From 73b07b52d5b4f5a341856e707c52100efd71b682 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pascal=20Eng=C3=A9libert?= Date: Tue, 20 Jan 2026 09:31:06 +0100 Subject: [PATCH] Graviola --- Cargo.lock | 175 +++++++++++++++++++++++++++++++++++++++++++- rpxy-bin/Cargo.toml | 1 + rpxy-lib/Cargo.toml | 2 + rpxy-lib/src/lib.rs | 54 ++++++++++++++ 4 files changed, 231 insertions(+), 1 deletion(-) diff --git a/Cargo.lock b/Cargo.lock index c6601e8..2c88af4 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -677,6 +677,17 @@ version = "0.8.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b" +[[package]] +name = "core-models" +version = "0.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0940496e5c83c54f3b753d5317daec82e8edac71c33aaa1f666d76f518de2444" +dependencies = [ + "hax-lib", + "pastey", + "rand 0.9.2", +] + [[package]] name = "cpufeatures" version = "0.2.17" @@ -1263,6 +1274,16 @@ version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280" +[[package]] +name = "graviola" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b1662fcff7237fbe8c91ff2800fcce9435af25b7f0cb580f5679b31c3a1f1e7a" +dependencies = [ + "cfg-if", + "getrandom 0.3.3", +] + [[package]] name = "group" version = "0.13.0" 
@@ -1350,6 +1371,43 @@ dependencies = [ "foldhash 0.2.0", ] +[[package]] +name = "hax-lib" +version = "0.3.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "74d9ba66d1739c68e0219b2b2238b5c4145f491ebf181b9c6ab561a19352ae86" +dependencies = [ + "hax-lib-macros", + "num-bigint", + "num-traits", +] + +[[package]] +name = "hax-lib-macros" +version = "0.3.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "24ba777a231a58d1bce1d68313fa6b6afcc7966adef23d60f45b8a2b9b688bf1" +dependencies = [ + "hax-lib-macros-types", + "proc-macro-error2", + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "hax-lib-macros-types" +version = "0.3.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "867e19177d7425140b417cd27c2e05320e727ee682e98368f88b7194e80ad515" +dependencies = [ + "proc-macro2", + "quote", + "serde", + "serde_json", + "uuid", +] + [[package]] name = "hermit-abi" version = "0.5.2" 
@@ -1787,6 +1845,70 @@ version = "0.2.177" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2874a2af47a2325c2001a6e6fad9b16a53b802102b528163885171cf92b15976" +[[package]] +name = "libcrux-intrinsics" +version = "0.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bc9ee7ef66569dd7516454fe26de4e401c0c62073929803486b96744594b9632" +dependencies = [ + "core-models", + "hax-lib", +] + +[[package]] +name = "libcrux-ml-kem" +version = "0.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4bb6a88086bf11bd2ec90926c749c4a427f2e59841437dbdede8cde8a96334ab" +dependencies = [ + "hax-lib", + "libcrux-intrinsics", + "libcrux-platform", + "libcrux-secrets", + "libcrux-sha3", + "libcrux-traits", +] + +[[package]] +name = "libcrux-platform" +version = "0.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "db82d058aa76ea315a3b2092f69dfbd67ddb0e462038a206e1dcd73f058c0778" +dependencies = [ + "libc", +] + +[[package]] +name = "libcrux-secrets" +version = "0.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6e4dbbf6bc9f2bc0f20dc3bea3e5c99adff3bdccf6d2a40488963da69e2ec307" +dependencies = [ + "hax-lib", +] + +[[package]] +name = "libcrux-sha3" +version = "0.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2400bec764d1c75b8a496d5747cffe32f1fb864a12577f0aca2f55a92021c962" +dependencies = [ + "hax-lib", + "libcrux-intrinsics", + "libcrux-platform", + "libcrux-traits", +] + +[[package]] +name = "libcrux-traits" +version = "0.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9adfd58e79d860f6b9e40e35127bfae9e5bd3ade33201d1347459011a2add034" +dependencies = [ + "libcrux-secrets", + "rand 0.9.2", +] + [[package]] name = "libloading" version = "0.8.8" 
@@ -2120,6 +2242,12 @@ version = "2.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f38d5652c16fde515bb1ecef450ab0f6a219d619a7274976324d5e377f7dceba" +[[package]] +name = "pastey" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "35fb2e5f958ec131621fdd531e9fc186ed768cbe395337403ae56c17a74c68ec" + [[package]] name = "pem" version = "3.0.6" @@ -2245,6 +2373,28 @@ dependencies = [ "syn", ] +[[package]] +name = "proc-macro-error-attr2" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "96de42df36bb9bba5542fe9f1a054b8cc87e172759a1868aa05c1f3acc89dfc5" +dependencies = [ + "proc-macro2", + "quote", +] + +[[package]] +name = "proc-macro-error2" +version = "2.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "11ec05c52be0a07b08061f7dd003e7d7092e0472bc731b4af7bb1ef876109802" +dependencies = [ + "proc-macro-error-attr2", + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "proc-macro2" version = "1.0.101" @@ -2602,6 +2752,7 @@ dependencies = [ "rpxy-acme", "rpxy-certs", "rustls", + "rustls-graviola", "rustls-openssl", "rustls-post-quantum", "rustls-symcrypt", @@ -2713,6 +2864,17 @@ dependencies = [ "x509-parser", ] +[[package]] +name = "rustls-graviola" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e81f0f2005bfba00e8088f9cb75f4b3ce3f2a31aebfaeed0b2cc05e13d01ce06" +dependencies = [ + "graviola", + "libcrux-ml-kem", + "rustls", +] + [[package]] name = "rustls-native-certs" version = "0.8.1" @@ -2774,7 +2936,7 @@ dependencies = [ "security-framework 3.5.1", "security-framework-sys", "webpki-root-certs", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] 
@@ -3702,6 +3864,17 @@ version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" +[[package]] +name = "uuid" +version = "1.19.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e2e054861b4bd027cd373e18e8d8d8e6548085000e41290d95ce0c373a654b4a" +dependencies = [ + "getrandom 0.3.3", + "js-sys", + "wasm-bindgen", +] + [[package]] name = "valuable" version = "0.1.1" diff --git a/rpxy-bin/Cargo.toml b/rpxy-bin/Cargo.toml index 2e8b088..4504b0c 100644 --- a/rpxy-bin/Cargo.toml +++ b/rpxy-bin/Cargo.toml @@ -33,6 +33,7 @@ default = [ provider-aws-lc-rs = ["rpxy-lib/rustls-backend-aws-lc-rs"] provider-aws-lc-pq = ["rpxy-lib/rustls-backend-aws-lc-pq", "rpxy-lib/post-quantum"] provider-boring = ["rpxy-lib/rustls-backend-boring"] +provider-graviola = ["rpxy-lib/rustls-backend-graviola"] provider-openssl = ["rpxy-lib/rustls-backend-openssl"] provider-ring = ["rpxy-lib/rustls-backend-ring"] provider-symcrypt = ["rpxy-lib/rustls-backend-symcrypt"] diff --git a/rpxy-lib/Cargo.toml b/rpxy-lib/Cargo.toml index 73956c2..99084c0 100644 --- a/rpxy-lib/Cargo.toml +++ b/rpxy-lib/Cargo.toml @@ -31,6 +31,7 @@ rustls-backend = ["hyper-rustls"] rustls-backend-aws-lc-rs = ["hyper-rustls/aws-lc-rs"] rustls-backend-aws-lc-pq = ["hyper-rustls/aws-lc-rs", "post-quantum"] rustls-backend-boring = ["hyper-rustls/aws-lc-rs", "boring-rustls-provider"] +rustls-backend-graviola = ["hyper-rustls/aws-lc-rs", "rustls-graviola"] rustls-backend-openssl = ["hyper-rustls/aws-lc-rs", "rustls-openssl"] rustls-backend-ring = ["hyper-rustls/ring"] rustls-backend-symcrypt = ["hyper-rustls/aws-lc-rs", "rustls-symcrypt"] 
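Review bot: The new `rustls-backend-graviola` feature in rpxy-lib/Cargo.toml still enables `hyper-rustls/aws-lc-rs`, so a build that selects graviola also compiles aws-lc-rs and ends up with two crypto providers in the binary. This matches the neighbouring boring, openssl and symcrypt lines, so it looks deliberate, but the manifest does not say why. A short comment above the backend features would help whoever audits the crypto dependencies, for example `# non-default backends still enable hyper-rustls/aws-lc-rs; the process-wide provider is chosen in rpxy-lib/src/lib.rs` (wording to be confirmed by the author).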
@@ -91,6 +92,7 @@ rpxy-certs = { path = "../rpxy-certs/", default-features = false } hot_reload = "0.2.0" rustls = { version = "0.23.32", default-features = false, features = ["std"] } boring-rustls-provider = { git = "https://github.com/janrueth/boring-rustls-provider.git", rev = "490340afa77e2c08fc45853124f99d49f4f9f8a0", optional = true } +rustls-graviola = { version = "0.3.2", optional = true } rustls-openssl = { version = "0.3.0", default-features = false, features = ["tls12"], optional = true } rustls-post-quantum = { version = "0.2.4", optional = true } rustls-symcrypt = { version = "0.2.1", optional = true, features = ["chacha", "x25519"] } diff --git a/rpxy-lib/src/lib.rs b/rpxy-lib/src/lib.rs index b2c8916..a8ffa0e 100644 --- a/rpxy-lib/src/lib.rs +++ b/rpxy-lib/src/lib.rs 
@@ -283,6 +283,60 @@ pub async fn entrypoint( _provider = CryptoProvider::install_default(prov); } + #[cfg(feature = "rustls-backend-graviola")] + { + info!("Using RusTLS provider graviola"); + let mut prov = rustls_graviola::default_provider(); + if let Some(ciphers) = ciphers { + prov.cipher_suites.clear(); + for cipher in ciphers { + match cipher.as_str() { + "AES_256_GCM_SHA384" => prov.cipher_suites.push(rustls_graviola::suites::TLS13_AES_256_GCM_SHA384), + "AES_128_GCM_SHA256" => prov.cipher_suites.push(rustls_graviola::suites::TLS13_AES_128_GCM_SHA256), + "CHACHA20_POLY1305_SHA256" => prov + .cipher_suites + .push(rustls_graviola::suites::TLS13_CHACHA20_POLY1305_SHA256), + "ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" => prov + .cipher_suites + .push(rustls_graviola::suites::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), + "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" => prov + .cipher_suites + .push(rustls_graviola::suites::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), + "ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" => prov + .cipher_suites + .push(rustls_graviola::suites::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256), + "ECDHE_RSA_WITH_AES_256_GCM_SHA384" => prov + .cipher_suites + .push(rustls_graviola::suites::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384), + "ECDHE_RSA_WITH_AES_128_GCM_SHA256" => prov + .cipher_suites + .push(rustls_graviola::suites::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), + "ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" => prov + .cipher_suites + .push(rustls_graviola::suites::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256), + other => { + log::error!("Unknown cipher `{other}`") + } + } + } + } + if let Some(kexes) = kexes { + prov.kx_groups.clear(); + for kex in kexes { + match kex.as_str() { + "X25519" => prov.kx_groups.push(&rustls_graviola::kx::X25519), + "SECP256R1" => prov.kx_groups.push(&rustls_graviola::kx::P256), + "SECP384R1" => prov.kx_groups.push(&rustls_graviola::kx::P384), + "X25519MLKEM768" => prov.kx_groups.push(rustls_graviola::kx::X25519MLKEM768), + other => 
{ + log::error!("Unknown kex `{other}`") + } + } + } + } + _provider = CryptoProvider::install_default(prov); + } + #[cfg(feature = "rustls-backend-openssl")] { info!("Using RusTLS provider openssl");
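Review bot: An unrecognised name in `ciphers` or `kexes` is only logged by the `other =>` arms, and by then `prov.cipher_suites.clear()` or `prov.kx_groups.clear()` has already run. A typo in the configuration therefore silently narrows the operator's TLS policy, and a list containing only unknown names installs a provider with no cipher suites or key-exchange groups at all. Failing at startup is safer: collect the unknown names and return a configuration error from `entrypoint` (its error type is outside this hunk), or at least refuse to install when `prov.cipher_suites.is_empty()` or `prov.kx_groups.is_empty()`. The result of `CryptoProvider::install_default(prov)` is stored in `_provider` and not inspected inside the hunk, and the context line above shows an earlier backend block doing the same install. If two backend features are compiled in, the "Using RusTLS provider graviola" message may not name the provider that is actually active. The error arms also call `log::error!` by path while the rest of the block uses the imported `info!` macro; using one style would be more consistent.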