RubyGems - tttls1.3 - Versions diffs - 0.1.4 → 0.2.0 - Mend

tttls1.3 0.1.4 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

checksums.yaml +4 -4
data/.rubocop.yml +3 -0
data/README.md +35 -13
data/Rakefile +2 -4
data/example/helper.rb +30 -7
data/example/https_client.rb +3 -20
data/example/https_client_using_0rtt.rb +10 -24
data/example/https_client_using_hrr.rb +3 -20
data/example/https_client_using_ticket.rb +3 -20
data/example/https_server.rb +43 -0
data/interop/client_spec.rb +111 -22
data/interop/helper.rb +1 -0
data/interop/server_spec.rb +182 -0
data/lib/tttls1.3/client.rb +115 -98
data/lib/tttls1.3/connection.rb +119 -32
data/lib/tttls1.3/message/certificate.rb +18 -0
data/lib/tttls1.3/message/client_hello.rb +38 -0
data/lib/tttls1.3/message/encrypted_extensions.rb +20 -16
data/lib/tttls1.3/message/extension/key_share.rb +24 -2
data/lib/tttls1.3/message/extension/supported_groups.rb +0 -87
data/lib/tttls1.3/message/extensions.rb +1 -27
data/lib/tttls1.3/message/new_session_ticket.rb +14 -0
data/lib/tttls1.3/message/record.rb +23 -20
data/lib/tttls1.3/message/server_hello.rb +27 -0
data/lib/tttls1.3/message.rb +35 -2
data/lib/tttls1.3/named_group.rb +89 -0
data/lib/tttls1.3/server.rb +439 -0
data/lib/tttls1.3/transcript.rb +6 -0
data/lib/tttls1.3/version.rb +1 -1
data/lib/tttls1.3.rb +3 -0
data/spec/certificate_spec.rb +28 -1
data/spec/client_spec.rb +14 -10
data/spec/connection_spec.rb +43 -13
data/spec/encrypted_extensions_spec.rb +4 -4
data/spec/fixtures/rsa_ca.crt +29 -0
data/spec/fixtures/rsa_ca.key +51 -0
data/spec/fixtures/rsa_rsa.crt +23 -0
data/spec/fixtures/rsa_rsa.key +27 -0
data/spec/fixtures/rsa_secp256r1.crt +19 -0
data/spec/fixtures/rsa_secp256r1.key +5 -0
data/spec/fixtures/rsa_secp384r1.crt +19 -0
data/spec/fixtures/rsa_secp384r1.key +6 -0
data/spec/fixtures/rsa_secp521r1.crt +20 -0
data/spec/fixtures/rsa_secp521r1.key +7 -0
data/spec/server_spec.rb +186 -0
data/spec/spec_helper.rb +43 -0
metadata +28 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e5e95ca87bc146cc9021a42dc44ed5daef30a5d8fc7040ab4531c77045077e82
-  data.tar.gz: cae31fb5ec83ac405142d7c67b1b9298d2d0880dbd053e37e7edfd888e70cf9e
+  metadata.gz: 39cf5b4e5fd508981bdefedc27502ac14b984699983d44160d9a836b2ab2aa2b
+  data.tar.gz: 0250c8ad97ef5bef6a52d7b6e22c990b842ce66a8ab6e2d3abc0c6ef90a4eb13
 SHA512:
-  metadata.gz: 32080b68a237890982c9407491e754df789460550e7b68a87d1f77a01749da79a7bc463dbb8b53659eb27aa1fc990e168454754fc7b1636ac474e43c61fecd1f
-  data.tar.gz: 5a43785680db1cda38f704ac0df711ff10c0d2cded4fc2620c7c5ad8ee15d4f682672983642ce50f4b371cddd93760d06d98839d6c7811323482add07fe7fbc9
+  metadata.gz: e8ef15683ceabb9396eb51e5831f3dc48ed9c4df11871f10458160804891107fe3bff2d0c1810ad294134c8bec4d63534b2aee7cc6c8bff5f7ae07462bf753ef
+  data.tar.gz: 7baf720c22742962380449ad01372264634e878113858643cdc8a0db55e0f0cf07e0bd45cd80ad461cab9a337c89c7e0ad9c0e0057e02cbcda77a0765f10bdb9

data/.rubocop.yml CHANGED Viewed

@@ -10,6 +10,9 @@ Metrics/AbcSize:
 Metrics/MethodLength:
   Max: 30
+Naming/UncommunicativeMethodParamName:
+  MinNameLength: 1
 Metrics/BlockLength:
   Exclude:
     - 'Rakefile'

data/README.md CHANGED Viewed

@@ -12,29 +12,18 @@ Backward compatibility and performance are not an objective.
 This gem should not be used for production software.
-## Features
-tttls1.3 provides client API with the following features:
-* Simple 1-RTT Handshake
-* HelloRetryRequest
-* Resumed 0-RTT Handshake (with PSK from ticket)
-NOT supports X25519, X448, FFDHE, AES-CCM, Client Authentication, Post-Handshake Authentication, KeyUpdate, external PSKs.
 ## Getting started
 tttls1.3 gem is available at [rubygems.org](https://rubygems.org/gems/tttls1.3). You can install with:
-```
+```bash
 $ gem install tttls1.3
 ```
 This implementation provides only minimal API, so your code is responsible for application layer.
 Roughly, this works as follows:
-```
+```ruby
 require 'tttls1.3'
 socket = YourTransport.new
@@ -46,9 +35,42 @@ client.read
 client.close
 ```
+```ruby
+require 'tttls1.3'
+socket = YourTransport.new
+server = TTTLS13::Server.new(socket.accept)
+server.accept
+server.read
+server.write(YOUR_MESSAGE)
+server.close
+```
 HTTPS examples are [here](https://github.com/thekuwayama/tttls1.3/tree/master/example).
+## Features
+### Client
+tttls1.3 provides client API with the following features:
+* Simple 1-RTT Handshake
+* HelloRetryRequest
+* Resumed 0-RTT Handshake (with PSK from ticket)
+**NOT supports** certificate with OID RSASSA-PSS, X25519, X448, FFDHE, AES-CCM, Client Authentication, Post-Handshake Authentication, KeyUpdate, external PSKs.
+### Server
+tttls1.3 provides server API with the following features:
+* Simple 1-RTT Handshake
+**NOT supports** certificate with OID RSASSA-PSS, X25519, X448, FFDHE, AES-CCM, Client Authentication, Post-Handshake Authentication, KeyUpdate, external PSKs.
 ## License
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile CHANGED Viewed

@@ -6,8 +6,6 @@ require 'rspec/core/rake_task'
 require 'openssl'
 require 'fileutils'
-RuboCop::RakeTask.new
 TMP_DIR    = __dir__ + '/tmp'
 CA_KEY     = TMP_DIR + '/ca.key'
 CA_CRT     = TMP_DIR + '/ca.crt'
@@ -128,6 +126,6 @@ task :del_certs do
   end
 end
-RSpec::Core::RakeTask.new(spec: :gen_certs)
+RuboCop::RakeTask.new
+RSpec::Core::RakeTask.new(:spec)
 task default: %i[rubocop spec]

data/example/helper.rb CHANGED Viewed

@@ -4,13 +4,36 @@ $LOAD_PATH << __dir__ + '/../lib'
 require 'socket'
 require 'tttls1.3'
+require 'webrick'
+def simple_http_request(hostname)
+  s = <<~BIN
+    GET / HTTP/1.1
+    Host: #{hostname}
+    User-Agent: https_client
+    Accept: */*
-def http_get(hostname)
-  <<~BIN
-    GET / HTTP/1.1\r
-    Host: #{hostname}\r
-    User-Agent: https_client\r
-    Accept: */*\r
-    \r
   BIN
+  s.gsub("\n", "\r\n")
+end
+def recv_http_response(client)
+  # status line, header
+  buf = ''
+  buf += client.read until buf.include?(WEBrick::CRLF * 2)
+  header = buf.split(WEBrick::CRLF * 2).first
+  # header; Content-Length
+  cl_line = header.split(WEBrick::CRLF).find { |s| s.match(/Content-Length:/i) }
+  # body
+  unless cl_line.nil?
+    cl = cl_line.split(':').last.to_i
+    buf = buf.split(WEBrick::CRLF * 2)[1..].join
+    while buf.length < cl
+      s = client.read
+      buf += s
+    end
+  end
+  header + WEBrick::CRLF * 2 + buf
 end

