Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Parsec should source mbedtls, not mbed-crypto #153

Closed
gilles-peskine-arm opened this issue Apr 22, 2020 · 5 comments
Closed

Parsec should source mbedtls, not mbed-crypto #153

gilles-peskine-arm opened this issue Apr 22, 2020 · 5 comments
Labels
invalid This doesn't seem right

Comments

@gilles-peskine-arm
Copy link

setup_mbed_crypto.sh sources https://github.com/ARMmbed/mbed-crypto, but that repository is no longer being updated. The development of the crypto part of Mbed TLS has been wrapped back into the main repository at https://github.com/ARMmbed/mbedtls.

If you don't want to waste time building the X.509 and TLS parts of the library, run scripts/config.py crypto or scripts/config.py crypto_full before make.

@hug-dev hug-dev added the invalid This doesn't seem right label Apr 22, 2020
@egrimley-arm
Copy link
Collaborator

The default branch from the new repo is (unsurprisingly) not compatible with what Parsec expects. For example, there's this change mentioned somewhere: Rename psa_asymmetric_sign() to psa_sign_hash() and psa_asymmetric_verify() to psa_verify_hash().

@ionut-arm
Copy link
Member

The default branch from the new repo is (unsurprisingly) not compatible with what Parsec expects. For example, there's this change mentioned somewhere: Rename psa_asymmetric_sign() to psa_sign_hash() and psa_asymmetric_verify() to psa_verify_hash().

Indeed, this is probably a follow-up part of the transition to PSA crypto v1.0 - we've updated the interface, but not our dependance on an early version of Mbed Crypto :)

Don't think this was on our immediat roadmap because of other work we're focusing on at the moment (e.g. the SE driver)

@gilles-peskine-arm
Copy link
Author

As long as you're only prototyping, you can continue to use the mbed-crypto repository in the short term. We aren't shutting it down yet. But we have stopped updating it, and it's starting to contain unfixed security vulnerabilities.

The name change of psa_asymmetric_sign is one of the differences between the beta versions of the API and 1.0.0. Mbed TLS is transitioning to 1.0.0; we aren't fully there yet, the main difference being that you still need to use psa_open_key and psa_close_key even though they've been removed from 1.0.0. But you can keep using the old name in Mbed TLS for now: we provide compatibility wrappers where possible.

egrimley-arm added a commit to egrimley-arm/rust-psa-crypto that referenced this issue May 6, 2020
This would fix parallaxsecond/parsec#153.

Instead of
wget https://github.com/ARMmbed/mbed-crypto/archive/mbedcrypto-2.0.0.tar.gz
we fetch the Mbed Crypto source with:
git clone https://github.com/ARMmbed/mbedtls && git checkout $MBED_COMMIT

The MBED_COMMIT is specified in Cargo.toml and will be updated from
time to time at least until there is a stable branch we can use.

Two functions in the API have changed their names. These are renamed
in psa-crypto-sys, not in psa-crypto.

Signed-off-by: Edmund Grimley Evans <[email protected]>
@egrimley-arm
Copy link
Collaborator

I've patched rust-psa-crypto to use the new repo: parallaxsecond/rust-psa-crypto@b17c9f7

In order to make the CI tests deterministic a particular commit is fetched.

egrimley-arm added a commit to egrimley-arm/rust-psa-crypto that referenced this issue May 7, 2020
This would fix parallaxsecond/parsec#153.

Instead of
wget https://github.com/ARMmbed/mbed-crypto/archive/mbedcrypto-2.0.0.tar.gz
we fetch the Mbed Crypto source with:
git clone https://github.com/ARMmbed/mbedtls && git checkout $MBED_COMMIT

The MBED_COMMIT is specified in Cargo.toml and will be updated from
time to time at least until there is a stable branch we can use.

Two functions in the API have changed their names. These are renamed
in psa-crypto-sys, not in psa-crypto.

Signed-off-by: Edmund Grimley Evans <[email protected]>
@hug-dev
Copy link
Member

hug-dev commented Jun 2, 2020

rust-psa-crypto already uses the development branch of Mbed TLS to build Mbed Crypto, its usage in Parsec will be done as part of #177

@hug-dev hug-dev closed this as completed Jun 2, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
invalid This doesn't seem right
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants