bitwarden_crypto/store/
cipher_suite.rs1use crate::Kdf;
2
3#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
10pub enum CipherSuite {
11 #[default]
13 Standard,
14 Fips,
17}
18
19impl CipherSuite {
20 pub fn from_gov_mode(gov_mode: bool) -> Self {
23 if gov_mode {
24 CipherSuite::Fips
25 } else {
26 CipherSuite::Standard
27 }
28 }
29
30 pub fn default_kdf_for_new_account(self) -> Kdf {
35 match self {
36 CipherSuite::Standard => Kdf::default_argon2(),
37 CipherSuite::Fips => Kdf::default_pbkdf2(),
38 }
39 }
40
41 pub fn is_kdf_compliant(self, kdf: &Kdf) -> bool {
46 match self {
47 CipherSuite::Standard => true,
48 CipherSuite::Fips => matches!(kdf, Kdf::PBKDF2 { .. }),
49 }
50 }
51}
52
53#[cfg(test)]
54mod tests {
55 use super::*;
56
57 #[test]
58 fn default_is_standard() {
59 assert_eq!(CipherSuite::default(), CipherSuite::Standard);
60 }
61
62 #[test]
63 fn from_gov_mode_maps_to_suite() {
64 assert_eq!(CipherSuite::from_gov_mode(false), CipherSuite::Standard);
65 assert_eq!(CipherSuite::from_gov_mode(true), CipherSuite::Fips);
66 }
67
68 #[test]
69 fn standard_uses_argon2_for_new_account() {
70 assert!(matches!(
71 CipherSuite::Standard.default_kdf_for_new_account(),
72 Kdf::Argon2id { .. }
73 ));
74 }
75
76 #[test]
77 fn fips_uses_pbkdf2_for_new_account() {
78 assert!(matches!(
79 CipherSuite::Fips.default_kdf_for_new_account(),
80 Kdf::PBKDF2 { .. }
81 ));
82 }
83
84 #[test]
85 fn standard_allows_any_kdf() {
86 assert!(CipherSuite::Standard.is_kdf_compliant(&Kdf::default_argon2()));
87 assert!(CipherSuite::Standard.is_kdf_compliant(&Kdf::default_pbkdf2()));
88 }
89
90 #[test]
91 fn fips_allows_only_pbkdf2() {
92 assert!(CipherSuite::Fips.is_kdf_compliant(&Kdf::default_pbkdf2()));
93 assert!(!CipherSuite::Fips.is_kdf_compliant(&Kdf::default_argon2()));
94 }
95}