Skip to content

Commit

Permalink
tests: support multiple HTTPS RRs for ECH configs
Browse files Browse the repository at this point in the history
Similar to a change in the upstream Rustls ech-client.rs demo we want to
be able to process _multiple_ HTTPS records for a given domain, and look
at each ECH config list from each record for a potential compatible
config.

Mechanically this means:

1. Updating the `test/ech_fetch.rs` helper to support writing multiple
   `.bin` files when there are multiple HTTPS records w/ ECH configs.
   The tool now outputs to stdout a comma separated list of the files it
   writes to make it easier to use with the `client.c` example.

2. Updating the `tests/client.c` example to treat the
   `RUSTLS_ECH_CONFIG_LIST` env var as a comma separated list of ECH
   config lists. We now loop through each and only fail if all of the
   provided files are unable to be used to configure the client config
   with a compatible ECH config.

Doing string manipulation with C remains "a delight". For Windows compat
we achieve tokenizing the string by the comma delim with a define to
call either `strtok_r` with GCC/clang, or `strtok_s` with MSCV.

You can test this update with:

```
ECH_CONFIG_LISTS=$(cargo test --test ech_fetch -- curves1-ng.test.defo.ie /tmp/curves1-ng.test.defo.ie)
RUSTLS_PLATFORM_VERIFIER=1 RUSTLS_ECH_CONFIG_LIST="$ECH_CONFIG_LISTS" ./cmake-build-debug/tests/client curves1-ng.test.defo.ie 443 /echstat.php?format=json
```

If you're unlucky and the first HTTPS record served is the one with
invalid configs you should see output like the following showing the
client skipping over the `.1` config list and using the `.2` one
instead:

```
client[188911]: no compatible/valid ECH configs found in '/tmp/curves1-ng.test.defo.ie.1'
client[188911]: using ECH with config list from '/tmp/curves1-ng.test.defo.ie.2'
```
  • Loading branch information
cpu committed Dec 14, 2024
1 parent 3e3b2aa commit 380e3eb
Showing 3 changed files with 126 additions and 42 deletions.
93 changes: 69 additions & 24 deletions tests/client.c
Original file line number Diff line number Diff line change
@@ -474,7 +474,9 @@ main(int argc, const char **argv)
config_builder = rustls_client_config_builder_new();
}

if(getenv("RUSTLS_ECH_GREASE")) {
const char *rustls_ech_grease = getenv("RUSTLS_ECH_GREASE");
const char *rustls_ech_config_list = getenv("RUSTLS_ECH_CONFIG_LIST");
if(rustls_ech_grease) {
const rustls_hpke *hpke = rustls_supported_hpke();
if(hpke == NULL) {
fprintf(stderr, "client: no HPKE suites for ECH available\n");
@@ -489,39 +491,82 @@ main(int argc, const char **argv)
}
fprintf(stderr, "configured for ECH GREASE\n");
}
else if(getenv("RUSTLS_ECH_CONFIG_LIST")) {
else if(rustls_ech_config_list) {
const rustls_hpke *hpke = rustls_supported_hpke();
if(hpke == NULL) {
fprintf(stderr, "client: no HPKE suites for ECH available\n");
goto cleanup;
}

char ech_config_list_buf[10000];
size_t ech_config_list_len;

unsigned int read_result = read_file(getenv("RUSTLS_ECH_CONFIG_LIST"),
ech_config_list_buf,
sizeof(ech_config_list_buf),
&ech_config_list_len);
if(read_result != DEMO_OK) {
fprintf(stderr,
"client: failed to read ECH config list file: '%s'\n",
getenv("RUSTLS_ECH_CONFIG_LIST"));
// Duplicate the ENV var value - calling STRTOK_R will modify the string
// to add null terminators between tokens.
char *ech_config_list_copy = strdup(rustls_ech_config_list);
if(!ech_config_list_copy) {
LOG_SIMPLE("failed to allocate memory for ECH config list");
goto cleanup;
}
result =
rustls_client_config_builder_enable_ech(config_builder,
(uint8_t *)ech_config_list_buf,
ech_config_list_len,
hpke);
if(result != RUSTLS_RESULT_OK) {
fprintf(stderr, "client: failed to configure ECH");
goto cleanup;

bool ech_configured = false;
// Tokenize the ech_config_list_copy by comma. The first invocation takes
// ech_config_list_copy. This is reentrant by virtue of saving state to
// saveptr. Only the _first_ invocation is given the original string.
// Subsequent calls should pass NULL and the same delim/saveptr.
const char *delim = ",";
char *saveptr = NULL;
char *ech_config_list_path =
STRTOK_R(ech_config_list_copy, delim, &saveptr);

while(ech_config_list_path) {
// Skip leading spaces
while(*ech_config_list_path == ' ') {
ech_config_list_path++;
}

// Try to read the token as a file path to an ECH config list.
char ech_config_list_buf[10000];
size_t ech_config_list_len;
const enum demo_result read_result =
read_file(ech_config_list_path,
ech_config_list_buf,
sizeof(ech_config_list_buf),
&ech_config_list_len);

// If we can't read the file, warn and continue
if(read_result != DEMO_OK) {
// Continue to the next token.
LOG("unable to read ECH config list from '%s'", ech_config_list_path);
ech_config_list_path = STRTOK_R(NULL, delim, &saveptr);
continue;
}

// Try to enable ECH with the config list. This may error if none
// of the ECH configs are valid/compatible.
result =
rustls_client_config_builder_enable_ech(config_builder,
(uint8_t *)ech_config_list_buf,
ech_config_list_len,
hpke);

// If we successfully configured ECH with the config list then break.
if(result == RUSTLS_RESULT_OK) {
LOG("using ECH with config list from '%s'", ech_config_list_path);
ech_configured = true;
break;
}

// Otherwise continue to the next token.
LOG("no compatible/valid ECH configs found in '%s'",
ech_config_list_path);
ech_config_list_path = STRTOK_R(NULL, delim, &saveptr);
}

fprintf(stderr,
"client: using ECH with config list from '%s'\n",
getenv("RUSTLS_ECH_CONFIG_LIST"));
// Free the copy of the env var we made.
free(ech_config_list_copy);

if(!ech_configured) {
LOG_SIMPLE("failed to configure ECH with any provided config files");
goto cleanup;
}
}

if(getenv("RUSTLS_PLATFORM_VERIFIER")) {
6 changes: 6 additions & 0 deletions tests/common.h
Original file line number Diff line number Diff line change
@@ -23,6 +23,12 @@ const char *ws_strerror(int err);
#endif /* !STDOUT_FILENO */
#endif /* _WIN32 */

#if defined(_MSC_VER)
#define STRTOK_R strtok_s
#else
#define STRTOK_R strtok_r
#endif

enum demo_result
{
DEMO_OK,
69 changes: 51 additions & 18 deletions tests/ech_fetch.rs
Original file line number Diff line number Diff line change
@@ -11,7 +11,7 @@ use std::io::Write;
use hickory_resolver::config::{ResolverConfig, ResolverOpts};
use hickory_resolver::proto::rr::rdata::svcb::{SvcParamKey, SvcParamValue};
use hickory_resolver::proto::rr::{RData, RecordType};
use hickory_resolver::{Resolver, TokioResolver};
use hickory_resolver::{ResolveError, Resolver, TokioResolver};

use rustls::pki_types::EchConfigListBytes;

@@ -24,27 +24,60 @@ async fn main() -> Result<(), Box<dyn Error>> {
.unwrap_or(format!("testdata/{}.ech.configs.bin", domain));

let resolver = Resolver::tokio(ResolverConfig::google_https(), ResolverOpts::default());
let tls_encoded_list = lookup_ech(&resolver, &domain).await;

let mut encoded_list_file = File::create(output_path)?;
encoded_list_file.write_all(&tls_encoded_list)?;
let all_lists = lookup_ech_configs(&resolver, &domain).await?;

// If there was only one HTTPS record with an ech config, write it to the output file.
if all_lists.len() == 1 {
let mut encoded_list_file = File::create(&output_path)?;
encoded_list_file.write_all(&all_lists.first().unwrap())?;
println!("{output_path}");
} else {
// Otherwise write each to its own file with a numeric suffix
for (i, ech_config_lists) in all_lists.iter().enumerate() {
let mut encoded_list_file = File::create(format!("{output_path}.{}", i + 1))?;
encoded_list_file.write_all(&ech_config_lists)?;
}
// And print a comma separated list of the file paths.
let paths = (1..=all_lists.len())
.map(|i| format!("{}.{}", output_path, i))
.collect::<Vec<_>>()
.join(",");
println!("{paths}")
}

Ok(())
}

async fn lookup_ech(resolver: &TokioResolver, domain: &str) -> EchConfigListBytes<'static> {
resolver
.lookup(domain, RecordType::HTTPS)
.await
.expect("failed to lookup HTTPS record type")
.record_iter()
.find_map(|r| match r.data() {
RData::HTTPS(svcb) => svcb.svc_params().iter().find_map(|sp| match sp {
(SvcParamKey::EchConfigList, SvcParamValue::EchConfigList(e)) => Some(e.clone().0),
_ => None,
}),
/// Collect up all `EchConfigListBytes` found in the HTTPS record(s) for a given domain name.
///
/// Assumes the port will be 443. For a more complete example see the Rustls' ech-client.rs
/// example's `lookup_ech_configs` function.
///
/// The domain name should be the **inner** name used for Encrypted Client Hello (ECH). The
/// lookup is done using DNS-over-HTTPS to protect that inner name from being disclosed in
/// plaintext ahead of the TLS handshake that negotiates ECH for the inner name.
///
/// Returns an empty vec if no HTTPS records with ECH configs are found.
async fn lookup_ech_configs(
resolver: &TokioResolver,
domain: &str,
) -> Result<Vec<EchConfigListBytes<'static>>, ResolveError> {
let lookup = resolver.lookup(domain, RecordType::HTTPS).await?;

let mut ech_config_lists = Vec::new();
for r in lookup.record_iter() {
let RData::HTTPS(svcb) = r.data() else {
continue;
};

ech_config_lists.extend(svcb.svc_params().iter().find_map(|sp| match sp {
(SvcParamKey::EchConfigList, SvcParamValue::EchConfigList(e)) => {
Some(EchConfigListBytes::from(e.clone().0))
}
_ => None,
})
.expect("missing expected HTTPS SvcParam EchConfig record")
.into()
}))
}

Ok(ech_config_lists)
}

0 comments on commit 380e3eb

Please sign in to comment.