tttls1.3 0.2.1 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (35) hide show
  1. checksums.yaml +4 -4
  2. data/README.md +1 -0
  3. data/Rakefile +3 -3
  4. data/example/https_client_using_hrr_and_ticket.rb +40 -0
  5. data/interop/client_spec.rb +15 -0
  6. data/interop/server_spec.rb +8 -0
  7. data/lib/tttls1.3/client.rb +265 -272
  8. data/lib/tttls1.3/connection.rb +85 -62
  9. data/lib/tttls1.3/message/certificate.rb +1 -1
  10. data/lib/tttls1.3/message/client_hello.rb +26 -1
  11. data/lib/tttls1.3/message/encrypted_extensions.rb +1 -1
  12. data/lib/tttls1.3/message/new_session_ticket.rb +1 -1
  13. data/lib/tttls1.3/message/server_hello.rb +21 -1
  14. data/lib/tttls1.3/server.rb +179 -157
  15. data/lib/tttls1.3/version.rb +1 -1
  16. data/spec/certificate_spec.rb +4 -4
  17. data/spec/client_hello_spec.rb +3 -0
  18. data/spec/client_spec.rb +96 -157
  19. data/spec/connection_spec.rb +32 -23
  20. data/spec/encrypted_extensions_spec.rb +4 -4
  21. data/spec/fixtures/rsa_ca.crt +16 -27
  22. data/spec/fixtures/rsa_ca.key +25 -49
  23. data/spec/fixtures/rsa_rsa.crt +16 -21
  24. data/spec/fixtures/rsa_rsa.key +25 -25
  25. data/spec/fixtures/rsa_rsassaPss.crt +20 -0
  26. data/spec/fixtures/rsa_rsassaPss.key +27 -0
  27. data/spec/fixtures/rsa_secp256r1.crt +12 -17
  28. data/spec/fixtures/rsa_secp256r1.key +3 -3
  29. data/spec/fixtures/rsa_secp384r1.crt +12 -17
  30. data/spec/fixtures/rsa_secp384r1.key +4 -4
  31. data/spec/fixtures/rsa_secp521r1.crt +13 -18
  32. data/spec/fixtures/rsa_secp521r1.key +5 -5
  33. data/spec/server_hello_spec.rb +60 -0
  34. data/spec/server_spec.rb +79 -60
  35. metadata +7 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 98d9d2196c5b71c0bef8d7abb8838afb1c6d6bc42cdf5b09f24402591cb259ce
4
- data.tar.gz: 7fa9dbb492a6a1b8b1b4040b212c8678aaa1fa384da421faa550bb64891908c1
3
+ metadata.gz: 356ce310f2323bede1cdfd21f6c18050d2ce9aca6da4c8ed67b439b597c92ba0
4
+ data.tar.gz: d1bcb99ae830df4c8c40688d85e5c7efcda76e0c608ef0707b5201862a5baff8
5
5
  SHA512:
6
- metadata.gz: ee9f193f6d30c8248cebe79a34c949dbbd39529eb5df949dfd02e6fb164c474334d6767b3d2c9ce99794fb04368744ccb24063e92ca078bdf45e64f05004ec70
7
- data.tar.gz: 974e0c1bfd02a73fa38ce1e46fb22032e68d43c8823692b1f0b79e6c3f417e4cf94206e9d865ef3aea7ece3c8d4268e235248c88f664264cf2e83a2df8963ecc
6
+ metadata.gz: ae23baf431d2908aceae8e411deb2b8ebf33f8696e67602081c3f07b2d9dad523f8a21a251d5333243e2f44405e8efa0e6595e0af7a744c9fda05c026a824346
7
+ data.tar.gz: '0978b73204cc49a3fac033904c98c17eb05f45a2793a5f326298414db09599d065ab599ce34e4cc73bbd928abed9cb988a35ef7248ec9af1ff8a121f6378da61'
data/README.md CHANGED
@@ -67,6 +67,7 @@ tttls1.3 provides client API with the following features:
67
67
  tttls1.3 provides server API with the following features:
68
68
 
69
69
  * Simple 1-RTT Handshake
70
+ * HelloRetryRequest
70
71
 
71
72
  **NOT supports** certificate with OID RSASSA-PSS, X25519, X448, FFDHE, AES-CCM, Client Authentication, Post-Handshake Authentication, KeyUpdate, external PSKs.
72
73
 
data/Rakefile CHANGED
@@ -17,7 +17,7 @@ directory TMP_DIR
17
17
 
18
18
  file CA_KEY => TMP_DIR do
19
19
  puts "generate #{CA_KEY}..."
20
- ca_key = OpenSSL::PKey::RSA.generate(4096)
20
+ ca_key = OpenSSL::PKey::RSA.generate(2048)
21
21
  File.write(CA_KEY, ca_key.to_pem)
22
22
  end
23
23
 
