From e228669b5330dbcff7a9eb68a0ec0a94ffb8bdfe Mon Sep 17 00:00:00 2001 From: Kazu Yamamoto Date: Thu, 19 Dec 2024 20:44:39 +0900 Subject: [PATCH] pretty print for CipherID --- tls/Network/TLS/Extra/Cipher.hs | 38 +++++++++---------- .../TLS/Handshake/Server/ClientHello.hs | 3 +- .../TLS/Handshake/Server/ClientHello12.hs | 4 +- tls/Network/TLS/Packet.hs | 9 +++-- tls/Network/TLS/Packet13.hs | 4 +- tls/Network/TLS/Types.hs | 9 ++++- tls/test/Arbitrary.hs | 7 +++- tls/util/Common.hs | 5 ++- 8 files changed, 45 insertions(+), 34 deletions(-) diff --git a/tls/Network/TLS/Extra/Cipher.hs b/tls/Network/TLS/Extra/Cipher.hs index 8d61da098..d2bd3dace 100644 --- a/tls/Network/TLS/Extra/Cipher.hs +++ b/tls/Network/TLS/Extra/Cipher.hs @@ -73,7 +73,7 @@ import qualified Data.ByteString as B import Data.Tuple (swap) import Network.TLS.Cipher -import Network.TLS.Types (Version (..)) +import Network.TLS.Types (CipherID (..), Version (..)) import Crypto.Cipher.AES import qualified Crypto.Cipher.ChaChaPoly1305 as ChaChaPoly1305 @@ -435,7 +435,7 @@ bulk_aes128ccm8_13 = bulk_aes128ccm8{bulkIVSize = 12, bulkExplicitIV = 0} cipher_DHE_RSA_WITH_AES_128_GCM_SHA256 :: Cipher cipher_DHE_RSA_WITH_AES_128_GCM_SHA256 = Cipher - { cipherID = 0x009E + { cipherID = CipherID 0x009E , cipherName = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" , cipherBulk = bulk_aes128gcm , cipherHash = SHA256 @@ -455,7 +455,7 @@ cipher_DHE_RSA_AES128GCM_SHA256 = cipher_DHE_RSA_WITH_AES_128_GCM_SHA256 cipher_DHE_RSA_WITH_AES_256_GCM_SHA384 :: Cipher cipher_DHE_RSA_WITH_AES_256_GCM_SHA384 = Cipher - { cipherID = 0x009F + { cipherID = CipherID 0x009F , cipherName = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" , cipherBulk = bulk_aes256gcm , cipherHash = SHA384 @@ -478,7 +478,7 @@ cipher_DHE_RSA_AES256GCM_SHA384 = cipher_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher13_AES_128_GCM_SHA256 :: Cipher cipher13_AES_128_GCM_SHA256 = Cipher - { cipherID = 0x1301 + { cipherID = CipherID 0x1301 , cipherName = "TLS_AES_128_GCM_SHA256" , cipherBulk = bulk_aes128gcm_13 , cipherHash = SHA256 @@ -498,7 +498,7 @@ cipher_TLS13_AES128GCM_SHA256 = cipher13_AES_128_GCM_SHA256 cipher13_AES_256_GCM_SHA384 :: Cipher cipher13_AES_256_GCM_SHA384 = Cipher - { cipherID = 0x1302 + { cipherID = CipherID 0x1302 , cipherName = "TLS_AES_256_GCM_SHA384" , cipherBulk = bulk_aes256gcm_13 , cipherHash = SHA384 @@ -518,7 +518,7 @@ cipher_TLS13_AES256GCM_SHA384 = cipher13_AES_256_GCM_SHA384 cipher13_CHACHA20_POLY1305_SHA256 :: Cipher cipher13_CHACHA20_POLY1305_SHA256 = Cipher - { cipherID = 0x1303 + { cipherID = CipherID 0x1303 , cipherName = "TLS_CHACHA20_POLY1305_SHA256" , cipherBulk = bulk_chacha20poly1305 , cipherHash = SHA256 @@ -538,7 +538,7 @@ cipher_TLS13_CHACHA20POLY1305_SHA256 = cipher13_CHACHA20_POLY1305_SHA256 cipher13_AES_128_CCM_SHA256 :: Cipher cipher13_AES_128_CCM_SHA256 = Cipher - { cipherID = 0x1304 + { cipherID = CipherID 0x1304 , cipherName = "TLS_AES_128_CCM_SHA256" , cipherBulk = bulk_aes128ccm_13 , cipherHash = SHA256 @@ -558,7 +558,7 @@ cipher_TLS13_AES128CCM_SHA256 = cipher13_AES_128_CCM_SHA256 cipher13_TLS_AES_128_CCM_8_SHA256 :: Cipher cipher13_TLS_AES_128_CCM_8_SHA256 = Cipher - { cipherID = 0x1305 + { cipherID = CipherID 0x1305 , cipherName = "TLS_AES_128_CCM_8_SHA256" , cipherBulk = bulk_aes128ccm8_13 , cipherHash = SHA256 @@ -581,7 +581,7 @@ cipher_TLS13_AES128CCM8_SHA256 = cipher13_TLS_AES_128_CCM_8_SHA256 cipher_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 :: Cipher cipher_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = Cipher - { cipherID = 0xC02B + { cipherID = CipherID 0xC02B , cipherName = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" , cipherBulk = bulk_aes128gcm , cipherHash = SHA256 @@ -601,7 +601,7 @@ cipher_ECDHE_ECDSA_AES128GCM_SHA256 = cipher_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 :: Cipher cipher_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = Cipher - { cipherID = 0xC02C + { cipherID = CipherID 0xC02C , cipherName = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" , cipherBulk = bulk_aes256gcm , cipherHash = SHA384 @@ -621,7 +621,7 @@ cipher_ECDHE_ECDSA_AES256GCM_SHA384 = cipher_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher_ECDHE_RSA_WITH_AES_128_GCM_SHA256 :: Cipher cipher_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = Cipher - { cipherID = 0xC02F + { cipherID = CipherID 0xC02F , cipherName = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" , cipherBulk = bulk_aes128gcm , cipherHash = SHA256 @@ -641,7 +641,7 @@ cipher_ECDHE_RSA_AES128GCM_SHA256 = cipher_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher_ECDHE_RSA_WITH_AES_256_GCM_SHA384 :: Cipher cipher_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = Cipher - { cipherID = 0xC030 + { cipherID = CipherID 0xC030 , cipherName = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" , cipherBulk = bulk_aes256gcm , cipherHash = SHA384 @@ -664,7 +664,7 @@ cipher_ECDHE_RSA_AES256GCM_SHA384 = cipher_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher_ECDHE_ECDSA_WITH_AES_128_CCM :: Cipher cipher_ECDHE_ECDSA_WITH_AES_128_CCM = Cipher - { cipherID = 0xC0AC + { cipherID = CipherID 0xC0AC , cipherName = "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" , cipherBulk = bulk_aes128ccm , cipherHash = SHA256 @@ -684,7 +684,7 @@ cipher_ECDHE_ECDSA_AES128CCM_SHA256 = cipher_ECDHE_ECDSA_WITH_AES_128_CCM cipher_ECDHE_ECDSA_WITH_AES_256_CCM :: Cipher cipher_ECDHE_ECDSA_WITH_AES_256_CCM = Cipher - { cipherID = 0xC0AD + { cipherID = CipherID 0xC0AD , cipherName = "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" , cipherBulk = bulk_aes256ccm , cipherHash = SHA256 @@ -704,7 +704,7 @@ cipher_ECDHE_ECDSA_AES256CCM_SHA256 = cipher_ECDHE_ECDSA_WITH_AES_256_CCM cipher_ECDHE_ECDSA_WITH_AES_128_CCM_8 :: Cipher cipher_ECDHE_ECDSA_WITH_AES_128_CCM_8 = Cipher - { cipherID = 0xC0AE + { cipherID = CipherID 0xC0AE , cipherName = "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" , cipherBulk = bulk_aes128ccm8 , cipherHash = SHA256 @@ -724,7 +724,7 @@ cipher_ECDHE_ECDSA_AES128CCM8_SHA256 = cipher_ECDHE_ECDSA_WITH_AES_128_CCM_8 cipher_ECDHE_ECDSA_WITH_AES_256_CCM_8 :: Cipher cipher_ECDHE_ECDSA_WITH_AES_256_CCM_8 = Cipher - { cipherID = 0xC0AF + { cipherID = CipherID 0xC0AF , cipherName = "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" , cipherBulk = bulk_aes256ccm8 , cipherHash = SHA256 @@ -747,7 +747,7 @@ cipher_ECDHE_ECDSA_AES256CCM8_SHA256 = cipher_ECDHE_ECDSA_WITH_AES_256_CCM_8 cipher_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :: Cipher cipher_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = Cipher - { cipherID = 0xCCA8 + { cipherID = CipherID 0xCCA8 , cipherName = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" , cipherBulk = bulk_chacha20poly1305 , cipherHash = SHA256 @@ -767,7 +767,7 @@ cipher_ECDHE_RSA_CHACHA20POLY1305_SHA256 = cipher_ECDHE_RSA_WITH_CHACHA20_POLY13 cipher_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 :: Cipher cipher_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = Cipher - { cipherID = 0xCCA9 + { cipherID = CipherID 0xCCA9 , cipherName = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" , cipherBulk = bulk_chacha20poly1305 , cipherHash = SHA256 @@ -787,7 +787,7 @@ cipher_ECDHE_ECDSA_CHACHA20POLY1305_SHA256 = cipher_ECDHE_ECDSA_WITH_CHACHA20_PO cipher_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :: Cipher cipher_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = Cipher - { cipherID = 0xCCAA + { cipherID = CipherID 0xCCAA , cipherName = "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" , cipherBulk = bulk_chacha20poly1305 , cipherHash = SHA256 diff --git a/tls/Network/TLS/Handshake/Server/ClientHello.hs b/tls/Network/TLS/Handshake/Server/ClientHello.hs index b0a53488b..2e873a784 100644 --- a/tls/Network/TLS/Handshake/Server/ClientHello.hs +++ b/tls/Network/TLS/Handshake/Server/ClientHello.hs @@ -13,6 +13,7 @@ import Network.TLS.Measurement import Network.TLS.Parameters import Network.TLS.State import Network.TLS.Struct +import Network.TLS.Types processClientHello :: ServerParams -> Context -> Handshake -> IO (Version, CH) @@ -51,7 +52,7 @@ processClientHello sparams ctx clientHello@(ClientHello legacyVersion cran compr -- TLS_FALLBACK_SCSV: {0x56, 0x00} when ( supportedFallbackScsv (ctxSupported ctx) - && (0x5600 `elem` chCiphers) + && (CipherID 0x5600 `elem` chCiphers) && legacyVersion < TLS12 ) $ throwCore diff --git a/tls/Network/TLS/Handshake/Server/ClientHello12.hs b/tls/Network/TLS/Handshake/Server/ClientHello12.hs index 95ec8dec0..6af7e2d2e 100644 --- a/tls/Network/TLS/Handshake/Server/ClientHello12.hs +++ b/tls/Network/TLS/Handshake/Server/ClientHello12.hs @@ -18,7 +18,7 @@ import Network.TLS.Imports import Network.TLS.Parameters import Network.TLS.State import Network.TLS.Struct -import Network.TLS.Types (Role (..)) +import Network.TLS.Types (CipherID (..), Role (..)) ---------------------------------------------------------------- @@ -49,7 +49,7 @@ checkSesecureRenegotiation :: Context -> CH -> IO () checkSesecureRenegotiation ctx CH{..} = do -- RFC 5746: secure renegotiation -- TLS_EMPTY_RENEGOTIATION_INFO_SCSV: {0x00, 0xFF} - when (0xff `elem` chCiphers) $ + when (CipherID 0xff `elem` chCiphers) $ usingState_ ctx $ setSecureRenegotiation True case extensionLookup EID_SecureRenegotiation chExtensions of diff --git a/tls/Network/TLS/Packet.hs b/tls/Network/TLS/Packet.hs index 9a9df9c30..096974584 100644 --- a/tls/Network/TLS/Packet.hs +++ b/tls/Network/TLS/Packet.hs @@ -72,6 +72,7 @@ import Network.TLS.Crypto import Network.TLS.Imports import Network.TLS.MAC import Network.TLS.Struct +import Network.TLS.Types import Network.TLS.Util.ASN1 import Network.TLS.Wire @@ -165,7 +166,7 @@ decodeClientHello = do ver <- getBinaryVersion random <- getClientRandom32 session <- getSession - ciphers <- getWords16 + ciphers <- map CipherID <$> getWords16 compressions <- getWords8 r <- remaining exts <- @@ -183,7 +184,7 @@ decodeServerHello = do ver <- getBinaryVersion random <- getServerRandom32 session <- getSession - cipherid <- getWord16 + cipherid <- CipherID <$> getWord16 compressionid <- getWord8 r <- remaining exts <- @@ -318,7 +319,7 @@ encodeHandshake' (ClientHello version random compressionIDs CH{..