diff --git a/README.md b/README.md
index f4765e5..2ade7a7 100644
--- a/README.md
+++ b/README.md
@@ -4,3 +4,36 @@ An experimental [rustls Crypto Provider](https://docs.rs/rustls/latest/rustls/cr
 ## Usage
 The main entry points are the `rustls_openssl::default_provider` and `rustls_openssl::custom_provider` functions. See the [rustls documentation]((https://docs.rs/rustls/latest/rustls/crypto/struct.CryptoProvider.html)) for how to use them.
+
+## Supported Ciphers
+
+Supported cipher suites are listed below, in descending order of preference.
+
+### TLS 1.3
+
+```
+TLS13_AES_256_GCM_SHA384
+TLS13_AES_128_GCM_SHA256
+TLS13_CHACHA20_POLY1305_SHA256 // Requires the `chacha` feature
+```
+
+### TLS 1.2
+
+```
+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 // Requires the `chacha` feature
+```
+## Supported Key Exchanges
+
+Key exchanges, in descending order ofpreference:
+
+```
+SECP384R1
+SECP256R1
+X25519 // Requires the `x25519` feature
+```
+
+## Signature verification algorithms
+
+ECDSA signature verification is done using the webpki ring implementation. ED25119 and RSA signature verification is done using openssl.
diff --git a/src/lib.rs b/src/lib.rs
index a511411..efc62a5 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -265,12 +265,15 @@ static ALL_CIPHER_SUITES: &[SupportedCipherSuite] = &[
 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 ];
+// TODO implement ECDSA verification. For now reuse webpki's ring implementation.
+use webpki::ring as webpki_algs;
+
 static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms {
 all: &[
- // webpki_algs::ECDSA_P256_SHA256,
- // webpki_algs::ECDSA_P256_SHA384,
- // webpki_algs::ECDSA_P384_SHA256,
- // webpki_algs::ECDSA_P384_SHA384,
+ webpki_algs::ECDSA_P256_SHA256,
+ webpki_algs::ECDSA_P256_SHA384,
+ webpki_algs::ECDSA_P384_SHA256,
+ webpki_algs::ECDSA_P384_SHA384,
 verify::ED25519,
 verify::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
 verify::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
@@ -281,21 +284,21 @@ static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms
 verify::RSA_PKCS1_3072_8192_SHA384,
 ],
 mapping: &[
- // Note: for TLS1.2 the curve is not fixed by SignatureScheme. For TLS1.3 it is.
- // (
- // SignatureScheme::ECDSA_NISTP384_SHA384,
- // &[
- // webpki_algs::ECDSA_P384_SHA384,
- // webpki_algs::ECDSA_P256_SHA384,
- // ],
- // ),
- // (
- // SignatureScheme::ECDSA_NISTP256_SHA256,
- // &[
- // webpki_algs::ECDSA_P256_SHA256,
- // webpki_algs::ECDSA_P384_SHA256,
- // ],
- // ),
+ //Note: for TLS1.2 the curve is not fixed by SignatureScheme. For TLS1.3 it is.
+ (
+ SignatureScheme::ECDSA_NISTP384_SHA384,
+ &[
+ webpki_algs::ECDSA_P384_SHA384,
+ webpki_algs::ECDSA_P256_SHA384,
+ ],
+ ),
+ (
+ SignatureScheme::ECDSA_NISTP256_SHA256,
+ &[
+ webpki_algs::ECDSA_P256_SHA256,
+ webpki_algs::ECDSA_P384_SHA256,
+ ],
+ ),
 (SignatureScheme::ED25519, &[verify::ED25519]),
 (
 SignatureScheme::RSA_PSS_SHA512,
diff --git a/tests/it.rs b/tests/it.rs
index bc0cc77..e07f69d 100644
--- a/tests/it.rs
+++ b/tests/it.rs
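Review bot: The `use webpki::ring as webpki_algs;` added between `ALL_CIPHER_SUITES` and `SUPPORTED_SIG_ALGS` is a file-level import dropped mid-file; move it up with the crate's other `use` items and turn the TODO into a doc comment on the static it explains, e.g. `/// ECDSA verification is delegated to webpki's ring backend until a native OpenSSL implementation exists; Ed25519 and RSA use the local `verify` module.` The import carries no `cfg`, so ring now appears to be linked into every build of this provider alongside OpenSSL, which presumably requires webpki's `ring` feature in Cargo.toml (not shown in the diff) and is a consequence worth stating in the crate docs, not only in the README. `SUPPORTED_SIG_ALGS` continues past the end of the hunk.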
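Review bot: The restored comment at the head of `mapping` lost the space after the slashes (`//Note: for TLS1.2 ...`); write it as `// Note: for TLS1.2 the curve is not fixed by SignatureScheme. For TLS1.3 it is.` to match the comment style used elsewhere in the file. The `mapping` array continues past the end of the hunk.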
@@ -226,11 +226,11 @@ fn test_with_custom_config_to_internet(
 SECP384R1,
 CipherSuite::TLS13_AES_256_GCM_SHA384
 )]
-#[case::tls_ecdhe_ecdsa_with_aes_256_gcm_sha384(
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- SECP384R1,
- CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-)]
+// #[case::tls_ecdhe_ecdsa_with_aes_256_gcm_sha384(
+// TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+// SECP384R1,
+// CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+// )]
 fn test_tls(
 #[case] suite: SupportedCipherSuite,
 #[case] group: &'static dyn SupportedKxGroup,
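Review bot: The `tls_ecdhe_ecdsa_with_aes_256_gcm_sha384` case is commented out rather than removed or gated, and nothing says why it had to go in the same commit that enables ECDSA verification; left like this it is dead code that will drift from `test_tls`'s signature unnoticed. If the provider no longer offers that suite (the README in this diff lists only `TLS_ECDHE_RSA_*` suites for TLS 1.2), delete the attribute, otherwise keep it with a reason such as `// TODO: re-enable once TLS_ECDHE_ECDSA_* suites are supported by the provider`. With this case gone it is not evident from the diff which test still exercises the ECDSA verification paths just enabled in `src/lib.rs`; an explicit case that negotiates against an ECDSA-certificate endpoint would close that gap. `test_tls` continues past the end of the hunk.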