migrate to mbedtls 3.x with mbedtls 2.x backward compatibility #9662
Conversation
Refer to this link for build results (access rights to CI server needed):
@akallabeth changes have been made according to comments, as for the removal of mbedtls id mapping of DES, Blowfish ciphers, they've been removed in mbedtls 3.x, and it's not worth using ifdefs for compatibility. As for camellia ciphers, we never needed them, and they're bound to be removed eventually, so might as well rip the band-aid off now. I do use the AES ciphers in other projects that use WinPR without FreeRDP though, so we're keeping those.
@awakecoding your changes break the openssl build on the ci.
I'll do another pass of changes on Monday to get this pull request clean and ready to go. I'll put the camellia ciphers back, but blowfish and DES will still be removed because they're no longer defined, is that okay? In other words I'll limit the ID removal to what's been removed in mbedtls 3.x
@awakecoding I'd just keep all the defines in the public header, but no need to implement those (no longer existing) ones for
@akallabeth it should all be good now!
LGTM
@awakecoding great, and merged!
This pull request adds support for mbedtls 3.x while retaining mbedtls 2.x compatibility. mbedtls support is still limited to WinPR library builds, as we don't yet have full support for making FreeRDP hybrid openssl/mbedtls builds in one go. For our internal builds, we build WinPR+mbedtls first, then FreeRDP+openssl against WinPR+mbedtls. Fixing the build system for this would be better off done in a separate pull request, and start with mbedtls 3/2 compatibility.
Here is how I've built mbedtls 2 and 3 locally:
Here is how I have built WinPR against both versions of mbedtls locally (yes, the CMakeLists.txt in FreeRDP/WinPR can be used as the "root" one for WinPR-only builds):
And now, to build FreeRDP against a prebuilt WinPR (this requires a bit of fiddling in cmake/ConfigureFreeRDP.cmake that I'll look into in a future pull request for the build system improvements):
That's it! Most of the changes were to remove deprecated algorithms, and I also removed a bunch of definition mappings we were likely never going to use (I originally had replicated the entire set from mbedtls). Some struct members became private, requiring the usage of functions to access them. I added backward compatibility wrappers such that it can still build with mbedtls 2.
Since RC4 and MD4 were removed from mbedtls, I set the default to use internal RC4, MD4 for mbedtls, while leaving them on (previous default) for openssl builds. The old havege random number generator was also removed from mbedtls, so I added code for the newer APIs which aren't as straightforward to use, but should do the trick.