mirror of
https://github.com/signalapp/libsignal.git
synced 2024-09-19 19:42:19 +02:00
SVR3: Support production enclaves
This commit is contained in:
parent
31d6015522
commit
71031786dc
@ -19,9 +19,9 @@ pub const ENCLAVE_ID_SVR3_NITRO_STAGING: &[u8] = b"ffe631d7.52b91975.a4544fb5";
|
||||
pub const ENCLAVE_ID_SVR3_TPM2SNP_STAGING: &[u8] = b"0.20240510.172959";
|
||||
|
||||
pub const ENCLAVE_ID_SVR3_SGX_PROD: &[u8] =
|
||||
&hex!("0000000000000000000000000000000000000000000000000000000000000000");
|
||||
pub const ENCLAVE_ID_SVR3_NITRO_PROD: &[u8] = b"00000000.00000000.00000000";
|
||||
pub const ENCLAVE_ID_SVR3_TPM2SNP_PROD: &[u8] = b"0.00000000.000000";
|
||||
&hex!("0899bf951b57f27b5cd3d2dd4dbe5a144a4a62154853a4e352ac2c93ecfe6a2c");
|
||||
pub const ENCLAVE_ID_SVR3_NITRO_PROD: &[u8] = ENCLAVE_ID_SVR3_NITRO_STAGING;
|
||||
pub const ENCLAVE_ID_SVR3_TPM2SNP_PROD: &[u8] = ENCLAVE_ID_SVR3_TPM2SNP_STAGING;
|
||||
|
||||
pub const ENCLAVE_ID_CDSI_PROD: &[u8] = ENCLAVE_ID_CDSI_STAGING;
|
||||
pub const ENCLAVE_ID_SVR2_PROD: &[u8] =
|
||||
@ -60,7 +60,7 @@ pub(crate) const TPM2SNP_EXPECTED_PCRS: SmallMap<&'static [u8], &'static tpm2snp
|
||||
|
||||
/// Map from MREnclave to intel SW advisories that are known to be mitigated in the
|
||||
/// build with that MREnclave value
|
||||
pub(crate) const ACCEPTABLE_SW_ADVISORIES: &SmallMap<&'static [u8], &'static [&'static str], 3> =
|
||||
pub(crate) const ACCEPTABLE_SW_ADVISORIES: &SmallMap<&'static [u8], &'static [&'static str], 4> =
|
||||
&SmallMap::new([
|
||||
(
|
||||
ENCLAVE_ID_SVR2_STAGING,
|
||||
@ -74,6 +74,10 @@ pub(crate) const ACCEPTABLE_SW_ADVISORIES: &SmallMap<&'static [u8], &'static [&'
|
||||
ENCLAVE_ID_SVR3_SGX_STAGING,
|
||||
&["INTEL-SA-00615", "INTEL-SA-00657"] as &[&str],
|
||||
),
|
||||
(
|
||||
ENCLAVE_ID_SVR3_SGX_PROD,
|
||||
&["INTEL-SA-00615", "INTEL-SA-00657"] as &[&str],
|
||||
),
|
||||
]);
|
||||
|
||||
/// SW advisories known to be mitigated by default. If an MREnclave is provided that
|
||||
@ -81,51 +85,61 @@ pub(crate) const ACCEPTABLE_SW_ADVISORIES: &SmallMap<&'static [u8], &'static [&'
|
||||
pub(crate) const DEFAULT_SW_ADVISORIES: &[&str] = &[];
|
||||
|
||||
/// Expected raft configuration for a given enclave.
