Refactor TLS 1.3 cipher selection and fix SSL_get_ciphers

[smittals2]

Issues:

CryptoAlg-2559

Description of changes:

1. SSL_CTX_new now configures ctx->tls13_cipher_suites with default TLS 1.3 ciphers (did not previously). The default preference order for TLS 1.3 ciphersuites differs based on whether AES Hardware acceleration is enabled in AWS-LC, we match this behavior in SSL_CTX_new.
2. The SSL_CONFIG object holds it's own TLS 1.3 ciphersuites now
3. Server side and client side cipher selection logic is modified to account for the new field in SSL_CONFIG
4. Each time a cipher list is configured either on SSL_CTX or SSL_CONFIG, the main cipher_list is updated with values from its own tls13_cipher_suites via a new function update_cipher_list. This function also updates in_group_flags accordingly. This means, TLS 1.3 ciphersuites are stored seperately while the main cipher_list var holds ALL ciphersuites in both objects
5. Outdated comments were updated

Call-outs:

Note SSL_CTX generally has a longer lifetime than an SSL object. SSL_CONFIG objects live on SSL objects. Both SSL_CTX and SSL_CONFIG have their own cipher_list and tls13_cipher_list fields. We support SSL_[CTX]_set_... APIs to set these fields.

In general, our TLS implementations pick cipher suites against the given connection constraints/parameters. Adding TLS 1.3 ciphersuites to ctx->cipher_list or config->cipher_list does not modify this behavior or introduce new problems.

Testing:

Added new testing to validate cipher selection behavior between SSL_CTX and SSL_CONFIG objects
Added change detection test for TLS 1.3 Client Hello
Updated old tests and to-do's regarding TLS 1.3
Testing to ensure SSL_get_ciphers returns ALL ciphersuites instead of TLS 1.2 and below.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 93.33333% with 9 lines in your changes missing coverage. Please review.

Project coverage is 78.98%. Comparing base (29be983) to head (2c6d018).
Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
ssl/ssl_cipher.cc	88.09%	5 Missing ⚠️
ssl/ssl_lib.cc	93.93%	2 Missing ⚠️
ssl/ssl_test.cc	95.91%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2092      +/-   ##
==========================================
+ Coverage   78.95%   78.98%   +0.03%     
==========================================
  Files         610      610              
  Lines      105293   105381      +88     
  Branches    14911    14937      +26     
==========================================
+ Hits        83129    83231     +102     
+ Misses      21511    21499      -12     
+ Partials      653      651       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[andrewhop]

Do we have tests that attempt to set 1.3 ciphers and ensure they are rejected?

[smittals2]

Do you mean use the TLS 1.2 setter functions to set TLS 1.3 ciphers? If so yes you get a no cipher match error.

[andrewhop]

Why are you filtering the TLS 1.3 ciphers again here? From line 276 we already know we want 1.3 ciphers and tls13_cipher_list only has 1.3 ciphers in it.

[andrewhop]

Actually can these two blocks be combined into a single flow:

1. Call SSL_get_ciphers to get all 1.2 and 1.3 ciphers
2. Filter that based on min/max
3. Write that to the CBB

[smittals2]

Cannot combine the two blocks. Different cases for ECH (discussed offline)

[andrewhop]

I agree you can't combine the two blocks into one shared block, but I'm still curious about the filtering, can this just use ciphers from up above which only includes 1.3 ciphers?

[smittals2]

Are you saying use the same SSL_get_ciphers call below as well?

The reason we can't do this is if you are a ECH ClientHelloInner, and you support TLS versions less than 1.3, by RFC we still only send TLS 1.3 ciphersuites. Since collect_ciphers takes min max version from the handshake, using the above ciphers var would erroneously pull in TLS 1.2 and below ciphersuites. Therefore, we specifically pass in only the tls13_ciphersuites in the else block

[andrewhop]

Double checking my understanding: this is in an if/else block so only hs->min_version < TLS1_3_VERSION or hs->max_version >= TLS1_3_VERSION will run. If min is less than 1.3 we want to add both, and SSL_get_ciphers returns both?

[smittals2]

Yes if min is less than 1.3, we want to add min to max (where max could also be anything). We pass this in to collect_cipher_protocol_ids.

SSL_get_ciphers will return the SSL level (if configured) and otherwise SSL_CTX main cipher list which now holds all ciphersuites.

[andrewhop]

Please update SSL_get_ciphers documentation to note it returns all ciphers 1.2 and 1.3

[smittals2]

The current documentation covers this case ("cipher list for |ssl|") but I'll make it more explicit. We just weren't living up to this contract initially.

[andrewhop]

What does in_group_flags do?

[smittals2]

https://github.com/aws/aws-lc/blob/81f138a0632151e24ecbf3e0b08c37d6f82f57ed/ssl/internal.h#L648C1-L677C8

[andrewhop]

Should this fail here instead? If this happens does that mean something happened up above and the wrong number of things got added?

[andrewhop]

Can a group include a 1.3 and 1.2 cipher suite?

[smittals2]

No, you can only group ciphersuites within the same TLS version

[andrewhop]

Can we just pass the 1.3 ciphers to ssl_create_cipher_list and have it put them at the beginning automatically?

[smittals2]

The same ssl_create_cipher_list function is used to create tls13_cipher_lists and the main cipher_list. Therefore, I have chosen to do update's separately to properly distinguish what is being set.