Comments (3)
Sorted now. Thanks for the report.
from rustls.
Have any benchmarks been done to measure the impact of these assertions?
Intuitively, I would think they would be very negligible compared to the rest of the stuff rustls has to do.
Many of the locations are far away from where a consumer of the library's API can have any influence or control input.
I view assertions as a way to make sure internal invariants of the library are correct, not as a way to validate input. The latter should use Result instead.
This is especially important in a security oriented library, where relying on these invariants to be correct may be critical.
from rustls.
> Have any benchmarks been done to measure the impact of these assertions?
> Intuitively, I would think they would be very negligible compared to the rest of the stuff rustls has to do.
Yes, the benchmarks do not show any measurable performance impact of asserts.
> I view assertions as a way to make sure internal invariants of the library are correct, not as a way to validate input. The latter should use Result instead.
Of course. All parsing/untrusted input handling uses Option/Result.
Most of these asserts are executable documentation of internal state -- compiling them out is OK, as they're structurally guaranteed to be true. They're useful in development though, to shake out silly bugs early.
There's also a lot of unwrap() which is equivalent to asserting internal state, but obviously cannot/should not be compiled out. But again, this is not used on untrusted input -- a remote panic is the worst non-crypto error this library could have.
from rustls.
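The split discussed in this thread, as an added example that is not part of the original comments and is not rustls code: untrusted bytes go through a parser that returns `Result`, while an invariant the parser already guarantees is checked with `debug_assert!`, which is compiled out of release builds. The record layout, `MAX_BODY`, and all type and function names are hypothetical, and the thread itself does not name the macro used.

```rust
// Added illustration; Record, ParseError, parse_record etc. are hypothetical names.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    TooLong(usize),
}

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub typ: u8,
    pub body: &'a [u8],
}

const MAX_BODY: usize = 16_384; // constructed limit for this example

/// Untrusted input: every failure is a value the caller handles, never a panic.
/// Layout (constructed): 1-byte type, 2-byte big-endian length, body.
pub fn parse_record(buf: &[u8]) -> Result<(Record<'_>, &[u8]), ParseError> {
    let (typ, len, rest) = match buf {
        [t, hi, lo, rest @ ..] => (*t, u16::from_be_bytes([*hi, *lo]) as usize, rest),
        _ => return Err(ParseError::Truncated),
    };
    if len > MAX_BODY {
        return Err(ParseError::TooLong(len));
    }
    let body = rest.get(..len).ok_or(ParseError::Truncated)?;
    Ok((Record { typ, body }, &rest[len..]))
}

/// Internal state: parse_record already enforces the bound, so this check only
/// documents the invariant and catches development bugs in debug builds.
pub fn body_checksum(rec: &Record<'_>) -> u32 {
    debug_assert!(rec.body.len() <= MAX_BODY, "parser must enforce MAX_BODY");
    rec.body.iter().fold(0u32, |acc, b| acc.wrapping_add(*b as u32))
}

pub fn parse_all(mut buf: &[u8]) -> Result<Vec<u32>, ParseError> {
    let mut sums = Vec::new();
    while !buf.is_empty() {
        let (rec, rest) = parse_record(buf)?;
        sums.push(body_checksum(&rec));
        buf = rest;
    }
    Ok(sums)
}

fn main() {
    // Constructed sample: one complete record followed by a truncated one.
    let wire = [0x16, 0x00, 0x02, 0xaa, 0xbb, 0x17, 0x00, 0x05, 0x01];
    println!("{:?} {:?}", parse_all(&wire[..5]), parse_all(&wire));
}
```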