Make (TLS) groups fully independent of (EC) curves

[baentsch]

Referring to the statement by @mattcaswell in #10512

We have implemented fully pluggable KEM and KEX in libssl

wouldn't the expectation be fair that after adding new TLS (1.3) groups (via a pluggable KEM provider) those new groups should be visible/accessible in a similar way as the original (EC) curves?

More specifically, the API SSL_get_shared_group seems to behave somewhat out of line with this full integration: By returning only NIDs (of known libcrypto implementations), it effectively returns nothing if a new, Provider-implemented, TLS1.3 KEM group (PQC in this case) has been integrated and runs:

Supported Elliptic Groups: 0x0201
Shared Elliptic groups: <NULL>

TLS1.3 operates correctly with the new crypto (KEM) from the Provider (confirming the statement at the beginning), but only tries to display built-in/libcrypto-provided shared (Elliptic) groups.

In any case, the output above seems to be inconsistent: Either it should display nothing (as the new KEM is not an EC curve) OR also display the shared group (which already is shown as supported with its group ID). The reason for the NULL above is this statement in ssl/s3_lib.c:

return tls1_group_id2nid(id, 1);

A possible alternative is to amend the above return statement as follows

if (s->session->ssl_version != TLS1_3_VERSION) return tls1_group_id2nid(id, 1);

and update the documentation in doc/man3/SSL_CTX_set1_curves.pod accordingly: Amend the current

SSL_get_shared_group() returns the NID of the shared group B for a server-side SSL B.

as follows:

SSL_get_shared_group() returns the NID of the shared group B for a server-side SSL B when running SSL or TLS<1.3; for TLS1.3, returns the shared group ID.

In addition, it would be nice to amend the code in apps/lib/s_cb.c annotated "TODO(TLS1.3)" to fetch the group name. When trying to implement this I had to find I'm out of my depth here: At first look, the function tls1_group_id_lookup could deliver the TLS_GROUP_INFO structure containing all required information, however, function and data structures seem to be only (SSL-)local and not generally accessible, so some internal "API opening" may be be required for this. So, any reference to APIs I am not aware of and already delivering this functionality would be gratefully welcomed: I'd volunteer to integrate that into apps/lib/s_cb.c.

An alternative to this proposal would be a new API for TLS1.3 groups that has no relation to the old (EC) curves.

[romen]

Thanks for reporting this (and the testing of pluggable KEM groups backed by liboqs implementations).

I think both solutions would be acceptable and it is great you are willing to work on this.

I'd defer to @mattcaswell for more direction on which approach would be preferable.

[romen]

I'm adding this to the 3.0beta1 milestone for evaluation by OTC: while the addition of a new API or opening existing ones could configure as a new feature, the issue highlights a shortcoming in the current SSL_get_shared_group() implementation which should be discussed.

[mattcaswell]

I think the problem is purely in the implementation of ssl_print_groups in apps\s_cb.c.

SSL_get_shared_group() is documented to behave as follows in the event of a non-built-in group:

If the NID for the shared group is unknown then the value
is set to the bitwise OR of TLSEXT_nid_unknown (0x1000000) and the id of the
group.

This behaviour should already be implemented in tls1_group_id2nid, so SSL_get_shared_group should already be doing the right thing.

The "Supported Elliptic Groups" output already has the logic to handle this:

openssl/apps/lib/s_cb.c

Lines 356 to 371 in 2c61a67

	BIO_puts(out, "Supported Elliptic Groups: ");
	for (i = 0; i < ngroups; i++) {
	if (i)
	BIO_puts(out, ":");
	nid = groups[i];
	/* If unrecognised print out hex version */
	if (nid & TLSEXT_nid_unknown) {
	BIO_printf(out, "0x%04X", nid & 0xFFFF);
	} else {
	/* TODO(TLS1.3): Get group name here */
	/* Use NIST name for curve if it exists */
	gname = EC_curve_nid2nist(nid);
	if (gname == NULL)
	gname = OBJ_nid2sn(nid);
	BIO_printf(out, "%s", gname);
	}

But the "Shared Elliptic Groups" output is missing this logic:

openssl/apps/lib/s_cb.c

Lines 378 to 389 in 2c61a67

	BIO_puts(out, "\nShared Elliptic groups: ");
	ngroups = SSL_get_shared_group(s, -1);
	for (i = 0; i < ngroups; i++) {
	if (i)
	BIO_puts(out, ":");
	nid = SSL_get_shared_group(s, i);
	/* TODO(TLS1.3): Convert for DH groups */
	gname = EC_curve_nid2nist(nid);
	if (gname == NULL)
	gname = OBJ_nid2sn(nid);
	BIO_printf(out, "%s", gname);
	}

We just need to add the missing logic and it should work as expected.

While we're at it, I'd suggest we drop the word "Elliptic" from the labels and just make them "Supported Groups" and "Shared Groups".

In addition, it would be nice to amend the code in apps/lib/s_cb.c annotated "TODO(TLS1.3)" to fetch the group name. When trying to implement this I had to find I'm out of my depth here: At first look, the function tls1_group_id_lookup could deliver the TLS_GROUP_INFO structure containing all required information, however, function and data structures seem to be only (SSL-)local and not generally accessible, so some internal "API opening" may be be required for this. So, any reference to APIs I am not aware of and already delivering this functionality would be gratefully welcomed

I don't think there is an API to do this at the moment. We'd have to add something new. Say, something like:

    const char *SSL_group_to_name(SSL *s, int group);

This could simply take the id in the format provided by SSL_get_shared_group and return the associated string value for it.

