tttls1.3 0.2.12 → 0.2.16

data/lib/tttls1.3/message/compressed_certificate.rb

@@ -0,0 +1,82 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+module TTTLS13
+  using Refinements
+  module Message
+    class CompressedCertificate
+      attr_reader :msg_type
+      attr_reader :certificate_message
+      attr_reader :algorithm
+
+      # @param certificate_message [TTTLS13::Message::Certificate]
+      # @param algorithm [CertificateCompressionAlgorithm]
+      def initialize(certificate_message:, algorithm:)
+        @msg_type = HandshakeType::COMPRESSED_CERTIFICATE
+        @certificate_message = certificate_message
+        @algorithm = algorithm
+      end
+
+      # @return [String]
+      def serialize
+        binary = ''
+        binary += @algorithm
+        ct_bin = @certificate_message.serialize[4..]
+        binary += ct_bin.length.to_uint24
+        case @algorithm
+        when Extension::CertificateCompressionAlgorithm::ZLIB
+          binary += Zlib::Deflate.deflate(ct_bin).prefix_uint24_length
+        else # TODO: orig_msgs, ZSTD
+          raise Error::ErrorAlerts, :internal_error
+        end
+
+        @msg_type + binary.prefix_uint24_length
+      end
+
+      alias fragment serialize
+
+      # @param binary [String]
+      #
+      # @raise [TTTLS13::Error::ErrorAlerts]
+      #
+      # @return [TTTLS13::Message::CompressedCertificate]
+      # rubocop: disable Metrics/AbcSize
+      # rubocop: disable Metrics/CyclomaticComplexity
+      # rubocop: disable Metrics/PerceivedComplexity
+      def self.deserialize(binary)
+        raise Error::ErrorAlerts, :internal_error if binary.nil?
+        raise Error::ErrorAlerts, :decode_error if binary.length < 5
+        raise Error::ErrorAlerts, :internal_error \
+          unless binary[0] == HandshakeType::COMPRESSED_CERTIFICATE
+
+        msg_len = Convert.bin2i(binary.slice(1, 3))
+        algorithm = binary.slice(4, 2)
+        uncompressed_length = Convert.bin2i(binary.slice(6, 3))
+        ccm_len = Convert.bin2i(binary.slice(9, 3))
+        ct_bin = ''
+        case algorithm
+        when Extension::CertificateCompressionAlgorithm::ZLIB
+          ct_bin = Zlib::Inflate.inflate(binary.slice(12, ccm_len))
+        else # TODO: BROTLI, ZSTD
+          raise Error::ErrorAlerts, :bad_certificate
+        end
+
+        raise Error::ErrorAlerts, :bad_certificate \
+          unless ct_bin.length == uncompressed_length
+        raise Error::ErrorAlerts, :decode_error \
+          unless ccm_len + 12 == binary.length && msg_len + 4 == binary.length
+
+        certificate_message = Certificate.deserialize(
+          HandshakeType::CERTIFICATE + ct_bin.prefix_uint24_length
+        )
+        CompressedCertificate.new(
+          certificate_message: certificate_message,
+          algorithm: algorithm
+        )
+      end
+      # rubocop: enable Metrics/AbcSize
+      # rubocop: enable Metrics/CyclomaticComplexity
+      # rubocop: enable Metrics/PerceivedComplexity
+    end
+  end
+end

data/lib/tttls1.3/message/extension/alpn.rb

@@ -27,9 +27,12 @@ module TTTLS13
 
         # @return [String]
         def serialize
-          binary = @protocol_name_list.map(&:prefix_uint8_length).join
+          binary = @protocol_name_list
+                   .map(&:prefix_uint8_length)
+                   .join
+                   .prefix_uint16_length
 
-          @extension_type + binary.prefix_uint16_length.prefix_uint16_length
+          @extension_type + binary.prefix_uint16_length
         end
 
         # @param binary [String]

data/lib/tttls1.3/message/extension/compress_certificate.rb

@@ -0,0 +1,58 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+module TTTLS13
+  using Refinements
+  module Message
+    module Extension
+      module CertificateCompressionAlgorithm
+        ZLIB = "\x00\x01"
+        # BROTLI = "\x00\x02" # UNSUPPORTED
+        # ZSTD   = "\x00\x03" # UNSUPPORTED
+      end
+
+      # https://tools.ietf.org/html/rfc8879
+      class CompressCertificate
+        attr_reader :extension_type
+        attr_reader :algorithms
+
+        # @param algorithms [Array of CertificateCompressionAlgorithm]
+        #
+        # @raise [TTTLS13::Error::ErrorAlerts]
+        #
+        # @example
+        #   CompressCertificate([CertificateCompressionAlgorithm::ZLIB])
+        def initialize(algorithms)
+          @extension_type = ExtensionType::COMPRESS_CERTIFICATE
+          @algorithms = algorithms || []
+          raise Error::ErrorAlerts, :internal_error \
+            if @algorithms.join.length < 2 ||
+               @algorithms.join.length > 2**8 - 2
+        end
+
+        # @return [String]
+        def serialize
+          binary = @algorithms.join.prefix_uint8_length
+
+          @extension_type + binary.prefix_uint16_length
+        end
+
+        # @param binary [String]
+        #
+        # @raise [TTTLS13::Error::ErrorAlerts]
+        #
+        # @return [TTTLS13::Message::Extension::CompressCertificate, nil]
+        def self.deserialize(binary)
+          raise Error::ErrorAlerts, :internal_error if binary.nil?
+
+          return nil if binary.length < 3
+
+          al_len = Convert.bin2i(binary.slice(0, 1))
+          return nil if binary.length != al_len + 1
+
+          CompressCertificate.new(binary.slice(1, al_len + 1).scan(/.{2}/m))
+        end
+      end
+    end
+  end
+end

data/lib/tttls1.3/message/extension/signature_algorithms.rb

@@ -35,17 +35,17 @@ module TTTLS13
 
         # @return [String]
         def serialize
-          binary = @supported_signature_algorithms.join
+          binary = @supported_signature_algorithms.join.prefix_uint16_length
 
-          @extension_type + binary.prefix_uint16_length.prefix_uint16_length
+          @extension_type + binary.prefix_uint16_length
         end
 
         # @param binary [String]
         #
         # @raise [TTTLS13::Error::ErrorAlerts]
         #
-        # @return [TTTLS13::Message::Extensions::SignatureAlgorithms, nil]
-        def self.deserialize(binary)
+        # @return [Array of SignatureScheme]
+        def self.deserialize_supported_signature_algorithms(binary)
           raise Error::ErrorAlerts, :internal_error if binary.nil?
 
           return nil if binary.length < 2
@@ -61,7 +61,17 @@ module TTTLS13
           end
           return nil unless ssa_len + 2 == binary.length
 
-          SignatureAlgorithms.new(supported_signature_algorithms)
+          supported_signature_algorithms
+        end
+
+        # @param binary [String]
+        #
+        # @return [TTTLS13::Message::Extensions::SignatureAlgorithms, nil]
+        def self.deserialize(binary)
+          ssa = deserialize_supported_signature_algorithms(binary)
+          return nil if ssa.nil?
+
+          SignatureAlgorithms.new(ssa)
         end
       end
     end

data/lib/tttls1.3/message/extension/signature_algorithms_cert.rb

@@ -13,11 +13,12 @@ module TTTLS13
 
         # @param binary [String]
         #
-        # @return [TTTLS13::Message::Extensions::SignatureAlgorithmsCert]
+        # @return [TTTLS13::Message::Extensions::SignatureAlgorithmsCert, nil]
         def self.deserialize(binary)
-          extension = SignatureAlgorithms.deserialize(binary)
-          extension.extension_type = ExtensionType::SIGNATURE_ALGORITHMS_CERT
-          extension
+          ssa = deserialize_supported_signature_algorithms(binary)
+          return nil if ssa.nil?
+
+          SignatureAlgorithmsCert.new(ssa)
         end
       end
     end

data/lib/tttls1.3/message/extension/supported_groups.rb

@@ -21,9 +21,9 @@ module TTTLS13
 
         # @return [String]
         def serialize
-          binary = @named_group_list.join
+          binary = @named_group_list.join.prefix_uint16_length
 
-          @extension_type + binary.prefix_uint16_length.prefix_uint16_length
+          @extension_type + binary.prefix_uint16_length
         end
 
         # @param binary [String]

data/lib/tttls1.3/message/extensions.rb

@@ -44,10 +44,11 @@ module TTTLS13
       #
       # @return [TTTLS13::Message::Extensions]
       # rubocop: disable Metrics/CyclomaticComplexity
+      # rubocop: disable Metrics/PerceivedComplexity
       def self.deserialize(binary, msg_type)
         raise Error::ErrorAlerts, :internal_error if binary.nil?
 
-        extensions = []
+        exs = Extensions.new
         i = 0
         while i < binary.length
           raise Error::ErrorAlerts, :decode_error if i + 4 > binary.length
@@ -66,32 +67,41 @@ module TTTLS13
             ex = Extension::UnknownExtension.new(extension_type: extension_type,
                                                  extension_data: ex_bin)
           end
-          extensions << ex
+
+          # There MUST NOT be more than one extension of the same type in a
+          # given extension block.
+          raise Error::ErrorAlerts, :unsupported_extension \
+            if exs.include?(extension_type)
+
+          exs[extension_type] = ex
           i += ex_len
         end
         raise Error::ErrorAlerts, :decode_error unless i == binary.length
 
-        Extensions.new(extensions)
+        exs
       end
       # rubocop: enable Metrics/CyclomaticComplexity
+      # rubocop: enable Metrics/PerceivedComplexity
 
       # @param key [TTTLS13::Message::ExtensionType]
+      # @param default
       #
       # @return [TTTLS13::Message::Extension::$Object]
-      def [](key)
+      def fetch(key, default = nil)
         return nil if super_fetch(key, nil).is_a?(Extension::UnknownExtension)
 
-        super_fetch(key, nil)
+        super_fetch(key, default)
       end
 
-      # @param key [TTTLS13::Message::ExtensionType]
-      # @param default
+      def [](key)
+        fetch(key)
+      end
+
+      # @param ex [TTTLS13::Message::Extension::$Object]
       #
       # @return [TTTLS13::Message::Extension::$Object]
-      def fetch(key, default = nil)
-        return nil if super_fetch(key, nil).is_a?(Extension::UnknownExtension)
-
-        super_fetch(key, default)
+      def <<(ex)
+        store(ex.extension_type, ex)
       end
 
       class << self
@@ -119,20 +129,23 @@ module TTTLS13
           when ExtensionType::SERVER_NAME
             Extension::ServerName.deserialize(binary)
           when ExtensionType::STATUS_REQUEST
-            if msg_type == HandshakeType::CLIENT_HELLO # ||
-              # msg_type == HandshakeType::CERTIFICATE_REQUEST
-              Extension::OCSPStatusRequest.deserialize(binary)
-            elsif msg_type == HandshakeType::CERTIFICATE
-              Extension::OCSPResponse.deserialize(binary)
-            else
-              return nil
+            if msg_type == HandshakeType::CLIENT_HELLO
+              return Extension::OCSPStatusRequest.deserialize(binary)
             end
+
+            if msg_type == HandshakeType::CERTIFICATE
+              return Extension::OCSPResponse.deserialize(binary)
+            end
+
+            Extension::UnknownExtension.deserialize(binary, extension_type)
           when ExtensionType::SUPPORTED_GROUPS
             Extension::SupportedGroups.deserialize(binary)
           when ExtensionType::SIGNATURE_ALGORITHMS
             Extension::SignatureAlgorithms.deserialize(binary)
           when ExtensionType::APPLICATION_LAYER_PROTOCOL_NEGOTIATION
             Extension::Alpn.deserialize(binary)
+          when ExtensionType::COMPRESS_CERTIFICATE
+            Extension::CompressCertificate.deserialize(binary)
           when ExtensionType::RECORD_SIZE_LIMIT
             Extension::RecordSizeLimit.deserialize(binary)
           when ExtensionType::PRE_SHARED_KEY

data/lib/tttls1.3/message/record.rb

@@ -11,23 +11,19 @@ module TTTLS13
       attr_reader :type
       attr_reader :legacy_record_version
       attr_reader :messages
-      attr_reader :surplus_binary
       attr_reader :cipher
 
       # @param type [TTTLS13::Message::ContentType]
       # @param legacy_record_version [TTTLS13::Message::ProtocolVersion]
       # @param messages [Array of TTTLS13::Message::$Object]
-      # @param surplus_binary [String]
       # @param cipher [TTTLS13::Cryptograph::$Object]
       def initialize(type:,
                      legacy_record_version: ProtocolVersion::TLS_1_2,
                      messages:,
-                     surplus_binary: '',
                      cipher:)
         @type = type
         @legacy_record_version = legacy_record_version
         @messages = messages
-        @surplus_binary = surplus_binary
         @cipher = cipher
       end
 
