Build with only montgomery curves (+ DJB configuration) #2013
Conversation
Fix a spurious dependency requirement that prevented a build with no elliptic curve other than Curve25519 and Curve448.
Fix the build when the only elliptic curves are Montgomery curves.
We declare the function unconditionally, but it returns FEATURE_UNAVAILABLE for Montgomery curves.
Fix warning about unused functions when the only elliptic curves are Montgomery curves.
In the TLS test programs ssl_client2 and ssl_server2, use HMAC_DRBG if CTR_DRBG is not available.
gilles-peskine-arm
added
bug
mbed TLS team
needs-review
| (void) P; | ||
| (void) n; | ||
| (void) Q; | ||
| return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ); |
There was a problem hiding this comment.
Why do we prefer a run-time error in this case to a link-time error?
There was a problem hiding this comment.
Because the function existed and I don't want to remove a function in a minor version.
There was a problem hiding this comment.
I'm don't think compatibility considerations apply here, as they would only matter for a non-default configuration that was simply not possible before (and never was). Prior to that change, with only Mongomery curves, you couldn't build ecp.c, so you didn't have that function either. After that change, with only Montgomery curves, you would start having the rest of the module but no that function, which you didn't have anyway. So I think I would prefer compile-time exclusion here.
Note that removing this function at compile-time also means making ECDSA dependent on at least one ECDSA-capable curve (currently, only Short Weierstrass curves) to be defined, because ECDSA uses muladd().
| @@ -1,7 +1,3 @@ | |||
| Decrypt empty buffer | |||
| depends_on:MBEDTLS_CHACHA20_C | |||
| dec_empty_buf: | |||
There was a problem hiding this comment.
I don't understand why we can't have a dec_empty_buf test anymore. Should we instead parameterize the test to so it uses a cipher parameter?
It seems like we are reducing the intended test coverage here by removing this test. (I think we intended to have an empty buffer test that used CHACHA20.)
There was a problem hiding this comment.
The test uses AES-CBC internally. We were running it multiple times, once from the AES test suite and once again from other test suites. Now we're not running it from the cipher.chacha20 and cipher.chachapoly test suites anymore, only from cipher.aes.
If we want an empty buffer test that uses a different cipher, we need to pass the cipher as a parameter. That's well out of scope of this PR.
There was a problem hiding this comment.
BTW I don't think DJB likes HMAC_DRBG either, but CTR_DRBG and HMAC_DRBG are all we have. HMAC_DRBG builds on SHA2 which is pretty much indispensable anyway.
There was a problem hiding this comment.
I agree with Gilles that removing the test does not reduce the actual test coverage (which might indeed differ from the intended one, though I'm not sure our intentions here were very clear), so I think it would better be handled as a separate issue, in order to avoid feature creep in this one.
BTW I don't think DJB likes HMAC_DRBG either, but CTR_DRBG and HMAC_DRBG are all we have. HMAC_DRBG builds on SHA2 which is pretty much indispensable anyway.
I assume DJB would prefer a DRBG based on ChaCha20, but as you say we don't have it (and I'm not sure one is standardized, so that could be risky to implement), and I think SHA-2 is the part of NIST Crypto that is also approved by DJB (used in Ed25519 for example), so as you say, since HMAC_DRBG builds on it... Btw, from my perspective the main benefit of a DRBG based on Chacha20 rather than HMAC would be speed, as otherwise both should have similar security properties.
There was a problem hiding this comment.
OK, noted as separate issue in #2014
| @@ -39,12 +39,22 @@ | |||
|
|
|||
| #if !defined(MBEDTLS_ENTROPY_C) || \ | |||
| !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \ | |||
| !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_CTR_DRBG_C) | |||
| !defined(MBEDTLS_NET_C) | |||
There was a problem hiding this comment.
What does Support HMAC_DRBG in the TLS test programs have to do with Build with only montgomery curves? Shouldn't this commit be in a different PR?
There was a problem hiding this comment.
I wanted to enable the SSL test programs to at least build in the “DJB-only” configuration. DJB-only means no AES and therefore no CTR_DRBG.
|
I like the approach to testing this by adding a new configuration with "only 'DJB' crypto and NIST hashes". |
| { | ||
| mbedtls_printf("MBEDTLS_CTR_DRBG_C and MBEDTLS_HMAC_DRBG_C not defined, " | ||
| "or MBEDTLS_HMAC_DRBG_C defined without " | ||
| "MBEDTLS_SHA256_C or MBEDTLS_512_C.\n"); |
| * Distinguishing features: | ||
| * - no RSA or classic DH, fully based on ECC | ||
| * - no NIST curves | ||
| * |
There was a problem hiding this comment.
also:
- no AES (I think that's worth pointing out)
- currently not usable, while waiting for some level of support of RFC 8422 (using X25519 and X448 in ECDH in TLS).
| #define MBEDTLS_PEM_PARSE_C | ||
|
|
||
| /* Save RAM at the expense of ROM */ | ||
| #define MBEDTLS_AES_ROM_TABLES |
There was a problem hiding this comment.
Doesn't really make sense in an AES-less config, does it? While it technically doesn't hurt, I think it's confusing, if we assume these config files are not just for testing but also examples for users.
|
|
||
| /* Save RAM at the expense of speed, see ecp.h */ | ||
| #define MBEDTLS_ECP_WINDOW_SIZE 2 | ||
| #define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 |
There was a problem hiding this comment.
Only applicable to short-Weierstrass curves. Again, not technically relevant, but could be confusing for humans.
|
|
||
| /* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */ | ||
| #define MBEDTLS_SSL_CIPHERSUITES \ | ||
| MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, \ |
There was a problem hiding this comment.
Note: this one will need more complete support of RFC 8422 (EdDSA), and also support of https://tools.ietf.org/html/draft-ietf-curdle-pkix-10 for the certificate chain if I'm not mistaken (unless of course one only uses explicitly-trusted self-signed certificates, in which case one would be better off using raw public keys, but we don't support that yet).
gilles-peskine-arm
added
needs-work
and removed
needs-review
|
With only Montgomery curves in the build, the ECP self-test fails, because |
|
For several reasons, I've changed my mind as to how to test this.
I think I'll switch to my other idea: modify |
gilles-peskine-arm
changed the title
Fix compile-time checks to allow building with ECP enabled, but no short Weierstrass curve (i.e. with only Montgomery curves: Curve25519 or Curve448). Fix #941, #1412.
I wasn't sure how to frame a non-regression test.
scripts/curves.pldidn't catch this because it tries building with all-curves-but-one. This is the right way to do what this script was designed to do, which is to catch test cases that are missing a dependency on a curve, including tests that depend on multiple curves. Maybe we should also try building with a single curve, for each curve?What I've done in this PR is to add a new reference configuration with only “DJB” crypto and NIST hashes: SHA-256, SHA-512, HMAC_DRBG, Chacha/Poly, and ECDH/ECDSA with Curve25519. I'm not sure if that configuration makes sense for the time being though, since we don't fully support Curve25519 for ECDSA and TLS. Suggestions welcome.