tttls1.3 0.3.2 → 0.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7245602faa9087e83b3e47484aa88dc368b153e98c76fd00e36ebb1a863af6ef
-  data.tar.gz: c7362f39fc26763f712cdf61a29b3796686c50034d2a6431788d8dbf7dd505c9
+  metadata.gz: fa5d7f448e0c984d75be22a995278853b4d4b0c505aaaa92fc5e99f48371fc82
+  data.tar.gz: 4a0d95465cabfd048ea1d7190c1c617dcc26a5395e06f7acc0173fcbbfe0bd04
 SHA512:
-  metadata.gz: 33168ef27007f9e6d73197ed3e1bae9b58dadfdf3042e732ddc6a05913db0aad48fb653ea7b7222716d70ebe42739f2d9dddee0ec75ee45eb33daba4be6f0229
-  data.tar.gz: d05c73a49e0f5d568785c3b6af3d9bc3c286b35f1110c5f31860f8cf788a9f9e019112fd8647394672c279808e20c4f02d438a58c44f5bab9af1d5fb851ef41f
+  metadata.gz: 4035648fa81ae715315e1efbddd9b0b0506395180d0c7e994d6c8dd49d714e0754717b0cfa93bee702b4ef5a4d8e29bb765fae6045fdb7b24a3e25a1098eca38
+  data.tar.gz: 3c9d5286f1724b4998325ab811bf2e6ce44dbbbebb3ffb3c6c01ffe76f2d730797a599196b1ec6c3a894265b16ed0b12a78f2eeca53a36b52980de85db76f247

data/.rubocop.yml

@@ -4,6 +4,9 @@ AllCops:
 Gemspec/RequiredRubyVersion:
   Enabled: false
 
+Semicolon:
+  AllowAsExpressionSeparator: true
+
 Style/ConditionalAssignment:
   Enabled: false
 

data/example/helper.rb

@@ -7,6 +7,7 @@ require 'time'
 require 'uri'
 require 'webrick'
 
+require 'ech_config'
 require 'http/parser'
 require 'svcb_rr_patch'
 
@@ -83,3 +84,24 @@ def transcript_htmlize(transcript)
     format(m[k], TTTLS13::Convert.obj2html(v.first))
   end.join('<br>')
 end
+
+def parse_echconfigs_pem(pem)
+  s = pem.gsub(/-----(BEGIN|END) ECH CONFIGS-----/, '')
+         .gsub("\n", '')
+  b = Base64.decode64(s)
+  raise 'failed to parse ECHConfigs' \
+    unless b.length == b.slice(0, 2).unpack1('n') + 2
+
+  ECHConfig.decode_vectors(b.slice(2..))
+end
+
+def resolve_echconfig(hostname)
+  rr = Resolv::DNS.new.getresources(
+    hostname,
+    Resolv::DNS::Resource::IN::HTTPS
+  )
+  raise "failed to resolve echconfig via #{hostname} HTTPS RR" \
+    if rr.first.nil? || !rr.first.svc_params.keys.include?('ech')
+
+  rr.first.svc_params['ech'].echconfiglist.first
+end

data/example/https_client_using_0rtt.rb

@@ -9,7 +9,8 @@ req = simple_http_request(uri.host, uri.path)
 
 settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
-  alpn: ['http/1.1']
+  alpn: ['http/1.1'],
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 process_new_session_ticket = lambda do |nst, rms, cs|
   return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
@@ -24,7 +25,8 @@ end
 settings_1st = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  process_new_session_ticket: process_new_session_ticket
+  process_new_session_ticket: process_new_session_ticket,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 
 succeed_early_data = false

data/example/https_client_using_ech.rb

@@ -2,22 +2,21 @@
 # frozen_string_literal: true
 
 require_relative 'helper'
-HpkeSymmetricCipherSuite = \
-  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
 
 uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
 req = simple_http_request(uri.host, uri.path)
+ech_config = if ARGV.length > 1
+               parse_echconfigs_pem(File.open(ARGV[1]).read).first
+             else
+               resolve_echconfig(uri.host)
+             end
 
