echspec 0.0.2 → 0.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 664b02dfe5659032ff19242937be686085ab762f223fd950a1332da55fd69e12
-  data.tar.gz: 0146c242937094ff8a4cb1c494d27af14a55d34e8967c4bf174b6eb76132b8c6
+  metadata.gz: 9da986ad5207e26d816ebe08d7f8620981836c13d0dd9d695447269276a13453
+  data.tar.gz: ad7effc41c7349b011fc386ec4195d1d2dd86d51af68317d4034ad9538a9d31f
 SHA512:
-  metadata.gz: ca2add160c37c4997ee2f76172c1b4edc598d85149fecfae5fd6861dce34455916fbee67d02bbf60e8d6f121e583ca284fee4bde73a215c735c05465e30b8704
-  data.tar.gz: 832197c0251d27bf060a4ac774126117eca42fc11615e1078edbf4db84109a24125e6ab2417cba393223a87632701deea876a90e0e1cf5d9a8d7c7b324a40dc8
+  metadata.gz: 53a725b8f4e8404f579b4b87b7d434c6146fa054f80a67147a2df2477102ecd3f7ca32db9b8827a5f00bfd1c51c0c70ec2c1575747c8a53716f682111a6d1c23
+  data.tar.gz: a0c8940990d04ff038e1ecdc4f1505a8b27f4ca87232daf08daecc9263f0a34c0cb8f14fee896d254a729102cc01d1cb7bb127f754c3ad9119b6bfb39c1487e7

data/.rubocop.yml

@@ -1,5 +1,5 @@
 AllCops:
-  TargetRubyVersion: 3.2
+  TargetRubyVersion: 4.0
 
 Layout/LineLength:
   Max: 200
@@ -9,6 +9,7 @@ Metrics/AbcSize:
 
 Metrics/BlockLength:
   Exclude:
+    - 'Rakefile'
     - 'spec/*.rb'
 
 Metrics/ClassLength:

data/.ruby-version

@@ -1 +1 @@
-3.4.3
+4.0.1

data/Gemfile

@@ -1,13 +1,14 @@
 source 'https://rubygems.org'
 
 gem 'base64'
+gem 'ech_config', github: 'thekuwayama/ech_config'
 gem 'resolv', '> 0.4.0'
 gem 'tttls1.3', github: 'thekuwayama/tttls1.3'
 
 group :development do
   gem 'rake', '13.2.1'
   gem 'rspec'
-  gem 'rubocop', '1.62.0'
+  gem 'rubocop', '1.82.1'
 end
 
 gemspec

data/README.md

@@ -8,7 +8,7 @@
 
 ![echspec demo](docs/echspec-demo.png)
 
-- https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22
+- https://datatracker.ietf.org/doc/html/rfc9849
 
 
 ## Installation
@@ -24,7 +24,13 @@ $ gem install echspec
 
 ```sh-session
 $ echspec --help
-Usage: echspec [OPTIONS] <HOSTNAME>
+Usage: echspec {SUBCOMMAND}
+
+Available subcommands: run, gen_configs, version, help.
+```
+```sh-session
+$ echspec run --help
+Usage: echspec run [OPTIONS...] {HOSTNAME}
     -f, --file FILE                  path to ECHConfigs PEM file       (default resolve ECHConfigs via DNS)
     -p, --port VALUE                 server port number                (default 443)
     -n, --not-force-compliant-hpke   not force compliant ECHConfig HPKE cipher suite
@@ -35,7 +41,7 @@ Usage: echspec [OPTIONS] <HOSTNAME>
 You can run it the following:
 
 ```sh-session
-$ echspec research.cloudflare.com
+$ echspec run research.cloudflare.com
 TLS Encrypted Client Hello Server
         ✔ MUST implement the following HPKE cipher suite: KEM: DHKEM(X25519, HKDF-SHA256), KDF: HKDF-SHA256 and AEAD: AES-128-GCM. [9]
         ✔ MUST abort with an "illegal_parameter" alert, if EncodedClientHelloInner is padded with non-zero values. [5.1-9]
@@ -54,7 +60,7 @@ TLS Encrypted Client Hello Server
 Failures:
 
         1) MUST abort with an "illegal_parameter" alert, if ECHClientHello.type is not a valid ECHClientHelloType in ClientHelloOuter. [7-5]
-                https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-7-5
+                https://datatracker.ietf.org/doc/html/rfc9849#section-7-5
                 did not send expected alert: illegal_parameter
 
 1 failure
@@ -63,7 +69,7 @@ Failures:
 By default, `echspec` retrieves ECHConfigs via HTTPS records. By using the `-f, --file FILE` option, you can specify an ECHConfig pem file. If you need to test the server on localhost, you can run it the following:
 
 ```sh-session
-$ echspec -f fixtures/echconfigs.pem -p 4433 localhost
+$ echspec run -f fixtures/echconfigs.pem -p 4433 localhost
 ```
 
 By default, `echspec` uses the following HPKE cipher suite
@@ -78,13 +84,13 @@ By default, `echspec` uses the following HPKE cipher suite
 Using the `-n` or `--not-force-compliant-hpke`, you can not enforce the HPKE cipher suite.
 
 ```sh-session
-$ echspec -f fixtures/echconfigs.pem -p 4433 -n localhost
+$ echspec run -f fixtures/echconfigs.pem -p 4433 -n localhost
 ```
 
 If you specify the SECTIONS, you can run only SECTIONS the following:
 
 ```sh-session
-$ echspec -f fixtures/echconfigs.pem -p 4433 -n -s 7.1.1-2,7.1.1-5 localhost
+$ echspec run -f fixtures/echconfigs.pem -p 4433 -n -s 7.1.1-2,7.1.1-5 localhost
 TLS Encrypted Client Hello Server
         ✔ MUST abort with a "missing_extension" alert, if 2nd ClientHelloOuter does not contains the "encrypted_client_hello" extension. [7.1.1-2]
         ✔ MUST abort with an "illegal_parameter" alert, if 2nd ClientHelloOuter "encrypted_client_hello" enc is empty. [7.1.1-2]
@@ -94,7 +100,7 @@ TLS Encrypted Client Hello Server
 Using the `-v` or `--verbose` option provides a message stack if an error occurs. The message stack is formatted as JSON.
 
