tttls1.3 0.3.1 → 0.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fbb7e4290064777d30371999409395c0f2db398d1ee7a67eaaf5fa500de27954
-  data.tar.gz: 3a00195088a78054fd4abdbf77e11fff3898f23b539d90e3ce141a0ef045f227
+  metadata.gz: fa5d7f448e0c984d75be22a995278853b4d4b0c505aaaa92fc5e99f48371fc82
+  data.tar.gz: 4a0d95465cabfd048ea1d7190c1c617dcc26a5395e06f7acc0173fcbbfe0bd04
 SHA512:
-  metadata.gz: 3186fcebd41a40b21c5a4d1de53d13af3ea57dd4d0f3e6baff476882223cc370cb610d9c13cc4df43c3b5b13dd10063b702f39636dd447e9386062de7c566bbc
-  data.tar.gz: 4c8f6a076e042b1c9059dea5b9598d5bd5d80640b2b72cc859a76d2e020edc047b8309c7821ca849b445c51c41fbcac600363c34881074b28996774d05cc8ffb
+  metadata.gz: 4035648fa81ae715315e1efbddd9b0b0506395180d0c7e994d6c8dd49d714e0754717b0cfa93bee702b4ef5a4d8e29bb765fae6045fdb7b24a3e25a1098eca38
+  data.tar.gz: 3c9d5286f1724b4998325ab811bf2e6ce44dbbbebb3ffb3c6c01ffe76f2d730797a599196b1ec6c3a894265b16ed0b12a78f2eeca53a36b52980de85db76f247

data/.rubocop.yml

@@ -4,6 +4,9 @@ AllCops:
 Gemspec/RequiredRubyVersion:
   Enabled: false
 
+Semicolon:
+  AllowAsExpressionSeparator: true
+
 Style/ConditionalAssignment:
   Enabled: false
 

data/Gemfile

@@ -3,6 +3,7 @@
 source 'https://rubygems.org'
 
 gem 'ech_config', '~> 0.0.3'
+gem 'hpke'
 gem 'logger'
 gem 'openssl'
 gem 'rake'

data/example/helper.rb

@@ -7,6 +7,7 @@ require 'time'
 require 'uri'
 require 'webrick'
 
+require 'ech_config'
 require 'http/parser'
 require 'svcb_rr_patch'
 
@@ -62,3 +63,45 @@ def recv_http_response(client)
   parser << client.read until client.eof?
   buf
 end
+
+def transcript_htmlize(transcript)
+  m = {
+    TTTLS13::CH1 => 'ClientHello',
+    TTTLS13::HRR => 'HelloRetryRequest',
+    TTTLS13::CH => 'ClientHello',
+    TTTLS13::SH => 'ServerHello',
+    TTTLS13::EE => 'EncryptedExtensions',
+    TTTLS13::CR => 'CertificateRequest',
+    TTTLS13::CT => 'Certificate',
+    TTTLS13::CV => 'CertificateVerify',
+    TTTLS13::SF => 'Finished',
+    TTTLS13::EOED => 'EndOfEarlyData',
+    TTTLS13::CCT => 'Certificate',
+    TTTLS13::CCV => 'CertificateVerify',
+    TTTLS13::CF => 'Finished'
+  }.map { |k, v| [k, '<details><summary>' + v + '</summary>%s</details>'] }.to_h
+  transcript.map do |k, v|
+    format(m[k], TTTLS13::Convert.obj2html(v.first))
+  end.join('<br>')
+end
+
+def parse_echconfigs_pem(pem)
+  s = pem.gsub(/-----(BEGIN|END) ECH CONFIGS-----/, '')
+         .gsub("\n", '')
+  b = Base64.decode64(s)
+  raise 'failed to parse ECHConfigs' \
+    unless b.length == b.slice(0, 2).unpack1('n') + 2
+
+  ECHConfig.decode_vectors(b.slice(2..))
+end
+
+def resolve_echconfig(hostname)
+  rr = Resolv::DNS.new.getresources(
+    hostname,
+    Resolv::DNS::Resource::IN::HTTPS
+  )
+  raise "failed to resolve echconfig via #{hostname} HTTPS RR" \
+    if rr.first.nil? || !rr.first.svc_params.keys.include?('ech')
+
+  rr.first.svc_params['ech'].echconfiglist.first
+end

data/example/https_client_using_0rtt.rb

@@ -9,13 +9,14 @@ req = simple_http_request(uri.host, uri.path)
 
 settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
-  alpn: ['http/1.1']
+  alpn: ['http/1.1'],
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 process_new_session_ticket = lambda do |nst, rms, cs|
   return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
 
   settings_2nd[:ticket] = nst.ticket
-  settings_2nd[:resumption_main_secret] = rms
+  settings_2nd[:resumption_secret] = rms
   settings_2nd[:psk_cipher_suite] = cs
   settings_2nd[:ticket_nonce] = nst.ticket_nonce
   settings_2nd[:ticket_age_add] = nst.ticket_age_add
@@ -24,7 +25,8 @@ end
 settings_1st = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  process_new_session_ticket: process_new_session_ticket
+  process_new_session_ticket: process_new_session_ticket,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 
 succeed_early_data = false

data/example/https_client_using_ech.rb

@@ -2,22 +2,21 @@
 # frozen_string_literal: true
 
 require_relative 'helper'
-HpkeSymmetricCipherSuite = \
-  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
 
 uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
 req = simple_http_request(uri.host, uri.path)
+ech_config = if ARGV.length > 1
+               parse_echconfigs_pem(File.open(ARGV[1]).read).first
+             else
+               resolve_echconfig(uri.host)
+             end
 