-rr = Resolv::DNS.new.getresources(
-  uri.host,
-  Resolv::DNS::Resource::IN::HTTPS
-)
 socket = TCPSocket.new(uri.host, uri.port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  ech_config: rr.first.svc_params['ech'].echconfiglist.first,
+  ech_config: ech_config,
   ech_hpke_cipher_suites:
     TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
   sslkeylogfile: '/tmp/sslkeylogfile.log'

data/example/https_client_using_grease_ech.rb

@@ -2,8 +2,6 @@
 # frozen_string_literal: true
 
 require_relative 'helper'
-HpkeSymmetricCipherSuite = \
-  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
 
 uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'

data/example/https_client_using_hrr.rb

@@ -11,7 +11,8 @@ socket = TCPSocket.new(uri.host, uri.port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   key_share_groups: [], # empty KeyShareClientHello.client_shares
-  alpn: ['http/1.1']
+  alpn: ['http/1.1'],
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 client = TTTLS13::Client.new(socket, uri.host, **settings)
 client.connect

data/example/https_client_using_hrr_and_ech.rb

@@ -2,23 +2,22 @@
 # frozen_string_literal: true
 
 require_relative 'helper'
-HpkeSymmetricCipherSuite = \
-  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
 
 uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
 req = simple_http_request(uri.host, uri.path)
+ech_config = if ARGV.length > 1
+               parse_echconfigs_pem(File.open(ARGV[1]).read).first
+             else
+               resolve_echconfig(uri.host)
+             end
 
-rr = Resolv::DNS.new.getresources(
-  uri.host,
-  Resolv::DNS::Resource::IN::HTTPS
-)
 socket = TCPSocket.new(uri.host, uri.port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   key_share_groups: [], # empty KeyShareClientHello.client_shares
   alpn: ['http/1.1'],
-  ech_config: rr.first.svc_params['ech'].echconfiglist.first,
+  ech_config: ech_config,
   ech_hpke_cipher_suites:
     TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
   sslkeylogfile: '/tmp/sslkeylogfile.log'

data/example/https_client_using_hrr_and_ticket.rb

@@ -9,7 +9,8 @@ req = simple_http_request(uri.host, uri.path)
 
 settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
-  alpn: ['http/1.1']
+  alpn: ['http/1.1'],
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 process_new_session_ticket = lambda do |nst, rms, cs|
   return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
@@ -25,7 +26,8 @@ end
 settings_1st = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  process_new_session_ticket: process_new_session_ticket
+  process_new_session_ticket: process_new_session_ticket,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 
 [

data/example/https_client_using_status_request.rb

@@ -19,7 +19,8 @@ settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
   check_certificate_status: true,
-  process_certificate_status: process_certificate_status
+  process_certificate_status: process_certificate_status,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 client = TTTLS13::Client.new(socket, uri.host, **settings)
 client.connect

data/example/https_client_using_ticket.rb

@@ -9,7 +9,8 @@ req = simple_http_request(uri.host, uri.path)
 
 settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
-  alpn: ['http/1.1']
+  alpn: ['http/1.1'],
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 process_new_session_ticket = lambda do |nst, rms, cs|
   return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
@@ -24,7 +25,8 @@ end
 settings_1st = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  process_new_session_ticket: process_new_session_ticket
+  process_new_session_ticket: process_new_session_ticket,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 
 [

data/example/https_client_using_ticket_and_ech.rb

@@ -0,0 +1,57 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+require_relative 'helper'
+
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
+ca_file = __dir__ + '/../tmp/ca.crt'
+req = simple_http_request(uri.host, uri.path)
+ech_config = if ARGV.length > 1
+               parse_echconfigs_pem(File.open(ARGV[1]).read).first
+             else
+               resolve_echconfig(uri.host)
+             end
+
+settings_2nd = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  alpn: ['http/1.1'],
+  ech_config: ech_config,
+  ech_hpke_cipher_suites:
+    TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
+}
+process_new_session_ticket = lambda do |nst, rms, cs|
+  return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
+
+  settings_2nd[:ticket] = nst.ticket
+  settings_2nd[:resumption_main_secret] = rms
+  settings_2nd[:psk_cipher_suite] = cs
+  settings_2nd[:ticket_nonce] = nst.ticket_nonce
+  settings_2nd[:ticket_age_add] = nst.ticket_age_add
+  settings_2nd[:ticket_timestamp] = nst.timestamp
+end
+settings_1st = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  alpn: ['http/1.1'],
+  ech_config: ech_config,
+  ech_hpke_cipher_suites:
+    TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
+  process_new_session_ticket: process_new_session_ticket,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
+}
+
+[
+  # Initial Handshake:
+  settings_1st,
+  # Subsequent Handshake:
+  settings_2nd
+].each do |settings|
+  socket = TCPSocket.new(uri.host, uri.port)
+  client = TTTLS13::Client.new(socket, uri.host, **settings)
+  client.connect
+  client.write(req)
+
+  print recv_http_response(client)
+  client.close unless client.eof?
+  socket.close
+end

data/lib/tttls1.3/ech.rb

@@ -7,8 +7,13 @@ module TTTLS13
   SUPPORTED_ECHCONFIG_VERSIONS = ["\xfe\x0d"].freeze
   private_constant :SUPPORTED_ECHCONFIG_VERSIONS
 
