Deprecate and remove use of `FfdheGroup::from_named_group`

author: Joe Birr-Pixton <jpixton@gmail.com> 2024-08-27 13:17:11 +0100
committer: Joe Birr-Pixton <jpixton@gmail.com> 2024-09-05 12:59:06 +0000
commit: 483fece984484b9023af1d7b8626a025e30c2645 (patch)
tree: 905ee78078b6978422888b78709f6e37db4c1852
parent: 97191e057bd178f69bd401a0f40bedeef65d2c58 (diff)
7 files changed, 51 insertions, 26 deletions
diff --git a/openssl-tests/src/ffdhe.rs b/openssl-tests/src/ffdhe.rs
index c45f5199..941005b4 100644
--- a/openssl-tests/src/ffdhe.rs
+++ b/openssl-tests/src/ffdhe.rs
@@ -11,7 +11,7 @@ pub static TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: SupportedCipherSuite =
     SupportedCipherSuite::Tls12(&TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256);
 
 #[derive(Debug)]
-pub struct FfdheKxGroup(pub NamedGroup);
+pub struct FfdheKxGroup(pub NamedGroup, pub FfdheGroup<'static>);
 
 impl SupportedKxGroup for FfdheKxGroup {
     fn start(&self) -> Result<Box<dyn ActiveKeyExchange>, rustls::Error> {
@@ -21,7 +21,7 @@ impl SupportedKxGroup for FfdheKxGroup {
             .fill(&mut x)?;
         let x = BigUint::from_bytes_be(&x);
 
-        let group = FfdheGroup::from_named_group(self.0).unwrap();
+        let group = self.1;
         let p = BigUint::from_bytes_be(group.p);
         let g = BigUint::from_bytes_be(group.g);
 
@@ -37,6 +37,10 @@ impl SupportedKxGroup for FfdheKxGroup {
         }))
     }
 
+    fn ffdhe_group(&self) -> Option<FfdheGroup<'static>> {
+        Some(self.1)
+    }
+
     fn name(&self) -> NamedGroup {
         self.0
     }
@@ -76,6 +80,10 @@ impl ActiveKeyExchange for ActiveFfdheKx {
         &self.x_pub
     }
 
+    fn ffdhe_group(&self) -> Option<FfdheGroup<'static>> {
+        Some(self.group)
+    }
+
     fn group(&self) -> NamedGroup {
         self.named_group
     }
diff --git a/openssl-tests/src/ffdhe_kx_with_openssl.rs b/openssl-tests/src/ffdhe_kx_with_openssl.rs
index fe3fe532..89b814ee 100644
--- a/openssl-tests/src/ffdhe_kx_with_openssl.rs
+++ b/openssl-tests/src/ffdhe_kx_with_openssl.rs
@@ -211,7 +211,10 @@ fn ffdhe_provider() -> CryptoProvider {
             ffdhe::TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
             provider::cipher_suite::TLS13_AES_128_GCM_SHA256,
         ],
-        kx_groups: vec![&FfdheKxGroup(rustls::NamedGroup::FFDHE2048)],
+        kx_groups: vec![&FfdheKxGroup(
+            rustls::NamedGroup::FFDHE2048,
+            rustls::ffdhe_groups::FFDHE2048,
+        )],
         ..provider::default_provider()
     }
 }
diff --git a/openssl-tests/src/validate_ffdhe_params.rs b/openssl-tests/src/validate_ffdhe_params.rs
index 9b4f292b..e266e5fa 100644
--- a/openssl-tests/src/validate_ffdhe_params.rs
+++ b/openssl-tests/src/validate_ffdhe_params.rs
@@ -20,10 +20,11 @@ fn ffdhe_params_correct() {
 fn test_ffdhe_params_correct(group: NamedGroup) {
     let (p, g) = get_ffdhe_params_from_openssl(group);
     let openssl_params = FfdheGroup::from_params_trimming_leading_zeros(&p, &g);
-    let rustls_params = FfdheGroup::from_named_group(group).unwrap();
-    assert_eq!(rustls_params.named_group(), Some(group));
+    #[allow(deprecated)]
+    let rustls_params_from_name = FfdheGroup::from_named_group(group).unwrap();
+    assert_eq!(rustls_params_from_name.named_group(), Some(group));
 
