yogsototh/hs-tls
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
hs-tls/Stunnel.hs

262 lines
8.3 KiB
Haskell
Raw Normal View History

use cmdargs in stunnel instead of GetArgs prepare options for the implementation of an actual stunnel program, where data are relayed from encrypted to normal connection and vice versa.
2010-11-28 11:37:36 +00:00
{-# LANGUAGE DeriveDataTypeable #-}
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
import Network.BSD
import Network.Socket
initial import
2010-09-09 21:47:19 +00:00
import System.IO
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
import System.IO.Error hiding (try)
use cmdargs in stunnel instead of GetArgs prepare options for the implementation of an actual stunnel program, where data are relayed from encrypted to normal connection and vice versa.
2010-11-28 11:37:36 +00:00
import System.Console.CmdArgs
tidy up imports
2010-09-19 09:50:37 +00:00
initial import
2010-09-09 21:47:19 +00:00
import qualified Data.ByteString as B
import qualified Data.ByteString.Lazy as L
tidy up imports
2010-09-19 09:50:37 +00:00
import Control.Concurrent (forkIO)
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
import Control.Exception (finally, try, throw)
import Control.Monad (when, forever)
tidy up imports
2010-09-19 09:50:37 +00:00
import Control.Monad.Trans (lift)
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
import Data.Char (isDigit)
tidy up imports
2010-09-19 09:50:37 +00:00
initial import
2010-09-09 21:47:19 +00:00
import Data.Certificate.PEM
import Data.Certificate.X509
move to certificate 0.5
2011-01-02 09:49:21 +00:00
import qualified Data.Certificate.KeyRSA as KeyRSA
initial import
2010-09-09 21:47:19 +00:00
tidy up imports
2010-09-19 09:50:37 +00:00
import Network.TLS.Cipher
import Network.TLS.SRandom
import Network.TLS.Struct
import qualified Network.TLS.Client as C
import qualified Network.TLS.Server as S
initial import
2010-09-09 21:47:19 +00:00
ciphers :: [Cipher]
ciphers =
[ cipher_AES128_SHA1
, cipher_AES256_SHA1
, cipher_RC4_128_MD5
, cipher_RC4_128_SHA1
]
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
loopUntil :: Monad m => m Bool -> m ()
loopUntil f = f >>= \v -> if v then return () else loopUntil f
initial import
2010-09-09 21:47:19 +00:00
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
readOne h = do
r <- try $ hWaitForInput h (-1)
case r of
Left err -> if isEOFError err then return B.empty else throw err
Right True -> B.hGetNonBlocking h 4096
Right False -> return B.empty
initial import
2010-09-09 21:47:19 +00:00
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
tlsclient :: Handle -> Handle -> C.TLSClient IO ()
tlsclient srchandle dsthandle = do
lift $ hSetBuffering dsthandle NoBuffering
lift $ hSetBuffering srchandle NoBuffering
initial import
2010-09-09 21:47:19 +00:00
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
C.initiate dsthandle
initial import
2010-09-09 21:47:19 +00:00
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
loopUntil $ do
b <- lift $ readOne srchandle
lift $ putStrLn ("sending " ++ show b)
if B.null b
then do
C.close dsthandle
return True
else do
C.sendData dsthandle (L.fromChunks [b])
return False
initial import
2010-09-09 21:47:19 +00:00
return ()
massive change on the RNG and add support for CryptoRandomGen use an inline AES counter system to generate random data.
2010-11-04 19:05:36 +00:00
getRandomGen :: IO SRandomGen
getRandomGen = makeSRandomGen >>= either (fail . show) (return . id)
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
tlsserver srchandle dsthandle = do
lift $ hSetBuffering dsthandle NoBuffering
lift $ hSetBuffering srchandle NoBuffering
S.listen srchandle
loopUntil $ do
d <- S.recvData srchandle
lift $ putStrLn ("received: " ++ show d)
S.sendData srchandle (L.pack $ map (toEnum . fromEnum) "this is some data")
lift $ hFlush srchandle
return False
initial import
2010-09-09 21:47:19 +00:00
lift $ putStrLn "end"
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
clientProcess ((certdata, cert), pk) handle dsthandle _ = do
massive change on the RNG and add support for CryptoRandomGen use an inline AES counter system to generate random data.
2010-11-04 19:05:36 +00:00
rng <- getRandomGen
initial import
2010-09-09 21:47:19 +00:00
let serverstate = S.TLSServerParams
allow SSL3 in stunnel
2010-12-14 23:26:51 +00:00
{ S.spAllowedVersions = [SSL3,TLS10,TLS11]
initial import
2010-09-09 21:47:19 +00:00
, S.spSessions = []
, S.spCiphers = ciphers
, S.spCertificate = Just (certdata, cert, pk)
, S.spWantClientCert = False
add a server callbacks when receiving Certificates
2010-09-20 07:45:41 +00:00
, S.spCallbacks = S.TLSServerCallbacks
{ S.cbCertificates = Nothing }
initial import
2010-09-09 21:47:19 +00:00
}
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
S.runTLSServer (tlsserver handle dsthandle) serverstate rng
initial import
2010-09-09 21:47:19 +00:00
use strict bytestring instead of lazy bytestring. the API stays mostly similar except for clientkeyxchg that need a bytes instead of [word8]. remove lots of unnessary packing/unpacking when setting up ciphers.
