sfackler / rust-native-tls

Apache License 2.0

mbedtls implementation #211

Open MabezDev opened 2 years ago

MabezDev commented 2 years ago

Without rust-native-tls support, a lot of std crates become partially, or completely unusable. For our std target, riscv32imc-esp-espidf, we have an mbedtls implementation available.

rust-mbedtls is a stable and well maintained crate with bindings to mbedtls. Would you be open to PRs adding support in rust-native-tls?

sfackler commented 2 years ago

How would you classify the set of targets that should use mbedtls?

MabezDev commented 2 years ago

For our use case, we can use target_os = "espidf".

sfackler commented 2 years ago

And OpenSSL will not build at all for espidf?

MabezDev commented 2 years ago

We had partial bindings for OpenSSL but they were buggy and are being removed with esp-idf 5.0. There is a possibility we could extract the OpenSSL wrapper into its own library and maintain it separately.

sfackler commented 2 years ago

I'm just asking to confirm that making this change won't break people that were using OpenSSL on that OS already - if it's not supported at all then it should be fine to add mbedtls for that case.

MabezDev commented 2 years ago

Correct, it won't break any existing code by adding mbedtls support for espidf in this crate.

I'll start working on a PR :).

jan-br commented 2 years ago

Any updates on this? :) @MabezDev

MabezDev commented 2 years ago

@jan-br I have it working locally, but require some changes to mbedtls. Similar patches are in review upstream in mbedtls so I'm waiting for them to get merged, before I can open a PR here :).

jan-br commented 2 years ago

That's great, thanks for your work @MabezDev. :) This could be quite a game changer for Rust development with esp-idf. Also just wondering, is this working with Xtensa too or is it just RISC-V?

MabezDev commented 2 years ago

Both Xtensa and RISC-V will be supported :).

andresv commented 2 years ago

Almost excellent timing. I also would like to use it for mqttrust.

jan-br commented 2 years ago

> @jan-br I have it working locally, but require some changes to mbedtls. Similar patches are in review upstream in mbedtls so I'm waiting for them to get merged, before I can open a PR here :).

Hi again @MabezDev :) You've mentioned you got rust-native-tls with mbedtls working on Xtensa. So I have checked out your fork of rust-native-tls and mbedtls locally, modified the path of the mbedtls dependency for my setup and added rust-native-tls to my ESP project.

The ESP project I used as a template is the std demo project.

Are all changes already upstream on those forks? I can't get it to compile in my project. :(

