tttls1.3 0.2.19 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 60aaa0dddc8e01d6ee1c89a81de02e7cd9e05e0169e11381ebb68aa919644f11
-  data.tar.gz: 974b5c89009c2a63a6d99a608b32463cb0b6dc4bb0ed9e915cd03cca45ce2ea9
+  metadata.gz: fd89bebc90f5379d37e4fd3d1397168b6df9fcbfe5d1ad05f3ae852ba7d071d1
+  data.tar.gz: 45372c096b46a5c37c9e05d22dfad8d53e24278d5d195b1b7305aa86b49bdfe9
 SHA512:
-  metadata.gz: b9ab939f9010481de463c2fbf81dc230cdd653dac47286e1fd61f8820da796a09b0675837dc119ebd8f1ddd137383ccc87aec18edd4945312cb0923ebbe77e52
-  data.tar.gz: 74d0635bba0274cfaf9ed980d2f0cef3351ab1f820a17720424dececaeb86c6ea36d6f9c3d7b69c8e81b52c4790b1796ba59d02a95a30d4afe90bad35767d442
+  metadata.gz: 6b79f03e7eff3d7f2e47e0ca715ee9559c8c2a04f3f6c4869b4c8b915905f8934bb6cf4dd776ae74bdc3e7d9c97dd3a8ee77e46298073bdffd70fc936a954421
+  data.tar.gz: c43d3629de31d6ebd8f86d0c7a700d85a9f6e53be351eb13062c7ad0af9d1b8acc1c685f95a48e7d320b22ad1cd83979c4de3b57f07245060d6cc0dacdcca482

data/Gemfile

@@ -2,6 +2,7 @@
 
 source 'https://rubygems.org'
 
+gem 'ech_config', '~> 0.0.3'
 gem 'logger'
 gem 'openssl'
 gem 'rake'
@@ -11,6 +12,7 @@ group :development do
   gem 'http_parser.rb'
   gem 'rspec', '3.9.0'
   gem 'rubocop', '0.78.0'
+  gem 'svcb_rr_patch'
   gem 'webrick'
 end
 

data/README.md

@@ -4,7 +4,7 @@
 [![Actions Status](https://github.com/thekuwayama/tttls1.3/workflows/CI/badge.svg)](https://github.com/thekuwayama/tttls1.3/actions?workflow=CI)
 [![Maintainability](https://api.codeclimate.com/v1/badges/b5ae1b3a43828142d2fa/maintainability)](https://codeclimate.com/github/thekuwayama/tttls1.3/maintainability)
 
-tttls1.3 is Ruby implementation of [TLS 1.3](https://tools.ietf.org/html/rfc8446) protocol.
+tttls1.3 is Ruby implementation of [TLS 1.3](https://datatracker.ietf.org/doc/rfc8446/) protocol.
 
 tttls1.3 uses [openssl](https://github.com/ruby/openssl) for crypto and X.509 operations.
 
@@ -22,6 +22,7 @@ tttls1.3 provides client API with the following features:
 * Simple 1-RTT Handshake
 * HelloRetryRequest
 * Resumed 0-RTT Handshake (with PSK from NST)
+* [ECH](https://datatracker.ietf.org/doc/draft-ietf-tls-esni/)
 
 **NOT supports** certificate with OID RSASSA-PSS, X25519, X448, FFDHE, AES-CCM, Client Authentication, Post-Handshake Authentication, KeyUpdate and external PSKs.
 
@@ -103,6 +104,8 @@ tttls1.3 client is configurable using keyword arguments.
 | `:check_certificate_status` | Boolean | false | If needed to check certificate status, set true. |
 | `:process_certificate_status` | Proc | `TTTLS13::Client.method(:softfail_check_certificate_status)` | Proc(or Method) that checks received OCSPResponse. Its 3 arguments are OpenSSL::OCSP::Response, end-entity certificate(OpenSSL::X509::Certificate) and certificates chain(Array of Certificate) used for verification and it returns Boolean. |
 | `:compress_certificate_algorithms` | Array of TTTLS13::Message::Extension::CertificateCompressionAlgorithm constant | `ZLIB` | The compression algorithms are supported for compressing the Certificate message. |
+| `:ech_config` | ECHConfig | nil | ECHConfig to use ECH. If needed to use ECH, set TTTLS13::STANDARD\_CLIENT\_ECH_HPKE\_SYMMETRIC\_CIPHER\_SUITES, for example. See [ech_config](https://github.com/thekuwayama/ech_config). |
+| `:ech_hpke_cipher_suites` | Array of ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite | nil | If needed to use ECH, set client preference HPKE cipher suites. |
 | `:compatibility_mode` | Boolean | true | If needed to send ChangeCipherSpec, set true. |
 | `:sslkeylogfile` | String | nil | If needed to log SSLKEYLOGFILE, set the file path. |
 | `:loglevel` | Logger constant | Logger::WARN | If needed to print verbose, set Logger::DEBUG. |

data/example/helper.rb

@@ -3,10 +3,13 @@
 $LOAD_PATH << __dir__ + '/../lib'
 
 require 'socket'
-require 'tttls1.3'
+require 'time'
 require 'webrick'
+
 require 'http/parser'
-require 'time'
+require 'svcb_rr_patch'
+
+require 'tttls1.3'
 
 def simple_http_request(hostname, path = '/')
   s = <<~REQUEST

data/example/https_client_using_ech.rb

@@ -0,0 +1,32 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+require_relative 'helper'
+HpkeSymmetricCipherSuite = \
+  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
+
+hostname = 'crypto.cloudflare.com'
+port = 443
+ca_file = __dir__ + '/../tmp/ca.crt'
+req = simple_http_request(hostname, '/cdn-cgi/trace')
+
+rr = Resolv::DNS.new.getresources(
+  hostname,
+  Resolv::DNS::Resource::IN::HTTPS
+)
+socket = TCPSocket.new(hostname, port)
+settings = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  alpn: ['http/1.1'],
+  ech_config: rr.first.svc_params['ech'].echconfiglist.first,
+  ech_hpke_cipher_suites:
+    TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
+}
+client = TTTLS13::Client.new(socket, hostname, **settings)
+client.connect
+client.write(req)
+
+print recv_http_response(client)
+client.close unless client.eof?
+socket.close

data/example/https_client_using_grease_ech.rb

@@ -0,0 +1,26 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+require_relative 'helper'
+HpkeSymmetricCipherSuite = \
+  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
+
+hostname = 'crypto.cloudflare.com'
+port = 443
+ca_file = __dir__ + '/../tmp/ca.crt'
+
+socket = TCPSocket.new(hostname, port)
+settings = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  alpn: ['http/1.1'],
+  ech_hpke_cipher_suites:
+    TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
+}
+client = TTTLS13::Client.new(socket, hostname, **settings)
+client.connect
+
+print client.retry_configs if client.rejected_ech?
+
+client.close unless client.eof?
+socket.close

data/example/https_client_using_grease_psk.rb

@@ -0,0 +1,66 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+require_relative 'helper'
+HpkeSymmetricCipherSuite = \
+  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
+
+hostname = 'crypto.cloudflare.com'
+port = 443
+ca_file = __dir__ + '/../tmp/ca.crt'
+req = simple_http_request(hostname, '/cdn-cgi/trace')
+
+rr = Resolv::DNS.new.getresources(
+  hostname,
+  Resolv::DNS::Resource::IN::HTTPS
+)
+settings_2nd = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  alpn: ['http/1.1'],
+  ech_config: rr.first.svc_params['ech'].echconfiglist.first,
+  ech_hpke_cipher_suites:
+    TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
+}
+process_new_session_ticket = lambda do |nst, rms, cs|
+  return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
+
+  settings_2nd[:ticket] = nst.ticket
+  settings_2nd[:resumption_main_secret] = rms
+  settings_2nd[:psk_cipher_suite] = cs
+  settings_2nd[:ticket_nonce] = nst.ticket_nonce
+  settings_2nd[:ticket_age_add] = nst.ticket_age_add
+  settings_2nd[:ticket_timestamp] = nst.timestamp
+end
+settings_1st = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  alpn: ['http/1.1'],
+  process_new_session_ticket: process_new_session_ticket,
+  ech_config: rr.first.svc_params['ech'].echconfiglist.first,
+  ech_hpke_cipher_suites: [
+    HpkeSymmetricCipherSuite.new(
+      HpkeSymmetricCipherSuite::HpkeKdfId.new(
+        TTTLS13::Hpke::KdfId::HKDF_SHA256
+      ),
+      HpkeSymmetricCipherSuite::HpkeAeadId.new(
+        TTTLS13::Hpke::AeadId::AES_128_GCM
+      )
+    )
+  ],
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
+}
+
+[
+  # Initial Handshake:
+  settings_1st,
+  # Subsequent Handshake:
+  settings_2nd
+].each do |settings|
+  socket = TCPSocket.new(hostname, port)
+  client = TTTLS13::Client.new(socket, hostname, **settings)
+  client.connect
+  client.write(req)
+  print recv_http_response(client)
+  client.close unless client.eof?
+  socket.close
+end

data/example/https_client_using_hrr_and_ech.rb

@@ -0,0 +1,32 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+require_relative 'helper'
+HpkeSymmetricCipherSuite = \
+  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
+
+hostname = 'crypto.cloudflare.com'
+port = 443
+ca_file = __dir__ + '/../tmp/ca.crt'
+req = simple_http_request(hostname, '/cdn-cgi/trace')
+
+rr = Resolv::DNS.new.getresources(
+  hostname,
+  Resolv::DNS::Resource::IN::HTTPS
+)
+socket = TCPSocket.new(hostname, port)
+settings = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  key_share_groups: [], # empty KeyShareClientHello.client_shares
+  alpn: ['http/1.1'],
+  ech_config: rr.first.svc_params['ech'].echconfiglist.first,
+  ech_hpke_cipher_suites:
+    TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
+}
+client = TTTLS13::Client.new(socket, hostname, **settings)
+client.connect
+client.write(req)
+print recv_http_response(client)
+client.close unless client.eof?
+socket.close