-    assert_eq!(rustls_params, openssl_params);
+    assert_eq!(rustls_params_from_name, openssl_params);
 }
 
 /// Get FFDHE parameters `(p, g)` for the given `ffdhe_group` from OpenSSL
diff --git a/rustls/src/crypto/mod.rs b/rustls/src/crypto/mod.rs
index 845f42c4..bb3e501b 100644
--- a/rustls/src/crypto/mod.rs
+++ b/rustls/src/crypto/mod.rs
@@ -423,6 +423,7 @@ pub trait SupportedKxGroup: Send + Sync + Debug {
     /// `rustls::ffdhe_groups` contains suitable values to return from this,
     /// for example [`rustls::ffdhe_groups::FFDHE2048`][crate::ffdhe_groups::FFDHE2048].
     fn ffdhe_group(&self) -> Option<FfdheGroup<'static>> {
+        #[allow(deprecated)]
         FfdheGroup::from_named_group(self.name())
     }
 
@@ -517,6 +518,7 @@ pub trait ActiveKeyExchange: Send + Sync {
     /// `rustls::ffdhe_groups` contains suitable values to return from this,
     /// for example [`rustls::ffdhe_groups::FFDHE2048`][crate::ffdhe_groups::FFDHE2048].
     fn ffdhe_group(&self) -> Option<FfdheGroup<'static>> {
+        #[allow(deprecated)]
         FfdheGroup::from_named_group(self.group())
     }
 
diff --git a/rustls/src/msgs/ffdhe_groups.rs b/rustls/src/msgs/ffdhe_groups.rs
index 7194fdff..7b0975db 100644
--- a/rustls/src/msgs/ffdhe_groups.rs
+++ b/rustls/src/msgs/ffdhe_groups.rs
@@ -13,6 +13,10 @@ pub struct FfdheGroup<'a> {
 impl FfdheGroup<'static> {
     /// Return the `FfdheGroup` corresponding to the provided `NamedGroup`
     /// if it is indeed an FFDHE group
+    #[deprecated(
+        since = "0.23.13",
+        note = "This function is linker-unfriendly.  Use `SupportedKxGroup::ffdhe_group()` instead"
+    )]
     pub fn from_named_group(named_group: NamedGroup) -> Option<Self> {
         match named_group {
             NamedGroup::FFDHE2048 => Some(FFDHE2048),
@@ -306,11 +310,10 @@ fn named_group_ffdhe_group_roundtrip() {
     use NamedGroup::*;
     let ffdhe_groups = [FFDHE2048, FFDHE3072, FFDHE4096, FFDHE6144, FFDHE8192];
     for g in ffdhe_groups {
-        assert_eq!(
-            FfdheGroup::from_named_group(g)
-                .unwrap()
-                .named_group(),
-            Some(g)
-        );
+        #[allow(deprecated)]
+        let roundtrip = FfdheGroup::from_named_group(g)
+            .unwrap()
+            .named_group();
+        assert_eq!(roundtrip, Some(g));
     }
 }
diff --git a/rustls/src/msgs/handshake.rs b/rustls/src/msgs/handshake.rs
index 17b8a0bb..5807f443 100644
--- a/rustls/src/msgs/handshake.rs
+++ b/rustls/src/msgs/handshake.rs
@@ -1866,7 +1866,7 @@ pub(crate) struct ServerDhParams {
 impl ServerDhParams {
     #[cfg(feature = "tls12")]
     pub(crate) fn new(kx: &dyn ActiveKeyExchange) -> Self {
-        let params = match FfdheGroup::from_named_group(kx.group()) {
+        let params = match kx.ffdhe_group() {
             Some(params) => params,
             None => panic!("invalid NamedGroup for DHE key exchange: {:?}", kx.group()),
         };
diff --git a/rustls/tests/api_ffdhe.rs b/rustls/tests/api_ffdhe.rs
index 5b7c2d01..ddfcbb75 100644
--- a/rustls/tests/api_ffdhe.rs
+++ b/rustls/tests/api_ffdhe.rs
@@ -150,10 +150,7 @@ fn server_avoids_dhe_cipher_suites_when_client_has_no_known_dhe_in_groups_ext()
                     ffdhe::TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                     provider::cipher_suite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                 ],
-                kx_groups: vec![
-                    &ffdhe::FfdheKxGroup(NamedGroup::FFDHE4096),
-                    provider::kx_group::SECP256R1,
-                ],
+                kx_groups: vec![&ffdhe::FFDHE4096_KX_GROUP, provider::kx_group::SECP256R1],
                 ..provider::default_provider()
             }
             .into(),
@@ -369,7 +366,7 @@ mod ffdhe {
         SupportedKxGroup,
     };
     use rustls::ffdhe_groups::FfdheGroup;
-    use rustls::{CipherSuite, NamedGroup, SupportedCipherSuite, Tls12CipherSuite};
+    use rustls::{ffdhe_groups, CipherSuite, NamedGroup, SupportedCipherSuite, Tls12CipherSuite};
 
     use super::provider;
 
@@ -384,8 +381,12 @@ mod ffdhe {
 
     static FFDHE_KX_GROUPS: &[&dyn SupportedKxGroup] = &[&FFDHE2048_KX_GROUP, &FFDHE3072_KX_GROUP];
 
-    pub const FFDHE2048_KX_GROUP: FfdheKxGroup = FfdheKxGroup(NamedGroup::FFDHE2048);
-    pub const FFDHE3072_KX_GROUP: FfdheKxGroup = FfdheKxGroup(NamedGroup::FFDHE3072);
+    pub const FFDHE2048_KX_GROUP: FfdheKxGroup =
+        FfdheKxGroup(NamedGroup::FFDHE2048, ffdhe_groups::FFDHE2048);
+    pub const FFDHE3072_KX_GROUP: FfdheKxGroup =
+        FfdheKxGroup(NamedGroup::FFDHE3072, ffdhe_groups::FFDHE3072);
+    pub const FFDHE4096_KX_GROUP: FfdheKxGroup =
+        FfdheKxGroup(NamedGroup::FFDHE4096, ffdhe_groups::FFDHE4096);
 
     static FFDHE_CIPHER_SUITES: &[rustls::SupportedCipherSuite] = &[
         TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
@@ -410,7 +411,7 @@ mod ffdhe {
         };
 
     #[derive(Debug)]
-    pub struct FfdheKxGroup(pub NamedGroup);
+    pub struct FfdheKxGroup(pub NamedGroup, pub FfdheGroup<'static>);
 
     impl SupportedKxGroup for FfdheKxGroup {
         fn start(&self) -> Result<Box<dyn ActiveKeyExchange>, rustls::Error> {
@@ -420,22 +421,25 @@ mod ffdhe {
                 .fill(&mut x)?;
             let x = BigUint::from_bytes_be(&x);
 
-            let group = FfdheGroup::from_named_group(self.0).unwrap();
-            let p = BigUint::from_bytes_be(group.p);
-            let g = BigUint::from_bytes_be(group.g);
+            let p = BigUint::from_bytes_be(self.1.p);
+            let g = BigUint::from_bytes_be(self.1.g);
 
             let x_pub = g.modpow(&x, &p);
-            let x_pub = to_bytes_be_with_len(x_pub, group.p.len());
+            let x_pub = to_bytes_be_with_len(x_pub, self.1.p.len());
 
             Ok(Box::new(ActiveFfdheKx {
                 x_pub,
                 x,
                 p,
-                group,
+                group: self.1,
                 named_group: self.0,
             }))
         }
 
+        fn ffdhe_group(&self) -> Option<FfdheGroup<'static>> {
+            Some(self.1)
+        }
+
         fn name(&self) -> NamedGroup {
             self.0
         }
@@ -462,6 +466,10 @@ mod ffdhe {
             &self.x_pub
         }
 
+        fn ffdhe_group(&self) -> Option<FfdheGroup<'static>> {
+            Some(self.group)
+        }
+
         fn group(&self) -> NamedGroup {
             self.named_group
         }
author	Joe Birr-Pixton <jpixton@gmail.com>	2024-08-27 13:17:11 +0100
committer	Joe Birr-Pixton <jpixton@gmail.com>	2024-09-05 12:59:06 +0000
commit	483fece984484b9023af1d7b8626a025e30c2645 (patch)
tree	905ee78078b6978422888b78709f6e37db4c1852
parent	97191e057bd178f69bd401a0f40bedeef65d2c58 (diff)