gh-136306: Add support for SSL groups

[ronf]

This is an initial implementation of the feature proposed in issue #136306.

• Issue: Add support in SSL module for getting/setting groups used for key agreement #136306

---

📚 Documentation preview 📚: https://cpython-previews--136307.org.readthedocs.build/

[picnixz]

A first round of comments

[picnixz]

Suggested change

	.. versionadded:: 3.15
	.. versionadded:: next

[ronf]

Done.

[picnixz]

Suggested change

	values.
	Example::
	values. For example::

And remove the indentation in the example (I don't think it's necessary)

[ronf]

Done.

[picnixz]

Suggested change

	when connected, the :meth:`SSLSocket.group` method of SSL sockets will
	When connected, the :meth:`SSLSocket.group` method of SSL sockets will

[ronf]

Done.

[picnixz]

This should be done in a separate PR as it would be better to raise a warning. Leave it supported for now.

[ronf]

Understood - reverted for now.

[picnixz]

Please follow PEP-7 for new code (add braces).

[ronf]

Done.

[picnixz]

Some other comments (sorry I'm on mobile so it's hard)

[picnixz]

I am a bad reviewer but I just saw that you actually copied the example style of the other example. Sorry to ask you to revert it... I would prefer to update it in a follow-up PR both examplesn(or more) on this page. Again I am very sorry (GH didn't show me enough context)

[ronf]

I actually had to revert this to get the docs to build. In the doc preview, though, it looks like the block isn't actually indented. So, I think we may be good here if I understand correctly what you were looking for.

One thing I didn't like here is that the long list of returned values doesn't wrap. Should I add hard line breaks in there to manually wrap the returned value across multiple lines for readability, even though the real return value wouldn't?

[picnixz]

Can we create multiple contexts to check this? Like:

1 context for which we set P-256 and then check get_groups w and w/o aliases and 1 context for which we set P-256:X25519 and then check get_groups w and w/o aliases? something like

def test(self):
    ctx = ...
    ctx.set_groups('P-256')
    # checks

    ctx = ...
    ctx.set_groups('P-256:X25519')
    # checks

[ronf]

The values returned by ctx.get_groups() are affected only be ctx.minimum_version and ctx.maximum_version, and not by calls to ctx.set_groups(). There is a separate set of tests added in ThreadedTests.test_groups() which set the client and server contexts to different values and see what the resulting selected value is by querying SSLObject.group() after the handshake completes, including a test where the connection fails due to no overlapping groups. This is following the pattern of the test_ecdh_curve() test just above that.

[picnixz]

Ok then maybe only use either P-256 or P-256:X25519 in the set_groups call (namely only one such call) if possible and comment what we are testing (don't use docstrings). The name "test_groups" is not sufficiently clear at first glance.

[ronf]

Ok - I've split out the test methods into separate test_set_groups() and test_get_groups(), and also added some comments within each of those. This also allowed me to do a skipUnless on test_get_groups() on platforms with too old an OpenSSL.

[picnixz]

Let's add a constant (in the file) say OPENSSL_CAN_QUERY_GROUPS = ssl.OPENSSL_VERSION_INFO >= (3,2)

[ronf]

In this case, I think two constants would be required. The SSLObject.group() call requires 3.2 or later, but the SSLContext.get_groups() call requires 3.5 or later.

[picnixz]

Yes please do so. It'll ease future maintenance especially if we then support other libcrypto implementations

[ronf]

Adding CAN_GET_SELECTED_OPENSSL_GROUP and CAN_GET_AVAILABLE_OPENSSL_GROUPS.

[picnixz]

This call can fail (decode call) so you need to handle the failure

[ronf]

The values returned here are constant strings coming from OpenSSL, and they should always be plain ASCII. So, the decode should always succeed in this case. I can put in a check here, but it would effectively be dead code unless there was some kind of bug in OpenSSL. The function _ssl__SSLSocket_compression_impl contains another example of this.

[picnixz]

We need it if Python runs out of memory unfortunately. It comverts a const char* to a PyObject* so we need such guards.

[ronf]

Ah, gotcha. Change made.

[picnixz]

The values returned here are constant strings coming from OpenSSL, and they should always be plain ASCII.

In this case, add an assert with a comment saying that those strings are statically allocated on OpenSSL's side. If they are dynamically fetched, checking for NULL would still be preferred but an assert doesn't hurt

[ronf]

I've added an assert about group elements being non-NULL, as well as a comment about these items being internal constants which shouldn't be modified or freed. I also added a comment about the strings being ASCII, so there should be no decoding errors (though an allocation check on the decoded string is still being handled in the previous commit.

[picnixz]

Can we have heap allocation instead here? or is there some magic in OpenSSL?

[ronf]

The word "stack" here is just what OpenSSL calls one of its data types (used for a list of items). The actual allocation is in the call to sk_OPENSSL_CSTRING_new_null just below this (with a check for allocation failure).

[picnixz]

Suggested change

	PyList_SET_ITEM(result, i, PyUnicode_DecodeFSDefault(group));
	PyList_SET_ITEM(result, i, item);

[ronf]

Thanks for catching this!

[picnixz]

Is the free() call a no-op on NULLs? I'd suggest having an error label responsible for XDECREF the result and free the groups (and don't forget to initialize them to NULL in this case).

[ronf]

From what I read, it is safe to call things like sk_OPENSSL_CSTRING_free() on a null pointer. For PyObjects, though, there's Py_DECREF() and Py_XDECREF(). The latter is safe to use on a potential NULL pointer.

I've gone ahead and moved all the freeing to an "error" label as you suggested. Commit will be in shortly.

[ronf]

From what I read, it is safe to call things like sk_OPENSSL_CSTRING_free() on a null pointer. For PyObjects, though, there's Py_DECREF() and Py_XDECREF(). The latter is supposedly safe on NULL pointers, but the former is not.

[ronf]

I'm not sure why the latest round of tests failed - The only change in this last commit was a doc file change, so I'm guessing it's a transient CI failure. Is there a way to trigger it to retry?

[picnixz]

To reduce this, just use ... and add a +doctest: SKIP comment

[ronf]

Ok, done.

[picnixz]

Suggested change

	>>> ctx.minimum_version=ssl.TLSVersion.TLSv1_3
	>>> ctx.maximum_version=ssl.TLSVersion.TLSv1_3
	>>> ctx.minimum_version = ssl.TLSVersion.TLSv1_3
	>>> ctx.maximum_version = ssl.TLSVersion.TLSv1_3

[ronf]

Done.

[picnixz]

Is there a default group that is known to always be returned?

[ronf]

The set of returned versions varies depending on the OpenSSL version. However, with the default of include_aliases=False, it should be guaranteed that P-256 will not be included since it is an alias. With include_aliases=True, I believe it should be included in all versions, going all the way back to OpenSSL 1.1.1, and I did some local testing to confirm that.

[picnixz]

Suggested change

	if (self->ssl == NULL) {
	Py_RETURN_NONE;
	}
	group_name = SSL_get0_group_name(self->ssl);
	if (group_name == NULL) {
	Py_RETURN_NONE;
	}
	if (self->ssl == NULL) {
	Py_RETURN_NONE;
	}
	group_name = SSL_get0_group_name(self->ssl);
	if (group_name == NULL) {
	Py_RETURN_NONE;
	}

You can write more compact code in general

[ronf]

What did you have in mind here? With the group_name assignment, it becomes difficult to combine the blocks above and below,e even though they both do a Py_RETURN_NONE. I'm happy to remove the blank lines if you prefer that. The style guide wasn't completely clear on that and the existing code is a mixture of cases containing blank lines after close braces and not.

[picnixz]

This comment should be split into parts:

• comment about constness should be above the assert.
• comment about the dynamic memory should be at the declaration of stack_of
• comment about non-failure for decoding should in the if (item == NULL).

[ronf]

Ok - I've made an attempt at this, though I'm not sure it completely matches what you had in mind. In particular, it was difficult to split the comment on the lack of allocation of strings inside the stack from the points later about not needing a NULL check on "group" since there's no allocation. It also meant I had to add a comment about the fact that item could be NULL due to an allocation error, even though there's no issue with decoding errors.