@@ -32,7 +32,7 @@ file CA_CRT => [TMP_DIR, CA_KEY] do
32
32
  ca_crt.not_before = Time.now
33
33
  ca_crt.not_after = Time.now + (60 * 60 * 24 * 365 * 10)
34
34
  ca_crt.public_key = ca_key.public_key
35
- ca_crt.serial = 1
35
+ ca_crt.serial = OpenSSL::BN.rand(64)
36
36
  ca_crt.version = 2
37
37
  ca_crt.issuer = issu
38
38
  ca_crt.subject = sub
@@ -83,7 +83,7 @@ file SERVER_CRT => [TMP_DIR, CA_CRT, SERVER_KEY] do
83
83
  server_crt.not_before = Time.now
84
84
  server_crt.not_after = Time.now + (60 * 60 * 24 * 365)
85
85
  server_crt.public_key = server_key.public_key
86
- server_crt.serial = 2
86
+ server_crt.serial = OpenSSL::BN.rand(64)
87
87
  server_crt.version = 2
88
88
  server_crt.issuer = ca_crt.issuer
89
89
  server_crt.subject = sub
data/example/https_client_using_hrr_and_ticket.rb ADDED
@@ -0,0 +1,40 @@
1
+ # encoding: ascii-8bit
2
+ # frozen_string_literal: true
3
+
4
+ require_relative 'helper'
5
+
6
+ hostname, port = (ARGV[0] || 'localhost:4433').split(':')
7
+ req = simple_http_request(hostname)
8
+
9
+ settings_2nd = {
10
+ ca_file: __dir__ + '/../tmp/ca.crt'
11
+ }
12
+ process_new_session_ticket = proc do |nst, rms, cs|
13
+ return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
14
+
15
+ settings_2nd[:key_share_groups] = [] # empty KeyShareClientHello.client_shares
16
+ settings_2nd[:ticket] = nst.ticket
17
+ settings_2nd[:resumption_master_secret] = rms
18
+ settings_2nd[:psk_cipher_suite] = cs
19
+ settings_2nd[:ticket_nonce] = nst.ticket_nonce
20
+ settings_2nd[:ticket_age_add] = nst.ticket_age_add
21
+ settings_2nd[:ticket_timestamp] = nst.timestamp
22
+ end
23
+ settings_1st = {
24
+ ca_file: __dir__ + '/../tmp/ca.crt',
25
+ process_new_session_ticket: process_new_session_ticket
26
+ }
27
+
28
+ [
29
+ # Initial Handshake:
30
+ settings_1st,
31
+ # Subsequent Handshake:
32
+ settings_2nd
33
+ ].each do |settings|
34
+ socket = TCPSocket.new(hostname, port)
35
+ client = TTTLS13::Client.new(socket, hostname, settings)
36
+ client.connect
37
+ client.write(req)
38
+ print recv_http_response(client)
39
+ client.close
40
+ end
data/interop/client_spec.rb CHANGED
@@ -118,6 +118,14 @@ RSpec.describe Client do
118
118
  signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
119
119
  signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512]
120
120
  ],
121
+ [
122
+ true,
123
+ '-sigalgs RSA-PSS+SHA256',
124
+ 'rsa_rsassaPss.crt',
125
+ 'rsa_rsassaPss.key',
126
+ signature_algorithms_cert: [SignatureScheme::RSA_PSS_RSAE_SHA256],
127
+ signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA256]
128
+ ],
121
129
  [
122
130
  false,
123
131
  '-sigalgs ECDSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256',
@@ -132,6 +140,13 @@ RSpec.describe Client do
132
140
  'rsa_rsa.crt',
133
141
  'rsa_rsa.key',
134
142
  {}
143
+ ],
144
+ [
145
+ true,
146
+ '',
147
+ 'rsa_rsa.crt',
148
+ 'rsa_rsa.key',
149
+ key_share_groups: []
135
150
  ]
136
151
  # rubocop: enable Metrics/LineLength
137
152
  ].each do |normal, opt, crt, key, settings|
data/interop/server_spec.rb CHANGED
@@ -119,6 +119,14 @@ RSpec.describe Server do
119
119
  signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
120
120
  signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512]
121
121
  ],
122
+ [
123
+ true,
124
+ '-groups P-256:P-384:P-521 -sigalgs RSA-PSS+SHA256',
125
+ FIXTURES_DIR + '/rsa_rsassaPss.crt',
126
+ FIXTURES_DIR + '/rsa_rsassaPss.key',
127
+ signature_algorithms_cert: [SignatureScheme::RSA_PSS_RSAE_SHA256],
128
+ signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA256]
129
+ ],
122
130
  [
123
131
  false,
124
132
  '-groups P-256:P-384:P-521 -sigalgs ECDSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256',