-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
webpki with Ring 0.17 and untrusted 0.9 #43
Comments
On the rustls side, we have rustls/rustls#1108. We don't have a similar branch/PR for rustls-webpki yet, but if you want to submit one, that would be great! |
Thanks for the quick reply!
Yes, I tried to build starting from that branch. I am not really proficient in Rust yet (only wrote some minor demo tools so far), but I am willing to learn it. So I will try and see what I can do! |
Feel free to ask for help if/when you get stuck! |
Unfortunately I got stuck quicker than I hoped. It is clear that compilation does not work anymore because of: But I have no idea what would be a more secure way to check for equality/inequality here. |
For now I used the straightforward way of replacing the checks just for sake of continuing with my build test, the branch for that is here: |
I think the point is that in some places, we'd want constant-time comparison code (for example, using the constant_time_eq crate?) rather than a simple slice comparison (which can short-circuit and would then leak some information as a timing side channel). I'm honestly not sure that's a concern here. It is interesting that the referenced commit mentions this in the commit message:
|
I mean the statement is not wrong, maybe it meant it can be changed to work by just adding the explicit So what are you proposing? Directly looking for constant time code or first merging the "naive" approach that behaves just like before? I can clean up the branch for a PR (also with the tests which are missing now), or play around with the package you suggested (or alternatives). |
For each of the comparison site, we should make a judgement call whether constant-time comparison is necessary. The easy way out might be to do it for all of them, but that might be overkill. Submitting your branch as a (draft?) PR is probably a good idea either way, will make it easier for us to review. |
Addressed for this crate in #193 |
I am currently trying to build
rustls
for the riscv64 architecture. Unfortunately riscv support is only possible withring
0.17 and not with ring 0.16.20, and I tried to find my way through the dependencies and ended up here with getting build errors. Thewebpki
build fails when having a mismatch in theuntrusted
versions (0.7.1 for webpki and 0.9 for ring), and also fails when switching to 0.9 for both (I assume the API changed). Are there plans yet to update the ring/unstrusted dependencies?If not, I would try myself to fix this somehow.
The text was updated successfully, but these errors were encountered: