Skip to content

Commit

Permalink
Merge branch 'main' into update_spin
Browse files Browse the repository at this point in the history
  • Loading branch information
Taowyoo authored Oct 26, 2023
2 parents 8efbdf8 + 5462d96 commit 786b145
Show file tree
Hide file tree
Showing 10 changed files with 99 additions and 48 deletions.
3 changes: 2 additions & 1 deletion .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,8 @@ on:
- trying
pull_request:
branches:
- master
- mbedtls-3
- main
- 'v0.*'
merge_group:

Expand Down
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,2 +1,3 @@
.cargo
target/
venv/
14 changes: 7 additions & 7 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

38 changes: 36 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,21 +1,55 @@
> [!WARNING]
> The state of this repertory is changed to maintenance. We will not accept any more feature requests. Please check [Change of status](#change-of-status) for details

# mbedtls

[![Build Status](https://travis-ci.com/fortanix/rust-mbedtls.svg?branch=master)](https://travis-ci.com/fortanix/rust-mbedtls)


This is an idiomatic Rust wrapper for MbedTLS, allowing you to use MbedTLS with
only safe code while being able to use such great Rust features like error
handling and closures.

Additionally, building on MbedTLS's focus on embedded use, this crate can be
used in a no_std environment.

## Change of status

We discovered that `mbedtls 3.4.X` is not thread safe and will not work properly with multiple threads. This problem will not be fixed in short time. And the new PSA approach does not match our needs.

So we now decided to stay on mbedtls `2.28.X`; and the state of this repertory is changed to maintenance. We will not accept any more feature requests.

Old code of `mbedtls 3.X` on `master` branch has been moved to branch `mbedtls-3`.

Related issue: [#320](https://github.com/fortanix/rust-mbedtls/issues/320)

Reference links:

- Design changes:
- https://lists.trustedfirmware.org/archives/list/[email protected]/message/RJ7YPNBNWUNW2ICQJ72H2JMKPDKGQOLT/
- Bugs
- https://github.com/fortanix/rust-mbedtls/issues/301
- https://github.com/fortanix/rust-mbedtls/issues/293
- https://github.com/Mbed-TLS/mbedtls/issues/3263

## Building

This crate depends on the mbedtls-sys-auto crate, see below for build details.

### Features

This is a list of the Cargo features available for mbedtls. Features in

* *x509* Enable PKI functionality. The main code enabled by this feature is in
the `x509` module.

* *ssl* Enable ssl/tls functionality. The main code enabled by this feature is
in the `ssl` module.

Note: The above features were introduced so that this crate could be used as a
crypto (or PKI) only library.

**bold** are enabled by default.

* **aesni** Enable support for the AES-NI instructions. On SGX, this feature is
Expand All @@ -29,12 +63,12 @@ This is a list of the Cargo features available for mbedtls. Features in
unsupported processors. On SGX, this feature is
enabled automatically.
* *mpi_force_c_code* Enables the `mpi_force_c_code` feature in mbedtls-sys
* *legacy_protocols* Enable support for SSLv3, TLSv1.0 and TLSv1.1
* *legacy_protocols* Enable support for SSLv3, TLSv1.0 and TLSv1.1. Implies *ssl*.
* *no_std_deps* On no_std, you must enable this feature. It enables optional
dependencies needed on no_std. If the `std` feature is enabled,
this feature is ignored.
* **padlock** Enable support for VIA padlock.
* *pkcs12* Enable code to parse PKCS12 files using yasna
* *pkcs12* Enable code to parse PKCS12 files using yasna. Implies *x509*.
* *pkcs12_rc2* Enable use of RC2 crate to decrypt RC2-encrypted PKCS12 files
* *rdrand* Enable the RDRAND random number generator. On SGX, this feature is
enabled automatically.
Expand Down
52 changes: 29 additions & 23 deletions ci.sh
Original file line number Diff line number Diff line change
Expand Up @@ -24,36 +24,42 @@ case "$TRAVIS_RUST_VERSION" in
rustup target add --toolchain $TRAVIS_RUST_VERSION $TARGET
printenv

for FEAT in "" "x509," "ssl,"; do
# The SGX target cannot be run under test like a ELF binary
if [ "$TARGET" != "x86_64-fortanix-unknown-sgx" ]; then
# make sure that explicitly providing the default target works
cargo nextest run --features "$FEAT" --target $TARGET --release
cargo nextest run --features "$FEAT"pkcs12 --target $TARGET
cargo nextest run --features "$FEAT"pkcs12_rc2 --target $TARGET
cargo nextest run --features "$FEAT"dsa --target $TARGET

