Fix RFC 7250 Compliance (#2257) #2274

holodorum · 2024-12-11T15:33:17Z

This pull requests fixes issue #2257 by changing the way the server validates the client_certificate_type_extension and the server_certificate_type_extension in the ServerHello.

Considerations

Initially the validation logic for the certificate type extensions resided in common_state and validated the negotation of raw keys only, hence we called the struct RawKeyNegotationParams. The validation logic is different for the server and client now and we are not only negotiating raw keys, I moved this to client::hs::CertificateTypeExtensionParams and server::hs::CertificateTypeExtensionParams.

codecov · 2024-12-11T15:58:53Z

Codecov Report

Attention: Patch coverage is 96.05263% with 3 lines in your changes missing coverage. Please review.

Project coverage is 94.88%. Comparing base (d97b319) to head (fa3e317).
Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
rustls/src/server/hs.rs	95.34%	2 Missing ⚠️
rustls/src/client/hs.rs	96.96%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2274      +/-   ##
==========================================
- Coverage   94.88%   94.88%   -0.01%     
==========================================
  Files         103      103              
  Lines       24204    24201       -3     
==========================================
- Hits        22965    22962       -3     
  Misses       1239     1239

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

cpu

This seems reasonable to me. Thanks for the quick fix!

cpu · 2024-12-12T14:26:53Z

rustls/src/client/hs.rs

+            (true, false) => CertificateTypeExtensionNegotationResult::Err(
+                Error::PeerIncompatible(PeerIncompatible::IncorrectCertificateTypeExtension),
+            ),
+            (false, true) => CertificateTypeExtensionNegotationResult::Err(


The coverage gap flagged for this branch seems worth considering if it isn't too tricky. WDYT?

To be honest I'm not sure if it should be possible to get to the (false, true) arm.
There are already api tests sending an unsolicited certificate type extension in the ServerHello, but then an UnsolicitedEncryptedExtension error is raised before even negotiating the certificate type.
If there is no way to get to that situation we could maybe remove the UnsolicitedCertificateTypeExtension, or I can write a small unit test.

rustls-benchmarking · 2024-12-12T14:31:04Z

Benchmark results

Instruction counts

Significant differences

⚠️ There are significant instruction count differences

Click to expand

Scenario	Baseline	Candidate	Diff	Threshold
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_chacha_server	1179908	1175258	✅ -4650 (-0.39%)	0.20%

Other differences

Click to expand

Scenario	Baseline	Candidate	Diff	Threshold
handshake_no_resume_aws_lc_rs_1.3_rsa_aes_server	10683004	10741455	58451 (0.55%)	0.88%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_chacha_client	8243055	8282622	39567 (0.48%)	0.81%
handshake_no_resume_aws_lc_rs_1.3_rsa_chacha_server	10702014	10718522	16508 (0.15%)	1.09%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_chacha_client	3086995	3082307	-4688 (-0.15%)	0.28%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_aes_client	8288451	8290491	2040 (0.02%)	0.85%
handshake_no_resume_aws_lc_rs_1.2_rsa_aes_server	10442935	10444721	1786 (0.02%)	0.82%
handshake_session_id_aws_lc_rs_1.2_rsa_aes_server	3874155	3874755	600 (0.02%)	0.20%
handshake_tickets_aws_lc_rs_1.2_rsa_aes_server	5021182	5021782	600 (0.01%)	0.20%
handshake_session_id_ring_1.2_rsa_aes_server	4235170	4235650	480 (0.01%)	0.20%
handshake_tickets_ring_1.2_rsa_aes_server	4699410	4699890	480 (0.01%)	0.20%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_aes_client	3080746	3080469	-277 (-0.01%)	0.26%
handshake_session_id_aws_lc_rs_1.2_rsa_aes_client	3874375	3874675	300 (0.01%)	0.20%
handshake_tickets_aws_lc_rs_1.2_rsa_aes_client	4216459	4216759	300 (0.01%)	0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_aes_server	28976255	28974255	-2000 (-0.01%)	0.20%
handshake_session_id_aws_lc_rs_1.3_rsa_aes_server	28973765	28971979	-1786 (-0.01%)	0.20%
handshake_session_id_aws_lc_rs_1.3_rsa_chacha_server	28895410	28893663	-1747 (-0.01%)	0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_chacha_server	28897750	28896048	-1702 (-0.01%)	0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_chacha_server	30390306	30388554	-1752 (-0.01%)	0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_chacha_server	30390635	30388895	-1740 (-0.01%)	0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_aes_server	28976036	28974418	-1618 (-0.01%)	0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_aes_server	30433175	30431509	-1666 (-0.01%)	0.20%
handshake_tickets_aws_lc_rs_1.3_rsa_chacha_server	30387719	30386058	-1661 (-0.01%)	0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_aes_server	30432988	30431366	-1622 (-0.01%)	0.20%
handshake_tickets_aws_lc_rs_1.3_rsa_aes_server	30430322	30428714	-1608 (-0.01%)	0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_chacha_server	28897668	28896196	-1472 (-0.01%)	0.20%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_chacha_server	2163936	2163826	-110 (-0.01%)	0.20%
handshake_session_id_ring_1.3_rsa_chacha_server	41492560	41490580	-1980 (-0.00%)	0.20%
handshake_session_id_ring_1.3_ecdsap256_chacha_server	41494671	41492691	-1980 (-0.00%)	0.20%
handshake_session_id_ring_1.3_ecdsap384_chacha_server	41494719	41492739	-1980 (-0.00%)	0.20%
handshake_session_id_ring_1.3_rsa_aes_server	41610820	41608840	-1980 (-0.00%)	0.20%
handshake_session_id_ring_1.3_ecdsap256_aes_server	41612931	41610951	-1980 (-0.00%)	0.20%
handshake_session_id_ring_1.3_ecdsap384_aes_server	41612979	41610999	-1980 (-0.00%)	0.20%
handshake_tickets_ring_1.3_rsa_chacha_server	41974270	41972290	-1980 (-0.00%)	0.20%
handshake_tickets_ring_1.3_ecdsap256_chacha_server	41976568	41974588	-1980 (-0.00%)	0.20%
handshake_tickets_ring_1.3_ecdsap384_chacha_server	41976758	41974778	-1980 (-0.00%)	0.20%
handshake_tickets_ring_1.3_rsa_aes_server	42072610	42070630	-1980 (-0.00%)	0.20%
handshake_tickets_ring_1.3_ecdsap256_aes_server	42074908	42072928	-1980 (-0.00%)	0.20%
handshake_tickets_ring_1.3_ecdsap384_aes_server	42075098	42073118	-1980 (-0.00%)	0.20%
handshake_session_id_ring_1.2_rsa_aes_client	4238499	4238679	180 (0.00%)	0.20%
handshake_tickets_ring_1.2_rsa_aes_client	4499013	4499193	180 (0.00%)	0.20%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_aes_server	2160714	2160794	80 (0.00%)	0.20%
handshake_no_resume_ring_1.3_ecdsap256_aes_client	3621193	3621093	-100 (-0.00%)	0.22%
handshake_session_id_aws_lc_rs_1.3_rsa_aes_client	27861818	27861153	-665 (-0.00%)	0.20%
handshake_no_resume_ring_1.3_ecdsap256_chacha_server	1611977	1611941	-36 (-0.00%)	0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_chacha_client	27797997	27797410	-587 (-0.00%)	0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_aes_client	27857434	27856867	-567 (-0.00%)	0.20%
handshake_no_resume_ring_1.3_ecdsap256_chacha_client	3624589	3624521	-68 (-0.00%)	0.22%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_aes_server	1173063	1173041	-22 (-0.00%)	0.20%
handshake_no_resume_ring_1.3_ecdsap256_aes_server	1610604	1610575	-29 (-0.00%)	0.20%
handshake_session_id_ring_1.3_ecdsap384_chacha_client	40196039	40195319	-720 (-0.00%)	0.20%
handshake_session_id_ring_1.3_ecdsap256_chacha_client	40198982	40198262	-720 (-0.00%)	0.20%
handshake_session_id_ring_1.3_rsa_chacha_client	40203033	40202313	-720 (-0.00%)	0.20%
handshake_session_id_ring_1.3_ecdsap384_aes_client	40290359	40289639	-720 (-0.00%)	0.20%
handshake_session_id_ring_1.3_ecdsap256_aes_client	40293302	40292582	-720 (-0.00%)	0.20%
handshake_session_id_ring_1.3_rsa_aes_client	40297353	40296633	-720 (-0.00%)	0.20%
handshake_tickets_ring_1.3_ecdsap384_chacha_client	40513549	40512829	-720 (-0.00%)	0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_chacha_client	28191981	28191480	-501 (-0.00%)	0.20%
handshake_tickets_ring_1.3_ecdsap256_chacha_client	40516810	40516090	-720 (-0.00%)	0.20%
handshake_tickets_ring_1.3_rsa_chacha_client	40520810	40520090	-720 (-0.00%)	0.20%
handshake_tickets_ring_1.3_ecdsap384_aes_client	40587739	40587019	-720 (-0.00%)	0.20%
handshake_tickets_ring_1.3_ecdsap256_aes_client	40591000	40590280	-720 (-0.00%)	0.20%
handshake_tickets_ring_1.3_rsa_aes_client	40595000	40594280	-720 (-0.00%)	0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_chacha_client	28195028	28194602	-426 (-0.00%)	0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_chacha_client	27795352	27794934	-418 (-0.00%)	0.20%
handshake_session_id_aws_lc_rs_1.3_rsa_chacha_client	27802292	27801881	-411 (-0.00%)	0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_aes_client	28224850	28224433	-417 (-0.00%)	0.20%
handshake_tickets_aws_lc_rs_1.3_rsa_aes_client	28228666	28228275	-391 (-0.00%)	0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_aes_client	27854801	27854493	-308 (-0.00%)	0.20%
transfer_no_resume_ring_1.2_rsa_aes_client	58219747	58219106	-641 (-0.00%)	0.20%
transfer_no_resume_aws_lc_rs_1.2_rsa_aes_client	58175573	58174933	-640 (-0.00%)	0.20%
handshake_no_resume_ring_1.3_rsa_aes_client	2654301	2654276	-25 (-0.00%)	0.20%
handshake_no_resume_ring_1.3_rsa_chacha_client	2660168	2660143	-25 (-0.00%)	0.20%
handshake_no_resume_aws_lc_rs_1.3_rsa_aes_client	1924268	1924251	-17 (-0.00%)	0.20%
