tttls1.3 0.2.18 → 0.3.0

data/lib/tttls1.3/connection.rb

@@ -5,6 +5,9 @@ module TTTLS13
   INITIAL = 0
   EOF     = -1
 
+  SUPPORTED_ECHCONFIG_VERSIONS = ["\xfe\x0d"].freeze
+  private_constant :SUPPORTED_ECHCONFIG_VERSIONS
+
   # rubocop: disable Metrics/ClassLength
   class Connection
     include Logging
@@ -25,7 +28,7 @@ module TTTLS13
       @send_record_size = Message::DEFAULT_RECORD_SIZE_LIMIT
       @recv_record_size = Message::DEFAULT_RECORD_SIZE_LIMIT
       @alpn = nil # String
-      @exporter_master_secret = nil # String
+      @exporter_secret = nil # String
     end
 
     # @raise [TTTLS13::Error::ConfigError]
@@ -109,15 +112,15 @@ module TTTLS13
     #
     # @return [String, nil]
     def exporter(label, context, key_length)
-      return nil if @exporter_master_secret.nil? || @cipher_suite.nil?
+      return nil if @exporter_secret.nil? || @cipher_suite.nil?
 
       digest = CipherSuite.digest(@cipher_suite)
-      do_exporter(@exporter_master_secret, digest, label, context, key_length)
+      do_exporter(@exporter_secret, digest, label, context, key_length)
     end
 
     private
 
-    # @param secret [String] (early_)exporter_master_secret
+    # @param secret [String] (early_)exporter_secret
     # @param digest [String] name of digest algorithm
     # @param label [String]
     # @param context [String]
@@ -517,10 +520,8 @@ module TTTLS13
     #
     # @return [Array of TTTLS13::Message::Extension::SignatureAlgorithms]
     def do_select_signature_algorithms(signature_algorithms, crt)
-      spki = OpenSSL::Netscape::SPKI.new
-      spki.public_key = crt.public_key
-      pka = OpenSSL::ASN1.decode(spki.to_der)
-                         .value.first.value.first.value.first.value.first.value
+      pka = OpenSSL::ASN1.decode(crt.public_key.to_der)
+                         .value.first.value.first.value
       signature_algorithms.select do |sa|
         case sa
         when SignatureScheme::ECDSA_SECP256R1_SHA256,

data/lib/tttls1.3/cryptograph/aead.rb

@@ -45,7 +45,7 @@ module TTTLS13
       # @return [String]
       def encrypt(content, type)
         cipher = reset_cipher
-        plaintext = content + type + "\x00" * @length_of_padding
+        plaintext = content + type + @length_of_padding.zeros
         cipher.auth_data = additional_data(plaintext.length)
         encrypted_data = cipher.update(plaintext) + cipher.final
         @sequence_number.succ

data/lib/tttls1.3/error.rb

@@ -10,7 +10,7 @@ module TTTLS13
     class ConfigError < Error; end
 
     # Raised on received Error Alerts message or invalid message.
-    # https://tools.ietf.org/html/rfc8446#section-6.2
+    # https://datatracker.ietf.org/doc/html/rfc8446#section-6.2
     # Terminated the connection, so you *cannot* recover from this exception.
     class ErrorAlerts < Error
       # @return [TTTLS13::Message::Alert]

