test(bench): add api for mutual auth handshake (#5437)

Author: jmayclin

bindings/rust/extended/s2n-tls/src/connection.rs

@@ -937,7 +937,7 @@ impl Connection {
 
     /// Check if client auth was used for a connection.
     ///
-    /// This is only relevant if [`ClientAuthType::Optional] was used.
+    /// This is especially useful when the server has [`ClientAuthType::Optional`] configured.
     ///
     /// Corresponds to [s2n_connection_client_cert_used].
     pub fn client_cert_used(&self) -> bool {

bindings/rust/standard/bench/src/harness/mod.rs

@@ -75,6 +75,8 @@ pub enum Mode {
     Server,
 }
 
+/// While ServerAuth and Resumption are not mutually exclusive, they are treated
+/// as such for the purpose of benchmarking.
 #[derive(Clone, Copy, Default, EnumIter, Eq, PartialEq)]
 pub enum HandshakeType {
     #[default]
@@ -194,9 +196,11 @@ pub trait TlsInfo: Sized {
 
     fn negotiated_tls13(&self) -> bool;
 
-    /// Describes whether a connection was resumed. This method is only valid on
-    /// server connections because of rustls API limitations.
+    /// Describes whether a connection was resumed.
     fn resumed_connection(&self) -> bool;
+
+    /// For the rustls & openssl implementations, this only works for servers.
+    fn mutual_auth(&self) -> bool;
 }
 
 /// A TlsConnPair owns the client and server tls connections along with the IO buffers.

bindings/rust/standard/bench/src/openssl.rs

@@ -275,6 +275,11 @@ impl TlsInfo for OpenSslConnection {
     fn resumed_connection(&self) -> bool {
         self.connection.ssl().session_reused()
     }
+
+    fn mutual_auth(&self) -> bool {
+        assert!(self.connection.ssl().is_server());
+        self.connection.ssl().verified_chain().is_some()
+    }
 }
 
 #[cfg(test)]

bindings/rust/standard/bench/src/rustls.rs

@@ -21,7 +21,7 @@ use rustls::{
     pki_types::{CertificateDer, PrivateKeyDer, ServerName},
     server::{ProducesTickets, WebPkiClientVerifier},
     version::TLS13,
-    ClientConfig, ClientConnection, Connection,
+    ClientConfig, ClientConnection, CommonState, Connection, HandshakeKind,
     ProtocolVersion::TLSv1_3,
     RootCertStore, ServerConfig, ServerConnection,
 };
@@ -63,6 +63,13 @@ impl RustlsConnection {
             },
         }
     }
+
+    fn connection_common(&self) -> &CommonState {
+        match &self.connection {
+            Connection::Client(client_connection) => client_connection,
+            Connection::Server(server_connection) => server_connection,
+        }
+    }
 }
 
 #[derive(Debug)]
@@ -310,11 +317,15 @@ impl TlsInfo for RustlsConnection {
     }
 
     fn resumed_connection(&self) -> bool {
-        if let rustls::Connection::Server(s) = &self.connection {
-            s.received_resumption_data().is_some()
-        } else {
-            panic!("rustls connection resumption status must be check on the server side");
-        }
+        self.connection_common().handshake_kind().unwrap() == HandshakeKind::Resumed
+    }
+
+    fn mutual_auth(&self) -> bool {
+        assert!(matches!(self.connection, Connection::Server(_)));
+        //> For servers, this is the certificate chain or the raw public key of
+        //> the client, if client authentication was completed.
+        //> https://docs.rs/rustls/latest/rustls/struct.CommonState.html#method.peer_certificates
+        self.connection_common().peer_certificates().is_some()
     }
 }
 

bindings/rust/standard/bench/src/s2n_tls.rs

@@ -325,11 +325,13 @@ impl TlsInfo for S2NConnection {
     }
 
     fn resumed_connection(&self) -> bool {
-        !self
-            .connection
-            .handshake_type()
-            .unwrap()
-            .contains("FULL_HANDSHAKE")
+        let handshake_type = self.connection.handshake_type().unwrap();
+        assert!(handshake_type.contains("NEGOTIATED"));
+        !handshake_type.contains("FULL_HANDSHAKE")
+    }
+
+    fn mutual_auth(&self) -> bool {
+        self.connection.client_cert_used()
     }
 }
 

bindings/rust/standard/bench/src/test_utilities.rs

@@ -66,6 +66,20 @@ where
 
                     assert!(conn_pair.negotiated_tls13());
                     assert_eq!(cipher_suite, conn_pair.get_negotiated_cipher_suite());
+                    match handshake_type {
+                        HandshakeType::ServerAuth => {
+                            assert!(!conn_pair.server.mutual_auth());
+                            assert!(!conn_pair.server.resumed_connection());
+                        }
+                        HandshakeType::MutualAuth => {
+                            assert!(conn_pair.server.mutual_auth());
+                            assert!(!conn_pair.server.resumed_connection());
+                        }
+                        HandshakeType::Resumption => {
+                            assert!(!conn_pair.server.mutual_auth());
+                            assert!(conn_pair.server.resumed_connection());
+                        }
+                    }
 
                     // read in "application data" handshake messages.
                     // "NewSessionTicket" in the case of resumption