New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make *ring* optional, and demonstrate how alternatives would be integrated #1405
Conversation
Codecov Report
@@ Coverage Diff @@
## main #1405 +/- ##
==========================================
- Coverage 96.55% 96.43% -0.13%
==========================================
Files 71 72 +1
Lines 15123 15163 +40
==========================================
+ Hits 14602 14622 +20
- Misses 521 541 +20
... and 2 files with indirect coverage changes 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
I think we should postpone adding aws-lc-rs until a future PR -- this one is already large enough as it is. |
6921995
to
2743ccc
Compare
1458d75
to
05aa07b
Compare
2743ccc
to
09d71b4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Early feedback, hope it's useful.
5b8a7e5
to
ff29c8a
Compare
Quick note for bisecting icount changes: $ mkdir ci-bench/commits
$ git rebase -i main --exec 'cd ci-bench && cargo run --release run-all > commits/$(git rev-parse HEAD).csv'
(...)
$ grep handshake_tickets_1.2_rsa_aes_client ci-bench/commits/*.csv
ci-bench/commits/0438e888d1617a32d244eabdf2b8c7232ea469c9.csv:handshake_tickets_1.2_rsa_aes_client,4777225
ci-bench/commits/39ab4ea727a2b7b96cec021c6e8876a2c4695b5d.csv:handshake_tickets_1.2_rsa_aes_client,4774559
ci-bench/commits/4b9efe02185956838fcb8c3bc97324847d07543e.csv:handshake_tickets_1.2_rsa_aes_client,4771167
ci-bench/commits/6d0896cd768220c68eb5f36f640023636da994c8.csv:handshake_tickets_1.2_rsa_aes_client,4769570
ci-bench/commits/9383141f6d44cccfc65a35e4e0080d77873d4a9a.csv:handshake_tickets_1.2_rsa_aes_client,4775916
ci-bench/commits/ff29c8a92082faa99aaee375dde120e169deedf7.csv:handshake_tickets_1.2_rsa_aes_client,4774989 Which doesn't point to a specific commit. Hmm! @aochagavia any ideas? |
What doesn't point to a specific commit? I'm guessing if main changed underneath you the commit hashes might, too? |
There is a very high chance the "noteworthy" diffs you are seeing are just noise (it involves only 2 resumed handshakes, which are known to be noisy, and the diffs are close to the noise threshold). I thought I'd managed to solve the noise problem, but it looks like I'll have to tweak things some more. |
Sorry, I mean the performance regression doesn't seem to be attributable to any one commit in this PR. But now I think that's because I can't see the regression locally.
Ah, understood. Is there much that can be done for that? I saw your comment about HashMap usage which makes sense for servers, but not clients (because they're only talking to one server ever, they would end up with their cache HashMap only ever containing one item, indexed by "localhost"?) |
Hmmm I just checked out the code locally and maybe it's not noise after all. Do you mind if I have a look at this next week? |
Sure, yes! |
ff29c8a
to
38a471d
Compare
After some more investigation, I discovered the stdio IPC introduces a low amount of noise that affects the resumed handshakes. I'll be figuring out how to get rid from it, and afterwards compare again between main and this PR. Update: I can confirm this is noise, though interestingly the
|
that's very interesting, because on main
on this branch it is:
which feels like it should take more instructions. (there are some indirections, but ones i'm assuming will be inlined away in release mode.) |
Oops, it looks like I didn't look carefully enough at the |
Aha! That makes a lot more sense! |
/// Used for verifying certificate chains. | ||
/// | ||
/// The order of this list is not significant. | ||
pub all: &'static [&'static dyn SignatureVerificationAlgorithm], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, but so SignatureVerificationAlgorithm
is in pki-types now, so why do we need to wrap over this? Sorry to keep harping at this, something keeps nagging at me about this types which feels unidiomatic and I can't quite grasp why it's necessary.
