tttls1.3 0.1.4 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (47) hide show
  1. checksums.yaml +4 -4
  2. data/.rubocop.yml +3 -0
  3. data/README.md +35 -13
  4. data/Rakefile +2 -4
  5. data/example/helper.rb +30 -7
  6. data/example/https_client.rb +3 -20
  7. data/example/https_client_using_0rtt.rb +10 -24
  8. data/example/https_client_using_hrr.rb +3 -20
  9. data/example/https_client_using_ticket.rb +3 -20
  10. data/example/https_server.rb +43 -0
  11. data/interop/client_spec.rb +111 -22
  12. data/interop/helper.rb +1 -0
  13. data/interop/server_spec.rb +182 -0
  14. data/lib/tttls1.3/client.rb +115 -98
  15. data/lib/tttls1.3/connection.rb +119 -32
  16. data/lib/tttls1.3/message/certificate.rb +18 -0
  17. data/lib/tttls1.3/message/client_hello.rb +38 -0
  18. data/lib/tttls1.3/message/encrypted_extensions.rb +20 -16
  19. data/lib/tttls1.3/message/extension/key_share.rb +24 -2
  20. data/lib/tttls1.3/message/extension/supported_groups.rb +0 -87
  21. data/lib/tttls1.3/message/extensions.rb +1 -27
  22. data/lib/tttls1.3/message/new_session_ticket.rb +14 -0
  23. data/lib/tttls1.3/message/record.rb +23 -20
  24. data/lib/tttls1.3/message/server_hello.rb +27 -0
  25. data/lib/tttls1.3/message.rb +35 -2
  26. data/lib/tttls1.3/named_group.rb +89 -0
  27. data/lib/tttls1.3/server.rb +439 -0
  28. data/lib/tttls1.3/transcript.rb +6 -0
  29. data/lib/tttls1.3/version.rb +1 -1
  30. data/lib/tttls1.3.rb +3 -0
  31. data/spec/certificate_spec.rb +28 -1
  32. data/spec/client_spec.rb +14 -10
  33. data/spec/connection_spec.rb +43 -13
  34. data/spec/encrypted_extensions_spec.rb +4 -4
  35. data/spec/fixtures/rsa_ca.crt +29 -0
  36. data/spec/fixtures/rsa_ca.key +51 -0
  37. data/spec/fixtures/rsa_rsa.crt +23 -0
  38. data/spec/fixtures/rsa_rsa.key +27 -0
  39. data/spec/fixtures/rsa_secp256r1.crt +19 -0
  40. data/spec/fixtures/rsa_secp256r1.key +5 -0
  41. data/spec/fixtures/rsa_secp384r1.crt +19 -0
  42. data/spec/fixtures/rsa_secp384r1.key +6 -0
  43. data/spec/fixtures/rsa_secp521r1.crt +20 -0
  44. data/spec/fixtures/rsa_secp521r1.key +7 -0
  45. data/spec/server_spec.rb +186 -0
  46. data/spec/spec_helper.rb +43 -0
  47. metadata +28 -2
@@ -0,0 +1,182 @@
1
+ # encoding: ascii-8bit
2
+ # frozen_string_literal: true
3
+
4
+ require_relative 'helper'
5
+
6
+ FIXTURES_DIR = __dir__ + '/../spec/fixtures'
7
+ tcpserver = TCPServer.open(4433)
8
+
9
+ RSpec.describe Server do
10
+ # testcases
11
+ # normal [Boolean] Is this nominal scenarios?
12
+ # opt [String] openssl s_client options
13
+ # crt [String] server crt file path
14
+ # key [String] server key file path
15
+ # settings [Hash] TTTLS13::Client settins
16
+ [
17
+ # rubocop: disable Metrics/LineLength
18
+ [
19
+ true,
20
+ '-groups P-256:P-384:P-521 -ciphersuites TLS_AES_256_GCM_SHA384',
21
+ FIXTURES_DIR + '/rsa_rsa.crt',
22
+ FIXTURES_DIR + '/rsa_rsa.key',
23
+ cipher_suites: [CipherSuite::TLS_AES_256_GCM_SHA384]
24
+ ],
25
+ [
26
+ true,
27
+ '-groups P-256:P-384:P-521 -ciphersuites TLS_CHACHA20_POLY1305_SHA256',
28
+ FIXTURES_DIR + '/rsa_rsa.crt',
29
+ FIXTURES_DIR + '/rsa_rsa.key',
30
+ cipher_suites: [CipherSuite::TLS_CHACHA20_POLY1305_SHA256]
31
+ ],
32
+ [
33
+ true,
34
+ '-groups P-256:P-384:P-521 -ciphersuites TLS_AES_128_GCM_SHA256',
35
+ FIXTURES_DIR + '/rsa_rsa.crt',
36
+ FIXTURES_DIR + '/rsa_rsa.key',
37
+ cipher_suites: [CipherSuite::TLS_AES_128_GCM_SHA256]
38
+ ],
39
+ [
40
+ false,
41
+ '-groups P-256:P-384:P-521 -ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256',
42
+ FIXTURES_DIR + '/rsa_rsa.crt',
43
+ FIXTURES_DIR + '/rsa_rsa.key',
44
+ cipher_suites: [CipherSuite::TLS_AES_128_GCM_SHA256]
45
+ ],
46
+ [
47
+ true,
48
+ '-groups P-256',
49
+ FIXTURES_DIR + '/rsa_rsa.crt',
50
+ FIXTURES_DIR + '/rsa_rsa.key',
51
+ supported_groups: [NamedGroup::SECP256R1]
52
+ ],
53
+ [
54
+ true,
55
+ '-groups P-384',
56
+ FIXTURES_DIR + '/rsa_rsa.crt',
57
+ FIXTURES_DIR + '/rsa_rsa.key',
58
+ supported_groups: [NamedGroup::SECP384R1]
59
+ ],
60
+ [
61
+ true,
62