data/example/https_client.rb CHANGED Viewed

@@ -4,29 +4,12 @@
 require_relative 'helper'
 hostname, port = (ARGV[0] || 'localhost:4433').split(':')
-http_get = http_get(hostname)
+req = simple_http_request(hostname)
 socket = TCPSocket.new(hostname, port)
 settings = { ca_file: __dir__ + '/../tmp/ca.crt' }
 client = TTTLS13::Client.new(socket, hostname, settings)
 client.connect
-client.write(http_get)
-# status line, header
-buffer = ''
-buffer += client.read until buffer.include?("\r\n\r\n")
-print header = buffer.split("\r\n\r\n").first
-# header; Content-Length
-cl_line = header.split("\r\n").find { |s| s.match(/Content-Length:/i) }
-# body
-unless cl_line.nil?
-  cl = cl_line.split(':').last.to_i
-  print buffer = buffer.split("\r\n\r\n")[1..].join
-  while buffer.length < cl
-    print s = client.read
-    buffer += s
-  end
-end
+client.write(req)
+print recv_http_response(client)
 client.close

data/example/https_client_using_0rtt.rb CHANGED Viewed

@@ -4,7 +4,7 @@
 require_relative 'helper'
 hostname, port = (ARGV[0] || 'localhost:4433').split(':')
-http_get = http_get(hostname)
+req = simple_http_request(hostname)
 settings_2nd = {
   ca_file: __dir__ + '/../tmp/ca.crt'
@@ -23,7 +23,9 @@ settings_1st = {
   ca_file: __dir__ + '/../tmp/ca.crt',
   process_new_session_ticket: process_new_session_ticket
 }
-accepted_early_data = false
+succeed_early_data = false
 [
   # Initial Handshake:
   settings_1st,
@@ -34,31 +36,15 @@ accepted_early_data = false
   client = TTTLS13::Client.new(socket, hostname, settings)
   # send message using early data; 0-RTT
-  client.early_data(http_get) if i == 1 && settings.include?(:ticket)
+  client.early_data(req) if i == 1 && settings.include?(:ticket)
   client.connect
   # send message after Simple 1-RTT Handshake
-  client.write(http_get) if i.zero? || !client.accepted_early_data?
-  # status line, header
-  buffer = ''
-  buffer += client.read until buffer.include?("\r\n\r\n")
-  print header = buffer.split("\r\n\r\n").first
-  # header; Content-Length
-  cl_line = header.split("\r\n").find { |s| s.match(/Content-Length:/i) }
-  # body
-  unless cl_line.nil?
-    cl = cl_line.split(':').last.to_i
-    print buffer = buffer.split("\r\n\r\n")[1..].join
-    while buffer.length < cl
-      print s = client.read
-      buffer += s
-    end
-  end
+  client.write(req) if i.zero? || !client.succeed_early_data?
+  print recv_http_response(client)
   client.close
-  accepted_early_data = client.accepted_early_data?
+  succeed_early_data = client.succeed_early_data?
 end
 puts "\n" + '-' * 10
-puts "early data of 2nd handshake: #{accepted_early_data}"
+puts "early data of 2nd handshake: #{succeed_early_data}"

data/example/https_client_using_hrr.rb CHANGED Viewed

@@ -4,7 +4,7 @@
 require_relative 'helper'
 hostname, port = (ARGV[0] || 'localhost:4433').split(':')
-http_get = http_get(hostname)
+req = simple_http_request(hostname)
 socket = TCPSocket.new(hostname, port)
 settings = {
@@ -13,23 +13,6 @@ settings = {
 }
 client = TTTLS13::Client.new(socket, hostname, settings)
 client.connect
-client.write(http_get)
-# status line, header
-buffer = ''
-buffer += client.read until buffer.include?("\r\n\r\n")
-print header = buffer.split("\r\n\r\n").first
-# header; Content-Length
-cl_line = header.split("\r\n").find { |s| s.match(/Content-Length:/i) }
-# body
-unless cl_line.nil?
-  cl = cl_line.split(':').last.to_i
-  print buffer = buffer.split("\r\n\r\n")[1..].join
-  while buffer.length < cl
-    print s = client.read
-    buffer += s
-  end
-end
+client.write(req)
+print recv_http_response(client)
 client.close