# If AES-NI is supported, test the feature
if [ -n "$AES_NI_SUPPORT" ]; then
cargo nextest run --features "$FEAT"force_aesni_support --target $TARGET
fi

# no_std tests only are able to run on x86 platform
if [ "$TARGET" == "x86_64-unknown-linux-gnu" ] || [[ "$TARGET" =~ ^x86_64-pc-windows- ]]; then
cargo nextest run --no-default-features --features "$FEAT"no_std_deps,rdrand,time --target $TARGET
cargo nextest run --no-default-features --features "$FEAT"no_std_deps --target $TARGET
fi

else
cargo +$TRAVIS_RUST_VERSION test --no-run --features "$FEAT" --target=$TARGET
fi
done

# The SGX target cannot be run under test like a ELF binary
if [ "$TARGET" != "x86_64-fortanix-unknown-sgx" ]; then
# make sure that explicitly providing the default target works
cargo nextest run --target $TARGET --release
cargo nextest run --features pkcs12 --target $TARGET
cargo nextest run --features pkcs12_rc2 --target $TARGET
cargo nextest run --features dsa --target $TARGET
cargo nextest run --test async_session --features=async-rt --target $TARGET
cargo nextest run --test async_session --features=async-rt,legacy_protocols --target $TARGET
cargo nextest run --test async_session --features=async-rt,ssl --target $TARGET
cargo nextest run --test async_session --features=async-rt,ssl,legacy_protocols --target $TARGET

# If zlib is installed, test the zlib feature
if [ -n "$ZLIB_INSTALLED" ]; then
cargo nextest run --features zlib --target $TARGET
cargo nextest run --test async_session --features=async-rt,zlib --target $TARGET
cargo nextest run --test async_session --features=async-rt,zlib,legacy_protocols --target $TARGET
cargo nextest run --test async_session --features=async-rt,ssl,zlib --target $TARGET
cargo nextest run --test async_session --features=async-rt,ssl,zlib,legacy_protocols --target $TARGET
fi

# If AES-NI is supported, test the feature
if [ -n "$AES_NI_SUPPORT" ]; then
cargo nextest run --features force_aesni_support --target $TARGET
fi

# no_std tests only are able to run on x86 platform
if [ "$TARGET" == "x86_64-unknown-linux-gnu" ] || [[ "$TARGET" =~ ^x86_64-pc-windows- ]]; then
cargo nextest run --no-default-features --features no_std_deps,rdrand,time --target $TARGET
cargo nextest run --no-default-features --features no_std_deps --target $TARGET
fi

else
cargo +$TRAVIS_RUST_VERSION test --no-run --target=$TARGET
fi
;;
*)
Expand Down
31 changes: 18 additions & 13 deletions mbedtls/Cargo.toml
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
[package]
name = "mbedtls"
version = "0.9.3"
# We jumped from v0.9 to v0.12 because v0.10 and v0.11 were based on mbedtls 3.X, which
# we decided not to support.
version = "0.12.0"
authors = ["Jethro Beekman <[email protected]>"]
build = "build.rs"
edition = "2018"
Expand Down Expand Up @@ -60,6 +62,10 @@ cc = "1.0"

[features]
# Features are documented in the README

x509 = []
ssl = ["x509"]

default = ["std", "aesni", "time", "padlock"]
std = ["byteorder/std", "mbedtls-sys-auto/std", "serde/std", "yasna", "mbedtls-platform-support/std"]
debug = ["mbedtls-sys-auto/debug"]
Expand All @@ -72,46 +78,45 @@ zlib = ["mbedtls-sys-auto/zlib"]
time = ["mbedtls-platform-support/time"]
padlock = ["mbedtls-sys-auto/padlock"]
dsa = ["std", "yasna", "num-bigint", "bit-vec"]
pkcs12 = ["std", "yasna"]
pkcs12 = ["std", "yasna", "x509"]
pkcs12_rc2 = ["pkcs12", "rc2", "cbc"]
legacy_protocols = ["mbedtls-sys-auto/legacy_protocols"]
legacy_protocols = ["mbedtls-sys-auto/legacy_protocols", "ssl"]
async = ["std", "tokio","tokio/net","tokio/io-util", "tokio/macros"]
async-rt = ["async", "tokio/rt", "tokio/sync", "tokio/rt-multi-thread"]

[[example]]
name = "client"
required-features = ["std"]
required-features = ["std", "ssl"]

[[example]]
name = "client_dtls"
required-features = ["std"]
required-features = ["std", "ssl"]

[[example]]
name = "client_psk"
required-features = ["std"]
required-features = ["std", "ssl"]

[[example]]
name = "server"
required-features = ["std"]
required-features = ["std", "ssl"]

[[test]]
name = "client_server"
required-features = ["std"]
required-features = ["std", "ssl"]

[[test]]
name = "ssl_conf_ca_cb"
required-features = ["std"]
required-features = ["std", "ssl"]

[[test]]
name = "ssl_conf_verify"
required-features = ["std"]
required-features = ["std", "ssl"]

[[test]]
name = "hyper"
required-features = ["std"]

required-features = ["std", "ssl"]

[[test]]
name = "async_session"
path = "tests/async_session.rs"
required-features = ["async-rt"]
required-features = ["async-rt", "ssl"]
5 changes: 3 additions & 2 deletions mbedtls/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,6 @@
compile_error!("Either the `std` or `no_std_deps` feature needs to be enabled");


#[macro_use]
extern crate bitflags;
#[macro_use]
extern crate serde_derive;
// required explicitly to force inclusion at link time
Expand All @@ -37,8 +35,11 @@ pub mod hash;
pub mod pk;
pub mod rng;
pub use mbedtls_platform_support::self_test as self_test;
#[cfg(feature = "ssl")]
pub mod ssl;
#[cfg(feature = "x509")]
pub mod x509;
#[cfg(any(feature = "x509", feature = "ssl", feature = "pkcs12"))]
pub mod alloc;

#[cfg(feature = "pkcs12")]
Expand Down
1 change: 1 addition & 0 deletions mbedtls/src/private.rs
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,7 @@ pub unsafe fn cstr_to_slice<'a>(ptr: *const c_char) -> &'a [u8] {
use std::io::{Error as IoError, ErrorKind as IoErrorKind};

#[cfg(feature = "std")]
#[allow(dead_code)]
pub fn error_to_io_error(e: Error) -> IoError {
IoError::new(IoErrorKind::Other, e.to_string())
}
1 change: 1 addition & 0 deletions mbedtls/src/x509/certificate.rs
Original file line number Diff line number Diff line change
Expand Up @@ -561,6 +561,7 @@ impl MbedtlsList<Certificate> {
Self { inner: None }
}

#[allow(dead_code)]
pub(crate) fn into_raw(mut self) -> *mut x509_crt {
// This leaks a *mut Certificate that we can cast to x509_crt as it's transparent and has no extra fields.
self.inner.take().map(|x| x.into_raw()).unwrap_or(core::ptr::null_mut()) as *mut x509_crt
Expand Down
1 change: 1 addition & 0 deletions mbedtls/src/x509/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ pub use self::csr::Csr;
#[doc(inline)]
pub use self::profile::Profile;

use bitflags::bitflags;
use mbedtls_sys::*;
use mbedtls_sys::types::raw_types::{c_int, c_uint, c_void};
bitflags! {
Expand Down

0 comments on commit 786b145

Please sign in to comment.