-  # rubocop: disable Metrics/ModuleLength
-  module Ech
+  DEFAULT_ECH_OUTER_EXTENSIONS = [
+    Message::ExtensionType::KEY_SHARE
+  ].freeze
+  private_constant :DEFAULT_ECH_OUTER_EXTENSIONS
+
+  # rubocop: disable Metrics/ClassLength
+  class Ech
     # @param inner [TTTLS13::Message::ClientHello]
     # @param ech_config [ECHConfig]
     # @param hpke_cipher_suite_selector [Method]
@@ -30,12 +35,15 @@ module TTTLS13
       return [new_greased_ch(inner, new_grease_ech), nil, nil] \
         if ech_state.nil? || enc.nil?
 
-      encoded = encode_ch_inner(inner, ech_state.maximum_name_length)
-      overhead_len = aead_id2overhead_len(
-        ech_state.cipher_suite.aead_id.uint16
-      )
+      # for ech_outer_extensions
+      replaced = \
+        inner.extensions.remove_and_replace!(DEFAULT_ECH_OUTER_EXTENSIONS)
 
       # Encoding the ClientHelloInner
+      encoded = encode_ch_inner(inner, ech_state.maximum_name_length, replaced)
+      overhead_len = aead_id2overhead_len(ech_state.cipher_suite.aead_id.uint16)
+
+      # Authenticating the ClientHelloOuter
       aad = new_ch_outer_aad(
         inner,
         ech_state.cipher_suite,
@@ -44,13 +52,13 @@ module TTTLS13
         encoded.length + overhead_len,
         ech_state.public_name
       )
-      # Authenticating the ClientHelloOuter
-      # which does not include the Handshake structure's four byte header.
+
       outer = new_ch_outer(
         aad,
         ech_state.cipher_suite,
         ech_state.config_id,
         enc,
+        # which does not include the Handshake structure's four byte header.
         ech_state.ctx.seal(aad.serialize[4..], encoded)
       )
 
@@ -104,9 +112,14 @@ module TTTLS13
     # @return [TTTLS13::Message::ClientHello]
     # @return [TTTLS13::Message::ClientHello]
     def self.offer_new_ech(inner, ech_state)
-      encoded = encode_ch_inner(inner, ech_state.maximum_name_length)
-      overhead_len \
-        = aead_id2overhead_len(ech_state.cipher_suite.aead_id.uint16)
+      # for ech_outer_extensions
+      replaced = \
+        inner.extensions.remove_and_replace!(DEFAULT_ECH_OUTER_EXTENSIONS)
+
+      # Encoding the ClientHelloInner
+      encoded = encode_ch_inner(inner, ech_state.maximum_name_length, replaced)
+      overhead_len = \
+        aead_id2overhead_len(ech_state.cipher_suite.aead_id.uint16)
 
       # It encrypts EncodedClientHelloInner as described in Section 6.1.1, using
       # the second partial ClientHelloOuterAAD, to obtain a second
@@ -122,13 +135,14 @@ module TTTLS13
         encoded.length + overhead_len,
         ech_state.public_name
       )
+
       # Authenticating the ClientHelloOuter
-      # which does not include the Handshake structure's four byte header.
       outer = new_ch_outer(
         aad,
         ech_state.cipher_suite,
         ech_state.config_id,
         '',
+        # which does not include the Handshake structure's four byte header.
         ech_state.ctx.seal(aad.serialize[4..], encoded)
       )
 
@@ -137,23 +151,23 @@ module TTTLS13
 
     # @param inner [TTTLS13::Message::ClientHello]
     # @param maximum_name_length [Integer]
+    # @param replaced [TTTLS13::Message::Extensions]
     #
     # @return [String] EncodedClientHelloInner
-    def self.encode_ch_inner(inner, maximum_name_length)
-      # TODO: ech_outer_extensions
+    def self.encode_ch_inner(inner, maximum_name_length, replaced)
       encoded = Message::ClientHello.new(
         legacy_version: inner.legacy_version,
         random: inner.random,
         legacy_session_id: '',
         cipher_suites: inner.cipher_suites,
         legacy_compression_methods: inner.legacy_compression_methods,
-        extensions: inner.extensions
+        extensions: replaced
       )
       server_name_length = \
-        inner.extensions[Message::ExtensionType::SERVER_NAME].server_name.length
+        replaced[Message::ExtensionType::SERVER_NAME].server_name.length
 
-      # which does not include the Handshake structure's four byte header.
       padding_encoded_ch_inner(
+        # which does not include the Handshake structure's four byte header.
         encoded.serialize[4..],
         server_name_length,
         maximum_name_length
@@ -284,6 +298,8 @@ module TTTLS13
 
     # @param inner [TTTLS13::Message::ClientHello]
     # @param ech [Message::Extension::ECHClientHello]
+    #
+    # @return [TTTLS13::Message::ClientHello]
     def self.new_greased_ch(inner, ech)
       Message::ClientHello.new(
         legacy_version: inner.legacy_version,
@@ -393,7 +409,7 @@ module TTTLS13
     # @param config_id [Integer]
     # @param cipher_suite [HpkeSymmetricCipherSuite]
     # @param public_name [String]
-    # @param ctx [[HPKE::ContextS]
+    # @param ctx [HPKE::ContextS]
     def initialize(maximum_name_length,
                    config_id,
                    cipher_suite,
@@ -406,5 +422,5 @@ module TTTLS13
       @ctx = ctx
     end
   end
-  # rubocop: enable Metrics/ModuleLength
+  # rubocop: enable Metrics/ClassLength
 end

data/lib/tttls1.3/message/extension/ech.rb

@@ -26,12 +26,12 @@ module TTTLS13
       #         };
       #     } ECHClientHello;
       class ECHClientHello
-        attr_accessor :extension_type
-        attr_accessor :type
-        attr_accessor :cipher_suite
-        attr_accessor :config_id
-        attr_accessor :enc
-        attr_accessor :payload
+        attr_reader :extension_type
+        attr_reader :type
+        attr_reader :cipher_suite
+        attr_reader :config_id
+        attr_reader :enc
+        attr_reader :payload
 
         # @param type [TTTLS13::Message::Extension::ECHClientHelloType]
         # @param cipher_suite [HpkeSymmetricCipherSuite]
@@ -99,10 +99,10 @@ module TTTLS13
           # @raise [TTTLS13::Error::ErrorAlerts]
           #
           # @return [TTTLS13::Message::Extensions::ECHClientHello]
-          # rubocop: disable Metrics/AbcSize
           def deserialize_outer_ech(binary)
             raise Error::ErrorAlerts, :internal_error if binary.nil?
-            raise Error::ErrorAlerts, :decode_error if binary.length < 5
+
+            return nil if binary.length < 5
 
             kdf_id = \
               HpkeSymmetricCipherSuite::HpkeKdfId.decode(binary.slice(0, 2))
@@ -112,17 +112,14 @@ module TTTLS13
             cid = Convert.bin2i(binary.slice(4, 1))
             enc_len = Convert.bin2i(binary.slice(5, 2))
             i = 7
-            raise Error::ErrorAlerts, :decode_error \
-              if i + enc_len > binary.length
+            return nil if i + enc_len > binary.length
 
             enc = binary.slice(i, enc_len)
             i += enc_len
-            raise Error::ErrorAlerts, :decode_error \
-              if i + 2 > binary.length
+            return nil if i + 2 > binary.length
 
             payload_len = Convert.bin2i(binary.slice(i, 2))
-            raise Error::ErrorAlerts, :decode_error \
-              if i + payload_len > binary.length
+            return nil if i + payload_len > binary.length
 
             payload = binary.slice(i, payload_len)
             ECHClientHello.new(
@@ -133,7 +130,6 @@ module TTTLS13
               payload: payload
             )
           end
-          # rubocop: enable Metrics/AbcSize
 
           # @param binary [String]
           #
@@ -174,8 +170,8 @@ module TTTLS13
       #         ECHConfigList retry_configs;
       #     } ECHEncryptedExtensions;
       class ECHEncryptedExtensions
-        attr_accessor :extension_type
-        attr_accessor :retry_configs
+        attr_reader :extension_type
+        attr_reader :retry_configs
 