data/example/https_client_using_ticket.rb CHANGED Viewed

@@ -4,7 +4,7 @@
 require_relative 'helper'
 hostname, port = (ARGV[0] || 'localhost:4433').split(':')
-http_get = http_get(hostname)
+req = simple_http_request(hostname)
 settings_2nd = {
   ca_file: __dir__ + '/../tmp/ca.crt'
@@ -33,24 +33,7 @@ settings_1st = {
   socket = TCPSocket.new(hostname, port)
   client = TTTLS13::Client.new(socket, hostname, settings)
   client.connect
-  client.write(http_get)
-  # status line, header
-  buffer = ''
-  buffer += client.read until buffer.include?("\r\n\r\n")
-  print header = buffer.split("\r\n\r\n").first
-  # header; Content-Length
-  cl_line = header.split("\r\n").find { |s| s.match(/Content-Length:/i) }
-  # body
-  unless cl_line.nil?
-    cl = cl_line.split(':').last.to_i
-    print buffer = buffer.split("\r\n\r\n")[1..].join
-    while buffer.length < cl
-      print s = client.read
-      buffer += s
-    end
-  end
+  client.write(req)
+  print recv_http_response(client)
   client.close
 end

data/example/https_server.rb ADDED Viewed

@@ -0,0 +1,43 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+require_relative 'helper'
+port = ARGV[0] || 4433
+tcpserver = TCPServer.open(port)
+settings = { crt_file: __dir__ + '/../tmp/server.crt',
+             key_file: __dir__ + '/../tmp/server.key' }
+# rubocop: disable Metrics/BlockLength
+loop do
+  socket = tcpserver.accept
+  Thread.start(socket) do |s|
+    Timeout.timeout(5) do
+      server = TTTLS13::Server.new(s, settings)
+      server.accept
+      buffer = ''
+      buffer += server.read until buffer.include?(WEBrick::CRLF * 2)
+      req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
+      req.parse(StringIO.new(buffer))
+      puts req.to_s
+      res = WEBrick::HTTPResponse.new(WEBrick::Config::HTTP)
+      res.status = 200
+      res.body = 'Hello'
+      res.content_length = 5
+      res.content_type = 'text/html'
+      server.write(
+        res.status_line \
+        + res.header.map { |k, v| k + ': ' + v }.join(WEBrick::CRLF) \
+        + WEBrick::CRLF * 2 \
+        + res.body
+      )
+      server.close
+    end
+  rescue Timeout::Error => e
+    puts e.to_s + "\n\n"
+  ensure
+    s.close
+  end
+end
+# rubocop: enable Metrics/BlockLength

