Hi All,
A gentle reminder that the Asia-Europe timezone-friendly MBed TLS Tech
forum is next Monday at 10:00am PM UK time. Invite details can be found on
the online calendar here <https://www.trustedfirmware.org/meetings/>.
If you have any topics, please let Dave Rodgman know. :)
Best regards,
Don Harbin
TrustedFirmware Community Manager
don.harbin(a)linaro.org
ReplyReply to allForward
Compose:
Community activity: OpenCV, Sensors, AI
[image: Minimise][image: Pop-out][image: Close]
Compose:
Reminder: MBed TLS Tech Forum - Asia/Europe
[image: Minimise][image: Pop-out][image: Close]
Recipients
Hi Team,
Referring to MBed release page -
https://github.com/Mbed-TLS/mbedtls/releases?page=1 I see that there has
been constant release periodically from Jul 27, 2018 mbedtls-2.1.14
till Nov 8, 2023 v3.5.1.
In the same context I understand that with each release there have been
fixes and new features / enhancement implementation. There was a project
that I was working in year 2020 were we tried to integrate MBed TLS in EAP
https://github.com/prplfoundation/hostap. It was a practice exercise that
our team did that time. I have not much idea as to which MBed TLS version
was opted and integrated then.
Now that so many new releases are made after 2020 - are older versions can
be taken as stable?
Is it that we should take the latest version and try again from scratch?
Thanks in advance.
Regards,
Prakash
Hi,
Iam trying to import an ECC privatekey(parsed through mbedtls_parse_key()) to PSA (psa_import_key()) (for ECDSA NIST-P256-SECP-R1), by following the suggestions here ==>
https://github.com/Mbed-TLS/mbedtls/blob/development/docs/psa-transition.md (under the heading - Importing a PK key by export-import for an ECC private key).
But, i get an undefined reference to `mbedtls_ecp_export' error. Is there a special flag that controls this?
I can see that the definition of this function does exist in ecp.c.
Kind Regards,
Mathi.
Hi All,
A gentle reminder that the US-Europe timezone-friendly MBed TLS Tech forum
is next Monday at 4:30 PM UK time. Invite details can be found on the
online calendar here <https://www.trustedfirmware.org/meetings/>.
If you have any topics, please let Dave Rodgman know. :)
Best regards,
Don Harbin
TrustedFirmware Community Manager
don.harbin(a)linaro.org
Hi,
We are writing a client code which can accept or decline connection to the
server - so for each connection I understand there is a mbedtls_ssl_context
data established. Once the same is closed or not required we need to do
deinitialize or free memory allocated to its member variables like - we
need to free all memory allocated since we need it back else our
application will run out of memory like:
os_free(mbed_ctx->handshake);
os_free(mbed_ctx->transform_negotiate);
os_free(mbed_ctx->session_negotiate);
os_free(mbed_ctx->in_buf);
os_free(mbed_ctx->out_buf);
But there are many member variables which also need to free memory if
allocated and assigned to it.
Is there a function / method that can free all memory
for mbedtls_ssl_context instance variable?
Thanks in advance.
Regards,
Prakash
Hi All,
A gentle reminder that the Asia-Europe timezone-friendly MBed TLS Tech
forum is next Monday at 10:00am PM UK time. Invite details can be found on
the online calendar here <https://www.trustedfirmware.org/meetings/>.
