Class: EchSpec::Spec::Spec7_1_14_2_1

Inherits:

WithSocket

• Object
• WithSocket
• EchSpec::Spec::Spec7_1_14_2_1

Defined in:

lib/echspec/spec/7.1-14.2.1.rb

Class Method Summary

• .spec_group ⇒ EchSpec::SpecGroup
• .validate_ee_retry_configs(hostname, port, _) ⇒ EchSpec::Ok | Err

Instance Method Summary

• #do_validate_ee_retry_configs(hostname, port) ⇒ EchSpec::Ok | Err
• #send_ch_with_greased_ech(socket, hostname) ⇒ Object

  rubocop: disable Metrics/AbcSize rubocop: disable Metrics/MethodLength.

Methods inherited from WithSocket

#initialize, #message_stack, #with_socket

Constructor Details

This class inherits a constructor from EchSpec::Spec::WithSocket

Class Method Details

.spec_group ⇒ EchSpec::SpecGroup

Returns:

• (EchSpec::SpecGroup)

# File 'lib/echspec/spec/7.1-14.2.1.rb', line 19

def self.spec_group
  SpecGroup.new(
    '7.1-14.2.1',
    [
      SpecCase.new(
        'MUST include the "encrypted_client_hello" extension in its EncryptedExtensions with the "retry_configs" field set to one or more ECHConfig.',
        method(:validate_ee_retry_configs)
      )
    ]
  )
end

.validate_ee_retry_configs(hostname, port, _) ⇒ EchSpec::Ok | Err

Parameters:

• hostname (String)
• port (Integer)
• _ (ECHConfig)

Returns:

• (EchSpec::Ok | Err)

# File 'lib/echspec/spec/7.1-14.2.1.rb', line 36

def self.validate_ee_retry_configs(hostname, port, _)
  Spec7_1_14_2_1.new.do_validate_ee_retry_configs(hostname, port)
end

Instance Method Details

#do_validate_ee_retry_configs(hostname, port) ⇒ EchSpec::Ok | Err

Parameters:

• hostname (String)
• port (Integer)

Returns:

• (EchSpec::Ok | Err)

# File 'lib/echspec/spec/7.1-14.2.1.rb', line 44

def do_validate_ee_retry_configs(hostname, port)
  with_socket(hostname, port) do |socket|
    recv = send_ch_with_greased_ech(socket, hostname)
    ex = recv.extensions[TTTLS13::Message::ExtensionType::ENCRYPTED_CLIENT_HELLO]
    return Err.new('did not send expected alert: encrypted_client_hello', message_stack) \
      unless ex.is_a?(TTTLS13::Message::Extension::ECHEncryptedExtensions)
    return Err.new('ECHConfigs did not have "retry_configs"', message_stack) \
      if ex.retry_configs.nil? || ex.retry_configs.empty?

    Ok.new(nil)
  end
end

#send_ch_with_greased_ech(socket, hostname) ⇒ Object

rubocop: disable Metrics/AbcSize rubocop: disable Metrics/MethodLength

Raises:

• (Error::BeforeTargetSituationError)

# File 'lib/echspec/spec/7.1-14.2.1.rb', line 59

def send_ch_with_greased_ech(socket, hostname)
  # send ClientHello
  conn = TLS13Client::Connection.new(socket, :client)
  inner_ech = TTTLS13::Message::Extension::ECHClientHello.new_inner
  exs, priv_keys = TLS13Client.gen_ch_extensions(hostname)
  inner = TTTLS13::Message::ClientHello.new(
    cipher_suites: TTTLS13::CipherSuites.new(
      [
        TTTLS13::CipherSuite::TLS_AES_256_GCM_SHA384,
        TTTLS13::CipherSuite::TLS_CHACHA20_POLY1305_SHA256,
        TTTLS13::CipherSuite::TLS_AES_128_GCM_SHA256
      ]
    ),
    extensions: exs.merge(
      TTTLS13::Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => inner_ech
    )
  )
  @stack << inner

  ch = TTTLS13::Ech.new_greased_ch(inner, TTTLS13::Ech.new_grease_ech)
  conn.send_record(
    TTTLS13::Message::Record.new(
      type: TTTLS13::Message::ContentType::HANDSHAKE,
      messages: [ch],
      cipher: TTTLS13::Cryptograph::Passer.new
    )
  )
  @stack << ch

  # receive ServerHello
  recv, = conn.recv_message(TTTLS13::Cryptograph::Passer.new)
  @stack << recv
  raise Error::BeforeTargetSituationError, 'not received ServerHello' \
    unless recv.is_a?(TTTLS13::Message::ServerHello) && !recv.hrr?

  # receive EncryptedExtensions
  transcript = TTTLS13::Transcript.new
  transcript[TTTLS13::CH] = [ch, ch.serialize]
  sh = recv
  transcript[TTTLS13::SH] = [sh, sh.serialize]
  kse = sh.extensions[TTTLS13::Message::ExtensionType::KEY_SHARE]
          .key_share_entry.first
  shared_secret = TTTLS13::Endpoint.gen_shared_secret(
    kse.key_exchange,
    priv_keys[kse.group],
    kse.group
  )
  key_schedule = TTTLS13::KeySchedule.new(
    psk: nil,
    shared_secret:,
    cipher_suite: sh.cipher_suite,
    transcript:
  )
  hs_rcipher = TTTLS13::Endpoint.gen_cipher(
    sh.cipher_suite,
    key_schedule.server_handshake_write_key,
    key_schedule.server_handshake_write_iv
  )
  recv, = conn.recv_message(hs_rcipher)
  @stack << recv
  if recv.is_a?(TTTLS13::Message::ChangeCipherSpec)
    recv, = conn.recv_message(hs_rcipher)
    @stack << recv
  end

  raise Error::BeforeTargetSituationError, 'not received EncryptedExtensions' \
    unless recv.is_a?(TTTLS13::Message::EncryptedExtensions)

  recv
end