-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/
-- | Partial OpenSSL binding for Haskell
--
-- HsOpenSSL is an OpenSSL binding for Haskell. It can generate RSA and
-- DSA keys, read and write PEM files, generate message digests, sign and
-- verify messages, encrypt and decrypt messages. It has also some
-- capabilities of creating SSL clients and servers.
--
-- This package is in production use by a number of Haskell based systems
-- and stable. You may also be interested in the tls package,
-- http://hackage.haskell.org/package/tls, which is a pure Haskell
-- implementation of SSL.
@package HsOpenSSL
@version 0.11.2
-- | An interface to Base64 codec.
module OpenSSL.EVP.Base64
-- | encodeBase64 str lazilly encodes a stream of data to
-- Base64. The string doesn't have to be finite. Note that the string
-- must not contain any letters which aren't in the range of U+0000 -
-- U+00FF.
-- | Deprecated: Use encodeBase64BS or encodeBase64LBS instead.
encodeBase64 :: String -> String
-- | encodeBase64BS bs strictly encodes a chunk of data to
-- Base64.
encodeBase64BS :: ByteString -> ByteString
-- | encodeBase64LBS lbs lazilly encodes a stream of data
-- to Base64. The string doesn't have to be finite.
encodeBase64LBS :: ByteString -> ByteString
-- | decodeBase64 str lazilly decodes a stream of data from
-- Base64. The string doesn't have to be finite.
-- | Deprecated: Use decodeBase64BS or decodeBase64LBS instead.
decodeBase64 :: String -> String
-- | decodeBase64BS bs strictly decodes a chunk of data
-- from Base64.
decodeBase64BS :: ByteString -> ByteString
-- | decodeBase64LBS lbs lazilly decodes a stream of data
-- from Base64. The string doesn't have to be finite.
decodeBase64LBS :: ByteString -> ByteString
module OpenSSL.EVP.Internal
-- | Cipher is an opaque object that represents an algorithm of
-- symmetric cipher.
newtype Cipher
Cipher :: (Ptr EVP_CIPHER) -> Cipher
data EVP_CIPHER
withCipherPtr :: Cipher -> (Ptr EVP_CIPHER -> IO a) -> IO a
cipherIvLength :: Cipher -> Int
newtype CipherCtx
CipherCtx :: (ForeignPtr EVP_CIPHER_CTX) -> CipherCtx
data EVP_CIPHER_CTX
newCipherCtx :: IO CipherCtx
withCipherCtxPtr :: CipherCtx -> (Ptr EVP_CIPHER_CTX -> IO a) -> IO a
withNewCipherCtxPtr :: (Ptr EVP_CIPHER_CTX -> IO a) -> IO a
-- | CryptoMode represents instruction to cipher and such
-- like.
data CryptoMode
Encrypt :: CryptoMode
Decrypt :: CryptoMode
cipherSetPadding :: CipherCtx -> Int -> IO CipherCtx
cipherInitBS :: Cipher -> ByteString -> ByteString -> CryptoMode -> IO CipherCtx
cipherUpdateBS :: CipherCtx -> ByteString -> IO ByteString
cipherFinalBS :: CipherCtx -> IO ByteString
cipherStrictly :: CipherCtx -> ByteString -> IO ByteString
cipherLazily :: CipherCtx -> ByteString -> IO ByteString
-- | Digest is an opaque object that represents an algorithm of
-- message digest.
newtype Digest
Digest :: (Ptr EVP_MD) -> Digest
data EVP_MD
withMDPtr :: Digest -> (Ptr EVP_MD -> IO a) -> IO a
newtype DigestCtx
DigestCtx :: (ForeignPtr EVP_MD_CTX) -> DigestCtx
data EVP_MD_CTX
withDigestCtxPtr :: DigestCtx -> (Ptr EVP_MD_CTX -> IO a) -> IO a
digestUpdateBS :: DigestCtx -> ByteString -> IO ()
digestFinalBS :: DigestCtx -> IO ByteString
digestFinal :: DigestCtx -> IO String
digestStrictly :: Digest -> ByteString -> IO DigestCtx
digestLazily :: Digest -> ByteString -> IO DigestCtx
-- | VaguePKey is a ForeignPtr to EVP_PKEY, that is either
-- public key or a ker pair. We can't tell which at compile time.
newtype VaguePKey
VaguePKey :: (ForeignPtr EVP_PKEY) -> VaguePKey
data EVP_PKEY
-- | Instances of class PKey can be converted back and forth to
-- VaguePKey.
class PKey k
-- | Wrap the key (i.g. RSA) into EVP_PKEY.
toPKey :: PKey k => k -> IO VaguePKey
-- | Extract the concrete key from the EVP_PKEY. Returns
-- Nothing if the type mismatches.
fromPKey :: PKey k => VaguePKey -> IO (Maybe k)
-- | Do the same as EVP_PKEY_size().
pkeySize :: PKey k => k -> Int
-- | Return the default digesting algorithm for the key.
pkeyDefaultMD :: PKey k => k -> IO Digest
createPKey :: (Ptr EVP_PKEY -> IO a) -> IO VaguePKey
wrapPKeyPtr :: Ptr EVP_PKEY -> IO VaguePKey
withPKeyPtr :: VaguePKey -> (Ptr EVP_PKEY -> IO a) -> IO a
withPKeyPtr' :: PKey k => k -> (Ptr EVP_PKEY -> IO a) -> IO a
unsafePKeyToPtr :: VaguePKey -> Ptr EVP_PKEY
touchPKey :: VaguePKey -> IO ()
-- | An interface to symmetric cipher algorithms.
module OpenSSL.EVP.Cipher
-- | Cipher is an opaque object that represents an algorithm of
-- symmetric cipher.
data Cipher
-- | getCipherByName name returns a symmetric cipher
-- algorithm whose name is name. If no algorithms are found, the
-- result is Nothing.
getCipherByName :: String -> IO (Maybe Cipher)
-- | getCipherNames returns a list of name of symmetric
-- cipher algorithms.
getCipherNames :: IO [String]
-- | CryptoMode represents instruction to cipher and such
-- like.
data CryptoMode
Encrypt :: CryptoMode
Decrypt :: CryptoMode
-- | cipher lazilly encrypts or decrypts a stream of data.
-- The input string doesn't necessarily have to be finite.
-- | Deprecated: Use cipherBS, cipherLBS or cipherStrictLBS.
cipher :: Cipher -> String -> String -> CryptoMode -> String -> IO String
-- | cipherBS strictly encrypts or decrypts a chunk of
-- data.
cipherBS :: Cipher -> ByteString -> ByteString -> CryptoMode -> ByteString -> IO ByteString
-- | cipherLBS lazilly encrypts or decrypts a stream of
-- data. The input string doesn't necessarily have to be finite.
cipherLBS :: Cipher -> ByteString -> ByteString -> CryptoMode -> ByteString -> IO ByteString
-- | Encrypt a lazy bytestring in a strict manner. Does not leak the keys.
cipherStrictLBS :: Cipher -> ByteString -> ByteString -> CryptoMode -> ByteString -> IO ByteString
-- | An interface to message digest algorithms.
module OpenSSL.EVP.Digest
-- | Digest is an opaque object that represents an algorithm of
-- message digest.
data Digest
-- | getDigestByName name returns a message digest
-- algorithm whose name is name. If no algorithms are found, the
-- result is Nothing.
getDigestByName :: String -> IO (Maybe Digest)
-- | getDigestNames returns a list of name of message
-- digest algorithms.
getDigestNames :: IO [String]
-- | digest digests a stream of data. The string must not
-- contain any letters which aren't in the range of U+0000 - U+00FF.
