- mbed-tls - lists.trustedfirmware.org

Re: [mbed-tls] [TF-M] Adding platform specific functions to Crypto Service.

by Fabian Schmidt

Hi Roman, My understanding is that you would like to add features to the Crypto service API, but the features which you would like to add are not cryptographic in nature. Have you considered creating your own service for those features, instead of modifying the Crypto service? Or is there anything makes this not a viable option? If you are thinking about adding hardware acceleration for some Crypto features, that's indeed covered in Shebu's link. Greetings, Fabian Schmidt From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Shebu Varghese Kuriakose via TF-M Sent: Dienstag, 12. Oktober 2021 11:46 To: David Hu <David.Hu(a)arm.com>; Roman.Mazurak(a)infineon.com; tf-m(a)lists.trustedfirmware.org; mbed-tls(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: [EXT] Re: [TF-M] Adding platform specific functions to Crypto Service. Caution: EXT Email Hi Roman, I also might not have understood the question completely. As you mention crypto HAL API, here is the specification which defines a standardized mechanism for PSA Crypto implementations to interface with Secure elements and crypto accelerators - https://github.com/ARMmbed/mbedtls/blob/development/docs/proposed/psa-driver -interface.md <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.co m%2FARMmbed%2Fmbedtls%2Fblob%2Fdevelopment%2Fdocs%2Fproposed%2Fpsa-driver-in terface.md&data=04%7C01%7Cfabian.schmidt%40nxp.com%7C17489158b6384ef5caa308d 98d654ead%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637696288543072051%7C Unknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLC JXVCI6Mn0%3D%7C1000&sdata=uKX4sUH37jNx1%2BvACuN8tBQl05OaXPPnMT9FqMwbhdU%3D&r eserved=0> Also adding mbed-tls mailing list as the thread is crypto related.. Regards, Shebu From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org <mailto:tf-m-bounces@lists.trustedfirmware.org> > On Behalf Of David Hu via TF-M Sent: Tuesday, October 12, 2021 4:18 AM To: Roman.Mazurak(a)infineon.com <mailto:Roman.Mazurak@infineon.com> ; tf-m(a)lists.trustedfirmware.org <mailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd(a)arm.com <mailto:nd@arm.com> > Subject: Re: [TF-M] Adding platform specific functions to Crypto Service. Hi Roman, Are you asking about adding platform specific HAL API to implement PSA Crypto API function? Please correct me if I misunderstand your question. Best regards, Hu Ziji From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org <mailto:tf-m-bounces@lists.trustedfirmware.org> > On Behalf Of Roman Mazurak via TF-M Sent: Monday, October 11, 2021 9:45 PM To: tf-m(a)lists.trustedfirmware.org <mailto:tf-m@lists.trustedfirmware.org> Subject: [TF-M] Adding platform specific functions to Crypto Service. Hi all, We would like to add a number of platform specific functions to Crypto Service API. Is it ok if such functions will not be related to cryptographic service, but such approach allows us to optimize platform design? Is there any initiative to create a Crypto Service HAL API to extend Crypto with custom functions? Best regards, Roman.

4 years, 1 month

3
3
0 0

Re: [mbed-tls] Adding platform specific functions to Crypto Service.

by Shebu Varghese Kuriakose

Hi Roman, I also might not have understood the question completely. As you mention crypto HAL API, here is the specification which defines a standardized mechanism for PSA Crypto implementations to interface with Secure elements and crypto accelerators - https://github.com/ARMmbed/mbedtls/blob/development/docs/proposed/psa-drive… Also adding mbed-tls mailing list as the thread is crypto related.. Regards, Shebu From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of David Hu via TF-M Sent: Tuesday, October 12, 2021 4:18 AM To: Roman.Mazurak(a)infineon.com; tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: Re: [TF-M] Adding platform specific functions to Crypto Service. Hi Roman, Are you asking about adding platform specific HAL API to implement PSA Crypto API function? Please correct me if I misunderstand your question. Best regards, Hu Ziji From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Roman Mazurak via TF-M Sent: Monday, October 11, 2021 9:45 PM To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org> Subject: [TF-M] Adding platform specific functions to Crypto Service. Hi all, We would like to add a number of platform specific functions to Crypto Service API. Is it ok if such functions will not be related to cryptographic service, but such approach allows us to optimize platform design? Is there any initiative to create a Crypto Service HAL API to extend Crypto with custom functions? Best regards, Roman.