data/lib/tttls1.3/hpke.rb

@@ -0,0 +1,91 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+module TTTLS13
+  # NOTE: Hpke module is the adapter for ech_config using hpke-rb.
+  module Hpke
+    module KemId
+      # https://www.iana.org/assignments/hpke/hpke.xhtml#hpke-kem-ids
+      P_256_SHA256  = 0x0010
+      P_384_SHA384  = 0x0011
+      P_521_SHA512  = 0x0012
+      X25519_SHA256 = 0x0020
+      X448_SHA512   = 0x0021
+    end
+
+    def self.kem_id2dhkem(kem_id)
+      case kem_id
+      when KemId::P_256_SHA256
+        %i[p_256 sha256]
+      when KemId::P_384_SHA384
+        %i[p_384 sha384]
+      when KemId::P_521_SHA512
+        %i[p_521 sha512]
+      when KemId::X25519_SHA256
+        %i[x25519 sha256]
+      when KemId::X448_SHA512
+        %i[x448 sha512]
+      end
+    end
+
+    def self.kem_curve_name2dhkem(kem_curve_name)
+      case kem_curve_name
+      when :p_256
+        HPKE::DHKEM::EC::P_256
+      when :p_384
+        HPKE::DHKEM::EC::P_384
+      when :p_521
+        HPKE::DHKEM::EC::P_521
+      when :x25519
+        HPKE::DHKEM::X25519
+      when :x448
+        HPKE::DHKEM::X448
+      end
+    end
+
+    module KdfId
+      # https://www.iana.org/assignments/hpke/hpke.xhtml#hpke-kdf-ids
+      HKDF_SHA256 = 0x0001
+      HKDF_SHA384 = 0x0002
+      HKDF_SHA512 = 0x0003
+    end
+
+    def self.kdf_id2kdf_hash(kdf_id)
+      case kdf_id
+      when KdfId::HKDF_SHA256
+        :sha256
+      when KdfId::HKDF_SHA384
+        :sha384
+      when KdfId::HKDF_SHA512
+        :sha512
+      end
+    end
+
+    module AeadId
+      # https://www.iana.org/assignments/hpke/hpke.xhtml#hpke-aead-ids
+      AES_128_GCM       = 0x0001
+      AES_256_GCM       = 0x0002
+      CHACHA20_POLY1305 = 0x0003
+    end
+
+    def self.aead_id2overhead_len(aead_id)
+      case aead_id
+      when AeadId::AES_128_GCM, AeadId::CHACHA20_POLY1305
+        16
+      when AeadId::AES_256_GCM
+        32
+      end
+    end
+
+    def self.aead_id2aead_cipher(aead_id)
+      case aead_id
+      when AeadId::AES_128_GCM
+        :aes_128_gcm
+      when AeadId::AES_256_GCM
+        :aes_256_gcm
+      when AeadId::CHACHA20_POLY1305
+        :chacha20_poly1305
+      end
+    end
+  end
+end

data/lib/tttls1.3/key_schedule.rb

@@ -14,14 +14,14 @@ module TTTLS13
       @hash_len = CipherSuite.hash_len(cipher_suite)
       @key_len = CipherSuite.key_len(cipher_suite)
       @iv_len = CipherSuite.iv_len(cipher_suite)
-      @psk = psk || "\x00" * @hash_len
+      @psk = psk || @hash_len.zeros
       @shared_secret = shared_secret
       @transcript = transcript
     end
 
     # @return [String]
     def early_salt
-      "\x00" * @hash_len
+      @hash_len.zeros
     end
 
     # @return [String]
@@ -61,8 +61,15 @@ module TTTLS13
       self.class.hkdf_expand_label(secret, 'iv', '', @iv_len, @digest)
     end
 
+    # @deprecated Please use `early_exporter_secret` instead
+    #
     # @return [String]
     def early_exporter_master_secret
+      early_exporter_secret
+    end
+
+    # @return [String]
+    def early_exporter_secret
       hash = OpenSSL::Digest.digest(@digest, '')
       derive_secret(early_secret, 'e exp master', hash)
     end
@@ -126,22 +133,36 @@ module TTTLS13
       self.class.hkdf_expand_label(secret, 'iv', '', @iv_len, @digest)
     end
 
+    # @deprecated Please use `main_salt` instead
+    #
     # @return [String]
     def master_salt
+      main_salt
+    end
+
+    # @return [String]
+    def main_salt
       hash = OpenSSL::Digest.digest(@digest, '')
       derive_secret(handshake_secret, 'derived', hash)
     end
 
+    # @deprecated Please use `main_secret` instead
+    #
     # @return [String]
     def master_secret
-      ikm = "\x00" * @hash_len
-      hkdf_extract(ikm, master_salt)
+      main_secret
+    end
+
+    # @return [String]
+    def main_secret
+      ikm = @hash_len.zeros
+      hkdf_extract(ikm, main_salt)
     end
 
