rustls/enums.rs
1#![allow(non_camel_case_types)]
2#![allow(missing_docs)]
3use crate::msgs::codec::{Codec, Reader};
4use crate::msgs::enums::HashAlgorithm;
5
6enum_builder! {
7 /// The `AlertDescription` TLS protocol enum. Values in this enum are taken
8 /// from the various RFCs covering TLS, and are listed by IANA.
9 /// The `Unknown` item is used when processing unrecognised ordinals.
10 #[repr(u8)]
11 pub enum AlertDescription {
12 CloseNotify => 0x00,
13 UnexpectedMessage => 0x0a,
14 BadRecordMac => 0x14,
15 DecryptionFailed => 0x15,
16 RecordOverflow => 0x16,
17 DecompressionFailure => 0x1e,
18 HandshakeFailure => 0x28,
19 NoCertificate => 0x29,
20 BadCertificate => 0x2a,
21 UnsupportedCertificate => 0x2b,
22 CertificateRevoked => 0x2c,
23 CertificateExpired => 0x2d,
24 CertificateUnknown => 0x2e,
25 IllegalParameter => 0x2f,
26 UnknownCA => 0x30,
27 AccessDenied => 0x31,
28 DecodeError => 0x32,
29 DecryptError => 0x33,
30 ExportRestriction => 0x3c,
31 ProtocolVersion => 0x46,
32 InsufficientSecurity => 0x47,
33 InternalError => 0x50,
34 InappropriateFallback => 0x56,
35 UserCanceled => 0x5a,
36 NoRenegotiation => 0x64,
37 MissingExtension => 0x6d,
38 UnsupportedExtension => 0x6e,
39 CertificateUnobtainable => 0x6f,
40 UnrecognisedName => 0x70,
41 BadCertificateStatusResponse => 0x71,
42 BadCertificateHashValue => 0x72,
43 UnknownPSKIdentity => 0x73,
44 CertificateRequired => 0x74,
45 NoApplicationProtocol => 0x78,
46 EncryptedClientHelloRequired => 0x79, // https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-18#section-11.2
47 }
48}
49
50enum_builder! {
51 /// The `HandshakeType` TLS protocol enum. Values in this enum are taken
52 /// from the various RFCs covering TLS, and are listed by IANA.
53 /// The `Unknown` item is used when processing unrecognised ordinals.
54 #[repr(u8)]
55 pub enum HandshakeType {
56 HelloRequest => 0x00,
57 ClientHello => 0x01,
58 ServerHello => 0x02,
59 HelloVerifyRequest => 0x03,
60 NewSessionTicket => 0x04,
61 EndOfEarlyData => 0x05,
62 HelloRetryRequest => 0x06,
63 EncryptedExtensions => 0x08,
64 Certificate => 0x0b,
65 ServerKeyExchange => 0x0c,
66 CertificateRequest => 0x0d,
67 ServerHelloDone => 0x0e,
68 CertificateVerify => 0x0f,
69 ClientKeyExchange => 0x10,
70 Finished => 0x14,
71 CertificateURL => 0x15,
72 CertificateStatus => 0x16,
73 KeyUpdate => 0x18,
74 CompressedCertificate => 0x19,
75 MessageHash => 0xfe,
76 }
77}
78
79enum_builder! {
80 /// The `ContentType` TLS protocol enum. Values in this enum are taken
81 /// from the various RFCs covering TLS, and are listed by IANA.
82 /// The `Unknown` item is used when processing unrecognised ordinals.
83 #[repr(u8)]
84 pub enum ContentType {
85 ChangeCipherSpec => 0x14,
86 Alert => 0x15,
87 Handshake => 0x16,
88 ApplicationData => 0x17,
89 Heartbeat => 0x18,
90 }
91}
92
93enum_builder! {
94 /// The `ProtocolVersion` TLS protocol enum. Values in this enum are taken
95 /// from the various RFCs covering TLS, and are listed by IANA.
96 /// The `Unknown` item is used when processing unrecognised ordinals.
97 #[repr(u16)]
98 pub enum ProtocolVersion {
99 SSLv2 => 0x0002,
100 SSLv3 => 0x0300,
101 TLSv1_0 => 0x0301,
102 TLSv1_1 => 0x0302,
103 TLSv1_2 => 0x0303,
104 TLSv1_3 => 0x0304,
105 DTLSv1_0 => 0xFEFF,
106 DTLSv1_2 => 0xFEFD,
107 DTLSv1_3 => 0xFEFC,
108 }
109}
110
111enum_builder! {
112 /// The `CipherSuite` TLS protocol enum. Values in this enum are taken
113 /// from the various RFCs covering TLS, and are listed by IANA.
114 /// The `Unknown` item is used when processing unrecognised ordinals.
115 #[repr(u16)]
116 pub enum CipherSuite {
117 /// The `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256` cipher suite. Recommended=Y. Defined in
118 /// <https://www.iana.org/go/rfc5288>
119 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 => 0x009e,
120
121 /// The `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` cipher suite. Recommended=Y. Defined in
122 /// <https://www.iana.org/go/rfc5288>
123 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 => 0x009f,
124
125 /// The `TLS_DHE_PSK_WITH_AES_128_GCM_SHA256` cipher suite. Recommended=Y. Defined in
126 /// <https://www.iana.org/go/rfc5487>
127 TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 => 0x00aa,
128
129 /// The `TLS_DHE_PSK_WITH_AES_256_GCM_SHA384` cipher suite. Recommended=Y. Defined in
130 /// <https://www.iana.org/go/rfc5487>
131 TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 => 0x00ab,
132
133 /// The `TLS_AES_128_GCM_SHA256` cipher suite. Recommended=Y. Defined in
134 /// <https://www.iana.org/go/rfc8446>
135 TLS13_AES_128_GCM_SHA256 => 0x1301,
136
137 /// The `TLS_AES_256_GCM_SHA384` cipher suite. Recommended=Y. Defined in
138 /// <https://www.iana.org/go/rfc8446>
139 TLS13_AES_256_GCM_SHA384 => 0x1302,
140
141 /// The `TLS_CHACHA20_POLY1305_SHA256` cipher suite. Recommended=Y. Defined in
142 /// <https://www.iana.org/go/rfc8446>
143 TLS13_CHACHA20_POLY1305_SHA256 => 0x1303,
144
145 /// The `TLS_AES_128_CCM_SHA256` cipher suite. Recommended=Y. Defined in
146 /// <https://www.iana.org/go/rfc8446>
147 TLS13_AES_128_CCM_SHA256 => 0x1304,
148
149 /// The `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` cipher suite. Recommended=Y. Defined in
150 /// <https://www.iana.org/go/rfc5289>
151 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 => 0xc02b,
152
153 /// The `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` cipher suite. Recommended=Y. Defined in
154 /// <https://www.iana.org/go/rfc5289>
155 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 => 0xc02c,
156
157 /// The `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` cipher suite. Recommended=Y. Defined in
158 /// <https://www.iana.org/go/rfc5289>
159 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 => 0xc02f,
160
161 /// The `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` cipher suite. Recommended=Y. Defined in
162 /// <https://www.iana.org/go/rfc5289>
163 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 => 0xc030,
164
165 /// The `TLS_DHE_RSA_WITH_AES_128_CCM` cipher suite. Recommended=Y. Defined in
166 /// <https://www.iana.org/go/rfc6655>
167 TLS_DHE_RSA_WITH_AES_128_CCM => 0xc09e,
168
169 /// The `TLS_DHE_RSA_WITH_AES_256_CCM` cipher suite. Recommended=Y. Defined in
170 /// <https://www.iana.org/go/rfc6655>
171 TLS_DHE_RSA_WITH_AES_256_CCM => 0xc09f,
172
173 /// The `TLS_DHE_PSK_WITH_AES_128_CCM` cipher suite. Recommended=Y. Defined in
174 /// <https://www.iana.org/go/rfc6655>
175 TLS_DHE_PSK_WITH_AES_128_CCM => 0xc0a6,
176
177 /// The `TLS_DHE_PSK_WITH_AES_256_CCM` cipher suite. Recommended=Y. Defined in
178 /// <https://www.iana.org/go/rfc6655>
179 TLS_DHE_PSK_WITH_AES_256_CCM => 0xc0a7,
180
181 /// The `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` cipher suite. Recommended=Y. Defined in
182 /// <https://www.iana.org/go/rfc7905>
183 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 => 0xcca8,
184
185 /// The `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` cipher suite. Recommended=Y. Defined in
186 /// <https://www.iana.org/go/rfc7905>
187 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 => 0xcca9,
188
189 /// The `TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256` cipher suite. Recommended=Y. Defined in
190 /// <https://www.iana.org/go/rfc7905>
191 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 => 0xccaa,
192
193 /// The `TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256` cipher suite. Recommended=Y. Defined in
194 /// <https://www.iana.org/go/rfc7905>
195 TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 => 0xccac,
196
197 /// The `TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256` cipher suite. Recommended=Y. Defined in
198 /// <https://www.iana.org/go/rfc7905>
199 TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 => 0xccad,
200
201 /// The `TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256` cipher suite. Recommended=Y. Defined in
202 /// <https://www.iana.org/go/rfc8442>
203 TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 => 0xd001,
204
205 /// The `TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384` cipher suite. Recommended=Y. Defined in
206 /// <https://www.iana.org/go/rfc8442>
207 TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 => 0xd002,
208
209 /// The `TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256` cipher suite. Recommended=Y. Defined in
210 /// <https://www.iana.org/go/rfc8442>
211 TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 => 0xd005,
212
213 !Debug:
214 /// The `TLS_RSA_WITH_AES_128_CBC_SHA` cipher suite. Recommended=N. Defined in
215 /// <https://www.iana.org/go/rfc5246>
216 TLS_RSA_WITH_AES_128_CBC_SHA => 0x002f,
217
218 /// The `TLS_DHE_RSA_WITH_AES_128_CBC_SHA` cipher suite. Recommended=N. Defined in
219 /// <https://www.iana.org/go/rfc5246>
220 TLS_DHE_RSA_WITH_AES_128_CBC_SHA => 0x0033,
221
222 /// The `TLS_RSA_WITH_AES_256_CBC_SHA` cipher suite. Recommended=N. Defined in
223 /// <https://www.iana.org/go/rfc5246>
224 TLS_RSA_WITH_AES_256_CBC_SHA => 0x0035,
225
226 /// The `TLS_DHE_RSA_WITH_AES_256_CBC_SHA` cipher suite. Recommended=N. Defined in
227 /// <https://www.iana.org/go/rfc5246>
228 TLS_DHE_RSA_WITH_AES_256_CBC_SHA => 0x0039,
229
230 /// The `TLS_RSA_WITH_AES_128_CBC_SHA256` cipher suite. Recommended=N. Defined in
231 /// <https://www.iana.org/go/rfc5246>
232 TLS_RSA_WITH_AES_128_CBC_SHA256 => 0x003c,
233
234 /// The `TLS_RSA_WITH_AES_256_CBC_SHA256` cipher suite. Recommended=N. Defined in
235 /// <https://www.iana.org/go/rfc5246>
236 TLS_RSA_WITH_AES_256_CBC_SHA256 => 0x003d,
237
238 /// The `TLS_DHE_RSA_WITH_AES_128_CBC_SHA256` cipher suite. Recommended=N. Defined in
239 /// <https://www.iana.org/go/rfc5246>
240 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 => 0x0067,
241
242 /// The `TLS_DHE_RSA_WITH_AES_256_CBC_SHA256` cipher suite. Recommended=N. Defined in
243 /// <https://www.iana.org/go/rfc5246>
244 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 => 0x006b,
245
246 /// The `TLS_PSK_WITH_AES_128_CBC_SHA` cipher suite. Recommended=N. Defined in
247 /// <https://www.iana.org/go/rfc4279>
248 TLS_PSK_WITH_AES_128_CBC_SHA => 0x008c,
249
250 /// The `TLS_PSK_WITH_AES_256_CBC_SHA` cipher suite. Recommended=N. Defined in
251 /// <https://www.iana.org/go/rfc4279>
252 TLS_PSK_WITH_AES_256_CBC_SHA => 0x008d,
253
254 /// The `TLS_DHE_PSK_WITH_AES_128_CBC_SHA` cipher suite. Recommended=N. Defined in
255 /// <https://www.iana.org/go/rfc4279>
256 TLS_DHE_PSK_WITH_AES_128_CBC_SHA => 0x0090,
257
258 /// The `TLS_DHE_PSK_WITH_AES_256_CBC_SHA` cipher suite. Recommended=N. Defined in
259 /// <https://www.iana.org/go/rfc4279>
260 TLS_DHE_PSK_WITH_AES_256_CBC_SHA => 0x0091,
261
262 /// The `TLS_RSA_PSK_WITH_AES_128_CBC_SHA` cipher suite. Recommended=N. Defined in
263 /// <https://www.iana.org/go/rfc4279>
264 TLS_RSA_PSK_WITH_AES_128_CBC_SHA => 0x0094,
265
266 /// The `TLS_RSA_PSK_WITH_AES_256_CBC_SHA` cipher suite. Recommended=N. Defined in
267 /// <https://www.iana.org/go/rfc4279>
268 TLS_RSA_PSK_WITH_AES_256_CBC_SHA => 0x0095,
269
270 /// The `TLS_RSA_WITH_AES_128_GCM_SHA256` cipher suite. Recommended=N. Defined in
271 /// <https://www.iana.org/go/rfc5288>
272 TLS_RSA_WITH_AES_128_GCM_SHA256 => 0x009c,
273
274 /// The `TLS_RSA_WITH_AES_256_GCM_SHA384` cipher suite. Recommended=N. Defined in
275 /// <https://www.iana.org/go/rfc5288>
276 TLS_RSA_WITH_AES_256_GCM_SHA384 => 0x009d,
277
278 /// The `TLS_PSK_WITH_AES_128_GCM_SHA256` cipher suite. Recommended=N. Defined in
279 /// <https://www.iana.org/go/rfc5487>
280 TLS_PSK_WITH_AES_128_GCM_SHA256 => 0x00a8,
281
282 /// The `TLS_PSK_WITH_AES_256_GCM_SHA384` cipher suite. Recommended=N. Defined in
283 /// <https://www.iana.org/go/rfc5487>
284 TLS_PSK_WITH_AES_256_GCM_SHA384 => 0x00a9,
285
286 /// The `TLS_RSA_PSK_WITH_AES_128_GCM_SHA256` cipher suite. Recommended=N. Defined in
287 /// <https://www.iana.org/go/rfc5487>
288 TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 => 0x00ac,
289
290 /// The `TLS_RSA_PSK_WITH_AES_256_GCM_SHA384` cipher suite. Recommended=N. Defined in
291 /// <https://www.iana.org/go/rfc5487>
292 TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 => 0x00ad,
293
294 /// The `TLS_PSK_WITH_AES_128_CBC_SHA256` cipher suite. Recommended=N. Defined in
295 /// <https://www.iana.org/go/rfc5487>
296 TLS_PSK_WITH_AES_128_CBC_SHA256 => 0x00ae,
297
298 /// The `TLS_PSK_WITH_AES_256_CBC_SHA384` cipher suite. Recommended=N. Defined in
299 /// <https://www.iana.org/go/rfc5487>
300 TLS_PSK_WITH_AES_256_CBC_SHA384 => 0x00af,
301
302 /// The `TLS_DHE_PSK_WITH_AES_128_CBC_SHA256` cipher suite. Recommended=N. Defined in
303 /// <https://www.iana.org/go/rfc5487>
304 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 => 0x00b2,
305
306 /// The `TLS_DHE_PSK_WITH_AES_256_CBC_SHA384` cipher suite. Recommended=N. Defined in
307 /// <https://www.iana.org/go/rfc5487>
308 TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 => 0x00b3,
309
310 /// The `TLS_RSA_PSK_WITH_AES_128_CBC_SHA256` cipher suite. Recommended=N. Defined in
311 /// <https://www.iana.org/go/rfc5487>
312 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 => 0x00b6,
313
314 /// The `TLS_RSA_PSK_WITH_AES_256_CBC_SHA384` cipher suite. Recommended=N. Defined in
315 /// <https://www.iana.org/go/rfc5487>
316 TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 => 0x00b7,
317
318 /// The `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` cipher suite. Recommended=N. Defined in
319 /// <https://www.iana.org/go/rfc5746>
320 TLS_EMPTY_RENEGOTIATION_INFO_SCSV => 0x00ff,
321
322 /// The `TLS_AES_128_CCM_8_SHA256` cipher suite. Recommended=N. Defined in
323 /// <https://www.iana.org/go/rfc8446>
324 TLS13_AES_128_CCM_8_SHA256 => 0x1305,
325
326 /// The `TLS_FALLBACK_SCSV` cipher suite. Recommended=N. Defined in
327 /// <https://www.iana.org/go/rfc7507>
328 TLS_FALLBACK_SCSV => 0x5600,
329
330 /// The `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` cipher suite. Recommended=N. Defined in
331 /// <https://www.iana.org/go/rfc8422>
332 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA => 0xc009,
333
334 /// The `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` cipher suite. Recommended=N. Defined in
335 /// <https://www.iana.org/go/rfc8422>
336 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA => 0xc00a,
337
338 /// The `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` cipher suite. Recommended=N. Defined in
339 /// <https://www.iana.org/go/rfc8422>
340 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA => 0xc013,
341
342 /// The `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` cipher suite. Recommended=N. Defined in
343 /// <https://www.iana.org/go/rfc8422>
344 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA => 0xc014,
345
346 /// The `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` cipher suite. Recommended=N. Defined in
347 /// <https://www.iana.org/go/rfc5289>
348 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 => 0xc023,
349
350 /// The `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384` cipher suite. Recommended=N. Defined in
351 /// <https://www.iana.org/go/rfc5289>
352 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 => 0xc024,
353
354 /// The `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` cipher suite. Recommended=N. Defined in
355 /// <https://www.iana.org/go/rfc5289>
356 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 => 0xc027,
357
358 /// The `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384` cipher suite. Recommended=N. Defined in
359 /// <https://www.iana.org/go/rfc5289>
360 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 => 0xc028,
361
362 /// The `TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA` cipher suite. Recommended=N. Defined in
363 /// <https://www.iana.org/go/rfc5489>
364 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA => 0xc035,
365
366 /// The `TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA` cipher suite. Recommended=N. Defined in
367 /// <https://www.iana.org/go/rfc5489>
368 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA => 0xc036,
369
370 /// The `TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256` cipher suite. Recommended=N. Defined in
371 /// <https://www.iana.org/go/rfc5489>
372 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 => 0xc037,
373
374 /// The `TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384` cipher suite. Recommended=N. Defined in
375 /// <https://www.iana.org/go/rfc5489>
376 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 => 0xc038,
377
378 /// The `TLS_RSA_WITH_AES_128_CCM` cipher suite. Recommended=N. Defined in
379 /// <https://www.iana.org/go/rfc6655>
380 TLS_RSA_WITH_AES_128_CCM => 0xc09c,
381
382 /// The `TLS_RSA_WITH_AES_256_CCM` cipher suite. Recommended=N. Defined in
383 /// <https://www.iana.org/go/rfc6655>
384 TLS_RSA_WITH_AES_256_CCM => 0xc09d,
385
386 /// The `TLS_RSA_WITH_AES_128_CCM_8` cipher suite. Recommended=N. Defined in
387 /// <https://www.iana.org/go/rfc6655>
388 TLS_RSA_WITH_AES_128_CCM_8 => 0xc0a0,
389
390 /// The `TLS_RSA_WITH_AES_256_CCM_8` cipher suite. Recommended=N. Defined in
391 /// <https://www.iana.org/go/rfc6655>
392 TLS_RSA_WITH_AES_256_CCM_8 => 0xc0a1,
393
394 /// The `TLS_DHE_RSA_WITH_AES_128_CCM_8` cipher suite. Recommended=N. Defined in
395 /// <https://www.iana.org/go/rfc6655>
396 TLS_DHE_RSA_WITH_AES_128_CCM_8 => 0xc0a2,
397
398 /// The `TLS_DHE_RSA_WITH_AES_256_CCM_8` cipher suite. Recommended=N. Defined in
399 /// <https://www.iana.org/go/rfc6655>
400 TLS_DHE_RSA_WITH_AES_256_CCM_8 => 0xc0a3,
401
402 /// The `TLS_PSK_WITH_AES_128_CCM` cipher suite. Recommended=N. Defined in
403 /// <https://www.iana.org/go/rfc6655>
404 TLS_PSK_WITH_AES_128_CCM => 0xc0a4,
405
406 /// The `TLS_PSK_WITH_AES_256_CCM` cipher suite. Recommended=N. Defined in
407 /// <https://www.iana.org/go/rfc6655>
408 TLS_PSK_WITH_AES_256_CCM => 0xc0a5,
409
410 /// The `TLS_PSK_WITH_AES_128_CCM_8` cipher suite. Recommended=N. Defined in
411 /// <https://www.iana.org/go/rfc6655>
412 TLS_PSK_WITH_AES_128_CCM_8 => 0xc0a8,
413
414 /// The `TLS_PSK_WITH_AES_256_CCM_8` cipher suite. Recommended=N. Defined in
415 /// <https://www.iana.org/go/rfc6655>
416 TLS_PSK_WITH_AES_256_CCM_8 => 0xc0a9,
417
418 /// The `TLS_PSK_DHE_WITH_AES_128_CCM_8` cipher suite. Recommended=N. Defined in
419 /// <https://www.iana.org/go/rfc6655>
420 TLS_PSK_DHE_WITH_AES_128_CCM_8 => 0xc0aa,
421
422 /// The `TLS_PSK_DHE_WITH_AES_256_CCM_8` cipher suite. Recommended=N. Defined in
423 /// <https://www.iana.org/go/rfc6655>
424 TLS_PSK_DHE_WITH_AES_256_CCM_8 => 0xc0ab,
425
426 /// The `TLS_ECDHE_ECDSA_WITH_AES_128_CCM` cipher suite. Recommended=N. Defined in
427 /// <https://www.iana.org/go/rfc7251>
428 TLS_ECDHE_ECDSA_WITH_AES_128_CCM => 0xc0ac,
429
430 /// The `TLS_ECDHE_ECDSA_WITH_AES_256_CCM` cipher suite. Recommended=N. Defined in
431 /// <https://www.iana.org/go/rfc7251>
432 TLS_ECDHE_ECDSA_WITH_AES_256_CCM => 0xc0ad,
433
434 /// The `TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8` cipher suite. Recommended=N. Defined in
435 /// <https://www.iana.org/go/rfc7251>
436 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 => 0xc0ae,
437
438 /// The `TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8` cipher suite. Recommended=N. Defined in
439 /// <https://www.iana.org/go/rfc7251>
440 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 => 0xc0af,
441
442 /// The `TLS_SHA256_SHA256` cipher suite. Recommended=N. Defined in
443 /// <https://www.iana.org/go/rfc9150>
444 TLS_SHA256_SHA256 => 0xc0b4,
445
446 /// The `TLS_SHA384_SHA384` cipher suite. Recommended=N. Defined in
447 /// <https://www.iana.org/go/rfc9150>
448 TLS_SHA384_SHA384 => 0xc0b5,
449
450 /// The `TLS_PSK_WITH_CHACHA20_POLY1305_SHA256` cipher suite. Recommended=N. Defined in
451 /// <https://www.iana.org/go/rfc7905>
452 TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 => 0xccab,
453
454 /// The `TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256` cipher suite. Recommended=N. Defined in
455 /// <https://www.iana.org/go/rfc7905>
456 TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 => 0xccae,
457
458 /// The `TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256` cipher suite. Recommended=N. Defined in
459 /// <https://www.iana.org/go/rfc8442>
460 TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 => 0xd003,
461 }
462}
463
464enum_builder! {
465 /// The `SignatureScheme` TLS protocol enum. Values in this enum are taken
466 /// from the various RFCs covering TLS, and are listed by IANA.
467 /// The `Unknown` item is used when processing unrecognised ordinals.
468 #[repr(u16)]
469 pub enum SignatureScheme {
470 RSA_PKCS1_SHA1 => 0x0201,
471 ECDSA_SHA1_Legacy => 0x0203,
472 RSA_PKCS1_SHA256 => 0x0401,
473 ECDSA_NISTP256_SHA256 => 0x0403,
474 RSA_PKCS1_SHA384 => 0x0501,
475 ECDSA_NISTP384_SHA384 => 0x0503,
476 RSA_PKCS1_SHA512 => 0x0601,
477 ECDSA_NISTP521_SHA512 => 0x0603,
478 RSA_PSS_SHA256 => 0x0804,
479 RSA_PSS_SHA384 => 0x0805,
480 RSA_PSS_SHA512 => 0x0806,
481 ED25519 => 0x0807,
482 ED448 => 0x0808,
483 // https://datatracker.ietf.org/doc/html/draft-ietf-tls-mldsa-00#name-iana-considerations
484 ML_DSA_44 => 0x0904,
485 ML_DSA_65 => 0x0905,
486 ML_DSA_87 => 0x0906,
487 }
488}
489
490impl SignatureScheme {
491 pub(crate) fn algorithm(&self) -> SignatureAlgorithm {
492 match *self {
493 Self::RSA_PKCS1_SHA1
494 | Self::RSA_PKCS1_SHA256
495 | Self::RSA_PKCS1_SHA384
496 | Self::RSA_PKCS1_SHA512
497 | Self::RSA_PSS_SHA256
498 | Self::RSA_PSS_SHA384
499 | Self::RSA_PSS_SHA512 => SignatureAlgorithm::RSA,
500 Self::ECDSA_SHA1_Legacy
501 | Self::ECDSA_NISTP256_SHA256
502 | Self::ECDSA_NISTP384_SHA384
503 | Self::ECDSA_NISTP521_SHA512 => SignatureAlgorithm::ECDSA,
504 Self::ED25519 => SignatureAlgorithm::ED25519,
505 Self::ED448 => SignatureAlgorithm::ED448,
506 _ => SignatureAlgorithm::Unknown(0),
507 }
508 }
509
510 /// Whether a particular `SignatureScheme` is allowed for TLS protocol signatures
511 /// in TLS1.3.
512 ///
513 /// This prevents (eg) RSA_PKCS1_SHA256 being offered or accepted, even if our
514 /// verifier supports it for other protocol versions.
515 ///
516 /// See RFC8446 s4.2.3: <https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3>
517 ///
518 /// This is a denylist so that newly-allocated `SignatureScheme`s values are
519 /// allowed in TLS1.3 by default.
520 pub(crate) fn supported_in_tls13(&self) -> bool {
521 let [hash, sign] = self.to_array();
522
523 // This covers both disallowing SHA1 items in `SignatureScheme`, and
524 // old hash functions. See the section beginning "Legacy algorithms:"
525 // and item starting "In TLS 1.2, the extension contained hash/signature
526 // pairs" in RFC8446 section 4.2.3.
527 match HashAlgorithm::from(hash) {
528 HashAlgorithm::NONE
529 | HashAlgorithm::MD5
530 | HashAlgorithm::SHA1
531 | HashAlgorithm::SHA224 => return false,
532 _ => (),
533 };
534
535 // RSA-PKCS1 is also disallowed for TLS1.3, see the section beginning
536 // "RSASSA-PKCS1-v1_5 algorithms:" in RFC8446 section 4.2.3.
537 //
538 // (nb. SignatureAlgorithm::RSA is RSA-PKCS1, and does not cover RSA-PSS
539 // or RSAE-PSS.)
540 //
541 // This also covers the outlawing of DSA mentioned elsewhere in 4.2.3.
542 !matches!(
543 SignatureAlgorithm::from(sign),
544 SignatureAlgorithm::Anonymous | SignatureAlgorithm::RSA | SignatureAlgorithm::DSA
545 )
546 }
547}
548
549enum_builder! {
550 /// The `SignatureAlgorithm` TLS protocol enum. Values in this enum are taken
551 /// from the various RFCs covering TLS, and are listed by IANA.
552 /// The `Unknown` item is used when processing unrecognised ordinals.
553 #[repr(u8)]
554 pub enum SignatureAlgorithm {
555 Anonymous => 0x00,
556 RSA => 0x01,
557 DSA => 0x02,
558 ECDSA => 0x03,
559 ED25519 => 0x07,
560 ED448 => 0x08,
561 }
562}
563
564enum_builder! {
565 /// The "TLS Certificate Compression Algorithm IDs" TLS protocol enum.
566 /// Values in this enum are taken from [RFC8879].
567 ///
568 /// [RFC8879]: https://www.rfc-editor.org/rfc/rfc8879.html#section-7.3
569 #[repr(u16)]
570 pub enum CertificateCompressionAlgorithm {
571 Zlib => 1,
572 Brotli => 2,
573 Zstd => 3,
574 }
575}
576
577enum_builder! {
578 /// The `CertificateType` enum sent in the cert_type extensions.
