Merge pull request #622 from egrimley-arm/pr-update-mbedtls

Update version of Mbed TLS
veracruz-project · Jun 29, 2023 · abab18a · abab18a
2 parents a0f4d7a + e38c2e7
commit abab18a
Show file tree

Hide file tree

Showing 25 changed files with 711 additions and 227 deletions.
diff --git a/.gitmodules b/.gitmodules
@@ -1,7 +1,7 @@
 [submodule "psa_attestation/lib/QCBOR"]
 	path = psa-attestation/lib/QCBOR
 	url = https://github.com/veracruz-project/QCBOR.git
-    branch = master
+	branch = master
 [submodule "psa_attestation/lib/t_cose"]
 	path = psa-attestation/lib/t_cose
 	url = https://github.com/veracruz-project/t_cose.git
@@ -45,3 +45,4 @@
 [submodule "third-party/rust-mbedtls"]
 	path = third-party/rust-mbedtls
 	url = https://github.com/veracruz-project/rust-mbedtls.git
+	branch = veracruz
diff --git a/execution-engine/Cargo.toml b/execution-engine/Cargo.toml
@@ -8,6 +8,7 @@ version = "0.3.0"
 [features]
 default = []
 icecap = [
+  "mbedtls/icecap",
   "platform-services/icecap",
   "policy-utils/icecap",
 ]
@@ -34,7 +35,7 @@ cfg-if = "1"
 ctor = "=0.1.16"
 err-derive = "0.2"
 lazy_static = { version = "1.4.0", features = ["spin_no_std"] }
-mbedtls = { path = "../third-party/rust-mbedtls/mbedtls" }
+mbedtls = { path = "../third-party/rust-mbedtls/mbedtls", default-features = false, features = ["std", "aesni", "padlock", "tls13"] }
 nix = { version = "0.20.2", optional = true }
 num = { version = "0.4", default-features = false }
 num-derive = { version = "0.3", default-features = false }

diff --git a/policy-utils/Cargo.toml b/policy-utils/Cargo.toml
@@ -7,6 +7,7 @@ version = "0.3.0"
 
 [features]
 icecap = [
+  "mbedtls/icecap",
   "veracruz-utils/icecap",
 ]
 nitro = [
@@ -26,7 +27,7 @@ err-derive = { version = "0.2", default-features = false }
 hex = { version = "0.4.2" }
 lalrpop-util = { version = "0.19.8", features = ["lexer"] }
 lexical-core = { version = "0.8.2", default-features = false }
-mbedtls = { path = "../third-party/rust-mbedtls/mbedtls" }
+mbedtls = { path = "../third-party/rust-mbedtls/mbedtls", default-features = false, features = ["std", "aesni", "padlock", "tls13"] }
 regex = "1"
 serde = { version = "1.0.115", features = ["derive"] }
 serde_json = { version = "1.0", default-features = false }

diff --git a/psa-attestation/Cargo.toml b/psa-attestation/Cargo.toml
@@ -12,7 +12,7 @@ crate-type = ["rlib"]
 
 [features]
 # build.rs depends on features
-icecap = []
+icecap = ["mbedtls-sys-auto/icecap"]
 linux = []
 nitro = [
   "mbedtls-sys-auto/monitor_getrandom",
@@ -21,8 +21,8 @@ nitro = [
 [dependencies]
 libc = "0.2.124"
 # We are not really using mbedtls-sys-auto but we are using the C
-# libraries libmbedcrypto.a and libshim.a that mbedtls-sys-auto builds.
-mbedtls-sys-auto = { path = "../third-party/rust-mbedtls/mbedtls-sys" }
+# library libmbedcrypto.a that mbedtls-sys-auto builds.
+mbedtls-sys-auto = { path = "../third-party/rust-mbedtls/mbedtls-sys", default-features = false }
 
 [build-dependencies]
 bindgen = "0.59.2"

diff --git a/psa-attestation/build.rs b/psa-attestation/build.rs
@@ -47,9 +47,8 @@ fn main() {
 
     println!("cargo:rustc-link-lib=static=psa_attestation");
     println!("cargo:rustc-link-search={:}", target_dir);
-    // These two C libraries come from mbedtls-sys-auto:
+    // This C library comes from mbedtls-sys-auto:
     println!("cargo:rustc-link-lib=static=mbedcrypto");
-    println!("cargo:rustc-link-lib=static=shim");
 
     // Tell cargo to invalidate the build crate whenever the wrapper changes
     //println!("cargo:rerun-if-changed=wrapper.h");

diff --git a/runtime-manager/Cargo.toml b/runtime-manager/Cargo.toml
@@ -12,7 +12,7 @@ icecap = [
   "bincode",
   "execution-engine/icecap",
   "policy-utils/icecap",
-  "psa-attestation",
+  "psa-attestation/icecap",
   "serde",
   "session-manager/icecap",
   "transport-protocol/icecap",

diff --git a/session-manager/Cargo.toml b/session-manager/Cargo.toml
@@ -7,6 +7,7 @@ version = "0.3.0"
 
 [features]
 icecap = [
+  "mbedtls/icecap",
   "policy-utils/icecap",
   "veracruz-utils/icecap",
 ]
@@ -23,7 +24,7 @@ std = [
 [dependencies]
 anyhow = "1"
 err-derive = "0.2"
-mbedtls = { path = "../third-party/rust-mbedtls/mbedtls" }
+mbedtls = { path = "../third-party/rust-mbedtls/mbedtls", default-features = false, features = ["std", "aesni", "padlock", "tls13"] }
 platform-services = { path = "../platform-services" }
 policy-utils = { path = "../policy-utils" }
 veracruz-utils = { path = "../veracruz-utils", optional = true }
diff --git a/session-manager/src/session.rs b/session-manager/src/session.rs
@@ -196,7 +196,7 @@ impl Session {
                 shared_buffers: Arc::clone(&self.shared_buffers),
             };
             match self.tls_context.establish(conn, None) {
-                Err(mbedtls::Error::SslWantRead) => (),
+                Err(e) if e.high_level() == Some(mbedtls::error::codes::SslWantRead) => (),
                 x => x?,
             };
             self.established = true;

diff --git a/session-manager/src/session_context.rs b/session-manager/src/session_context.rs
@@ -155,8 +155,8 @@ impl SessionContext {
         let entropy = Arc::new(mbedtls::rng::OsEntropy::new());
         let rng = Arc::new(mbedtls::rng::CtrDrbg::new(entropy, None)?);
         config.set_rng(rng);
-        config.set_min_version(config::Version::Tls1_3)?;
-        config.set_max_version(config::Version::Tls1_3)?;
+        config.set_min_version(config::Version::Tls13)?;
+        config.set_max_version(config::Version::Tls13)?;
         config.set_ca_list(Arc::new(self.root_certs.clone()), None);
         config.push_cert(
             Arc::new(self.cert_chain.clone()),

diff --git a/tests/Cargo.toml b/tests/Cargo.toml
@@ -17,6 +17,7 @@ path = "./src/lib.rs"
 debug = ["veracruz-server/debug"]
 icecap = [
   "icecap-veracruz-server",
+  "mbedtls/icecap",
   "policy-utils/icecap",
   "veracruz-server/icecap",
   "veracruz-utils/icecap",
@@ -47,7 +48,7 @@ icecap-veracruz-server = { path = "../icecap-veracruz-server", optional = true }
 lazy_static = "1.4.0"
 linux-veracruz-server = { path = "../linux-veracruz-server", optional = true }
 log = "0.4.13"
-mbedtls = { path = "../third-party/rust-mbedtls/mbedtls" }
+mbedtls = { path = "../third-party/rust-mbedtls/mbedtls", default-features = false, features = ["std", "aesni", "padlock", "tls13"] }
 nitro-veracruz-server = { path = "../nitro-veracruz-server", optional = true }
 nix = "0.25.0"
 policy-utils = { path = "../policy-utils", optional = true }

diff --git a/tests/tests/server_test.rs b/tests/tests/server_test.rs
@@ -1140,8 +1140,8 @@ fn create_client_test_connection<P: AsRef<Path>, Q: AsRef<Path>>(
         mbedtls::ssl::config::Transport::Stream,
         mbedtls::ssl::config::Preset::Default,
     );
-    config.set_min_version(mbedtls::ssl::config::Version::Tls1_3)?;
-    config.set_max_version(mbedtls::ssl::config::Version::Tls1_3)?;
+    config.set_min_version(mbedtls::ssl::config::Version::Tls13)?;
+    config.set_max_version(mbedtls::ssl::config::Version::Tls13)?;
     let policy_ciphersuite = veracruz_utils::lookup_ciphersuite(ciphersuite_str)
         .ok_or_else(|| anyhow!("invalid ciphersuite"))?;
     let cipher_suites: Vec<i32> = vec![policy_ciphersuite.into(), 0];

diff --git a/tests/tlstest/Cargo.toml b/tests/tlstest/Cargo.toml
@@ -4,4 +4,4 @@ edition = "2018"
 version = "0.3.0"
 
 [dependencies]
-mbedtls = { path = "../../third-party/rust-mbedtls/mbedtls" }
+mbedtls = { path = "../../third-party/rust-mbedtls/mbedtls", default-features = false, features = ["std", "aesni", "padlock", "tls13"] }
diff --git a/tests/tlstest/src/main.rs b/tests/tlstest/src/main.rs
@@ -69,8 +69,8 @@ fn client_config() -> Config {
         config::Transport::Stream,
         config::Preset::Default,
     );
-    config.set_min_version(config::Version::Tls1_3).unwrap();
-    config.set_max_version(config::Version::Tls1_3).unwrap();
+    config.set_min_version(config::Version::Tls13).unwrap();
+    config.set_max_version(config::Version::Tls13).unwrap();
     let ciphersuite_name = "TLS1-3-CHACHA20-POLY1305-SHA256";
     let ciphersuite = ciphersuites::lookup_ciphersuite(&ciphersuite_name).unwrap();
     config.set_ciphersuites(Arc::new(vec![ciphersuite, 0]));
@@ -95,8 +95,8 @@ fn server_config() -> Config {
         config::Transport::Stream,
         config::Preset::Default,
     );
-    config.set_min_version(config::Version::Tls1_3).unwrap();
-    config.set_max_version(config::Version::Tls1_3).unwrap();
+    config.set_min_version(config::Version::Tls13).unwrap();
+    config.set_max_version(config::Version::Tls13).unwrap();
     let ciphersuite_name = "TLS1-3-CHACHA20-POLY1305-SHA256";
     let ciphersuite = ciphersuites::lookup_ciphersuite(&ciphersuite_name).unwrap();
     config.set_ciphersuites(Arc::new(vec![ciphersuite, 0]));
@@ -239,14 +239,14 @@ fn run_script(script: &[&[u8]]) {
     let mut server = Context::new(Arc::new(server_config()));
     match server.establish(server_connection, None) {
         Ok(()) => (),
-        Err(mbedtls::Error::SslWantRead) => (),
+        Err(e) if e.high_level() == Some(mbedtls::error::codes::SslWantRead) => (),
         err => err.unwrap(),
     }
 
     let mut client = Context::new(Arc::new(client_config()));
     match client.establish(client_connection, None) {
         Ok(()) => (),
-        Err(mbedtls::Error::SslWantRead) => (),
+        Err(e) if e.high_level() == Some(mbedtls::error::codes::SslWantRead) => (),
         err => err.unwrap(),
     }
 

diff --git a/third-party/rust-mbedtls b/third-party/rust-mbedtls
diff --git a/veracruz-client/Cargo.toml b/veracruz-client/Cargo.toml
@@ -27,7 +27,7 @@ env_logger = { version = "0.9.0", optional = true }
 err-derive = "0.2"
 hex = "0.4.2"
 log = "0.4.13"
-mbedtls = { path = "../third-party/rust-mbedtls/mbedtls" }
+mbedtls = { path = "../third-party/rust-mbedtls/mbedtls", default-features = false, features = ["std", "aesni", "padlock", "tls13"] }
 policy-utils = { path = "../policy-utils", features = ["std"] }
 rand = "0.8.3"
 # The cargo patch mechanism does NOT work when we add function into a macro_rules!

diff --git a/veracruz-client/src/tests.rs b/veracruz-client/src/tests.rs
@@ -138,10 +138,10 @@ fn veracruz_client_session() {
     );
     config.set_ca_list(Arc::new(client_cert), None);
     config
-        .set_min_version(mbedtls::ssl::config::Version::Tls1_3)
+        .set_min_version(mbedtls::ssl::config::Version::Tls13)
         .unwrap();
     config
-        .set_max_version(mbedtls::ssl::config::Version::Tls1_3)
+        .set_max_version(mbedtls::ssl::config::Version::Tls13)
         .unwrap();
     config
         .push_cert(Arc::new(server_cert), Arc::new(server_priv_key))

diff --git a/veracruz-client/src/veracruz_client.rs b/veracruz-client/src/veracruz_client.rs
@@ -157,8 +157,8 @@ impl VeracruzClient {
 
         use mbedtls::ssl::config::{Config, Endpoint, Preset, Transport, Version};
         let mut config = Config::new(Endpoint::Client, Transport::Stream, Preset::Default);
-        config.set_min_version(Version::Tls1_3)?;
-        config.set_max_version(Version::Tls1_3)?;
+        config.set_min_version(Version::Tls13)?;
+        config.set_max_version(Version::Tls13)?;
         let policy_ciphersuite = veracruz_utils::lookup_ciphersuite(policy.ciphersuite().as_str())
             .ok_or(anyhow!(VeracruzClientError::UnexpectedCiphersuite))?;
         let cipher_suites: Vec<i32> = vec![policy_ciphersuite.into(), 0];

diff --git a/veracruz-utils/Cargo.toml b/veracruz-utils/Cargo.toml
@@ -7,6 +7,7 @@ version = "0.3.0"
 
 [features]
 icecap = [
+  "mbedtls/icecap",
   "platform-services/icecap",
   "serde/derive",
 ]
@@ -33,7 +34,7 @@ anyhow = "1"
 bincode = { version = "1.2.1", default-features = false, optional = true }
 chrono = { version = "0.4.19", default-features = false, features = ["clock", "std"], optional = true }
 err-derive = "0.2"
-mbedtls = { path = "../third-party/rust-mbedtls/mbedtls" }
+mbedtls = { path = "../third-party/rust-mbedtls/mbedtls", default-features = false, features = ["std", "aesni", "padlock", "tls13"] }
 platform-services = { path = "../platform-services", optional = true }
 # The cargo patch mechanism does NOT work when we add function into a macro_rules!
 serde = { version = "1.0.115", default-features = false, optional = true }