     # @return [String]
     def client_application_traffic_secret
       hash = @transcript.hash(@digest, SF)
-      derive_secret(master_secret, 'c ap traffic', hash)
+      derive_secret(main_secret, 'c ap traffic', hash)
     end
 
     # @return [String]
@@ -159,7 +180,7 @@ module TTTLS13
     # @return [String]
     def server_application_traffic_secret
       hash = @transcript.hash(@digest, SF)
-      derive_secret(master_secret, 's ap traffic', hash)
+      derive_secret(main_secret, 's ap traffic', hash)
     end
 
     # @return [String]
@@ -174,16 +195,30 @@ module TTTLS13
       self.class.hkdf_expand_label(secret, 'iv', '', @iv_len, @digest)
     end
 
+    # @deprecated Please use `exporter_secret` instead
+    #
     # @return [String]
     def exporter_master_secret
+      exporter_secret
+    end
+
+    # @return [String]
+    def exporter_secret
       hash = @transcript.hash(@digest, SF)
-      derive_secret(master_secret, 'exp master', hash)
+      derive_secret(main_secret, 'exp master', hash)
     end
 
+    # @deprecated Please use `resumption_secret` instead
+    #
     # @return [String]
     def resumption_master_secret
+      resumption_secret
+    end
+
+    # @return [String]
+    def resumption_secret
       hash = @transcript.hash(@digest, CF)
-      derive_secret(master_secret, 'res master', hash)
+      derive_secret(main_secret, 'res master', hash)
     end
 
     # @param ikm [String]
@@ -238,6 +273,74 @@ module TTTLS13
     def derive_secret(secret, label, context)
       self.class.hkdf_expand_label(secret, label, context, @hash_len, @digest)
     end
+
+    # @return [String]
+    def accept_confirmation
+      ch_inner_random = @transcript[CH].first.random
+      sh = @transcript[SH].first
+      sh = Message::ServerHello.new(
+        random: sh.random[...-8] + 8.zeros,
+        legacy_session_id_echo: sh.legacy_session_id_echo,
+        cipher_suite: sh.cipher_suite,
+        extensions: sh.extensions
+      )
+      transcript = @transcript.clone
+      transcript[SH] = [sh, sh.serialize]
+      transcript_ech_conf = transcript.hash(@digest, SH)
+
+      self.class.hkdf_expand_label(
+        hkdf_extract(ch_inner_random, ''),
+        'ech accept confirmation',
+        transcript_ech_conf,
+        8,
+        @digest
+      )
+    end
+
+    # @return [Boolean]
+    def accept_ech?
+      accept_confirmation == @transcript[SH].first.random[-8..]
+    end
+
+    # @return [String]
+    def hrr_accept_confirmation
+      ch1_inner_random = @transcript[CH1].first.random
+      hrr = @transcript[HRR].first
+      ech = Message::Extension::ECHHelloRetryRequest.new("\x00" * 8)
+      hrr = Message::ServerHello.new(
+        random: hrr.random,
+        legacy_session_id_echo: hrr.legacy_session_id_echo,
+        cipher_suite: hrr.cipher_suite,
+        extensions: hrr.extensions.merge(
+          Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => ech
+        )
+      )
+
+      # It then computes the transcript hash for the first ClientHelloInner,
+      # denoted ClientHelloInner1, up to and including the modified
+      # HelloRetryRequest.
+      #
+      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-7.2.1-2
+      transcript = @transcript.clone
+      transcript[HRR] = [hrr, hrr.serialize]
+      transcript_hrr_ech_conf = transcript.hash(@digest, HRR)
+
+      self.class.hkdf_expand_label(
+        hkdf_extract(ch1_inner_random, ''),
+        'hrr ech accept confirmation',
+        transcript_hrr_ech_conf,
+        8,
+        @digest
+      )
+    end
+
+    # @return [Boolean]
+    def hrr_accept_ech?
+      hrr_ech = @transcript[HRR]
+                .first
+                .extensions[Message::ExtensionType::ENCRYPTED_CLIENT_HELLO]
+      hrr_accept_confirmation == hrr_ech.confirmation
+    end
   end
   # rubocop: enable Metrics/ClassLength
 end

