Skip to content

Commit b06addc

Browse files
author
Juliette Pretot
committed
Use the vendored version of ring
Requires updating our code to accomodate API changes since the vendored version is newer
1 parent 80f7440 commit b06addc

File tree

4 files changed

+101
-49
lines changed

4 files changed

+101
-49
lines changed

Cargo.lock

Lines changed: 28 additions & 10 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

oak_functions/loader/fuzz/Cargo.lock

Lines changed: 32 additions & 8 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

remote_attestation/rust/Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ anyhow = { version = "*", default-features = false }
1414
bytes = { version = "*", default-features = false }
1515
log = "*"
1616
prost = { version = "*", default-features = false, features = ["prost-derive"] }
17-
ring = "*"
17+
ring = { path = "../../third_party/ring" }
1818

1919
[build-dependencies]
2020
prost-build = "*"

remote_attestation/rust/src/crypto.rs

Lines changed: 40 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -234,11 +234,10 @@ impl KeyNegotiator {
234234
) -> anyhow::Result<(EncryptionKey, DecryptionKey)> {
235235
let type_ = self.type_.clone();
236236
let self_public_key = self.public_key().context("Couldn't get self public key")?;
237-
let (encryption_key, decryption_key) = agreement::agree_ephemeral(
237+
agreement::agree_ephemeral(
238238
self.private_key,
239239
&agreement::UnparsedPublicKey::new(KEY_AGREEMENT_ALGORITHM, peer_public_key),
240-
anyhow!("Couldn't derive session keys"),
241-
|key_material| {
240+
|key_material| -> anyhow::Result<(EncryptionKey, DecryptionKey)> {
242241
let key_material = key_material
243242
.try_into()
244243
.map_err(anyhow::Error::msg)
@@ -251,44 +250,54 @@ impl KeyNegotiator {
251250
match type_ {
252251
// On the server side `self_public_key` is the server key.
253252
KeyNegotiatorType::Server => {
254-
let encryption_key = Self::key_derivation_function(
255-
key_material,
256-
SERVER_KEY_PURPOSE,
257-
&self_public_key,
258-
&peer_public_key,
253+
let encryption_key = EncryptionKey(
254+
Self::key_derivation_function(
255+
key_material,
256+
SERVER_KEY_PURPOSE,
257+
&self_public_key,
258+
&peer_public_key,
259+
)
260+
.context("Couldn't derive decryption key")?,
259261
);
260-
let decryption_key = Self::key_derivation_function(
261-
key_material,
262-
CLIENT_KEY_PURPOSE,
263-
&self_public_key,
264-
&peer_public_key,
262+
let decryption_key = DecryptionKey(
263+
Self::key_derivation_function(
264+
key_material,
265+
CLIENT_KEY_PURPOSE,
266+
&self_public_key,
267+
&peer_public_key,
268+
)
269+
.context("Couldn't derive encryption key")?,
265270
);
266271
Ok((encryption_key, decryption_key))
267272
}
268273
// On the client side `peer_public_key` is the server key.
269274
KeyNegotiatorType::Client => {
270-
let encryption_key = Self::key_derivation_function(
271-
key_material,
272-
CLIENT_KEY_PURPOSE,
273-
&peer_public_key,
274-
&self_public_key,
275+
let encryption_key = EncryptionKey(
276+
Self::key_derivation_function(
277+
key_material,
278+
CLIENT_KEY_PURPOSE,
279+
&peer_public_key,
280+
&self_public_key,
281+
)
282+
.context("Couldn't derive decryption key")?,
275283
);
276-
let decryption_key = Self::key_derivation_function(
277-
key_material,
278-
SERVER_KEY_PURPOSE,
279-
&peer_public_key,
280-
&self_public_key,
284+
let decryption_key = DecryptionKey(
285+
Self::key_derivation_function(
286+
key_material,
287+
SERVER_KEY_PURPOSE,
288+
&peer_public_key,
289+
&self_public_key,
290+
)
291+
.context("Couldn't derive encryption key")?,
281292
);
282293
Ok((encryption_key, decryption_key))
283294
}
284295
}
285296
},
286297
)
287-
.context("Couldn't agree on session keys")?;
288-
Ok((
289-
EncryptionKey(encryption_key.context("Couldn't derive encryption key")?),
290-
DecryptionKey(decryption_key.context("Couldn't derive decryption key")?),
291-
))
298+
.map_err(anyhow::Error::msg)
299+
.context("Couldn't derive session keys")?
300+
.context("Couldn't agree on session keys")
292301
}
293302

294303
/// Derives a session key from `key_material` using HKDF.
@@ -351,8 +360,9 @@ impl Signer {
351360
let rng = ring::rand::SystemRandom::new();
352361
let key_pair_pkcs8 = EcdsaKeyPair::generate_pkcs8(SIGNING_ALGORITHM, &rng)
353362
.map_err(|error| anyhow!("Couldn't generate PKCS#8 key pair: {:?}", error))?;
354-
let key_pair = EcdsaKeyPair::from_pkcs8(SIGNING_ALGORITHM, key_pair_pkcs8.as_ref())
355-
.map_err(|error| anyhow!("Couldn't parse generated key pair: {:?}", error))?;
363+
let key_pair =
364+
EcdsaKeyPair::from_pkcs8(SIGNING_ALGORITHM, key_pair_pkcs8.as_ref(), &rng)
365+
.map_err(|error| anyhow!("Couldn't parse generated key pair: {:?}", error))?;
356366

357367
Ok(Self { key_pair })
358368
}

0 commit comments

Comments
 (0)