tttls1.3 0.2.12 → 0.2.16
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/ci.yml +32 -0
- data/.rubocop.yml +2 -2
- data/Gemfile +3 -4
- data/README.md +4 -1
- data/example/helper.rb +3 -3
- data/example/https_client.rb +1 -1
- data/example/https_client_using_0rtt.rb +2 -2
- data/example/https_client_using_hrr.rb +1 -1
- data/example/https_client_using_hrr_and_ticket.rb +2 -2
- data/example/https_client_using_status_request.rb +2 -2
- data/example/https_client_using_ticket.rb +2 -2
- data/example/https_server.rb +2 -2
- data/interop/client_spec.rb +6 -6
- data/interop/server_spec.rb +6 -6
- data/lib/tttls1.3/client.rb +106 -65
- data/lib/tttls1.3/connection.rb +43 -30
- data/lib/tttls1.3/cryptograph/aead.rb +20 -7
- data/lib/tttls1.3/cryptograph.rb +1 -1
- data/lib/tttls1.3/message/alert.rb +2 -2
- data/lib/tttls1.3/message/client_hello.rb +1 -0
- data/lib/tttls1.3/message/compressed_certificate.rb +82 -0
- data/lib/tttls1.3/message/extension/alpn.rb +5 -2
- data/lib/tttls1.3/message/extension/compress_certificate.rb +58 -0
- data/lib/tttls1.3/message/extension/signature_algorithms.rb +15 -5
- data/lib/tttls1.3/message/extension/signature_algorithms_cert.rb +5 -4
- data/lib/tttls1.3/message/extension/supported_groups.rb +2 -2
- data/lib/tttls1.3/message/extensions.rb +31 -18
- data/lib/tttls1.3/message/record.rb +28 -16
- data/lib/tttls1.3/message.rb +23 -21
- data/lib/tttls1.3/server.rb +88 -37
- data/lib/tttls1.3/transcript.rb +3 -7
- data/lib/tttls1.3/version.rb +1 -1
- data/spec/client_spec.rb +28 -19
- data/spec/compress_certificate_spec.rb +54 -0
- data/spec/connection_spec.rb +22 -15
- data/spec/extensions_spec.rb +16 -0
- data/spec/fixtures/rsa_rsa.crt +15 -15
- data/spec/fixtures/rsa_rsa.key +25 -25
- data/spec/key_schedule_spec.rb +48 -25
- data/spec/record_spec.rb +2 -2
- data/spec/server_hello_spec.rb +1 -1
- data/spec/server_spec.rb +23 -11
- data/spec/signature_algorithms_cert_spec.rb +4 -0
- data/spec/signature_algorithms_spec.rb +4 -0
- data/spec/spec_helper.rb +4 -0
- data/spec/transcript_spec.rb +34 -20
- data/tttls1.3.gemspec +0 -1
- metadata +11 -7
- data/.github/workflows/main.yml +0 -25
data/lib/tttls1.3/client.rb
CHANGED
|
@@ -43,6 +43,11 @@ module TTTLS13
|
|
|
43
43
|
].freeze
|
|
44
44
|
private_constant :DEFAULT_CH_NAMED_GROUP_LIST
|
|
45
45
|
|
|
46
|
+
DEFALUT_CH_COMPRESS_CERTIFICATE_ALGORITHMS = [
|
|
47
|
+
Message::Extension::CertificateCompressionAlgorithm::ZLIB
|
|
48
|
+
].freeze
|
|
49
|
+
private_constant :DEFALUT_CH_COMPRESS_CERTIFICATE_ALGORITHMS
|
|
50
|
+
|
|
46
51
|
DEFAULT_CLIENT_SETTINGS = {
|
|
47
52
|
ca_file: nil,
|
|
48
53
|
cipher_suites: DEFAULT_CH_CIPHER_SUITES,
|
|
@@ -61,6 +66,7 @@ module TTTLS13
|
|
|
61
66
|
record_size_limit: nil,
|
|
62
67
|
check_certificate_status: false,
|
|
63
68
|
process_certificate_status: nil,
|
|
69
|
+
compress_certificate_algorithms: DEFALUT_CH_COMPRESS_CERTIFICATE_ALGORITHMS,
|
|
64
70
|
compatibility_mode: true,
|
|
65
71
|
loglevel: Logger::WARN
|
|
66
72
|
}.freeze
|
|
@@ -154,8 +160,8 @@ module TTTLS13
|
|
|
154
160
|
|
|
155
161
|
extensions, priv_keys = gen_ch_extensions
|
|
156
162
|
binder_key = (use_psk? ? key_schedule.binder_key_res : nil)
|
|
157
|
-
|
|
158
|
-
|
|
163
|
+
ch = send_client_hello(extensions, binder_key)
|
|
164
|
+
transcript[CH] = [ch, ch.serialize]
|
|
159
165
|
send_ccs if @settings[:compatibility_mode]
|
|
160
166
|
if use_early_data?
|
|
161
167
|
e_wcipher = gen_cipher(
|
|
@@ -170,7 +176,7 @@ module TTTLS13
|
|
|
170
176
|
when ClientState::WAIT_SH
|
|
171
177
|
logger.debug('ClientState::WAIT_SH')
|
|
172
178
|
|
|
173
|
-
sh = transcript[SH] = recv_server_hello
|
|
179
|
+
sh, = transcript[SH] = recv_server_hello
|
|
174
180
|
|
|
175
181
|
# downgrade protection
|
|
176
182
|
if !sh.negotiated_tls_1_3? && sh.downgraded?