 ```sh-session
-$ echspec -s 7-5 -v research.cloudflare.com 2>&1 > /dev/null | jq .
+$ echspec run -s 7-5 -v research.cloudflare.com 2>&1 > /dev/null | jq .
 ````
 
 <details>

data/echspec.gemspec

@@ -11,16 +11,20 @@ Gem::Specification.new do |spec|
   spec.description   = spec.summary
   spec.homepage      = 'https://github.com/thekuwayama/echspec'
   spec.license       = 'MIT'
-  spec.required_ruby_version = '>=3.2'
+  spec.required_ruby_version = '>=4.0'
 
-  spec.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
-  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (f == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
+    end
+  end
   spec.require_paths = ['lib']
   spec.bindir        = 'exe'
   spec.executables   = ['echspec']
 
   spec.add_development_dependency 'bundler'
   spec.add_dependency             'base64'
+  spec.add_dependency             'ech_config', '~> 0.0.4'
   spec.add_dependency             'resolv', '> 0.4.0'
-  spec.add_dependency             'tttls1.3', '~> 0.3.5'
+  spec.add_dependency             'tttls1.3', '~> 0.3.6'
 end

data/exe/echspec

@@ -4,4 +4,4 @@ $LOAD_PATH << "#{__dir__}/../lib"
 
 require 'echspec'
 
-EchSpec::CLI.new.run
+EchSpec::CLI.new.execute

data/lib/echspec/cli/gen_configs.rb

@@ -0,0 +1,61 @@
+module EchSpec
+  class CLI
+    class GenConfigs
+      def execute(argv)
+        fpath = parse_options(argv)
+        write(fpath)
+      end
+
+      def parse_options(argv)
+        op = OptionParser.new
+
+        op.banner = 'Usage: echspec gen_configs {FILE}'
+
+        begin
+          args = op.parse(argv)
+        rescue OptionParser::InvalidOption, OptionParser::MissingArgument => e
+          warn op
+          warn "** #{e.message}"
+          exit 1
+        end
+
+        if args.length != 1
+          warn op
+          warn '** {FILE} argument is not specified'
+          exit 1
+        end
+        args[0]
+      end
+
+      def write(fpath)
+        hostname = 'localhost'
+
+        key = OpenSSL::PKey.generate_key('X25519')
+        echconfigs = ECHConfigList.new(
+          [
+            ECHConfig.new(
+              "\xfe\x0d".b,
+              ECHConfig::ECHConfigContents.new(
+                ECHConfig::ECHConfigContents::HpkeKeyConfig.new(
+                  123,
+                  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeKemId.new(HPKE::DHKEM_X25519_HKDF_SHA256),
+                  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkePublicKey.new(key.raw_public_key),
+                  [
+                    ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite.new(
+                      ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite::HpkeKdfId.new(HPKE::HKDF_SHA256),
+                      ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite::HpkeAeadId.new(HPKE::AES_128_GCM)
+                    )
+                  ]
+                ),
+                32,
+                hostname.b,
+                ECHConfig::ECHConfigContents::Extensions.new('')
+              )
+            )
+          ]
+        )
+        File.write(fpath, key.private_to_pem + echconfigs.to_pem)
+      end
+    end
+  end
+end

data/lib/echspec/cli/run.rb

@@ -0,0 +1,100 @@
+module EchSpec
+  class CLI
+    class Run
+      def execute(argv)
+        fpath, port, force_compliant, verbose, hostname, sections = parse_options(argv)
+
+        if sections.nil?
+          Spec.run(fpath, port, hostname, force_compliant, verbose)
+        else
+          Spec.run_only(fpath, port, hostname, sections, verbose)
+        end
+      end
+
+      # rubocop: disable Metrics/AbcSize
+      # rubocop: disable Metrics/MethodLength
+      def parse_options(argv)
+        op = OptionParser.new
+
+        # default value
+        fpath = nil
+        port = 443
+        force_compliant = true
+        verbose = false
+        sections = nil
+
+        op.on(
+          '-f',
+          '--file FILE',
+          'path to ECHConfigs PEM file       (default resolve ECHConfigs via DNS)'
+        ) do |v|
+          fpath = v
+        end
+
+        op.on(
+          '-p',
+          '--port VALUE',
+          "server port number                (default #{port})"
+        ) do |v|
+          port = v
+        end
+
+        op.on(
+          '-n',
+          '--not-force-compliant-hpke',
+          'not force compliant ECHConfig HPKE cipher suite'
+        ) do
+          force_compliant = false
+        end
+
+        op.on(
+          '-v',
+          '--verbose',
+          'verbose mode; prints message stack if raised an error'
+        ) do
+          verbose = true
+        end
+
+        op.on(
+          '-s',
+          '--sections SECTIONS',
+          'sections to test; by the default, test all sections'
+        ) do |v|
+          sections = v.split(',')
+        end
+
+        op.banner = 'Usage: echspec run [OPTIONS...] {HOSTNAME}'
+
+        begin
+          args = op.parse(argv)
+        rescue OptionParser::InvalidOption, OptionParser::MissingArgument => e
+          warn op
+          warn "** #{e.message}"
+          exit 1
+        end
+
+        if !fpath.nil? && !File.exist?(fpath)
+          warn '** {FILE} is not found'
+          exit 1
+        end
+
+        unknowns = sections.nil? ? [] : sections - Spec.sections
+        unless unknowns.empty?
+          warn "** #{unknowns} are unknown sections"
+          exit 1
+        end
+
+        if args.length != 1
+          warn op
+          warn '** {HOSTNAME} argument is not specified'
+          exit 1
+        end
+        hostname = args[0]
+
+        [fpath, port, force_compliant, verbose, hostname, sections]
+      end
+      # rubocop: enable Metrics/AbcSize
+      # rubocop: enable Metrics/MethodLength
+    end
+  end
+end

data/lib/echspec/cli.rb

@@ -1,96 +1,33 @@
+require_relative 'cli/gen_configs'
+require_relative 'cli/run'
+
 module EchSpec
   class CLI
-    # rubocop: disable Metrics/AbcSize
-    # rubocop: disable Metrics/MethodLength
-    def parse_options(argv = ARGV)
-      op = OptionParser.new
-
-      # default value
-      fpath = nil
-      port = 443
-      force_compliant = true
-      verbose = false
-      sections = nil
-
-      op.on(
-        '-f',
-        '--file FILE',
-        'path to ECHConfigs PEM file       (default resolve ECHConfigs via DNS)'
-      ) do |v|
-        fpath = v
-      end
-
-      op.on(
-        '-p',
-        '--port VALUE',
-        "server port number                (default #{port})"
-      ) do |v|
-        port = v
-      end
-
-      op.on(
-        '-n',
-        '--not-force-compliant-hpke',
-        'not force compliant ECHConfig HPKE cipher suite'
-      ) do
-        force_compliant = false
-      end
-
-      op.on(
-        '-v',
-        '--verbose',
-        'verbose mode; prints message stack if raised an error'
-      ) do
-        verbose = true
-      end
-
-      op.on(
-        '-s',
-        '--sections SECTIONS',
-        'sections to test; by the default, test all sections'
-      ) do |v|
-        sections = v.split(',')
-      end
-
-      op.banner = 'Usage: echspec [OPTIONS] <HOSTNAME>'
-      begin
-        args = op.parse(argv)
-      rescue OptionParser::InvalidOption, OptionParser::MissingArgument => e
-        warn op
-        warn "** #{e.message}"
-        exit 1
-      end
+    using Refinements
 
-      if !fpath.nil? && !File.exist?(fpath)
-        warn '** <FILE> is not found'
-        exit 1
-      end
+    def execute(argv = ARGV)
+      subcommands = %i[run gen_configs]
 
-      unknowns = sections.nil? ? [] : sections - Spec.sections
-      unless unknowns.empty?
-        warn "** #{unknowns} are unknown sections"
-        exit 1
-      end
+      op = OptionParser.new
 
-      if args.length != 1
-        warn op
-        warn '** <HOSTNAME> argument is not specified'
-        exit 1
-      end
-      hostname = args[0]
+      op.banner = <<~USAGE
+        Usage: echspec {SUBCOMMAND}
 
-      [fpath, port, force_compliant, verbose, hostname, sections]
-    end
-    # rubocop: enable Metrics/AbcSize
-    # rubocop: enable Metrics/MethodLength
+        Available subcommands: #{subcommands.join(', ')}, version, help.
+      USAGE
 
-    def run
-      fpath, port, force_compliant, verbose, hostname, sections = parse_options
+      op.version = EchSpec::VERSION
+      op.order!(argv)
 
-      if sections.nil?
-        Spec.run(fpath, port, hostname, force_compliant, verbose)
+      subcommand = argv.shift
+      case subcommand&.to_sym
+      when :version
+        puts EchSpec::VERSION
+      when *subcommands
+        klass = self.class.const_get(subcommand.to_camel)
