Remove lifetime from TlsVerifier, and change webpki to hold hostname as an owned heapless String

MathiasKoch · MathiasKoch · commit 0b0be9bce156 · 2024-02-29T13:52:15.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+- Add missing implementation to support Client Certificate Authorization (#135)
+
 ## 0.17.0 - 2024-01-06
 
 - Update to stable rust
diff --git a/examples/blocking/src/main.rs b/examples/blocking/src/main.rs
@@ -6,12 +6,12 @@ use rand::rngs::OsRng;
 use std::net::TcpStream;
 use std::time::SystemTime;
 
-struct Provider<'a> {
+struct Provider {
     rng: OsRng,
-    verifier: CertVerifier<'a, Aes128GcmSha256, SystemTime, 4096>,
+    verifier: CertVerifier<Aes128GcmSha256, SystemTime, 4096>,
 }
 
-impl<'a> CryptoProvider for Provider<'a> {
+impl CryptoProvider for Provider {
     type CipherSuite = Aes128GcmSha256;
 
     type Signature = &'static [u8];
@@ -22,7 +22,7 @@ impl<'a> CryptoProvider for Provider<'a> {
 
     fn verifier(
         &mut self,
-    ) -> Result<&mut impl TlsVerifier<'_, Self::CipherSuite>, embedded_tls::TlsError> {
+    ) -> Result<&mut impl TlsVerifier<Self::CipherSuite>, embedded_tls::TlsError> {
         Ok(&mut self.verifier)
     }
 }
diff --git a/src/asynch.rs b/src/asynch.rs
@@ -78,8 +78,11 @@ where
         Provider: CryptoProvider<CipherSuite = CipherSuite>,
     {
         let mut handshake: Handshake<CipherSuite> = Handshake::new();
-        if let Ok(verifier) = context.crypto_provider.verifier() {
-            verifier.set_hostname_verification(context.config.server_name)?;
+        if let (Ok(verifier), Some(server_name)) = (
+            context.crypto_provider.verifier(),
+            context.config.server_name,
+        ) {
+            verifier.set_hostname_verification(server_name)?;
         }
         let mut state = State::ClientHello;
 
diff --git a/src/blocking.rs b/src/blocking.rs
@@ -77,8 +77,11 @@ where
         Provider: CryptoProvider<CipherSuite = CipherSuite>,
     {
         let mut handshake: Handshake<CipherSuite> = Handshake::new();
-        if let Ok(verifier) = context.crypto_provider.verifier() {
-            verifier.set_hostname_verification(context.config.server_name)?;
+        if let (Ok(verifier), Some(server_name)) = (
+            context.crypto_provider.verifier(),
+            context.config.server_name,
+        ) {
+            verifier.set_hostname_verification(server_name)?;
         }
         let mut state = State::ClientHello;
 
diff --git a/src/config.rs b/src/config.rs
@@ -70,15 +70,12 @@ impl TlsCipherSuite for Aes256GcmSha384 {
 /// The verifier is responsible for verifying certificates and signatures. Since certificate verification is
 /// an expensive process, this trait allows clients to choose how much verification should take place,
 /// and also to skip the verification if the server is verified through other means (I.e. a pre-shared key).
-pub trait TlsVerifier<'a, CipherSuite>
+pub trait TlsVerifier<CipherSuite>
 where
     CipherSuite: TlsCipherSuite,
 {
     /// Host verification is enabled by passing a server hostname.
-    fn set_hostname_verification(
-        &mut self,
-        hostname: Option<&'a str>,
-    ) -> Result<(), crate::TlsError>;
+    fn set_hostname_verification(&mut self, hostname: &str) -> Result<(), crate::TlsError>;
 
     /// Verify a certificate.
     ///
@@ -100,14 +97,11 @@ where
 
 pub struct NoVerify;
 
-impl<'a, CipherSuite> TlsVerifier<'a, CipherSuite> for NoVerify
+impl<CipherSuite> TlsVerifier<CipherSuite> for NoVerify
 where
     CipherSuite: TlsCipherSuite,
 {
-    fn set_hostname_verification(
-        &mut self,
-        _hostname: Option<&'a str>,
-    ) -> Result<(), crate::TlsError> {
+    fn set_hostname_verification(&mut self, _hostname: &str) -> Result<(), crate::TlsError> {
         Ok(())
     }
 
@@ -156,9 +150,7 @@ pub trait CryptoProvider {
 
     fn rng(&mut self) -> impl CryptoRngCore;
 
-    fn verifier(
-        &mut self,
-    ) -> Result<&mut impl TlsVerifier<'_, Self::CipherSuite>, crate::TlsError> {
+    fn verifier(&mut self) -> Result<&mut impl TlsVerifier<Self::CipherSuite>, crate::TlsError> {
         Err::<&mut NoVerify, _>(crate::TlsError::Unimplemented)
     }
 