}) = runPut $ d putBinaryVersion version putClientRandom32 random putSession chSession - putWords16 chCiphers + putWords16 $ map getCipherID chCiphers putWords8 compressionIDs putExtensions chExtensions return () @@ -326,7 +327,7 @@ encodeHandshake' (ServerHello version random session cipherid compressionID exts putBinaryVersion version putServerRandom32 random putSession session - putWord16 cipherid + putWord16 $ getCipherID cipherid putWord8 compressionID putExtensions exts return () diff --git a/tls/Network/TLS/Packet13.hs b/tls/Network/TLS/Packet13.hs index e8cbe1b84..df44e1689 100644 --- a/tls/Network/TLS/Packet13.hs +++ b/tls/Network/TLS/Packet13.hs @@ -42,7 +42,7 @@ encodeHandshake13' (ServerHello13 random session cipherId exts) = runPut $ do putBinaryVersion TLS12 putServerRandom32 random putSession session - putWord16 cipherId + putWord16 $ getCipherID cipherId putWord8 0 -- compressionID nullCompression putExtensions exts encodeHandshake13' (EncryptedExtensions13 exts) = runPut $ putExtensions exts @@ -105,7 +105,7 @@ decodeServerHello13 = do _ver <- getBinaryVersion random <- getServerRandom32 session <- getSession - cipherid <- getWord16 + cipherid <- CipherID <$> getWord16 _comp <- getWord8 exts <- fromIntegral <$> getWord16 >>= getExtensions return $ ServerHello13 random session cipherid exts diff --git a/tls/Network/TLS/Types.hs b/tls/Network/TLS/Types.hs index 4d3caebb8..bda9cd1b9 100644 --- a/tls/Network/TLS/Types.hs +++ b/tls/Network/TLS/Types.hs @@ -14,7 +14,7 @@ module Network.TLS.Types ( SessionFlag (..), CertReqContext, TLS13TicketInfo (..), - CipherID, + CipherID (..), CompressionID, Role (..), invertRole, @@ -46,6 +46,7 @@ import Network.Socket (HostName) import Network.TLS.Crypto (Group, Hash (..), hash) import Network.TLS.Imports import Network.TLS.Util.Serialization +import Text.Printf type Second = Word32 type Millisecond = Word64 @@ -129,7 +130,10 @@ data TLS13TicketInfo = TLS13TicketInfo deriving (Show, Eq, Generic) -- | Cipher identification -type CipherID = Word16 +newtype CipherID = CipherID {getCipherID :: Word16} deriving (Eq, Generic) + +instance Show CipherID where + show (CipherID n) = printf "0x%04X" n -- | Compression identification type CompressionID = Word8 @@ -199,6 +203,7 @@ bigNumFromInteger i = BigNum $ i2osp i ---------------------------------------------------------------- +instance Serialise CipherID instance Serialise Version instance Serialise TLS13TicketInfo instance Serialise SessionFlag diff --git a/tls/test/Arbitrary.hs b/tls/test/Arbitrary.hs index 5ae45ed74..3e8ea1110 100644 --- a/tls/test/Arbitrary.hs +++ b/tls/test/Arbitrary.hs @@ -70,6 +70,9 @@ instance Arbitrary CertificateType where , CertificateType_ECDSA_Sign ] +instance Arbitrary CipherID where + arbitrary = CipherID <$> arbitrary + instance Arbitrary Handshake where arbitrary = oneof @@ -127,8 +130,8 @@ instance Arbitrary Handshake13 where ---------------------------------------------------------------- -arbitraryCiphersIDs :: Gen [Word16] -arbitraryCiphersIDs = choose (0, 200) >>= vector +arbitraryCiphersIDs :: Gen [CipherID] +arbitraryCiphersIDs = map CipherID <$> (choose (0, 200) >>= vector) arbitraryCompressionIDs :: Gen [Word8] arbitraryCompressionIDs = choose (0, 200) >>= vector diff --git a/tls/util/Common.hs b/tls/util/Common.hs index 8f8d05f32..179bfd9f4 100644 --- a/tls/util/Common.hs +++ b/tls/util/Common.hs @@ -23,6 +23,7 @@ import Data.X509.CertificateStore import Network.TLS hiding (HostName) import Network.TLS.Extra.Cipher import Network.TLS.Extra.FFDHE +import Network.TLS.Internal import Numeric (showHex) import System.Exit import System.X509 @@ -67,7 +68,7 @@ readNumber s readCiphers :: String -> Maybe [CipherID] readCiphers s = case lookup s namedCiphersuites of - Nothing -> (: []) `fmap` readNumber s + Nothing -> (: []) `fmap` (CipherID <$> readNumber s) just -> just readDHParams :: String -> IO (Maybe DHParams) @@ -91,7 +92,7 @@ printCiphers = do ++ " = " ++ pad 5 (show $ cipherID c) ++ " 0x" - ++ showHex (cipherID c) "" + ++ showHex (getCipherID (cipherID c)) "" ) putStrLn "" putStrLn "Ciphersuites"