --package rustls --target ${{ matrix.target }}
+ - run: cross test --package rustls-test --features aws-lc-rs --no-default-features --target ${{ matrix.target }}
semver:
name: Check semver compatibility
runs-on: ubuntu-latest
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
@@ -409,7 +397,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
- name: Install rust toolchain
@@ -428,30 +416,28 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
- name: Install rust nightly toolchain
- uses: dtolnay/rust-toolchain@master
+ uses: dtolnay/rust-toolchain@nightly
with:
components: rustfmt
- toolchain: nightly-2024-02-21
- name: Check formatting (unstable)
run: cargo fmt --all -- --check --config-path .rustfmt.unstable.toml
- continue-on-error: true
- name: Check formatting (unstable, connect-tests workspace)
run: cargo fmt --all --manifest-path=connect-tests/Cargo.toml -- --check --config-path .rustfmt.unstable.toml
- continue-on-error: true
- name: Check formatting (unstable, fuzz workspace)
run: cargo fmt --all --manifest-path=fuzz/Cargo.toml -- --check --config-path .rustfmt.unstable.toml
- continue-on-error: true
+ - if: ${{ failure() }}
+ run: echo "Nightly formatting check failed. Please run \`cargo +nightly fmt-unstable\`"
clippy:
name: Clippy
runs-on: ubuntu-latest
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
@@ -463,17 +449,14 @@ jobs:
uses: dtolnay/rust-toolchain@stable
with:
components: clippy
- # - we want to be free of any warnings, so deny them
- # - disable incompatible_msrv as it does not understand that we apply our
- # MSRV to the just the core crate.
- - run: ./admin/clippy -- --deny warnings --allow clippy::incompatible_msrv
+ - run: ./admin/clippy -- --deny warnings
clippy-nightly:
name: Clippy (Nightly)
runs-on: ubuntu-latest
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
@@ -485,7 +468,7 @@ jobs:
uses: dtolnay/rust-toolchain@nightly
with:
components: clippy
- # do not deny warnings, as nightly clippy sometimes has false negatives
+ # Do not deny warnings, as nightly clippy sometimes has false negatives.
- run: ./admin/clippy
check-external-types:
@@ -493,15 +476,18 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
- name: Install rust toolchain
uses: dtolnay/rust-toolchain@master
with:
- toolchain: nightly-2024-06-30
+ toolchain: nightly-2025-10-18
# ^ sync with https://github.com/awslabs/cargo-check-external-types/blob/main/rust-toolchain.toml
- - run: cargo install --locked cargo-check-external-types
+ - name: Install cargo-check-external-types
+ uses: taiki-e/cache-cargo-install-action@v3
+ with:
+ tool: cargo-check-external-types
- name: run cargo-check-external-types for rustls/
working-directory: rustls/
run: cargo check-external-types
@@ -513,7 +499,7 @@ jobs:
VERSION: openssl-3.4.0
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
@@ -521,7 +507,7 @@ jobs:
uses: dtolnay/rust-toolchain@stable
- name: Cache ${{ env.VERSION }}
- uses: actions/cache@v4
+ uses: actions/cache@v5
id: cache-openssl
with:
path: ${{ env.VERSION }}
@@ -551,3 +537,9 @@ jobs:
run: cargo test --locked -- --include-ignored
env:
RUST_BACKTRACE: 1
+
+ audit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ - uses: EmbarkStudios/cargo-deny-action@v2
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index af7f2fea25d..d85767cf45d 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -1,4 +1,6 @@
name: CIFuzz
+permissions:
+ contents: read
on: [pull_request]
concurrency:
@@ -24,7 +26,7 @@ jobs:
dry-run: false
language: rust
- name: Upload Crash
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v7
if: failure() && steps.build.outcome == 'success'
with:
name: artifacts
diff --git a/.github/workflows/daily-tests.yml b/.github/workflows/daily-tests.yml
index e526a2e409d..d2a714fa384 100644
--- a/.github/workflows/daily-tests.yml
+++ b/.github/workflows/daily-tests.yml
@@ -31,7 +31,7 @@ jobs:
rust: stable
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
@@ -46,7 +46,7 @@ jobs:
- name: Install ninja-build tool for aws-lc-fips-sys on Windows
if: runner.os == 'Windows'
- uses: seanmiddleditch/gha-setup-ninja@v5
+ uses: seanmiddleditch/gha-setup-ninja@v6
- name: Build example programs
run: cargo build --locked -p rustls-examples
@@ -75,7 +75,7 @@ jobs:
rust: stable
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
@@ -90,7 +90,7 @@ jobs:
- name: Install ninja-build tool for aws-lc-fips-sys on Windows
if: runner.os == 'Windows'
- uses: seanmiddleditch/gha-setup-ninja@v5
+ uses: seanmiddleditch/gha-setup-ninja@v6
- name: Check simple client
run: cargo run --locked -p rustls-examples --bin simpleclient
@@ -101,15 +101,6 @@ jobs:
- name: Check simple 0rtt client
run: cargo run --locked -p rustls-examples --bin simple_0rtt_client
- - name: Check unbuffered client
- run: cargo run --locked -p rustls-examples --bin unbuffered-client
-
- - name: Check unbuffered tokio client
- run: cargo run --locked -p rustls-examples --bin unbuffered-async-client
-
- - name: Check unbuffered async-std client
- run: cargo run --locked -p rustls-examples --bin unbuffered-async-client --features=async-std
-
# Test the server_acceptor binary builds - we invoke with --help since it
# will run a server process that doesn't exit when invoked with no args
- name: Check server acceptor
@@ -125,19 +116,23 @@ jobs:
cargo run --locked -p rustls-examples --bin ech-client -- --host min-ng.test.defo.ie --path "echstat.php?format=json" public.test.defo.ie min-ng.test.defo.ie |
grep '"SSL_ECH_STATUS": "success"'
- - name: Check provider-example client
- run: cargo run --locked -p rustls-provider-example --example client
+ - name: Check ech-client (tls-ech.dev)
+ run: >
+ cargo run --locked -p rustls-examples --bin ech-client -- --path "/" public.tls-ech.dev tls-ech.dev |
+ grep 'You are using ECH.'
- name: Check rustls-post-quantum client
run: cargo run --locked -p rustls-post-quantum --example client | grep 'kex=X25519MLKEM768'
+ - name: Smoke test for secp256r1mlkem768 interop
+ run: cargo run --locked -p rustls-examples --bin tlsclient-mio -- --http --key-exchange secp256r1mlkem768 --verbose openquantumsafe.org
feature-powerset:
name: Feature Powerset
runs-on: ubuntu-latest
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
@@ -153,10 +148,5 @@ jobs:
--package rustls
--feature-powerset
--no-dev-deps
- --group-features aws_lc_rs,aws-lc-rs
- --group-features fips,aws_lc_rs
- --mutually-exclusive-features fips,ring
- --mutually-exclusive-features custom_provider,aws_lc_rs
- --mutually-exclusive-features custom_provider,ring
env:
RUSTFLAGS: --deny warnings
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 82f7a17d9ac..31b5f7e172b 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -5,6 +5,7 @@ permissions:
on:
workflow_dispatch:
+ pull_request:
push:
branches:
- main
@@ -17,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
with:
persist-credentials: false
@@ -39,16 +40,16 @@ jobs:
- name: cargo doc
# keep features in sync with Cargo.toml `[package.metadata.docs.rs]` section
- run: cargo doc --locked --features read_buf,ring --no-deps --package rustls
+ run: cargo doc --locked --features brotli,hashbrown,log,zlib --no-deps --package rustls
env:
- RUSTDOCFLAGS: -Dwarnings --cfg=docsrs --html-after-content tag.html
+ RUSTDOCFLAGS: -Dwarnings --cfg=rustls_docsrs --html-after-content tag.html
- name: Generate other pages
run: |
cd website && zola build --output-dir ../target/website/
- name: Restore lychee cache
- uses: actions/cache@v4
+ uses: actions/cache@v5
with:
path: .lycheecache
key: cache-lychee-${{ github.sha }}
@@ -71,17 +72,18 @@ jobs:
# lockfile causes deployment step to go wrong, due to permissions
rm -f target/doc/.lock
# move the result into website root
- mv target/doc/rustls target/website/docs
+ mv target/doc/* target/website/
+ mv target/website/rustls target/website/docs
- name: Package and upload artifact
- uses: actions/upload-pages-artifact@v3
+ uses: actions/upload-pages-artifact@v5
with:
path: ./target/website/
deploy:
name: Deploy
runs-on: ubuntu-latest
- if: github.repository == 'rustls/rustls'
+ if: github.repository == 'rustls/rustls' && github.ref == 'refs/heads/main'
needs: generate
permissions:
pages: write
@@ -92,4 +94,4 @@ jobs:
steps:
- name: Deploy to GitHub Pages
id: deployment
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@v5
diff --git a/.lycheeignore b/.lycheeignore
index 7b7e55f13b4..cec975d6c65 100644
--- a/.lycheeignore
+++ b/.lycheeignore
@@ -1,3 +1,2 @@
^file\:\/\/\/.*\/target\/doc\/index\.html$
-^http:\/\/www\.isg\.rhul\.ac\.uk\/tls\/Lucky13.html$
^http:\/\/www\.adobe\.com/$
diff --git a/.rustfmt.toml b/.rustfmt.toml
index e70b64a4ae9..6388c7aeea2 100644
--- a/.rustfmt.toml
+++ b/.rustfmt.toml
@@ -1 +1,3 @@
-chain_width=40
+# keep in sync with .rustfmt.unstable.toml
+chain_width = 40
+style_edition = "2024"
diff --git a/.rustfmt.unstable.toml b/.rustfmt.unstable.toml
index 521dae776b2..1a3d4f9bb79 100644
--- a/.rustfmt.unstable.toml
+++ b/.rustfmt.unstable.toml
@@ -1,5 +1,6 @@
# keep in sync with .rustfmt.toml
chain_width = 40
+style_edition = "2024"
# format imports
group_imports = "StdExternalCrate"
diff --git a/.taplo.toml b/.taplo.toml
new file mode 100644
index 00000000000..f819ac88b10
--- /dev/null
+++ b/.taplo.toml
@@ -0,0 +1,3 @@
+[formatting]
+align_comments = false
+column_width = 110
diff --git a/BENCHMARKING.md b/BENCHMARKING.md
index 2af41f8e0f3..d93ccd86393 100644
--- a/BENCHMARKING.md
+++ b/BENCHMARKING.md
@@ -6,11 +6,14 @@ information on how to run them.
## Throughput and memory usage benchmarks
These benchmarks measure the throughput and memory footprint you get from rustls. They have been
-used in the past to compare performance against OpenSSL (see the results of [December
-2023](https://github.com/aochagavia/rustls-bench-results) and [July
-2019](https://jbp.io/2019/07/01/rustls-vs-openssl-performance.html)). You can also use them to
-evaluate rustls' performance on different hardware (e.g. a bare-metal server with support for
-AVX-512 instructions vs. a cloud VM with a consumer-grade CPU).
+used in the past to compare performance against OpenSSL:
+
+- See [the most up-to-date reports](https://rustls.dev/perf/).
+- See the [historical results from December 2023](https://github.com/aochagavia/rustls-bench-results).
+- See the [historical results from July 2019](https://jbp.io/2019/07/01/rustls-vs-openssl-performance.html).
+
+You can also use them to evaluate rustls' performance on different hardware (e.g. a bare-metal server
+with support for AVX-512 instructions vs. a cloud VM with a consumer-grade CPU).
The measured aspects are:
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 8494f34780a..86964dbb9ad 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -59,7 +59,7 @@ If you're *looking* for security bugs, this crate is set up for
## Testing
- Features involving additions to the public API should have (at least)
- API-level tests (see [`rustls/tests/api.rs`](rustls/tests/api.rs)).
+ API-level tests (see [`rustls-test/tests/api/`](rustls-test/tests/api/)).
- Protocol additions should have some coverage -- consider enabling
corresponding tests in the bogo suite, or writing some ad hoc tests.
@@ -70,23 +70,12 @@ are unlikely to be accepted.
Generally any test that relies on a `CryptoProvider` anywhere, should
be run against all `CryptoProvider`s, such that
-`cargo test --all-features` runs the test several times. To achieve that
-we have two methods:
+`cargo test --all-features` runs the test several times.
-- For unit tests, see `rustls/src/test_macros.rs` which provides the
- `test_for_each_provider!` macro. This can be placed around normal
- tests and instantiates the tests once per provider.
-
- Note that rustfmt does not format code inside a macro invocation:
- when developing test code, sed `test_for_each_provider! {` to `mod tests {`,
- format the code, then sed it back.
-
-- For integration tests -- where the amount of test code is more significant,
- and lack of rustfmt support is more painful -- we instantiate the tests
- by importing them multiple times, and then the tests resolve the provider
- module to use via `super::provider`.
- For example, see `rustls/tests/runners/unbuffered.rs` and
- `rustls/tests/unbuffered.rs`.
+For integration tests -- where the amount of test code is more significant,
+we instantiate the tests by importing them multiple times, and then the tests
+resolve the provider module to use via `super::provider`. For example, see
+`rustls-test/tests/api.rs` and `rustls-test/tests/api/kx.rs`.
## Style guide
@@ -144,6 +133,22 @@ Note that we usually also practice top-down ordering here; where these are in
conflict, make a choice that you think makes sense. For getters and setters, the
order should typically mirror the order of the fields in the type definition.
+#### Attribute ordering
+
+Order attributes so that documentation appears first, and the attributes with the
+most effect on the meaning and function of the type appear last. For example:
+
+```rust
+/// Doc comment always first
+#[cfg(feature-gates)]
+#[allow(lint-configuration)]
+#[non_exhaustive]
+#[derive(Clone, Debug)]
+pub struct Foo;
+```
+
+Prefer to write `derive`d traits in alphabetical order.
+
### Functions
#### Consider avoiding short single-use functions
@@ -361,6 +366,15 @@ don't provide additional type safety. Using the
[newtype idiom](https://doc.rust-lang.org/rust-by-example/generics/new_types.html)
is one alternative when an abstraction boundary is worth the added complexity.
+#### Type exhaustiveness
+
+Public enums should be marked as _either_ `#[non_exhaustive]` or `#[allow(clippy::exhaustive_enums)]`.
+The latter is suitable for enums that are already complete by definition. For example:
+`enum CoinFlip { Heads, Tails }` is complete. Err on the side of marking something `#[non_exhaustive]`.
+
+The same applies to structs, with the detail that no manual marking is needed for
+structures with at least one private field.
+
## Design and Architecture
Some general concepts about how the library should fit together:
diff --git a/Cargo.lock b/Cargo.lock
index 04db29f222e..fca8c7b4eb0 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1,62 +1,12 @@
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
-version = 3
-
-[[package]]
-name = "addr2line"
-version = "0.24.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dfbe277e56a376000877090da837660b4427aad530e3028d44e0bffe4f89a1c1"
-dependencies = [
- "gimli",
-]
-
-[[package]]
-name = "adler2"
-version = "2.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "512761e0bb2578dd7380c6baaa0f4ce03e84f95e960231d1dec8bf4d7d6e2627"
-
-[[package]]
-name = "aead"
-version = "0.5.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d122413f284cf2d62fb1b7db97e02edb8cda96d769b16e443a4f6195e35662b0"
-dependencies = [
- "crypto-common",
- "generic-array",
-]
-
-[[package]]
-name = "aes"
-version = "0.8.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0"
-dependencies = [
- "cfg-if",
- "cipher",
- "cpufeatures",
-]
-
-[[package]]
-name = "aes-gcm"
-version = "0.10.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "831010a0f742e1209b3bcea8fab6a8e149051ba6099432c8cb2cc117dec3ead1"
-dependencies = [
- "aead",
- "aes",
- "cipher",
- "ctr",
- "ghash",
- "subtle",
-]
+version = 4
[[package]]
name = "aho-corasick"
-version = "1.1.3"
+version = "1.1.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916"
+checksum = "ddd31a130427c27518df266943a5308ed92d4b226cc639f5a8f1002816174301"
dependencies = [
"memchr",
]
@@ -76,6 +26,15 @@ dependencies = [
"alloc-no-stdlib",
]
+[[package]]
+name = "alloca"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5a7d05ea6aea7e9e64d25b9156ba2fee3fdd659e34e41063cd2fc7cd020d7f4"
+dependencies = [
+ "cc",
+]
+
[[package]]
name = "anes"
version = "0.1.6"
@@ -84,9 +43,9 @@ checksum = "4b46cbb362ab8752921c97e041f5e366ee6297bd428a31275b9fcf1e380f7299"
[[package]]
name = "anstream"
-version = "0.6.18"
+version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8acc5369981196006228e28809f761875c0327210a891e941f4c683b3a99529b"
+checksum = "824a212faf96e9acacdbd09febd34438f8f711fb84e09a8916013cd7815ca28d"
dependencies = [
"anstyle",
"anstyle-parse",
@@ -99,49 +58,50 @@ dependencies = [
[[package]]
name = "anstyle"
-version = "1.0.10"
+version = "1.0.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9"
+checksum = "940b3a0ca603d1eade50a4846a2afffd5ef57a9feac2c0e2ec2e14f9ead76000"
[[package]]
name = "anstyle-parse"
-version = "0.2.6"
+version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3b2d16507662817a6a20a9ea92df6652ee4f94f914589377d69f3b21bc5798a9"
+checksum = "52ce7f38b242319f7cabaa6813055467063ecdc9d355bbb4ce0c68908cd8130e"
dependencies = [
"utf8parse",
]
[[package]]
name = "anstyle-query"
-version = "1.1.2"
+version = "1.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "79947af37f4177cfead1110013d678905c37501914fba0efea834c3fe9a8d60c"
+checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc"
dependencies = [
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
]
[[package]]
name = "anstyle-wincon"
-version = "3.0.6"
+version = "3.0.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2109dbce0e72be3ec00bed26e6a7479ca384ad226efdd66db8fa2e3a38c83125"
+checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d"
dependencies = [
"anstyle",
- "windows-sys 0.59.0",
+ "once_cell_polyfill",
+ "windows-sys 0.61.2",
]
[[package]]
name = "anyhow"
-version = "1.0.95"
+version = "1.0.102"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "34ac096ce696dc2fcabef30516bb13c0a68a11d30131d3df6f04711467681b04"
+checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
[[package]]
name = "asn1"
-version = "0.20.0"
+version = "0.24.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2d8b84b4ea1de2bf1dcd2a759737ddb328fb6695b2a95eb7e44fed67e3406f32"
+checksum = "c9795210620c0cb3f9a7ce4f882808c38e1ef7b347c90591dceae0886e031fb1"
dependencies = [
"asn1_derive",
"itoa",
@@ -149,9 +109,9 @@ dependencies = [
[[package]]
name = "asn1-rs"
-version = "0.6.2"
+version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5493c3bedbacf7fd7382c6346bbd66687d12bbaad3a89a2d2c303ee6cf20b048"
+checksum = "56624a96882bb8c26d61312ae18cb45868e5a9992ea73c58e45c3101e56a1e60"
dependencies = [
"asn1-rs-derive",
"asn1-rs-impl",
@@ -159,19 +119,19 @@ dependencies = [
"nom",
"num-traits",
"rusticata-macros",
- "thiserror 1.0.69",
+ "thiserror",
"time",
]
[[package]]
name = "asn1-rs-derive"
-version = "0.5.1"
+version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "965c2d33e53cb6b267e148a4cb0760bc01f4904c1cd4bb4002a085bb016d1490"
+checksum = "3109e49b1e4909e9db6515a30c633684d68cdeaa252f215214cb4fa1a5bfee2c"
dependencies = [
"proc-macro2",
"quote",
- "syn 2.0.95",
+ "syn",
"synstructure",
]
@@ -183,164 +143,29 @@ checksum = "7b18050c2cd6fe86c3a76584ef5e0baf286d038cda203eb6223df2cc413565f7"
dependencies = [
"proc-macro2",
"quote",
- "syn 2.0.95",
+ "syn",
]
[[package]]
name = "asn1_derive"
-version = "0.20.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a200809d0138620b3dba989f1d08d0620e76248bc1e62a2ec1b2df5eb1ee08ad"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.95",
-]
-
-[[package]]
-name = "async-attributes"
-version = "1.1.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a3203e79f4dd9bdda415ed03cf14dae5a2bf775c683a00f94e9cd1faf0f596e5"
-dependencies = [
- "quote",
- "syn 1.0.109",
-]
-
-[[package]]
-name = "async-channel"
-version = "1.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "81953c529336010edd6d8e358f886d9581267795c61b19475b71314bffa46d35"
-dependencies = [
- "concurrent-queue",
- "event-listener 2.5.3",
- "futures-core",
-]
-
-[[package]]
-name = "async-channel"
-version = "2.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "89b47800b0be77592da0afd425cc03468052844aff33b84e33cc696f64e77b6a"
-dependencies = [
- "concurrent-queue",
- "event-listener-strategy",
- "futures-core",
- "pin-project-lite",
-]
-
-[[package]]
-name = "async-executor"
-version = "1.13.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "30ca9a001c1e8ba5149f91a74362376cc6bc5b919d92d988668657bd570bdcec"
-dependencies = [
- "async-task",
- "concurrent-queue",
- "fastrand",
- "futures-lite",
- "slab",
-]
-
-[[package]]
-name = "async-global-executor"
-version = "2.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05b1b633a2115cd122d73b955eadd9916c18c8f510ec9cd1686404c60ad1c29c"
-dependencies = [
- "async-channel 2.3.1",
- "async-executor",
- "async-io",
- "async-lock",
- "blocking",
- "futures-lite",
- "once_cell",
-]
-
-[[package]]
-name = "async-io"
-version = "2.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "43a2b323ccce0a1d90b449fd71f2a06ca7faa7c54c2751f06c9bd851fc061059"
-dependencies = [
- "async-lock",
- "cfg-if",
- "concurrent-queue",
- "futures-io",
- "futures-lite",
- "parking",
- "polling",
- "rustix",
- "slab",
- "tracing",
- "windows-sys 0.59.0",
-]
-
-[[package]]
-name = "async-lock"
-version = "3.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ff6e472cdea888a4bd64f342f09b3f50e1886d32afe8df3d663c01140b811b18"
-dependencies = [
- "event-listener 5.4.0",
- "event-listener-strategy",
- "pin-project-lite",
-]
-
-[[package]]
-name = "async-recursion"
-version = "1.1.1"
+version = "0.24.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3b43422f69d8ff38f95f1b2bb76517c91589a924d1559a0e935d7c8ce0274c11"
+checksum = "909e307f1cc32bb8bccbd98f446e6d1bf03fa30f7b53a4337da7181ad30fa11a"
dependencies = [
"proc-macro2",
"quote",
- "syn 2.0.95",
-]
-
-[[package]]
-name = "async-std"
-version = "1.13.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c634475f29802fde2b8f0b505b1bd00dfe4df7d4a000f0b36f7671197d5c3615"
-dependencies = [
- "async-attributes",
- "async-channel 1.9.0",
- "async-global-executor",
- "async-io",
- "async-lock",
- "crossbeam-utils",
- "futures-channel",
- "futures-core",
- "futures-io",
- "futures-lite",
- "gloo-timers",
- "kv-log-macro",
- "log",
- "memchr",
- "once_cell",
- "pin-project-lite",
- "pin-utils",
- "slab",
- "wasm-bindgen-futures",
+ "syn",
]
-[[package]]
-name = "async-task"
-version = "4.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b75356056920673b02621b35afd0f7dda9306d03c79a30f5c56c44cf256e3de"
-
[[package]]
name = "async-trait"
-version = "0.1.85"
+version = "0.1.89"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3f934833b4b7233644e5848f235df3f57ed8c80f1528a26c3dfa13d2147fa056"
+checksum = "9035ad2d096bed7955a320ee7e2230574d28fd3c3a0f186cbea1ff3c7eed5dbb"
dependencies = [
"proc-macro2",
"quote",
- "syn 2.0.95",
+ "syn",
]
[[package]]
@@ -351,85 +176,54 @@ checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
[[package]]
name = "autocfg"
-version = "1.4.0"
+version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26"
+checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
[[package]]
name = "aws-lc-fips-sys"
-version = "0.13.0"
+version = "0.13.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "59057b878509d88952425fe694a2806e468612bde2d71943f3cd8034935b5032"
+checksum = "d3d619165468401dec3caa3366ebffbcb83f2f31883e5b3932f8e2dec2ddc568"
dependencies = [
"bindgen",
"cc",
"cmake",
"dunce",
"fs_extra",
- "libc",
- "paste",
"regex",
]
[[package]]
name = "aws-lc-rs"
-version = "1.12.0"
+version = "1.16.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f409eb70b561706bf8abba8ca9c112729c481595893fd06a2dd9af8ed8441148"
+checksum = "0ec6fb3fe69024a75fa7e1bfb48aa6cf59706a101658ea01bfd33b2b248a038f"
dependencies = [
"aws-lc-fips-sys",
"aws-lc-sys",
- "paste",
+ "untrusted 0.7.1",
"zeroize",
]
[[package]]
name = "aws-lc-sys"
-version = "0.24.1"
+version = "0.40.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "923ded50f602b3007e5e63e3f094c479d9c8a9b42d7f4034e4afe456aa48bfd2"
+checksum = "f50037ee5e1e41e7b8f9d161680a725bd1626cb6f8c7e901f91f942850852fe7"
dependencies = [
- "bindgen",
"cc",
"cmake",
"dunce",
"fs_extra",
- "paste",
-]
-
-[[package]]
-name = "backtrace"
-version = "0.3.74"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8d82cb332cdfaed17ae235a638438ac4d4839913cc2af585c3c6746e8f8bee1a"
-dependencies = [
- "addr2line",
- "cfg-if",
- "libc",
- "miniz_oxide",
- "object",
- "rustc-demangle",
- "windows-targets 0.52.6",
]
-[[package]]
-name = "base16ct"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf"
-
[[package]]
name = "base64"
version = "0.22.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
-[[package]]
-name = "base64ct"
-version = "1.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b"
-
[[package]]
name = "bencher"
version = "0.1.5"
@@ -438,16 +232,14 @@ checksum = "7dfdb4953a096c551ce9ace855a604d702e6e62d77fac690575ae347571717f5"
[[package]]
name = "bindgen"
-version = "0.69.5"
+version = "0.72.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "271383c67ccabffb7381723dea0672a673f292304fcb45c01cc648c7a8d58088"
+checksum = "993776b509cfb49c750f11b8f07a46fa23e0a1386ffc01fb1e7d343efc387895"
dependencies = [
"bitflags",
"cexpr",
"clang-sys",
- "itertools 0.12.1",
- "lazy_static",
- "lazycell",
+ "itertools 0.13.0",
"log",
"prettyplease",
"proc-macro2",
@@ -455,37 +247,14 @@ dependencies = [
"regex",
"rustc-hash",
"shlex",
- "syn 2.0.95",
- "which",
+ "syn",
]
[[package]]
name = "bitflags"
-version = "2.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de"
-
-[[package]]
-name = "block-buffer"
-version = "0.10.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
-dependencies = [
- "generic-array",
-]
-
-[[package]]
-name = "blocking"
-version = "1.6.1"
+version = "2.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "703f41c54fc768e63e091340b424302bb1c29ef4aa0c7f10fe849dfb114d29ea"
-dependencies = [
- "async-channel 2.3.1",
- "async-task",
- "futures-io",
- "futures-lite",
- "piper",
-]
+checksum = "c4512299f36f043ab09a583e57bceb5a5aab7a73db1805848e8fef3c9e8c78b3"
[[package]]
name = "bogo"
@@ -493,15 +262,18 @@ version = "0.1.0"
dependencies = [
"base64",
"env_logger",
- "rustls 0.23.21",
- "rustls-post-quantum",
+ "nix",
+ "rustls 0.24.0-dev.0",
+ "rustls-aws-lc-rs",
+ "rustls-ring",
+ "rustls-webpki 0.104.0-alpha.7",
]
[[package]]
name = "brotli"
-version = "7.0.0"
+version = "8.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cc97b8f16f944bba54f0433f07e30be199b6dc2bd25937444bbad560bcea29bd"
+checksum = "4bd8b9603c7aa97359dbd97ecf258968c95f3adddd6db2f7e7a5bef101c84560"
dependencies = [
"alloc-no-stdlib",
"alloc-stdlib",
@@ -510,9 +282,9 @@ dependencies = [
[[package]]
name = "brotli-decompressor"
-version = "4.0.1"
+version = "5.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9a45bd2e4095a8b518033b128020dd4a55aab1c0a381ba4404a472630f4bc362"
+checksum = "874bb8112abecc98cbd6d81ea4fa7e94fb9449648c93cc89aa40c81c24d7de03"
dependencies = [
"alloc-no-stdlib",
"alloc-stdlib",
@@ -520,9 +292,9 @@ dependencies = [
[[package]]
name = "bumpalo"
-version = "3.16.0"
+version = "3.20.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "79296716171880943b8470b5f8d03aa55eb2e645a4874bdbb28adb49162e012c"
+checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb"
[[package]]
name = "byteorder"
@@ -532,9 +304,9 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
[[package]]
name = "bytes"
-version = "1.9.0"
+version = "1.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "325918d6fe32f23b19878fe4b34794ae41fc19ddbe53b10571a4874d44ffd39b"
+checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33"
[[package]]
name = "cast"
@@ -544,10 +316,11 @@ checksum = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5"
[[package]]
name = "cc"
-version = "1.2.7"
+version = "1.2.61"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a012a0df96dd6d06ba9a1b29d6402d1a5d77c6befd2566afdc26e10603dc93d7"
+checksum = "d16d90359e986641506914ba71350897565610e87ce0ad9e6f28569db3dd5c6d"
dependencies = [
+ "find-msvc-tools",
"jobserver",
"libc",
"shlex",
@@ -564,32 +337,25 @@ dependencies = [
[[package]]
name = "cfg-if"
-version = "1.0.0"
+version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
[[package]]
-name = "chacha20"
-version = "0.9.1"
+name = "cfg_aliases"
+version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3613f74bd2eac03dad61bd53dbe620703d4371614fe0bc3b9f04dd36fe4e818"
-dependencies = [
- "cfg-if",
- "cipher",
- "cpufeatures",
-]
+checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
[[package]]
-name = "chacha20poly1305"
-version = "0.10.1"
+name = "chacha20"
+version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "10cd79432192d1c0f4e1a0fef9527696cc039165d729fb41b3f4f4f354c2dc35"
+checksum = "6f8d983286843e49675a4b7a2d174efe136dc93a18d69130dd18198a6c167601"
dependencies = [
- "aead",
- "chacha20",
- "cipher",
- "poly1305",
- "zeroize",
+ "cfg-if",
+ "cpufeatures",
+ "rand_core 0.10.1",
]
[[package]]
@@ -619,17 +385,6 @@ dependencies = [
"half",
]
-[[package]]
-name = "cipher"
-version = "0.4.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad"
-dependencies = [
- "crypto-common",
- "inout",
- "zeroize",
-]
-
[[package]]
name = "clang-sys"
version = "1.8.1"
@@ -643,9 +398,9 @@ dependencies = [
[[package]]
name = "clap"
-version = "4.5.26"
+version = "4.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a8eb5e908ef3a6efbe1ed62520fb7287959888c88485abe072543190ecc66783"
+checksum = "1ddb117e43bbf7dacf0a4190fef4d345b9bad68dfc649cb349e7d17d28428e51"
dependencies = [
"clap_builder",
"clap_derive",
@@ -653,9 +408,9 @@ dependencies = [
[[package]]
name = "clap_builder"
-version = "4.5.26"
+version = "4.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "96b01801b5fc6a0a232407abc821660c9c6d25a1cafc0d4f85f29fb8d9afc121"
+checksum = "714a53001bf66416adb0e2ef5ac857140e7dc3a0c48fb28b2f10762fc4b5069f"
dependencies = [
"anstream",
"anstyle",
@@ -665,91 +420,114 @@ dependencies = [
[[package]]
name = "clap_derive"
-version = "4.5.24"
+version = "4.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "54b755194d6389280185988721fffba69495eed5ee9feeee9a599b53db80318c"
+checksum = "f2ce8604710f6733aa641a2b3731eaa1e8b3d9973d5e3565da11800813f997a9"
dependencies = [
"heck",
"proc-macro2",
"quote",
- "syn 2.0.95",
+ "syn",
]
[[package]]
name = "clap_lex"
-version = "0.7.4"
+version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6"
+checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"
[[package]]
name = "cmake"
-version = "0.1.52"
+version = "0.1.58"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c682c223677e0e5b6b7f63a64b9351844c3f1b1678a68b7ee617e30fb082620e"
+checksum = "c0f78a02292a74a88ac736019ab962ece0bc380e3f977bf72e376c5d78ff0678"
dependencies = [
"cc",
]
[[package]]
name = "colorchoice"
-version = "1.0.3"
+version = "1.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990"
+checksum = "1d07550c9036bf2ae0c684c4297d503f838287c83c53686d05370d0e139ae570"
[[package]]
-name = "concurrent-queue"
-version = "2.5.0"
+name = "combine"
+version = "4.6.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4ca0197aee26d1ae37445ee532fefce43251d24cc7c166799f4d46817f1d3973"
+checksum = "ba5a308b75df32fe02788e748662718f03fde005016435c444eea572398219fd"
dependencies = [
- "crossbeam-utils",
+ "bytes",
+ "memchr",
+]
+
+[[package]]
+name = "core-foundation"
+version = "0.9.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
]
[[package]]
-name = "const-oid"
-version = "0.9.6"
+name = "core-foundation-sys"
+version = "0.8.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
+
+[[package]]
+name = "core-models"
+version = "0.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
+checksum = "657f625ff361906f779745d08375ae3cc9fef87a35fba5f22874cf773010daf4"
+dependencies = [
+ "hax-lib",
+ "pastey",
+ "rand 0.9.4",
+]
[[package]]
name = "cpufeatures"
-version = "0.2.16"
+version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "16b80225097f2e5ae4e7179dd2266824648f3e2f49d9134d584b76389d31c4c3"
+checksum = "8b2a41393f66f16b0823bb79094d54ac5fbd34ab292ddafb9a0456ac9f87d201"
dependencies = [
"libc",
]
[[package]]
name = "crabgrind"
-version = "0.1.9"
+version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bdbd43e4f32a9681a504577db2d4ea7d3f7b1bf2e97955561af98501ab600508"
+checksum = "370855733cbddd025d0cb602df6f4cf898310921a3dcc4244cc3d1d8b3f2a3e4"
dependencies = [
+ "bindgen",
"cc",
+ "pkg-config",
]
[[package]]
name = "criterion"
-version = "0.5.1"
+version = "0.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f2b12d017a929603d80db1831cd3a24082f8137ce19c69e6447f54f5fc8d692f"
+checksum = "950046b2aa2492f9a536f5f4f9a3de7b9e2476e575e05bd6c333371add4d98f3"
dependencies = [
+ "alloca",
"anes",
"cast",
"ciborium",
"clap",
"criterion-plot",
- "is-terminal",
- "itertools 0.10.5",
+ "itertools 0.13.0",
"num-traits",
- "once_cell",
"oorandom",
+ "page_size",
"plotters",
"rayon",
"regex",
"serde",
- "serde_derive",
"serde_json",
"tinytemplate",
"walkdir",
@@ -757,12 +535,27 @@ dependencies = [
[[package]]
name = "criterion-plot"
-version = "0.5.0"
+version = "0.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6b50826342786a51a89e2da3a28f1c32b06e387201bc2d19791f622c673706b1"
+checksum = "d8d80a2f4f5b554395e47b5d8305bc3d27813bacb73493eb1001e8f76dae29ea"
dependencies = [
"cast",
- "itertools 0.10.5",
+ "itertools 0.13.0",
+]
+
+[[package]]
+name = "critical-section"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "790eea4361631c5e7d22598ecd5723ff611904e3344ce8720784c93e3d83d40b"
+
+[[package]]
+name = "crossbeam-channel"
+version = "0.5.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "82b8f8f868b36967f9606790d1903570de9ceaf870a7bf9fbbd3016d636a2cb2"
+dependencies = [
+ "crossbeam-utils",
]
[[package]]
@@ -792,192 +585,67 @@ checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28"
[[package]]
name = "crunchy"
-version = "0.2.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7"
-
-[[package]]
-name = "crypto-bigint"
-version = "0.5.5"
+version = "0.2.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76"
-dependencies = [
- "generic-array",
- "rand_core",
- "subtle",
- "zeroize",
-]
+checksum = "460fbee9c2c2f33933d720630a6a0bac33ba7053db5344fac858d4b8952d77d5"
[[package]]
-name = "crypto-common"
-version = "0.1.6"
+name = "data-encoding"
+version = "2.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
-dependencies = [
- "generic-array",
- "typenum",
-]
+checksum = "a4ae5f15dda3c708c0ade84bfee31ccab44a3da4f88015ed22f63732abe300c8"
[[package]]
-name = "ctr"
-version = "0.9.2"
+name = "der-parser"
+version = "10.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0369ee1ad671834580515889b80f2ea915f23b8be8d0daa4bbaf2ac5c7590835"
+checksum = "07da5016415d5a3c4dd39b11ed26f915f52fc4e0dc197d87908bc916e51bc1a6"
dependencies = [
- "cipher",
+ "asn1-rs",
+ "displaydoc",
+ "nom",
+ "num-bigint",
+ "num-traits",
+ "rusticata-macros",
]
[[package]]
-name = "curve25519-dalek"
-version = "4.1.3"
+name = "deranged"
+version = "0.5.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be"
+checksum = "7cd812cc2bc1d69d4764bd80df88b4317eaef9e773c75226407d9bc0876b211c"
dependencies = [
- "cfg-if",
- "cpufeatures",
- "curve25519-dalek-derive",
- "fiat-crypto",
- "rustc_version",
- "subtle",
- "zeroize",
+ "powerfmt",
]
[[package]]
-name = "curve25519-dalek-derive"
-version = "0.1.1"
+name = "displaydoc"
+version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3"
+checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
dependencies = [
"proc-macro2",
"quote",
- "syn 2.0.95",
+ "syn",
]
[[package]]
-name = "data-encoding"
-version = "2.6.0"
+name = "dunce"
+version = "1.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e8566979429cf69b49a5c740c60791108e86440e8be149bbea4fe54d2c32d6e2"
+checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
[[package]]
-name = "der"
-version = "0.7.9"
+name = "either"
+version = "1.15.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f55bf8e7b65898637379c1b74eb1551107c8294ed26d855ceb9fd1a09cfc9bc0"
-dependencies = [
- "const-oid",
- "zeroize",
-]
-
-[[package]]
-name = "der-parser"
-version = "9.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5cd0a5c643689626bec213c4d8bd4d96acc8ffdb4ad4bb6bc16abf27d5f4b553"
-dependencies = [
- "asn1-rs",
- "displaydoc",
- "nom",
- "num-bigint",
- "num-traits",
- "rusticata-macros",
-]
-
-[[package]]
-name = "deranged"
-version = "0.3.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b42b6fa04a440b495c8b04d0e71b707c585f83cb9cb28cf8cd0d976c315e31b4"
-dependencies = [
- "powerfmt",
-]
-
-[[package]]
-name = "digest"
-version = "0.10.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
-dependencies = [
- "block-buffer",
- "const-oid",
- "crypto-common",
- "subtle",
-]
-
-[[package]]
-name = "displaydoc"
-version = "0.2.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.95",
-]
-
-[[package]]
-name = "dunce"
-version = "1.0.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
-
-[[package]]
-name = "ecdsa"
-version = "0.16.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca"
-dependencies = [
- "der",
- "digest",
- "elliptic-curve",
- "rfc6979",
- "signature",
- "spki",
-]
-
-[[package]]
-name = "either"
-version = "1.13.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "60b1af1c220855b6ceac025d3f6ecdd2b7c4894bfe9cd9bda4fbb4bc7c0d4cf0"
-
-[[package]]
-name = "elliptic-curve"
-version = "0.13.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47"
-dependencies = [
- "base16ct",
- "crypto-bigint",
- "digest",
- "ff",
- "generic-array",
- "group",
- "hkdf",
- "pkcs8",
- "rand_core",
- "sec1",
- "subtle",
- "zeroize",
-]
-
-[[package]]
-name = "enum-as-inner"
-version = "0.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a1e6a265c649f3f5979b601d26f1d05ada116434c87741c9493cb56218f76cbc"
-dependencies = [
- "heck",
- "proc-macro2",
- "quote",
- "syn 2.0.95",
-]
+checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
[[package]]
name = "env_filter"
-version = "0.1.3"
+version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "186e05a59d4c50738528153b83b0b0194d3a29507dfec16eccd4b342903397d0"
+checksum = "32e90c2accc4b07a8456ea0debdc2e7587bdd890680d71173a15d4ae604f6eef"
dependencies = [
"log",
"regex",
@@ -985,81 +653,28 @@ dependencies = [
[[package]]
name = "env_logger"
-version = "0.11.6"
+version = "0.11.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dcaee3d8e3cfc3fd92428d477bc97fc29ec8716d180c0d74c643bb26166660e0"
+checksum = "0621c04f2196ac3f488dd583365b9c09be011a4ab8b9f37248ffcc8f6198b56a"
dependencies = [
"anstream",
"anstyle",
"env_filter",
- "humantime",
+ "jiff",
"log",
]
[[package]]
name = "equivalent"
-version = "1.0.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5"
-
-[[package]]
-name = "errno"
-version = "0.3.10"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "33d852cb9b869c2a9b3df2f71a3074817f01e1844f839a144f5fcef059a4eb5d"
-dependencies = [
- "libc",
- "windows-sys 0.59.0",
-]
-
-[[package]]
-name = "event-listener"
-version = "2.5.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0206175f82b8d6bf6652ff7d71a1e27fd2e4efde587fd368662814d6ec1d9ce0"
-
-[[package]]
-name = "event-listener"
-version = "5.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3492acde4c3fc54c845eaab3eed8bd00c7a7d881f78bfc801e43a93dec1331ae"
-dependencies = [
- "concurrent-queue",
- "parking",
- "pin-project-lite",
-]
-
-[[package]]
-name = "event-listener-strategy"
-version = "0.5.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3c3e4e0dd3673c1139bf041f3008816d9cf2946bbfac2945c09e523b8d7b05b2"
-dependencies = [
- "event-listener 5.4.0",
- "pin-project-lite",
-]
-
-[[package]]
-name = "fastrand"
-version = "2.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
-
-[[package]]
-name = "ff"
-version = "0.13.0"
+version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ded41244b729663b1e574f1b4fb731469f69f79c17667b5d776b16cda0479449"
-dependencies = [
- "rand_core",
- "subtle",
-]
+checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
[[package]]
-name = "fiat-crypto"
-version = "0.2.9"
+name = "find-msvc-tools"
+version = "0.1.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
+checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"
[[package]]
name = "fnv"
@@ -1069,9 +684,15 @@ checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
[[package]]
name = "foldhash"
-version = "0.1.4"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
+
+[[package]]
+name = "foldhash"
+version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a0d2fde1f7b3d48b8395d5f2de76c18a528bd6a9cdde438df747bfcba3e05d6f"
+checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb"
[[package]]
name = "foreign-types"
@@ -1090,9 +711,9 @@ checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
[[package]]
name = "form_urlencoded"
-version = "1.2.1"
+version = "1.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456"
+checksum = "cb4cb245038516f5f85277875cdaa4f7d2c9a0fa0468de06ed190163b1581fcf"
dependencies = [
"percent-encoding",
]
@@ -1105,144 +726,119 @@ checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"
[[package]]
name = "futures-channel"
-version = "0.3.31"
+version = "0.3.32"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10"
+checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d"
dependencies = [
"futures-core",
]
[[package]]
name = "futures-core"
-version = "0.3.31"
+version = "0.3.32"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e"
+checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d"
[[package]]
name = "futures-io"
-version = "0.3.31"
+version = "0.3.32"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6"
+checksum = "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718"
[[package]]
-name = "futures-lite"
-version = "2.5.0"
+name = "futures-macro"
+version = "0.3.32"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cef40d21ae2c515b51041df9ed313ed21e572df340ea58a922a0aefe7e8891a1"
+checksum = "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b"
dependencies = [
- "fastrand",
- "futures-core",
- "futures-io",
- "parking",
- "pin-project-lite",
+ "proc-macro2",
+ "quote",
+ "syn",
]
[[package]]
name = "futures-sink"
-version = "0.3.31"
+version = "0.3.32"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7"
+checksum = "c39754e157331b013978ec91992bde1ac089843443c49cbc7f46150b0fad0893"
[[package]]
name = "futures-task"
-version = "0.3.31"
+version = "0.3.32"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988"
+checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393"
[[package]]
name = "futures-util"
-version = "0.3.31"
+version = "0.3.32"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81"
+checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6"
dependencies = [
"futures-core",
+ "futures-macro",
"futures-task",
"pin-project-lite",
- "pin-utils",
"slab",
]
[[package]]
-name = "fxhash"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c31b6d751ae2c7f11320402d34e41349dd1016f8d5d45e48c4312bc8625af50c"
-dependencies = [
- "byteorder",
-]
-
-[[package]]
-name = "generic-array"
-version = "0.14.7"
+name = "getrandom"
+version = "0.2.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
dependencies = [
- "typenum",
- "version_check",
- "zeroize",
+ "cfg-if",
+ "libc",
+ "wasi",
]
[[package]]
name = "getrandom"
-version = "0.2.15"
+version = "0.3.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7"
+checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
dependencies = [
"cfg-if",
"libc",
- "wasi",
+ "r-efi 5.3.0",
+ "wasip2",
]
[[package]]
-name = "ghash"
-version = "0.5.1"
+name = "getrandom"
+version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f0d8a4362ccb29cb0b265253fb0a2728f592895ee6854fd9bc13f2ffda266ff1"
+checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555"
dependencies = [
- "opaque-debug",
- "polyval",
+ "cfg-if",
+ "libc",
+ "r-efi 6.0.0",
+ "rand_core 0.10.1",
+ "wasip2",
+ "wasip3",
]
-[[package]]
-name = "gimli"
-version = "0.31.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"
-
[[package]]
name = "glob"
-version = "0.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a8d1add55171497b4705a648c6b583acafb01d58050a51727785f0b2c8e0a2b2"
-
-[[package]]
-name = "gloo-timers"
-version = "0.3.0"
+version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bbb143cf96099802033e0d4f4963b19fd2e0b728bcf076cd9cf7f6634f092994"
-dependencies = [
- "futures-channel",
- "futures-core",
- "js-sys",
- "wasm-bindgen",
-]
+checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280"
[[package]]
-name = "group"
-version = "0.13.0"
+name = "graviola"
+version = "0.3.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63"
+checksum = "4387e0458389da24c6fe732531e65595c7c4a32b027f98f4789e512e28224465"
dependencies = [
- "ff",
- "rand_core",
- "subtle",
+ "cfg-if",
+ "getrandom 0.3.4",
]
[[package]]
name = "h2"
-version = "0.4.7"
+version = "0.4.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ccae279728d634d083c00f6099cb58f01cc99c145b84b8be2f6c74618d79922e"
+checksum = "2f44da3a8150a6703ed5d34e164b875fd14c2cdab9af1252a9a1020bde2bdc54"
dependencies = [
"atomic-waker",
"bytes",
@@ -1259,34 +855,75 @@ dependencies = [
[[package]]
name = "half"
-version = "2.4.1"
+version = "2.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6dd08c532ae367adf81c312a4580bc67f1d0fe8bc9c460520283f4c0ff277888"
+checksum = "6ea2d84b969582b4b1864a92dc5d27cd2b77b622a8d79306834f1be5ba20d84b"
dependencies = [
"cfg-if",
"crunchy",
+ "zerocopy",
]
[[package]]
name = "hashbrown"
-version = "0.15.2"
+version = "0.15.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bf151400ff0baff5465007dd2f3e717f3fe502074ca563069ce3a6629d07b289"
+checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
dependencies = [
- "foldhash",
+ "foldhash 0.1.5",
]
[[package]]
-name = "heck"
-version = "0.5.0"
+name = "hashbrown"
+version = "0.17.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
+checksum = "4f467dd6dccf739c208452f8014c75c18bb8301b050ad1cfb27153803edb0f51"
+dependencies = [
+ "foldhash 0.2.0",
+]
[[package]]
-name = "hermit-abi"
-version = "0.4.0"
+name = "hax-lib"
+version = "0.3.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "543f93241d32b3f00569201bfce9d7a93c92c6421b23c77864ac929dc947b9fc"
+dependencies = [
+ "hax-lib-macros",
+ "num-bigint",
+ "num-traits",
+]
+
+[[package]]
+name = "hax-lib-macros"
+version = "0.3.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8755751e760b11021765bb04cb4a6c4e24742688d9f3aa14c2079638f537b0f"
+dependencies = [
+ "hax-lib-macros-types",
+ "proc-macro-error2",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "hax-lib-macros-types"
+version = "0.3.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f177c9ae8ea456e2f71ff3c1ea47bf4464f772a05133fcbba56cd5ba169035a2"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "serde",
+ "serde_json",
+ "uuid",
+]
+
+[[package]]
+name = "heck"
+version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fbf6a919d6cf397374f7dfeeea91d974c7c0a7221d0d0f4f20d859d329e53fcc"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
[[package]]
name = "hex"
@@ -1295,28 +932,27 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
[[package]]
-name = "hickory-proto"
-version = "0.25.0-alpha.4"
+name = "hickory-net"
+version = "0.26.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d063c0692ee669aa6d261988aa19ca5510f1cc40e4f211024f50c888499a35d7"
+checksum = "e2295ed2f9c31e471e1428a8f88a3f0e1f4b27c15049592138d1eebe9c35b183"
dependencies = [
- "async-recursion",
"async-trait",
"bytes",
"cfg-if",
"data-encoding",
- "enum-as-inner",
"futures-channel",
"futures-io",
"futures-util",
"h2",
+ "hickory-proto",
"http",
"idna",
"ipnet",
- "once_cell",
- "rand",
- "rustls 0.23.20",
- "thiserror 2.0.10",
+ "jni",
+ "rand 0.10.1",
+ "rustls 0.23.40",
+ "thiserror",
"tinyvec",
"tokio",
"tokio-rustls",
@@ -1325,140 +961,84 @@ dependencies = [
"webpki-roots",
]
+[[package]]
+name = "hickory-proto"
+version = "0.26.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0bab31817bfb44672a252e97fe81cd0c18d1b2cf892108922f6818820df8c643"
+dependencies = [
+ "data-encoding",
+ "idna",
+ "ipnet",
+ "jni",
+ "once_cell",
+ "prefix-trie",
+ "rand 0.10.1",
+ "ring",
+ "thiserror",
+ "tinyvec",
+ "tracing",
+ "url",
+]
+
[[package]]
name = "hickory-resolver"
-version = "0.25.0-alpha.3"
+version = "0.26.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0eec9ac701a9b34a77c8ccbe39d589db876290f6bdc6e05ac118fd114cb1ad26"
+checksum = "f0d58d28879ceecde6607729660c2667a081ccdc082e082675042793960f178c"
dependencies = [
"cfg-if",
"futures-util",
+ "hickory-net",
"hickory-proto",
"ipconfig",
- "lru-cache",
+ "ipnet",
+ "jni",
+ "moka",
+ "ndk-context",
"once_cell",
"parking_lot",
- "rand",
+ "rand 0.10.1",
"resolv-conf",
- "rustls 0.23.20",
+ "rustls 0.23.40",
"smallvec",
- "thiserror 1.0.69",
+ "system-configuration",
+ "thiserror",
"tokio",
"tokio-rustls",
"tracing",
"webpki-roots",
]
-[[package]]
-name = "hkdf"
-version = "0.12.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7b5f8eb2ad728638ea2c7d47a21db23b7b58a72ed6a38256b8a1849f15fbbdf7"
-dependencies = [
- "hmac",
-]
-
-[[package]]
-name = "hmac"
-version = "0.12.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e"
-dependencies = [
- "digest",
-]
-
-[[package]]
-name = "home"
-version = "0.5.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "589533453244b0995c858700322199b2becb13b627df2851f64a2775d024abcf"
-dependencies = [
- "windows-sys 0.59.0",
-]
-
-[[package]]
-name = "hostname"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3c731c3e10504cc8ed35cfe2f1db4c9274c3d35fa486e3b31df46f068ef3e867"
-dependencies = [
- "libc",
- "match_cfg",
- "winapi",
-]
-
-[[package]]
-name = "hpke-rs"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e11bd4ee27b79fa1820e72ef8489cc729c87299ec3f7f52b8fc8dcb87cb2d485"
-dependencies = [
- "hpke-rs-crypto",
- "log",
- "zeroize",
-]
-
-[[package]]
-name = "hpke-rs-crypto"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1c3f1ae0a26c18d6469a70db1217136056261c4a244b09a755bc60bd4e055b67"
-dependencies = [
- "rand_core",
-]
-
-[[package]]
-name = "hpke-rs-rust-crypto"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a08d4500baf0aced746723d3515d08212bdb9d941df6d1aca3d46d1619b2a1cf"
-dependencies = [
- "aes-gcm",
- "chacha20poly1305",
- "hkdf",
- "hpke-rs-crypto",
- "p256",
- "p384",
- "rand_chacha",
- "rand_core",
- "sha2",
- "x25519-dalek",
-]
-
[[package]]
name = "http"
-version = "1.2.0"
+version = "1.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f16ca2af56261c99fba8bac40a10251ce8188205a4c448fbb745a2e4daa76fea"
+checksum = "e3ba2a386d7f85a81f119ad7498ebe444d2e22c2af0b86b069416ace48b3311a"
dependencies = [
"bytes",
- "fnv",
"itoa",
]
-[[package]]
-name = "humantime"
-version = "2.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4"
-
[[package]]
name = "icu_collections"
-version = "1.5.0"
+version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "db2fa452206ebee18c4b5c2274dbf1de17008e874b4dc4f0aea9d01ca79e4526"
+checksum = "2984d1cd16c883d7935b9e07e44071dca8d917fd52ecc02c04d5fa0b5a3f191c"
dependencies = [
"displaydoc",
+ "potential_utf",
+ "utf8_iter",
"yoke",
"zerofrom",
"zerovec",
]
[[package]]
-name = "icu_locid"
-version = "1.5.0"
+name = "icu_locale_core"
+version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "13acbb8371917fc971be86fc8057c41a64b521c184808a698c02acc242dbf637"
+checksum = "92219b62b3e2b4d88ac5119f8904c10f8f61bf7e95b640d25ba3075e6cac2c29"
dependencies = [
"displaydoc",
"litemap",
@@ -1467,104 +1047,72 @@ dependencies = [
"zerovec",
]
-[[package]]
-name = "icu_locid_transform"
-version = "1.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "01d11ac35de8e40fdeda00d9e1e9d92525f3f9d887cdd7aa81d727596788b54e"
-dependencies = [
- "displaydoc",
- "icu_locid",
- "icu_locid_transform_data",
- "icu_provider",
- "tinystr",
- "zerovec",
-]
-
-[[package]]
-name = "icu_locid_transform_data"
-version = "1.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fdc8ff3388f852bede6b579ad4e978ab004f139284d7b28715f773507b946f6e"
-
[[package]]
name = "icu_normalizer"
-version = "1.5.0"
+version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "19ce3e0da2ec68599d193c93d088142efd7f9c5d6fc9b803774855747dc6a84f"
+checksum = "c56e5ee99d6e3d33bd91c5d85458b6005a22140021cc324cea84dd0e72cff3b4"
dependencies = [
- "displaydoc",
"icu_collections",
"icu_normalizer_data",
"icu_properties",
"icu_provider",
"smallvec",
- "utf16_iter",
- "utf8_iter",
- "write16",
"zerovec",
]
[[package]]
name = "icu_normalizer_data"
-version = "1.5.0"
+version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8cafbf7aa791e9b22bec55a167906f9e1215fd475cd22adfcf660e03e989516"
+checksum = "da3be0ae77ea334f4da67c12f149704f19f81d1adf7c51cf482943e84a2bad38"
[[package]]
name = "icu_properties"
-version = "1.5.1"
+version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "93d6020766cfc6302c15dbbc9c8778c37e62c14427cb7f6e601d849e092aeef5"
+checksum = "bee3b67d0ea5c2cca5003417989af8996f8604e34fb9ddf96208a033901e70de"
dependencies = [
- "displaydoc",
"icu_collections",
- "icu_locid_transform",
+ "icu_locale_core",
"icu_properties_data",
"icu_provider",
- "tinystr",
+ "zerotrie",
"zerovec",
]
[[package]]
name = "icu_properties_data"
-version = "1.5.0"
+version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "67a8effbc3dd3e4ba1afa8ad918d5684b8868b3b26500753effea8d2eed19569"
+checksum = "8e2bbb201e0c04f7b4b3e14382af113e17ba4f63e2c9d2ee626b720cbce54a14"
[[package]]
name = "icu_provider"
-version = "1.5.0"
+version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6ed421c8a8ef78d3e2dbc98a973be2f3770cb42b606e3ab18d6237c4dfde68d9"
+checksum = "139c4cf31c8b5f33d7e199446eff9c1e02decfc2f0eec2c8d71f65befa45b421"
dependencies = [
"displaydoc",
- "icu_locid",
- "icu_provider_macros",
- "stable_deref_trait",
- "tinystr",
+ "icu_locale_core",
"writeable",
"yoke",
"zerofrom",
+ "zerotrie",
"zerovec",
]
[[package]]
-name = "icu_provider_macros"
-version = "1.5.0"
+name = "id-arena"
+version = "2.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1ec89e9337638ecdc08744df490b221a7399bf8d164eb52a665454e60e075ad6"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.95",
-]
+checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954"
[[package]]
name = "idna"
-version = "1.0.3"
+version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "686f825264d630750a544639377bae737628043f20d38bbc029e8f29ea968a7e"
+checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de"
dependencies = [
"idna_adapter",
"smallvec",
@@ -1573,9 +1121,9 @@ dependencies = [
[[package]]
name = "idna_adapter"
-version = "1.2.0"
+version = "1.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "daca1df1c957320b2cf139ac61e7bd64fed304c5040df000a745aa1de3b4ef71"
+checksum = "cb68373c0d6620ef8105e855e7745e18b0d00d3bdb07fb532e434244cdb9a714"
dependencies = [
"icu_normalizer",
"icu_properties",
@@ -1583,117 +1131,161 @@ dependencies = [
[[package]]
name = "indexmap"
-version = "2.7.0"
+version = "2.14.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62f822373a4fe84d4bb149bf54e584a7f4abec90e072ed49cda0edea5b95471f"
+checksum = "d466e9454f08e4a911e14806c24e16fba1b4c121d1ea474396f396069cf949d9"
dependencies = [
"equivalent",
- "hashbrown",
-]
-
-[[package]]
-name = "inout"
-version = "0.1.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a0c10553d664a4d0bcff9f4215d0aac67a639cc68ef660840afe309b807bc9f5"
-dependencies = [
- "generic-array",
+ "hashbrown 0.17.0",
+ "serde",
+ "serde_core",
]
[[package]]
name = "ipconfig"
-version = "0.3.2"
+version = "0.3.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b58db92f96b720de98181bbbe63c831e87005ab460c1bf306eb2622b4707997f"
+checksum = "4d40460c0ce33d6ce4b0630ad68ff63d6661961c48b6dba35e5a4d81cfb48222"
dependencies = [
"socket2",
"widestring",
- "windows-sys 0.48.0",
- "winreg",
+ "windows-registry",
+ "windows-result",
+ "windows-sys 0.61.2",
]
[[package]]
name = "ipnet"
-version = "2.10.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ddc24109865250148c2e0f3d25d4f0f479571723792d3802153c60922a4fb708"
-
-[[package]]
-name = "is-terminal"
-version = "0.4.13"
+version = "2.12.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "261f68e344040fbd0edea105bef17c66edf46f984ddb1115b775ce31be948f4b"
+checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2"
dependencies = [
- "hermit-abi",
- "libc",
- "windows-sys 0.52.0",
+ "serde",
]
[[package]]
name = "is_terminal_polyfill"
-version = "1.70.1"
+version = "1.70.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf"
+checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695"
[[package]]
name = "itertools"
-version = "0.10.5"
+version = "0.13.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473"
+checksum = "413ee7dfc52ee1a4949ceeb7dbc8a33f2d6c088194d9f922fb8318faf1f01186"
dependencies = [
"either",
]
[[package]]
name = "itertools"
-version = "0.12.1"
+version = "0.14.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ba291022dbbd398a455acf126c1e341954079855bc60dfdda641363bd6922569"
+checksum = "2b192c782037fadd9cfa75548310488aabdbf3d2da73885b31bd0abd03351285"
dependencies = [
"either",
]
[[package]]
-name = "itertools"
-version = "0.14.0"
+name = "itoa"
+version = "1.0.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2b192c782037fadd9cfa75548310488aabdbf3d2da73885b31bd0abd03351285"
+checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
+
+[[package]]
+name = "jiff"
+version = "0.2.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f00b5dbd620d61dfdcb6007c9c1f6054ebd75319f163d886a9055cec1155073d"
dependencies = [
- "either",
+ "jiff-static",
+ "log",
+ "portable-atomic",
+ "portable-atomic-util",
+ "serde_core",
]
[[package]]
-name = "itoa"
-version = "1.0.14"
+name = "jiff-static"
+version = "0.2.24"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674"
+checksum = "e000de030ff8022ea1da3f466fbb0f3a809f5e51ed31f6dd931c35181ad8e6d7"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
[[package]]
-name = "jobserver"
-version = "0.1.32"
+name = "jni"
+version = "0.22.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "48d1dbcbbeb6a7fec7e059840aa538bd62aaccf972c7346c4d9d2059312853d0"
+checksum = "5efd9a482cf3a427f00d6b35f14332adc7902ce91efb778580e180ff90fa3498"
dependencies = [
- "libc",
+ "cfg-if",
+ "combine",
+ "jni-macros",
+ "jni-sys",
+ "log",
+ "simd_cesu8",
+ "thiserror",
+ "walkdir",
+ "windows-link",
]
[[package]]
-name = "js-sys"
-version = "0.3.76"
+name = "jni-macros"
+version = "0.22.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6717b6b5b077764fb5966237269cb3c64edddde4b14ce42647430a78ced9e7b7"
+checksum = "a00109accc170f0bdb141fed3e393c565b6f5e072365c3bd58f5b062591560a3"
dependencies = [
- "once_cell",
- "wasm-bindgen",
+ "proc-macro2",
+ "quote",
+ "rustc_version",
+ "simd_cesu8",
+ "syn",
]
[[package]]
-name = "kv-log-macro"
-version = "1.0.7"
+name = "jni-sys"
+version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0de8b303297635ad57c9f5059fd9cee7a47f8e8daa09df0fcd07dd39fb22977f"
+checksum = "c6377a88cb3910bee9b0fa88d4f42e1d2da8e79915598f65fb0c7ee14c878af2"
dependencies = [
- "log",
+ "jni-sys-macros",
+]
+
+[[package]]
+name = "jni-sys-macros"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "38c0b942f458fe50cdac086d2f946512305e5631e720728f2a61aabcd47a6264"
+dependencies = [
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "jobserver"
+version = "0.1.34"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9afb3de4395d6b3e67a780b6de64b51c978ecf11cb9a462c66be7d4ca9039d33"
+dependencies = [
+ "getrandom 0.3.4",
+ "libc",
+]
+
+[[package]]
+name = "js-sys"
+version = "0.3.97"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1840c94c045fbcf8ba2812c95db44499f7c64910a912551aaaa541decebcacf"
+dependencies = [
+ "cfg-if",
+ "futures-util",
+ "once_cell",
+ "wasm-bindgen",
]
[[package]]
@@ -1701,89 +1293,119 @@ name = "lazy_static"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
-dependencies = [
- "spin",
-]
[[package]]
-name = "lazycell"
-version = "1.3.0"
+name = "leb128fmt"
+version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
+checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
[[package]]
name = "libc"
-version = "0.2.169"
+version = "0.2.186"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5aba8db14291edd000dfcc4d620c7ebfb122c613afb886ca8803fa4e128a20a"
+checksum = "68ab91017fe16c622486840e4c83c9a37afeff978bd239b5293d61ece587de66"
[[package]]
-name = "libloading"
-version = "0.8.6"
+name = "libcrux-intrinsics"
+version = "0.0.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34"
+checksum = "b1b5db005ff8001e026b73a6842ee81bbef8ec5ff0e1915a67ae65fd2a9fafa5"
dependencies = [
- "cfg-if",
- "windows-targets 0.52.6",
+ "core-models",
+ "hax-lib",
]
[[package]]
-name = "libm"
-version = "0.2.11"
+name = "libcrux-ml-kem"
+version = "0.0.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8355be11b20d696c8f18f6cc018c4e372165b1fa8126cef092399c9951984ffa"
+checksum = "a14ab3e477de9df6ee1273a114018ff62c4996ca9220070c4e5cb1743f94a67d"
+dependencies = [
+ "hax-lib",
+ "libcrux-intrinsics",
+ "libcrux-platform",
+ "libcrux-secrets",
+ "libcrux-sha3",
+ "libcrux-traits",
+]
[[package]]
-name = "linked-hash-map"
-version = "0.5.6"
+name = "libcrux-platform"
+version = "0.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0717cef1bc8b636c6e1c1bbdefc09e6322da8a9321966e8928ef80d20f7f770f"
+checksum = "1d9e21d7ed31a92ac539bd69a8c970b183ee883872d2d19ce27036e24cb8ecc4"
+dependencies = [
+ "libc",
+]
[[package]]
-name = "linux-raw-sys"
-version = "0.4.15"
+name = "libcrux-secrets"
+version = "0.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d26c52dbd32dccf2d10cac7725f8eae5296885fb5703b261f7d0a0739ec807ab"
+checksum = "1ce650f3041b44ba40d4263852347d007cd2cd9d1cc856a6f6c8b2e10c3fd40b"
+dependencies = [
+ "hax-lib",
+]
[[package]]
-name = "litemap"
-version = "0.7.4"
+name = "libcrux-sha3"
+version = "0.0.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4ee93343901ab17bd981295f2cf0026d4ad018c7c31ba84549a4ddbb47a45104"
+checksum = "b1ae0b7d0e1cc4793a609fd0ff2ca3b3a3fabae523770c619a3d4bc86417b0d7"
+dependencies = [
+ "hax-lib",
+ "libcrux-intrinsics",
+ "libcrux-platform",
+ "libcrux-traits",
+]
[[package]]
-name = "lock_api"
-version = "0.4.12"
+name = "libcrux-traits"
+version = "0.0.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "07af8b9cdd281b7915f413fa73f29ebd5d55d0d3f0155584dade1ff18cea1b17"
+checksum = "812e4fa89f3f5e34b47f928b22b1b78395a0d4ec23b1f583db635f128159d65f"
dependencies = [
- "autocfg",
- "scopeguard",
+ "libcrux-secrets",
+ "rand 0.9.4",
]
[[package]]
-name = "log"
-version = "0.4.22"
+name = "libloading"
+version = "0.8.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24"
+checksum = "d7c4b02199fee7c5d21a5ae7d8cfa79a6ef5bb2fc834d6e9058e89c825efdc55"
dependencies = [
- "value-bag",
+ "cfg-if",
+ "windows-link",
]
[[package]]
-name = "lru-cache"
-version = "0.1.2"
+name = "litemap"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92daf443525c4cce67b150400bc2316076100ce0b3686209eb8cf3c31612e6f0"
+
+[[package]]
+name = "lock_api"
+version = "0.4.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "31e24f1ad8321ca0e8a1e0ac13f23cb668e6f5466c2c57319f6a5cf1cc8e3b1c"
+checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965"
dependencies = [
- "linked-hash-map",
+ "scopeguard",
]
+[[package]]
+name = "log"
+version = "0.4.29"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
+
[[package]]
name = "macro_rules_attribute"
-version = "0.2.0"
+version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8a82271f7bc033d84bbca59a3ce3e4159938cb08a9c3aebbe54d215131518a13"
+checksum = "65049d7923698040cd0b1ddcced9b0eb14dd22c5f86ae59c3740eab64a676520"
dependencies = [
"macro_rules_attribute-proc_macro",
"paste",
@@ -1791,21 +1413,15 @@ dependencies = [
[[package]]
name = "macro_rules_attribute-proc_macro"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8dd856d451cc0da70e2ef2ce95a18e39a93b7558bedf10201ad28503f918568"
-
-[[package]]
-name = "match_cfg"
-version = "0.1.0"
+version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ffbee8634e0d45d258acb448e7eaab3fce7a0a467395d4d9f228e3c1f01fb2e4"
+checksum = "670fdfda89751bc4a84ac13eaa63e205cf0fd22b4c9a5fbfa085b63c1f1d3a30"
[[package]]
name = "memchr"
-version = "2.7.4"
+version = "2.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3"
+checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
[[package]]
name = "minimal-lexical"
@@ -1814,24 +1430,50 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
[[package]]
-name = "miniz_oxide"
-version = "0.8.2"
+name = "mio"
+version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4ffbe83022cedc1d264172192511ae958937694cd57ce297164951b8b3568394"
+checksum = "50b7e5b27aa02a74bac8c3f23f448f8d87ff11f92d3aac1a6ed369ee08cc56c1"
dependencies = [
- "adler2",
+ "libc",
+ "log",
+ "wasi",
+ "windows-sys 0.61.2",
]
[[package]]
-name = "mio"
-version = "1.0.3"
+name = "moka"
+version = "0.12.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd"
+checksum = "957228ad12042ee839f93c8f257b62b4c0ab5eaae1d4fa60de53b27c9d7c5046"
dependencies = [
+ "crossbeam-channel",
+ "crossbeam-epoch",
+ "crossbeam-utils",
+ "equivalent",
+ "parking_lot",
+ "portable-atomic",
+ "smallvec",
+ "tagptr",
+ "uuid",
+]
+
+[[package]]
+name = "ndk-context"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "27b02d87554356db9e9a873add8782d4ea6e3e58ea071a9adb9a2e8ddb884a8b"
+
+[[package]]
+name = "nix"
+version = "0.31.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d6d0705320c1e6ba1d912b5e37cf18071b6c2e9b7fa8215a1e8a7651966f5d3"
+dependencies = [
+ "bitflags",
+ "cfg-if",
+ "cfg_aliases",
"libc",
- "log",
- "wasi",
- "windows-sys 0.52.0",
]
[[package]]
@@ -1846,36 +1488,19 @@ dependencies = [
[[package]]
name = "num-bigint"
-version = "0.4.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9"
-dependencies = [
- "num-integer",
- "num-traits",
-]
-
-[[package]]
-name = "num-bigint-dig"
-version = "0.8.4"
+version = "0.4.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc84195820f291c7697304f3cbdadd1cb7199c0efc917ff5eafd71225c136151"
+checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9"
dependencies = [
- "byteorder",
- "lazy_static",
- "libm",
"num-integer",
- "num-iter",
"num-traits",
- "rand",
- "smallvec",
- "zeroize",
]
[[package]]
name = "num-conv"
-version = "0.1.0"
+version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
+checksum = "c6673768db2d862beb9b39a78fdcb1a69439615d5794a1be50caa9bc92c81967"
[[package]]
name = "num-integer"
@@ -1886,17 +1511,6 @@ dependencies = [
"num-traits",
]
-[[package]]
-name = "num-iter"
-version = "0.1.45"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf"
-dependencies = [
- "autocfg",
- "num-integer",
- "num-traits",
-]
-
[[package]]
name = "num-traits"
version = "0.2.19"
@@ -1904,56 +1518,49 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
dependencies = [
"autocfg",
- "libm",
-]
-
-[[package]]
-name = "object"
-version = "0.36.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62948e14d923ea95ea2c7c86c71013138b66525b86bdc08d2dcc262bdb497b87"
-dependencies = [
- "memchr",
]
[[package]]
name = "oid-registry"
-version = "0.7.1"
+version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a8d8034d9489cdaf79228eb9f6a3b8d7bb32ba00d6645ebd48eef4077ceb5bd9"
+checksum = "12f40cff3dde1b6087cc5d5f5d4d65712f34016a03ed60e9c08dcc392736b5b7"
dependencies = [
"asn1-rs",
]
[[package]]
name = "once_cell"
-version = "1.20.2"
+version = "1.21.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775"
+checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50"
+dependencies = [
+ "critical-section",
+ "portable-atomic",
+]
[[package]]
-name = "oorandom"
-version = "11.1.4"
+name = "once_cell_polyfill"
+version = "1.70.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b410bbe7e14ab526a0e86877eb47c6996a2bd7746f027ba551028c925390e4e9"
+checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
[[package]]
-name = "opaque-debug"
-version = "0.3.1"
+name = "oorandom"
+version = "11.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
+checksum = "d6790f58c7ff633d8771f42965289203411a5e5c68388703c06e14f24770b41e"
[[package]]
name = "openssl"
-version = "0.10.68"
+version = "0.10.79"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6174bc48f102d208783c2c84bf931bb75927a617866870de8a4ea85597f871f5"
+checksum = "bf0b434746ee2832f4f0baf10137e1cabb18cbe6912c69e2e33263c45250f542"
dependencies = [
"bitflags",
"cfg-if",
"foreign-types",
"libc",
- "once_cell",
"openssl-macros",
"openssl-sys",
]
@@ -1966,14 +1573,14 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
dependencies = [
"proc-macro2",
"quote",
- "syn 2.0.95",
+ "syn",
]
[[package]]
name = "openssl-sys"
-version = "0.9.104"
+version = "0.9.115"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741"
+checksum = "158fe5b292746440aa6e7a7e690e55aeb72d41505e2804c23c6973ad0e9c9781"
dependencies = [
"cc",
"libc",
@@ -1982,38 +1589,20 @@ dependencies = [
]
[[package]]
-name = "p256"
-version = "0.13.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b"
-dependencies = [
- "ecdsa",
- "elliptic-curve",
- "primeorder",
- "sha2",
-]
-
-[[package]]
-name = "p384"
-version = "0.13.0"
+name = "page_size"
+version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "70786f51bcc69f6a4c0360e063a4cac5419ef7c5cd5b3c99ad70f3be5ba79209"
+checksum = "30d5b2194ed13191c1999ae0704b7839fb18384fa22e49b57eeaa97d79ce40da"
dependencies = [
- "elliptic-curve",
- "primeorder",
+ "libc",
+ "winapi",
]
-[[package]]
-name = "parking"
-version = "2.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f38d5652c16fde515bb1ecef450ab0f6a219d619a7274976324d5e377f7dceba"
-
[[package]]
name = "parking_lot"
-version = "0.12.3"
+version = "0.12.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1bf18183cf54e8d6059647fc3063646a1801cf30896933ec2311622cc4b9a27"
+checksum = "93857453250e3077bd71ff98b6a65ea6621a19bb0f559a85248955ac12c45a1a"
dependencies = [
"lock_api",
"parking_lot_core",
@@ -2021,15 +1610,15 @@ dependencies = [
[[package]]
name = "parking_lot_core"
-version = "0.9.10"
+version = "0.9.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8"
+checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1"
dependencies = [
"cfg-if",
"libc",
"redox_syscall",
"smallvec",
- "windows-targets 0.52.6",
+ "windows-link",
]
[[package]]
@@ -2038,71 +1627,39 @@ version = "1.0.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
+[[package]]
+name = "pastey"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c5a797f0e07bdf071d15742978fc3128ec6c22891c31a3a931513263904c982a"
+
[[package]]
name = "pem"
-version = "3.0.4"
+version = "3.0.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e459365e590736a54c3fa561947c84837534b8e9af6fc5bf781307e82658fae"
+checksum = "1d30c53c26bc5b31a98cd02d20f25a7c8567146caf63ed593a9d87b2775291be"
dependencies = [
"base64",
- "serde",
+ "serde_core",
]
[[package]]
name = "percent-encoding"
-version = "2.3.1"
+version = "2.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
+checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
[[package]]
name = "pin-project-lite"
-version = "0.2.16"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b"
-
-[[package]]
-name = "pin-utils"
-version = "0.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
-
-[[package]]
-name = "piper"
-version = "0.2.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "96c8c490f422ef9a4efd2cb5b42b76c8613d7e7dfc1caf667b8a3350a5acc066"
-dependencies = [
- "atomic-waker",
- "fastrand",
- "futures-io",
-]
-
-[[package]]
-name = "pkcs1"
-version = "0.7.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f"
-dependencies = [
- "der",
- "pkcs8",
- "spki",
-]
-
-[[package]]
-name = "pkcs8"
-version = "0.10.2"
+version = "0.2.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
-dependencies = [
- "der",
- "spki",
-]
+checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd"
[[package]]
name = "pkg-config"
-version = "0.3.31"
+version = "0.3.33"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2"
+checksum = "19f132c84eca552bf34cab8ec81f1c1dcc229b811638f9d283dceabe58c5569e"
[[package]]
name = "plotters"
@@ -2133,41 +1690,27 @@ dependencies = [
]
[[package]]
-name = "polling"
-version = "3.7.4"
+name = "portable-atomic"
+version = "1.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a604568c3202727d1507653cb121dbd627a58684eb09a820fd746bee38b4442f"
-dependencies = [
- "cfg-if",
- "concurrent-queue",
- "hermit-abi",
- "pin-project-lite",
- "rustix",
- "tracing",
- "windows-sys 0.59.0",
-]
+checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49"
[[package]]
-name = "poly1305"
-version = "0.8.0"
+name = "portable-atomic-util"
+version = "0.2.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8159bd90725d2df49889a078b54f4f79e87f1f8a8444194cdca81d38f5393abf"
+checksum = "c2a106d1259c23fac8e543272398ae0e3c0b8d33c88ed73d0cc71b0f1d902618"
dependencies = [
- "cpufeatures",
- "opaque-debug",
- "universal-hash",
+ "portable-atomic",
]
[[package]]
-name = "polyval"
-version = "0.6.2"
+name = "potential_utf"
+version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d1fe60d06143b2430aa532c94cfe9e29783047f06c0d7fd359a9a51b729fa25"
+checksum = "0103b1cef7ec0cf76490e969665504990193874ea05c85ff9bab8b911d0a0564"
dependencies = [
- "cfg-if",
- "cpufeatures",
- "opaque-debug",
- "universal-hash",
+ "zerovec",
]
[[package]]
@@ -2178,91 +1721,137 @@ checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
[[package]]
name = "ppv-lite86"
-version = "0.2.20"
+version = "0.2.21"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "77957b295656769bb8ad2b6a6b09d897d94f05c41b069aede1fcdaa675eaea04"
+checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9"
dependencies = [
"zerocopy",
]
+[[package]]
+name = "prefix-trie"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "23370be78b7e5bcbb0cab4a02047eb040279a693c78daad04c2c5f1c24a83503"
+dependencies = [
+ "either",
+ "ipnet",
+ "num-traits",
+]
+
[[package]]
name = "prettyplease"
-version = "0.2.27"
+version = "0.2.37"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "483f8c21f64f3ea09fe0f30f5d48c3e8eefe5dac9129f0075f76593b4c1da705"
+checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b"
dependencies = [
"proc-macro2",
- "syn 2.0.95",
+ "syn",
]
[[package]]
-name = "primeorder"
-version = "0.13.6"
+name = "proc-macro-error-attr2"
+version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6"
+checksum = "96de42df36bb9bba5542fe9f1a054b8cc87e172759a1868aa05c1f3acc89dfc5"
dependencies = [
- "elliptic-curve",
+ "proc-macro2",
+ "quote",
]
[[package]]
-name = "proc-macro2"
-version = "1.0.92"
+name = "proc-macro-error2"
+version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "37d3544b3f2748c54e147655edb5025752e2303145b5aefb3c3ea2c78b973bb0"
+checksum = "11ec05c52be0a07b08061f7dd003e7d7092e0472bc731b4af7bb1ef876109802"
dependencies = [
- "unicode-ident",
+ "proc-macro-error-attr2",
+ "proc-macro2",
+ "quote",
+ "syn",
]
[[package]]
-name = "quick-error"
-version = "1.2.3"
+name = "proc-macro2"
+version = "1.0.106"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a1d01941d82fa2ab50be1e79e6714289dd7cde78eba4c074bc5a4374f650dfe0"
+checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934"
+dependencies = [
+ "unicode-ident",
+]
[[package]]
name = "quote"
-version = "1.0.38"
+version = "1.0.45"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0e4dccaaaf89514f546c693ddc140f729f958c247918a13380cccc6078391acc"
+checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
dependencies = [
"proc-macro2",
]
+[[package]]
+name = "r-efi"
+version = "5.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
+
+[[package]]
+name = "r-efi"
+version = "6.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
+
[[package]]
name = "rand"
-version = "0.8.5"
+version = "0.9.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea"
dependencies = [
- "libc",
"rand_chacha",
- "rand_core",
+ "rand_core 0.9.5",
+]
+
+[[package]]
+name = "rand"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d2e8e8bcc7961af1fdac401278c6a831614941f6164ee3bf4ce61b7edb162207"
+dependencies = [
+ "chacha20",
+ "getrandom 0.4.2",
+ "rand_core 0.10.1",
]
[[package]]
name = "rand_chacha"
-version = "0.3.1"
+version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
dependencies = [
"ppv-lite86",
- "rand_core",
+ "rand_core 0.9.5",
]
[[package]]
name = "rand_core"
-version = "0.6.4"
+version = "0.9.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c"
dependencies = [
- "getrandom",
+ "getrandom 0.3.4",
]
+[[package]]
+name = "rand_core"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "63b8176103e19a2643978565ca18b50549f6101881c443590420e4dc998a3c69"
+
[[package]]
name = "rayon"
-version = "1.10.0"
+version = "1.12.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b418a60154510ca1a002a752ca9714984e21e4241e804d32555251faf8b78ffa"
+checksum = "fb39b166781f92d482534ef4b4b1b2568f42613b53e5b6c160e24cfbfa30926d"
dependencies = [
"either",
"rayon-core",
@@ -2270,9 +1859,9 @@ dependencies = [
[[package]]
name = "rayon-core"
-version = "1.12.1"
+version = "1.13.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1465873a3dfdaa8ae7cb14b4383657caab0b3e8a0aa9ae8e04b044854c8dfce2"
+checksum = "22e18b0f0062d30d4230b2e85ff77fdfe4326feb054b9783a3460d8435c8ab91"
dependencies = [
"crossbeam-deque",
"crossbeam-utils",
@@ -2280,31 +1869,32 @@ dependencies = [
[[package]]
name = "rcgen"
-version = "0.13.2"
+version = "0.14.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75e669e5202259b5314d1ea5397316ad400819437857b90861765f24c4cf80a2"
+checksum = "10b99e0098aa4082912d4c649628623db6aba77335e4f4569ff5083a6448b32e"
dependencies = [
"aws-lc-rs",
"pem",
"rustls-pki-types",
"time",
+ "x509-parser",
"yasna",
]
[[package]]
name = "redox_syscall"
-version = "0.5.8"
+version = "0.5.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "03a862b389f93e68874fbf580b9de08dd02facb9a788ebadaf4a3fd33cf58834"
+checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
dependencies = [
"bitflags",
]
[[package]]
name = "regex"
-version = "1.11.1"
+version = "1.12.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191"
+checksum = "e10754a14b9137dd7b1e3e5b0493cc9171fdd105e0ab477f51b72e7f3ac0e276"
dependencies = [
"aho-corasick",
"memchr",
@@ -2314,9 +1904,9 @@ dependencies = [
[[package]]
name = "regex-automata"
-version = "0.4.9"
+version = "0.4.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "809e8dc61f6de73b46c85f4c96486310fe304c434cfa43669d7b40f711150908"
+checksum = "6e1dd4122fc1595e8162618945476892eefca7b88c52820e74af6262213cae8f"
dependencies = [
"aho-corasick",
"memchr",
@@ -2325,77 +1915,35 @@ dependencies = [
[[package]]
name = "regex-syntax"
-version = "0.8.5"
+version = "0.8.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"
+checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a"
[[package]]
name = "resolv-conf"
-version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "52e44394d2086d010551b14b53b1f24e31647570cd1deb0379e2c21b329aba00"
-dependencies = [
- "hostname",
- "quick-error",
-]
-
-[[package]]
-name = "rfc6979"
-version = "0.4.0"
+version = "0.7.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2"
-dependencies = [
- "hmac",
- "subtle",
-]
+checksum = "1e061d1b48cb8d38042de4ae0a7a6401009d6143dc80d2e2d6f31f0bdd6470c7"
[[package]]
name = "ring"
-version = "0.17.8"
+version = "0.17.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d"
+checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7"
dependencies = [
"cc",
"cfg-if",
- "getrandom",
+ "getrandom 0.2.17",
"libc",
- "spin",
- "untrusted",
+ "untrusted 0.9.0",
"windows-sys 0.52.0",
]
-[[package]]
-name = "rsa"
-version = "0.9.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "47c75d7c5c6b673e58bf54d8544a9f432e3a925b0e80f7cd3602ab5c50c55519"
-dependencies = [
- "const-oid",
- "digest",
- "num-bigint-dig",
- "num-integer",
- "num-traits",
- "pkcs1",
- "pkcs8",
- "rand_core",
- "sha2",
- "signature",
- "spki",
- "subtle",
- "zeroize",
-]
-
-[[package]]
-name = "rustc-demangle"
-version = "0.1.24"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f"
-
[[package]]
name = "rustc-hash"
-version = "1.1.0"
+version = "2.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2"
+checksum = "94300abf3f1ae2e2b8ffb7b58043de3d399c73fa6f4b73826402a5c457614dbe"
[[package]]
name = "rustc_version"
@@ -2415,72 +1963,70 @@ dependencies = [
"nom",
]
-[[package]]
-name = "rustix"
-version = "0.38.43"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a78891ee6bf2340288408954ac787aa063d8e8817e9f53abb37c695c6d834ef6"
-dependencies = [
- "bitflags",
- "errno",
- "libc",
- "linux-raw-sys",
- "windows-sys 0.59.0",
-]
-
[[package]]
name = "rustls"
-version = "0.23.20"
+version = "0.23.40"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5065c3f250cbd332cd894be57c40fa52387247659b14a2d6041d121547903b1b"
+checksum = "ef86cd5876211988985292b91c96a8f2d298df24e75989a43a3c73f2d4d8168b"
dependencies = [
+ "aws-lc-rs",
"log",
"once_cell",
- "ring",
"rustls-pki-types",
- "rustls-webpki",
+ "rustls-webpki 0.103.13",
"subtle",
"zeroize",
]
[[package]]
name = "rustls"
-version = "0.23.21"
+version = "0.24.0-dev.0"
dependencies = [
- "aws-lc-rs",
- "base64",
"bencher",
"brotli",
"brotli-decompressor",
"env_logger",
- "hashbrown",
- "hex",
+ "graviola",
+ "hashbrown 0.17.0",
"log",
- "macro_rules_attribute",
- "num-bigint",
"once_cell",
"rcgen",
- "ring",
"rustls-pki-types",
- "rustls-webpki",
- "rustversion",
- "serde",
- "serde_json",
+ "rustls-test",
+ "rustls-webpki 0.104.0-alpha.7",
"subtle",
"time",
"webpki-roots",
- "x509-parser",
"zeroize",
"zlib-rs",
]
+[[package]]
+name = "rustls-aws-lc-rs"
+version = "0.1.0-dev.0"
+dependencies = [
+ "aws-lc-rs",
+ "bencher",
+ "hex",
+ "rustls 0.24.0-dev.0",
+ "rustls-pki-types",
+ "rustls-test",
+ "serde",
+ "serde_json",
+ "subtle",
+ "zeroize",
+]
+
[[package]]
name = "rustls-bench"
version = "0.1.0"
dependencies = [
"clap",
- "rustls 0.23.21",
- "rustls-post-quantum",
+ "rustls 0.24.0-dev.0",
+ "rustls-aws-lc-rs",
+ "rustls-graviola",
+ "rustls-ring",
+ "rustls-test",
"tikv-jemallocator",
]
@@ -2493,21 +2039,23 @@ dependencies = [
"byteorder",
"clap",
"crabgrind",
- "fxhash",
"itertools 0.14.0",
"rayon",
- "rustls 0.23.21",
- "tikv-jemallocator",
+ "rustc-hash",
+ "rustls 0.24.0-dev.0",
+ "rustls-aws-lc-rs",
+ "rustls-fuzzing-provider",
+ "rustls-ring",
+ "rustls-test",
]
[[package]]
name = "rustls-connect-tests"
version = "0.0.1"
dependencies = [
- "hickory-resolver",
"regex",
"ring",
- "rustls 0.23.21",
+ "rustls 0.24.0-dev.0",
"tokio",
]
@@ -2515,14 +2063,15 @@ dependencies = [
name = "rustls-examples"
version = "0.0.1"
dependencies = [
- "async-std",
"clap",
"env_logger",
"hickory-resolver",
"log",
"mio",
"rcgen",
- "rustls 0.23.21",
+ "rustls 0.24.0-dev.0",
+ "rustls-aws-lc-rs",
+ "rustls-util",
"serde",
"tokio",
"webpki-roots",
@@ -2533,8 +2082,18 @@ name = "rustls-fuzzing-provider"
version = "0.1.0"
dependencies = [
"env_logger",
- "rustls 0.23.21",
- "rustls-webpki",
+ "rustls 0.24.0-dev.0",
+]
+
+[[package]]
+name = "rustls-graviola"
+version = "0.3.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "323c712e50c59ceb2ba9ad4d79dcfd3e0046a082d61efa87fcdf8f59af04473c"
+dependencies = [
+ "graviola",
+ "libcrux-ml-kem",
+ "rustls 0.23.40",
]
[[package]]
@@ -2546,85 +2105,113 @@ dependencies = [
"num-bigint",
"once_cell",
"openssl",
- "rustls 0.23.21",
+ "rustls 0.24.0-dev.0",
+ "rustls-aws-lc-rs",
+ "rustls-util",
]
[[package]]
name = "rustls-pki-types"
-version = "1.10.1"
+version = "1.14.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d2bf47e6ff922db3825eb750c4e2ff784c6ff8fb9e13046ef6a1d1c5401b0b37"
+checksum = "30a7197ae7eb376e574fe940d068c30fe0462554a3ddbe4eca7838e049c937a9"
+dependencies = [
+ "zeroize",
+]
[[package]]
name = "rustls-post-quantum"
-version = "0.2.1"
+version = "0.3.0-alpha.0"
dependencies = [
"aws-lc-rs",
"criterion",
"env_logger",
- "rustls 0.23.21",
+ "rcgen",
+ "rustls 0.24.0-dev.0",
+ "rustls-aws-lc-rs",
+ "rustls-test",
+ "rustls-util",
+ "rustls-webpki 0.104.0-alpha.7",
"webpki-roots",
]
[[package]]
-name = "rustls-provider-example"
-version = "0.0.1"
+name = "rustls-provider-test"
+version = "0.1.0"
+dependencies = [
+ "hex",
+ "rustls 0.24.0-dev.0",
+ "rustls-aws-lc-rs",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "rustls-ring"
+version = "0.1.0-dev.0"
+dependencies = [
+ "bencher",
+ "ring",
+ "rustls 0.24.0-dev.0",
+ "rustls-pki-types",
+ "rustls-test",
+ "subtle",
+]
+
+[[package]]
+name = "rustls-test"
+version = "0.1.0"
dependencies = [
- "chacha20poly1305",
- "der",
- "ecdsa",
"env_logger",
- "hmac",
- "hpke-rs",
- "hpke-rs-crypto",
- "hpke-rs-rust-crypto",
- "p256",
- "pkcs8",
- "rand_core",
- "rcgen",
- "rsa",
- "rustls 0.23.21",
- "rustls-webpki",
- "sha2",
- "signature",
+ "log",
+ "macro_rules_attribute",
+ "num-bigint",
+ "rustls 0.24.0-dev.0",
+ "rustls-aws-lc-rs",
+ "rustls-pki-types",
+ "rustls-ring",
+ "rustls-util",
+ "rustls-webpki 0.104.0-alpha.7",
"webpki-roots",
- "x25519-dalek",
+ "x509-parser",
]
[[package]]
-name = "rustls-provider-test"
+name = "rustls-util"
version = "0.1.0"
dependencies = [
- "hex",
- "rustls 0.23.21",
- "rustls-provider-example",
- "serde",
- "serde_json",
+ "env_logger",
+ "log",
+ "rustls 0.24.0-dev.0",
]
[[package]]
name = "rustls-webpki"
-version = "0.102.8"
+version = "0.103.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9"
+checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
dependencies = [
"aws-lc-rs",
"ring",
"rustls-pki-types",
- "untrusted",
+ "untrusted 0.9.0",
]
[[package]]
-name = "rustversion"
-version = "1.0.19"
+name = "rustls-webpki"
+version = "0.104.0-alpha.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f7c45b9784283f1b2e7fb61b42047c2fd678ef0960d4f6f1eba131594cc369d4"
+checksum = "bea702cca24d344fc70973022bf7eb920c224e318466eb49784272337dd24b1a"
+dependencies = [
+ "rustls-pki-types",
+ "untrusted 0.9.0",
+]
[[package]]
-name = "ryu"
-version = "1.0.18"
+name = "rustversion"
+version = "1.0.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f"
+checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d"
[[package]]
name = "same-file"
@@ -2641,67 +2228,53 @@ version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
-[[package]]
-name = "sec1"
-version = "0.7.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc"
-dependencies = [
- "base16ct",
- "der",
- "generic-array",
- "pkcs8",
- "subtle",
- "zeroize",
-]
-
[[package]]
name = "semver"
-version = "1.0.24"
+version = "1.0.28"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3cb6eb87a131f756572d7fb904f6e7b68633f09cca868c5df1c4b8d1a694bbba"
+checksum = "8a7852d02fc848982e0c167ef163aaff9cd91dc640ba85e263cb1ce46fae51cd"
[[package]]
name = "serde"
-version = "1.0.217"
+version = "1.0.228"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "02fc4265df13d6fa1d00ecff087228cc0a2b5f3c0e87e258d8b94a156e984c70"
+checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
dependencies = [
+ "serde_core",
"serde_derive",
]
[[package]]
-name = "serde_derive"
-version = "1.0.217"
+name = "serde_core"
+version = "1.0.228"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a9bf7cf98d04a2b28aead066b7496853d4779c9cc183c440dbac457641e19a0"
+checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.95",
+ "serde_derive",
]
[[package]]
-name = "serde_json"
-version = "1.0.135"
+name = "serde_derive"
+version = "1.0.228"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2b0d7ba2887406110130a978386c4e1befb98c674b4fba677954e4db976630d9"
+checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
dependencies = [
- "itoa",
- "memchr",
- "ryu",
- "serde",
+ "proc-macro2",
+ "quote",
+ "syn",
]
[[package]]
-name = "sha2"
-version = "0.10.8"
+name = "serde_json"
+version = "1.0.149"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8"
+checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86"
dependencies = [
- "cfg-if",
- "cpufeatures",
- "digest",
+ "itoa",
+ "memchr",
+ "serde",
+ "serde_core",
+ "zmij",
]
[[package]]
@@ -2711,61 +2284,48 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
[[package]]
-name = "signature"
-version = "2.2.0"
+name = "simd_cesu8"
+version = "1.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
+checksum = "94f90157bb87cddf702797c5dadfa0be7d266cdf49e22da2fcaa32eff75b2c33"
dependencies = [
- "digest",
- "rand_core",
+ "rustc_version",
+ "simdutf8",
]
+[[package]]
+name = "simdutf8"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3a9fe34e3e7a50316060351f37187a3f546bce95496156754b601a5fa71b76e"
+
[[package]]
name = "slab"
-version = "0.4.9"
+version = "0.4.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f92a496fb766b417c996b9c5e57daf2f7ad3b0bebe1ccfca4856390e3d3bb67"
-dependencies = [
- "autocfg",
-]
+checksum = "0c790de23124f9ab44544d7ac05d60440adc586479ce501c1d6d7da3cd8c9cf5"
[[package]]
name = "smallvec"
-version = "1.13.2"
+version = "1.15.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67"
+checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
[[package]]
name = "socket2"
-version = "0.5.8"
+version = "0.6.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c970269d99b64e60ec3bd6ad27270092a5394c4e309314b18ae3fe575695fbe8"
+checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e"
dependencies = [
"libc",
- "windows-sys 0.52.0",
-]
-
-[[package]]
-name = "spin"
-version = "0.9.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
-
-[[package]]
-name = "spki"
-version = "0.7.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
-dependencies = [
- "base64ct",
- "der",
+ "windows-sys 0.61.2",
]
[[package]]
name = "stable_deref_trait"
-version = "1.2.0"
+version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
+checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596"
[[package]]
name = "strsim"
@@ -2781,9 +2341,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
[[package]]
name = "syn"
-version = "1.0.109"
+version = "2.0.117"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
+checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
dependencies = [
"proc-macro2",
"quote",
@@ -2791,72 +2351,68 @@ dependencies = [
]
[[package]]
-name = "syn"
-version = "2.0.95"
+name = "synstructure"
+version = "0.13.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "46f71c0377baf4ef1cc3e3402ded576dccc315800fbc62dfc7fe04b009773b4a"
+checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
dependencies = [
"proc-macro2",
"quote",
- "unicode-ident",
+ "syn",
]
[[package]]
-name = "synstructure"
-version = "0.13.1"
+name = "system-configuration"
+version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8af7666ab7b6390ab78131fb5b0fce11d6b7a6951602017c35fa82800708971"
+checksum = "a13f3d0daba03132c0aa9767f98351b3488edc2c100cda2d2ec2b04f3d8d3c8b"
dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.95",
+ "bitflags",
+ "core-foundation",
+ "system-configuration-sys",
]
[[package]]
-name = "thiserror"
-version = "1.0.69"
+name = "system-configuration-sys"
+version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
+checksum = "8e1d1b10ced5ca923a1fcb8d03e96b8d3268065d724548c0211415ff6ac6bac4"
dependencies = [
- "thiserror-impl 1.0.69",
+ "core-foundation-sys",
+ "libc",
]
[[package]]
-name = "thiserror"
-version = "2.0.10"
+name = "tagptr"
+version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a3ac7f54ca534db81081ef1c1e7f6ea8a3ef428d2fc069097c079443d24124d3"
-dependencies = [
- "thiserror-impl 2.0.10",
-]
+checksum = "7b2093cf4c8eb1e67749a6762251bc9cd836b6fc171623bd0a9d324d37af2417"
[[package]]
-name = "thiserror-impl"
-version = "1.0.69"
+name = "thiserror"
+version = "2.0.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
+checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.95",
+ "thiserror-impl",
]
[[package]]
name = "thiserror-impl"
-version = "2.0.10"
+version = "2.0.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e9465d30713b56a37ede7185763c3492a91be2f5fa68d958c44e41ab9248beb"
+checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
dependencies = [
"proc-macro2",
"quote",
- "syn 2.0.95",
+ "syn",
]
[[package]]
name = "tikv-jemalloc-sys"
-version = "0.6.0+5.3.0-1-ge13ca993e8ccb9ba9847cc330696e02839f328f7"
+version = "0.6.1+5.3.0-1-ge13ca993e8ccb9ba9847cc330696e02839f328f7"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd3c60906412afa9c2b5b5a48ca6a5abe5736aec9eb48ad05037a677e52e4e2d"
+checksum = "cd8aa5b2ab86a2cefa406d889139c162cbb230092f7d1d7cbc1716405d852a3b"
dependencies = [
"cc",
"libc",
@@ -2864,9 +2420,9 @@ dependencies = [
[[package]]
name = "tikv-jemallocator"
-version = "0.6.0"
+version = "0.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4cec5ff18518d81584f477e9bfdf957f5bb0979b0bac3af4ca30b5b3ae2d2865"
+checksum = "0359b4327f954e0567e69fb191cf1436617748813819c94b8cd4a431422d053a"
dependencies = [
"libc",
"tikv-jemalloc-sys",
@@ -2874,30 +2430,30 @@ dependencies = [
[[package]]
name = "time"
-version = "0.3.37"
+version = "0.3.47"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "35e7868883861bd0e56d9ac6efcaaca0d6d5d82a2a7ec8209ff492c07cf37b21"
+checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c"
dependencies = [
"deranged",
"itoa",
"num-conv",
"powerfmt",
- "serde",
+ "serde_core",
"time-core",
"time-macros",
]
[[package]]
name = "time-core"
-version = "0.1.2"
+version = "0.1.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3"
+checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca"
[[package]]
name = "time-macros"
-version = "0.2.19"
+version = "0.2.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2834e6017e3e5e4b9834939793b282bc03b37a3336245fa820e35e233e2a85de"
+checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215"
dependencies = [
"num-conv",
"time-core",
@@ -2905,9 +2461,9 @@ dependencies = [
[[package]]
name = "tinystr"
-version = "0.7.6"
+version = "0.8.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9117f5d4db391c1cf6927e7bea3db74b9a1c1add8f7eda9ffd5364f40f57b82f"
+checksum = "c8323304221c2a851516f22236c5722a72eaa19749016521d6dff0824447d96d"
dependencies = [
"displaydoc",
"zerovec",
@@ -2925,9 +2481,9 @@ dependencies = [
[[package]]
name = "tinyvec"
-version = "1.8.1"
+version = "1.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "022db8904dfa342efe721985167e9fcd16c29b226db4397ed752a761cfce81e8"
+checksum = "3e61e67053d25a4e82c844e8424039d9745781b3fc4f32b8d55ed50f5f667ef3"
dependencies = [
"tinyvec_macros",
]
@@ -2940,46 +2496,45 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
[[package]]
name = "tokio"
-version = "1.43.0"
+version = "1.52.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3d61fa4ffa3de412bfea335c6ecff681de2b609ba3c77ef3e00e521813a9ed9e"
+checksum = "b67dee974fe86fd92cc45b7a95fdd2f99a36a6d7b0d431a231178d3d670bbcc6"
dependencies = [
- "backtrace",
"bytes",
"libc",
"mio",
"pin-project-lite",
"socket2",
"tokio-macros",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
]
[[package]]
name = "tokio-macros"
-version = "2.5.0"
+version = "2.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6e06d43f1345a3bcd39f6a56dbb7dcab2ba47e68e8ac134855e7e2bdbaf8cab8"
+checksum = "385a6cb71ab9ab790c5fe8d67f1645e6c450a7ce006a33de03daa956cf70a496"
dependencies = [
"proc-macro2",
"quote",
- "syn 2.0.95",
+ "syn",
]
[[package]]
name = "tokio-rustls"
-version = "0.26.1"
+version = "0.26.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f6d0975eaace0cf0fcadee4e4aaa5da15b5c079146f2cffb67c113be122bf37"
+checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61"
dependencies = [
- "rustls 0.23.20",
+ "rustls 0.23.40",
"tokio",
]
[[package]]
name = "tokio-util"
-version = "0.7.13"
+version = "0.7.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7fcaa8d55a2bdd6b83ace262b016eca0d79ee02818c5c1bcdf0305114081078"
+checksum = "9ae9cec805b01e8fc3fd2fe289f89149a9b66dd16786abd8b19cfa7b48cb0098"
dependencies = [
"bytes",
"futures-core",
@@ -2990,56 +2545,40 @@ dependencies = [
[[package]]
name = "tracing"
-version = "0.1.41"
+version = "0.1.44"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "784e0ac535deb450455cbfa28a6f0df145ea1bb7ae51b821cf5e7927fdcfbdd0"
+checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100"
dependencies = [
"pin-project-lite",
- "tracing-attributes",
"tracing-core",
]
-[[package]]
-name = "tracing-attributes"
-version = "0.1.28"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "395ae124c09f9e6918a2310af6038fba074bcf474ac352496d5910dd59a2226d"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.95",
-]
-
[[package]]
name = "tracing-core"
-version = "0.1.33"
+version = "0.1.36"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e672c95779cf947c5311f83787af4fa8fffd12fb27e4993211a84bdfd9610f9c"
+checksum = "db97caf9d906fbde555dd62fa95ddba9eecfd14cb388e4f491a66d74cd5fb79a"
dependencies = [
"once_cell",
]
[[package]]
-name = "typenum"
-version = "1.17.0"
+name = "unicode-ident"
+version = "1.0.24"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825"
+checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
[[package]]
-name = "unicode-ident"
-version = "1.0.14"
+name = "unicode-xid"
+version = "0.2.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "adb9e6ca4f869e1180728b7950e35922a7fc6397f7b641499e8f3ef06e50dc83"
+checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
[[package]]
-name = "universal-hash"
-version = "0.5.1"
+name = "untrusted"
+version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fc1de2c688dc15305988b563c3854064043356019f97a4b46276fe734c4f07ea"
