hs-tls/Network/TLS/Receiving.hs

-- |
-- Module      : Network.TLS.Receiving
-- License     : BSD-style
-- Maintainer  : Vincent Hanquez <vincent@snarc.org>
-- Stability   : experimental
-- Portability : unknown
--
-- the Receiving module contains calls related to unmarshalling packets according
-- to the TLS state
--
module Network.TLS.Receiving (processHandshake, processPacket, processServerHello
                             , verifyRSA) where

import Control.Applicative ((<$>))
import Control.Monad.State
import Control.Monad.Error

import Data.ByteString (ByteString)
import qualified Data.ByteString as B

import Network.TLS.Util
import Network.TLS.Struct
import Network.TLS.Record
import Network.TLS.Packet
import Network.TLS.State
import Network.TLS.Cipher
import Network.TLS.Crypto
import Network.TLS.Extension
import Data.Certificate.X509

returnEither :: Either TLSError a -> TLSSt a
returnEither (Left err) = throwError err
returnEither (Right a)  = return a

processPacket :: Record Plaintext -> TLSSt Packet

processPacket (Record ProtocolType_AppData _ fragment) = return $ AppData $ fragmentGetBytes fragment

processPacket (Record ProtocolType_Alert _ fragment) = return . Alert =<< returnEither (decodeAlerts $ fragmentGetBytes fragment)

processPacket (Record ProtocolType_ChangeCipherSpec _ fragment) = do
        returnEither $ decodeChangeCipherSpec $ fragmentGetBytes fragment
        switchRxEncryption
        return ChangeCipherSpec

processPacket (Record ProtocolType_Handshake ver fragment) = do
        keyxchg <- getCipherKeyExchangeType
        npn <- getExtensionNPN
        let currentparams = CurrentParams
                { cParamsVersion     = ver
                , cParamsKeyXchgType = maybe CipherKeyExchange_RSA id $ keyxchg
                , cParamsSupportNPN  = npn
                }
        handshakes <- returnEither (decodeHandshakes $ fragmentGetBytes fragment)
        hss <- forM handshakes $ \(ty, content) -> do
                case decodeHandshake currentparams ty content of
                        Left err -> throwError err
                        Right hs -> return hs
        return $ Handshake hss

processHandshake :: Handshake -> TLSSt ()
processHandshake hs = do
        clientmode <- isClientContext
        case hs of
                ClientHello cver ran _ _ _ ex -> unless clientmode $ do
                        mapM_ processClientExtension ex
                        startHandshakeClient cver ran
                Certificates certs            -> processCertificates clientmode certs
                ClientKeyXchg content         -> unless clientmode $ do
                        processClientKeyXchg content
                HsNextProtocolNegotiation selected_protocol ->
                        unless clientmode $ do
                        setNegotiatedProtocol selected_protocol
                Finished fdata                -> processClientFinished fdata
                _                             -> return ()
        when (typeOfHandshake hs /= HandshakeType_HelloRequest) $ addHandshakeMessage $ encodeHandshake hs
        when (finishHandshakeTypeMaterial $ typeOfHandshake hs) (updateHandshakeDigest $ encodeHandshake hs)
        when (certVerifyHandshakeTypeMaterial $ typeOfHandshake hs) (updateCertVerifyDigest $ encodeHandshake hs)
        where
                -- secure renegotiation
                processClientExtension (0xff01, content) = do
                        v <- getVerifiedData True
                        let bs = extensionEncode (SecureRenegotiation v Nothing)
                        unless (bs `bytesEq` content) $ throwError $ Error_Protocol ("client verified data not matching: " ++ show v ++ ":" ++ show content, True, HandshakeFailure)

                        setSecureRenegotiation True
                -- unknown extensions
                processClientExtension _ = return ()

decryptRSA :: ByteString -> TLSSt (Either KxError ByteString)
decryptRSA econtent = do
        ver <- stVersion <$> get
        rsapriv <- fromJust "rsa private key" . hstRSAPrivateKey . fromJust "handshake" . stHandshake <$> get
        return $ kxDecrypt rsapriv (if ver < TLS10 then econtent else B.drop 2 econtent)

-- FIXME: Add support for different hash functions for TLS1.2
verifyRSA :: Maybe (ByteString -> ByteString, ByteString) -> ByteString -> ByteString -> TLSSt (Either KxError Bool)
verifyRSA hsh econtent sign = do
        rsapriv <- fromJust "rsa client public key" . hstRSAClientPublicKey . fromJust "handshake" . stHandshake <$> get
        return $ kxVerify rsapriv hsh econtent sign

processServerHello :: Handshake -> TLSSt ()
processServerHello (ServerHello sver ran _ _ _ ex) = do
        -- FIXME notify the user to take action if the extension requested is missing
        -- secreneg <- getSecureRenegotiation
        -- when (secreneg && (isNothing $ lookup 0xff01 ex)) $ ...
        mapM_ processServerExtension ex
        setServerRandom ran
        setVersion sver
        where
                processServerExtension (0xff01, content) = do
                        cv <- getVerifiedData True
                        sv <- getVerifiedData False
                        let bs = extensionEncode (SecureRenegotiation cv $ Just sv)
                        unless (bs `bytesEq` content) $ throwError $ Error_Protocol ("server secure renegotiation data not matching", True, HandshakeFailure)
                        return ()

                processServerExtension _ = return ()
processServerHello _ = error "processServerHello called on wrong type"

-- process the client key exchange message. the protocol expects the initial
-- client version received in ClientHello, not the negotiated version.
-- in case the version mismatch, generate a random master secret
processClientKeyXchg :: ByteString -> TLSSt ()
processClientKeyXchg encryptedPremaster = do
        expectedVer <- hstClientVersion . fromJust "handshake" . stHandshake <$> get
        random      <- genTLSRandom 48
        ePremaster  <- decryptRSA encryptedPremaster
        case ePremaster of
                Left _          -> setMasterSecretFromPre random
                Right premaster -> case decodePreMasterSecret premaster of
                        Left _                       -> setMasterSecretFromPre random
                        Right (ver, _)
                                | ver /= expectedVer -> setMasterSecretFromPre random
                                | otherwise          -> setMasterSecretFromPre premaster

processClientFinished :: FinishedData -> TLSSt ()
processClientFinished fdata = do
        cc <- stClientContext <$> get
        expected <- getHandshakeDigest (not cc)
        when (expected /= fdata) $ do
                throwError $ Error_Protocol("bad record mac", True, BadRecordMac)
        updateVerifiedData False fdata
        return ()

processCertificates :: Bool -> [X509] -> TLSSt ()
processCertificates clientmode certs = do
        if null certs 
         then when (clientmode) $
                 throwError $ Error_Protocol ("server certificate missing", True,
                                              HandshakeFailure)
         else do
          let (X509 mainCert _ _ _ _) = head certs
          case certPubKey mainCert of
                PubKeyRSA pubkey -> (if clientmode
                                     then setPublicKey
                                     else setClientPublicKey) (PubRSA pubkey)
                _                -> return ()
initial import 2010-09-09 21:47:19 +00:00			`-- \|`
			`-- Module : Network.TLS.Receiving`
			`-- License : BSD-style`
			`-- Maintainer : Vincent Hanquez <vincent@snarc.org>`
			`-- Stability : experimental`
			`-- Portability : unknown`
			`--`
			`-- the Receiving module contains calls related to unmarshalling packets according`
			`-- to the TLS state`
			`--`
Extend state to hold client private/public keys and add functions for signing and verifying with these keys. 2012-07-13 19:08:23 +00:00			`module Network.TLS.Receiving (processHandshake, processPacket, processServerHello`
			`, verifyRSA) where`
initial import 2010-09-09 21:47:19 +00:00
new state machine 2010-10-02 21:02:37 +00:00			`import Control.Applicative ((<$>))`
initial import 2010-09-09 21:47:19 +00:00			`import Control.Monad.State`
			`import Control.Monad.Error`

