Skip to content

Commit 885f1f5

Browse files
egrimley-armegrimley-arm
authored
Merge pull request #494 from egrimley-arm/pr-tls13
Switch from TLS 1.2 to TLS 1.3.
2 parents 4a989aa + 4344ebe commit 885f1f5

File tree

19 files changed

+199
-217
lines changed

19 files changed

+199
-217
lines changed

icecap/src/c/libc-supplement/include/stdio.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,5 +17,6 @@
1717
typedef struct { void *x; } FILE;
1818

1919
int printf(const char *format, ...);
20+
int puts(const char *s);
2021
int snprintf(char *str, size_t size, const char *format, ...);
2122
int vsnprintf(char *str, size_t size, const char *format, __builtin_va_list ap);

icecap/src/c/libc-supplement/src/printf.c

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
/*
2+
* AUTHORS
3+
*
4+
* The Veracruz Development Team.
5+
*
6+
* COPYRIGHT
7+
*
8+
* See the `LICENSE_MIT.markdown` file in the Veracruz root directory
9+
* for licensing and copyright information.
10+
*
11+
*/
12+
13+
#include <stdio.h>
14+
15+
int printf(const char *format, ...)
16+
{
17+
// HACK: do nothing, and assume return value is not checked
18+
return 0;
19+
}

icecap/src/c/libc-supplement/src/puts.c

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
/*
2+
* AUTHORS
3+
*
4+
* The Veracruz Development Team.
5+
*
6+
* COPYRIGHT
7+
*
8+
* See the `LICENSE_MIT.markdown` file in the Veracruz root directory
9+
* for licensing and copyright information.
10+
*
11+
*/
12+
13+
#include <stdio.h>
14+
15+
int puts(const char *s)
16+
{
17+
// HACK: do nothing
18+
return 0;
19+
}

sdk/generate-policy/src/main.rs

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -10,8 +10,8 @@
1010
//! and copyright information.
1111
1212
use std::{
13-
fmt::Debug,
1413
convert::TryFrom,
14+
fmt::Debug,
1515
fs::{read_to_string, File},
1616
io::{Read, Write},
1717
net::SocketAddr,
@@ -41,8 +41,7 @@ use wasi_types::Rights;
4141
////////////////////////////////////////////////////////////////////////////////
4242

4343
/// Aborts the program with a message on `stderr`.
44-
fn abort_with<T: Debug>(msg: T) -> !
45-
{
44+
fn abort_with<T: Debug>(msg: T) -> ! {
4645
eprintln!("{:?}", msg);
4746
exit(1);
4847
}
@@ -80,7 +79,7 @@ information.";
8079
const VERSION: &'static str = "0.1.0";
8180

8281
/// The single supported ciphersuite embedded in the policy file.
83-
const POLICY_CIPHERSUITE: &'static str = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256";
82+
const POLICY_CIPHERSUITE: &'static str = "TLS1_3_CHACHA20_POLY1305_SHA256";
8483

8584
/// The default filename of the output JSON policy file, if no alternative is
8685
/// provided on the command line.

session-manager/src/session_context.rs

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -156,12 +156,13 @@ impl SessionContext {
156156
let entropy = Arc::new(mbedtls::rng::OsEntropy::new());
157157
let rng = Arc::new(mbedtls::rng::CtrDrbg::new(entropy, None)?);
158158
config.set_rng(rng);
159-
config.set_min_version(config::Version::Tls1_2)?;
160-
config.set_max_version(config::Version::Tls1_2)?;
159+
config.set_min_version(config::Version::Tls1_3)?;
160+
config.set_max_version(config::Version::Tls1_3)?;
161161
config.set_ca_list(Arc::new(self.root_certs.clone()), None);
162162
config.push_cert(
163163
Arc::new(self.cert_chain.clone()),
164164
Arc::new(mbedtls::pk::Pk::from_private_key(
165+
&mut mbedtls::rng::CtrDrbg::new(Arc::new(mbedtls::rng::OsEntropy::new()), None)?,
165166
&self.server_private_key,
166167
None,
167168
)?),

tests/tests/server_test.rs

Lines changed: 9 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -771,8 +771,8 @@ impl TestExecutor {
771771
}
772772

