Merge pull request fortanix#658 from fortanix/mridul/mbedtls-0.13-update

gausk · web-flow · commit e678e0f2196e · 2025-06-05T12:55:37.000Z
Update to mbedtls v0.13.0
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/em-app/Cargo.toml b/em-app/Cargo.toml
@@ -14,14 +14,14 @@ b64-ct = "0.1.3"
 em-client = { version = "4.0.0", default-features = false, features = ["client"] }
 em-node-agent-client = "1.0.0"
 hyper = { version = "0.10", default-features = false }
-mbedtls = { version = "0.12", default-features = false, features = ["rdrand", "std", "ssl"] }
+mbedtls = { version = ">=0.12.0, <0.14.0", default-features = false, features = ["rdrand", "std", "ssl"] }
 pkix = ">=0.1.2, <0.3.0"
 
 rustc-serialize = "0.3.24"
 sdkms = { version = "0.3", default-features = false }
-serde = "1.0.123"
+serde = "1.0"
 serde_bytes = "0.11"
-serde_derive = "1.0.123"
+serde_derive = "1.0"
 serde_json = "1.0"
 url = "1"
 uuid = { version = "0.6.3", features = ["v4", "serde"] }
diff --git a/em-app/examples/get-certificate/Cargo.toml b/em-app/examples/get-certificate/Cargo.toml
@@ -8,5 +8,5 @@ publish = false
 
 [dependencies]
 em-app = { path = "../../" }
-mbedtls = { version = "0.12", default-features = false, features = ["std"] }
+mbedtls = { version = ">=0.12.0, <0.14.0", default-features = false, features = ["std"] }
 serde_json = "1.0"
diff --git a/examples/tls/Cargo.toml b/examples/tls/Cargo.toml
@@ -7,4 +7,4 @@ publish = false
 
