dtls icon indicating copy to clipboard operation
dtls copied to clipboard
verified publisher icon pion

Add the key share extension

Open philipch07 opened this issue 3 months ago • 5 comments

Description

This adds the supported_versions extension feature in accordance with DTLS v1.3 which refers to TLS 1.3 section 4.2.8, 4.2.8.1, and 4.2.8.2.

Note about the ci failures: This currently uses a global variable to test that my current logic is valid, so it will break all the DTLS v1.2 tests. At the moment, this is blocked by #738 as it requires a proper config/switch. I'm not sure what the best way of setting the toggle would be in extensions.go, but hopefully my current approach makes some sense.

Reference issue

Closes #743.

philipch07 avatar Oct 12 '25 19:10 philipch07

Codecov Report

:x: Patch coverage is 91.01124% with 8 lines in your changes missing coverage. Please review. :white_check_mark: Project coverage is 81.22%. Comparing base (7b68bd9) to head (4cfd7cd). :warning: Report is 4 commits behind head on master.

Files with missing lines Patch % Lines
pkg/protocol/extension/key_share.go 93.10% 3 Missing and 3 partials :warning:
pkg/protocol/extension/extension.go 0.00% 2 Missing :warning:
Additional details and impacted files 
@@            Coverage Diff             @@
##           master     #749      +/-   ##
==========================================
+ Coverage   79.13%   81.22%   +2.09%     
==========================================
  Files         102      102              
  Lines        6917     5679    -1238     
==========================================
- Hits         5474     4613     -861     
+ Misses       1068      685     -383     
- Partials      375      381       +6
Flag Coverage Δ
go 81.22% <91.01%> (+2.06%) :arrow_up:
wasm ?

Flags with carried forward coverage won't be shown. Click here to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

:rocket: New features to boost your workflow:
  • :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

codecov[bot] avatar Oct 26 '25 23:10 codecov[bot]

Thanks for this draft! I have made some adjustments to your suggestion.

I have taken inspiration from the TLS 1.3 implementation in the standard library where they reuse TLS 1.2 types and extensions rather than renaming or creating new - this simplified the implementation a lot. Additionally, I think we should only stick to the groups supported by the standard library and the TLS 1.3 implementation.

Tests were a bit flaky with marshaling and unmarshaling in the same test. Therefore, I added tests with raw bytes captured from the NSS stack of Firefox with Wireshark (pro tip: you can copy bytes as a Go literal) and some handcrafted bytes.

theodorsm avatar Oct 27 '25 00:10 theodorsm

@philipch07 @theodorsm thank you <3 i'm going to read the spec and submit a review this week :+1:

JoTurk avatar Oct 27 '25 00:10 JoTurk

@philipch07 thanks for the feedback. Regarding naming, we could change it to something like supported_groups_and_elliptic_curves. I think the comment is enough, as it will be shown to a developer using this package in the generated documentation and by LSP servers.

theodorsm avatar Oct 27 '25 21:10 theodorsm

@theodorsm That sounds good to me, and thanks for the updates. I'm looking forward to @JoeTurki's review and then I think we should be good to go if you're feeling good about it! I'm really happy to see the progress so far :)

philipch07 avatar Oct 27 '25 22:10 philipch07