hs-tls/Network/TLS/Sending.hs

-- |
-- Module      : Network.TLS.Sending
-- License     : BSD-style
-- Maintainer  : Vincent Hanquez <vincent@snarc.org>
-- Stability   : experimental
-- Portability : unknown
--
-- the Sending module contains calls related to marshalling packets according
-- to the TLS state 
--
module Network.TLS.Sending (
	writePacket
	) where

import Control.Applicative ((<$>))
import Control.Monad.State

import Data.ByteString (ByteString)
import qualified Data.ByteString as B

import Network.TLS.Util
import Network.TLS.Cap
import Network.TLS.Wire
import Network.TLS.Struct
import Network.TLS.Record
import Network.TLS.Packet
import Network.TLS.State
import Network.TLS.Cipher
import Network.TLS.Compression
import Network.TLS.Crypto

{-
 - 'makePacketData' create a Header and a content bytestring related to a packet
 - this doesn't change any state
 -}
makeRecord :: Packet -> TLSSt (Record Plaintext)
makeRecord pkt = do
	ver <- stVersion <$> get
	content <- writePacketContent pkt
	return $ Record (packetType pkt) ver (fragmentPlaintext content)

{-
 - Handshake data need to update a digest
 -}
processRecord :: Record Plaintext -> TLSSt (Record Plaintext)
processRecord record@(Record ty _ fragment) = do
	when (ty == ProtocolType_Handshake) (updateHandshakeDigest $ fragmentGetBytes fragment)
	return record

compressRecord :: Record Plaintext -> TLSSt (Record Compressed)
compressRecord record =
	onRecordFragment record $ fragmentCompress $ \bytes -> do
		withCompression $ compressionDeflate bytes

{-
 - when Tx Encrypted is set, we pass the data through encryptContent, otherwise
 - we just return the packet
 -}
encryptRecord :: Record Compressed -> TLSSt (Record Ciphertext)
encryptRecord record = onRecordFragment record $ fragmentCipher $ \bytes -> do
	st <- get
	if stTxEncrypted st
		then encryptContent record bytes
		else return bytes

{-
 - ChangeCipherSpec state change need to be handled after encryption otherwise
 - its own packet would be encrypted with the new context, instead of beeing sent
 - under the current context
 -}
postprocessRecord :: Record Ciphertext -> TLSSt (Record Ciphertext)
postprocessRecord record@(Record ProtocolType_ChangeCipherSpec _ _) =
	switchTxEncryption >> isClientContext >>= \cc -> when cc setKeyBlock >> return record
postprocessRecord record = return record

{-
 - marshall packet data
 -}
encodeRecord :: Record Ciphertext -> TLSSt ByteString
encodeRecord record = return $ B.concat [ encodeHeader hdr, content ]
	where (hdr, content) = recordToRaw record

{-
 - just update TLS state machine
 -}
preProcessPacket :: Packet -> TLSSt ()
preProcessPacket (Alert _)          = return ()
preProcessPacket (AppData _)        = return ()
preProcessPacket (ChangeCipherSpec) = updateStatusCC True >> return () -- FIXME don't ignore this error just in case
preProcessPacket (Handshake hss)    = forM_ hss $ \hs -> do
	-- FIXME don't ignore this error
	_ <- updateStatusHs (typeOfHandshake hs)
	case hs of
		Finished fdata -> updateVerifiedData True fdata
		_              -> return ()

{-
 - writePacket transform a packet into marshalled data related to current state
 - and updating state on the go
 -}
writePacket :: Packet -> TLSSt ByteString
writePacket pkt = do
	preProcessPacket pkt
	makeRecord pkt >>= processRecord >>= compressRecord >>= encryptRecord >>= postprocessRecord >>= encodeRecord

{------------------------------------------------------------------------------}
{- SENDING Helpers                                                            -}
{------------------------------------------------------------------------------}

{- if the RSA encryption fails we just return an empty bytestring, and let the protocol
 - fail by itself; however it would be probably better to just report it since it's an internal problem.
 -}
encryptRSA :: ByteString -> TLSSt ByteString
encryptRSA content = do
	st <- get
	let rsakey = fromJust "rsa public key" $ hstRSAPublicKey $ fromJust "handshake" $ stHandshake st
	case withTLSRNG (stRandomGen st) (\g -> kxEncrypt g rsakey content) of
		Left err               -> fail ("rsa encrypt failed: " ++ show err)
		Right (econtent, rng') -> put (st { stRandomGen = rng' }) >> return econtent

encryptContent :: Record Compressed -> ByteString -> TLSSt ByteString
encryptContent record content = do
	digest <- makeDigest True (recordToHeader record) content
	encryptData $ B.concat [content, digest]

