aws_lc_rs: implement RFC 5077 recommended ticketer by cpu · Pull Request #2066 · rustls/rustls · GitHub

aws_lc_rs: implement RFC 5077 recommended ticketer #2066


Merged
merged 8 commits into from
Aug 7, 2024

Conversation

cpu
Member
@cpu cpu commented Aug 1, 2024

Previously the aws_lc_rs crypto module shared its Ticketer implementation with ring using the "ring-like" mechanism we use for other shared implementations. This branch replaces it with an RFC 5077 based design that we believe addresses some theoretical concerns (#2023) with the design of the ring specific Ticketer, using APIs only available with aws-lc-rs.

For background, the ring ticketer is designed around an AEAD using random nonces. We must use an AEAD with *ring* because it doesn't expose an unauthenticated cipher/modes we could use for the RFC 5077 design. We must use random nonces with the AEAD design to avoid privacy leaks. The combination of these two constraints results in a design that has a more limited security margin (due to the size of the nonces and the implications of re-use).

This commit adds an aws-lc-rs Ticketer implementation that is a direct translation of the RFC 5077 "Recommended Ticket Construction". It uses AES-256 in CBC mode w/ PKCS#7 padding for encryption and HMAC-SHA-256 for message authentication.

Resolves #2021

@cpu cpu self-assigned this Aug 1, 2024
@cpu cpu force-pushed the cpu-aws-rfc5077-ticketer branch from 457f0c7 to bb0dc4d Compare August 1, 2024 20:58
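
The ticket construction the PR description refers to (RFC 5077 section 4, here with AES-256-CBC, PKCS#7 padding and HMAC-SHA-256), as an added example. It is not code from this PR or from rustls; it is written in Go because the Go standard library ships all the primitives, and the `Keys` type, the function names and the exact byte layout are assumptions that follow the RFC's ticket struct.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

type Keys struct { // hypothetical key set; names are assumptions, not rustls types
	Name   [16]byte // key_name, sent in the clear so the server can select the key set
	EncKey [32]byte // AES-256-CBC key
	MacKey [32]byte // HMAC-SHA-256 key
}

var errBadTicket = errors.New("ticket rejected") // same error for every failure

// Seal returns key_name(16) || iv(16) || len(2) || ciphertext || mac(32).
func Seal(k *Keys, state []byte) ([]byte, error) {
	pad := aes.BlockSize - len(state)%aes.BlockSize // PKCS#7 adds 1..16 bytes
	block, err := aes.NewCipher(k.EncKey[:])
	if err != nil || len(state)+pad > 0xffff {
		return nil, errors.New("cannot seal state")
	}
	iv := make([]byte, aes.BlockSize) // fresh random IV for every ticket
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := append(append([]byte{}, state...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct)
	out := append(append([]byte{}, k.Name[:]...), iv...)
	out = append(append(out, byte(len(ct)>>8), byte(len(ct))), ct...)
	m := hmac.New(sha256.New, k.MacKey[:])
	m.Write(out) // MAC covers key_name, IV, length and ciphertext
	return m.Sum(out), nil
}

// Open authenticates the whole ticket before any decryption or padding check.
func Open(k *Keys, ticket []byte) ([]byte, error) {
	const hdr = 16 + 16 + 2
	if len(ticket) < hdr+aes.BlockSize+sha256.Size {
		return nil, errBadTicket
	}
	body, tag := ticket[:len(ticket)-sha256.Size], ticket[len(ticket)-sha256.Size:]
	block, err := aes.NewCipher(k.EncKey[:])
	m := hmac.New(sha256.New, k.MacKey[:])
	m.Write(body)
	ct := body[hdr:]
	if err != nil || !bytes.Equal(body[:16], k.Name[:]) || !hmac.Equal(m.Sum(nil), tag) ||
		int(body[32])<<8|int(body[33]) != len(ct) || len(ct)%aes.BlockSize != 0 {
		return nil, errBadTicket
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, body[16:32]).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize ||
		!bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errBadTicket
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	k := new(Keys) // constructed all-zero keys, demonstration only
	t, _ := Seal(k, []byte("constructed session state"))
	pt, err := Open(k, t)
	t[40] ^= 1 // flip one ciphertext bit: the MAC check rejects it before decryption
	_, tamperErr := Open(k, t)
	fmt.Println(len(t), string(pt), err, tamperErr)
}
```

Because the HMAC is checked over the full ticket before CBC decryption, a modified ticket never reaches the padding check, and the 128-bit random IV takes the place of the AEAD nonce discussed above.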
codecov bot commented Aug 1, 2024

Codecov Report

Attention: Patch coverage is 99.60317% with 1 line in your changes missing coverage. Please review.

Project coverage is 94.52%. Comparing base (d484e41) to head (833e85a).

Files Patch % Lines
rustls/src/polyfill.rs 80.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2066      +/-   ##
==========================================
+ Coverage   94.47%   94.52%   +0.05%     
==========================================
  Files         100      102       +2     
  Lines       23245    23465     +220     
==========================================
+ Hits        21960    22180     +220     
  Misses       1285     1285              


@cpu cpu force-pushed the cpu-aws-rfc5077-ticketer branch from bb0dc4d to 02c84ab Compare August 5, 2024 16:04
@cpu cpu requested review from djc and ctz August 6, 2024 14:52
@cpu cpu force-pushed the cpu-aws-rfc5077-ticketer branch from 02c84ab to 19b1c2a Compare August 6, 2024 15:34
rustls-benchmarking bot commented Aug 6, 2024

Benchmark results

Instruction counts

Significant differences

⚠️ There are significant instruction count differences

Scenario Baseline Candidate Diff Threshold
handshake_tickets_aws_lc_rs_1.2_rsa_aes_server 4398720 5114810 ⚠️ 716090 (16.28%) 4.69%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_chacha_server 33541797 34787502 ⚠️ 1245705 (3.71%) 0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_chacha_server 33542075 34787225 ⚠️ 1245150 (3.71%) 0.20%
handshake_tickets_aws_lc_rs_1.3_rsa_chacha_server 33612815 34850437 ⚠️ 1237622 (3.68%) 0.80%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_aes_server 33573419 34766984 ⚠️ 1193565 (3.56%) 0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_aes_server 33575708 34767339 ⚠️ 1191631 (3.55%) 0.20%
handshake_tickets_aws_lc_rs_1.3_rsa_aes_server 33560879 34730756 ⚠️ 1169877 (3.49%) 0.60%
handshake_tickets_aws_lc_rs_1.2_rsa_aes_client 4359844 4443045 ⚠️ 83201 (1.91%) 0.20%
handshake_tickets_aws_lc_rs_1.3_rsa_aes_client 31226313 31145542 -80771 (-0.26%) 0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_aes_client 31205475 31125005 -80470 (-0.26%) 0.20%

Other differences

Scenario Baseline Candidate Diff Threshold
handshake_session_id_aws_lc_rs_1.2_rsa_aes_server 3963650 3992989 29339 (0.74%) 3.50%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_aes_client 8902947 8845417 -57530 (-0.65%) 1.31%
handshake_session_id_aws_lc_rs_1.3_rsa_chacha_server 33007405 32918560 -88845 (-0.27%) 0.59%
handshake_no_resume_aws_lc_rs_1.3_rsa_aes_server 13778776 13804273 25497 (0.19%) 1.06%
handshake_no_resume_ring_1.3_ecdsap256_chacha_client 3911580 3918731 7151 (0.18%) 0.43%
handshake_session_id_aws_lc_rs_1.3_rsa_aes_server 32999535 32948780 -50755 (-0.15%) 0.65%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_chacha_client 8871139 8858657 -12482 (-0.14%) 0.63%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_aes_client 58208419 58287496 79077 (0.14%) 0.22%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_aes_client 31169159 31128929 -40230 (-0.13%) 0.58%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_chacha_client 30705821 30737683 31862 (0.10%) 0.45%
handshake_no_resume_aws_lc_rs_1.3_rsa_chacha_server 13749542 13757338 7796 (0.06%) 0.97%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_chacha_client 31183151 31169134 -14017 (-0.04%) 0.20%
handshake_tickets_aws_lc_rs_1.3_rsa_chacha_client 31206512 31192796 -13716 (-0.04%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_rsa_chacha_server 80643408 80673508 30100 (0.04%) 0.23%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_chacha_client 31182051 31190882 8831 (0.03%) 0.35%
handshake_no_resume_ring_1.3_ecdsap256_chacha_server 2135991 2136530 539 (0.03%) 0.78%
handshake_tickets_ring_1.3_ecdsap256_aes_client 42412211 42403203 -9008 (-0.02%) 0.20%
handshake_session_id_aws_lc_rs_1.2_rsa_aes_client 4026547 4025730 -817 (-0.02%) 0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_aes_client 30713142 30719046 5904 (0.02%) 0.63%
handshake_no_resume_ring_1.2_rsa_aes_client 2853435 2853946 511 (0.02%) 0.20%
handshake_tickets_ring_1.3_ecdsap256_chacha_client 42352941 42345405 -7536 (-0.02%) 0.20%
handshake_session_id_ring_1.2_rsa_aes_server 4267485 4266726 -759 (-0.02%) 0.20%
handshake_no_resume_ring_1.3_rsa_chacha_client 2957241 2957609 368 (0.01%) 0.20%
handshake_no_resume_ring_1.3_ecdsap256_aes_server 2138550 2138809 259 (0.01%) 0.82%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_aes_server 33005253 33001548 -3705 (-0.01%) 0.20%
handshake_tickets_ring_1.3_ecdsap256_aes_server 44038090 44033352 -4738 (-0.01%) 0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_chacha_server 32963720 32960239 -3481 (-0.01%) 0.20%
handshake_no_resume_aws_lc_rs_1.3_rsa_chacha_client 2235134 2235367 233 (0.01%) 0.20%
handshake_tickets_ring_1.2_rsa_aes_server 4703995 4703508 -487 (-0.01%) 0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_chacha_server 32964363 32961046 -3317 (-0.01%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_chacha_client 92695888 92704961 9073 (0.01%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_rsa_aes_server 46370019 46365488 -4531 (-0.01%) 0.27%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_chacha_server 1919799 1919981 182 (0.01%) 0.20%
handshake_session_id_ring_1.3_ecdsap384_aes_server 43466876 43462848 -4028 (-0.01%) 0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_aes_client 30744450 30741883 -2567 (-0.01%) 0.20%
handshake_session_id_ring_1.3_ecdsap384_chacha_server 43369017 43365587 -3430 (-0.01%) 0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_aes_server 33004165 33001559 -2606 (-0.01%) 0.20%
transfer_no_resume_ring_1.3_ecdsap256_chacha_client 92675020 92667829 -7191 (-0.01%) 0.20%
handshake_session_id_ring_1.3_ecdsap256_chacha_client 41888541 41885359 -3182 (-0.01%) 0.20%
handshake_session_id_ring_1.3_rsa_chacha_server 43364771 43361598 -3173 (-0.01%) 0.20%
handshake_session_id_ring_1.2_rsa_aes_client 4284845 4284536 -309 (-0.01%) 0.20%
handshake_no_resume_ring_1.3_ecdsap256_aes_client 3920993 3921266 273 (0.01%) 0.32%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_aes_server 1916576 1916709 133 (0.01%) 0.20%
handshake_session_id_ring_1.3_ecdsap256_aes_client 41959177 41962088 2911 (0.01%) 0.20%
handshake_session_id_ring_1.3_ecdsap384_chacha_client 41878890 41876132 -2758 (-0.01%) 0.20%
transfer_no_resume_aws_lc_rs_1.2_rsa_aes_server 46385351 46382538 -2813 (-0.01%) 0.42%
handshake_session_id_ring_1.3_ecdsap384_aes_client 41958884 41956366 -2518 (-0.01%) 0.20%
handshake_no_resume_aws_lc_rs_1.2_rsa_aes_server 13401481 13402273 792 (0.01%) 1.06%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_aes_client 3380902 3380703 -199 (-0.01%) 0.21%
handshake_session_id_ring_1.3_rsa_aes_server 43462249 43459808 -2441 (-0.01%) 0.20%
handshake_session_id_ring_1.3_rsa_aes_client 41976619 41974280 -2339 (-0.01%) 0.20%
handshake_tickets_ring_1.3_rsa_aes_client 42425605 42423287 -2318 (-0.01%) 0.20%
handshake_tickets_ring_1.3_ecdsap384_chacha_client 42341963 42339656 -2307 (-0.01%) 0.20%
handshake_session_id_aws_lc_rs_1.3_rsa_chacha_client 30735610 30734078 -1532 (-0.00%) 0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_chacha_client 30716137 30714699 -1438 (-0.00%) 0.20%
handshake_tickets_ring_1.3_rsa_chacha_client 42359821 42357960 -1861 (-0.00%) 0.20%
handshake_session_id_ring_1.3_ecdsap256_aes_server 43460893 43462795 1902 (0.00%) 0.20%
handshake_tickets_ring_1.3_ecdsap256_chacha_server 43957577 43959393 1816 (0.00%) 0.20%
handshake_session_id_aws_lc_rs_1.3_rsa_aes_client 30760977 30759742 -1235 (-0.00%) 0.20%
transfer_no_resume_ring_1.3_ecdsap256_aes_client 58328875 58331159 2284 (0.00%) 0.20%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_aes_server 4390346 4390179 -167 (-0.00%) 0.20%
handshake_no_resume_aws_lc_rs_1.2_rsa_aes_client 2017035 2017106 71 (0.00%) 0.20%
handshake_session_id_ring_1.3_rsa_chacha_client 41895172 41893867 -1305 (-0.00%) 0.20%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_chacha_server 4393736 4393605 -131 (-0.00%) 0.20%
handshake_no_resume_ring_1.3_rsa_aes_client 2951614 2951535 -79 (-0.00%) 0.20%
handshake_no_resume_ring_1.2_rsa_aes_server 11991864 11992168 304 (0.00%) 0.20%
handshake_tickets_ring_1.3_ecdsap384_aes_client 42407243 42406174 -1069 (-0.00%) 0.20%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_chacha_client 3385495 3385571 76 (0.00%) 0.21%
handshake_no_resume_ring_1.3_rsa_aes_server 12179890 12180136 246 (0.00%) 0.20%
handshake_tickets_ring_1.2_rsa_aes_client 4557377 4557465 88 (0.00%) 0.20%
handshake_tickets_ring_1.3_rsa_aes_server 44034420 44035178 758 (0.00%) 0.20%
handshake_no_resume_ring_1.3_ecdsap384_chacha_server 13744375 13744595 220 (0.00%) 0.20%
handshake_tickets_ring_1.3_ecdsap384_aes_server 44039210 44038650 -560 (-0.00%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_aes_client 58245048 58245756 708 (0.00%) 0.20%
transfer_no_resume_ring_1.3_ecdsap256_aes_server 46451480 46450961 -519 (-0.00%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_aes_server 46428603 46429018 415 (0.00%) 0.20%
transfer_no_resume_ring_1.3_rsa_aes_client 58331775 58332262 487 (0.00%) 0.20%
handshake_session_id_ring_1.3_ecdsap256_chacha_server 43368558 43368243 -315 (-0.00%) 0.20%
handshake_no_resume_aws_lc_rs_1.3_rsa_aes_client 2228144 2228158 14 (0.00%) 0.20%
handshake_no_resume_ring_1.3_ecdsap384_aes_server 13742223 13742308 85 (0.00%) 0.20%
handshake_no_resume_ring_1.3_rsa_chacha_server 12185949 12186023 74 (0.00%) 0.20%
handshake_no_resume_ring_1.3_ecdsap384_chacha_client 35475928 35476108 180 (0.00%) 0.20%
transfer_no_resume_ring_1.2_rsa_aes_server 46368383 46368149 -234 (-0.00%) 0.20%
handshake_tickets_ring_1.3_ecdsap384_chacha_server 43958406 43958621 215 (0.00%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_rsa_chacha_client 92705236 92705678 442 (0.00%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_rsa_aes_client 58247615 58247852 237 (0.00%) 0.20%
transfer_no_resume_ring_1.2_rsa_aes_client 58209241 58209005 -236 (-0.00%) 0.20%
transfer_no_resume_ring_1.3_rsa_aes_server 46462562 46462734 172 (0.00%) 0.20%
transfer_no_resume_ring_1.3_rsa_chacha_client 92664819 92664491 -328 (-0.00%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_aes_server 46427255 46427419 164 (0.00%) 0.20%
transfer_no_resume_ring_1.3_ecdsap384_chacha_client 92660243 92660563 320 (0.00%) 0.20%
transfer_no_resume_ring_1.3_ecdsap384_aes_server 46454370 46454509 139 (0.00%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_chacha_server 80607740 80607980 240 (0.00%) 0.20%
handshake_tickets_ring_1.3_rsa_chacha_server 43955565 43955455 -110 (-0.00%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_chacha_client 92702961 92703177 216 (0.00%) 0.20%
handshake_no_resume_ring_1.3_ecdsap384_aes_client 35473816 35473896 80 (0.00%) 0.20%
transfer_no_resume_ring_1.3_ecdsap384_chacha_server 80507708 80507549 -159 (-0.00%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_chacha_server 80606341 80606493 152 (0.00%) 0.20%
transfer_no_resume_ring_1.3_rsa_chacha_server 80515953 80515805 -148 (-0.00%) 0.20%
transfer_no_resume_ring_1.3_ecdsap256_chacha_server 80508911 80508789 -122 (-0.00%) 0.20%
transfer_no_resume_ring_1.3_ecdsap384_aes_client 58328193 58328264 71 (0.00%) 0.20%
transfer_no_resume_aws_lc_rs_1.2_rsa_aes_client 68666088 68666064 -24 (-0.00%) 0.20%

Wall-time

Significant differences

⚠️ There are significant wall-time differences

Scenario Baseline Candidate Diff Threshold
handshake_no_resume_ring_1.3_rsa_chacha 0.99 ms 1.01 ms ⚠️ 0.02 ms (1.52%) 1.00%
handshake_no_resume_ring_1.3_rsa_aes 0.99 ms 1.01 ms ⚠️ 0.01 ms (1.34%) 1.12%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_aes 5.47 ms 5.53 ms ⚠️ 0.06 ms (1.17%) 1.13%

Other differences

Scenario Baseline Candidate Diff Threshold
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_aes 4.47 ms 4.57 ms 0.10 ms (2.13%) 5.18%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_aes 5.20 ms 5.29 ms 0.08 ms (1.60%) 3.84%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_chacha 481.27 µs 488.04 µs 6.77 µs (1.41%) 2.64%
handshake_tickets_aws_lc_rs_1.2_rsa_aes 2.28 ms 2.31 ms 0.03 ms (1.37%) 2.12%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_aes 482.05 µs 488.56 µs 6.51 µs (1.35%) 2.61%
transfer_no_resume_ring_1.3_rsa_aes 6.80 ms 6.89 ms 0.09 ms (1.34%) 2.77%
transfer_no_resume_ring_1.3_ecdsap256_aes 6.32 ms 6.40 ms 0.08 ms (1.30%) 3.04%
transfer_no_resume_aws_lc_rs_1.3_rsa_aes 5.45 ms 5.52 ms 0.07 ms (1.28%) 3.58%
handshake_no_resume_ring_1.3_ecdsap256_aes 507.87 µs 514.20 µs 6.33 µs (1.25%) 1.66%
transfer_no_resume_ring_1.2_rsa_aes 6.71 ms 6.80 ms 0.08 ms (1.23%) 2.55%
handshake_no_resume_ring_1.3_ecdsap256_chacha 505.36 µs 511.30 µs 5.95 µs (1.18%) 1.62%
transfer_no_resume_aws_lc_rs_1.2_rsa_aes 5.45 ms 5.51 ms 0.06 ms (1.15%) 2.96%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_chacha 5.47 ms 5.54 ms 0.06 ms (1.15%) 1.54%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_aes 6.19 ms 6.25 ms 0.05 ms (0.88%) 1.25%
transfer_no_resume_ring_1.3_ecdsap384_aes 9.41 ms 9.49 ms 0.08 ms (0.87%) 2.08%
handshake_session_id_ring_1.3_rsa_chacha 7.21 ms 7.27 ms 0.06 ms (0.83%) 1.00%
handshake_no_resume_aws_lc_rs_1.2_rsa_aes 1.39 ms 1.38 ms -0.01 ms (-0.82%) 3.74%
handshake_session_id_ring_1.3_rsa_aes 7.26 ms 7.32 ms 0.06 ms (0.82%) 1.00%
handshake_session_id_ring_1.3_ecdsap256_chacha 6.73 ms 6.78 ms 0.05 ms (0.80%) 1.14%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_chacha 12.94 ms 13.04 ms 0.10 ms (0.78%) 1.59%
handshake_tickets_aws_lc_rs_1.3_rsa_chacha 6.45 ms 6.50 ms 0.05 ms (0.75%) 1.00%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_chacha 6.20 ms 6.25 ms 0.05 ms (0.75%) 1.12%
handshake_tickets_ring_1.3_rsa_chacha 7.26 ms 7.31 ms 0.05 ms (0.73%) 1.23%
handshake_tickets_aws_lc_rs_1.3_rsa_aes 6.45 ms 6.49 ms 0.05 ms (0.72%) 1.18%
handshake_tickets_ring_1.3_ecdsap256_chacha 6.77 ms 6.82 ms 0.05 ms (0.70%) 1.58%
handshake_no_resume_aws_lc_rs_1.3_rsa_aes 1.44 ms 1.43 ms -0.01 ms (-0.68%) 3.08%
transfer_no_resume_ring_1.3_rsa_chacha 13.44 ms 13.53 ms 0.09 ms (0.68%) 1.34%
handshake_no_resume_aws_lc_rs_1.3_rsa_chacha 1.43 ms 1.42 ms -0.01 ms (-0.67%) 3.82%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_chacha 13.67 ms 13.75 ms 0.09 ms (0.64%) 1.36%
handshake_session_id_ring_1.3_ecdsap256_aes 6.78 ms 6.82 ms 0.04 ms (0.62%) 1.00%
transfer_no_resume_ring_1.3_ecdsap256_chacha 12.96 ms 13.04 ms 0.08 ms (0.61%) 1.41%
handshake_session_id_ring_1.3_ecdsap384_chacha 9.81 ms 9.87 ms 0.06 ms (0.58%) 1.00%
handshake_tickets_ring_1.3_rsa_aes 7.32 ms 7.36 ms 0.04 ms (0.57%) 1.16%
handshake_tickets_ring_1.3_ecdsap256_aes 6.83 ms 6.87 ms 0.04 ms (0.55%) 1.39%
transfer_no_resume_aws_lc_rs_1.3_rsa_chacha 13.91 ms 13.98 ms 0.07 ms (0.51%) 1.46%
transfer_no_resume_ring_1.3_ecdsap384_chacha 16.06 ms 16.13 ms 0.08 ms (0.48%) 1.21%
handshake_tickets_ring_1.3_ecdsap384_chacha 9.86 ms 9.90 ms 0.04 ms (0.45%) 1.03%
handshake_session_id_ring_1.3_ecdsap384_aes 9.86 ms 9.90 ms 0.04 ms (0.44%) 1.00%
handshake_no_resume_ring_1.2_rsa_aes 981.00 µs 984.72 µs 3.71 µs (0.38%) 1.22%
handshake_tickets_ring_1.3_ecdsap384_aes 9.92 ms 9.95 ms 0.03 ms (0.29%) 1.00%
handshake_session_id_aws_lc_rs_1.3_rsa_chacha 6.39 ms 6.37 ms -0.02 ms (-0.27%) 1.00%
handshake_tickets_ring_1.2_rsa_aes 1.67 ms 1.68 ms 0.00 ms (0.23%) 2.52%
handshake_session_id_aws_lc_rs_1.2_rsa_aes 2.11 ms 2.11 ms -0.00 ms (-0.20%) 1.96%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_chacha 6.13 ms 6.12 ms -0.01 ms (-0.15%) 1.04%
handshake_no_resume_ring_1.3_ecdsap384_aes 3.60 ms 3.61 ms 0.01 ms (0.14%) 1.00%
handshake_session_id_aws_lc_rs_1.3_rsa_aes 6.40 ms 6.39 ms -0.01 ms (-0.13%) 1.00%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_aes 5.42 ms 5.42 ms 0.01 ms (0.12%) 1.49%
handshake_session_id_ring_1.2_rsa_aes 1.59 ms 1.58 ms -0.00 ms (-0.11%) 1.29%
handshake_no_resume_ring_1.3_ecdsap384_chacha 3.60 ms 3.60 ms 0.00 ms (0.11%) 1.00%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_chacha 5.41 ms 5.41 ms 0.00 ms (0.09%) 1.38%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_aes 1.20 ms 1.20 ms 0.00 ms (0.08%) 1.30%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_chacha 1.20 ms 1.20 ms -0.00 ms (-0.05%) 1.16%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_aes 6.14 ms 6.14 ms -0.00 ms (-0.02%) 1.49%


@cpu cpu force-pushed the cpu-aws-rfc5077-ticketer branch from 19b1c2a to b0413af Compare August 6, 2024 15:45
@cpu
Member Author
cpu commented Aug 6, 2024

> ⚠️ There are significant instruction count differences

There's an instruction count increase for the handshake_tickets_* tests for aws-lc-rs with this ticketer, but the wall-time benchmarks show no significant difference. I usually think of the latter as more reliable than the former (and bringing in two new algorithms does seem like it would explain the instruction diff relative to the CHACHA impl). Does that track with your thinking here @ctz?

@ctz
Member
ctz commented Aug 6, 2024

Yes, I think the walltime ones are generally more representative. But I'm not surprised that this is a little slower -- quite a lot of area is dedicated now to making AES-GCM go fast.

Member
@djc djc left a comment


LGTM!

There are a number of little things that the new implementation cleans up that we could perhaps backport to the ring ticketer, like treating the Ticketer name in doc comment like code, adding an empty line between methods, and moving the initialization of the Ticketer type into a new() method. Might be nice to include those in the ring Ticketer before it gets copied? On the other hand, might not be very high value.

cpu added 4 commits August 7, 2024 10:06
The `try_split_at` helper in the `*ring*`-like ticketer module will soon
be useful for an `aws-lc-rs` specific ticketer impl.

This commit lifts the helper up out of the `crypto/ring` mod and into
a new `polyfill` where it can be shared by both `crypto/ring` and
`crypto/aws-lc-rs` without any fuss. If needed we can add other
polyfills here in the future.

Much of the `aws-lc-rs` API surface returns an
`aws_lc_rs::error::Unspecified` instance that we want to map to an
`Error::Other(OtherError)`, taking care to handle the std vs no-std
differences in that type.

The `unspecified_err()` helper fn from `crypto/aws_lc_rs/hpke.rs` can do
this job for us. Let's lift it from `crypto/aws_lc_rs/hpke` to
`crypto/aws_lc_rs` so other modules (notably the ticketer) can benefit
from it.

Updates the rustdoc to use backticks for code references, and to fix
the comment on the no-std constructor to match the std constructor w.r.t
what the encryption mechanism is.

cpu added 4 commits August 7, 2024 10:49
This lets `make_ticket_generator` focus on boxing the constructed
`AeadTicketer` to adapt to the interface required by the
`TicketSwitcher`'s generator.

Previously the `aws_lc_rs` crypto module shared its `Ticketer`
implementation with `ring` using the "ring-like" mechanism we use for
other shared implementations.

In preparation for the `aws-lc-rs` version to be rewritten to follow the
RFC 5077 recommended construction this commit splits the shared module,
copying the existing code under the `aws-lc-rs` module. We can remove
the `duplicate_mod` clippy allow from the `ring` module's copy since it
is no longer being `path` included into two places.

Previously the `aws_lc_rs` crypto module shared its `Ticketer`
implementation with `ring` using the "ring-like" mechanism we use for
other shared implementations. This commit replaces it with an RFC 5077
based design that we believe addresses some theoretical concerns with
the design of the ring specific `Ticketer` using APIs only available
with `aws-lc-rs`.

For background, the ring ticketer is designed around an AEAD using
random nonces. We must use an AEAD with `*ring*` because it doesn't
expose an unauthenticated cipher like AES-256 CBC we could use for the
RFC 5077 design. We must use random nonces with this design to avoid
privacy leaks. The combination of these two constraints results in
a design that has a more limited security margin (due to the size of the
nonces and the implications of re-use).

This commit adds an `aws-lc-rs` Ticketer implementation that is a direct
translation of the RFC 5077 "Recommended Ticket Construction"[0]. It
uses AES-256 CBC for encryption and HMAC-SHA-256 for message
authentication.

The unit tests from the existing `*ring*` ticketer are duplicated here
to test the new RFC 5077 implementation. It may be possible to share
these tests between the two, but a straight-forward duplication felt
better in this instance given how simple the tests are.

[0]: https://www.rfc-editor.org/rfc/rfc5077#section-4

Previously `TICKETER_AEAD` was a `crypto/ring/mod.rs` level constant so
that the `aws-lc-rs` based impl could choose a different (FIPS
compatible) AEAD by providing a different `TICKETER_AEAD` constant in
its module.

Now that the `aws-lc-rs` impl is using a different ticketer
implementation we can lift this constant out of the `ring` module and
into the `ring/ticketer` module and update the docs to make it clearer
that CHACHA20-POLY1305 is used whenever the `*ring*` ticketer is used.

@cpu cpu force-pushed the cpu-aws-rfc5077-ticketer branch from b0413af to 833e85a Compare August 7, 2024 14:54
@cpu
Member Author
cpu commented Aug 7, 2024

> There are a number of little things that the new implementation cleans up that we could perhaps backport to the ring ticketer, like treating the Ticketer name in doc comment like code, adding an empty line between methods, and moving the initialization of the Ticketer type into a new() method. Might be nice to include those in the ring Ticketer before it gets copied

Good call-out. It feels nice to port some of those improvements backwards to the original impl. I went ahead and did that before the copy over into aws-lc-rs.

@cpu cpu enabled auto-merge August 7, 2024 14:57
@cpu cpu added this pull request to the merge queue Aug 7, 2024
Merged via the queue into rustls:main with commit 6f0f611 Aug 7, 2024
24 checks passed
@cpu cpu deleted the cpu-aws-rfc5077-ticketer branch August 7, 2024 15:12
Successfully merging this pull request may close these issues.

aws-lc-rs ticketer can & should use RFC5077 "recommended ticket construction"