echspec 0.0.1

data/lib/echspec/log.rb

@@ -0,0 +1,85 @@
+module EchSpec
+  module Log
+    class MessageStack
+      def initialize
+        @stack = []
+      end
+
+      # @param msg [TTTLS13::Message::$Object]
+      def <<(msg)
+        @stack << msg
+      end
+
+      def marshal
+        arr = []
+        arr = @stack.reduce(arr) { |sum, msg| sum << "\"#{MessageStack.msg2name(msg)}\":#{MessageStack.obj2json(msg)}" }
+        "{#{arr.reverse.join(',')}}"
+      end
+
+      # rubocop: disable Metrics/CyclomaticComplexity
+      # rubocop: disable Metrics/PerceivedComplexity
+      def self.msg2name(msg)
+        case msg
+        in TTTLS13::Message::ClientHello if msg.ch_inner?
+          'ClientHelloInner'
+        in TTTLS13::Message::ClientHello
+          'ClientHello'
+        in TTTLS13::Message::ServerHello if msg.hrr?
+          'HelloRetryRequest'
+        in TTTLS13::Message::ServerHello
+          'ServerHello'
+        in TTTLS13::Message::ChangeCipherSpec
+          'ChangeCipherSpec'
+        in TTTLS13::Message::EncryptedExtensions
+          'EncryptedExtensions'
+        in TTTLS13::Message::Certificate
+          'Certificate'
+        in TTTLS13::Message::CertificateVerify
+          'CertificateVerify'
+        in TTTLS13::Message::Finished
+          'Finished'
+        in TTTLS13::Message::EndOfEarlyData
+          'EndOfEarlyData'
+        in TTTLS13::Message::Alert
+          'Alert'
+        end
+      end
+      # rubocop: enable Metrics/CyclomaticComplexity
+      # rubocop: enable Metrics/PerceivedComplexity
+
+      # rubocop: disable Metrics/CyclomaticComplexity
+      # rubocop: disable Metrics/PerceivedComplexity
+      def self.obj2json(obj)
+        case obj
+        in OpenSSL::X509::Certificate
+          obj.to_pem.gsub("\n", '\n')
+        in Numeric | TrueClass | FalseClass
+          obj.pretty_print_inspect
+        in ''
+          '""'
+        in String
+          "\"0x#{obj.unpack1('H*')}\""
+        in NilClass
+          'null'
+        in Array
+          s = obj.map { |i| obj2json(i) }.join(',')
+          "[#{s}]"
+        in Hash
+          s = obj.map { |k, v| "#{obj2json(k)}:#{obj2json(v)}" }.join(',')
+          "{#{s}}"
+        in Object if !obj.instance_variables.empty?
+          arr = obj.instance_variables.map do |i|
+            k = i[1..]
+            v = obj2json(obj.instance_variable_get(i))
+            "\"#{k}\":#{v}"
+          end
+          "{#{arr.join(',')}}"
+        else
+          "\"$#{obj.class.name}\""
+        end
+      end
+      # rubocop: enable Metrics/CyclomaticComplexity
+      # rubocop: enable Metrics/PerceivedComplexity
+    end
+  end
+end

data/lib/echspec/result.rb

@@ -0,0 +1,26 @@
+module EchSpec
+  class Ok
+    attr_reader :obj
+
+    def initialize(obj)
+      @obj = obj
+    end
+
+    def deconstruct
+      [@obj]
+    end
+  end
+
+  class Err
+    attr_reader :details, :message_stack
+
+    def initialize(details, message_stack)
+      @details = details
+      @message_stack = message_stack
+    end
+
+    def deconstruct
+      [@details, @message_stack]
+    end
+  end
+end

data/lib/echspec/spec/5.1-10.rb

@@ -0,0 +1,222 @@
+module EchSpec
+  module Spec
+    class Spec5_1_10 < WithSocket
+      # Next it makes a copy of the client_hello field and copies the
+      # legacy_session_id field from ClientHelloOuter. It then looks for an
+      # "ech_outer_extensions" extension. If found, it replaces the extension
+      # with the corresponding sequence of extensions in the
+      # ClientHelloOuter. The server MUST abort the connection with an
+      # "illegal_parameter" alert if any of the following are true:
+      #
+      # * Any referenced extension is missing in ClientHelloOuter.
+      # * Any extension is referenced in OuterExtensions more than once.
+      # * "encrypted_client_hello" is referenced in OuterExtensions.
+      # * The extensions in ClientHelloOuter corresponding to those in
+      #   OuterExtensions do not occur in the same order.
+      #
+      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-5.1-10
+
+      # @return [EchSpec::SpecGroup]
+      def self.spec_group
+        SpecGroup.new(
+          '5.1-10',
+          [
+            SpecCase.new(
+              'MUST abort with an "illegal_parameter" alert, if any referenced extension is missing in ClientHelloOuter.',
+              method(:validate_missing_referenced_extensions)
+            ),
+            SpecCase.new(
+              'MUST abort with an "illegal_parameter" alert, if any extension is referenced in OuterExtensions more than once.',
+              method(:validate_duplicated_outer_extensions)
+            ),
+            SpecCase.new(
+              'MUST abort with an "illegal_parameter" alert, if "encrypted_client_hello" is referenced in OuterExtensions.',
+              method(:validate_referenced_encrypted_client_hello)
+            ),
+            SpecCase.new(
+              'MUST abort with an "illegal_parameter" alert, if the extensions in ClientHelloOuter corresponding to those in OuterExtensions do not occur in the same order.',
+              method(:validate_not_same_order_extensions)
+            )
+          ]
+        )
+      end
+
+      # @param hostname [String]
+      # @param port [Integer]
+      # @param ech_config [ECHConfig]
+      #
+      # @return [EchSpec::Ok | Err]
+      def self.validate_missing_referenced_extensions(hostname, port, ech_config)
+        Spec5_1_10.new.validate_invalid_ech_outer_extensions(hostname, port, ech_config, MissingReferencedExtensions)
+      end
+
+      # @param hostname [String]
+      # @param port [Integer]
+      # @param ech_config [ECHConfig]
+      #
+      # @return [EchSpec::Ok | Err]
+      def self.validate_duplicated_outer_extensions(hostname, port, ech_config)
+        Spec5_1_10.new.validate_invalid_ech_outer_extensions(hostname, port, ech_config, DuplicatedOuterExtensions)
+      end
+
+      # @param hostname [String]
+      # @param port [Integer]
+      # @param ech_config [ECHConfig]
+      #
+      # @return [EchSpec::Ok | Err]
+      def self.validate_referenced_encrypted_client_hello(hostname, port, ech_config)
+        Spec5_1_10.new.validate_invalid_ech_outer_extensions(hostname, port, ech_config, ReferencedEncryptedClientHello)
+      end
+
+      # @param hostname [String]
+      # @param port [Integer]
+      # @param ech_config [ECHConfig]
+      #
+      # @return [EchSpec::Ok | Err]
+      def self.validate_not_same_order_extensions(hostname, port, ech_config)
+        Spec5_1_10.new.validate_invalid_ech_outer_extensions(hostname, port, ech_config, NotSameOrderExtensions)
+      end
+
+      # @param hostname [String]
+      # @param port [Integer]
+      # @param ech_config [ECHConfig]
+      # @param super_extensions [TTTLS13::Message::Extension::$Object]
+      #
+      # @return [EchSpec::Ok | Err]
+      def validate_invalid_ech_outer_extensions(hostname, port, ech_config, super_extensions)
+        with_socket(hostname, port) do |socket|
+          recv = send_invalid_ech_outer_extensions(socket, hostname, ech_config, super_extensions)
+          return Err.new('did not send expected alert: illegal_parameter', message_stack) \
+            unless Spec.expect_alert(recv, :illegal_parameter)
+
+          Ok.new(nil)
+        end
+      end
+
+      def send_invalid_ech_outer_extensions(socket, hostname, ech_config, super_extensions)
+        conn = TLS13Client::Connection.new(socket, :client)
+        inner_ech = TTTLS13::Message::Extension::ECHClientHello.new_inner
+        exs, = TLS13Client.gen_ch_extensions(hostname)
+        exs = super_extensions.new(exs.values)
+        inner = TTTLS13::Message::ClientHello.new(
+          cipher_suites: TTTLS13::CipherSuites.new(
+            [
+              TTTLS13::CipherSuite::TLS_AES_256_GCM_SHA384,
+              TTTLS13::CipherSuite::TLS_CHACHA20_POLY1305_SHA256,
+              TTTLS13::CipherSuite::TLS_AES_128_GCM_SHA256
+            ]
+          ),
+          extensions: exs.merge(
+            TTTLS13::Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => inner_ech
+          )
+        )
+
+        selector = proc { |x| TLS13Client.select_ech_hpke_cipher_suite(x) }
+        ch, inner, = TTTLS13::Ech.offer_ech(inner, ech_config, selector)
+        conn.send_record(
+          TTTLS13::Message::Record.new(
+            type: TTTLS13::Message::ContentType::HANDSHAKE,
+            messages: [ch],
+            cipher: TTTLS13::Cryptograph::Passer.new
+          )
+        )
+        @stack << inner
+        @stack << ch
+
+        recv, = conn.recv_message(TTTLS13::Cryptograph::Passer.new)
+        @stack << recv
+
+        recv
+      end
+
+      class MissingReferencedExtensions < TTTLS13::Message::Extensions
+        # @param _ [Array of TTTLS13::Message::ExtensionType]
+        #
+        # @return [TTTLS13::Message::Extensions] for EncodedClientHelloInner
+        def remove_and_replace!(_)
+          outer_extensions = [TTTLS13::Message::ExtensionType::KEY_SHARE]
+          tmp1 = filter { |k, _| !outer_extensions.include?(k) }
+
+          clear
+          replaced = TTTLS13::Message::Extensions.new
+
+          tmp1.each_value { |v| self << v; replaced << v }
+          # key_share is referenced, but it is missing in ClientHelloOuter.
