Open mpg opened 6 years ago
Not sure if this will help bump the priority, but our Gramine project would like this feature to be added to mbedTLS: https://github.com/Mbed-TLS/mbedtls/issues/8170#issuecomment-2172715014
I've added the labels "help-wanted" and "good-first-issue" to indicate that we would welcome a PR for this, and it should not require deep knowledge of the library to achieve. Here's an outline of steps:

1. `include/ssl/ssl_ciphersuites.h` defining macros for the new ciphersuites with the value from section 4 - should go between RFC 7902 and RFC 8446 (TLS 1.3).
2. `ciphersuite_definitions` in `library/ssl_ciphersuites.c`. Check existing similar ciphersuites (some with ECDHE-PSK, some with AES-GCM, AES-CCM, AES-CCM-8) for applicable values and feature guard macros.
3. `ciphersuite_preference` in `library/ssl_ciphersuites.c` - check the comment at the top for where to insert them (and look at existing entries).
4. `programs/ssl/ssl_server2` and `programs/ssl/ssl_client2` with appropriate options (forcing TLS 1.2 and use of one of the new ciphersuites).
5. `tests/suites/test_suite_ssl.data` using the function `handshake_psk_cipher` (check existing uses of this function for examples).
6. `tests/compat.sh` - check if they are supported by OpenSSL and GnuTLS (if you are unsure about which versions we use on the CI, feel free to ask).

(And of course see CONTRIBUTING.md.)
Description
Enhancement\Feature Request
Add support for the new ciphersuites with ECDHE-PSK key exchange and AEAD encryption from RFC 8442.
Justification - why does the library need this feature?
ECDHE-PSK key exchange can be interesting in a number of constrained scenarios including IoT. It is currently supported by Mbed TLS but the only ciphersuites defined with it use NULL, RC4 or CBC-mode encryption, all of which are deprecated or have issues. The draft adds ciphersuites based on ECDHE-PSK and modern AEAD algorithms such as AES-GCM and AES-CCM.
Support for these ciphersuites would be easy to add to Mbed TLS as we already have all the building blocks.
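
To make the distinction in the justification concrete, here is an added example (not part of the issue and not Mbed TLS code) that audits a TLS 1.2 `cipher_suites` vector and counts legacy ECDHE-PSK suites against the RFC 8442 AEAD ones. The function and type names are hypothetical; the code points are the IANA registry values (RFC 5489 and RFC 6367 for the legacy suites, RFC 8442 section 4 for the AEAD suites), and the sample vector is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ECDHE-PSK code points (IANA TLS Cipher Suites registry):
 *   0xC033-0xC03B, 0xC09A-0xC09B : RC4, 3DES/AES/Camellia-CBC, NULL
 *   0xD001-0xD003, 0xD005        : AES-GCM / AES-CCM(-8), RFC 8442 section 4 */
typedef enum { SUITE_OTHER, SUITE_LEGACY, SUITE_AEAD } suite_class;
typedef struct { size_t legacy, aead, other; } suite_audit;

suite_class classify_ecdhe_psk(uint16_t id)
{
    if ((id >= 0xC033 && id <= 0xC03B) || id == 0xC09A || id == 0xC09B)
        return SUITE_LEGACY;
    if ((id >= 0xD001 && id <= 0xD003) || id == 0xD005)
        return SUITE_AEAD;
    return SUITE_OTHER; /* not an ECDHE-PSK suite, or unassigned (e.g. 0xD004) */
}

/* Audit a cipher_suites vector: 2-byte big-endian length, then 2-byte ids.
 * Returns 0 on success, -1 if the vector is empty, truncated or odd-sized. */
int audit_cipher_suites(const uint8_t *buf, size_t buf_len, suite_audit *out)
{
    size_t vec_len, i;
    out->legacy = out->aead = out->other = 0;
    if (buf_len < 2)
        return -1;
    vec_len = ((size_t)buf[0] << 8) | buf[1];
    if (vec_len == 0 || vec_len % 2 != 0 || vec_len > buf_len - 2)
        return -1;
    for (i = 0; i < vec_len; i += 2) {
        uint16_t id = (uint16_t)((buf[2 + i] << 8) | buf[3 + i]);
        suite_class c = classify_ecdhe_psk(id);
        if (c == SUITE_LEGACY)    out->legacy++;
        else if (c == SUITE_AEAD) out->aead++;
        else                      out->other++;
    }
    return 0;
}

/* Constructed sample: 0xC035 (AES-128-CBC-SHA), 0xC039 (NULL-SHA),
 * 0xD001 (AES-128-GCM-SHA256), 0xC02F (an ECDHE-RSA suite, not PSK). */
static const uint8_t sample_vec[] = {
    0x00, 0x08, 0xC0, 0x35, 0xC0, 0x39, 0xD0, 0x01, 0xC0, 0x2F
};

int main(void)
{
    suite_audit a;
    if (audit_cipher_suites(sample_vec, sizeof(sample_vec), &a) != 0) return 1;
    printf("legacy=%zu aead=%zu other=%zu\n", a.legacy, a.aead, a.other);
    return 0;
}
```

A nonzero `legacy` count with `aead == 0` means the peer can only reach ECDHE-PSK through the NULL, RC4 or CBC suites the issue describes.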