echspec 0.0.1 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 942fd582bb741ca465bb5255b458ef3cbf3ff8cd09f20b45957df8c64d32f55a
-  data.tar.gz: e5748a921bc1ab45c053884690fe0e7f5718b8847c6376f87100f22173f8dd9c
+  metadata.gz: 4ff77e42c8a7e2d787372fe6f96f3c00619fb6bcb3feea8df89c5400a838aef6
+  data.tar.gz: d317448071982052658909b19a99f535ce99e1c9f063de65be9cecae1ab4179f
 SHA512:
-  metadata.gz: a9597e9295d2b6a8d2b836a59a9ec1013edb42b2fc605e2dacd9ba274510ccb9982f1971d6aa4d092f1896da19a4d2317386d72f9d690639049e288e96fe1fe5
-  data.tar.gz: d104c73ca8124af91cbaeb172757d8353e3a328668c89a9d1b66f01281ac6d8e5bacd298ac96b05fa27d1b70dadceb9a216c8b873db9607286a7e0767f304c58
+  metadata.gz: 7c4eea37fd0a7002bf6fd2a68b0a5c299bf84b43a71933053fb6cf2df59aedc17836e3299e809d1e5889130ccfcbd6ec19a276ffda556da8cf58b9e28042e211
+  data.tar.gz: c56a875c0547d3456958a5cbd9b8d3ec7d4e921033d176c2b2835b80657b59d9d207e9dc0342564506f89d9cee313168427e906e9d6249f6298a0e90d6a9a5cf

data/.rubocop.yml

@@ -1,5 +1,5 @@
 AllCops:
-  TargetRubyVersion: 3.2
+  TargetRubyVersion: 4.0
 
 Layout/LineLength:
   Max: 200
@@ -9,6 +9,7 @@ Metrics/AbcSize:
 
 Metrics/BlockLength:
   Exclude:
+    - 'Rakefile'
     - 'spec/*.rb'
 
 Metrics/ClassLength:

data/.ruby-version

@@ -1 +1 @@
-3.3.6
+4.0.1

data/Gemfile

@@ -1,13 +1,14 @@
 source 'https://rubygems.org'
 
 gem 'base64'
+gem 'ech_config', github: 'thekuwayama/ech_config'
 gem 'resolv', '> 0.4.0'
 gem 'tttls1.3', github: 'thekuwayama/tttls1.3'
 
 group :development do
   gem 'rake', '13.2.1'
   gem 'rspec'
-  gem 'rubocop', '1.62.0'
+  gem 'rubocop', '1.82.1'
 end
 
 gemspec

data/README.md

@@ -8,10 +8,10 @@
 
 ![echspec demo](docs/echspec-demo.png)
 
-- https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22
+- https://datatracker.ietf.org/doc/html/rfc9849
 
 
-## Initial Setup
+## Installation
 
 The gem is available at [rubygems.org](https://rubygems.org/gems/echspec). You can install it the following:
 
