tttls1.3 0.2.19 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile +2 -0
- data/README.md +4 -1
- data/example/helper.rb +5 -2
- data/example/https_client_using_ech.rb +32 -0
- data/example/https_client_using_grease_ech.rb +26 -0
- data/example/https_client_using_grease_psk.rb +66 -0
- data/example/https_client_using_hrr_and_ech.rb +32 -0
- data/lib/tttls1.3/client.rb +534 -24
- data/lib/tttls1.3/connection.rb +3 -0
- data/lib/tttls1.3/cryptograph/aead.rb +1 -1
- data/lib/tttls1.3/error.rb +1 -1
- data/lib/tttls1.3/hpke.rb +91 -0
- data/lib/tttls1.3/key_schedule.rb +71 -3
- data/lib/tttls1.3/message/alert.rb +2 -1
- data/lib/tttls1.3/message/client_hello.rb +2 -1
- data/lib/tttls1.3/message/encrypted_extensions.rb +2 -1
- data/lib/tttls1.3/message/extension/alpn.rb +4 -5
- data/lib/tttls1.3/message/extension/compress_certificate.rb +1 -1
- data/lib/tttls1.3/message/extension/ech.rb +241 -0
- data/lib/tttls1.3/message/extension/server_name.rb +1 -1
- data/lib/tttls1.3/message/extensions.rb +20 -7
- data/lib/tttls1.3/message/record.rb +1 -1
- data/lib/tttls1.3/message/server_hello.rb +3 -5
- data/lib/tttls1.3/message.rb +3 -1
- data/lib/tttls1.3/named_group.rb +1 -1
- data/lib/tttls1.3/server.rb +1 -1
- data/lib/tttls1.3/utils.rb +8 -0
- data/lib/tttls1.3/version.rb +1 -1
- data/lib/tttls1.3.rb +4 -0
- data/spec/client_spec.rb +40 -0
- data/spec/ech_spec.rb +81 -0
- data/spec/spec_helper.rb +41 -5
- data/tttls1.3.gemspec +2 -0
- metadata +38 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: fd89bebc90f5379d37e4fd3d1397168b6df9fcbfe5d1ad05f3ae852ba7d071d1
|
|
4
|
+
data.tar.gz: 45372c096b46a5c37c9e05d22dfad8d53e24278d5d195b1b7305aa86b49bdfe9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 6b79f03e7eff3d7f2e47e0ca715ee9559c8c2a04f3f6c4869b4c8b915905f8934bb6cf4dd776ae74bdc3e7d9c97dd3a8ee77e46298073bdffd70fc936a954421
|
|
7
|
+
data.tar.gz: c43d3629de31d6ebd8f86d0c7a700d85a9f6e53be351eb13062c7ad0af9d1b8acc1c685f95a48e7d320b22ad1cd83979c4de3b57f07245060d6cc0dacdcca482
|
data/Gemfile
CHANGED
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
source 'https://rubygems.org'
|
|
4
4
|
|
|
5
|
+
gem 'ech_config', '~> 0.0.3'
|
|
5
6
|
gem 'logger'
|
|
6
7
|
gem 'openssl'
|
|
7
8
|
gem 'rake'
|
|
@@ -11,6 +12,7 @@ group :development do
|
|
|
11
12
|
gem 'http_parser.rb'
|
|
12
13
|
gem 'rspec', '3.9.0'
|
|
13
14
|
gem 'rubocop', '0.78.0'
|
|
15
|
+
gem 'svcb_rr_patch'
|
|
14
16
|
gem 'webrick'
|
|
15
17
|
end
|
|
16
18
|
|
data/README.md
CHANGED
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
[](https://github.com/thekuwayama/tttls1.3/actions?workflow=CI)
|
|
5
5
|
[](https://codeclimate.com/github/thekuwayama/tttls1.3/maintainability)
|
|
6
6
|
|
|
7
|
-
tttls1.3 is Ruby implementation of [TLS 1.3](https://
|
|
7
|
+
tttls1.3 is Ruby implementation of [TLS 1.3](https://datatracker.ietf.org/doc/rfc8446/) protocol.
