migrate to mbedtls 3.x with mbedtls 2.x backward compatibility #9662
Conversation
|
Refer to this link for build results (access rights to CI server needed): |
awakecoding
force-pushed
the
mbedtls-update
branch
from
21137df
to
0075af7
Compare
|
Refer to this link for build results (access rights to CI server needed): |
awakecoding
force-pushed
the
mbedtls-update
branch
from
0075af7
to
ad518a9
Compare
|
Refer to this link for build results (access rights to CI server needed): |
|
@akallabeth changes have been made according to comments, as for the removal of mbedtls id mapping of DES, Blowfish ciphers, they've been removed in mbedtls 3.x, and it's not worth using ifdefs for compatibility. As for camelia ciphers, we never needed them, and they're bound to be removed eventually, so might as well rip the band aid now. I do use the AES ciphers in other projects that use WinPR without FreeRDP though, so we're keeping those. |
|
@awakecoding your changes break the openssl build on the ci. |
|
I'll do another pass of changes on Monday to get this pull request clean and ready to go. I'll put the camellia ciphers back, but blowfish and DES will still be removed because they're no longer defined, is that okay? In other words I'll limit the ID removal to what's been removed in mbedtls 3.x |
|
@awakecoding I´d just keep all the defines in the public header, but no need to implement that (no longer existing) ones for |
awakecoding
force-pushed
the
mbedtls-update
branch
from
ad518a9
to
a5280fd
Compare
|
Refer to this link for build results (access rights to CI server needed): |
awakecoding
force-pushed
the
mbedtls-update
branch
from
a5280fd
to
9611f1d
Compare
|
Refer to this link for build results (access rights to CI server needed): |
|
@akallabeth it should all be good now! |
|
@awakecoding great, and merged! |
This pull request adds support for mbedtls 3.x while retaining mbedtls 2.x compatibility. mbedtls support is still limited to WinPR library builds, as we don't yet have full support for making FreeRDP hybrid openssl/mbedtls builds in one go. For our internal builds, we build WinPR+mbedtls first, then FreeRDP+openssl against WinPR+mbedtls. Fixing the build system for this would be better off done in a separate pull request, and start with mbedtls 3/2 compatibility.
Here is how I've built mbedtls 2 and 3 locally:
Here is how I have built WinPR against both versions of mbedtls locally (yes, the CMakeLists.txt in FreeRDP/WinPR can be used as the "root" one for WinPR-only builds):
And now, to build FreeRDP against a prebuilt WinPR (this requires a bit of fiddling in cmake/ConfigureFreeRDP.cmake that I'll look into a future pull request for the build system improvements):
That's it! Most of the changes were to remove deprecated algorithms, and I also removed a bunch of definition mappings we were likely never going to use (I originally had replicated the entire set from mbedtls). Some struct members became private, requiring the usage of functions to access them. I added backward compatibility wrappers such that it can still build with mbedtls 2.
Since RC4 and MD4 were removed from mbedtls, I set the default to use internal RC4, MD4 for mbedtls, while leaving them on (previous default) for openssl builds. The old havege random number generated was also removed from mbedtls, so I added code for the newer APIs which aren't as straightforward to use, but should do the trick.