[baentsch]

Thanks for your quick feedback & Thanks for the pointer to the TLSEXT_nid_unknown logic. Here's a fix along your suggestions, @mattcaswell.
As I don't know your team's prerequisites for PRs (beyond running make test with 100% PASS), I refrained from just quickly submitting the above to close out the immediate bug. I'd also be glad to add the "groupname-getter" API in the PR if you'd be accepting such--clearly non-essential--code before getting the beta out the door. Glad to take your guidance as to how/whether/when to proceed.

[mattcaswell]

Thanks for your quick feedback & Thanks for the pointer to the TLSEXT_nid_unknown logic. Here's a fix along your suggestions, @mattcaswell.

The fix looks good from my quick scan. Please feel free to go ahead and create a PR for it. The main thing you may need to do is send us a CLA (if you haven't already done so):

https://www.openssl.org/policies/cla.html

I'd also be glad to add the "groupname-getter" API in the PR if you'd be accepting such--clearly non-essential--code before getting the beta out the door. Glad to take your guidance as to how/whether/when to proceed.

We haven't yet reached feature freeze, so we still have the ability to add new APIs if we feel it is warranted. In this case the API should be relatively straightforward and low risk - and the need for it is introduced by other changes already made for 3.0. So, I don't see a problem with us doing this now - although its unlikely that we would hold up 3.0 beta1 for it, and if it missed beta1 it wouldn't go in for somewhile. However, there's still a lot to do before beta1 so this shouldn't be an issue.

So, I'd be happy to see you submit a PR to add this. It would need to be accompanied with appropriate documentation and a test (probably in test/sslapitest.c, perhaps as an extension of the existing test_pluggable_group test).

[baentsch]

Thanks again for feedback & guidance.

The main thing you may need to do is send us a CLA (if you haven't already done so)

So done now. Will I get an ACK on this or can I just proceed with the PR?

you submit a PR to add this. It would need to be accompanied with appropriate documentation and a test (probably in test/sslapitest.c, perhaps as an extension of the existing test_pluggable_group test).

OK - working on it....

Additional, immediate questions after checking out the "surrounding" code for this addition: Should I make "related" fix suggestions in the same PR or do separate issue/PR pairs on things that don't look right? Most notably, I spotted many #ifdef's that don't look quite right any more: For example, the ones below appear out of step with the new groups' stance as EC-independent entities now (and there are some more).

Key issue: The internal s3 data structure headers (correctly) don't contain #ifdef's any more for elements like peer_tmp or pkey but code like this doesn't handle them right if EC and DH are both undefined:

openssl/ssl/s3_lib.c

Lines 3398 to 3401 in 2c61a67

	#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
	EVP_PKEY_free(s->s3.tmp.pkey);
	EVP_PKEY_free(s->s3.peer_tmp);
	#endif /* !OPENSSL_NO_EC */

Also the command dispatchers seem to be flawed in this case:

openssl/ssl/s3_lib.c

Lines 3625 to 3671 in 2c61a67

	#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
	case SSL_CTRL_GET_GROUPS:
	{
	uint16_t *clist;
	size_t clistlen;
	if (!s->session)
	return 0;
	clist = s->ext.peer_supportedgroups;
	clistlen = s->ext.peer_supportedgroups_len;
	if (parg) {
	size_t i;
	int *cptr = parg;
	for (i = 0; i < clistlen; i++) {
	const TLS_GROUP_INFO *cinf
	= tls1_group_id_lookup(s->ctx, clist[i]);
	if (cinf != NULL)
	cptr[i] = tls1_group_id2nid(cinf->group_id, 1);
	else
	cptr[i] = TLSEXT_nid_unknown | clist[i];
	}
	}
	return (int)clistlen;
	}
	case SSL_CTRL_SET_GROUPS:
	return tls1_set_groups(&s->ext.supportedgroups,
	&s->ext.supportedgroups_len, parg, larg);
	case SSL_CTRL_SET_GROUPS_LIST:
	return tls1_set_groups_list(s->ctx, &s->ext.supportedgroups,
	&s->ext.supportedgroups_len, parg);
	case SSL_CTRL_GET_SHARED_GROUP:
	{
	uint16_t id = tls1_shared_group(s, larg);
	if (larg != -1)
	return tls1_group_id2nid(id, 1);
	return id;
	}
	case SSL_CTRL_GET_NEGOTIATED_GROUP:
	ret = tls1_group_id2nid(s->s3.group_id, 1);
	break;
	#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */

Additional proof point: when I build my (previously perfectly functioning) PQC-providers in an OpenSSL master branch set up with ./Configure -no-ec -no-dh nothing works any more. Reason is clear: The groups' SSL_CTRL_XXX commands simply are not present/executed due to code missing when -no-ec -no-dh (OPENSSL_NO_EC, OPENSSL_NO_DH) are set.

Looking at all of this I guess it's reasonable to just make change suggestions in the same PR as it's all got to do with this issue -- and it's already labelled "bug" :)