tttls1.3 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1951707edb6c1281f07975d9632817a783a0e9f69e9e40da6b1fe45487955c2a
-  data.tar.gz: 1c4aa360d27a89a9f81dfa6ae3f744115da70189c641618f8d6b9dd0e4519da9
+  metadata.gz: e5e95ca87bc146cc9021a42dc44ed5daef30a5d8fc7040ab4531c77045077e82
+  data.tar.gz: cae31fb5ec83ac405142d7c67b1b9298d2d0880dbd053e37e7edfd888e70cf9e
 SHA512:
-  metadata.gz: b6ee2640200f2384732e9c24c2cdd02aad995b6da04f94a3dcc70cae19ef501f9b90e26cddad399822e9514e2aae1cecf4252d513741234e428f9b94fe8f1de3
-  data.tar.gz: e5de7b6c20bad449cec2a0fb041db8e4d03a12d6932fcef9ee3b579f9b0e35da80e19604b5b328d292a2cb6393de1f3fe515e4289233b09f6cbff916f6d43735
+  metadata.gz: 32080b68a237890982c9407491e754df789460550e7b68a87d1f77a01749da79a7bc463dbb8b53659eb27aa1fc990e168454754fc7b1636ac474e43c61fecd1f
+  data.tar.gz: 5a43785680db1cda38f704ac0df711ff10c0d2cded4fc2620c7c5ad8ee15d4f682672983642ce50f4b371cddd93760d06d98839d6c7811323482add07fe7fbc9

data/interop/client_spec.rb

@@ -46,6 +46,10 @@ RSpec.describe Client do
       ' -sigalgs RSA-PSS+SHA512',
       signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
       signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA512]
+    ],
+    [
+      ' -record_padding 8446',
+      {}
     ]
   ].each do |opt, settings|
     context 'client interop' do
@@ -56,6 +60,7 @@ RSpec.describe Client do
               + '-key /tmp/server.key ' \
               + '-tls1_3 ' \
               + '-www ' \
+              + '-quiet ' \
               + opt
         pid = spawn(cmd)
         Process.detach(pid)

data/lib/tttls1.3/client.rb

@@ -25,9 +25,6 @@ module TTTLS13
     SignatureScheme::ECDSA_SECP256R1_SHA256,
     SignatureScheme::ECDSA_SECP384R1_SHA384,
     SignatureScheme::ECDSA_SECP521R1_SHA512,
-    SignatureScheme::RSA_PSS_PSS_SHA256,
-    SignatureScheme::RSA_PSS_PSS_SHA384,
-    SignatureScheme::RSA_PSS_PSS_SHA512,
     SignatureScheme::RSA_PSS_RSAE_SHA256,
     SignatureScheme::RSA_PSS_RSAE_SHA384,
     SignatureScheme::RSA_PSS_RSAE_SHA512,
@@ -154,6 +151,7 @@ module TTTLS13
           terminate(:illegal_parameter) unless valid_sh_cipher_suite?
           terminate(:illegal_parameter) unless valid_sh_compression_method?
           # only TLS 1.3
+          terminate(:illegal_parameter) unless valid_sh_random?
           terminate(:protocol_version) unless negotiated_tls_1_3?
 
           if sh.hrr?
@@ -387,7 +385,7 @@ module TTTLS13
     # @return [TTTLS13::Message::Extensions]
     # rubocop: disable Metrics/AbcSize
     # rubocop: disable Metrics/CyclomaticComplexity
-    def gen_extensions
+    def gen_ch_extensions
       exs = []
       # supported_versions: only TLS 1.3
       exs << Message::Extension::SupportedVersions.new(
@@ -431,7 +429,7 @@ module TTTLS13
 
