tttls1.3 0.1.4 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rubocop.yml +3 -0
- data/README.md +35 -13
- data/Rakefile +2 -4
- data/example/helper.rb +30 -7
- data/example/https_client.rb +3 -20
- data/example/https_client_using_0rtt.rb +10 -24
- data/example/https_client_using_hrr.rb +3 -20
- data/example/https_client_using_ticket.rb +3 -20
- data/example/https_server.rb +43 -0
- data/interop/client_spec.rb +111 -22
- data/interop/helper.rb +1 -0
- data/interop/server_spec.rb +182 -0
- data/lib/tttls1.3/client.rb +115 -98
- data/lib/tttls1.3/connection.rb +119 -32
- data/lib/tttls1.3/message/certificate.rb +18 -0
- data/lib/tttls1.3/message/client_hello.rb +38 -0
- data/lib/tttls1.3/message/encrypted_extensions.rb +20 -16
- data/lib/tttls1.3/message/extension/key_share.rb +24 -2
- data/lib/tttls1.3/message/extension/supported_groups.rb +0 -87
- data/lib/tttls1.3/message/extensions.rb +1 -27
- data/lib/tttls1.3/message/new_session_ticket.rb +14 -0
- data/lib/tttls1.3/message/record.rb +23 -20
- data/lib/tttls1.3/message/server_hello.rb +27 -0
- data/lib/tttls1.3/message.rb +35 -2
- data/lib/tttls1.3/named_group.rb +89 -0
- data/lib/tttls1.3/server.rb +439 -0
- data/lib/tttls1.3/transcript.rb +6 -0
- data/lib/tttls1.3/version.rb +1 -1
- data/lib/tttls1.3.rb +3 -0
- data/spec/certificate_spec.rb +28 -1
- data/spec/client_spec.rb +14 -10
- data/spec/connection_spec.rb +43 -13
- data/spec/encrypted_extensions_spec.rb +4 -4
- data/spec/fixtures/rsa_ca.crt +29 -0
- data/spec/fixtures/rsa_ca.key +51 -0
- data/spec/fixtures/rsa_rsa.crt +23 -0
- data/spec/fixtures/rsa_rsa.key +27 -0
- data/spec/fixtures/rsa_secp256r1.crt +19 -0
- data/spec/fixtures/rsa_secp256r1.key +5 -0
- data/spec/fixtures/rsa_secp384r1.crt +19 -0
- data/spec/fixtures/rsa_secp384r1.key +6 -0
- data/spec/fixtures/rsa_secp521r1.crt +20 -0
- data/spec/fixtures/rsa_secp521r1.key +7 -0
- data/spec/server_spec.rb +186 -0
- data/spec/spec_helper.rb +43 -0
- metadata +28 -2
|
@@ -0,0 +1,182 @@
|
|
|
1
|
+
# encoding: ascii-8bit
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
require_relative 'helper'
|
|
5
|
+
|
|
6
|
+
FIXTURES_DIR = __dir__ + '/../spec/fixtures'
|
|
7
|
+
tcpserver = TCPServer.open(4433)
