- mbed-tls - lists.trustedfirmware.org

Performance tuning of SHA256 on big files

by Liu James

Hi, This is an updated post from https://github.com/Mbed-TLS/mbedtls/issues/6464, which should be posted in mbedtls mail list. My question is how to significantly improve SHA256 performance on big files (regardless of architectures). *=== Updates* I use same code with mbedtls-3.1.0 to run tests in x86, and performance is still downgraded. Mbed TLS version (number or commit id): *3.1.0* Operating system and version: * Centos-8.5, CPU 11900K* Configuration (if not default, please attach mbedtls_config.h): Compiler and options (if you used a pre-built binary, please indicate how you obtained it): *gcc/g++ 8.5* Additional environment information: *Test files and performance* CentOS-8.5.2111-x86_64-boot.iso (827.3 MB): sha256 *5 sec* CentOS-8.5.2111-x86_64-boot.iso (10.79 GB): sha256 *66 sec* Also, as advised I try to turn on "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT " and "MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT" using mbedtls-3.2.0 in M1, but compiler reported the following error: CMake Error at library/CMakeLists.txt:257 (add_library): Cannot find source file: psa_crypto_driver_wrappers.c Tried extensions .c .C .c++ .cc .cpp .cxx .cu .mpp .m .M .mm .ixx .cppm .h .hh .h++ .hm .hpp .hxx .in .txx .f .F .for .f77 .f90 .f95 .f03 .hip .ispc CMake Error at library/CMakeLists.txt:257 (add_library): No SOURCES given to target: mbedcrypto Thanks for your help. *=== Original message at github* Summary sha256() and sha1() incurs significant overhead on big files(~1G above). *This might not be an issue*, and I'm looking for an efficient way to calculate hash on big files. System information Mbed TLS version (number or commit id): 3.1.0 Operating system and version: M1 OSX Configuration (if not default, please attach mbedtls_config.h): Compiler and options (if you used a pre-built binary, please indicate how you obtained it): Clang++ Additional environment information: Expected behavior Fast calculation of big files in less than 1 second Actual behavior Test files: CentOS-8.5.2111-x86_64-boot.iso (827.3 MB): sha1 *3.3 sec*, sha256 *5.9 sec* CentOS-8.5.2111-x86_64-boot.iso (10.79 GB): sha1 *40 sec*, sha256 *78 sec* Steps to reproduce ISO files can be downloaded at: http://ftp.iij.ad.jp/pub/linux/centos-vault/8.5.2111/isos/x86_64/ Make sure use fast disk, say nvme, to store ISO files, or else loading big files could take lots of time. Also use user from time command to measure performance. Workable code of sha256: string test_sha256(string file_path) { mbedtls_sha256_context ctx; FILE *fp; string output; int BUFFER_SIZE = 4096; uint8_t buffer[BUFFER_SIZE]; size_t read, k_bytes; uint8_t hash[32]; mbedtls_sha256_init(&ctx); mbedtls_sha256_starts(&ctx, 0); fp = fopen(file_path.c_str(), "r"); if (fp == NULL) { mbedtls_sha256_free(&ctx); return output; } while ((read = fread(buffer, 1, BUFFER_SIZE, fp))) { mbedtls_sha256_update(&ctx, buffer, read); } mbedtls_sha256_finish(&ctx, hash); mbedtls_sha256_free(&ctx); fclose(fp); // update hash string, omit here return output; }

2 years, 11 months

4
5
0 0

Is there a server somewhere which can be used for testing various MbedTLS client cipher suites

by Peter

Hi All, There are machines out there for testing servers but I don't know of one which can be used for testing a client. This is a tricky area. For example I have a board running, LWIP and MbedTLS, uploading little test files to two sites. One was running EC and AES256. It worked fine. The other was running RSA and AES256 but didn't work, and after some work it was found that its certificate chain was running SHA-1 on the top level certificate, dated 2006. This is actually a major name on the internet! And we didn't have SHA-1 enabled because it is supposed to be deprecated. I wonder if there is some practical way to test out all this. We can probably enable all the MbedTLS crypto options (TLS is taking up 150k out of 350k of code for the whole product, but we can probably throw in some more) but testing them is something else. There is a test suite in TLS but it needs to be embedded in the product itself. Has someone implemented that code on a server somewhere? Thank you in advance for any pointers. Peter

2 years, 12 months

1
0
0 0

Error about psa_crypto_init

by 韩轾

I meet a problem when I call function `psa_crypto_init`, it return error code -148 that was PSA_ERROR_INSUFFICIENT_ENTROPY. I track this function step by step and found it caused by MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED. Code in entropy.c, if( ctx->source_count == 0 ), return this error. My question: I run code on Ubuntu, it runs well. But in some arm board, it returns this error. Why this count will be 0 sometimes? What is the root cause of this error.