773773
fn check_policy_hash(&mut self) -> Result<Vec<u8>> {
774-
let serialized_request_policy_hash =
775-
transport_protocol::serialize_request_policy_hash().map_err(|e| {
774+
let serialized_request_policy_hash = transport_protocol::serialize_request_policy_hash()
775+
.map_err(|e| {
776776
anyhow!(
777777
"Failed to serialize request for policy hash. Error produced: {:?}.",
778778
e
@@ -1030,8 +1030,8 @@ fn create_client_test_connection<P: AsRef<Path>, Q: AsRef<Path>>(
10301030
mbedtls::ssl::config::Transport::Stream,
10311031
mbedtls::ssl::config::Preset::Default,
10321032
);
1033-
config.set_min_version(mbedtls::ssl::config::Version::Tls1_2)?;
1034-
config.set_max_version(mbedtls::ssl::config::Version::Tls1_2)?;
1033+
config.set_min_version(mbedtls::ssl::config::Version::Tls1_3)?;
1034+
config.set_max_version(mbedtls::ssl::config::Version::Tls1_3)?;
10351035
let policy_ciphersuite = veracruz_utils::lookup_ciphersuite(ciphersuite_str)
10361036
.ok_or_else(|| anyhow!("invalid ciphersuite"))?;
10371037
let cipher_suites: Vec<i32> = vec![policy_ciphersuite.into(), 0];
@@ -1061,6 +1061,10 @@ fn read_cert_file<P: AsRef<Path>>(filename: P) -> Result<List<Certificate>> {
10611061
fn read_priv_key_file<P: AsRef<Path>>(filename: P) -> Result<mbedtls::pk::Pk> {
10621062
let mut buffer = std::fs::read(filename)?;
10631063
buffer.push(b'\0');
1064-
let pkey_vec = mbedtls::pk::Pk::from_private_key(&buffer, None)?;
1064+
let pkey_vec = mbedtls::pk::Pk::from_private_key(
1065+
&mut mbedtls::rng::CtrDrbg::new(Arc::new(mbedtls::rng::OsEntropy::new()), None)?,
1066+
&buffer,
1067+
None,
1068+
)?;
10651069
Ok(pkey_vec)
10661070
}

third-party/rust-mbedtls

Submodule rust-mbedtls updated 758 files

third-party/rust-psa-crypto

veracruz-client/src/tests.rs

Lines changed: 9 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -104,8 +104,13 @@ fn veracruz_client_session() {
104104
let mut key_buffer = std::vec::Vec::new();
105105
key_file.read_to_end(&mut key_buffer).unwrap();
106106
key_buffer.push(b'\0');
107-
let rsa_keys = mbedtls::pk::Pk::from_private_key(&key_buffer, None)
108-
.expect("file contains invalid rsa private key");
107+
let rsa_keys = mbedtls::pk::Pk::from_private_key(
108+
&mut mbedtls::rng::CtrDrbg::new(Arc::new(mbedtls::rng::OsEntropy::new()), None)
109+
.unwrap(),
110+
&key_buffer,
111+
None,
112+
)
113+
.expect("file contains invalid rsa private key");
109114
rsa_keys
110115
};
111116

