Add Oblivious DNS over HTTPS (ODoH) implementation according to RFC 9230 #41
Conversation
Sources/ObliviousX/Errors.swift (outdated)
// SPDX-License-Identifier: Apache-2.0
//
//===----------------------------------------------------------------------===//
import Foundation
This import seems unnecessary.
Sources/ObliviousX/ODoHRoutine.swift (outdated)
///
/// // 6. Send encrypted response back through proxy to client...
/// ```
public struct ODoH: Sendable {
I'm inclined to say we should move this to a separate target and product. That way for users who aren't doing ODoH, they don't need to pay the code size cost.
Sources/ObliviousX/ODoHRoutine.swift (outdated)
public struct Routine {
public private(set) var ct: HPKE.Ciphersuite
public private(set) var pkR: any HPKEDiffieHellmanPublicKey
public private(set) var keyID: Data
If the first two variables are going to be public, they need to have better variable names.
Sources/ObliviousX/ODoHRoutine.swift (outdated)
///
/// - Parameter version: The version to search for
/// - Returns: The first matching configuration, or `nil` if no configuration with that version exists
public func first(version: UInt16) -> ODoH.Configuration? {
This should be an Int in public API.
Sources/ObliviousX/ODoHRoutine.swift (outdated)
internal func encode() -> Data {
var data = Data()
let contentsData = self.contents.encode()
data.append(bigEndianBytes: self.version) // 2 bytes: version
Recommend we do a reserveCapacity on data once we have the length of contentsData.
///
/// - Returns: The encoded configuration contents ready for network transmission
internal func encode() -> Data {
var data = Data()
Same note here on reserveCapacity.
///
/// - Returns: The encoded message ready for encryption
internal func encode() -> Data {
var data = Data()
Same note here on reserveCapacity.
///
/// - Returns: The encoded message ready for network transmission
public func encode() -> Data {
var data = Data()
Same note here about reserveCapacity.
Co-authored-by: Cory Benfield <[email protected]>
Closing to split up the PR
Motivation:
This change implements support for Oblivious DNS over HTTPS (ODoH) as specified in RFC 9230. ODoH provides privacy-preserving DNS resolution by separating client identity from DNS query content through cryptographic encryption and proxy routing.
Modifications:
- `ObliviousXError` with new error cases for ODoH-specific validation failures
- `ODoHRoutine.swift` with complete RFC 9230 implementation including HPKE-based encryption/decryption, configuration parsing, and message serialization
Result:
After this change, `ObliviousX` will support the complete ODoH protocol, enabling privacy-preserving DNS operations.
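As an added example, not the ObliviousX code under review, here is the RFC 9230 Section 4.1 ObliviousDoHConfig wire format that the PR's configuration parsing and serialization cover, written in Swift: `encode()` reserves its buffer once, as the review asks, and `decode()` rejects an unknown version, truncated input, or a length field that does not match. Type and field names (`ODoHConfig`, `ODoHConfigContents`, `appendBigEndian`) are my own, and the sample key bytes are constructed.

```swift
import Foundation
struct ODoHConfigContents: Equatable {
    var kemID: UInt16, kdfID: UInt16, aeadID: UInt16
    var publicKey: Data  // opaque public_key<1..2^16-1>
    func encode() -> Data {
        precondition((1...0xFFFF).contains(publicKey.count), "public_key length out of range")
        var data = Data(); data.reserveCapacity(8 + publicKey.count)  // three uint16 ids + uint16 length + key
        for field in [kemID, kdfID, aeadID, UInt16(publicKey.count)] { data.appendBigEndian(field) }
        data.append(publicKey)
        return data
    }
}
struct ODoHConfig: Equatable {
    var version: UInt16 = 0x0001  // the only version RFC 9230 defines
    var contents: ODoHConfigContents
    func encode() -> Data {
        let body = contents.encode()
        var data = Data(); data.reserveCapacity(4 + body.count)  // sized once: version + length + contents
        data.appendBigEndian(version); data.appendBigEndian(UInt16(body.count)); data.append(body)
        return data
    }
    // Parses one config; nil on an unknown version, truncation, or a length field that does not match.
    static func decode(_ data: Data) -> ODoHConfig? {
        var r = data.startIndex
        func u16() -> UInt16? {  // bounds-checked big-endian read
            guard data.distance(from: r, to: data.endIndex) >= 2 else { return nil }
            defer { r += 2 }
            return UInt16(data[r]) << 8 | UInt16(data[r + 1])
        }
        guard let version = u16(), version == 0x0001, let length = u16(),
              data.distance(from: r, to: data.endIndex) == Int(length),
              let kem = u16(), let kdf = u16(), let aead = u16(), let keyLen = u16(),
              keyLen >= 1, data.distance(from: r, to: data.endIndex) == Int(keyLen)
        else { return nil }
        let key = Data(data[r..<r + Int(keyLen)])
        return ODoHConfig(version: version,
                          contents: ODoHConfigContents(kemID: kem, kdfID: kdf, aeadID: aead, publicKey: key))
    }
}
extension Data {
    mutating func appendBigEndian(_ value: UInt16) {
        append(UInt8(truncatingIfNeeded: value >> 8)); append(UInt8(truncatingIfNeeded: value))
    }
}
// Constructed sample: X25519 KEM (0x0020), HKDF-SHA256 (0x0001), AES-128-GCM (0x0001), placeholder key bytes.
let sample = ODoHConfig(contents: .init(kemID: 0x0020, kdfID: 0x0001, aeadID: 0x0001,
                                        publicKey: Data(repeating: 0xAB, count: 32)))
let wire = sample.encode()
assert(ODoHConfig.decode(wire) == sample)          // round trip
assert(ODoHConfig.decode(wire.dropLast()) == nil)  // truncated input is rejected
```

The length checks use `==` rather than `>=` so a config followed by trailing bytes is also rejected; a decoder for the outer `ObliviousDoHConfigs` vector would read the 2-byte total length first and hand each config's exact slice to `decode`.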