Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/

Consider dropping generic elliptic curve support #6647

Closed DemiMarie closed 1 year ago

DemiMarie commented 1 year ago

Suggested enhancement

Mbed TLS should drop support for arbitrary elliptic curves, at least in the default build. Explicitly-specified curves that are actually aliases for known named curves would continue to be supported (by being translated to said named curve), as e.g. the biometric passport standard uses them. This support could be turned on or off at runtime.

Justification

Mbed TLS needs this because arbitrary elliptic curves are impossible to implement efficiently in constant-time, and many standards require the use of the named-curve form.

gilles-peskine-arm commented 1 year ago

Can you please clarify the request? Is this about TLS, about the ecp.h interface or something else? I don't see what generic support we have that could be dropped.

Mbed TLS does not support defining arbitrary curves: you have to edit library code. I think it never did, although the original design came close. And we do not intend to move to a more open design.

Mbed TLS doesn't even recognize explicit curves in TLS. It wants named curves. (For finite-field DH, we do recognize explicit groups since that's the only way in TLS 1.2. We currently support arbitrary groups, but in Mbed TLS 4, we're likely to require the group to be one of the predefined groups.)

DemiMarie commented 1 year ago

Mbed TLS at the very least contains code for parsing AlgorithmIdentifiers that use explicitly specified curve parameters. I am not sure if such AlgorithmIdentifiers can be used to successfully verify a signature, though.

gilles-peskine-arm commented 1 year ago

Ah, right, the pkparse code supports SpecifiedECDomain. It only recognizes predefined curves: the code compares the curve parameters with known groups to find a mbedtls_ecp_grp_id, and errors out if it doesn't find a group ID.

It's impossible to trigger a signature calculation with a custom curve. All the interfaces to ECC arithmetic need a group id.

DemiMarie commented 1 year ago

I wonder if this code could be simplified by not parsing the EC domains at all, and instead doing the lookup using the raw byte sequence as key.
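The two lookup strategies discussed in the comments above (compare the decoded SpecifiedECDomain fields against a table of known groups and error out on no match, versus keying the lookup on the raw byte sequence), as an added example that is not part of this thread and is not Mbed TLS code. It assumes the DER decoding has been replaced by a hypothetical flat encoding (`serialize_domain`/`parse_domain`), uses the published secp256r1 and secp256k1 constants as the known-group table, and adds an on-curve sanity check that is not claimed to mirror what pkparse itself does.

```python
"""Mapping explicit EC domain parameters to a named curve (added example,
not Mbed TLS code).  group_id_from_specified() models parse-then-compare;
group_id_from_raw() models the byte-exact lookup.  The flat encoding used
here is a hypothetical stand-in for SpecifiedECDomain DER."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ECDomain:
    p: int   # prime field modulus
    a: int   # curve coefficient a
    b: int   # curve coefficient b
    gx: int  # base point x
    gy: int  # base point y
    n: int   # order of the base point
    h: int   # cofactor


P256 = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
KNOWN_GROUPS = {  # published parameters; secp256r1 has a == p - 3
    "secp256r1": ECDomain(
        p=P256, a=P256 - 3,
        b=0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
        gx=0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
        gy=0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5,
        n=0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551, h=1),
    "secp256k1": ECDomain(
        p=0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f, a=0, b=7,
        gx=0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,
        gy=0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8,
        n=0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141, h=1),
}


def is_on_curve(p: int, a: int, b: int, x: int, y: int) -> bool:
    return (y * y - (x * x * x + a * x + b)) % p == 0


def double_point(d: ECDomain, x: int, y: int) -> Tuple[int, int]:
    """Affine doubling; only used to build a valid but unknown generator."""
    lam = (3 * x * x + d.a) * pow(2 * y, -1, d.p) % d.p
    x3 = (lam * lam - 2 * x) % d.p
    return x3, (lam * (x - x3) - y) % d.p


def group_id_from_specified(d: ECDomain) -> Optional[str]:
    """Parse-then-compare: return the known curve name, or None (= error)."""
    if not is_on_curve(d.p, d.a, d.b, d.gx, d.gy):
        return None                     # malformed parameters (added check)
    for name, known in KNOWN_GROUPS.items():
        if d == known:                  # every field must match
            return name
    return None                         # a genuinely custom curve: no group id


# Hypothetical flat encoding: size byte, p, a, b, ECPoint, n, cofactor byte.
def encode_point(size: int, x: int, y: int, compressed: bool) -> bytes:
    if compressed:
        return bytes([2 + (y & 1)]) + x.to_bytes(size, "big")
    return b"\x04" + x.to_bytes(size, "big") + y.to_bytes(size, "big")


def decode_point(p: int, a: int, b: int, size: int, enc: bytes) -> Tuple[int, int]:
    if enc[0] == 4:
        return int.from_bytes(enc[1:1 + size], "big"), int.from_bytes(enc[1 + size:], "big")
    x = int.from_bytes(enc[1:], "big")
    rhs = (x * x * x + a * x + b) % p
    y = pow(rhs, (p + 1) // 4, p)       # square root; p == 3 (mod 4) for both curves above
    if y * y % p != rhs:
        raise ValueError("x is not on the curve")
    return x, (y if (y & 1) == (enc[0] & 1) else p - y)


def serialize_domain(d: ECDomain, compressed_base: bool = False) -> bytes:
    size = (d.p.bit_length() + 7) // 8
    return (bytes([size]) + d.p.to_bytes(size, "big") + d.a.to_bytes(size, "big")
            + d.b.to_bytes(size, "big") + encode_point(size, d.gx, d.gy, compressed_base)
            + d.n.to_bytes(size, "big") + bytes([d.h]))


def parse_domain(raw: bytes) -> ECDomain:
    size, off = raw[0], 1
    p, a, b = (int.from_bytes(raw[off + i * size:off + (i + 1) * size], "big") for i in range(3))
    off += 3 * size
    plen = 1 + size if raw[off] in (2, 3) else 1 + 2 * size
    gx, gy = decode_point(p, a, b, size, raw[off:off + plen])
    off += plen
    return ECDomain(p, a, b, gx, gy, int.from_bytes(raw[off:off + size], "big"), raw[off + size])


RAW_TABLE = {serialize_domain(d): name for name, d in KNOWN_GROUPS.items()}


def group_id_from_raw(raw: bytes) -> Optional[str]:
    """Byte-exact lookup: no parsing, but any re-encoding of the same curve misses."""
    return RAW_TABLE.get(raw)


def group_id_by_parsing(raw: bytes) -> Optional[str]:
    return group_id_from_specified(parse_domain(raw))


if __name__ == "__main__":
    g = KNOWN_GROUPS["secp256r1"]
    x2, y2 = double_point(g, g.gx, g.gy)
    print(group_id_from_specified(g))                                       # secp256r1
    print(group_id_from_specified(ECDomain(g.p, g.a, g.b, x2, y2, g.n, g.h)))  # None
    raw_c = serialize_domain(g, compressed_base=True)
    print(group_id_from_raw(raw_c), group_id_by_parsing(raw_c))            # None secp256r1
```

The last two lines of the demo show the trade-off behind the raw-bytes idea: the same curve with its base point in compressed form is rejected by the byte-exact table but still resolves after parsing, while a structurally valid curve with an unknown generator is rejected by both, which is the "no group id, error out" behaviour described for pkparse.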

davidhorstmann-arm commented 1 year ago

Since we don't support arbitrary curves in practice, I'm going to close this as a non-issue. Feel free to open a follow-up issue related to other pkparse improvements if needed.