- mbed-tls - lists.trustedfirmware.org

RSA signature with Montgomery

by Prasad Hegde

Hi, Is there any API's available to convert the RSA signature to the Montgomery format. Thanks Prasad

2 years

1
0
0 0

Code style discussions

by David Horstmann

Hi All, Mbed TLS is planning to move to a new code style by the end of this year. The proposed new style is currently being discussed in the GitHub pull request: https://github.com/Mbed-TLS/mbedtls/pull/6591 If you have any feedback on this new style, or you think we should tweak it, feel free to comment on the pull request. We will take your thoughts into account when we decide on the final style. Discussions will continue until the evening of THIS FRIDAY (UK time). Many thanks, David Horstmann for the Mbed TLS Team

2 years

1
0
0 0

Reminder: MBed TLS Technical Forum - US/Europe

by Don Harbin

Hi All, A gentle reminder that the US-Europe timezone-friendly MBed TLS Tech forum is next Monday at 4:30 PM UK time. Invite details can be found on the online calendar here <https://www.trustedfirmware.org/meetings/>. If you have any topics, please let Dave Rodgman know. :) Best regards, Don Harbin TrustedFirmware Community Manager don.harbin(a)linaro.org

2 years

1
0
0 0

Certificate Verify in Client Authentication does not work as expected

by Simon Nachtigall

Hello everyone, We observed a strange behavior in the mbedTLS client, when client authentication is requested by the TLS server. This behavior was observed in the newer version 3.0.0 as well as in older versions. The scenario is the following: The server selects a ciphersuite e.g. ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and sends a CertificateRequest message that only includes the ecdsa_secp256r1_sha256 signature algorithm. However, the mbedTLS client simply ignores the requested hash function and uses ecdsa_secp256r1_sha384 for the signature in the ClientVerify. Then, the server complains since the signature does not match with the requested signature algorithm and sends a handshake failure. It seems that mbedTLS does not store the requested signature algorithms/hash function from the CertificateRequest and always uses the hash function from the selected ciphersuite. In the ssl_write_certificate_verify function, we find the following comment: /* * digitally-signed struct { * opaque handshake_messages[handshake_messages_length]; * }; * * Taking shortcut here. We assume that the server always allows the * PRF Hash function and has sent it in the allowed signature * algorithms list received in the Certificate Request message. * * Until we encounter a server that does not, we will take this * shortcut. * * Reason: Otherwise we should have running hashes for SHA512 and * SHA224 in order to satisfy 'weird' needs from the server * side. */ Is this a known problem and is there any fix available? Cheers, Simon Nachtigall

2 years

2
1
0 0

Reminder: MBed TLS Technical Forum - Asia

by Don Harbin

Hi All, A gentle reminder that the Asia-Europe timezone-friendly MBed TLS Tech forum is next *Monday, Nov 7 at 10:00am UK time*. Invite details can be found on the online calendar here <https://www.trustedfirmware.org/meetings/>. If you have any topics, please let Dave Rodgman, cc'd, know. :) Best regards, Don Harbin TrustedFirmware Community Manager don.harbin(a)linaro.org

2 years

1
0
0 0

Simple question about support of TLS1.2 and TLS1.3 on server side

by caoyxsh＠outlook.com

Is there a plan for adding support of TLS 1.2 and TLS 1.3 at same time on server side? According to : https://github.com/Mbed-TLS/mbedtls/blob/development/docs/architecture/tls1… only one version can be configured at runtime via `mbedtls_ssl_conf_{min,max}_tls_version` for a server endpoint.

2 years

1
0
0 0

Get size of available application data without calling mbedtls_ssl_read()

by Bruckner, Jan

Hi all, I'd like to know if there is some way to retrieve the currently available number of bytes of application data without calling mbedtls_ssl_read()? I'm writing a "TLS socket" for higher layers to use and would like to notify them when new application data is available, tell them how much it is, but leave it up to them when and how much to retrieve. I'd like to prevent having to buffer all application data inside my TLS socket, because that would mean copying it once from mbedtls' buffer to my socket and then again from there to the application whenever it actually requests the data. After a quick look into the sources, it seems like, if at all, this might be possible for single records. But all related fields are private and I could not find any API for this. Issue #551 [1] seems related, but is more about peeking into the application data, while I would be fine with knowing just the size of available application data. Thanks for any hints on how I could achieve this. Best regards, Jan [1] https://github.com/Mbed-TLS/mbedtls/issues/551 ________________________________ This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.

2 years

1
1
0 0

Feedback requested: Mbed TLS builds with PSA and legacy implementations of the same algorithm with different characteristics

by Gilles Peskine

Hello, Summary: I am soliciting feedback about builds of Mbed TLS where *there is both a PSA implementation and the built-in software implementation of the same algorithm, by design, *and the PSA implementation isn't just calling the built-in implementation because the two have different characteristics, each desirable in some context. Please read this message if you are doing this or considering it. Feel free to ignore otherwise. For example, both MBEDTLS_SHA256_C and MBEDTLS_PSA_ACCEL_ALG_SHA_256 are enabled, so that calls to mbedtls_md_xxx() use the software implementation and calls to psa_hash_xxx() use the hardware accelerator via the PSA driver. And this is deliberate: there is a reason why mbedtls_md_xxx() must not call the PSA driver. In most cases, this is not desirable: if there's an accelerator, why not use it? And we're working to allow getting rid of the software implementation in more and more cases. Ultimately, PSA will be the only crypto interface in Mbed TLS, so all interfaces to calculate SHA-256 will go through psa_hash_xxx() and therefore will dispatch the call to the driver if there is one. This will be an API break, since it will require calling psa_crypto_init() before performing any cryptography. Currently we are planning to introduce this requirement in Mbed TLS 4.0. But it is currently possible to have dual algorithm support, and I can think of unusual cases where it might desirable. Scenario 1, with accelerator drivers: there is a driver, but it can only be used after some initialization. The application needs to use the algorithm before calling psa_crypto_init(), so it calls the legacy interface. After psa_crypto_init() has been called, the application would like to use the driver as much as possible. A typical use case is a bootloader which wants to verify a signature before initializing the random generator, so it calls mbedtls_md_xxx() and mbedtls_rsa_xxx(). Scenario 1 is clearly desirable, and for that we have a planned solution, which is staged initialization. The bootloader will be able to (1) initialize drivers, (2) perform a hash calculation, (3) initialize the keystore, (4) verify a signature, all without initializing the RNG. We won't make psa_crypto_init() mandatory until this feature is implemented. Scenario 2: with a cryptography service. This is a build of Mbed TLS with MBEDTLS_PSA_CRYPTO_CLIENT, so all psa_xxx() calls call the service. But, for some reason, there is also a local implementation of some cryptography algorithms. So you can call mbedtls_md() to calculate a hash even before the connection to the service has been established. Or maybe you want to call mbedtls_md() for short messages and psa_hash_compute() for long messages, because the crypto service has a faster implementation but the communication overhead offsets the gain for short messages. We are currently working on improving support for PSA drivers, and in particular, saving code size by eliminating more unnecessary code when a driver is present, and increasing the set of APIs that benefit from drivers. The obvious way to do that is to make all cryptography calls (especially from X.509 and TLS) go via the PSA interface, but we can't do that yet due to the need to have initialized the keystore and RNG. We are considering routing /certain/ crypto calls via PSA, in a way that would break scenario 2, and would also break scenario 1 in some cases, but not for hashes or signature verification. If, for example, in Mbed TLS 3.4, mbedtls_md() starts calling psa_hash_(), would this break your code? Are you in scenario 1, scenario 2, or some other variant I haven't thought of? If so, *please reply to this message and let us know what your needs are*. Feel free to reply to me in private if you don't want to discuss this publicly (I won't share directly outside Arm, but the eventual design might leak information about the unusual scenario). If we don't hear objections, there is a chance that a future Mbed TLS 3.x will break scenarios 1 and 2. If we do hear objections, we'll work to keep the current behavior or arrange a migration path. Best regards, -- Gilles Peskine Mbed TLS developer

2 years

1
1
0 0

problem PSA_CRYPTO (Mbedtls 2.28.0)

by xlin＠murata.com

I have port mbedtls 2.28.0 into my platform and am able to connect to a few websites in PKI mode. But after enabling MBEDTLS_USE_PSA_CRYPTO & MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG, with everything else stay the same, I can't connect to the same websites anymore. in the working case (no MBEDTLS_USE_PSA_CRYPTO), after the client (my app) sends "Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message", the server responds with "Change Cipher Spec, Encrypted Handshake Message". In the broken case (with MBEDTLS_USE_PSA_CRYPTO), after the client (my app) sends "Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message", the server doesn't respond with "Change Cipher Spec, Encrypted Handshake Message". I don't know how to debug the issue, any suggestion what my cause the server to drop off at the last step?

2 years

1
0
0 0

How much bigger is MbedTLS 2.28.1 relative to 2.16.2? (STM 32F417 GCC)

by Peter

I may need TLS 1.3 support which I believe arrived in 2.28, or maybe a bit later. I don't want to change to TLS 3 just yet. It looks like many changes. My target is "OK" on FLASH (150k of the 350k total code size) but is tight on RAM (after allocating 50k for the MbedTLS heap, we have just 20k RAM left). Ideally I would like the very last version of v2. The problem just found is that Cloudflare is asking for TLS 1.3 which MbedTLS 2.16 does not support. But it may be that Cloudflare can fall back and the problem is elsewhere. Many thanks for any input.

2 years, 1 month

2
1
0 0

2024

2023

2022

2021

2020

mbed-tls