tttls1.3 0.1.0

data/lib/tttls1.3/key_schedule.rb

@@ -0,0 +1,242 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+module TTTLS13
+  using Refinements
+  # rubocop: disable Metrics/ClassLength
+  class KeySchedule
+    # @param psk [String]
+    # @param shared_secret [String]
+    # @param cipher_suite [TTTLS13::CipherSuite]
+    # @param transcript [TTTLS13::Transcript]
+    def initialize(psk: nil, shared_secret:, cipher_suite:, transcript:)
+      @digest = CipherSuite.digest(cipher_suite)
+      @hash_len = CipherSuite.hash_len(cipher_suite)
+      @key_len = CipherSuite.key_len(cipher_suite)
+      @iv_len = CipherSuite.iv_len(cipher_suite)
+      @psk = psk || "\x00" * @hash_len
+      @shared_secret = shared_secret
+      @transcript = transcript
+    end
+
+    # @return [String]
+    def early_salt
+      "\x00" * @hash_len
+    end
+
+    # @return [String]
+    def early_secret
+      hkdf_extract(@psk, early_salt)
+    end
+
+    # @return [String]
+    def binder_key_ext
+      hash = OpenSSL::Digest.digest(@digest, '')
+      base_key = derive_secret(early_secret, 'ext binder', hash)
+      hkdf_expand_label(base_key, 'finished', '', @hash_len)
+    end
+
+    # @return [String]
+    def binder_key_res
+      hash = OpenSSL::Digest.digest(@digest, '')
+      base_key = derive_secret(early_secret, 'res binder', hash)
+      hkdf_expand_label(base_key, 'finished', '', @hash_len)
+    end
+
+    # @return [String]
+    def client_early_traffic_secret
+      hash = @transcript.hash(@digest, CH)
+      derive_secret(early_secret, 'c e traffic', hash)
+    end
+
+    # @return [String]
+    def early_data_write_key
+      secret = client_early_traffic_secret
+      hkdf_expand_label(secret, 'key', '', @key_len)
+    end
+
+    # @return [String]
+    def early_data_write_iv
+      secret = client_early_traffic_secret
+      hkdf_expand_label(secret, 'iv', '', @iv_len)
+    end
+
+    # @return [String]
+    def early_exporter_master_secret
+      hash = OpenSSL::Digest.digest(@digest, '')
+      derive_secret(early_secret, 'e exp master', hash)
+    end
+
+    # @return [String]
+    def handshake_salt
+      hash = OpenSSL::Digest.digest(@digest, '')
+      derive_secret(early_secret, 'derived', hash)
+    end
+
+    # @return [String]
+    def handshake_secret
+      hkdf_extract(@shared_secret, handshake_salt)
+    end
+
+    # @return [String]
+    def client_handshake_traffic_secret
+      hash = @transcript.hash(@digest, SH)
+      derive_secret(handshake_secret, 'c hs traffic', hash)
+    end
+
+    # @return [String]
+    def client_finished_key
+      secret = client_handshake_traffic_secret
+      hkdf_expand_label(secret, 'finished', '', @hash_len)
+    end
+
+    # @return [String]
+    def client_handshake_write_key
+      secret = client_handshake_traffic_secret
+      hkdf_expand_label(secret, 'key', '', @key_len)
+    end
+
+    # @return [String]
+    def client_handshake_write_iv
+      secret = client_handshake_traffic_secret
+      hkdf_expand_label(secret, 'iv', '', @iv_len)
+    end
+
+    # @return [String]
+    def server_handshake_traffic_secret
+      hash = @transcript.hash(@digest, SH)
+      derive_secret(handshake_secret, 's hs traffic', hash)
+    end
+
+    # @return [String]
+    def server_finished_key
+      secret = server_handshake_traffic_secret
+      hkdf_expand_label(secret, 'finished', '', @hash_len)
+    end
+
+    # @return [String]
+    def server_handshake_write_key
+      secret = server_handshake_traffic_secret
+      hkdf_expand_label(secret, 'key', '', @key_len)
+    end
+
+    # @return [String]
+    def server_handshake_write_iv
+      secret = server_handshake_traffic_secret
+      hkdf_expand_label(secret, 'iv', '', @iv_len)
+    end
+
+    # @return [String]
+    def master_salt
+      hash = OpenSSL::Digest.digest(@digest, '')
+      derive_secret(handshake_secret, 'derived', hash)
+    end
+
+    # @return [String]
+    def master_secret
+      ikm = "\x00" * @hash_len
+      hkdf_extract(ikm, master_salt)
+    end
+
+    # @return [String]
+    def client_application_traffic_secret
+      hash = @transcript.hash(@digest, SF)
+      derive_secret(master_secret, 'c ap traffic', hash)
+    end
+
+    # @return [String]
+    def client_application_write_key
+      secret = client_application_traffic_secret
+      hkdf_expand_label(secret, 'key', '', @key_len)
+    end
+
+    # @return [String]
+    def client_application_write_iv
+      secret = client_application_traffic_secret
+      hkdf_expand_label(secret, 'iv', '', @iv_len)
+    end
+
+    # @return [String]
+    def server_application_traffic_secret
+      hash = @transcript.hash(@digest, SF)
+      derive_secret(master_secret, 's ap traffic', hash)
+    end
+
+    # @return [String]
+    def server_application_write_key
+      secret = server_application_traffic_secret
+      hkdf_expand_label(secret, 'key', '', @key_len)
+    end
+
+    # @return [String]
+    def server_application_write_iv
+      secret = server_application_traffic_secret
+      hkdf_expand_label(secret, 'iv', '', @iv_len)
+    end
+
+    # @return [String]
+    def exporter_master_secret
+      hash = @transcript.hash(@digest, SF)
+      derive_secret(master_secret, 'exp master', hash)
+    end
+
+    # @return [String]
+    def resumption_master_secret
+      hash = @transcript.hash(@digest, CF)
+      derive_secret(master_secret, 'res master', hash)
+    end
+
+    # @param ikm [String]
+    # @param salt [String]
+    #
+    # @return [String]
+    def hkdf_extract(ikm, salt)
+      OpenSSL::HMAC.digest(@digest, salt, ikm)
+    end
+
+    # @param secret [String]
+    # @param label [String]
+    # @param context [String]
+    # @param length [Integer]
+    #
+    # @return [String]
+    def hkdf_expand_label(secret, label, context, length)
+      binary = length.to_uint16
+      binary += ('tls13 ' + label).prefix_uint8_length
+      binary += context.prefix_uint8_length
+      self.class.hkdf_expand(secret, binary, length, @digest)
+    end
+
+    # @param secret [String]
+    # @param info [String]
+    # @param length [Integer]
+    # @param digest [String] name of digest algorithm
+    #
+    # @raise [TTTLS13::Error::ErrorAlerts]
+    #
+    # @param [String]
+    def self.hkdf_expand(secret, info, length, digest)
+      hash_len = OpenSSL::Digest.new(digest).digest_length
+      raise Error::ErrorAlerts, :internal_error if length > 255 * hash_len
+
+      n = (length.to_f / hash_len).ceil
+      okm = ''
+      t = ''
+      (1..n).each do |i|
+        t = OpenSSL::HMAC.digest(digest, secret, t + info + i.chr)
+        okm += t
+      end
+      okm[0...length]
+    end
+
+    # @param secret [String]
+    # @param label [String]
+    # @param context [String]
+    #
+    # @return [String]
+    def derive_secret(secret, label, context)
+      hkdf_expand_label(secret, label, context, @hash_len)
+    end
+  end
+  # rubocop: enable Metrics/ClassLength
+end

data/lib/tttls1.3/message/alert.rb

@@ -0,0 +1,86 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+module TTTLS13
+  module Message
+    module AlertLevel
+      WARNING = "\x01"
+      FATAL   = "\x02"
+    end
+
+    # rubocop: disable Layout/AlignHash
+    ALERT_DESCRIPTION = {
+      close_notify:                    "\x00",
+      unexpected_message:              "\x0a",
+      bad_record_mac:                  "\x14",
+      record_overflow:                 "\x16",
+      handshake_failure:               "\x28",
+      bad_certificate:                 "\x2a",
+      unsupported_certificate:         "\x2b",
+      certificate_revoked:             "\x2c",
+      certificate_expired:             "\x2d",
+      certificate_unknown:             "\x2e",
+      illegal_parameter:               "\x2f",
+      unknown_ca:                      "\x30",
+      access_denied:                   "\x31",
+      decode_error:                    "\x32",
+      decrypt_error:                   "\x33",
+      protocol_version:                "\x46",
+      insufficient_security:           "\x47",
+      internal_error:                  "\x50",
+      inappropriate_fallback:          "\x56",
+      user_canceled:                   "\x5a",
+      missing_extension:               "\x6d",
+      unsupported_extension:           "\x6e",
+      unrecognized_name:               "\x70",
+      bad_certificate_status_response: "\x71",
+      unknown_psk_identity:            "\x73",
+      certificate_required:            "\x74",
+      no_application_protocol:         "\x78"
+    }.freeze
+    # rubocop: enable Layout/AlignHash
+
+    class Alert
+      attr_reader :level
+      attr_reader :description
+
+      # @param level [TTTLS13::Message::AlertLevel]
+      # @param description [String] value of ALERT_DESCRIPTION
+      def initialize(level: nil, description:)
+        @level = level
+        @description = description
+        if @level.nil? && (@description == ALERT_DESCRIPTION[:user_canceled] ||
+                           @description == ALERT_DESCRIPTION[:close_notify])
+          @level = AlertLevel::WARNING
+        elsif @level.nil?
+          @level = AlertLevel::FATAL
+        end
+      end
+
+      # @return [String]
+      def serialize
+        @level + @description
+      end
+
+      # @param binary [String]
+      #
+      # @raise [TTTLS13::Error::ErrorAlerts]
+      #
+      # @return [TTTLS13::Message::Alert]
+      def self.deserialize(binary)
+        raise Error::ErrorAlerts, :internal_error if binary.nil?
+        raise Error::ErrorAlerts, :decode_error unless binary.length == 2
+
+        level = binary[0]
+        description = binary[1]
+        Alert.new(level: level, description: description)
+      end
+
+      # @return [TTTLS13::Error::ErrorAlerts]
+      def to_error
+        desc = ALERT_DESCRIPTION.invert[@description]
+        Error::ErrorAlerts.new(desc)
+      end
+    end
+  end
+end

data/lib/tttls1.3/message/application_data.rb

@@ -0,0 +1,27 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+module TTTLS13
+  module Message
+    class ApplicationData
+      attr_reader :fragment
+
+      # @param [String]
+      def initialize(fragment)
+        @fragment = fragment
+      end
+
+      # @return [String]
+      def serialize
+        @fragment
+      end
+
+      # @param binary [String]
+      #
+      # @return [TTTLS13::Message::ApplicationData]
+      def self.deserialize(binary)
+        ApplicationData.new(binary || '')
+      end
+    end
+  end
+end

data/lib/tttls1.3/message/certificate.rb

@@ -0,0 +1,121 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+module TTTLS13
+  using Refinements
+  module Message
+    class Certificate
+      attr_reader :msg_type
+      attr_reader :certificate_request_context
+      attr_reader :certificate_list
+
+      # @param certificate_request_context [String]
+      # @param certificate_list [Array of CertificateEntry]
+      def initialize(certificate_request_context: '',
+                     certificate_list: [])
+        @msg_type = HandshakeType::CERTIFICATE
+        @certificate_request_context = certificate_request_context || ''
+        @certificate_list = certificate_list || []
+      end
+
+      # @return [String]
+      def serialize
+        binary = ''
+        binary += @certificate_request_context.prefix_uint8_length
+        binary += @certificate_list.map(&:serialize).join.prefix_uint24_length
+
+        @msg_type + binary.prefix_uint24_length
+      end
+
+      alias fragment serialize
+
+      # @param binary [String]
+      #
+      # @raise [TTTLS13::Error::ErrorAlerts]
+      #
+      # @return [TTTLS13::Message::Certificate]
+      def self.deserialize(binary)
+        raise Error::ErrorAlerts, :internal_error if binary.nil?
+        raise Error::ErrorAlerts, :decode_error if binary.length < 5
+        raise Error::ErrorAlerts, :internal_error \
+          unless binary[0] == HandshakeType::CERTIFICATE
+
+        msg_len = Convert.bin2i(binary.slice(1, 3))
+        crc_len = Convert.bin2i(binary.slice(4, 1))
+        certificate_request_context = binary.slice(5, crc_len)
+        i = 5 + crc_len
+        cl_len = Convert.bin2i(binary.slice(i, 3))
+        i += 3
+        cl_bin = binary.slice(i, cl_len)
+        i += cl_len
+        certificate_list = deserialize_certificate_list(cl_bin)
+        raise Error::ErrorAlerts, :decode_error unless i == msg_len + 4 &&
+                                                       i == binary.length
+
+        Certificate.new(
+          certificate_request_context: certificate_request_context,
+          certificate_list: certificate_list
+        )
+      end
+
+      class << self
+        private
+
+        # @param binary [String]
+        #
+        # @raise [TTTLS13::Error::ErrorAlerts]
+        #
+        # @return [Array of CertificateEntry]
+        def deserialize_certificate_list(binary)
+          raise Error::ErrorAlerts, :internal_error if binary.nil?
+
+          i = 0
+          certificate_list = []
+          while i < binary.length
+            raise Error::ErrorAlerts, :decode_error if i + 3 > binary.length
+
+            cd_len = Convert.bin2i(binary.slice(i, 3))
+            i += 3
+            cd_bin = binary.slice(i, cd_len)
+            cert_data = OpenSSL::X509::Certificate.new(cd_bin)
+            i += cd_len
+            raise Error::ErrorAlerts, :decode_error if i + 2 > binary.length
+
+            exs_len = Convert.bin2i(binary.slice(i, 2))
+            i += 2
+            exs_bin = binary.slice(i, exs_len)
+            extensions = Extensions.deserialize(exs_bin,
+                                                HandshakeType::CERTIFICATE)
+            i += exs_len
+            certificate_list << CertificateEntry.new(cert_data, extensions)
+          end
+          raise Error::ErrorAlerts, :decode_error unless i == binary.length
+
+          certificate_list
+        end
+      end
+    end
+
+    class CertificateEntry
+      attr_reader :cert_data
+      attr_reader :extensions
+
+      # @param cert_data [OpenSSL::X509::Certificate]
+      # @param extensions [TTTLS13::Message::Extensions]
+      #
+      # @return [CertificateEntry]
+      def initialize(cert_data, extensions = Extensions.new)
+        @cert_data = cert_data
+        @extensions = extensions || Extensions.new
+      end
+
+      # @return [String]
+      def serialize
+        binary = ''
+        binary += @cert_data.to_der.prefix_uint24_length
+        binary += @extensions.serialize
+        binary
+      end
+    end
+  end
+end

