rustls/crypto/ring/
mod.rs

1use pki_types::PrivateKeyDer;
2pub(crate) use ring as ring_like;
3use webpki::ring as webpki_algs;
4
5use crate::Error;
6use crate::crypto::{CryptoProvider, KeyProvider, SecureRandom, SupportedKxGroup};
7use crate::enums::SignatureScheme;
8use crate::rand::GetRandomFailed;
9use crate::sign::SigningKey;
10use crate::suites::SupportedCipherSuite;
11use crate::sync::Arc;
12use crate::webpki::WebPkiSupportedAlgorithms;
13
14/// Using software keys for authentication.
15pub mod sign;
16
17pub(crate) mod hash;
18#[cfg(any(test, feature = "tls12"))]
19pub(crate) mod hmac;
20pub(crate) mod kx;
21pub(crate) mod quic;
22#[cfg(feature = "std")]
23pub(crate) mod ticketer;
24#[cfg(feature = "tls12")]
25pub(crate) mod tls12;
26pub(crate) mod tls13;
27
28/// A `CryptoProvider` backed by the [*ring*] crate.
29///
30/// [*ring*]: https://github.com/briansmith/ring
31pub fn default_provider() -> CryptoProvider {
32    CryptoProvider {
33        cipher_suites: DEFAULT_CIPHER_SUITES.to_vec(),
34        kx_groups: DEFAULT_KX_GROUPS.to_vec(),
35        signature_verification_algorithms: SUPPORTED_SIG_ALGS,
36        secure_random: &Ring,
37        key_provider: &Ring,
38    }
39}
40
41/// Default crypto provider.
42#[derive(Debug)]
43struct Ring;
44
45impl SecureRandom for Ring {
46    fn fill(&self, buf: &mut [u8]) -> Result<(), GetRandomFailed> {
47        use ring_like::rand::SecureRandom;
48
49        ring_like::rand::SystemRandom::new()
50            .fill(buf)
51            .map_err(|_| GetRandomFailed)
52    }
53}
54
55impl KeyProvider for Ring {
56    fn load_private_key(
57        &self,
58        key_der: PrivateKeyDer<'static>,
59    ) -> Result<Arc<dyn SigningKey>, Error> {
60        sign::any_supported_type(&key_der)
61    }
62}
63
64/// The cipher suite configuration that an application should use by default.
65///
66/// This will be [`ALL_CIPHER_SUITES`] sans any supported cipher suites that
67/// shouldn't be enabled by most applications.
68pub static DEFAULT_CIPHER_SUITES: &[SupportedCipherSuite] = ALL_CIPHER_SUITES;
69
70/// A list of all the cipher suites supported by the rustls *ring* provider.
71pub static ALL_CIPHER_SUITES: &[SupportedCipherSuite] = &[
72    // TLS1.3 suites
73    tls13::TLS13_AES_256_GCM_SHA384,
74    tls13::TLS13_AES_128_GCM_SHA256,
75    tls13::TLS13_CHACHA20_POLY1305_SHA256,
76    // TLS1.2 suites
77    #[cfg(feature = "tls12")]
78    tls12::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
79    #[cfg(feature = "tls12")]
80    tls12::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
81    #[cfg(feature = "tls12")]
82    tls12::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
83    #[cfg(feature = "tls12")]
84    tls12::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
85    #[cfg(feature = "tls12")]
86    tls12::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
87    #[cfg(feature = "tls12")]
88    tls12::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
89];
90
91/// All defined cipher suites supported by *ring* appear in this module.
92pub mod cipher_suite {
93    #[cfg(feature = "tls12")]
94    pub use super::tls12::{
95        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
96        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
97        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
98    };
99    pub use super::tls13::{
100        TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256,
101    };
102}
103
104/// A `WebPkiSupportedAlgorithms` value that reflects webpki's capabilities when
105/// compiled against *ring*.
106static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms {
107    all: &[
108        webpki_algs::ECDSA_P256_SHA256,
109        webpki_algs::ECDSA_P256_SHA384,
110        webpki_algs::ECDSA_P384_SHA256,
111        webpki_algs::ECDSA_P384_SHA384,
112        webpki_algs::ED25519,
113        webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
114        webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
115        webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
116        webpki_algs::RSA_PKCS1_2048_8192_SHA256,
117        webpki_algs::RSA_PKCS1_2048_8192_SHA384,
118        webpki_algs::RSA_PKCS1_2048_8192_SHA512,
119        webpki_algs::RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS,
120        webpki_algs::RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS,
121        webpki_algs::RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS,
122    ],
123    mapping: &[
124        // Note: for TLS1.2 the curve is not fixed by SignatureScheme. For TLS1.3 it is.
125        (
126            SignatureScheme::ECDSA_NISTP384_SHA384,
127            &[
128                webpki_algs::ECDSA_P384_SHA384,
129                webpki_algs::ECDSA_P256_SHA384,
130            ],
131        ),
132        (
133            SignatureScheme::ECDSA_NISTP256_SHA256,
134            &[
135                webpki_algs::ECDSA_P256_SHA256,
136                webpki_algs::ECDSA_P384_SHA256,
137            ],
138        ),
139        (SignatureScheme::ED25519, &[webpki_algs::ED25519]),
140        (
141            SignatureScheme::RSA_PSS_SHA512,
142            &[webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY],
143        ),
144        (
145            SignatureScheme::RSA_PSS_SHA384,
146            &[webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY],
147        ),
148        (
149            SignatureScheme::RSA_PSS_SHA256,
150            &[webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY],
151        ),
152        (
153            SignatureScheme::RSA_PKCS1_SHA512,
154            &[webpki_algs::RSA_PKCS1_2048_8192_SHA512],
155        ),
156        (
157            SignatureScheme::RSA_PKCS1_SHA384,
158            &[webpki_algs::RSA_PKCS1_2048_8192_SHA384],
159        ),
160        (
161            SignatureScheme::RSA_PKCS1_SHA256,
162            &[webpki_algs::RSA_PKCS1_2048_8192_SHA256],
163        ),
164    ],
165};
166
167/// All defined key exchange groups supported by *ring* appear in this module.
168///
169/// [`ALL_KX_GROUPS`] is provided as an array of all of these values.
170/// [`DEFAULT_KX_GROUPS`] is provided as an array of this provider's defaults.
171pub mod kx_group {
172    pub use super::kx::{SECP256R1, SECP384R1, X25519};
173}
174
175/// A list of the default key exchange groups supported by this provider.
176pub static DEFAULT_KX_GROUPS: &[&dyn SupportedKxGroup] = ALL_KX_GROUPS;
177
178/// A list of all the key exchange groups supported by this provider.
179pub static ALL_KX_GROUPS: &[&dyn SupportedKxGroup] =
180    &[kx_group::X25519, kx_group::SECP256R1, kx_group::SECP384R1];
181
182#[cfg(feature = "std")]
183pub use ticketer::Ticketer;
184
185/// Compatibility shims between ring 0.16.x and 0.17.x API
186mod ring_shim {
187    use super::ring_like;
188    use crate::crypto::SharedSecret;
189
190    pub(super) fn agree_ephemeral(
191        priv_key: ring_like::agreement::EphemeralPrivateKey,
192        peer_key: &ring_like::agreement::UnparsedPublicKey<&[u8]>,
193    ) -> Result<SharedSecret, ()> {
194        ring_like::agreement::agree_ephemeral(priv_key, peer_key, |secret| {
195            SharedSecret::from(secret)
196        })
197        .map_err(|_| ())
198    }
199}
200
201pub(super) fn fips() -> bool {
202    false
203}