Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/

Consider using bitfields for TLS 1.2 key exchange identifiers #4832

Open hanno-becker opened 3 years ago

hanno-becker commented 3 years ago

Mbed TLS maintains an internal (in the sense that it is not used in any public API) enum for key exchange identifiers:

typedef enum {
    MBEDTLS_KEY_EXCHANGE_NONE = 0,
    MBEDTLS_KEY_EXCHANGE_RSA,
    MBEDTLS_KEY_EXCHANGE_DHE_RSA,
    MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
    MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
    MBEDTLS_KEY_EXCHANGE_PSK,
    MBEDTLS_KEY_EXCHANGE_DHE_PSK,
    MBEDTLS_KEY_EXCHANGE_RSA_PSK,
    MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
    MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
    MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
    MBEDTLS_KEY_EXCHANGE_ECJPAKE,
} mbedtls_key_exchange_type_t;

The suggestion is to replace this by a list of bitfield macros, with the benefit of reduced code size for checks like:

static inline int mbedtls_ssl_ciphersuite_has_pfs( const mbedtls_ssl_ciphersuite_t *info )
{
    switch( info->MBEDTLS_PRIVATE(key_exchange) )
    {
        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
        case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
            return( 1 );

        default:
            return( 0 );
    }
}
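
An added sketch of the bitfield form proposed above (not part of the original post and not Mbed TLS code): the `KX_*` names, bit positions, `ciphersuite_t` stand-in and helper functions are assumptions made for illustration. It also shows the validity check a bitfield needs, since a mask test accepts multi-bit or out-of-range values that the `switch` would send to `default`.

```c
#include <stdint.h>

/* Hypothetical one-bit-per-key-exchange encoding. Bit positions are an
 * assumption of this example, not Mbed TLS definitions. */
#define KX_NONE         0u
#define KX_RSA          (1u << 0)
#define KX_DHE_RSA      (1u << 1)
#define KX_ECDHE_RSA    (1u << 2)
#define KX_ECDHE_ECDSA  (1u << 3)
#define KX_PSK          (1u << 4)
#define KX_DHE_PSK      (1u << 5)
#define KX_RSA_PSK      (1u << 6)
#define KX_ECDHE_PSK    (1u << 7)
#define KX_ECDH_RSA     (1u << 8)
#define KX_ECDH_ECDSA   (1u << 9)
#define KX_ECJPAKE      (1u << 10)

/* Group masks: each former switch statement becomes one constant. */
#define KX_MASK_PFS  (KX_DHE_RSA | KX_DHE_PSK | KX_ECDHE_RSA | \
                      KX_ECDHE_PSK | KX_ECDHE_ECDSA | KX_ECJPAKE)
#define KX_MASK_PSK  (KX_PSK | KX_DHE_PSK | KX_RSA_PSK | KX_ECDHE_PSK)
#define KX_MASK_ALL  ((1u << 11) - 1u)

/* Stand-in for the ciphersuite info structure (hypothetical). */
typedef struct { uint16_t key_exchange; } ciphersuite_t;

/* Same result as the switch-based has_pfs check, as a single AND. */
static inline int ciphersuite_has_pfs(const ciphersuite_t *info)
{
    return (info->key_exchange & KX_MASK_PFS) != 0;
}

/* A second group check built the same way. */
static inline int ciphersuite_uses_psk(const ciphersuite_t *info)
{
    return (info->key_exchange & KX_MASK_PSK) != 0;
}

/* A suite identifier is valid only if exactly one known bit is set:
 * rejects KX_NONE, combined bits, and bits outside the defined range. */
static inline int kx_is_valid_id(uint16_t kx)
{
    return kx != 0 && (kx & ~KX_MASK_ALL) == 0 && (kx & (kx - 1u)) == 0;
}
```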

hanno-becker commented 3 years ago

This came up in #4811. CC @mpg @gilles-peskine-arm

gilles-peskine-arm commented 1 day ago

In the next release of Mbed TLS (Mbed TLS 4.0), we will remove support for RSA, RSA-PSK, static ECDH and finite-field DH key exchanges. This vastly reduces the number of places where we filter for multiple key exchange types, and brings the set of TLS 1.2 key exchanges closer to 1.3. So we might be able to unify mbedtls_key_exchange_type_t with MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx bit masks.