If you have any topics, please let Dave Rodgman know. :)
Best regards,
Don Harbin
TrustedFirmware Community Manager
don.harbin(a)linaro.org
Hi,
Please note that I needed to compile and work with MBed TLS version 2.19.1
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.19.1
However I am unable to compile the code / examples in it - i get below
error:
*$ cmake .CMake Deprecation Warning at CMakeLists.txt:1
(cmake_minimum_required): Compatibility with CMake < 2.8.12 will be
removed from a future version of CMake. Update the VERSION argument <min>
value or use a ...<max> suffix to tell CMake that the project does not
need compatibility with older versions.-- Selecting Windows SDK version
10.0.19041.0 to target Windows 10.0.22631.CMake Error at CMakeLists.txt:192
(add_subdirectory): add_subdirectory given source "crypto/3rdparty" which
is not an existing directory.CMake Error at CMakeLists.txt:199
(add_subdirectory): add_subdirectory given source "crypto/library" which
is not an existing directory.CMake Error at CMakeLists.txt:200
(add_subdirectory): add_subdirectory given source "crypto/include" which
is not an existing directory.CMake Warning (dev) at
programs/ssl/CMakeLists.txt:37 (target_sources): Policy CMP0076 is not
set: target_sources() command converts relative paths to absolute. Run
"cmake --help-policy CMP0076" for policy details. Use the cmake_policy
command to set the policy and suppress this warning. An interface source
of target "ssl_client2" has a relative path.This warning is for project
developers. Use -Wno-dev to suppress it.CMake Warning (dev) at
programs/ssl/CMakeLists.txt:44 (target_sources): Policy CMP0076 is not
set: target_sources() command converts relative paths to absolute. Run
"cmake --help-policy CMP0076" for policy details. Use the cmake_policy
command to set the policy and suppress this warning. An interface source
of target "ssl_server2" has a relative path.This warning is for project
developers. Use -Wno-dev to suppress it.CMake Warning (dev) at
programs/test/CMakeLists.txt:31 (target_sources): Policy CMP0076 is not
set: target_sources() command converts relative paths to absolute. Run
"cmake --help-policy CMP0076" for policy details. Use the cmake_policy
command to set the policy and suppress this warning. An interface source
of target "query_compile_time_config" has a relative path.This warning is
for project developers. Use -Wno-dev to suppress it.*
I tried removing the errors from the CmakeFile.txt but now get below error:
*$ cmake --build .Microsoft (R) Build Engine version 16.11.2+f32259642 for
.NET FrameworkCopyright (C) Microsoft Corporation. All rights
reserved.MSBUILD : error MSB1009: Project file does not exist.Switch:
ALL_BUILD.vcxproj*
Also
make all
Makefile:84: ../crypto/3rdparty/Makefile.inc: No such file or directory
make[1]: *** No rule to make target '../crypto/3rdparty/Makefile.inc'.
Stop.
Makefile:19: recipe for target 'lib' failed
make: *** [lib] Error 2
Please let me know how to resolve them and compile MBedTLS version 2.19.1
code?
Thanks in advance.
Regards,
Prakash
Hi,
I am working on an issue related to memory leak in MBedTLS. We have
integrated MBedTLS code for below 3rd party HostAPD code integration .
https://github.com/prplfoundation/hostap [Hostapd]
Please refer to the Hostapd peer code implementation as provided in
the link below:
https://github.com/prplfoundation/hostap/blob/master/eap_example/eap_exampl…https://github.com/prplfoundation/hostap/blob/master/eap_example/eap_exampl…
The main function code snippet is provided below:
https://github.com/prplfoundation/hostap/blob/master/eap_example/eap_exampl…
if (eap_example_peer_init() < 0 ||
eap_example_server_init() < 0)
return -1;
do {
printf("---[ server ]--------------------------------\n");
res_s = eap_example_server_step();
printf("---[ peer ]----------------------------------\n");
res_p = eap_example_peer_step();
} while (res_s || res_p);
Since we are implementing code for peers hence we have removed the
server step. Now we need to keep monitoring for new connections /
failed connections and act accordingly we have modified the code to
something like below -
if (eap_example_peer_init() < 0 ||
eap_example_server_init() < 0)
return -1;
do {
res_p = eap_example_peer_step();
if (eap_ctx.eapNoResp || eap_ctx.eapFail) {
eap_client_peer_deinit();
eap_client_peer_init();
}
} while (1);
We have modified the loop such that it will keep iterating for new
connections and in case of failure, re-initialization is required. Is
my understanding correct? The issue I am facing is that the client
peer deinit method is not releasing all memory allocated during
eap_example_peer_step() function ( I understand while processing the
EAP TLS server request). The deinit is purely implemented to
deallocate memory initially allocated for a new connection using TLS?
