tttls1.3 0.2.1 → 0.2.2

data/lib/tttls1.3/server.rb

@@ -3,6 +3,7 @@
 
 module TTTLS13
   using Refinements
+
   module ServerState
     # initial value is 0, eof value is -1
     START         = 1
@@ -124,35 +125,48 @@ module TTTLS13
     # rubocop: disable Metrics/MethodLength
     # rubocop: disable Metrics/PerceivedComplexity
     def accept
+      transcript = Transcript.new
+      key_schedule = nil # TTTLS13::KeySchedule
+      priv_key = nil # OpenSSL::PKey::$Object
+
+      hs_wcipher = nil # TTTLS13::Cryptograph::$Object
+      hs_rcipher = nil # TTTLS13::Cryptograph::$Object
+
       @state = ServerState::START
       loop do
         case @state
         when ServerState::START
           logger.debug('ServerState::START')
 
-          ch = @transcript[CH] = recv_client_hello
-          terminate(:illegal_parameter) unless ch.only_appearable_extensions?
+          receivable_ccs = transcript.include?(CH1)
+          ch = transcript[CH] = recv_client_hello(receivable_ccs)
+
+          # support only TLS 1.3
+          terminate(:protocol_version) unless ch.negotiated_tls_1_3?
+
+          # validate parameters
+          terminate(:illegal_parameter) unless ch.appearable_extensions?
+          terminamte(:illegal_parameter) \
+            unless ch.legacy_compression_methods == ["\x00"]
+          terminate(:illegal_parameter) unless ch.valid_key_share?
+          terminate(:unrecognized_name) unless recognized_server_name?(ch, @crt)
+
           @state = ServerState::RECVD_CH
         when ServerState::RECVD_CH
           logger.debug('ServerState::RECVD_CH')
 
-          # support only TLS 1.3
-          terminate(:protocol_version) unless negotiated_tls_1_3?
-
-          # validate/select parameters
-          terminamte(:illegal_parameter) unless valid_ch_compression_methods?
-          terminate(:illegal_parameter) unless valid_ch_key_share?
-          terminate(:unrecognized_name) unless recognized_server_name?
-          @cipher_suite = select_cipher_suite
-          @named_group = select_named_group
-          @signature_scheme = select_signature_scheme
+          # select parameters
+          ch = transcript[CH]
+          @cipher_suite = select_cipher_suite(ch)
+          @named_group = select_named_group(ch)
+          @signature_scheme = select_signature_scheme(ch, @crt)
           terminate(:handshake_failure) \
             if @cipher_suite.nil? || @signature_scheme.nil?
 
           # send HRR
           if @named_group.nil?
-            @transcript[CH1] = @transcript.delete(CH)
-            @transcript[HRR] = send_hello_retry_request
+            ch1 = transcript[CH1] = transcript.delete(CH)
+            transcript[HRR] = send_hello_retry_request(ch1, @cipher_suite)
             @state = ServerState::START
             next
           end
@@ -160,38 +174,58 @@ module TTTLS13
         when ServerState::NEGOTIATED
           logger.debug('ServerState::NEGOTIATED')
 
-          exs, @priv_key = gen_sh_extensions
-          @transcript[SH] = send_server_hello(exs)
+          ch = transcript[CH]
+          extensions, priv_key = gen_sh_extensions(@named_group)
+          transcript[SH] = send_server_hello(extensions, @cipher_suite,
+                                             ch.legacy_session_id)
           send_ccs # compatibility mode
 
           # generate shared secret
-          ke = @transcript[CH].extensions[Message::ExtensionType::KEY_SHARE]
-                             &.key_share_entry
-                             &.find { |e| e.group == @named_group }
-                             &.key_exchange
-          shared_secret = gen_shared_secret(ke, @priv_key, @named_group)
-          @key_schedule = KeySchedule.new(psk: @psk,
-                                          shared_secret: shared_secret,
-                                          cipher_suite: @cipher_suite,
-                                          transcript: @transcript)
-          @write_cipher = gen_cipher(@cipher_suite,
-                                     @key_schedule.server_handshake_write_key,
-                                     @key_schedule.server_handshake_write_iv)
-          @read_cipher = gen_cipher(@cipher_suite,
-                                    @key_schedule.client_handshake_write_key,
-                                    @key_schedule.client_handshake_write_iv)
+          ke = ch.extensions[Message::ExtensionType::KEY_SHARE]
+                &.key_share_entry
+                &.find { |e| e.group == @named_group }
+                &.key_exchange
+          shared_secret = gen_shared_secret(ke, priv_key, @named_group)
+          key_schedule = KeySchedule.new(
+            psk: @psk,
+            shared_secret: shared_secret,
+            cipher_suite: @cipher_suite,
+            transcript: transcript
+          )
+          @alert_wcipher = hs_wcipher = gen_cipher(
+            @cipher_suite,
+            key_schedule.server_handshake_write_key,
+            key_schedule.server_handshake_write_iv
+          )
+          hs_rcipher = gen_cipher(
+            @cipher_suite,
+            key_schedule.client_handshake_write_key,
+            key_schedule.client_handshake_write_iv
+          )
           @state = ServerState::WAIT_FLIGHT2
         when ServerState::WAIT_EOED
           logger.debug('ServerState::WAIT_EOED')
         when ServerState::WAIT_FLIGHT2
           logger.debug('ServerState::WAIT_FLIGHT2')
 
-          ee = @transcript[EE] = gen_encrypted_extensions
+          ch = transcript[CH]
+          ee = transcript[EE] = gen_encrypted_extensions(ch)
           # TODO: [Send CertificateRequest]
-          ct = @transcript[CT] = gen_certificate
-          cv = @transcript[CV] = gen_certificate_verify
-          sf = @transcript[SF] = gen_finished
-          send_server_parameters([ee, ct, cv, sf])
+          ct = transcript[CT] = gen_certificate(@crt)
+          digest = CipherSuite.digest(@cipher_suite)
+          cv = transcript[CV] = gen_certificate_verify(
+            @key,
+            @signature_scheme,
+            transcript.hash(digest, CT)
+          )
+          finished_key = key_schedule.server_finished_key
+          signature = sign_finished(
+            digest: digest,
+            finished_key: finished_key,
+            hash: transcript.hash(digest, CV)
+          )
+          sf = transcript[SF] = Message::Finished.new(signature)
+          send_server_parameters([ee, ct, cv, sf], hs_wcipher)
           @state = ServerState::WAIT_FINISHED
         when ServerState::WAIT_CERT
           logger.debug('ServerState::WAIT_CERT')
@@ -200,14 +234,25 @@ module TTTLS13
         when ServerState::WAIT_FINISHED
           logger.debug('ServerState::WAIT_FINISHED')
 
-          @transcript[CF] = recv_finished
-          terminate(:decrypt_error) unless verified_finished?
-          @write_cipher = gen_cipher(@cipher_suite,
-                                     @key_schedule.server_application_write_key,
-                                     @key_schedule.server_application_write_iv)
-          @read_cipher = gen_cipher(@cipher_suite,
-                                    @key_schedule.client_application_write_key,
-                                    @key_schedule.client_application_write_iv)
+          cf = transcript[CF] = recv_finished(hs_rcipher)
+          digest = CipherSuite.digest(@cipher_suite)
+          verified = verified_finished?(
+            finished: cf,
+            digest: digest,
+            finished_key: key_schedule.client_finished_key,
+            hash: transcript.hash(digest, EOED)
+          )
+          terminate(:decrypt_error) unless verified
+          @alert_wcipher = @ap_wcipher = gen_cipher(
+            @cipher_suite,
+            key_schedule.server_application_write_key,
+            key_schedule.server_application_write_iv
+          )
+          @ap_rcipher = gen_cipher(
+            @cipher_suite,
+            key_schedule.client_application_write_key,
+            key_schedule.client_application_write_iv
+          )
           @state = ServerState::CONNECTED
         when ServerState::CONNECTED
           logger.debug('ServerState::CONNECTED')
@@ -241,33 +286,41 @@ module TTTLS13
       true
     end
 
+    # @param receivable_ccs [Boolean]
+    #
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [TTTLS13::Message::ClientHello]
-    def recv_client_hello
-      ch = recv_message
+    def recv_client_hello(receivable_ccs)
+      ch = recv_message(receivable_ccs: receivable_ccs,
+                        cipher: Cryptograph::Passer.new)
       terminate(:unexpected_message) unless ch.is_a?(Message::ClientHello)
 
