tls-extra 0.5.1 → 0.6.0
raw patch · 4 files changed
+30/−70 lines, 4 filesdep +cipher-rc4dep +crypto-pubkeydep +crypto-random-apidep −crypto-apidep −cryptocipherdep ~tls
Dependencies added: cipher-rc4, crypto-pubkey, crypto-random-api
Dependencies removed: crypto-api, cryptocipher
Dependency ranges changed: tls
Files
- Network/TLS/Extra/Certificate.hs +15/−27
- Network/TLS/Extra/Cipher.hs +6/−33
- Network/TLS/Extra/Connection.hs +2/−2
- tls-extra.cabal +7/−8
Network/TLS/Extra/Certificate.hs view
@@ -23,10 +23,9 @@ -- for signing/verifying certificate import qualified Crypto.Hash.SHA1 as SHA1-import qualified Crypto.Hash.MD2 as MD2-import qualified Crypto.Hash.MD5 as MD5-import qualified Crypto.Cipher.RSA as RSA-import qualified Crypto.Cipher.DSA as DSA+import qualified Crypto.PubKey.HashDescr as HD+import qualified Crypto.PubKey.RSA.PKCS15 as RSA+import qualified Crypto.PubKey.DSA as DSA import Data.CertificateStore import Data.Certificate.X509.Cert (oidCommonName)@@ -110,15 +109,12 @@ -- | verify a certificate against another one. -- the first certificate need to be signed by the second one for this function to succeed. certificateVerifyAgainst :: X509 -> X509 -> IO Bool-certificateVerifyAgainst ux509@(X509 _ _ _ sigalg sig) (X509 scert _ _ _ _) = do- let f = verifyF sigalg pk- case f udata esig of- Right True -> return True- _ -> return False- where- udata = B.concat $ L.toChunks $ getSigningData ux509- esig = B.pack sig- pk = certPubKey scert+certificateVerifyAgainst ux509@(X509 _ _ _ sigalg sig) (X509 scert _ _ _ _) =+ return $ (verifyF sigalg pk) udata esig+ where+ udata = B.concat $ L.toChunks $ getSigningData ux509+ esig = B.pack sig+ pk = certPubKey scert -- | Is this certificate self signed? certificateSelfSigned :: X509 -> Bool@@ -128,7 +124,7 @@ certMatchDN (X509 testedCert _ _ _ _) (X509 issuerCert _ _ _ _) = certSubjectDN issuerCert == certIssuerDN testedCert -verifyF :: SignatureALG -> PubKey -> B.ByteString -> B.ByteString -> Either String Bool+verifyF :: SignatureALG -> PubKey -> B.ByteString -> B.ByteString -> Bool -- md[245]WithRSAEncryption: --@@ -137,23 +133,15 @@ -- md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 } -- md4WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 3 } -- md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }-verifyF (SignatureALG HashMD2 PubKeyALG_RSA) (PubKeyRSA rsak) = rsaVerify MD2.hash asn1 rsak- where asn1 = "\x30\x20\x30\x0c\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05\x05\x00\x02\x10"--verifyF (SignatureALG HashMD5 PubKeyALG_RSA) (PubKeyRSA rsak) = rsaVerify MD5.hash asn1 rsak- where asn1 = "\x30\x20\x30\x0c\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05\x05\x00\x04\x10"--verifyF (SignatureALG HashSHA1 PubKeyALG_RSA) (PubKeyRSA rsak) = rsaVerify SHA1.hash asn1 rsak- where asn1 = "\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14"-+verifyF (SignatureALG HashMD2 PubKeyALG_RSA) (PubKeyRSA rsak) = RSA.verify HD.hashDescrMD2 rsak+verifyF (SignatureALG HashMD5 PubKeyALG_RSA) (PubKeyRSA rsak) = RSA.verify HD.hashDescrMD5 rsak+verifyF (SignatureALG HashSHA1 PubKeyALG_RSA) (PubKeyRSA rsak) = RSA.verify HD.hashDescrSHA1 rsak verifyF (SignatureALG HashSHA1 PubKeyALG_DSA) (PubKeyDSA dsak) = dsaSHA1Verify dsak -verifyF _ _ = (\_ _ -> Left "unexpected/wrong signature")+verifyF _ _ = \_ _ -> False -dsaSHA1Verify pk _ b = either (Left . show) (Right) $ DSA.verify asig SHA1.hash pk b+dsaSHA1Verify pk _ b = DSA.verify SHA1.hash pk asig b where asig = (0,0) {- FIXME : need to work out how to get R/S from the bytestring a -}--rsaVerify h hdesc pk a b = either (Left . show) (Right) $ RSA.verify h hdesc pk a b -- | Verify that the given certificate chain is application to the given fully qualified host name. certificateVerifyDomain :: String -> [X509] -> CertificateUsage
Network/TLS/Extra/Cipher.hs view
