Available on crate feature
std only.Expand description
Adaptive Crypto Engine
Picks the AEAD cipher automatically from the host’s hardware capabilities:
- AES-256-GCM (ring asm) → Apple Silicon (FEAT_AES), x86_64 (AES-NI)
- ChaCha20-Poly1305 (ring asm) → ARM without AES, MIPS, RISC-V, IoT
Without HW AES, ChaCha20 is ~3-4x faster; with HW AES, AES-GCM is ~1.3x faster than ChaCha20.
Under --features fips the AEAD backend swaps to aws-lc-rs
(FIPS-validated AWS-LC). The Rust API surface is identical to
ring::aead, so the rest of this module is untouched. The cipher
suite enum keeps ChaCha20Poly1305 (wire-format stability) but the
negotiation/build paths reject it under fips.
Structs§
- Crypto
Session - Unified crypto session — works with any supported cipher suite.
- HwCaps
- Hardware capabilities report
Enums§
- Cipher
Suite - Supported cipher suites.
- Crypto
Error - Crypto errors
Constants§
- AEAD_
MAX_ INVOCATIONS - Hard upper bound on per-direction AEAD invocations before forcing a key rotation (or, in the absence of rekey, failing the operation).
- AEAD_
OVERHEAD - Overhead bytes: both AES-GCM and ChaCha20-Poly1305 produce a 16-byte tag
Functions§
- negotiate_
cipher - Negotiate best cipher suite between client and server.