pkcs12 file parser use mbedTLS#2

Open
seanjin99 wants to merge 28 commits into main from mbedTLS2.6.10

@seanjin99 seanjin99 commented Nov 14, 2025

mbedTLS implementation

@seanjin99 seanjin99 force-pushed the mbedTLS2.6.10 branch 8 times, most recently from e7efa71 to 264f581 Compare December 8, 2025 22:28
github-actions Bot commented Dec 8, 2025


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@seanjin99 seanjin99 force-pushed the mbedTLS2.6.10 branch 3 times, most recently from 38419f3 to 491cbc8 Compare December 8, 2025 22:46
Signed-off-by: seanjin99 <xhjin99@gmail.com>
…lidation in ta.c

Signed-off-by: seanjin99 <xhjin99@gmail.com>
…lienttest target

Signed-off-by: seanjin99 <xhjin99@gmail.com>
@seanjin99
Owner Author

I have read the CLA Document and I hereby sign the CLA

@seanjin99
Owner Author

I have read the CLA Document and I hereby sign the CLA
recheck

Signed-off-by: seanjin99 <xhjin99@gmail.com>
Signed-off-by: seanjin99 <xhjin99@gmail.com>
Signed-off-by: seanjin99 <xhjin99@gmail.com>
- Add check_c_compiler_flag() for analyzer warning suppressions
- Suppress test output with CMAKE_REQUIRED_QUIET
- Apply clang-tidy flags only on GitHub Actions CI
- Fixes macOS build while preserving CI analyzer functionality
- Code cleanup: refactor digest.c, restore cmac_context do-while pattern
- Remove dead code: MBEDTLS_ALLOW_PRIVATE_ACCESS, empty if statements
Analyzer flags only work when --analyze is enabled, so checking them
without analyzer active gives false results. Use ENV{CI} consistently
to apply flags only on GitHub Actions where analyzer is enabled.
GitHub Actions uses clang-tidy, not the Clang Static Analyzer.
The -Wno-analyzer-* flags don't exist in clang-tidy and cause build failures.
Removed all analyzer-specific warning suppressions from external libraries.
- Fixed root key initialization race conditions in otp.c
  * Added thread-safe initialization using C11 once_flag and call_once
  * Replaced unprotected static variables with call_once pattern
  * Added init_root_key() and init_common_root_key() initialization functions
  * Added failure tracking for proper error handling

- Removed unnecessary mutex from rand_bytes() in rand.c
  * mbedTLS already provides thread-safety via MBEDTLS_THREADING_C
  * Eliminates lock contention with 255+ concurrent threads

Test Results:
- SaCryptoCipherMultipleThread.processMultipleThread now passes 10/10 runs
- Previously failed consistently due to HMAC signature mismatches
- Performance: 248-419ms with 255 concurrent threads
- Fixed session double-check locking race in client_session()
  - Removed unprotected read of session variable before mutex
  - All session checks now properly protected by mutex
  - Prevents race where one thread reads while another writes

- Applied mbedTLS 3.6.2 CTR counter performance optimization
  - Backported optimized counter increment (32-bit word operations)
  - Added ctr.h header with mbedtls_ctr_increment_counter()
  - Modified patch_mbedtls.cmake to apply optimization during build
  - Fixed unused variable warning in aes.c

Verified with ThreadSanitizer: 0 races detected
Multi-threaded tests (255 threads): All passed
xjin776_comcast added 11 commits February 26, 2026 23:08
…-sample, entropy, double-free fixes

- Header rename: pkcs8.h/test_helpers.h -> *_mbedtls.h/*_openssl.h to avoid shadowing
- CMake: FetchContent offline mode, -march=native switch, pthread/GTest/OpenSSL fixes
- CENC: sa_subsample_length_s struct size fix (1031 tests), offset propagation (multi-sample)
- EC ElGamal: parameter struct conversion for ARM32 size_t vs uint64_t (70 tests)
- symmetric: CTR cipher reinit from key length instead of stale context
- typej: double-free fix (NULL after free on error path)
- hardware_rng: /dev/hwrng -> /dev/urandom fallback with read validation
- random(): chunked CTR-DRBG generation for >1024 byte requests
- object_store tests: proper cleanup to eliminate leak warnings
- sa_ta_types.h: _Static_assert for sa_subsample_length_s == 16 bytes
- Compiler warning fixes for ARM32 cross-compilation
… handling

- Fix 6 SetUp() methods to check sa_svp_supported() at runtime instead of
  unconditionally skipping SVP tests
- Add SVP buffer passing in client-side cipher_process, cipher_process_last,
  and process_common_encryption (pass SVP handle + offset via TA params)
- Fix SVP offset handling: send actual svp.offset, use assignment on return
- Fix overflow tests to set svp.offset for SVP buffer types
- Replace hardcoded GTEST_SKIP in failSvpBufferOverlap and ElGamal tests
  with sa_svp_supported() runtime check
- Set video_output.c svp_enabled conditionally on ENABLE_SVP
- Add SVP variable declarations in ta_sa_process_common_encryption.c
- sa_svp_buffer_create.c: Use (uint64_t)(uintptr_t) for void*->uint64_t cast
- sa_svp_buffer_release.c: Use (void*)(uintptr_t) for uint64_t->void* cast
- ta.c: Fix both svp_memory casts with uintptr_t; use local void* for
  ta_sa_svp_buffer_release to avoid uint64_t*->void** type punning
- hardware_rng.c: Early return for zero-length RNG request (read(fd,buf,0)
  returns 0 which was misinterpreted as failure); remove trailing whitespace
…adding, get_required_length

- ta_test_helpers.cpp: Add SVP buffer write in vector overload of buffer_alloc
  so data is written into SVP buffers via ta_sa_svp_buffer_write
- test_process_common_encryption.cpp (util_openssl): Add SVP path in
  build_samples to write encrypted data into SVP input buffers
- ta_sa_svp_crypto.cpp: Fix get_required_length for PKCS7 decrypt mode
  to return input size instead of PADDED_SIZE
- symmetric.c: Fix ECB PKCS7 encrypt_last for block-aligned input to
  produce a full padding block (16 bytes of 0x10) per PKCS7 spec
- tasecureapi-mbedtls_1.0.bb: Yocto recipe for ARM32 cross-compilation
  (SVP=ON, DISABLE_CENC_TIMING=ON, BUILD_TESTS=ON)
- README.md: Build instructions, test results for all 4 test binaries
  - saclienttest SVP=ON+DISABLE_CENC_TIMING: 6670/6670 pass
  - taimpltest SVP=ON+DISABLE_CENC_TIMING: 707/707 pass
  - Known CENC timing failures documented
- Add 3-tier OpenSSL resolution: cross-compile provided, system find_package, or auto-fetch from GitHub (OpenSSL 3.6.0)
- New providers/openssl/CMakeLists.txt with ExternalProject_Add pattern
- Add OpenSSL/deps entries in deps.cmake
- Wire BUILD_UTIL_OPENSSL option into top-level CMakeLists.txt
- Remove duplicate find_package(OpenSSL) from client and util_openssl
- Update README: crypto operations table, build section with mermaid diagram, library purposes, make -j1 note for auto-fetch
- Convert root_keystore.h from static const array to extern declarations
- Add root_keystore.c with array definition and default_root_keystore_size
- Remove getenv(ROOT_KEYSTORE) and getenv(ROOT_KEYSTORE_PASSWORD) from
  pkcs12_mbedtls.c and pkcs12.c - load only from embedded array
- Remove duplicate macros from common.h (now in root_keystore.h only)
- Simplify pkcs12 tests to 2 tests each (no env var manipulation)
- Update README.md to document embedded keystore approach
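
The symmetric.c commit above says ECB PKCS7 `encrypt_last` must emit a full padding block (16 bytes of 0x10) when the input is already block-aligned. The following C sketch is an added example, not code from this pull request; `pkcs7_pad` and `pkcs7_unpad` are hypothetical helper names and the 16-byte AES block size is assumed. It shows that rule together with the matching validation on the decrypt side.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AES_BLOCK_SIZE 16

/* Hypothetical helper (not from the PR): PKCS7-pad `in` into `out`.
 * Returns the padded length, or 0 if `out` is too small. */
size_t pkcs7_pad(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    /* pad is always 1..16, so block-aligned input gains one full block. */
    size_t pad = AES_BLOCK_SIZE - (in_len % AES_BLOCK_SIZE);
    if (in_len > SIZE_MAX - pad || out_cap < in_len + pad)
        return 0;
    if (in_len > 0)
        memcpy(out, in, in_len);
    memset(out + in_len, (int) pad, pad);
    return in_len + pad;
}

/* Hypothetical helper: validate and strip PKCS7 padding after decryption.
 * Returns 0 and sets *out_len on success, -1 on malformed padding. */
int pkcs7_unpad(const uint8_t *buf, size_t len, size_t *out_len) {
    if (len == 0 || len % AES_BLOCK_SIZE != 0)
        return -1;
    uint8_t pad = buf[len - 1];
    uint8_t bad = (uint8_t) ((pad == 0) | (pad > AES_BLOCK_SIZE));
    /* Check every byte of the last block, with no early exit on mismatch. */
    for (size_t i = 1; i <= AES_BLOCK_SIZE; i++) {
        uint8_t in_pad = (uint8_t) (i <= pad);
        bad |= (uint8_t) (in_pad & (buf[len - i] != pad));
    }
    if (bad)
        return -1;
    *out_len = len - pad;
    return 0;
}

int main(void) {
    uint8_t in[AES_BLOCK_SIZE], out[2 * AES_BLOCK_SIZE];
    size_t plain_len = 0;
    memset(in, 0xAA, sizeof in); /* constructed block-aligned sample input */
    size_t n = pkcs7_pad(in, sizeof in, out, sizeof out);
    int rc = pkcs7_unpad(out, n, &plain_len);
    printf("padded=%zu last=0x%02x rc=%d plain=%zu\n", n, out[n - 1], rc, plain_len);
    return 0;
}
```

Without the extra block, a 16-byte plaintext whose last byte happens to be 0x01 through 0x10 would be ambiguous to the unpadding side.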