@@ -40,7 +36,7 @@ module TTTLS13
       #
       # @return [String]
       def serialize(record_size_limit = DEFAULT_RECORD_SIZE_LIMIT)
-        tlsplaintext = @messages.map(&:serialize).join + @surplus_binary
+        tlsplaintext = @messages.map(&:serialize).join
         if @cipher.is_a?(Cryptograph::Aead)
           max = @cipher.tlsplaintext_length_limit(record_size_limit)
           fragments = tlsplaintext.scan(/.{1,#{max}}/m)
@@ -66,6 +62,8 @@ module TTTLS13
       # @raise [TTTLS13::Error::ErrorAlerts]
       #
       # @return [TTTLS13::Message::Record]
+      # @return [Array of String]
+      # @return [String]
       # rubocop: disable Metrics/AbcSize
       # rubocop: disable Metrics/CyclomaticComplexity
       # rubocop: disable Metrics/PerceivedComplexity
@@ -93,13 +91,17 @@ module TTTLS13
           fragment, inner_type = cipher.decrypt(fragment, binary.slice(0, 5))
         end
 
-        messages, surplus_binary = deserialize_fragment(buffered + fragment,
-                                                        inner_type || type)
-        Record.new(type: type,
-                   legacy_record_version: legacy_record_version,
-                   messages: messages,
-                   surplus_binary: surplus_binary,
-                   cipher: cipher)
+        messages, orig_msgs, surplus_binary = deserialize_fragment(
+          buffered + fragment,
+          inner_type || type
+        )
+        record = Record.new(
+          type: type,
+          legacy_record_version: legacy_record_version,
+          messages: messages,
+          cipher: cipher
+        )
+        [record, orig_msgs, surplus_binary]
       end
       # rubocop: enable Metrics/AbcSize
       # rubocop: enable Metrics/CyclomaticComplexity
@@ -116,6 +118,7 @@ module TTTLS13
               Message::ServerHello,
               Message::EncryptedExtensions,
               Message::Certificate,
+              Message::CompressedCertificate,
               Message::CertificateVerify,
               Message::Finished,
               Message::EndOfEarlyData,
@@ -152,20 +155,24 @@ module TTTLS13
           raise Error::ErrorAlerts, :internal_error if binary.nil?
 
           surplus_binary = ''
+          orig_msgs = []
           case type
           when ContentType::HANDSHAKE
-            messages, surplus_binary = deserialize_handshake(binary)
+            messages, orig_msgs, surplus_binary = deserialize_handshake(binary)
           when ContentType::CCS
             messages = [ChangeCipherSpec.deserialize(binary)]
+            orig_msgs = [binary]
           when ContentType::APPLICATION_DATA
             messages = [ApplicationData.deserialize(binary)]
+            orig_msgs = [binary]
           when ContentType::ALERT
             messages = [Alert.deserialize(binary)]
+            orig_msgs = [binary]
           else
             raise Error::ErrorAlerts, :unexpected_message
           end
 
-          [messages, surplus_binary]
+          [messages, orig_msgs, surplus_binary]
         end
 
         # @param binary [String]
@@ -173,11 +180,13 @@ module TTTLS13
         # @raise [TTTLS13::Error::ErrorAlerts]
         #
         # @return [Array of TTTLS13::Message::$Object]
+        # @return [Array of String]
         # @return [String]
         def deserialize_handshake(binary)
           raise Error::ErrorAlerts, :internal_error if binary.nil?
 
           handshakes = []
+          orig_msgs = []
           i = 0
           while i < binary.length
             # Handshake.length is kind of uint24 and Record.length is kind of
@@ -185,18 +194,19 @@ module TTTLS13
             if binary.length < 4 + i ||
                binary.length < 4 + i + Convert.bin2i(binary.slice(i + 1, 3))
               surplus_binary = binary[i..]
-              return [handshakes, surplus_binary]
+              return [handshakes, orig_msgs, surplus_binary]
             end
 
             msg_len = Convert.bin2i(binary.slice(i + 1, 3))
             msg_bin = binary.slice(i, msg_len + 4)
+            orig_msgs << msg_bin
             message = do_deserialize_handshake(msg_bin)
             i += msg_len + 4
             handshakes << message
           end
 
           surplus_binary = binary[i..]
-          [handshakes, surplus_binary]
+          [handshakes, orig_msgs, surplus_binary]
         end
 