|
|
@@ -187,7 +193,7 @@ module TTTLS13
|
|
|
187
193
|
unless sh.legacy_compression_method == "\x00"
|
|
188
194
|
|
|
189
195
|
# validate sh using ch
|
|
190
|
-
ch = transcript[CH]
|
|
196
|
+
ch, = transcript[CH]
|
|
191
197
|
terminate(:illegal_parameter) \
|
|
192
198
|
unless sh.legacy_version == ch.legacy_version
|
|
193
199
|
terminate(:illegal_parameter) \
|
|
@@ -199,7 +205,7 @@ module TTTLS13
|
|
|
199
205
|
|
|
200
206
|
# validate sh using hrr
|
|
201
207
|
if transcript.include?(HRR)
|
|
202
|
-
hrr = transcript[HRR]
|
|
208
|
+
hrr, = transcript[HRR]
|
|
203
209
|
terminate(:illegal_parameter) \
|
|
204
210
|
unless sh.cipher_suite == hrr.cipher_suite
|
|
205
211
|
|
|
@@ -212,8 +218,9 @@ module TTTLS13
|
|
|
212
218
|
# handling HRR
|
|
213
219
|
if sh.hrr?
|
|
214
220
|
terminate(:unexpected_message) if transcript.include?(HRR)
|
|
215
|
-
|
|
216
|
-
|
|
221
|
+
|
|
222
|
+
ch1, = transcript[CH1] = transcript.delete(CH)
|
|
223
|
+
hrr, = transcript[HRR] = transcript.delete(SH)
|
|
217
224
|
|
|
218
225
|
# validate cookie
|
|
219
226
|
diff_sets = sh.extensions.keys - ch1.extensions.keys
|
|
@@ -235,8 +242,9 @@ module TTTLS13
|
|
|
235
242
|
extensions, pk = gen_newch_extensions(ch1, hrr)
|
|
236
243
|
priv_keys = pk.merge(priv_keys)
|
|
237
244
|
binder_key = (use_psk? ? key_schedule.binder_key_res : nil)
|
|
238
|
-
|
|
239
|
-
|
|
245
|
+
ch = send_new_client_hello(ch1, hrr, extensions, binder_key)
|
|
246
|
+
transcript[CH] = [ch, ch.serialize]
|
|
247
|
+
|
|
240
248
|
@state = ClientState::WAIT_SH
|
|
241
249
|
next
|
|
242
250
|
end
|
|
@@ -277,37 +285,46 @@ module TTTLS13
|
|
|
277
285
|
when ClientState::WAIT_EE
|
|
278
286
|
logger.debug('ClientState::WAIT_EE')
|
|
279
287
|
|
|
280
|
-
ee = transcript[EE] = recv_encrypted_extensions(hs_rcipher)
|
|
288
|
+
ee, = transcript[EE] = recv_encrypted_extensions(hs_rcipher)
|
|
281
289
|
terminate(:illegal_parameter) unless ee.appearable_extensions?
|
|
282
290
|
|
|
283
|
-
ch = transcript[CH]
|
|
291
|
+
ch, = transcript[CH]
|
|
284
292
|
terminate(:unsupported_extension) \
|
|
285
293
|
unless (ee.extensions.keys - ch.extensions.keys).empty?
|
|
286
294
|
|
|
287
295
|
rsl = ee.extensions[Message::ExtensionType::RECORD_SIZE_LIMIT]
|
|
288
296
|
@recv_record_size = rsl.record_size_limit unless rsl.nil?
|
|
289
|
-
|
|
290
297
|
@succeed_early_data = true \
|
|
291
298
|
if ee.extensions.include?(Message::ExtensionType::EARLY_DATA)
|
|
292
|
-
|
|
293
299
|
@alpn = ee.extensions[
|
|
294
300
|
Message::ExtensionType::APPLICATION_LAYER_PROTOCOL_NEGOTIATION
|
|
295
301
|
]&.protocol_name_list&.first
|
|
296
|
-
|
|
297
302
|
@state = ClientState::WAIT_CERT_CR
|
|
298
303
|
@state = ClientState::WAIT_FINISHED unless psk.nil?
|
|
299
304
|
when ClientState::WAIT_CERT_CR
|
|
300
305
|
logger.debug('ClientState::WAIT_CERT_CR')
|
|
301
306
|
|
|
302
|
-
message = recv_message(
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
|
|
307
|
+
message, orig_msg = recv_message(
|
|
308
|
+
receivable_ccs: true,
|
|
309
|
+
cipher: hs_rcipher
|
|
310
|
+
)
|
|
311
|
+
case message.msg_type
|
|
312
|
+
when Message::HandshakeType::CERTIFICATE,
|
|
313
|
+
Message::HandshakeType::COMPRESSED_CERTIFICATE
|
|
314
|
+
ct, = transcript[CT] = [message, orig_msg]
|
|
315
|
+
terminate(:bad_certificate) \
|
|
316
|
+
if ct.is_a?(Message::CompressedCertificate) &&
|
|
317
|
+
!@settings[:compress_certificate_algorithms]
|
|
318
|
+
.include?(ct.algorithm)
|
|
319
|
+
|
|
320
|
+
ct = ct.certificate_message \
|
|
321
|
+
if ct.is_a?(Message::CompressedCertificate)
|
|
322
|
+
alert = check_invalid_certificate(ct, transcript[CH].first)
|
|
306
323
|
terminate(alert) unless alert.nil?
|
|
307
324
|
|
|
308
325
|
@state = ClientState::WAIT_CV
|
|
309
|
-
|
|
310
|
-
transcript[CR] = message
|
|
326
|
+
when Message::HandshakeType::CERTIFICATE_REQUEST
|
|
327
|
+
transcript[CR] = [message, orig_msg]
|
|
311
328
|
# TODO: client authentication
|
|
312
329
|
@state = ClientState::WAIT_CERT
|
|
313
330
|
else
|
|
@@ -316,46 +333,56 @@ module TTTLS13
|
|
|
316
333
|
when ClientState::WAIT_CERT
|
|
317
334
|
logger.debug('ClientState::WAIT_CERT')
|
|
318
335
|
|
|
319
|
-
ct = transcript[CT] = recv_certificate(hs_rcipher)
|
|
320
|
-
|
|
336
|
+
ct, = transcript[CT] = recv_certificate(hs_rcipher)
|
|
337
|
+
if ct.is_a?(Message::CompressedCertificate) &&
|
|
338
|
+
!@settings[:compress_certificate_algorithms].include?(ct.algorithm)
|
|
339
|
+
terminate(:bad_certificate)
|
|
340
|
+
elsif ct.is_a?(Message::CompressedCertificate)
|
|
341
|
+
ct = ct.certificate_message
|
|
342
|
+
end
|
|
343
|
+
|
|
344
|
+
alert = check_invalid_certificate(ct, transcript[CH].first)
|
|
321
345
|
terminate(alert) unless alert.nil?
|
|
322
346
|
|
|
323
347
|
@state = ClientState::WAIT_CV
|
|
324
348
|
when ClientState::WAIT_CV
|
|
325
349
|
logger.debug('ClientState::WAIT_CV')
|
|
326
350
|
|
|
327
|
-
cv = transcript[CV] = recv_certificate_verify(hs_rcipher)
|
|
351
|
+
cv, = transcript[CV] = recv_certificate_verify(hs_rcipher)
|
|
328
352
|
digest = CipherSuite.digest(@cipher_suite)
|
|
329
353
|
hash = transcript.hash(digest, CT)
|
|
354
|
+
ct, = transcript[CT]
|
|
355
|
+
ct = ct.certificate_message \
|
|
356
|
+
if ct.is_a?(Message::CompressedCertificate)
|
|
330
357
|
terminate(:decrypt_error) \
|
|
331
|
-
unless verified_certificate_verify?(
|
|
358
|
+
unless verified_certificate_verify?(ct, cv, hash)
|
|
332
359
|
|
|
333
360
|
@signature_scheme = cv.signature_scheme
|
|
334
|
-
|
|
335
361
|
@state = ClientState::WAIT_FINISHED
|
|
336
362
|
when ClientState::WAIT_FINISHED
|
|
337
363
|
logger.debug('ClientState::WAIT_FINISHED')
|
|
338
364
|
|
|
339
|
-
sf = transcript[SF] = recv_finished(hs_rcipher)
|
|
365
|
+
sf, = transcript[SF] = recv_finished(hs_rcipher)
|
|
340
366
|
digest = CipherSuite.digest(@cipher_suite)
|
|
341
|
-
|
|
367
|
+
terminate(:decrypt_error) unless verified_finished?(
|
|
342
368
|
finished: sf,
|
|
343
369
|
digest: digest,
|
|
344
370
|
finished_key: key_schedule.server_finished_key,
|
|
345
371
|
hash: transcript.hash(digest, CV)
|
|
346
372
|
)
|
|
347
|
-
terminate(:decrypt_error) unless verified
|
|
348
|
-
|
|
349
|
-
transcript[EOED] = send_eoed(e_wcipher) \
|
|
350
|
-
if use_early_data? && succeed_early_data?
|
|
351
373
|
|
|
374
|
+
if use_early_data? && succeed_early_data?