579 /// Values in this enum are taken from the various RFCs covering TLS, and are listed by IANA.
580 ///
581 /// [RFC 6091 Section 5]: <https://datatracker.ietf.org/doc/html/rfc6091#section-5>
582 /// [RFC 7250 Section 7]: <https://datatracker.ietf.org/doc/html/rfc7250#section-7>
583 #[repr(u8)]
584 pub enum CertificateType {
585 X509 => 0x00,
586 RawPublicKey => 0x02,
587 }
588}
589
590enum_builder! {
591 /// The type of Encrypted Client Hello (`EchClientHelloType`).
592 ///
593 /// Specified in [draft-ietf-tls-esni Section 5].
594 ///
595 /// [draft-ietf-tls-esni Section 5]: <https://www.ietf.org/archive/id/draft-ietf-tls-esni-18.html#section-5>
596 #[repr(u8)]
597 pub enum EchClientHelloType {
598 ClientHelloOuter => 0,
599 ClientHelloInner => 1
600 }
601}
602
603#[cfg(test)]
604mod tests {
605 use super::*;
606 use crate::msgs::enums::tests::{test_enum8, test_enum16};
607
608 #[test]
609 fn test_enums() {
610 test_enum8::<SignatureAlgorithm>(SignatureAlgorithm::Anonymous, SignatureAlgorithm::ECDSA);
611 test_enum8::<ContentType>(ContentType::ChangeCipherSpec, ContentType::Heartbeat);
612 test_enum8::<HandshakeType>(HandshakeType::HelloRequest, HandshakeType::MessageHash);
613 test_enum8::<AlertDescription>(
614 AlertDescription::CloseNotify,
615 AlertDescription::NoApplicationProtocol,
616 );
617 test_enum16::<CertificateCompressionAlgorithm>(
618 CertificateCompressionAlgorithm::Zlib,
619 CertificateCompressionAlgorithm::Zstd,
620 );
621 test_enum8::<CertificateType>(CertificateType::X509, CertificateType::RawPublicKey);
622 }
623
624 #[test]
625 fn tls13_signature_restrictions() {
626 // rsa-pkcs1 denied
627 assert!(!SignatureScheme::RSA_PKCS1_SHA1.supported_in_tls13());
628 assert!(!SignatureScheme::RSA_PKCS1_SHA256.supported_in_tls13());
629 assert!(!SignatureScheme::RSA_PKCS1_SHA384.supported_in_tls13());
630 assert!(!SignatureScheme::RSA_PKCS1_SHA512.supported_in_tls13());
631
632 // dsa denied
633 assert!(!SignatureScheme::from(0x0201).supported_in_tls13());
634 assert!(!SignatureScheme::from(0x0202).supported_in_tls13());
635 assert!(!SignatureScheme::from(0x0203).supported_in_tls13());
636 assert!(!SignatureScheme::from(0x0204).supported_in_tls13());
637 assert!(!SignatureScheme::from(0x0205).supported_in_tls13());
638 assert!(!SignatureScheme::from(0x0206).supported_in_tls13());
639
640 // common
641 assert!(SignatureScheme::ED25519.supported_in_tls13());
642 assert!(SignatureScheme::ED448.supported_in_tls13());
643 assert!(SignatureScheme::RSA_PSS_SHA256.supported_in_tls13());
644 assert!(SignatureScheme::RSA_PSS_SHA384.supported_in_tls13());
645 assert!(SignatureScheme::RSA_PSS_SHA512.supported_in_tls13());
646
647 // rsa_pss_rsae_*
648 assert!(SignatureScheme::from(0x0804).supported_in_tls13());
649 assert!(SignatureScheme::from(0x0805).supported_in_tls13());
650 assert!(SignatureScheme::from(0x0806).supported_in_tls13());
651
652 // ecdsa_brainpool*
653 assert!(SignatureScheme::from(0x081a).supported_in_tls13());
654 assert!(SignatureScheme::from(0x081b).supported_in_tls13());
655 assert!(SignatureScheme::from(0x081c).supported_in_tls13());
656 }
657}