use alloc::vec::Vec;
pub(crate) use aws_lc_rs as ring_like;
use pki_types::PrivateKeyDer;
use webpki::aws_lc_rs as webpki_algs;
use crate::crypto::{CryptoProvider, KeyProvider, SecureRandom, SupportedKxGroup};
use crate::enums::SignatureScheme;
use crate::rand::GetRandomFailed;
use crate::sign::SigningKey;
use crate::suites::SupportedCipherSuite;
use crate::sync::Arc;
use crate::webpki::WebPkiSupportedAlgorithms;
use crate::{Error, OtherError};
pub mod hpke;
pub(crate) mod pq;
pub mod sign;
#[path = "../ring/hash.rs"]
pub(crate) mod hash;
#[path = "../ring/hmac.rs"]
pub(crate) mod hmac;
#[path = "../ring/kx.rs"]
pub(crate) mod kx;
#[path = "../ring/quic.rs"]
pub(crate) mod quic;
#[cfg(any(feature = "std", feature = "hashbrown"))]
pub(crate) mod ticketer;
#[cfg(feature = "tls12")]
pub(crate) mod tls12;
pub(crate) mod tls13;
pub fn default_provider() -> CryptoProvider {
CryptoProvider {
cipher_suites: DEFAULT_CIPHER_SUITES.to_vec(),
kx_groups: default_kx_groups(),
signature_verification_algorithms: SUPPORTED_SIG_ALGS,
secure_random: &AwsLcRs,
key_provider: &AwsLcRs,
}
}
fn default_kx_groups() -> Vec<&'static dyn SupportedKxGroup> {
#[cfg(feature = "fips")]
{
DEFAULT_KX_GROUPS
.iter()
.filter(|cs| cs.fips())
.copied()
.collect()
}
#[cfg(not(feature = "fips"))]
{
DEFAULT_KX_GROUPS.to_vec()
}
}
#[derive(Debug)]
struct AwsLcRs;
impl SecureRandom for AwsLcRs {
fn fill(&self, buf: &mut [u8]) -> Result<(), GetRandomFailed> {
use ring_like::rand::SecureRandom;
ring_like::rand::SystemRandom::new()
.fill(buf)
.map_err(|_| GetRandomFailed)
}
fn fips(&self) -> bool {
fips()
}
}
impl KeyProvider for AwsLcRs {
fn load_private_key(
&self,
key_der: PrivateKeyDer<'static>,
) -> Result<Arc<dyn SigningKey>, Error> {
sign::any_supported_type(&key_der)
}
fn fips(&self) -> bool {
fips()
}
}
pub static DEFAULT_CIPHER_SUITES: &[SupportedCipherSuite] = &[
tls13::TLS13_AES_256_GCM_SHA384,
tls13::TLS13_AES_128_GCM_SHA256,
#[cfg(not(feature = "fips"))]
tls13::TLS13_CHACHA20_POLY1305_SHA256,
#[cfg(feature = "tls12")]
tls12::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
#[cfg(feature = "tls12")]
tls12::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
#[cfg(all(feature = "tls12", not(feature = "fips")))]
tls12::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
#[cfg(feature = "tls12")]
tls12::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
#[cfg(feature = "tls12")]
tls12::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
#[cfg(all(feature = "tls12", not(feature = "fips")))]
tls12::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
];
pub static ALL_CIPHER_SUITES: &[SupportedCipherSuite] = &[
tls13::TLS13_AES_256_GCM_SHA384,
tls13::TLS13_AES_128_GCM_SHA256,
tls13::TLS13_CHACHA20_POLY1305_SHA256,
#[cfg(feature = "tls12")]
tls12::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
#[cfg(feature = "tls12")]
tls12::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
#[cfg(feature = "tls12")]
tls12::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
#[cfg(feature = "tls12")]
tls12::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
#[cfg(feature = "tls12")]
tls12::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
#[cfg(feature = "tls12")]
tls12::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
];
pub mod cipher_suite {
#[cfg(feature = "tls12")]
pub use super::tls12::{