Error after cargo build --release in the std template project.


```
error: failed to run custom build command for `mbedtls-sys-auto v2.26.1 (/hdd/projects/rust-mbedtls/mbedtls-sys)`

Caused by:
  process didn't exit successfully: `/hdd/projects/rust-esp32-std-demo/target/release/build/mbedtls-sys-auto-fe148a4450c70867/build-script-build` (exit status: 101)
  --- stdout
  cargo:rustc-cfg=time_component="libc"
  cargo:rustc-cfg=std_component="entropy"
  cargo:rustc-cfg=std_component="fs"
  cargo:rustc-cfg=std_component="net"
  cargo:rustc-cfg=threading_component="pthread"
  cargo:platform-components=time_component=libc,std_component=entropy,std_component=fs,std_component=net,threading_component=pthread
  cargo:rerun-if-env-changed=RUST_MBEDTLS_SYS_SOURCE
  cargo:rerun-if-changed=vendor/CMakeLists.txt
  cargo:rerun-if-changed=vendor/include/mbedtls/config_psa.h
  cargo:rerun-if-changed=vendor/include/mbedtls/bignum.h
  cargo:rerun-if-changed=vendor/include/mbedtls/md.h
  cargo:rerun-if-changed=vendor/include/mbedtls/threading.h
  cargo:rerun-if-changed=vendor/include/mbedtls/ecp.h
  cargo:rerun-if-changed=vendor/include/mbedtls/rsa.h
  cargo:rerun-if-changed=vendor/include/mbedtls/ecdsa.h
  cargo:rerun-if-changed=vendor/include/mbedtls/platform_time.h
  cargo:rerun-if-changed=vendor/include/mbedtls/asn1.h
  cargo:rerun-if-changed=vendor/include/mbedtls/pk.h
  cargo:rerun-if-changed=vendor/include/mbedtls/platform_util.h
  cargo:rerun-if-changed=vendor/include/mbedtls/x509.h
  cargo:rerun-if-changed=vendor/include/mbedtls/cipher.h
  cargo:rerun-if-changed=vendor/include/mbedtls/x509_crl.h
  cargo:rerun-if-changed=vendor/include/mbedtls/aes.h
  cargo:rerun-if-changed=vendor/include/mbedtls/ssl_ciphersuites.h
  cargo:rerun-if-changed=vendor/include/mbedtls/x509_crt.h
  cargo:rerun-if-changed=vendor/include/mbedtls/dhm.h
  cargo:rerun-if-changed=vendor/include/mbedtls/ecdh.h
  cargo:rerun-if-changed=vendor/include/mbedtls/oid.h
  cargo:rerun-if-changed=vendor/include/mbedtls/ctr_drbg.h
  cargo:rerun-if-changed=vendor/include/mbedtls/hmac_drbg.h
  cargo:rerun-if-changed=vendor/include/mbedtls/ssl.h
  cargo:rerun-if-changed=vendor/include/mbedtls/md5.h
  cargo:rerun-if-changed=vendor/include/mbedtls/sha1.h
  cargo:rerun-if-changed=vendor/include/mbedtls/sha256.h
  cargo:rerun-if-changed=vendor/include/mbedtls/sha512.h
  cargo:rerun-if-changed=vendor/include/mbedtls/ecjpake.h
  cargo:rerun-if-changed=vendor/include/mbedtls/psa_util.h
  cargo:rerun-if-changed=vendor/include/mbedtls/net_sockets.h
  cargo:rerun-if-changed=vendor/include/mbedtls/havege.h
  cargo:rerun-if-changed=vendor/include/mbedtls/poly1305.h
  cargo:rerun-if-changed=vendor/include/mbedtls/chacha20.h
  cargo:rerun-if-changed=vendor/include/mbedtls/xtea.h
  cargo:rerun-if-changed=vendor/include/mbedtls/x509_csr.h
  cargo:rerun-if-changed=vendor/include/mbedtls/version.h
  cargo:rerun-if-changed=vendor/include/mbedtls/timing.h
  cargo:rerun-if-changed=vendor/include/mbedtls/ssl_ticket.h
  cargo:rerun-if-changed=vendor/include/mbedtls/ssl_internal.h
  cargo:rerun-if-changed=vendor/include/mbedtls/ssl_cookie.h
  cargo:rerun-if-changed=vendor/include/mbedtls/ssl_cache.h
  cargo:rerun-if-changed=vendor/include/mbedtls/rsa_internal.h
  cargo:rerun-if-changed=vendor/include/mbedtls/ripemd160.h
  cargo:rerun-if-changed=vendor/include/mbedtls/platform.h
  cargo:rerun-if-changed=vendor/include/mbedtls/pkcs5.h
  cargo:rerun-if-changed=vendor/include/mbedtls/pkcs12.h
  cargo:rerun-if-changed=vendor/include/mbedtls/pk_internal.h
  cargo:rerun-if-changed=vendor/include/mbedtls/pem.h
  cargo:rerun-if-changed=vendor/include/mbedtls/padlock.h
  cargo:rerun-if-changed=vendor/include/mbedtls/nist_kw.h
  cargo:rerun-if-changed=vendor/include/mbedtls/net.h
  cargo:rerun-if-changed=vendor/include/mbedtls/memory_buffer_alloc.h
  cargo:rerun-if-changed=vendor/include/mbedtls/md_internal.h
  cargo:rerun-if-changed=vendor/include/mbedtls/md4.h
  cargo:rerun-if-changed=vendor/include/mbedtls/md2.h
  cargo:rerun-if-changed=vendor/include/mbedtls/hkdf.h
  cargo:rerun-if-changed=vendor/include/mbedtls/gcm.h
  cargo:rerun-if-changed=vendor/include/mbedtls/error.h
  cargo:rerun-if-changed=vendor/include/mbedtls/entropy_poll.h
  cargo:rerun-if-changed=vendor/include/mbedtls/entropy.h
  cargo:rerun-if-changed=vendor/include/mbedtls/ecp_internal.h
  cargo:rerun-if-changed=vendor/include/mbedtls/des.h
