odoh-rs
odoh-rs is a library that implements the RFC 9230 Oblivious DNS over HTTPS (ODoH) protocol in Rust. It can be used to implement an ODoH client or server (target).

odoh-client-rs uses odoh-rs to implement its functionality, and is a good source of API usage examples, along with the tests in odoh-rs, in particular test_vectors_for_odoh.

This library is interoperable with odoh-go.
odoh-rs uses hpke as the underlying HPKE implementation. It supports the default Oblivious DoH ciphersuite (KEM: X25519HkdfSha256, KDF: HkdfSha256, AEAD: AesGcm128). It does not provide full crypto agility.
Example API Usage
This example outlines the steps necessary for a successful ODoH query.
```rust
// Imports the example needs: the library itself and the `rand` crate for
// StdRng / SeedableRng. Arguments and type names below were restored from
// the odoh-rs public API; check them against the crate version you use.
use odoh_rs::*;
use rand::{rngs::StdRng, SeedableRng};

// Use a seed to initialize a RNG. *Note* you should rely on some
// random source.
let mut rng = StdRng::from_seed([0; 32]);

// Generate a key pair on server side.
let key_pair = ObliviousDoHKeyPair::new(&mut rng);

// Create client configs from the key pair. It can be distributed
// to the clients.
let public_key = key_pair.public().clone();
let client_configs: ObliviousDoHConfigs = vec![ObliviousDoHConfig::from(public_key)].into();
let mut client_configs_bytes = compose(&client_configs).unwrap().freeze();

// ... distributing client_configs_bytes ...

// Parse and extract first supported config from client configs on client side.
let client_configs: ObliviousDoHConfigs = parse(&mut client_configs_bytes).unwrap();
let client_config = client_configs.into_iter().next().unwrap();
let config_contents: ObliviousDoHConfigContents = client_config.into();

// This is an example client request; the message bytes are a constructed
// placeholder, not a real DNS message. This library doesn't validate
// the DNS message.
let query = ObliviousDoHMessagePlaintext::new(&b"example DNS query bytes"[..], 0);

// Encrypt the above request. The client_secret returned will be
// used later to decrypt server's response.
let (query_enc, client_secret) = encrypt_query(&query, &config_contents, &mut rng).unwrap();

// ... sending query_enc to the server ...

// Server decrypts the request.
let (query_dec, server_secret) = decrypt_query(&query_enc, &key_pair).unwrap();
assert_eq!(query, query_dec);

// Server could now resolve the decrypted query, and compose a response.
let response = ObliviousDoHMessagePlaintext::new(&b"example DNS response bytes"[..], 0);

// Server encrypts the response.
let nonce = ResponseNonce::default();
let response_enc = encrypt_response(&query_dec, &response, server_secret, nonce).unwrap();

// ... sending response_enc back to the client ...

// Client decrypts the response.
let response_dec = decrypt_response(&query, &response_enc, client_secret).unwrap();
assert_eq!(response, response_dec);
```
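The compose/parse calls above serialize and deserialize the RFC 9230 wire structures (ObliviousDoHConfigs and ObliviousDoHMessage). As an added example that is not odoh-rs code, the following pure-std Rust codec shows what those bytes look like and how a target should parse untrusted input: every length prefix is bounds-checked, trailing bytes are rejected, and unknown config versions are skipped so a client can still pick the first supported one. Struct and function names are ours; the ciphersuite identifiers in the test are the RFC 9180 values for the default suite named above.

```rust
// Added example, not part of odoh-rs: a bounds-checked codec for the RFC 9230
// wire format. Names (Reader, ConfigContents, Message, ...) are assumptions.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ConfigContents {
    pub kem_id: u16,
    pub kdf_id: u16,
    pub aead_id: u16,
    pub public_key: Vec<u8>,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Message {
    pub message_type: u8, // 0x01 = query, 0x02 = response
    pub key_id: Vec<u8>,
    pub encrypted_message: Vec<u8>,
}

/// Cursor over untrusted input; every read is bounds-checked so truncated
/// or malformed bytes yield Err instead of a panic.
struct Reader<'a> { buf: &'a [u8], pos: usize }

impl<'a> Reader<'a> {
    fn new(buf: &'a [u8]) -> Self { Reader { buf, pos: 0 } }
    fn take(&mut self, n: usize) -> Result<&'a [u8], &'static str> {
        let end = self.pos.checked_add(n).ok_or("length overflow")?;
        if end > self.buf.len() { return Err("truncated input"); }
        let s = &self.buf[self.pos..end];
        self.pos = end;
        Ok(s)
    }
    fn u8(&mut self) -> Result<u8, &'static str> { Ok(self.take(1)?[0]) }
    fn u16(&mut self) -> Result<u16, &'static str> {
        let b = self.take(2)?;
        Ok(u16::from_be_bytes([b[0], b[1]]))
    }
    // opaque x<0..2^16-1>: 2-byte big-endian length prefix, then the bytes.
    fn vec16(&mut self) -> Result<Vec<u8>, &'static str> {
        let n = self.u16()? as usize;
        Ok(self.take(n)?.to_vec())
    }
    fn done(&self) -> bool { self.pos == self.buf.len() }
}

fn put_vec16(out: &mut Vec<u8>, v: &[u8]) -> Result<(), &'static str> {
    if v.len() > u16::MAX as usize { return Err("too long for opaque<0..2^16-1>"); }
    out.extend_from_slice(&(v.len() as u16).to_be_bytes());
    out.extend_from_slice(v);
    Ok(())
}

/// Serialize an ObliviousDoHConfigs list holding one version 0x0001 config.
pub fn compose_configs(c: &ConfigContents) -> Result<Vec<u8>, &'static str> {
    let mut contents = Vec::new();
    contents.extend_from_slice(&c.kem_id.to_be_bytes());
    contents.extend_from_slice(&c.kdf_id.to_be_bytes());
    contents.extend_from_slice(&c.aead_id.to_be_bytes());
    put_vec16(&mut contents, &c.public_key)?;
    let mut config = Vec::new();
    config.extend_from_slice(&0x0001u16.to_be_bytes()); // version
    put_vec16(&mut config, &contents)?;                  // uint16 length + contents
    let mut out = Vec::new();
    put_vec16(&mut out, &config)?;                       // ObliviousDoHConfigs<0..2^16-1>
    Ok(out)
}

/// Parse ObliviousDoHConfigs and return the first config with version 0x0001,
/// skipping configs whose version we do not understand.
pub fn parse_first_supported_config(buf: &[u8]) -> Result<ConfigContents, &'static str> {
    let mut outer = Reader::new(buf);
    let list = outer.vec16()?;
    if !outer.done() { return Err("trailing bytes after configs"); }
    let mut r = Reader::new(&list);
    while !r.done() {
        let version = r.u16()?;
        let body = r.vec16()?;
        if version != 0x0001 { continue; }
        let mut c = Reader::new(&body);
        let cc = ConfigContents { kem_id: c.u16()?, kdf_id: c.u16()?, aead_id: c.u16()?, public_key: c.vec16()? };
        if !c.done() { return Err("trailing bytes in config contents"); }
        return Ok(cc);
    }
    Err("no supported config version")
}

pub fn compose_message(m: &Message) -> Result<Vec<u8>, &'static str> {
    let mut out = vec![m.message_type];
    put_vec16(&mut out, &m.key_id)?;
    put_vec16(&mut out, &m.encrypted_message)?;
    Ok(out)
}

pub fn parse_message(buf: &[u8]) -> Result<Message, &'static str> {
    let mut r = Reader::new(buf);
    let message_type = r.u8()?;
    if message_type != 0x01 && message_type != 0x02 { return Err("unknown message_type"); }
    let key_id = r.vec16()?;
    let encrypted_message = r.vec16()?;
    if !r.done() { return Err("trailing bytes after message"); }
    Ok(Message { message_type, key_id, encrypted_message })
}
```

The key_id carried in a query is what lets a target select the right key pair before decrypting, so a target that serves several configs should look it up from the parsed message rather than assume a single key.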