
Make use of FFDH keys in TLS 1.3 v.2 #7627

Merged
merged 38 commits into from Jul 3, 2023
Merged

Conversation


@mprse mprse commented May 22, 2023

Description

Resolves: #5979
Continuation of: #6102
Needs: #7577

This PR adds support for FFDH keys; it reuses the structures and adapts the code used for ECDH computation.
It provides only mbedtls tests in ssl-opt.sh.

PR checklist

Please tick as appropriate and edit the reasons (e.g.: "backport: not needed because this is a new feature")

  • changelog provided
  • backport not required (new feature)
  • tests provided (partially, missing openssl, gnutls tests)

@mprse mprse added needs-preceding-pr Requires another PR to be merged first needs-ci Needs to pass CI tests priority-high High priority - will be reviewed soon labels May 22, 2023
@mprse mprse added this to To Do in Roadmap Board for Mbed TLS via automation May 22, 2023
@mprse mprse mentioned this pull request May 22, 2023
@mprse mprse force-pushed the ffdh_tls13_v2 branch 3 times, most recently from e6d6df0 to 211a676 Compare May 23, 2023 11:56
@mprse mprse removed the needs-ci Needs to pass CI tests label May 24, 2023
@mpg mpg self-requested a review May 30, 2023 08:43
@ronald-cron-arm ronald-cron-arm self-requested a review May 30, 2023 10:14

@mpg mpg left a comment


Looks pretty good overall, most points are fairly minor, except the reliance on dhm.h which I think is structurally not what we want at this point.

Roadmap Board for Mbed TLS automation moved this from To Do to In Development May 30, 2023
@mprse mprse added needs-review Every commit must be reviewed by at least two team members, needs-ci Needs to pass CI tests and removed needs-preceding-pr Requires another PR to be merged first labels Jun 1, 2023
@mprse mprse requested a review from mpg June 2, 2023 05:21
@mprse mprse removed the needs-ci Needs to pass CI tests label Jun 2, 2023

@mpg mpg left a comment


Thanks for addressing my feedback! I like what you've done with the functions that handle human-readable names, I think it's really neat now.

I also like the unification of ECDH and FFDH when writing our key share, but I have a number of suggestions to improve it further.

Edit: see also: #7627 (comment) and #7627 (comment)


@mpg mpg left a comment


Looks good to me, but while the iron's hot, let's try to improve as discussed here (new helper macro + trying to de-duplicate code unless it turns out to be harder than I think).

mpg previously approved these changes Jun 5, 2023

@mpg mpg left a comment


LGTM, thanks!

@mprse

mprse commented Jun 5, 2023

Force-pushed the following fix:

@@ -528,10 +528,10 @@ int parse_curves(const char *curves, uint16_t *group_list, size_t group_list_len
             }
         }
 
-        mbedtls_printf("Number of curves: %d\n", i);
+        mbedtls_printf("Number of curves: %lu\n", i);
 
         if (i == group_list_len - 1 && *p != '\0') {
-            mbedtls_printf("curves list too long, maximum %d",
+            mbedtls_printf("curves list too long, maximum %lu",
                            group_list_len - 1);
             return -1;
         }
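Review bot: the two new %lu conversions still pass their arguments without a cast. group_list_len is size_t (see the hunk header), so group_list_len - 1 is size_t, and i is evidently a count of the same kind; %lu requires an unsigned long argument, and on targets where the two types differ in width (LLP64 toolchains such as mingw, the very platform %zu was dropped for) the call is undefined behaviour and at best prints garbage. Pass (unsigned long) i and (unsigned long) (group_list_len - 1) instead. The "curves list too long, maximum %lu" message also lacks the trailing newline that the "Number of curves" line above it has.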

Edit:
zu -> lu, as mingw had a problem with zu.

@mpg

mpg commented Jun 6, 2023

@mprse I think we also need to cast the argument: printf("... %lu ...", (unsigned long) foo);. It's quite annoying that in 2023 we can't seem to use %zu yet.
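The cast mpg asks for, shown in a stand-alone group-list parser of the same shape as the function in the hunk (zero-terminated uint16_t list, one slot reserved, "list too long" check). This is an added example, not Mbed TLS's parse_curves; the function names and the group table are assumed, with the codepoints taken from the IANA TLS NamedGroup registry (RFC 8446 / RFC 7919).

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* TLS NamedGroup codepoints; ffdhe2048 = 0x100 as in the PR's test table. */
static const struct { const char *name; uint16_t id; } known_groups[] = {
    { "secp256r1", 0x17 }, { "secp384r1", 0x18 }, { "secp521r1", 0x19 },
    { "x25519", 0x1d }, { "x448", 0x1e },
    { "ffdhe2048", 0x100 }, { "ffdhe3072", 0x101 }, { "ffdhe4096", 0x102 },
    { "ffdhe6144", 0x103 }, { "ffdhe8192", 0x104 },
};

/* Look up a name of the given length; 0 (not a valid codepoint) means unknown. */
static uint16_t group_id_from_name(const char *name, size_t len)
{
    for (size_t k = 0; k < sizeof(known_groups) / sizeof(known_groups[0]); k++) {
        if (strlen(known_groups[k].name) == len &&
            memcmp(known_groups[k].name, name, len) == 0) {
            return known_groups[k].id;
        }
    }
    return 0;
}

/* Parse "name,name,..." into a zero-terminated list of group ids.
 * Returns the number of groups parsed, or -1 on an unknown name or
 * when the list would not leave room for the terminating 0. */
int parse_groups(const char *groups, uint16_t *group_list, size_t group_list_len)
{
    const char *p = groups;
    size_t i = 0;   /* same kind of counter as in the hunk */

    while (*p != '\0') {
        const char *q = p;
        while (*q != '\0' && *q != ',') {
            q++;
        }
        if (i == group_list_len - 1) {
            /* %zu is the C99 way, but MinGW's CRT did not support it, so
             * use %lu and cast: %lu with a bare size_t is undefined behaviour
             * wherever size_t and unsigned long differ (LLP64 targets). */
            fprintf(stderr, "groups list too long, maximum %lu\n",
                    (unsigned long) (group_list_len - 1));
            return -1;
        }
        uint16_t id = group_id_from_name(p, (size_t) (q - p));
        if (id == 0) {
            fprintf(stderr, "unknown group: %.*s\n", (int) (q - p), p);
            return -1;
        }
        group_list[i++] = id;
        p = (*q == ',') ? q + 1 : q;
    }
    group_list[i] = 0;
    printf("Number of groups: %lu\n", (unsigned long) i);
    return (int) i;
}
```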

@mprse

mprse commented Jun 27, 2023

CI was green and I added only the last commit to fix comments (shouldn't cause any harm).
As discussed earlier, the remaining comments (adapting function names, parameter names, structures, etc.) will be fixed in the follow-up PR, as this one is already big.
Setting to ready for review.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
@mprse

mprse commented Jun 28, 2023

Force-pushed the last commit to restart CI, as it seems it was aborted (not sure now whether my happiness about the green CI wasn't premature).

Also, it seems that there is still a problem with ffdhe8192 on CI (even with one retry):


TLS 1.3 m->m: HRR x25519 -> ffdhe8192 .................................. RETRY(client-timeout) RETRY(client-timeout) FAIL
  ! bad client exit code (expected 0, got 143)
  ! outputs saved to o-XXX-1682.log

TLS 1.3 m->m: HRR x448 -> ffdhe8192 .................................... RETRY(client-timeout) RETRY(client-timeout) FAIL
  ! bad client exit code (expected 0, got 143)
  ! outputs saved to o-XXX-1688.log

TLS 1.3 m->m: HRR ffdhe2048 -> ffdhe8192 ............................... RETRY(client-timeout) PASS

@mpg

mpg commented Jun 28, 2023

Do we really need to use the largest ffdh group in tests? Or could we only test with ffdhe2048 and ffdhe3072 in all the compat tests in order to avoid the performance issues?

Perhaps keep only one test with ffdh8072 in order to make sure buffer sizes are correct, but that one would be guarded by client_needs_more_time 4 and not_with_valgrind to reduce the probability of timeouts. (Btw, this is not about adding retries, it's about enlarging the delay before timeout.)

Wdyt?

@mprse

mprse commented Jun 28, 2023

Do we really need to use the largest ffdh group in tests? Or could we only test with ffdhe2048 and ffdhe3072 in all the compat tests in order to avoid the performance issues?

First we had all groups tested, but this was too much, so we decided to have only the corner cases (smallest and biggest group). This makes sense, but since we have such problems on CI, maybe using FFDHE6144 instead of FFDHE8192 would be enough?

@mpg

mpg commented Jun 28, 2023

I think we need to differentiate our strategy based on what we're testing. It looks to me like the numerous "TLS 1.3 X->Y: HRR zzz -> ttt" are mostly about negotiation by means of HelloRetryRequest: here I think we don't care about using large groups, and just using any two distinct groups would be enough, so I'd pick the two smallest groups.

Then I think we need one test using the largest group with ourselves to validate buffer sizes. Then one interop test with each group with GnuTLS and/or OpenSSL to make sure we don't have group-specific errors (such as a typo in the group parameters or their IDs).

(Note: this might apply to curves as well. I'm not sure we need to test absolutely all combinations of curves either in the HelloRetryRequest tests.)

@ronald-cron-arm wdyt?

@mprse

mprse commented Jun 28, 2023

Then I think we need one test using the largest group with ourselves to validate buffer sizes. Then one interop test with each group with GnuTLS and/or OpenSSL to make sure we don't have group-specific errors (such as a typo in the group parameters or their IDs).

Should these tests be manually added to ssl-opt.sh?

So I will leave only ffdhe2048 to be generated by the script and add a single G->m and m->G test (GnuTLS will be used, as OpenSSL doesn't support FFDH) for each group other than ffdhe2048 in ssl-opt.sh:

Test cases added to ssl-opt.sh for groups other than ffdhe2048:

requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
         "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
         "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
         0 \
         -s "Protocol is TLSv1.3" \
         -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
         -s "received signature algorithm: 0x804" \
         -s "got named group: ffdhe2048(0100)" \
         -s "Certificate verification was skipped" \
         -C "received HelloRetryRequest message"
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
         "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=ffdhe2048" \
         0 \
         -c "HTTP/1.0 200 OK" \
         -c "Protocol is TLSv1.3" \
         -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \
         -c "Certificate Verify: Signature algorithm ( 0804 )" \
         -c "NamedGroup: ffdhe2048 ( 100 )" \
         -c "Verifying peer X.509 certificate... ok" \
         -C "received HelloRetryRequest message"

@mpg

mpg commented Jun 28, 2023

Should these tests be manually added to ssl-opt.sh?

That was my thinking, yes.

@ronald-cron-arm

Do we really need to use the largest ffdh group in tests? Or could we only test with ffdhe2048 and ffdhe3072 in all the compat tests in order to avoid the performance issues?

Perhaps keep only one test with ffdh8072 in order to make sure buffer sizes are correct, but that one would be guarded by client_needs_more_time 4 and not_with_valgrind to reduce the probability of timeouts. (Btw, this is not about adding retries, it's about enlarging the delay before timeout.)

Wdyt?

Yes that looks reasonable to me.

@ronald-cron-arm

I think we need to differentiate our strategy based on what we're testing. It looks to me like the numerous "TLS 1.3 X->Y: HRR zzz -> ttt" are mostly about negotiation by means of HelloRetryRequest: here I think we don't care about using large groups, and just using any two distinct groups would be enough, so I'd pick the two smallest groups.

Then I think we need one test using the largest group with ourselves to validate buffer sizes. Then one interop test with each group with GnuTLS and/or OpenSSL to make sure we don't have group-specific errors (such as a typo in the group parameters or their IDs).

(Note: this might apply to curves as well. I'm not sure we need to test absolutely all combinations of curves either in the HelloRetryRequest tests.)

@ronald-cron-arm wdyt?

That looks good to me.

@ronald-cron-arm

Then I think we need one test using the largest group with ourselves to validate buffer sizes. Then one interop test with each group with GnuTLS and/or OpenSSL to make sure we don't have group-specific errors (such as a typo in the group parameters or their IDs).

Should these tests be manually added to ssl-opt.sh?

So I will leave only ffdhe2048 to be generated by the script and add a single G->m and m->G test (GnuTLS will be used, as OpenSSL doesn't support FFDH) for each group other than ffdhe2048 in ssl-opt.sh:

Test cases added to ssl-opt.sh for groups other than ffdhe2048:

requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
         "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
         "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
         0 \
         -s "Protocol is TLSv1.3" \
         -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
         -s "received signature algorithm: 0x804" \
         -s "got named group: ffdhe2048(0100)" \
         -s "Certificate verification was skipped" \
         -C "received HelloRetryRequest message"
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
         "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=ffdhe2048" \
         0 \
         -c "HTTP/1.0 200 OK" \
         -c "Protocol is TLSv1.3" \
         -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \
         -c "Certificate Verify: Signature algorithm ( 0804 )" \
         -c "NamedGroup: ffdhe2048 ( 100 )" \
         -c "Verifying peer X.509 certificate... ok" \
         -C "received HelloRetryRequest message"

I am ok with that.

- Full tests generated by script only for ffdhe2048 group
- Single G->m and m->G exchange test for each other group

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
@mprse mprse removed the needs-ci Needs to pass CI tests label Jun 28, 2023

@mpg mpg left a comment


LGTM. Good job!

@mpg

mpg commented Jun 29, 2023

I had a look at the API-ABI report, and the changes are acceptable: two internal functions have been renamed.

@mprse

mprse commented Jun 29, 2023

Created a follow-up PR that addresses the remaining comments.


@ronald-cron-arm ronald-cron-arm left a comment


LGTM given that we've agreed to address remaining comments in a follow-up PR. I have also created a follow-up PR to try and improve one part of the code (#7862).

@@ -67,6 +67,7 @@
'secp521r1': 0x19,
'x25519': 0x1d,
'x448': 0x1e,
'ffdhe2048': 0x100,
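Review bot: with only ffdhe2048 added to this table the generator will emit the full compat/HRR test set for a single finite-field group, which is the decision reached above (generated tests for ffdhe2048 only, hand-written G->m and m->G tests for the other groups) but is not visible from the table itself; the suggested comment "# Only one finite field group to keep testing time within reasonable bounds." should be added so that nobody later "completes" the table with ffdhe3072 to ffdhe8192 and reintroduces the client-timeout failures seen on CI. The value 0x100 is the IANA NamedGroup codepoint for ffdhe2048 and agrees with the "got named group: ffdhe2048(0100)" string the ssl-opt.sh tests expect.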

Suggested change
'ffdhe2048': 0x100,
# Only one finite field group to keep testing time within reasonable bounds.
'ffdhe2048': 0x100,

I am happy for this to be done in the follow-up PR.

Roadmap Board for Mbed TLS automation moved this from In Development to Has Approval Jun 30, 2023
@mpg mpg added approved Design and code approved - may be waiting for CI or backports and removed needs-review Every commit must be reviewed by at least two team members, labels Jul 3, 2023
@mpg
Copy link
Contributor

mpg commented Jul 3, 2023

I'm merging this before conflicts appear, and work will continue in #7858 and #7862.

@mpg mpg merged commit 56b159a into Mbed-TLS:development Jul 3, 2023
14 of 17 checks passed
Roadmap Board for Mbed TLS automation moved this from Has Approval to Done Jul 3, 2023
Successfully merging this pull request may close these issues.

FFDH 3: use in TLS 1.3