 [dependencies]
 chrono = "0.4"
-mbedtls = { version = "0.12", default-features = false, features = ["std"] }
+mbedtls = { version = ">=0.12.0, <0.14.0", default-features = false, features = ["std"] }
diff --git a/fortanix-vme/aws-nitro-enclaves/nitro-attestation-verify/Cargo.toml b/fortanix-vme/aws-nitro-enclaves/nitro-attestation-verify/Cargo.toml
@@ -9,7 +9,7 @@ publish = false
 chrono = "0.4"
 serde_cbor = "0.11"
 aws-nitro-enclaves-cose = { version = "0.5.0", default-features = false }
-mbedtls = { version = "0.12", features = ["rdrand", "std", "time", "ssl"], default-features = false, optional = true }
+mbedtls = { version = "0.13.1", features = ["rdrand", "std", "time", "ssl"], default-features = false, optional = true }
 num-bigint = "0.4"
 serde = { version = "1.0", features = ["derive"] }
 serde_bytes = "0.11"
diff --git a/fortanix-vme/aws-nitro-enclaves/nitro-attestation-verify/src/lib.rs b/fortanix-vme/aws-nitro-enclaves/nitro-attestation-verify/src/lib.rs
@@ -328,8 +328,8 @@ mod tests {
         //   Not After : Sep  9 13:19:20 2021 GMT
         static ref PROPER_TOKEN : Vec<u8> = include_bytes!("../data/request_proper.bin").to_vec();
         static ref PROPER_VALIDITY: (DateTime<Utc>, DateTime<Utc>) = (Utc.with_ymd_and_hms(2021, 9, 9, 10, 19, 19).unwrap(),  Utc.with_ymd_and_hms(2021, 9, 9, 13, 19, 21).unwrap());
-        static ref NOT_VALID_YET_ERR: NitroError = NitroError::CertificateVerifyFailure("Certificate verify failure: X509CertVerifyFailed, The certificate validity starts in the future\n".to_string());
-        static ref EXPIRED_ERR: NitroError = NitroError::CertificateVerifyFailure("Certificate verify failure: X509CertVerifyFailed, The certificate validity has expired\n".to_string());
+        static ref NOT_VALID_YET_ERR: NitroError = NitroError::CertificateVerifyFailure("Certificate verify failure: HighLevel(X509CertVerifyFailed), The certificate validity starts in the future\n".to_string());
+        static ref EXPIRED_ERR: NitroError = NitroError::CertificateVerifyFailure("Certificate verify failure: HighLevel(X509CertVerifyFailed), The certificate validity has expired\n".to_string());
         static ref TAMPERED_SIGNATURE : Vec<u8> = include_bytes!("../data/tampered_signature.bin").to_vec();
         static ref TAMPERED_CERTIFICATE : Vec<u8> = include_bytes!("../data/tampered_certificate.bin").to_vec();
     }
diff --git a/fortanix-vme/aws-nitro-enclaves/nitro-attestation-verify/src/mbedtls.rs b/fortanix-vme/aws-nitro-enclaves/nitro-attestation-verify/src/mbedtls.rs
@@ -6,6 +6,7 @@
 use aws_nitro_enclaves_cose::crypto::{Hash, MessageDigest, SignatureAlgorithm, SigningPublicKey};
 use aws_nitro_enclaves_cose::error::CoseError;
 use mbedtls::alloc::Box as MbedtlsBox;
+use mbedtls::error::{codes, Error as ErrMbed};
 use mbedtls::hash::{self, Md};
 use mbedtls::pk::EcGroupId;
 use mbedtls::x509::Certificate;
@@ -97,7 +98,7 @@ impl SigningPublicKey for WrappedCert {
         // We'll throw error if signature verify does not work
         match pk.verify(*md, &digest, &sig) {
             Ok(_) => Ok(true),
-            Err(mbedtls::Error::EcpVerifyFailed) => Ok(false),
+            Err(ErrMbed::HighLevel(codes::EcpVerifyFailed)) => Ok(false),
             Err(e) => Err(CoseError::SignatureError(Box::new(e))),
         }
     }
diff --git a/intel-sgx/dcap-artifact-retrieval/Cargo.toml b/intel-sgx/dcap-artifact-retrieval/Cargo.toml
@@ -22,7 +22,7 @@ backoff = "0.4.0"
 clap = { version = "2.23.3", optional = true }
 lazy_static = "1"
 lru-cache = "0.1.2"
-mbedtls = { version = "0.12.3", features = [
+mbedtls = { version = ">=0.12.0, <0.14.0", features = [
     "x509",
     "ssl",
     "std",
@@ -47,6 +47,6 @@ yasna = { version = "0.3", features = ["num-bigint", "bit-vec"] }
 pcs = { version = "0.7", path = "../pcs", features = ["verify"] }
 
 [build-dependencies]
-mbedtls = { version = "0.12.3", features = ["ssl", "x509"] }
+mbedtls = { version = ">=0.12.0, <0.14.0", features = ["ssl", "x509"] }
 pkix = "0.2.0"
 serde_cbor = "0.11"
diff --git a/intel-sgx/dcap-ql/Cargo.toml b/intel-sgx/dcap-ql/Cargo.toml
@@ -45,15 +45,15 @@ byteorder = "1.1.0" # Unlicense/MIT
 anyhow = "1.0"   # MIT/Apache-2.0
 lazy_static = "1"   # MIT/Apache-2.0
 libc = { version = "0.2", optional = true }        # MIT/Apache-2.0
-mbedtls = { version = "0.12", default-features = false, features = ["std", "x509"], optional = true }
+mbedtls = { version = ">=0.12.0, <0.14.0", default-features = false, features = ["std", "x509"], optional = true }
 num = { version = "0.2", optional = true }
 num-derive = "0.2"  # MIT/Apache-2.0
 num-traits = "0.2"  # MIT/Apache-2.0
 serde = { version = "1.0.104", features = ["derive"], optional = true } # MIT/Apache-2.0
 yasna = { version = "0.3", features = ["num-bigint", "bit-vec"], optional = true }
 
