rustls/crypto/ring/
mod.rs

1use alloc::sync::Arc;
2
3use pki_types::PrivateKeyDer;
4pub(crate) use ring as ring_like;
5use webpki::ring as webpki_algs;
6
7use crate::crypto::{CryptoProvider, KeyProvider, SecureRandom};
8use crate::enums::SignatureScheme;
9use crate::rand::GetRandomFailed;
10use crate::sign::SigningKey;
11use crate::suites::SupportedCipherSuite;
12use crate::webpki::WebPkiSupportedAlgorithms;
13use crate::Error;
14
15/// Using software keys for authentication.
16pub mod sign;
17
18pub(crate) mod hash;
19#[cfg(any(test, feature = "tls12"))]
20pub(crate) mod hmac;
21pub(crate) mod kx;
22pub(crate) mod quic;
23#[cfg(any(feature = "std", feature = "hashbrown"))]
24pub(crate) mod ticketer;
25#[cfg(feature = "tls12")]
26pub(crate) mod tls12;
27pub(crate) mod tls13;
28
29/// A `CryptoProvider` backed by the [*ring*] crate.
30///
31/// [*ring*]: https://github.com/briansmith/ring
32pub fn default_provider() -> CryptoProvider {
33    CryptoProvider {
34        cipher_suites: DEFAULT_CIPHER_SUITES.to_vec(),
35        kx_groups: ALL_KX_GROUPS.to_vec(),
36        signature_verification_algorithms: SUPPORTED_SIG_ALGS,
37        secure_random: &Ring,
38        key_provider: &Ring,
39    }
40}
41
42/// Default crypto provider.
43#[derive(Debug)]
44struct Ring;
45
46impl SecureRandom for Ring {
47    fn fill(&self, buf: &mut [u8]) -> Result<(), GetRandomFailed> {
48        use ring_like::rand::SecureRandom;
49
50        ring_like::rand::SystemRandom::new()
51            .fill(buf)
52            .map_err(|_| GetRandomFailed)
53    }
54}
55
56impl KeyProvider for Ring {
57    fn load_private_key(
58        &self,
59        key_der: PrivateKeyDer<'static>,
60    ) -> Result<Arc<dyn SigningKey>, Error> {
61        sign::any_supported_type(&key_der)
62    }
63}
64
65/// The cipher suite configuration that an application should use by default.
66///
67/// This will be [`ALL_CIPHER_SUITES`] sans any supported cipher suites that
68/// shouldn't be enabled by most applications.
69pub static DEFAULT_CIPHER_SUITES: &[SupportedCipherSuite] = ALL_CIPHER_SUITES;
70
71/// A list of all the cipher suites supported by the rustls *ring* provider.
72pub static ALL_CIPHER_SUITES: &[SupportedCipherSuite] = &[
73    // TLS1.3 suites
74    tls13::TLS13_AES_256_GCM_SHA384,
75    tls13::TLS13_AES_128_GCM_SHA256,
76    tls13::TLS13_CHACHA20_POLY1305_SHA256,
77    // TLS1.2 suites
78    #[cfg(feature = "tls12")]
79    tls12::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
80    #[cfg(feature = "tls12")]
81    tls12::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
82    #[cfg(feature = "tls12")]
83    tls12::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
84    #[cfg(feature = "tls12")]
85    tls12::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
86    #[cfg(feature = "tls12")]
87    tls12::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
88    #[cfg(feature = "tls12")]
89    tls12::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
90];
91
92/// All defined cipher suites supported by *ring* appear in this module.
93pub mod cipher_suite {
94    #[cfg(feature = "tls12")]
95    pub use super::tls12::{
96        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
97        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
98        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
99    };
100    pub use super::tls13::{
101        TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256,
102    };
103}
104
105/// A `WebPkiSupportedAlgorithms` value that reflects webpki's capabilities when
106/// compiled against *ring*.
107static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms {
108    all: &[
109        webpki_algs::ECDSA_P256_SHA256,
110        webpki_algs::ECDSA_P256_SHA384,
111        webpki_algs::ECDSA_P384_SHA256,
112        webpki_algs::ECDSA_P384_SHA384,
113        webpki_algs::ED25519,
114        webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
115        webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
116        webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
117        webpki_algs::RSA_PKCS1_2048_8192_SHA256,
118        webpki_algs::RSA_PKCS1_2048_8192_SHA384,
119        webpki_algs::RSA_PKCS1_2048_8192_SHA512,
120        webpki_algs::RSA_PKCS1_3072_8192_SHA384,
121    ],
122    mapping: &[
123        // Note: for TLS1.2 the curve is not fixed by SignatureScheme. For TLS1.3 it is.
124        (
125            SignatureScheme::ECDSA_NISTP384_SHA384,
126            &[
127                webpki_algs::ECDSA_P384_SHA384,
128                webpki_algs::ECDSA_P256_SHA384,
129            ],
130        ),
131        (
132            SignatureScheme::ECDSA_NISTP256_SHA256,
133            &[
134                webpki_algs::ECDSA_P256_SHA256,
135                webpki_algs::ECDSA_P384_SHA256,
136            ],
137        ),
138        (SignatureScheme::ED25519, &[webpki_algs::ED25519]),
139        (
140            SignatureScheme::RSA_PSS_SHA512,
141            &[webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY],
142        ),
143        (
144            SignatureScheme::RSA_PSS_SHA384,
145            &[webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY],
146        ),
147        (
148            SignatureScheme::RSA_PSS_SHA256,
149            &[webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY],
150        ),
151        (
152            SignatureScheme::RSA_PKCS1_SHA512,
153            &[webpki_algs::RSA_PKCS1_2048_8192_SHA512],
154        ),
155        (
156            SignatureScheme::RSA_PKCS1_SHA384,
157            &[webpki_algs::RSA_PKCS1_2048_8192_SHA384],
158        ),
159        (
160            SignatureScheme::RSA_PKCS1_SHA256,
161            &[webpki_algs::RSA_PKCS1_2048_8192_SHA256],
162        ),
163    ],
164};
165
166/// All defined key exchange groups supported by *ring* appear in this module.
167///
168/// [`ALL_KX_GROUPS`] is provided as an array of all of these values.
169pub mod kx_group {
170    pub use super::kx::{SECP256R1, SECP384R1, X25519};
171}
172
173pub use kx::ALL_KX_GROUPS;
174#[cfg(any(feature = "std", feature = "hashbrown"))]
175pub use ticketer::Ticketer;
176
177/// Compatibility shims between ring 0.16.x and 0.17.x API
178mod ring_shim {
179    use super::ring_like;
180    use crate::crypto::SharedSecret;
181
182    pub(super) fn agree_ephemeral(
183        priv_key: ring_like::agreement::EphemeralPrivateKey,
184        peer_key: &ring_like::agreement::UnparsedPublicKey<&[u8]>,
185    ) -> Result<SharedSecret, ()> {
186        ring_like::agreement::agree_ephemeral(priv_key, peer_key, |secret| {
187            SharedSecret::from(secret)
188        })
189        .map_err(|_| ())
190    }
191}
192
193pub(super) fn fips() -> bool {
194    false
195}
rustls/crypto/ring/mod.rs

rustls/crypto/ring/
mod.rs
