
Comments (7)

Synss commented on June 12, 2024

mmm... that looks like a bug. I have to see how to fix this using the generic C-API from upstream.

Are you doing a security audit of this library? In any case, your feedback is much appreciated.

from python-mbedtls.

skelsec commented on June 12, 2024

No security audit, full story below:
I'm trying to port the python tools/libraries I'm writing to webassembly using pyodide but I faced two major problems:

  1. pyodide has no SSL/TLS support (probably some issues with interfacing emscripten compiled openssl with python, also since webassembly doesn't support sockets the maintainers of pyodide don't want to spend resources on that. however I have a pretty niche usecase for using the in-memory SSL/TLS)
  2. no out of the box 3rd party crypto library. There isn't a single one which can compile easily in a way that pyodide can use because CFFI/rust/... long story, there are some caveats.

I've been searching for half a year for a solution to these major blocking issues, and by chance stumbled across your project, which compiles out-of-the-box on pyodide/emscripten, has working TLS support and also provides a C-backed crypto interface.
The missing crypto library support in pyodide is a major pain-point for many users as you might imagine and currently there is no 3rd party lib which works. Believe me I tried so many different approaches but they all failed.
Therefore I'm trying my best to improve this project so I (and probably many others) can have proper usability for cryptography-related projects.
Also I'm writing a custom crypto lib that will work cross-platforms with support for major existing crypto packages with a unified interface, it's nothing major but will help users writing libraries that will work on both pyodide and python. I'm mentioning this because I have working testcases for testing the integration of supported crypto modules (mbedtls included) and this is how I find the issues in your lib.


Synss commented on June 12, 2024

Interesting. I am glad my library is useful. :)

I am working on this now. I think I have the same kind of error on AEAD ciphers I still have to fix. I am not exactly sure how to test this, either.

How do you test it? test vectors?


skelsec commented on June 12, 2024

I'm writing a wrapper library (it's for my projects, not production grade) called unicrypto which has test vectors, and also supports your project.
With this PR all test cases are passing except one, which is CFB when the segment_size is one (default is 8 which works). This is not related to this PR, but to the fact that I couldn't find a way to control the segment_size parameter using the current API.
However, for me it's not a big issue currently, this is just a heads-up.
With this being said, would you please push the current package to PyPI so I can reference it in the build environment?


skelsec commented on June 12, 2024

And thank you for your hard work!


Synss commented on June 12, 2024

> This is not related to this PR, but to the fact that I couldn't find a way to control the segment_size parameter using the current API.

I do not know either how to do that on the backend.

> With this being said, would you please push the current package to PyPI so I can reference it in the build environment?

Yes, I guess it makes sense now. I am not happy with my TLSWrappedSocket code but these are enough fixes and changes to warrant a new release. I'll take care of that shortly.


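Added example, not part of the thread and not code from python-mbedtls or unicrypto: a minimal CFB implementation showing why test vectors generated at one segment size cannot pass against a backend fixed to another. Assumptions: the block function is an HMAC-SHA256 stand-in rather than AES, segment sizes are given in bytes (1 and 16), and the key, IV and plaintext are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, same as AES

# Constructed sample values, not real test vectors.
KEY = bytes(range(16))
IV = bytes(range(16, 32))
PLAINTEXT = b"CFB segment size changes output."  # 32 bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for the cipher's forward direction (assumption: HMAC-SHA256
    # truncated to one block, NOT AES). CFB never calls the inverse.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb(key: bytes, iv: bytes, data: bytes, segment_size: int,
        decrypt: bool = False) -> bytes:
    """CFB with the segment size in bytes (1 = CFB8, 16 = CFB128)."""
    if len(iv) != BLOCK or not 1 <= segment_size <= BLOCK:
        raise ValueError("bad IV length or segment size")
    register = iv
    out = bytearray()
    for i in range(0, len(data), segment_size):
        segment = data[i:i + segment_size]
        keystream = block_encrypt(key, register)[:len(segment)]
        result = bytes(a ^ b for a, b in zip(segment, keystream))
        out += result
        # The feedback is always the ciphertext segment, in both directions.
        feedback = segment if decrypt else result
        # Shift the register left by one segment and append the feedback.
        register = (register + feedback)[-BLOCK:]
    return bytes(out)


def cross_decrypt_matches(key: bytes, iv: bytes, plaintext: bytes) -> bool:
    """Encrypt with 1-byte segments, decrypt with 16-byte segments."""
    ciphertext = cfb(key, iv, plaintext, 1)
    return cfb(key, iv, ciphertext, 16, decrypt=True) == plaintext


if __name__ == "__main__":
    c8 = cfb(KEY, IV, PLAINTEXT, 1)
    c128 = cfb(KEY, IV, PLAINTEXT, 16)
    print("CFB8  :", c8.hex())
    print("CFB128:", c128.hex())
    print("cross-decrypt recovers plaintext:",
          cross_decrypt_matches(KEY, IV, PLAINTEXT))
```

Both variants encrypt their first byte with the same keystream byte, so the outputs agree there and diverge once the shift registers differ.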
Synss commented on June 12, 2024

FYI: 1.7.0 released just now.