handshake_tickets_aws_lc_rs_1.3_rsa_chacha_client	28198849 8000	28198610	-239 (-0.00%)	0.20%
handshake_no_resume_aws_lc_rs_1.3_rsa_chacha_client	1931014	1931001	-13 (-0.00%)	0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_aes_client	28221860	28221689	-171 (-0.00%)	0.20%
handshake_no_resume_aws_lc_rs_1.2_rsa_aes_client	1716235	1716245	10 (0.00%)	0.20%
handshake_no_resume_ring_1.3_ecdsap384_aes_server	7562933	7562905	-28 (-0.00%)	0.20%
handshake_no_resume_ring_1.3_ecdsap384_chacha_server	7565085	7565059	-26 (-0.00%)	0.20%
handshake_no_resume_ring_1.2_rsa_aes_client	2561940	2561946	6 (0.00%)	0.20%
handshake_no_resume_ring_1.3_rsa_aes_server	11423480	11423454	-26 (-0.00%)	0.20%
handshake_no_resume_ring_1.3_rsa_chacha_server	11429435	11429409	-26 (-0.00%)	0.20%
handshake_no_resume_ring_1.2_rsa_aes_server	11290925	11290941	16 (0.00%)	0.20%
handshake_no_resume_ring_1.3_ecdsap384_chacha_client	35182662	35182637	-25 (-0.00%)	0.20%
handshake_no_resume_ring_1.3_ecdsap384_aes_client	35180730	35180718	-12 (-0.00%)	0.20%
transfer_no_resume_ring_1.3_ecdsap384_aes_server	46471415	46471426	11 (0.00%)	0.20%
transfer_no_resume_ring_1.3_ecdsap256_aes_server	46468546	46468536	-10 (-0.00%)	0.20%
transfer_no_resume_ring_1.3_rsa_aes_server	46468145	46468154	9 (0.00%)	0.20%
transfer_no_resume_ring_1.3_ecdsap384_chacha_server	80541175	80541185	10 (0.00%)	0.20%
transfer_no_resume_ring_1.3_rsa_chacha_client	92668584	92668573	-11 (-0.00%)	0.20%
transfer_no_resume_ring_1.3_rsa_chacha_server	80535984	80535993	9 (0.00%)	0.20%
transfer_no_resume_ring_1.3_ecdsap256_chacha_client	92657681	92657672	-9 (-0.00%)	0.20%
transfer_no_resume_aws_lc_rs_1.2_rsa_aes_server	46407040	46407044	4 (0.00%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_chacha_client	92698762	92698768	6 (0.00%)	0.20%
transfer_no_resume_ring_1.2_rsa_aes_server	46377338	46377335	-3 (-0.00%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_rsa_aes_server	46460632	46460635	3 (0.00%)	0.20%
transfer_no_resume_ring_1.3_rsa_aes_client	58336416	58336413	-3 (-0.00%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_chacha_server	80641987	80641991	4 (0.00%)	0.20%
transfer_no_resume_ring_1.3_ecdsap384_chacha_client	92666742	92666746	4 (0.00%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_aes_server	46465288	46465290	2 (0.00%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_aes_client	58232525	58232527	2 (0.00%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_aes_client	58235403	58235401	-2 (-0.00%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_rsa_chacha_server	80644947	80644949	2 (0.00%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_chacha_server	80649613	80649615	2 (0.00%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_aes_server	46457662	46457663	1 (0.00%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_rsa_aes_client	58237488	58237487	-1 (-0.00%)	0.20%
transfer_no_resume_ring_1.3_ecdsap256_aes_client	58325513	58325512	-1 (-0.00%)	0.20%
transfer_no_resume_ring_1.3_ecdsap256_chacha_server	80536385	80536384	-1 (-0.00%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_chacha_client	92696522	92696523	1 (0.00%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_rsa_chacha_client	92702762	92702761	-1 (-0.00%)	0.20%
transfer_no_resume_ring_1.3_ecdsap384_aes_client	58332659	58332659	0 (0.00%)	0.20%

Wall-time

Significant differences

⚠️ There are significant wall-time differences

Click to expand

Scenario	Baseline	Candidate	Diff	Threshold
handshake_tickets_aws_lc_rs_1.2_rsa_aes	1.85 ms	1.79 ms	✅ -0.07 ms (-3.60%)	2.45%
handshake_no_resume_aws_lc_rs_1.3_rsa_aes	1.14 ms	1.10 ms	✅ -0.04 ms (-3.56%)	2.57%
handshake_session_id_aws_lc_rs_1.2_rsa_aes	1.67 ms	1.62 ms	✅ -0.05 ms (-3.04%)	2.25%
handshake_session_id_aws_lc_rs_1.3_rsa_aes	5.04 ms	4.97 ms	✅ -0.07 ms (-1.46%)	1.22%

Other differences

Click to expand

Scenario	Baseline	Candidate	Diff	Threshold
handshake_no_resume_aws_lc_rs_1.2_rsa_aes	1.10 ms	1.07 ms	-0.03 ms (-2.78%)	3.57%
handshake_no_resume_aws_lc_rs_1.3_rsa_chacha	1.13 ms	1.11 ms	-0.02 ms (-2.04%)	2.08%
handshake_session_id_aws_lc_rs_1.3_rsa_chacha	5.01 ms	4.93 ms	-0.08 ms (-1.54%)	1.57%
transfer_no_resume_aws_lc_rs_1.3_rsa_aes	5.15 ms	5.08 ms	-0.07 ms (-1.46%)	4.98%
transfer_no_resume_aws_lc_rs_1.2_rsa_aes	5.09 ms	5.02 ms	-0.07 ms (-1.40%)	3.91%
handshake_tickets_aws_lc_rs_1.3_rsa_chacha	5.21 ms	5.14 ms	-0.07 ms (-1.30%)	1.65%
handshake_tickets_aws_lc_rs_1.3_rsa_aes	5.23 ms	5.17 ms	-0.06 ms (-1.21%)	1.41%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_chacha	457.17 µs	453.21 µs	-3.96 µs (-0.87%)	3.30%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_chacha	4.31 ms	4.28 ms	-0.04 ms (-0.82%)	1.74%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_aes	4.34 ms	4.31 ms	-0.03 ms (-0.80%)	1.75%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_aes	4.46 ms	4.42 ms	-0.04 ms (-0.79%)	3.86%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_aes	459.45 µs	456.06 µs	-3.39 µs (-0.74%)	3.88%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_aes	5.17 ms	5.13 ms	-0.04 ms (-0.74%)	3.29%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_chacha	4.51 ms	4.47 ms	-0.03 ms (-0.73%)	1.47%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_chacha	4.99 ms	4.96 ms	-0.03 ms (-0.64%)	1.37%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_chacha	5.20 ms	5.17 ms	-0.03 ms (-0.63%)	1.55%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_aes	4.54 ms	4.51 ms	-0.03 ms (-0.62%)	1.98%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_aes	5.04 ms	5.01 ms	-0.03 ms (-0.61%)	1.68%
handshake_tickets_ring_1.2_rsa_aes	1.61 ms	1.60 ms	-0.01 ms (-0.59%)	1.63%
transfer_no_resume_aws_lc_rs_1.3_rsa_chacha	13.64 ms	13.56 ms	-0.08 ms (-0.56%)	1.71%
transfer_no_resume_ring_1.3_rsa_aes	6.81 ms	6.77 ms	-0.04 ms (-0.54%)	3.58%
transfer_no_resume_ring_1.3_ecdsap256_aes	6.32 ms	6.28 ms	-0.03 ms (-0.53%)	3.27%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_aes	5.24 ms	5.21 ms	-0.03 ms (-0.51%)	1.06%
transfer_no_resume_ring_1.2_rsa_aes	6.74 ms	6.71 ms	-0.03 ms (-0.49%)	3.04%
transfer_no_resume_ring_1.3_ecdsap384_aes	9.43 ms	9.39 ms	-0.04 ms (-0.39%)	2.29%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_aes	1.17 ms	1.16 ms	-0.00 ms (-0.34%)	1.02%
handshake_no_resume_ring_1.2_rsa_aes	991.70 µs	988.39 µs	-3.31 µs (-0.33%)	1.28%
handshake_session_id_ring_1.3_ecdsap256_aes	6.38 ms	6.36 ms	-0.02 ms (-0.33%)	1.00%
handshake_tickets_ring_1.3_ecdsap256_chacha	6.41 ms	6.38 ms	-0.02 ms (-0.32%)	1.00%
handshake_no_resume_ring_1.3_ecdsap256_chacha	499.67 µs	498.08 µs	-1.59 µs (-0.32%)	2.95%
handshake_session_id_ring_1.3_rsa_aes	6.88 ms	6.86 ms	-0.02 ms (-0.31%)	1.00%
transfer_no_resume_ring_1.3_rsa_chacha	13.46 ms	13.42 ms	-0.04 ms (-0.30%)	1.51%
handshake_tickets_ring_1.3_ecdsap256_aes	6.46 ms	6.44 ms	-0.02 ms (-0.29%)	1.00%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_chacha	13.64 ms	13.60 ms	-0.04 ms (-0.27%)	1.62%
transfer_no_resume_ring_1.3_ecdsap384_chacha	16.07 ms	16.03 ms	-0.04 ms (-0.26%)	1.40%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_chacha	12.93 ms	12.90 ms	-0.03 ms (-0.26%)	1.69%
handshake_session_id_ring_1.3_ecdsap384_aes	9.48 ms	9.46 ms	-0.02 ms (-0.26%)	1.00%
transfer_no_resume_ring_1.3_ecdsap256_chacha	12.96 ms	12.93 ms	-0.03 ms (-0.25%)	1.74%
handshake_session_id_ring_1.2_rsa_aes	1.53 ms	1.52 ms	-0.00 ms (-0.25%)	1.00%
handshake_tickets_ring_1.3_rsa_chacha	6.89 ms	6.88 ms	-0.02 ms (-0.24%)	1.00%
handshake_session_id_ring_1.3_ecdsap256_chacha	6.33 ms	6.32 ms	-0.01 ms (-0.24%)	1.00%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_chacha	1.16 ms	1.15 ms	-0.00 ms (-0.23%)	1.06%
handshake_no_resume_ring_1.3_ecdsap256_aes	502.63 µs	501.56 µs	-1.07 µs (-0.21%)	2.12%
handshake_tickets_ring_1.3_rsa_aes	6.94 ms	6.93 ms	-0.01 ms (-0.20%)	1.00%
handshake_session_id_ring_1.3_rsa_chacha	6.82 ms	6.81 ms	-0.01 ms (-0.20%)	1.00%
handshake_session_id_ring_1.3_ecdsap384_chacha	9.43 ms	9.41 ms	-0.02 ms (-0.19%)	1.00%
handshake_no_resume_ring_1.3_rsa_aes	994.15 µs	992.23 µs	-1.93 µs (-0.19%)	1.09%
handshake_tickets_ring_1.3_ecdsap384_chacha	9.50 ms	9.48 ms	-0.02 ms (-0.19%)	1.00%
handshake_no_resume_ring_1.3_rsa_chacha	993.39 µs	991.71 µs	-1.68 µs (-0.17%)	1.25%
handshake_tickets_ring_1.3_ecdsap384_aes	9.54 ms	9.53 ms	-0.01 ms (-0.12%)	1.00%
handshake_no_resume_ring_1.3_ecdsap384_chacha	3.60 ms	3.60 ms	-0.00 ms (-0.01%)	1.00%
handshake_no_resume_ring_1.3_ecdsap384_aes	3.61 ms	3.61 ms	-0.00 ms (-0.00%)	1.00%