  cargo:rerun-if-changed=vendor/include/mbedtls/debug.h
  cargo:rerun-if-changed=vendor/include/mbedtls/cmac.h
  cargo:rerun-if-changed=vendor/include/mbedtls/cipher_internal.h
  cargo:rerun-if-changed=vendor/include/mbedtls/chachapoly.h
  cargo:rerun-if-changed=vendor/include/mbedtls/ccm.h
  cargo:rerun-if-changed=vendor/include/mbedtls/camellia.h
  cargo:rerun-if-changed=vendor/include/mbedtls/bn_mul.h
  cargo:rerun-if-changed=vendor/include/mbedtls/blowfish.h
  cargo:rerun-if-changed=vendor/include/mbedtls/base64.h
  cargo:rerun-if-changed=vendor/include/mbedtls/asn1write.h
  cargo:rerun-if-changed=vendor/include/mbedtls/aria.h
  cargo:rerun-if-changed=vendor/include/mbedtls/arc4.h
  cargo:rerun-if-changed=vendor/include/mbedtls/aesni.h
  cargo:rerun-if-changed=vendor/library/aria.c
  cargo:rerun-if-changed=vendor/library/psa_crypto_se.h
  cargo:rerun-if-changed=vendor/library/check_crypto_config.h
  cargo:rerun-if-changed=vendor/library/psa_crypto_service_integration.h
  cargo:rerun-if-changed=vendor/library/net_sockets.c
  cargo:rerun-if-changed=vendor/library/ssl_cli.c
  cargo:rerun-if-changed=vendor/library/Makefile
  cargo:rerun-if-changed=vendor/library/md4.c
  cargo:rerun-if-changed=vendor/library/pkwrite.c
  cargo:rerun-if-changed=vendor/library/ssl_cache.c
  cargo:rerun-if-changed=vendor/library/pk.c
  cargo:rerun-if-changed=vendor/library/sha512.c
  cargo:rerun-if-changed=vendor/library/ecjpake.c
  cargo:rerun-if-changed=vendor/library/error.c
  cargo:rerun-if-changed=vendor/library/ssl_ticket.c
  cargo:rerun-if-changed=vendor/library/x509_create.c
  cargo:rerun-if-changed=vendor/library/ctr_drbg.c
  cargo:rerun-if-changed=vendor/library/ssl_tls13_keys.h
  cargo:rerun-if-changed=vendor/library/pkparse.c
  cargo:rerun-if-changed=vendor/library/x509write_csr.c
  cargo:rerun-if-changed=vendor/library/rsa_internal.c
  cargo:rerun-if-changed=vendor/library/x509_csr.c
  cargo:rerun-if-changed=vendor/library/ssl_ciphersuites.c
  cargo:rerun-if-changed=vendor/library/camellia.c
  cargo:rerun-if-changed=vendor/library/ssl_tls13_keys.c
  cargo:rerun-if-changed=vendor/library/pkcs12.c
  cargo:rerun-if-changed=vendor/library/threading.c
  cargo:rerun-if-changed=vendor/library/entropy_poll.c
  cargo:rerun-if-changed=vendor/library/ssl_tls.c
  cargo:rerun-if-changed=vendor/library/ecdh.c
  cargo:rerun-if-changed=vendor/library/asn1parse.c
  cargo:rerun-if-changed=vendor/library/arc4.c
  cargo:rerun-if-changed=vendor/library/chachapoly.c
  cargo:rerun-if-changed=vendor/library/rsa.c
  cargo:rerun-if-changed=vendor/library/psa_crypto_its.h
  cargo:rerun-if-changed=vendor/library/havege.c
  cargo:rerun-if-changed=vendor/library/psa_crypto_slot_management.c
  cargo:rerun-if-changed=vendor/library/poly1305.c
  cargo:rerun-if-changed=vendor/library/sha256.c
  cargo:rerun-if-changed=vendor/library/aes.c
  cargo:rerun-if-changed=vendor/library/psa_crypto_client.c
  cargo:rerun-if-changed=vendor/library/asn1write.c
  cargo:rerun-if-changed=vendor/library/pem.c
  cargo:rerun-if-changed=vendor/library/ecp.c
  cargo:rerun-if-changed=vendor/library/pkcs11.c
  cargo:rerun-if-changed=vendor/library/psa_crypto.c
  cargo:rerun-if-changed=vendor/library/memory_buffer_alloc.c
  cargo:rerun-if-changed=vendor/library/psa_crypto_rsa.c
  cargo:rerun-if-changed=vendor/library/base64.c
  cargo:rerun-if-changed=vendor/library/bignum.c
  cargo:rerun-if-changed=vendor/library/x509_crt.c
  cargo:rerun-if-changed=vendor/library/psa_crypto_driver_wrappers.c
  cargo:rerun-if-changed=vendor/library/ecp_curves.c
  cargo:rerun-if-changed=vendor/library/version_features.c
  cargo:rerun-if-changed=vendor/library/sha1.c
  cargo:rerun-if-changed=vendor/library/chacha20.c
  cargo:rerun-if-changed=vendor/library/ccm.c
  cargo:rerun-if-changed=vendor/library/hkdf.c
  cargo:rerun-if-changed=vendor/library/des.c
  cargo:rerun-if-changed=vendor/library/psa_crypto_se.c
  cargo:rerun-if-changed=vendor/library/x509_crl.c
  cargo:rerun-if-changed=vendor/library/.gitignore
  cargo:rerun-if-changed=vendor/library/ripemd160.c
  cargo:rerun-if-changed=vendor/library/hmac_drbg.c
  cargo:rerun-if-changed=vendor/library/x509.c
  cargo:rerun-if-changed=vendor/library/platform.c
  cargo:rerun-if-changed=vendor/library/platform_util.c
  cargo:rerun-if-changed=vendor/library/psa_crypto_core.h
  cargo:rerun-if-changed=vendor/library/ecdsa.c
  cargo:rerun-if-changed=vendor/library/padlock.c
  cargo:rerun-if-changed=vendor/library/psa_crypto_storage.c
