cosmopolitan/third_party/mbedtls/README.cosmo

DESCRIPTION

  Mbed TLS is a crypto library built by ARM that's been released
  under a more permissive license than alternatives like OpenSSL
  and is useful for interoperating with systems that require TLS

SOURCE

  https://github.com/ARMmbed/mbedtls/archive/refs/tags/v2.26.0.tar.gz

LICENSE

  Apache 2.o

LOCAL CHANGES

  - Strengthened server against DOS by removing expensive protections
    for old Internet Explorer against Lucky Thirteen timing attacks.

  - Reduce build+test latency from 15 seconds to 5 seconds.

  - Features have been added that enable this library to produce SSL
    certificates that can be used by Google Chrome. This required we
    add featurces for editing Subject Alternative Names and Extended
    Key Usage X.509 extension fields since upstream mbedtls can only
    do that currently for Netscape Navigator.

  - Local changes needed to be made to test_suite_ssl.datax due to it
    not taking into consideration disabled features like DTLS.

  - Local changes needed to be made to test_suite_x509parse.datax due
    to the features we added for subject alternative name parsing.

  - We've slimmed things down to meet our own specific local needs.
    For example, we don't need the PSA code since we don't target ARM
    hardware. We also don't need algorithms like camellia, blowfish,
    ripemd, arc4, ecjpake, etc. We want security code that's simple,
    readable, and easy to maintain. For example, the formally verified
    eliptic curve diffie-helman code was 38 files and most of it was
    dead code which could be consolidated into one < 1 kLOC file.

  - The only breaking API change that's been made is to redefine int
    arrays of things like long lists of ciphersuites to be uint8_t or
    uint16_t instead when appropriate.

  - Exported test code so it (a) doesn't have python as a build time
    dependency, (b) doesn't print to stdout on success, (c) bundles
    its dependencies inside a zip container so the tests are able to
    run hermetically if the binary is scp'd to some machine, and (d)
    doesn't have large amounts of duplicated generated code.

  - Fix mbedtls_mpi_sub_abs() to not call malloc/free/memcpy since
    it's called 11,124 times during as SSL handshake.

  - Make P-256 and P-384 modulus goes 5x faster.

  - Make chacha20 26% faster.

  - Make base64 100x faster.

  - Make gcm faster.
Add SSL to redbean Your redbean can now interoperate with clients that require TLS crypto. This is accomplished using a protocol polyglot that lets us distinguish between HTTP and HTTPS regardless of the port number. Certificates will be generated automatically, if none are supplied by the user. Footprint increases by only a few hundred kb so redbean in MODY=tiny is now 1.0mb - Add lseek() polyfills for ZIP executable - Automatically polyfill /tmp/FOO paths on NT - Fix readdir() / ftw() / nftw() bugs on Windows - Introduce -B flag for slower SSL that's stronger - Remove mbedtls features Cosmopolitan doesn't need - Have base64 decoder support the uri-safe alternative - Remove Truncated HMAC because it's forbidden by the IETF - Add all the mbedtls test suites and make them go 3x faster - Support opendir() / readdir() / closedir() on ZIP executable - Use Everest for ECDHE-ECDSA because it's so good it's so good - Add tinier implementation of sha1 since it's not worth the rom - Add chi-square monte-carlo mean correlation tests for getrandom() - Source entropy on Windows from the proper interface everyone uses We're continuing to outperform NGINX and other servers on raw message throughput. Using SSL means that instead of 1,000,000 qps you can get around 300,000 qps. However redbean isn't as fast as NGINX yet at SSL handshakes, since redbean can do 2,627 per second and NGINX does 4.3k Right now, the SSL UX story works best if you give your redbean a key signing key since that can be easily generated by openssl using a one liner then redbean will do all the things that are impossibly hard to do like signing ecdsa and rsa certificates that'll work in chrome. We should integrate the let's encrypt acme protocol in the future. Live Demo: https://redbean.justine.lol/ Root Cert: https://redbean.justine.lol/redbean1.crt 2021-06-24 19:31:26 +00:00			`DESCRIPTION`

