Class: TTTLS13::Ech
- Inherits:
-
Object
- Object
- TTTLS13::Ech
- Defined in:
- lib/tttls1.3/ech.rb
Overview
rubocop: disable Metrics/ClassLength
Class Method Summary
- .aead_id2overhead_len(aead_id) ⇒ Object
-
.encode_ch_inner(inner, maximum_name_length, replaced) ⇒ String
EncodedClientHelloInner.
-
.encrypted_ech_config(ech_config, hpke_cipher_suite_selector) ⇒ Array(TTTLS13::EchState or nil, String or nil, String or nil)
rubocop: disable Metrics/AbcSize.
- .kem_id2dhkem(kem_id) ⇒ Object
- .new_ch_outer(aad, cipher_suite, config_id, enc, payload) ⇒ TTTLS13::Message::ClientHello
-
.new_ch_outer_aad(inner, cipher_suite, config_id, enc, payload_len, server_name) ⇒ TTTLS13::Message::ClientHello
rubocop: disable Metrics/ParameterLists.
- .new_grease_ech ⇒ Message::Extension::ECHClientHello
- .new_greased_ch(inner, ech) ⇒ TTTLS13::Message::ClientHello
-
.offer_ech(inner, ech_config, hpke_cipher_suite_selector) ⇒ TTTLS13::Message::ClientHello, ...
rubocop: disable Metrics/AbcSize.
- .offer_new_ech(inner, ech_state) ⇒ TTTLS13::Message::ClientHello
- .padding_encoded_ch_inner(s, server_name_length, maximum_name_length) ⇒ String
- .placeholder_encoded_ch_inner_len ⇒ Integer
Class Method Details
.aead_id2overhead_len(aead_id) ⇒ Object
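# Returns the AEAD ciphertext expansion (the authentication tag length Nt, in
# bytes) for an HPKE AEAD id, or nil for an id this client does not support.
#
# Every AEAD HPKE defines (RFC 9180, Section 7.3) carries a 16-byte tag,
# AES-256-GCM included; only the key size differs between AES-128-GCM and
# AES-256-GCM. Returning 32 for AES-256-GCM made the zero payload placeholder
# in ClientHelloOuterAAD 16 bytes longer than the ciphertext that replaces it,
# so the AAD the server reconstructs from ClientHelloOuter could never match
# and every ECH offer with that suite would fail to decrypt.
#
# @param aead_id [Integer] HPKE AEAD id (HPKE::AES_128_GCM etc.)
# @return [Integer, nil] tag length in bytes, nil when the id is unknown
def self.aead_id2overhead_len(aead_id)
  case aead_id
  when HPKE::AES_128_GCM, HPKE::AES_256_GCM, HPKE::CHACHA20_POLY1305
    16
  end
end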
.encode_ch_inner(inner, maximum_name_length, replaced) ⇒ String
Returns EncodedClientHelloInner.
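# Builds EncodedClientHelloInner (draft-ietf-tls-esni-17, Section 6.1): the
# inner ClientHello re-serialized with an empty legacy_session_id and with its
# extensions already compressed into ech_outer_extensions, then padded.
#
# The inner ClientHello normally carries server_name (that is the value ECH
# protects); when it does not, the spec's "no SNI" padding rule applies, so a
# missing extension is reported as length 0 instead of raising on nil.
#
# @param inner [TTTLS13::Message::ClientHello] the ClientHelloInner
# @param maximum_name_length [Integer] maximum_name_length from the ECHConfig
# @param replaced [TTTLS13::Message::Extensions] inner extensions after
#   remove_and_replace!
# @return [String] padded EncodedClientHelloInner, without the 4-byte
#   Handshake header
def self.encode_ch_inner(inner, maximum_name_length, replaced)
  encoded = Message::ClientHello.new(
    legacy_version: inner.legacy_version,
    random: inner.random,
    legacy_session_id: '',
    cipher_suites: inner.cipher_suites,
    legacy_compression_methods: inner.legacy_compression_methods,
    extensions: replaced
  )
  sni = replaced[Message::ExtensionType::SERVER_NAME]
  # 0 selects the no-SNI padding rule; assumes server_name is an ASCII host
  # name (RFC 6066), so String#length equals its byte length -- confirm
  server_name_length = sni.nil? ? 0 : sni.server_name.length
  padding_encoded_ch_inner(
    # serialize emits a Handshake message; drop its four byte header
    encoded.serialize[4..],
    server_name_length,
    maximum_name_length
  )
end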
.encrypted_ech_config(ech_config, hpke_cipher_suite_selector) ⇒ Array(TTTLS13::EchState or nil, String or nil, String or nil)
rubocop: disable Metrics/AbcSize
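# Sets up the HPKE sender context for one ECHConfig (draft-ietf-tls-esni-17,
# Section 6.1) and returns the state needed to encrypt ClientHelloInner.
#
# An ECHConfig usually arrives via DNS, i.e. from an untrusted source, so a
# config this client cannot use (missing key_config, unknown KEM or AEAD,
# malformed public key) must not abort the handshake: every such case returns
# [nil, nil, nil] and the caller falls back to GREASE ECH.
#
# @param ech_config [ECHConfig] the selected ECHConfig
# @param hpke_cipher_suite_selector [Proc] picks an HpkeSymmetricCipherSuite
#   from key_config; nothing here re-checks that the choice is one the config
#   advertises, so the selector must only return advertised suites
# @return [Array(TTTLS13::EchState, String, String)] state, enc (the HPKE
#   encapsulated key) and the HPKE shared secret, or [nil, nil, nil]
def self.encrypted_ech_config(ech_config, hpke_cipher_suite_selector)
  contents = ech_config.echconfig_contents
  key_config = contents.key_config
  return [nil, nil, nil] if key_config.nil?

  kem_id = key_config.kem_id&.uint16
  cipher_suite = hpke_cipher_suite_selector.call(key_config)
  aead_id = cipher_suite&.aead_id&.uint16
  return [nil, nil, nil] if kem_id.nil? || aead_id.nil?

  kem_curve, hash = kem_id2dhkem(kem_id)
  return [nil, nil, nil] if kem_curve.nil?

  # the public key is attacker-controlled bytes; deserialization may return nil
  # or raise on a malformed point, and both mean "config unusable"
  pkr = begin
    kem_curve.new(hash).deserialize_public_key(key_config.public_key.opaque)
  rescue OpenSSL::PKey::PKeyError
    nil
  end
  return [nil, nil, nil] if pkr.nil?

  hpke = HPKE.new(kem_id, hash, aead_id)
  # info = "tls ech" || 0x00 || ECHConfig (Section 6.1)
  sender = hpke.setup_base_s(pkr, "tls ech\x00" + ech_config.encode)
  ech_state = EchState.new(
    contents.maximum_name_length,
    key_config.config_id,
    cipher_suite,
    contents.public_name,
    sender[:context_s]
  )
  [ech_state, sender[:enc], sender[:shared_secret]]
end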
.kem_id2dhkem(kem_id) ⇒ Object
# Maps an HPKE KEM id to the [DHKEM class, KDF id] pair this client uses for
# it, i.e. the DHKEM/HKDF combinations of RFC 9180, Section 7.1.
#
# @param kem_id [Integer] HPKE KEM id
# @return [Array(Class, Integer), nil] nil for a KEM this client does not offer
def self.kem_id2dhkem(kem_id)
  {
    HPKE::DHKEM_P256_HKDF_SHA256 => [HPKE::DHKEM::EC::P_256, HPKE::HKDF_SHA256],
    HPKE::DHKEM_P384_HKDF_SHA384 => [HPKE::DHKEM::EC::P_384, HPKE::HKDF_SHA384],
    HPKE::DHKEM_P521_HKDF_SHA512 => [HPKE::DHKEM::EC::P_521, HPKE::HKDF_SHA512],
    HPKE::DHKEM_X25519_HKDF_SHA256 => [HPKE::DHKEM::X25519, HPKE::HKDF_SHA256],
    HPKE::DHKEM_X448_HKDF_SHA512 => [HPKE::DHKEM::X448, HPKE::HKDF_SHA512]
  }[kem_id]
end
.new_ch_outer(aad, cipher_suite, config_id, enc, payload) ⇒ TTTLS13::Message::ClientHello
# Assembles the final ClientHelloOuter: the AAD ClientHello with its zero
# placeholder ECH extension swapped for one carrying the real ciphertext.
#
# Every other field is copied from the AAD ClientHello, random and
# legacy_session_id included: apart from the payload bytes the serialized
# outer must equal the AAD the client sealed over, or the server's decryption
# fails.
#
# @param aad [TTTLS13::Message::ClientHello] from new_ch_outer_aad
# @param cipher_suite [HpkeSymmetricCipherSuite]
# @param config_id [Integer]
# @param enc [String] HPKE encapsulated key, '' for a post-HRR ClientHello
# @param payload [String] HPKE ciphertext over EncodedClientHelloInner
# @return [TTTLS13::Message::ClientHello]
def self.new_ch_outer(aad, cipher_suite, config_id, enc, payload)
  ech = Message::Extension::ECHClientHello.new_outer(
    cipher_suite:, config_id:, enc:, payload:
  )
  extensions = aad.extensions.merge(
    Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => ech
  )
  Message::ClientHello.new(
    legacy_version: aad.legacy_version,
    random: aad.random,
    legacy_session_id: aad.legacy_session_id,
    cipher_suites: aad.cipher_suites,
    legacy_compression_methods: aad.legacy_compression_methods,
    extensions:
  )
end
.new_ch_outer_aad(inner, cipher_suite, config_id, enc, payload_len, server_name) ⇒ TTTLS13::Message::ClientHello
rubocop: disable Metrics/ParameterLists
# Builds the ClientHelloOuterAAD (draft-ietf-tls-esni-17, Section 6.1.1): a
# ClientHelloOuter whose ECH payload is all zeros of the final ciphertext
# length, so the sealed payload can later be swapped in without changing any
# other byte of the message.
#
# @param inner [TTTLS13::Message::ClientHello] the ClientHelloInner
# @param cipher_suite [HpkeSymmetricCipherSuite]
# @param config_id [Integer]
# @param enc [String] HPKE encapsulated key, '' for a post-HRR ClientHello
# @param payload_len [Integer] EncodedClientHelloInner length plus AEAD tag
# @param server_name [String] the ECHConfig public_name, sent in the clear
# @return [TTTLS13::Message::ClientHello]
def self.new_ch_outer_aad(inner, cipher_suite, config_id, enc, payload_len,
                          server_name)
  placeholder = Message::Extension::ECHClientHello.new_outer(
    cipher_suite:, config_id:, enc:, payload: payload_len.zeros
  )
  # The outer copies every inner extension, overriding only server_name (set
  # to public_name) and ECH. NOTE(review): anything else left in
  # inner.extensions (e.g. an ALPN list or pre_shared_key identity tied to the
  # hidden origin) therefore goes out unencrypted; callers must keep
  # origin-specific extensions out of the inner list or strip them here.
  outer_extensions = inner.extensions.merge(
    Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => placeholder,
    Message::ExtensionType::SERVER_NAME =>
      Message::Extension::ServerName.new(server_name)
  )
  # no random: is passed, so the outer gets whatever Message::ClientHello.new
  # assigns -- presumably a freshly generated value distinct from
  # inner.random; confirm in Message::ClientHello
  Message::ClientHello.new(
    legacy_version: inner.legacy_version,
    legacy_session_id: inner.legacy_session_id,
    cipher_suites: inner.cipher_suites,
    legacy_compression_methods: inner.legacy_compression_methods,
    extensions: outer_extensions
  )
end
.new_grease_ech ⇒ Message::Extension::ECHClientHello
# Builds a GREASE ECH extension (draft-ietf-tls-esni-17, Section 6.2) so that
# a client with no usable ECHConfig still emits something shaped like a real
# offer; none of the values are meant to decrypt.
#
# @return [Message::Extension::ECHClientHello]
def self.new_grease_ech
  # Section 6.2 compliance requirements: DHKEM(X25519, HKDF-SHA256),
  # HKDF-SHA256 and AES-128-GCM
  suite = HpkeSymmetricCipherSuite.new(
    HpkeSymmetricCipherSuite::HpkeKdfId.new(HPKE::HKDF_SHA256),
    HpkeSymmetricCipherSuite::HpkeAeadId.new(HPKE::AES_128_GCM)
  )

  # enc must be a valid encapsulated key (Section 6.2-2.3.1), so run a real
  # HPKE setup against a throwaway X25519 public key and keep only enc; the
  # context and shared secret it produces are discarded
  throwaway_pk = OpenSSL::PKey.read(
    OpenSSL::PKey.generate_key('X25519').public_to_pem
  )
  grease_hpke = HPKE.new(HPKE::DHKEM_X25519_HKDF_SHA256, HPKE::HKDF_SHA256,
                         HPKE::AES_128_GCM)
  grease_enc = grease_hpke.setup_base_s(throwaway_pk, '')[:enc]

  # payload is L + C random bytes (Section 6.2-2.4.1): L is a fixed estimate
  # of the padded EncodedClientHelloInner length (a real offer's L depends on
  # the ECHConfig's maximum_name_length), C the AES-128-GCM tag length
  grease_payload_len = placeholder_encoded_ch_inner_len +
                       aead_id2overhead_len(HPKE::AES_128_GCM)

  Message::Extension::ECHClientHello.new_outer(
    cipher_suite: suite,
    # one random byte for config_id, drawn from the same CSPRNG as the payload
    config_id: Convert.bin2i(OpenSSL::Random.random_bytes(1)),
    enc: grease_enc,
    payload: OpenSSL::Random.random_bytes(grease_payload_len)
  )
end
.new_greased_ch(inner, ech) ⇒ TTTLS13::Message::ClientHello
# Copies inner into a new ClientHello with a GREASE ECH extension attached;
# every other field, random and legacy_session_id included, is reused as is.
#
# @param inner [TTTLS13::Message::ClientHello] the ClientHello to send
# @param ech [Message::Extension::ECHClientHello] from new_grease_ech
# @return [TTTLS13::Message::ClientHello]
def self.new_greased_ch(inner, ech)
  extensions = inner.extensions.merge(
    Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => ech
  )
  Message::ClientHello.new(
    legacy_version: inner.legacy_version,
    random: inner.random,
    legacy_session_id: inner.legacy_session_id,
    cipher_suites: inner.cipher_suites,
    legacy_compression_methods: inner.legacy_compression_methods,
    extensions:
  )
end
.offer_ech(inner, ech_config, hpke_cipher_suite_selector) ⇒ TTTLS13::Message::ClientHello, ...
rubocop: disable Metrics/AbcSize
# Offers ECH for the given ClientHelloInner (draft-ietf-tls-esni-17, Section
# 6.1), or sends GREASE ECH (Section 6.2) when no usable ECHConfig is at hand.
#
# The GREASE path is taken when ech_config is nil, has a version outside
# SUPPORTED_ECHCONFIG_VERSIONS, or cannot be set up by encrypted_ech_config;
# a client that simply omitted ECH in those cases would stand out on the wire.
#
# @param inner [TTTLS13::Message::ClientHello] the ClientHelloInner; its
#   extensions go through remove_and_replace!, a bang method that may mutate
#   them -- check Extensions before reusing inner elsewhere
# @param ech_config [ECHConfig, nil]
# @param hpke_cipher_suite_selector [Proc] see encrypted_ech_config
# @return [Array] [outer, inner, ech_state, ech_secret] for a real offer,
#   [greased_ch, nil, nil, nil] for GREASE
def self.offer_ech(inner, ech_config, hpke_cipher_suite_selector)
  usable = !ech_config.nil? &&
           SUPPORTED_ECHCONFIG_VERSIONS.include?(ech_config.version)
  return [new_greased_ch(inner, new_grease_ech), nil, nil, nil] unless usable

  state, enc, secret = encrypted_ech_config(ech_config,
                                            hpke_cipher_suite_selector)
  return [new_greased_ch(inner, new_grease_ech), nil, nil, nil] \
    if state.nil? || enc.nil?

  # compress DEFAULT_ECH_OUTER_EXTENSIONS into ech_outer_extensions, then
  # encode and pad ClientHelloInner
  compressed = inner.extensions.remove_and_replace!(DEFAULT_ECH_OUTER_EXTENSIONS)
  encoded = encode_ch_inner(inner, state.maximum_name_length, compressed)
  tag_len = aead_id2overhead_len(state.cipher_suite.aead_id.uint16)

  # ClientHelloOuterAAD: identical to the final outer except for a zero payload
  aad = new_ch_outer_aad(inner, state.cipher_suite, state.config_id, enc,
                         encoded.length + tag_len, state.public_name)
  # seal over the serialized AAD minus its four byte Handshake header
  ciphertext = state.ctx.seal(aad.serialize[4..], encoded)
  outer = new_ch_outer(aad, state.cipher_suite, state.config_id, enc,
                       ciphertext)
  [outer, inner, state, secret]
end
.offer_new_ech(inner, ech_state) ⇒ TTTLS13::Message::ClientHello
# Re-offers ECH in the second ClientHello after a HelloRetryRequest
# (draft-ietf-tls-esni-17, Section 6.1.5).
#
# The HPKE sender context from the first offer is reused and enc is empty.
# Per RFC 9180 ContextS.Seal advances the context's sequence number, so
# sealing with the same ech_state.ctx yields a fresh nonce (assuming the hpke
# gem follows that); a new context would be a new key exchange the server
# could not match.
#
# @param inner [TTTLS13::Message::ClientHello] the updated ClientHelloInner;
#   its extensions go through remove_and_replace!, a bang method that may
#   mutate them
# @param ech_state [TTTLS13::EchState] state returned by offer_ech
# @return [Array(TTTLS13::Message::ClientHello, TTTLS13::Message::ClientHello)]
#   [outer, inner]
def self.offer_new_ech(inner, ech_state)
  compressed = inner.extensions.remove_and_replace!(DEFAULT_ECH_OUTER_EXTENSIONS)
  encoded = encode_ch_inner(inner, ech_state.maximum_name_length, compressed)
  tag_len = aead_id2overhead_len(ech_state.cipher_suite.aead_id.uint16)

  suite = ech_state.cipher_suite
  config_id = ech_state.config_id
  # second partial ClientHelloOuterAAD with enc = '' (Section 6.1.5-4.4.1)
  aad = new_ch_outer_aad(inner, suite, config_id, '',
                         encoded.length + tag_len, ech_state.public_name)
  # seal over the serialized AAD minus its four byte Handshake header
  ciphertext = ech_state.ctx.seal(aad.serialize[4..], encoded)
  [new_ch_outer(aad, suite, config_id, '', ciphertext), inner]
end
.padding_encoded_ch_inner(s, server_name_length, maximum_name_length) ⇒ String
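# Pads EncodedClientHelloInner per draft-ietf-tls-esni-17, Section 6.1.3.
#
# With a server_name present the padding tops the name up to
# maximum_name_length, so the encrypted length stops revealing the hidden
# name's length; without one it reserves room for a server_name extension of
# maximum_name_length (9 bytes of framing plus the name). The total is then
# rounded up to a multiple of 32 bytes.
#
# The rounding step must be added to the name-based padding (padding_len +=),
# as in the spec's pseudocode. Overwriting it (padding_len =) threw the
# name-based padding away: the output was at most 31 bytes longer than the
# input and its length grew byte for byte with the inner server_name, which is
# precisely what this padding exists to hide.
#
# @param s [String] unpadded EncodedClientHelloInner
# @param server_name_length [Integer] length of the inner server_name,
#   0 when the inner ClientHello has none
# @param maximum_name_length [Integer] from the ECHConfig
# @return [String] s followed by zero bytes; the result length is a multiple
#   of 32 and, while server_name_length <= maximum_name_length, the same for
#   every name length (s grows by the name's bytes, the padding shrinks by as
#   many)
def self.padding_encoded_ch_inner(s, server_name_length, maximum_name_length)
  padding_len =
    if server_name_length.positive?
      [maximum_name_length - server_name_length, 0].max
    else
      9 + maximum_name_length
    end
  # round the padded length up to the next multiple of 32
  padding_len += 31 - ((s.length + padding_len - 1) % 32)

  s + padding_len.zeros
end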
.placeholder_encoded_ch_inner_len ⇒ Integer
# Length L used for the GREASE ECH payload (Section 6.2-2.4.1): a stand-in for
# the padded EncodedClientHelloInner a real offer would produce. 480 is a
# multiple of 32, like any output of the Section 6.1.3 padding rule; a real
# offer's L depends on the ECHConfig's maximum_name_length, so this is only an
# estimate.
#
# @return [Integer] 480
def self.placeholder_encoded_ch_inner_len = 480