RubyGems - tttls1.3 - Versions diffs - 0.1.4 → 0.2.0 - Mend

tttls1.3 0.1.4 → 0.2.0

Files changed (47) hide show

checksums.yaml +4 -4
data/.rubocop.yml +3 -0
data/README.md +35 -13
data/Rakefile +2 -4
data/example/helper.rb +30 -7
data/example/https_client.rb +3 -20
data/example/https_client_using_0rtt.rb +10 -24
data/example/https_client_using_hrr.rb +3 -20
data/example/https_client_using_ticket.rb +3 -20
data/example/https_server.rb +43 -0
data/interop/client_spec.rb +111 -22
data/interop/helper.rb +1 -0
data/interop/server_spec.rb +182 -0
data/lib/tttls1.3/client.rb +115 -98
data/lib/tttls1.3/connection.rb +119 -32
data/lib/tttls1.3/message/certificate.rb +18 -0
data/lib/tttls1.3/message/client_hello.rb +38 -0
data/lib/tttls1.3/message/encrypted_extensions.rb +20 -16
data/lib/tttls1.3/message/extension/key_share.rb +24 -2
data/lib/tttls1.3/message/extension/supported_groups.rb +0 -87
data/lib/tttls1.3/message/extensions.rb +1 -27
data/lib/tttls1.3/message/new_session_ticket.rb +14 -0
data/lib/tttls1.3/message/record.rb +23 -20
data/lib/tttls1.3/message/server_hello.rb +27 -0
data/lib/tttls1.3/message.rb +35 -2
data/lib/tttls1.3/named_group.rb +89 -0
data/lib/tttls1.3/server.rb +439 -0
data/lib/tttls1.3/transcript.rb +6 -0
data/lib/tttls1.3/version.rb +1 -1
data/lib/tttls1.3.rb +3 -0
data/spec/certificate_spec.rb +28 -1
data/spec/client_spec.rb +14 -10
data/spec/connection_spec.rb +43 -13
data/spec/encrypted_extensions_spec.rb +4 -4
data/spec/fixtures/rsa_ca.crt +29 -0
data/spec/fixtures/rsa_ca.key +51 -0
data/spec/fixtures/rsa_rsa.crt +23 -0
data/spec/fixtures/rsa_rsa.key +27 -0
data/spec/fixtures/rsa_secp256r1.crt +19 -0
data/spec/fixtures/rsa_secp256r1.key +5 -0
data/spec/fixtures/rsa_secp384r1.crt +19 -0
data/spec/fixtures/rsa_secp384r1.key +6 -0
data/spec/fixtures/rsa_secp521r1.crt +20 -0
data/spec/fixtures/rsa_secp521r1.key +7 -0
data/spec/server_spec.rb +186 -0
data/spec/spec_helper.rb +43 -0
metadata +28 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e5e95ca87bc146cc9021a42dc44ed5daef30a5d8fc7040ab4531c77045077e82
-  data.tar.gz: cae31fb5ec83ac405142d7c67b1b9298d2d0880dbd053e37e7edfd888e70cf9e
+  metadata.gz: 39cf5b4e5fd508981bdefedc27502ac14b984699983d44160d9a836b2ab2aa2b
+  data.tar.gz: 0250c8ad97ef5bef6a52d7b6e22c990b842ce66a8ab6e2d3abc0c6ef90a4eb13
 SHA512:
-  metadata.gz: 32080b68a237890982c9407491e754df789460550e7b68a87d1f77a01749da79a7bc463dbb8b53659eb27aa1fc990e168454754fc7b1636ac474e43c61fecd1f
-  data.tar.gz: 5a43785680db1cda38f704ac0df711ff10c0d2cded4fc2620c7c5ad8ee15d4f682672983642ce50f4b371cddd93760d06d98839d6c7811323482add07fe7fbc9
+  metadata.gz: e8ef15683ceabb9396eb51e5831f3dc48ed9c4df11871f10458160804891107fe3bff2d0c1810ad294134c8bec4d63534b2aee7cc6c8bff5f7ae07462bf753ef
+  data.tar.gz: 7baf720c22742962380449ad01372264634e878113858643cdc8a0db55e0f0cf07e0bd45cd80ad461cab9a337c89c7e0ad9c0e0057e02cbcda77a0765f10bdb9

