use pki_types::PrivateKeyDer; pub(crate) use ring as ring_like; use webpki::ring as webpki_algs; use crate::Error; use crate::crypto::{CryptoProvider, KeyProvider, SecureRandom, SupportedKxGroup}; use crate::enums::SignatureScheme; use crate::rand::GetRandomFailed; use crate::sign::SigningKey; use crate::suites::SupportedCipherSuite; use crate::sync::Arc; use crate::webpki::WebPkiSupportedAlgorithms; /// Using software keys for authentication. pub mod sign; pub(crate) mod hash; #[cfg(any(test, feature = "tls12"))] pub(crate) mod hmac; pub(crate) mod kx; pub(crate) mod quic; #[cfg(feature = "std")] pub(crate) mod ticketer; #[cfg(feature = "tls12")] pub(crate) mod tls12; pub(crate) mod tls13; /// A `CryptoProvider` backed by the [*ring*] crate. /// /// [*ring*]: https://github.com/briansmith/ring pub fn default_provider() -> CryptoProvider { CryptoProvider { cipher_suites: DEFAULT_CIPHER_SUITES.to_vec(), kx_groups: DEFAULT_KX_GROUPS.to_vec(), signature_verification_algorithms: SUPPORTED_SIG_ALGS, secure_random: &Ring, key_provider: &Ring, } } /// Default crypto provider. #[derive(Debug)] struct Ring; impl SecureRandom for Ring { fn fill(&self, buf: &mut [u8]) -> Result<(), GetRandomFailed> { use ring_like::rand::SecureRandom; ring_like::rand::SystemRandom::new() .fill(buf) .map_err(|_| GetRandomFailed) } } impl KeyProvider for Ring { fn load_private_key( &self, key_der: PrivateKeyDer<'static>, ) -> Result, Error> { sign::any_supported_type(&key_der) } } /// The cipher suite configuration that an application should use by default. /// /// This will be [`ALL_CIPHER_SUITES`] sans any supported cipher suites that /// shouldn't be enabled by most applications. pub static DEFAULT_CIPHER_SUITES: &[SupportedCipherSuite] = ALL_CIPHER_SUITES; /// A list of all the cipher suites supported by the rustls *ring* provider. pub static ALL_CIPHER_SUITES: &[SupportedCipherSuite] = &[ // TLS1.3 suites tls13::TLS13_AES_256_GCM_SHA384, tls13::TLS13_AES_128_GCM_SHA256, tls13::TLS13_CHACHA20_POLY1305_SHA256, // TLS1.2 suites #[cfg(feature = "tls12")] tls12::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, #[cfg(feature = "tls12")] tls12::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, #[cfg(feature = "tls12")] tls12::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, #[cfg(feature = "tls12")] tls12::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, #[cfg(feature = "tls12")] tls12::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, #[cfg(feature = "tls12")] tls12::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, ]; /// All defined cipher suites supported by *ring* appear in this module. pub mod cipher_suite { #[cfg(feature = "tls12")] pub use super::tls12::{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, }; pub use super::tls13::{ TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256, }; } /// A `WebPkiSupportedAlgorithms` value that reflects webpki's capabilities when /// compiled against *ring*. static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms { all: &[ webpki_algs::ECDSA_P256_SHA256, webpki_algs::ECDSA_P256_SHA384, webpki_algs::ECDSA_P384_SHA256, webpki_algs::ECDSA_P384_SHA384, webpki_algs::ED25519, webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, webpki_algs::RSA_PKCS1_2048_8192_SHA256, webpki_algs::RSA_PKCS1_2048_8192_SHA384, webpki_algs::RSA_PKCS1_2048_8192_SHA512, webpki_algs::RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS, webpki_algs::RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS, webpki_algs::RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS, ], mapping: &[ // Note: for TLS1.2 the curve is not fixed by SignatureScheme. For TLS1.3 it is. ( SignatureScheme::ECDSA_NISTP384_SHA384, &[ webpki_algs::ECDSA_P384_SHA384, webpki_algs::ECDSA_P256_SHA384, ], ), ( SignatureScheme::ECDSA_NISTP256_SHA256, &[ webpki_algs::ECDSA_P256_SHA256, webpki_algs::ECDSA_P384_SHA256, ], ), (SignatureScheme::ED25519, &[webpki_algs::ED25519]), ( SignatureScheme::RSA_PSS_SHA512, &[webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY], ), ( SignatureScheme::RSA_PSS_SHA384, &[webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY], ), ( SignatureScheme::RSA_PSS_SHA256, &[webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY], ), ( SignatureScheme::RSA_PKCS1_SHA512, &[webpki_algs::RSA_PKCS1_2048_8192_SHA512], ), ( SignatureScheme::RSA_PKCS1_SHA384, &[webpki_algs::RSA_PKCS1_2048_8192_SHA384], ), ( SignatureScheme::RSA_PKCS1_SHA256, &[webpki_algs::RSA_PKCS1_2048_8192_SHA256], ), ], }; /// All defined key exchange groups supported by *ring* appear in this module. /// /// [`ALL_KX_GROUPS`] is provided as an array of all of these values. /// [`DEFAULT_KX_GROUPS`] is provided as an array of this provider's defaults. pub mod kx_group { pub use super::kx::{SECP256R1, SECP384R1, X25519}; } /// A list of the default key exchange groups supported by this provider. pub static DEFAULT_KX_GROUPS: &[&dyn SupportedKxGroup] = ALL_KX_GROUPS; /// A list of all the key exchange groups supported by this provider. pub static ALL_KX_GROUPS: &[&dyn SupportedKxGroup] = &[kx_group::X25519, kx_group::SECP256R1, kx_group::SECP384R1]; #[cfg(feature = "std")] pub use ticketer::Ticketer; /// Compatibility shims between ring 0.16.x and 0.17.x API mod ring_shim { use super::ring_like; use crate::crypto::SharedSecret; pub(super) fn agree_ephemeral( priv_key: ring_like::agreement::EphemeralPrivateKey, peer_key: &ring_like::agreement::UnparsedPublicKey<&[u8]>, ) -> Result { ring_like::agreement::agree_ephemeral(priv_key, peer_key, |secret| { SharedSecret::from(secret) }) .map_err(|_| ()) } } pub(super) fn fips() -> bool { false }