diff --git a/.gitmodules b/.gitmodules index 36634ee..288ea77 100644 --- a/.gitmodules +++ b/.gitmodules @@ -4,6 +4,3 @@ [submodule "deps/td-shim"] path = deps/td-shim url = https://github.com/confidential-containers/td-shim -[submodule "deps/rustls"] - path = deps/rustls - url = https://github.com/rustls/rustls.git diff --git a/deps/patches/rustls.diff b/deps/patches/rustls.diff deleted file mode 100644 index 6766f60..0000000 --- a/deps/patches/rustls.diff +++ /dev/null @@ -1,268 +0,0 @@ -diff --git a/rustls/Cargo.toml b/rustls/Cargo.toml -index 4ec52f86..1962fb28 100644 ---- a/rustls/Cargo.toml -+++ b/rustls/Cargo.toml -@@ -18,14 +18,18 @@ rustversion = { version = "1.0.6", optional = true } - [dependencies] - aws-lc-rs = { version = "1.5", optional = true } - log = { version = "0.4.4", optional = true } --ring = { version = "0.17", optional = true } -+ring = { version = "0.17", features = ["alloc", "less-safe-getrandom-custom-or-rdrand"], default-features = false, optional = true } - subtle = { version = "2.5.0", default-features = false } --webpki = { package = "rustls-webpki", version = "0.102.1", features = ["std"], default-features = false } --pki-types = { package = "rustls-pki-types", version = "1", features = ["std"] } -+webpki = { package = "rustls-webpki", version = "0.102", features = ["alloc", "ring"], default-features = false } -+pki-types = { package = "rustls-pki-types", version = "1" } -+rust_std_stub = { path = "../../../src/std-support/rust-std-stub", optional = true } - zeroize = "1.6.0" - - [features] - default = ["logging", "ring", "tls12"] -+alloc = ["ring/alloc", "webpki/alloc"] -+std = ["alloc", "ring/std", "webpki/std"] -+no_std = ["rust_std_stub", "alloc"] - logging = ["log"] - aws_lc_rs = ["dep:aws-lc-rs", "webpki/aws_lc_rs"] - ring = ["dep:ring", "webpki/ring"] -diff --git a/rustls/src/client/hs.rs b/rustls/src/client/hs.rs -index 26ce6383..3ce9d5dc 100644 ---- a/rustls/src/client/hs.rs -+++ b/rustls/src/client/hs.rs -@@ -68,7 +68,15 @@ fn find_session( - None - }) - .and_then(|resuming| { -+ #[cfg(feature = "std")] - let retrieved = persist::Retrieved::new(resuming, UnixTime::now()); -+ #[cfg(not(feature = "std"))] -+ let retrieved = persist::Retrieved::new( -+ resuming, -+ UnixTime::since_unix_epoch(core::time::Duration::from_secs( -+ std::time::now().as_secs(), -+ )), -+ ); - match retrieved.has_expired() { - false => Some(retrieved), - true => None, -diff --git a/rustls/src/client/tls13.rs b/rustls/src/client/tls13.rs -index fdd53b95..e8926b47 100644 ---- a/rustls/src/client/tls13.rs -+++ b/rustls/src/client/tls13.rs -@@ -673,7 +673,12 @@ impl State for ExpectCertificateVerify { - intermediates, - &self.server_name, - &self.server_cert.ocsp_response, -+ #[cfg(feature = "std")] - UnixTime::now(), -+ #[cfg(not(feature = "std"))] -+ UnixTime::since_unix_epoch(core::time::Duration::from_secs( -+ std::time::now().as_secs(), -+ )), - ) - .map_err(|err| { - cx.common -@@ -956,7 +961,10 @@ impl ExpectTraffic { - .peer_certificates - .clone() - .unwrap_or_default(), -+ #[cfg(feature = "std")] - UnixTime::now(), -+ #[cfg(not(feature = "std"))] -+ UnixTime::since_unix_epoch(core::time::Duration::from_secs(std::time::now().as_secs())), - nst.lifetime, - nst.age_add, - nst.get_max_early_data_size() -diff --git a/rustls/src/error.rs b/rustls/src/error.rs -index 7d692b7f..4c7c3eb2 100644 ---- a/rustls/src/error.rs -+++ b/rustls/src/error.rs -@@ -550,7 +550,7 @@ impl From for Error { - /// - /// Enums holding this type will never compare equal to each other. - #[derive(Debug, Clone)] --pub struct OtherError(pub Arc); -+pub struct OtherError(pub Arc); - - impl PartialEq for OtherError { - fn eq(&self, _other: &Self) -> bool { -@@ -570,12 +570,6 @@ impl fmt::Display for OtherError { - } - } - --impl StdError for OtherError { -- fn source(&self) -> Option<&(dyn StdError + 'static)> { -- Some(self.0.as_ref()) -- } --} -- - #[cfg(test)] - mod tests { - use super::{Error, InvalidMessage}; -diff --git a/rustls/src/lib.rs b/rustls/src/lib.rs -index 8988f31c..2ba40be4 100644 ---- a/rustls/src/lib.rs -+++ b/rustls/src/lib.rs -@@ -273,7 +273,9 @@ - - // Require docs for public APIs, deny unsafe code, etc. - #![forbid(unsafe_code, unused_must_use)] --#![cfg_attr(not(any(read_buf, bench)), forbid(unstable_features))] -+// If std feature enabled, forbit unstable_features -+#![cfg_attr(feature = "std", forbid(unstable_features))] -+#![cfg_attr(feature = "std", deny(unused_qualifications))] - #![deny( - clippy::alloc_instead_of_core, - clippy::clone_on_ref_ptr, -@@ -285,8 +287,7 @@ - missing_docs, - unreachable_pub, - unused_import_braces, -- unused_extern_crates, -- unused_qualifications -+ unused_extern_crates - )] - // Relax these clippy lints: - // - ptr_arg: this triggers on references to type aliases that are Vec -@@ -305,6 +306,8 @@ - clippy::single_component_path_imports, - clippy::new_without_default - )] -+#![allow(internal_features)] -+#![feature(prelude_import)] - // Enable documentation for all features on docs.rs - #![cfg_attr(docsrs, feature(doc_cfg, doc_auto_cfg))] - // XXX: Because of https://github.com/rust-lang/rust/issues/54726, we cannot -@@ -326,8 +329,20 @@ extern crate alloc; - // is in `std::prelude` but not in `core::prelude`. This helps maintain no-std support as even - // developers that are not interested in, or aware of, no-std support and / or that never run - // `cargo build --no-default-features` locally will get errors when they rely on `std::prelude` API. -+#[cfg(all(not(test), feature = "std"))] - extern crate std; - -+#[cfg(not(feature = "std"))] -+extern crate rust_std_stub as std; -+ -+// prelude internal_std for calling Vec, String, Mutex, HashMap, etc. -+#[cfg(not(feature = "std"))] -+#[prelude_import] -+#[allow(unused_imports)] -+#[allow(unused_attributes)] -+#[macro_use] -+use std::prelude::*; -+ - // Import `test` sysroot crate for `Bencher` definitions. - #[cfg(bench)] - #[allow(unused_extern_crates)] -@@ -374,6 +389,7 @@ mod bs_debug; - mod builder; - mod enums; - mod key_log; -+#[cfg(feature = "std")] - mod key_log_file; - mod suites; - mod versions; -@@ -441,7 +457,10 @@ pub use crate::error::{ - CertRevocationListError, CertificateError, Error, InvalidMessage, OtherError, PeerIncompatible, - PeerMisbehaved, - }; -+#[cfg(not(feature = "std"))] -+pub use crate::key_log::NoKeyLog as KeyLogFile; - pub use crate::key_log::{KeyLog, NoKeyLog}; -+#[cfg(feature = "std")] - pub use crate::key_log_file::KeyLogFile; - pub use crate::msgs::enums::NamedGroup; - pub use crate::msgs::handshake::DistinguishedName; -diff --git a/rustls/src/server/tls13.rs b/rustls/src/server/tls13.rs -index 290fb3db..45121a2d 100644 ---- a/rustls/src/server/tls13.rs -+++ b/rustls/src/server/tls13.rs -@@ -312,10 +312,16 @@ mod client_hello { - } - - for (i, psk_id) in psk_offer.identities.iter().enumerate() { -+ #[cfg(feature = "std")] -+ let now = UnixTime::now(); -+ #[cfg(not(feature = "std"))] -+ let now = UnixTime::since_unix_epoch(core::time::Duration::from_secs( -+ std::time::now().as_secs(), -+ )); - let resume = match self - .attempt_tls13_ticket_decryption(&psk_id.identity.0) - .map(|resumedata| { -- resumedata.set_freshness(psk_id.obfuscated_ticket_age, UnixTime::now()) -+ resumedata.set_freshness(psk_id.obfuscated_ticket_age, now) - }) - .filter(|resumedata| { - hs::can_resume(self.suite.into(), &cx.data.sni, false, resumedata) -@@ -921,9 +927,14 @@ impl State for ExpectCertificate { - Some(chain) => chain, - }; - -+ #[cfg(feature = "std")] -+ let now = UnixTime::now(); -+ #[cfg(not(feature = "std"))] -+ let now = -+ UnixTime::since_unix_epoch(core::time::Duration::from_secs(std::time::now().as_secs())); - self.config - .verifier -- .verify_client_cert(end_entity, intermediates, UnixTime::now()) -+ .verify_client_cert(end_entity, intermediates, now) - .map_err(|err| { - cx.common - .send_cert_verify_error_alert(err) -@@ -1096,7 +1107,10 @@ impl ExpectFinished { - key_schedule, - cx, - &nonce, -+ #[cfg(feature = "std")] - UnixTime::now(), -+ #[cfg(not(feature = "std"))] -+ UnixTime::since_unix_epoch(core::time::Duration::from_secs(std::time::now().as_secs())), - age_add, - ) - .get_encoding(); -diff --git a/rustls/src/ticketer.rs b/rustls/src/ticketer.rs -index ddadb0ef..8a43f5bc 100644 ---- a/rustls/src/ticketer.rs -+++ b/rustls/src/ticketer.rs -@@ -46,9 +46,12 @@ impl TicketSwitcher { - next: Some(generator()?), - current: generator()?, - previous: None, -+ #[cfg(feature = "std")] - next_switch_time: UnixTime::now() - .as_secs() - .saturating_add(u64::from(lifetime)), -+ #[cfg(not(feature = "std"))] -+ next_switch_time: std::time::now().as_secs(), - }), - }) - } -@@ -144,13 +147,25 @@ impl ProducesTickets for TicketSwitcher { - } - - fn encrypt(&self, message: &[u8]) -> Option> { -- let state = self.maybe_roll(UnixTime::now())?; -+ #[cfg(feature = "std")] -+ let now = UnixTime::now(); -+ #[cfg(not(feature = "std"))] -+ let now = -+ UnixTime::since_unix_epoch(core::time::Duration::from_secs(std::time::now().as_secs())); -+ -+ let state = self.maybe_roll(now)?; - - state.current.encrypt(message) - } - - fn decrypt(&self, ciphertext: &[u8]) -> Option> { -- let state = self.maybe_roll(UnixTime::now())?; -+ #[cfg(feature = "std")] -+ let now = UnixTime::now(); -+ #[cfg(not(feature = "std"))] -+ let now = -+ UnixTime::since_unix_epoch(core::time::Duration::from_secs(std::time::now().as_secs())); -+ -+ let state = self.maybe_roll(now)?; - - // Decrypt with the current key; if that fails, try with the previous. - state diff --git a/deps/rustls b/deps/rustls deleted file mode 160000 index ae277be..0000000 --- a/deps/rustls +++ /dev/null @@ -1 +0,0 @@ -Subproject commit ae277befb5061bbd4c44fea1c2697f2da5b2f6fa diff --git a/sh_script/preparation.sh b/sh_script/preparation.sh index 74c1965..18126c7 100755 --- a/sh_script/preparation.sh +++ b/sh_script/preparation.sh @@ -4,12 +4,6 @@ preparation() { pushd deps/td-shim bash sh_script/preparation.sh popd - - pushd deps/rustls - git reset --hard ae277befb5061bbd4c44fea1c2697f2da5b2f6fa - git clean -f -d - patch -p 1 -i ../patches/rustls.diff - popd } preparation