|
||||
pub(crate) static EXPECTED_RAFT_CONFIG: SmallMap<&'static [u8], &'static RaftConfig, 5> =
|
||||
pub const RAFT_CONFIG_SVR2_STAGING: &RaftConfig = &RaftConfig {
|
||||
min_voting_replicas: 3,
|
||||
max_voting_replicas: 5,
|
||||
super_majority: 0,
|
||||
group_id: 16934825672495360159,
|
||||
};
|
||||
|
||||
pub const RAFT_CONFIG_SVR2_PROD: &RaftConfig = &RaftConfig {
|
||||
min_voting_replicas: 4,
|
||||
max_voting_replicas: 7,
|
||||
super_majority: 2,
|
||||
group_id: 1230918306983775578,
|
||||
};
|
||||
|
||||
pub const RAFT_CONFIG_SVR3_SGX_STAGING: &RaftConfig = &RaftConfig {
|
||||
min_voting_replicas: 3,
|
||||
max_voting_replicas: 9,
|
||||
super_majority: 0,
|
||||
group_id: 15742431669367858463,
|
||||
};
|
||||
pub const RAFT_CONFIG_SVR3_NITRO_STAGING: &RaftConfig = &RaftConfig {
|
||||
group_id: 10298929430185113734,
|
||||
min_voting_replicas: 3,
|
||||
max_voting_replicas: 9,
|
||||
super_majority: 0,
|
||||
};
|
||||
pub const RAFT_CONFIG_SVR3_TPM2SNP_STAGING: &RaftConfig = &RaftConfig {
|
||||
group_id: 8572438378773168949,
|
||||
min_voting_replicas: 3,
|
||||
max_voting_replicas: 9,
|
||||
super_majority: 0,
|
||||
};
|
||||
pub const RAFT_CONFIG_SVR3_SGX_PROD: &RaftConfig = &RaftConfig {
|
||||
min_voting_replicas: 4,
|
||||
max_voting_replicas: 13,
|
||||
super_majority: 2,
|
||||
group_id: 9590812984166600424,
|
||||
};
|
||||
pub const RAFT_CONFIG_SVR3_NITRO_PROD: &RaftConfig = &RaftConfig {
|
||||
group_id: 13958530449904196066,
|
||||
min_voting_replicas: 4,
|
||||
max_voting_replicas: 13,
|
||||
super_majority: 2,
|
||||
};
|
||||
pub const RAFT_CONFIG_SVR3_TPM2SNP_PROD: &RaftConfig = &RaftConfig {
|
||||
group_id: 6899183880775443455,
|
||||
min_voting_replicas: 4,
|
||||
max_voting_replicas: 13,
|
||||
super_majority: 2,
|
||||
};
|
||||
|
||||
// This is left here primarily to support SVR2 bridging code that does
|
||||
// not expose the notion of environment to the clients.
|
||||
pub(crate) static EXPECTED_RAFT_CONFIG_SVR2: SmallMap<&'static [u8], &'static RaftConfig, 2> =
|
||||
SmallMap::new([
|
||||
(
|
||||
ENCLAVE_ID_SVR2_STAGING,
|
||||
&RaftConfig {
|
||||
min_voting_replicas: 3,
|
||||
max_voting_replicas: 5,
|
||||
super_majority: 0,
|
||||
group_id: 16934825672495360159,
|
||||
},
|
||||
),
|
||||
(
|
||||
ENCLAVE_ID_SVR2_PROD,
|
||||
&RaftConfig {
|
||||
min_voting_replicas: 4,
|
||||
max_voting_replicas: 7,
|
||||
super_majority: 2,
|
||||
group_id: 1230918306983775578,
|
||||
},
|
||||
),
|
||||
(
|
||||
ENCLAVE_ID_SVR3_SGX_STAGING,
|
||||
&RaftConfig {
|
||||
min_voting_replicas: 3,
|
||||
max_voting_replicas: 9,
|
||||
super_majority: 0,
|
||||
group_id: 15742431669367858463,
|
||||
},
|
||||
),
|
||||
(
|
||||
ENCLAVE_ID_SVR3_NITRO_STAGING,
|
||||
&RaftConfig {
|
||||
group_id: 10298929430185113734,
|
||||
min_voting_replicas: 3,
|
||||
max_voting_replicas: 9,
|
||||
super_majority: 0,
|
||||
},
|
||||
),
|
||||
(
|
||||
ENCLAVE_ID_SVR3_TPM2SNP_STAGING,
|
||||
&RaftConfig {
|
||||
group_id: 8572438378773168949,
|
||||
min_voting_replicas: 3,
|
||||
max_voting_replicas: 9,
|
