Do not retain master secret during terminal key schedule state #2540
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Benchmark resultsInstruction countsSignificant differencesClick to expand
Other differencesClick to expand
Wall-timeSignificant differencesThere are no significant wall-time differences Other differencesClick to expand
Additional informationCheckout details:
|
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2540 +/- ##
==========================================
+ Coverage 95.31% 95.32% +0.01%
==========================================
Files 97 97
Lines 21565 21614 +49
==========================================
+ Hits 20555 20604 +49
Misses 1010 1010 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
djc
approved these changes
Jul 3, 2025
There was a problem hiding this comment.
Makes me wonder (again): should we have a separate types for an in-handshake connection, vs the long-term traffic connection, or would that affect the ergonomics too much? Maybe there should be an inner TrafficConnection type that you can turn a ClientConnection or ServerConnection into that has minimal state?
`KeyScheduleBeforeFinished` encapsulates the first tranche of final derivations that do not include the client's finished message in the transcript. `KeyScheduleTraffic` contains all such final derivations, which means the client does not need to hang on to the transcript or rederive the resumption secret.
For servers, we can be sure we don't require this once we have sent all tickets. That means we can erase `KeyScheduleResumption` once that happens. For clients there's no ability to know a server has sent all possible tickets, so we have to keep this hanging around.
db404af to
12a4188
Compare
djc
approved these changes
Jul 7, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is a step toward #945, but for now arranges that the TLS1.3 "master secret" is erased in the terminal state. Doing that means that secrets derived from that are impossible to rederive later.
Unconditionally deriving the resumption secret has some performance consequences: