Struct rustls::SupportedCipherSuite

pub struct SupportedCipherSuite {
    pub suite: CipherSuite,
    pub kx: KeyExchangeAlgorithm,
    pub bulk: BulkAlgorithm,
    pub hash: HashAlgorithm,
    pub sign: Option<&'static [SignatureScheme]>,
    pub enc_key_len: usize,
    pub fixed_iv_len: usize,
    pub explicit_nonce_len: usize,
    /* private fields */
}

A cipher suite supported by rustls.

All possible instances of this class are provided by the library in the ALL_CIPHERSUITES array.

Fields

suite: CipherSuite

The TLS enumeration naming this cipher suite.

kx: KeyExchangeAlgorithm

How to exchange/agree keys.

bulk: BulkAlgorithm

How to do bulk encryption.

hash: HashAlgorithm

How to do hashing.

sign: Option<&'static [SignatureScheme]>

How to sign messages for authentication.

This is not present for TLS1.3, because authentication is orthogonal to the ciphersuite concept there.

enc_key_len: usize

Encryption key length, for the bulk algorithm.

fixed_iv_len: usize

How long the fixed part of the ‘IV’ is.

This isn’t usually an IV, but we continue the terminology misuse to match the standard.

explicit_nonce_len: usize

This is a non-standard extension which extends the key block to provide an initial explicit nonce offset, in a deterministic and safe way. GCM needs this, chacha20poly1305 works this way by design.

Implementations

impl SupportedCipherSuite

pub fn get_hash(&self) -> &'static Algorithm

Which hash function to use with this suite.

pub fn do_client_kx(&self, kx_params: &[u8]) -> Option<KeyExchangeResult>

We have parameters and a verified public key in kx_params. Generate an ephemeral key, generate the shared secret, and return it and the public half in a KeyExchangeResult.

pub fn start_server_kx(&self, named_group: NamedGroup) -> Option<KeyExchange>

Start the KX process with the given group. This generates the server’s share, but we don’t yet have the client’s share.

pub fn resolve_sig_schemes(
    &self,
    offered: &[SignatureScheme]
) -> Vec<SignatureScheme>

Resolve the set of supported SignatureSchemes from the offered SupportedSignatureSchemes. If we return an empty set, the handshake terminates.

pub fn key_block_len(&self) -> usize

Length of key block that needs to be output by the key derivation phase for this suite.

pub fn usable_for_version(&self, version: ProtocolVersion) -> bool

Return true if this suite is usable for TLS version.

pub fn usable_for_sigalg(&self, sigalg: SignatureAlgorithm) -> bool

Return true if this suite is usable for a key only offering sigalg signatures. This resolves to true for all TLS1.3 suites.

pub fn can_resume_to(&self, new_suite: &SupportedCipherSuite) -> bool

Can a session using suite self resume using suite new_suite?

Trait Implementations

impl Debug for SupportedCipherSuite

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl PartialEq<SupportedCipherSuite> for SupportedCipherSuite

fn eq(&self, other: &SupportedCipherSuite) -> bool

This method tests for self and other values to be equal, and is used by ==.

const fn ne(&self, other: &Rhs) -> bool

This method tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.