-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Study: build TLS without ECP #6004
Comments
We can get a list of external symbols used by libmbedtls in a full config (which has
and then look at The good: this confirms no dependency on ecdh or ecdsa. This confirms dependencies on ecjpake which are known and will be addressed in #5847. (Also the same method for X.509 confirms no dependency on ecdh, ecdsa, ecjpake or ecp.) The less good:
Preliminary analysis:
|
Hi @mpg,
Please note that this is the first time for me to work on this repo, so I'm aware that my proposal can be totally garbage. But in case it makes any sense to you, just let me know and I'll open a PR to let you check it. |
Just some quick thoughts on the first part. The type This is highly visible in a lot of places: what's the input/output formats of But now things are changing, we intend to retire all those So, all the TLS-specific constants and helper functions should now live in TLS: that's the Regarding the generic data, like bit size etc, I'm not sure yet where that should live, might be a new module |
Code using the PSA API (e.g. all parts of the code under |
Note (just as I was going through old issues and noticed one that might be related): similarly to what we're gonna do for hashes identifiers in MD, we might want to make ECP group ID to make them more similar to PSA identifiers, which are a pair (family, bitsize). The primary purpose would be to save code size in the conversion functions ECP <-> PSA, but as it happens, I think that would also be a step towards #2375 |
Sorry, but it's not totally clear to me how I can help here.
|
@valeriosetti I'll create issues tomorrow! Sorry, been a bit busy recently and hadn't noticed you were already done with 6702. |
Closing, superseded by #6839 that takes a larger view of the issues at hand. |
As of current development, when
MBEDTLS_USE_PSA_CRYPTO
is enabled, TLS uses only PSA Crypto for all ECDH(E) and ECDSA crypto operations; after #5847 that will be the case for EC J-PAKE operations as well. However, TLS still uses functions from the ECP module for non-crypto operations, such as information management (converting between TLS/IANA id and internalgrp_id
, querying curve size, etc.) and key import/export.This task is to study how to get rid of those dependencies and create an estimated series of task achieving this result.
The text was updated successfully, but these errors were encountered: