Merge pull request #343 from fortanix/yx/upgrade_vendor_mbedtls

- Upgrade vendor `mbedtls` code version to `0.28.7`.
- Bump `mbedtls-sys-auto` code version to `0.28.7`.
- Add a script to automate vendor code update process, see fe68f9c.
- Save all patches we made to vendor code, see fe68f9c.

Author: Taowyoo

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "mbedtls-sys-auto"
-version = "2.28.4+mbedtls-2.28.3"
+version = "2.28.7"
 authors = ["Jethro Beekman <[email protected]>"]
 build = "build/build.rs"
 license = "Apache-2.0 OR GPL-2.0-or-later"
@@ -15,8 +15,8 @@ links = "mbedtls"
 
 [package.metadata.mbedtls]
 git = "https://github.com/Mbed-TLS/mbedtls.git"
-version = "2.28.3"
-rev = "981743de6fcdbe672e482b6fd724d31d0a0d2476"
+version = "2.28.7"
+rev = "555f84735aecdbd76a566cf087ec8425dfb0c8ab"
 
 [lib]
 name = "mbedtls_sys"

mbedtls-sys/Cargo.toml

@@ -0,0 +1,59 @@
+From cf13aecfd2270d83b0f466e8d967be95a3923e26 Mon Sep 17 00:00:00 2001
+From: Vardhan Thigle <[email protected]>
+Date: Fri, 25 Jan 2019 11:31:35 +0530
+Subject: [PATCH 1/2] Vendor Change:-
+
+1. Added conditional compilation flags "MBEDTLS_FORCE_AESNI" and "MBEDTLS_FORCE_PADLOCK"
+2. This allows us to supress cpuid based feature detection on sgx platforms.
+3. "MBEDTLS_FORCE_AESNI" gets set if "force_aesni_support" flag is enabled.
+4. Please refer to the previous commit for rust side changes.
+
+(cherry picked from commit d2317b0864e313d759671068e3d3aa52c8fab234)
+---
+ mbedtls-sys/vendor/library/aesni.c   | 2 ++
+ mbedtls-sys/vendor/library/padlock.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/mbedtls-sys/vendor/library/aesni.c b/mbedtls-sys/vendor/library/aesni.c
+index c909f654..b8f8e071 100644
+--- a/mbedtls-sys/vendor/library/aesni.c
++++ b/mbedtls-sys/vendor/library/aesni.c
+@@ -45,6 +45,7 @@
+ #include <immintrin.h>
+ #endif
+ 
++#if !defined(MBEDTLS_CUSTOM_HAS_AESNI)
+ /*
+  * AES-NI support detection routine
+  */
+@@ -74,6 +75,7 @@ int mbedtls_aesni_has_support(unsigned int what)
+ 
+     return (c & what) != 0;
+ }
++#endif
+ 
+ #if MBEDTLS_AESNI_HAVE_CODE == 2
+ 
+diff --git a/mbedtls-sys/vendor/library/padlock.c b/mbedtls-sys/vendor/library/padlock.c
+index 303f82c7..798e9b7c 100644
+--- a/mbedtls-sys/vendor/library/padlock.c
++++ b/mbedtls-sys/vendor/library/padlock.c
+@@ -39,6 +39,7 @@
+ 
+ #if defined(MBEDTLS_HAVE_X86)
+ 
++#if !defined(MBEDTLS_CUSTOM_HAS_PADLOCK)
+ /*
+  * PadLock detection routine
+  */
+@@ -68,6 +69,7 @@ int mbedtls_padlock_has_support(int feature)
+ 
+     return flags & feature;
+ }
++#endif
+ 
+ /*
+  * PadLock AES-ECB block en(de)cryption
+-- 
+2.25.1
+