|
|
8
8
|
|
|
9
9
|
tttls1.3 uses [openssl](https://github.com/ruby/openssl) for crypto and X.509 operations.
|
|
10
10
|
|
|
@@ -22,6 +22,7 @@ tttls1.3 provides client API with the following features:
|
|
|
22
22
|
* Simple 1-RTT Handshake
|
|
23
23
|
* HelloRetryRequest
|
|
24
24
|
* Resumed 0-RTT Handshake (with PSK from NST)
|
|
25
|
+
* [ECH](https://datatracker.ietf.org/doc/draft-ietf-tls-esni/)
|
|
25
26
|
|
|
26
27
|
**NOT supports** certificate with OID RSASSA-PSS, X25519, X448, FFDHE, AES-CCM, Client Authentication, Post-Handshake Authentication, KeyUpdate and external PSKs.
|
|
27
28
|
|
|
@@ -103,6 +104,8 @@ tttls1.3 client is configurable using keyword arguments.
|
|
|
103
104
|
| `:check_certificate_status` | Boolean | false | If needed to check certificate status, set true. |
|
|
104
105
|
| `:process_certificate_status` | Proc | `TTTLS13::Client.method(:softfail_check_certificate_status)` | Proc(or Method) that checks received OCSPResponse. Its 3 arguments are OpenSSL::OCSP::Response, end-entity certificate(OpenSSL::X509::Certificate) and certificates chain(Array of Certificate) used for verification and it returns Boolean. |
|
|
105
106
|
| `:compress_certificate_algorithms` | Array of TTTLS13::Message::Extension::CertificateCompressionAlgorithm constant | `ZLIB` | The compression algorithms are supported for compressing the Certificate message. |
|
|
107
|
+
| `:ech_config` | ECHConfig | nil | ECHConfig to use ECH. If needed to use ECH, set TTTLS13::STANDARD\_CLIENT\_ECH_HPKE\_SYMMETRIC\_CIPHER\_SUITES, for example. See [ech_config](https://github.com/thekuwayama/ech_config). |
|
|
108
|
+
| `:ech_hpke_cipher_suites` | Array of ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite | nil | If needed to use ECH, set client preference HPKE cipher suites. |
|
|
106
109
|
| `:compatibility_mode` | Boolean | true | If needed to send ChangeCipherSpec, set true. |
|
|
107
110
|
| `:sslkeylogfile` | String | nil | If needed to log SSLKEYLOGFILE, set the file path. |
|
|
108
111
|
| `:loglevel` | Logger constant | Logger::WARN | If needed to print verbose, set Logger::DEBUG. |
|
data/example/helper.rb
CHANGED
|
@@ -3,10 +3,13 @@
|
|
|
3
3
|
$LOAD_PATH << __dir__ + '/../lib'
|
|
4
4
|
|
|
5
5
|
require 'socket'
|
|
6
|
-
require '
|
|
6
|
+
require 'time'
|
|
7
7
|
require 'webrick'
|
|
8
|
+
|
|
8
9
|
require 'http/parser'
|
|
9
|
-
require '
|
|
10
|
+
require 'svcb_rr_patch'
|
|
11
|
+
|
|
12
|
+
require 'tttls1.3'
|
|
10
13
|
|
|
11
14
|
def simple_http_request(hostname, path = '/')
|
|
12
15
|
s = <<~REQUEST
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
# encoding: ascii-8bit
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
require_relative 'helper'
|
|
5
|
+
HpkeSymmetricCipherSuite = \
|
|
6
|
+
ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
|
|
7
|
+
|
|
8
|
+
hostname = 'crypto.cloudflare.com'
|
|
9
|
+
port = 443
|
|
10
|
+
ca_file = __dir__ + '/../tmp/ca.crt'
|
|
11
|
+
req = simple_http_request(hostname, '/cdn-cgi/trace')
|
|
12
|
+
|
|
13
|
+
rr = Resolv::DNS.new.getresources(
|
|
14
|
+
hostname,
|
|
15
|
+
Resolv::DNS::Resource::IN::HTTPS
|
|
16
|
+
)
|
|
17
|
+
socket = TCPSocket.new(hostname, port)
|
|
18
|
+
settings = {
|
|
19
|
+
ca_file: File.exist?(ca_file) ? ca_file : nil,
|
|
20
|
+
alpn: ['http/1.1'],
|
|
21
|
+
ech_config: rr.first.svc_params['ech'].echconfiglist.first,
|
|
22
|
+
ech_hpke_cipher_suites:
|
|
23
|
+
TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
|
|
24
|
+
sslkeylogfile: '/tmp/sslkeylogfile.log'
|
|
25
|
+
}
|
|
26
|
+
client = TTTLS13::Client.new(socket, hostname, **settings)
|
|
27
|
+
client.connect
|
|
28
|
+
client.write(req)
|
|
29
|
+
|
|
30
|
+
print recv_http_response(client)
|
|
31
|
+
client.close unless client.eof?
