ECDSA support for mbed TLS

[katzer]

About

This PR adds support for ECDSA for both key exchange and host key algorithms.

The following elliptic curves are supported:

• 256-bit curve defined by FIPS 186-4 and SEC1
• 384-bit curve defined by FIPS 186-4 and SEC1
• 521-bit curve defined by FIPS 186-4 and SEC1

[katzer]

@willco007 Any comments?

[tiennou]

I'm poking at this using the WIP testcase PR (I have an ECDSA userauth testcase coming up).

Right now it's causing memory corruption, as it seems you're missing a call to mbedtls_ecdsa_init before calling mbedtls_ecdsa_genkey. With that fixed, mbedTLS complains about "PK - invalid key tag or value" when trying to parse the key, as it doesn't seem to know about OpenSSH-type keys — as per pk_parse.c.

AFAIU all our key support matrix issues are caused by our hostkey support going like this :

• asks crypto backend to parse PEM/read DER (via init/initPEM).
• crypto backend might use its own parser, or it might use our PEM parser (mbedTLS does the former, OpenSSL does the latter).

Hence, you might be able to crack open the key using our PEM parser, and use the things inside to build the key manually. This SO question seems to imply it's doable.

[katzer]

@tiennou

I'm poking at this using the WIP testcase PR (I have an ECDSA userauth testcase coming up).

👍

Right now it's causing memory corruption, as it seems you're missing a call to mbedtls_ecdsa_init before calling mbedtls_ecdsa_genkey.

Strange, for me it works. But in general you're right. It's missing there. I'll add it.

mbedTLS complains about "PK - invalid key tag or value" when trying to parse the key, as it doesn't seem to know about OpenSSH-type keys

Only PEM/DER format is supported. I successfully tested userauth and remote command execution with a ecdsa key created as follows:

ssh-keygen -m PEM -t ecdsa -b 256 -q -f $HOME/.ssh/dev.key -N ""

That creates a EC PRIVATE KEY. I dont get your point why to use another PEM parser?

[tiennou]

I did ssh-keygen -t ecdsa -f key_ecdsa, and got this key out (OpenSSH_7.9p1, LibreSSL 2.7.3, on macOS 10.14.4).

That creates a EC PRIVATE KEY. I dont get your point why to use another PEM parser?

Because the one provided by mbedTLS doesn't handle OpenSSH keys (like the one I generated above), so you're leaving that one the table compatibility-wise. Would you be so kind to PR my repo with a couple of those EC PRIVATE KEY so I can add them to the testsuite?

Hence, we have "a bunch" of pem parsers, one which knows RSA/DSA, one which knows OpenSSH. This one is used by Libgcrypt and WinCNG. OpenSSL uses our OpenSSH parser, but its own for RSA/DSA. mbedTLS uses its own parser exclusively.

Do note that I'm trying to grasp how the codebase is architected at the moment, so take what I'm saying with a grain a salt, but I feel that the mbedTLS backend should follow the same logic and go through our parser as well. And then add EC PRIVATE KEY support to our parser, so that all backends can benefit. I have a branch trying to make the parser architecture "saner", but it's not ready yet, so I can't provide a baseline…

Arguably, I was misled by the format issue, so if I get one of those keys, I'll give it a try and review. It's one less missing feature after all 😉.

[katzer]

@tiennou @willco007 I've also added support to handle OpenSSL keys. Would be nice if one of you could review my PR.

[willco007]

@katzer the _libssh2_mbedtls_parse_openssh_key function only handles ecdsa style keys, I assume that is just because this is a WIP. Otherwise the parsing/building of the key type looks fine to me. 👍

[tiennou]

A few minor review comments, please take the macro stuff with a grain of salt.

AFAICT the mbedTLS backend never supported OpenSSH keys (OPENSSH PRIVATE KEY), the current architecture makes it hard to have consistent support for stuff, so I'm fine with it only supporting ECDSA keys for now.

[katzer]

@tiennou

A few minor review comments, please take the macro stuff with a grain of salt.

Done

AFAICT the mbedTLS backend never supported OpenSSH keys (OPENSSH PRIVATE KEY) [...] so I'm fine with it only supporting ECDSA keys for now.

Now I've implemented it, so lets keep it.

[katzer]

@willco007 @tiennou Any chance to see that being merged into master any time soon?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[willco007]

What state are we in with this, it looks ready to be merged, is that correct?

[katzer]

@willco007 Yes

[willco007]

I've added a couple comments about additional bounds checking, but otherwise it looks great. Thanks for the PR!

[willco007]

also advancing p here, and if bytes is 0 length this could go negative. Same below in the memmove.

[willco007]

This PR is still waiting on bounds checks updates I noted on May 15, thanks.