mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-16 08:42:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Driver-only FFDH is not good enough for DHE support in TLS 1.2

Browse Source 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2024-04-30 14:25:30 +02:00
parent 21ad57677c
commit 89ef2fabb5
2 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
docs/driver-only-builds.md
View File

@ -277,6 +277,11 @@ The same holds for the associated algorithm:
`[PSA_WANT|MBEDTLS_PSA_ACCEL]_ALG_FFDH` allow builds accelerating FFDH and `[PSA_WANT|MBEDTLS_PSA_ACCEL]_ALG_FFDH` allow builds accelerating FFDH and
removing builtin support (i.e. `MBEDTLS_DHM_C`). removing builtin support (i.e. `MBEDTLS_DHM_C`).
Note that the PSA API only supports FFDH with RFC 7919 groups, whereas the
Mbed TLS legacy API supports custom groups. As a consequence, the TLS layer
of Mbed TLS only supports DHE cipher suites if built-in FFDH
(`MBEDTLS_DHM_C`) is present, even when `MBEDTLS_USE_PSA_CRYPTO` is enabled.
RSA RSA
--- ---

6
tests/scripts/analyze_outcomes.py
View File

@ -468,6 +468,12 @@ KNOWN_TASKS = {
'bignum.generated', 'bignum.misc', 'bignum.generated', 'bignum.misc',
], ],
'ignored_tests': { 'ignored_tests': {
'ssl-opt': [
# DHE support in TLS 1.2 requires built-in MBEDTLS_DHM_C
# (because it needs custom groups, which PSA does not
# provide), even with MBEDTLS_USE_PSA_CRYPTO.
re.compile(r'PSK callback:.*\bdhe-psk\b.*'),
],
'test_suite_platform': [ 'test_suite_platform': [
# Incompatible with sanitizers (e.g. ASan). If the driver # Incompatible with sanitizers (e.g. ASan). If the driver
# component uses a sanitizer but the reference component # component uses a sanitizer but the reference component