|
|
32
|
+
socket.close
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
# encoding: ascii-8bit
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
require_relative 'helper'
|
|
5
|
+
HpkeSymmetricCipherSuite = \
|
|
6
|
+
ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
|
|
7
|
+
|
|
8
|
+
hostname = 'crypto.cloudflare.com'
|
|
9
|
+
port = 443
|
|
10
|
+
ca_file = __dir__ + '/../tmp/ca.crt'
|
|
11
|
+
|
|
12
|
+
socket = TCPSocket.new(hostname, port)
|
|
13
|
+
settings = {
|
|
14
|
+
ca_file: File.exist?(ca_file) ? ca_file : nil,
|
|
15
|
+
alpn: ['http/1.1'],
|
|
16
|
+
ech_hpke_cipher_suites:
|
|
17
|
+
TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
|
|
18
|
+
sslkeylogfile: '/tmp/sslkeylogfile.log'
|
|
19
|
+
}
|
|
20
|
+
client = TTTLS13::Client.new(socket, hostname, **settings)
|
|
21
|
+
client.connect
|
|
22
|
+
|
|
23
|
+
print client.retry_configs if client.rejected_ech?
|
|
24
|
+
|
|
25
|
+
client.close unless client.eof?
|
|
26
|
+
socket.close
|
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
# encoding: ascii-8bit
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
require_relative 'helper'
|
|
5
|
+
HpkeSymmetricCipherSuite = \
|
|
6
|
+
ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
|
|
7
|
+
|
|
8
|
+
hostname = 'crypto.cloudflare.com'
|
|
9
|
+
port = 443
|
|
10
|
+
ca_file = __dir__ + '/../tmp/ca.crt'
|
|
11
|
+
req = simple_http_request(hostname, '/cdn-cgi/trace')
|
|
12
|
+
|
|
13
|
+
rr = Resolv::DNS.new.getresources(
|
|
14
|
+
hostname,
|
|
15
|
+
Resolv::DNS::Resource::IN::HTTPS
|
|
16
|
+
)
|
|
17
|
+
settings_2nd = {
|
|
18
|
+
ca_file: File.exist?(ca_file) ? ca_file : nil,
|
|
19
|
+
alpn: ['http/1.1'],
|
|
20
|
+
ech_config: rr.first.svc_params['ech'].echconfiglist.first,
|
|
21
|
+
ech_hpke_cipher_suites:
|
|
22
|
+
TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
|
|
23
|
+
sslkeylogfile: '/tmp/sslkeylogfile.log'
|
|
24
|
+
}
|
|
25
|
+
process_new_session_ticket = lambda do |nst, rms, cs|
|
|
26
|
+
return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
|
|
27
|
+
|
|
28
|
+
settings_2nd[:ticket] = nst.ticket
|
|
29
|
+
settings_2nd[:resumption_main_secret] = rms
|
|
30
|
+
settings_2nd[:psk_cipher_suite] = cs
|
|
31
|
+
settings_2nd[:ticket_nonce] = nst.ticket_nonce
|
|
32
|
+
settings_2nd[:ticket_age_add] = nst.ticket_age_add
|
|
33
|
+
settings_2nd[:ticket_timestamp] = nst.timestamp
|
|
34
|
+
