support TLS 1.3 (#300)

Efim Poberezkin
2022-01-18 18:59:02 +04:00
committed by GitHub
parent 6e7089284e
commit ac899a67c4
6 changed files with 22 additions and 11 deletions

1
.gitignore vendored

@@ -3,3 +3,4 @@
*.db.bak
*.session.sql
tests/tmp
dist-newstyle/

7
cabal.project Normal file

@@ -0,0 +1,7 @@
packages: .
source-repository-package
type: git
location: git://github.com/simplex-chat/hs-tls.git
tag: f6cc753611f80af300401cfae63846e9d7c40d9e
subdir: core
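Review bot: `location: git://github.com/simplex-chat/hs-tls.git` fetches the TLS library over the unauthenticated, unencrypted git protocol. The `tag` pins a full commit hash, which limits what a network attacker can substitute, but the fetch itself has no server authentication or transport integrity, and GitHub has been phasing out `git://` access. I would change the line to `location: https://github.com/simplex-chat/hs-tls.git`, so the cabal build fetches the same pinned commit as stack.yaml over an authenticated channel.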


@@ -835,7 +835,7 @@ smpVersion = 2*2OCTET ; Word16 version number
pad = *OCTET
```
For TLS 1.3 transport client should assert that `sessionIdentifier` is equal to `tls-unique` channel binding defined in [RFC 5929][14] (TLS Finished message struct); we pass it in `serverHello` block to allow communication over some other transport protocol (possibly, with another channel binding).
For TLS transport client should assert that `sessionIdentifier` is equal to `tls-unique` channel binding defined in [RFC 5929][14] (TLS Finished message struct); we pass it in `serverHello` block to allow communication over some other transport protocol (possibly, with another channel binding).
[1]: https://en.wikipedia.org/wiki/Man-in-the-middle_attack
[2]: https://en.wikipedia.org/wiki/End-to-end_encryption
@@ -852,4 +852,4 @@ For TLS 1.3 transport client should assert that `sessionIdentifier` is equal to
[13]: https://datatracker.ietf.org/doc/html/rfc8446
[14]: https://datatracker.ietf.org/doc/html/rfc5929#section-3
[15]: https://www.rfc-editor.org/rfc/rfc8709.html
[16]: https://nacl.cr.yp.to/box.html
[16]: https://nacl.cr.yp.to/box.html


@@ -36,13 +36,13 @@ module Simplex.Messaging.Transport
ATransport (..),
TransportPeer (..),
-- * Transport over TLS 1.2
-- * Transport over TLS
runTransportServer,
runTransportClient,
loadTLSServerParams,
loadFingerprint,
-- * TLS 1.2 Transport
-- * TLS Transport
TLS (..),
closeTLS,
withTlsUnique,
@@ -154,7 +154,7 @@ data TProxy c = TProxy
data ATransport = forall c. Transport c => ATransport (TProxy c)
-- * Transport over TLS 1.2
-- * Transport over TLS
-- | Run transport server (plain TCP or WebSockets) on passed TCP port and signal when server started and stopped via passed TMVar.
--
@@ -251,7 +251,7 @@ loadFingerprint certificateFile = do
(cert : _) <- SX.readSignedObject certificateFile
pure $ XV.getFingerprint (cert :: X.SignedExact X.Certificate) X.HashSHA256
-- * TLS 1.2 Transport
-- * TLS Transport
data TLS = TLS
{ tlsContext :: T.Context,
@@ -319,15 +319,18 @@ validateCertificateChain _ _ _ _ = pure [XV.AuthorityTooDeep]
supportedParameters :: T.Supported
supportedParameters =
def
{ T.supportedVersions = [T.TLS12],
T.supportedCiphers = [TE.cipher_ECDHE_ECDSA_CHACHA20POLY1305_SHA256],
{ T.supportedVersions = [T.TLS13, T.TLS12],
T.supportedCiphers =
[ TE.cipher_TLS13_CHACHA20POLY1305_SHA256, -- for TLS13
TE.cipher_ECDHE_ECDSA_CHACHA20POLY1305_SHA256 -- for TLS12
],
T.supportedHashSignatures = [(T.HashIntrinsic, T.SignatureEd448), (T.HashIntrinsic, T.SignatureEd25519)],
T.supportedSecureRenegotiation = False,
T.supportedGroups = [T.X448, T.X25519]
}
instance Transport TLS where
transportName _ = "TLS 1.2"
transportName _ = "TLS"
transportPeer = tlsPeer
getServerConnection = getTLS TServer
getClientConnection = getTLS TClient
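Review bot: Adding `T.TLS13` to `T.supportedVersions` in `supportedParameters` changes what the exported `withTlsUnique` value means, and nothing in this section documents that. RFC 5929 defines `tls-unique` for handshakes up to TLS 1.2, and RFC 8446 notes that those bindings are not defined for TLS 1.3. The value the client compares with `sessionIdentifier` therefore presumably comes from whatever the pinned hs-tls fork exposes for a 1.3 handshake, and that code is not visible here. I would add a comment next to the version list, e.g. `-- NOTE: tls-unique (RFC 5929) is not defined for TLS 1.3; sessionIdentifier relies on the value exposed by the hs-tls fork`, and confirm that value is bound to the full handshake transcript. Since both peers now list TLS 1.3 first, the TLS 1.2 cipher stays enabled but is probably no longer exercised by `serverTests`, so a test that pins each version separately would cover both paths.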


@@ -39,7 +39,7 @@ extra-deps:
- simple-logger-0.1.0@sha256:be8ede4bd251a9cac776533bae7fb643369ebd826eb948a9a18df1a8dd252ff8,1079
# - ../hs-tls/core
- github: simplex-chat/hs-tls
commit: cea6d52c512716ff09adcac86ebc95bb0b3bb797
commit: f6cc753611f80af300401cfae63846e9d7c40d9e
subdirs:
- core
# - network-run-0.2.4@sha256:7dbb06def522dab413bce4a46af476820bffdff2071974736b06f52f4ab57c96,885


@@ -18,7 +18,7 @@ main = do
describe "Encoding tests" encodingTests
describe "Protocol error tests" protocolErrorTests
describe "Version range" versionRangeTests
describe "SMP server via TLS 1.3" $ serverTests (transport @TLS)
describe "SMP server via TLS" $ serverTests (transport @TLS)
describe "SMP server via WebSockets" $ serverTests (transport @WS)
describe "SMP client agent" $ agentTests (transport @TLS)
removeDirectoryRecursive "tests/tmp"