  cargo:rerun-if-changed=vendor/library/ssl_cookie.c
  cargo:rerun-if-changed=vendor/library/dhm.c
  cargo:rerun-if-changed=vendor/library/oid.c
  cargo:rerun-if-changed=vendor/library/entropy.c
  cargo:rerun-if-changed=vendor/library/md.c
  cargo:rerun-if-changed=vendor/library/psa_crypto_ecp.h
  cargo:rerun-if-changed=vendor/library/psa_crypto_random_impl.h
  cargo:rerun-if-changed=vendor/library/psa_crypto_driver_wrappers.h
  cargo:rerun-if-changed=vendor/library/certs.c
  cargo:rerun-if-changed=vendor/library/psa_crypto_ecp.c
  cargo:rerun-if-changed=vendor/library/version.c
  cargo:rerun-if-changed=vendor/library/xtea.c
  cargo:rerun-if-changed=vendor/library/md5.c
  cargo:rerun-if-changed=vendor/library/ssl_srv.c
  cargo:rerun-if-changed=vendor/library/psa_crypto_invasive.h
  cargo:rerun-if-changed=vendor/library/blowfish.c
  cargo:rerun-if-changed=vendor/library/cipher_wrap.c
  cargo:rerun-if-changed=vendor/library/aesni.c
  cargo:rerun-if-changed=vendor/library/pk_wrap.c
  cargo:rerun-if-changed=vendor/library/timing.c
  cargo:rerun-if-changed=vendor/library/psa_crypto_slot_management.h
  cargo:rerun-if-changed=vendor/library/psa_crypto_rsa.h
  cargo:rerun-if-changed=vendor/library/ssl_msg.c
  cargo:rerun-if-changed=vendor/library/common.h
  cargo:rerun-if-changed=vendor/library/gcm.c
  cargo:rerun-if-changed=vendor/library/nist_kw.c
  cargo:rerun-if-changed=vendor/library/pkcs5.c
  cargo:rerun-if-changed=vendor/library/psa_its_file.c
  cargo:rerun-if-changed=vendor/library/CMakeLists.txt
  cargo:rerun-if-changed=vendor/library/debug.c
  cargo:rerun-if-changed=vendor/library/cipher.c
  cargo:rerun-if-changed=vendor/library/md2.c
  cargo:rerun-if-changed=vendor/library/psa_crypto_storage.h
  cargo:rerun-if-changed=vendor/library/cmac.c
  cargo:rerun-if-changed=vendor/library/ssl_invasive.h
  cargo:rerun-if-changed=vendor/library/x509write_crt.c
  OPT_LEVEL = Some("s")
  TARGET = Some("xtensa-esp32-espidf")
  HOST = Some("x86_64-unknown-linux-gnu")
  CC_xtensa-esp32-espidf = None
  CC_xtensa_esp32_espidf = None
  TARGET_CC = None
  CC = None
  CROSS_COMPILE = None
  CFLAGS_xtensa-esp32-espidf = None
  CFLAGS_xtensa_esp32_espidf = None
  TARGET_CFLAGS = None
  CFLAGS = None
  CRATE_CC_NO_DEFAULTS = None
  DEBUG = Some("false")
  CARGO_CFG_TARGET_FEATURE = Some("atomctl,bool,coprocessor,debug,dfpaccel,div32,exception,fp,highpriinterrupts,interrupt,loop,mac16,memctl,miscsr,mul32,mul32high,nsa,prid,regprotect,rvector,s32c1i,sext,threadptr,timerint,windowed")
  CMAKE_TOOLCHAIN_FILE_xtensa-esp32-espidf = None
  CMAKE_TOOLCHAIN_FILE_xtensa_esp32_espidf = None
  TARGET_CMAKE_TOOLCHAIN_FILE = None
  CMAKE_TOOLCHAIN_FILE = None
  CMAKE_GENERATOR_xtensa-esp32-espidf = None
  CMAKE_GENERATOR_xtensa_esp32_espidf = None
  TARGET_CMAKE_GENERATOR = None
  CMAKE_GENERATOR = None
  CMAKE_PREFIX_PATH_xtensa-esp32-espidf = None
  CMAKE_PREFIX_PATH_xtensa_esp32_espidf = None
  TARGET_CMAKE_PREFIX_PATH = None
  CMAKE_PREFIX_PATH = None
  CMAKE_xtensa-esp32-espidf = None
  CMAKE_xtensa_esp32_espidf = None
  TARGET_CMAKE = None
  CMAKE = None
  running: "cmake" "/hdd/projects/rust-mbedtls/mbedtls-sys/vendor" "-DENABLE_PROGRAMS=OFF" "-DENABLE_TESTING=OFF" "-DCMAKE_INSTALL_PREFIX=/hdd/projects/rust-esp32-std-demo/target/xtensa-esp32-espidf/release/build/mbedtls-sys-auto-74fb62327747d73c/out" "-DCMAKE_C_FLAGS= -DMBEDTLS_CONFIG_FILE=\"\\\"/hdd/projects/rust-esp32-std-demo/target/xtensa-esp32-espidf/release/build/mbedtls-sys-auto-74fb62327747d73c/out/config.h\\\"\" -ffunction-sections -fdata-sections -fPIC" "-DCMAKE_C_COMPILER=/usr/bin/cc" "-DCMAKE_CXX_FLAGS= -ffunction-sections -fdata-sections -fPIC" "-DCMAKE_CXX_COMPILER=/usr/bin/c++" "-DCMAKE_ASM_FLAGS= -ffunction-sections -fdata-sections -fPIC" "-DCMAKE_ASM_COMPILER=/usr/bin/cc" "-DCMAKE_BUILD_TYPE=MinSizeRel"
  -- The C compiler identification is GNU 11.1.0
  -- Detecting C compiler ABI info
  -- Detecting C compiler ABI info - done
  -- Check for working C compiler: /usr/bin/cc - skipped
  -- Detecting C compile features
  -- Detecting C compile features - done
  -- Found Python3: /usr/bin/python3.9 (found version "3.9.7") found components: Interpreter 
  -- Performing Test C_COMPILER_SUPPORTS_WFORMAT_SIGNEDNESS
  -- Performing Test C_COMPILER_SUPPORTS_WFORMAT_SIGNEDNESS - Success
  -- Configuring done
  -- Generating done
