rustls/crypto/ring/
mod.rs

1use pki_types::PrivateKeyDer;
2pub(crate) use ring as ring_like;
3use webpki::ring as webpki_algs;
4
5use crate::Error;
6use crate::crypto::{CryptoProvider, KeyProvider, SecureRandom, SupportedKxGroup};
7use crate::enums::SignatureScheme;
8use crate::rand::GetRandomFailed;
9use crate::sign::SigningKey;
10use crate::suites::SupportedCipherSuite;
11use crate::sync::Arc;
12use crate::webpki::WebPkiSupportedAlgorithms;
13
14/// Using software keys for authentication.
15pub mod sign;
16
17pub(crate) mod hash;
18pub(crate) mod hmac;
19pub(crate) mod kx;
20pub(crate) mod quic;
21#[cfg(feature = "std")]
22pub(crate) mod ticketer;
23pub(crate) mod tls12;
24pub(crate) mod tls13;
25
26/// A `CryptoProvider` backed by the [*ring*] crate.
27///
28/// [*ring*]: https://github.com/briansmith/ring
29pub fn default_provider() -> CryptoProvider {
30    CryptoProvider {
31        cipher_suites: DEFAULT_CIPHER_SUITES.to_vec(),
32        kx_groups: DEFAULT_KX_GROUPS.to_vec(),
33        signature_verification_algorithms: SUPPORTED_SIG_ALGS,
34        secure_random: &Ring,
35        key_provider: &Ring,
36    }
37}
38
39/// Default crypto provider.
40#[derive(Debug)]
41struct Ring;
42
43impl SecureRandom for Ring {
44    fn fill(&self, buf: &mut [u8]) -> Result<(), GetRandomFailed> {
45        use ring_like::rand::SecureRandom;
46
47        ring_like::rand::SystemRandom::new()
48            .fill(buf)
49            .map_err(|_| GetRandomFailed)
50    }
51}
52
53impl KeyProvider for Ring {
54    fn load_private_key(
55        &self,
56        key_der: PrivateKeyDer<'static>,
57    ) -> Result<Arc<dyn SigningKey>, Error> {
58        sign::any_supported_type(&key_der)
59    }
60}
61
62/// The cipher suite configuration that an application should use by default.
63///
64/// This will be [`ALL_CIPHER_SUITES`] sans any supported cipher suites that
65/// shouldn't be enabled by most applications.
66pub static DEFAULT_CIPHER_SUITES: &[SupportedCipherSuite] = ALL_CIPHER_SUITES;
67
68/// A list of all the cipher suites supported by the rustls *ring* provider.
69pub static ALL_CIPHER_SUITES: &[SupportedCipherSuite] = &[
70    // TLS1.3 suites
71    tls13::TLS13_AES_256_GCM_SHA384,
72    tls13::TLS13_AES_128_GCM_SHA256,
73    tls13::TLS13_CHACHA20_POLY1305_SHA256,
74    // TLS1.2 suites
75    tls12::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
76    tls12::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
77    tls12::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
78    tls12::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
79    tls12::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
80    tls12::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
81];
82
83/// All defined cipher suites supported by *ring* appear in this module.
84pub mod cipher_suite {
85    pub use super::tls12::{
86        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
87        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
88        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
89    };
90    pub use super::tls13::{
91        TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256,
92    };
93}
94
95/// A `WebPkiSupportedAlgorithms` value that reflects webpki's capabilities when
96/// compiled against *ring*.
97static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms {
98    all: &[
99        webpki_algs::ECDSA_P256_SHA256,
100        webpki_algs::ECDSA_P256_SHA384,
101        webpki_algs::ECDSA_P384_SHA256,
102        webpki_algs::ECDSA_P384_SHA384,
103        webpki_algs::ED25519,
104        webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
105        webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
106        webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
107        webpki_algs::RSA_PKCS1_2048_8192_SHA256,
108        webpki_algs::RSA_PKCS1_2048_8192_SHA384,
109        webpki_algs::RSA_PKCS1_2048_8192_SHA512,
110        webpki_algs::RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS,
111        webpki_algs::RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS,
112        webpki_algs::RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS,
113    ],
114    mapping: &[
115        // Note: for TLS1.2 the curve is not fixed by SignatureScheme. For TLS1.3 it is.
116        (
117            SignatureScheme::ECDSA_NISTP384_SHA384,
118            &[
119                webpki_algs::ECDSA_P384_SHA384,
120                webpki_algs::ECDSA_P256_SHA384,
121            ],
122        ),
123        (
124            SignatureScheme::ECDSA_NISTP256_SHA256,
125            &[
126                webpki_algs::ECDSA_P256_SHA256,
127                webpki_algs::ECDSA_P384_SHA256,
128            ],
129        ),
130        (SignatureScheme::ED25519, &[webpki_algs::ED25519]),
131        (
132            SignatureScheme::RSA_PSS_SHA512,
133            &[webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY],
134        ),
135        (
136            SignatureScheme::RSA_PSS_SHA384,
137            &[webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY],
138        ),
139        (
140            SignatureScheme::RSA_PSS_SHA256,
141            &[webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY],
142        ),
143        (
144            SignatureScheme::RSA_PKCS1_SHA512,
145            &[webpki_algs::RSA_PKCS1_2048_8192_SHA512],
146        ),
147        (
148            SignatureScheme::RSA_PKCS1_SHA384,
149            &[webpki_algs::RSA_PKCS1_2048_8192_SHA384],
150        ),
151        (
152            SignatureScheme::RSA_PKCS1_SHA256,
153            &[webpki_algs::RSA_PKCS1_2048_8192_SHA256],
154        ),
155    ],
156};
157
158/// All defined key exchange groups supported by *ring* appear in this module.
159///
160/// [`ALL_KX_GROUPS`] is provided as an array of all of these values.
161/// [`DEFAULT_KX_GROUPS`] is provided as an array of this provider's defaults.
162pub mod kx_group {
163    pub use super::kx::{SECP256R1, SECP384R1, X25519};
164}
165
166/// A list of the default key exchange groups supported by this provider.
167pub static DEFAULT_KX_GROUPS: &[&dyn SupportedKxGroup] = ALL_KX_GROUPS;
168
169/// A list of all the key exchange groups supported by this provider.
170pub static ALL_KX_GROUPS: &[&dyn SupportedKxGroup] =
171    &[kx_group::X25519, kx_group::SECP256R1, kx_group::SECP384R1];
172
173#[cfg(feature = "std")]
174pub use ticketer::Ticketer;
175
176/// Compatibility shims between ring 0.16.x and 0.17.x API
177mod ring_shim {
178    use super::ring_like;
179    use crate::crypto::SharedSecret;
180
181    pub(super) fn agree_ephemeral(
182        priv_key: ring_like::agreement::EphemeralPrivateKey,
183        peer_key: &ring_like::agreement::UnparsedPublicKey<&[u8]>,
184    ) -> Result<SharedSecret, ()> {
185        ring_like::agreement::agree_ephemeral(priv_key, peer_key, |secret| {
186            SharedSecret::from(secret)
187        })
188        .map_err(|_| ())
189    }
190}
191
192pub(super) fn fips() -> bool {
193    false
194}
rustls/crypto/ring/mod.rs

rustls/crypto/ring/
mod.rs
