rustls/crypto/ring/
mod.rs

1use pki_types::PrivateKeyDer;
2pub(crate) use ring as ring_like;
3use webpki::ring as webpki_algs;
4
5use crate::Error;
6use crate::crypto::{CryptoProvider, KeyProvider, SecureRandom, SupportedKxGroup};
7use crate::enums::SignatureScheme;
8use crate::rand::GetRandomFailed;
9use crate::sign::SigningKey;
10use crate::suites::SupportedCipherSuite;
11use crate::sync::Arc;
12use crate::webpki::WebPkiSupportedAlgorithms;
13
14/// Using software keys for authentication.
15pub mod sign;
16
17pub(crate) mod hash;
18#[cfg(any(test, feature = "tls12"))]
19pub(crate) mod hmac;
20pub(crate) mod kx;
21pub(crate) mod quic;
22#[cfg(any(feature = "std", feature = "hashbrown"))]
23pub(crate) mod ticketer;
24#[cfg(feature = "tls12")]
25pub(crate) mod tls12;
26pub(crate) mod tls13;
27
28/// A `CryptoProvider` backed by the [*ring*] crate.
29///
30/// [*ring*]: https://github.com/briansmith/ring
31pub fn default_provider() -> CryptoProvider {
32    CryptoProvider {
33        cipher_suites: DEFAULT_CIPHER_SUITES.to_vec(),
34        kx_groups: DEFAULT_KX_GROUPS.to_vec(),
35        signature_verification_algorithms: SUPPORTED_SIG_ALGS,
36        secure_random: &Ring,
37        key_provider: &Ring,
38    }
39}
40
41/// Default crypto provider.
42#[derive(Debug)]
43struct Ring;
44
45impl SecureRandom for Ring {
46    fn fill(&self, buf: &mut [u8]) -> Result<(), GetRandomFailed> {
47        use ring_like::rand::SecureRandom;
48
49        ring_like::rand::SystemRandom::new()
50            .fill(buf)
51            .map_err(|_| GetRandomFailed)
52    }
53}
54
55impl KeyProvider for Ring {
56    fn load_private_key(
57        &self,
58        key_der: PrivateKeyDer<'static>,
59    ) -> Result<Arc<dyn SigningKey>, Error> {
60        sign::any_supported_type(&key_der)
61    }
62}
63
64/// The cipher suite configuration that an application should use by default.
65///
66/// This will be [`ALL_CIPHER_SUITES`] sans any supported cipher suites that
67/// shouldn't be enabled by most applications.
68pub static DEFAULT_CIPHER_SUITES: &[SupportedCipherSuite] = ALL_CIPHER_SUITES;
69
70/// A list of all the cipher suites supported by the rustls *ring* provider.
71pub static ALL_CIPHER_SUITES: &[SupportedCipherSuite] = &[
72    // TLS1.3 suites
73    tls13::TLS13_AES_256_GCM_SHA384,
74    tls13::TLS13_AES_128_GCM_SHA256,
75    tls13::TLS13_CHACHA20_POLY1305_SHA256,
76    // TLS1.2 suites
77    #[cfg(feature = "tls12")]
78    tls12::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
79    #[cfg(feature = "tls12")]
80    tls12::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
81    #[cfg(feature = "tls12")]
82    tls12::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
83    #[cfg(feature = "tls12")]
84    tls12::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
85    #[cfg(feature = "tls12")]
86    tls12::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
87    #[cfg(feature = "tls12")]
88    tls12::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
89];
90
91/// All defined cipher suites supported by *ring* appear in this module.
92pub mod cipher_suite {
93    #[cfg(feature = "tls12")]
94    pub use super::tls12::{
95        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
96        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
97        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
98    };
99    pub use super::tls13::{
100        TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256,
101    };
102}
103
104/// A `WebPkiSupportedAlgorithms` value that reflects webpki's capabilities when
105/// compiled against *ring*.
106static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms {
107    all: &[
108        webpki_algs::ECDSA_P256_SHA256,
109        webpki_algs::ECDSA_P256_SHA384,
110        webpki_algs::ECDSA_P384_SHA256,
111        webpki_algs::ECDSA_P384_SHA384,
112        webpki_algs::ED25519,
113        webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
114        webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
115        webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
116        webpki_algs::RSA_PKCS1_2048_8192_SHA256,
117        webpki_algs::RSA_PKCS1_2048_8192_SHA384,
118        webpki_algs::RSA_PKCS1_2048_8192_SHA512,
119        webpki_algs::RSA_PKCS1_3072_8192_SHA384,
120    ],
121    mapping: &[
122        // Note: for TLS1.2 the curve is not fixed by SignatureScheme. For TLS1.3 it is.
123        (
124            SignatureScheme::ECDSA_NISTP384_SHA384,
125            &[
126                webpki_algs::ECDSA_P384_SHA384,
127                webpki_algs::ECDSA_P256_SHA384,
128            ],
129        ),
130        (
131            SignatureScheme::ECDSA_NISTP256_SHA256,
132            &[
133                webpki_algs::ECDSA_P256_SHA256,
134                webpki_algs::ECDSA_P384_SHA256,
135            ],
136        ),
137        (SignatureScheme::ED25519, &[webpki_algs::ED25519]),
138        (
139            SignatureScheme::RSA_PSS_SHA512,
140            &[webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY],
141        ),
142        (
143            SignatureScheme::RSA_PSS_SHA384,
144            &[webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY],
145        ),
146        (
147            SignatureScheme::RSA_PSS_SHA256,
148            &[webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY],
149        ),
150        (
151            SignatureScheme::RSA_PKCS1_SHA512,
152            &[webpki_algs::RSA_PKCS1_2048_8192_SHA512],
153        ),
154        (
155            SignatureScheme::RSA_PKCS1_SHA384,
156            &[webpki_algs::RSA_PKCS1_2048_8192_SHA384],
157        ),
158        (
159            SignatureScheme::RSA_PKCS1_SHA256,
160            &[webpki_algs::RSA_PKCS1_2048_8192_SHA256],
161        ),
162    ],
163};
164
165/// All defined key exchange groups supported by *ring* appear in this module.
166///
167/// [`ALL_KX_GROUPS`] is provided as an array of all of these values.
168/// [`DEFAULT_KX_GROUPS`] is provided as an array of this provider's defaults.
169pub mod kx_group {
170    pub use super::kx::{SECP256R1, SECP384R1, X25519};
171}
172
173/// A list of the default key exchange groups supported by this provider.
174pub static DEFAULT_KX_GROUPS: &[&dyn SupportedKxGroup] = ALL_KX_GROUPS;
175
176/// A list of all the key exchange groups supported by this provider.
177pub static ALL_KX_GROUPS: &[&dyn SupportedKxGroup] =
178    &[kx_group::X25519, kx_group::SECP256R1, kx_group::SECP384R1];
179
180#[cfg(any(feature = "std", feature = "hashbrown"))]
181pub use ticketer::Ticketer;
182
183/// Compatibility shims between ring 0.16.x and 0.17.x API
184mod ring_shim {
185    use super::ring_like;
186    use crate::crypto::SharedSecret;
187
188    pub(super) fn agree_ephemeral(
189        priv_key: ring_like::agreement::EphemeralPrivateKey,
190        peer_key: &ring_like::agreement::UnparsedPublicKey<&[u8]>,
191    ) -> Result<SharedSecret, ()> {
192        ring_like::agreement::agree_ephemeral(priv_key, peer_key, |secret| {
193            SharedSecret::from(secret)
194        })
195        .map_err(|_| ())
196    }
197}
198
199pub(super) fn fips() -> bool {
200    false
201}