Hi Mbed TLS users,
We have released Mbed TLS versions 3.6.0 LTS and 2.28.8.
These releases of Mbed TLS address several security issues, provide bug fixes, and bring other minor changes. Full details are available in the release notes (https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.0, https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.8).
We recommend all users to consider whether they are impacted, and to upgrade appropriately.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
--
Mbed-tls-announce mailing list -- mbed-tls-announce(a)lists.trustedfirmware.org
To unsubscribe send an email to mbed-tls-announce-leave(a)lists.trustedfirmware.org
Hello Mbed-TLS team,
I am reaching out for guidance on an issue I've encountered while integrating MbedTLS for HTTPS requests using the coreHTTP stack alongside FreeRTOSplusTCP on an STM32F4 device. Although I have successfully implemented an HTTP client, moving to HTTPS has presented some challenges.
My approach has included several adjustments to the mbedtls_config file, such as:
- Integrating a Random Number Generator (RNG) from STM32 within the mbed_Entropy_poll function.
- Utilizing the calloc and free functions provided by FreeRTOS.
- Modifying the search algorithm to correctly handle null-terminated PEM certificates.
Despite these efforts, I am unable to establish a connection to the server, with the process consistently failing during the TLS handshake phase. Specifically, the client hello message is transmitted from my device, but no response is received from the server, resulting in an MBEDTLS_INTERNAL_ERROR.
Enclosed with this email are my mbedtls_config file and a detailed account of the issue as posted on the FreeRTOS forum<https://forums.freertos.org/t/integration-of-ssl-in-corehttp/19561/11>. While I do not expect a full code review<https://github.com/AshvajitP/Eth_FreeRTOS_F4>, any insights into potential causes for this type of handshake failure would be greatly appreciated.
Thank you for your time and assistance.
Regards,
Ashvajit Prasad
I saw the following comment when configuring Record Size Limit Extension (RFC 8449) in `mbedtls_config.h` [1]:
> This extension is currently in development and must NOT be used except for testing purposes.
Is this still accurate? What functionality is missing for full RFC 8449 support? Is this feature planned for a specific date?
[1] https://github.com/Mbed-TLS/mbedtls/blob/611f899c0c9d397baedfaec34ea0861ad2…
Hi,
We are integrating https://github.com/prplfoundation/hostap code into
our project that makes uses of crypto and SSL functionality. Their
code is so written that they have interfaces defined where crypto and
SSL 3rd party algorithms can be called and implemented.
We are stuck implementing those APIs interfaces using MBedTLS and in
need of help for its implementation. Referring to the below set of
interfaces as defined in
https://github.com/prplfoundation/hostap/blob/master/src/crypto/tls_none.c
we need to implement required code for MBedTLS.
I am in need help implementing below API:
struct tls_connection * tls_connection_init(void *tls_ctx) where
tls_connection is below defined type [user defined type - hope is
correct implementation]:
struct tls_connection {
mbedtls_ssl_context *ssl;
keyman_creds *cr;
};
We have made the below implementation
struct tls_connection * tls_connection_init(void *ssl_ctx)
{
mbedtls_ssl_context *mssl_ctx = ssl_ctx;
struct tls_connection *conn;
conn = os_zalloc(sizeof(*conn));
if (conn == NULL) {
return NULL;
}
conn->ssl = mssl_ctx ;
conn->cr = NULL;
mbedtls_ssl_set_bio(ssl_ctx, NULL, net_send, net_recv, NULL);
return conn;
}
If my above implementation is correct please let me know how to
implement our own net_send and net_recv function. There are many
buffer declaration in mbedtls_ssl_context I am not sue what algorithm
to use to read complete / remaining bytes using internal data
structure :
int net_recv(void *ctx, unsigned char *buf, size_t len)
{
/* how to implement */
}
int net_send(void *ctx, const unsigned char *buf, size_t len)
{
/* how to implement */
}
Thanks in advance.
Regards,
Prakash
Hi,
Please also let me know the features of PSA in MbedTLS. I found this
related document -
https://mbed-tls.readthedocs.io/en/latest/getting_started/psa/.
Is PSA related to Platform Security Architecture or is related to TLS security?
How will the inclusion and non-inclusion of PSA will differ in terms
of security?
Thanks in advance.
Regards,
Prakash
Hello,
Bignum is a very useful feature in Mbedtls, which is a part to
libmbedcrypto.a. I want to build this module only as a standalone static
library. However, I find it's difficult to modify CMakelists.txt to do
this.
I appreciate your suggestions.
Blade
Hi,
I am trying to compile MbedTLS 3.5.2 release without PSA but get below
error message:
mbedtls/check_config.h:62:2: #error "MBEDTLS_ECP_DP_BP256R1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:66:2: #error "MBEDTLS_ECP_DP_BP384R1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:70:2: #error "MBEDTLS_ECP_DP_BP512R1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:74:2: #error "MBEDTLS_ECP_DP_CURVE25519_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:78:2: #error "MBEDTLS_ECP_DP_CURVE448_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:82:2: #error "MBEDTLS_ECP_DP_SECP192R1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:86:2: #error "MBEDTLS_ECP_DP_SECP224R1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:90:2: #error "MBEDTLS_ECP_DP_SECP256R1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:94:2: #error "MBEDTLS_ECP_DP_SECP384R1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:98:2: #error "MBEDTLS_ECP_DP_SECP521R1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:102:2: #error "MBEDTLS_ECP_DP_SECP192K1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:111:2: #error "MBEDTLS_ECP_DP_SECP256K1_ENABLED
defined, but not its PSA counterpart"
mbedtls/check_config.h:391:2: #error
"MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED defined, but not all
prerequisites"
mbedtls/check_config.h:397:2: #error
"MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED defined, but not all
prerequisites"
mbedtls/check_config.h:406:2: #error
"MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED defined, but not all
prerequisites"
mbedtls/check_config.h:418:2: #error
"MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all
prerequisites"
mbedtls/check_config.h:425:2: #error
"MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all
prerequisites"
mbedtls/check_config.h:481:2: #error "MBEDTLS_LMS_C requires
MBEDTLS_PSA_CRYPTO_C and PSA_WANT_ALG_SHA_256"
mbedtls/check_config.h:725:2: #error "MBEDTLS_PLATFORM_NV_SEED_ALT
defined, but not all prerequisites"
mbedtls/check_config.h:879:2: #error
"MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED defined, but
not all prerequisites"
mbedtls/check_config.h:885:2: #error
"MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED defined,
but not all prerequisites"
Regards,
Prakash