-- | Deprecated: Use digestBS or digestLBS instead.
digest :: Digest -> String -> String
-- | digestBS digests a chunk of data.
digestBS :: Digest -> ByteString -> ByteString
-- | digestLBS digests a stream of data.
digestLBS :: Digest -> ByteString -> ByteString
-- | Perform a private key signing using the HMAC template with a given
-- hash
hmacBS :: Digest -> ByteString -> ByteString -> ByteString
-- | Calculate a PKCS5-PBKDF2 SHA1-HMAC suitable for password hashing.
pkcs5_pbkdf2_hmac_sha1 :: ByteString -> ByteString -> Int -> Int -> ByteString
-- | This module interfaces to some of the OpenSSL ciphers without using
-- EVP (see OpenSSL.EVP.Cipher). The EVP ciphers are easier to use,
-- however, in some cases you cannot do without using the OpenSSL
-- fuctions directly.
--
-- One of these cases (and the motivating example for this module) is
-- that the EVP CBC functions try to encode the length of the input
-- string in the output (thus hiding the fact that the cipher is, in
-- fact, block based and needs padding). This means that the EVP CBC
-- functions cannot, in some cases, interface with other users which
-- don't use that system (like SSH).
module OpenSSL.Cipher
data Mode
Encrypt :: Mode
Decrypt :: Mode
data AESCtx
-- | Construct a new context which holds the key schedule and IV.
newAESCtx :: Mode -> ByteString -> ByteString -> IO AESCtx
-- | Encrypt some number of blocks using CBC. This is an IO function
-- because the context is destructivly updated.
aesCBC :: AESCtx -> ByteString -> IO ByteString
-- | Encrypt some number of bytes using CTR mode. This is an IO function
-- because the context is destructivly updated.
aesCTR :: AESCtx -> ByteString -> IO ByteString
instance GHC.Show.Show OpenSSL.Cipher.Mode
instance GHC.Classes.Eq OpenSSL.Cipher.Mode
-- | PRNG services See http://www.openssl.org/docs/crypto/rand.html
-- For random Integer generation, see OpenSSL.BN
module OpenSSL.Random
-- | Return a bytestring consisting of the given number of strongly random
-- bytes
randBytes :: Int -> IO ByteString
-- | Return a bytestring consisting of the given number of pseudo random
-- bytes
prandBytes :: Int -> IO ByteString
-- | Add data to the entropy pool. It's safe to add sensitive information
-- (e.g. user passwords etc) to the pool. Also, adding data with an
-- entropy of 0 can never hurt.
add :: ByteString -> Int -> IO ()
-- | BN - multiprecision integer arithmetics
module OpenSSL.BN
-- | BigNum is an opaque object representing a big number.
data BigNum
-- | allocaBN f allocates a BigNum and computes
-- f. Then it frees the BigNum.
allocaBN :: (BigNum -> IO a) -> IO a
-- | withBN n f converts n to a BigNum and computes
-- f. Then it frees the BigNum.
withBN :: Integer -> (BigNum -> IO a) -> IO a
-- | This is an alias to integerToBN.
newBN :: Integer -> IO BigNum
-- | This is an alias to bnToInteger.
peekBN :: BigNum -> IO Integer
-- | Return a new, alloced BIGNUM.
integerToBN :: Integer -> IO BigNum
-- | Convert a BIGNUM to an Integer.
bnToInteger :: BigNum -> IO Integer
-- | Convert an Integer to an MPI. See bnToMPI for the format
integerToMPI :: Integer -> IO ByteString
-- | Convert an MPI to an Integer. See bnToMPI for the format
mpiToInteger :: ByteString -> IO Integer
-- | modexp a p m computes a to the p-th
-- power modulo m.
modexp :: Integer -> Integer -> Integer -> Integer
-- | Return a strongly random number in the range 0 <= x < n where
-- the given filter function returns true.
randIntegerUptoNMinusOneSuchThat :: (Integer -> Bool) -> Integer -> IO Integer
-- | Return a random number in the range 0 <= x < n where the given
-- filter function returns true.
prandIntegerUptoNMinusOneSuchThat :: (Integer -> Bool) -> Integer -> IO Integer
-- | Return a strongly random number in the range 0 <= x < n
randIntegerZeroToNMinusOne :: Integer -> IO Integer
-- | Return a random number in the range 0 <= x < n
prandIntegerZeroToNMinusOne :: Integer -> IO Integer
-- | Return a strongly random number in the range 0 < x < n
randIntegerOneToNMinusOne :: Integer -> IO Integer
-- | Return a random number in the range 0 < x < n
prandIntegerOneToNMinusOne :: Integer -> IO Integer
-- | The Digital Signature Algorithm (FIPS 186-2). See
-- http://www.openssl.org/docs/crypto/dsa.html
module OpenSSL.DSA
-- | DSAKey a is either DSAPubKey or
-- DSAKeyPair.
class DSAKey k where dsaSize dsa = unsafePerformIO $ withDSAPtr dsa $ \ dsaPtr -> fmap fromIntegral (_size dsaPtr) dsaP = peekI ((\ hsc_ptr -> peekByteOff hsc_ptr 24)) dsaQ = peekI ((\ hsc_ptr -> peekByteOff hsc_ptr 32)) dsaG = peekI ((\ hsc_ptr -> peekByteOff hsc_ptr 40)) dsaPublic = peekI ((\ hsc_ptr -> peekByteOff hsc_ptr 48))
-- | Return the length of key.
dsaSize :: DSAKey k => k -> Int
-- | Return the public prime number of the key.
dsaP :: DSAKey k => k -> Integer
-- | Return the public 160-bit subprime, q | p - 1 of the key.
dsaQ :: DSAKey k => k -> Integer
-- | Return the public generator of subgroup of the key.
dsaG :: DSAKey k => k -> Integer
-- | Return the public key y = g^x.
dsaPublic :: DSAKey k => k -> Integer
withDSAPtr :: DSAKey k => k -> (Ptr DSA -> IO a) -> IO a
peekDSAPtr :: DSAKey k => Ptr DSA -> IO (Maybe k)
absorbDSAPtr :: DSAKey k => Ptr DSA -> IO (Maybe k)
-- | The type of a DSA public key, includes parameters p, q, g and public.
data DSAPubKey
-- | The type of a DSA keypair, includes parameters p, q, g, public and
-- private.
data DSAKeyPair
-- | Generate DSA parameters (*not* a key, but required for a key). This is
-- a compute intensive operation. See FIPS 186-2, app 2. This agrees with
-- the test vectors given in FIP 186-2, app 5
generateDSAParameters :: Int -> Maybe ByteString -> IO (Int, Int, Integer, Integer, Integer)
-- | Generate a new DSA keypair, given valid parameters
generateDSAKey :: Integer -> Integer -> Integer -> IO DSAKeyPair
-- | A utility function to generate both the parameters and the key pair at
-- the same time. Saves serialising and deserialising the parameters too
generateDSAParametersAndKey :: Int -> Maybe ByteString -> IO DSAKeyPair
-- | Sign pre-digested data. The DSA specs call for SHA1 to be used so, if
-- you use anything else, YMMV. Returns a pair of Integers which,
-- together, are the signature
signDigestedDataWithDSA :: DSAKeyPair -> ByteString -> IO (Integer, Integer)
-- | Verify pre-digested data given a signature.
verifyDigestedDataWithDSA :: DSAKey k => k -> ByteString -> (Integer, Integer) -> IO Bool
-- | Return the private key x.
dsaPrivate :: DSAKeyPair -> Integer
-- | Convert a DSAPubKey object to a tuple of its members in the order p,
-- q, g, and public.
dsaPubKeyToTuple :: DSAKeyPair -> (Integer, Integer, Integer, Integer)
-- | Convert a DSAKeyPair object to a tuple of its members in the order p,
-- q, g, public and private.
