Manuel Pégourié-Gonnard b902164 2021-10-01 13:16:01 +0200

This document is temporary; it lists tasks to achieve G1 as described in
`strategy.md` while the strategy is being reviewed - once that's done,
corresponding github issues will be created and this document removed.

For all of the tasks here, no specific testing is expected to be required,
beyond passing the existing tests in a build with `MBEDTLS_USE_PSA_ENABLED`,
see `testing.md`.

Symmetric crypto
================

Hashes
------

### Use `psa_hash` in all of X.509

Conditionally on `MBEDTLS_USE_PSA_CRYPTO`, replace all remaining calls to
`mbedtls_md()` or `mbedtls_sha1_ret()` by calls to `psa_hash` functions, namely:
- replace `mbedtls_md()` in `x509_crt_verifycrl()` in `x509_crt.c`
- replace `mbedtls_md()` in `mbedtls_x509write_crt_der()` in `x509write_crt.c`
- replace `mbedtls_sha1_ret()` in
  `mbedtls_x509write_crt_set_subject_key_identifier()` in `x509write_crt.c`
- replace `mbedtls_sha1_ret()` in
  `mbedtls_x509write_crt_set_authority_key_identifier()` in `x509write_crt.c`
- already done in `x509_crt_check_signature()` in `x509_crt.c`, but might
  want to replace multi-part with single-part.
- already done in `mbedtls_x509write_csr_der_internal()` in
  `x509write_csr.c`, but might want to replace multi-part with single-part.

HMAC
----

### Variable-time HMAC in TLS record protection

- This is about the calls to `mbedtls_md_hmac_xxx()` in
  `mbedtls_ssl_decrypt_buf()` and `mbedtls_ssl_encrypt_buf()`, but excludes the
  call in `mbedtls_ssl_cf_hmac()` (which is its own task).
- Might need to change the `transform` structure to hold a PSA context instead
  of an MD context. Note: might keep the MD context in parallel until the
  constant-time part is done as well.

TODO: study this better so it can be estimated.

### Constant-time HMAC in TLS record protection

This is `mbedtls_ssl_cf_hmac()`. The PSA code might look a bit different as
we'll probably need to store the HMAC key somewhere and compute the ipad/opad
explicitly instead of using (the internals of) the MD layers for that.

TODO: study this better so it can be estimated.

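As an added illustration (not Mbed TLS code), a Python model of the shape a PSA-based `mbedtls_ssl_cf_hmac()` would take: the HMAC key is stored explicitly, ipad/opad are derived from it instead of from the MD layer's internals, and the inner hash state is cloned and finished at every candidate length so the hash calls depend only on the public length bounds. `hashlib` stands in for the `psa_hash_*` multi-part API, and the mask comparison is a stand-in for the branch-free mask derivation the C code needs.

```python
import hashlib
import hmac  # stdlib reference, used only to cross-check the construction

BLOCK_SIZE = {"sha1": 64, "sha256": 64, "sha384": 128}

def hmac_pads(alg: str, key: bytes):
    """Derive the ipad/opad blocks from a stored key (RFC 2104)."""
    block = BLOCK_SIZE[alg]
    if len(key) > block:              # long keys are hashed first
        key = hashlib.new(alg, key).digest()
    key = key.ljust(block, b"\x00")   # short keys are zero-padded
    return bytes(b ^ 0x36 for b in key), bytes(b ^ 0x5C for b in key)

def cf_hmac(alg, key, add_data, data, min_len, max_len, data_len):
    """HMAC(key, add_data || data[:data_len]) computed with the control flow of
    mbedtls_ssl_cf_hmac(): the hash calls depend only on the public bounds
    min_len/max_len, never on the secret data_len."""
    assert min_len <= data_len <= max_len <= len(data)
    ipad, opad = hmac_pads(alg, key)
    inner = hashlib.new(alg)          # psa_hash_setup() equivalent
    inner.update(ipad)                # psa_hash_update() equivalent
    inner.update(add_data)
    inner.update(data[:min_len])
    out_len = inner.digest_size
    selected = bytearray(out_len)
    for offset in range(min_len, max_len + 1):
        # Finish a copy of the inner state at every candidate length
        # (psa_hash_clone() + psa_hash_finish()) and fold it into the result
        # under an all-ones mask only for the true length. In C the mask is
        # derived without branching; the Python comparison is a stand-in.
        candidate = inner.copy().digest()
        mask = 0xFF if offset == data_len else 0x00
        for i in range(out_len):
            selected[i] |= candidate[i] & mask
        if offset < max_len:
            inner.update(data[offset:offset + 1])
    outer = hashlib.new(alg)
    outer.update(opad)
    outer.update(bytes(selected))
    return outer.digest()

def reference_hmac(alg, key, msg):
    """Plain HMAC from the standard library, for cross-checking."""
    return hmac.new(key, msg, alg).digest()
```
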
Ciphers
-------

### Use PSA for all cipher operations in TLS

- extend existing `mbedtls_cipher_setup_psa()` and related code to support
  ciphers other than AES that can be used in TLS: ARIA (depends on #4959),
  Camellia, ChachaPoly.
- extend unit-testing in `test_suite_cipher` to test those new ciphers as
  AES-based ciphers are already tested
- remove the fallback mechanism in all places where `cipher_setup_psa()` is
  called from TLS code
- expand use of `run_test_psa()` in `ssl-opt.sh`

Asymmetric crypto
=================

ECDSA
-----

### Make `mbedtls_pk_sign()` use PSA for ECDSA operations

- This is already done with `PK_OPAQUE` contexts, but this task is about doing
  it for regular `ECKEY`/`ECDSA` contexts.
- May share some code (transcoding) with the existing support for `PK_OPAQUE`
  contexts

RSA signature (and verification)
--------------------------------

### Make `mbedtls_pk_sign()` use PSA for RSA operations

- with regular `PK_RSA` context
- only PKCS#1 v1.5 for this task
- similar to what's done for ECDSA, except no need for transcoding (I think)

### Make `mbedtls_pk_verify()` use PSA for RSA operations

- with regular `PK_RSA` context
- only PKCS#1 v1.5 for this task
- similar to what's done for ECDSA, except no need for transcoding (I think)

### Make `mbedtls_pk_verify_ext()` use PSA for RSA operations

- with regular `PK_RSA` context
- this is for RSA-PSS
- similar to what's done for ECDSA, except no need for transcoding (I think)
- acceptable to enforce that all hashes are equal in the parameters (as
  imposed by the PSA API) and reject the signature otherwise
- then need to check if all X.509 tests still pass, and if some don't, make
  them depend on `!MBEDTLS_USE_PSA_CRYPTO`

RISK: see `psa-limitations.md`

RSA en/decryption
-----------------

### Make `mbedtls_pk_encrypt()` use PSA for RSA operations

- with regular `PK_RSA` context

### Make `mbedtls_pk_decrypt()` use PSA for RSA operations

- with regular `PK_RSA` context

ECDH
----

### Write remaining utilities for ECDH parsing/writing

- PSA only provides an API for the operation, need to parse and write
  parameters and public keys to/from grp ID + string of bytes
- need to complete what was done in 4a.1
- testing: positive: extract known-good inputs/outputs from actual handshakes?
- testing: negative: manipulate known-good input to make it invalid

Note: future tasks in this section depend on this one, but not on each other.

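An added example of the parsing/writing utilities this task asks for, written in Python as a model rather than taken from Mbed TLS: it converts the TLS 1.2 ECDHE ServerKeyExchange encoding (RFC 8422 section 5.4: one-byte curve_type, two-byte NamedCurve, then a length-prefixed ECPoint) to and from the "group ID + string of bytes" pair the task describes, and rejects the kinds of manipulated inputs the negative-testing bullet has in mind. The NamedCurve table and the sample point are constructed for the example.

```python
import struct

CURVE_TYPE_NAMED_CURVE = 3  # ECCurveType.named_curve, RFC 8422 section 5.4
# Assumed table for this example: TLS NamedCurve id -> group name (the C code
# would map to an mbedtls_ecp_group_id instead).
NAMED_CURVES = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1"}

class ParseError(ValueError):
    """Raised when the ECDH parameters are malformed."""

def read_ecdh_params(buf: bytes):
    """Parse ECParameters + ECPoint from a ServerKeyExchange body into
    (named_curve_id, point_bytes, bytes_consumed). The point stays an opaque
    byte string: checking that it lies on the curve is the key-agreement
    API's job (PSA), not the parser's."""
    if len(buf) < 4:
        raise ParseError("truncated ECParameters/ECPoint length")
    curve_type, curve_id, point_len = struct.unpack(">BHB", buf[:4])
    if curve_type != CURVE_TYPE_NAMED_CURVE:
        raise ParseError("only named_curve parameters are supported")
    if curve_id not in NAMED_CURVES:
        raise ParseError("unsupported NamedCurve %#06x" % curve_id)
    if point_len == 0:
        raise ParseError("ECPoint must be at least one byte long")
    if len(buf) < 4 + point_len:
        raise ParseError("truncated ECPoint")
    return curve_id, buf[4:4 + point_len], 4 + point_len

def write_ecdh_params(curve_id: int, point: bytes) -> bytes:
    """Inverse of read_ecdh_params(): (group id, raw point) -> wire bytes."""
    if curve_id not in NAMED_CURVES:
        raise ValueError("unsupported NamedCurve")
    if not 1 <= len(point) <= 255:
        raise ValueError("ECPoint length must fit in one byte")
    return struct.pack(">BHB", CURVE_TYPE_NAMED_CURVE, curve_id, len(point)) + point

def is_rejected(buf: bytes) -> bool:
    """Negative-test helper: True if the parser refuses buf."""
    try:
        read_ecdh_params(buf)
    except ParseError:
        return True
    return False

# Constructed sample: secp256r1 and a 65-byte uncompressed-format point
# (0x04 || X || Y) whose coordinates are placeholders, not a real point.
SAMPLE_POINT = b"\x04" + bytes(range(1, 65))
SAMPLE_WIRE = write_ecdh_params(0x0017, SAMPLE_POINT)
```

Trailing bytes after the ECPoint are not an error here: the function reports how much it consumed and the caller, which knows what follows (the signature), decides.
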
### Use PSA for ECDHE in ECDHE-ECDSA and ECDHE-RSA server-side

- may need to separate branches from other ECDHE-based key exchanges
- only server-side (client-side is already done, can be used for inspiration)

### Use PSA for ECDH in ECDHE-PSK (all sides and versions)

- only with non-opaque PSK (support for opaque PSK here is part of G2)

### Use PSA for ECDH in static-ECDH key exchanges

- may require additional utility functions to load from cert to PSA

FFDH
----

This may be hard, see `psa-limitations.md`

EC J-PAKE
---------

Use PSA for all EC J-PAKE operations in TLS (both sides).
(TODO: consider how this could be split.)