void eap_client_peer_deinit(void)
{
eap_peer_sm_deinit(eap_ctx.eap);
eap_peer_unregister_methods();
wpabuf_free(eap_ctx.eapReqData);
os_free(eap_ctx.eap_config.identity);
os_free(eap_ctx.eap_config.password);
os_free(eap_ctx.eap_config.cert.ca_cert);
os_free(eap_ctx.eap_config.cert.client_cert);
os_free(eap_ctx.eap_config.cert.private_key);
}
where
void eap_peer_sm_deinit(struct eap_sm *sm)
{
if (sm == NULL)
return;
eap_deinit_prev_method(sm, "deinit");
eap_sm_abort(sm);
if (sm->ssl_ctx2)
tls_deinit(sm->ssl_ctx2);
tls_deinit(sm->ssl_ctx);
eap_peer_erp_free_keys(sm);
os_free(sm);
}
Can you please let me know whether we are deallocating memory correctly?
Thanks in advance.
Regards,
Prakash
I am checking the certificate revocation with below scenario.
I have Root CA, Intermediate CA and device certificate is signed by Intermediate CA.
I am makeing chain certificate by combining Root CA, Intermediate CA and this chain certificate is my active CA certificate and loaded this and device certificate to the drive.
From client,
I am creating client certificate which is signed by same intermeidate CA.
Making ssl handshake. Handshake is success as expected.
Now i am revoking the intermediate CA and creating the crl which is signed by the Root CA. This crl has the serial number of intermediate CA.
Now loading the CRL to the drive and setting the crl in "mbedtls_ssl_conf_ca_chain".
Now i am establishing the ssl connection with the same client ceritificate and expecting the ssl handshake failure due to intermediate CA revoked. But i get handshake is success.
Is my understanding right about intermediate CA revocation?
I did little background debug, and my obervation is
During handshake , it goes to static int x509_crt_verify_chain function in mbedtls.
Its trying to find the parent using x509_crt_find_parent for the client certificate and get intermediate CA. During this time, parent_is_trusted is set as true.
after this x509_crt_verifycrl is called with client certificate (child), intermediate CA (parent) and crl(has the intermediate CA serial number-issued by Root CA).
During x509_crt_verifycrl check, it check for CRL issuer with ca subject and return 0, as its not matching. now in x509_crt_verify_chain , /* prepare for next iteration */ ., they are marking child_is_trusted = parent_is_trusted and child = parent, parent = NULL; and while loop continues, in loop, x509_crt_verify_chain checks for child_is_trusted is true and return as 0.
But its not checking that intermediate CA is revoked or not.
/* Stop here for trusted roots (but not for trusted EE certs) */
if( child_is_trusted )
return( 0 );
Hello,
I would like to parse certificate's SAN fields in my application. In the
documentation of the struct mbdetls_x509_crt for its member
subject_alt_names the following is stated: "Optional list of raw entries
of Subject Alternative Names extension. These can be later parsed by
mbedtls_x509_parse_subject_alt_name.".
I was using the latest development branch and tried to call the
function, however, I found out I can not, because it is defined in the
x509_internal.h private header. I later found out that the definition
was moved from the public to the private header in the commit 25b282e
<https://github.com/Mbed-TLS/mbedtls/commit/25b282ebfe5cb84e73d6194e83dc8d6c…>
(partly thanks to the issue #459
<https://github.com/Mbed-TLS/mbedtls/issues/459>).
So I switched to the 3.5.2 release and everything worked fine. Why was
this change made? Will it be kept so that I'd have to implement my own
parsing? Or was it a mistake?
Thank you for clarifying,
Roman.