refactor: openssl feature flag handling

Author: Tobias Waurick

README.md

@@ -30,7 +30,7 @@ Currently two crypto libraries are supported:
     - Per default the OpenSSL library is locally compiled and then statically linked. The build process requires a C compiler, `perl` (and `perl-core`), and `make`. For further options see the [openssl crate documentation](https://docs.rs/openssl/0.10.55/openssl/). 
     - Compilation to Wasm32 is [not yet supported](https://github.com/sfackler/rust-openssl/issues/1016)
 
-Both cannot be enabled at the same time, thus on conflict `sframe` fallsback to using `ring`. 
+Both cannot be enabled at the same time, thus on conflict `sframe` issues a compiler error. 
 ## License
 Licensed under either of Apache License, Version 2.0 or MIT license at your option.
 

src/crypto/aead.rs

@@ -156,7 +156,7 @@ mod test {
                 decrypt_test_vector(CipherSuiteVariant::AesGcm256Sha512);
             }
 
-            #[cfg(not(feature = "ring"))]
+            #[cfg(feature = "openssl")]
             mod aes_ctr {
                 use crate::CipherSuiteVariant;
 

src/crypto/cipher_suite.rs

@@ -8,11 +8,11 @@
 #[cfg_attr(test, derive(strum_macros::Display))]
 pub enum CipherSuiteVariant {
     // /// counter mode is [not implemented in ring](https://github.com/briansmith/ring/issues/656)
-    #[cfg(not(feature = "ring"))]
+    #[cfg(feature = "openssl")]
     AesCtr128HmacSha256_80,
-    #[cfg(not(feature = "ring"))]
+    #[cfg(feature = "openssl")]
     AesCtr128HmacSha256_64,
-    #[cfg(not(feature = "ring"))]
+    #[cfg(feature = "openssl")]
     AesCtr128HmacSha256_32,
     /// encryption: AES GCM 128, key expansion: HKDF with SHA256
     AesGcm128Sha256,
@@ -32,7 +32,7 @@ pub struct CipherSuite {
 impl From<CipherSuiteVariant> for CipherSuite {
     fn from(variant: CipherSuiteVariant) -> Self {
         match variant {
-            #[cfg(not(feature = "ring"))]
+            #[cfg(feature = "openssl")]
             CipherSuiteVariant::AesCtr128HmacSha256_80 => CipherSuite {
                 variant,
                 hash_len: 32,
@@ -41,15 +41,15 @@ impl From<CipherSuiteVariant> for CipherSuite {
                 auth_tag_len: 10,
             },
 
-            #[cfg(not(feature = "ring"))]
+            #[cfg(feature = "openssl")]
             CipherSuiteVariant::AesCtr128HmacSha256_64 => CipherSuite {
                 variant,
                 hash_len: 32,
                 key_len: 16,
                 nonce_len: 12,
                 auth_tag_len: 8,
             },
-            #[cfg(not(feature = "ring"))]
+            #[cfg(feature = "openssl")]
             CipherSuiteVariant::AesCtr128HmacSha256_32 => CipherSuite {
                 variant,
                 hash_len: 32,
@@ -76,10 +76,10 @@ impl From<CipherSuiteVariant> for CipherSuite {
 }
 
 impl CipherSuite {
-    #[allow(dead_code)]
+    #[cfg(any(feature = "openssl", test))]
     pub(crate) fn is_ctr_mode(&self) -> bool {
         match self.variant {
-            #[cfg(not(feature = "ring"))]
+            #[cfg(feature = "openssl")]
             CipherSuiteVariant::AesCtr128HmacSha256_80
             | CipherSuiteVariant::AesCtr128HmacSha256_64
             | CipherSuiteVariant::AesCtr128HmacSha256_32 => true,

src/crypto/key_expansion.rs

@@ -14,11 +14,11 @@ pub const SFRAME_HKDF_SALT: &[u8] = "SFrame10".as_bytes();
 pub const SFRAME_HKDF_KEY_EXPAND_INFO: &[u8] = "key".as_bytes();
 pub const SFRAME_HDKF_SALT_EXPAND_INFO: &[u8] = "salt".as_bytes();
 
-#[cfg(not(feature = "ring"))]
+#[cfg(feature = "openssl")]
 pub const SFRAME_HKDF_SUB_SALT: &[u8] = "SFrame10 AES CTR AEAD".as_bytes();
-#[cfg(not(feature = "ring"))]
+#[cfg(feature = "openssl")]
 pub const SFRAME_HKDF_SUB_ENC_EXPAND_INFO: &[u8] = "enc".as_bytes();
-#[cfg(not(feature = "ring"))]
+#[cfg(feature = "openssl")]
 pub const SFRAME_HDKF_SUB_AUTH_EXPAND_INFO: &[u8] = "auth".as_bytes();
 
 #[cfg(test)]
@@ -50,7 +50,7 @@ mod test {
         derive_correct_base_keys(CipherSuiteVariant::AesGcm256Sha512);
     }
 
-    #[cfg(not(feature = "ring"))]
+    #[cfg(feature = "openssl")]
     mod aes_ctr {
         use super::*;
 

src/crypto/mod.rs

@@ -13,7 +13,7 @@ if #[cfg(all(not(feature = "openssl"), feature = "ring"))]{
 else if #[cfg(all(feature = "openssl", not(feature = "ring")))] {
     mod openssl;
 } else {
-    // fallback to ring
+    compile_error!("Cannot configure multiple crypto backends at the same time.");
     mod ring;
 }
 }

src/crypto/ring/key_expansion.rs

@@ -24,7 +24,11 @@ impl KeyExpansion for Secret {
         let key = expand_key(&prk, SFRAME_HKDF_KEY_EXPAND_INFO, cipher_suite.key_len)?;
         let salt = expand_key(&prk, SFRAME_HDKF_SALT_EXPAND_INFO, cipher_suite.nonce_len)?;
 
-        Ok(Secret { key, salt })
+        Ok(Secret {
+            key,
+            salt,
+            auth: None,
+        })
     }
 }
 

src/crypto/secret.rs

@@ -3,7 +3,6 @@ use crate::header::FrameCount;
 pub struct Secret {
     pub key: Vec<u8>,
     pub salt: Vec<u8>,
-    #[cfg(not(feature = "ring"))]
     pub auth: Option<Vec<u8>>,
 }
 
@@ -27,7 +26,6 @@ impl Secret {
         Secret {
             key: test_vector.key.clone(),
             salt: test_vector.salt.clone(),
-            #[cfg(not(feature = "ring"))]
             auth: None,
         }
     }

src/lib.rs

@@ -8,7 +8,7 @@
 //! # Optional features
 //!
 //! Using optional features `sframe` allows to configure different crypto libraries.
-//! Be aware that those features are mutually exlusive, if multiple `sframe` falls back to using `ring`.
+//! Be aware that those features are mutually exlusive, if multiple are configured `sframe` issues a compiler error.
 //!
 //! - **`ring`** *(enabled by default)* — Uses the [ring](https://crates.io/crates/ring) library which allows compilation to Wasm32.
 //! AES-CTR mode ciphers are not supported.