tttls1.3 0.2.19 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 60aaa0dddc8e01d6ee1c89a81de02e7cd9e05e0169e11381ebb68aa919644f11
-  data.tar.gz: 974b5c89009c2a63a6d99a608b32463cb0b6dc4bb0ed9e915cd03cca45ce2ea9
+  metadata.gz: fbb7e4290064777d30371999409395c0f2db398d1ee7a67eaaf5fa500de27954
+  data.tar.gz: 3a00195088a78054fd4abdbf77e11fff3898f23b539d90e3ce141a0ef045f227
 SHA512:
-  metadata.gz: b9ab939f9010481de463c2fbf81dc230cdd653dac47286e1fd61f8820da796a09b0675837dc119ebd8f1ddd137383ccc87aec18edd4945312cb0923ebbe77e52
-  data.tar.gz: 74d0635bba0274cfaf9ed980d2f0cef3351ab1f820a17720424dececaeb86c6ea36d6f9c3d7b69c8e81b52c4790b1796ba59d02a95a30d4afe90bad35767d442
+  metadata.gz: 3186fcebd41a40b21c5a4d1de53d13af3ea57dd4d0f3e6baff476882223cc370cb610d9c13cc4df43c3b5b13dd10063b702f39636dd447e9386062de7c566bbc
+  data.tar.gz: 4c8f6a076e042b1c9059dea5b9598d5bd5d80640b2b72cc859a76d2e020edc047b8309c7821ca849b445c51c41fbcac600363c34881074b28996774d05cc8ffb

data/.github/workflows/ci.yml

@@ -13,14 +13,14 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby-version: ['2.7.x', '3.0.x', '3.1.x']
+        ruby-version: ['3.1', '3.2', '3.3']
     steps:
       - uses: actions/checkout@v3
       - uses: docker://thekuwayama/openssl:latest
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: ${{ matrix.ruby }}
+          ruby-version: ${{ matrix.ruby-version }}
       - name: Install dependencies
         run: |
           gem --version

data/.rubocop.yml

@@ -1,6 +1,9 @@
 AllCops:
   TargetRubyVersion: 2.7
 
+Gemspec/RequiredRubyVersion:
+  Enabled: false
+
 Style/ConditionalAssignment:
   Enabled: false
 

data/.ruby-version

@@ -1 +1 @@
-3.1.2
+3.2.2

data/Gemfile

@@ -2,6 +2,7 @@
 
 source 'https://rubygems.org'
 
+gem 'ech_config', '~> 0.0.3'
 gem 'logger'
 gem 'openssl'
 gem 'rake'
@@ -11,6 +12,7 @@ group :development do
   gem 'http_parser.rb'
   gem 'rspec', '3.9.0'
   gem 'rubocop', '0.78.0'
+  gem 'svcb_rr_patch'
   gem 'webrick'
 end
 

data/README.md

@@ -4,7 +4,7 @@
 [![Actions Status](https://github.com/thekuwayama/tttls1.3/workflows/CI/badge.svg)](https://github.com/thekuwayama/tttls1.3/actions?workflow=CI)
 [![Maintainability](https://api.codeclimate.com/v1/badges/b5ae1b3a43828142d2fa/maintainability)](https://codeclimate.com/github/thekuwayama/tttls1.3/maintainability)
 
-tttls1.3 is Ruby implementation of [TLS 1.3](https://tools.ietf.org/html/rfc8446) protocol.
+tttls1.3 is Ruby implementation of [TLS 1.3](https://datatracker.ietf.org/doc/rfc8446/) protocol.
 
 tttls1.3 uses [openssl](https://github.com/ruby/openssl) for crypto and X.509 operations.
 
@@ -22,6 +22,7 @@ tttls1.3 provides client API with the following features:
 * Simple 1-RTT Handshake
 * HelloRetryRequest
 * Resumed 0-RTT Handshake (with PSK from NST)
+* [ECH](https://datatracker.ietf.org/doc/draft-ietf-tls-esni/)
 
 **NOT supports** certificate with OID RSASSA-PSS, X25519, X448, FFDHE, AES-CCM, Client Authentication, Post-Handshake Authentication, KeyUpdate and external PSKs.
 
@@ -103,6 +104,8 @@ tttls1.3 client is configurable using keyword arguments.
 | `:check_certificate_status` | Boolean | false | If needed to check certificate status, set true. |
 | `:process_certificate_status` | Proc | `TTTLS13::Client.method(:softfail_check_certificate_status)` | Proc(or Method) that checks received OCSPResponse. Its 3 arguments are OpenSSL::OCSP::Response, end-entity certificate(OpenSSL::X509::Certificate) and certificates chain(Array of Certificate) used for verification and it returns Boolean. |
 | `:compress_certificate_algorithms` | Array of TTTLS13::Message::Extension::CertificateCompressionAlgorithm constant | `ZLIB` | The compression algorithms are supported for compressing the Certificate message. |
+| `:ech_config` | ECHConfig | nil | ECHConfig to use ECH. See [ech_config](https://github.com/thekuwayama/ech_config). |
+| `:ech_hpke_cipher_suites` | Array of ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite | nil | If needed to use ECH, set client preference HPKE cipher suites. For example, you can set TTTLS13::STANDARD\_CLIENT\_ECH_HPKE\_SYMMETRIC\_CIPHER\_SUITES. |
 | `:compatibility_mode` | Boolean | true | If needed to send ChangeCipherSpec, set true. |
 | `:sslkeylogfile` | String | nil | If needed to log SSLKEYLOGFILE, set the file path. |
 | `:loglevel` | Logger constant | Logger::WARN | If needed to print verbose, set Logger::DEBUG. |

data/example/README.md

@@ -13,7 +13,7 @@ The examples run as follows:
 ```bash
 $ ruby https_client.rb
 
-$ ruby https_client.rb localhost:4433
+$ ruby https_client.rb https://localhost:4433
 ```
 
 Note that `https_server.rb` requires PEM files of certificate and private key.

data/example/helper.rb

@@ -3,10 +3,14 @@
 $LOAD_PATH << __dir__ + '/../lib'
 
 require 'socket'
-require 'tttls1.3'
+require 'time'
+require 'uri'
 require 'webrick'
+
 require 'http/parser'
-require 'time'
+require 'svcb_rr_patch'
+
+require 'tttls1.3'
 
 def simple_http_request(hostname, path = '/')
   s = <<~REQUEST

data/example/https_client.rb

@@ -3,17 +3,17 @@
 
 require_relative 'helper'
 
-hostname, port = (ARGV[0] || 'localhost:4433').split(':')
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
-req = simple_http_request(hostname)
+req = simple_http_request(uri.host, uri.path)
 
-socket = TCPSocket.new(hostname, port)
+socket = TCPSocket.new(uri.host, uri.port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
   sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
-client = TTTLS13::Client.new(socket, hostname, **settings)
+client = TTTLS13::Client.new(socket, uri.host, **settings)
 client.connect
 client.write(req)
 

data/example/https_client_using_0rtt.rb

@@ -3,9 +3,9 @@
 
 require_relative 'helper'
 
-hostname, port = (ARGV[0] || 'localhost:4433').split(':')
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
-req = simple_http_request(hostname)
+req = simple_http_request(uri.host, uri.path)
 
 settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
@@ -35,14 +35,15 @@ succeed_early_data = false
   # Subsequent Handshake:
   settings_2nd
 ].each_with_index do |settings, i|
-  socket = TCPSocket.new(hostname, port)
-  client = TTTLS13::Client.new(socket, hostname, **settings)
+  socket = TCPSocket.new(uri.host, uri.port)
+  client = TTTLS13::Client.new(socket, uri.host, **settings)
 
   # send message using early data; 0-RTT
   client.early_data(req) if i == 1 && settings.include?(:ticket)
   client.connect
   # send message after Simple 1-RTT Handshake
   client.write(req) if i.zero? || !client.succeed_early_data?
+
   print recv_http_response(client)
   client.close unless client.eof?
   socket.close

data/example/https_client_using_ech.rb

@@ -0,0 +1,31 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+require_relative 'helper'
+HpkeSymmetricCipherSuite = \
+  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
+
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
+ca_file = __dir__ + '/../tmp/ca.crt'
+req = simple_http_request(uri.host, uri.path)
+
+rr = Resolv::DNS.new.getresources(
+  uri.host,
+  Resolv::DNS::Resource::IN::HTTPS
+)
+socket = TCPSocket.new(uri.host, uri.port)
+settings = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  alpn: ['http/1.1'],
+  ech_config: rr.first.svc_params['ech'].echconfiglist.first,
+  ech_hpke_cipher_suites:
+    TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
+}
+client = TTTLS13::Client.new(socket, uri.host, **settings)
+client.connect
+client.write(req)
+
+print recv_http_response(client)
+client.close unless client.eof?
+socket.close

data/example/https_client_using_grease_ech.rb

@@ -0,0 +1,24 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+require_relative 'helper'
+HpkeSymmetricCipherSuite = \
+  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
+
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
+ca_file = __dir__ + '/../tmp/ca.crt'
+
+socket = TCPSocket.new(uri.host, uri.port)
+settings = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  alpn: ['http/1.1'],
+  ech_hpke_cipher_suites:
+    TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
+}
+client = TTTLS13::Client.new(socket, uri.host, **settings)
+client.connect
+
+print client.retry_configs if client.rejected_ech?
+client.close unless client.eof?
+socket.close

data/example/https_client_using_grease_psk.rb

@@ -0,0 +1,58 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+require_relative 'helper'
+HpkeSymmetricCipherSuite = \
+  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
+
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
+ca_file = __dir__ + '/../tmp/ca.crt'
+req = simple_http_request(uri.host, uri.path)
+
+rr = Resolv::DNS.new.getresources(
+  uri.host,
+  Resolv::DNS::Resource::IN::HTTPS
+)
+settings_2nd = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  alpn: ['http/1.1'],
+  ech_config: rr.first.svc_params['ech'].echconfiglist.first,
+  ech_hpke_cipher_suites:
+    TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
+}
+process_new_session_ticket = lambda do |nst, rms, cs|
+  return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
+
+  settings_2nd[:ticket] = nst.ticket
+  settings_2nd[:resumption_main_secret] = rms
+  settings_2nd[:psk_cipher_suite] = cs
+  settings_2nd[:ticket_nonce] = nst.ticket_nonce
+  settings_2nd[:ticket_age_add] = nst.ticket_age_add
+  settings_2nd[:ticket_timestamp] = nst.timestamp
+end
+settings_1st = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  alpn: ['http/1.1'],
+  process_new_session_ticket: process_new_session_ticket,
+  ech_config: rr.first.svc_params['ech'].echconfiglist.first,
+  ech_hpke_cipher_suites:
+    TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
+}
+
+[
+  # Initial Handshake:
+  settings_1st,
+  # Subsequent Handshake:
+  settings_2nd
+].each do |settings|
+  socket = TCPSocket.new(uri.host, uri.port)
+  client = TTTLS13::Client.new(socket, uri.host, **settings)
+  client.connect
+  client.write(req)
+
+  print recv_http_response(client)
+  client.close unless client.eof?
+  socket.close
+end

data/example/https_client_using_hrr.rb

@@ -3,19 +3,20 @@
 
 require_relative 'helper'
 
-hostname, port = (ARGV[0] || 'localhost:4433').split(':')
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
-req = simple_http_request(hostname)
+req = simple_http_request(uri.host, uri.path)
 
