Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Test EC-JPAKE against an old Mbed TLS #9740

Open
gilles-peskine-arm opened this issue Oct 30, 2024 · 0 comments
Open

Test EC-JPAKE against an old Mbed TLS #9740

gilles-peskine-arm opened this issue Oct 30, 2024 · 0 comments
Labels
component-test Test framework and CI scripts component-tls enhancement size-s Estimated task size: small (~2d)

Comments

@gilles-peskine-arm
Copy link
Contributor

gilles-peskine-arm commented Oct 30, 2024
edited
Loading

Mbed TLS is the only free implementation of ECJ-PAKE cipher suites in TLS (an expired RFC, but required by Thread) that we know of. As a consequence, we don't have interoperability tests for EC-JPAKE in TLS.

For a while (since #6533), we had two partially different implementations of EC-JPAKE in TLS: with or without MBEDTLS_USE_PSA_CRYPTO. We did some interoperability testing between these two implementations. In Mbed TLS 4.0, we got rid of the non-PSA code paths, so we are back to not having any interoperability testing.

The goal of this issue is to bring back interoperability testing in the form of Mbed TLS 4.0 tested against an old version of Mbed TLS, for example Mbed TLS 2.28.10 or 3.6.2.

Only ECJPAKE is in scope here, however once we have the machinery we may want to extend this to other TLS features that are not in OpenSSL or GnuTLS (the two TLS implementations we do interoperability testing against).
@gilles-peskine-arm gilles-peskine-arm added enhancement component-tls size-s Estimated task size: small (~2d) component-test Test framework and CI scripts labels Oct 30, 2024
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Oct 30, 2024
@gilles-peskine-arm
Remove ECJPAKE interoperability testing
a1be1b8 
We no longer have two (only partially distinct) implementations of ECJ-PAKE
cipher suites in TLS, now that the non-MBEDTLS_USE_PSA_CRYPTO implementation
is being removed.

We may want to add this testing back in the future, but we'll have to use an
old Mbed TLS instead of a differently-built one.
Mbed-TLS#9740

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Oct 30, 2024
@gilles-peskine-arm
Remove ECJPAKE interoperability testing
005d977 
We no longer have two (only partially distinct) implementations of ECJ-PAKE
cipher suites in TLS, now that the non-MBEDTLS_USE_PSA_CRYPTO implementation
is being removed.

We may want to add this testing back in the future, but we'll have to use an
old Mbed TLS instead of a differently-built one.
Mbed-TLS#9740

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Oct 30, 2024
@gilles-peskine-arm
Remove ECJPAKE interoperability testing
dd95717 
We no longer have two (only partially distinct) implementations of ECJ-PAKE
cipher suites in TLS, now that the non-MBEDTLS_USE_PSA_CRYPTO implementation
is being removed.

We may want to add this testing back in the future, but we'll have to use an
old Mbed TLS instead of a differently-built one.
Mbed-TLS#9740

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component-test Test framework and CI scripts component-tls enhancement size-s Estimated task size: small (~2d)
Projects
Risks
Status: No status
Milestone
No milestone
Development

No branches or pull requests
1 participant
@gilles-peskine-arm