DeterministicESPAsyncWebServer v6.27.1
Zero-allocation, bounded-execution async HTTP server for ESP32
Loading...
Searching...
No Matches
Standards conformance audit

A per-standard conformance review of every entry in STANDARDS.md: the key MUST / SHOULD requirements checked against the implementation, and the evidence backing the verdict. It is the tracking artifact the roadmap's "audit the library against its standards" item asks for.

Methodology. For each standard: (1) read the authoritative text's conformance requirements, (2) check the implementation against them, (3) prefer a real-peer conformance check where one exists - the interop harness (test/servers/interop.py) drives the device against the reference implementation, not just our own round-trip, which is the strongest evidence a wire format is right. Where a real peer is not wired, the evidence is a host test with pinned spec vectors. Any genuine gap (breaks a compliant peer or violates a MUST) becomes a bug in BUGS.md + a regression test; this pass found none open beyond the scope boundaries already tracked in ROADMAP.md.

Verdict legend. βœ… conformant (MUSTs met, evidence cited) - πŸ”· conformant within a documented scope boundary (implemented part meets its MUSTs; the unimplemented part is roadmap, not a violation) - πŸ”— delegated to mbedTLS (the platform crypto/TLS stack owns conformance) - πŸ“Ž reference-only (notation / obsoleted, nothing to conform to).

Evidence sources. native_* = a host Unity test env - interop:<peer> = a real reference peer in the harness - vec:<spec> = pinned spec test vectors - HW = verified on ESP32 hardware.


HTTP core

Standard Verdict Key MUSTs checked Evidence
RFC 9110 Semantics βœ… Method/status registry, conditional requests (If-*), Range/206/416, header parsing native_http_*, interop:http (stdlib client), HW
RFC 9112 Messaging βœ… Request framing; reject Content-Length+Transfer-Encoding conflict and duplicate/invalid CL (smuggling) native_http_parser (smuggling cases), HW
RFC 9111 Caching βœ… ETag/Last-Modified, 304 on conditional GET, Cache-Control native_http_delivery, native_etag
RFC 3986 URI βœ… Path/query split, percent-decoding, dot-segment handling native_http_parser
RFC 1123 HTTP-date βœ… IMF-fixdate format for Last-Modified / If-Modified-Since (gmtime_r, no locale) native_http_time
RFC 6265 Cookies βœ… Inbound cookie parsing (http_get_cookie), outbound set_cookie emission native_http_parser, native_auth, HW
RFC 7239 Forwarded βœ… Parsing client IP / HTTPS scheme from Forwarded / X-Forwarded-* headers native_http_parser
RFC 5234 ABNF πŸ“Ž Grammar notation only -
RFC 7230/7231/7233 πŸ“Ž Obsoleted by 9110/9112; cited where code predates the renumbering -

HTTP/2 & HTTP/3

Standard Verdict Key MUSTs checked Evidence
RFC 9113 HTTP/2 βœ… Frame layout, stream states, flow control, h2 ALPN; connection preface native_h2_* (PSRAM-gated), HW
RFC 7541 HPACK βœ… Static+dynamic table, integer + canonical Huffman string coding, eviction native_hpack (RFC 7541 vectors)
RFC 9204 QPACK βœ… Static-table field-section encode/decode, prefix native_qpack
RFC 9000 QUIC πŸ”· varint/packet/frame codecs, transport params (Β§18), stateful v1 engine (AEAD per level, CRYPTO/STREAM reassembly, ACK, coalescing). Loss recovery + CC are roadmap native_quic_*, HW byte-exact
RFC 9001 QUIC-TLS βœ… Initial/Handshake/1-RTT protection, header protection, Retry integrity tag native_quic_crypto (vs App A), HW
RFC 8446 TLS1.3 (QUIC) πŸ”· From-scratch handshake for HTTP/3 (AES-128-GCM + X25519 + Ed25519, Β§7.1 schedule, Β§4 msgs) pinned to RFC 8448 native_quic_tls (vec:RFC 8448)
RFC 8448 traces βœ… Key schedule + ServerHello/Certificate/Finished bytes pinned vec:RFC 8448
RFC 9114 HTTP/3 βœ… Control + QPACK streams, SETTINGS, requestβ†’response mapping, UDP/server wiring, and hardware-interop native_h3_* end-to-end, HW
RFC 9147 DTLS 1.3 πŸ”· Record layer (unified header, AEAD-128-GCM, Β§4.2.3 seq-num encryption + Β§4.2.2 reconstruction, Β§4.5.1 anti-replay) + handshake framing (Β§5.2 header, Β§5.4 reassembly, Β§7 ACK, Β§5.1 cookie) + Β§5-6 server handshake (full 1-RTT, epoch 0β†’2β†’3, Β§5.9 dtls13 labels) + Β§5.1 HRR group renegotiation (address-bound cookie) + Β§5.8 PTO retransmission (backoff, ACK cancellation). CoAP-over-DTLS roadmap native_dtls*, native_dtls_conn, **interop:wolfSSL DTLS 1.3 (handshake + app data, direct + HRR)**