data/interop/client_spec.rb CHANGED Viewed

@@ -3,61 +3,144 @@
 require_relative 'helper'
-TMP_DIR = __dir__ + '/../tmp'
+FIXTURES_DIR = __dir__ + '/../spec/fixtures'
 RSpec.describe Client do
   # testcases
+  # normal [Boolean] Is this nominal scenarios?
+  # opt [String] openssl s_server options
+  # crt [String] server crt file path
+  # key [String] server key file path
+  # settings [Hash] TTTLS13::Server settings
   [
+    # rubocop: disable Metrics/LineLength
     [
-      ' -ciphersuites TLS_AES_256_GCM_SHA384',
+      true,
+      '-ciphersuites TLS_AES_256_GCM_SHA384',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       cipher_suites: [CipherSuite::TLS_AES_256_GCM_SHA384]
     ],
     [
-      ' -ciphersuites TLS_CHACHA20_POLY1305_SHA256',
+      true,
+      '-ciphersuites TLS_CHACHA20_POLY1305_SHA256',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       cipher_suites: [CipherSuite::TLS_CHACHA20_POLY1305_SHA256]
     ],
     [
-      ' -ciphersuites TLS_AES_128_GCM_SHA256',
+      true,
+      '-ciphersuites TLS_AES_128_GCM_SHA256',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       cipher_suites: [CipherSuite::TLS_AES_128_GCM_SHA256]
     ],
     [
-      ' -groups P-256',
+      false,
+      '-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
+      cipher_suites: [CipherSuite::TLS_AES_128_GCM_SHA256]
+    ],
+    [
+      true,
+      '-groups P-256',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       supported_groups: [NamedGroup::SECP256R1]
     ],
     [
-      ' -groups P-384',
+      true,
+      '-groups P-384',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       supported_groups: [NamedGroup::SECP384R1]
     ],
     [
-      ' -groups P-521',
+      true,
+      '-groups P-521',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       supported_groups: [NamedGroup::SECP521R1]
     ],
     [
-      ' -sigalgs RSA-PSS+SHA256',
+      false,
+      '-groups P-256:P-384',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
+      supported_groups: [NamedGroup::SECP521R1]
+    ],
+    [
+      true,
+      '-sigalgs RSA-PSS+SHA256',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
       signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA256]
     ],
     [
-      ' -sigalgs RSA-PSS+SHA384',
+      true,
+      '-sigalgs RSA-PSS+SHA384',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
       signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA384]
     ],
     [
-      ' -sigalgs RSA-PSS+SHA512',
+      true,
+      '-sigalgs RSA-PSS+SHA512',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
       signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA512]
     ],
     [
-      ' -record_padding 8446',
+      true,
+      '-sigalgs ECDSA+SHA256',
+      'rsa_secp256r1.crt',
+      'rsa_secp256r1.key',
+      signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
+      signature_algorithms: [SignatureScheme::ECDSA_SECP256R1_SHA256]
+    ],
+    [
+      true,
+      '-sigalgs ECDSA+SHA384',
+      'rsa_secp384r1.crt',
+      'rsa_secp384r1.key',
+      signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
+      signature_algorithms: [SignatureScheme::ECDSA_SECP384R1_SHA384]
+    ],
+    [
+      true,
+      '-sigalgs ECDSA+SHA512',
+      'rsa_secp521r1.crt',
+      'rsa_secp521r1.key',
+      signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
+      signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512]
+    ],
+    [
+      false,
+      '-sigalgs ECDSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256',
+      'rsa_secp521r1.crt',
+      'rsa_secp521r1.key',
+      signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
+      signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512]
+    ],
+    [
+      true,
+      '-record_padding 8446',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
       {}
     ]
-  ].each do |opt, settings|
+    # rubocop: enable Metrics/LineLength
+  ].each do |normal, opt, crt, key, settings|
     context 'client interop' do
       before do
-        cmd = "docker run -v #{TMP_DIR}:/tmp -p 4433:4433 -it openssl " \
+        cmd = "docker run -v #{FIXTURES_DIR}:/tmp -p 4433:4433 -it openssl " \
               + 'openssl s_server ' \
-              + '-cert /tmp/server.crt ' \
-              + '-key /tmp/server.key ' \
+              + "-cert /tmp/#{crt} " \
+              + "-key /tmp/#{key} " \
               + '-tls1_3 ' \
               + '-www ' \
               + '-quiet ' \
@@ -65,13 +148,13 @@ RSpec.describe Client do
         pid = spawn(cmd)
         Process.detach(pid)
-        sleep(2) # waiting for openssl s_server
+        sleep(2.5) # waiting for openssl s_server
       end
       let(:client) do
         hostname = 'localhost'
         @socket = TCPSocket.new(hostname, 4433)
-        settings[:ca_file] = TMP_DIR + '/ca.crt'
+        settings[:ca_file] = FIXTURES_DIR + '/rsa_ca.crt'
         Client.new(@socket, hostname, settings)
       end
@@ -80,11 +163,17 @@ RSpec.describe Client do
         `docker ps -ql | xargs docker stop`
       end
-      it "should connect with openssl s_server ...#{opt}" do
-        expect { client.connect }.to_not raise_error
-        expect { client.write("GET / HTTP/1.0\r\n\r\n") }.to_not raise_error
-        expect(client.read).to include "HTTP/1.0 200 ok\r\n"
-        expect { client.close }.to_not raise_error
+      if normal
+        it "should connect with openssl s_server ...#{opt}" do
+          expect { client.connect }.to_not raise_error
+          expect { client.write("GET / HTTP/1.0\r\n\r\n") }.to_not raise_error
+          expect(client.read).to include "HTTP/1.0 200 ok\r\n"
+          expect { client.close }.to_not raise_error
+        end
+      else # exceptions scenarios
+        it "should NOT connect with openssl s_server ...#{opt}" do
+          expect { client.connect }.to raise_error ErrorAlerts
+        end
       end
     end
   end

data/interop/helper.rb CHANGED Viewed

@@ -9,4 +9,5 @@ include TTTLS13
 include TTTLS13::CipherSuite
 include TTTLS13::SignatureScheme
 include TTTLS13::Message::Extension
+include TTTLS13::Error
 # rubocop: enable Style/MixinUsage