From 3c1d11c9cde094e0f6e7eda3101a2b387d4573c2 Mon Sep 17 00:00:00 2001 From: Joseph Birr-Pixton Date: Tue, 27 Feb 2024 10:20:21 +0000 Subject: [PATCH] squash: inject TimeProvider into top of config builder construction --- rustls/src/builder.rs | 4 + rustls/src/client/builder.rs | 101 ++--------------------- rustls/src/client/client_conn.rs | 40 +++++++++- rustls/src/server/builder.rs | 133 +------------------------------ rustls/src/server/server_conn.rs | 43 +++++++++- rustls/src/time_provider.rs | 3 +- rustls/tests/api.rs | 30 +++++-- 7 files changed, 118 insertions(+), 236 deletions(-) diff --git a/rustls/src/builder.rs b/rustls/src/builder.rs index aad5276654f..4ccd82b891c 100644 --- a/rustls/src/builder.rs +++ b/rustls/src/builder.rs @@ -1,4 +1,5 @@ use crate::error::Error; +use crate::time_provider::TimeProvider; use crate::versions; use crate::{crypto::CryptoProvider, msgs::handshake::ALL_KEY_EXCHANGE_ALGORITHMS}; @@ -184,6 +185,7 @@ impl fmt::Debug for ConfigBuilder, + pub(crate) time_provider: Arc, } impl ConfigBuilder { @@ -248,6 +250,7 @@ impl ConfigBuilder { state: WantsVerifier { provider: self.state.provider, versions: versions::EnabledVersions::new(versions), + time_provider: self.state.time_provider, }, side: self.side, }) @@ -261,6 +264,7 @@ impl ConfigBuilder { pub struct WantsVerifier { pub(crate) provider: Arc, pub(crate) versions: versions::EnabledVersions, + pub(crate) time_provider: Arc, } /// Helper trait to abstract [`ConfigBuilder`] over building a [`ClientConfig`] or [`ServerConfig`]. diff --git a/rustls/src/client/builder.rs b/rustls/src/client/builder.rs index 24219b03aa4..ac2df168c15 100644 --- a/rustls/src/client/builder.rs +++ b/rustls/src/client/builder.rs 
@@ -5,8 +5,7 @@ use crate::crypto::CryptoProvider; use crate::error::Error; use crate::key_log::NoKeyLog; use crate::msgs::handshake::CertificateChain; -#[cfg(feature = "std")] -use crate::time_provider::DefaultTimeProvider; +use crate::time_provider::TimeProvider; use crate::webpki::{self, WebPkiServerVerifier}; use crate::{verify, versions}; @@ -58,6 +57,7 @@ impl ConfigBuilder { provider: self.state.provider, versions: self.state.versions, verifier, + time_provider: self.state.time_provider, }, side: PhantomData, } @@ -96,6 +96,7 @@ pub(super) mod danger { provider: self.cfg.state.provider, versions: self.cfg.state.versions, verifier, + time_provider: self.cfg.state.time_provider, }, side: PhantomData, } @@ -112,11 +113,9 @@ pub struct WantsClientCert { provider: Arc, versions: versions::EnabledVersions, verifier: Arc, + time_provider: Arc, } -// When the std feature is enabled we use the default time provider and move directly from -// WantsClientCert to ClientConfig. -#[cfg(feature = "std")] impl ConfigBuilder { /// Sets a single certificate chain and matching private key for use /// in client authentication. 
@@ -166,97 +165,7 @@ impl ConfigBuilder { enable_early_data: false, #[cfg(feature = "tls12")] require_ems: cfg!(feature = "fips"), - time_provider: Arc::new(DefaultTimeProvider), - } - } -} - -// When the std feature is not enabled we have an extra state in the config builder process -// for providing a time provider. -#[cfg(not(feature = "std"))] -impl ConfigBuilder { - /// Sets a single certificate chain and matching private key for use - /// in client authentication. - /// - /// `cert_chain` is a vector of DER-encoded certificates. - /// `key_der` is a DER-encoded private key as PKCS#1, PKCS#8, or SEC1. The - /// `aws-lc-rs` and `ring` [`CryptoProvider`]s support all three encodings, - /// but other `CryptoProviders` may not. - /// - /// This function fails if `key_der` is invalid. - pub fn with_client_auth_cert( - self, - cert_chain: Vec>, - key_der: PrivateKeyDer<'static>, - ) -> Result, Error> { - let private_key = self - .state - .provider - .key_provider - .load_private_key(key_der)?; - let resolver = - handy::AlwaysResolvesClientCert::new(private_key, CertificateChain(cert_chain))?; - Ok(self.with_client_cert_resolver(Arc::new(resolver))) - } - - /// Do not support client auth. - pub fn with_no_client_auth(self) -> ConfigBuilder { - self.with_client_cert_resolver(Arc::new(handy::FailResolveClientCert {})) - } - - /// Sets a custom [`ResolvesClientCert`]. - pub fn with_client_cert_resolver( - self, - client_auth_cert_resolver: Arc, - ) -> ConfigBuilder { - ConfigBuilder { - state: WantsTimeProvider { - provider: self.state.provider, - versions: self.state.versions, - verifier: self.state.verifier, - client_auth_cert_resolver, - }, - side: PhantomData, - } - } -} - -/// A config builder state where the caller needs to supply a [`TimeProvider`]. -/// -/// For more information, see the [`ConfigBuilder`] documentation. 
-/// -/// [`TimeProvider`]: crate::time_provider::TimeProvider -#[cfg(not(feature = "std"))] -#[derive(Clone)] -pub struct WantsTimeProvider { - provider: Arc, - versions: versions::EnabledVersions, - verifier: Arc, - client_auth_cert_resolver: Arc, -} - -#[cfg(not(feature = "std"))] -impl ConfigBuilder { - /// Sets a custom [`crate::time_provider::TimeProvider`]. - pub fn with_time_provider( - self, - time_provider: Arc, - ) -> ClientConfig { - ClientConfig { - provider: self.state.provider, - alpn_protocols: Vec::new(), - resumption: Resumption::default(), - max_fragment_size: None, - client_auth_cert_resolver: self.state.client_auth_cert_resolver, - versions: self.state.versions, - enable_sni: true, - verifier: self.state.verifier, - key_log: Arc::new(NoKeyLog {}), - enable_secret_extraction: false, - enable_early_data: false, - #[cfg(feature = "tls12")] - require_ems: cfg!(feature = "fips"), - time_provider, + time_provider: self.state.time_provider, } } } diff --git a/rustls/src/client/client_conn.rs b/rustls/src/client/client_conn.rs index 5ba7fdd1264..0e184329bf4 100644 --- a/rustls/src/client/client_conn.rs +++ b/rustls/src/client/client_conn.rs @@ -11,11 +11,15 @@ use crate::msgs::handshake::ClientExtension; use crate::msgs::persist; use crate::sign; use crate::suites::SupportedCipherSuite; +#[cfg(feature = "std")] +use crate::time_provider::DefaultTimeProvider; use crate::time_provider::TimeProvider; use crate::unbuffered::{EncryptError, TransmitTlsData}; use crate::versions; use crate::KeyLog; -use crate::{verify, WantsVerifier, WantsVersions}; +#[cfg(feature = "std")] +use crate::WantsVerifier; +use crate::{verify, WantsVersions}; use super::handy::NoClientSessionStorage; use super::hs; 
@@ -225,6 +229,7 @@ impl ClientConfig { /// and safe protocol version defaults. /// /// For more information, see the [`ConfigBuilder`] documentation. + #[cfg(feature = "std")] pub fn builder() -> ConfigBuilder { Self::builder_with_protocol_versions(versions::DEFAULT_VERSIONS) } @@ -241,6 +246,7 @@ impl ClientConfig { /// the crate features and process default. /// /// For more information, see the [`ConfigBuilder`] documentation. + #[cfg(feature = "std")] pub fn builder_with_protocol_versions( versions: &[&'static versions::SupportedProtocolVersion], ) -> ConfigBuilder { @@ -262,11 +268,41 @@ impl ClientConfig { /// version is not supported by the provider's ciphersuites. /// /// For more information, see the [`ConfigBuilder`] documentation. + #[cfg(feature = "std")] pub fn builder_with_provider( provider: Arc, ) -> ConfigBuilder { ConfigBuilder { - state: WantsVersions { provider }, + state: WantsVersions { + provider, + time_provider: Arc::new(DefaultTimeProvider), + }, + side: PhantomData, + } + } + /// Create a builder for a client configuration with no default implementation details. + /// + /// This API must be used by `no_std` users. + /// + /// You must provide a specific [`TimeProvider`]. + /// + /// You must provide a specific [`CryptoProvider`]. + /// + /// This will use the provider's configured ciphersuites. You must additionally choose + /// which protocol versions to enable, using `with_protocol_versions` or + /// `with_safe_default_protocol_versions` and handling the `Result` in case a protocol + /// version is not supported by the provider's ciphersuites. + /// + /// For more information, see the [`ConfigBuilder`] documentation. + pub fn builder_with_details( + provider: Arc, + time_provider: Arc, + ) -> ConfigBuilder { + ConfigBuilder { + state: WantsVersions { + provider, + time_provider, + }, side: PhantomData, } } diff --git a/rustls/src/server/builder.rs b/rustls/src/server/builder.rs index 51e8d586e8e..11ea41ab9d6 100644 
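Review bot: `builder()`, `builder_with_protocol_versions()` and `builder_with_provider()` are now gated on `std`, so a `no_std` build loses those entry points and `builder_with_details()` becomes its only constructor, yet none of the surviving doc comments on the gated functions say so; the same applies to the matching `ServerConfig` hunk in server_conn.rs. Suggest adding to `builder_with_provider` (and its two siblings) a line such as `/// Available only with the std feature; no_std builds must use [Self::builder_with_details] instead.` The `builder_with_details` docs say a `TimeProvider` must be supplied but not what it is consulted for, which is exactly what an integrator choosing a clock source needs to know; the use sites are outside this hunk, so state there which checks depend on the supplied time (presumably certificate validity and resumption lifetimes — confirm against the verifier and session code). Separately, if the collapsed layout is faithful, `builder_with_details` here directly follows the closing brace of `builder_with_provider` with no blank line between the two items, unlike the server version.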
--- a/rustls/src/server/builder.rs +++ b/rustls/src/server/builder.rs @@ -4,8 +4,7 @@ use crate::error::Error; use crate::msgs::handshake::CertificateChain; use crate::server::handy; use crate::server::{ResolvesServerCert, ServerConfig}; -#[cfg(feature = "std")] -use crate::time_provider::DefaultTimeProvider; +use crate::time_provider::TimeProvider; use crate::verify::{ClientCertVerifier, NoClientAuth}; use crate::versions; use crate::NoKeyLog; @@ -27,6 +26,7 @@ impl ConfigBuilder { provider: self.state.provider, versions: self.state.versions, verifier: client_cert_verifier, + time_provider: self.state.time_provider, }, side: PhantomData, } @@ -47,11 +47,9 @@ pub struct WantsServerCert { provider: Arc, versions: versions::EnabledVersions, verifier: Arc, + time_provider: Arc, } -// When the std feature is enabled we use the default time provider and move directly from -// WantsServerCert to ServerConfig. -#[cfg(feature = "std")] impl ConfigBuilder { /// Sets a single certificate chain and matching private key. This /// certificate and key is used for all subsequent connections, 
@@ -134,130 +132,7 @@ impl ConfigBuilder { send_tls13_tickets: 4, #[cfg(feature = "tls12")] require_ems: cfg!(feature = "fips"), - time_provider: Arc::new(DefaultTimeProvider), - } - } -} - -// When the std feature is not enabled we have an extra state in the config builder process -// for providing a time provider. -#[cfg(not(feature = "std"))] -impl ConfigBuilder { - /// Sets a single certificate chain and matching private key. This - /// certificate and key is used for all subsequent connections, - /// irrespective of things like SNI hostname. - /// - /// Note that the end-entity certificate must have the - /// [Subject Alternative Name](https://tools.ietf.org/html/rfc6125#section-4.1) - /// extension to describe, e.g., the valid DNS name. The `commonName` field is - /// disregarded. - /// - /// `cert_chain` is a vector of DER-encoded certificates. - /// `key_der` is a DER-encoded private key as PKCS#1, PKCS#8, or SEC1. The - /// `aws-lc-rs` and `ring` [`CryptoProvider`]s support all three encodings, - /// but other `CryptoProviders` may not. - /// - /// This function fails if `key_der` is invalid. - pub fn with_single_cert( - self, - cert_chain: Vec>, - key_der: PrivateKeyDer<'static>, - ) -> Result, Error> { - let private_key = self - .state - .provider - .key_provider - .load_private_key(key_der)?; - let resolver = handy::AlwaysResolvesChain::new(private_key, CertificateChain(cert_chain)); - Ok(self.with_cert_resolver(Arc::new(resolver))) - } - - /// Sets a single certificate chain, matching private key and optional OCSP - /// response. This certificate and key is used for all - /// subsequent connections, irrespective of things like SNI hostname. - /// - /// `cert_chain` is a vector of DER-encoded certificates. - /// `key_der` is a DER-encoded private key as PKCS#1, PKCS#8, or SEC1. The - /// `aws-lc-rs` and `ring` [`CryptoProvider`]s support all three encodings, - /// but other `CryptoProviders` may not. - /// `ocsp` is a DER-encoded OCSP response. 
Ignored if zero length. - /// - /// This function fails if `key_der` is invalid. - pub fn with_single_cert_with_ocsp( - self, - cert_chain: Vec>, - key_der: PrivateKeyDer<'static>, - ocsp: Vec, - ) -> Result, Error> { - let private_key = self - .state - .provider - .key_provider - .load_private_key(key_der)?; - let resolver = handy::AlwaysResolvesChain::new_with_extras( - private_key, - CertificateChain(cert_chain), - ocsp, - ); - Ok(self.with_cert_resolver(Arc::new(resolver))) - } - - /// Sets a custom [`ResolvesServerCert`]. - pub fn with_cert_resolver( - self, - cert_resolver: Arc, - ) -> ConfigBuilder { - ConfigBuilder { - state: WantsTimeProvider { - provider: self.state.provider, - versions: self.state.versions, - verifier: self.state.verifier, - cert_resolver, - }, - side: PhantomData, - } - } -} - -/// A config builder state where the caller needs to supply a [`TimeProvider`]. -/// -/// For more information, see the [`ConfigBuilder`] documentation. -/// -/// [`TimeProvider`]: crate::time_provider::TimeProvider -#[cfg(not(feature = "std"))] -#[derive(Clone, Debug)] -pub struct WantsTimeProvider { - provider: Arc, - versions: versions::EnabledVersions, - verifier: Arc, - cert_resolver: Arc, -} - -#[cfg(not(feature = "std"))] -impl ConfigBuilder { - /// Sets a custom [`crate::time_provider::TimeProvider`]. 
- pub fn with_time_provider( - self, - time_provider: Arc, - ) -> ServerConfig { - ServerConfig { - provider: self.state.provider, - verifier: self.state.verifier, - cert_resolver: self.state.cert_resolver, - ignore_client_order: false, - max_fragment_size: None, - session_storage: Arc::new(handy::NoServerSessionStorage {}), - ticketer: Arc::new(handy::NeverProducesTickets {}), - alpn_protocols: Vec::new(), - versions: self.state.versions, - key_log: Arc::new(NoKeyLog {}), - enable_secret_extraction: false, - max_early_data_size: 0, - send_half_rtt_data: false, - send_tls13_tickets: 4, - #[cfg(feature = "tls12")] - require_ems: cfg!(feature = "fips"), - time_provider, + time_provider: self.state.time_provider, } } } diff --git a/rustls/src/server/server_conn.rs b/rustls/src/server/server_conn.rs index d33c34694f8..f22cef94683 100644 --- a/rustls/src/server/server_conn.rs +++ b/rustls/src/server/server_conn.rs @@ -11,12 +11,16 @@ use crate::log::trace; use crate::msgs::base::Payload; use crate::msgs::handshake::{ClientHelloPayload, ProtocolName, ServerExtension}; use crate::msgs::message::Message; +#[cfg(feature = "std")] +use crate::time_provider::DefaultTimeProvider; use crate::time_provider::TimeProvider; use crate::vecbuf::ChunkVecBuffer; use crate::verify; use crate::versions; use crate::KeyLog; -use crate::{sign, WantsVerifier, WantsVersions}; +#[cfg(feature = "std")] +use crate::WantsVerifier; +use crate::{sign, WantsVersions}; use super::hs; @@ -259,7 +263,7 @@ pub struct ServerConfig { /// Supported protocol versions, in no particular order. /// The default is all supported versions. - pub(super) versions: crate::versions::EnabledVersions, + pub(super) versions: versions::EnabledVersions, /// How to verify client certificates. pub(super) verifier: Arc, 
@@ -368,6 +372,7 @@ impl ServerConfig { /// and safe protocol version defaults. /// /// For more information, see the [`ConfigBuilder`] documentation. + #[cfg(feature = "std")] pub fn builder() -> ConfigBuilder { Self::builder_with_protocol_versions(versions::DEFAULT_VERSIONS) } @@ -384,6 +389,7 @@ impl ServerConfig { /// the crate features and process default. /// /// For more information, see the [`ConfigBuilder`] documentation. + #[cfg(feature = "std")] pub fn builder_with_protocol_versions( versions: &[&'static versions::SupportedProtocolVersion], ) -> ConfigBuilder { @@ -405,11 +411,42 @@ impl ServerConfig { /// version is not supported by the provider's ciphersuites. /// /// For more information, see the [`ConfigBuilder`] documentation. + #[cfg(feature = "std")] pub fn builder_with_provider( provider: Arc, ) -> ConfigBuilder { ConfigBuilder { - state: WantsVersions { provider }, + state: WantsVersions { + provider, + time_provider: Arc::new(DefaultTimeProvider), + }, + side: PhantomData, + } + } + + /// Create a builder for a server configuration with no default implementation details. + /// + /// This API must be used by `no_std` users. + /// + /// You must provide a specific [`TimeProvider`]. + /// + /// You must provide a specific [`CryptoProvider`]. + /// + /// This will use the provider's configured ciphersuites. You must additionally choose + /// which protocol versions to enable, using `with_protocol_versions` or + /// `with_safe_default_protocol_versions` and handling the `Result` in case a protocol + /// version is not supported by the provider's ciphersuites. + /// + /// For more information, see the [`ConfigBuilder`] documentation. + pub fn builder_with_details( + provider: Arc, + time_provider: Arc, + ) -> ConfigBuilder { + ConfigBuilder { + state: WantsVersions { + provider, + time_provider, + }, side: PhantomData, } } diff --git a/rustls/src/time_provider.rs b/rustls/src/time_provider.rs index 6890deeed13..df706b38b43 100644 
--- a/rustls/src/time_provider.rs +++ b/rustls/src/time_provider.rs @@ -17,7 +17,8 @@ pub trait TimeProvider: Debug + Send + Sync { #[derive(Debug)] #[cfg(feature = "std")] -pub(crate) struct DefaultTimeProvider; +/// Default `TimeProvider` implementation that uses `std` +pub struct DefaultTimeProvider; #[cfg(feature = "std")] impl TimeProvider for DefaultTimeProvider { diff --git a/rustls/tests/api.rs b/rustls/tests/api.rs index eb36ac1ee4c..9a98dbca77d 100644 --- a/rustls/tests/api.rs +++ b/rustls/tests/api.rs @@ -332,6 +332,26 @@ fn config_builder_for_server_rejects_incompatible_cipher_suites() { ); } +#[test] +fn config_builder_for_client_with_time() { + ClientConfig::builder_with_details( + provider::default_provider().into(), + Arc::new(rustls::time_provider::DefaultTimeProvider), + ) + .with_safe_default_protocol_versions() + .unwrap(); +} + +#[test] +fn config_builder_for_server_with_time() { + ServerConfig::builder_with_details( + provider::default_provider().into(), + Arc::new(rustls::time_provider::DefaultTimeProvider), + ) + .with_safe_default_protocol_versions() + .unwrap(); +} + #[test] fn buffered_client_data_sent() { let server_config = Arc::new(make_server_config(KeyType::Rsa)); 
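Review bot: The new doc comment on `DefaultTimeProvider` sits after the `#[derive(Debug)]` and `#[cfg(feature = "std")]` attributes, whereas the `///` blocks elsewhere in this patch precede any attributes; rustdoc accepts either order, but the conventional placement reads better and keeps the attribute list adjacent to the item. Suggest moving it above `#[derive(Debug)]` and making it a proper intra-doc link, e.g. `/// Default [TimeProvider] implementation backed by the standard library clock.` Now that the type is `pub`, its docs are also the place to say which clock it reads and that it is only present with the `std` feature; the `impl TimeProvider for DefaultTimeProvider` body is outside this hunk, so describe it from there rather than from the type name.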
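Review bot: `config_builder_for_client_with_time` and `config_builder_for_server_with_time` only check that `builder_with_details` followed by `with_safe_default_protocol_versions` returns `Ok`; they never observe the `time_provider` argument, so a regression that dropped or replaced it (for example a stray `Arc::new(DefaultTimeProvider)` left in a later builder step) would not be caught, and passing `DefaultTimeProvider` makes the call indistinguishable from the `std` path anyway. The `Debug` assertions further down this file already show that the builder state prints `time_provider: DefaultTimeProvider`, so the cheapest strengthening is to pass a small test-local `TimeProvider` implementation with a distinctive `Debug` name and assert that name appears in `format!("{:?}", builder)`, or carry the builder through to a finished config and check the field there. A fixed-time provider of that kind is also the natural fixture for any later test of expiry handling that should not depend on the wall clock.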
@@ -497,14 +517,14 @@ fn test_config_builders_debug() { } .into(), ); - assert_eq!("ConfigBuilder { state: WantsVersions { provider: CryptoProvider { cipher_suites: [TLS13_CHACHA20_POLY1305_SHA256], kx_groups: [X25519], signature_verification_algorithms: WebPkiSupportedAlgorithms { all: [ .. ], mapping: [ECDSA_NISTP384_SHA384, ECDSA_NISTP256_SHA256, ED25519, RSA_PSS_SHA512, RSA_PSS_SHA384, RSA_PSS_SHA256, RSA_PKCS1_SHA512, RSA_PKCS1_SHA384, RSA_PKCS1_SHA256] }, secure_random: Ring, key_provider: Ring } } }", format!("{:?}", b)); + assert_eq!("ConfigBuilder { state: WantsVersions { provider: CryptoProvider { cipher_suites: [TLS13_CHACHA20_POLY1305_SHA256], kx_groups: [X25519], signature_verification_algorithms: WebPkiSupportedAlgorithms { all: [ .. ], mapping: [ECDSA_NISTP384_SHA384, ECDSA_NISTP256_SHA256, ED25519, RSA_PSS_SHA512, RSA_PSS_SHA384, RSA_PSS_SHA256, RSA_PKCS1_SHA512, RSA_PKCS1_SHA384, RSA_PKCS1_SHA256] }, secure_random: Ring, key_provider: Ring }, time_provider: DefaultTimeProvider } }", format!("{:?}", b)); let b = server_config_builder_with_versions(&[&rustls::version::TLS13]); assert_eq!( - "ConfigBuilder { state: WantsVerifier { provider: CryptoProvider { cipher_suites: [TLS13_AES_256_GCM_SHA384, TLS13_AES_128_GCM_SHA256, TLS13_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256], kx_groups: [X25519, secp256r1, secp384r1], signature_verification_algorithms: WebPkiSupportedAlgorithms { all: [ .. 
], mapping: [ECDSA_NISTP384_SHA384, ECDSA_NISTP256_SHA256, ED25519, RSA_PSS_SHA512, RSA_PSS_SHA384, RSA_PSS_SHA256, RSA_PKCS1_SHA512, RSA_PKCS1_SHA384, RSA_PKCS1_SHA256] }, secure_random: Ring, key_provider: Ring }, versions: [TLSv1_3] } }", + "ConfigBuilder { state: WantsVerifier { provider: CryptoProvider { cipher_suites: [TLS13_AES_256_GCM_SHA384, TLS13_AES_128_GCM_SHA256, TLS13_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256], kx_groups: [X25519, secp256r1, secp384r1], signature_verification_algorithms: WebPkiSupportedAlgorithms { all: [ .. ], mapping: [ECDSA_NISTP384_SHA384, ECDSA_NISTP256_SHA256, ED25519, RSA_PSS_SHA512, RSA_PSS_SHA384, RSA_PSS_SHA256, RSA_PKCS1_SHA512, RSA_PKCS1_SHA384, RSA_PKCS1_SHA256] }, secure_random: Ring, key_provider: Ring }, versions: [TLSv1_3], time_provider: DefaultTimeProvider } }", format!("{:?}", b) ); let b = b.with_no_client_auth(); - assert_eq!("ConfigBuilder { state: WantsServerCert { provider: CryptoProvider { cipher_suites: [TLS13_AES_256_GCM_SHA384, TLS13_AES_128_GCM_SHA256, TLS13_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256], kx_groups: [X25519, secp256r1, secp384r1], signature_verification_algorithms: WebPkiSupportedAlgorithms { all: [ .. 
], mapping: [ECDSA_NISTP384_SHA384, ECDSA_NISTP256_SHA256, ED25519, RSA_PSS_SHA512, RSA_PSS_SHA384, RSA_PSS_SHA256, RSA_PKCS1_SHA512, RSA_PKCS1_SHA384, RSA_PKCS1_SHA256] }, secure_random: Ring, key_provider: Ring }, versions: [TLSv1_3], verifier: NoClientAuth } }", format!("{:?}", b)); + assert_eq!("ConfigBuilder { state: WantsServerCert { provider: CryptoProvider { cipher_suites: [TLS13_AES_256_GCM_SHA384, TLS13_AES_128_GCM_SHA256, TLS13_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256], kx_groups: [X25519, secp256r1, secp384r1], signature_verification_algorithms: WebPkiSupportedAlgorithms { all: [ .. ], mapping: [ECDSA_NISTP384_SHA384, ECDSA_NISTP256_SHA256, ED25519, RSA_PSS_SHA512, RSA_PSS_SHA384, RSA_PSS_SHA256, RSA_PKCS1_SHA512, RSA_PKCS1_SHA384, RSA_PKCS1_SHA256] }, secure_random: Ring, key_provider: Ring }, versions: [TLSv1_3], verifier: NoClientAuth, time_provider: DefaultTimeProvider } }", format!("{:?}", b)); let b = ClientConfig::builder_with_provider( CryptoProvider { 
@@ -514,10 +534,10 @@ fn test_config_builders_debug() { } .into(), ); - assert_eq!("ConfigBuilder { state: WantsVersions { provider: CryptoProvider { cipher_suites: [TLS13_CHACHA20_POLY1305_SHA256], kx_groups: [X25519], signature_verification_algorithms: WebPkiSupportedAlgorithms { all: [ .. ], mapping: [ECDSA_NISTP384_SHA384, ECDSA_NISTP256_SHA256, ED25519, RSA_PSS_SHA512, RSA_PSS_SHA384, RSA_PSS_SHA256, RSA_PKCS1_SHA512, RSA_PKCS1_SHA384, RSA_PKCS1_SHA256] }, secure_random: Ring, key_provider: Ring } } }", format!("{:?}", b)); + assert_eq!("ConfigBuilder { state: WantsVersions { provider: CryptoProvider { cipher_suites: [TLS13_CHACHA20_POLY1305_SHA256], kx_groups: [X25519], signature_verification_algorithms: WebPkiSupportedAlgorithms { all: [ .. ], mapping: [ECDSA_NISTP384_SHA384, ECDSA_NISTP256_SHA256, ED25519, RSA_PSS_SHA512, RSA_PSS_SHA384, RSA_PSS_SHA256, RSA_PKCS1_SHA512, RSA_PKCS1_SHA384, RSA_PKCS1_SHA256] }, secure_random: Ring, key_provider: Ring }, time_provider: DefaultTimeProvider } }", format!("{:?}", b)); let b = client_config_builder_with_versions(&[&rustls::version::TLS13]); assert_eq!( - "ConfigBuilder { state: WantsVerifier { provider: CryptoProvider { cipher_suites: [TLS13_AES_256_GCM_SHA384, TLS13_AES_128_GCM_SHA256, TLS13_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256], kx_groups: [X25519, secp256r1, secp384r1], signature_verification_algorithms: WebPkiSupportedAlgorithms { all: [ .. 
], mapping: [ECDSA_NISTP384_SHA384, ECDSA_NISTP256_SHA256, ED25519, RSA_PSS_SHA512, RSA_PSS_SHA384, RSA_PSS_SHA256, RSA_PKCS1_SHA512, RSA_PKCS1_SHA384, RSA_PKCS1_SHA256] }, secure_random: Ring, key_provider: Ring }, versions: [TLSv1_3] } }", + "ConfigBuilder { state: WantsVerifier { provider: CryptoProvider { cipher_suites: [TLS13_AES_256_GCM_SHA384, TLS13_AES_128_GCM_SHA256, TLS13_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256], kx_groups: [X25519, secp256r1, secp384r1], signature_verification_algorithms: WebPkiSupportedAlgorithms { all: [ .. ], mapping: [ECDSA_NISTP384_SHA384, ECDSA_NISTP256_SHA256, ED25519, RSA_PSS_SHA512, RSA_PSS_SHA384, RSA_PSS_SHA256, RSA_PKCS1_SHA512, RSA_PKCS1_SHA384, RSA_PKCS1_SHA256] }, secure_random: Ring, key_provider: Ring }, versions: [TLSv1_3], time_provider: DefaultTimeProvider } }", format!("{:?}", b) ); }