@@ -136,10 +141,10 @@ fn veracruz_client_session() {
136141
);
137142
config.set_ca_list(Arc::new(client_cert), None);
138143
config
139-
.set_min_version(mbedtls::ssl::config::Version::Tls1_2)
144+
.set_min_version(mbedtls::ssl::config::Version::Tls1_3)
140145
.unwrap();
141146
config
142-
.set_max_version(mbedtls::ssl::config::Version::Tls1_2)
147+
.set_max_version(mbedtls::ssl::config::Version::Tls1_3)
143148
.unwrap();
144149
config
145150
.push_cert(Arc::new(server_cert), Arc::new(server_priv_key))

veracruz-client/src/veracruz_client.rs

Lines changed: 19 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,10 @@ use std::{
1818
fs::File,
1919
io::{BufReader, Read, Write},
2020
path::Path,
21-
sync::{Arc, atomic::{AtomicU32, Ordering}},
21+
sync::{
22+
atomic::{AtomicU32, Ordering},
23+
Arc,
24+
},
2225
};
2326
use veracruz_utils::VERACRUZ_RUNTIME_HASH_EXTENSION_ID;
2427

@@ -99,7 +102,8 @@ impl Write for InsecureConnection {
99102
let received_session_id = body_items[0]
100103
.parse::<u32>()
101104
.map_err(|_| err("bad session id"))?;
102-
self.remote_session_id.store(received_session_id, Ordering::SeqCst);
105+
self.remote_session_id
106+
.store(received_session_id, Ordering::SeqCst);
103107
// And append response data to the read_buffer.
104108
for item in body_items.iter().skip(1) {
105109
let this_body_data = base64::decode(item).map_err(|_| err("base64::decode"))?;
@@ -153,7 +157,11 @@ impl VeracruzClient {
153157
pub(crate) fn read_private_key<P: AsRef<Path>>(filename: P) -> Result<Pk> {
154158
let mut buffer = VeracruzClient::read_all_bytes_in_file(filename)?;
155159
buffer.push(b'\0');
156-
let pkey_vec = Pk::from_private_key(&buffer, None)?;
160+
let pkey_vec = Pk::from_private_key(
161+
&mut mbedtls::rng::CtrDrbg::new(Arc::new(mbedtls::rng::OsEntropy::new()), None)?,
162+
&buffer,
163+
None,
164+
)?;
157165
Ok(pkey_vec)
158166
}
159167

@@ -228,8 +236,8 @@ impl VeracruzClient {
228236

229237
use mbedtls::ssl::config::{Config, Endpoint, Preset, Transport, Version};
230238
let mut config = Config::new(Endpoint::Client, Transport::Stream, Preset::Default);
231-
config.set_min_version(Version::Tls1_2)?;
232-
config.set_max_version(Version::Tls1_2)?;
239+
config.set_min_version(Version::Tls1_3)?;
240+
config.set_max_version(Version::Tls1_3)?;
233241
let policy_ciphersuite = veracruz_utils::lookup_ciphersuite(policy.ciphersuite().as_str())
234242
.ok_or(anyhow!(VeracruzClientError::UnexpectedCiphersuite))?;
235243
let cipher_suites: Vec<i32> = vec![policy_ciphersuite.into(), 0];
@@ -372,12 +380,13 @@ impl VeracruzClient {
372380
.ok_or(anyhow!(VeracruzClientError::UnexpectedCertificate))?;
373381
let extensions = cert.extensions()?;
374382
// check for OUR extension
375-
let data = veracruz_utils::find_extension(extensions, &VERACRUZ_RUNTIME_HASH_EXTENSION_ID).ok_or({
376-
error!("Our extension is not present. This should be fatal");
377-
anyhow!(VeracruzClientError::RuntimeHashExtensionMissing)
378-
})?;
383+
let data = veracruz_utils::find_extension(extensions, &VERACRUZ_RUNTIME_HASH_EXTENSION_ID)
384+
.ok_or({
385+
error!("Our extension is not present. This should be fatal");
386+
anyhow!(VeracruzClientError::RuntimeHashExtensionMissing)
387+
})?;
379388
info!("Certificate extension present.");
380-
self.compare_runtime_hash(&data).map_err(|err|{
389+
self.compare_runtime_hash(&data).map_err(|err| {
381390
error!("Runtime hash mismatch: {}.", err);
382391
anyhow!(err)
383392
})

0 commit comments

Comments
 (0)