Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-lc-rs: consume new TLS-specific APIs #1586

Merged
merged 15 commits into from
Nov 21, 2023
Merged

aws-lc-rs: consume new TLS-specific APIs #1586

merged 15 commits into from
Nov 21, 2023

Conversation

ctz
Copy link
Member

@ctz ctz commented Nov 13, 2023

aws-lc-rs 1.4 adds some TLS-specific APIs which are implemented inside in the FIPS boundary:

  • TLS1.2 PRF
  • an AEAD API that notices if rustls messes up the GCM nonce sequence

This PR moves to using those.

@codecov Codecov
Copy link

codecov bot commented Nov 13, 2023
edited
Loading

Codecov Report

Attention: 54 lines in your changes are missing coverage. Please review.

Comparison is base (b8b1327) 95.90% compared to head (2431bf1) 95.73%.

Files Patch % Lines
rustls/src/crypto/aws_lc_rs/tls12.rs 88.15% 27 Missing ⚠️
rustls/src/crypto/aws_lc_rs/tls13.rs 88.37% 25 Missing ⚠️
rustls/src/crypto/cipher.rs 0.00% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1586      +/-   ##
==========================================
- Coverage   95.90%   95.73%   -0.18%     
==========================================
  Files          77       79       +2     
  Lines       15742    16188     +446     
==========================================
+ Hits        15098    15498     +400     
- Misses        644      690      +46

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@ctz
Copy link
Member Author

ctz commented Nov 13, 2023
edited
Loading

looking at why the coverage is so bad for this

edit: it was feature unification again :(

@ctz ctz force-pushed the jbp-aws-lc-rs-tls12-prf branch 2 times, most recently from 37d7467 to b96b8c3 Compare November 14, 2023 16:51
djc
djc reviewed Nov 14, 2023
View reviewed changes
rustls/src/crypto/aws_lc_rs/tls12.rs Outdated Show resolved Hide resolved
rustls/src/crypto/aws_lc_rs/tls12.rs Outdated Show resolved Hide resolved
admin/coverage Show resolved Hide resolved
cpu
cpu reviewed Nov 14, 2023
View reviewed changes
Copy link
Member

@cpu cpu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's some initial comments, nothing major!

rustls/src/crypto/aws_lc_rs/tls12.rs Outdated Show resolved Hide resolved
rustls/src/crypto/aws_lc_rs/tls12.rs Outdated Show resolved Hide resolved
provider-example/src/aead.rs Show resolved Hide resolved
rustls/src/crypto/aws_lc_rs/tls13.rs Show resolved Hide resolved
rustls/examples/internal/bogo_shim.rs Outdated Show resolved Hide resolved
@ctz ctz force-pushed the jbp-aws-lc-rs-tls12-prf branch 2 times, most recently from 0bd10a7 to 52887f8 Compare November 17, 2023 15:16
@ctz ctz changed the base branch from main to jbp-remove-quic-feature November 17, 2023 15:17
@ctz ctz force-pushed the jbp-aws-lc-rs-tls12-prf branch 3 times, most recently from c994676 to b53915b Compare November 17, 2023 15:31
@cpu
Copy link
Member

cpu commented Nov 17, 2023

Hm, I think the aws-lc-sys bump in this branch broke the min versions check:

error[E0599]: no method named `skip_exist` found for struct `fs_extra::dir::CopyOptions` in the current scope
   --> /home/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/aws-lc-sys-0.12.0/builder/main.rs:429:18
    |
428 |               let options = fs_extra::dir::CopyOptions::new()
    |  ___________________________-
429 | |                 .skip_exist(true)
    | |                 -^^^^^^^^^^------ help: remove the arguments
    | |                 ||
    | |_________________|field, not a method
    |

I think the upstream crate needs to specify a diff min version in https://github.com/aws/aws-lc-rs/blob/cb030a33fb22cba4441f2b2d17e3c1c702c39895/aws-lc-sys/Cargo.toml#L55C15-L55C15 ?

@ctz
Copy link
Member Author

ctz commented Nov 17, 2023

Indeed -- have dropped a note on aws/aws-lc-rs@27d447f#r132855645

Base automatically changed from jbp-remove-quic-feature to main November 17, 2023 19:34
@djc
Copy link
Member

djc commented Nov 20, 2023

Would be good to rebase this?

@ctz ctz mentioned this pull request Nov 20, 2023
Merged
@ctz ctz force-pushed the jbp-aws-lc-rs-tls12-prf branch 2 times, most recently from de8e6c1 to e13d6ac Compare November 20, 2023 11:41
@ctz
Copy link
Member Author

ctz commented Nov 20, 2023

Would be good to rebase this?

Done!

Hm, I think the aws-lc-sys bump in this branch broke the min versions check:

About to open a PR there for this, but in the meantime #1601 made this irrelevent.

cpu
cpu approved these changes Nov 20, 2023
View reviewed changes
Copy link
Member

@cpu cpu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

djc
djc approved these changes Nov 21, 2023
View reviewed changes
rustls/src/crypto/aws_lc_rs/tls12.rs Outdated Show resolved Hide resolved
@ctz
Take aws-lc-rs 1.5
8745158
@ctz
Remove ring_shim::digest_output_len
7b2a2ed 
aws-lc-rs 1.5 tracked this API change.
@ctz
Split off tls12 module for aws-lc-rs
9f662e0
@ctz
Use aws-lc-rs API for TLS1.2 PRF
61a92d5
@ctz
Remove crypto::aws_lc_rs::hmac
5350635 
This became unused outside of tests, so isn't really paying its rent.
@ctz
Make receiver of cipher::Message{En,De}crypter mutable
2a6f441 
This is necessary if implementations want to keep state between calls --
(eg, *ring*'s `aead::OpeningKey`).  The next commit takes advantage
of this.
@ctz
aws_lc_rs::tls12: Use TlsRecordSealingKey API
4a5efae
@ctz ctz added this pull request to the merge queue Nov 21, 2023
Merged via the queue into main with commit c1e34d1 Nov 21, 2023
39 of 42 checks passed
@ctz ctz deleted the jbp-aws-lc-rs-tls12-prf branch November 21, 2023 10:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@djc djc djc approved these changes

@cpu cpu cpu approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ctz @cpu @djc