I want to apply a new encryption algorithm to mbedtls.(on esp32)
Currently, I understand that using mbedtls in PlatformIO utilizes the AES algorithm, but can I refer to the static library file I created and use my algorithm instead of AES?
Right now, the method I’m attempting involves modifying the code in PlatformIO’s directory (.platformio/packages/~~~~), but it seems impossible.
mbedTLS can utilize the AES algorithm. E.g., when it mbedTLS is used to establish a HTTPS connection, during the TLS handshake, a ciphersuite is negotiated between the server and the client. The client lists all available ciphersuites it has in the Client Hello message. The server picks one (or denies or the connection) and the handshake goes according to that ciphersuite, e.g., TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. But the server could have also chosen TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, which does symmetric encryption with the ChaCha20 stream cipher. So, mbedTLS does not always use AES when establishing a e.g. TLS connection. Of course, when a user directly calls into the mbedTLS API of e.g. mbedtls_aes_crypt_cbc() etc., it will be used.
mbedTLS is highly reconfigurable. In fact, ESP-IDF already uses those reconfiguration abilities to e.g. redirect the AES functions into their functions which utilize the AES accelerator hardware of the ESP32 chip.
E.g., by turning on
that causes
and specifically
To redirect execution into their own functions, e.g.,
etc.
To come back to the original question: Replacing mbedTLS’S AES functions with something that is not AES seems like a really bad idea. If mbedTLS is used to connect to some server and it asks for “AES”, it compute your algorithm instead of AES, and fail the TLS handshake. That is, unless you apply the same hack to the server side as well.
But, there already is a way of adding new encryption algorithms to TLS, specifically mbedTLS too: A new ciphersuite! (ssl_ciphersuites.c, ssl_ciphersuites.h)
So first of all, I would not recommend to try and make changes directly to mbedTLS for ESP32. Specifically when chosing framework = arduino, the mbedTLS library is precompiled anyway and you’ll get no chance to modify it. That’s only possible with ESP-IDF builds that build mbedTLS from source.
Another drawback is that it’s slow to develop for. You can do the same “add a ciphersuite / encryption to mbedTLS” by compiling mbedTLS regularly for your Desktop PC, but the development environment is much better and faster. You can build the example mbedTLS client and server application there to test your changes locally.
I am currently developing for cryptographic module verification. This means you don’t need to worry about hacking risks. Thank you for your concern.
I moved the libmbedtls.a, libmbedcrypto.a, and libmbedx509.a files from the mbedtls library folder in ESP-IDF (esp-idf/examples/protocols/mqtt/ssl/build/esp-idf/mbedtls/mbedtls/library) to the local repository of PlatformIO (~/.platformio/packages/framework-arduinoespressif32/tools/sdk/esp32/lib), but several errors similar to the following occur:
.pio/build/esp32dev/libf65/libWiFiClientSecure.a(ssl_client.cpp.o):(.literal._Z16start_ssl_clientP17sslclient_contextRK9IPAddressjPKciS5_bS5_S5_S5_S5_bPS5_+0x74): undefined reference to mbedtls_ssl_conf_psk'
So your config doesn’t have PSK turned on?
best to use Espressif’s mbedTLS version and their config file as a base…