RubyGems - tttls1.3 - Versions diffs - 0.1.3 → 0.1.4 - Mend

tttls1.3 0.1.3 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1951707edb6c1281f07975d9632817a783a0e9f69e9e40da6b1fe45487955c2a
-  data.tar.gz: 1c4aa360d27a89a9f81dfa6ae3f744115da70189c641618f8d6b9dd0e4519da9
+  metadata.gz: e5e95ca87bc146cc9021a42dc44ed5daef30a5d8fc7040ab4531c77045077e82
+  data.tar.gz: cae31fb5ec83ac405142d7c67b1b9298d2d0880dbd053e37e7edfd888e70cf9e
 SHA512:
-  metadata.gz: b6ee2640200f2384732e9c24c2cdd02aad995b6da04f94a3dcc70cae19ef501f9b90e26cddad399822e9514e2aae1cecf4252d513741234e428f9b94fe8f1de3
-  data.tar.gz: e5de7b6c20bad449cec2a0fb041db8e4d03a12d6932fcef9ee3b579f9b0e35da80e19604b5b328d292a2cb6393de1f3fe515e4289233b09f6cbff916f6d43735
+  metadata.gz: 32080b68a237890982c9407491e754df789460550e7b68a87d1f77a01749da79a7bc463dbb8b53659eb27aa1fc990e168454754fc7b1636ac474e43c61fecd1f
+  data.tar.gz: 5a43785680db1cda38f704ac0df711ff10c0d2cded4fc2620c7c5ad8ee15d4f682672983642ce50f4b371cddd93760d06d98839d6c7811323482add07fe7fbc9

data/interop/client_spec.rb CHANGED Viewed

@@ -46,6 +46,10 @@ RSpec.describe Client do
       ' -sigalgs RSA-PSS+SHA512',
       signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
       signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA512]
+    ],
+    [
+      ' -record_padding 8446',
+      {}
     ]
   ].each do |opt, settings|
     context 'client interop' do
@@ -56,6 +60,7 @@ RSpec.describe Client do
               + '-key /tmp/server.key ' \
               + '-tls1_3 ' \
               + '-www ' \
+              + '-quiet ' \
               + opt
         pid = spawn(cmd)
         Process.detach(pid)

data/lib/tttls1.3/client.rb CHANGED Viewed

@@ -25,9 +25,6 @@ module TTTLS13
     SignatureScheme::ECDSA_SECP256R1_SHA256,
     SignatureScheme::ECDSA_SECP384R1_SHA384,
     SignatureScheme::ECDSA_SECP521R1_SHA512,
-    SignatureScheme::RSA_PSS_PSS_SHA256,
-    SignatureScheme::RSA_PSS_PSS_SHA384,
-    SignatureScheme::RSA_PSS_PSS_SHA512,
     SignatureScheme::RSA_PSS_RSAE_SHA256,
     SignatureScheme::RSA_PSS_RSAE_SHA384,
     SignatureScheme::RSA_PSS_RSAE_SHA512,
@@ -154,6 +151,7 @@ module TTTLS13
           terminate(:illegal_parameter) unless valid_sh_cipher_suite?
           terminate(:illegal_parameter) unless valid_sh_compression_method?
           # only TLS 1.3
+          terminate(:illegal_parameter) unless valid_sh_random?
           terminate(:protocol_version) unless negotiated_tls_1_3?
           if sh.hrr?
@@ -387,7 +385,7 @@ module TTTLS13
     # @return [TTTLS13::Message::Extensions]
     # rubocop: disable Metrics/AbcSize
     # rubocop: disable Metrics/CyclomaticComplexity
-    def gen_extensions
+    def gen_ch_extensions
       exs = []
       # supported_versions: only TLS 1.3
       exs << Message::Extension::SupportedVersions.new(
@@ -431,7 +429,7 @@ module TTTLS13
     # @return [TTTLS13::Message::ClientHello]
     def send_client_hello
-      exs = gen_extensions
+      exs = gen_ch_extensions
       ch = Message::ClientHello.new(
         cipher_suites: CipherSuites.new(@settings[:cipher_suites]),
         extensions: exs
@@ -648,23 +646,23 @@ module TTTLS13
     #     1. supported_versions == ["\x03\x04"]
     #     2. legacy_versions == ["\x03\x03"]
     #
-    # @raise [TTTLS13::Error::ErrorAlerts]
-    #
     # @return [Boolean]
     def negotiated_tls_1_3?
       sh = @transcript[SH]
+      sh_lv = sh.legacy_version
       sh_sv = sh.extensions[Message::ExtensionType::SUPPORTED_VERSIONS]
                 &.versions
-      sh_r8 = sh.random[-8..]
-      if sh_sv&.first == Message::ProtocolVersion::TLS_1_3 &&
-         sh_r8 != DOWNGRADE_PROTECTION_TLS_1_2 &&
-         sh_r8 != DOWNGRADE_PROTECTION_TLS_1_1
-        true
-      elsif sh_sv.nil?
-        false
-      else
-        terminate(:illegal_parameter)
-      end
+      sh_lv == Message::ProtocolVersion::TLS_1_2 &&
+        sh_sv&.first == Message::ProtocolVersion::TLS_1_3
+    end
+    # @return [Boolean]
+    def valid_sh_random?
+      sh_r8 = @transcript[SH].random[-8..]
+      sh_r8 != DOWNGRADE_PROTECTION_TLS_1_2 &&
+        sh_r8 != DOWNGRADE_PROTECTION_TLS_1_1
     end
     # @return [Boolean]

