Hide algorithms behind features

.gitignore

@@ -2,3 +2,4 @@ debug/
 target/
 **/*.rs.bk
 *.pdb
+.idea/

Cargo.toml

@@ -19,41 +19,49 @@ resolver = "1" # Hack to enable the `custom` feature of `getrandom`
 # default features often have std breaking no_std and potentially other unwanted
 [dependencies]
 aead = { version = "0.5.2", default-features = false }
-aes-gcm = { version = "0.10.3", default-features = false, features = ["aes", "alloc"] }
-chacha20poly1305 = { version = "0.10.1", default-features = false }
+aes-gcm = { version = "0.10.3", default-features = false, features = ["aes", "alloc"], optional = true }
+chacha20poly1305 = { version = "0.10.1", default-features = false, optional = true }
 crypto-common = { version = "0.1.6", default-features = false }
 der = { version = "0.7.9", default-features = false }
 digest = { version = "0.10.7", default-features = false }
-ecdsa = { version = "0.16.8", default-features = false, features = ["alloc"] }
-ed25519-dalek = { version = "2", default-features = false, features = ["pkcs8"] }
+ecdsa = { version = "0.16.8", default-features = false, features = ["alloc"], optional = true }
+ed25519-dalek = { version = "2", default-features = false, features = ["pkcs8"], optional = true }
 hmac = { version = "0.12.1", default-features = false }
-p256 = { version = "0.13.2", default-features = false, features = ["pem", "ecdsa", "ecdh"] }
-p384 = { version = "0.13.0", default-features = false, features = ["pem", "ecdsa", "ecdh"] }
+p256 = { version = "0.13.2", default-features = false, features = ["pem", "ecdsa", "ecdh"], optional = true }
+p384 = { version = "0.13.0", default-features = false, features = ["pem", "ecdsa", "ecdh"], optional = true }
 paste = { version = "1.0.15", default-features = false }
 pkcs8 = { version = "0.10.2", default-features = false, features = ["pem", "pkcs5"] }
 pki-types = { package = "rustls-pki-types", version = "1.0.1", default-features = false }
 rand_core = { version = "0.6.4", default-features = false, features = ["getrandom"] }
-rsa = { version = "0.9.2", default-features = false, features = ["sha2"] }
+rsa = { version = "0.9.2", default-features = false, features = ["sha2"], optional = true }
 rustls = { version = "0.23.12", default-features = false }
 sec1 = { version = "0.7.3", default-features = false, features = ["pkcs8", "pem"] }
 sha2 = { version = "0.10.7", default-features = false }
-signature = { version = "2.1.0", default-features = false }
+signature = { version = "2.1.0", default-features = false, features = ["rand_core", "alloc"] }
 webpki = { package = "rustls-webpki", version = "0.102.0", default-features = false }
-x25519-dalek = { version = "2", default-features = false }
+x25519-dalek = { version = "2", default-features = false, optional = true }
 
 [dev-dependencies]
 getrandom = { version = "0.2", features = ["custom"] } # workaround to build on no_std targets
 
 [features]
-default = ["std", "tls12", "zeroize"]
+default = ["std", "tls12", "zeroize", "quic", "aes-gcm", "chacha20poly1305", "rsa", "p256", "p384", "ed25519", "x25519"]
 logging = ["rustls/logging"]
-tls12 = ["rustls/tls12"]
+tls12 = ["rustls/tls12", "ecdsa"]
 
 # Only enable feature in upstream if there is an overall effect e.g. aead/alloc in-place
 # zeroize is another typical that can be turned off
 
 # TODO: go through all of these that what gets exposed re: std error type
-std = ["alloc", "webpki/std", "pki-types/std", "rustls/std", "ed25519-dalek/std"]
+std = ["alloc", "webpki/std", "pki-types/std", "rustls/std"]
 # TODO: go through all of these to ensure to_vec etc. impls are exposed
-alloc = ["webpki/alloc", "pki-types/alloc", "aead/alloc", "ed25519-dalek/alloc"]
-zeroize = ["ed25519-dalek/zeroize", "x25519-dalek/zeroize"]
+alloc = ["webpki/alloc", "pki-types/alloc", "aead/alloc"]
+zeroize = ["ed25519-dalek?/zeroize", "x25519-dalek?/zeroize"]
+quic = ["chacha20poly1305"]
+aes-gcm = ["dep:aes-gcm"]
+chacha20poly1305 = ["dep:chacha20poly1305"]
+ecdsa = ["dep:ecdsa"]
+p256 = ["dep:p256", "ecdsa"]
+p384 = ["dep:p384", "ecdsa"]
+x25519 = ["dep:x25519-dalek"]
+ed25519 = ["dep:ed25519-dalek", "ed25519-dalek/alloc", "ed25519-dalek/std", "alloc"]

src/aead.rs

@@ -1,6 +1,7 @@
 use aead::Buffer;
 use rustls::crypto::cipher::{BorrowedPayload, PrefixedPayload};
 
+#[cfg(feature = "chacha20poly1305")]
 pub mod chacha20;
 pub mod gcm;
 

src/aead/chacha20.rs

@@ -3,6 +3,7 @@ use alloc::boxed::Box;
 
 use super::{DecryptBufferAdapter, EncryptBufferAdapter};
 
+#[cfg(feature = "chacha20poly1305")]
 use chacha20poly1305::{AeadInPlace, KeyInit, KeySizeUser};
 use rustls::crypto::cipher::{
     self, AeadKey, InboundOpaqueMessage, InboundPlainMessage, Iv, MessageDecrypter,
@@ -14,8 +15,10 @@ use rustls::{ConnectionTrafficSecrets, ContentType, ProtocolVersion};
 #[cfg(feature = "tls12")]
 use rustls::crypto::cipher::{KeyBlockShape, Tls12AeadAlgorithm, NONCE_LEN};
 
+#[cfg(feature = "chacha20poly1305")]
 pub struct Chacha20Poly1305;
 
+#[cfg(feature = "chacha20poly1305")]
 impl Tls13AeadAlgorithm for Chacha20Poly1305 {
     fn encrypter(&self, key: AeadKey, iv: Iv) -> Box<dyn MessageEncrypter> {
         Box::new(Tls13Cipher(

src/aead/gcm.rs

@@ -225,11 +225,13 @@ macro_rules! impl_gcm_tls12 {
     };
 }
 
+#[cfg(feature = "aes-gcm")]
 impl_gcm_tls13! {Aes128Gcm, aes_gcm::Aes128Gcm, 16}
+#[cfg(feature = "aes-gcm")]
 impl_gcm_tls13! {Aes256Gcm, aes_gcm::Aes256Gcm, 16}
 
-#[cfg(feature = "tls12")]
+#[cfg(all(feature = "tls12", feature = "aes-gcm"))]
 impl_gcm_tls12! {Aes128Gcm, aes_gcm::Aes128Gcm, TLS12_GCM_EXPLICIT_NONCE_LEN, TLS12_GCM_OVERHEAD}
 
-#[cfg(feature = "tls12")]
+#[cfg(all(feature = "tls12", feature = "aes-gcm"))]
 impl_gcm_tls12! {Aes256Gcm, aes_gcm::Aes256Gcm, TLS12_GCM_EXPLICIT_NONCE_LEN, TLS12_GCM_OVERHEAD}

src/kx.rs

@@ -5,10 +5,12 @@ use crypto::{SharedSecret, SupportedKxGroup};
 use paste::paste;
 use rustls::crypto;
 
+#[cfg(feature = "x25519")]
 #[derive(Debug)]
 pub struct X25519;
 
-impl crypto::SupportedKxGroup for X25519 {
+#[cfg(feature = "x25519")]
+impl SupportedKxGroup for X25519 {
     fn name(&self) -> rustls::NamedGroup {
         rustls::NamedGroup::X25519
     }
@@ -20,11 +22,13 @@ impl crypto::SupportedKxGroup for X25519 {
     }
 }
 
+#[cfg(feature = "x25519")]
 pub struct X25519KeyExchange {
     priv_key: x25519_dalek::EphemeralSecret,
     pub_key: x25519_dalek::PublicKey,
 }
 
+#[cfg(feature = "x25519")]
 impl crypto::ActiveKeyExchange for X25519KeyExchange {
     fn complete(self: Box<X25519KeyExchange>, peer: &[u8]) -> Result<SharedSecret, rustls::Error> {
         let peer_array: [u8; 32] = peer
@@ -102,7 +106,16 @@ macro_rules! impl_kx {
     };
 }
 
+#[cfg(feature = "p256")]
 impl_kx! {SecP256R1, rustls::NamedGroup::secp256r1, p256::ecdh::EphemeralSecret, p256::PublicKey}
+#[cfg(feature = "p384")]
 impl_kx! {SecP384R1, rustls::NamedGroup::secp384r1, p384::ecdh::EphemeralSecret, p384::PublicKey}
 
