tttls1.3 0.3.4 → 0.3.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '0913f70f0bdbfd6740f41ce7902f55660ea1bd99533a8f765f9d98a1bd56a58c'
-  data.tar.gz: 611a063ae74498d19636ebf3ee3741b76164856341bb38ec9966a999579bdfb1
+  metadata.gz: f96bc3fd01ddafecaaa2871ffb65b8126f98d4ae3f7e227ec60d4d3b84fb20f4
+  data.tar.gz: d4f76a3799d201a2ad830182e00dab1becbdb3927ecf9a9b4afef77276de4b0c
 SHA512:
-  metadata.gz: 88f39003d30f4642c67a61169923fe248bc572b4a1c638eb36803dc4278aa91a499919784cd060fa35c522bcb935745d1b4542abb1963514aba1f86f1ea789fd
-  data.tar.gz: cd2ae8cd383cd9737a732d53c8ca27cbacdcd3c4a5b6bee62f5f43faba4fd8eb8067b0621df18d8b77db679823c3aa26947508fe5827939bf6741e6f417a1d80
+  metadata.gz: 4ae20c65462966ad685029f1f419e8fe141ccdd7fba9a61a04a7f1f238fd1e62ee88ac06e8f80bd6d5ea907b1571914acd23561d53350238adcc30eacac84885
+  data.tar.gz: 8e11fb873969e1b3a37a582d7e7b6db06bfe2c55aaa0c5f2035b3b9ca0c79fd1a35d8f4bb064ad0b3f2708f545624925f1f4c95aa9fee8ed8635b64c8f64d730

data/.github/workflows/ci.yml

@@ -14,11 +14,13 @@ jobs:
     strategy:
       matrix:
         ruby-version: ['3.1', '3.2', '3.3']
+    env:
+      SPEC_VERBOSE: true
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: docker://thekuwayama/openssl:latest
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@eaecf785f6a34567a6d97f686bbb7bccc1ac1e5c # v1.237.0
         with:
           ruby-version: ${{ matrix.ruby-version }}
       - name: Install dependencies

data/.rubocop.yml

@@ -1,11 +1,5 @@
 AllCops:
-  TargetRubyVersion: 2.7
-
-Gemspec/RequiredRubyVersion:
-  Enabled: false
-
-Semicolon:
-  AllowAsExpressionSeparator: true
+  TargetRubyVersion: 3.1
 
 Style/ConditionalAssignment:
   Enabled: false
@@ -16,25 +10,36 @@ Style/Documentation:
 Style/NumericLiterals:
   Enabled: false
 
+Style/Semicolon:
+  Enabled: false
+
+Style/StringConcatenation:
+  Enabled: false
+
 Metrics/AbcSize:
   Max: 30
 
+Metrics/CyclomaticComplexity:
+  Max: 15
+
 Metrics/MethodLength:
   Max: 30
 
+Metrics/PerceivedComplexity:
+  Max: 15
+
 Naming/MethodParameterName:
   MinNameLength: 1
 
+Naming/VariableNumber:
+  Enabled: false
+
 Metrics/BlockLength:
   Exclude:
     - 'Rakefile'
     - 'spec/*.rb'
     - 'interop/*.rb'
 
-Layout/LineLength:
-  Exclude:
-    - 'tttls1.3.gemspec'
-
 # https://github.com/rubocop/rubocop/issues/10258
 Layout/BlockAlignment:
   Enabled: false

data/.ruby-version

@@ -1 +1 @@
-3.2.2
+3.4.3

data/Gemfile

@@ -6,15 +6,15 @@ gem 'ech_config', '~> 0.0.3'
 gem 'hpke'
 gem 'logger'
 gem 'openssl'
-gem 'rake'
 
 group :development do
   gem 'base64'
   gem 'byebug'
   gem 'http_parser.rb'
+  gem 'rake'
   gem 'resolv', '~> 0.4.0'
-  gem 'rspec', '3.9.0'
-  gem 'rubocop', '0.78.0'
+  gem 'rspec'
+  gem 'rubocop', '1.62.0'
   gem 'webrick'
 end
 

data/README.md

@@ -24,7 +24,7 @@ tttls1.3 provides client API with the following features:
 * Resumed 0-RTT Handshake (with PSK from NST)
 * [ECH](https://datatracker.ietf.org/doc/draft-ietf-tls-esni/)
 
-**NOT supports** certificate with OID RSASSA-PSS, X25519, X448, FFDHE, AES-CCM, Client Authentication, Post-Handshake Authentication, KeyUpdate and external PSKs.
+**NOT supports** certificate with OID RSASSA-PSS, FFDHE, Client Authentication, Post-Handshake Authentication, KeyUpdate and external PSKs.
 
