tttls1.3 0.2.7 → 0.2.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c4d612bec845851394778f851e83cd26a402c28b28282eadf1630684781dbfad
-  data.tar.gz: 2b2ac159212b899dfd2f0281b756469033ab58ac57276a2c834166e9e1c1a659
+  metadata.gz: a040b2151b2f78c9e367a68a17f4ea10ca135939c0c2cffe28661b4ddb1162b5
+  data.tar.gz: 98707957f44e710898f5422f851dd1f1fb42f2694fe69cf2631422764a42498d
 SHA512:
-  metadata.gz: 902358ead54f4e37bcb6921f8ac26cb0d365ff90c96f8b1d148286a08a057af719989ed0b24d34e99e646965ca7dbfbcdf2b07d9f28b84d3e00e62d904d8ff3f
-  data.tar.gz: 33781ec8908342d9aa0670c1ce82516bd7a0fafbed7f49f470765b0d053883cee66b913fc14c060c83abe82dca863653ec7632efcbbcbc4b84dce577eef21764
+  metadata.gz: 9e8a23d34101af91fa0dd5c0e1853c54f3dd89c2c3611c319ccc9aa387a7f56347d15278f19a38a660ef1766679663e1432cedd48fd0b1a035b5c215b9df9a44
+  data.tar.gz: c6b513830b131fba783984079f68cd3026cec0e3811d045b11b8eef889b878e119067a0f09eaa73d81fc6dd4e52b910c5b7490571b551bf647281ce45cbd21d5

data/README.md

@@ -98,6 +98,7 @@ tttls1.3 client is configurable using keyword arguments.
 | `:ticket_nonce` | String | nil | The ticket\_nonce for PSK. |
 | `:ticket_age_add` | String | nil | The ticket\_age\_add for PSK. |
 | `:ticket_timestamp` | Integer | nil | The ticket\_timestamp for PSK. |
+| `:record_size_limit` | Integer | nil | The record\_size\_limit offerd in ClientHello extensions. If not needed to be present, set nil. |
 | `:compatibility_mode` | Boolean | true | If needed to send ChangeCipherSpec, set true. |
 | `:loglevel` | Logger constant | Logger::WARN | If needed to print verbose, set Logger::DEBUG. |
 

data/example/https_server.rb

@@ -4,10 +4,10 @@
 require_relative 'helper'
 require 'etc'
 require 'logger'
+require 'timeout'
 
 port = ARGV[0] || 4433
 
-tcpserver = TCPServer.open(port)
 settings = {
   crt_file: __dir__ + '/../tmp/server.crt',
   key_file: __dir__ + '/../tmp/server.key',
@@ -54,7 +54,6 @@ Etc.nprocessors.times do
 end
 # rubocop: enable Metrics/BlockLength
 
-loop do
-  socket = tcpserver.accept
+Socket.tcp_server_loop(port) do |socket, _addr|
   q << socket
 end

data/lib/tttls1.3/cipher_suites.rb

@@ -57,6 +57,18 @@ module TTTLS13
           raise Error::ErrorAlerts, :internal_error
         end
       end
+
+      def auth_tag_len(cipher_suite)
+        case cipher_suite
+        when TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
+             TLS_CHACHA20_POLY1305_SHA256 # , TLS_AES_128_CCM_SHA256
+          16
+        # when TLS_AES_128_CCM_8_SHA256
+        #   8
+        else
+          raise Error::ErrorAlerts, :internal_error
+        end
+      end
     end
   end
 

data/lib/tttls1.3/client.rb

@@ -58,6 +58,7 @@ module TTTLS13
     ticket_nonce: nil,
     ticket_age_add: nil,
     ticket_timestamp: nil,
+    record_size_limit: nil,
     compatibility_mode: true,
     loglevel: Logger::WARN
   }.freeze
@@ -282,7 +283,7 @@ module TTTLS13
             unless (ee.extensions.keys - ch.extensions.keys).empty?
 
           rsl = ee.extensions[Message::ExtensionType::RECORD_SIZE_LIMIT]
-          @send_record_size = rsl.record_size_limit unless rsl.nil?
+          @recv_record_size = rsl.record_size_limit unless rsl.nil?
 
