tttls1.3 0.2.1 → 0.2.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +1 -0
- data/Rakefile +3 -3
- data/example/https_client_using_hrr_and_ticket.rb +40 -0
- data/interop/client_spec.rb +15 -0
- data/interop/server_spec.rb +8 -0
- data/lib/tttls1.3/client.rb +265 -272
- data/lib/tttls1.3/connection.rb +85 -62
- data/lib/tttls1.3/message/certificate.rb +1 -1
- data/lib/tttls1.3/message/client_hello.rb +26 -1
- data/lib/tttls1.3/message/encrypted_extensions.rb +1 -1
- data/lib/tttls1.3/message/new_session_ticket.rb +1 -1
- data/lib/tttls1.3/message/server_hello.rb +21 -1
- data/lib/tttls1.3/server.rb +179 -157
- data/lib/tttls1.3/version.rb +1 -1
- data/spec/certificate_spec.rb +4 -4
- data/spec/client_hello_spec.rb +3 -0
- data/spec/client_spec.rb +96 -157
- data/spec/connection_spec.rb +32 -23
- data/spec/encrypted_extensions_spec.rb +4 -4
- data/spec/fixtures/rsa_ca.crt +16 -27
- data/spec/fixtures/rsa_ca.key +25 -49
- data/spec/fixtures/rsa_rsa.crt +16 -21
- data/spec/fixtures/rsa_rsa.key +25 -25
- data/spec/fixtures/rsa_rsassaPss.crt +20 -0
- data/spec/fixtures/rsa_rsassaPss.key +27 -0
- data/spec/fixtures/rsa_secp256r1.crt +12 -17
- data/spec/fixtures/rsa_secp256r1.key +3 -3
- data/spec/fixtures/rsa_secp384r1.crt +12 -17
- data/spec/fixtures/rsa_secp384r1.key +4 -4
- data/spec/fixtures/rsa_secp521r1.crt +13 -18
- data/spec/fixtures/rsa_secp521r1.key +5 -5
- data/spec/server_hello_spec.rb +60 -0
- data/spec/server_spec.rb +79 -60
- metadata +7 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 356ce310f2323bede1cdfd21f6c18050d2ce9aca6da4c8ed67b439b597c92ba0
|
|
4
|
+
data.tar.gz: d1bcb99ae830df4c8c40688d85e5c7efcda76e0c608ef0707b5201862a5baff8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ae23baf431d2908aceae8e411deb2b8ebf33f8696e67602081c3f07b2d9dad523f8a21a251d5333243e2f44405e8efa0e6595e0af7a744c9fda05c026a824346
|
|
7
|
+
data.tar.gz: '0978b73204cc49a3fac033904c98c17eb05f45a2793a5f326298414db09599d065ab599ce34e4cc73bbd928abed9cb988a35ef7248ec9af1ff8a121f6378da61'
|
data/README.md
CHANGED
|
@@ -67,6 +67,7 @@ tttls1.3 provides client API with the following features:
|
|
|
67
67
|
tttls1.3 provides server API with the following features:
|
|
68
68
|
|
|
69
69
|
* Simple 1-RTT Handshake
|
|
70
|
+
* HelloRetryRequest
|
|
70
71
|
|
|
71
72
|
**NOT supports** certificate with OID RSASSA-PSS, X25519, X448, FFDHE, AES-CCM, Client Authentication, Post-Handshake Authentication, KeyUpdate, external PSKs.
|
|
72
73
|
|
data/Rakefile
CHANGED
|
@@ -17,7 +17,7 @@ directory TMP_DIR
|
|
|
17
17
|
|
|
18
18
|
file CA_KEY => TMP_DIR do
|
|
19
19
|
puts "generate #{CA_KEY}..."
