Hello community,

here is the log from the commit of package ghc-warp-tls for openSUSE:Factory 
checked in at 2016-07-01 09:58:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ghc-warp-tls (Old)
 and      /work/SRC/openSUSE:Factory/.ghc-warp-tls.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ghc-warp-tls"

Changes:
--------
--- /work/SRC/openSUSE:Factory/ghc-warp-tls/ghc-warp-tls.changes        
2016-05-03 09:36:11.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.ghc-warp-tls.new/ghc-warp-tls.changes   
2016-07-01 09:58:52.000000000 +0200
@@ -1,0 +2,7 @@
+Mon Jun 27 10:59:54 UTC 2016 - mimi...@gmail.com
+
+- update to 3.2.2
+* New settting parameter: tlsServerDHEParams
+* Preventing socket leakage
+
+-------------------------------------------------------------------

Old:
----
  warp-tls-3.2.1.tar.gz

New:
----
  warp-tls-3.2.2.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ghc-warp-tls.spec ++++++
--- /var/tmp/diff_new_pack.ae6F32/_old  2016-07-01 09:58:53.000000000 +0200
+++ /var/tmp/diff_new_pack.ae6F32/_new  2016-07-01 09:58:53.000000000 +0200
@@ -18,7 +18,7 @@
 
 %global pkg_name warp-tls
 Name:           ghc-%{pkg_name}
-Version:        3.2.1
+Version:        3.2.2
 Release:        0
 Summary:        HTTP over TLS support for Warp via the TLS package
 License:        MIT
@@ -28,6 +28,7 @@
 BuildRequires:  ghc-Cabal-devel
 # Begin cabal-rpm deps:
 BuildRequires:  ghc-bytestring-devel
+BuildRequires:  ghc-cryptonite-devel
 BuildRequires:  ghc-data-default-class-devel
 BuildRequires:  ghc-network-devel
 BuildRequires:  ghc-rpm-macros

++++++ warp-tls-3.2.1.tar.gz -> warp-tls-3.2.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/warp-tls-3.2.1/ChangeLog.md 
new/warp-tls-3.2.2/ChangeLog.md
--- old/warp-tls-3.2.1/ChangeLog.md     2016-02-27 00:24:38.000000000 +0100
+++ new/warp-tls-3.2.2/ChangeLog.md     2016-06-22 07:54:17.000000000 +0200
@@ -1,3 +1,8 @@
+## 3.2.2
+
+* New settting parameter: tlsServerDHEParams 
[#556](https://github.com/yesodweb/wai/pull/556)
+* Preventing socket leakage [#559](https://github.com/yesodweb/wai/pull/559)
+
 ## 3.2.1
 
 * Removing dependency to cprng-aes.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/warp-tls-3.2.1/Network/Wai/Handler/WarpTLS.hs 
new/warp-tls-3.2.2/Network/Wai/Handler/WarpTLS.hs
--- old/warp-tls-3.2.1/Network/Wai/Handler/WarpTLS.hs   2016-02-27 
00:24:38.000000000 +0100
+++ new/warp-tls-3.2.2/Network/Wai/Handler/WarpTLS.hs   2016-06-22 
07:54:17.000000000 +0200
@@ -30,6 +30,7 @@
     , tlsCiphers
     , tlsWantClientCert
     , tlsServerHooks
+    , tlsServerDHEParams
     , onInsecure
     , OnInsecure (..)
     -- * Runner
@@ -37,6 +38,8 @@
     , runTLSSocket
     -- * Exception
     , WarpTLSException (..)
+    , DH.Params
+    , DH.generateParams
     ) where
 
 #if __GLASGOW_HASKELL__ < 709
@@ -55,6 +58,7 @@
 import Network.Socket (Socket, sClose, withSocketsDo, SockAddr, accept)
 import Network.Socket.ByteString (sendAll)
 import qualified Network.TLS as TLS
+import qualified Crypto.PubKey.DH as DH
 import qualified Network.TLS.Extra as TLSExtra
 import Network.Wai (Application)
 import Network.Wai.Handler.Warp
@@ -118,6 +122,13 @@
     -- Default: def
     --
     -- Since 3.0.2
+  , tlsServerDHEParams :: Maybe DH.Params
+    -- ^ Configuration for ServerDHEParams
+    -- more function lives in `cryptonite` package
+    --
+    -- Default: Nothing
+    --
+    -- Since 3.2.2
   }
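Review bot: The Haddock for `tlsServerDHEParams` only points at cryptonite and says nothing about parameter size, cost, or what `Nothing` means for DHE cipher suites, and since the module now re-exports `DH.generateParams` that is the function most users will reach for. Generating a safe-prime group is slow (easily seconds or longer at 2048 bits) and so must be done once at process start rather than per connection, and 1024-bit groups should be avoided given the Logjam-class precomputation attacks; neither point is visible to a user of this field. I would extend the field comment with `-- Generate ONCE at startup (e.g. 'DH.generateParams' 2048 2): generation is slow` and `-- and 1024-bit groups are considered weak. 'Nothing' leaves DHE suites to the tls library`, and confirm and document whether the tls version in use then skips DHE suites or fails the handshake for a client that offers only DHE. The `TLSSettings` record this field belongs to starts and ends outside the hunk.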
 
 -- | Default 'TLSSettings'. Use this to create 'TLSSettings' with the field 
record name (aka accessors).
@@ -135,6 +146,7 @@
   , tlsCiphers = ciphers
   , tlsWantClientCert = False
   , tlsServerHooks = def
+  , tlsServerDHEParams = Nothing
   }
 
 -- taken from stunnel example in tls-extra
@@ -250,7 +262,7 @@
     params = def { -- TLS.ServerParams
         TLS.serverWantClientCert = tlsWantClientCert
       , TLS.serverCACertificates = []
-      , TLS.serverDHEParams      = Nothing
+      , TLS.serverDHEParams      = tlsServerDHEParams
       , TLS.serverHooks          = hooks
       , TLS.serverShared         = shared
       , TLS.serverSupported      = supported
@@ -297,12 +309,14 @@
     return (mkConn tlsset s params, sa)
 
 mkConn :: TLS.TLSParams params => TLSSettings -> Socket -> params -> IO 
(Connection, Transport)
-mkConn tlsset s params = do
-    firstBS <- safeRecv s 4096
-    (if not (S.null firstBS) && S.head firstBS == 0x16 then
-        httpOverTls tlsset s firstBS params
-      else
-        plainHTTP tlsset s firstBS) `onException` sClose s
+mkConn tlsset s params = switch `onException` sClose s
+  where
+    switch = do
+        firstBS <- safeRecv s 4096
+        if not (S.null firstBS) && S.head firstBS == 0x16 then
+            httpOverTls tlsset s firstBS params
+          else
+            plainHTTP tlsset s firstBS
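Review bot: `switch` now closes the socket when `safeRecv` or the handshake throws, but nothing bounds how long a peer may sit in `safeRecv s 4096` (or in the TLS handshake inside `httpOverTls`) without sending anything; if, as I believe, Warp only registers its per-connection timeout after the connection maker returns, an idle or deliberately slow client holds a thread and a socket here indefinitely before any application timeout applies. Consider wrapping the initial receive in `System.Timeout.timeout` and treating `Nothing` as a failure so the existing `onException` path closes the socket, e.g. `mfirst <- timeout handshakeTimeoutMicros (safeRecv s 4096)` followed by `firstBS <- maybe (throwIO (userError "TLS handshake timed out")) return mfirst`. The timeout value would naturally live in `TLSSettings`, which is outside this hunk, and the same bound would need to cover the handshake itself.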
 
 ----------------------------------------------------------------
 
@@ -434,8 +448,16 @@
                 }
         return (conn'', TCP)
     DenyInsecure lbs -> do
-        -- FIXME: what about HTTP/2?
-        -- http://tools.ietf.org/html/rfc2817#section-4.2
+        -- Listening port 443 but TLS records do not arrive.
+        -- We want to let the browser know that TLS is required.
+        -- So, we use 426.
+        --     http://tools.ietf.org/html/rfc2817#section-4.2
+        --     https://tools.ietf.org/html/rfc7231#section-6.5.15
+        -- FIXME: should we distinguish HTTP/1.1 and HTTP/2?
+        --        In the case of HTTP/2, should we send
+        --        GOAWAY + INADEQUATE_SECURITY?
+        -- FIXME: Content-Length:
+        -- FIXME: TLS/<version>
         sendAll s "HTTP/1.1 426 Upgrade Required\
         \r\nUpgrade: TLS/1.0, HTTP/1.1\
         \r\nConnection: Upgrade\
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/warp-tls-3.2.1/warp-tls.cabal 
new/warp-tls-3.2.2/warp-tls.cabal
--- old/warp-tls-3.2.1/warp-tls.cabal   2016-02-27 00:24:38.000000000 +0100
+++ new/warp-tls-3.2.2/warp-tls.cabal   2016-06-22 07:54:17.000000000 +0200
@@ -1,5 +1,5 @@
 Name:                warp-tls
-Version:             3.2.1
+Version:             3.2.2
 Synopsis:            HTTP over TLS support for Warp via the TLS package
 License:             MIT
 License-file:        LICENSE
@@ -22,7 +22,8 @@
                    , wai                           >= 3.2      && < 3.3
                    , warp                          >= 3.2      && < 3.3
                    , data-default-class            >= 0.0.1
-                   , tls                           >= 1.3.2
+                   , tls                           >= 1.3.5
+                   , cryptonite                    >= 0.12
                    , network                       >= 2.2.1
                    , streaming-commons
   Exposed-modules:   Network.Wai.Handler.WarpTLS
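Review bot: The new `cryptonite >= 0.12` dependency, and the raised `tls >= 1.3.5`, carry no upper bound, unlike the `wai` and `warp` lines above them; since this release re-exports `DH.Params` and `DH.generateParams` from `Network.Wai.Handler.WarpTLS`, a major version change in cryptonite would now change this package's public interface without any build-time signal. I would add upper bounds in the same style as the existing lines, e.g. `, tls >= 1.3.5 && < 1.4` and `, cryptonite >= 0.12 && < 1`, and revisit them when those packages bump. The exact bounds should be checked against what the module actually uses from each package.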