data/.rubocop.yml CHANGED Viewed

@@ -10,6 +10,9 @@ Metrics/AbcSize:
 Metrics/MethodLength:
   Max: 30
+Naming/UncommunicativeMethodParamName:
+  MinNameLength: 1
 Metrics/BlockLength:
   Exclude:
     - 'Rakefile'

data/README.md CHANGED Viewed

@@ -12,29 +12,18 @@ Backward compatibility and performance are not an objective.
 This gem should not be used for production software.
-## Features
-tttls1.3 provides client API with the following features:
-* Simple 1-RTT Handshake
-* HelloRetryRequest
-* Resumed 0-RTT Handshake (with PSK from ticket)
-NOT supports X25519, X448, FFDHE, AES-CCM, Client Authentication, Post-Handshake Authentication, KeyUpdate, external PSKs.
 ## Getting started
 tttls1.3 gem is available at [rubygems.org](https://rubygems.org/gems/tttls1.3). You can install with:
-```
+```bash
 $ gem install tttls1.3
 ```
 This implementation provides only minimal API, so your code is responsible for application layer.
 Roughly, this works as follows:
-```
+```ruby
 require 'tttls1.3'
 socket = YourTransport.new
@@ -46,9 +35,42 @@ client.read
 client.close
 ```
+```ruby
+require 'tttls1.3'
+socket = YourTransport.new
+server = TTTLS13::Server.new(socket.accept)
+server.accept
+server.read
+server.write(YOUR_MESSAGE)
+server.close
+```
 HTTPS examples are [here](https://github.com/thekuwayama/tttls1.3/tree/master/example).
+## Features
+### Client
+tttls1.3 provides client API with the following features:
+* Simple 1-RTT Handshake
+* HelloRetryRequest
+* Resumed 0-RTT Handshake (with PSK from ticket)
+**NOT supports** certificate with OID RSASSA-PSS, X25519, X448, FFDHE, AES-CCM, Client Authentication, Post-Handshake Authentication, KeyUpdate, external PSKs.
+### Server
+tttls1.3 provides server API with the following features:
+* Simple 1-RTT Handshake
+**NOT supports** certificate with OID RSASSA-PSS, X25519, X448, FFDHE, AES-CCM, Client Authentication, Post-Handshake Authentication, KeyUpdate, external PSKs.
 ## License
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile CHANGED Viewed

@@ -6,8 +6,6 @@ require 'rspec/core/rake_task'
 require 'openssl'
 require 'fileutils'
-RuboCop::RakeTask.new
 TMP_DIR    = __dir__ + '/tmp'
 CA_KEY     = TMP_DIR + '/ca.key'
 CA_CRT     = TMP_DIR + '/ca.crt'
@@ -128,6 +126,6 @@ task :del_certs do
   end
 end
-RSpec::Core::RakeTask.new(spec: :gen_certs)
+RuboCop::RakeTask.new
+RSpec::Core::RakeTask.new(:spec)
 task default: %i[rubocop spec]

data/example/helper.rb CHANGED Viewed

@@ -4,13 +4,36 @@ $LOAD_PATH << __dir__ + '/../lib'
 require 'socket'
 require 'tttls1.3'
+require 'webrick'
+def simple_http_request(hostname)
+  s = <<~BIN
+    GET / HTTP/1.1
+    Host: #{hostname}
+    User-Agent: https_client
+    Accept: */*
-def http_get(hostname)
-  <<~BIN
-    GET / HTTP/1.1\r
-    Host: #{hostname}\r
-    User-Agent: https_client\r
-    Accept: */*\r
-    \r
   BIN
+  s.gsub("\n", "\r\n")
+end
+def recv_http_response(client)
+  # status line, header
+  buf = ''
+  buf += client.read until buf.include?(WEBrick::CRLF * 2)
+  header = buf.split(WEBrick::CRLF * 2).first
+  # header; Content-Length
+  cl_line = header.split(WEBrick::CRLF).find { |s| s.match(/Content-Length:/i) }
+  # body
+  unless cl_line.nil?
+    cl = cl_line.split(':').last.to_i
+    buf = buf.split(WEBrick::CRLF * 2)[1..].join
+    while buf.length < cl
+      s = client.read
+      buf += s
+    end
+  end
+  header + WEBrick::CRLF * 2 + buf
 end