 ### Server
 
@@ -33,7 +33,7 @@ tttls1.3 provides server API with the following features:
 * Simple 1-RTT Handshake
 * HelloRetryRequest
 
-**NOT supports** certificate with OID RSASSA-PSS, X25519, X448, FFDHE, AES-CCM, Client Authentication, Post-Handshake Authentication, KeyUpdate, external PSKs and Resumed 0-RTT Handshake.
+**NOT supports** certificate with OID RSASSA-PSS, FFDHE, Client Authentication, Post-Handshake Authentication, KeyUpdate, external PSKs and Resumed 0-RTT Handshake.
 
 
 ## Getting started
@@ -90,7 +90,7 @@ tttls1.3 client is configurable using keyword arguments.
 | `:cipher_suites` | Array of TTTLS13::CipherSuite constant | `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`, `TLS_AES_128_GCM_SHA256` | List of cipher suites offered in ClientHello. |
 | `:signature_algorithms` | Array of TTTLS13::SignatureScheme constant | `ECDSA_SECP256R1_SHA256`, `ECDSA_SECP384R1_SHA384`, `ECDSA_SECP521R1_SHA512`, `RSA_PSS_RSAE_SHA256`, `RSA_PSS_RSAE_SHA384`, `RSA_PSS_RSAE_SHA512`, `RSA_PKCS1_SHA256`, `RSA_PKCS1_SHA384`, `RSA_PKCS1_SHA512` | List of signature algorithms offered in ClientHello extensions. |
 | `:signature_algorithms_cert` | Array of TTTLS13::SignatureScheme constant | nil | List of certificate signature algorithms offered in ClientHello extensions. You can set this to signal the difference between the signature algorithm and `:signature_algorithms`. |
-| `:supported_groups` | Array of TTTLS13::NamedGroup constant | `SECP256R1`, `SECP384R1`, `SECP521R1` | List of named groups offered in ClientHello extensions. |
+| `:supported_groups` | Array of TTTLS13::NamedGroup constant | `X25519`, `SECP256R1`, `SECP384R1`, `SECP521R1` | List of named groups offered in ClientHello extensions. |
 | `:key_share_groups` | Array of TTTLS13::NamedGroup constant | nil | List of named groups offered in KeyShareClientHello. In default, KeyShareClientHello has only a KeyShareEntry of most preferred named group in `:supported_groups`. You can set this to send KeyShareClientHello that has multiple KeyShareEntry. |
 | `:alpn` | Array of String | nil | List of application protocols offered in ClientHello extensions. If not needed to be present, set nil. |
 | `:process_new_session_ticket` | Proc | nil | Proc that processes received NewSessionTicket. Its 3 arguments are TTTLS13::Message::NewSessionTicket, resumption main secret and cipher suite. If not needed to process NewSessionTicket, set nil. |
@@ -122,7 +122,7 @@ tttls1.3 server is configurable using keyword arguments.
 | `:key_file` | String | nil | Path to the private key file. This is a required setting. |
 | `:cipher_suites` | Array of TTTLS13::CipherSuite constant | `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`, `TLS_AES_128_GCM_SHA256` | List of supported cipher suites. |
 | `:signature_algorithms` | Array of TTTLS13::SignatureScheme constant | `ECDSA_SECP256R1_SHA256`, `ECDSA_SECP384R1_SHA384`, `ECDSA_SECP521R1_SHA512`, `RSA_PSS_RSAE_SHA256`, `RSA_PSS_RSAE_SHA384`, `RSA_PSS_RSAE_SHA512`, `RSA_PKCS1_SHA256`, `RSA_PKCS1_SHA384`, `RSA_PKCS1_SHA512` | List of supported signature algorithms. |
-| `:supported_groups` | Array of TTTLS13::NamedGroup constant | `SECP256R1`, `SECP384R1`, `SECP521R1` | List of supported named groups. |
+| `:supported_groups` | Array of TTTLS13::NamedGroup constant | `X25519`, `SECP256R1`, `SECP384R1`, `SECP521R1` | List of supported named groups. |
 | `:alpn` | Array of String | nil | List of supported application protocols. If not needed to check this extension, set nil. |
 | `:process_ocsp_response` | Proc | nil | Proc that gets OpenSSL::OCSP::Response. If not needed to staple OCSP::Response, set nil. |
 | `:compress_certificate_algorithms` | Array of TTTLS13::Message::Extension::CertificateCompressionAlgorithm constant | `ZLIB` | The compression algorithms are supported for compressing the Certificate message. |

