Make *ring* optional, and demonstrate how alternatives would be integrated

[ctz]

This builds on #1401 to make ring and webpki dependencies optional. Then there is a demonstration of custom crypto using various crypto crates from the ecosystem.

TODOs:

• we should run cargo run --example client in the connect-tests job
• this PR seems like a good venue to introduce an optional aws-lc-rs dependency, and arrange to run our tests against it
• run cargo hack --feature-powerset --no-dev-deps build and cargo hack --feature-powerset test to make sure all combinations of features at least compile and pass tests
• seems like the is some utility in making the provider example introduced here more reusable: Check for UB using krabcake rustls-ffi#342 (comment)
  • this will be follow-on work, see discussion on add an example tls server with provider #1440

[codecov]

Codecov Report

Merging #1405 (78295cf) into main (3fc1c93) will decrease coverage by 0.13%.
The diff coverage is 94.59%.

@@            Coverage Diff             @@
##             main    #1405      +/-   ##
==========================================
- Coverage   96.55%   96.43%   -0.13%     
==========================================
  Files          71       72       +1     
  Lines       15123    15163      +40     
==========================================
+ Hits        14602    14622      +20     
- Misses        521      541      +20     

Files Changed	Coverage Δ
rustls/src/builder.rs	98.95% <ø> (ø)
rustls/src/client/builder.rs	88.23% <ø> (ø)
rustls/src/crypto/mod.rs	0.00% <ø> (ø)
rustls/src/crypto/ring/mod.rs	94.25% <ø> (ø)
rustls/src/hash_hs.rs	100.00% <ø> (ø)
rustls/src/hkdf.rs	100.00% <ø> (ø)
rustls/src/server/server_conn.rs	87.41% <ø> (ø)
rustls/src/suites.rs	99.24% <ø> (ø)
rustls/src/tls12/mod.rs	97.82% <ø> (ø)
rustls/src/tls12/prf.rs	100.00% <ø> (ø)
... and 18 more

... and 2 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[djc]

I think we should postpone adding aws-lc-rs until a future PR -- this one is already large enough as it is.

[djc]

Early feedback, hope it's useful.

[ctz]

Quick note for bisecting icount changes:

$ mkdir ci-bench/commits
$ git rebase -i main --exec 'cd ci-bench && cargo run --release run-all > commits/$(git rev-parse HEAD).csv'
(...)
$ grep handshake_tickets_1.2_rsa_aes_client ci-bench/commits/*.csv
ci-bench/commits/0438e888d1617a32d244eabdf2b8c7232ea469c9.csv:handshake_tickets_1.2_rsa_aes_client,4777225
ci-bench/commits/39ab4ea727a2b7b96cec021c6e8876a2c4695b5d.csv:handshake_tickets_1.2_rsa_aes_client,4774559
ci-bench/commits/4b9efe02185956838fcb8c3bc97324847d07543e.csv:handshake_tickets_1.2_rsa_aes_client,4771167
ci-bench/commits/6d0896cd768220c68eb5f36f640023636da994c8.csv:handshake_tickets_1.2_rsa_aes_client,4769570
ci-bench/commits/9383141f6d44cccfc65a35e4e0080d77873d4a9a.csv:handshake_tickets_1.2_rsa_aes_client,4775916
ci-bench/commits/ff29c8a92082faa99aaee375dde120e169deedf7.csv:handshake_tickets_1.2_rsa_aes_client,4774989

Which doesn't point to a specific commit. Hmm!

@aochagavia any ideas?

[djc]

What doesn't point to a specific commit? I'm guessing if main changed underneath you the commit hashes might, too?

[aochagavia]

There is a very high chance the "noteworthy" diffs you are seeing are just noise (it involves only 2 resumed handshakes, which are known to be noisy, and the diffs are close to the noise threshold). I thought I'd managed to solve the noise problem, but it looks like I'll have to tweak things some more.

[ctz]

What doesn't point to a specific commit?

Sorry, I mean the performance regression doesn't seem to be attributable to any one commit in this PR. But now I think that's because I can't see the regression locally.

There is a very high chance the "noteworthy" diffs you are seeing are just noise

Ah, understood. Is there much that can be done for that?

I saw your comment about HashMap usage which makes sense for servers, but not clients (because they're only talking to one server ever, they would end up with their cache HashMap only ever containing one item, indexed by "localhost"?)

[aochagavia]

Hmmm I just checked out the code locally and maybe it's not noise after all. Do you mind if I have a look at this next week?

[ctz]

Sure, yes!

[aochagavia]

After some more investigation, I discovered the stdio IPC introduces a low amount of noise that affects the resumed handshakes. I'll be figuring out how to get rid from it, and afterwards compare again between main and this PR.

Update: I can confirm this is noise, though interestingly the handshake_session_id_1.2_rsa_aes_client has reduced its instruction count with 0.40%. Below is the reduction's details, as reported by cg_diff + cg_annotate. It looks like we now allocate less, the encoding of messages requires less instructions, and supported_verify_schemes requires less instructions too. Does that make sense?

