rack-tctp 0.9.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 9603392ec9a82dbf2dfec8febe170418ed2643b0
+  data.tar.gz: 642244102dd91252cf6b32c248c4381bb15779ca
+SHA512:
+  metadata.gz: 3e641bd533743f789a3259dc12de7c84bf613341f7478c5c427847384db4cd4c384defcf49e8e6871da0189aab4421f644df0c6c80638657afb804777e2fbeb9
+  data.tar.gz: 17e8a9056248af9091c43e23bc1c7c691f7e1d287ae2c70e53a075328a1e07f636745c47e516974e0f632d0d50839d41956eb9726a76642611148c5e4afab8fd

data/lib/rack/tctp/halec.rb

@@ -0,0 +1,116 @@
+require 'openssl'
+require 'socket'
+
+# HTTP application layer encryption channel. Used for the Trusted Cloud Transfer Protocol (TCTP)
+class HALEC
+  # The URL of this HALEC
+  attr_reader :url
+
+  # The plaintext socket
+  attr_reader :socket_here
+
+  # The SSL socket
+  attr_reader :ssl_socket
+
+  # The encrypted socket
+  attr_reader :socket_there
+
+  # The private key for a certificate (if any)
+  attr_reader :private_key
+
+  # A server or client certificate (if any)
+  attr_reader :certificate
+
+  # The TLS context
+  attr_reader :ctx
+
+  def initialize(options = {})
+    @url = options[:url] || ''
+    @ctx = options[:ssl_context] || OpenSSL::SSL::SSLContext.new()
+
+    @ctx.ssl_version = :TLSv1
+
+    @socket_here, @socket_there = socket_pair
+    [@socket_here, @socket_there].each do |socket|
+      socket.set_encoding(Encoding::BINARY)
+    end
+  end
+
+  private
+    def socket_pair
+      Socket.pair(:UNIX, :STREAM, 0) # Linux
+    rescue Errno::EAFNOSUPPORT
+      Socket.pair(:INET, :STREAM, 0) # Windows
+    end
+end
+
+# The Client end of an HALEC
+class ClientHALEC < HALEC
+  def initialize(options = {})
+    super(options)
+
+    @ssl_socket = OpenSSL::SSL::SSLSocket.new(@socket_here, @ctx)
+  end
+end
+
+# The Server end of an HALEC
+class ServerHALEC < HALEC
+  def initialize(options = {})
+    super(options)
+
+    if(options[:private_key] && options[:certificate])
+      @private_key = options[:private_key]
+      @certificate = options[:certificate]
+    else
+      @private_key = ServerHALEC.default_key
+      @certificate = ServerHALEC.default_self_signed_certificate
+    end
+
+    @ctx.cert = @certificate
+    @ctx.key = @private_key
+
+    @ssl_socket = OpenSSL::SSL::SSLSocket.new(@socket_here, @ctx)
+    Thread.new {
+      begin
+        s = @ssl_socket.accept
+      rescue Exception => e
+        puts e
+      end
+    }
+  end
+
+  class << self
+    @default_key
+    @default_self_signed_certificate
+
+    def initialize
+      default_key
+      default_self_signed_certificate
+
+      self
+    end
+
+    def default_key
+      @default_key ||= OpenSSL::PKey::RSA.new 2048
+    end
+
+    def default_self_signed_certificate
+      @default_self_signed_certificate ||= generate_self_signed_certificate
+    end
+
+    def generate_self_signed_certificate
+      name = OpenSSL::X509::Name.parse 'CN=tctp-server/DC=tctp'
+
+      cert = OpenSSL::X509::Certificate.new
+      cert.version = 2
+      cert.serial = 0
+      cert.not_before = Time.now
+      cert.not_after = Time.now + 3600
+
+      cert.public_key = @default_key.public_key
+      cert.subject = name
+
+      cert
+    end
+  end
+end

