authorDaniel McCarney <daniel@binaryparadox.net>2024-04-18 14:29:30 -0400
committerDaniel McCarney <daniel@binaryparadox.net>2024-06-12 13:23:21 +0000
commitdb3a9bd9922698b3d5346c9bb0ce705195ab2243 (patch)
tree128f7ab29fa9af952c17183ec58b50f9a85265d5 /connect-tests
parenta01d5adf36ffc79df88692883273ec73535c178c (diff)
connect-tests: fix DNS ECH config list tests
The SVCB/HTTPS record handling in hickory-dns 0.24 was stripping the TLS encoded list prefix from the `ECHConfigList` that is serialized into DNS records. This meant our previous `ech.rs` connect test was subtly wrong: it would only ever deserialize a single `EchConfigPayload` from what it found in DNS. This commit updates Rustls to: 1. Use the new `EchConfigListBytes` type from pki-types to represent what it gets from DNS. Soon we will have more API surface expecting this type. 2. Use a hickory-dns release with some upstream fixes that ensure we get the correct wire-encoding of the `ECHConfigList`. 3. Update the ech connect-test unit tests to assert that all of the ECH configs that may be found are the correct version.
Diffstat (limited to 'connect-tests')
-rw-r--r--connect-tests/tests/ech.rs29
1 files changed, 18 insertions, 11 deletions
diff --git a/connect-tests/tests/ech.rs b/connect-tests/tests/ech.rs
index d0d4464d..ce159979 100644
--- a/connect-tests/tests/ech.rs
+++ b/connect-tests/tests/ech.rs
@@ -6,35 +6,39 @@ mod ech_config {
use rustls::internal::msgs::codec::{Codec, Reader};
use rustls::internal::msgs::enums::EchVersion;
use rustls::internal::msgs::handshake::EchConfigPayload;
+ use rustls::pki_types::EchConfigListBytes;
#[test]
fn cloudflare() {
- test_deserialize_ech_config("crypto.cloudflare.com");
+ test_deserialize_ech_config_list("crypto.cloudflare.com");
}
#[test]
fn defo_ie() {
- test_deserialize_ech_config("defo.ie");
+ test_deserialize_ech_config_list("defo.ie");
}
#[test]
fn tls_ech_dev() {
- test_deserialize_ech_config("tls-ech.dev");
+ test_deserialize_ech_config_list("tls-ech.dev");
}
- /// Lookup the ECH config for a domain and deserialize it.
- fn test_deserialize_ech_config(domain: &str) {
+ /// Lookup the ECH config list for a domain and deserialize it.
+ fn test_deserialize_ech_config_list(domain: &str) {
let resolver =
Resolver::new(ResolverConfig::google_https(), ResolverOpts::default()).unwrap();
- let raw_value = lookup_ech(&resolver, domain);
- let parsed_config = EchConfigPayload::read(&mut Reader::init(&raw_value))
- .expect("failed to deserialize ECH config");
- assert_eq!(parsed_config.version, EchVersion::V14);
+ let tls_encoded_list = lookup_ech(&resolver, domain);
+ let parsed_configs = Vec::<EchConfigPayload>::read(&mut Reader::init(&tls_encoded_list))
+ .expect("failed to deserialize ECH config list");
+ assert!(!parsed_configs.is_empty());
+ assert!(parsed_configs
+ .iter()
+ .all(|config| config.version == EchVersion::V14));
}
/// Use `resolver` to make an HTTPS record type query for `domain`, returning the
/// first SvcParam EchConfig value found, panicing if none are returned.
- fn lookup_ech(resolver: &Resolver, domain: &str) -> Vec<u8> {
+ fn lookup_ech(resolver: &Resolver, domain: &str) -> EchConfigListBytes<'static> {
resolver
.lookup(domain, RecordType::HTTPS)
.expect("failed to lookup HTTPS record type")
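Review bot: The decode on the `Vec::<EchConfigPayload>::read(&mut Reader::init(&tls_encoded_list))` line throws the reader away, so any bytes trailing the TLS-encoded list would pass unnoticed even though this commit exists to pin the exact wire encoding that comes back from DNS. Bind the reader and assert it is exhausted after the read: `let mut reader = Reader::init(&tls_encoded_list);`, then `let parsed_configs = Vec::<EchConfigPayload>::read(&mut reader).expect("failed to deserialize ECH config list");` followed by `assert!(!reader.any_left(), "trailing bytes after ECH config list");` (this assumes the internal codec `Reader` exposes `any_left`, as rustls's does; use whatever remaining-length accessor it provides). The doc comment on `lookup_ech` at the end of this hunk still says `first SvcParam EchConfig value found, panicing if none are returned`, which is both stale after the rename to `EchConfigList` and misspelt; `first SvcParam EchConfigList value found, panicking if none are returned` would match the new code. `lookup_ech`'s body continues in the next hunk.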
@@ -44,11 +48,14 @@ mod ech_config {
.svc_params()
.iter()
.find_map(|sp| match sp {
- (SvcParamKey::EchConfig, SvcParamValue::EchConfig(e)) => Some(e.clone().0),
+ (SvcParamKey::EchConfigList, SvcParamValue::EchConfigList(e)) => {
+ Some(e.clone().0)
+ }
_ => None,
}),
_ => None,
})
.expect("missing expected HTTPS SvcParam EchConfig record")
+ .into()
}
}
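Review bot: The panic message on the `.expect("missing expected HTTPS SvcParam EchConfig record")` line still names the old `EchConfig` SvcParam, while the match arm above it now selects `SvcParamValue::EchConfigList`, so a failing lookup would point the reader at a parameter name the code no longer uses. Change it to `.expect("missing expected HTTPS SvcParam EchConfigList record")`. Separately, `Some(e.clone().0)` clones the whole wrapper only to move its inner `Vec<u8>` out; `Some(e.0.clone())` expresses the same thing without the intermediate copy, and the trailing `.into()` is where that `Vec<u8>` becomes `EchConfigListBytes<'static>`, which is worth a one-line comment since the conversion is not obvious from the chain. `lookup_ech`'s signature and doc comment are in the previous hunk.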