Additional information

Historical results

Checkout details:

Base repo: https://github.com/rustls/rustls.git
Base branch: main (d97b319)
Candidate repo: https://github.com/holodorum/rustls_rfc7250.git
Candidate branch: rfc_compliant (fa3e317)

openssl-tests/src/raw_key_openssl_interop.rs

rustls/src/client/hs.rs

rustls/src/common_state.rs

rustls/src/client/hs.rs

See rustls/rustls#2274 Closes #3616

rustls/src/client/hs.rs

openssl-tests/src/raw_key_openssl_interop.rs

rustls/src/client/hs.rs

rustls/src/server/hs.rs

openssl-tests/src/raw_key_openssl_interop.rs

cpu · 2025-01-23T17:57:41Z

Just to check my understanding here: is this blocked on another round of iteration based on djc's most recent feedback?

holodorum · 2025-01-30T11:23:44Z

The semver test is failing, with the message pub fn removed or renamed, before rebasing on main the test didn't fail. Any idea, why it fails and how to solve that?

cpu · 2025-01-30T13:40:06Z

The semver test is failing, with the message pub fn removed or renameed

@holodorum you can ignore that, sorry about the noise. It's a side-effect from #2288 (upstream issue: obi1kenobi/cargo-semver-checks#638) that will be resolved once we cut a rustls/rustls-post-quantum release, which should happen soon.

brody4hire · 2025-02-04T19:08:21Z

I tried merging this with recent updates from main in brody4hire#8 - semver seems to be OK now. But codecov does seem to indicate some missing test coverage.

