rustls · cpu · Oct 4, 2024 · Oct 1, 2024 · Oct 1, 2024 · Oct 1, 2024
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -82,6 +82,23 @@ jobs:
         run: sudo apt-get update && sudo apt-get install -y valgrind
       - run: VALGRIND=valgrind make PROFILE=release test integration
 
+  cert-compression:
+    name: Certificate Compression
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Install nightly rust toolchain
+        uses: dtolnay/rust-toolchain@nightly
+      - name: Unit tests
+        run: make PROFILE=debug CERT_COMPRESSION=true test
+      - name: Integration tests
+        run: make PROFILE=debug CERT_COMPRESSION=true integration
+
   test-windows-cmake-debug:
     name: Windows CMake, Debug configuration
     runs-on: windows-latest
@@ -130,6 +147,27 @@ jobs:
           CLIENT_BINARY: D:\a\rustls-ffi\rustls-ffi\build\tests\Release\client.exe
           SERVER_BINARY: D:\a\rustls-ffi\rustls-ffi\build\tests\Release\server.exe
 
+  test-windows-cmake-compression:
+    name: Windows CMake, Cert. Compression
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Install nightly rust toolchain
+        uses: dtolnay/rust-toolchain@nightly
+      - name: Install NASM for aws-lc-rs
+        uses: ilammy/setup-nasm@v1
+      - name: Configure CMake enabling cert compression
+        run: cmake -DCERT_COMPRESSION="true" -S . -B build
+      - name: Build, release configuration, compression
+        run: cmake --build build --config Release
+      - name: Integration test, release configuration, compression
+        run: cargo test --features=cert_compression --locked --test client_server client_server_integration -- --ignored --exact
+        env:
+          CLIENT_BINARY: D:\a\rustls-ffi\rustls-ffi\build\tests\Release\client.exe
+          SERVER_BINARY: D:\a\rustls-ffi\rustls-ffi\build\tests\Release\server.exe
+
   ensure-header-updated:
     runs-on: ubuntu-latest
     steps:

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -8,13 +8,19 @@ if (NOT (CRYPTO_PROVIDER STREQUAL "aws-lc-rs" OR CRYPTO_PROVIDER STREQUAL "ring"
     message(FATAL_ERROR "Invalid crypto provider specified: ${CRYPTO_PROVIDER}. Must be 'aws-lc-rs' or 'ring'.")
 endif ()
 
+set(CERT_COMPRESSION "false" CACHE STRING "Whether to enable brotli and zlib certificate compression support")
+
 set(CARGO_FEATURES --no-default-features)
 if (CRYPTO_PROVIDER STREQUAL "aws-lc-rs")
     list(APPEND CARGO_FEATURES --features=aws-lc-rs)
 elseif (CRYPTO_PROVIDER STREQUAL "ring")
     list(APPEND CARGO_FEATURES --features=ring)
 endif ()
 
+if (CERT_COMPRESSION STREQUAL "true")
+    list(APPEND CARGO_FEATURES --features=cert_compression)
+endif ()
+
 add_subdirectory(tests)
 
 include(ExternalProject)

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -23,6 +23,7 @@ read_buf = ["rustls/read_buf"]
 capi = []
 ring = ["rustls/ring", "webpki/ring"]
 aws-lc-rs = ["rustls/aws-lc-rs", "webpki/aws_lc_rs"]
+cert_compression = ["rustls/brotli", "rustls/zlib"]
 
 [dependencies]
 # Keep in sync with RUSTLS_CRATE_VERSION in build.rs

diff --git a/Makefile b/Makefile
@@ -10,6 +10,7 @@ CARGOFLAGS += --locked
 CFLAGS := -Werror -Wall -Wextra -Wpedantic -g -I src/
 PROFILE := release
 CRYPTO_PROVIDER := aws-lc-rs
+COMPRESSION := false
 DESTDIR=/usr/local
 
 ifeq ($(PROFILE), debug)
@@ -35,6 +36,11 @@ else ifeq ($(CRYPTO_PROVIDER), ring)
 	CARGOFLAGS += --no-default-features --features ring
 endif
 
+ifeq ($(COMPRESSION), true)
+	CARGOFLAGS += --features cert_compression
+	LDFLAGS += -lm
+endif
+
 all: target/client target/server
 
 test: all

diff --git a/Makefile.pkg-config b/Makefile.pkg-config
@@ -14,6 +14,7 @@ CARGOFLAGS += --locked
 CFLAGS := -Werror -Wall -Wextra -Wpedantic -g -I src/
 PROFILE := release
 CRYPTO_PROVIDER := aws-lc-rs
+CERT_COMPRESSION := false
 PREFIX=/usr/local
 
 ifeq ($(PROFILE), debug)
@@ -34,6 +35,10 @@ else ifeq ($(CRYPTO_PROVIDER), ring)
 	CARGOFLAGS += --no-default-features --features ring
 endif
 
