Align remaining TLS ECDH APIs on "group" terminology

This adds "group" versions of our codepoint-based APIs. This is mostly
because it looks weird to switch terminology randomly in the
implementation. See I7a356793d36419fc668364c912ca7b4f5c6c23a2 for
additional context.

I've not bothered renaming the bssl_shim flags. That seems a waste of
time.

Change-Id: I566ad132f5a33d99efd8cb2bb8b76d9a6038c825
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60207
Reviewed-by: Adam Langley <[email protected]>
Commit-Queue: David Benjamin <[email protected]>

Author: davidben

include/openssl/ssl.h

@@ -2353,15 +2353,15 @@ OPENSSL_EXPORT size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx);
 // element of |groups| should be a |NID_*| constant from nid.h. It returns one
 // on success and zero on failure.
 //
-// Note that this API does not use the |SSL_CURVE_*| values defined below.
+// Note that this API does not use the |SSL_GROUP_*| values defined below.
 OPENSSL_EXPORT int SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups,
                                        size_t num_groups);
 
 // SSL_set1_groups sets the preferred groups for |ssl| to be |groups|. Each
 // element of |groups| should be a |NID_*| constant from nid.h. It returns one
 // on success and zero on failure.
 //
-// Note that this API does not use the |SSL_CURVE_*| values defined below.
+// Note that this API does not use the |SSL_GROUP_*| values defined below.
 OPENSSL_EXPORT int SSL_set1_groups(SSL *ssl, const int *groups,
                                    size_t num_groups);
 
@@ -2377,27 +2377,24 @@ OPENSSL_EXPORT int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups);
 // failure.
 OPENSSL_EXPORT int SSL_set1_groups_list(SSL *ssl, const char *groups);
 
-// SSL_CURVE_* define TLS curve IDs.
-#define SSL_CURVE_SECP224R1 21
-#define SSL_CURVE_SECP256R1 23
-#define SSL_CURVE_SECP384R1 24
-#define SSL_CURVE_SECP521R1 25
-#define SSL_CURVE_X25519 29
-#define SSL_CURVE_X25519_KYBER768_DRAFT00 0x6399
+// SSL_GROUP_* define TLS group IDs.
+#define SSL_GROUP_SECP224R1 21
+#define SSL_GROUP_SECP256R1 23
+#define SSL_GROUP_SECP384R1 24
+#define SSL_GROUP_SECP521R1 25
+#define SSL_GROUP_X25519 29
+#define SSL_GROUP_X25519_KYBER768_DRAFT00 0x6399
 
-// SSL_get_curve_id returns the ID of the curve used by |ssl|'s most recently
-// completed handshake or 0 if not applicable.
-//
-// TODO(davidben): This API currently does not work correctly if there is a
-// renegotiation in progress. Fix this.
-OPENSSL_EXPORT uint16_t SSL_get_curve_id(const SSL *ssl);
+// SSL_get_group_id returns the ID of the group used by |ssl|'s most recently
+// completed handshake, or 0 if not applicable.
+OPENSSL_EXPORT uint16_t SSL_get_group_id(const SSL *ssl);
 
-// SSL_get_curve_name returns a human-readable name for the curve specified by
-// the given TLS curve id, or NULL if the curve is unknown.
-OPENSSL_EXPORT const char *SSL_get_curve_name(uint16_t curve_id);
+// SSL_get_group_name returns a human-readable name for the group specified by
+// the given TLS group ID, or NULL if the group is unknown.
+OPENSSL_EXPORT const char *SSL_get_group_name(uint16_t group_id);
 
-// SSL_get_all_curve_names outputs a list of possible strings
-// |SSL_get_curve_name| may return in this version of BoringSSL. It writes at
+// SSL_get_all_group_names outputs a list of possible strings
+// |SSL_get_group_name| may return in this version of BoringSSL. It writes at
 // most |max_out| entries to |out| and returns the total number it would have
 // written, if |max_out| had been large enough. |max_out| may be initially set
 // to zero to size the output.
@@ -2408,7 +2405,7 @@ OPENSSL_EXPORT const char *SSL_get_curve_name(uint16_t curve_id);
 // placeholder, experimental, or deprecated values that do not apply to every
 // caller. Future versions of BoringSSL may also return strings not in this
 // list, so this does not apply if, say, sending strings across services.
-OPENSSL_EXPORT size_t SSL_get_all_curve_names(const char **out, size_t max_out);
+OPENSSL_EXPORT size_t SSL_get_all_group_names(const char **out, size_t max_out);
 
 
 // Certificate verification.
@@ -5243,6 +5240,15 @@ OPENSSL_EXPORT int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
 #define SSL_set1_curves SSL_set1_groups
 #define SSL_CTX_set1_curves_list SSL_CTX_set1_groups_list
 #define SSL_set1_curves_list SSL_set1_groups_list
+#define SSL_get_curve_id SSL_get_group_id
+#define SSL_get_curve_name SSL_get_group_name
+#define SSL_get_all_curve_names SSL_get_all_group_names
+#define SSL_CURVE_SECP224R1 SSL_GROUP_SECP224R1
+#define SSL_CURVE_SECP256R1 SSL_GROUP_SECP256R1
+#define SSL_CURVE_SECP384R1 SSL_GROUP_SECP384R1
+#define SSL_CURVE_SECP521R1 SSL_GROUP_SECP521R1
+#define SSL_CURVE_X25519 SSL_GROUP_X25519
+#define SSL_CURVE_X25519_KYBER768_DRAFT00 SSL_GROUP_X25519_KYBER768_DRAFT00
 
 
 // Compliance policy configurations

ssl/extensions.cc

@@ -206,7 +206,7 @@ static bool tls1_check_duplicate_extensions(const CBS *cbs) {
 
 static bool is_post_quantum_group(uint16_t id) {
   switch (id) {
-    case SSL_CURVE_X25519_KYBER768_DRAFT00:
+    case SSL_GROUP_X25519_KYBER768_DRAFT00:
       return true;
     default:
       return false;
@@ -307,9 +307,9 @@ bool ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello,
 }
 
 static const uint16_t kDefaultGroups[] = {
-    SSL_CURVE_X25519,
-    SSL_CURVE_SECP256R1,
-    SSL_CURVE_SECP384R1,
+    SSL_GROUP_X25519,
+    SSL_GROUP_SECP256R1,
+    SSL_GROUP_SECP384R1,
 };
 
 Span<const uint16_t> tls1_get_grouplist(const SSL_HANDSHAKE *hs) {

ssl/handoff.cc

@@ -52,12 +52,12 @@ static bool serialize_features(CBB *out) {
       return false;
     }
   }
-  CBB curves;
-  if (!CBB_add_asn1(out, &curves, CBS_ASN1_OCTETSTRING)) {
+  CBB groups;
+  if (!CBB_add_asn1(out, &groups, CBS_ASN1_OCTETSTRING)) {
     return false;
   }
   for (const NamedGroup& g : NamedGroups()) {
-    if (!CBB_add_u16(&curves, g.group_id)) {
+    if (!CBB_add_u16(&groups, g.group_id)) {
       return false;
     }
   }
@@ -169,46 +169,46 @@ static bool apply_remote_features(SSL *ssl, CBS *in) {
     return false;
   }
 
-  CBS curves;
-  if (!CBS_get_asn1(in, &curves, CBS_ASN1_OCTETSTRING)) {
+  CBS groups;
+  if (!CBS_get_asn1(in, &groups, CBS_ASN1_OCTETSTRING)) {
     return false;
   }
-  Array<uint16_t> supported_curves;
-  if (!supported_curves.Init(CBS_len(&curves) / 2)) {
+  Array<uint16_t> supported_groups;
+  if (!supported_groups.Init(CBS_len(&groups) / 2)) {
     return false;
   }
   size_t idx = 0;
-  while (CBS_len(&curves)) {
-    uint16_t curve;
-    if (!CBS_get_u16(&curves, &curve)) {
+  while (CBS_len(&groups)) {
+    uint16_t group;
+    if (!CBS_get_u16(&groups, &group)) {
       return false;
     }
-    supported_curves[idx++] = curve;
+    supported_groups[idx++] = group;
   }
-  Span<const uint16_t> configured_curves =
+  Span<const uint16_t> configured_groups =
       tls1_get_grouplist(ssl->s3->hs.get());
-  Array<uint16_t> new_configured_curves;
-  if (!new_configured_curves.Init(configured_curves.size())) {
+  Array<uint16_t> new_configured_groups;
+  if (!new_configured_groups.Init(configured_groups.size())) {
     return false;
   }
   idx = 0;
-  for (uint16_t configured_curve : configured_curves) {
+  for (uint16_t configured_group : configured_groups) {
     bool ok = false;
-    for (uint16_t supported_curve : supported_curves) {
-      if (supported_curve == configured_curve) {
+    for (uint16_t supported_group : supported_groups) {
+      if (supported_group == configured_group) {
         ok = true;
         break;
       }
     }
     if (ok) {
-      new_configured_curves[idx++] = configured_curve;
+      new_configured_groups[idx++] = configured_group;
     }
   }
   if (idx == 0) {
     return false;
   }
-  new_configured_curves.Shrink(idx);
-  ssl->config->supported_group_list = std::move(new_configured_curves);
+  new_configured_groups.Shrink(idx);
+  ssl->config->supported_group_list = std::move(new_configured_groups);
 
   CBS alps;
   CBS_init(&alps, nullptr, 0);

ssl/handshake_server.cc

@@ -483,7 +483,7 @@ static bool is_probably_jdk11_with_tls13(const SSL_CLIENT_HELLO *client_hello) {
   while (CBS_len(&supported_groups) > 0) {
     uint16_t group;
     if (!CBS_get_u16(&supported_groups, &group) ||
-        group == SSL_CURVE_X25519) {
+        group == SSL_GROUP_X25519) {
       return false;
     }
   }

ssl/ssl_key_share.cc

@@ -141,7 +141,7 @@ class X25519KeyShare : public SSLKeyShare {
  public:
   X25519KeyShare() {}
 
-  uint16_t GroupID() const override { return SSL_CURVE_X25519; }
+  uint16_t GroupID() const override { return SSL_GROUP_X25519; }
 
   bool Generate(CBB *out) override {
     uint8_t public_key[32];
@@ -198,7 +198,7 @@ class X25519Kyber768KeyShare : public SSLKeyShare {
   X25519Kyber768KeyShare() {}
 
   uint16_t GroupID() const override {
-    return SSL_CURVE_X25519_KYBER768_DRAFT00;
+    return SSL_GROUP_X25519_KYBER768_DRAFT00;
   }
 
   bool Generate(CBB *out) override {
@@ -285,12 +285,12 @@ class X25519Kyber768KeyShare : public SSLKeyShare {
 };
 
 constexpr NamedGroup kNamedGroups[] = {
-    {NID_secp224r1, SSL_CURVE_SECP224R1, "P-224", "secp224r1"},
-    {NID_X9_62_prime256v1, SSL_CURVE_SECP256R1, "P-256", "prime256v1"},
-    {NID_secp384r1, SSL_CURVE_SECP384R1, "P-384", "secp384r1"},
-    {NID_secp521r1, SSL_CURVE_SECP521R1, "P-521", "secp521r1"},
-    {NID_X25519, SSL_CURVE_X25519, "X25519", "x25519"},
-    {NID_X25519Kyber768Draft00, SSL_CURVE_X25519_KYBER768_DRAFT00,
+    {NID_secp224r1, SSL_GROUP_SECP224R1, "P-224", "secp224r1"},
+    {NID_X9_62_prime256v1, SSL_GROUP_SECP256R1, "P-256", "prime256v1"},
+    {NID_secp384r1, SSL_GROUP_SECP384R1, "P-384", "secp384r1"},
+    {NID_secp521r1, SSL_GROUP_SECP521R1, "P-521", "secp521r1"},
+    {NID_X25519, SSL_GROUP_X25519, "X25519", "x25519"},
+    {NID_X25519Kyber768Draft00, SSL_GROUP_X25519_KYBER768_DRAFT00,
      "X25519Kyber768Draft00", ""},
 };
 