data/lib/tttls1.3/message/alert.rb

@@ -36,7 +36,8 @@ module TTTLS13
       bad_certificate_status_response: "\x71",
       unknown_psk_identity:            "\x73",
       certificate_required:            "\x74",
-      no_application_protocol:         "\x78"
+      no_application_protocol:         "\x78",
+      ech_required:                    "\x79"
     }.freeze
     # rubocop: enable Layout/HashAlignment
 

data/lib/tttls1.3/message/client_hello.rb

@@ -31,7 +31,8 @@ module TTTLS13
       ExtensionType::CERTIFICATE_AUTHORITIES,
       ExtensionType::POST_HANDSHAKE_AUTH,
       ExtensionType::SIGNATURE_ALGORITHMS_CERT,
-      ExtensionType::KEY_SHARE
+      ExtensionType::KEY_SHARE,
+      ExtensionType::ENCRYPTED_CLIENT_HELLO
     ].freeze
     private_constant :APPEARABLE_CH_EXTENSIONS
 

data/lib/tttls1.3/message/encrypted_extensions.rb

@@ -15,7 +15,8 @@ module TTTLS13
       ExtensionType::CLIENT_CERTIFICATE_TYPE,
       ExtensionType::SERVER_CERTIFICATE_TYPE,
       ExtensionType::RECORD_SIZE_LIMIT,
-      ExtensionType::EARLY_DATA
+      ExtensionType::EARLY_DATA,
+      ExtensionType::ENCRYPTED_CLIENT_HELLO
     ].freeze
     private_constant :APPEARABLE_EE_EXTENSIONS
 

data/lib/tttls1.3/message/extension/alpn.rb

@@ -19,7 +19,7 @@ module TTTLS13
         # https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
         def initialize(protocol_name_list)
           @extension_type \
-          = ExtensionType::APPLICATION_LAYER_PROTOCOL_NEGOTIATION
+            = ExtensionType::APPLICATION_LAYER_PROTOCOL_NEGOTIATION
           @protocol_name_list = protocol_name_list || []
           raise Error::ErrorAlerts, :internal_error \
             if @protocol_name_list.empty?
@@ -27,10 +27,9 @@ module TTTLS13
 
         # @return [String]
         def serialize
-          binary = @protocol_name_list
-                   .map(&:prefix_uint8_length)
-                   .join
-                   .prefix_uint16_length
+          binary = @protocol_name_list.map(&:prefix_uint8_length)
+                                      .join
+                                      .prefix_uint16_length
 
           @extension_type + binary.prefix_uint16_length
         end

data/lib/tttls1.3/message/extension/compress_certificate.rb

@@ -11,7 +11,7 @@ module TTTLS13
         # ZSTD   = "\x00\x03" # UNSUPPORTED
       end
 
-      # https://tools.ietf.org/html/rfc8879
+      # https://datatracker.ietf.org/doc/html/rfc8879
       class CompressCertificate
         attr_reader :extension_type
         attr_reader :algorithms

data/lib/tttls1.3/message/extension/ech.rb

@@ -0,0 +1,241 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+module TTTLS13
+  using Refinements
+  HpkeSymmetricCipherSuite = \
+    ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
+  module Message
+    module Extension
+      module ECHClientHelloType
+        OUTER = "\x00"
+        INNER = "\x01"
+      end
+
+      # NOTE:
+      #     struct {
+      #         ECHClientHelloType type;
+      #         select (ECHClientHello.type) {
+      #             case outer:
+      #                 HpkeSymmetricCipherSuite cipher_suite;
+      #                 uint8 config_id;
+      #                 opaque enc<0..2^16-1>;
+      #                 opaque payload<1..2^16-1>;
+      #             case inner:
+      #                 Empty;
+      #         };
+      #     } ECHClientHello;
+      class ECHClientHello
+        attr_accessor :extension_type
+        attr_accessor :type
+        attr_accessor :cipher_suite
+        attr_accessor :config_id
+        attr_accessor :enc
+        attr_accessor :payload
+
+        # @param type [TTTLS13::Message::Extension::ECHClientHelloType]
+        # @param cipher_suite [HpkeSymmetricCipherSuite]
+        # @param config_id [Integer]
+        # @param enc [String]
+        # @param payload [String]
+        def initialize(type:,
+                       cipher_suite: nil,
+                       config_id: nil,
+                       enc: nil,
+                       payload: nil)
+          @extension_type = ExtensionType::ENCRYPTED_CLIENT_HELLO
+          @type = type
+          @cipher_suite = cipher_suite
+          raise Error::ErrorAlerts, :internal_error \
+            if @type == ECHClientHelloType::OUTER && \
+               !@cipher_suite.is_a?(HpkeSymmetricCipherSuite)
+
+          @config_id = config_id
+          @enc = enc
+          @payload = payload
+        end
+
+        # @raise [TTTLS13::Error::ErrorAlerts]
+        #
+        # @return [String]
+        def serialize
+          case @type
+          when ECHClientHelloType::OUTER
+            binary = @type + @cipher_suite.encode + @config_id.to_uint8 \
+                     + @enc.prefix_uint16_length + @payload.prefix_uint16_length
+          when ECHClientHelloType::INNER
+            binary = @type
+          else
+            raise Error::ErrorAlerts, :internal_error
+          end
+
+          @extension_type + binary.prefix_uint16_length
+        end
+
+        # @param binary [String]
+        #
+        # @raise [TTTLS13::Error::ErrorAlerts]
+        #
+        # @return [TTTLS13::Message::Extensions::ECHClientHello]
+        def self.deserialize(binary)
+          raise Error::ErrorAlerts, :internal_error \
+            if binary.nil? || binary.empty?
+
+          case binary[0]
+          when ECHClientHelloType::OUTER
+            return deserialize_outer_ech(binary[1..])
+          when ECHClientHelloType::INNER
+            return deserialize_inner_ech(binary[1..])
+          end
+
+          raise Error::ErrorAlerts, :internal_error
+        end
+
+        class << self
+          private
+
+          # @param binary [String]
+          #
+          # @raise [TTTLS13::Error::ErrorAlerts]
+          #
+          # @return [TTTLS13::Message::Extensions::ECHClientHello]
+          def deserialize_outer_ech(binary)
+            raise Error::ErrorAlerts, :internal_error \
+              if binary.nil? || binary.length < 5
+
+            kdf_id = \
+              HpkeSymmetricCipherSuite::HpkeKdfId.decode(binary.slice(0, 2))
+            aead_id = \
+              HpkeSymmetricCipherSuite::HpkeAeadId.decode(binary.slice(2, 2))
+            cs = HpkeSymmetricCipherSuite.new(kdf_id, aead_id)
+            cid = Convert.bin2i(binary.slice(4, 1))
+            enc_len = Convert.bin2i(binary.slice(5, 2))
+            i = 7
+            raise Error::ErrorAlerts, :internal_error \
+              if i + enc_len > binary.length
+
+            enc = binary.slice(i, enc_len)
+            i += enc_len
+            raise Error::ErrorAlerts, :internal_error \
+              if i + 2 > binary.length
+
+            payload_len = Convert.bin2i(binary.slice(i, 2))
+            raise Error::ErrorAlerts, :internal_error \
+              if i + payload_len > binary.length
+
+            payload = binary.slice(i, payload_len)
+            ECHClientHello.new(
+              type: ECHClientHelloType::OUTER,
+              cipher_suite: cs,
+              config_id: cid,
+              enc: enc,
+              payload: payload
+            )
+          end
+
+          # @param binary [String]
+          #
+          # @raise [TTTLS13::Error::ErrorAlerts]
+          #
+          # @return [TTTLS13::Message::Extensions::ECHClientHello]
+          def deserialize_inner_ech(binary)
+            raise Error::ErrorAlerts, :internal_error unless binary.empty?
+
+            ECHClientHello.new(type: ECHClientHelloType::INNER)
+          end
+        end
+
+        # @return [TTTLS13::Message::Extensions::ECHClientHello]
+        def self.new_inner
+          ECHClientHello.new(type: ECHClientHelloType::INNER)
+        end
+
+        # @param cipher_suite [HpkeSymmetricCipherSuite]
+        # @param config_id [Integer]
+        # @param enc [String]
+        # @param payload [String]
+        #
+        # @return [TTTLS13::Message::Extensions::ECHClientHello]
+        def self.new_outer(cipher_suite:, config_id:, enc:, payload:)
+          ECHClientHello.new(
+            type: ECHClientHelloType::OUTER,
+            cipher_suite: cipher_suite,
+            config_id: config_id,
+            enc: enc,
+            payload: payload
+          )
+        end
+      end
+
+      # NOTE:
+      #     struct {
+      #         ECHConfigList retry_configs;
+      #     } ECHEncryptedExtensions;
+      class ECHEncryptedExtensions
+        attr_accessor :extension_type
+        attr_accessor :retry_configs
+
+        # @param retry_configs [Array of ECHConfig]
+        def initialize(retry_configs)
+          @extension_type = ExtensionType::ENCRYPTED_CLIENT_HELLO
+          @retry_configs = retry_configs
+        end
+
+        # @return [String]
+        def serialize
+          @extension_type + @retry_configs.map(&:encode)
+                                          .join
+                                          .prefix_uint16_length
+                                          .prefix_uint16_length
+        end
+
+        # @param binary [String]
+        #
+        # @raise [TTTLS13::Error::ErrorAlerts]
+        #
+        # @return [TTTLS13::Message::Extensions::ECHEncryptedExtensions]
+        def self.deserialize(binary)
+          raise Error::ErrorAlerts, :decode_error \
+            if binary.nil? ||
+               binary.length != binary.slice(0, 2).unpack1('n') + 2
+
+          ECHEncryptedExtensions.new(
+            ECHConfig.decode_vectors(binary.slice(2..))
+          )
+        end
+      end
+
+      # NOTE:
+      #     struct {
+      #         opaque confirmation[8];
+      #     } ECHHelloRetryRequest;
+      class ECHHelloRetryRequest
+        attr_accessor :extension_type
+        attr_accessor :confirmation
+
+        # @param confirmation [String]
+        def initialize(confirmation)
+          @extension_type = ExtensionType::ENCRYPTED_CLIENT_HELLO
+          @confirmation = confirmation
+        end
+
+        # @return [String]
+        def serialize
+          @extension_type + @confirmation.prefix_uint16_length
+        end
+
+        # @param binary [String]
+        #
+        # @raise [TTTLS13::Error::ErrorAlerts]
+        #
+        # @return [TTTLS13::Message::Extensions::ECHHelloRetryRequest]
+        def self.deserialize(binary)
+          raise Error::ErrorAlerts, :decode_error \
+            if binary.nil? || binary.length != 8
+
+          ECHHelloRetryRequest.new(binary)
+        end
+      end
+    end
+  end
+end

