Greetings,
I am new to the list, please do excuse me, in case of any list
specific etiquette issues.
Trying to use a 1.6.1 release with a Cortex M7 port, specifically a STM32H7.
After enabling MBEDTLS_ENTROPY_HARDWARE_ALT, did implement
mbedtls_hardware_poll()
It looks thus, and it does appear to work from a hardware perspective:
/**
* mbedtls_hardware_poll()
* Read random data from the Hardware RNG for entropy applications
*/
int mbedtls_hardware_poll(void *arg,
unsigned char *ent_buf,
size_t count,
size_t *ent_len)
{
register uint8_t i = 0;
uint32_t rand;
if (!LL_RNG_IsEnabled(RNG))
LL_RNG_Enable(RNG); /* Enable Random Number Generator */
for (i = 0; i < count; i++) {
while (!LL_RNG_IsActiveFlag_DRDY(RNG)) { } /* Wait for DRDY
flag to be raised */
if ((LL_RNG_IsActiveFlag_CECS(RNG)) ||
(LL_RNG_IsActiveFlag_SECS(RNG))) { /* Check error, if any */
/* Clock or Seed Error detected. Set Error */
printf(" (%d) %s: Clock/Seed Error!\r\n", __LINE__, __FUNCTION__);
}
rand = LL_RNG_ReadRandData32(RNG); /* Read RNG data */
memcpy(&(ent_buf[i * 4]), &rand, 4); /* *ent_len += 4 */
}
LL_RNG_Disable(RNG); /* Stop random numbers generation */
*ent_len = ((i + 1) * 4);
printf(" (%d) %s: Random Words: %d Word: %04d\r\n",
__LINE__,
__FUNCTION__,
count,
rand);
return 0;
}
The code which causes the problem is this, in my tls_init()
int tls_init(void)
{
int ret;
/* inspired by https://tls.mbed.org/kb/how-to/mbedtls-tutorial */
const char *pers = "SYS-LWH7";
printf(" (%d) %s: Initializing\r\n", __LINE__, __FUNCTION__);
/* initialize descriptors */
mbedtls_ssl_init(&ssl);
printf(" (%d) %s: SSL initialize\r\n", __LINE__, __FUNCTION__);
mbedtls_ssl_config_init(&conf);
printf(" (%d) %s: SSL Config initialized\r\n", __LINE__, __FUNCTION__);
mbedtls_x509_crt_init(&cacert);
printf(" (%d) %s: x509 CRT initialized\r\n", __LINE__, __FUNCTION__);
mbedtls_ctr_drbg_init(&ctr_drbg);
printf(" (%d) %s: DRBG initialized\r\n", __LINE__, __FUNCTION__);
mbedtls_entropy_init(&entropy);
printf(" (%d) %s: Entropy initialized\r\n", __LINE__, __FUNCTION__);
ret = mbedtls_ctr_drbg_seed(&ctr_drbg,
mbedtls_entropy_func,
&entropy,
(const unsigned char *) pers,
strlen(pers));
if (ret) {
LWIP_DEBUGF(MQTT_APP_DEBUG_TRACE,
("failed !\n mbedtls_ctr_drbg_seed returned %d\n",
ret));
printf(" (%d) %s: DRBG seed failed, ret=%d\r\n", __LINE__,
__FUNCTION__, ret);
return -1;
}
printf(" (%d) %s: DRBG seed returned:%d\r\n", __LINE__, __FUNCTION__, ret);
/**
* The transport type determines if we are using
* TLS (MBEDTLS_SSL_TRANSPORT_STREAM) or
* DTLS (MBEDTLS_SSL_TRANSPORT_DATAGRAM).
*/
ret = mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT);
if (ret) {
LWIP_DEBUGF(MQTT_APP_DEBUG_TRACE,
("failed !\n mbedtls_ssl_config_defaults returned %d\n\n",
ret));
printf("(%d) %s: SSL config defaults failed, ret=%d\r\n",
__LINE__, __FUNCTION__, ret);
return -1;
}
printf("(%d) %s: SSL config defaults returned:%d\r\n", __LINE__,
__FUNCTION__, ret);
ret = mbedtls_x509_crt_parse(&cacert,
(const unsigned char *)test_ca_crt,
test_ca_crt_len);
if (ret)
printf(" (%d) %s: failed!\n mbedtls_x509_crt_parse returned
%d\r\n", __LINE__, __FUNCTION__, ret);
else
printf(" (%d) %s: mbedtls_x509_crt_parse returned %d\r\n",
__LINE__, __FUNCTION__, ret);
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
/**
* The library needs to know which random engine
* to use and which debug function to use as callback.