|
|
375
|
+
eoed = send_eoed(e_wcipher)
|
|
376
|
+
transcript[EOED] = [eoed, eoed.serialize]
|
|
377
|
+
end
|
|
352
378
|
# TODO: Send Certificate [+ CertificateVerify]
|
|
353
379
|
signature = sign_finished(
|
|
354
380
|
digest: digest,
|
|
355
381
|
finished_key: key_schedule.client_finished_key,
|
|
356
382
|
hash: transcript.hash(digest, EOED)
|
|
357
383
|
)
|
|
358
|
-
|
|
384
|
+
cf = send_finished(signature, hs_wcipher)
|
|
385
|
+
transcript[CF] = [cf, cf.serialize]
|
|
359
386
|
@alert_wcipher = @ap_wcipher = gen_cipher(
|
|
360
387
|
@cipher_suite,
|
|
361
388
|
key_schedule.client_application_write_key,
|
|
@@ -403,23 +430,16 @@ module TTTLS13
|
|
|
403
430
|
# @return [Boolean]
|
|
404
431
|
#
|
|
405
432
|
# @example
|
|
406
|
-
#
|
|
433
|
+
# m = Client.method(:softfail_check_certificate_status)
|
|
407
434
|
# Client.new(
|
|
408
435
|
# socket,
|
|
409
436
|
# hostname,
|
|
410
437
|
# check_certificate_status: true,
|
|
411
|
-
# process_certificate_status:
|
|
438
|
+
# process_certificate_status: m
|
|
412
439
|
# )
|
|
413
|
-
# rubocop: disable Metrics/AbcSize
|
|
414
|
-
# rubocop: disable Metrics/CyclomaticComplexity
|
|
415
|
-
# rubocop: disable Metrics/PerceivedComplexity
|
|
416
440
|
def self.softfail_check_certificate_status(res, cert, chain)
|
|
417
441
|
ocsp_response = res
|
|
418
|
-
|
|
419
|
-
store.set_default_paths
|
|
420
|
-
context = OpenSSL::X509::StoreContext.new(store, cert, chain)
|
|
421
|
-
context.verify
|
|
422
|
-
cid = OpenSSL::OCSP::CertificateId.new(cert, context.chain[1])
|
|
442
|
+
cid = OpenSSL::OCSP::CertificateId.new(cert, chain.first)
|
|
423
443
|
|
|
424
444
|
# When NOT received OCSPResponse in TLS handshake, this method will
|
|
425
445
|
# send OCSPRequest. If ocsp_uri is NOT presented in Certificate, return
|
|
@@ -430,23 +450,25 @@ module TTTLS13
|
|
|
430
450
|
return true if uri.nil?
|
|
431
451
|
|
|
432
452
|
begin
|
|
433
|
-
|
|
453
|
+
# send OCSP::Request
|
|
454
|
+
ocsp_request = gen_ocsp_request(cid)
|
|
455
|
+
Timeout.timeout(2) do
|
|
456
|
+
ocsp_response = send_ocsp_request(ocsp_request, uri)
|
|
457
|
+
end
|
|
458
|
+
|
|
459
|
+
# check nonce of OCSP::Response
|
|
460
|
+
check_nonce = ocsp_request.check_nonce(ocsp_response.basic)
|
|
461
|
+
return true unless [-1, 1].include?(check_nonce)
|
|
434
462
|
rescue StandardError
|
|
435
463
|
return true
|
|
436
464
|
end
|
|
437
465
|
end
|
|
438
|
-
return
|
|
466
|
+
return true \
|
|
439
467
|
if ocsp_response.status != OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
|
|
440
468
|
|
|
441
469
|
status = ocsp_response.basic.status.find { |s| s.first.cmp(cid) }
|
|
442
|
-
|
|
443
|
-
return false if !status[3].nil? && status[3] < Time.now
|
|
444
|
-
|
|
445
|
-
ocsp_response.basic.verify(chain, store)
|
|
470
|
+
status[1] != OpenSSL::OCSP::V_CERTSTATUS_REVOKED
|
|
446
471
|
end
|
|
447
|
-
# rubocop: enable Metrics/AbcSize
|
|
448
|
-
# rubocop: enable Metrics/CyclomaticComplexity
|
|
449
|
-
# rubocop: enable Metrics/PerceivedComplexity
|
|
450
472
|
|
|
451
473
|
private
|
|
452
474
|
|
|
@@ -479,6 +501,9 @@ module TTTLS13
|
|
|
479
501
|
rsl = @settings[:record_size_limit]
|
|
480
502
|
return false if !rsl.nil? && (rsl < 64 || rsl > 2**14 + 1)
|
|
481
503
|
|
|
504
|
+
return false if @settings[:check_certificate_status] &&
|
|
505
|
+
@settings[:process_certificate_status].nil?
|
|
506
|
+
|
|
482
507
|
true
|
|
483
508
|
end
|
|
484
509
|
# rubocop: enable Metrics/AbcSize
|
|
@@ -530,7 +555,7 @@ module TTTLS13
|
|
|
530
555
|
# rubocop: disable Metrics/MethodLength
|
|
531
556
|
# rubocop: disable Metrics/PerceivedComplexity
|
|
532
557
|
def gen_ch_extensions
|
|
533
|
-
exs =
|
|
558
|
+
exs = Message::Extensions.new
|
|
534
559
|
# server_name
|
|
535
560
|
exs << Message::Extension::ServerName.new(@hostname)
|
|
536
561
|
|
|
@@ -580,7 +605,15 @@ module TTTLS13
|
|
|
580
605
|
exs << Message::Extension::OCSPStatusRequest.new \
|
|
581
606
|
if @settings[:check_certificate_status]
|
|
582
607
|
|
|
583
|
-
|
|
608
|
+
# compress_certificate
|
|
609
|
+
if !@settings[:compress_certificate_algorithms].nil? &&
|
|
610
|
+
!@settings[:compress_certificate_algorithms].empty?
