tttls1.3 0.2.1 → 0.2.2

data/lib/tttls1.3/connection.rb

@@ -13,18 +13,16 @@ module TTTLS13
     def initialize(socket)
       @socket = socket
       @endpoint = nil # Symbol or String, :client or :server
-      @key_schedule = nil # TTTLS13::KeySchedule
-      @priv_keys = {} # Hash of NamedGroup => OpenSSL::PKey::$Object
-      @read_cipher = Cryptograph::Passer.new
-      @write_cipher = Cryptograph::Passer.new
-      @transcript = Transcript.new
+      @ap_wcipher = Cryptograph::Passer.new
+      @ap_rcipher = Cryptograph::Passer.new
+      @alert_wcipher = Cryptograph::Passer.new
       @message_queue = [] # Array of TTTLS13::Message::$Object
       @binary_buffer = '' # deposit Record.surplus_binary
       @cipher_suite = nil # TTTLS13::CipherSuite
-      @notyet_application_secret = true
+      @named_group = nil # TTTLS13::NamedGroup
+      @signature_scheme = nil # TTTLS13::SignatureScheme
       @state = 0 # ClientState or ServerState
       @send_record_size = Message::DEFAULT_RECORD_SIZE_LIMIT
-      @psk = nil # String
     end
 
     # @raise [TTTLS13::Error::ConfigError]
@@ -41,7 +39,7 @@ module TTTLS13
 
       message = nil
       loop do
-        message = recv_message
+        message = recv_message(receivable_ccs: false, cipher: @ap_rcipher)
         # At any time after the server has received the client Finished
         # message, it MAY send a NewSessionTicket message.
         break unless message.is_a?(Message::NewSessionTicket)
@@ -70,16 +68,33 @@ module TTTLS13
                (@endpoint == :server && @state == ServerState::CONNECTED)
 
       ap = Message::ApplicationData.new(binary)
-      send_application_data(ap, @write_cipher)
+      send_application_data(ap, @ap_wcipher)
     end
 
     def close
+      return if @state == EOF
+
       send_alert(:close_notify)
       @state = EOF
 
       nil
     end
 
+    # @return [TTTLS13::CipherSuite, nil]
+    def negotiated_cipher_suite
+      @cipher_suite
+    end
+
+    # @return [TTTLS13::NamedGroup, nil]
+    def negotiated_named_group
+      @named_group
+    end
+
+    # @return [TTTLS13::SignatureScheme, nil]
+    def negotiated_signature_scheme
+      @signature_scheme
+    end
+
     private
 
     # @param cipher_suite [TTTLS13::CipherSuite]
@@ -99,12 +114,12 @@ module TTTLS13
 
     # @param type [TTTLS13::Message::ContentType]
     # @param messages [Array of TTTLS13::Message::$Object] handshake messages
-    # @param write_cipher [TTTLS13::Cryptograph::Aead]
-    def send_handshakes(type, messages, write_cipher)
+    # @param cipher [TTTLS13::Cryptograph::Aead, Passer]
+    def send_handshakes(type, messages, cipher)
       record = Message::Record.new(
         type: type,
         messages: messages,
-        cipher: write_cipher
+        cipher: cipher
       )
       send_record(record)
     end
@@ -120,13 +135,13 @@ module TTTLS13
     end
 
     # @param message [TTTLS13::Message::ApplicationData]
-    # @param write_cipher [TTTLS13::Cryptograph::Aead]
-    def send_application_data(message, write_cipher)
+    # @param cipher [TTTLS13::Cryptograph::Aead]
+    def send_application_data(message, cipher)
       ap_record = Message::Record.new(
         type: Message::ContentType::APPLICATION_DATA,
         legacy_record_version: Message::ProtocolVersion::TLS_1_2,
         messages: [message],
-        cipher: write_cipher
+        cipher: cipher
       )
       send_record(ap_record)
     end
@@ -138,12 +153,12 @@ module TTTLS13
       )
       type = Message::ContentType::ALERT
       type = Message::ContentType::APPLICATION_DATA \
-        if @write_cipher.is_a?(Cryptograph::Aead)
+        if @alert_wcipher.is_a?(Cryptograph::Aead)
       alert_record = Message::Record.new(
         type: type,
         legacy_record_version: Message::ProtocolVersion::TLS_1_2,
         messages: [message],
-        cipher: @write_cipher
+        cipher: @alert_wcipher
       )
       send_record(alert_record)
     end
@@ -154,23 +169,26 @@ module TTTLS13
       @socket.write(record.serialize(@send_record_size))
     end
 