         # @param retry_configs [Array of ECHConfig]
         def initialize(retry_configs)
@@ -198,8 +194,7 @@ module TTTLS13
         # @return [TTTLS13::Message::Extensions::ECHEncryptedExtensions]
         def self.deserialize(binary)
           raise Error::ErrorAlerts, :internal_error if binary.nil?
-          raise Error::ErrorAlerts, :decode_error \
-            if binary.length != binary.slice(0, 2).unpack1('n') + 2
+          return nil if binary.length != binary.slice(0, 2).unpack1('n') + 2
 
           ECHEncryptedExtensions.new(
             ECHConfig.decode_vectors(binary.slice(2..))
@@ -212,8 +207,8 @@ module TTTLS13
       #         opaque confirmation[8];
       #     } ECHHelloRetryRequest;
       class ECHHelloRetryRequest
-        attr_accessor :extension_type
-        attr_accessor :confirmation
+        attr_reader :extension_type
+        attr_reader :confirmation
 
         # @param confirmation [String]
         def initialize(confirmation)
@@ -233,7 +228,7 @@ module TTTLS13
         # @return [TTTLS13::Message::Extensions::ECHHelloRetryRequest]
         def self.deserialize(binary)
           raise Error::ErrorAlerts, :internal_error if binary.nil?
-          raise Error::ErrorAlerts, :decode_error if binary.length != 8
+          return nil if binary.length != 8
 
           ECHHelloRetryRequest.new(binary)
         end

data/lib/tttls1.3/message/extension/ech_outer_extensions.rb

@@ -0,0 +1,52 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+module TTTLS13
+  using Refinements
+  module Message
+    module Extension
+      # NOTE:
+      #     ExtensionType OuterExtensions<2..254>;
+      class ECHOuterExtensions
+        attr_reader :extension_type
+        attr_reader :outer_extensions
+
+        # @param outer_extensions [Array of TTTLS13::Message::ExtensionType]
+        def initialize(outer_extensions)
+          @extension_type = ExtensionType::ECH_OUTER_EXTENSIONS
+          @outer_extensions = outer_extensions
+        end
+
+        # @raise [TTTLS13::Error::ErrorAlerts]
+        #
+        # @return [String]
+        def serialize
+          binary = @outer_extensions.join.prefix_uint8_length
+          @extension_type + binary.prefix_uint16_length
+        end
+
+        # @param binary [String]
+        #
+        # @raise [TTTLS13::Error::ErrorAlerts]
+        #
+        # @return [TTTLS13::Message::Extensions::ECHOuterExtensions]
+        def self.deserialize(binary)
+          raise Error::ErrorAlerts, :internal_error if binary.nil?
+
+          return nil if binary.length < 2
+
+          exlist_len = Convert.bin2i(binary.slice(0, 1))
+          i = 1
+          outer_extensions = []
+          while i < exlist_len + 1
+            outer_extensions << binary.slice(i, 2)
+            i += 2
+          end
+          return nil unless outer_extensions.length * 2 == exlist_len
+
+          ECHOuterExtensions.new(outer_extensions)
+        end
+      end
+    end
+  end
+end

data/lib/tttls1.3/message/extensions.rb

@@ -105,6 +105,34 @@ module TTTLS13
         store(ex.extension_type, ex)
       end
 
+      # removing and replacing extensions from EncodedClientHelloInner
+      # with a single "ech_outer_extensions"
+      #
+      # for example
+      # - before
+      #   - self.keys:  [A B C D E]
+      #   - param    :  [D B]
+      # - after remove_and_replace!
+      #   - self.keys:  [A C E B D]
+      #   - return   :  [A C E ech_outer_extensions[B D]]
+      # @param outer_extensions [Array of TTTLS13::Message::ExtensionType]
+      #
+      # @return [TTTLS13::Message::Extensions] for EncodedClientHelloInner
+      def remove_and_replace!(outer_extensions)
+        tmp1 = filter { |k, _| !outer_extensions.include?(k) }
+        tmp2 = filter { |k, _| outer_extensions.include?(k) }
+
+        clear
+        replaced = Message::Extensions.new
+
+        tmp1.each_value { |v| self << v; replaced << v }
+        tmp2.each_value { |v| self << v }
+        replaced << Message::Extension::ECHOuterExtensions.new(tmp2.keys) \
+          unless tmp2.keys.empty?
+
+        replaced
+      end
+
       class << self
         private
 