I tried a couple mutations in brody4hire#8 based on the missing test coverage, they do not seem to trigger any CI testing failures. I think we need to add the missing test coverage.

ctz

I'm pretty happy with this. One comment, and then I feel this is mergable. A rebase will fix the CI issue now.

rustls/src/server/hs.rs

Updated logic to validate `client_certificate_type_extension` and `server_certificate_type_extension` in the ClientHello. Added an openssl interop test to replicate the issue and verify it's handled correctly. Co-authored-by: Adolfo Ochagavía <github@adolfo.ochagavia.nl>

ctz

Thanks! Appreciate your patience.

holodorum · 2025-02-07T12:57:16Z

Thanks! Appreciate your patience.

Thank you all too for the feedback and patience😁

holodorum force-pushed the rfc_compliant branch from a88b6e5 to 1cd38da Compare December 11, 2024 16:46

cpu approved these changes Dec 12, 2024

View reviewed changes

djc reviewed Dec 13, 2024

View reviewed changes

ripatel-fd pushed a commit to firedancer-io/firedancer that referenced this pull request Dec 18, 2024

Work around rustls RawPublicKey bug

b425995

See rustls/rustls#2274 Closes #3616

ripatel-fd mentioned this pull request Dec 18, 2024

Work around rustls RawPublicKey bug firedancer-io/firedancer#3728

Merged

holodorum force-pushed the rfc_compliant branch 2 times, most recently from d66af8b to 28515ec Compare December 18, 2024 18:54

djc reviewed Dec 19, 2024

View reviewed changes

rustls/src/client/hs.rs Outdated Show resolved Hide resolved

openssl-tests/src/raw_key_openssl_interop.rs Outdated Show resolved Hide resolved

holodorum force-pushed the rfc_compliant branch from 28515ec to 0d5ccd9 Compare December 22, 2024 17:25

djc reviewed Jan 6, 2025

View reviewed changes

holodorum force-pushed the rfc_compliant branch 2 times, most recently from b7fb5f6 to ac45f3d Compare January 11, 2025 09:55

holodorum force-pushed the rfc_compliant branch 3 times, most recently from 22fc4ac to 9c80f10 Compare January 30, 2025 11:06

holodorum force-pushed the rfc_compliant branch from 9c80f10 to e94b32b Compare January 30, 2025 15:20

brody4hire mentioned this pull request Feb 4, 2025

RFC 7250 update - Brody CI testing with 2 mutations brody4hire/rustls#8

Draft

ctz reviewed Feb 5, 2025

View reviewed changes

rustls/src/server/hs.rs Outdated Show resolved Hide resolved

ctz mentioned this pull request Feb 5, 2025

cleanup: use typos to avoid spelling errors #2329

Closed

6 tasks

Refactor Raw Key OpenSSL and API tests

931b75b

holodorum force-pushed the rfc_compliant branch from e94b32b to 2f28d35 Compare February 5, 2025 19:57

holodorum force-pushed the rfc_compliant branch from 2f28d35 to fa3e317 Compare February 5, 2025 20:09

ctz approved these changes Feb 6, 2025

View reviewed changes

ctz added this pull request to the merge queue Feb 6, 2025

Merged via the queue into rustls:main with commit fa3e317 Feb 6, 2025
53 checks passed

github-merge-queue bot temporarily deployed to github-pages February 6, 2025 15:31 Inactive

github-merge-queue bot temporarily deployed to github-pages February 6, 2025 18:02 Inactive

github-merge-queue bot temporarily deployed to github-pages February 7, 2025 18:07 Inactive

github-merge-queue bot temporarily deployed to github-pages February 8, 2025 18:02 Inactive

github-merge-queue bot temporarily deployed to github-pages February 9, 2025 18:06 Inactive

github-merge-queue bot temporarily deployed to github-pages February 10, 2025 18:06 Inactive

ctz mentioned this pull request Apr 1, 2025

UnsolicitedCertificateTypeExtension is not RFC 7250 compliant #2257

Closed

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fix RFC 7250 Compliance (#2257) #2274

Fix RFC 7250 Compliance (#2257) #2274

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Fix RFC 7250 Compliance (#2257) #2274

Fix RFC 7250 Compliance (#2257) #2274

Conversation

Uh oh!

Uh oh!

Codecov Report

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Benchmark results

Instruction counts

Significant differences

Other differences

Wall-time

Significant differences

Other differences

Additional information

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!