end
|
|
35
|
+
settings_1st = {
|
|
36
|
+
ca_file: File.exist?(ca_file) ? ca_file : nil,
|
|
37
|
+
alpn: ['http/1.1'],
|
|
38
|
+
process_new_session_ticket: process_new_session_ticket,
|
|
39
|
+
ech_config: rr.first.svc_params['ech'].echconfiglist.first,
|
|
40
|
+
ech_hpke_cipher_suites: [
|
|
41
|
+
HpkeSymmetricCipherSuite.new(
|
|
42
|
+
HpkeSymmetricCipherSuite::HpkeKdfId.new(
|
|
43
|
+
TTTLS13::Hpke::KdfId::HKDF_SHA256
|
|
44
|
+
),
|
|
45
|
+
HpkeSymmetricCipherSuite::HpkeAeadId.new(
|
|
46
|
+
TTTLS13::Hpke::AeadId::AES_128_GCM
|
|
47
|
+
)
|
|
48
|
+
)
|
|
49
|
+
],
|
|
50
|
+
sslkeylogfile: '/tmp/sslkeylogfile.log'
|
|
51
|
+
}
|
|
52
|
+
|
|
53
|
+
[
|
|
54
|
+
# Initial Handshake:
|
|
55
|
+
settings_1st,
|
|
56
|
+
# Subsequent Handshake:
|
|
57
|
+
settings_2nd
|
|
58
|
+
].each do |settings|
|
|
59
|
+
socket = TCPSocket.new(hostname, port)
|
|
60
|
+
client = TTTLS13::Client.new(socket, hostname, **settings)
|
|
61
|
+
client.connect
|
|
62
|
+
client.write(req)
|
|
63
|
+
print recv_http_response(client)
|
|
64
|
+
client.close unless client.eof?
|
|
65
|
+
socket.close
|
|
66
|
+
end
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
# encoding: ascii-8bit
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
require_relative 'helper'
|
|
5
|
+
HpkeSymmetricCipherSuite = \
|
|
6
|
+
ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
|
|
7
|
+
|
|
8
|
+
hostname = 'crypto.cloudflare.com'
|
|
9
|
+
port = 443
|
|
10
|
+
ca_file = __dir__ + '/../tmp/ca.crt'
|
|
11
|
+
req = simple_http_request(hostname, '/cdn-cgi/trace')
|
|
12
|
+
|
|
13
|
+
rr = Resolv::DNS.new.getresources(
|
|
14
|
+
hostname,
|
|
15
|
+
Resolv::DNS::Resource::IN::HTTPS
|
|
16
|
+
)
|
|
17
|
+
socket = TCPSocket.new(hostname, port)
|
|
18
|
+
settings = {
|
|
19
|
+
ca_file: File.exist?(ca_file) ? ca_file : nil,
|
|
20
|
+
key_share_groups: [], # empty KeyShareClientHello.client_shares
|
|
21
|
+
alpn: ['http/1.1'],
|
|
22
|
+
ech_config: rr.first.svc_params['ech'].echconfiglist.first,
|
|
23
|
+
ech_hpke_cipher_suites:
|
|
24
|
+
TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
|
|
25
|
+
sslkeylogfile: '/tmp/sslkeylogfile.log'
|
|
26
|
+
}
|
|
27
|
+
client = TTTLS13::Client.new(socket, hostname, **settings)
|
|
28
|
+
client.connect
|
|
29
|
+
client.write(req)
|
|
30
|
+
print recv_http_response(client)
|
|
31
|
+
client.close unless client.eof?
|
|
32
|
+
socket.close
|