- mbed-tls - lists.trustedfirmware.org

FW: How to map PSA method to openssl method

by Gyorgy Szing

Hi, Can you please help Jun to find an answer to is question? (See below.) /George ---------- Forwarded message --------- 发件人： Jun Nie <jun.nie(a)linaro.org> Date: 2021年6月7日周一下午2:31 Subject: How to map PSA method to openssl method To: <mbed-tls(a)lists.trustedfirmware.org> Hi, I want to sign a data on PC with openssl, and verifiy it with PSA-RoT on board. Does anybody know how to map PSA method to openssl method? Such as: psa_sign_hash(key_handle, PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256), hash, hash_len, sig, sizeof(sig), sig_len); Regards, Jun

4 years, 2 months

1
0
0 0

Re: [mbed-tls] mbedtls_ssl_set_bio hangs

by Gilles Peskine

Hi Ron, The code you've shown so far only consists of setup functions that populate fields in the configuration structure, then in the context structure. Communication has not started yet. mbedtls_ssl_set_bio in particular is a very simple setter function. Where does the code actually hang? Have some messages already been exchanged on the network at that point? Can you get a stack trace? Best regards, -- Gilles Peskine Mbed TLS developer On 08/06/2021 02:30, Ron Eggler via mbed-tls wrote: > > On 2021-06-07 5:00 p.m., Ron Eggler via mbed-tls wrote: >> Hi, >> >> >> i'm in the process of wrioting an FTPS client for a system running on >> uCOS. >> >> I've been able to setup the control channel fine and working on >> setting up the data channel for a simple list command execution. >> >> It seems like I seem able to setup everything fine but the call to >> mbedtls_ssl_set_bio() hangs even though I set it to execute the >> timeout function like: >> >> mbedtls_ssl_set_bio( &ssl_d, >> &data_fd, >> mbedtls_tls_send, >> NULL, >> mbedtls_tls_recv_timeout); >> >> Where the mbed_tls_recv_timeout looks like: >> >> https://pastebin.com/Jw3iLc0x >> >> The current connection uses ipv4, i.e. the select () branch is >> active. I never see the timed out message. Any idea what may be going >> on here? >> >> Thank you, >> >> Ron >> > A bit more detail: as for what comes before the mbedtls_ssl_set_bio() > call: > > ret = mbedtls_ssl_config_defaults(&conf_d, > MBEDTLS_SSL_IS_CLIENT, > MBEDTLS_SSL_TRANSPORT_STREAM, > MBEDTLS_SSL_PRESET_DEFAULT); > > mbedtls_ssl_conf_authmode( &conf_d, MBEDTLS_SSL_VERIFY_OPTIONAL); > mbedtls_ssl_conf_ca_chain( &conf_d, &cacert_d, NULL ); > mbedtls_ssl_conf_rng(&conf_d, mbedtls_ctr_drbg_random, &ctr_drbg_d ); > mbedtls_ssl_conf_dbg(&conf_d, mydebug, stdout); > ret = mbedtls_ssl_conf_own_cert( &conf_d, &clicert_d, &pkey_d); > > ret = mbedtls_ssl_setup( &ssl_d, &conf_d ); > > mbedtls_ssl_set_bio( &ssl_d, > &data_fd, > mbedtls_tls_send, > NULL, > mbedtls_tls_recv_timeout); >

4 years, 2 months

1
0
0 0

Re: [mbed-tls] mbedtls_ssl_set_bio hangs

by Ron Eggler

On 2021-06-07 5:00 p.m., Ron Eggler via mbed-tls wrote: > Hi, > > > i'm in the process of wrioting an FTPS client for a system running on > uCOS. > > I've been able to setup the control channel fine and working on > setting up the data channel for a simple list command execution. > > It seems like I seem able to setup everything fine but the call to > mbedtls_ssl_set_bio() hangs even though I set it to execute the > timeout function like: > > mbedtls_ssl_set_bio( &ssl_d, > &data_fd, > mbedtls_tls_send, > NULL, > mbedtls_tls_recv_timeout); > > Where the mbed_tls_recv_timeout looks like: > > https://pastebin.com/Jw3iLc0x > > The current connection uses ipv4, i.e. the select () branch is active. > I never see the timed out message. Any idea what may be going on here? > > Thank you, > > Ron > A bit more detail: as for what comes before the mbedtls_ssl_set_bio() call: ret = mbedtls_ssl_config_defaults(&conf_d, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); mbedtls_ssl_conf_authmode( &conf_d, MBEDTLS_SSL_VERIFY_OPTIONAL); mbedtls_ssl_conf_ca_chain( &conf_d, &cacert_d, NULL ); mbedtls_ssl_conf_rng(&conf_d, mbedtls_ctr_drbg_random, &ctr_drbg_d ); mbedtls_ssl_conf_dbg(&conf_d, mydebug, stdout); ret = mbedtls_ssl_conf_own_cert( &conf_d, &clicert_d, &pkey_d); ret = mbedtls_ssl_setup( &ssl_d, &conf_d ); mbedtls_ssl_set_bio( &ssl_d, &data_fd, mbedtls_tls_send, NULL, mbedtls_tls_recv_timeout);

4 years, 2 months

1
0
0 0

mbedtls_ssl_set_bio hangs

by Ron Eggler

Hi, i'm in the process of wrioting an FTPS client for a system running on uCOS. I've been able to setup the control channel fine and working on setting up the data channel for a simple list command execution. It seems like I seem able to setup everything fine but the call to mbedtls_ssl_set_bio() hangs even though I set it to execute the timeout function like: mbedtls_ssl_set_bio( &ssl_d, &data_fd, mbedtls_tls_send, NULL, mbedtls_tls_recv_timeout); Where the mbed_tls_recv_timeout looks like: https://pastebin.com/Jw3iLc0x The current connection uses ipv4, i.e. the select () branch is active. I never see the timed out message. Any idea what may be going on here? Thank you, Ron

4 years, 2 months

1
0
0 0

Re: [mbed-tls] Signing without explicit private key

by Gilles Peskine

Hi Stefano, The pk module has limited support for opaque RSA keys, by using the RSA_ALT functionality (https://tls.mbed.org/kb/cryptography/use-external-rsa-private-key <https://tls.mbed.org/kb/cryptography/use-external-rsa-private-key>). There's no support for opaque EC keys. For a TLS server, you can use the asynchronous callback feature to use an opaque key. See https://tls.mbed.org/kb/how-to/ssl_async <https://tls.mbed.org/kb/how-to/ssl_async> The PSA crypto API supports opaque keys. On the application side, you need to use functions like psa_asymmetric_sign instead of mbedtls_pk_sign. On the hardware side, you need to implement a secure element driver for your crypto chip. Driver support is work in progress, and documentation and tooling are still sparse. The driver specifications are in https://github.com/ARMmbed/mbedtls/tree/development/docs/proposed <https://github.com/ARMmbed/mbedtls/tree/development/docs/proposed> . To add driver support, you currently need to edit library/psa_crypto_driver_wrappers.c and replace calls to the test driver by calls to your real driver. Best regards, -- Gilles Peskine Mbed TLS developer and PSA Crypto architect On 03/06/2021 17:20, stefano664 via mbed-tls wrote: > Hi all, > I'm using mbedTLS libraries with an OPTIGA cryptochip. At the > moment, when I call the sign function: > > err = mbedtls_pk_sign(&priv_key, MBEDTLS_MD_SHA384, hash, 0, sign, > &olen, mbedtls_ctr_drbg_random, &ctr_drbg); > > I need to pass it a valid private key else if it isn't used, because > alternative sign routine use the one into cryptochip. > > It is possible to avoid passing this key? > > Best regards, > Stefano Mologni >

4 years, 2 months

1
0
0 0

Re: [mbed-tls] Request for Support [Issue : Webserver handshake failing with self-signed certificate]

by Gilles Peskine

Hi Selin, Another thing to check is that the stack is large enough. Stack overflows can sometimes cause weird behavior. Other than that, I'm afraid I can't think of a reason why there would be an infinite loop involving mbedtls_mpi_cmp_mpi. To go further, I think you need to trace the program in a debugger, figure out what arguments are being passed to the functions, and where the infinite loop is. Best regards, -- Gilles Peskine Mbed TLS developer On 26/05/2021 10:24, Selin Chris via mbed-tls wrote: > Hi Gilles, > > Thanks for the quick reply. > > I migrated to version 2.16, and I have seen the same issue is still > there. Moreover, we have reseeded the RNG, still issue is there. > > > > I created a client and it's working fine, it's able to handshake and > send data to the server. Only problem is server communication where > control is going in infinite loop while creating server key exchange. > As you asked for the call stack of the loop, I am attaching the call > stack with this mail. > > Please support us. > > > > Thank you. > > > Regards, > > Selin. > > > > On Fri, May 21, 2021 at 5:30 PM > <mbed-tls-request(a)lists.trustedfirmware.org > <mailto:mbed-tls-request@lists.trustedfirmware.org>> wrote: > > Send mbed-tls mailing list submissions to > mbed-tls(a)lists.trustedfirmware.org > <mailto:mbed-tls@lists.trustedfirmware.org> > > To subscribe or unsubscribe via the World Wide Web, visit > > https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls > <https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls> > or, via email, send a message with subject or body 'help' to > mbed-tls-request(a)lists.trustedfirmware.org > <mailto:mbed-tls-request@lists.trustedfirmware.org> > > You can reach the person managing the list at > mbed-tls-owner(a)lists.trustedfirmware.org > <mailto:mbed-tls-owner@lists.trustedfirmware.org> > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of mbed-tls digest..." > > > Today's Topics: > > 1. Re: Request for Support [Issue : Webserver handshake failing > with self-signed certificate] (Gilles Peskine) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 20 May 2021 15:13:54 +0200 > From: Gilles Peskine <gilles.peskine(a)arm.com > <mailto:gilles.peskine@arm.com>> > To: mbed-tls(a)lists.trustedfirmware.org > <mailto:mbed-tls@lists.trustedfirmware.org> > Subject: Re: [mbed-tls] Request for Support [Issue : Webserver > handshake failing with self-signed certificate] > Message-ID: <93c3cd71-bdc1-c3ec-4bbc-89ff995a8444(a)arm.com > <mailto:93c3cd71-bdc1-c3ec-4bbc-89ff995a8444@arm.com>> > Content-Type: text/plain; charset=utf-8 > > Hi Selin, > > A possible problem could be a misconfigured random generator. However > this is purely speculation. Can you get a stack trace? Finding the > root > cause requires finding where mbedtls_mpi_cmp_mpi is called. > > Please note that Mbed TLS 2.16.3 has known bugs and > vulnerabilities. You > should upgrade to the latest bug-fixing version of the 2.16 > branch, 2.16.10. > > -- > Gilles Peskine > Mbed TLS developer > > On 20/05/2021 13:06, Selin Chris via mbed-tls wrote: > > > > Hi, > > > > Thank you for adding me to the mbed-tls mailing list. > > > > We have created a self-signed certificate with ECC key of > > MBEDTLS_ECP_DP_SECP256R1 type, since it is a self-signed certificate > > after we send the certificate to chrome from our web server it shows > > not trusted and goes to the page where we need to manually proceed > > with the acceptance of the certificate to allow further > communication. > > After this we again have to perform handshake for which we need to > > prepare the server key exchange, while preparing the server key > > exchange we notice that it is infinitely calling the > > mbedtls_mpi_cmp_mpi() function in bignum.c and the execution is not > > able to proceed hereafter. Sometimes we also see that when executing > > ssl_prepare_server_key_exchange() function in ssl_srv.c we find > > ciphersuite_info pointer as null and the program goes into data > panic > > due to that. We have checked our stacks and not seen any sign of > > corruption. > > > > The mbedtls version that we are using is mbedtls-2.16.3. > > Please find the attached wireshark trace during this scenario. > The IP > > 192.168.2.67 corresponds to our webserver and 192.168.2.100 the pc > > with the browser. > > > > Please let us know the root-cause of the issue and the actions to be > > taken to fix this - can you please expedite as this is a blocking > > issue in our project. > > > > Thanks for the support. > > > > Regards, > > Selin. > > > > > > > > > > ------------------------------ > > Subject: Digest Footer > > mbed-tls mailing list > mbed-tls(a)lists.trustedfirmware.org > <mailto:mbed-tls@lists.trustedfirmware.org> > https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls > <https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls> > > > ------------------------------ > > End of mbed-tls Digest, Vol 15, Issue 8 > *************************************** > >

4 years, 2 months

1
0
0 0

How to map PSA method to openssl method

by Jun Nie

Hi, I want to sign a data on PC with openssl, and verifiy it with PSA-RoT on board. Does anybody know how to map PSA method to openssl method? Such as: psa_sign_hash(key_handle, PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256), hash, hash_len, sig, sizeof(sig), sig_len); Regards, Jun