           @succeed_early_data = true \
             if ee.extensions.include?(Message::ExtensionType::EARLY_DATA)
@@ -394,6 +395,7 @@ module TTTLS13
     private
 
     # @return [Boolean]
+    # rubocop: disable Metrics/AbcSize
     # rubocop: disable Metrics/CyclomaticComplexity
     # rubocop: disable Metrics/PerceivedComplexity
     def valid_settings?
@@ -418,8 +420,12 @@ module TTTLS13
         unless ksg.nil? ||
                ((ksg - sg).empty? && sg.select { |g| ksg.include?(g) } == ksg)
 
+      rsl = @settings[:record_size_limit]
+      return false if !rsl.nil? && (rsl < 64 || rsl > 2**14 + 1)
+
       true
     end
+    # rubocop: enable Metrics/AbcSize
     # rubocop: enable Metrics/CyclomaticComplexity
     # rubocop: enable Metrics/PerceivedComplexity
 
@@ -465,8 +471,19 @@ module TTTLS13
     # @return [Hash of NamedGroup => OpenSSL::PKey::EC.$Object]
     # rubocop: disable Metrics/AbcSize
     # rubocop: disable Metrics/CyclomaticComplexity
+    # rubocop: disable Metrics/PerceivedComplexity
     def gen_ch_extensions
       exs = []
+      # server_name
+      exs << Message::Extension::ServerName.new(@hostname)
+
+      # record_size_limit
+      unless @settings[:record_size_limit].nil?
+        exs << Message::Extension::RecordSizeLimit.new(
+          @settings[:record_size_limit]
+        )
+      end
+
       # supported_versions: only TLS 1.3
       exs << Message::Extension::SupportedVersions.new(
         msg_type: Message::HandshakeType::CLIENT_HELLO
@@ -495,9 +512,6 @@ module TTTLS13
                  = Message::Extension::KeyShare.gen_ch_key_share(ksg)
       exs << key_share
 
-      # server_name
-      exs << Message::Extension::ServerName.new(@hostname)
-
       # early_data
       exs << Message::Extension::EarlyDataIndication.new if use_early_data?
 
@@ -509,6 +523,7 @@ module TTTLS13
     end
     # rubocop: enable Metrics/AbcSize
     # rubocop: enable Metrics/CyclomaticComplexity
+    # rubocop: enable Metrics/PerceivedComplexity
 
     # @param extensions [TTTLS13::Message::Extensions]
     # @param binder_key [String, nil]

data/lib/tttls1.3/connection.rb

@@ -23,6 +23,7 @@ module TTTLS13
       @signature_scheme = nil # TTTLS13::SignatureScheme
       @state = 0 # ClientState or ServerState
       @send_record_size = Message::DEFAULT_RECORD_SIZE_LIMIT
+      @recv_record_size = Message::DEFAULT_RECORD_SIZE_LIMIT
       @alpn = nil # String
       @exporter_master_secret = nil # String
     end
@@ -263,7 +264,8 @@ module TTTLS13
 
       begin
         buffer = @binary_buffer
-        record = Message::Record.deserialize(binary, cipher, buffer)
+        record = Message::Record.deserialize(binary, cipher, buffer,
+                                             @recv_record_size)
         @binary_buffer = record.surplus_binary
       rescue Error::ErrorAlerts => e
         terminate(e.message.to_sym)

data/lib/tttls1.3/cryptograph/aead.rb

@@ -5,6 +5,8 @@ module TTTLS13
   using Refinements
   module Cryptograph
     class Aead
+      attr_reader :auth_tag_len
+
       # @param cipher_suite [TTTLS13::CipherSuite]
       # @param write_key [String]
       # @param write_iv [String]
@@ -31,6 +33,7 @@ module TTTLS13
         @write_iv = write_iv
         @sequence_number = sequence_number
         @length_of_padding = length_of_padding
+        @auth_tag_len = CipherSuite.auth_tag_len(@cipher_suite)
       end
 
       # NOTE:
@@ -60,14 +63,15 @@ module TTTLS13
       #
       # @raise [OpenSSL::Cipher::CipherError]
       #
-      # @return [String and TTTLS13::Message::ContentType]
+      # @return [String]
+      # @return [TTTLS13::Message::ContentType]
       def decrypt(encrypted_record, auth_data)
         reset_cipher
         decipher = @cipher.decrypt
-        auth_tag = encrypted_record[-16..-1]
+        auth_tag = encrypted_record[-@auth_tag_len..-1]
         decipher.auth_tag = auth_tag
         decipher.auth_data = auth_data # record header of TLSCiphertext
-        clear = decipher.update(encrypted_record[0...-16]) # auth_tag
+        clear = decipher.update(encrypted_record[0...-@auth_tag_len])
         decipher.final
         zeros_len = scan_zeros(clear)
         postfix_len = 1 + zeros_len # type || zeros
@@ -94,7 +98,7 @@ module TTTLS13
 
       # @return [String]
       def additional_data(plaintext_len)
-        ciphertext_len = plaintext_len + 16 # length of auth_tag is 16
+        ciphertext_len = plaintext_len + @auth_tag_len
 
         Message::ContentType::APPLICATION_DATA \
         + Message::ProtocolVersion::TLS_1_2 \

data/lib/tttls1.3/cryptograph/passer.rb

@@ -13,7 +13,8 @@ module TTTLS13
 
       # @param encrypted_record [String]
       #
-      # @return [String and TTTLS13::Message::ContentType]
+      # @return [String]
+      # @return [TTTLS13::Message::ContentType]
       def decrypt(encrypted_record, _auth_data)
         [encrypted_record, encrypted_record[0]]
       end

data/lib/tttls1.3/message/extension/record_size_limit.rb

@@ -15,7 +15,8 @@ module TTTLS13
         def initialize(record_size_limit)
           @extension_type = ExtensionType::RECORD_SIZE_LIMIT
           @record_size_limit = record_size_limit
-          raise Error::ErrorAlerts, :internal_error if @record_size_limit < 64
+          raise Error::ErrorAlerts, :internal_error \
+            if @record_size_limit < 64 || @record_size_limit > 2**14 + 1
         end
 
         # @return [String]

data/lib/tttls1.3/message/record.rb

@@ -1,4 +1,3 @@
-# encoding: ascii-8bit
 # frozen_string_literal: true
 
 module TTTLS13
@@ -22,7 +21,7 @@ module TTTLS13
       # @param cipher [TTTLS13::Cryptograph::$Object]
       def initialize(type:,
                      legacy_record_version: ProtocolVersion::TLS_1_2,
-                     messages: [],
+                     messages:,
                      surplus_binary: '',
                      cipher:)
         @type = type
@@ -48,7 +47,6 @@ module TTTLS13
         else
           fragments = [tlsplaintext]
         end
-        fragments = [''] if fragments.empty?
 
         fragments.map do |s|
           @type + @legacy_record_version \
@@ -63,13 +61,16 @@ module TTTLS13
       # @param binary [String]
       # @param cipher [TTTLS13::Cryptograph::$Object]
       # @param buffered [String] surplus_binary
+      # @param record_size_limit [Integer]
       #
       # @raise [TTTLS13::Error::ErrorAlerts]
       #
       # @return [TTTLS13::Message::Record]
+      # rubocop: disable Metrics/AbcSize
       # rubocop: disable Metrics/CyclomaticComplexity
       # rubocop: disable Metrics/PerceivedComplexity
-      def self.deserialize(binary, cipher, buffered = '')
+      def self.deserialize(binary, cipher, buffered = '',
+                           record_size_limit = DEFAULT_RECORD_SIZE_LIMIT)
         raise Error::ErrorAlerts, :internal_error if binary.nil?
         raise Error::ErrorAlerts, :decode_error if binary.length < 5
 
