rustls_rustcrypto/
lib.rs

1#![no_std]
2#![cfg_attr(docsrs, feature(doc_auto_cfg))]
3#![doc = include_str!("../README.md")]
4#![doc(
5    html_logo_url = "https://raw.githubusercontent.com/RustCrypto/meta/master/logo.svg",
6    html_favicon_url = "https://raw.githubusercontent.com/RustCrypto/meta/master/logo.svg"
7)]
8#![warn(
9    clippy::alloc_instead_of_core,
10    clippy::cast_lossless,
11    clippy::cast_possible_truncation,
12    clippy::cast_possible_wrap,
13    clippy::cast_precision_loss,
14    clippy::cast_sign_loss,
15    clippy::checked_conversions,
16    clippy::from_iter_instead_of_collect,
17    clippy::missing_errors_doc,
18    clippy::mod_module_files,
19    clippy::implicit_saturating_sub,
20    clippy::panic,
21    clippy::panic_in_result_fn,
22    clippy::std_instead_of_alloc,
23    clippy::std_instead_of_core,
24    clippy::unwrap_used,
25    rust_2018_idioms,
26    trivial_numeric_casts,
27    unused_lifetimes
28)]
29
30//! # Usage
31//!
32//! See [`examples-xsmall`](https://github.com/RustCrypto/rustls-rustcrypto/tree/master/examples-xsmall)
33//! for a usage example.
34
35#[cfg(not(feature = "alloc"))]
36compile_error!("Rustls currently does not support alloc-less environments");
37
38#[cfg(feature = "alloc")]
39extern crate alloc;
40
41#[cfg(feature = "alloc")]
42use alloc::sync::Arc;
43
44use rustls::crypto::{
45    CipherSuiteCommon, CryptoProvider, GetRandomFailed, KeyProvider, SecureRandom,
46};
47use rustls::{CipherSuite, SupportedCipherSuite, Tls13CipherSuite};
48
49#[cfg(feature = "tls12")]
50use rustls::SignatureScheme;
51
52#[derive(Debug)]
53pub struct Provider;
54
55pub fn provider() -> CryptoProvider {
56    CryptoProvider {
57        cipher_suites: ALL_CIPHER_SUITES.to_vec(),
58        kx_groups: kx::ALL_KX_GROUPS.to_vec(),
59        signature_verification_algorithms: verify::ALGORITHMS,
60        secure_random: &Provider,
61        key_provider: &Provider,
62    }
63}
64
65impl SecureRandom for Provider {
66    fn fill(&self, bytes: &mut [u8]) -> Result<(), GetRandomFailed> {
67        use rand_core::RngCore;
68        rand_core::OsRng
69            .try_fill_bytes(bytes)
70            .map_err(|_| GetRandomFailed)
71    }
72}
73
74impl KeyProvider for Provider {
75    fn load_private_key(
76        &self,
77        key_der: pki_types::PrivateKeyDer<'static>,
78    ) -> Result<Arc<dyn rustls::sign::SigningKey>, rustls::Error> {
79        sign::any_supported_type(&key_der)
80    }
81}
82
83#[cfg(feature = "tls12")]
84const TLS12_ECDSA_SCHEMES: [SignatureScheme; 4] = [
85    SignatureScheme::ECDSA_NISTP256_SHA256,
86    SignatureScheme::ECDSA_NISTP384_SHA384,
87    SignatureScheme::ECDSA_NISTP521_SHA512,
88    SignatureScheme::ED25519,
89];
90
91#[cfg(feature = "tls12")]
92const TLS12_RSA_SCHEMES: [SignatureScheme; 6] = [
93    SignatureScheme::RSA_PKCS1_SHA256,
94    SignatureScheme::RSA_PKCS1_SHA384,
95    SignatureScheme::RSA_PKCS1_SHA512,
96    SignatureScheme::RSA_PSS_SHA256,
97    SignatureScheme::RSA_PSS_SHA384,
98    SignatureScheme::RSA_PSS_SHA512,
99];
100
101#[cfg(feature = "tls12")]
102pub const TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: SupportedCipherSuite =
103    SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
104        common: CipherSuiteCommon {
105            suite: CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
106            hash_provider: hash::SHA256,
107            confidentiality_limit: u64::MAX,
108        },
109        kx: rustls::crypto::KeyExchangeAlgorithm::ECDHE,
110        sign: &TLS12_ECDSA_SCHEMES,
111        aead_alg: &aead::gcm::Tls12Aes128Gcm,
112        prf_provider: &rustls::crypto::tls12::PrfUsingHmac(hmac::SHA256),
113    });
114
115#[cfg(feature = "tls12")]
116pub const TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: SupportedCipherSuite =
117    SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
118        common: CipherSuiteCommon {
119            suite: CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
120            hash_provider: hash::SHA384,
121            confidentiality_limit: u64::MAX,
122        },
123        kx: rustls::crypto::KeyExchangeAlgorithm::ECDHE,
124        sign: &TLS12_ECDSA_SCHEMES,
125        prf_provider: &rustls::crypto::tls12::PrfUsingHmac(hmac::SHA384),
126        aead_alg: &aead::gcm::Tls12Aes256Gcm,
127    });
128
129#[cfg(feature = "tls12")]
130pub const TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
131    SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
132        common: CipherSuiteCommon {
133            suite: CipherSuite::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
134            hash_provider: hash::SHA256,
135            confidentiality_limit: u64::MAX,
136        },
137        prf_provider: &rustls::crypto::tls12::PrfUsingHmac(hmac::SHA256),
138        kx: rustls::crypto::KeyExchangeAlgorithm::ECDHE,
139        sign: &TLS12_ECDSA_SCHEMES,
140        aead_alg: &aead::chacha20::Chacha20Poly1305,
141    });
142
143#[cfg(feature = "tls12")]
144const TLS_ECDHE_ECDSA_SUITES: &[SupportedCipherSuite] = &[
145    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
146    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
147    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
148];
149
150#[cfg(feature = "tls12")]
151pub const TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: SupportedCipherSuite =
152    SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
153        common: CipherSuiteCommon {
154            suite: CipherSuite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
155            hash_provider: hash::SHA256,
156            confidentiality_limit: u64::MAX,
157        },
158        kx: rustls::crypto::KeyExchangeAlgorithm::ECDHE,
159        sign: &TLS12_RSA_SCHEMES,
160        aead_alg: &aead::gcm::Tls12Aes128Gcm,
161        prf_provider: &rustls::crypto::tls12::PrfUsingHmac(hmac::SHA256),
162    });
163
164#[cfg(feature = "tls12")]
165pub const TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: SupportedCipherSuite =
166    SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
167        common: CipherSuiteCommon {
168            suite: CipherSuite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
169            hash_provider: hash::SHA384,
170            confidentiality_limit: u64::MAX,
171        },
172        kx: rustls::crypto::KeyExchangeAlgorithm::ECDHE,
173        sign: &TLS12_RSA_SCHEMES,
174        prf_provider: &rustls::crypto::tls12::PrfUsingHmac(hmac::SHA384),
175        aead_alg: &aead::gcm::Tls12Aes256Gcm,
176    });
177
178#[cfg(feature = "tls12")]
179pub const TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
180    SupportedCipherSuite::Tls12(&rustls::Tls12CipherSuite {
181        common: CipherSuiteCommon {
182            suite: CipherSuite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
183            hash_provider: hash::SHA256,
184            confidentiality_limit: u64::MAX,
185        },
186        kx: rustls::crypto::KeyExchangeAlgorithm::ECDHE,
187        sign: &TLS12_RSA_SCHEMES,
188        prf_provider: &rustls::crypto::tls12::PrfUsingHmac(hmac::SHA256),
189        aead_alg: &aead::chacha20::Chacha20Poly1305,
190    });
191
192#[cfg(feature = "tls12")]
193const TLS_ECDHE_RSA_SUITES: &[SupportedCipherSuite] = &[
194    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
195    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
196    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
197];
198
199#[cfg(feature = "tls12")]
200const TLS12_SUITES: &[SupportedCipherSuite] = misc::const_concat_slices!(
201    SupportedCipherSuite,
202    TLS_ECDHE_ECDSA_SUITES,
203    TLS_ECDHE_RSA_SUITES
204);
205
206#[cfg(not(feature = "tls12"))]
207const TLS12_SUITES: &[SupportedCipherSuite] = &[];
208
209pub const TLS13_AES_128_GCM_SHA256: SupportedCipherSuite =
210    SupportedCipherSuite::Tls13(&Tls13CipherSuite {
211        common: CipherSuiteCommon {
212            suite: CipherSuite::TLS13_AES_128_GCM_SHA256,
213            hash_provider: hash::SHA256,
214            confidentiality_limit: u64::MAX,
215        },
216        hkdf_provider: &rustls::crypto::tls13::HkdfUsingHmac(hmac::SHA256),
217        aead_alg: &aead::gcm::Tls13Aes128Gcm,
218        quic: None,
219    });
220
221pub const TLS13_AES_256_GCM_SHA384: SupportedCipherSuite =
222    SupportedCipherSuite::Tls13(&Tls13CipherSuite {
223        common: CipherSuiteCommon {
224            suite: CipherSuite::TLS13_AES_256_GCM_SHA384,
225            hash_provider: hash::SHA384,
226            confidentiality_limit: u64::MAX,
227        },
228        hkdf_provider: &rustls::crypto::tls13::HkdfUsingHmac(hmac::SHA384),
229        aead_alg: &aead::gcm::Tls13Aes256Gcm,
230        quic: None,
231    });
232
233const TLS13_AES_SUITES: &[SupportedCipherSuite] =
234    &[TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384];
235
236pub const TLS13_CHACHA20_POLY1305_SHA256: SupportedCipherSuite =
237    SupportedCipherSuite::Tls13(&Tls13CipherSuite {
238        common: CipherSuiteCommon {
239            suite: CipherSuite::TLS13_CHACHA20_POLY1305_SHA256,
240            hash_provider: hash::SHA256,
241            confidentiality_limit: u64::MAX,
242        },
243        hkdf_provider: &rustls::crypto::tls13::HkdfUsingHmac(hmac::SHA256),
244        aead_alg: &aead::chacha20::Chacha20Poly1305,
245        quic: None,
246    });
247
248const TLS13_SUITES: &[SupportedCipherSuite] = misc::const_concat_slices!(
249    SupportedCipherSuite,
250    TLS13_AES_SUITES,
251    &[TLS13_CHACHA20_POLY1305_SHA256]
252);
253
254static ALL_CIPHER_SUITES: &[SupportedCipherSuite] = misc::const_concat_slices!(
255    SupportedCipherSuite,
256    if cfg!(feature = "tls12") {
257        TLS12_SUITES
258    } else {
259        &[]
260    },
261    TLS13_SUITES,
262);
263
264mod aead;
265mod hash;
266mod hmac;
267mod kx;
268mod misc;
269pub mod quic;
270pub mod sign;
271mod verify;