- mbed-tls - lists.trustedfirmware.org

MbedTLS (2.25.0) TLS handshake on FreeRTOS - PSA Crypto enabled (SE) but not used during client step 8

by hippolyte.einfalt＠viveris.fr

Greetings, ## The Setup Greetings, ## The Setup I have a RENESAS board that has an integrated crypto processor and uses MbedTLS 2.25.0. I have a SE (secure element) connected to it. I am allowing hardware acceleration and PSA crypto API inside mbedtls_config.h I registered my SE driver before calling psa_crypto_init(). The board connects to a web server and performs TLS handshake with the forced cipher `MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`. ## The issue The handshake fails during the step 8 when generating EC private key for ECDHE exchange. I have tracked the issue through debug and it unfolded as follows inside `ssl_write_client_key_exchange()`: - We enter the PSA crypto code from the pre-processor directives. - We set the key attributes after initializing them to 0. (here usage_flags, algorithm, type and bits field are set but lifetime is still 0 from init at this point, this will count later on) - The next function `psa_generate_key()` fails. ## In depth When inside the `psa_generate_key()` function, we start the key creation inside `psa_start_key_creation()`. But here, when validating the attributes of the key in `psa_validate_key_attributes()`, we are not able to rely on the SE to store the key due to it being volatile (lifetime is still 0), the driver is never called. From there the program keeps going until trying to generate the key with the crypto processor from the board which does not support this type of key and returns unsupported error. ## Main question Since the lifetime is forced to be representing a volatile key and since the driver for the SE is not called except for persistent ones, i cannot do this cryptographic step using the SE. Is the generation of the volatile key at this step meant to be handled by the MbedTLS library (software or hardware alt) and not by the PSA Crypto API (SE) due to the key being volatile ? If not, how is the Se supposed to be called in the handshake and what am i missing ? ## Discussion I can pass the handshake when disabling hardware acceleration and using the software for cryptographic steps, but in this case i am not using the SE for them. Should the SE only be used to store the client certificate for mTLS case ? ## Note I must use the MbedTLS version 2.25.0 since the SE driver I am using relies on this version.

1 year, 1 month

2
5
2 0

Release all memory held by mbedtls_ssl_context

by Satya Prakash Prasad

Hi, We are writing a client code which can accept or decline connection to the server - so for each connection I understand there is a mbedtls_ssl_context data established. Once the same is closed or not required we need to do deinitialize or free memory allocated to its member variables like - we need to free all memory allocated since we need it back else our application will run out of memory like: os_free(mbed_ctx->handshake); os_free(mbed_ctx->transform_negotiate); os_free(mbed_ctx->session_negotiate); os_free(mbed_ctx->in_buf); os_free(mbed_ctx->out_buf); But there are many member variables which also need to free memory if allocated and assigned to it. Is there a function / method that can free all memory for mbedtls_ssl_context instance variable? Thanks in advance. Regards, Prakash

1 year, 1 month

3
3
0 0

Reminder: MBed TLS Tech Forum - Asia/Europe

by Don Harbin

Hi All, A gentle reminder that the Asia-Europe timezone-friendly MBed TLS Tech forum is next Monday at 10:00am PM UK time. Invite details can be found on the online calendar here <https://www.trustedfirmware.org/meetings/>. If you have any topics, please let Dave Rodgman know. :) Best regards, Don Harbin TrustedFirmware Community Manager don.harbin(a)linaro.org

1 year, 1 month

1
3
0 0

Building mbedtls-2.19.1

by Satya Prakash Prasad

Hi, Please note that I needed to compile and work with MBed TLS version 2.19.1 https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.19.1 However I am unable to compile the code / examples in it - i get below error: *$ cmake .CMake Deprecation Warning at CMakeLists.txt:1 (cmake_minimum_required): Compatibility with CMake < 2.8.12 will be removed from a future version of CMake. Update the VERSION argument <min> value or use a ...<max> suffix to tell CMake that the project does not need compatibility with older versions.-- Selecting Windows SDK version 10.0.19041.0 to target Windows 10.0.22631.CMake Error at CMakeLists.txt:192 (add_subdirectory): add_subdirectory given source "crypto/3rdparty" which is not an existing directory.CMake Error at CMakeLists.txt:199 (add_subdirectory): add_subdirectory given source "crypto/library" which is not an existing directory.CMake Error at CMakeLists.txt:200 (add_subdirectory): add_subdirectory given source "crypto/include" which is not an existing directory.CMake Warning (dev) at programs/ssl/CMakeLists.txt:37 (target_sources): Policy CMP0076 is not set: target_sources() command converts relative paths to absolute. Run "cmake --help-policy CMP0076" for policy details. Use the cmake_policy command to set the policy and suppress this warning. An interface source of target "ssl_client2" has a relative path.This warning is for project developers. Use -Wno-dev to suppress it.CMake Warning (dev) at programs/ssl/CMakeLists.txt:44 (target_sources): Policy CMP0076 is not set: target_sources() command converts relative paths to absolute. Run "cmake --help-policy CMP0076" for policy details. Use the cmake_policy command to set the policy and suppress this warning. An interface source of target "ssl_server2" has a relative path.This warning is for project developers. Use -Wno-dev to suppress it.CMake Warning (dev) at programs/test/CMakeLists.txt:31 (target_sources): Policy CMP0076 is not set: target_sources() command converts relative paths to absolute. Run "cmake --help-policy CMP0076" for policy details. Use the cmake_policy command to set the policy and suppress this warning. An interface source of target "query_compile_time_config" has a relative path.This warning is for project developers. Use -Wno-dev to suppress it.* I tried removing the errors from the CmakeFile.txt but now get below error: *$ cmake --build .Microsoft (R) Build Engine version 16.11.2+f32259642 for .NET FrameworkCopyright (C) Microsoft Corporation. All rights reserved.MSBUILD : error MSB1009: Project file does not exist.Switch: ALL_BUILD.vcxproj* Also make all Makefile:84: ../crypto/3rdparty/Makefile.inc: No such file or directory make[1]: *** No rule to make target '../crypto/3rdparty/Makefile.inc'. Stop. Makefile:19: recipe for target 'lib' failed make: *** [lib] Error 2 Please let me know how to resolve them and compile MBedTLS version 2.19.1 code? Thanks in advance. Regards, Prakash

1 year, 1 month

1
0
0 0

EAP TLS

by Satya Prakash Prasad

Hi, I am working on an issue related to memory leak in MBedTLS. We have integrated MBedTLS code for below 3rd party HostAPD code integration . https://github.com/prplfoundation/hostap [Hostapd] Please refer to the Hostapd peer code implementation as provided in the link below: https://github.com/prplfoundation/hostap/blob/master/eap_example/eap_exampl… https://github.com/prplfoundation/hostap/blob/master/eap_example/eap_exampl… The main function code snippet is provided below: https://github.com/prplfoundation/hostap/blob/master/eap_example/eap_exampl… if (eap_example_peer_init() < 0 || eap_example_server_init() < 0) return -1; do { printf("---[ server ]--------------------------------\n"); res_s = eap_example_server_step(); printf("---[ peer ]----------------------------------\n"); res_p = eap_example_peer_step(); } while (res_s || res_p); Since we are implementing code for peers hence we have removed the server step. Now we need to keep monitoring for new connections / failed connections and act accordingly we have modified the code to something like below - if (eap_example_peer_init() < 0 || eap_example_server_init() < 0) return -1; do { res_p = eap_example_peer_step(); if (eap_ctx.eapNoResp || eap_ctx.eapFail) { eap_client_peer_deinit(); eap_client_peer_init(); } } while (1); We have modified the loop such that it will keep iterating for new connections and in case of failure, re-initialization is required. Is my understanding correct? The issue I am facing is that the client peer deinit method is not releasing all memory allocated during eap_example_peer_step() function ( I understand while processing the EAP TLS server request). The deinit is purely implemented to deallocate memory initially allocated for a new connection using TLS? void eap_client_peer_deinit(void) { eap_peer_sm_deinit(eap_ctx.eap); eap_peer_unregister_methods(); wpabuf_free(eap_ctx.eapReqData); os_free(eap_ctx.eap_config.identity); os_free(eap_ctx.eap_config.password); os_free(eap_ctx.eap_config.cert.ca_cert); os_free(eap_ctx.eap_config.cert.client_cert); os_free(eap_ctx.eap_config.cert.private_key); } where void eap_peer_sm_deinit(struct eap_sm *sm) { if (sm == NULL) return; eap_deinit_prev_method(sm, "deinit"); eap_sm_abort(sm); if (sm->ssl_ctx2) tls_deinit(sm->ssl_ctx2); tls_deinit(sm->ssl_ctx); eap_peer_erp_free_keys(sm); os_free(sm); } Can you please let me know whether we are deallocating memory correctly? Thanks in advance. Regards, Prakash

1 year, 1 month

1
0
0 0

Handshake is successful if the intermediate CA is revoked.

by singaravelu Balasubramani

I am checking the certificate revocation with below scenario. I have Root CA, Intermediate CA and device certificate is signed by Intermediate CA. I am makeing chain certificate by combining Root CA, Intermediate CA and this chain certificate is my active CA certificate and loaded this and device certificate to the drive. From client, I am creating client certificate which is signed by same intermeidate CA. Making ssl handshake. Handshake is success as expected. Now i am revoking the intermediate CA and creating the crl which is signed by the Root CA. This crl has the serial number of intermediate CA. Now loading the CRL to the drive and setting the crl in "mbedtls_ssl_conf_ca_chain". Now i am establishing the ssl connection with the same client ceritificate and expecting the ssl handshake failure due to intermediate CA revoked. But i get handshake is success. Is my understanding right about intermediate CA revocation? I did little background debug, and my obervation is During handshake , it goes to static int x509_crt_verify_chain function in mbedtls. Its trying to find the parent using x509_crt_find_parent for the client certificate and get intermediate CA. During this time, parent_is_trusted is set as true. after this x509_crt_verifycrl is called with client certificate (child), intermediate CA (parent) and crl(has the intermediate CA serial number-issued by Root CA). During x509_crt_verifycrl check, it check for CRL issuer with ca subject and return 0, as its not matching. now in x509_crt_verify_chain , /* prepare for next iteration */ ., they are marking child_is_trusted = parent_is_trusted and child = parent, parent = NULL; and while loop continues, in loop, x509_crt_verify_chain checks for child_is_trusted is true and return as 0. But its not checking that intermediate CA is revoked or not. /* Stop here for trusted roots (but not for trusted EE certs) */ if( child_is_trusted ) return( 0 );

1 year, 1 month

2
2
0 0

Question about mbedtls_x509_parse_subject_alt_name

by Roman Janota

Hello, I would like to parse certificate's SAN fields in my application. In the documentation of the struct mbdetls_x509_crt for its member subject_alt_names the following is stated: "Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name.". I was using the latest development branch and tried to call the function, however, I found out I can not, because it is defined in the x509_internal.h private header. I later found out that the definition was moved from the public to the private header in the commit 25b282e <https://github.com/Mbed-TLS/mbedtls/commit/25b282ebfe5cb84e73d6194e83dc8d6c…> (partly thanks to the issue #459 <https://github.com/Mbed-TLS/mbedtls/issues/459>). So I switched to the 3.5.2 release and everything worked fine. Why was this change made? Will it be kept so that I'd have to implement my own parsing? Or was it a mistake? Thank you for clarifying, Roman.

1 year, 1 month

1
0
0 0

SHA-256 mismatch for mbedtls-3.5.2.tar.gz

by Wojtek Porczyk

Hello, list, Release notes for Mbed TLS 3.5.2 [0] have this: The SHA256 hashes for the archives are: 35890edf1a2c7a7e29eac3118d43302c3e1173e0df0ebaf5db56126dabe5bb05 mbedtls-3.5.2.tar.gz 55c1525e7d5de18b84a1d1e5540950b4a3bac70e02889cf309919b2877cba63b mbedtls-3.5.2.zip However, attempting to download mbedtls-3.5.2.tar.gz yields a file with hash: eedecc468b3f8d052ef05a9d42bf63f04c8a1c50d1c5a94c251c681365a2c723 What's going on with those hashes? [0]: https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.5.2 https://web.archive.org/web/20240126105153/https://github.com/Mbed-TLS/mbed… -- pozdrawiam / best regards Wojtek Porczyk Gramine / Invisible Things Lab I do not fear computers, I fear lack of them. -- Isaac Asimov

1 year, 2 months

3
7
0 0

Question about fix of "Timing side channel in private key RSA operations"

by Yuxiang Cao

Hi folks, This is a question about understanding changes in recent new release. I want to understand how new release e.g. 2.28.7 fix the vulnerable described in https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-secur…. Want to check that if following commits in new release, for example 2.28.7, are the actual commits for fixing the vulnerable above: 42175031ca48e2fba62b97fc802e5df33d5221ff 4fe396f1e1aa84346e23b89435a251624c205035 aa6760d7b5d9a218eaf072f4155974f58b00986b 601bffc4cec7c78cfc6b64048379172578fce13c In short, they are first 4 commits in I found https://github.com/Mbed-TLS/mbedtls/compare/v2.28.6...v2.28.7 Thank you for any help you can provide! Best, Yuxiang

1 year, 2 months

2
2
0 0

Public And Private Keys

by Satya Prakash Prasad

Hi, I need some clarification on Public and Private keys that a server maintains its own side. All documents say that the client will use the server's public key to encrypt the data while the server will make use of its private keys to decrypt. Is it not that the data can be decrypted using the public key itself? How and what is encryption logic implemented in such a case? Please do provide some logical explanation for the same - how does this encryption / decryption work? Regards, Prakash

1 year, 2 months

1
0
0 0

2025

2024

2023

2022

2021

2020

mbed-tls