+        klass.new.__send__(:execute, argv)
       else
-        Spec.run_only(fpath, port, hostname, sections, verbose)
+        puts op
       end
     end
   end

data/lib/echspec/spec/5.1-10.rb

@@ -1,7 +1,7 @@
 module EchSpec
   module Spec
     class Spec5_1_10 < WithSocket
-      # Next it makes a copy of the client_hello field and copies the
+      # Next, it makes a copy of the client_hello field and copies the
       # legacy_session_id field from ClientHelloOuter. It then looks for an
       # "ech_outer_extensions" extension. If found, it replaces the extension
       # with the corresponding sequence of extensions in the
@@ -14,7 +14,7 @@ module EchSpec
       # * The extensions in ClientHelloOuter corresponding to those in
       #   OuterExtensions do not occur in the same order.
       #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-5.1-10
+      # https://datatracker.ietf.org/doc/html/rfc9849#section-5.1-10
 
       # @return [EchSpec::SpecGroup]
       def self.spec_group

data/lib/echspec/spec/5.1-9.rb

@@ -2,12 +2,12 @@ module EchSpec
   module Spec
     class Spec5_1_9 < WithSocket
       # The client-facing server computes ClientHelloInner by reversing this
-      # process. First it parses EncodedClientHelloInner, interpreting all
-      # bytes after client_hello as padding. If any padding byte is non-
-      # zero, the server MUST abort the connection with an
-      # "illegal_parameter" alert.
+      # process. First, it parses EncodedClientHelloInner, interpreting all
+      # bytes after client_hello as padding. If any padding byte is non-zero,
+      # the server MUST abort the connection with an "illegal_parameter"
+      # alert.
       #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-5.1-9
+      # https://datatracker.ietf.org/doc/html/rfc9849#section-5.1-9
 
       # @return [EchSpec::SpecGroup]
       def self.spec_group

data/lib/echspec/spec/7-5.rb

@@ -1,10 +1,14 @@
 module EchSpec
   module Spec
     class Spec7_5 < WithSocket
-      # If ECHClientHello.type is not a valid ECHClientHelloType, then the
-      # server MUST abort with an "illegal_parameter" alert.
+      # In shared mode, a server plays both roles, first decrypting the
+      # ClientHelloOuter and then using the contents of the ClientHelloInner.
+      # A shared mode server which receives a ClientHello with
+      # ECHClientHello.type of inner MUST abort with an "illegal_parameter"
+      # alert, because such a ClientHello should never be received directly
+      # from the network.
       #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-7-5
+      # https://datatracker.ietf.org/doc/html/rfc9849#section-7-5
 
       # @return [EchSpec::SpecGroup]
       def self.spec_group

data/lib/echspec/spec/7.1-11.rb

@@ -7,7 +7,7 @@ module EchSpec
       # offer TLS 1.2 or below. If either of these checks fails, the client-
       # facing server MUST abort with an "illegal_parameter" alert.
       #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-7.1-11
+      # https://datatracker.ietf.org/doc/html/rfc9849#section-7.1-11
 
       # @return [SpecGroup]
       def self.spec_group

data/lib/echspec/spec/7.1-14.2.1.rb

@@ -3,8 +3,8 @@ module EchSpec
     class Spec7_1_14_2_1 < WithSocket
       # Otherwise, if all candidate ECHConfig values fail to decrypt the
       # extension, the client-facing server MUST ignore the extension and
-      # proceed with the connection using ClientHelloOuter, with the
-      # following modifications:
+      # proceed with the connection using ClientHelloOuter with the following
+      # modifications:
       #
       # * If the server is configured with any ECHConfigs, it MUST include
       #   the "encrypted_client_hello" extension in its EncryptedExtensions
@@ -13,7 +13,7 @@ module EchSpec
       #   ECHConfig values of different versions. This allows a server to
       #   support multiple versions at once.
       #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-7.1-14.2.1
+      # https://datatracker.ietf.org/doc/html/rfc9849#section-7.1-14.2.1
 
       # @return [EchSpec::SpecGroup]
       def self.spec_group

data/lib/echspec/spec/7.1.1-2.rb

@@ -1,7 +1,7 @@
 module EchSpec
   module Spec
     class Spec7_1_1_2 < WithSocket
-      # If the client-facing server accepted ECH, it checks the second