|
|
611
|
+
exs << Message::Extension::CompressCertificate.new(
|
|
612
|
+
@settings[:compress_certificate_algorithms]
|
|
613
|
+
)
|
|
614
|
+
end
|
|
615
|
+
|
|
616
|
+
[exs, priv_keys]
|
|
584
617
|
end
|
|
585
618
|
# rubocop: enable Metrics/AbcSize
|
|
586
619
|
# rubocop: enable Metrics/CyclomaticComplexity
|
|
@@ -673,7 +706,7 @@ module TTTLS13
|
|
|
673
706
|
# @return [TTTLS13::Message::Extensions]
|
|
674
707
|
# @return [Hash of NamedGroup => OpenSSL::PKey::EC.$Object]
|
|
675
708
|
def gen_newch_extensions(ch1, hrr)
|
|
676
|
-
exs =
|
|
709
|
+
exs = Message::Extensions.new
|
|
677
710
|
# key_share
|
|
678
711
|
if hrr.extensions.include?(Message::ExtensionType::KEY_SHARE)
|
|
679
712
|
group = hrr.extensions[Message::ExtensionType::KEY_SHARE]
|
|
@@ -695,7 +728,7 @@ module TTTLS13
|
|
|
695
728
|
if hrr.extensions.include?(Message::ExtensionType::COOKIE)
|
|
696
729
|
|
|
697
730
|
# early_data
|
|
698
|
-
new_exs = ch1.extensions.merge(
|
|
731
|
+
new_exs = ch1.extensions.merge(exs)
|
|
699
732
|
new_exs.delete(Message::ExtensionType::EARLY_DATA)
|
|
700
733
|
|
|
701
734
|
[new_exs, priv_keys]
|
|
@@ -737,11 +770,15 @@ module TTTLS13
|
|
|
737
770
|
# @raise [TTTLS13::Error::ErrorAlerts]
|
|
738
771
|
#
|
|
739
772
|
# @return [TTTLS13::Message::ServerHello]
|
|
773
|
+
# @return [String]
|
|
740
774
|
def recv_server_hello
|
|
741
|
-
sh = recv_message(
|
|
775
|
+
sh, orig_msg = recv_message(
|
|
776
|
+
receivable_ccs: true,
|
|
777
|
+
cipher: Cryptograph::Passer.new
|
|
778
|
+
)
|
|
742
779
|
terminate(:unexpected_message) unless sh.is_a?(Message::ServerHello)
|
|
743
780
|
|
|
744
|
-
sh
|
|
781
|
+
[sh, orig_msg]
|
|
745
782
|
end
|
|
746
783
|
|
|
747
784
|
# @param cipher [TTTLS13::Cryptograph::Aead]
|
|
@@ -749,12 +786,13 @@ module TTTLS13
|
|
|
749
786
|
# @raise [TTTLS13::Error::ErrorAlerts]
|
|
750
787
|
#
|
|
751
788
|
# @return [TTTLS13::Message::EncryptedExtensions]
|
|
789
|
+
# @return [String]
|
|
752
790
|
def recv_encrypted_extensions(cipher)
|
|
753
|
-
ee = recv_message(receivable_ccs: true, cipher: cipher)
|
|
791
|
+
ee, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
|
|
754
792
|
terminate(:unexpected_message) \
|
|
755
793
|
unless ee.is_a?(Message::EncryptedExtensions)
|
|
756
794
|
|
|
757
|
-
ee
|
|
795
|
+
[ee, orig_msg]
|
|
758
796
|
end
|
|
759
797
|
|
|
760
798
|
# @param cipher [TTTLS13::Cryptograph::Aead]
|
|
@@ -762,11 +800,12 @@ module TTTLS13
|
|
|
762
800
|
# @raise [TTTLS13::Error::ErrorAlerts]
|
|
763
801
|
#
|
|
764
802
|
# @return [TTTLS13::Message::Certificate]
|
|
803
|
+
# @return [String]
|
|
765
804
|
def recv_certificate(cipher)
|
|
766
|
-
ct = recv_message(receivable_ccs: true, cipher: cipher)
|
|
805
|
+
ct, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
|
|
767
806
|
terminate(:unexpected_message) unless ct.is_a?(Message::Certificate)
|
|
768
807
|
|
|
769
|
-
ct
|
|
808
|
+
[ct, orig_msg]
|
|
770
809
|
end
|
|
771
810
|
|
|
772
811
|
# @param cipher [TTTLS13::Cryptograph::Aead]
|
|
@@ -774,11 +813,12 @@ module TTTLS13
|
|
|
774
813
|
# @raise [TTTLS13::Error::ErrorAlerts]
|
|
775
814
|
#
|
|
776
815
|
# @return [TTTLS13::Message::CertificateVerify]
|
|
816
|
+
# @return [String]
|
|
777
817
|
def recv_certificate_verify(cipher)
|
|
778
|
-
cv = recv_message(receivable_ccs: true, cipher: cipher)
|
|
818
|
+
cv, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
|
|
779
819
|
terminate(:unexpected_message) unless cv.is_a?(Message::CertificateVerify)
|
|
780
820
|
|
|
781
|
-
cv
|
|
821
|
+
[cv, orig_msg]
|
|
782
822
|
end
|
|
783
823
|
|
|
784
824
|
# @param cipher [TTTLS13::Cryptograph::Aead]
|
|
@@ -786,11 +826,12 @@ module TTTLS13
|
|
|
786
826
|
# @raise [TTTLS13::Error::ErrorAlerts]
|
|
787
827
|
#
|
|
788
828
|
# @return [TTTLS13::Message::Finished]
|
|
829
|
+
# @return [String]
|
|
789
830
|
def recv_finished(cipher)
|
|
790
|
-
