
Add support for ECDHE-PSK-AES-GCM/CCM ciphersuites #1729

Open
mpg opened this issue Jun 14, 2018 · 3 comments
Labels
component-tls enhancement good-first-issue Good for newcomers help-wanted This issue is not being actively worked on, but PRs welcome. historical-reviewing Currently reviewing (for legacy PR/issues)

Comments

@mpg
Contributor

mpg commented Jun 14, 2018

Description

  • Type: Feature Request
  • Priority: Minor

Enhancement/Feature Request

Add support for the new ciphersuites with ECDHE-PSK key exchange and AEAD encryption from RFC 8442.

Justification - why does the library need this feature?

ECDHE-PSK key exchange can be interesting in a number of constrained scenarios including IoT. It is currently supported by Mbed TLS but the only ciphersuites defined with it use NULL, RC4 or CBC-mode encryption, all of which are deprecated or have issues. The draft adds ciphersuites based on ECDHE-PSK and modern AEAD algorithms such as AES-GCM and AES-CCM.

Support for these ciphersuites would be easy to add to Mbed TLS as we already have all the building blocks.

@jethrogb

This is now RFC 8442. +1 for this feature.

@tom-daubney-arm tom-daubney-arm added historical-reviewing Currently reviewing (for legacy PR/issues) historical-reviewed Reviewed & agreed to keep legacy PR/issue and removed historical-reviewed Reviewed & agreed to keep legacy PR/issue labels Nov 8, 2022
@dimakuv

dimakuv commented Jun 27, 2024

Not sure if this will help bump the priority, but our Gramine project would like this feature to be added to mbedTLS: #8170 (comment)

@mpg mpg added help-wanted This issue is not being actively worked on, but PRs welcome. good-first-issue Good for newcomers labels Jul 1, 2024
@mpg
Contributor Author

mpg commented Jul 1, 2024

I've added the labels "help-wanted" and "good-first-issue" to indicate that we would welcome a PR for this, and it should not require deep knowledge of the library to achieve. Here's an outline of the steps:

  • Add a paragraph to include/ssl/ssl_ciphersuites.h defining macros for the new ciphersuites with the value from section 4 - should go between RFC 7902 and RFC 8446 (TLS 1.3).
  • Add definitions for these ciphersuites in ciphersuite_definitions in library/ssl_ciphersuites.c. Check existing similar ciphersuites (some with ECDHE-PSK, some with AES-GCM, AES-CCM, AES-CCM-8) for applicable values and feature guard macros.
  • Add the ciphersuites to ciphersuite_preference in library/ssl_ciphersuites.c - check the comment at the top for where to insert them (and look at existing entries).
  • Manually confirm that everything works by invoking programs/ssl/ssl_server2 and programs/ssl/ssl_client2 with appropriate options (forcing TLS 1.2 and use of one of the new ciphersuites).
  • Add test cases for the new ciphersuites in tests/suites/test_suite_ssl.data using the function handshake_psk_cipher (check existing uses of this function for examples).
  • Add the ciphersuites to tests/compat.sh - check if they are supported by OpenSSL and GnuTLS (if you are unsure about which versions we use on the CI, feel free to ask).

(And of course see CONTRIBUTING.md.)
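To make the "feature guard macros" step of the outline above concrete, here is an added, stand-alone C model (example code, not Mbed TLS's own sources): the four suites from RFC 8442 with their IANA codepoints from section 4, and for each one the building blocks its definition has to be guarded by. The CFG_* bits are an assumption standing in for the corresponding Mbed TLS config macros named in the comments; missing_guards() reports which of them a given build configuration lacks.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical build-option bits standing in for Mbed TLS config macros. */
#define CFG_KX_ECDHE_PSK (1u << 0) /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
#define CFG_AES          (1u << 1) /* MBEDTLS_AES_C */
#define CFG_GCM          (1u << 2) /* MBEDTLS_GCM_C */
#define CFG_CCM          (1u << 3) /* MBEDTLS_CCM_C */
#define CFG_SHA256       (1u << 4) /* SHA-256 support */
#define CFG_SHA384       (1u << 5) /* SHA-384 support */

typedef struct {
    uint16_t id;       /* IANA codepoint, RFC 8442 section 4 */
    const char *name;  /* name in the library's TLS-... convention */
    unsigned needs;    /* every bit must be present in the build config */
} suite_t;

/* All four suites are TLS 1.2 only; TLS 1.3 uses its own suite set (RFC 8446). */
static const suite_t rfc8442_suites[] = {
    { 0xD001, "TLS-ECDHE-PSK-WITH-AES-128-GCM-SHA256",
      CFG_KX_ECDHE_PSK | CFG_AES | CFG_GCM | CFG_SHA256 },
    { 0xD002, "TLS-ECDHE-PSK-WITH-AES-256-GCM-SHA384",
      CFG_KX_ECDHE_PSK | CFG_AES | CFG_GCM | CFG_SHA384 },
    { 0xD003, "TLS-ECDHE-PSK-WITH-AES-128-CCM-8-SHA256",
      CFG_KX_ECDHE_PSK | CFG_AES | CFG_CCM | CFG_SHA256 },
    { 0xD005, "TLS-ECDHE-PSK-WITH-AES-128-CCM-SHA256",
      CFG_KX_ECDHE_PSK | CFG_AES | CFG_CCM | CFG_SHA256 },
};
#define N_SUITES (sizeof(rfc8442_suites) / sizeof(rfc8442_suites[0]))

/* Bits the configuration lacks for suite `id`; 0 means the suite can be built.
 * An unknown id yields all bits set so it never looks enabled by accident. */
unsigned missing_guards(uint16_t id, unsigned cfg)
{
    for (size_t i = 0; i < N_SUITES; i++)
        if (rfc8442_suites[i].id == id)
            return rfc8442_suites[i].needs & ~cfg;
    return ~0u;
}

/* Collect the ids buildable under `cfg`, keeping table order (the order in which
 * they would be appended to the preference list). Returns how many were written. */
size_t enabled_suites(unsigned cfg, uint16_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < N_SUITES && n < max; i++)
        if (missing_guards(rfc8442_suites[i].id, cfg) == 0)
            out[n++] = rfc8442_suites[i].id;
    return n;
}
```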
