rustls/crypto/aws_lc_rs/
mod.rs

1use crate::crypto::{CryptoProvider, KeyProvider, SecureRandom};
2use crate::enums::SignatureScheme;
3use crate::rand::GetRandomFailed;
4use crate::sign::SigningKey;
5use crate::suites::SupportedCipherSuite;
6use crate::webpki::WebPkiSupportedAlgorithms;
7use crate::Error;
8
9use pki_types::PrivateKeyDer;
10use webpki::aws_lc_rs as webpki_algs;
11
12use alloc::sync::Arc;
13
14// aws-lc-rs has a -- roughly -- ring-compatible API, so we just reuse all that
15// glue here.  The shared files should always use `super::ring_like` to access a
16// ring-compatible crate, and `super::ring_shim` to bridge the gaps where they are
17// small.
18pub(crate) use aws_lc_rs as ring_like;
19
20/// Using software keys for authentication.
21#[path = "../ring/sign.rs"]
22pub mod sign;
23
24#[path = "../ring/hash.rs"]
25pub(crate) mod hash;
26#[path = "../ring/kx.rs"]
27pub(crate) mod kx;
28#[path = "../ring/quic.rs"]
29pub(crate) mod quic;
30#[path = "../ring/ticketer.rs"]
31pub(crate) mod ticketer;
32#[cfg(feature = "tls12")]
33pub(crate) mod tls12;
34pub(crate) mod tls13;
35
36/// A `CryptoProvider` backed by aws-lc-rs.
37pub fn default_provider() -> CryptoProvider {
38    CryptoProvider {
39        cipher_suites: DEFAULT_CIPHER_SUITES.to_vec(),
40        kx_groups: ALL_KX_GROUPS.to_vec(),
41        signature_verification_algorithms: SUPPORTED_SIG_ALGS,
42        secure_random: &AwsLcRs,
43        key_provider: &AwsLcRs,
44    }
45}
46
47#[derive(Debug)]
48struct AwsLcRs;
49
50impl SecureRandom for AwsLcRs {
51    fn fill(&self, buf: &mut [u8]) -> Result<(), GetRandomFailed> {
52        use ring_like::rand::SecureRandom;
53
54        ring_like::rand::SystemRandom::new()
55            .fill(buf)
56            .map_err(|_| GetRandomFailed)
57    }
58}
59
60impl KeyProvider for AwsLcRs {
61    fn load_private_key(
62        &self,
63        key_der: PrivateKeyDer<'static>,
64    ) -> Result<Arc<dyn SigningKey>, Error> {
65        sign::any_supported_type(&key_der)
66    }
67}
68
69/// The cipher suite configuration that an application should use by default.
70///
71/// This will be [`ALL_CIPHER_SUITES`] sans any supported cipher suites that
72/// shouldn't be enabled by most applications.
73pub static DEFAULT_CIPHER_SUITES: &[SupportedCipherSuite] = ALL_CIPHER_SUITES;
74
75/// A list of all the cipher suites supported by the rustls *ring* provider.
76pub static ALL_CIPHER_SUITES: &[SupportedCipherSuite] = &[
77    // TLS1.3 suites
78    tls13::TLS13_AES_256_GCM_SHA384,
79    tls13::TLS13_AES_128_GCM_SHA256,
80    tls13::TLS13_CHACHA20_POLY1305_SHA256,
81    // TLS1.2 suites
82    #[cfg(feature = "tls12")]
83    tls12::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
84    #[cfg(feature = "tls12")]
85    tls12::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
86    #[cfg(feature = "tls12")]
87    tls12::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
88    #[cfg(feature = "tls12")]
89    tls12::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
90    #[cfg(feature = "tls12")]
91    tls12::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
92    #[cfg(feature = "tls12")]
93    tls12::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
94];
95
96/// All defined cipher suites supported by aws-lc-rs appear in this module.
97pub mod cipher_suite {
98    #[cfg(feature = "tls12")]
99    pub use super::tls12::{
100        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
101        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
102        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
103    };
104    pub use super::tls13::{
105        TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256,
106    };
107}
108
109/// A `WebPkiSupportedAlgorithms` value that reflects webpki's capabilities when
110/// compiled against *ring*.