2010-09-26 09:34:47 +00:00
readCertificate :: FilePath -> IO (B.ByteString, Certificate)
initial import
2010-09-09 21:47:19 +00:00
readCertificate filepath = do
content <- B.readFile filepath
let certdata = case parsePEMCert content of
requires certificate v0.3
2010-10-03 09:32:37 +00:00
Nothing -> error ("no valid certificate section")
Just x -> x
use strict bytestring instead of lazy bytestring. the API stays mostly similar except for clientkeyxchg that need a bytes instead of [word8]. remove lots of unnessary packing/unpacking when setting up ciphers.
2010-09-26 09:34:47 +00:00
let cert = case decodeCertificate $ L.fromChunks [certdata] of
initial import
2010-09-09 21:47:19 +00:00
Left err -> error ("cannot decode certificate: " ++ err)
Right x -> x
return (certdata, cert)
move to certificate 0.5
2011-01-02 09:49:21 +00:00
readPrivateKey :: FilePath -> IO (L.ByteString, KeyRSA.Private)
initial import
2010-09-09 21:47:19 +00:00
readPrivateKey filepath = do
content <- B.readFile filepath
requires certificate v0.3
2010-10-03 09:32:37 +00:00
let pkdata = case parsePEMKeyRSA content of
Nothing -> error ("no valid RSA key section")
Just x -> L.fromChunks [x]
move to certificate 0.5
2011-01-02 09:49:21 +00:00
let pk = case KeyRSA.decodePrivate pkdata of
initial import
2010-09-09 21:47:19 +00:00
Left err -> error ("cannot decode key: " ++ err)
Right x -> x
return (pkdata, pk)
use cmdargs in stunnel instead of GetArgs prepare options for the implementation of an actual stunnel program, where data are relayed from encrypted to normal connection and vice versa.
2010-11-28 11:37:36 +00:00
data Stunnel =
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
Client
{ destinationType :: String
, destination :: String
, sourceType :: String
, source :: String }
| Server
{ destinationType :: String
, destination :: String
, sourceType :: String
, source :: String
, certificate :: FilePath
, key :: FilePath }
use cmdargs in stunnel instead of GetArgs prepare options for the implementation of an actual stunnel program, where data are relayed from encrypted to normal connection and vice versa.
2010-11-28 11:37:36 +00:00
deriving (Show, Data, Typeable)
clientOpts = Client
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
{ destinationType = "tcp" &= help "type of source (tcp, unix, fd)" &= typ "DESTTYPE"
, destination = "localhost:6061" &= help "destination address influenced by destination type" &= typ "ADDRESS"
add options to bind to unix socket or file descriptor
2010-11-28 11:50:55 +00:00
, sourceType = "tcp" &= help "type of source (tcp, unix, fd)" &= typ "SOURCETYPE"
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
, source = "localhost:6060" &= help "source address influenced by source type" &= typ "ADDRESS"
use cmdargs in stunnel instead of GetArgs prepare options for the implementation of an actual stunnel program, where data are relayed from encrypted to normal connection and vice versa.
2010-11-28 11:37:36 +00:00
}
&= help "connect to a remote destination that use SSL/TLS"
serverOpts = Server
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
{ destinationType = "tcp" &= help "type of source (tcp, unix, fd)" &= typ "DESTTYPE"
, destination = "localhost:6060" &= help "destination address influenced by destination type" &= typ "ADDRESS"
, sourceType = "tcp" &= help "type of source (tcp, unix, fd)" &= typ "SOURCETYPE"
, source = "localhost:6061" &= help "source address influenced by source type" &= typ "ADDRESS"
use cmdargs in stunnel instead of GetArgs prepare options for the implementation of an actual stunnel program, where data are relayed from encrypted to normal connection and vice versa.
2010-11-28 11:37:36 +00:00
, certificate = "certificate.pem" &= help "X509 public certificate to use" &= typ "FILE"
, key = "certificate.key" &= help "private key linked to the certificate" &= typ "FILE"
}
&= help "listen for connection that use SSL/TLS and relay it to a different connection"
mode = cmdArgsMode $ modes [clientOpts,serverOpts]
&= help "create SSL/TLS tunnel in client or server mode" &= program "stunnel" &= summary "Stunnel v0.1 (Haskell TLS)"
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
data StunnelAddr =
AddrSocket Family SockAddr
| AddrFD Handle Handle
use cmdargs in stunnel instead of GetArgs prepare options for the implementation of an actual stunnel program, where data are relayed from encrypted to normal connection and vice versa.
