diff --git a/rustls-mbedcrypto-provider/examples/client.rs b/rustls-mbedcrypto-provider/examples/client.rs index bb84f0f..e708701 100644 --- a/rustls-mbedcrypto-provider/examples/client.rs +++ b/rustls-mbedcrypto-provider/examples/client.rs @@ -45,12 +45,7 @@ fn main() { .conn .negotiated_cipher_suite() .unwrap(); - writeln!( - &mut std::io::stderr(), - "Current ciphersuite: {:?}", - ciphersuite.suite() - ) - .unwrap(); + writeln!(&mut std::io::stderr(), "Current ciphersuite: {:?}", ciphersuite.suite()).unwrap(); let mut plaintext = Vec::new(); tls.read_to_end(&mut plaintext).unwrap(); stdout().write_all(&plaintext).unwrap(); diff --git a/rustls-mbedcrypto-provider/examples/internal/bench.rs b/rustls-mbedcrypto-provider/examples/internal/bench.rs index ed80e52..cd0fde1 100644 --- a/rustls-mbedcrypto-provider/examples/internal/bench.rs +++ b/rustls-mbedcrypto-provider/examples/internal/bench.rs @@ -170,11 +170,7 @@ impl BenchmarkParam { ciphersuite: rustls::SupportedCipherSuite, version: &'static rustls::SupportedProtocolVersion, ) -> Self { - Self { - key_type, - ciphersuite, - version, - } + Self { key_type, ciphersuite, version } } } @@ -266,13 +262,11 @@ impl KeyType { } fn get_key(&self) -> PrivateKeyDer<'static> { - rustls_pemfile::pkcs8_private_keys(&mut io::BufReader::new( - fs::File::open(self.path_for("end.key")).unwrap(), - )) - .next() - .unwrap() - .unwrap() - .into() + rustls_pemfile::pkcs8_private_keys(&mut io::BufReader::new(fs::File::open(self.path_for("end.key")).unwrap())) + .next() + .unwrap() + .unwrap() + .into() } fn get_client_chain(&self) -> Vec> { @@ -284,13 +278,11 @@ impl KeyType { } fn get_client_key(&self) -> PrivateKeyDer<'static> { - rustls_pemfile::pkcs8_private_keys(&mut io::BufReader::new( - fs::File::open(self.path_for("client.key")).unwrap(), - )) - .next() - .unwrap() - .unwrap() - .into() + rustls_pemfile::pkcs8_private_keys(&mut io::BufReader::new(fs::File::open(self.path_for("client.key")).unwrap())) + .next() + .unwrap() + .unwrap() + .into() } } @@ -335,17 +327,10 @@ fn make_server_config( cfg } -fn make_client_config( - params: &BenchmarkParam, - clientauth: ClientAuth, - resume: ResumptionParam, -) -> ClientConfig { +fn make_client_config(params: &BenchmarkParam, clientauth: ClientAuth, resume: ResumptionParam) -> ClientConfig { let mut root_store = RootCertStore::empty(); - let mut rootbuf = - io::BufReader::new(fs::File::open(params.key_type.path_for("ca.cert")).unwrap()); - root_store.add_parsable_certificates( - rustls_pemfile::certs(&mut rootbuf).map(|result| result.unwrap()), - ); + let mut rootbuf = io::BufReader::new(fs::File::open(params.key_type.path_for("ca.cert")).unwrap()); + root_store.add_parsable_certificates(rustls_pemfile::certs(&mut rootbuf).map(|result| result.unwrap())); let cfg = ClientConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS) .with_cipher_suites(&[params.ciphersuite]) @@ -355,11 +340,8 @@ fn make_client_config( .with_root_certificates(root_store); let mut cfg = if clientauth == ClientAuth::Yes { - cfg.with_client_auth_cert( - params.key_type.get_client_chain(), - params.key_type.get_client_key(), - ) - .unwrap() + cfg.with_client_auth_cert(params.key_type.get_client_chain(), params.key_type.get_client_key()) + .unwrap() } else { cfg.with_no_client_auth() }; @@ -390,11 +372,7 @@ fn bench_handshake(params: &BenchmarkParam, clientauth: ClientAuth, resume: Resu assert!(params.ciphersuite.version() == params.version); - let rounds = apply_work_multiplier(if resume == ResumptionParam::No { - 512 - } else { - 4096 - }); + let rounds = apply_work_multiplier(if resume == ResumptionParam::No { 512 } else { 4096 }); let mut client_time = 0f64; let mut server_time = 0f64; @@ -460,11 +438,7 @@ fn do_handshake(client: &mut ClientConnection, server: &mut ServerConnection) { } fn bench_bulk(params: &BenchmarkParam, plaintext_size: u64, max_fragment_size: Option) { - let client_config = Arc::new(make_client_config( - params, - ClientAuth::No, - ResumptionParam::No, - )); + let client_config = Arc::new(make_client_config(params, ClientAuth::No, ResumptionParam::No)); let server_config = Arc::new(make_server_config( params, ClientAuth::No, @@ -522,17 +496,8 @@ fn bench_bulk(params: &BenchmarkParam, plaintext_size: u64, max_fragment_size: O } fn bench_memory(params: &BenchmarkParam, conn_count: u64) { - let client_config = Arc::new(make_client_config( - params, - ClientAuth::No, - ResumptionParam::No, - )); - let server_config = Arc::new(make_server_config( - params, - ClientAuth::No, - ResumptionParam::No, - None, - )); + let client_config = Arc::new(make_client_config(params, ClientAuth::No, ResumptionParam::No)); + let server_config = Arc::new(make_server_config(params, ClientAuth::No, ResumptionParam::No, None)); // The target here is to end up with conn_count post-handshake // server and client sessions. @@ -573,9 +538,7 @@ fn bench_memory(params: &BenchmarkParam, conn_count: u64) { fn lookup_matching_benches(name: &str) -> Vec<&BenchmarkParam> { let r: Vec<&BenchmarkParam> = ALL_BENCHMARKS .iter() - .filter(|params| { - format!("{:?}", params.ciphersuite.suite()).to_lowercase() == name.to_lowercase() - }) + .filter(|params| format!("{:?}", params.ciphersuite.suite()).to_lowercase() == name.to_lowercase()) .collect(); if r.is_empty() { diff --git a/rustls-mbedcrypto-provider/src/hash.rs b/rustls-mbedcrypto-provider/src/hash.rs index f2f1182..4db7cb7 100644 --- a/rustls-mbedcrypto-provider/src/hash.rs +++ b/rustls-mbedcrypto-provider/src/hash.rs @@ -91,10 +91,7 @@ pub(crate) struct MbedHashContext { impl Clone for MbedHashContext { fn clone(&self) -> Self { let state = self.state.lock().unwrap(); - Self { - state: Arc::new(Mutex::new(state.clone())), - hash_algo: self.hash_algo, - } + Self { state: Arc::new(Mutex::new(state.clone())), hash_algo: self.hash_algo } } } diff --git a/rustls-mbedcrypto-provider/src/kx.rs b/rustls-mbedcrypto-provider/src/kx.rs index ad5afd1..89f3632 100644 --- a/rustls-mbedcrypto-provider/src/kx.rs +++ b/rustls-mbedcrypto-provider/src/kx.rs @@ -52,10 +52,7 @@ impl SupportedKxGroup for KxGroup { rustls::crypto::GetRandomFailed })?; - fn get_key_pair( - pk: &mut PkMbed, - kx_group: &KxGroup, - ) -> Result { + fn get_key_pair(pk: &mut PkMbed, kx_group: &KxGroup) -> Result { let group = EcGroup::new(kx_group.agreement_algorithm.group_id)?; let pub_key = pk .ec_public()? @@ -84,28 +81,19 @@ impl SupportedKxGroup for KxGroup { } /// Ephemeral ECDH on curve25519 (see RFC7748) -pub static X25519: &dyn SupportedKxGroup = &KxGroup { - name: NamedGroup::X25519, - agreement_algorithm: &agreement::X25519, -}; +pub static X25519: &dyn SupportedKxGroup = &KxGroup { name: NamedGroup::X25519, agreement_algorithm: &agreement::X25519 }; /// Ephemeral ECDH on secp256r1 (aka NIST-P256) -pub static SECP256R1: &dyn SupportedKxGroup = &KxGroup { - name: NamedGroup::secp256r1, - agreement_algorithm: &agreement::ECDH_P256, -}; +pub static SECP256R1: &dyn SupportedKxGroup = + &KxGroup { name: NamedGroup::secp256r1, agreement_algorithm: &agreement::ECDH_P256 }; /// Ephemeral ECDH on secp384r1 (aka NIST-P384) -pub static SECP384R1: &dyn SupportedKxGroup = &KxGroup { - name: NamedGroup::secp384r1, - agreement_algorithm: &agreement::ECDH_P384, -}; +pub static SECP384R1: &dyn SupportedKxGroup = + &KxGroup { name: NamedGroup::secp384r1, agreement_algorithm: &agreement::ECDH_P384 }; /// Ephemeral ECDH on secp521r1 (aka NIST-P521) -pub static SECP521R1: &dyn SupportedKxGroup = &KxGroup { - name: NamedGroup::secp521r1, - agreement_algorithm: &agreement::ECDH_P521, -}; +pub static SECP521R1: &dyn SupportedKxGroup = + &KxGroup { name: NamedGroup::secp521r1, agreement_algorithm: &agreement::ECDH_P521 }; /// A list of all the key exchange groups supported by mbedtls. pub static ALL_KX_GROUPS: &[&dyn SupportedKxGroup] = &[X25519, SECP256R1, SECP384R1, SECP521R1]; @@ -130,18 +118,15 @@ impl crypto::ActiveKeyExchange for KeyExchange { let ec_group = EcGroup::new(group_id).map_err(mbedtls_err_to_rustls_error)?; let private_key = Mpi::from_binary(&self.priv_key).map_err(mbedtls_err_to_rustls_error)?; - let mut sk = PkMbed::private_from_ec_components(ec_group.clone(), private_key) - .map_err(mbedtls_err_to_rustls_error)?; + let mut sk = PkMbed::private_from_ec_components(ec_group.clone(), private_key).map_err(mbedtls_err_to_rustls_error)?; if peer_public_key.len() != self.agreement_algorithm.public_key_len { return Err(Error::General(format!( "Failed to validate {:?} comping peer public key, invalid length", group_id ))); } - let public_point = EcPoint::from_binary_no_compress(&ec_group, peer_public_key) - .map_err(mbedtls_err_to_rustls_error)?; - let peer_pk = PkMbed::public_from_ec_components(ec_group.clone(), public_point) - .map_err(mbedtls_err_to_rustls_error)?; + let public_point = EcPoint::from_binary_no_compress(&ec_group, peer_public_key).map_err(mbedtls_err_to_rustls_error)?; + let peer_pk = PkMbed::public_from_ec_components(ec_group.clone(), public_point).map_err(mbedtls_err_to_rustls_error)?; let mut shared_secret = vec![ 0u8; diff --git a/rustls-mbedcrypto-provider/src/tls12.rs b/rustls-mbedcrypto-provider/src/tls12.rs index f35452a..4e3fd70 100644 --- a/rustls-mbedcrypto-provider/src/tls12.rs +++ b/rustls-mbedcrypto-provider/src/tls12.rs @@ -13,19 +13,15 @@ use mbedtls::cipher::raw::{CipherId, CipherMode, CipherType}; use mbedtls::cipher::{Authenticated, Cipher, Decryption, Encryption, Fresh}; use rustls::cipher_suite::CipherSuiteCommon; use rustls::crypto::cipher::{ - make_tls12_aad, AeadKey, BorrowedPlainMessage, Iv, KeyBlockShape, MessageDecrypter, - MessageEncrypter, Nonce, OpaqueMessage, PlainMessage, Tls12AeadAlgorithm, - UnsupportedOperationError, NONCE_LEN, + make_tls12_aad, AeadKey, BorrowedPlainMessage, Iv, KeyBlockShape, MessageDecrypter, MessageEncrypter, Nonce, OpaqueMessage, + PlainMessage, Tls12AeadAlgorithm, UnsupportedOperationError, NONCE_LEN, }; use rustls::crypto::tls12::PrfUsingHmac; use rustls::crypto::KeyExchangeAlgorithm; use super::aead::{self, Algorithm, AES128_GCM, AES256_GCM}; use alloc::string::String; -use rustls::{ - CipherSuite, ConnectionTrafficSecrets, Error, SignatureScheme, SupportedCipherSuite, - Tls12CipherSuite, -}; +use rustls::{CipherSuite, ConnectionTrafficSecrets, Error, SignatureScheme, SupportedCipherSuite, Tls12CipherSuite}; pub(crate) const GCM_FIXED_IV_LEN: usize = 4; pub(crate) const GCM_EXPLICIT_NONCE_LEN: usize = 8; @@ -46,69 +42,64 @@ pub static TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: SupportedCipherSuite = }); /// The TLS1.2 ciphersuite TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 -pub static TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: SupportedCipherSuite = - SupportedCipherSuite::Tls12(&Tls12CipherSuite { - common: CipherSuiteCommon { - suite: CipherSuite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, - hash_provider: &super::hash::SHA256, - }, - kx: KeyExchangeAlgorithm::ECDHE, - sign: TLS12_RSA_SCHEMES, - aead_alg: &ChaCha20Poly1305, - prf_provider: &PrfUsingHmac(&super::hmac::HMAC_SHA256), - }); +pub static TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: SupportedCipherSuite = SupportedCipherSuite::Tls12(&Tls12CipherSuite { + common: CipherSuiteCommon { + suite: CipherSuite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + hash_provider: &super::hash::SHA256, + }, + kx: KeyExchangeAlgorithm::ECDHE, + sign: TLS12_RSA_SCHEMES, + aead_alg: &ChaCha20Poly1305, + prf_provider: &PrfUsingHmac(&super::hmac::HMAC_SHA256), +}); /// The TLS1.2 ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -pub static TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: SupportedCipherSuite = - SupportedCipherSuite::Tls12(&Tls12CipherSuite { - common: CipherSuiteCommon { - suite: CipherSuite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - hash_provider: &super::hash::SHA256, - }, - kx: KeyExchangeAlgorithm::ECDHE, - sign: TLS12_RSA_SCHEMES, - aead_alg: &AES128_GCM, - prf_provider: &PrfUsingHmac(&super::hmac::HMAC_SHA256), - }); +pub static TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: SupportedCipherSuite = SupportedCipherSuite::Tls12(&Tls12CipherSuite { + common: CipherSuiteCommon { + suite: CipherSuite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + hash_provider: &super::hash::SHA256, + }, + kx: KeyExchangeAlgorithm::ECDHE, + sign: TLS12_RSA_SCHEMES, + aead_alg: &AES128_GCM, + prf_provider: &PrfUsingHmac(&super::hmac::HMAC_SHA256), +}); /// The TLS1.2 ciphersuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -pub static TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: SupportedCipherSuite = - SupportedCipherSuite::Tls12(&Tls12CipherSuite { - common: CipherSuiteCommon { - suite: CipherSuite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - hash_provider: &super::hash::SHA384, - }, - kx: KeyExchangeAlgorithm::ECDHE, - sign: TLS12_RSA_SCHEMES, - aead_alg: &AES256_GCM, - prf_provider: &PrfUsingHmac(&super::hmac::HMAC_SHA384), - }); +pub static TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: SupportedCipherSuite = SupportedCipherSuite::Tls12(&Tls12CipherSuite { + common: CipherSuiteCommon { + suite: CipherSuite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + hash_provider: &super::hash::SHA384, + }, + kx: KeyExchangeAlgorithm::ECDHE, + sign: TLS12_RSA_SCHEMES, + aead_alg: &AES256_GCM, + prf_provider: &PrfUsingHmac(&super::hmac::HMAC_SHA384), +}); /// The TLS1.2 ciphersuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -pub static TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: SupportedCipherSuite = - SupportedCipherSuite::Tls12(&Tls12CipherSuite { - common: CipherSuiteCommon { - suite: CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - hash_provider: &super::hash::SHA256, - }, - kx: KeyExchangeAlgorithm::ECDHE, - sign: TLS12_ECDSA_SCHEMES, - aead_alg: &AES128_GCM, - prf_provider: &PrfUsingHmac(&super::hmac::HMAC_SHA256), - }); +pub static TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: SupportedCipherSuite = SupportedCipherSuite::Tls12(&Tls12CipherSuite { + common: CipherSuiteCommon { + suite: CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + hash_provider: &super::hash::SHA256, + }, + kx: KeyExchangeAlgorithm::ECDHE, + sign: TLS12_ECDSA_SCHEMES, + aead_alg: &AES128_GCM, + prf_provider: &PrfUsingHmac(&super::hmac::HMAC_SHA256), +}); /// The TLS1.2 ciphersuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 -pub static TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: SupportedCipherSuite = - SupportedCipherSuite::Tls12(&Tls12CipherSuite { - common: CipherSuiteCommon { - suite: CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - hash_provider: &super::hash::SHA384, - }, - kx: KeyExchangeAlgorithm::ECDHE, - sign: TLS12_ECDSA_SCHEMES, - aead_alg: &AES256_GCM, - prf_provider: &PrfUsingHmac(&super::hmac::HMAC_SHA384), - }); +pub static TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: SupportedCipherSuite = SupportedCipherSuite::Tls12(&Tls12CipherSuite { + common: CipherSuiteCommon { + suite: CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + hash_provider: &super::hash::SHA384, + }, + kx: KeyExchangeAlgorithm::ECDHE, + sign: TLS12_ECDSA_SCHEMES, + aead_alg: &AES256_GCM, + prf_provider: &PrfUsingHmac(&super::hmac::HMAC_SHA384), +}); static TLS12_ECDSA_SCHEMES: &[SignatureScheme] = &[ SignatureScheme::ED25519, @@ -136,10 +127,7 @@ impl Tls12AeadAlgorithm for Algorithm { fn decrypter(&self, key: AeadKey, iv: &[u8]) -> Box { let dec_key = key.as_ref().to_vec(); - let mut ret = GcmMessageDecrypter { - dec_key, - dec_salt: [0u8; GCM_FIXED_IV_LEN], - }; + let mut ret = GcmMessageDecrypter { dec_key, dec_salt: [0u8; GCM_FIXED_IV_LEN] }; debug_assert_eq!(iv.len(), GCM_FIXED_IV_LEN); ret.dec_salt.copy_from_slice(iv); @@ -161,14 +149,8 @@ impl Tls12AeadAlgorithm for Algorithm { explicit: &[u8], ) -> Result { match self.cipher_type { - CipherType::Aes128Gcm => Ok(ConnectionTrafficSecrets::Aes128Gcm { - key, - iv: gcm_iv(iv, explicit), - }), - CipherType::Aes256Gcm => Ok(ConnectionTrafficSecrets::Aes256Gcm { - key, - iv: gcm_iv(iv, explicit), - }), + CipherType::Aes128Gcm => Ok(ConnectionTrafficSecrets::Aes128Gcm { key, iv: gcm_iv(iv, explicit) }), + CipherType::Aes256Gcm => Ok(ConnectionTrafficSecrets::Aes256Gcm { key, iv: gcm_iv(iv, explicit) }), _ => Err(UnsupportedOperationError), } } @@ -178,25 +160,15 @@ pub(crate) struct ChaCha20Poly1305; impl Tls12AeadAlgorithm for ChaCha20Poly1305 { fn decrypter(&self, dec_key: AeadKey, iv: &[u8]) -> Box { - Box::new(ChaCha20Poly1305MessageDecrypter { - dec_key: dec_key.as_ref().to_vec(), - dec_offset: Iv::copy(iv), - }) + Box::new(ChaCha20Poly1305MessageDecrypter { dec_key: dec_key.as_ref().to_vec(), dec_offset: Iv::copy(iv) }) } fn encrypter(&self, enc_key: AeadKey, enc_iv: &[u8], _: &[u8]) -> Box { - Box::new(ChaCha20Poly1305MessageEncrypter { - enc_key: enc_key.as_ref().to_vec(), - enc_offset: Iv::copy(enc_iv), - }) + Box::new(ChaCha20Poly1305MessageEncrypter { enc_key: enc_key.as_ref().to_vec(), enc_offset: Iv::copy(enc_iv) }) } fn key_block_shape(&self) -> KeyBlockShape { - KeyBlockShape { - enc_key_len: 32, - fixed_iv_len: 12, - explicit_nonce_len: 0, - } + KeyBlockShape { enc_key_len: 32, fixed_iv_len: 12, explicit_nonce_len: 0 } } fn extract_keys( @@ -207,10 +179,7 @@ impl Tls12AeadAlgorithm for ChaCha20Poly1305 { ) -> Result { // This should always be true because KeyBlockShape and the Iv nonce len are in agreement. debug_assert_eq!(NONCE_LEN, iv.len()); - Ok(ConnectionTrafficSecrets::Chacha20Poly1305 { - key, - iv: Iv::new(iv[..].try_into().unwrap()), - }) + Ok(ConnectionTrafficSecrets::Chacha20Poly1305 { key, iv: Iv::new(iv[..].try_into().unwrap()) }) } } @@ -241,12 +210,8 @@ impl MessageDecrypter for GcmMessageDecrypter { let aad = make_tls12_aad(seq, msg.typ, msg.version, payload.len() - GCM_OVERHEAD); let key_bit_len = self.dec_key.len() * 8; - let cipher = Cipher::::new( - CipherId::Aes, - CipherMode::GCM, - key_bit_len as _, - ) - .map_err(mbedtls_err_to_rustls_error)?; + let cipher = Cipher::::new(CipherId::Aes, CipherMode::GCM, key_bit_len as _) + .map_err(mbedtls_err_to_rustls_error)?; let cipher = cipher .set_key_iv(&self.dec_key, &nonce) @@ -291,12 +256,8 @@ impl MessageEncrypter for GcmMessageEncrypter { payload.extend_from_slice(msg.payload); let key_bit_len = self.enc_key.len() * 8; - let cipher = Cipher::::new( - CipherId::Aes, - CipherMode::GCM, - key_bit_len as _, - ) - .map_err(mbedtls_err_to_rustls_error)?; + let cipher = Cipher::::new(CipherId::Aes, CipherMode::GCM, key_bit_len as _) + .map_err(mbedtls_err_to_rustls_error)?; let cipher = cipher .set_key_iv(&self.enc_key, &nonce) .map_err(mbedtls_err_to_rustls_error)?; @@ -343,12 +304,7 @@ impl MessageDecrypter for ChaCha20Poly1305MessageDecrypter { } let nonce = Nonce::new(&self.dec_offset, seq).0; - let aad = make_tls12_aad( - seq, - msg.typ, - msg.version, - payload.len() - CHACHAPOLY1305_OVERHEAD, - ); + let aad = make_tls12_aad(seq, msg.typ, msg.version, payload.len() - CHACHAPOLY1305_OVERHEAD); let payload = msg.payload_mut(); diff --git a/rustls-mbedcrypto-provider/src/tls13.rs b/rustls-mbedcrypto-provider/src/tls13.rs index 3ee1841..2378248 100644 --- a/rustls-mbedcrypto-provider/src/tls13.rs +++ b/rustls-mbedcrypto-provider/src/tls13.rs @@ -15,14 +15,13 @@ use mbedtls::cipher::raw::CipherType; use mbedtls::cipher::{Authenticated, Cipher, Decryption, Encryption, Fresh}; use rustls::cipher_suite::CipherSuiteCommon; use rustls::crypto::cipher::{ - make_tls13_aad, AeadKey, BorrowedPlainMessage, Iv, MessageDecrypter, MessageEncrypter, Nonce, - OpaqueMessage, PlainMessage, Tls13AeadAlgorithm, UnsupportedOperationError, + make_tls13_aad, AeadKey, BorrowedPlainMessage, Iv, MessageDecrypter, MessageEncrypter, Nonce, OpaqueMessage, PlainMessage, + Tls13AeadAlgorithm, UnsupportedOperationError, }; use rustls::crypto::tls13::HkdfUsingHmac; use rustls::internal::msgs::codec::Codec; use rustls::{ - CipherSuite, ConnectionTrafficSecrets, ContentType, Error, ProtocolVersion, - SupportedCipherSuite, Tls13CipherSuite, + CipherSuite, ConnectionTrafficSecrets, ContentType, Error, ProtocolVersion, SupportedCipherSuite, Tls13CipherSuite, }; /// The TLS1.3 ciphersuite TLS_CHACHA20_POLY1305_SHA256 @@ -39,62 +38,46 @@ pub(crate) static TLS13_CHACHA20_POLY1305_SHA256_INTERNAL: &Tls13CipherSuite = & }; /// The TLS1.3 ciphersuite TLS_AES_256_GCM_SHA384 -pub static TLS13_AES_256_GCM_SHA384: SupportedCipherSuite = - SupportedCipherSuite::Tls13(&Tls13CipherSuite { - common: CipherSuiteCommon { - suite: CipherSuite::TLS13_AES_256_GCM_SHA384, - hash_provider: &super::hash::SHA384, - }, - hkdf_provider: &HkdfUsingHmac(&super::hmac::HMAC_SHA384), - aead_alg: &AeadAlgorithm(&aead::AES256_GCM), - }); +pub static TLS13_AES_256_GCM_SHA384: SupportedCipherSuite = SupportedCipherSuite::Tls13(&Tls13CipherSuite { + common: CipherSuiteCommon { + suite: CipherSuite::TLS13_AES_256_GCM_SHA384, + hash_provider: &super::hash::SHA384, + }, + hkdf_provider: &HkdfUsingHmac(&super::hmac::HMAC_SHA384), + aead_alg: &AeadAlgorithm(&aead::AES256_GCM), +}); /// The TLS1.3 ciphersuite TLS_AES_128_GCM_SHA256 -pub static TLS13_AES_128_GCM_SHA256: SupportedCipherSuite = - SupportedCipherSuite::Tls13(&Tls13CipherSuite { - common: CipherSuiteCommon { - suite: CipherSuite::TLS13_AES_128_GCM_SHA256, - hash_provider: &super::hash::SHA256, - }, - hkdf_provider: &HkdfUsingHmac(&super::hmac::HMAC_SHA256), - aead_alg: &AeadAlgorithm(&aead::AES128_GCM), - }); +pub static TLS13_AES_128_GCM_SHA256: SupportedCipherSuite = SupportedCipherSuite::Tls13(&Tls13CipherSuite { + common: CipherSuiteCommon { + suite: CipherSuite::TLS13_AES_128_GCM_SHA256, + hash_provider: &super::hash::SHA256, + }, + hkdf_provider: &HkdfUsingHmac(&super::hmac::HMAC_SHA256), + aead_alg: &AeadAlgorithm(&aead::AES128_GCM), +}); // common encrypter/decrypter/key_len items for above Tls13AeadAlgorithm impls struct AeadAlgorithm(&'static aead::Algorithm); impl Tls13AeadAlgorithm for AeadAlgorithm { fn encrypter(&self, key: AeadKey, iv: Iv) -> Box { - Box::new(Tls13MessageEncrypter { - enc_key: key.as_ref().to_vec(), - iv, - aead_algorithm: self.0, - }) + Box::new(Tls13MessageEncrypter { enc_key: key.as_ref().to_vec(), iv, aead_algorithm: self.0 }) } fn decrypter(&self, key: AeadKey, iv: Iv) -> Box { - Box::new(Tls13MessageDecrypter { - dec_key: key.as_ref().to_vec(), - iv, - aead_algorithm: self.0, - }) + Box::new(Tls13MessageDecrypter { dec_key: key.as_ref().to_vec(), iv, aead_algorithm: self.0 }) } fn key_len(&self) -> usize { self.0.key_length } - fn extract_keys( - &self, - key: AeadKey, - iv: Iv, - ) -> Result { + fn extract_keys(&self, key: AeadKey, iv: Iv) -> Result { match self.0.cipher_type { CipherType::Aes128Gcm => Ok(ConnectionTrafficSecrets::Aes128Gcm { key, iv }), CipherType::Aes256Gcm => Ok(ConnectionTrafficSecrets::Aes256Gcm { key, iv }), - CipherType::Chacha20Poly1305 => { - Ok(ConnectionTrafficSecrets::Chacha20Poly1305 { key, iv }) - } + CipherType::Chacha20Poly1305 => Ok(ConnectionTrafficSecrets::Chacha20Poly1305 { key, iv }), _ => Err(UnsupportedOperationError), } } diff --git a/rustls-mbedcrypto-provider/tests/api.rs b/rustls-mbedcrypto-provider/tests/api.rs index 6f3c7ab..58c7c89 100644 --- a/rustls-mbedcrypto-provider/tests/api.rs +++ b/rustls-mbedcrypto-provider/tests/api.rs @@ -16,9 +16,7 @@ use std::sync::Arc; use std::sync::Mutex; use pki_types::{CertificateDer, UnixTime}; -use rustls::client::{ - verify_server_cert_signed_by_trust_anchor, ResolvesClientCert, Resumption, WebPkiServerVerifier, -}; +use rustls::client::{verify_server_cert_signed_by_trust_anchor, ResolvesClientCert, Resumption, WebPkiServerVerifier}; use rustls::internal::msgs::{ base::Payload, codec::Codec, @@ -28,10 +26,9 @@ use rustls::internal::msgs::{ }; use rustls::server::{ClientHello, ParsedCertificate, ResolvesServerCert, WebPkiClientVerifier}; use rustls::{ - sign, AlertDescription, CertificateError, CipherSuite, ClientConfig, ClientConnection, - ConnectionCommon, ContentType, DistinguishedName, Error, KeyLog, PeerIncompatible, - PeerMisbehaved, ProtocolVersion, ServerConfig, ServerConnection, SideData, SignatureScheme, - Stream, StreamOwned, SupportedCipherSuite, + sign, AlertDescription, CertificateError, CipherSuite, ClientConfig, ClientConnection, ConnectionCommon, ContentType, + DistinguishedName, Error, KeyLog, PeerIncompatible, PeerMisbehaved, ProtocolVersion, ServerConfig, ServerConnection, + SideData, SignatureScheme, Stream, StreamOwned, SupportedCipherSuite, }; use rustls_mbedcrypto_provider::ALL_CIPHER_SUITES; @@ -53,8 +50,7 @@ fn alpn_test_error( let mut client_config = make_client_config_with_versions(KeyType::Rsa, &[version]); client_config.alpn_protocols = client_protos.clone(); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); assert_eq!(client.alpn_protocol(), None); assert_eq!(server.alpn_protocol(), None); @@ -123,10 +119,7 @@ fn version_test( let client_config = make_client_config_with_versions(KeyType::Rsa, client_versions); let server_config = make_server_config_with_versions(KeyType::Rsa, server_versions); - println!( - "version {:?} {:?} -> {:?}", - client_versions, server_versions, result - ); + println!("version {:?} {:?} -> {:?}", client_versions, server_versions, result); let (mut client, mut server) = make_pair_for_configs(client_config, server_config); @@ -149,19 +142,11 @@ fn versions() { // client default, server 1.2 -> 1.2 #[cfg(feature = "tls12")] - version_test( - &[], - &[&rustls::version::TLS12], - Some(ProtocolVersion::TLSv1_2), - ); + version_test(&[], &[&rustls::version::TLS12], Some(ProtocolVersion::TLSv1_2)); // client 1.2, server default -> 1.2 #[cfg(feature = "tls12")] - version_test( - &[&rustls::version::TLS12], - &[], - Some(ProtocolVersion::TLSv1_2), - ); + version_test(&[&rustls::version::TLS12], &[], Some(ProtocolVersion::TLSv1_2)); // client 1.2, server 1.3 -> fail #[cfg(feature = "tls12")] @@ -302,8 +287,7 @@ fn buffered_client_data_sent() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions(KeyType::Rsa, &[version]); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); assert_eq!(5, client.writer().write(b"hello").unwrap()); @@ -321,8 +305,7 @@ fn buffered_server_data_sent() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions(KeyType::Rsa, &[version]); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); assert_eq!(5, server.writer().write(b"hello").unwrap()); @@ -340,8 +323,7 @@ fn buffered_both_data_sent() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions(KeyType::Rsa, &[version]); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); assert_eq!( 12, @@ -375,8 +357,7 @@ fn client_can_get_server_cert() { for kt in ALL_KEY_TYPES.iter() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions(*kt, &[version]); - let (mut client, mut server) = - make_pair_for_configs(client_config, make_server_config(*kt)); + let (mut client, mut server) = make_pair_for_configs(client_config, make_server_config(*kt)); do_handshake(&mut client, &mut server); let certs = client.peer_certificates(); @@ -391,14 +372,12 @@ fn client_can_get_server_cert_after_resumption() { let server_config = make_server_config(*kt); for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions(*kt, &[version]); - let (mut client, mut server) = - make_pair_for_configs(client_config.clone(), server_config.clone()); + let (mut client, mut server) = make_pair_for_configs(client_config.clone(), server_config.clone()); do_handshake(&mut client, &mut server); let original_certs = client.peer_certificates(); - let (mut client, mut server) = - make_pair_for_configs(client_config.clone(), server_config.clone()); + let (mut client, mut server) = make_pair_for_configs(client_config.clone(), server_config.clone()); do_handshake(&mut client, &mut server); let resumed_certs = client.peer_certificates(); @@ -415,8 +394,7 @@ fn server_can_get_client_cert() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions_with_auth(*kt, &[version]); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); do_handshake(&mut client, &mut server); let certs = server.peer_certificates(); @@ -433,13 +411,11 @@ fn server_can_get_client_cert_after_resumption() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions_with_auth(*kt, &[version]); let client_config = Arc::new(client_config); - let (mut client, mut server) = - make_pair_for_arc_configs(&client_config, &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&client_config, &server_config); do_handshake(&mut client, &mut server); let original_certs = server.peer_certificates(); - let (mut client, mut server) = - make_pair_for_arc_configs(&client_config, &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&client_config, &server_config); do_handshake(&mut client, &mut server); let resumed_certs = server.peer_certificates(); assert_eq!(original_certs, resumed_certs); @@ -454,8 +430,7 @@ fn test_config_builders_debug() { "ConfigBuilder { state: WantsCipherSuites(Mbedtls) }", format!("{:?}", b) ); - let b = - b.with_cipher_suites(&[rustls_mbedcrypto_provider::tls13::TLS13_CHACHA20_POLY1305_SHA256]); + let b = b.with_cipher_suites(&[rustls_mbedcrypto_provider::tls13::TLS13_CHACHA20_POLY1305_SHA256]); assert_eq!("ConfigBuilder { state: WantsKxGroups { cipher_suites: [TLS13_CHACHA20_POLY1305_SHA256], provider: Mbedtls } }", format!("{:?}", b)); let b = b.with_kx_groups(&[rustls_mbedcrypto_provider::kx_group::X25519]); assert_eq!("ConfigBuilder { state: WantsVersions { cipher_suites: [TLS13_CHACHA20_POLY1305_SHA256], kx_groups: [X25519], provider: Mbedtls } }", format!("{:?}", b)); @@ -470,8 +445,7 @@ fn test_config_builders_debug() { "ConfigBuilder { state: WantsCipherSuites(Mbedtls) }", format!("{:?}", b) ); - let b = - b.with_cipher_suites(&[rustls_mbedcrypto_provider::tls13::TLS13_CHACHA20_POLY1305_SHA256]); + let b = b.with_cipher_suites(&[rustls_mbedcrypto_provider::tls13::TLS13_CHACHA20_POLY1305_SHA256]); assert_eq!("ConfigBuilder { state: WantsKxGroups { cipher_suites: [TLS13_CHACHA20_POLY1305_SHA256], provider: Mbedtls } }", format!("{:?}", b)); let b = b.with_kx_groups(&[rustls_mbedcrypto_provider::kx_group::X25519]); assert_eq!("ConfigBuilder { state: WantsVersions { cipher_suites: [TLS13_CHACHA20_POLY1305_SHA256], kx_groups: [X25519], provider: Mbedtls } }", format!("{:?}", b)); @@ -495,12 +469,11 @@ fn server_allow_any_anonymous_or_authenticated_client() { .build() .unwrap(); - let server_config = - ServerConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS) - .with_safe_defaults() - .with_client_cert_verifier(client_auth) - .with_single_cert(kt.get_chain(), kt.get_key()) - .unwrap(); + let server_config = ServerConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS) + .with_safe_defaults() + .with_client_cert_verifier(client_auth) + .with_single_cert(kt.get_chain(), kt.get_key()) + .unwrap(); let server_config = Arc::new(server_config); for version in rustls::ALL_VERSIONS { @@ -509,8 +482,7 @@ fn server_allow_any_anonymous_or_authenticated_client() { } else { make_client_config_with_versions(kt, &[version]) }; - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); do_handshake(&mut client, &mut server); let certs = server.peer_certificates(); @@ -531,8 +503,7 @@ fn server_close_notify() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions_with_auth(kt, &[version]); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); do_handshake(&mut client, &mut server); // check that alerts don't overtake appdata @@ -570,8 +541,7 @@ fn client_close_notify() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions_with_auth(kt, &[version]); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); do_handshake(&mut client, &mut server); // check that alerts don't overtake appdata @@ -609,8 +579,7 @@ fn server_closes_uncleanly() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions(kt, &[version]); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); do_handshake(&mut client, &mut server); // check that unclean EOF reporting does not overtake appdata @@ -635,10 +604,7 @@ fn server_closes_uncleanly() { assert!(!io_state.peer_has_closed()); check_read(&mut client.reader(), b"from-server!"); - check_read_err( - &mut client.reader() as &mut dyn io::Read, - io::ErrorKind::UnexpectedEof, - ); + check_read_err(&mut client.reader() as &mut dyn io::Read, io::ErrorKind::UnexpectedEof); // may still transmit pending frames transfer(&mut client, &mut server); @@ -654,8 +620,7 @@ fn client_closes_uncleanly() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions(kt, &[version]); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); do_handshake(&mut client, &mut server); // check that unclean EOF reporting does not overtake appdata @@ -680,10 +645,7 @@ fn client_closes_uncleanly() { assert!(!io_state.peer_has_closed()); check_read(&mut server.reader(), b"from-client!"); - check_read_err( - &mut server.reader() as &mut dyn io::Read, - io::ErrorKind::UnexpectedEof, - ); + check_read_err(&mut server.reader() as &mut dyn io::Read, io::ErrorKind::UnexpectedEof); // may still transmit pending frames transfer(&mut server, &mut client); @@ -708,13 +670,10 @@ fn test_tls13_valid_early_plaintext_alert() { // * The negotiated protocol version is TLS 1.3. server .read_tls(&mut io::Cursor::new( - >::into(Message::build_alert( - AlertLevel::Fatal, - AlertDescription::UnknownCA, - )) - .borrow() - .to_unencrypted_opaque() - .encode(), + >::into(Message::build_alert(AlertLevel::Fatal, AlertDescription::UnknownCA)) + .borrow() + .to_unencrypted_opaque() + .encode(), )) .unwrap(); @@ -760,13 +719,10 @@ fn test_tls13_late_plaintext_alert() { // Inject a plaintext alert from the client. The server should attempt to decrypt this message. server .read_tls(&mut io::Cursor::new( - >::into(Message::build_alert( - AlertLevel::Fatal, - AlertDescription::UnknownCA, - )) - .borrow() - .to_unencrypted_opaque() - .encode(), + >::into(Message::build_alert(AlertLevel::Fatal, AlertDescription::UnknownCA)) + .borrow() + .to_unencrypted_opaque() + .encode(), )) .unwrap(); @@ -840,14 +796,10 @@ fn server_cert_resolve_with_sni() { let client_config = make_client_config(*kt); let mut server_config = make_server_config(*kt); - server_config.cert_resolver = Arc::new(ServerCheckCertResolve { - expected_sni: Some("the-value-from-sni".into()), - ..Default::default() - }); + server_config.cert_resolver = + Arc::new(ServerCheckCertResolve { expected_sni: Some("the-value-from-sni".into()), ..Default::default() }); - let mut client = - ClientConnection::new(Arc::new(client_config), server_name("the-value-from-sni")) - .unwrap(); + let mut client = ClientConnection::new(Arc::new(client_config), server_name("the-value-from-sni")).unwrap(); let mut server = ServerConnection::new(Arc::new(server_config)).unwrap(); let err = do_handshake_until_error(&mut client, &mut server); @@ -867,8 +819,7 @@ fn server_cert_resolve_with_alpn() { ..Default::default() }); - let mut client = - ClientConnection::new(Arc::new(client_config), server_name("sni-value")).unwrap(); + let mut client = ClientConnection::new(Arc::new(client_config), server_name("sni-value")).unwrap(); let mut server = ServerConnection::new(Arc::new(server_config)).unwrap(); let err = do_handshake_until_error(&mut client, &mut server); @@ -882,13 +833,10 @@ fn client_trims_terminating_dot() { let client_config = make_client_config(*kt); let mut server_config = make_server_config(*kt); - server_config.cert_resolver = Arc::new(ServerCheckCertResolve { - expected_sni: Some("some-host.com".into()), - ..Default::default() - }); + server_config.cert_resolver = + Arc::new(ServerCheckCertResolve { expected_sni: Some("some-host.com".into()), ..Default::default() }); - let mut client = - ClientConnection::new(Arc::new(client_config), server_name("some-host.com.")).unwrap(); + let mut client = ClientConnection::new(Arc::new(client_config), server_name("some-host.com.")).unwrap(); let mut server = ServerConnection::new(Arc::new(server_config)).unwrap(); let err = do_handshake_until_error(&mut client, &mut server); @@ -897,11 +845,7 @@ fn client_trims_terminating_dot() { } #[cfg(feature = "tls12")] -fn check_sigalgs_reduced_by_ciphersuite( - kt: KeyType, - suite: CipherSuite, - expected_sigalgs: Vec, -) { +fn check_sigalgs_reduced_by_ciphersuite(kt: KeyType, suite: CipherSuite, expected_sigalgs: Vec) { let client_config = finish_client_config( kt, ClientConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS) @@ -919,8 +863,7 @@ fn check_sigalgs_reduced_by_ciphersuite( ..Default::default() }); - let mut client = - ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); + let mut client = ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); let mut server = ServerConnection::new(Arc::new(server_config)).unwrap(); let err = do_handshake_until_error(&mut client, &mut server); @@ -979,9 +922,7 @@ fn client_with_sni_disabled_does_not_send_sni() { let mut client_config = make_client_config_with_versions(*kt, &[version]); client_config.enable_sni = false; - let mut client = - ClientConnection::new(Arc::new(client_config), server_name("value-not-sent")) - .unwrap(); + let mut client = ClientConnection::new(Arc::new(client_config), server_name("value-not-sent")).unwrap(); let mut server = ServerConnection::new(Arc::clone(&server_config)).unwrap(); let err = do_handshake_until_error(&mut client, &mut server); @@ -997,11 +938,7 @@ fn client_checks_server_certificate_with_given_name() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions(*kt, &[version]); - let mut client = ClientConnection::new( - Arc::new(client_config), - server_name("not-the-right-hostname.com"), - ) - .unwrap(); + let mut client = ClientConnection::new(Arc::new(client_config), server_name("not-the-right-hostname.com")).unwrap(); let mut server = ServerConnection::new(Arc::clone(&server_config)).unwrap(); let err = do_handshake_until_error(&mut client, &mut server); @@ -1077,17 +1014,14 @@ fn client_check_server_certificate_ee_revoked() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_verifier(&[version], builder.clone()); - let mut client = - ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); + let mut client = ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); let mut server = ServerConnection::new(Arc::clone(&server_config)).unwrap(); // We expect the handshake to fail since the server's EE certificate is revoked. let err = do_handshake_until_error(&mut client, &mut server); assert_eq!