mirror of
https://github.com/signalapp/libsignal.git
synced 2024-09-20 03:52:17 +02:00
Use SVR3 staging domains and enclaves
parent
b31ca0781c
commit
16631a88ca
@ -15,7 +15,6 @@ use prost::{DecodeError, Message};
|
|||||||
use sha2::{Digest, Sha384};
|
use sha2::{Digest, Sha384};
|
||||||
use subtle::ConstantTimeEq;
|
use subtle::ConstantTimeEq;
|
||||||
|
|
||||||
use crate::dcap::MREnclave;
|
|
||||||
use crate::enclave::{self, Claims, Handshake};
|
use crate::enclave::{self, Claims, Handshake};
|
||||||
use crate::proto;
|
use crate::proto;
|
||||||
use crate::svr2::{expected_raft_config, RaftConfig};
|
use crate::svr2::{expected_raft_config, RaftConfig};
|
||||||
@ -31,13 +30,13 @@ type Pcr = [u8; 48];
|
|||||||
// We only ever validate PCRs 0, 1, and 2.
|
// We only ever validate PCRs 0, 1, and 2.
|
||||||
type PcrMap = SmallMap<usize, Pcr, 3>;
|
type PcrMap = SmallMap<usize, Pcr, 3>;
|
||||||
|
|
||||||
const EXPECTED_PCRS: SmallMap<MREnclave, PcrMap, 1> = SmallMap::new([
|
const EXPECTED_PCRS: SmallMap<&'static [u8], PcrMap, 1> = SmallMap::new([
|
||||||
(
|
(
|
||||||
hex!("17e1cb662572d28e0eb5a492ed8df949bc2cfcf3f2098b710e7b637759d6dcb3"),
|
b"cc8f7cb1.52b91975.61d0bcb0",
|
||||||
SmallMap::new([
|
SmallMap::new([
|
||||||
(0, hex!("67fdc91606ca9d5e73c35412f7d22397deb3f56ff2365803c66f0924f1dbeb29517fa4a62014b0bf49bd59541e4bcdd7")),
|
(0, hex!("cc8f7cb1206285b1d07d1c390fee96d98c6373b2006aee6764f45c8acde7abc7a87b9af665ff0b2b14f4b20717f3f356")),
|
||||||
(1, hex!("52b919754e1643f4027eeee8ec39cc4a2cb931723de0c93ce5cc8d407467dc4302e86490c01c0d755acfe10dbf657546")),
|
(1, hex!("52b919754e1643f4027eeee8ec39cc4a2cb931723de0c93ce5cc8d407467dc4302e86490c01c0d755acfe10dbf657546")),
|
||||||
(2, hex!("18e034916997b8e97edfc79e743f70ddcef21a45841a7a8727e2b6d094b1941bd6f988d806df1471025bcccfe35c4572")),
|
(2, hex!("61d0bcb015dc32cded08c17ec0e9de008682d3a16082f59a6b60de00a0fba4aebbb26447c67378c924afe74bc9654738")),
|
||||||
]),
|
]),
|
||||||
),
|
),
|
||||||
]);
|
]);
|
||||||
@ -51,7 +50,7 @@ impl Handshake {
|
|||||||
) -> Result<Self, enclave::Error> {
|
) -> Result<Self, enclave::Error> {
|
||||||
let expected_pcrs =
|
let expected_pcrs =
|
||||||
EXPECTED_PCRS
|
EXPECTED_PCRS
|
||||||
.get(enclave)
|
.get(&enclave)
|
||||||
.ok_or_else(|| enclave::Error::AttestationDataError {
|
.ok_or_else(|| enclave::Error::AttestationDataError {
|
||||||
reason: format!("unknown enclave {:?}", enclave),
|
reason: format!("unknown enclave {:?}", enclave),
|
||||||
})?;
|
})?;
|
||||||
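Review bot: The new `EXPECTED_PCRS` key `b"cc8f7cb1.52b91975.61d0bcb0"` is a hand-typed label whose three parts match the first four bytes of PCR 0, 1 and 2 in the same entry, but nothing in the visible code enforces that correspondence. If the label and the PCR values drift apart at the next enclave rotation, the lookup in the `Handshake` hunk would still succeed, and the handshake would presumably be validated against PCRs that do not belong to the build the label names. A comment on the key such as `// label = first 4 bytes of PCR0.PCR1.PCR2; the full 48-byte values below are what attestation compares`, plus a unit test asserting the prefixes, would pin this down. Separately, `format!("unknown enclave {:?}", enclave)` now presumably receives a byte slice and prints it as a list of integers; `String::from_utf8_lossy(enclave)` would keep the error readable. The enclosing function starts and ends outside the hunk.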
|
@ -14,7 +14,7 @@ use crate::util::SmallMap;
|
|||||||
|
|
||||||
/// Map from MREnclave to intel SW advisories that are known to be mitigated in the
|
/// Map from MREnclave to intel SW advisories that are known to be mitigated in the
|
||||||
/// build with that MREnclave value
|
/// build with that MREnclave value
|
||||||
const ACCEPTABLE_SW_ADVISORIES: &SmallMap<MREnclave, &'static [&'static str], 4> =
|
const ACCEPTABLE_SW_ADVISORIES: &SmallMap<MREnclave, &'static [&'static str], 5> =
|
||||||
&SmallMap::new([
|
&SmallMap::new([
|
||||||
(
|
(
|
||||||
hex!("a8a261420a6bb9b61aa25bf8a79e8bd20d7652531feb3381cbffd446d270be95"),
|
hex!("a8a261420a6bb9b61aa25bf8a79e8bd20d7652531feb3381cbffd446d270be95"),
|
||||||
@ -32,6 +32,10 @@ const ACCEPTABLE_SW_ADVISORIES: &SmallMap<MREnclave, &'static [&'static str], 4>
|
|||||||
hex!("a6622ad4656e1abcd0bc0ff17c229477747d2ded0495c4ebee7ed35c1789fa97"),
|
hex!("a6622ad4656e1abcd0bc0ff17c229477747d2ded0495c4ebee7ed35c1789fa97"),
|
||||||
&["INTEL-SA-00615", "INTEL-SA-00657"] as &[&str],
|
&["INTEL-SA-00615", "INTEL-SA-00657"] as &[&str],
|
||||||
),
|
),
|
||||||
|
(
|
||||||
|
hex!("5db9423ed5a0b0bef374eac3a8251839e1f63ed40a2537415b63656b26912d92"),
|
||||||
|
&["INTEL-SA-00615", "INTEL-SA-00657"] as &[&str],
|
||||||
|
),
|
||||||
]);
|
]);
|
||||||
|
|
||||||
/// SW advisories known to be mitigated by default. If an MREnclave is provided that
|
/// SW advisories known to be mitigated by default. If an MREnclave is provided that
|
||||||
@ -57,7 +61,7 @@ impl PartialEq<svr2::RaftGroupConfig> for RaftConfig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/// Expected raft configuration for a given enclave.
|
/// Expected raft configuration for a given enclave.
|
||||||
static EXPECTED_RAFT_CONFIG: SmallMap<MREnclave, &'static RaftConfig, 4> = SmallMap::new([
|
static EXPECTED_RAFT_CONFIG: SmallMap<MREnclave, &'static RaftConfig, 5> = SmallMap::new([
|
||||||
(
|
(
|
||||||
hex!("a8a261420a6bb9b61aa25bf8a79e8bd20d7652531feb3381cbffd446d270be95"),
|
hex!("a8a261420a6bb9b61aa25bf8a79e8bd20d7652531feb3381cbffd446d270be95"),
|
||||||
&RaftConfig {
|
&RaftConfig {
|
||||||
@ -94,6 +98,16 @@ static EXPECTED_RAFT_CONFIG: SmallMap<MREnclave, &'static RaftConfig, 4> = Small
|
|||||||
group_id: 1230918306983775578,
|
group_id: 1230918306983775578,
|
||||||
},
|
},
|
||||||
),
|
),
|
||||||
|
(
|
||||||
|
// svr3 staging
|
||||||
|
hex!("5db9423ed5a0b0bef374eac3a8251839e1f63ed40a2537415b63656b26912d92"),
|
||||||
|
&RaftConfig {
|
||||||
|
min_voting_replicas: 3,
|
||||||
|
max_voting_replicas: 5,
|
||||||
|
super_majority: 0,
|
||||||
|
group_id: 13862729870901000330,
|
||||||
|
},
|
||||||
|
),
|
||||||
]);
|
]);
|
||||||
|
|
||||||
pub(crate) fn expected_raft_config(
|
pub(crate) fn expected_raft_config(
|
||||||
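Review bot: The new `ACCEPTABLE_SW_ADVISORIES` entry for `5db9423ed5a0b0bef374eac3a8251839e1f63ed40a2537415b63656b26912d92` carries no comment, while the matching `EXPECTED_RAFT_CONFIG` entry is labelled `// svr3 staging`; add the same `// svr3 staging` line above the `hex!` key so the two tables can be audited side by side. The advisory list `["INTEL-SA-00615", "INTEL-SA-00657"]` is identical to the preceding entry, and because this table is an allow-list of advisories treated as mitigated for a given build, it is worth confirming that both mitigations apply to this enclave build rather than being carried over. Both maps are keyed by the same MREnclave and both had their capacity raised from 4 to 5, so a sentence in each doc comment saying they must be updated together would help the next rotation.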
|
@ -16,7 +16,7 @@ pub(crate) struct SmallMap<K, V, const N: usize>([(K, V); N]);
|
|||||||
|
|
||||||
impl<K, V, const N: usize> SmallMap<K, V, N> {
|
impl<K, V, const N: usize> SmallMap<K, V, N> {
|
||||||
/// The maximum number of elements allowed in a `SmallMap`.
|
/// The maximum number of elements allowed in a `SmallMap`.
|
||||||
const MAX_SIZE: usize = 4;
|
const MAX_SIZE: usize = 5;
|
||||||
|
|
||||||
/// Checks at compile-time (via `const`) that `N` is small enough.
|
/// Checks at compile-time (via `const`) that `N` is small enough.
|
||||||
const CHECK_MAX_SIZE: () = assert!(
|
const CHECK_MAX_SIZE: () = assert!(
|
||||||
|
@ -22,23 +22,13 @@ use libsignal_net::infra::TcpSslTransportConnector;
|
|||||||
use libsignal_net::svr::{Auth, SvrConnection};
|
use libsignal_net::svr::{Auth, SvrConnection};
|
||||||
use libsignal_net::svr3::{OpaqueMaskedShareSet, PpssOps};
|
use libsignal_net::svr3::{OpaqueMaskedShareSet, PpssOps};
|
||||||
|
|
||||||
const SGX_TEST_SERVER_CERT_DER: &[u8] = include_bytes!("../res/sgx_test_server_cert.cer");
|
|
||||||
const SGX_TEST_RAFT_CONFIG: RaftConfig = RaftConfig {
|
|
||||||
min_voting_replicas: 1,
|
|
||||||
max_voting_replicas: 3,
|
|
||||||
super_majority: 0,
|
|
||||||
group_id: 5873791967879921865,
|
|
||||||
};
|
|
||||||
|
|
||||||
const NITRO_TEST_RAFT_CONFIG: RaftConfig = RaftConfig {
|
const NITRO_TEST_RAFT_CONFIG: RaftConfig = RaftConfig {
|
||||||
group_id: 14613281978079894749,
|
group_id: 2058019258222238426,
|
||||||
min_voting_replicas: 1,
|
min_voting_replicas: 3,
|
||||||
max_voting_replicas: 5,
|
max_voting_replicas: 5,
|
||||||
super_majority: 0,
|
super_majority: 0,
|
||||||
};
|
};
|
||||||
|
|
||||||
const NITRO_TEST_SERVER_CERT_DER: &[u8] = include_bytes!("../res/nitro_test_server_cert.cer");
|
|
||||||
|
|
||||||
#[derive(Parser, Debug)]
|
#[derive(Parser, Debug)]
|
||||||
struct Args {
|
struct Args {
|
||||||
/// base64 encoding of the auth secret for SGX
|
/// base64 encoding of the auth secret for SGX
|
||||||
@ -70,13 +60,8 @@ async fn main() {
|
|||||||
};
|
};
|
||||||
|
|
||||||
let connect = || async {
|
let connect = || async {
|
||||||
let connection_a = EndpointConnection::with_custom_properties(
|
let connection_a =
|
||||||
env.sgx(),
|
EndpointConnection::new(env.sgx(), Duration::from_secs(10), TcpSslTransportConnector);
|
||||||
Duration::from_secs(10),
|
|
||||||
TcpSslTransportConnector,
|
|
||||||
RootCertificates::FromDer(SGX_TEST_SERVER_CERT_DER.to_vec()),
|
|
||||||
Some(&SGX_TEST_RAFT_CONFIG),
|
|
||||||
);
|
|
||||||
let sgx_auth = Auth {
|
let sgx_auth = Auth {
|
||||||
uid: uid.to_string(),
|
uid: uid.to_string(),
|
||||||
secret: sgx_secret,
|
secret: sgx_secret,
|
||||||
@ -89,7 +74,7 @@ async fn main() {
|
|||||||
env.nitro(),
|
env.nitro(),
|
||||||
Duration::from_secs(10),
|
Duration::from_secs(10),
|
||||||
TcpSslTransportConnector,
|
TcpSslTransportConnector,
|
||||||
RootCertificates::FromDer(NITRO_TEST_SERVER_CERT_DER.to_vec()),
|
RootCertificates::Signal,
|
||||||
Some(&NITRO_TEST_RAFT_CONFIG),
|
Some(&NITRO_TEST_RAFT_CONFIG),
|
||||||
);
|
);
|
||||||
let nitro_auth = Auth {
|
let nitro_auth = Auth {
|
||||||
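Review bot: `NITRO_TEST_RAFT_CONFIG` keeps its `TEST` name although its values change here (`group_id: 2058019258222238426`, `min_voting_replicas: 3`) in a commit that moves the example to staging; rename it to `NITRO_STAGING_RAFT_CONFIG` or add `// staging Nitro raft group; must match the deployed enclave` above it. The SGX connection now goes through `EndpointConnection::new` with no explicit raft config, while the Nitro one still passes `Some(&NITRO_TEST_RAFT_CONFIG)` from this example file. The expected Nitro raft configuration therefore appears to live only here rather than beside the PCR table, and that asymmetry deserves a comment. `main` continues outside the hunks.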
|
Binary file not shown.
@ -45,7 +45,11 @@ impl EnclaveKind for Sgx {
|
|||||||
|
|
||||||
impl EnclaveKind for Nitro {
|
impl EnclaveKind for Nitro {
|
||||||
fn url_path(enclave: &[u8]) -> PathAndQuery {
|
fn url_path(enclave: &[u8]) -> PathAndQuery {
|
||||||
PathAndQuery::try_from(format!("/v1/{}", hex::encode(enclave))).unwrap()
|
PathAndQuery::try_from(format!(
|
||||||
|
"/v1/{}",
|
||||||
|
std::str::from_utf8(enclave).expect("valid utf8")
|
||||||
|
))
|
||||||
|
.unwrap()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
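Review bot: `Nitro::url_path` now places the enclave bytes into the request path verbatim, where the old `hex::encode` guaranteed a `[0-9a-f]` path segment. Any `/`, `?` or `#` in the identifier would change the path, and non-UTF-8 or otherwise invalid bytes panic through `expect("valid utf8")` or the trailing `.unwrap()`. The only value visible in this commit is the constant `b"cc8f7cb1.52b91975.61d0bcb0"`, so this is an unstated invariant rather than a live bug. State it in code with `debug_assert!(enclave.iter().all(|b| b.is_ascii_hexdigit() || *b == b'.'));` before the `format!`, and add a doc comment on `url_path` describing the expected `xxxxxxxx.xxxxxxxx.xxxxxxxx` form.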
|
@ -50,16 +50,14 @@ pub const STAGING: Env<'static, Svr3Env> = Env {
|
|||||||
},
|
},
|
||||||
svr3: Svr3Env(
|
svr3: Svr3Env(
|
||||||
EnclaveEndpoint {
|
EnclaveEndpoint {
|
||||||
host: "backend1.svr3.test.signal.org",
|
host: "backend1.svr3.staging.signal.org",
|
||||||
mr_enclave: MrEnclave::new(&hex!(
|
mr_enclave: MrEnclave::new(&hex!(
|
||||||
"acb1973aa0bbbd14b3b4e06f145497d948fd4a98efc500fcce363b3b743ec482"
|
"5db9423ed5a0b0bef374eac3a8251839e1f63ed40a2537415b63656b26912d92"
|
||||||
)),
|
)),
|
||||||
},
|
},
|
||||||
EnclaveEndpoint {
|
EnclaveEndpoint {
|
||||||
host: "backend2.svr3.test.signal.org",
|
host: "backend2.svr3.staging.signal.org",
|
||||||
mr_enclave: MrEnclave::new(&hex!(
|
mr_enclave: MrEnclave::new(b"cc8f7cb1.52b91975.61d0bcb0"),
|
||||||
"17e1cb662572d28e0eb5a492ed8df949bc2cfcf3f2098b710e7b637759d6dcb3"
|
|
||||||
)),
|
|
||||||
},
|
},
|
||||||
),
|
),
|
||||||
};
|
};
|
||||||
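Review bot: The second `EnclaveEndpoint` now passes `b"cc8f7cb1.52b91975.61d0bcb0"` to `MrEnclave::new`, which is a Nitro version label rather than an SGX MRENCLAVE measurement, and neither the field name nor a comment says so. The same literal is the key of `EXPECTED_PCRS` changed earlier in this commit, and a mismatch between the two would presumably surface only at connect time as `unknown enclave`. Add a comment such as `// Nitro: PCR-prefix label, must equal the EXPECTED_PCRS key` on that line, or share one constant between the two places if the crate layout allows it. The `STAGING` definition starts outside the hunk.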
|