MBEDTLS minimum configuration for uOSCORE

Hi, I'm new to this blog and I hope someone can help me. I need to add OSCORE encryption on the COAP protocol in my project. I haven't found any exhaustive application examples around. Initially I've activated these configurations in the project.

CONFIG_UOSCORE=y
CONFIG_ZCBOR=y
CONFIG_ZCBOR_CANONICAL=y
CONFIG_MBEDTLS=y

I read that these are all that is necessary to make uoscore work. But they are not enough. I've got these errors:

C:/ncs/v2.5.0/modules/lib/uoscore-uedhoc/src/common/crypto_wrapper.c: In function 'shared_secret_derive':
C:/ncs/v2.5.0/modules/lib/uoscore-uedhoc/src/common/crypto_wrapper.c:738:45: warning: implicit declaration of function 'mbedtls_pk_ec'; did you mean 'mbedtls_pk_free'? [-Wimplicit-function-declaration]
738 | mbedtls_ecp_group_load(&mbedtls_pk_ec(ctx_verify)->grp,
| mbedtls_pk_free
C:/ncs/v2.5.0/modules/lib/uoscore-uedhoc/src/common/crypto_wrapper.c:738:70: error: invalid type argument of '->' (have 'int')
738 | mbedtls_ecp_group_load(&mbedtls_pk_ec(ctx_verify)->grp,
| ^~
C:/ncs/v2.5.0/modules/lib/uoscore-uedhoc/src/common/crypto_wrapper.c:744:70: error: invalid type argument of '->' (have 'int')
744 | mbedtls_ecp_decompress(&mbedtls_pk_ec(ctx_verify)->grp, pk,

That sounds strange to me. Why does OSCORE reference the pk functions?

Anyway, what I need to understand is: what is the minimum mbedtls configuration to let uOSCORE compile and work with the default encryption methods (AES and SHA256)?

Help me please. Thank you.

  • Hi,

    I must admit we don't have any experience with using uOSCORE, but that said, it looks like you need these configs:

    CONFIG_MBEDTLS_PK_C=y
    CONFIG_MBEDTLS_ECP_C=y

  • Hi Einar,

    Thank you for the answer.

    Well, I did test adding these two configs to the project. This made the project compile, but it still doesn't work.

    This is what I did, starting from the UDP sample project (udp/sample/cellular/udp): I added config for COAP and OSCORE and changed the network mode to NBIOT. This is the modified part of the prj.conf file:

    #Also need to increase stack size for thread working with oscore library
    CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=8192
    ...
    
    # LTE parameters
    ## Network Mode / LTE category
    CONFIG_LTE_NETWORK_MODE_LTE_M=n
    CONFIG_LTE_NETWORK_MODE_NBIOT=y
    
    # CoAP
    CONFIG_COAP=y
    
    # Needed for uoscore
    CONFIG_UOSCORE=y
    CONFIG_ZCBOR=y
    CONFIG_ZCBOR_CANONICAL=y
    CONFIG_MBEDTLS=y
    
    CONFIG_MBEDTLS_PK_C=y
    CONFIG_MBEDTLS_ECP_C=y

    Then I've modified the "socket_transmission_work_fn" function in the main.c file:

    //Oscore init params definition (taken from library test vectors)
    const uint8_t *T1__ID_CONTEXT;
    uint8_t T1__ID_CONTEXT_LEN;
    
    const uint8_t T1__MASTER_SECRET[16] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
    					0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
    					0x0d, 0x0e, 0x0f };
    uint8_t T1__MASTER_SECRET_LEN = sizeof(T1__MASTER_SECRET);
    
    const uint8_t *T1__SENDER_ID = NULL;
    uint8_t T1__SENDER_ID_LEN = 0;
    
    const uint8_t T1__MASTER_SALT[8] = { 0x9e, 0x7c, 0xa9, 0x22,
    				     0x23, 0x78, 0x63, 0x40 };
    uint8_t T1__MASTER_SALT_LEN = sizeof(T1__MASTER_SALT);
    
    const uint8_t T1__RECIPIENT_ID[1] = { 0x01 };
    uint8_t T1__RECIPIENT_ID_LEN = sizeof(T1__RECIPIENT_ID);
    
    ....
    
    
    static void socket_transmission_work_fn(struct k_work *work)
    {
        ....
    
    	enum err r;
    	struct context c_client;
    	
    	struct oscore_init_params params = {
    		.master_secret.ptr = (uint8_t *)T1__MASTER_SECRET,
    		.master_secret.len = T1__MASTER_SECRET_LEN,
    		.sender_id.ptr = (uint8_t *)T1__SENDER_ID,
    		.sender_id.len = T1__SENDER_ID_LEN,
    		.recipient_id.ptr = (uint8_t *)T1__RECIPIENT_ID,
    		.recipient_id.len = T1__RECIPIENT_ID_LEN,
    		.master_salt.ptr = (uint8_t *)T1__MASTER_SALT,
    		.master_salt.len = T1__MASTER_SALT_LEN,
    		.id_context.ptr = (uint8_t *)T1__ID_CONTEXT,
    		.id_context.len = T1__ID_CONTEXT_LEN,
    		.aead_alg = OSCORE_AES_CCM_16_64_128,
    		.hkdf = OSCORE_SHA_256,
    		.fresh_master_secret_salt = true,
    	};
    
    	r = oscore_context_init(&params, &c_client);	//FAILS RETURNING "unexpected_result_from_ext_lib"
    
    	if(r!=ok) {
    		printk("Error in oscore_context_init\n");
    	}
    
    	int coap_len=build_coap_packet();	/* fills coap_buf, returns length or <0 */
    	if(coap_len<0) {
    		printk("Failed to create coap packet\n");
    	}
    		
    	/* protect the CoAP message: oscore_buf_len holds the buffer size on entry and the OSCORE message length on return */
    	r = coap2oscore((uint8_t *)coap_buf, coap_len, (uint8_t *)oscore_buf, &oscore_buf_len, &c_client);
    	if(r!=ok) {
    		printk("Error in coap2oscore!\n");
    	}
    
    	err = send(client_fd, oscore_buf, oscore_buf_len, 0);
    	if (err < 0) {
    		printk("Failed to transmit UDP packet, error: %d\n", errno);
    	}
    
        ...
    
    	k_work_schedule(&socket_transmission_work,
    			K_SECONDS(CONFIG_UDP_DATA_UPLOAD_FREQUENCY_SECONDS));
    }

    It results in the oscore initialization function "oscore_context_init" failing, returning "unexpected_result_from_ext_lib".

    I suppose there are still some problems coming from the mbedtls configuration, or maybe some kind of incompatibility.

    Did anyone use the uoscore library and encounter this kind of problem?

    What's wrong?

  • Further information about what's going wrong in oscore initialization.
    I saw that, on library initialization, the mbedtls function psa_import_key is called and returns the error code PSA_ERROR_NOT_SUPPORTED.
    So, not wrong parameters but some kind of hardware incompatibility or maybe unfinished work on the library.
    It looks unusable.
  • Hi,

    Generally, when you get PSA_ERROR_NOT_SUPPORTED returned from a PSA API call, that means that there is no support for the algorithm, key size, or similar that is used. This could be just because support for that specific feature is not enabled (see Feature configurations and driver support), or that we don't have any support for that algorithm. If you check the parameters for the call when you get this error, we can see if it is just a configuration that is missing.

    As mentioned, we don't have any experience with uOSCORE though, so there may be several issues that need to be resolved.
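    Before any packet can be protected, oscore_context_init has to run the RFC 8613 section 3.2 derivation: HKDF-SHA256 over the master secret and salt, which is why the crypto backend must at least support HMAC-SHA256 (plus AES-CCM for the traffic itself). The Python below is an added example, not code from this thread or from uOSCORE, that derives the Sender Key, Recipient Key and Common IV from the parameters posted above; its CBOR encoder is deliberately minimal and only covers the "info" array.

```python
import hashlib
import hmac

COSE_AES_CCM_16_64_128 = 10  # COSE algorithm id of the default uOSCORE AEAD
KEY_LEN = 16                 # AES-128 key length
NONCE_LEN = 13               # AES-CCM-16-64-128 nonce length

def cbor_item(v):
    # Minimal CBOR encoder: nil, small uint, short bstr/tstr. That is all the
    # 'info' array of RFC 8613 section 3.2.1 needs; anything else is rejected.
    if v is None:
        return b"\xf6"                                  # nil (no ID Context)
    if isinstance(v, int) and 0 <= v < 24:
        return bytes([v])                               # single-byte uint
    if isinstance(v, (bytes, str)) and len(v) < 24:
        major = 0x40 if isinstance(v, bytes) else 0x60  # bstr / tstr
        data = v if isinstance(v, bytes) else v.encode()
        return bytes([major | len(data)]) + data
    raise ValueError(f"unsupported item for this small encoder: {v!r}")

def oscore_info(id_, id_context, alg, type_, length):
    # info = [id, id_context, alg_aead, type, L] as a CBOR array
    items = [id_, id_context, alg, type_, length]
    return bytes([0x80 | len(items)]) + b"".join(cbor_item(i) for i in items)

def hkdf_sha256(salt, ikm, info, length):
    # HKDF (RFC 5869) with SHA-256; an empty salt means a zero block
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_context(master_secret, master_salt, sender_id, recipient_id, id_context=None):
    # Sender Key, Recipient Key and Common IV per RFC 8613 section 3.2
    def kdf(id_, type_, n):
        info = oscore_info(id_, id_context, COSE_AES_CCM_16_64_128, type_, n)
        return hkdf_sha256(master_salt, master_secret, info, n)
    return {"sender_key": kdf(sender_id, "Key", KEY_LEN),
            "recipient_key": kdf(recipient_id, "Key", KEY_LEN),
            "common_iv": kdf(b"", "IV", NONCE_LEN)}

# Inputs taken from the post above (test-vector material, not production keys).
MASTER_SECRET = bytes(range(16))                 # 0x00 .. 0x0f
MASTER_SALT = bytes.fromhex("9e7ca92223786340")
SENDER_ID = b""                                  # NULL / length 0 in the post
RECIPIENT_ID = b"\x01"
```

    Calling derive_context(MASTER_SECRET, MASTER_SALT, SENDER_ID, RECIPIENT_ID) gives the three values the library would hand to psa_import_key; comparing them against what the firmware derives is a quick way to tell a backend configuration problem from a wrong parameter.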

  • Hi Einar,

    I have good news. The uOSCORE library is working now. But sincerely I don't understand the reason. This is what I did:

    As I said in the beginning, I started by introducing COAP and OSCORE in the UDP sample, changing the UDP packet into a COAP one.

    As the error I figured out (PSA_ERROR_NOT_SUPPORTED) is coming from MBEDTLS, I decided to individually test the encryption and hashing functions. I tried to compile the AES128, SHA256 and HMAC samples and all of these were working fine.

    Starting from the HMAC sample I introduced the uOSCORE library initialization, generated a COAP packet and encrypted it with oscore. All of these steps were ok.

    Finally I introduced the modem configuration and packet sending. That's all. Everything is working now, starting from the HMAC sample instead of the UDP one. The only difference is that previously I was using scheduled work for sending messages (as the UDP sample does) and now I send it from the main thread. But I don't think that could affect MBEDTLS or OSCORE library operations.

    Anyway, maybe I'll try to investigate further.

    Thank you
