Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
bogo: implement most client-side ECH tests
Getting bogo test coverage working for ECH requires taking a (temporary) dev-dep. on the provider-example crate so we can use the Rust Crypto HPKE provider. This in turn means that we now have two Rustls versions in tree, the src crate and the older version being used by the provider example by way of hickory-dns. This will fall away when proper HPKE support is implemented with one/both built-in crypto providers but in the meantime requires some small adjustments in CI and the runme script. In general the scope of a proper HPKE impl will be much less invasive than implementing ECH so we can use this hack for now and revisit shortly. The bogo shim also requires some updates to support new command line flags. Additionally in order to be able to assert some details in errors (e.g. that an ECH required err contained expected retry configs) we have to pipe the `Options` struct deeper into the client/server processing logic. To support ECH bogo testing w/ aws-lc-rs as the provider requires taking a patch on an unreleased aws-lc-rs fix that increases a `MAX_HKDF_INFO_LEN` constant beyond 80 bytes. In practice when computing ECH confirmation the info fed through the HKDF interface can be larger than 80 bytes and without this change the operation fails with an output length error. Beyond these changes, it's worth discussing the ignored tests. They're either not applicable, or need upstream bogo fixes: "TLS-ECH-Server*": We ignore all the TLS-ECH-Server tests. We haven't implemented server side ECH yet "TLS-ECH-Client-ExpectECHOuterExtensions" "TLS-ECH-Client-CompressSupportedVersions": These rely on extension compression between inner/outer hellos. NYI. "TLS-ECH-Client-SelectECHConfig" "TLS-ECH-Client-NoSupportedConfigs" These are meant to test unsupported configs are handled correctly: we happen to support the HPKE ciphersuites that make them "unsupported". There's a fix for this upstream we can take later. "TLS-ECH-Client-SkipInvalidPublicName*": Our name validation allows underscores in names. We also don't fallback to GREASE when there are no valid ECH configs. "TLS-ECH-Client-NoSupportedConfigs-GREASE": We don't fallback to GREASE for no ECH configs. "TLS-ECH-Client-Reject-ResumeInnerSession-TLS13": This test expects an unexpected extension error in the resumption connection, but this only happens if the outer hello didn't include GREASE PSK. BoringSSL's impl doesn't. Ours does. As a result we produce `:ECH_REJECTED:` instead of :UNEXPECTED_EXTENSION:` and have to ignore this test. "TLS-ECH-Client-TLS12-RejectRetryConfigs" "TLS-ECH-Client-Reject-NoClientCertificate-TLS12" "TLS-ECH-Client-Reject-TLS12" "TLS-ECH-Client-Reject-ResumeInnerSession-TLS12" "TLS-ECH-GREASE-Client-TLS12-RejectRetryConfigs" "TLS-ECH-Client-Reject-EarlyDataRejected-TLS12" "TLS-ECH-Client-Reject-NoClientCertificate-TLS12-Async" We never offer/support TLS 1.2 when using ECH. There's no fallback to plaintext or GREASE for a server that won't support TLS 1.3
- Loading branch information