[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [lwip-devel] altcp_tls_mbedtls: MBEDTLS_ECP_RESTARTABLE
From: |
Giuseppe Modugno |
Subject: |
Re: [lwip-devel] altcp_tls_mbedtls: MBEDTLS_ECP_RESTARTABLE |
Date: |
Tue, 25 Jun 2019 13:40:17 +0200 |
User-agent: |
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2 |
Il 24/06/2019 18:04, Giuseppe Modugno ha scritto:
I tried to enable MBEDTLS_ECP_RESTARTABLE option in config.h of
mbedTLS. This option (and the use of mbedtls_ecp_set_max_ops()) limits
the number of operations made during expensive ECC crypto functions.
It's important in my NO_SYS application, because I need to serve other
"tasks" in a resonable time and TLS handshake could take even 5 seconds!
However I think the layer altcp_tls_mbedtls isn't compatible with
MBEDTLS_ECP_RESTARTABLE. Indeed mbedtls_ssl_handshake() could return
MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, but this return value isn't
managed in altcp_mbedtls_lower_recv_process().
Also mbedtls_ssl_read() and mbedtls_ssl_write() could return
MBEDTLS_ECP_RESTARTABLE.
When one of the above functions return
MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, the application should call the
function again with the same input parameters.
I'd like to invest some time to add MBEDTLS_ECP_RESTARTABLE support in
altcp_tls_mbedtls, but I need some help how to do. I think we need a
crypto_in_progress flag in altcp_mbedtls_state_t that is set when
MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS is returned.
In poll callback we call again the function when the flag is set.
No it doesn't work. Poll callback is called only 2 times a second.
mbedtls_handshake() must be called several times until it doesn't return
CRYPTO_IN_PROGRESS. With poll callback the handshake would take too much
time.
Another possibility is to fire a timeout that is already expired:
sys_timeout(0, ...).
Do you think there's a better solution?
However we don't have a poll callbak during handshake: the final poll
callback will be set after successfull handshake. Do I create and use
a temporary poll callback to set in altcp_mbedtls_setup_callbacks()?
After handshake, mbedtls_ssl_read() and mbedtls_ssl_write() could
return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS. So this situation must be
faced too. Any help?