sf = recv_message(receivable_ccs: true, cipher: cipher)
|
|
831
|
+
sf, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
|
|
791
832
|
terminate(:unexpected_message) unless sf.is_a?(Message::Finished)
|
|
792
833
|
|
|
793
|
-
sf
|
|
834
|
+
[sf, orig_msg]
|
|
794
835
|
end
|
|
795
836
|
|
|
796
837
|
# @param cipher [TTTLS13::Cryptograph::Aead]
|
data/lib/tttls1.3/connection.rb
CHANGED
|
@@ -16,7 +16,7 @@ module TTTLS13
|
|
|
16
16
|
@ap_wcipher = Cryptograph::Passer.new
|
|
17
17
|
@ap_rcipher = Cryptograph::Passer.new
|
|
18
18
|
@alert_wcipher = Cryptograph::Passer.new
|
|
19
|
-
@message_queue = [] # Array of TTTLS13::Message::$Object
|
|
19
|
+
@message_queue = [] # Array of [TTTLS13::Message::$Object, String]
|
|
20
20
|
@binary_buffer = '' # deposit Record.surplus_binary
|
|
21
21
|
@cipher_suite = nil # TTTLS13::CipherSuite
|
|
22
22
|
@named_group = nil # TTTLS13::NamedGroup
|
|
@@ -42,7 +42,7 @@ module TTTLS13
|
|
|
42
42
|
|
|
43
43
|
message = nil
|
|
44
44
|
loop do
|
|
45
|
-
message = recv_message(receivable_ccs: false, cipher: @ap_rcipher)
|
|
45
|
+
message, = recv_message(receivable_ccs: false, cipher: @ap_rcipher)
|
|
46
46
|
# At any time after the server has received the client Finished
|
|
47
47
|
# message, it MAY send a NewSessionTicket message.
|
|
48
48
|
break unless message.is_a?(Message::NewSessionTicket)
|
|
@@ -220,13 +220,15 @@ module TTTLS13
|
|
|
220
220
|
# @raise [TTTLS13::Error::ErrorAlerts
|
|
221
221
|
#
|
|
222
222
|
# @return [TTTLS13::Message::$Object]
|
|
223
|
+
# @return [String]
|
|
223
224
|
# rubocop: disable Metrics/CyclomaticComplexity
|
|
224
225
|
def recv_message(receivable_ccs:, cipher:)
|
|
225
226
|
return @message_queue.shift unless @message_queue.empty?
|
|
226
227
|
|
|
227
228
|
messages = nil
|
|
229
|
+
orig_msgs = []
|
|
228
230
|
loop do
|
|
229
|
-
record = recv_record(cipher)
|
|
231
|
+
record, orig_msgs = recv_record(cipher)
|
|
230
232
|
case record.type
|
|
231
233
|
when Message::ContentType::HANDSHAKE,
|
|
232
234
|
Message::ContentType::APPLICATION_DATA
|
|
@@ -243,20 +245,22 @@ module TTTLS13
|
|
|
243
245
|
end
|
|
244
246
|
end
|
|
245
247
|
|
|
246
|
-
@message_queue += messages[1..]
|
|
248
|
+
@message_queue += messages[1..].zip(orig_msgs[1..])
|
|
247
249
|
message = messages.first
|
|
250
|
+
orig_msg = orig_msgs.first
|
|
248
251
|
if message.is_a?(Message::Alert)
|
|
249
252
|
handle_received_alert(message)
|
|
250
253
|
return nil
|
|
251
254
|
end
|
|
252
255
|
|
|
253
|
-
message
|
|
256
|
+
[message, orig_msg]
|
|
254
257
|
end
|
|
255
258
|
# rubocop: enable Metrics/CyclomaticComplexity
|
|
256
259
|
|
|
257
260
|
# @param cipher [TTTLS13::Cryptograph::Aead, Passer]
|
|
258
261
|
#
|
|
259
262
|
# @return [TTTLS13::Message::Record]
|
|
263
|
+
# @return [Array of String]
|
|
260
264
|
def recv_record(cipher)
|
|
261
265
|
binary = @socket.read(5)
|
|
262
266
|
record_len = Convert.bin2i(binary.slice(3, 2))
|
|
@@ -264,9 +268,13 @@ module TTTLS13
|
|
|
264
268
|
|
|
265
269
|
begin
|
|
266
270
|
buffer = @binary_buffer
|
|
267
|
-
record = Message::Record.deserialize(
|
|
268
|
-
|
|
269
|
-
|
|
271
|
+
record, orig_msgs, surplus_binary = Message::Record.deserialize(
|
|
272
|
+
binary,
|
|
273
|
+
cipher,
|
|
274
|
+
buffer,
|
|
275
|
+
@recv_record_size
|
|
276
|
+
)
|
|
277
|
+
@binary_buffer = surplus_binary
|
|
270
278
|
rescue Error::ErrorAlerts => e
|
|
271
279
|
terminate(e.message.to_sym)
|
|
272
280
|
end
|
|
@@ -278,7 +286,7 @@ module TTTLS13
|
|
|
278
286
|
end
|
|
279
287
|
|
|
280
288
|
logger.debug("receive \n" + record.pretty_inspect)
|
|
281
|
-
record
|
|
289
|
+
[record, orig_msgs]
|
|
282
290
|
end
|
|
283
291
|
|
|
284
292
|
# @param ch1 [TTTLS13::Message::ClientHello]
|
|
@@ -292,11 +300,9 @@ module TTTLS13
|
|
|
292
300
|
# TODO: ext binder
|
|
293
301
|
hash_len = OpenSSL::Digest.new(digest).digest_length
|
|
294
302
|
tt = Transcript.new
|
|
295
|
-
tt.