-pub const ALL_KX_GROUPS: &[&dyn SupportedKxGroup] = &[&X25519, &SecP256R1, &SecP384R1];
+pub const ALL_KX_GROUPS: &[&dyn SupportedKxGroup] = &[
+    #[cfg(feature = "x25519")]
+    &X25519,
+    #[cfg(feature = "p256")]
+    &SecP256R1,
+    #[cfg(feature = "p384")]
+    &SecP384R1
+];

src/lib.rs

@@ -81,14 +81,16 @@ impl KeyProvider for Provider {
 }
 
 #[cfg(feature = "tls12")]
-const TLS12_ECDSA_SCHEMES: [SignatureScheme; 4] = [
+const TLS12_ECDSA_SCHEMES: &[SignatureScheme] = &[
+    #[cfg(feature = "p256")]
     SignatureScheme::ECDSA_NISTP256_SHA256,
+    #[cfg(feature = "p384")]
     SignatureScheme::ECDSA_NISTP384_SHA384,
-    SignatureScheme::ECDSA_NISTP521_SHA512,
+    #[cfg(feature = "ed25519")]
     SignatureScheme::ED25519,
 ];
 
-#[cfg(feature = "tls12")]
+#[cfg(all(feature = "tls12", feature = "rsa"))]
 const TLS12_RSA_SCHEMES: [SignatureScheme; 6] = [
     SignatureScheme::RSA_PKCS1_SHA256,
     SignatureScheme::RSA_PKCS1_SHA384,
@@ -98,7 +100,7 @@ const TLS12_RSA_SCHEMES: [SignatureScheme; 6] = [
     SignatureScheme::RSA_PSS_SHA512,
 ];
 
-#[cfg(feature = "tls12")]
+#[cfg(all(feature = "tls12", feature = "aes-gcm"))]
 pub const TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: SupportedCipherSuite =
     SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
         common: CipherSuiteCommon {
@@ -107,12 +109,12 @@ pub const TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: SupportedCipherSuite =
             confidentiality_limit: u64::MAX,
         },
         kx: rustls::crypto::KeyExchangeAlgorithm::ECDHE,
-        sign: &TLS12_ECDSA_SCHEMES,
+        sign: TLS12_ECDSA_SCHEMES,
         aead_alg: &aead::gcm::Tls12Aes128Gcm,
         prf_provider: &rustls::crypto::tls12::PrfUsingHmac(hmac::SHA256),
     });
 
-#[cfg(feature = "tls12")]
+#[cfg(all(feature = "tls12", feature = "aes-gcm"))]
 pub const TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: SupportedCipherSuite =
     SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
         common: CipherSuiteCommon {
@@ -121,12 +123,12 @@ pub const TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: SupportedCipherSuite =
             confidentiality_limit: u64::MAX,
         },
         kx: rustls::crypto::KeyExchangeAlgorithm::ECDHE,
-        sign: &TLS12_ECDSA_SCHEMES,
+        sign: TLS12_ECDSA_SCHEMES,
         prf_provider: &rustls::crypto::tls12::PrfUsingHmac(hmac::SHA384),
         aead_alg: &aead::gcm::Tls12Aes256Gcm,
     });
 
-#[cfg(feature = "tls12")]
+#[cfg(all(feature = "tls12", feature = "chacha20poly1305"))]
 pub const TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
     SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
         common: CipherSuiteCommon {
@@ -136,18 +138,12 @@ pub const TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
         },
         prf_provider: &rustls::crypto::tls12::PrfUsingHmac(hmac::SHA256),
         kx: rustls::crypto::KeyExchangeAlgorithm::ECDHE,
-        sign: &TLS12_ECDSA_SCHEMES,
+        sign: TLS12_ECDSA_SCHEMES,
         aead_alg: &aead::chacha20::Chacha20Poly1305,
     });
 
-#[cfg(feature = "tls12")]
-const TLS_ECDHE_ECDSA_SUITES: &[SupportedCipherSuite] = &[
-    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-];
 
-#[cfg(feature = "tls12")]
+#[cfg(all(feature = "tls12", feature = "aes-gcm", feature = "rsa"))]
 pub const TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: SupportedCipherSuite =
     SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
         common: CipherSuiteCommon {
@@ -161,7 +157,7 @@ pub const TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: SupportedCipherSuite =
         prf_provider: &rustls::crypto::tls12::PrfUsingHmac(hmac::SHA256),
     });
 
-#[cfg(feature = "tls12")]
+#[cfg(all(feature = "tls12", feature = "aes-gcm", feature = "ecdsa", feature = "rsa"))]
 pub const TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: SupportedCipherSuite =
     SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
         common: CipherSuiteCommon {
@@ -175,7 +171,7 @@ pub const TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: SupportedCipherSuite =
         aead_alg: &aead::gcm::Tls12Aes256Gcm,
     });
 
