[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [lwip-devel] altcp_tls_mbedtls: MBEDTLS_ECP_RESTARTABLE

From: Giuseppe Modugno
Subject: Re: [lwip-devel] altcp_tls_mbedtls: MBEDTLS_ECP_RESTARTABLE
Date: Tue, 25 Jun 2019 13:40:17 +0200
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2

Il 24/06/2019 18:04, Giuseppe Modugno ha scritto:
I tried to enable MBEDTLS_ECP_RESTARTABLE option in config.h of mbedTLS. This option (and the use of mbedtls_ecp_set_max_ops()) limits the number of operations made during expensive ECC crypto functions. It's important in my NO_SYS application, because I need to serve other "tasks" in a resonable time and TLS handshake could take even 5 seconds!

However I think the layer altcp_tls_mbedtls isn't compatible with MBEDTLS_ECP_RESTARTABLE. Indeed mbedtls_ssl_handshake() could return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, but this return value isn't managed in altcp_mbedtls_lower_recv_process(). Also mbedtls_ssl_read() and mbedtls_ssl_write() could return MBEDTLS_ECP_RESTARTABLE.

When one of the above functions return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, the application should call the function again with the same input parameters.

I'd like to invest some time to add MBEDTLS_ECP_RESTARTABLE support in altcp_tls_mbedtls, but I need some help how to do. I think we need a crypto_in_progress flag in altcp_mbedtls_state_t that is set when MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS is returned.
In poll callback we call again the function when the flag is set.

No it doesn't work. Poll callback is called only 2 times a second. mbedtls_handshake() must be called several times until it doesn't return CRYPTO_IN_PROGRESS. With poll callback the handshake would take too much time.

Another possibility is to fire a timeout that is already expired: sys_timeout(0, ...).

Do you think there's a better solution?

However we don't have a poll callbak during handshake: the final poll callback will be set after successfull handshake. Do I create and use a temporary poll callback to set in altcp_mbedtls_setup_callbacks()?

After handshake, mbedtls_ssl_read() and mbedtls_ssl_write() could return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS. So this situation must be faced too. Any help?

reply via email to

[Prev in Thread] Current Thread [Next in Thread]