Skip to content

Commit 76f1313

Browse files
author
jul-sh
authored
Use vendored version of ring in remote attestation (#2661)
* Clarify cargo license for all ring versions * Patch the ring build script to enable builds from source code Turns out that ring includes pre-generated objects in cargo releases. It uses logic in its build scripts to determine whether the build is from a version published on cargo, or from source code. This logic is somewhat naively implemented by checking for the absence of a `.git` directory. This check falesly leads ring to believe it is building from a version published on crates.io, and fails when it tries to include the pregenerated files not present in the source code. To build from source code we must patch this flag. * Use the vendored version of ring Requires updating our code to accomodate API changes since the vendored version is newer * bust CI cache * Allow deprecated code inside of vendored ring. It includes code that is, and our CI fails on warnings
1 parent 13bfdca commit 76f1313

File tree

8 files changed

+117
-53
lines changed

8 files changed

+117
-53
lines changed

.github/workflows/ci.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -64,7 +64,7 @@ jobs:
6464
uses: actions/cache@v2
6565
env:
6666
# Increment this value to invalidate previous cache entries.
67-
CACHE_VERSION: 2
67+
CACHE_VERSION: 3
6868
with:
6969
path: |
7070
./cargo-cache/bin

Cargo.lock

Lines changed: 28 additions & 10 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

deny.toml

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,6 @@ copyleft = "deny"
4343

4444
[[licenses.clarify]]
4545
name = "ring"
46-
version = "*"
4746
expression = "MIT AND ISC AND OpenSSL"
4847
license-files = [{ path = "LICENSE", hash = 3171872035 }]
4948

oak_functions/loader/fuzz/Cargo.lock

Lines changed: 32 additions & 8 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

remote_attestation/rust/Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ anyhow = { version = "*", default-features = false }
1414
bytes = { version = "*", default-features = false }
1515
log = "*"
1616
prost = { version = "*", default-features = false, features = ["prost-derive"] }
17-
ring = "*"
17+
ring = { path = "../../third_party/ring" }
1818

1919
[build-dependencies]
2020
prost-build = "*"

remote_attestation/rust/src/crypto.rs

Lines changed: 40 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -234,11 +234,10 @@ impl KeyNegotiator {
234234
) -> anyhow::Result<(EncryptionKey, DecryptionKey)> {
235235
let type_ = self.type_.clone();
236236
let self_public_key = self.public_key().context("Couldn't get self public key")?;
237-
let (encryption_key, decryption_key) = agreement::agree_ephemeral(
237+
agreement::agree_ephemeral(
238238
self.private_key,
239239
&agreement::UnparsedPublicKey::new(KEY_AGREEMENT_ALGORITHM, peer_public_key),
240-
anyhow!("Couldn't derive session keys"),
241-
|key_material| {
240+
|key_material| -> anyhow::Result<(EncryptionKey, DecryptionKey)> {
242241
let key_material = key_material
243242
.try_into()
244243
.map_err(anyhow::Error::msg)
@@ -251,44 +250,54 @@ impl KeyNegotiator {
251250
match type_ {
252251
// On the server side `self_public_key` is the server key.
253252
KeyNegotiatorType::Server => {
254-
let encryption_key = Self::key_derivation_function(
255-
key_material,
256-
SERVER_KEY_PURPOSE,
257-
&self_public_key,
258-
&peer_public_key,
253+
let encryption_key = EncryptionKey(
254+
Self::key_derivation_function(
255+
key_material,
256+
SERVER_KEY_PURPOSE,
257+
&self_public_key,
258+
&peer_public_key,
259+
)
260+
.context("Couldn't derive decryption key")?,
259261
);
260-
let decryption_key = Self::key_derivation_function(
261-
key_material,
262-
CLIENT_KEY_PURPOSE,
263-
&self_public_key,
264-
&peer_public_key,
262+
let decryption_key = DecryptionKey(
263+
Self::key_derivation_function(
264+
key_material,
265+
CLIENT_KEY_PURPOSE,
266+
&self_public_key,
267+
&peer_public_key,
268+
)
269+
.context("Couldn't derive encryption key")?,
265270
);
266271
Ok((encryption_key, decryption_key))
267272
}
268273
// On the client side `peer_public_key` is the server key.
269274
KeyNegotiatorType::Client => {
270-
let encryption_key = Self::key_derivation_function(
271-
key_material,
272-
CLIENT_KEY_PURPOSE,
273-
&peer_public_key,
274-
&self_public_key,
275+
let encryption_key = EncryptionKey(
276+
Self::key_derivation_function(
277+
key_material,
278+
CLIENT_KEY_PURPOSE,
279+
&peer_public_key,
280+
&self_public_key,
281+
)
282+
.context("Couldn't derive decryption key")?,
275283
);
276-
let decryption_key = Self::key_derivation_function(
277-
key_material,
278-
SERVER_KEY_PURPOSE,
279-
&peer_public_key,
280-
&self_public_key,
284+
let decryption_key = DecryptionKey(
285+
Self::key_derivation_function(
286+
key_material,
287+
SERVER_KEY_PURPOSE,
288+
&peer_public_key,
289+
&self_public_key,
290+
)
291+
.context("Couldn't derive encryption key")?,
281292
);
282293
Ok((encryption_key, decryption_key))
283294
}
284295
}
285296
},
286297
)
287-
.context("Couldn't agree on session keys")?;
288-
Ok((
289-
EncryptionKey(encryption_key.context("Couldn't derive encryption key")?),
290-
DecryptionKey(decryption_key.context("Couldn't derive decryption key")?),
291-
))
298+
.map_err(anyhow::Error::msg)
299+
.context("Couldn't derive session keys")?
300+
.context("Couldn't agree on session keys")
292301
}
293302

