CI: initial configuration (#4)

Configures GitHub Actions to build the crate, run clippy, check rustdoc,
and check rustfmt

Author: tarcieri

.github/workflows/rustls-rustcrypto.yml

@@ -0,0 +1,77 @@
+name: rustls-rustcrypto
+
+on:
+  pull_request:
+    paths-ignore:
+      - README.md
+  push:
+    branches: master
+    paths-ignore:
+      - README.md
+
+permissions:
+  contents: read
+
+env:
+  CARGO_INCREMENTAL: 0
+  RUSTFLAGS: "-Dwarnings"
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        toolchain:
+          - stable
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: RustCrypto/actions/cargo-cache@master
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ matrix.toolchain }}
+      - run: cargo build
+
+  clippy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: 1.75.0
+          components: clippy
+      - run: cargo clippy --all --all-features -- -D warnings
+
+
+  doc:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: stable
+      - run: cargo doc --all-features
+
+  rustfmt:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: stable
+          components: rustfmt
+      - run: cargo fmt --all -- --check
+
+# TODO(tarcieri): run tests in CI
+#  test:
+#    strategy:
+#      matrix:
+#        toolchain:
+#          - stable
+#    runs-on: ubuntu-latest
+#    steps:
+#      - uses: actions/checkout@v4
+#      - uses: RustCrypto/actions/cargo-cache@master
+#      - uses: dtolnay/rust-toolchain@master
+#        with:
+#          toolchain: ${{ matrix.toolchain }}
+#      - run: cargo test

.gitignore

@@ -1,14 +1,4 @@
-# Generated by Cargo
-# will have compiled files and executables
 debug/
 target/
-
-# Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
-# More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
-Cargo.lock
-
-# These are backup files generated by rustfmt
 **/*.rs.bk
-
-# MSVC Windows builds of rustc generate these, which store debugging information
 *.pdb

.rustfmt.toml

@@ -16,7 +16,7 @@ use rustls_rustcrypto::provider;
 
 struct TestPki {
     server_cert_der: Vec<u8>,
-    server_key_der:  Vec<u8>,
+    server_key_der: Vec<u8>,
 }
 
 impl TestPki {

examples/server.rs

@@ -59,8 +59,8 @@ impl cipher::Tls12AeadAlgorithm for Chacha20Poly1305 {
 
     fn key_block_shape(&self) -> cipher::KeyBlockShape {
         cipher::KeyBlockShape {
-            enc_key_len:        32,
-            fixed_iv_len:       12,
+            enc_key_len: 32,
+            fixed_iv_len: 12,
             explicit_nonce_len: 0,
         }
     }

src/aead/chacha20.rs

@@ -21,7 +21,7 @@ impl crypto::SupportedKxGroup for X25519 {
 
 pub struct X25519KeyExchange {
     priv_key: x25519_dalek::EphemeralSecret,
-    pub_key:  x25519_dalek::PublicKey,
+    pub_key: x25519_dalek::PublicKey,
 }
 
 impl crypto::ActiveKeyExchange for X25519KeyExchange {

src/kx.rs

@@ -1,6 +1,6 @@
 #![deny(
     clippy::all,
-    clippy::pedantic,
+    // TODO: clippy::pedantic,
     clippy::alloc_instead_of_core,
     clippy::std_instead_of_alloc,
     clippy::std_instead_of_core
@@ -22,11 +22,11 @@ pub struct Provider;
 
 pub fn provider() -> CryptoProvider {
     CryptoProvider {
-        cipher_suites:                     ALL_CIPHER_SUITES.to_vec(),
-        kx_groups:                         kx::ALL_KX_GROUPS.to_vec(),
+        cipher_suites: ALL_CIPHER_SUITES.to_vec(),
+        kx_groups: kx::ALL_KX_GROUPS.to_vec(),
         signature_verification_algorithms: verify::ALGORITHMS,
-        secure_random:                     &Provider,
-        key_provider:                      &Provider,
+        secure_random: &Provider,
+        key_provider: &Provider,
     }
 }
 
@@ -69,46 +69,46 @@ const TLS12_RSA_SCHEMES: [SignatureScheme; 6] = [
 #[cfg(feature = "tls12")]
 pub const TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: SupportedCipherSuite =
     SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
-        common:       CipherSuiteCommon {
-            suite:                 CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-            hash_provider:         hash::SHA256,
+        common: CipherSuiteCommon {
+            suite: CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+            hash_provider: hash::SHA256,
             confidentiality_limit: u64::MAX,
-            integrity_limit:       1 << 36,
+            integrity_limit: 1 << 36,
         },
-        kx:           rustls::crypto::KeyExchangeAlgorithm::ECDHE,
-        sign:         &TLS12_ECDSA_SCHEMES,
-        aead_alg:     &aead::gcm::Tls12Aes128Gcm,
+        kx: rustls::crypto::KeyExchangeAlgorithm::ECDHE,
+        sign: &TLS12_ECDSA_SCHEMES,
+        aead_alg: &aead::gcm::Tls12Aes128Gcm,
         prf_provider: &rustls::crypto::tls12::PrfUsingHmac(hmac::SHA256),
     });
 