( err, - Err(ErrorFromPeer::Client(Error::InvalidCertificate( - CertificateError::Revoked - ))) + Err(ErrorFromPeer::Client(Error::InvalidCertificate(CertificateError::Revoked))) ); } } @@ -1113,10 +1047,8 @@ fn client_check_server_certificate_ee_unknown_revocation() { .allow_unknown_revocation_status(); for version in rustls::ALL_VERSIONS { - let client_config = - make_client_config_with_verifier(&[version], forbid_unknown_verifier.clone()); - let mut client = - ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); + let client_config = make_client_config_with_verifier(&[version], forbid_unknown_verifier.clone()); + let mut client = ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); let mut server = ServerConnection::new(Arc::clone(&server_config)).unwrap(); // We expect if we use the forbid_unknown_verifier that the handshake will fail since the @@ -1130,10 +1062,8 @@ fn client_check_server_certificate_ee_unknown_revocation() { )); // We expect if we use the allow_unknown_verifier that the handshake will not fail. - let client_config = - make_client_config_with_verifier(&[version], allow_unknown_verifier.clone()); - let mut client = - ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); + let client_config = make_client_config_with_verifier(&[version], allow_unknown_verifier.clone()); + let mut client = ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); let mut server = ServerConnection::new(Arc::clone(&server_config)).unwrap(); let res = do_handshake_until_error(&mut client, &mut server); assert!(res.is_ok()); @@ -1162,10 +1092,8 @@ fn client_check_server_certificate_intermediate_revoked() { .allow_unknown_revocation_status(); for version in rustls::ALL_VERSIONS { - let client_config = - make_client_config_with_verifier(&[version], full_chain_verifier_builder.clone()); - let mut client = - ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); + let client_config = make_client_config_with_verifier(&[version], full_chain_verifier_builder.clone()); + let mut client = ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); let mut server = ServerConnection::new(Arc::clone(&server_config)).unwrap(); // We expect the handshake to fail when using the full chain verifier since the intermediate's @@ -1173,15 +1101,11 @@ fn client_check_server_certificate_intermediate_revoked() { let err = do_handshake_until_error(&mut client, &mut server); assert_eq!( err, - Err(ErrorFromPeer::Client(Error::InvalidCertificate( - CertificateError::Revoked - ))) + Err(ErrorFromPeer::Client(Error::InvalidCertificate(CertificateError::Revoked))) ); - let client_config = - make_client_config_with_verifier(&[version], ee_verifier_builder.clone()); - let mut client = - ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); + let client_config = make_client_config_with_verifier(&[version], ee_verifier_builder.clone()); + let mut client = ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); let mut server = ServerConnection::new(Arc::clone(&server_config)).unwrap(); // We expect the handshake to succeed when we use the verifier that only checks the EE certificate // revocation status. The revoked intermediate status should not be checked. @@ -1235,11 +1159,7 @@ struct ClientCheckCertResolve { } impl ClientCheckCertResolve { - fn new( - expect_queries: usize, - expect_root_hint_subjects: Vec>, - expect_sigschemes: Vec, - ) -> Self { + fn new(expect_queries: usize, expect_root_hint_subjects: Vec>, expect_sigschemes: Vec) -> Self { Self { query_count: AtomicUsize::new(0), expect_queries, @@ -1259,11 +1179,7 @@ impl Drop for ClientCheckCertResolve { } impl ResolvesClientCert for ClientCheckCertResolve { - fn resolve( - &self, - root_hint_subjects: &[&[u8]], - sigschemes: &[SignatureScheme], - ) -> Option> { + fn resolve(&self, root_hint_subjects: &[&[u8]], sigschemes: &[SignatureScheme]) -> Option> { self.query_count .fetch_add(1, Ordering::SeqCst); @@ -1282,11 +1198,7 @@ impl ResolvesClientCert for ClientCheckCertResolve { } } -fn test_client_cert_resolve( - key_type: KeyType, - server_config: Arc, - expected_root_hint_subjects: Vec>, -) { +fn test_client_cert_resolve(key_type: KeyType, server_config: Arc, expected_root_hint_subjects: Vec>) { for version in rustls::ALL_VERSIONS { let expected_sigschemes = match version.version { ProtocolVersion::TLSv1_2 => vec![ @@ -1320,8 +1232,7 @@ fn test_client_cert_resolve( expected_sigschemes, )); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); assert_eq!( do_handshake_until_error(&mut client, &mut server), @@ -1356,8 +1267,7 @@ fn client_cert_resolve_server_no_hints() { // arguments. for key_type in ALL_KEY_TYPES.into_iter() { // Build a verifier with no hint subjects. - let verifier = WebPkiClientVerifier::builder(get_client_root_store(key_type)) - .clear_root_hint_subjects(); + let verifier = WebPkiClientVerifier::builder(get_client_root_store(key_type)).clear_root_hint_subjects(); let server_config = make_server_config_with_client_verifier(key_type, verifier); let expected_root_hint_subjects = Vec::default(); // no hints expected. test_client_cert_resolve(key_type, server_config.into(), expected_root_hint_subjects); @@ -1374,9 +1284,7 @@ fn client_cert_resolve_server_added_hint() { match key_type { KeyType::Rsa => &b"0\x1a1\x180\x16\x06\x03U\x04\x03\x0c\x0fponytown RSA CA"[..], KeyType::Ecdsa => &b"0\x1c1\x1a0\x18\x06\x03U\x04\x03\x0c\x11ponytown ECDSA CA"[..], - KeyType::Ed25519 => { - &b"0\x1c1\x1a0\x18\x06\x03U\x04\x03\x0c\x11ponytown EdDSA CA"[..] - } + KeyType::Ed25519 => &b"0\x1c1\x1a0\x18\x06\x03U\x04\x03\x0c\x11ponytown EdDSA CA"[..], } .to_vec(), extra_name.clone(), @@ -1397,8 +1305,7 @@ fn client_auth_works() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions_with_auth(*kt, &[version]); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); do_handshake(&mut client, &mut server); } } @@ -1415,10 +1322,7 @@ fn client_mandatory_auth_client_revocation_works() { let ee_verifier_builder = WebPkiClientVerifier::builder(get_client_root_store(*kt)) .with_crls(relevant_crls) .only_check_end_entity_revocation(); - let revoked_server_config = Arc::new(make_server_config_with_client_verifier( - *kt, - ee_verifier_builder, - )); + let revoked_server_config = Arc::new(make_server_config_with_client_verifier(*kt, ee_verifier_builder)); // Create a server configuration that includes a CRL that doesn't cover the client certificate, // and uses the default behaviour of treating unknown revocation status as an error. @@ -1426,10 +1330,7 @@ fn client_mandatory_auth_client_revocation_works() { let ee_verifier_builder = WebPkiClientVerifier::builder(get_client_root_store(*kt)) .with_crls(unrelated_crls.clone()) .only_check_end_entity_revocation(); - let missing_client_crl_server_config = Arc::new(make_server_config_with_client_verifier( - *kt, - ee_verifier_builder, - )); + let missing_client_crl_server_config = Arc::new(make_server_config_with_client_verifier(*kt, ee_verifier_builder)); // Create a server configuration that includes a CRL that doesn't cover the client certificate, // but change the builder to allow unknown revocation status. @@ -1437,28 +1338,22 @@ fn client_mandatory_auth_client_revocation_works() { .with_crls(unrelated_crls.clone()) .only_check_end_entity_revocation() .allow_unknown_revocation_status(); - let allow_missing_client_crl_server_config = Arc::new( - make_server_config_with_client_verifier(*kt, ee_verifier_builder), - ); + let allow_missing_client_crl_server_config = + Arc::new(make_server_config_with_client_verifier(*kt, ee_verifier_builder)); for version in rustls::ALL_VERSIONS { // Connecting to the server with a CRL that indicates the client certificate is revoked // should fail with the expected error. - let client_config = - Arc::new(make_client_config_with_versions_with_auth(*kt, &[version])); - let (mut client, mut server) = - make_pair_for_arc_configs(&client_config, &revoked_server_config); + let client_config = Arc::new(make_client_config_with_versions_with_auth(*kt, &[version])); + let (mut client, mut server) = make_pair_for_arc_configs(&client_config, &revoked_server_config); let err = do_handshake_until_error(&mut client, &mut server); assert_eq!( err, - Err(ErrorFromPeer::Server(Error::InvalidCertificate( - CertificateError::Revoked - ))) + Err(ErrorFromPeer::Server(Error::InvalidCertificate(CertificateError::Revoked))) ); // Connecting to the server missing CRL information for the client certificate should // fail with the expected unknown revocation status error. - let (mut client, mut server) = - make_pair_for_arc_configs(&client_config, &missing_client_crl_server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&client_config, &missing_client_crl_server_config); let res = do_handshake_until_error(&mut client, &mut server); assert!(matches!( res, @@ -1468,8 +1363,7 @@ fn client_mandatory_auth_client_revocation_works() { )); // Connecting to the server missing CRL information for the client should not error // if the server's verifier allows unknown revocation status. - let (mut client, mut server) = - make_pair_for_arc_configs(&client_config, &allow_missing_client_crl_server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&client_config, &allow_missing_client_crl_server_config); let res = do_handshake_until_error(&mut client, &mut server); assert!(res.is_ok()); } @@ -1486,10 +1380,7 @@ fn client_mandatory_auth_intermediate_revocation_works() { let full_chain_verifier_builder = WebPkiClientVerifier::builder(get_client_root_store(*kt)) .with_crls(crls.clone()) .allow_unknown_revocation_status(); - let full_chain_server_config = Arc::new(make_server_config_with_client_verifier( - *kt, - full_chain_verifier_builder, - )); + let full_chain_server_config = Arc::new(make_server_config_with_client_verifier(*kt, full_chain_verifier_builder)); // Also create a server configuration that uses the same CRL, but that only checks the EE // cert revocation status. @@ -1497,28 +1388,20 @@ fn client_mandatory_auth_intermediate_revocation_works() { .with_crls(crls) .only_check_end_entity_revocation() .allow_unknown_revocation_status(); - let ee_server_config = Arc::new(make_server_config_with_client_verifier( - *kt, - ee_only_verifier_builder, - )); + let ee_server_config = Arc::new(make_server_config_with_client_verifier(*kt, ee_only_verifier_builder)); for version in rustls::ALL_VERSIONS { // When checking the full chain, we expect an error - the intermediate is revoked. - let client_config = - Arc::new(make_client_config_with_versions_with_auth(*kt, &[version])); - let (mut client, mut server) = - make_pair_for_arc_configs(&client_config, &full_chain_server_config); + let client_config = Arc::new(make_client_config_with_versions_with_auth(*kt, &[version])); + let (mut client, mut server) = make_pair_for_arc_configs(&client_config, &full_chain_server_config); let err = do_handshake_until_error(&mut client, &mut server); assert_eq!( err, - Err(ErrorFromPeer::Server(Error::InvalidCertificate( - CertificateError::Revoked - ))) + Err(ErrorFromPeer::Server(Error::InvalidCertificate(CertificateError::Revoked))) ); // However, when checking just the EE cert we expect no error - the intermediate's // revocation status should not be checked. - let (mut client, mut server) = - make_pair_for_arc_configs(&client_config, &ee_server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&client_config, &ee_server_config); assert!(do_handshake_until_error(&mut client, &mut server).is_ok()); } } @@ -1534,15 +1417,12 @@ fn client_optional_auth_client_revocation_works() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions_with_auth(*kt, &[version]); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); // Because the client certificate is revoked, the handshake should fail. let err = do_handshake_until_error(&mut client, &mut server); assert_eq!( err, - Err(ErrorFromPeer::Server(Error::InvalidCertificate( - CertificateError::Revoked - ))) + Err(ErrorFromPeer::Server(Error::InvalidCertificate(CertificateError::Revoked))) ); } } @@ -1637,10 +1517,7 @@ fn server_respects_buffer_limit_pre_handshake_with_vectored_write() { assert_eq!( server .writer() - .write_vectored(&[ - IoSlice::new(b"01234567890123456789"), - IoSlice::new(b"01234567890123456789") - ]) + .write_vectored(&[IoSlice::new(b"01234567890123456789"), IoSlice::new(b"01234567890123456789")]) .unwrap(), 32 ); @@ -1718,10 +1595,7 @@ fn client_respects_buffer_limit_pre_handshake_with_vectored_write() { assert_eq!