Use ring v0.17 #391
components/tls/tls-client/src/kx.rs (Outdated)
"key agreement failed".to_string(), | ||
)), | ||
}, | ||
Err(_) => Err(Error::PeerMisbehavedError( |
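Review bot: the `Err(_) => Err(Error::PeerMisbehavedError(` arm repeats the `"key agreement failed"` error that the inner arm just above it already produces, so the nested match reports one failure through two paths. If the closure handed to `agree_ephemeral` returns `T` rather than `Result<T, ()>`, the call yields a single `Result<T, Unspecified>` that one `.map_err(|_| Error::PeerMisbehavedError(...))` converts, and this outer arm can go.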
Should we have a different error here from the one above?
We should be able to just `map_err` as it was before. See how rustls handled this API change:
Thanks for the review! The original

```rust
ring::agreement::agree_ephemeral(self.privkey, &peer_key, f)
    .map_err(|()| Error::PeerMisbehavedError("key agreement failed".to_string()))
```

fails because `f` returns `Result<T, ()>` and thus `ring::agreement::agree_ephemeral` would return `Result<Result<T, ()>, Unspecified>`. To make it work, it seems we would need an extra `unwrap` to make the return value become the type `Result<T, Error>`? Like the following code snippet

```rust
ring::agreement::agree_ephemeral(self.privkey, &peer_key, f)
    .unwrap().map_err(|_| Error::PeerMisbehavedError("key agreement failed".to_string()))
```

or should we change the type of `f` from `impl FnOnce(&[u8]) -> Result<T, ()>` to `impl FnOnce(&[u8]) -> T`? Or am I understanding it wrong?
I think it is the last thing you mentioned:

```rust
pub(crate) fn complete<T>(self, peer: &[u8], f: impl FnOnce(&[u8]) -> T) -> Result<T, Error> {
    let peer_key = ring::agreement::UnparsedPublicKey::new(self.skxg.agreement_algorithm, peer);
    ring::agreement::agree_ephemeral(self.privkey, &peer_key, f)
        .map_err(|_| Error::PeerMisbehavedError("key agreement failed".to_string()))
}
```
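An added example, not code from this PR, from tlsn or from ring: the two error-handling shapes discussed in the exchange above, modelled with std-only stand-ins for `ring::agreement::agree_ephemeral` and `ring::error::Unspecified` (the key agreement itself is a constructed toy), so you can see why the closure should return `T` and why an `unwrap()` on the outer result would turn a malformed peer key into a panic rather than a `PeerMisbehavedError`.

```rust
// Added example (not tlsn or ring code): std-only stand-ins for the ring 0.17
// `agree_ephemeral` shape, so the error-handling forms from the thread compile offline.

/// Stand-in for `ring::error::Unspecified` (assumption: an opaque failure value).
#[derive(Debug, PartialEq)]
pub struct Unspecified;

/// Error type in the style of the PR's `Error::PeerMisbehavedError(String)`.
#[derive(Debug, PartialEq)]
pub enum Error {
    PeerMisbehavedError(String),
}

/// Stand-in for the 0.17 API: the closure returns `T` and the function reports
/// only agreement failure. The agreement is a constructed toy (rejects a peer key
/// of the wrong length, then XORs the keys); real ring does X25519/ECDH.
pub fn agree_ephemeral_017<T>(priv_key: &[u8], peer: &[u8], f: impl FnOnce(&[u8]) -> T) -> Result<T, Unspecified> {
    if peer.len() != priv_key.len() {
        return Err(Unspecified);
    }
    let secret: Vec<u8> = priv_key.iter().zip(peer).map(|(a, b)| a ^ b).collect();
    Ok(f(&secret))
}

fn peer_misbehaved() -> Error {
    Error::PeerMisbehavedError("key agreement failed".to_string())
}

/// The first attempt in the thread: a closure still returning `Result<T, ()>`
/// yields `Result<Result<T, ()>, Unspecified>`. Flatten the outer layer with `?`;
/// an `unwrap()` there would let a malformed peer key panic the prover instead.
pub fn complete_nested<T>(priv_key: &[u8], peer: &[u8], f: impl FnOnce(&[u8]) -> Result<T, ()>) -> Result<T, Error> {
    agree_ephemeral_017(priv_key, peer, f)
        .map_err(|_| peer_misbehaved())?
        .map_err(|()| peer_misbehaved())
}

/// The shape the reviewer recommended: the closure returns `T`, one `map_err`.
pub fn complete<T>(priv_key: &[u8], peer: &[u8], f: impl FnOnce(&[u8]) -> T) -> Result<T, Error> {
    agree_ephemeral_017(priv_key, peer, f).map_err(|_| peer_misbehaved())
}

fn main() {
    // Constructed keys; a peer key of the wrong length is reported, not unwrapped.
    println!("{:?}", complete(&[1, 2, 3], &[3, 2, 1], |s| s.to_vec()));
    println!("{:?}", complete(&[1, 2, 3], &[9], |s| s.len()));
}
```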
Thanks for the direction! Changed it in 6c597d3
Thanks, I think we just need to fix the error handling and get CI passing.
c9c6178 to 2e158e5
Can you check `components/tls/tls-client/src/lib.rs`? On my system the build complained about outdated example code:
//! let mut root_store = rustls::RootCertStore::empty();
//! root_store.add_server_trust_anchors(
//! webpki_roots::TLS_SERVER_ROOTS
-//! .0
//! .iter()
//! .map(|ta| {
//! rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
-//! ta.subject,
-//! ta.spki,
-//! ta.name_constraints,
+//! ta.subject.as_ref().to_owned(),
+//! ta.subject_public_key_info.as_ref().to_owned(),
+//! ta.name_constraints
+//! .as_ref()
+//! .map(|nc| nc.as_ref().to_owned()),
//! )
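Review bot: the `-//! .0` line means the doc example now iterates `webpki_roots::TLS_SERVER_ROOTS` directly, so this snippet only compiles against the upgraded `webpki-roots`; since these are `//!` crate-level doc comments they run as doctests, so make sure `cargo test --doc` for `tls-client` is part of the CI run discussed in this thread, otherwise the example drifts again on the next dependency bump.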
ta.subject.to_vec(), | ||
ta.subject_public_key_info.to_vec(), | ||
ta.name_constraints.as_ref().map(|nc| nc.to_vec()), |
In https://github.com/rustls/pki-types/blob/main/src/lib.rs they use `.as_ref().to_owned()` instead of `to_vec()`. Not sure if this is important here:

```rust
ta.subject.as_ref().to_owned(),
ta.subject_public_key_info.as_ref().to_owned(),
ta.name_constraints.as_ref().map(|nc| nc.as_ref().to_owned()),
```
Thanks 🙇
@sinui0 I've made some changes to the PR. Could you take a look and let me know if there are any additional modifications needed? Thanks!
🙏
What's wrong?

`ring` 0.17 seems to support WASM now. To make `tlsn-prover` and `tlsn-core` support WASM, simply upgrade `ring` to 0.17. I'm sorry, I must have done something wrong, so I thought it didn't. Thanks @heeckhau for the efforts on this! 🙏

What has been done?

- `ring` to 0.17 for `tlsn-prover` and `tlsn-core`
- `webpki-roots` is updated from 0.24 to 0.26 to make it depend on ring 0.17

Note

I'm unsure if I modified our code correctly to work with the new API. Please let me know if there is anything wrong 🙏