From 85b7fafc57ee687b7981879f58bb5022c35a2454 Mon Sep 17 00:00:00 2001 From: Vincent Date: Mon, 2 Feb 2026 09:42:09 +0100 Subject: [PATCH] Refactored: Moved TLSGroups to new branch feature/named_group --- src/constants.rs | 15 ++++----------- src/lib.rs | 29 +++++++++++++++-------------- 2 files changed, 19 insertions(+), 25 deletions(-) diff --git a/src/constants.rs b/src/constants.rs index 1ffe684..240b72b 100644 --- a/src/constants.rs +++ b/src/constants.rs @@ -144,9 +144,6 @@ pub fn named_group_to_tls_name(id: NamedGroup) -> Option<&'static CStr> { pub fn named_group_to_nid(group: NamedGroup) -> Option { use NamedGroup::*; - // See TLSEXT_nid_unknown from tls1.h - openssl-sys does not - // have a constant for this to import. - const TLSEXT_NID_UNKNOWN: c_int = 0x1000000; // See NID_ffhdhe* from obj_mac.h - openssl-sys does not have // constants for these to import. const NID_FFDHE2048: c_int = 1126; @@ -154,11 +151,10 @@ pub fn named_group_to_nid(group: NamedGroup) -> Option { const NID_FFDHE4096: c_int = 1128; const NID_FFDHE6144: c_int = 1129; const NID_FFDHE8192: c_int = 1130; - // See NID_ML_KEM_* from obj_mac.h - openssl-sys does not have - // constants for these to import. - const NID_ML_KEM_512: c_int = 1454; - const NID_ML_KEM_768: c_int = 1455; - const NID_ML_KEM_1024: c_int = 1456; + + // See TLSEXT_nid_unknown from tls1.h - openssl-sys does not + // have a constant for this to import. + const TLSEXT_NID_UNKNOWN: c_int = 0x1000000; match group { secp256r1 => Some(NID_X9_62_prime256v1), @@ -171,9 +167,6 @@ pub fn named_group_to_nid(group: NamedGroup) -> Option { FFDHE4096 => Some(NID_FFDHE4096), FFDHE6144 => Some(NID_FFDHE6144), FFDHE8192 => Some(NID_FFDHE8192), - MLKEM512 => Some(NID_ML_KEM_512), - MLKEM768 => Some(NID_ML_KEM_768), - MLKEM1024 => Some(NID_ML_KEM_1024), other => Some(TLSEXT_NID_UNKNOWN | u16::from(other) as c_int), } } diff --git a/src/lib.rs b/src/lib.rs index c92c098..bd775ca 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -13,7 +13,9 @@ use openssl_sys::{ }; use rustls::client::Resumption; -use rustls::crypto::{aws_lc_rs as provider, SupportedKxGroup}; +use rustls::crypto::aws_lc_rs as provider; +use rustls::crypto::aws_lc_rs::Ticketer; +use rustls::crypto::SupportedKxGroup; use rustls::pki_types::{CertificateDer, ServerName}; use rustls::server::{Accepted, Acceptor, ProducesTickets}; use rustls::{ @@ -101,7 +103,7 @@ pub struct SslCipher { pub standard_name: &'static CStr, pub version: &'static CStr, pub description: &'static CStr, - rustls: &'static rustls::SupportedCipherSuite, + pub rustls: CipherSuite, } impl SslCipher { @@ -133,7 +135,7 @@ impl SslCipher { } pub fn protocol_id(&self) -> u16 { - u16::from(self.rustls.suite()) + u16::from(self.rustls) } pub fn openssl_id(&self) -> u32 { @@ -142,7 +144,6 @@ impl SslCipher { } static TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: SslCipher = SslCipher { - rustls: &provider::cipher_suite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, auth: constants::NID_AUTH_ECDSA, kx: constants::NID_KX_ECDHE, bits: 128, @@ -150,10 +151,10 @@ static TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: SslCipher = SslCipher { standard_name: c"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", version: c"TLSv1.2", description: c"ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD\n", + rustls: CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, }; static TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: SslCipher = SslCipher { - rustls: &provider::cipher_suite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, auth: constants::NID_AUTH_ECDSA, kx: constants::NID_KX_ECDHE, bits: 256, @@ -161,21 +162,21 @@ static TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: SslCipher = SslCipher { standard_name: c"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", version: c"TLSv1.2", description: c"ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD\n", + rustls: CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, }; static TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: SslCipher = SslCipher { - rustls: &provider::cipher_suite::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, auth: constants::NID_AUTH_ECDSA, kx: constants::NID_KX_ECDHE, bits: 256, openssl_name: c"ECDHE-ECDSA-CHACHA20-POLY1305", standard_name: c"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + rustls: CipherSuite::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, version: c"TLSv1.2", description: c"ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD\n", }; static TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: SslCipher = SslCipher { - rustls: &provider::cipher_suite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, auth: constants::NID_AUTH_RSA, kx: constants::NID_KX_ECDHE, bits: 128, @@ -183,10 +184,10 @@ static TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: SslCipher = SslCipher { standard_name: c"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", version: c"TLSv1.2", description: c"ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD\n", + rustls: CipherSuite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, }; static TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: SslCipher = SslCipher { - rustls: &provider::cipher_suite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, auth: constants::NID_AUTH_RSA, kx: constants::NID_KX_ECDHE, bits: 256, @@ -194,10 +195,10 @@ static TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: SslCipher = SslCipher { standard_name: c"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", version: c"TLSv1.2", description: c"ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD\n", + rustls: CipherSuite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, }; static TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: SslCipher = SslCipher { - rustls: &provider::cipher_suite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, auth: constants::NID_AUTH_RSA, kx: constants::NID_KX_ECDHE, bits: 256, @@ -205,10 +206,10 @@ static TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: SslCipher = SslCipher { standard_name: c"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", version: c"TLSv1.2", description: c"ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD\n", + rustls: CipherSuite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, }; static TLS13_AES_128_GCM_SHA256: SslCipher = SslCipher { - rustls: &provider::cipher_suite::TLS13_AES_128_GCM_SHA256, auth: constants::NID_AUTH_ANY, kx: constants::NID_KX_ANY, bits: 128, @@ -216,10 +217,10 @@ static TLS13_AES_128_GCM_SHA256: SslCipher = SslCipher { standard_name: c"TLS_AES_128_GCM_SHA256", version: c"TLSv1.3", description: c"TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD\n", + rustls: CipherSuite::TLS13_AES_128_GCM_SHA256, }; static TLS13_AES_256_GCM_SHA384: SslCipher = SslCipher { - rustls: &provider::cipher_suite::TLS13_AES_256_GCM_SHA384, auth: constants::NID_AUTH_ANY, kx: constants::NID_KX_ANY, bits: 256, @@ -227,10 +228,10 @@ static TLS13_AES_256_GCM_SHA384: SslCipher = SslCipher { standard_name: c"TLS_AES_256_GCM_SHA384", version: c"TLSv1.3", description: c"TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD\n", + rustls: CipherSuite::TLS13_AES_256_GCM_SHA384, }; static TLS13_CHACHA20_POLY1305_SHA256: SslCipher = SslCipher { - rustls: &provider::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256, auth: constants::NID_AUTH_ANY, kx: constants::NID_KX_ANY, bits: 256, @@ -238,6 +239,7 @@ static TLS13_CHACHA20_POLY1305_SHA256: SslCipher = SslCipher { standard_name: c"TLS_CHACHA20_POLY1305_SHA256", version: c"TLSv1.3", description: c"TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD\n", + rustls: CipherSuite::TLS13_CHACHA20_POLY1305_SHA256, }; /// Backs a server-side SSL_SESSION object @@ -470,7 +472,7 @@ impl SslContext { // a ticketer. Doing so is wasteful for a client, and incompatible with miri // (due to calls to a foreign function, `RAND_bytes`). let ticketer = match !method.server_versions.is_empty() && cfg!(not(miri)) { - true => provider::Ticketer::new().ok(), + true => Ticketer::new().ok(), false => None, }; Self { @@ -1109,7 +1111,6 @@ impl Ssl { if let ConnMode::Unknown = self.mode { self.set_client_mode(); } - if matches!(self.conn, ConnState::Nothing) { self.init_client_conn()?; }