Use SVR3 staging domains and enclaves
parent
b31ca0781c
commit
16631a88ca
@ -15,7 +15,6 @@ use prost::{DecodeError, Message};
|
||||
use sha2::{Digest, Sha384};
|
||||
use subtle::ConstantTimeEq;
|
||||
|
||||
use crate::dcap::MREnclave;
|
||||
use crate::enclave::{self, Claims, Handshake};
|
||||
use crate::proto;
|
||||
use crate::svr2::{expected_raft_config, RaftConfig};
|
||||
@ -31,13 +30,13 @@ type Pcr = [u8; 48];
|
||||
// We only ever validate PCRs 0, 1, and 2.
|
||||
type PcrMap = SmallMap<usize, Pcr, 3>;
|
||||
|
||||
const EXPECTED_PCRS: SmallMap<MREnclave, PcrMap, 1> = SmallMap::new([
|
||||
const EXPECTED_PCRS: SmallMap<&'static [u8], PcrMap, 1> = SmallMap::new([
|
||||
(
|
||||
hex!("17e1cb662572d28e0eb5a492ed8df949bc2cfcf3f2098b710e7b637759d6dcb3"),
|
||||
b"cc8f7cb1.52b91975.61d0bcb0",
|
||||
SmallMap::new([
|
||||
(0, hex!("67fdc91606ca9d5e73c35412f7d22397deb3f56ff2365803c66f0924f1dbeb29517fa4a62014b0bf49bd59541e4bcdd7")),
|
||||
(0, hex!("cc8f7cb1206285b1d07d1c390fee96d98c6373b2006aee6764f45c8acde7abc7a87b9af665ff0b2b14f4b20717f3f356")),
|
||||
(1, hex!("52b919754e1643f4027eeee8ec39cc4a2cb931723de0c93ce5cc8d407467dc4302e86490c01c0d755acfe10dbf657546")),
|
||||
(2, hex!("18e034916997b8e97edfc79e743f70ddcef21a45841a7a8727e2b6d094b1941bd6f988d806df1471025bcccfe35c4572")),
|
||||
(2, hex!("61d0bcb015dc32cded08c17ec0e9de008682d3a16082f59a6b60de00a0fba4aebbb26447c67378c924afe74bc9654738")),
|
||||
]),
|
||||
),
|
||||
]);
|
||||
@ -51,7 +50,7 @@ impl Handshake {
|
||||
) -> Result<Self, enclave::Error> {
|
||||
let expected_pcrs =
|
||||
EXPECTED_PCRS
|
||||
.get(enclave)
|
||||
.get(&enclave)
|
||||
.ok_or_else(|| enclave::Error::AttestationDataError {
|
||||
reason: format!("unknown enclave {:?}", enclave),
|
||||
})?;
|
||||
|
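Review bot: The new `EXPECTED_PCRS` key `b"cc8f7cb1.52b91975.61d0bcb0"` is a label rather than a measurement: its three parts are the first eight hex characters of the PCR 0, 1 and 2 values in the same entry, and nothing visible here enforces that correspondence. Add a doc comment on the constant, for example `/// Keyed by a version label made of the leading 4 bytes of PCR0.PCR1.PCR2 (hex); the label only selects the entry, the full 48-byte PCRs are the values to verify.`, and consider a unit test asserting that each label part matches its PCR prefix so the two cannot drift. The same literal is repeated in the staging environment entry later in this commit, so a shared constant would remove one place to get it wrong. With the key type now `&'static [u8]`, the `{:?}` in the `unknown enclave` error prints a decimal byte list; if the label is always ASCII, `String::from_utf8_lossy(enclave)` would keep that error readable. The enclosing `Handshake` function starts and ends outside the hunk, so the PCR comparison itself is not visible here.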
@ -14,7 +14,7 @@ use crate::util::SmallMap;
|
||||
|
||||
/// Map from MREnclave to intel SW advisories that are known to be mitigated in the
|
||||
/// build with that MREnclave value
|
||||
const ACCEPTABLE_SW_ADVISORIES: &SmallMap<MREnclave, &'static [&'static str], 4> =
|
||||
const ACCEPTABLE_SW_ADVISORIES: &SmallMap<MREnclave, &'static [&'static str], 5> =
|
||||
&SmallMap::new([
|
||||
(
|
||||
hex!("a8a261420a6bb9b61aa25bf8a79e8bd20d7652531feb3381cbffd446d270be95"),
|
||||
@ -32,6 +32,10 @@ const ACCEPTABLE_SW_ADVISORIES: &SmallMap<MREnclave, &'static [&'static str], 4>
|
||||
hex!("a6622ad4656e1abcd0bc0ff17c229477747d2ded0495c4ebee7ed35c1789fa97"),
|
||||
&["INTEL-SA-00615", "INTEL-SA-00657"] as &[&str],
|
||||
),
|
||||
(
|
||||
hex!("5db9423ed5a0b0bef374eac3a8251839e1f63ed40a2537415b63656b26912d92"),
|
||||
&["INTEL-SA-00615", "INTEL-SA-00657"] as &[&str],
|
||||
),
|
||||
]);
|
||||
|
||||
/// SW advisories known to be mitigated by default. If an MREnclave is provided that
|
||||
@ -57,7 +61,7 @@ impl PartialEq<svr2::RaftGroupConfig> for RaftConfig {
|
||||
}
|
||||
|
||||
/// Expected raft configuration for a given enclave.
|
||||
static EXPECTED_RAFT_CONFIG: SmallMap<MREnclave, &'static RaftConfig, 4> = SmallMap::new([
|
||||
static EXPECTED_RAFT_CONFIG: SmallMap<MREnclave, &'static RaftConfig, 5> = SmallMap::new([
|
||||
(
|
||||
hex!("a8a261420a6bb9b61aa25bf8a79e8bd20d7652531feb3381cbffd446d270be95"),
|
||||
&RaftConfig {
|
||||
@ -94,6 +98,16 @@ static EXPECTED_RAFT_CONFIG: SmallMap<MREnclave, &'static RaftConfig, 4> = Small
|
||||
group_id: 1230918306983775578,
|
||||
},
|
||||
),
|
||||
(
|
||||
// svr3 staging
|
||||
hex!("5db9423ed5a0b0bef374eac3a8251839e1f63ed40a2537415b63656b26912d92"),
|
||||
&RaftConfig {
|
||||
min_voting_replicas: 3,
|
||||
max_voting_replicas: 5,
|
||||
super_majority: 0,
|
||||
group_id: 13862729870901000330,
|
||||
},
|
||||
),
|
||||
]);
|
||||
|
||||
pub(crate) fn expected_raft_config(
|
||||
|
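Review bot: The new `ACCEPTABLE_SW_ADVISORIES` entry for `5db9423e…` has no comment, while the matching `EXPECTED_RAFT_CONFIG` entry is labelled `// svr3 staging`; add the same label so the allow-list entry can be traced to a deployment. Per the existing doc comment this map lists advisories treated as mitigated for a given build, so it would help to record next to `&["INTEL-SA-00615", "INTEL-SA-00657"]` where that was confirmed for this enclave, since the line is identical to the previous entry. The two maps and their sizes (`4` to `5`) are updated by hand in parallel; whether a missing entry in one of them fails closed is not visible in these hunks and is worth checking.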
@ -16,7 +16,7 @@ pub(crate) struct SmallMap<K, V, const N: usize>([(K, V); N]);
|
||||
|
||||
impl<K, V, const N: usize> SmallMap<K, V, N> {
|
||||
/// The maximum number of elements allowed in a `SmallMap`.
|
||||
const MAX_SIZE: usize = 4;
|
||||
const MAX_SIZE: usize = 5;
|
||||
|
||||
/// Checks at compile-time (via `const`) that `N` is small enough.
|
||||
const CHECK_MAX_SIZE: () = assert!(
|
||||
|
@ -22,23 +22,13 @@ use libsignal_net::infra::TcpSslTransportConnector;
|
||||
use libsignal_net::svr::{Auth, SvrConnection};
|
||||
use libsignal_net::svr3::{OpaqueMaskedShareSet, PpssOps};
|
||||
|
||||
const SGX_TEST_SERVER_CERT_DER: &[u8] = include_bytes!("../res/sgx_test_server_cert.cer");
|
||||
const SGX_TEST_RAFT_CONFIG: RaftConfig = RaftConfig {
|
||||
min_voting_replicas: 1,
|
||||
max_voting_replicas: 3,
|
||||
super_majority: 0,
|
||||
group_id: 5873791967879921865,
|
||||
};
|
||||
|
||||
const NITRO_TEST_RAFT_CONFIG: RaftConfig = RaftConfig {
|
||||
group_id: 14613281978079894749,
|
||||
min_voting_replicas: 1,
|
||||
group_id: 2058019258222238426,
|
||||
min_voting_replicas: 3,
|
||||
max_voting_replicas: 5,
|
||||
super_majority: 0,
|
||||
};
|
||||
|
||||
const NITRO_TEST_SERVER_CERT_DER: &[u8] = include_bytes!("../res/nitro_test_server_cert.cer");
|
||||
|
||||
#[derive(Parser, Debug)]
|
||||
struct Args {
|
||||
/// base64 encoding of the auth secret for SGX
|
||||
@ -70,13 +60,8 @@ async fn main() {
|
||||
};
|
||||
|
||||
let connect = || async {
|
||||
let connection_a = EndpointConnection::with_custom_properties(
|
||||
env.sgx(),
|
||||
Duration::from_secs(10),
|
||||
TcpSslTransportConnector,
|
||||
RootCertificates::FromDer(SGX_TEST_SERVER_CERT_DER.to_vec()),
|
||||
Some(&SGX_TEST_RAFT_CONFIG),
|
||||
);
|
||||
let connection_a =
|
||||
EndpointConnection::new(env.sgx(), Duration::from_secs(10), TcpSslTransportConnector);
|
||||
let sgx_auth = Auth {
|
||||
uid: uid.to_string(),
|
||||
secret: sgx_secret,
|
||||
@ -89,7 +74,7 @@ async fn main() {
|
||||
env.nitro(),
|
||||
Duration::from_secs(10),
|
||||
TcpSslTransportConnector,
|
||||
RootCertificates::FromDer(NITRO_TEST_SERVER_CERT_DER.to_vec()),
|
||||
RootCertificates::Signal,
|
||||
Some(&NITRO_TEST_RAFT_CONFIG),
|
||||
);
|
||||
let nitro_auth = Auth {
|
||||
|
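Review bot: `NITRO_TEST_RAFT_CONFIG` keeps its `TEST` name and stays hard-coded in this example although its values now describe a different group (`group_id: 2058019258222238426`, `min_voting_replicas: 3`), and the Nitro connection still goes through `with_custom_properties` while the SGX one moved to `EndpointConnection::new`. If the library can supply the expected raft config for the Nitro enclave, as the SGX path appears to rely on, the example should use that so the expectation lives in one place. Otherwise rename the constant and add a comment such as `// Raft config for the staging Nitro enclave; must match the deployed group`. `main` continues outside the hunks.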
Binary file not shown.
@ -45,7 +45,11 @@ impl EnclaveKind for Sgx {
|
||||
|
||||
impl EnclaveKind for Nitro {
|
||||
fn url_path(enclave: &[u8]) -> PathAndQuery {
|
||||
PathAndQuery::try_from(format!("/v1/{}", hex::encode(enclave))).unwrap()
|
||||
PathAndQuery::try_from(format!(
|
||||
"/v1/{}",
|
||||
std::str::from_utf8(enclave).expect("valid utf8")
|
||||
))
|
||||
.unwrap()
|
||||
}
|
||||
}
|
||||
|
||||
|
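Review bot: `Nitro::url_path` now places the raw identifier bytes into the request path and panics through `expect("valid utf8")` on non-UTF-8 input, where `hex::encode` previously guaranteed `[0-9a-f]` output for any bytes. The identifiers visible in this commit are compile-time literals, so the exposure is low, but the signature still accepts any `&[u8]`, and bytes such as `/` or `?` would change which path is requested. Constrain the alphabet before formatting, e.g. `assert!(enclave.iter().all(|b| b.is_ascii_hexdigit() || *b == b'.'), "unexpected byte in Nitro enclave id");`, and document the panic under a `# Panics` section on the method.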
@ -50,16 +50,14 @@ pub const STAGING: Env<'static, Svr3Env> = Env {
|
||||
},
|
||||
svr3: Svr3Env(
|
||||
EnclaveEndpoint {
|
||||
host: "backend1.svr3.test.signal.org",
|
||||
host: "backend1.svr3.staging.signal.org",
|
||||
mr_enclave: MrEnclave::new(&hex!(
|
||||
"acb1973aa0bbbd14b3b4e06f145497d948fd4a98efc500fcce363b3b743ec482"
|
||||
"5db9423ed5a0b0bef374eac3a8251839e1f63ed40a2537415b63656b26912d92"
|
||||
)),
|
||||
},
|
||||
EnclaveEndpoint {
|
||||
host: "backend2.svr3.test.signal.org",
|
||||
mr_enclave: MrEnclave::new(&hex!(
|
||||
"17e1cb662572d28e0eb5a492ed8df949bc2cfcf3f2098b710e7b637759d6dcb3"
|
||||
)),
|
||||
host: "backend2.svr3.staging.signal.org",
|
||||
mr_enclave: MrEnclave::new(b"cc8f7cb1.52b91975.61d0bcb0"),
|
||||
},
|
||||
),
|
||||
};
|
||||
|