4 years, 2 months

1
0
0 0

Re: [mbed-tls] NV_SEED read working and write not working

by Janos Follath

Hi Gopi, FN_NV_SEED_WR supposed to be called the first time the entropy context is used to retrieve some entropy. This is tracked by the `initial_entropy_run` member in the `mbedtls_entropy_context` structure (on the initial run it is zero, non-zero otherwise). FN_NV_SEED_WR not being called might mean that your “Entropy” variable hasn’t been properly initialised or that it has been used before the callbacks are set. Please note that Mbed TLS 2.16.2 has known bugs and vulnerabilities. You should upgrade to the latest bug-fixing version of the 2.16 branch, 2.16.10. Best regards, Janos (Mbed TLS developer) From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> on behalf of Subramanian Gopi Krishnan via mbed-tls <mbed-tls(a)lists.trustedfirmware.org> Date: Friday, 4 June 2021 at 05:50 To: mbed-tls(a)lists.trustedfirmware.org <mbed-tls(a)lists.trustedfirmware.org> Cc: T V LIJIN (EXT) <lijin.tv(a)kone.com> Subject: Re: [mbed-tls] NV_SEED read working and write not working Hi, I am working on a embedded platform, that does not has any entropy source except system ticks. To improve the randomness, I am trying to utilize NV_SEED operations. The version of mbedtls version 2.16.2 is being used. Configuration file I have enabled: #define MBEDTLS_ENTROPY_NV_SEED #define MBEDTLS_PLATFORM_NV_SEED_ALT After initializing and before seeding random number generator, I assign functions of nv seed read and write to platform seeding function as below. if( r = mbedtls_platform_set_nv_seed(FN_NV_SEED_RD, FN_NV_SEED_WR) ) { return( r ); } if( r = mbedtls_ctr_drbg_seed( &CtrDrbg, mbedtls_entropy_func, &Entropy, (const unsigned char *) u8SeedingString, (size_t)Length ) ) { return ( r ); } Later functions to generate random and free context. While running, I could see only the FN_NV_SEED_RD function is getting called. And, FN_NV_SEED_WR function is not getting called. I tried to add some print statements in mbedtls library function, mbedtls_entropy_update_nv_seed(). But it looks like, this function was never called by the library. 1. Anything else to be done? 2. someone could help me ensure NV_SEED is properly incorporated 3. How to trace the issue. Thanks, Gopi Krishnan

4 years, 2 months

2
1
0 0

NV_SEED read working and write not working

by Subramanian Gopi Krishnan

Hi, I am working on a embedded platform, that does not has any entropy source except system ticks. To improve the randomness, I am trying to utilize NV_SEED operations. Configuration file I have enabled: #define MBEDTLS_ENTROPY_NV_SEED #define MBEDTLS_PLATFORM_NV_SEED_ALT After initializing and before seeding random number generator, I assign functions of nv seed read and write to platform seeding function as below. if( r = mbedtls_platform_set_nv_seed(FN_NV_SEED_RD, FN_NV_SEED_WR) ) { return( r ); } if( r = mbedtls_ctr_drbg_seed( &CtrDrbg, mbedtls_entropy_func, &Entropy, (const unsigned char *) u8SeedingString, (size_t)Length ) ) { return ( r ); } Later functions to generate random and free context. While running, I could see only the FN_NV_SEED_RD function is getting called. And, FN_NV_SEED_WR function is not getting called. Could anyone suggest how to trace the issue. I do not have debugger on for my platform. I could debug only with print statements. Thanks, Gopi Krishnan

4 years, 2 months

1
1
0 0

Signing without explicit private key

by stefano664

Hi all, I'm using mbedTLS libraries with an OPTIGA cryptochip. At the moment, when I call the sign function: err = mbedtls_pk_sign(&priv_key, MBEDTLS_MD_SHA384, hash, 0, sign, &olen, mbedtls_ctr_drbg_random, &ctr_drbg); I need to pass it a valid private key else if it isn't used, because alternative sign routine use the one into cryptochip. It is possible to avoid passing this key? Best regards, Stefano Mologni

4 years, 2 months

1
0
0 0

Please help regarding [ERR ][TLSx]: mbedtls_ssl_handshake() failed: -0x7780 (-30592): SSL

by victor Wolff

Hello I am relatively new to mbedTLS, but I'm trying to develop an MQTT client running on an STM32 board connected to an ESP8266 MCU/WiFi module. The client should publish messages to a local broker/server where I am using Mosquitto for that purpose. I want to test different Cipher suites but when I limiting the Server to only accept one particle Cipher suite I receive an error from the server point of view "1622667145: OpenSSL Error[0]: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher" Which I find is strange because when I read through the debug list presented below it says "[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c02c". I "think" I have enabled the "MBEDTLS_SHA256_C" in the config file (mbed_lib.json) for the TLSsocket, and the cipher suites I have tested so far to limit it for is: DHE-RSA-AES128-SHA |AES128-SHA | DHE-RSA-AES128-SHA256. Could you please look at the debug list presented below to see if anything looks suspicious, or if you have any ideas? because I am truly lost and I am shooting in the dark trying to find the answer online... Thank you sincerely in advance Best regards Victor --------Debug list -------- AT< WIFI CONNECTED AT< WIFI GOT IP AT< AT= OK AT> AT+CIFSR AT< AT< AT+CIFSR AT< +CIFSR:APIP,"192.168.4.1" AT< +CIFSR:APMAC,"da:bf:c0:0d:c5:d8" AT= +CIFSR:STAIP,"192.168.10.103" AT< AT< +CIFSR:STAMAC,"d8:bf:c0:0d:c5:d8" AT< AT= OK Network interface opened successfully. Connecting to host 192.168.10.165:8883 ... Hello [INFO][TLSx]: Connecting to 192.168.10.165:8883 AT> AT+CIPSTART=0,"TCP","192.168.10.165",8883 AT< AT< AT+CIPSTART=0,"TCP","192.168.10.165",8883 AT< 0,CONNECT AT< AT= OK [INFO][TLSx]: Connected. [INFO][TLSx]: Starting the TLS handshake... [DBG ][TLSx]: ssl_tls.c:6335: |2| => handshake [DBG ][TLSx]: ssl_cli.c:3279: |2| client state: 0 [DBG ][TLSx]: ssl_tls.c:2416: |2| => flush output [DBG ][TLSx]: ssl_tls.c:2428: |2| <= flush output [DBG ][TLSx]: ssl_cli.c:3279: |2| client state: 1 [DBG ][TLSx]: ssl_tls.c:2416: |2| => flush output [DBG ][TLSx]: ssl_tls.c:2428: |2| <= flush output [DBG ][TLSx]: ssl_cli.c:0717: |2| => write client hello [DBG ][TLSx]: ssl_cli.c:0754: |3| client hello, max version: [3:3] [DBG ][TLSx]: ssl_cli.c:0693: |3| client hello, current time: 14712 [DBG ][TLSx]: ssl_cli.c:0764: |3| dumping 'client hello, random bytes' (32 bytes) [DBG ][TLSx]: ssl_cli.c:0764: |3| 0000: 00 00 39 78 00 7d 4e 7a c5 43 7f d9 5b 0c cd 3f ..9x.}Nz.C..[..? [DBG ][TLSx]: ssl_cli.c:0764: |3| 0010: 01 a0 2f 60 8e a5 c1 54 1c 0e 58 6a a3 da c0 7a ../`...T..Xj...z [DBG ][TLSx]: ssl_cli.c:0817: |3| client hello, session id len.: 0 [DBG ][TLSx]: ssl_cli.c:0818: |3| dumping 'client hello, session id' (0 bytes) [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c02c [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c030 [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c0ad [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c024 [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c028 [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c0af [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c02b [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c02f [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c0ac [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c023 [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c027 [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c0ae [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c038 [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c037 [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: 00a9 [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c0a5 [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: 00af [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c0a9 [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: 00a8 [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c0a4 [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: 00ae [DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c0a8 [DBG ][TLSx]: ssl_cli.c:0918: |3| client hello, got 23 ciphersuites [DBG ][TLSx]: ssl_cli.c:0949: |3| client hello, compress len.: 1 [DBG ][TLSx]: ssl_cli.c:0950: |3| client hello, compress alg.: 0 [DBG ][TLSx]: ssl_cli.c:0071: |3| client hello, adding server name extension: 192.168.10 .165 [DBG ][TLSx]: ssl_cli.c:0178: |3| client hello, adding signature_algorithms extension [DBG ][TLSx]: ssl_cli.c:0263: |3| client hello, adding supported_elliptic_curves extensi on [DBG ][TLSx]: ssl_cli.c:0326: |3| client hello, adding supported_point_formats extension [DBG ][TLSx]: ssl_cli.c:0507: |3| client hello, adding encrypt_then_mac extension [DBG ][TLSx]: ssl_cli.c:0541: |3| client hello, adding extended_master_secret extension [DBG ][TLSx]: ssl_cli.c:0575: |3| client hello, adding session ticket extension [DBG ][TLSx]: ssl_cli.c:1022: |3| client hello, total extension length: 73 [DBG ][TLSx]: ssl_tls.c:2701: |2| => write record [DBG ][TLSx]: ssl_tls.c:2835: |3| output record: msgtype = 22, version = [3:1], msglen = 164 [DBG ][TLSx]: ssl_tls.c:2840: |4| dumping 'output record sent to network' (169 bytes) [DBG ][TLSx]: ssl_tls.c:2840: |4| 0000: 16 03 01 00 a4 01 00 00 a0 03 03 00 00 39 78 00 .............9x. [DBG ][TLSx]: ssl_tls.c:2840: |4| 0010: 7d 4e 7a c5 43 7f d9 5b 0c cd 3f 01 a0 2f 60 8e }Nz.C..[..?../`. [DBG ][TLSx]: ssl_tls.c:2840: |4| 0020: a5 c1 54 1c 0e 58 6a a3 da c0 7a 00 00 2e c0 2c ..T..Xj...z...., [DBG ][TLSx]: ssl_tls.c:2840: |4| 0030: c0 30 c0 ad c0 24 c0 28 c0 af c0 2b c0 2f c0 ac .0...$.(...+./.. [DBG ][TLSx]: ssl_tls.c:2840: |4| 0040: c0 23 c0 27 c0 ae c0 38 c0 37 00 a9 c0 a5 00 af .#.'...8.7...... [DBG ][TLSx]: ssl_tls.c:2840: |4| 0050: c0 a9 00 a8 c0 a4 00 ae c0 a8 00 ff 01 00 00 49 ...............I [DBG ][TLSx]: ssl_tls.c:2840: |4| 0060: 00 00 00 13 00 11 00 00 0e 31 39 32 2e 31 36 38 .........192.168 [DBG ][TLSx]: ssl_tls.c:2840: |4| 0070: 2e 31 30 2e 31 36 35 00 0d 00 12 00 10 06 03 06 .10.165......... [DBG ][TLSx]: ssl_tls.c:2840: |4| 0080: 01 05 03 05 01 04 03 04 01 03 03 03 01 00 0a 00 ................ [DBG ][TLSx]: ssl_tls.c:2840: |4| 0090: 06 00 04 00 18 00 17 00 0b 00 02 01 00 00 16 00 ................ [DBG ][TLSx]: ssl_tls.c:2840: |4| 00a0: 00 00 17 00 00 00 23 00 00 ......#.. [DBG ][TLSx]: ssl_tls.c:2416: |2| => flush output [DBG ][TLSx]: ssl_tls.c:2434: |2| message length: 169, out_left: 169 AT> AT+CIPSEND=0,169 AT< AT< AT+CIPSEND=0,169 AT< AT< OK AT= > [DBG ][TLSx]: ssl_tls.c:2441: |2| ssl->f_send() returned 169 (-0xffffff57) [DBG ][TLSx]: ssl_tls.c:2460: |2| <= flush output [DBG ][TLSx]: ssl_tls.c:2850: |2| <= write record [DBG ][TLSx]: ssl_cli.c:1049: |2| <= write client hello [DBG ][TLSx]: ssl_cli.c:3279: |2| client state: 2 [DBG ][TLSx]: ssl_tls.c:2416: |2| => flush output [DBG ][TLSx]: ssl_tls.c:2428: |2| <= flush output [DBG ][TLSx]: ssl_cli.c:1410: |2| => parse server hello [DBG ][TLSx]: ssl_tls.c:3728: |2| => read record [DBG ][TLSx]: ssl_tls.c:2208: |2| => fetch input [DBG ][TLSx]: ssl_tls.c:2365: |2| in_left: 0, nb_want: 5 AT< AT< Recv 169 bytes AT< AT< SEND OK AT< AT! +IPD AT= ,0,7: AT< 0,CLOSED [DBG ][TLSx]: ssl_tls.c:2389: |2| in_left: 0, nb_want: 5 [DBG ][TLSx]: ssl_tls.c:6345: |2| <= handshake [DBG ][TLSx]: ssl_tls.c:6335: |2| => handshake [DBG ][TLSx]: ssl_cli.c:3279: |2| client state: 2 [DBG ][TLSx]: ssl_tls.c:2416: |2| => flush output [DBG ][TLSx]: ssl_tls.c:2428: |2| <= flush output [DBG ][TLSx]: ssl_cli.c:1410: |2| => parse server hello [DBG ][TLSx]: ssl_tls.c:3728: |2| => read record [DBG ][TLSx]: ssl_tls.c:2208: |2| => fetch input [DBG ][TLSx]: ssl_tls.c:2365: |2| in_left: 0, nb_want: 5 [DBG ][TLSx]: ssl_tls.c:2389: |2| in_left: 0, nb_want: 5 [DBG ][TLSx]: ssl_tls.c:2391: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb) [DBG ][TLSx]: ssl_tls.c:2403: |2| <= fetch input [DBG ][TLSx]: ssl_tls.c:3479: |4| dumping 'input record header' (5 bytes) [DBG ][TLSx]: ssl_tls.c:3479: |4| 0000: 15 03 03 00 02 ..... [DBG ][TLSx]: ssl_tls.c:3485: |3| input record: msgtype = 21, version = [3:3], msglen = 2 [DBG ][TLSx]: ssl_tls.c:2208: |2| => fetch input [DBG ][TLSx]: ssl_tls.c:2365: |2| in_left: 5, nb_want: 7 [DBG ][TLSx]: ssl_tls.c:2389: |2| in_left: 5, nb_want: 7 [DBG ][TLSx]: ssl_tls.c:2391: |2| ssl->f_recv(_timeout)() returned 2 (-0xfffffffe) [DBG ][TLSx]: ssl_tls.c:2403: |2| <= fetch input [DBG ][TLSx]: ssl_tls.c:3656: |4| dumping 'input record from network' (7 bytes) [DBG ][TLSx]: ssl_tls.c:3656: |4| 0000: 15 03 03 00 02 02 28 ......( [DBG ][TLSx]: ssl_tls.c:3960: |2| got an alert message, type: [2:40] [DBG ][TLSx]: ssl_tls.c:3968: |1| is a fatal alert message (msg 40) [DBG ][TLSx]: ssl_tls.c:3744: |1| mbedtls_ssl_handle_message_type() returned -30592 (-0x 7780) [DBG ][TLSx]: ssl_cli.c:1416: |1| mbedtls_ssl_read_record() returned -30592 (-0x7780) [DBG ][TLSx]: ssl_tls.c:6345: |2| <= handshake [ERR ][TLSx]: mbedtls_ssl_handshake() failed: -0x7780 (-30592): SSL AT> AT+CIPCLOSE=0 AT< AT+CIPCLOSE=0 AT< UNLINK AT< AT< ERROR AT> AT+CIPCLOSE=0 AT< AT+CIPCLOSE=0 AT< UNLINK AT< AT< ERROR ERROR: rc from TCP connect is -30592 [DBG ][TLSx]: ssl_tls.c:7055: |2| => free [DBG ][TLSx]: ssl_tls.c:7120: |2| <= free AT> AT+CWQAP AT< AT+CWQAP AT< AT= OK

