We have released Mbed TLS versions 3.5.0 and 2.8.5.
These releases of Mbed TLS address several security issues, provide bug fixes, and bring other minor changes. Full details are available in the release notes (https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.5, https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.5.0).
We recommend all users to consider whether they are impacted, and to upgrade appropriately.
Many Thanks.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
--
Mbed-tls-announce mailing list -- mbed-tls-announce(a)lists.trustedfirmware.org
To unsubscribe send an email to mbed-tls-announce-leave(a)lists.trustedfirmware.org
Hi Mbed TLS users,
We are planning to change the license for Mbed TLS shortly, from Apache 2.0 to a dual license Apache 2.0 / GPLv2-0-or-later license.
This will allow GPL-licensed projects to take Mbed TLS under a GPL license.
Projects which currently take Mbed TLS under an Apache 2.0 license may continue to do so, and therefore should not be affected by this change.
The inbound license, under which we accept contributions, is already a dual-license. There is therefore no impact for contributors, and no impact on PRs that are currently in review, or those that have previously been integrated into the library.
We hope that this will enable more projects to make use of Mbed TLS.
Dave Rodgman
We are happy to announce the publication in GitHub of the TF-PSA-Crypto repository: https://github.com/Mbed-TLS/TF-PSA-Crypto.
The TF-PSA-Crypto repository provides an implementation of the PSA Cryptography API (https://arm-software.github.io/psa-api). This encompasses the on-going extensions to the PSA Cryptography API (e.g. PAKE). The PSA Cryptography API implementation is organized around the PSA Cryptography driver interface aiming to ease the support of cryptographic accelerators and processors.
This is a significant milestone on the journey to split the PSA Cryptography API implementation and its development out of the Mbed TLS repository into TF-PSA-Crypto. This is early days though and the TF-PSA-Crypto repository should be considered as a prototype: it is read-only and mostly a mirror of the PSA Cryptography API implementation of Mbed TLS. But we believe it is a good illustration of what we are aiming at.
Thanks, Ronald Cron on behalf of the Mbed TLS team.
Hi experts,
I wanted to forward some crypto operations to an external driver that provides psa_call APIs. The mbedtls version I am using 3.4.0.
Take psa_asymmetric_encrypt as an example, The mbedtls api is
psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
const uint8_t *salt,
size_t salt_length,
uint8_t *output,
size_t output_size,
size_t *output_length)
It gets attribute, key.data and key.byte from key_id. Then call function psa_driver_wrapper_asymmetric_encrypt without key_id as its argument:
status = psa_driver_wrapper_asymmetric_encrypt(
&attributes, slot->key.data, slot->key.bytes,
alg, input, input_length, salt, salt_length,
output, output_size, output_length);
In psa_driver_wrapper_asymmetric_encrypt, it will use different implementations according to the location value in https://github.com/Mbed-TLS/mbedtls/blob/d69d3cda34c400a55220352518e37d3d2c….
I define a new location definition(RSS_PSA_LOCATION. When the location is RSS_PSA_LOCATION, making it call
psa_status_t crypto_psa_asymmetric_encrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
const uint8_t *salt,
size_t salt_length,
uint8_t *output,
size_t output_size,
size_t *output_length)
This API require key_id. Is it possible to get key_id from attribute and key_slot?
Regards,
Jiamei Xie
Hi,
I am trying to use the MACRO's defined at - https://github.com/Mbed-TLS/mbedtls/blob/development/docs/driver-only-build… to enable driver only build.
As mentioned on the page I tried to do this for SHA256. However, the code in sha256.c isn't ifdefed by "MBEDTLS_PSA_ACCEL_ALG_SHA_256" so still gets compiled ?
Can you point me to what I am missing here ?
Regards,
Ruchika
Hi all,
I have been using the old version(2.28) for a very long time, and updated to version 3.4.0 recently.
When using rsa encryption, there is a parameter 'mode' that allows to choose whether to use a public key or a private key. Why is it canceled in the new version? And how can I use the private key to perform an encryption operation?
Thank you for your help!
Hi,
For the crypto accelerator, we are developing for our SoC, we have a use-case where the same driver can support multiple/range of KEY LOCATIONS. We want a mechanism such that, the a common function in driver is called which can then take the necessary option based on the key location.
The way jsons are currently structured, what I understand is that for every key location, we will need to create a separate json with a different driver prefix. This would lead to a lot of code duplication for us.
For eg { to define 3 locations X, Y and Z , I need to create 3 json files -> these all refer to same crypto sub-system I my case}
#define TEST_DRIVER_X_OPAQUE_DRIVER_ID
#define TEST_DRIVER_Y_OPAQUE_DRIVER_ID
#define TEST_DRIVER_Z_OPAQUE_DRIVER_ID
Switch (key_location)
Case x:
Test_driver_x_ opaque_import_key();
break;
Case y:
Test_driver_y_ opaque_import_key();
break;
Case z:
Test_driver_z_ opaque_import_key();
break;
This is resulting in a lot of code duplication and overhead. What we want to have the flexibility to achieve is :
#define TEST_DRIVER_OPAQUE_DRIVER_ID
Switch (key_location)
Case x:
Case y:
Case z:
Test_driver_opaque_import_key();
If we can support multiple locations from a driver json file for a given driver, this issue would be resolved. This would give the driver writers flexibility on how and where they want to handle the locations.
Please let us know your views on the same.
Regards,
Ruchika