tttls1.3 0.2.17 → 0.2.18

Sign up to get free protection for your applications and to get access to all the features.
Files changed (14) hide show
  1. checksums.yaml +4 -4
  2. data/.github/workflows/ci.yml +4 -2
  3. data/.gitignore +1 -0
  4. data/.ruby-version +1 -0
  5. data/Gemfile +3 -1
  6. data/README.md +3 -1
  7. data/example/https_client.rb +2 -1
  8. data/example/https_server.rb +3 -2
  9. data/lib/tttls1.3/client.rb +31 -0
  10. data/lib/tttls1.3/server.rb +28 -1
  11. data/lib/tttls1.3/sslkeylogfile.rb +87 -0
  12. data/lib/tttls1.3/version.rb +1 -1
  13. data/lib/tttls1.3.rb +1 -0
  14. metadata +5 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: c2b9bfcfb3b52aaf74864e31adc9f132ab9ce94f4610bcaaefd8c7a5048666e5
4
- data.tar.gz: 77ccec36eaeec3d0d569a8428209b14749d0d2d80ce33348ed1cdb6f5cbd6ec8
3
+ metadata.gz: 1a07aded25aecad8bd61ff9fd49a70df15c8abf356d4747891486dd81386b68d
4
+ data.tar.gz: 4637b3288dab22caae951cc43c283057fd3ed215fc5fa86e318becc3369ac7b2
5
5
  SHA512:
6
- metadata.gz: 29ffa56dd58069ec5096bc0a19d81d79ee71a34f57d2381f91a1039d33b9ec0ca5cd965904a586d2f342957c3a05e92167e2c249fc2aad0ea4bfe2cebf9dc30f
7
- data.tar.gz: a1cd0087f0d9ab6a2c7adf5245f9acca5756da7cd3084d1e2b79a601c6606b00680291be5fe7fcf442bdb9d90cdb22dc26a241bcf26ac754ff0476e889c3f092
6
+ metadata.gz: 621a8f82c99e21e964cfb6defe14e2f8864f1c42cc94c9af725de2ff73929226d99a694c893ada3fc44c5224be70ec87bfcb291eceab271b33e4759c6c900cd8
7
+ data.tar.gz: 9088db06f998013577eb647d064e97035047a2cef7799010bc91f18384787bdf158357fd33c296b92ec1bc07a2ad1b307c98d0217735dfef5c6acf565f3c9433
data/.github/workflows/ci.yml CHANGED
@@ -15,10 +15,12 @@ jobs:
15
15
  matrix:
16
16
  ruby-version: ['2.7.x', '3.0.x', '3.1.x']
17
17
  steps:
18
+ - uses: actions/checkout@v3
18
19
  - uses: docker://thekuwayama/openssl:latest
19
20
  - name: Set up Ruby
20
- uses: actions/setup-ruby@v1
21
- - uses: actions/checkout@v1
21
+ uses: ruby/setup-ruby@v1
22
+ with:
23
+ ruby-version: ${{ matrix.ruby }}
22
24
  - name: Install dependencies
23
25
  run: |
24
26
  gem --version
data/.gitignore CHANGED
@@ -14,3 +14,4 @@ Gemfile.lock
14
14
  /coverage/
15
15
  /spec/reports/
16
16
  /tmp/
17
+ .DS_Store
data/.ruby-version ADDED
@@ -0,0 +1 @@
1
+ 3.1.2
data/Gemfile CHANGED
@@ -6,10 +6,12 @@ gem 'logger'
6
6
  gem 'openssl'
7
7
  gem 'rake'
8
8
 
9
- group :test do
9
+ group :development do
10
10
  gem 'byebug'
11
+ gem 'http_parser.rb'
11
12
  gem 'rspec', '3.9.0'
12
13
  gem 'rubocop', '0.78.0'
14
+ gem 'webrick'
13
15
  end
14
16
 
15
17
  gemspec
data/README.md CHANGED
@@ -2,7 +2,7 @@
2
2
 
3
3
  [![Gem Version](https://badge.fury.io/rb/tttls1.3.svg)](https://badge.fury.io/rb/tttls1.3)
4
4
  [![Actions Status](https://github.com/thekuwayama/tttls1.3/workflows/CI/badge.svg)](https://github.com/thekuwayama/tttls1.3/actions?workflow=CI)
5
- [![Maintainability](https://api.codeclimate.com/v1/badges/47f3c267d9cfd2c8e388/maintainability)](https://codeclimate.com/github/thekuwayama/tttls1.3/maintainability)
5
+ [![Maintainability](https://api.codeclimate.com/v1/badges/b5ae1b3a43828142d2fa/maintainability)](https://codeclimate.com/github/thekuwayama/tttls1.3/maintainability)
6
6
 
