[TLS 1.3] Codepoints for ECDH w/ Brainpool (RFC 8734)

src/lib/tls/msg_client_hello.cpp

@@ -419,11 +419,13 @@
    //    A client that offers a group MUST be able and willing to perform a DH
    //    key exchange using that group.
    //
-   // We don't support hybrid key exchange in TLS 1.2
+   // We don't support hybrid key exchange in TLS 1.2, and we should not offer
+   // any groups that are not available in TLS 1.2 (e.g. brainpool curves with)
+   // TLS 1.3 wire codes.
    const std::vector<Group_Params> kex_groups = policy.key_exchange_groups();
    std::vector<Group_Params> compatible_kex_groups;
    std::copy_if(kex_groups.begin(), kex_groups.end(), std::back_inserter(compatible_kex_groups), [](const auto group) {
-      return !group.is_post_quantum();
+      return group.usable_in_version(Protocol_Version::TLS_V12);
    });
 
    auto supported_groups = std::make_unique<Supported_Groups>(std::move(compatible_kex_groups));
@@ -762,9 +764,19 @@
       m_data->extensions().add(new Server_Name_Indicator(hostname));
    }
 
-   m_data->extensions().add(new Supported_Groups(policy.key_exchange_groups()));
-
-   m_data->extensions().add(new Key_Share(policy, cb, rng));
+   const auto available_groups = policy.key_exchange_groups();
+   std::vector<Group_Params> compatible_kex_groups;
+   std::copy_if(available_groups.begin(),
+                available_groups.end(),
+                std::back_inserter(compatible_kex_groups),
+                [&](const auto group) {
+                   // If we allow the legacy TLS 1.2, we won't filter out any
+                   // groups, in case the server might negotiate TLS 1.2.
+                   return policy.allow_tls12() || group.usable_in_version(Protocol_Version::TLS_V13);
+                });
+   m_data->extensions().add(new Supported_Groups(std::move(compatible_kex_groups)));
+
+   m_data->extensions().add(new Key_Share(compatible_kex_groups, policy, cb, rng));
 
    m_data->extensions().add(new Supported_Versions(Protocol_Version::TLS_V13, policy));
 

src/lib/tls/tls13/tls_extensions_key_share.cpp

@@ -226,8 +226,10 @@ class Key_Share_ClientHello {
          }
       }
 
-      Key_Share_ClientHello(const Policy& policy, Callbacks& cb, RandomNumberGenerator& rng) {
-         const auto supported = policy.key_exchange_groups();
+      Key_Share_ClientHello(const std::vector<Group_Params>& supported_groups,
+                            const Policy& policy,
+                            Callbacks& cb,
+                            RandomNumberGenerator& rng) {
          const auto offers = policy.key_exchange_groups_to_offer();
 
          // RFC 8446 P. 48
@@ -241,7 +243,7 @@ class Key_Share_ClientHello {
          //
          // ... hence, we're going through the supported groups and find those that
          //     should be used to offer a key exchange. This will satisfy above spec.
-         for(const auto group : supported) {
+         for(const auto group : supported_groups) {
             if(std::find(offers.begin(), offers.end(), group) == offers.end()) {
                continue;
             }
@@ -424,8 +426,11 @@ Key_Share::Key_Share(TLS_Data_Reader& reader, uint16_t extension_size, Handshake
 }
 
 // ClientHello
-Key_Share::Key_Share(const Policy& policy, Callbacks& cb, RandomNumberGenerator& rng) :
-      m_impl(std::make_unique<Key_Share_Impl>(Key_Share_ClientHello(policy, cb, rng))) {}
+Key_Share::Key_Share(const std::vector<Group_Params>& supported_groups,
+                     const Policy& policy,
+                     Callbacks& cb,
+                     RandomNumberGenerator& rng) :
+      m_impl(std::make_unique<Key_Share_Impl>(Key_Share_ClientHello(supported_groups, policy, cb, rng))) {}
 
 // HelloRetryRequest
 Key_Share::Key_Share(Named_Group selected_group) :

src/lib/tls/tls_algos.cpp

@@ -8,6 +8,7 @@
 
 #include <botan/ec_group.h>
 #include <botan/exceptn.h>
+#include <botan/tls_version.h>
 #include <botan/internal/fmt.h>
 
 namespace Botan::TLS {
@@ -153,6 +154,15 @@ std::optional<Group_Params> Group_Params::from_string(std::string_view group_nam
    if(group_name == "brainpool512r1") {
       return Group_Params::BRAINPOOL512R1;
    }
+   if(group_name == "brainpool256r1tls13") {
+      return Group_Params::BRAINPOOL256R1_TLS13;
+   }
+   if(group_name == "brainpool384r1tls13") {
+      return Group_Params::BRAINPOOL384R1_TLS13;
+   }
+   if(group_name == "brainpool512r1tls13") {
+      return Group_Params::BRAINPOOL512R1_TLS13;
+   }
    if(group_name == "x25519") {
       return Group_Params::X25519;
    }
@@ -224,6 +234,12 @@ std::optional<std::string> Group_Params::to_string() const {
          return "brainpool384r1";
       case Group_Params::BRAINPOOL512R1:
          return "brainpool512r1";
+      case Group_Params::BRAINPOOL256R1_TLS13:
+         return "brainpool256r1tls13";
+      case Group_Params::BRAINPOOL384R1_TLS13:
+         return "brainpool384r1tls13";
+      case Group_Params::BRAINPOOL512R1_TLS13:
+         return "brainpool512r1tls13";
       case Group_Params::X25519:
          return "x25519";
 
@@ -267,4 +283,37 @@ std::optional<std::string> Group_Params::to_string() const {
    }
 }
 
+std::optional<std::string> Group_Params::to_algorithm_spec() const {
+   switch(m_code) {
+      // Brainpool curves have two sets of code points. See RFCs 7027 and 8734.
+      case Group_Params::BRAINPOOL256R1:
+      case Group_Params::BRAINPOOL256R1_TLS13:
+         return "brainpool256r1";
+      case Group_Params::BRAINPOOL384R1:
+      case Group_Params::BRAINPOOL384R1_TLS13:
+         return "brainpool384r1";
+      case Group_Params::BRAINPOOL512R1:
+      case Group_Params::BRAINPOOL512R1_TLS13:
+         return "brainpool512r1";
+
+      default:
+         return to_string();
+   }
+}
+
+bool Group_Params::usable_in_version(const Protocol_Version& version) const {
+   // The wire codes for brainpool differ between TLS 1.2 and 1.3 for
+   // "historical" reasons. When negotiating the respective protocol version,
+   // we should use the appropriate wire code.
+   //
+   // Also KEM-based key exchanges are not implemented for TLS 1.2.
+   if(version.is_pre_tls_13()) {
+      return !is_post_quantum() && m_code != Group_Params_Code::BRAINPOOL256R1_TLS13 &&
+             m_code != Group_Params_Code::BRAINPOOL384R1_TLS13 && m_code != Group_Params_Code::BRAINPOOL512R1_TLS13;
+   } else {
+      return m_code != Group_Params_Code::BRAINPOOL256R1 && m_code != Group_Params_Code::BRAINPOOL384R1 &&
+             m_code != Group_Params_Code::BRAINPOOL512R1;
+   }
+}
+
 }  // namespace Botan::TLS

src/lib/tls/tls_algos.h

@@ -18,6 +18,8 @@
 
 namespace Botan::TLS {
 
+class Protocol_Version;
+
 enum class Cipher_Algo {
    CHACHA20_POLY1305,
 
@@ -91,6 +93,13 @@ enum class Group_Params_Code : uint16_t {
 
    X25519 = 29,
 
+   // The original brainpool code points (see above) were deprecated by IETF
+   // and should therefore not be used in TLS 1.3 and above.
+   // RFC 8734 re-introduced them for TLS 1.3, as new code points. -.-
+   BRAINPOOL256R1_TLS13 = 31,
+   BRAINPOOL384R1_TLS13 = 32,
+   BRAINPOOL512R1_TLS13 = 33,
+
    FFDHE_2048 = 256,
    FFDHE_3072 = 257,
    FFDHE_4096 = 258,
@@ -146,12 +155,16 @@ class BOTAN_PUBLIC_API(3, 2) Group_Params final {
 
       constexpr uint16_t wire_code() const { return static_cast<uint16_t>(m_code); }
 
+      bool usable_in_version(const Protocol_Version& version) const;
+
       constexpr bool is_x25519() const { return m_code == Group_Params_Code::X25519; }
 
       constexpr bool is_ecdh_named_curve() const {
          return m_code == Group_Params_Code::SECP256R1 || m_code == Group_Params_Code::SECP384R1 ||
                 m_code == Group_Params_Code::SECP521R1 || m_code == Group_Params_Code::BRAINPOOL256R1 ||
-                m_code == Group_Params_Code::BRAINPOOL384R1 || m_code == Group_Params_Code::BRAINPOOL512R1;
+                m_code == Group_Params_Code::BRAINPOOL384R1 || m_code == Group_Params_Code::BRAINPOOL512R1 ||
+                m_code == Group_Params_Code::BRAINPOOL256R1_TLS13 ||
+                m_code == Group_Params_Code::BRAINPOOL384R1_TLS13 || m_code == Group_Params_Code::BRAINPOOL512R1_TLS13;
       }
 
       constexpr bool is_in_ffdhe_range() const {
@@ -186,9 +199,14 @@ class BOTAN_PUBLIC_API(3, 2) Group_Params final {
 
       constexpr bool is_kem() const { return is_pure_kyber() || is_pqc_hybrid(); }
 
-      // Returns std::nullopt if the param has no known name
+      // Returns a unique name for the group param, std::nullopt otherwise  if
+      // the param has no known name.
       std::optional<std::string> to_string() const;
 
+      // Returns the string that is typically used to instantiate the algorithm.
+      // This might not be unique across specific code points.
+      std::optional<std::string> to_algorithm_spec() const;
+
    private:
       Group_Params_Code m_code;
 };

src/lib/tls/tls_callbacks.cpp

@@ -153,7 +153,7 @@ bool TLS::Callbacks::tls_verify_message(const Public_Key& key,
 std::unique_ptr<Private_Key> TLS::Callbacks::tls_kem_generate_key(TLS::Group_Params group, RandomNumberGenerator& rng) {
 #if defined(BOTAN_HAS_KYBER)
    if(group.is_pure_kyber()) {
-      return std::make_unique<Kyber_PrivateKey>(rng, KyberMode(group.to_string().value()));
+      return std::make_unique<Kyber_PrivateKey>(rng, KyberMode(group.to_algorithm_spec().value()));
    }
 #endif
 
@@ -181,7 +181,7 @@ KEM_Encapsulation TLS::Callbacks::tls_kem_encapsulate(TLS::Group_Params group,
 
 #if defined(BOTAN_HAS_KYBER)
          if(group.is_pure_kyber()) {
-            return std::make_unique<Kyber_PublicKey>(encoded_public_key, KyberMode(group.to_string().value()));
+            return std::make_unique<Kyber_PublicKey>(encoded_public_key, KyberMode(group.to_algorithm_spec().value()));
          }
 #endif
 
@@ -231,7 +231,7 @@ DL_Group get_dl_group(const std::variant<TLS::Group_Params, DL_Group>& group) {
    // groups.
    return std::visit(
       overloaded{[](const DL_Group& dl_group) { return dl_group; },
-                 [&](TLS::Group_Params group_param) { return DL_Group(group_param.to_string().value()); }},
+                 [&](TLS::Group_Params group_param) { return DL_Group(group_param.to_algorithm_spec().value()); }},
       group);
 }
 
@@ -248,7 +248,7 @@ std::unique_ptr<PK_Key_Agreement_Key> TLS::Callbacks::tls_generate_ephemeral_key
    const auto group_params = std::get<TLS::Group_Params>(group);
 
    if(group_params.is_ecdh_named_curve()) {
-      const EC_Group ec_group(group_params.to_string().value());
+      const EC_Group ec_group(group_params.to_algorithm_spec().value());
       return std::make_unique<ECDH_PrivateKey>(rng, ec_group);
    }
 
@@ -303,7 +303,7 @@ secure_vector<uint8_t> TLS::Callbacks::tls_ephemeral_key_agreement(
    const auto group_params = std::get<TLS::Group_Params>(group);
 
    if(group_params.is_ecdh_named_curve()) {
-      const EC_Group ec_group(group_params.to_string().value());
+      const EC_Group ec_group(group_params.to_algorithm_spec().value());
       ECDH_PublicKey peer_key(ec_group, ec_group.OS2ECP(public_value));
       policy.check_peer_key_acceptable(peer_key);
 

src/lib/tls/tls_extensions.cpp

@@ -483,7 +483,7 @@ Certificate_Type Certificate_Type_Base::selected_certificate_type() const {
    return m_certificate_types.front();
 }
 
-Supported_Groups::Supported_Groups(const std::vector<Group_Params>& groups) : m_groups(groups) {}
+Supported_Groups::Supported_Groups(std::vector<Group_Params> groups) : m_groups(std::move(groups)) {}
 
 const std::vector<Group_Params>& Supported_Groups::groups() const {
    return m_groups;

src/lib/tls/tls_extensions.h

@@ -331,7 +331,7 @@ class BOTAN_UNSTABLE_API Supported_Groups final : public Extension {
 
       std::vector<uint8_t> serialize(Connection_Side whoami) const override;
 
-      explicit Supported_Groups(const std::vector<Group_Params>& groups);
+      explicit Supported_Groups(std::vector<Group_Params> groups);
 
       Supported_Groups(TLS_Data_Reader& reader, uint16_t extension_size);
 
@@ -827,7 +827,10 @@ class BOTAN_UNSTABLE_API Key_Share final : public Extension {
       Key_Share(TLS_Data_Reader& reader, uint16_t extension_size, Handshake_Type message_type);
 
       // constructor used for ClientHello msg
-      Key_Share(const Policy& policy, Callbacks& cb, RandomNumberGenerator& rng);
+      Key_Share(const std::vector<Group_Params>& supported_groups,
+                const Policy& policy,
+                Callbacks& cb,
+                RandomNumberGenerator& rng);
 
       // constructor used for HelloRetryRequest msg
       explicit Key_Share(Named_Group selected_group);

src/lib/tls/tls_policy.cpp

@@ -162,8 +162,9 @@ std::vector<Group_Params> Policy::key_exchange_groups() const {
       Group_Params::X25519,
 #endif
 
-         Group_Params::SECP256R1, Group_Params::BRAINPOOL256R1, Group_Params::SECP384R1, Group_Params::BRAINPOOL384R1,
-         Group_Params::SECP521R1, Group_Params::BRAINPOOL512R1,
+         Group_Params::SECP256R1, Group_Params::BRAINPOOL256R1, Group_Params::BRAINPOOL256R1_TLS13,
+         Group_Params::SECP384R1, Group_Params::BRAINPOOL384R1, Group_Params::BRAINPOOL384R1_TLS13,
+         Group_Params::SECP521R1, Group_Params::BRAINPOOL512R1, Group_Params::BRAINPOOL512R1_TLS13,
 
          Group_Params::FFDHE_2048, Group_Params::FFDHE_3072, Group_Params::FFDHE_4096, Group_Params::FFDHE_6144,
          Group_Params::FFDHE_8192,

src/lib/tls/tls_policy.h

@@ -561,8 +561,11 @@ class BOTAN_PUBLIC_API(2, 0) BSI_TR_02102_2 : public Policy {
 
       std::vector<Group_Params> key_exchange_groups() const override {
          return std::vector<Group_Params>({Group_Params::BRAINPOOL512R1,
+                                           Group_Params::BRAINPOOL512R1_TLS13,
                                            Group_Params::BRAINPOOL384R1,
+                                           Group_Params::BRAINPOOL384R1_TLS13,
                                            Group_Params::BRAINPOOL256R1,
+                                           Group_Params::BRAINPOOL256R1_TLS13,
                                            Group_Params::SECP521R1,
                                            Group_Params::SECP384R1,
                                            Group_Params::SECP256R1,

src/tests/data/tls-policy/bsi.txt

@@ -10,7 +10,7 @@ signature_hashes = SHA-512 SHA-384 SHA-256
 macs = AEAD SHA-384 SHA-256
 key_exchange_methods = ECDH DH ECDHE_PSK
 signature_methods = ECDSA RSA DSA
-key_exchange_groups = brainpool512r1 brainpool384r1 brainpool256r1 secp521r1 secp384r1 secp256r1 ffdhe/ietf/4096 ffdhe/ietf/3072
+key_exchange_groups = brainpool512r1 brainpool512r1tls13 brainpool384r1 brainpool384r1tls13 brainpool256r1 brainpool256r1tls13 secp521r1 secp384r1 secp256r1 ffdhe/ietf/4096 ffdhe/ietf/3072
 minimum_signature_strength = 120
 minimum_dh_group_size = 3000
 minimum_dsa_group_size = 3000

src/tests/data/tls-policy/datagram.txt

@@ -9,7 +9,7 @@ macs = AEAD
 signature_hashes = SHA-512 SHA-384 SHA-256
 signature_methods = ECDSA RSA
 key_exchange_methods = ECDH DH
-key_exchange_groups = x25519 secp256r1 brainpool256r1 secp384r1 brainpool384r1 secp521r1 brainpool512r1 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
+key_exchange_groups = x25519 secp256r1 brainpool256r1 brainpool256r1tls13 secp384r1 brainpool384r1 brainpool384r1tls13 secp521r1 brainpool512r1 brainpool512r1tls13 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
 allow_insecure_renegotiation = false
 include_time_in_hello_random = true
 allow_server_initiated_renegotiation = false

src/tests/data/tls-policy/default.txt

@@ -9,7 +9,7 @@ macs = AEAD SHA-256 SHA-384 SHA-1
 signature_hashes = SHA-512 SHA-384 SHA-256
 signature_methods = ECDSA RSA
 key_exchange_methods = ECDH DH
-key_exchange_groups = x25519 secp256r1 brainpool256r1 secp384r1 brainpool384r1 secp521r1 brainpool512r1 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
+key_exchange_groups = x25519 secp256r1 brainpool256r1 brainpool256r1tls13 secp384r1 brainpool384r1 brainpool384r1tls13 secp521r1 brainpool512r1 brainpool512r1tls13 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
 allow_insecure_renegotiation = false
 include_time_in_hello_random = true
 allow_server_initiated_renegotiation = false

src/tests/data/tls-policy/default_tls13.txt

@@ -9,7 +9,7 @@ macs = AEAD SHA-256 SHA-384 SHA-1
 signature_hashes = SHA-512 SHA-384 SHA-256
 signature_methods = ECDSA RSA
 key_exchange_methods = ECDH DH
-key_exchange_groups = x25519 secp256r1 brainpool256r1 secp384r1 brainpool384r1 secp521r1 brainpool512r1 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
+key_exchange_groups = x25519 secp256r1 brainpool256r1 brainpool256r1tls13 secp384r1 brainpool384r1 brainpool384r1tls13 secp521r1 brainpool512r1 brainpool512r1tls13 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
 allow_insecure_renegotiation = false
 include_time_in_hello_random = true
 allow_server_initiated_renegotiation = false

src/tests/data/tls-policy/strict.txt

@@ -9,7 +9,7 @@ macs = AEAD
 signature_hashes = SHA-512 SHA-384
 signature_methods = ECDSA RSA
 key_exchange_methods = ECDH
-key_exchange_groups = x25519 secp256r1 brainpool256r1 secp384r1 brainpool384r1 secp521r1 brainpool512r1 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
+key_exchange_groups = x25519 secp256r1 brainpool256r1 brainpool256r1tls13 secp384r1 brainpool384r1 brainpool384r1tls13 secp521r1 brainpool512r1 brainpool512r1tls13 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
 allow_insecure_renegotiation = false
 include_time_in_hello_random = true
 allow_server_initiated_renegotiation = false

src/tests/data/tls-policy/strict_tls13.txt

@@ -9,7 +9,7 @@ macs = AEAD
 signature_hashes = SHA-512 SHA-384
 signature_methods = ECDSA RSA
 key_exchange_methods = ECDH
-key_exchange_groups = x25519 secp256r1 brainpool256r1 secp384r1 brainpool384r1 secp521r1 brainpool512r1 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
+key_exchange_groups = x25519 secp256r1 brainpool256r1 brainpool256r1tls13 secp384r1 brainpool384r1 brainpool384r1tls13 secp521r1 brainpool512r1 brainpool512r1tls13 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
 allow_insecure_renegotiation = false
 include_time_in_hello_random = true
 allow_server_initiated_renegotiation = false

src/tests/test_tls_messages.cpp

@@ -230,7 +230,7 @@ class TLS_Key_Share_CH_Generation_Test final : public Text_Based_Test {
          Botan_Tests::Fixed_Output_RNG rng;
          rng.add_entropy(rng_data.data(), rng_data.size());
 
-         Botan::TLS::Key_Share share(policy, cb, rng);
+         Botan::TLS::Key_Share share(policy.key_exchange_groups(), policy, cb, rng);
          const auto serialized_buffer = share.serialize(Botan::TLS::Connection_Side::Client);
 
          result.test_eq("key_share_CH_offers test", serialized_buffer, expected_key_share);