packages feed

tls 2.4.2 → 2.4.3

raw patch · 4 files changed

+37/−5 lines, 4 files

Files

CHANGELOG.md view
@@ -1,5 +1,15 @@ # Change log for "tls" +## Version 2.4.3++* A server checks clientAuth of ExtendedKeyUsage in a client+  certificate on client authentication.++## Version 2.4.2++* The `Network.TLS.Extra.CipherCBC` module is added.+  [#526](https://github.com/haskell-tls/hs-tls/pull/526)+ ## Version 2.4.1  * Ensure same `supported_groups` before/after HRR.
Network/TLS/Handshake/Certificate.hs view
@@ -3,13 +3,20 @@     badCertificate,     rejectOnException,     verifyLeafKeyUsage,+    verifyLeafKeyUsagePurpose,     extractCAname, ) where  import Control.Exception (SomeException) import Control.Monad (unless) import Control.Monad.State.Strict-import Data.X509 (ExtKeyUsage (..), ExtKeyUsageFlag, extensionGet)+import Data.X509 (+    ExtExtendedKeyUsage (..),+    ExtKeyUsage (..),+    ExtKeyUsageFlag,+    ExtKeyUsagePurpose (..),+    extensionGet,+ )  import Network.TLS.Context.Internal import Network.TLS.Struct@@ -46,6 +53,19 @@         case extensionGet (certExtensions cert) of             Nothing -> True -- unrestricted cert             Just (ExtKeyUsage flags) -> any (`elem` validFlags) flags++verifyLeafKeyUsagePurpose+    :: MonadIO m => ExtKeyUsagePurpose -> CertificateChain -> m ()+verifyLeafKeyUsagePurpose _ (CertificateChain []) = return ()+verifyLeafKeyUsagePurpose validPurpose (CertificateChain (signed : _)) =+    unless verified $+        badCertificate $+            "certificate is not allowed for " ++ show validPurpose+  where+    cert = getCertificate signed+    verified = case extensionGet (certExtensions cert) of+        Nothing -> True+        Just (ExtExtendedKeyUsage purposes) -> validPurpose `elem` purposes  extractCAname :: SignedCertificate -> DistinguishedName extractCAname cert = certSubjectDN $ getCertificate cert
Network/TLS/Handshake/Server/Common.hs view
@@ -15,7 +15,7 @@ ) where  import Control.Monad.State.Strict-import Data.X509 (ExtKeyUsageFlag (..))+import Data.X509 (ExtKeyUsageFlag (..), ExtKeyUsagePurpose (..))  import Network.TLS.Context.Internal import Network.TLS.Credentials@@ -151,7 +151,9 @@                 (onClientCertificate (serverHooks sparams) certs)                 rejectOnException     case usage of-        CertificateUsageAccept -> verifyLeafKeyUsage [KeyUsage_digitalSignature] certs+        CertificateUsageAccept -> do+            verifyLeafKeyUsage [KeyUsage_digitalSignature] certs+            verifyLeafKeyUsagePurpose KeyUsagePurpose_ClientAuth certs         CertificateUsageReject reason -> certificateRejected reason      -- Remember cert chain for later use.
tls.cabal view
@@ -1,6 +1,6 @@ cabal-version:      >=1.10 name:               tls-version:            2.4.2+version:            2.4.3 license:            BSD3 license-file:       LICENSE copyright:          Vincent Hanquez <vincent@snarc.org>@@ -138,7 +138,7 @@         random >=1.2 && <1.4,         serialise >=0.2 && <0.3,         transformers >=0.5 && <0.7,-        unix-time >=0.4.11 && <0.5,+        unix-time >=0.4.11 && <0.6,         zlib >=0.7 && <0.8  executable tls-server