         # @param binary [String]
@@ -226,6 +236,8 @@ module TTTLS13
             NewSessionTicket.deserialize(binary)
           when HandshakeType::END_OF_EARLY_DATA
             EndOfEarlyData.deserialize(binary)
+          when HandshakeType::COMPRESSED_CERTIFICATE
+            CompressedCertificate.deserialize(binary)
           else
             raise Error::ErrorAlerts, :unexpected_message
           end

data/lib/tttls1.3/message.rb

@@ -21,26 +21,27 @@ module TTTLS13
     DEFAULT_VERSIONS = [ProtocolVersion::TLS_1_3].freeze
 
     module HandshakeType
-      HELLO_REQUEST        = "\x00" # RESERVED
-      CLIENT_HELLO         = "\x01"
-      SERVER_HELLO         = "\x02"
-      HELLO_VERIFY_REQUEST = "\x03" # RESERVED
-      NEW_SESSION_TICKET   = "\x04"
-      END_OF_EARLY_DATA    = "\x05"
-      HELLO_RETRY_REQUEST  = "\x06" # RESERVED
-      ENCRYPTED_EXTENSIONS = "\x08"
-      CERTIFICATE          = "\x0b"
-      SERVER_KEY_EXCHANGE  = "\x0c" # RESERVED
-      CERTIFICATE_REQUEST  = "\x0d"
-      SERVER_HELLO_DONE    = "\x0e" # RESERVED
-      CERTIFICATE_VERIFY   = "\x0f"
-      CLIENT_KEY_EXCHANGE  = "\x10" # RESERVED
-      FINISHED             = "\x14"
-      CERTIFICATE_URL      = "\x15" # RESERVED
-      CERTIFICATE_STATUS   = "\x16" # RESERVED
-      SUPPLEMENTAL_DATA    = "\x17" # RESERVED
-      KEY_UPDATE           = "\x18"
-      MESSAGE_HASH         = "\xfe"
+      HELLO_REQUEST          = "\x00" # RESERVED
+      CLIENT_HELLO           = "\x01"
+      SERVER_HELLO           = "\x02"
+      HELLO_VERIFY_REQUEST   = "\x03" # RESERVED
+      NEW_SESSION_TICKET     = "\x04"
+      END_OF_EARLY_DATA      = "\x05"
+      HELLO_RETRY_REQUEST    = "\x06" # RESERVED
+      ENCRYPTED_EXTENSIONS   = "\x08"
+      CERTIFICATE            = "\x0b"
+      SERVER_KEY_EXCHANGE    = "\x0c" # RESERVED
+      CERTIFICATE_REQUEST    = "\x0d"
+      SERVER_HELLO_DONE      = "\x0e" # RESERVED
+      CERTIFICATE_VERIFY     = "\x0f"
+      CLIENT_KEY_EXCHANGE    = "\x10" # RESERVED
+      FINISHED               = "\x14"
+      CERTIFICATE_URL        = "\x15" # RESERVED
+      CERTIFICATE_STATUS     = "\x16" # RESERVED
+      SUPPLEMENTAL_DATA      = "\x17" # RESERVED
+      KEY_UPDATE             = "\x18"
+      COMPRESSED_CERTIFICATE = "\x19"
+      MESSAGE_HASH           = "\xfe"
     end
 
     module ExtensionType
@@ -56,6 +57,7 @@ module TTTLS13
       CLIENT_CERTIFICATE_TYPE                = "\x00\x13"
       SERVER_CERTIFICATE_TYPE                = "\x00\x14"
       PADDING                                = "\x00\x15"
+      COMPRESS_CERTIFICATE                   = "\x00\x1b"
       RECORD_SIZE_LIMIT                      = "\x00\x1c"
       PWD_PROTECT                            = "\x00\x1d"
       PWD_CLEAR                              = "\x00\x1e"
@@ -78,4 +80,4 @@ module TTTLS13
   end
 end
 
-Dir[File.dirname(__FILE__) + '/message/*.rb'].each { |f| require f }
+Dir[File.dirname(__FILE__) + '/message/*.rb'].sort.each { |f| require f }