7
7
  tttls1.3 is Ruby implementation of [TLS 1.3](https://tools.ietf.org/html/rfc8446) protocol.
8
8
 
@@ -104,6 +104,7 @@ tttls1.3 client is configurable using keyword arguments.
104
104
  | `:process_certificate_status` | Proc | `TTTLS13::Client.method(:softfail_check_certificate_status)` | Proc(or Method) that checks received OCSPResponse. Its 3 arguments are OpenSSL::OCSP::Response, end-entity certificate(OpenSSL::X509::Certificate) and certificates chain(Array of Certificate) used for verification and it returns Boolean. |
105
105
  | `:compress_certificate_algorithms` | Array of TTTLS13::Message::Extension::CertificateCompressionAlgorithm constant | `ZLIB` | The compression algorithms are supported for compressing the Certificate message. |
106
106
  | `:compatibility_mode` | Boolean | true | If needed to send ChangeCipherSpec, set true. |
107
+ | `:sslkeylogfile` | String | nil | If needed to log SSLKEYLOGFILE, set the file path. |
107
108
  | `:loglevel` | Logger constant | Logger::WARN | If needed to print verbose, set Logger::DEBUG. |
108
109
 
109
110
 
@@ -123,6 +124,7 @@ tttls1.3 server is configurable using keyword arguments.
123
124
  | `:process_ocsp_response` | Proc | nil | Proc that gets OpenSSL::OCSP::Response. If not needed to staple OCSP::Response, set nil. |
124
125
  | `:compress_certificate_algorithms` | Array of TTTLS13::Message::Extension::CertificateCompressionAlgorithm constant | `ZLIB` | The compression algorithms are supported for compressing the Certificate message. |
125
126
  | `:compatibility_mode` | Boolean | true | If needed to send ChangeCipherSpec, set true. |
127
+ | `:sslkeylogfile` | String | nil | If needed to log SSLKEYLOGFILE, set the file path. |
126
128
  | `:loglevel` | Logger constant | Logger::WARN | If needed to print verbose, set Logger::DEBUG. |
127
129
 
128
130
 
data/example/https_client.rb CHANGED
@@ -10,7 +10,8 @@ req = simple_http_request(hostname)
10
10
  socket = TCPSocket.new(hostname, port)
11
11
  settings = {
12
12
  ca_file: File.exist?(ca_file) ? ca_file : nil,
13
- alpn: ['http/1.1']
13
+ alpn: ['http/1.1'],
14
+ sslkeylogfile: '/tmp/sslkeylogfile.log'
14
15
  }
15
16
  client = TTTLS13::Client.new(socket, hostname, **settings)
16
17
  client.connect
data/example/https_server.rb CHANGED
@@ -12,7 +12,8 @@ settings = {
12
12
  crt_file: __dir__ + '/../tmp/server.crt',
13
13
  chain_files: [__dir__ + '/../tmp/intermediate.crt'],
14
14
  key_file: __dir__ + '/../tmp/server.key',
15
- alpn: ['http/1.1']
15
+ alpn: ['http/1.1'],
16
+ sslkeylogfile: '/tmp/sslkeylogfile.log'
16
17
  }
17
18
 
18
19
  q = Queue.new
@@ -49,7 +50,7 @@ Etc.nprocessors.times do
49
50
  rescue Timeout::Error
50
51
  logger.warn 'Timeout'
51
52
  ensure
52
- s.close
53
+ s&.close
53
54
  end
54
55
  end
55
56
  end
data/lib/tttls1.3/client.rb CHANGED
@@ -68,6 +68,7 @@ module TTTLS13
68
68
  process_certificate_status: nil,
69
69
  compress_certificate_algorithms: DEFALUT_CH_COMPRESS_CERTIFICATE_ALGORITHMS,
70
70
  compatibility_mode: true,
71
+ sslkeylogfile: nil,
71
72
  loglevel: Logger::WARN
72
73
  }.freeze
73
74
  private_constant :DEFAULT_CLIENT_SETTINGS
@@ -151,6 +152,15 @@ module TTTLS13
151
152
  hs_wcipher = nil # TTTLS13::Cryptograph::$Object
152
153
  hs_rcipher = nil # TTTLS13::Cryptograph::$Object
153
154
  e_wcipher = nil # TTTLS13::Cryptograph::$Object
155
+ sslkeylogfile = nil # TTTLS13::SslKeyLogFile::Writer
156
+ unless @settings[:sslkeylogfile].nil?
157
+ begin
158
+ sslkeylogfile = SslKeyLogFile::Writer.new(@settings[:sslkeylogfile])
159
+ rescue SystemCallError => e
160
+ msg = "\"#{@settings[:sslkeylogfile]}\" file can NOT open: #{e}"
161
+ logger.warn(msg)
162
+ end
163
+ end
154
164
 
155
165
  @state = ClientState::START
156
166
  loop do
@@ -169,6 +179,10 @@ module TTTLS13
169
179
  key_schedule.early_data_write_key,
170
180
  key_schedule.early_data_write_iv
171
181
  )
182
+ sslkeylogfile&.write_client_early_traffic_secret(
183
+ transcript[CH].first.random,
184
+ key_schedule.client_early_traffic_secret
185
+ )
172
186
  send_early_data(e_wcipher)
173
187
  end
174
188
 
@@ -276,11 +290,19 @@ module TTTLS13
276
290
  key_schedule.client_handshake_write_key,
277
291
  key_schedule.client_handshake_write_iv
278
292
  )
293
+ sslkeylogfile&.write_client_handshake_traffic_secret(
294
+ transcript[CH].first.random,
295
+ key_schedule.client_handshake_traffic_secret
296
+ )
279
297
  hs_rcipher = gen_cipher(
280
298
  @cipher_suite,
281
299
  key_schedule.server_handshake_write_key,
282
300
  key_schedule.server_handshake_write_iv
283
301
  )
302
+ sslkeylogfile&.write_server_handshake_traffic_secret(
303
+ transcript[CH].first.random,
304
+ key_schedule.server_handshake_traffic_secret
305
+ )
284
306
  @state = ClientState::WAIT_EE
285
307
  when ClientState::WAIT_EE
286
308
  logger.debug('ClientState::WAIT_EE')
@@ -388,11 +410,19 @@ module TTTLS13
388
410
  key_schedule.client_application_write_key,
389
411
  key_schedule.client_application_write_iv
390
412
  )
413
+ sslkeylogfile&.write_client_traffic_secret_0(
414
+ transcript[CH].first.random,
415
+ key_schedule.client_application_traffic_secret
416
+ )
391
417
  @ap_rcipher = gen_cipher(
392
418
  @cipher_suite,
393
419
  key_schedule.server_application_write_key,
394
420
  key_schedule.server_application_write_iv
395
421
  )
422
+ sslkeylogfile&.write_server_traffic_secret_0(
423
+ transcript[CH].first.random,
424
+ key_schedule.server_application_traffic_secret
425
+ )
396
426
  @exporter_master_secret = key_schedule.exporter_master_secret
397
427
  @resumption_master_secret = key_schedule.resumption_master_secret
398
428
  @state = ClientState::CONNECTED
@@ -402,6 +432,7 @@ module TTTLS13
402
432
  break
403
433
  end
404
434
  end
435
+ sslkeylogfile&.close
405
436
  end
406
437
  # rubocop: enable Metrics/AbcSize
407
438
  # rubocop: enable Metrics/BlockLength
data/lib/tttls1.3/server.rb CHANGED
@@ -60,6 +60,7 @@ module TTTLS13
60
60
  process_ocsp_response: nil,
61
61
  compress_certificate_algorithms: DEFAULT_SP_COMPRESS_CERTIFICATE_ALGORITHMS,
62
62
  compatibility_mode: true,
63
+ sslkeylogfile: nil,
63
64
  loglevel: Logger::WARN
64
65
  }.freeze
65
66
  private_constant :DEFAULT_SERVER_SETTINGS
@@ -148,6 +149,15 @@ module TTTLS13
148
149
  priv_key = nil # OpenSSL::PKey::$Object
149
150
  hs_wcipher = nil # TTTLS13::Cryptograph::$Object
150
151
  hs_rcipher = nil # TTTLS13::Cryptograph::$Object
152
+ sslkeylogfile = nil # TTTLS13::SslKeyLogFile::Writer
153
+ unless @settings[:sslkeylogfile].nil?
154
+ begin
155
+ sslkeylogfile = SslKeyLogFile::Writer.new(@settings[:sslkeylogfile])
156
+ rescue SystemCallError => e
157
+ msg = "\"#{@settings[:sslkeylogfile]}\" file can NOT open: #{e}"
158
+ logger.warn(msg)
159
+ end
160
+ end
151
161
 
152
162
  @state = ServerState::START
153
163
  loop do
@@ -220,7 +230,7 @@ module TTTLS13
220
230
  # generate shared secret
221
231
  ke = ch.extensions[Message::ExtensionType::KEY_SHARE]
222
232
  &.key_share_entry
223
- &.find { |e| e.group == @named_group }
233
+ &.find { |kse| kse.group == @named_group }
224
234
  &.key_exchange
225
235
  shared_secret = gen_shared_secret(ke, priv_key, @named_group)
226
236
  key_schedule = KeySchedule.new(
@@ -234,11 +244,19 @@ module TTTLS13
234
244
  key_schedule.server_handshake_write_key,
235
245
  key_schedule.server_handshake_write_iv
236
246
  )
247
+ sslkeylogfile&.write_server_handshake_traffic_secret(
248
+ transcript[CH].first.random,
249
+ key_schedule.server_handshake_traffic_secret
250
+ )
237
251
  hs_rcipher = gen_cipher(
238
252
  @cipher_suite,
239
253
  key_schedule.client_handshake_write_key,
240
254
  key_schedule.client_handshake_write_iv
241
255
  )
256
+ sslkeylogfile&.write_client_handshake_traffic_secret(
257
+ transcript[CH].first.random,
258
+ key_schedule.client_handshake_traffic_secret
259
+ )
242
260
  @state = ServerState::WAIT_FLIGHT2
243
261
  when ServerState::WAIT_EOED
244
262
  logger.debug('ServerState::WAIT_EOED')
@@ -292,11 +310,19 @@ module TTTLS13
292
310
  key_schedule.server_application_write_key,
293
311
  key_schedule.server_application_write_iv
294
312
  )
313
+ sslkeylogfile&.write_server_traffic_secret_0(
314
+ transcript[CH].first.random,
315
+ key_schedule.server_application_traffic_secret
316
+ )
295
317
  @ap_rcipher = gen_cipher(
296
318
  @cipher_suite,
297
319
  key_schedule.client_application_write_key,
298
320
  key_schedule.client_application_write_iv
299
321
  )
322
+ sslkeylogfile&.write_client_traffic_secret_0(
323
+ transcript[CH].first.random,
324
+ key_schedule.client_application_traffic_secret
325
+ )
300
326
  @exporter_master_secret = key_schedule.exporter_master_secret
301
327
  @state = ServerState::CONNECTED
302
328
  when ServerState::CONNECTED
@@ -305,6 +331,7 @@ module TTTLS13
305
331
  break
306
332
  end
307
333
  end
334
+ sslkeylogfile&.close
308
335
  end
309
336
  # rubocop: enable Metrics/AbcSize
310
337
  # rubocop: enable Metrics/BlockLength
data/lib/tttls1.3/sslkeylogfile.rb ADDED
@@ -0,0 +1,87 @@
1
+ # encoding: ascii-8bit
2
+ # frozen_string_literal: true
3
+
4
+ module TTTLS13
5
+ module SslKeyLogFile
6
+ module Label
7
+ CLIENT_EARLY_TRAFFIC_SECRET = 'CLIENT_EARLY_TRAFFIC_SECRET'
8
+ CLIENT_HANDSHAKE_TRAFFIC_SECRET = 'CLIENT_HANDSHAKE_TRAFFIC_SECRET'
9
+ SERVER_HANDSHAKE_TRAFFIC_SECRET = 'SERVER_HANDSHAKE_TRAFFIC_SECRET'
10
+ CLIENT_TRAFFIC_SECRET_0 = 'CLIENT_TRAFFIC_SECRET_0'
11
+ SERVER_TRAFFIC_SECRET_0 = 'SERVER_TRAFFIC_SECRET_0'
12
+ end
13
+
14
+ class Writer
15
+ # @param path [String]
16
+ #
17
+ # @raise [SystemCallError]
18
+ def initialize(path)
19
+ @file = File.new(path, 'a+')
20
+ end
21
+
22
+ # @param client_random [String]
23
+ # @param secret [String]
24
+ def write_client_early_traffic_secret(client_random, secret)
25
+ write_key_log(
26
+ Label::CLIENT_EARLY_TRAFFIC_SECRET,
