tttls1.3 0.2.17 → 0.2.18
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/ci.yml +4 -2
- data/.gitignore +1 -0
- data/.ruby-version +1 -0
- data/Gemfile +3 -1
- data/README.md +3 -1
- data/example/https_client.rb +2 -1
- data/example/https_server.rb +3 -2
- data/lib/tttls1.3/client.rb +31 -0
- data/lib/tttls1.3/server.rb +28 -1
- data/lib/tttls1.3/sslkeylogfile.rb +87 -0
- data/lib/tttls1.3/version.rb +1 -1
- data/lib/tttls1.3.rb +1 -0
- metadata +5 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 1a07aded25aecad8bd61ff9fd49a70df15c8abf356d4747891486dd81386b68d
|
4
|
+
data.tar.gz: 4637b3288dab22caae951cc43c283057fd3ed215fc5fa86e318becc3369ac7b2
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 621a8f82c99e21e964cfb6defe14e2f8864f1c42cc94c9af725de2ff73929226d99a694c893ada3fc44c5224be70ec87bfcb291eceab271b33e4759c6c900cd8
|
7
|
+
data.tar.gz: 9088db06f998013577eb647d064e97035047a2cef7799010bc91f18384787bdf158357fd33c296b92ec1bc07a2ad1b307c98d0217735dfef5c6acf565f3c9433
|
data/.github/workflows/ci.yml
CHANGED
@@ -15,10 +15,12 @@ jobs:
|
|
15
15
|
matrix:
|
16
16
|
ruby-version: ['2.7.x', '3.0.x', '3.1.x']
|
17
17
|
steps:
|
18
|
+
- uses: actions/checkout@v3
|
18
19
|
- uses: docker://thekuwayama/openssl:latest
|
19
20
|
- name: Set up Ruby
|
20
|
-
uses:
|
21
|
-
|
21
|
+
uses: ruby/setup-ruby@v1
|
22
|
+
with:
|
23
|
+
ruby-version: ${{ matrix.ruby }}
|
22
24
|
- name: Install dependencies
|
23
25
|
run: |
|
24
26
|
gem --version
|
data/.gitignore
CHANGED
data/.ruby-version
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
3.1.2
|
data/Gemfile
CHANGED
data/README.md
CHANGED
@@ -2,7 +2,7 @@
|
|
2
2
|
|
3
3
|
[](https://badge.fury.io/rb/tttls1.3)
|
4
4
|
[](https://github.com/thekuwayama/tttls1.3/actions?workflow=CI)
|
5
|
-
[](https://codeclimate.com/github/thekuwayama/tttls1.3/maintainability)
|
6
6
|
|
7
7
|
tttls1.3 is Ruby implementation of [TLS 1.3](https://tools.ietf.org/html/rfc8446) protocol.
|
8
8
|
|
@@ -104,6 +104,7 @@ tttls1.3 client is configurable using keyword arguments.
|
|
104
104
|
| `:process_certificate_status` | Proc | `TTTLS13::Client.method(:softfail_check_certificate_status)` | Proc(or Method) that checks received OCSPResponse. Its 3 arguments are OpenSSL::OCSP::Response, end-entity certificate(OpenSSL::X509::Certificate) and certificates chain(Array of Certificate) used for verification and it returns Boolean. |
|
105
105
|
| `:compress_certificate_algorithms` | Array of TTTLS13::Message::Extension::CertificateCompressionAlgorithm constant | `ZLIB` | The compression algorithms are supported for compressing the Certificate message. |
|
106
106
|
| `:compatibility_mode` | Boolean | true | If needed to send ChangeCipherSpec, set true. |
|
107
|
+
| `:sslkeylogfile` | String | nil | If needed to log SSLKEYLOGFILE, set the file path. |
|
107
108
|
| `:loglevel` | Logger constant | Logger::WARN | If needed to print verbose, set Logger::DEBUG. |
|
108
109
|
|
109
110
|
|
@@ -123,6 +124,7 @@ tttls1.3 server is configurable using keyword arguments.
