mbedtls files changed and cmake instruction added to support MbedTLS …#782
Conversation
seyednasermoravej
force-pushed
the
migration-to-psa-crypto
branch
3 times, most recently
from
1791e08 to
40c43bf
Compare
|
How can I check CI before push my code? |
|
I normally just try to replicate the environment, or else do a lot of pushing to a PR and then clean up and squash before creating the final PR. Just looking quickly I would guess you need to update the CI scripts to use MbedTLS 4 or ? |
I tested this scripts on Ubuntu 24.04 and Ubuntu 22.04. Maybe you face python errors because of absence of some packages. Please install them via pip. If you face no python error, you could create a .sh file and source it:
|
|
@seyednasermoravej I made some change to get the CI to pass, hope it was OK to push to this branch. You can do what you want with them. I would suggest rebasing and removing the commits which are not related to getting mbtls working. |
seyednasermoravej
force-pushed
the
migration-to-psa-crypto
branch
from
e9c82bb to
6c4dadb
Compare
Apologies for my delayed response. Is there anything in the code that could be improved? |
|
@seyednasermoravej I am not sure you need the change to the readme as when this is merged then it should just build as before. |
The aes interface in libsrtp expects to be able to call encrypt multiple times in a progressive manor. A call to set the IV should reset for a new set of operations. This interface is not so oblivious and there is currently no indication of the last call. This should really be improved.
Pass dst_len as it is the actual buffer size. Remove unused code, full_tag & ciphertext_len.
seyednasermoravej
force-pushed
the
migration-to-psa-crypto
branch
from
6c4dadb to
2bf6953
Compare
I removed the "README.md" changes from the branch "migration-to-psa-crypto" |
pabuhler
left a comment
pabuhler
left a comment
There was a problem hiding this comment.
Some small clean up and some unanswered questions.
Please ensure you understand the PSA API properly, this review focused mostly on the code and not the usage of the PSA API.
crypto/cipher/aes_icm_mbedtls.c
Outdated
| } | ||
|
|
||
| *dst_len = src_len; | ||
| total_len += out_len; |
There was a problem hiding this comment.
total_len and out_len are probably not needed, could just pass dst_len psa_cipher_update, this does not make much difference but cleans the code up, at least total_len could be removed
There was a problem hiding this comment.
Correct me if I'm wrong. As we need to set IV, we are using multipart symmetric encryption but we are doing the encryption just one time (we called psa_cipher_update once). That means in our case the total_len is equal to out_len. But the variable dst_len is the size of dst place holder. That's why I'm not sure if out_len is equal to dst_len or not. But for sure we can remove the total_len variable.
crypto/include/aes_gcm.h
Outdated
|
|
||
| #ifdef MBEDTLS | ||
| #ifdef PSA | ||
| // #ifdef MBEDTLS |
There was a problem hiding this comment.
what should I continue with for naming?
MBEDTLS or PSA?
There was a problem hiding this comment.
I think MBEDTLS might make more sense but I do not mind.
I'd added some comments to make the code easier for review. like: |
It's abit up to you, comments are fine if they are concise or explain something that otherwise does not make a lot of sense. No need to comment on "normal" behavior of API usage. |
seyednasermoravej
force-pushed
the
migration-to-psa-crypto
branch
3 times, most recently
from
3bd6d22 to
2b5679f
Compare
As the picture imply, there is no newline at the end of file!
How can run CI myself?
@pabuhler
|
|
the error is that there is no new line |
The opposite of Zephyr RTOS rule :) |
seyednasermoravej
force-pushed
the
migration-to-psa-crypto
branch
from
2b5679f to
23cfeeb
Compare
I did that but nothing happens |
|
You are right, need clang-format 17. |
I think I have it. At least I didn't face any not found error when I try it in my terminal. |
pabuhler
left a comment
pabuhler
left a comment
There was a problem hiding this comment.
Look basically fine and test pass. So I am Ok with merging this, then hopefully it will get some run time.
crypto/cipher/aes_icm_mbedtls.c
Outdated
| uint32_t key_size_in_bits = (c->key_size << 3); | ||
| int errcode = 0; | ||
|
|
||
| psa_status_t status = psa_crypto_init(); |
There was a problem hiding this comment.
This seams a bit random, but ok.
There was a problem hiding this comment.
Do you prefer psa_status_t status = PSA_SUCCESS; and then status = psa_crypto_init();?
There was a problem hiding this comment.
Everywhere `psa_status_t status = PSA_SUCCESS;` but in only one place `psa_status_t status = psa_crypto_init();`, I changed the code to make it the same everywhere.
There was a problem hiding this comment.
I was more asking about te placement of the call to psa_crypto_init(), but I guess this will ensure it is always called.
There was a problem hiding this comment.
Ah ok, I had two choices to place psa_crypto_init();, in the srtp_aes_icm_mbedtls_context_init or srtp_aes_icm_mbedtls_alloc. I think it should be placed in the init function.
seyednasermoravej
force-pushed
the
migration-to-psa-crypto
branch
from
23cfeeb to
4944c2e
Compare
|
After your approval, how long does it take to be merged in the main branch? |
some time in the next few days, just in case there was any other interest. |
|
I don't know why the code formatting check failed. There is no explanation message for that. |
Signed-off-by: Sayed Naser Moravej <seyednasermoravej@gmail.com>
seyednasermoravej
force-pushed
the
migration-to-psa-crypto
branch
from
492f631 to
260cc0b
Compare
2 participants
Hi Cisco team, and Merry Christmas 🎄
This PR is a draft for the migration to Mbed TLS v4.0.
For easier review and comparison, I’ve kept both the legacy code and the new implementation side by side.
There are still some unnecessary fields in a few structures, and in some places the implementation can be improved (for example, using
statusinstead oferrCode). I intentionally kept the changes as minimal as possible for now; we can clean up and refine these parts in follow-up steps once the migration direction is agreed upon.Feedback and suggestions are very welcome.