
mbedtls should provide a constant time MD / HMAC check function #3040

Open
JaapKeuter opened this issue Feb 12, 2020 · 3 comments · May be fixed by #9461
Assignees
Labels
component-crypto Crypto primitives and low-level interfaces enhancement help-wanted This issue is not being actively worked on, but PRs welcome.

Comments

@JaapKeuter

  • Type: Enhancement\Feature Request
  • Priority: Minor

With the focus on creating the MD / HMAC it is easy to forget that before further processing a received packet one should check the MD / HMAC first, and that this check should be done in a constant-time manner. This is in order not to reveal any partial correctness of the MD / HMAC; therefore a simple memcmp() won't do. It would be nice if mbedtls, besides helping to generate the MD / HMAC, provides a safe way to check the MD / HMAC on a received packet.

@gilles-peskine-arm gilles-peskine-arm added component-crypto Crypto primitives and low-level interfaces enhancement help-wanted This issue is not being actively worked on, but PRs welcome. labels Feb 13, 2020
@gilles-peskine-arm
Contributor

gilles-peskine-arm commented Feb 13, 2020

I agree. The new PSA API provides such functions (psa_hash_compare, psa_hash_verify, psa_mac_compare, psa_mac_verify).

As we're moving from mbedtls_xxx to psa_xxx for the crypto API, we don't plan to evolve the mbedtls_xxx crypto API much. However I don't have any objections to adding such functions.

The library already has a function to do the comparison: mbedtls_ssl_safer_memcmp. We should make this function official, and part of libmbedcrypto rather than libmbedtls. We can put it in md.c, or in a new constant_time module.

@gilles-peskine-arm
Contributor

The current plan is to move (and probably rename) mbedtls_ssl_safer_memcmp to a new module dedicated to constant-time code, which would be available from any crypto code that needs it. Then we can add functions like mbedtls_md_verify without duplicating code.

@gilles-peskine-arm
Contributor

Since Mbed TLS 2.28.0/3.0.0, there is a function mbedtls_ct_memcmp in libmbedcrypto. You can use it to verify a MAC.

I'm not marking this issue as resolved because you have to know this function exists and you have to think of using it. At the very least, the documentation of md, cmac, ccm, gcm and chachapoly should tell users to use this function to compare the MAC/tag. Preferably there should be dedicated functions (which would be simple wrappers) in those modules.
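As an added illustration, not Mbed TLS's own code (the library's real function is the mbedtls_ct_memcmp mentioned above): a constant-time byte comparison of the kind the thread describes, beside the memcmp()-based check it replaces, and a hypothetical mac_verify wrapper in the spirit of the proposed mbedtls_md_verify. The tag values are constructed for the demo and are not real MAC output.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constant-time comparison of n bytes. Every byte pair is XORed and OR-ed
 * into diff with no data-dependent branch or early exit, so the running
 * time does not depend on which byte (if any) first differs. Returns 0 when
 * equal, non-zero otherwise. Illustrative re-implementation, not the
 * library's mbedtls_ct_memcmp. */
int ct_memcmp(const void *a, const void *b, size_t n)
{
    const volatile unsigned char *pa = (const volatile unsigned char *)a;
    const volatile unsigned char *pb = (const volatile unsigned char *)b;
    volatile unsigned char diff = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        diff |= (unsigned char)(pa[i] ^ pb[i]);
    }
    return (int)diff;
}

/* The check the issue warns against: memcmp() may stop at the first
 * differing byte, so its timing can reveal how many leading bytes matched. */
int naive_mac_verify(const unsigned char *expected,
                     const unsigned char *received, size_t len)
{
    return memcmp(expected, received, len) == 0;
}

/* Hypothetical wrapper (assumed name and shape, not an Mbed TLS API):
 * compares the tag the receiver recomputed against the tag carried in the
 * packet. A length mismatch is rejected outright; otherwise the bytes are
 * compared in constant time. Returns 1 when the tag is valid, 0 otherwise. */
int mac_verify(const unsigned char *expected, size_t expected_len,
               const unsigned char *received, size_t received_len)
{
    if (expected_len != received_len) {
        return 0;
    }
    return ct_memcmp(expected, received, expected_len) == 0;
}

/* Constructed sample tags for the demonstration (not real MAC output). */
static const unsigned char TAG_EXPECTED[8]     = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
static const unsigned char TAG_RECEIVED_OK[8]  = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
static const unsigned char TAG_RECEIVED_BAD[8] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x05};

int main(void)
{
    printf("good tag: %d\n", mac_verify(TAG_EXPECTED, 8, TAG_RECEIVED_OK, 8));
    printf("bad tag:  %d\n", mac_verify(TAG_EXPECTED, 8, TAG_RECEIVED_BAD, 8));
    return 0;
}
```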
