Hello community,

here is the log from the commit of package ghc-tls for openSUSE:Factory checked 
in at 2016-05-12 09:34:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ghc-tls (Old)
 and      /work/SRC/openSUSE:Factory/.ghc-tls.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ghc-tls"

Changes:
--------
--- /work/SRC/openSUSE:Factory/ghc-tls/ghc-tls.changes  2016-04-30 
23:30:42.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.ghc-tls.new/ghc-tls.changes     2016-05-12 
09:34:10.000000000 +0200
@@ -1,0 +2,13 @@
+Wed May 11 15:35:33 UTC 2016 - mimi...@gmail.com
+
+- update to 1.3.7
+* Disable SHA384 based cipher, as they don't work properly yet.
+
+-------------------------------------------------------------------
+Sun May  8 11:22:31 UTC 2016 - mimi...@gmail.com
+
+- update to 1.3.6
+* Add new ciphers
+* Improve some debugging and outputs
+
+-------------------------------------------------------------------

Old:
----
  tls-1.3.5.tar.gz

New:
----
  tls-1.3.7.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ghc-tls.spec ++++++
--- /var/tmp/diff_new_pack.B4HGvy/_old  2016-05-12 09:34:11.000000000 +0200
+++ /var/tmp/diff_new_pack.B4HGvy/_new  2016-05-12 09:34:11.000000000 +0200
@@ -21,7 +21,7 @@
 %bcond_with tests
 
 Name:           ghc-tls
-Version:        1.3.5
+Version:        1.3.7
 Release:        0
 Summary:        TLS/SSL protocol native implementation (Server and Client)
 License:        BSD-3-Clause

++++++ tls-1.3.5.tar.gz -> tls-1.3.7.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/CHANGELOG.md new/tls-1.3.7/CHANGELOG.md
--- old/tls-1.3.5/CHANGELOG.md  2016-04-09 15:47:25.000000000 +0200
+++ new/tls-1.3.7/CHANGELOG.md  2016-05-08 07:10:23.000000000 +0200
@@ -1,3 +1,12 @@
+## Version 1.3.7
+
+- Disable SHA384 based cipher, as they don't work properly yet.
+
+## Version 1.3.6
+
+- Add new ciphers
+- Improve some debugging and outputs
+
 ## Version 1.3.5
 
 - Fix a bug with ECDHE based cipher where serialization
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/Network/TLS/Extension/EC.hs 
new/tls-1.3.7/Network/TLS/Extension/EC.hs
--- old/tls-1.3.5/Network/TLS/Extension/EC.hs   2016-04-09 15:47:25.000000000 
+0200
+++ new/tls-1.3.7/Network/TLS/Extension/EC.hs   2016-05-08 07:10:23.000000000 
+0200
@@ -33,6 +33,9 @@
 toCurveName 23 = Just SEC_p256r1
 toCurveName 24 = Just SEC_p384r1
 toCurveName 25 = Just SEC_p521r1
+--toCurveName 26 = Just  Brainpool_P256r1
+--toCurveName 27 = Just Brainpool_P384r1
+--toCurveName 28 = Just Brainpool_P512r1
 toCurveName _  = Nothing
 
 fromCurveName :: CurveName -> Maybe Word16
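Review bot: The three added lines are commented-out code, so the Brainpool ids 26–28 are recorded here only as dead text while the live mapping for them sits in NamedCurve's EnumSafe16 instance in Network/TLS/Extension.hs in this same release. Either drop them or replace them with a single pointer comment such as `-- Brainpool curves (26, 27, 28) are mapped by NamedCurve's EnumSafe16 instance in Network.TLS.Extension`, so a reader does not assume toCurveName is the only place curve ids are decoded. toCurveName's signature and earlier equations are outside the hunk.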
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/Network/TLS/Extension.hs 
new/tls-1.3.7/Network/TLS/Extension.hs
--- old/tls-1.3.5/Network/TLS/Extension.hs      2016-04-09 15:47:25.000000000 
+0200
+++ new/tls-1.3.7/Network/TLS/Extension.hs      2016-05-08 07:10:23.000000000 
+0200
@@ -41,7 +41,6 @@
     , availableEllipticCurves
     ) where
 
-import Control.Applicative ((<$>),(<*>))
 import Control.Monad
 
 import Data.Word
@@ -53,6 +52,7 @@
 import Network.TLS.Extension.EC
 import Network.TLS.Struct (ExtensionID, EnumSafe8(..), EnumSafe16(..), 
HashAndSignatureAlgorithm)
 import Network.TLS.Wire
+import Network.TLS.Imports
 import Network.TLS.Packet (putSignatureHashAlgorithm, 
getSignatureHashAlgorithm)
 
 type HostName = String
@@ -258,21 +258,32 @@
 
 data NamedCurve =
       SEC CurveName
+    | BrainPool BrainPoolCurve
     | NamedCurve_arbitrary_explicit_prime_curves
     | NamedCurve_arbitrary_explicit_char2_curves
     deriving (Show,Eq)
 
--- FIXME: currently maximum crypto strength of our supported
---        cipher suite is 128 bits. Not support 384 and 512.
+data BrainPoolCurve =
+      BrainPoolP512R1 -- 28
+    | BrainPoolP384R1 -- 27
+    | BrainPoolP256R1 -- 26
+    deriving (Show,Eq)
+
 availableEllipticCurves :: [NamedCurve]
-availableEllipticCurves = [SEC SEC_p160r1, SEC SEC_p224r1, SEC SEC_p256r1]
+availableEllipticCurves = [SEC SEC_p256r1, SEC SEC_p521r1]
 
 instance EnumSafe16 NamedCurve where
     fromEnumSafe16 NamedCurve_arbitrary_explicit_prime_curves = 0xFF01
     fromEnumSafe16 NamedCurve_arbitrary_explicit_char2_curves = 0xFF02
     fromEnumSafe16 (SEC nc) = maybe (error "named curve: internal error") id $ 
fromCurveName nc
+    fromEnumSafe16 (BrainPool BrainPoolP512R1) = 28
+    fromEnumSafe16 (BrainPool BrainPoolP384R1) = 27
+    fromEnumSafe16 (BrainPool BrainPoolP256R1) = 26
     toEnumSafe16 0xFF01 = Just NamedCurve_arbitrary_explicit_prime_curves
     toEnumSafe16 0xFF02 = Just NamedCurve_arbitrary_explicit_char2_curves
+    toEnumSafe16 26     = Just (BrainPool BrainPoolP256R1)
+    toEnumSafe16 27     = Just (BrainPool BrainPoolP384R1)
+    toEnumSafe16 28     = Just (BrainPool BrainPoolP512R1)
     toEnumSafe16 n      = SEC <$> toCurveName n
 
 -- on decode, filter all unknown curves
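Review bot: `toEnumSafe16 26`, `27` and `28` now decode the Brainpool ids into known NamedCurve values, so the decode-time filter announced at the end of the hunk no longer drops them, while `availableEllipticCurves` still lists only SEC_p256r1 and SEC_p521r1. Unless the code that consumes the client's curve list (outside this hunk) intersects it with availableEllipticCurves before choosing, a peer's preference could now land on a curve the ECDH layer does not back; worth confirming that intersection exists and covering it with a test. The 26/27/28 constants are also now spelled out in three places here (the BrainPoolCurve comments, fromEnumSafe16 and toEnumSafe16) plus EC.hs; a single table such as `brainPoolCodes :: [(BrainPoolCurve, Word16)]` driving both directions would keep them from drifting. SEC_p384r1 is absent from availableEllipticCurves although AES-256 and SHA384 suites are added in this release — confirm that is intentional.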
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/Network/TLS/Extra/Cipher.hs 
new/tls-1.3.7/Network/TLS/Extra/Cipher.hs
--- old/tls-1.3.5/Network/TLS/Extra/Cipher.hs   2016-04-09 15:47:25.000000000 
+0200
+++ new/tls-1.3.7/Network/TLS/Extra/Cipher.hs   2016-05-08 07:10:23.000000000 
+0200
@@ -35,8 +35,11 @@
     , cipher_DHE_DSS_RC4_SHA1
     , cipher_DHE_RSA_AES128GCM_SHA256
     , cipher_ECDHE_RSA_AES128GCM_SHA256
+    , cipher_ECDHE_RSA_AES256GCM_SHA384
     , cipher_ECDHE_RSA_AES128CBC_SHA256
     , cipher_ECDHE_RSA_AES128CBC_SHA
+    , cipher_ECDHE_RSA_AES256CBC_SHA
+    , cipher_ECDHE_RSA_AES256CBC_SHA384
     , cipher_ECDHE_ECDSA_AES128GCM_SHA256
     ) where
 
@@ -89,6 +92,24 @@
             (output, aeadFinal) = aeadDecrypt aead input
             tag                 = aeadFinalize aeadFinal 16
 
+aes256gcm :: BulkDirection -> BulkKey -> BulkAEAD
+aes256gcm BulkEncrypt key =
+    let ctx = noFail (cipherInit key) :: AES256
+     in (\nonce d ad ->
+            let aeadIni = noFail (aeadInit AEAD_GCM ctx nonce)
+             in swap $ aeadSimpleEncrypt aeadIni ad d 16)
+aes256gcm BulkDecrypt key =
+    let ctx = noFail (cipherInit key) :: AES256
+     in (\nonce d ad ->
+            let aeadIni = noFail (aeadInit AEAD_GCM ctx nonce)
+             in simpleDecrypt aeadIni ad d)
+  where
+    simpleDecrypt aeadIni header input = (output, tag)
+      where
+            aead                = aeadAppendHeader aeadIni header
+            (output, aeadFinal) = aeadDecrypt aead input
+            tag                 = aeadFinalize aeadFinal 16
+
 noFail :: CryptoFailable a -> a
 noFail = throwCryptoError
 
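Review bot: `aes256gcm` is a line-for-line copy of `aes128gcm` with only the `:: AES256` annotation changed, down to a second private `simpleDecrypt`, so any later fix to one (tag length, nonce handling) has to be remembered for the other. Factoring the direction dispatch into a helper that takes the already-initialised cipher context removes the duplication; the sketch below assumes aes128gcm, whose body starts above the hunk, has the shape its visible `where` tail suggests, and needs `BlockCipher` from Crypto.Cipher.Types in scope if it is not already. aes128gcm can then be reduced to the same one-liner in a follow-up.
```haskell
aes256gcm :: BulkDirection -> BulkKey -> BulkAEAD
aes256gcm dir key = aesGcm dir (noFail (cipherInit key) :: AES256)

-- | GCM AEAD over an already-initialised AES context, independent of key size.
aesGcm :: BlockCipher c => BulkDirection -> c -> BulkAEAD
aesGcm BulkEncrypt ctx = \nonce d ad ->
    let aeadIni = noFail (aeadInit AEAD_GCM ctx nonce)
     in swap $ aeadSimpleEncrypt aeadIni ad d 16
aesGcm BulkDecrypt ctx = \nonce d ad ->
    let aeadIni = noFail (aeadInit AEAD_GCM ctx nonce)
     in simpleDecrypt aeadIni ad d
  where
    -- … unchanged: simpleDecrypt as in the hunk …
```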
@@ -119,6 +140,7 @@
 ciphersuite_all :: [Cipher]
 ciphersuite_all =
     [ cipher_ECDHE_RSA_AES128GCM_SHA256
+    , cipher_ECDHE_RSA_AES256CBC_SHA
     , cipher_ECDHE_ECDSA_AES128GCM_SHA256
     , cipher_DHE_RSA_AES256_SHA256, cipher_DHE_RSA_AES128_SHA256
     , cipher_DHE_RSA_AES256_SHA1, cipher_DHE_RSA_AES128_SHA1
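Review bot: The new `cipher_ECDHE_RSA_AES256CBC_SHA` entry is placed second in ciphersuite_all, ahead of `cipher_ECDHE_ECDSA_AES128GCM_SHA256`, and the ciphersuite_strong hunk below does the same; per its own definition later in this diff it is a TLS 1.0 CBC suite with a SHA-1 MAC, so whichever side's preference order wins, an AEAD suite now ranks below a CBC/SHA-1 one. Move it after the AEAD entries in both lists, e.g. `[ cipher_ECDHE_RSA_AES128GCM_SHA256`, `, cipher_ECDHE_ECDSA_AES128GCM_SHA256`, `, cipher_ECDHE_RSA_AES256CBC_SHA`, and consider whether a CBC/SHA-1 suite belongs in a list documented as "the strongest ciphers supported" at all. ciphersuite_all continues past the hunk.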
@@ -136,7 +158,14 @@
 
 -- | the strongest ciphers supported.
 ciphersuite_strong :: [Cipher]
-ciphersuite_strong = [cipher_ECDHE_RSA_AES128GCM_SHA256, 
cipher_ECDHE_ECDSA_AES128GCM_SHA256, cipher_DHE_RSA_AES256_SHA256, 
cipher_AES256_SHA256, cipher_AES256_SHA1]
+ciphersuite_strong =
+    [ cipher_ECDHE_RSA_AES128GCM_SHA256
+    , cipher_ECDHE_RSA_AES256CBC_SHA
+    , cipher_ECDHE_ECDSA_AES128GCM_SHA256
+    , cipher_DHE_RSA_AES256_SHA256
+    , cipher_AES256_SHA256
+    , cipher_AES256_SHA1
+    ]
 
 -- | DHE-RSA cipher suite
 ciphersuite_dhe_rsa :: [Cipher]
@@ -151,7 +180,7 @@
 ciphersuite_unencrypted :: [Cipher]
 ciphersuite_unencrypted = [cipher_null_MD5, cipher_null_SHA1]
 
-bulk_null, bulk_rc4, bulk_aes128, bulk_aes256, bulk_tripledes_ede, 
bulk_aes128gcm :: Bulk
+bulk_null, bulk_rc4, bulk_aes128, bulk_aes256, bulk_tripledes_ede, 
bulk_aes128gcm, bulk_aes256gcm :: Bulk
 bulk_null = Bulk
     { bulkName         = "null"
     , bulkKeySize      = 0
@@ -194,6 +223,16 @@
     , bulkF            = BulkAeadF aes128gcm
     }
 
+bulk_aes256gcm = Bulk
+    { bulkName         = "AES256GCM"
+    , bulkKeySize      = 32 -- RFC 5116 Sec 5.1: K_LEN
+    , bulkIVSize       = 4  -- RFC 5288 GCMNonce.salt, fixed_iv_length
+    , bulkExplicitIV   = 8
+    , bulkAuthTagLen   = 16
+    , bulkBlockSize    = 0  -- dummy, not used
+    , bulkF            = BulkAeadF aes256gcm
+    }
+
 bulk_aes256 = Bulk
     { bulkName         = "AES256"
     , bulkKeySize      = 32
@@ -269,6 +308,28 @@
     , cipherMinVer       = Just SSL3
     }
 
+-- | AES cipher (128 bit key), DHE key exchanged signed by DSA and SHA1 for 
digest
+cipher_DHE_DSS_AES128_SHA1 :: Cipher
+cipher_DHE_DSS_AES128_SHA1 = Cipher
+    { cipherID           = 0x32
+    , cipherName         = "DHE-DSA-AES128-SHA1"
+    , cipherBulk         = bulk_aes128
+    , cipherHash         = SHA1
+    , cipherKeyExchange  = CipherKeyExchange_DHE_DSS
+    , cipherMinVer       = Nothing
+    }
+
+-- | AES cipher (128 bit key), DHE key exchanged signed by RSA and SHA1 for 
digest
+cipher_DHE_RSA_AES128_SHA1 :: Cipher
+cipher_DHE_RSA_AES128_SHA1 = Cipher
+    { cipherID           = 0x33
+    , cipherName         = "DHE-RSA-AES128-SHA1"
+    , cipherBulk         = bulk_aes128
+    , cipherHash         = SHA1
+    , cipherKeyExchange  = CipherKeyExchange_DHE_RSA
+    , cipherMinVer       = Nothing
+    }
+
 -- | AES cipher (256 bit key), RSA key exchange and SHA1 for digest
 cipher_AES256_SHA1 :: Cipher
 cipher_AES256_SHA1 = Cipher
@@ -280,6 +341,22 @@
     , cipherMinVer       = Just SSL3
     }
 
+-- | AES cipher (256 bit key), DHE key exchanged signed by DSA and SHA1 for 
digest
+cipher_DHE_DSS_AES256_SHA1 :: Cipher
+cipher_DHE_DSS_AES256_SHA1 = cipher_DHE_DSS_AES128_SHA1
+    { cipherID           = 0x38
+    , cipherName         = "DHE-DSA-AES256-SHA1"
+    , cipherBulk         = bulk_aes256
+    }
+
+-- | AES cipher (256 bit key), DHE key exchanged signed by RSA and SHA1 for 
digest
+cipher_DHE_RSA_AES256_SHA1 :: Cipher
+cipher_DHE_RSA_AES256_SHA1 = cipher_DHE_RSA_AES128_SHA1
+    { cipherID           = 0x39
+    , cipherName         = "DHE-RSA-AES256-SHA1"
+    , cipherBulk         = bulk_aes256
+    }
+
 -- | AES cipher (128 bit key), RSA key exchange and SHA256 for digest
 cipher_AES128_SHA256 :: Cipher
 cipher_AES128_SHA256 = Cipher
@@ -302,43 +379,6 @@
     , cipherMinVer       = Just TLS12
     }
 
--- | AES cipher (128 bit key), DHE key exchanged signed by RSA and SHA1 for 
digest
-cipher_DHE_RSA_AES128_SHA1 :: Cipher
-cipher_DHE_RSA_AES128_SHA1 = Cipher
-    { cipherID           = 0x33
-    , cipherName         = "DHE-RSA-AES128-SHA1"
-    , cipherBulk         = bulk_aes128
-    , cipherHash         = SHA1
-    , cipherKeyExchange  = CipherKeyExchange_DHE_RSA
-    , cipherMinVer       = Nothing
-    }
-
--- | AES cipher (256 bit key), DHE key exchanged signed by RSA and SHA1 for 
digest
-cipher_DHE_RSA_AES256_SHA1 :: Cipher
-cipher_DHE_RSA_AES256_SHA1 = cipher_DHE_RSA_AES128_SHA1
-    { cipherID           = 0x39
-    , cipherName         = "DHE-RSA-AES256-SHA1"
-    , cipherBulk         = bulk_aes256
-    }
-
--- | AES cipher (128 bit key), DHE key exchanged signed by DSA and SHA1 for 
digest
-cipher_DHE_DSS_AES128_SHA1 :: Cipher
-cipher_DHE_DSS_AES128_SHA1 = Cipher
-    { cipherID           = 0x32
-    , cipherName         = "DHE-DSA-AES128-SHA1"
-    , cipherBulk         = bulk_aes128
-    , cipherHash         = SHA1
-    , cipherKeyExchange  = CipherKeyExchange_DHE_DSS
-    , cipherMinVer       = Nothing
-    }
-
--- | AES cipher (256 bit key), DHE key exchanged signed by DSA and SHA1 for 
digest
-cipher_DHE_DSS_AES256_SHA1 :: Cipher
-cipher_DHE_DSS_AES256_SHA1 = cipher_DHE_DSS_AES128_SHA1
-    { cipherID           = 0x38
-    , cipherName         = "DHE-DSA-AES256-SHA1"
-    , cipherBulk         = bulk_aes256
-    }
 
 cipher_DHE_DSS_RC4_SHA1 :: Cipher
 cipher_DHE_DSS_RC4_SHA1 = cipher_DHE_DSS_AES128_SHA1
@@ -383,16 +423,6 @@
     , cipherMinVer       = Just TLS12 -- RFC 5288 Sec 4
     }
 
-cipher_ECDHE_RSA_AES128GCM_SHA256 :: Cipher
-cipher_ECDHE_RSA_AES128GCM_SHA256 = Cipher
-    { cipherID           = 0xc02f
-    , cipherName         = "ECDHE-RSA-AES128GCM-SHA256"
-    , cipherBulk         = bulk_aes128gcm
-    , cipherHash         = SHA256
-    , cipherKeyExchange  = CipherKeyExchange_ECDHE_RSA
-    , cipherMinVer       = Just TLS12 -- RFC 5288 Sec 4
-    }
-
 cipher_ECDHE_RSA_AES128CBC_SHA :: Cipher
 cipher_ECDHE_RSA_AES128CBC_SHA = Cipher
     { cipherID           = 0xc013
@@ -403,17 +433,36 @@
     , cipherMinVer       = Just TLS10
     }
 
---TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
+cipher_ECDHE_RSA_AES256CBC_SHA :: Cipher
+cipher_ECDHE_RSA_AES256CBC_SHA = Cipher
+    { cipherID           = 0xc014
+    , cipherName         = "ECDHE-RSA-AES256CBC-SHA"
+    , cipherBulk         = bulk_aes256
+    , cipherHash         = SHA1
+    , cipherKeyExchange  = CipherKeyExchange_ECDHE_RSA
+    , cipherMinVer       = Just TLS10
+    }
+
 cipher_ECDHE_RSA_AES128CBC_SHA256 :: Cipher
 cipher_ECDHE_RSA_AES128CBC_SHA256 = Cipher
     { cipherID           = 0xc027
-    , cipherName         = "ECDHE-RSA-AES128CBC-SHA"
+    , cipherName         = "ECDHE-RSA-AES128CBC-SHA256"
     , cipherBulk         = bulk_aes128
     , cipherHash         = SHA256
     , cipherKeyExchange  = CipherKeyExchange_ECDHE_RSA
     , cipherMinVer       = Just TLS12 -- RFC 5288 Sec 4
     }
 
+cipher_ECDHE_RSA_AES256CBC_SHA384 :: Cipher
+cipher_ECDHE_RSA_AES256CBC_SHA384 = Cipher
+    { cipherID           = 0xc027
+    , cipherName         = "ECDHE-RSA-AES256CBC-SHA384"
+    , cipherBulk         = bulk_aes256
+    , cipherHash         = SHA384
+    , cipherKeyExchange  = CipherKeyExchange_ECDHE_RSA
+    , cipherMinVer       = Just TLS12 -- RFC 5288 Sec 4
+    }
+
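Review bot: `cipher_ECDHE_RSA_AES256CBC_SHA384` is given `cipherID = 0xc027`, the same id as `cipher_ECDHE_RSA_AES128CBC_SHA256` defined just above it; the IANA id for TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 is 0xc028. Even though the release notes say SHA384 suites are disabled, the value is exported, so a user-supplied cipher list containing both would advertise 0xc027 twice and any lookup by id would resolve to whichever definition comes first, pairing the wrong bulk and hash with the negotiated suite. Change it to `    { cipherID           = 0xc028`, and the copied `-- RFC 5288 Sec 4` comment on its cipherMinVer should point at RFC 5289, where the SHA-256/384 CBC suites are defined (the same comment on the AES128CBC_SHA256 entry predates this commit). A unit test asserting cipherID is unique across all exported ciphers would have caught this.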
 cipher_ECDHE_ECDSA_AES128GCM_SHA256 :: Cipher
 cipher_ECDHE_ECDSA_AES128GCM_SHA256 = Cipher
     { cipherID           = 0xc02b
@@ -423,6 +472,27 @@
     , cipherKeyExchange  = CipherKeyExchange_ECDHE_ECDSA
     , cipherMinVer       = Just TLS12 -- RFC 5289
     }
+
+cipher_ECDHE_RSA_AES128GCM_SHA256 :: Cipher
+cipher_ECDHE_RSA_AES128GCM_SHA256 = Cipher
+    { cipherID           = 0xc02f
+    , cipherName         = "ECDHE-RSA-AES128GCM-SHA256"
+    , cipherBulk         = bulk_aes128gcm
+    , cipherHash         = SHA256
+    , cipherKeyExchange  = CipherKeyExchange_ECDHE_RSA
+    , cipherMinVer       = Just TLS12 -- RFC 5288 Sec 4
+    }
+
+cipher_ECDHE_RSA_AES256GCM_SHA384 :: Cipher
+cipher_ECDHE_RSA_AES256GCM_SHA384 = Cipher
+    { cipherID           = 0xc030
+    , cipherName         = "ECDHE-RSA-AES256GCM-SHA256"
+    , cipherBulk         = bulk_aes256gcm
+    , cipherHash         = SHA384
+    , cipherKeyExchange  = CipherKeyExchange_ECDHE_RSA
+    , cipherMinVer       = Just TLS12 -- RFC 5289
+    }
+
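Review bot: `cipher_ECDHE_RSA_AES256GCM_SHA384` has `cipherName = "ECDHE-RSA-AES256GCM-SHA256"`, which contradicts both its binding name and its `cipherHash = SHA384`; it is the same kind of copy-paste name slip the commit fixes for the AES128CBC_SHA256 suite earlier in the file. Change it to `    , cipherName         = "ECDHE-RSA-AES256GCM-SHA384"`. Since cipherName is what surfaces in logs and debugging output, a wrong name makes a negotiated suite look like a different one during incident review.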
 {-
 TLS 1.0 ciphers definition
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/Network/TLS/Handshake/Client.hs 
new/tls-1.3.7/Network/TLS/Handshake/Client.hs
--- old/tls-1.3.5/Network/TLS/Handshake/Client.hs       2016-04-09 
15:47:25.000000000 +0200
+++ new/tls-1.3.7/Network/TLS/Handshake/Client.hs       2016-05-08 
07:10:23.000000000 +0200
@@ -21,6 +21,7 @@
 import Network.TLS.ErrT
 import Network.TLS.Extension
 import Network.TLS.IO
+import Network.TLS.Imports
 import Network.TLS.State hiding (getNegotiatedProtocol)
 import Network.TLS.Measurement
 import Network.TLS.Wire (encodeWord16)
@@ -32,7 +33,6 @@
 import qualified Data.ByteString as B
 import Data.ByteString.Char8 ()
 
-import Control.Applicative ((<$>), (<*>))
 import Control.Monad.State
 import Control.Exception (SomeException)
 
@@ -75,7 +75,7 @@
                                  ]
 
         toExtensionRaw :: Extension e => e -> ExtensionRaw
-        toExtensionRaw ext = (extensionID ext, extensionEncode ext)
+        toExtensionRaw ext = ExtensionRaw (extensionID ext) (extensionEncode 
ext)
 
         secureReneg  =
                 if supportedSecureRenegotiation $ ctxSupported ctx
@@ -114,7 +114,7 @@
                 [ ClientHello highestVer crand clientSession (map cipherID 
ciphers)
                               (map compressionID compressions) extensions 
Nothing
                 ]
-            return $ map fst extensions
+            return $ map (\(ExtensionRaw i _) -> i) extensions
 
         sendMaybeNPN = do
             suggest <- usingState_ ctx $ getServerNextProtocolSuggest
@@ -262,8 +262,8 @@
 
                 _ -> return ()
 
-processServerExtension :: (ExtensionID, Bytes) -> TLSSt ()
-processServerExtension (0xff01, content) = do
+processServerExtension :: ExtensionRaw -> TLSSt ()
+processServerExtension (ExtensionRaw 0xff01 content) = do
     cv <- getVerifiedData ClientRole
     sv <- getVerifiedData ServerRole
     let bs = extensionEncode (SecureRenegotiation cv $ Just sv)
@@ -300,7 +300,7 @@
 
     -- intersect sent extensions in client and the received extensions from 
server.
     -- if server returns extensions that we didn't request, fail.
-    when (not $ null $ filter (not . flip elem sentExts . fst) exts) $
+    when (not $ null $ filter (not . flip elem sentExts . (\(ExtensionRaw i _) 
-> i)) exts) $
         throwCore $ Error_Protocol ("spurious extensions received", True, 
UnsupportedExtension)
 
     let resumingSession =
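Review bot: The rewritten spurious-extension check keeps the `not $ null $ filter (not . …)` shape and now nests a pattern lambda inside it, which is hard to read for a protocol check that should be obviously correct. `when (any (\(ExtensionRaw i _) -> notElem i sentExts) exts) $` states the same condition directly. The same projection lambda already appears in sendClientHello in the earlier hunk; a small accessor on ExtensionRaw (or a record field) would remove both copies. The enclosing function starts and ends outside the hunk.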
@@ -313,7 +313,7 @@
         setVersion rver
     usingHState ctx $ setServerHelloParameters rver serverRan cipherAlg 
compressAlg
 
-    case extensionDecode False `fmap` (lookup 
extensionID_ApplicationLayerProtocolNegotiation exts) of
+    case extensionDecode False `fmap` (extensionLookup 
extensionID_ApplicationLayerProtocolNegotiation exts) of
         Just (Just (ApplicationLayerProtocolNegotiation [proto])) -> 
usingState_ ctx $ do
             mprotos <- getClientALPNSuggest
             case mprotos of
@@ -323,7 +323,7 @@
                 _ -> return ()
         _ -> return ()
 
-    case extensionDecode False `fmap` (lookup 
extensionID_NextProtocolNegotiation exts) of
+    case extensionDecode False `fmap` (extensionLookup 
extensionID_NextProtocolNegotiation exts) of
         Just (Just (NextProtocolNegotiation protos)) -> usingState_ ctx $ do
             alpnDone <- getExtensionALPN
             unless alpnDone $ do
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/Network/TLS/Handshake/Common.hs 
new/tls-1.3.7/Network/TLS/Handshake/Common.hs
--- old/tls-1.3.5/Network/TLS/Handshake/Common.hs       2016-04-09 
15:47:25.000000000 +0200
+++ new/tls-1.3.7/Network/TLS/Handshake/Common.hs       2016-05-08 
07:10:23.000000000 +0200
@@ -13,6 +13,7 @@
     , runRecvState
     , recvPacketHandshake
     , onRecvStateHandshake
+    , extensionLookup
     ) where
 
 import Control.Concurrent.MVar
@@ -30,6 +31,7 @@
 import Network.TLS.Types
 import Network.TLS.Cipher
 import Network.TLS.Util
+import Data.List (find)
 import Data.ByteString.Char8 ()
 
 import Control.Monad.State
@@ -132,3 +134,6 @@
                         , sessionCipher  = cipherID $ fromJust "cipher" $ 
stCipher tx
                         , sessionSecret  = ms
                         }
+
+extensionLookup toFind = fmap (\(ExtensionRaw _ content) -> content)
+                       . find (\(ExtensionRaw eid content) -> eid == toFind)
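Review bot: `extensionLookup` is a new exported top-level binding without a type signature, and the `find` lambda binds `content` without using it, which -Wall will flag. Add `extensionLookup :: ExtensionID -> [ExtensionRaw] -> Maybe Bytes` above it (importing Bytes from Network.TLS.Imports if it is not already in scope) and use `_` for the unused field: `. find (\(ExtensionRaw eid _) -> eid == toFind)`. A one-line Haddock such as `-- | Payload of the first extension carrying the given id, if any.` would also record that, like the `lookup` it replaces, only the first match is returned.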
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/Network/TLS/Handshake/Process.hs 
new/tls-1.3.7/Network/TLS/Handshake/Process.hs
--- old/tls-1.3.5/Network/TLS/Handshake/Process.hs      2016-04-09 
15:47:25.000000000 +0200
+++ new/tls-1.3.7/Network/TLS/Handshake/Process.hs      2016-05-08 
07:10:23.000000000 +0200
@@ -13,7 +13,6 @@
     , getHandshakeDigest
     ) where
 
-import Control.Applicative
 import Control.Concurrent.MVar
 import Control.Monad.State (gets)
 import Control.Monad
@@ -27,6 +26,7 @@
 import Network.TLS.State
 import Network.TLS.Context.Internal
 import Network.TLS.Crypto
+import Network.TLS.Imports
 import Network.TLS.Handshake.State
 import Network.TLS.Handshake.Key
 import Network.TLS.Extension
@@ -57,7 +57,7 @@
   where secureRenegotiation = supportedSecureRenegotiation $ ctxSupported ctx
         -- RFC5746: secure renegotiation
         -- the renegotiation_info extension: 0xff01
-        processClientExtension (0xff01, content) | secureRenegotiation = do
+        processClientExtension (ExtensionRaw 0xff01 content) | 
secureRenegotiation = do
             v <- getVerifiedData ClientRole
             let bs = extensionEncode (SecureRenegotiation v Nothing)
             unless (bs `bytesEq` content) $ throwError $ Error_Protocol 
("client verified data not matching: " ++ show v ++ ":" ++ show content, True, 
HandshakeFailure)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/Network/TLS/Handshake/Server.hs 
new/tls-1.3.7/Network/TLS/Handshake/Server.hs
--- old/tls-1.3.5/Network/TLS/Handshake/Server.hs       2016-04-09 
15:47:25.000000000 +0200
+++ new/tls-1.3.7/Network/TLS/Handshake/Server.hs       2016-05-08 
07:10:23.000000000 +0200
@@ -12,6 +12,7 @@
     ) where
 
 import Network.TLS.Parameters
+import Network.TLS.Imports
 import Network.TLS.Context.Internal
 import Network.TLS.Session
 import Network.TLS.Struct
@@ -28,13 +29,11 @@
 import Network.TLS.Handshake.Process
 import Network.TLS.Handshake.Key
 import Network.TLS.Measurement
-import Data.Monoid
 import Data.Maybe (isJust, listToMaybe, mapMaybe)
 import Data.List (intersect, sortBy)
 import qualified Data.ByteString as B
 import Data.ByteString.Char8 ()
 
-import Control.Applicative ((<$>))
 import Control.Monad.State
 
 import Network.TLS.Handshake.Signature
@@ -112,7 +111,7 @@
     when (null commonCompressions) $ throwCore $
         Error_Protocol ("no compression in common with the client", True, 
HandshakeFailure)
 
-    let serverName = case extensionDecode False `fmap` (lookup 
extensionID_ServerName exts) of
+    let serverName = case extensionDecode False `fmap` (extensionLookup 
extensionID_ServerName exts) of
             Just (Just (ServerName ns)) -> listToMaybe (mapMaybe toHostName ns)
                 where toHostName (ServerNameHostName hostName) = Just hostName
                       toHostName (ServerNameOther _)           = Nothing
@@ -136,17 +135,17 @@
 
     maybe (return ()) (usingState_ ctx . setClientSNI) serverName
 
-    case extensionDecode False `fmap` (lookup 
extensionID_ApplicationLayerProtocolNegotiation exts) of
+    case extensionDecode False `fmap` (extensionLookup 
extensionID_ApplicationLayerProtocolNegotiation exts) of
         Just (Just (ApplicationLayerProtocolNegotiation protos)) -> 
usingState_ ctx $ setClientALPNSuggest protos
         _ -> return ()
 
-    case extensionDecode False `fmap` (lookup extensionID_EllipticCurves exts) 
of
+    case extensionDecode False `fmap` (extensionLookup 
extensionID_EllipticCurves exts) of
         Just (Just (EllipticCurvesSupported es)) -> usingState_ ctx $ 
setClientEllipticCurveSuggest es
         _ -> return ()
 
     -- Currently, we don't send back EcPointFormats. In this case,
     -- the client chooses EcPointFormat_Uncompressed.
-    case extensionDecode False `fmap` (lookup extensionID_EcPointFormats exts) 
of
+    case extensionDecode False `fmap` (extensionLookup 
extensionID_EcPointFormats exts) of
         Just (Just (EcPointFormatsSupported fs)) -> usingState_ ctx $ 
setClientEcPointFormatSuggest fs
         _ -> return ()
 
@@ -163,7 +162,7 @@
 
 doHandshake :: ServerParams -> Maybe Credential -> Context -> Version -> Cipher
             -> Compression -> Session -> Maybe SessionData
-            -> [(ExtensionID, a)] -> IO ()
+            -> [ExtensionRaw] -> IO ()
 doHandshake sparams mcred ctx chosenVersion usedCipher usedCompression 
clientSession resumeSessionData exts = do
     case resumeSessionData of
         Nothing -> do
@@ -181,8 +180,8 @@
             recvChangeCipherAndFinish ctx
     handshakeTerminate ctx
   where
-        clientRequestedNPN = isJust $ lookup 
extensionID_NextProtocolNegotiation exts
-        clientALPNSuggest = isJust $ lookup 
extensionID_ApplicationLayerProtocolNegotiation exts
+        clientRequestedNPN = isJust $ extensionLookup 
extensionID_NextProtocolNegotiation exts
+        clientALPNSuggest = isJust $ extensionLookup 
extensionID_ApplicationLayerProtocolNegotiation exts
 
         applicationProtocol = do
             protos <- alpn
@@ -196,8 +195,8 @@
                     usingState_ ctx $ do
                         setExtensionALPN True
                         setNegotiatedProtocol proto
-                    return $ [ ( 
extensionID_ApplicationLayerProtocolNegotiation
-                                                                               
                                , extensionEncode $ 
ApplicationLayerProtocolNegotiation [proto]) ]
+                    return $ [ ExtensionRaw 
extensionID_ApplicationLayerProtocolNegotiation
+                                            (extensionEncode $ 
ApplicationLayerProtocolNegotiation [proto]) ]
                 (_, _)                  -> return []
              | otherwise = return []
         npn = do
@@ -210,8 +209,8 @@
                     usingState_ ctx $ do
                         setExtensionNPN True
                         setServerNextProtocolSuggest protos
-                    return [ ( extensionID_NextProtocolNegotiation
-                             , extensionEncode $ NextProtocolNegotiation 
protos) ]
+                    return [ ExtensionRaw extensionID_NextProtocolNegotiation
+                             (extensionEncode $ NextProtocolNegotiation 
protos) ]
                 Nothing -> return []
 
 
@@ -235,7 +234,7 @@
                                     cvf <- getVerifiedData ClientRole
                                     svf <- getVerifiedData ServerRole
                                     return $ extensionEncode 
(SecureRenegotiation cvf $ Just svf)
-                            return [ (0xff01, vf) ]
+                            return [ ExtensionRaw 0xff01 vf ]
                     else return []
             protoExt <- applicationProtocol
             let extensions = secRengExt ++ protoExt
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/Network/TLS/Handshake/Signature.hs 
new/tls-1.3.7/Network/TLS/Handshake/Signature.hs
--- old/tls-1.3.5/Network/TLS/Handshake/Signature.hs    2016-04-09 
15:47:25.000000000 +0200
+++ new/tls-1.3.7/Network/TLS/Handshake/Signature.hs    2016-05-08 
07:10:23.000000000 +0200
@@ -19,6 +19,7 @@
 import Network.TLS.Crypto
 import Network.TLS.Context.Internal
 import Network.TLS.Struct
+import Network.TLS.Imports
 import Network.TLS.Packet (generateCertificateVerify_SSL, 
encodeSignedDHParams, encodeSignedECDHParams)
 import Network.TLS.Parameters (supportedHashSignatures)
 import Network.TLS.State
@@ -26,7 +27,6 @@
 import Network.TLS.Handshake.Key
 import Network.TLS.Util
 
-import Control.Applicative
 import Control.Monad.State
 
 certificateVerifyCheck :: Context
@@ -79,6 +79,7 @@
 signatureHashData SignatureRSA mhash =
     case mhash of
         Just HashSHA512 -> SHA512
+        Just HashSHA384 -> SHA384
         Just HashSHA256 -> SHA256
         Just HashSHA1   -> SHA1
         Nothing         -> SHA1_MD5
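Review bot: The `Just HashSHA384 -> SHA384` arm is added only to the `SignatureRSA` equation of signatureHashData visible here; if there are sibling equations for other signature algorithms outside the hunk, they may still lack a SHA384 arm and fall into whatever their fallback does for an unrecognised hash. Worth confirming each equation handles HashSHA384 consistently now that SHA384 is offered elsewhere in this release. signatureHashData's other equations are outside the hunk.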
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/Network/TLS/Imports.hs 
new/tls-1.3.7/Network/TLS/Imports.hs
--- old/tls-1.3.5/Network/TLS/Imports.hs        1970-01-01 01:00:00.000000000 
+0100
+++ new/tls-1.3.7/Network/TLS/Imports.hs        2016-05-08 07:10:23.000000000 
+0200
@@ -0,0 +1,30 @@
+-- |
+-- Module      : Network.TLS.Imports
+-- License     : BSD-style
+-- Maintainer  : Vincent Hanquez <vinc...@snarc.org>
+-- Stability   : experimental
+-- Portability : unknown
+--
+{-# LANGUAGE NoImplicitPrelude #-}
+module Network.TLS.Imports
+    (
+    -- generic exports
+      Control.Applicative.Applicative(..)
+    , (Control.Applicative.<$>)
+    , Data.Monoid.Monoid(..)
+    -- project definition
+    , Bytes
+    , showBytesHex
+    ) where
+
+import qualified Control.Applicative
+import qualified Data.Monoid
+
+import qualified Data.ByteString as B
+import           Data.ByteArray.Encoding as B
+import qualified Prelude
+
+type Bytes = B.ByteString
+
+showBytesHex :: Bytes -> Prelude.String
+showBytesHex bs = Prelude.show (B.convertToBase B.Base16 bs :: Bytes)
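Review bot: `import Data.ByteArray.Encoding as B` is the only unqualified import in this NoImplicitPrelude module, so every name from that module lands in the unqualified namespace while also sharing the `B` alias with Data.ByteString; `import qualified Data.ByteArray.Encoding as B` keeps it consistent with the other imports and still lets `B.convertToBase` and `B.Base16` resolve. `showBytesHex` also goes through `Prelude.show` on the encoded ByteString, so callers get a quoted string; a Haddock line such as `-- | Quoted base16 rendering of a byte string, intended for debugging output only.` would make that contract explicit for the Show instance in Struct.hs that now uses it.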
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/Network/TLS/Packet.hs 
new/tls-1.3.7/Network/TLS/Packet.hs
--- old/tls-1.3.5/Network/TLS/Packet.hs 2016-04-09 15:47:25.000000000 +0200
+++ new/tls-1.3.7/Network/TLS/Packet.hs 2016-05-08 07:10:23.000000000 +0200
@@ -58,12 +58,12 @@
     , putSignatureHashAlgorithm
     ) where
 
+import Network.TLS.Imports
 import Network.TLS.Struct
 import Network.TLS.Wire
 import Network.TLS.Cap
 import Data.Maybe (fromJust)
 import Data.Word
-import Control.Applicative ((<$>), (<*>))
 import Control.Monad
 import Data.ASN1.Types (fromASN1, toASN1)
 import Data.ASN1.Encoding (decodeASN1', encodeASN1')
@@ -474,10 +474,10 @@
     extdatalen <- getWord16
     extdata <- getBytes $ fromIntegral extdatalen
     extxs <- getExtensions (len - fromIntegral extdatalen - 4)
-    return $ (extty, extdata) : extxs
+    return $ ExtensionRaw extty extdata : extxs
 
 putExtension :: ExtensionRaw -> Put
-putExtension (ty, l) = putWord16 ty >> putOpaque16 l
+putExtension (ExtensionRaw ty l) = putWord16 ty >> putOpaque16 l
 
 putExtensions :: [ExtensionRaw] -> Put
 putExtensions [] = return ()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/Network/TLS/Parameters.hs 
new/tls-1.3.7/Network/TLS/Parameters.hs
--- old/tls-1.3.5/Network/TLS/Parameters.hs     2016-04-09 15:47:25.000000000 
+0200
+++ new/tls-1.3.7/Network/TLS/Parameters.hs     2016-05-08 07:10:23.000000000 
+0200
@@ -34,7 +34,6 @@
 import Network.TLS.Credentials
 import Network.TLS.X509
 import Network.TLS.RNG (Seed)
-import Data.Monoid
 import Data.Default.Class
 import qualified Data.ByteString as B
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/Network/TLS/State.hs 
new/tls-1.3.7/Network/TLS/State.hs
--- old/tls-1.3.5/Network/TLS/State.hs  2016-04-09 15:47:25.000000000 +0200
+++ new/tls-1.3.7/Network/TLS/State.hs  2016-05-08 07:10:23.000000000 +0200
@@ -57,7 +57,7 @@
     , withRNG
     ) where
 
-import Control.Applicative
+import Network.TLS.Imports
 import Network.TLS.Struct
 import Network.TLS.RNG
 import Network.TLS.Types (Role(..))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/Network/TLS/Struct.hs 
new/tls-1.3.7/Network/TLS/Struct.hs
--- old/tls-1.3.5/Network/TLS/Struct.hs 2016-04-09 15:47:25.000000000 +0200
+++ new/tls-1.3.7/Network/TLS/Struct.hs 2016-05-08 07:10:23.000000000 +0200
@@ -17,7 +17,7 @@
     , CipherType(..)
     , CipherData(..)
     , ExtensionID
-    , ExtensionRaw
+    , ExtensionRaw(..)
     , CertificateType(..)
     , HashAlgorithm(..)
     , SignatureAlgorithm(..)
@@ -71,13 +71,12 @@
 import Network.TLS.Crypto.DH
 import Network.TLS.Crypto.ECDH
 import Network.TLS.Util.Serialization
+import Network.TLS.Imports
 #if MIN_VERSION_mtl(2,2,1)
 #else
 import Control.Monad.Error
 #endif
 
-type Bytes = ByteString
-
 data ConnectionEnd = ConnectionServer | ConnectionClient
 data CipherType = CipherStream | CipherBlock | CipherAEAD
 
@@ -180,7 +179,12 @@
 
 type FinishedData = Bytes
 type ExtensionID  = Word16
-type ExtensionRaw = (ExtensionID, Bytes)
+
+data ExtensionRaw = ExtensionRaw ExtensionID Bytes
+    deriving (Eq)
+
+instance Show ExtensionRaw where
+    show (ExtensionRaw eid bs) = "ExtensionRaw " ++ show eid ++ " " ++ 
showBytesHex bs ++ ""
 
 constrRandom32 :: (Bytes -> a) -> Bytes -> Maybe a
 constrRandom32 constr l = if B.length l == 32 then Just (constr l) else Nothing
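Review bot: The hand-written `show` for ExtensionRaw ends with `++ ""`, a no-op, and defines only `show`, so when an ExtensionRaw is nested inside another derived Show value it is printed without parentheses. Define `showsPrec` instead: `showsPrec d (ExtensionRaw eid bs) = showParen (d > 10) $ showString "ExtensionRaw " . shows eid . showChar ' ' . showString (showBytesHex bs)`. Since this Show output feeds error messages built with `show content` elsewhere in this release, keeping it well-formed matters to anyone reading handshake-failure logs.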
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/Network/TLS/Util.hs 
new/tls-1.3.7/Network/TLS/Util.hs
--- old/tls-1.3.5/Network/TLS/Util.hs   2016-04-09 15:47:25.000000000 +0200
+++ new/tls-1.3.7/Network/TLS/Util.hs   2016-05-08 07:10:23.000000000 +0200
@@ -13,7 +13,7 @@
         ) where
 
 import Data.List (foldl')
-import Network.TLS.Struct (Bytes)
+import Network.TLS.Imports (Bytes)
 import qualified Data.ByteString as B
 
 import Control.Exception (SomeException)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/Tests/Connection.hs 
new/tls-1.3.7/Tests/Connection.hs
--- old/tls-1.3.5/Tests/Connection.hs   2016-04-09 15:47:25.000000000 +0200
+++ new/tls-1.3.7/Tests/Connection.hs   2016-05-08 07:10:23.000000000 +0200
@@ -32,6 +32,8 @@
         { bulkName      = "id"
         , bulkKeySize   = 16
         , bulkIVSize    = 16
+        , bulkExplicitIV= 0
+        , bulkAuthTagLen= 0
         , bulkBlockSize = 16
         , bulkF         = BulkBlockF $ \_ _ _ -> (\m -> (m, B.empty))
         }
@@ -61,6 +63,8 @@
         { bulkName      = "stream"
         , bulkKeySize   = 16
         , bulkIVSize    = 0
+        , bulkExplicitIV= 0
+        , bulkAuthTagLen= 0
         , bulkBlockSize = 0
         , bulkF         = BulkStreamF passThrough
         }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/Tests/PubKey.hs 
new/tls-1.3.7/Tests/PubKey.hs
--- old/tls-1.3.5/Tests/PubKey.hs       2016-04-09 15:47:25.000000000 +0200
+++ new/tls-1.3.7/Tests/PubKey.hs       2016-05-08 07:10:23.000000000 +0200
@@ -56,6 +56,7 @@
 dhParams = DH.Params
     { DH.params_p = 
0x00ccaa3884b50789ebea8d39bef8bbc66e20f2a78f537a76f26b4edde5de8b0ff15a8193abf0873cbdc701323a2bf6e860affa6e043fe8300d47e95baf9f6354cb
     , DH.params_g = 0x2
+    , DH.params_bits = 512
     }
 
 dsaParams :: DSA.Params
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tls-1.3.5/tls.cabal new/tls-1.3.7/tls.cabal
--- old/tls-1.3.5/tls.cabal     2016-04-09 15:47:25.000000000 +0200
+++ new/tls-1.3.7/tls.cabal     2016-05-08 07:10:23.000000000 +0200
@@ -1,5 +1,5 @@
 Name:                tls
-Version:             1.3.5
+Version:             1.3.7
 Description:
    Native Haskell TLS and SSL protocol implementation for server and client.
    .
@@ -41,14 +41,14 @@
 
 Library
   Build-Depends:     base >= 3 && < 5
-                   , mtl
+                   , mtl >= 2
                    , transformers
                    , cereal >= 0.4
                    , bytestring
                    , data-default-class
                    -- crypto related
                    , memory
-                   , cryptonite >= 0.14
+                   , cryptonite >= 0.15
                    -- certificate related
                    , asn1-types >= 0.2.0
                    , asn1-encoding
@@ -92,6 +92,7 @@
                      Network.TLS.Handshake.State
                      Network.TLS.Hooks
                      Network.TLS.IO
+                     Network.TLS.Imports
                      Network.TLS.MAC
                      Network.TLS.Measurement
                      Network.TLS.Packet