+          replaced << TTTLS13::Message::Extension::ECHOuterExtensions.new(
+            [TTTLS13::Message::ExtensionType::KEY_SHARE]
+          )
+          replaced
+        end
+      end
+
+      class DuplicatedOuterExtensions < TTTLS13::Message::Extensions
+        # @param _ [Array of TTTLS13::Message::ExtensionType]
+        #
+        # @return [TTTLS13::Message::Extensions] for EncodedClientHelloInner
+        def remove_and_replace!(_)
+          outer_extensions = [TTTLS13::Message::ExtensionType::KEY_SHARE]
+          tmp1 = filter { |k, _| !outer_extensions.include?(k) }
+          tmp2 = filter { |k, _| outer_extensions.include?(k) }
+
+          clear
+          replaced = TTTLS13::Message::Extensions.new
+
+          tmp1.each_value { |v| self << v; replaced << v }
+          tmp2.each_value { |v| self << v }
+          # key_share appears twice in OuterExtensions.
+          replaced << TTTLS13::Message::Extension::ECHOuterExtensions.new(
+            [TTTLS13::Message::ExtensionType::KEY_SHARE] * 2
+          )
+          replaced
+        end
+      end
+
+      class ReferencedEncryptedClientHello < TTTLS13::Message::Extensions
+        # @param _ [Array of TTTLS13::Message::ExtensionType]
+        #
+        # @return [TTTLS13::Message::Extensions] for EncodedClientHelloInner
+        def remove_and_replace!(_)
+          outer_extensions = [TTTLS13::Message::ExtensionType::ENCRYPTED_CLIENT_HELLO]
+          tmp1 = filter { |k, _| !outer_extensions.include?(k) }
+          tmp2 = filter { |k, _| outer_extensions.include?(k) }
+
+          clear
+          replaced = TTTLS13::Message::Extensions.new
+
+          tmp1.each_value { |v| self << v; replaced << v }
+          tmp2.each_value { |v| self << v }
+          # encrypted_client_hello appears in OuterExtensions.
+          replaced << TTTLS13::Message::Extension::ECHOuterExtensions.new(
+            [TTTLS13::Message::ExtensionType::ENCRYPTED_CLIENT_HELLO]
+          )
+          replaced
+        end
+      end
+
+      class NotSameOrderExtensions < TTTLS13::Message::Extensions
+        # @param _ [Array of TTTLS13::Message::ExtensionType]
+        #
+        # @return [TTTLS13::Message::Extensions] for EncodedClientHelloInner
+        def remove_and_replace!(_)
+          outer_extensions = [
+            TTTLS13::Message::ExtensionType::KEY_SHARE,
+            TTTLS13::Message::ExtensionType::SUPPORTED_VERSIONS
+          ]
+          tmp1 = filter { |k, _| !outer_extensions.include?(k) }
+          tmp2 = filter { |k, _| outer_extensions.include?(k) }
+
+          clear
+          replaced = TTTLS13::Message::Extensions.new
+
+          tmp1.each_value { |v| self << v; replaced << v }
+          tmp2.each_value { |v| self << v }
+          # extensions in ClientHelloOuter and OuterExtensions are not in the same order.