 [dev-dependencies]
-mbedtls = { version = "0.12" }
+mbedtls = { version = ">=0.12.0, <0.14.0" }
 report-test = { version = "0.5.0", path = "../report-test" }
 sgxs = { version = "0.8.0", path = "../sgxs" }
 serde = { version = "1.0.104", features = ["derive"] }
diff --git a/intel-sgx/fortanix-sgx-tools/Cargo.toml b/intel-sgx/fortanix-sgx-tools/Cargo.toml
@@ -34,5 +34,5 @@ serde_derive = "1.0.84"    # MIT/Apache-2.0
 serde = "1.0.84"           # MIT/Apache-2.0
 toml = "0.4.10"            # MIT/Apache-2.0
 num_cpus = "1.9.0"         # MIT/Apache-2.0
-libc = "0.2.48"            # MIT/Apache-2.0
+libc = "0.2"            # MIT/Apache-2.0
 nix = "0.13.0"             # MIT
diff --git a/intel-sgx/ias/Cargo.toml b/intel-sgx/ias/Cargo.toml
@@ -20,7 +20,7 @@ serde_json = { version = "1", optional = true }
 serde = { version = "1.0.7", features = ["derive"] }
 url = "2.2"
 
-mbedtls = { version = "0.12", features = ["std"], default-features = false, optional = true }
+mbedtls = { version = ">=0.12.0, <0.14.0", features = ["std"], default-features = false, optional = true }
 pkix = ">=0.1.0, <0.3.0"
 
 sgx-isa = { version = "0.4", path = "../sgx-isa" }
diff --git a/intel-sgx/pcs/Cargo.toml b/intel-sgx/pcs/Cargo.toml
@@ -35,7 +35,7 @@ failure = "0.1.1"
 anyhow = { version = "1", optional = true }
 quick-error = "1.2.3"
 num = "0.2"
-mbedtls = { version = "0.12.3", features = ["std", "time"], default-features = false, optional = true }
+mbedtls = { version = "0.13.1", features = ["std", "time"], default-features = false, optional = true }
 
 [dev-dependencies]
 hex = "0.4.2"
diff --git a/intel-sgx/pcs/src/pckcrt.rs b/intel-sgx/pcs/src/pckcrt.rs
@@ -25,7 +25,7 @@ use {
     mbedtls::alloc::{Box as MbedtlsBox, List as MbedtlsList},
     mbedtls::ecp::EcPoint,
     mbedtls::x509::certificate::Certificate,
-    mbedtls::Error as MbedError,
+    mbedtls::error::{codes, Error as ErrMbed},
     std::ffi::CString,
     std::ops::Deref,
     super::{DcapArtifactIssuer, PckCrl},
@@ -487,13 +487,13 @@ impl PckCert<Verified> {
     }
 
     #[cfg(feature = "verify")]
-    pub fn pck(&self) -> Result<MbedtlsBox<Certificate>, MbedError> {
-        let cert = CString::new(self.cert.as_bytes()).map_err(|_| MbedError::X509InvalidFormat)?;
-        Certificate::from_pem(cert.as_bytes_with_nul()).map_err(|_| MbedError::X509InvalidFormat)
+    pub fn pck(&self) -> Result<MbedtlsBox<Certificate>, ErrMbed> {
+        let cert = CString::new(self.cert.as_bytes()).map_err(|_| ErrMbed::HighLevel(codes::X509InvalidFormat))?;
+        Certificate::from_pem(cert.as_bytes_with_nul()).map_err(|_| ErrMbed::HighLevel(codes::X509InvalidFormat))
     }
 