||||
super_majority: 0,
|
||||
},
|
||||
),
|
||||
(ENCLAVE_ID_SVR2_STAGING, RAFT_CONFIG_SVR2_STAGING),
|
||||
(ENCLAVE_ID_SVR2_PROD, RAFT_CONFIG_SVR2_PROD),
|
||||
]);
|
||||
|
@ -17,7 +17,7 @@ use subtle::ConstantTimeEq;
|
||||
|
||||
use crate::enclave::{self, Claims, Handshake};
|
||||
use crate::proto;
|
||||
use crate::svr2::{expected_raft_config, RaftConfig};
|
||||
use crate::svr2::RaftConfig;
|
||||
use crate::util::SmallMap;
|
||||
|
||||
use crate::constants::NITRO_EXPECTED_PCRS;
|
||||
@ -55,9 +55,8 @@ pub fn new_handshake(
|
||||
mr_enclave: &[u8],
|
||||
attestation_msg: &[u8],
|
||||
now: SystemTime,
|
||||
raft_config_override: Option<&'static RaftConfig>,
|
||||
expected_raft_config: &'static RaftConfig,
|
||||
) -> Result<Handshake, enclave::Error> {
|
||||
let expected_raft_config = expected_raft_config(mr_enclave, raft_config_override)?;
|
||||
let handshake_start = proto::svr::ClientHandshakeStart::decode(attestation_msg)?;
|
||||
let handshake = Handshake::for_nitro(
|
||||
mr_enclave,
|
||||
|
@ -3,7 +3,9 @@
|
||||
// SPDX-License-Identifier: AGPL-3.0-only
|
||||
//
|
||||
|
||||
use crate::constants::{ACCEPTABLE_SW_ADVISORIES, DEFAULT_SW_ADVISORIES, EXPECTED_RAFT_CONFIG};
|
||||
use crate::constants::{
|
||||
ACCEPTABLE_SW_ADVISORIES, DEFAULT_SW_ADVISORIES, EXPECTED_RAFT_CONFIG_SVR2,
|
||||
};
|
||||
use prost::Message;
|
||||
|
||||
use crate::enclave::{Error, Handshake, Result};
|
||||
@ -27,38 +29,41 @@ impl PartialEq<svr::RaftGroupConfig> for RaftConfig {
|
||||
}
|
||||
}
|
||||
|
||||
pub(crate) fn expected_raft_config(
|
||||
mr_enclave: &[u8],
|
||||
config_override: Option<&'static RaftConfig>,
|
||||
) -> Result<&'static RaftConfig> {
|
||||
config_override
|
||||
.or_else(|| EXPECTED_RAFT_CONFIG.get(&mr_enclave).copied())
|
||||
.ok_or(Error::AttestationDataError {
|
||||
reason: format!("unknown mrenclave {:?}", mr_enclave),
|
||||
})
|
||||
}
|
||||
/// Lookup the group id constant associated with the `mrenclave`
|
||||
pub fn lookup_groupid(mrenclave: &[u8]) -> Option<u64> {
|
||||
EXPECTED_RAFT_CONFIG
|
||||
EXPECTED_RAFT_CONFIG_SVR2
|
||||
.get(&mrenclave)
|
||||
.map(|config| config.group_id)
|
||||
}
|
||||
|
||||
// Must only be used for SVR2 bridging code that does
|
||||
// not expose the notion of environment to the clients.
|
||||
pub fn new_handshake_with_raft_config_lookup(
|
||||
mrenclave: &[u8],
|
||||
attestation_msg: &[u8],
|
||||
current_time: std::time::SystemTime,
|
||||
) -> Result<Handshake> {
|
||||
let expected_raft_config =
|
||||
EXPECTED_RAFT_CONFIG_SVR2
|
||||
.get(&mrenclave)
|
||||
.copied()
|
||||
.ok_or(Error::AttestationDataError {
|
||||
reason: format!("unknown mrenclave {:?}", &mrenclave),
|
||||
})?;
|
||||
new_handshake(
|
||||
mrenclave,
|
||||
attestation_msg,
|
||||
current_time,
|
||||
expected_raft_config,
|
||||
)
|
||||
}
|
||||
|
||||
pub fn new_handshake(
|
||||
mrenclave: &[u8],
|
||||
attestation_msg: &[u8],
|
||||
current_time: std::time::SystemTime,
|
||||
expected_raft_config: &'static RaftConfig,
|
||||
) -> Result<Handshake> {
|
||||
