tttls1.3 0.3.2 → 0.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7245602faa9087e83b3e47484aa88dc368b153e98c76fd00e36ebb1a863af6ef
-  data.tar.gz: c7362f39fc26763f712cdf61a29b3796686c50034d2a6431788d8dbf7dd505c9
+  metadata.gz: '0913f70f0bdbfd6740f41ce7902f55660ea1bd99533a8f765f9d98a1bd56a58c'
+  data.tar.gz: 611a063ae74498d19636ebf3ee3741b76164856341bb38ec9966a999579bdfb1
 SHA512:
-  metadata.gz: 33168ef27007f9e6d73197ed3e1bae9b58dadfdf3042e732ddc6a05913db0aad48fb653ea7b7222716d70ebe42739f2d9dddee0ec75ee45eb33daba4be6f0229
-  data.tar.gz: d05c73a49e0f5d568785c3b6af3d9bc3c286b35f1110c5f31860f8cf788a9f9e019112fd8647394672c279808e20c4f02d438a58c44f5bab9af1d5fb851ef41f
+  metadata.gz: 88f39003d30f4642c67a61169923fe248bc572b4a1c638eb36803dc4278aa91a499919784cd060fa35c522bcb935745d1b4542abb1963514aba1f86f1ea789fd
+  data.tar.gz: cd2ae8cd383cd9737a732d53c8ca27cbacdcd3c4a5b6bee62f5f43faba4fd8eb8067b0621df18d8b77db679823c3aa26947508fe5827939bf6741e6f417a1d80

data/.rubocop.yml

@@ -4,6 +4,9 @@ AllCops:
 Gemspec/RequiredRubyVersion:
   Enabled: false
 
+Semicolon:
+  AllowAsExpressionSeparator: true
+
 Style/ConditionalAssignment:
   Enabled: false
 

data/Gemfile

@@ -9,11 +9,12 @@ gem 'openssl'
 gem 'rake'
 
 group :development do
+  gem 'base64'
   gem 'byebug'
   gem 'http_parser.rb'
+  gem 'resolv', '~> 0.4.0'
   gem 'rspec', '3.9.0'
   gem 'rubocop', '0.78.0'
-  gem 'svcb_rr_patch'
   gem 'webrick'
 end
 

data/example/helper.rb

@@ -2,13 +2,15 @@
 
 $LOAD_PATH << __dir__ + '/../lib'
 
+require 'base64'
+require 'resolv'
 require 'socket'
 require 'time'
 require 'uri'
 require 'webrick'
 
+require 'ech_config'
 require 'http/parser'
-require 'svcb_rr_patch'
 
 require 'tttls1.3'
 
@@ -83,3 +85,32 @@ def transcript_htmlize(transcript)
     format(m[k], TTTLS13::Convert.obj2html(v.first))
   end.join('<br>')
 end
+
+def parse_echconfigs_pem(pem)
+  # https://datatracker.ietf.org/doc/html/draft-farrell-tls-pemesni-08#section-3-4
+  s = pem.gsub(/-----(BEGIN|END) (ECH CONFIGS|ECHCONFIG)-----/, '')
+         .gsub("\n", '')
+  b = Base64.decode64(s)
+  raise 'failed to parse ECHConfigs' \
+    unless b.length == b.slice(0, 2).unpack1('n') + 2
+
+  ECHConfig.decode_vectors(b.slice(2..))
+end
+
+def resolve_echconfig(hostname)
+  rr = Resolv::DNS.new.getresources(
+    hostname,
+    Resolv::DNS::Resource::IN::HTTPS
+  )
+
+  # https://datatracker.ietf.org/doc/html/draft-ietf-tls-svcb-ech-01#section-6
+  ech = 5
+  raise "failed to resolve echconfig via #{hostname} HTTPS RR" \
+    if rr.first.nil? || rr.first.params[ech].nil?
+
+  octet = rr.first.params[ech].value
+  raise 'failed to parse ECHConfigs' \
+    unless octet.length == octet.slice(0, 2).unpack1('n') + 2
+
+  ECHConfig.decode_vectors(octet.slice(2..)).first
+end

data/example/https_client_using_0rtt.rb

@@ -9,7 +9,8 @@ req = simple_http_request(uri.host, uri.path)
 
 settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
-  alpn: ['http/1.1']
+  alpn: ['http/1.1'],
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 process_new_session_ticket = lambda do |nst, rms, cs|
   return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
@@ -24,7 +25,8 @@ end
 settings_1st = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  process_new_session_ticket: process_new_session_ticket
+  process_new_session_ticket: process_new_session_ticket,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 
 succeed_early_data = false

data/example/https_client_using_ech.rb

@@ -2,22 +2,21 @@
 # frozen_string_literal: true
 
 require_relative 'helper'
-HpkeSymmetricCipherSuite = \
-  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
 
 uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
 req = simple_http_request(uri.host, uri.path)
+ech_config = if ARGV.length > 1
+               parse_echconfigs_pem(File.open(ARGV[1]).read).first
+             else
+               resolve_echconfig(uri.host)
+             end
 
-rr = Resolv::DNS.new.getresources(
-  uri.host,
-  Resolv::DNS::Resource::IN::HTTPS
-)
 socket = TCPSocket.new(uri.host, uri.port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  ech_config: rr.first.svc_params['ech'].echconfiglist.first,
+  ech_config: ech_config,
   ech_hpke_cipher_suites:
     TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
   sslkeylogfile: '/tmp/sslkeylogfile.log'

data/example/https_client_using_grease_ech.rb

@@ -2,8 +2,6 @@
 # frozen_string_literal: true
 
 require_relative 'helper'
-HpkeSymmetricCipherSuite = \
-  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
 
 uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'

data/example/https_client_using_hrr.rb

@@ -11,7 +11,8 @@ socket = TCPSocket.new(uri.host, uri.port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   key_share_groups: [], # empty KeyShareClientHello.client_shares
-  alpn: ['http/1.1']
+  alpn: ['http/1.1'],
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 client = TTTLS13::Client.new(socket, uri.host, **settings)
 client.connect

data/example/https_client_using_hrr_and_ech.rb

@@ -2,23 +2,22 @@
 # frozen_string_literal: true
 
 require_relative 'helper'
-HpkeSymmetricCipherSuite = \
-  ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
 
 uri = URI.parse(ARGV[0] || 'https://localhost:4433')
 ca_file = __dir__ + '/../tmp/ca.crt'
 req = simple_http_request(uri.host, uri.path)
+ech_config = if ARGV.length > 1
+               parse_echconfigs_pem(File.open(ARGV[1]).read).first
+             else
+               resolve_echconfig(uri.host)
+             end
 
-rr = Resolv::DNS.new.getresources(
-  uri.host,
-  Resolv::DNS::Resource::IN::HTTPS
-)
 socket = TCPSocket.new(uri.host, uri.port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   key_share_groups: [], # empty KeyShareClientHello.client_shares
   alpn: ['http/1.1'],
-  ech_config: rr.first.svc_params['ech'].echconfiglist.first,
+  ech_config: ech_config,
   ech_hpke_cipher_suites:
     TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
   sslkeylogfile: '/tmp/sslkeylogfile.log'

data/example/https_client_using_hrr_and_ticket.rb

@@ -9,7 +9,8 @@ req = simple_http_request(uri.host, uri.path)
 
 settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
-  alpn: ['http/1.1']
+  alpn: ['http/1.1'],
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 process_new_session_ticket = lambda do |nst, rms, cs|
   return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
@@ -25,7 +26,8 @@ end
 settings_1st = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  process_new_session_ticket: process_new_session_ticket
+  process_new_session_ticket: process_new_session_ticket,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 
 [

data/example/https_client_using_status_request.rb

@@ -19,7 +19,8 @@ settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
   check_certificate_status: true,
-  process_certificate_status: process_certificate_status
+  process_certificate_status: process_certificate_status,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 client = TTTLS13::Client.new(socket, uri.host, **settings)
 client.connect

data/example/https_client_using_ticket.rb

@@ -9,7 +9,8 @@ req = simple_http_request(uri.host, uri.path)
 
 settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
-  alpn: ['http/1.1']
+  alpn: ['http/1.1'],
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 process_new_session_ticket = lambda do |nst, rms, cs|
   return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
@@ -24,7 +25,8 @@ end
 settings_1st = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  process_new_session_ticket: process_new_session_ticket
+  process_new_session_ticket: process_new_session_ticket,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 
 [

data/example/https_client_using_ticket_and_ech.rb

@@ -0,0 +1,57 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+require_relative 'helper'
+
+uri = URI.parse(ARGV[0] || 'https://localhost:4433')
+ca_file = __dir__ + '/../tmp/ca.crt'
+req = simple_http_request(uri.host, uri.path)
+ech_config = if ARGV.length > 1
+               parse_echconfigs_pem(File.open(ARGV[1]).read).first
+             else
+               resolve_echconfig(uri.host)
+             end
+
+settings_2nd = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  alpn: ['http/1.1'],
+  ech_config: ech_config,
+  ech_hpke_cipher_suites:
+    TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
+}
+process_new_session_ticket = lambda do |nst, rms, cs|
+  return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
+
+  settings_2nd[:ticket] = nst.ticket
+  settings_2nd[:resumption_main_secret] = rms
+  settings_2nd[:psk_cipher_suite] = cs
+  settings_2nd[:ticket_nonce] = nst.ticket_nonce
+  settings_2nd[:ticket_age_add] = nst.ticket_age_add
+  settings_2nd[:ticket_timestamp] = nst.timestamp
+end
+settings_1st = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  alpn: ['http/1.1'],
+  ech_config: ech_config,
+  ech_hpke_cipher_suites:
+    TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
+  process_new_session_ticket: process_new_session_ticket,
+  sslkeylogfile: '/tmp/sslkeylogfile.log'
+}
+
+[
+  # Initial Handshake:
+  settings_1st,
+  # Subsequent Handshake:
+  settings_2nd
+].each do |settings|
+  socket = TCPSocket.new(uri.host, uri.port)
+  client = TTTLS13::Client.new(socket, uri.host, **settings)
+  client.connect
+  client.write(req)
+
+  print recv_http_response(client)
+  client.close unless client.eof?
+  socket.close
+end

data/lib/tttls1.3/client.rb

@@ -89,8 +89,8 @@ module TTTLS13
   class Client
     include Logging
 
-    HpkeSymmetricCipherSuit = \
-      ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
+    HpkeSymmetricCipherSuit \
+      = ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
 
     attr_reader :transcript
 
@@ -110,7 +110,6 @@ module TTTLS13
       raise Error::ConfigError unless valid_settings?
     end
 
-    # NOTE:
     #                           START <----+
     #            Send ClientHello |        | Recv HelloRetryRequest
     #       [K_send = early data] |        |
@@ -327,7 +326,7 @@ module TTTLS13
           )
 
           # rejected ECH
-          # NOTE: It can compute (hrr_)accept_ech until client selects the
+          # It can compute (hrr_)accept_ech until client selects the
           # cipher_suite.
           if !sh.hrr? && use_ech?
             if !@transcript.include?(HRR) && !key_schedule.accept_ech?
@@ -1008,7 +1007,6 @@ module TTTLS13
       [new_exs, priv_keys]
     end
 
-    # NOTE:
     # https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.2
     #
     # @param ch1 [TTTLS13::Message::ClientHello]

data/lib/tttls1.3/cryptograph/aead.rb

@@ -23,8 +23,6 @@ module TTTLS13
         when CipherSuite::TLS_CHACHA20_POLY1305_SHA256
           @cipher = OpenSSL::Cipher.new('chacha20-poly1305')
         else
-          # Note:
-          # not supported
           # CipherSuite::TLS_AES_128_CCM_SHA256
           # CipherSuite::TLS_AES_128_CCM_8_SHA256
           raise Error::ErrorAlerts, :internal_error
@@ -36,7 +34,6 @@ module TTTLS13
         @auth_tag_len = CipherSuite.auth_tag_len(@cipher_suite)
       end
 
-      # NOTE:
       #     AEAD-Encrypt(write_key, nonce, additional_data, plaintext)
       #
       # @param content [String]
@@ -53,7 +50,6 @@ module TTTLS13
         encrypted_data + cipher.auth_tag
       end
 
-      # NOTE:
       #     AEAD-Decrypt(peer_write_key, nonce,
       #                  additional_data, AEADEncrypted)
       #
@@ -78,7 +74,6 @@ module TTTLS13
         [clear[0...-postfix_len], clear[-postfix_len]]
       end
 
-      # NOTE:
       #     struct {
       #         opaque content[TLSPlaintext.length];
       #         ContentType type;

data/lib/tttls1.3/ech.rb

@@ -7,14 +7,19 @@ module TTTLS13
   SUPPORTED_ECHCONFIG_VERSIONS = ["\xfe\x0d"].freeze
   private_constant :SUPPORTED_ECHCONFIG_VERSIONS
 
-  # rubocop: disable Metrics/ModuleLength
-  module Ech
+  DEFAULT_ECH_OUTER_EXTENSIONS = [
+    Message::ExtensionType::KEY_SHARE
+  ].freeze
+  private_constant :DEFAULT_ECH_OUTER_EXTENSIONS
+
+  # rubocop: disable Metrics/ClassLength
+  class Ech
     # @param inner [TTTLS13::Message::ClientHello]
     # @param ech_config [ECHConfig]
     # @param hpke_cipher_suite_selector [Method]
     #
     # @return [TTTLS13::Message::ClientHello]
-    # @return [TTTLS13::Message::ClientHello]
+    # @return [TTTLS13::Message::ClientHello] ClientHelloInner
     # @return [TTTLS13::EchState]
     # rubocop: disable Metrics/AbcSize
     def self.offer_ech(inner, ech_config, hpke_cipher_suite_selector)
@@ -30,12 +35,15 @@ module TTTLS13
       return [new_greased_ch(inner, new_grease_ech), nil, nil] \
         if ech_state.nil? || enc.nil?
 
-      encoded = encode_ch_inner(inner, ech_state.maximum_name_length)
-      overhead_len = aead_id2overhead_len(
-        ech_state.cipher_suite.aead_id.uint16
-      )
+      # for ech_outer_extensions
+      replaced = \
+        inner.extensions.remove_and_replace!(DEFAULT_ECH_OUTER_EXTENSIONS)
 
       # Encoding the ClientHelloInner
+      encoded = encode_ch_inner(inner, ech_state.maximum_name_length, replaced)
+      overhead_len = aead_id2overhead_len(ech_state.cipher_suite.aead_id.uint16)
+
+      # Authenticating the ClientHelloOuter
       aad = new_ch_outer_aad(
         inner,
         ech_state.cipher_suite,
@@ -44,13 +52,13 @@ module TTTLS13
         encoded.length + overhead_len,
         ech_state.public_name
       )
-      # Authenticating the ClientHelloOuter
-      # which does not include the Handshake structure's four byte header.
+
       outer = new_ch_outer(
         aad,
         ech_state.cipher_suite,
         ech_state.config_id,
         enc,
+        # which does not include the Handshake structure's four byte header.
         ech_state.ctx.seal(aad.serialize[4..], encoded)
       )
 
@@ -102,11 +110,16 @@ module TTTLS13
     # @param ech_state [TTTLS13::EchState]
     #
     # @return [TTTLS13::Message::ClientHello]
-    # @return [TTTLS13::Message::ClientHello]
+    # @return [TTTLS13::Message::ClientHello] ClientHelloInner
     def self.offer_new_ech(inner, ech_state)
-      encoded = encode_ch_inner(inner, ech_state.maximum_name_length)
-      overhead_len \
-        = aead_id2overhead_len(ech_state.cipher_suite.aead_id.uint16)
+      # for ech_outer_extensions
+      replaced = \
+        inner.extensions.remove_and_replace!(DEFAULT_ECH_OUTER_EXTENSIONS)
+
+      # Encoding the ClientHelloInner
+      encoded = encode_ch_inner(inner, ech_state.maximum_name_length, replaced)
+      overhead_len = \
+        aead_id2overhead_len(ech_state.cipher_suite.aead_id.uint16)
 
       # It encrypts EncodedClientHelloInner as described in Section 6.1.1, using
       # the second partial ClientHelloOuterAAD, to obtain a second
@@ -122,13 +135,14 @@ module TTTLS13
         encoded.length + overhead_len,
         ech_state.public_name
       )
+
       # Authenticating the ClientHelloOuter
-      # which does not include the Handshake structure's four byte header.
       outer = new_ch_outer(
         aad,
         ech_state.cipher_suite,
         ech_state.config_id,
         '',
+        # which does not include the Handshake structure's four byte header.
         ech_state.ctx.seal(aad.serialize[4..], encoded)
       )
 
@@ -137,23 +151,23 @@ module TTTLS13
 
     # @param inner [TTTLS13::Message::ClientHello]
     # @param maximum_name_length [Integer]
+    # @param replaced [TTTLS13::Message::Extensions]
     #
     # @return [String] EncodedClientHelloInner
-    def self.encode_ch_inner(inner, maximum_name_length)
-      # TODO: ech_outer_extensions
+    def self.encode_ch_inner(inner, maximum_name_length, replaced)
       encoded = Message::ClientHello.new(
         legacy_version: inner.legacy_version,
         random: inner.random,
         legacy_session_id: '',
         cipher_suites: inner.cipher_suites,
         legacy_compression_methods: inner.legacy_compression_methods,
-        extensions: inner.extensions
+        extensions: replaced
       )
       server_name_length = \
-        inner.extensions[Message::ExtensionType::SERVER_NAME].server_name.length
+        replaced[Message::ExtensionType::SERVER_NAME].server_name.length
 
-      # which does not include the Handshake structure's four byte header.
       padding_encoded_ch_inner(
+        # which does not include the Handshake structure's four byte header.
         encoded.serialize[4..],
         server_name_length,
         maximum_name_length
@@ -284,6 +298,8 @@ module TTTLS13
 
     # @param inner [TTTLS13::Message::ClientHello]
     # @param ech [Message::Extension::ECHClientHello]
+    #
+    # @return [TTTLS13::Message::ClientHello]
     def self.new_greased_ch(inner, ech)
       Message::ClientHello.new(
         legacy_version: inner.legacy_version,
@@ -393,7 +409,7 @@ module TTTLS13
     # @param config_id [Integer]
     # @param cipher_suite [HpkeSymmetricCipherSuite]
     # @param public_name [String]
-    # @param ctx [[HPKE::ContextS]
+    # @param ctx [HPKE::ContextS]
     def initialize(maximum_name_length,
                    config_id,
                    cipher_suite,
@@ -406,5 +422,5 @@ module TTTLS13
       @ctx = ctx
     end
   end
-  # rubocop: enable Metrics/ModuleLength
+  # rubocop: enable Metrics/ClassLength
 end

data/lib/tttls1.3/key_schedule.rb

@@ -250,7 +250,7 @@ module TTTLS13
     #
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
-    # @param [String]
+    # @return [String]
     def self.hkdf_expand(secret, info, length, digest)
       hash_len = OpenSSL::Digest.new(digest).digest_length
       raise Error::ErrorAlerts, :internal_error if length > 255 * hash_len

data/lib/tttls1.3/message/application_data.rb

@@ -6,7 +6,7 @@ module TTTLS13
     class ApplicationData
       attr_reader :fragment
 
-      # @param [String]
+      # @param fragment [String]
       def initialize(fragment)
         @fragment = fragment
       end

data/lib/tttls1.3/message/client_hello.rb

@@ -160,6 +160,14 @@ module TTTLS13
           sg_groups.filter { |g| ks_groups.include?(g) } == ks_groups &&
           ks_groups.uniq == ks_groups
       end
+
+      # @return [Boolean]
+      def ch_inner?
+        ech = @extensions[Message::ExtensionType::ENCRYPTED_CLIENT_HELLO]
+        return false if ech.nil?
+
+        ech.type == Message::Extension::ECHClientHelloType::INNER
+      end
     end
   end
 end

data/lib/tttls1.3/message/extension/alpn.rb

@@ -9,7 +9,7 @@ module TTTLS13
         attr_reader :extension_type
         attr_reader :protocol_name_list
 
-        # @param named_group_list [Array of String]
+        # @param protocol_name_list [Array] Array of String
         #
         # @raise [TTTLS13::Error::ErrorAlerts]
         #

data/lib/tttls1.3/message/extension/ech.rb

@@ -12,7 +12,6 @@ module TTTLS13
         INNER = "\x01"
       end
 
-      # NOTE:
       #     struct {
       #         ECHClientHelloType type;
       #         select (ECHClientHello.type) {
@@ -26,12 +25,12 @@ module TTTLS13
       #         };
       #     } ECHClientHello;
       class ECHClientHello
-        attr_accessor :extension_type
-        attr_accessor :type
-        attr_accessor :cipher_suite
-        attr_accessor :config_id
-        attr_accessor :enc
-        attr_accessor :payload
+        attr_reader :extension_type
+        attr_reader :type
+        attr_reader :cipher_suite
+        attr_reader :config_id
+        attr_reader :enc
+        attr_reader :payload
 
         # @param type [TTTLS13::Message::Extension::ECHClientHelloType]
         # @param cipher_suite [HpkeSymmetricCipherSuite]
@@ -99,10 +98,10 @@ module TTTLS13
           # @raise [TTTLS13::Error::ErrorAlerts]
           #
           # @return [TTTLS13::Message::Extensions::ECHClientHello]
-          # rubocop: disable Metrics/AbcSize
           def deserialize_outer_ech(binary)
             raise Error::ErrorAlerts, :internal_error if binary.nil?
-            raise Error::ErrorAlerts, :decode_error if binary.length < 5
+
+            return nil if binary.length < 5
 
             kdf_id = \
               HpkeSymmetricCipherSuite::HpkeKdfId.decode(binary.slice(0, 2))
@@ -112,17 +111,14 @@ module TTTLS13
             cid = Convert.bin2i(binary.slice(4, 1))
             enc_len = Convert.bin2i(binary.slice(5, 2))
             i = 7
-            raise Error::ErrorAlerts, :decode_error \
-              if i + enc_len > binary.length
+            return nil if i + enc_len > binary.length
 
             enc = binary.slice(i, enc_len)
             i += enc_len
-            raise Error::ErrorAlerts, :decode_error \
-              if i + 2 > binary.length
+            return nil if i + 2 > binary.length
 
             payload_len = Convert.bin2i(binary.slice(i, 2))
-            raise Error::ErrorAlerts, :decode_error \
-              if i + payload_len > binary.length
+            return nil if i + payload_len > binary.length
 
             payload = binary.slice(i, payload_len)
             ECHClientHello.new(
@@ -133,7 +129,6 @@ module TTTLS13
               payload: payload
             )
           end
-          # rubocop: enable Metrics/AbcSize
 
           # @param binary [String]
           #
@@ -169,13 +164,12 @@ module TTTLS13
         end
       end
 
-      # NOTE:
       #     struct {
       #         ECHConfigList retry_configs;
       #     } ECHEncryptedExtensions;
       class ECHEncryptedExtensions
-        attr_accessor :extension_type
-        attr_accessor :retry_configs
+        attr_reader :extension_type
+        attr_reader :retry_configs
 
         # @param retry_configs [Array of ECHConfig]
         def initialize(retry_configs)
@@ -198,8 +192,7 @@ module TTTLS13
         # @return [TTTLS13::Message::Extensions::ECHEncryptedExtensions]
         def self.deserialize(binary)
           raise Error::ErrorAlerts, :internal_error if binary.nil?
-          raise Error::ErrorAlerts, :decode_error \
-            if binary.length != binary.slice(0, 2).unpack1('n') + 2
+          return nil if binary.length != binary.slice(0, 2).unpack1('n') + 2
 
           ECHEncryptedExtensions.new(
             ECHConfig.decode_vectors(binary.slice(2..))
@@ -207,13 +200,12 @@ module TTTLS13
         end
       end
 
-      # NOTE:
       #     struct {
       #         opaque confirmation[8];
       #     } ECHHelloRetryRequest;
       class ECHHelloRetryRequest
-        attr_accessor :extension_type
-        attr_accessor :confirmation
+        attr_reader :extension_type
+        attr_reader :confirmation
 
         # @param confirmation [String]
         def initialize(confirmation)
@@ -233,7 +225,7 @@ module TTTLS13
         # @return [TTTLS13::Message::Extensions::ECHHelloRetryRequest]
         def self.deserialize(binary)
           raise Error::ErrorAlerts, :internal_error if binary.nil?
-          raise Error::ErrorAlerts, :decode_error if binary.length != 8
+          return nil if binary.length != 8
 
           ECHHelloRetryRequest.new(binary)
         end

data/lib/tttls1.3/message/extension/ech_outer_extensions.rb

@@ -0,0 +1,51 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+module TTTLS13
+  using Refinements
+  module Message
+    module Extension
+      #     ExtensionType OuterExtensions<2..254>;
+      class ECHOuterExtensions
+        attr_reader :extension_type
+        attr_reader :outer_extensions
+
+        # @param outer_extensions [Array of TTTLS13::Message::ExtensionType]
+        def initialize(outer_extensions)
+          @extension_type = ExtensionType::ECH_OUTER_EXTENSIONS
+          @outer_extensions = outer_extensions
+        end
+
+        # @raise [TTTLS13::Error::ErrorAlerts]
+        #
+        # @return [String]
+        def serialize
+          binary = @outer_extensions.join.prefix_uint8_length
+          @extension_type + binary.prefix_uint16_length
+        end
+
+        # @param binary [String]
+        #
+        # @raise [TTTLS13::Error::ErrorAlerts]
+        #
+        # @return [TTTLS13::Message::Extensions::ECHOuterExtensions]
+        def self.deserialize(binary)
+          raise Error::ErrorAlerts, :internal_error if binary.nil?
+
+          return nil if binary.length < 2
+
+          exlist_len = Convert.bin2i(binary.slice(0, 1))
+          i = 1
+          outer_extensions = []
+          while i < exlist_len + 1
+            outer_extensions << binary.slice(i, 2)
+            i += 2
+          end
+          return nil unless outer_extensions.length * 2 == exlist_len
+
+          ECHOuterExtensions.new(outer_extensions)
+        end
+      end
+    end
+  end
+end

data/lib/tttls1.3/message/extension/key_share.rb

@@ -11,7 +11,7 @@ module TTTLS13
         attr_reader :msg_type
         attr_reader :key_share_entry
 
-        # @param msg_type [TTTLS13::Message::ContentType]
+        # @param msg_type [TTTLS13::Message::HandshakeType]
         # @param key_share_entry [Array of KeyShareEntry]
         #
         # @raise [TTTLS13::Error::ErrorAlerts]
@@ -108,7 +108,7 @@ module TTTLS13
           [key_share, priv_keys]
         end
 
