Bump MSRV to 1.70.0 (#822)

* Bump MSRV to 1.70.0

* Use toml_edit v0.23

* Fix format

* 'untrusted' dependency remains on 0.7.1

Author: justsmth

.github/workflows/integration.yml

@@ -335,13 +335,13 @@ jobs:
       - name: Install MSRV Rust version
         uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: 1.63.0 # TODO: dynamically identify MSRV
+          toolchain: 1.70.0 # TODO: dynamically identify MSRV
 
       - name: Update dependencies
         run: |
-          cargo +1.63.0 update
-          cargo +1.63.0 tree
+          cargo +1.70.0 update
+          cargo +1.70.0 tree
 
       - name: Verify msrv
         working-directory: ./aws-lc-rs
-        run: cargo +1.63.0 check --features bindgen
+        run: cargo +1.70.0 check --features bindgen

Cargo.toml

@@ -15,6 +15,24 @@ exclude = [
 ]
 resolver = "2"
 
+[workspace.dependencies]
+bindgen = "0.72.0"
+cc = "1.2.26"
+clap = "=4.4.18"# v4.5 is MSRV 1.74
+cmake = "0.1.54"
+criterion = "0.5.1" # v0.6.0 depends on clap v4.5
+dunce = "1.0.5"
+fs_extra = "1.3.0"
+hex = "0.4.3"
+lazy_static = "1.5.0"
+openssl = "0.10.73"
+paste = "1.0.15"
+regex = "1.11.1"
+ring = "0.17.14"
+untrusted = "0.7.1"
+zeroize = "1.8.1"
+toml_edit = "0.23.0"
+
 [profile.bench]
 lto = true
 

aws-lc-fips-sys/Cargo.toml

@@ -7,7 +7,7 @@ authors = ["AWS-LC"]
 edition = "2021"
 repository = "https://github.com/aws/aws-lc-rs"
 license = "ISC AND (Apache-2.0 OR ISC) AND OpenSSL"
-rust-version = "1.63.0"
+rust-version = "1.70.0"
 include = [
     "LICENSE",
     "/aws-lc/**/*.c",
@@ -65,21 +65,20 @@ bindgen = [
 ] # Generate the bindings on the targeted platform as a fallback mechanism.
 
 [build-dependencies]
-cmake = "0.1.48"
-dunce = "1.0"
-fs_extra = "1.3"
-cc = "1.0.100"
-regex = "1"
+cmake.workspace = true
+dunce.workspace = true
+fs_extra.workspace = true
+cc.workspace = true
+regex.workspace = true
 
 [target.'cfg(all(any(target_arch = "x86_64", target_arch = "aarch64"), any(target_os = "linux", target_os = "macos"), any(target_env = "gnu", target_env = "musl", target_env = "")))'.build-dependencies]
-bindgen = { version = "0.69.5", optional = true }
+bindgen = { workspace = true, optional = true }
 
 [target.'cfg(not(all(any(target_arch = "x86_64", target_arch = "aarch64"), any(target_os = "linux", target_os = "macos"), any(target_env = "gnu", target_env = "musl", target_env = ""))))'.build-dependencies]
-bindgen = { version = "0.69.5" }
+bindgen = { workspace = true }
 
 [dev-dependencies]
-# Pinned dependency to preserve MSRV: 1.60.0  <= rust-version < 1.65.0
-regex = "~1.9.6"
+regex.workspace = true
 
 [package.metadata.aws-lc-fips-sys]
 commit-hash = "205ad181868086a090e6b766c076a9732ad354c7"

aws-lc-fips-sys/builder/main.rs

@@ -775,7 +775,7 @@ fn invoke_external_bindgen(
         "functions,types,vars,methods,constructors,destructors",
         header.as_str(),
         "--rust-target",
-        r"1.59",
+        r"1.70",
         "--output",
         gen_bindings_path.to_str().unwrap(),
         "--formatter",

aws-lc-fips-sys/builder/sys_bindgen.rs

@@ -42,6 +42,7 @@ fn prepare_bindings_builder(manifest_dir: &Path, options: &BindingOptions) -> bi
         .allowlist_file(r".*(/|\\)openssl((/|\\)[^/\\]+)+\.h")
         .allowlist_file(r".*(/|\\)rust_wrapper\.h")
         .rustified_enum(r"point_conversion_form_t")
+        .rust_target(bindgen::RustTarget::stable(70, 0).unwrap())
         .default_macro_constant_type(bindgen::MacroTypeVariation::Signed)
         .generate_comments(true)
         .fit_macro_constants(false)

aws-lc-rs-testing/Cargo.toml

@@ -3,7 +3,7 @@ name = "aws-lc-rs-testing"
 authors = ["AWS-LibCrypto"]
 version = "0.1.0"
 edition = "2021"
-rust-version = "1.63"
+rust-version = "1.70.0"
 publish = false
 
 [features]
@@ -16,11 +16,11 @@ asan = ["aws-lc-rs/asan"]
 
 [dev-dependencies]
 aws-lc-rs = { version = "1.0", path = "../aws-lc-rs", features = ["ring-sig-verify", "unstable"] }
-untrusted = { version = "0.7.1" }
-paste = "1.0.11"
-criterion = { version = "0.5.0", features = ["csv_output"] }
-ring = "0.17"
-openssl = { version = "0.10.52", features = ["vendored"] }
+untrusted.workspace = true
+paste.workspace = true
+criterion = { workspace = true, features = ["csv_output"] }
+ring.workspace = true
+openssl = { workspace = true, features = ["vendored"] }
 
 [[bench]]
 name = "aead_benchmark"

aws-lc-rs/Cargo.toml

@@ -5,7 +5,7 @@ version = "1.13.3"
 # this crate re-exports whatever sys crate that was selected
 links = "aws_lc_rs_1_13_3_sys"
 edition = "2021"
-rust-version = "1.63.0"
+rust-version = "1.70.0"
 keywords = ["crypto", "cryptography", "security"]
 license = "ISC AND (Apache-2.0 OR ISC)"
 description = "aws-lc-rs is a cryptographic library using AWS-LC for its cryptographic operations. This library strives to be API-compatible with the popular Rust library named ring."
@@ -46,31 +46,17 @@ non-fips = ["aws-lc-sys"]
 fips = ["dep:aws-lc-fips-sys"]
 
 [dependencies]
-untrusted = { version = "0.7.1", optional = true }
+untrusted = { workspace = true, optional = true }
 aws-lc-sys = { version = "0.30.0", path = "../aws-lc-sys", optional = true }
 aws-lc-fips-sys = { version = "0.13.1", path = "../aws-lc-fips-sys", optional = true }
-zeroize = "1.7"
+zeroize.workspace = true
 
 [dev-dependencies]
-paste = "1.0.11"
-lazy_static = "1.4.0"
-clap = { version = "4.1.8", features = ["derive"] }
-hex = "0.4.3"
-
-# Pinned dependency to preserve MSRV: 1.63.0 <= rust-version < 1.70.0
-which = "5.0.0"
-# Pinned dependency to preserve MSRV: ??? <= rust-version < 1.70.0
-home = "=0.5.5"
-# Pinned dependency to preserve MSRV: 1.60.0  <= rust-version < 1.65.0
-regex = "<1.10.0"
-# Pinned dependency to preserve MSRV: ??? <= rust-version < 1.65.0
-regex-automata = "~0.3.9"
-# Pinned dependency to preserve MSRV: 1.60.0  <= rust-version < 1.65.0
-regex-syntax = "~0.7.5"
-# Pinned to avoid build failure in older versions
-proc-macro2 = "1.0.60"
-# Pinned dependency to preserve MSRV: 1.60.0  <= rust-version < 1.70.0
-once_cell = "~1.20.3"
+paste.workspace = true
+lazy_static.workspace = true
+clap = { workspace = true, features = ["derive"] }
+hex.workspace = true
+regex.workspace = true
 
 [package.metadata.cargo-udeps.ignore]
 development = ["which", "home", "regex", "regex-automata", "regex-syntax", "proc-macro2", "jobserver", "cc", "once_cell"]

aws-lc-rs/src/cipher/aes.rs

@@ -49,12 +49,11 @@ pub(super) fn encrypt_ctr_mode(
     context: EncryptionContext,
     in_out: &mut [u8],
 ) -> Result<DecryptionContext, Unspecified> {
-    #[allow(clippy::match_wildcard_for_single_variants)]
-    let key = match &key {
-        SymmetricCipherKey::Aes128 { enc_key, .. }
-        | SymmetricCipherKey::Aes192 { enc_key, .. }
-        | SymmetricCipherKey::Aes256 { enc_key, .. } => enc_key,
-        _ => unreachable!(),
+    let (SymmetricCipherKey::Aes128 { enc_key, .. }
+    | SymmetricCipherKey::Aes192 { enc_key, .. }
+    | SymmetricCipherKey::Aes256 { enc_key, .. }) = &key
+    else {
+        unreachable!()
     };
 
     let mut iv = {
@@ -65,7 +64,7 @@ pub(super) fn encrypt_ctr_mode(
 
     let mut buffer = [0u8; AES_BLOCK_LEN];
 
-    aes_ctr128_encrypt(key, &mut iv, &mut buffer, in_out);
+    aes_ctr128_encrypt(enc_key, &mut iv, &mut buffer, in_out);
     iv.zeroize();
 
     Ok(context.into())
@@ -85,12 +84,11 @@ pub(super) fn encrypt_cbc_mode(
     context: EncryptionContext,
     in_out: &mut [u8],
 ) -> Result<DecryptionContext, Unspecified> {
-    #[allow(clippy::match_wildcard_for_single_variants)]
-    let key = match &key {
-        SymmetricCipherKey::Aes128 { enc_key, .. }
-        | SymmetricCipherKey::Aes192 { enc_key, .. }
-        | SymmetricCipherKey::Aes256 { enc_key, .. } => enc_key,
-        _ => unreachable!(),
+    let (SymmetricCipherKey::Aes128 { enc_key, .. }
+    | SymmetricCipherKey::Aes192 { enc_key, .. }
+    | SymmetricCipherKey::Aes256 { enc_key, .. }) = &key
+    else {
+        unreachable!()
     };
 
     let mut iv = {
@@ -99,7 +97,7 @@ pub(super) fn encrypt_cbc_mode(
         iv
     };
 
-    aes_cbc_encrypt(key, &mut iv, in_out);
+    aes_cbc_encrypt(enc_key, &mut iv, in_out);
     iv.zeroize();
 
     Ok(context.into())
@@ -111,12 +109,11 @@ pub(super) fn decrypt_cbc_mode<'in_out>(
     context: DecryptionContext,
     in_out: &'in_out mut [u8],
 ) -> Result<&'in_out mut [u8], Unspecified> {
-    #[allow(clippy::match_wildcard_for_single_variants)]
-    let key = match &key {
-        SymmetricCipherKey::Aes128 { dec_key, .. }
-        | SymmetricCipherKey::Aes192 { dec_key, .. }
-        | SymmetricCipherKey::Aes256 { dec_key, .. } => dec_key,
-        _ => unreachable!(),
+    let (SymmetricCipherKey::Aes128 { dec_key, .. }
+    | SymmetricCipherKey::Aes192 { dec_key, .. }
+    | SymmetricCipherKey::Aes256 { dec_key, .. }) = &key
+    else {
+        unreachable!()
     };
 
     let mut iv = {
@@ -125,7 +122,7 @@ pub(super) fn decrypt_cbc_mode<'in_out>(
         iv
     };
 
-    aes_cbc_decrypt(key, &mut iv, in_out);
+    aes_cbc_decrypt(dec_key, &mut iv, in_out);
     iv.zeroize();
 
     Ok(in_out)
@@ -138,12 +135,11 @@ pub(super) fn encrypt_cfb_mode(
     context: EncryptionContext,
     in_out: &mut [u8],
 ) -> Result<DecryptionContext, Unspecified> {
-    #[allow(clippy::match_wildcard_for_single_variants)]
-    let key = match &key {
-        SymmetricCipherKey::Aes128 { enc_key, .. }
-        | SymmetricCipherKey::Aes192 { enc_key, .. }
-        | SymmetricCipherKey::Aes256 { enc_key, .. } => enc_key,
-        _ => unreachable!(),
+    let (SymmetricCipherKey::Aes128 { enc_key, .. }
+    | SymmetricCipherKey::Aes192 { enc_key, .. }
+    | SymmetricCipherKey::Aes256 { enc_key, .. }) = &key
+    else {
+        unreachable!()
     };
 
     let mut iv = {
@@ -158,7 +154,7 @@ pub(super) fn encrypt_cfb_mode(
         _ => unreachable!(),
     };
 
-    cfb_encrypt(key, &mut iv, in_out);
+    cfb_encrypt(enc_key, &mut iv, in_out);
     iv.zeroize();
 
     Ok(context.into())
@@ -171,12 +167,11 @@ pub(super) fn decrypt_cfb_mode<'in_out>(
     context: DecryptionContext,
     in_out: &'in_out mut [u8],
 ) -> Result<&'in_out mut [u8], Unspecified> {
-    #[allow(clippy::match_wildcard_for_single_variants)]
-    let key = match &key {
-        SymmetricCipherKey::Aes128 { enc_key, .. }
-        | SymmetricCipherKey::Aes192 { enc_key, .. }
-        | SymmetricCipherKey::Aes256 { enc_key, .. } => enc_key,
-        _ => unreachable!(),
+    let (SymmetricCipherKey::Aes128 { enc_key, .. }
+    | SymmetricCipherKey::Aes192 { enc_key, .. }
+    | SymmetricCipherKey::Aes256 { enc_key, .. }) = &key
+    else {
+        unreachable!()
     };
 
     let mut iv = {
@@ -191,7 +186,7 @@ pub(super) fn decrypt_cfb_mode<'in_out>(
         _ => unreachable!(),
     };
 
-    cfb_decrypt(key, &mut iv, in_out);
+    cfb_decrypt(enc_key, &mut iv, in_out);
 
     iv.zeroize();
 
@@ -208,18 +203,17 @@ pub(super) fn encrypt_ecb_mode(
         unreachable!();
     }
 
-    #[allow(clippy::match_wildcard_for_single_variants)]
-    let key = match &key {
-        SymmetricCipherKey::Aes128 { enc_key, .. }
-        | SymmetricCipherKey::Aes192 { enc_key, .. }
-        | SymmetricCipherKey::Aes256 { enc_key, .. } => enc_key,
-        _ => unreachable!(),
+    let (SymmetricCipherKey::Aes128 { enc_key, .. }
+    | SymmetricCipherKey::Aes192 { enc_key, .. }
+    | SymmetricCipherKey::Aes256 { enc_key, .. }) = &key
+    else {
+        unreachable!()
     };
 
     let mut in_out_iter = in_out.chunks_exact_mut(AES_BLOCK_LEN);
 
     for block in in_out_iter.by_ref() {
-        aes_ecb_encrypt(key, block);
+        aes_ecb_encrypt(enc_key, block);
     }
 
     // This is a sanity check that should not happen. We validate in `encrypt` that in_out.len() % block_len == 0
@@ -239,19 +233,18 @@ pub(super) fn decrypt_ecb_mode<'in_out>(
         unreachable!();
     }
 
-    #[allow(clippy::match_wildcard_for_single_variants)]
-    let key = match &key {
-        SymmetricCipherKey::Aes128 { dec_key, .. }
-        | SymmetricCipherKey::Aes192 { dec_key, .. }
-        | SymmetricCipherKey::Aes256 { dec_key, .. } => dec_key,
-        _ => unreachable!(),
+    let (SymmetricCipherKey::Aes128 { dec_key, .. }
+    | SymmetricCipherKey::Aes192 { dec_key, .. }
+    | SymmetricCipherKey::Aes256 { dec_key, .. }) = &key
+    else {
+        unreachable!()
     };
 
     {
         let mut in_out_iter = in_out.chunks_exact_mut(AES_BLOCK_LEN);
 
         for block in in_out_iter.by_ref() {
-            aes_ecb_decrypt(key, block);
+            aes_ecb_decrypt(dec_key, block);
         }
 
         // This is a sanity check hat should not fail. We validate in `decrypt` that in_out.len() % block_len == 0 for

aws-lc-rs/src/digest.rs

@@ -39,16 +39,14 @@ use crate::aws_lc::{
 };
 use crate::error::Unspecified;
 use crate::ptr::ConstPointer;
+use core::ffi::c_uint;
 use core::mem::MaybeUninit;
 use digest_ctx::DigestContext;
 pub use sha::{
     SHA1_FOR_LEGACY_USE_ONLY, SHA1_OUTPUT_LEN, SHA224, SHA224_OUTPUT_LEN, SHA256,
     SHA256_OUTPUT_LEN, SHA384, SHA384_OUTPUT_LEN, SHA3_256, SHA3_384, SHA3_512, SHA512, SHA512_256,
     SHA512_256_OUTPUT_LEN, SHA512_OUTPUT_LEN,
 };
-// TODO: Uncomment when MSRV >= 1.64
-//use core::ffi::c_uint;
-use std::os::raw::c_uint;
 
 /// A context for multi-step (Init-Update-Finish) digest calculations.
 //

aws-lc-rs/src/ec.rs

@@ -20,9 +20,7 @@ use crate::error::{KeyRejected, Unspecified};
 use crate::fips::indicator_check;
 use crate::ptr::{ConstPointer, LcPtr};
 use crate::signature::Signature;
-// TODO: Uncomment when MSRV >= 1.64
-//use core::ffi::c_int;
-use std::os::raw::c_int;
+use core::ffi::c_int;
 use std::ptr::null;
 
 pub(crate) mod encoding;