27
+ client_random,
28
+ secret
29
+ )
30
+ end
31
+
32
+ # @param client_random [String]
33
+ # @param secret [String]
34
+ def write_client_handshake_traffic_secret(client_random, secret)
35
+ write_key_log(
36
+ Label::CLIENT_HANDSHAKE_TRAFFIC_SECRET,
37
+ client_random,
38
+ secret
39
+ )
40
+ end
41
+
42
+ # @param client_random [String]
43
+ # @param secret [String]
44
+ def write_server_handshake_traffic_secret(client_random, secret)
45
+ write_key_log(
46
+ Label::SERVER_HANDSHAKE_TRAFFIC_SECRET,
47
+ client_random,
48
+ secret
49
+ )
50
+ end
51
+
52
+ # @param client_random [String]
53
+ # @param secret [String]
54
+ def write_client_traffic_secret_0(client_random, secret)
55
+ write_key_log(
56
+ Label::CLIENT_TRAFFIC_SECRET_0,
57
+ client_random,
58
+ secret
59
+ )
60
+ end
61
+
62
+ # @param client_random [String]
63
+ # @param secret [String]
64
+ def write_server_traffic_secret_0(client_random, secret)
65
+ write_key_log(
66
+ Label::SERVER_TRAFFIC_SECRET_0,
67
+ client_random,
68
+ secret
69
+ )
70
+ end
71
+
72
+ def close
73
+ @file&.close
74
+ end
75
+
76
+ private
77
+
78
+ # @param label [TTTLS13::SslKeyLogFile::Label]
79
+ # @param client_random [String]
80
+ # @param secret [String]
81
+ def write_key_log(label, client_random, secret)
82
+ s = "#{label} #{client_random.unpack1('H*')} #{secret.unpack1('H*')}\n"
83
+ @file&.print(s)
84
+ end
85
+ end
86
+ end
87
+ end
data/lib/tttls1.3/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module TTTLS13
4
- VERSION = '0.2.17'
4
+ VERSION = '0.2.18'
5
5
  end
data/lib/tttls1.3.rb CHANGED
@@ -17,6 +17,7 @@ require 'tttls1.3/transcript'
17
17
  require 'tttls1.3/key_schedule'
18
18
  require 'tttls1.3/message'
19
19
  require 'tttls1.3/sequence_number'
20
+ require 'tttls1.3/sslkeylogfile'
20
21
  require 'tttls1.3/connection'
21
22
  require 'tttls1.3/client'
22
23
  require 'tttls1.3/server'
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: tttls1.3
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.17
4
+ version: 0.2.18
5
5
  platform: ruby
6
6
  authors:
7
7
  - thekuwayama
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-08-14 00:00:00.000000000 Z
11
+ date: 2022-08-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -63,6 +63,7 @@ files:
63
63
  - ".gitignore"
64
64
  - ".rspec"
65
65
  - ".rubocop.yml"
66
+ - ".ruby-version"
66
67
  - Gemfile
67
68
  - LICENSE.txt
68
69
  - README.md
@@ -123,6 +124,7 @@ files:
123
124
  - lib/tttls1.3/sequence_number.rb
124
125
  - lib/tttls1.3/server.rb
125
126
  - lib/tttls1.3/signature_scheme.rb
127
+ - lib/tttls1.3/sslkeylogfile.rb
126
128
  - lib/tttls1.3/transcript.rb
127
129
  - lib/tttls1.3/utils.rb
128
130
  - lib/tttls1.3/version.rb
@@ -198,7 +200,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
198
200
  - !ruby/object:Gem::Version
199
201
  version: '0'
200
202
  requirements: []
201
- rubygems_version: 3.2.22
203
+ rubygems_version: 3.3.7
202
204
  signing_key:
203
205
  specification_version: 4
204
206
  summary: TLS 1.3 implementation in Ruby (Tiny Trial TLS1.3 aka tttls1.3)