edgelesssys · burgerdev · Feb 22, 2025 · Feb 28, 2025
@@ -5,6 +5,7 @@ package authority
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"log/slog"
@@ -17,6 +18,7 @@ import (
 	"github.com/edgelesssys/contrast/internal/attestation/certcache"
 	"github.com/edgelesssys/contrast/internal/attestation/snp"
 	"github.com/edgelesssys/contrast/internal/attestation/tdx"
+	"github.com/edgelesssys/contrast/internal/constants"
 	"github.com/edgelesssys/contrast/internal/logger"
 	"github.com/edgelesssys/contrast/internal/memstore"
 	"github.com/prometheus/client_golang/prometheus"
@@ -112,16 +114,19 @@ func (c *Credentials) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.A
 		return nil, nil, err
 	}
 
-	conn, info, err := credentials.NewTLS(serverCfg).ServerHandshake(rawConn)
-	if err != nil {
-		log.Error("ServerHandshake failed", "error", err)
-		return nil, nil, err
+	ctx, cancel := context.WithTimeout(context.Background(), constants.ATLSServerTimeout)
+	defer cancel()
+
+	conn := tls.Server(rawConn, serverCfg)
+	if err := conn.HandshakeContext(ctx); err != nil {
+		return nil, nil, fmt.Errorf("handshake error: %w", err)
 	}
-	tlsInfo, ok := info.(credentials.TLSInfo)
-	if ok {
-		authInfo.TLSInfo = tlsInfo
-	} else {
-		log.Error("credentials.NewTLS returned unexpected AuthInfo", "obj", info)
+
+	authInfo.TLSInfo = credentials.TLSInfo{
+		State: conn.ConnectionState(),
+		CommonAuthInfo: credentials.CommonAuthInfo{
+			SecurityLevel: credentials.PrivacyAndIntegrity,
+		},
 	}
 
 	return conn, authInfo, nil

@@ -301,7 +301,7 @@ func getPeerPublicKey(ctx context.Context) ([]byte, error) {
 	}
 	tlsInfo, ok := peer.AuthInfo.(credentials.TLSInfo)
 	if !ok {
-		return nil, errors.New("peer auth info is not of type TLSInfo")
+		return nil, fmt.Errorf("peer auth info is not of type TLSInfo: got %T", peer.AuthInfo)
 	}
 	if len(tlsInfo.State.PeerCertificates) == 0 || tlsInfo.State.PeerCertificates[0] == nil {
 		return nil, errors.New("no peer certificates found")

diff --git a/internal/constants/constants.go b/internal/constants/constants.go
@@ -3,7 +3,11 @@
 
 package constants
 
-import "github.com/google/go-sev-guest/abi"
+import (
+	"time"
+
+	"github.com/google/go-sev-guest/abi"
+)
 
 // Version value is injected at build time.
 var (
@@ -26,3 +30,14 @@ var SNPPolicy = abi.SnpPolicy{
 	SMT:   true,
 	Debug: false,
 }
+
+const (
+	// ATLSClientTimeout is the maximal amount of time spent by Coordinator clients for issuing
+	// and validation of attestation docs.
+	ATLSClientTimeout = 30 * time.Second
+
+	// ATLSServerTimeout is the maximal amount of time that the Coordinator can spend for issuing
+	// attestation docs. It's deliberately smaller than ATLSClientTimeout to allow proper error
+	// propagation.
+	ATLSServerTimeout = ATLSClientTimeout - 5*time.Second
+)
diff --git a/internal/grpc/atlscredentials/atlscredentials.go b/internal/grpc/atlscredentials/atlscredentials.go
@@ -7,10 +7,13 @@ package atlscredentials
 import (
 	"context"
 	"crypto"
+	"crypto/tls"
 	"errors"
+	"fmt"
 	"net"
 
 	"github.com/edgelesssys/contrast/internal/atls"
+	"github.com/edgelesssys/contrast/internal/constants"
 	"github.com/prometheus/client_golang/prometheus"
 	"google.golang.org/grpc/credentials"
 )
@@ -58,7 +61,22 @@ func (c *Credentials) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.A
 		return nil, nil, err
 	}
 
-	return credentials.NewTLS(serverCfg).ServerHandshake(rawConn)
+	ctx, cancel := context.WithTimeout(context.Background(), constants.ATLSServerTimeout)
+	defer cancel()
+
+	conn := tls.Server(rawConn, serverCfg)
+	if err := conn.HandshakeContext(ctx); err != nil {
+		return nil, nil, fmt.Errorf("handshake error: %w", err)
+	}
+
+	info := credentials.TLSInfo{
+		State: conn.ConnectionState(),
+		CommonAuthInfo: credentials.CommonAuthInfo{
+			SecurityLevel: credentials.PrivacyAndIntegrity,
+		},
+	}
+
+	return conn, info, nil
 }
 
 // Info provides information about the protocol.

diff --git a/internal/grpc/dialer/dialer.go b/internal/grpc/dialer/dialer.go
@@ -8,9 +8,9 @@ import (
 	"context"
 	"crypto"
 	"net"
-	"time"
 
 	"github.com/edgelesssys/contrast/internal/atls"
+	"github.com/edgelesssys/contrast/internal/constants"
 	"github.com/edgelesssys/contrast/internal/grpc/atlscredentials"
 	"github.com/prometheus/client_golang/prometheus"
 	"google.golang.org/grpc"
@@ -57,7 +57,7 @@ func (d *Dialer) Dial(_ context.Context, target string) (*grpc.ClientConn, error
 		grpc.WithConnectParams(grpc.ConnectParams{
 			// We need a high initial timeout, because otherwise the client will get stuck in a reconnect loop
 			// where the timeout is too low to get a full handshake done.
-			MinConnectTimeout: 30 * time.Second,
+			MinConnectTimeout: constants.ATLSClientTimeout,
 		}),
 	)
 }