RFC8613: Add in OSCORE support

[mrdeep1]

Based on work done in https://gitlab.informatik.uni-bremen.de/obergman/libcoap

New directories with files
include/oscore
src/oscore

New files
src/coap_oscore.c
include/oscore/coap_oscore.h
include/oscore/coap_crypto_internal.h
include/oscore/coap_oscore_internal.h
man/coap-oscore-conf.txt.in
man/coap_oscore.txt.in

Supported by new option (enabled by default)
./configure --enable-oscore
cmake .. -DENABLE_OSCORE=ON

Requires a TLS library configured to do the OSCORE encryption and hashing.

[mrdeep1]

Added support for building with native Visual Studio.

Mainly updates to variable types to remove Windows variable size mismatch warnings.

[kkrentz]

Interesting. I had just finished my own implementation of OSCORE because I needed it. Does your implementation cover the session key establishment that is described in Appendix B.2 of the RFC?

[mrdeep1]

@kkrentz Simple answer is no. kid context is supported, but the defined protocol is not yet implemented, which is on my TODO list. I'm currently working on getting draft-ietf-core-oscore-groupcomm to work.

Was your implementation based off libcoap?

[kkrentz]

I also took Peter van der Stok's code as a basis, but did not bother retaining his implementation of group communication.

[mrdeep1]

Code update pushed with more rigours buffer checking and some reworking to better support the ongoing draft-ietf-core-oscore-groupcomm work.

[mrdeep1]

Code updated with more rigorous checking of buffer sizes along with some re-organization for better support of the draft-ietf-core-oscore-groupcomm work.

[mrdeep1]

Added in RFC8613 Appendix C test vectors to unit tests.

[mrdeep1]

Added in Appendix B.1.1 support. OSCORE specific API has been updated.

[kkrentz]

Does OSCORE specify what should happen when an RST is being received? Looking at your code, further retransmissions seem to be cancelled when an RST is being received. Since RSTs can (or even must?) be sent unauthenticated, an attacker can cancel the retransmission process, doesn't he?

[mrdeep1]

@kkrentz Interesting question

Does OSCORE specify what should happen when an RST is being received?

Not that I can find, even under the security considetations. However, RFC7252 https://datatracker.ietf.org/doc/html/rfc7252#section-11.4 does state

In principle, other kinds of spoofing can be detected by CoAP only in
case Confirmable message semantics is used, because of unexpected
Acknowledgement or Reset messages coming from the deceived endpoint.
But this imposes keeping track of the used Message IDs, which is not
always possible, and moreover detection becomes available usually
after the damage is already done. This kind of attack can be
prevented using security modes other than NoSec.

So, when using a security model other than NoSec, this kind of RST attack cannot occur. The RFC8613 libcoap implementation can provide (D)TLS wrappers to the OSCORE packets so security modes other than NoSec are supported.

Otherwise with NoSec, the RST can only terminate a retransmission, not the initial transmission.

[kkrentz]

I ended up ignoring RSTs. Of course, if you run DTLS in addition, you can process them.

[mrdeep1]

Added in configurable support for RFC8613 Appendix B.1.2 and Appendix B.2

[obgm]

Still working through this one. Force-pushes do not make reviewer's life easier.
There is a bunch of non-COSE, non-OSCORE stuff in the COSE header files. I would like to remove anything that is not OSCORE from this PR. I can point out specific parts in the next review.

[mrdeep1]

Still working through this one. Force-pushes do not make reviewer's life easier.

Apologies. Changes pushed this time as separate commits to be squashed in later.

There is a bunch of non-COSE, non-OSCORE stuff in the COSE header files. I would like to remove anything that is not OSCORE from this PR. I can point out specific parts in the next review.

Unnecessary stuff removed and changes pushed.

[obgm]

A few more comments from my side. I have reviewed everything except for the the oscore_cose.c and the coap_*tls.c adaptations.

Once again, thanks to Jon and Peter for this huge contribution. This is some really amazing stuff.

[obgm]

As you know, I like enums (or defines if combinable) for flags to enhance the code readability. This could be something like OSCORE_SEND_PARTIAL_IV vs. OSCORE_SEND_NO_IV.

[mrdeep1]

Fixed

[obgm]

One more thing: There is a comment on #ifdef HAVE_OSCORE vs. #if HAVE_OSCORE: Please note that there is currently a third variant: #if defined(HAVE_OSCORE).

[obgm]

Thanks for doing the updates. I found some nits you might consider before (squashing and) merging this PR.

[obgm]

This comment is hard to understand. What exactly are the definitions here?

[mrdeep1]

Comment deleted

[obgm]

For consistency, I suggest using all uppercase for #defined constants.

[mrdeep1]

I believe that they are all UCd now.

[obgm]

(Not sure about the IV length here—IIRC this depends on L in the CCM blocks which is not defined here.)

[mrdeep1]

Actually it is Nonce length. _IV_LEN changed to _NONCE_LEN in all the appropriate places.

[obgm]

"Signatue" → "Signature"

As this is one of the few comments in this file, this could at least be made a Doxygen comment.

[mrdeep1]

Corrected. All functions in this file now have Doxygen comments.

[obgm]

This seems redundant (also for the following *_hkdf_alg).

[mrdeep1]

Removed all the stub functions - would be a separate PR for RIOT etc. support.

[obgm]

The COSE definitions suggest that the (AEAD) IV can be up to 13 bytes. Is this a different type of IV?

[mrdeep1]

Actually, it is used for "Partial IV" which is used for the sender sequence number (8 bytes). Re-ordered code variable location and size to make this clearer.

[obgm]

This repeats a #definein another source file. I suggest moving this into the oscore_internal header for consistency. (The same may be true for AAD_BUF_LEN which is set to 200 elsewhere.)

[mrdeep1]

Deleted both #define as they are no longer relevant.

[obgm]

For safety reasons, I suggest using sizeof(zeroes_data) here and for zeroes.length.

[mrdeep1]

Agreed and corrected.

[obgm]

The part ALL=C sort looks bogus.

[mrdeep1]

Correct. All ALL=C corrected or removed as appropriate..