diff --git a/src/aead.rs b/src/aead.rs index 7bb0d15..06b002c 100644 --- a/src/aead.rs +++ b/src/aead.rs @@ -120,7 +120,7 @@ mod test { match &test.result { TestResult::Invalid => { - if test.flags.iter().any(|flag| *flag == TestFlag::ModifiedTag) { + if test.flags.contains(&TestFlag::ModifiedTag) { assert_ne!( actual_tag[..], test.tag[..], diff --git a/src/hkdf.rs b/src/hkdf.rs index 9a57ef9..1700317 100644 --- a/src/hkdf.rs +++ b/src/hkdf.rs @@ -108,7 +108,6 @@ impl RustlsHkdfExpander for HkdfExpander { } fn add_hkdf_info(ctx: &mut PkeyCtxRef, info: &[&[u8]]) -> Result<(), ErrorStack> { - #[cfg(bugged_add_hkdf_info)] let bugged_version = true; diff --git a/src/kx_group/ec.rs b/src/kx_group/ec.rs index c595d29..db36c15 100644 --- a/src/kx_group/ec.rs +++ b/src/kx_group/ec.rs @@ -33,7 +33,7 @@ pub const SECP384R1: &dyn SupportedKxGroup = &EcKxGroup { }; impl SupportedKxGroup for EcKxGroup { - fn start(&self) -> Result, Error> { + fn start(&self) -> Result, Error> { EcGroup::from_curve_name(self.nid) .and_then(|group| { let priv_key = EcKey::generate(&group)?; diff --git a/src/kx_group/kem.rs b/src/kx_group/kem.rs index 82d20b5..a7e6094 100644 --- a/src/kx_group/kem.rs +++ b/src/kx_group/kem.rs @@ -56,7 +56,7 @@ impl KxGroup { } impl SupportedKxGroup for KxGroup { - fn start(&self) -> Result, Error> { + fn start(&self) -> Result, Error> { self.start_internal() .map(|kx| Box::new(kx) as Box) } @@ -125,7 +125,7 @@ struct X25519HybridKeyExchange { } impl SupportedKxGroup for X25519HybridKxGroup { - fn start(&self) -> Result, Error> { + fn start(&self) -> Result, Error> { self.0.start_internal().map(|inner| { let pub_key = inner.pub_key(); let classical_pub_key = pub_key[pub_key.len() - 32..].to_vec(); diff --git a/src/kx_group/mod.rs b/src/kx_group/mod.rs index fc78a0a..da0e1a2 100644 --- a/src/kx_group/mod.rs +++ b/src/kx_group/mod.rs 
@@ -9,12 +9,16 @@ mod x25519; #[cfg(not(feature = "fips"))] pub use x25519::X25519; -#[cfg(ossl350)] mod kem; -#[cfg(ossl350)] pub use kem::{MLKEM768, X25519MLKEM768}; -/// Key exchanges enabled by default by this provider: +/// Key exchanges enabled by default by this provider. +/// +/// This list is compile-time and feature-based only. It does not account for +/// whether algorithms are available from OpenSSL at runtime. +/// Use [available_default_kx_groups()] for runtime-available defaults. +/// +/// Compile-time set: /// * [X25519MLKEM768] (OpenSSL 3.5+) /// * [X25519] (if fips feature not enabled) /// * [SECP384R1] @@ -23,17 +27,23 @@ pub use kem::{MLKEM768, X25519MLKEM768}; /// If the `prefer-post-quantum` feature is enabled, X25519MLKEM768 will /// be the first group offered, otherwise it will be the last. pub static DEFAULT_KX_GROUPS: &[&dyn SupportedKxGroup] = &[ - #[cfg(all(ossl350, feature = "prefer-post-quantum"))] + #[cfg(feature = "prefer-post-quantum")] X25519MLKEM768, #[cfg(not(feature = "fips"))] X25519, SECP256R1, SECP384R1, - #[cfg(all(ossl350, not(feature = "prefer-post-quantum")))] + #[cfg(not(feature = "prefer-post-quantum"))] X25519MLKEM768, ]; -/// All key exchanges supported by this provider: +/// All key exchanges supported by this provider. +/// +/// This list is compile-time and feature-based only. It does not account for +/// whether algorithms are available from the active OpenSSL provider at runtime. +/// Use [available_kx_groups()] for runtime-available groups. +/// +/// Compile-time set: /// * [X25519MLKEM768] (OpenSSL 3.5+) /// * [X25519] (if fips feature not enabled) /// * [SECP384R1] 
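Review bot: The `ossl350` gates are removed from `mod kem` in this hunk and from the `X25519MLKEM768` entries of `DEFAULT_KX_GROUPS` / `ALL_KX_GROUPS` in the next two hunks, so both public statics list the hybrid group even on builds against OpenSSL older than 3.5, and with `prefer-post-quantum` it is the first entry. A caller that passes either slice unfiltered into a `CryptoProvider` would, as far as the visible code shows, only find out when `start()` returns an error during a handshake. The new doc text points to the runtime-filtered functions, but the retained bullet `(OpenSSL 3.5+)` still reads as if the entry were conditional. I would reword it to something like `/// * [X25519MLKEM768] (always listed; start() fails when OpenSSL lacks ML-KEM, i.e. before 3.5)` in both doc comments.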
@@ -43,14 +53,31 @@ pub static DEFAULT_KX_GROUPS: &[&dyn SupportedKxGroup] = &[ /// If the `prefer-post-quantum` feature is enabled, X25519MLKEM768 will /// be the first group offered, otherwise it will be the last. pub static ALL_KX_GROUPS: &[&dyn SupportedKxGroup] = &[ - #[cfg(all(ossl350, feature = "prefer-post-quantum"))] + #[cfg(feature = "prefer-post-quantum")] X25519MLKEM768, #[cfg(not(feature = "fips"))] X25519, SECP256R1, SECP384R1, - #[cfg(all(ossl350, not(feature = "prefer-post-quantum")))] + #[cfg(not(feature = "prefer-post-quantum"))] X25519MLKEM768, - #[cfg(ossl350)] MLKEM768, ]; + +/// Returns the algorithms from [DEFAULT_KX_GROUPS] that are available at runtime. +pub fn available_default_kx_groups() -> Vec<&'static dyn SupportedKxGroup> { + DEFAULT_KX_GROUPS + .iter() + .copied() + .filter(|group| group.start().is_ok()) + .collect() +} + +/// Returns the algorithms from [ALL_KX_GROUPS] that are available at runtime. +pub fn available_kx_groups() -> Vec<&'static dyn SupportedKxGroup> { + ALL_KX_GROUPS + .iter() + .copied() + .filter(|group| group.start().is_ok()) + .collect() +} diff --git a/src/lib.rs b/src/lib.rs index 330bf67..fc3fa7a 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -34,7 +34,7 @@ //! * SECP256R1 //! * X25519 //! * MLKEM768 (OpenSSL 3.5+) -//! +//! //! If the `fips` feature is enabled then X25519 will not be available. //! If the `prefer-post-quantum` feature is enabled, X25519MLKEM768 will be the first group offered, otherwise it will be the last. //! MLKEM768 is not offered by default, but can be used by specifying it in the `custom_provider()` function. @@ -122,7 +122,7 @@ pub use verify::SUPPORTED_SIG_ALGS; pub fn default_provider() -> CryptoProvider { CryptoProvider { cipher_suites: ALL_CIPHER_SUITES.to_vec(), - kx_groups: kx_group::DEFAULT_KX_GROUPS.to_vec(), + kx_groups: kx_group::available_default_kx_groups(), signature_verification_algorithms: SUPPORTED_SIG_ALGS, secure_random: &SecureRandom, key_provider: &KeyProvider, 
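Review bot: `available_default_kx_groups()` and `available_kx_groups()` decide availability with `group.start().is_ok()`, which discards the error and, judging by the `EcKey::generate` call visible in `src/kx_group/ec.rs`, generates a real ephemeral key per group on every call. Any failure, not only "algorithm not present", silently removes a group, so a transient error can drop the hybrid post-quantum group or leave the list empty with no signal to the caller. The two bodies are also identical. I would share one private helper, probe once per process, and document that any `start()` error counts as unavailable. Caching assumes the set of loaded OpenSSL providers does not change after first use and would make a transient failure sticky, so that trade-off needs confirming.

```rust
/// Keeps the groups whose `start()` succeeds; any error counts as "unavailable".
fn runtime_available(
    groups: &'static [&'static dyn SupportedKxGroup],
) -> Vec<&'static dyn SupportedKxGroup> {
    groups
        .iter()
        .copied()
        .filter(|group| group.start().is_ok())
        .collect()
}

/// Returns the algorithms from [DEFAULT_KX_GROUPS] that are available at runtime.
pub fn available_default_kx_groups() -> Vec<&'static dyn SupportedKxGroup> {
    // Probe once: each probe performs a full key generation per group.
    static PROBED: std::sync::OnceLock<Vec<&'static dyn SupportedKxGroup>> =
        std::sync::OnceLock::new();
    PROBED
        .get_or_init(|| runtime_available(DEFAULT_KX_GROUPS))
        .clone()
}

// … available_kx_groups(): same shape over ALL_KX_GROUPS …
```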
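Review bot: In `src/lib.rs`, `default_provider()` now returns whatever survives the runtime probe, so `kx_groups` can differ between hosts and can in principle be empty, yet the crate-level list in the hunk just above still reads as a fixed set. The function's doc comment is outside this hunk; it should state the new behaviour, e.g. `/// Key exchange groups are filtered at runtime via [kx_group::available_default_kx_groups()]; the result may be shorter than [kx_group::DEFAULT_KX_GROUPS].` A test asserting that the returned `kx_groups` is non-empty on each supported OpenSSL version would catch a probe regression before it surfaces as handshake failures.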
diff --git a/src/openssl_internal/mod.rs b/src/openssl_internal/mod.rs index 765619a..2dbfa34 100644 --- a/src/openssl_internal/mod.rs +++ b/src/openssl_internal/mod.rs @@ -4,7 +4,6 @@ use openssl_sys::c_int; #[cfg(ossl320)] mod hpke; -#[cfg(ossl350)] pub(crate) mod kem; #[cfg(feature = "tls12")] pub(crate) mod prf; @@ -18,7 +17,6 @@ pub(crate) fn cvt(r: c_int) -> Result { } } -#[cfg(ossl320)] #[inline] fn cvt_p(r: *mut T) -> Result<*mut T, ErrorStack> { if r.is_null() {
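Review bot: Dropping `#[cfg(ossl350)]` from `pub(crate) mod kem;` means the KEM bindings are now compiled and linked against every OpenSSL version the crate supports. `kem.rs` is not part of this diff, so it cannot be checked here whether it references symbols that older libraries lack; if it does, the failure would be a build or link error rather than the runtime `start()` error the new filtering relies on. I would add a CI job against the oldest supported OpenSSL and a comment at the declaration such as `// Built unconditionally; ML-KEM availability is detected at runtime by probing start().` The second hunk's removal of `#[cfg(ossl320)]` from `cvt_p` looks like a consequence of this (presumably `kem` calls it); `cvt_p`'s body continues outside the hunk.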