  -- Build files have been written to: /hdd/projects/rust-esp32-std-demo/target/xtensa-esp32-espidf/release/build/mbedtls-sys-auto-74fb62327747d73c/out/build
  running: "cmake" "--build" "." "--target" "lib" "--config" "MinSizeRel" "--parallel" "32"
  [  3%] Building C object library/CMakeFiles/mbedcrypto.dir/aes.c.o
  [  3%] Building C object library/CMakeFiles/mbedcrypto.dir/aria.c.o
  [  3%] Building C object library/CMakeFiles/mbedcrypto.dir/asn1write.c.o
  [  5%] Building C object library/CMakeFiles/mbedcrypto.dir/base64.c.o
  [  5%] Building C object library/CMakeFiles/mbedcrypto.dir/aesni.c.o
  [  7%] Building C object library/CMakeFiles/mbedcrypto.dir/asn1parse.c.o
  [  7%] Building C object library/CMakeFiles/mbedcrypto.dir/arc4.c.o
  [  9%] Building C object library/CMakeFiles/mbedcrypto.dir/camellia.c.o
  [ 10%] Building C object library/CMakeFiles/mbedcrypto.dir/cipher_wrap.c.o
  [ 10%] Building C object library/CMakeFiles/mbedcrypto.dir/ccm.c.o
  [ 11%] Building C object library/CMakeFiles/mbedcrypto.dir/chachapoly.c.o
  [ 14%] Building C object library/CMakeFiles/mbedcrypto.dir/bignum.c.o
  [ 14%] Building C object library/CMakeFiles/mbedcrypto.dir/chacha20.c.o
  [ 15%] Building C object library/CMakeFiles/mbedcrypto.dir/cmac.c.o
  [ 17%] Building C object library/CMakeFiles/mbedcrypto.dir/cipher.c.o
  [ 18%] Building C object library/CMakeFiles/mbedcrypto.dir/blowfish.c.o
  [ 18%] Building C object library/CMakeFiles/mbedcrypto.dir/ctr_drbg.c.o
  [ 19%] Building C object library/CMakeFiles/mbedcrypto.dir/des.c.o
  [ 20%] Building C object library/CMakeFiles/mbedcrypto.dir/dhm.c.o
  [ 21%] Building C object library/CMakeFiles/mbedcrypto.dir/ecdh.c.o
  [ 22%] Building C object library/CMakeFiles/mbedcrypto.dir/ecdsa.c.o
  [ 25%] Building C object library/CMakeFiles/mbedcrypto.dir/ecjpake.c.o
  [ 25%] Building C object library/CMakeFiles/mbedcrypto.dir/ecp.c.o
  [ 27%] Building C object library/CMakeFiles/mbedcrypto.dir/error.c.o
  [ 27%] Building C object library/CMakeFiles/mbedcrypto.dir/entropy_poll.c.o
  [ 28%] Building C object library/CMakeFiles/mbedcrypto.dir/gcm.c.o
  [ 29%] Building C object library/CMakeFiles/mbedcrypto.dir/ecp_curves.c.o
  [ 30%] Building C object library/CMakeFiles/mbedcrypto.dir/havege.c.o
  [ 31%] Building C object library/CMakeFiles/mbedcrypto.dir/entropy.c.o
  [ 33%] Building C object library/CMakeFiles/mbedcrypto.dir/hkdf.c.o
  [ 33%] Building C object library/CMakeFiles/mbedcrypto.dir/hmac_drbg.c.o
  [ 34%] Building C object library/CMakeFiles/mbedcrypto.dir/md.c.o
  [ 35%] Building C object library/CMakeFiles/mbedcrypto.dir/md2.c.o
  [ 36%] Building C object library/CMakeFiles/mbedcrypto.dir/md4.c.o
  [ 38%] Building C object library/CMakeFiles/mbedcrypto.dir/memory_buffer_alloc.c.o
  [ 39%] Building C object library/CMakeFiles/mbedcrypto.dir/md5.c.o
  [ 40%] Building C object library/CMakeFiles/mbedcrypto.dir/nist_kw.c.o
  [ 41%] Building C object library/CMakeFiles/mbedcrypto.dir/oid.c.o
  [ 43%] Building C object library/CMakeFiles/mbedcrypto.dir/pem.c.o
  [ 43%] Building C object library/CMakeFiles/mbedcrypto.dir/padlock.c.o
  [ 44%] Building C object library/CMakeFiles/mbedcrypto.dir/pk.c.o
  [ 45%] Building C object library/CMakeFiles/mbedcrypto.dir/pkcs12.c.o
  [ 47%] Building C object library/CMakeFiles/mbedcrypto.dir/pkparse.c.o
  [ 47%] Building C object library/CMakeFiles/mbedcrypto.dir/pk_wrap.c.o
  [ 48%] Building C object library/CMakeFiles/mbedcrypto.dir/pkcs5.c.o
  [ 50%] Building C object library/CMakeFiles/mbedcrypto.dir/platform.c.o
  [ 52%] Building C object library/CMakeFiles/mbedcrypto.dir/poly1305.c.o
  [ 52%] Building C object library/CMakeFiles/mbedcrypto.dir/platform_util.c.o
  [ 53%] Building C object library/CMakeFiles/mbedcrypto.dir/pkwrite.c.o
  [ 54%] Building C object library/CMakeFiles/mbedcrypto.dir/psa_crypto.c.o
  [ 55%] Building C object library/CMakeFiles/mbedcrypto.dir/psa_crypto_client.c.o
  [ 56%] Building C object library/CMakeFiles/mbedcrypto.dir/psa_crypto_rsa.c.o
  [ 57%] Building C object library/CMakeFiles/mbedcrypto.dir/psa_crypto_ecp.c.o
  [ 58%] Building C object library/CMakeFiles/mbedcrypto.dir/psa_crypto_driver_wrappers.c.o
  [ 59%] Building C object library/CMakeFiles/mbedcrypto.dir/psa_crypto_se.c.o
  [ 60%] Building C object library/CMakeFiles/mbedcrypto.dir/psa_crypto_slot_management.c.o
  [ 61%] Building C object library/CMakeFiles/mbedcrypto.dir/psa_crypto_storage.c.o
  [ 65%] Building C object library/CMakeFiles/mbedcrypto.dir/psa_its_file.c.o