 #[cfg(feature = "tls12")]
 pub const TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: SupportedCipherSuite =
     SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
-        common:       CipherSuiteCommon {
-            suite:                 CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-            hash_provider:         hash::SHA384,
+        common: CipherSuiteCommon {
+            suite: CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+            hash_provider: hash::SHA384,
             confidentiality_limit: u64::MAX,
-            integrity_limit:       1 << 36,
+            integrity_limit: 1 << 36,
         },
-        kx:           rustls::crypto::KeyExchangeAlgorithm::ECDHE,
-        sign:         &TLS12_ECDSA_SCHEMES,
+        kx: rustls::crypto::KeyExchangeAlgorithm::ECDHE,
+        sign: &TLS12_ECDSA_SCHEMES,
         prf_provider: &rustls::crypto::tls12::PrfUsingHmac(hmac::SHA384),
-        aead_alg:     &aead::gcm::Tls12Aes256Gcm,
+        aead_alg: &aead::gcm::Tls12Aes256Gcm,
     });
 
 #[cfg(feature = "tls12")]
 pub const TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
     SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
-        common:       CipherSuiteCommon {
-            suite:                 CipherSuite::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-            hash_provider:         hash::SHA256,
+        common: CipherSuiteCommon {
+            suite: CipherSuite::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+            hash_provider: hash::SHA256,
             confidentiality_limit: u64::MAX,
-            integrity_limit:       1 << 36,
+            integrity_limit: 1 << 36,
         },
         prf_provider: &rustls::crypto::tls12::PrfUsingHmac(hmac::SHA256),
-        kx:           rustls::crypto::KeyExchangeAlgorithm::ECDHE,
-        sign:         &TLS12_ECDSA_SCHEMES,
-        aead_alg:     &aead::chacha20::Chacha20Poly1305,
+        kx: rustls::crypto::KeyExchangeAlgorithm::ECDHE,
+        sign: &TLS12_ECDSA_SCHEMES,
+        aead_alg: &aead::chacha20::Chacha20Poly1305,
     });
 
 #[cfg(feature = "tls12")]
@@ -121,46 +121,46 @@ const TLS_ECDHE_ECDSA_SUITES: &[SupportedCipherSuite] = &[
 #[cfg(feature = "tls12")]
 pub const TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: SupportedCipherSuite =
     SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
-        common:       CipherSuiteCommon {
-            suite:                 CipherSuite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-            hash_provider:         hash::SHA256,
+        common: CipherSuiteCommon {
+            suite: CipherSuite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+            hash_provider: hash::SHA256,
             confidentiality_limit: u64::MAX,
-            integrity_limit:       1 << 36,
+            integrity_limit: 1 << 36,
         },
-        kx:           rustls::crypto::KeyExchangeAlgorithm::ECDHE,
-        sign:         &TLS12_RSA_SCHEMES,
-        aead_alg:     &aead::gcm::Tls12Aes128Gcm,
+        kx: rustls::crypto::KeyExchangeAlgorithm::ECDHE,
+        sign: &TLS12_RSA_SCHEMES,
+        aead_alg: &aead::gcm::Tls12Aes128Gcm,
         prf_provider: &rustls::crypto::tls12::PrfUsingHmac(hmac::SHA256),
     });
 
 #[cfg(feature = "tls12")]
 pub const TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: SupportedCipherSuite =
     SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
-        common:       CipherSuiteCommon {
-            suite:                 CipherSuite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-            hash_provider:         hash::SHA384,
+        common: CipherSuiteCommon {
+            suite: CipherSuite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+            hash_provider: hash::SHA384,
             confidentiality_limit: u64::MAX,
-            integrity_limit:       1 << 36,
+            integrity_limit: 1 << 36,
         },
-        kx:           rustls::crypto::KeyExchangeAlgorithm::ECDHE,
-        sign:         &TLS12_RSA_SCHEMES,
+        kx: rustls::crypto::KeyExchangeAlgorithm::ECDHE,
+        sign: &TLS12_RSA_SCHEMES,
         prf_provider: &rustls::crypto::tls12::PrfUsingHmac(hmac::SHA384),
-        aead_alg:     &aead::gcm::Tls12Aes256Gcm,
+        aead_alg: &aead::gcm::Tls12Aes256Gcm,
     });
 
 #[cfg(feature = "tls12")]
 pub const TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
     SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
-        common:       CipherSuiteCommon {
-            suite:                 CipherSuite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-            hash_provider:         hash::SHA256,
+        common: CipherSuiteCommon {
+            suite: CipherSuite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+            hash_provider: hash::SHA256,
             confidentiality_limit: u64::MAX,
-            integrity_limit:       1 << 36,
+            integrity_limit: 1 << 36,
         },
-        kx:           rustls::crypto::KeyExchangeAlgorithm::ECDHE,
-        sign:         &TLS12_RSA_SCHEMES,
+        kx: rustls::crypto::KeyExchangeAlgorithm::ECDHE,
+        sign: &TLS12_RSA_SCHEMES,
         prf_provider: &rustls::crypto::tls12::PrfUsingHmac(hmac::SHA256),
-        aead_alg:     &aead::chacha20::Chacha20Poly1305,
+        aead_alg: &aead::chacha20::Chacha20Poly1305,
     });
 
 #[cfg(feature = "tls12")]
@@ -182,44 +182,44 @@ const TLS12_SUITES: &[SupportedCipherSuite] = &[];
 
 pub const TLS13_AES_128_GCM_SHA256: SupportedCipherSuite =
     SupportedCipherSuite::Tls13(&Tls13CipherSuite {
-        common:        CipherSuiteCommon {
-            suite:                 CipherSuite::TLS13_AES_128_GCM_SHA256,
-            hash_provider:         hash::SHA256,
+        common: CipherSuiteCommon {
+            suite: CipherSuite::TLS13_AES_128_GCM_SHA256,
+            hash_provider: hash::SHA256,
             confidentiality_limit: u64::MAX,
-            integrity_limit:       1 << 36,
+            integrity_limit: 1 << 36,
         },
         hkdf_provider: &rustls::crypto::tls13::HkdfUsingHmac(hmac::SHA256),
-        aead_alg:      &aead::gcm::Tls13Aes128Gcm,
-        quic:          None,
+        aead_alg: &aead::gcm::Tls13Aes128Gcm,
+        quic: None,
     });
 
 pub const TLS13_AES_256_GCM_SHA384: SupportedCipherSuite =
     SupportedCipherSuite::Tls13(&Tls13CipherSuite {
-        common:        CipherSuiteCommon {
-            suite:                 CipherSuite::TLS13_AES_256_GCM_SHA384,
-            hash_provider:         hash::SHA384,
+        common: CipherSuiteCommon {
+            suite: CipherSuite::TLS13_AES_256_GCM_SHA384,
+            hash_provider: hash::SHA384,
             confidentiality_limit: u64::MAX,
-            integrity_limit:       1 << 36,
+            integrity_limit: 1 << 36,
         },
         hkdf_provider: &rustls::crypto::tls13::HkdfUsingHmac(hmac::SHA384),
-        aead_alg:      &aead::gcm::Tls13Aes256Gcm,
-        quic:          None,
+        aead_alg: &aead::gcm::Tls13Aes256Gcm,
+        quic: None,
     });
 
 const TLS13_AES_SUITES: &[SupportedCipherSuite] =
     &[TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384];
 
 pub const TLS13_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
     SupportedCipherSuite::Tls13(&Tls13CipherSuite {
-        common:        CipherSuiteCommon {
-            suite:                 CipherSuite::TLS13_CHACHA20_POLY1305_SHA256,
-            hash_provider:         hash::SHA256,
+        common: CipherSuiteCommon {
+            suite: CipherSuite::TLS13_CHACHA20_POLY1305_SHA256,
+            hash_provider: hash::SHA256,
             confidentiality_limit: u64::MAX,
-            integrity_limit:       1 << 36,
+            integrity_limit: 1 << 36,
         },
         hkdf_provider: &rustls::crypto::tls13::HkdfUsingHmac(hmac::SHA256),
-        aead_alg:      &aead::chacha20::Chacha20Poly1305,
-        quic:          None,
+        aead_alg: &aead::chacha20::Chacha20Poly1305,
+        quic: None,
     });
 
 const TLS13_SUITES: &[SupportedCipherSuite] = misc::const_concat_slices!(

src/lib.rs

@@ -47,11 +47,13 @@ impl quic::HeaderProtectionKey for HeaderProtectionKey {
 }
 
 pub struct PacketKey {
-    #[allow(dead_code)]
     /// Computes unique nonces for each packet
-    iv:     Iv,
+    iv: Iv,
+
     /// The cipher suite used for this packet key
-    suite:  &'static Tls13CipherSuite,
+    #[allow(dead_code)]
+    suite: &'static Tls13CipherSuite,
+
     crypto: chacha20poly1305::ChaCha20Poly1305,
 }
 
@@ -76,7 +78,7 @@ impl quic::PacketKey for PacketKey {
 
         let tag = self
             .crypto
-            .encrypt_in_place_detached(&nonce.into(), &aad, payload)
+            .encrypt_in_place_detached(&nonce.into(), aad, payload)
             .map_err(|_| rustls::Error::EncryptError)?;
         Ok(quic::Tag::from(tag.as_ref()))
     }
@@ -99,7 +101,7 @@ impl quic::PacketKey for PacketKey {
         let nonce = chacha20poly1305::Nonce::from(cipher::Nonce::new(&self.iv, packet_number).0);
 
         self.crypto
-            .decrypt_in_place(&nonce, &aad, &mut payload_)
+            .decrypt_in_place(&nonce, aad, &mut payload_)
             .map_err(|_| rustls::Error::DecryptError)?;
 
         // Unfortunately the lifetime bound on decrypt_in_place sucks