
Correct kx group selection #1784

Merged
merged 6 commits into main from jbp-correct-kx-selection
Feb 19, 2024

Conversation

@ctz (Member) commented Feb 12, 2024

See https://datatracker.ietf.org/doc/draft-davidben-tls-key-share-prediction/ for background.

The first three commits are "the friends we made along the way".

fixes #1512

@ctz ctz force-pushed the jbp-correct-kx-selection branch 2 times, most recently from 349420d to 8f6cbed, February 12, 2024 12:25

rustls-benchmarking bot commented Feb 12, 2024

Benchmark results

Instruction counts

Significant differences

There are no significant instruction count differences


Wall-time

Significant differences

There are no significant wall-time differences


codecov bot commented Feb 12, 2024

Codecov Report

Attention: 2 lines in your changes are missing coverage. Please review.

Comparison is base (cf61961) 95.92% compared to head (59532da) 96.02%.

Files Patch % Lines
rustls/src/server/hs.rs 98.07% 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1784      +/-   ##
==========================================
+ Coverage   95.92%   96.02%   +0.09%     
==========================================
  Files          81       81              
  Lines       18803    18678     -125     
==========================================
- Hits        18037    17935     -102     
+ Misses        766      743      -23     

@cpu (Member) left a comment

This looks good to me.

After skimming draft-davidben-tls-key-share-prediction-00 I expected there might be client changes needed here or in #1785 to track the notion of a prediction-safe supported group, but it looks like neither branch considers that. Am I overlooking something?

@ctz (Member, Author) commented Feb 12, 2024

> I expected there might be client changes needed here or in #1785 to track the notion of a prediction-safe supported group, but it looks like neither branch considers that. Am I overlooking something?

Sorry, yes, that isn't very clear. The only part I am fixing at this point is this paragraph:

> TLS 1.3 servers implementing this document MUST NOT assume the client's key_share extension reflects client preferences. Instead, servers SHOULD select the best common named group based on supported_groups, without reference to key_share. The server then looks for the selected named group in key_share to decide whether to send HelloRetryRequest or ServerHello.

I'm cherry-picking just that part, because our old way of selecting a group wasn't supported by RFC8446 (an RFC we definitely want to support as correctly as possible!), specifically this text:

> Each KeyShareEntry value MUST correspond to a group offered in the "supported_groups" extension and MUST appear in the same order. However, the values MAY be a non-contiguous subset of the "supported_groups" extension and MAY omit the most preferred groups.

(emphasis mine)

I think if draft-davidben-tls-key-share-prediction-00 is adopted by the WG and becomes a real thing, then we should reflect the "prediction safe" concept (eg, `fn is_prediction_safe(&self) -> bool` in `impl NamedGroup`) and implement whatever logic goes with it. But, until then, I think that might be jumping the gun.
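The selection rule quoted above, and the downgrade the commit message about avoiding `HelloRetryRequest` describes, as an added example that is not rustls code: the old rule (take any offered key share the server supports) beside the corrected one (pick the best common group from `supported_groups`, then use `key_share` only to decide between `ServerHello` and `HelloRetryRequest`), plus the RFC 8446 ordering check on `key_share`. `NamedGroup`, `Decision` and the `ignore_client_order` switch that picks whose preference order wins are constructions of this example, not rustls's API.

```rust
// Added example, not rustls code: models the server-side key-exchange group
// selection this PR corrects. Group names, preference lists and the
// `ignore_client_order` switch are constructed for illustration.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum NamedGroup {
    X25519,
    Secp256r1,
    Secp384r1,
}

/// What the server sends in response to the ClientHello.
#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    /// The client already sent a key share for the chosen group.
    ServerHello(NamedGroup),
    /// The chosen group has no key share: ask the client to retry with it.
    HelloRetryRequest(NamedGroup),
    /// No mutually supported group at all.
    NoCommonGroup,
}

/// RFC 8446 s4.2.8: every KeyShareEntry must name a group listed in
/// supported_groups, in the same relative order; gaps and omissions are fine.
pub fn key_shares_valid(supported: &[NamedGroup], shares: &[NamedGroup]) -> bool {
    let mut pos = 0;
    for share in shares {
        match supported[pos..].iter().position(|g| g == share) {
            Some(i) => pos += i + 1,
            None => return false,
        }
    }
    true
}

/// Old behaviour: avoid HelloRetryRequest whenever *any* supported key share
/// was offered, so a client that only predicted a less-preferred group is
/// pinned to it although a better group is mutually supported.
pub fn select_old(server: &[NamedGroup], supported: &[NamedGroup], shares: &[NamedGroup]) -> Decision {
    if let Some(&g) = shares.iter().find(|g| server.contains(g)) {
        return Decision::ServerHello(g);
    }
    match server.iter().find(|g| supported.contains(g)) {
        Some(&g) => Decision::HelloRetryRequest(g),
        None => Decision::NoCommonGroup,
    }
}

/// Corrected behaviour: pick the best common group from supported_groups
/// without looking at key_share, then consult key_share only to decide
/// between ServerHello and HelloRetryRequest.
pub fn select_new(server: &[NamedGroup], supported: &[NamedGroup], shares: &[NamedGroup], ignore_client_order: bool) -> Decision {
    let chosen = if ignore_client_order {
        server.iter().find(|g| supported.contains(g))
    } else {
        supported.iter().find(|g| server.contains(g))
    };
    match chosen {
        Some(&g) if shares.contains(&g) => Decision::ServerHello(g),
        Some(&g) => Decision::HelloRetryRequest(g),
        None => Decision::NoCommonGroup,
    }
}
```

With a client that supports X25519, P-256 and P-384 but only predicted P-384, `select_old` pins the handshake to P-384 while `select_new` asks for a retry with X25519; that one extra round trip is the cost of not letting a key-share guess override the negotiated preference.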

@cpu (Member) commented Feb 12, 2024

> But, until then, I think that might be jumping the gun.

Makes sense to me 👍

@cpu cpu mentioned this pull request Feb 12, 2024
@cpu cpu mentioned this pull request Feb 15, 2024
In 3355e06 we generalised the error type here, but we didn't
get rid of code that discarded the information-less error.

By ignoring everything not precisely expected, these ran the risk
of incorrectly passing.  eg, `assert_server_requests_retry_and_echoes_session_id`
would pass if the server sent a `ServerHello`.

Prior to this, we preferred to avoid a `HelloRetryRequest` when
any supported `KeyShare` was supplied.  But as [1] describes,
this means a client which sends a `KeyShare` for a less-preferred
group would end up using that, rather than a more-preferred group
supported by both peers.

[1]: https://www.ietf.org/archive/id/draft-davidben-tls-key-share-prediction-00.html#name-downgrades

This is complex because the choice of usable cipher suites depends
on selected protocol version, and the set of mutually supported
key exchange groups.  Then, the usable set of key exchange groups
depends on the actually-selected cipher suite.

Test the behaviour of `ServerConfig::ignore_client_order` at
the public API level.
@ctz ctz added this pull request to the merge queue Feb 19, 2024
Merged via the queue into main with commit 114ae6f Feb 19, 2024
44 checks passed
@ctz ctz deleted the jbp-correct-kx-selection branch February 19, 2024 19:47
@cpu cpu mentioned this pull request Feb 28, 2024
Successfully merging this pull request may close these issues.

Key share selection by server puts too much weight on key shares presented by client