|
|
20
|
-
ca_key = OpenSSL::PKey::RSA.generate(
|
|
20
|
+
ca_key = OpenSSL::PKey::RSA.generate(2048)
|
|
21
21
|
File.write(CA_KEY, ca_key.to_pem)
|
|
22
22
|
end
|
|
23
23
|
|
|
@@ -32,7 +32,7 @@ file CA_CRT => [TMP_DIR, CA_KEY] do
|
|
|
32
32
|
ca_crt.not_before = Time.now
|
|
33
33
|
ca_crt.not_after = Time.now + (60 * 60 * 24 * 365 * 10)
|
|
34
34
|
ca_crt.public_key = ca_key.public_key
|
|
35
|
-
ca_crt.serial =
|
|
35
|
+
ca_crt.serial = OpenSSL::BN.rand(64)
|
|
36
36
|
ca_crt.version = 2
|
|
37
37
|
ca_crt.issuer = issu
|
|
38
38
|
ca_crt.subject = sub
|
|
@@ -83,7 +83,7 @@ file SERVER_CRT => [TMP_DIR, CA_CRT, SERVER_KEY] do
|
|
|
83
83
|
server_crt.not_before = Time.now
|
|
84
84
|
server_crt.not_after = Time.now + (60 * 60 * 24 * 365)
|
|
85
85
|
server_crt.public_key = server_key.public_key
|
|
86
|
-
server_crt.serial =
|
|
86
|
+
server_crt.serial = OpenSSL::BN.rand(64)
|
|
87
87
|
server_crt.version = 2
|
|
88
88
|
server_crt.issuer = ca_crt.issuer
|
|
89
89
|
server_crt.subject = sub
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
# encoding: ascii-8bit
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
require_relative 'helper'
|
|
5
|
+
|
|
6
|
+
hostname, port = (ARGV[0] || 'localhost:4433').split(':')
|
|
7
|
+
req = simple_http_request(hostname)
|
|
8
|
+
|
|
9
|
+
settings_2nd = {
|
|
10
|
+
ca_file: __dir__ + '/../tmp/ca.crt'
|
|
11
|
+
}
|
|
12
|
+
process_new_session_ticket = proc do |nst, rms, cs|
|
|
13
|
+
return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
|
|
14
|
+
|
|
15
|
+
settings_2nd[:key_share_groups] = [] # empty KeyShareClientHello.client_shares
|
|
16
|
+
settings_2nd[:ticket] = nst.ticket
|
|
17
|
+
settings_2nd[:resumption_master_secret] = rms
|
|
18
|
+
settings_2nd[:psk_cipher_suite] = cs
|
|
19
|
+
settings_2nd[:ticket_nonce] = nst.ticket_nonce
|
|
20
|
+
settings_2nd[:ticket_age_add] = nst.ticket_age_add
|
|
21
|
+
settings_2nd[:ticket_timestamp] = nst.timestamp
|
|
22
|
+
end
|
|
23
|
+
settings_1st = {
|
|
24
|
+
ca_file: __dir__ + '/../tmp/ca.crt',
|
|
25
|
+
process_new_session_ticket: process_new_session_ticket
|
|
26
|
+
}
|
|
27
|
+
|
|
28
|
+
[
|
|
29
|
+
# Initial Handshake:
|
|
30
|
+
settings_1st,
|
|
31
|
+
# Subsequent Handshake:
|
|
32
|
+
settings_2nd
|
|
33
|
+
].each do |settings|
|
|
34
|
+
socket = TCPSocket.new(hostname, port)
|
|
35
|
+
client = TTTLS13::Client.new(socket, hostname, settings)
|
|
36
|
+
client.connect
|
|
37
|
+
client.write(req)
|
|
38
|
+
print recv_http_response(client)
|
|
39
|
+
client.close
|
|
40
|
+
end
|
data/interop/client_spec.rb
CHANGED
|
@@ -118,6 +118,14 @@ RSpec.describe Client do
|
|
|
118
118
|
signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
|
|
119
119
|
signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512]
|
|
120
120
|
],
|
|
121
|
+
[
|
|
122
|
+
true,
|
|
123
|
+
'-sigalgs RSA-PSS+SHA256',
|
|
124
|
+
'rsa_rsassaPss.crt',
|
|
125
|
+
'rsa_rsassaPss.key',
|
|
126
|
+
signature_algorithms_cert: [SignatureScheme::RSA_PSS_RSAE_SHA256],
|
|
127
|
+
signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA256]
|
|
128
|
+
],
|
|
121
129
|
[
|
|
122
130
|
false,
|
|
123
131
|
'-sigalgs ECDSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256',
|
|
@@ -132,6 +140,13 @@ RSpec.describe Client do
|
|
|
132
140
|
'rsa_rsa.crt',
|
|
133
141
|
'rsa_rsa.key',
|
|
134
142
|
{}
|
|
143
|
+
],
|
|
144
|
+
[
|
|
145
|
+
true,
|
|
146
|
+
'',
|
|
147
|
+
'rsa_rsa.crt',
|
|
148
|
+
'rsa_rsa.key',
|
|
149
|
+
key_share_groups: []
|
|
135
150
|
]
|
|
136
151
|
# rubocop: enable Metrics/LineLength
|
|
137
152
|
].each do |normal, opt, crt, key, settings|
|
data/interop/server_spec.rb
CHANGED
|
@@ -119,6 +119,14 @@ RSpec.describe Server do
|
|
|
119
119
|
signature_algorithms_cert: [SignatureScheme::RSA_PKCS1_SHA256],
|
|
120
120
|
signature_algorithms: [SignatureScheme::ECDSA_SECP521R1_SHA512]
|
|
121
121
|
],
|
|
122
|
+
[
|
|
123
|
+
true,
|
|
124
|
+
'-groups P-256:P-384:P-521 -sigalgs RSA-PSS+SHA256',
|
|
125
|
+
FIXTURES_DIR + '/rsa_rsassaPss.crt',
|
|
126
|
+
FIXTURES_DIR + '/rsa_rsassaPss.key',
|
|
127
|
+
signature_algorithms_cert: [SignatureScheme::RSA_PSS_RSAE_SHA256],
|
|
128
|
+
signature_algorithms: [SignatureScheme::RSA_PSS_RSAE_SHA256]
|
|
129
|
+
],
|
|
122
130
|
[
|
|
123
131
|
false,
|
|
124
132
|
'-groups P-256:P-384:P-521 -sigalgs ECDSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256',
|