diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 1aca047bde9..128fb9ba3c1 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -64,7 +64,7 @@ jobs: uses: actions/cache@v2 env: # Increment this value to invalidate previous cache entries. - CACHE_VERSION: 2 + CACHE_VERSION: 3 with: path: | ./cargo-cache/bin diff --git a/Cargo.lock b/Cargo.lock index 59801fe1586..9dd587376ff 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2459,7 +2459,7 @@ dependencies = [ "assert_matches", "log", "openssl", - "ring", + "ring 0.16.20", "rustls", "serde", "serde_json", @@ -2687,7 +2687,7 @@ dependencies = [ "log", "oak_attestation_common", "rustls", - "rustls-pemfile 0.2.1", + "rustls-pemfile 0.3.0", "serde", "serde_json", "sha2 0.10.2", @@ -2744,7 +2744,7 @@ dependencies = [ "prost-build 0.10.0", "quickcheck", "quickcheck_macros", - "ring", + "ring 0.17.0-not-released-yet", ] [[package]] @@ -2763,7 +2763,7 @@ dependencies = [ "log", "oak_attestation_common", "rustls", - "rustls-pemfile 0.2.1", + "rustls-pemfile 0.3.0", "sha2 0.10.2", "tokio", "tokio-rustls", @@ -3488,11 +3488,23 @@ dependencies = [ "libc", "once_cell", "spin 0.5.2", - "untrusted", + "untrusted 0.7.1", "web-sys", "winapi", ] +[[package]] +name = "ring" +version = "0.17.0-not-released-yet" +dependencies = [ + "cc", + "libc", + "once_cell", + "spin 0.9.2", + "untrusted 0.9.0", + "winapi", +] + [[package]] name = "rustc-demangle" version = "0.1.21" @@ -3546,7 +3558,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4fbfeb8d0ddb84706bc597a5574ab8912817c52a397f819e5b614e2265206921" dependencies = [ "log", - "ring", + "ring 0.16.20", "sct", "webpki", ] @@ -3658,8 +3670,8 @@ version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" dependencies = [ - "ring", - "untrusted", + "ring 0.16.20", + "untrusted 0.7.1", ] [[package]] @@ -4817,6 +4829,12 @@ version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" +[[package]] +name = "untrusted" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" + [[package]] name = "url" version = "2.2.2" @@ -5264,8 +5282,8 @@ version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd" dependencies = [ - "ring", - "untrusted", + "ring 0.16.20", + "untrusted 0.7.1", ] [[package]] diff --git a/deny.toml b/deny.toml index c145442a8c9..da409215696 100644 --- a/deny.toml +++ b/deny.toml @@ -43,7 +43,6 @@ copyleft = "deny" [[licenses.clarify]] name = "ring" -version = "*" expression = "MIT AND ISC AND OpenSSL" license-files = [{ path = "LICENSE", hash = 3171872035 }] diff --git a/oak_functions/loader/fuzz/Cargo.lock b/oak_functions/loader/fuzz/Cargo.lock index 674699c4da6..d030f599365 100644 --- a/oak_functions/loader/fuzz/Cargo.lock +++ b/oak_functions/loader/fuzz/Cargo.lock @@ -845,7 +845,7 @@ dependencies = [ "log", "prost", "prost-build", - "ring", + "ring 0.17.0-not-released-yet", ] [[package]] @@ -1110,12 +1110,24 @@ dependencies = [ "cc", "libc", "once_cell", - "spin", - "untrusted", + "spin 0.5.2", + "untrusted 0.7.1", "web-sys", "winapi", ] +[[package]] +name = "ring" +version = "0.17.0-not-released-yet" +dependencies = [ + "cc", + "libc", + "once_cell", + "spin 0.9.2", + "untrusted 0.9.0", + "winapi", +] + [[package]] name = "rustls" version = "0.20.3" @@ -1123,7 +1135,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b323592e3164322f5b193dc4302e4e36cd8d37158a712d664efae1a5c2791700" dependencies = [ "log", - "ring", + "ring 0.16.20", "sct", "webpki", ] @@ -1177,8 +1189,8 @@ version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" dependencies = [ - "ring", - "untrusted", + "ring 0.16.20", + "untrusted 0.7.1", ] [[package]] @@ -1276,6 +1288,12 @@ version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" +[[package]] +name = "spin" +version = "0.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "511254be0c5bcf062b019a6c89c01a664aa359ded62f78aa72c6fc137c0590e5" + [[package]] name = "strsim" version = "0.10.0" @@ -1589,6 +1607,12 @@ version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" +[[package]] +name = "untrusted" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" + [[package]] name = "url" version = "2.2.2" @@ -1717,8 +1741,8 @@ version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd" dependencies = [ - "ring", - "untrusted", + "ring 0.16.20", + "untrusted 0.7.1", ] [[package]] diff --git a/remote_attestation/rust/Cargo.toml b/remote_attestation/rust/Cargo.toml index f9eb27aa9ed..87692263b70 100644 --- a/remote_attestation/rust/Cargo.toml +++ b/remote_attestation/rust/Cargo.toml @@ -14,7 +14,7 @@ anyhow = { version = "*", default-features = false } bytes = { version = "*", default-features = false } log = "*" prost = { version = "*", default-features = false, features = ["prost-derive"] } -ring = "*" +ring = { path = "../../third_party/ring" } [build-dependencies] prost-build = "*" diff --git a/remote_attestation/rust/src/crypto.rs b/remote_attestation/rust/src/crypto.rs index 23b033e6e8f..4764aa37eea 100644 --- a/remote_attestation/rust/src/crypto.rs +++ b/remote_attestation/rust/src/crypto.rs @@ -234,11 +234,10 @@ impl KeyNegotiator { ) -> anyhow::Result<(EncryptionKey, DecryptionKey)> { let type_ = self.type_.clone(); let self_public_key = self.public_key().context("Couldn't get self public key")?; - let (encryption_key, decryption_key) = agreement::agree_ephemeral( + agreement::agree_ephemeral( self.private_key, &agreement::UnparsedPublicKey::new(KEY_AGREEMENT_ALGORITHM, peer_public_key), - anyhow!("Couldn't derive session keys"), - |key_material| { + |key_material| -> anyhow::Result<(EncryptionKey, DecryptionKey)> { let key_material = key_material .try_into() .map_err(anyhow::Error::msg) @@ -251,44 +250,54 @@ impl KeyNegotiator { match type_ { // On the server side `self_public_key` is the server key. KeyNegotiatorType::Server => { - let encryption_key = Self::key_derivation_function( - key_material, - SERVER_KEY_PURPOSE, - &self_public_key, - &peer_public_key, + let encryption_key = EncryptionKey( + Self::key_derivation_function( + key_material, + SERVER_KEY_PURPOSE, + &self_public_key, + &peer_public_key, + ) + .context("Couldn't derive decryption key")?, ); - let decryption_key = Self::key_derivation_function( - key_material, - CLIENT_KEY_PURPOSE, - &self_public_key, - &peer_public_key, + let decryption_key = DecryptionKey( + Self::key_derivation_function( + key_material, + CLIENT_KEY_PURPOSE, + &self_public_key, + &peer_public_key, + ) + .context("Couldn't derive encryption key")?, ); Ok((encryption_key, decryption_key)) } // On the client side `peer_public_key` is the server key. KeyNegotiatorType::Client => { - let encryption_key = Self::key_derivation_function( - key_material, - CLIENT_KEY_PURPOSE, - &peer_public_key, - &self_public_key, + let encryption_key = EncryptionKey( + Self::key_derivation_function( + key_material, + CLIENT_KEY_PURPOSE, + &peer_public_key, + &self_public_key, + ) + .context("Couldn't derive decryption key")?, ); - let decryption_key = Self::key_derivation_function( - key_material, - SERVER_KEY_PURPOSE, - &peer_public_key, - &self_public_key, + let decryption_key = DecryptionKey( + Self::key_derivation_function( + key_material, + SERVER_KEY_PURPOSE, + &peer_public_key, + &self_public_key, + ) + .context("Couldn't derive encryption key")?, ); Ok((encryption_key, decryption_key)) } } }, ) - .context("Couldn't agree on session keys")?; - Ok(( - EncryptionKey(encryption_key.context("Couldn't derive encryption key")?), - DecryptionKey(decryption_key.context("Couldn't derive decryption key")?), - )) + .map_err(anyhow::Error::msg) + .context("Couldn't derive session keys")? + .context("Couldn't agree on session keys") } /// Derives a session key from `key_material` using HKDF. @@ -351,8 +360,9 @@ impl Signer { let rng = ring::rand::SystemRandom::new(); let key_pair_pkcs8 = EcdsaKeyPair::generate_pkcs8(SIGNING_ALGORITHM, &rng) .map_err(|error| anyhow!("Couldn't generate PKCS#8 key pair: {:?}", error))?; - let key_pair = EcdsaKeyPair::from_pkcs8(SIGNING_ALGORITHM, key_pair_pkcs8.as_ref()) - .map_err(|error| anyhow!("Couldn't parse generated key pair: {:?}", error))?; + let key_pair = + EcdsaKeyPair::from_pkcs8(SIGNING_ALGORITHM, key_pair_pkcs8.as_ref(), &rng) + .map_err(|error| anyhow!("Couldn't parse generated key pair: {:?}", error))?; Ok(Self { key_pair }) } diff --git a/third_party/ring/build.rs b/third_party/ring/build.rs index b50128a37f6..46e4355efc9 100644 --- a/third_party/ring/build.rs +++ b/third_party/ring/build.rs @@ -330,7 +330,17 @@ fn ring_build_rs_main() { // If `.git` doesn't exist then assume that this is a packaged build where // we want to optimize for minimizing the build tools required: No Perl, // no nasm, etc. - let use_pregenerated = !is_git; + // + // Oak Note: + // ring includes pre-generated objects in cargo releases. It uses logic in + // its build scripts to determine whether the build is from a version + // published on cargo, or from source code. This logic is somewhat naively + // implemented by checking for the absence of a `.git` directory. This + // check falesly leads ring to believe it is building from a version + // published on crates.io, and fails when it tries to include the + // pregenerated files not present in the source code. To build from source + // code we must patch this flag. + let use_pregenerated = false; // During local development, force warnings in non-Rust code to be treated // as errors. Since warnings are highly compiler-dependent and compilers diff --git a/third_party/ring/src/lib.rs b/third_party/ring/src/lib.rs index f61d2497438..797d35a0331 100644 --- a/third_party/ring/src/lib.rs +++ b/third_party/ring/src/lib.rs @@ -48,7 +48,10 @@ missing_debug_implementations, non_camel_case_types, non_snake_case, - unsafe_code + unsafe_code, + // Oak Note: Do not warn when building deprecated code. Ring includes + // code that is, and our CI fails on warnings + deprecated )] // `#[derive(...)]` uses `trivial_numeric_casts` and `unused_qualifications` // internally.