-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add CNSA presets #9460
base: development
Are you sure you want to change the base?
Add CNSA presets #9460
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
Features | ||
* Add support for CNSA preset that supersedes NSA SuiteB. | ||
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -326,6 +326,7 @@ | |
|
||
#define MBEDTLS_SSL_PRESET_DEFAULT 0 | ||
#define MBEDTLS_SSL_PRESET_SUITEB 2 | ||
#define MBEDTLS_SSL_PRESET_CNSA 3 | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Please add some test cases for the CNSA preset in TLS. I'm not sure what they should look like; we don't seem to have tests for the existing SUITEB profile. We should have some test cases that demonstrate that if all the mechanisms are allowed then the handshake goes through, and some test cases that demonstrate that if a mechanism is rejected then the handshake is rejected. This should be doable in In particular, I want test cases that clarify the situation with respect to RSA signature algorithms in TLS 1.2 vs TLS 1.3. |
||
|
||
#define MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED 1 | ||
#define MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED 0 | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -335,6 +335,11 @@ extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next; | |
*/ | ||
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb; | ||
|
||
/** | ||
* CNSA profile. | ||
*/ | ||
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_cnsa; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Please add some test cases to |
||
|
||
/** | ||
* Empty profile that allows nothing. Useful as a basis for constructing | ||
* custom profiles. | ||
|
Original file line number | Diff line number | Diff line change | ||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
@@ -5651,6 +5651,16 @@ static const int ssl_preset_suiteb_ciphersuites[] = { | |||||||||||||||||
0 | ||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Not really in scope, but maybe we should add There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, I will make a separate commit |
||||||||||||||||||
}; | ||||||||||||||||||
|
||||||||||||||||||
/* As per rfc9151 */ | ||||||||||||||||||
static const int ssl_preset_cnsa_ciphersuites[] = { | ||||||||||||||||||
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, | ||||||||||||||||||
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, | ||||||||||||||||||
MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, | ||||||||||||||||||
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, | ||||||||||||||||||
Comment on lines
+5658
to
+5659
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We're going to remove RSA-encryption and non-EC DH in TLS 1.2 , so we won't have these two cipher suites anymore. |
||||||||||||||||||
MBEDTLS_TLS1_3_AES_256_GCM_SHA384, | ||||||||||||||||||
0 | ||||||||||||||||||
}; | ||||||||||||||||||
|
||||||||||||||||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) | ||||||||||||||||||
|
||||||||||||||||||
/* NOTICE: | ||||||||||||||||||
|
@@ -5795,6 +5805,38 @@ static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = { | |||||||||||||||||
}; | ||||||||||||||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ | ||||||||||||||||||
|
||||||||||||||||||
|
||||||||||||||||||
/* As per rfc9151 */ | ||||||||||||||||||
static const uint16_t ssl_preset_cnsa_sig_algs[] = { | ||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. As far as I understand, this list is supposed to cover both TLS 1.2 and TLS 1.3. Is this actually the case, given that the sigalgs for RSA in TLS 1.3 require the use of PSS, but TLS 1.2 doesn't do PSS? (It wasn't a problem for the other presets because if they allow RSA, they allow RSA without PSS.) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, the RFC does mention both 1.2 and 1.3., hence added separate entries: |
||||||||||||||||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ | ||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. That macro covers both 1.2 and 1.3, but the code here is specific to 1.3.
Suggested change
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Should I do the rebase once code review is done? or before? Please suggest. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm afraid that due to an increased workload, we've had to downgrade the priority of #4602 and many other issues. So I can't promise a re-review any time soon. I'm sorry about this. Given the time between reviews, it would be easiest for us if you rebase just before we're ready for re-review (we'll let you know). Preferably, |
||||||||||||||||||
defined(PSA_WANT_ALG_SHA_384) && \ | ||||||||||||||||||
defined(PSA_WANT_ECC_SECP_R1_384) | ||||||||||||||||||
MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, | ||||||||||||||||||
#endif | ||||||||||||||||||
#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_384) | ||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA384, | ||||||||||||||||||
#endif | ||||||||||||||||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(PSA_WANT_ALG_SHA_384) | ||||||||||||||||||
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, | ||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm not very familiar with where TLS 1.3 can use PSS. This looks weird to me: There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. https://datatracker.ietf.org/doc/rfc9151/ says:
So, included them both. |
||||||||||||||||||
#endif | ||||||||||||||||||
MBEDTLS_TLS_SIG_NONE | ||||||||||||||||||
}; | ||||||||||||||||||
|
||||||||||||||||||
|
||||||||||||||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) | ||||||||||||||||||
static const uint16_t ssl_tls12_preset_cnsa_sig_algs[] = { | ||||||||||||||||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ | ||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. That macro covers both 1.2 and 1.3, but the code here is specific to 1.3.
Suggested change
|
||||||||||||||||||
defined(PSA_WANT_ALG_SHA_384) && \ | ||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Note: using PSA guards for TLS 1.2 assumes that |
||||||||||||||||||
defined(PSA_WANT_ECC_SECP_R1_384) | ||||||||||||||||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384), | ||||||||||||||||||
#endif | ||||||||||||||||||
#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_384) | ||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. By the time we release Mbed TLS 4.0, we want to have
Suggested change
|
||||||||||||||||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384), | ||||||||||||||||||
#endif | ||||||||||||||||||
MBEDTLS_TLS_SIG_NONE | ||||||||||||||||||
}; | ||||||||||||||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ | ||||||||||||||||||
|
||||||||||||||||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ | ||||||||||||||||||
|
||||||||||||||||||
static const uint16_t ssl_preset_suiteb_groups[] = { | ||||||||||||||||||
|
@@ -5807,6 +5849,18 @@ static const uint16_t ssl_preset_suiteb_groups[] = { | |||||||||||||||||
MBEDTLS_SSL_IANA_TLS_GROUP_NONE | ||||||||||||||||||
}; | ||||||||||||||||||
|
||||||||||||||||||
static const uint16_t ssl_preset_cnsa_groups[] = { | ||||||||||||||||||
#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) | ||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, | ||||||||||||||||||
#endif | ||||||||||||||||||
#if defined(PSA_WANT_ALG_FFDH) | ||||||||||||||||||
MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, | ||||||||||||||||||
MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, | ||||||||||||||||||
Comment on lines
+5857
to
+5858
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
#endif | ||||||||||||||||||
MBEDTLS_SSL_IANA_TLS_GROUP_NONE | ||||||||||||||||||
}; | ||||||||||||||||||
|
||||||||||||||||||
|
||||||||||||||||||
#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) | ||||||||||||||||||
/* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs` | ||||||||||||||||||
* to make sure there are no duplicated signature algorithm entries. */ | ||||||||||||||||||
|
@@ -5976,6 +6030,29 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf, | |||||||||||||||||
* Preset-specific defaults | ||||||||||||||||||
*/ | ||||||||||||||||||
switch (preset) { | ||||||||||||||||||
/* | ||||||||||||||||||
* CNSA | ||||||||||||||||||
*/ | ||||||||||||||||||
case MBEDTLS_SSL_PRESET_CNSA: | ||||||||||||||||||
|
||||||||||||||||||
conf->ciphersuite_list = ssl_preset_cnsa_ciphersuites; | ||||||||||||||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) | ||||||||||||||||||
conf->cert_profile = &mbedtls_x509_crt_profile_cnsa; | ||||||||||||||||||
#endif | ||||||||||||||||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) | ||||||||||||||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) | ||||||||||||||||||
if (mbedtls_ssl_conf_is_tls12_only(conf)) { | ||||||||||||||||||
conf->sig_algs = ssl_tls12_preset_cnsa_sig_algs; | ||||||||||||||||||
} else | ||||||||||||||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ | ||||||||||||||||||
conf->sig_algs = ssl_preset_cnsa_sig_algs; | ||||||||||||||||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ | ||||||||||||||||||
#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) | ||||||||||||||||||
conf->curve_list = NULL; | ||||||||||||||||||
#endif | ||||||||||||||||||
conf->group_list = ssl_preset_cnsa_groups; | ||||||||||||||||||
break; | ||||||||||||||||||
|
||||||||||||||||||
/* | ||||||||||||||||||
* NSA Suite B | ||||||||||||||||||
*/ | ||||||||||||||||||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a bit nitpicky, but in the context of Mbed TLS, the CNSA preset doesn't supersede the suite B preset: we now have both.
Also, for the unfamiliar, it's not clear what “CNSA preset” is about.
Suggestion: