Hi Christian,
There are three ECDH APIs in Mbed TLS:
1. One of them is using low level data structures like `mbedtls_ecp_point`, `mbedtls_mpi` and `mbedtls_ecp_group` 2. The other is operating on `mbedtls_ecdh_context` and buffers 3. The last one implements PSA Crypto APIhttps://armmbed.github.io/mbed-crypto/html/api/ops/ka.html
In Mbed TLS only the TLS 1.2 implementation uses the second option and that is why it is geared towards that. The TLS 1.3 implementation in Mbed TLS uses the PSA Crypto API and in general that is the recommended/future proof option.
I hope that helps.
Best wishes, Janos (Mbed TLS developer)
From: Christian Huitema via mbed-tls mbed-tls@lists.trustedfirmware.org Date: Tuesday, 12 September 2023 at 04:50 To: mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org Subject: [mbed-tls] Output format of mbedtls_ecdh_make_params does not play well with TLS 1.3 In TLS 1.3, one half of an ECDH exchange is defined as a "key entry", coded as:
struct { NamedGroup group; opaque key_exchange<1..2^16-1>; } KeyShareEntry;
The opaque data is typically encoded as a one byte format (e.g., 0x04, no compression), and then the encoding of either one or two points: 32 bytes for one point with CURVE25519, 64 bytes for two points with SECP256R1.
The encoding for the "public key" output of mbedtls_ecdh_make_params is different: 1 byte of length, followed by 2 bytes of curve ID, followed by the raw encoding of the point or points. The related encoding of the server public key output of mbedtls_ecdh_make_public is also different: 1 byte of length, followed by 2 bytes of curve ID, followed by the raw encoding of the point or points.
To make that work, I need some reformatting: strip out 3 bytes for the client public key, write a single 0x04 byte instead; strip out one byte from the key-exchange data received at the server and write 3 bytes of length and curve ID instead. Also, make sure to reset the strings to the unmodified value before calling mbedtls_ecdh_calc_secret, which probably means maintaining two copies, thus twice the memory.
This is a bit messy, and probably unnecessary. The extra parameters "length" is already passed through the API (the &olen argument) and the "group_id" could easily be passed as well.
Or maybe I am looking at the wrong API...
-- Christian Huitema -- mbed-tls mailing list -- mbed-tls@lists.trustedfirmware.org To unsubscribe send an email to mbed-tls-leave@lists.trustedfirmware.org