-12,401 (65.99%)  ./malloc/./malloc/malloc.c:_int_malloc
 -4,516 (24.03%)  ./malloc/./malloc/malloc.c:unlink_chunk.constprop.0
 -3,764 (20.03%)  ???:rustls::msgs::message::MessagePayload::encode
  2,542 (-13.5%)  ???:<rustls::msgs::message::PlainMessage as core::convert::From<rustls::msgs::message::Message>>::from
  1,984 (-10.6%)  ???:<rustls::webpki::verify::WebPkiServerVerifier as rustls::verify::ServerCertVerifier>::supported_verify_schemes
   -825 ( 4.39%)  ./malloc/./malloc/malloc.c:malloc_consolidate
   -708 ( 3.77%)  ./malloc/./malloc/malloc.c:_int_free
   -608 ( 3.24%)  ./elf/../sysdeps/x86_64/dl-machine.h:_dl_relocate_object
    406 (-2.16%)  ./string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:__memcpy_avx_unaligned_erms
   -384 ( 2.04%)  ./malloc/./malloc/malloc.c:alloc_perturb
   -380 ( 2.02%)  ./elf/./elf/do-rel.h:_dl_relocate_object
   -192 ( 1.02%)  ???:rustls::msgs::message::MessagePayload::new
    138 (-0.73%)  ./string/../sysdeps/x86_64/multiarch/memcmp-avx2-movbe.S:__memcmp_avx2_movbe
   -126 ( 0.67%)  ???:rustls::tls12::prf::prf
     96 (-0.51%)  ???:rustls::webpki::verify::verify_signed_struct
    -80 ( 0.43%)  ???:rustls::webpki::verify::WebPkiServerVerifier::default_verify_tls12_signature
    -33 ( 0.18%)  /home/aochagavia/.cargo/registry/src/index.crates.io-6f17d22bba15001f/ring-0.16.20/pregenerated/x86_64-mont-elf.S:bn_sqr8x_mont
     26 (-0.14%)  ???:rustls::msgs::handshake::HasServerExtensions::has_duplicate_extension

[ctz]

and supported_verify_schemes requires less instructions too

that's very interesting, because on main supported_verify_schemes is simpler. on main it is:

162     pub fn default_supported_verify_schemes() -> Vec<SignatureScheme> {
163         vec![
164             SignatureScheme::ECDSA_NISTP384_SHA384,
165             SignatureScheme::ECDSA_NISTP256_SHA256,
166             SignatureScheme::ED25519,
167             SignatureScheme::RSA_PSS_SHA512,
168             SignatureScheme::RSA_PSS_SHA384,
169             SignatureScheme::RSA_PSS_SHA256,
170             SignatureScheme::RSA_PKCS1_SHA512,
171             SignatureScheme::RSA_PKCS1_SHA384,
172             SignatureScheme::RSA_PKCS1_SHA256,
173         ]
174     }

on this branch it is:

520     fn supported_schemes(&self) -> Vec<SignatureScheme> {
521         self.mapping
522             .iter()
523             .map(|item| item.0)
524             .collect()
525     }

which feels like it should take more instructions. (there are some indirections, but ones i'm assuming will be inlined away in release mode.)

[aochagavia]

Oops, it looks like I didn't look carefully enough at the + and - signs in the report. supported_verify_schemes has in fact 10% more instructions.

[ctz]

Aha! That makes a lot more sense!

[djc]

Okay, but so SignatureVerificationAlgorithm is in pki-types now, so why do we need to wrap over this? Sorry to keep harping at this, something keeps nagging at me about this types which feels unidiomatic and I can't quite grasp why it's necessary.

[djc]

Why don't we want to this to just be a top-level static?

[ctz]

not quite sure what you mean. it needs to be configurable rather than static so the WebPkiServerVerifier (etc.) can be reused without ring. there's a separate constructor of this type in ba26a6d#diff-8749c6ccb1619fb20bb8abc0a3651cc58eaf05ff79a0c395c7b9ef76047cea05R11-R17 backed by https://crates.io/crates/rsa if that makes the goal any clearer?

[djc]

Okay, so this is really a way for the crypto provider to provide it's signature verification algorithms, and a mapping from SignatureScheme to them? And you used the WebPki prefix since this is specifically used for the webpki-backed verifiers?

[ctz]

correct, yes.

[djc]

I don't know, it feels more like a crypto provider concern that happens to be used by the verifiers, not all that webpki-specific.

[ctz]

Any thoughts on a way forward on this?

[djc]

I think I'm convinced that this a decent design. Should we be worried about the link-time inclusion of all signature verification algorithms by default?

[ctz]

I think that is the status quo. Though I guess this does now give people the opportunity to avoid that if desired.

[cpu]

nb. since the above reviews the webpki-is-optional commit has been dropped, and there are two net-new refactoring commits to OpaqueMessage which would benefit from a look.

New changes look good to me 👍

[tarcieri]

FYI, the @RustCrypto project is going to try to put together a provider based on the example.

You can follow along at https://github.com/RustCrypto/rustls-rustcrypto (currently an empty repo)

[djc]

@tarcieri maybe collaborate with @stevefan1999-personal, they started on https://github.com/stevefan1999-personal/rustls-provider-rustcrypto already? Feel free to ask questions via issues or our Discord.

[tarcieri]

Wasn't aware @stevefan1999-personal already started on one but I think it would make sense for this provider to live under the @RustCrypto organization

[stevefan1999-personal]

@tarcieri Yep. This should be a community collaboration effort. And not only RustCrypto, we also have https://github.com/franziskuskiefer/evercrypt-rust/ too, which is a formally verified TLS library from F*, but ported to Rust.

[tarcieri]

@stevefan1999-personal would you want to upstream your current work to our repo? We can give you code review in the process.

[stevefan1999-personal]

@stevefan1999-personal would you want to upstream your current work to our repo? We can give you code review in the process.

Sure thing! The server example should be good for review, but I will need to make some adjustment first. I will head back to it later tomorrow.