|
|
8
|
+
|
|
9
|
+
RSpec.describe Server do
|
|
10
|
+
# testcases
|
|
11
|
+
# normal [Boolean] Is this nominal scenarios?
|
|
12
|
+
# opt [String] openssl s_client options
|
|
13
|
+
# crt [String] server crt file path
|
|
14
|
+
# key [String] server key file path
|
|
15
|
+
# settings [Hash] TTTLS13::Client settins
|
|
16
|
+
[
|
|
17
|
+
# rubocop: disable Metrics/LineLength
|
|
18
|
+
[
|
|
19
|
+
true,
|
|
20
|
+
'-groups P-256:P-384:P-521 -ciphersuites TLS_AES_256_GCM_SHA384',
|
|
21
|
+
FIXTURES_DIR + '/rsa_rsa.crt',
|
|
22
|
+
FIXTURES_DIR + '/rsa_rsa.key',
|
|
23
|
+
cipher_suites: [CipherSuite::TLS_AES_256_GCM_SHA384]
|
|
24
|
+
],
|
|
25
|
+
[
|
|
26
|
+
true,
|
|
27
|
+
'-groups P-256:P-384:P-521 -ciphersuites TLS_CHACHA20_POLY1305_SHA256',
|
|
28
|
+
FIXTURES_DIR + '/rsa_rsa.crt',
|
|
29
|
+
FIXTURES_DIR + '/rsa_rsa.key',
|
|
30
|
+
cipher_suites: [CipherSuite::TLS_CHACHA20_POLY1305_SHA256]
|
|
31
|
+
],
|
|
32
|
+
[
|
|
33
|
+
true,
|
|
34
|
+
'-groups P-256:P-384:P-521 -ciphersuites TLS_AES_128_GCM_SHA256',
|
|
35
|
+
FIXTURES_DIR + '/rsa_rsa.crt',
|
|
36
|
+
FIXTURES_DIR + '/rsa_rsa.key',
|
|
37
|
+
cipher_suites: [CipherSuite::TLS_AES_128_GCM_SHA256]
|
|
38
|
+
],
|
|
39
|
+
[
|
|
40
|
+
false,
|
|
41
|
+
'-groups P-256:P-384:P-521 -ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256',
|
|
42
|
+
FIXTURES_DIR + '/rsa_rsa.crt',
|
|
43
|
+
FIXTURES_DIR + '/rsa_rsa.key',
|
|
44
|
+
cipher_suites: [CipherSuite::TLS_AES_128_GCM_SHA256]
|
|
45
|
+
],
|
|
46
|
+
[
|
|
47
|
+
true,
|
|
48
|
+
'-groups P-256',
|
|
49
|
+
FIXTURES_DIR + '/rsa_rsa.crt',
|
|
50
|
+
FIXTURES_DIR + '/rsa_rsa.key',
|
|
51
|
+
supported_groups: [NamedGroup::SECP256R1]
|
|
52
|
+
],
|
|
53
|
+
[
|
|
54
|
+
true,
|
|
55
|
+
'-groups P-384',
|
|
56
|
+
FIXTURES_DIR + '/rsa_rsa.crt',
|
|
57
|
+
FIXTURES_DIR + '/rsa_rsa.key',
|
|
58
|
+
supported_groups: [NamedGroup::SECP384R1]
|
|
59
|
+
],
|
|
60
|
+
[
|
|
61
|
+
true,
|
|
62
|
+
'-groups P-521',
|
|
63
|
+
FIXTURES_DIR + '/rsa_rsa.crt',
|
|
64
|
+
FIXTURES_DIR + '/rsa_rsa.key',
|
|
65
|
+
supported_groups: [NamedGroup::SECP521R1]
|
|
66
|
+
],
|
|
67
|
+
[
|
|
68
|
+
false,
|
|
69
|
+
'-groups P-256:P-384',
|
|
70
|
+
FIXTURES_DIR + '/rsa_rsa.crt',
|
|
71
|
+
FIXTURES_DIR + '/rsa_rsa.key',
|
|
72
|
+
supported_groups: [NamedGroup::SECP521R1]
|
|
73
|
+
],
|
|
74
|
+
[
|
|
75
|
+
true,
|
|
76
|
+
'-groups P-256:P-384:P-521 -sigalgs RSA-PSS+SHA256',
|
|
77
|
+
FIXTURES_DIR + '/rsa_rsa.crt',
|
|
78
|
+
FIXTURES_DIR + '/rsa_rsa.key',
|
|
79
|
+
signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
|
|
80
|
+
signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA256]
|
|
81
|
+
],
|
|
82
|
+
[
|
|
83
|
+
true,
|
|
84
|
+
'-groups P-256:P-384:P-521 -sigalgs RSA-PSS+SHA384',
|
|
85
|
+
FIXTURES_DIR + '/rsa_rsa.crt',
|
|
86
|
+
FIXTURES_DIR + '/rsa_rsa.key',
|
|
87
|
+
signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
|
|
88
|
+
signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA384]
|
|
89
|
+
],
|
|
90
|
+
[
|
|
91
|
+
true,
|
|
92
|
+
'-groups P-256:P-384:P-521 -sigalgs RSA-PSS+SHA512',
|
|
93
|
+
FIXTURES_DIR + '/rsa_rsa.crt',
|
|
94
|
+
FIXTURES_DIR + '/rsa_rsa.key',
|
|
95
|
+
signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
|
|
96
|
+
signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA512]
|
|
97
|
+
],
|