			`Mbed TLS is a crypto library built by ARM that's been released`
			`under a more permissive license than alternatives like OpenSSL`
			`and is useful for interoperating with systems that require TLS`

			`SOURCE`

			`https://github.com/ARMmbed/mbedtls/archive/refs/tags/v2.26.0.tar.gz`

			`LICENSE`

			`Apache 2.o`

			`LOCAL CHANGES`

Restore Referer-Policy and wrap up MbedTLS changes redbean will now set Referer-Policy to no-referrer-when-downgrade on text/html responses by default. There's better explanations on the bits of security redbean is offering. In short, it's 128+ for modern clients and 112+ for legacy. If the -B flag is used then it's 192+ for modern and 150+ for non-EC. 2021-08-04 05:42:17 +00:00			`- Strengthened server against DOS by removing expensive protections`
			`for old Internet Explorer against Lucky Thirteen timing attacks.`

Add SSL to redbean Your redbean can now interoperate with clients that require TLS crypto. This is accomplished using a protocol polyglot that lets us distinguish between HTTP and HTTPS regardless of the port number. Certificates will be generated automatically, if none are supplied by the user. Footprint increases by only a few hundred kb so redbean in MODY=tiny is now 1.0mb - Add lseek() polyfills for ZIP executable - Automatically polyfill /tmp/FOO paths on NT - Fix readdir() / ftw() / nftw() bugs on Windows - Introduce -B flag for slower SSL that's stronger - Remove mbedtls features Cosmopolitan doesn't need - Have base64 decoder support the uri-safe alternative - Remove Truncated HMAC because it's forbidden by the IETF - Add all the mbedtls test suites and make them go 3x faster - Support opendir() / readdir() / closedir() on ZIP executable - Use Everest for ECDHE-ECDSA because it's so good it's so good - Add tinier implementation of sha1 since it's not worth the rom - Add chi-square monte-carlo mean correlation tests for getrandom() - Source entropy on Windows from the proper interface everyone uses We're continuing to outperform NGINX and other servers on raw message throughput. Using SSL means that instead of 1,000,000 qps you can get around 300,000 qps. However redbean isn't as fast as NGINX yet at SSL handshakes, since redbean can do 2,627 per second and NGINX does 4.3k Right now, the SSL UX story works best if you give your redbean a key signing key since that can be easily generated by openssl using a one liner then redbean will do all the things that are impossibly hard to do like signing ecdsa and rsa certificates that'll work in chrome. We should integrate the let's encrypt acme protocol in the future. Live Demo: https://redbean.justine.lol/ Root Cert: https://redbean.justine.lol/redbean1.crt 2021-06-24 19:31:26 +00:00			`- Reduce build+test latency from 15 seconds to 5 seconds.`

			`- Features have been added that enable this library to produce SSL`
			`certificates that can be used by Google Chrome. This required we`
			`add featurces for editing Subject Alternative Names and Extended`
			`Key Usage X.509 extension fields since upstream mbedtls can only`
			`do that currently for Netscape Navigator.`

			`- Local changes needed to be made to test_suite_ssl.datax due to it`
			`not taking into consideration disabled features like DTLS.`

			`- Local changes needed to be made to test_suite_x509parse.datax due`
			`to the features we added for subject alternative name parsing.`

			`- We've slimmed things down to meet our own specific local needs.`
			`For example, we don't need the PSA code since we don't target ARM`
			`hardware. We also don't need algorithms like camellia, blowfish,`
			`ripemd, arc4, ecjpake, etc. We want security code that's simple,`
			`readable, and easy to maintain. For example, the formally verified`
			`eliptic curve diffie-helman code was 38 files and most of it was`
			`dead code which could be consolidated into one < 1 kLOC file.`

