0.23.x API gap reduction #470
Merged
In a few places we create named bindings without needing them. In a couple other places we're doing work with explicit `match`'s that could be done more naturally with `map()`/`and_then()`/`unwrap_or()`.
This commit adds `rustls_connection_get_negotiated_key_exchange_group()` and `rustls_connection_get_negotiated_key_exchange_group_name()` functions. These operate similarly to the existing `rustls_connection_get_negotiated_ciphersuite()` and `rustls_connection_get_negotiated_ciphersuite_name()` functions, except returning details of the negotiated key exchange group (when available) as opposed to the ciphersuite.
ctz approved these changes Oct 4, 2024
Adds a `rustls_connection_refresh_traffic_keys()` fn for queuing a traffic key refresh, e.g. because you know the connection is about to be idle for a long time and you wish to roll keys ahead of this. There's not a great place to use this from `client.c` or `server.c` so for now I've added this API without integration test coverage.
This commit exposes the upstream `rustls::CertifiedKey::keys_match()` fn, and uses it in the test `common.c` helper for loading a `rustls_certified_key`. This lets us bail early for mismatched certs/keys, and offers downstream projects the chance to do similar.
This commit adds a new crate feature `cert_compression` that when enabled will activate the `rustls/brotli` and `rustls/zlib` features. This in turn will update client and server connections to attempt to use RFC 8879[0] certificate compression.

No support is provided for implementing custom compression algorithms. I suspect the need for this is quite niche. Similarly there's no API surface for enabling the crate feature but disabling compression support per-connection. Let's wait for someone with a use-case to come along before making things more complicated.

Both Makefiles and the CMake build are updated to _disable_ the feature by default, toggleable with CERT_COMPRESSION=true build variable. This is disabled by default because the zlib-rs crate requires a MSRV of 1.73+.

[0]: https://www.rfc-editor.org/rfc/rfc8879
This commit adds a new `rustls_web_pki_server_cert_verifier_enforce_revocation_expiry()` fn that can update the CRL expiration policy of a `rustls_web_pki_server_cert_verifier_builder` instance to enforce that the CRL's nextUpdate is not in the past. This augments the existing controls for revocation checking depth, and unknown status error handling. By default we match the upstream default behaviour and ignore CRL expiration.
This commit adds a `rustls_connection_handshake_kind()` fn for getting the handshake kind of a `rustls_connection`. The kind of connection is returned as a `rustls_handshake_kind` enum, which can be translated to a `rustls_str` using `rustls_handshake_kind_str()`. The `rustls_handshake_kind` enum has variants for full, full with hello retry request, and resumed handshake types matching the upstream `rustls::HandshakeKind` enum.
cpu force-pushed the cpu-api-gap-reduction branch from 2a23f09 to 4a5f903 on October 4, 2024 16:10
Merging with one review on the assumption this is going to sit in |
Trying to narrow the gap between features `rustls` has added upstream and what we expose in `rustls-ffi`. This brings us close to having covered all the major additions from the past year or two of releases.

I think there are three main gaps remaining (besides those mentioned in #214):

I will probably knock out the first two in the coming weeks. I'd prefer to hold off on the unbuffered API for the moment.

From the 0.23.11 release we get:

- `rustls_connection_get_negotiated_key_exchange_group()` and `rustls_connection_get_negotiated_key_exchange_group_name()` to match `negotiated_key_exchange_group()`.
- `rustls_connection_refresh_traffic_keys()` to match `refresh_traffic_keys()`
- `rustls_certified_key_keys_match()` to match `keys_match()`

From the 0.23.9 release we get:

- `cert_compression`, that activates `rustls/brotli` and `rustls/zlib`. This feature is off-by-default due to MSRV reasons but can be toggled with the `CERT_COMPRESSION` build var.

From the 0.23.8 release we get:

- `rustls_web_pki_server_cert_verifier_enforce_revocation_expiry()` to match `enforce_revocation_expiration()`

From the 0.23.5 release we get:

- `rustls_connection_handshake_kind()` and `rustls_handshake_kind_str()` to match `handshake_kind()`.