Update to mbedtls v0.13.0 #658

mridul-manohar · 2024-11-19T19:54:22Z

rust-mbedtls PR #372 adds combined errors for mbedtls. this enhancement is available from mbedtls v0.13.0

fortanix-vme/aws-nitro-enclaves/eif-tools/Cargo.toml

Taowyoo · 2024-11-20T22:34:09Z

@mridul-manohar From CI, some errors used in code need to be updated. Please check.

Pagten · 2025-04-25T12:37:07Z

For all crates that didn't need any rust code modifications when upgrading to mbedtls 0.13, we should consider specifying the dependency as

mbedtls = { version = ">=0.12.0, <0.14.0", ... }

This more accurately presents the actual dependency constraints of these crates and it may ease the process for upgrading them, since consumers won't be forced to simultaneously upgrade to the new mbedtls version.

mridul-manohar · 2025-05-19T19:00:03Z

For all crates that didn't need any rust code modifications when upgrading to mbedtls 0.13, we should consider specifying the dependency as
mbedtls = { version = ">=0.12.0, <0.14.0", ... }
This more accurately presents the actual dependency constraints of these crates and it may ease the process for upgrading them, since consumers won't be forced to simultaneously upgrade to the new mbedtls version.

@Pagten ^Addressed this change-request.

Taowyoo

Since changing error type in most cases is breaking change.
Could you check and bump the version of updated crates ?

fortanix-vme/aws-nitro-enclaves/nitro-attestation-verify/Cargo.toml

Taowyoo · 2025-05-19T21:01:08Z

intel-sgx/pcs/Cargo.toml

@@ -35,11 +35,12 @@ failure = "0.1.1"
 anyhow = { version = "1", optional = true }
 quick-error = "1.2.3"
 num = "0.2"
-mbedtls = { version = "0.12.3", features = ["std", "time"], default-features = false, optional = true }
+mbedtls = { version = "0.13.2", features = ["std", "time"], default-features = false, optional = true }


Suggested change

mbedtls = { version = "0.13.2", features = ["std", "time"], default-features = false, optional = true }

mbedtls = { version = ">=0.12.0, <0.14.0", features = ["std", "time"], default-features = false, optional = true }

Changed as suggested. We are pointing it to exact version = "0.13.1"

raoulstrackx

There are many code changes that are (likely) not compatible with mbedtls 0.12. You may be able to call .into() to ensure the code keeps working for both versions.

raoulstrackx · 2025-05-20T08:15:57Z

fortanix-vme/aws-nitro-enclaves/nitro-attestation-verify/src/lib.rs

-        static ref NOT_VALID_YET_ERR: NitroError = NitroError::CertificateVerifyFailure("Certificate verify failure: X509CertVerifyFailed, The certificate validity starts in the future\n".to_string());
-        static ref EXPIRED_ERR: NitroError = NitroError::CertificateVerifyFailure("Certificate verify failure: X509CertVerifyFailed, The certificate validity has expired\n".to_string());
+        static ref NOT_VALID_YET_ERR: NitroError = NitroError::CertificateVerifyFailure("Certificate verify failure: HighLevel(X509CertVerifyFailed), The certificate validity starts in the future\n".to_string());
+        static ref EXPIRED_ERR: NitroError = NitroError::CertificateVerifyFailure("Certificate verify failure: HighLevel(X509CertVerifyFailed), The certificate validity has expired\n".to_string());


Does this change still work on mbedtls 0.12?

This requires v0.13.1 (therefore not backcompt)
and we are pointing to exact version = "0.13.1"

raoulstrackx · 2025-05-20T08:16:17Z

fortanix-vme/aws-nitro-enclaves/nitro-attestation-verify/src/mbedtls.rs

@@ -97,7 +98,7 @@ impl SigningPublicKey for WrappedCert {
        // We'll throw error if signature verify does not work
        match pk.verify(*md, &digest, &sig) {
            Ok(_) => Ok(true),
-            Err(mbedtls::Error::EcpVerifyFailed) => Ok(false),
+            Err(ErrMbed::HighLevel(codes::EcpVerifyFailed)) => Ok(false),


Does this change still work on mbedtls 0.12?

This requires v0.13.1 (therefore not backcompt)
and we are pointing to exact version = "0.13.1" now

raoulstrackx · 2025-05-20T08:17:06Z

intel-sgx/pcs/src/pckcrt.rs

-        Certificate::from_pem(cert.as_bytes_with_nul()).map_err(|_| MbedError::X509InvalidFormat)
+    pub fn pck(&self) -> Result<MbedtlsBox<Certificate>, ErrMbed> {
+        let cert = CString::new(self.cert.as_bytes()).map_err(|_| ErrMbed::HighLevel(codes::X509InvalidFormat))?;
+        Certificate::from_pem(cert.as_bytes_with_nul()).map_err(|_| ErrMbed::HighLevel(codes::X509InvalidFormat))


Does this change still work on mbedtls 0.12?