dsaKeyPairToTuple :: DSAKeyPair -> (Integer, Integer, Integer, Integer, Integer)
-- | Convert a tuple of members (in the same format as from
-- dsaPubKeyToTuple) into a DSAPubKey object
tupleToDSAPubKey :: (Integer, Integer, Integer, Integer) -> DSAPubKey
-- | Convert a tuple of members (in the same format as from
-- dsaPubKeyToTuple) into a DSAPubKey object
tupleToDSAKeyPair :: (Integer, Integer, Integer, Integer, Integer) -> DSAKeyPair
instance OpenSSL.DSA.DSAKey OpenSSL.DSA.DSAPubKey
instance OpenSSL.DSA.DSAKey OpenSSL.DSA.DSAKeyPair
instance GHC.Classes.Eq OpenSSL.DSA.DSAPubKey
instance GHC.Classes.Eq OpenSSL.DSA.DSAKeyPair
instance GHC.Classes.Ord OpenSSL.DSA.DSAPubKey
instance GHC.Classes.Ord OpenSSL.DSA.DSAKeyPair
instance GHC.Show.Show OpenSSL.DSA.DSAPubKey
instance GHC.Show.Show OpenSSL.DSA.DSAKeyPair
-- | An interface to RSA public key generator.
module OpenSSL.RSA
-- | RSAKey a is either RSAPubKey or
-- RSAKeyPair.
class RSAKey k where rsaSize rsa = unsafePerformIO $ withRSAPtr rsa $ \ rsaPtr -> fmap fromIntegral (_size rsaPtr) rsaN = peekI ((\ hsc_ptr -> peekByteOff hsc_ptr 32)) rsaE = peekI ((\ hsc_ptr -> peekByteOff hsc_ptr 40))
-- | rsaSize key returns the length of key.
rsaSize :: RSAKey k => k -> Int
-- | rsaN key returns the public modulus of the key.
rsaN :: RSAKey k => k -> Integer
-- | rsaE key returns the public exponent of the key.
rsaE :: RSAKey k => k -> Integer
withRSAPtr :: RSAKey k => k -> (Ptr RSA -> IO a) -> IO a
peekRSAPtr :: RSAKey k => Ptr RSA -> IO (Maybe k)
absorbRSAPtr :: RSAKey k => Ptr RSA -> IO (Maybe k)
-- | RSAPubKey is an opaque object that represents RSA
-- public key.
data RSAPubKey
-- | RSAKeyPair is an opaque object that represents RSA
-- keypair.
data RSAKeyPair
-- | RSAGenKeyCallback represents a callback function to
-- get informed the progress of RSA key generation.
--
--
-- - callback 0 i is called after generating the i-th
-- potential prime number.
-- - While the number is being tested for primality, callback 1
-- j is called after the j-th iteration (j = 0, 1,
-- ...).
-- - When the n-th randomly generated prime is rejected as not
-- suitable for the key, callback 2 n is called.
-- - When a random p has been found with p-1
-- relatively prime to e, it is called as callback 3
-- 0.
-- - The process is then repeated for prime q with
-- callback 3 1.
--
type RSAGenKeyCallback = Int -> Int -> IO ()
-- | generateRSAKey generates an RSA keypair.
generateRSAKey :: Int -> Int -> Maybe RSAGenKeyCallback -> IO RSAKeyPair
-- | A simplified alternative to generateRSAKey
generateRSAKey' :: Int -> Int -> IO RSAKeyPair
-- | rsaD privKey returns the private exponent of the key.
rsaD :: RSAKeyPair -> Integer
-- | rsaP privkey returns the secret prime factor
-- p of the key.
rsaP :: RSAKeyPair -> Integer
-- | rsaQ privkey returns the secret prime factor
-- q of the key.
rsaQ :: RSAKeyPair -> Integer
-- | rsaDMP1 privkey returns d mod (p-1) of the
-- key.
rsaDMP1 :: RSAKeyPair -> Maybe Integer
-- | rsaDMQ1 privkey returns d mod (q-1) of the
-- key.
rsaDMQ1 :: RSAKeyPair -> Maybe Integer
-- | rsaIQMP privkey returns q^-1 mod p of the
-- key.
rsaIQMP :: RSAKeyPair -> Maybe Integer
-- | Make a copy of the public parameters of the given key.
rsaCopyPublic :: RSAKey key => key -> IO RSAPubKey
-- | Parse a public key from ASN.1 DER format
fromDERPub :: ByteString -> Maybe RSAPubKey
-- | Dump a public key to ASN.1 DER format
toDERPub :: RSAKey k => k -> ByteString
instance OpenSSL.RSA.RSAKey OpenSSL.RSA.RSAPubKey
instance OpenSSL.RSA.RSAKey OpenSSL.RSA.RSAKeyPair
instance GHC.Classes.Eq OpenSSL.RSA.RSAPubKey
instance GHC.Classes.Eq OpenSSL.RSA.RSAKeyPair
instance GHC.Classes.Ord OpenSSL.RSA.RSAPubKey
instance GHC.Classes.Ord OpenSSL.RSA.RSAKeyPair
instance GHC.Show.Show OpenSSL.RSA.RSAPubKey
instance GHC.Show.Show OpenSSL.RSA.RSAKeyPair
-- | An interface to asymmetric cipher keypair.
module OpenSSL.EVP.PKey
-- | Instances of this class has at least public portion of a keypair. They
-- might or might not have the private key.
class (Eq k, Typeable k, PKey k) => PublicKey k where fromPublicKey = SomePublicKey toPublicKey (SomePublicKey pk) = cast pk
-- | Wrap an arbitrary public key into polymorphic type
-- SomePublicKey.
fromPublicKey :: PublicKey k => k -> SomePublicKey
-- | Cast from the polymorphic type SomePublicKey to the concrete
-- type. Return Nothing if failed.
toPublicKey :: PublicKey k => SomePublicKey -> Maybe k
-- | Instances of this class has both of public and private portions of a
-- keypair.
class PublicKey a => KeyPair a where fromKeyPair = SomeKeyPair toKeyPair (SomeKeyPair pk) = cast pk
-- | Wrap an arbitrary keypair into polymorphic type SomeKeyPair.
fromKeyPair :: KeyPair a => a -> SomeKeyPair
-- | Cast from the polymorphic type SomeKeyPair to the concrete
-- type. Return Nothing if failed.
toKeyPair :: KeyPair a => SomeKeyPair -> Maybe a
-- | This is an opaque type to hold an arbitrary public key in it. The
-- actual key type can be safelly type-casted using toPublicKey.
data SomePublicKey
-- | This is an opaque type to hold an arbitrary keypair in it. The actual
-- key type can be safelly type-casted using toKeyPair.
data SomeKeyPair
instance GHC.Classes.Eq OpenSSL.EVP.PKey.SomePublicKey
instance OpenSSL.EVP.PKey.PublicKey OpenSSL.EVP.PKey.SomePublicKey
instance OpenSSL.EVP.Internal.PKey OpenSSL.EVP.PKey.SomePublicKey
instance GHC.Classes.Eq OpenSSL.EVP.PKey.SomeKeyPair
instance OpenSSL.EVP.PKey.PublicKey OpenSSL.EVP.PKey.SomeKeyPair
instance OpenSSL.EVP.PKey.KeyPair OpenSSL.EVP.PKey.SomeKeyPair
instance OpenSSL.EVP.Internal.PKey OpenSSL.EVP.PKey.SomeKeyPair
instance OpenSSL.EVP.PKey.PublicKey OpenSSL.RSA.RSAPubKey
instance OpenSSL.EVP.Internal.PKey OpenSSL.RSA.RSAPubKey
instance OpenSSL.EVP.PKey.KeyPair OpenSSL.RSA.RSAKeyPair
instance OpenSSL.EVP.PKey.PublicKey OpenSSL.RSA.RSAKeyPair
instance OpenSSL.EVP.Internal.PKey OpenSSL.RSA.RSAKeyPair
instance OpenSSL.EVP.PKey.PublicKey OpenSSL.DSA.DSAPubKey
instance OpenSSL.EVP.Internal.PKey OpenSSL.DSA.DSAPubKey
instance OpenSSL.EVP.PKey.KeyPair OpenSSL.DSA.DSAKeyPair
instance OpenSSL.EVP.PKey.PublicKey OpenSSL.DSA.DSAKeyPair
instance OpenSSL.EVP.Internal.PKey OpenSSL.DSA.DSAKeyPair
-- | Asymmetric cipher decryption using encrypted symmetric key. This is an
-- opposite of OpenSSL.EVP.Seal.
module OpenSSL.EVP.Open
-- | open lazilly decrypts a stream of data. The input
-- string doesn't necessarily have to be finite.