data/Rakefile

@@ -61,7 +61,7 @@ file CA_CRT => [TMP_DIR, CA_KEY] do
     )
   )
 
-  digest = OpenSSL::Digest::SHA256.new
+  digest = OpenSSL::Digest.new('SHA256')
   ca_crt.sign(ca_key, digest)
   File.write(CA_CRT, ca_crt.to_pem)
 end
@@ -112,7 +112,7 @@ file INTER_CRT => [TMP_DIR, INTER_KEY] do
     )
   )
 
-  digest = OpenSSL::Digest::SHA256.new
+  digest = OpenSSL::Digest.new('SHA256')
   inter_crt.sign(ca_key, digest)
   File.write(INTER_CRT, inter_crt.to_pem)
 end
@@ -169,7 +169,7 @@ file SERVER_CRT => [TMP_DIR, INTER_CRT, SERVER_KEY] do
     )
   )
 
-  digest = OpenSSL::Digest::SHA256.new
+  digest = OpenSSL::Digest.new('SHA256')
   server_crt.sign(inter_key, digest)
   File.write(SERVER_CRT, server_crt.to_pem)
 end

data/example/helper.rb

@@ -80,7 +80,7 @@ def transcript_htmlize(transcript)
     TTTLS13::CCT => 'Certificate',
     TTTLS13::CCV => 'CertificateVerify',
     TTTLS13::CF => 'Finished'
-  }.map { |k, v| [k, '<details><summary>' + v + '</summary>%s</details>'] }.to_h
+  }.transform_values { |v| '<details><summary>' + v + '</summary>%s</details>' }
   transcript.map do |k, v|
     format(m[k], TTTLS13::Convert.obj2html(v.first))
   end.join('<br>')

data/example/https_client_using_0rtt.rb

@@ -25,7 +25,7 @@ end
 settings_1st = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  process_new_session_ticket: process_new_session_ticket,
+  process_new_session_ticket:,
   sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 

data/example/https_client_using_ech.rb

@@ -16,7 +16,7 @@ socket = TCPSocket.new(uri.host, uri.port)
 settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  ech_config: ech_config,
+  ech_config:,
   ech_hpke_cipher_suites:
     TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
   sslkeylogfile: '/tmp/sslkeylogfile.log'

data/example/https_client_using_hrr_and_ech.rb

@@ -17,7 +17,7 @@ settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   key_share_groups: [], # empty KeyShareClientHello.client_shares
   alpn: ['http/1.1'],
-  ech_config: ech_config,
+  ech_config:,
   ech_hpke_cipher_suites:
     TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
   sslkeylogfile: '/tmp/sslkeylogfile.log'

data/example/https_client_using_hrr_and_ticket.rb

@@ -26,7 +26,7 @@ end
 settings_1st = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  process_new_session_ticket: process_new_session_ticket,
+  process_new_session_ticket:,
   sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 

data/example/https_client_using_status_request.rb

@@ -19,7 +19,7 @@ settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
   check_certificate_status: true,
-  process_certificate_status: process_certificate_status,
+  process_certificate_status:,
   sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 client = TTTLS13::Client.new(socket, uri.host, **settings)