new_handshake_with_override(mrenclave, attestation_msg, current_time, None)
|
||||
}
|
||||
|
||||
pub fn new_handshake_with_override(
|
||||
mrenclave: &[u8],
|
||||
attestation_msg: &[u8],
|
||||
current_time: std::time::SystemTime,
|
||||
raft_config_override: Option<&'static RaftConfig>,
|
||||
) -> Result<Handshake> {
|
||||
let expected_raft_config = expected_raft_config(mrenclave, raft_config_override)?;
|
||||
new_handshake_with_constants(
|
||||
mrenclave,
|
||||
attestation_msg,
|
||||
@ -105,7 +110,13 @@ mod tests {
|
||||
let current_time = SystemTime::UNIX_EPOCH + Duration::from_secs(1709245753);
|
||||
let mrenclave_bytes =
|
||||
hex!("acb1973aa0bbbd14b3b4e06f145497d948fd4a98efc500fcce363b3b743ec482");
|
||||
new_handshake(&mrenclave_bytes, HANDSHAKE_BYTES, current_time).unwrap();
|
||||
let raft_config: &RaftConfig = &RaftConfig {
|
||||
min_voting_replicas: 3,
|
||||
max_voting_replicas: 5,
|
||||
super_majority: 0,
|
||||
group_id: 16934825672495360159,
|
||||
};
|
||||
new_handshake(&mrenclave_bytes, HANDSHAKE_BYTES, current_time, raft_config).unwrap();
|
||||
}
|
||||
|
||||
#[test]
|
||||
|
@ -14,7 +14,7 @@ use crate::cert_chain::{self, CertChain};
|
||||
use crate::enclave::{Claims, Error, Handshake, Result, UnvalidatedHandshake};
|
||||
use crate::expireable::Expireable as _;
|
||||
use crate::proto::{svr, svr3};
|
||||
use crate::svr2::expected_raft_config;
|
||||
use crate::svr2::RaftConfig;
|
||||
|
||||
use crate::constants::TPM2SNP_EXPECTED_PCRS;
|
||||
|
||||
@ -25,8 +25,12 @@ pub(crate) use tpm2::{Error as Tpm2Error, PcrMap};
|
||||
|
||||
const GOOG_AKCERT_ROOT_PEM: &[u8] = include_bytes!("../res/goog_akcert_root.pem");
|
||||
|
||||
pub fn new_handshake(enclave: &[u8], attestation_msg: &[u8], now: SystemTime) -> Result<Handshake> {
|
||||
let expected_raft_config = expected_raft_config(enclave, None)?;
|
||||
pub fn new_handshake(
|
||||
enclave: &[u8],
|
||||
attestation_msg: &[u8],
|
||||
now: SystemTime,
|
||||
expected_raft_config: &'static RaftConfig,
|
||||
) -> Result<Handshake> {
|
||||
let handshake_start = svr::ClientHandshakeStart::decode(attestation_msg)?;
|
||||
Handshake::for_tpm2snp(
|
||||
enclave,
|
||||
|
@ -103,11 +103,7 @@ impl ConnectionManager {
|
||||
) -> EnclaveEndpointConnection<E, MultiRouteConnectionManager> {
|
||||
let params = endpoint.domain_config.connection_params_with_fallback();
|
||||
let params = add_user_agent_header(params, user_agent);
|
||||
EnclaveEndpointConnection::new_multi(
|
||||
endpoint.mr_enclave,
|
||||
params,
|
||||
ONE_ROUTE_CONNECTION_TIMEOUT,
|
||||
)
|
||||
EnclaveEndpointConnection::new_multi(endpoint, params, ONE_ROUTE_CONNECTION_TIMEOUT)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -20,7 +20,7 @@ fn new_client(
|
||||
attestation_msg: &[u8],
|
||||
current_time: std::time::SystemTime,
|
||||
) -> Result<SgxClientState> {
|
||||
SgxClientState::new(svr2::new_handshake(
|
||||
SgxClientState::new(svr2::new_handshake_with_raft_config_lookup(
|
||||
mrenclave,
|
||||
attestation_msg,
|
||||
current_time,
|
||||
|
