
Commit 1e530b7

author
Juliette Pretot
committed
Use the vendored version of ring
Requires updating our code to accommodate API changes, since the vendored version is newer
1 parent 717e9bc commit 1e530b7


4 files changed

+108
-54
lines changed


Cargo.lock

Lines changed: 31 additions & 13 deletions

oak_functions/loader/fuzz/Cargo.lock

Lines changed: 32 additions & 8 deletions

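--- a/remote_attestation/rust/Cargo.toml
+++ b/remote_attestation/rust/Cargo.toml
@@ -14,7 +14,7 @@ anyhow = { version = "*", default-features = false }
 bytes = { version = "*", default-features = false }
 log = "*"
 prost = { version = "*", default-features = false, features = ["prost-derive"] }
-ring = "*"
+ring = { path = "../../third_party/ring" }
 
 [build-dependencies]
 prost-build = "*"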
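Review bot: The new `ring = { path = "../../third_party/ring" }` entry records nothing about which upstream release or commit the vendored tree corresponds to, and a path dependency gets no registry checksum in the lockfile, so the provenance of the crypto library now rests entirely on the contents of `third_party/ring`. A comment above the line would make that auditable, for example `# Vendored copy of ring; upstream revision: <UPSTREAM_REVISION>`. Whether such a record already exists inside the vendored directory is not visible from this page.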

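--- a/remote_attestation/rust/src/crypto.rs
+++ b/remote_attestation/rust/src/crypto.rs
@@ -86,13 +86,15 @@ impl aead::NonceSequence for OneNonceSequence {
 }
 }
 
+type Key = [u8; KEY_AGREEMENT_ALGORITHM_KEY_LENGTH];
+
 /// Convenience struct for passing an encryption key as an argument.
 #[derive(PartialEq)]
-pub(crate) struct EncryptionKey(pub(crate) [u8; KEY_AGREEMENT_ALGORITHM_KEY_LENGTH]);
+pub(crate) struct EncryptionKey(pub(crate) Key);
 
 /// Convenience struct for passing a decryption key as an argument.
 #[derive(PartialEq)]
-pub(crate) struct DecryptionKey(pub(crate) [u8; KEY_AGREEMENT_ALGORITHM_KEY_LENGTH]);
+pub(crate) struct DecryptionKey(pub(crate) Key);
 
 /// Implementation of Authenticated Encryption with Associated Data (AEAD).
 ///
@@ -234,11 +236,10 @@ impl KeyNegotiator {
 ) -> anyhow::Result<(EncryptionKey, DecryptionKey)> {
 let type_ = self.type_.clone();
 let self_public_key = self.public_key().context("Couldn't get self public key")?;
-let (encryption_key, decryption_key) = agreement::agree_ephemeral(
+agreement::agree_ephemeral(
 self.private_key,
 &agreement::UnparsedPublicKey::new(KEY_AGREEMENT_ALGORITHM, peer_public_key),
-anyhow!("Couldn't derive session keys"),
-|key_material| {
+|key_material| -> anyhow::Result<(EncryptionKey, DecryptionKey)> {
 let key_material = key_material
 .try_into()
 .map_err(anyhow::Error::msg)
@@ -251,44 +252,54 @@ impl KeyNegotiator {
 match type_ {
 // On the server side `self_public_key` is the server key.
 KeyNegotiatorType::Server => {
-let encryption_key = Self::key_derivation_function(
-key_material,
-SERVER_KEY_PURPOSE,
-&self_public_key,
-&peer_public_key,
+let encryption_key = EncryptionKey(
+Self::key_derivation_function(
+key_material,
+SERVER_KEY_PURPOSE,
+&self_public_key,
+&peer_public_key,
+)
+.context("Couldn't derive decryption key")?,
 );
-let decryption_key = Self::key_derivation_function(
-key_material,
-CLIENT_KEY_PURPOSE,
-&self_public_key,
-&peer_public_key,
+let decryption_key = DecryptionKey(
+Self::key_derivation_function(
+key_material,
+CLIENT_KEY_PURPOSE,
+&self_public_key,
+&peer_public_key,
+)
+.context("Couldn't derive encryption key")?,
 );
 Ok((encryption_key, decryption_key))
 }
 // On the client side `peer_public_key` is the server key.
 KeyNegotiatorType::Client => {
-let encryption_key = Self::key_derivation_function(
-key_material,
-CLIENT_KEY_PURPOSE,
-&peer_public_key,
-&self_public_key,
+let encryption_key = EncryptionKey(
+Self::key_derivation_function(
+key_material,
+CLIENT_KEY_PURPOSE,
+&peer_public_key,
+&self_public_key,
+)
+.context("Couldn't derive decryption key")?,
 );
-let decryption_key = Self::key_derivation_function(
-key_material,
-SERVER_KEY_PURPOSE,
-&peer_public_key,
-&self_public_key,
+let decryption_key = DecryptionKey(
+Self::key_derivation_function(
+key_material,
+SERVER_KEY_PURPOSE,
+&peer_public_key,
+&self_public_key,
+)
+.context("Couldn't derive encryption key")?,
 );
 Ok((encryption_key, decryption_key))
 }
 }
 },
 )
-.context("Couldn't agree on session keys")?;
-Ok((
-EncryptionKey(encryption_key.context("Couldn't derive encryption key")?),
-DecryptionKey(decryption_key.context("Couldn't derive decryption key")?),
-))
+.map_err(anyhow::Error::msg)
+.context("Couldn't derive session keys")?
+.context("Couldn't agree on session keys")
 }
 
 /// Derives a session key from `key_material` using HKDF.
@@ -351,8 +362,9 @@ impl Signer {
 let rng = ring::rand::SystemRandom::new();
 let key_pair_pkcs8 = EcdsaKeyPair::generate_pkcs8(SIGNING_ALGORITHM, &rng)
 .map_err(|error| anyhow!("Couldn't generate PKCS#8 key pair: {:?}", error))?;
-let key_pair = EcdsaKeyPair::from_pkcs8(SIGNING_ALGORITHM, key_pair_pkcs8.as_ref())
-.map_err(|error| anyhow!("Couldn't parse generated key pair: {:?}", error))?;
+let key_pair =
+EcdsaKeyPair::from_pkcs8(SIGNING_ALGORITHM, key_pair_pkcs8.as_ref(), &rng)
+.map_err(|error| anyhow!("Couldn't parse generated key pair: {:?}", error))?;
 
 Ok(Self { key_pair })
 }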
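Review bot: The `.context(...)` labels in the rewritten closure are crossed: in both the `Server` and `Client` arms the value wrapped in `EncryptionKey(...)` carries `.context("Couldn't derive decryption key")?` and the one wrapped in `DecryptionKey(...)` carries `.context("Couldn't derive encryption key")?`, whereas the removed code paired each label with its own key. Swapping the two strings in each arm restores that pairing, so a failed handshake reports the key that actually could not be derived. The tail of the function looks crossed in the same way: the outer result of `agreement::agree_ephemeral` (presumably the agreement step itself) gets `"Couldn't derive session keys"` while the closure's inner result gets `"Couldn't agree on session keys"`; if that reading of the vendored API is right, the two messages should trade places. The enclosing function starts above the second hunk, so its signature and the rest of the closure are not visible here.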
