Add CNSA presets

[krish2718]

CNSA supersedes NSA SuiteB crypto suites, esp. brings back RSA with higher modulus (>=3072). This was based on RFC9151, see [1].

Implements #4602.

[1] - https://datatracker.ietf.org/doc/rfc9151/

Description

Add support for CNSA preset, mainly for RSA3K support, else need to fallback to DEFAULT to use RSA instead of SuiteB.

PR checklist

Please remove the segment/s on either side of the | symbol as appropriate, and add any relevant link/s to the end of the line.
If the provided content is part of the present PR remove the # symbol.

• changelog provided
• development PR provided
• framework PR not required
• 3.6 PR not required because: it's a new feature, no need to backport
• 2.28 PR not required because: it's a new feature, no need to backport
• tests not required because: all tests use DEFAULT preset, haven't seen any for SuiteB, so skipped for CNSA as well, but if needed can add

[gilles-peskine-arm]

Thank you very much for contributing this! We'll review it shortly.

[gilles-peskine-arm]

Please avoid rebasing once the pull request is in review. It's ok for now because I haven't started reviewing yet, but if you want to make more changes, please make them in separate commits.

We encourage small commits that only do one thing.

[krish2718]

Please avoid rebasing once the pull request is in review. It's ok for now because I haven't started reviewing yet, but if you want to make more changes, please make them in separate commits.

We encourage small commits that only do one thing.

Sorry, I did read those instructions, but old habit of rebase, will follow that norm, thanks.

[gilles-peskine-arm]

Thank you very much for contributing this! I've reviewed the code and there are a few things I'm not sure of, perhaps because I'm not deeply familiar with TLS 1.3.

At some point, we'll need to rebase or merge with the current development branch, because the preprocessor symbols that control cryptographic mechanisms are evolving. However, given that this evolution is still ongoing and I can't promise fast reviews, it would be best to wait until further notice.

[gilles-peskine-arm]

It's a bit nitpicky, but in the context of Mbed TLS, the CNSA preset doesn't supersede the suite B preset: we now have both.

Also, for the unfamiliar, it's not clear what “CNSA preset” is about.

Suggestion:

Add a CNSA certificate profile for X.509 and TLS. This is intended as a successor of NSA Suite B.

[gilles-peskine-arm]

We're going to remove RSA-encryption and non-EC DH in TLS 1.2 , so we won't have these two cipher suites anymore.

[gilles-peskine-arm]

Not really in scope, but maybe we should add MBEDTLS_TLS1_3_AES_128_GCM_SHA256 and MBEDTLS_TLS1_3_AES_256_GCM_SHA384 to suiteb?

[krish2718]

Yes, I will make a separate commit

[gilles-peskine-arm]

As far as I understand, this list is supposed to cover both TLS 1.2 and TLS 1.3. Is this actually the case, given that the sigalgs for RSA in TLS 1.3 require the use of PSS, but TLS 1.2 doesn't do PSS? (It wasn't a problem for the other presets because if they allow RSA, they allow RSA without PSS.)

[krish2718]

Yes, the RFC does mention both 1.2 and 1.3., hence added separate entries: ssl_preset_cnsa_sig_algs and ssl_tls12_preset_cnsa_sig_algs.

[gilles-peskine-arm]

That macro covers both 1.2 and 1.3, but the code here is specific to 1.3.

Suggested change

	#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
	#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) && \
	defined(PSA_HAVE_ALG_SOME_ECDSA) && \

PSA_HAVE_ALG_SOME_ECDSA replaces MBEDTLS_PK_CAN_ECDSA_SOME. It may be necessary to rebase this pull request for the CI to pass with PSA_HAVE_ALG_SOME_ECDSA.

[krish2718]

Should I do the rebase once code review is done? or before? Please suggest.

[gilles-peskine-arm]

I'm afraid that due to an increased workload, we've had to downgrade the priority of #4602 and many other issues. So I can't promise a re-review any time soon. I'm sorry about this.

Given the time between reviews, it would be easiest for us if you rebase just before we're ready for re-review (we'll let you know). Preferably, git range-diff origin/development OLD-COMMIT-ID NEW-COMMIT-ID should give a usable result.

[gilles-peskine-arm]

By the time we release Mbed TLS 4.0, we want to have

Suggested change

	#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_384)
	#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) && defined(PSA_WANT_ALG_SHA_384)

[gilles-peskine-arm]

Suggested change

	#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
	#if defined(PSA_WANT_ALG_ECDH) && defined(PSA_WANT_ECC_SECP_R1_384)

[gilles-peskine-arm]

Suggested change

	MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072,
	MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096,
	#if defined(PSA_WANT_DH_RFC7919_3072)
	MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072,
	#endif
	#if defined(PSA_WANT_DH_RFC7919_4096)
	MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096,
	#endif

[gilles-peskine-arm]

Please add some test cases to test_suite_x509parse that exercise the CNSA profile (similar to what we already have for suiteb). E.g. have a test case with an RSA-3072 or RSA-4096 signature that's accepted, and one with an RSA-2048 signature that's rejected.

[gilles-peskine-arm]

Please add some test cases for the CNSA preset in TLS. I'm not sure what they should look like; we don't seem to have tests for the existing SUITEB profile. We should have some test cases that demonstrate that if all the mechanisms are allowed then the handshake goes through, and some test cases that demonstrate that if a mechanism is rejected then the handshake is rejected. This should be doable in test_suite_ssl, but will require a new function that calls mbedtls_ssl_config_defaults with a preset that's given in the test data.

In particular, I want test cases that clarify the situation with respect to RSA signature algorithms in TLS 1.2 vs TLS 1.3.