-- | Deprecated: Use openBS or openLBS instead.
open :: KeyPair key => Cipher -> String -> String -> key -> String -> String
-- | openBS decrypts a chunk of data.
openBS :: KeyPair key => Cipher -> ByteString -> ByteString -> key -> ByteString -> ByteString
-- | openLBS lazilly decrypts a stream of data. The input
-- string doesn't necessarily have to be finite.
openLBS :: KeyPair key => Cipher -> ByteString -> ByteString -> key -> ByteString -> ByteString
-- | Asymmetric cipher decryption using encrypted symmetric key. This is an
-- opposite of OpenSSL.EVP.Open.
module OpenSSL.EVP.Seal
-- | seal lazilly encrypts a stream of data. The input
-- string doesn't necessarily have to be finite.
-- | Deprecated: Use sealBS or sealLBS instead.
seal :: Cipher -> [SomePublicKey] -> String -> IO (String, [String], String)
-- | sealBS strictly encrypts a chunk of data.
sealBS :: Cipher -> [SomePublicKey] -> ByteString -> IO (ByteString, [ByteString], ByteString)
-- | sealLBS lazilly encrypts a stream of data. The input
-- string doesn't necessarily have to be finite.
sealLBS :: Cipher -> [SomePublicKey] -> ByteString -> IO (ByteString, [ByteString], ByteString)
-- | Message signing using asymmetric cipher and message digest algorithm.
-- This is an opposite of OpenSSL.EVP.Verify.
module OpenSSL.EVP.Sign
-- | sign generates a signature from a stream of data. The
-- string must not contain any letters which aren't in the range of
-- U+0000 - U+00FF.
-- | Deprecated: Use signBS or signLBS instead.
sign :: KeyPair key => Digest -> key -> String -> IO String
-- | signBS generates a signature from a chunk of data.
signBS :: KeyPair key => Digest -> key -> ByteString -> IO ByteString
-- | signLBS generates a signature from a stream of data.
signLBS :: KeyPair key => Digest -> key -> ByteString -> IO ByteString
-- | Message verification using asymmetric cipher and message digest
-- algorithm. This is an opposite of OpenSSL.EVP.Sign.
module OpenSSL.EVP.Verify
-- | VerifyStatus represents a result of verification.
data VerifyStatus
VerifySuccess :: VerifyStatus
VerifyFailure :: VerifyStatus
-- | verify verifies a signature and a stream of data. The
-- string must not contain any letters which aren't in the range of
-- U+0000 - U+00FF.
-- | Deprecated: Use verifyBS or verifyLBS instead.
verify :: PublicKey key => Digest -> String -> key -> String -> IO VerifyStatus
-- | verifyBS verifies a signature and a chunk of data.
verifyBS :: PublicKey key => Digest -> ByteString -> key -> ByteString -> IO VerifyStatus
-- | verifyLBS verifies a signature of a stream of data.
verifyLBS :: PublicKey key => Digest -> ByteString -> key -> ByteString -> IO VerifyStatus
instance GHC.Classes.Eq OpenSSL.EVP.Verify.VerifyStatus
instance GHC.Show.Show OpenSSL.EVP.Verify.VerifyStatus
-- | Diffie-Hellman key exchange
module OpenSSL.DH
data DHP
data DH
data DHGen
DHGen2 :: DHGen
DHGen5 :: DHGen
-- | genDHParams gen n generates n-bit long DH
-- parameters.
genDHParams :: DHGen -> Int -> IO DHP
-- | Get DH parameters length (in bits).
getDHLength :: DHP -> IO Int
-- | Check that DH parameters are coherent.
checkDHParams :: DHP -> IO Bool
-- | The first step of a key exchange. Public and private keys are
-- generated.
genDH :: DHP -> IO DH
-- | Get parameters of a key exchange.
getDHParams :: DH -> DHP
-- | Get the public key.
getDHPublicKey :: DH -> IO Integer
-- | Compute the shared key using the other party's public key.
computeDHKey :: DH -> Integer -> IO ByteString
instance GHC.Show.Show OpenSSL.DH.DHGen
instance GHC.Classes.Ord OpenSSL.DH.DHGen
instance GHC.Classes.Eq OpenSSL.DH.DHGen
-- | An interface to X.509 certificate.
module OpenSSL.X509
-- | X509 is an opaque object that represents X.509
-- certificate.
data X509
-- | newX509 creates an empty certificate. You must set the
-- following properties to and sign it (see signX509) to actually
-- use the certificate.
--
--
newX509 :: IO X509
-- | writeDerX509 cert writes an X.509 certificate to DER
-- string.
writeDerX509 :: X509 -> IO ByteString
-- | readDerX509 der reads in a certificate.
readDerX509 :: ByteString -> IO X509
-- | compareX509 cert1 cert2 compares two certificates.
compareX509 :: X509 -> X509 -> IO Ordering
-- | signX509 signs a certificate with an issuer private
-- key.
signX509 :: KeyPair key => X509 -> key -> Maybe Digest -> IO ()
-- | verifyX509 verifies a signature of certificate with an
-- issuer public key.
verifyX509 :: PublicKey key => X509 -> key -> IO VerifyStatus
-- | printX509 cert translates a certificate into
-- human-readable format.
printX509 :: X509 -> IO String
-- | getVersion cert returns the version number of
-- certificate. It seems the number is 0-origin: version 2 means X.509
-- v3.
getVersion :: X509 -> IO Int
-- | setVersion cert ver updates the version number of
-- certificate.
setVersion :: X509 -> Int -> IO ()
-- | getSerialNumber cert returns the serial number of
-- certificate.
getSerialNumber :: X509 -> IO Integer
-- | setSerialNumber cert num updates the serial number of
-- certificate.
setSerialNumber :: X509 -> Integer -> IO ()
-- | getIssuerName returns the issuer name of certificate.
getIssuerName :: X509 -> Bool -> IO [(String, String)]
-- | setIssuerName cert name updates the issuer name of
-- certificate. Keys of each parts may be of either long form or short
-- form. See getIssuerName.
setIssuerName :: X509 -> [(String, String)] -> IO ()
-- | getSubjectName cert wantLongName returns the subject
-- name of certificate. See getIssuerName.
getSubjectName :: X509 -> Bool -> IO [(String, String)]
-- | setSubjectName cert name updates the subject name of
-- certificate. See setIssuerName.
setSubjectName :: X509 -> [(String, String)] -> IO ()
-- | getNotBefore cert returns the time when the
-- certificate begins to be valid.
getNotBefore :: X509 -> IO UTCTime
-- | setNotBefore cert utc updates the time when the
-- certificate begins to be valid.
setNotBefore :: X509 -> UTCTime -> IO ()
-- | getNotAfter cert returns the time when the certificate
-- expires.
getNotAfter :: X509 -> IO UTCTime
-- | setNotAfter cert utc updates the time when the
-- certificate expires.
setNotAfter :: X509 -> UTCTime -> IO ()
-- | getPublicKey cert returns the public key of the
-- subject of certificate.
getPublicKey :: X509 -> IO SomePublicKey
-- | setPublicKey cert pubkey updates the public key of the
-- subject of certificate.
setPublicKey :: PublicKey key => X509 -> key -> IO ()
-- | getSubjectEmail cert returns every subject email
-- addresses in the certificate.
getSubjectEmail :: X509 -> IO [String]
-- | An interface to PKCS#10 certificate request.
module OpenSSL.X509.Request
-- | X509Req is an opaque object that represents PKCS#10
-- certificate request.
data X509Req
-- | newX509Req creates an empty certificate request. You
-- must set the following properties to and sign it (see
-- signX509Req) to actually use the certificate request.
--
--
newX509Req :: IO X509Req
-- | signX509Req signs a certificate request with a subject
-- private key.
signX509Req :: KeyPair key => X509Req -> key -> Maybe Digest -> IO ()
-- | verifyX509Req verifies a signature of certificate
-- request with a subject public key.
verifyX509Req :: PublicKey key => X509Req -> key -> IO VerifyStatus
-- | printX509Req req translates a certificate request into
-- human-readable format.
printX509Req :: X509Req -> IO String
-- | writeX509ReqDER req writes a PKCS#10 certificate
-- request to DER string.
writeX509ReqDER :: X509Req -> IO ByteString
-- | makeX509FromReq req cert creates an empty X.509
-- certificate and copies as much data from the request as possible. The
-- resulting certificate doesn't have the following data and it isn't
-- signed so you must fill them and sign it yourself.
--
--
-- - Serial number
-- - Validity (Not Before and Not After)
--
--
-- Example:
--
--
-- import Data.Time.Clock
--
-- genCert :: X509 -> EvpPKey -> Integer -> Int -> X509Req -> IO X509
-- genCert caCert caKey serial days req
-- = do cert <- makeX509FromReq req caCert
-- now <- getCurrentTime
-- setSerialNumber cert serial
-- setNotBefore cert $ addUTCTime (-1) now
-- setNotAfter cert $ addUTCTime (days * 24 * 60 * 60) now
-- signX509 cert caKey Nothing
-- return cert
--
makeX509FromReq :: X509Req -> X509 -> IO X509
-- | getVersion req returns the version number of
-- certificate request.
getVersion :: X509Req -> IO Int
-- | setVersion req ver updates the version number of
-- certificate request.
setVersion :: X509Req -> Int -> IO ()
-- | getSubjectName req wantLongName returns the subject
-- name of certificate request. See getSubjectName of
-- OpenSSL.X509.
getSubjectName :: X509Req -> Bool -> IO [(String, String)]
-- | setSubjectName req name updates the subject name of
-- certificate request. See setSubjectName of OpenSSL.X509.
setSubjectName :: X509Req -> [(String, String)] -> IO ()
-- | getPublicKey req returns the public key of the subject
-- of certificate request.
getPublicKey :: X509Req -> IO SomePublicKey
-- | setPublicKey req updates the public key of the subject
-- of certificate request.
setPublicKey :: PublicKey key => X509Req -> key -> IO ()
-- |
-- addExtensions req [(nid, str)]
--
--
-- E.g., nid 85 = subjectAltName
-- http://osxr.org:8080/openssl/source/crypto/objects/objects.h#0476
--
-- (TODO: more docs; NID type)
addExtensions :: X509Req -> [(Int, String)] -> IO CInt
-- | An interface to Certificate Revocation List.
module OpenSSL.X509.Revocation
-- | CRL is an opaque object that represents Certificate
-- Revocation List.
data CRL
-- | RevokedCertificate represents a revoked certificate in
-- a list. Each certificates are supposed to be distinguishable by issuer
-- name and serial number, so it is sufficient to have only serial number
-- on each entries.
data RevokedCertificate
RevokedCertificate :: Integer -> UTCTime -> RevokedCertificate
[revSerialNumber] :: RevokedCertificate -> Integer
[revRevocationDate] :: RevokedCertificate -> UTCTime
-- | newCRL creates an empty revocation list. You must set
-- the following properties to and sign it (see signCRL) to
-- actually use the revocation list. If you have any certificates to be
-- listed, you must of course add them (see addRevoked) before
-- signing the list.
--
--
newCRL :: IO CRL
-- | signCRL signs a revocation list with an issuer private
-- key.
signCRL :: KeyPair key => CRL -> key -> Maybe Digest -> IO ()
-- | verifyCRL verifies a signature of revocation list with
-- an issuer public key.
verifyCRL :: PublicKey key => CRL -> key -> IO VerifyStatus
-- | printCRL translates a revocation list into
-- human-readable format.
printCRL :: CRL -> IO String
-- | sortCRL crl sorts the certificates in the revocation
-- list.
sortCRL :: CRL -> IO ()
-- | getVersion crl returns the version number of
-- revocation list.
getVersion :: CRL -> IO Int
-- | setVersion crl ver updates the version number of
-- revocation list.
setVersion :: CRL -> Int -> IO ()
-- | getLastUpdate crl returns the time when the revocation
-- list has last been updated.
getLastUpdate :: CRL -> IO UTCTime
-- | setLastUpdate crl utc updates the time when the
-- revocation list has last been updated.
setLastUpdate :: CRL -> UTCTime -> IO ()
-- | getNextUpdate crl returns the time when the revocation
-- list will next be updated.
getNextUpdate :: CRL -> IO UTCTime
-- | setNextUpdate crl utc updates the time when the
-- revocation list will next be updated.
setNextUpdate :: CRL -> UTCTime -> IO ()
-- | getIssuerName crl wantLongName returns the issuer name
-- of revocation list. See getIssuerName of OpenSSL.X509.
getIssuerName :: CRL -> Bool -> IO [(String, String)]
-- | setIssuerName crl name updates the issuer name of
-- revocation list. See setIssuerName of OpenSSL.X509.
setIssuerName :: CRL -> [(String, String)] -> IO ()
-- | getRevokedList crl returns the list of revoked
-- certificates.
getRevokedList :: CRL -> IO [RevokedCertificate]
-- | addRevoked crl revoked add the certificate to the
-- revocation list.
addRevoked :: CRL -> RevokedCertificate -> IO ()
-- | getRevoked crl serial looks up the corresponding
-- revocation.
getRevoked :: CRL -> Integer -> IO (Maybe RevokedCertificate)
instance GHC.Classes.Eq OpenSSL.X509.Revocation.RevokedCertificate
instance GHC.Show.Show OpenSSL.X509.Revocation.RevokedCertificate
-- | An interface to X.509 certificate store.
module OpenSSL.X509.Store
-- | X509Store is an opaque object that represents X.509
-- certificate store. The certificate store is usually used for chain
-- verification.
data X509Store
-- | newX509Store creates an empty X.509 certificate store.
newX509Store :: IO X509Store
-- | addCertToStore store cert adds a certificate to store.
addCertToStore :: X509Store -> X509 -> IO ()
-- | addCRLToStore store crl adds a revocation list to
-- store.
addCRLToStore :: X509Store -> CRL -> IO ()
-- | An interface to PKCS#7 structure and S/MIME message.
module OpenSSL.PKCS7
-- | Pkcs7 represents an abstract PKCS#7 structure. The
-- concrete type of structure is hidden in the object: such polymorphism
-- isn't very haskellish but please get it out of your mind since OpenSSL
-- is written in C.
data Pkcs7
-- | Pkcs7Flag is a set of flags that are used in many
-- operations related to PKCS#7.
data Pkcs7Flag
Pkcs7Text :: Pkcs7Flag
Pkcs7NoCerts :: Pkcs7Flag
Pkcs7NoSigs :: Pkcs7Flag
Pkcs7NoChain :: Pkcs7Flag
Pkcs7NoIntern :: Pkcs7Flag
Pkcs7NoVerify :: Pkcs7Flag
Pkcs7Detached :: Pkcs7Flag
Pkcs7Binary :: Pkcs7Flag
Pkcs7NoAttr :: Pkcs7Flag
Pkcs7NoSmimeCap :: Pkcs7Flag
Pkcs7NoOldMimeType :: Pkcs7Flag
Pkcs7CRLFEOL :: Pkcs7Flag
-- | Pkcs7VerifyStatus represents a result of PKCS#7
-- verification. See pkcs7Verify.
data Pkcs7VerifyStatus
-- | Nothing if the PKCS#7 signature was a detached signature, and Just
-- content if it wasn't.
