I am currently doing an ECDH exchange over MQTT (i.e. at the message layer; MQTT is fundamentally `untrusted') - with a bit of out of band work to confirm end to end integrity.
That worked nicely (and interoperable with java-bouncy-castle and openssl, etc with:
mbedtls_ecp_group_load( &ctx_cli.grp, MBEDTLS_ECP_DP_CURVE25519 )
mbedtls_ecdh_gen_public( &ctx_cli.grp, &ctx_cli.d, &ctx_cli.Q, mbedtls_ctr_drbg_random, &ctr_drbg)
mbedtls_mpi_write_binary( &ctx_cli.Q.X, node_publicsession, 32 )
to create the keys and with
mbedtls_mpi_lset( &ctx_cli.private_Qp.Z, 1 ))
mbedtls_mpi_read_binary( &ctx_cli.private_Qp.X, pubencr_tmp, CURVE259919_KEYLEN))
mbedtls_ecdh_compute_shared( &ctx_cli.grp, &ctx_cli.private_z, &ctx_cli.private_Qp, &ctx_cli.private_d, mbedtls_ctr_drbg_random, &ctr_drbg )
mbedtls_mpi_write_binary( &ctx_cli.private_z, sessionkey, CURVE259919_KEYLEN)
to calculate the emphemeral session key.
With the mbedtls_ecdh_context going increasingly private; I assume I can change the latter with:
mbedtls_ecdh_calc_secret(&ctx_cli, &len_sessionkey, sessionkey, sizeof(sessionkey), mbedtls_ctr_drbg_random, &ctr_drbg)
but am struggling to see how I an replace the key generation itself. Is there a similar option that does not look `into' ctx_cli ??
With kind regards,
Dw.
PS: actual code at https://github.com/MakerSpaceLeiden/AccesSystem/blob/master/lib-arduino/ACN…
FYI
From: Saheer Babu via Tf-openci <tf-openci(a)lists.trustedfirmware.org>
Date: Wednesday, 10 September 2025 at 15:17
To: tf-openci(a)lists.trustedfirmware.org <tf-openci(a)lists.trustedfirmware.org>
Subject: [Tf-openci] CI infrastructure scheduled maintenance: 12th Sep 2025
Hi all,
We will be performing upgrade of the clusters hosting review.trustedfirmware.org and ci.trustedfirmware.org on Friday, 12th Sep 2025 at 16:00 GMT+1.
During this maintenance window, both services will be unavailable for approximately 4 hours.
A follow-up email will be sent once the services are fully restored.
Best regards,
Saheer
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
--
Tf-openci mailing list -- tf-openci(a)lists.trustedfirmware.org
To unsubscribe send an email to tf-openci-leave(a)lists.trustedfirmware.org
Hi Team,
I am working on exploring DTLS handshake using the mbedtls-3.6.4 version on
our embedded platform. I enabled the hello verify request feature and got
stuck at hello verify request state on server side if I don't reset the ssl
context and don't set the client transport ID. I want to know if there is
any way to complete a handshake by bypassing the reset of ssl context and
setting the client transport ID.
Also, our environment only supports C89 constructs. I could not see
inttypes.h in the mbedtls-3.6.4, is there any specific reason to remove
this file? I am getting compilation errors without inttypes.h and stdint.h.
Is there any macro to be enabled to support the c89 compilation in mbedtls
stack?
Looking forward to your response.
Thanks and regards,
Ankita Hatmode
--
-------------------------------------------------------------------------------------------------------------------------
**Disclaimer:** This email message including any attachments is
confidential, and may be privileged and proprietary to Agiliad. If you are
not the intended recipient, please notify us immediately by replying to
this message and destroy all copies of this message including any
attachments. You are NOT authorized to read, print, retain, copy,
disseminate, distribute, or use this message or any part thereof. Thank
you.
------------------------------------------------------------------------------------------------------------------------
Dear MbedTLS maintainers,
we are already using MBedTLS, however, we recently enabled TLS 1.3 and
found that our certificates doesn't work anymore, because they are
brainpoolP256r1 (https://datatracker.ietf.org/doc/html/rfc8734). So the
question would be, if I missed any configuration to enable the usage of
brainpool curves (which are working for TLS 1.2) or if there are any
plans, that these are getting supported by MBedTLS 3.6.x?
Best regards,
Maren Konrad
