roughtime 0.1.0

A no_std-capable Roughtime secure time-sync client with pluggable crypto backends
Documentation
[package]
name = "roughtime"
version = "0.1.0"
edition = "2024"
rust-version = "1.89"
authors = ["Hacer"]
readme = "README.md"
license = "MIT OR Apache-2.0"
description = "A no_std-capable Roughtime secure time-sync client with pluggable crypto backends"
repository = "https://codeberg.org/hacer-bark/roughtime"
homepage = "https://codeberg.org/hacer-bark/roughtime"
documentation = "https://docs.rs/roughtime"
keywords = ["roughtime", "time", "secure-time", "no-std", "ntp"]
categories = ["date-and-time", "cryptography", "no-std", "network-programming"]

[dependencies]
base64ct = { version = "1", default-features = false, features = ["alloc"] }
zeroize = { version = "1", default-features = false, features = ["derive"] }
ed25519-dalek = { version = "3", default-features = false, features = ["alloc", "zeroize"], optional = true }
sha2 = { version = "0.11", default-features = false, optional = true }
aws-lc-rs = { version = "1", optional = true }
tokio = { version = "1", default-features = false, features = ["net", "rt", "time", "macros", "sync"], optional = true }
libc = { version = "0.2", optional = true }
getrandom = { version = "0.4", optional = true }
dnscrypt = { version = "0.1", default-features = false, features = ["tokio"], optional = true }

[dev-dependencies]
# Used only to sign synthetic test fixtures (Roughtime responses); the crate itself never
# signs anything (client-only, see the crate-level security-posture docs).
ed25519-dalek = "3"
tokio = { version = "1", features = ["rt", "rt-multi-thread", "macros", "net", "time"] }

[features]
default = ["aws-lc-rs", "std", "tokio-client", "dnscrypt"]

# Crypto backends — exactly one must be selected (enforced via compile_error! in src/crypto/mod.rs).
rustcrypto = ["dep:ed25519-dalek", "dep:sha2"]
aws-lc-rs = ["dep:aws-lc-rs", "std"]
aws-lc-rs-fips = ["dep:aws-lc-rs", "aws-lc-rs/fips", "std"]

# Enables std-only modules: networking clients and the Linux os-clock backend.
# `dep:getrandom` is pulled in here (not by `rustcrypto`) so that a true `no_std` build
# (`rustcrypto` without `std`) never depends on `getrandom`, which does not support bare-metal
# targets such as `x86_64-unknown-none`. Only `rustcrypto`'s `std`-gated `fill_random` uses it.
std = ["dep:getrandom"]
tokio-client = ["std", "dep:tokio"]
blocking-client = ["std"]
os-clock = ["std", "dep:libc"]

# Resolves well-known Roughtime server hostnames via DNSCrypt (authenticated, encrypted DNS)
# instead of the OS's plaintext, unauthenticated resolver, so callers no longer need to
# manually resolve/pin server IPs to get an end-to-end-encrypted request path. See
# `resolve::resolve_servers`/`resolve_servers_async` and `client::{TokioClient,
# BlockingClient}::query_well_known`.
dnscrypt = ["std", "dep:dnscrypt", "tokio-client"]

# Opt-in, NOT in default: ratchets the anti-rollback floor to the build day using the
# build machine's wall clock. Leaving this off keeps builds fully reproducible (e.g. for
# SEV-SNP attestation measurement matching), since the embedded floor is then just the
# static hardcoded constant in src/floor.rs, independent of build machine/time.
build-time-floor = []

[lints.rust]
warnings = "deny"
future_incompatible = "deny"
unused = "deny"
missing_docs = "deny"
missing_debug_implementations = "deny"
unreachable_pub = "deny"
unsafe_code = "deny"

[lints.clippy]
all = "deny"
pedantic = "deny"
nursery = "deny"
cargo = "deny"
unwrap_used = "deny"
expect_used = "deny"
panic = "deny"
todo = "deny"
unimplemented = "deny"