Core functions for the lake-authz draft

[geonnave]

This PR will implement the core functions for EAD message preparation and processing with focus on U and V:

• prepare EAD_1 (U)
• process EAD_1 (V)
• prepare Voucher Request (V)
• prepare Voucher Response (W)
• prepare EAD_2 (U)
• process EAD_2 (V)
• handle VREQ and VRES in stateless and stateful operation modes
• integration with the main crate
• pass CI, a.k.a. works with all features and all crypto backends

Draft link: https://www.ietf.org/archive/id/draft-selander-lake-authz-03.html

Architecture:

U                           V                                       W
|                           |                                       |
|      EDHOC message_1      |                                       |
+-------------------------->|                                       |
|  (EAD_1 = LOC_W, ENC_ID)  |                                       |
|                           |                                       |
|                           |        Voucher Request (VREQ)         |
|                           +-------------------------------------->|
|                           |       (message_1, ?opaque_state)      |
|                           |                                       |
|                           |        Voucher Response (VRES)        |
|                           |<--------------------------------------+
|                           |  (message_1, Voucher, ?opaque_state)  |
|                           |                                       |
|      EDHOC message_2      |                                       |
|<--------------------------+                                       |
|     (EAD_2 = Voucher)     |                                       |
|                           |                                       |
|                           |                                       |
|      EDHOC message_3      |                                       |
+-------------------------->|                                       |
|                           |                                       |

[geonnave]

@malishav it still needs polishing but all core functions of the draft work, so it could receive a first pass of review. Please focus on the edhoc-ead-zeroconf crate, since the integration with the rest of edhoc-rs is currently broken due to some API changes. (that is why the CI totally fails; on the other hand, cargo test for the edhoc-ead-zeroconf crate passes).

[geonnave]

Also, for reference, I used this notebook to create the traces / test vectors.

[geonnave]

It looks better now, but I think it will not be fully working with all features and possible configurations by the end of the day.

Since I will leave for PTO until 24 Oct, I would like to merge this today (if the review goes well), even if I have to adapt the CI with feature/exclude flags.

[geonnave]

Wohoo, CI passing!

[malishav]

Thanks for providing this PR @geonnave ! I left some inline comments, the major red flag that I see is parsing code which does not check the actual number of bytes received and may panic. Other than that, I think there is a misconception on the length of the voucher and some excessive allocations. See inline for more details.

[malishav]

yes, we should definitely have a way of calling the KDF function frm this code without code duplication

[malishav]

Perhaps, we can do the same as with encode_enc_structure and move this to a helper module?

[geonnave]

For the time being I moved just the logic for the info struct to a helpers module in consts.

Part of the reason is to avoid having consts depend on the cryptographic backends.
Another part is that this is now only a single small duplicated function, so in my view it still does not justify changing the dependencies in consts.
Nevertheless I added a TO-DO (🙃), that we should address as more cases like this arise.

[malishav]

This is an excessive allocation for a voucher. Voucher is always of size MAC_LENGTH which corresponds to the MAC length used in EDHOC. Since we only support a single cipher suite for now, this should use MAC_LENGTH.

[geonnave]

I changed this for consistency, but note that since we need to put the voucher in an EADItem struct, we sill need to allocate one large buffer since the EADItem.value is an EdhocMessageBuffer.

[malishav]

It seems that you are not checking anywhere how many bytes are actually in the received voucher_response, i.e. the value of voucher_response.len. This means that your code may panic when it receives a malformed Voucher Response or worse take values from the internal buffer at random. This code should be rewritten to check remaining voucher_response.len before actually accessing voucher_response.content array.

[geonnave]

Added size verifications to all parse_* routines.

[malishav]

Same comment as above: before accessing value.content, we need to check how long it is...

[malishav]

Same comment on accessing vreq.content[] as above

[malishav]

This is strange. Looking at draft-ietf-lake-authz:

The derivation of IV_1 = EDHOC-Expand(PRK, info, length) uses the following input to the info struct (see Section 4.2):

info_label = 1
context = h'' (the empty CBOR string)
length is length of nonce of the EDHOC AEAD algorithm in bytes

According to this, length should be set to AES_CCM_IV_LEN.

[geonnave]

Fixed.

[malishav]

Is this the same code as in lib/src/edhoc.rs, function encode_enc_structure ? If so, why not move it like a helper function together with CBOR-related helpers? Jsut rename the module to something more appropriate

[geonnave]

It is not the same, the input in this case is just ss: u8 while in lib/src/edhoc.rs the input is th_3: &BytesHashLen.

[malishav]

Will this be checked somehow beforehand, i.e. in the library code invoking the EAD handler? If yes, this could be an replaced with an assertion

[geonnave]

It is not checked before, since the library is agnostic of the EAD handlers. Thus I think we can keep the if check.

[geonnave]

From my side, this is ready to merge.

[malishav]

Partial review below, as discussed offline.

[malishav]

The comment here confused me. prk is not an ephemeral key, but the ECDH secret derived from the ephemeral key of U and static key of W. The code seems correct, the comment does not.

[geonnave]

As discussed, was a reminiscent comment from before a refactoring. Removed.

[malishav]

You are accessing voucher_response.content[0] here before checking whether the received length, voucher_response.len, is greater than zero. Are you ensuring that the function can be called only when voucher_response.len is >0? If yes, then you could have an assert assert!(voucher_response.len > 0). If not, the whole block of code lines 365-409 should be conditioned on if(voucher_reponse.len > 0) IMO.

[malishav]

Here, you accessed voucher_response.content[2] before having checked if there are enough bytes in the buffer according to voucher_response.len. That may panic if voucher_response.len is only 1 byte.

[malishav]

As discussed, we will address this issue in a separate PR.