packages feed

tls-2.0.0: util/client.hs

{-# LANGUAGE OverloadedStrings #-}

import Control.Exception (SomeException (..))
import qualified Control.Exception as E
import Crypto.Random
import qualified Data.ByteString as B
import qualified Data.ByteString.Char8 as BC
import qualified Data.ByteString.Lazy.Char8 as LC
import Data.Default.Class
import Data.IORef
import Data.X509.CertificateStore
import Network.Socket (PortNumber, close, connect, socket)
import System.Console.GetOpt
import System.Environment
import System.Exit
import System.IO
import System.Timeout

import Network.TLS
import Network.TLS.Extra.Cipher

import Common
import HexDump
import Imports

defaultBenchAmount :: Int
defaultBenchAmount = 1024 * 1024

defaultTimeout :: Int
defaultTimeout = 2000

bogusCipher :: CipherID -> Cipher
bogusCipher cid = cipher_ECDHE_RSA_AES128GCM_SHA256{cipherID = cid}

runTLS
    :: Bool
    -> Bool
    -> ClientParams
    -> String
    -> PortNumber
    -> (Context -> IO a)
    -> IO a
runTLS debug ioDebug params hostname portNumber f =
    E.bracket setup teardown $ \sock -> do
        ctx <- contextNew sock params
        contextHookSetLogging ctx getLogging
        f ctx
  where
    getLogging = ioLogging $ packetLogging def
    packetLogging logging
        | debug =
            logging
                { loggingPacketSent = putStrLn . ("debug: >> " ++)
                , loggingPacketRecv = putStrLn . ("debug: << " ++)
                }
        | otherwise = logging
    ioLogging logging
        | ioDebug =
            logging
                { loggingIOSent = mapM_ putStrLn . hexdump ">>"
                , loggingIORecv = \hdr body -> do
                    putStrLn ("<< " ++ show hdr)
                    mapM_ putStrLn $ hexdump "<<" body
                }
        | otherwise = logging
    setup = do
        ai <- makeAddrInfo (Just hostname) portNumber
        sock <- socket (addrFamily ai) (addrSocketType ai) (addrProtocol ai)
        let sockaddr = addrAddress ai
        connect sock sockaddr
        return sock
    teardown sock = close sock

sessionRef :: IORef (SessionID, SessionData) -> SessionManager
sessionRef ref =
    noSessionManager
        { sessionEstablish = \sid sdata -> writeIORef ref (sid, sdata) >> return Nothing
        }

getDefaultParams
    :: [Flag]
    -> String
    -> CertificateStore
    -> IORef (SessionID, SessionData)
    -> Maybe OnCertificateRequest
    -> Maybe (SessionID, SessionData)
    -> Maybe ByteString
    -> ClientParams
getDefaultParams flags host store sStorage certCredsRequest session earlyData =
    (defaultParamsClient serverName BC.empty)
        { clientSupported =
            def
                { supportedVersions = supportedVers
                , supportedCiphers = myCiphers
                , supportedGroups = getGroups flags
                }
        , clientWantSessionResume = session
        , clientUseServerNameIndication = NoSNI `notElem` flags
        , clientShared =
            def
                { sharedSessionManager = sessionRef sStorage
                , sharedCAStore = store
                , sharedValidationCache = validateCache
                }
        , clientHooks =
            def
                { onCertificateRequest = fromMaybe (onCertificateRequest def) certCredsRequest
                }
        , clientDebug =
            def
                { debugSeed = foldl getDebugSeed Nothing flags
                , debugPrintSeed =
                    if DebugPrintSeed `elem` flags
                        then (\seed -> putStrLn ("seed: " ++ show (seedToInteger seed)))
                        else (\_ -> return ())
                }
        , clientUseEarlyData = isJust earlyData
        }
  where
    serverName = foldl f host flags
      where
        f _ (SNI n) = n
        f acc _ = acc

    validateCache
        | validateCert = def
        | otherwise =
            ValidationCache
                (\_ _ _ -> return ValidationCachePass)
                (\_ _ _ -> return ())
    myCiphers = foldl accBogusCipher getSelectedCiphers flags
      where
        accBogusCipher acc (BogusCipher c) =
            case reads c of
                [(v, "")] -> acc ++ [bogusCipher v]
                _ -> acc
        accBogusCipher acc _ = acc

