Merge #50

50: Implement cert expiry checking without libc r=jack-fortanix a=Goirad

Add features and implementations of time related functions to use when `libc` isn't available.
Because of feature weirdness I added a `use_libc` feature for those that want to just use libc.
The `gmtime_r` function is written with chrono, as is the custom `time` function.

Co-authored-by: Dario Gonzalez <[email protected]>

Author: bors[bot]

Cargo.lock

@@ -16,5 +16,6 @@ cargo test --features zlib
 cargo test --features pkcs12
 cargo test --features pkcs12_rc2
 cargo test --features force_aesni_support
+cargo +$CORE_IO_NIGHTLY test --no-default-features --features core_io,rdrand,time,custom_time,custom_gmtime_r
 cargo +$CORE_IO_NIGHTLY test --no-default-features --features core_io,rdrand
 cargo +nightly test --no-run --target=x86_64-fortanix-unknown-sgx --features=sgx --no-default-features

ct.sh

@@ -35,12 +35,14 @@ cmake = "0.1.17"
 default = ["std", "zlib", "time", "pthread", "aesni", "padlock", "legacy_protocols"]
 std = []
 custom_printf = []
+custom_time = ["custom_gmtime_r", "time"]
+custom_gmtime_r = ["time"]
 custom_has_support = []
 aes_alt = []
 custom_threading = ["threading"]
 pthread = ["libc","threading"]
 threading = []
-time = ["libc"]
+time = []
 havege = ["time"]
 zlib = ["libz-sys"]
 pkcs11 = []

mbedtls-sys/Cargo.toml

@@ -382,6 +382,8 @@ pub const FEATURE_DEFINES: &'static [(&'static str, CDefine)] = &[
     ("time",               ("MBEDTLS_HAVE_TIME",               Defined)),
     ("time",               ("MBEDTLS_HAVE_TIME_DATE",          Defined)),
     ("time",               ("MBEDTLS_TIMING_C",                Defined)),
+    ("custom_time",        ("MBEDTLS_PLATFORM_TIME_MACRO",     DefinedAs("mbedtls_time"))),
+    ("custom_gmtime_r",    ("MBEDTLS_PLATFORM_GMTIME_R_ALT",   Defined)),
     ("havege",             ("MBEDTLS_HAVEGE_C",                Defined)),
     ("threading",          ("MBEDTLS_THREADING_C",             Defined)),
     ("pthread",            ("MBEDTLS_THREADING_PTHREAD",       Defined)),

mbedtls-sys/build/config.rs

@@ -19,3 +19,9 @@ pub use bindings::*;
    https://github.com/rust-lang-nursery/rust-bindgen/issues/231
 */
 pub const ECDSA_MAX_LEN : u32 = 141;
+
+#[cfg(all(feature = "time", not(feature = "custom_time"), not(feature = "libc")))]
+impl _ERROR_MUST_ENABLE_EITHER_CUSTOM_TIME_OR_LIBC_ for _TIME_FEATURE_ {}
+
+#[cfg(all(feature = "time", not(feature = "custom_gmtime_r"), not(feature = "libc")))]
+impl _ERROR_MUST_ENABLE_EITHER_CUSTOM_GMTIME_R_OR_LIBC_ for _TIME_FEATURE_ {}

mbedtls-sys/src/lib.rs

@@ -89,21 +89,40 @@ extern crate libc;
 #[cfg(feature = "libc")]
 mod libc_types {
     pub use super::libc::FILE;
+
+    #[cfg(feature = "time")]
+    pub use super::libc::{time_t, tm};
+
 }
 
 #[cfg(not(feature = "libc"))]
 mod libc_types {
     pub enum FILE {}
+
+    #[cfg(feature = "time")]
+    pub type time_t = i64;
+
+    #[cfg(feature = "time")]
+    #[repr(C)]
+    pub struct tm {
+        pub tm_sec:   i32,            /* Seconds.        [0-60] (1 leap second) */
+        pub tm_min:   i32,            /* Minutes.        [0-59] */
+        pub tm_hour:  i32,            /* Hours.          [0-23] */
+        pub tm_mday:  i32,            /* Day.            [1-31] */
+        pub tm_mon:   i32,            /* Month.          [0-11] */
+        pub tm_year:  i32,            /* Year          - 1900.  */
+        pub tm_wday:  i32,            /* Day of week.    [0-6]  */
+        pub tm_yday:  i32,            /* Days in year.   [0-365]*/
+        pub tm_isdst: i32,
+    }
+
 }
 
 pub use self::libc_types::*;
 