( client .writer() - .write_vectored(&[ - IoSlice::new(b"01234567890123456789"), - IoSlice::new(b"01234567890123456789") - ]) + .write_vectored(&[IoSlice::new(b"01234567890123456789"), IoSlice::new(b"01234567890123456789")]) .unwrap(), 32 ); @@ -1978,10 +1852,7 @@ fn client_complete_io_for_write() { println!("{:?}", pipe.writevs); assert_eq!(pipe.writevs, vec![vec![42, 42]]); } - check_read( - &mut server.reader(), - b"0123456789012345678901234567890123456789", - ); + check_read(&mut server.reader(), b"0123456789012345678901234567890123456789"); } } @@ -2007,10 +1878,7 @@ fn buffered_client_complete_io_for_write() { println!("{:?}", pipe.writevs); assert_eq!(pipe.writevs, vec![vec![42, 42]]); } - check_read( - &mut server.reader(), - b"0123456789012345678901234567890123456789", - ); + check_read(&mut server.reader(), b"0123456789012345678901234567890123456789"); } } @@ -2083,10 +1951,7 @@ fn server_complete_io_for_write() { assert!(rdlen == 0 && wrlen > 0); assert_eq!(pipe.writevs, vec![vec![42, 42]]); } - check_read( - &mut client.reader(), - b"0123456789012345678901234567890123456789", - ); + check_read(&mut client.reader(), b"0123456789012345678901234567890123456789"); } } @@ -2275,10 +2140,7 @@ fn stream_write_reports_underlying_io_error_before_plaintext_processed() { let (mut client, mut server) = make_pair(KeyType::Rsa); do_handshake(&mut client, &mut server); - let mut pipe = FailsWrites { - errkind: io::ErrorKind::ConnectionAborted, - after: 0, - }; + let mut pipe = FailsWrites { errkind: io::ErrorKind::ConnectionAborted, after: 0 }; client .writer() .write_all(b"hello") @@ -2295,10 +2157,7 @@ fn stream_write_swallows_underlying_io_error_after_plaintext_processed() { let (mut client, mut server) = make_pair(KeyType::Rsa); do_handshake(&mut client, &mut server); - let mut pipe = FailsWrites { - errkind: io::ErrorKind::ConnectionAborted, - after: 1, - }; + let mut pipe = FailsWrites { errkind: io::ErrorKind::ConnectionAborted, after: 1 }; client .writer() .write_all(b"hello") @@ -2313,9 +2172,7 @@ fn make_disjoint_suite_configs() -> (ClientConfig, ServerConfig) { let server_config = finish_server_config( kt, ServerConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS) - .with_cipher_suites(&[ - rustls_mbedcrypto_provider::tls13::TLS13_CHACHA20_POLY1305_SHA256, - ]) + .with_cipher_suites(&[rustls_mbedcrypto_provider::tls13::TLS13_CHACHA20_POLY1305_SHA256]) .with_safe_default_kx_groups() .with_safe_default_protocol_versions() .unwrap(), @@ -2468,11 +2325,7 @@ fn server_exposes_offered_sni() { let kt = KeyType::Rsa; for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions(kt, &[version]); - let mut client = ClientConnection::new( - Arc::new(client_config), - server_name("second.testserver.com"), - ) - .unwrap(); + let mut client = ClientConnection::new(Arc::new(client_config), server_name("second.testserver.com")).unwrap(); let mut server = ServerConnection::new(Arc::new(make_server_config(kt))).unwrap(); assert_eq!(None, server.server_name()); @@ -2487,11 +2340,7 @@ fn server_exposes_offered_sni_smashed_to_lowercase() { let kt = KeyType::Rsa; for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions(kt, &[version]); - let mut client = ClientConnection::new( - Arc::new(client_config), - server_name("SECOND.TESTServer.com"), - ) - .unwrap(); + let mut client = ClientConnection::new(Arc::new(client_config), server_name("SECOND.TESTServer.com")).unwrap(); let mut server = ServerConnection::new(Arc::new(make_server_config(kt))).unwrap(); assert_eq!(None, server.server_name()); @@ -2512,17 +2361,13 @@ fn server_exposes_offered_sni_even_if_resolver_fails() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions(kt, &[version]); let mut server = ServerConnection::new(Arc::clone(&server_config)).unwrap(); - let mut client = - ClientConnection::new(Arc::new(client_config), server_name("thisdoesNOTexist.com")) - .unwrap(); + let mut client = ClientConnection::new(Arc::new(client_config), server_name("thisdoesNOTexist.com")).unwrap(); assert_eq!(None, server.server_name()); transfer(&mut client, &mut server); assert_eq!( server.process_new_packets(), - Err(Error::General( - "no server certificate chain resolved".to_string() - )) + Err(Error::General("no server certificate chain resolved".to_string())) ); assert_eq!(Some("thisdoesnotexist.com"), server.server_name()); } @@ -2535,10 +2380,7 @@ fn sni_resolver_works() { let signing_key = sign::RsaSigningKey::new(&kt.get_key()).unwrap(); let signing_key: Arc = Arc::new(signing_key); resolver - .add( - "localhost", - sign::CertifiedKey::new(kt.get_chain(), signing_key.clone()), - ) + .add("localhost", sign::CertifiedKey::new(kt.get_chain(), signing_key.clone())) .unwrap(); let mut server_config = make_server_config(kt); @@ -2546,17 +2388,12 @@ fn sni_resolver_works() { let server_config = Arc::new(server_config); let mut server1 = ServerConnection::new(Arc::clone(&server_config)).unwrap(); - let mut client1 = - ClientConnection::new(Arc::new(make_client_config(kt)), server_name("localhost")).unwrap(); + let mut client1 = ClientConnection::new(Arc::new(make_client_config(kt)), server_name("localhost")).unwrap(); let err = do_handshake_until_error(&mut client1, &mut server1); assert_eq!(err, Ok(())); let mut server2 = ServerConnection::new(Arc::clone(&server_config)).unwrap(); - let mut client2 = ClientConnection::new( - Arc::new(make_client_config(kt)), - server_name("notlocalhost"), - ) - .unwrap(); + let mut client2 = ClientConnection::new(Arc::new(make_client_config(kt)), server_name("notlocalhost")).unwrap(); let err = do_handshake_until_error(&mut client2, &mut server2); assert_eq!( err, @@ -2575,24 +2412,15 @@ fn sni_resolver_rejects_wrong_names() { assert_eq!( Ok(()), - resolver.add( - "localhost", - sign::CertifiedKey::new(kt.get_chain(), signing_key.clone()) - ) + resolver.add("localhost", sign::CertifiedKey::new(kt.get_chain(), signing_key.clone())) ); assert_eq!( Err(Error::InvalidCertificate(CertificateError::NotValidForName)), - resolver.add( - "not-localhost", - sign::CertifiedKey::new(kt.get_chain(), signing_key.clone()) - ) + resolver.add("not-localhost", sign::CertifiedKey::new(kt.get_chain(), signing_key.clone())) ); assert_eq!( Err(Error::General("Bad DNS name".into())), - resolver.add( - "not ascii 🦀", - sign::CertifiedKey::new(kt.get_chain(), signing_key.clone()) - ) + resolver.add("not ascii 🦀", sign::CertifiedKey::new(kt.get_chain(), signing_key.clone())) ); } @@ -2605,10 +2433,7 @@ fn sni_resolver_lower_cases_configured_names() { assert_eq!( Ok(()), - resolver.add( - "LOCALHOST", - sign::CertifiedKey::new(kt.get_chain(), signing_key.clone()) - ) + resolver.add("LOCALHOST", sign::CertifiedKey::new(kt.get_chain(), signing_key.clone())) ); let mut server_config = make_server_config(kt); @@ -2616,8 +2441,7 @@ fn sni_resolver_lower_cases_configured_names() { let server_config = Arc::new(server_config); let mut server1 = ServerConnection::new(Arc::clone(&server_config)).unwrap(); - let mut client1 = - ClientConnection::new(Arc::new(make_client_config(kt)), server_name("localhost")).unwrap(); + let mut client1 = ClientConnection::new(Arc::new(make_client_config(kt)), server_name("localhost")).unwrap(); let err = do_handshake_until_error(&mut client1, &mut server1); assert_eq!(err, Ok(())); } @@ -2632,10 +2456,7 @@ fn sni_resolver_lower_cases_queried_names() { assert_eq!( Ok(()), - resolver.add( - "localhost", - sign::CertifiedKey::new(kt.get_chain(), signing_key.clone()) - ) + resolver.add("localhost", sign::CertifiedKey::new(kt.get_chain(), signing_key.clone())) ); let mut server_config = make_server_config(kt); @@ -2643,8 +2464,7 @@ fn sni_resolver_lower_cases_queried_names() { let server_config = Arc::new(server_config); let mut server1 = ServerConnection::new(Arc::clone(&server_config)).unwrap(); - let mut client1 = - ClientConnection::new(Arc::new(make_client_config(kt)), server_name("LOCALHOST")).unwrap(); + let mut client1 = ClientConnection::new(Arc::new(make_client_config(kt)), server_name("LOCALHOST")).unwrap(); let err = do_handshake_until_error(&mut client1, &mut server1); assert_eq!(err, Ok(())); } @@ -2658,19 +2478,13 @@ fn sni_resolver_rejects_bad_certs() { assert_eq!( Err(Error::NoCertificatesPresented), - resolver.add( - "localhost", - sign::CertifiedKey::new(vec![], signing_key.clone()) - ) + resolver.add("localhost", sign::CertifiedKey::new(vec![], signing_key.clone())) ); let bad_chain = vec![CertificateDer::from(vec![0xa0])]; assert_eq!( Err(Error::InvalidCertificate(CertificateError::BadEncoding)), - resolver.add( - "localhost", - sign::CertifiedKey::new(bad_chain, signing_key.clone()) - ) + resolver.add("localhost", sign::CertifiedKey::new(bad_chain, signing_key.clone())) ); } @@ -2731,8 +2545,7 @@ fn test_tls13_exporter() { #[test] fn test_tls13_exporter_maximum_output_length() { - let client_config = - make_client_config_with_versions(KeyType::Ecdsa, &[&rustls::version::TLS13]); + let client_config = make_client_config_with_versions(KeyType::Ecdsa, &[&rustls::version::TLS13]); let server_config = make_server_config(KeyType::Ecdsa); let (mut client, mut server) = make_pair_for_configs(client_config, server_config); @@ -2746,18 +2559,10 @@ fn test_tls13_exporter_maximum_output_length() { let mut maximum_allowed_output_client = [0u8; 255 * 48]; let mut maximum_allowed_output_server = [0u8; 255 * 48]; client - .export_keying_material( - &mut maximum_allowed_output_client, - b"label", - Some(b"context"), - ) + .export_keying_material(&mut maximum_allowed_output_client, b"label", Some(b"context")) .unwrap(); server - .export_keying_material( - &mut maximum_allowed_output_server, - b"label", - Some(b"context"), - ) + .export_keying_material(&mut maximum_allowed_output_server, b"label", Some(b"context")) .unwrap(); assert_eq!(maximum_allowed_output_client, maximum_allowed_output_server); @@ -2783,11 +2588,7 @@ fn do_suite_test( expect_suite: SupportedCipherSuite, expect_version: ProtocolVersion, ) { - println!( - "do_suite_test {:?} {:?}", - expect_version, - expect_suite.suite() - ); + println!("do_suite_test {:?} {:?}", expect_version, expect_suite.suite()); let (mut client, mut server) = make_pair_for_configs(client_config, server_config); assert_eq!(None, client.negotiated_cipher_suite()); @@ -2842,16 +2643,8 @@ static TEST_CIPHERSUITES: &[(&rustls::SupportedProtocolVersion, KeyType, CipherS KeyType::Rsa, CipherSuite::TLS13_CHACHA20_POLY1305_SHA256, ), - ( - &rustls::version::TLS13, - KeyType::Rsa, - CipherSuite::TLS13_AES_256_GCM_SHA384, - ), - ( - &rustls::version::TLS13, - KeyType::Rsa, - CipherSuite::TLS13_AES_128_GCM_SHA256, - ), + (&rustls::version::TLS13, KeyType::Rsa, CipherSuite::TLS13_AES_256_GCM_SHA384), + (&rustls::version::TLS13, KeyType::Rsa, CipherSuite::TLS13_AES_128_GCM_SHA256), #[cfg(feature = "tls12")] ( &rustls::version::TLS12, @@ -2957,10 +2750,7 @@ struct KeyLogToVec { impl KeyLogToVec { fn new(who: &'static str) -> Self { - Self { - label: who, - items: Mutex::new(vec![]), - } + Self { label: who, items: Mutex::new(vec![]) } } fn take(&self) -> Vec { @@ -2970,11 +2760,7 @@ impl KeyLogToVec { impl KeyLog for KeyLogToVec { fn log(&self, label: &str, client: &[u8], secret: &[u8]) { - let value = KeyLogItem { - label: label.into(), - client_random: client.into(), - secret: secret.into(), - }; + let value = KeyLogItem { label: label.into(), client_random: client.into(), secret: secret.into() }; println!("key log {:?}: {:?}", self.label, value); @@ -3061,28 +2847,16 @@ fn key_log_for_tls13() { let server_resume_log = server_key_log.take(); assert_eq!(5, client_resume_log.len()); - assert_eq!( - "CLIENT_HANDSHAKE_TRAFFIC_SECRET", - client_resume_log[0].label - ); - assert_eq!( - "SERVER_HANDSHAKE_TRAFFIC_SECRET", - client_resume_log[1].label - ); + assert_eq!("CLIENT_HANDSHAKE_TRAFFIC_SECRET", client_resume_log[0].label); + assert_eq!("SERVER_HANDSHAKE_TRAFFIC_SECRET", client_resume_log[1].label); assert_eq!("CLIENT_TRAFFIC_SECRET_0", client_resume_log[2].label); assert_eq!("SERVER_TRAFFIC_SECRET_0", client_resume_log[3].label); assert_eq!("EXPORTER_SECRET", client_resume_log[4].label); assert_eq!(6, server_resume_log.len()); assert_eq!("CLIENT_EARLY_TRAFFIC_SECRET", server_resume_log[0].label); - assert_eq!( - "CLIENT_HANDSHAKE_TRAFFIC_SECRET", - server_resume_log[1].label - ); - assert_eq!( - "SERVER_HANDSHAKE_TRAFFIC_SECRET", - server_resume_log[2].label - ); + assert_eq!("CLIENT_HANDSHAKE_TRAFFIC_SECRET", server_resume_log[1].label); + assert_eq!("SERVER_HANDSHAKE_TRAFFIC_SECRET", server_resume_log[2].label); assert_eq!("CLIENT_TRAFFIC_SECRET_0", server_resume_log[3].label); assert_eq!("SERVER_TRAFFIC_SECRET_0", server_resume_log[4].label); assert_eq!("EXPORTER_SECRET", server_resume_log[5].label); @@ -3113,10 +2887,7 @@ fn vectored_write_for_server_appdata() { assert_eq!