update rust mbedtls code & tests

fortanix · May 10, 2023 · ac30080 · ac30080
1 parent 5a5a6f5
commit ac30080
Show file tree

Hide file tree

Showing 39 changed files with 2,708 additions and 966 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/mbedtls/Cargo.toml b/mbedtls/Cargo.toml
@@ -34,7 +34,7 @@ tokio = { version = "1.16.1", optional = true }
 rs-libc = "0.2.0"
 
 [dependencies.mbedtls-sys-auto]
-version = "2.25.0"
+version = "3.4.0"
 default-features = false
 features = ["trusted_cert_callback", "threading"]
 path = "../mbedtls-sys"
@@ -54,6 +54,9 @@ async-stream = "0.3.0"
 futures = "0.3"
 tracing = "0.1"
 pin-project-lite = "0.2"
+ntest = "0.8"
+lazy_static = "1.4"
+env_logger = "0.10"
 
 [build-dependencies]
 cc = "1.0"
@@ -73,7 +76,6 @@ padlock = ["mbedtls-sys-auto/padlock"]
 dsa = ["std", "yasna", "num-bigint", "bit-vec"]
 pkcs12 = ["std", "yasna"]
 pkcs12_rc2 = ["pkcs12", "rc2", "cbc"]
-legacy_protocols = ["mbedtls-sys-auto/legacy_protocols"]
 async = ["std", "tokio","tokio/net","tokio/io-util", "tokio/macros"]
 async-rt = ["async", "tokio/rt", "tokio/sync", "tokio/rt-multi-thread"]
 

diff --git a/mbedtls/examples/server.rs b/mbedtls/examples/server.rs
@@ -24,6 +24,7 @@ use mbedtls::Result as TlsResult;
 mod support;
 use support::entropy::entropy_new;
 use support::keys;
+use support::rand::test_rng;
 
 fn listen<E, F: FnMut(TcpStream) -> Result<(), E>>(mut handle_client: F) -> Result<(), E> {
     let sock = TcpListener::bind("127.0.0.1:8080").unwrap();
@@ -39,7 +40,7 @@ fn result_main() -> TlsResult<()> {
     let entropy = entropy_new();
     let rng = Arc::new(CtrDrbg::new(Arc::new(entropy), None)?);
     let cert = Arc::new(Certificate::from_pem_multiple(keys::PEM_CERT.as_bytes())?);
-    let key = Arc::new(Pk::from_private_key(keys::PEM_KEY.as_bytes(), None)?);
+    let key = Arc::new(Pk::from_private_key(&mut test_rng(),keys::PEM_KEY.as_bytes(), None)?);
     let mut config = Config::new(Endpoint::Server, Transport::Stream, Preset::Default);
     config.set_rng(rng);
     config.push_cert(cert, key)?;

diff --git a/mbedtls/src/bignum/mod.rs b/mbedtls/src/bignum/mod.rs
@@ -131,8 +131,8 @@ impl Mpi {
     }
 
     fn get_limb(&self, n: usize) -> mpi_uint {
-        if n < self.inner.n {
-            unsafe { *self.inner.p.offset(n as isize) }
+        if n < self.inner.private_n {
+            unsafe { *self.inner.private_p.offset(n as isize) }
         } else {
             // zero pad
             0

diff --git a/mbedtls/src/cipher/mod.rs b/mbedtls/src/cipher/mod.rs
@@ -145,7 +145,7 @@ impl<O: Operation, T: Type> Cipher<O, T, Fresh> {
 
         // Put together the structure to return
         Ok(Cipher {
-            raw_cipher: raw_cipher,
+            raw_cipher,
             padding: raw::CipherPadding::Pkcs7,
             _op: PhantomData,
             _type: PhantomData,
@@ -290,12 +290,12 @@ impl Cipher<Encryption, Authenticated, AdditionalData> {
     pub fn encrypt_auth_inplace(
         mut self,
         ad: &[u8],
-        data: &mut [u8],
-        tag: &mut [u8],
+        data_with_tag: &mut [u8],
+        tag_len: usize,
     ) -> Result<(usize, Cipher<Encryption, Authenticated, Finished>)> {
         Ok((
             self.raw_cipher
-                .encrypt_auth_inplace(ad, data, tag)?,
+                .encrypt_auth_inplace(ad, data_with_tag, tag_len)?,
             self.change_state(),
         ))
     }
@@ -319,12 +319,12 @@ impl Cipher<Decryption, Authenticated, AdditionalData> {
     pub fn decrypt_auth_inplace(
         mut self,
         ad: &[u8],
-        data: &mut [u8],
-        tag: &[u8],
+        data_with_tag: &mut [u8],
+        tag_len: usize,
     ) -> Result<(usize, Cipher<Decryption, Authenticated, Finished>)> {
         Ok((
             self.raw_cipher
-                .decrypt_auth_inplace(ad, data, tag)?,
+                .decrypt_auth_inplace(ad, data_with_tag, tag_len)?,
             self.change_state(),
         ))
     }
@@ -437,6 +437,7 @@ fn ccm_inplace() {
     let iv = [0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16];
     let ad = [0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07];
     let mut c = [0x20, 0x21, 0x22, 0x23, 0x0, 0x0, 0x0, 0x0];
+    let tag_len: usize = 4;
     let validate_cipher = [0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d];
     let validate_plain = [0x20, 0x21, 0x22, 0x23];
 
@@ -447,9 +448,8 @@ fn ccm_inplace() {
     )
     .unwrap();
     let cipher = cipher.set_key_iv(&k, &iv).unwrap();
-    let (data, tag) = c.split_at_mut(4);
     cipher
-        .encrypt_auth_inplace(&ad, data, tag)
+        .encrypt_auth_inplace(&ad, &mut c, tag_len)
         .unwrap();
     assert_eq!(c, validate_cipher);
 
@@ -460,9 +460,8 @@ fn ccm_inplace() {
     )
     .unwrap();
     let cipher = cipher.set_key_iv(&k, &iv).unwrap();
-    let (data, tag) = c.split_at_mut(4);
-    cipher.decrypt_auth_inplace(&ad, data, tag).unwrap();
-    assert_eq!(validate_plain, data);
+    cipher.decrypt_auth_inplace(&ad, &mut c, tag_len).unwrap();
+    assert_eq!(validate_plain, c[..c.len() - tag_len]);
 }
 
 #[test]