@@ -173,6 +201,8 @@ module TTTLS13
             else
               Extension::UnknownExtension.deserialize(binary, extension_type)
             end
+          when ExtensionType::ECH_OUTER_EXTENSIONS
+            Extension::ECHOuterExtensions.deserialize(binary)
           else
             Extension::UnknownExtension.deserialize(binary, extension_type)
           end

data/lib/tttls1.3/message.rb

@@ -74,6 +74,7 @@ module TTTLS13
       KEY_SHARE                              = "\x00\x33"
       # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-11.1
       ENCRYPTED_CLIENT_HELLO                 = "\xfe\x0d"
+      ECH_OUTER_EXTENSIONS                   = "\xfd\x00"
     end
 
     DEFINED_EXTENSIONS = ExtensionType.constants.map do |c|

data/lib/tttls1.3/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module TTTLS13
-  VERSION = '0.3.2'
+  VERSION = '0.3.3'
 end

data/spec/ech_outer_extensions_spec.rb

@@ -0,0 +1,42 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+require_relative 'spec_helper'
+using Refinements
+
+RSpec.describe ECHOuterExtensions do
+  context 'valid ech_outer_extensions, [key_share]' do
+    let(:extension) do
+      ECHOuterExtensions.new([ExtensionType::KEY_SHARE])
+    end
+
+    it 'should be generated' do
+      expect(extension.extension_type).to eq ExtensionType::ECH_OUTER_EXTENSIONS
+      expect(extension.outer_extensions).to eq [ExtensionType::KEY_SHARE]
+    end
+
+    it 'should be serialized' do
+      expect(extension.serialize).to eq ExtensionType::ECH_OUTER_EXTENSIONS \
+                                        + 3.to_uint16 \
+                                        + 2.to_uint8 \
+                                        + ExtensionType::KEY_SHARE
+    end
+  end
+
+  context 'valid ech_outer_extensions binary' do
+    let(:extension) do
+      ECHOuterExtensions.deserialize(TESTBINARY_ECH_OUTER_EXTENSIONS)
+    end
+
+    it 'should generate valid object' do
+      expect(extension.extension_type).to be ExtensionType::ECH_OUTER_EXTENSIONS
+      expect(extension.outer_extensions).to eq [ExtensionType::KEY_SHARE]
+    end
+
+    it 'should generate serializable object' do
+      expect(extension.serialize)
+        .to eq ExtensionType::ECH_OUTER_EXTENSIONS \
+               + TESTBINARY_ECH_OUTER_EXTENSIONS.prefix_uint16_length
+    end
+  end
+end

data/spec/ech_spec.rb

@@ -78,7 +78,9 @@ RSpec.describe ECHClientHello do
       expect(extension.confirmation).to eq "\x00" * 8
     end
   end
+end
 
+RSpec.describe Ech do
   context 'EncodedClientHelloInner length' do
     let(:server_name) do
       'localhost'