+          replaced << TTTLS13::Message::Extension::ECHOuterExtensions.new(
+            tmp2.keys.reverse
+          )
+          replaced
+        end
+      end
+    end
+  end
+end

data/lib/echspec/spec/5.1-9.rb

@@ -0,0 +1,108 @@
+module EchSpec
+  module Spec
+    class Spec5_1_9 < WithSocket
+      # The client-facing server computes ClientHelloInner by reversing this
+      # process. First it parses EncodedClientHelloInner, interpreting all
+      # bytes after client_hello as padding. If any padding byte is non-
+      # zero, the server MUST abort the connection with an
+      # "illegal_parameter" alert.
+      #
+      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-5.1-9
+
+      # @return [EchSpec::SpecGroup]
+      def self.spec_group
+        SpecGroup.new(
+          '5.1-9',
+          [
+            SpecCase.new(
+              'MUST abort with an "illegal_parameter" alert, if EncodedClientHelloInner is padded with non-zero values.',
+              method(:validate_nonzero_padding_encoded_ch_inner)
+            )
+          ]
+        )
+      end
+
+      # @param hostname [String]
+      # @param port [Integer]
+      # @param ech_config [ECHConfig]
+      #
+      # @return [EchSpec::Ok | Err]
+      def self.validate_nonzero_padding_encoded_ch_inner(hostname, port, ech_config)
+        Spec5_1_9.new.do_validate_nonzero_padding_encoded_ch_inner(hostname, port, ech_config)
+      end
+
+      # @param hostname [String]
+      # @param port [Integer]
+      # @param ech_config [ECHConfig]
+      #
+      # @return [EchSpec::Ok | Err]
+      def do_validate_nonzero_padding_encoded_ch_inner(hostname, port, ech_config)
+        with_socket(hostname, port) do |socket|
+          recv = send_nonzero_padding_encoded_ch_inner(socket, hostname, ech_config)
+          return Err.new('did not send expected alert: illegal_parameter', message_stack) \
+            unless Spec.expect_alert(recv, :illegal_parameter)
+
+          Ok.new(nil)
+        end
+      end
+
+      def send_nonzero_padding_encoded_ch_inner(socket, hostname, ech_config)
+        conn = TLS13Client::Connection.new(socket, :client)
+        inner_ech = TTTLS13::Message::Extension::ECHClientHello.new_inner
+        exs, = TLS13Client.gen_ch_extensions(hostname)
+        inner = TTTLS13::Message::ClientHello.new(
+          cipher_suites: TTTLS13::CipherSuites.new(
+            [
+              TTTLS13::CipherSuite::TLS_AES_256_GCM_SHA384,
+              TTTLS13::CipherSuite::TLS_CHACHA20_POLY1305_SHA256,
+              TTTLS13::CipherSuite::TLS_AES_128_GCM_SHA256
+            ]
+          ),
+          extensions: exs.merge(
+            TTTLS13::Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => inner_ech
+          )
+        )
+
+        selector = proc { |x| TLS13Client.select_ech_hpke_cipher_suite(x) }
+        ch, inner, = NonzeroPaddingEch.offer_ech(inner, ech_config, selector)
+        conn.send_record(
+          TTTLS13::Message::Record.new(
+            type: TTTLS13::Message::ContentType::HANDSHAKE,
+            messages: [ch],
+            cipher: TTTLS13::Cryptograph::Passer.new
+          )
+        )
+        @stack << inner
+        @stack << ch
+
+        recv, = conn.recv_message(TTTLS13::Cryptograph::Passer.new)
+        @stack << recv
+
+        recv
+      end
+
+      class NonzeroPaddingEch < TTTLS13::Ech
+        NON_ZERO = "\x11".freeze
+
+        # @param s [String]
+        # @param server_name_length [Integer]
+        # @param maximum_name_length [Integer]
+        #
+        # @return [String]
+        def self.padding_encoded_ch_inner(s,
+                                          server_name_length,
+                                          maximum_name_length)
+          padding_len =
+            if server_name_length.positive?
+              [maximum_name_length - server_name_length, 0].max
+            else
+              9 + maximum_name_length
+            end
+
+          padding_len = 31 - ((s.length + padding_len - 1) % 32)
+          s + NON_ZERO * padding_len # padding with non-zero value
+        end
+      end
+    end
+  end
+end

data/lib/echspec/spec/7-5.rb

@@ -0,0 +1,242 @@
+module EchSpec
+  module Spec
+    class Spec7_5 < WithSocket
+      # If ECHClientHello.type is not a valid ECHClientHelloType, then the
+      # server MUST abort with an "illegal_parameter" alert.