HTTP authentication & authorization

Standard Verdict Key MUSTs checked Evidence
RFC 7617 Basic βœ… Basic challenge/credential, base64 userid:password native_auth
RFC 7616 Digest βœ… SHA-256, qop=auth, nonce/cnonce/nc, response hash native_auth (RFC vectors)
RFC 7519 JWT βœ… Header/claims decode, exp/nbf/iat, HS256 verify native_jwt, native_oidc
RFC 7515 JWS βœ… Signing-input construction, signature verify structure native_jwt
RFC 7518 JWA βœ… HS256 / RS256 identifiers + verification native_jwt, native_oidc
RFC 6749 OAuth2 βœ… Token-endpoint request/response (client) native_oauth
RFC 7636 PKCE βœ… code_verifier/code_challenge S256 native_oauth
OIDC Core 1.0 βœ… ID-token RS256 verification, claim checks native_oidc (regenerated vectors)

Content types & serialization

Standard Verdict Key MUSTs checked Evidence
RFC 4648 Base16/32/64 βœ… Padding, alphabet, base64url; reject non-alphabet native_base64, vec:RFC 4648
RFC 7578 multipart βœ… Boundary handling, part headers, Content-Disposition native_multipart
RFC 2046 MIME πŸ“Ž Multipart boundary semantics (referenced) -
RFC 1951 DEFLATE βœ… inflate/deflate; used by WS permessage-deflate native_deflate, native_ssh_zlib
RFC 8949 CBOR βœ… Major types, canonical lengths, encode+decode native_cbor (vectors)
MessagePack βœ… Type tags, fixext, encode+decode native_msgpack
GraphQL πŸ”· Bounded query subset (documented scope) native_graphql
WHATWG SSE βœ… data:/event:/id:/retry: field format, framing native_sse, HW

WebSocket

Standard Verdict Key MUSTs checked Evidence
RFC 6455 βœ… Handshake (SHA-1 accept), frame opcodes, masking, close codes, fragmentation native_websocket, interop:websockets (websockets lib), HW
RFC 7692 pmdeflate βœ… permessage-deflate negotiation, context takeover, per-message flush native_websocket

IoT / industrial messaging

Standard Verdict Key MUSTs checked Evidence
RFC 7252 CoAP βœ… Message format, type/token, option delta encoding, response codes native_coap, interop:aiocoap
RFC 7959 Block-Wise βœ… Block1/Block2 option, NUM/M/SZX, 2.31 Continue native_coap_block
RFC 7641 CoAP Observe βœ… Observe option, monotonic sequence number (the clock bug is fixed) native_coap_observe
MQTT 3.1.1 / 5.0 βœ… CONNECT/PUBLISH/SUBSCRIBE packets, QoS, v5 properties (client) native_mqtt, interop:mosquitto+paho, HW
Modbus v1.1b3 + TCP βœ… MBAP header, FC dispatch, exception codes, register model native_modbus, interop:pymodbus (client+server)
OPC UA (IEC 62541) βœ… Binary built-in types, UACP framing, Hello/Ack, session, Read/Write/Browse native_opcua*, interop:asyncua, HW

Network management (SNMP)

Standard Verdict Key MUSTs checked Evidence
RFC 1157 SNMPv1 βœ… Message + PDU BER, community, GET/GETNEXT/SET native_snmp, interop:net-snmp
RFC 3411-3416 βœ… v3 architecture, message processing, USM, v2c/v3 PDU ops native_snmp, interop:net-snmp+pysnmp
RFC 3414 USM βœ… authPriv, engine discovery, time window, msgAuthoritativeEngine native_snmp
RFC 3826 AES / 7860 HMAC-SHA2 βœ… CFB-128 priv, HMAC-SHA-256 auth, localized keys native_snmp (vectors)
RFC 2578 SMIv2 πŸ“Ž MIB/OID structure (referenced) -
ITU-T X.690 BER/DER βœ… TLV, length forms, INTEGER/OID/SEQUENCE encoding native_snmp, native_oidc