*/
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
mbedtls_ssl_setup(&ssl, &conf);
}
The output of which looks thus, in a serial terminal:
(1217) print_dhcp_state: Try connect to Broker
(174) tls_init: Initializing
(178) tls_init: SSL initialize
(181) tls_init: SSL Config initialized
(184) tls_init: x509 CRT initialized
(187) tls_init: DRBG initialized
(190) tls_init: Entropy initialized
(1027) mbedtls_hardware_poll: Random Words: 128 Word: -558876895
Any thoughts/ideas, what could be wrong ?
Any kind soul in here ?
Thanks,
Manu
Hi Simon,
Indeed while the migration is underway things can be a bit confusing, so let me try to clarify:
* releases can be found at: https://github.com/ARMmbed/mbedtls/releases - near the top you'll alwys find the latest development release followed by the latest LTS releases. At this point it is unclear if releases are going to stay on github or if they would move to trustedfrimware.org in the future, but if anything changes, we'll announce it.
* announcements about new releases and other important project events are made on the new Mbed-tls-announce mailing-list: https://github.com/ARMmbed/mbedtls/releases - if you're already subscribed to mbed-tls (this list), you don't need to subscribe to the "announce" mailing list in addition, as any post to "announce" is automatically cross-posted here ("announce" is for people who want a lower volume list).
* I don't think we're currently making announcements about upcoming releases, but I know we considered that. Unfortunately I don't remember the details and the colleague who was working on improving our release process is on leave now. But it we start making such announcements, they'll be on the "announce" list.
* We're currently planning 2.16.8 early in September.
* If you have a large number of products deployed that depend on Mbed TLS (or indeed any other tf.org project) and would like to be notified in advance of upcoming security fixes, please see the following pages: https://developer.trustedfirmware.org/w/mbed-tls/security-center/https://developer.trustedfirmware.org/w/collaboration/security_center/repor…https://developer.trustedfirmware.org/w/collaboration/security_center/trust…
I hope this answers your questions, and feel free to ask otherwise.
Manuel.
________________________________
From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> on behalf of Simon Leet via mbed-tls <mbed-tls(a)lists.trustedfirmware.org>
Sent: 14 August 2020 15:13
To: mbed-tls(a)lists.trustedfirmware.org <mbed-tls(a)lists.trustedfirmware.org>
Subject: [mbed-tls] LTS roadmap and announcement channel?
Hi folks,
I understand that https://tls.mbed.org/ has migrated under the umbrella of https://www.trustedfirmware.org/ but it’s not clear where I should turn to for information about the updates to the LTS versions. The https://tls.mbed.org/tech-updates blog used to announce LTS branch updates but seems defunct as of 2.16.7, and I can’t find equivalent information in https://developer.trustedfirmware.org/w/mbed-tls/roadmap/, https://github.com/ARMmbed/mbedtls/projects/2 or the generic https://www.trustedfirmware.org/blog/.
Is there a new channel for information about upcoming LTS mbedtls releases so that users can plan their appropriate upgrade cycles? E.g. when is 2.16.8 roughly expected to be released? Is the new model for monitoring release announcements reliably going to be as a new tag on https://github.com/ARMmbed/mbedtls/tags?
-Simon
Hi everyone,
Hope you are still going well
I am now working on MbedTLS to establish a key exchange with a BGM which has a TRNG
, and I read that I have to implement myself a function called «mbedTLS_hardware_poll »
But I have no idea to know how I can implement this function zlthough I read articles on the mbedtls.com about entropy site…. Can you help me, to know how I can implement this function ?
Hi all,
We have implemented the PSA Functional API for a custom secure environment
which passes PSA Arch tests.
Now we would like to run mbedtls tests (make check) on the PSA API if
possible.
When we run "make check", it includes and compiles library/psa_crypto.c file
for mbedTLS's PSA API Implementation.
Herein, we would like to compile our own psa_crypto.c implementation, does
mbedtls build system allow us to include custom PSA API Implementation to
run tests?
Thank you.
Murat
Hello,
The interface of the Diffie-Hellman (DHM) module is modeled on the way
it's used in TLS, which is a bit different from the classical
presentation. You can find code examples in programs/pkey/dh_client.c
and programs/pkey/dh_server.c .
Elliptic-curve Diffie-Hellman (provided by the ECDH module) has similar
security properties and is significantly faster. If you don't need
interoperability with legacy software that only supports classical
(finite-field) Diffie-Hellman, you should use ECDH rather than DHM. With
the ECDH module, you can use either the same TLS-inspired interface as
the DHM module, or a more classical interface for which there is a usage
example in psa_crypto.c in the function psa_key_agreement_ecdh.
Hope this helps,
--
Gilles Peskine
Mbed TLS developer
You can find an example of the TLS-like inter
On 12/08/2020 14:02, youssouf sokhona via mbed-tls wrote:
>
> Hello, I hope you are going well during this Covid crisis.
>
>
>
> I'm sending you this message to find out how to generate a Diffie
> Hellman key using MbedTLS. Indeed, with all the documentation, I'm a
> bit lost.
>
>
>
> I think, you have to use the int mbedtls_dhm_set_group function to
> create p and g. And then, I don't know how to use which function...
> Moreover, I can't find any function that allows to set a and b,
> whereas they are 2 fundamental elements
>
> Can you help me? Thank you!
>
>
>
> Best regards, YS
>
>
>
Hello,
Short version: to use the official tools to configure Mbed TLS, or to
run the unit tests, you need Python. If we start requiring Python 3.5,
is this going to be a problem?
Detailed version:
Mbed TLS includes four Python scripts that are of interest to users,
with a fifth one in preparation:
* scripts/config.py : compile-time configuration (unless you prefer to
edit config.h directly).
* scripts/generate_psa_constants.py : to build
programs/psa/psa_constant_names (we have a pending task to commit the
result instead of requiring it during the build).
* tests/scripts/generate_test_code.py : necessary to build the unit tests.
* tests/scripts/mbedtls_test.py : does anyone use this? It's for testing
on platforms with Greentea, but some of the automation is missing.
* upcoming: a script to generate glue code for accelerator and secure
element drivers. We'll also provide a manual way, but it won't be as
convenient.
This is a question to everyone who's building Mbed TLS and using some of
these scripts: is it ok if they require Python 3.5?
Currently:
* scripts/config.py requires Python 3.5.
* scripts/generate_psa_constants.py requires Python 3.3.
* tests/scripts/generate_test_code.py still works with Python 2.7.
* tests/scripts/mbedtls_test.py still works with Python 2.7.
* the driver glue code generation script will require Python 3.5, or
Python 3.4 + typing.
Is there any demand for versions of Python before 3.5?
--
Gilles Peskine
Mbed TLS developer
Hello, I hope you are going well during this Covid crisis.
I'm sending you this message to find out how to generate a Diffie Hellman key using MbedTLS. Indeed, with all the documentation, I'm a bit lost.
I think, you have to use the int mbedtls_dhm_set_group function to create p and g. And then, I don't know how to use which function... Moreover, I can't find any function that allows to set a and b, whereas they are 2 fundamental elements
Can you help me? Thank you!
Best regards, YS
Hi Frank,
We have now updated the links both on the download-archive and releases site and now they point to https://github.com/ARMmbed/mbedtls/releases, where all the releases are available.
We also have added checksums to the release notes on github and fixed the archive structure.
Thank you very much for pointing these issues out!
Cheers,
Janos
(Mbed TLS developer)
On 04/08/2020, 19:06, "mbed-tls on behalf of Frank Bergmann via mbed-tls" <mbed-tls-bounces(a)lists.trustedfirmware.org on behalf of mbed-tls(a)lists.trustedfirmware.org> wrote:
Hi,
2.16.7 was released on github more than one month ago (2020-07-01).
But it is not listed on
- download archive at https://tls.mbed.org/download-archive
- release news at https://tls.mbed.org/tech-updates/releases
Questions about that:
- Is it an "official" release even if it is not mentioned on release news?
- When will it be available in download archive?
- If there will be no more addings to download archive because now we'll
have to use github:
* Will there be separate releases GPL/Apache available?
* Will a signed/unsigned check sum be provided?
* Will the "new structure" as provided by tarball on github be kept
in future or was it just an accident? (e.g. main dir is named
"mbedtls-mbedtls-2.16.7")
I started using mbed TLS with 2.16.6 but now I am confused. ;-)
cheers,
Frank
--
mbed-tls mailing list
mbed-tls(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