|
|
123
124
|
| `:process_ocsp_response` | Proc | nil | Proc that gets OpenSSL::OCSP::Response. If not needed to staple OCSP::Response, set nil. |
|
124
125
|
| `:compress_certificate_algorithms` | Array of TTTLS13::Message::Extension::CertificateCompressionAlgorithm constant | `ZLIB` | The compression algorithms are supported for compressing the Certificate message. |
|
125
126
|
| `:compatibility_mode` | Boolean | true | If needed to send ChangeCipherSpec, set true. |
|
127
|
+
| `:sslkeylogfile` | String | nil | If needed to log SSLKEYLOGFILE, set the file path. |
|
126
128
|
| `:loglevel` | Logger constant | Logger::WARN | If needed to print verbose, set Logger::DEBUG. |
|
127
129
|
|
128
130
|
|
data/example/https_client.rb
CHANGED
@@ -10,7 +10,8 @@ req = simple_http_request(hostname)
|
|
10
10
|
socket = TCPSocket.new(hostname, port)
|
11
11
|
settings = {
|
12
12
|
ca_file: File.exist?(ca_file) ? ca_file : nil,
|
13
|
-
alpn: ['http/1.1']
|
13
|
+
alpn: ['http/1.1'],
|
14
|
+
sslkeylogfile: '/tmp/sslkeylogfile.log'
|
14
15
|
}
|
15
16
|
client = TTTLS13::Client.new(socket, hostname, **settings)
|
16
17
|
client.connect
|
data/example/https_server.rb
CHANGED
@@ -12,7 +12,8 @@ settings = {
|
|
12
12
|
crt_file: __dir__ + '/../tmp/server.crt',
|
13
13
|
chain_files: [__dir__ + '/../tmp/intermediate.crt'],
|
14
14
|
key_file: __dir__ + '/../tmp/server.key',
|
15
|
-
alpn: ['http/1.1']
|
15
|
+
alpn: ['http/1.1'],
|
16
|
+
sslkeylogfile: '/tmp/sslkeylogfile.log'
|
16
17
|
}
|
17
18
|
|
18
19
|
q = Queue.new
|
@@ -49,7 +50,7 @@ Etc.nprocessors.times do
|
|
49
50
|
rescue Timeout::Error
|
50
51
|
logger.warn 'Timeout'
|
51
52
|
ensure
|
52
|
-
s
|
53
|
+
s&.close
|
53
54
|
end
|
54
55
|
end
|
55
56
|
end
|
data/lib/tttls1.3/client.rb
CHANGED
@@ -68,6 +68,7 @@ module TTTLS13
|
|
68
68
|
process_certificate_status: nil,
|
69
69
|
compress_certificate_algorithms: DEFALUT_CH_COMPRESS_CERTIFICATE_ALGORITHMS,
|
70
70
|
compatibility_mode: true,
|
71
|
+
sslkeylogfile: nil,
|
71
72
|
loglevel: Logger::WARN
|
72
73
|
}.freeze
|
73
74
|
private_constant :DEFAULT_CLIENT_SETTINGS
|
@@ -151,6 +152,15 @@ module TTTLS13
|
|
151
152
|
hs_wcipher = nil # TTTLS13::Cryptograph::$Object
|
152
153
|
hs_rcipher = nil # TTTLS13::Cryptograph::$Object
|
153
154
|
e_wcipher = nil # TTTLS13::Cryptograph::$Object
|
155
|
+
sslkeylogfile = nil # TTTLS13::SslKeyLogFile::Writer
|
156
|
+
unless @settings[:sslkeylogfile].nil?
|
157
|
+
begin
|
158
|
+
sslkeylogfile = SslKeyLogFile::Writer.new(@settings[:sslkeylogfile])
|
159
|
+
rescue SystemCallError => e
|
160
|
+
msg = "\"#{@settings[:sslkeylogfile]}\" file can NOT open: #{e}"
|
161
|
+
logger.warn(msg)
|
162
|
+
end
|
163
|
+
end
|
154
164
|
|
155
165
|
@state = ClientState::START
|
156
166
|
loop do
|
@@ -169,6 +179,10 @@ module TTTLS13
|
|
169
179
|
key_schedule.early_data_write_key,
|
170
180
|
key_schedule.early_data_write_iv
|
171
181
|
)
|
182
|
+
sslkeylogfile&.write_client_early_traffic_secret(
|
183
|
+
transcript[CH].first.random,
|
184
|
+
key_schedule.client_early_traffic_secret
|
185
|
+
)
|
172
186
|
send_early_data(e_wcipher)
|
173
187
|
end
|
174
188
|
|
@@ -276,11 +290,19 @@ module TTTLS13
|
|
276
290
|
key_schedule.client_handshake_write_key,
|
277
291
|
key_schedule.client_handshake_write_iv
|
278
292
|
)
|
293
|
+
sslkeylogfile&.write_client_handshake_traffic_secret(
|
294
|
+
transcript[CH].first.random,
|
295
|
+
key_schedule.client_handshake_traffic_secret
|
296
|
+
)
|
279
297
|
hs_rcipher = gen_cipher(
|
280
298
|
@cipher_suite,
|
281
299
|
key_schedule.server_handshake_write_key,
|
282
300
|
key_schedule.server_handshake_write_iv
|
283
301
|
)
|
302
|
+
sslkeylogfile&.write_server_handshake_traffic_secret(
|
303
|
+
transcript[CH].first.random,
|
304
|
+
key_schedule.server_handshake_traffic_secret
|
305
|
+
)
|
284
306
|
@state = ClientState::WAIT_EE
|
285
307
|
when ClientState::WAIT_EE
|
286
308
|
logger.debug('ClientState::WAIT_EE')
|
@@ -388,11 +410,19 @@ module TTTLS13
|
|
388
410
|
key_schedule.client_application_write_key,
|
389
411
|
key_schedule.client_application_write_iv
|
390
412
|
)
|
413
|
+
sslkeylogfile&.write_client_traffic_secret_0(
|
414
|
+
transcript[CH].first.random,
|
415
|
+
key_schedule.client_application_traffic_secret
|
416
|
+
)
|
391
417
|
@ap_rcipher = gen_cipher(
|
392
418
|
@cipher_suite,
|
393
419
|
key_schedule.server_application_write_key,
|
394
420
|
key_schedule.server_application_write_iv
|
395
421
|
)
|
422
|
+
sslkeylogfile&.write_server_traffic_secret_0(
|
423
|
+
transcript[CH].first.random,
|
424
|
+
key_schedule.server_application_traffic_secret
|
425
|
+
)
|
396
426
|
@exporter_master_secret = key_schedule.exporter_master_secret
|
397
427
|
@resumption_master_secret = key_schedule.resumption_master_secret
|
398
428
|
@state = ClientState::CONNECTED
|
@@ -402,6 +432,7 @@ module TTTLS13
|
|
402
432
|
break
|
403
433
|
end
|
404
434
|
end
|
435
|
+
sslkeylogfile&.close
|
405
436
|
end
|
406
437
|
# rubocop: enable Metrics/AbcSize
|
407
438
|
# rubocop: enable Metrics/BlockLength
|
data/lib/tttls1.3/server.rb
CHANGED
@@ -60,6 +60,7 @@ module TTTLS13
|
|
60
60
|
process_ocsp_response: nil,
|
61
61
|
compress_certificate_algorithms: DEFAULT_SP_COMPRESS_CERTIFICATE_ALGORITHMS,
|
62
62
|
compatibility_mode: true,
|
63
|
+
sslkeylogfile: nil,
|
63
64
|
loglevel: Logger::WARN
|
64
65
|
}.freeze
|
65
66
|
private_constant :DEFAULT_SERVER_SETTINGS
|
@@ -148,6 +149,15 @@ module TTTLS13
|
|
148
149
|
priv_key = nil # OpenSSL::PKey::$Object
|
149
150
|
hs_wcipher = nil # TTTLS13::Cryptograph::$Object
|
150
151
|
hs_rcipher = nil # TTTLS13::Cryptograph::$Object
|
152
|
+
sslkeylogfile = nil # TTTLS13::SslKeyLogFile::Writer
|
153
|
+
unless @settings[:sslkeylogfile].nil?
