@DemesneGH
Contributor

This PR mainly updates the TLS client and TLS server examples to support Rustls 0.23.0+ (currently using 0.23.12).

Upgrading Rustls and its dependencies will:

  1. remove existing security warnings, e.g. Dependabot alert #27, and other warnings of rustls, webpki, and ring.
  2. demonstrate fully updated TLS examples

Key Improvements in Rustls 0.23+

Rustls now supports:

This allows us to integrate directly with optee-utee APIs without manually porting entire crates.
After customizing the rng and time providers, Rustls can run in OP-TEE std TAs. (no-std support is in the future plan but not included here.)

  • TimeProvider: Straightforward to implement; please see the code in this PR.
  • CryptoProvider: More involved, detailed below.

Crypto Provider

Available Rustls crypto providers: https://github.com/rustls/rustls?tab=readme-ov-file#cryptography-providers
Of course we can implement and maintain our own crypto provider for OP-TEE, but if there are existing providers available, it’s better to reuse them. We selected ring and rustls-rustcrypto as our candidates.

1. ring provider

2. rustls-rustcrypto provider

Our decision is to port getrandom to OP-TEE, then use rustls-rustcrypto as the provider.

Getrandom Porting

  • getrandom is a hardware RNG crate with multiple backends.
  • We have added an OP-TEE target and backend:
    • Since rustls-rustcrypto depends on getrandom 0.2 (which is in maintenance mode), we maintain an OP-TEE-enabled getrandom in incubator-teaclave-crates (currently in my fork: git = "https://github.com/DemesneGH/incubator-teaclave-crates.git"; I will open a PR and modify this URL after it is merged).
    • We plan to upstream OP-TEE support for getrandom 0.3.
  • Because the ported getrandom depends on optee-utee 0.4.0, all other TLS TA modules also pin optee-* crates to 0.4.0 to avoid build inconsistencies.

Code Changes

  • New tls_client and tls_server examples using Rustls 0.23.12. We chose this version because it is the one currently used by rustls-rustcrypto.
  • New rustls-provider crate under crates/, used by TLS examples.
  • Updated outdated TLS server test certs and improved test script error checks.
  • Fixed 32-bit TLS TA build errors by disabling CFG_TA_FLOAT_SUPPORT (see commit message for details).

no-std TLS examples

They need the no-std Rustls and no-std crypto backend. AFAIK:

  • Rustls now offers initial support for no-std (release notes), which requires further research for our use case.
  • Several rustcrypto crates already support no-std.

It is possible to have no-std TLS TAs, but this will require additional effort and investigation, so it remains a goal for future work.

let millis = time.millis as u64;

// Create UnixTime from seconds and milliseconds
let total_millis = seconds * 1000 + millis;
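
Review bot: `seconds * 1000 + millis` on the last line is plain integer arithmetic with no overflow guard, and `millis` is added without any check that it is below 1000. Consider `seconds.checked_mul(1000)` followed by `checked_add(millis)`, and have the caller handle the failure case rather than receive a wrapped value or hit a panic.
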
Contributor

Because the REE time can be manipulated, operations on it may overflow. Although the exact consequences are unclear, it would be safer to return None in such cases.

The original test certs expired in 2024, which causes a "Cert Expired"
error when testing the tls server example.

When building tls_client and tls_server 32bit TAs, this error occurred:
  multiple definition of `__aeabi_fcmple' (`__aeabi_fcmpeq' and others)
This means the __aeabi functions are defined both in Rustc
compiler_builtins and optee libutils.

Disabling CFG_TA_FLOAT_SUPPORT when building libutils is an easy
approach without porting the compiler_builtins.

@DemesneGH
Contributor Author

Reorganize the commits with all above comments resolved

Contributor

@m4sterchain m4sterchain left a comment

Thanks for the improvements 🙌 Just a few minor comments that I think can still be addressed. All the rest LGTM.

@m4sterchain
Contributor

LGTM. Thanks.

@DemesneGH DemesneGH merged commit 4f8ca69 into apache:main Aug 19, 2025
10 checks passed