Use PSA EC-JPAKE in TLS (1.2) #5886
Conversation
superna9999
added
needs-work
needs-ci
superna9999
force-pushed
the
5847-use-psa-pake-in-tls
branch
4 times, most recently
from
d5424e0 to
546840c
Compare
daverodgman
added
the
priority-medium
superna9999
force-pushed
the
5847-use-psa-pake-in-tls
branch
from
546840c to
5cc2469
Compare
superna9999
force-pushed
the
5847-use-psa-pake-in-tls
branch
from
5cc2469 to
3f9437d
Compare
superna9999
force-pushed
the
5847-use-psa-pake-in-tls
branch
from
3f9437d to
aee9b3e
Compare
|
Next time you update this, can you also remove the line about EC J-PAKE in |
superna9999
force-pushed
the
5847-use-psa-pake-in-tls
branch
3 times, most recently
from
076d18a to
68e86da
Compare
superna9999
added
needs-review
superna9999
force-pushed
the
5847-use-psa-pake-in-tls
branch
from
68e86da to
266e2e7
Compare
|
Note: the failure in ABI-API checking is not a problem, see #6115 (comment) |
|
Now that #6115 has been merged, this should be rebased. @superna9999 Can you take care of this? Otherwise please let us know and we'll handle it. |
mpg
added
needs-work
and removed
needs-preceding-pr
mpg
removed
the
needs-review
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
superna9999
force-pushed
the
5847-use-psa-pake-in-tls
branch
from
266e2e7 to
f254b85
Compare
|
@mpg done! |
|
Great, thanks! |
| psa_role = PSA_PAKE_ROLE_CLIENT; | ||
|
|
||
|
|
||
| if( pw_len > 0 ) |
There was a problem hiding this comment.
Minor: unless I'm missing something, we could merge this we the next if( pw_len > 0 ) block. This would avoid the need to destroy the key in the failure path of the next two blocks, and keep related things together. (While at it, I think we could make attributes local to that block as well.)
| #if defined(MBEDTLS_USE_PSA_CRYPTO) | ||
| psa_pake_abort( &handshake->psa_pake_ctx ); | ||
| psa_destroy_key( handshake->psa_pake_password ); | ||
| handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; |
There was a problem hiding this comment.
Note: not setting psa_pake_ctx_is_ok is correct because it's going to be done by the call to zeroize() near the end of this function.
| @@ -5731,6 +5807,55 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake, | |||
| else | |||
| #endif | |||
| { | |||
| #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ | |||
There was a problem hiding this comment.
Partially pre-existing: with the new EC J-PAKE block added, the structure become hard to follow:
if( direct_psk_to_ms )
{
/* get MS directly */
}
else
{
if( ecjpake )
{
/* compute PMS, dozens of line */
}
// here I have lost track of where in are in the control flow
/* derive MS from PMS */
}
I think we could directly return success at the end of the "get MS directly" block, saving one nesting level (no else).
| return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); | ||
| } | ||
| } | ||
| #endif |
There was a problem hiding this comment.
Minor and partially pre-existing (the few lines below): I find it weird that we are first computing the MS from the PMS, and only then printing out the PMS. It's a bit worse IMO with the addition of this new block: now it's (1) compute the PMS, (2) compute the MS, (3) print the PMS, while 1-3-2 would seem more natural to me.
| @@ -5769,6 +5894,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) | |||
| return( ret ); | |||
| } | |||
|
|
|||
|
|
|||
There was a problem hiding this comment.
Minor: seems spurious to me, we usually don't leave two blank lines in a row.
| { | ||
| status = psa_pake_output( &ssl->handshake->psa_pake_ctx, | ||
| step, p + 2 + output_offset, | ||
| end - p - output_offset - 2, |
There was a problem hiding this comment.
Minor: I think p - 2 - output_offset would be slightly better for consistency (and as it happens, alignment) with the line above.
| output_offset += output_len; | ||
| } | ||
|
|
||
| content_len = output_offset; |
There was a problem hiding this comment.
Question: why do we stop there instead of also computing the PMS as we do in the non-PSA case? If there's a reason, it's not obvious to me.
Generally speaking, it's a pre-existing issue with the code that the PMS is computed in various places for various key exchanges and this makes things really hard to follow at times. Let's not introduce more variations unless we have a good reason.
There was a problem hiding this comment.
Hmm it wasn't necessary before the addition of the custom SHA256 PMS for PAKE, so indeed I may have forgotten a step while migrating and it may explain why it doesn't work with the non-PSA implementation.
|
It's hard to validate correctness (are we using the correct format? computing the expected value for the shared secret? etc), not just for this PR, but for the entire EC J-PAKE line of work, because the key exchange is randomized and we can't use known-answer tests. So, I guess the only thing we can do is test interop with other implementations. I'm not aware of other implementations of the ECJPAKE key exchange in TLS out there, but now we have two in Mbed TLS: the version that uses PSA and the one that doesn't. Let's see if they can talk to each other: git checkout -- include/mbedtls/mbedtls_config.h
scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
make clean
make -C programs ssl/ssl_server2 ssl/ssl_client2
cp programs/ssl/ssl_server2 s2_no_use_psa
cp programs/ssl/ssl_client2 c2_no_use_psa
scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
make clean
make -C programs ssl/ssl_server2 ssl/ssl_client2
make -C programs test/udp_proxy test/query_compile_time_config
P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f ECJPAKE
P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f ECJPAKEAnd unfortunately the results are not looking good on my machine: I don't have time to debug now, I can have a look next week until you beat be to it, @superna9999 Also, based on this, I'm going to advocate that we add an |
|
@mpg thanks, I think I may missed something when adding support for #6115, in the first implementation it worked while developement when I implemented only the client and left the server using non-PSA. But when migrated to the custom KDF I may have missed step. I'll add the all.sh component to this PR as you suggest. |
|
Note: this will need rework once the I/O format of |
|
Finally I'm lacking time to review and update those PRs, I'm OK if those are taken over by @mprse @AndrzejKurek or @valeriosetti |
I'm currently trying to fix test issues reported by @mpg by rebasing this PR on top of PR #6390. Once I'll have something ready I'll open a new PR to continue this work |
|
Taken over by @valeriosetti in #6533 |
Description
TLS 1.2 has optional support for a key exchange based on EC J-PAKE, defined as part of the Thread standard, see MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED. Currently the implementation always uses the mbedtls_ecjpake API regardless of whether MBEDTLS_USE_PSA_CRYPTO is enabled.
This task it to make it use the PSA API when MBEDTLS_USE_PSA_CRYPTO is enabled.
Resolves #5847
Status
IN DEVELOPMENT
Requires Backporting
NO
Migrations
NO
Additional comments
Depends on #6115 to be merged
Todos
Steps to test or reproduce
ssl-opt.sh must run clean