Dear Mbed TLS maintainers,
I have surveyed Mbed TLS and know that it has features which can improve
AES block cipher performance by hardware instructions instead of SW
implementation
e.q., AESCE of ARMV8 and AESNI of INTEL.
AS far as I know about RISC-V Cryptography extension(Zkne and Zknd),
it also supports relevant AES instructions which can accelerate aes
key schedule, encryption and decryption process.
(https://tools.cloudbear.ru/docs/riscv-crypto-spec-scalar-1.0.0-rc6-20211012…)
I want to ask for your opinions and agreement.
Is there any willingness to accept this RISC-V accelerated feature
idea and contribution to Mbed TLS ?
If you agree with it, I would like to prepare a pull request for you to review.
Sincerely,
Rick
Dear Mbed TLS users,
We have released Mbed TLS version 3.6.2. This release provides a security fix for an out-of-bounds write vulnerability in the pkwrite module.
Full details are available in the release notes:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.2
We recommend all users to consider whether they are impacted, and to upgrade appropriately.
Many thanks,
David Horstmann
Mbed TLS developer
Hi,
I'm currently working on adding mbedTLS 3.x support for Privoxy [0].
Everything seems to be working but I ifdef'ed out the following
code in [1] that worked with mbedTLS 2.28.8:
/*
* Check if key and issuer certificate match
*/
if (!mbedtls_pk_can_do(&issuer_cert.pk, MBEDTLS_PK_RSA) ||
mbedtls_mpi_cmp_mpi(&mbedtls_pk_rsa(issuer_cert.pk)->N,
&mbedtls_pk_rsa(*issuer_key)->N) != 0 ||
mbedtls_mpi_cmp_mpi(&mbedtls_pk_rsa(issuer_cert.pk)->E,
&mbedtls_pk_rsa(*issuer_key)->E) != 0)
{
log_error(LOG_LEVEL_ERROR,
"Issuer key doesn't match issuer certificate");
ret = -1;
goto exit;
}
As N and E are private now it no longer compiles.
Is there a way to implement the check with mbedTLS 3.x?
My impression is that the sanity check is overly cautious
and we don't have equivalent code for OpenSSL and wolfSSL
but I'm curious.
Thanks,
Fabian
[0] <https://www.privoxy.org/>
[1] <https://www.privoxy.org/gitweb/?p=privoxy.git;a=blob;f=ssl.c;h=e8007cd9adad…>
Hello,
I'm running into an issue with using Mbed-TLS on an embedded device of ours and I'm curious if anyone would be able to point me in the right direction. If this is the wrong channel for general use questions, let me know and I'll search elsewhere. As a forewarning, I'm still getting my bearings around the nuts and bolts of Mbed-TLS and network security; apologies if I misstate something or jumble things up.
Our device uses Mbed-TLS 3.0.0; ideally I'd like to upgrade this to a newer version, but this version was included in a SDK package for our device and I'd like to get some basic functionality proven out first before trying to reintegrate a newer version into the rest of provided code. The current goal is to get our device to serve a web page over HTTPS with TLS.
What we currently see is that the initial hello client and server messages are exchanged without issue, but the connection is rejected after the server requests a certificate from the client. In some browsers, this opens a prompt where you can select a given certificate on the machine; in others, it skips this prompt and sends a response back with an empty certificate. In both instances, the server will return an error and deny the connection.
This seems like some sort of user configuration error, given your average web page served over HTTPS on the internet avoids making this request. The literature I've been able to find so far also seems to suggest this request is entirely optional. Is there some option I'm overlooking that makes the server skip asking the client for its certificate and lets connection continue on?
Michael Reutman
Senior Embedded Software Engineer
NovaTech Automation
261 Brodhead Rd.
Bethlehem, PA 18017
novatechautomation.com<http://www.novatechautomation.com/> | NovaTechLinkedIn<https://www.linkedin.com/company/565017>
NovaTech Automation is Net Zero committed. #KeepItCool<https://www.keepitcool.earth/>
Receipt of this email implies compliance with our terms and conditions<https://www.novatechautomation.com/email-terms-conditions>.
