Refactor TLS cipher suite definitions and verification algorithms

- Simplified the definition of TLS 1.2 cipher suites by introducing the `feature_slice!` macro for conditional compilation based on features.
- Replaced repetitive cipher suite definitions in `ecdsa.rs` and `rsa.rs` with a new macro `tls12_ecdhe_cipher_suite!` to streamline the code.
- Enhanced the `ALL` and `MAPPING` constants in `verify.rs` to utilize the `feature_slice!` macro for better readability and maintainability.
- Added support for EdDSA signature schemes in the verification algorithms.
- Refactored RSA hash implementations and verifier constants using a new macro `rsa_hash_and_consts!` to reduce code duplication.
- Updated TLS 1.3 cipher suite definitions in `aes.rs`, `chacha20.rs`, and `suites.rs` to use the `tls13_cipher_suite!` macro for consistency.
- Improved the organization and clarity of the codebase by consolidating feature checks and reducing boilerplate code.

Author: Steve Fan

src/hash.rs

@@ -3,11 +3,10 @@ use alloc::boxed::Box;
 
 use core::marker::PhantomData;
 use digest::{Digest, OutputSizeUser};
-use rustls::crypto::{self, hash};
 
 /// Trait to provide hash algorithm for different hash types
 pub trait HashAlgorithm {
-    const ALGORITHM: hash::HashAlgorithm;
+    const ALGORITHM: rustls::crypto::hash::HashAlgorithm;
 }
 
 // Generic hash implementation
@@ -22,64 +21,43 @@ impl<H> GenericHash<H> {
     };
 }
 
-impl<H> hash::Hash for GenericHash<H>
+impl<H> rustls::crypto::hash::Hash for GenericHash<H>
 where
     H: Digest + OutputSizeUser + Clone + Send + Sync + 'static + HashAlgorithm,
 {
-    fn start(&self) -> Box<dyn hash::Context> {
+    fn start(&self) -> Box<dyn rustls::crypto::hash::Context> {
         Box::new(GenericHashContext(H::new()))
     }
 
-    fn hash(&self, data: &[u8]) -> hash::Output {
-        hash::Output::new(&H::digest(data)[..])
+    fn hash(&self, data: &[u8]) -> rustls::crypto::hash::Output {
+        rustls::crypto::hash::Output::new(&H::digest(data)[..])
     }
 
     fn output_len(&self) -> usize {
         <H as OutputSizeUser>::output_size()
     }
 
-    fn algorithm(&self) -> hash::HashAlgorithm {
+    fn algorithm(&self) -> rustls::crypto::hash::HashAlgorithm {
         H::ALGORITHM
     }
 }
 
-// Implement HashAlgorithm trait for each hash type
-#[cfg(feature = "hash-sha224")]
-impl HashAlgorithm for ::sha2::Sha224 {
-    const ALGORITHM: hash::HashAlgorithm = hash::HashAlgorithm::SHA224;
-}
-
-#[cfg(feature = "hash-sha256")]
-impl HashAlgorithm for ::sha2::Sha256 {
-    const ALGORITHM: hash::HashAlgorithm = hash::HashAlgorithm::SHA256;
-}
-
-#[cfg(feature = "hash-sha384")]
-impl HashAlgorithm for ::sha2::Sha384 {
-    const ALGORITHM: hash::HashAlgorithm = hash::HashAlgorithm::SHA384;
-}
-
-#[cfg(feature = "hash-sha512")]
-impl HashAlgorithm for ::sha2::Sha512 {
-    const ALGORITHM: hash::HashAlgorithm = hash::HashAlgorithm::SHA512;
-}
-
 pub struct GenericHashContext<H>(H);
 
-impl<H> hash::Context for GenericHashContext<H>
+impl<H> rustls::crypto::hash::Context for GenericHashContext<H>
 where
     H: Digest + Clone + Send + Sync + 'static,
 {
-    fn fork_finish(&self) -> hash::Output {
-        hash::Output::new(&self.0.clone().finalize()[..])
+    fn fork_finish(&self) -> rustls::crypto::hash::Output {
+        rustls::crypto::hash::Output::new(&self.0.clone().finalize()[..])
     }
 
-    fn fork(&self) -> Box<dyn hash::Context> {
+    fn fork(&self) -> Box<dyn rustls::crypto::hash::Context> {
         Box::new(GenericHashContext(self.0.clone()))
     }
 
-    fn finish(self: Box<Self>) -> hash::Output {
-        hash::Output::new(&self.0.finalize()[..])
+    fn finish(self: Box<Self>) -> rustls::crypto::hash::Output {
+        rustls::crypto::hash::Output::new(&self.0.finalize()[..])
     }
 
     fn update(&mut self, data: &[u8]) {
@@ -88,15 +66,23 @@ where
 }
 
 /// Macro to generate hash constants
-macro_rules! hash_const {
-    ($name:ident, $hash:ty, $feature:literal) => {
-        #[cfg(feature = $feature)]
-        pub const $name: &dyn crypto::hash::Hash = &GenericHash::<$hash>::DEFAULT;
+macro_rules! impl_hash {
+    ($name:ident, $hash:ty) => {
+        impl HashAlgorithm for $hash {
+            const ALGORITHM: rustls::crypto::hash::HashAlgorithm =
+                rustls::crypto::hash::HashAlgorithm::$name;
+        }
+
+        pub const $name: &dyn rustls::crypto::hash::Hash = &GenericHash::<$hash>::DEFAULT;
     };
 }
 
 // Generate hash constants using macro
-hash_const!(SHA224, ::sha2::Sha224, "hash-sha224");
-hash_const!(SHA256, ::sha2::Sha256, "hash-sha256");
-hash_const!(SHA384, ::sha2::Sha384, "hash-sha384");
-hash_const!(SHA512, ::sha2::Sha512, "hash-sha512");
+#[cfg(feature = "hash-sha224")]
+impl_hash!(SHA224, ::sha2::Sha224);
+#[cfg(feature = "hash-sha256")]
+impl_hash!(SHA256, ::sha2::Sha256);
+#[cfg(feature = "hash-sha384")]
+impl_hash!(SHA384, ::sha2::Sha384);
+#[cfg(feature = "hash-sha512")]
+impl_hash!(SHA512, ::sha2::Sha512);

src/hmac.rs

@@ -14,6 +14,12 @@ pub struct GenericHmac<H: HmacHash> {
     _phantom: PhantomData<H>,
 }
 
+impl<H: HmacHash> GenericHmac<H> {
+    pub const DEFAULT: Self = Self {
+        _phantom: PhantomData,
+    };
+}
+
 impl<H> RustlsHmac for GenericHmac<H>
 where
     H: HmacHash,
@@ -54,17 +60,14 @@ where
     }
 }
 
-#[cfg(feature = "hash-sha256")]
-pub const SHA256: &dyn RustlsHmac = &GenericHmac::<::sha2::Sha256> {
-    _phantom: PhantomData,
-};
-
-#[cfg(feature = "hash-sha384")]
-pub const SHA384: &dyn RustlsHmac = &GenericHmac::<::sha2::Sha384> {
-    _phantom: PhantomData,
-};
+/// Macro to generate HMAC constants
+macro_rules! hmac_const {
+    ($name:ident, $hash:ty) => {
+        pub const $name: &GenericHmac<$hash> = &GenericHmac::DEFAULT;
+    };
+}
 
-#[cfg(feature = "hash-sha512")]
-pub const SHA512: &dyn RustlsHmac = &GenericHmac::<::sha2::Sha512> {
-    _phantom: PhantomData,
-};
+// Generate HMAC constants using macro
+hmac_const!(SHA256, ::sha2::Sha256);
+hmac_const!(SHA384, ::sha2::Sha384);
+hmac_const!(SHA512, ::sha2::Sha512);

src/kx/nist.rs

@@ -1,59 +1,35 @@
-#[cfg(all(feature = "alloc", feature = "kx-nist"))]
+#[cfg(feature = "alloc")]
 use alloc::boxed::Box;
-
-#[cfg(feature = "kx-nist")]
+use core::fmt::Debug;
 use core::marker::PhantomData;
 
-#[cfg(feature = "kx-nist")]
-use rustls::{Error, NamedGroup, PeerMisbehaved, crypto};
-
-#[cfg(feature = "kx-nist")]
 use crypto::{ActiveKeyExchange, SharedSecret, SupportedKxGroup};
-
-#[cfg(feature = "kx-nist")]
 use elliptic_curve::{
     Curve, CurveArithmetic, PublicKey,
     ecdh::EphemeralSecret,
     point::PointCompression,
     sec1::{FromEncodedPoint, ToEncodedPoint},
 };
-
-#[cfg(feature = "kx-nist")]
 use rand_core::OsRng;
-
-#[cfg(feature = "kx-nist")]
+use rustls::{Error, NamedGroup, PeerMisbehaved, crypto};
 use sec1::point::ModulusSize;
 
-#[cfg(feature = "kx-nist")]
-use core::fmt::Debug;
-
-#[cfg(feature = "kx-nist")]
 pub trait NistCurve: Curve + CurveArithmetic + PointCompression {
     const NAMED_GROUP: NamedGroup;
 }
 
-#[cfg(all(feature = "kx-nist", feature = "kx-p256"))]
-impl NistCurve for ::p256::NistP256 {
-    const NAMED_GROUP: NamedGroup = NamedGroup::secp256r1;
-}
-
-#[cfg(all(feature = "kx-nist", feature = "kx-p384"))]
-impl NistCurve for ::p384::NistP384 {
-    const NAMED_GROUP: NamedGroup = NamedGroup::secp384r1;
-}
-
-#[cfg(all(feature = "kx-nist", feature = "kx-p521"))]
-impl NistCurve for ::p521::NistP521 {
-    const NAMED_GROUP: NamedGroup = NamedGroup::secp521r1;
-}
-
-#[cfg(feature = "kx-nist")]
 #[derive(Debug)]
 pub struct NistKxGroup<C>(PhantomData<C>)
 where
     C: NistCurve;
 
-#[cfg(feature = "kx-nist")]
+impl<C> NistKxGroup<C>
+where
+    C: NistCurve,
+{
+    const DEFAULT: Self = Self(PhantomData);
+}
+
 impl<C> SupportedKxGroup for NistKxGroup<C>
 where
     <C as CurveArithmetic>::AffinePoint: FromEncodedPoint<C> + ToEncodedPoint<C>,
@@ -75,7 +51,6 @@ where
     }
 }
 
-#[cfg(feature = "kx-nist")]
 #[allow(non_camel_case_types)]
 pub struct NistKeyExchange<C>
 where
@@ -85,12 +60,11 @@ where
     pub_key: Box<[u8]>,
 }
 
-#[cfg(feature = "kx-nist")]
-impl<C: NistCurve> ActiveKeyExchange for NistKeyExchange<C>
+impl<C> ActiveKeyExchange for NistKeyExchange<C>
 where
-    <C as CurveArithmetic>::AffinePoint: FromEncodedPoint<C>,
+    <C as CurveArithmetic>::AffinePoint: FromEncodedPoint<C> + ToEncodedPoint<C>,
     <C as elliptic_curve::Curve>::FieldBytesSize: ModulusSize,
-    <C as CurveArithmetic>::AffinePoint: ToEncodedPoint<C>,
+    C: NistCurve,
 {
     fn complete(self: Box<Self>, peer: &[u8]) -> Result<SharedSecret, Error> {
         let their_pub = PublicKey::<C>::from_sec1_bytes(peer)
@@ -112,11 +86,21 @@ where
     }
 }
 
+macro_rules! impl_nist_curve {
+    ($ty:ty, $named_group:expr, $const_name:ident) => {
+        impl NistCurve for $ty {
+            const NAMED_GROUP: NamedGroup = $named_group;
+        }
+
+        pub const $const_name: NistKxGroup<$ty> = NistKxGroup::DEFAULT;
+    };
+}
+
 #[cfg(feature = "kx-p256")]
-pub const SEC_P256_R1: NistKxGroup<::p256::NistP256> = NistKxGroup(PhantomData);
+impl_nist_curve!(::p256::NistP256, NamedGroup::secp256r1, SEC_P256_R1);
 
 #[cfg(feature = "kx-p384")]
-pub const SEC_P384_R1: NistKxGroup<::p384::NistP384> = NistKxGroup(PhantomData);
+impl_nist_curve!(::p384::NistP384, NamedGroup::secp384r1, SEC_P384_R1);
 
 #[cfg(feature = "kx-p521")]
-pub const SEC_P521_R1: NistKxGroup<::p521::NistP521> = NistKxGroup(PhantomData);
+impl_nist_curve!(::p521::NistP521, NamedGroup::secp521r1, SEC_P521_R1);

src/lib.rs

@@ -56,18 +56,16 @@ pub fn provider() -> CryptoProvider {
 
 impl SecureRandom for Provider {
     fn fill(&self, #[allow(unused_variables)] bytes: &mut [u8]) -> Result<(), GetRandomFailed> {
-        #[cfg(feature = "rand")]
-        {
-            use rand_core::TryRngCore;
-            rand_core::OsRng
-                .try_fill_bytes(bytes)
-                .map_err(|_| GetRandomFailed)
-        }
-
-        #[cfg(not(feature = "rand"))]
-        {
-            Err(GetRandomFailed)
-        }
+        feature_eval_expr!(
+            [feature = "rand"],
+            {
+                use rand_core::TryRngCore;
+                rand_core::OsRng
+                    .try_fill_bytes(bytes)
+                    .map_err(|_| GetRandomFailed)
+            },
+            else Err(GetRandomFailed)
+        )
     }
 }
 
@@ -76,30 +74,17 @@ impl KeyProvider for Provider {
         &self,
         #[allow(unused_variables)] key_der: PrivateKeyDer<'static>,
     ) -> Result<Arc<dyn SigningKey>, rustls::Error> {
-        #[cfg(feature = "sign")]
-        {
-            sign::any_supported_type(&key_der)
-        }
-        #[cfg(not(feature = "sign"))]
-        {
-            Err(rustls::Error::General("not key providers supported".into()))
-        }
+        feature_eval_expr!(
+            [feature = "sign"],
+            sign::any_supported_type(&key_der),
+            else Err(rustls::Error::General("not key providers supported".into()))
+        )
     }
 }
 
 pub const ALL_CIPHER_SUITES: &[SupportedCipherSuite] = misc::const_concat_slices!(
     SupportedCipherSuite,
-    {
-        #[cfg(feature = "tls12")]
-        {
-            tls12::suites::TLS12_SUITES
-        }
-
-        #[cfg(not(feature = "tls12"))]
-        {
-            &[]
-        }
-    },
+    feature_slice!([feature = "tls12"], tls12::suites::TLS12_SUITES),
     tls13::suites::TLS13_SUITES
 );