mbedtls

Driver-only hashes: PKCS5

Open mpg opened this issue 3 years ago • 0 comments

PKCS#5, aka RFC 8018, is a standard for password-based encryption. It defines PBKDF2-HMAC and uses it to derive encryption keys from passwords. It can optionally be used by pkparse.c in order to parse some types of encrypted keys. Currently our implementation (pkcs5.c) uses MD to compute HMACs, so it doesn't work when hashes are provided only by drivers; this task is to make it work.

  • [ ] Adjust the signature of mbedtls_pkcs5_pbkdf2_hmac() so that it takes an mbedtls_md_type_t rather than an mbedtls_md_context_t as its first parameter. This frees callers from having to bother with md_info, md_init(), md_setup(), md_free() and centralizes use of MD in one place. Adapt callers including the self_test function. (Note: this is similar to what was done with mgf_mask() in #6141.)
  • [ ] Provide an implementation of mbedtls_pkcs5_pbkdf2_hmac() based on PSA, to be used only when MD_C is not available (in order to preserve backwards compatibility: the PSA version requires psa_crypto_init() to have been called, we don't want to impose this requirement on existing code, but we can impose it in builds where this just didn't work at all before). (Again, this is similar to mgf_mask() in #6141.)
  • [ ] Adjust the dependency in check_config.h: PKCS5 now only requires MD_C || PSA_CRYPTO_C (plus CIPHER_C as before).
  • [ ] Remove the unset PKCS5_C lines from all.sh components component_test_crypto_full_no_md() and component_test_psa_crypto_config_accel_hash_use_psa().
  • [ ] Adjust dependencies in test_suite_pkcs5.data, replacing MBEDTLS_SHAxxx_C with MBEDTLS_HAS_ALG_SHA_xxx_VIA_MD_OR_PSA (from legacy_or_psa.h which needs to be #included in the .function file).
  • [ ] Similarly adjust hash dependencies in test_suite_pkparse.data for tests that depend on PKCS5_C (again, legacy_or_psa.h needs to be #included in the .function file).
  • [ ] Fix any issue that may arise.
  • [ ] Check test coverage for test_suite_pkcs5 and test_suite_pkparse: see docs/architecture/psa-migration/outcome-analysis.sh (don't forget to remove unset PKCS5_C in reference_config() and edit SUITES in your copy).

Depends on: #6141, for fixed definitions of VIA_MD_OR_PSA macros (could also just cherry-pick the commit "Fix definition of MD_OR_PSA macros" from that PR).

mpg, Jul 28 '22 08:07
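Added example (not part of the issue and not Mbed TLS code): a Python sketch of PBKDF2-HMAC from RFC 8018 that takes a hash identifier instead of a prepared context, showing that the derivation needs only a keyed HMAC from the hash layer, so any backend that supplies HMAC is enough. The function name, the `SUPPORTED` set and the string identifiers are hypothetical stand-ins for `mbedtls_md_type_t` values.

```python
import hashlib
import hmac
import struct

# Hypothetical stand-in for a hash-type identifier such as mbedtls_md_type_t.
SUPPORTED = {"sha1", "sha256", "sha512"}


def pbkdf2_hmac(md_type, password, salt, iterations, key_length):
    """PBKDF2 (RFC 8018, section 5.2) with HMAC-<md_type> as the PRF."""
    if md_type not in SUPPORTED:
        raise ValueError("unsupported hash: %r" % (md_type,))
    if iterations < 1 or key_length < 1:
        raise ValueError("iterations and key_length must be positive")

    # The only place that touches the hash layer: key the HMAC once with the
    # password, then clone that state for every PRF call.
    keyed = hmac.new(password, digestmod=md_type)
    hlen = keyed.digest_size
    if key_length > (2**32 - 1) * hlen:
        raise ValueError("derived key too long")

    def prf(data):
        h = keyed.copy()
        h.update(data)
        return h.digest()

    out = bytearray()
    block_index = 1
    while len(out) < key_length:
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1}); T_i = U_1 ^ ... ^ U_c
        u = prf(salt + struct.pack(">I", block_index))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = prf(u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
        block_index += 1
    # The last block is truncated when key_length is not a multiple of hlen.
    return bytes(out[:key_length])


if __name__ == "__main__":
    # Constructed inputs; the result is cross-checked against hashlib.
    dk = pbkdf2_hmac("sha256", b"password", b"salt", 4096, 32)
    print(dk.hex(), dk == hashlib.pbkdf2_hmac("sha256", b"password", b"salt", 4096, 32))
```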