Pkcs7VerifySuccess :: (Maybe String) -> Pkcs7VerifyStatus
Pkcs7VerifyFailure :: Pkcs7VerifyStatus
-- | pkcs7Sign creates a PKCS#7 signedData structure.
pkcs7Sign :: KeyPair key => X509 -> key -> [X509] -> String -> [Pkcs7Flag] -> IO Pkcs7
-- | pkcs7Verify verifies a PKCS#7 signedData structure.
pkcs7Verify :: Pkcs7 -> [X509] -> X509Store -> Maybe String -> [Pkcs7Flag] -> IO Pkcs7VerifyStatus
-- | pkcs7Encrypt creates a PKCS#7 envelopedData structure.
pkcs7Encrypt :: [X509] -> String -> Cipher -> [Pkcs7Flag] -> IO Pkcs7
-- | pkcs7Decrypt decrypts content from PKCS#7
-- envelopedData structure.
pkcs7Decrypt :: KeyPair key => Pkcs7 -> key -> X509 -> [Pkcs7Flag] -> IO String
-- | writeSmime writes PKCS#7 structure to S/MIME message.
writeSmime :: Pkcs7 -> Maybe String -> [Pkcs7Flag] -> IO String
-- | readSmime parses S/MIME message.
readSmime :: String -> IO (Pkcs7, Maybe String)
instance GHC.Classes.Eq OpenSSL.PKCS7.Pkcs7VerifyStatus
instance GHC.Show.Show OpenSSL.PKCS7.Pkcs7VerifyStatus
instance GHC.Classes.Eq OpenSSL.PKCS7.Pkcs7Flag
instance GHC.Show.Show OpenSSL.PKCS7.Pkcs7Flag
-- | An interface to PEM routines.
module OpenSSL.PEM
-- | PemPasswordCallback represents a callback function to
-- supply a password.
--
--
-- - Int The maximum length of the password to be
-- accepted.
-- - PemPasswordRWState The context.
-- - IO String The resulting password.
--
type PemPasswordCallback = Int -> PemPasswordRWState -> IO String
-- | PemPasswordRWState represents a context of
-- PemPasswordCallback.
data PemPasswordRWState
-- | The callback was called to get a password to read something encrypted.
PwRead :: PemPasswordRWState
-- | The callback was called to get a password to encrypt something.
PwWrite :: PemPasswordRWState
-- | PemPasswordSupply represents a way to supply password.
--
-- FIXME: using PwTTY causes an error but I don't know why:
-- "error:0906406D:PEM routines:DEF_CALLBACK:problems getting password"
data PemPasswordSupply
-- | no password
PwNone :: PemPasswordSupply
-- | password in a static string
PwStr :: String -> PemPasswordSupply
-- | password in a static bytestring.
PwBS :: ByteString -> PemPasswordSupply
-- | get a password by a callback
PwCallback :: PemPasswordCallback -> PemPasswordSupply
-- | read a password from TTY
PwTTY :: PemPasswordSupply
-- | writePKCS8PrivateKey writes a private key to PEM
-- string in PKCS#8 format.
writePKCS8PrivateKey :: KeyPair key => key -> Maybe (Cipher, PemPasswordSupply) -> IO String
-- | readPrivateKey pem supply reads a private key in PEM
-- string.
readPrivateKey :: String -> PemPasswordSupply -> IO SomeKeyPair
-- | writePublicKey pubkey writes a public to PEM string.
writePublicKey :: PublicKey key => key -> IO String
-- | readPublicKey pem reads a public key in PEM string.
readPublicKey :: String -> IO SomePublicKey
-- | writeX509 cert writes an X.509 certificate to PEM
-- string.
writeX509 :: X509 -> IO String
-- | readX509 pem reads an X.509 certificate in PEM string.
readX509 :: String -> IO X509
-- | PemX509ReqFormat represents format of PKCS#10
-- certificate request.
data PemX509ReqFormat
-- | The new format, whose header is "NEW CERTIFICATE REQUEST".
ReqNewFormat :: PemX509ReqFormat
-- | The old format, whose header is "CERTIFICATE REQUEST".
ReqOldFormat :: PemX509ReqFormat
-- | writeX509Req writes a PKCS#10 certificate request to
-- PEM string.
writeX509Req :: X509Req -> PemX509ReqFormat -> IO String
-- | readX509Req reads a PKCS#10 certificate request in PEM
-- string.
readX509Req :: String -> IO X509Req
-- | writeCRL crl writes a Certificate Revocation List to
-- PEM string.
writeCRL :: CRL -> IO String
-- | readCRL pem reads a Certificate Revocation List in PEM
-- string.
readCRL :: String -> IO CRL
-- | writePkcs7 p7 writes a PKCS#7 structure to PEM string.
writePkcs7 :: Pkcs7 -> IO String
-- | readPkcs7 pem reads a PKCS#7 structure in PEM string.
readPkcs7 :: String -> IO Pkcs7
-- | writeDHParams dh writes DH parameters to PEM string.
writeDHParams :: DHP -> IO String
-- | readDHParams pem reads DH parameters in PEM string.
readDHParams :: String -> IO DHP
-- | Functions for handling SSL connections. These functions use GHC
-- specific calls to cooperative the with the scheduler so that
-- blocking functions only actually block the Haskell thread,
-- not a whole OS thread.
module OpenSSL.Session
-- | An SSL context. Contexts carry configuration such as a server's
-- private key, root CA certiifcates etc. Contexts are stateful IO
-- objects; they start empty and various options are set on them by the
-- functions in this module. Note that an empty context will pretty much
-- cause any operation to fail since it doesn't even have any ciphers
-- enabled.
data SSLContext
-- | Create a new SSL context.
context :: IO SSLContext
-- | Add a protocol option to the context.
contextAddOption :: SSLContext -> SSLOption -> IO ()
-- | Remove a protocol option from the context.
contextRemoveOption :: SSLContext -> SSLOption -> IO ()
-- | Install a private key into a context.
contextSetPrivateKey :: KeyPair k => SSLContext -> k -> IO ()
-- | Install a certificate (public key) into a context.
contextSetCertificate :: SSLContext -> X509 -> IO ()
-- | Install a private key file in a context. The key is given as a path to
-- the file which contains the key. The file is parsed first as PEM and,
-- if that fails, as ASN1. If both fail, an exception is raised.
contextSetPrivateKeyFile :: SSLContext -> FilePath -> IO ()
-- | Install a certificate (public key) file in a context. The key is given
-- as a path to the file which contains the key. The file is parsed first
-- as PEM and, if that fails, as ASN1. If both fail, an exception is
-- raised.
contextSetCertificateFile :: SSLContext -> FilePath -> IO ()
-- | Install a certificate chain in a context. The certificates must be in
-- PEM format and must be sorted starting with the subject's certificate
-- (actual client or server certificate), followed by intermediate CA
-- certificates if applicable, and ending at the highest level (root) CA.