+      #
+      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-7-5
+
+      # @return [EchSpec::SpecGroup]
+      def self.spec_group
+        SpecGroup.new(
+          '7-5',
+          [
+            SpecCase.new(
+              'MUST abort with an "illegal_parameter" alert, if ECHClientHello.type is not a valid ECHClientHelloType in ClientHelloInner.',
+              method(:validate_illegal_inner_ech_type)
+            ),
+            SpecCase.new(
+              'MUST abort with an "illegal_parameter" alert, if ECHClientHello.type is not a valid ECHClientHelloType in ClientHelloOuter.',
+              method(:validate_illegal_outer_ech_type)
+            )
+          ]
+        )
+      end
+
+      # @param hostname [String]
+      # @param port [Integer]
+      # @param ech_config [ECHConfig]
+      #
+      # @return [EchSpec::Ok | Err]
+      def self.validate_illegal_inner_ech_type(hostname, port, ech_config)
+        Spec7_5.new.do_validate_illegal_ech_type(
+          hostname,
+          port,
+          ech_config,
+          :send_ch_illegal_inner_ech_type
+        )
+      end
+
+      # @param hostname [String]
+      # @param port [Integer]
+      # @param ech_config [ECHConfig]
+      #
+      # @return [EchSpec::Ok | Err]
+      def self.validate_illegal_outer_ech_type(hostname, port, ech_config)
+        Spec7_5.new.do_validate_illegal_ech_type(
+          hostname,
+          port,
+          ech_config,
+          :send_ch_illegal_outer_ech_type
+        )
+      end
+
+      # @param hostname [String]
+      # @param port [Integer]
+      # @param ech_config [ECHConfig]
+      # @param method [Method]
+      #
+      # @return [EchSpec::Ok | Err]
+      def do_validate_illegal_ech_type(hostname, port, ech_config, method)
+        with_socket(hostname, port) do |socket|
+          recv = send(method, socket, hostname, ech_config)
+          return Err.new('did not send expected alert: illegal_parameter', message_stack) \
+            unless Spec.expect_alert(recv, :illegal_parameter)
+
+          Ok.new(nil)
+        end
+      end
+
+      # @param socket [TCPSocket]
+      # @param hostname [String]
+      # @param ech_config [ECHConfig]
+      #
+      # @return [TTTLS13::Message::Record]
+      def send_ch_illegal_inner_ech_type(socket, hostname, ech_config)
+        conn = TLS13Client::Connection.new(socket, :client)
+        inner_ech = IllegalEchClientHello.new_inner
+        exs, = TLS13Client.gen_ch_extensions(hostname)
+        inner = TTTLS13::Message::ClientHello.new(
+          cipher_suites: TTTLS13::CipherSuites.new(
+            [
+              TTTLS13::CipherSuite::TLS_AES_256_GCM_SHA384,
+              TTTLS13::CipherSuite::TLS_CHACHA20_POLY1305_SHA256,
+              TTTLS13::CipherSuite::TLS_AES_128_GCM_SHA256
+            ]
+          ),
+          extensions: exs.merge(
+            TTTLS13::Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => inner_ech
+          )
+        )
+
+        selector = proc { |x| TLS13Client.select_ech_hpke_cipher_suite(x) }
+        ch, inner, = TTTLS13::Ech.offer_ech(inner, ech_config, selector)
+        conn.send_record(
+          TTTLS13::Message::Record.new(
+            type: TTTLS13::Message::ContentType::HANDSHAKE,
+            messages: [ch],
+            cipher: TTTLS13::Cryptograph::Passer.new
+          )
+        )
+        @stack << inner
+        @stack << ch
+
+        recv, = conn.recv_message(TTTLS13::Cryptograph::Passer.new)
+        @stack << recv
+
+        recv
+      end
+
+      # @param socket [TCPSocket]
+      # @param hostname [String]
+      # @param ech_config [ECHConfig]
+      #
+      # @return [TTTLS13::Message::Record]
+      # rubocop: disable Metrics/AbcSize
+      # rubocop: disable Metrics/MethodLength
+      def send_ch_illegal_outer_ech_type(socket, hostname, ech_config)
+        conn = TLS13Client::Connection.new(socket, :client)
+        inner_ech = TTTLS13::Message::Extension::ECHClientHello.new_inner
+        exs, = TLS13Client.gen_ch_extensions(hostname)
+        inner = TTTLS13::Message::ClientHello.new(
+          cipher_suites: TTTLS13::CipherSuites.new(