encryptData :: ByteString -> TLSSt ByteString
encryptData content = do
	st <- get

	let cipher = fromJust "cipher" $ stCipher st
	let bulk = cipherBulk cipher
	let cst = fromJust "tx crypt state" $ stTxCryptState st
	let padding_size = fromIntegral $ cipherPaddingSize cipher

	let msg_len = B.length content
	let padding = if padding_size > 0
		then
			let padbyte = padding_size - (msg_len `mod` padding_size) in
			let padbyte' = if padbyte == 0 then padding_size else padbyte in
			B.replicate padbyte' (fromIntegral (padbyte' - 1))
		else
			B.empty
	let writekey = cstKey cst

	case cipherF bulk of
		CipherNoneF -> return content
		CipherBlockF encrypt _ -> do
			-- before TLS 1.1, the block cipher IV is made of the residual of the previous block.
			iv <- if hasExplicitBlockIV $ stVersion st
				then genTLSRandom (fromIntegral $ cipherIVSize bulk)
				else return $ cstIV cst
			let e = encrypt writekey iv (B.concat [ content, padding ])
			if hasExplicitBlockIV $ stVersion st
				then return $ B.concat [iv,e]
				else do
					let newiv = fromJust "new iv" $ takelast (fromIntegral $ cipherIVSize bulk) e
					put $ st { stTxCryptState = Just $ cst { cstIV = newiv } }
					return e
		CipherStreamF initF encryptF _ -> do
			let iv = cstIV cst
			let (e, newiv) = encryptF (if iv /= B.empty then iv else initF writekey) content
			put $ st { stTxCryptState = Just $ cst { cstIV = newiv } }
			return e

writePacketContent :: Packet -> TLSSt ByteString
writePacketContent (Handshake hss) = return . B.concat =<< mapM makeContent hss where
	makeContent hs@(ClientKeyXchg _ _) = do
		ver <- get >>= return . stVersion
		let premastersecret = runPut $ encodeHandshakeContent hs
		setMasterSecret premastersecret
		econtent <- encryptRSA premastersecret

		let extralength =
			if ver < TLS10
			then B.empty
			else runPut $ putWord16 $ fromIntegral $ B.length econtent
		let hdr = runPut $ encodeHandshakeHeader (typeOfHandshake hs)
							 (fromIntegral (B.length econtent + B.length extralength))
		return $ B.concat [hdr, extralength, econtent]
	makeContent hs = return $ encodeHandshakes [hs]

writePacketContent (Alert a)          = return $ encodeAlerts a
writePacketContent (ChangeCipherSpec) = return $ encodeChangeCipherSpec
writePacketContent (AppData x)        = return x
initial import 2010-09-09 21:47:19 +00:00			`-- \|`
			`-- Module : Network.TLS.Sending`
			`-- License : BSD-style`
			`-- Maintainer : Vincent Hanquez <vincent@snarc.org>`
			`-- Stability : experimental`
			`-- Portability : unknown`
			`--`
			`-- the Sending module contains calls related to marshalling packets according`
			`-- to the TLS state`
			`--`
			`module Network.TLS.Sending (`
			`writePacket`
			`) where`

Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`import Control.Applicative ((<$>))`
initial import 2010-09-09 21:47:19 +00:00			`import Control.Monad.State`

use strict bytestring instead of lazy bytestring. the API stays mostly similar except for clientkeyxchg that need a bytes instead of [word8]. remove lots of unnessary packing/unpacking when setting up ciphers. 2010-09-26 09:34:47 +00:00			`import Data.ByteString (ByteString)`
initial import 2010-09-09 21:47:19 +00:00			`import qualified Data.ByteString as B`

get a util file for some bytestring stuff 2010-09-26 17:51:23 +00:00			`import Network.TLS.Util`
support TLS1.1 explicit block IV despite the fact that it works, it's missing a step at key block set time, so that we don't use the computed IV, but use a random generated one seeded by the computed IV. 2010-09-26 13:57:35 +00:00			`import Network.TLS.Cap`
use strict bytestring instead of lazy bytestring. the API stays mostly similar except for clientkeyxchg that need a bytes instead of [word8]. remove lots of unnessary packing/unpacking when setting up ciphers. 2010-09-26 09:34:47 +00:00			`import Network.TLS.Wire`
initial import 2010-09-09 21:47:19 +00:00			`import Network.TLS.Struct`
Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`import Network.TLS.Record`
initial import 2010-09-09 21:47:19 +00:00			`import Network.TLS.Packet`
			`import Network.TLS.State`
			`import Network.TLS.Cipher`
Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`import Network.TLS.Compression`
initial import 2010-09-09 21:47:19 +00:00			`import Network.TLS.Crypto`