2010-11-28 11:37:36 +00:00
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
data StunnelHandle =
StunnelSocket Socket
| StunnelFd Handle Handle
getAddressDescription :: String -> String -> IO StunnelAddr
getAddressDescription "tcp" desc = do
let (s, p) = break ((==) ':') desc
when (p == "") (error "missing port: expecting [source]:port")
pn <- if and $ map isDigit $ drop 1 p
then return $ fromIntegral $ (read (drop 1 p) :: Int)
else do
service <- getServiceByName (drop 1 p) "tcp"
return $ servicePort service
he <- getHostByName s
return $ AddrSocket AF_INET (SockAddrInet pn (head $ hostAddresses he))
getAddressDescription "unix" desc = do
return $ AddrSocket AF_UNIX (SockAddrUnix desc)
getAddressDescription "fd" _ =
return $ AddrFD stdin stdout
use cmdargs in stunnel instead of GetArgs prepare options for the implementation of an actual stunnel program, where data are relayed from encrypted to normal connection and vice versa.
2010-11-28 11:37:36 +00:00
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
getAddressDescription _ _ = error "unrecognized source type (expecting tcp/unix/fd)"
connectAddressDescription (AddrSocket family sockaddr) = do
sock <- socket family Stream defaultProtocol
catch (connect sock sockaddr)
(\_ -> sClose sock >> error ("cannot open socket " ++ show sockaddr))
return $ StunnelSocket sock
connectAddressDescription (AddrFD h1 h2) = do
return $ StunnelFd h1 h2
listenAddressDescription (AddrSocket family sockaddr) = do
sock <- socket family Stream defaultProtocol
catch (bindSocket sock sockaddr >> listen sock 10 >> setSocketOption sock ReuseAddr 1)
(\_ -> sClose sock >> error ("cannot open socket " ++ show sockaddr))
return $ StunnelSocket sock
listenAddressDescription (AddrFD _ _) = do
error "cannot listen on fd"
doClient :: Stunnel -> IO ()
doClient pargs = do
srcaddr <- getAddressDescription (sourceType pargs) (source pargs)
dstaddr <- getAddressDescription (destinationType pargs) (destination pargs)
use cmdargs in stunnel instead of GetArgs prepare options for the implementation of an actual stunnel program, where data are relayed from encrypted to normal connection and vice versa.
2010-11-28 11:37:36 +00:00
let clientstate = C.TLSClientParams
{ C.cpConnectVersion = TLS10
, C.cpAllowedVersions = [ TLS10, TLS11 ]
, C.cpSession = Nothing
, C.cpCiphers = ciphers
, C.cpCertificate = Nothing
, C.cpCallbacks = C.TLSClientCallbacks
{ C.cbCertificates = Nothing
}
}
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
case srcaddr of
AddrSocket _ _ -> do
(StunnelSocket srcsocket) <- listenAddressDescription srcaddr
forever $ do
(s, _) <- accept srcsocket
rng <- getRandomGen
srch <- socketToHandle s ReadWriteMode
(StunnelSocket dst) <- connectAddressDescription dstaddr
dsth <- socketToHandle dst ReadWriteMode
_ <- forkIO $ finally
(C.runTLSClient (tlsclient srch dsth) clientstate rng >> return ())
(hClose srch >> hClose dsth)
return ()
AddrFD _ _ -> error "bad error fd. not implemented"
use cmdargs in stunnel instead of GetArgs prepare options for the implementation of an actual stunnel program, where data are relayed from encrypted to normal connection and vice versa.
2010-11-28 11:37:36 +00:00
doServer :: Stunnel -> IO ()
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
doServer pargs = do
cert <- readCertificate $ certificate pargs
pk <- readPrivateKey $ key pargs
srcaddr <- getAddressDescription (sourceType pargs) (source pargs)
dstaddr <- getAddressDescription (destinationType pargs) (destination pargs)
case srcaddr of
AddrSocket _ _ -> do
(StunnelSocket srcsocket) <- listenAddressDescription srcaddr
forever $ do
(s, addr) <- accept srcsocket
srch <- socketToHandle s ReadWriteMode
(StunnelSocket dst) <- connectAddressDescription dstaddr
dsth <- socketToHandle dst ReadWriteMode
_ <- forkIO $ finally
(clientProcess (cert, snd pk) srch dsth addr >> return ())
(hClose srch >> hClose dsth)
return ()
AddrFD _ _ -> error "bad error fd. not implemented"
use cmdargs in stunnel instead of GetArgs prepare options for the implementation of an actual stunnel program, where data are relayed from encrypted to normal connection and vice versa.
2010-11-28 11:37:36 +00:00
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
main :: IO ()
initial import
2010-09-09 21:47:19 +00:00
main = do
Improve stunnel example to behave more like a stunnel program. The client side is behaving like a real stunnel now, waiting local connection and relaying it through the TLS connection and back to the local connection. The server side is improved, however it doesn't properly relay it to the local port on the server. For now it prints the message to stdout and reply a constant to a client. it waits for EOF from the client before finishing.
2010-11-30 08:12:49 +00:00
x <- cmdArgsRun mode
case x of
Client _ _ _ _ -> doClient x
Server _ _ _ _ _ _ -> doServer x
Reference in a new issue Copy permalink