+      # If the client-facing server accepted ECH, it checks that the second
       # ClientHelloOuter also contains the "encrypted_client_hello"
       # extension. If not, it MUST abort the handshake with a
       # "missing_extension" alert. Otherwise, it checks that
@@ -9,7 +9,7 @@ module EchSpec
       # unchanged, and that ECHClientHello.enc is empty. If not, it MUST
       # abort the handshake with an "illegal_parameter" alert.
       #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-7.1.1-2
+      # https://datatracker.ietf.org/doc/html/rfc9849#section-7.1.1-2
 
       # @return [EchSpec::SpecGroup]
       def self.spec_group

data/lib/echspec/spec/7.1.1-5.rb

@@ -5,10 +5,10 @@ module EchSpec
       # using the second ClientHelloOuter. If decryption fails, the client-
       # facing server MUST abort the handshake with a "decrypt_error" alert.
       # Otherwise, it reconstructs the second ClientHelloInner from the new
-      # EncodedClientHelloInner as described in Section 5.1, using the
-      # second ClientHelloOuter for any referenced extensions.
+      # EncodedClientHelloInner as described in Section 5.1, using the second
+      # ClientHelloOuter for any referenced extensions.
       #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-7.1.1-5
+      # https://datatracker.ietf.org/doc/html/rfc9849#section-7.1.1-5
 
       # @return [EchSpec::SpecGroup]
       def self.spec_group

data/lib/echspec/spec/9.rb

@@ -9,7 +9,7 @@ module EchSpec
       # * KDF: HKDF-SHA256 (see Section 7.2 of [HPKE])
       # * AEAD: AES-128-GCM (see Section 7.3 of [HPKE])
       #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-9
+      # https://datatracker.ietf.org/doc/html/rfc9849#section-9
       @section = '9'
       @description = 'MUST implement the following HPKE cipher suite: KEM: DHKEM(X25519, HKDF-SHA256), KDF: HKDF-SHA256 and AEAD: AES-128-GCM.'
       class << self
@@ -47,9 +47,9 @@ module EchSpec
         def validate_compliant_ech_configs(ech_configs)
           ech_config = ech_configs.find do |c|
             kconfig = c.echconfig_contents.key_config
-            valid_kem_id = kconfig.kem_id.uint16 == 0x0020
+            valid_kem_id = kconfig.kem_id.uint16 == HPKE::DHKEM_X25519_HKDF_SHA256
             valid_cipher_suite = kconfig.cipher_suites.any? do |cs|
-              cs.kdf_id.uint16 == 0x0001 && cs.aead_id.uint16 == 0x0001
+              cs.kdf_id.uint16 == HPKE::HKDF_SHA256 && cs.aead_id.uint16 == HPKE::AES_128_GCM
             end
 
             valid_kem_id && valid_cipher_suite
@@ -72,7 +72,7 @@ module EchSpec
             return Err.new(e.message, nil)
           end
 
-          # https://datatracker.ietf.org/doc/html/draft-ietf-tls-svcb-ech-01#section-6
+          # https://datatracker.ietf.org/doc/html/rfc9934#section-3
           ech = 5
           return Err.new("HTTPS resource record for #{hostname} does NOT have ech SvcParams.", nil) if rr.params[ech].nil?
 
@@ -95,7 +95,7 @@ module EchSpec
           ech_configs = ECHConfig.decode_vectors(b.slice(2..))
           Ok.new(ech_configs)
         rescue StandardError
-          # https://datatracker.ietf.org/doc/html/draft-farrell-tls-pemesni-08#section-3
+          # https://datatracker.ietf.org/doc/html/rfc9934#section-3
           example = <<~PEM
             -----BEGIN PRIVATE KEY-----
             MC4CAQAwBQYDK2VuBCIEICjd4yGRdsoP9gU7YT7My8DHx1Tjme8GYDXrOMCi8v1V

data/lib/echspec/spec.rb

@@ -14,7 +14,7 @@ module EchSpec
 
       ResultDescURL = Struct.new(:result, :desc, :url)
 
-      # @param rds [Array<ResultDescURL>] result: EchSpec::Ok | Err, desc: String
+      # @param rdus [Array<ResultDescURL>] result: EchSpec::Ok | Err, desc: String, url: URI
       # @param verbose [Boolean]
       def print_results(rdus, verbose)
         rdus.each { |rdu| print_summary(rdu.result, rdu.desc) }
@@ -148,7 +148,7 @@ module EchSpec
       #
       # @return [String]
       def url(section)
-        "https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-#{section}"
+        "https://datatracker.ietf.org/doc/html/rfc9849#section-#{section}"
       end
 
       # @param fpath [String | NilClass]
@@ -157,7 +157,7 @@ module EchSpec
       #
       # @return [ECHConfig]
       def try_get_ech_config(fpath, hostname, force_compliant)
-        # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-9