@ -33,7 +33,7 @@ use libsignal_net::svr3::{OpaqueMaskedShareSet, PpssOps};
|
||||
const TEST_SERVER_CERT: RootCertificates = RootCertificates::FromDer(Cow::Borrowed(
|
||||
include_bytes!("../res/sgx_test_server_cert.cer"),
|
||||
));
|
||||
const TEST_SERVER_RAFT_CONFIG: RaftConfig = RaftConfig {
|
||||
const TEST_SERVER_RAFT_CONFIG: &RaftConfig = &RaftConfig {
|
||||
min_voting_replicas: 1,
|
||||
max_voting_replicas: 3,
|
||||
super_majority: 0,
|
||||
@ -104,6 +104,7 @@ async fn main() {
|
||||
mr_enclave: MrEnclave::new(&hex!(
|
||||
"acb1973aa0bbbd14b3b4e06f145497d948fd4a98efc500fcce363b3b743ec482"
|
||||
)),
|
||||
raft_config: Some(TEST_SERVER_RAFT_CONFIG),
|
||||
};
|
||||
TwoForTwoEnv(endpoint.clone(), endpoint)
|
||||
};
|
||||
@ -112,21 +113,15 @@ async fn main() {
|
||||
|
||||
let connect = || async {
|
||||
let connector = TcpSslTransportConnector::new(DnsResolver::default());
|
||||
let connection_a = EnclaveEndpointConnection::with_custom_properties(
|
||||
two_sgx_env.0.clone(),
|
||||
Duration::from_secs(10),
|
||||
Some(&TEST_SERVER_RAFT_CONFIG),
|
||||
);
|
||||
let connection_a =
|
||||
EnclaveEndpointConnection::new(two_sgx_env.0.clone(), Duration::from_secs(10));
|
||||
|
||||
let a = SvrConnection::connect(make_auth(uid_a), &connection_a, connector.clone())
|
||||
.await
|
||||
.expect("can attestedly connect");
|
||||
|
||||
let connection_b = EnclaveEndpointConnection::with_custom_properties(
|
||||
two_sgx_env.1.clone(),
|
||||
Duration::from_secs(10),
|
||||
Some(&TEST_SERVER_RAFT_CONFIG),
|
||||
);
|
||||
let connection_b =
|
||||
EnclaveEndpointConnection::new(two_sgx_env.1.clone(), Duration::from_secs(10));
|
||||
|
||||
let b = SvrConnection::connect(make_auth(uid_b), &connection_b, connector)
|
||||
.await
|
||||
|
@ -30,6 +30,7 @@ use crate::svr::SvrConnection;
|
||||
pub trait EnclaveKind {
|
||||
fn url_path(enclave: &[u8]) -> PathAndQuery;
|
||||
}
|
||||
|
||||
pub trait Svr3Flavor: EnclaveKind {}
|
||||
|
||||
pub enum Cdsi {}
|
||||
@ -177,6 +178,7 @@ impl<Bytes: AsRef<[u8]>, S> AsRef<[u8]> for MrEnclave<Bytes, S> {
|
||||
pub struct EnclaveEndpoint<'a, E: EnclaveKind> {
|
||||
pub domain_config: DomainConfig,
|
||||
pub mr_enclave: MrEnclave<&'a [u8], E>,
|
||||
pub raft_config: Option<&'a RaftConfig>,
|
||||
}
|
||||
|
||||
pub trait NewHandshake {
|
||||
@ -190,21 +192,7 @@ pub trait NewHandshake {
|
||||
|
||||
pub struct EndpointParams<E: EnclaveKind> {
|
||||
pub(crate) mr_enclave: MrEnclave<&'static [u8], E>,
|
||||
pub(crate) raft_config_override: Option<&'static RaftConfig>,
|
||||
}
|
||||
|
||||
impl<E: EnclaveKind> EndpointParams<E> {
|
||||
pub const fn new(mr_enclave: MrEnclave<&'static [u8], E>) -> Self {
|
||||
Self {
|
||||
mr_enclave,
|
||||
raft_config_override: None,
|
||||
}
|
||||
}
|
||||
|
||||
pub fn with_raft_override(mut self, raft_config: &'static RaftConfig) -> Self {
|
||||
self.raft_config_override = Some(raft_config);
|
||||
self
|
||||
}
|
||||
pub(crate) raft_config: Option<&'static RaftConfig>,
|
||||
}
|
||||
|
||||
pub struct EnclaveEndpointConnection<E: EnclaveKind, C> {
|
||||
@ -280,14 +268,6 @@ impl<E: EnclaveKind + NewHandshake, C: ConnectionManager> EnclaveEndpointConnect
|
||||
|
||||
impl<E: EnclaveKind> EnclaveEndpointConnection<E, SingleRouteThrottlingConnectionManager> {
|
||||
pub fn new(endpoint: EnclaveEndpoint<'static, E>, connect_timeout: Duration) -> Self {
|
||||
Self::with_custom_properties(endpoint, connect_timeout, None)
|
||||
}
|
||||
|
||||
pub fn with_custom_properties(
|
||||
endpoint: EnclaveEndpoint<'static, E>,
|
||||
connect_timeout: Duration,
|
||||
raft_config_override: Option<&'static RaftConfig>,
|
||||
) -> Self {
|
||||
Self {
|
||||
endpoint_connection: EndpointConnection {
|
||||
manager: SingleRouteThrottlingConnectionManager::new(
|
||||
@ -298,7 +278,7 @@ impl<E: EnclaveKind> EnclaveEndpointConnection<E, SingleRouteThrottlingConnectio
|
||||
},
|
||||
params: EndpointParams {
|
||||
mr_enclave: endpoint.mr_enclave,
|
||||
raft_config_override,
|
||||
raft_config: endpoint.raft_config,
|
||||
},
|
||||
}
|
||||
}
|
||||
@ -306,7 +286,7 @@ impl<E: EnclaveKind> EnclaveEndpointConnection<E, SingleRouteThrottlingConnectio
|
||||
|
||||
impl<E: EnclaveKind> EnclaveEndpointConnection<E, MultiRouteConnectionManager> {
|
||||
pub fn new_multi(
|
||||
mr_enclave: MrEnclave<&'static [u8], E>,
|
||||
endpoint: &EnclaveEndpoint<'static, E>,
|
||||
connection_params: impl IntoIterator<Item = ConnectionParams>,
|
||||
one_route_connect_timeout: Duration,
|
||||
) -> Self {
|
||||
@ -314,11 +294,14 @@ impl<E: EnclaveKind> EnclaveEndpointConnection<E, MultiRouteConnectionManager> {
|
||||
endpoint_connection: EndpointConnection::new_multi(
|
||||
connection_params,
|
||||
one_route_connect_timeout,
|
||||
make_ws_config(E::url_path(mr_enclave.as_ref()), one_route_connect_timeout),
|
||||
make_ws_config(
|
||||
E::url_path(endpoint.mr_enclave.as_ref()),
|
||||
one_route_connect_timeout,
|
||||
),
|
||||
),
|
||||
params: EndpointParams {
|
||||
mr_enclave,
|
||||
raft_config_override: None,
|
||||
mr_enclave: endpoint.mr_enclave,
|
||||
raft_config: endpoint.raft_config,
|
||||
},
|
||||
}
|
||||
}
|
||||
@ -329,11 +312,13 @@ impl NewHandshake for Sgx {
|
||||
params: &EndpointParams<Self>,
|
||||
attestation_message: &[u8],
|
||||
) -> enclave::Result<enclave::Handshake> {
|
||||
attest::svr2::new_handshake_with_override(
|
||||
attest::svr2::new_handshake(
|
||||
params.mr_enclave.as_ref(),
|
||||
attestation_message,
|
||||
SystemTime::now(),
|
||||
params.raft_config_override,
|
||||
params
|
||||
.raft_config
|
||||
.expect("Raft config must be present for SGX"),
|
||||
)
|
||||
}
|
||||
}
|
||||
@ -360,7 +345,9 @@ impl NewHandshake for Nitro {
|
||||
params.mr_enclave.as_ref(),
|
||||
attestation_message,
|
||||
SystemTime::now(),
|
||||
params.raft_config_override,
|
||||
params
|
||||
.raft_config
|
||||
.expect("Raft config must be present for Nitro"),
|
||||
)
|
||||
}
|
||||
}
|
||||
@ -374,6 +361,9 @@ impl NewHandshake for Tpm2Snp {
|
||||
params.mr_enclave.as_ref(),
|
||||
attestation_message,
|
||||
SystemTime::now(),
|
||||
params
|
||||
.raft_config
|
||||
.expect("Raft config must be present for Tpm2Snp"),
|
||||
)
|
||||
}
|
||||
}
|
||||
@ -412,16 +402,26 @@ mod test {
|
||||
}
|
||||
|
||||
const CONNECT_TIMEOUT: Duration = Duration::from_secs(10);
|
||||
const TEST_RAFT_CONFIG: &RaftConfig = &RaftConfig {
|
||||
min_voting_replicas: 0,
|
||||
max_voting_replicas: 0,
|
||||
super_majority: 0,
|
||||
group_id: 0,
|
||||
};
|
||||
|
||||
async fn enclave_connect<C: ConnectionManager>(
|
||||
manager: C,
|
||||
) -> Result<AttestedConnection<SslStream<TcpStream>>, Error> {
|
||||
let mr_enclave = MrEnclave::new(b"abcdef".as_slice());
|
||||
let connection = EnclaveEndpointConnection {
|
||||
endpoint_connection: EndpointConnection {
|
||||
manager,
|
||||
config: make_ws_config(PathAndQuery::from_static("/endpoint"), CONNECT_TIMEOUT),
|
||||
},
|
||||
params: EndpointParams::<Cdsi>::new(MrEnclave::new(b"abcdef")),
|
||||
params: EndpointParams::<Cdsi> {
|
||||
mr_enclave,
|
||||
raft_config: Some(TEST_RAFT_CONFIG),
|
||||
},
|
||||
};
|
||||
|
||||
connection
|
||||
@ -464,12 +464,12 @@ mod test {
|
||||
#[tokio::test]
|
||||
async fn multi_route_enclave_connect_failure() {
|
||||
let result = enclave_connect(MultiRouteConnectionManager::new(vec![
|
||||
SingleRouteThrottlingConnectionManager::new(
|
||||
fake_connection_params(),
|
||||
CONNECT_TIMEOUT
|
||||
);
|
||||
3
|
||||
]))
|
||||
SingleRouteThrottlingConnectionManager::new(
|
||||
fake_connection_params(),
|
||||
CONNECT_TIMEOUT,
|
||||
);
|
||||
3
|
||||
]))
|
||||
.await;
|
||||
assert_matches!(result, Err(Error::ConnectionTimedOut));
|
||||
}
|
||||
@ -479,12 +479,12 @@ mod test {
|
||||
#[tokio::test]
|
||||
async fn multi_route_enclave_connect_cooldown() {
|
||||
let connection_manager = MultiRouteConnectionManager::new(vec![
|
||||
SingleRouteThrottlingConnectionManager::new(
|
||||
fake_connection_params(),
|
||||
CONNECT_TIMEOUT
|
||||
);
|
||||
3
|
||||
]);
|
||||
SingleRouteThrottlingConnectionManager::new(
|
||||
fake_connection_params(),
|
||||
CONNECT_TIMEOUT,
|
||||
);
|
||||
3
|
||||
]);
|
||||
|
||||
// Repeatedly try connecting unsuccessfully until all the inner routes
|
||||
// are throttling, with a max count to prevent infinite looping.
|
||||
|
@ -89,9 +89,9 @@ const DOMAIN_CONFIG_SVR2_STAGING: DomainConfig = DomainConfig {
|
||||
};
|
||||
|
||||
const DOMAIN_CONFIG_SVR3_SGX: DomainConfig = DomainConfig {
|
||||
hostname: "svr3.signal.org",
|
||||
hostname: "backend1.svr3.signal.org",
|
||||
port: DEFAULT_HTTPS_PORT,
|
||||
ip_v4: &[ip_addr!(v4, "143.244.220.150")],
|
||||
ip_v4: &[ip_addr!(v4, "40.112.138.96")],
|
||||
ip_v6: &[],
|
||||
cert: RootCertificates::Signal,
|
||||
proxy_path: "/svr3-sgx",
|
||||
@ -107,9 +107,9 @@ const DOMAIN_CONFIG_SVR3_SGX_STAGING: DomainConfig = DomainConfig {
|
||||
};
|
||||
|
||||
const DOMAIN_CONFIG_SVR3_NITRO: DomainConfig = DomainConfig {
|
||||
hostname: "devnull.signal.org",
|
||||
hostname: "backend2.svr3.signal.org",
|
||||
port: DEFAULT_HTTPS_PORT,
|
||||
ip_v4: &[],
|
||||
ip_v4: &[ip_addr!(v4, "75.2.91.98")],
|
||||
ip_v6: &[],
|
||||
cert: RootCertificates::Signal,