-        # @param groups [TTTLS13::NamedGroup]
+        # @param group [TTTLS13::NamedGroup]
         #
         # @return [TTTLS13::Message::Extensions::KeyShare]
         # @return [OpenSSL::PKey::EC.$Object]
@@ -129,7 +129,7 @@ module TTTLS13
           [key_share, ec]
         end
 
-        # @param groups [TTTLS13::NamedGroup]
+        # @param group [TTTLS13::NamedGroup]
         #
         # @return [TTTLS13::Message::Extensions::KeyShare]
         def self.gen_hrr_key_share(group)
@@ -143,7 +143,6 @@ module TTTLS13
         class << self
           private
 
-          # NOTE:
           #     struct {
           #         KeyShareEntry client_shares<0..2^16-1>;
           #     } KeyShareClientHello;
@@ -178,7 +177,6 @@ module TTTLS13
             key_share_entry
           end
 
-          # NOTE:
           #     struct {
           #         KeyShareEntry server_share;
           #     } KeyShareServerHello;
@@ -201,7 +199,6 @@ module TTTLS13
             [KeyShareEntry.new(group: group, key_exchange: key_exchange)]
           end
 
-          # NOTE:
           #     struct {
           #         NamedGroup selected_group;
           #     } KeyShareHelloRetryRequest;

data/lib/tttls1.3/message/extension/pre_shared_key.rb

@@ -5,7 +5,6 @@ module TTTLS13
   using Refinements
   module Message
     module Extension
-      # NOTE:
       #     struct {
       #         select (Handshake.msg_type) {
       #             case client_hello: OfferedPsks;
@@ -83,7 +82,6 @@ module TTTLS13
         end
       end
 
-      # NOTE:
       #     opaque PskBinderEntry<32..255>;
       #
       #     struct {
@@ -172,7 +170,6 @@ module TTTLS13
         # rubocop: enable Metrics/PerceivedComplexity
       end
 
-      # NOTE:
       #     struct {
       #         opaque identity<1..2^16-1>;
       #         uint32 obfuscated_ticket_age;

data/lib/tttls1.3/message/extension/server_name.rb

@@ -9,7 +9,6 @@ module TTTLS13
         HOST_NAME = "\x00"
       end
 
-      # NOTE:
       # The extension_data field SHALL be empty when @server_name is empty.
       # Then, serialized extension_data is
       #

data/lib/tttls1.3/message/extension/signature_algorithms_cert.rb

@@ -5,7 +5,7 @@ module TTTLS13
   module Message
     module Extension
       class SignatureAlgorithmsCert < SignatureAlgorithms
-        # @param versions [Array of SignatureScheme]
+        # @param supported_signature_algorithms [Array] Array of SignatureScheme
         def initialize(supported_signature_algorithms)
           super(supported_signature_algorithms)
           @extension_type = ExtensionType::SIGNATURE_ALGORITHMS_CERT

data/lib/tttls1.3/message/extension/unknown_extension.rb

@@ -5,7 +5,6 @@ module TTTLS13
   using Refinements
   module Message
     module Extension
-      # NOTE:
       # Client/Server MUST ignore unrecognized extensions,
       # but transcript MUST include unrecognized extensions.
       class UnknownExtension

data/lib/tttls1.3/message/extensions.rb

@@ -21,7 +21,6 @@ module TTTLS13
 
       alias super_fetch fetch
 
-      # NOTE:
       # "pre_shared_key" MUST be the last extension in the ClientHello
       #
       # @return [String]
@@ -105,10 +104,37 @@ module TTTLS13
         store(ex.extension_type, ex)
       end
 
+      # removing and replacing extensions from EncodedClientHelloInner
+      # with a single "ech_outer_extensions"
+      #
+      # for example
+      # - before
+      #   - self.keys:  [A B C D E]
+      #   - param    :  [D B]
+      # - after remove_and_replace!
+      #   - self.keys:  [A C E B D]
+      #   - return   :  [A C E ech_outer_extensions[B D]]
+      # @param outer_extensions [Array of TTTLS13::Message::ExtensionType]
+      #
+      # @return [TTTLS13::Message::Extensions] for EncodedClientHelloInner
+      def remove_and_replace!(outer_extensions)
+        tmp1 = filter { |k, _| !outer_extensions.include?(k) }
+        tmp2 = filter { |k, _| outer_extensions.include?(k) }
+
+        clear
+        replaced = Message::Extensions.new
+
+        tmp1.each_value { |v| self << v; replaced << v }
+        tmp2.each_value { |v| self << v }
+        replaced << Message::Extension::ECHOuterExtensions.new(tmp2.keys) \
+          unless tmp2.keys.empty?
+
+        replaced
+      end
+
       class << self
         private
 
-        # NOTE:
         # deserialize_extension ignores unparsable extension.
         # Received unparsable binary, returns nil, doesn't raise
         # ErrorAlerts :decode_error.
@@ -173,6 +199,8 @@ module TTTLS13
             else
               Extension::UnknownExtension.deserialize(binary, extension_type)
             end
+          when ExtensionType::ECH_OUTER_EXTENSIONS
+            Extension::ECHOuterExtensions.deserialize(binary)
           else
             Extension::UnknownExtension.deserialize(binary, extension_type)
           end

data/lib/tttls1.3/message/record.rb

@@ -27,7 +27,6 @@ module TTTLS13
         @cipher = cipher
       end
 
-      # NOTE:
       # serialize joins messages.
       # If serialize is received Server Parameters(EE, CT, CV),
       # it returns one binary.
@@ -50,7 +49,6 @@ module TTTLS13
         end.join
       end
 
-      # NOTE:
       # If previous Record has surplus_binary,
       # surplus_binary should is given to Record.deserialize as buffered.
       #

data/lib/tttls1.3/message.rb

@@ -74,6 +74,7 @@ module TTTLS13
       KEY_SHARE                              = "\x00\x33"
       # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-11.1
       ENCRYPTED_CLIENT_HELLO                 = "\xfe\x0d"
+      ECH_OUTER_EXTENSIONS                   = "\xfd\x00"
     end
 
     DEFINED_EXTENSIONS = ExtensionType.constants.map do |c|

data/lib/tttls1.3/named_group.rb

@@ -17,7 +17,6 @@ module TTTLS13
     # ecdhe_private_use "\xfe\x00" ~ "\xfe\xff"
 
     class << self
-      # NOTE:
       # For secp256r1, secp384r1, and secp521r1
       #
       #     struct {
@@ -57,7 +56,6 @@ module TTTLS13
         end
       end
 
-      # NOTE:
       # SECG        |  ANSI X9.62   |  NIST
       # ------------+---------------+-------------
       # secp256r1   |  prime256v1   |   NIST P-256
@@ -66,7 +64,7 @@ module TTTLS13
       #
       # https://datatracker.ietf.org/doc/html/rfc4492#appendix-A
       #
-      # @param groups [Array of TTTLS13::Message::Extension::NamedGroup]
+      # @param group [TTTLS13::Message::Extension::NamedGroup]
       #
       # @raise [TTTLS13::Error::ErrorAlerts]
       #

data/lib/tttls1.3/server.rb

@@ -96,7 +96,6 @@ module TTTLS13
       end
     end
 
-    # NOTE:
     #                              START <-----+
     #               Recv ClientHello |         | Send HelloRetryRequest
     #                                v         |

data/lib/tttls1.3/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module TTTLS13
-  VERSION = '0.3.2'
+  VERSION = '0.3.4'
 end

data/spec/client_hello_spec.rb

@@ -37,6 +37,7 @@ RSpec.describe ClientHello do
       expect(message.legacy_compression_methods).to eq ["\x00"]
       expect(message.extensions).to be_empty
       expect(message.negotiated_tls_1_3?).to be false
+      expect(message.ch_inner?).to be false
     end
 
     it 'should be serialized' do
@@ -83,4 +84,22 @@ RSpec.describe ClientHello do
       expect(message.serialize).to eq TESTBINARY_0_RTT_CLIENT_HELLO
     end
   end
+
+  context 'valid inner client_hello' do
+    let(:message) do
+      cipher_suites = CipherSuites.new([TLS_AES_256_GCM_SHA384,
+                                        TLS_CHACHA20_POLY1305_SHA256,
+                                        TLS_AES_128_GCM_SHA256])
+      ch = ClientHello.new(random: OpenSSL::Random.random_bytes(32),
+                           legacy_session_id: Array.new(32, 0).map(&:chr).join,
+                           cipher_suites: cipher_suites)
+      ch.extensions[Message::ExtensionType::ENCRYPTED_CLIENT_HELLO] \
+        = Message::Extension::ECHClientHello.new_inner
+      ch
+    end
+
+    it 'should generate ClientHelloInner' do
+      expect(message.ch_inner?).to be true
+    end
+  end
 end

data/spec/ech_outer_extensions_spec.rb

@@ -0,0 +1,42 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+require_relative 'spec_helper'
+using Refinements
+
+RSpec.describe ECHOuterExtensions do
+  context 'valid ech_outer_extensions, [key_share]' do
+    let(:extension) do
+      ECHOuterExtensions.new([ExtensionType::KEY_SHARE])
+    end
+
+    it 'should be generated' do
+      expect(extension.extension_type).to eq ExtensionType::ECH_OUTER_EXTENSIONS
+      expect(extension.outer_extensions).to eq [ExtensionType::KEY_SHARE]
+    end
+
+    it 'should be serialized' do
+      expect(extension.serialize).to eq ExtensionType::ECH_OUTER_EXTENSIONS \
+                                        + 3.to_uint16 \
+                                        + 2.to_uint8 \
+                                        + ExtensionType::KEY_SHARE
+    end
+  end
+
+  context 'valid ech_outer_extensions binary' do
+    let(:extension) do
+      ECHOuterExtensions.deserialize(TESTBINARY_ECH_OUTER_EXTENSIONS)
+    end
+
+    it 'should generate valid object' do
+      expect(extension.extension_type).to be ExtensionType::ECH_OUTER_EXTENSIONS
+      expect(extension.outer_extensions).to eq [ExtensionType::KEY_SHARE]
+    end
+
+    it 'should generate serializable object' do
+      expect(extension.serialize)
+        .to eq ExtensionType::ECH_OUTER_EXTENSIONS \
+               + TESTBINARY_ECH_OUTER_EXTENSIONS.prefix_uint16_length
+    end
+  end
+end

data/spec/ech_spec.rb

@@ -78,7 +78,9 @@ RSpec.describe ECHClientHello do
       expect(extension.confirmation).to eq "\x00" * 8
     end
   end
+end
 
+RSpec.describe Ech do
   context 'EncodedClientHelloInner length' do
     let(:server_name) do
       'localhost'

data/spec/extensions_spec.rb

@@ -182,4 +182,69 @@ RSpec.describe Extensions do
         .to raise_error(ErrorAlerts)
     end
   end
+
+  context 'removing and replacing extensions from EncodedClientHelloInner' do
+    let(:extensions) do
+      extensions, = Client.new(nil, 'localhost').send(:gen_ch_extensions)
+      extensions
+    end
+
+    let(:no_key_share_exs) do
+      Extensions.new(
+        extensions.filter { |k, _| k != ExtensionType::KEY_SHARE }.values
+      )
+    end
+
+    it 'should be equal remove_and_replace! with []' do
+      expected = extensions.clone
+      got = extensions.remove_and_replace!([])
+
+      expect(got.keys).to eq expected.keys
+      expect(got[ExtensionType::ECH_OUTER_EXTENSIONS]).to eq nil
+      expect(extensions.keys - got.keys).to eq []
+    end
+
+    it 'should be equal remove_and_replace! with [key_share]' do
+      expected = extensions.filter { |k, _| k != ExtensionType::KEY_SHARE }
+      expected[ExtensionType::ECH_OUTER_EXTENSIONS] = \
+        Extension::ECHOuterExtensions.new([ExtensionType::KEY_SHARE])
+      got = extensions.remove_and_replace!([ExtensionType::KEY_SHARE])
+
+      expect(got.keys).to eq expected.keys
+      expect(got[ExtensionType::ECH_OUTER_EXTENSIONS].outer_extensions)
+        .to eq expected[ExtensionType::ECH_OUTER_EXTENSIONS].outer_extensions
+      expect(extensions.keys - got.keys)
+        .to eq expected[ExtensionType::ECH_OUTER_EXTENSIONS].outer_extensions
+    end
+
+    it 'should be equal remove_and_replace! with' \
+       ' [key_share,supported_versions]' do
+      outer_extensions = [
+        ExtensionType::KEY_SHARE,
+        ExtensionType::SUPPORTED_VERSIONS
+      ]
+      expected = extensions.filter { |k, _| !outer_extensions.include?(k) }
+      expected[ExtensionType::ECH_OUTER_EXTENSIONS] = \
+        Extension::ECHOuterExtensions.new(
+          extensions.filter { |k, _| outer_extensions.include?(k) }.keys
+        )
+      got = extensions.remove_and_replace!(outer_extensions)
+
+      expect(got.keys).to eq expected.keys
+      expect(got[ExtensionType::ECH_OUTER_EXTENSIONS].outer_extensions)
+        .to eq expected[ExtensionType::ECH_OUTER_EXTENSIONS].outer_extensions
+      expect(extensions.keys - got.keys)
+        .to eq expected[ExtensionType::ECH_OUTER_EXTENSIONS].outer_extensions
+    end
+
+    it 'should be equal remove_and_replace! with no key_share extensions' \
+       ' & [key_share]' do
+      expected = no_key_share_exs.clone
+      got = no_key_share_exs.remove_and_replace!([ExtensionType::KEY_SHARE])
+
+      expect(got).to eq expected
+      expect(got[ExtensionType::ECH_OUTER_EXTENSIONS]).to eq nil
+      expect(no_key_share_exs.keys - got.keys).to eq []
+    end
+  end
 end

data/spec/spec_helper.rb

@@ -245,6 +245,10 @@ TESTBINARY_ECH_HRR = <<BIN.split.map(&:hex).map(&:chr).join
   00 00 00 00 00 00 00 00
 BIN
 
+TESTBINARY_ECH_OUTER_EXTENSIONS = <<BIN.split.map(&:hex).map(&:chr).join
+  02 00 33
+BIN
+
 # https://datatracker.ietf.org/doc/html/rfc8448#section-3
 # 3.  Simple 1-RTT Handshake
 TESTBINARY_CLIENT_HELLO = <<BIN.split.map(&:hex).map(&:chr).join

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tttls1.3
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.3.4
 platform: ruby
 authors:
 - thekuwayama
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-03-14 00:00:00.000000000 Z
+date: 2024-12-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -108,6 +108,7 @@ files:
 - example/https_client_using_hrr_and_ticket.rb
 - example/https_client_using_status_request.rb
 - example/https_client_using_ticket.rb
+- example/https_client_using_ticket_and_ech.rb
 - example/https_server.rb
 - interop/client_spec.rb
 - interop/server_spec.rb
@@ -139,6 +140,7 @@ files:
 - lib/tttls1.3/message/extension/cookie.rb
 - lib/tttls1.3/message/extension/early_data_indication.rb
 - lib/tttls1.3/message/extension/ech.rb
+- lib/tttls1.3/message/extension/ech_outer_extensions.rb
 - lib/tttls1.3/message/extension/key_share.rb
 - lib/tttls1.3/message/extension/pre_shared_key.rb
 - lib/tttls1.3/message/extension/psk_key_exchange_modes.rb
@@ -176,6 +178,7 @@ files:
 - spec/compress_certificate_spec.rb
 - spec/cookie_spec.rb
 - spec/early_data_indication_spec.rb
+- spec/ech_outer_extensions_spec.rb
 - spec/ech_spec.rb
 - spec/encrypted_extensions_spec.rb
 - spec/end_of_early_data_spec.rb
@@ -254,6 +257,7 @@ test_files:
 - spec/compress_certificate_spec.rb
 - spec/cookie_spec.rb
 - spec/early_data_indication_spec.rb
+- spec/ech_outer_extensions_spec.rb
 - spec/ech_spec.rb
 - spec/encrypted_extensions_spec.rb
 - spec/end_of_early_data_spec.rb