I saw the following comment when configuring Record Size Limit Extension (RFC 8449) in `mbedtls_config.h` [1]:
> This extension is currently in development and must NOT be used except for testing purposes.
Is this still accurate? What functionality is missing for full RFC 8449 support? Is this feature planned for a specific date?
[1] https://github.com/Mbed-TLS/mbedtls/blob/611f899c0c9d397baedfaec34ea0861ad2…
Hi,
We are integrating https://github.com/prplfoundation/hostap code into
our project that makes uses of crypto and SSL functionality. Their
code is so written that they have interfaces defined where crypto and
SSL 3rd party algorithms can be called and implemented.
We are stuck implementing those APIs interfaces using MBedTLS and in
need of help for its implementation. Referring to the below set of
interfaces as defined in
https://github.com/prplfoundation/hostap/blob/master/src/crypto/tls_none.c
we need to implement required code for MBedTLS.
I am in need help implementing below API:
struct tls_connection * tls_connection_init(void *tls_ctx) where
tls_connection is below defined type [user defined type - hope is
correct implementation]:
struct tls_connection {
mbedtls_ssl_context *ssl;
keyman_creds *cr;
};
We have made the below implementation
struct tls_connection * tls_connection_init(void *ssl_ctx)
{
mbedtls_ssl_context *mssl_ctx = ssl_ctx;
struct tls_connection *conn;
conn = os_zalloc(sizeof(*conn));
if (conn == NULL) {
return NULL;
}
conn->ssl = mssl_ctx ;
conn->cr = NULL;
mbedtls_ssl_set_bio(ssl_ctx, NULL, net_send, net_recv, NULL);
return conn;
}
If my above implementation is correct please let me know how to
implement our own net_send and net_recv function. There are many
buffer declaration in mbedtls_ssl_context I am not sue what algorithm
to use to read complete / remaining bytes using internal data
structure :
int net_recv(void *ctx, unsigned char *buf, size_t len)
{
/* how to implement */
}
int net_send(void *ctx, const unsigned char *buf, size_t len)
{
/* how to implement */
}
Thanks in advance.
Regards,
Prakash
Hi,
Please also let me know the features of PSA in MbedTLS. I found this
related document -
https://mbed-tls.readthedocs.io/en/latest/getting_started/psa/.
Is PSA related to Platform Security Architecture or is related to TLS security?
How will the inclusion and non-inclusion of PSA will differ in terms
of security?
Thanks in advance.
Regards,
Prakash
Hello,
Bignum is a very useful feature in Mbedtls, which is a part to
libmbedcrypto.a. I want to build this module only as a standalone static
library. However, I find it's difficult to modify CMakelists.txt to do
this.
I appreciate your suggestions.
Blade
Hi,
I am trying to compile MbedTLS 3.5.2 release without PSA but get below
error message:
mbedtls/check_config.h:62:2: #error "MBEDTLS_ECP_DP_BP256R1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:66:2: #error "MBEDTLS_ECP_DP_BP384R1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:70:2: #error "MBEDTLS_ECP_DP_BP512R1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:74:2: #error "MBEDTLS_ECP_DP_CURVE25519_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:78:2: #error "MBEDTLS_ECP_DP_CURVE448_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:82:2: #error "MBEDTLS_ECP_DP_SECP192R1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:86:2: #error "MBEDTLS_ECP_DP_SECP224R1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:90:2: #error "MBEDTLS_ECP_DP_SECP256R1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:94:2: #error "MBEDTLS_ECP_DP_SECP384R1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:98:2: #error "MBEDTLS_ECP_DP_SECP521R1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:102:2: #error "MBEDTLS_ECP_DP_SECP192K1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:111:2: #error "MBEDTLS_ECP_DP_SECP256K1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:391:2: #error
"MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED defined, but not all
prerequisites"
mbedtls/check_config.h:397:2: #error
"MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED defined, but not all
prerequisites"
mbedtls/check_config.h:406:2: #error
"MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED defined, but not all
prerequisites"
mbedtls/check_config.h:418:2: #error
"MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all
prerequisites"
mbedtls/check_config.h:425:2: #error
"MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all
prerequisites"
mbedtls/check_config.h:481:2: #error "MBEDTLS_LMS_C requires
MBEDTLS_PSA_CRYPTO_C and PSA_WANT_ALG_SHA_256"
mbedtls/check_config.h:725:2: #error "MBEDTLS_PLATFORM_NV_SEED_ALT
defined, but not all prerequisites"
mbedtls/check_config.h:879:2: #error
"MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED defined, but
not all prerequisites"
mbedtls/check_config.h:885:2: #error
"MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED defined,
but not all prerequisites"
Regards,
Prakash
Hi,
I am trying to build MbedtLS 3.5.2 and get the below error:
mbedtls/library/psa_crypto_storage.c:23:23: psa/error.h: No such file
or directory
mbedtls/library/psa_crypto_storage.c:24:42:
psa/internal_trusted_storage.h: No such file or directory
I searched all thru the directories and found error.h in mbetls
directory but could not find internal_trusted_storage.h header file?
#if defined(MBEDTLS_PSA_ITS_FILE_C)
#include "psa_crypto_its.h"
#else /* Native ITS implementation */
#include "psa/error.h"
#include "psa/internal_trusted_storage.h"
#endif
Regards,
Prakash
Hi Team,
Referring to MBed release page -
https://github.com/Mbed-TLS/mbedtls/releases?page=1 I see that there has
been constant release periodically from Jul 27, 2018 mbedtls-2.1.14
till Nov 8, 2023 v3.5.1.
In the same context I understand that with each release there have been
fixes and new features / enhancement implementation. There was a project
that I was working in year 2020 were we tried to integrate MBed TLS in EAP
https://github.com/prplfoundation/hostap. It was a practice exercise that
our team did that time. I have not much idea as to which MBed TLS version
was opted and integrated then.
Now that so many new releases are made after 2020 - are older versions can
be taken as stable?
Is it that we should take the latest version and try again from scratch?
Thanks in advance.
Regards,
Prakash
Hello,
I have a simple http(s) server running on embedded platform using mbedtls.
Using ssl session cache significantly improves the throughput. However
while it works flawlessly in chromium based browser I noticed that in
Firefox it does not work at all.
Following there is a short snippet of my accept routine. Am I doing
something wrong?
...
mbedtls_ssl_conf_session_cache(&ssl_ctx->conf, &server_cache,
mbedtls_ssl_cache_get,
mbedtls_ssl_cache_set);
mbedtls_ssl_init(*ssl);
rc = mbedtls_ssl_setup(*ssl, &ssl_ctx->conf);
if (rc < 0) {
mbedtls_ssl_free(*ssl);
mg_free(*ssl);
*ssl = NULL;
return -ENOMEM;
}
mbedtls_ssl_set_bio(*ssl, sock, mbedtls_net_send, mbedtls_net_recv, NULL);
rc = mbed_ssl_handshake(*ssl);
...
best regards
Jan
Hi,
We are trying to integrate MBedTLs 3.5.2 release code into our
project. In the same regards we need your help for all information as
requested below - please do provide your valuable information:
1. Please confirm if all source and include files for MbedTLs 3.5.2
are available in below directories, so that we make use of these file
only (libraries can be built independently and have no dependency with
other files in other folder) -
mbedtls-3.5.2\include\mbedtls
mbedtls-3.5.2\include\psa
mbedtls-3.5.2\library
2. We are using our own RTOS threads instead of Posix or other
variants. Is there any specific configuration we need to do / setup?
3. We want to use as much small memory as possible - please let me
know the required configuration for the same?
4. Please let us know the various configuration / setup details that
we should do for the MBedTLS 3.5.2 codebase?
5. Any other references and information related to configuration /
setup / compilation will be an added advantage.
Thanks in advance and please let me know in case of any issues or concerns.
Regards,
Prakash