111static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms {
112    all: &[
113        webpki_algs::ECDSA_P256_SHA256,
114        webpki_algs::ECDSA_P256_SHA384,
115        webpki_algs::ECDSA_P384_SHA256,
116        webpki_algs::ECDSA_P384_SHA384,
117        webpki_algs::ED25519,
118        webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
119        webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
120        webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
121        webpki_algs::RSA_PKCS1_2048_8192_SHA256,
122        webpki_algs::RSA_PKCS1_2048_8192_SHA384,
123        webpki_algs::RSA_PKCS1_2048_8192_SHA512,
124        webpki_algs::RSA_PKCS1_3072_8192_SHA384,
125    ],
126    mapping: &[
127        // Note: for TLS1.2 the curve is not fixed by SignatureScheme. For TLS1.3 it is.
128        (
129            SignatureScheme::ECDSA_NISTP384_SHA384,
130            &[
131                webpki_algs::ECDSA_P384_SHA384,
132                webpki_algs::ECDSA_P256_SHA384,
133            ],
134        ),
135        (
136            SignatureScheme::ECDSA_NISTP256_SHA256,
137            &[
138                webpki_algs::ECDSA_P256_SHA256,
139                webpki_algs::ECDSA_P384_SHA256,
140            ],
141        ),
142        (SignatureScheme::ED25519, &[webpki_algs::ED25519]),
143        (
144            SignatureScheme::RSA_PSS_SHA512,
145            &[webpki_algs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY],
146        ),
147        (
148            SignatureScheme::RSA_PSS_SHA384,
149            &[webpki_algs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY],
150        ),
151        (
152            SignatureScheme::RSA_PSS_SHA256,
153            &[webpki_algs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY],
154        ),
155        (
156            SignatureScheme::RSA_PKCS1_SHA512,
157            &[webpki_algs::RSA_PKCS1_2048_8192_SHA512],
158        ),
159        (
160            SignatureScheme::RSA_PKCS1_SHA384,
161            &[webpki_algs::RSA_PKCS1_2048_8192_SHA384],
162        ),
163        (
164            SignatureScheme::RSA_PKCS1_SHA256,
165            &[webpki_algs::RSA_PKCS1_2048_8192_SHA256],
166        ),
167    ],
168};
169
170/// All defined key exchange groups supported by aws-lc-rs appear in this module.
171///
172/// [`ALL_KX_GROUPS`] is provided as an array of all of these values.
173pub mod kx_group {
174    pub use super::kx::SECP256R1;
175    pub use super::kx::SECP384R1;
176    pub use super::kx::X25519;
177}
178
179pub use kx::ALL_KX_GROUPS;
180pub use ticketer::Ticketer;
181
182/// Compatibility shims between ring 0.16.x and 0.17.x API
183mod ring_shim {
184    use super::ring_like;
185    use crate::crypto::SharedSecret;
186
187    pub(super) fn agree_ephemeral(
188        priv_key: ring_like::agreement::EphemeralPrivateKey,
189        peer_key: &ring_like::agreement::UnparsedPublicKey<&[u8]>,
190    ) -> Result<SharedSecret, ()> {
191        ring_like::agreement::agree_ephemeral(priv_key, peer_key, (), |secret| {
192            Ok(SharedSecret::from(secret))
193        })
194    }
195
196    pub(super) fn rsa_key_pair_public_modulus_len(kp: &ring_like::signature::RsaKeyPair) -> usize {
197        kp.public_modulus_len()
198    }
199
200    pub(super) fn ecdsa_key_pair_from_pkcs8(
201        alg: &'static ring_like::signature::EcdsaSigningAlgorithm,
202        data: &[u8],
203        _rng: &dyn ring_like::rand::SecureRandom,
204    ) -> Result<ring_like::signature::EcdsaKeyPair, ()> {
205        ring_like::signature::EcdsaKeyPair::from_pkcs8(alg, data).map_err(|_| ())
206    }
207}
rustls/crypto/aws_lc_rs/mod.rs

rustls/crypto/aws_lc_rs/
mod.rs
