chore!: Bump to rustls 0.22, tokio-rustls 0.25 #42

Merged
merged 4 commits into from
Mar 11, 2024
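--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -30,7 +30,8 @@ jobs:
 run: |
 cd ${{ github.workspace }}
 cargo clippy
-just ci-test
+# show backtraces
+RUST_BACKTRACE=1 just ci-test
 - name: Upload coverage information
 run: |
 curl -Os https://uploader.codecov.io/latest/linux/codecov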
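Review bot: The `Upload coverage information` step fetches the Codecov uploader with `curl -Os https://uploader.codecov.io/latest/linux/codecov` from a moving `latest` URL, and no integrity check is visible before the hunk ends; the step body continues below the hunk, so a check may already be there. If it is not, the job executes whatever binary that URL serves with access to the job's environment, so downloading `codecov.SHA256SUM` alongside it and running `shasum -a 256 -c codecov.SHA256SUM` before the binary is executed would be worth adding. On the changed lines, the comment `# show backtraces` could state the reason, e.g. `# RUST_BACKTRACE=1 so a panicking test prints its stack in the CI log`.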
46 changes: 29 additions & 17 deletions Cargo.lock


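--- a/Cargo.toml
+++ b/Cargo.toml
@@ -14,8 +14,8 @@ Configures kTLS for tokio-rustls client and server connections.
 libc = { version = "0.2.148", features = ["const-extern-fn"] }
 thiserror = "1.0.49"
 tracing = "0.1.37"
-tokio-rustls = "0.24.1"
-rustls = { version = "0.21.7", features = ["secret_extraction"] }
+tokio-rustls = "0.25.0"
+rustls = { version = "0.22.2" }
 smallvec = "1.11.1"
 memoffset = "0.9.0"
 pin-project-lite = "0.2.13"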
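--- a/Justfile
+++ b/Justfile
@@ -15,4 +15,7 @@ cov:
 
 # Run all tests
 test *args:
-RUST_BACKTRACE=1 cargo nextest run {{args}}
+RUST_BACKTRACE=1 cargo nextest run {{args}}
+
+check:
+cargo clippy --all-features --all-targets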
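Review bot: The new `check` recipe has no doc comment, unlike `test` directly above it with `# Run all tests`; a line such as `# Lint all targets with every feature enabled` above `check:` would also appear in `just --list`. Separately, `.github/workflows/test.yml` still calls plain `cargo clippy`, so CI lints fewer targets and features than `just check` does locally; calling `just check` from the workflow would keep the two in step.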
97 changes: 80 additions & 17 deletions src/ffi.rs
Expand Up @@ -138,27 +138,84 @@
};

Ok(match secrets {
ConnectionTrafficSecrets::Aes128Gcm { key, salt, iv } => {
CryptoInfo::AesGcm128(ktls::tls12_crypto_info_aes_gcm_128 {
info: ktls::tls_crypto_info {
version,
cipher_type: ktls::TLS_CIPHER_AES_GCM_128 as _,
},
iv,
key,
salt,
rec_seq: seq.to_be_bytes(),
})
ConnectionTrafficSecrets::Aes128Gcm { key, iv } => {
// see https://github.com/rustls/rustls/issues/1833, between
// rustls 0.21 and 0.22, the extract_keys codepath was changed,
// so, for TLS 1.2, both GCM-128 and GCM-256 return the
// Aes128Gcm variant.

match key.as_ref().len() {
16 => CryptoInfo::AesGcm128(ktls::tls12_crypto_info_aes_gcm_128 {
info: ktls::tls_crypto_info {
version,
cipher_type: ktls::TLS_CIPHER_AES_GCM_128 as _,
},
iv: iv
.as_ref()
.get(4..)
.expect("AES-GCM-128 iv is 8 bytes")
.try_into()
.expect("AES-GCM-128 iv is 8 bytes"),
key: key
.as_ref()
.try_into()
.expect("AES-GCM-128 key is 16 bytes"),
salt: iv
.as_ref()
.get(..4)
.expect("AES-GCM-128 salt is 4 bytes")
.try_into()
.expect("AES-GCM-128 salt is 4 bytes"),
rec_seq: seq.to_be_bytes(),
}),
32 => CryptoInfo::AesGcm256(ktls::tls12_crypto_info_aes_gcm_256 {
info: ktls::tls_crypto_info {
version,
cipher_type: ktls::TLS_CIPHER_AES_GCM_256 as _,
},
iv: iv
.as_ref()
.get(4..)
.expect("AES-GCM-256 iv is 8 bytes")
.try_into()
.expect("AES-GCM-256 iv is 8 bytes"),
key: key
.as_ref()
.try_into()
.expect("AES-GCM-256 key is 32 bytes"),
salt: iv
.as_ref()
.get(..4)
.expect("AES-GCM-256 salt is 4 bytes")
.try_into()
.expect("AES-GCM-256 salt is 4 bytes"),
rec_seq: seq.to_be_bytes(),
}),
_ => unreachable!("GCM key length is not 16 or 32"),

Check warning on line 194 in src/ffi.rs


Codecov / codecov/patch

src/ffi.rs#L194

Added line #L194 was not covered by tests
}
}
ConnectionTrafficSecrets::Aes256Gcm { key, salt, iv } => {
ConnectionTrafficSecrets::Aes256Gcm { key, iv } => {
CryptoInfo::AesGcm256(ktls::tls12_crypto_info_aes_gcm_256 {
info: ktls::tls_crypto_info {
version,
cipher_type: ktls::TLS_CIPHER_AES_GCM_256 as _,
},
iv,
key,
salt,
iv: iv
.as_ref()
.get(4..)
.expect("AES-GCM-256 iv is 8 bytes")
.try_into()
.expect("AES-GCM-256 iv is 8 bytes"),
key: key
.as_ref()
.try_into()
.expect("AES-GCM-256 key is 32 bytes"),
salt: iv
.as_ref()
.get(..4)
.expect("AES-GCM-256 salt is 4 bytes")
.try_into()
.expect("AES-GCM-256 salt is 4 bytes"),
rec_seq: seq.to_be_bytes(),
})
}
Expand All @@ -168,8 +225,14 @@
version,
cipher_type: ktls::TLS_CIPHER_CHACHA20_POLY1305 as _,
},
iv,
key,
iv: iv
.as_ref()
.try_into()
.expect("Chacha20-Poly1305 iv is 12 bytes"),
key: key
.as_ref()
.try_into()
.expect("Chacha20-Poly1305 key is 32 bytes"),
salt: ktls::__IncompleteArrayField::new(),
rec_seq: seq.to_be_bytes(),
})
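Review bot: Every new key, IV and salt conversion ends in `.expect(...)`, and the `Aes128Gcm` arm falls through to `unreachable!("GCM key length is not 16 or 32")`, so a length this code did not anticipate panics in the middle of kTLS setup even though the enclosing function (which starts above the hunk) already returns a `Result` via `Ok(match secrets { ... })`. The comment in that arm records that the variant-to-cipher mapping already shifted between rustls 0.21 and 0.22, so these lengths look more like upstream behaviour than local invariants, and returning the function's existing error would let the caller handle the failure instead of unwinding. The 4-byte salt / 8-byte IV split is also written out three times (both branches of the `Aes128Gcm` arm and the `Aes256Gcm` arm); one checked helper, sketched below, keeps it in one place. The error value to return is not visible in this hunk and is left as a placeholder.

```rust
/// Splits the 12-byte IV from rustls into the 4-byte salt and 8-byte IV
/// fields of the kTLS GCM structs; `None` if `iv` is not 12 bytes long.
fn split_gcm_iv(iv: &[u8]) -> Option<([u8; 4], [u8; 8])> {
    if iv.len() != 12 {
        return None;
    }
    let (salt, rest) = iv.split_at(4);
    Some((salt.try_into().ok()?, rest.try_into().ok()?))
}

// in each GCM arm, in place of the two `iv.as_ref().get(..)` chains:
let (salt, iv) = split_gcm_iv(iv.as_ref()).ok_or(/* existing error value of this function */)?;
// … unchanged: info, key, rec_seq …

// in place of `_ => unreachable!("GCM key length is not 16 or 32")`:
_ => return Err(/* existing error value of this function */),
```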