@@ -85,17 +86,22 @@ module TTTLS13
           unless binary.length == 5 + fragment_len
 
         if type == ContentType::APPLICATION_DATA
+          if fragment.length - cipher.auth_tag_len > record_size_limit
+            raise Error::ErrorAlerts, :record_overflow
+          end
+
           fragment, inner_type = cipher.decrypt(fragment, binary.slice(0, 5))
         end
+
         messages, surplus_binary = deserialize_fragment(buffered + fragment,
                                                         inner_type || type)
-
         Record.new(type: type,
                    legacy_record_version: legacy_record_version,
                    messages: messages,
                    surplus_binary: surplus_binary,
                    cipher: cipher)
       end
+      # rubocop: enable Metrics/AbcSize
       # rubocop: enable Metrics/CyclomaticComplexity
       # rubocop: enable Metrics/PerceivedComplexity
 

data/lib/tttls1.3/server.rb

@@ -164,6 +164,10 @@ module TTTLS13
             terminate(:no_application_protocol) if @alpn.nil?
           end
 
+          # record_size_limit
+          ch_rsl = ch.extensions[Message::ExtensionType::RECORD_SIZE_LIMIT]
+          @send_record_size = ch_rsl.record_size_limit unless ch_rsl.nil?
+
           @state = ServerState::RECVD_CH
         when ServerState::RECVD_CH
           logger.debug('ServerState::RECVD_CH')
@@ -222,7 +226,9 @@ module TTTLS13
           logger.debug('ServerState::WAIT_FLIGHT2')
 
           ch = transcript[CH]
-          ee = transcript[EE] = gen_encrypted_extensions(ch, @alpn)
+          rsl = @send_record_size \
+            unless ch.extensions[Message::ExtensionType::RECORD_SIZE_LIMIT].nil?
+          ee = transcript[EE] = gen_encrypted_extensions(ch, @alpn, rsl)
           # TODO: [Send CertificateRequest]
           ct = transcript[CT] = gen_certificate(@crt)
           digest = CipherSuite.digest(@cipher_suite)
@@ -377,11 +383,14 @@ module TTTLS13
     end
 
     # @param ch [TTTLS13::Message::ClientHello]
-    # @param alpn [String]
+    # @param alpn [String, nil]
+    # @param record_size_limit [Integer, nil]
     #
     # @return [TTTLS13::Message::EncryptedExtensions]
-    def gen_encrypted_extensions(ch, alpn = nil)
-      Message::EncryptedExtensions.new(gen_ee_extensions(ch, alpn))
+    def gen_encrypted_extensions(ch, alpn = nil, record_size_limit = nil)
+      Message::EncryptedExtensions.new(
+        gen_ee_extensions(ch, alpn, record_size_limit)
+      )
     end
 
     # @param crt [OpenSSL::X509::Certificate]
@@ -440,9 +449,10 @@ module TTTLS13
 
     # @param ch [TTTLS13::Message::ClientHello]
     # @param alpn [String]
+    # @param record_size_limit [Integer, nil]
     #
     # @return [TTTLS13::Message::Extensions]
-    def gen_ee_extensions(ch, alpn)
+    def gen_ee_extensions(ch, alpn, record_size_limit)
       exs = []
 
       # server_name
@@ -456,6 +466,10 @@ module TTTLS13
       # alpn
       exs << Message::Extension::Alpn.new([alpn]) unless alpn.nil?
 
+      # record_size_limit
+      exs << Message::Extension::RecordSizeLimit.new(record_size_limit) \
+        unless record_size_limit.nil?
+
       Message::Extensions.new(exs)
     end
 

data/lib/tttls1.3/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module TTTLS13
-  VERSION = '0.2.7'
+  VERSION = '0.2.8'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tttls1.3
 version: !ruby/object:Gem::Version
-  version: 0.2.7
+  version: 0.2.8
 platform: ruby
 authors:
 - thekuwayama
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-07-19 00:00:00.000000000 Z
+date: 2019-08-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler