tttls1.3 0.2.1 → 0.2.2
- checksums.yaml +4 -4
- data/README.md +1 -0
- data/Rakefile +3 -3
- data/example/https_client_using_hrr_and_ticket.rb +40 -0
- data/interop/client_spec.rb +15 -0
- data/interop/server_spec.rb +8 -0
- data/lib/tttls1.3/client.rb +265 -272
- data/lib/tttls1.3/connection.rb +85 -62
- data/lib/tttls1.3/message/certificate.rb +1 -1
- data/lib/tttls1.3/message/client_hello.rb +26 -1
- data/lib/tttls1.3/message/encrypted_extensions.rb +1 -1
- data/lib/tttls1.3/message/new_session_ticket.rb +1 -1
- data/lib/tttls1.3/message/server_hello.rb +21 -1
- data/lib/tttls1.3/server.rb +179 -157
- data/lib/tttls1.3/version.rb +1 -1
- data/spec/certificate_spec.rb +4 -4
- data/spec/client_hello_spec.rb +3 -0
- data/spec/client_spec.rb +96 -157
- data/spec/connection_spec.rb +32 -23
- data/spec/encrypted_extensions_spec.rb +4 -4
- data/spec/fixtures/rsa_ca.crt +16 -27
- data/spec/fixtures/rsa_ca.key +25 -49
- data/spec/fixtures/rsa_rsa.crt +16 -21
- data/spec/fixtures/rsa_rsa.key +25 -25
- data/spec/fixtures/rsa_rsassaPss.crt +20 -0
- data/spec/fixtures/rsa_rsassaPss.key +27 -0
- data/spec/fixtures/rsa_secp256r1.crt +12 -17
- data/spec/fixtures/rsa_secp256r1.key +3 -3
- data/spec/fixtures/rsa_secp384r1.crt +12 -17
- data/spec/fixtures/rsa_secp384r1.key +4 -4
- data/spec/fixtures/rsa_secp521r1.crt +13 -18
- data/spec/fixtures/rsa_secp521r1.key +5 -5
- data/spec/server_hello_spec.rb +60 -0
- data/spec/server_spec.rb +79 -60
- metadata +7 -2
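--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 356ce310f2323bede1cdfd21f6c18050d2ce9aca6da4c8ed67b439b597c92ba0
+data.tar.gz: d1bcb99ae830df4c8c40688d85e5c7efcda76e0c608ef0707b5201862a5baff8
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ae23baf431d2908aceae8e411deb2b8ebf33f8696e67602081c3f07b2d9dad523f8a21a251d5333243e2f44405e8efa0e6595e0af7a744c9fda05c026a824346
+data.tar.gz: '0978b73204cc49a3fac033904c98c17eb05f45a2793a5f326298414db09599d065ab599ce34e4cc73bbd928abed9cb988a35ef7248ec9af1ff8a121f6378da61'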
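--- a/data/README.md
+++ b/data/README.md
@@ -67,6 +67,7 @@ tttls1.3 provides client API with the following features:
 tttls1.3 provides server API with the following features:
 
 * Simple 1-RTT Handshake
+* HelloRetryRequest
 
 **NOT supports** certificate with OID RSASSA-PSS, X25519, X448, FFDHE, AES-CCM, Client Authentication, Post-Handshake Authentication, KeyUpdate, external PSKs.
 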
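--- a/data/Rakefile
+++ b/data/Rakefile
@@ -17,7 +17,7 @@ directory TMP_DIR
 
 file CA_KEY => TMP_DIR do
 puts "generate #{CA_KEY}..."
-ca_key = OpenSSL::PKey::RSA.generate(
+ca_key = OpenSSL::PKey::RSA.generate(2048)
 File.write(CA_KEY, ca_key.to_pem)
 end
 
@@ -32,7 +32,7 @@ file CA_CRT => [TMP_DIR, CA_KEY] do
 ca_crt.not_before = Time.now
 ca_crt.not_after = Time.now + (60 * 60 * 24 * 365 * 10)
 ca_crt.public_key = ca_key.public_key
-ca_crt.serial =
+ca_crt.serial = OpenSSL::BN.rand(64)
 ca_crt.version = 2
 ca_crt.issuer = issu
 ca_crt.subject = sub
@@ -83,7 +83,7 @@ file SERVER_CRT => [TMP_DIR, CA_CRT, SERVER_KEY] do
 server_crt.not_before = Time.now
 server_crt.not_after = Time.now + (60 * 60 * 24 * 365)
 server_crt.public_key = server_key.public_key
-server_crt.serial =
+server_crt.serial = OpenSSL::BN.rand(64)
 server_crt.version = 2
 server_crt.issuer = ca_crt.issuer
 server_crt.subject = sub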
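Review bot: The new `OpenSSL::PKey::RSA.generate(2048)` and the two `OpenSSL::BN.rand(64)` serial assignments (CA_CRT and SERVER_CRT tasks) are bare constants, and nothing says these are throwaway test credentials even though the CA certificate in the second hunk gets a ten-year lifetime. I would add a comment above the key generation such as `# test-only CA key; never reuse outside the specs and examples`. As far as I recall, Ruby's `OpenSSL::BN.rand(bits)` sets the top bit by default, so the serial carries 63 random bits rather than 64; that is harmless for fixtures but worth knowing if the recipe is copied elsewhere. The removed lines are truncated on this page, so the previous values are not visible, and all three task bodies extend beyond their hunks.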
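--- /dev/null
+++ b/data/example/https_client_using_hrr_and_ticket.rb
@@ -0,0 +1,40 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+require_relative 'helper'
+
+hostname, port = (ARGV[0] || 'localhost:4433').split(':')
+req = simple_http_request(hostname)
+
+settings_2nd = {
+ca_file: __dir__ + '/../tmp/ca.crt'
+}
+process_new_session_ticket = proc do |nst, rms, cs|
+return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
+
+settings_2nd[:key_share_groups] = [] # empty KeyShareClientHello.client_shares
+settings_2nd[:ticket] = nst.ticket
+settings_2nd[:resumption_master_secret] = rms
+settings_2nd[:psk_cipher_suite] = cs
+settings_2nd[:ticket_nonce] = nst.ticket_nonce
+settings_2nd[:ticket_age_add] = nst.ticket_age_add
+settings_2nd[:ticket_timestamp] = nst.timestamp
+end
+settings_1st = {
+ca_file: __dir__ + '/../tmp/ca.crt',
+process_new_session_ticket: process_new_session_ticket
+}
+
+[
+# Initial Handshake:
+settings_1st,
+# Subsequent Handshake:
+settings_2nd
+].each do |settings|
+socket = TCPSocket.new(hostname, port)
+client = TTTLS13::Client.new(socket, hostname, settings)
+client.connect
+client.write(req)
+print recv_http_response(client)
+client.close
+end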
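Review bot: `return` inside the non-lambda `proc` assigned to `process_new_session_ticket` (new line 13) does not just leave the block; it tries to return from the frame where the proc was defined, which here is the script's top level. An expired ticket may therefore raise LocalJumpError or unwind out of the handshake instead of simply skipping resumption, depending on the Ruby version. `next if Time.now.to_i - nst.timestamp > nst.ticket_lifetime` exits only the block. Separately, `client.close` at the end of the loop body is skipped when `connect` or `write` raises, so an `ensure` around the body would keep the socket from leaking.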
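--- a/data/interop/client_spec.rb
+++ b/data/interop/client_spec.rb
@@ -118,6 +118,14 @@ RSpec.describe Client do
 signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
 signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512]
 ],
+[
+true,
+'-sigalgs RSA-PSS+SHA256',
+'rsa_rsassaPss.crt',
+'rsa_rsassaPss.key',
+signature_algorithms_cert: [SignatureScheme::RSA_PSS_RSAE_SHA256],
+signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA256]
+],
 [
 false,
 '-sigalgs ECDSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256',
@@ -132,6 +140,13 @@ RSpec.describe Client do
 'rsa_rsa.crt',
 'rsa_rsa.key',
 {}
+],
+[
+true,
+'',
+'rsa_rsa.crt',
+'rsa_rsa.key',
+key_share_groups: []
 ]
 # rubocop: enable Metrics/LineLength
 ].each do |normal, opt, crt, key, settings|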
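Review bot: The added case in the first hunk pairs the fixture `rsa_rsassaPss.crt` with `SignatureScheme::RSA_PSS_RSAE_SHA256`, while the README hunk on this page still lists certificates with OID RSASSA-PSS as unsupported, so a reader cannot tell whether "rsassaPss" names the CA's signature algorithm or the leaf key's OID. A one-line comment above the entry would settle it, for example `# leaf key is rsaEncryption; only the CA signature is RSASSA-PSS`, if that is what the fixture holds (its contents are not visible here). The same entry is added in data/interop/server_spec.rb. In the second hunk, `key_share_groups: []` with an empty option string would likewise read better with `# empty key_share, expects HelloRetryRequest`, which I infer from the example file added in this release rather than from the spec. The table of cases starts above both hunks.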
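--- a/data/interop/server_spec.rb
+++ b/data/interop/server_spec.rb
@@ -119,6 +119,14 @@ RSpec.describe Server do
 signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
 signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512]
 ],
+[
+true,
+'-groups P-256:P-384:P-521 -sigalgs RSA-PSS+SHA256',
+FIXTURES_DIR + '/rsa_rsassaPss.crt',
+FIXTURES_DIR + '/rsa_rsassaPss.key',
+signature_algorithms_cert: [SignatureScheme::RSA_PSS_RSAE_SHA256],
+signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA256]
+],
 [
 false,
 '-groups P-256:P-384:P-521 -sigalgs ECDSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256',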