Encrypted client hello configuration messages and serialization #1568
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
@@ Coverage Diff @@
## main #1568 +/- ##
==========================================
- Coverage 96.41% 96.37% -0.04%
==========================================
Files 75 75
Lines 15507 15574 +67
==========================================
+ Hits 14951 15010 +59
- Misses 556 564 +8
... and 1 file with indirect coverage changes 📣 Codecov offers a browser extension for seamless coverage viewing on GitHub. Try it in Chrome or Firefox today! |
djc
approved these changes
Nov 6, 2023
This commit breaks out representation of Encrypted Client Hello (ECH) configuration from overall support for the feature. This code is relatively isolated and so can be added without much impact to the rest of the codebase. It does _not_ provide any actual ECH support. The code is almost entirely derived from earlier WIP branches adding ECH support, updated for the current Rustls codebase, and spot checked against the current most ECH draft at the time of writing (draft-17). HPKE references are also updated to use the published RFC (RFC 9180). Notable updates from the WIP version: * adapting to the `Codec` return type change. * adapting to the enum builder changes. * adapting to the server name changes. * adapting to `TlsListElement` trait. * adapting HPKE registry refs to use the RFC instead of an earlier draft. * adding `Hpke` prefix to enums to clarify their purpose. * adapting base64 usage to avoid deprecated fns. * reworking unit tests for de-duplication, adding another encoded test case, adding more asserts for decoded content. * fixing `clippy::use_self` finding. * Changing `default` fn on `HpkeSymmetricCipherSuite` to be an impl of `Default`. * Updating trust-dns-resolver code to use latest hickory-resolver. * Pulling out ECH config fetch + deserialize from ECH example program to a connect-tests unit test.
This commit adds a new `connect-tests/tests/ech.rs` module that performs a DNS over HTTPS lookup for HTTPS type records, finding `EchConfig`s and testing we can deserialize the raw form into the Rustls representation without error. Presently it tests against: * `crypto.cloudflare.com` * `defo.ie` * `tls-ech.dev` Since these are network based tests they need to live in `connect-tests` to avoid flakyness during normal CI runs. In previous WIP branches this was done as part of an overall end-to-end example of using ECH, but we can test this in isolation ahead of having full ECH support.
ctz
approved these changes
Nov 8, 2023
|
Just tagging for better tracking. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This branch breaks out representation of Encrypted Client Hello (ECH) configuration from overall support for the feature. This code is relatively isolated and so can be added without much impact to the rest of the codebase. It does not provide any actual ECH support but is a necessary prerequisite.
The code is almost entirely derived from earlier WIP branches adding ECH support (notably, #663), but updated for the current Rustls codebase, and spot checked against the latest ECH draft at the time of writing (draft-17). HPKE references are also updated to use the published RFC (RFC 9180).