    getUsedCipherIDs = foldl f [] flags
      where
        f acc (UseCipher am) =
            case readCiphers am of
                Just l -> l ++ acc
                Nothing -> acc
        f acc _ = acc

    getSelectedCiphers =
        case getUsedCipherIDs of
            [] -> ciphersuite_all
            l -> mapMaybe (\cid -> find ((== cid) . cipherID) ciphersuite_all) l

    getDebugSeed :: Maybe Seed -> Flag -> Maybe Seed
    getDebugSeed _ (DebugSeed seed) = seedFromInteger `fmap` readNumber seed
    getDebugSeed acc _ = acc

    tlsConnectVer
        | Tls13 `elem` flags = TLS13
        | Tls12 `elem` flags = TLS12
        | Tls11 `elem` flags = TLS11
        | Ssl3 `elem` flags = SSL3
        | Tls10 `elem` flags = TLS10
        | otherwise = TLS13
    supportedVers
        | NoVersionDowngrade `elem` flags = [tlsConnectVer]
        | otherwise = filter (<= tlsConnectVer) allVers
    allVers = [TLS13, TLS12, TLS11, TLS10, SSL3]
    validateCert = NoValidateCert `notElem` flags

getGroups :: [Flag] -> [Group]
getGroups flags = case getGroup >>= readGroups of
    Nothing -> defaultGroups
    Just [] -> defaultGroups
    Just groups -> groups
  where
    defaultGroups = supportedGroups def
    getGroup = foldl f Nothing flags
      where
        f _ (NGroup g) = Just g
        f acc _ = acc

data Flag
    = Verbose
    | Debug
    | IODebug
    | NoValidateCert
    | Session
    | Http11
    | Ssl3
    | Tls10
    | Tls11
    | Tls12
    | Tls13
    | SNI String
    | NoSNI
    | Uri String
    | NoVersionDowngrade
    | UserAgent String
    | Input String
    | Output String
    | Timeout String
    | BogusCipher String
    | ClientCert String
    | TrustAnchor String
    | BenchSend
    | BenchRecv
    | BenchData String
    | UseCipher String
    | ListCiphers
    | ListGroups
    | DebugSeed String
    | DebugPrintSeed
    | NGroup String
    | Help
    | UpdateKey
    deriving (Show, Eq)