@@ -44,12 +44,20 @@ TLS Encrypted Client Hello Server
         ✔ MUST abort with an "illegal_parameter" alert, if "encrypted_client_hello" is referenced in OuterExtensions. [5.1-10]
         ✔ MUST abort with an "illegal_parameter" alert, if the extensions in ClientHelloOuter corresponding to those in OuterExtensions do not occur in the same order. [5.1-10]
         ✔ MUST abort with an "illegal_parameter" alert, if ECHClientHello.type is not a valid ECHClientHelloType in ClientHelloInner. [7-5]
-        ✔ MUST abort with an "illegal_parameter" alert, if ECHClientHello.type is not a valid ECHClientHelloType in ClientHelloOuter. [7-5]
+        x MUST abort with an "illegal_parameter" alert, if ECHClientHello.type is not a valid ECHClientHelloType in ClientHelloOuter. [7-5]
         ✔ MUST abort with an "illegal_parameter" alert, if ClientHelloInner offers TLS 1.2 or below. [7.1-11]
         ✔ MUST include the "encrypted_client_hello" extension in its EncryptedExtensions with the "retry_configs" field set to one or more ECHConfig. [7.1-14.2.1]
         ✔ MUST abort with a "missing_extension" alert, if 2nd ClientHelloOuter does not contains the "encrypted_client_hello" extension. [7.1.1-2]
         ✔ MUST abort with an "illegal_parameter" alert, if 2nd ClientHelloOuter "encrypted_client_hello" enc is empty. [7.1.1-2]
         ✔ MUST abort with a "decrypt_error" alert, if fails to decrypt 2nd ClientHelloOuter. [7.1.1-5]
+
+Failures:
+
+        1) MUST abort with an "illegal_parameter" alert, if ECHClientHello.type is not a valid ECHClientHelloType in ClientHelloOuter. [7-5]
+                https://datatracker.ietf.org/doc/html/rfc9849#section-7-5
+                did not send expected alert: illegal_parameter
+
+1 failure
 ```
 
 By default, `echspec` retrieves ECHConfigs via HTTPS records. By using the `-f, --file FILE` option, you can specify an ECHConfig pem file. If you need to test the server on localhost, you can run it the following:

data/Rakefile

@@ -1,8 +1,49 @@
 require 'bundler/gem_tasks'
+require 'ech_config'
+require 'hpke'
+require 'openssl'
 require 'rspec/core/rake_task'
 require 'rubocop/rake_task'
 
 RuboCop::RakeTask.new
 RSpec::Core::RakeTask.new(:spec)
 
+TMP_DIR    = "#{__dir__}/tmp".freeze
+ECHCONFIGS = "#{TMP_DIR}/echconfigs.pem".freeze
+
+directory TMP_DIR
+
+file ECHCONFIGS => TMP_DIR do
+  puts "generate #{ECHCONFIGS}..."
+
+  key = OpenSSL::PKey.generate_key('X25519')
+  echconfigs = ECHConfigList.new(
+    [
+      ECHConfig.new(
+        "\xfe\x0d".b,
+        ECHConfig::ECHConfigContents.new(
+          ECHConfig::ECHConfigContents::HpkeKeyConfig.new(
+            123,
+            ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeKemId.new(HPKE::DHKEM_X25519_HKDF_SHA256),
+            ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkePublicKey.new(key.raw_public_key),
+            [
+              ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite.new(
+                ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite::HpkeKdfId.new(HPKE::HKDF_SHA256),
+                ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite::HpkeAeadId.new(HPKE::AES_128_GCM)
+              )
+            ]
+          ),
+          32,
+          'localhost'.b,
+          ECHConfig::ECHConfigContents::Extensions.new('')
+        )
+      )
+    ]
+  )
+  File.write(ECHCONFIGS, key.private_to_pem + echconfigs.to_pem)
+end
+
+desc 'generate echconfigs file'
+task gen_echconfigs: ECHCONFIGS
+
 task default: %i[rubocop spec]

data/echspec.gemspec

@@ -11,16 +11,20 @@ Gem::Specification.new do |spec|
   spec.description   = spec.summary
   spec.homepage      = 'https://github.com/thekuwayama/echspec'
   spec.license       = 'MIT'
-  spec.required_ruby_version = '>=3.2'
+  spec.required_ruby_version = '>=4.0'
 
-  spec.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
-  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (f == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
+    end
+  end
   spec.require_paths = ['lib']
   spec.bindir        = 'exe'
   spec.executables   = ['echspec']
 
   spec.add_development_dependency 'bundler'
   spec.add_dependency             'base64'
+  spec.add_dependency             'ech_config', '~> 0.0.4'