|
|
296
|
-
|
|
297
|
-
|
|
298
|
-
CH => ch
|
|
299
|
-
)
|
|
303
|
+
tt[CH1] = [ch1, ch1.serialize] unless ch1.nil?
|
|
304
|
+
tt[HRR] = [hrr, hrr.serialize] unless hrr.nil?
|
|
305
|
+
tt[CH] = [ch, ch.serialize]
|
|
300
306
|
# transcript-hash (CH1 + HRR +) truncated-CH
|
|
301
307
|
hash = tt.truncate_hash(digest, CH, hash_len + 3)
|
|
302
308
|
OpenSSL::HMAC.digest(digest, binder_key, hash)
|
|
@@ -500,11 +506,10 @@ module TTTLS13
|
|
|
500
506
|
return false if san.nil?
|
|
501
507
|
|
|
502
508
|
ostr = OpenSSL::ASN1.decode(san.to_der).value.last
|
|
503
|
-
|
|
504
|
-
|
|
505
|
-
|
|
506
|
-
|
|
507
|
-
matching
|
|
509
|
+
OpenSSL::ASN1.decode(ostr.value)
|
|
510
|
+
.map(&:value)
|
|
511
|
+
.map { |s| s.gsub('.', '\.').gsub('*', '.*') }
|
|
512
|
+
.any? { |s| name.match(/#{s}/) }
|
|
508
513
|
end
|
|
509
514
|
|
|
510
515
|
# @param signature_algorithms [Array of SignatureAlgorithms]
|
|
@@ -514,22 +519,22 @@ module TTTLS13
|
|
|
514
519
|
def do_select_signature_algorithms(signature_algorithms, crt)
|
|
515
520
|
spki = OpenSSL::Netscape::SPKI.new
|
|
516
521
|
spki.public_key = crt.public_key
|
|
517
|
-
|
|
518
|
-
|
|
522
|
+
pka = OpenSSL::ASN1.decode(spki.to_der)
|
|
523
|
+
.value.first.value.first.value.first.value.first.value
|
|
519
524
|
signature_algorithms.select do |sa|
|
|
520
525
|
case sa
|
|
521
526
|
when SignatureScheme::ECDSA_SECP256R1_SHA256,
|
|
522
527
|
SignatureScheme::ECDSA_SECP384R1_SHA384,
|
|
523
528
|
SignatureScheme::ECDSA_SECP521R1_SHA512
|
|
524
|
-
|
|
529
|
+
pka == 'id-ecPublicKey'
|
|
525
530
|
when SignatureScheme::RSA_PSS_PSS_SHA256,
|
|
526
531
|
SignatureScheme::RSA_PSS_PSS_SHA384,
|
|
527
532
|
SignatureScheme::RSA_PSS_PSS_SHA512
|
|
528
|
-
|
|
533
|
+
pka == 'rsassaPss'
|
|
529
534
|
when SignatureScheme::RSA_PSS_RSAE_SHA256,
|
|
530
535
|
SignatureScheme::RSA_PSS_RSAE_SHA384,
|
|
531
536
|
SignatureScheme::RSA_PSS_RSAE_SHA512
|
|
532
|
-
|
|
537
|
+
pka == 'rsaEncryption'
|
|
533
538
|
else
|
|
534
539
|
# RSASSA-PKCS1-v1_5 algorithms refer solely to signatures which appear
|
|
535
540
|
# in certificates and are not defined for use in signed TLS handshake
|
|
@@ -541,19 +546,27 @@ module TTTLS13
|
|
|
541
546
|
|
|
542
547
|
class << self
|
|
543
548
|
# @param cid [OpenSSL::OCSP::CertificateId]
|
|
544
|
-
# @param uri [String]
|
|
545
549
|
#
|
|
546
|
-
# @return [OpenSSL::OCSP::
|
|
547
|
-
def
|
|
548
|
-
# generate OCSPRequest
|
|
550
|
+
# @return [OpenSSL::OCSP::Request]
|
|
551
|
+
def gen_ocsp_request(cid)
|
|
549
552
|
ocsp_request = OpenSSL::OCSP::Request.new
|
|
550
553
|
ocsp_request.add_certid(cid)
|
|
551
554
|
ocsp_request.add_nonce
|
|
555
|
+
ocsp_request
|
|
556
|
+
end
|
|
557
|
+
|
|
558
|
+
# @param ocsp_request [OpenSSL::OCSP::Request]
|
|
559
|
+
# @param uri_string [String]
|
|
560
|
+
#
|
|
561
|
+
# @raise [Net::OpenTimeout, OpenSSL::OCSP::OCSPError, URI::$Exception]
|
|
562
|
+
#
|
|
563
|
+
# @return [OpenSSL::OCSP::Response, n
|
|
564
|
+
def send_ocsp_request(ocsp_request, uri_string)
|
|
552
565
|
# send HTTP POST
|
|
553
|
-
uri = URI.parse(
|
|
566
|
+
uri = URI.parse(uri_string)
|
|
554
567
|
path = uri.path
|
|
555
568
|
path = '/' if path.nil? || path.empty?
|
|
556
|
-
http_response = Net::HTTP.start
|
|
569
|
+
http_response = Net::HTTP.start(uri.host, uri.port) do |http|
|
|
557
570
|
http.post(
|
|
558
571
|
path,
|
|
559
572
|
ocsp_request.to_der,
|
|
@@ -44,8 +44,7 @@ module TTTLS13
|
|
|
44
44
|
#
|
|
45
45
|
# @return [String]
|
|
46
46
|
def encrypt(content, type)
|
|
47
|
-
reset_cipher
|
|
48
|
-
cipher = @cipher.encrypt
|
|
47
|
+
cipher = reset_cipher
|
|
49
48
|
plaintext = content + type + "\x00" * @length_of_padding
|
|
50
49
|
cipher.auth_data = additional_data(plaintext.length)
|
|
51
50
|
encrypted_data = cipher.update(plaintext) + cipher.final
|
|
@@ -66,8 +65,7 @@ module TTTLS13
|
|
|
66
65
|
# @return [String]
|
|
67
66
|
# @return [TTTLS13::Message::ContentType]
|
|
68
67
|
def decrypt(encrypted_record, auth_data)
|
|
69
|
-
|
|
70
|
-
decipher = @cipher.decrypt
|
|
68
|
+
decipher = reset_decipher
|
|
71
69
|
auth_tag = encrypted_record[-@auth_tag_len..-1]
|
|
72
70
|
decipher.auth_tag = auth_tag
|
|
73
71
|
decipher.auth_data = auth_data # record header of TLSCiphertext
|
|
@@ -105,11 +103,26 @@ module TTTLS13
|
|
|
105
103
|
+ ciphertext_len.to_uint16
|
|
106
104
|
end
|
|
107
105
|
|
|
106
|
+
# @return [OpenSSL::Cipher]
|
|
108
107
|
def reset_cipher
|
|
109
|
-
@cipher.
|
|
110
|
-
|
|
108
|
+
cipher = @cipher.encrypt
|
|
109
|
+
cipher.reset
|
|
110
|
+
cipher.key = @write_key
|
|
111
111
|
iv_len = CipherSuite.iv_len(@cipher_suite)
|
|
112
|
-
|
|
112
|
+
cipher.iv = @sequence_number.xor(@write_iv, iv_len)
|
|
113
|
+
|
|
114
|
+
cipher
|
|
115
|
+
end
|
|
116
|
+
|
|
117
|
+
# @return [OpenSSL::Cipher]
|
|
118
|
+
def reset_decipher
|
|
119
|
+
decipher = @cipher.decrypt
|
|
120
|
+
decipher.reset
|
|
121
|
+
decipher.key = @write_key
|
|
122
|
+
iv_len = CipherSuite.iv_len(@cipher_suite)
|
|
123
|
+
decipher.iv = @sequence_number.xor(@write_iv, iv_len)
|
|
124
|
+
|
|
125
|
+
decipher
|
|
113
126
|
end
|
|
114
127
|
|
|
115
128
|
# @param clear [String]
|
data/lib/tttls1.3/cryptograph.rb
CHANGED
|
@@ -8,7 +8,7 @@ module TTTLS13
|
|
|
8
8
|
FATAL = "\x02"
|
|
9
9
|
end
|
|
10
10
|
|
|
11
|
-
# rubocop: disable Layout/
|
|
11
|
+
# rubocop: disable Layout/HashAlignment
|
|
12
12
|
ALERT_DESCRIPTION = {
|
|
13
13
|
close_notify: "\x00",
|
|
14
14
|
unexpected_message: "\x0a",
|
|
@@ -38,7 +38,7 @@ module TTTLS13
|
|
|
38
38
|
certificate_required: "\x74",
|
|
39
39
|
no_application_protocol: "\x78"
|
|
40
40
|
}.freeze
|
|
41
|
-
# rubocop: enable Layout/
|
|
41
|
+
# rubocop: enable Layout/HashAlignment
|
|
42
42
|
|
|
43
43
|
class Alert
|
|
44
44
|
attr_reader :level
|
|
@@ -18,6 +18,7 @@ module TTTLS13
|
|
|
18
18
|
ExtensionType::CLIENT_CERTIFICATE_TYPE,
|
|
19
19
|
ExtensionType::SERVER_CERTIFICATE_TYPE,
|
|
20
20
|
ExtensionType::PADDING,
|
|
21
|
+
ExtensionType::COMPRESS_CERTIFICATE,
|
|
21
22
|
ExtensionType::RECORD_SIZE_LIMIT,
|
|
22
23
|
ExtensionType::PWD_PROTECT,
|
|
23
24
|
ExtensionType::PWD_CLEAR,
|