4 years, 1 month

1
0
0 0

MbedTLS and IPv4 packet length problem

by Duygu D.

Hello, I am using this example for the source of the my main purpose : https://github.com/straight-coding/LPC407x-NoOS-LWIP-MBEDTLS-HTTPD-KEIL/blo… This example using https but I'm trying to use this example on Modbus Server. This is init function for the server tcp connections: BOOL xMBTCPPortInit( USHORT usTCPPort ) { struct altcp_pcb *pxPCBListenNew, *pxPCBListenOld; BOOL bOkay = (BOOL)FALSE; USHORT usPort; extern struct altcp_tls_config* getTlsConfig(void); tls_config = getTlsConfig(); mbedtls_ssl_conf_dbg(tls_config, my_debug, NULL); mbedtls_debug_set_threshold(5); if( usTCPPort == 0 ) { usPort = MB_TCP_DEFAULT_PORT; } else { usPort = ( USHORT ) usTCPPort; } if( ( pxPCBListenNew = pxPCBListenOld = altcp_tls_new( tls_config,IPADDR_TYPE_ANY) ) == NULL ) { /* Can't create TCP socket. */ bOkay = (BOOL)FALSE; } else if( altcp_bind( pxPCBListenNew, IP_ANY_TYPE, ( u16_t ) usPort ) != ERR_OK ) { /* Bind failed - Maybe illegal port value or in use. */ ( void )altcp_close( pxPCBListenOld ); bOkay = (BOOL)FALSE; } else if( ( pxPCBListenNew = altcp_listen( pxPCBListenNew ) ) == NULL ) { ( void )altcp_close( pxPCBListenOld ); bOkay = (BOOL)FALSE; } else { // altcp_tls_new(pxPCBListenNew, IP_GET_TYPE(ip_addr))*/; /* Register callback function for new clients. */ altcp_accept( pxPCBListenNew, prvxMBTCPPortAccept ); /* Everything okay. Set global variable. */ pxPCBListen = pxPCBListenNew; #ifdef MB_TCP_DEBUG vMBPortLog( MB_LOG_DEBUG, "MBTCP-ACCEPT", "Protocol stack ready.\r\n" ); #endif SerialPrint("MBTCTP-ACCEPT"); } bOkay = (BOOL)TRUE; return bOkay; } struct altcp_tls_config* getTlsConfig(void) { struct altcp_tls_config* conf; size_t privkey_len = strlen(privkey) + 1; size_t privkey_pass_len = strlen(privkey_pass) + 1; size_t cert_len = strlen(cert) + 1; conf = altcp_tls_create_config_server_privkey_cert((u8_t*)privkey, privkey_len, (u8_t*)privkey_pass, privkey_pass_len, (u8_t*)cert, cert_len); return conf; } And I am using basic python tls client example to show successful mbedtls handshake. This is my client.py codes: import time from socket import create_connection from ssl import SSLContext, PROTOCOL_TLS_CLIENT import ssl hostname='example.org' ip = '192.168.1.2' port = 502 context = SSLContext(PROTOCOL_TLS_CLIENT) context.options |= ssl.OP_NO_SSLv3 context.options |= ssl.OP_NO_TLSv1 context.options |= ssl.OP_NO_TLSv1_1 context.load_verify_locations('cert.pem') with create_connection((ip, port)) as client: with context.wrap_socket(client, server_hostname=hostname) as tls: print(f'Using {tls.version()}\n') tls.sendall(b'Hello world') data = tls.recv(1024) print(f'Server says: {data}') When I try to start communication I get below outputs on wireshark: [image: image.png] When the server send hello message I've this error on the line: [image: image.png] When I checked the low_level_output functions I get sending data bytes 150 byte but Ipv4 length shows us 576 byte, opt.h file set as default but if I changed TCP_MSS as a 250 byte so I can send 136 byte and Ipv4 packet lenght shows me 136. But does not make sense. I couldnt do successful handshaking. My mbedtls debug outputs in this link https://paste.ofcode.org/PP3zFmrLcKqPdRMT3LzETz How cna I solve this problem ? What is the reason for the lenght problem ? Best Regards. -- Embeded System Engineer

4 years, 1 month

3
4
0 0

image-20211001180442075

by Shudong Zhang

Hello, I am very sorry about last email by mistakes. I have some questions about multiplication on ecp curves. I add an ecp curve parameter in ecp_curve.c form SM2 algorithm standard, and the parameter is as follow: Then I followed the loading method of secp256r1 to load, but I don’t know how to perform fast calculations, so I commented NIST_MODP( p256 ). #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) caseMBEDTLS_ECP_DP_SECP256R1: NIST_MODP( p256 ); return( LOAD_GROUP( secp256r1 ) ); #endif #if defined(MBEDTLS_ECP_DP_SM256_ENABLED) caseMBEDTLS_ECP_DP_SM256: //NIST_MODP( p256 ); return( LOAD_GROUP_A( sm256 ) ); #endif Then I call the functional interface mbedtls_ecp_mul to perform the multiplication operation, but the heap memory keeps increasing . voidtest() { intret; mbedtls_mpiUd; mbedtls_ecp_groupgrp; mbedtls_ecp_pointT_Q; mbedtls_mpi_init(&Ud); mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &T_Q ); ret=mbedtls_mpi_read_binary(&Ud, arrUd, sizeof(arr_U_d)); // ret = mbedtls_ecp_group_load(&grp,MBEDTLS_ECP_DP_SECP256R1); ret=mbedtls_ecp_group_load(&grp,MBEDTLS_ECP_DP_SM256); ret=mbedtls_ecp_mul(&grp, &T_Q, &Ud, &(grp.G), NULL, NULL) ; printf("%x\n", -ret); mbedtls_mpi_free(&Ud); mbedtls_ecp_group_free( &grp ); mbedtls_ecp_point_free( &T_Q ); } intmain() { for(inti=0; i<10; i++) test(); return0; } The heap memory is mesaured by massif( valgring tools), Can someone tell me what this is because of and how to fix this problem ? Best Regards. Shudong Zhang

4 years, 1 month

1
0
0 0

Add an ecp curves, but the multiplication add heap memory continuouly

by Shudong Zhang

Hello， I add an ecc curve parameter in ecp_curve.c form SM2 algorithm, and the parameter is as follow:

4 years, 1 month

2
1
0 0

Unable to enable CCM ciphers in mbedtls

by Ron Eggler

The |mbedtls| client project I'm working on, is to also support the cipher suites: |TLS-ECDHE-ECDSA-WITH-AES-256-CCM| & |TLS-ECDHE-ECDSA-WITH-AES-128-CCM|. I have specified them like: |const int ciphersuites[] = { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA384, MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM, 0 }; mbedtls_ssl_conf_ciphersuites(&ctxt->conf,ciphersuites); | and while I can see the GCM ciphers in the |Client Hello|, I cannot see the |CCM| ciphers. In |mbedtls/include/mbedtls/config.h|, the following are enabled: |#define MBEDTLS_CCM_ALT #define MBEDTLS_CCM_C #define MBEDTLS_ECDH_GEN_PUBLIC_ALT #define MBEDTLS_ECDH_COMPUTE_SHARED_ALT #define MBEDTLS_ECDSA_SIGN_ALT | What is still missing? While CCM is not listed under The following ciphers may be included <https://tls.mbed.org/module-level-design-cipher>, the ciphers i would like to add definitely show up under Supported SSL / TLS ciphersuites <https://tls.mbed.org/supported-ssl-ciphersuites>, Can someone help out?

4 years, 1 month

2
2
0 0

RAM usage and Slowness issue

by Sunil Jain

Hello, *RAM USAGE:* We are using mbedTLS 2.16 for TLS communication and found that it is consuming more RAM compared to other Cybersecurity library (Mocana ) which we were using earlier. I want to reduce the RAM usage, if there are any settings which i can apply to reduce the RAM usage Presently MbedTLS is using almost 38KB of RAM per TLS connection, I have small memory in my device (STM32F437), I want to reduce this RAM consumption to 30KB per TLS connection. *SLOWNESS:* we have found that after 4 TLS connections on STM32F437 controller, communication becomes very slow, we measured the CPU utilization at this point of time, and it's only 40% ustilized, we are not getting any clue why it becomes so slow. When we compare with Mocana cyber security library we were able to run 6 TLS connections with good speed. Please help us with the above 2 topics. -- Thanks and Regards, Sunil Jain

4 years, 1 month

2
1
0 0

TLS 1.3 support

by Alex Sukhov

Hi mbedTLS team, Our teams are in the process of reviewing available TLS library options. Is there any information that we can find with respect to the mbedTLS stance on TLS 1.3 support? I.E is there a timeline available supporting TLS 1.3? Alternatively is there documentation available that outlines the expected deltas between TLS 1.2 and 1.3 that can help compare the value gained by using TLS 1.3 instead of 1.2? Regards, Alex Sukhov Geotab Embedded System Developer, Team Lead Toll-free Visit +1 (877) 431-8221 www.geotab.com Twitter <https://twitter.com/geotab> | Facebook <https://www.facebook.com/Geotab> | YouTube <https://www.youtube.com/user/MyGeotab> | LinkedIn <https://www.linkedin.com/company/geotab/>

4 years, 1 month

3
2
0 0

Doubt in mbedtls version support for libiec61850-1.5

by lekshmi g

When we are using the version *mbedtls-2.16.6* with *libiec61850-1.5*, the TLS connection is established successfully. But when we use the *2.7.19*, the connection fails(we renamed *mbedtls 2.7.19* as *mbedtls 2.16* and put in the folder third_party\mbedtls ). We had occurred following error during the execution of client- server example programs tls_server_example and tls_client_example using 2.7.19 version. During handshaking process till CASE " MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC " it worked as expected. But In CASE "MBEDTLS_SSL_CLIENT_FINISHED" the return value should be zero. But we got in function mbedtls_ssl_safer_memcmp mac_peer==41155316 mac_expect==41155356 diff=255 (this value has to be 0 for connection establishment) But we are getting 255 constantly in all runnings. Kindly help us to resolve the issue. If this issue is due to the non supporting of mbedtls version ?.Thanks in advance. Please let us know the *supporting versions of mbedtls *for *libiec61850-1.5 *.

4 years, 1 month

2
2
0 0

On the future of on-target testing

by Gilles Peskine

Hello, Mbed TLS supports building and running unit tests in one of two modes: “hosted” or “on target”. The on-target mode relies on Greentea, the Mbed OS test framework. The on-target mode is unmaintained (there's no CI for it and the Mbed TLS maintainers hardly ever even try to build it these days) and we're considering retiring it in Mbed TLS 2.28. If you do use Mbed TLS's on-target unit testing, either by building target_test.function or by plugging your own file instead of target_test.function or host_test.function, please let us know and weigh in on https://github.com/ARMmbed/mbedtls/issues/4912 <https://github.com/ARMmbed/mbedtls/issues/4912> . Best regards, -- Gilles Peskine Mbed TLS developer

4 years, 2 months

1
1
0 0

2025

2024

2023

2022

2021

2020

mbed-tls