4 years, 2 months

1
0
0 0

Parsing PKCS12 file

by Sunil Jain

Hello, We have requirements of parsing PKCS12 file in our project to import the certificate. I have seen the code and am not able to find the related API which can be used to parse the PKCS12 file. Do you have some sample example code which does this work? Thanks for your help. -- Regards, Sunil Jain

4 years, 2 months

1
0
0 0

FTP Data connection handshake is failing

by Sunil Jain

Hello, We are porting MbedTLS 2.16 for FTP server. There are 2 connection in FTP communication, Control and data. For control communication we are ok with handshake but data communication handshake is having issue. We have observed with FTP Client (FileZilla) our earlier implementation of FTP server with Mocana secure library, we used to send certificate and server key exchange in control communication handshake only, for Data communication handshake ServerHello and change cipher spec was sent. But in case of MbedTLS, we are sending certificate and server key exchange in data communication handshake also. FTP Client (FileZilla) is rejecting the handshake after receiving the server certificate server key exchange and from the FTP server as I believe it is expecting session resumption and FTP Server is waiting for client key exchange in handshake. In attached wireshark trace, packet number 1570 is having issue. When we tested this server with another FTP client (WinSCP), its working fine as this client is not expecting session resumption. As I go through the code documentation of MbedTLS, I found that we cannot set the session resumption at server side, only client side we can do this setting. How can we make FTP server ready with session resumption? Please support us. Thanks and Regards, Sunil

4 years, 2 months

1
0
0 0

ECDSA signature verification failure

by Nassim Eddequiouaq

Hi, I'm running into a signature verification issue with ECDSA. I've generated test values with python and have a working signature verification: --------- Python --------- In [66]: sig_bytes.hex() Out[66]: '30440220704fb7e4e51dc0f2f9bb0a3645d433bdd7ea23dff5e0e231449261f043c645db02203e648d4924c56b14004d984bcacf954e47ae6109db15597695664d06c0b782c2' In [67]: statement Out[67]: b'1:VALID_SESSION:2:xxxx' In [68]: key = load_pem_public_key(b'-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWaBFEuO91YcVK6mJqDtjCvRT8cE7\nfjKNmOxU/wYzSPVHyyZ0IhxY9 ...: UFwZKWO1iEWkeReHK/SNRk2rtvX4qX44g==\n-----END PUBLIC KEY-----\n') In [69]: key.verify(sig_bytes, statement, primitives.asymmetric.ec.ECDSA(primitives.hashes.SHA256())) Success ---------------------------- And have the following code on the mbedTLS C side which fails on mbedtls_ecdsa_read_signature(): --------- MbedTLS --------- uint8_t sha256_digest_buff[SHA256_DIGEST_BYTES] = { 0 }; uint8_t* message = (uint8_t*)"1:VALID_SESSION:2:xxxx"; uint8_t* public_key_pem = (uint8_t*)"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEc8uijCCOayvXQz5+2fjVjAbNraYf\nReDKcN8p5ttPedCXxr8A9rGcmA89pFcmpuDRvZgx+qiRC/pNcs0kqy1VVQ==\n-----END PUBLIC KEY-----\n"; uint8_t signature[70] = {0x30, 0x44, 0x02, 0x20, 0x70, 0x4f, 0xb7, 0xe4, 0xe5, 0x1d, 0xc0, 0xf2, 0xf9, 0xbb, 0x0a, 0x36, 0x45, 0xd4, 0x33, 0xbd, 0xd7, 0xea, 0x23, 0xdf, 0xf5, 0xe0, 0xe2, 0x31, 0x44, 0x92, 0x61, 0xf0, 0x43, 0xc6, 0x45, 0xdb, 0x02, 0x20, 0x3e, 0x64, 0x8d, 0x49, 0x24, 0xc5, 0x6b, 0x14, 0x00, 0x4d, 0x98, 0x4b, 0xca, 0xcf, 0x95, 0x4e, 0x47, 0xae, 0x61, 0x09, 0xdb, 0x15, 0x59, 0x76, 0x95, 0x66, 0x4d, 0x06, 0xc0, 0xb7, 0x82, 0xc2}; [...] int mbedtls_status = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_pk_context pubkey_ctx; mbedtls_ecdsa_context ecdsa_ctx; mbedtls_ecp_curve_info *curve_info = NULL; /* Create public key context */ mbedtls_pk_init(&pubkey_ctx); /* Create ecdsa context */ mbedtls_ecdsa_init(&ecdsa_ctx); /* Parse public key */ if ((mbedtls_status = mbedtls_pk_parse_public_key(&pubkey_ctx, pubkey_pem, pubkey_pem_len)) != 0) { ERRORF("Failure failure parsing PEM-encoded ecdsa-p256r1 public key, mbedTLS status: %d", mbedtls_status); ret = E_INVAL_PUBKEY; goto cleanup; } /* Hash the message with sha256 */ if ((mbedtls_status = mbedtls_sha256_ret(message, message_len, sha256_digest_buff, 0 /* Not 224 bits hashing */ )) != 0) { ERRORF("Failure sha256-hashing message before ecdsa-p256r1 signature verification, mbedTLS status: %d", mbedtls_status); ret = E_FAILED_HASH; goto cleanup; } /* Set the public key as the ecdsa signature verification key */ if ((mbedtls_status = mbedtls_ecp_copy(&ecdsa_ctx.Q, &mbedtls_pk_ec(pubkey_ctx)->Q)) != 0 ) { ERRORF("Failure copying ecdsa-p256r1 public key to ecdsa context, mbedTLS status: %d", mbedtls_status); ret = E_UNKNOWN; goto cleanup; } if ((mbedtls_status = mbedtls_ecp_group_copy(&ecdsa_ctx.grp, &mbedtls_pk_ec(pubkey_ctx)->grp)) != 0 ) { ERRORF("Failure copying ecdsa-p256r1 public key group to ecdsa context, mbedTLS status: %d", mbedtls_status); ret = E_UNKNOWN; goto cleanup; } /* Verify ecdsa-p256r1 signature verification */ if ((mbedtls_status = mbedtls_ecdsa_read_signature(&ecdsa_ctx, sha256_digest_buff, sizeof(sha256_digest_buff), signature, signature_len)) != 0) { ERRORF("Failure verifying ecdsa-p256r1 signature against message, mbedTLS status: %d", mbedtls_status); ret = E_INVALID_SIG; goto cleanup; } /* Success */ ret = E_SUCCESS; ---------------------------- Also, `mbedtls_ecp_curve_info_from_grp_id( ecdsa_ctx.grp.id )->name` yields the right curve prior to the signature verification. I must be missing something in the process. Would love to get some input, thanks a lot! -- Nassim Eddequiouaq

4 years, 2 months

1
0
0 0

Re: [mbed-tls] Request for Support [Issue : Webserver handshake failing with self-signed certificate]

by Selin Chris

Hi Gilles, Thanks for the quick reply. I migrated to version 2.16, and I have seen the same issue is still there. Moreover, we have reseeded the RNG, still issue is there. I created a client and it's working fine, it's able to handshake and send data to the server. Only problem is server communication where control is going in infinite loop while creating server key exchange. As you asked for the call stack of the loop, I am attaching the call stack with this mail. Please support us. Thank you. Regards, Selin. On Fri, May 21, 2021 at 5:30 PM <mbed-tls-request(a)lists.trustedfirmware.org> wrote: > Send mbed-tls mailing list submissions to > mbed-tls(a)lists.trustedfirmware.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls > or, via email, send a message with subject or body 'help' to > mbed-tls-request(a)lists.trustedfirmware.org > > You can reach the person managing the list at > mbed-tls-owner(a)lists.trustedfirmware.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of mbed-tls digest..." > > > Today's Topics: > > 1. Re: Request for Support [Issue : Webserver handshake failing > with self-signed certificate] (Gilles Peskine) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 20 May 2021 15:13:54 +0200 > From: Gilles Peskine <gilles.peskine(a)arm.com> > To: mbed-tls(a)lists.trustedfirmware.org > Subject: Re: [mbed-tls] Request for Support [Issue : Webserver > handshake failing with self-signed certificate] > Message-ID: <93c3cd71-bdc1-c3ec-4bbc-89ff995a8444(a)arm.com> > Content-Type: text/plain; charset=utf-8 > > Hi Selin, > > A possible problem could be a misconfigured random generator. However > this is purely speculation. Can you get a stack trace? Finding the root > cause requires finding where mbedtls_mpi_cmp_mpi is called. > > Please note that Mbed TLS 2.16.3 has known bugs and vulnerabilities. You > should upgrade to the latest bug-fixing version of the 2.16 branch, > 2.16.10. > > -- > Gilles Peskine > Mbed TLS developer > > On 20/05/2021 13:06, Selin Chris via mbed-tls wrote: > > > > Hi, > > > > Thank you for adding me to the mbed-tls mailing list. > > > > We have created a self-signed certificate with ECC key of > > MBEDTLS_ECP_DP_SECP256R1 type, since it is a self-signed certificate > > after we send the certificate to chrome from our web server it shows > > not trusted and goes to the page where we need to manually proceed > > with the acceptance of the certificate to allow further communication. > > After this we again have to perform handshake for which we need to > > prepare the server key exchange, while preparing the server key > > exchange we notice that it is infinitely calling the > > mbedtls_mpi_cmp_mpi() function in bignum.c and the execution is not > > able to proceed hereafter. Sometimes we also see that when executing > > ssl_prepare_server_key_exchange() function in ssl_srv.c we find > > ciphersuite_info pointer as null and the program goes into data panic > > due to that. We have checked our stacks and not seen any sign of > > corruption. > > > > The mbedtls version that we are using is mbedtls-2.16.3. > > Please find the attached wireshark trace during this scenario. The IP > > 192.168.2.67 corresponds to our webserver and 192.168.2.100 the pc > > with the browser. > > > > Please let us know the root-cause of the issue and the actions to be > > taken to fix this - can you please expedite as this is a blocking > > issue in our project. > > > > Thanks for the support. > > > > Regards, > > Selin. > > > > > > > > > > ------------------------------ > > Subject: Digest Footer > > mbed-tls mailing list > mbed-tls(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls > > > ------------------------------ > > End of mbed-tls Digest, Vol 15, Issue 8 > *************************************** >

4 years, 2 months

1
0
0 0

Server and client fails with “Verification of the message MAC failed” after Successful Handshake

by Vaibhav Sathye

Hi I am writing a server client with Libuv as tcp stack and mbedtls as ssl. I am able to do a successful handshake between server and client but after that when I try to write/read application data it fails with “Verification of the message MAC failed”. After inspecting debug logs, I found the server and client have the same Pre-master master secret and IV and still it is failing. Currently both client and server are on the same machine . I am attaching server and client logs. Any help is appreciated. server.log <https://drive.google.com/file/d/1oaMMV2_YVDL8GLn6GH3PIQSIH5BDbGeU/view?usp=…> client.log <https://drive.google.com/file/d/1Z9P1ssglqRpBUmXF9TuRQd6KJKvyw6RJ/view?usp=…> Thanks Vaibhav

4 years, 2 months

1
0
0 0

Re: [mbed-tls] Request for Support [Issue : Webserver handshake failing with self-signed certificate]

by Gilles Peskine

Hi Selin, A possible problem could be a misconfigured random generator. However this is purely speculation. Can you get a stack trace? Finding the root cause requires finding where mbedtls_mpi_cmp_mpi is called. Please note that Mbed TLS 2.16.3 has known bugs and vulnerabilities. You should upgrade to the latest bug-fixing version of the 2.16 branch, 2.16.10. -- Gilles Peskine Mbed TLS developer On 20/05/2021 13:06, Selin Chris via mbed-tls wrote: > > Hi, > > Thank you for adding me to the mbed-tls mailing list. > > We have created a self-signed certificate with ECC key of > MBEDTLS_ECP_DP_SECP256R1 type, since it is a self-signed certificate > after we send the certificate to chrome from our web server it shows > not trusted and goes to the page where we need to manually proceed > with the acceptance of the certificate to allow further communication. > After this we again have to perform handshake for which we need to > prepare the server key exchange, while preparing the server key > exchange we notice that it is infinitely calling the > mbedtls_mpi_cmp_mpi() function in bignum.c and the execution is not > able to proceed hereafter. Sometimes we also see that when executing > ssl_prepare_server_key_exchange() function in ssl_srv.c we find > ciphersuite_info pointer as null and the program goes into data panic > due to that. We have checked our stacks and not seen any sign of > corruption. > > The mbedtls version that we are using is mbedtls-2.16.3. > Please find the attached wireshark trace during this scenario. The IP > 192.168.2.67 corresponds to our webserver and 192.168.2.100 the pc > with the browser. > > Please let us know the root-cause of the issue and the actions to be > taken to fix this - can you please expedite as this is a blocking > issue in our project. > > Thanks for the support. > > Regards, > Selin. > > >

4 years, 3 months

1
0
0 0

Request for Support [Issue : Webserver handshake failing with self-signed certificate]

by Selin Chris

Hi, Thank you for adding me to the mbed-tls mailing list. We have created a self-signed certificate with ECC key of MBEDTLS_ECP_DP_SECP256R1 type, since it is a self-signed certificate after we send the certificate to chrome from our web server it shows not trusted and goes to the page where we need to manually proceed with the acceptance of the certificate to allow further communication. After this we again have to perform handshake for which we need to prepare the server key exchange, while preparing the server key exchange we notice that it is infinitely calling the mbedtls_mpi_cmp_mpi() function in bignum.c and the execution is not able to proceed hereafter. Sometimes we also see that when executing ssl_prepare_server_key_exchange() function in ssl_srv.c we find ciphersuite_info pointer as null and the program goes into data panic due to that. We have checked our stacks and not seen any sign of corruption. The mbedtls version that we are using is mbedtls-2.16.3. Please find the attached wireshark trace during this scenario. The IP 192.168.2.67 corresponds to our webserver and 192.168.2.100 the pc with the browser. Please let us know the root-cause of the issue and the actions to be taken to fix this - can you please expedite as this is a blocking issue in our project. Thanks for the support. Regards, Selin.

4 years, 3 months

1
0
0 0

Re: [mbed-tls] Query for TLS 1.3

by Shebu Varghese Kuriakose

Hi Manoj, As you might have seen, TLS1.3 prototype is available in github https://github.com/hannestschofenig/mbedtls/tree/tls13-prototype The project is working on reviewing the prototype and upstreaming parts of it to Mbed TLS. The currently open pull requests to Mbed TLS project can be found here: https://github.com/ARMmbed/mbedtls/labels/MPS%20%2F%20TLS%201.3 Some of the outstanding work is captured here - https://github.com/ARMmbed/mbedtls/projects/2#column-12964476 If possible, please test the TLS1.3 prototype and let know if you have any feedback. Also welcome to review any patches. 1. Expected date for release of MbedTLS with TLS 1.3 support? A subset of TLS 1.3 features is aimed to be available around the last quarter of 2021. TLS1.3 support in Mbed TLS at that point would be limited for TLS (no DTLS), Client side and ECDHE. There won't be support for server side, PSK and 0-RTT in this initial version. Note the last quarter target is based on high level task estimations and can change based on progress made in the coming months. You can use the prototype above in the interim for prototyping/development purposes. It is not expected to be integrated on production platforms though. 1. Is MbedTLS with TLS 1.3 support available under paid subscription? No, there is no paid offerings in Mbed TLS project. Mbed TLS project is an open source community project under trustedfirmware.org (https://www.trustedfirmware.org/) and is available to use under the open source license (Refer license section - https://github.com/ARMmbed/mbedtls). 1. Process for paid subscription (if point #2 applicable) Not Applicable Regards, Shebu From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org<mailto:mbed-tls-bounces@lists.trustedfirmware.org>> On Behalf Of Manoj Srivastava via mbed-tls Sent: Monday, May 17, 2021 8:57 PM To: mbed-tls(a)lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org> Subject: [mbed-tls] Query for TLS 1.3 Hello, I am using mbedTLS for TLS support. I am looking for TLS 1.3 support for PSK only mode. I have checked source code online but didn't get TLS 1.3 PSK only code. I found all prototype code only. Can you please highlight the repository if the same is available ? In case fixed code for TLS 1.3 for PSK only mode is not available then can please answer followings: 1. Expected date for release of MbedTLS with TLS 1.3 support? 2. Is MbedTLS with TLS 1.3 support available under paid subscription? 3. Process for paid subscription (if point #2 applicable) Best Regards, Manoj Srivastava

4 years, 3 months

1
0
0 0

Query for TLS 1.3

by Manoj Srivastava

Hello, I am using mbedTLS for TLS support. I am looking for TLS 1.3 support for PSK only mode. I have checked source code online but didn't get TLS 1.3 PSK only code. I found all prototype code only. Can you please highlight the repository if the same is available ? In case fixed code for TLS 1.3 for PSK only mode is not available then can please answer followings: 1. Expected date for release of MbedTLS with TLS 1.3 support? 2. Is MbedTLS with TLS 1.3 support available under paid subscription? 3. Process for paid subscription (if point #2 applicable) Best Regards, Manoj Srivastava

4 years, 3 months

1
0
0 0

Re: [mbed-tls] Support for ECDH key generation with Curve25519

by brian_d＠tutanota.com

Hi, thanks a lot for the fast reply and sorry for my late answer but I did a lot of tests in order to solve the problem (I never had success on compute shared function when "talking" with another peer). Yes, you're right, no need to modify anything. The issue was that mbedtls uses ecp point coordinates in big endian format while the other peer bytes were intended to be in little endian format. After reversing the bytes before compute shared everything worked! Thank you, have a nice day! Brian 3 mag 2021, 21:53 da mbed-tls(a)lists.trustedfirmware.org: > Hi Brian, > > It's not clear to me what you're trying to do. Mbed TLS supports > Curve25519 arithmetic for X25519, accessible through the > mbedtls_ecdh_xxx interface. If you want to use Curve25519 for some other > purpose, this may or may not be supported via direct access to the > mbedtls_ecp_xxx interface. The curve arithmetic code only supports > predefined groups, it does not support changing the generator without > patching the library. > > For Curve25519, the generator is the point (X,Z)=(9,1). Isn't this the > generator you want? > > Best regards, > > -- > Gilles Peskine > Mbed TLS developer > > On 30/04/2021 17:39, Brian via mbed-tls wrote: > >> Hi all, >> I'm trying to set the generator g to a value of 9 for the Curve25519 with mbedtls_ecp_gen_key function. However I cannot find any way to accomplish that. >> Could anyone help me? >> Thank you, have a nice day,Brian >> > > -- > mbed-tls mailing list > mbed-tls(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls >

4 years, 3 months

1
0
0 0

Not sure if the TLS implementation is correct or not

by Younes Boulahya

Please see these 2 stackoverflow posts: Implementing TLS over HTTP in STM32F303RC using W5500 <https://stackoverflow.com/questions/67522903/implementing-tls-over-http-in-…> HTTPS Handshake Debugging <https://stackoverflow.com/questions/67534996/https-handshake-debugging> In short I have implemented mbedtls over an HTTP Client but I am not sure if it's working or not, when I debug using wireshark I can see the handshake and the encrypted data sent to the server, but I don't see any records added to mysql database. [image: 1.PNG]

4 years, 3 months

1
0
0 0

mbedTLS -entropy source issue

by Pandurangan, Devi

Hi, I'm trying to integrate NXPs secure element SE050 into an application running on MSP432E401Y chip. I was able to successfully integrate their middleware(Plug and trust) on a baremetal project with mbedTLS enabled. It seems on this baremetal project, entropy_source (from entropy_alt.c) is not working. And this has a knock on effect on mbedtls_ctr_drbg_seed function which fails and takes the entire project down with it. Also, from the sole example given in the Simplelink SDK (tcpechotls), I see that mbedtls is used in a project with RTOS enabled. Should I try integrating this code in an RTOS based project and check? Has anyone worked on this ? Thanks, Devi Pandurangan Lead Engineer - Embedded Software Armstrong Fluid Technology #59, "Hampapura Mane" 3rd Main, Margosa Road, Malleswaram, Bangalore, Karnataka, 560 003, India T : +91-80-49063555<tel:+91-80-49063555> | F : +91-80-23343535 www.armstrongfluidtechnology.com [cid:image001.jpg@01D741AF.326E2340]<http://www.armstrongfluidtechnology.com/> [cid:image002.jpg@01D741AF.326E2340]<http://twitter.com/ArmstrongFT_UK> [cid:image003.jpg@01D741AF.326E2340]<http://plus.google.com/+Armstrongfluidtechnology> [cid:image004.jpg@01D741AF.326E2340]<http://www.linkedin.com/company/armstrong-fluid-technology> [cid:image005.jpg@01D741AF.326E2340]<http://www.youtube.com/user/ArmstrongFT> [cid:image006.jpg@01D741AF.326E2340]<https://www.facebook.com/ArmstrongFluidTechnology/> [cid:image007.jpg@01D741AF.326E2340]<https://www.flickr.com/photos/armstrongintegrated/collections/> DISCLAIMER: This email and any attachments are sent in confidence, subject to applicable legal privilege and upon the basis that the recipient will conduct appropriate checks. If you have received this email in error, please send it back to us and immediately and permanently delete it: you are strictly prohibited from using, copying or disclosing it or any information contained in it or in any attachment. Internet communications are not secure and Armstrong Design Private Limited is not responsible for their abuse by third parties, nor for any alteration or corruption in transmission, nor for any damage or loss caused by any virus or other defect. Armstrong Fluid Technology is a trading name of Armstrong Design Private Limited, #59, First Floor, 3rd Main Margosa Road, Malleswaram, Bangalore, 560 003, India registered in India company no. 029120KA2004PTC034014.