data/example/https_client_using_ticket.rb

@@ -25,7 +25,7 @@ end
 settings_1st = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  process_new_session_ticket: process_new_session_ticket,
+  process_new_session_ticket:,
   sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 

data/example/https_client_using_ticket_and_ech.rb

@@ -15,7 +15,7 @@ ech_config = if ARGV.length > 1
 settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  ech_config: ech_config,
+  ech_config:,
   ech_hpke_cipher_suites:
     TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
   sslkeylogfile: '/tmp/sslkeylogfile.log'
@@ -33,10 +33,10 @@ end
 settings_1st = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
-  ech_config: ech_config,
+  ech_config:,
   ech_hpke_cipher_suites:
     TTTLS13::STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES,
-  process_new_session_ticket: process_new_session_ticket,
+  process_new_session_ticket:,
   sslkeylogfile: '/tmp/sslkeylogfile.log'
 }
 

data/example/https_server.rb

@@ -17,7 +17,7 @@ settings = {
 }
 
 q = Queue.new
-logger = Logger.new(STDERR, Logger::WARN)
+logger = Logger.new($stderr, Logger::WARN)
 # rubocop: disable Metrics/BlockLength
 Etc.nprocessors.times do
   Thread.start do

data/interop/client_spec.rb

@@ -12,127 +12,154 @@ RSpec.describe Client do
   # crt [String] server crt file path
   # key [String] server key file path
   # settings [Hash] TTTLS13::Server settings
-  # rubocop: disable Layout/LineLength
   testcases = [
     [
       true,
       '-ciphersuites TLS_AES_256_GCM_SHA384',
       'rsa_rsa.crt',
       'rsa_rsa.key',
-      cipher_suites: [CipherSuite::TLS_AES_256_GCM_SHA384]
+      { cipher_suites: [CipherSuite::TLS_AES_256_GCM_SHA384] }
     ],
     [
       true,
       '-ciphersuites TLS_CHACHA20_POLY1305_SHA256',
       'rsa_rsa.crt',
       'rsa_rsa.key',
-      cipher_suites: [CipherSuite::TLS_CHACHA20_POLY1305_SHA256]
+      { cipher_suites: [CipherSuite::TLS_CHACHA20_POLY1305_SHA256] }
     ],
     [
       true,
       '-ciphersuites TLS_AES_128_GCM_SHA256',
       'rsa_rsa.crt',
       'rsa_rsa.key',
-      cipher_suites: [CipherSuite::TLS_AES_128_GCM_SHA256]
+      { cipher_suites: [CipherSuite::TLS_AES_128_GCM_SHA256] }
+    ],
+    [
+      true,
+      '-ciphersuites TLS_AES_128_CCM_SHA256',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
+      { cipher_suites: [CipherSuite::TLS_AES_128_CCM_SHA256] }
+    ],
+    [
+      true,
+      "-ciphersuites TLS_AES_128_CCM_8_SHA256 -cipher 'DEFAULT:@SECLEVEL=0'",
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
+      { cipher_suites: [CipherSuite::TLS_AES_128_CCM_8_SHA256] }
     ],
     [
       false,
       '-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256',
       'rsa_rsa.crt',
       'rsa_rsa.key',
-      cipher_suites: [CipherSuite::TLS_AES_128_GCM_SHA256]
+      { cipher_suites: [CipherSuite::TLS_AES_128_GCM_SHA256] }
+    ],
+    [
+      true,
+      '-groups X25519',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
+      { supported_groups: [NamedGroup::X25519] }
+    ],
+    [
+      true,
+      '-groups X448',
+      'rsa_rsa.crt',
+      'rsa_rsa.key',
+      { supported_groups: [NamedGroup::X448] }
     ],
     [
       true,
       '-groups P-256',
       'rsa_rsa.crt',
       'rsa_rsa.key',
-      supported_groups: [NamedGroup::SECP256R1]
+      { supported_groups: [NamedGroup::SECP256R1] }
     ],
     [
       true,
       '-groups P-384',
       'rsa_rsa.crt',
       'rsa_rsa.key',
-      supported_groups: [NamedGroup::SECP384R1]
+      { supported_groups: [NamedGroup::SECP384R1] }
     ],
     [
       true,
       '-groups P-521',
       'rsa_rsa.crt',
       'rsa_rsa.key',
-      supported_groups: [NamedGroup::SECP521R1]
+      { supported_groups: [NamedGroup::SECP521R1] }
     ],
     [
       false,
-      '-groups P-256:P-384',
+      '-groups P-256:P-384:P-521:X448',
       'rsa_rsa.crt',
       'rsa_rsa.key',
-      supported_groups: [NamedGroup::SECP521R1]
+      { supported_groups: [NamedGroup::X25519] }
     ],
     [