   spec.add_dependency             'resolv', '> 0.4.0'
-  spec.add_dependency             'tttls1.3', '~> 0.3.4'
+  spec.add_dependency             'tttls1.3', '~> 0.3.6'
 end

data/lib/echspec/log.rb

@@ -34,12 +34,16 @@ module EchSpec
           'EncryptedExtensions'
         in TTTLS13::Message::Certificate
           'Certificate'
+        in TTTLS13::Message::CompressedCertificate
+          'CompressedCertificate'
         in TTTLS13::Message::CertificateVerify
           'CertificateVerify'
         in TTTLS13::Message::Finished
           'Finished'
         in TTTLS13::Message::EndOfEarlyData
           'EndOfEarlyData'
+        in TTTLS13::Message::NewSessionTicket
+          'NewSessionTicket'
         in TTTLS13::Message::Alert
           'Alert'
         end

data/lib/echspec/spec/5.1-10.rb

@@ -1,7 +1,7 @@
 module EchSpec
   module Spec
     class Spec5_1_10 < WithSocket
-      # Next it makes a copy of the client_hello field and copies the
+      # Next, it makes a copy of the client_hello field and copies the
       # legacy_session_id field from ClientHelloOuter. It then looks for an
       # "ech_outer_extensions" extension. If found, it replaces the extension
       # with the corresponding sequence of extensions in the
@@ -14,7 +14,7 @@ module EchSpec
       # * The extensions in ClientHelloOuter corresponding to those in
       #   OuterExtensions do not occur in the same order.
       #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-5.1-10
+      # https://datatracker.ietf.org/doc/html/rfc9849#section-5.1-10
 
       # @return [EchSpec::SpecGroup]
       def self.spec_group
@@ -130,7 +130,7 @@ module EchSpec
       end
 
       class MissingReferencedExtensions < TTTLS13::Message::Extensions
-        # @param _ [Array of TTTLS13::Message::ExtensionType]
+        # @param _ [Array<TTTLS13::Message::ExtensionType>]
         #
         # @return [TTTLS13::Message::Extensions] for EncodedClientHelloInner
         def remove_and_replace!(_)
@@ -150,7 +150,7 @@ module EchSpec
       end
 
       class DuplicatedOuterExtensions < TTTLS13::Message::Extensions
-        # @param _ [Array of TTTLS13::Message::ExtensionType]
+        # @param _ [Array<TTTLS13::Message::ExtensionType>]
         #
         # @return [TTTLS13::Message::Extensions] for EncodedClientHelloInner
         def remove_and_replace!(_)
@@ -172,7 +172,7 @@ module EchSpec
       end
 
       class ReferencedEncryptedClientHello < TTTLS13::Message::Extensions
-        # @param _ [Array of TTTLS13::Message::ExtensionType]
+        # @param _ [Array<TTTLS13::Message::ExtensionType>]
         #
         # @return [TTTLS13::Message::Extensions] for EncodedClientHelloInner
         def remove_and_replace!(_)
@@ -194,7 +194,7 @@ module EchSpec
       end
 
       class NotSameOrderExtensions < TTTLS13::Message::Extensions
-        # @param _ [Array of TTTLS13::Message::ExtensionType]
+        # @param _ [Array<TTTLS13::Message::ExtensionType>]
         #
         # @return [TTTLS13::Message::Extensions] for EncodedClientHelloInner
         def remove_and_replace!(_)

data/lib/echspec/spec/5.1-9.rb

@@ -2,12 +2,12 @@ module EchSpec
   module Spec
     class Spec5_1_9 < WithSocket
       # The client-facing server computes ClientHelloInner by reversing this
-      # process. First it parses EncodedClientHelloInner, interpreting all
-      # bytes after client_hello as padding. If any padding byte is non-
-      # zero, the server MUST abort the connection with an
-      # "illegal_parameter" alert.
+      # process. First, it parses EncodedClientHelloInner, interpreting all
+      # bytes after client_hello as padding. If any padding byte is non-zero,
+      # the server MUST abort the connection with an "illegal_parameter"
+      # alert.
       #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-5.1-9
+      # https://datatracker.ietf.org/doc/html/rfc9849#section-5.1-9
 
       # @return [EchSpec::SpecGroup]
       def self.spec_group

data/lib/echspec/spec/7-5.rb

@@ -1,10 +1,14 @@
 module EchSpec
   module Spec
     class Spec7_5 < WithSocket
-      # If ECHClientHello.type is not a valid ECHClientHelloType, then the
-      # server MUST abort with an "illegal_parameter" alert.
