New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FFDH 3: use in TLS 1.3 #5979
Comments
You may be aware of this already, but there is also the change between 1.2 and 1.3 with respect to the negotiated key: 1.2 says
1.3 says
|
Good point. Fortunately, what TLS 1.3 requires is what PSA Crypto does according to
So, here again, the PSA Crypto API is a better match for TLS 1.3 than for 1.2, which is not really surprising, as both TLS 1.3 and the PSA API benefit from more accumulated knowledge than TLS 1.2. |
I'm probably missing something, but I think that some changes in computation will be also needed as we need to use FFDH keys somewhere. For example here: mbedtls/library/ssl_tls13_client.c Lines 287 to 337 in d5b1eb5
From my point of view |
Yes, in my mind that's the negotiation, and clearly that part has to change. When I said the computation itself should work the same, I meant things like generating a key pair, sending the public part and computing the shared secret - I think those parts will use the same PSA functions, just with different arguments for key type / alg / size / etc. How we choose those arguments and communicate with our peer about it, indeed needs to change. I mean if you look at the comment below about dispatching based on the key exchange mechanism (KEM) and the fact that each will have its own branch, it is my initial impression (which may be wrong) that ECDH and FFDH should be able to use the same function, just with different parameters. As opposed to (future) PQC key exchanges which are likely to need entirely different code. Does that make sense? Do you think I'm missing something? (I'm not super familiar with the 1.3 code.) |
The FFDH PR is still under review, but I refreshed PR #6102. The For example to test our implementation with
The handshake fails, but I'm not sure if this is correct usage of gnutls client.
EDIT:
It seem that our version of `OpenSSL 1.1.1a 20 Nov 2018' does not support ffhde groups for tls 1.3. It was added later(openssl/openssl#8178). EDIT: |
@mprse Considering this is about TLS 1.3, I guess @ronald-cron-arm or @yuhaoth may be more able to help than me. I'm not seeing anything obviously wrong in the above call. |
Context: TLS 1.3 (RFC 8446) supports key exchange either with ECDHE or DHE (aka Finite-Field Diffie-Hellman or FFDH). Contrary to TLS 1.2 where those are seen as different key exchange mechanisms, in TLS 1.3 they are treated as variants of the same mechanisms, distinguished only by the just of "group" (an elliptic curve of finite field); this matches nicely the PSA Crypto API for key agreement, which works in the same way. Also, TLS 1.3 only supports FFDH on named groups which again matches nicely the PSA Crypto API.
This task is to implement support for DHE key exchange in TLS 1.3. Most of the code should be shared with ECDHE and only minor extensions should be needed:
ssl_preset_default_groups
.ssl_write_supported_groups_ext()
.ssl_tls13_parse_supported_groups_ext()
(might consist of adjustingmbedtls_ssl_named_group_is_supported()
).ssl_client2.c
andssl_server2.c
- this can be done either by making the existingcurve
command-line option accept FFDH groups as well, or creating a new option that does.ssl-opt.sh
- one positive test per group, plus a negative test for when the client and server have no group in common (for example, one only has EC the other only FF).ssl-opt.sh
we also want positive tests using OpenSSL and GnuTLS for each group. (This partially makes up for the lack of official test vectors.)Note: Currently (and until Mbed TLS 4.0) the API for configuring supported groups is not as clean as we'd like, as it consists of two functions:
mbedtls_ssl_conf_curves()
(deprecated but still supported until 4.0, only allows configuring curves) andmbedtls_ssl_conf_groups()
(recommended, allows configuring both curves and finite fields). We jump through a few hoops internally to make this work, see the implementations of these two functions, as well asmbedtls_ssl_get_groups()
.Note: Unlike elliptic curves, there is not per-group config options, if FFDH is supported then all groups are supported, see PSA conditional inclusion documentation
Depends on: #3261, #5912
The text was updated successfully, but these errors were encountered: