Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support mbedtls as backend #495

Merged
merged 85 commits into from
Nov 16, 2023
Merged

support mbedtls as backend #495

merged 85 commits into from
Nov 16, 2023

Conversation

kazuho
Copy link
Member

@kazuho kazuho commented Nov 14, 2023

Subsumes #485.

huitema and others added 30 commits September 6, 2023 10:39
@huitema
Incorporate mbedtls in cmake
52c2797
@huitema
include find mbedtls
aac4491
@huitema
Add cmake module path
e5cd275
@huitema
Add find package
be89606
@huitema
Update MbedTLS find
4a01610
@huitema
Add missing endif
7a53976
@huitema
Check mbedtls found condition
5aac49f
@huitema
Struggling with Found condition.
bbb502e
@huitema
Remove error condition for debug
262d334
@huitema
update mbedtls test
17dee3e
@huitema
fix typo
3d5657c
@huitema
Add github action for mbedtls
b29d4b4
@huitema
Debugging github action.
ce37fa0
@huitema
Decomposing the build steps
684008c
@huitema
More debugging of github action
8bca3c2
@huitema
Build mbedtls parallel to picotls
12bd194
@huitema
Add sha512 and sha384
ccecfa5
Update sha384 definitions and test
bc75434
@huitema
Add aes256gcm
251d42b
@huitema
Add chachapoly
ca4b8cb
@huitema
Add test definition.
5118631
@huitema
Fix copy paste errors
0ad6f7f
@huitema
Another typo to fix
62736e7
@huitema
Fix declarations
4510592
@huitema
use chacha20 test
f818675
@huitema
Fix chacha20 declaration
25894ae
@huitema
One last typo, hopefully
167be77
@huitema
That's for coding when half asleep
9b80cac
@huitema
Fix initialization of chacha20-ctr
480f189
@huitema
Add mbedtls to ptlsbench
c06bc1b
@kazuho
limit scope of psa_key_attributes_t
046b582
@kazuho
move useful comments to .h, as they are not specific to the mbedtls…
4741102 
… backend
@kazuho
simply AEAD code by only supporting the mandatory operation types
2e4ecad
@kazuho
update test code to not rely on init-update-final cycle that is now o…
7550f87 
…ptional (see doc-comment of ptls_aead_context_t)
@kazuho
fail the same way
fc2bae6
@kazuho
expand doc-comment in picotls.h instead
0635d6e
@kazuho
reduce state, release memory regardless of errors
bf9e1d7
@kazuho
add missing static
60f4749
@kazuho
no need to have prefix for static functions
8a694b6
@kazuho
consolidate duplicated constants into const struct
25e0ab8
@kazuho
reduce state
0069e3c
@kazuho
... and we find a bug
177c156
@kazuho
update the hidden chacha20 backend
e6a01a8
@kazuho
no need to have a wrapper for CTR mode
7ccec73
@kazuho
remove verbose doc comments
f481e29
@kazuho
[xcode] add files
72da59d
@kazuho
use standard names (e.g., <LIB>_ROOT_DIR), and UNIX-style search path…
7e7d39b 
…s (/usr/local, lib)
@kazuho
Merge branch 'master' into kazuho/mbedtls
762afbb
@kazuho
sha384 might not be available
cdc4462
@kazuho
mbedtls of ubuntu2204 does not have these files, we can remove them a…
62236db 
…nd still refer to `MBEDTLS_SHA384_C` at least on homebrew
@huitema
Copy link
Collaborator

huitema commented Nov 14, 2023

@kazuho: thanks for picking up this PR. Is there a way I can see the differences from #485? That might help me improve the next PR...

It seems that we have an issue with the cmake discovery. Do you want me to try debug it?

@kazuho kazuho marked this pull request as ready for review November 15, 2023 06:14
kazuho
kazuho commented Nov 15, 2023
View reviewed changes
Copy link
Member Author

@kazuho kazuho left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@huitema Sorry for the delay.

Probably the best way to see the differences would be to run git diff -M10 -w -r cc9364e..7e7d39b.

But my focus has been to minimize the cost of maintaining another backend. I've moved comments to picotls.h, changed tests so that existing ones will be reused, etc.

Comments below explain some of the big changes that I have made.

cmake/FindMbedTLS.cmake Show resolved Hide resolved
cmake/FindMbedTLS.cmake Outdated Show resolved Hide resolved
.github/workflows/ci.yml Show resolved Hide resolved
lib/mbedtls.c Show resolved Hide resolved
lib/mbedtls.c Show resolved Hide resolved
lib/mbedtls.c
ctx->super.do_set_iv = aead_set_iv;
if (is_enc) {
ctx->super.do_encrypt = ptls_aead__do_encrypt;
ctx->super.do_encrypt_v = aead_encrypt_v;
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The implementation has been simplified by dropping support for streaming encryption (~init -> ~update -> ~final). We only support ptls_aead_encrypt and ptls_aead_encrypt_v.

These changes have led to reduction of states in ptls_mbedtls_aead_context_t.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is that something we expect for every AEAD implementation?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

API for streaming encryption has been deprecated, as stated in picotls.h (here and here). This PR expands the explanation a bit.

Backends may support streaming encryption. So if you want to have that supported in the mbedtls backend, please say so.

lib/mbedtls.c Show resolved Hide resolved
kazuho
kazuho commented Nov 15, 2023
View reviewed changes
t/ptlsbench.c Show resolved Hide resolved
huitema
huitema approved these changes Nov 15, 2023
View reviewed changes
Copy link
Collaborator

@huitema huitema left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only one question left: should we write some documentation on how to use MbedTLS? or, should we wait until we have ported the signature and verify functions?

.github/workflows/ci.yml Show resolved Hide resolved
@kazuho kazuho merged commit dfe6072 into master Nov 16, 2023
13 checks passed
@kazuho
Copy link
Member Author

kazuho commented Nov 16, 2023

@huitema Thank you for reviews. This PR has been merged.

Only one question left: should we write some documentation on how to use MbedTLS? or, should we wait until we have ported the signature and verify functions?

I think we can add docs to https://github.com/h2o/picotls/wiki now that this PR has been merged. I can see the docs written in two ways. We can expand https://github.com/h2o/picotls/wiki/Using-picotls as it talks about two backends that we have already. Or, we can create a new document dedicated mbedtls backend. I'm fine either ways, but maybe the latter would be simpler and easier to understand?

@kazuho kazuho mentioned this pull request Jan 9, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@huitema huitema huitema approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kazuho @huitema