       ch
     end
 
-    # @param exs [TTTLS13::Message::Extensions]
+    # @param extensions [TTTLS13::Message::Extensions]
+    # @param cipher_suite [TTTLS13::CipherSuite]
+    # @param session_id [String]
     #
     # @return [TTTLS13::Message::ServerHello]
-    def send_server_hello(exs)
-      ch_session_id = @transcript[CH].legacy_session_id
+    def send_server_hello(extensions, cipher_suite, session_id)
       sh = Message::ServerHello.new(
-        legacy_session_id_echo: ch_session_id,
-        cipher_suite: @cipher_suite,
-        extensions: exs
+        legacy_session_id_echo: session_id,
+        cipher_suite: cipher_suite,
+        extensions: extensions
       )
-      send_handshakes(Message::ContentType::HANDSHAKE, [sh], @write_cipher)
+      send_handshakes(Message::ContentType::HANDSHAKE, [sh],
+                      Cryptograph::Passer.new)
 
       sh
     end
 
+    # @param ch1 [TTTLS13::Message::ClientHello]
+    # @param cipher_suite [TTTLS13::CipherSuite]
+    #
     # @return [TTTLS13::Message::ServerHello]
-    def send_hello_retry_request
+    def send_hello_retry_request(ch1, cipher_suite)
       exs = []
       # supported_versions
       exs << Message::Extension::SupportedVersions.new(
@@ -275,7 +328,6 @@ module TTTLS13
       )
 
       # key_share
-      ch1 = @transcript[CH1]
       sp_groups = ch1.extensions[Message::ExtensionType::SUPPORTED_GROUPS]
                     &.named_group_list || []
       ks_groups = ch1.extensions[Message::ExtensionType::KEY_SHARE]
@@ -290,64 +342,73 @@ module TTTLS13
       sh = Message::ServerHello.new(
         random: Message::HRR_RANDOM,
         legacy_session_id_echo: ch1.legacy_session_id,
-        cipher_suite: @cipher_suite,
+        cipher_suite: cipher_suite,
         extensions: Message::Extensions.new(exs)
       )
-      send_handshakes(Message::ContentType::HANDSHAKE, [sh], @write_cipher)
+      send_handshakes(Message::ContentType::HANDSHAKE, [sh],
+                      Cryptograph::Passer.new)
 
       sh
     end
 
     # @param messages [Array of TTTLS13::Message::$Object]
+    # @param cipher [TTTLS13::Cryptograph::Aead]
     #
     # @return [Array of TTTLS13::Message::$Object]
-    def send_server_parameters(messages)
+    def send_server_parameters(messages, cipher)
       send_handshakes(Message::ContentType::APPLICATION_DATA,
-                      messages.reject(&:nil?),
-                      @write_cipher)
+                      messages.reject(&:nil?), cipher)
 
       messages
     end
 
+    # @param ch [TTTLS13::Message::ClientHello]
+    #
     # @return [TTTLS13::Message::EncryptedExtensions]
-    def gen_encrypted_extensions
-      Message::EncryptedExtensions.new(gen_ee_extensions)
+    def gen_encrypted_extensions(ch)
+      Message::EncryptedExtensions.new(gen_ee_extensions(ch))
     end
 
+    # @param crt [OpenSSL::X509::Certificate]
+    #
     # @return [TTTLS13::Message::Certificate, nil]
-    def gen_certificate
-      return nil if @crt.nil?
-
-      ce = Message::CertificateEntry.new(@crt)
+    def gen_certificate(crt)
+      ce = Message::CertificateEntry.new(crt)
       Message::Certificate.new(certificate_list: [ce])
     end
 
+    # @param key [OpenSSL::PKey::PKey]
+    # @param signature_scheme [TTTLS13::SignatureScheme]
+    # @param hash [String]
+    #
     # @return [TTTLS13::Message::CertificateVerify, nil]
-    def gen_certificate_verify
-      return nil if @key.nil?
-
-      Message::CertificateVerify.new(signature_scheme: @signature_scheme,
-                                     signature: sign_certificate_verify)
-    end
-
-    # @return [TTTLS13::Message::Finished]
-    def gen_finished
-      Message::Finished.new(sign_finished)
+    def gen_certificate_verify(key, signature_scheme, hash)
+      signature = sign_certificate_verify(
+        key: key,
+        signature_scheme: signature_scheme,
+        hash: hash
+      )
+      Message::CertificateVerify.new(signature_scheme: signature_scheme,
+                                     signature: signature)
     end
 