			`- The only breaking API change that's been made is to redefine int`
			`arrays of things like long lists of ciphersuites to be uint8_t or`
			`uint16_t instead when appropriate.`

			`- Exported test code so it (a) doesn't have python as a build time`
			`dependency, (b) doesn't print to stdout on success, (c) bundles`
			`its dependencies inside a zip container so the tests are able to`
			`run hermetically if the binary is scp'd to some machine, and (d)`
			`doesn't have large amounts of duplicated generated code.`
Make chacha20 go faster 2021-07-05 21:03:50 +00:00
Make SSL handshakes much faster This change boosts SSL handshake performance from 2,627 to ~10,000 per second which is the same level of performance as NGINX at establishing secure connections. That's impressive if we consider that redbean is a forking frontend application server. This was accomplished by: 1. Enabling either SSL session caching or SSL tickets. We choose to use tickets since they reduce network round trips too and that's a more important metric than wrk'ing localhost. 2. Fixing mbedtls_mpi_sub_abs() which is the most frequently called function. It's called about 12,000 times during an SSL handshake since it's the basis of most arithmetic operations like addition and for some strange reason it was designed to make two needless copies in addition to calling malloc and free. That's now fixed. 3. Improving TLS output buffering during the SSL handshake only, so that only a single is write and read system call is needed until blocking on the ping pong. redbean will now do a better job wiping sensitive memory from a child process as soon as it's not needed. The nice thing about fork is it's much faster than reverse proxying so the goal is to use the different address spaces along with setuid() to minimize the risk that a server key will be compromised in the event that application code is hacked. 2021-07-12 06:17:47 +00:00			`- Fix mbedtls_mpi_sub_abs() to not call malloc/free/memcpy since`
			`it's called 11,124 times during as SSL handshake.`

Add SNI support to redbean and improve SSL perf This change makes SSL virtual hosting possible. You can now load multiple certificates for multiple domains and redbean will just figure out which one to use, even if you only have 1 ip address. You can also use a jumbo certificate that lists all your domains in the the subject alternative names. This change also makes performance improvements to MbedTLS. Here are some benchmarks vs. cc1920749eb81f346badaf55fbf79620cb718a55 BEFORE AFTER (microsecs) suite_ssl.com 2512881 191738 13.11x faster suite_pkparse.com 36291 3295 11.01x faster suite_x509parse.com 854669 120293 7.10x faster suite_pkwrite.com 6549 1265 5.18x faster suite_ecdsa.com 53347 18778 2.84x faster suite_pk.com 49051 18717 2.62x faster suite_ecdh.com 19535 9502 2.06x faster suite_shax.com 15848 7965 1.99x faster suite_rsa.com 353257 184828 1.91x faster suite_x509write.com 162646 85733 1.90x faster suite_ecp.com 20503 11050 1.86x faster suite_hmac_drbg.no_reseed.com 19528 11417 1.71x faster suite_hmac_drbg.nopr.com 12460 8010 1.56x faster suite_mpi.com 687124 442661 1.55x faster suite_hmac_drbg.pr.com 11890 7752 1.53x faster There aren't any special tricks to the performance imporvements. It's mostly due to code cleanup, assembly and intel instructions like mulx, adox, and adcx. 2021-07-19 21:55:20 +00:00			`- Make P-256 and P-384 modulus goes 5x faster.`

Make chacha20 go faster 2021-07-05 21:03:50 +00:00			`- Make chacha20 26% faster.`
Make GCM AES faster 13.22% mbedtls_aesni_gcm_mult 13.03% mbedtls_gcm_update 9.85% mbedtls_aesni_crypt_ecb Overhead improvement (perf record) 10.97% mbedtls_aesni_gcm_mult 10.59% mbedtls_aesni_crypt_ecb 2.26% mbedtls_gcm_update 2021-07-06 14:07:18 +00:00
			`- Make base64 100x faster.`

			`- Make gcm faster.`