			`{-`
			`- 'makePacketData' create a Header and a content bytestring related to a packet`
			`- this doesn't change any state`
			`-}`
Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`makeRecord :: Packet -> TLSSt (Record Plaintext)`
			`makeRecord pkt = do`
			`ver <- stVersion <$> get`
initial import 2010-09-09 21:47:19 +00:00			`content <- writePacketContent pkt`
Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`return $ Record (packetType pkt) ver (fragmentPlaintext content)`
initial import 2010-09-09 21:47:19 +00:00
			`{-`
			`- Handshake data need to update a digest`
			`-}`
Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`processRecord :: Record Plaintext -> TLSSt (Record Plaintext)`
			`processRecord record@(Record ty _ fragment) = do`
			`when (ty == ProtocolType_Handshake) (updateHandshakeDigest $ fragmentGetBytes fragment)`
			`return record`

			`compressRecord :: Record Plaintext -> TLSSt (Record Compressed)`
			`compressRecord record =`
			`onRecordFragment record $ fragmentCompress $ \bytes -> do`
			`withCompression $ compressionDeflate bytes`
initial import 2010-09-09 21:47:19 +00:00
			`{-`
			`- when Tx Encrypted is set, we pass the data through encryptContent, otherwise`
			`- we just return the packet`
			`-}`
Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`encryptRecord :: Record Compressed -> TLSSt (Record Ciphertext)`
			`encryptRecord record = onRecordFragment record $ fragmentCipher $ \bytes -> do`
simplify state manipulation separate the pure state manipulation from the monad doing the IO. add some duplicate helpers to use the new monad. 2011-03-01 20:01:40 +00:00			`st <- get`
initial import 2010-09-09 21:47:19 +00:00			`if stTxEncrypted st`
Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`then encryptContent record bytes`
			`else return bytes`
initial import 2010-09-09 21:47:19 +00:00
			`{-`
			`- ChangeCipherSpec state change need to be handled after encryption otherwise`
			`- its own packet would be encrypted with the new context, instead of beeing sent`
			`- under the current context`
			`-}`
Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`postprocessRecord :: Record Ciphertext -> TLSSt (Record Ciphertext)`
			`postprocessRecord record@(Record ProtocolType_ChangeCipherSpec _ _) =`
			`switchTxEncryption >> isClientContext >>= \cc -> when cc setKeyBlock >> return record`
			`postprocessRecord record = return record`
initial import 2010-09-09 21:47:19 +00:00
			`{-`
			`- marshall packet data`
			`-}`
Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`encodeRecord :: Record Ciphertext -> TLSSt ByteString`
			`encodeRecord record = return $ B.concat [ encodeHeader hdr, content ]`
			`where (hdr, content) = recordToRaw record`
initial import 2010-09-09 21:47:19 +00:00
new state machine 2010-10-02 21:02:37 +00:00			`{-`
			`- just update TLS state machine`
			`-}`
reflect the fact in types that the record layer record returns list of same header type. 2011-06-10 20:24:46 +00:00			`preProcessPacket :: Packet -> TLSSt ()`
			`preProcessPacket (Alert _) = return ()`
			`preProcessPacket (AppData _) = return ()`
			`preProcessPacket (ChangeCipherSpec) = updateStatusCC True >> return () -- FIXME don't ignore this error just in case`
			`preProcessPacket (Handshake hss) = forM_ hss $ \hs -> do`
			`-- FIXME don't ignore this error`
			`_ <- updateStatusHs (typeOfHandshake hs)`
			`case hs of`
			`Finished fdata -> updateVerifiedData True fdata`
			`_ -> return ()`
initial import 2010-09-09 21:47:19 +00:00
			`{-`
			`- writePacket transform a packet into marshalled data related to current state`
			`- and updating state on the go`
			`-}`
simplify state manipulation separate the pure state manipulation from the monad doing the IO. add some duplicate helpers to use the new monad. 2011-03-01 20:01:40 +00:00			`writePacket :: Packet -> TLSSt ByteString`
Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`writePacket pkt = do`
			`preProcessPacket pkt`
			`makeRecord pkt >>= processRecord >>= compressRecord >>= encryptRecord >>= postprocessRecord >>= encodeRecord`
initial import 2010-09-09 21:47:19 +00:00
			`{------------------------------------------------------------------------------}`
			`{- SENDING Helpers -}`
			`{------------------------------------------------------------------------------}`

			`{- if the RSA encryption fails we just return an empty bytestring, and let the protocol`
			`- fail by itself; however it would be probably better to just report it since it's an internal problem.`
			`-}`
simplify state manipulation separate the pure state manipulation from the monad doing the IO. add some duplicate helpers to use the new monad. 2011-03-01 20:01:40 +00:00			`encryptRSA :: ByteString -> TLSSt ByteString`
initial import 2010-09-09 21:47:19 +00:00			`encryptRSA content = do`
simplify state manipulation separate the pure state manipulation from the monad doing the IO. add some duplicate helpers to use the new monad. 2011-03-01 20:01:40 +00:00			`st <- get`
add a dedicated fromJust compared to the normal fromJust, it take an extra string to report what kind of fromJust we were doing. it's quite valuable when shuffling code and assertion break. at some point, it need to be removed completely in favor of better types that better reflect the actual state on the connection. 2011-02-20 08:37:19 +00:00			`let rsakey = fromJust "rsa public key" $ hstRSAPublicKey $ fromJust "handshake" $ stHandshake st`
Remove the hardcoded srandomgen in favor of any cryptorandomgen instance. srandomgen is available separately in the cprng-aes package as Crypto.Random.AESCtr 2011-04-11 18:54:21 +00:00			`case withTLSRNG (stRandomGen st) (\g -> kxEncrypt g rsakey content) of`
			`Left err -> fail ("rsa encrypt failed: " ++ show err)`
			`Right (econtent, rng') -> put (st { stRandomGen = rng' }) >> return econtent`
initial import 2010-09-09 21:47:19 +00:00
Create a record type to help type safety 2011-08-12 17:41:49 +00:00			`encryptContent :: Record Compressed -> ByteString -> TLSSt ByteString`
			`encryptContent record content = do`
			`digest <- makeDigest True (recordToHeader record) content`
			`encryptData $ B.concat [content, digest]`
initial import 2010-09-09 21:47:19 +00:00
simplify state manipulation separate the pure state manipulation from the monad doing the IO. add some duplicate helpers to use the new monad. 2011-03-01 20:01:40 +00:00			`encryptData :: ByteString -> TLSSt ByteString`
initial import 2010-09-09 21:47:19 +00:00			`encryptData content = do`
simplify state manipulation separate the pure state manipulation from the monad doing the IO. add some duplicate helpers to use the new monad. 2011-03-01 20:01:40 +00:00			`st <- get`
initial import 2010-09-09 21:47:19 +00:00
add a dedicated fromJust compared to the normal fromJust, it take an extra string to report what kind of fromJust we were doing. it's quite valuable when shuffling code and assertion break. at some point, it need to be removed completely in favor of better types that better reflect the actual state on the connection. 2011-02-20 08:37:19 +00:00			`let cipher = fromJust "cipher" $ stCipher st`
introduce a bulk object to separate the cipher object creation by chunks limit code movement by reusing the same name 2011-08-13 10:06:23 +00:00			`let bulk = cipherBulk cipher`
add a dedicated fromJust compared to the normal fromJust, it take an extra string to report what kind of fromJust we were doing. it's quite valuable when shuffling code and assertion break. at some point, it need to be removed completely in favor of better types that better reflect the actual state on the connection. 2011-02-20 08:37:19 +00:00			`let cst = fromJust "tx crypt state" $ stTxCryptState st`
initial import 2010-09-09 21:47:19 +00:00			`let padding_size = fromIntegral $ cipherPaddingSize cipher`

use strict bytestring instead of lazy bytestring. the API stays mostly similar except for clientkeyxchg that need a bytes instead of [word8]. remove lots of unnessary packing/unpacking when setting up ciphers. 2010-09-26 09:34:47 +00:00			`let msg_len = B.length content`
initial import 2010-09-09 21:47:19 +00:00			`let padding = if padding_size > 0`
			`then`
			let padbyte = padding_size - (msg_len `mod` padding_size) in
			`let padbyte' = if padbyte == 0 then padding_size else padbyte in`
use strict bytestring instead of lazy bytestring. the API stays mostly similar except for clientkeyxchg that need a bytes instead of [word8]. remove lots of unnessary packing/unpacking when setting up ciphers. 2010-09-26 09:34:47 +00:00			`B.replicate padbyte' (fromIntegral (padbyte' - 1))`
initial import 2010-09-09 21:47:19 +00:00			`else`
use strict bytestring instead of lazy bytestring. the API stays mostly similar except for clientkeyxchg that need a bytes instead of [word8]. remove lots of unnessary packing/unpacking when setting up ciphers. 2010-09-26 09:34:47 +00:00			`B.empty`
			`let writekey = cstKey cst`
initial import 2010-09-09 21:47:19 +00:00
introduce a bulk object to separate the cipher object creation by chunks limit code movement by reusing the same name 2011-08-13 10:06:23 +00:00			`case cipherF bulk of`
add support for ciphers without encryption. 2011-01-05 09:20:33 +00:00			`CipherNoneF -> return content`
initial import 2010-09-09 21:47:19 +00:00			`CipherBlockF encrypt _ -> do`
[SECURITY] fix TLS1.1 block cipher IV usage. In TLS1.1 and above, the IV is explicitely carried to the other side and is generated from random. It doesn't come from the CBC residue. 2011-05-13 07:10:13 +00:00			`-- before TLS 1.1, the block cipher IV is made of the residual of the previous block.`
			`iv <- if hasExplicitBlockIV $ stVersion st`
introduce a bulk object to separate the cipher object creation by chunks limit code movement by reusing the same name 2011-08-13 10:06:23 +00:00			`then genTLSRandom (fromIntegral $ cipherIVSize bulk)`
[SECURITY] fix TLS1.1 block cipher IV usage. In TLS1.1 and above, the IV is explicitely carried to the other side and is generated from random. It doesn't come from the CBC residue. 2011-05-13 07:10:13 +00:00			`else return $ cstIV cst`
use strict bytestring instead of lazy bytestring. the API stays mostly similar except for clientkeyxchg that need a bytes instead of [word8]. remove lots of unnessary packing/unpacking when setting up ciphers. 2010-09-26 09:34:47 +00:00			`let e = encrypt writekey iv (B.concat [ content, padding ])`
[SECURITY] fix TLS1.1 block cipher IV usage. In TLS1.1 and above, the IV is explicitely carried to the other side and is generated from random. It doesn't come from the CBC residue. 2011-05-13 07:10:13 +00:00			`if hasExplicitBlockIV $ stVersion st`
			`then return $ B.concat [iv,e]`
			`else do`
introduce a bulk object to separate the cipher object creation by chunks limit code movement by reusing the same name 2011-08-13 10:06:23 +00:00			`let newiv = fromJust "new iv" $ takelast (fromIntegral $ cipherIVSize bulk) e`
[SECURITY] fix TLS1.1 block cipher IV usage. In TLS1.1 and above, the IV is explicitely carried to the other side and is generated from random. It doesn't come from the CBC residue. 2011-05-13 07:10:13 +00:00			`put $ st { stTxCryptState = Just $ cst { cstIV = newiv } }`
			`return e`
initial import 2010-09-09 21:47:19 +00:00			`CipherStreamF initF encryptF _ -> do`
support TLS1.1 explicit block IV despite the fact that it works, it's missing a step at key block set time, so that we don't use the computed IV, but use a random generated one seeded by the computed IV. 2010-09-26 13:57:35 +00:00			`let iv = cstIV cst`
initial import 2010-09-09 21:47:19 +00:00			`let (e, newiv) = encryptF (if iv /= B.empty then iv else initF writekey) content`
simplify state manipulation separate the pure state manipulation from the monad doing the IO. add some duplicate helpers to use the new monad. 2011-03-01 20:01:40 +00:00			`put $ st { stTxCryptState = Just $ cst { cstIV = newiv } }`
initial import 2010-09-09 21:47:19 +00:00			`return e`

simplify state manipulation separate the pure state manipulation from the monad doing the IO. add some duplicate helpers to use the new monad. 2011-03-01 20:01:40 +00:00			`writePacketContent :: Packet -> TLSSt ByteString`
reflect the fact in types that the record layer record returns list of same header type. 2011-06-10 20:24:46 +00:00			`writePacketContent (Handshake hss) = return . B.concat =<< mapM makeContent hss where`
			`makeContent hs@(ClientKeyXchg _ _) = do`
			`ver <- get >>= return . stVersion`
			`let premastersecret = runPut $ encodeHandshakeContent hs`
			`setMasterSecret premastersecret`
			`econtent <- encryptRSA premastersecret`

			`let extralength =`
			`if ver < TLS10`
			`then B.empty`
			`else runPut $ putWord16 $ fromIntegral $ B.length econtent`
			`let hdr = runPut $ encodeHandshakeHeader (typeOfHandshake hs)`
			`(fromIntegral (B.length econtent + B.length extralength))`
			`return $ B.concat [hdr, extralength, econtent]`
			`makeContent hs = return $ encodeHandshakes [hs]`

			`writePacketContent (Alert a) = return $ encodeAlerts a`
			`writePacketContent (ChangeCipherSpec) = return $ encodeChangeCipherSpec`
			`writePacketContent (AppData x) = return x`