Skip to content
This repository has been archived by the owner on Jul 29, 2024. It is now read-only.

Commit

Permalink
fix error after upgrading ring and webpki.
Browse files Browse the repository at this point in the history 
Signed-off-by: Yang, Longlong <[email protected]>
  • Loading branch information
@longlongyang
longlongyang committed Nov 30, 2023
1 parent 3b35907 commit 5728a81
Show file tree
Hide file tree
Showing 10 changed files with 101 additions and 53 deletions.
2 changes: 1 addition & 1 deletion fuzz-target/fuzzlib/Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ afl = { version = "=0.12.12", optional = true }
spdmlib = { path = "../../spdmlib", default-features = false, features=["spdm-ring"] }
simple_logger = "4.2.0"
log = "0.4.13"
ring = { version = "0.16.20" }
ring = { version = "0.17.6" }
flexi_logger = "0.27.2"
spdmlib-test = { path = "../../test/spdmlib-test" }
futures = { version = "0.3", default-features = false }
Expand Down
4 changes: 2 additions & 2 deletions sh_script/pre-build.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,14 +3,14 @@
format-patch() {
# apply the patch set for ring
pushd external/ring
git reset --hard 9cc0d45f4d8521f467bb3a621e74b1535e118188
git reset --hard 464d367252354418a2c17feb806876d4d89a8508
git clean -xdf
git apply ../patches/ring/0001-Support-x86_64-unknown-none-target.patch
popd

# apply the patch set for webpki
pushd external/webpki
git reset --hard 0b7cbf2d327d7665d9d06072bf46b2e7ca05f065
git reset --hard f84a538a5cd281ba1ffc0d54bbe5824cf5969703
git clean -xdf
git apply ../patches/webpki/0001-Add-support-for-verifying-certificate-chain-with-EKU.patch
popd
Expand Down
6 changes: 3 additions & 3 deletions spdmlib/Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,9 @@ bytes = { version="1", default-features=false }
conquer-once = { version = "0.3.2", default-features = false }
lazy_static = { version = "1.0", features = ["spin_no_std"], optional = true }

ring = { version = "0.16.20", optional = true }
webpki = { version = "0.22.0", default-features = false, features = ["alloc"], optional = true}
untrusted = { version = "0.7.1", optional = true }
ring = { version = "0.17.6", optional = true }
webpki = { version = "0.22.4", default-features = false, features = ["alloc"], optional = true}
untrusted = { version = "0.9.0", optional = true }
zeroize = { version = "1.5.0", features = ["zeroize_derive"]}

futures = { version = "0.3", default-features = false }
Expand Down
99 changes: 79 additions & 20 deletions spdmlib/src/crypto/spdm_ring/cert_operation_impl.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,22 +58,88 @@ fn verify_cert_chain(cert_chain: &[u8]) -> SpdmResult {
&webpki::ECDSA_P384_SHA384,
];

let certs_der = untrusted::Input::from(cert_chain);
let reader = &mut untrusted::Reader::new(certs_der);

let mut certs = Vec::new();
let mut certs_walker = 0;
let cert_chain_len = cert_chain.len();
loop {
let start = reader.mark();
match der::expect_tag_and_get_value(reader, der::Tag::Sequence) {
Ok(_) => {
let end = reader.mark();
let cert = reader
.get_input_between_marks(start, end)
.map_err(|_| SPDM_STATUS_INVALID_CERT)?;
certs.push(cert.as_slice_less_safe())
let start = if certs_walker < cert_chain_len {
certs_walker
} else {
break;
};

let tag = cert_chain[certs_walker];
if usize::from(der::Tag::Sequence) != tag as usize {
break;
}

certs_walker += 1;
if certs_walker >= cert_chain_len {
break;
}

// If the high order bit of the first byte is set to zero then the length
// is encoded in the seven remaining bits of that byte. Otherwise, those
// seven bits represent the number of bytes used to encode the length.
let length_byte0 = cert_chain[certs_walker];

let length = match length_byte0 {
n if (n & 0x80) == 0 => n as usize,
0x81 => {
certs_walker += 1;
if certs_walker >= cert_chain_len {
break;
}

let second_byte = cert_chain[certs_walker];
if second_byte < 128 {
break; // Not the canonical encoding.
}

certs_walker += 1;
if certs_walker >= cert_chain_len {
break;
}

second_byte as usize
}
0x82 => {
certs_walker += 1;
if certs_walker >= cert_chain_len {
break;
}

let second_byte = cert_chain[certs_walker] as usize;

certs_walker += 1;
if certs_walker >= cert_chain_len {
break;
}

let third_byte = cert_chain[certs_walker] as usize;

certs_walker += 1;
if certs_walker >= cert_chain_len {
break;
}

let combined = (second_byte << 8) | third_byte;
if combined < 256 {
break; // Not the canonical encoding.
}
combined
}
_ => {
break; // We don't support longer lengths.
}
Err(_) => break,
};

certs_walker += length;
if certs_walker > cert_chain_len {
break;
}

certs.push(&cert_chain[start..certs_walker]);
}
let certs_len = certs.len();

Expand Down Expand Up @@ -117,14 +183,7 @@ fn verify_cert_chain(cert_chain: &[u8]) -> SpdmResult {

// we cannot call verify_is_valid_tls_server_cert because it will check verify_cert::EKU_SERVER_AUTH.
if cert
.verify_cert_chain_with_eku(
EKU_SPDM_RESPONDER_AUTH,
ALL_SIGALGS,
&anchors,
inters,
time,
0,
)
.verify_cert_chain_with_eku(EKU_SPDM_RESPONDER_AUTH, ALL_SIGALGS, &anchors, inters, time)
.is_ok()
{
info!("Cert verification Pass\n");
Expand Down
24 changes: 6 additions & 18 deletions spdmlib/src/crypto/spdm_ring/dhe_impl.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,15 +38,9 @@ impl SpdmDheKeyExchange for SpdmDheKeyExchangeP256 {
let peer_public_key =
ring::agreement::UnparsedPublicKey::new(&ring::agreement::ECDH_P256, pubkey.as_ref());
let mut final_key = BytesMutStrubbed::new();
match ring::agreement::agree_ephemeral(
self.0,
&peer_public_key,
ring::error::Unspecified,
|key_material| {
final_key.extend_from_slice(key_material);
Ok(())
},
) {
match ring::agreement::agree_ephemeral(self.0, &peer_public_key, |key_material| {
final_key.extend_from_slice(key_material);
}) {
Ok(()) => Some(SpdmDheFinalKeyStruct::from(final_key)),
Err(_) => None,
}
Expand Down Expand Up @@ -82,15 +76,9 @@ impl SpdmDheKeyExchange for SpdmDheKeyExchangeP384 {
let peer_public_key =
ring::agreement::UnparsedPublicKey::new(&ring::agreement::ECDH_P384, pubkey.as_ref());
let mut final_key = BytesMutStrubbed::new();
match ring::agreement::agree_ephemeral(
self.0,
&peer_public_key,
ring::error::Unspecified,
|key_material| {
final_key.extend_from_slice(key_material);
Ok(())
},
) {
match ring::agreement::agree_ephemeral(self.0, &peer_public_key, |key_material| {
final_key.extend_from_slice(key_material);
}) {
Ok(()) => Some(SpdmDheFinalKeyStruct::from(final_key)),
Err(_) => None,
}
Expand Down
2 changes: 1 addition & 1 deletion spdmlib/src/crypto/spdm_ring/hkdf_impl.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ fn hkdf_expand(
_ => return None,
}?;

if prk.data_size as usize != algo.hmac_algorithm().digest_algorithm().output_len {
if prk.data_size as usize != algo.hmac_algorithm().digest_algorithm().output_len() {
return None;
}

Expand Down
6 changes: 3 additions & 3 deletions test/spdm-emu/Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,9 @@ edition = "2018"

[dependencies]
log = "0.4.13"
ring = { version = "0.16.20" }
webpki = { version = "0.22.0", default-features = false, features = ["alloc"]}
untrusted = { version = "0.7.1" }
ring = { version = "0.17.6" }
webpki = { version = "0.22.4", default-features = false, features = ["alloc"]}
untrusted = { version = "0.9.0" }
codec = { path = "../../codec" }
spdmlib = { path = "../../spdmlib", default-features = false }
mctp_transport = { path = "../../mctp_transport" }
Expand Down
6 changes: 3 additions & 3 deletions test/spdm-emu/src/crypto_callback.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -106,9 +106,9 @@ fn sign_ecdsa_asym_algo(
};
let der_file = std::fs::read(key_file_path).expect("unable to read key der!");
let key_bytes = der_file.as_slice();

let rng = ring::rand::SystemRandom::new();
let key_pair: ring::signature::EcdsaKeyPair =
ring::signature::EcdsaKeyPair::from_pkcs8(algorithm, key_bytes).ok()?;
ring::signature::EcdsaKeyPair::from_pkcs8(algorithm, key_bytes, &rng).ok()?;

let rng = ring::rand::SystemRandom::new();

Expand Down Expand Up @@ -153,7 +153,7 @@ fn sign_rsa_asym_algo(
let key_pair: ring::signature::RsaKeyPair =
ring::signature::RsaKeyPair::from_der(key_bytes).ok()?;

if key_len != key_pair.public_modulus_len() {
if key_len != key_pair.public().modulus_len() {
panic!();
}

Expand Down
2 changes: 1 addition & 1 deletion test/spdmlib-test/Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ edition = "2021"
spdmlib = { path = "../../spdmlib", default-features = false, features=["spdm-ring"] }
codec = { path = "../../codec", features = ["alloc"] }
log = "0.4.13"
ring = { version = "0.16.20" }
ring = { version = "0.17.6" }
bytes = { version="1", default-features=false }
futures = { version = "0.3", default-features = false }
async-trait = "0.1.71"
Expand Down
3 changes: 2 additions & 1 deletion test/spdmlib-test/src/common/secret_callback.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -304,8 +304,9 @@ fn sign_ecdsa_asym_algo(
let der_file = std::fs::read(key_file_path).expect("unable to read key der!");
let key_bytes = der_file.as_slice();

let rng = ring::rand::SystemRandom::new();
let key_pair: ring::signature::EcdsaKeyPair =
ring::signature::EcdsaKeyPair::from_pkcs8(algorithm, key_bytes).unwrap();
ring::signature::EcdsaKeyPair::from_pkcs8(algorithm, key_bytes, &rng).unwrap();

let rng = ring::rand::SystemRandom::new();

Expand Down

0 comments on commit 5728a81

Please sign in to comment.