271acbb315
- Bump boring/boring-sys from v4 to v5 (zero API breaks) - Merge fips/fips-only into a single fips feature that both enables FIPS-validated BoringSSL and restricts algorithms to SP 800-52r2 - Tighten FIPS KX groups to P-256 and P-384 only (aligned with boring's fips202205 compliance policy) - Remove ECDSA_P521_SHA512 from FIPS signature verification set - Simplify fips feature to forward boring/fips only (drop redundant boring-sys/fips) - Add fips-precompiled as deprecated alias matching boring's naming - Change default features to empty (TLS 1.2 now requires explicit tls12 feature opt-in) - Gate TLS 1.2 code paths properly so the crate compiles and passes tests with default (TLS 1.3 only) features - Update README to reflect current state: boring v5, feature docs, FIPS mode documentation, workspace structure
51 lines
1.8 KiB
TOML
51 lines
1.8 KiB
TOML
[package]
|
|
name = "boring-rustls-provider"
|
|
version = "0.0.1"
|
|
authors = ["Jan Rüth <boring-rustls-provider@djiehmail.com>"]
|
|
edition = "2021"
|
|
license = "MIT"
|
|
description = "Boringssl rustls provider"
|
|
publish = false
|
|
|
|
[features]
|
|
default = []
|
|
|
|
# Build against a FIPS-validated version of BoringSSL and restrict the
|
|
# provider to FIPS-approved algorithms only. This affects:
|
|
# - Cipher suites: AES-GCM only (no ChaCha20-Poly1305).
|
|
# - Key exchange groups: P-256 and P-384 only (no X25519, X448, P-521,
|
|
# or FFDHE). P256Kyber768Draft00 will be added once implemented.
|
|
# - Signature algorithms: RSA PKCS#1 / PSS and ECDSA with P-256/P-384
|
|
# only (no P-521, Ed25519, or Ed448).
|
|
# Aligned with boring's `fips202205` compliance policy (SP 800-52r2).
|
|
fips = ["boring/fips"]
|
|
|
|
# Deprecated alias for `fips`. Matches the boring crate's feature name
|
|
# for backwards compatibility.
|
|
fips-precompiled = ["fips"]
|
|
|
|
# Enable TLS 1.2 cipher suites (ECDHE-ECDSA and ECDHE-RSA with AES-GCM
|
|
# and ChaCha20-Poly1305). Without this feature only TLS 1.3 is available.
|
|
tls12 = ["rustls/tls12"]
|
|
|
|
# Enable debug logging of BoringSSL errors and provider internals via
|
|
# the `log` crate. Useful for diagnosing handshake failures.
|
|
logging = ["log"]
|
|
|
|
[dependencies]
|
|
aead = {version = "0.5", default-features = false, features = ["alloc"] }
|
|
boring = { workspace = true }
|
|
boring-additions = { path = "../boring-additions" }
|
|
boring-sys = { workspace = true }
|
|
boring-sys-additions = { path = "../boring-sys-additions" }
|
|
foreign-types = "0.5"
|
|
log = { version = "0.4.4", optional = true }
|
|
rustls = { workspace = true }
|
|
rustls-pki-types = { workspace = true }
|
|
spki = "0.7"
|
|
|
|
[dev-dependencies]
|
|
hex-literal = "1"
|
|
rcgen = "0.12"
|
|
tokio = { version = "1.34", features = ["macros", "rt", "net", "io-util", "io-std"] }
|
|
tokio-rustls = { workspace = true }
|