crypto/mbedtls: Add support for mbedtls 3.x #2122


Conversation

sirknightj
Contributor

Issue #, if available:

  • Running the CI for external contributor's PR. Will close this PR afterwards.

What was changed?

  • See the original PR for the details

Why was it changed?

  • See the original PR for the details

How was it changed?

  • See the original PR for the details

What testing was done for the changes?

  • See the original PR for the details

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@sirknightj sirknightj added the test-run CI uses Git Secrets, which are only accessible by maintainers. label May 2, 2025
@sirknightj sirknightj changed the base branch from release-v1.12.1 to develop May 14, 2025 20:19
@sirknightj
Contributor Author

Hi @vikramdattu, it seems the CI is failing for some of the jobs, could you take a look?

/__w/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/tst/DtlsApiTest.cpp:88:19: error: 'mbedtls_pk_context' {aka 'struct mbedtls_pk_context'} has no member named 'pk_info'
   88 |     EXPECT_EQ(key.pk_info, nullptr);
      |                   ^~~~~~~
[ 17%] Building C object lib/CMakeFiles/websockets.dir/tls/mbedtls/mbedtls-extensions.c.o
/Users/runner/work/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libwebsockets/build/src/project_libwebsockets/lib/tls/mbedtls/mbedtls-extensions.c:253:9: error: call to undeclared function 'mbedtls_x509_get_name'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
  253 |                 ret = mbedtls_x509_get_name( p, end, &rfc822Name );
      |                       ^
1 error generated.
-- Configuring incomplete, errors occurred!

@codecov-commenter

codecov-commenter commented May 14, 2025

Codecov Report

Attention: Patch coverage is 76.00000% with 6 lines in your changes missing coverage. Please review.

Project coverage is 75.51%. Comparing base (cf817bc) to head (875d520).
Report is 7 commits behind head on develop.

Files with missing lines Patch % Lines
src/source/Ice/TurnConnection.c 73.91% 6 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff             @@
##           develop    #2122      +/-   ##
===========================================
+ Coverage    75.46%   75.51%   +0.04%     
===========================================
  Files           48       48              
  Lines        14078    14100      +22     
===========================================
+ Hits         10624    10647      +23     
+ Misses        3454     3453       -1     

@sirknightj
Contributor Author

Hi @vikramdattu, thanks for looking at the CI.

It seems there are still a few issues that need to be reviewed:

0 - clang-format is complaining

1 - the unit tests for TURN seem to be failing. https://github.com/awslabs/amazon-kinesis-video-streams-webrtc-sdk-c/actions/runs/15047512663/job/42300992671?pr=2122

Tearing down test: TurnConnectionFunctionalityTest

[  FAILED  ] TurnConnectionFunctionalityTest.turnConnectionCallMultipleTurnSendDataInThreads (10651 ms)
[----------] 8 tests from TurnConnectionFunctionalityTest (95365 ms total)

[----------] Global test environment tear-down
[==========] 8 tests from 1 test suite ran. (95365 ms total)
[  PASSED  ] 0 tests.
[  FAILED  ] 8 tests, listed below:
[  FAILED  ] TurnConnectionFunctionalityTest.turnConnectionReceiveRelayedAddress
[  FAILED  ] TurnConnectionFunctionalityTest.turnConnectionRefreshPermissionTest
[  FAILED  ] TurnConnectionFunctionalityTest.turnConnectionShutdownCompleteBeforeTimeout
[  FAILED  ] TurnConnectionFunctionalityTest.turnConnectionShutdownAsync
[  FAILED  ] TurnConnectionFunctionalityTest.turnConnectionShutdownWithAllocationRemovesTurnSocketConnection
[  FAILED  ] TurnConnectionFunctionalityTest.turnConnectionReceivePartialChannelMessageTest
[  FAILED  ] TurnConnectionFunctionalityTest.turnConnectionReceiveChannelDataMixedWithStunMessage
[  FAILED  ] TurnConnectionFunctionalityTest.turnConnectionCallMultipleTurnSendDataInThreads

2 - Seems to be a build issue with the Ubuntu gcc-4.4 path - https://github.com/awslabs/amazon-kinesis-video-streams-webrtc-sdk-c/actions/runs/15047512663/job/42300992482?pr=2122

[  5%] Building C object library/CMakeFiles/mbedcrypto_static.dir/asn1parse.c.o
[  6%] Building C object library/CMakeFiles/mbedcrypto_static.dir/asn1write.c.o
[  6%] Building C object library/CMakeFiles/mbedcrypto_static.dir/base64.c.o
In file included from /__w/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/constant_time_internal.h:577,
                 from /__w/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/base64.c:16:
/__w/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/constant_time_impl.h: In function 'mbedtls_ct_bool':
/__w/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/constant_time_impl.h:168: error: expected string literal before ')' token
/__w/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/constant_time_impl.h: In function 'mbedtls_ct_if':
/__w/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/constant_time_impl.h:249: error: expected string literal before ')' token
/__w/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/constant_time_impl.h: In function 'mbedtls_ct_uint_lt':
/__w/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/constant_time_impl.h:330: error: expected string literal before ')' token
make[5]: *** [library/CMakeFiles/mbedcrypto_static.dir/build.make:163: library/CMakeFiles/mbedcrypto_static.dir/base64.c.o] Error 1
make[4]: *** [CMakeFiles/Makefile2:354: library/CMakeFiles/mbedcrypto_static.dir/all] Error 2
make[3]: *** [Makefile:136: all] Error 2
make[2]: *** [CMakeFiles/project_libmbedtls.dir/build.make:87: build/src/project_libmbedtls-stamp/project_libmbedtls-build] Error 2
make[1]: *** [CMakeFiles/Makefile2:87: CMakeFiles/project_libmbedtls.dir/all] Error 2
make: *** [Makefile:91: all] Error 2
CMake Error at CMake/Utilities.cmake:75 (message):
  CMake step for libmbedtls failed: 2
Call Stack (most recent call first):
  CMakeLists.txt:186 (build_dependency)


-- Configuring incomplete, errors occurred!

3 - Seems to be a build issue with M1 mac + gcc - https://github.com/awslabs/amazon-kinesis-video-streams-webrtc-sdk-c/actions/runs/15047512663/job/42300992683?pr=2122

[ 10%] Building C object library/CMakeFiles/mbedcrypto_static.dir/chachapoly.c.o
[ 10%] Building C object library/CMakeFiles/mbedcrypto_static.dir/cipher.c.o
[ 11%] Building C object library/CMakeFiles/mbedcrypto_static.dir/cipher_wrap.c.o
[ 11%] Building C object library/CMakeFiles/mbedcrypto_static.dir/constant_time.c.o
[ 12%] Building C object library/CMakeFiles/mbedcrypto_static.dir/cmac.c.o
[ 12%] Building C object library/CMakeFiles/mbedcrypto_static.dir/ctr_drbg.c.o
In file included from /Users/runner/work/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/ctr_drbg.c:13:
In function 'mbedtls_xor',
    inlined from 'ctr_drbg_update_internal' at /Users/runner/work/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/ctr_drbg.c:372:5:
/Users/runner/work/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/common.h:235:17: error: array subscript 48 is outside array bounds of 'unsigned char[48]' [-Werror=array-bounds=]
  235 |         r[i] = a[i] ^ b[i];
      |                ~^~~
/Users/runner/work/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/ctr_drbg.c: In function 'ctr_drbg_update_internal':
/Users/runner/work/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/ctr_drbg.c:335:19: note: at offset 48 into object 'tmp' of size 48
  335 |     unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
      |                   ^~~
In function 'mbedtls_xor',
    inlined from 'ctr_drbg_update_internal' at /Users/runner/work/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/ctr_drbg.c:372:5:
/Users/runner/work/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/common.h:235:24: error: array subscript 48 is outside array bounds of 'const unsigned char[48]' [-Werror=array-bounds=]
  235 |         r[i] = a[i] ^ b[i];
      |                       ~^~~
/Users/runner/work/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/ctr_drbg.c: In function 'ctr_drbg_update_internal':
/Users/runner/work/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/ctr_drbg.c:333:57: note: at offset 48 into object 'data' of size [0, 48]
  333 |                                     const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN])
      |                                     ~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function 'mbedtls_xor',
    inlined from 'ctr_drbg_update_internal' at /Users/runner/work/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/ctr_drbg.c:372:5:
/Users/runner/work/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/common.h:235:14: error: array subscript 48 is outside array bounds of 'unsigned char[48]' [-Werror=array-bounds=]
  235 |         r[i] = a[i] ^ b[i];
      |         ~~~~~^~~~~~~~~~~~~
/Users/runner/work/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/ctr_drbg.c: In function 'ctr_drbg_update_internal':
/Users/runner/work/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/open-source/libmbedtls/build/src/project_libmbedtls/library/ctr_drbg.c:335:19: note: at offset 48 into object 'tmp' of size 48
  335 |     unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
      |                   ^~~
cc1: all warnings being treated as errors
make[5]: *** [library/CMakeFiles/mbedcrypto_static.dir/ctr_drbg.c.o] Error 1
make[4]: *** [library/CMakeFiles/mbedcrypto_static.dir/all] Error 2
make[3]: *** [all] Error 2
make[2]: *** [build/src/project_libmbedtls-stamp/project_libmbedtls-build] Error 2
make[1]: *** [CMakeFiles/project_libmbedtls.dir/all] Error 2
make: *** [all] Error 2
CMake Error at CMake/Utilities.cmake:75 (message):
  CMake step for libmbedtls failed: 2
Call Stack (most recent call first):
  CMakeLists.txt:186 (build_dependency)
-- Configuring incomplete, errors occurred!

@vikramdattu
Contributor

@sirknightj locally, when I tried, the tests seem to be running fine!

cmake .. -DBUILD_TEST=ON -DENABLE_AWS_SDK_IN_TESTS=OFF -DUSE_OPENSSL=OFF -DUSE_MBEDTLS=ON
make -j
./tst/webrtc_client_test --gtest_filter='TurnConnectionFunctionalityTest*'

Result:

2025-05-16 05:59:03.285 INFO    initKvsWebRtc(): Initializing WebRTC library...
2025-05-16 05:59:03.288 INFO    initKvsWebRtc(): SDK version: a36b94f318993ae4d5c50cc4ac56825091d27f7f
2025-05-16 05:59:03.289 INFO    TearDown(): 
Tearing down test: TurnConnectionFunctionalityTest

[       OK ] TurnConnectionFunctionalityTest.turnConnectionCallMultipleTurnSendDataInThreads (407 ms)
[----------] 10 tests from TurnConnectionFunctionalityTest (4079 ms total)

[----------] Global test environment tear-down
[==========] 10 tests from 1 test suite ran. (4079 ms total)
[  PASSED  ] 10 tests.

I think I should try with Linux.

@vikramdattu
Contributor

@sirknightj

  1. Here, the gcc version used for building is 4.4, which is too old and might not be correct for the latest mbedtls:
    https://github.com/awslabs/amazon-kinesis-video-streams-webrtc-sdk-c/actions/runs/15047512663/job/42300992482?pr=2122#step:6:523

    Looks like gcc 5.4 is the oldest version it is tested with! https://github.com/Mbed-TLS/mbedtls?tab=readme-ov-file#tool-versions.
    Is there a reason we want to keep the build on gcc 4.4? Can we switch to some later version?

  2. For the array-out-of-bounds error, it looks like a false positive from the compiler and we can suppress it with the -Wno-array-bounds flag on the mbedtls build.
    Related issue: Issue Building MbedTLS 3.6.0 on Fedora Mbed-TLS/mbedtls#9003

  3. Not able to reproduce the runtime test failure (TurnConnectionFunctionalityTest); it is passing for all the combinations below:

    • AppleSilicon(M1)+clang
    • AppleSilicon(M1)+GCC14
    • Ubuntu24.0+GCC13
    • Ubuntu24.0+GCC14

@sirknightj
Contributor Author

sirknightj commented May 16, 2025

Hi @vikramdattu, thanks for looking into it.

1 - I'm sure the 4.4 was added for a good reason, maybe we can add a cmake flag for which MbedTLS version (e.g. MBEDTLS_VERSION_V2=ON) and add it to the CI, kind of like how OpenSSL one is set: https://github.com/awslabs/amazon-kinesis-video-streams-webrtc-sdk-c/pull/1840/files

2 - Sure we can add that flag to the MbedTLS build, libmbedtls-CMakeLists.txt.

3 - According to the CI, the failure seems to be related to a missing call to mbedtls_ssl_set_hostname.

2025-05-15 16:14:04.977 INFO    getIpWithHostName(): ICE SERVER Hostname received: 34-220-206-46.t-e1255f99.kinesisvideo.***.amazonaws.com
2025-05-15 16:14:04.977 PROFILE parseIceServer(): ICE Server address for 34-220-206-46.t-e1255f99.kinesisvideo.***.amazonaws.com: 34.220.206.46
2025-05-15 16:14:04.978 DEBUG   createSocketConnection(): create socket without the bind address(1:1)
2025-05-15 16:14:04.978 DEBUG   createSocketConnection(): tcp socket connected with ip: 34.220.56.251:443. family:1
2025-05-15 16:14:04.981 VERBOSE stepStateMachine(): [TURN-0x55a93f975068] State Machine - Current state: 0x0000000000000001, Next state: 0x0000000000000002, Current local state retry count [0], Max local state retry count [0], State transition wait time [0] ms
2025-05-15 16:14:04.981 DEBUG   stepTurnConnectionStateMachine(): [0x55a93f975068] Turn connection state changed from TURN_STATE_NEW to TURN_STATE_CHECK_SOCKET_CONNECTION.
2025-05-15 16:14:04.981 DEBUG   socketConnectionIsConnected(): connect ip: 0000:0000:0000:0000:0000:0000:0000:0000:0. family:0 with ip: 34.220.56.251:443. family:1
2025-05-15 16:14:04.981 WARN    socketConnectionIsConnected(): socket connection check failed with errno Operation already in progress(114)
2025-05-15 16:14:04.981 VERBOSE stepStateMachine(): [TURN-0x55a93f975068] State Machine - Current state: 0x0000000000000002, Next state: 0x0000000000000002, Current local state retry count [1], Max local state retry count [0], State transition wait time [0] ms
2025-05-15 16:14:05.031 DEBUG   socketConnectionIsConnected(): connect ip: 0000:0000:0000:0000:0000:0000:0000:0000:0. family:0 with ip: 34.220.56.251:443. family:1
2025-05-15 16:14:05.031 VERBOSE stepStateMachine(): [TURN-0x55a93f975068] State Machine - Current state: 0x0000000000000002, Next state: 0x0000000000000004, Current local state retry count [0], Max local state retry count [0], State transition wait time [0] ms
2025-05-15 16:14:05.032 DEBUG   stepTurnConnectionStateMachine(): [0x55a93f975068] Turn connection state changed from TURN_STATE_CHECK_SOCKET_CONNECTION to TURN_STATE_GET_CREDENTIALS.
2025-05-15 16:14:05.032 VERBOSE stepStateMachine(): [TURN-0x55a93f975068] State Machine - Current state: 0x0000000000000004, Next state: 0x0000000000000004, Current local state retry count [1], Max local state retry count [0], State transition wait time [0] ms
2025-05-15 16:14:05.055 WARN    tlsSessionProcessPacket(): mbedtls_ssl_read failed with SSL - Attempt to verify a certificate without an expected hostname. This is usually insecure.  In TLS clients, when a client authenticates a server through its certificate, the client normally checks three things: - the certificate chain must be valid; - the chain must start from a trusted CA; - the certificate must cover the server name that is expected by the client.  Omitting any of these checks is generally insecure, and can allow a malicious server to impersonate a legitimate server.  The third check may be safely skipped in some unusual scenarios, such as networks where eavesdropping is a risk but not active attacks, or a private PKI where the client equally trusts all servers that are accredited by the root CA.  You should call mbedtls_ssl_set_hostname() with the expected server name before starting a TLS handshake on a client (unless the client is set up to only use PSK-based authentication, which does not rely on the host name). If you have determined that server name verification is not required fo
2025-05-15 16:14:05.055 DEBUG   tlsSessionProcessPacket(): Warning: reading socket data failed with 0x0000000c
2025-05-15 16:14:05.055 DEBUG   socketConnectionReadData(): Warning: reading socket data failed with 0x0000000c
2025-05-15 16:14:05.081 VERBOSE stepStateMachine(): [TURN-0x55a93f975068] State Machine - Current state: 0x0000000000000004, Next state: 0x0000000000000004, Current local state retry count [1], Max local state retry count [0], State transition wait time [0] ms
2025-05-15 16:14:05.081 WARN    tlsSessionPutApplicationData(): mbedtls_ssl_write failed with SSL - An unexpected message was received from our peer
2025-05-15 16:14:05.081 ERROR   iceUtilsSendData(): operation returned status code: 0x0000000c
2025-05-15 16:14:05.081 ERROR   iceUtilsSendStunPacket(): operation returned status code: 0x0000000c
2025-05-15 16:14:05.081 VERBOSE stepStateMachine(): [TURN-0x55a93f975068] State Machine - Current state: 0x0000000000000004, Next state: 0x0000000000000100, Current local state retry count [0], Max local state retry count [0], State transition wait time [0] ms
2025-05-15 16:14:05.081 WARN    executeFailedTurnState(): TurnConnection in TURN_STATE_FAILED due to 0x0000000c. Aborting TurnConnection
2025-05-15 16:14:05.081 DEBUG   stepTurnConnectionStateMachine(): [0x55a93f975068] Turn connection state changed from TURN_STATE_GET_CREDENTIALS to TURN_STATE_FAILED.
2025-05-15 16:14:05.081 VERBOSE stepStateMachine(): [TURN-0x55a93f975068] State Machine - Current state: 0x0000000000000100, Next state: 0x0000000000000080, Current local state retry count [0], Max local state retry count [0], State transition wait time [0] ms
2025-05-15 16:14:05.081 DEBUG   stepTurnConnectionStateMachine(): [0x55a93f975068] Turn connection state changed from TURN_STATE_FAILED to TURN_STATE_CLEAN_UP.
2025-05-15 16:14:05.081 DEBUG   socketConnectionClosed(): Close socket 168
2025-05-15 16:14:05.081 VERBOSE stepStateMachine(): [TURN-0x55a93f975068] State Machine - Current state: 0x0000000000000080, Next state: 0x0000000000000100, Current local state retry count [0], Max local state retry count [0], State transition wait time [0] ms
2025-05-15 16:14:05.081 WARN    executeFailedTurnState(): TurnConnection in TURN_STATE_FAILED due to 0x0000000c. Aborting TurnConnection
2025-05-15 16:14:05.081 DEBUG   stepTurnConnectionStateMachine(): [0x55a93f975068] Turn connection state changed from TURN_STATE_CLEAN_UP to TURN_STATE_FAILED.
2025-05-15 16:14:05.081 VERBOSE stepStateMachine(): [TURN-0x55a93f975068] State Machine - Current state: 0x0000000000000100, Next state: 0x0000000000000100, Current local state retry count [1], Max local state retry count [0], State transition wait time [0] ms
2025-05-15 16:14:05.081 WARN    executeFailedTurnState(): TurnConnection in TURN_STATE_FAILED due to 0x0000000c. Aborting TurnConnection
/__w/amazon-kinesis-video-streams-webrtc-sdk-c/amazon-kinesis-video-streams-webrtc-sdk-c/tst/TurnConnectionFunctionalityTest.cpp:112: Failure
Value of: relayAddressReceived
  Actual: false
Expected: true

I was able to reproduce on my Mac after doing a clean build (rm -rf build open-source dependency), but only after doing brew unlink mbedtls and also brew unlink openssl: cmake .. -DBUILD_TEST=ON -DBUILD_DEPENDENCIES=ON -DENABLE_AWS_SDK_IN_TESTS=OFF -DUSE_MBEDTLS=ON -DUSE_OPENSSL=OFF && make -j && ./tst/webrtc_client_test --gtest_filter="*turnConnectionReceiveRelayedAddress*". I confirmed it is the same error message as mentioned in the CI, though I haven't had the time to look into its resolution yet.

  • Note: To undo the brew unlink: brew link openssl@3 && brew link mbedtls@3

@sirknightj
Contributor Author

This change impacts connections with the turns: TURN servers. Modifying Common.c to use the 2nd TURN server returned:

            CHK_STATUS(signalingClientGetIceConfigInfo(pSampleConfiguration->signalingClientHandle, i, &pIceConfigInfo));
            for (j = 1; j < pIceConfigInfo->uriCount; j++) {
                CHECK(uriCount < MAX_ICE_SERVERS_COUNT);

And using ForceTURN on the JS side, no connection is established.

@vikramdattu
Contributor

@sirknightj https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/

The hostname verification is on by default for latest mbedtls releases. Though this is not actually required in our case as the turn credentials are securely obtained from kvs endpoint and also RTP data will go over DTLS encryption, I think we should still set the same. I have pushed the commit handling this.
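The failure traced above to a missing mbedtls_ssl_set_hostname() call, and the mbedtls warning quoted in the CI log, both come down to the "third check" a TLS client is expected to perform: the server certificate must cover the server name the client expected. The following is an added illustration of what that check actually does, written for this thread; it is not mbedtls's code nor the SDK's, and the function names hostname_matches and cert_covers_hostname, together with the SAN entries and expected hostname in main(), are constructed for the example. It applies the conservative dNSName matching rules from RFC 6125 section 6.4.3 (case-insensitive label comparison, a wildcard only as the whole left-most label, a wildcard matching exactly one label, no partial wildcards, no "*.com"), which is the comparison mbedtls runs internally once a hostname has been set.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two DNS labels (DNS names are case-insensitive). */
static bool label_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen) {
        return false;
    }
    for (size_t i = 0; i < alen; i++) {
        if (tolower((unsigned char) a[i]) != tolower((unsigned char) b[i])) {
            return false;
        }
    }
    return true;
}

/*
 * hostname_matches: does a certificate dNSName pattern cover the expected hostname?
 * Rules applied (conservative subset of RFC 6125 section 6.4.3):
 *   - labels are compared case-insensitively, one by one;
 *   - a wildcard is accepted only as the entire left-most label ("*.example.com");
 *   - a wildcard label matches exactly one label, so "*.example.com" does not cover "a.b.example.com";
 *   - a wildcard pattern needs at least two further labels, so "*.com" is rejected;
 *   - partial wildcards such as "f*.example.com" are rejected;
 *   - empty strings, empty labels ("a..b") and trailing dots never match.
 */
bool hostname_matches(const char *pattern, const char *hostname)
{
    if (pattern == NULL || hostname == NULL || *pattern == '\0' || *hostname == '\0') {
        return false;
    }
    size_t plen = strlen(pattern), hlen = strlen(hostname);
    if (pattern[plen - 1] == '.' || hostname[hlen - 1] == '.') {
        return false;
    }

    const char *p = pattern, *h = hostname;
    bool first = true;
    for (;;) {
        const char *pdot = strchr(p, '.');
        const char *hdot = strchr(h, '.');
        size_t pl = pdot ? (size_t) (pdot - p) : strlen(p);
        size_t hl = hdot ? (size_t) (hdot - h) : strlen(h);
        if (pl == 0 || hl == 0) {
            return false; /* empty label */
        }

        if (first && pl == 1 && p[0] == '*') {
            /* Wildcard label: it must be followed by at least two more labels. */
            if (pdot == NULL || strchr(pdot + 1, '.') == NULL) {
                return false;
            }
        } else {
            if (memchr(p, '*', pl) != NULL) {
                return false; /* wildcard anywhere else, or a partial wildcard */
            }
            if (!label_eq(p, pl, h, hl)) {
                return false;
            }
        }
        first = false;

        if (pdot == NULL && hdot == NULL) {
            return true; /* every label matched and both names are exhausted */
        }
        if (pdot == NULL || hdot == NULL) {
            return false; /* different number of labels */
        }
        p = pdot + 1;
        h = hdot + 1;
    }
}

/* Walk the certificate's dNSName entries (plain strings here; a real client reads them
 * from the subjectAltName extension) and report whether any covers the expected name. */
bool cert_covers_hostname(const char *const *dns_names, size_t count, const char *hostname)
{
    for (size_t i = 0; i < count; i++) {
        if (hostname_matches(dns_names[i], hostname)) {
            return true;
        }
    }
    return false;
}

int main(void)
{
    /* Constructed sample: SAN entries of a hypothetical TURN server certificate. */
    const char *san[] = { "*.kinesisvideo.example.com", "turn.example.com" };
    const char *expected = "abc-123.kinesisvideo.example.com";
    printf("%s\n", cert_covers_hostname(san, 2, expected) ? "hostname verified" : "hostname mismatch");
    return 0;
}
```

In the SDK the equivalent step is passing the ICE server hostname (the value logged by getIpWithHostName() above, not the resolved IP) to mbedtls_ssl_set_hostname() before the handshake; mbedtls then performs this comparison against the certificate itself, and with 3.6.3 refuses to proceed if no name was ever set.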

@sirknightj
Contributor Author

Hi @vikramdattu, seems like everything's passing except the gcc-4.4. It looks to still be using the v3 instead of the v2. Since the build is executed as a subprocess, we'll need to forward the flag from the main cmakelists.txt file. Here is a fixed version you can use:

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 51f67057b7..9c82dcfd33 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -22,6 +22,7 @@ option(ENABLE_KVS_THREADPOOL "Enable support for KVS thread pool in signaling" O
 option(INSTRUMENTED_ALLOCATORS "Enable memory instrumentation" OFF)
 option(ENABLE_AWS_SDK_IN_TESTS "Enable support for compiling AWS SDKs for tests" ON)
 option(ENABLE_STATS_CALCULATION_CONTROL "Enable support for runtime control of ice agent stat calculations." OFF)
+option(BUILD_OLD_MBEDTLS_VERSION "Use MbedTLS version 2.28.8." OFF)
 
 # Developer Flags
 option(BUILD_TEST "Build the testing tree." OFF)
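Review bot: the new BUILD_OLD_MBEDTLS_VERSION option is declared among the feature options, yet its description ("Use MbedTLS version 2.28.8.") hard-codes a tag that actually lives in CMake/Dependencies/libmbedtls-CMakeLists.txt, so the two will drift apart the next time the 2.28.x pin moves (the commit message already mentions 2.28.10). Since the thread describes this switch as existing for the gcc-4.4 CI path, consider placing it under the "# Developer Flags" block two lines below with a description such as "Build against the legacy MbedTLS 2.28.x line (for old toolchains)."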
@@ -182,6 +183,7 @@ if(BUILD_DEPENDENCIES)
   elseif(USE_MBEDTLS)
     set(BUILD_ARGS -DBUILD_STATIC_LIBS=${BUILD_STATIC_LIBS}
                    -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+                   -DBUILD_OLD_MBEDTLS_VERSION=${BUILD_OLD_MBEDTLS_VERSION}
                     "-DCMAKE_C_FLAGS=${CMAKE_C_FLAGS} -std=c99")
       build_dependency(mbedtls ${BUILD_ARGS})
   endif()
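Review bot: forwarding -DBUILD_OLD_MBEDTLS_VERSION=${BUILD_OLD_MBEDTLS_VERSION} into BUILD_ARGS is the right fix for the sub-build not seeing the option, but note that the -Wno-array-bounds suppression agreed on earlier in the thread is not part of these arguments: the only C flags passed down are "${CMAKE_C_FLAGS} -std=c99", so if the 3.6.x build still needs that flag it has to be applied in the dependency's own CMakeLists rather than here. It would also help to state in the option's help text that this variable only has an effect when USE_MBEDTLS is on, since it is silently ignored in the OpenSSL branch of this if/elseif.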
diff --git a/CMake/Dependencies/libmbedtls-CMakeLists.txt b/CMake/Dependencies/libmbedtls-CMakeLists.txt
index 96ff373093..0c908697ec 100644
--- a/CMake/Dependencies/libmbedtls-CMakeLists.txt
+++ b/CMake/Dependencies/libmbedtls-CMakeLists.txt
@@ -4,7 +4,7 @@ project(libmbedtls-download NONE)
 
 include(ExternalProject)
 
-if(BUILD_OLD_MBEDTLS_VERSION)
+if (BUILD_OLD_MBEDTLS_VERSION)
   SET(MBEDTLS_GIT_TAG "v2.28.8")
 else()
   SET(MBEDTLS_GIT_TAG "v3.6.3")
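Review bot: this hunk is a whitespace-only change (if( to if () that goes against the style used in the rest of the project's CMake, e.g. the if(BUILD_DEPENDENCIES) and elseif(USE_MBEDTLS) lines in the CMakeLists.txt hunk above, so it should be dropped from the diff. Separately, both tags (v2.28.8 and v3.6.3) are pinned by name only; since this file drives an ExternalProject fetch, pinning the GIT_TAG to the corresponding commit hash rather than a movable tag gives a reproducible and tamper-evident dependency pin for a TLS library.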

@vikramdattu
Contributor

@sirknightj thanks for looking this up! Pushed the change.

 - mbedtls 2.8.x is getting out of support: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.10
 - Clone mbedtls 3.6.x instead of 2.8.x via CMake dependencies
 - Add related code to mbedtls usage, keeping the 2.8.x support intact under mbedtls version macros
 - This release handles mbedtls 3.x version support and has some fixes
 - Cleanup: removed libwebsocket patches as they are not needed anymore
 - New API tlsSessionStartWithHostname can receive an optional hostname and set the same
 - It is recommended to set the hostname, and this is on by default for mbedtls v3.6.3 and above
 - Since we receive ICE server credentials via a secure API and anyway use DTLS as per the WebRTC standard, we could skip this, but let's follow the recommendation as a precaution
 - Newer (3.6.x) mbedtls versions do not test builds on GCC versions as old as 4.4
 - We keep this test for the older mbedtls version (2.28.x)