     #[cfg(feature = "verify")]
-    pub fn public_key(&self) -> Result<EcPoint, MbedError> {
+    pub fn public_key(&self) -> Result<EcPoint, ErrMbed> {
         let cert = self.pck()?;
         let pk = cert.public_key();
         pk.ec_public()
@@ -1051,7 +1051,7 @@ mod tests {
                 .text()
                 .unwrap();
             match pck.clone().verify(&root_cas, Some(&platform_crl)) {
-                Err(Error::InvalidCrl(MbedError::EcpVerifyFailed)) => (),
+                Err(Error::InvalidCrl(ErrMbed::HighLevel(codes::EcpVerifyFailed))) => (),
                 e => panic!("Unexpected error: {:?}", e),
             }
             let processor_crl = reqwest::blocking::get("https://api.trustedservices.intel.com/sgx/certification/v4/pckcrl?ca=processor&encoding=pem")
diff --git a/intel-sgx/pcs/src/qe_identity.rs b/intel-sgx/pcs/src/qe_identity.rs
@@ -16,7 +16,7 @@ use serde_json::value::RawValue;
 use sgx_isa::{Attributes, Miscselect};
 #[cfg(feature = "verify")]
 use {
-    mbedtls::alloc::List as MbedtlsList, mbedtls::x509::certificate::Certificate, mbedtls::Error as MbedError, pkix::oid,
+    mbedtls::alloc::List as MbedtlsList, mbedtls::x509::certificate::Certificate, mbedtls::error::{codes, Error as ErrMbed}, pkix::oid,
     pkix::pem::PEM_CERTIFICATE, pkix::x509::GenericCertificate, pkix::FromBer, std::ops::Deref,
 };
 
@@ -389,13 +389,13 @@ impl QeIdentitySigned {
         // Check common name TCB cert
         let leaf = self.ca_chain.first().ok_or(Error::IncorrectCA)?;
         let tcb =
-            &pkix::pem::pem_to_der(&leaf, Some(PEM_CERTIFICATE)).ok_or(Error::InvalidQe3Id(MbedError::X509BadInputData))?;
-        let tcb = GenericCertificate::from_ber(&tcb).map_err(|_| Error::InvalidQe3Id(MbedError::X509BadInputData))?;
+            &pkix::pem::pem_to_der(&leaf, Some(PEM_CERTIFICATE)).ok_or(Error::InvalidQe3Id(ErrMbed::HighLevel(codes::X509BadInputData)))?;
+        let tcb = GenericCertificate::from_ber(&tcb).map_err(|_| Error::InvalidQe3Id(ErrMbed::HighLevel(codes::X509BadInputData)))?;
         let name = tcb
             .tbscert
             .subject
             .get(&*oid::commonName)
-            .ok_or(Error::InvalidQe3Id(MbedError::X509BadInputData))?;
+            .ok_or(Error::InvalidQe3Id(ErrMbed::HighLevel(codes::X509BadInputData)))?;
         if String::from_utf8_lossy(&name.value()) != "Intel SGX TCB Signing" {
             return Err(Error::IncorrectCA);
         }
diff --git a/intel-sgx/pcs/src/tcb_evaluation_data_numbers.rs b/intel-sgx/pcs/src/tcb_evaluation_data_numbers.rs
@@ -8,7 +8,7 @@ use std::slice::Iter;
 
 #[cfg(feature = "verify")]
 use {
-    mbedtls::alloc::List as MbedtlsList, mbedtls::x509::certificate::Certificate, mbedtls::Error as MbedError, pkix::oid,
+    mbedtls::alloc::List as MbedtlsList, mbedtls::x509::certificate::Certificate, mbedtls::error::{codes, Error as ErrMbed}, pkix::oid,
     pkix::pem::PEM_CERTIFICATE, pkix::x509::GenericCertificate, pkix::FromBer, std::ops::Deref,
 };
 