@@ -181,9 +173,7 @@ impl<T: CryptoProvider> CryptoProvider for &mut T {
         T::rng(self)
     }
 
-    fn verifier(
-        &mut self,
-    ) -> Result<&mut impl TlsVerifier<'_, Self::CipherSuite>, crate::TlsError> {
+    fn verifier(&mut self) -> Result<&mut impl TlsVerifier<Self::CipherSuite>, crate::TlsError> {
         T::verifier(self)
     }
 
diff --git a/src/webpki.rs b/src/webpki.rs
@@ -89,18 +89,18 @@ static ALL_SIGALGS: &[&webpki::SignatureAlgorithm] = &[
     &webpki::ED25519,
 ];
 
-pub struct CertVerifier<'a, CipherSuite, Clock, const CERT_SIZE: usize>
+pub struct CertVerifier<CipherSuite, Clock, const CERT_SIZE: usize>
 where
     Clock: TlsClock,
     CipherSuite: TlsCipherSuite,
 {
-    host: Option<&'a str>,
+    host: Option<heapless::String<64>>,
     certificate_transcript: Option<CipherSuite::Hash>,
     certificate: Option<OwnedCertificate<CERT_SIZE>>,
     _clock: PhantomData<Clock>,
 }
 
-impl<'a, CipherSuite, Clock, const CERT_SIZE: usize> CertVerifier<'a, CipherSuite, Clock, CERT_SIZE>
+impl<CipherSuite, Clock, const CERT_SIZE: usize> CertVerifier<CipherSuite, Clock, CERT_SIZE>
 where
     Clock: TlsClock,
     CipherSuite: TlsCipherSuite,
@@ -115,17 +115,16 @@ where
     }
 }
 
-impl<'a, CipherSuite, Clock, const CERT_SIZE: usize> TlsVerifier<'a, CipherSuite>
-    for CertVerifier<'a, CipherSuite, Clock, CERT_SIZE>
+impl<CipherSuite, Clock, const CERT_SIZE: usize> TlsVerifier<CipherSuite>
+    for CertVerifier<CipherSuite, Clock, CERT_SIZE>
 where
     CipherSuite: TlsCipherSuite,
     Clock: TlsClock,
 {
-    fn set_hostname_verification(
-        &mut self,
-        hostname: Option<&'a str>,
-    ) -> Result<(), crate::TlsError> {
-        self.host = hostname;
+    fn set_hostname_verification(&mut self, hostname: &str) -> Result<(), TlsError> {
+        self.host.replace(
+            heapless::String::try_from(hostname).map_err(|_| TlsError::InsufficientSpace)?,
+        );
         Ok(())
     }
 
@@ -135,7 +134,7 @@ where
         ca: &Option<Certificate>,
         cert: ServerCertificate,
     ) -> Result<(), TlsError> {
-        verify_certificate(self.host.clone(), ca, &cert, Clock::now())?;
+        verify_certificate(self.host.as_deref(), ca, &cert, Clock::now())?;
         self.certificate.replace(cert.try_into()?);
         self.certificate_transcript.replace(transcript.clone());
         Ok(())

Original file line number	Diff line number	Diff line change
`@@ -78,8 +78,11 @@ where`
`78`	`78`	`Provider: CryptoProvider<CipherSuite = CipherSuite>,`
`79`	`79`	`{`
`80`	`80`	`let mut handshake: Handshake<CipherSuite> = Handshake::new();`
`81`		`- if let Ok(verifier) = context.crypto_provider.verifier() {`
`82`		`- verifier.set_hostname_verification(context.config.server_name)?;`
	`81`	`+ if let (Ok(verifier), Some(server_name)) = (`
	`82`	`+ context.crypto_provider.verifier(),`
	`83`	`+ context.config.server_name,`
	`84`	`+ ) {`
	`85`	`+ verifier.set_hostname_verification(server_name)?;`
`83`	`86`	`}`
`84`	`87`	`let mut state = State::ClientHello;`
`85`	`88`
Original file line number	Diff line number	Diff line change
`@@ -77,8 +77,11 @@ where`
`77`	`77`	`Provider: CryptoProvider<CipherSuite = CipherSuite>,`
`78`	`78`	`{`
`79`	`79`	`let mut handshake: Handshake<CipherSuite> = Handshake::new();`
`80`		`- if let Ok(verifier) = context.crypto_provider.verifier() {`
`81`		`- verifier.set_hostname_verification(context.config.server_name)?;`
	`80`	`+ if let (Ok(verifier), Some(server_name)) = (`
	`81`	`+ context.crypto_provider.verifier(),`
	`82`	`+ context.config.server_name,`
	`83`	`+ ) {`
	`84`	`+ verifier.set_hostname_verification(server_name)?;`
`82`	`85`	`}`
`83`	`86`	`let mut state = State::ClientHello;`
`84`	`87`