-dependencies = [
- "crypto-common",
- "subtle",
-]
+checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
[[package]]
name = "untrusted"
@@ -3049,21 +2588,16 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
[[package]]
name = "url"
-version = "2.5.4"
+version = "2.5.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32f8b686cadd1473f4bd0117a5d28d36b1ade384ea9b5069a1c40aefed7fda60"
+checksum = "ff67a8a4397373c3ef660812acab3268222035010ab8680ec4215f38ba3d0eed"
dependencies = [
"form_urlencoded",
"idna",
"percent-encoding",
+ "serde",
]
-[[package]]
-name = "utf16_iter"
-version = "1.0.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8232dd3cdaed5356e0f716d285e4b40b932ac434100fe9b7e0e8e935b9e6246"
-
[[package]]
name = "utf8_iter"
version = "1.0.4"
@@ -3077,10 +2611,15 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
[[package]]
-name = "value-bag"
-version = "1.10.0"
+name = "uuid"
+version = "1.23.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3ef4c4aa54d5d05a279399bfa921ec387b7aba77caf7a682ae8d86785b8fdad2"
+checksum = "ddd74a9687298c6858e9b88ec8935ec45d22e8fd5e6394fa1bd4e99a87789c76"
+dependencies = [
+ "getrandom 0.4.2",
+ "js-sys",
+ "wasm-bindgen",
+]
[[package]]
name = "vcpkg"
@@ -3088,12 +2627,6 @@ version = "0.2.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
-[[package]]
-name = "version_check"
-version = "0.9.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
-
[[package]]
name = "walkdir"
version = "2.5.0"
@@ -3106,53 +2639,46 @@ dependencies = [
[[package]]
name = "wasi"
-version = "0.11.0+wasi-snapshot-preview1"
+version = "0.11.1+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
+checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
[[package]]
-name = "wasm-bindgen"
-version = "0.2.99"
+name = "wasip2"
+version = "1.0.3+wasi-0.2.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a474f6281d1d70c17ae7aa6a613c87fce69a127e2624002df63dcb39d6cf6396"
+checksum = "20064672db26d7cdc89c7798c48a0fdfac8213434a1186e5ef29fd560ae223d6"
dependencies = [
- "cfg-if",
- "once_cell",
- "wasm-bindgen-macro",
+ "wit-bindgen 0.57.1",
]
[[package]]
-name = "wasm-bindgen-backend"
-version = "0.2.99"
+name = "wasip3"
+version = "0.4.0+wasi-0.3.0-rc-2026-01-06"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f89bb38646b4f81674e8f5c3fb81b562be1fd936d84320f3264486418519c79"
+checksum = "5428f8bf88ea5ddc08faddef2ac4a67e390b88186c703ce6dbd955e1c145aca5"
dependencies = [
- "bumpalo",
- "log",
- "proc-macro2",
- "quote",
- "syn 2.0.95",
- "wasm-bindgen-shared",
+ "wit-bindgen 0.51.0",
]
[[package]]
-name = "wasm-bindgen-futures"
-version = "0.4.49"
+name = "wasm-bindgen"
+version = "0.2.120"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38176d9b44ea84e9184eff0bc34cc167ed044f816accfe5922e54d84cf48eca2"
+checksum = "df52b6d9b87e0c74c9edfa1eb2d9bf85e5d63515474513aa50fa181b3c4f5db1"
dependencies = [
"cfg-if",
- "js-sys",
"once_cell",
- "wasm-bindgen",
- "web-sys",
+ "rustversion",
+ "wasm-bindgen-macro",
+ "wasm-bindgen-shared",
]
[[package]]
name = "wasm-bindgen-macro"
-version = "0.2.99"
+version = "0.2.120"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2cc6181fd9a7492eef6fef1f33961e3695e4579b9872a6f7c83aee556666d4fe"
+checksum = "78b1041f495fb322e64aca85f5756b2172e35cd459376e67f2a6c9dffcedb103"
dependencies = [
"quote",
"wasm-bindgen-macro-support",
@@ -3160,59 +2686,84 @@ dependencies = [
[[package]]
name = "wasm-bindgen-macro-support"
-version = "0.2.99"
+version = "0.2.120"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "30d7a95b763d3c45903ed6c81f156801839e5ee968bb07e534c44df0fcd330c2"
+checksum = "9dcd0ff20416988a18ac686d4d4d0f6aae9ebf08a389ff5d29012b05af2a1b41"
dependencies = [
+ "bumpalo",
"proc-macro2",
"quote",
- "syn 2.0.95",
- "wasm-bindgen-backend",
+ "syn",
"wasm-bindgen-shared",
]
[[package]]
name = "wasm-bindgen-shared"
-version = "0.2.99"
+version = "0.2.120"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "943aab3fdaaa029a6e0271b35ea10b72b943135afe9bffca82384098ad0e06a6"
+checksum = "49757b3c82ebf16c57d69365a142940b384176c24df52a087fb748e2085359ea"
+dependencies = [
+ "unicode-ident",
+]
[[package]]
-name = "web-sys"
-version = "0.3.76"
+name = "wasm-encoder"
+version = "0.244.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "04dd7223427d52553d3702c004d3b2fe07c148165faa56313cb00211e31c12bc"
+checksum = "990065f2fe63003fe337b932cfb5e3b80e0b4d0f5ff650e6985b1048f62c8319"
dependencies = [
- "js-sys",
- "wasm-bindgen",
+ "leb128fmt",
+ "wasmparser",
]
[[package]]
-name = "webpki-roots"
-version = "0.26.7"
+name = "wasm-metadata"
+version = "0.244.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5d642ff16b7e79272ae451b7322067cdc17cadf68c23264be9d94a32319efe7e"
+checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909"
dependencies = [
- "rustls-pki-types",
+ "anyhow",
+ "indexmap",
+ "wasm-encoder",
+ "wasmparser",
]
[[package]]
-name = "which"
-version = "4.4.2"
+name = "wasmparser"
+version = "0.244.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87ba24419a2078cd2b0f2ede2691b6c66d8e47836da3b6db8265ebad47afbfc7"
+checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe"
dependencies = [
- "either",
- "home",
- "once_cell",
- "rustix",
+ "bitflags",
+ "hashbrown 0.15.5",
+ "indexmap",
+ "semver",
+]
+
+[[package]]
+name = "web-sys"
+version = "0.3.97"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2eadbac71025cd7b0834f20d1fe8472e8495821b4e9801eb0a60bd1f19827602"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "webpki-roots"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "52f5ee44c96cf55f1b349600768e3ece3a8f26010c05265ab73f945bb1a2eb9d"
+dependencies = [
+ "rustls-pki-types",
]
[[package]]
name = "widestring"
-version = "1.1.0"
+version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7219d36b6eac893fa81e84ebe06485e7dcbb616177469b142df14f1f4deb1311"
+checksum = "72069c3113ab32ab29e5584db3c6ec55d416895e60715417b5b883a357c3e471"
[[package]]
name = "winapi"
@@ -3232,11 +2783,11 @@ checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
[[package]]
name = "winapi-util"
-version = "0.1.9"
+version = "0.1.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb"
+checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
dependencies = [
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
]
[[package]]
@@ -3246,45 +2797,56 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
[[package]]
-name = "windows-sys"
-version = "0.48.0"
+name = "windows-link"
+version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9"
+checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
+
+[[package]]
+name = "windows-registry"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "02752bf7fbdcce7f2a27a742f798510f3e5ad88dbe84871e5168e2120c3d5720"
dependencies = [
- "windows-targets 0.48.5",
+ "windows-link",
+ "windows-result",
+ "windows-strings",
]
[[package]]
-name = "windows-sys"
-version = "0.52.0"
+name = "windows-result"
+version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
+checksum = "7781fa89eaf60850ac3d2da7af8e5242a5ea78d1a11c49bf2910bb5a73853eb5"
dependencies = [
- "windows-targets 0.52.6",
+ "windows-link",
+]
+
+[[package]]
+name = "windows-strings"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7837d08f69c77cf6b07689544538e017c1bfcf57e34b4c0ff58e6c2cd3b37091"
+dependencies = [
+ "windows-link",
]
[[package]]
name = "windows-sys"
-version = "0.59.0"
+version = "0.52.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
+checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
dependencies = [
- "windows-targets 0.52.6",
+ "windows-targets",
]
[[package]]
-name = "windows-targets"
-version = "0.48.5"
+name = "windows-sys"
+version = "0.61.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c"
+checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
dependencies = [
- "windows_aarch64_gnullvm 0.48.5",
- "windows_aarch64_msvc 0.48.5",
- "windows_i686_gnu 0.48.5",
- "windows_i686_msvc 0.48.5",
- "windows_x86_64_gnu 0.48.5",
- "windows_x86_64_gnullvm 0.48.5",
- "windows_x86_64_msvc 0.48.5",
+ "windows-link",
]
[[package]]
@@ -3293,46 +2855,28 @@ version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
dependencies = [
- "windows_aarch64_gnullvm 0.52.6",
- "windows_aarch64_msvc 0.52.6",
- "windows_i686_gnu 0.52.6",
+ "windows_aarch64_gnullvm",
+ "windows_aarch64_msvc",
+ "windows_i686_gnu",
"windows_i686_gnullvm",
- "windows_i686_msvc 0.52.6",
- "windows_x86_64_gnu 0.52.6",
- "windows_x86_64_gnullvm 0.52.6",
- "windows_x86_64_msvc 0.52.6",
+ "windows_i686_msvc",
+ "windows_x86_64_gnu",
+ "windows_x86_64_gnullvm",
+ "windows_x86_64_msvc",
]
-[[package]]
-name = "windows_aarch64_gnullvm"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8"
-
[[package]]
name = "windows_aarch64_gnullvm"
version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
-[[package]]
-name = "windows_aarch64_msvc"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc"
-
[[package]]
name = "windows_aarch64_msvc"
version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
-[[package]]
-name = "windows_i686_gnu"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e"
-
[[package]]
name = "windows_i686_gnu"
version = "0.52.6"
@@ -3345,24 +2889,12 @@ version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
-[[package]]
-name = "windows_i686_msvc"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406"
-
[[package]]
name = "windows_i686_msvc"
version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
-[[package]]
-name = "windows_x86_64_gnu"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e"
-
[[package]]
name = "windows_x86_64_gnu"
version = "0.52.6"
@@ -3371,76 +2903,131 @@ checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
[[package]]
name = "windows_x86_64_gnullvm"
-version = "0.48.5"
+version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc"
+checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
[[package]]
-name = "windows_x86_64_gnullvm"
+name = "windows_x86_64_msvc"
version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
+checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
[[package]]
-name = "windows_x86_64_msvc"
-version = "0.48.5"
+name = "wit-bindgen"
+version = "0.51.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538"
+checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5"
+dependencies = [
+ "wit-bindgen-rust-macro",
+]
[[package]]
-name = "windows_x86_64_msvc"
-version = "0.52.6"
+name = "wit-bindgen"
+version = "0.57.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
+checksum = "1ebf944e87a7c253233ad6766e082e3cd714b5d03812acc24c318f549614536e"
[[package]]
-name = "winreg"
-version = "0.50.0"
+name = "wit-bindgen-core"
+version = "0.51.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "524e57b2c537c0f9b1e69f1965311ec12182b4122e45035b1508cd24d2adadb1"
+checksum = "ea61de684c3ea68cb082b7a88508a8b27fcc8b797d738bfc99a82facf1d752dc"
dependencies = [
- "cfg-if",
- "windows-sys 0.48.0",
+ "anyhow",
+ "heck",
+ "wit-parser",
]
[[package]]
-name = "write16"
-version = "1.0.0"
+name = "wit-bindgen-rust"
+version = "0.51.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d1890f4022759daae28ed4fe62859b1236caebfc61ede2f63ed4e695f3f6d936"
+checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21"
+dependencies = [
+ "anyhow",
+ "heck",
+ "indexmap",
+ "prettyplease",
+ "syn",
+ "wasm-metadata",
+ "wit-bindgen-core",
+ "wit-component",
+]
[[package]]
-name = "writeable"
-version = "0.5.5"
+name = "wit-bindgen-rust-macro"
+version = "0.51.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e9df38ee2d2c3c5948ea468a8406ff0db0b29ae1ffde1bcf20ef305bcc95c51"
+checksum = "0c0f9bfd77e6a48eccf51359e3ae77140a7f50b1e2ebfe62422d8afdaffab17a"
+dependencies = [
+ "anyhow",
+ "prettyplease",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wit-bindgen-core",
+ "wit-bindgen-rust",
+]
[[package]]
-name = "x25519-dalek"
-version = "2.0.1"
+name = "wit-component"
+version = "0.244.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c7e468321c81fb07fa7f4c636c3972b9100f0346e5b6a9f2bd0603a52f7ed277"
+checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2"
dependencies = [
- "curve25519-dalek",
- "rand_core",
+ "anyhow",
+ "bitflags",
+ "indexmap",
+ "log",
"serde",
- "zeroize",
+ "serde_derive",
+ "serde_json",
+ "wasm-encoder",
+ "wasm-metadata",
+ "wasmparser",
+ "wit-parser",
+]
+
+[[package]]
+name = "wit-parser"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736"
+dependencies = [
+ "anyhow",
+ "id-arena",
+ "indexmap",
+ "log",
+ "semver",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "unicode-xid",
+ "wasmparser",
]
+[[package]]
+name = "writeable"
+version = "0.6.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ffae5123b2d3fc086436f8834ae3ab053a283cfac8fe0a0b8eaae044768a4c4"
+
[[package]]
name = "x509-parser"
-version = "0.16.0"
+version = "0.18.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fcbc162f30700d6f3f82a24bf7cc62ffe7caea42c0b2cba8bf7f3ae50cf51f69"
+checksum = "d43b0f71ce057da06bc0851b23ee24f3f86190b07203dd8f567d0b706a185202"
dependencies = [
"asn1-rs",
+ "aws-lc-rs",
"data-encoding",
"der-parser",
"lazy_static",
"nom",
"oid-registry",
"rusticata-macros",
- "thiserror 1.0.69",
+ "thiserror",
"time",
]
@@ -3455,11 +3042,10 @@ dependencies = [
[[package]]
name = "yoke"
-version = "0.7.5"
+version = "0.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "120e6aef9aa629e3d4f52dc8cc43a015c7724194c97dfaf45180d2daf2b77f40"
+checksum = "abe8c5fda708d9ca3df187cae8bfb9ceda00dd96231bed36e445a1a48e66f9ca"
dependencies = [
- "serde",
"stable_deref_trait",
"yoke-derive",
"zerofrom",
@@ -3467,83 +3053,79 @@ dependencies = [
[[package]]
name = "yoke-derive"
-version = "0.7.5"
+version = "0.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2380878cad4ac9aac1e2435f3eb4020e8374b5f13c296cb75b4620ff8e229154"
+checksum = "de844c262c8848816172cef550288e7dc6c7b7814b4ee56b3e1553f275f1858e"
dependencies = [
"proc-macro2",
"quote",
- "syn 2.0.95",
+ "syn",
"synstructure",
]
[[package]]
name = "zerocopy"
-version = "0.7.35"
+version = "0.8.48"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1b9b4fd18abc82b8136838da5d50bae7bdea537c574d8dc1a34ed098d6c166f0"
+checksum = "eed437bf9d6692032087e337407a86f04cd8d6a16a37199ed57949d415bd68e9"
dependencies = [
- "byteorder",
"zerocopy-derive",
]
[[package]]
name = "zerocopy-derive"
-version = "0.7.35"
+version = "0.8.48"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e"
+checksum = "70e3cd084b1788766f53af483dd21f93881ff30d7320490ec3ef7526d203bad4"
dependencies = [
"proc-macro2",
"quote",
- "syn 2.0.95",
+ "syn",
]
[[package]]
name = "zerofrom"
-version = "0.1.5"
+version = "0.1.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cff3ee08c995dee1859d998dea82f7374f2826091dd9cd47def953cae446cd2e"
+checksum = "69faa1f2a1ea75661980b013019ed6687ed0e83d069bc1114e2cc74c6c04c4df"
dependencies = [
"zerofrom-derive",
]
[[package]]
name = "zerofrom-derive"
-version = "0.1.5"
+version = "0.1.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "595eed982f7d355beb85837f651fa22e90b3c044842dc7f2c2842c086f295808"
+checksum = "11532158c46691caf0f2593ea8358fed6bbf68a0315e80aae9bd41fbade684a1"
dependencies = [
"proc-macro2",
"quote",
- "syn 2.0.95",
+ "syn",
"synstructure",
]
[[package]]
name = "zeroize"
-version = "1.8.1"
+version = "1.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
-dependencies = [
- "zeroize_derive",
-]
+checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
[[package]]
-name = "zeroize_derive"
-version = "1.4.2"
+name = "zerotrie"
+version = "0.2.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69"
+checksum = "0f9152d31db0792fa83f70fb2f83148effb5c1f5b8c7686c3459e361d9bc20bf"
dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.95",
+ "displaydoc",
+ "yoke",
+ "zerofrom",
]
[[package]]
name = "zerovec"
-version = "0.10.4"
+version = "0.11.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aa2b893d79df23bfb12d5461018d408ea19dfafe76c2c7ef6d4eba614f8ff079"
+checksum = "90f911cbc359ab6af17377d242225f4d75119aec87ea711a880987b18cd7b239"
dependencies = [
"yoke",
"zerofrom",
@@ -3552,17 +3134,23 @@ dependencies = [
[[package]]
name = "zerovec-derive"
-version = "0.10.3"
+version = "0.11.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6eafa6dfb17584ea3e2bd6e76e0cc15ad7af12b09abdd1ca55961bed9b1063c6"
+checksum = "625dc425cab0dca6dc3c3319506e6593dcb08a9f387ea3b284dbd52a92c40555"
dependencies = [
"proc-macro2",
"quote",
- "syn 2.0.95",
+ "syn",
]
[[package]]
name = "zlib-rs"
-version = "0.4.1"
+version = "0.6.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3be3d40e40a133f9c916ee3f9f4fa2d9d63435b5fbe1bfc6d9dae0aa0ada1513"
+
+[[package]]
+name = "zmij"
+version = "1.0.21"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aada01553a9312bad4b9569035a1f12b05e5ec9770a1a4b323757356928944f8"
+checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa"
diff --git a/Cargo.toml b/Cargo.toml
index 88fdcb74976..07aa8561013 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -10,10 +10,14 @@ members = [
"examples",
# Tests that require OpenSSL
"openssl-tests",
- # example of custom provider
- "provider-example",
# the main library and tests
"rustls",
+ # AWS-LC based crypto provider
+ "rustls-aws-lc-rs",
+ # the ring crypto provider
+ "rustls-ring",
+ # common code for testing the core crate
+ "rustls-test",
# benchmarking tool
"rustls-bench",
# experimental post-quantum algorithm support
@@ -22,6 +26,8 @@ members = [
"rustls-provider-test",
# rustls cryptography provider for fuzzing
"rustls-fuzzing-provider",
+ # utility code
+ "rustls-util",
]
## Deliberately not included in `members`:
@@ -31,36 +37,36 @@ exclude = [
]
default-members = [
+ #Â ---
"examples",
"rustls",
+ "rustls-aws-lc-rs",
+ "rustls-ring",
+ "rustls-test",
]
resolver = "2"
[workspace.dependencies]
anyhow = "1.0.73"
-asn1 = "0.20"
-async-std = { version = "1.12.0", features = ["attributes"] }
+asn1 = "0.24"
async-trait = "0.1.74"
-aws-lc-rs = { version = "1.12", default-features = false, features = ["aws-lc-sys", "prebuilt-nasm"] }
+aws-lc-rs = { version = "1.14", default-features = false }
base64 = "0.22"
bencher = "0.1.5"
-brotli = { version = "7", default-features = false, features = ["std"] }
-brotli-decompressor = "4.0.1" # 4.0.1 required for panic fix
+brotli = { version = "8", default-features = false, features = ["std"] }
+brotli-decompressor = "5.0.0"
byteorder = "1.4.3"
-chacha20poly1305 = { version = "0.10", default-features = false, features = ["alloc"] }
clap = { version = "4.3.21", features = ["derive", "env"] }
-crabgrind = "=0.1.9" # compatible with valgrind package on GHA ubuntu-latest
-der = "0.7"
-ecdsa = "0.16.8"
+crabgrind = "0.2"
+criterion = "0.8"
env_logger = "0.11"
-fxhash = "0.2.1"
-hashbrown = { version = "0.15", default-features = false, features = ["default-hasher", "inline-more"] }
+graviola = "0.3"
+hashbrown = { version = "0.17", default-features = false, features = ["default-hasher", "inline-more"] }
hex = "0.4"
-hickory-resolver = { version = "=0.25.0-alpha.3", features = ["dns-over-https-rustls", "webpki-roots"] }
-hmac = "0.12"
-hpke-rs = "0.2"
-hpke-rs-crypto = "0.2"
-hpke-rs-rust-crypto = "0.2"
+hickory-resolver = { version = "0.26", features = ["https-aws-lc-rs", "webpki-roots"] }
+hpke-rs = "0.6"
+hpke-rs-crypto = "0.6"
+hpke-rs-rust-crypto = "0.6"
itertools = "0.14"
log = { version = "0.4.8" }
macro_rules_attribute = "0.2"
@@ -68,30 +74,70 @@ mio = { version = "1", features = ["net", "os-poll"] }
num-bigint = "0.4.4"
once_cell = { version = "1.16", default-features = false, features = ["alloc", "race"] }
openssl = "0.10"
-p256 = { version = "0.13.2", default-features = false, features = ["alloc", "ecdsa", "pkcs8"] }
-pkcs8 = "0.10.2"
-pki-types = { package = "rustls-pki-types", version = "1.10", features = ["alloc"] }
-rand_core = { version = "0.6", features = ["getrandom"] }
+pki-types = { package = "rustls-pki-types", version = "1.14", features = ["alloc"] }
rayon = "1.7"
-rcgen = { version = "0.13", features = ["pem", "aws_lc_rs"], default-features = false }
+rcgen = { version = "0.14.4", features = ["pem", "aws_lc_rs"], default-features = false }
regex = "1"
ring = "0.17"
-rsa = { version = "0.9", features = ["sha2"], default-features = false }
+rustc-hash = "2"
+rustls-fuzzing-provider = { path = "rustls-fuzzing-provider/" }
+rustls-graviola = { version = "0.3" }
+rustls-test = { path = "rustls-test/", default-features = false }
+rustls-util = { path = "rustls-util/" }
serde = { version = "1", features = ["derive"] }
serde_json = "1"
-sha2 = { version = "0.10", default-features = false }
-signature = "2"
subtle = { version = "2.5.0", default-features = false }
time = { version = "0.3.6", default-features = false }
tikv-jemallocator = "0.6"
-tokio = { version = "1.34", features = ["io-util", "macros", "net", "rt"]}
-webpki = { package = "rustls-webpki", version = "0.102.8", features = ["alloc"], default-features = false }
-webpki-roots = "0.26"
-x25519-dalek = "2"
-x509-parser = "0.16"
-zeroize = "1.7"
-zlib-rs = "0.4"
+tokio = { version = "1.34", features = ["io-util", "macros", "net", "rt"] }
+webpki = { package = "rustls-webpki", version = "=0.104.0-alpha.7", features = [
+ "alloc",
+], default-features = false }
+webpki-roots = "1"
+x509-parser = "0.18"
+zeroize = "1.8"
+zlib-rs = "0.6"
[profile.bench]
codegen-units = 1
lto = true
+
+[workspace.lints.clippy]
+alloc_instead_of_core = "warn"
+cloned_instead_of_copied = "warn"
+manual_let_else = "warn"
+needless_collect = "warn"
+needless_pass_by_ref_mut = "warn"
+or_fun_call = "warn"
+redundant_clone = "warn"
+std_instead_of_core = "warn"
+upper_case_acronyms = "warn"
+use_self = "warn"
+
+# Relax these clippy lints:
+# - too_many_arguments: some things just need a lot of state, wrapping it
+# doesn't necessarily make it easier to follow what's going on
+too_many_arguments = "allow"
+
+# - new_without_default: for internal constructors, the indirection is not
+# helpful
+new_without_default = "allow"
+
+[workspace.lints.rust]
+elided_lifetimes_in_paths = "warn"
+trivial_numeric_casts = "warn"
+unexpected_cfgs = { level = "warn", check-cfg = [
+ "cfg(bench)",
+ "cfg(coverage_nightly)",
+ "cfg(rustls_docsrs)",
+] }
+unnameable_types = "warn"
+unreachable_pub = "warn"
+unused_extern_crates = "warn"
+unused_import_braces = "warn"
+unused_qualifications = "warn"
+
+# ensure all our tests are against the local copy, never
+# against the latest _published_ copy.
+[patch.crates-io]
+rustls = { path = "rustls" }
diff --git a/README.md b/README.md
index 2488264fce6..0c6362b63c9 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
- 
+ 
@@ -23,6 +23,9 @@ If you'd like to help out, please see [CONTRIBUTING.md](CONTRIBUTING.md).
[](https://discord.gg/MCSB76RU96)
[](https://www.bestpractices.dev/projects/9034)
+The maintainers pronounce "rustls" as rustles (rather than rust-TLS), but we don't feel strongly
+about it.
+
## Changelog
The detailed list of changes in each release can be found at
@@ -43,64 +46,72 @@ list of protocol features](https://docs.rs/rustls/latest/rustls/manual/_04_featu
### Platform support
-While Rustls itself is platform independent, by default it uses [`aws-lc-rs`] for implementing
-the cryptography in TLS. See [the aws-lc-rs FAQ][aws-lc-rs-platforms-faq] for more details of the
-platform/architecture support constraints in aws-lc-rs.
-
-[`ring`] is also available via the `ring` crate feature: see
-[the supported `ring` target platforms][ring-target-platforms].
+While Rustls itself is platform independent, it requires the use of cryptography primitives
+for implementing the cryptography algorithms used in TLS. In Rustls, a
+[`crypto::CryptoProvider`] represents a collection of crypto primitive implementations.
By providing a custom instance of the [`crypto::CryptoProvider`] struct, you
can replace all cryptography dependencies of rustls. This is a route to being portable
to a wider set of architectures and environments, or compliance requirements. See the
[`crypto::CryptoProvider`] documentation for more details.
-Specifying `default-features = false` when depending on rustls will remove the
-dependency on aws-lc-rs.
-
-Rustls requires Rust 1.63 or later. It has an optional dependency on zlib-rs which requires 1.75 or later.
-
-[ring-target-platforms]: https://github.com/briansmith/ring/blob/2e8363b433fa3b3962c877d9ed2e9145612f3160/include/ring-core/target.h#L18-L64
[`crypto::CryptoProvider`]: https://docs.rs/rustls/latest/rustls/crypto/struct.CryptoProvider.html
-[`ring`]: https://crates.io/crates/ring
-[aws-lc-rs-platforms-faq]: https://aws.github.io/aws-lc-rs/faq.html#can-i-run-aws-lc-rs-on-x-platform-or-architecture
-[`aws-lc-rs`]: https://crates.io/crates/aws-lc-rs
### Cryptography providers
Since Rustls 0.22 it has been possible to choose the provider of the cryptographic primitives
that Rustls uses. This may be appealing if you have specific platform, compliance or feature
-requirements that aren't met by the default provider, [`aws-lc-rs`].
+requirements.
-Users that wish to customize the provider in use can do so when constructing `ClientConfig`
-and `ServerConfig` instances using the `with_crypto_provider` method on the respective config
-builder types. See the [`crypto::CryptoProvider`] documentation for more details.
+From 0.24, users must explicitly provide a crypto provider when constructing `ClientConfig` or
+`ServerConfig` instances. See the [`crypto::CryptoProvider`] documentation for more details.
-#### Built-in providers
+#### First-party providers
-Rustls ships with two built-in providers controlled with associated feature flags:
+The Rustls project currently maintains two cryptography providers:
-* [`aws-lc-rs`] - enabled by default, available with the `aws_lc_rs` feature flag enabled.
-* [`ring`] - available with the `ring` feature flag enabled.
+* [`rustls-aws-lc-rs`] - a provider that uses the [`aws-lc-rs`] crate for cryptography.
+While this provider can be harder to build on [some platforms][aws-lc-rs-platforms-faq], it provides excellent
+performance and a complete feature set (including post-quantum algorithms).
+* [`rustls-ring`] - a provider that uses the [`ring`] crate for cryptography. This
+provider is easier to build on a variety of platforms, but has a more limited feature set
+(for example, it does not support post-quantum algorithms).
+
+The Rustls team recommends using the [`rustls-aws-lc-rs`] crate for its complete feature set
+and performance. See [the aws-lc-rs FAQ][aws-lc-rs-platforms-faq] for more details of the
+platform/architecture support constraints in aws-lc-rs.
See the documentation for [`crypto::CryptoProvider`] for details on how providers are
selected.
+(For rustls versions prior to 0.24, both of these providers were shipped as part of the rustls
+crate, and Cargo features were used to select the preferred provider. The `aws-lc-rs` feature
+was enabled by default.)
+
+[`rustls-aws-lc-rs`]: https://crates.io/crates/rustls-aws-lc-rs
+[`aws-lc-rs`]: https://crates.io/crates/aws-lc-rs
+[aws-lc-rs-platforms-faq]: https://aws.github.io/aws-lc-rs/faq.html#can-i-run-aws-lc-rs-on-x-platform-or-architecture
+[`rustls-ring`]: https://crates.io/crates/rustls-ring
+[`ring`]: https://crates.io/crates/ring
+
#### Third-party providers
The community has also started developing third-party providers for Rustls:
-* [`rustls-mbedtls-provider`] - a provider that uses [`mbedtls`] for cryptography.
-* [`rustls-openssl`] - a provider that uses [OpenSSL] for cryptography.
-* [`rustls-post-quantum`]: an experimental provider that adds support for post-quantum
-key exchange to the default aws-lc-rs provider.
* [`boring-rustls-provider`] - a work-in-progress provider that uses [`boringssl`] for
cryptography.
+* [`rustls-ccm`] - adds AES-CCM cipher suites (TLS 1.2 and 1.3) using [`RustCrypto`], for IoT/constrained-device protocols (IEEE 2030.5, Matter, RFC 7925).
+* [`rustls-graviola`] - a provider that uses [`graviola`] for cryptography.
+* [`rustls-mbedtls-provider`] - a provider that uses [`mbedtls`] for cryptography.
+* [`rustls-openssl`] - a provider that uses [OpenSSL] for cryptography.
* [`rustls-rustcrypto`] - an experimental provider that uses the crypto primitives
from [`RustCrypto`] for cryptography.
* [`rustls-symcrypt`] - a provider that uses Microsoft's [SymCrypt] library.
* [`rustls-wolfcrypt-provider`] - a work-in-progress provider that uses [`wolfCrypt`] for cryptography.
+[`rustls-ccm`]: https://github.com/jsulmont/rustls-ccm
+[`rustls-graviola`]: https://crates.io/crates/rustls-graviola
+[`graviola`]: https://github.com/ctz/graviola
[`rustls-mbedtls-provider`]: https://github.com/fortanix/rustls-mbedtls-provider
[`mbedtls`]: https://github.com/Mbed-TLS/mbedtls
[`rustls-openssl`]: https://github.com/tofay/rustls-openssl
@@ -111,21 +122,12 @@ from [`RustCrypto`] for cryptography.
[`boringssl`]: https://github.com/google/boringssl
[`rustls-rustcrypto`]: https://github.com/RustCrypto/rustls-rustcrypto
[`RustCrypto`]: https://github.com/RustCrypto
-[`rustls-post-quantum`]: https://crates.io/crates/rustls-post-quantum
[`rustls-wolfcrypt-provider`]: https://github.com/wolfSSL/rustls-wolfcrypt-provider
[`wolfCrypt`]: https://www.wolfssl.com/products/wolfcrypt
-#### Custom provider
-
-We also provide a simple example of writing your own provider in the [`custom-provider`]
-example. This example implements a minimal provider using parts of the [`RustCrypto`]
-ecosystem.
-
See the [Making a custom CryptoProvider] section of the documentation for more information
on this topic.
-[`custom-provider`]: https://github.com/rustls/rustls/tree/main/provider-example/
-[`RustCrypto`]: https://github.com/RustCrypto
[Making a custom CryptoProvider]: https://docs.rs/rustls/latest/rustls/crypto/struct.CryptoProvider.html#making-a-custom-cryptoprovider
# Example code
@@ -184,7 +186,7 @@ depth=2 CN = ponytown RSA CA
verify error:num=19:self signed certificate in certificate chain
hello world
^C
-$ echo hello world | cargo run --bin tlsclient-mio -- --cafile test-ca/rsa-2048/ca.cert -p 8443 localhost
+$ echo hello world | cargo run --bin tlsclient-mio -- --cafile test-ca/rsa-2048/ca.cert --port 8443 localhost
hello world
^C
```
diff --git a/SECURITY.md b/SECURITY.md
index 595d560d05a..6e88fdb160f 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -5,7 +5,7 @@
Security fixes will be backported only to the rustls versions for which the
original semver-compatible release was published less than 2 years ago.
-For example, as of 2024-04-18 the latest release is 0.23.4.
+For example, as of 2025-05-09 the latest release is 0.23.27.
* 0.23.0 was released in February of 2024
* 0.22.0 was released in December of 2023
@@ -13,7 +13,7 @@ For example, as of 2024-04-18 the latest release is 0.23.4.
* 0.20.0 was released in September of 2021
* 0.19.0 was released in November of 2020
-Therefore 0.23.x, 0.22.x and 0.21.x will be updated, while 0.20.x and 0.19.x
+Therefore 0.23.x and 0.22.x will be updated, while 0.21.x, 0.20.x and 0.19.x
will not be.
> [!NOTE]
@@ -29,8 +29,8 @@ in the course of normal development, subject to these constraints:
- Our MSRV will be no more recent than 9 versions old, or approximately 12 months.
> [!TIP]
-> At the time of writing, the most recent Rust release is 1.82.0. That means
-> our MSRV could be as recent as 1.73.0. As it happens, it is 1.71.0.
+> At the time of writing, the most recent Rust release is 1.94. That means
+> our MSRV could be as recent as 1.85. As it happens, it is 1.85.
- Our MSRV policy only covers the core library crate: it does not cover tests
or example code, and is not binding on our dependencies.
@@ -55,11 +55,20 @@ MSRV than this policy.
> [!NOTE]
> This is currently the case for our optional dependency on `zlib-rs`, which
-> has a current MSRV of 1.75.0.
+> has a current MSRV of 1.75.
## Reporting a Vulnerability
+Before reporting a security bug, make sure to:
+
+- Consider the threat model below. Misconfiguration that is unlikely to happen accidentally is
+ unlikely to be a security bug.
+- If applicable, compare the behavior to other TLS implementations. If the behavior is consistent
+ with other implementations, it is less likely to be a security bug.
+
Please report security bugs [via github](https://github.com/rustls/rustls/security/advisories/new).
+Make sure to disclose any use of AI assistance upfront.
+
We'll then:
- Prepare a fix and regression tests.
@@ -69,3 +78,112 @@ We'll then:
If you're *looking* for security bugs, this crate is set up for
`cargo fuzz` but would benefit from more runtime, targets and corpora.
+
+## Threat model
+
+### Scope and assumptions
+
+This library typically sits between raw network I/O and application code. The network side
+is fully attacker-controlled; the application-side is relatively trusted but still aims to be
+misuse-resistant.
+
+By "fully attacker-controlled", we specifically include:
+
+- on-path attackers (manipulating traffic to a real, honest peer)
+- malicious peers (whether pre- or post-authentication)
+- honest but broken peers (again, pre- or post-authentication)
+
+The core `rustls` library is a TLS protocol implementation, and requires additional items to
+become useful. These items are therefore in scope:
+
+- the default certificate verifiers based on `rustls-webpki`.
+- the cryptography providers published from the rustls repository (currently `rustls-ring` and `rustls-aws-lc-rs`;
+ but not the underlying libraries).
+
+These items are out of scope (security reports for them will be treated as normal bug reports):
+
+- examples, benchmarking and test code,
+- code in the `rustls-util` crate
+- our public website https://rustls.dev/
+
+### Boundary: network-originated input
+
+Everything arriving from the wire is treated as adversarially crafted. This is the primary attack surface.
+
+Specific threats (non-exhaustive):
+
+- Integer overflow or underflow in length fields,
+- Buffer over-read during fragment reassembly,
+- Infinite loops,
+- Reachable loops with inappropriate and attacker-controlled complexity, with significant amplification,
+- Reachable panics,
+- Authentication bypass,
+- Protocol downgrade,
+- Memory exhaustion or excessive memory consumption, with a significant amplification compared to attacker-controlled input.
+
+Mitigations:
+
+- The entire crate which processes items on this trust boundary is `forbid(unsafe_code)`. This means all
+ code within is the memory safe-subset of Rust. This ameliorates impact of items like integer overflows (generally
+ reducing their impact to denial-of-service), but has little impact on other threats.
+- We fuzz this interface, looking for reachable panics. The project is registered with OSS-Fuzz which provides
+ compute for this effort. Fuzzing is performed with a mock provider of cryptography, which is intended to make
+ both pre-auth and post-auth code paths reachable to the fuzzer (at the cost of fuzzing not covering the actual
+ cryptography implementations).
+- We have [studied and explained](https://rustls.dev/docs/manual/_01_impl_vulnerabilities/index.html#a-review-of-tls-implementation-vulnerabilities)
+ issues encountered in other TLS implementations and discuss further mitigations there.
+- We implement the TLS 1.3 downgrade sentinel (a [standard and required protocol feature](https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.3)
+ which limits downgrade from TLS 1.3).
+
+### Boundary: cryptography provider
+
+All items under the `CryptoProvider` and associated interfaces are external to the core `rustls`
+library, but overall secure operation is contingent on their correct implementation. Specific
+responsibilities are delegated through this interface (non-exhaustive):
+
+- random material generation
+- cryptography operations (encryption, decryption, hashing, key agreement, key derivation, signing, verification)
+- zeroization of long-term, ephemeral and intermediate secret key material
+- side-channel safety of cryptographic operations
+- correct error reporting (especially for cases such as signature verification and input validation)
+
+The core `rustls` crate cannot perform securely if these items are faulty, and it is not
+a security finding that (for example) rustls does not detect random material generation which produces
+the number 4 repeatedly.
+
+In addition, the core `rustls` crate itself:
+
+- performs zeroization of key material values it holds,
+- compares secret and public values in constant time,
+- correctly propagates and handles errors,
+- avoids `Debug` impls on any type that contains secret key material,
+- eschews support for problematic protocol features such as RSA encryption, and CBC-mode ciphersuites.
+
+### Boundary: public API
+
+The public API is the interface between the core `rustls` library and application code.
+This is a semi-trusted boundary: callers are not treated as adversaries, but the API
+aims to be misuse-resistant so that common mistakes do not lead to security failures.
+
+However, application code is not treated as adversarial. Callers who deliberately work
+to undermine their own security (for example, by implementing a custom certificate verifier
+that accepts all certificates) are outside the threat model. Security reports that
+require the caller to actively opt in to insecure behavior — through custom configuration
+that is unlikely to arise by accident — will be treated as normal bug reports.
+
+Specific threats (non-exhaustive):
+
+- Accidental or inadvertent disabling of essential security controls such as
+ hostname verification or certificate chain validation.
+- Accidental or inadvertent exposure of secret key material outside the library.
+- Reachable panics from normal sequences of API calls.
+
+Mitigations:
+
+- We make it specifically unfriendly to configure a custom certificate verifier,
+ to guide people away from this route of problem solving deployment issues.
+- Support for [`SSLKEYLOGFILE`](https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/)
+ requires explicit action on the part of the application.
+- Avoiding `Debug` impls on any type that contains secret key material.
+- In the public API error type, we have items for unreachable conditions, and
+ conditions that indicate misuse of the public API. These are returned instead of panics.
diff --git a/admin/all-features-except b/admin/all-features-except
index 395ee9d1611..d94ce63815f 100755
--- a/admin/all-features-except
+++ b/admin/all-features-except
@@ -9,7 +9,7 @@ a, b and c.
The output is decorated with `--no-default-features --features` meaning
it can be used directly with cargo, for example:
-$ cargo build $(admin/all-features-except std,logging rustls)
+$ cargo build $(admin/all-features-except std,log rustls)
It is assumed but not verified that the remaining features do not
have dependencies on the disabled features (otherwise, cargo will
diff --git a/admin/bench-measure.mk b/admin/bench-measure.mk
index a02510fed47..d982db3d060 100644
--- a/admin/bench-measure.mk
+++ b/admin/bench-measure.mk
@@ -48,14 +48,14 @@ memory: $(BENCH)
$(MEMUSAGE) $^ memory TLS13_AES_256_GCM_SHA384 5000
threads: $(BENCH)
- for thr in $(shell admin/threads-seq.rs) ; do \
- $^ --threads $$thr handshake TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ; \
- $^ --threads $$thr handshake-resume TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ; \
- $^ --threads $$thr handshake-ticket TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ; \
- $^ --key-type rsa2048 --threads $$thr handshake TLS13_AES_256_GCM_SHA384 ; \
- $^ --threads $$thr handshake-ticket TLS13_AES_256_GCM_SHA384 ; \
- $^ --threads $$thr bulk TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ; \
- $^ --key-type rsa2048 --threads $$thr bulk TLS13_AES_256_GCM_SHA384 ; \
+ for t in $(shell admin/threads-seq.rs) ; do \
+ $^ --threads $$t handshake TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ; \
+ $^ --threads $$t handshake-resume TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ; \
+ $^ --threads $$t handshake-ticket TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ; \
+ $^ --key-type rsa2048 --threads $$t handshake TLS13_AES_256_GCM_SHA384 ; \
+ $^ --threads $$t handshake-ticket TLS13_AES_256_GCM_SHA384 ; \
+ $^ --threads $$t bulk TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ; \
+ $^ --key-type rsa2048 --threads $$t bulk TLS13_AES_256_GCM_SHA384 ; \
done
thread-latency: $(BENCH)
diff --git a/admin/capture-certdata b/admin/capture-certdata
index b02cf24dc6a..2d3ad4b9961 100755
--- a/admin/capture-certdata
+++ b/admin/capture-certdata
@@ -49,7 +49,7 @@ def collect(hostname):
return certs
if __name__ == '__main__':
- certfile = lambda name, i: 'rustls/src/testdata/cert-%s.%d.der' % (name, i)
+ certfile = lambda name, i: 'rustls-test/benches/data/cert-%s.%d.der' % (name, i)
for name, hostname in SITES.items():
if path.exists(certfile(name, 0)):
@@ -59,4 +59,3 @@ if __name__ == '__main__':
for i, cert in enumerate(certchain):
open(certfile(name, i), 'wb').write(cert)
print('wrote', certfile(name, i))
-
diff --git a/admin/clippy b/admin/clippy
index 32250254c43..1a02146a5ce 100755
--- a/admin/clippy
+++ b/admin/clippy
@@ -23,6 +23,9 @@ run_clippy --package rustls --no-default-features --all-targets
# run all workspace members (individually, because we don't want feature unification)
for p in $(admin/all-workspace-members) ; do
case "$p" in
+ rustls-bench)
+ ALL_FEATURES=$(admin/all-features-except graviola rustls-bench)
+ ;;
*)
ALL_FEATURES="--all-features"
;;
diff --git a/admin/coverage b/admin/coverage
index 61360e42284..aeea3db2b0d 100755
--- a/admin/coverage
+++ b/admin/coverage
@@ -2,13 +2,18 @@
set -e
-source <(cargo llvm-cov show-env --export-prefix "$@")
+# for branch coverage support, which is unstable
+export RUSTC_BOOTSTRAP=1
+OPTIONS=--branch
+
+source <(cargo llvm-cov show-env --export-prefix $OPTIONS "$@")
cargo llvm-cov clean --workspace
cargo build --locked --all-targets --all-features
-cargo test --locked --all-features
-cargo test -p rustls --locked --no-default-features --features tls12,logging,aws_lc_rs,fips,std
-cargo test -p rustls --locked --no-default-features --features tls12,logging,ring,std
+cargo test --locked --all-features # this presumably enables `fips`
+cargo test -p rustls-ring --locked
+cargo test -p rustls-aws-lc-rs --locked
+cargo test -p rustls-test --locked --features aws-lc-rs # aws-lc-rs, but no fips
# ensure both zlib and brotli are tested, irrespective of their order
cargo test --locked $(admin/all-features-except zlib rustls)
@@ -17,10 +22,4 @@ cargo test --locked $(admin/all-features-except brotli rustls)
## bogo
cargo test --locked --test bogo -- --ignored --test-threads 1
-# provider example unit tests
-cargo test --locked --package rustls-provider-example
-
-## provider example tests
-cargo test --locked --package rustls-provider-test
-
-cargo llvm-cov report "$@"
+cargo llvm-cov report --ignore-filename-regex "(bogo|rustls-test)/" $OPTIONS "$@"
diff --git a/admin/logo/LICENSE b/admin/logo/LICENSE
new file mode 100644
index 00000000000..fe463e0f788
--- /dev/null
+++ b/admin/logo/LICENSE
@@ -0,0 +1,408 @@
+Attribution-NonCommercial 4.0 International
+
+=======================================================================
+
+Creative Commons Corporation ("Creative Commons") is not a law firm and
+does not provide legal services or legal advice. Distribution of
+Creative Commons public licenses does not create a lawyer-client or
+other relationship. Creative Commons makes its licenses and related
+information available on an "as-is" basis. Creative Commons gives no
+warranties regarding its licenses, any material licensed under their
+terms and conditions, or any related information. Creative Commons
+disclaims all liability for damages resulting from their use to the
+fullest extent possible.
+
+Using Creative Commons Public Licenses
+
+Creative Commons public licenses provide a standard set of terms and
+conditions that creators and other rights holders may use to share
+original works of authorship and other material subject to copyright
+and certain other rights specified in the public license below. The
+following considerations are for informational purposes only, are not
+exhaustive, and do not form part of our licenses.
+
+ Considerations for licensors: Our public licenses are
+ intended for use by those authorized to give the public
+ permission to use material in ways otherwise restricted by
+ copyright and certain other rights. Our licenses are
+ irrevocable. Licensors should read and understand the terms
+ and conditions of the license they choose before applying it.
+ Licensors should also secure all rights necessary before
+ applying our licenses so that the public can reuse the
+ material as expected. Licensors should clearly mark any
+ material not subject to the license. This includes other CC-
+ licensed material, or material used under an exception or
+ limitation to copyright. More considerations for licensors:
+ wiki.creativecommons.org/Considerations_for_licensors
+
+ Considerations for the public: By using one of our public
+ licenses, a licensor grants the public permission to use the
+ licensed material under specified terms and conditions. If
+ the licensor's permission is not necessary for any reason--for
+ example, because of any applicable exception or limitation to
+ copyright--then that use is not regulated by the license. Our
+ licenses grant only permissions under copyright and certain
+ other rights that a licensor has authority to grant. Use of
+ the licensed material may still be restricted for other
+ reasons, including because others have copyright or other
+ rights in the material. A licensor may make special requests,
+ such as asking that all changes be marked or described.
+ Although not required by our licenses, you are encouraged to
+ respect those requests where reasonable. More considerations
+ for the public:
+ wiki.creativecommons.org/Considerations_for_licensees
+
+=======================================================================
+
+Creative Commons Attribution-NonCommercial 4.0 International Public
+License
+
+By exercising the Licensed Rights (defined below), You accept and agree
+to be bound by the terms and conditions of this Creative Commons
+Attribution-NonCommercial 4.0 International Public License ("Public
+License"). To the extent this Public License may be interpreted as a
+contract, You are granted the Licensed Rights in consideration of Your
+acceptance of these terms and conditions, and the Licensor grants You
+such rights in consideration of benefits the Licensor receives from
+making the Licensed Material available under these terms and
+conditions.
+
+
+Section 1 -- Definitions.
+
+ a. Adapted Material means material subject to Copyright and Similar
+ Rights that is derived from or based upon the Licensed Material
+ and in which the Licensed Material is translated, altered,
+ arranged, transformed, or otherwise modified in a manner requiring
+ permission under the Copyright and Similar Rights held by the
+ Licensor. For purposes of this Public License, where the Licensed
+ Material is a musical work, performance, or sound recording,
+ Adapted Material is always produced where the Licensed Material is
+ synched in timed relation with a moving image.
+
+ b. Adapter's License means the license You apply to Your Copyright
+ and Similar Rights in Your contributions to Adapted Material in
+ accordance with the terms and conditions of this Public License.
+
+ c. Copyright and Similar Rights means copyright and/or similar rights
+ closely related to copyright including, without limitation,
+ performance, broadcast, sound recording, and Sui Generis Database
+ Rights, without regard to how the rights are labeled or
+ categorized. For purposes of this Public License, the rights
+ specified in Section 2(b)(1)-(2) are not Copyright and Similar
+ Rights.
+ d. Effective Technological Measures means those measures that, in the
+ absence of proper authority, may not be circumvented under laws
+ fulfilling obligations under Article 11 of the WIPO Copyright
+ Treaty adopted on December 20, 1996, and/or similar international
+ agreements.
+
+ e. Exceptions and Limitations means fair use, fair dealing, and/or
+ any other exception or limitation to Copyright and Similar Rights
+ that applies to Your use of the Licensed Material.
+
+ f. Licensed Material means the artistic or literary work, database,
+ or other material to which the Licensor applied this Public
+ License.
+
+ g. Licensed Rights means the rights granted to You subject to the
+ terms and conditions of this Public License, which are limited to
+ all Copyright and Similar Rights that apply to Your use of the
+ Licensed Material and that the Licensor has authority to license.
+
+ h. Licensor means the individual(s) or entity(ies) granting rights
+ under this Public License.
+
+ i. NonCommercial means not primarily intended for or directed towards
+ commercial advantage or monetary compensation. For purposes of
+ this Public License, the exchange of the Licensed Material for
+ other material subject to Copyright and Similar Rights by digital
+ file-sharing or similar means is NonCommercial provided there is
+ no payment of monetary compensation in connection with the
+ exchange.
+
+ j. Share means to provide material to the public by any means or
+ process that requires permission under the Licensed Rights, such
+ as reproduction, public display, public performance, distribution,
+ dissemination, communication, or importation, and to make material
+ available to the public including in ways that members of the
+ public may access the material from a place and at a time
+ individually chosen by them.
+
+ k. Sui Generis Database Rights means rights other than copyright
+ resulting from Directive 96/9/EC of the European Parliament and of
+ the Council of 11 March 1996 on the legal protection of databases,
+ as amended and/or succeeded, as well as other essentially
+ equivalent rights anywhere in the world.
+
+ l. You means the individual or entity exercising the Licensed Rights
+ under this Public License. Your has a corresponding meaning.
+
+
+Section 2 -- Scope.
+
+ a. License grant.
+
+ 1. Subject to the terms and conditions of this Public License,
+ the Licensor hereby grants You a worldwide, royalty-free,
+ non-sublicensable, non-exclusive, irrevocable license to
+ exercise the Licensed Rights in the Licensed Material to:
+
+ a. reproduce and Share the Licensed Material, in whole or
+ in part, for NonCommercial purposes only; and
+
+ b. produce, reproduce, and Share Adapted Material for
+ NonCommercial purposes only.
+
+ 2. Exceptions and Limitations. For the avoidance of doubt, where
+ Exceptions and Limitations apply to Your use, this Public
+ License does not apply, and You do not need to comply with
+ its terms and conditions.
+
+ 3. Term. The term of this Public License is specified in Section
+ 6(a).
+
+ 4. Media and formats; technical modifications allowed. The
+ Licensor authorizes You to exercise the Licensed Rights in
+ all media and formats whether now known or hereafter created,
+ and to make technical modifications necessary to do so. The
+ Licensor waives and/or agrees not to assert any right or
+ authority to forbid You from making technical modifications
+ necessary to exercise the Licensed Rights, including
+ technical modifications necessary to circumvent Effective
+ Technological Measures. For purposes of this Public License,
+ simply making modifications authorized by this Section 2(a)
+ (4) never produces Adapted Material.
+
+ 5. Downstream recipients.
+
+ a. Offer from the Licensor -- Licensed Material. Every
+ recipient of the Licensed Material automatically
+ receives an offer from the Licensor to exercise the
+ Licensed Rights under the terms and conditions of this
+ Public License.
+
+ b. No downstream restrictions. You may not offer or impose
+ any additional or different terms or conditions on, or
+ apply any Effective Technological Measures to, the
+ Licensed Material if doing so restricts exercise of the
+ Licensed Rights by any recipient of the Licensed
+ Material.
+
+ 6. No endorsement. Nothing in this Public License constitutes or
+ may be construed as permission to assert or imply that You
+ are, or that Your use of the Licensed Material is, connected
+ with, or sponsored, endorsed, or granted official status by,
+ the Licensor or others designated to receive attribution as
+ provided in Section 3(a)(1)(A)(i).
+
+ b. Other rights.
+
+ 1. Moral rights, such as the right of integrity, are not
+ licensed under this Public License, nor are publicity,
+ privacy, and/or other similar personality rights; however, to
+ the extent possible, the Licensor waives and/or agrees not to
+ assert any such rights held by the Licensor to the limited
+ extent necessary to allow You to exercise the Licensed
+ Rights, but not otherwise.
+
+ 2. Patent and trademark rights are not licensed under this
+ Public License.
+
+ 3. To the extent possible, the Licensor waives any right to
+ collect royalties from You for the exercise of the Licensed
+ Rights, whether directly or through a collecting society
+ under any voluntary or waivable statutory or compulsory
+ licensing scheme. In all other cases the Licensor expressly
+ reserves any right to collect such royalties, including when
+ the Licensed Material is used other than for NonCommercial
+ purposes.
+
+
+Section 3 -- License Conditions.
+
+Your exercise of the Licensed Rights is expressly made subject to the
+following conditions.
+
+ a. Attribution.
+
+ 1. If You Share the Licensed Material (including in modified
+ form), You must:
+
+ a. retain the following if it is supplied by the Licensor
+ with the Licensed Material:
+
+ i. identification of the creator(s) of the Licensed
+ Material and any others designated to receive
+ attribution, in any reasonable manner requested by
+ the Licensor (including by pseudonym if
+ designated);
+
+ ii. a copyright notice;
+
+ iii. a notice that refers to this Public License;
+
+ iv. a notice that refers to the disclaimer of
+ warranties;
+
+ v. a URI or hyperlink to the Licensed Material to the
+ extent reasonably practicable;
+
+ b. indicate if You modified the Licensed Material and
+ retain an indication of any previous modifications; and
+
+ c. indicate the Licensed Material is licensed under this
+ Public License, and include the text of, or the URI or
+ hyperlink to, this Public License.
+
+ 2. You may satisfy the conditions in Section 3(a)(1) in any
+ reasonable manner based on the medium, means, and context in
+ which You Share the Licensed Material. For example, it may be
+ reasonable to satisfy the conditions by providing a URI or
+ hyperlink to a resource that includes the required
+ information.
+
+ 3. If requested by the Licensor, You must remove any of the
+ information required by Section 3(a)(1)(A) to the extent
+ reasonably practicable.
+
+ 4. If You Share Adapted Material You produce, the Adapter's
+ License You apply must not prevent recipients of the Adapted
+ Material from complying with this Public License.
+
+
+Section 4 -- Sui Generis Database Rights.
+
+Where the Licensed Rights include Sui Generis Database Rights that
+apply to Your use of the Licensed Material:
+
+ a. for the avoidance of doubt, Section 2(a)(1) grants You the right
+ to extract, reuse, reproduce, and Share all or a substantial
+ portion of the contents of the database for NonCommercial purposes
+ only;
+
+ b. if You include all or a substantial portion of the database
+ contents in a database in which You have Sui Generis Database
+ Rights, then the database in which You have Sui Generis Database
+ Rights (but not its individual contents) is Adapted Material; and
+
+ c. You must comply with the conditions in Section 3(a) if You Share
+ all or a substantial portion of the contents of the database.
+
+For the avoidance of doubt, this Section 4 supplements and does not
+replace Your obligations under this Public License where the Licensed
+Rights include other Copyright and Similar Rights.
+
+
+Section 5 -- Disclaimer of Warranties and Limitation of Liability.
+
+ a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+ EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+ AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+ IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+ WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+ ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+ KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+ ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+ b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+ TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+ NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+ INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+ COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+ USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+ ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+ DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+ IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+ c. The disclaimer of warranties and limitation of liability provided
+ above shall be interpreted in a manner that, to the extent
+ possible, most closely approximates an absolute disclaimer and
+ waiver of all liability.
+
+
+Section 6 -- Term and Termination.
+
+ a. This Public License applies for the term of the Copyright and
+ Similar Rights licensed here. However, if You fail to comply with
+ this Public License, then Your rights under this Public License
+ terminate automatically.
+
+ b. Where Your right to use the Licensed Material has terminated under
+ Section 6(a), it reinstates:
+
+ 1. automatically as of the date the violation is cured, provided
+ it is cured within 30 days of Your discovery of the
+ violation; or
+
+ 2. upon express reinstatement by the Licensor.
+
+ For the avoidance of doubt, this Section 6(b) does not affect any
+ right the Licensor may have to seek remedies for Your violations
+ of this Public License.
+
+ c. For the avoidance of doubt, the Licensor may also offer the
+ Licensed Material under separate terms or conditions or stop
+ distributing the Licensed Material at any time; however, doing so
+ will not terminate this Public License.
+
+ d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
+ License.
+
+
+Section 7 -- Other Terms and Conditions.
+
+ a. The Licensor shall not be bound by any additional or different
+ terms or conditions communicated by You unless expressly agreed.
+
+ b. Any arrangements, understandings, or agreements regarding the
+ Licensed Material not stated herein are separate from and
+ independent of the terms and conditions of this Public License.
+
+
+Section 8 -- Interpretation.
+
+ a. For the avoidance of doubt, this Public License does not, and
+ shall not be interpreted to, reduce, limit, restrict, or impose
+ conditions on any use of the Licensed Material that could lawfully
+ be made without permission under this Public License.
+
+ b. To the extent possible, if any provision of this Public License is
+ deemed unenforceable, it shall be automatically reformed to the
+ minimum extent necessary to make it enforceable. If the provision
+ cannot be reformed, it shall be severed from this Public License
+ without affecting the enforceability of the remaining terms and
+ conditions.
+
+ c. No term or condition of this Public License will be waived and no
+ failure to comply consented to unless expressly agreed to by the
+ Licensor.
+
+ d. Nothing in this Public License constitutes or may be interpreted
+ as a limitation upon, or waiver of, any privileges and immunities
+ that apply to the Licensor or You, including from the legal
+ processes of any jurisdiction or authority.
+
+=======================================================================
+
+Creative Commons is not a party to its public
+licenses. Notwithstanding, Creative Commons may elect to apply one of
+its public licenses to material it publishes and in those instances
+will be considered the “Licensor.†The text of the Creative Commons
+public licenses is dedicated to the public domain under the CC0 Public
+Domain Dedication. Except for the limited purpose of indicating that
+material is shared under a Creative Commons public license or as
+otherwise permitted by the Creative Commons policies published at
+creativecommons.org/policies, Creative Commons does not authorize the
+use of the trademark "Creative Commons" or any other trademark or logo
+of Creative Commons without its prior written consent including,
+without limitation, in connection with any unauthorized modifications
+to any of its public licenses or any other arrangements,
+understandings, or agreements concerning use of licensed material. For
+the avoidance of doubt, this paragraph does not form part of the
+public licenses.
+
+Creative Commons may be contacted at creativecommons.org.
+
diff --git a/admin/logo/rustls.svg b/admin/logo/rustls.svg
new file mode 100644
index 00000000000..256cf8fff7a
--- /dev/null
+++ b/admin/logo/rustls.svg
@@ -0,0 +1,628 @@
+
+
+
+
diff --git a/admin/rustls-logo-web.png b/admin/rustls-logo-web.png
old mode 100755
new mode 100644
index 705b1307837..5df223bf6d6
Binary files a/admin/rustls-logo-web.png and b/admin/rustls-logo-web.png differ
diff --git a/bogo/Cargo.toml b/bogo/Cargo.toml
index cc3f2d3d64d..a654f0bb79a 100644
--- a/bogo/Cargo.toml
+++ b/bogo/Cargo.toml
@@ -2,14 +2,20 @@
name = "bogo"
version = "0.1.0"
edition = "2021"
+publish = false
[dependencies]
base64 = { workspace = true }
env_logger = { workspace = true }
-rustls = { path = "../rustls", features = ["aws_lc_rs", "ring", "tls12"] }
-rustls-post-quantum = { path = "../rustls-post-quantum", optional = true }
+nix = { version = "0.31", default-features = false, features = ["signal"] }
+rustls = { path = "../rustls" }
+rustls-aws-lc-rs = { path = "../rustls-aws-lc-rs" }
+rustls-ring = { path = "../rustls-ring" }
+webpki = { workspace = true }
[features]
default = []
-post-quantum = ["dep:rustls-post-quantum"]
-fips = ["rustls/fips"]
+fips = ["rustls-aws-lc-rs/fips"]
+
+[lints]
+workspace = true
diff --git a/bogo/check.py b/bogo/check.py
index c6fb9cb33ba..062d8ed8030 100644
--- a/bogo/check.py
+++ b/bogo/check.py
@@ -12,10 +12,9 @@
import fnmatch
import sys
-config = json.load(open('config.json'))
-test_error_set = set(config['TestErrorMap'].keys())
-test_local_error_set = set(config['TestLocalErrorMap'].keys())
-obsolete_disabled_tests = set()
+config = json.load(open("config.json"))
+test_error_set = set(config["TestErrorMap"].keys())
+test_local_error_set = set(config["TestLocalErrorMap"].keys())
all_tests = set()
failing_tests = set()
@@ -24,7 +23,7 @@
passed_tests = set()
for line in sys.stdin:
- m = re.match(r'^(PASSED|UNIMPLEMENTED|FAILED|DISABLED) \((.*)\)$', line.strip())
+ m = re.match(r"^(PASSED|UNIMPLEMENTED|FAILED|DISABLED) \((.*)\)$", line.strip())
if m:
status, name = m.groups()
if name in test_error_set:
@@ -32,33 +31,33 @@
if name in test_local_error_set:
test_local_error_set.remove(name)
all_tests.add(name)
- if status == 'FAILED':
+ if status == "FAILED":
failing_tests.add(name)
- elif status == 'UNIMPLEMENTED':
+ elif status == "UNIMPLEMENTED":
unimpl_tests.add(name)
- elif status == 'DISABLED':
+ elif status == "DISABLED":
disabled_tests.add(name)
- elif status == 'PASSED':
+ elif status == "PASSED":
passed_tests.add(name)
if disabled_tests:
- for disabled_glob in sorted(config['DisabledTests'].keys()):
+ for disabled_glob in sorted(config["DisabledTests"].keys()):
tests_matching_glob = fnmatch.filter(disabled_tests, disabled_glob)
if not tests_matching_glob:
- print('DisabledTests glob', disabled_glob, 'matches no tests')
+ print("DisabledTests glob", disabled_glob, "matches no tests")
else:
# to check DisabledTests, apply patch below to bogo
- print('(DisabledTests unchecked)')
+ print("(DisabledTests unchecked)")
-print(len(all_tests), 'total tests')
-print(len(passed_tests), 'passed')
-print(len(failing_tests), 'tests failing')
-print(len(unimpl_tests), 'tests not supported')
+print(len(all_tests), "total tests")
+print(len(passed_tests), "passed")
+print(len(failing_tests), "tests failing")
+print(len(unimpl_tests), "tests not supported")
if test_error_set:
- print('unknown TestErrorMap keys', list(sorted(test_error_set)))
+ print("unknown TestErrorMap keys", list(sorted(test_error_set)))
if test_local_error_set:
- print('unknown TestLocalErrorMap keys', list(sorted(test_local_error_set)))
+ print("unknown TestLocalErrorMap keys", list(sorted(test_local_error_set)))
MENTION_DISABLED_TESTS_PATCH = """
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
diff --git a/bogo/config.json.in b/bogo/config.json.in
index 2586a6f303c..a12200ea28c 100644
--- a/bogo/config.json.in
+++ b/bogo/config.json.in
@@ -1,234 +1,183 @@
{
"DisabledTests": {
- "SendV2ClientHello-*": "only support TLS1.2",
- "*SSL3*": "",
- "*TLS1-*": "",
- "*-TLS1": "",
- "*TLS11-*": "",
- "*-TLS11": "",
- "ConflictingVersionNegotiation": "",
- "CertificateSelection-*": "TODO",
- "SendFallbackSCSV": "fallback scsv not implemented",
- "ECDSAKeyUsage-*": "TODO: we don't do anything with key usages",
- "CheckRecordVersion-*": "we don't look at record version",
+ "*-ECDSA_SHA1-*": "no ecdsa-sha1",
+ "*-HintMismatch-*": "hints are a boringssl-specific feature",
+ "*-P-224-*": "no p224",
+ "*-QUIC": "quic mode does not work over TLS1.3 framing -- do this in the shim?",
+ "*-QUIC-*" :"quic mode does not work over TLS1.3 framing -- do this in the shim?",
+ "*-RSA_PKCS1_SHA256_LEGACY-*": "NYI on our side https://datatracker.ietf.org/doc/draft-ietf-tls-tls13-pkcs1/01/",
+ "*-RSA_WITH_3DES_EDE_CBC_SHA-*": "no cbc suites",
+ "*-RSA_WITH_AES_128_CBC_SHA-*": "no rsa kem",
+ "*-RSA_WITH_AES_128_GCM_SHA256-*": "no rsa kem",
+ "*-RSA_WITH_AES_256_CBC_SHA-*": "no rsa kem",
+ "*-RSA_WITH_AES_256_GCM_SHA384-*": "no rsa kem",
+ "*-Sign-RSA_PKCS1_SHA1-*": "no sha1",
+ "*-SignDefault-RSA_PKCS1_SHA1-*": "no sha1",
+ "*-TLS1": "we only support >=TLS1.2",
+ "*-TLS11": "we only support >=TLS1.2",
+ "*-VerifyDefault-RSA_PKCS1_SHA1-*": "no sha1",
+ "*Auth-SHA1-Fallback*": "no sha1 support, so no meaningful need to assume client supports it",
+ "*CBCPadding*": "no cbc suites",
"*DTLS*": "not supported",
- "MTU*": "dtls only",
+ "*EarlyKeyingMaterial-Client-*": "early exporter NYI",
+ "*Kyber*": "old draft, not implemented",
+ "*SSL3*": "we only support >=TLS1.2",
+ "*TLS1-*": "we only support >=TLS1.2",
+ "*TLS11-*": "we only support >=TLS1.2",
+ "*_P224_*": "no p224",
+ "*_WITH_AES_128_CBC_*": "no cbc suites",
+ "*_WITH_AES_256_CBC_*": "no cbc suites",
+ "ALPN*SelectEmpty-*": "our API design does not allow for this",
+ "ALPS-*": "no ALPS support yet",
+ "BadRSAClientKeyExchange-*": "no rsa kem",
+ "Basic-Server-RSA-*": "no rsa kem",
+ "CBCRecordSplitting*": "no cbc suites",
+ "CertificateCipherMismatch-PSS": "no rsa kem",
+ "CertificateSelection-*ClientCertificateTypes-*": "no support for CertificateRequest::certificate_types",
+ "CertificateSelection-*TrustAnchorIDs-*": "no support for trust anchor IDs draft",
+ "CertificateSelection-Client-SignatureAlgorithmECDSACurve-TLS-TLS12": "ClientCredentialResolver does not receive protocol version",
+ "CertificateSelection-Server-*": "TODO certificate selection for servers",
+ "CheckClientCertificateTypes": "we don't check TLS1.2 CertificateRequest.certificate_types",
+ "CheckClientCertificateTypes": "we don't check TLS1.2 CertificateRequest.certificate_types",
+ "CheckECDSACurve-TLS12": "we don't have this check",
+ "CheckLeafCurve": "we don't check this in TLS1.2 (note CheckLeafCurve-TLS13 works)",
+ "CheckRecordVersion-*": "we don't look at record version",
+ "Client-RejectJDK11DowngradeRandom": "workarounds for oracle engineering quality",
+ "Client-VerifyDefault-ECDSA_P521_SHA512-TLS12": "p521-sha512 accepted by default (where supported)",
+ "Client-VerifyDefault-ECDSA_P521_SHA512-TLS13": "p521-sha512 accepted by default (where supported)",
+ "Client-VerifyDefault-Ed25519-TLS12": "ed25519 accepted by default",
+ "Client-VerifyDefault-Ed25519-TLS13": "ed25519 accepted by default",
+ "ClientHelloPadding": "hello padding extension not implemented",
+ "ConflictingVersionNegotiation": "expects to negotiate TLS1.1",
+ "CurveTest-*-P-521-*": "no p521 key exchange",
+ "DelegatedCredentials-*": "not implemented",
"DisableEverything": "not useful",
- "CheckLeafCurve": "",
- "SendWarningAlerts-*": "",
- "Peek-*": "",
- "EchoTLS13CompatibilitySessionID": "",
- "ClientOCSPCallback*": "ocsp not supported yet",
- "ServerOCSPCallback*": "",
- "SendUnsolicitedOCSPOnCertificate-TLS13": "we unconditionally request a stapled OCSP response",
"DuplicateCertCompressionExt*-TLS12": "RFC8879: if TLS 1.2 or earlier is negotiated, the peers MUST ignore this extension",
+ "ECDSAKeyUsage-*": "TODO: we don't do anything with key usages",
+ "EarlyData-*ALPN*-*": "no alpn change in resumed sessions",
+ "Ed25519DefaultDisable-NoAccept": "not implemented (ed25519 accepted by default)",
+ "Ed25519DefaultDisable-NoAdvertise": "not implemented (ed25519 advertised by default)",
+ "EmptyExtensions-ClientHello-TLS12": "we require signature algorithms ext",
+ "ExtendedMasterSecret-Renego-*": "no renegotiation",
+ "ExtraClientEncryptedExtension-*": "we don't implement ALPS",
+ "FallbackSCSV*": "fallback countermeasure not yet implemented",
+ "GREASE-*": "not implemented",
+ "IgnoreExtensionsOnIntermediates-TLS13": "assumes SCT support",
+ "LargeMessage-Reject": "not supported as a runtime option (cert size limit is compile-time constant)",
+ "MLKEMKeyShareIncludedSecond-X25519MLKEM768": "we only include a share for the first configured group",
+ "MLKEMKeyShareIncludedThird-X25519MLKEM768": "we only include a share for the first configured group",
+ "MTU*": "dtls only",
+ "NPN-*": "no NPN support, never",
+ "NoCommonCurves": "nothing to fall back to",
+ "NoCommonSignatureAlgorithms-TLS12-Fallback": "requires TLS_RSA_WITH_AES_128_GCM_SHA256",
+ "OmitExtensions-ClientHello-TLS12": "we require signature algorithms ext",
+ "PAKE-*": "no PAKE draft support",
+ "Peek-*": "no SSL_peek or equivalent",
+ "QUIC-*": "quic mode does not work over TLS1.3 framing -- do this in the shim?",
+ "QUICCompatibilityMode": "quic mode does not work over TLS1.3 framing -- do this in the shim?",
+ "QUICTransportParams-*": "quic mode does not work over TLS1.3 framing -- do this in the shim?",
+ "RSA-PSS-Large": "no support for 1024-bit RSA keys",
+ "RSAEphemeralKey": "no rsa kem",
+ "RSAKeyUsage-*": "no rsa kem",
+ "Renegotiate-Client-*": "no renegotiation",
+ "Renegotiate-ForbidAfterHandshake": "no renegotiation",
+ "Renegotiate-Server-*": "no renegotiation",
+ "RequireAnyClientCertificate-TLS12": "we don't send an alert in this case",
+ "Resume-Client-CipherMismatch": "tries to vary to unimplemented CBC-mode cs",
+ "Resume-Server-OmitPSKsOnSecondClientHello": "not required by RFC",
+ "RetainOnlySHA256-*": "test for SSL_CTX_set_retain_only_sha256_of_client_certs api",
+ "SendClientVersion-RSA": "no rsa kem",
+ "SendFallbackSCSV": "fallback scsv not implemented",
+ "SendSCTListOnResume-TLS-TLS12": "no sct stapling",
+ "SendUnsolicitedOCSPOnCertificate-TLS13": "we unconditionally request a stapled OCSP response",
+ "SendUnsolicitedSCTOnCertificate-TLS13": "SCT stapling not supported",
+ "SendV2ClientHello-*": "we only support >=TLS1.2",
+ "Server-JDK11*": "workarounds for oracle engineering quality",
+ "Server-VerifyDefault-ECDSA_P521_SHA512-TLS12": "p521-sha512 accepted by default (where supported)",
+ "Server-VerifyDefault-ECDSA_P521_SHA512-TLS13": "p521-sha512 accepted by default (where supported)",
+ "Server-VerifyDefault-Ed25519-TLS12": "ed25519 accepted by default",
+ "Server-VerifyDefault-Ed25519-TLS13": "ed25519 accepted by default",
+ "ServerBogusVersion": "we ignore legacy_version if there's an extension",
+ "ServerOCSPCallback*": "ocsp not supported for servers",
+ "Shutdown-Shim-ApplicationData*": "tests boringssl/openssl-specific behaviour, we don't let application data overtake connection shutdown",
+ "Shutdown-Shim-HelloRequest-*": "no renegotiation",
+ "Shutdown-Shim-Renegotiate-*": "no renegotiation",
+ "SignedCertificateTimestampListEmpty-Client-*": "no sct stapling",
+ "SignedCertificateTimestampListEmptySCT-Client-*": "no sct stapling",
+ "TLS13-Client-*TicketFlags*": "no flags extension support (on tickets or elsewhere)",
+ "TrustAnchors-*": "no TrustAnchor draft support",
+ "TwoMLKEMs": "we only include a share for the first configured group",
+ "VerifyPreferences-Enforced": "we validate but don't actually implement -verify-prefs",
+ "VerifyPreferences-NoCommonAlgorithms": "we validate but don't actually implement -verify-prefs",
#if defined(RING)
"TLS-ECH-*": "*ring* has no HPKE provider for ECH",
+ "AllExtensions-Client-Permute-ECH-HelloRetryRequest-TLS-TLS13": "requires ECH",
#elif defined(AWS_LC_RS) && defined(FIPS)
"TLS-ECH-*": "ECH test suites use non-FIPS approved algos",
#else
- "TLS-ECH-Server*": "ECH server support NYI",
"TLS-ECH-Client-NoSupportedConfigs": "we don't fallback to TLS w/o ECH for no supported configs",
- "TLS-ECH-Client-SkipInvalidPublicName*": "we allow underscore names, don't fallback on no ECH configs",
"TLS-ECH-Client-NoSupportedConfigs-GREASE": "we don't fallback to GREASE for no ECH configs",
- "TLS-ECH-Client-TLS12-RejectRetryConfigs": "we disable TLS1.2 w/ ECH",
- "TLS-ECH-Client-Reject-NoClientCertificate-TLS12": "we disable TLS1.2 w/ ECH",
- "TLS-ECH-Client-Reject-TLS12": "we disable TLS1.2 w/ ECH",
- "TLS-ECH-Client-Reject-ResumeInnerSession-TLS12": "we disable TLS1.2 w/ ECH",
- "TLS-ECH-GREASE-Client-TLS12-RejectRetryConfigs": "we disable TLS1.2 w/ ECH",
"TLS-ECH-Client-Reject-EarlyDataRejected-TLS12": "we disable TLS1.2 w/ ECH",
+ "TLS-ECH-Client-Reject-NoClientCertificate-TLS12": "we disable TLS1.2 w/ ECH",
"TLS-ECH-Client-Reject-NoClientCertificate-TLS12-Async": "we disable TLS1.2 w/ ECH",
+ "TLS-ECH-Client-Reject-ResumeInnerSession-TLS12": "we disable TLS1.2 w/ ECH",
"TLS-ECH-Client-Reject-ResumeInnerSession-TLS13": "assumes no outer GREASE PSK, we send GREASE PSK",
+ "TLS-ECH-Client-Reject-TLS12": "we disable TLS1.2 w/ ECH",
+ "TLS-ECH-Client-SkipInvalidPublicName*": "we allow underscore names, don't fallback on no ECH configs",
+ "TLS-ECH-Client-TLS12-RejectRetryConfigs": "we disable TLS1.2 w/ ECH",
+ "TLS-ECH-GREASE-Client-TLS12-RejectRetryConfigs": "we disable TLS1.2 w/ ECH",
+ "TLS-ECH-Server*": "ECH server support NYI",
#endif
- "ALPS-*": "",
- "NPN-*": "",
- "NoCheckClientCertificateTypes": "we don't have this check",
- "CheckClientCertificateTypes": "^",
- "CheckECDSACurve-TLS12": "we don't have this check",
- "NoCheckECDSACurve-TLS12": "^",
- "CheckClientCertificateTypes": "^",
- "*-RSA_PKCS1_SHA256_LEGACY-*": "NYI on our side https://datatracker.ietf.org/doc/draft-ietf-tls-tls13-pkcs1/01/",
- "NoCommonSignatureAlgorithms-TLS12-Fallback": "requires TLS_RSA_WITH_AES_128_GCM_SHA256",
-#if defined(POST_QUANTUM)
- "MLKEMKeyShareIncludedSecond": "we only include a share for the first configured group",
- "MLKEMKeyShareIncludedThird": "^",
+#if defined(AWS_LC_RS)
+ "MLKEMKeyShareIncludedSecond-MLKEM1024": "we only include a share for the first configured group",
+ "MLKEMKeyShareIncludedThird-MLKEM1024": "we only include a share for the first configured group",
+ "NotJustMLKEMKeyShare-MLKEM1024": "we only include a share for the first configured group",
#else
"*MLKEM*": "not implemented",
#endif
- "*Kyber*": "old draft, not implemented",
- "ExtraClientEncryptedExtension-*": "we don't implement ALPS",
- "Server-JDK11*": "workarounds for oracle engineering quality",
- "Client-RejectJDK11DowngradeRandom": "",
- "SendUnsolicitedSCTOnCertificate-TLS13": "SCT stapling not supported",
- "SignedCertificateTimestampListEmpty-Client-*": "",
- "SignedCertificateTimestampListEmptySCT-Client-*": "",
- "SendSCTListOnResume-TLS-TLS12": "",
- "IgnoreExtensionsOnIntermediates-TLS13": "assumes SCT support",
- "CBCRecordSplitting*": "insane ciphersuites",
- "*CBCPadding*": "",
- "RSAEphemeralKey": "",
- "BadRSAClientKeyExchange-*": "",
- "SendClientVersion-RSA": "",
- "Basic-Server-RSA-*": "",
- "RSAKeyUsage-*": "",
- "*-RSA_WITH_3DES_EDE_CBC_SHA-*": "",
- "*_WITH_AES_128_CBC_*": "",
- "*_WITH_AES_256_CBC_*": "",
- "*-ECDSA_SHA1-*": "no ecdsa-sha1",
- "*-Sign-RSA_PKCS1_SHA1-*": "no sha1",
- "*-SignDefault-RSA_PKCS1_SHA1-*": "no sha1",
- "*-VerifyDefault-RSA_PKCS1_SHA1-*": "no sha1",
- "VerifyPreferences-NoCommonAlgorithms": "we validate but don't actually implement -verify-prefs",
- "VerifyPreferences-Enforced": "",
- "*_P224_*": "no p224",
- "*-P-224-*": "",
+#if defined(AWS_LC_RS)
+ "PostQuantumNotEnabledByDefaultForAServer": "it is",
+ "PostQuantumNotEnabledByDefaultInClients": "it is",
+#endif
+
#ifdef RING
"*-ECDSA_P521_SHA512-*": "no p521 signatures/verification",
#endif
- "CurveTest-*-P-521-*": "no p521 key exchange",
- "GREASE-*": "not implemented",
- "LargeMessage-Reject": "",
- "DelegatedCredentials-*": "not implemented",
- "ExportTrafficSecrets-*": "",
- "NoCommonCurves": "nothing to fall back to",
- "ClientHelloPadding": "hello padding extension not implemented",
- "Resume-Client-CipherMismatch": "tries to vary to unimplemented CBC-mode cs",
- "*Auth-SHA1-Fallback*": "",
- "RSA-PSS-Large": "",
- "*-RSA_WITH_AES_128_GCM_SHA256-*": "",
- "*-RSA_WITH_AES_256_GCM_SHA384-*": "",
- "*-RSA_WITH_AES_128_CBC_SHA-*": "",
- "*-RSA_WITH_AES_256_CBC_SHA-*": "",
- "OmitExtensions-ClientHello-TLS12": "",
- "EmptyExtensions-ClientHello-TLS12": "",
- "Resume-Server-OmitPSKsOnSecondClientHello": "not required by RFC",
- "FallbackSCSV*": "fallback countermeasure not yet implemented",
- "RequireAnyClientCertificate-TLS12": "we don't send an alert in this case",
- "ServerBogusVersion": "we ignore legacy_version if there's an extension",
- "Renegotiate-Client-*": "no reneg",
- "Shutdown-Shim-Renegotiate-*": "",
- "Shutdown-Shim-HelloRequest-*": "",
- "Shutdown-Shim-ApplicationData*": "tests boringssl/openssl-specific behaviour, we don't let application data overtake connection shutdown",
- "Renegotiate-Server-*": "",
- "Renegotiate-ForbidAfterHandshake": "",
- "SendHalfHelloRequest-*": "",
- "RetainOnlySHA256-*": "",
- "ExtendedMasterSecret-Renego-*": "",
- "ALPN*SelectEmpty-*": "",
- "EarlyData-*ALPN*-*": "no alpn change in resumed sessions",
- "*EarlyKeyingMaterial-Client-*": "early exporter NYI",
- "QUICTransportParams-*": "Bogo assumes this can be tested over TLS1.3 framing -- could make this work with some effort",
- "QUICCompatibilityMode": "",
- "Ed25519DefaultDisable-NoAccept": "not implemented (ed25519 accepted by default)",
- "Ed25519DefaultDisable-NoAdvertise": "not implemented (ed25519 advertised by default)",
- "Server-VerifyDefault-Ed25519-TLS13": "ed25519 accepted by default",
- "Server-VerifyDefault-Ed25519-TLS12": "",
- "Client-VerifyDefault-Ed25519-TLS13": "",
- "Client-VerifyDefault-Ed25519-TLS12": "",
- "Server-VerifyDefault-ECDSA_P521_SHA512-TLS13": "p521-sha512 accepted by default (where supported)",
- "Server-VerifyDefault-ECDSA_P521_SHA512-TLS12": "",
- "Client-VerifyDefault-ECDSA_P521_SHA512-TLS13": "",
- "Client-VerifyDefault-ECDSA_P521_SHA512-TLS12": "",
- "*-HintMismatch-*": "hints are a boringssl-specific feature",
+
#if defined(AWS_LC_RS) && defined(FIPS)
- "Compliance-fips-202205-TLS-Client-ECDSA_P521_SHA512": "these algorithms are fips approved in aws-lc-rs",
- "Compliance-fips-202205-TLS-Server-ECDSA_P521_SHA512": "",
- "Compliance-fips-202205-TLS-Client-Ed25519": "",
- "Compliance-fips-202205-TLS-Server-Ed25519": "",
+ "Compliance-fips-202205-TLS-Client-ECDSA_P521_SHA512": "fips approved in aws-lc-rs",
+ "Compliance-fips-202205-TLS-Client-Ed25519": "fips approved in aws-lc-rs",
+ "Compliance-fips-202205-TLS-Client-MLKEM": "fips pending in aws-lc-rs",
+ "Compliance-fips-202205-TLS-Client-X25519MLKEM768": "ml-kem fips pending in aws-lc-rs",
+ "Compliance-fips-202205-TLS-Server-ECDSA_P521_SHA512": "fips approved in aws-lc-rs",
+ "Compliance-fips-202205-TLS-Server-Ed25519": "fips approved in aws-lc-rs",
+ "Compliance-fips-202205-TLS-Server-MLKEM": "fips pending in aws-lc-rs",
+ "Compliance-fips-202205-TLS-Server-X25519MLKEM768": "ml-kem fips pending in aws-lc-rs",
#endif
- "*-QUIC-*" :"",
- "QUIC-*": "",
- "*-QUIC": ""
+
+ "__LAST__": ""
},
"ErrorMap": {
- ":HTTP_REQUEST:": ":GARBAGE:",
- ":HTTPS_PROXY_REQUEST:": ":GARBAGE:",
- ":WRONG_VERSION_NUMBER:": ":GARBAGE:",
- ":PEER_DID_NOT_RETURN_A_CERTIFICATE:": ":NO_CERTS:",
- ":UNEXPECTED_RECORD:": ":UNEXPECTED_MESSAGE:",
- ":NO_RENEGOTIATION:": ":UNEXPECTED_MESSAGE:",
- ":DIGEST_CHECK_FAILED:": ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
- ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:": ":UNEXPECTED_MESSAGE:",
- ":ENCRYPTED_LENGTH_TOO_LONG:": ":GARBAGE:"
+ ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:": [":UNEXPECTED_MESSAGE:"],
+ ":ENCRYPTED_LENGTH_TOO_LONG:": [":GARBAGE:"],
+ ":HTTPS_PROXY_REQUEST:": [":GARBAGE:"],
+ ":HTTP_REQUEST:": [":GARBAGE:"],
+ ":NO_RENEGOTIATION:": [":UNEXPECTED_MESSAGE:"],
+ ":PEER_DID_NOT_RETURN_A_CERTIFICATE:": [":NO_CERTS:"],
+ ":UNEXPECTED_RECORD:": [":UNEXPECTED_MESSAGE:"],
+ ":WRONG_VERSION_NUMBER:": [":GARBAGE:"]
},
"TestErrorMap": {
- "EmptyCertificateList": ":NO_CERTS:",
- "SendInvalidRecordType": ":GARBAGE:",
- "NoSharedCipher": ":HANDSHAKE_FAILURE:",
- "NoSharedCipher-TLS13": ":HANDSHAKE_FAILURE:",
- "InvalidECDHPoint-Client": ":PEER_MISBEHAVIOUR:",
- "InvalidECDHPoint-Server": ":PEER_MISBEHAVIOUR:",
- "TrailingMessageData-ClientHello-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-ServerHello-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-ServerCertificate-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-CertificateRequest-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-ClientCertificate-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-CertificateVerify-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-NewSessionTicket-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-ServerHelloDone-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-ServerKeyExchange-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-ClientKeyExchange-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-CertificateStatus-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-TLS13-ClientHello-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-TLS13-ServerHello-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-TLS13-EncryptedExtensions-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-TLS13-CertificateRequest-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-TLS13-ServerCertificate-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-TLS13-ServerCertificateVerify-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-TLS13-ServerFinished-TLS": ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
- "TrailingMessageData-TLS13-ClientCertificate-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-TLS13-ClientCertificateVerify-TLS": ":BAD_HANDSHAKE_MSG:",
- "TrailingMessageData-TLS13-EndOfEarlyData-TLS": ":BAD_HANDSHAKE_MSG:",
- "Server-NonEmptyEndOfEarlyData-TLS13": ":BAD_HANDSHAKE_MSG:",
- "MissingKeyShare-Client-TLS13": ":PEER_MISBEHAVIOUR:",
- "MissingKeyShare-Server-TLS13": ":INCOMPATIBLE:",
- "EmptyEncryptedExtensions-TLS13": ":BAD_HANDSHAKE_MSG:",
- "NoSupportedCurves": ":INCOMPATIBLE:",
- "VersionTooLow": ":INCOMPATIBLE:",
- "ALPNClient-RejectUnknown-TLS-TLS12": ":PEER_MISBEHAVIOUR:",
- "ALPNClient-RejectUnknown-TLS-TLS13": ":PEER_MISBEHAVIOUR:",
- "ALPNClient-EmptyProtocolName-TLS-TLS12": ":PEER_MISBEHAVIOUR:",
- "ALPNClient-EmptyProtocolName-TLS-TLS13": ":PEER_MISBEHAVIOUR:",
- "ALPNServer-EmptyProtocolName-TLS-TLS12": ":PEER_MISBEHAVIOUR:",
- "ALPNServer-EmptyProtocolName-TLS-TLS13": ":PEER_MISBEHAVIOUR:",
- "Verify-ClientAuth-SignatureType": ":BAD_SIGNATURE:",
- "Verify-ServerAuth-SignatureType-TLS13": ":BAD_SIGNATURE:",
- "Verify-ClientAuth-SignatureType-TLS13": ":BAD_SIGNATURE:",
- "UnofferedExtension-Client": ":PEER_MISBEHAVIOUR:",
- "UnknownExtension-Client": ":PEER_MISBEHAVIOUR:",
- "KeyUpdate-InvalidRequestMode": ":BAD_HANDSHAKE_MSG:",
- "ExtraCompressionMethods-TLS13": ":PEER_MISBEHAVIOUR:",
- "NoNullCompression-TLS12": ":INCOMPATIBLE:",
- "NoNullCompression-TLS13": ":INCOMPATIBLE:",
- "InvalidCompressionMethod": ":PEER_MISBEHAVIOUR:",
- "TLS13-InvalidCompressionMethod": ":PEER_MISBEHAVIOUR:",
- "TLS13-WrongOuterRecord": ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
- "TLS-TLS13-ECDHE_ECDSA_WITH_AES_128_GCM_SHA256-server": ":INCOMPATIBLE:",
- "TLS-TLS13-ECDHE_ECDSA_WITH_AES_128_GCM_SHA256-client": ":PEER_MISBEHAVIOUR:",
- "TLS-TLS13-ECDHE_ECDSA_WITH_AES_256_GCM_SHA384-server": ":INCOMPATIBLE:",
- "TLS-TLS13-ECDHE_ECDSA_WITH_AES_256_GCM_SHA384-client": ":PEER_MISBEHAVIOUR:",
- "TLS-TLS13-ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256-server": ":INCOMPATIBLE:",
- "TLS-TLS13-ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256-client": ":PEER_MISBEHAVIOUR:",
- "TLS-TLS13-ECDHE_RSA_WITH_AES_128_GCM_SHA256-server": ":INCOMPATIBLE:",
- "TLS-TLS13-ECDHE_RSA_WITH_AES_128_GCM_SHA256-client": ":PEER_MISBEHAVIOUR:",
- "TLS-TLS13-ECDHE_RSA_WITH_AES_256_GCM_SHA384-server": ":INCOMPATIBLE:",
- "TLS-TLS13-ECDHE_RSA_WITH_AES_256_GCM_SHA384-client": ":PEER_MISBEHAVIOUR:",
- "TLS-TLS13-ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256-server": ":INCOMPATIBLE:",
- "TLS-TLS13-ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256-client": ":PEER_MISBEHAVIOUR:",
- "TLS-TLS12-CHACHA20_POLY1305_SHA256-server": ":INCOMPATIBLE:",
- "TLS-TLS12-CHACHA20_POLY1305_SHA256-client": ":PEER_MISBEHAVIOUR:",
- "TLS-TLS12-AES_128_GCM_SHA256-server": ":INCOMPATIBLE:",
- "TLS-TLS12-AES_128_GCM_SHA256-client": ":PEER_MISBEHAVIOUR:",
- "TLS-TLS12-AES_256_GCM_SHA384-server": ":INCOMPATIBLE:",
- "TLS-TLS12-AES_256_GCM_SHA384-client": ":PEER_MISBEHAVIOUR:",
- "SkipHelloRetryRequest-TLS13": ":PEER_MISBEHAVIOUR:",
- "NoSupportedVersions": ":INCOMPATIBLE:",
- "Server-Sign-RSA_PKCS1_SHA256-TLS13": ":INCOMPATIBLE:",
- "Server-Sign-RSA_PKCS1_SHA384-TLS13": ":INCOMPATIBLE:",
- "Server-Sign-RSA_PKCS1_SHA512-TLS13": ":INCOMPATIBLE:",
- "Server-SignDefault-RSA_PKCS1_SHA256-TLS13": ":INCOMPATIBLE:",
- "Server-SignDefault-RSA_PKCS1_SHA384-TLS13": ":INCOMPATIBLE:",
- "Server-SignDefault-RSA_PKCS1_SHA512-TLS13": ":INCOMPATIBLE:",
+ "ALPNClient-EmptyProtocolName-TLS-TLS12": ":DECODE_ERROR:",
+ "ALPNClient-EmptyProtocolName-TLS-TLS13": ":DECODE_ERROR:",
+ "ALPNServer-EmptyProtocolName-TLS-TLS12": ":DECODE_ERROR:",
+ "ALPNServer-EmptyProtocolName-TLS-TLS13": ":DECODE_ERROR:",
+ "AppDataBeforeTLS13KeyChange": ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
+ "AppDataBeforeTLS13KeyChange-Empty": ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
+ "CertCompressionTooLargeClient-TLS13": ":GARBAGE:",
+ "CertificateCipherMismatch-ECDSA": ":WRONG_SIGNATURE_TYPE:",
+ "CertificateCipherMismatch-Ed25519": ":WRONG_SIGNATURE_TYPE:",
+ "CertificateCipherMismatch-RSA": ":WRONG_SIGNATURE_TYPE:",
"Client-Sign-RSA_PKCS1_SHA256-TLS13": ":INCOMPATIBLE:",
"Client-Sign-RSA_PKCS1_SHA384-TLS13": ":INCOMPATIBLE:",
"Client-Sign-RSA_PKCS1_SHA512-TLS13": ":INCOMPATIBLE:",
@@ -236,154 +185,122 @@
"Client-SignDefault-RSA_PKCS1_SHA384-TLS13": ":INCOMPATIBLE:",
"Client-SignDefault-RSA_PKCS1_SHA512-TLS13": ":INCOMPATIBLE:",
"Client-TLS13-NoSign-RSA_PKCS1_MD5_SHA1": ":INCOMPATIBLE:",
- "Server-TLS12-NoSign-RSA_PKCS1_MD5_SHA1": ":INCOMPATIBLE:",
- "Server-TLS13-NoSign-RSA_PKCS1_MD5_SHA1": ":INCOMPATIBLE:",
- "ClientAuth-NoFallback-RSA": ":BAD_HANDSHAKE_MSG:",
+ "Client-TooLongSessionID": ":BAD_HANDSHAKE_MSG:",
"ClientAuth-NoFallback-ECDSA": ":BAD_HANDSHAKE_MSG:",
+ "ClientAuth-NoFallback-RSA": ":BAD_HANDSHAKE_MSG:",
"ClientAuth-NoFallback-TLS13": ":BAD_HANDSHAKE_MSG:",
- "ServerAuth-NoFallback-TLS13": ":INCOMPATIBLE:",
- "SecondClientHelloWrongCurve-TLS13": ":PEER_MISBEHAVIOUR:",
- "SecondClientHelloMissingKeyShare-TLS13": ":INCOMPATIBLE:",
- "Resume-Server-BinderWrongLength-SecondBinder": ":PEER_MISBEHAVIOUR:",
- "Resume-Server-NoPSKBinder-SecondBinder": ":PEER_MISBEHAVIOUR:",
- "Resume-Server-ExtraPSKBinder-SecondBinder": ":PEER_MISBEHAVIOUR:",
- "Resume-Server-ExtraIdentityNoBinder-SecondBinder": ":PEER_MISBEHAVIOUR:",
- "Resume-Server-InvalidPSKBinder-SecondBinder": ":PEER_MISBEHAVIOUR:",
- "Resume-Server-PSKBinderFirstExtension-SecondBinder": ":PEER_MISBEHAVIOUR:",
- "Resume-Server-BinderWrongLength": ":PEER_MISBEHAVIOUR:",
- "Resume-Server-NoPSKBinder": ":PEER_MISBEHAVIOUR:",
- "Resume-Server-ExtraPSKBinder": ":PEER_MISBEHAVIOUR:",
- "Resume-Server-ExtraIdentityNoBinder": ":PEER_MISBEHAVIOUR:",
- "Resume-Server-InvalidPSKBinder": ":PEER_MISBEHAVIOUR:",
- "Resume-Server-PSKBinderFirstExtension": ":PEER_MISBEHAVIOUR:",
- "Resume-Client-PRFMismatch-TLS13": ":PEER_MISBEHAVIOUR:",
- "Resume-Client-Mismatch-TLS12-TLS13-TLS": ":PEER_MISBEHAVIOUR:",
- "Resume-Client-Mismatch-TLS13-TLS12-TLS": ":WRONG_CIPHER_RETURNED:",