  [ 65%] Building C object library/CMakeFiles/mbedcrypto.dir/ripemd160.c.o
  [ 65%] Building C object library/CMakeFiles/mbedcrypto.dir/rsa.c.o
  [ 66%] Building C object library/CMakeFiles/mbedcrypto.dir/sha1.c.o
  [ 67%] Building C object library/CMakeFiles/mbedcrypto.dir/sha256.c.o
  [ 68%] Building C object library/CMakeFiles/mbedcrypto.dir/rsa_internal.c.o
  [ 69%] Building C object library/CMakeFiles/mbedcrypto.dir/sha512.c.o
  [ 70%] Building C object library/CMakeFiles/mbedcrypto.dir/timing.c.o
  [ 71%] Building C object library/CMakeFiles/mbedcrypto.dir/threading.c.o
  [ 72%] Building C object library/CMakeFiles/mbedcrypto.dir/version_features.c.o
  [ 73%] Building C object library/CMakeFiles/mbedcrypto.dir/version.c.o
  [ 75%] Building C object library/CMakeFiles/mbedcrypto.dir/xtea.c.o
  [ 76%] Linking C static library libmbedcrypto.a
  [ 76%] Built target mbedcrypto
  [ 77%] Building C object library/CMakeFiles/mbedx509.dir/x509_crt.c.o
  [ 78%] Building C object library/CMakeFiles/mbedx509.dir/x509_csr.c.o
  [ 80%] Building C object library/CMakeFiles/mbedx509.dir/x509.c.o
  [ 80%] Building C object library/CMakeFiles/mbedx509.dir/certs.c.o
  [ 81%] Building C object library/CMakeFiles/mbedx509.dir/pkcs11.c.o
  [ 83%] Building C object library/CMakeFiles/mbedx509.dir/x509_create.c.o
  [ 83%] Building C object library/CMakeFiles/mbedx509.dir/x509write_csr.c.o
  [ 85%] Building C object library/CMakeFiles/mbedx509.dir/x509write_crt.c.o
  [ 85%] Building C object library/CMakeFiles/mbedx509.dir/x509_crl.c.o
  [ 86%] Linking C static library libmbedx509.a
  [ 86%] Built target mbedx509
  [ 88%] Building C object library/CMakeFiles/mbedtls.dir/debug.c.o
  [ 89%] Building C object library/CMakeFiles/mbedtls.dir/net_sockets.c.o
  [ 90%] Building C object library/CMakeFiles/mbedtls.dir/ssl_cookie.c.o
  [ 91%] Building C object library/CMakeFiles/mbedtls.dir/ssl_ciphersuites.c.o
  [ 92%] Building C object library/CMakeFiles/mbedtls.dir/ssl_cache.c.o
  [ 93%] Building C object library/CMakeFiles/mbedtls.dir/ssl_msg.c.o
  [ 94%] Building C object library/CMakeFiles/mbedtls.dir/ssl_cli.c.o
  [ 95%] Building C object library/CMakeFiles/mbedtls.dir/ssl_srv.c.o
  [ 96%] Building C object library/CMakeFiles/mbedtls.dir/ssl_tls.c.o
  [ 97%] Building C object library/CMakeFiles/mbedtls.dir/ssl_tls13_keys.c.o
  [ 98%] Building C object library/CMakeFiles/mbedtls.dir/ssl_ticket.c.o

  --- stderr
  CMake Warning:
    Manually-specified variables were not used by the project:

      CMAKE_ASM_COMPILER
      CMAKE_ASM_FLAGS
      CMAKE_CXX_COMPILER
      CMAKE_CXX_FLAGS

  make: warning: -j32 forced in submake: resetting jobserver mode.
  /hdd/projects/rust-mbedtls/mbedtls-sys/vendor/library/ssl_tls.c: In function ‘ssl_calc_finished_tls_sha384’:
  /hdd/projects/rust-mbedtls/mbedtls-sys/vendor/library/ssl_tls.c:3335:5: error: ‘mbedtls_sha512_finish_ret’ accessing 64 bytes in a region of size 48 [-Werror=stringop-overflow=]
   3335 |     finish( &sha512, padbuf );
        |     ^~~~~~~~~~~~~~~~~~~~~~~~~
  /hdd/projects/rust-mbedtls/mbedtls-sys/vendor/library/ssl_tls.c:3335:5: note: referencing argument 2 of type ‘unsigned char *’
  In file included from /hdd/projects/rust-mbedtls/mbedtls-sys/vendor/include/mbedtls/ssl_internal.h:51,
                   from /hdd/projects/rust-mbedtls/mbedtls-sys/vendor/library/ssl_tls.c:41:
  /hdd/projects/rust-mbedtls/mbedtls-sys/vendor/include/mbedtls/sha512.h:144:5: note: in a call to function ‘mbedtls_sha512_finish_ret’
    144 | int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
        |     ^~~~~~~~~~~~~~~~~~~~~~~~~
  cc1: all warnings being treated as errors
  make[3]: *** [library/CMakeFiles/mbedtls.dir/build.make:202: library/CMakeFiles/mbedtls.dir/ssl_tls.c.o] Error 1
  make[3]: *** Waiting for unfinished jobs....
  make[2]: *** [CMakeFiles/Makefile2:219: library/CMakeFiles/mbedtls.dir/all] Error 2
  make[1]: *** [CMakeFiles/Makefile2:254: library/CMakeFiles/lib.dir/rule] Error 2
  make: *** [Makefile:221: lib] Error 2
  thread 'main' panicked at '
  command did not execute successfully, got: exit status: 2

  build script failed, must exit now', /home/jan/.cargo/registry/src/github.com-1ecc6299db9ec823/cmake-0.1.48/src/lib.rs:975:5
  note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
warning: build failed, waiting for other jobs to finish...
error: build failed
```

