upgrade to latest rustcrypto crates

Author: Steve Fan

Cargo.lock

@@ -11,61 +11,62 @@ readme = "README.md"
 repository = "https://github.com/RustCrypto/rustls-rustcrypto"
 categories = ["cryptography", "no-std"]
 keywords = ["rustls", "tls"]
-edition = "2021"
-rust-version = "1.75"
+edition = "2024"
+rust-version = "1.85"
 resolver = "2"
 
 # Ensure all dependencies + feats are mapped to crate features for correct usage
 # default features often have std breaking no_std and potentially other unwanted
 [dependencies]
 # Cryptographic dependencies
-aead = { version = "0.5.2", default-features = false, optional = true }
-aes = { version = "0.8.4", default-features = false, optional = true }
-aes-gcm = { version = "0.10.3", default-features = false, optional = true }
-ccm = { version = "0.5.0", default-features = false, optional = true }
-chacha20poly1305 = { version = "0.10.1", default-features = false, optional = true }
-crrl = { git = "https://github.com/stevefan1999-personal/crrl", version = "0.9.0", default-features = false, optional = true }
-crypto-common = { version = "0.1.6", default-features = false }
-der = { version = "0.7.10", default-features = false, optional = true }
-digest = { version = "0.10.7", default-features = false }
-ecdsa = { version = "0.16.9", default-features = false, optional = true }
-ed25519-dalek = { version = "2", default-features = false, optional = true }
-elliptic-curve = { version = "0.13.8", default-features = false, optional = true }
-hmac = { version = "0.12.1", default-features = false }
-p256 = { version = "0.13.2", default-features = false, optional = true }
-p384 = { version = "0.13.1", default-features = false, optional = true }
-p521 = { version = "0.13.3", default-features = false, optional = true }
-pkcs1 = { version = "0.7.5", default-features = false, optional = true }
-pkcs8 = { version = "0.10.2", default-features = false, optional = true }
-rsa = { version = "0.9.8", default-features = false, optional = true }
-sec1 = { version = "0.7.3", default-features = false, optional = true }
-sha2 = { version = "0.10.9", default-features = false }
-signature = { version = "2.2.0", default-features = false, optional = true }
+aead = { version = "0.6.0-rc.2", default-features = false, optional = true }
+aes = { version = "0.9.0-rc.1", default-features = false, optional = true }
+aes-gcm = { version = "0.11.0-rc.1", default-features = false, optional = true }
+ccm = { version = "0.6.0-pre", default-features = false, optional = true, git = "https://github.com/RustCrypto/AEADs/" }
+chacha20poly1305 = { version = "0.11.0-rc.1", default-features = false, optional = true }
+cipher = "0.5.0-rc.1"
+# crrl = { git = "https://github.com/stevefan1999-personal/crrl", version = "0.9.0", default-features = false, optional = true }
+crypto-common = { version = "0.2.0-rc.4", default-features = false }
+der = { version = "0.8.0-rc.8", default-features = false, optional = true }
+digest = { version = "0.11.0-rc.1", default-features = false }
+ecdsa = { version = "0.17.0-rc.6", default-features = false, optional = true }
+ed25519-dalek = { version = "3.0.0-pre.1", default-features = false, optional = true }
+elliptic-curve = { version = "0.14.0-rc.13", default-features = false, optional = true }
+hmac = { version = "0.13.0-rc.1", default-features = false }
+p256 = { version = "0.14.0-pre.10", default-features = false, optional = true }
+p384 = { version = "0.14.0-pre.10", default-features = false, optional = true }
+p521 = { version = "0.14.0-pre.10", default-features = false, optional = true }
+pkcs1 = { version = "0.8.0-rc.3", default-features = false, optional = true }
+pkcs8 = { version = "0.11.0-rc.6", default-features = false, optional = true }
+rsa = { version = "0.10.0-rc.6", default-features = false, optional = true }
+sec1 = { version = "0.8.0-rc.9", default-features = false, optional = true }
+sha2 = { version = "0.11.0-rc.2", default-features = false }
+signature = { version = "3.0.0-rc.3", default-features = false, optional = true }
 typenum = { version = "1.18.0", features = ["no_std", "const-generics"] }
-x25519-dalek = { version = "2", default-features = false, optional = true }
+x25519-dalek = { version = "3.0.0-pre.1", default-features = false, optional = true }
+x448 = { version = "0.14.0-pre.0", default-features = false, optional = true }
 
