- mbed-tls - lists.trustedfirmware.org

by Ahmed Mohammed

Hello, What is the difference between these two macros in include/mbedtls/build_info.h: MBEDTLS_CONFIG_FILE MBEDTLS_USER_CONFIG_FILE In other words, why would I have two different user configuration files? Or I misunderstand the difference between such files. Kind regards, Ahmed Mohammed

3 years

2
1
0 0

Slowness in verification of a ecdsa secp256r1 signature using S32K Microcontroller (clock speed 112MHz) - bare metal implementation

by ammar.ahmed.mughal＠gmail.com

I am verifying a signature generated using ecdsa secp256r1. The signature is getting verified but the time taken by the verification step is too long. It takes 4-5 seconds to verify the signature. The implementation is bare metal i.e. no RTOS (one realizes the use of RTOS but still the time is too long). Can you please guide a way around for this issue. How to make it work faster , the ideal verification time would be 30ms - 60ms. Here is a gist of my code mbedtls_ecp_curve_info *curve_info = NULL; mbedtls_ecdsa_context ecdsa_context; /// Initialization mbedtls_ecdsa_init(&ecdsa_context); curve_info = mbedtls_ecp_curve_info_from_tls_id(23); /// 23 is tls_id of secp256r1 mbedtls_ecp_group_load(&ecdsa_context.grp, curve_info->grp_id); /// Processing result = mbedtls_ecp_point_read_binary( &ecdsa_context.grp, &ecdsa_context.Q, public_key_data, // public key data in uncompressed format i.e. including leading 0x04 sizeof(public_key_data) ); /// 32 /// 71 status_verify_signature = mbedtls_ecdsa_read_signature(&ecdsa_context, hash, sizeof(hash), signature, sizeof(sig)); /// converts the signature data to ASN1, verifies the signature Thank you :)

3 years

2
1
0 0

Mutual authentication support in Embed tls

by Anupma Jain

Hello, Can please provide me with any example on "how to achieve Mutual authentication(Client and server certificate validation)" in mbed-tls. Please help me with this.It is a little urgent. Thank you Regards Anupma Jain

3 years

1
0
0 0

Website update

by Dave Rodgman

Hi all, Apologies for the website outage. We have now restored the majority of the old content, which is reachable via our Trusted Firmware website (the old website address will redirect here). The new location for our documentation, including the knowledge base and security advisories, is: https://mbed-tls.readthedocs.io/en/latest/ Please let us know (on the mailing list, via the Tech Forum, or raise a GitHub issue or PR) if you find any issues or missing documentation. The source repository for the docs is here: https://github.com/Mbed-TLS/mbedtls-docs Community contributions to the docs are welcome! Regards Dave Rodgman

3 years

2
1
0 0

OID Issue

by Subramanian Gopi Krishnan

Hi, We have developed a propriety protocol that authenticate node using certificate. In our PKI, we have four level of certificates as ROOT_CA, PROXY_CA, LOCAL_CA, and DEVICE_CERTIFICATE. Parsing of trusted CA certificate is getting success. However, verifying PROXY_CA against ROOT_CA fails with below error code. MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND I have viewed the certificates transacted using OpenSSL command, the ASN1 OID is ECDSA_SHA384. Though, I have enabled the algorithm, it is failing. Any support would be appreciated. Attached the config.h for your reference. Thanks, Gopi Krishnan

3 years

1
0
0 0

Adding option to disable the zeroisation of internal buffers

by joel.petersson＠dirac.com

After recently updating mbedtls I noticed a considerable slowdown (over 70% on my cortex-m7 board) in the sha256 implementation, and after some digging I found the offending commit: https://github.com/Mbed-TLS/mbedtls/commit/76749aea784cfec245390d0d6f0ab0a2… I understand the motivation behind the commit, but I think it may not be relevant to all use cases. So my question is if an option to disable the clearing of internal buffers in mbedtls_config.h would be a reasonable improvement? Or would that be considered to much of a foot gun? Regards, Joel Petersson

3 years

4
7
0 0

support of Certificate exchange between client and server in Mbedtls

by Anupma Jain

Hi, In Embed tls version 2.28, is there any support to validate client certificate fields like for example: validity of certificate, CA validation or role extraction ? If support is present then, how can we enable that ? Please help me with this.Thanks in advance. Regards Anupma

3 years, 1 month

1
0
0 0

Reminder: MBed TLS Technical Forum - US/Europe

by Don Harbin

Hi All, A gentle reminder that the US-Europe timezone-friendly MBed TLS Tech forum is next Monday at 4:30 PM UK time. Invite details can be found on the online calendar here <https://www.trustedfirmware.org/meetings/>. If you have any topics, please let Dave Rodgman know. :) Best regards, Don Harbin TrustedFirmware Community Manager don.harbin(a)linaro.org

3 years, 1 month

1
0
0 0

totally beginner question...

by boddeke＠mac.com

hello, we are testing a secure communication and got example code that uses the mbed-tls library. i am using the online keil studio with mbed.org: created a new project (compiles fine) and added in the mbed-tls library but this already gives compile errors. see below. i am using the latest greatest versions (mbed-os 6.16.0 and mbedtls-3.2.1) and tried some older versions. all seem to give the same problems. see below. i have tried commenting out MBEDTLS_HAVE_TIME in mbedtls_config.h but that does not seem to make any difference tried different target boards, also no difference any help is greatly appreciated! thanks frank Build started Using toolchain ARMC6 profile {'ENV': {'ARMLMD_LICENSE_FILE': '8224@10.10.101.194:8224@10.10.109.222'}, 'PATHS': {'ARMC6_PATH': '/opt/ARMCompiler6.15.13/bin/', 'ARM_PATH': '/opt/armcc5_06_u6/'}, 'common': ['-c', '--gnu', '-O3', '-Otime', '--split_sections', '--apcs=interwork'], 'cxx': ['--cpp', '--no_rtti'], 'COMPILE_C_AS_CPP': False, 'NEW_SCAN_RESOURCES': True} scan /tmp/chroots/ch-59110c86-ee99-44c4-9ef0-79f3efde74a7/src scan /tmp/chroots/ch-59110c86-ee99-44c4-9ef0-79f3efde74a7/extras/mbed-os.lib compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Config/RTX_Config.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/TOOLCHAIN_ARM/TARGET_RTOS_M4_M7/irq_cm4f.S compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_evflags.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_lib.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_mempool.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Library/cmsis_os1.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_evr.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_memory.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_delay.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_msgqueue.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_kernel.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_mutex.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_semaphore.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_system.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/Source/os_systick.c compile mbed-os/cmsis/CMSIS_5/CMSIS/TARGET_CORTEX_M/Source/mbed_tz_context.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_timer.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/Source/os_tick_ptim.c compile mbed-os/cmsis/CMSIS_5/CMSIS/RTOS2/RTX/Source/rtx_thread.c "time.h included in a configuration without MBEDTLS_HAVE_TIME" unknown type name 'time_t'; did you mean 'size_t'? unknown type name 'time_t'; did you mean 'size_t'? unknown type name 'time_t'; did you mean 'size_t'? compile mbed-os/cmsis/device/rtos/source/mbed_rtos_rtx.c In file included from /extras/mbed-os.lib/cmsis/device/rtos/source/mbed_rtos_rtx.c:23: In file included from /extras/mbed-os.lib/platform/include/platform/mbed_error.h:21: In file included from /extras/mbed-os.lib/platform/include/platform/mbed_retarget.h:107: /src/mbedtls/tests/include/baremetal-override/time.h:18:2: error: "time.h included in a configuration without MBEDTLS_HAVE_TIME" #error "time.h included in a configuration without MBEDTLS_HAVE_TIME" ^ In file included from /extras/mbed-os.lib/cmsis/device/rtos/source/mbed_rtos_rtx.c:23: In file included from /extras/mbed-os.lib/platform/include/platform/mbed_error.h:21: /extras/mbed-os.lib/platform/include/platform/mbed_retarget.h:669:5: error: unknown type name 'time_t'; did you mean 'size_t'? time_t st_atime; ///< Time of last access ^~~~~~ size_t /opt/ARMCompiler6.15.13/bin/../include/stdio.h:53:26: note: 'size_t' declared here typedef unsigned int size_t; /* see <stddef.h> */ ^ In file included from /extras/mbed-os.lib/cmsis/device/rtos/source/mbed_rtos_rtx.c:23: In file included from /extras/mbed-os.lib/platform/include/platform/mbed_error.h:21: /extras/mbed-os.lib/platform/include/platform/mbed_retarget.h:670:5: error: unknown type name 'time_t'; did you mean 'size_t'? time_t st_mtime; ///< Time of last data modification ^~~~~~ size_t /opt/ARMCompiler6.15.13/bin/../include/stdio.h:53:26: note: 'size_t' declared here typedef unsigned int size_t; /* see <stddef.h> */ ^ In file included from /extras/mbed-os.lib/cmsis/device/rtos/source/mbed_rtos_rtx.c:23: In file included from /extras/mbed-os.lib/platform/include/platform/mbed_error.h:21: /extras/mbed-os.lib/platform/include/platform/mbed_retarget.h:671:5: error: unknown type name 'time_t'; did you mean 'size_t'? time_t st_ctime; ///< Time of last status change ^~~~~~ size_t /opt/ARMCompiler6.15.13/bin/../include/stdio.h:53:26: note: 'size_t' declared here typedef unsigned int size_t; /* see <stddef.h> */ ^ 4 errors generated. Internal error. Build failed Build failed

3 years, 1 month

1
0
0 0

misc. questions

by Frank Bergmann

Hi all, I have some questions. 1) If you have an established TLS connection (mbed TLS 3.x) and while the connection is up the (server-) certificate expires: Will the connection stay up? Or is a new handshake (with valid cert) REQUIRED? 2) Related to question 1: CAN mbed TLS switch to a new cert on an existing TLS connection? (e.g. by doing another handshake from server OR client side) 3) With 3.x some struct members are now "private". Even if you can allow private access by a define it would be better to use a getter. But for ssl context's "state" I am missing this and also for "p_bio" (to access fd). Is there a chance to get this implemented? BTW - a big "LIKE" for 3.x! I really appreciate the changes. Thank you! kind regards, Frank

3 years, 1 month

5
6
0 0

2025

2024

2023

2022

2021

2020

mbed-tls