mod.rs source code [crates/rustls-0.22.2/src/crypto/ring/mod.rs]

1	use crate::crypto::{CryptoProvider, KeyProvider, SecureRandom};
2	use crate::enums::SignatureScheme;
3	use crate::rand::GetRandomFailed;
4	use crate::sign::SigningKey;
5	use crate::suites::SupportedCipherSuite;
6	use crate::webpki::WebPkiSupportedAlgorithms;
7	use crate::Error;
8
9	use pki_types::PrivateKeyDer;
10	use webpki::ring as webpki_algs;
11
12	use alloc::sync::Arc;
13
14	pub(crate) use ring as ring_like;
15
16	/// Using software keys for authentication.
17	pub mod sign;
18
19	pub(crate) mod hash;
20	pub(crate) mod hmac;
21	pub(crate) mod kx;
22	pub(crate) mod quic;
23	pub(crate) mod ticketer;
24	#[cfg(feature = "tls12")]
25	pub(crate) mod tls12;
26	pub(crate) mod tls13;
27
28	/// A `CryptoProvider` backed by the [ring] crate.
29	///
30	/// [ring]: https://github.com/briansmith/ring
31	pub fn default_provider() -> CryptoProvider {
32	CryptoProvider {
33	cipher_suites: DEFAULT_CIPHER_SUITES.to_vec(),
34	kx_groups: ALL_KX_GROUPS.to_vec(),
35	signature_verification_algorithms: SUPPORTED_SIG_ALGS,
36	secure_random: &Ring,
37	key_provider: &Ring,
38	}
39	}
40
41	/// Default crypto provider.
42	#[derive(Debug)]
43	struct Ring;
44
45	impl SecureRandom for Ring {
46	fn fill(&self, buf: &mut [u8]) -> Result<(), GetRandomFailed> {
47	use ring_like::rand::SecureRandom;
48
49	ring_like::rand::SystemRandom::new()
50	.fill(buf)
51	.map_err(\|_\| GetRandomFailed)
52	}
53	}
54
55	impl KeyProvider for Ring {
56	fn load_private_key(
57	&self,
58	key_der: PrivateKeyDer<'static>,
59	) -> Result<Arc<dyn SigningKey>, Error> {
60	sign::any_supported_type(&key_der)
61	}
62	}
63
64	/// The cipher suite configuration that an application should use by default.
65	///
66	/// This will be [`ALL_CIPHER_SUITES`] sans any supported cipher suites that
67	/// shouldn't be enabled by most applications.
68	pub static DEFAULT_CIPHER_SUITES: &[SupportedCipherSuite] = ALL_CIPHER_SUITES;
69
70	/// A list of all the cipher suites supported by the rustls ring* provider.*
71	pub static ALL_CIPHER_SUITES: &[SupportedCipherSuite] = &[
72	// TLS1.3 suites
73	tls13::TLS13_AES_256_GCM_SHA384,
74	tls13::TLS13_AES_128_GCM_SHA256,
75	tls13::TLS13_CHACHA20_POLY1305_SHA256,
76	// TLS1.2 suites
77	#[cfg(feature = "tls12")]
78	tls12::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
79	#[cfg(feature = "tls12")]
80	tls12::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
81	#[cfg(feature = "tls12")]
82	tls12::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
83	#[cfg(feature = "tls12")]
84	tls12::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
85	#[cfg(feature = "tls12")]
86	tls12::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
87	#[cfg(feature = "tls12")]
88	tls12::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
89	];
90
91	/// All defined cipher suites supported by ring* appear in this module.*
92	pub mod cipher_suite {
93	#[cfg(feature = "tls12")]
94	pub use super::tls12::{
95	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
96	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
97	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
98	};
99	pub use super::tls13::{
100	TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256,
101	};
102	}
103
104	/// A `WebPkiSupportedAlgorithms` value that reflects webpki's capabilities when
105	/// compiled against ring.
106	static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms {
107	all: &[
108	webpki_algs::ECDSA_P256_SHA256,
109	webpki_algs::ECDSA_P256_SHA384,
110	webpki_algs::ECDSA_P384_SHA256,
111	webpki_algs::ECDSA_P384_SHA384,
112	webpki_algs::ED25519,
113	webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
114	webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
115	webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
116	webpki_algs::RSA_PKCS1_2048_8192_SHA256,
117	webpki_algs::RSA_PKCS1_2048_8192_SHA384,
118	webpki_algs::RSA_PKCS1_2048_8192_SHA512,
119	webpki_algs::RSA_PKCS1_3072_8192_SHA384,
120	],
121	mapping: &[
122	// Note: for TLS1.2 the curve is not fixed by SignatureScheme. For TLS1.3 it is.
123	(
124	SignatureScheme::ECDSA_NISTP384_SHA384,
125	&[
126	webpki_algs::ECDSA_P384_SHA384,
127	webpki_algs::ECDSA_P256_SHA384,
128	],
129	),
130	(
131	SignatureScheme::ECDSA_NISTP256_SHA256,
132	&[
133	webpki_algs::ECDSA_P256_SHA256,
134	webpki_algs::ECDSA_P384_SHA256,
135	],
136	),
137	(SignatureScheme::ED25519, &[webpki_algs::ED25519]),
138	(
139	SignatureScheme::RSA_PSS_SHA512,
140	&[webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY],
141	),
142	(
143	SignatureScheme::RSA_PSS_SHA384,
144	&[webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY],
145	),
146	(
147	SignatureScheme::RSA_PSS_SHA256,
148	&[webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY],
149	),
150	(
151	SignatureScheme::RSA_PKCS1_SHA512,
152	&[webpki_algs::RSA_PKCS1_2048_8192_SHA512],
153	),
154	(
155	SignatureScheme::RSA_PKCS1_SHA384,
156	&[webpki_algs::RSA_PKCS1_2048_8192_SHA384],
157	),
158	(
159	SignatureScheme::RSA_PKCS1_SHA256,
160	&[webpki_algs::RSA_PKCS1_2048_8192_SHA256],
161	),
162	],
163	};
164
165	/// All defined key exchange groups supported by ring* appear in this module.*
166	///
167	/// [`ALL_KX_GROUPS`] is provided as an array of all of these values.
168	pub mod kx_group {
169	pub use super::kx::SECP256R1;
170	pub use super::kx::SECP384R1;
171	pub use super::kx::X25519;
172	}
173
174	pub use kx::ALL_KX_GROUPS;
175	pub use ticketer::Ticketer;
176
177	/// Compatibility shims between ring 0.16.x and 0.17.x API
178	mod ring_shim {
179	use super::ring_like;
180	use crate::crypto::SharedSecret;
181
182	pub(super) fn agree_ephemeral(
183	priv_key: ring_like::agreement::EphemeralPrivateKey,
184	peer_key: &ring_like::agreement::UnparsedPublicKey<&[u8]>,
185	) -> Result<SharedSecret, ()> {
186	ring_like::agreement::agree_ephemeral(priv_key, peer_key, \|secret\| {
187	SharedSecret::from(secret)
188	})
189	.map_err(\|_\| ())
190	}
191	}
192