data/lib/tttls1.3/message/certificate_verify.rb

@@ -0,0 +1,59 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+module TTTLS13
+  using Refinements
+  module Message
+    class CertificateVerify
+      attr_reader :msg_type
+      attr_reader :signature_scheme
+      attr_reader :signature
+
+      # @param signature_scheme [TTTLS13::SignatureScheme]
+      # @param signature [String]
+      #
+      # @raise [TTTLS13::Error::ErrorAlerts]
+      def initialize(signature_scheme:, signature:)
+        @msg_type = HandshakeType::CERTIFICATE_VERIFY
+        @signature_scheme = signature_scheme
+        @signature = signature
+        raise Error::ErrorAlerts, :internal_error \
+          if @signature.length > 2**16 - 1
+      end
+
+      # @return [String]
+      def serialize
+        binary = ''
+        binary += @signature_scheme
+        binary += @signature.prefix_uint16_length
+
+        @msg_type + binary.prefix_uint24_length
+      end
+
+      alias fragment serialize
+
+      # @param binary [String]
+      #
+      # @raise [TTTLS13::Error::ErrorAlerts]
+      #
+      # @return [TTTLS13::Message::CertificateVerify]
+      def self.deserialize(binary)
+        raise Error::ErrorAlerts, :internal_error if binary.nil?
+        raise Error::ErrorAlerts, :decode_error if binary.length < 8
+        raise Error::ErrorAlerts, :internal_error \
+          unless binary[0] == HandshakeType::CERTIFICATE_VERIFY
+
+        msg_len = Convert.bin2i(binary.slice(1, 3))
+        signature_scheme = binary.slice(4, 2)
+        signature_len = Convert.bin2i(binary.slice(6, 2))
+        signature = binary.slice(8, signature_len)
+        raise Error::ErrorAlerts, :internal_error \
+          unless signature_len + 4 == msg_len &&
+                 signature_len + 8 == binary.length
+
+        CertificateVerify.new(signature_scheme: signature_scheme,
+                              signature: signature)
+      end
+    end
+  end
+end

data/lib/tttls1.3/message/change_cipher_spec.rb

@@ -0,0 +1,26 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+module TTTLS13
+  module Message
+    class ChangeCipherSpec
+      # @return [String]
+      def serialize
+        "\x01"
+      end
+
+      # @param binary [String]
+      #
+      # @raise [TTTLS13::Error::ErrorAlerts]
+      #
+      # @return [TTTLS13::Message::ChangeCipherSpec]
+      def self.deserialize(binary)
+        raise Error::ErrorAlerts, :internal_error if binary.nil?
+        raise Error::ErrorAlerts, :decode_error unless binary.length == 1
+        raise Error::ErrorAlerts, :unexpected_message unless binary[0] == "\x01"
+
+        ChangeCipherSpec.new
+      end
+    end
+  end
+end

data/lib/tttls1.3/message/client_hello.rb

@@ -0,0 +1,100 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+module TTTLS13
+  using Refinements
+  module Message
+    class ClientHello
+      attr_reader :msg_type
+      attr_reader :legacy_version
+      attr_reader :random
+      attr_reader :legacy_session_id
+      attr_reader :cipher_suites
+      attr_reader :legacy_compression_methods
+      attr_reader :extensions
+
+      # @param legacy_version [String]
+      # @param random [String]
+      # @param legacy_session_id [String]
+      # @param cipher_suites [TTTLS13::CipherSuites]
+      # @param legacy_compression_methods [Array of String]
+      # @param extensions [TTTLS13::Message::Extensions]
+      # rubocop: disable Metrics/ParameterLists
+      def initialize(legacy_version: ProtocolVersion::TLS_1_2,
+                     random: OpenSSL::Random.random_bytes(32),
+                     legacy_session_id: OpenSSL::Random.random_bytes(32),
+                     cipher_suites:,
+                     legacy_compression_methods: ["\x00"],
+                     extensions: Extensions.new)
+        @msg_type = HandshakeType::CLIENT_HELLO
+        @legacy_version = legacy_version
+        @random = random
+        @legacy_session_id = legacy_session_id
+        @cipher_suites = cipher_suites
+        @legacy_compression_methods = legacy_compression_methods
+        @extensions = extensions
+      end
+      # rubocop: enable Metrics/ParameterLists
+
+      # @return [String]
+      def serialize
+        binary = ''
+        binary += @legacy_version
+        binary += @random
+        binary += @legacy_session_id.prefix_uint8_length
+        binary += @cipher_suites.serialize
+        binary += @legacy_compression_methods.join.prefix_uint8_length
+        binary += @extensions.serialize
+
+        @msg_type + binary.prefix_uint24_length
+      end
+
+      # @param binary [String]
+      #
+      # @raise [TTTLS13::Error::ErrorAlerts]
+      #
+      # @return [TTTLS13::Message::ClientHello]
+      # rubocop: disable Metrics/AbcSize
+      # rubocop: disable Metrics/MethodLength
+      def self.deserialize(binary)
+        raise Error::ErrorAlerts, :internal_error if binary.nil?
+        raise Error::ErrorAlerts, :decode_error if binary.length < 39
+        raise Error::ErrorAlerts, :internal_error \
+          unless binary[0] == HandshakeType::CLIENT_HELLO
+
+        msg_len = Convert.bin2i(binary.slice(1, 3))
+        legacy_version = binary.slice(4, 2)
+        random = binary.slice(6, 32)
+        lsid_len = Convert.bin2i(binary[38])
+        legacy_session_id = binary.slice(39, lsid_len)
+        i = 39 + lsid_len
+        cs_len = Convert.bin2i(binary.slice(i, 2))
+        i += 2
+        cs_bin = binary.slice(i, cs_len)
+        cipher_suites = CipherSuites.deserialize(cs_bin)
+        i += cs_len
+        cm_len = Convert.bin2i(binary[i])
+        i += 1
+        legacy_compression_methods = binary.slice(i, cm_len).split('')
+        i += cm_len
+        exs_len = Convert.bin2i(binary.slice(i, 2))
+        i += 2
+        exs_bin = binary.slice(i, exs_len)
+        extensions = Extensions.deserialize(exs_bin,
+                                            HandshakeType::CLIENT_HELLO)
+        i += exs_len
+        raise Error::ErrorAlerts, :decode_error unless i == msg_len + 4 &&
+                                                       i == binary.length
+
+        ClientHello.new(legacy_version: legacy_version,
+                        random: random,
+                        legacy_session_id: legacy_session_id,
+                        cipher_suites: cipher_suites,
+                        legacy_compression_methods: legacy_compression_methods,
+                        extensions: extensions)
+      end
+      # rubocop: enable Metrics/AbcSize
+      # rubocop: enable Metrics/MethodLength
+    end
+  end
+end