+      # In shared mode, a server plays both roles, first decrypting the
+      # ClientHelloOuter and then using the contents of the ClientHelloInner.
+      # A shared mode server which receives a ClientHello with
+      # ECHClientHello.type of inner MUST abort with an "illegal_parameter"
+      # alert, because such a ClientHello should never be received directly
+      # from the network.
       #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-7-5
+      # https://datatracker.ietf.org/doc/html/rfc9849#section-7-5
 
       # @return [EchSpec::SpecGroup]
       def self.spec_group

data/lib/echspec/spec/7.1-11.rb

@@ -7,7 +7,7 @@ module EchSpec
       # offer TLS 1.2 or below. If either of these checks fails, the client-
       # facing server MUST abort with an "illegal_parameter" alert.
       #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-7.1-11
+      # https://datatracker.ietf.org/doc/html/rfc9849#section-7.1-11
 
       # @return [SpecGroup]
       def self.spec_group

data/lib/echspec/spec/7.1-14.2.1.rb

@@ -3,8 +3,8 @@ module EchSpec
     class Spec7_1_14_2_1 < WithSocket
       # Otherwise, if all candidate ECHConfig values fail to decrypt the
       # extension, the client-facing server MUST ignore the extension and
-      # proceed with the connection using ClientHelloOuter, with the
-      # following modifications:
+      # proceed with the connection using ClientHelloOuter with the following
+      # modifications:
       #
       # * If the server is configured with any ECHConfigs, it MUST include
       #   the "encrypted_client_hello" extension in its EncryptedExtensions
@@ -13,7 +13,7 @@ module EchSpec
       #   ECHConfig values of different versions. This allows a server to
       #   support multiple versions at once.
       #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-7.1-14.2.1
+      # https://datatracker.ietf.org/doc/html/rfc9849#section-7.1-14.2.1
 
       # @return [EchSpec::SpecGroup]
       def self.spec_group
@@ -60,7 +60,7 @@ module EchSpec
         # send ClientHello
         conn = TLS13Client::Connection.new(socket, :client)
         inner_ech = TTTLS13::Message::Extension::ECHClientHello.new_inner
-        exs, priv_keys = TLS13Client.gen_ch_extensions(hostname)
+        exs, shared_secret = TLS13Client.gen_ch_extensions(hostname)
         inner = TTTLS13::Message::ClientHello.new(
           cipher_suites: TTTLS13::CipherSuites.new(
             [
@@ -98,14 +98,9 @@ module EchSpec
         transcript[TTTLS13::SH] = [sh, sh.serialize]
         kse = sh.extensions[TTTLS13::Message::ExtensionType::KEY_SHARE]
                 .key_share_entry.first
-        shared_secret = TTTLS13::Endpoint.gen_shared_secret(
-          kse.key_exchange,
-          priv_keys[kse.group],
-          kse.group
-        )
         key_schedule = TTTLS13::KeySchedule.new(
           psk: nil,
-          shared_secret:,
+          shared_secret: shared_secret.build(kse.group, kse.key_exchange),
           cipher_suite: sh.cipher_suite,
           transcript:
         )

data/lib/echspec/spec/7.1.1-2.rb

@@ -1,7 +1,7 @@
 module EchSpec
   module Spec
     class Spec7_1_1_2 < WithSocket
-      # If the client-facing server accepted ECH, it checks the second
+      # If the client-facing server accepted ECH, it checks that the second
       # ClientHelloOuter also contains the "encrypted_client_hello"
       # extension. If not, it MUST abort the handshake with a
       # "missing_extension" alert. Otherwise, it checks that
@@ -9,7 +9,7 @@ module EchSpec
       # unchanged, and that ECHClientHello.enc is empty. If not, it MUST
       # abort the handshake with an "illegal_parameter" alert.
       #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-7.1.1-2
+      # https://datatracker.ietf.org/doc/html/rfc9849#section-7.1.1-2
 
       # @return [EchSpec::SpecGroup]
       def self.spec_group

data/lib/echspec/spec/7.1.1-5.rb

@@ -5,10 +5,10 @@ module EchSpec
       # using the second ClientHelloOuter. If decryption fails, the client-
       # facing server MUST abort the handshake with a "decrypt_error" alert.
       # Otherwise, it reconstructs the second ClientHelloInner from the new
-      # EncodedClientHelloInner as described in Section 5.1, using the
-      # second ClientHelloOuter for any referenced extensions.
+      # EncodedClientHelloInner as described in Section 5.1, using the second
+      # ClientHelloOuter for any referenced extensions.
       #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-7.1.1-5
+      # https://datatracker.ietf.org/doc/html/rfc9849#section-7.1.1-5
 
       # @return [EchSpec::SpecGroup]
       def self.spec_group

data/lib/echspec/spec/9.rb

@@ -9,7 +9,7 @@ module EchSpec
       # * KDF: HKDF-SHA256 (see Section 7.2 of [HPKE])
       # * AEAD: AES-128-GCM (see Section 7.3 of [HPKE])
       #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-9
+      # https://datatracker.ietf.org/doc/html/rfc9849#section-9
       @section = '9'
       @description = 'MUST implement the following HPKE cipher suite: KEM: DHKEM(X25519, HKDF-SHA256), KDF: HKDF-SHA256 and AEAD: AES-128-GCM.'
       class << self
@@ -41,15 +41,15 @@ module EchSpec
           end
         end
 
-        # @param ech_configs [Array of ECHConfig]
+        # @param ech_configs [Array<ECHConfig>]
         #
-        # @return [EchSpec::Ok<ECHConfig> | Err]
+        # @return [EchSpec::Ok | Err]
         def validate_compliant_ech_configs(ech_configs)
           ech_config = ech_configs.find do |c|
             kconfig = c.echconfig_contents.key_config
-            valid_kem_id = kconfig.kem_id.uint16 == 0x0020
+            valid_kem_id = kconfig.kem_id.uint16 == HPKE::DHKEM_X25519_HKDF_SHA256
             valid_cipher_suite = kconfig.cipher_suites.any? do |cs|
-              cs.kdf_id.uint16 == 0x0001 && cs.aead_id.uint16 == 0x0001
+              cs.kdf_id.uint16 == HPKE::HKDF_SHA256 && cs.aead_id.uint16 == HPKE::AES_128_GCM
             end
 
             valid_kem_id && valid_cipher_suite
@@ -61,7 +61,7 @@ module EchSpec
 
         # @param hostname [String]
         #
-        # @return [EchSpec::Ok<Array of ECHConfig> | Err]
+        # @return [EchSpec::Ok<Array<ECHConfig>> | Err]
         def resolve_ech_configs(hostname)
           begin
             rr = Resolv::DNS.new.getresource(
@@ -72,7 +72,7 @@ module EchSpec
             return Err.new(e.message, nil)
           end
 
-          # https://datatracker.ietf.org/doc/html/draft-ietf-tls-svcb-ech-01#section-6
+          # https://datatracker.ietf.org/doc/html/rfc9934#section-3
           ech = 5
           return Err.new("HTTPS resource record for #{hostname} does NOT have ech SvcParams.", nil) if rr.params[ech].nil?
 
@@ -85,7 +85,7 @@ module EchSpec
 
         # @param pem [String]
         #
-        # @return [EchSpec::Ok<Array of ECHConfig> | Err]
+        # @return [EchSpec::Ok<Array<ECHConfig>> | Err]
         def parse_pem(pem)
           s = pem.scan(/-----BEGIN ECHCONFIG-----(.*)-----END ECHCONFIG-----/m)
                  .first
@@ -95,7 +95,7 @@ module EchSpec
           ech_configs = ECHConfig.decode_vectors(b.slice(2..))
           Ok.new(ech_configs)
         rescue StandardError
-          # https://datatracker.ietf.org/doc/html/draft-farrell-tls-pemesni-08#section-3
+          # https://datatracker.ietf.org/doc/html/rfc9934#section-3
           example = <<~PEM
             -----BEGIN PRIVATE KEY-----
             MC4CAQAwBQYDK2VuBCIEICjd4yGRdsoP9gU7YT7My8DHx1Tjme8GYDXrOMCi8v1V

data/lib/echspec/spec.rb

@@ -12,20 +12,20 @@ module EchSpec
           msg.description == TTTLS13::Message::ALERT_DESCRIPTION[desc]
       end
 
-      ResultDesc = Struct.new(:result, :desc)
+      ResultDescURL = Struct.new(:result, :desc, :url)
 
-      # @param rds [Array of ResultDesc] result: EchSpec::Ok | Err, desc: String
+      # @param rdus [Array<ResultDescURL>] result: EchSpec::Ok | Err, desc: String, url: URI
       # @param verbose [Boolean]
-      def print_results(rds, verbose)
-        rds.each { |rd| print_summary(rd.result, rd.desc) }
-        failures = rds.filter { |rd| rd.result.is_a? Err }
+      def print_results(rdus, verbose)
+        rdus.each { |rdu| print_summary(rdu.result, rdu.desc) }
+        failures = rdus.filter { |rdu| rdu.result.is_a? Err }
         return if failures.empty?
 
         puts
         puts 'Failures:'
         puts
         failures.each