(84, wrlen); assert_eq!(pipe.writevs, vec![vec![42, 42]]); } - check_read( - &mut client.reader(), - b"0123456789012345678901234567890123456789", - ); + check_read(&mut client.reader(), b"0123456789012345678901234567890123456789"); } #[test] @@ -3138,18 +2909,14 @@ fn vectored_write_for_client_appdata() { assert_eq!(84, wrlen); assert_eq!(pipe.writevs, vec![vec![42, 42]]); } - check_read( - &mut server.reader(), - b"0123456789012345678901234567890123456789", - ); + check_read(&mut server.reader(), b"0123456789012345678901234567890123456789"); } #[test] fn vectored_write_for_server_handshake_with_half_rtt_data() { let mut server_config = make_server_config(KeyType::Rsa); server_config.send_half_rtt_data = true; - let (mut client, mut server) = - make_pair_for_configs(make_client_config_with_auth(KeyType::Rsa), server_config); + let (mut client, mut server) = make_pair_for_configs(make_client_config_with_auth(KeyType::Rsa), server_config); server .writer() @@ -3188,8 +2955,7 @@ fn vectored_write_for_server_handshake_with_half_rtt_data() { } fn check_half_rtt_does_not_work(server_config: ServerConfig) { - let (mut client, mut server) = - make_pair_for_configs(make_client_config_with_auth(KeyType::Rsa), server_config); + let (mut client, mut server) = make_pair_for_configs(make_client_config_with_auth(KeyType::Rsa), server_config); server .writer() @@ -3304,10 +3070,7 @@ fn vectored_write_with_slow_client() { + server.write_tls(&mut pipe).unwrap() + server.write_tls(&mut pipe).unwrap(); assert_eq!(42, wrlen); - assert_eq!( - pipe.writevs, - vec![vec![21], vec![10], vec![5], vec![3], vec![3]] - ); + assert_eq!(pipe.writevs, vec![vec![21], vec![10], vec![5], vec![3], vec![3]]); } check_read(&mut client.reader(), b"01234567890123456789"); } @@ -3434,11 +3197,7 @@ impl rustls::client::ClientSessionStore for ClientStorage { rc } - fn set_tls12_session( - &self, - server_name: &rustls::ServerName, - value: rustls::client::Tls12ClientSessionValue, - ) { + fn set_tls12_session(&self, server_name: &rustls::ServerName, value: rustls::client::Tls12ClientSessionValue) { self.ops .lock() .unwrap() @@ -3447,18 +3206,12 @@ impl rustls::client::ClientSessionStore for ClientStorage { .set_tls12_session(server_name, value) } - fn tls12_session( - &self, - server_name: &rustls::ServerName, - ) -> Option { + fn tls12_session(&self, server_name: &rustls::ServerName) -> Option { let rc = self.storage.tls12_session(server_name); self.ops .lock() .unwrap() - .push(ClientStorageOp::GetTls12Session( - server_name.clone(), - rc.is_some(), - )); + .push(ClientStorageOp::GetTls12Session(server_name.clone(), rc.is_some())); rc } @@ -3471,11 +3224,7 @@ impl rustls::client::ClientSessionStore for ClientStorage { .remove_tls12_session(server_name); } - fn insert_tls13_ticket( - &self, - server_name: &rustls::ServerName, - value: rustls::client::Tls13ClientSessionValue, - ) { + fn insert_tls13_ticket(&self, server_name: &rustls::ServerName, value: rustls::client::Tls13ClientSessionValue) { self.ops .lock() .unwrap() @@ -3484,20 +3233,14 @@ impl rustls::client::ClientSessionStore for ClientStorage { .insert_tls13_ticket(server_name, value); } - fn take_tls13_ticket( - &self, - server_name: &rustls::ServerName, - ) -> Option { + fn take_tls13_ticket(&self, server_name: &rustls::ServerName) -> Option { let rc = self .storage .take_tls13_ticket(server_name); self.ops .lock() .unwrap() - .push(ClientStorageOp::TakeTls13Ticket( - server_name.clone(), - rc.is_some(), - )); + .push(ClientStorageOp::TakeTls13Ticket(server_name.clone(), rc.is_some())); rc } } @@ -3715,9 +3458,7 @@ fn early_data_can_be_rejected_by_server() { #[test] fn test_client_does_not_offer_sha1() { - use rustls::internal::msgs::{ - codec::Reader, handshake::HandshakePayload, message::MessagePayload, message::OpaqueMessage, - }; + use rustls::internal::msgs::{codec::Reader, handshake::HandshakePayload, message::MessagePayload, message::OpaqueMessage}; use rustls::HandshakeType; for kt in ALL_KEY_TYPES.iter() { @@ -3755,28 +3496,16 @@ fn test_client_does_not_offer_sha1() { #[test] fn test_client_config_keyshare() { - let client_config = make_client_config_with_kx_groups( - KeyType::Rsa, - &[rustls_mbedcrypto_provider::kx_group::SECP384R1], - ); - let server_config = make_server_config_with_kx_groups( - KeyType::Rsa, - &[rustls_mbedcrypto_provider::kx_group::SECP384R1], - ); + let client_config = make_client_config_with_kx_groups(KeyType::Rsa, &[rustls_mbedcrypto_provider::kx_group::SECP384R1]); + let server_config = make_server_config_with_kx_groups(KeyType::Rsa, &[rustls_mbedcrypto_provider::kx_group::SECP384R1]); let (mut client, mut server) = make_pair_for_configs(client_config, server_config); do_handshake_until_error(&mut client, &mut server).unwrap(); } #[test] fn test_client_config_keyshare_mismatch() { - let client_config = make_client_config_with_kx_groups( - KeyType::Rsa, - &[rustls_mbedcrypto_provider::kx_group::SECP384R1], - ); - let server_config = make_server_config_with_kx_groups( - KeyType::Rsa, - &[rustls_mbedcrypto_provider::kx_group::X25519], - ); + let client_config = make_client_config_with_kx_groups(KeyType::Rsa, &[rustls_mbedcrypto_provider::kx_group::SECP384R1]); + let server_config = make_server_config_with_kx_groups(KeyType::Rsa, &[rustls_mbedcrypto_provider::kx_group::X25519]); let (mut client, mut server) = make_pair_for_configs(client_config, server_config); assert!(do_handshake_until_error(&mut client, &mut server).is_err()); } @@ -3797,10 +3526,7 @@ fn test_client_sends_helloretryrequest() { client_config.resumption = Resumption::store(storage.clone()); // but server only accepts x25519, so a HRR is required - let server_config = make_server_config_with_kx_groups( - KeyType::Rsa, - &[rustls_mbedcrypto_provider::kx_group::X25519], - ); + let server_config = make_server_config_with_kx_groups(KeyType::Rsa, &[rustls_mbedcrypto_provider::kx_group::X25519]); let (mut client, mut server) = make_pair_for_configs(client_config, server_config); @@ -3845,43 +3571,19 @@ fn test_client_sends_helloretryrequest() { // client only did following storage queries: println!("storage {:#?}", storage.ops()); assert_eq!(storage.ops().len(), 9); - assert!(matches!( - storage.ops()[0], - ClientStorageOp::TakeTls13Ticket(_, false) - )); - assert!(matches!( - storage.ops()[1], - ClientStorageOp::GetTls12Session(_, false) - )); - assert!(matches!( - storage.ops()[2], - ClientStorageOp::GetKxHint(_, None) - )); + assert!(matches!(storage.ops()[0], ClientStorageOp::TakeTls13Ticket(_, false))); + assert!(matches!(storage.ops()[1], ClientStorageOp::GetTls12Session(_, false))); + assert!(matches!(storage.ops()[2], ClientStorageOp::GetKxHint(_, None))); assert!(matches!( storage.ops()[3], ClientStorageOp::SetKxHint(_, rustls::NamedGroup::X25519) )); - assert!(matches!( - storage.ops()[4], - ClientStorageOp::RemoveTls12Session(_) - )); + assert!(matches!(storage.ops()[4], ClientStorageOp::RemoveTls12Session(_))); // server sends 4 tickets by default - assert!(matches!( - storage.ops()[5], - ClientStorageOp::InsertTls13Ticket(_) - )); - assert!(matches!( - storage.ops()[6], - ClientStorageOp::InsertTls13Ticket(_) - )); - assert!(matches!( - storage.ops()[7], - ClientStorageOp::InsertTls13Ticket(_) - )); - assert!(matches!( - storage.ops()[8], - ClientStorageOp::InsertTls13Ticket(_) - )); + assert!(matches!(storage.ops()[5], ClientStorageOp::InsertTls13Ticket(_))); + assert!(matches!(storage.ops()[6], ClientStorageOp::InsertTls13Ticket(_))); + assert!(matches!(storage.ops()[7], ClientStorageOp::InsertTls13Ticket(_))); + assert!(matches!(storage.ops()[8], ClientStorageOp::InsertTls13Ticket(_))); } #[test] @@ -3927,24 +3629,13 @@ fn test_client_rejects_hrr_with_varied_session_id() { ], ); - let server_config = make_server_config_with_kx_groups( - KeyType::Rsa, - &[rustls_mbedcrypto_provider::kx_group::X25519], - ); + let server_config = make_server_config_with_kx_groups(KeyType::Rsa, &[rustls_mbedcrypto_provider::kx_group::X25519]); let (client, server) = make_pair_for_configs(client_config, server_config); let (mut client, mut server) = (client.into(), server.into()); - transfer_altered( - &mut client, - assert_client_sends_hello_with_secp384, - &mut server, - ); + transfer_altered(&mut client, assert_client_sends_hello_with_secp384, &mut server); server.process_new_packets().unwrap(); - transfer_altered( - &mut server, - assert_server_requests_retry_and_echoes_session_id, - &mut client, - ); + transfer_altered(&mut server, assert_server_requests_retry_and_echoes_session_id, &mut client); assert_eq!( client.process_new_packets(), Err(Error::PeerMisbehaved( @@ -3980,10 +3671,7 @@ fn test_client_attempts_to_use_unsupported_kx_group() { let ops = shared_storage.ops(); println!("storage {:#?}", ops); assert_eq!(ops.len(), 9); - assert!(matches!( - ops[3], - ClientStorageOp::SetKxHint(_, rustls::NamedGroup::X25519) - )); + assert!(matches!(ops[3], ClientStorageOp::SetKxHint(_, rustls::NamedGroup::X25519))); // second handshake let (mut client_2, mut server) = make_pair_for_configs(client_config_2, server_config); @@ -4093,8 +3781,7 @@ fn test_client_mtu_reduction() { for kt in ALL_KEY_TYPES.iter() { let mut client_config = make_client_config(*kt); client_config.max_fragment_size = Some(64); - let mut client = - ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); + let mut client = ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); let writes = collect_write_lengths(&mut client); println!("writes at mtu=64: {:?}", writes); assert!(writes.iter().all(|x| *x <= 64)); @@ -4107,8 +3794,7 @@ fn test_server_mtu_reduction() { let mut server_config = make_server_config(KeyType::Rsa); server_config.max_fragment_size = Some(64); server_config.send_half_rtt_data = true; - let (mut client, mut server) = - make_pair_for_configs(make_client_config(KeyType::Rsa), server_config); + let (mut client, mut server) = make_pair_for_configs(make_client_config(KeyType::Rsa), server_config); let big_data = [0u8; 2048]; server @@ -4154,23 +3840,14 @@ fn check_client_max_fragment_size(size: usize) -> Option { #[test] fn bad_client_max_fragment_sizes() { - assert_eq!( - check_client_max_fragment_size(31), - Some(Error::BadMaxFragmentSize) - ); + assert_eq!(check_client_max_fragment_size(31), Some(Error::BadMaxFragmentSize)); assert_eq!(check_client_max_fragment_size(32), None); assert_eq!(check_client_max_fragment_size(64), None); assert_eq!(check_client_max_fragment_size(1460), None); assert_eq!(check_client_max_fragment_size(0x4000), None); assert_eq!(check_client_max_fragment_size(0x4005), None); - assert_eq!( - check_client_max_fragment_size(0x4006), - Some(Error::BadMaxFragmentSize) - ); - assert_eq!( - check_client_max_fragment_size(0xffff), - Some(Error::BadMaxFragmentSize) - ); + assert_eq!(check_client_max_fragment_size(0x4006), Some(Error::BadMaxFragmentSize)); + assert_eq!(check_client_max_fragment_size(0xffff), Some(Error::BadMaxFragmentSize)); } fn assert_lt(left: usize, right: usize) { @@ -4208,9 +3885,7 @@ fn test_server_rejects_duplicate_sni_names() { transfer_altered(&mut client, duplicate_sni_payload, &mut server); assert_eq!( server.process_new_packets(), - Err(Error::PeerMisbehaved( - PeerMisbehaved::DuplicateServerNameTypes - )) + Err(Error::PeerMisbehaved(PeerMisbehaved::DuplicateServerNameTypes)) ); } @@ -4237,9 +3912,7 @@ fn test_server_rejects_empty_sni_extension() { transfer_altered(&mut client, empty_sni_payload, &mut server); assert_eq!( server.process_new_packets(), - Err(Error::PeerMisbehaved( - PeerMisbehaved::ServerNameMustContainOneHostName - )) + Err(Error::PeerMisbehaved(PeerMisbehaved::ServerNameMustContainOneHostName)) ); } @@ -4268,9 +3941,7 @@ fn test_server_rejects_clients_without_any_kx_group_overlap() { transfer_altered(&mut client, different_kx_group, &mut server); assert_eq!( server.process_new_packets(), - Err(Error::PeerIncompatible( - PeerIncompatible::NoKxGroupsInCommon - )) + Err(Error::PeerIncompatible(PeerIncompatible::NoKxGroupsInCommon)) ); } @@ -4293,9 +3964,7 @@ fn test_client_rejects_illegal_tls13_ccs() { transfer_altered(&mut server, corrupt_ccs, &mut client); assert_eq!( client.process_new_packets(), - Err(Error::PeerMisbehaved( - PeerMisbehaved::IllegalMiddleboxChangeCipherSpec - )) + Err(Error::PeerMisbehaved(PeerMisbehaved::IllegalMiddleboxChangeCipherSpec)) ); } @@ -4328,45 +3997,28 @@ fn test_client_tls12_no_resume_after_server_downgrade() { server_config_2.session_storage = Arc::new(rustls::server::NoServerSessionStorage {}); dbg!("handshake 1"); - let mut client_1 = - ClientConnection::new(client_config.clone(), "localhost".try_into().unwrap()).unwrap(); + let mut client_1 = ClientConnection::new(client_config.clone(), "localhost".try_into().unwrap()).unwrap(); let mut server_1 = ServerConnection::new(server_config_1).unwrap(); common::do_handshake(&mut client_1, &mut server_1); assert_eq!(client_storage.ops().len(), 9); println!("hs1 storage ops: {:#?}", client_storage.ops()); - assert!(matches!( - client_storage.ops()[3], - ClientStorageOp::SetKxHint(_, _) - )); - assert!(matches!( - client_storage.ops()[4], - ClientStorageOp::RemoveTls12Session(_) - )); - assert!(matches!( - client_storage.ops()[5], - ClientStorageOp::InsertTls13Ticket(_) - )); + assert!(matches!(client_storage.ops()[3], ClientStorageOp::SetKxHint(_, _))); + assert!(matches!(client_storage.ops()[4], ClientStorageOp::RemoveTls12Session(_))); + assert!(matches!(client_storage.ops()[5], ClientStorageOp::InsertTls13Ticket(_))); dbg!("handshake 2"); - let mut client_2 = - ClientConnection::new(client_config, "localhost".try_into().unwrap()).unwrap(); + let mut client_2 = ClientConnection::new(client_config, "localhost".try_into().unwrap()).unwrap(); let mut server_2 = ServerConnection::new(Arc::new(server_config_2)).unwrap(); common::do_handshake(&mut client_2, &mut server_2); println!("hs2 storage ops: {:#?}", client_storage.ops()); assert_eq!(client_storage.ops().len(), 11); // attempt consumes a TLS1.3 ticket - assert!(matches!( - client_storage.ops()[9], - ClientStorageOp::TakeTls13Ticket(_, true) - )); + assert!(matches!(client_storage.ops()[9], ClientStorageOp::TakeTls13Ticket(_, true))); // but ends up with TLS1.2 - assert_eq!( - client_2.protocol_version(), - Some(rustls::ProtocolVersion::TLSv1_2) - ); + assert_eq!(client_2.protocol_version(), Some(rustls::ProtocolVersion::TLSv1_2)); } #[test] @@ -4443,9 +4095,7 @@ struct LogCounts { impl LogCounts { fn new() -> Self { - Self { - ..Default::default() - } + Self { ..Default::default() } } fn reset(&mut self) { @@ -4506,8 +4156,7 @@ fn test_no_warning_logging_during_successful_sessions() { for kt in ALL_KEY_TYPES.iter() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions(*kt, &[version]); - let (mut client, mut server) = - make_pair_for_configs(client_config, make_server_config(*kt)); + let (mut client, mut server) = make_pair_for_configs(client_config, make_server_config(*kt)); do_handshake(&mut client, &mut server); } } @@ -4559,15 +4208,14 @@ fn test_secret_extraction_enabled() { println!("Testing suite {:?}", suite.suite().as_str()); // Only offer the cipher suite (and protocol version) that we're testing - let mut server_config = - ServerConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS) - .with_cipher_suites(&[suite]) - .with_safe_default_kx_groups() - .with_protocol_versions(&[version]) - .unwrap() - .with_no_client_auth() - .with_single_cert(kt.get_chain(), kt.get_key()) - .unwrap(); + let mut server_config = ServerConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS) + .with_cipher_suites(&[suite]) + .with_safe_default_kx_groups() + .with_protocol_versions(&[version]) + .unwrap() + .with_no_client_auth() + .with_single_cert(kt.get_chain(), kt.get_key()) + .unwrap(); // Opt into secret extraction from both sides server_config.enable_secret_extraction = true; let server_config = Arc::new(server_config); @@ -4575,8 +4223,7 @@ fn test_secret_extraction_enabled() { let mut client_config = make_client_config(kt); client_config.enable_secret_extraction = true; - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); do_handshake(&mut client, &mut server); @@ -4595,9 +4242,7 @@ fn test_secret_extraction_enabled() { match s { ConnectionTrafficSecrets::Aes128Gcm { key, iv } => (key.as_ref(), iv.as_ref()), ConnectionTrafficSecrets::Aes256Gcm { key, iv } => (key.as_ref(), iv.as_ref()), - ConnectionTrafficSecrets::Chacha20Poly1305 { key, iv } => { - (key.as_ref(), iv.as_ref()) - } + ConnectionTrafficSecrets::Chacha20Poly1305 { key, iv } => (key.as_ref(), iv.as_ref()), _ => panic!("unexpected secret type"), } } @@ -4624,15 +4269,14 @@ fn test_secret_extraction_disabled_or_too_early() { let kt = KeyType::Rsa; for (server_enable, client_enable) in [(true, false), (false, true)] { - let mut server_config = - ServerConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS) - .with_cipher_suites(&[suite]) - .with_safe_default_kx_groups() - .with_safe_default_protocol_versions() - .unwrap() - .with_no_client_auth() - .with_single_cert(kt.get_chain(), kt.get_key()) - .unwrap(); + let mut server_config = ServerConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS) + .with_cipher_suites(&[suite]) + .with_safe_default_kx_groups() + .with_safe_default_protocol_versions() + .unwrap() + .with_no_client_auth() + .with_single_cert(kt.get_chain(), kt.get_key()) + .unwrap(); server_config.enable_secret_extraction = server_enable; let server_config = Arc::new(server_config); @@ -4750,10 +4394,7 @@ fn test_received_plaintext_backpressure() { #[test] fn test_debug_server_name_from_ip() { assert_eq!( - format!( - "{:?}", - rustls::ServerName::IpAddress("127.0.0.1".parse().unwrap()) - ), + format!("{:?}", rustls::ServerName::IpAddress("127.0.0.1".parse().unwrap())), "IpAddress(127.0.0.1)" ) } @@ -4770,13 +4411,11 @@ fn test_debug_server_name_from_string() { fn test_explicit_provider_selection() { let client_config = finish_client_config( KeyType::Rsa, - rustls::ClientConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS) - .with_safe_defaults(), + rustls::ClientConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS).with_safe_defaults(), ); let server_config = finish_server_config( KeyType::Rsa, - rustls::ServerConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS) - .with_safe_defaults(), + rustls::ServerConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS).with_safe_defaults(), ); let (mut client, mut server) = make_pair_for_configs(client_config, server_config); @@ -4795,11 +4434,7 @@ impl rustls::crypto::CryptoProvider for FaultyRandomProvider { fn fill_random(&self, output: &mut [u8]) -> Result<(), rustls::crypto::GetRandomFailed> { let mut queue = self.rand_queue.lock().unwrap(); - println!( - "fill_random request for {} bytes (got {})", - output.len(), - queue.len() - ); + println!("fill_random request for {} bytes (got {})", output.len(), queue.len()); if queue.len() < output.len() { return Err(rustls::crypto::GetRandomFailed); @@ -4822,10 +4457,8 @@ impl rustls::crypto::CryptoProvider for FaultyRandomProvider { #[test] fn test_client_construction_fails_if_random_source_fails_in_first_request() { - static PROVIDER: FaultyRandomProvider = FaultyRandomProvider { - parent: rustls_mbedcrypto_provider::MBEDTLS, - rand_queue: Mutex::new(b""), - }; + static PROVIDER: FaultyRandomProvider = + FaultyRandomProvider { parent: rustls_mbedcrypto_provider::MBEDTLS, rand_queue: Mutex::new(b"") }; let client_config = finish_client_config( KeyType::Rsa, diff --git a/rustls-mbedcrypto-provider/tests/client_cert_verifier.rs b/rustls-mbedcrypto-provider/tests/client_cert_verifier.rs index 5b76071..6c4c2f2 100644 --- a/rustls-mbedcrypto-provider/tests/client_cert_verifier.rs +++ b/rustls-mbedcrypto-provider/tests/client_cert_verifier.rs @@ -10,17 +10,16 @@ mod common; use crate::common::{ - do_handshake_until_both_error, do_handshake_until_error, get_client_root_store, - make_client_config_with_versions, make_client_config_with_versions_with_auth, - make_pair_for_arc_configs, server_name, ErrorFromPeer, KeyType, ALL_KEY_TYPES, + do_handshake_until_both_error, do_handshake_until_error, get_client_root_store, make_client_config_with_versions, + make_client_config_with_versions_with_auth, make_pair_for_arc_configs, server_name, ErrorFromPeer, KeyType, ALL_KEY_TYPES, }; use rustls::client::danger::HandshakeSignatureValid; use rustls::client::WebPkiServerVerifier; use rustls::internal::msgs::handshake::DistinguishedName; use rustls::server::danger::{ClientCertVerified, ClientCertVerifier}; use rustls::{ - AlertDescription, ClientConnection, DigitallySignedStruct, Error, InvalidMessage, ServerConfig, - ServerConnection, SignatureScheme, + AlertDescription, ClientConnection, DigitallySignedStruct, Error, InvalidMessage, ServerConfig, ServerConnection, + SignatureScheme, }; use pki_types::{CertificateDer, UnixTime}; @@ -42,10 +41,7 @@ fn ver_err() -> Result { Err(Error::General("test err".to_string())) } -fn server_config_with_verifier( - kt: KeyType, - client_cert_verifier: MockClientVerifier, -) -> ServerConfig { +fn server_config_with_verifier(kt: KeyType, client_cert_verifier: MockClientVerifier) -> ServerConfig { ServerConfig::builder() .with_safe_defaults() .with_client_cert_verifier(Arc::new(client_cert_verifier)) @@ -63,8 +59,7 @@ fn client_verifier_works() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions_with_auth(*kt, &[version]); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config.clone()), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config.clone()), &server_config); let err = do_handshake_until_error(&mut client, &mut server); assert_eq!(err, Ok(())); } @@ -82,8 +77,7 @@ fn client_verifier_no_schemes() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions_with_auth(*kt, &[version]); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config.clone()), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config.clone()), &server_config); let err = do_handshake_until_error(&mut client, &mut server); assert_eq!( err, @@ -106,16 +100,13 @@ fn client_verifier_no_auth_yes_root() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions(*kt, &[version]); let mut server = ServerConnection::new(Arc::clone(&server_config)).unwrap(); - let mut client = - ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); + let mut client = ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); let errs = do_handshake_until_both_error(&mut client, &mut server); assert_eq!( errs, Err(vec![ ErrorFromPeer::Server(Error::NoCertificatesPresented), - ErrorFromPeer::Client(Error::AlertReceived( - AlertDescription::CertificateRequired - )) + ErrorFromPeer::Client(Error::AlertReceived(AlertDescription::CertificateRequired)) ]) ); } @@ -133,13 +124,9 @@ fn client_verifier_fails_properly() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions_with_auth(*kt, &[version]); let mut server = ServerConnection::new(Arc::clone(&server_config)).unwrap(); - let mut client = - ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); + let mut client = ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap(); let err = do_handshake_until_error(&mut client, &mut server); - assert_eq!( - err, - Err(ErrorFromPeer::Server(Error::General("test err".into()))) - ); + assert_eq!(err, Err(ErrorFromPeer::Server(Error::General("test err".into())))); } } } diff --git a/rustls-mbedcrypto-provider/tests/common/mod.rs b/rustls-mbedcrypto-provider/tests/common/mod.rs index 129aff6..4d7b7b8 100644 --- a/rustls-mbedcrypto-provider/tests/common/mod.rs +++ b/rustls-mbedcrypto-provider/tests/common/mod.rs @@ -248,29 +248,22 @@ impl KeyType { fn get_client_key(&self) -> PrivateKeyDer<'static> { PrivateKeyDer::Pkcs8( - rustls_pemfile::pkcs8_private_keys(&mut io::BufReader::new( - self.bytes_for("client.key"), - )) - .next() - .unwrap() - .unwrap(), + rustls_pemfile::pkcs8_private_keys(&mut io::BufReader::new(self.bytes_for("client.key"))) + .next() + .unwrap() + .unwrap(), ) } fn get_crl(&self, role: &str) -> CertificateRevocationListDer<'static> { - rustls_pemfile::crls(&mut io::BufReader::new( - self.bytes_for(&format!("{role}.revoked.crl.pem")), - )) - .map(|result| result.unwrap()) - .next() // We only expect one CRL. - .unwrap() + rustls_pemfile::crls(&mut io::BufReader::new(self.bytes_for(&format!