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
};
pub use super::tls13::{
TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256,
};
}
static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms {
all: &[
webpki_algs::ECDSA_P256_SHA256,
webpki_algs::ECDSA_P256_SHA384,
webpki_algs::ECDSA_P384_SHA256,
webpki_algs::ECDSA_P384_SHA384,
webpki_algs::ECDSA_P521_SHA256,
webpki_algs::ECDSA_P521_SHA384,
webpki_algs::ECDSA_P521_SHA512,
webpki_algs::ED25519,
webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
webpki_algs::RSA_PKCS1_2048_8192_SHA256,
webpki_algs::RSA_PKCS1_2048_8192_SHA384,
webpki_algs::RSA_PKCS1_2048_8192_SHA512,
webpki_algs::RSA_PKCS1_3072_8192_SHA384,
],
mapping: &[
(
SignatureScheme::ECDSA_NISTP384_SHA384,
&[
webpki_algs::ECDSA_P384_SHA384,
webpki_algs::ECDSA_P256_SHA384,
webpki_algs::ECDSA_P521_SHA384,
],
),
(
SignatureScheme::ECDSA_NISTP256_SHA256,
&[
webpki_algs::ECDSA_P256_SHA256,
webpki_algs::ECDSA_P384_SHA256,
webpki_algs::ECDSA_P521_SHA256,
],
),
(
SignatureScheme::ECDSA_NISTP521_SHA512,
&[webpki_algs::ECDSA_P521_SHA512],
),
(SignatureScheme::ED25519, &[webpki_algs::ED25519]),
(
SignatureScheme::RSA_PSS_SHA512,
&[webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY],
),
(
SignatureScheme::RSA_PSS_SHA384,
&[webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY],
),
(
SignatureScheme::RSA_PSS_SHA256,
&[webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY],
),
(
SignatureScheme::RSA_PKCS1_SHA512,
&[webpki_algs::RSA_PKCS1_2048_8192_SHA512],
),
(
SignatureScheme::RSA_PKCS1_SHA384,
&[webpki_algs::RSA_PKCS1_2048_8192_SHA384],
),
(
SignatureScheme::RSA_PKCS1_SHA256,
&[webpki_algs::RSA_PKCS1_2048_8192_SHA256],
),
],
};
pub mod kx_group {
pub use super::kx::{SECP256R1, SECP384R1, X25519};
pub use super::pq::{MLKEM768, X25519MLKEM768};
}
pub static DEFAULT_KX_GROUPS: &[&dyn SupportedKxGroup] = &[
#[cfg(feature = "prefer-post-quantum")]
kx_group::X25519MLKEM768,
kx_group::X25519,
kx_group::SECP256R1,
kx_group::SECP384R1,
#[cfg(not(feature = "prefer-post-quantum"))]
kx_group::X25519MLKEM768,
];
pub static ALL_KX_GROUPS: &[&dyn SupportedKxGroup] = &[
#[cfg(feature = "prefer-post-quantum")]
kx_group::X25519MLKEM768,
kx_group::X25519,
kx_group::SECP256R1,
kx_group::SECP384R1,
#[cfg(not(feature = "prefer-post-quantum"))]
kx_group::X25519MLKEM768,
kx_group::MLKEM768,
];
#[cfg(any(feature = "std", feature = "hashbrown"))]
pub use ticketer::Ticketer;
mod ring_shim {
use super::ring_like;
use crate::crypto::SharedSecret;
pub(super) fn agree_ephemeral(
priv_key: ring_like::agreement::EphemeralPrivateKey,
peer_key: &ring_like::agreement::UnparsedPublicKey<&[u8]>,
) -> Result<SharedSecret, ()> {
ring_like::agreement::agree_ephemeral(priv_key, peer_key, (), |secret| {
Ok(SharedSecret::from(secret))
})
}
}
pub(super) fn fips() -> bool {
aws_lc_rs::try_fips_mode().is_ok()
}
pub(super) fn unspecified_err(_e: aws_lc_rs::error::Unspecified) -> Error {
#[cfg(feature = "std")]
{
Error::Other(OtherError(Arc::new(_e)))
}
#[cfg(not(feature = "std"))]
{
Error::Other(OtherError())
}
}
#[cfg(test)]
mod tests {
#[cfg(feature = "fips")]
#[test]
fn default_suites_are_fips() {
assert!(super::DEFAULT_CIPHER_SUITES
.iter()
.all(|scs| scs.fips()));
}
#[cfg(not(feature = "fips"))]
#[test]
fn default_suites() {
assert_eq!(super::DEFAULT_CIPHER_SUITES, super::ALL_CIPHER_SUITES);
}
}