Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Introduce separate features for pki and tls functionalities of mbedtls #326

Merged
merged 3 commits into from
Oct 20, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,2 +1,3 @@
.cargo
target/
venv/
2 changes: 1 addition & 1 deletion Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

14 changes: 12 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,16 @@ This crate depends on the mbedtls-sys-auto crate, see below for build details.
### Features

This is a list of the Cargo features available for mbedtls. Features in

* *x509* Enable PKI functionality. The main code enabled by this feature is in
the `x509` module.

* *ssl* Enable ssl/tls functionality. The main code enabled by this feature is
in the `ssl` module.

Note: The above features were introduced so that this crate could be used as a
crypto (or PKI) only library.

**bold** are enabled by default.

* **aesni** Enable support for the AES-NI instructions. On SGX, this feature is
Expand All @@ -53,12 +63,12 @@ This is a list of the Cargo features available for mbedtls. Features in
unsupported processors. On SGX, this feature is
enabled automatically.
* *mpi_force_c_code* Enables the `mpi_force_c_code` feature in mbedtls-sys
* *legacy_protocols* Enable support for SSLv3, TLSv1.0 and TLSv1.1
* *legacy_protocols* Enable support for SSLv3, TLSv1.0 and TLSv1.1. Implies *ssl*.
* *no_std_deps* On no_std, you must enable this feature. It enables optional
dependencies needed on no_std. If the `std` feature is enabled,
this feature is ignored.
* **padlock** Enable support for VIA padlock.
* *pkcs12* Enable code to parse PKCS12 files using yasna
* *pkcs12* Enable code to parse PKCS12 files using yasna. Implies *x509*.
* *pkcs12_rc2* Enable use of RC2 crate to decrypt RC2-encrypted PKCS12 files
* *rdrand* Enable the RDRAND random number generator. On SGX, this feature is
enabled automatically.
Expand Down
52 changes: 29 additions & 23 deletions ci.sh
Original file line number Diff line number Diff line change
Expand Up @@ -24,36 +24,42 @@ case "$TRAVIS_RUST_VERSION" in
rustup target add --toolchain $TRAVIS_RUST_VERSION $TARGET
printenv

for FEAT in "" "x509," "ssl,"; do
# The SGX target cannot be run under test like a ELF binary
if [ "$TARGET" != "x86_64-fortanix-unknown-sgx" ]; then
# make sure that explicitly providing the default target works
cargo nextest run --features "$FEAT" --target $TARGET --release
cargo nextest run --features "$FEAT"pkcs12 --target $TARGET
cargo nextest run --features "$FEAT"pkcs12_rc2 --target $TARGET
cargo nextest run --features "$FEAT"dsa --target $TARGET

# If AES-NI is supported, test the feature
if [ -n "$AES_NI_SUPPORT" ]; then
cargo nextest run --features "$FEAT"force_aesni_support --target $TARGET
fi

# no_std tests only are able to run on x86 platform
if [ "$TARGET" == "x86_64-unknown-linux-gnu" ] || [[ "$TARGET" =~ ^x86_64-pc-windows- ]]; then
cargo nextest run --no-default-features --features "$FEAT"no_std_deps,rdrand,time --target $TARGET
cargo nextest run --no-default-features --features "$FEAT"no_std_deps --target $TARGET
fi

else
cargo +$TRAVIS_RUST_VERSION test --no-run --features "$FEAT" --target=$TARGET
fi
done

# The SGX target cannot be run under test like a ELF binary
if [ "$TARGET" != "x86_64-fortanix-unknown-sgx" ]; then
# make sure that explicitly providing the default target works
cargo nextest run --target $TARGET --release
cargo nextest run --features pkcs12 --target $TARGET
cargo nextest run --features pkcs12_rc2 --target $TARGET
cargo nextest run --features dsa --target $TARGET
cargo nextest run --test async_session --features=async-rt --target $TARGET
cargo nextest run --test async_session --features=async-rt,legacy_protocols --target $TARGET
cargo nextest run --test async_session --features=async-rt,ssl --target $TARGET
cargo nextest run --test async_session --features=async-rt,ssl,legacy_protocols --target $TARGET

# If zlib is installed, test the zlib feature
if [ -n "$ZLIB_INSTALLED" ]; then
cargo nextest run --features zlib --target $TARGET
cargo nextest run --test async_session --features=async-rt,zlib --target $TARGET
cargo nextest run --test async_session --features=async-rt,zlib,legacy_protocols --target $TARGET
cargo nextest run --test async_session --features=async-rt,ssl,zlib --target $TARGET
cargo nextest run --test async_session --features=async-rt,ssl,zlib,legacy_protocols --target $TARGET
fi

# If AES-NI is supported, test the feature
if [ -n "$AES_NI_SUPPORT" ]; then
cargo nextest run --features force_aesni_support --target $TARGET
fi