+ifeq ($(CERT_COMPRESSION), true)
+	CARGOFLAGS += --features cert_compression
+endif
+
 all: target/client target/server
 
 integration: all

diff --git a/src/cipher.rs b/src/cipher.rs
@@ -16,7 +16,7 @@ use rustls::server::WebPkiClientVerifier;
 use rustls::sign::CertifiedKey;
 use rustls::{DistinguishedName, RootCertStore, SupportedCipherSuite};
 use rustls_pemfile::{certs, crls};
-use webpki::{RevocationCheckDepth, UnknownStatusPolicy};
+use webpki::{ExpirationPolicy, RevocationCheckDepth, UnknownStatusPolicy};
 
 use crate::crypto_provider::{rustls_crypto_provider, rustls_signing_key};
 use crate::enums::rustls_tls_version;
@@ -300,6 +300,25 @@ impl rustls_certified_key {
         }
     }
 
+    /// Verify the consistency of this `rustls_certified_key`'s public and private keys.
+    ///
+    /// This is done by performing a comparison of subject public key information (SPKI) bytes
+    /// between the certificate and private key.
+    ///
+    /// If the private key matches the certificate this function returns `RUSTLS_RESULT_OK`,
+    /// otherwise an error `rustls_result` is returned.
+    #[no_mangle]
+    pub extern "C" fn rustls_certified_key_keys_match(
+        key: *const rustls_certified_key,
+    ) -> rustls_result {
+        ffi_panic_boundary! {
+            match try_ref_from_ptr!(key).keys_match() {
+                Ok(_) => rustls_result::Ok,
+                Err(e) => map_error(e),
+            }
+        }
+    }
+
     /// "Free" a certified_key previously returned from `rustls_certified_key_build`.
     ///
     /// Since certified_key is actually an atomically reference-counted pointer,
@@ -871,6 +890,7 @@ pub(crate) struct ServerCertVerifierBuilder {
     crls: Vec<CertificateRevocationListDer<'static>>,
     revocation_depth: RevocationCheckDepth,
     revocation_policy: UnknownStatusPolicy,
+    revocation_expiration_policy: ExpirationPolicy,
 }
 
 impl ServerCertVerifierBuilder {
@@ -907,6 +927,7 @@ impl ServerCertVerifierBuilder {
                 crls: Vec::default(),
                 revocation_depth: RevocationCheckDepth::Chain,
                 revocation_policy: UnknownStatusPolicy::Deny,
+                revocation_expiration_policy: ExpirationPolicy::Ignore,
             }))
         }
     }
@@ -927,7 +948,8 @@ impl ServerCertVerifierBuilder {
     /// `rustls_web_pki_server_cert_verifier_only_check_end_entity_revocation` is used. Unknown
     /// revocation status for certificates considered for revocation status will be treated as
     /// an error unless `rustls_web_pki_server_cert_verifier_allow_unknown_revocation_status` is
-    /// used.
+    /// used. Expired CRLs will not be treated as an error unless
+    /// `rustls_web_pki_server_cert_verifier_enforce_revocation_expiry` is used.
     ///
     /// This copies the contents of the `rustls_root_cert_store`. It does not take
     /// ownership of the pointed-to data.
@@ -945,6 +967,7 @@ impl ServerCertVerifierBuilder {
                 crls: Vec::default(),
                 revocation_depth: RevocationCheckDepth::Chain,
                 revocation_policy: UnknownStatusPolicy::Deny,
+                revocation_expiration_policy: ExpirationPolicy::Ignore,
             }))
         }
     }
@@ -1027,6 +1050,24 @@ impl ServerCertVerifierBuilder {
         }
     }
 
+    /// When CRLs are provided with `rustls_web_pki_server_cert_verifier_builder_add_crl`, and the
+    /// CRL nextUpdate field is in the past, treat it as an error condition.
+    ///
+    /// Overrides the default behavior where CRL expiration is ignored.
+    #[no_mangle]
+    pub extern "C" fn rustls_web_pki_server_cert_verifier_enforce_revocation_expiry(
+        builder: *mut rustls_web_pki_server_cert_verifier_builder,
+    ) -> rustls_result {
+        let server_verifier_builder = try_mut_from_ptr!(builder);
+        let server_verifier_builder = match server_verifier_builder {
+            None => return AlreadyUsed,
+            Some(v) => v,
+        };
+
+        server_verifier_builder.revocation_expiration_policy = ExpirationPolicy::Enforce;
+        rustls_result::Ok
+    }
+
     /// Create a new server certificate verifier from the builder.
     ///
     /// The builder is consumed and cannot be used again, but must still be freed.
@@ -1063,6 +1104,10 @@ impl ServerCertVerifierBuilder {
                 UnknownStatusPolicy::Allow => builder = builder.allow_unknown_revocation_status(),
                 UnknownStatusPolicy::Deny => {}
             }
+            match server_verifier_builder.revocation_expiration_policy {
+                ExpirationPolicy::Enforce => builder = builder.enforce_revocation_expiration(),
+                ExpirationPolicy::Ignore => {}
+            }
 
             let verifier = match builder.build() {
                 Ok(v) => v,