2 years, 12 months

2
1
0 0

Reminder: MBed TLS Technical Forum - US/Europe

by Don Harbin

Hi All, A gentle reminder that the US-Europe timezone-friendly MBed TLS Tech forum is next Monday at 4:30 PM UK time. Invite details can be found on the online calendar here <https://www.trustedfirmware.org/meetings/>. If you have any topics, please let Dave Rodgman know. :) Best regards, Don Harbin TrustedFirmware Community Manager don.harbin(a)linaro.org

2 years, 12 months

1
0
0 0

PKCS#7 format of certificate

by Subramanian Gopi Krishnan

Hi, I have developed a TLS and EST client application. Where the EST server issues the certificate in PKCS#7 format. It seems mbedtls library not support certificates in PKCS#7 format. Is there any plan to support PKCS#7 in future? Thanks, Gopi Krishnan

3 years

1
0
0 0

Reminder: MBed TLS Technical Forum - Asia

by Don Harbin

Hi All, A gentle reminder that the Asia-Europe timezone-friendly MBed TLS Tech forum is next *Monday, Oct 10 at 10:00am UK time*. Invite details can be found on the online calendar here <https://www.trustedfirmware.org/meetings/>. If you have any topics, please let Dave Rodgman, cc'd, know. :) Best regards, Don Harbin TrustedFirmware Community Manager don.harbin(a)linaro.org

3 years

2
1
0 0

Re: Writing mbedtls_x509_crt chain to PEM ?

by Nicolas Pillot

Hello Please note that this is a repost from my previous message from yesterday as it seemd to have bugged (empty text + html attachement) when viewed from the archive. Apologies. Short question : how do i output an in-memory mbedtls_x509_crt chain to PEM text ? Context : I have a project where the user provides a PEM bundle to be used for HTTPS As it is provided by a user, may be incomplete or malformed : - no private key - more than 1 private key - no certificate at all - duplicate certificates - no certificate matching the private key - broken chain - extraneous certificates not part of the chain… So i want to full validate user input. Here is what i have succeeded so far : - parse the bundle into atomic parts, based on « BEGIN/END » labels - try to mbedtls_x509_crt_parse / mbedtls_pk_parse_key each part (no chain) - check that i only have one private key in the bundle - search for the certificat C matching the private key - starting from that atomic certificate, verify it against each other candidate certificate - if it validates, add it to the chain of C, and repeat until no candidate validates - then check that there are no remaining certificate (which never validated anything) - finally print and store the chain (as it’s now deemed correct and minimal) Now i want to store it in PEM format for later use. But i do not understand the way to do it : - there are no write functions for mbedtls_x509_crt - the mbedtls_x509write_cert structure shares few members with mbedtls_x509_crt - i have not found yet how to get/convert many of the missing members - as memory is tight i have have cleaned the « atomic parts » text buffers (but if there is no other way, i'll keep and reuse them) I guess it should be pretty simple, but i cannot wrap my head around it. Thanks in advance for your help Nicolas PS : if steps 1-8 could be done more elegantly, please do not hesitate to point me in the right direction.

3 years

1
0
0 0

Writing mbedtls_x509_crt chain to PEM ?

by Nicolas PILLOT

3 years

1
0
0 0

Mbed TLS4.0 - Remove legacy cipher APIs

by S Krishnan, Archanaa

Hi, In mbedTLS road map, there is a future task to remove legacy cipher API (https://developer.trustedfirmware.org/w/mbed-tls/roadmap/). Does that mean all existing mbedtls crypto APIs will not be supported anymore? mbedTLS is used for both its TLS and crypto library. I am curious how the planned changes will affect both set of users. * Are the crypto library users expected to only use PSA crypto APIs and key IDs? * Are the TLS library users expected to see API changes to TLS functions to support key IDs? Thank, Archanaa

3 years

4
3
0 0

Question about handshake MTU

by Martin Man

Hi guys, I use mbedtls for years (since 2.10 IIRC) upgrading to latest available as time goes by. For DTLS that is. I remember a case in the past where a link would have a small MTU (around 500 bytes) and I had to tune ssl_context.handshake.mtu to a lower value to successfully complete handshakes. I do not remember exactly why, but I did not want to actually restrict maximum value via mbedtls_ssl_set_mtu, maybe it was even ignored back then for handshakes… but Now when working on migration to 3.2.1 (gave some time to 3x releases to stabilize) I noticed that the whole ssl_context.handshake member is now private and inaccessible, which I guess is fine. Could somebody with more knowledge of the code recommend what is the best strategy for DTLS app where MTU may not always be 1400? thanks a lot for your time, Martin

3 years

4
7
0 0

2025

2024

2023

2022

2021

2020

mbed-tls