|
||||
proxy_path: "/svr3-nitro",
|
||||
@ -125,9 +125,9 @@ const DOMAIN_CONFIG_SVR3_NITRO_STAGING: DomainConfig = DomainConfig {
|
||||
};
|
||||
|
||||
pub const DOMAIN_CONFIG_SVR3_TPM2SNP: DomainConfig = DomainConfig {
|
||||
hostname: "devnull.signal.org",
|
||||
hostname: "backend3.svr3.signal.org",
|
||||
port: DEFAULT_HTTPS_PORT,
|
||||
ip_v4: &[],
|
||||
ip_v4: &[ip_addr!(v4, "34.144.241.251")],
|
||||
ip_v6: &[],
|
||||
cert: RootCertificates::Signal,
|
||||
proxy_path: "/svr3-tpm2snp",
|
||||
@ -300,23 +300,28 @@ pub const STAGING: Env<'static, Svr3Env> = Env {
|
||||
cdsi: EnclaveEndpoint {
|
||||
domain_config: DOMAIN_CONFIG_CDSI_STAGING,
|
||||
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_CDSI_STAGING),
|
||||
raft_config: None,
|
||||
},
|
||||
svr2: EnclaveEndpoint {
|
||||
domain_config: DOMAIN_CONFIG_SVR2_STAGING,
|
||||
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_SVR2_STAGING),
|
||||
raft_config: Some(attest::constants::RAFT_CONFIG_SVR2_STAGING),
|
||||
},
|
||||
svr3: Svr3Env(
|
||||
EnclaveEndpoint {
|
||||
domain_config: DOMAIN_CONFIG_SVR3_SGX_STAGING,
|
||||
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_SVR3_SGX_STAGING),
|
||||
raft_config: Some(attest::constants::RAFT_CONFIG_SVR3_SGX_STAGING),
|
||||
},
|
||||
EnclaveEndpoint {
|
||||
domain_config: DOMAIN_CONFIG_SVR3_NITRO_STAGING,
|
||||
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_SVR3_NITRO_STAGING),
|
||||
raft_config: Some(attest::constants::RAFT_CONFIG_SVR3_NITRO_STAGING),
|
||||
},
|
||||
EnclaveEndpoint {
|
||||
domain_config: DOMAIN_CONFIG_SVR3_TPM2SNP_STAGING,
|
||||
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_SVR3_TPM2SNP_STAGING),
|
||||
raft_config: Some(attest::constants::RAFT_CONFIG_SVR3_TPM2SNP_STAGING),
|
||||
},
|
||||
),
|
||||
};
|
||||
@ -326,23 +331,28 @@ pub const PROD: Env<'static, Svr3Env> = Env {
|
||||
cdsi: EnclaveEndpoint {
|
||||
domain_config: DOMAIN_CONFIG_CDSI,
|
||||
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_CDSI_PROD),
|
||||
raft_config: None,
|
||||
},
|
||||
svr2: EnclaveEndpoint {
|
||||
domain_config: DOMAIN_CONFIG_SVR2,
|
||||
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_SVR2_PROD),
|
||||
raft_config: Some(attest::constants::RAFT_CONFIG_SVR2_PROD),
|
||||
},
|
||||
svr3: Svr3Env(
|
||||
EnclaveEndpoint {
|
||||
domain_config: DOMAIN_CONFIG_SVR3_SGX,
|
||||
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_SVR3_SGX_PROD),
|
||||
raft_config: Some(attest::constants::RAFT_CONFIG_SVR3_SGX_PROD),
|
||||
},
|
||||
EnclaveEndpoint {
|
||||
domain_config: DOMAIN_CONFIG_SVR3_NITRO,
|
||||
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_SVR3_NITRO_PROD),
|
||||
raft_config: Some(attest::constants::RAFT_CONFIG_SVR3_NITRO_PROD),
|
||||
},
|
||||
EnclaveEndpoint {
|
||||
domain_config: DOMAIN_CONFIG_SVR3_TPM2SNP,
|
||||
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_SVR3_TPM2SNP_PROD),
|
||||
raft_config: Some(attest::constants::RAFT_CONFIG_SVR3_TPM2SNP_PROD),
|
||||
},
|
||||
),
|
||||
};
|
||||
|
Loading…
Reference in New Issue
Block a user