MabezDev commented 2 years ago

Sorry, not everything is pushed at the moment. The idea is to replace mbedtls-sys-auto completely with esp-idf-sys, but it's been a bit tricky to work out all the issues thus far. Once I have something I can build I'll report back here.

If you are desperate for TLS, however, just this weekend someone got the ring crate building on the espidf platform: https://github.com/briansmith/ring/pull/1459, with a demo here: https://github.com/killyourphone/tlsdemo.

There are still advantages to having mbedtls support (and rust-native-tls support) such as better use of the hardware peripherals for accelerated hashing etc, so I won't stop working on this but there is an alternative if you need something now :)

jan-br commented 2 years ago

Yeah, TLS is an absolute hard requirement for my current project, so it's been quite a blocker for a while now. I'll check the ring PR out. I could not ask for anything more if that works. That would solve a lot of problems for me right now. Thanks a lot for the hint!

ellenhp commented 2 years ago

> Yeah, TLS is an absolute hard requirement for my current project, so it's been quite a blocker for a while now. I'll check the ring PR out. I could not ask for anything more if that works. That would solve a lot of problems for me right now. Thanks a lot for the hint!

Just saw this issue referenced from that PR after going to go check on it. Just be aware you'll have to deal with a lot of patched crates if you want to go with my ring/rustls setup, but it does work if you need something now. I also will make no guarantees of safety, stability, etc. I closely guard my ssh keys but I still never recommend people trust a stranger not to sneak something into one of your dependencies. I'm really hoping some of these changes get upstreamed so the list of crates to patch gets shorter. And of course as soon as this mbedtls work is done I think that'll be ideal for most use-cases.

jan-br commented 2 years ago

> Yeah, TLS is an absolute hard requirement for my current project, so it's been quite a blocker for a while now. I'll check the ring PR out. I could not ask for anything more if that works. That would solve a lot of problems for me right now. Thanks a lot for the hint!