- "NoSupportedCurves-TLS13": ":INCOMPATIBLE:",
- "BadECDHECurve-TLS13": ":PEER_MISBEHAVIOUR:",
- "InvalidECDHPoint-Client-TLS13": ":PEER_MISBEHAVIOUR:",
- "InvalidECDHPoint-Server-TLS13": ":PEER_MISBEHAVIOUR:",
- "InvalidPSKIdentity-TLS13": ":PEER_MISBEHAVIOUR:",
- "AlwaysSelectPSKIdentity-TLS13": ":PEER_MISBEHAVIOUR:",
- "TrailingKeyShareData-TLS13": ":BAD_HANDSHAKE_MSG:",
- "HelloRetryRequestCurveMismatch-TLS13": ":PEER_MISBEHAVIOUR:",
+ "DisabledCurve-HelloRetryRequest-TLS13": ":ILLEGAL_HELLO_RETRY_REQUEST_WITH_UNOFFERED_GROUP:",
+ "EarlyData-SkipEndOfEarlyData-TLS13": ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
+ "EmptyCertificateList": ":NO_CERTS:",
+ "EmptyEncryptedExtensions-TLS13": ":BAD_HANDSHAKE_MSG:",
+ "ExtendedMasterSecret-NoToYes-Client": ":RESUMED_SESSION_WITH_VARIED_EMS:",
+ "ExtendedMasterSecret-YesToNo-Client": ":RESUMED_SESSION_WITH_VARIED_EMS:",
+ "ExtendedMasterSecret-YesToNo-Server": ":RESUMED_SESSION_WITH_VARIED_EMS:",
+ "HelloRetryRequest-CipherChange-TLS13": ":SELECTED_DIFFERENT_CIPHERSUITE_AFTER_RETRY:",
+ "HelloRetryRequest-EmptyCookie-TLS13": ":DECODE_ERROR:",
"HelloRetryRequestVersionMismatch-TLS13": ":INCOMPATIBLE:",
- "HelloRetryRequest-DuplicateCookie-TLS13": ":PEER_MISBEHAVIOUR:",
- "HelloRetryRequest-DuplicateCurve-TLS13": ":PEER_MISBEHAVIOUR:",
- "UnknownUnencryptedExtension-Client-TLS13": ":PEER_MISBEHAVIOUR:",
- "UnexpectedUnencryptedExtension-Client-TLS13": ":PEER_MISBEHAVIOUR:",
- "UnofferedExtension-Client-TLS13": ":PEER_MISBEHAVIOUR:",
- "RenegotiationInfo-Forbidden-TLS13": ":PEER_MISBEHAVIOUR:",
- "UnknownExtension-Client-TLS13": ":PEER_MISBEHAVIOUR:",
- "RequestContextInHandshake-TLS13": ":BAD_HANDSHAKE_MSG:",
- "UnnecessaryHelloRetryRequest-TLS13": ":PEER_MISBEHAVIOUR:",
- "UnknownCurve-HelloRetryRequest-TLS13": ":PEER_MISBEHAVIOUR:",
- "DisabledCurve-HelloRetryRequest-TLS13": ":PEER_MISBEHAVIOUR:",
- "HelloRetryRequest-Empty-TLS13": ":PEER_MISBEHAVIOUR:",
- "HelloRetryRequest-EmptyCookie-TLS13": ":PEER_MISBEHAVIOUR:",
- "TrailingDataWithFinished-Client-TLS12": ":PEER_MISBEHAVIOUR:",
- "TrailingDataWithFinished-Resume-Client-TLS12": ":PEER_MISBEHAVIOUR:",
- "TrailingDataWithFinished-Server-TLS12": ":PEER_MISBEHAVIOUR:",
- "TrailingDataWithFinished-Resume-Server-TLS12": ":PEER_MISBEHAVIOUR:",
- "TrailingDataWithFinished-Client-TLS13": ":PEER_MISBEHAVIOUR:",
- "TrailingDataWithFinished-Server-TLS13": ":PEER_MISBEHAVIOUR:",
- "TrailingDataWithFinished-Resume-Client-TLS13": ":PEER_MISBEHAVIOUR:",
- "TrailingDataWithFinished-Resume-Server-TLS13": ":PEER_MISBEHAVIOUR:",
- "PartialSecondClientHelloAfterFirst": ":PEER_MISBEHAVIOUR:",
- "PartialClientFinishedWithSecondClientHello": ":PEER_MISBEHAVIOUR:",
- "PartialClientFinishedWithClientHello-TLS12-Resume": ":PEER_MISBEHAVIOUR:",
- "PartialServerHelloWithHelloRetryRequest": ":PEER_MISBEHAVIOUR:",
- "PartialNewSessionTicketWithServerHelloDone": ":PEER_MISBEHAVIOUR:",
- "PartialEndOfEarlyDataWithClientHello": ":PEER_MISBEHAVIOUR:",
- "FragmentAcrossChangeCipherSpec-Client": ":PEER_MISBEHAVIOUR:",
- "FragmentAcrossChangeCipherSpec-Server-Packed": ":PEER_MISBEHAVIOUR:",
- "FragmentAcrossChangeCipherSpec-Client-Resume-Packed": ":PEER_MISBEHAVIOUR:",
- "FragmentAcrossChangeCipherSpec-Client-Resume": ":PEER_MISBEHAVIOUR:",
- "FragmentAcrossChangeCipherSpec-Server-Resume": ":PEER_MISBEHAVIOUR:",
- "FragmentAcrossChangeCipherSpec-Server": ":PEER_MISBEHAVIOUR:",
- "FragmentAcrossChangeCipherSpec-Client-Packed": ":PEER_MISBEHAVIOUR:",
- "FragmentAcrossChangeCipherSpec-Server-Resume-Packed": ":PEER_MISBEHAVIOUR:",
- "PartialFinishedWithServerHelloDone": ":PEER_MISBEHAVIOUR:",
- "UnsupportedCurve-ServerHello-TLS13": ":PEER_MISBEHAVIOUR:",
- "PartialClientKeyExchangeWithClientHello": ":PEER_MISBEHAVIOUR:",
+ "KeyUpdate-InvalidRequestMode": ":BAD_HANDSHAKE_MSG:",
"MinimumVersion-Client-TLS13-TLS12-TLS": ":INCOMPATIBLE:",
"MinimumVersion-Client2-TLS13-TLS12-TLS": ":INCOMPATIBLE:",
"MinimumVersion-Server-TLS13-TLS12-TLS": ":INCOMPATIBLE:",
"MinimumVersion-Server2-TLS13-TLS12-TLS": ":INCOMPATIBLE:",
- "DuplicateKeyShares-TLS13": ":PEER_MISBEHAVIOUR:",
- "PartialEncryptedExtensionsWithServerHello": ":PEER_MISBEHAVIOUR:",
- "PartialClientFinishedWithClientHello": ":PEER_MISBEHAVIOUR:",
- "PointFormat-EncryptedExtensions-TLS13": ":PEER_MISBEHAVIOUR:",
- "Ticket-Forbidden-TLS13": ":PEER_MISBEHAVIOUR:",
- "PointFormat-Server-MissingUncompressed": ":INCOMPATIBLE:",
+ "MissingKeyShare-Server-TLS13": ":INCOMPATIBLE:",
"MissingSignatureAlgorithmsInCertificateRequest-TLS13": ":INCOMPATIBLE:",
- "NegotiatePSKResumption-TLS13": ":PEER_MISBEHAVIOUR:",
- "PointFormat-Client-MissingUncompressed": ":PEER_MISBEHAVIOUR:",
- "UnsolicitedServerNameAck-TLS-TLS12": ":PEER_MISBEHAVIOUR:",
- "UnsolicitedServerNameAck-TLS-TLS13": ":PEER_MISBEHAVIOUR:",
- "TicketSessionIDLength-33-TLS-TLS12": ":BAD_HANDSHAKE_MSG:",
- "Server-TooLongSessionID-TLS13": ":BAD_HANDSHAKE_MSG:",
- "Server-TooLongSessionID-TLS12": ":BAD_HANDSHAKE_MSG:",
- "Client-TooLongSessionID": ":BAD_HANDSHAKE_MSG:",
- "SendUnknownExtensionOnCertificate-TLS13": ":PEER_MISBEHAVIOUR:",
- "SendDuplicateExtensionsOnCerts-TLS13": ":PEER_MISBEHAVIOUR:",
- "EMS-Forbidden-TLS13": ":PEER_MISBEHAVIOUR:",
- "Unclean-Shutdown": ":CLOSE_WITHOUT_CLOSE_NOTIFY:",
- "SendExtensionOnClientCertificate-TLS13": ":PEER_MISBEHAVIOUR:",
+ "NoNullCompression-TLS12": ":INCOMPATIBLE:",
+ "NoNullCompression-TLS13": ":INCOMPATIBLE:",
+ "NoSharedCipher": ":HANDSHAKE_FAILURE:",
+ "NoSharedCipher-TLS13": ":HANDSHAKE_FAILURE:",
+ "NoSupportedCurves": ":INCOMPATIBLE:",
+ "NoSupportedCurves-TLS13": ":INCOMPATIBLE:",
+ "NoSupportedVersions": ":INCOMPATIBLE:",
+ "PointFormat-Client-MissingUncompressed": ":SERVER_HELLO_MUST_OFFER_UNCOMPRESSED_EC_POINTS:",
+ "PointFormat-Server-MissingUncompressed": ":INCOMPATIBLE:",
+ "RejectPSSKeyType-Client-TLS12": ":WRONG_SIGNATURE_TYPE:",
+ "RejectPSSKeyType-Client-TLS13": ":WRONG_SIGNATURE_TYPE:",
+ "RejectPSSKeyType-Server-TLS12": ":WRONG_SIGNATURE_TYPE:",
+ "RejectPSSKeyType-Server-TLS13": ":WRONG_SIGNATURE_TYPE:",
+ "RenegotiationInfo-Forbidden-TLS13": ":UNEXPECTED_EXTENSION:",
+ "RequestContextInHandshake-TLS13": ":BAD_HANDSHAKE_MSG:",
+ "Resume-Client-Mismatch-TLS13-TLS12-TLS": ":WRONG_CIPHER_RETURNED:",
+ "SecondClientHelloMissingKeyShare-TLS13": ":INCOMPATIBLE:",
+ "SecondServerHelloNoVersion-TLS13": ":WRONG_CIPHER_RETURNED:",
+ "SecondServerHelloWrongVersion-TLS13": ":INCOMPATIBLE:",
"SendBogusAlertType": ":BAD_ALERT:",
- "TLS13-HRR-InvalidCompressionMethod": ":BAD_HANDSHAKE_MSG:",
- "CertificateCipherMismatch-RSA": ":WRONG_SIGNATURE_TYPE:",
- "CertificateCipherMismatch-ECDSA": ":WRONG_SIGNATURE_TYPE:",
- "CertificateCipherMismatch-Ed25519": ":WRONG_SIGNATURE_TYPE:",
- "ServerCipherFilter-RSA": ":INCOMPATIBLE:",
+ "SendInvalidRecordType": ":GARBAGE:",
+ "Server-NonEmptyEndOfEarlyData-TLS13": ":BAD_HANDSHAKE_MSG:",
+ "Server-Sign-RSA_PKCS1_SHA256-TLS13": ":INCOMPATIBLE:",
+ "Server-Sign-RSA_PKCS1_SHA384-TLS13": ":INCOMPATIBLE:",
+ "Server-Sign-RSA_PKCS1_SHA512-TLS13": ":INCOMPATIBLE:",
+ "Server-SignDefault-RSA_PKCS1_SHA256-TLS13": ":INCOMPATIBLE:",
+ "Server-SignDefault-RSA_PKCS1_SHA384-TLS13": ":INCOMPATIBLE:",
+ "Server-SignDefault-RSA_PKCS1_SHA512-TLS13": ":INCOMPATIBLE:",
+ "Server-TLS12-NoSign-RSA_PKCS1_MD5_SHA1": ":INCOMPATIBLE:",
+ "Server-TLS13-NoSign-RSA_PKCS1_MD5_SHA1": ":INCOMPATIBLE:",
+ "Server-TooLongSessionID-TLS12": ":BAD_HANDSHAKE_MSG:",
+ "Server-TooLongSessionID-TLS13": ":BAD_HANDSHAKE_MSG:",
+ "ServerAuth-NoFallback-TLS13": ":INCOMPATIBLE:",
"ServerCipherFilter-ECDSA": ":INCOMPATIBLE:",
"ServerCipherFilter-Ed25519": ":INCOMPATIBLE:",
- "TLS13-OnlyPadding": ":PEER_MISBEHAVIOUR:",
- "TLS13-EmptyRecords": ":PEER_MISBEHAVIOUR:",
- "TLS13-DuplicateTicketEarlyDataSupport": ":PEER_MISBEHAVIOUR:",
- "SupportedVersionSelection-TLS12": ":PEER_MISBEHAVIOUR:",
- "HelloRetryRequest-CipherChange-TLS13": ":PEER_MISBEHAVIOUR:",
- "CurveTest-Client-Compressed-P-256-TLS12": ":PEER_MISBEHAVIOUR:",
- "CurveTest-Server-Compressed-P-256-TLS12": ":PEER_MISBEHAVIOUR:",
- "CurveTest-Client-Compressed-P-256-TLS13": ":PEER_MISBEHAVIOUR:",
- "CurveTest-Server-Compressed-P-256-TLS13": ":PEER_MISBEHAVIOUR:",
- "CurveTest-Client-Compressed-P-384-TLS12": ":PEER_MISBEHAVIOUR:",
- "CurveTest-Server-Compressed-P-384-TLS12": ":PEER_MISBEHAVIOUR:",
- "CurveTest-Client-Compressed-P-384-TLS13": ":PEER_MISBEHAVIOUR:",
- "CurveTest-Server-Compressed-P-384-TLS13": ":PEER_MISBEHAVIOUR:",
- "ExtendedMasterSecret-NoToYes-Client": ":PEER_MISBEHAVIOUR:",
- "ExtendedMasterSecret-YesToNo-Server": ":PEER_MISBEHAVIOUR:",
- "ExtendedMasterSecret-YesToNo-Client": ":PEER_MISBEHAVIOUR:",
- "ServerAcceptsEarlyDataOnHRR-Client-TLS13": ":PEER_MISBEHAVIOUR:",
- "Downgrade-TLS12-Client": ":PEER_MISBEHAVIOUR:",
- "Downgrade-TLS10-Client": ":HANDSHAKE_FAILURE:",
- "Downgrade-TLS10-Server": ":INCOMPATIBLE:",
- "ECDSACurveMismatch-Verify-TLS13": ":BAD_SIGNATURE:",
- "SecondServerHelloNoVersion-TLS13": ":PEER_MISBEHAVIOUR:",
- "SecondServerHelloWrongVersion-TLS13": ":INCOMPATIBLE:",
- "TooManyChangeCipherSpec-Client-TLS13": ":PEER_MISBEHAVIOUR:",
- "TooManyChangeCipherSpec-Server-TLS13": ":PEER_MISBEHAVIOUR:",
- "EarlyData-CipherMismatch-Client-TLS13": ":PEER_MISBEHAVIOUR:",
- "EarlyDataWithoutResume-Client-TLS13": ":PEER_MISBEHAVIOUR:",
- "EarlyDataVersionDowngrade-Client-TLS13": ":PEER_MISBEHAVIOUR:",
- "EarlyData-SkipEndOfEarlyData-TLS13": ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
- "CertCompressionTooLargeClient-TLS13": ":GARBAGE:",
- "SkipEarlyData-Interleaved-TLS13": ":PEER_MISBEHAVIOUR:",
- "SkipEarlyData-TooMuchData-TLS13": ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
+ "ServerCipherFilter-RSA": ":INCOMPATIBLE:",
"SkipEarlyData-HRR-FatalAlert-TLS13": ":HANDSHAKE_FAILURE:",
- "SkipEarlyData-HRR-Interleaved-TLS13": ":PEER_MISBEHAVIOUR:",
"SkipEarlyData-HRR-TooMuchData-TLS13": ":UNEXPECTED_MESSAGE:",
- "SkipEarlyData-SecondClientHelloEarlyData-TLS13": ":PEER_MISBEHAVIOUR:"
+ "SkipEarlyData-TooMuchData-TLS13": ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
+ "SupportedVersionSelection-TLS12": ":SELECTED_TLS12_USING_TLS13_VERSION_EXTENSION:",
+ "TicketSessionIDLength-33-TLS-TLS12": ":BAD_HANDSHAKE_MSG:",
+ "TLS-TLS12-AES_128_GCM_SHA256-server": ":INCOMPATIBLE:",
+ "TLS-TLS12-AES_256_GCM_SHA384-server": ":INCOMPATIBLE:",
+ "TLS-TLS12-CHACHA20_POLY1305_SHA256-server": ":INCOMPATIBLE:",
+ "TLS13-HRR-InvalidCompressionMethod": ":BAD_HANDSHAKE_MSG:",
+ "TLS13-InvalidCompressionMethod": ":UNSUPPORTED_COMPRESSION_ALGORITHM:",
+ "TLS13-WrongOuterRecord-TLS": ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
+ "TooManyChangeCipherSpec-Client-TLS13": ":ILLEGAL_MIDDLEBOX_CHANGE_CIPHER_SPEC:",
+ "TooManyChangeCipherSpec-Server-TLS13": ":ILLEGAL_MIDDLEBOX_CHANGE_CIPHER_SPEC:",
+ "TrailingKeyShareData-TLS13": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-CertificateRequest-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-CertificateStatus-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-CertificateVerify-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-ClientCertificate-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-ClientHello-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-ClientKeyExchange-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-NewSessionTicket-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-ServerCertificate-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-ServerHello-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-ServerHelloDone-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-ServerKeyExchange-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-TLS13-CertificateRequest-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-TLS13-ClientCertificate-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-TLS13-ClientCertificateVerify-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-TLS13-ClientHello-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-TLS13-EncryptedExtensions-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-TLS13-EndOfEarlyData-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-TLS13-ServerCertificate-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-TLS13-ServerCertificateVerify-TLS": ":BAD_HANDSHAKE_MSG:",
+ "TrailingMessageData-TLS13-ServerHello-TLS": ":BAD_HANDSHAKE_MSG:",
+ "Unclean-Shutdown": ":CLOSE_WITHOUT_CLOSE_NOTIFY:",
+ "UnknownCurve-HelloRetryRequest-TLS13": ":ILLEGAL_HELLO_RETRY_REQUEST_WITH_UNOFFERED_GROUP:",
+ "UnnecessaryHelloRetryRequest-TLS13": ":ILLEGAL_HELLO_RETRY_REQUEST_WITH_OFFERED_GROUP:",
+ "VersionTooLow": ":INCOMPATIBLE:"
},
"TestLocalErrorMap": {
- "GarbageCertificate-Server-TLS12": "remote error: bad certificate",
- "GarbageCertificate-Server-TLS13": "remote error: bad certificate",
+ "C__": "no alerts sent for the following tests... (artificial error created in the shim)",
+ "CertificateSelection-Client-CheckIssuer-MatchNone-TLS-TLS12": "",
+ "CertificateSelection-Client-CheckIssuer-MatchNone-TLS-TLS13": "",
+ "CertificateSelection-Client-CheckIssuerFallback-MatchNone-TLS-TLS12": "",
+ "CertificateSelection-Client-CheckIssuerFallback-MatchNone-TLS-TLS13": "",
+ "CertificateSelection-Client-SignatureAlgorithm-MatchNone-TLS-TLS12": "",
+ "CertificateSelection-Client-SignatureAlgorithm-MatchNone-TLS-TLS13": "",
+ "CertificateSelection-Client-SignatureAlgorithmECDSACurve-MatchNone-TLS-TLS13": "",
+ "CertificateSelection-Client-SignatureAlgorithmKeyPrefs-MatchNone-TLS-TLS12": "",
+ "CertificateSelection-Client-SignatureAlgorithmKeyPrefs-MatchNone-TLS-TLS13": "",
+ "D__": "",
+ "DuplicateExtensionClient-TLS-TLS12": "remote error: illegal parameter",
+ "DuplicateExtensionClient-TLS-TLS13": "remote error: illegal parameter",
+ "DuplicateExtensionServer-TLS-TLS12": "remote error: illegal parameter",
+ "DuplicateExtensionServer-TLS-TLS13": "remote error: illegal parameter",
"GarbageCertificate-Client-TLS12": "remote error: bad certificate",
"GarbageCertificate-Client-TLS13": "remote error: bad certificate",
- "Downgrade-TLS10-Client": "tls: no cipher suite supported by both client and server",
- "Downgrade-TLS10-Server": "remote error: protocol version not supported",
- "TrailingDataWithFinished-Client-TLS13": "local error: bad record MAC",
- "TrailingDataWithFinished-Resume-Client-TLS13": "local error: bad record MAC",
+ "GarbageCertificate-Server-TLS12": "remote error: bad certificate",
+ "GarbageCertificate-Server-TLS13": "remote error: bad certificate",
"SkipEarlyData-SecondClientHelloEarlyData-TLS13": "remote error: illegal parameter"
},
"HalfRTTTickets": 0
diff --git a/bogo/fetch-and-build b/bogo/fetch-and-build
index 67e2214abb8..f852e34e96e 100755
--- a/bogo/fetch-and-build
+++ b/bogo/fetch-and-build
@@ -15,7 +15,7 @@ util/testresult
EOF
# fix on a tested point of rustls-testing branch
-COMMIT=018edfaaaeea43bf35a16e9f7ba24510c0c003bb
+COMMIT=b6a09c71d983cf1ad7b729a7b1b287064bc6fae0
git fetch --depth=1 https://github.com/rustls/boringssl.git $COMMIT
git checkout $COMMIT
(cd ssl/test/runner && go test -c)
diff --git a/bogo/runme b/bogo/runme
index 1a79f77a5d4..f0bba108bf9 100755
--- a/bogo/runme
+++ b/bogo/runme
@@ -12,16 +12,13 @@ case ${BOGO_SHIM_PROVIDER:-aws-lc-rs} in
;;
aws-lc-rs)
cpp -P -DAWS_LC_RS config.json.in > config.json
+ export AWS_LC_SYS_NO_JITTER_ENTROPY=1
cargo run -- -print-rustls-provider
;;
aws-lc-rs-fips)
cpp -P -DAWS_LC_RS -DFIPS config.json.in > config.json
cargo run --features fips -- -print-rustls-provider
;;
- post-quantum)
- cpp -P -DAWS_LC_RS -DPOST_QUANTUM config.json.in > config.json
- cargo run --features post-quantum -- -print-rustls-provider
- ;;
existing)
;;
*)
@@ -38,10 +35,14 @@ fi
# Best effort on OS-X
case $OSTYPE in darwin*) set +e ;; esac
+# Set default timeout unless -wait-for-debugger flag is present.
+# When this flag is set the shim will pause itself, and the runner will
+# print the PID to attach to in order to continue.
+runner_args="-pipe -allow-unimplemented"
+[[ ! "$*" =~ "-wait-for-debugger" ]] && runner_args+=" -test.timeout 60s"
+
( cd bogo/ssl/test/runner && ./runner.test -shim-path ../../../../../target/debug/bogo \
-shim-config ../../../../config.json \
- -pipe \
- -allow-unimplemented \
- -test.timeout 60s \
+ $runner_args \
"$@") # you can pass in `-test "Foo;Bar"` to run specific tests
true
diff --git a/bogo/src/main.rs b/bogo/src/main.rs
index 8b8656a3eda..a97cfb9f27d 100644
--- a/bogo/src/main.rs
+++ b/bogo/src/main.rs
@@ -4,1359 +4,730 @@
// https://boringssl.googlesource.com/boringssl/+/master/ssl/test
//
-use std::fmt::{Debug, Formatter};
+use core::any::Any;
+use core::fmt::{Debug, Formatter};
+use core::hash::Hasher;
+use std::borrow::Cow;
use std::io::{self, Read, Write};
-use std::sync::Arc;
+use std::sync::{Arc, Mutex};
use std::{env, net, process, thread, time};
-use base64::prelude::{Engine, BASE64_STANDARD};
-use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
+use base64::prelude::{BASE64_STANDARD, Engine};
+#[cfg(unix)]
+use nix::sys::signal::{self, Signal};
+#[cfg(unix)]
+use nix::unistd::Pid;
+use rustls::client::danger::{
+ HandshakeSignatureValid, PeerVerified, ServerIdentity, ServerVerifier,
+};
use rustls::client::{
- ClientConfig, ClientConnection, EchConfig, EchGreaseConfig, EchMode, EchStatus, Resumption,
+ self, ClientConfig, ClientConnection, ClientSessionKey, CredentialRequest, EchConfig,
+ EchGreaseConfig, EchMode, EchStatus, Resumption, Tls12Resumption, Tls13Session,
WebPkiServerVerifier,
};
-use rustls::crypto::aws_lc_rs::hpke;
use rustls::crypto::hpke::{Hpke, HpkePublicKey};
-use rustls::crypto::{aws_lc_rs, ring, CryptoProvider};
-use rustls::internal::msgs::codec::{Codec, Reader};
-use rustls::internal::msgs::handshake::EchConfigPayload;
-use rustls::internal::msgs::persist::ServerSessionValue;
+use rustls::crypto::kx::NamedGroup;
+use rustls::crypto::{
+ Credentials, CryptoProvider, Identity, SelectedCredential, SignatureScheme, Signer, SigningKey,
+ SingleCredential,
+};
+use rustls::enums::{
+ ApplicationProtocol, CertificateCompressionAlgorithm, CertificateType, ProtocolVersion,
+};
+use rustls::error::{
+ AlertDescription, CertificateError, Error, InvalidMessage, PeerIncompatible, PeerMisbehaved,
+};
use rustls::pki_types::pem::PemObject;
-use rustls::pki_types::{CertificateDer, EchConfigListBytes, PrivateKeyDer, ServerName, UnixTime};
-use rustls::server::danger::{ClientCertVerified, ClientCertVerifier};
-use rustls::server::{
- ClientHello, ProducesTickets, ServerConfig, ServerConnection, WebPkiClientVerifier,
+use rustls::pki_types::{
+ CertificateDer, EchConfigListBytes, PrivateKeyDer, ServerName, SubjectPublicKeyInfoDer,
};
-use rustls::{
- client, compress, server, sign, version, AlertDescription, CertificateCompressionAlgorithm,
- CertificateError, Connection, DigitallySignedStruct, DistinguishedName, Error, HandshakeKind,
- InvalidMessage, NamedGroup, PeerIncompatible, PeerMisbehaved, ProtocolVersion, RootCertStore,
- Side, SignatureAlgorithm, SignatureScheme, SupportedProtocolVersion,
+use rustls::server::danger::{ClientIdentity, ClientVerifier, SignatureVerificationInput};
+use rustls::server::{
+ self, ClientHello, PreferClientOrder, PreferServerOrder, ServerConfig, ServerConnection,
+ ServerSessionKey, WebPkiClientVerifier,
};
+use rustls::{Connection, DistinguishedName, HandshakeKind, RootCertStore, compress};
+use rustls_aws_lc_rs::hpke;
-static BOGO_NACK: i32 = 89;
-
-macro_rules! println_err(
- ($($arg:tt)*) => { {
- writeln!(&mut ::std::io::stderr(), $($arg)*).unwrap();
- } }
-);
+pub fn main() {
+ let mut args: Vec<_> = env::args().collect();
+ env_logger::init();
-#[derive(Debug)]
-struct Options {
- port: u16,
- shim_id: u64,
- side: Side,
- max_fragment: Option,
- resumes: usize,
- verify_peer: bool,
- require_any_client_cert: bool,
- server_preference: bool,
- root_hint_subjects: Vec,
- offer_no_client_cas: bool,
- tickets: bool,
- resume_with_tickets_disabled: bool,
- queue_data: bool,
- queue_data_on_resume: bool,
- only_write_one_byte_after_handshake: bool,
- only_write_one_byte_after_handshake_on_resume: bool,
- shut_down_after_handshake: bool,
- check_close_notify: bool,
- host_name: String,
- use_sni: bool,
- trusted_cert_file: String,
- key_file: String,
- cert_file: String,
- protocols: Vec,
- reject_alpn: bool,
- support_tls13: bool,
- support_tls12: bool,
- min_version: Option,
- max_version: Option,
- server_ocsp_response: Vec,
- use_signing_scheme: u16,
- groups: Option>,
- export_keying_material: usize,
- export_keying_material_label: String,
- export_keying_material_context: String,
- export_keying_material_context_used: bool,
- read_size: usize,
- quic_transport_params: Vec,
- expect_quic_transport_params: Vec,
- enable_early_data: bool,
- expect_ticket_supports_early_data: bool,
- expect_accept_early_data: bool,
- expect_reject_early_data: bool,
- expect_version: u16,
- resumption_delay: u32,
- queue_early_data_after_received_messages: Vec,
- require_ems: bool,
- expect_handshake_kind: Option>,
- expect_handshake_kind_resumed: Option>,
- install_cert_compression_algs: CompressionAlgs,
- selected_provider: SelectedProvider,
- provider: CryptoProvider,
- ech_config_list: Option>,
- expect_ech_accept: bool,
- expect_ech_retry_configs: Option>,
- on_resume_ech_config_list: Option>,
- on_resume_expect_ech_accept: bool,
- on_initial_expect_ech_accept: bool,
- enable_ech_grease: bool,
- send_key_update: bool,
- expect_curve_id: Option,
- on_initial_expect_curve_id: Option,
- on_resume_expect_curve_id: Option,
-}
+ args.remove(0);
-impl Options {
- fn new() -> Self {
- let selected_provider = SelectedProvider::from_env();
- Options {
- port: 0,
- shim_id: 0,
- side: Side::Client,
- max_fragment: None,
- resumes: 0,
- verify_peer: false,
- tickets: true,
- resume_with_tickets_disabled: false,
- host_name: "example.com".to_string(),
- use_sni: false,
- queue_data: false,
- queue_data_on_resume: false,
- only_write_one_byte_after_handshake: false,
- only_write_one_byte_after_handshake_on_resume: false,
- shut_down_after_handshake: false,
- check_close_notify: false,
- require_any_client_cert: false,
- server_preference: false,
- root_hint_subjects: vec![],
- offer_no_client_cas: false,
- trusted_cert_file: "".to_string(),
- key_file: "".to_string(),
- cert_file: "".to_string(),
- protocols: vec![],
- reject_alpn: false,
- support_tls13: true,
- support_tls12: true,
- min_version: None,
- max_version: None,
- server_ocsp_response: vec![],
- use_signing_scheme: 0,
- groups: None,
- export_keying_material: 0,
- export_keying_material_label: "".to_string(),
- export_keying_material_context: "".to_string(),
- export_keying_material_context_used: false,
- read_size: 512,
- quic_transport_params: vec![],
- expect_quic_transport_params: vec![],
- enable_early_data: false,
- expect_ticket_supports_early_data: false,
- expect_accept_early_data: false,
- expect_reject_early_data: false,
- expect_version: 0,
- resumption_delay: 0,
- queue_early_data_after_received_messages: vec![],
- require_ems: false,
- expect_handshake_kind: None,
- expect_handshake_kind_resumed: Some(vec![HandshakeKind::Resumed]),
- install_cert_compression_algs: CompressionAlgs::None,
- selected_provider,
- provider: selected_provider.provider(),
- ech_config_list: None,
- expect_ech_accept: false,
- expect_ech_retry_configs: None,
- on_resume_ech_config_list: None,
- on_resume_expect_ech_accept: false,
- on_initial_expect_ech_accept: false,
- enable_ech_grease: false,
- send_key_update: false,
- expect_curve_id: None,
- on_initial_expect_curve_id: None,
- on_resume_expect_curve_id: None,
- }
+ if !args.is_empty() && args[0] == "-is-handshaker-supported" {
+ println!("No");
+ process::exit(0);
}
+ println!("options: {args:?}");
- fn version_allowed(&self, vers: ProtocolVersion) -> bool {
- (self.min_version.is_none() || u16::from(vers) >= u16::from(self.min_version.unwrap()))
- && (self.max_version.is_none()
- || u16::from(vers) <= u16::from(self.max_version.unwrap()))
- }
+ let mut opts = Options::new();
- fn tls13_supported(&self) -> bool {
- self.support_tls13 && self.version_allowed(ProtocolVersion::TLSv1_3)
+ while !args.is_empty() {
+ opts.parse_one(&mut args);
}
- fn tls12_supported(&self) -> bool {
- self.support_tls12 && self.version_allowed(ProtocolVersion::TLSv1_2)
+ if opts.side == Side::Client
+ && opts.on_initial_expect_curve_id != opts.on_resume_expect_curve_id
+ {
+ // expecting server to HRR us to its desired curve
+ opts.expect_handshake_kind_resumed =
+ Some(vec![HandshakeKind::ResumedWithHelloRetryRequest]);
}
- fn supported_versions(&self) -> Vec<&'static SupportedProtocolVersion> {
- let mut versions = vec![];
-
- if self.tls12_supported() {
- versions.push(&version::TLS12);
- }
+ println!("opts {opts:?}");
- if self.tls13_supported() {
- versions.push(&version::TLS13);
- }
- versions
+ #[cfg(unix)]
+ if opts.wait_for_debugger {
+ // On Unix systems when -wait-for-debugger is passed from the BoGo runner
+ // we should SIGSTOP ourselves to allow a debugger to attach to the shim to
+ // continue the testing process.
+ signal::kill(Pid::from_raw(process::id() as i32), Signal::SIGSTOP).unwrap();
}
-}
-#[derive(Clone, Copy, Debug, PartialEq)]
-enum SelectedProvider {
- AwsLcRs,
- #[cfg_attr(not(feature = "fips"), allow(dead_code))]
- AwsLcRsFips,
- #[cfg_attr(not(feature = "post-quantum"), allow(dead_code))]
- PostQuantum,
- Ring,
-}
+ let key_log = Arc::new(KeyLogMemo::default());
+ let mut config = match opts.side {
+ Side::Client => SideConfig::Client(make_client_cfg(&opts, &key_log)),
+ Side::Server => SideConfig::Server(make_server_cfg(&opts, &key_log)),
+ };
-impl SelectedProvider {
- fn from_env() -> Self {
- match env::var("BOGO_SHIM_PROVIDER")
- .ok()
- .as_deref()
- {
- None | Some("aws-lc-rs") => Self::AwsLcRs,
- #[cfg(feature = "fips")]
- Some("aws-lc-rs-fips") => Self::AwsLcRsFips,
- #[cfg(feature = "post-quantum")]
- Some("post-quantum") => Self::PostQuantum,
- Some("ring") => Self::Ring,
- Some(other) => panic!("unrecognised value for BOGO_SHIM_PROVIDER: {other:?}"),
+ for i in 0..opts.resumes + 1 {
+ assert!(opts.quic_transport_params.is_empty());
+ assert!(
+ opts.expect_quic_transport_params
+ .is_empty()
+ );
+
+ match &config {
+ SideConfig::Client(config) => {
+ let server_name = ServerName::try_from(opts.host_name.as_str())
+ .unwrap()
+ .to_owned();
+ let sess = config
+ .connect(server_name)
+ .build()
+ .unwrap();
+ exec(&opts, sess, &key_log, i);
+ }
+ SideConfig::Server(config) => {
+ let sess = ServerConnection::new(config.clone()).unwrap();
+ exec(&opts, sess, &key_log, i);
+ }
}
- }
- fn provider(&self) -> CryptoProvider {
- match self {
- Self::AwsLcRs | Self::AwsLcRsFips | Self::PostQuantum => {
- // ensure all suites and kx groups are included (even in fips builds)
- // as non-fips test cases require them. runner activates fips mode via -fips-202205 option
- // this includes rustls-post-quantum, which just returns an altered
- // version of `aws_lc_rs::default_provider()`
- CryptoProvider {
- kx_groups: aws_lc_rs::ALL_KX_GROUPS.to_vec(),
- cipher_suites: aws_lc_rs::ALL_CIPHER_SUITES.to_vec(),
- ..aws_lc_rs::default_provider()
- }
- }
+ if opts.resume_with_tickets_disabled {
+ opts.tickets = false;
- Self::Ring => ring::default_provider(),
+ match &mut config {
+ SideConfig::Server(server) => *server = make_server_cfg(&opts, &key_log),
+ SideConfig::Client(client) => *client = make_client_cfg(&opts, &key_log),
+ };
}
- }
- fn ticketer(&self) -> Arc {
- match self {
- Self::AwsLcRs | Self::AwsLcRsFips | Self::PostQuantum => {
- aws_lc_rs::Ticketer::new().unwrap()
+ if opts.on_resume_ech_config_list.is_some() {
+ opts.ech_config_list
+ .clone_from(&opts.on_resume_ech_config_list);
+ opts.expect_ech_accept = opts.on_resume_expect_ech_accept;
+ if let SideConfig::Client(client_cfg) = &mut config {
+ *client_cfg = make_client_cfg(&opts, &key_log);
}
- Self::Ring => ring::Ticketer::new().unwrap(),
}
- }
- fn supports_ech(&self) -> bool {
- match *self {
- Self::AwsLcRs | Self::AwsLcRsFips | Self::PostQuantum => true,
- Self::Ring => false,
- }
+ opts.expect_handshake_kind
+ .clone_from(&opts.expect_handshake_kind_resumed);
}
}
-fn load_root_certs(filename: &str) -> Arc {
- let mut roots = RootCertStore::empty();
+fn exec(opts: &Options, mut sess: impl Connection + 'static, key_log: &KeyLogMemo, count: usize) {
+ let mut sent_message = false;
- // -verify-peer can be used without specifying a root cert,
- // to test (eg) client auth without actually looking at the certs.
- //
- // but WebPkiClientVerifier requires a non-empty set of roots.
- //
- // use an unrelated cert we have lying around.
- let filename = match filename {
- "" => "../../../../../test-ca/rsa-2048/ca.cert",
- filename => filename,
- };
+ let addrs = [
+ net::SocketAddr::from((net::Ipv6Addr::LOCALHOST, opts.port)),
+ net::SocketAddr::from((net::Ipv4Addr::LOCALHOST, opts.port)),
+ ];
+ let mut conn = net::TcpStream::connect(&addrs[..]).expect("cannot connect");
+ let mut sent_shutdown = false;
+ let mut sent_exporter = false;
+ let mut sent_key_update = false;
+ let mut quench_writes = false;
- roots.add_parsable_certificates(
- CertificateDer::pem_file_iter(filename)
- .unwrap()
- .map(|item| item.unwrap()),
- );
- Arc::new(roots)
-}
+ conn.write_all(&opts.shim_id.to_le_bytes())
+ .unwrap();
-fn split_protocols(protos: &str) -> Vec {
- let mut ret = Vec::new();
+ loop {
+ if !sent_message && (opts.queue_data || (opts.queue_data_on_resume && count > 0)) {
+ if !opts
+ .queue_early_data_after_received_messages
+ .is_empty()
+ {
+ flush(&mut sess, &mut conn);
+ for message_size_estimate in &opts.queue_early_data_after_received_messages {
+ read_n_bytes(opts, &mut sess, &mut conn, *message_size_estimate);
+ }
+ println!("now ready for early data");
+ }
- let mut offs = 0;
- while offs < protos.len() {
- let len = protos.as_bytes()[offs] as usize;
- let item = protos[offs + 1..offs + 1 + len].to_string();
- ret.push(item);
- offs += 1 + len;
- }
-
- ret
-}
-
-fn decode_hex(hex: &str) -> Vec {
- (0..hex.len())
- .step_by(2)
- .map(|i| u8::from_str_radix(&hex[i..i + 2], 16).unwrap())
- .inspect(|x| println!("item {:?}", x))
- .collect()
-}
-
-#[derive(Debug)]
-struct DummyClientAuth {
- mandatory: bool,
- root_hint_subjects: Vec,
- parent: Arc,
-}
-
-impl DummyClientAuth {
- fn new(
- trusted_cert_file: &str,
- mandatory: bool,
- root_hint_subjects: Vec,
- ) -> Self {
- Self {
- mandatory,
- root_hint_subjects,
- parent: WebPkiClientVerifier::builder_with_provider(
- load_root_certs(trusted_cert_file),
- SelectedProvider::from_env()
- .provider()
- .into(),
- )
- .build()
- .unwrap(),
+ if count > 0 && opts.enable_early_data {
+ let len = client(&mut sess)
+ .early_data()
+ .expect("0rtt not available")
+ .write(b"hello")
+ .expect("0rtt write failed");
+ sess.writer()
+ .write_all(&b"hello"[len..])
+ .unwrap();
+ sent_message = true;
+ } else if !opts.only_write_one_byte_after_handshake {
+ let _ = sess.writer().write_all(b"hello");
+ sent_message = true;
+ }
}
- }
-}
-
-impl ClientCertVerifier for DummyClientAuth {
- fn offer_client_auth(&self) -> bool {
- true
- }
-
- fn client_auth_mandatory(&self) -> bool {
- self.mandatory
- }
- fn root_hint_subjects(&self) -> &[DistinguishedName] {
- &self.root_hint_subjects
- }
+ if !quench_writes {
+ flush(&mut sess, &mut conn);
+ }
- fn verify_client_cert(
- &self,
- _end_entity: &CertificateDer<'_>,
- _intermediates: &[CertificateDer<'_>],
- _now: UnixTime,
- ) -> Result {
- Ok(ClientCertVerified::assertion())
- }
+ if sess.wants_read() {
+ read_all_bytes(opts, &mut sess, &mut conn);
+ }
- fn verify_tls12_signature(
- &self,
- message: &[u8],
- cert: &CertificateDer<'_>,
- dss: &DigitallySignedStruct,
- ) -> Result {
- self.parent
- .verify_tls12_signature(message, cert, dss)
- }
+ if opts.side == Side::Server && opts.enable_early_data {
+ if let Some(ed) = &mut server(&mut sess).early_data() {
+ let mut data = Vec::new();
+ let data_len = ed
+ .read_to_end(&mut data)
+ .expect("cannot read early_data");
- fn verify_tls13_signature(
- &self,
- message: &[u8],
- cert: &CertificateDer<'_>,
- dss: &DigitallySignedStruct,
- ) -> Result {
- self.parent
- .verify_tls13_signature(message, cert, dss)
- }
+ for b in data.iter_mut() {
+ *b ^= 0xff;
+ }
- fn supported_verify_schemes(&self) -> Vec {
- self.parent.supported_verify_schemes()
- }
-}
+ sess.writer()
+ .write_all(&data[..data_len])
+ .expect("cannot echo early_data in 1rtt data");
+ }
+ }
-#[derive(Debug)]
-struct DummyServerAuth {
- parent: Arc,
-}
+ if !sess.is_handshaking() && opts.export_keying_material > 0 && !sent_exporter {
+ let mut export = vec![0; opts.export_keying_material];
+ sess.exporter()
+ .unwrap()
+ .derive(
+ opts.export_keying_material_label
+ .as_bytes(),
+ if opts.export_keying_material_context_used {
+ Some(
+ opts.export_keying_material_context
+ .as_bytes(),
+ )
+ } else {
+ None
+ },
+ &mut export,
+ )
+ .unwrap();
+ sess.writer()
+ .write_all(&export)
+ .unwrap();
+ sent_exporter = true;
+ }
-impl DummyServerAuth {
- fn new(trusted_cert_file: &str) -> Self {
- DummyServerAuth {
- parent: WebPkiServerVerifier::builder_with_provider(
- load_root_certs(trusted_cert_file),
- SelectedProvider::from_env()
- .provider()
- .into(),
- )
- .build()
- .unwrap(),
+ if !sess.is_handshaking() && opts.export_traffic_secrets && !sent_exporter {
+ let secrets = key_log.clone_inner();
+ assert_eq!(
+ secrets.client_traffic_secret.len(),
+ secrets.server_traffic_secret.len()
+ );
+ sess.writer()
+ .write_all(&(secrets.client_traffic_secret.len() as u16).to_le_bytes())
+ .unwrap();
+ sess.writer()
+ .write_all(&secrets.server_traffic_secret)
+ .unwrap();
+ sess.writer()
+ .write_all(&secrets.client_traffic_secret)
+ .unwrap();
+ sent_exporter = true;
}
- }
-}
-impl ServerCertVerifier for DummyServerAuth {
- fn verify_server_cert(
- &self,
- _end_entity: &CertificateDer<'_>,
- _certs: &[CertificateDer<'_>],
- _hostname: &ServerName<'_>,
- _ocsp: &[u8],
- _now: UnixTime,
- ) -> Result {
- Ok(ServerCertVerified::assertion())
- }
+ if opts.send_key_update && !sent_key_update && !sess.is_handshaking() {
+ sess.refresh_traffic_keys().unwrap();
+ sent_key_update = true;
+ }
- fn verify_tls12_signature(
- &self,
- message: &[u8],
- cert: &CertificateDer<'_>,
- dss: &DigitallySignedStruct,
- ) -> Result {
- self.parent
- .verify_tls12_signature(message, cert, dss)
- }
+ if !sess.is_handshaking() && opts.only_write_one_byte_after_handshake && !sent_message {
+ println!("writing message and then only one byte of its tls frame");
+ flush(&mut sess, &mut conn);
- fn verify_tls13_signature(
- &self,
- message: &[u8],
- cert: &CertificateDer<'_>,
- dss: &DigitallySignedStruct,
- ) -> Result {
- self.parent
- .verify_tls13_signature(message, cert, dss)
- }
+ sess.writer()
+ .write_all(b"hello")
+ .unwrap();
+ sent_message = true;
- fn supported_verify_schemes(&self) -> Vec {
- self.parent.supported_verify_schemes()
- }
-}
+ let mut one_byte = [0u8];
+ let mut cursor = io::Cursor::new(&mut one_byte[..]);
+ sess.write_tls(&mut cursor).unwrap();
+ conn.write_all(&one_byte)
+ .expect("IO error");
-#[derive(Debug)]
-struct FixedSignatureSchemeSigningKey {
- key: Arc,
- scheme: SignatureScheme,
-}
+ quench_writes = true;
+ }
-impl sign::SigningKey for FixedSignatureSchemeSigningKey {
- fn choose_scheme(&self, offered: &[SignatureScheme]) -> Option> {
- if offered.contains(&self.scheme) {
- self.key.choose_scheme(&[self.scheme])
- } else {
- self.key.choose_scheme(&[])
+ if opts.enable_early_data
+ && opts.side == Side::Client
+ && !sess.is_handshaking()
+ && count > 0
+ {
+ if opts.expect_accept_early_data && !client(&mut sess).is_early_data_accepted() {
+ quit_err("Early data was not accepted, but we expect the opposite");
+ } else if opts.expect_reject_early_data && client(&mut sess).is_early_data_accepted() {
+ quit_err("Early data was accepted, but we expect the opposite");
+ }
+ if opts.expect_version == 0x0304 {
+ match sess.protocol_version() {
+ Some(ProtocolVersion::TLSv1_3) | Some(ProtocolVersion(0x7f17)) => {}
+ _ => quit_err("wrong protocol version"),
+ }
+ }
}
- }
- fn algorithm(&self) -> SignatureAlgorithm {
- self.key.algorithm()
- }
-}
-#[derive(Debug)]
-struct FixedSignatureSchemeServerCertResolver {
- resolver: Arc,
- scheme: SignatureScheme,
-}
+ if let (Some(expected_options), false) =
+ (opts.expect_handshake_kind.as_ref(), sess.is_handshaking())
+ {
+ let actual = sess.handshake_kind().unwrap();
+ assert!(
+ expected_options.contains(&actual),
+ "wanted to see {expected_options:?} but got {actual:?}"
+ );
+ }
-impl server::ResolvesServerCert for FixedSignatureSchemeServerCertResolver {
- fn resolve(&self, client_hello: ClientHello) -> Option> {
- let mut certkey = self.resolver.resolve(client_hello)?;
- Arc::make_mut(&mut certkey).key = Arc::new(FixedSignatureSchemeSigningKey {
- key: certkey.key.clone(),
- scheme: self.scheme,
- });
- Some(certkey)
- }
-}
+ if let Some(curve_id) = &opts.expect_curve_id {
+ // unlike openssl/boringssl's API, `negotiated_key_exchange_group`
+ // works for the connection, not session. this means TLS1.2
+ // resumptions never have a value for `negotiated_key_exchange_group`
+ let tls12_resumed = sess.protocol_version() == Some(ProtocolVersion::TLSv1_2)
+ && sess.handshake_kind() == Some(HandshakeKind::Resumed);
+ let negotiated_key_exchange_group_ready = !(sess.is_handshaking() || tls12_resumed);
-#[derive(Debug)]
-struct FixedSignatureSchemeClientCertResolver {
- resolver: Arc,
- scheme: SignatureScheme,
-}
+ if negotiated_key_exchange_group_ready {
+ let actual = sess
+ .negotiated_key_exchange_group()
+ .expect("no kx with -expect-curve-id");
+ assert_eq!(curve_id, &actual.name());
+ }
+ }
-impl client::ResolvesClientCert for FixedSignatureSchemeClientCertResolver {
- fn resolve(
- &self,
- root_hint_subjects: &[&[u8]],
- sigschemes: &[SignatureScheme],
- ) -> Option> {
- if !sigschemes.contains(&self.scheme) {
- quit(":NO_COMMON_SIGNATURE_ALGORITHMS:");
+ if let Some(curve_id) = &opts.on_initial_expect_curve_id {
+ if !sess.is_handshaking() && count == 0 {
+ assert_eq!(sess.handshake_kind().unwrap(), HandshakeKind::Full);
+ assert_eq!(
+ sess.negotiated_key_exchange_group()
+ .expect("no kx with -on-initial-expect-curve-id")
+ .name(),
+ *curve_id
+ );
+ }
}
- let mut certkey = self
- .resolver
- .resolve(root_hint_subjects, sigschemes)?;
- Arc::make_mut(&mut certkey).key = Arc::new(FixedSignatureSchemeSigningKey {
- key: certkey.key.clone(),
- scheme: self.scheme,
- });
- Some(certkey)
- }
- fn has_certs(&self) -> bool {
- self.resolver.has_certs()
- }
-}
+ if let Some(curve_id) = &opts.on_resume_expect_curve_id {
+ if !sess.is_handshaking() && count > 0 {
+ assert!(matches!(
+ sess.handshake_kind().unwrap(),
+ HandshakeKind::Resumed | HandshakeKind::ResumedWithHelloRetryRequest
+ ));
+ assert_eq!(
+ sess.negotiated_key_exchange_group()
+ .expect("no kx with -on-resume-expect-curve-id")
+ .name(),
+ *curve_id
+ );
+ }
+ }
-fn lookup_scheme(scheme: u16) -> SignatureScheme {
- match scheme {
- 0x0401 => SignatureScheme::RSA_PKCS1_SHA256,
- 0x0501 => SignatureScheme::RSA_PKCS1_SHA384,
- 0x0601 => SignatureScheme::RSA_PKCS1_SHA512,
- 0x0403 => SignatureScheme::ECDSA_NISTP256_SHA256,
- 0x0503 => SignatureScheme::ECDSA_NISTP384_SHA384,
- 0x0603 => SignatureScheme::ECDSA_NISTP521_SHA512,
- 0x0804 => SignatureScheme::RSA_PSS_SHA256,
- 0x0805 => SignatureScheme::RSA_PSS_SHA384,
- 0x0806 => SignatureScheme::RSA_PSS_SHA512,
- 0x0807 => SignatureScheme::ED25519,
- // TODO: add support for Ed448
- // 0x0808 => SignatureScheme::ED448,
- _ => {
- println_err!("Unsupported signature scheme {:04x}", scheme);
- process::exit(BOGO_NACK);
+ {
+ let ech_accept_required =
+ (count == 0 && opts.on_initial_expect_ech_accept) || opts.expect_ech_accept;
+ if ech_accept_required
+ && !sess.is_handshaking()
+ && client(&mut sess).ech_status() != EchStatus::Accepted
+ {
+ quit_err("ECH was not accepted, but we expect the opposite");
+ }
}
- }
-}
-#[derive(Debug)]
-struct ServerCacheWithResumptionDelay {
- delay: u32,
- storage: Arc,
-}
-
-impl ServerCacheWithResumptionDelay {
- fn new(delay: u32) -> Arc {
- Arc::new(Self {
- delay,
- storage: server::ServerSessionMemoryCache::new(32),
- })
- }
-}
-
-fn align_time() {
- /* we don't have an injectable clock source in rustls' public api, and
- * resumption timing is in seconds resolution, so tests that use
- * resumption_delay tend to be flickery if the seconds time ticks
- * during this.
- *
- * this function delays until a fresh second ticks, which alleviates
- * this. gross!
- */
- fn sample() -> u64 {
- time::SystemTime::now()
- .duration_since(time::SystemTime::UNIX_EPOCH)
- .unwrap()
- .as_secs()
- }
-
- let start_secs = sample();
- while start_secs == sample() {
- thread::sleep(time::Duration::from_millis(20));
- }
-}
-
-impl server::StoresServerSessions for ServerCacheWithResumptionDelay {
- fn put(&self, key: Vec, value: Vec) -> bool {
- let mut ssv = ServerSessionValue::read_bytes(&value).unwrap();
- ssv.creation_time_sec -= self.delay as u64;
-
- self.storage
- .put(key, ssv.get_encoding())
- }
-
- fn get(&self, key: &[u8]) -> Option> {
- self.storage.get(key)
- }
-
- fn take(&self, key: &[u8]) -> Option> {
- self.storage.take(key)
- }
-
- fn can_cache(&self) -> bool {
- self.storage.can_cache()
- }
-}
-
-fn make_server_cfg(opts: &Options) -> Arc {
- let client_auth =
- if opts.verify_peer || opts.offer_no_client_cas || opts.require_any_client_cert {
- Arc::new(DummyClientAuth::new(
- &opts.trusted_cert_file,
- opts.require_any_client_cert,
- opts.root_hint_subjects.clone(),
- ))
- } else {
- server::WebPkiClientVerifier::no_client_auth()
+ let mut buf = [0u8; 1024];
+ let len = match sess
+ .reader()
+ .read(&mut buf[..opts.read_size])
+ {
+ Ok(0) => {
+ if opts.check_close_notify {
+ println!("close notify ok");
+ }
+ println!("EOF (tls)");
+ return;
+ }
+ Ok(len) => len,
+ Err(err) if err.kind() == io::ErrorKind::WouldBlock => 0,
+ Err(err) if err.kind() == io::ErrorKind::UnexpectedEof => {
+ if opts.check_close_notify {
+ quit_err(":CLOSE_WITHOUT_CLOSE_NOTIFY:");
+ }
+ println!("EOF (tcp)");
+ return;
+ }
+ Err(err) => panic!("unhandled read error {err:?}"),
};
- let cert = CertificateDer::pem_file_iter(&opts.cert_file)
- .unwrap()
- .map(|cert| cert.unwrap())
- .collect::>();
- let key = PrivateKeyDer::from_pem_file(&opts.key_file).unwrap();
-
- let mut provider = opts.provider.clone();
-
- if let Some(groups) = &opts.groups {
- provider
- .kx_groups
- .retain(|kxg| groups.contains(&kxg.name()));
- }
-
- let mut cfg = ServerConfig::builder_with_provider(provider.into())
- .with_protocol_versions(&opts.supported_versions())
- .unwrap()
- .with_client_cert_verifier(client_auth)
- .with_single_cert_with_ocsp(cert.clone(), key, opts.server_ocsp_response.clone())
- .unwrap();
-
- cfg.session_storage = ServerCacheWithResumptionDelay::new(opts.resumption_delay);
- cfg.max_fragment_size = opts.max_fragment;
- cfg.send_tls13_tickets = 1;
- cfg.require_ems = opts.require_ems;
- cfg.ignore_client_order = opts.server_preference;
-
- if opts.use_signing_scheme > 0 {
- let scheme = lookup_scheme(opts.use_signing_scheme);
- cfg.cert_resolver = Arc::new(FixedSignatureSchemeServerCertResolver {
- resolver: cfg.cert_resolver.clone(),
- scheme,
- });
- }
-
- if opts.tickets {
- cfg.ticketer = opts.selected_provider.ticketer();
- } else if opts.resumes == 0 {
- cfg.session_storage = Arc::new(server::NoServerSessionStorage {});
- }
-
- if !opts.protocols.is_empty() {
- cfg.alpn_protocols = opts
- .protocols
- .iter()
- .map(|proto| proto.as_bytes().to_vec())
- .collect::>();
- }
-
- if opts.reject_alpn {
- cfg.alpn_protocols = vec![b"invalid".to_vec()];
- }
-
- if opts.enable_early_data {
- // see kMaxEarlyDataAccepted in boringssl, which bogo validates
- cfg.max_early_data_size = 14336;
- cfg.send_half_rtt_data = true;
- }
-
- match opts.install_cert_compression_algs {
- CompressionAlgs::All => {
- cfg.cert_compressors = vec![&ExpandingAlgorithm, &ShrinkingAlgorithm, &RandomAlgorithm];
- cfg.cert_decompressors =
- vec![&ExpandingAlgorithm, &ShrinkingAlgorithm, &RandomAlgorithm];
- }
- CompressionAlgs::One(ShrinkingAlgorithm::ALGORITHM) => {
- cfg.cert_compressors = vec![&ShrinkingAlgorithm];
- cfg.cert_decompressors = vec![&ShrinkingAlgorithm];
+ if opts.shut_down_after_handshake && !sent_shutdown && !sess.is_handshaking() {
+ sess.send_close_notify();
+ sent_shutdown = true;
}
- CompressionAlgs::None => {}
- _ => unimplemented!(),
- }
- Arc::new(cfg)
-}
+ if quench_writes && len > 0 {
+ println!("unquenching writes after {len:?}");
+ quench_writes = false;
+ }
-struct ClientCacheWithoutKxHints {
- delay: u32,
- storage: Arc,
-}
+ for b in buf.iter_mut() {
+ *b ^= 0xff;
+ }
-impl ClientCacheWithoutKxHints {
- fn new(delay: u32) -> Arc {
- Arc::new(ClientCacheWithoutKxHints {
- delay,
- storage: Arc::new(client::ClientSessionMemoryCache::new(32)),
- })
+ sess.writer()
+ .write_all(&buf[..len])
+ .unwrap();
}
}
-impl client::ClientSessionStore for ClientCacheWithoutKxHints {
- fn set_kx_hint(&self, _: ServerName<'static>, _: NamedGroup) {}
- fn kx_hint(&self, _: &ServerName<'_>) -> Option {
- None
- }
-
- fn set_tls12_session(
- &self,
- server_name: ServerName<'static>,
- mut value: client::Tls12ClientSessionValue,
- ) {
- value.rewind_epoch(self.delay);
- self.storage
- .set_tls12_session(server_name, value);
- }
-
- fn tls12_session(
- &self,
- server_name: &ServerName<'_>,
- ) -> Option {
- self.storage.tls12_session(server_name)
- }
-
- fn remove_tls12_session(&self, server_name: &ServerName<'static>) {
- self.storage
- .remove_tls12_session(server_name);
- }
-
- fn insert_tls13_ticket(
- &self,
- server_name: ServerName<'static>,
- mut value: client::Tls13ClientSessionValue,
- ) {
- value.rewind_epoch(self.delay);
- self.storage
- .insert_tls13_ticket(server_name, value)
- }
-
- fn take_tls13_ticket(
- &self,
- server_name: &ServerName<'static>,
- ) -> Option {
- self.storage
- .take_tls13_ticket(server_name)
- }
+enum SideConfig {
+ Client(Arc),
+ Server(Arc),
}
-impl Debug for ClientCacheWithoutKxHints {
- fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
- // Note: we omit self.storage here as it may contain sensitive data.
- f.debug_struct("ClientCacheWithoutKxHints")
- .field("delay", &self.delay)
- .finish()
- }
+fn client(conn: &mut dyn Any) -> &mut ClientConnection {
+ conn.downcast_mut::()
+ .unwrap()
}
-fn make_client_cfg(opts: &Options) -> Arc {
- let mut provider = opts.provider.clone();
-
- if let Some(groups) = &opts.groups {
- provider
- .kx_groups
- .retain(|kxg| groups.contains(&kxg.name()));
- }
-
- let cfg = ClientConfig::builder_with_provider(provider.into());
-
- let cfg = if opts.selected_provider.supports_ech() {
- if let Some(ech_config_list) = &opts.ech_config_list {
- let ech_mode: EchMode = EchConfig::new(ech_config_list.clone(), ALL_HPKE_SUITES)
- .unwrap_or_else(|_| quit(":INVALID_ECH_CONFIG_LIST:"))
- .into();
-
- cfg.with_ech(ech_mode)
- .expect("invalid ECH config")
- } else if opts.enable_ech_grease {
- let ech_mode = EchMode::Grease(EchGreaseConfig::new(
- GREASE_HPKE_SUITE,
- HpkePublicKey(GREASE_25519_PUBKEY.to_vec()),
- ));
+fn server(conn: &mut dyn Any) -> &mut ServerConnection {
+ conn.downcast_mut::()
+ .unwrap()
+}
- cfg.with_ech(ech_mode)
- .expect("invalid GREASE ECH config")
- } else {
- cfg.with_protocol_versions(&opts.supported_versions())
- .expect("inconsistent settings")
+fn read_n_bytes(opts: &Options, sess: &mut impl Connection, conn: &mut net::TcpStream, n: usize) {
+ let mut bytes = [0u8; MAX_MESSAGE_SIZE];
+ match conn.read(&mut bytes[..n]) {
+ Ok(count) => {
+ println!("read {count:?} bytes");
+ sess.read_tls(&mut io::Cursor::new(&mut bytes[..count]))
+ .expect("read_tls not expected to fail reading from buffer");
}
- } else {
- cfg.with_protocol_versions(&opts.supported_versions())
- .expect("inconsistent settings")
+ Err(err) if err.kind() == io::ErrorKind::ConnectionReset => {}
+ Err(err) => panic!("invalid read: {err}"),
};
- let cfg = cfg
- .dangerous()
- .with_custom_certificate_verifier(Arc::new(DummyServerAuth::new(&opts.trusted_cert_file)));
+ after_read(opts, sess, conn);
+}
- let mut cfg = if !opts.cert_file.is_empty() && !opts.key_file.is_empty() {
- let cert = CertificateDer::pem_file_iter(&opts.cert_file)
- .unwrap()
- .map(|item| item.unwrap())
- .collect();
- let key = PrivateKeyDer::from_pem_file(&opts.key_file).unwrap();
- cfg.with_client_auth_cert(cert, key)
- .unwrap()
- } else {
- cfg.with_no_client_auth()
+fn read_all_bytes(opts: &Options, sess: &mut impl Connection, conn: &mut net::TcpStream) {
+ match sess.read_tls(conn) {
+ Ok(_) => {}
+ Err(err) if err.kind() == io::ErrorKind::ConnectionReset => {}
+ Err(err) => panic!("invalid read: {err}"),
};
- if !opts.cert_file.is_empty() && opts.use_signing_scheme > 0 {
- let scheme = lookup_scheme(opts.use_signing_scheme);
- cfg.client_auth_cert_resolver = Arc::new(FixedSignatureSchemeClientCertResolver {
- resolver: cfg.client_auth_cert_resolver.clone(),
- scheme,
- });
- }
-
- cfg.resumption = Resumption::store(ClientCacheWithoutKxHints::new(opts.resumption_delay));
- cfg.enable_sni = opts.use_sni;
- cfg.max_fragment_size = opts.max_fragment;
- cfg.require_ems = opts.require_ems;
-
- if !opts.protocols.is_empty() {
- cfg.alpn_protocols = opts
- .protocols
- .iter()
- .map(|proto| proto.as_bytes().to_vec())
- .collect();
- }
+ after_read(opts, sess, conn);
+}
- if opts.enable_early_data {
- cfg.enable_early_data = true;
+fn after_read(opts: &Options, sess: &mut impl Connection, conn: &mut net::TcpStream) {
+ if let Err(err) = sess.process_new_packets() {
+ flush(sess, conn); /* send any alerts before exiting */
+ orderly_close(conn);
+ handle_err(opts, err);
}
+}
- match opts.install_cert_compression_algs {
- CompressionAlgs::All => {
- cfg.cert_decompressors =
- vec![&ExpandingAlgorithm, &ShrinkingAlgorithm, &RandomAlgorithm];
- cfg.cert_compressors = vec![&ExpandingAlgorithm, &ShrinkingAlgorithm, &RandomAlgorithm];
- }
- CompressionAlgs::One(ShrinkingAlgorithm::ALGORITHM) => {
- cfg.cert_decompressors = vec![&ShrinkingAlgorithm];
- cfg.cert_compressors = vec![&ShrinkingAlgorithm];
+fn flush(sess: &mut impl Connection, conn: &mut net::TcpStream) {
+ while sess.wants_write() {
+ if let Err(err) = sess.write_tls(conn) {
+ println!("IO error: {err:?}");
+ process::exit(0);
}
- CompressionAlgs::None => {}
- _ => unimplemented!(),
}
-
- Arc::new(cfg)
+ conn.flush().unwrap();
}
-fn quit(why: &str) -> ! {
- println_err!("{}", why);
- process::exit(0)
-}
+fn orderly_close(conn: &mut net::TcpStream) {
+ // assuming we just flush()'d, we will write no more.
+ let _ = conn.shutdown(net::Shutdown::Write);
-fn quit_err(why: &str) -> ! {
- println_err!("{}", why);
- process::exit(1)
-}
+ // wait for EOF
+ let mut buf = [0u8; 32];
+ while let Ok(p @ 1..) = conn.peek(&mut buf) {
+ let _ = conn.read(&mut buf[..p]).unwrap();
+ }
-fn handle_err(opts: &Options, err: Error) -> ! {
- println!("TLS error: {:?}", err);
- thread::sleep(time::Duration::from_millis(100));
+ let _ = conn.shutdown(net::Shutdown::Read);
+}
- match err {
- Error::InappropriateHandshakeMessage { .. } | Error::InappropriateMessage { .. } => {
- quit(":UNEXPECTED_MESSAGE:")
- }
- Error::AlertReceived(AlertDescription::RecordOverflow) => {
- quit(":TLSV1_ALERT_RECORD_OVERFLOW:")
- }
- Error::AlertReceived(AlertDescription::HandshakeFailure) => quit(":HANDSHAKE_FAILURE:"),
- Error::AlertReceived(AlertDescription::ProtocolVersion) => quit(":WRONG_VERSION:"),
- Error::AlertReceived(AlertDescription::InternalError) => {
- quit(":PEER_ALERT_INTERNAL_ERROR:")
- }
- Error::InvalidMessage(
- InvalidMessage::MissingData("AlertDescription")
- | InvalidMessage::TrailingData("AlertMessagePayload"),
- ) => quit(":BAD_ALERT:"),
- Error::InvalidMessage(
- InvalidMessage::TrailingData("ChangeCipherSpecPayload") | InvalidMessage::InvalidCcs,
- ) => quit(":BAD_CHANGE_CIPHER_SPEC:"),
- Error::InvalidMessage(
- InvalidMessage::InvalidKeyUpdate
- | InvalidMessage::MissingData(_)
- | InvalidMessage::TrailingData(_)
- | InvalidMessage::UnexpectedMessage("HelloRetryRequest")
- | InvalidMessage::NoSignatureSchemes
- | InvalidMessage::UnsupportedCompression,
- ) => quit(":BAD_HANDSHAKE_MSG:"),
- Error::InvalidMessage(InvalidMessage::InvalidCertRequest)
- | Error::InvalidMessage(InvalidMessage::InvalidDhParams)
- | Error::InvalidMessage(InvalidMessage::MissingKeyExchange) => quit(":BAD_HANDSHAKE_MSG:"),
- Error::InvalidMessage(InvalidMessage::InvalidContentType)
- | Error::InvalidMessage(InvalidMessage::InvalidEmptyPayload)
- | Error::InvalidMessage(InvalidMessage::UnknownProtocolVersion)
- | Error::InvalidMessage(InvalidMessage::MessageTooLarge) => quit(":GARBAGE:"),
- Error::InvalidMessage(InvalidMessage::MessageTooShort)
- if opts.enable_ech_grease || opts.ech_config_list.is_some() =>
- {
- quit(":ERROR_PARSING_EXTENSION:")
- }
- Error::InvalidMessage(InvalidMessage::UnexpectedMessage(_)) => quit(":GARBAGE:"),
- Error::DecryptError if opts.ech_config_list.is_some() => {
- quit(":INCONSISTENT_ECH_NEGOTIATION:")
- }
- Error::DecryptError => quit(":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"),
- Error::NoApplicationProtocol => quit(":NO_APPLICATION_PROTOCOL:"),
- Error::PeerIncompatible(
- PeerIncompatible::ServerSentHelloRetryRequestWithUnknownExtension,
- ) => quit(":UNEXPECTED_EXTENSION:"),
- Error::PeerIncompatible(PeerIncompatible::ServerRejectedEncryptedClientHello(
- _retry_configs,
- )) => {
- if let Some(expected_configs) = &opts.expect_ech_retry_configs {
- let expected_configs =
- Vec::::read(&mut Reader::init(expected_configs)).unwrap();
- assert_eq!(_retry_configs, Some(expected_configs));
- }
- quit(":ECH_REJECTED:")
- }
- Error::PeerIncompatible(_) => quit(":INCOMPATIBLE:"),
- Error::PeerMisbehaved(PeerMisbehaved::MissingPskModesExtension) => {
- quit(":MISSING_EXTENSION:")
- }
- Error::PeerMisbehaved(PeerMisbehaved::TooMuchEarlyDataReceived) => {
- quit(":TOO_MUCH_READ_EARLY_DATA:")
- }
- Error::PeerMisbehaved(PeerMisbehaved::SignedHandshakeWithUnadvertisedSigScheme)
- | Error::PeerMisbehaved(PeerMisbehaved::SignedKxWithWrongAlgorithm) => {
- quit(":WRONG_SIGNATURE_TYPE:")
- }
- Error::PeerMisbehaved(PeerMisbehaved::SelectedUnofferedCertCompression) => {
- quit(":UNKNOWN_CERT_COMPRESSION_ALG:")
- }
- Error::PeerMisbehaved(PeerMisbehaved::InvalidCertCompression) => {
- quit(":CERT_DECOMPRESSION_FAILED:")
- }
- Error::PeerMisbehaved(PeerMisbehaved::OfferedDuplicateCertificateCompressions) => {
- quit(":ERROR_PARSING_EXTENSION:")
- }
- Error::PeerMisbehaved(PeerMisbehaved::SelectedUnofferedCipherSuite) => {
- quit(":WRONG_CIPHER_RETURNED:")
- }
- Error::PeerMisbehaved(PeerMisbehaved::TooManyWarningAlertsReceived) => {
- quit(":TOO_MANY_WARNING_ALERTS:")
- }
- Error::PeerMisbehaved(PeerMisbehaved::TooManyKeyUpdateRequests) => {
- quit(":TOO_MANY_KEY_UPDATES:")
- }
- Error::PeerMisbehaved(PeerMisbehaved::TooManyEmptyFragments) => {
- quit(":TOO_MANY_EMPTY_FRAGMENTS:")
- }
- Error::PeerMisbehaved(PeerMisbehaved::IllegalHelloRetryRequestWithInvalidEch)
- | Error::PeerMisbehaved(PeerMisbehaved::UnsolicitedEchExtension) => {
- quit(":UNEXPECTED_EXTENSION:")
- }
- // The TLS-ECH-Client-UnsolicitedInnerServerNameAck test is expected to fail with
- // :UNEXPECTED_EXTENSION: when we receive an unsolicited inner hello SNI extension.
- // We treat this the same as any unexpected enc'd ext and return :PEER_MISBEHAVIOUR:.
- // Convert to the expected if this error occurs when we're configured w/ ECH.
- Error::PeerMisbehaved(PeerMisbehaved::UnsolicitedEncryptedExtension)
- if opts.ech_config_list.is_some() =>
- {
- quit(":UNEXPECTED_EXTENSION:")
- }
- Error::PeerMisbehaved(PeerMisbehaved::SelectedUnofferedKxGroup) => quit(":WRONG_CURVE:"),
- Error::PeerMisbehaved(PeerMisbehaved::InvalidKeyShare) => quit(":BAD_ECPOINT:"),
- Error::PeerMisbehaved(_) => quit(":PEER_MISBEHAVIOUR:"),
- Error::NoCertificatesPresented => quit(":NO_CERTS:"),
- Error::AlertReceived(AlertDescription::UnexpectedMessage) => quit(":BAD_ALERT:"),
- Error::AlertReceived(AlertDescription::DecompressionFailure) => {
- quit_err(":SSLV3_ALERT_DECOMPRESSION_FAILURE:")
- }
- Error::InvalidCertificate(CertificateError::BadEncoding) => {
- quit(":CANNOT_PARSE_LEAF_CERT:")
- }
- Error::InvalidCertificate(CertificateError::BadSignature) => quit(":BAD_SIGNATURE:"),
- Error::InvalidCertificate(e) => quit(&format!(":BAD_CERT: ({:?})", e)),
- Error::PeerSentOversizedRecord => quit(":DATA_LENGTH_TOO_LONG:"),
- _ => {
- println_err!("unhandled error: {:?}", err);
- quit(":FIXME:")
- }
- }
+#[derive(Debug)]
+struct Options {
+ port: u16,
+ shim_id: u64,
+ side: Side,
+ max_fragment: Option,
+ resumes: usize,
+ verify_peer: bool,
+ require_any_client_cert: bool,
+ server_preference: bool,
+ root_hint_subjects: Vec,
+ offer_no_client_cas: bool,
+ tickets: bool,
+ resume_with_tickets_disabled: bool,
+ queue_data: bool,
+ queue_data_on_resume: bool,
+ only_write_one_byte_after_handshake: bool,
+ only_write_one_byte_after_handshake_on_resume: bool,
+ shut_down_after_handshake: bool,
+ check_close_notify: bool,
+ host_name: String,
+ use_sni: bool,
+ trusted_cert_file: String,
+ credentials: CredentialSet,
+ protocols: Vec,
+ reject_alpn: bool,
+ support_tls13: bool,
+ support_tls12: bool,
+ min_version: Option,
+ max_version: Option,
+ server_ocsp_response: Arc<[u8]>,
+ groups: Option>,
+ server_supported_group_hint: Option,
+ export_keying_material: usize,
+ export_keying_material_label: String,
+ export_keying_material_context: String,
+ export_keying_material_context_used: bool,
+ export_traffic_secrets: bool,
+ read_size: usize,
+ quic_transport_params: Vec,
+ expect_quic_transport_params: Vec,
+ enable_early_data: bool,
+ expect_ticket_supports_early_data: bool,
+ expect_accept_early_data: bool,
+ expect_reject_early_data: bool,
+ expect_version: u16,
+ resumption_delay: u32,
+ queue_early_data_after_received_messages: Vec,
+ require_ems: bool,
+ expect_handshake_kind: Option>,
+ expect_handshake_kind_resumed: Option>,
+ install_cert_compression_algs: CompressionAlgs,
+ selected_provider: SelectedProvider,
+ provider: CryptoProvider,
+ ech_config_list: Option>,
+ expect_ech_accept: bool,
+ expect_ech_retry_configs: Option>,
+ on_resume_ech_config_list: Option>,
+ on_resume_expect_ech_accept: bool,
+ on_initial_expect_ech_accept: bool,
+ enable_ech_grease: bool,
+ send_key_update: bool,
+ expect_curve_id: Option,
+ on_initial_expect_curve_id: Option,
+ on_resume_expect_curve_id: Option,
+ wait_for_debugger: bool,
+ ocsp: OcspValidation,
}
-fn flush(sess: &mut Connection, conn: &mut net::TcpStream) {
- while sess.wants_write() {
- if let Err(err) = sess.write_tls(conn) {
- println!("IO error: {:?}", err);
- process::exit(0);
+impl Options {
+ fn new() -> Self {
+ let selected_provider = SelectedProvider::from_env();
+ Self {
+ port: 0,
+ shim_id: 0,
+ side: Side::Client,
+ max_fragment: None,
+ resumes: 0,
+ verify_peer: false,
+ tickets: true,
+ resume_with_tickets_disabled: false,
+ host_name: "example.com".to_string(),
+ use_sni: false,
+ queue_data: false,
+ queue_data_on_resume: false,
+ only_write_one_byte_after_handshake: false,
+ only_write_one_byte_after_handshake_on_resume: false,
+ shut_down_after_handshake: false,
+ check_close_notify: false,
+ require_any_client_cert: false,
+ server_preference: false,
+ root_hint_subjects: vec![],
+ offer_no_client_cas: false,
+ trusted_cert_file: "".to_string(),
+ credentials: CredentialSet::default(),
+ protocols: vec![],
+ reject_alpn: false,
+ support_tls13: true,
+ support_tls12: true,
+ min_version: None,
+ max_version: None,
+ server_ocsp_response: Arc::from([]),
+ groups: None,
+ server_supported_group_hint: None,
+ export_keying_material: 0,
+ export_keying_material_label: "".to_string(),
+ export_keying_material_context: "".to_string(),
+ export_keying_material_context_used: false,
+ export_traffic_secrets: false,
+ read_size: 512,
+ quic_transport_params: vec![],
+ expect_quic_transport_params: vec![],
+ enable_early_data: false,
+ expect_ticket_supports_early_data: false,
+ expect_accept_early_data: false,
+ expect_reject_early_data: false,
+ expect_version: 0,
+ resumption_delay: 0,
+ queue_early_data_after_received_messages: vec![],
+ require_ems: false,
+ expect_handshake_kind: None,
+ expect_handshake_kind_resumed: Some(vec![HandshakeKind::Resumed]),
+ install_cert_compression_algs: CompressionAlgs::None,
+ selected_provider,
+ provider: selected_provider.provider(),
+ ech_config_list: None,
+ expect_ech_accept: false,
+ expect_ech_retry_configs: None,
+ on_resume_ech_config_list: None,
+ on_resume_expect_ech_accept: false,
+ on_initial_expect_ech_accept: false,
+ enable_ech_grease: false,
+ send_key_update: false,
+ expect_curve_id: None,
+ on_initial_expect_curve_id: None,
+ on_resume_expect_curve_id: None,
+ wait_for_debugger: false,
+ ocsp: OcspValidation::default(),
}
}
- conn.flush().unwrap();
-}
-
-fn client(conn: &mut Connection) -> &mut ClientConnection {
- conn.try_into().unwrap()
-}
-fn server(conn: &mut Connection) -> &mut ServerConnection {
- match conn {
- Connection::Server(s) => s,
- _ => panic!("Connection is not a ServerConnection"),
+ fn version_allowed(&self, vers: ProtocolVersion) -> bool {
+ (self.min_version.is_none() || u16::from(vers) >= u16::from(self.min_version.unwrap()))
+ && (self.max_version.is_none()
+ || u16::from(vers) <= u16::from(self.max_version.unwrap()))
}
-}
-const MAX_MESSAGE_SIZE: usize = 0xffff + 5;
+ fn tls13_supported(&self) -> bool {
+ self.support_tls13 && self.version_allowed(ProtocolVersion::TLSv1_3)
+ }
-fn after_read(opts: &Options, sess: &mut Connection, conn: &mut net::TcpStream) {
- if let Err(err) = sess.process_new_packets() {
- flush(sess, conn); /* send any alerts before exiting */
- handle_err(opts, err);
+ fn tls12_supported(&self) -> bool {
+ self.support_tls12 && self.version_allowed(ProtocolVersion::TLSv1_2)
}
-}
-fn read_n_bytes(opts: &Options, sess: &mut Connection, conn: &mut net::TcpStream, n: usize) {
- let mut bytes = [0u8; MAX_MESSAGE_SIZE];
- match conn.read(&mut bytes[..n]) {
- Ok(count) => {
- println!("read {:?} bytes", count);
- sess.read_tls(&mut io::Cursor::new(&mut bytes[..count]))
- .expect("read_tls not expected to fail reading from buffer");
+ fn provider(&self) -> CryptoProvider {
+ let mut provider = self.provider.clone();
+
+ if let Some(groups) = &self.groups {
+ provider
+ .kx_groups
+ .to_mut()
+ .retain(|kxg| groups.contains(&kxg.name()));
}
- Err(ref err) if err.kind() == io::ErrorKind::ConnectionReset => {}
- Err(err) => panic!("invalid read: {}", err),
- };
- after_read(opts, sess, conn);
-}
-
-fn read_all_bytes(opts: &Options, sess: &mut Connection, conn: &mut net::TcpStream) {
- match sess.read_tls(conn) {
- Ok(_) => {}
- Err(ref err) if err.kind() == io::ErrorKind::ConnectionReset => {}
- Err(err) => panic!("invalid read: {}", err),
- };
-
- after_read(opts, sess, conn);
-}
-
-fn exec(opts: &Options, mut sess: Connection, count: usize) {
- let mut sent_message = false;
-
- let addrs = [
- net::SocketAddr::from((net::Ipv6Addr::LOCALHOST, opts.port)),
- net::SocketAddr::from((net::Ipv4Addr::LOCALHOST, opts.port)),
- ];
- let mut conn = net::TcpStream::connect(&addrs[..]).expect("cannot connect");
- let mut sent_shutdown = false;
- let mut sent_exporter = false;
- let mut sent_key_update = false;
- let mut quench_writes = false;
-
- conn.write_all(&opts.shim_id.to_le_bytes())
- .unwrap();
-
- loop {
- if !sent_message && (opts.queue_data || (opts.queue_data_on_resume && count > 0)) {
- if !opts
- .queue_early_data_after_received_messages
- .is_empty()
- {
- flush(&mut sess, &mut conn);
- for message_size_estimate in &opts.queue_early_data_after_received_messages {
- read_n_bytes(opts, &mut sess, &mut conn, *message_size_estimate);
- }
- println!("now ready for early data");
- }
-
- if count > 0 && opts.enable_early_data {
- let len = client(&mut sess)
- .early_data()
- .expect("0rtt not available")
- .write(b"hello")
- .expect("0rtt write failed");
- sess.writer()
- .write_all(&b"hello"[len..])
- .unwrap();
- sent_message = true;
- } else if !opts.only_write_one_byte_after_handshake {
- let _ = sess.writer().write_all(b"hello");
- sent_message = true;
- }
- }
-
- if !quench_writes {
- flush(&mut sess, &mut conn);
- }
-
- if sess.wants_read() {
- read_all_bytes(opts, &mut sess, &mut conn);
- }
-
- if opts.side == Side::Server && opts.enable_early_data {
- if let Some(ref mut ed) = server(&mut sess).early_data() {
- let mut data = Vec::new();
- let data_len = ed
- .read_to_end(&mut data)
- .expect("cannot read early_data");
-
- for b in data.iter_mut() {
- *b ^= 0xff;
- }
-
- sess.writer()
- .write_all(&data[..data_len])
- .expect("cannot echo early_data in 1rtt data");
- }
- }
-
- if !sess.is_handshaking() && opts.export_keying_material > 0 && !sent_exporter {
- let mut export = vec![0; opts.export_keying_material];
- sess.export_keying_material(
- &mut export,
- opts.export_keying_material_label
- .as_bytes(),
- if opts.export_keying_material_context_used {
- Some(
- opts.export_keying_material_context
- .as_bytes(),
- )
- } else {
- None
- },
- )
- .unwrap();
- sess.writer()
- .write_all(&export)
- .unwrap();
- sent_exporter = true;
- }
-
- if opts.send_key_update && !sent_key_update && !sess.is_handshaking() {
- sess.refresh_traffic_keys().unwrap();
- sent_key_update = true;
- }
-
- if !sess.is_handshaking() && opts.only_write_one_byte_after_handshake && !sent_message {
- println!("writing message and then only one byte of its tls frame");
- flush(&mut sess, &mut conn);
-
- sess.writer()
- .write_all(b"hello")
- .unwrap();
- sent_message = true;
-
- let mut one_byte = [0u8];
- let mut cursor = io::Cursor::new(&mut one_byte[..]);
- sess.write_tls(&mut cursor).unwrap();
- conn.write_all(&one_byte)
- .expect("IO error");
-
- quench_writes = true;
- }
-
- if opts.enable_early_data
- && opts.side == Side::Client
- && !sess.is_handshaking()
- && count > 0
- {
- if opts.expect_accept_early_data && !client(&mut sess).is_early_data_accepted() {
- quit_err("Early data was not accepted, but we expect the opposite");
- } else if opts.expect_reject_early_data && client(&mut sess).is_early_data_accepted() {
- quit_err("Early data was accepted, but we expect the opposite");
- }
- if opts.expect_version == 0x0304 {
- match sess.protocol_version() {
- Some(ProtocolVersion::TLSv1_3) | Some(ProtocolVersion::Unknown(0x7f17)) => {}
- _ => quit_err("wrong protocol version"),
- }
- }
- }
-
- if let (Some(expected_options), false) =
- (opts.expect_handshake_kind.as_ref(), sess.is_handshaking())
- {
- let actual = sess.handshake_kind().unwrap();
- assert!(
- expected_options.contains(&actual),
- "wanted to see {expected_options:?} but got {actual:?}"
- );
- }
-
- if let Some(curve_id) = &opts.expect_curve_id {
- // unlike openssl/boringssl's API, `negotiated_key_exchange_group`
- // works for the connection, not session. this means TLS1.2
- // resumptions never have a value for `negotiated_key_exchange_group`
- let tls12_resumed = sess.protocol_version() == Some(ProtocolVersion::TLSv1_2)
- && sess.handshake_kind() == Some(HandshakeKind::Resumed);
- let negotiated_key_exchange_group_ready = !(sess.is_handshaking() || tls12_resumed);
-
- if negotiated_key_exchange_group_ready {
- let actual = sess
- .negotiated_key_exchange_group()
- .expect("no kx with -expect-curve-id");
- assert_eq!(curve_id, &actual.name());
- }
- }
-
- if let Some(curve_id) = &opts.on_initial_expect_curve_id {
- if !sess.is_handshaking() && count == 0 {
- assert_eq!(sess.handshake_kind().unwrap(), HandshakeKind::Full);
- assert_eq!(
- sess.negotiated_key_exchange_group()
- .expect("no kx with -on-initial-expect-curve-id")
- .name(),
- *curve_id
- );
- }
- }
-
- if let Some(curve_id) = &opts.on_resume_expect_curve_id {
- if !sess.is_handshaking() && count > 0 {
- assert_eq!(sess.handshake_kind().unwrap(), HandshakeKind::Resumed);
- assert_eq!(
- sess.negotiated_key_exchange_group()
- .expect("no kx with -on-resume-expect-curve-id")
- .name(),
- *curve_id
- );
- }
- }
-
- {
- let ech_accept_required =
- (count == 0 && opts.on_initial_expect_ech_accept) || opts.expect_ech_accept;
- if ech_accept_required
- && !sess.is_handshaking()
- && client(&mut sess).ech_status() != EchStatus::Accepted
- {
- quit_err("ECH was not accepted, but we expect the opposite");
- }
- }
-
- let mut buf = [0u8; 1024];
- let len = match sess
- .reader()
- .read(&mut buf[..opts.read_size])
- {
- Ok(0) => {
- if opts.check_close_notify {
- println!("close notify ok");
- }
- println!("EOF (tls)");
- return;
- }
- Ok(len) => len,
- Err(err) if err.kind() == io::ErrorKind::WouldBlock => 0,
- Err(err) if err.kind() == io::ErrorKind::UnexpectedEof => {
- if opts.check_close_notify {
- quit_err(":CLOSE_WITHOUT_CLOSE_NOTIFY:");
- }
- println!("EOF (tcp)");
- return;
- }
- Err(err) => panic!("unhandled read error {:?}", err),
- };
-
- if opts.shut_down_after_handshake && !sent_shutdown && !sess.is_handshaking() {
- sess.send_close_notify();
- sent_shutdown = true;
- }
-
- if quench_writes && len > 0 {
- println!("unquenching writes after {:?}", len);
- quench_writes = false;
- }
-
- for b in buf.iter_mut() {
- *b ^= 0xff;
+ match (self.tls12_supported(), self.tls13_supported()) {
+ (true, true) => provider,
+ (true, false) => CryptoProvider {
+ tls13_cipher_suites: Default::default(),
+ ..provider
+ },
+ (false, true) => CryptoProvider {
+ tls12_cipher_suites: Default::default(),
+ ..provider
+ },
+ _ => panic!("nonsense version constraint"),
}
-
- sess.writer()
- .write_all(&buf[..len])
- .unwrap();
- }
-}
-
-pub fn main() {
- let mut args: Vec<_> = env::args().collect();
- env_logger::init();
-
- args.remove(0);
-
- if !args.is_empty() && args[0] == "-is-handshaker-supported" {
- println!("No");
- process::exit(0);
}
- println!("options: {:?}", args);
-
- let mut opts = Options::new();
- while !args.is_empty() {
+ fn parse_one(&mut self, args: &mut Vec) {
let arg = args.remove(0);
match arg.as_ref() {
"-port" => {
- opts.port = args.remove(0).parse::().unwrap();
+ self.port = args.remove(0).parse::().unwrap();
}
"-shim-id" => {
- opts.shim_id = args.remove(0).parse::().unwrap();
+ self.shim_id = args.remove(0).parse::().unwrap();
}
"-server" => {
- opts.side = Side::Server;
+ self.side = Side::Server;
}
"-key-file" => {
- opts.key_file = args.remove(0);
+ self.credentials.last_mut().key_file = args.remove(0);
+ }
+ "-new-x509-credential" => {
+ self.credentials.additional.push(Credential::default());
+ }
+ "-expect-selected-credential" => {
+ self.credentials.expect_selected = args.remove(0).parse::().ok();
}
"-cert-file" => {
- opts.cert_file = args.remove(0);
+ self.credentials.last_mut().cert_file = args.remove(0);
}
"-trust-cert" => {
- opts.trusted_cert_file = args.remove(0);
+ self.trusted_cert_file = args.remove(0);
}
"-resume-count" => {
- opts.resumes = args.remove(0).parse::().unwrap();
+ self.resumes = args.remove(0).parse::().unwrap();
}
"-no-tls13" => {
- opts.support_tls13 = false;
+ self.support_tls13 = false;
}
"-no-tls12" => {
- opts.support_tls12 = false;
+ self.support_tls12 = false;
}
"-min-version" => {
let min = args.remove(0).parse::().unwrap();
- opts.min_version = Some(ProtocolVersion::Unknown(min));
+ self.min_version = Some(ProtocolVersion(min));
}
"-max-version" => {
let max = args.remove(0).parse::().unwrap();
- opts.max_version = Some(ProtocolVersion::Unknown(max));
+ self.max_version = Some(ProtocolVersion(max));
}
"-max-send-fragment" => {
let max_fragment = args.remove(0).parse::().unwrap();
- opts.max_fragment = Some(max_fragment + 5); // ours includes header
+ self.max_fragment = Some(max_fragment + 5); // ours includes header
}
"-read-size" => {
let rdsz = args.remove(0).parse::().unwrap();
- opts.read_size = rdsz;
+ self.read_size = rdsz;
}
"-tls13-variant" => {
let variant = args.remove(0).parse::().unwrap();
if variant != 1 {
- println!("NYI TLS1.3 variant selection: {:?} {:?}", arg, variant);
+ println!("NYI TLS1.3 variant selection: {arg:?} {variant:?}");
process::exit(BOGO_NACK);
}
}
"-no-ticket" => {
- opts.tickets = false;
+ self.tickets = false;
}
"-on-resume-no-ticket" => {
- opts.resume_with_tickets_disabled = true;
+ self.resume_with_tickets_disabled = true;
}
"-signing-prefs" => {
let alg = args.remove(0).parse::().unwrap();
- opts.use_signing_scheme = alg;
+ self.credentials.last_mut().use_signing_scheme = Some(alg);
+ }
+ "-must-match-issuer" => {
+ self.credentials.last_mut().must_match_issuer = true;
}
"-use-client-ca-list" => {
match args.remove(0).as_ref() {
"" | "" => {
- opts.root_hint_subjects = vec![];
+ self.root_hint_subjects = vec![];
}
list => {
- opts.root_hint_subjects = list.split(',')
+ self.root_hint_subjects = list.split(',')
.map(|entry| DistinguishedName::from(decode_hex(entry)))
.collect();
}
@@ -1366,13 +737,13 @@ pub fn main() {
lookup_scheme(args.remove(0).parse::().unwrap());
}
"-expect-curve-id" => {
- opts.expect_curve_id = Some(NamedGroup::from(args.remove(0).parse::().unwrap()));
+ self.expect_curve_id = Some(NamedGroup::from(args.remove(0).parse::().unwrap()));
}
"-on-initial-expect-curve-id" => {
- opts.on_initial_expect_curve_id = Some(NamedGroup::from(args.remove(0).parse::().unwrap()));
+ self.on_initial_expect_curve_id = Some(NamedGroup::from(args.remove(0).parse::().unwrap()));
}
"-on-resume-expect-curve-id" => {
- opts.on_resume_expect_curve_id = Some(NamedGroup::from(args.remove(0).parse::().unwrap()));
+ self.on_resume_expect_curve_id = Some(NamedGroup::from(args.remove(0).parse::().unwrap()));
}
"-max-cert-list" |
"-expect-peer-signature-algorithm" |
@@ -1387,8 +758,6 @@ pub fn main() {
"-expect-signed-cert-timestamps" |
"-expect-certificate-types" |
"-expect-client-ca-list" |
- "-on-retry-expect-early-data-reason" |
- "-on-resume-expect-early-data-reason" |
"-on-initial-expect-early-data-reason" |
"-on-initial-expect-cipher" |
"-on-resume-expect-cipher" |
@@ -1407,213 +776,235 @@ pub fn main() {
"-expect-tls13-downgrade" |
"-enable-signed-cert-timestamps" |
"-expect-session-id" => {
- println!("not checking {}; NYI", arg);
+ println!("not checking {arg}; NYI");
}
"-key-update" => {
- opts.send_key_update = true;
+ self.send_key_update = true;
}
"-expect-hrr" => {
- opts.expect_handshake_kind = Some(vec![HandshakeKind::FullWithHelloRetryRequest]);
+ self.expect_handshake_kind = Some(vec![HandshakeKind::FullWithHelloRetryRequest]);
+ self.expect_handshake_kind_resumed = Some(vec![HandshakeKind::ResumedWithHelloRetryRequest]);
}
"-expect-no-hrr" => {
- opts.expect_handshake_kind = Some(vec![HandshakeKind::Full]);
+ self.expect_handshake_kind = Some(vec![HandshakeKind::Full]);
+ }
+ "-on-retry-expect-early-data-reason" | "-on-resume-expect-early-data-reason" => {
+ if args.remove(0) == "hello_retry_request" {
+ self.expect_handshake_kind_resumed = Some(vec![HandshakeKind::ResumedWithHelloRetryRequest]);
+ }
}
"-expect-session-miss" => {
- opts.expect_handshake_kind_resumed = Some(vec![
+ self.expect_handshake_kind_resumed = Some(vec![
HandshakeKind::Full,
HandshakeKind::FullWithHelloRetryRequest
]);
}
"-export-keying-material" => {
- opts.export_keying_material = args.remove(0).parse::().unwrap();
+ self.export_keying_material = args.remove(0).parse::().unwrap();
}
"-export-label" => {
- opts.export_keying_material_label = args.remove(0);
+ self.export_keying_material_label = args.remove(0);
}
"-export-context" => {
- opts.export_keying_material_context = args.remove(0);
+ self.export_keying_material_context = args.remove(0);
}
"-use-export-context" => {
- opts.export_keying_material_context_used = true;
+ self.export_keying_material_context_used = true;
+ }
+ "-export-traffic-secrets" => {
+ self.export_traffic_secrets = true;
}
"-quic-transport-params" => {
- opts.quic_transport_params = BASE64_STANDARD.decode(args.remove(0).as_bytes())
+ self.quic_transport_params = BASE64_STANDARD.decode(args.remove(0).as_bytes())
.expect("invalid base64");
}
"-expect-quic-transport-params" => {
- opts.expect_quic_transport_params = BASE64_STANDARD.decode(args.remove(0).as_bytes())
+ self.expect_quic_transport_params = BASE64_STANDARD.decode(args.remove(0).as_bytes())
.expect("invalid base64");
}
"-ocsp-response" => {
- opts.server_ocsp_response = BASE64_STANDARD.decode(args.remove(0).as_bytes())
- .expect("invalid base64");
+ self.server_ocsp_response = Arc::from(BASE64_STANDARD.decode(args.remove(0).as_bytes())
+ .expect("invalid base64"));
}
"-select-alpn" => {
- opts.protocols.push(args.remove(0));
+ self.protocols.push(args.remove(0));
}
"-require-any-client-certificate" => {
- opts.require_any_client_cert = true;
+ self.require_any_client_cert = true;
}
"-verify-peer" => {
- opts.verify_peer = true;
+ self.verify_peer = true;
}
"-shim-writes-first" => {
- opts.queue_data = true;
+ self.queue_data = true;
}
"-read-with-unfinished-write" => {
- opts.queue_data = true;
- opts.only_write_one_byte_after_handshake = true;
+ self.queue_data = true;
+ self.only_write_one_byte_after_handshake = true;
}
"-shim-shuts-down" => {
- opts.shut_down_after_handshake = true;
+ self.shut_down_after_handshake = true;
}
"-check-close-notify" => {
- opts.check_close_notify = true;
+ self.check_close_notify = true;
}
"-host-name" => {
- opts.host_name = args.remove(0);
- opts.use_sni = true;
+ self.host_name = args.remove(0);
+ self.use_sni = true;
}
"-advertise-alpn" => {
- opts.protocols = split_protocols(&args.remove(0));
+ self.protocols = split_protocols(&args.remove(0));
}
"-reject-alpn" => {
- opts.reject_alpn = true;
+ self.reject_alpn = true;
}
"-use-null-client-ca-list" => {
- opts.offer_no_client_cas = true;
+ self.offer_no_client_cas = true;
}
"-enable-early-data" => {
- opts.tickets = false;
- opts.enable_early_data = true;
+ self.tickets = false;
+ self.enable_early_data = true;
}
"-on-resume-shim-writes-first" => {
- opts.queue_data_on_resume = true;
+ self.queue_data_on_resume = true;
}
"-on-resume-read-with-unfinished-write" => {
- opts.queue_data_on_resume = true;
- opts.only_write_one_byte_after_handshake_on_resume = true;
+ self.queue_data_on_resume = true;
+ self.only_write_one_byte_after_handshake_on_resume = true;
}
"-on-resume-early-write-after-message" => {
- opts.queue_early_data_after_received_messages= match args.remove(0).parse::().unwrap() {
+ self.queue_early_data_after_received_messages = match args.remove(0).parse::().unwrap() {
// estimate where these messages appear in the server's first flight.
- 2 => vec![5 + 128 + 5 + 32],
- 8 => vec![5 + 128 + 5 + 32, 5 + 64],
+ 2 => vec![5 + 112 + 5 + 32],
+ 8 => vec![5 + 112 + 5 + 32, 5 + 64],
_ => {
panic!("unhandled -on-resume-early-write-after-message");
}
};
- opts.queue_data_on_resume = true;
+ self.queue_data_on_resume = true;
}
"-expect-ticket-supports-early-data" => {
- opts.expect_ticket_supports_early_data = true;
+ self.expect_ticket_supports_early_data = true;
}
"-expect-accept-early-data" |
"-on-resume-expect-accept-early-data" => {
- opts.expect_accept_early_data = true;
+ self.expect_accept_early_data = true;
}
"-expect-early-data-reason" |
"-on-resume-expect-reject-early-data-reason" => {
let reason = args.remove(0);
match reason.as_str() {
"disabled" | "protocol_version" => {
- opts.expect_reject_early_data = true;
+ self.expect_reject_early_data = true;
}
_ => {
- println!("NYI early data reason: {}", reason);
+ println!("NYI early data reason: {reason}");
process::exit(1);
}
}
}
"-expect-reject-early-data" |
"-on-resume-expect-reject-early-data" => {
- opts.expect_reject_early_data = true;
+ self.expect_reject_early_data = true;
}
"-expect-version" => {
- opts.expect_version = args.remove(0).parse::().unwrap();
+ self.expect_version = args.remove(0).parse::().unwrap();
}
"-curves" => {
let group = NamedGroup::from(args.remove(0).parse::().unwrap());
- opts.groups.get_or_insert(Vec::new()).push(group);
-
- // if X25519MLKEM768 is requested, insert it from rustls_post_quantum
- #[cfg(feature = "post-quantum")]
- if group == rustls_post_quantum::X25519MLKEM768.name() && opts.selected_provider == SelectedProvider::PostQuantum {
- opts.provider.kx_groups.insert(0, rustls_post_quantum::X25519MLKEM768);
- }
+ self.groups.get_or_insert(Vec::new()).push(group);
+ }
+ "-server-supported-groups-hint" => {
+ let group = NamedGroup::from(args.remove(0).parse::().unwrap());
+ self.server_supported_group_hint = Some(group);
}
"-resumption-delay" => {
- opts.resumption_delay = args.remove(0).parse::().unwrap();
+ self.resumption_delay = args.remove(0).parse::().unwrap();
align_time();
}
"-expect-extended-master-secret" => {
- opts.require_ems = true;
+ self.require_ems = true;
}
"-install-cert-compression-algs" => {
- opts.install_cert_compression_algs = CompressionAlgs::All;
+ self.install_cert_compression_algs = CompressionAlgs::All;
}
"-install-one-cert-compression-alg" => {
- opts.install_cert_compression_algs = CompressionAlgs::One(args.remove(0).parse::().unwrap());
+ self.install_cert_compression_algs = CompressionAlgs::One(args.remove(0).parse::().unwrap());
}
#[cfg(feature = "fips")]
- "-fips-202205" if opts.selected_provider == SelectedProvider::AwsLcRsFips => {
- opts.provider = rustls::crypto::default_fips_provider();
+ "-fips-202205" if self.selected_provider == SelectedProvider::AwsLcRsFips => {
+ self.provider = rustls_aws_lc_rs::DEFAULT_FIPS_PROVIDER.clone();
}
"-fips-202205" => {
println!("Not a FIPS build");
process::exit(BOGO_NACK);
}
"-ech-config-list" => {
- opts.ech_config_list = Some(BASE64_STANDARD.decode(args.remove(0).as_bytes())
+ self.ech_config_list = Some(BASE64_STANDARD.decode(args.remove(0).as_bytes())
.expect("invalid ECH config base64").into());
}
"-expect-ech-accept" => {
- opts.expect_ech_accept = true;
+ self.expect_ech_accept = true;
}
"-expect-ech-retry-configs" => {
- opts.expect_ech_retry_configs = Some(BASE64_STANDARD.decode(args.remove(0).as_bytes())
+ self.expect_ech_retry_configs = Some(BASE64_STANDARD.decode(args.remove(0).as_bytes())
.expect("invalid ECH config base64").into());
}
"-on-resume-ech-config-list" => {
- opts.on_resume_ech_config_list = Some(BASE64_STANDARD.decode(args.remove(0).as_bytes())
+ self.on_resume_ech_config_list = Some(BASE64_STANDARD.decode(args.remove(0).as_bytes())
.expect("invalid on resume ECH config base64").into());
}
"-on-resume-expect-ech-accept" => {
- opts.on_resume_expect_ech_accept = true;
+ self.on_resume_expect_ech_accept = true;
}
"-expect-no-ech-retry-configs" => {
- opts.expect_ech_retry_configs = None;
+ self.expect_ech_retry_configs = None;
}
"-on-initial-expect-ech-accept" => {
- opts.on_initial_expect_ech_accept = true;
+ self.on_initial_expect_ech_accept = true;
}
"-on-retry-expect-ech-retry-configs" => {
// Note: we treat this the same as -expect-ech-retry-configs
- opts.expect_ech_retry_configs = Some(BASE64_STANDARD.decode(args.remove(0).as_bytes())
+ self.expect_ech_retry_configs = Some(BASE64_STANDARD.decode(args.remove(0).as_bytes())
.expect("invalid retry ECH config base64").into());
}
"-enable-ech-grease" => {
- opts.enable_ech_grease = true;
+ self.enable_ech_grease = true;
}
"-server-preference" => {
- opts.server_preference = true;
+ self.server_preference = true;
+ }
+ "-fail-ocsp-callback" => {
+ self.ocsp = OcspValidation::Reject;
+ }
+ "-wait-for-debugger" => {
+ #[cfg(windows)]
+ {
+ panic!("-wait-for-debugger not supported on Windows");
+ }
+ #[cfg(unix)]
+ {
+ self.wait_for_debugger = true;
+ }
}
// defaults:
+ "-decline-alpn" |
"-enable-all-curves" |
- "-renegotiate-ignore" |
- "-no-tls11" |
- "-no-tls1" |
- "-no-ssl3" |
- "-handoff" |
- "-ipv6" |
- "-decline-alpn" |
+ "-enable-ocsp-stapling" |
"-expect-no-session" |
"-expect-ticket-renewal" |
- "-enable-ocsp-stapling" |
"-forbid-renegotiation-after-handshake" |
+ "-handoff" |
+ "-ipv6" |
+ "-no-ssl3" |
+ "-no-tls1" |
+ "-no-tls11" |
+ "-permute-extensions" |
+ "-renegotiate-ignore" |
+ "-use-ocsp-callback" |
// internal openssl details:
"-async" |
"-implicit-handshake" |
@@ -1621,126 +1012,1154 @@ pub fn main() {
"-use-early-callback" => {}
// Not implemented things
- "-dtls" |
- "-cipher" |
- "-psk" |
- "-renegotiate-freely" |
- "-false-start" |
- "-fallback-scsv" |
- "-fail-early-callback" |
- "-fail-cert-callback" |
- "-install-ddos-callback" |
- "-advertise-npn" |
"-advertise-empty-npn" |
- "-verify-fail" |
- "-expect-channel-id" |
- "-send-channel-id" |
- "-select-next-proto" |
- "-select-empty-next-proto" |
- "-expect-verify-result" |
- "-send-alert" |
+ "-advertise-npn" |
+ "-allow-hint-mismatch" |
+ "-allow-unknown-alpn-protos" |
+ "-cipher" |
+ "-cnsa-202407" |
"-digest-prefs" |
- "-use-exporter-between-reads" |
- "-ticket-key" |
- "-tls-unique" |
- "-enable-server-custom-extension" |
+ "-dtls" |
+ "-enable-channel-id" |
"-enable-client-custom-extension" |
- "-expect-dhe-group-size" |
- "-use-ticket-callback" |
"-enable-grease" |
- "-enable-channel-id" |
- "-expect-early-data-info" |
+ "-enable-server-custom-extension" |
+ "-expect-channel-id" |
"-expect-cipher-aes" |
- "-retain-only-sha256-client-cert-initial" |
+ "-expect-dhe-group-size" |
"-expect-draft-downgrade" |
- "-allow-unknown-alpn-protos" |
- "-on-initial-tls13-variant" |
- "-on-resume-export-early-keying-material" |
- "-on-resume-enable-early-data" |
+ "-expect-early-data-info" |
+ "-expect-not-resumable-across-names" |
+ "-expect-peer-cert-file" |
+ "-expect-resumable-across-names" |
+ "-expect-verify-result" |
"-export-early-keying-material" |
+ "-fail-cert-callback" |
+ "-fail-early-callback" |
+ "-fallback-scsv" |
+ "-false-start" |
"-handshake-twice" |
- "-on-resume-verify-fail" |
- "-reverify-on-resume" |
+ "-ignore-tls13-downgrade" |
+ "-install-ddos-callback" |
+ "-key-shares" |
"-no-op-extra-handshake" |
- "-expect-peer-cert-file" |
+ "-no-key-shares" |
+ "-no-server-name-ack" |
"-no-rsa-pss-rsae-certs" |
- "-ignore-tls13-downgrade" |
- "-allow-hint-mismatch" |
- "-wpa-202304" |
- "-cnsa-202407" |
- "-srtp-profiles" |
- "-permute-extensions" |
- "-signed-cert-timestamps" |
"-on-initial-expect-peer-cert-file" |
- "-use-custom-verify-callback" => {
- println!("NYI option {:?}", arg);
+ "-on-initial-tls13-variant" |
+ "-on-resume-enable-early-data" |
+ "-on-resume-export-early-keying-material" |
+ "-on-resume-verify-fail" |
+ "-psk" |
+ "-renegotiate-freely" |
+ "-resumption-across-names-enabled" |
+ "-retain-only-sha256-client-cert-initial" |
+ "-reverify-on-resume" |
+ "-select-empty-next-proto" |
+ "-select-next-proto" |
+ "-send-alert" |
+ "-send-channel-id" |
+ "-signed-cert-timestamps" |
+ "-srtp-profiles" |
+ "-ticket-key" |
+ "-tls-unique" |
+ "-use-custom-verify-callback" |
+ "-use-exporter-between-reads" |
+ "-use-ticket-aead-callback" |
+ "-use-ticket-callback" |
+ "-verify-fail" |
+ "-wpa-202304" => {
+ println!("NYI option {arg:?}");
process::exit(BOGO_NACK);
}
- "-print-rustls-provider" => {
- println!("{}", "*".repeat(66));
- println!("rustls provider is {:?}", opts.selected_provider);
- println!("{}", "*".repeat(66));
- process::exit(0);
+ "-print-rustls-provider" => {
+ println!("{}", "*".repeat(66));
+ println!("rustls provider is {:?}", self.selected_provider);
+ println!("{}", "*".repeat(66));
+ process::exit(0);
+ }
+
+ _ => {
+ println!("unhandled option {arg:?}");
+ process::exit(1);
+ }
+ }
+ }
+}
+
+#[derive(Debug, Default)]
+struct CredentialSet {
+ default: Credential,
+ additional: Vec,
+ /// Some(-1) means `default`, otherwise index into `additional`
+ expect_selected: Option,
+}
+
+impl CredentialSet {
+ fn last_mut(&mut self) -> &mut Credential {
+ self.additional
+ .last_mut()
+ .unwrap_or(&mut self.default)
+ }
+
+ fn configured(&self) -> bool {
+ self.default.configured()
+ || self
+ .additional
+ .iter()
+ .any(|cred| cred.configured())
+ }
+}
+
+#[derive(Clone, Debug, Default)]
+struct Credential {
+ key_file: String,
+ cert_file: String,
+ use_signing_scheme: Option,
+ must_match_issuer: bool,
+}
+
+impl Credential {
+ fn load_from_file(&self, provider: &CryptoProvider) -> Credentials {
+ let certs = CertificateDer::pem_file_iter(&self.cert_file)
+ .unwrap()
+ .map(|cert| cert.unwrap())
+ .collect::>();
+ let key = PrivateKeyDer::from_pem_file(&self.key_file).unwrap();
+ Credentials::from_der(
+ Arc::from(Identity::from_cert_chain(certs).unwrap()),
+ key,
+ provider,
+ )
+ .unwrap()
+ }
+
+ fn configured(&self) -> bool {
+ !self.cert_file.is_empty() && !self.key_file.is_empty()
+ }
+}
+
+#[derive(Clone, Copy, Debug, PartialEq)]
+enum SelectedProvider {
+ AwsLcRs,
+ #[cfg_attr(not(feature = "fips"), allow(dead_code))]
+ AwsLcRsFips,
+ Ring,
+}
+
+impl SelectedProvider {
+ fn from_env() -> Self {
+ match env::var("BOGO_SHIM_PROVIDER")
+ .ok()
+ .as_deref()
+ {
+ None | Some("aws-lc-rs") => Self::AwsLcRs,
+ #[cfg(feature = "fips")]
+ Some("aws-lc-rs-fips") => Self::AwsLcRsFips,
+ Some("ring") => Self::Ring,
+ Some(other) => panic!("unrecognized value for BOGO_SHIM_PROVIDER: {other:?}"),
+ }
+ }
+
+ fn provider(&self) -> CryptoProvider {
+ match self {
+ Self::AwsLcRs | Self::AwsLcRsFips => {
+ // ensure all suites and kx groups are included (even in fips builds)
+ // as non-fips test cases require them. runner activates fips mode via -fips-202205 option
+ // this includes rustls-post-quantum, which just returns an altered
+ // version of `aws_lc_rs::default_provider()`
+ CryptoProvider {
+ kx_groups: Cow::Borrowed(rustls_aws_lc_rs::ALL_KX_GROUPS),
+ tls12_cipher_suites: Cow::Borrowed(rustls_aws_lc_rs::ALL_TLS12_CIPHER_SUITES),
+ tls13_cipher_suites: Cow::Borrowed(rustls_aws_lc_rs::ALL_TLS13_CIPHER_SUITES),
+ ..rustls_aws_lc_rs::DEFAULT_PROVIDER
+ }
+ }
+
+ Self::Ring => rustls_ring::DEFAULT_PROVIDER,
+ }
+ }
+
+ fn supports_ech(&self) -> bool {
+ match *self {
+ Self::AwsLcRs | Self::AwsLcRsFips => true,
+ Self::Ring => false,
+ }
+ }
+}
+
+fn load_root_certs(filename: &str) -> Arc {
+ let mut roots = RootCertStore::empty();
+
+ // -verify-peer can be used without specifying a root cert,
+ // to test (eg) client auth without actually looking at the certs.