@@ -302,17 +302,17 @@ Span<const NamedGroup> NamedGroups() {
 
 UniquePtr<SSLKeyShare> SSLKeyShare::Create(uint16_t group_id) {
   switch (group_id) {
-    case SSL_CURVE_SECP224R1:
-      return MakeUnique<ECKeyShare>(NID_secp224r1, SSL_CURVE_SECP224R1);
-    case SSL_CURVE_SECP256R1:
-      return MakeUnique<ECKeyShare>(NID_X9_62_prime256v1, SSL_CURVE_SECP256R1);
-    case SSL_CURVE_SECP384R1:
-      return MakeUnique<ECKeyShare>(NID_secp384r1, SSL_CURVE_SECP384R1);
-    case SSL_CURVE_SECP521R1:
-      return MakeUnique<ECKeyShare>(NID_secp521r1, SSL_CURVE_SECP521R1);
-    case SSL_CURVE_X25519:
+    case SSL_GROUP_SECP224R1:
+      return MakeUnique<ECKeyShare>(NID_secp224r1, SSL_GROUP_SECP224R1);
+    case SSL_GROUP_SECP256R1:
+      return MakeUnique<ECKeyShare>(NID_X9_62_prime256v1, SSL_GROUP_SECP256R1);
+    case SSL_GROUP_SECP384R1:
+      return MakeUnique<ECKeyShare>(NID_secp384r1, SSL_GROUP_SECP384R1);
+    case SSL_GROUP_SECP521R1:
+      return MakeUnique<ECKeyShare>(NID_secp521r1, SSL_GROUP_SECP521R1);
+    case SSL_GROUP_X25519:
       return MakeUnique<X25519KeyShare>();
-    case SSL_CURVE_X25519_KYBER768_DRAFT00:
+    case SSL_GROUP_X25519_KYBER768_DRAFT00:
       return MakeUnique<X25519Kyber768KeyShare>();
     default:
       return nullptr;
@@ -349,7 +349,7 @@ BSSL_NAMESPACE_END
 
 using namespace bssl;
 
-const char* SSL_get_curve_name(uint16_t group_id) {
+const char* SSL_get_group_name(uint16_t group_id) {
   for (const auto &group : kNamedGroups) {
     if (group.group_id == group_id) {
       return group.name;
@@ -358,7 +358,7 @@ const char* SSL_get_curve_name(uint16_t group_id) {
   return nullptr;
 }
 
-size_t SSL_get_all_curve_names(const char **out, size_t max_out) {
+size_t SSL_get_all_group_names(const char **out, size_t max_out) {
   return GetAllNames(out, max_out, Span<const char *>(), &NamedGroup::name,
                      MakeConstSpan(kNamedGroups));
 }

ssl/ssl_lib.cc

@@ -2016,7 +2016,7 @@ int SSL_set1_groups_list(SSL *ssl, const char *groups) {
   return ssl_str_to_group_ids(&ssl->config->supported_group_list, groups);
 }
 
-uint16_t SSL_get_curve_id(const SSL *ssl) {
+uint16_t SSL_get_group_id(const SSL *ssl) {
   SSL_SESSION *session = SSL_get_session(ssl);
   if (session == NULL) {
     return 0;

ssl/ssl_test.cc

@@ -478,29 +478,29 @@ static const char* kShouldIncludeCBCSHA256[] = {
 static const CurveTest kCurveTests[] = {
   {
     "P-256",
-    { SSL_CURVE_SECP256R1 },
+    { SSL_GROUP_SECP256R1 },
   },
   {
     "P-256:X25519Kyber768Draft00",
-    { SSL_CURVE_SECP256R1, SSL_CURVE_X25519_KYBER768_DRAFT00 },
+    { SSL_GROUP_SECP256R1, SSL_GROUP_X25519_KYBER768_DRAFT00 },
   },
 