@@ -26,21 +26,18 @@ , cipher_AES256_SHA256 ) where -import qualified Data.Vector.Unboxed as Vector (fromList, toList) import qualified Data.ByteString as B import Network.TLS (Version(..)) import Network.TLS.Cipher-import qualified Crypto.Cipher.RC4 as RC4+import qualified "cipher-rc4" Crypto.Cipher.RC4 as RC4 import qualified Crypto.Hash.SHA256 as SHA256 import qualified Crypto.Hash.SHA1 as SHA1 import qualified Crypto.Hash.MD5 as MD5 -#ifdef CIPHER_AES import qualified "cipher-aes" Crypto.Cipher.AES as AES - aes_cbc_encrypt :: Key -> IV -> B.ByteString -> B.ByteString aes_cbc_encrypt key iv d = AES.encryptCBC (AES.initKey key) (AES.IV iv) d @@ -52,44 +49,20 @@ aes256_cbc_encrypt = aes_cbc_encrypt aes256_cbc_decrypt = aes_cbc_decrypt -#else-import qualified "cryptocipher" Crypto.Cipher.AES as AES--aes128_cbc_encrypt :: Key -> IV -> B.ByteString -> B.ByteString-aes128_cbc_encrypt key iv d = AES.encryptCBC pkey iv d- where (Right pkey) = AES.initKey128 key--aes128_cbc_decrypt :: Key -> IV -> B.ByteString -> B.ByteString-aes128_cbc_decrypt key iv d = AES.decryptCBC pkey iv d- where (Right pkey) = AES.initKey128 key--aes256_cbc_encrypt :: Key -> IV -> B.ByteString -> B.ByteString-aes256_cbc_encrypt key iv d = AES.encryptCBC pkey iv d- where (Right pkey) = AES.initKey256 key--aes256_cbc_decrypt :: Key -> IV -> B.ByteString -> B.ByteString-aes256_cbc_decrypt key iv d = AES.decryptCBC pkey iv d- where (Right pkey) = AES.initKey256 key--#endif- toIV :: RC4.Ctx -> IV-toIV (v, x, y) = B.pack (x : y : Vector.toList v)+toIV (RC4.Ctx ctx) = ctx toCtx :: IV -> RC4.Ctx-toCtx iv =- case B.unpack iv of- x:y:l -> (Vector.fromList l, x, y)- _ -> (Vector.fromList [], 0, 0)+toCtx iv = RC4.Ctx iv initF_rc4 :: Key -> IV-initF_rc4 key = toIV $ RC4.initCtx (B.unpack key)+initF_rc4 key = toIV $ RC4.initCtx key encryptF_rc4 :: IV -> B.ByteString -> (B.ByteString, IV)-encryptF_rc4 iv d = (\(ctx, e) -> (e, toIV ctx)) $ RC4.encrypt (toCtx iv) d+encryptF_rc4 iv d = (\(ctx, e) -> (e, toIV ctx)) $ RC4.combine (toCtx iv) d decryptF_rc4 :: IV -> B.ByteString -> (B.ByteString, IV)-decryptF_rc4 iv e = (\(ctx, d) -> (d, toIV ctx)) $ RC4.decrypt (toCtx iv) e+decryptF_rc4 iv e = (\(ctx, d) -> (d, toIV ctx)) $ RC4.combine (toCtx iv) e -- | all encrypted ciphers supported ordered from strong to weak.
Network/TLS/Extra/Connection.hs view
@@ -9,7 +9,7 @@ ( connectionClient ) where -import Crypto.Random+import Crypto.Random.API import Control.Applicative ((<$>)) import Control.Exception import Data.Char@@ -33,7 +33,7 @@ -- -- will make a new RNG (using system entropy) and connect to IP 192.168.2.2 -- on port 7777.-connectionClient :: CryptoRandomGen g => String -> String -> TLSParams -> g -> IO Context+connectionClient :: CPRG g => String -> String -> TLSParams -> g -> IO Context connectionClient s p params rng = do pn <- if and $ map isDigit $ p then return $ fromIntegral $ (read p :: Int)
tls-extra.cabal view
@@ -1,5 +1,5 @@ Name: tls-extra-Version: 0.5.1+Version: 0.6.0 Description: a set of extra definitions, default values and helpers for tls. License: BSD3@@ -24,15 +24,17 @@ Library Build-Depends: base > 3 && < 5- , tls >= 1.0.0 && < 1.1.0+ , tls >= 1.1.0 && < 1.2.0 , mtl , network >= 2.3 , cryptohash >= 0.6 , bytestring , vector- , crypto-api >= 0.5- , cryptocipher >= 0.3.0 && < 0.4.0+ , cipher-rc4+ , cipher-aes >= 0.1 && < 0.2 , certificate >= 1.3.0 && < 1.4.0+ , crypto-pubkey+ , crypto-random-api , pem >= 0.1.0 && < 0.2.0 , text >= 0.5 && < 1.0 , time@@ -46,9 +48,6 @@ ghc-options: -Wall -fno-warn-missing-signatures if os(windows) cpp-options: -DNOCERTVERIFY- if os(linux) && flag(fastaes) && (arch(i386) || arch(x86_64))- cpp-options: -DCIPHER_AES- Build-Depends: cipher-aes >= 0.1 && < 0.2 executable Tests Main-is: Tests.hs@@ -63,7 +62,7 @@ Buildable: False if os(windows) cpp-options: -DNOCERTVERIFY- if os(linux) && flag(fastaes)+ if flag(fastaes) cpp-options: -DCIPHER_AES Build-Depends: cipher-aes >= 0.1 && < 0.2