> Just saw this issue referenced from that PR after going to go check on it. Just be aware you'll have to deal with a lot of patched crates if you want to go with my ring/rustls setup, but it does work if you need something now. I also will make no guarantees of safety, stability, etc. I closely guard my ssh keys but I still never recommend people trust a stranger not to sneak something into one of your dependencies. I'm really hoping some of these changes get upstreamed so the list of crates to patch gets shorter. And of course as soon as this mbedtls work is done I think that'll be ideal for most use-cases.

Yes I saw that. It is actually quite a mess, but I think I got ring working for now. But for a production environment an upstream merge would of course be awesome.

Janrupf commented 2 years ago

@MabezDev are you still working on this? I recently got mio and tokio running on the ESP and now I'm looking for a TLS implementation. I suppose for now one could hack something together with either ring or the ESP TLS API, but a proper wrapper would be amazing!

lu-zero commented 1 year ago

@MabezDev another poke ^^

MabezDev commented 1 year ago

Sorry for missing these! I'm not currently working on mbedtls support, but I did talk to a few colleagues internally about this. Instead of mbedtls we're probably going to wrap the esp-tls layer, as the API surface is far smaller and, in theory, allows us to use another TLS implementation underneath (WolfSSL is supported by esp-tls). I don't have any time scale on this sadly; this is currently a side project for the folks already maintaining esp-tls. For now, the best option is still to use the patched ring from esp-rs-compat.

ivmarkov commented 1 year ago

> @MabezDev are you still working on this? I recently got mio and tokio running on the ESP and now I'm looking for a TLS implementation. I suppose for now one could hack something together with either ring or the ESP TLS API, but a proper wrapper would be amazing!

@Janrupf I would be very, very interested in seeing how you implemented support for mio on top of ESP-IDF, given that mio (a) supports neither select nor poll and (b) relies on edge-triggering rather than level-triggering. This is, by the way, the reason why I looked into supporting the polling crate from the smol-rs ecosystem instead.

Janrupf commented 1 year ago

> @MabezDev are you still working on this? I recently got mio and tokio running on the ESP and now I'm looking for a TLS implementation. I suppose for now one could hack something together with either ring or the ESP TLS API, but a proper wrapper would be amazing!

> @Janrupf I would be very, very interested in seeing how you implemented support for mio on top of ESP-IDF, given that mio (a) supports neither select nor poll and (b) relies on edge-triggering rather than level-triggering. This is, by the way, the reason why I looked into supporting the polling crate from the smol-rs ecosystem instead.

https://github.com/tokio-rs/mio/pull/1602 - see here. TL;DR: I'm still working on a fully proper implementation (though CI is the main problem right now), but I already have a fully working mio implementation for ESP32 (and thus Tokio for ESP32).

ivmarkov commented 1 year ago

> @MabezDev are you still working on this? I recently got mio and tokio running on the ESP and now I'm looking for a TLS implementation. I suppose for now one could hack something together with either ring or the ESP TLS API, but a proper wrapper would be amazing!

> @Janrupf I would be very, very interested in seeing how you implemented support for mio on top of ESP-IDF, given that mio (a) supports neither select nor poll and (b) relies on edge-triggering rather than level-triggering. This is, by the way, the reason why I looked into supporting the polling crate from the smol-rs ecosystem instead.

> tokio-rs/mio#1602 - see here. TL;DR: I'm still working on a fully proper implementation (though CI is the main problem right now), but I already have a fully working mio implementation for ESP32 (and thus Tokio for ESP32).

Fingers crossed for a successful merge upstream! Which reminds me that I should start the effort to upstream my own changes to socket2 and polling. Which are, fortunately, very small, so hopefully they will be accepted upstream.

zvolin commented 1 year ago

Hi, I also came across this when trying to use native-tls-enabled crates in an Intel SGX enclave environment. I decided to give this issue a try from where @MabezDev finished. Big thanks for this kickstart, as I'm not really familiar with TLS stuff etc. I'm not sure if there is still an interest in this, but if so, I think I'll be able to issue some initial PR in a few days hopefully :crossed_fingers:

cs-clarence commented 7 months ago

Really need this right now.

zvolin commented 7 months ago

IIRC it was working on the branch from my PR and the master of https://github.com/tiny-http/tiny-http (they haven't released a version with rust-native-tls support so far). Unfortunately there seems to be no interest in this change here.

ivmarkov commented 7 months ago

I do realize it might not be a solution within the context of folks willing to reuse app-level Rust crates which are already hard-wired to rust-native-tls, but in the meantime esp-idf-svc has the EspTls blocking client TLS wrapper, as well as its EspAsyncTls async sibling. These are currently client TLS connection only, but a server one might be coming too. Which might happen faster if someone is willing to contribute a PR to esp-idf-svc. :)