|
98
|
+
[
|
|
99
|
+
true,
|
|
100
|
+
'-groups P-256:P-384:P-521 -sigalgs ECDSA+SHA256',
|
|
101
|
+
FIXTURES_DIR + '/rsa_secp256r1.crt',
|
|
102
|
+
FIXTURES_DIR + '/rsa_secp256r1.key',
|
|
103
|
+
signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
|
|
104
|
+
signature_algorithms: [SignatureScheme::ECDSA_SECP256R1_SHA256]
|
|
105
|
+
],
|
|
106
|
+
[
|
|
107
|
+
true,
|
|
108
|
+
'-groups P-256:P-384:P-521 -sigalgs ECDSA+SHA384',
|
|
109
|
+
FIXTURES_DIR + '/rsa_secp384r1.crt',
|
|
110
|
+
FIXTURES_DIR + '/rsa_secp384r1.key',
|
|
111
|
+
signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
|
|
112
|
+
signature_algorithms: [SignatureScheme::ECDSA_SECP384R1_SHA384]
|
|
113
|
+
],
|
|
114
|
+
[
|
|
115
|
+
true,
|
|
116
|
+
'-groups P-256:P-384:P-521 -sigalgs ECDSA+SHA512',
|
|
117
|
+
FIXTURES_DIR + '/rsa_secp521r1.crt',
|
|
118
|
+
FIXTURES_DIR + '/rsa_secp521r1.key',
|
|
119
|
+
signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
|
|
120
|
+
signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512]
|
|
121
|
+
],
|
|
122
|
+
[
|
|
123
|
+
false,
|
|
124
|
+
'-groups P-256:P-384:P-521 -sigalgs ECDSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256',
|
|
125
|
+
FIXTURES_DIR + '/rsa_rsa.crt',
|
|
126
|
+
FIXTURES_DIR + '/rsa_rsa.key',
|
|
127
|
+
signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
|
|
128
|
+
signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512]
|
|
129
|
+
],
|
|
130
|
+
[
|
|
131
|
+
true,
|
|
132
|
+
'-groups P-256:P-384:P-521 -record_padding 8446',
|
|
133
|
+
FIXTURES_DIR + '/rsa_rsa.crt',
|
|
134
|
+
FIXTURES_DIR + '/rsa_rsa.key',
|
|
135
|
+
{}
|
|
136
|
+
]
|
|
137
|
+
# rubocop: enable Metrics/LineLength
|
|
138
|
+
].each do |normal, opt, crt, key, settings|
|
|
139
|
+
context 'server interop' do
|
|
140
|
+
let(:server) do
|
|
141
|
+
@socket = tcpserver.accept
|
|
142
|
+
settings[:crt_file] = crt
|
|
143
|
+
settings[:key_file] = key
|
|
144
|
+
Server.new(@socket, settings)
|
|
145
|
+
end
|
|
146
|
+
|
|
147
|
+
let(:client) do
|
|
148
|
+
ip = Socket.ip_address_list.find(&:ipv4_private?).ip_address
|
|
149
|
+
cmd = 'echo -n ping | openssl s_client ' \
|
|
150
|
+
+ '-connect local:4433 ' \
|
|
151
|
+
+ '-tls1_3 ' \
|
|
152
|
+
+ '-CAfile /tmp/rsa_ca.crt ' \
|
|
153
|
+
+ '-servername localhost ' \
|
|
154
|
+
+ '-quiet ' \
|
|
155
|
+
+ opt
|
|
156
|
+
"docker run -v #{FIXTURES_DIR}:/tmp " \
|
|
157
|
+
+ "--add-host=local:#{ip} -it openssl " \
|
|
158
|
+
+ "sh -c \"#{cmd}\" 2>&1 >/dev/null"
|
|
159
|
+
end
|
|
160
|
+
|
|
161
|
+
after do
|
|
162
|
+
@socket.close
|
|
163
|
+
`docker ps -ql | xargs docker stop`
|
|
164
|
+
end
|
|
165
|
+
|
|
166
|
+
if normal
|
|
167
|
+
it "should accept request from openssl s_client ...#{opt}" do
|
|
168
|
+
spawn('sleep 2; ' + client)
|
|
169
|
+
expect { server.accept }.to_not raise_error
|
|
170
|
+
expect(server.read).to include 'ping'
|
|
171
|
+
expect { server.write('pong') }.to_not raise_error
|
|
172
|
+
expect { server.close }.to_not raise_error
|
|
173
|
+
end
|
|
174
|
+
else # exceptions scenarios
|
|
175
|
+
it "should NOT accept request from openssl s_client ...#{opt}" do
|
|
176
|
+
spawn('sleep 2; ' + client)
|
|
177
|
+
expect { server.accept }.to raise_error ErrorAlerts
|
|
178
|
+
end
|
|
179
|
+
end
|
|
180
|
+
end
|
|
181
|
+
end
|
|
182
|
+
end
|