Merge pull request #82 from thekuwayama/fix__hrr_and_grease_ech

[ech] 22. fix: GREASE ECH with HRR
thekuwayama · Dec 23, 2023 · 795e2c6 · 795e2c6
2 parents 0215f49 + 3d5f233
commit 795e2c6
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/lib/tttls1.3/client.rb b/lib/tttls1.3/client.rb
@@ -300,6 +300,7 @@ def connect
               ech_state
             )
             # use ClientHelloInner messages for the transcript hash
+            ch_outer = ch
             ch = inner.nil? ? ch : inner
             transcript[CH] = [ch, ch.serialize]
 
@@ -976,7 +977,7 @@ def offer_ech(inner, ech_config)
     #
     # @return [TTTLS13::Message::ClientHello]
     # @return [TTTLS13::Message::ClientHello]
-    def offer_ech_hrr(inner, ech_state)
+    def offer_new_ech(inner, ech_state)
       encoded = encode_ch_inner(inner, ech_state.maximum_name_length)
       overhead_len \
         = Hpke.aead_id2overhead_len(ech_state.cipher_suite.aead_id.uint16)
@@ -1085,7 +1086,7 @@ def new_ch_outer_aad(inner,
     end
     # rubocop: enable Metrics/ParameterLists
 
-    # @param inner [TTTLS13::Message::ClientHello]
+    # @param aad [TTTLS13::Message::ClientHello]
     # @param cipher_suite [HpkeSymmetricCipherSuite]
     # @param config_id [Integer]
     # @param enc [String]
@@ -1245,7 +1246,18 @@ def send_new_client_hello(ch1,
       )
 
       # encrypted_client_hello
-      ch, inner = offer_ech_hrr(ch, ech_state) if use_ech?
+      if use_ech? && ech_state.nil?
+        # If sending a second ClientHello in response to a HelloRetryRequest,
+        # the client copies the entire "encrypted_client_hello" extension from
+        # the first ClientHello.
+        #
+        # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-6.2-3
+        inner = ch.clone
+        ch.extensions[Message::ExtensionType::ENCRYPTED_CLIENT_HELLO] \
+          = ch1.extensions[Message::ExtensionType::ENCRYPTED_CLIENT_HELLO]
+      elsif use_ech?
+        ch, inner = offer_new_ech(ch, ech_state)
+      end
 
       # pre_shared_key
       #