@@ -194,13 +194,13 @@ impl RawTcbEvaluationDataNumbers {
         // Check common name TCB cert
         let leaf = self.ca_chain.first().ok_or(Error::IncorrectCA)?;
         let tcb =
-            &pkix::pem::pem_to_der(&leaf, Some(PEM_CERTIFICATE)).ok_or(Error::UntrustworthyTcbEvaluationDataNumber(MbedError::X509BadInputData))?;
-        let tcb = GenericCertificate::from_ber(&tcb).map_err(|_| Error::UntrustworthyTcbEvaluationDataNumber(MbedError::X509BadInputData))?;
+            &pkix::pem::pem_to_der(&leaf, Some(PEM_CERTIFICATE)).ok_or(Error::UntrustworthyTcbEvaluationDataNumber(ErrMbed::HighLevel(codes::X509BadInputData)))?;
+        let tcb = GenericCertificate::from_ber(&tcb).map_err(|_| Error::UntrustworthyTcbEvaluationDataNumber(ErrMbed::HighLevel(codes::X509BadInputData)))?;
         let name = tcb
             .tbscert
             .subject
             .get(&*oid::commonName)
-            .ok_or(Error::UntrustworthyTcbEvaluationDataNumber(MbedError::X509BadInputData))?;
+            .ok_or(Error::UntrustworthyTcbEvaluationDataNumber(ErrMbed::HighLevel(codes::X509BadInputData)))?;
         if String::from_utf8_lossy(&name.value()) != "Intel SGX TCB Signing" {
             return Err(Error::IncorrectCA);
         }
diff --git a/intel-sgx/pcs/src/tcb_info.rs b/intel-sgx/pcs/src/tcb_info.rs
@@ -14,7 +14,7 @@ use serde::{de, Deserialize, Deserializer, Serialize, Serializer};
 use serde_json::value::RawValue;
 #[cfg(feature = "verify")]
 use {
-    mbedtls::alloc::List as MbedtlsList, mbedtls::x509::certificate::Certificate, mbedtls::Error as MbedError, pkix::oid,
+    mbedtls::alloc::List as MbedtlsList, mbedtls::x509::certificate::Certificate, mbedtls::error::{codes, Error as ErrMbed}, pkix::oid,
     pkix::pem::PEM_CERTIFICATE, pkix::x509::GenericCertificate, pkix::FromBer, std::ops::Deref,
 };
 
@@ -426,13 +426,13 @@ impl TcbInfo {
         // Check common name TCB cert
         let leaf = self.ca_chain.first().ok_or(Error::IncorrectCA)?;
         let tcb =
-            &pkix::pem::pem_to_der(&leaf, Some(PEM_CERTIFICATE)).ok_or(Error::InvalidQe3Id(MbedError::X509BadInputData))?;
-        let tcb = GenericCertificate::from_ber(&tcb).map_err(|_| Error::InvalidQe3Id(MbedError::X509BadInputData))?;
+            &pkix::pem::pem_to_der(&leaf, Some(PEM_CERTIFICATE)).ok_or(Error::InvalidQe3Id(ErrMbed::HighLevel(codes::X509BadInputData)))?;
+        let tcb = GenericCertificate::from_ber(&tcb).map_err(|_| Error::InvalidQe3Id(ErrMbed::HighLevel(codes::X509BadInputData)))?;
         let name = tcb
             .tbscert
             .subject
             .get(&*oid::commonName)
-            .ok_or(Error::InvalidQe3Id(MbedError::X509BadInputData))?;
+            .ok_or(Error::InvalidQe3Id(ErrMbed::HighLevel(codes::X509BadInputData)))?;
         if String::from_utf8_lossy(&name.value()) != "Intel SGX TCB Signing" {
             return Err(Error::IncorrectCA);
         }
diff --git a/intel-sgx/sgx-isa/Cargo.toml b/intel-sgx/sgx-isa/Cargo.toml
@@ -17,7 +17,7 @@ categories = ["hardware-support"]
 
 [dev-dependencies]
 # External dependencies
-mbedtls = { version = "0.12", default-features = false, features = ["std"] }
+mbedtls = { version = ">=0.12.0, <0.14.0", default-features = false, features = ["std"] }
 
 [dependencies]
 # External dependencies