These and other requested changes are now in.

[picnixz]

Is there a way to trigger it to retry?

You can make an empty commit or ask a triager to rerun the CI (but there is none apart from me that is watching the PR I think)

[picnixz]

This looks great. I was planning to add some PQ support to Python now that ML-KEM/DEM were standardized but this is a good start as well. I'll have a look at the tests when I'm on my laptop again (Friday) but you can consider this PR to be approved unless I find something by then.

[ronf]

This looks great. I was planning to add some PQ support to Python now that ML-KEM/DEM were standardized but this is a good start as well. I'll have a look at the tests when I'm on my laptop again (Friday) but you can consider this PR to be approved unless I find something by then.

Thanks very much! There seems to be less urgency in providing support for ML-DSA and SLH-DSA for authentication than there was for ML-KEM for key agreement mainly because of the "capture now, decrypt later" concerns, but I'd be happy to contribute to an effort around supporting those as well. I'd actually like to learn more about what OpenSSL APIs actually need to change here.

[picnixz]

I am currently modernizing the use of OpenSSL HMAC in hashlib and I actually wondered whether we used APIs that were deprecated in 3.0. If you want, you can help me here, at least for the SSL module (I'd prefer that we work on separate modules to avoid merge conflicts), namely look at the calls we make to OpenSSL and check if there are deprecated calls in 3.x. If there are, open an issue and a PR that modernize such calls (for HMAC, we moved from using the old HMAC_* interface to the more generic EVP_MAC interface)

[ronf]

If you want, you can help me here, at least for the SSL module (I'd prefer that we work on separate modules to avoid merge conflicts), namely look at the calls we make to OpenSSL and check if there are deprecated calls in 3.x.

I don't know if I'll have the cycles to actually take on fixing all the issues that we find, but I gave this a quick look to get a sense for the scope of the problem. There aren't as many changes as I was expecting to find, but it's still fairly complicated if we want to continue to support all the way back to OpenSSL 1.1.1 while avoiding functions deprecated in OpenSSL 3.x.

In many cases, the old API calls still exist in 3.x but the new API will only work on 3.x. I'm thinking leaving the old calls in place may be our best bet for now, to avoid conditional compilation. An example is replacing all references to BIO_new() with BIO_new_ex() where we pass in an explicit NULL argument for the library context. It doesn't seem worth a #if everywhere that appears as long as 3.x continues to provide a wrapper for the old BIO_new() call. A similar issue shows up around one use of BIO_new_mem_buf().

Here are some of the items I've found:

• It looks like OpenSSL has split the cipher setting function into two separate functions for TLS 1.2 and below vs. TLS 1.3. The code currently calls SSL_CTX_set_cipher_list() which is TLS 1.2-only and there's another function SSL_CTX_set_ciphersuites() for TLS 1. Since we don't call the latter function right now, I think that means there's no way currently to set a non-default TLS 1.3 cipher suite list. I'm thinking this is a good candidate for treating as a bug.
• There are some calls (d2i_X509_bio and i2d_X509) for reading certs that should be changed to use the OSSL_DECODER and OSSL_ENCODER APIs.
• There's code reading DH params with PEM_read_DHparams() which returns a low-level DH object. I think should change to use PEM_read_bio_Parameters(), which returns an EVP_PKEY. There's also a call to DH_free that would change to EVP_PKEY_free().
• Another place is setting DH params with SSL_CTX_set_tmp_dh(), and that should change to SSL_CTX_set0_tmp_dh_pkey(), which operates on EVP_PKEYs.
• There's code using SSL_CTX_set_psk_client_callback() and SSL_CTX_set_psk_server_callback() which could be changed to use the OpenSSL 3.x SSL_CTX_set_psk_use_session_callback() and SSL_CTX_set_psk_find_session_callback() APIs. However, I think those new APIs only work on TLS 1.3, so this may be another case where we need to keep both around, or just continue to use the deprecated API for now, since I think it is possible to use that for both TLS 1.2 and TLS 1.3 connections if you're careful. There were some notes on this in the OpenSSL migration guide.