+ //
+ // but WebPkiClientVerifier requires a non-empty set of roots.
+ //
+ // use an unrelated cert we have lying around.
+ let filename = match filename {
+ "" => "../../../../../test-ca/rsa-2048/ca.cert",
+ filename => filename,
+ };
+
+ roots.add_parsable_certificates(
+ CertificateDer::pem_file_iter(filename)
+ .unwrap()
+ .map(|item| item.unwrap()),
+ );
+ Arc::new(roots)
+}
+
+fn split_protocols(protos: &str) -> Vec {
+ let mut ret = Vec::new();
+
+ let mut offs = 0;
+ while offs < protos.len() {
+ let len = protos.as_bytes()[offs] as usize;
+ let item = protos[offs + 1..offs + 1 + len].to_string();
+ ret.push(item);
+ offs += 1 + len;
+ }
+
+ ret
+}
+
+fn decode_hex(hex: &str) -> Vec {
+ (0..hex.len())
+ .step_by(2)
+ .map(|i| u8::from_str_radix(&hex[i..i + 2], 16).unwrap())
+ .inspect(|x| println!("item {x:?}"))
+ .collect()
+}
+
+#[derive(Debug)]
+struct DummyClientAuth {
+ mandatory: bool,
+ root_hint_subjects: Arc<[DistinguishedName]>,
+ parent: Arc,
+}
+
+impl DummyClientAuth {
+ fn new(
+ trusted_cert_file: &str,
+ mandatory: bool,
+ root_hint_subjects: Arc<[DistinguishedName]>,
+ ) -> Self {
+ Self {
+ mandatory,
+ root_hint_subjects,
+ parent: Arc::new(
+ WebPkiClientVerifier::builder(
+ load_root_certs(trusted_cert_file),
+ &SelectedProvider::from_env().provider(),
+ )
+ .build()
+ .unwrap(),
+ ),
+ }
+ }
+}
+
+impl ClientVerifier for DummyClientAuth {
+ fn verify_identity(&self, _identity: &ClientIdentity<'_>) -> Result {
+ Ok(PeerVerified::assertion())
+ }
+
+ fn verify_tls12_signature(
+ &self,
+ input: &SignatureVerificationInput<'_>,
+ ) -> Result {
+ self.parent
+ .verify_tls12_signature(input)
+ }
+
+ fn verify_tls13_signature(
+ &self,
+ input: &SignatureVerificationInput<'_>,
+ ) -> Result {
+ self.parent
+ .verify_tls13_signature(input)
+ }
+
+ fn root_hint_subjects(&self) -> Arc<[DistinguishedName]> {
+ self.root_hint_subjects.clone()
+ }
+
+ fn client_auth_mandatory(&self) -> bool {
+ self.mandatory
+ }
+
+ fn offer_client_auth(&self) -> bool {
+ true
+ }
+
+ fn supported_verify_schemes(&self) -> Vec {
+ self.parent.supported_verify_schemes()
+ }
+}
+
+#[derive(Debug)]
+struct DummyServerAuth {
+ parent: Arc,
+ ocsp: OcspValidation,
+}
+
+impl DummyServerAuth {
+ fn new(trusted_cert_file: &str, ocsp: OcspValidation) -> Self {
+ Self {
+ parent: Arc::new(
+ WebPkiServerVerifier::builder(
+ load_root_certs(trusted_cert_file),
+ &SelectedProvider::from_env().provider(),
+ )
+ .build()
+ .unwrap(),
+ ),
+ ocsp,
+ }
+ }
+}
+
+impl ServerVerifier for DummyServerAuth {
+ fn verify_identity(&self, _identity: &ServerIdentity<'_>) -> Result {
+ if let OcspValidation::Reject = self.ocsp {
+ return Err(CertificateError::InvalidOcspResponse.into());
+ }
+ Ok(PeerVerified::assertion())
+ }
+
+ fn verify_tls12_signature(
+ &self,
+ input: &SignatureVerificationInput<'_>,
+ ) -> Result {
+ self.parent
+ .verify_tls12_signature(input)
+ }
+
+ fn verify_tls13_signature(
+ &self,
+ input: &SignatureVerificationInput<'_>,
+ ) -> Result {
+ self.parent
+ .verify_tls13_signature(input)
+ }
+
+ fn supported_verify_schemes(&self) -> Vec {
+ self.parent.supported_verify_schemes()
+ }
+
+ fn request_ocsp_response(&self) -> bool {
+ true
+ }
+
+ fn hash_config(&self, h: &mut dyn Hasher) {
+ self.parent.hash_config(h)
+ }
+}
+
+#[derive(Clone, Copy, Debug, Default)]
+enum OcspValidation {
+ /// Totally ignore `ocsp_response` value
+ #[default]
+ None,
+
+ /// Return an error (irrespective of `ocsp_response` value)
+ Reject,
+}
+
+#[derive(Debug)]
+struct FixedSignatureSchemeSigningKey {
+ key: Box,
+ scheme: SignatureScheme,
+}
+
+impl SigningKey for FixedSignatureSchemeSigningKey {
+ fn choose_scheme(&self, offered: &[SignatureScheme]) -> Option> {
+ if offered.contains(&self.scheme) {
+ self.key.choose_scheme(&[self.scheme])
+ } else {
+ self.key.choose_scheme(&[])
+ }
+ }
+
+ fn public_key(&self) -> Option> {
+ self.key.public_key()
+ }
+}
+
+#[derive(Debug)]
+struct FixedSignatureSchemeServerCertResolver {
+ credentials: Credentials,
+ scheme: SignatureScheme,
+}
+
+impl server::ServerCredentialResolver for FixedSignatureSchemeServerCertResolver {
+ fn resolve(&self, client_hello: &ClientHello<'_>) -> Result {
+ if !client_hello
+ .signature_schemes()
+ .contains(&self.scheme)
+ {
+ return Err(Error::PeerIncompatible(
+ PeerIncompatible::NoSignatureSchemesInCommon,
+ ));
+ }
+
+ self.credentials
+ .signer(&[self.scheme])
+ .ok_or(Error::PeerIncompatible(
+ PeerIncompatible::NoSignatureSchemesInCommon,
+ ))
+ }
+}
+
+#[derive(Debug, Default)]
+struct MultipleClientCredentialResolver {
+ additional: Vec,
+ default: Option,
+ expect_selected: Option,
+}
+
+impl MultipleClientCredentialResolver {
+ fn add(&mut self, key: Credentials, meta: &Credential) {
+ self.additional
+ .push(ClientCert::new(key, meta));
+ }
+
+ fn set_default(&mut self, key: Credentials, meta: &Credential) {
+ self.default = Some(ClientCert::new(key, meta));
+ }
+}
+
+impl client::ClientCredentialResolver for MultipleClientCredentialResolver {
+ fn resolve(&self, request: &CredentialRequest<'_>) -> Option {
+ // `sig_schemes` is in server preference order, so respect that.
+ let sig_schemes = request.signature_schemes();
+ let root_hint_subjects = request.root_hint_subjects();
+ for sig_scheme in sig_schemes.iter().copied() {
+ for (i, cert) in self.additional.iter().enumerate() {
+ // if the server sends any issuer hints, respect them
+ if cert.must_match_issuer && !cert.any_issuer_matches_hints(root_hint_subjects) {
+ continue;
+ }
+
+ if let Some(signer) = cert.certkey.signer(&[sig_scheme]) {
+ assert!(
+ Some(i as isize) == self.expect_selected || self.expect_selected.is_none()
+ );
+ return Some(signer);
+ }
+ }
+ }
+
+ if let Some(cert) = &self.default {
+ if let Some(signer) = cert.certkey.signer(sig_schemes) {
+ assert!(matches!(self.expect_selected, Some(-1) | None));
+ return Some(signer);
+ }
+ }
+
+ assert_eq!(self.expect_selected, None);
+
+ let all_must_match_issuer = self
+ .additional
+ .iter()
+ .chain(self.default.iter())
+ .all(|item| item.must_match_issuer);
+
+ quit(match all_must_match_issuer {
+ true => ":NO_MATCHING_ISSUER:",
+ false => ":NO_COMMON_SIGNATURE_ALGORITHMS:",
+ })
+ }
+
+ fn supported_certificate_types(&self) -> &'static [CertificateType] {
+ match self.default.is_some() || !self.additional.is_empty() {
+ true => &[CertificateType::X509],
+ false => &[],
+ }
+ }
+
+ fn hash_config(&self, _: &mut dyn Hasher) {}
+}
+
+#[derive(Debug)]
+struct ClientCert {
+ certkey: Credentials,
+ issuer_names: Vec,
+ must_match_issuer: bool,
+}
+
+impl ClientCert {
+ fn new(mut certkey: Credentials, meta: &Credential) -> Self {
+ let Identity::X509(id) = &*certkey.identity else {
+ panic!("only X.509 client certs supported");
+ };
+
+ let mut issuer_names = Vec::new();
+ for cert in [&id.end_entity]
+ .into_iter()
+ .chain(id.intermediates.iter())
+ {
+ let parsed_cert = webpki::EndEntityCert::try_from(cert).unwrap();
+ issuer_names.push(DistinguishedName::in_sequence(parsed_cert.issuer()));
+ }
+
+ if let Some(scheme) = meta.use_signing_scheme {
+ certkey.key = Box::new(FixedSignatureSchemeSigningKey {
+ key: certkey.key,
+ scheme: lookup_scheme(scheme),
+ });
+ }
+
+ Self {
+ certkey,
+ issuer_names,
+ must_match_issuer: meta.must_match_issuer,
+ }
+ }
+
+ fn any_issuer_matches_hints(&self, hints: &[DistinguishedName]) -> bool {
+ hints.iter().any(|dn| {
+ self.issuer_names
+ .iter()
+ .any(|issuer| dn.as_ref() == issuer.as_ref())
+ })
+ }
+}
+
+fn lookup_scheme(scheme: u16) -> SignatureScheme {
+ match scheme {
+ 0x0401 => SignatureScheme::RSA_PKCS1_SHA256,
+ 0x0501 => SignatureScheme::RSA_PKCS1_SHA384,
+ 0x0601 => SignatureScheme::RSA_PKCS1_SHA512,
+ 0x0403 => SignatureScheme::ECDSA_NISTP256_SHA256,
+ 0x0503 => SignatureScheme::ECDSA_NISTP384_SHA384,
+ 0x0603 => SignatureScheme::ECDSA_NISTP521_SHA512,
+ 0x0804 => SignatureScheme::RSA_PSS_SHA256,
+ 0x0805 => SignatureScheme::RSA_PSS_SHA384,
+ 0x0806 => SignatureScheme::RSA_PSS_SHA512,
+ 0x0807 => SignatureScheme::ED25519,
+ // TODO: add support for Ed448
+ // 0x0808 => SignatureScheme::ED448,
+ _ => {
+ eprintln!("Unsupported signature scheme {:04x}", scheme);
+ process::exit(BOGO_NACK);
+ }
+ }
+}
+
+#[derive(Debug)]
+struct ServerCacheWithResumptionDelay {
+ delay: u32,
+ storage: Arc,
+}
+
+impl ServerCacheWithResumptionDelay {
+ fn new(delay: u32) -> Arc {
+ Arc::new(Self {
+ delay,
+ storage: server::ServerSessionMemoryCache::new(32),
+ })
+ }
+}
+
+fn align_time() {
+ /* we don't have an injectable clock source in rustls' public api, and
+ * resumption timing is in seconds resolution, so tests that use
+ * resumption_delay tend to be flickery if the seconds time ticks
+ * during this.
+ *
+ * this function delays until a fresh second ticks, which alleviates
+ * this. gross!
+ */
+ fn sample() -> u64 {
+ time::SystemTime::now()
+ .duration_since(time::SystemTime::UNIX_EPOCH)
+ .unwrap()
+ .as_secs()
+ }
+
+ let start_secs = sample();
+ while start_secs == sample() {
+ thread::sleep(time::Duration::from_millis(20));
+ }
+}
+
+impl server::StoresServerSessions for ServerCacheWithResumptionDelay {
+ fn put(&self, key: ServerSessionKey<'_>, mut value: Vec) -> bool {
+ // The creation time should be stored directly after the 2-byte version discriminant.
+ let creation_time_sec = &mut value[2..10];
+ let original = u64::from_be_bytes(creation_time_sec.try_into().unwrap());
+ let delayed = original - self.delay as u64;
+ creation_time_sec.copy_from_slice(&delayed.to_be_bytes());
+ self.storage.put(key, value)
+ }
+
+ fn get(&self, key: ServerSessionKey<'_>) -> Option> {
+ self.storage.get(key)
+ }
+
+ fn take(&self, key: ServerSessionKey<'_>) -> Option> {
+ self.storage.take(key)
+ }
+
+ fn can_cache(&self) -> bool {
+ self.storage.can_cache()
+ }
+}
+
+fn make_server_cfg(opts: &Options, key_log: &Arc) -> Arc {
+ let client_auth =
+ if opts.verify_peer || opts.offer_no_client_cas || opts.require_any_client_cert {
+ Arc::new(DummyClientAuth::new(
+ &opts.trusted_cert_file,
+ opts.require_any_client_cert,
+ Arc::from(opts.root_hint_subjects.clone()),
+ ))
+ } else {
+ WebPkiClientVerifier::no_client_auth()
+ };
+
+ assert!(
+ opts.credentials.additional.is_empty(),
+ "TODO: server certificate switching not implemented yet"
+ );
+ let cred = &opts.credentials.default;
+ let provider = opts.provider();
+ let mut credentials = cred.load_from_file(&provider);
+ credentials.ocsp = Some(opts.server_ocsp_response.clone());
+
+ let cert_resolver = match cred.use_signing_scheme {
+ Some(scheme) => Arc::new(FixedSignatureSchemeServerCertResolver {
+ credentials,
+ scheme: lookup_scheme(scheme),
+ }) as Arc,
+ None => Arc::new(SingleCredential::from(credentials)),
+ };
+
+ let mut cfg = ServerConfig::builder(Arc::new(provider))
+ .with_client_cert_verifier(client_auth)
+ .with_server_credential_resolver(cert_resolver)
+ .unwrap();
+
+ cfg.session_storage = ServerCacheWithResumptionDelay::new(opts.resumption_delay);
+ cfg.max_fragment_size = opts.max_fragment;
+ cfg.send_tls13_tickets = 1;
+ cfg.require_ems = opts.require_ems;
+ cfg.cipher_suite_selector = match opts.server_preference {
+ true => &PreferServerOrder,
+ false => &PreferClientOrder,
+ };
+
+ if opts.export_traffic_secrets {
+ cfg.key_log = key_log.clone();
+ }
+
+ if opts.tickets {
+ cfg.ticketer = Some(
+ cfg.crypto_provider()
+ .ticketer_factory
+ .ticketer()
+ .unwrap(),
+ );
+ } else if opts.resumes == 0 {
+ cfg.session_storage = Arc::new(server::NoServerSessionStorage {});
+ }
+
+ if !opts.protocols.is_empty() {
+ cfg.alpn_protocols = opts
+ .protocols
+ .iter()
+ .map(|proto| ApplicationProtocol::from(proto.as_bytes()).to_owned())
+ .collect::>();
+ }
+
+ if opts.reject_alpn {
+ cfg.alpn_protocols = vec![ApplicationProtocol::from(b"invalid")];
+ }
+
+ if opts.enable_early_data {
+ // see kMaxEarlyDataAccepted in boringssl, which bogo validates
+ cfg.max_early_data_size = 14336;
+ cfg.send_half_rtt_data = true;
+ }
+
+ match opts.install_cert_compression_algs {
+ CompressionAlgs::All => {
+ cfg.cert_compressors = vec![&ExpandingAlgorithm, &ShrinkingAlgorithm, &RandomAlgorithm];
+ cfg.cert_decompressors =
+ vec![&ExpandingAlgorithm, &ShrinkingAlgorithm, &RandomAlgorithm];
+ }
+ CompressionAlgs::One(ShrinkingAlgorithm::ALGORITHM) => {
+ cfg.cert_compressors = vec![&ShrinkingAlgorithm];
+ cfg.cert_decompressors = vec![&ShrinkingAlgorithm];
+ }
+ CompressionAlgs::None => {}
+ _ => unimplemented!(),
+ }
+
+ Arc::new(cfg)
+}
+
+struct ClientCacheWithSpecificKxHints {
+ delay: u32,
+ kx_hint: Option,
+ storage: Arc,
+}
+
+impl ClientCacheWithSpecificKxHints {
+ fn new(delay: u32, kx_hint: Option) -> Arc {
+ Arc::new(Self {
+ delay,
+ kx_hint,
+ storage: Arc::new(client::ClientSessionMemoryCache::new(32)),
+ })
+ }
+}
+
+impl client::ClientSessionStore for ClientCacheWithSpecificKxHints {
+ fn set_kx_hint(&self, _: ClientSessionKey<'static>, _: NamedGroup) {}
+ fn kx_hint(&self, _: &ClientSessionKey<'_>) -> Option {
+ self.kx_hint
+ }
+
+ fn set_tls12_session(&self, key: ClientSessionKey<'static>, mut value: client::Tls12Session) {
+ value.rewind_epoch(self.delay);
+ self.storage
+ .set_tls12_session(key, value);
+ }
+
+ fn tls12_session(&self, key: &ClientSessionKey<'_>) -> Option {
+ self.storage.tls12_session(key)
+ }
+
+ fn remove_tls12_session(&self, key: &ClientSessionKey<'static>) {
+ self.storage.remove_tls12_session(key);
+ }
+
+ fn insert_tls13_ticket(&self, key: ClientSessionKey<'static>, mut value: Tls13Session) {
+ value.rewind_epoch(self.delay);
+ self.storage
+ .insert_tls13_ticket(key, value)
+ }
+
+ fn take_tls13_ticket(&self, key: &ClientSessionKey<'static>) -> Option {
+ self.storage.take_tls13_ticket(key)
+ }
+}
+
+impl Debug for ClientCacheWithSpecificKxHints {
+ fn fmt(&self, f: &mut Formatter<'_>) -> core::fmt::Result {
+ // Note: we omit self.storage here as it may contain sensitive data.
+ f.debug_struct("ClientCacheWithoutKxHints")
+ .field("delay", &self.delay)
+ .finish_non_exhaustive()
+ }
+}
+
+fn make_client_cfg(opts: &Options, key_log: &Arc) -> Arc {
+ let provider = Arc::new(opts.provider());
+ let cfg = ClientConfig::builder(provider.clone());
+
+ let cfg = if opts.selected_provider.supports_ech() {
+ let ech_cfg = ClientConfig::builder(
+ CryptoProvider {
+ tls12_cipher_suites: Default::default(),
+ ..opts.provider()
+ }
+ .into(),
+ );
+
+ if let Some(ech_config_list) = &opts.ech_config_list {
+ let ech_mode: EchMode = EchConfig::new(ech_config_list.clone(), ALL_HPKE_SUITES)
+ .unwrap_or_else(|_| quit(":INVALID_ECH_CONFIG_LIST:"))
+ .into();
+
+ ech_cfg.with_ech(ech_mode)
+ } else if opts.enable_ech_grease {
+ let ech_mode = EchMode::Grease(EchGreaseConfig::new(
+ GREASE_HPKE_SUITE,
+ HpkePublicKey(GREASE_25519_PUBKEY.to_vec()),
+ ));
+
+ ech_cfg.with_ech(ech_mode)
+ } else {
+ cfg
+ }
+ } else {
+ cfg
+ };
+
+ let cfg = cfg
+ .dangerous()
+ .with_custom_certificate_verifier(Arc::new(DummyServerAuth::new(
+ &opts.trusted_cert_file,
+ opts.ocsp,
+ )));
+
+ let mut cfg = match opts.credentials.configured() {
+ true => {
+ let mut resolver = MultipleClientCredentialResolver {
+ expect_selected: opts.credentials.expect_selected,
+ ..Default::default()
+ };
+
+ if opts.credentials.default.configured() {
+ let cred = &opts.credentials.default;
+ resolver.set_default(cred.load_from_file(&provider), cred)
}
- _ => {
- println!("unhandled option {:?}", arg);
- process::exit(1);
+ for cred in opts.credentials.additional.iter() {
+ resolver.add(cred.load_from_file(&provider), cred);
}
+
+ cfg.with_client_credential_resolver(Arc::new(resolver))
+ .unwrap()
}
+ false => cfg.with_no_client_auth().unwrap(),
+ };
+
+ cfg.resumption = Resumption::store(ClientCacheWithSpecificKxHints::new(
+ opts.resumption_delay,
+ opts.server_supported_group_hint,
+ ))
+ .tls12_resumption(match opts.tickets {
+ true => Tls12Resumption::SessionIdOrTickets,
+ false => Tls12Resumption::SessionIdOnly,
+ });
+ cfg.enable_sni = opts.use_sni;
+ cfg.max_fragment_size = opts.max_fragment;
+ cfg.require_ems = opts.require_ems;
+ if opts.export_traffic_secrets {
+ cfg.key_log = key_log.clone();
}
- println!("opts {:?}", opts);
+ if !opts.protocols.is_empty() {
+ cfg.alpn_protocols = opts
+ .protocols
+ .iter()
+ .map(|proto| ApplicationProtocol::from(proto.as_bytes()).to_owned())
+ .collect();
+ }
- let (mut client_cfg, mut server_cfg) = match opts.side {
- Side::Client => (Some(make_client_cfg(&opts)), None),
- Side::Server => (None, Some(make_server_cfg(&opts))),
- };
+ if opts.enable_early_data {
+ cfg.enable_early_data = true;
+ }
- fn make_session(
- opts: &Options,
- scfg: &Option>,
- ccfg: &Option>,
- ) -> Connection {
- assert!(opts.quic_transport_params.is_empty());
- assert!(opts
- .expect_quic_transport_params
- .is_empty());
+ match opts.install_cert_compression_algs {
+ CompressionAlgs::All => {
+ cfg.cert_decompressors =
+ vec![&ExpandingAlgorithm, &ShrinkingAlgorithm, &RandomAlgorithm];
+ cfg.cert_compressors = vec![&ExpandingAlgorithm, &ShrinkingAlgorithm, &RandomAlgorithm];
+ }
+ CompressionAlgs::One(ShrinkingAlgorithm::ALGORITHM) => {
+ cfg.cert_decompressors = vec![&ShrinkingAlgorithm];
+ cfg.cert_compressors = vec![&ShrinkingAlgorithm];
+ }
+ CompressionAlgs::None => {}
+ _ => unimplemented!(),
+ }
- if opts.side == Side::Server {
- let scfg = Arc::clone(scfg.as_ref().unwrap());
- ServerConnection::new(scfg)
- .unwrap()
- .into()
- } else {
- let server_name = ServerName::try_from(opts.host_name.as_str())
- .unwrap()
- .to_owned();
- let ccfg = Arc::clone(ccfg.as_ref().unwrap());
+ Arc::new(cfg)
+}
- ClientConnection::new(ccfg, server_name)
- .unwrap()
- .into()
+fn quit(why: &str) -> ! {
+ eprintln!("{}", why);
+ process::exit(0)
+}
+
+fn quit_err(why: &str) -> ! {
+ eprintln!("{}", why);
+ process::exit(1)
+}
+
+fn handle_err(opts: &Options, err: Error) -> ! {
+ println!("TLS error: {err:?}");
+
+ match err {
+ Error::InappropriateHandshakeMessage { .. } | Error::InappropriateMessage { .. } => {
+ quit(":UNEXPECTED_MESSAGE:")
+ }
+ Error::AlertReceived(AlertDescription::RecordOverflow) => {
+ quit(":TLSV1_ALERT_RECORD_OVERFLOW:")
+ }
+ Error::AlertReceived(AlertDescription::HandshakeFailure) => quit(":HANDSHAKE_FAILURE:"),
+ Error::AlertReceived(AlertDescription::ProtocolVersion) => quit(":WRONG_VERSION:"),
+ Error::AlertReceived(AlertDescription::InternalError) => {
+ quit(":PEER_ALERT_INTERNAL_ERROR:")
+ }
+ Error::InvalidMessage(
+ InvalidMessage::MissingData("AlertDescription")
+ | InvalidMessage::TrailingData("AlertMessagePayload"),
+ ) => quit(":BAD_ALERT:"),
+ Error::InvalidMessage(
+ InvalidMessage::TrailingData("ChangeCipherSpecPayload") | InvalidMessage::InvalidCcs,
+ ) => quit(":BAD_CHANGE_CIPHER_SPEC:"),
+ Error::InvalidMessage(
+ InvalidMessage::EmptyTicketValue | InvalidMessage::IllegalEmptyList(_),
+ ) => quit(":DECODE_ERROR:"),
+ Error::InvalidMessage(
+ InvalidMessage::InvalidKeyUpdate
+ | InvalidMessage::MissingData(_)
+ | InvalidMessage::TrailingData(_)
+ | InvalidMessage::UnexpectedMessage("HelloRetryRequest")
+ | InvalidMessage::NoSignatureSchemes
+ | InvalidMessage::UnsupportedCompression,
+ ) => quit(":BAD_HANDSHAKE_MSG:"),
+ Error::InvalidMessage(InvalidMessage::InvalidCertRequest)
+ | Error::InvalidMessage(InvalidMessage::InvalidDhParams)
+ | Error::InvalidMessage(InvalidMessage::MissingKeyExchange) => quit(":BAD_HANDSHAKE_MSG:"),
+ Error::InvalidMessage(InvalidMessage::InvalidContentType)
+ | Error::InvalidMessage(InvalidMessage::InvalidEmptyPayload)
+ | Error::InvalidMessage(InvalidMessage::UnknownProtocolVersion)
+ | Error::InvalidMessage(
+ InvalidMessage::MessageTooLarge | InvalidMessage::CertificatePayloadTooLarge,
+ ) => quit(":GARBAGE:"),
+ Error::InvalidMessage(InvalidMessage::MessageTooShort)
+ if opts.enable_ech_grease || opts.ech_config_list.is_some() =>
+ {
+ quit(":ERROR_PARSING_EXTENSION:")
+ }
+ Error::InvalidMessage(InvalidMessage::DuplicateExtension(_)) => {
+ quit(":DUPLICATE_EXTENSION:")
+ }
+ Error::InvalidMessage(InvalidMessage::UnknownHelloRetryRequestExtension)
+ | Error::InvalidMessage(InvalidMessage::UnknownCertificateExtension) => {
+ quit(":UNEXPECTED_EXTENSION:")
+ }
+ Error::InvalidMessage(InvalidMessage::UnexpectedMessage(_)) => quit(":GARBAGE:"),
+ Error::InvalidMessage(InvalidMessage::PreSharedKeyIsNotFinalExtension) => {
+ quit(":PRE_SHARED_KEY_MUST_BE_LAST:")
+ }
+ Error::DecryptError if opts.ech_config_list.is_some() => {
+ quit(":INCONSISTENT_ECH_NEGOTIATION:")
+ }
+ Error::DecryptError => quit(":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"),
+ Error::NoApplicationProtocol => quit(":NO_APPLICATION_PROTOCOL:"),
+ Error::PeerIncompatible(
+ PeerIncompatible::ServerSentHelloRetryRequestWithUnknownExtension,
+ ) => quit(":UNEXPECTED_EXTENSION:"),
+ Error::RejectedEch(rejected_err) => {
+ if let Some(expected_configs) = &opts.expect_ech_retry_configs {
+ assert_eq!(
+ rejected_err.retry_configs().as_ref(),
+ Some(expected_configs)
+ );
+ }
+ quit(":ECH_REJECTED:")
+ }
+ Error::PeerIncompatible(PeerIncompatible::NoCipherSuitesInCommon) => {
+ quit(":NO_SHARED_CIPHER:")
+ }
+ Error::PeerIncompatible(_) => quit(":INCOMPATIBLE:"),
+ Error::PeerMisbehaved(PeerMisbehaved::MissingPskModesExtension) => {
+ quit(":MISSING_EXTENSION:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::TooMuchEarlyDataReceived) => {
+ quit(":TOO_MUCH_READ_EARLY_DATA:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::SignedHandshakeWithUnadvertisedSigScheme)
+ | Error::PeerMisbehaved(PeerMisbehaved::SignedKxWithWrongAlgorithm) => {
+ quit(":WRONG_SIGNATURE_TYPE:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::SelectedUnofferedCertCompression) => {
+ quit(":UNKNOWN_CERT_COMPRESSION_ALG:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::InvalidCertCompression) => {
+ quit(":CERT_DECOMPRESSION_FAILED:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::OfferedDuplicateCertificateCompressions) => {
+ quit(":ERROR_PARSING_EXTENSION:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::SelectedUnofferedCipherSuite) => {
+ quit(":WRONG_CIPHER_RETURNED:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::TooManyWarningAlertsReceived) => {
+ quit(":TOO_MANY_WARNING_ALERTS:")
+ }
+ Error::PeerMisbehaved(
+ PeerMisbehaved::TooManyConsecutiveHandshakeMessagesAfterHandshake,
+ ) => quit(":TOO_MANY_KEY_UPDATES:"),
+ Error::PeerMisbehaved(PeerMisbehaved::MissingKeyShare) => quit(":MISSING_KEY_SHARE:"),
+ Error::PeerMisbehaved(PeerMisbehaved::OfferedDuplicateKeyShares) => {
+ quit(":DUPLICATE_KEY_SHARE:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::IllegalMiddleboxChangeCipherSpec) => {
+ quit(":ILLEGAL_MIDDLEBOX_CHANGE_CIPHER_SPEC:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::EarlyDataExtensionWithoutResumption) => {
+ quit(":UNEXPECTED_EXTENSION:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::EarlyDataOfferedWithVariedCipherSuite) => {
+ quit(":CIPHER_MISMATCH_ON_EARLY_DATA:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::ServerEchoedCompatibilitySessionId) => {
+ quit(":SERVER_ECHOED_INVALID_SESSION_ID:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::TooManyEmptyFragments) => {
+ quit(":TOO_MANY_EMPTY_FRAGMENTS:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::IllegalHelloRetryRequestWithInvalidEch)
+ | Error::PeerMisbehaved(PeerMisbehaved::UnsolicitedEchExtension) => {
+ quit(":UNEXPECTED_EXTENSION:")
+ }
+ Error::PeerMisbehaved(
+ PeerMisbehaved::UnsolicitedEncryptedExtension
+ | PeerMisbehaved::UnsolicitedServerHelloExtension
+ | PeerMisbehaved::UnexpectedCleartextExtension
+ | PeerMisbehaved::UnsolicitedCertExtension,
+ ) => quit(":UNEXPECTED_EXTENSION:"),
+ Error::PeerMisbehaved(PeerMisbehaved::DisallowedEncryptedExtension) => {
+ quit(":ERROR_PARSING_EXTENSION:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::IllegalHelloRetryRequestWithOfferedGroup) => {
+ quit(":ILLEGAL_HELLO_RETRY_REQUEST_WITH_OFFERED_GROUP:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::IllegalHelloRetryRequestWithUnofferedNamedGroup) => {
+ quit(":ILLEGAL_HELLO_RETRY_REQUEST_WITH_UNOFFERED_GROUP:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::IllegalHelloRetryRequestWithNoChanges) => {
+ quit(":EMPTY_HELLO_RETRY_REQUEST:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::DuplicateHelloRetryRequestExtensions) => {
+ quit(":DUPLICATE_HELLO_RETRY_REQUEST_EXTENSIONS:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::SelectedTls12UsingTls13VersionExtension) => {
+ quit(":SELECTED_TLS12_USING_TLS13_VERSION_EXTENSION:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::OfferedIncorrectCompressions) => {
+ quit(":INVALID_COMPRESSION_LIST:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::SelectedUnofferedCompression) => {
+ quit(":UNSUPPORTED_COMPRESSION_ALGORITHM:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::WrongGroupForKeyShare) => quit(":WRONG_CURVE:"),
+ Error::PeerMisbehaved(PeerMisbehaved::SelectedUnofferedKxGroup) => quit(":WRONG_CURVE:"),
+ Error::PeerMisbehaved(PeerMisbehaved::RefusedToFollowHelloRetryRequest) => {
+ quit(":WRONG_CURVE:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::InvalidKeyShare) => quit(":BAD_ECPOINT:"),
+ Error::PeerMisbehaved(PeerMisbehaved::MessageInterleavedWithHandshakeMessage) => {
+ quit(":UNEXPECTED_MESSAGE:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::KeyEpochWithPendingFragment) => {
+ quit(":EXCESS_HANDSHAKE_DATA:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::NoCertificatesPresented) => quit(":NO_CERTS:"),
+ Error::PeerMisbehaved(PeerMisbehaved::OfferedEarlyDataWithOldProtocolVersion) => {
+ quit(":WRONG_VERSION_ON_EARLY_DATA:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::SelectedUnofferedApplicationProtocol) => {
+ quit(":INVALID_ALPN_PROTOCOL:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::SelectedDifferentCipherSuiteAfterRetry) => {
+ quit(":SELECTED_DIFFERENT_CIPHERSUITE_AFTER_RETRY:")
+ }
+ Error::PeerMisbehaved(
+ PeerMisbehaved::ResumptionAttemptedWithVariedEms
+ | PeerMisbehaved::ResumptionOfferedWithVariedEms,
+ ) => quit(":RESUMED_SESSION_WITH_VARIED_EMS:"),
+ Error::PeerMisbehaved(PeerMisbehaved::IllegalTlsInnerPlaintext) => {
+ quit(":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::SelectedInvalidPsk) => {
+ quit(":PSK_IDENTITY_NOT_FOUND:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::PskExtensionWithMismatchedIdsAndBinders) => {
+ quit(":PSK_IDENTITY_BINDER_COUNT_MISMATCH:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::ResumptionOfferedWithIncompatibleCipherSuite) => {
+ quit(":OLD_SESSION_PRF_HASH_MISMATCH:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::PskExtensionMustBeLast) => {
+ quit(":PRE_SHARED_KEY_MUST_BE_LAST:")
+ }
+ Error::PeerMisbehaved(
+ PeerMisbehaved::IncorrectBinder | PeerMisbehaved::IncorrectFinished,
+ ) => quit(":DIGEST_CHECK_FAILED:"),
+ Error::PeerMisbehaved(PeerMisbehaved::ServerHelloMustOfferUncompressedEcPoints) => {
+ quit(":SERVER_HELLO_MUST_OFFER_UNCOMPRESSED_EC_POINTS:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::AttemptedDowngradeToTls12WhenTls13IsSupported) => {
+ quit(":TLS13_DOWNGRADE:")
+ }
+ Error::PeerMisbehaved(PeerMisbehaved::RejectedEarlyDataInterleavedWithHandshakeMessage) => {
+ quit(":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:")
+ }
+ Error::PeerMisbehaved(
+ PeerMisbehaved::IllegalAlertLevel(_, _) | PeerMisbehaved::IllegalWarningAlert(_),
+ ) => quit(":BAD_ALERT:"),
+ Error::PeerMisbehaved(_) => panic!("!!! please add error mapping for {err:?}"),
+ Error::AlertReceived(AlertDescription::UnexpectedMessage) => quit(":BAD_ALERT:"),
+ Error::AlertReceived(AlertDescription::DecompressionFailure) => {
+ quit_err(":SSLV3_ALERT_DECOMPRESSION_FAILURE:")
+ }
+ Error::InvalidCertificate(CertificateError::BadEncoding) => {
+ quit(":CANNOT_PARSE_LEAF_CERT:")
+ }
+ Error::InvalidCertificate(CertificateError::BadSignature) => quit(":BAD_SIGNATURE:"),
+ Error::InvalidCertificate(
+ CertificateError::UnsupportedSignatureAlgorithm { .. }
+ | CertificateError::UnsupportedSignatureAlgorithmForPublicKey { .. },
+ ) => quit(":WRONG_SIGNATURE_TYPE:"),
+ Error::InvalidCertificate(CertificateError::InvalidOcspResponse) => {
+ // note: only use is in this file.
+ quit(":OCSP_CB_ERROR:")
+ }
+ Error::InvalidCertificate(e) => quit(&format!(":BAD_CERT: ({e:?})")),
+ Error::PeerSentOversizedRecord => quit(":DATA_LENGTH_TOO_LONG:"),
+ _ => {
+ eprintln!("unhandled error: {:?}", err);
+ quit(":FIXME:")
}
}
+}
- for i in 0..opts.resumes + 1 {
- let sess = make_session(&opts, &server_cfg, &client_cfg);
- exec(&opts, sess, i);
- if opts.resume_with_tickets_disabled {
- opts.tickets = false;
- server_cfg = Some(make_server_cfg(&opts));
- }
- if opts.on_resume_ech_config_list.is_some() {
- opts.ech_config_list
- .clone_from(&opts.on_resume_ech_config_list);
- opts.expect_ech_accept = opts.on_resume_expect_ech_accept;
- client_cfg = Some(make_client_cfg(&opts));
+#[derive(Debug, Default)]
+struct KeyLogMemo(Mutex);
+
+impl KeyLogMemo {
+ fn clone_inner(&self) -> KeyLogMemoInner {
+ self.0.lock().unwrap().clone()
+ }
+}
+
+impl rustls::KeyLog for KeyLogMemo {
+ fn log(&self, label: &str, _client_random: &[u8], secret: &[u8]) {
+ match label {
+ "CLIENT_TRAFFIC_SECRET_0" => {
+ self.0
+ .lock()
+ .unwrap()
+ .client_traffic_secret = secret.to_vec()
+ }
+ "SERVER_TRAFFIC_SECRET_0" => {
+ self.0
+ .lock()
+ .unwrap()
+ .server_traffic_secret = secret.to_vec()
+ }
+ _ => {}
}
- opts.expect_handshake_kind
- .clone_from(&opts.expect_handshake_kind_resumed);
}
+
+ fn will_log(&self, _label: &str) -> bool {
+ true
+ }
+}
+
+#[derive(Clone, Debug, Default)]
+struct KeyLogMemoInner {
+ client_traffic_secret: Vec,
+ server_traffic_secret: Vec,
+}
+
+#[derive(Debug, PartialEq)]
+enum Side {
+ Client,
+ Server,
}
#[derive(Debug, PartialEq)]
@@ -1759,7 +2178,7 @@ impl ShrinkingAlgorithm {
impl compress::CertDecompressor for ShrinkingAlgorithm {
fn algorithm(&self) -> CertificateCompressionAlgorithm {
- CertificateCompressionAlgorithm::Unknown(Self::ALGORITHM)
+ CertificateCompressionAlgorithm(Self::ALGORITHM)
}
fn decompress(
@@ -1778,7 +2197,7 @@ impl compress::CertDecompressor for ShrinkingAlgorithm {
impl compress::CertCompressor for ShrinkingAlgorithm {
fn algorithm(&self) -> CertificateCompressionAlgorithm {
- CertificateCompressionAlgorithm::Unknown(Self::ALGORITHM)
+ CertificateCompressionAlgorithm(Self::ALGORITHM)
}
fn compress(
@@ -1797,7 +2216,7 @@ struct ExpandingAlgorithm;
impl compress::CertDecompressor for ExpandingAlgorithm {
fn algorithm(&self) -> CertificateCompressionAlgorithm {
- CertificateCompressionAlgorithm::Unknown(0xff02)
+ CertificateCompressionAlgorithm(0xff02)
}
fn decompress(
@@ -1818,7 +2237,7 @@ impl compress::CertDecompressor for ExpandingAlgorithm {
impl compress::CertCompressor for ExpandingAlgorithm {
fn algorithm(&self) -> CertificateCompressionAlgorithm {
- CertificateCompressionAlgorithm::Unknown(0xff02)
+ CertificateCompressionAlgorithm(0xff02)
}
fn compress(
@@ -1839,7 +2258,7 @@ struct RandomAlgorithm;
impl compress::CertDecompressor for RandomAlgorithm {
fn algorithm(&self) -> CertificateCompressionAlgorithm {
- CertificateCompressionAlgorithm::Unknown(0xff03)
+ CertificateCompressionAlgorithm(0xff03)
}
fn decompress(
@@ -1857,7 +2276,7 @@ impl compress::CertDecompressor for RandomAlgorithm {
impl compress::CertCompressor for RandomAlgorithm {
fn algorithm(&self) -> CertificateCompressionAlgorithm {
- CertificateCompressionAlgorithm::Unknown(0xff03)
+ CertificateCompressionAlgorithm(0xff03)
}
fn compress(
@@ -1868,7 +2287,7 @@ impl compress::CertCompressor for RandomAlgorithm {
let random_byte = {
let mut bytes = [0];
// nb. provider is irrelevant for this use
- ring::default_provider()
+ rustls_ring::DEFAULT_PROVIDER
.secure_random
.fill(&mut bytes)
.unwrap();
@@ -1903,3 +2322,7 @@ static ALL_HPKE_SUITES: &[&dyn Hpke] = &[
hpke::DH_KEM_X25519_HKDF_SHA256_AES_256,
hpke::DH_KEM_X25519_HKDF_SHA256_CHACHA20_POLY1305,
];
+
+static BOGO_NACK: i32 = 89;
+
+const MAX_MESSAGE_SIZE: usize = 0xffff + 5;
diff --git a/ci-bench/Cargo.toml b/ci-bench/Cargo.toml
index 6fde65b814e..f9abca8ee7b 100644
--- a/ci-bench/Cargo.toml
+++ b/ci-bench/Cargo.toml
@@ -11,13 +11,17 @@ anyhow = { workspace = true }
async-trait = { workspace = true }
byteorder = { workspace = true }
clap = { workspace = true }
-fxhash = { workspace = true }
itertools = { workspace = true }
rayon = { workspace = true }
-rustls = { path = "../rustls", features = ["ring", "aws_lc_rs"] }
-
-[target.'cfg(not(target_env = "msvc"))'.dependencies]
-tikv-jemallocator = { workspace = true }
+rustc-hash = { workspace = true }
+rustls = { path = "../rustls" }
+rustls-aws-lc-rs = { path = "../rustls-aws-lc-rs" }
+rustls-ring = { path = "../rustls-ring" }
+rustls-test = { workspace = true, default-features = false }
+rustls-fuzzing-provider = { workspace = true }
[target.'cfg(target_os = "linux")'.dependencies]
crabgrind = { workspace = true }
+
+[lints]
+workspace = true
diff --git a/ci-bench/README.md b/ci-bench/README.md
index 8cab18e0231..924c71d8571 100644
--- a/ci-bench/README.md
+++ b/ci-bench/README.md
@@ -132,7 +132,7 @@ The solution was to:
that complete after a single `poll`. This way we avoid using an async runtime, which could
introduce non-determinism.
3. Use non-blocking operations under the hood in wall-time mode, which simulate IO through shared
- in-memory buffers. The server and client `Future`s are polled in turns, so again we we avoid
+ in-memory buffers. The server and client `Future`s are polled in turns, so again we avoid
pulling in an async runtime and keep things as deterministic as possible.
### Why measure CPU instructions
diff --git a/ci-bench/src/benchmark.rs b/ci-bench/src/benchmark.rs
index 6434df68a54..94ed21d7c3a 100644
--- a/ci-bench/src/benchmark.rs
+++ b/ci-bench/src/benchmark.rs
@@ -1,36 +1,16 @@
+use core::borrow::Borrow;
+use core::cmp;
use std::sync::Arc;
-use fxhash::FxHashMap;
-use itertools::Itertools;
+use rustc_hash::FxHashMap;
+use rustls::crypto::{CryptoProvider, TicketProducer};
+use rustls_test::KeyType;
-use crate::callgrind::InstructionCounts;
-use crate::util::KeyType;
use crate::Side;
-
-/// Validates a benchmark collection, returning an error if the provided benchmarks are invalid
-///
-/// Benchmarks can be invalid because of the following reasons:
-///
-/// - Re-using an already defined benchmark name.
-pub fn validate_benchmarks(benchmarks: &[Benchmark]) -> anyhow::Result<()> {
- // Detect duplicate definitions
- let duplicate_names: Vec<_> = benchmarks
- .iter()
- .map(|b| b.name.as_str())
- .duplicates()
- .collect();
- if !duplicate_names.is_empty() {
- anyhow::bail!(
- "The following benchmarks are defined multiple times: {}",
- duplicate_names.join(", ")
- );
- }
-
- Ok(())
-}
+use crate::valgrind::InstructionCounts;
/// Get the reported instruction counts for the provided benchmark
-pub fn get_reported_instr_count(
+pub(crate) fn get_reported_instr_count(
bench: &Benchmark,
results: &FxHashMap<&str, InstructionCounts>,
) -> InstructionCounts {
@@ -39,7 +19,7 @@ pub fn get_reported_instr_count(
/// Specifies which functionality is being benchmarked
#[derive(Copy, Clone)]
-pub enum BenchmarkKind {
+pub(crate) enum BenchmarkKind {
/// Perform the handshake and exit
Handshake(ResumptionKind),
/// Perform the handshake and transfer 1MB of data
@@ -48,17 +28,17 @@ pub enum BenchmarkKind {
impl BenchmarkKind {
/// Returns the [`ResumptionKind`] used in the handshake part of the benchmark
- pub fn resumption_kind(self) -> ResumptionKind {
+ pub(crate) fn resumption_kind(self) -> ResumptionKind {
match self {
- BenchmarkKind::Handshake(kind) => kind,
- BenchmarkKind::Transfer => ResumptionKind::No,
+ Self::Handshake(kind) => kind,
+ Self::Transfer => ResumptionKind::No,
}
}
}
-#[derive(PartialEq, Clone, Copy)]
/// The kind of resumption used during the handshake
-pub enum ResumptionKind {
+#[derive(PartialEq, Clone, Copy)]
+pub(crate) enum ResumptionKind {
/// No resumption
No,
/// Session ID
@@ -68,10 +48,10 @@ pub enum ResumptionKind {
}
impl ResumptionKind {
- pub const ALL: &'static [ResumptionKind] = &[Self::No, Self::SessionId, Self::Tickets];
+ pub(crate) const ALL: &'static [Self] = &[Self::No, Self::SessionId, Self::Tickets];
/// Returns a user-facing label that identifies the resumption kind
- pub fn label(&self) -> &'static str {
+ pub(crate) fn label(&self) -> &'static str {
match *self {
Self::No => "no_resume",
Self::SessionId => "session_id",
@@ -82,44 +62,48 @@ impl ResumptionKind {
/// Parameters associated to a benchmark
#[derive(Clone, Debug)]
-pub struct BenchmarkParams {
- /// Which `CryptoProvider` to test
- pub provider: rustls::crypto::CryptoProvider,
- /// How to make a suitable [`rustls::server::ProducesTickets`].
- pub ticketer: &'static fn() -> Arc,
- /// The type of key used to sign the TLS certificate
- pub key_type: KeyType,
- /// Cipher suite
- pub ciphersuite: rustls::SupportedCipherSuite,
- /// TLS version
- pub version: &'static rustls::SupportedProtocolVersion,
+pub(crate) struct BenchmarkParams {
+ /// Which `CryptoProvider` to test.
+ ///
+ /// The choice of cipher suite is baked into this.
+ pub provider: Arc,
+ /// How to make a suitable [`rustls::crypto::TicketProducer`].
+ pub ticketer: &'static fn() -> Arc,
+ /// Where to get keys for server auth
+ pub auth_key: AuthKeySource,
/// A user-facing label that identifies these params
pub label: String,
+ /// Call this once this BenchmarkParams is sure to be used
+ pub warm_up: Option,
}
impl BenchmarkParams {
/// Create a new set of benchmark params
- pub const fn new(
- provider: rustls::crypto::CryptoProvider,
- ticketer: &'static fn() -> Arc,
- key_type: KeyType,
- ciphersuite: rustls::SupportedCipherSuite,
- version: &'static rustls::SupportedProtocolVersion,
+ pub(crate) const fn new(
+ provider: Arc,
+ ticketer: &'static fn() -> Arc,
+ auth_key: AuthKeySource,
label: String,
+ warm_up: Option,
) -> Self {
Self {
provider,
ticketer,
- key_type,
- ciphersuite,
- version,
+ auth_key,
label,
+ warm_up,
}
}
}
+#[derive(Clone, Debug)]
+pub(crate) enum AuthKeySource {
+ KeyType(KeyType),
+ FuzzingProvider,
+}
+
/// A benchmark specification
-pub struct Benchmark {
+pub(crate) struct Benchmark {
/// The name of the benchmark, as shown in the benchmark results
name: String,
/// The benchmark kind
@@ -130,17 +114,43 @@ pub struct Benchmark {
impl Benchmark {
/// Create a new benchmark
- pub fn new(name: String, kind: BenchmarkKind, params: BenchmarkParams) -> Self {
+ pub(crate) fn new(name: String, kind: BenchmarkKind, params: BenchmarkParams) -> Self {
Self { name, kind, params }
}
/// Returns the benchmark's unique name
- pub fn name(&self) -> &str {
+ pub(crate) fn name(&self) -> &str {
&self.name
}
/// Returns the benchmark's unique name with the side appended to it
- pub fn name_with_side(&self, side: Side) -> String {
+ pub(crate) fn name_with_side(&self, side: Side) -> String {
format!("{}_{}", self.name, side.as_str())
}
}
+
+impl Borrow for Benchmark {
+ fn borrow(&self) -> &str {
+ &self.name
+ }
+}
+
+impl PartialEq for Benchmark {
+ fn eq(&self, other: &Self) -> bool {
+ self.name == other.name
+ }
+}
+
+impl Eq for Benchmark {}
+
+impl PartialOrd for Benchmark {
+ fn partial_cmp(&self, other: &Self) -> Option {
+ Some(self.cmp(other))
+ }
+}
+
+impl Ord for Benchmark {
+ fn cmp(&self, other: &Self) -> cmp::Ordering {
+ self.name.cmp(&other.name)
+ }
+}
diff --git a/ci-bench/src/callgrind.rs b/ci-bench/src/callgrind.rs
deleted file mode 100644
index 2dba776762d..00000000000
--- a/ci-bench/src/callgrind.rs
+++ /dev/null
@@ -1,288 +0,0 @@
-use std::fs::File;
-use std::io::{BufRead, BufReader};
-use std::ops::Sub;
-use std::path::{Path, PathBuf};
-use std::process::{Child, Command, Stdio};
-
-use anyhow::Context;
-
-use crate::benchmark::Benchmark;
-use crate::Side;
-
-/// The subdirectory in which the callgrind output should be stored
-const CALLGRIND_OUTPUT_SUBDIR: &str = "callgrind";
-
-/// A callgrind-based benchmark runner
-pub struct CallgrindRunner {
- /// The path to the ci-bench executable
- ///
- /// This is necessary because the callgrind runner works by spawning child processes
- executable: String,
- /// The directory where the callgrind output will be stored
- output_dir: PathBuf,
-}
-
-impl CallgrindRunner {
- /// Returns a new callgrind-based benchmark runner
- pub fn new(executable: String, output_dir: PathBuf) -> anyhow::Result {
- Self::ensure_callgrind_available()?;
-
- let callgrind_output_dir = output_dir.join(CALLGRIND_OUTPUT_SUBDIR);
- std::fs::create_dir_all(&callgrind_output_dir)
- .context("Failed to create callgrind output directory")?;
-
- Ok(CallgrindRunner {
- executable,
- output_dir: callgrind_output_dir,
- })
- }
-
- /// Runs the benchmark at the specified index and returns the instruction counts for each side
- pub fn run_bench(
- &self,
- benchmark_index: u32,
- bench: &Benchmark,
- ) -> anyhow::Result {
- // The server and client are started as child processes, and communicate with each other
- // through stdio.
-
- let mut server = Self::run_bench_side(
- &self.executable,
- benchmark_index,
- Side::Server,
- &bench.name_with_side(Side::Server),
- Stdio::piped(),
- Stdio::piped(),
- &self.output_dir,
- )
- .context("server side bench crashed")?;
-
- let client = Self::run_bench_side(
- &self.executable,
- benchmark_index,
- Side::Client,
- &bench.name_with_side(Side::Client),
- Stdio::from(server.process.stdout.take().unwrap()),
- Stdio::from(server.process.stdin.take().unwrap()),
- &self.output_dir,
- )
- .context("client side bench crashed")?;
-
- Ok(InstructionCounts {
- server: server.wait_and_get_instr_count()?,
- client: client.wait_and_get_instr_count()?,
- })
- }
-
- /// Returns an error if callgrind is not available
- fn ensure_callgrind_available() -> anyhow::Result<()> {
- let result = Command::new("valgrind")
- .arg("--tool=callgrind")
- .arg("--version")
- .stdout(Stdio::null())
- .stderr(Stdio::null())
- .status();
-
- match result {
- Err(e) => anyhow::bail!("Unexpected error while launching callgrind. Error: {}", e),
- Ok(status) => {
- if status.success() {
- Ok(())
- } else {
- anyhow::bail!("Failed to launch callgrind. Error: {}. Please ensure that valgrind is installed and on the $PATH.", status)
- }
- }
- }
- }
-
- /// See docs for [`Self::run_bench`]
- fn run_bench_side(
- executable: &str,
- benchmark_index: u32,
- side: Side,
- name: &str,
- stdin: Stdio,
- stdout: Stdio,
- output_dir: &Path,
- ) -> anyhow::Result {
- let callgrind_output_file = output_dir.join(name);
- let callgrind_log_file = output_dir.join(format!("{name}.log"));
-
- // Run under setarch to disable ASLR, to reduce noise
- let mut cmd = Command::new("setarch");
- let child = cmd
- .arg("-R")
- .arg("valgrind")
- .arg("--tool=callgrind")
- // Do not count instructions from the start, instead this is controlled by `CountInstructions`
- .arg("--collect-atstart=no")
- // Disable the cache simulation, since we are only interested in instruction counts
- .arg("--cache-sim=no")
- // Save callgrind's logs, which would otherwise be printed to stderr (we want to
- // keep stderr free of noise, to see any errors from the child process)
- .arg(format!("--log-file={}", callgrind_log_file.display()))
- // The file where the instruction counts will be stored
- .arg(format!(
- "--callgrind-out-file={}",
- callgrind_output_file.display()
- ))
- .arg(executable)
- .arg("run-single")
- .arg(benchmark_index.to_string())
- .arg(side.as_str())
- .stdin(stdin)
- .stdout(stdout)
- .stderr(Stdio::inherit())
- .spawn()
- .context("Failed to run benchmark in callgrind")?;
-
- Ok(BenchSubprocess {
- process: child,
- callgrind_output_file,
- })
- }
-}
-
-/// A running subprocess for one of the sides of the benchmark (client or server)
-struct BenchSubprocess {
- /// The benchmark's child process, running under callgrind
- process: Child,
- /// Callgrind's output file for this benchmark
- callgrind_output_file: PathBuf,
-}
-
-impl BenchSubprocess {
- /// Waits for the process to finish and returns the measured instruction count
- fn wait_and_get_instr_count(mut self) -> anyhow::Result {
- let status = self
- .process
- .wait()
- .context("Failed to run benchmark in callgrind")?;
- if !status.success() {
- anyhow::bail!(
- "Failed to run benchmark in callgrind. Exit code: {:?}",
- status.code()
- );
- }
-
- let instruction_count = parse_callgrind_output(&self.callgrind_output_file)?;
- Ok(instruction_count)
- }
-}
-
-/// Returns the instruction count, extracted from the callgrind output file at the provided path
-fn parse_callgrind_output(file: &Path) -> anyhow::Result {
- let file_in = File::open(file).context("Unable to open callgrind output file")?;
-
- for line in BufReader::new(file_in).lines() {
- let line = line.context("Error reading callgrind output file")?;
- if let Some(line) = line.strip_prefix("summary: ") {
- let instr_count = line
- .trim()
- .parse()
- .context("Unable to parse instruction counts from callgrind output file")?;
-
- return Ok(instr_count);
- }
- }
-
- anyhow::bail!("`summary` section not found in callgrind output file")
-}
-
-/// The instruction counts, for each side, after running a benchmark
-#[derive(Copy, Clone)]
-pub struct InstructionCounts {
- pub client: u64,
- pub server: u64,
-}
-
-impl Sub for InstructionCounts {
- type Output = InstructionCounts;
-
- fn sub(self, rhs: Self) -> Self::Output {
- InstructionCounts {
- client: self.client - rhs.client,
- server: self.server - rhs.server,
- }
- }
-}
-
-/// Returns the detailed instruction diff between the baseline and the candidate
-pub fn diff(baseline: &Path, candidate: &Path, scenario: &str) -> anyhow::Result {
- // callgrind_annotate formats the callgrind output file, suitable for comparison with
- // callgrind_differ
- let callgrind_annotate_base = Command::new("callgrind_annotate")
- .arg(
- baseline
- .join(CALLGRIND_OUTPUT_SUBDIR)
- .join(scenario),
- )
- // do not annotate source, to keep output compact
- .arg("--auto=no")
- .output()
- .context("error waiting for callgrind_annotate to finish")?;
-
- let callgrind_annotate_candidate = Command::new("callgrind_annotate")
- .arg(
- candidate
- .join(CALLGRIND_OUTPUT_SUBDIR)
- .join(scenario),
- )
- // do not annotate source, to keep output compact
- .arg("--auto=no")
- .output()
- .context("error waiting for callgrind_annotate to finish")?;
-
- if !callgrind_annotate_base.status.success() {
- anyhow::bail!(
- "callgrind_annotate for base finished with an error (code = {:?})",
- callgrind_annotate_base.status.code()
- )
- }
-
- if !callgrind_annotate_candidate
- .status
- .success()
- {
- anyhow::bail!(
- "callgrind_annotate for candidate finished with an error (code = {:?})",
- callgrind_annotate_candidate
- .status
- .code()
- )
- }
-
- let string_base = String::from_utf8(callgrind_annotate_base.stdout)
- .context("callgrind_annotate produced invalid UTF8")?;
- let string_candidate = String::from_utf8(callgrind_annotate_candidate.stdout)
- .context("callgrind_annotate produced invalid UTF8")?;
-
- // TODO: reinstate actual diffing, using `callgrind_differ` crate
- Ok(format!(
- "Base output:\n{string_base}\n\
- =====\n\n\
- Candidate output:\n{string_candidate}\n"
- ))
-}
-
-/// A RAII-like object for enabling callgrind instruction counting.
-///
-/// Warning: must not be nested.
-///
-/// Instructions outside the scope of these objects are not counted.
-pub(crate) struct CountInstructions;
-
-impl CountInstructions {
- pub(crate) fn start() -> Self {
- #[cfg(target_os = "linux")]
- crabgrind::callgrind::toggle_collect();
- CountInstructions
- }
-}
-
-impl Drop for CountInstructions {
- fn drop(&mut self) {
- #[cfg(target_os = "linux")]
- crabgrind::callgrind::toggle_collect();
- }
-}
diff --git a/ci-bench/src/main.rs b/ci-bench/src/main.rs
index fd27a77cdbe..7f21f231a44 100644
--- a/ci-bench/src/main.rs
+++ b/ci-bench/src/main.rs
@@ -1,8 +1,8 @@
-use std::collections::HashMap;
+use core::hint::black_box;
+use core::mem;
+use std::collections::{BTreeMap, BTreeSet, HashMap};
use std::fs::File;
-use std::hint::black_box;
use std::io::{self, BufRead, BufReader, Write};
-use std::mem;
use std::os::fd::{AsRawFd, FromRawFd};
use std::path::{Path, PathBuf};
use std::sync::Arc;
@@ -11,35 +11,34 @@ use std::time::Instant;
use anyhow::Context;
use async_trait::async_trait;
use clap::{Parser, Subcommand, ValueEnum};
-use fxhash::FxHashMap;
use itertools::Itertools;
use rayon::iter::Either;
use rayon::prelude::*;
+use rustc_hash::FxHashMap;
use rustls::client::Resumption;
-use rustls::crypto::{aws_lc_rs, ring, CryptoProvider, GetRandomFailed, SecureRandom};
-use rustls::pki_types::pem::PemObject;
-use rustls::pki_types::CertificateDer;
+use rustls::crypto::{CipherSuite, CryptoProvider, GetRandomFailed, SecureRandom, TicketProducer};
+use rustls::enums::ProtocolVersion;
use rustls::server::{NoServerSessionStorage, ServerSessionMemoryCache, WebPkiClientVerifier};
use rustls::{
- CipherSuite, ClientConfig, ClientConnection, HandshakeKind, ProtocolVersion, RootCertStore,
- ServerConfig, ServerConnection,
+ ClientConfig, ClientConnection, Connection, HandshakeKind, RootCertStore, ServerConfig,
+ ServerConnection,
};
+use rustls_test::KeyType;
use crate::benchmark::{
- get_reported_instr_count, validate_benchmarks, Benchmark, BenchmarkKind, BenchmarkParams,
- ResumptionKind,
+ AuthKeySource, Benchmark, BenchmarkKind, BenchmarkParams, ResumptionKind,
+ get_reported_instr_count,
};
-use crate::callgrind::{CallgrindRunner, CountInstructions};
use crate::util::async_io::{self, AsyncRead, AsyncWrite};
use crate::util::transport::{
read_handshake_message, read_plaintext_to_end_bounded, send_handshake_message,
write_all_plaintext_bounded,
};
-use crate::util::KeyType;
+use crate::valgrind::{CallgrindRunner, CountInstructions, DhatRunner, MemoryDetails};
mod benchmark;
-mod callgrind;
mod util;
+mod valgrind;
/// The size in bytes of the plaintext sent in the transfer benchmark
const TRANSFER_PLAINTEXT_SIZE: usize = 1024 * 1024 * 10; // 10 MB
@@ -61,6 +60,9 @@ const RESUMED_HANDSHAKE_RUNS: usize = 30;
/// The name of the file where the instruction counts are stored after a `run-all` run
const ICOUNTS_FILENAME: &str = "icounts.csv";
+/// The name of the file where the memory data are stored after a `run-all` run
+const MEMORY_FILENAME: &str = "memory.csv";
+
/// Default size in bytes for internal buffers (256 KB)
const DEFAULT_BUFFER_SIZE: usize = 262144;
@@ -78,20 +80,59 @@ pub enum Command {
#[arg(short, long, default_value = "target/ci-bench")]
output_dir: PathBuf,
},
- /// Run a single benchmark at the provided index (used by the bench runner to start each benchmark in its own process)
- RunSingle { index: u32, side: Side },
+ /// Run a named benchmark and print the measured CPU instruction counts in CSV format
+ RunSingle {
+ /// The name of the benchmark.
+ bench: String,
+ #[arg(short, long, default_value = "target/ci-bench")]
+ output_dir: PathBuf,
+ },
+ /// Run a single benchmark at the provided name (used by the bench runner to start each benchmark in its own process)
+ RunPipe {
+ name: String,
+ side: Side,
+ measurement_mode: Mode,
+ },
/// Run all benchmarks in walltime mode and print the measured timings in CSV format
Walltime {
#[arg(short, long)]
iterations_per_scenario: usize,
},
- /// Compare the results from two previous benchmark runs and print a user-friendly markdown overview
+ /// Compare the icount results from two previous benchmark runs and print a user-friendly markdown overview
Compare {
/// Path to the directory with the results of a previous `run-all` execution
baseline_dir: PathBuf,
/// Path to the directory with the results of a previous `run-all` execution
candidate_dir: PathBuf,
},
+ /// Compare the memory results from two previous benchmark runs and print a user-friendly markdown overview
+ CompareMemory {
+ comparator: CompareMemoryOperand,
+ /// Path to the directory with the results of a previous `run-all` execution
+ baseline_dir: PathBuf,
+ /// Path to the directory with the results of a previous `run-all` execution
+ candidate_dir: PathBuf,
+ },
+}
+
+#[derive(Copy, Clone, Debug, Default, ValueEnum)]
+pub enum CompareMemoryOperand {
+ #[default]
+ TotalBytes,
+ TotalBlocks,
+ PeakBytes,
+ PeakBlocks,
+}
+
+impl CompareMemoryOperand {
+ fn choose(&self, memory: MemoryDetails) -> u64 {
+ match self {
+ Self::TotalBytes => memory.heap_total_bytes,
+ Self::TotalBlocks => memory.heap_total_blocks,
+ Self::PeakBytes => memory.heap_peak_bytes,
+ Self::PeakBlocks => memory.heap_peak_blocks,
+ }
+ }
}
#[derive(Copy, Clone, ValueEnum)]
@@ -100,12 +141,18 @@ pub enum Side {
Client,
}
+#[derive(Copy, Clone, ValueEnum)]
+pub enum Mode {
+ Instruction,
+ Memory,
+}
+
impl Side {
/// Returns the string representation of the side
pub fn as_str(self) -> &'static str {
match self {
- Side::Client => "client",
- Side::Server => "server",
+ Self::Client => "client",
+ Self::Server => "server",
}
}
}
@@ -117,25 +164,40 @@ fn main() -> anyhow::Result<()> {
match cli.command {
Command::RunAll { output_dir } => {
let executable = std::env::args().next().unwrap();
- let results = run_all(executable, output_dir.clone(), &benchmarks)?;
-
- // Output results in CSV (note: not using a library here to avoid extra dependencies)
- let mut csv_file = File::create(output_dir.join(ICOUNTS_FILENAME))
- .context("cannot create output csv file")?;
- for (name, instr_count) in results {
- writeln!(csv_file, "{name},{instr_count}")?;
- }
+ let results = run_all(
+ executable,
+ output_dir.clone(),
+ &benchmarks.iter().collect::>(),
+ )?;
+ output_csv(results, output_dir)?;
}
- Command::RunSingle { index, side } => {
- // `u32::MAX` is used as a signal to do nothing and return. By "running" an empty
- // benchmark we can measure the startup overhead.
- if index == u32::MAX {
- return Ok(());
- }
+ Command::RunSingle { bench, output_dir } => {
+ let executable = std::env::args().next().unwrap();
+ let Some(benchmark) = benchmarks.get(bench.as_str()) else {
+ let mut output = String::new();
+ for bench in all_benchmarks()? {
+ output.push_str(&format!(" - {:?}\n", bench.name()));
+ }
+ return Err(anyhow::anyhow!(
+ "Benchmark {bench:?} not found\n\nAvailable are:\n{output}"
+ ));
+ };
+ let results = run_all(executable, output_dir.clone(), &[benchmark])?;
+ output_csv(results, output_dir)?;
+ }
+ Command::RunPipe {
+ name,
+ side,
+ measurement_mode,
+ } => {
let bench = benchmarks
- .get(index as usize)
- .ok_or(anyhow::anyhow!("Benchmark not found: {index}"))?;
+ .get(name.as_str())
+ .ok_or_else(|| anyhow::anyhow!("Benchmark not found: {name}"))?;
+
+ if let Some(warm_up) = bench.params.warm_up {
+ warm_up();
+ }
let stdin_lock = io::stdin().lock();
let stdout_lock = io::stdout().lock();
@@ -151,6 +213,13 @@ fn main() -> anyhow::Result<()> {
let mut stdin = unsafe { File::from_raw_fd(stdin_lock.as_raw_fd()) };
let mut stdout = unsafe { File::from_raw_fd(stdout_lock.as_raw_fd()) };
+ // When measuring instructions, we do multiple resumed handshakes, for
+ // reasons explained in the comments to `RESUMED_HANDSHAKE_RUNS`.
+ let resumed_reps = match measurement_mode {
+ Mode::Instruction => RESUMED_HANDSHAKE_RUNS,
+ _ => 1,
+ };
+
let handshake_buf = &mut [0u8; DEFAULT_BUFFER_SIZE];
let resumption_kind = bench.kind.resumption_kind();
let io = StepperIo {
@@ -170,6 +239,7 @@ fn main() -> anyhow::Result<()> {
),
},
bench.kind,
+ resumed_reps,
)
.await
}
@@ -184,6 +254,7 @@ fn main() -> anyhow::Result<()> {
),
},
bench.kind,
+ resumed_reps,
)
.await
}
@@ -198,9 +269,9 @@ fn main() -> anyhow::Result<()> {
Command::Walltime {
iterations_per_scenario,
} => {
- let mut timings = vec![Vec::with_capacity(iterations_per_scenario); benchmarks.len()];
+ let mut timings = BTreeMap::new();
for _ in 0..iterations_per_scenario {
- for (i, bench) in benchmarks.iter().enumerate() {
+ for bench in &benchmarks {
let start = Instant::now();
// The variables below are used to initialize the client and server configs. We
@@ -227,6 +298,7 @@ fn main() -> anyhow::Result<()> {
config: ServerSideStepper::make_config(params, resumption_kind),
},
bench.kind,
+ RESUMED_HANDSHAKE_RUNS,
)
.await
};
@@ -244,6 +316,7 @@ fn main() -> anyhow::Result<()> {
config: ClientSideStepper::make_config(params, resumption_kind),
},
bench.kind,
+ RESUMED_HANDSHAKE_RUNS,
)
.await
};
@@ -255,13 +328,16 @@ fn main() -> anyhow::Result<()> {
server_result
.with_context(|| format!("server side of {} crashed", bench.name()))?;
- timings[i].push(start.elapsed());
+ timings
+ .entry(bench.name().to_string())
+ .or_insert_with(|| Vec::with_capacity(iterations_per_scenario))
+ .push(start.elapsed());
}
}
// Output the results
- for (i, bench_timings) in timings.into_iter().enumerate() {
- print!("{}", benchmarks[i].name());
+ for (name, bench_timings) in timings.into_iter() {
+ print!("{}", name);
for timing in bench_timings {
print!(",{}", timing.as_nanos())
}
@@ -272,24 +348,61 @@ fn main() -> anyhow::Result<()> {
baseline_dir,
candidate_dir,
} => {
- let baseline = read_results(&baseline_dir.join(ICOUNTS_FILENAME))?;
- let candidate = read_results(&candidate_dir.join(ICOUNTS_FILENAME))?;
- let result = compare_results(&baseline_dir, &candidate_dir, &baseline, &candidate)?;
- print_report(&result);
+ let baseline = read_icount_results(&baseline_dir.join(ICOUNTS_FILENAME))?;
+ let candidate = read_icount_results(&candidate_dir.join(ICOUNTS_FILENAME))?;
+ let result =
+ compare_icount_results(&baseline_dir, &candidate_dir, &baseline, &candidate)?;
+ print_icount_report(&result);
+ }
+ Command::CompareMemory {
+ comparator,
+ baseline_dir,
+ candidate_dir,
+ } => {
+ let baseline = read_memory_results(&baseline_dir.join(MEMORY_FILENAME))?;
+ let candidate = read_memory_results(&candidate_dir.join(MEMORY_FILENAME))?;
+
+ print_memory_report(&compare_memory_results(&baseline, &candidate, comparator)?);
}
}
Ok(())
}
+fn output_csv(
+ results: Vec<(String, CombinedMeasurement)>,
+ output_dir: PathBuf,
+) -> anyhow::Result<()> {
+ // Output results in CSV (note: not using a library here to avoid extra dependencies)
+ let mut csv_file =
+ File::create(output_dir.join(ICOUNTS_FILENAME)).context("cannot create output csv file")?;
+ for (name, combined) in &results {
+ writeln!(csv_file, "{name},{}", combined.instructions)?;
+ }
+
+ let mut csv_file =
+ File::create(output_dir.join(MEMORY_FILENAME)).context("cannot create output csv file")?;
+ for (name, combined) in results {
+ writeln!(
+ csv_file,
+ "{name},{},{},{},{}",
+ combined.memory.heap_total_bytes,
+ combined.memory.heap_total_blocks,
+ combined.memory.heap_peak_bytes,
+ combined.memory.heap_peak_blocks,
+ )?;
+ }
+
+ Ok(())
+}
+
/// Returns all benchmarks
-fn all_benchmarks() -> anyhow::Result> {
- let mut benchmarks = Vec::new();
+fn all_benchmarks() -> anyhow::Result> {
+ let mut benchmarks = BTreeSet::new();
for param in all_benchmarks_params() {
add_benchmark_group(&mut benchmarks, param);
}
- validate_benchmarks(&benchmarks)?;
Ok(benchmarks)
}
@@ -297,93 +410,113 @@ fn all_benchmarks() -> anyhow::Result> {
fn all_benchmarks_params() -> Vec {
let mut all = Vec::new();
- for (provider, suites, ticketer, provider_name) in [
+ for (provider, ticketer, provider_name, warm_up) in [
(
- derandomize(ring::default_provider()),
- ring::ALL_CIPHER_SUITES,
- &(ring_ticketer as fn() -> Arc),
+ derandomize(rustls_ring::DEFAULT_PROVIDER),
+ &(ring_ticketer as fn() -> Arc),
"ring",
+ None,
),
(
- derandomize(aws_lc_rs::default_provider()),
- aws_lc_rs::ALL_CIPHER_SUITES,
- &(aws_lc_rs_ticketer as fn() -> Arc),
+ derandomize(rustls_aws_lc_rs::DEFAULT_PROVIDER),
+ &(aws_lc_rs_ticketer as fn() -> Arc),
"aws_lc_rs",
+ Some(warm_up_aws_lc_rs as fn()),
),
] {
- for (key_type, suite_name, version, name) in [
+ for (key_type, suite_name, name) in [
(
KeyType::Rsa2048,
CipherSuite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- &rustls::version::TLS12,
"1.2_rsa_aes",
),
(
KeyType::Rsa2048,
CipherSuite::TLS13_AES_128_GCM_SHA256,
- &rustls::version::TLS13,
"1.3_rsa_aes",
),
(
KeyType::EcdsaP256,
CipherSuite::TLS13_AES_128_GCM_SHA256,
- &rustls::version::TLS13,
"1.3_ecdsap256_aes",
),
(
KeyType::EcdsaP384,
CipherSuite::TLS13_AES_128_GCM_SHA256,
- &rustls::version::TLS13,
"1.3_ecdsap384_aes",
),
(
KeyType::Rsa2048,
CipherSuite::TLS13_CHACHA20_POLY1305_SHA256,
- &rustls::version::TLS13,
"1.3_rsa_chacha",
),
(
KeyType::EcdsaP256,
CipherSuite::TLS13_CHACHA20_POLY1305_SHA256,
- &rustls::version::TLS13,
"1.3_ecdsap256_chacha",
),
(
KeyType::EcdsaP384,
CipherSuite::TLS13_CHACHA20_POLY1305_SHA256,
- &rustls::version::TLS13,
"1.3_ecdsap384_chacha",
),
] {
all.push(BenchmarkParams::new(
- provider.clone(),
+ select_suite(provider.clone(), suite_name),
ticketer,
- key_type,
- find_suite(suites, suite_name),
- version,
+ AuthKeySource::KeyType(key_type),
format!("{provider_name}_{name}"),
+ warm_up,
));
}
}
+ let make_ticketer =
+ &((|| Arc::new(rustls_fuzzing_provider::Ticketer)) as fn() -> Arc);
+
+ all.push(BenchmarkParams::new(
+ rustls_fuzzing_provider::PROVIDER_TLS13.into(),
+ make_ticketer,
+ AuthKeySource::FuzzingProvider,
+ "1.3_no_crypto".to_string(),
+ None,
+ ));
+
+ all.push(BenchmarkParams::new(
+ rustls_fuzzing_provider::PROVIDER_TLS12.into(),
+ make_ticketer,
+ AuthKeySource::FuzzingProvider,
+ "1.2_no_crypto".to_string(),
+ None,
+ ));
+
all
}
-fn find_suite(
- all: &[rustls::SupportedCipherSuite],
- name: CipherSuite,
-) -> rustls::SupportedCipherSuite {
- *all.iter()
- .find(|suite| suite.suite() == name)
- .unwrap_or_else(|| panic!("cannot find cipher suite {name:?}"))
+fn ring_ticketer() -> Arc {
+ rustls_ring::DEFAULT_PROVIDER
+ .ticketer_factory
+ .ticketer()
+ .unwrap()
}
-fn ring_ticketer() -> Arc {
- ring::Ticketer::new().unwrap()
+fn aws_lc_rs_ticketer() -> Arc {
+ rustls_aws_lc_rs::DEFAULT_PROVIDER
+ .ticketer_factory
+ .ticketer()
+ .unwrap()
}
-fn aws_lc_rs_ticketer() -> Arc {
- aws_lc_rs::Ticketer::new().unwrap()
+fn select_suite(mut provider: CryptoProvider, name: CipherSuite) -> Arc {
+ provider
+ .tls12_cipher_suites
+ .to_mut()
+ .retain(|suite| suite.common.suite == name);
+ provider
+ .tls13_cipher_suites
+ .to_mut()
+ .retain(|suite| suite.common.suite == name);
+ provider.into()
}
fn derandomize(base: CryptoProvider) -> CryptoProvider {
@@ -393,6 +526,16 @@ fn derandomize(base: CryptoProvider) -> CryptoProvider {
}
}
+fn warm_up_aws_lc_rs() {
+ // "Warm up" provider's actual entropy source. aws-lc-rs particularly
+ // has an expensive process here, which is one-time (per calling thread)
+ // so not useful to include in benchmark measurements.
+ rustls_aws_lc_rs::DEFAULT_PROVIDER
+ .secure_random
+ .fill(&mut [0u8])
+ .unwrap();
+}
+
#[derive(Debug)]
struct NotRandom;
@@ -411,7 +554,7 @@ impl SecureRandom for NotRandom {
/// - Handshake with session id resumption
/// - Handshake with ticket resumption
/// - Transfer a 1MB data stream from the server to the client
-fn add_benchmark_group(benchmarks: &mut Vec, params: BenchmarkParams) {
+fn add_benchmark_group(benchmarks: &mut BTreeSet, params: BenchmarkParams) {
let params_label = params.label.clone();
// Create handshake benchmarks for all resumption kinds
@@ -422,34 +565,48 @@ fn add_benchmark_group(benchmarks: &mut Vec, params: BenchmarkParams)
params.clone(),
);
- benchmarks.push(handshake_bench);
+ assert!(benchmarks.insert(handshake_bench), "duplicate benchmark");
}
// Benchmark data transfer
- benchmarks.push(Benchmark::new(
- format!("transfer_no_resume_{params_label}"),
- BenchmarkKind::Transfer,
- params.clone(),
- ));
+ assert!(
+ benchmarks.insert(Benchmark::new(
+ format!("transfer_no_resume_{params_label}"),
+ BenchmarkKind::Transfer,
+ params
+ )),
+ "duplicate benchmark"
+ );
}
/// Run all the provided benches under callgrind to retrieve their instruction count
-pub fn run_all(
+fn run_all(
executable: String,
output_dir: PathBuf,
- benches: &[Benchmark],
-) -> anyhow::Result> {
+ benches: &[&Benchmark],
+) -> anyhow::Result> {
+ for bench in benches {
+ if let Some(warm_up) = bench.params.warm_up {
+ warm_up();
+ }
+ }
+
// Run the benchmarks in parallel
- let runner = CallgrindRunner::new(executable, output_dir)?;
- let results: Vec<_> = benches
+ let cg_runner = CallgrindRunner::new(executable.clone(), output_dir.clone())?;
+ let cg_results: Vec<_> = benches
+ .par_iter()
+ .map(|bench| (bench, cg_runner.run_bench(bench)))
+ .collect();
+
+ let dh_runner = DhatRunner::new(executable, output_dir)?;
+ let dh_results: Vec<_> = benches
.par_iter()
- .enumerate()
- .map(|(i, bench)| (bench, runner.run_bench(i as u32, bench)))
+ .map(|bench| (bench, dh_runner.run_bench(bench)))
.collect();
// Report possible errors
- let (errors, results): (Vec<_>, FxHashMap<_, _>) =
- results
+ let (errors, cg_results): (Vec<_>, FxHashMap<_, _>) =
+ cg_results
.into_iter()
.partition_map(|(bench, result)| match result {
Err(_) => Either::Left(()),
@@ -461,18 +618,49 @@ pub fn run_all(
// crashing
anyhow::bail!("One or more benchmarks crashed");
}
+ let (errors, dh_results): (Vec<_>, FxHashMap<_, _>) =
+ dh_results
+ .into_iter()
+ .partition_map(|(bench, result)| match result {
+ Err(_) => Either::Left(()),
+ Ok(heap_profile) => Either::Right((bench.name(), heap_profile)),
+ });
+ if !errors.is_empty() {
+ // Note: there is no need to explicitly report the names of each crashed benchmark, because
+ // names and other details are automatically printed to stderr by the child process upon
+ // crashing
+ anyhow::bail!("One or more benchmarks crashed");
+ }
// Gather results keeping the original order of the benchmarks
let mut measurements = Vec::new();
for bench in benches {
- let instr_counts = get_reported_instr_count(bench, &results);
- measurements.push((bench.name_with_side(Side::Server), instr_counts.server));
- measurements.push((bench.name_with_side(Side::Client), instr_counts.client));
+ let instr_counts = get_reported_instr_count(bench, &cg_results);
+ let memory = &dh_results[bench.name()];
+ measurements.push((
+ bench.name_with_side(Side::Server),
+ CombinedMeasurement {
+ instructions: instr_counts.server,
+ memory: memory.server,
+ },
+ ));
+ measurements.push((
+ bench.name_with_side(Side::Client),
+ CombinedMeasurement {
+ instructions: instr_counts.client,
+ memory: memory.client,
+ },
+ ));
}
Ok(measurements)
}
+pub struct CombinedMeasurement {
+ instructions: u64,
+ memory: MemoryDetails,
+}
+
/// Drives the different steps in a benchmark.
///
/// See [`run_bench`] for specific details on how it is used.
@@ -502,25 +690,26 @@ struct ClientSideStepper<'a> {
impl ClientSideStepper<'_> {
fn make_config(params: &BenchmarkParams, resume: ResumptionKind) -> Arc {
- assert_eq!(params.ciphersuite.version(), params.version);
- let mut root_store = RootCertStore::empty();
- root_store.add_parsable_certificates(
- CertificateDer::pem_file_iter(params.key_type.path_for("ca.cert"))
- .unwrap()
- .map(|result| result.unwrap()),
- );
-
- let mut cfg = ClientConfig::builder_with_provider(
- CryptoProvider {
- cipher_suites: vec![params.ciphersuite],
- ..params.provider.clone()
+ let cfg = ClientConfig::builder(params.provider.clone());
+
+ let mut cfg = match params.auth_key {
+ AuthKeySource::KeyType(key_type) => {
+ let mut root_store = RootCertStore::empty();
+ root_store
+ .add(key_type.ca_cert())
+ .unwrap();
+
+ cfg.with_root_certificates(root_store)
+ .with_no_client_auth()
+ .unwrap()
}
- .into(),
- )
- .with_protocol_versions(&[params.version])
- .unwrap()
- .with_root_certificates(root_store)
- .with_no_client_auth();
+
+ AuthKeySource::FuzzingProvider => cfg
+ .dangerous()
+ .with_custom_certificate_verifier(rustls_fuzzing_provider::server_verifier())
+ .with_no_client_auth()
+ .unwrap(),
+ };
if resume != ResumptionKind::No {
cfg.resumption = Resumption::in_memory_sessions(128);
@@ -538,7 +727,11 @@ impl BenchStepper for ClientSideStepper<'_> {
async fn handshake(&mut self) -> anyhow::Result {
let server_name = "localhost".try_into().unwrap();
- let mut client = ClientConnection::new(self.config.clone(), server_name).unwrap();
+ let mut client = self
+ .config
+ .connect(server_name)
+ .build()
+ .unwrap();
client.set_buffer_limit(None);
loop {
@@ -588,19 +781,24 @@ struct ServerSideStepper<'a> {
impl ServerSideStepper<'_> {
fn make_config(params: &BenchmarkParams, resume: ResumptionKind) -> Arc {
- assert_eq!(params.ciphersuite.version(), params.version);
-
- let mut cfg = ServerConfig::builder_with_provider(params.provider.clone().into())
- .with_protocol_versions(&[params.version])
- .unwrap()
- .with_client_cert_verifier(WebPkiClientVerifier::no_client_auth())
- .with_single_cert(params.key_type.get_chain(), params.key_type.get_key())
- .expect("bad certs/private key?");
+ let cfg = ServerConfig::builder(params.provider.clone());
+
+ let mut cfg = match params.auth_key {
+ AuthKeySource::KeyType(key_type) => cfg
+ .with_client_cert_verifier(WebPkiClientVerifier::no_client_auth())
+ .with_single_cert(key_type.identity(), key_type.key())
+ .expect("bad certs/private key?"),
+
+ AuthKeySource::FuzzingProvider => cfg
+ .with_client_cert_verifier(WebPkiClientVerifier::no_client_auth())
+ .with_server_credential_resolver(rustls_fuzzing_provider::server_cert_resolver())
+ .unwrap(),
+ };
if resume == ResumptionKind::SessionId {
cfg.session_storage = ServerSessionMemoryCache::new(128);
} else if resume == ResumptionKind::Tickets {
- cfg.ticketer = (params.ticketer)();
+ cfg.ticketer = Some((params.ticketer)());
} else {
cfg.session_storage = Arc::new(NoServerSessionStorage {});
}
@@ -643,7 +841,11 @@ impl BenchStepper for ServerSideStepper<'_> {
}
/// Runs the benchmark using the provided stepper
-async fn run_bench(mut stepper: T, kind: BenchmarkKind) -> anyhow::Result<()> {
+async fn run_bench(
+ mut stepper: T,
+ kind: BenchmarkKind,
+ resumed_reps: usize,
+) -> anyhow::Result<()> {
match kind {
BenchmarkKind::Handshake(ResumptionKind::No) => {
// Just count instructions for one handshake.
@@ -655,10 +857,8 @@ async fn run_bench(mut stepper: T, kind: BenchmarkKind) -> anyh
// session ID / ticket. This is not measured.
stepper.handshake().await?;
- // From now on we can perform resumed handshakes. We do it multiple
- // times, for reasons explained in the comments to `RESUMED_HANDSHAKE_RUNS`.
let _count = CountInstructions::start();
- for _ in 0..RESUMED_HANDSHAKE_RUNS {
+ for _ in 0..resumed_reps {
// Wait for the endpoints to sync (i.e. the server must have discarded the previous
// connection and be ready for a new handshake, otherwise the client will start a
// handshake before the server is ready and the bytes will be fed to the old
@@ -693,6 +893,13 @@ struct CompareResult {
missing_in_baseline: Vec,
}
+/// The results of a comparison between two `run-all` executions
+struct MemoryCompareResult {
+ diffs: Vec,
+ /// Benchmark scenarios present in the candidate but missing in the baseline
+ missing_in_baseline: Vec,
+}
+
/// Contains information about instruction counts and their difference for a specific scenario
#[derive(Clone)]
struct Diff {
@@ -703,8 +910,19 @@ struct Diff {
diff_ratio: f64,
}
+/// Contains information about memory usage and a difference for a specific scenario & comparator
+#[derive(Clone)]
+struct MemoryDiff {
+ scenario: String,
+ baseline: MemoryDetails,
+ candidate: MemoryDetails,
+ comparator: CompareMemoryOperand,
+ diff: i64,
+ diff_ratio: f64,
+}
+
/// Reads the (benchmark, instruction count) pairs from previous CSV output
-fn read_results(path: &Path) -> anyhow::Result> {
+fn read_icount_results(path: &Path) -> anyhow::Result> {
let file = File::open(path).context(format!(
"CSV file for comparison not found: {}",
path.display()
@@ -718,11 +936,11 @@ fn read_results(path: &Path) -> anyhow::Result> {
measurements.insert(
parts
.next()
- .ok_or(anyhow::anyhow!("CSV is wrongly formatted"))?
+ .ok_or_else(|| anyhow::anyhow!("CSV is wrongly formatted"))?
.to_string(),
parts
.next()
- .ok_or(anyhow::anyhow!("CSV is wrongly formatted"))?
+ .ok_or_else(|| anyhow::anyhow!("CSV is wrongly formatted"))?
.parse()
.context("Unable to parse instruction count from CSV")?,
);
@@ -731,9 +949,54 @@ fn read_results(path: &Path) -> anyhow::Result> {
Ok(measurements)
}
+/// Reads the (benchmark, instruction count) pairs from previous CSV output
+fn read_memory_results(path: &Path) -> anyhow::Result> {
+ let file = File::open(path).context(format!(
+ "CSV file for comparison not found: {}",
+ path.display()
+ ))?;
+
+ let mut measurements = HashMap::new();
+ for line in BufReader::new(file).lines() {
+ let line = line.context("Unable to read results from CSV file")?;
+ let line = line.trim();
+ let mut parts = line.split(',');
+ measurements.insert(
+ parts
+ .next()
+ .ok_or_else(|| anyhow::anyhow!("CSV is wrongly formatted"))?
+ .to_string(),
+ MemoryDetails {
+ heap_total_bytes: parts
+ .next()
+ .ok_or_else(|| anyhow::anyhow!("CSV is wrongly formatted"))?
+ .parse()
+ .context("Unable to parse heap total bytes from CSV")?,
+ heap_total_blocks: parts
+ .next()
+ .ok_or_else(|| anyhow::anyhow!("CSV is wrongly formatted"))?
+ .parse()
+ .context("Unable to parse heap total blocks from CSV")?,
+ heap_peak_bytes: parts
+ .next()
+ .ok_or_else(|| anyhow::anyhow!("CSV is wrongly formatted"))?
+ .parse()
+ .context("Unable to parse heap peak bytes from CSV")?,
+ heap_peak_blocks: parts
+ .next()
+ .ok_or_else(|| anyhow::anyhow!("CSV is wrongly formatted"))?
+ .parse()
+ .context("Unable to parse heap peak blocks from CSV")?,
+ },
+ );
+ }
+
+ Ok(measurements)
+}
+
/// Returns an internal representation of the comparison between the baseline and the candidate
/// measurements
-fn compare_results(
+fn compare_icount_results(
baseline_dir: &Path,
candidate_dir: &Path,
baseline: &HashMap,
@@ -770,7 +1033,7 @@ fn compare_results(
let mut diffs_with_callgrind_diff = Vec::new();
for diff in diffs {
- let detailed_diff = callgrind::diff(baseline_dir, candidate_dir, &diff.scenario)?;
+ let detailed_diff = valgrind::callgrind_diff(baseline_dir, candidate_dir, &diff.scenario)?;
diffs_with_callgrind_diff.push((diff, detailed_diff));
}
@@ -780,14 +1043,62 @@ fn compare_results(
})
}
+/// Returns an internal representation of the comparison between the baseline and the candidate
+/// measurements
+fn compare_memory_results(
+ baseline: &HashMap,
+ candidate: &HashMap,
+ comparator: CompareMemoryOperand,
+) -> anyhow::Result {
+ let mut diffs = Vec::new();
+ let mut missing = Vec::new();
+
+ for (scenario, &candidate_memory) in candidate {
+ let Some(&baseline_memory) = baseline.get(scenario) else {
+ missing.push(scenario.clone());
+ continue;
+ };
+
+ let candidate_count = comparator.choose(candidate_memory);
+ let baseline_count = comparator.choose(baseline_memory);
+
+ let diff = candidate_count as i64 - baseline_count as i64;
+ let diff_ratio = diff as f64 / baseline_count as f64;
+ let diff = MemoryDiff {
+ scenario: scenario.clone(),
+ baseline: baseline_memory,
+ candidate: candidate_memory,
+ comparator,
+ diff,
+ diff_ratio,
+ };
+
+ diffs.push(diff);
+ }
+
+ diffs.sort_by(|diff1, diff2| {
+ diff2
+ .diff_ratio
+ .abs()
+ .total_cmp(&diff1.diff_ratio.abs())
+ });
+
+ Ok(MemoryCompareResult {
+ diffs,
+ missing_in_baseline: missing,
+ })
+}
+
/// Prints a report of the comparison to stdout, using GitHub-flavored markdown
-fn print_report(result: &CompareResult) {
+fn print_icount_report(result: &CompareResult) {
println!("# Benchmark results");
if !result.missing_in_baseline.is_empty() {
println!("### âš ï¸ Warning: missing benchmarks");
println!();
- println!("The following benchmark scenarios are present in the candidate but not in the baseline:");
+ println!(
+ "The following benchmark scenarios are present in the candidate but not in the baseline:"
+ );
println!();
for scenario in &result.missing_in_baseline {
println!("* {scenario}");
@@ -817,6 +1128,29 @@ fn print_report(result: &CompareResult) {
}
}
+fn print_memory_report(result: &MemoryCompareResult) {
+ println!("# Memory measurement results");
+
+ if !result.missing_in_baseline.is_empty() {
+ println!("### âš ï¸ Warning: missing benchmarks");
+ println!();
+ println!(
+ "The following benchmark scenarios are present in the candidate but not in the baseline:"
+ );
+ println!();
+ for scenario in &result.missing_in_baseline {
+ println!("* {scenario}");
+ }
+ }
+
+ println!("## Memory measurement differences");
+ if result.diffs.is_empty() {
+ println!("_There are no memory measurement differences_");
+ } else {
+ memory_table(&result.diffs, true);
+ }
+}
+
/// Renders the diffs as a markdown table
fn table<'a>(diffs: impl Iterator- , emoji_feedback: bool) {
println!("| Scenario | Baseline | Candidate | Diff |");
@@ -840,6 +1174,32 @@ fn table<'a>(diffs: impl Iterator
- , emoji_feedback: bool) {
}
}
-#[cfg(not(target_env = "msvc"))]
-#[global_allocator]
-static GLOBAL: tikv_jemallocator::Jemalloc = tikv_jemallocator::Jemalloc;
+/// Renders the diffs as a markdown table
+fn memory_table(diffs: &[MemoryDiff], emoji_feedback: bool) {
+ println!("| Scenario | Baseline | Candidate | Diff |");
+ println!("| --- | ---: | ---: | ---: |");
+ for diff in diffs {
+ let emoji = match emoji_feedback {
+ true if diff.diff_ratio > 0.01 => "âš ï¸ ",
+ true if diff.diff_ratio < -0.01 => "✅ ",
+ _ => "",
+ };
+
+ println!(
+ "| {} | Total {}B / {}#
Peak {}B / {}# | Total {}B / {}#
Peak {}B / {}# | {:?} {}{} ({:.2}%) |",
+ diff.scenario,
+ diff.baseline.heap_total_bytes,
+ diff.baseline.heap_total_blocks,
+ diff.baseline.heap_peak_bytes,
+ diff.baseline.heap_peak_blocks,
+ diff.candidate.heap_total_bytes,
+ diff.candidate.heap_total_blocks,
+ diff.candidate.heap_peak_bytes,
+ diff.candidate.heap_peak_blocks,
+ diff.comparator,
+ emoji,
+ diff.diff,
+ diff.diff_ratio * 100.0
+ )
+ }
+}
diff --git a/ci-bench/src/util.rs b/ci-bench/src/util.rs
index b32da09cd7b..9b9bf291adb 100644
--- a/ci-bench/src/util.rs
+++ b/ci-bench/src/util.rs
@@ -1,46 +1,16 @@
-use rustls::pki_types::pem::PemObject;
-use rustls::pki_types::{CertificateDer, PrivateKeyDer};
-
-#[derive(PartialEq, Clone, Copy, Debug)]
-pub enum KeyType {
- Rsa2048,
- EcdsaP256,
- EcdsaP384,
-}
-
-impl KeyType {
- pub(crate) fn path_for(&self, part: &str) -> String {
- match self {
- Self::Rsa2048 => format!("../test-ca/rsa-2048/{}", part),
- Self::EcdsaP256 => format!("../test-ca/ecdsa-p256/{}", part),
- Self::EcdsaP384 => format!("../test-ca/ecdsa-p384/{}", part),
- }
- }
-
- pub(crate) fn get_chain(&self) -> Vec> {
- CertificateDer::pem_file_iter(self.path_for("end.fullchain"))
- .unwrap()
- .map(|result| result.unwrap())
- .collect()
- }
-
- pub(crate) fn get_key(&self) -> PrivateKeyDer<'static> {
- PrivateKeyDer::from_pem_file(self.path_for("end.key")).unwrap()
- }
-}
-
-pub mod async_io {
+pub(crate) mod async_io {
//! Async IO building blocks required for sharing code between the instruction count and
//! wall-time benchmarks
- use std::cell::{Cell, RefCell};
+ use core::cell::{Cell, RefCell};
+ use core::future::Future;
+ use core::pin::{Pin, pin};
+ use core::task::{Poll, RawWaker, RawWakerVTable, Waker};
+ use core::{ptr, task};
use std::collections::VecDeque;
use std::fs::File;
- use std::future::Future;
- use std::pin::{pin, Pin};
+ use std::io;
use std::rc::Rc;
- use std::task::{Poll, RawWaker, RawWakerVTable, Waker};
- use std::{io, ptr, task};
use async_trait::async_trait;
@@ -52,7 +22,7 @@ pub mod async_io {
/// Useful when counting CPU instructions, because the server and the client side of the
/// connection run in two separate processes and communicate through stdio using blocking
/// operations.
- pub fn block_on_single_poll(
+ pub(crate) fn block_on_single_poll(
future: impl Future