mbedtls RSA trouble, mbedtls_rsa_import/mbedtls_rsa_complete fails

RE: mbedtls RSA trouble, mbedtls_rsa_import/mbedtls_rsa_complete fails

Didrik Rokhaug — Fri, 29 Jan 2021 14:47:21 GMT

The pull request which should fix your issues has now been published:https://github.com/nrfconnect/sdk-nrfxlib/pull/390

I don't have the opportunity to test it myself today, but it should solve all the RSA problems in the cryptocell library.

RE: mbedtls RSA trouble, mbedtls_rsa_import/mbedtls_rsa_complete fails

Didrik Rokhaug — Thu, 28 Jan 2021 14:59:23 GMT

Hi, and sorry for the late reply.

Since my last comment, the developers has found even more problems with the library.

It seems like you at least also have to provide E, although that is unpractical for the application.

However, I have been promised that a Pull Request with an updated version of the library will be available within the next few days.

Sorry for the inconvenience, and the time this is taking.

Best regards,

Didrik

RE: mbedtls RSA trouble, mbedtls_rsa_import/mbedtls_rsa_complete fails

basvkesteren — Mon, 25 Jan 2021 08:46:11 GMT

Hi Didrik,

Thanks for the response. So, do I understand it right that this missing functionality will be added to a future NCS release? Looks to me the crypto-library is binary only, I can't modify it myself, right?

Also, I did a quick test this morning. In the following code the test_RSA_N/P/Q/E contain a valid RSA key. This sequence works with CONFIG_CC3XX_BACKEND=n, but fails with CONFIG_CC3XX_BACKEND=y (I get a 'mbedtls_rsa_complete failed: -16512' printout).

What am I missing? I'm using NCS 1.4.0

    LOG_DBG("RSA import, again:");
    mbedtls_rsa_init(&rsa, MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA256);
    if((r = mbedtls_rsa_import_raw(&rsa, test_RSA_N, sizeof(test_RSA_N),
                                         test_RSA_P, sizeof(test_RSA_P), 
                                         test_RSA_Q, sizeof(test_RSA_Q),
                                         NULL, 0, /* D */
                                         test_RSA_E, sizeof(test_RSA_E)))) {
        mbedtls_strerror(r, errbuf, sizeof(errbuf));
        LOG_DBG("mbedtls_rsa_import_raw failed: %d (%s)", r, errbuf);
    }
    LOG_DBG("ok");

    LOG_DBG("mbedtls_rsa_complete");
    if((r = mbedtls_rsa_complete(&rsa))) {
        mbedtls_strerror(r, errbuf, sizeof(errbuf));
        LOG_DBG("mbedtls_rsa_complete failed: %d (%s)\n", r, errbuf);
    }
    LOG_DBG("ok");

RE: mbedtls RSA trouble, mbedtls_rsa_import/mbedtls_rsa_complete fails

Didrik Rokhaug — Fri, 22 Jan 2021 15:50:04 GMT

Hi, and sorry for the slow response.

The reason for why it fails when using the cryptocell is because the library doesn't calculate N based on P and Q.

However, if you calculate N and provide it to the library, it will work.

We will also add this missing detail in future versions of the crypto libraries.

This is the code snippet that should have been in the crypto library:

   if( !have_N && have_P && have_Q )
    {
        if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P,
                                         &ctx->Q ) ) != 0 )
        {
            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
        }

        ctx->len = mbedtls_mpi_size( &ctx->N );
    }

RE: mbedtls RSA trouble, mbedtls_rsa_import/mbedtls_rsa_complete fails

basvkesteren — Wed, 13 Jan 2021 16:37:54 GMT

Hi Didrik,

Thanks for the reply! About that upload, dunno how I've missed that button... A well.

But, any word from the developers?

Since I've uploaded my initial testcode I've been tweaking and fixing the mbedtls code; it's working stable now, but rather slow (especially the RSA calls). Would like to fix that 🙂

RE: mbedtls RSA trouble, mbedtls_rsa_import/mbedtls_rsa_complete fails

Didrik Rokhaug — Wed, 06 Jan 2021 16:08:36 GMT

Hi, and happy new year to you too.

[quote user="basvkesteren"](think i don't have the option of uploading stuff to the ticket, like you did?)[/quote]

You should be able to, although not every file type is allowed, so e.g., your prj.conf must either be renamed to something else than *.conf, or it must be in a zipped folder.

You can find the option to upload files here:

I've looked at your code, and you are correct that it doesn't use the cryptocell for the RSA encryption.

I believe the cryptocell is still used to get random numbers, but it is definitely used if you change your f_rng() to this:

#include <drivers/entropy.h>

static int f_rng(void *ctx, unsigned char *buf, size_t len)   
    const struct device *dev = device_get_binding(DT_CHOSEN_ZEPHYR_ENTROPY_LABEL);
    
    static int first = 1;
    if (first) {
        printk("Name of entropy device: %s\n", dev->name);
        first = 0;
    }
    
	if (!dev) {
		printk("error: no entropy device\n");
		return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
	}
	int err = entropy_get_entropy(dev, buf, len);
	if (err) {
		printk("Failed to get entropy\n");
		return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
	}

	return 0;
}

I would also change your call to mbedtls_rsa_private to use mbedtls_ctr_drbg_random instead of f_rng.

Unfortunately, I have not yet been able to get the cryptocell to perform the actual RSA encryption (though it should be possible). I will ask our developers if they can see what we are doing wrong.

RE: mbedtls RSA trouble, mbedtls_rsa_import/mbedtls_rsa_complete fails

basvkesteren — Mon, 04 Jan 2021 14:34:16 GMT

Hi Didrik and colleagues,

Best wishes for the new year 🙂

Just making sure my ticket won't be forgotten over the holidays.. ;)

RE: mbedtls RSA trouble, mbedtls_rsa_import/mbedtls_rsa_complete fails

basvkesteren — Wed, 23 Dec 2020 16:45:12 GMT

Hi Didrik,

Spend the day doing some testing. When I do the same entropy-trick (using the local f_rng function instead of mbedtls_entropy_func) stuff starts to work.

BUT, if I'm correct, I'm not using the cryptocell hardware. What do I need to do to get that working?

I've created a test-project, just doing the encryption, nothing else. I need AES-128 and RSA-1024. To get AES working, I need CONFIG_OBERON_BACKEND=y, otherwise the output is all zero's.

For RSA, i need to set CONFIG_CC3XX_BACKEND=n, or mbedtls_rsa_complete() fails with an input error.

If you could take a look at my code, i've uploaded it here

and the included testdata here

prj.conf is here

(think i don't have the option of uploading stuff to the ticket, like you did?)

RE: mbedtls RSA trouble, mbedtls_rsa_import/mbedtls_rsa_complete fails

basvkesteren — Wed, 23 Dec 2020 08:38:05 GMT

Hi Didrik,

Thanks for the example, I'll start working on that with my own code right now!

One more question right of, though; you're not using the CC3XX backend (CONFIG_CC3XX_BACKEND=n), so there's no hardware-acceleration for the crypto stuff, right? Is it not possible to use the CC3XX backend on the 52840?

RE: mbedtls RSA trouble, mbedtls_rsa_import/mbedtls_rsa_complete fails

Didrik Rokhaug — Mon, 21 Dec 2020 16:11:55 GMT

[quote user="basvkesteren"]Because I don't really have a clear picture about how and when the whole nrfxlib crypto stuff comes into play, the documentation (https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrfxlib/crypto/README.html) is sort of useless; a changelog and an api-list really doesn't do...[/quote]

It is not meant that you should use the crypto libraries directly, instead, you should use the Nordic Security Module: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrfxlib/nrf_security/README.html

I have also made a very small sample that seems to be working correctly, though I had to use Zephyr's sys_csrand_get() instead of mbedTLS's hardware_poll():

devzone.nordicsemi.com/.../mbedtls_5F00_rsa_5F00_import.zip

RE: mbedtls RSA trouble, mbedtls_rsa_import/mbedtls_rsa_complete fails

Didrik Rokhaug — Fri, 18 Dec 2020 15:59:22 GMT

Hi,

Unfortunately, I am not able to look at your ticket today, but I will try to get an answer to you in the beginning of next week.

Sorry for the inconvenience.

Best regards,

Didrik

RE: mbedtls RSA trouble, mbedtls_rsa_import/mbedtls_rsa_complete fails

basvkesteren — Fri, 18 Dec 2020 10:20:00 GMT

Replying to myself again 🙂

When I disable the CC3XX backend, I get a little bit further. I now have these config's:

CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_CC3XX_BACKEND=n
CONFIG_OBERON_BACKEND=y
CONFIG_MBEDTLS_VANILLA_BACKEND=n

And now the mbedtls_rsa_import/mbedtls_rsa_complete calls work as expected. However, doing an actual RSA encryption fails with a fault in mbedtls_hardware_poll.

If I then disable the CC3XX entropy thingy (CONFIG_ENTROPY_CC3XX=n) it no longer crashes, but a call to mbedtls_ctr_drbg_seed() returns -52 (CTR_DRBG - The entropy source failed), which probably makes sense; it doesn't have an entropy source?

(Edit: found out how to select the entropy-source; setting 'zephyr,entropy = &rng;' in my dts makes it use the RNG peripheral, but then the mbedtls_ctr_drbg_seed() call ends in a recursive spinlock assert..)

So, all this leads me to believe that I'm not using the CC3XX stuff properly, or it's not working properly. Is there any useful documentation, or an example perhaps, on how to configure, initialize and use this stuff for my platform?

RE: mbedtls RSA trouble, mbedtls_rsa_import/mbedtls_rsa_complete fails

basvkesteren — Fri, 18 Dec 2020 07:53:26 GMT

Or, thinking a bit about this, maybe I'm using the wrong API or configuration? Because I don't really have a clear picture about how and when the whole nrfxlib crypto stuff comes into play, the documentation (https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrfxlib/crypto/README.html) is sort of useless; a changelog and an api-list really doesn't do...