-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mbedtls_ecp_point_read_binary from compressed fmt #6282
Conversation
0b65d06
to
9319e30
Compare
Can you please explain why you want to add this feature, which as previously noted has been somewhat deprecated in TLS for several years? Is this for a protocol that's not TLS (which can be a good justification, despite the name “Mbed TLS”, the crypto library is not just for TLS)? In any case I really don't see any justification for backporting it. |
As I noted above:
More details: hostap test suite uses compressed format in some places. hostap is widely used. I am attempting to port hostap to be able to use mbedtls |
9319e30
to
1ae8df8
Compare
Hi, and thanks for your contribution. Since you've linked to previous issues and PRs, you are aware that this is a feature we have rejected a few times already. Let me sum up the reasons:
However, standards in general and TLS in particular are not everything. If the feature is used widely enough in practice, it might be worth paying the price. You claim this is a major missing feature; I'd like to see that claim substantiated. The fact that this has been requested for the fourth time indeed points in that direction, but I'll note that the 3 links you gave didn't explain why this was needed; there's also #1608 which just said "if it's supported in writing, it should be supported in reading", which IMO is weak. So, your PR is the first one to offer an explanation: you want this in order to pass the hostap test suite. First, thanks for providing that justification, but I'm afraid I'll answer with a few more questions: why is the hostap test suite using this format? Is it on purpose, or just by happenstance (like, this was the default format of the tool used to generate the test data? I'm unfamiliar with the protocol hostapd implements: is support for this format necessary to interop with other implementations or is there some kind of negotiation where each implementation can advertise what it supports (as in TLS, which is why we never need support for TLS? Whether we want to support that feature depends on the answers to those questions; for example if it's necessary to interop with other implementations of a widely-used protocol, I'd say that's a clear yes; if it's just to pass a test suite that happens to use it by accident, I think that test suite should be improved instead. Regardless, I want to state upfront that we are unlikely to accept adding this to 2.28; the bar for adding features to LTS branches is very high and this would require very strong justification. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did a quick review just to gauge the amount of work that will be needed if we accept this. Things are looking good overall, I think most of the work would be on improving testing and documentation/comments. Perhaps we'll want this to be guarded by a compile-time option as well.
Anyway, I don't recommend you spend time on updating this PR in response to my comments before we have progressed the discussion about where we want to support the feature at all.
1ae8df8
to
ca602e4
Compare
An argument that I can give to you for why this feature should be included in mbedtls in some way is as follows: @mpg wrote:
Agreed. What do you suggest for a compile-time option name? With a compile-time option, perhaps default disabled, there should hopefully be less of an argument about whether or not to include this small amount of additional code in mbedtls to support the optional feature to parse the compressed format, even if it is now deprecated/forbidden by the standards. Separately, I plan to look further into the hostap code to see if the compressed format is used only in the test suite, or if it might be produced by the widely used hostapd and wpa_supplicant code. In the latter case, if it turns out to be true, then even if the code is modified to cease using the compressed format, there would be existing code out in the wild still using the compressed format. This remains to be determined. |
I think we fully agree on that. But it's a fairly generic argument, which applies to all crypto constructs. We don't want to implement every single crypto alg or format that ever existed (for example, we never had support for binary curves, only primes), so in addition to that general argument, we need some reason to include this format specifically - evidence that it's widely used in production.
That's the kind of thing I'm talking about. If the format might be produced by hostapd or wpa_supplicant, then as far as I'm concerned that's clearly a very strong argument to support this format. (And I fully agree that the argument holds as soon as it's produced by versions that are still in use, even if not the latest.) If on the other hand it's just the test suite, IMO the argument is much weaker - though I can see that passing existing test suites of widely-used software, even if they're using more than they should, is desirable it itself, as it would have saved you time in your porting effort (but then again, part of me is tempted to argue the test suite would be to blame here, if it had no good reason to use this format).
I don't know. Perhaps
As a general principle, we try to avoid adding too many config options, as they tend to add to the testing complexity. However this particular one doesn't seem likely to interact with too many things, so it's probably fine. PS: there are a few tests failing, in a lot of components. I only had a quick look, but it seems it's mostly negative cases. We can probably just use another value for the first bytes (AFAIK, 0x01 and 0x05 are never valid). Hopefully the same tests are failing in all the components, so just getting |
Just for information, because I don't think many people know about this: you can get a list of test cases and their outcomes (pass/fail) in a machine-processable form from the file
This confirms that indeed it's only negative cases that need to be adjusted because reading a compressed point is no longer invalid. |
I have confirmed that hostapd and wpa_supplicant (in hostap repo) produce COMPRESSED format in interface
and COMPRESSED format is used in hostapd and wpa_supplicant when the second argument is 0:
I'll try to update the PR this weekend. Thank you for the testing hints, @gilles-peskine-arm |
Thanks for looking into this! Since there's a popular piece of software that produces the compressed format, I agree that it's good for Mbed TLS to accept it. However, I do not see a justification to add it in the long-time support branch. Mbed TLS 2.28.0 already did not work with hostapd. Hostapd interoperability is a new feature that will require at least Mbed TLS 3.3. |
FYI: my prototype in openwrt/openwrt#10727 currently requires
I am working my way up the stack and am in the process of implementing mbedtls support for hostap/wpa_supplicant EAP, SAE, and DPP. Lower layers already work with mbedlts 2.28.1 and mbedtls 3.2.1. (The prototype includes support -- outside of mbedtls -- for handling the COMPRESSED point format, and was the basis for this PR.) |
Tests with invalid point encoding beginning 0x01 and 0x05 now return I still need to add some tests beginning with compressed point encodings 0x02 and 0x03 to exercise expected failure cases. |
Additional tests added and tests pass. Ready for review. Please note that this PR cherry-picks cleanly onto mbedtls-2.28.1 with the exception of a trivially resolvable merge conflict in tests/suites/test_suite_ecp.data since some Curve448 tests were added between 2.28.1 and 3.x development branch. The PR is well-contained. It is binary compatible in that it does not expose any new symbols or remove any symbols, and does not change any structure sizes. In Short Weierstrass curves with prime p where p = 3 mod 4, mbedtls_ecp_point_read_binary() handles |
@mpg this change resulted the failed tests above:
Is my syntax incorrect? I force-pushed without that change and Travis CI builds now pass. ...I really dislike macros that have a magic implied argument rather than having all args passed. |
Your syntax is correct, my suggestion wasn't, sorry.
You're not alone! There was some disagreement in the team about these macros, and it's not unlikely they may disappear or take a different shape in the future. |
I think compilers are allowed to ignore the
So, the code's just a little bit smaller in the new version, but not by much. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me. I just had an idea that might save code size, but this time I'll test it myself in order to avoid wasting your time again it case it doesn't work.
library/ecp.c
Outdated
mbedtls_mpi_free( &exp ); | ||
return( ret ); | ||
} | ||
#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor: we can now remove this #endif
and the next #if
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the style convention for #if
around multiple funcs? When a macro wraps more than a single function, I tend to add a blank line above and below the #if
and the #endif
. Since such change does not really save any lines of code for the two unrelated functions now next to each other, I'll wait for your response before making further changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚀
Ok, seems to work this time (at least passing
The idea is that computing |
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
@mpg I cherry-picked your improvement and I removed the duplicated consecutive preprocessor directives. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Note: unless I'm mistaken, this PR automatically adds ability to parse EC keys with compressed points in PK parse. However, that's not tested at the moment, so I've created an issue to add tests for that: #6886 Is there anything else that's supposed to automatically work thanks to this PR but that's not tested yet? |
@mpg These were posted earlier in this PR: PSA is missing this (and missing tests). See consecutive comments above: library/ssl_tls12_{server,client}.c
|
Thanks, but I don't think those meet the first criterion: supposed work automatically thanks for this PR. I was looking for test gaps relative to the current feature set, not possible feature extensions. Regarding PSA, this raises questions about portability and the driver API, so this is going to involve deeper discussions. Regarding TLS, compressed points have been deprecated for more that 3 years now (RFC 8422) so I don't think we are going to ever add support for them in TLS. |
@mpg the change to |
The number of lines of code it would take is quite irrelevant here. The hard part is https://github.com/ARM-software/psa-crypto-api/issues/565
This might be the reason you didn't include that patch, but I think if you had included we'd have either rejected that part or delayed your PR until https://github.com/ARM-software/psa-crypto-api/issues/565 is resolved, which seems like a worst outcome. |
https://github.com/ARM-software/psa-crypto-api/issues/565 is in a private repository — it's an issue to add support for compressed points to the PSA API. It's not just a trivial matter of saying “if the first byte of a public key is 02 or 03 then …” because PSA can use drivers, and what if the driver doesn't support compressed points? PSA aims to work on minimalistic embedded systems, so we can't just have a blanket requirement to support all formats. |
Description
mbedtls_ecp_point_read_binary()
fromMBEDTLS_ECP_PF_COMPRESSED
formatStatus
READY
Requires Backporting
NO
Migrations
NO
Additional comments
While this is a feature, it adds major missing functionality that has cost me days of time troubleshooting and fixing in the hostap test suite. Please backport to mbedtls-2.28 branch.
Todos