-socket = TCPSocket.new(hostname, port)
+socket = TCPSocket.new(uri.host, uri.port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   key_share_groups: [], # empty KeyShareClientHello.client_shares
   alpn: ['http/1.1']
 }
-client = TTTLS13::Client.new(socket, hostname, **settings)
+client = TTTLS13::Client.new(socket, uri.host, **settings)
 client.connect
 client.write(req)
+
 print recv_http_response(client)
 client.close unless client.eof?
 socket.close

data/example/https_client_using_hrr_and_ech.rb

@@ -0,0 +1,32 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+require_relative 'helper'
+HpkeSymmetricCipherSuite = \
+  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
+
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
+ca_file = __dir__ + '/../tmp/ca.crt'
+req = simple_http_request(uri.host, uri.path)
+
+rr = Resolv::DNS.new.getresources(
+  uri.host,
+  Resolv::DNS::Resource::IN::HTTPS
+)
+socket = TCPSocket.new(uri.host, uri.port)
+settings = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  key_share_groups: [], # empty KeyShareClientHello.client_shares
+  alpn: ['http/1.1'],
+  ech_config: rr.first.svc_params['ech'].echconfiglist.first,
+  ech_hpke_cipher_suites:
+    TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
+}
+client = TTTLS13::Client.new(socket, uri.host, **settings)
+client.connect
+client.write(req)
+
+print recv_http_response(client)
+client.close unless client.eof?
+socket.close

data/example/https_client_using_hrr_and_ticket.rb

@@ -3,9 +3,9 @@
 
 require_relative 'helper'
 
-hostname, port = (ARGV[0] || 'localhost:4433').split(':')
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
-req = simple_http_request(hostname)
+req = simple_http_request(uri.host, uri.path)
 
 settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
@@ -34,10 +34,11 @@ settings_1st = {
   # Subsequent Handshake:
   settings_2nd
 ].each do |settings|
-  socket = TCPSocket.new(hostname, port)
-  client = TTTLS13::Client.new(socket, hostname, **settings)
+  socket = TCPSocket.new(uri.host, uri.port)
+  client = TTTLS13::Client.new(socket, uri.host, **settings)
   client.connect
   client.write(req)
+
   print recv_http_response(client)
   client.close unless client.eof?
   socket.close

data/example/https_client_using_status_request.rb

@@ -3,10 +3,11 @@
 
 require_relative 'helper'
 
-hostname, port = (ARGV[0] || 'localhost:4433').split(':')
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
-req = simple_http_request(hostname)
+req = simple_http_request(uri.host, uri.path)
 
+socket = TCPSocket.new(uri.host, uri.port)
 process_certificate_status = lambda do |res, cert, chain|
   puts 'stapled OCSPResponse: '
   puts res.basic.status.pretty_inspect unless res.nil?
@@ -14,15 +15,13 @@ process_certificate_status = lambda do |res, cert, chain|
 
   TTTLS13::Client.softfail_check_certificate_status(res, cert, chain)
 end
-
-socket = TCPSocket.new(hostname, port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
   check_certificate_status: true,
   process_certificate_status: process_certificate_status
 }
-client = TTTLS13::Client.new(socket, hostname, **settings)
+client = TTTLS13::Client.new(socket, uri.host, **settings)
 client.connect
 client.write(req)
 

data/example/https_client_using_ticket.rb

@@ -3,9 +3,9 @@
 
 require_relative 'helper'
 
-hostname, port = (ARGV[0] || 'localhost:4433').split(':')
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
-req = simple_http_request(hostname)
+req = simple_http_request(uri.host, uri.path)
 
 settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
@@ -33,10 +33,11 @@ settings_1st = {
   # Subsequent Handshake:
   settings_2nd
 ].each do |settings|
-  socket = TCPSocket.new(hostname, port)
-  client = TTTLS13::Client.new(socket, hostname, **settings)
+  socket = TCPSocket.new(uri.host, uri.port)
+  client = TTTLS13::Client.new(socket, uri.host, **settings)
   client.connect
   client.write(req)
+
   print recv_http_response(client)
   client.close unless client.eof?
   socket.close