/// | ||
/// The supported schemes in this mapping is communicated to the peer and the order is significant. | ||
/// The first mapping is our highest preference. | ||
pub mapping: &'static [( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why don't we want to this to just be a top-level static
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not quite sure what you mean. it needs to be configurable rather than static so the WebPkiServerVerifier
(etc.) can be reused without ring. there's a separate constructor of this type in ba26a6d#diff-8749c6ccb1619fb20bb8abc0a3651cc58eaf05ff79a0c395c7b9ef76047cea05R11-R17 backed by https://crates.io/crates/rsa if that makes the goal any clearer?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, so this is really a way for the crypto provider to provide it's signature verification algorithms, and a mapping from SignatureScheme
to them? And you used the WebPki
prefix since this is specifically used for the webpki-backed verifiers?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
correct, yes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know, it feels more like a crypto provider concern that happens to be used by the verifiers, not all that webpki-specific.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any thoughts on a way forward on this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I'm convinced that this a decent design. Should we be worried about the link-time inclusion of all signature verification algorithms by default?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that is the status quo. Though I guess this does now give people the opportunity to avoid that if desired.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nb. since the above reviews the webpki-is-optional commit has been dropped, and there are two net-new refactoring commits to OpaqueMessage which would benefit from a look.
New changes look good to me 👍
18737c7
to
937bb0c
Compare
FYI, the @RustCrypto project is going to try to put together a provider based on the example. You can follow along at https://github.com/RustCrypto/rustls-rustcrypto (currently an empty repo) |
@tarcieri maybe collaborate with @stevefan1999-personal, they started on https://github.com/stevefan1999-personal/rustls-provider-rustcrypto already? Feel free to ask questions via issues or our Discord. |
Wasn't aware @stevefan1999-personal already started on one but I think it would make sense for this provider to live under the @RustCrypto organization |
@tarcieri Yep. This should be a community collaboration effort. And not only RustCrypto, we also have https://github.com/franziskuskiefer/evercrypt-rust/ too, which is a formally verified TLS library from F*, but ported to Rust. |
@stevefan1999-personal would you want to upstream your current work to our repo? We can give you code review in the process. |
Using the crate without this feature means something external needs to provide all the cryptography, and (eg) convenient integrated key loading APIs disappear.
…re used The prior arrangements are still available (and the default), if the crate is built with the *ring* feature. `WebPkiSupportedAlgorithms` is a new structure (designed for static construction, and direct use in webpki calls) that links `pki_types::SignatureVerificationAlgorithm`s to their corresponding TLS `SignatureScheme`. This replaces the hardcoded mappings in `fn convert_scheme` etc.
This removes a further need for `Payload` to be understood outside this crate. `payload()` allows immutable access as a slice, `payload_mut()` allows mutable access to the underlying vec (such as needed to decrypt the message without a copy).
This is an example that builds a mostly-unchanged rustls example (simpleclient), but only using crypto from the rust-crypto project and elsewhere. This is intended to be minimalistic, and not a complete replacement for *ring*. It implements: - TLS1.3 TLS13_CHACHA20_POLY1305_SHA256 cipher suite. - TLS1.2 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cipher suite. - X25519 key exchange. - RSA-PSS-SHA256 and RSA-PKCS1-SHA256 signature verification for verifying the server, integrated into the webpki crate. - random generation using `rand_core`. This means it can fetch www.rust-lang.org. TLS1.2 is not strictly necessary for this server, but serves to demonstrate that part of the API.
937bb0c
to
78295cf
Compare
Sure thing! The server example should be good for review, but I will need to make some adjustment first. I will head back to it later tomorrow. |
This builds on #1401 to make ring and webpki dependencies optional. Then there is a demonstration of custom crypto using various crypto crates from the ecosystem.
TODOs:
cargo run --example client
in theconnect-tests
jobthis PR seems like a good venue to introduce an optional aws-lc-rs dependency, and arrange to run our tests against itcargo hack --feature-powerset --no-dev-deps build
andcargo hack --feature-powerset test
to make sure all combinations of features at least compile and pass tests