       true,
       '-sigalgs RSA-PSS+SHA256',
       'rsa_rsa.crt',
       'rsa_rsa.key',
-      signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
-      signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA256]
+      { signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
+        signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA256] }
     ],
     [
       true,
       '-sigalgs RSA-PSS+SHA384',
       'rsa_rsa.crt',
       'rsa_rsa.key',
-      signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
-      signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA384]
+      { signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
+        signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA384] }
     ],
     [
       true,
       '-sigalgs RSA-PSS+SHA512',
       'rsa_rsa.crt',
       'rsa_rsa.key',
-      signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
-      signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA512]
+      { signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
+        signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA512] }
     ],
     [
       true,
       '-sigalgs ECDSA+SHA256',
       'rsa_secp256r1.crt',
       'rsa_secp256r1.key',
-      signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
-      signature_algorithms: [SignatureScheme::ECDSA_SECP256R1_SHA256]
+      { signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
+        signature_algorithms: [SignatureScheme::ECDSA_SECP256R1_SHA256] }
     ],
     [
       true,
       '-sigalgs ECDSA+SHA384',
       'rsa_secp384r1.crt',
       'rsa_secp384r1.key',
-      signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
-      signature_algorithms: [SignatureScheme::ECDSA_SECP384R1_SHA384]
+      { signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
+        signature_algorithms: [SignatureScheme::ECDSA_SECP384R1_SHA384] }
     ],
     [
       true,
       '-sigalgs ECDSA+SHA512',
       'rsa_secp521r1.crt',
       'rsa_secp521r1.key',
-      signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
-      signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512]
+      { signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
+        signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512] }
     ],
     [
       true,
       '-sigalgs RSA-PSS+SHA256',
       'rsa_rsassaPss.crt',
       'rsa_rsassaPss.key',
-      signature_algorithms_cert: [SignatureScheme::RSA_PSS_RSAE_SHA256],
-      signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA256]
+      { signature_algorithms_cert: [SignatureScheme::RSA_PSS_RSAE_SHA256],
+        signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA256] }
     ],
     [
       false,
       '-sigalgs ECDSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256',
       'rsa_secp521r1.crt',
       'rsa_secp521r1.key',
-      signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
-      signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512]
+      { signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
+        signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512] }
     ],
     [
       true,
@@ -146,24 +173,23 @@ RSpec.describe Client do
       '',
       'rsa_rsa.crt',
       'rsa_rsa.key',
-      key_share_groups: []
+      { key_share_groups: [] }
     ],
     [
       true,
       '-alpn http/1.0',
       'rsa_rsa.crt',
       'rsa_rsa.key',
-      alpn: ['http/1.0']
+      { alpn: ['http/1.0'] }
     ],
     [
       true,
       '',
       'rsa_rsa.crt',
       'rsa_rsa.key',
-      compatibility_mode: false
+      { compatibility_mode: false }
     ]
   ]
-  # rubocop: enable Layout/LineLength
   testcases.each do |normal, opt, crt, key, settings|
     context 'client interop' do
       before do
@@ -181,7 +207,7 @@ RSpec.describe Client do
                     + 'thekuwayama/openssl ' + cmd)
         Process.detach(pid)
 
-        wait_to_listen('127.0.0.1', PORT)
+        wait_to_listen('127.0.0.1', PORT, ENV['SPEC_VERBOSE'])
       end
 
       let(:client) do