commit	816653bd13f7cd5060e8b8c1e3b5c44cf5511f51	[log] [tgz]
author	Christian Huitema <huitema@huitema.net>	Sun Dec 03 12:42:13 2023 -0800
committer	GitHub <noreply@github.com>	Sun Dec 03 12:42:13 2023 -0800
tree	ea82934da9da5981c2c023b8aaf4f2cc8ca6238c
parent	7ec11a7a62bebaaff91e2d4c15b8966d1b58edb9 [diff]

Align 2023-12-03 (#11)

* Incorporate mbedtls in cmake

* include find mbedtls

* Add cmake module path

* Add find package

* Update MbedTLS find

* Add missing endif

* Check mbedtls found condition

* Struggling with Found condition.

* Remove error condition for debug

* update mbedtls test

* fix typo

* Add github action for mbedtls

* Debugging github action.

* Decomposing the build steps

* More debugging of github action

* Build mbedtls parallel to picotls

* Add sha512 and sha384

* Update sha384 definitions and test

* Add aes256gcm

* Add chachapoly

* Add test definition.

* Fix copy paste errors

* Another typo to fix

* Fix declarations

* use chacha20 test

* Fix chacha20 declaration

* One last typo, hopefully

* That's for coding when half asleep

* Fix initialization of chacha20-ctr

* Add mbedtls to ptlsbench

* Fix debug message

* Condition fusion to PTLS_HAVE_FUSION

* Declare cipher suites

* Add support for MbedTLS random

* [minicrypto] x25519 key derivation must fail when output is all-zero

* use high level PSA API

* msvc compatibility

* here also

* Fix test random

* Fix typo

* Add code of sec256r1

* [boringssl] check x25519 bad key

* clear secret

* use macro to avoid compile errors

* Simplify aead setup

* Add x25519

* Add test of mbedtls key exchanges

* Fix reference to test_key_exchange

* [evp_keyex_init] keep refcount unchanged when the function fails

* add the failing case

* extensions block is optional in TLS/1.2 also

* even though we do not test what is recorded, clear it otherwise tests that follow fail

* [fusion] unify detection scheme to the best one that we have (which we have had in h2o)

* maybe `_mm_insert_epi64` is unavailable on i386?

* clang-format

* rename files following the convention that backends use just the backend name

* `()` in a prototype means any number of args, no zero

* ensure that MBEDTLS_SHA384_C is detected regardless of include order

* API doc goes into .h

* add capability to define custom clone functions for hash contexts

* [xcode] add files

* rename (amends 08e5319)

* these files are included by `crypto.h`

* when building picotls, picotls is not part of the system

* when building picotls, picotls is not part of the system, whereas mbedtls is

* define hash implementations using `ptls_define_hash`

* mbedtls is dependency

* it is our convention to let the user initialize the crypto backends (see openssl)

* PRNG might fail too

* reduce state of symmentric ciphers; no need to set key for every IV

* engines can be tested using `test_picotls`

* report error in detail

* have ones own

* amend 2106299

* `ptls_cipher_init` is not called in ECB mode

* key_schedule_new might fail due to malloc failing

* limit scope of `psa_key_attributes_t`

* move useful comments to `.h`, as they are not specific to the mbedtls backend

* simply AEAD code by only supporting the mandatory operation types

* update test code to not rely on init-update-final cycle that is now optional (see doc-comment of ptls_aead_context_t)

* fail the same way

* expand doc-comment in picotls.h instead

* reduce state, release memory regardless of errors

* add missing `static`

* no need to have prefix for static functions

* consolidate duplicated constants into `const struct`

* reduce state

* ... and we find a bug

* update the hidden chacha20 backend

* no need to have a wrapper for CTR mode

* remove verbose doc comments

* [xcode] add files

* use standard names (e.g., <LIB>_ROOT_DIR), and UNIX-style search paths (/usr/local, lib)

* sha384 might not be available

* mbedtls of ubuntu2204 does not have these files, we can remove them and still refer to `MBEDTLS_SHA384_C` at least on homebrew

* run mbedtls test as part of the main CI (builds on top of https://github.com/h2o/h2o/pull/3311)

* remove non-standard directory

---------

Co-authored-by: Christian Huitema <christianhuitema@Christians-iMac.local>
Co-authored-by: Kazuho Oku <kazuhooku@gmail.com>

14 files changed

tree: ea82934da9da5981c2c023b8aaf4f2cc8ca6238c

README.md

picotls

Picotls is a TLS 1.3 (RFC 8446) protocol stack written in C, with the following features:

support for three crypto engines
- “OpenSSL” backend using libcrypto for crypto and X.509 operations
- “minicrypto” backend using cifra for most crypto and micro-ecc for secp256r1
- “fusion” AES-GCM engine, optimized for QUIC and other protocols that use short AEAD blocks
- libaegis for the AEGIS AEADs
support for PSK, PSK-DHE resumption using 0-RTT
API for dealing directly with TLS handshake messages (essential for QUIC)
supported extensions:
- RFC 7250 (raw public keys)
- RFC 8879 (certificate compression)
- Encrypted Client Hello (wg-draft-15)

picotls is designed to be fast, tiny, and low-latency, with the primary user being the H2O HTTP/2 server for serving HTTP/1, HTTP/2, and HTTP/3 over QUIC.

The TLS protocol implementation of picotls is licensed under the MIT license.

License and the cryptographic algorithms supported by the crypto bindings are as follows:

Binding	License	Key Exchange	Certificate	AEAD cipher
minicrypto	CC0 / 2-clause BSD	secp256r1, x25519	ECDSA (secp256r1)1	AES-128-GCM, chacha20-poly1305, AEGIS-128L (using libaegis), AEGIS-256 (using libaegis)
OpenSSL	OpenSSL	secp256r1, secp384r1, secp521r1, x25519	RSA, ECDSA (secp256r1, secp384r1, secp521r1), ed25519	AES-128-GCM, AES-256-GCM, chacha20-poly1305, AEGIS-128L (using libaegis), AEGIS-256 (using libaegis)

Note 1: Minicrypto binding is capable of signing a handshake using the certificate's key, but cannot verify a signature sent by the peer.

Building picotls

If you have cloned picotls from git then ensure that you have initialised the submodules:

% git submodule init
% git submodule update

Build using cmake:

% cmake .
% make
% make check

A dedicated documentation for using picotls with Visual Studio can be found in WindowsPort.md.

Developer documentation

Developer documentation should be available on the wiki.

Using the cli command

Run the test server (at 127.0.0.1:8443):

% ./cli -c /path/to/certificate.pem -k /path/to/private-key.pem  127.0.0.1 8443

Connect to the test server:

% ./cli 127.0.0.1 8443

Using resumption:

% ./cli -s session-file 127.0.0.1 8443

The session-file is read-write. The cli server implements a single-entry session cache. The cli server sends NewSessionTicket when it first sends application data after receiving ClientFinished.

Using early-data:

% ./cli -s session-file -e 127.0.0.1 8443

When -e option is used, client first waits for user input, and then sends CLIENT_HELLO along with the early-data.

License

The software is provided under the MIT license. Note that additional licences apply if you use the minicrypto binding (see above).

Reporting Security Issues

Please report vulnerabilities to h2o-vuln@googlegroups.com. See SECURITY.md for more information.