data/lib/tttls1.3/connection.rb CHANGED Viewed

@@ -353,34 +353,35 @@ module TTTLS13
     #
     # @return [Boolean]
     # rubocop: disable Metrics/AbcSize
+    # rubocop: disable Metrics/CyclomaticComplexity
     def certified_certificate?(certificate_list, ca_file = nil, hostname = nil)
-      store = OpenSSL::X509::Store.new
-      store.set_default_paths
-      store.add_file(ca_file) unless ca_file.nil?
       cert_bin = certificate_list.first.cert_data
       cert = OpenSSL::X509::Certificate.new(cert_bin)
-      chain = certificate_list[1..].map(&:cert_data).map do |c|
-        OpenSSL::X509::Certificate.new(c)
-      end
-      # TODO: parse authorityInfoAccess::CA Issuers
-      ctx = OpenSSL::X509::StoreContext.new(store, cert, chain)
       # not support CN matching, only support SAN matching
       unless hostname.nil?
         san = cert.extensions.find { |ex| ex.oid == 'subjectAltName' }
-        terminate(:bad_certificate) if san.nil?
+        return false if san.nil?
         ostr = OpenSSL::ASN1.decode(san.to_der).value.last
         san_match = OpenSSL::ASN1.decode(ostr.value).map(&:value)
                                  .map { |s| s.gsub('.', '\.').gsub('*', '.*') }
                                  .any? { |s| hostname.match(/#{s}/) }
-        return san_match && ctx.verify
+        return false unless san_match
       end
-      ctx.verify
+      store = OpenSSL::X509::Store.new
+      store.set_default_paths
+      store.add_file(ca_file) unless ca_file.nil?
+      chain = certificate_list[1..].map(&:cert_data).map do |c|
+        OpenSSL::X509::Certificate.new(c)
+      end
+      # TODO: parse authorityInfoAccess::CA Issuers
+      ctx = OpenSSL::X509::StoreContext.new(store, cert, chain)
+      now = Time.now
+      ctx.verify && cert.not_before < now && now < cert.not_after
     end
     # rubocop: enable Metrics/AbcSize
+    # rubocop: enable Metrics/CyclomaticComplexity
   end
   # rubocop: enable Metrics/ClassLength
 end

data/lib/tttls1.3/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module TTTLS13
-  VERSION = '0.1.3'
+  VERSION = '0.1.4'
 end

data/spec/client_spec.rb CHANGED Viewed

@@ -230,7 +230,8 @@ RSpec.describe Client do
     end
     it 'should check downgrade protection value' do
-      expect { client.send(:negotiated_tls_1_3?) }.to raise_error(ErrorAlerts)
+      expect(client.send(:valid_sh_random?)).to be false
+      expect(client.send(:negotiated_tls_1_3?)).to be true
     end
   end
@@ -252,7 +253,8 @@ RSpec.describe Client do
     end
     it 'should check downgrade protection value' do
-      expect { client.send(:negotiated_tls_1_3?) }.to raise_error(ErrorAlerts)
+      expect(client.send(:valid_sh_random?)).to be false
+      expect(client.send(:negotiated_tls_1_3?)).to be true
     end
   end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tttls1.3
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - thekuwayama
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-05-04 00:00:00.000000000 Z
+date: 2019-05-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -173,7 +173,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.1
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: TLS 1.3 implementation in Ruby