This requires v0.13.1 (therefore not backcompt)
and we are pointing to exact version = "0.13.1"

raoulstrackx · 2025-05-20T08:17:42Z

intel-sgx/pcs/Cargo.toml


 [dev-dependencies]
 hex = "0.4.2"
 tempdir = "0.3.7"
+mbedtls = { version = ">=0.12.0, <0.14.0" }


Why is this needed?

Had added this for mbedtls imports in mod tests { .. }
removed this now since it was not needed.

mridul-manohar · 2025-05-20T19:07:20Z

There are many code changes that are (likely) not compatible with mbedtls 0.12. You may be able to call .into() to ensure the code keeps working for both versions.

@raoulstrackx thanks for pointing this out. After discussing with @Taowyoo we have decided to point to specific
version = "0.13.1" for the crates which required code changes for combined error types. This ensures that we don't need to ensure compatibility ( using .into() ) with ver0.12

raoulstrackx · 2025-05-21T15:02:33Z

There are many code changes that are (likely) not compatible with mbedtls 0.12. You may be able to call .into() to ensure the code keeps working for both versions.

@raoulstrackx thanks for pointing this out. After discussing with @Taowyoo we have decided to point to specific version = "0.13.1" for the crates which required code changes for combined error types. This ensures that we don't need to ensure compatibility ( using .into() ) with ver0.12

What was the reasoning to force upgrades to mbedtls 0.13.1? It'd be at least a breaking change for pcs (I haven't checked the other crates). I'm also a little bit worried about the impact on the fortanixvme target. Just adding .into() to fix the errors should work, and would only require a patch number bump.

Taowyoo · 2025-05-22T18:39:00Z

HI @raoulstrackx
@mridul’s PR is going to upgrade mbedtls in rust-sgx repo to 0.13
Any crates that directly use mbedtls Error type need to upgrade the dependency requirement on mbedtls to 0.13 , include:

nitro-attestation-verify
pcs

Crates that do not explicitly use mbedtls Error type could use range version ">=0.12.0, <0.14.0" to keep compatibility for 0.12 version

Taowyoo · 2025-05-22T18:41:14Z

I think the main concern from @raoul Strackx is that bumping mbedtls version in vme crates might cause compile issue in roche.

So I suggest @mridul to have a PR on roche side with changes in rust-sgx to ensure changes in rust-sgx is fine with roche CI.

mridul-manohar requested review from Taowyoo and raoulstrackx November 19, 2024 19:54

Taowyoo reviewed Nov 20, 2024

View reviewed changes

fortanix-vme/aws-nitro-enclaves/eif-tools/Cargo.toml Outdated Show resolved Hide resolved

mridul-manohar force-pushed the mridul/mbedtls-0.13-update branch from 10ce53b to 731c4e4 Compare April 24, 2025 21:46

Taowyoo previously approved these changes Apr 24, 2025

View reviewed changes

mridul-manohar dismissed Taowyoo’s stale review via 17c5949 May 12, 2025 14:32

mridul-manohar added 4 commits May 13, 2025 13:50

initial commit

11dc96e

serde revert

be8132a

update mbedtls_v0.13.1

261215a

update locks

0d2ff55

mridul-manohar force-pushed the mridul/mbedtls-0.13-update branch from 17c5949 to 0d2ff55 Compare May 13, 2025 08:23

mridul-manohar added 8 commits May 13, 2025 18:26

build fix1

5554888

build fix2

f0207b7

build fix3

f293ada

pcs mbedtls0.13.2

89d5bf8

build fix4

7615d6b

build fix5

6db924a

build fix6

c2b1ba0

review - mbedtls ver range

81c01f3

Taowyoo reviewed May 19, 2025

View reviewed changes

review - mbedtls ver range2

e7d9354

raoulstrackx requested changes May 20, 2025

View reviewed changes

mridul-manohar added 2 commits May 20, 2025 16:43

dev-dep remove

fab9536

exact ver

d08a371

Taowyoo approved these changes May 22, 2025

View reviewed changes

	mbedtls = { version = "0.13.2", features = ["std", "time"], default-features = false, optional = true }
	mbedtls = { version = ">=0.12.0, <0.14.0", features = ["std", "time"], default-features = false, optional = true }

Update to mbedtls v0.13.0 #658

Are you sure you want to change the base?

Update to mbedtls v0.13.0 #658

Uh oh!

Conversation

mridul-manohar commented Nov 19, 2024

Uh oh!

Uh oh!

Taowyoo commented Nov 20, 2024

Uh oh!

Pagten commented Apr 25, 2025

Uh oh!

mridul-manohar commented May 19, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Taowyoo left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

mridul-manohar May 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

raoulstrackx left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

mridul-manohar commented May 20, 2025

Uh oh!

raoulstrackx commented May 21, 2025

Uh oh!

Taowyoo commented May 22, 2025

Uh oh!

Taowyoo commented May 22, 2025

Uh oh!

Uh oh!

mridul-manohar commented May 19, 2025 •

edited

Loading

mridul-manohar May 20, 2025 •

edited

Loading