+            [
+              TTTLS13::CipherSuite::TLS_AES_256_GCM_SHA384,
+              TTTLS13::CipherSuite::TLS_CHACHA20_POLY1305_SHA256,
+              TTTLS13::CipherSuite::TLS_AES_128_GCM_SHA256
+            ]
+          ),
+          extensions: exs.merge(
+            TTTLS13::Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => inner_ech
+          )
+        )
+        @stack << inner
+
+        # offer_ech
+        selector = proc { |x| TLS13Client.select_ech_hpke_cipher_suite(x) }
+
+        # for ech_outer_extensions
+        replaced = \
+          inner.extensions.remove_and_replace!([])
+
+        # Encrypted ClientHello Configuration
+        ech_state, enc = TTTLS13::Ech.encrypted_ech_config(
+          ech_config,
+          selector
+        )
+        encoded = TTTLS13::Ech.encode_ch_inner(inner, ech_state.maximum_name_length, replaced)
+        overhead_len = TTTLS13::Ech.aead_id2overhead_len(
+          ech_state.cipher_suite.aead_id.uint16
+        )
+
+        # Encoding the ClientHelloInner
+        aad_ech = IllegalEchClientHello.new_outer(
+          cipher_suite: ech_state.cipher_suite,
+          config_id: ech_state.config_id,
+          enc:,
+          payload: '0' * (encoded.length + overhead_len)
+        )
+        aad = TTTLS13::Message::ClientHello.new(
+          legacy_version: inner.legacy_version,
+          legacy_session_id: inner.legacy_session_id,
+          cipher_suites: inner.cipher_suites,
+          legacy_compression_methods: inner.legacy_compression_methods,
+          extensions: inner.extensions.merge(
+            TTTLS13::Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => aad_ech,
+            TTTLS13::Message::ExtensionType::SERVER_NAME => \
+            TTTLS13::Message::Extension::ServerName.new(ech_state.public_name)
+          )
+        )
+
+        # Authenticating the ClientHelloOuter
+        # which does not include the Handshake structure's four byte header.
+        outer_ech = IllegalEchClientHello.new_outer(
+          cipher_suite: ech_state.cipher_suite,
+          config_id: ech_state.config_id,
+          enc:,
+          payload: ech_state.ctx.seal(aad.serialize[4..], encoded)
+        )
+        outer = TTTLS13::Message::ClientHello.new(
+          legacy_version: aad.legacy_version,
+          random: aad.random,
+          legacy_session_id: aad.legacy_session_id,
+          cipher_suites: aad.cipher_suites,
+          legacy_compression_methods: aad.legacy_compression_methods,
+          extensions: aad.extensions.merge(
+            TTTLS13::Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => outer_ech
+          )
+        )
+        conn.send_record(
+          TTTLS13::Message::Record.new(
+            type: TTTLS13::Message::ContentType::HANDSHAKE,
+            messages: [outer],
+            cipher: TTTLS13::Cryptograph::Passer.new
+          )
+        )
+        @stack << outer
+
+        recv, = conn.recv_message(TTTLS13::Cryptograph::Passer.new)
+        @stack << recv
+
+        recv
+      end
+      # rubocop: enable Metrics/AbcSize
+      # rubocop: enable Metrics/MethodLength
+
+      class IllegalEchClientHello < TTTLS13::Message::Extension::ECHClientHello
+        using TTTLS13::Refinements
+
+        ILLEGAL_OUTER = "\x02".freeze
+        ILLEGAL_INNER = "\x03".freeze
+
+        def self.new_inner
+          IllegalEchClientHello.new(type: ILLEGAL_INNER)
+        end
+
+        def self.new_outer(cipher_suite:, config_id:, enc:, payload:)
+          IllegalEchClientHello.new(
+            type: ILLEGAL_OUTER,
+            cipher_suite:,
+            config_id:,
+            enc:,
+            payload:
+          )
+        end
+
+        def serialize
+          case @type
+          when ILLEGAL_OUTER
+            binary = @type + @cipher_suite.encode + @config_id.to_uint8 \
+                     + @enc.prefix_uint16_length + @payload.prefix_uint16_length
+          when ILLEGAL_INNER
+            binary = @type
+          else
+            return super
+          end
+
+          @extension_type + binary.prefix_uint16_length
+        end
+      end
+    end
+  end
+end