contextSetCertificateChainFile :: SSLContext -> FilePath -> IO ()
-- | Set the ciphers to be used by the given context. The string argument
-- is a list of ciphers, comma separated, as given at
-- http://www.openssl.org/docs/apps/ciphers.html
--
-- Unrecognised ciphers are ignored. If no ciphers from the list are
-- recognised, an exception is raised.
contextSetCiphers :: SSLContext -> String -> IO ()
contextSetDefaultCiphers :: SSLContext -> IO ()
-- | Return true iff the private key installed in the given context matches
-- the certificate also installed.
contextCheckPrivateKey :: SSLContext -> IO Bool
-- | See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
data VerificationMode
VerifyNone :: VerificationMode
VerifyPeer :: Bool -> Bool -> Maybe (Bool -> X509StoreCtx -> IO Bool) -> VerificationMode
-- | is a certificate required
[vpFailIfNoPeerCert] :: VerificationMode -> Bool
-- | only request once per connection
[vpClientOnce] :: VerificationMode -> Bool
-- | optional callback
[vpCallback] :: VerificationMode -> Maybe (Bool -> X509StoreCtx -> IO Bool)
contextSetVerificationMode :: SSLContext -> VerificationMode -> IO ()
-- | Set the location of a PEM encoded list of CA certificates to be used
-- when verifying a server's certificate
contextSetCAFile :: SSLContext -> FilePath -> IO ()
-- | Set the path to a directory which contains the PEM encoded CA root
-- certificates. This is an alternative to contextSetCAFile. See
-- http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html
-- for details of the file naming scheme
contextSetCADirectory :: SSLContext -> FilePath -> IO ()
-- | Get a reference to, not a copy of, the X.509 certificate storage in
-- the SSL context.
contextGetCAStore :: SSLContext -> IO X509Store
-- | This is the type of an SSL connection
--
-- IO with SSL objects is non-blocking and many SSL functions return a
-- error code which signifies that it needs to read or write more data.
-- We handle these calls and call threadWaitRead and threadWaitWrite at
-- the correct times. Thus multiple OS threads can be blocked
-- inside IO in the same SSL object at a time, because they aren't really
-- in the SSL object, they are waiting for the RTS to wake the Haskell
-- thread.
data SSL
-- | This is the type of an SSL IO operation. Errors are handled by
-- exceptions while everything else is one of these. Note that reading
-- from an SSL socket can result in WantWrite and vice versa.
data SSLResult a
-- | operation finished successfully
SSLDone :: a -> SSLResult a
-- | needs more data from the network
WantRead :: SSLResult a
-- | needs more outgoing buffer space
WantWrite :: SSLResult a
-- | Wrap a Socket in an SSL connection. Reading and writing to the Socket
-- after this will cause weird errors in the SSL code. The SSL object
-- carries a handle to the Socket so you need not worry about the garbage
-- collector closing the file descriptor out from under you.
connection :: SSLContext -> Socket -> IO SSL
-- | Wrap a socket Fd in an SSL connection.
fdConnection :: SSLContext -> Fd -> IO SSL
-- | Add a protocol option to the SSL connection.
addOption :: SSL -> SSLOption -> IO ()
-- | Remove a protocol option from the SSL connection.
removeOption :: SSL -> SSLOption -> IO ()
-- | Set host name for Server Name Indication (SNI)
setTlsextHostName :: SSL -> String -> IO ()
-- | Perform an SSL server handshake
accept :: SSL -> IO ()
-- | Try to perform an SSL server handshake without blocking
tryAccept :: SSL -> IO (SSLResult ())
-- | Perform an SSL client handshake
connect :: SSL -> IO ()
-- | Try to perform an SSL client handshake without blocking
tryConnect :: SSL -> IO (SSLResult ())
-- | Try to read the given number of bytes from an SSL connection. On EOF
-- an empty ByteString is returned. If the connection dies without a
-- graceful SSL shutdown, an exception is raised.
read :: SSL -> Int -> IO ByteString
-- | Try to read the given number of bytes from an SSL connection without
-- blocking.
tryRead :: SSL -> Int -> IO (SSLResult ByteString)
-- | Read some data into a raw pointer buffer. Retrns the number of bytes
-- read.
readPtr :: SSL -> Ptr a -> Int -> IO Int
-- | Try to read some data into a raw pointer buffer, without blocking.
tryReadPtr :: SSL -> Ptr a -> Int -> IO (SSLResult Int)
-- | Write a given ByteString to the SSL connection. Either all the data is
-- written or an exception is raised because of an error.
write :: SSL -> ByteString -> IO ()
-- | Try to write a given ByteString to the SSL connection without
-- blocking.
tryWrite :: SSL -> ByteString -> IO (SSLResult ())
-- | Send some data from a raw pointer buffer.
writePtr :: SSL -> Ptr a -> Int -> IO ()
-- | Send some data from a raw pointer buffer, without blocking.
tryWritePtr :: SSL -> Ptr a -> Int -> IO (SSLResult ())
-- | Lazily read all data until reaching EOF. If the connection dies
-- without a graceful SSL shutdown, an exception is raised.
lazyRead :: SSL -> IO ByteString
-- | Write a lazy ByteString to the SSL connection. In contrast to
-- write, there is a chance that the string is written partway and
-- then an exception is raised for an error. The string doesn't
-- necessarily have to be finite.
lazyWrite :: SSL -> ByteString -> IO ()
-- | Cleanly shutdown an SSL connection. Note that SSL has a concept of a
-- secure shutdown, which is distinct from just closing the TCP
-- connection. This performs the former and should always be preferred.
--
-- This can either just send a shutdown, or can send and wait for the
-- peer's shutdown message.
shutdown :: SSL -> ShutdownType -> IO ()
-- | Try to cleanly shutdown an SSL connection without blocking.
tryShutdown :: SSL -> ShutdownType -> IO (SSLResult ())
data ShutdownType
-- | wait for the peer to also shutdown
Bidirectional :: ShutdownType
-- | only send our shutdown
Unidirectional :: ShutdownType
-- | After a successful connection, get the certificate of the other party.
-- If this is a server connection, you probably won't get a certificate
-- unless you asked for it with contextSetVerificationMode
getPeerCertificate :: SSL -> IO (Maybe X509)
-- | Get the result of verifing the peer's certificate. This is mostly for
-- clients to verify the certificate of the server that they have
-- connected it. You must set a list of root CA certificates with
-- contextSetCA... for this to make sense.
--
-- Note that this returns True iff the peer's certificate has a valid
-- chain to a root CA. You also need to check that the certificate is
-- correct (i.e. has the correct hostname in it) with getPeerCertificate.
getVerifyResult :: SSL -> IO Bool
-- | Get the socket underlying an SSL connection
sslSocket :: SSL -> Maybe Socket
-- | Get the underlying socket Fd
sslFd :: SSL -> Fd
-- | The behaviour of the SSL library can be changed by setting several
-- options. During a handshake, the option settings of the SSL
-- object are used. When a new SSL object is created from a
-- SSLContext, the current option setting is copied. Changes to
-- SSLContext do not affect already created SSL objects.
data SSLOption
-- | As of OpenSSL 1.0.0 this option has no effect.
SSL_OP_MICROSOFT_SESS_ID_BUG :: SSLOption
-- | As of OpenSSL 1.0.0 this option has no effect.
SSL_OP_NETSCAPE_CHALLENGE_BUG :: SSLOption
-- | As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect.
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG :: SSLOption
SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG :: SSLOption
SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER :: SSLOption
-- | Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari
-- on OS X. OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
SSL_OP_SAFARI_ECDHE_ECDSA_BUG :: SSLOption
SSL_OP_SSLEAY_080_CLIENT_DH_BUG :: SSLOption
SSL_OP_TLS_D5_BUG :: SSLOption
SSL_OP_TLS_BLOCK_PADDING_BUG :: SSLOption
-- | Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol
-- vulnerability affecting CBC ciphers, which cannot be handled by some
-- broken SSL implementations. This option has no effect for connections
-- using other ciphers.
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS :: SSLOption
-- | All of the above bug workarounds.
SSL_OP_ALL :: SSLOption
-- | Disable version rollback attack detection.
--
-- During the client key exchange, the client must send the same
-- information about acceptable SSL/TLS protocol levels as during the
-- first hello. Some clients violate this rule by adapting to the
-- server's answer. (Example: the client sends a SSLv2 hello and accepts
-- up to SSLv3.1=TLSv1, the server only understands up to SSLv3. In this
-- case the client must still use the same SSLv3.1=TLSv1 announcement.
-- Some clients step down to SSLv3 with respect to the server's answer
-- and violate the version rollback protection.)
SSL_OP_TLS_ROLLBACK_BUG :: SSLOption
-- | Always create a new key when using temporary/ephemeral DH parameters.
-- This option must be used to prevent small subgroup attacks, when the
-- DH parameters were not generated using "strong" primes (e.g. when
-- using DSA-parameters). If "strong" primes were used, it is not
-- strictly necessary to generate a new DH key during each handshake but
-- it is also recommended. SSL_OP_SINGLE_DH_USE should therefore
-- be enabled whenever temporary/ephemeral DH parameters are used.
SSL_OP_SINGLE_DH_USE :: SSLOption
-- | Always use ephemeral (temporary) RSA key when doing RSA operations.
-- According to the specifications this is only done, when a RSA key can
-- only be used for signature operations (namely under export ciphers
-- with restricted RSA keylength). By setting this option, ephemeral RSA
-- keys are always used. This option breaks compatibility with the
-- SSL/TLS specifications and may lead to interoperability problems with
-- clients and should therefore never be used. Ciphers with DHE
-- (ephemeral Diffie-Hellman) key exchange should be used instead.
SSL_OP_EPHEMERAL_RSA :: SSLOption
-- | When choosing a cipher, use the server's preferences instead of the
-- client preferences. When not set, the SSL server will always follow
-- the clients preferences. When set, the SSLv3/TLSv1 server will choose
-- following its own preferences. Because of the different protocol, for
-- SSLv2 the server will send its list of preferences to the client and
-- the client chooses.
SSL_OP_CIPHER_SERVER_PREFERENCE :: SSLOption
SSL_OP_PKCS1_CHECK_1 :: SSLOption
SSL_OP_PKCS1_CHECK_2 :: SSLOption
-- | If we accept a netscape connection, demand a client cert, have a
-- non-self-signed CA which does not have its CA in netscape, and the
-- browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta
SSL_OP_NETSCAPE_CA_DN_BUG :: SSLOption
SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG :: SSLOption
-- | Do not use the SSLv2 protocol.
SSL_OP_NO_SSLv2 :: SSLOption
-- | Do not use the SSLv3 protocol.
SSL_OP_NO_SSLv3 :: SSLOption
-- | Do not use the TLSv1 protocol.
SSL_OP_NO_TLSv1 :: SSLOption
-- | When performing renegotiation as a server, always start a new session
-- (i.e., session resumption requests are only accepted in the initial
-- handshake). This option is not needed for clients.
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION :: SSLOption
-- | Normally clients and servers will, where possible, transparently make
-- use of RFC 4507 tickets for stateless session resumption.
--
-- If this option is set this functionality is disabled and tickets will
-- not be used by clients or servers.
SSL_OP_NO_TICKET :: SSLOption
-- | Allow legacy insecure renegotiation between OpenSSL and unpatched
-- clients or servers. See SECURE RENEGOTIATION for more details.
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION :: SSLOption
-- | Allow legacy insecure renegotiation between OpenSSL and unpatched
-- servers _only_. See SECURE RENEGOTIATION for more details.
SSL_OP_LEGACY_SERVER_CONNECT :: SSLOption
-- | The root exception type for all SSL exceptions.
data SomeSSLException
-- | The peer uncleanly terminated the connection without sending the
-- "close notify" alert.
data ConnectionAbruptlyTerminated
-- | A failure in the SSL library occurred, usually a protocol error.
data ProtocolError
ProtocolError :: !String -> ProtocolError
instance GHC.Classes.Eq OpenSSL.Session.ProtocolError
instance GHC.Show.Show OpenSSL.Session.ProtocolError
instance GHC.Classes.Eq OpenSSL.Session.ConnectionAbruptlyTerminated
instance GHC.Show.Show OpenSSL.Session.ConnectionAbruptlyTerminated
instance GHC.Show.Show OpenSSL.Session.ShutdownType
instance GHC.Classes.Eq OpenSSL.Session.ShutdownType
instance Data.Traversable.Traversable OpenSSL.Session.SSLResult
instance Data.Foldable.Foldable OpenSSL.Session.SSLResult
instance GHC.Base.Functor OpenSSL.Session.SSLResult
instance GHC.Show.Show a => GHC.Show.Show (OpenSSL.Session.SSLResult a)
instance GHC.Classes.Eq a => GHC.Classes.Eq (OpenSSL.Session.SSLResult a)
instance GHC.Show.Show OpenSSL.Session.SomeSSLException
instance GHC.Exception.Exception OpenSSL.Session.SomeSSLException
instance GHC.Exception.Exception OpenSSL.Session.ConnectionAbruptlyTerminated
instance GHC.Exception.Exception OpenSSL.Session.ProtocolError
-- | HsOpenSSL is an OpenSSL binding for Haskell. It can generate RSA and
-- DSA keys, read and write PEM files, generate message digests, sign and
-- verify messages, encrypt and decrypt messages.
--
-- Please note that this project has started at the time when there were
-- no pure-Haskell implementations of TLS. Now there is tls package
-- (http://hackage.haskell.org/package/tls), which looks pretty
-- saner than HsOpenSSL especially for initialisation and error
-- handlings. So PHO (the initial author of HsOpenSSL) wants to encourage
-- you to use and improve the tls package instead as long as possible.
-- The only problem is that the tls package has not received as much
-- review as OpenSSL from cryptography specialists yet, thus we can't
-- assume it's secure enough.
--
-- Features that aren't (yet) supported:
--
--
-- - SSL network connection ssl(3) functionalities aren't
-- fully covered yet. See OpenSSL.Session.
-- - Complete coverage of Low-level API to symmetric
-- ciphers Only high-level APIs (EVP and BIO) are fully
-- available. But I believe no one will be lost without functions like
-- DES_set_odd_parity.
-- - Low-level API to asymmetric ciphers Only a
-- high-level API (EVP) is available. But I believe no one will complain
-- about the absence of functions like RSA_public_encrypt.
-- - X.509 v3 extension handling It should be supported
-- in the future.
-- - Low-level API to message digest functions Just use
-- EVP instead of something like MD5_Update.
-- - API to PKCS#12 functionality It should be covered
-- someday.
-- - BIO BIO isn't needed because we are Haskell hackers.
-- Though HsOpenSSL itself uses BIO internally.
-- - ENGINE cryptographic module The default
-- implementations work very well, don't they?
--
module OpenSSL
-- | Computation of withOpenSSL action initializes the
-- OpenSSL library as necessary, and computes action. Every
-- application that uses HsOpenSSL must wrap any operations involving
-- OpenSSL with withOpenSSL, or they might crash:
--
--
-- module Main where
-- import OpenSSL
--
-- main :: IO ()
-- main = withOpenSSL $
-- do ...
--
--
-- Since 0.10.3.5, withOpenSSL is safe to be applied redundantly.
-- Library authors may wish to wrap their functions not to force their
-- users to think about initialization:
--
--
-- get :: URI -> IO Response
-- get uri = withOpenSSL $ internalImplementationOfGet uri
--
withOpenSSL :: IO a -> IO a