("{role}.revoked.crl.pem")))) + .map(|result| result.unwrap()) + .next() // We only expect one CRL. + .unwrap() } } -pub fn finish_server_config( - kt: KeyType, - conf: rustls::ConfigBuilder, -) -> ServerConfig { +pub fn finish_server_config(kt: KeyType, conf: rustls::ConfigBuilder) -> ServerConfig { conf.with_no_client_auth() .with_single_cert(kt.get_chain(), kt.get_key()) .unwrap() @@ -279,15 +272,11 @@ pub fn finish_server_config( pub fn make_server_config(kt: KeyType) -> ServerConfig { finish_server_config( kt, - ServerConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS) - .with_safe_defaults(), + ServerConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS).with_safe_defaults(), ) } -pub fn make_server_config_with_versions( - kt: KeyType, - versions: &[&'static rustls::SupportedProtocolVersion], -) -> ServerConfig { +pub fn make_server_config_with_versions(kt: KeyType, versions: &[&'static rustls::SupportedProtocolVersion]) -> ServerConfig { finish_server_config( kt, ServerConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS) @@ -329,17 +318,11 @@ pub fn make_server_config_with_mandatory_client_auth_crls( kt: KeyType, crls: Vec>, ) -> ServerConfig { - make_server_config_with_client_verifier( - kt, - WebPkiClientVerifier::builder(get_client_root_store(kt)).with_crls(crls), - ) + make_server_config_with_client_verifier(kt, WebPkiClientVerifier::builder(get_client_root_store(kt)).with_crls(crls)) } pub fn make_server_config_with_mandatory_client_auth(kt: KeyType) -> ServerConfig { - make_server_config_with_client_verifier( - kt, - WebPkiClientVerifier::builder(get_client_root_store(kt)), - ) + make_server_config_with_client_verifier(kt, WebPkiClientVerifier::builder(get_client_root_store(kt))) } pub fn make_server_config_with_optional_client_auth( @@ -355,10 +338,7 @@ pub fn make_server_config_with_optional_client_auth( ) } -pub fn make_server_config_with_client_verifier( - kt: KeyType, - verifier_builder: ClientCertVerifierBuilder, -) -> ServerConfig { +pub fn make_server_config_with_client_verifier(kt: KeyType, verifier_builder: ClientCertVerifierBuilder) -> ServerConfig { ServerConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS) .with_safe_defaults() .with_client_cert_verifier(verifier_builder.build().unwrap()) @@ -366,15 +346,10 @@ pub fn make_server_config_with_client_verifier( .unwrap() } -pub fn finish_client_config( - kt: KeyType, - config: rustls::ConfigBuilder, -) -> ClientConfig { +pub fn finish_client_config(kt: KeyType, config: rustls::ConfigBuilder) -> ClientConfig { let mut root_store = RootCertStore::empty(); let mut rootbuf = io::BufReader::new(kt.bytes_for("ca.cert")); - root_store.add_parsable_certificates( - rustls_pemfile::certs(&mut rootbuf).map(|result| result.unwrap()), - ); + root_store.add_parsable_certificates(rustls_pemfile::certs(&mut rootbuf).map(|result| result.unwrap())); config .with_root_certificates(root_store) @@ -388,9 +363,7 @@ pub fn finish_client_config_with_creds( let mut root_store = RootCertStore::empty(); let mut rootbuf = io::BufReader::new(kt.bytes_for("ca.cert")); // Passing a reference here just for testing. - root_store.add_parsable_certificates( - rustls_pemfile::certs(&mut rootbuf).map(|result| result.unwrap()), - ); + root_store.add_parsable_certificates(rustls_pemfile::certs(&mut rootbuf).map(|result| result.unwrap())); config .with_root_certificates(root_store) @@ -401,8 +374,7 @@ pub fn finish_client_config_with_creds( pub fn make_client_config(kt: KeyType) -> ClientConfig { finish_client_config( kt, - ClientConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS) - .with_safe_defaults(), + ClientConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS).with_safe_defaults(), ) } @@ -418,10 +390,7 @@ pub fn make_client_config_with_kx_groups( finish_client_config(kt, builder) } -pub fn make_client_config_with_versions( - kt: KeyType, - versions: &[&'static rustls::SupportedProtocolVersion], -) -> ClientConfig { +pub fn make_client_config_with_versions(kt: KeyType, versions: &[&'static rustls::SupportedProtocolVersion]) -> ClientConfig { let builder = ClientConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS) .with_safe_default_cipher_suites() .with_safe_default_kx_groups() @@ -433,8 +402,7 @@ pub fn make_client_config_with_versions( pub fn make_client_config_with_auth(kt: KeyType) -> ClientConfig { finish_client_config_with_creds( kt, - ClientConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS) - .with_safe_defaults(), + ClientConfig::builder_with_provider(rustls_mbedcrypto_provider::MBEDTLS).with_safe_defaults(), ) } @@ -468,10 +436,7 @@ pub fn make_pair(kt: KeyType) -> (ClientConnection, ServerConnection) { make_pair_for_configs(make_client_config(kt), make_server_config(kt)) } -pub fn make_pair_for_configs( - client_config: ClientConfig, - server_config: ServerConfig, -) -> (ClientConnection, ServerConnection) { +pub fn make_pair_for_configs(client_config: ClientConfig, server_config: ServerConfig) -> (ClientConnection, ServerConnection) { make_pair_for_arc_configs(&Arc::new(client_config), &Arc::new(server_config)) } @@ -505,10 +470,7 @@ pub enum ErrorFromPeer { Server(Error), } -pub fn do_handshake_until_error( - client: &mut ClientConnection, - server: &mut ServerConnection, -) -> Result<(), ErrorFromPeer> { +pub fn do_handshake_until_error(client: &mut ClientConnection, server: &mut ServerConnection) -> Result<(), ErrorFromPeer> { while server.is_handshaking() || client.is_handshaking() { transfer(client, server); server diff --git a/rustls-mbedcrypto-provider/tests/key_log_file_env.rs b/rustls-mbedcrypto-provider/tests/key_log_file_env.rs index 3dd3307..5b467b1 100644 --- a/rustls-mbedcrypto-provider/tests/key_log_file_env.rs +++ b/rustls-mbedcrypto-provider/tests/key_log_file_env.rs @@ -32,8 +32,7 @@ mod common; use crate::common::{ - do_handshake, make_client_config_with_versions, make_pair_for_arc_configs, make_server_config, - transfer, KeyType, + do_handshake, make_client_config_with_versions, make_pair_for_arc_configs, make_server_config, transfer, KeyType, }; use std::{ env, @@ -74,8 +73,7 @@ fn exercise_key_log_file_for_client() { let mut client_config = make_client_config_with_versions(KeyType::Rsa, &[version]); client_config.key_log = Arc::new(rustls::KeyLogFile::new()); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); assert_eq!(5, client.writer().write(b"hello").unwrap()); @@ -98,8 +96,7 @@ fn exercise_key_log_file_for_server() { for version in rustls::ALL_VERSIONS { let client_config = make_client_config_with_versions(KeyType::Rsa, &[version]); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); assert_eq!(5, client.writer().write(b"hello").unwrap()); diff --git a/rustls-mbedcrypto-provider/tests/server_cert_verifier.rs b/rustls-mbedcrypto-provider/tests/server_cert_verifier.rs index 29dc192..7eced80 100644 --- a/rustls-mbedcrypto-provider/tests/server_cert_verifier.rs +++ b/rustls-mbedcrypto-provider/tests/server_cert_verifier.rs @@ -9,8 +9,8 @@ mod common; use crate::common::{ - do_handshake, do_handshake_until_both_error, make_client_config_with_versions, - make_pair_for_arc_configs, make_server_config, ErrorFromPeer, ALL_KEY_TYPES, + do_handshake, do_handshake_until_both_error, make_client_config_with_versions, make_pair_for_arc_configs, + make_server_config, ErrorFromPeer, ALL_KEY_TYPES, }; use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier}; use rustls::client::WebPkiServerVerifier; @@ -34,8 +34,7 @@ fn client_can_override_certificate_verification() { .dangerous() .set_certificate_verifier(verifier.clone()); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); do_handshake(&mut client, &mut server); } } @@ -44,9 +43,9 @@ fn client_can_override_certificate_verification() { #[test] fn client_can_override_certificate_verification_and_reject_certificate() { for kt in ALL_KEY_TYPES.iter() { - let verifier = Arc::new(MockServerVerifier::rejects_certificate( - Error::InvalidMessage(InvalidMessage::HandshakePayloadTooLarge), - )); + let verifier = Arc::new(MockServerVerifier::rejects_certificate(Error::InvalidMessage( + InvalidMessage::HandshakePayloadTooLarge, + ))); let server_config = Arc::new(make_server_config(*kt)); @@ -56,15 +55,12 @@ fn client_can_override_certificate_verification_and_reject_certificate() { .dangerous() .set_certificate_verifier(verifier.clone()); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); let errs = do_handshake_until_both_error(&mut client, &mut server); assert_eq!( errs, Err(vec![ - ErrorFromPeer::Client(Error::InvalidMessage( - InvalidMessage::HandshakePayloadTooLarge, - )), + ErrorFromPeer::Client(Error::InvalidMessage(InvalidMessage::HandshakePayloadTooLarge,)), ErrorFromPeer::Server(Error::AlertReceived(AlertDescription::HandshakeFailure)), ]), ); @@ -77,9 +73,9 @@ fn client_can_override_certificate_verification_and_reject_certificate() { fn client_can_override_certificate_verification_and_reject_tls12_signatures() { for kt in ALL_KEY_TYPES.iter() { let mut client_config = make_client_config_with_versions(*kt, &[&rustls::version::TLS12]); - let verifier = Arc::new(MockServerVerifier::rejects_tls12_signatures( - Error::InvalidMessage(InvalidMessage::HandshakePayloadTooLarge), - )); + let verifier = Arc::new(MockServerVerifier::rejects_tls12_signatures(Error::InvalidMessage( + InvalidMessage::HandshakePayloadTooLarge, + ))); client_config .dangerous() @@ -87,15 +83,12 @@ fn client_can_override_certificate_verification_and_reject_tls12_signatures() { let server_config = Arc::new(make_server_config(*kt)); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); let errs = do_handshake_until_both_error(&mut client, &mut server); assert_eq!( errs, Err(vec![ - ErrorFromPeer::Client(Error::InvalidMessage( - InvalidMessage::HandshakePayloadTooLarge, - )), + ErrorFromPeer::Client(Error::InvalidMessage(InvalidMessage::HandshakePayloadTooLarge,)), ErrorFromPeer::Server(Error::AlertReceived(AlertDescription::HandshakeFailure)), ]), ); @@ -106,9 +99,9 @@ fn client_can_override_certificate_verification_and_reject_tls12_signatures() { fn client_can_override_certificate_verification_and_reject_tls13_signatures() { for kt in ALL_KEY_TYPES.iter() { let mut client_config = make_client_config_with_versions(*kt, &[&rustls::version::TLS13]); - let verifier = Arc::new(MockServerVerifier::rejects_tls13_signatures( - Error::InvalidMessage(InvalidMessage::HandshakePayloadTooLarge), - )); + let verifier = Arc::new(MockServerVerifier::rejects_tls13_signatures(Error::InvalidMessage( + InvalidMessage::HandshakePayloadTooLarge, + ))); client_config .dangerous() @@ -116,15 +109,12 @@ fn client_can_override_certificate_verification_and_reject_tls13_signatures() { let server_config = Arc::new(make_server_config(*kt)); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); let errs = do_handshake_until_both_error(&mut client, &mut server); assert_eq!( errs, Err(vec![ - ErrorFromPeer::Client(Error::InvalidMessage( - InvalidMessage::HandshakePayloadTooLarge, - )), + ErrorFromPeer::Client(Error::InvalidMessage(InvalidMessage::HandshakePayloadTooLarge,)), ErrorFromPeer::Server(Error::AlertReceived(AlertDescription::HandshakeFailure)), ]), ); @@ -144,15 +134,12 @@ fn client_can_override_certificate_verification_and_offer_no_signature_schemes() .dangerous() .set_certificate_verifier(verifier.clone()); - let (mut client, mut server) = - make_pair_for_arc_configs(&Arc::new(client_config), &server_config); + let (mut client, mut server) = make_pair_for_arc_configs(&Arc::new(client_config), &server_config); let errs = do_handshake_until_both_error(&mut client, &mut server); assert_eq!( errs, Err(vec![ - ErrorFromPeer::Server(Error::PeerIncompatible( - rustls::PeerIncompatible::NoSignatureSchemesInCommon - )), + ErrorFromPeer::Server(Error::PeerIncompatible(rustls::PeerIncompatible::NoSignatureSchemesInCommon)), ErrorFromPeer::Client(Error::AlertReceived(AlertDescription::HandshakeFailure)), ]) ); @@ -193,10 +180,7 @@ impl ServerCertVerifier for MockServerVerifier { cert: &CertificateDer<'_>, dss: &DigitallySignedStruct, ) -> Result { - println!( - "verify_tls12_signature({:?}, {:?}, {:?})", - message, cert, dss - ); + println!("verify_tls12_signature({:?}, {:?}, {:?})", message, cert, dss); if let Some(error) = &self.tls12_signature_error { Err(error.clone()) } else { @@ -210,10 +194,7 @@ impl ServerCertVerifier for MockServerVerifier { cert: &CertificateDer<'_>, dss: &DigitallySignedStruct, ) -> Result { - println!( - "verify_tls13_signature({:?}, {:?}, {:?})", - message, cert, dss - ); + println!("verify_tls13_signature({:?}, {:?}, {:?})", message, cert, dss); if let Some(error) = &self.tls13_signature_error { Err(error.clone()) } else { @@ -228,38 +209,23 @@ impl ServerCertVerifier for MockServerVerifier { impl MockServerVerifier { pub fn accepts_anything() -> Self { - MockServerVerifier { - cert_rejection_error: None, - ..Default::default() - } + MockServerVerifier { cert_rejection_error: None, ..Default::default() } } pub fn rejects_certificate(err: Error) -> Self { - MockServerVerifier { - cert_rejection_error: Some(err), - ..Default::default() - } + MockServerVerifier { cert_rejection_error: Some(err), ..Default::default() } } pub fn rejects_tls12_signatures(err: Error) -> Self { - MockServerVerifier { - tls12_signature_error: Some(err), - ..Default::default() - } + MockServerVerifier { tls12_signature_error: Some(err), ..Default::default() } } pub fn rejects_tls13_signatures(err: Error) -> Self { - MockServerVerifier { - tls13_signature_error: Some(err), - ..Default::default() - } + MockServerVerifier { tls13_signature_error: Some(err), ..Default::default() } } pub fn offers_no_signature_schemes() -> Self { - MockServerVerifier { - signature_schemes: vec![], - ..Default::default() - } + MockServerVerifier { signature_schemes: vec![], ..Default::default() } } }