Skip to content

Commit ba87283

Browse files
author
Juliette Pretot
committed
Use the vendored version of ring
Requires updating our code to accomodate API changes since the vendored version is newer
1 parent 717e9bc commit ba87283

File tree

4 files changed

+126
-76
lines changed

4 files changed

+126
-76
lines changed

Cargo.lock

Lines changed: 31 additions & 13 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

oak_functions/loader/fuzz/Cargo.lock

Lines changed: 32 additions & 8 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

remote_attestation/rust/Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ anyhow = { version = "*", default-features = false }
1414
bytes = { version = "*", default-features = false }
1515
log = "*"
1616
prost = { version = "*", default-features = false, features = ["prost-derive"] }
17-
ring = "*"
17+
ring = { path = "../../third_party/ring" }
1818

1919
[build-dependencies]
2020
prost-build = "*"

remote_attestation/rust/src/crypto.rs

Lines changed: 62 additions & 54 deletions
Original file line numberDiff line numberDiff line change
@@ -86,13 +86,15 @@ impl aead::NonceSequence for OneNonceSequence {
8686
}
8787
}
8888

89+
type Key = [u8; KEY_AGREEMENT_ALGORITHM_KEY_LENGTH];
90+
8991
/// Convenience struct for passing an encryption key as an argument.
9092
#[derive(PartialEq)]
91-
pub(crate) struct EncryptionKey(pub(crate) [u8; KEY_AGREEMENT_ALGORITHM_KEY_LENGTH]);
93+
pub(crate) struct EncryptionKey(pub(crate) Key);
9294

9395
/// Convenience struct for passing a decryption key as an argument.
9496
#[derive(PartialEq)]
95-
pub(crate) struct DecryptionKey(pub(crate) [u8; KEY_AGREEMENT_ALGORITHM_KEY_LENGTH]);
97+
pub(crate) struct DecryptionKey(pub(crate) Key);
9698

9799
/// Implementation of Authenticated Encryption with Associated Data (AEAD).
98100
///
@@ -234,57 +236,62 @@ impl KeyNegotiator {
234236
) -> anyhow::Result<(EncryptionKey, DecryptionKey)> {
235237
let type_ = self.type_.clone();
236238
let self_public_key = self.public_key().context("Couldn't get self public key")?;
237-
let (encryption_key, decryption_key) = agreement::agree_ephemeral(
238-
self.private_key,
239-
&agreement::UnparsedPublicKey::new(KEY_AGREEMENT_ALGORITHM, peer_public_key),
240-
anyhow!("Couldn't derive session keys"),
241-
|key_material| {
242-
let key_material = key_material
243-
.try_into()
244-
.map_err(anyhow::Error::msg)
245-
.context(format!(
246-
"Incorrect key material length, expected {}, found {}",
247-
KEY_AGREEMENT_ALGORITHM_KEY_LENGTH,
248-
key_material.len()
249-
))?;
250-
let peer_public_key = *peer_public_key;
251-
match type_ {
252-
// On the server side `self_public_key` is the server key.
253-
KeyNegotiatorType::Server => {
254-
let encryption_key = Self::key_derivation_function(
255-
key_material,
256-
SERVER_KEY_PURPOSE,
257-
&self_public_key,
258-
&peer_public_key,
259-
);
260-
let decryption_key = Self::key_derivation_function(
261-
key_material,
262-
CLIENT_KEY_PURPOSE,
263-
&self_public_key,
264-
&peer_public_key,
265-
);
266-
Ok((encryption_key, decryption_key))
267-
}
268-
// On the client side `peer_public_key` is the server key.
269-
KeyNegotiatorType::Client => {
270-
let encryption_key = Self::key_derivation_function(
271-
key_material,
272-
CLIENT_KEY_PURPOSE,
273-
&peer_public_key,
274-
&self_public_key,
275-
);
276-
let decryption_key = Self::key_derivation_function(
277-
key_material,
278-
SERVER_KEY_PURPOSE,
279-
&peer_public_key,
280-
&self_public_key,
281-
);
282-
Ok((encryption_key, decryption_key))
239+
let (encryption_key, decryption_key) =
240+
agreement::agree_ephemeral(
241+
self.private_key,
242+
&agreement::UnparsedPublicKey::new(KEY_AGREEMENT_ALGORITHM, peer_public_key),
243+
|key_material| -> Result<
244+
(Result<Key, anyhow::Error>, Result<Key, anyhow::Error>),
245+
anyhow::Error,
246+
> {
247+
let key_material = key_material
248+
.try_into()
249+
.map_err(anyhow::Error::msg)
250+
.context(format!(
251+
"Incorrect key material length, expected {}, found {}",
252+
KEY_AGREEMENT_ALGORITHM_KEY_LENGTH,
253+
key_material.len()
254+
))?;
255+
let peer_public_key = *peer_public_key;
256+
match type_ {
257+
// On the server side `self_public_key` is the server key.
258+
KeyNegotiatorType::Server => {
259+
let encryption_key = Self::key_derivation_function(
260+
key_material,
261+
SERVER_KEY_PURPOSE,
262+
&self_public_key,
263+
&peer_public_key,
264+
);
265+
let decryption_key = Self::key_derivation_function(
266+
key_material,
267+
CLIENT_KEY_PURPOSE,
268+
&self_public_key,
269+
&peer_public_key,
270+
);
271+
Ok((encryption_key, decryption_key))
272+
}
273+
// On the client side `peer_public_key` is the server key.
274+
KeyNegotiatorType::Client => {
275+
let encryption_key = Self::key_derivation_function(
276+
key_material,
277+
CLIENT_KEY_PURPOSE,
278+
&peer_public_key,
279+
&self_public_key,
280+
);
281+
let decryption_key = Self::key_derivation_function(
282+
key_material,
283+
SERVER_KEY_PURPOSE,
284+
&peer_public_key,
285+
&self_public_key,
286+
);
287+
Ok((encryption_key, decryption_key))
288+
}
283289
}
284-
}
285-
},
286-
)
287-
.context("Couldn't agree on session keys")?;
290+
},
291+
)
292+
.map_err(anyhow::Error::msg)
293+
.context("Couldn't derive session keys")?
294+
.context("Couldn't agree on session keys")?;
288295
Ok((
289296
EncryptionKey(encryption_key.context("Couldn't derive encryption key")?),
290297
DecryptionKey(decryption_key.context("Couldn't derive decryption key")?),
@@ -351,8 +358,9 @@ impl Signer {
351358
let rng = ring::rand::SystemRandom::new();
352359
let key_pair_pkcs8 = EcdsaKeyPair::generate_pkcs8(SIGNING_ALGORITHM, &rng)
353360
.map_err(|error| anyhow!("Couldn't generate PKCS#8 key pair: {:?}", error))?;
354-
let key_pair = EcdsaKeyPair::from_pkcs8(SIGNING_ALGORITHM, key_pair_pkcs8.as_ref())
355-
.map_err(|error| anyhow!("Couldn't parse generated key pair: {:?}", error))?;
361+
let key_pair =
362+
EcdsaKeyPair::from_pkcs8(SIGNING_ALGORITHM, key_pair_pkcs8.as_ref(), &rng)
363+
.map_err(|error| anyhow!("Couldn't parse generated key pair: {:?}", error))?;
356364

357365
Ok(Self { key_pair })
358366
}

0 commit comments

Comments
 (0)