     # @return [TTTLS13::Message::ClientHello]
     def send_client_hello
-      exs = gen_extensions
+      exs = gen_ch_extensions
       ch = Message::ClientHello.new(
         cipher_suites: CipherSuites.new(@settings[:cipher_suites]),
         extensions: exs
@@ -648,23 +646,23 @@ module TTTLS13
     #     1. supported_versions == ["\x03\x04"]
     #     2. legacy_versions == ["\x03\x03"]
     #
-    # @raise [TTTLS13::Error::ErrorAlerts]
-    #
     # @return [Boolean]
     def negotiated_tls_1_3?
       sh = @transcript[SH]
+      sh_lv = sh.legacy_version
       sh_sv = sh.extensions[Message::ExtensionType::SUPPORTED_VERSIONS]
                 &.versions
-      sh_r8 = sh.random[-8..]
-      if sh_sv&.first == Message::ProtocolVersion::TLS_1_3 &&
-         sh_r8 != DOWNGRADE_PROTECTION_TLS_1_2 &&
-         sh_r8 != DOWNGRADE_PROTECTION_TLS_1_1
-        true
-      elsif sh_sv.nil?
-        false
-      else
-        terminate(:illegal_parameter)
-      end
+
+      sh_lv == Message::ProtocolVersion::TLS_1_2 &&
+        sh_sv&.first == Message::ProtocolVersion::TLS_1_3
+    end
+
+    # @return [Boolean]
+    def valid_sh_random?
+      sh_r8 = @transcript[SH].random[-8..]
+
+      sh_r8 != DOWNGRADE_PROTECTION_TLS_1_2 &&
+        sh_r8 != DOWNGRADE_PROTECTION_TLS_1_1
     end
 
     # @return [Boolean]

data/lib/tttls1.3/connection.rb

@@ -353,34 +353,35 @@ module TTTLS13
     #
     # @return [Boolean]
     # rubocop: disable Metrics/AbcSize
+    # rubocop: disable Metrics/CyclomaticComplexity
     def certified_certificate?(certificate_list, ca_file = nil, hostname = nil)
-      store = OpenSSL::X509::Store.new
-      store.set_default_paths
-      store.add_file(ca_file) unless ca_file.nil?
-
       cert_bin = certificate_list.first.cert_data
       cert = OpenSSL::X509::Certificate.new(cert_bin)
 
-      chain = certificate_list[1..].map(&:cert_data).map do |c|
-        OpenSSL::X509::Certificate.new(c)
-      end
-      # TODO: parse authorityInfoAccess::CA Issuers
-
-      ctx = OpenSSL::X509::StoreContext.new(store, cert, chain)
-
       # not support CN matching, only support SAN matching
       unless hostname.nil?
         san = cert.extensions.find { |ex| ex.oid == 'subjectAltName' }
-        terminate(:bad_certificate) if san.nil?
+        return false if san.nil?
+
         ostr = OpenSSL::ASN1.decode(san.to_der).value.last
         san_match = OpenSSL::ASN1.decode(ostr.value).map(&:value)
                                  .map { |s| s.gsub('.', '\.').gsub('*', '.*') }
                                  .any? { |s| hostname.match(/#{s}/) }
-        return san_match && ctx.verify
+        return false unless san_match
       end
-      ctx.verify
+      store = OpenSSL::X509::Store.new
+      store.set_default_paths
+      store.add_file(ca_file) unless ca_file.nil?
+      chain = certificate_list[1..].map(&:cert_data).map do |c|
+        OpenSSL::X509::Certificate.new(c)
+      end
+      # TODO: parse authorityInfoAccess::CA Issuers
+      ctx = OpenSSL::X509::StoreContext.new(store, cert, chain)
+      now = Time.now
+      ctx.verify && cert.not_before < now && now < cert.not_after
     end
     # rubocop: enable Metrics/AbcSize
+    # rubocop: enable Metrics/CyclomaticComplexity
   end
   # rubocop: enable Metrics/ClassLength
 end

data/lib/tttls1.3/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module TTTLS13
-  VERSION = '0.1.3'
+  VERSION = '0.1.4'
 end

data/spec/client_spec.rb

@@ -230,7 +230,8 @@ RSpec.describe Client do
     end
 
     it 'should check downgrade protection value' do
-      expect { client.send(:negotiated_tls_1_3?) }.to raise_error(ErrorAlerts)
+      expect(client.send(:valid_sh_random?)).to be false
+      expect(client.send(:negotiated_tls_1_3?)).to be true
     end
   end
 
@@ -252,7 +253,8 @@ RSpec.describe Client do
     end
 
     it 'should check downgrade protection value' do
-      expect { client.send(:negotiated_tls_1_3?) }.to raise_error(ErrorAlerts)
+      expect(client.send(:valid_sh_random?)).to be false
+      expect(client.send(:negotiated_tls_1_3?)).to be true
     end
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tttls1.3
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - thekuwayama
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-05-04 00:00:00.000000000 Z
+date: 2019-05-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -173,7 +173,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.1
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: TLS 1.3 implementation in Ruby