lib/mbedtls: Update to mbedtls-v3.5.1. #8988
Conversation
|
Thanks for this. It's a good change but let's wait until after the next release (after v1.20). |
Yes, it's just something I bumped into while doing #8968 and I figured out it would be nice to at least have some reference when the time comes. |
93af87e to
83cca00
Compare
|
Code size report: |
5d73ef6 to
1df37f8
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #8988 +/- ##
=======================================
Coverage 98.36% 98.36%
=======================================
Files 159 159
Lines 21088 21088
=======================================
Hits 20743 20743
Misses 345 345 ☔ View full report in Codecov by Sentry. |
61df480 to
3167e03
Compare
da16a68 to
a68a280
Compare
UPDATE:
|
2e34fb8 to
32eb485
Compare
e46e3b8 to
32fb72b
Compare
@dpgeorge I think this is ready to be reviewed, to sum up the changes:
If there is anything else I can do let me know 👍🏼 |
Hmm, that's annoying that it's renamed to exactly what we name our config file! I suggest calling ours |
Does that test really need to be deleted, or is it possible to just update the key/cert data to something else? The aim of that test is to do a very simple Well, I guess there is the existing |
Yes that was my conclusion too. The key/cert there was only 512 bits and there is no clue about how it was generated... |
|
Also I don't have any device available to test these changes so it would be better if you or anyone could test this on mbedtls ports before merging 👍🏼 |
Signed-off-by: Carlos Gil <[email protected]>
Running `./do-mp.sh` now generates this `mp_mbedtls_errors.c` file. The `esp32_mbedtls_errors.c` file is already up-to-date. Signed-off-by: Carlos Gil <[email protected]>
Changes include: - Some mbedtls source files renamed or deprecated. - Our `mbedtls_config.h` files are renamed to `mbedtls_config_port.h`, so they don't clash with mbedtls's new default configuration file named `mbedtls_config.h`. - MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE is deprecated. - MBEDTLS_HAVE_TIME now requires an `mbedtls_ms_time` function to be defined but it's only used for TLSv1.3 (currently not enabled in MicroPython so there is a lazy implementation, i.e. seconds * 1000). - `tests/multi_net/ssl_data.py` is removed (due to deprecation of MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE), there are the existing `ssl_cert_rsa.py` and `sslcontext_server_client.py` tests which do very similar, simple SSL data transfer. - Tests now use an EC key by default (they are smaller and faster), and the RSA key has been regenerated due to the old PKCS encoding used by openssl rsa command, see https://stackoverflow.com/questions/40822328/openssl-rsa-key-pem-and-der-conversion-does-not-match (and `tests/README.md` has been updated accordingly). Signed-off-by: Carlos Gil <[email protected]>
|
I have tested this on unix, esp32, rp2 (Pico W) and stm32 (PYBD-SF6) and all SSL-related tests pass. The tests I ran were from I have also split this PR up into 3 commits: update mbedtls, update mbedtls_errors, and then the rest of the changes. |
|
Now merged! Thanks @Carglglz for sticking with this for over a year and a half! |
Happy to see MicroPython up to date with MbedTLS now! 🎉 Also I think #11355 can be closed now 👍🏼 [EDIT] |
Incorrect error handling in send/recv would raise an OSError with
an incorrect (negative) code.
It's likely that this bug was always happening in the Pico W
implementation, which became the basis of the current shared
implementation.
Push handling of WANT_{READ,WRITE} down into mbedtls_raise_error
and use it in recv_into and send.
Tested by connecting to google.com:443, sending nothing, and trying
to read a byte:
```py
import socketpool, ssl, time, wifi
socket = socketpool.SocketPool(wifi.radio)
ctx = ssl.SSLContext()
with ctx.wrap_socket(socket.socket()) as ss:
ss.connect(("google.com", 443))
ss.settimeout(1)
b = bytearray(1)
try:
t0 = time.monotonic()
ss.recv_into(b)
except Exception as ee:
t1 = time.monotonic()
exc = ee
print(t1-t0)
raise exc
```
As desired, an exception `OSError: [Errno 116] ETIMEDOUT` occurred
and the time delta value was 1.0 seconds.
(tested on pycamera)
Closes: micropython#8988
|
how long it will land on a release branch? it looks like it didn't landed on 1.23.0-preview, so I guess at least 1.24? |
|
This PR is merged. So it is present in the v1.23 preview versions. |
|
this PR moved mbedtls_config.h to mbedtls_config_port.h, but that didn't happen in 1.23.0-preview tag and still have havege_c which not valid in mbedtls 3.X |
|
I see in the actual preview e.g the file stm32/mbedtls/mbedtls_config_port.h. At which port & version do you look? |
|
I only see that on master branch but that path still has old config.h in 1.23 preview tag: not but it isn't a branch so maybe it will branch at later point? |
|
Please show the full path name of the file you are concerned about. |
|
the link I saw you is already full path? ports/unix/mbedtls/mbedtls_config.h |
|
The actual state of the repository's master branch shows: |
|
ha x.preview tag is just after x-1 release, well before actual version x branches, never mind |
This is a draft for a possible future
mbedTLS 3.xmigration.Following 3.0-migration-guide I made the necessary changes to update mbedTLS:
Unix port builds:
(although needs adding#if...#endifinlib/mbedtls/x509.c:137to avoiderror: unused function 'md_type_to_string'Tests:
Multi:
For reference esp-idf v.5 will use
mbedTLS 3.xtoo mbed-tls-support-in-esp-idf.TLDR:
Big changes affect configuration options in
mbedtls_config.h, some functions renamed inextmod/moduhashlib.canderror codes deprecated/ renamed in
lib/mbedtls_errors/mp_mbedtls_errors.c.Other than that, shouldn't be too difficult to update 👍🏼 .