   {
     "P-256:P-384:P-521:X25519",
     {
-      SSL_CURVE_SECP256R1,
-      SSL_CURVE_SECP384R1,
-      SSL_CURVE_SECP521R1,
-      SSL_CURVE_X25519,
+      SSL_GROUP_SECP256R1,
+      SSL_GROUP_SECP384R1,
+      SSL_GROUP_SECP521R1,
+      SSL_GROUP_X25519,
     },
   },
   {
     "prime256v1:secp384r1:secp521r1:x25519",
     {
-      SSL_CURVE_SECP256R1,
-      SSL_CURVE_SECP384R1,
-      SSL_CURVE_SECP521R1,
-      SSL_CURVE_X25519,
+      SSL_GROUP_SECP256R1,
+      SSL_GROUP_SECP384R1,
+      SSL_GROUP_SECP521R1,
+      SSL_GROUP_X25519,
     },
   },
 };
@@ -5902,7 +5902,7 @@ TEST_P(SSLVersionTest, SessionPropertiesThreads) {
     bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(ssl));
     EXPECT_TRUE(peer);
     EXPECT_TRUE(SSL_get_current_cipher(ssl));
-    EXPECT_TRUE(SSL_get_curve_id(ssl));
+    EXPECT_TRUE(SSL_get_group_id(ssl));
   };
 
   std::vector<std::thread> threads;
@@ -7754,7 +7754,7 @@ TEST(SSLTest, ConnectionPropertiesDuringRenegotiate) {
     ASSERT_TRUE(cipher);
     EXPECT_EQ(SSL_CIPHER_get_id(cipher),
               uint32_t{TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256});
-    EXPECT_EQ(SSL_get_curve_id(client.get()), SSL_CURVE_X25519);
+    EXPECT_EQ(SSL_get_group_id(client.get()), SSL_GROUP_X25519);
     EXPECT_EQ(SSL_get_peer_signature_algorithm(client.get()),
               SSL_SIGN_RSA_PKCS1_SHA256);
     bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client.get()));
@@ -8726,7 +8726,7 @@ TEST(SSLTest, NameLists) {
        {"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_AES_128_GCM_SHA256"}},
       {SSL_get_all_cipher_names,
        {"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS_AES_128_GCM_SHA256", "(NONE)"}},
-      {SSL_get_all_curve_names, {"P-256", "X25519"}},
+      {SSL_get_all_group_names, {"P-256", "X25519"}},
       {SSL_get_all_signature_algorithm_names,
        {"rsa_pkcs1_sha256", "ecdsa_secp256r1_sha256", "ecdsa_sha256"}},
   };

ssl/test/bssl_shim.cc

@@ -692,9 +692,9 @@ static bool CheckHandshakeProperties(SSL *ssl, bool is_resume,
           SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl))) ||
       !CheckListContains("OpenSSL cipher name", SSL_get_all_cipher_names,
                          SSL_CIPHER_get_name(SSL_get_current_cipher(ssl))) ||
-      (SSL_get_curve_id(ssl) != 0 &&
-       !CheckListContains("curve", SSL_get_all_curve_names,
-                          SSL_get_curve_name(SSL_get_curve_id(ssl)))) ||
+      (SSL_get_group_id(ssl) != 0 &&
+       !CheckListContains("group", SSL_get_all_group_names,
+                          SSL_get_group_name(SSL_get_group_id(ssl)))) ||
       (SSL_get_peer_signature_algorithm(ssl) != 0 &&
        !CheckListContains(
            "sigalg", SSL_get_all_signature_algorithm_names,