MD: HMAC in DTLS cookies #5174
Comments
@mpg I implemented both follow-ups, and I have some remarks:
Not that I know of (I've looked a bit and couldn't find any issue). Would you be interested in creating a PR to fix that once #5602 is merged? That would mean also creating a PR for 2.28 as bug fixes need backporting. If you'd rather not and prefer to focus on PSA work instead, no problem of course, I'll just open an issue to track this.
In `ssl_cookie.c`, when `MBEDTLS_USE_PSA_CRYPTO` is enabled, move from using the `mbedtls_md_hmac` API to the `psa_mac` API, and from using the user-provided RNG for key generation to using `psa_generate_key()`.

- In `struct mbedtls_ssl_cookie_ctx`, store the key as a `mbedtls_svc_key_id_t` instead of a `mbedtls_md_context_t`, with corresponding adaptations in `mbedtls_ssl_cookie_init()` / `mbedtls_ssl_cookie_free()`.
- In `mbedtls_ssl_cookie_setup()`, set up appropriate attributes and use `psa_generate_key()`.
- In `ssl_cookie_hmac()`, use `psa_mac_sign_setup()`, `psa_mac_update()` and `psa_mac_sign_finish()`.

Note: the `hmac_ctx` in the `cookie_ctx` serves two purposes: (1) store the key, and (2) provide a context for multi-part operations. With PSA those roles are distinct; only the key needs to be in the context, the `psa_mac_operation_t` object should be internal to `ssl_cookie_hmac()`.

Possible follow-ups (either do them in the same PR if easy enough, or open (an) issue(s) to track):

- When `MBEDTLS_USE_PSA_CRYPTO` is enabled, we no longer need a mutex in the `cookie_ctx` to protect the `mbedtls_md_context_t`, since the `psa_mac_operation_t` object is now local to the function that uses it. OTOH, when a `serial` field is present, incrementing it should be protected by the mutex (this is a pre-existing bug).
- The above uses `psa_mac_sign` and, for verification, does the constant-time `memcmp()` manually. Would it be better to use `psa_mac_verify`? Perhaps not (less code sharing between generation and verification). We need to make a decision.
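As an added illustration (not Mbed TLS code), the structure described above modelled in Python: the standard `hmac` module stands in for the `psa_mac` API and `os.urandom()` for `psa_generate_key()`, the context holds only the key and the `serial`, the MAC operation is local to `cookie_hmac()`, verification recomputes the tag and compares it in constant time (the sign-plus-compare option), and the serial increment is done under the lock. The 4-byte prefix, 28-byte truncated tag, SHA-256 and the `CookieCtx`/`cookie_*` names are this example's assumptions, not the library's.

```python
import hashlib
import hmac
import os
import struct
import threading

COOKIE_PREFIX_LEN = 4                      # serial (or timestamp) prefix, assumed
COOKIE_HMAC_LEN = 28                       # truncated tag length, assumed
COOKIE_LEN = COOKIE_PREFIX_LEN + COOKIE_HMAC_LEN


class CookieCtx:
    """Cookie context in the PSA style: it owns a key and a serial, but no
    MAC operation object (that is created per call in cookie_hmac)."""

    def __init__(self):
        self.key = os.urandom(32)          # stands in for psa_generate_key()
        self.serial = 0
        self.lock = threading.Lock()       # protects serial, not a MAC context


def cookie_hmac(ctx, prefix, client_id):
    """Tag over prefix || client_id with a fresh, function-local MAC
    operation (the analogue of a local psa_mac_operation_t)."""
    op = hmac.new(ctx.key, digestmod=hashlib.sha256)   # psa_mac_sign_setup()
    op.update(prefix)                                   # psa_mac_update()
    op.update(client_id)                                # psa_mac_update()
    return op.digest()[:COOKIE_HMAC_LEN]                # psa_mac_sign_finish()


def cookie_write(ctx, client_id):
    """Issue a cookie: read-and-increment the serial under the lock, since
    two concurrent callers must not hand out the same serial."""
    with ctx.lock:
        serial = ctx.serial
        ctx.serial = (ctx.serial + 1) & 0xFFFFFFFF
    prefix = struct.pack(">I", serial)
    return prefix + cookie_hmac(ctx, prefix, client_id)


def cookie_check(ctx, cookie, client_id):
    """Verify by recomputing the tag and comparing in constant time; the
    length check comes first so a truncated cookie is rejected outright."""
    if len(cookie) != COOKIE_LEN:
        return False
    prefix, tag = cookie[:COOKIE_PREFIX_LEN], cookie[COOKIE_PREFIX_LEN:]
    expected = cookie_hmac(ctx, prefix, client_id)
    return hmac.compare_digest(expected, tag)
```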