+ '-groups P-521',
63
+ FIXTURES_DIR + '/rsa_rsa.crt',
64
+ FIXTURES_DIR + '/rsa_rsa.key',
65
+ supported_groups: [NamedGroup::SECP521R1]
66
+ ],
67
+ [
68
+ false,
69
+ '-groups P-256:P-384',
70
+ FIXTURES_DIR + '/rsa_rsa.crt',
71
+ FIXTURES_DIR + '/rsa_rsa.key',
72
+ supported_groups: [NamedGroup::SECP521R1]
73
+ ],
74
+ [
75
+ true,
76
+ '-groups P-256:P-384:P-521 -sigalgs RSA-PSS+SHA256',
77
+ FIXTURES_DIR + '/rsa_rsa.crt',
78
+ FIXTURES_DIR + '/rsa_rsa.key',
79
+ signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
80
+ signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA256]
81
+ ],
82
+ [
83
+ true,
84
+ '-groups P-256:P-384:P-521 -sigalgs RSA-PSS+SHA384',
85
+ FIXTURES_DIR + '/rsa_rsa.crt',
86
+ FIXTURES_DIR + '/rsa_rsa.key',
87
+ signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
88
+ signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA384]
89
+ ],
90
+ [
91
+ true,
92
+ '-groups P-256:P-384:P-521 -sigalgs RSA-PSS+SHA512',
93
+ FIXTURES_DIR + '/rsa_rsa.crt',
94
+ FIXTURES_DIR + '/rsa_rsa.key',
95
+ signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
96
+ signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA512]
97
+ ],
98
+ [
99
+ true,
100
+ '-groups P-256:P-384:P-521 -sigalgs ECDSA+SHA256',
101
+ FIXTURES_DIR + '/rsa_secp256r1.crt',
102
+ FIXTURES_DIR + '/rsa_secp256r1.key',
103
+ signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
104
+ signature_algorithms: [SignatureScheme::ECDSA_SECP256R1_SHA256]
105
+ ],
106
+ [
107
+ true,
108
+ '-groups P-256:P-384:P-521 -sigalgs ECDSA+SHA384',
109
+ FIXTURES_DIR + '/rsa_secp384r1.crt',
110
+ FIXTURES_DIR + '/rsa_secp384r1.key',
111
+ signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
112
+ signature_algorithms: [SignatureScheme::ECDSA_SECP384R1_SHA384]
113
+ ],
114
+ [
115
+ true,
116
+ '-groups P-256:P-384:P-521 -sigalgs ECDSA+SHA512',
117
+ FIXTURES_DIR + '/rsa_secp521r1.crt',
118
+ FIXTURES_DIR + '/rsa_secp521r1.key',
119
+ signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
120
+ signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512]
121
+ ],
122
+ [
123
+ false,
124
+ '-groups P-256:P-384:P-521 -sigalgs ECDSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256',
125
+ FIXTURES_DIR + '/rsa_rsa.crt',
126
+ FIXTURES_DIR + '/rsa_rsa.key',
127
+ signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
128
+ signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512]
129
+ ],
130
+ [
131
+ true,
132
+ '-groups P-256:P-384:P-521 -record_padding 8446',
133
+ FIXTURES_DIR + '/rsa_rsa.crt',
134
+ FIXTURES_DIR + '/rsa_rsa.key',
135
+ {}
136
+ ]
137
+ # rubocop: enable Metrics/LineLength
138
+ ].each do |normal, opt, crt, key, settings|
139
+ context 'server interop' do
140
+ let(:server) do
141
+ @socket = tcpserver.accept
142
+ settings[:crt_file] = crt
143
+ settings[:key_file] = key
144
+ Server.new(@socket, settings)
145
+ end
146
+
147
+ let(:client) do
148
+ ip = Socket.ip_address_list.find(&:ipv4_private?).ip_address
149
+ cmd = 'echo -n ping | openssl s_client ' \
150
+ + '-connect local:4433 ' \
151
+ + '-tls1_3 ' \
152
+ + '-CAfile /tmp/rsa_ca.crt ' \
153
+ + '-servername localhost ' \
154
+ + '-quiet ' \
155
+ + opt
156
+ "docker run -v #{FIXTURES_DIR}:/tmp " \
157
+ + "--add-host=local:#{ip} -it openssl " \
158
+ + "sh -c \"#{cmd}\" 2>&1 >/dev/null"
159
+ end
160
+
161
+ after do
162
+ @socket.close
163
+ `docker ps -ql | xargs docker stop`
164
+ end
165
+
166
+ if normal
167
+ it "should accept request from openssl s_client ...#{opt}" do
168
+ spawn('sleep 2; ' + client)
169
+ expect { server.accept }.to_not raise_error
170
+ expect(server.read).to include 'ping'
171
+ expect { server.write('pong') }.to_not raise_error
172
+ expect { server.close }.to_not raise_error
173
+ end
174
+ else # exceptions scenarios
175
+ it "should NOT accept request from openssl s_client ...#{opt}" do
176
+ spawn('sleep 2; ' + client)
177
+ expect { server.accept }.to raise_error ErrorAlerts
178
+ end
179
+ end
180
+ end
181
+ end
182
+ end