options :: [OptDescr Flag]
options =
    [ Option ['v'] ["verbose"] (NoArg Verbose) "verbose output on stdout"
    , Option ['d'] ["debug"] (NoArg Debug) "TLS debug output on stdout"
    , Option [] ["io-debug"] (NoArg IODebug) "TLS IO debug output on stdout"
    , Option ['s'] ["session"] (NoArg Session) "try to resume a session"
    , Option
        ['Z']
        ["zerortt"]
        (ReqArg Input "inpfile")
        "input for TLS 1.3 0RTT data"
    , Option ['O'] ["output"] (ReqArg Output "stdout") "output "
    , Option ['g'] ["group"] (ReqArg NGroup "group") "group"
    , Option
        ['t']
        ["timeout"]
        (ReqArg Timeout "timeout")
        "timeout in milliseconds (2s by default)"
    , Option
        ['u']
        ["update-key"]
        (NoArg UpdateKey)
        "Updating keys after sending the first request then sending the same request again (TLS 1.3 only)"
    , Option
        []
        ["no-validation"]
        (NoArg NoValidateCert)
        "disable certificate validation"
    , Option
        []
        ["client-cert"]
        (ReqArg ClientCert "cert-file:key-file")
        "add a client certificate to use with the server"
    , Option
        []
        ["trust-anchor"]
        (ReqArg TrustAnchor "pem-or-dir")
        "use provided CAs instead of system certificate store"
    , Option [] ["http1.1"] (NoArg Http11) "use http1.1 instead of http1.0"
    , Option [] ["ssl3"] (NoArg Ssl3) "use SSL 3.0"
    , Option
        []
        ["sni"]
        (ReqArg SNI "server-name")
        "use non-default server name indication"
    , Option [] ["no-sni"] (NoArg NoSNI) "don't use server name indication"
    , Option [] ["user-agent"] (ReqArg UserAgent "user-agent") "use a user agent"
    , Option [] ["tls10"] (NoArg Tls10) "use TLS 1.0"
    , Option [] ["tls11"] (NoArg Tls11) "use TLS 1.1"
    , Option [] ["tls12"] (NoArg Tls12) "use TLS 1.2"
    , Option [] ["tls13"] (NoArg Tls13) "use TLS 1.3 (default)"
    , Option
        []
        ["bogocipher"]
        (ReqArg BogusCipher "cipher-id")
        "add a bogus cipher id for testing"
    , Option
        ['x']
        ["no-version-downgrade"]
        (NoArg NoVersionDowngrade)
        "do not allow version downgrade"
    , Option
        []
        ["uri"]
        (ReqArg Uri "URI")
        "optional URI requested by default /"
    , Option ['h'] ["help"] (NoArg Help) "request help"
    , Option
        []
        ["bench-send"]
        (NoArg BenchSend)
        "benchmark send path. only with compatible server"
    , Option
        []
        ["bench-recv"]
        (NoArg BenchRecv)
        "benchmark recv path. only with compatible server"
    , Option
        []
        ["bench-data"]
        (ReqArg BenchData "amount")
        "amount of data to benchmark with"
    , Option
        []
        ["use-cipher"]
        (ReqArg UseCipher "cipher-id")
        "use a specific cipher"
    , Option
        []
        ["list-ciphers"]
        (NoArg ListCiphers)
        "list all ciphers supported and exit"
    , Option
        []
        ["list-groups"]
        (NoArg ListGroups)
        "list all groups supported and exit"
    , Option
        []
        ["debug-seed"]
        (ReqArg DebugSeed "debug-seed")
        "debug: set a specific seed for randomness"
    , Option
        []
        ["debug-print-seed"]
        (NoArg DebugPrintSeed)
        "debug: set a specific seed for randomness"
    ]

noSession :: Maybe (SessionID, SessionData)
noSession = Nothing

runOn
    :: (IORef (SessionID, SessionData), CertificateStore)
    -> [Flag]
    -> PortNumber
    -> String
    -> IO ()
runOn (sStorage, certStore) flags port hostname
    | BenchSend `elem` flags = runBench True
    | BenchRecv `elem` flags = runBench False
    | otherwise = do
        certCredRequest <- getCredRequest
        doTLS certCredRequest noSession Nothing `E.catch` \(SomeException e) -> print e
        when (Session `elem` flags) $ do
            putStrLn "\nResuming the session..."
            session <- readIORef sStorage
            earlyData <- case getInput of
                Nothing -> return Nothing
                Just i -> Just <$> B.readFile i
            doTLS certCredRequest (Just session) earlyData `E.catch` \(SomeException e) -> print e
  where
    runBench isSend =
        runTLS
            (Debug `elem` flags)
            (IODebug `elem` flags)
            (getDefaultParams flags hostname certStore sStorage Nothing noSession Nothing)
            hostname
            port
            $ \ctx -> do
                handshake ctx
                if isSend
                    then loopSendData getBenchAmount ctx
                    else loopRecvData getBenchAmount ctx
                bye ctx
      where
        dataSend = BC.replicate 4096 'a'
        loopSendData bytes ctx
            | bytes <= 0 = return ()
            | otherwise = do
                sendData ctx $
                    LC.fromChunks
                        [if bytes > B.length dataSend then dataSend else BC.take bytes dataSend]
                loopSendData (bytes - B.length dataSend) ctx

        loopRecvData bytes ctx
            | bytes <= 0 = return ()
            | otherwise = do
                d <- recvData ctx
                loopRecvData (bytes - B.length d) ctx

    doTLS certCredRequest sess earlyData = E.bracket setup teardown $ \out -> do
        let query =
                LC.pack
                    ( "GET "
                        ++ findURI flags
                        ++ ( if Http11 `elem` flags then " HTTP/1.1\r\nHost: " ++ hostname else " HTTP/1.0"
                           )
                        ++ userAgent
                        ++ "\r\n\r\n"
                    )
        when
            (Verbose `elem` flags)
            (putStrLn "sending query:" >> LC.putStrLn query >> putStrLn "")
        runTLS
            (Debug `elem` flags)
            (IODebug `elem` flags)
            ( getDefaultParams
                flags
                hostname
                certStore
                sStorage
                certCredRequest
                sess
                earlyData
            )
            hostname
            port
            $ \ctx -> do
                handshake ctx
                when (Verbose `elem` flags) $ printHandshakeInfo ctx
                case earlyData of
                    Just edata -> sendData ctx $ LC.fromStrict edata
                    _ -> return ()
                sendData ctx query
                loopRecv out ctx
                when (UpdateKey `elem` flags) $ do
                    _tls13 <- updateKey ctx TwoWay
                    sendData ctx query
                    loopRecv out ctx
                bye ctx `E.catch` \(SomeException e) -> putStrLn $ "bye failed: " ++ show e
                return ()
    setup = maybe (return stdout) (\f -> openFile f AppendMode) getOutput
    teardown out = when (isJust getOutput) $ hClose out
    loopRecv out ctx = do
        d <- timeout (timeoutMs * 1000) (recvData ctx) -- 2s per recv
        case d of
            Nothing ->
                when (Debug `elem` flags) (hPutStrLn stderr "timeout")
            Just b
                | BC.null b -> return ()
                | otherwise -> BC.hPutStrLn out b >> loopRecv out ctx

    getCredRequest =
        case clientCert of
            Nothing -> return Nothing
            Just s ->
                case break (== ':') s of
                    (_, "") -> error "wrong format for client-cert, expecting 'cert-file:key-file'"
                    (cert, ':' : key) -> do
                        ecred <- credentialLoadX509 cert key
                        case ecred of
                            Left err -> error ("cannot load client certificate: " ++ err)
                            Right cred -> do
                                let certRequest _ = return $ Just cred
                                return $ Just certRequest
                    (_, _) -> error "wrong format for client-cert, expecting 'cert-file:key-file'"

    findURI [] = "/"
    findURI (Uri u : _) = u
    findURI (_ : xs) = findURI xs

    userAgent = maybe "" ("\r\nUser-Agent: " ++) mUserAgent
    mUserAgent = foldl f Nothing flags
      where
        f _ (UserAgent ua) = Just ua
        f acc _ = acc
    getInput = foldl f Nothing flags
      where
        f _ (Input i) = Just i
        f acc _ = acc
    getOutput = foldl f Nothing flags
      where
        f _ (Output o) = Just o
        f acc _ = acc
    timeoutMs = foldl f defaultTimeout flags
      where
        f _ (Timeout t) = read t
        f acc _ = acc
    clientCert = foldl f Nothing flags
      where
        f _ (ClientCert c) = Just c
        f acc _ = acc
    getBenchAmount = foldl f defaultBenchAmount flags
      where
        f acc (BenchData am) = case readNumber am of
            Nothing -> acc
            Just i -> i
        f acc _ = acc

getTrustAnchors :: [Flag] -> IO CertificateStore
getTrustAnchors flags = getCertificateStore (foldr getPaths [] flags)
  where
    getPaths (TrustAnchor path) acc = path : acc
    getPaths _ acc = acc

printUsage :: IO ()
printUsage =
    putStrLn $
        usageInfo
            "usage: client [opts] <hostname> [port]\n\n\t(port default to: 443)\noptions:\n"
            options

main :: IO ()
main = do
    args <- getArgs
    let (opts, other, errs) = getOpt Permute options args
    unless (null errs) $ do
        print errs
        exitFailure

    when (Help `elem` opts) $ do
        printUsage
        exitSuccess

    when (ListCiphers `elem` opts) $ do
        printCiphers
        exitSuccess

    when (ListGroups `elem` opts) $ do
        printGroups
        exitSuccess

    certStore <- getTrustAnchors opts
    sStorage <- newIORef (error "storage ioref undefined")
    case other of
        [hostname] -> runOn (sStorage, certStore) opts 443 hostname
        [hostname, port] -> runOn (sStorage, certStore) opts (fromInteger $ read port) hostname
        _ -> printUsage >> exitFailure