-#[cfg(feature = "tls12")]
+#[cfg(all(feature = "tls12", feature = "rsa", feature = "chacha20poly1305"))]
 pub const TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
     SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
         common: CipherSuiteCommon {
@@ -189,23 +185,26 @@ pub const TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
         aead_alg: &aead::chacha20::Chacha20Poly1305,
     });
 
-#[cfg(feature = "tls12")]
-const TLS_ECDHE_RSA_SUITES: &[SupportedCipherSuite] = &[
+#[cfg(all(feature = "tls12", feature = "ecdsa"))]
+const TLS12_SUITES: &[SupportedCipherSuite] = &[
+    #[cfg(feature = "aes-gcm")]
+    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    #[cfg(feature = "aes-gcm")]
+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    #[cfg(feature = "chacha20poly1305")]
+    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+    #[cfg(all(feature = "rsa", feature = "aes-gcm"))]
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    #[cfg(all(feature = "rsa", feature = "aes-gcm"))]
     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+    #[cfg(all(feature = "rsa", feature = "chacha20poly1305"))]
     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 ];
 
-#[cfg(feature = "tls12")]
-const TLS12_SUITES: &[SupportedCipherSuite] = misc::const_concat_slices!(
-    SupportedCipherSuite,
-    TLS_ECDHE_ECDSA_SUITES,
-    TLS_ECDHE_RSA_SUITES
-);
-
 #[cfg(not(feature = "tls12"))]
 const TLS12_SUITES: &[SupportedCipherSuite] = &[];
 
+#[cfg(feature = "aes-gcm")]
 pub const TLS13_AES_128_GCM_SHA256: SupportedCipherSuite =
     SupportedCipherSuite::Tls13(&Tls13CipherSuite {
         common: CipherSuiteCommon {
@@ -218,6 +217,7 @@ pub const TLS13_AES_128_GCM_SHA256: SupportedCipherSuite =
         quic: None,
     });
 
+#[cfg(feature = "aes-gcm")]
 pub const TLS13_AES_256_GCM_SHA384: SupportedCipherSuite =
     SupportedCipherSuite::Tls13(&Tls13CipherSuite {
         common: CipherSuiteCommon {
@@ -230,9 +230,7 @@ pub const TLS13_AES_256_GCM_SHA384: SupportedCipherSuite =
         quic: None,
     });
 
-const TLS13_AES_SUITES: &[SupportedCipherSuite] =
-    &[TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384];
-
+#[cfg(feature = "chacha20poly1305")]
 pub const TLS13_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
     SupportedCipherSuite::Tls13(&Tls13CipherSuite {
         common: CipherSuiteCommon {
@@ -245,11 +243,14 @@ pub const TLS13_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
         quic: None,
     });
 
-const TLS13_SUITES: &[SupportedCipherSuite] = misc::const_concat_slices!(
-    SupportedCipherSuite,
-    TLS13_AES_SUITES,
-    &[TLS13_CHACHA20_POLY1305_SHA256]
-);
+const TLS13_SUITES: &[SupportedCipherSuite] = &[
+        #[cfg(feature = "aes-gcm")]
+        TLS13_AES_128_GCM_SHA256,
+        #[cfg(feature = "aes-gcm")]
+        TLS13_AES_256_GCM_SHA384,
+        #[cfg(feature = "chacha20poly1305")]
+        TLS13_CHACHA20_POLY1305_SHA256
+];
 
 static ALL_CIPHER_SUITES: &[SupportedCipherSuite] = misc::const_concat_slices!(
     SupportedCipherSuite,
@@ -261,11 +262,24 @@ static ALL_CIPHER_SUITES: &[SupportedCipherSuite] = misc::const_concat_slices!(
     TLS13_SUITES,
 );
 
+#[cfg(feature = "p256")]
+pub use verify::ecdsa::{ECDSA_P256_SHA256, ECDSA_P256_SHA384};
+#[cfg(feature = "p384")]
+pub use verify::ecdsa::{ECDSA_P384_SHA256, ECDSA_P384_SHA384};
+
+#[cfg(feature = "ed25519")]
+pub use verify::eddsa::ED25519;
+
+#[cfg(feature = "rsa")]
+pub use verify::rsa::{RSA_PKCS1_SHA256, RSA_PKCS1_SHA384, RSA_PKCS1_SHA512, RSA_PSS_SHA256, RSA_PSS_SHA384, RSA_PSS_SHA512};
+
 mod aead;
 mod hash;
 mod hmac;
+
 mod kx;
 mod misc;
+#[cfg(feature = "quic")]
 pub mod quic;
 pub mod sign;
 mod verify;