mod.rs source code [crates/rustls/src/crypto/ring/mod.rs]

1	use pki_types::PrivateKeyDer;
2	pub(crate) use ring as ring_like;
3	use webpki::ring as webpki_algs;
4
5	use crate::Error;
6	use crate::crypto::{CryptoProvider, KeyProvider, SecureRandom, SupportedKxGroup};
7	use crate::enums::SignatureScheme;
8	use crate::rand::GetRandomFailed;
9	use crate::sign::SigningKey;
10	use crate::suites::SupportedCipherSuite;
11	use crate::sync::Arc;
12	use crate::webpki::WebPkiSupportedAlgorithms;
13
14	/// Using software keys for authentication.
15	pub mod sign;
16
17	pub(crate) mod hash;
18	#[cfg(any(test, feature = "tls12"))]
19	pub(crate) mod hmac;
20	pub(crate) mod kx;
21	pub(crate) mod quic;
22	#[cfg(any(feature = "std", feature = "hashbrown"))]
23	pub(crate) mod ticketer;
24	#[cfg(feature = "tls12")]
25	pub(crate) mod tls12;
26	pub(crate) mod tls13;
27
28	/// A `CryptoProvider` backed by the [ring] crate.
29	///
30	/// [ring]: https://github.com/briansmith/ring
31	pub fn default_provider() -> CryptoProvider {
32	CryptoProvider {
33	cipher_suites: DEFAULT_CIPHER_SUITES.to_vec(),
34	kx_groups: DEFAULT_KX_GROUPS.to_vec(),
35	signature_verification_algorithms: SUPPORTED_SIG_ALGS,
36	secure_random: &Ring,
37	key_provider: &Ring,
38	}
39	}
40
41	/// Default crypto provider.
42	#[derive(Debug)]
43	struct Ring;
44
45	impl SecureRandom for Ring {
46	fn fill(&self, buf: &mut [u8]) -> Result<(), GetRandomFailed> {
47	use ring_like::rand::SecureRandom;
48
49	ring_like::rand::SystemRandom::new()
50	.fill(buf)
51	.map_err(\|_\| GetRandomFailed)
52	}
53	}
54
55	impl KeyProvider for Ring {
56	fn load_private_key(
57	&self,
58	key_der: PrivateKeyDer<'static>,
59	) -> Result<Arc<dyn SigningKey>, Error> {
60	sign::any_supported_type(&key_der)
61	}
62	}
63
64	/// The cipher suite configuration that an application should use by default.
65	///
66	/// This will be [`ALL_CIPHER_SUITES`] sans any supported cipher suites that
67	/// shouldn't be enabled by most applications.
68	pub static DEFAULT_CIPHER_SUITES: &[SupportedCipherSuite] = ALL_CIPHER_SUITES;
69
70	/// A list of all the cipher suites supported by the rustls ring* provider.*
71	pub static ALL_CIPHER_SUITES: &[SupportedCipherSuite] = &[
72	// TLS1.3 suites
73	tls13::TLS13_AES_256_GCM_SHA384,
74	tls13::TLS13_AES_128_GCM_SHA256,
75	tls13::TLS13_CHACHA20_POLY1305_SHA256,
76	// TLS1.2 suites
77	#[cfg(feature = "tls12")]
78	tls12::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
79	#[cfg(feature = "tls12")]
80	tls12::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
81	#[cfg(feature = "tls12")]
82	tls12::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
83	#[cfg(feature = "tls12")]
84	tls12::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
85	#[cfg(feature = "tls12")]
86	tls12::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
87	#[cfg(feature = "tls12")]
88	tls12::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
89	];
90
91	/// All defined cipher suites supported by ring* appear in this module.*
92	pub mod cipher_suite {
93	#[cfg(feature = "tls12")]
94	pub use super::tls12::{
95	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
96	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
97	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
98	};
99	pub use super::tls13::{
100	TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256,
101	};
102	}
103
104	/// A `WebPkiSupportedAlgorithms` value that reflects webpki's capabilities when
105	/// compiled against ring.
106	static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms {
107	all: &[
108	webpki_algs::ECDSA_P256_SHA256,
109	webpki_algs::ECDSA_P256_SHA384,
110	webpki_algs::ECDSA_P384_SHA256,
111	webpki_algs::ECDSA_P384_SHA384,
112	webpki_algs::ED25519,
113	webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
114	webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
115	webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
116	webpki_algs::RSA_PKCS1_2048_8192_SHA256,
117	webpki_algs::RSA_PKCS1_2048_8192_SHA384,
118	webpki_algs::RSA_PKCS1_2048_8192_SHA512,
119	webpki_algs::RSA_PKCS1_3072_8192_SHA384,
120	],
121	mapping: &[
122	// Note: for TLS1.2 the curve is not fixed by SignatureScheme. For TLS1.3 it is.
123	(
124	SignatureScheme::ECDSA_NISTP384_SHA384,
125	&[
126	webpki_algs::ECDSA_P384_SHA384,
127	webpki_algs::ECDSA_P256_SHA384,
128	],
129	),
130	(
131	SignatureScheme::ECDSA_NISTP256_SHA256,
132	&[
133	webpki_algs::ECDSA_P256_SHA256,
134	webpki_algs::ECDSA_P384_SHA256,
135	],
136	),
137	(SignatureScheme::ED25519, &[webpki_algs::ED25519]),
138	(
139	SignatureScheme::RSA_PSS_SHA512,
140	&[webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY],
141	),
142	(
143	SignatureScheme::RSA_PSS_SHA384,
144	&[webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY],
145	),
146	(
147	SignatureScheme::RSA_PSS_SHA256,
148	&[webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY],
149	),
150	(
151	SignatureScheme::RSA_PKCS1_SHA512,
152	&[webpki_algs::RSA_PKCS1_2048_8192_SHA512],
153	),
154	(
155	SignatureScheme::RSA_PKCS1_SHA384,
156	&[webpki_algs::RSA_PKCS1_2048_8192_SHA384],
157	),
158	(
159	SignatureScheme::RSA_PKCS1_SHA256,
160	&[webpki_algs::RSA_PKCS1_2048_8192_SHA256],
161	),
162	],
163	};
164
165	/// All defined key exchange groups supported by ring* appear in this module.*
166	///
167	/// [`ALL_KX_GROUPS`] is provided as an array of all of these values.
168	/// [`DEFAULT_KX_GROUPS`] is provided as an array of this provider's defaults.
169	pub mod kx_group {
170	pub use super::kx::{SECP256R1, SECP384R1, X25519};
171	}
172
173	/// A list of the default key exchange groups supported by this provider.
174	pub static DEFAULT_KX_GROUPS: &[&dyn SupportedKxGroup] = ALL_KX_GROUPS;
175
176	/// A list of all the key exchange groups supported by this provider.
177	pub static ALL_KX_GROUPS: &[&dyn SupportedKxGroup] =
178	&[kx_group::X25519, kx_group::SECP256R1, kx_group::SECP384R1];
179
180	#[cfg(any(feature = "std", feature = "hashbrown"))]
181	pub use ticketer::Ticketer;
182
183	/// Compatibility shims between ring 0.16.x and 0.17.x API
184	mod ring_shim {
185	use super::ring_like;
186	use crate::crypto::SharedSecret;
187
188	pub(super) fn agree_ephemeral(
189	priv_key: ring_like::agreement::EphemeralPrivateKey,
190	peer_key: &ring_like::agreement::UnparsedPublicKey<&[u8]>,
191	) -> Result<SharedSecret, ()> {
192	ring_like::agreement::agree_ephemeral(priv_key, peer_key, \|secret\| {
193	SharedSecret::from(secret)
194	})
195	.map_err(\|_\| ())
196	}
197	}
198
199	pub(super) fn fips() -> bool {
200	`false`
201	}
202