-                .with_index { |rd, idx| print_err_details(rd.result, idx, rd.desc, verbose) }
+                .with_index { |rdu, idx| print_err_details(rdu.result, rdu.url, idx, rdu.desc, verbose) }
         puts "#{failures.length} failure".red
       end
 
@@ -36,20 +36,22 @@ module EchSpec
         cross = "\u0078"
         summary = case result
                   in Ok
-                    "\t#{check} #{desc}".green
+                    "#{check} #{desc}".green.indent
                   in Err
-                    "\t#{cross} #{desc}".red
+                    "#{cross} #{desc}".red.indent
                   end
         puts summary
       end
 
       # @param err [EchSpec::Err]
+      # @param url [String]
       # @param idx [Integer]
       # @param desc [String]
       # @param verbose [Boolean]
-      def print_err_details(err, idx, desc, verbose)
-        puts "\t#{idx + 1}) #{desc}"
-        puts "\t\t#{err.details}"
+      def print_err_details(err, url, idx, desc, verbose)
+        puts "#{idx + 1}) #{desc}".indent
+        puts url.indent.indent
+        puts err.details.indent.indent
         warn err.message_stack if verbose && !err.message_stack.nil?
         puts
       end
@@ -103,7 +105,7 @@ module EchSpec
       # @param fpath [String | NilClass]
       # @param port [Integer]
       # @param hostname [String]
-      # @param sections [Array of String]
+      # @param sections [Array<String>]
       # @param verbose [Boolean]
       def run_only(fpath, port, hostname, sections, verbose)
         targets = spec_groups.filter { |g| sections.include?(g.section) }
@@ -119,18 +121,34 @@ module EchSpec
       # @param port [Integer]
       # @param hostname [String]
       # @param ech_config [ECHConfig]
-      # @param targets [Array of EchSpec::SpecGroup]
+      # @param targets [Array<EchSpec::SpecGroup>]
       # @param verbose [Boolean]
       def do_run(port, hostname, ech_config, targets, verbose)
-        rds = targets.flat_map do |g|
+        rdus = targets.flat_map do |g|
           g.spec_cases.map do |sc|
-            r = sc.method.call(hostname, port, ech_config)
-            d = "#{sc.description} [#{g.section}]"
-            ResultDesc.new(result: r, desc: d)
+            result = sc.method.call(hostname, port, ech_config)
+            desc = desc(sc.description, g.section)
+            url = url(g.section)
+            ResultDescURL.new(result:, desc:, url:)
           end
         end
 
-        print_results(rds, verbose)
+        print_results(rdus, verbose)
+      end
+
+      # @param description [String]
+      # @param section [String]
+      #
+      # @return [String]
+      def desc(description, section)
+        "#{description} [#{section}]"
+      end
+
+      # @param section [String]
+      #
+      # @return [String]
+      def url(section)
+        "https://datatracker.ietf.org/doc/html/rfc9849#section-#{section}"
       end
 
       # @param fpath [String | NilClass]
@@ -139,24 +157,28 @@ module EchSpec
       #
       # @return [ECHConfig]
       def try_get_ech_config(fpath, hostname, force_compliant)
-        # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-9
-        case result = Spec9.try_get_ech_config(fpath, hostname, force_compliant)
-        in Ok(obj) if force_compliant
-          result.tap { |r| print_summary(r, "#{Spec9.description} [#{Spec9.section}]") }
-          obj
-        in Ok(obj)
-          obj
+        # https://datatracker.ietf.org/doc/html/rfc9849#section-9
+        result = Spec9.try_get_ech_config(fpath, hostname, force_compliant)
+        desc = desc(Spec9.description, Spec9.section)
+        url = url(Spec9.section)
+
+        case result
+        in Ok(ech_config) if force_compliant
+          print_summary(result, desc)
+          ech_config
+        in Ok(ech_config)
+          ech_config
         in Err(details, _)
-          puts "\t#{details}".red
+          print_results([ResultDescURL.new(result:, desc:, url:)], true)
           exit 1
         end
       end
 
       def spec_groups
-        # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-5
+        # https://datatracker.ietf.org/doc/html/rfc9849#section-5
         groups = [Spec5_1_9, Spec5_1_10]
 
-        # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-7