data/spec/extensions_spec.rb

@@ -182,4 +182,69 @@ RSpec.describe Extensions do
         .to raise_error(ErrorAlerts)
     end
   end
+
+  context 'removing and replacing extensions from EncodedClientHelloInner' do
+    let(:extensions) do
+      extensions, = Client.new(nil, 'localhost').send(:gen_ch_extensions)
+      extensions
+    end
+
+    let(:no_key_share_exs) do
+      Extensions.new(
+        extensions.filter { |k, _| k != ExtensionType::KEY_SHARE }.values
+      )
+    end
+
+    it 'should be equal remove_and_replace! with []' do
+      expected = extensions.clone
+      got = extensions.remove_and_replace!([])
+
+      expect(got.keys).to eq expected.keys
+      expect(got[ExtensionType::ECH_OUTER_EXTENSIONS]).to eq nil
+      expect(extensions.keys - got.keys).to eq []
+    end
+
+    it 'should be equal remove_and_replace! with [key_share]' do
+      expected = extensions.filter { |k, _| k != ExtensionType::KEY_SHARE }
+      expected[ExtensionType::ECH_OUTER_EXTENSIONS] = \
+        Extension::ECHOuterExtensions.new([ExtensionType::KEY_SHARE])
+      got = extensions.remove_and_replace!([ExtensionType::KEY_SHARE])
+
+      expect(got.keys).to eq expected.keys
+      expect(got[ExtensionType::ECH_OUTER_EXTENSIONS].outer_extensions)
+        .to eq expected[ExtensionType::ECH_OUTER_EXTENSIONS].outer_extensions
+      expect(extensions.keys - got.keys)
+        .to eq expected[ExtensionType::ECH_OUTER_EXTENSIONS].outer_extensions
+    end
+
+    it 'should be equal remove_and_replace! with' \
+       ' [key_share,supported_versions]' do
+      outer_extensions = [
+        ExtensionType::KEY_SHARE,
+        ExtensionType::SUPPORTED_VERSIONS
+      ]
+      expected = extensions.filter { |k, _| !outer_extensions.include?(k) }
+      expected[ExtensionType::ECH_OUTER_EXTENSIONS] = \
+        Extension::ECHOuterExtensions.new(
+          extensions.filter { |k, _| outer_extensions.include?(k) }.keys
+        )
+      got = extensions.remove_and_replace!(outer_extensions)
+
+      expect(got.keys).to eq expected.keys
+      expect(got[ExtensionType::ECH_OUTER_EXTENSIONS].outer_extensions)
+        .to eq expected[ExtensionType::ECH_OUTER_EXTENSIONS].outer_extensions
+      expect(extensions.keys - got.keys)
+        .to eq expected[ExtensionType::ECH_OUTER_EXTENSIONS].outer_extensions
+    end
+
+    it 'should be equal remove_and_replace! with no key_share extensions' \
+       ' & [key_share]' do
+      expected = no_key_share_exs.clone
+      got = no_key_share_exs.remove_and_replace!([ExtensionType::KEY_SHARE])
+
+      expect(got).to eq expected
+      expect(got[ExtensionType::ECH_OUTER_EXTENSIONS]).to eq nil
+      expect(no_key_share_exs.keys - got.keys).to eq []
+    end
+  end
 end

data/spec/spec_helper.rb

@@ -245,6 +245,10 @@ TESTBINARY_ECH_HRR = <<BIN.split.map(&:hex).map(&:chr).join
   00 00 00 00 00 00 00 00
 BIN
 
+TESTBINARY_ECH_OUTER_EXTENSIONS = <<BIN.split.map(&:hex).map(&:chr).join
+  02 00 33
+BIN
+
 # https://datatracker.ietf.org/doc/html/rfc8448#section-3
 # 3.  Simple 1-RTT Handshake
 TESTBINARY_CLIENT_HELLO = <<BIN.split.map(&:hex).map(&:chr).join

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tttls1.3
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.3.3
 platform: ruby
 authors:
 - thekuwayama
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-03-14 00:00:00.000000000 Z
+date: 2024-04-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -108,6 +108,7 @@ files:
 - example/https_client_using_hrr_and_ticket.rb
 - example/https_client_using_status_request.rb
 - example/https_client_using_ticket.rb
+- example/https_client_using_ticket_and_ech.rb
 - example/https_server.rb
 - interop/client_spec.rb
 - interop/server_spec.rb
@@ -139,6 +140,7 @@ files:
 - lib/tttls1.3/message/extension/cookie.rb
 - lib/tttls1.3/message/extension/early_data_indication.rb
 - lib/tttls1.3/message/extension/ech.rb
+- lib/tttls1.3/message/extension/ech_outer_extensions.rb
 - lib/tttls1.3/message/extension/key_share.rb
 - lib/tttls1.3/message/extension/pre_shared_key.rb
 - lib/tttls1.3/message/extension/psk_key_exchange_modes.rb
@@ -176,6 +178,7 @@ files:
 - spec/compress_certificate_spec.rb
 - spec/cookie_spec.rb
 - spec/early_data_indication_spec.rb
+- spec/ech_outer_extensions_spec.rb
 - spec/ech_spec.rb
 - spec/encrypted_extensions_spec.rb
 - spec/end_of_early_data_spec.rb
@@ -254,6 +257,7 @@ test_files:
 - spec/compress_certificate_spec.rb
 - spec/cookie_spec.rb
 - spec/early_data_indication_spec.rb
+- spec/ech_outer_extensions_spec.rb
 - spec/ech_spec.rb
 - spec/encrypted_extensions_spec.rb
 - spec/end_of_early_data_spec.rb