use strict bytestring instead of lazy bytestring. the API stays mostly similar except for clientkeyxchg that need a bytes instead of [word8]. remove lots of unnessary packing/unpacking when setting up ciphers. 2010-09-26 09:34:47 +00:00			`import Data.ByteString (ByteString)`
fix TLS key exchange with version >= 1.0. 2011-12-05 20:10:28 +00:00			`import qualified Data.ByteString as B`
initial import 2010-09-09 21:47:19 +00:00
get a util file for some bytestring stuff 2010-09-26 17:51:23 +00:00			`import Network.TLS.Util`
initial import 2010-09-09 21:47:19 +00:00			`import Network.TLS.Struct`
Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`import Network.TLS.Record`
initial import 2010-09-09 21:47:19 +00:00			`import Network.TLS.Packet`
			`import Network.TLS.State`
			`import Network.TLS.Cipher`
			`import Network.TLS.Crypto`
move extension decoding and encoding in a separate file. 2012-05-14 05:39:20 +00:00			`import Network.TLS.Extension`
initial import 2010-09-09 21:47:19 +00:00			`import Data.Certificate.X509`

simplify state manipulation separate the pure state manipulation from the monad doing the IO. add some duplicate helpers to use the new monad. 2011-03-01 20:01:40 +00:00			`returnEither :: Either TLSError a -> TLSSt a`
initial import 2010-09-09 21:47:19 +00:00			`returnEither (Left err) = throwError err`
			`returnEither (Right a) = return a`

Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`processPacket :: Record Plaintext -> TLSSt Packet`
initial import 2010-09-09 21:47:19 +00:00
Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`processPacket (Record ProtocolType_AppData _ fragment) = return $ AppData $ fragmentGetBytes fragment`
refactorize receiving packet thing 2010-10-02 08:09:46 +00:00
Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`processPacket (Record ProtocolType_Alert _ fragment) = return . Alert =<< returnEither (decodeAlerts $ fragmentGetBytes fragment)`
refactorize receiving packet thing 2010-10-02 08:09:46 +00:00
Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`processPacket (Record ProtocolType_ChangeCipherSpec _ fragment) = do`
expand tabs. 2012-03-27 07:57:51 +00:00			`returnEither $ decodeChangeCipherSpec $ fragmentGetBytes fragment`
			`switchRxEncryption`
			`return ChangeCipherSpec`
initial import 2010-09-09 21:47:19 +00:00
Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`processPacket (Record ProtocolType_Handshake ver fragment) = do`
expand tabs. 2012-03-27 07:57:51 +00:00			`keyxchg <- getCipherKeyExchangeType`
Use callback instead of static state for supported NPN protocols. onSuggestNextProtocols in TLSParams. Expose getNegotiatedProtocol to users. Fix condition for when to understand NPN messages. 2012-02-12 18:59:19 +00:00			`npn <- getExtensionNPN`
expand tabs. 2012-03-27 07:57:51 +00:00			`let currentparams = CurrentParams`
			`{ cParamsVersion = ver`
			`, cParamsKeyXchgType = maybe CipherKeyExchange_RSA id $ keyxchg`
			`, cParamsSupportNPN = npn`
			`}`
			`handshakes <- returnEither (decodeHandshakes $ fragmentGetBytes fragment)`
			`hss <- forM handshakes $ \(ty, content) -> do`
			`case decodeHandshake currentparams ty content of`
			`Left err -> throwError err`
			`Right hs -> return hs`
			`return $ Handshake hss`
handle digest update after processing the packet 2011-12-01 08:42:43 +00:00
			`processHandshake :: Handshake -> TLSSt ()`
			`processHandshake hs = do`
expand tabs. 2012-03-27 07:57:51 +00:00			`clientmode <- isClientContext`
			`case hs of`
			`ClientHello cver ran _ _ _ ex -> unless clientmode $ do`
			`mapM_ processClientExtension ex`
			`startHandshakeClient cver ran`
Store public key from client certificate in server mode. 2012-07-13 19:33:45 +00:00			`Certificates certs -> processCertificates clientmode certs`
expand tabs. 2012-03-27 07:57:51 +00:00			`ClientKeyXchg content -> unless clientmode $ do`
			`processClientKeyXchg content`
rename NextProtocolNegotiation as HsNextProtocolNegotiation 2012-05-14 05:35:55 +00:00			`HsNextProtocolNegotiation selected_protocol ->`
Partial, but working, implementation of serverside NPN. 2012-02-08 09:20:28 +00:00			`unless clientmode $ do`
Use callback instead of static state for supported NPN protocols. onSuggestNextProtocols in TLSParams. Expose getNegotiatedProtocol to users. Fix condition for when to understand NPN messages. 2012-02-12 18:59:19 +00:00			`setNegotiatedProtocol selected_protocol`
expand tabs. 2012-03-27 07:57:51 +00:00			`Finished fdata -> processClientFinished fdata`
			`_ -> return ()`
Fix encoding of CertRequest, so that encoding and decoding are inverses. 2012-07-17 15:33:11 +00:00			`when (typeOfHandshake hs /= HandshakeType_HelloRequest) $ addHandshakeMessage $ encodeHandshake hs`
expand tabs. 2012-03-27 07:57:51 +00:00			`when (finishHandshakeTypeMaterial $ typeOfHandshake hs) (updateHandshakeDigest $ encodeHandshake hs)`
Separate finish from certificate verify digests. Will make it easier to support TLS1.2. 2012-07-16 14:19:48 +00:00			`when (certVerifyHandshakeTypeMaterial $ typeOfHandshake hs) (updateCertVerifyDigest $ encodeHandshake hs)`
expand tabs. 2012-03-27 07:57:51 +00:00			`where`
			`-- secure renegotiation`
			`processClientExtension (0xff01, content) = do`
			`v <- getVerifiedData True`
move extension decoding and encoding in a separate file. 2012-05-14 05:39:20 +00:00			`let bs = extensionEncode (SecureRenegotiation v Nothing)`
[SECURITY] use constant equality testing to prevent timing determination of the expected value. it doesn't seems to be in an usable context though. 2012-05-14 05:32:14 +00:00			unless (bs `bytesEq` content) $ throwError $ Error_Protocol ("client verified data not matching: " ++ show v ++ ":" ++ show content, True, HandshakeFailure)
move extension decoding and encoding in a separate file. 2012-05-14 05:39:20 +00:00
expand tabs. 2012-03-27 07:57:51 +00:00			`setSecureRenegotiation True`
			`-- unknown extensions`
			`processClientExtension _ = return ()`
misc change and start to trickle through the support for secure renegotiation 2011-06-07 07:13:43 +00:00
trivial code movement for decryptRSA 2011-12-20 07:47:46 +00:00			`decryptRSA :: ByteString -> TLSSt (Either KxError ByteString)`
			`decryptRSA econtent = do`
expand tabs. 2012-03-27 07:57:51 +00:00			`ver <- stVersion <$> get`
			`rsapriv <- fromJust "rsa private key" . hstRSAPrivateKey . fromJust "handshake" . stHandshake <$> get`
			`return $ kxDecrypt rsapriv (if ver < TLS10 then econtent else B.drop 2 econtent)`
trivial code movement for decryptRSA 2011-12-20 07:47:46 +00:00
Add comments and FIXMEs. 2012-07-14 14:49:46 +00:00			`-- FIXME: Add support for different hash functions for TLS1.2`
Start client certificate support for TLS1.2. Add some checks for matching cert types, sig/hash algorithms, etc. Remove some obsolete FIXMEs and comments. 2012-07-18 20:19:11 +00:00			`verifyRSA :: Maybe (ByteString -> ByteString, ByteString) -> ByteString -> ByteString -> TLSSt (Either KxError Bool)`
			`verifyRSA hsh econtent sign = do`
Extend state to hold client private/public keys and add functions for signing and verifying with these keys. 2012-07-13 19:08:23 +00:00			`rsapriv <- fromJust "rsa client public key" . hstRSAClientPublicKey . fromJust "handshake" . stHandshake <$> get`
Start client certificate support for TLS1.2. Add some checks for matching cert types, sig/hash algorithms, etc. Remove some obsolete FIXMEs and comments. 2012-07-18 20:19:11 +00:00			`return $ kxVerify rsapriv hsh econtent sign`
Extend state to hold client private/public keys and add functions for signing and verifying with these keys. 2012-07-13 19:08:23 +00:00
switch client to process Server hello explicitely. also switch everything properly when receiving a server hello with session. 2011-12-20 07:46:40 +00:00			`processServerHello :: Handshake -> TLSSt ()`
			`processServerHello (ServerHello sver ran _ _ _ ex) = do`
expand tabs. 2012-03-27 07:57:51 +00:00			`-- FIXME notify the user to take action if the extension requested is missing`
			`-- secreneg <- getSecureRenegotiation`
			`-- when (secreneg && (isNothing $ lookup 0xff01 ex)) $ ...`
			`mapM_ processServerExtension ex`
			`setServerRandom ran`
			`setVersion sver`
			`where`
			`processServerExtension (0xff01, content) = do`
			`cv <- getVerifiedData True`
			`sv <- getVerifiedData False`
move extension decoding and encoding in a separate file. 2012-05-14 05:39:20 +00:00			`let bs = extensionEncode (SecureRenegotiation cv $ Just sv)`
[SECURITY] use constant equality testing to prevent timing determination of the expected value. it doesn't seems to be in an usable context though. 2012-05-14 05:32:14 +00:00			unless (bs `bytesEq` content) $ throwError $ Error_Protocol ("server secure renegotiation data not matching", True, HandshakeFailure)
expand tabs. 2012-03-27 07:57:51 +00:00			`return ()`

