Skip to main content

zerodds_security_crypto/
lib.rs

1// SPDX-License-Identifier: Apache-2.0
2// Copyright 2026 ZeroDDS Contributors
3
4//! Crate `zerodds-security-crypto`. Safety classification: **SAFE**
5//! (Wrapper um `ring`; kein eigener Primitive-Code).
6//!
7//! AES-GCM + HMAC `CryptographicPlugin`-Implementation fuer
8//! DDS-Security 1.1 §8.5 (Spec `formal/2018-04-01`).
9//!
10//! ## Schichten-Position
11//!
12//! Layer 4 — Core Services. Implementiert die SPI aus
13//! `zerodds-security::crypto::CryptographicPlugin`.
14//!
15//! ## Public API (Stand 1.0.0-rc.1)
16//!
17//! - [`AesGcmCryptoPlugin`] — AES-GCM-128/256 + HMAC-SHA256 Plugin-Impl.
18//! - [`PskCryptoPlugin`] — Pre-Shared-Key-Plugin fuer Out-of-Band-Setups.
19//! - [`Suite`] — Suite-Diskriminator (AES-128-GCM / AES-256-GCM).
20//! - [`crypto_transform`]-Modul — `CryptoHeader`/`CryptoFooter` Wire-Codec
21//!   plus `CryptoTransformKind` + `CryptoTransformIdentifier`.
22//! - [`session_key`]-Modul — `derive_session_key` + `derive_session_hmac_key`
23//!   + `compute_aad` + Tag-Konstanten (Spec §10.5.2 Tab.74).
24//! - [`aes_gcm_hw`]-Modul — HW-Capabilities-Detection (`Arch`, `HwCapabilities`).
25//! - `metrics` (Feature `metrics`) — Hook-Points fuer `zerodds-monitor` §2.5.
26//!
27//! ## Suite-Coverage
28//!
29//! | Suite | Wire-Kind | Use-Case |
30//! |-------|-----------|----------|
31//! | AES-128-GCM | 0x01 | Default-Production |
32//! | AES-256-GCM | 0x02 | High-Assurance |
33//! | HMAC-SHA256 (Auth-only) | 0x03 | Governance `metadata_protection_kind=SIGN` |
34//!
35//! 12-byte-Nonce = 4 byte Session-ID + 8 byte Counter (Spec §9.5.3.3.4.4).
36//! Wire-Token: `[kind_id(1) | session_id(4) | master_key(16|32)]`.
37//!
38//! Nonce-Wrap-around-Protection: bei 2^63 Encrypts pro Session lehnt der
39//! Plugin neue Encrypt-Calls mit "key-refresh required" ab — Caller muss
40//! ein neues `register_local_*`-Roundtrip ausloesen.
41
42#![cfg_attr(not(feature = "std"), no_std)]
43#![forbid(unsafe_code)]
44#![warn(missing_docs)]
45
46extern crate alloc;
47
48pub mod aes_gcm_hw;
49pub mod crypto_transform;
50#[cfg(feature = "metrics")]
51pub mod metrics;
52mod plugin;
53pub mod psk_plugin;
54pub mod session_key;
55pub mod suite;
56
57pub use aes_gcm_hw::{Arch, HwCapabilities};
58
59pub use crypto_transform::{
60    BUILTIN_CRYPTO_PLUGIN, CryptoFooter, CryptoHeader, CryptoTransformIdentifier,
61    CryptoTransformKind, negotiate_transform,
62};
63pub use plugin::AesGcmCryptoPlugin;
64pub use psk_plugin::{CLASS_ID_PSK_CRYPTO, HKDF_INFO_PSK_MASTER_KEY, PskCryptoPlugin};
65pub use session_key::{
66    AAD_HEADER_LEN, SESSION_KEY_TAG, SESSION_RECEIVER_KEY_TAG, compute_aad,
67    derive_session_hmac_key, derive_session_key,
68};
69pub use suite::Suite;