+    # @param cipher [TTTLS13::Cryptograph::Aead]
+    #
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [TTTLS13::Message::Finished]
-    def recv_finished
-      cf = recv_message
+    def recv_finished(cipher)
+      cf = recv_message(receivable_ccs: true, cipher: cipher)
       terminate(:unexpected_message) unless cf.is_a?(Message::Finished)
 
       cf
     end
 
+    # @param named_group [TTTLS13::NamedGroup]
+    #
     # @return [TTTLS13::Message::Extensions]
     # @return [OpenSSL::PKey::EC.$Object]
-    def gen_sh_extensions
+    def gen_sh_extensions(named_group)
       exs = []
       # supported_versions: only TLS 1.3
       exs << Message::Extension::SupportedVersions.new(
@@ -356,20 +417,21 @@ module TTTLS13
 
       # key_share
       key_share, priv_key \
-                 = Message::Extension::KeyShare.gen_sh_key_share(@named_group)
+                 = Message::Extension::KeyShare.gen_sh_key_share(named_group)
       exs << key_share
 
       [Message::Extensions.new(exs), priv_key]
     end
 
+    # @param ch [TTTLS13::Message::ClientHello]
+    #
     # @return [TTTLS13::Message::Extensions]
-    def gen_ee_extensions
+    def gen_ee_extensions(ch)
       exs = []
 
       # server_name
       exs << Message::Extension::ServerName.new('') \
-        if @transcript[CH].extensions
-                          .include?(Message::ExtensionType::SERVER_NAME)
+        if ch.extensions.include?(Message::ExtensionType::SERVER_NAME)
 
       # supported_groups
       exs \
@@ -378,104 +440,64 @@ module TTTLS13
       Message::Extensions.new(exs)
     end
 
+    # @param key [OpenSSL::PKey::PKey]
+    # @param signature_scheme [TTTLS13::SignatureScheme]
+    # @param hash [String]
+    #
     # @return [String]
-    def sign_certificate_verify
-      context = 'TLS 1.3, server CertificateVerify'
-      do_sign_certificate_verify(private_key: @key,
-                                 signature_scheme: @signature_scheme,
-                                 context: context,
-                                 handshake_context_end: CT)
-    end
-
-    # @return [String]
-    def sign_finished
-      digest = CipherSuite.digest(@cipher_suite)
-      finished_key = @key_schedule.server_finished_key
-      do_sign_finished(digest: digest,
-                       finished_key: finished_key,
-                       handshake_context_end: CV)
-    end
-
-    # @return [Boolean]
-    def verified_finished?
-      digest = CipherSuite.digest(@cipher_suite)
-      finished_key = @key_schedule.client_finished_key
-      signature = @transcript[CF].verify_data
-      do_verified_finished?(digest: digest,
-                            finished_key: finished_key,
-                            handshake_context_end: EOED,
-                            signature: signature)
-    end
-
-    # @return [Boolean]
-    def negotiated_tls_1_3?
-      ch = @transcript[CH]
-      ch_lv = ch.legacy_version
-      ch_sv = ch.extensions[Message::ExtensionType::SUPPORTED_VERSIONS]
-               &.versions || []
-
-      ch_lv == Message::ProtocolVersion::TLS_1_2 &&
-        ch_sv.include?(Message::ProtocolVersion::TLS_1_3)
+    def sign_certificate_verify(key:, signature_scheme:, hash:)
+      do_sign_certificate_verify(
+        key: key,
+        signature_scheme: signature_scheme,
+        context: 'TLS 1.3, server CertificateVerify',
+        hash: hash
+      )
     end
 
+    # @param ch [TTTLS13::Message::ClientHello]
+    #
     # @return [TTTLS13::CipherSuite, nil]
-    def select_cipher_suite
-      @transcript[CH].cipher_suites.find do |cs|
+    def select_cipher_suite(ch)
+      ch.cipher_suites.find do |cs|
         @settings[:cipher_suites].include?(cs)
       end
     end
 
+    # @param ch [TTTLS13::Message::ClientHello]
+    #
     # @return [TTTLS13::NamedGroup, nil]
-    def select_named_group
-      ks_groups = @transcript[CH].extensions[Message::ExtensionType::KEY_SHARE]
-                                &.key_share_entry&.map(&:group) || []
+    def select_named_group(ch)
+      ks_groups = ch.extensions[Message::ExtensionType::KEY_SHARE]
+                   &.key_share_entry&.map(&:group) || []
 
       ks_groups.find do |g|
         @settings[:supported_groups].include?(g)
       end
     end
 
+    # @param ch [TTTLS13::Message::ClientHello]
+    # @param crt [OpenSSL::X509::Certificate]
+    #
     # @return [TTTLS13::SignatureScheme, nil]
-    def select_signature_scheme
-      algorithms \
-      = @transcript[CH].extensions[Message::ExtensionType::SIGNATURE_ALGORITHMS]
-                      &.supported_signature_algorithms || []
+    def select_signature_scheme(ch, crt)
+      algorithms = ch.extensions[Message::ExtensionType::SIGNATURE_ALGORITHMS]
+                    &.supported_signature_algorithms || []
 
-      do_select_signature_algorithms(algorithms, @crt).find do |ss|
+      do_select_signature_algorithms(algorithms, crt).find do |ss|
         @settings[:signature_algorithms].include?(ss)
       end
     end
 
+    # @param ch [TTTLS13::Message::ClientHello]
+    # @param crt [OpenSSL::X509::Certificate]
+    #
     # @return [Boolean]
-    def valid_ch_compression_methods?
-      @transcript[CH].legacy_compression_methods == ["\x00"]
-    end
-
-    # @return [Boolean]
-    def recognized_server_name?
-      server_name \
-      = @transcript[CH].extensions[Message::ExtensionType::SERVER_NAME]
-                      &.server_name
-
+    def recognized_server_name?(ch, crt)
+      server_name = ch.extensions[Message::ExtensionType::SERVER_NAME]
+                     &.server_name
       return true if server_name.nil?
 
-      matching_san?(@crt, server_name)
-    end
-
-    # @return [Boolean]
-    def valid_ch_key_share?
-      ks = @transcript[CH].extensions[Message::ExtensionType::KEY_SHARE]
-      ks_groups = ks&.key_share_entry&.map(&:group) || []
-      sg = @transcript[CH].extensions[Message::ExtensionType::SUPPORTED_GROUPS]
-      sp_groups = sg&.named_group_list || []
-
-      # Each KeyShareEntry value MUST correspond to a group offered in the
-      # "supported_groups" extension and MUST appear in the same order.
-      #
-      # Clients MUST NOT offer multiple KeyShareEntry values for the same group.
-      (ks_groups - sp_groups).empty? &&
-        sp_groups.filter { |g| ks_groups.include?(g) } == ks_groups &&
-        ks_groups.uniq == ks_groups
+      matching_san?(crt, server_name)
     end
   end
   # rubocop: enable Metrics/ClassLength

data/lib/tttls1.3/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module TTTLS13
-  VERSION = '0.2.1'
+  VERSION = '0.2.2'
 end

data/spec/certificate_spec.rb

@@ -27,10 +27,10 @@ RSpec.describe Certificate do
 
     it 'should be serialized' do
       expect(message.serialize).to eq HandshakeType::CERTIFICATE \
-                                      + 990.to_uint24 \
+                                      + 742.to_uint24 \
                                       + 0.to_uint8 \
-                                      + 986.to_uint24 \
-                                      + 981.to_uint24 \
+                                      + 738.to_uint24 \
+                                      + 733.to_uint24 \
                                       + certificate.to_der \
                                       + 0.to_uint16
     end
@@ -76,7 +76,7 @@ RSpec.describe Certificate do
 
     it 'should be generated' do
       expect(message.msg_type).to eq HandshakeType::CERTIFICATE
-      expect(message.only_appearable_extensions?).to be false
+      expect(message.appearable_extensions?).to be false
     end
   end
 end

data/spec/client_hello_spec.rb

@@ -36,6 +36,7 @@ RSpec.describe ClientHello do
                                            TLS_AES_128_GCM_SHA256]
       expect(message.legacy_compression_methods).to eq ["\x00"]
       expect(message.extensions).to be_empty
+      expect(message.negotiated_tls_1_3?).to be false
     end
 
     it 'should be serialized' do
@@ -59,6 +60,7 @@ RSpec.describe ClientHello do
     it 'should generate valid object' do
       expect(message.msg_type).to eq HandshakeType::CLIENT_HELLO
       expect(message.legacy_version).to eq ProtocolVersion::TLS_1_2
+      expect(message.negotiated_tls_1_3?).to be true
     end
 
     it 'should generate valid serializable object' do
@@ -74,6 +76,7 @@ RSpec.describe ClientHello do
     it 'should generate valid object' do
       expect(message.msg_type).to eq HandshakeType::CLIENT_HELLO
       expect(message.legacy_version).to eq ProtocolVersion::TLS_1_2
+      expect(message.negotiated_tls_1_3?).to be true
     end
 
     it 'should generate valid serializable object' do