+    # @param receivable_ccs [Boolean]
+    # @param cipher [TTTLS13::Cryptograph::Aead, Passer]
+    #
     # @raise [TTTLS13::Error::ErrorAlerts
     #
     # @return [TTTLS13::Message::$Object]
     # rubocop: disable Metrics/CyclomaticComplexity
-    def recv_message
+    def recv_message(receivable_ccs:, cipher:)
       return @message_queue.shift unless @message_queue.empty?
 
       messages = nil
       loop do
-        record = recv_record
+        record = recv_record(cipher)
         case record.type
         when Message::ContentType::HANDSHAKE,
              Message::ContentType::APPLICATION_DATA
           messages = record.messages
           break unless messages.empty?
         when Message::ContentType::CCS
-          terminate(:unexpected_message) unless receivable_ccs?
+          terminate(:unexpected_message) unless receivable_ccs
           next
         when Message::ContentType::ALERT
           handle_received_alert(record.messages.first)
@@ -191,15 +209,17 @@ module TTTLS13
     end
     # rubocop: enable Metrics/CyclomaticComplexity
 
+    # @param wcipher [TTTLS13::Cryptograph::Aead, Passer]
+    #
     # @return [TTTLS13::Message::Record]
-    def recv_record
+    def recv_record(cipher)
       binary = @socket.read(5)
       record_len = Convert.bin2i(binary.slice(3, 2))
       binary += @socket.read(record_len)
 
       begin
         buffer = @binary_buffer
-        record = Message::Record.deserialize(binary, @read_cipher, buffer)
+        record = Message::Record.deserialize(binary, cipher, buffer)
         @binary_buffer = record.surplus_binary
       rescue Error::ErrorAlerts => e
         terminate(e.message.to_sym)
@@ -215,32 +235,37 @@ module TTTLS13
       record
     end
 
+    # @param ch1 [TTTLS13::Message::ClientHello]
+    # @param hrr [TTTLS13::Message::ServerHello]
+    # @param ch [TTTLS13::Message::ClientHello]
+    # @param binder_key [String]
     # @param digest [String] name of digest algorithm
-    # @param transcript [TTTLS13::Transcript]
     #
     # @return [String]
-    def do_sign_psk_binder(digest, transcript)
+    def do_sign_psk_binder(ch1:, hrr:, ch:, binder_key:, digest:)
       # TODO: ext binder
-      secret = @key_schedule.binder_key_res
       hash_len = OpenSSL::Digest.new(digest).digest_length
+      tt = Transcript.new
+      tt.merge!(
+        CH1 => ch1,
+        HRR => hrr,
+        CH => ch
+      )
       # transcript-hash (CH1 + HRR +) truncated-CH
-      hash = transcript.truncate_hash(digest, CH, hash_len + 3)
-      OpenSSL::HMAC.digest(digest, secret, hash)
+      hash = tt.truncate_hash(digest, CH, hash_len + 3)
+      OpenSSL::HMAC.digest(digest, binder_key, hash)
     end
 
-    # @param private_key [OpenSSL::PKey::PKey]
+    # @param key [OpenSSL::PKey::PKey]
     # @param signature_scheme [TTTLS13::SignatureScheme]
     # @param context [String]
-    # @param handshake_context_end [Integer]
+    # @param hash [String]
     #
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [String]
     # rubocop: disable Metrics/CyclomaticComplexity
-    def do_sign_certificate_verify(private_key:, signature_scheme:, context:,
-                                   handshake_context_end:)
-      digest = CipherSuite.digest(@cipher_suite)
-      hash = @transcript.hash(digest, handshake_context_end)
+    def do_sign_certificate_verify(key:, signature_scheme:, context:, hash:)
       content = "\x20" * 64 + context + "\x00" + hash
 
       # RSA signatures MUST use an RSASSA-PSS algorithm, regardless of whether
@@ -249,24 +274,24 @@ module TTTLS13
       when SignatureScheme::RSA_PKCS1_SHA256,
            SignatureScheme::RSA_PSS_RSAE_SHA256,
            SignatureScheme::RSA_PSS_PSS_SHA256
-        private_key.sign_pss('SHA256', content, salt_length: :digest,
-                                                mgf1_hash: 'SHA256')
+        key.sign_pss('SHA256', content, salt_length: :digest,
+                                        mgf1_hash: 'SHA256')
       when SignatureScheme::RSA_PKCS1_SHA384,
            SignatureScheme::RSA_PSS_RSAE_SHA384,
            SignatureScheme::RSA_PSS_PSS_SHA384
-        private_key.sign_pss('SHA384', content, salt_length: :digest,
-                                                mgf1_hash: 'SHA384')
+        key.sign_pss('SHA384', content, salt_length: :digest,
+                                        mgf1_hash: 'SHA384')
       when SignatureScheme::RSA_PKCS1_SHA512,
            SignatureScheme::RSA_PSS_RSAE_SHA512,
            SignatureScheme::RSA_PSS_PSS_SHA512
-        private_key.sign_pss('SHA512', content, salt_length: :digest,
-                                                mgf1_hash: 'SHA512')
+        key.sign_pss('SHA512', content, salt_length: :digest,
+                                        mgf1_hash: 'SHA512')
       when SignatureScheme::ECDSA_SECP256R1_SHA256
-        private_key.sign('SHA256', content)
+        key.sign('SHA256', content)
       when SignatureScheme::ECDSA_SECP384R1_SHA384
-        private_key.sign('SHA384', content)
+        key.sign('SHA384', content)
       when SignatureScheme::ECDSA_SECP521R1_SHA512
-        private_key.sign('SHA512', content)
+        key.sign('SHA512', content)
       else # TODO: ED25519, ED448
         terminate(:internal_error)
       end
@@ -277,17 +302,14 @@ module TTTLS13
     # @param signature_scheme [TTTLS13::SignatureScheme]
     # @param signature [String]
     # @param context [String]
-    # @param handshake_context_end [Integer]
+    # @param hash [String]
     #
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [Boolean]
     # rubocop: disable Metrics/CyclomaticComplexity
     def do_verified_certificate_verify?(public_key:, signature_scheme:,
-                                        signature:, context:,
-                                        handshake_context_end:)
-      digest = CipherSuite.digest(@cipher_suite)
-      hash = @transcript.hash(digest, handshake_context_end)
+                                        signature:, context:, hash:)
       content = "\x20" * 64 + context + "\x00" + hash
 
       # RSA signatures MUST use an RSASSA-PSS algorithm, regardless of whether
@@ -322,27 +344,22 @@ module TTTLS13
 
     # @param digest [String] name of digest algorithm
     # @param finished_key [String]
-    # @param handshake_context_end [Integer]
+    # @param hash [String]
     #
     # @return [String]
-    def do_sign_finished(digest:, finished_key:, handshake_context_end:)
-      hash = @transcript.hash(digest, handshake_context_end)
+    def sign_finished(digest:, finished_key:, hash:)
       OpenSSL::HMAC.digest(digest, finished_key, hash)
     end
 
+    # @param finished [TTTLS13::Message::Finished]
     # @param digest [String] name of digest algorithm
     # @param finished_key [String]
-    # @param handshake_context_end [Integer]
-    # @param signature [String]
+    # @param hash [String]
     #
     # @return [Boolean]
-    def do_verified_finished?(digest:, finished_key:, handshake_context_end:,
-                              signature:)
-      do_sign_finished(
-        digest: digest,
-        finished_key: finished_key,
-        handshake_context_end: handshake_context_end
-      ) == signature
+    def verified_finished?(finished:, digest:, finished_key:, hash:)
+      sign_finished(digest: digest, finished_key: finished_key, hash: hash) \
+      == finished.verify_data
     end
 
     # @param key_exchange [String]
@@ -362,8 +379,10 @@ module TTTLS13
       priv_key.dh_compute_key(pub_key)
     end
 
+    # @param transcript [TTTLS13::Transcript]
+    #
     # @return [Boolean]
-    def receivable_ccs?
+    def receivable_ccs?(transcript)
       # Received ccs before the first ClientHello message or after the peer's
       # Finished message, peer MUST abort.
       #
@@ -371,8 +390,8 @@ module TTTLS13
       # between the first and second ClientHello
       finished = (@endpoint == :client ? SF : CF)
 
-      (@transcript.include?(CH) || @transcript.include?(CH1)) &&
-        !@transcript.include?(finished)
+      (transcript.include?(CH) || transcript.include?(CH1)) &&
+        !transcript.include?(finished)
     end
 
     # @param symbol [Symbol] key of ALERT_DESCRIPTION
@@ -383,6 +402,9 @@ module TTTLS13
       raise Error::ErrorAlerts, symbol
     end
 
+    # @param alert [TTTLS13::Message::Alert]
+    #
+    # @raise [TTTLS13::Error::ErrorAlerts]
     def handle_received_alert(alert)
       unless alert.description == Message::ALERT_DESCRIPTION[:close_notify] ||
              alert.description == Message::ALERT_DESCRIPTION[:user_canceled]
@@ -390,6 +412,7 @@ module TTTLS13
       end
 
       @state = EOF
+      nil
     end
 
     # @param _nst [TTTLS13::Message::NewSessionTicket]

data/lib/tttls1.3/message/certificate.rb

@@ -66,7 +66,7 @@ module TTTLS13
       end
 
       # @return [Boolean]
-      def only_appearable_extensions?
+      def appearable_extensions?
         cl_exs = @certificate_list.map do |e|
           e.instance_variable_get(:@extensions).keys
         end

data/lib/tttls1.3/message/client_hello.rb

@@ -127,12 +127,37 @@ module TTTLS13
       # rubocop: enable Metrics/MethodLength
 
       # @return [Boolean]
-      def only_appearable_extensions?
+      def appearable_extensions?
         exs = @extensions.keys - APPEARABLE_CH_EXTENSIONS
         return true if exs.empty?
 
         !(exs - DEFINED_EXTENSIONS).empty?
       end
+
+      # @return [Boolean]
+      def negotiated_tls_1_3?
+        sv = @extensions[ExtensionType::SUPPORTED_VERSIONS]
+
+        @legacy_version == ProtocolVersion::TLS_1_2 &&
+          (sv&.versions || []).include?(ProtocolVersion::TLS_1_3)
+      end
+
+      # @return [Boolean]
+      def valid_key_share?
+        ks = @extensions[Message::ExtensionType::KEY_SHARE]
+        ks_groups = ks&.key_share_entry&.map(&:group) || []
+        sg = @extensions[Message::ExtensionType::SUPPORTED_GROUPS]
+        sg_groups = sg&.named_group_list || []
+
+        # Each KeyShareEntry value MUST correspond to a group offered in the
+        # "supported_groups" extension and MUST appear in the same order.
+        #
+        # Clients MUST NOT offer multiple KeyShareEntry values for the same
+        # group.
+        (ks_groups - sg_groups).empty? &&
+          sg_groups.filter { |g| ks_groups.include?(g) } == ks_groups &&
+          ks_groups.uniq == ks_groups
+      end
     end
   end
 end

data/lib/tttls1.3/message/encrypted_extensions.rb

@@ -58,7 +58,7 @@ module TTTLS13
       end
 
       # @return [Boolean]
-      def only_appearable_extensions?
+      def appearable_extensions?
         exs = @extensions.keys - APPEARABLE_EE_EXTENSIONS
         return true if exs.empty?
 

data/lib/tttls1.3/message/new_session_ticket.rb

@@ -92,7 +92,7 @@ module TTTLS13
       # rubocop: enable Metrics/AbcSize
 
       # @return [Boolean]
-      def only_appearable_extensions?
+      def appearable_extensions?
         exs = @extensions.keys - APPEARABLE_NST_EXTENSIONS
         return true if exs.empty?
 

data/lib/tttls1.3/message/server_hello.rb

@@ -21,6 +21,12 @@ module TTTLS13
     ].freeze
     private_constant :APPEARABLE_HRR_EXTENSIONS
 
+    DOWNGRADE_PROTECTION_TLS_1_2 = "\x44\x4F\x57\x4E\x47\x52\x44\x01"
+    private_constant :DOWNGRADE_PROTECTION_TLS_1_2
+
+    DOWNGRADE_PROTECTION_TLS_1_1 = "\x44\x4F\x57\x4E\x47\x52\x44\x00"
+    private_constant :DOWNGRADE_PROTECTION_TLS_1_1
+
     # special value of the SHA-256 of "HelloRetryRequest"
     HRR_RANDOM \
     = "\xcf\x21\xad\x74\xe5\x9a\x61\x11\xbe\x1d\x8c\x02\x1e\x65\xb8\x91" \
@@ -130,13 +136,27 @@ module TTTLS13
       end
 
       # @return [Boolean]
-      def only_appearable_extensions?
+      def appearable_extensions?
         exs = @extensions.keys - APPEARABLE_SH_EXTENSIONS
         exs = @extensions.keys - APPEARABLE_HRR_EXTENSIONS if hrr?
         return true if exs.empty?
 
         !(exs - DEFINED_EXTENSIONS).empty?
       end
+
+      # @return [Booelan]
+      def negotiated_tls_1_3?
+        sv = @extensions[Message::ExtensionType::SUPPORTED_VERSIONS]
+
+        @legacy_version == Message::ProtocolVersion::TLS_1_2 &&
+          (sv&.versions || []).first == Message::ProtocolVersion::TLS_1_3
+      end
+
+      # @return [Boolean]
+      def downgraded?
+        [DOWNGRADE_PROTECTION_TLS_1_2,
+         DOWNGRADE_PROTECTION_TLS_1_1].include?(@random[-8..])
+      end
     end
   end
 end