mbedtls-sys/vendor-patches/0001-Vendor-Change.patch

@@ -0,0 +1,35 @@
+From 044be6ae4f75c915b44a085e5943a65a22b3414a Mon Sep 17 00:00:00 2001
+From: Raoul Strackx <[email protected]>
+Date: Tue, 10 Mar 2020 16:51:47 +0100
+Subject: [PATCH 2/2] Adding mpi_force_c_code feature
+
+(cherry picked from commit 38522c212a441cb0c58b1ae6be6f2f43e3affb99)
+---
+ mbedtls-sys/vendor/include/mbedtls/bn_mul.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mbedtls-sys/vendor/include/mbedtls/bn_mul.h b/mbedtls-sys/vendor/include/mbedtls/bn_mul.h
+index a0bc4d06..103e62a6 100644
+--- a/mbedtls-sys/vendor/include/mbedtls/bn_mul.h
++++ b/mbedtls-sys/vendor/include/mbedtls/bn_mul.h
+@@ -85,7 +85,7 @@
+ #endif /* bits in mbedtls_mpi_uint */
+ 
+ /* *INDENT-OFF* */
+-#if defined(MBEDTLS_HAVE_ASM)
++#if defined(MBEDTLS_HAVE_ASM) && !defined(MBEDTLS_MPI_FORCE_C_CODE)
+ 
+ #ifndef asm
+ #define asm __asm
+@@ -953,7 +953,7 @@
+ #endif /* SSE2 */
+ #endif /* MSVC */
+ 
+-#endif /* MBEDTLS_HAVE_ASM */
++#endif /* MBEDTLS_HAVE_ASM && !MBEDTLS_MPI_FORCE_C_CODE */
+ 
+ #if !defined(MULADDC_CORE)
+ #if defined(MBEDTLS_HAVE_UDBL)
+-- 
+2.25.1
+

mbedtls-sys/vendor-patches/0002-Adding-mpi_force_c_code-feature.patch

@@ -20,7 +20,7 @@ github issues for questions.
 **OS**  
 Mbed OS|linux|windows|
 
-**mbed TLS build:**  
+**Mbed TLS build:**  
 Version: x.x.x or git commit id  
 OS version: x.x.x  
 Configuration: please attach config.h file where possible  

mbedtls-sys/vendor/.github/issue_template.md

@@ -1,5 +1,7 @@
 # Random seed file created by test scripts and sample programs
 seedfile
+# MBEDTLS_PSA_INJECT_ENTROPY seed file created by the test framework
+00000000ffffff52.psa_its
 
 # CMake build artifacts:
 CMakeCache.txt
@@ -28,6 +30,9 @@ massif-*
 .project
 /.settings
 
+# Unix-like build artifacts:
+*.o
+
 # MSVC build artifacts:
 *.exe
 *.pdb
@@ -65,3 +70,6 @@ massif-*
 /TAGS
 /cscope*.out
 /tags
+
+# Clangd compilation database
+compile_commands.json

mbedtls-sys/vendor/.gitignore

@@ -0,0 +1,26 @@
+# .readthedocs.yaml
+# Read the Docs configuration file
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+# Required
+version: 2
+
+# Set the version of Python and other tools you might need
+build:
+  os: ubuntu-20.04
+  tools:
+    python: "3.9"
+  jobs:
+    pre_build:
+    - ./scripts/apidoc_full.sh
+    - breathe-apidoc -o docs/api apidoc/xml
+
+# Build documentation in the docs/ directory with Sphinx
+sphinx:
+  builder: dirhtml
+  configuration: docs/conf.py
+
+# Optionally declare the Python requirements required to build your docs
+python:
+  install:
+  - requirements: docs/requirements.txt

mbedtls-sys/vendor/.readthedocs.yaml

@@ -1,89 +1,24 @@
-language: c
-compiler: gcc
-sudo: false
-cache: ccache
-
-jobs:
-  include:
-    - name: basic checks and reference configurations
-      addons:
-        apt:
-          packages:
-          - gnutls-bin
-          - doxygen
-          - graphviz
-          - gcc-arm-none-eabi
-          - libnewlib-arm-none-eabi
-          - gcc-arm-linux-gnueabi
-          - libc6-dev-armel-cross
-      language: python # Needed to get pip for Python 3
-      python: 3.5 # version from Ubuntu 16.04
-      install:
-        - scripts/min_requirements.py
-      script:
-        - tests/scripts/all.sh -k 'check_*'
-        - tests/scripts/all.sh -k test_default_out_of_box
-        - tests/scripts/all.sh -k test_ref_configs
-        - tests/scripts/all.sh -k build_arm_linux_gnueabi_gcc_arm5vte build_arm_none_eabi_gcc_m0plus
+# Declare python as our language. This way we get our chosen Python version,
+# and pip is available. Gcc and clang are available anyway.
+dist: jammy
+os: linux
+language: python
+python: 3.10
 
-    - name: full configuration
-      os: linux
-      dist: focal
-      addons:
-        apt:
-          packages:
-          - clang-10
-          - gnutls-bin
-      script:
-        # Do a manual build+test sequence rather than using all.sh,
-        # because there's no all.sh component that does what we want,
-        # which is a build with Clang >= 10 and ASan, running all the SSL
-        # testing.
-        #   - The clang executable in the default PATH is Clang 7 on
-        #     Travis's focal instances, but we want Clang >= 10.
-        #   - Running all the SSL testing requires a specific set of
-        #     OpenSSL and GnuTLS versions and we don't want to bother
-        #     with those on Travis.
-        # So we explicitly select clang-10 as the compiler, and we
-        # have ad hoc restrictions on SSL testing based on what is
-        # passing at the time of writing. We will remove these limitations
-        # gradually.
-        - make CC=clang-10 CFLAGS='-Werror -Wall -Wextra -fsanitize=address,undefined -fno-sanitize-recover=all -O2' LDFLAGS='-Werror -Wall -Wextra -fsanitize=address,undefined -fno-sanitize-recover=all'
-        - make test
-        - programs/test/selftest
-        - tests/scripts/test_psa_constant_names.py
-        # Exclude a few test cases that are failing mysteriously.
-        # https://github.com/Mbed-TLS/mbedtls/issues/6660
-        - tests/ssl-opt.sh -e 'Fallback SCSV:\ .*list'
-        # Modern OpenSSL does not support null or ancient ciphers.
-        - tests/compat.sh -p OpenSSL -e 'NULL\|DES\|RC4'
-        - tests/scripts/travis-log-failure.sh
-        # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it.
-        # Modern GnuTLS does not support DES.
-        # One NULL cipher suite is strangely missing in pre-1.2 protocol
-        # versions (it works with (D)TLS1.2, but don't bother).
-        - tests/compat.sh -p GnuTLS -e 'CAMELLIA\|DES\|TLS-RSA-WITH-NULL-SHA256'
-        - tests/scripts/travis-log-failure.sh
-        - tests/context-info.sh
+cache: ccache
 
-    - name: Windows
-      os: windows
-      script:
-        - scripts/windows_msbuild.bat v141 # Visual Studio 2017
-        - visualc/VS2010/x64/Release/selftest.exe --ci
+branches:
+  only:
+    coverity_scan
 
-after_failure:
-- tests/scripts/travis-log-failure.sh
+install:
+  - $PYTHON scripts/min_requirements.py
 
 env:
   global:
     - SEED=1
-    - secure: "JECCru6HASpKZ0OLfHh8f/KXhKkdrCwjquZghd/qbA4ksxsWImjR7KEPERcaPndXEilzhDbKwuFvJiQX2duVgTGoq745YGhLZIjzo1i8tySkceCVd48P8WceYGz+F/bmY7r+m6fFNuxDSoGGSVeA4Lnjvmm8PFUP45YodDV9no4="
-
+    - secure: "GF/Fde5fkm15T/RNykrjrPV5Uh1KJ70cP308igL6Xkk3eJmqkkmWCe9JqRH12J3TeWw2fu9PYPHt6iFSg6jasgqysfUyg+W03knRT5QNn3h5eHgt36cQJiJr6t3whPrRaiM6U9omE0evm+c0cAwlkA3GGSMw8Z+na4EnKI6OFCo="
 addons:
-  apt:
-    packages:
-    - gnutls-bin
   coverity_scan:
     project:
       name: "ARMmbed/mbedtls"

mbedtls-sys/vendor/.travis.yml

@@ -4,19 +4,7 @@
 # to Mbed TLS.
 #
 # Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 
 
 # Wrap lines at 100 characters

mbedtls-sys/vendor/.uncrustify.cfg

@@ -1,2 +1 @@
-*.o
 Makefile