data/lib/rack/tctp.rb

@@ -0,0 +1,185 @@
+require 'radix'
+require 'ruby-prof'
+
+require_relative 'tctp/halec'
+
+module Rack
+  # This middleware enables Rack to make use of the Trusted Cloud Transfer Protocol (TCTP) for HTTP end-to-end
+  # body confidentiality and integrity.
+  class TCTP
+    DEFAULT_TCTP_DISCOVERY_INFORMATION = '/.*:/halecs'
+    TCTP_DISCOVERY_MEDIA_TYPE = 'text/prs.tctp-discovery'
+
+    # The slug URI can contain any HTTP compatible characters
+    def self.slug_base
+      Radix::Base.new(Radix::BASE::B62 + ['-', '_'])
+    end
+
+    # Generate a new random slug (2^64 possibilities)
+    def self.new_slug
+      slug_base.convert(rand(2**64), 10)
+    end
+
+    # The TCTP sessions
+    attr_reader :sessions
+
+    # Initializes TCTP middleware
+    def initialize(app)
+      @app = app
+      @sessions = {}
+    end
+
+    # Middleware call. Supports all TCTP use cases:
+    # * TCTP discovery
+    # * HALEC creation
+    # * HALEC handshake
+    # * Decrypting TCTP secured entity-bodies
+    # * Encrypting entity-bodies using TCTP
+    def call(env)
+      begin
+        req = Rack::Request.new(env)
+
+        # Switch through TCTP use cases
+        case
+          when is_tctp_discovery?(req)
+            # TCTP discovery
+            # TODO Parameterize discovery information
+            [200, {"Content-Type" => TCTP_DISCOVERY_MEDIA_TYPE, "Content-Length" => DEFAULT_TCTP_DISCOVERY_INFORMATION.length.to_s}, DEFAULT_TCTP_DISCOVERY_INFORMATION]
+          when is_halec_creation?(req)
+            # HALEC creation
+            halec = ServerHALEC.new(url: '/halecs/' + TCTP::new_slug)
+
+            # TODO Allow creation using predefined cookie
+            session = TCTPSession.new
+
+            # Send client_hello to server HALEC and read handshake_response
+            client_hello = req.body.read
+            halec.socket_there.write(client_hello)
+            handshake_response = [halec.socket_there.recv(2048)]
+
+            # Set location header and content-length
+            header = {'Location' => halec.url, 'Content-Length' => handshake_response[0].length.to_s}
+
+            # Set the TCTP session cookie header
+            Rack::Utils.set_cookie_header!(header, "tctp_session_cookie", {:value => session.session_id, :path => '/', :expires => Time.now+24*60*60})
+
+            # Persist session and HALEC
+            session.halecs[halec.url] = halec
+            sessions[session.session_id] = session
+
+            [201, header, handshake_response]
+          when is_halec_handshake?(req)
+            # Get persisted server HALEC
+            halec = @sessions[req.cookies['tctp_session_cookie']].halecs[req.path_info]
+
+            # Write handshake message to server HALEC
+            halec.socket_there.write(req.body.read)
+
+            # Receive handshake response
+            handshake_response = halec.socket_there.recv(2048)
+
+            # Send back server HALEC response
+            [200, {'Content-Length' => handshake_response.length.to_s}, [handshake_response]]
+          else
+            # Decrypt TCTP secured bodies
+            if is_tctp_encrypted_body?(req) then
+              decrypted_body = StringIO.new
+
+              halec_url = req.body.readline.chomp
+
+              # Gets the HALEC
+              halec = @sessions[req.cookies['tctp_session_cookie']].halecs[halec_url]
+
+              halec.socket_there.write(req.body.read)
+              decrypted_body.write(halec.ssl_socket.readpartial(2 ** 26 - 1))
+
+              req.body.string = decrypted_body.string
+            end
+
+            status, headers, body = @app.call(env)
+
+            if is_tctp_response_requested?(req)
+              # Gets the first free server HALEC for encryption
+              # TODO Send error if cookie is missing
+              halec = @sessions[req.cookies['tctp_session_cookie']].free_halec
+
+              # The length of the content body
+              content_body_length = 0
+
+              # The first line
+              first_line = halec.url + "\r\n"
+              content_body_length += first_line.length
+
+              # Encrypt the body. The first line of the response specifies the used HALEC
+              encrypted_body = []
+              encrypted_body << first_line
+
+              # Encrypt each body fragment
+              body.each do |fragment|
+                bodyio = StringIO.new(fragment)
+
+                until bodyio.eof? do
+                  chunk = bodyio.read(16 * 1024)
+                  halec.ssl_socket.write(chunk)
+                  encrypted_chunk = halec.socket_there.readpartial(32 * 1024)
+                  encrypted_body << encrypted_chunk
+                  content_body_length += encrypted_chunk.length
+                end
+              end
+
+              # Sets the content length and encoding
+              headers['Content-Length'] = content_body_length.to_s
+              headers['Content-Encoding'] = 'encrypted'
+
+              [status, headers, encrypted_body]
+            else
+              [status, headers, body]
+            end
+        end
+      rescue Exception => e
+        puts e
+      end
+    end
+
+    private
+      def is_tctp_discovery?(req)
+        req.options? && !req.env['HTTP_ACCEPT'].nil? && req.env['HTTP_ACCEPT'].eql?(TCTP_DISCOVERY_MEDIA_TYPE)
+      end
+
+      def is_halec_creation?(req)
+        req.post? && req.path_info.eql?('/halecs')
+      end
+
+      def is_halec_handshake?(req)
+        req.post? &&
+            !req.cookies.nil? &&
+            req.cookies.has_key?('tctp_session_cookie') &&
+            sessions.has_key?(req.cookies['tctp_session_cookie']) &&
+            sessions[req.cookies['tctp_session_cookie']].halecs.has_key?(req.path_info)
+      end
+
+      def is_tctp_response_requested? (req)
+        req.env['HTTP_ACCEPT_ENCODING'].eql?('encrypted')
+      end
+
+      def is_tctp_encrypted_body? (req)
+        req.env['HTTP_CONTENT_ENCODING'].eql?('encrypted')
+      end
+  end
+
+  class TCTPSession
+    attr_reader :session_id
+
+    attr_reader :halecs
+
+    def initialize(session_id = TCTP::new_slug)
+      @session_id = session_id
+      @halecs = {}
+    end
+
+    def free_halec
+      # TODO free HALEC handling
+      @halecs.first[1]
+    end
+  end
+end

data/lib/rack-tctp.rb

@@ -0,0 +1 @@
+require_relative 'rack/tctp'

metadata

@@ -0,0 +1,46 @@
+--- !ruby/object:Gem::Specification
+name: rack-tctp
+version: !ruby/object:Gem::Version
+  version: 0.9.0
+platform: ruby
+authors:
+- Mathias Slawik
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-11-21 00:00:00.000000000 Z
+dependencies: []
+description: Rack middleware for end-to-end security through TCTP
+email: mathias.slawik@tu-berlin.de
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/rack-tctp.rb
+- lib/rack/tctp.rb
+- lib/rack/tctp/halec.rb
+homepage: https://github.com/mathiasslawik/rack-tctp
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.2
+signing_key: 
+specification_version: 4
+summary: Rack TCTP middleware
+test_files: []