Include IANA reference in the definition of ECC curves and DH groups #279
Conversation
Define a vendor-range within the the private use ranges in the IANA registry. Provide recommendations for how to support vendor-defined curves and groups.
Connect the types to the key type construction macros by x-refs.
| /** Minimum value for a vendor-defined Diffie Hellman group identifier | ||
| * | ||
| * The range for vendor-defined group identifiers is a subset of the IANA | ||
| * registry private use range, `0x01fc` - `0x01ff`. |
There was a problem hiding this comment.
Unfortunately, this is a ridiculously small range whereas an implementation may well wish to define many custom groups, since many groups have been common in the wild and specific systems or protocols may define their own groups.
The TLS registry puts EC and FF groups in the same 16-bit range, but we don't have to. I propose to use some values in the IANA EC range for vendor FF groups. We can in particular use the GREASE values, which TLS uses for the purpose of not having a corresponding cryptographic algorithm.
There was a problem hiding this comment.
From a quick glance, the proposed GREASE values that can be used in this way are:
0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA
This is still draft and subject to change. This might not affect this API element, but should modify the documentation of psa_dh_group_t.
- Is the suggestion to directly list the values, as being permitted for vendor-defined additional DH groups, or indirectly by referencing the specification draft?
- Do we want to slice up the GREASE identifiers, and reserve a set for PSA Crypto future use?
- Is the [arbitrary] 50/50 split of the TLS support group private use range appropriate (for this and ECC)?
There was a problem hiding this comment.
My proposal was to define the GREASE values (stated by value, with the GREASE spec given as an informative rationale) as reserved for vendors in psa_dh_group_t.
Though given that there are only 16 of them, that's not much. We can punt PSA crypto future use until later, but I do think we need more vendor FFDH values. I guess the only solution (short of moving to a bigger type) is to take values that are already assigned to elliptic curves and declare them as vendor-specific FFDH values.
There was a problem hiding this comment.
I've added a commit the extends the recommendations for vendor defined DH groups.
Rely on general reference to IANA documentation
Can someone help with making the associated change to those scripts. There is no obviously correct place to exclude these definitions from the testing that is done here. Why are these values not suitable for this test? |
|
I'll update the scripts. |
|
The problem was that the (for now) mbedcrypto-specific value |
|
CI report: the TLS head job failed in |
|
https://jenkins-internal.mbed.com/view/mbed-crypto/job/mbedtls-psa-release-new/574/ passed so we have full CI approval. Since I made some of the changes, this needs approval from a team member other than me. |
gilles-peskine-arm
dismissed
their stale review
I pushed a commit to fix the problem. As far as I'm concerned, this PR is approved.
gilles-peskine-arm
added
needs: review
|
Is there any chance that this could be reviewed, approved and merged today (if there is no issue with the implementation, obviuosly? - please? :-) |
| /** Minimum value for a vendor-defined Diffie Hellman group identifier | ||
| * | ||
| * The range for vendor-defined group identifiers is a subset of the IANA | ||
| * registry private use range, `0x01fc` - `0x01ff`. |
There was a problem hiding this comment.
@athoelke To confirm, this range is still accurate, but the GREASE values are also available so the practical use of this range is limited.
There was a problem hiding this comment.
Yes, that is correct. An minor improvement might be to refer to the psa_dh_group_t definition and its description of other ways to allocate a vendor-defined group number.
However, I'd like this merged sooner so I can render the reST and separate the specification from the doxygen source code, which is a pre-requistite to completing the remaing API changes before publishing 1.0.0 of the spec. I can clarify/improve the text after the split if desirable.
* ARMmbed#272: Insert doxygen comments on old algorithms so they appear in PSA documentation * ARMmbed#285: SE driver: make persistent data work * ARMmbed#279: Include IANA reference in the definition of ECC curves and DH groups * ARMmbed#287: DRBG documentation improvements * ARMmbed#297: Fix int overflow in mbedtls_asn1_get_int (Credit to OSS-Fuzz)
Fixes ARMmbed/psa-crypto#262