# no_std tests only are able to run on x86 platform
if [ "$TARGET" == "x86_64-unknown-linux-gnu" ] || [[ "$TARGET" =~ ^x86_64-pc-windows- ]]; then
cargo nextest run --no-default-features --features no_std_deps,rdrand,time --target $TARGET
cargo nextest run --no-default-features --features no_std_deps --target $TARGET
fi

else
cargo +$TRAVIS_RUST_VERSION test --no-run --target=$TARGET
fi
;;
*)
Expand Down
31 changes: 18 additions & 13 deletions mbedtls/Cargo.toml
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
[package]
name = "mbedtls"
version = "0.9.3"
# We jumped from v0.9 to v0.12 because v0.10 and v0.11 were based on mbedtls 3.X, which
# we decided not to support.
version = "0.12.0"
authors = ["Jethro Beekman <jethro@fortanix.com>"]
build = "build.rs"
edition = "2018"
Expand Down Expand Up @@ -60,6 +62,10 @@ cc = "1.0"

[features]
# Features are documented in the README

x509 = []
ssl = ["x509"]

default = ["std", "aesni", "time", "padlock"]
std = ["byteorder/std", "mbedtls-sys-auto/std", "serde/std", "yasna", "mbedtls-platform-support/std"]
debug = ["mbedtls-sys-auto/debug"]
Expand All @@ -72,46 +78,45 @@ zlib = ["mbedtls-sys-auto/zlib"]
time = ["mbedtls-platform-support/time"]
padlock = ["mbedtls-sys-auto/padlock"]
dsa = ["std", "yasna", "num-bigint", "bit-vec"]
pkcs12 = ["std", "yasna"]
pkcs12 = ["std", "yasna", "x509"]
pkcs12_rc2 = ["pkcs12", "rc2", "cbc"]
legacy_protocols = ["mbedtls-sys-auto/legacy_protocols"]
legacy_protocols = ["mbedtls-sys-auto/legacy_protocols", "ssl"]
async = ["std", "tokio","tokio/net","tokio/io-util", "tokio/macros"]
async-rt = ["async", "tokio/rt", "tokio/sync", "tokio/rt-multi-thread"]

[[example]]
name = "client"
required-features = ["std"]
required-features = ["std", "ssl"]

[[example]]
name = "client_dtls"
required-features = ["std"]
required-features = ["std", "ssl"]

[[example]]
name = "client_psk"
required-features = ["std"]
required-features = ["std", "ssl"]

[[example]]
name = "server"
required-features = ["std"]
required-features = ["std", "ssl"]

[[test]]
name = "client_server"
required-features = ["std"]
required-features = ["std", "ssl"]

[[test]]
name = "ssl_conf_ca_cb"
required-features = ["std"]
required-features = ["std", "ssl"]

[[test]]
name = "ssl_conf_verify"
required-features = ["std"]
required-features = ["std", "ssl"]

[[test]]
name = "hyper"
required-features = ["std"]

required-features = ["std", "ssl"]

[[test]]
name = "async_session"
path = "tests/async_session.rs"
required-features = ["async-rt"]
required-features = ["async-rt", "ssl"]
5 changes: 3 additions & 2 deletions mbedtls/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,6 @@
compile_error!("Either the `std` or `no_std_deps` feature needs to be enabled");


#[macro_use]
extern crate bitflags;
#[macro_use]
extern crate serde_derive;
// required explicitly to force inclusion at link time
Expand All @@ -37,8 +35,11 @@ pub mod hash;
pub mod pk;
pub mod rng;
pub use mbedtls_platform_support::self_test as self_test;
#[cfg(feature = "ssl")]
pub mod ssl;
#[cfg(feature = "x509")]
pub mod x509;
#[cfg(any(feature = "x509", feature = "ssl", feature = "pkcs12"))]
pub mod alloc;

#[cfg(feature = "pkcs12")]
Expand Down
1 change: 1 addition & 0 deletions mbedtls/src/private.rs
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,7 @@ pub unsafe fn cstr_to_slice<'a>(ptr: *const c_char) -> &'a [u8] {
use std::io::{Error as IoError, ErrorKind as IoErrorKind};

#[cfg(feature = "std")]
#[allow(dead_code)]
pub fn error_to_io_error(e: Error) -> IoError {
IoError::new(IoErrorKind::Other, e.to_string())
}
1 change: 1 addition & 0 deletions mbedtls/src/x509/certificate.rs
Original file line number Diff line number Diff line change
Expand Up @@ -561,6 +561,7 @@ impl MbedtlsList<Certificate> {
Self { inner: None }
}

#[allow(dead_code)]
pub(crate) fn into_raw(mut self) -> *mut x509_crt {
// This leaks a *mut Certificate that we can cast to x509_crt as it's transparent and has no extra fields.
self.inner.take().map(|x| x.into_raw()).unwrap_or(core::ptr::null_mut()) as *mut x509_crt
Expand Down
1 change: 1 addition & 0 deletions mbedtls/src/x509/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ pub use self::csr::Csr;
#[doc(inline)]
pub use self::profile::Profile;

use bitflags::bitflags;
use mbedtls_sys::*;
use mbedtls_sys::types::raw_types::{c_int, c_uint, c_void};
bitflags! {
Expand Down
Loading