|
154
|
+
begin
|
155
|
+
sslkeylogfile = SslKeyLogFile::Writer.new(@settings[:sslkeylogfile])
|
156
|
+
rescue SystemCallError => e
|
157
|
+
msg = "\"#{@settings[:sslkeylogfile]}\" file can NOT open: #{e}"
|
158
|
+
logger.warn(msg)
|
159
|
+
end
|
160
|
+
end
|
151
161
|
|
152
162
|
@state = ServerState::START
|
153
163
|
loop do
|
@@ -220,7 +230,7 @@ module TTTLS13
|
|
220
230
|
# generate shared secret
|
221
231
|
ke = ch.extensions[Message::ExtensionType::KEY_SHARE]
|
222
232
|
&.key_share_entry
|
223
|
-
&.find { |
|
233
|
+
&.find { |kse| kse.group == @named_group }
|
224
234
|
&.key_exchange
|
225
235
|
shared_secret = gen_shared_secret(ke, priv_key, @named_group)
|
226
236
|
key_schedule = KeySchedule.new(
|
@@ -234,11 +244,19 @@ module TTTLS13
|
|
234
244
|
key_schedule.server_handshake_write_key,
|
235
245
|
key_schedule.server_handshake_write_iv
|
236
246
|
)
|
247
|
+
sslkeylogfile&.write_server_handshake_traffic_secret(
|
248
|
+
transcript[CH].first.random,
|
249
|
+
key_schedule.server_handshake_traffic_secret
|
250
|
+
)
|
237
251
|
hs_rcipher = gen_cipher(
|
238
252
|
@cipher_suite,
|
239
253
|
key_schedule.client_handshake_write_key,
|
240
254
|
key_schedule.client_handshake_write_iv
|
241
255
|
)
|
256
|
+
sslkeylogfile&.write_client_handshake_traffic_secret(
|
257
|
+
transcript[CH].first.random,
|
258
|
+
key_schedule.client_handshake_traffic_secret
|
259
|
+
)
|
242
260
|
@state = ServerState::WAIT_FLIGHT2
|
243
261
|
when ServerState::WAIT_EOED
|
244
262
|
logger.debug('ServerState::WAIT_EOED')
|
@@ -292,11 +310,19 @@ module TTTLS13
|
|
292
310
|
key_schedule.server_application_write_key,
|
293
311
|
key_schedule.server_application_write_iv
|
294
312
|
)
|
313
|
+
sslkeylogfile&.write_server_traffic_secret_0(
|
314
|
+
transcript[CH].first.random,
|
315
|
+
key_schedule.server_application_traffic_secret
|
316
|
+
)
|
295
317
|
@ap_rcipher = gen_cipher(
|
296
318
|
@cipher_suite,
|
297
319
|
key_schedule.client_application_write_key,
|
298
320
|
key_schedule.client_application_write_iv
|
299
321
|
)
|
322
|
+
sslkeylogfile&.write_client_traffic_secret_0(
|
323
|
+
transcript[CH].first.random,
|
324
|
+
key_schedule.client_application_traffic_secret
|
325
|
+
)
|
300
326
|
@exporter_master_secret = key_schedule.exporter_master_secret
|
301
327
|
@state = ServerState::CONNECTED
|
302
328
|
when ServerState::CONNECTED
|
@@ -305,6 +331,7 @@ module TTTLS13
|
|
305
331
|
break
|
306
332
|
end
|
307
333
|
end
|
334
|
+
sslkeylogfile&.close
|
308
335
|
end
|
309
336
|
# rubocop: enable Metrics/AbcSize
|
310
337
|
# rubocop: enable Metrics/BlockLength
|
@@ -0,0 +1,87 @@
|
|
1
|
+
# encoding: ascii-8bit
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
module TTTLS13
|
5
|
+
module SslKeyLogFile
|
6
|
+
module Label
|
7
|
+
CLIENT_EARLY_TRAFFIC_SECRET = 'CLIENT_EARLY_TRAFFIC_SECRET'
|
8
|
+
CLIENT_HANDSHAKE_TRAFFIC_SECRET = 'CLIENT_HANDSHAKE_TRAFFIC_SECRET'
|
9
|
+
SERVER_HANDSHAKE_TRAFFIC_SECRET = 'SERVER_HANDSHAKE_TRAFFIC_SECRET'
|
10
|
+
CLIENT_TRAFFIC_SECRET_0 = 'CLIENT_TRAFFIC_SECRET_0'
|
11
|
+
SERVER_TRAFFIC_SECRET_0 = 'SERVER_TRAFFIC_SECRET_0'
|
12
|
+
end
|
13
|
+
|
14
|
+
class Writer
|
15
|
+
# @param path [String]
|
16
|
+
#
|
17
|
+
# @raise [SystemCallError]
|