data/lib/tttls1.3/message/extension/key_share.rb

@@ -91,8 +91,7 @@ module TTTLS13
           priv_keys = {}
           kse = groups.map do |group|
             curve = NamedGroup.curve_name(group)
-            ec = OpenSSL::PKey::EC.new(curve)
-            ec.generate_key!
+            ec = OpenSSL::PKey::EC.generate(curve)
             # store private key to do the key-exchange
             priv_keys.store(group, ec)
             KeyShareEntry.new(
@@ -115,8 +114,7 @@ module TTTLS13
         # @return [OpenSSL::PKey::EC.$Object]
         def self.gen_sh_key_share(group)
           curve = NamedGroup.curve_name(group)
-          ec = OpenSSL::PKey::EC.new(curve)
-          ec.generate_key!
+          ec = OpenSSL::PKey::EC.generate(curve)
 
           key_share = KeyShare.new(
             msg_type: HandshakeType::SERVER_HELLO,

data/lib/tttls1.3/message/extension/server_name.rb

@@ -15,7 +15,7 @@ module TTTLS13
       #
       # 00 00 00 00
       #
-      # https://tools.ietf.org/html/rfc6066#section-3
+      # https://datatracker.ietf.org/doc/html/rfc6066#section-3
       class ServerName
         attr_reader :extension_type
         attr_reader :server_name