data/example/https_client.rb CHANGED Viewed

@@ -4,29 +4,12 @@
 require_relative 'helper'
 hostname, port = (ARGV[0] || 'localhost:4433').split(':')
-http_get = http_get(hostname)
+req = simple_http_request(hostname)
 socket = TCPSocket.new(hostname, port)
 settings = { ca_file: __dir__ + '/../tmp/ca.crt' }
 client = TTTLS13::Client.new(socket, hostname, settings)
 client.connect
-client.write(http_get)
-# status line, header
-buffer = ''
-buffer += client.read until buffer.include?("\r\n\r\n")
-print header = buffer.split("\r\n\r\n").first
-# header; Content-Length
-cl_line = header.split("\r\n").find { |s| s.match(/Content-Length:/i) }
-# body
-unless cl_line.nil?
-  cl = cl_line.split(':').last.to_i
-  print buffer = buffer.split("\r\n\r\n")[1..].join
-  while buffer.length < cl
-    print s = client.read
-    buffer += s
-  end
-end
+client.write(req)
+print recv_http_response(client)
 client.close

data/example/https_client_using_0rtt.rb CHANGED Viewed

@@ -4,7 +4,7 @@
 require_relative 'helper'
 hostname, port = (ARGV[0] || 'localhost:4433').split(':')
-http_get = http_get(hostname)
+req = simple_http_request(hostname)
 settings_2nd = {
   ca_file: __dir__ + '/../tmp/ca.crt'
@@ -23,7 +23,9 @@ settings_1st = {
   ca_file: __dir__ + '/../tmp/ca.crt',
   process_new_session_ticket: process_new_session_ticket
 }
-accepted_early_data = false
+succeed_early_data = false
 [
   # Initial Handshake:
   settings_1st,
@@ -34,31 +36,15 @@ accepted_early_data = false
   client = TTTLS13::Client.new(socket, hostname, settings)
   # send message using early data; 0-RTT
-  client.early_data(http_get) if i == 1 && settings.include?(:ticket)
+  client.early_data(req) if i == 1 && settings.include?(:ticket)
   client.connect
   # send message after Simple 1-RTT Handshake
-  client.write(http_get) if i.zero? || !client.accepted_early_data?
-  # status line, header
-  buffer = ''
-  buffer += client.read until buffer.include?("\r\n\r\n")
-  print header = buffer.split("\r\n\r\n").first
-  # header; Content-Length
-  cl_line = header.split("\r\n").find { |s| s.match(/Content-Length:/i) }
-  # body
-  unless cl_line.nil?
-    cl = cl_line.split(':').last.to_i
-    print buffer = buffer.split("\r\n\r\n")[1..].join
-    while buffer.length < cl
-      print s = client.read
-      buffer += s
-    end
-  end
+  client.write(req) if i.zero? || !client.succeed_early_data?
+  print recv_http_response(client)
   client.close
-  accepted_early_data = client.accepted_early_data?
+  succeed_early_data = client.succeed_early_data?
 end
 puts "\n" + '-' * 10
-puts "early data of 2nd handshake: #{accepted_early_data}"
+puts "early data of 2nd handshake: #{succeed_early_data}"

data/example/https_client_using_hrr.rb CHANGED Viewed

@@ -4,7 +4,7 @@
 require_relative 'helper'
 hostname, port = (ARGV[0] || 'localhost:4433').split(':')
-http_get = http_get(hostname)
+req = simple_http_request(hostname)
 socket = TCPSocket.new(hostname, port)
 settings = {
@@ -13,23 +13,6 @@ settings = {
 }
 client = TTTLS13::Client.new(socket, hostname, settings)
 client.connect
-client.write(http_get)
-# status line, header
-buffer = ''
-buffer += client.read until buffer.include?("\r\n\r\n")
-print header = buffer.split("\r\n\r\n").first
-# header; Content-Length
-cl_line = header.split("\r\n").find { |s| s.match(/Content-Length:/i) }
-# body
-unless cl_line.nil?
-  cl = cl_line.split(':').last.to_i
-  print buffer = buffer.split("\r\n\r\n")[1..].join
-  while buffer.length < cl
-    print s = client.read
-    buffer += s
-  end
-end
+client.write(req)
+print recv_http_response(client)
 client.close

data/example/https_client_using_ticket.rb CHANGED Viewed

@@ -4,7 +4,7 @@
 require_relative 'helper'
 hostname, port = (ARGV[0] || 'localhost:4433').split(':')
-http_get = http_get(hostname)
+req = simple_http_request(hostname)
 settings_2nd = {
   ca_file: __dir__ + '/../tmp/ca.crt'
@@ -33,24 +33,7 @@ settings_1st = {
   socket = TCPSocket.new(hostname, port)
   client = TTTLS13::Client.new(socket, hostname, settings)
   client.connect
-  client.write(http_get)
-  # status line, header
-  buffer = ''
-  buffer += client.read until buffer.include?("\r\n\r\n")
-  print header = buffer.split("\r\n\r\n").first
-  # header; Content-Length
-  cl_line = header.split("\r\n").find { |s| s.match(/Content-Length:/i) }
-  # body
-  unless cl_line.nil?
-    cl = cl_line.split(':').last.to_i
-    print buffer = buffer.split("\r\n\r\n")[1..].join
-    while buffer.length < cl
-      print s = client.read
-      buffer += s
-    end
-  end
+  client.write(req)
+  print recv_http_response(client)
   client.close
 end

data/example/https_server.rb ADDED Viewed

@@ -0,0 +1,43 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+require_relative 'helper'
+port = ARGV[0] || 4433
+tcpserver = TCPServer.open(port)
+settings = { crt_file: __dir__ + '/../tmp/server.crt',
+             key_file: __dir__ + '/../tmp/server.key' }
+# rubocop: disable Metrics/BlockLength
+loop do
+  socket = tcpserver.accept
+  Thread.start(socket) do |s|
+    Timeout.timeout(5) do
+      server = TTTLS13::Server.new(s, settings)
+      server.accept
+      buffer = ''
+      buffer += server.read until buffer.include?(WEBrick::CRLF * 2)
+      req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
+      req.parse(StringIO.new(buffer))
+      puts req.to_s
+      res = WEBrick::HTTPResponse.new(WEBrick::Config::HTTP)
+      res.status = 200
+      res.body = 'Hello'
+      res.content_length = 5
+      res.content_type = 'text/html'
+      server.write(
+        res.status_line \
+        + res.header.map { |k, v| k + ': ' + v }.join(WEBrick::CRLF) \
+        + WEBrick::CRLF * 2 \
+        + res.body
+      )
+      server.close
+    end
+  rescue Timeout::Error => e
+    puts e.to_s + "\n\n"
+  ensure
+    s.close
+  end
+end
+# rubocop: enable Metrics/BlockLength

data/interop/client_spec.rb CHANGED Viewed

@@ -3,61 +3,144 @@
 require_relative 'helper'
-TMP_DIR = __dir__ + '/../tmp'
+FIXTURES_DIR = __dir__ + '/../spec/fixtures'
 RSpec.describe Client do
   # testcases
+  # normal [Boolean] Is this nominal scenarios?
+  # opt [String] openssl s_server options
+  # crt [String] server crt file path
+  # key [String] server key file path
+  # settings [Hash] TTTLS13::Server settings
   [
+    # rubocop: disable Metrics/LineLength
     [
-      ' -ciphersuites TLS_AES_256_GCM_SHA384',
+      true,
+      '-ciphersuites TLS_AES_256_GCM_SHA384',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       cipher_suites: [CipherSuite::TLS_AES_256_GCM_SHA384]
     ],
     [
-      ' -ciphersuites TLS_CHACHA20_POLY1305_SHA256',
+      true,
+      '-ciphersuites TLS_CHACHA20_POLY1305_SHA256',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       cipher_suites: [CipherSuite::TLS_CHACHA20_POLY1305_SHA256]
     ],
     [
-      ' -ciphersuites TLS_AES_128_GCM_SHA256',
+      true,
+      '-ciphersuites TLS_AES_128_GCM_SHA256',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       cipher_suites: [CipherSuite::TLS_AES_128_GCM_SHA256]
     ],
     [
-      ' -groups P-256',
+      false,
+      '-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
+      cipher_suites: [CipherSuite::TLS_AES_128_GCM_SHA256]
+    ],
+    [
+      true,
+      '-groups P-256',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       supported_groups: [NamedGroup::SECP256R1]
     ],
     [
-      ' -groups P-384',
+      true,
+      '-groups P-384',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       supported_groups: [NamedGroup::SECP384R1]
     ],
     [
-      ' -groups P-521',
+      true,
+      '-groups P-521',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       supported_groups: [NamedGroup::SECP521R1]
     ],
     [
-      ' -sigalgs RSA-PSS+SHA256',
+      false,
+      '-groups P-256:P-384',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
+      supported_groups: [NamedGroup::SECP521R1]
+    ],
+    [
+      true,
+      '-sigalgs RSA-PSS+SHA256',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
       signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA256]
     ],
     [
-      ' -sigalgs RSA-PSS+SHA384',
+      true,
+      '-sigalgs RSA-PSS+SHA384',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
       signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA384]
     ],
     [
-      ' -sigalgs RSA-PSS+SHA512',
+      true,
+      '-sigalgs RSA-PSS+SHA512',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
       signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA512]
     ],
     [
-      ' -record_padding 8446',
+      true,
+      '-sigalgs ECDSA+SHA256',
+      'rsa_secp256r1.crt',
+      'rsa_secp256r1.key',
+      signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
+      signature_algorithms: [SignatureScheme::ECDSA_SECP256R1_SHA256]
+    ],
+    [
+      true,
+      '-sigalgs ECDSA+SHA384',
+      'rsa_secp384r1.crt',
+      'rsa_secp384r1.key',
+      signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
+      signature_algorithms: [SignatureScheme::ECDSA_SECP384R1_SHA384]
+    ],
+    [
+      true,
+      '-sigalgs ECDSA+SHA512',
+      'rsa_secp521r1.crt',
+      'rsa_secp521r1.key',
+      signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
+      signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512]
+    ],
+    [
+      false,
+      '-sigalgs ECDSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256',
+      'rsa_secp521r1.crt',
+      'rsa_secp521r1.key',
+      signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
+      signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512]
+    ],
+    [
+      true,
+      '-record_padding 8446',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       {}
     ]
-  ].each do |opt, settings|
+    # rubocop: enable Metrics/LineLength
+  ].each do |normal, opt, crt, key, settings|
     context 'client interop' do
       before do
-        cmd = "docker run -v #{TMP_DIR}:/tmp -p 4433:4433 -it openssl " \
+        cmd = "docker run -v #{FIXTURES_DIR}:/tmp -p 4433:4433 -it openssl " \
               + 'openssl s_server ' \
-              + '-cert /tmp/server.crt ' \
-              + '-key /tmp/server.key ' \
+              + "-cert /tmp/#{crt} " \
+              + "-key /tmp/#{key} " \
               + '-tls1_3 ' \
               + '-www ' \
               + '-quiet ' \
@@ -65,13 +148,13 @@ RSpec.describe Client do
         pid = spawn(cmd)
         Process.detach(pid)
-        sleep(2) # waiting for openssl s_server
+        sleep(2.5) # waiting for openssl s_server
       end
       let(:client) do
         hostname = 'localhost'
         @socket = TCPSocket.new(hostname, 4433)
-        settings[:ca_file] = TMP_DIR + '/ca.crt'
+        settings[:ca_file] = FIXTURES_DIR + '/rsa_ca.crt'
         Client.new(@socket, hostname, settings)
       end
@@ -80,11 +163,17 @@ RSpec.describe Client do
         `docker ps -ql | xargs docker stop`
       end
-      it "should connect with openssl s_server ...#{opt}" do
-        expect { client.connect }.to_not raise_error
-        expect { client.write("GET / HTTP/1.0\r\n\r\n") }.to_not raise_error
-        expect(client.read).to include "HTTP/1.0 200 ok\r\n"
-        expect { client.close }.to_not raise_error
+      if normal
+        it "should connect with openssl s_server ...#{opt}" do
+          expect { client.connect }.to_not raise_error
+          expect { client.write("GET / HTTP/1.0\r\n\r\n") }.to_not raise_error
+          expect(client.read).to include "HTTP/1.0 200 ok\r\n"
+          expect { client.close }.to_not raise_error
+        end
+      else # exceptions scenarios
+        it "should NOT connect with openssl s_server ...#{opt}" do
+          expect { client.connect }.to raise_error ErrorAlerts
+        end
       end
     end
   end

data/interop/helper.rb CHANGED Viewed

@@ -9,4 +9,5 @@ include TTTLS13
 include TTTLS13::CipherSuite
 include TTTLS13::SignatureScheme
 include TTTLS13::Message::Extension
+include TTTLS13::Error
 # rubocop: enable Style/MixinUsage