 # External groups
-getrandom = { version = "0.2", default-features = false, features = ["custom"] }
-paste = { version = "1.0.15", default-features = false }
+const-default = { version = "1.0.0", features = ["derive"] }
+getrandom = { version = "0.3", default-features = false }
 pki-types = { package = "rustls-pki-types", version = "1.12.0", default-features = false }
-rand_core = { version = "0.6.4", default-features = false, features = [
-    "getrandom",
+preinterpret = "0.2.0"
+rand_core = { version = "0.9.3", default-features = false, features = [
+    "os_rng"
 ], optional = true }
-rustls = { version = "0.23.27", default-features = false }
-webpki = { package = "rustls-webpki", version = "0.102.8", default-features = false, optional = true }
+rustls = { version = "0.23.31", default-features = false }
+webpki = { package = "rustls-webpki", version = "0.103.4", default-features = false, optional = true }
+paste = "1.0.15"
 
-[target.'cfg(target_arch = "wasm32")'.dependencies]
-getrandom = { version = "0.2", features = ["wasm-bindgen"] }
 
 [dev-dependencies]
 bytes = { version = "1.10.1", default-features = false }
-itertools = { version = "0.13.0", default-features = false }
-rsa = { version = "0.9.8", default-features = false, features = ["sha2"] }
-rustls = { version = "0.23.27", default-features = false, features = ["std"] }
-sha2 = { version = "0.10.9", default-features = false }
-spki = { version = "0.7.3", default-features = false, features = ["alloc"] }
+itertools = { version = "0.14.0", default-features = false }
+rsa = { version = "0.10.0-rc.6", default-features = false, features = ["sha2"] }
+rustls = { version = "0.23.31", default-features = false, features = ["std"] }
+spki = { version = "0.8.0-rc.4", default-features = false, features = ["alloc"] }
 x509-cert = { version = "0.2.5", default-features = false, features = [
-    "builder",
+    "builder", "hazmat"
 ] }
 
 [features]
@@ -104,13 +105,13 @@ zeroize = [
 subtle = ["digest/subtle", "pkcs8?/subtle", "sec1?/subtle"]
 fast = [
     "ed25519-dalek?/fast",
-    "rsa?/u64_digit",
+    # "rsa?/u64_digit",
     "x25519-dalek?/precomputed-tables",
 ]
 
 nist = []
-p256 = ["dep:p256", "nist"]
-p384 = ["dep:p384", "nist"]
+p256 = ["dep:p256", "nist", "p256/pkcs8"]
+p384 = ["dep:p384", "nist", "p384/pkcs8"]
 p521 = ["dep:p521", "nist"]
 ed25519 = ["dep:ed25519-dalek"]
 
@@ -203,10 +204,10 @@ hash-sha512 = ["hash"]
 hash-full = ["hash-sha224", "hash-sha256", "hash-sha384", "hash-sha512"]
 
 # Formats
-der = ["dep:der"]
-sec1 = ["dep:sec1", "elliptic-curve?/sec1", "sec1/pkcs8"]
+der = ["dep:der", "sec1?/der"]
+sec1 = ["dep:sec1", "elliptic-curve?/sec1"]
 pem = ["elliptic-curve?/pem", "ecdsa?/pem"]
-pkcs1 = ["dep:pkcs1"]
+pkcs1 = ["dep:pkcs1", "rsa?/encoding"]
 pkcs8 = [
     "dep:pkcs8",
     "ecdsa?/pkcs8",
@@ -215,7 +216,6 @@ pkcs8 = [
     "p256?/pkcs8",
     "p384?/pkcs8",
     "p521?/pkcs8",
-    "sec1?/pkcs8",
 ]
 
 aes = ["dep:aes"]
@@ -225,6 +225,6 @@ ccm = ["dep:ccm"]
 chacha20poly1305 = ["dep:chacha20poly1305"]
 elliptic-curve = ["dep:elliptic-curve"]
 gcm = []
-rand = ["dep:rand_core", "signature?/rand_core"]
+rand = ["dep:rand_core", "signature?/rand_core", "x25519-dalek?/os_rng"]
 signature = ["dep:signature"]
-x448 = ["dep:crrl", "crrl/x448"]
+x448 = ["dep:x448"]

Cargo.toml

@@ -1,18 +1,14 @@
 use aead::Buffer;
 use rustls::crypto::cipher::{BorrowedPayload, PrefixedPayload};
 
-#[cfg(feature = "chacha20poly1305")]
-pub const CHACHAPOLY1305_OVERHEAD: usize = 16;
-
-#[cfg(feature = "chacha20poly1305")]
-pub struct ChaCha20Poly1305;
-
 #[cfg(feature = "gcm")]
 pub mod gcm;
 
 #[cfg(feature = "ccm")]
 pub mod ccm;
 
+#[macro_use]
+pub(crate) mod common;
 pub(crate) struct EncryptBufferAdapter<'a>(pub(crate) &'a mut PrefixedPayload);
 
 impl AsRef<[u8]> for EncryptBufferAdapter<'_> {

src/aead.rs

@@ -1,12 +1,12 @@
-use aes::{Aes128, Aes256};
+use ::aes::{Aes128, Aes256};
 
 #[cfg(feature = "gcm")]
 use aes_gcm::AesGcm;
 
 #[cfg(feature = "ccm")]
 use {
     ccm::Ccm,
-    typenum::{U16, U8},
+    typenum::{U8, U16},
 };
 
 #[cfg(any(feature = "gcm", feature = "ccm"))]

src/aead/aes.rs

@@ -0,0 +1 @@
+

src/aead/common.rs

@@ -2,18 +2,21 @@
 use alloc::boxed::Box;
 
 use digest::{Digest, OutputSizeUser};
-use paste::paste;
+use preinterpret::preinterpret;
 use rustls::crypto::{self, hash};
 
 macro_rules! impl_hash {
     ($name:ident, $ty:ty, $algo:ty) => {
-        paste! {
+        preinterpret! {
+            [!set! #hash_name = [!ident! Hash_ $name]]
+            [!set! #hash_content_name = [!ident! HashContent_ $name]]
+
             #[allow(non_camel_case_types)]
-            pub struct [<Hash_ $name>];
+            pub struct #hash_name;
 
-            impl hash::Hash for [<Hash_ $name>] {
+            impl hash::Hash for #hash_name {
                 fn start(&self) -> Box<dyn hash::Context> {
-                    Box::new([<HashContent_ $name>]($ty::new()))
+                    Box::new(#hash_content_name($ty::new()))
                 }
 
                 fn hash(&self, data: &[u8]) -> hash::Output {
@@ -30,15 +33,15 @@ macro_rules! impl_hash {
             }
 
             #[allow(non_camel_case_types)]
-            pub struct [<HashContent_ $name>]($ty);
+            pub struct #hash_content_name($ty);
 
-            impl hash::Context for [<HashContent_ $name>] {
+            impl hash::Context for #hash_content_name {
                 fn fork_finish(&self) -> hash::Output {
                     hash::Output::new(&self.0.clone().finalize()[..])
                 }
 
                 fn fork(&self) -> Box<dyn hash::Context> {
-                    Box::new([<HashContent_ $name>](self.0.clone()))
+                    Box::new(#hash_content_name(self.0.clone()))
                 }
 
                 fn finish(self: Box<Self>) -> hash::Output {
@@ -50,7 +53,7 @@ macro_rules! impl_hash {
                 }
             }
 
-            pub const $name: &dyn crypto::hash::Hash = &[<Hash_ $name>];
+            pub const $name: &dyn crypto::hash::Hash = &#hash_name;
         }
     };
 }

src/hash.rs

@@ -1,23 +1,26 @@
 #[cfg(feature = "alloc")]
 use alloc::boxed::Box;
 
+use crypto_common::KeyInit;
 use crypto_common::OutputSizeUser;
-use paste::paste;
+use preinterpret::preinterpret;
 use rustls::crypto::hmac::{Hmac, Key, Tag};
 
 macro_rules! impl_hmac {
     (
         $name: ident,
         $ty: ty
     ) => {
-        paste! {
+        preinterpret! {
+            [!set! #hmac_type_name = [!ident! Hmac_ $name]]
+            [!set! #hmac_key_type_name = [!ident! HmacKey_ $name]]
+
             #[allow(non_camel_case_types)]
-            pub struct [<Hmac_ $name>];
+            pub struct #hmac_type_name;
 
-            impl Hmac for [<Hmac_ $name>] {
+            impl Hmac for #hmac_type_name {
                 fn with_key(&self, key: &[u8]) -> Box<dyn Key> {
-                    use ::hmac::Mac;
-                    Box::new([<HmacKey_ $name>](
+                    Box::new(#hmac_key_type_name(
                         ::hmac::Hmac::<$ty>::new_from_slice(key).unwrap(),
                     ))
                 }
@@ -28,9 +31,9 @@ macro_rules! impl_hmac {
             }
 
             #[allow(non_camel_case_types)]
-            pub struct [<HmacKey_ $name>](::hmac::Hmac<$ty>);
+            pub struct #hmac_key_type_name(::hmac::Hmac<$ty>);
 
-            impl Key for [<HmacKey_ $name>] {
+            impl Key for #hmac_key_type_name {
                 fn sign_concat(&self, first: &[u8], middle: &[&[u8]], last: &[u8]) -> Tag {
                     use ::hmac::Mac;
                     let mut ctx = self.0.clone();
@@ -46,7 +49,7 @@ macro_rules! impl_hmac {
                     $ty::output_size()
                 }
             }
-            pub const $name: &dyn Hmac = &[<Hmac_ $name>];
+            pub const $name: &dyn Hmac = &#hmac_type_name;
         }
     };
 }

src/hmac.rs

@@ -5,15 +5,17 @@ use alloc::boxed::Box;
 use crypto::{SharedSecret, SupportedKxGroup};
 
 #[cfg(feature = "kx-nist")]
-use paste::paste;
+use preinterpret::preinterpret;
 
 #[cfg(feature = "kx-nist")]
 use rustls::crypto;
 
 #[cfg(feature = "kx-nist")]
 macro_rules! impl_kx {
     ($name:ident, $kx_name:ty, $secret:ty, $public_key:ty) => {
-        paste! {
+        preinterpret! {
+            [!set! #key_exchange = [!ident! $name KeyExchange]]
+
             #[derive(Debug)]
             #[allow(non_camel_case_types)]
             pub struct $name;
@@ -24,24 +26,24 @@ macro_rules! impl_kx {
                 }
 
                 fn start(&self) -> Result<Box<dyn crypto::ActiveKeyExchange>, rustls::Error> {
-                    let priv_key = $secret::random(&mut rand_core::OsRng);
+                    let priv_key = $secret::try_from_rng(&mut rand_core::OsRng).unwrap();
                     let pub_key: $public_key = (&priv_key).into();
-                    Ok(Box::new([<$name KeyExchange>] {
+                    Ok(Box::new(#key_exchange {
                         priv_key,
                         pub_key: pub_key.to_sec1_bytes(),
                     }))
                 }
             }
 
             #[allow(non_camel_case_types)]
-            pub struct [<$name KeyExchange>] {
+            pub struct #key_exchange {
                 priv_key: $secret,
                 pub_key:  Box<[u8]>,
             }
 
-            impl crypto::ActiveKeyExchange for [<$name KeyExchange>] {
+            impl crypto::ActiveKeyExchange for #key_exchange {
                 fn complete(
-                    self: Box<[<$name KeyExchange>]>,
+                    self: Box<#key_exchange>,
                     peer: &[u8],
                 ) -> Result<SharedSecret, rustls::Error> {
                     let their_pub = $public_key::from_sec1_bytes(peer)
@@ -72,5 +74,46 @@ impl_kx! {SecP256R1, rustls::NamedGroup::secp256r1, ::p256::ecdh::EphemeralSecre
 #[cfg(feature = "kx-p384")]
 impl_kx! {SecP384R1, rustls::NamedGroup::secp384r1, ::p384::ecdh::EphemeralSecret, ::p384::PublicKey}
 
-#[cfg(feature = "kx-p521")]
-impl_kx! {SecP521R1, rustls::NamedGroup::secp521r1, ::p521::ecdh::EphemeralSecret, ::p521::PublicKey}
+#[derive(Debug)]
+#[allow(non_camel_case_types)]
+pub struct SecP521R1;
+
+impl crypto::SupportedKxGroup for SecP521R1 {
+    fn name(&self) -> rustls::NamedGroup {
+        rustls::NamedGroup::secp521r1
+    }
+    fn start(&self) -> Result<Box<dyn crypto::ActiveKeyExchange>, rustls::Error> {
+        let priv_key = ::p521::ecdh::EphemeralSecret::try_from_rng(&mut rand_core::OsRng).unwrap();
+        let pub_key: ::p521::PublicKey = (&priv_key).into();
+        Ok(Box::new(SecP521R1KeyExchange {
+            priv_key,
+            pub_key: pub_key.to_sec1_bytes(),
+        }))
+    }
+}
+#[allow(non_camel_case_types)]
+pub struct SecP521R1KeyExchange {
+    priv_key: ::p521::ecdh::EphemeralSecret,
+    pub_key: Box<[u8]>,
+}
+impl crypto::ActiveKeyExchange for SecP521R1KeyExchange {
+    fn complete(
+        self: Box<SecP521R1KeyExchange>,
+        peer: &[u8],
+    ) -> Result<SharedSecret, rustls::Error> {
+        let their_pub = ::p521::PublicKey::from_sec1_bytes(peer)
+            .map_err(|_| rustls::Error::from(rustls::PeerMisbehaved::InvalidKeyShare))?;
+        Ok(self
+            .priv_key
+            .diffie_hellman(&their_pub)
+            .raw_secret_bytes()
+            .as_slice()
+            .into())
+    }
+    fn pub_key(&self) -> &[u8] {
+        &self.pub_key
+    }
+    fn group(&self) -> rustls::NamedGroup {
+        SecP521R1.name()
+    }
+}