-rr = Resolv::DNS.new.getresources(
-  uri.host,
-  Resolv::DNS::Resource::IN::HTTPS
-)
 socket = TCPSocket.new(uri.host, uri.port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  ech_config: rr.first.svc_params['ech'].echconfiglist.first,
+  ech_config: ech_config,
   ech_hpke_cipher_suites:
     TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
   sslkeylogfile: '/tmp/sslkeylogfile.log'

data/example/https_client_using_grease_ech.rb

@@ -2,8 +2,6 @@
 # frozen_string_literal: true
 
 require_relative 'helper'
-HpkeSymmetricCipherSuite = \
-  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
 
 uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'

data/example/https_client_using_hrr.rb

@@ -11,7 +11,8 @@ socket = TCPSocket.new(uri.host, uri.port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   key_share_groups: [], # empty KeyShareClientHello.client_shares
-  alpn: ['http/1.1']
+  alpn: ['http/1.1'],
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 client = TTTLS13::Client.new(socket, uri.host, **settings)
 client.connect

data/example/https_client_using_hrr_and_ech.rb

@@ -2,23 +2,22 @@
 # frozen_string_literal: true
 
 require_relative 'helper'
-HpkeSymmetricCipherSuite = \
-  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
 
 uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
 req = simple_http_request(uri.host, uri.path)
+ech_config = if ARGV.length > 1
+               parse_echconfigs_pem(File.open(ARGV[1]).read).first
+             else
+               resolve_echconfig(uri.host)
+             end
 
-rr = Resolv::DNS.new.getresources(
-  uri.host,
-  Resolv::DNS::Resource::IN::HTTPS
-)
 socket = TCPSocket.new(uri.host, uri.port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   key_share_groups: [], # empty KeyShareClientHello.client_shares
   alpn: ['http/1.1'],
-  ech_config: rr.first.svc_params['ech'].echconfiglist.first,
+  ech_config: ech_config,
   ech_hpke_cipher_suites:
     TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
   sslkeylogfile: '/tmp/sslkeylogfile.log'

data/example/https_client_using_hrr_and_ticket.rb

@@ -9,7 +9,8 @@ req = simple_http_request(uri.host, uri.path)
 
 settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
-  alpn: ['http/1.1']
+  alpn: ['http/1.1'],
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 process_new_session_ticket = lambda do |nst, rms, cs|
   return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
@@ -25,7 +26,8 @@ end
 settings_1st = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  process_new_session_ticket: process_new_session_ticket
+  process_new_session_ticket: process_new_session_ticket,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 
 [

data/example/https_client_using_status_request.rb

@@ -19,7 +19,8 @@ settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
   check_certificate_status: true,
-  process_certificate_status: process_certificate_status
+  process_certificate_status: process_certificate_status,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 client = TTTLS13::Client.new(socket, uri.host, **settings)
 client.connect

data/example/https_client_using_ticket.rb

@@ -9,7 +9,8 @@ req = simple_http_request(uri.host, uri.path)
 
 settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
-  alpn: ['http/1.1']
+  alpn: ['http/1.1'],
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 process_new_session_ticket = lambda do |nst, rms, cs|
   return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
@@ -24,7 +25,8 @@ end
 settings_1st = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  process_new_session_ticket: process_new_session_ticket
+  process_new_session_ticket: process_new_session_ticket,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 
 [

data/example/https_client_using_ticket_and_ech.rb

@@ -0,0 +1,57 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+require_relative 'helper'
+
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
+ca_file = __dir__ + '/../tmp/ca.crt'
+req = simple_http_request(uri.host, uri.path)
+ech_config = if ARGV.length > 1
+               parse_echconfigs_pem(File.open(ARGV[1]).read).first
+             else
+               resolve_echconfig(uri.host)
+             end
+
+settings_2nd = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  alpn: ['http/1.1'],
+  ech_config: ech_config,
+  ech_hpke_cipher_suites:
+    TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
+}
+process_new_session_ticket = lambda do |nst, rms, cs|
+  return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
+
+  settings_2nd[:ticket] = nst.ticket
+  settings_2nd[:resumption_main_secret] = rms
+  settings_2nd[:psk_cipher_suite] = cs
+  settings_2nd[:ticket_nonce] = nst.ticket_nonce
+  settings_2nd[:ticket_age_add] = nst.ticket_age_add
+  settings_2nd[:ticket_timestamp] = nst.timestamp
+end
+settings_1st = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  alpn: ['http/1.1'],
+  ech_config: ech_config,
+  ech_hpke_cipher_suites:
+    TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
+  process_new_session_ticket: process_new_session_ticket,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
+}
+
+[
+  # Initial Handshake:
+  settings_1st,
+  # Subsequent Handshake:
+  settings_2nd
+].each do |settings|
+  socket = TCPSocket.new(uri.host, uri.port)
+  client = TTTLS13::Client.new(socket, uri.host, **settings)
+  client.connect
+  client.write(req)
+
+  print recv_http_response(client)
+  client.close unless client.eof?
+  socket.close
+end

data/example/https_server.rb

@@ -30,7 +30,20 @@ Etc.nprocessors.times do
         parser.on_message_complete = lambda do
           if !parser.http_method.nil?
             logger.info 'Receive Request'
-            server.write(simple_http_response('TEST'))
+            html = <<HTML
+  <!DOCTYPE html>
+  <html>
+    <head>
+      <meta charset="UTF-8" />
+      <title>tttls1.3 test server</title>
+    </head>
+    <body>
+  %s
+    </body>
+  </html>
+HTML
+            html = format(html, transcript_htmlize(server.transcript))
+            server.write(simple_http_response(html))
             server.close
           else
             logger.warn 'Not Request'