			`processServerExtension _ = return ()`
switch client to process Server hello explicitely. also switch everything properly when receiving a server hello with session. 2011-12-20 07:46:40 +00:00			`processServerHello _ = error "processServerHello called on wrong type"`
initial import 2010-09-09 21:47:19 +00:00
refactor processclientkeyxchg 2011-04-24 10:34:11 +00:00			`-- process the client key exchange message. the protocol expects the initial`
Fix spelling of negotiate/negotiation in documentation 2012-03-10 21:04:44 +00:00			`-- client version received in ClientHello, not the negotiated version.`
refactor processclientkeyxchg 2011-04-24 10:34:11 +00:00			`-- in case the version mismatch, generate a random master secret`
consider clientkeyxchg as an opaque structure in internal layers, and make/process the content in higher layer. 2011-12-01 08:41:01 +00:00			`processClientKeyXchg :: ByteString -> TLSSt ()`
			`processClientKeyXchg encryptedPremaster = do`
expand tabs. 2012-03-27 07:57:51 +00:00			`expectedVer <- hstClientVersion . fromJust "handshake" . stHandshake <$> get`
			`random <- genTLSRandom 48`
			`ePremaster <- decryptRSA encryptedPremaster`
			`case ePremaster of`
			`Left _ -> setMasterSecretFromPre random`
			`Right premaster -> case decodePreMasterSecret premaster of`
			`Left _ -> setMasterSecretFromPre random`
			`Right (ver, _)`
			`\| ver /= expectedVer -> setMasterSecretFromPre random`
			`\| otherwise -> setMasterSecretFromPre premaster`
initial import 2010-09-09 21:47:19 +00:00
simplify state manipulation separate the pure state manipulation from the monad doing the IO. add some duplicate helpers to use the new monad. 2011-03-01 20:01:40 +00:00			`processClientFinished :: FinishedData -> TLSSt ()`
initial import 2010-09-09 21:47:19 +00:00			`processClientFinished fdata = do`
expand tabs. 2012-03-27 07:57:51 +00:00			`cc <- stClientContext <$> get`
			`expected <- getHandshakeDigest (not cc)`
			`when (expected /= fdata) $ do`
			`throwError $ Error_Protocol("bad record mac", True, BadRecordMac)`
			`updateVerifiedData False fdata`
			`return ()`
initial import 2010-09-09 21:47:19 +00:00
Store public key from client certificate in server mode. 2012-07-13 19:33:45 +00:00			`processCertificates :: Bool -> [X509] -> TLSSt ()`
			`processCertificates clientmode certs = do`
Accept empty client certificate list. Will error on verification. 2012-07-13 20:29:36 +00:00			`if null certs`
			`then when (clientmode) $`
			`throwError $ Error_Protocol ("server certificate missing", True,`
			`HandshakeFailure)`
			`else do`
			`let (X509 mainCert _ _ _ _) = head certs`
			`case certPubKey mainCert of`
Store public key from client certificate in server mode. 2012-07-13 19:33:45 +00:00			`PubKeyRSA pubkey -> (if clientmode`
			`then setPublicKey`
			`else setClientPublicKey) (PubRSA pubkey)`
expand tabs. 2012-03-27 07:57:51 +00:00			`_ -> return ()`