+        # https://datatracker.ietf.org/doc/html/rfc9849#section-7
         groups += [Spec7_5, Spec7_1_11, Spec7_1_14_2_1, Spec7_1_1_2, Spec7_1_1_5]
 
         groups.map(&:spec_group)

data/lib/echspec/tls13_client.rb

@@ -66,12 +66,12 @@ module EchSpec
         exs << TTTLS13::Message::Extension::SupportedGroups.new(groups)
 
         # key_share
-        key_share, priv_keys = TTTLS13::Message::Extension::KeyShare.gen_ch_key_share(
+        key_share, shared_secret = TTTLS13::Message::Extension::KeyShare.gen_ch_key_share(
           groups
         )
         exs << key_share
 
-        [exs, priv_keys]
+        [exs, shared_secret]
       end
 
       # @param ch1 [TTTLS13::Message::ClientHello]

data/lib/echspec/utils.rb

@@ -1,6 +1,10 @@
 module EchSpec
   module Refinements
     refine String do
+      def indent
+        "\t#{self}"
+      end
+
       def colorize(code)
         "\e[#{code}m#{self}\e[0m"
       end

data/lib/echspec/version.rb

@@ -1,3 +1,3 @@
 module EchSpec
-  VERSION = '0.0.1'.freeze
+  VERSION = '0.0.3'.freeze
 end

data/lib/echspec.rb

@@ -1,16 +1,17 @@
 require 'base64'
 require 'optparse'
+require 'pp'
 require 'resolv'
 require 'timeout'
 require 'tttls1.3'
 
-require 'echspec/version'
-require 'echspec/utils'
-require 'echspec/log'
-require 'echspec/error'
-require 'echspec/result'
-require 'echspec/tls13_client'
-require 'echspec/spec_case'
-require 'echspec/spec_group'
-require 'echspec/spec'
-require 'echspec/cli'
+require_relative 'echspec/version'
+require_relative 'echspec/utils'
+require_relative 'echspec/log'
+require_relative 'echspec/error'
+require_relative 'echspec/result'
+require_relative 'echspec/tls13_client'
+require_relative 'echspec/spec_case'
+require_relative 'echspec/spec_group'
+require_relative 'echspec/spec'
+require_relative 'echspec/cli'

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: echspec
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.3
 platform: ruby
 authors:
 - thekuwayama
-autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-01-12 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -38,6 +37,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: ech_config
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.4
 - !ruby/object:Gem::Dependency
   name: resolv
   requirement: !ruby/object:Gem::Requirement
@@ -58,14 +71,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.4
+        version: 0.3.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.4
+        version: 0.3.6
 description: A conformance testing tool for ECH implementation
 email:
 - thekuwayama@gmail.com
@@ -74,8 +87,6 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- ".github/workflows/ci.yml"
-- ".gitignore"
 - ".rubocop.yml"
 - ".ruby-version"
 - Gemfile
@@ -107,15 +118,10 @@ files:
 - lib/echspec/tls13_client.rb
 - lib/echspec/utils.rb
 - lib/echspec/version.rb
-- spec/9_spec.rb
-- spec/log_spec.rb
-- spec/spec_helper.rb
-- spec/with_socket_spec.rb
 homepage: https://github.com/thekuwayama/echspec
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -123,19 +129,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '3.2'
+      version: '4.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.22
-signing_key:
+rubygems_version: 4.0.7
 specification_version: 4
 summary: A conformance testing tool for ECH implementation
-test_files:
-- spec/9_spec.rb
-- spec/log_spec.rb
-- spec/spec_helper.rb
-- spec/with_socket_spec.rb
+test_files: []

data/.github/workflows/ci.yml

@@ -1,30 +0,0 @@
-name: lint & test
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-  ci:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        ruby-version: ['3.2', '3.3', '3.4']
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: ${{ matrix.ruby-version }}
-      - name: Install dependencies
-        run: |
-          gem --version
-          gem install bundler
-          bundle --version
-          bundle install
-      - name: Run rubocop & rspec
-        run: bundle exec rake

data/.gitignore

@@ -1,17 +0,0 @@
-*.gem
-*.rbc
-.config
-.rvmrc
-/.bundle/
-/vendor/
-/lib/bundler/man/
-/pkg/
-/.yardoc/
-/_yardoc/
-/doc/
-/rdoc/
-/coverage/
-/spec/reports/
-/tmp/
-.DS_Store
-Gemfile.lock

data/spec/9_spec.rb

@@ -1,13 +0,0 @@
-require_relative 'spec_helper'
-
-RSpec.describe EchSpec::Spec::Spec9 do
-  context 'parse_pem' do
-    let(:pem) do
-      File.open("#{__dir__}/../fixtures/echconfigs.pem").read
-    end
-
-    it 'could parse' do
-      expect(EchSpec::Spec::Spec9.send(:parse_pem, pem)).to be_a EchSpec::Ok
-    end
-  end
-end

data/spec/log_spec.rb

@@ -1,58 +0,0 @@
-require_relative 'spec_helper'
-
-RSpec.describe EchSpec::Log::MessageStack do
-  context 'obj2json' do
-    let(:crt) do
-      File.open("#{__dir__}/../fixtures/server.crt").read
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(OpenSSL::X509::Certificate.new(crt)))
-        .to eq "#{crt.split("\n").join('\n')}\\n"
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(1)).to eq '1'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(0.1)).to eq '0.1'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(true)).to eq 'true'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(false)).to eq 'false'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json('')).to eq '""'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json('string')).to eq '"0x737472696e67"'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(nil)).to eq 'null'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json([1, true, '', 'string', nil])).to eq '[1,true,"","0x737472696e67",null]'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(1 => true, '' => 'string', nil => [])).to eq '{1:true,"":"0x737472696e67",null:[]}'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(C.new('string'))).to eq '{"name":"0x737472696e67"}'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(D.new)).to eq '"$D"'
-    end
-  end
-end

data/spec/spec_helper.rb

@@ -1,12 +0,0 @@
-RSpec.configure(&:disable_monkey_patching!)
-
-require 'echspec'
-
-class C
-  def initialize(name)
-    @name = name
-  end
-end
-
-class D
-end

data/spec/with_socket_spec.rb

@@ -1,77 +0,0 @@
-require_relative 'spec_helper'
-
-module EchSpec
-  module Spec
-    class SpecX < WithSocket
-      def validate(hostname, port)
-        with_socket(hostname, port) do |_socket|
-          # not return
-        end
-      end
-    end
-
-    class SpecY < WithSocket
-      def validate(hostname, port)
-        with_socket(hostname, port) do |_socket|
-          return EchSpec::Ok.new(1)
-        end
-      end
-    end
-
-    class SpecZ < WithSocket
-      def validate(hostname, port)
-        with_socket(hostname, port) do |_socket|
-          msg = TTTLS13::Message::Alert.new(
-            level: TTTLS13::Message::AlertLevel::FATAL,
-            description: "\x0a"
-          )
-          return EchSpec::Err.new('details', [msg])
-        end
-      end
-    end
-
-    class SpecW < WithSocket
-      def validate(hostname, port)
-        with_socket(hostname, port) do |_socket|
-          raise EchSpec::Error::BeforeTargetSituationError, 'not received ClientHello'
-        end
-      end
-    end
-  end
-end
-
-RSpec.describe EchSpec::Spec::WithSocket do
-  context 'with_socket' do
-    before do
-      socket = StringIO.new
-      allow(TCPSocket).to receive(:new).and_return(socket)
-    end
-
-    it 'should return nil' do
-      result = EchSpec::Spec::SpecX.new.validate('localhost', 4433)
-      expect(result).to eq nil
-    end
-
-    it 'should return Ok(1)' do
-      result = EchSpec::Spec::SpecY.new.validate('localhost', 4433)
-      expect(result).to be_a EchSpec::Ok
-      expect(result.obj).to eq 1
-    end
-
-    it 'should return Err(details, message_stack)' do
-      result = EchSpec::Spec::SpecZ.new.validate('localhost', 4433)
-      expect(result).to be_a EchSpec::Err
-      expect(result.details).to eq 'details'
-      expect(result.message_stack.length).to be 1
-      expect(result.message_stack.first.level).to be TTTLS13::Message::AlertLevel::FATAL
-      expect(result.message_stack.first.description).to eq "\x0a"
-    end
-
-    it 'should return Err(details, message_stack), raised BeforeTargetSituationError' do
-      result = EchSpec::Spec::SpecW.new.validate('localhost', 4433)
-      expect(result).to be_a EchSpec::Err
-      expect(result.details).to eq 'not received ClientHello'
-      expect(result.message_stack).to eq '{}'
-    end
-  end
-end