feat: port VLESS Reality onto upstream rustls main (0.24.0-dev) #9
Closed
ibigbug wants to merge 1523 commits into
…alue::from_ticket()
This changes `Connection` into a trait rather than enum, and ensures that `ClientConnection` and `ServerConnection` impls it. This removes `ConnectionCommon` and `CommonState` derefs, and allows those types to become private. The `Deref` to `ConnectionOutputs` is maintained. This becomes important later, because the use of Deref commits us to using those parts for the internal representation of (eg) a `ClientConnection`. This comes with the pain that `use rustls::Connection` is needed for most users.
This withdraws:
- `wants_read()`: not useful, since the library is only used for handshaking.
- `wants_write()`: `write_hs` has a useful base case, and `wants_write()` was incorrect in relation to it anyway (did not inspect pending `hs_secrets` or `traffic_secrets`).
- `send_close_notify()`: this produces a TLS-level alert, which is illegal in QUIC.

None of these are used by Quinn.
This should be adequately covered by the fragmenter yielding zero chunks.
And hoist perhaps_write_key_update() out of loops.
In the case where SNI is disabled, `inner_sni` falls out of sync with `self.inner_name`. `inner_sni` is used to alter the inner hello's `server_name`, but `self.inner_name` was used as a basis for padding. This means padding would be added even if the extension wasn't, which ironically leaks the length of the inner name.
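A length-only model of the mismatch described in the commit message above, added here as an illustration and not taken from rustls or this PR. It assumes the ECH specification's recommended padding scheme; the function and parameter names, the 200-byte base length and the host names are constructed.

```rust
// Added illustration, not rustls code: models only the byte counts involved.
// Assumption: the ECH specification's recommended padding scheme.

/// Fixed bytes of a `server_name` extension around the host name:
/// type (2) + length (2) + list length (2) + name type (1) + name length (2).
const SNI_OVERHEAD: usize = 9;

/// Name padding: `Some(d)` when a name of `d` bytes is in the inner hello,
/// `None` when no `server_name` extension is sent at all.
fn name_padding(max_name_len: usize, basis: Option<usize>) -> usize {
    match basis {
        Some(d) => max_name_len.saturating_sub(d),
        None => max_name_len + SNI_OVERHEAD,
    }
}

/// Encoded inner hello length after padding. `sent_sni` is what actually goes
/// into the hello; `padding_basis` is what the padding was computed from.
/// Both parameter names are hypothetical.
fn padded_inner_len(
    base: usize,
    max_name_len: usize,
    sent_sni: Option<usize>,
    padding_basis: Option<usize>,
) -> usize {
    let ext = sent_sni.map_or(0, |d| SNI_OVERHEAD + d);
    let n = base + ext + name_padding(max_name_len, padding_basis);
    n + (31 - ((n - 1) % 32)) // round up to a multiple of 32
}

fn main() {
    let (base, max) = (200, 64); // constructed values
    for name in ["a.example", "a-much-longer-internal-host-name.example"] {
        let d = name.len();
        println!(
            "{d:>2}-byte name: sni on {} | sni off, padded from name {} | sni off, padded from sent hello {}",
            padded_inner_len(base, max, Some(d), Some(d)),
            padded_inner_len(base, max, None, Some(d)),
            padded_inner_len(base, max, None, None),
        );
    }
}
```

When the padding basis and the sent extension agree, every name yields the same length; in the mismatched middle column the length shrinks as the name grows.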
Bumps [openssl](https://github.com/rust-openssl/rust-openssl) from 0.10.78 to 0.10.79.
- [Release notes](https://github.com/rust-openssl/rust-openssl/releases)
- [Commits](rust-openssl/rust-openssl@openssl-v0.10.78...openssl-v0.10.79)

---
updated-dependencies:
- dependency-name: openssl
  dependency-version: 0.10.79
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Closing — rebasing to latest 0.23.x instead.
Summary

Ports the VLESS Reality feature onto the latest upstream rustls main (0.24.0-dev.0), replacing the old utls-0.23 base (rustls 0.23.21 / webpki 0.102.8). Supersedes PRs #7 and #8.

Key changes

New additions
- `x25519-dalek`, `aes-gcm`, `ed25519-dalek`, `hmac`, `sha2` (Reality no longer uses ring/aws-lc-rs directly for its crypto)

Architectural adaptations (0.23.21 → 0.24.0-dev)
- `key_share` type changed: `Option<Box<dyn ActiveKeyExchange>>` → `Option<GroupAndKeyShare>`
- `ServerCertVerifier` → `ServerVerifier` with new `verify_identity()` / `SignatureVerificationInput` API
- `rustls` crate — Reality now uses `x25519-dalek` / `aes-gcm` directly
- `watfaq-rustls` with `[lib] name = "rustls"` to keep doctests working

File renames handled
- `client/builder.rs` → `client/config.rs`
- `client/client_conn.rs` → `client/connection.rs`
- `crypto/ring/` → separate `rustls-ring` crate (not modified)
- `crypto/aws_lc_rs/` → separate `rustls-aws-lc-rs` crate (not modified)

Validation
- `cargo check -p watfaq-rustls` ✅
- `cargo test -p watfaq-rustls` ✅ 215 passed, 0 failed

Next step

Once merged, update the `rev` pin in `clash-rs/clash-lib/Cargo.toml` to point at the new commit.