-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement non-PSA pk_sign_ext() #7930
Implement non-PSA pk_sign_ext() #7930
Conversation
Minor: please use github keywords to link this PR to that issue. |
I've assigned myself as a reviewer, but will wait until CI passes before I do a full review - for now I just had a quick look, and this looks like it's going in the right direction. Please ping me the CI is green! If you have trouble reproducing or understanding certain CI failures, feel free to ask questions! @valeriosetti Can I assume you'll also review this (when you're back)? |
4c3beac
to
51ee7de
Compare
@mpg After some trial and error I somewhat narrowed down and reduced the failures, but still don't have them quite figured out. I think that some were due to me having been too keen on removing references to But then, the remaining issue is that some CI tests are failing when using the PSA version of My latest commit, Then I think that the bigger (and actually maybe only) issue is between TLS 1.3 and PSA. Kind of the same story there I believe. I would appreciate some guidance or even fixes for these failures. |
b460e02 "test fix for CI failures" passed. Why are you not satisfied with it? (I haven't really looked at the code, I just came by to see if I could help with the CI results.) 51ee7de seems to be going in the wrong direction: it's making some tests depend on cbd3d3a doesn't look right either: if |
Because it dispatches based on I'll take a closer look. |
library/rsa.c
Outdated
@@ -1282,7 +1282,7 @@ int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx, | |||
|
|||
#if defined(MBEDTLS_PKCS1_V15) | |||
/* | |||
* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function | |||
* Implementation of the PKCS#1 v1.5 RSAES-PKCS1-V1_5-ENCRYPT function |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor: I think the comment was correct. Version 2.1 of the standard still defines the functions from the 1.5 standard, sometimes in a more precise way. The function has V1_5
in the name used by the standard, so it's unmabiguous.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh okay. So I assume it's the same for the others I changed?
I think the "except" clause is not correct: opaque keys are only supported when |
tests/suites/test_suite_pk.function
Outdated
size_t hash_len = mbedtls_md_get_size_from_type(md_alg); | ||
void const *options = NULL; | ||
mbedtls_pk_rsassa_pss_options rsassa_pss_options; | ||
memset(hash, 0x2a, sizeof(hash)); | ||
memset(sig, 0, sizeof(sig)); | ||
|
||
mbedtls_pk_init(&pk); | ||
PSA_INIT(); | ||
USE_PSA_INIT(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we want MD_OR_USE_PSA_INIT()
here: PSA needs to be initialized if USE_PSA
is on, but also, if MD is going to do any hashing via PSA.
@tomi-font Thanks for the summary! Form looking at the code, everything you did in the first three commits looks very reasonable and absolutely going in the right direction. A shame the CI doesn't agree :) Some of the later changes aimed at pacifying the CI are going in the wrong direction as you pointed out (moving back from Unless I'm missing something, I can't easily access the CI results for cead0db, so I'm not sure exactly what was failing before the attempts to fix the failures. I'll push a temporary branch with that commit in order to get that info. |
That's not quite the whole story. The TLS 1.3 code requires PSA Crypto APIs to be available, and always uses them for some operations. However, for other operations, it will use either PSA or legacy APIs depending on whether However, your point on testing stands: TLS 1.3 should work as soon as |
I've been looking into the TLS 1.3 failures. Perhaps there are multiple ones with different root causes, but the first I ran into is caused by When However, with TLS 1.3 we can't add a new requirement on users that "when I can see three possible ways out of this:
Rejected ideas:
|
Arguably the fact that PSS was possible with a key that wasn't explicitly configured for PSS (hence, by default, was configured for v1.5) was a policy violation, hence a bug which we should fix. But I'm not sure, because the legacy API isn't clear on what is normal use of the API and what is a policy guarantee. Does TLS 1.3 need RSA keys to work with both v1.5 and PSS? |
I wasn't sure either, for the same reason, so I checked if
So, that doesn't support the kind of solution I was suggesting, and instead rather supports your position that the fact that it worked at all may be considered a bug.
No, 1.3 only uses PSS for handshake signatures (v1.5 is still listed but can only be used inside cert chains). But I guess there is a natural (though arguably misguided on security grounds) desire to share RSA keys between 1.2 (which uses 1.5 only) and 1.3 (which uses PSA only) - at least, I think our tests heavily rely on that. Also, PK currently doesn't have a very good API for changing the padding mode on RSA keys (you need to use So, I think changing the behaviour of Wdyt? |
Thanks for your insights and reactivity!
I made the change from
I have some doubts on how doable this change actually is as the dependencies come from elsewhere than just the PK module. At least it seems that the original comment would need to be fixed.
At some point I rebased my branch to make sure I wouldn't fall too out of sync and in case some magic change would have fixed the issues. I think that's what caused the CI results to be wiped.
Indeed I stumbled upon this
What current behavior? The fact that a different (and supposedly incompatible) padding mode is accepted?
I agree with not making the scope of this PR bigger if possible. |
I'm still thinking about this. I'm bothered by the API, not just by the implementation. Whether we make a copy of the key, or relax the algorithm check in the low-level module, we're building an API that relies on cheating a key's policy. e6d1d82 chose to relax the algorithm check for PSS verification, which allowed 20422e9 to implement Enforcing key policies in a library isn't critical by itself since the caller can just access the content of the key. It only becomes a security restriction in the application as a whole or if there's a security boundary. The built-in RSA implementation doesn't have a security boundary. On the other hand, the PSA API can be implemented with a security boundary (and so can the legacy API but only with With respect to considering the application as a whole, I don't really agree with the implicit reasoning in e6d1d82 that it's ok to override the configuration of the key. Doing that when not intended can compromise an application if it starts accepting signatures that it didn't intend to accept. Even if it isn't opening a security hole by itself, it's at least potential for misuse. I don't think I would have agreed to the design of I'm still thinking about this, but currently I see two solutions:
|
@tomi-font Since this PR looks like it's going to be merged soon, I wanted to let you know that I've created #8647 which might be of interest to you (together with this PR, it should fully resolve #7126) if you'd like to make further contributions to Mbed TLS - which would be very much appreciated! |
This brings some improvements to comments/ function prototypes that relate to PKCS#1. Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
https://clangd.llvm.org/design/indexing#backgroundindex Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
This makes the function always available with its its implementation depending on MBEDTLS_USE_PSA_CRYPTO. Related dependencies and tests are updated as well. Fixes Mbed-TLS#7583. Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
And use it in the non-PSA version of mbedtls_pk_sign_ext() to bypass checks that didn't succeed when used by TLS 1.3. That is because in the failing scenarios the padding of the RSA context is not set to PKCS_V21. See the discussion on PR Mbed-TLS#7930 for more details. Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
Deprecated functions are removed and #ifdefs are updated accordingly. Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
They are replaced by MBEDTLS_USE_PSA_CRYPTO. Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
And remove the comment on the uniformity in the PK module with regards to PSA_CRYPTO_C not being referenced anymore; end users are probably not interested in that. Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
For real this time. Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Ok, so now we have two approvals and a green CI, but unfortunately conflicts have appeared after #8579 was merged. @tomi-font Can you fix them? Either by rebasing on top of recent development, or merging development into your branch, whatever works best for you. |
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
f77732e
to
851d8df
Compare
Yep, I noticed. I rebased on top of the latest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The rebase and conflict resolution look good to me.
I've set up auto-merge when ready, so if Valerio is happy with the rebase too, and the CI comes back green, this will be immediately added to the merge queue, to reduce risk of further conflicts! We'll see 🤞 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! 🤞
Description
This resolves #7583.
Details in commit messages.
PR checklist