- mbed-tls - lists.trustedfirmware.org

Assistance Requested: TLS Handshake Failure with MbedTLS on STM32F4

by Ashvajit Prasad

Hello Mbed-TLS team, I am reaching out for guidance on an issue I've encountered while integrating MbedTLS for HTTPS requests using the coreHTTP stack alongside FreeRTOSplusTCP on an STM32F4 device. Although I have successfully implemented an HTTP client, moving to HTTPS has presented some challenges. My approach has included several adjustments to the mbedtls_config file, such as: - Integrating a Random Number Generator (RNG) from STM32 within the mbed_Entropy_poll function. - Utilizing the calloc and free functions provided by FreeRTOS. - Modifying the search algorithm to correctly handle null-terminated PEM certificates. Despite these efforts, I am unable to establish a connection to the server, with the process consistently failing during the TLS handshake phase. Specifically, the client hello message is transmitted from my device, but no response is received from the server, resulting in an MBEDTLS_INTERNAL_ERROR. Enclosed with this email are my mbedtls_config file and a detailed account of the issue as posted on the FreeRTOS forum<https://forums.freertos.org/t/integration-of-ssl-in-corehttp/19561/11>. While I do not expect a full code review<https://github.com/AshvajitP/Eth_FreeRTOS_F4>, any insights into potential causes for this type of handshake failure would be greatly appreciated. Thank you for your time and assistance. Regards, Ashvajit Prasad

7 months, 3 weeks

1
0
0 0

Status of RFC 8449 support

by norbert.fabritius＠esrlabs.com

I saw the following comment when configuring Record Size Limit Extension (RFC 8449) in `mbedtls_config.h` [1]: > This extension is currently in development and must NOT be used except for testing purposes. Is this still accurate? What functionality is missing for full RFC 8449 support? Is this feature planned for a specific date? [1] https://github.com/Mbed-TLS/mbedtls/blob/611f899c0c9d397baedfaec34ea0861ad2…

7 months, 3 weeks

3
3
0 0

MBedTLS Integration API Implementation

by Satya Prakash Prasad

Hi, We are integrating https://github.com/prplfoundation/hostap code into our project that makes uses of crypto and SSL functionality. Their code is so written that they have interfaces defined where crypto and SSL 3rd party algorithms can be called and implemented. We are stuck implementing those APIs interfaces using MBedTLS and in need of help for its implementation. Referring to the below set of interfaces as defined in https://github.com/prplfoundation/hostap/blob/master/src/crypto/tls_none.c we need to implement required code for MBedTLS. I am in need help implementing below API: struct tls_connection * tls_connection_init(void *tls_ctx) where tls_connection is below defined type [user defined type - hope is correct implementation]: struct tls_connection { mbedtls_ssl_context *ssl; keyman_creds *cr; }; We have made the below implementation struct tls_connection * tls_connection_init(void *ssl_ctx) { mbedtls_ssl_context *mssl_ctx = ssl_ctx; struct tls_connection *conn; conn = os_zalloc(sizeof(*conn)); if (conn == NULL) { return NULL; } conn->ssl = mssl_ctx ; conn->cr = NULL; mbedtls_ssl_set_bio(ssl_ctx, NULL, net_send, net_recv, NULL); return conn; } If my above implementation is correct please let me know how to implement our own net_send and net_recv function. There are many buffer declaration in mbedtls_ssl_context I am not sue what algorithm to use to read complete / remaining bytes using internal data structure : int net_recv(void *ctx, unsigned char *buf, size_t len) { /* how to implement */ } int net_send(void *ctx, const unsigned char *buf, size_t len) { /* how to implement */ } Thanks in advance. Regards, Prakash

7 months, 3 weeks

1
0
0 0

GCC Compiler Version

by Satya Prakash Prasad

Hi, Please let me know which GCC compiler version to use to compile MBedTLS on Ubuntu and test cases that we can build and verify? Regards, Prakash

8 months

2
1
0 0

MBedTLS PSA

by Satya Prakash Prasad

Hi, Please also let me know the features of PSA in MbedTLS. I found this related document - https://mbed-tls.readthedocs.io/en/latest/getting_started/psa/. Is PSA related to Platform Security Architecture or is related to TLS security? How will the inclusion and non-inclusion of PSA will differ in terms of security? Thanks in advance. Regards, Prakash

8 months

2
3
0 0

Build bignum module only

by Liu Blade

Hello, Bignum is a very useful feature in Mbedtls, which is a part to libmbedcrypto.a. I want to build this module only as a standalone static library. However, I find it's difficult to modify CMakelists.txt to do this. I appreciate your suggestions. Blade

8 months

2
1
0 0

Unable to build 3.5.2 without PSA

by Satya Prakash Prasad

Hi, I am trying to compile MbedTLS 3.5.2 release without PSA but get below error message: mbedtls/check_config.h:62:2: #error "MBEDTLS_ECP_DP_BP256R1_ENABLED defined, but not its PSA counterpart" mbedtls/check_config.h:66:2: #error "MBEDTLS_ECP_DP_BP384R1_ENABLED defined, but not its PSA counterpart" mbedtls/check_config.h:70:2: #error "MBEDTLS_ECP_DP_BP512R1_ENABLED defined, but not its PSA counterpart" mbedtls/check_config.h:74:2: #error "MBEDTLS_ECP_DP_CURVE25519_ENABLED defined, but not its PSA counterpart" mbedtls/check_config.h:78:2: #error "MBEDTLS_ECP_DP_CURVE448_ENABLED defined, but not its PSA counterpart" mbedtls/check_config.h:82:2: #error "MBEDTLS_ECP_DP_SECP192R1_ENABLED defined, but not its PSA counterpart" mbedtls/check_config.h:86:2: #error "MBEDTLS_ECP_DP_SECP224R1_ENABLED defined, but not its PSA counterpart" mbedtls/check_config.h:90:2: #error "MBEDTLS_ECP_DP_SECP256R1_ENABLED defined, but not its PSA counterpart" mbedtls/check_config.h:94:2: #error "MBEDTLS_ECP_DP_SECP384R1_ENABLED defined, but not its PSA counterpart" mbedtls/check_config.h:98:2: #error "MBEDTLS_ECP_DP_SECP521R1_ENABLED defined, but not its PSA counterpart" mbedtls/check_config.h:102:2: #error "MBEDTLS_ECP_DP_SECP192K1_ENABLED defined, but not its PSA counterpart" mbedtls/check_config.h:111:2: #error "MBEDTLS_ECP_DP_SECP256K1_ENABLED defined, but not its PSA counterpart" mbedtls/check_config.h:391:2: #error "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED defined, but not all prerequisites" mbedtls/check_config.h:397:2: #error "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED defined, but not all prerequisites" mbedtls/check_config.h:406:2: #error "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED defined, but not all prerequisites" mbedtls/check_config.h:418:2: #error "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites" mbedtls/check_config.h:425:2: #error "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites" mbedtls/check_config.h:481:2: #error "MBEDTLS_LMS_C requires MBEDTLS_PSA_CRYPTO_C and PSA_WANT_ALG_SHA_256" mbedtls/check_config.h:725:2: #error "MBEDTLS_PLATFORM_NV_SEED_ALT defined, but not all prerequisites" mbedtls/check_config.h:879:2: #error "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED defined, but not all prerequisites" mbedtls/check_config.h:885:2: #error "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED defined, but not all prerequisites" Regards, Prakash

8 months

2
4
0 0

MBedTLS 3.5.2

by Satya Prakash Prasad

Hi, I am trying to build MbedtLS 3.5.2 and get the below error: mbedtls/library/psa_crypto_storage.c:23:23: psa/error.h: No such file or directory mbedtls/library/psa_crypto_storage.c:24:42: psa/internal_trusted_storage.h: No such file or directory I searched all thru the directories and found error.h in mbetls directory but could not find internal_trusted_storage.h header file? #if defined(MBEDTLS_PSA_ITS_FILE_C) #include "psa_crypto_its.h" #else /* Native ITS implementation */ #include "psa/error.h" #include "psa/internal_trusted_storage.h" #endif Regards, Prakash

8 months

6
13
0 0

MBed TLS - Generic Question

by Satya Prakash Prasad

Hi Team, Referring to MBed release page - https://github.com/Mbed-TLS/mbedtls/releases?page=1 I see that there has been constant release periodically from Jul 27, 2018 mbedtls-2.1.14 till Nov 8, 2023 v3.5.1. In the same context I understand that with each release there have been fixes and new features / enhancement implementation. There was a project that I was working in year 2020 were we tried to integrate MBed TLS in EAP https://github.com/prplfoundation/hostap. It was a practice exercise that our team did that time. I have not much idea as to which MBed TLS version was opted and integrated then. Now that so many new releases are made after 2020 - are older versions can be taken as stable? Is it that we should take the latest version and try again from scratch? Thanks in advance. Regards, Prakash

8 months, 1 week

2
5
0 0

ssl session cache does not work in firefox

by Jan Pohanka

Hello, I have a simple http(s) server running on embedded platform using mbedtls. Using ssl session cache significantly improves the throughput. However while it works flawlessly in chromium based browser I noticed that in Firefox it does not work at all. Following there is a short snippet of my accept routine. Am I doing something wrong? ... mbedtls_ssl_conf_session_cache(&ssl_ctx->conf, &server_cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set); mbedtls_ssl_init(*ssl); rc = mbedtls_ssl_setup(*ssl, &ssl_ctx->conf); if (rc < 0) { mbedtls_ssl_free(*ssl); mg_free(*ssl); *ssl = NULL; return -ENOMEM; } mbedtls_ssl_set_bio(*ssl, sock, mbedtls_net_send, mbedtls_net_recv, NULL); rc = mbed_ssl_handshake(*ssl); ... best regards Jan

8 months, 1 week

2
1
0 0

2024

2023

2022

2021

2020

mbed-tls