 #[cfg(feature = "pthread")]
 pub use self::libc::pthread_mutex_t;
 
-#[cfg(feature = "time")]
-pub use self::libc::{time_t, tm};
-
 #[cfg(feature = "zlib")]
 extern crate libz_sys;
 #[cfg(feature = "zlib")]

mbedtls-sys/src/types.rs

@@ -19,6 +19,7 @@ keywords = ["MbedTLS","mbed","TLS","SSL","cryptography"]
 
 [dependencies]
 bitflags = "1"
+chrono = "0.4"
 core_io = { version = "0.1", features = ["collections"], optional = true }
 spin = { version = "0.4.0", default-features = false, optional = true }
 serde = { version = "1.0.7", default-features = false }
@@ -47,7 +48,7 @@ cc = "1.0"
 
 [features]
 # Features are documented in the README
-default = ["std", "aesni", "time", "padlock", "legacy_protocols"]
+default = ["std", "aesni", "time", "padlock", "legacy_protocols", "use_libc"]
 std = ["mbedtls-sys-auto/std","serde/std"]
 threading = []
 pthread = ["threading","std","mbedtls-sys-auto/pthread"]
@@ -56,6 +57,9 @@ sgx = ["std", "rust_threading", "rdrand", "force_aesni_support"]
 rust_threading = ["threading", "mbedtls-sys-auto/custom_threading", "std"]
 force_aesni_support = ["mbedtls-sys-auto/custom_has_support","mbedtls-sys-auto/aes_alt","aesni"]
 rdrand = []
+use_libc = ["mbedtls-sys-auto/libc"]
+custom_gmtime_r = ["mbedtls-sys-auto/custom_gmtime_r"]
+custom_time = ["mbedtls-sys-auto/custom_time"]
 aesni = ["mbedtls-sys-auto/aesni"]
 zlib = ["mbedtls-sys-auto/zlib"]
 time = ["mbedtls-sys-auto/time"]

mbedtls/Cargo.toml

@@ -117,3 +117,48 @@ mod alloc_prelude {
     pub(crate) use alloc::string::ToString;
     pub(crate) use alloc::vec::Vec;
 }
+
+#[cfg(all(feature="time", any(feature="custom_gmtime_r", feature="custom_time")))]
+use mbedtls_sys::types::{time_t, tm};
+
+#[cfg(any(feature = "custom_gmtime_r", feature = "custom_time"))]
+extern crate chrono;
+
+#[cfg(feature="custom_gmtime_r")]
+#[doc(hidden)]
+#[no_mangle]
+pub unsafe extern "C" fn mbedtls_platform_gmtime_r(tt: *const time_t, tp: *mut tm) -> *mut tm {
+    use chrono::prelude::*;
+
+    //0 means no TZ offset
+    let naive = if tp.is_null() {
+        return core::ptr::null_mut()
+    } else {
+        NaiveDateTime::from_timestamp(*tt, 0)
+    };
+    let utc = DateTime::<Utc>::from_utc(naive, Utc);
+
+    let tp = &mut *tp;
+    tp.tm_sec   = utc.second()   as i32;
+    tp.tm_min   = utc.minute()   as i32;
+    tp.tm_hour  = utc.hour()     as i32;
+    tp.tm_mday  = utc.day()      as i32;
+    tp.tm_mon   = utc.month0()   as i32;
+    tp.tm_year  = utc.year()     as i32 - 1900;
+    tp.tm_wday  = utc.weekday().num_days_from_monday() as i32;
+    tp.tm_yday  = utc.ordinal0() as i32;
+    tp.tm_isdst = 0;
+
+    tp
+}
+
+#[cfg(feature="custom_time")]
+#[doc(hidden)]
+#[no_mangle]
+pub unsafe extern "C" fn mbedtls_time(tp: *mut time_t) -> time_t {
+    let timestamp = chrono::Utc::now().timestamp() as time_t;
+    if !tp.is_null() {
+        *tp = timestamp;
+    }
+    timestamp
+}