4 years, 3 months

1
0
0 0

Re: [mbed-tls] URGENT PLEASE

by Frank Bergmann

Hello Younes, I assume that you recently joined the list here. In that case: Please welcome! Since ole times of Usenet it is a common behaviour to first subscribe a list/channel and listen to the posts. After some time write your own first email to the list, introduce yourself quickly and write about your problem. But please do never start with an email carrying "URGENT" in subject. This is not politely. See, the people maintaining this list do this without any fees. The spent their time to answer questions "from the community" for free. And they do it well! Hence please avoid galopping in here. ;-) You want https and sftp implementations, which are layer 7 and actually mostly on a different/higher layer then mbed TLS. And they are not trivial - there is NO SIMPLE implementation! Please compare it to projects like e.g. Apache or OpenSSH: The people required months/years to get an implementation. Regarding the C code you sent: Obviously it is at least partly coming from STM and it has a size of more than 50 KiB. Why did you sent that? This is not just a code snippet of a few lines. Did you actually expect that anyone would analyze it? Maybe someone is on this list who knows the code and can give you some hints. But don't expect a "working example of https and sftp". Hence my personal answer: - Basic examples like "client" and "server" are already provided by mbed TLS! You just need to extend them with https and sftp protocol. - If you want to use a SIMPLE implementation then please use Python or Java/Groovy. Because then you don't need to know most of the technical details of https and sftp. - If you are looking for many "working examples" of code then you should also think about using a lib like OpenSSL which is mostly used. And please be politely. Please remember that the people here are giving support for free. Great support for free. cheers, Frank On 03.05.21 21:11, Younes Boulahya via mbed-tls wrote: > I am using STM32F303RCT6 and W5500, I want to upgrade to HTTPS and > SFTP, but I can't find any working example that I can use, can you > provide me a simple one PLEASE, of both HTTPS and SFTP. > > I attach my current c code, thank you so much 🌷 > -- Frank Bergmann, Pödinghauser Str. 5, D-32051 Herford, Tel. +49-5221-9249753 SAP Hybris & Linux LPIC-3, E-Mail tx2014(a)tuxad.de, USt-IdNr DE237314606 http://tdyn.de/freel -- Redirect to profile at freelancermap http://www.gulp.de/freiberufler/2HNKY2YHW.html -- Profile at GULP

4 years, 3 months

1
0
0 0

Re: [mbed-tls] Support for ECDH key generation with Curve25519

by Gilles Peskine

Hi Brian, It's not clear to me what you're trying to do. Mbed TLS supports Curve25519 arithmetic for X25519, accessible through the mbedtls_ecdh_xxx interface. If you want to use Curve25519 for some other purpose, this may or may not be supported via direct access to the mbedtls_ecp_xxx interface. The curve arithmetic code only supports predefined groups, it does not support changing the generator without patching the library. For Curve25519, the generator is the point (X,Z)=(9,1). Isn't this the generator you want? Best regards, -- Gilles Peskine Mbed TLS developer On 30/04/2021 17:39, Brian via mbed-tls wrote: > Hi all, > I'm trying to set the generator g to a value of 9 for the Curve25519 with mbedtls_ecp_gen_key function. However I cannot find any way to accomplish that. > Could anyone help me? > Thank you, have a nice day,Brian

4 years, 3 months

1
0
0 0

URGENT PLEASE

by Younes Boulahya

<mbed-tls(a)lists.trustedfirmware.org>I am using STM32F303RCT6 and W5500, I want to upgrade to HTTPS and SFTP, but I can't find any working example that I can use, can you provide me a simple one PLEASE, of both HTTPS and SFTP. I attach my current c code, thank you so much 🌷

4 years, 3 months

1
0
0 0

Support for ECDH key generation with Curve25519

by brian_d＠tutanota.com

Hi all, I'm trying to set the generator g to a value of 9 for the Curve25519 with mbedtls_ecp_gen_key function. However I cannot find any way to accomplish that. Could anyone help me? Thank you, have a nice day,Brian

4 years, 3 months

1
0
0 0

Problems during certificate verifing

by stefano664

Good morning, I'm testing a routine that verify the validity of an intermediate certificate, against my root certificate. Both certificates are generated on my machine. The code to do this is here: https://wtools.io/paste-code/b4OL I can do the verify with openSSL and works fine. When I pass certificates tombedTLS it returns these errors: The certificate is signed with an unacceptable hash. The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA). The certificate is signed with an unacceptable key (eg bad curve, RSA too short). Can someone help me to find the mistakes? Thanks for your help. ROOT CERTIFICATE: -----BEGIN CERTIFICATE----- MIIB8TCCAXagAwIBAgIBATAMBggqhkjOPQQDAgUAMDkxCzAJBgNVBAMMAkNBMR0w GwYDVQQKDBRDb21lbGl0IEdyb3VwIFMucC5BLjELMAkGA1UEBhMCSVQwHhcNMDEw MTAxMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjA5MQswCQYDVQQDDAJDQTEdMBsGA1UE CgwUQ29tZWxpdCBHcm91cCBTLnAuQS4xCzAJBgNVBAYTAklUMHYwEAYHKoZIzj0C AQYFK4EEACIDYgAE/u9D/9E9S8kmJ5W75GwaZxUuXYuCYfszCsjNEuylVMj8N1r6 Ce+FJ3eSKQGgh2/H2Pd5Ck7TENQSuVBZIVsUcUv5q/MGGJWUNLCSZm2b5kadVKXQ 6Cn6t7RDFQ0IvRoLo1AwTjAMBgNVHRMEBTADAQH/MB8GA1UdIwQYMBaAFOzrPv2f Rkotop0JzDEg/9CtjcRjMB0GA1UdDgQWBBTs6z79n0ZKLaKdCcwxIP/QrY3EYzAM BggqhkjOPQQDAgUAA2cAMGQCMAxEjQOUP2hC3yhGIkz04Y9fFR6WWH8kUqQEutfb 57Q9ADRFsmAVtJgOZEsVhnZ6ugIwcRK7dngvNozV9Uu4ifhDCLF7qQhAH4XyQ/WI GgKtCIBIps/H+JQNqjpwsVs8zlER -----END CERTIFICATE----- INTERMEDIATE CERTIFICATE: -----BEGIN CERTIFICATE----- MIIDDDCCAo+gAwIBAgIBATAMBggqhkjOPQQDAgUAMDkxCzAJBgNVBAMMAkNBMR0w GwYDVQQKDBRDb21lbGl0IEdyb3VwIFMucC5BLjELMAkGA1UEBhMCSVQwHhcNMDEw MTAxMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBozE+MDwGA1UEAww1Q29tZWxpdCBD bG91ZCBBcyBEZXYgS2ZHWUFjWHg5U3NvMnlic3plcDRQTjZjR295R1BMaTAxJjAk BgNVBAsMHUNvbWVsaXQgR3JvdXAgU3BhIC0gQ2xvdWQgTGFiMRowGAYDVQQKDBFD b21lbGl0IEdyb3VwIFNwYTEQMA4GA1UECAwHQmVyZ2FtbzELMAkGA1UEBhMCSVQw ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCfGrKbFRgC5o8REbcYdRzW FXS772+CC15nXCJR67gWL1wmKzrCekkFNlOnQrsPhe4iYnkhLuBYNWaVvSaHt9dS X/ZBbJ3bRnGAarw7QnirLZJFYSRRBhMw6xi91nt8kIvcA6kACFcooaRmg/jQzCyb eXO1skJhDv13TxwDB8UTtRkfOTFl23FekMPWmJpqU1YxjAAYRtcY4jGAtV4D7T3V 3WjZ0eaIjl9n2g9/slG6p3ZSjONIRmyTiBRQNynKCxy1Q9Px1ohDCcS2SsK0smy6 0EzCghEz8QjAWs7U9Ilh3OTCdCpV9clp1DQrjbDZky1rMEd7mRmTp8Fmd2c3ld0F AgMBAAGjUDBOMB0GA1UdDgQWBBT3OOc7ZPbeOBTkeYPBFQcQTLhECDAfBgNVHSME GDAWgBTs6z79n0ZKLaKdCcwxIP/QrY3EYzAMBgNVHRMEBTADAQH/MAwGCCqGSM49 BAMCBQADaQAwZgIxAJvrL0kIeB4mvRJT1MRA0Kc/mw5ZVVv0ErOQqLhQShECw6+K s5DL9V/tHf72iCCivAIxANfBJ2IMLzSZCOrSmr9fOCQktM6mFC5PyAuZX+3OGPfU UuJwph7GaoWW+fw1IxQm2Q== -----END CERTIFICATE----- Thanks a lot, Stefano

4 years, 3 months

1
0
0 0

Mbed TLS 3.0 branch transition

by Dave Rodgman

Hi, Today we are switching our branches around, so that the development branch focuses on Mbed TLS 3.0, to be released mid-year. This will include API-breaking changes. 2.x development work will continue on the development_2.x branch. After merging development_3.0 onto development, the development_3.0 branch will be removed. There is no change to the process for submitting PRs: new PRs should continue to target development, with backports to 2.x and 2.16 as needed. (The exception would be a bug-fix that only affects older branches, which would only need ports to the affected branches and not to development). As part of the 3.0 work, we are looking at various things that can be removed from the library. For some of these, we’ve notified the mailing list – please let us know in the next week if you have a good reason for retaining the feature in question. - Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0 https://github.com/ARMmbed/mbedtls/issues/4286 - Remove support for the "Truncated HMAC" (D)TLS extension https://github.com/ARMmbed/mbedtls/issues/4341 - Remove support for 3DES ciphersuites in (D)TLS https://github.com/ARMmbed/mbedtls/issues/4367 - Remove support for RC4, Blowfish, XTEA, MD2 and MD4 https://github.com/ARMmbed/mbedtls/issues/4084 - Remove support for pre-v3 X.509 certificates with extensions https://github.com/ARMmbed/mbedtls/issues/4386 - Remove the RSA key mutex https://github.com/ARMmbed/mbedtls/issues/4124 - Remove MBEDTLS_CHECK_PARAMS https://github.com/ARMmbed/mbedtls/issues/4313 - 3.0 and 2.x :- Minimum development environment: is it OK to require Python >= 3.6 and/or CMake >= 3.5.2? https://lists.trustedfirmware.org/pipermail/mbed-tls/2021-March/000319.html Dave Rodgman

4 years, 3 months

1
0
0 0

Removal of generated source and build files from the development branch

by Gilles Peskine

Hello, A number of files in the Mbed TLS source tree are automatically generated from other files, with a content that does not depend on the platform or configuration. We are considering removing the generated files from the development branch in Git, at least during the work towards Mbed TLS 3.0. This would affect at least the development branch until the 3.0 release, and may affect the development_2.x branch and the development branch after the 3.0 release. Long-time support branches and official releases will continue to have these source files in the Git tree. The reason to remove the generated files is to facilitate development, especially with the restructuring that is happening as we prepare a new major version of the library. This is an experimental change; depending on how effective it is, we may or may not wish to restore the generated files on the development branch when 3.0 stabilizes. It's also still possible that we will not go ahead with this change, depending on the impact on our CI and on the feedback we receive. The affected files are: * Two library source files: library/error.c and library/version_features.c. * Parts of some test programs: programs/test/query_config.c and programs/psa/psa_constant_names_generated.c. * The Visual Studio project files. * Some unit test data files. What does this change for you? **If you were using a long-time support branch or an official release**: no change. **If you were using the supplied GNU Makefile**: there should be no effective change. **If you were using CMake, Visual Studio or custom build scripts** on the development branch: Perl (>=5.8) will be required to generate some library sources and to generate the Visual Studio project files. Python (>=3.4) was already required to run config.py and to build the unit tests. Note that the generated files are independent of the Mbed TLS configuration, so if your deployment has a pre-configuration step, you can generate the files at this step: no new tool is required after the library is configured. The ongoing work (not complete yet as I write) is at https://github.com/ARMmbed/mbedtls/pull/4395 if you want to see what this change means concretely. We are aware that the additional dependencies are a burden in some environments, which is why we will definitely not change anything to releases or to current and future long-time support branches. If you are building Mbed TLS from the development branch and this change affects you, please let us know what constraints apply to your environment. Best regards, -- Gilles Peskine Mbed TLS developer

4 years, 3 months

1
0
0 0

Re: [mbed-tls] Uninitialized variable in rsa_prepare_blinding

by Gilles Peskine

Hello, The macro MBEDTLS_MPI_CHK sets ret, so this particular case is safe. That being said, we do have a hygiene rule to initialize ret variables, to avoid accidentally having uninitialized variables in edge cases. I'll file an issue to fix those. Thanks for reaching out! -- Gilles Peskine Mbed TLS developer On 21/04/2021 17:33, momo 19 via mbed-tls wrote: > Hello, > > I would like to report a possible bug in rsa_prepare_blinding function > in rsa.c > (https://github.com/ARMmbed/mbedtls/blob/v2.26.0/library/rsa.c > <https://github.com/ARMmbed/mbedtls/blob/v2.26.0/library/rsa.c>). I am > not sure if it is a real issue, but I think that there is a > possibility to use uninitialized variable ret: > > static int rsa_prepare_blinding( mbedtls_rsa_context *ctx, > int (*f_rng)(void *, unsigned char *, size_t), void > *p_rng ) > { > int ret, count = 0; <--- uninitialized variable ret > mbedtls_mpi R; > > mbedtls_mpi_init( &R ); > > if( ctx->Vf.p != NULL ) > { > /* We already have blinding values, just update them by > squaring */ > MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, > &ctx->Vi ) ); > MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, > &ctx->N ) ); > MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, > &ctx->Vf ) ); > MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, > &ctx->N ) ); > > goto cleanup; <--- going to cleanup without setting a value of ret > } > > (Skipping lines for readability) > > cleanup: > mbedtls_mpi_free( &R ); > > return( ret ); <--- returning uninitialized variable ret > } > > Best regards, > grapix121 > >

4 years, 4 months

1
0
0 0

Uninitialized variable in rsa_prepare_blinding

by momo 19

Hello, I would like to report a possible bug in rsa_prepare_blinding function in rsa.c (https://github.com/ARMmbed/mbedtls/blob/v2.26.0/library/rsa.c). I am not sure if it is a real issue, but I think that there is a possibility to use uninitialized variable ret: static int rsa_prepare_blinding( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { int ret, count = 0; <--- uninitialized variable ret mbedtls_mpi R; mbedtls_mpi_init( &R ); if( ctx->Vf.p != NULL ) { /* We already have blinding values, just update them by squaring */ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) ); goto cleanup; <--- going to cleanup without setting a value of ret } (Skipping lines for readability) cleanup: mbedtls_mpi_free( &R ); return( ret ); <--- returning uninitialized variable ret } Best regards, grapix121

4 years, 4 months

1
0
0 0

Re: [mbed-tls] Signing messages with ECDSA

by stefano664

Excuse me, I replied to your e-mail without note that I'm replying to your address instead of mailing-list address. Now I'll do some other tests, starting from a blank project. I can't send a fully compilable FW because my target is an ESP32 with an OPTIGA crypto chip connected,. than it is necessary to have my hardware to run it. But attached I put my mbedtls configuration. Thank you, Stefano Il giorno mer 21 apr 2021 alle ore 14:36 Gilles Peskine < gilles.peskine(a)arm.com> ha scritto: > I adjusted your code to compile and added the missing definitions and > declarations, and this version works for me. I've attached my code. Here's > the output I get (Mbed TLS , default configuration): > > Message: PLUTOxPLUTOxPLUTOxPLUTOxPLUTOxxx > Private key: -----BEGIN EC PRIVATE KEY----- > MIGkAgEBBDCv5Vq0yRsOKLkkaI0lR32vByL9MB+4O0f+bhVErb8Fd0W1XFhN1897 > iAtnV/DeXDygBwYFK4EEACKhZANiAARgYE9uzG+nXYDoydWyDE6wrlgxiRKqm6kg > si00tFa0KD//vCemOAoYAmmbtFd9RvE6tNOw+Ze5eRtVvosmvYl5IoWx4Jda+Wv9 > ftRXkUk3nRzcAmXnG7bGmgwNC2iC73s= > -----END EC PRIVATE KEY----- > > Hash: yrmtrgMb4WzvHD5XWwb00yAE13RCi934x2ySjcWup5g= > Signature: MGQCMD8pezXqUF6v01b0WQiIUZWuuvxPR1tT15YnN9atogKR2pBPizBYbbhjAIz+ftm78AIwDogKWZVxDk5r6I38oIn0JALO7h8EcTCwjUsulYS5BRl8iyITAC42Xx+HlRPofwbr > Public key: -----BEGIN PUBLIC KEY----- > MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYGBPbsxvp12A6MnVsgxOsK5YMYkSqpup > ILItNLRWtCg//7wnpjgKGAJpm7RXfUbxOrTTsPmXuXkbVb6LJr2JeSKFseCXWvlr > /X7UV5FJN50c3AJl5xu2xpoMDQtogu97 > -----END PUBLIC KEY----- > > > I don't think I can be of any more help unless you post code to reproduce > the problem that can be compiled and run a popular platform (preferably > Linux) without modifications, and also your library configuration > (mbedtls/config.h). Preferably post those on the mailing list, because I > personally have limited time and I'm not sure when I'll next be able to > take a look. > > Best regards, > > -- > Gilles Peskine > Mbed TLS developer > > > On 21/04/2021 14:14, stefano664 wrote: > > I'm sure that the problem isn't here. > > 1) mbedtls_base64_encode is used only to generate human readable data in > this case, and to print it. The chain have the same behaviour without these. > > 2) I changed len_b64 and olen type to size_t and removed casting. I have > the same result and verify fails... > > Here the new code: https://wtools.io/paste-code/b4Hy > > Here the new output: https://wtools.io/paste-code/b4H0 > > Do you have some other idea? > Thanks a lot for your help! > > Stefano > > > Il giorno mer 21 apr 2021 alle ore 13:36 Gilles Peskine < > gilles.peskine(a)arm.com> ha scritto: > >> Ok, I found the problem: >> >> mbedtls_base64_encode(hash_b64, sizeof(hash_b64), (size_t *) &len_b64, hash, 32); >> >> >> &len_b64 is a pointer to uint16_t. Casting the pointer to size_t* doesn't >> give you a pointer to a size_t object, it gives you an invalid pointer >> since it isn't pointing to a size_t object. When mbedtls_base64_encode >> writes through that pointer, it overwrites whatever is next on the stack. >> Other calls with a size_t* cast have the same problem. Depending on exactly >> how your compiler lays out the stack, this might part of the message, or >> part of the pk structure, or part of the result... >> >> I found this problem because I massaged your code until it ran on Linux, >> and it crashed during mbedtls_pk_sign because the pk structure had been >> corrupted. Other potential ways to find such problems include static >> analysis (Coverity is good but very expensive), AddressSanitizer (if you >> can build your code on a platform that has enough space), and of course >> code review (any cast is suspicious: most of the times, when a compiler >> complains about something, a cast will silence the compiler but not >> actually fix the problem). >> >> Best regards, >> >> -- >> Gilles Peskine >> Mbed TLS developer >> >> On 21/04/2021 09:43, stefano664 wrote: >> >> Hi Gilles, >> thanks for your reply. >> >> The posted code is without error checks to be smaller. The complete code >> is here: >> >> https://wtools.io/paste-code/b4Hi >> >> All error checks pass true than all functions seems ok. >> >> In this version I added also the verify, that fail. >> >> Here you can find the output with all prints, messages and datas: >> >> https://wtools.io/paste-code/b4Hj >> >> As you can see my signature is 71 byte wide, a bit too little even after >> zeroes removing. The same made with openSSL is 104 byte wide. >> I've checked my keys, and I confirm it is 384 bit. You can check, it is >> printed during process. >> >> Thanks a lot for your help! >> >> Best regards, >> Stefano >> >> >> Il giorno mar 20 apr 2021 alle ore 21:48 Gilles Peskine via mbed-tls < >> mbed-tls(a)lists.trustedfirmware.org> ha scritto: >> >>> Hi Stefano, >>> >>> Assuming that the key is in PEM format and that the buffers (hash, tmp) >>> are large enough, I don't see anything wrong in the part of the code you >>> posted. >>> >>> You posted code without error checking. Can you confirm that all >>> functions return 0? >>> >>> mbedtls_pk_sign produces ECDSA signatures in ASN.1 format. The size of >>> the signature can be up to 104 bytes, and is often a few bytes shorter >>> because it consists of numbers in which leading zeros are omitted. Make >>> sure the tmp buffer is large enough. You can use >>> MBEDTLS_ECDSA_MAX_SIG_LEN(384) or MBEDTLS_ECDSA_MAX_LEN (from >>> mbedtls/ecdsa.h) as the signature buffer size. >>> >>> 72 bytes is the maximum size of a signature for a 256-bit key, reached >>> about 25% of the time. Are you sure you're signing with the key you >>> intended? >>> >>> People may be able to help more if you post complete code that we can >>> run on our machine. >>> >>> Best regards, >>> >>> -- >>> Gilles Peskine >>> Mbed TLS developer >>> >>> On 20/04/2021 16:49, stefano664 via mbed-tls wrote: >>> > Hi all, >>> > I have some problems with mbedTLS during ECDSA signing process. >>> > >>> > I followed the example supplied with the source code and write this >>> code: >>> > >>> > mbedtls_pk_init(&pk); >>> > mbedtls_pk_parse_key(&pk, (const unsigned char *) >>> > flash.flash_ver0.ecc_priv_key, strlen(flash.flash_ver0.ecc_priv_key) + >>> > 1, (const unsigned char *)CA_DEF_ISSUER_PWD, CA_DEF_ISSUER_PWD_LEN); >>> > mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), msg, msg_len, >>> > hash); >>> > mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256, hash, 0, tmp, (size_t *)&len, >>> > mbedtls_ctr_drbg_random, &ctr_drbg); >>> > >>> > The private key is an ECC key with 384 bit. I have two issue: >>> > >>> > 1) In tmp variable I found the signature, but it is 72 byte, instead >>> > of 96 (384*2/87); >>> > 2) On this signature I try to make a verify, but fails. >>> > >>> > Where I'm wrong? >>> > >>> > Best regards, >>> > Stefano >>> > >>> >>> -- >>> mbed-tls mailing list >>> mbed-tls(a)lists.trustedfirmware.org >>> https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls >>> >> >> IMPORTANT NOTICE: The contents of this email and any attachments are >> confidential and may also be privileged. If you are not the intended >> recipient, please notify the sender immediately and do not disclose the >> contents to any other person, use it for any purpose, or store or copy the >> information in any medium. Thank you. >> > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. >

4 years, 4 months

1
0
0 0

3.0 proposal: remove support for pre-v3 X.509 certificate with extensions

by Manuel Pegourie-Gonnard

Hi all, Version 3 of X.509 was published in 1997 and introduced extensions. However, in the years that followed, some implementations did generate certificates with extensions and a declared version less than 3. Such certs were never compliant and are rejected by default, however we have a compile-time option to no reject them for that reason: MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 Since this is 2021 and pre-v3 certificates are unlikely to still be used, we'd like to remove this option in Mbed TLS 3.0. (It would remain in 2.16 and the upcoming 2.x LTS branch.) As usual, more details can be found in the github issue: https://github.com/ARMmbed/mbedtls/issues/4386 If you need this option to still be available in Mbed TLS 3.0, please speak up now, here on on github! Regards, Manuel.

4 years, 4 months

1
0
0 0

Re: [mbed-tls] SSL session cache API in Mbed TLS 3.0

by Jérémy Audiger

Hi Hanno, Regarding your first point, I'm not against having the structure mbedtls_ssl_session as opaque on the application side, at least, it ensures the application is not modifying something that it shouldn't. Having said that, on my side, I access three fields of this structure: * sslContext.state * sslContext.own_cid_len * sslContext.own_cid The first one is used to retrieve the current state, mainly MBEDTLS_SSL_HANDSHAKE_OVER, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT. Finally, the match between an incoming LwM2M Client encrypted message using CID and the structure mbedtls_ssl_session is done by accessing own_cid / own_cid_len. But I think this one could be done using mbedtls_ssl_get_peer_cid(). Regards, Jérémy ________________________________ From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> on behalf of Hanno Becker via mbed-tls <mbed-tls(a)lists.trustedfirmware.org> Sent: Friday, April 16, 2021 06:37 To: mbed-tls(a)lists.trustedfirmware.org <mbed-tls(a)lists.trustedfirmware.org> Subject: [mbed-tls] SSL session cache API in Mbed TLS 3.0 Hi Mbed TLS enthusiasts, For Mbed TLS 3.0, we're considering to modify the API around SSL sessions and server-side SSL session caches as follows: 1) The mbedtls_ssl_session structure becomes opaque, that is, its layout, fields, size is not part of the API and thus not subject to any stability promises. Instances of mbedtls_ssl_session may only be accessed through public function API. At the time of writing, this is mainly mbedtls_ssl_session_load()/save() for session serialization and deserialization. In particular, user code requiring access to specific fields of mbedtls_ssl_session won't be portable without further adjustments, e.g. the addition of getter functions. If you access fields of mbedtls_ssl_session in your code and would like to retain the ability to do so, now is the time to speak up and let us know about your use case. 2) The SSL session cache API gets modified as proposed in https://github.com/ARMmbed/mbedtls/issues/4333#issuecomment-820297322: int mbedtls_ssl_cache_get( void *data, unsigned char const *session_id, size_t session_id_len, mbedtls_ssl_session *dst_session ); int mbedtls_ssl_cache_set( void *data, unsigned char const *session_id, size_t session_id_len, mbedtls_ssl_session const *session ); In words: The session ID becomes an explicit parameter. This modification is necessary because the present session cache API requires custom implementations to peek into the mbedtls_ssl_session structure, at least to inspect the session ID. With the session ID being added as an explicit parameter, this is no longer necessary. We propose that custom session cache implementations treat mbedtls_ssl_session instances opaquely and only use them through the serialization and deserialization API mbedtls_ssl_session_load()/save(). The reason why the proposed API does not operate on serialized data directly is that this would enforce unnecessary copies. If you are using a custom SSL server-side session cache implementation which accesses fields other than the session ID and which can not be implemented based on session serialization, now is the time to speak up and let us know about your use case. Kind regards, Hanno

4 years, 4 months

2
1
0 0

Re: [mbed-tls] Signing messages with ECDSA

by Gilles Peskine

Hi Stefano, Assuming that the key is in PEM format and that the buffers (hash, tmp) are large enough, I don't see anything wrong in the part of the code you posted. You posted code without error checking. Can you confirm that all functions return 0? mbedtls_pk_sign produces ECDSA signatures in ASN.1 format. The size of the signature can be up to 104 bytes, and is often a few bytes shorter because it consists of numbers in which leading zeros are omitted. Make sure the tmp buffer is large enough. You can use MBEDTLS_ECDSA_MAX_SIG_LEN(384) or MBEDTLS_ECDSA_MAX_LEN (from mbedtls/ecdsa.h) as the signature buffer size. 72 bytes is the maximum size of a signature for a 256-bit key, reached about 25% of the time. Are you sure you're signing with the key you intended? People may be able to help more if you post complete code that we can run on our machine. Best regards, -- Gilles Peskine Mbed TLS developer On 20/04/2021 16:49, stefano664 via mbed-tls wrote: > Hi all, > I have some problems with mbedTLS during ECDSA signing process. > > I followed the example supplied with the source code and write this code: > > mbedtls_pk_init(&pk); > mbedtls_pk_parse_key(&pk, (const unsigned char *) > flash.flash_ver0.ecc_priv_key, strlen(flash.flash_ver0.ecc_priv_key) + > 1, (const unsigned char *)CA_DEF_ISSUER_PWD, CA_DEF_ISSUER_PWD_LEN); > mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), msg, msg_len, > hash); > mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256, hash, 0, tmp, (size_t *)&len, > mbedtls_ctr_drbg_random, &ctr_drbg); > > The private key is an ECC key with 384 bit. I have two issue: > > 1) In tmp variable I found the signature, but it is 72 byte, instead > of 96 (384*2/87); > 2) On this signature I try to make a verify, but fails. > > Where I'm wrong? > > Best regards, > Stefano >

4 years, 4 months

1
0
0 0

Signing messages with ECDSA

by stefano664

Hi all, I have some problems with mbedTLS during ECDSA signing process. I followed the example supplied with the source code and write this code: mbedtls_pk_init(&pk); mbedtls_pk_parse_key(&pk, (const unsigned char *) flash.flash_ver0.ecc_priv_key, strlen(flash.flash_ver0.ecc_priv_key) + 1, (const unsigned char *)CA_DEF_ISSUER_PWD, CA_DEF_ISSUER_PWD_LEN); mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), msg, msg_len, hash); mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256, hash, 0, tmp, (size_t *)&len, mbedtls_ctr_drbg_random, &ctr_drbg); The private key is an ECC key with 384 bit. I have two issue: 1) In tmp variable I found the signature, but it is 72 byte, instead of 96 (384*2/87); 2) On this signature I try to make a verify, but fails. Where I'm wrong? Best regards, Stefano

4 years, 4 months

1
0
0 0

Re: [mbed-tls] TLS serialization

by Manuel Pegourie-Gonnard

Hi Jérémy, Thanks for your question! Indeed, the context (de)serialization feature only support DTLS so far. We've added an enhancement request to our backlog to extend it to TLS: https://github.com/ARMmbed/mbedtls/issues/4340 However, it may take some time before we get to it, as we're currently focused on preparing Mbed TLS 3.0. Also, this enhancement may very well turn out to be more complex that it might look initially: TLS is a reliable stream protocol (as opposed to DTLS which is an unreliable datagram protocol) and there will probably be some precautions to take and corner case to handle in order to make sure the full stream is preserved. If you or anyone else wants to open a PR for that, that would obviously help - though again, I'm afraid we'll have little review bandwidth until the end of June. (More generally, it's always a good idea to coordinate on the list before raising a large or complex PR.) Regards, Manuel. ________________________________ From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> on behalf of Jérémy Audiger via mbed-tls <mbed-tls(a)lists.trustedfirmware.org> Sent: 12 April 2021 18:39 To: mbed-tls(a)lists.trustedfirmware.org <mbed-tls(a)lists.trustedfirmware.org> Subject: [mbed-tls] TLS serialization Hi everyone, I'm currently trying to add the ability to serialize / deserialize a TLS security session using these APIs: * mbedtls_ssl_context_load() * mbedtls_ssl_context_save() I'm on TLS Server-side (so not talking about TLS Client here). After digging through the mailing list, I discovered this previous topic: https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000012.html and this Github repository: https://github.com/dimakuv/mbedtls-psk-example The scenario is the same here: using PSK with ciphersuite MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8 Once the handshake is done, I'm able to serialize the TLS session with the patch attached to this email. After that I'm able to decrypt one incoming packet and encrypt one ongoing packet. So, almost everything is fine. But, when the TLS Server is receiving another message from the TLS Client (message sent in two fragments), the Server is able to decrypt the first fragment but not the second one, getting this error: ssl_msg.c:5475: 0x7f9aa803d288: => read ssl_msg.c:4029: 0x7f9aa803d288: => read record ssl_msg.c:2012: 0x7f9aa803d288: => fetch input ssl_msg.c:2167: 0x7f9aa803d288: in_left: 0, nb_want: 5 ssl_msg.c:2192: 0x7f9aa803d288: in_left: 0, nb_want: 5 ssl_msg.c:2195: 0x7f9aa803d288: ssl->f_recv(_timeout)() returned 5 (-0xfffffffb) ssl_msg.c:2215: 0x7f9aa803d288: <= fetch input ssl_msg.c:3763: 0x7f9aa803d288: dumping 'input record header' (5 bytes) ssl_msg.c:3763: 0x7f9aa803d288: 0000: 17 03 03 00 41 ....A ssl_msg.c:3765: 0x7f9aa803d288: input record: msgtype = 23, version = [3:3], msglen = 65 ssl_msg.c:2012: 0x7f9aa803d288: => fetch input ssl_msg.c:2167: 0x7f9aa803d288: in_left: 5, nb_want: 70 ssl_msg.c:2192: 0x7f9aa803d288: in_left: 5, nb_want: 70 ssl_msg.c:2195: 0x7f9aa803d288: ssl->f_recv(_timeout)() returned 65 (-0xffffffbf) ssl_msg.c:2215: 0x7f9aa803d288: <= fetch input ssl_msg.c:3874: 0x7f9aa803d288: dumping 'input record from network' (70 bytes) ssl_msg.c:3874: 0x7f9aa803d288: 0000: 17 03 03 00 41 00 00 00 00 00 00 00 03 27 9d 1a ....A........'.. ssl_msg.c:3874: 0x7f9aa803d288: 0010: 50 14 ff e1 14 8c b0 f5 de 06 1c f0 43 5c a0 91 P...........C\.. ssl_msg.c:3874: 0x7f9aa803d288: 0020: 46 23 3e 42 86 ed 3a 48 38 3d e8 b4 05 09 50 ac F#>B..:H8=....P. ssl_msg.c:3874: 0x7f9aa803d288: 0030: 94 6b 9c fb c6 22 7b 46 62 e0 af 08 ab 60 50 3c .k..."{Fb....`P< ssl_msg.c:3874: 0x7f9aa803d288: 0040: 6d c6 c8 7c cb 2c m..|., ssl_msg.c:1301: 0x7f9aa803d288: => decrypt buf ssl_msg.c:1414: 0x7f9aa803d288: dumping 'additional data used for AEAD' (13 bytes) ssl_msg.c:1414: 0x7f9aa803d288: 0000: 00 00 00 00 00 00 00 02 17 03 03 00 31 ............1 ssl_msg.c:1423: 0x7f9aa803d288: dumping 'IV used' (12 bytes) ssl_msg.c:1423: 0x7f9aa803d288: 0000: db 70 01 4b 00 00 00 00 00 00 00 03 .p.K........ ssl_msg.c:1424: 0x7f9aa803d288: dumping 'TAG used' (8 bytes) ssl_msg.c:1424: 0x7f9aa803d288: 0000: 50 3c 6d c6 c8 7c cb 2c P<m..|., ssl_msg.c:1437: 0x7f9aa803d288: mbedtls_cipher_auth_decrypt() returned -25344 (-0x6300) ssl_msg.c:3900: 0x7f9aa803d288: ssl_decrypt_buf() returned -29056 (-0x7180) Between each emission or reception of the fragment, the TLS security context is loaded and saved into a database. The use case here is really interesting, it seems to work well except when I receive or emit a message split into multiple fragments. Something is lost during the session backup. Maybe an interesting thing to add is when I'm loading a TLS session from the database, I'm following these steps: * Load the session into a buffer from the database * Init a security session with mbedtls_ssl_init() and mbedtls_ssl_setup() * Load the session from the buffer with mbedtls_ssl_context_load() Since I'm not an expert of mbed TLS code, I would like to know if someone could help me investigate this issue. TLS serialization/deserialization could be interesting to be part of the mbed TLS library. Regards, Jérémy Audiger

4 years, 4 months

2
1
0 0

3.0 Proposal: remove 3DES ciphersuites

by Manuel Pegourie-Gonnard

Hi all, We'd like to completely remove support for 3DES TLS ciphersuites in Mbed TLS 3.0. Those ciphersuites are vulnerable to the Sweet32 attack and 3DES has been deprecated by NIST. If we remove them from Mbed TLS 3.0, they will remain available in Mbed TLS 2.16 and 2.x, the latter being supported until 3 years after 3.0 has been released. As usual, if for any reason you need support for 3DES TLS ciphersuites in Mbed TLS 3.0, please speak up now and let use know about your use case! More context can be found at https://github.com/ARMmbed/mbedtls/issues/4367 Regards, Manuel.

4 years, 4 months

1
0
0 0

3.0 proposal: remove support for MD2, MD4, RC4, Blowfish and XTEA

by Ronald Cron

Hi, We consider removing the support for MD2, MD4, RC4, Blowfish and XTEA from Mbed TLS 3.0 (but the support will remain in the 2.16 and 2.2x LTS branches for the course of their lifetime). If you use one of those cryptographic primitives and think it should remain in Mbed TLS 3.0, please let us know and explain why. You can find more information in the following GitHub issue: https://github.com/ARMmbed/mbedtls/issues/4084. Best regards, Ronald Cron.

4 years, 4 months

1
0
0 0

SSL session cache API in Mbed TLS 3.0

by Hanno Becker

Hi Mbed TLS enthusiasts, For Mbed TLS 3.0, we're considering to modify the API around SSL sessions and server-side SSL session caches as follows: 1) The mbedtls_ssl_session structure becomes opaque, that is, its layout, fields, size is not part of the API and thus not subject to any stability promises. Instances of mbedtls_ssl_session may only be accessed through public function API. At the time of writing, this is mainly mbedtls_ssl_session_load()/save() for session serialization and deserialization. In particular, user code requiring access to specific fields of mbedtls_ssl_session won't be portable without further adjustments, e.g. the addition of getter functions. If you access fields of mbedtls_ssl_session in your code and would like to retain the ability to do so, now is the time to speak up and let us know about your use case. 2) The SSL session cache API gets modified as proposed in https://github.com/ARMmbed/mbedtls/issues/4333#issuecomment-820297322: int mbedtls_ssl_cache_get( void *data, unsigned char const *session_id, size_t session_id_len, mbedtls_ssl_session *dst_session ); int mbedtls_ssl_cache_set( void *data, unsigned char const *session_id, size_t session_id_len, mbedtls_ssl_session const *session ); In words: The session ID becomes an explicit parameter. This modification is necessary because the present session cache API requires custom implementations to peek into the mbedtls_ssl_session structure, at least to inspect the session ID. With the session ID being added as an explicit parameter, this is no longer necessary. We propose that custom session cache implementations treat mbedtls_ssl_session instances opaquely and only use them through the serialization and deserialization API mbedtls_ssl_session_load()/save(). The reason why the proposed API does not operate on serialized data directly is that this would enforce unnecessary copies. If you are using a custom SSL server-side session cache implementation which accesses fields other than the session ID and which can not be implemented based on session serialization, now is the time to speak up and let us know about your use case. Kind regards, Hanno

4 years, 4 months

1
0
0 0

3.0 proposal: remove support for Truncated HMAC

by Manuel Pegourie-Gonnard

Hi everyone, Truncated HMAC is a TLS extension that was originally created to reduce overhead in constrained environments. Nowadays, CCM-8 ciphersuites are an alternative that's superior both in terms of having even lower overhead and in terms of security. Consequently, recent RFCs have stated that the Truncated HMAC extensions must no longer be used. So, we would like to entirely remove support for this extension from Mbed TLS 3.0. (LTS branches would obviously retain support for it.) If you need support for Truncated HMAC extension in Mbed TLS 3.0, please speak up now! More context and details can be found in this github issue, which can also be used for discussion: https://github.com/ARMmbed/mbedtls/issues/4341 Regards, Manuel.

4 years, 4 months

1
0
0 0

TLS serialization

by Jérémy Audiger

Hi everyone, I'm currently trying to add the ability to serialize / deserialize a TLS security session using these APIs: * mbedtls_ssl_context_load() * mbedtls_ssl_context_save() I'm on TLS Server-side (so not talking about TLS Client here). After digging through the mailing list, I discovered this previous topic: https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000012.html and this Github repository: https://github.com/dimakuv/mbedtls-psk-example The scenario is the same here: using PSK with ciphersuite MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8 Once the handshake is done, I'm able to serialize the TLS session with the patch attached to this email. After that I'm able to decrypt one incoming packet and encrypt one ongoing packet. So, almost everything is fine. But, when the TLS Server is receiving another message from the TLS Client (message sent in two fragments), the Server is able to decrypt the first fragment but not the second one, getting this error: ssl_msg.c:5475: 0x7f9aa803d288: => read ssl_msg.c:4029: 0x7f9aa803d288: => read record ssl_msg.c:2012: 0x7f9aa803d288: => fetch input ssl_msg.c:2167: 0x7f9aa803d288: in_left: 0, nb_want: 5 ssl_msg.c:2192: 0x7f9aa803d288: in_left: 0, nb_want: 5 ssl_msg.c:2195: 0x7f9aa803d288: ssl->f_recv(_timeout)() returned 5 (-0xfffffffb) ssl_msg.c:2215: 0x7f9aa803d288: <= fetch input ssl_msg.c:3763: 0x7f9aa803d288: dumping 'input record header' (5 bytes) ssl_msg.c:3763: 0x7f9aa803d288: 0000: 17 03 03 00 41 ....A ssl_msg.c:3765: 0x7f9aa803d288: input record: msgtype = 23, version = [3:3], msglen = 65 ssl_msg.c:2012: 0x7f9aa803d288: => fetch input ssl_msg.c:2167: 0x7f9aa803d288: in_left: 5, nb_want: 70 ssl_msg.c:2192: 0x7f9aa803d288: in_left: 5, nb_want: 70 ssl_msg.c:2195: 0x7f9aa803d288: ssl->f_recv(_timeout)() returned 65 (-0xffffffbf) ssl_msg.c:2215: 0x7f9aa803d288: <= fetch input ssl_msg.c:3874: 0x7f9aa803d288: dumping 'input record from network' (70 bytes) ssl_msg.c:3874: 0x7f9aa803d288: 0000: 17 03 03 00 41 00 00 00 00 00 00 00 03 27 9d 1a ....A........'.. ssl_msg.c:3874: 0x7f9aa803d288: 0010: 50 14 ff e1 14 8c b0 f5 de 06 1c f0 43 5c a0 91 P...........C\.. ssl_msg.c:3874: 0x7f9aa803d288: 0020: 46 23 3e 42 86 ed 3a 48 38 3d e8 b4 05 09 50 ac F#>B..:H8=....P. ssl_msg.c:3874: 0x7f9aa803d288: 0030: 94 6b 9c fb c6 22 7b 46 62 e0 af 08 ab 60 50 3c .k..."{Fb....`P< ssl_msg.c:3874: 0x7f9aa803d288: 0040: 6d c6 c8 7c cb 2c m..|., ssl_msg.c:1301: 0x7f9aa803d288: => decrypt buf ssl_msg.c:1414: 0x7f9aa803d288: dumping 'additional data used for AEAD' (13 bytes) ssl_msg.c:1414: 0x7f9aa803d288: 0000: 00 00 00 00 00 00 00 02 17 03 03 00 31 ............1 ssl_msg.c:1423: 0x7f9aa803d288: dumping 'IV used' (12 bytes) ssl_msg.c:1423: 0x7f9aa803d288: 0000: db 70 01 4b 00 00 00 00 00 00 00 03 .p.K........ ssl_msg.c:1424: 0x7f9aa803d288: dumping 'TAG used' (8 bytes) ssl_msg.c:1424: 0x7f9aa803d288: 0000: 50 3c 6d c6 c8 7c cb 2c P<m..|., ssl_msg.c:1437: 0x7f9aa803d288: mbedtls_cipher_auth_decrypt() returned -25344 (-0x6300) ssl_msg.c:3900: 0x7f9aa803d288: ssl_decrypt_buf() returned -29056 (-0x7180) Between each emission or reception of the fragment, the TLS security context is loaded and saved into a database. The use case here is really interesting, it seems to work well except when I receive or emit a message split into multiple fragments. Something is lost during the session backup. Maybe an interesting thing to add is when I'm loading a TLS session from the database, I'm following these steps: * Load the session into a buffer from the database * Init a security session with mbedtls_ssl_init() and mbedtls_ssl_setup() * Load the session from the buffer with mbedtls_ssl_context_load() Since I'm not an expert of mbed TLS code, I would like to know if someone could help me investigate this issue. TLS serialization/deserialization could be interesting to be part of the mbed TLS library. Regards, Jérémy Audiger

4 years, 4 months

1
0
0 0

3.0 proposal: remove support for TLS 1.0, TLS 1.1 and DTLS 1.0

by Manuel Pegourie-Gonnard

Hi everyone, The IETF has recently published RFC 8996, which formally deprecates TLS 1.0, TLS 1.1 and DTLS 1.0 (there is no DTLS 1.1). One of the stated goals of the RFC is to empower maintainers of (D)TLS stacks to remove them from their code base, reducing the maintenance cost and the attack surface at the same time. This RFC comes right during the time we're preparing a new major version, which is the only time we allow ourselves to remove features. We'd like to take advantage of this opportunity by entirely removing support for TLS 1.0, TLS 1.1 and DTLS 1.0 in Mbed TLS 3.0. (They would obviously stay in our long-term support branches.) If you find yourself needing support for these versions in Mbed TLS 3.0, now is the time to speak up! More details can be found in the following github issue: https://github.com/ARMmbed/mbedtls/issues/4286 Feel free to discuss this issue on the list or on github, whatever's more convenient for you. Best regards, Manuel.

4 years, 4 months

1
0
0 0

Mbed TLS 3.0 branching

by Dave Rodgman

Hello Mbed TLS users, As previously announced, we are going to switch the focus of Mbed TLS development onto the upcoming 3.0 release. * We have created the development_2.x branch, currently aligned with the tip of development * For the next two weeks, we will keep development and development_2.x in sync (daily) * On April 22, we will merge development_3.0 into development, and remove development_3.0 This means that after April 22: * development will contain API-breaking changes * new features will not normally be back-ported to development_2.x (unless there is a compelling reason to do so) * relevant bugfixes will be backported as normal Impact for users: * users of development should consider whether they should switch to using development_2.x * authors of PRs requiring backports may require an additional backport to development_2.x Regards Dave Rodgman

4 years, 4 months

1
0
0 0

3.0 proposal: remove MBEDTLS_CHECK_PARAMS

by Gilles Peskine

Hello, I propose to remove the MBEDTLS_CHECK_PARAMS feature from Mbed TLS 3.0. (As with everything else, it will of course remain in the 2.16 and 2.2x long-time support branches.) If you are using MBEDTLS_CHECK_PARAMS and you think it should remain, please let us know and explain why. If you are not using this feature, I personally think that you're making the right choice. But if you're curious what it is, you can read the documentation or my description in https://github.com/ARMmbed/mbedtls/issues/4313 . -- Gilles Peskine Mbed TLS developer

4 years, 4 months

1
0
0 0

Re: [mbed-tls] mbedtls_hmac_drbg_seed fails, returns MBEDTLS_ERR_ENTROPY_SOURCE_FAILED

by Gilles Peskine

Hi Jeff, It looks like you're using an old version of Mbed TLS. mbedtls_hmac_drbg_seed used to set ctx->entropy_len to entropy_len * 3 / 2, but this changed (https://github.com/ARMmbed/mbed-crypto/pull/238) to making a call to mbedtls_entropy_func for entropy_len and then one again for entropy_len / 2, precisely to avoid the scenario you're describing where the HMAC_DRBG module would request more entropy than the entropy can deliver in a single call. Please upgrade to the latest release of Mbed TLS, or the latest 2.16 release if you want a long-time support branch. The version you're using is old and has known vulnerabilities. -- Gilles Peskine Mbed TLS developer On 06/04/2021 13:59, Thompson, Jeff via mbed-tls wrote: > > ï¿½ > > The call flow is mbedtls_hmac_drbg -> mbedtls_hmac_drbg_reseed -> > mbedtls_entropy_func where the parameter, len, is 48 and > MBEDTLS_ENTROPY_BLOCK_SIZE is 32. I see that mbedtls_hmac_drbg_seed > sets ï¿½ctx->entropy_len = entropy_len * 3 / 2, which explains the size > difference. Iï¿½ve probably mis-configured (see attached) in order to > use TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA, because other ciphers take too > long. > > ï¿½ > > *Jeff Thompson*ï¿½| ï¿½Senior Electrical Engineer-Firmware > +1 704 752 6513 x1394 > www.invue.com <www.invue.com> > > ï¿½ > >

4 years, 4 months

1
0
0 0

mbedtls_hmac_drbg_seed fails, returns MBEDTLS_ERR_ENTROPY_SOURCE_FAILED

by Thompson, Jeff

The call flow is mbedtls_hmac_drbg -> mbedtls_hmac_drbg_reseed -> mbedtls_entropy_func where the parameter, len, is 48 and MBEDTLS_ENTROPY_BLOCK_SIZE is 32. I see that mbedtls_hmac_drbg_seed sets ctx->entropy_len = entropy_len * 3 / 2, which explains the size difference. I've probably mis-configured (see attached) in order to use TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA, because other ciphers take too long. Jeff Thompson | Senior Electrical Engineer-Firmware +1 704 752 6513 x1394 www.invue.com [cid:image001.gif@01D72ABA.56C4A310]

4 years, 4 months

1
0
0 0

Re: [mbed-tls] Mbed TLS mbedtls_ssl_config (struct) Question

by Manuel Pegourie-Gonnard

Hi Keith, Those are good questions, and the short answer is everything should work in a multi-threaded environment if Mbed TLS was built with threading support (for example, enabling MBEDTLS_THREADING_C and MBEDTLS_THREADING_PTHREAD in config.h). Now for some more details: regarding mbedtls_ssl_config, it is indeed treated as read-only by all function in the SSL/TLS module, except of course those functions that are explicitly meant to modify it (those whose name starts with mbedtls_ssl_conf_). So, if you set it up in the main thread and then use it in other threads, everything will be fine regarding the top-level structure itself (for sub-structures see below), regardless of whether threading support is enabled. For the DRBG contexts, you're right that each time we draw from them, they need to update their state. However, this is protected by a mutex if threading support was enabled at compile-time. A similar thing goes for private keys : RSA private keys are protected by a mutex if threading support is enabled (using them mutates state used for side-channel countermeasures), and ECDSA private keys are safe too. X.509 structures are always treated as read-only. Regarding documentation: we did recently expand the documentation on DRBGs: https://github.com/ARMmbed/mbedtls/commit/f305d92480c81c6eb02934a4e1af58152… Regarding SSL, I agree this should be better documented. If you'd like to open a PR to add documentation that would have answered your question, that would be very welcome. Regards, Manuel ________________________________ From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> on behalf of Keith Cancel via mbed-tls <mbed-tls(a)lists.trustedfirmware.org> Sent: 02 April 2021 06:43 To: mbed-tls(a)lists.trustedfirmware.org <mbed-tls(a)lists.trustedfirmware.org> Subject: [mbed-tls] Mbed TLS mbedtls_ssl_config (struct) Question Hello, I hope this a simple question regarding mbedtls_ssl_config. So it seems this structure is meant to be shared/used for multiple connections. However, if I have multiple threads is it treated as a read only structure by all the library code, or does it update some state at times? Similar thing regarding the mbedtls_x509_crt struct and mbedtls_ctr_drbg_context which also seem to be added to the config when I setup the config. I was hoping that once set I don’t have to worry about any mutexs/locks being used by the library under the hood. Mainly, that once the configuration is set in the main thread it state is never updated again. What made me curious about this is the fact the RNG seems to be part of the configuration and a CPRNG will generally have state that needs to change. Moreover, I can’t really find a clear answer looking at the docs. Thanks, Keith Cancel -- mbed-tls mailing list mbed-tls(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls

4 years, 4 months

1
0
0 0

Mbed TLS mbedtls_ssl_config (struct) Question

by Keith Cancel

Hello, I hope this a simple question regarding mbedtls_ssl_config. So it seems this structure is meant to be shared/used for multiple connections. However, if I have multiple threads is it treated as a read only structure by all the library code, or does it update some state at times? Similar thing regarding the mbedtls_x509_crt struct and mbedtls_ctr_drbg_context which also seem to be added to the config when I setup the config. I was hoping that once set I don’t have to worry about any mutexs/locks being used by the library under the hood. Mainly, that once the configuration is set in the main thread it state is never updated again. What made me curious about this is the fact the RNG seems to be part of the configuration and a CPRNG will generally have state that needs to change. Moreover, I can’t really find a clear answer looking at the docs. Thanks, Keith Cancel

4 years, 4 months

1
0
0 0

2025

2024

2023

2022

2021

2020

mbed-tls