1use pki_types::PrivateKeyDer;
2pub(crate) use ring as ring_like;
3use webpki::ring as webpki_algs;
4
5use crate::Error;
6use crate::crypto::{CryptoProvider, KeyProvider, SecureRandom, SupportedKxGroup};
7use crate::enums::SignatureScheme;
8use crate::rand::GetRandomFailed;
9use crate::sign::SigningKey;
10use crate::suites::SupportedCipherSuite;
11use crate::sync::Arc;
12use crate::webpki::WebPkiSupportedAlgorithms;
13
14pub mod sign;
16
17pub(crate) mod hash;
18#[cfg(any(test, feature = "tls12"))]
19pub(crate) mod hmac;
20pub(crate) mod kx;
21pub(crate) mod quic;
22#[cfg(feature = "std")]
23pub(crate) mod ticketer;
24#[cfg(feature = "tls12")]
25pub(crate) mod tls12;
26pub(crate) mod tls13;
27
28pub fn default_provider() -> CryptoProvider {
32 CryptoProvider {
33 cipher_suites: DEFAULT_CIPHER_SUITES.to_vec(),
34 kx_groups: DEFAULT_KX_GROUPS.to_vec(),
35 signature_verification_algorithms: SUPPORTED_SIG_ALGS,
36 secure_random: &Ring,
37 key_provider: &Ring,
38 }
39}
40
41#[derive(Debug)]
43struct Ring;
44
45impl SecureRandom for Ring {
46 fn fill(&self, buf: &mut [u8]) -> Result<(), GetRandomFailed> {
47 use ring_like::rand::SecureRandom;
48
49 ring_like::rand::SystemRandom::new()
50 .fill(buf)
51 .map_err(|_| GetRandomFailed)
52 }
53}
54
55impl KeyProvider for Ring {
56 fn load_private_key(
57 &self,
58 key_der: PrivateKeyDer<'static>,
59 ) -> Result<Arc<dyn SigningKey>, Error> {
60 sign::any_supported_type(&key_der)
61 }
62}
63
64pub static DEFAULT_CIPHER_SUITES: &[SupportedCipherSuite] = ALL_CIPHER_SUITES;
69
70pub static ALL_CIPHER_SUITES: &[SupportedCipherSuite] = &[
72 tls13::TLS13_AES_256_GCM_SHA384,
74 tls13::TLS13_AES_128_GCM_SHA256,
75 tls13::TLS13_CHACHA20_POLY1305_SHA256,
76 #[cfg(feature = "tls12")]
78 tls12::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
79 #[cfg(feature = "tls12")]
80 tls12::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
81 #[cfg(feature = "tls12")]
82 tls12::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
83 #[cfg(feature = "tls12")]
84 tls12::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
85 #[cfg(feature = "tls12")]
86 tls12::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
87 #[cfg(feature = "tls12")]
88 tls12::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
89];
90
91pub mod cipher_suite {
93 #[cfg(feature = "tls12")]
94 pub use super::tls12::{
95 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
96 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
97 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
98 };
99 pub use super::tls13::{
100 TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256,
101 };
102}
103
104static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms {
107 all: &[
108 webpki_algs::ECDSA_P256_SHA256,
109 webpki_algs::ECDSA_P256_SHA384,
110 webpki_algs::ECDSA_P384_SHA256,
111 webpki_algs::ECDSA_P384_SHA384,
112 webpki_algs::ED25519,
113 webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
114 webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
115 webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
116 webpki_algs::RSA_PKCS1_2048_8192_SHA256,
117 webpki_algs::RSA_PKCS1_2048_8192_SHA384,
118 webpki_algs::RSA_PKCS1_2048_8192_SHA512,
119 webpki_algs::RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS,
120 webpki_algs::RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS,
121 webpki_algs::RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS,
122 ],
123 mapping: &[
124 (
126 SignatureScheme::ECDSA_NISTP384_SHA384,
127 &[
128 webpki_algs::ECDSA_P384_SHA384,
129 webpki_algs::ECDSA_P256_SHA384,
130 ],
131 ),
132 (
133 SignatureScheme::ECDSA_NISTP256_SHA256,
134 &[
135 webpki_algs::ECDSA_P256_SHA256,
136 webpki_algs::ECDSA_P384_SHA256,
137 ],
138 ),
139 (SignatureScheme::ED25519, &[webpki_algs::ED25519]),
140 (
141 SignatureScheme::RSA_PSS_SHA512,
142 &[webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY],
143 ),
144 (
145 SignatureScheme::RSA_PSS_SHA384,
146 &[webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY],
147 ),
148 (
149 SignatureScheme::RSA_PSS_SHA256,
150 &[webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY],
151 ),
152 (
153 SignatureScheme::RSA_PKCS1_SHA512,
154 &[webpki_algs::RSA_PKCS1_2048_8192_SHA512],
155 ),
156 (
157 SignatureScheme::RSA_PKCS1_SHA384,
158 &[webpki_algs::RSA_PKCS1_2048_8192_SHA384],
159 ),
160 (
161 SignatureScheme::RSA_PKCS1_SHA256,
162 &[webpki_algs::RSA_PKCS1_2048_8192_SHA256],
163 ),
164 ],
165};
166
167pub mod kx_group {
172 pub use super::kx::{SECP256R1, SECP384R1, X25519};
173}
174
175pub static DEFAULT_KX_GROUPS: &[&dyn SupportedKxGroup] = ALL_KX_GROUPS;
177
178pub static ALL_KX_GROUPS: &[&dyn SupportedKxGroup] =
180 &[kx_group::X25519, kx_group::SECP256R1, kx_group::SECP384R1];
181
182#[cfg(feature = "std")]
183pub use ticketer::Ticketer;
184
185mod ring_shim {
187 use super::ring_like;
188 use crate::crypto::SharedSecret;
189
190 pub(super) fn agree_ephemeral(
191 priv_key: ring_like::agreement::EphemeralPrivateKey,
192 peer_key: &ring_like::agreement::UnparsedPublicKey<&[u8]>,
193 ) -> Result<SharedSecret, ()> {
194 ring_like::agreement::agree_ephemeral(priv_key, peer_key, |secret| {
195 SharedSecret::from(secret)
196 })
197 .map_err(|_| ())
198 }
199}
200
201pub(super) fn fips() -> bool {
202 false
203}