294303
/// Derives a session key from `key_material` using HKDF.
@@ -351,8 +360,9 @@ impl Signer {
351360
let rng = ring::rand::SystemRandom::new();
352361
let key_pair_pkcs8 = EcdsaKeyPair::generate_pkcs8(SIGNING_ALGORITHM, &rng)
353362
.map_err(|error| anyhow!("Couldn't generate PKCS#8 key pair: {:?}", error))?;
354-
let key_pair = EcdsaKeyPair::from_pkcs8(SIGNING_ALGORITHM, key_pair_pkcs8.as_ref())
355-
.map_err(|error| anyhow!("Couldn't parse generated key pair: {:?}", error))?;
363+
let key_pair =
364+
EcdsaKeyPair::from_pkcs8(SIGNING_ALGORITHM, key_pair_pkcs8.as_ref(), &rng)
365+
.map_err(|error| anyhow!("Couldn't parse generated key pair: {:?}", error))?;
356366

357367
Ok(Self { key_pair })
358368
}

third_party/ring/build.rs

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -330,7 +330,17 @@ fn ring_build_rs_main() {
330330
// If `.git` doesn't exist then assume that this is a packaged build where
331331
// we want to optimize for minimizing the build tools required: No Perl,
332332
// no nasm, etc.
333-
let use_pregenerated = !is_git;
333+
//
334+
// Oak Note:
335+
// ring includes pre-generated objects in cargo releases. It uses logic in
336+
// its build scripts to determine whether the build is from a version
337+
// published on cargo, or from source code. This logic is somewhat naively
338+
// implemented by checking for the absence of a `.git` directory. This
339+
// check falesly leads ring to believe it is building from a version
340+
// published on crates.io, and fails when it tries to include the
341+
// pregenerated files not present in the source code. To build from source
342+
// code we must patch this flag.
343+
let use_pregenerated = false;
334344

335345
// During local development, force warnings in non-Rust code to be treated
336346
// as errors. Since warnings are highly compiler-dependent and compilers

third_party/ring/src/lib.rs

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -48,7 +48,10 @@
4848
missing_debug_implementations,
4949
non_camel_case_types,
5050
non_snake_case,
51-
unsafe_code
51+
unsafe_code,
52+
// Oak Note: Do not warn when building deprecated code. Ring includes
53+
// code that is, and our CI fails on warnings
54+
deprecated
5255
)]
5356
// `#[derive(...)]` uses `trivial_numeric_casts` and `unused_qualifications`
5457
// internally.

0 commit comments

Comments
 (0)