+        # https://datatracker.ietf.org/doc/html/rfc9849#section-9
         result = Spec9.try_get_ech_config(fpath, hostname, force_compliant)
         desc = desc(Spec9.description, Spec9.section)
         url = url(Spec9.section)
@@ -175,10 +175,10 @@ module EchSpec
       end
 
       def spec_groups
-        # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-5
+        # https://datatracker.ietf.org/doc/html/rfc9849#section-5
         groups = [Spec5_1_9, Spec5_1_10]
 
-        # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-7
+        # https://datatracker.ietf.org/doc/html/rfc9849#section-7
         groups += [Spec7_5, Spec7_1_11, Spec7_1_14_2_1, Spec7_1_1_2, Spec7_1_1_5]
 
         groups.map(&:spec_group)

data/lib/echspec/utils.rb

@@ -20,6 +20,10 @@ module EchSpec
       def yellow
         colorize(33)
       end
+
+      def to_camel
+        gsub(/(?:^|_)(.)/) { Regexp.last_match(1).upcase }
+      end
     end
   end
 end

data/lib/echspec/version.rb

@@ -1,3 +1,3 @@
 module EchSpec
-  VERSION = '0.0.2'.freeze
+  VERSION = '0.0.4'.freeze
 end

data/lib/echspec.rb

@@ -1,16 +1,17 @@
 require 'base64'
 require 'optparse'
+require 'pp'
 require 'resolv'
 require 'timeout'
 require 'tttls1.3'
 
-require 'echspec/version'
-require 'echspec/utils'
-require 'echspec/log'
-require 'echspec/error'
-require 'echspec/result'
-require 'echspec/tls13_client'
-require 'echspec/spec_case'
-require 'echspec/spec_group'
-require 'echspec/spec'
-require 'echspec/cli'
+require_relative 'echspec/version'
+require_relative 'echspec/utils'
+require_relative 'echspec/log'
+require_relative 'echspec/error'
+require_relative 'echspec/result'
+require_relative 'echspec/tls13_client'
+require_relative 'echspec/spec_case'
+require_relative 'echspec/spec_group'
+require_relative 'echspec/spec'
+require_relative 'echspec/cli'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: echspec
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.4
 platform: ruby
 authors:
 - thekuwayama
@@ -37,6 +37,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: ech_config
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.4
 - !ruby/object:Gem::Dependency
   name: resolv
   requirement: !ruby/object:Gem::Requirement
@@ -57,14 +71,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.5
+        version: 0.3.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.5
+        version: 0.3.6
 description: A conformance testing tool for ECH implementation
 email:
 - thekuwayama@gmail.com
@@ -73,8 +87,6 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- ".github/workflows/ci.yml"
-- ".gitignore"
 - ".rubocop.yml"
 - ".ruby-version"
 - Gemfile
@@ -89,6 +101,8 @@ files:
 - fixtures/server.key
 - lib/echspec.rb
 - lib/echspec/cli.rb
+- lib/echspec/cli/gen_configs.rb
+- lib/echspec/cli/run.rb
 - lib/echspec/error.rb
 - lib/echspec/log.rb
 - lib/echspec/result.rb
@@ -106,10 +120,6 @@ files:
 - lib/echspec/tls13_client.rb
 - lib/echspec/utils.rb
 - lib/echspec/version.rb
-- spec/9_spec.rb
-- spec/log_spec.rb
-- spec/spec_helper.rb
-- spec/with_socket_spec.rb
 homepage: https://github.com/thekuwayama/echspec
 licenses:
 - MIT
@@ -121,18 +131,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '3.2'
+      version: '4.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 4.0.7
 specification_version: 4
 summary: A conformance testing tool for ECH implementation
-test_files:
-- spec/9_spec.rb
-- spec/log_spec.rb
-- spec/spec_helper.rb
-- spec/with_socket_spec.rb
+test_files: []

data/.github/workflows/ci.yml

@@ -1,30 +0,0 @@
-name: lint & test
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-  ci:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        ruby-version: ['3.2', '3.3', '3.4']
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Set up Ruby
-        uses: ruby/setup-ruby@eaecf785f6a34567a6d97f686bbb7bccc1ac1e5c # v1.237.0
-        with:
-          ruby-version: ${{ matrix.ruby-version }}
-      - name: Install dependencies
-        run: |
-          gem --version
-          gem install bundler
-          bundle --version
-          bundle install
-      - name: Run rubocop & rspec
-        run: bundle exec rake

data/.gitignore

@@ -1,17 +0,0 @@
-*.gem
-*.rbc
-.config
-.rvmrc
-/.bundle/
-/vendor/
-/lib/bundler/man/
-/pkg/
-/.yardoc/
-/_yardoc/
-/doc/
-/rdoc/
-/coverage/
-/spec/reports/
-/tmp/
-.DS_Store
-Gemfile.lock

data/spec/9_spec.rb

@@ -1,13 +0,0 @@
-require_relative 'spec_helper'
-
-RSpec.describe EchSpec::Spec::Spec9 do
-  context 'parse_pem' do
-    let(:pem) do
-      File.open("#{__dir__}/../fixtures/echconfigs.pem").read
-    end
-
-    it 'could parse' do
-      expect(EchSpec::Spec::Spec9.send(:parse_pem, pem)).to be_a EchSpec::Ok
-    end
-  end
-end

data/spec/log_spec.rb

@@ -1,58 +0,0 @@
-require_relative 'spec_helper'
-
-RSpec.describe EchSpec::Log::MessageStack do
-  context 'obj2json' do
-    let(:crt) do
-      File.open("#{__dir__}/../fixtures/server.crt").read
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(OpenSSL::X509::Certificate.new(crt)))
-        .to eq "#{crt.split("\n").join('\n')}\\n"
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(1)).to eq '1'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(0.1)).to eq '0.1'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(true)).to eq 'true'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(false)).to eq 'false'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json('')).to eq '""'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json('string')).to eq '"0x737472696e67"'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(nil)).to eq 'null'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json([1, true, '', 'string', nil])).to eq '[1,true,"","0x737472696e67",null]'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(1 => true, '' => 'string', nil => [])).to eq '{1:true,"":"0x737472696e67",null:[]}'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(C.new('string'))).to eq '{"name":"0x737472696e67"}'
-    end
-
-    it 'should convert' do
-      expect(EchSpec::Log::MessageStack.obj2json(D.new)).to eq '"$D"'
-    end
-  end
-end

data/spec/spec_helper.rb

@@ -1,12 +0,0 @@
-RSpec.configure(&:disable_monkey_patching!)
-
-require 'echspec'
-
-class C
-  def initialize(name)
-    @name = name
-  end
-end
-
-class D
-end

data/spec/with_socket_spec.rb

@@ -1,77 +0,0 @@
-require_relative 'spec_helper'
-
-module EchSpec
-  module Spec
-    class SpecX < WithSocket
-      def validate(hostname, port)
-        with_socket(hostname, port) do |_socket|
-          # not return
-        end
-      end
-    end
-
-    class SpecY < WithSocket
-      def validate(hostname, port)
-        with_socket(hostname, port) do |_socket|
-          return EchSpec::Ok.new(1)
-        end
-      end
-    end
-
-    class SpecZ < WithSocket
-      def validate(hostname, port)
-        with_socket(hostname, port) do |_socket|
-          msg = TTTLS13::Message::Alert.new(
-            level: TTTLS13::Message::AlertLevel::FATAL,
-            description: "\x0a"
-          )
-          return EchSpec::Err.new('details', [msg])
-        end
-      end
-    end
-
-    class SpecW < WithSocket
-      def validate(hostname, port)
-        with_socket(hostname, port) do |_socket|
-          raise EchSpec::Error::BeforeTargetSituationError, 'not received ClientHello'
-        end
-      end
-    end
-  end
-end
-
-RSpec.describe EchSpec::Spec::WithSocket do
-  context 'with_socket' do
-    before do
-      socket = StringIO.new
-      allow(TCPSocket).to receive(:new).and_return(socket)
-    end
-
-    it 'should return nil' do
-      result = EchSpec::Spec::SpecX.new.validate('localhost', 4433)
-      expect(result).to eq nil
-    end
-
-    it 'should return Ok(1)' do
-      result = EchSpec::Spec::SpecY.new.validate('localhost', 4433)
-      expect(result).to be_a EchSpec::Ok
-      expect(result.obj).to eq 1
-    end
-
-    it 'should return Err(details, message_stack)' do
-      result = EchSpec::Spec::SpecZ.new.validate('localhost', 4433)
-      expect(result).to be_a EchSpec::Err
-      expect(result.details).to eq 'details'
-      expect(result.message_stack.length).to be 1
-      expect(result.message_stack.first.level).to be TTTLS13::Message::AlertLevel::FATAL
-      expect(result.message_stack.first.description).to eq "\x0a"
-    end
-
-    it 'should return Err(details, message_stack), raised BeforeTargetSituationError' do
-      result = EchSpec::Spec::SpecW.new.validate('localhost', 4433)
-      expect(result).to be_a EchSpec::Err
-      expect(result.details).to eq 'not received ClientHello'
-      expect(result.message_stack).to eq '{}'
-    end
-  end
-end