18
|
+
def initialize(path)
|
19
|
+
@file = File.new(path, 'a+')
|
20
|
+
end
|
21
|
+
|
22
|
+
# @param client_random [String]
|
23
|
+
# @param secret [String]
|
24
|
+
def write_client_early_traffic_secret(client_random, secret)
|
25
|
+
write_key_log(
|
26
|
+
Label::CLIENT_EARLY_TRAFFIC_SECRET,
|
27
|
+
client_random,
|
28
|
+
secret
|
29
|
+
)
|
30
|
+
end
|
31
|
+
|
32
|
+
# @param client_random [String]
|
33
|
+
# @param secret [String]
|
34
|
+
def write_client_handshake_traffic_secret(client_random, secret)
|
35
|
+
write_key_log(
|
36
|
+
Label::CLIENT_HANDSHAKE_TRAFFIC_SECRET,
|
37
|
+
client_random,
|
38
|
+
secret
|
39
|
+
)
|
40
|
+
end
|
41
|
+
|
42
|
+
# @param client_random [String]
|
43
|
+
# @param secret [String]
|
44
|
+
def write_server_handshake_traffic_secret(client_random, secret)
|
45
|
+
write_key_log(
|
46
|
+
Label::SERVER_HANDSHAKE_TRAFFIC_SECRET,
|
47
|
+
client_random,
|
48
|
+
secret
|
49
|
+
)
|
50
|
+
end
|
51
|
+
|
52
|
+
# @param client_random [String]
|
53
|
+
# @param secret [String]
|
54
|
+
def write_client_traffic_secret_0(client_random, secret)
|
55
|
+
write_key_log(
|
56
|
+
Label::CLIENT_TRAFFIC_SECRET_0,
|
57
|
+
client_random,
|
58
|
+
secret
|
59
|
+
)
|
60
|
+
end
|
61
|
+
|
62
|
+
# @param client_random [String]
|
63
|
+
# @param secret [String]
|
64
|
+
def write_server_traffic_secret_0(client_random, secret)
|
65
|
+
write_key_log(
|
66
|
+
Label::SERVER_TRAFFIC_SECRET_0,
|
67
|
+
client_random,
|
68
|
+
secret
|
69
|
+
)
|
70
|
+
end
|
71
|
+
|
72
|
+
def close
|
73
|
+
@file&.close
|
74
|
+
end
|
75
|
+
|
76
|
+
private
|
77
|
+
|
78
|
+
# @param label [TTTLS13::SslKeyLogFile::Label]
|
79
|
+
# @param client_random [String]
|
80
|
+
# @param secret [String]
|
81
|
+
def write_key_log(label, client_random, secret)
|
82
|
+
s = "#{label} #{client_random.unpack1('H*')} #{secret.unpack1('H*')}\n"
|
83
|
+
@file&.print(s)
|
84
|
+
end
|
85
|
+
end
|
86
|
+
end
|
87
|
+
end
|
data/lib/tttls1.3/version.rb
CHANGED
data/lib/tttls1.3.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: tttls1.3
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.2.
|
4
|
+
version: 0.2.18
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- thekuwayama
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-08-
|
11
|
+
date: 2022-08-18 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -63,6 +63,7 @@ files:
|
|
63
63
|
- ".gitignore"
|
64
64
|
- ".rspec"
|
65
65
|
- ".rubocop.yml"
|
66
|
+
- ".ruby-version"
|
66
67
|
- Gemfile
|
67
68
|
- LICENSE.txt
|
68
69
|
- README.md
|
@@ -123,6 +124,7 @@ files:
|
|
123
124
|
- lib/tttls1.3/sequence_number.rb
|
124
125
|
- lib/tttls1.3/server.rb
|
125
126
|
- lib/tttls1.3/signature_scheme.rb
|
127
|
+
- lib/tttls1.3/sslkeylogfile.rb
|
126
128
|
- lib/tttls1.3/transcript.rb
|
127
129
|
- lib/tttls1.3/utils.rb
|
128
130
|
- lib/tttls1.3/version.rb
|
@@ -198,7 +200,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
198
200
|
- !ruby/object:Gem::Version
|
199
201
|
version: '0'
|
200
202
|
requirements: []
|
201
|
-
rubygems_version: 3.
|
203
|
+
rubygems_version: 3.3.7
|
202
204
|
signing_key:
|
203
205
|
specification_version: 4
|
204
206
|
summary: TLS 1.3 implementation in Ruby (Tiny Trial TLS1.3 aka tttls1.3)
|