SSH & Telnet

Standard Verdict Key MUSTs checked Evidence
RFC 4251-4254 βœ… Architecture, banner/KEXINIT, binary packet, userauth, channels, global requests native_ssh*, interop:OpenSSH, HW
RFC 4253 transport βœ… Binary packet + MAC, KEX, per-direction NEWKEYS (Β§7.3), rekeying (Β§9, this session) native_ssh, native_ssh_conn
RFC 4344 CTR βœ… aes256-ctr counter mode native_ssh_crypto
RFC 6668 HMAC-SHA2 βœ… hmac-sha2-256/512 (+ ETM variants) native_ssh_hardened
RFC 8268 / 3526 DH βœ… group14-sha256 MODP KEX native_ssh, interop:OpenSSH
RFC 8332 RSA-SHA2 βœ… rsa-sha2-256/512 host key signatures native_ssh, HW
RFC 8731 curve25519 βœ… curve25519-sha256 KEX native_ssh_ed, interop:OpenSSH
RFC 8709 Ed25519 βœ… ssh-ed25519 host key + auth native_ssh_ed
RFC 5656 ECDSA P256 βœ… ecdsa-sha2-nistp256 host key + auth (RFC 6979 sign KAT) native_ssh_ecdsa, native_ssh
RFC 5656 ECDH P256 βœ… ecdh-sha2-nistp256 key exchange, on-curve peer check (RFC 5903 Β§8.1 shared-secret KAT) native_ssh_ecdsa, native_ssh
RFC 8308 ext-info βœ… ext-info-c, server-sig-algs native_ssh_server
RFC 854 Telnet βœ… IAC command/option negotiation native_telnet

Cryptographic primitives

Standard Verdict Key MUSTs checked Evidence
FIPS 180-4 SHA-2 βœ… SHA-256/512 digests native_ssh_crypto (NIST vectors)
RFC 3174 SHA-1 βœ… WebSocket accept-key only native_websocket
FIPS 197 AES βœ… / πŸ”— AES-128 block + QUIC header protection; TLS via mbedTLS native_quic_crypto, native_snmp
SP 800-38D GCM βœ… AEAD_AES_128_GCM, software GHASH native_quic_crypto
FIPS 198-1 / RFC 2104 HMAC βœ… HMAC construction native_ssh_crypto
RFC 5869 HKDF βœ… Extract/Expand, HKDF-Expand-Label native_quic_tls, vec:RFC 8448
RFC 8017 PKCS#1 βœ… / πŸ”— RS256 verify (EMSA-PKCS1-v1_5); mbedTLS for TLS native_oidc, native_ssh
RFC 7748 X25519 βœ… Curve25519 scalar mult, MPI-accel inversion on ESP32 native_ssh_ed, HW
RFC 8032 Ed25519 βœ… EdDSA sign/verify native_ssh_ed
RFC 5754 πŸ“Ž RS256 DigestInfo identifiers (referenced) -
RFC 6238 TOTP / 4226 HOTP βœ… HMAC-based OTP, time-step native_totp
RFC 4122 UUID βœ… v4 layout, variant/version bits native_uuid

Files, logging, naming, transport

Standard Verdict Key MUSTs checked Evidence
RFC 4918 WebDAV βœ… PROPFIND/PROPPATCH/MKCOL/COPY/MOVE, Depth, multistatus native_webdav
RFC 5424 Syslog βœ… PRI/version/timestamp/structured-data framing native_syslog
RFC 1035 DNS βœ… Question/answer encoding, name compression, resolver + captive responder native_dns_resolver, HW
IEEE 802.11 πŸ”· Wi-Fi link (SDK-owned); raw-L2 TX + the 802.11 MAC-header decode for the sniffer native_wifi_sniffer, HW

TLS (over TCP)

Standard Verdict Key MUSTs checked Evidence
RFC 8446 TLS 1.3 πŸ”— Record/handshake owned by mbedTLS; version + cipher policy layered on top native_tls_policy, mbedTLS
RFC 5246 TLS 1.2 πŸ”— mbedTLS; floored at 1.2, negotiated version observable native_tls_policy, mbedTLS
RFC 5077 tickets βœ… Session resumption via mbedTLS with explicit server ticket key rotation native_tls_policy, HW

Findings

No open conformance defects were found in this pass. The library's wire formats for the major protocols (HTTP, WebSocket, CoAP, MQTT, Modbus, SNMP, OPC UA, SSH) are each verified against a real reference implementation in the interop harness - the definitive conformance check - and the cryptographic primitives are pinned to their FIPS/RFC test vectors. The two most recent findings that came out of this kind of review (HTTP request-smuggling framing, and the CoAP-Observe monotonic-clock bug) are fixed and regression-tested.

Items marked πŸ”· are documented scope boundaries, not violations: the implemented subset meets its MUSTs, and the unimplemented remainder (QUIC loss recovery / congestion control, the HTTP/3 UDP server wiring, the bounded GraphQL subset) is tracked in ROADMAP.md. Items marked πŸ”— delegate conformance to mbedTLS, the audited platform TLS/crypto stack.

This audit is re-run when a subsystem changes; keep the verdict + evidence column current as protocols are added or a spec is revised.