mbedtls/src/lib.rs

@@ -206,7 +206,8 @@ impl LinkedCertificate {
         if result.is_err() {
             if let Some(err_info) = err_info {
                 let verify_info = crate::private::alloc_string_repeat(|buf, size| unsafe {
-                    x509_crt_verify_info(buf, size, ptr::null_mut(), flags)
+                    let prefix = "\0";
+                    x509_crt_verify_info(buf, size, prefix.as_ptr() as *const _, flags)
                 });
                 if let Ok(error_str) = verify_info {
                     *err_info = error_str;

mbedtls/src/x509/certificate.rs

@@ -32,18 +32,23 @@ fn client(
     exp_version: Option<Version>) -> TlsResult<()> {
     let mut entropy = entropy_new();
     let mut rng = CtrDrbg::new(&mut entropy, None)?;
-    let mut cert = Certificate::from_pem(keys::PEM_CERT)?;
+    let mut cacert = Certificate::from_pem(keys::ROOT_CA_CERT)?;
+    let expected_flags = VerifyError::empty();
+    #[cfg(feature = "time")]
+    let expected_flags = expected_flags | VerifyError::CERT_EXPIRED;
     let mut verify_args = None;
     {
         let verify_callback =
             &mut |crt: &mut LinkedCertificate, depth, verify_flags: &mut VerifyError| {
-                verify_args = Some((crt.subject().unwrap(), depth, verify_flags.bits()));
+                verify_args = Some((crt.subject().unwrap(), depth, *verify_flags));
+                verify_flags.remove(VerifyError::CERT_EXPIRED); //we check the flags at the end,
+                //so removing this flag here prevents the connections from failing with VerifyError
                 Ok(())
             };
         let mut config = Config::new(Endpoint::Client, Transport::Stream, Preset::Default);
         config.set_rng(Some(&mut rng));
         config.set_verify_callback(verify_callback);
-        config.set_ca_list(Some(&mut *cert), None);
+        config.set_ca_list(Some(&mut *cacert), None);
         config.set_min_version(min_version)?;
         config.set_max_version(max_version)?;
         let mut ctx = Context::new(&config)?;
@@ -56,10 +61,9 @@ fn client(
                 s
             }
             Err(e) => {
-                assert!(exp_version.is_none());
                 match e {
-                    Error::SslBadHsProtocolVersion => {}
-                    Error::SslFatalAlertMessage => {}
+                    Error::SslBadHsProtocolVersion => {assert!(exp_version.is_none())},
+                    Error::SslFatalAlertMessage => {},
                     e => panic!("Unexpected error {}", e),
                 };
                 return Ok(());
@@ -74,7 +78,7 @@ fn client(
         session.read_exact(&mut buf).unwrap();
         assert_eq!(&buf, format!("Server2Client {:4x}", ciphersuite).as_bytes());
     } // drop verify_callback, releasing borrow of verify_args
-    assert_eq!(verify_args, Some((keys::PEM_CERT_SUBJECT.to_owned(), 0, 0)));
+    assert_eq!(verify_args, Some((keys::EXPIRED_CERT_SUBJECT.to_owned(), 0, expected_flags)));
     Ok(())
 }
 
@@ -86,8 +90,8 @@ fn server(
 ) -> TlsResult<()> {
     let mut entropy = entropy_new();
     let mut rng = CtrDrbg::new(&mut entropy, None)?;
-    let mut cert = Certificate::from_pem(keys::PEM_CERT)?;
-    let mut key = Pk::from_private_key(keys::PEM_KEY, None)?;
+    let mut cert = Certificate::from_pem(keys::EXPIRED_CERT)?;
+    let mut key = Pk::from_private_key(keys::EXPIRED_KEY, None)?;
     let mut config = Config::new(Endpoint::Server, Transport::Stream, Preset::Default);
     config.set_rng(Some(&mut rng));
     config.set_min_version(min_version)?;
@@ -102,11 +106,10 @@ fn server(
             s
         }
         Err(e) => {
-            assert!(exp_version.is_none());
             match e {
                 // client just closes connection instead of sending alert
-                Error::NetSendFailed => {}
-                Error::SslBadHsProtocolVersion => {}
+                Error::NetSendFailed => {assert!(exp_version.is_none())},
+                Error::SslBadHsProtocolVersion => {},
                 e => panic!("Unexpected error {}", e),
             };
             return Ok(());