Skip to content

pkcs12 file parser use mbedTLS#2

Open
seanjin99 wants to merge 17 commits intomainfrom
mbedTLS2.6.10
Open

pkcs12 file parser use mbedTLS#2
seanjin99 wants to merge 17 commits intomainfrom
mbedTLS2.6.10

Conversation

@seanjin99
Copy link
Owner

@seanjin99 seanjin99 commented Nov 14, 2025

mbedTLS implementation

@seanjin99 seanjin99 force-pushed the mbedTLS2.6.10 branch 8 times, most recently from e7efa71 to 264f581 Compare December 8, 2025 22:28
@github-actions
Copy link

github-actions bot commented Dec 8, 2025


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@seanjin99 seanjin99 force-pushed the mbedTLS2.6.10 branch 3 times, most recently from 38419f3 to 491cbc8 Compare December 8, 2025 22:46
@seanjin99
Copy link
Owner Author

I have read the CLA Document and I hereby sign the CLA

@seanjin99
Copy link
Owner Author

I have read the CLA Document and I hereby sign the CLA
recheck

Signed-off-by: seanjin99 <[email protected]>
- Add check_c_compiler_flag() for analyzer warning suppressions
- Suppress test output with CMAKE_REQUIRED_QUIET
- Apply clang-tidy flags only on GitHub Actions CI
- Fixes macOS build while preserving CI analyzer functionality
- Code cleanup: refactor digest.c, restore cmac_context do-while pattern
- Remove dead code: MBEDTLS_ALLOW_PRIVATE_ACCESS, empty if statements
Analyzer flags only work when --analyze is enabled, so checking them
without analyzer active gives false results. Use ENV{CI} consistently
to apply flags only on GitHub Actions where analyzer is enabled.
GitHub Actions uses clang-tidy, not the Clang Static Analyzer.
The -Wno-analyzer-* flags don't exist in clang-tidy and cause build failures.
Removed all analyzer-specific warning suppressions from external libraries.
- Fixed root key initialization race conditions in otp.c
  * Added thread-safe initialization using C11 once_flag and call_once
  * Replaced unprotected static variables with call_once pattern
  * Added init_root_key() and init_common_root_key() initialization functions
  * Added failure tracking for proper error handling

- Removed unnecessary mutex from rand_bytes() in rand.c
  * mbedTLS already provides thread-safety via MBEDTLS_THREADING_C
  * Eliminates lock contention with 255+ concurrent threads

Test Results:
- SaCryptoCipherMultipleThread.processMultipleThread now passes 10/10 runs
- Previously failed consistently due to HMAC signature mismatches
- Performance: 248-419ms with 255 concurrent threads
- Fixed session double-check locking race in client_session()
  - Removed unprotected read of session variable before mutex
  - All session checks now properly protected by mutex
  - Prevents race where one thread reads while another writes

- Applied mbedTLS 3.6.2 CTR counter performance optimization
  - Backported optimized counter increment (32-bit word operations)
  - Added ctr.h header with mbedtls_ctr_increment_counter()
  - Modified patch_mbedtls.cmake to apply optimization during build
  - Fixed unused variable warning in aes.c

Verified with ThreadSanitizer: 0 races detected
Multi-threaded tests (255 threads): All passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant