-- Hoogle documentation, generated by Haddock -- See Hoogle, http://www.haskell.org/hoogle/ -- | TLS bindings for Rustls -- -- TLS bindings for Rustls via rustls-ffi. @package rustls @version 0.1.0.0 -- | Internal module, not subject to PVP. module Rustls.Internal.FFI -- | A pointer with the C const qualifier. For instance, an -- argument of type ConstPtr CInt would be marshalled as -- const int*. -- -- While const-ness generally does not matter for ccall -- imports (since const and non-const pointers -- typically have equivalent calling conventions), it does matter for -- capi imports. See GHC #22043. newtype () => ConstPtr a ConstPtr :: Ptr a -> ConstPtr a [unConstPtr] :: ConstPtr a -> Ptr a type ConstCString = ConstPtr CChar data {-# CTYPE "rustls.h" "rustls_client_config" #-} ClientConfig data {-# CTYPE "rustls.h" "rustls_client_config_builder" #-} ClientConfigBuilder clientConfigBuilderNewCustom :: ConstPtr (ConstPtr SupportedCipherSuite) -> CSize -> ConstPtr TLSVersion -> CSize -> Ptr (Ptr ClientConfigBuilder) -> IO Result clientConfigBuilderFree :: Ptr ClientConfigBuilder -> IO () clientConfigBuilderBuild :: Ptr ClientConfigBuilder -> IO (ConstPtr ClientConfig) clientConfigFree :: FinalizerPtr ClientConfig clientConfigBuilderSetALPNProtocols :: Ptr ClientConfigBuilder -> ConstPtr SliceBytes -> CSize -> IO Result clientConfigBuilderSetEnableSNI :: Ptr ClientConfigBuilder -> CBool -> IO () clientConfigBuilderSetCertifiedKey :: Ptr ClientConfigBuilder -> ConstPtr (ConstPtr CertifiedKey) -> CSize -> IO Result data {-# CTYPE "rustls.h" "rustls_web_pki_server_cert_verifier_builder" #-} WebPkiServerCertVerifierBuilder data {-# CTYPE "rustls.h" "rustls_server_cert_verifier" #-} ServerCertVerifier webPkiServerCertVerifierBuilderNew :: ConstPtr RootCertStore -> IO (Ptr WebPkiServerCertVerifierBuilder) webPkiServerCertVerifierBuilderAddCrl :: Ptr WebPkiServerCertVerifierBuilder -> ConstPtr Word8 -> CSize -> IO Result webPkiServerCertVerifierBuilderFree :: Ptr WebPkiServerCertVerifierBuilder -> IO () webPkiServerCertVerifierBuilderBuild :: Ptr WebPkiServerCertVerifierBuilder -> Ptr (Ptr ServerCertVerifier) -> IO Result serverCertVerifierFree :: Ptr ServerCertVerifier -> IO () clientConfigBuilderSetServerVerifier :: Ptr ClientConfigBuilder -> ConstPtr ServerCertVerifier -> IO () clientConnectionNew :: ConstPtr ClientConfig -> ConstCString -> Ptr (Ptr Connection) -> IO Result serverConnectionNew :: ConstPtr ServerConfig -> Ptr (Ptr Connection) -> IO Result data {-# CTYPE "rustls.h" "rustls_server_config" #-} ServerConfig data {-# CTYPE "rustls.h" "rustls_server_config_builder" #-} ServerConfigBuilder serverConfigBuilderNewCustom :: ConstPtr (ConstPtr SupportedCipherSuite) -> CSize -> ConstPtr TLSVersion -> CSize -> Ptr (Ptr ServerConfigBuilder) -> IO Result serverConfigBuilderFree :: Ptr ServerConfigBuilder -> IO () serverConfigBuilderBuild :: Ptr ServerConfigBuilder -> IO (ConstPtr ServerConfig) serverConfigFree :: FinalizerPtr ServerConfig serverConfigBuilderSetALPNProtocols :: Ptr ServerConfigBuilder -> ConstPtr SliceBytes -> CSize -> IO Result serverConfigBuilderSetIgnoreClientOrder :: Ptr ServerConfigBuilder -> CBool -> IO Result serverConfigBuilderSetCertifiedKeys :: Ptr ServerConfigBuilder -> ConstPtr (ConstPtr CertifiedKey) -> CSize -> IO Result data {-# CTYPE "rustls.h" "rustls_web_pki_client_cert_verifier_builder" #-} WebPkiClientCertVerifierBuilder data {-# CTYPE "rustls.h" "rustls_client_cert_verifier" #-} ClientCertVerifier webPkiClientCertVerifierBuilderNew :: ConstPtr RootCertStore -> IO (Ptr WebPkiClientCertVerifierBuilder) webPkiClientCertVerifierBuilderAddCrl :: Ptr WebPkiClientCertVerifierBuilder -> ConstPtr Word8 -> CSize -> IO Result webPkiClientCertVerifierBuilderAllowUnauthenticated :: Ptr WebPkiClientCertVerifierBuilder -> IO Result webPkiClientCertVerifierBuilderFree :: Ptr WebPkiClientCertVerifierBuilder -> IO () webPkiClientCertVerifierBuilderBuild :: Ptr WebPkiClientCertVerifierBuilder -> Ptr (Ptr ClientCertVerifier) -> IO Result clientCertVerifierFree :: Ptr ClientCertVerifier -> IO () serverConfigBuilderSetClientVerifier :: Ptr ServerConfigBuilder -> ConstPtr ClientCertVerifier -> IO () data {-# CTYPE "rustls.h" "rustls_certified_key" #-} CertifiedKey certifiedKeyBuild :: ConstPtr Word8 -> CSize -> ConstPtr Word8 -> CSize -> Ptr (ConstPtr CertifiedKey) -> IO Result certifiedKeyFree :: ConstPtr CertifiedKey -> IO () data {-# CTYPE "rustls.h" "rustls_certificate" #-} Certificate certificateGetDER :: ConstPtr Certificate -> Ptr (ConstPtr Word8) -> Ptr CSize -> IO Result data {-# CTYPE "rustls.h" "rustls_connection" #-} Connection connectionFree :: Ptr Connection -> IO () type ReadCallback = Ptr Userdata -> Ptr Word8 -> CSize -> Ptr CSize -> IO IOResult mkReadCallback :: ReadCallback -> IO (FunPtr ReadCallback) connectionWantsRead :: ConstPtr Connection -> IO CBool connectionRead :: Ptr Connection -> Ptr Word8 -> CSize -> Ptr CSize -> IO Result connectionReadTls :: Ptr Connection -> FunPtr ReadCallback -> Ptr Userdata -> Ptr CSize -> IO IOResult type WriteCallback = Ptr Userdata -> ConstPtr Word8 -> CSize -> Ptr CSize -> IO IOResult mkWriteCallback :: WriteCallback -> IO (FunPtr WriteCallback) connectionWantsWrite :: ConstPtr Connection -> IO CBool connectionWrite :: Ptr Connection -> Ptr Word8 -> CSize -> Ptr CSize -> IO Result connectionWriteTls :: Ptr Connection -> FunPtr WriteCallback -> Ptr Userdata -> Ptr CSize -> IO IOResult connectionProcessNewPackets :: Ptr Connection -> IO Result connectionIsHandshaking :: ConstPtr Connection -> IO CBool connectionSendCloseNotify :: Ptr Connection -> IO () connectionSetBufferLimit :: Ptr Connection -> CSize -> IO () connectionGetALPNProtocol :: ConstPtr Connection -> Ptr (ConstPtr Word8) -> Ptr CSize -> IO () connectionGetProtocolVersion :: ConstPtr Connection -> IO TLSVersion connectionGetNegotiatedCipherSuite :: ConstPtr Connection -> IO (ConstPtr SupportedCipherSuite) serverConnectionGetSNIHostname :: ConstPtr Connection -> Ptr Word8 -> CSize -> Ptr CSize -> IO Result connectionGetPeerCertificate :: ConstPtr Connection -> CSize -> IO (ConstPtr Certificate) connectionSetLogCallback :: Ptr Connection -> FunPtr LogCallback -> IO () type LogCallback = Ptr Userdata -> ConstPtr LogParams -> IO () mkLogCallback :: LogCallback -> IO (FunPtr LogCallback) data LogParams LogParams :: LogLevel -> Str -> LogParams [rustlsLogParamsLevel] :: LogParams -> LogLevel [rustlsLogParamsMessage] :: LogParams -> Str newtype LogLevel LogLevel :: CSize -> LogLevel data {-# CTYPE "rustls.h" "rustls_str" #-} Str Str :: CString -> CSize -> Str data {-# CTYPE "rustls.h" "rustls_slice_bytes" #-} SliceBytes SliceBytes :: Ptr Word8 -> CSize -> SliceBytes hsVersion :: Ptr Str -> IO () -- | (Unused) userdata. data Userdata newtype {-# CTYPE "rustls.h" "rustls_result" #-} Result Result :: Word32 -> Result resultIsCertError :: Result -> CBool errorMsg :: Result -> CString -> CSize -> Ptr CSize -> IO () resultOk :: Result resultInsufficientSize :: Result newtype {-# CTYPE "rustls.h" "rustls_io_result" #-} IOResult IOResult :: CInt -> IOResult ioResultOk :: IOResult ioResultErr :: IOResult data {-# CTYPE "rustls.h" "rustls_supported_ciphersuite" #-} SupportedCipherSuite allCipherSuites :: ConstPtr (Ptr SupportedCipherSuite) allCipherSuitesLen :: CSize defaultCipherSuites :: ConstPtr (ConstPtr SupportedCipherSuite) defaultCipherSuitesLen :: CSize supportedCipherSuiteGetSuite :: ConstPtr SupportedCipherSuite -> Word16 hsSupportedCipherSuiteGetName :: ConstPtr SupportedCipherSuite -> Ptr Str -> IO () -- | A TLS protocol version supported by Rustls. newtype {-# CTYPE "stdint.h" "uint16_t" #-} TLSVersion TLSVersion :: Word16 -> TLSVersion [unTLSVersion] :: TLSVersion -> Word16 pattern TLS12 :: TLSVersion pattern TLS13 :: TLSVersion allVersions :: ConstPtr TLSVersion allVersionsLen :: CSize defaultVersions :: ConstPtr TLSVersion defaultVersionsLen :: CSize data {-# CTYPE "rustls.h" "rustls_root_cert_store_builder" #-} RootCertStoreBuilder data {-# CTYPE "rustls.h" "rustls_root_cert_store" #-} RootCertStore rootCertStoreBuilderNew :: IO (Ptr RootCertStoreBuilder) rootCertStoreBuilderAddPem :: Ptr RootCertStoreBuilder -> ConstPtr Word8 -> CSize -> CBool -> IO Result rootCertStoreBuilderLoadRootsFromFile :: Ptr RootCertStoreBuilder -> ConstCString -> CBool -> IO Result rootCertStoreBuilderFree :: Ptr RootCertStoreBuilder -> IO () rootCertStoreBuilderBuild :: Ptr RootCertStoreBuilder -> Ptr (ConstPtr RootCertStore) -> IO Result rootCertStoreFree :: ConstPtr RootCertStore -> IO () instance Foreign.Storable.Generic.Internal.GStorable Rustls.Internal.FFI.Str instance GHC.Generics.Generic Rustls.Internal.FFI.Str instance Foreign.Storable.Generic.Internal.GStorable Rustls.Internal.FFI.SliceBytes instance GHC.Generics.Generic Rustls.Internal.FFI.SliceBytes instance GHC.Classes.Ord Rustls.Internal.FFI.Result instance GHC.Classes.Eq Rustls.Internal.FFI.Result instance GHC.Show.Show Rustls.Internal.FFI.Result instance GHC.Classes.Eq Rustls.Internal.FFI.IOResult instance Foreign.Storable.Storable Rustls.Internal.FFI.LogLevel instance GHC.Classes.Eq Rustls.Internal.FFI.LogLevel instance GHC.Show.Show Rustls.Internal.FFI.LogLevel instance Foreign.Storable.Generic.Internal.GStorable Rustls.Internal.FFI.LogParams instance GHC.Generics.Generic Rustls.Internal.FFI.LogParams instance Foreign.Storable.Storable Rustls.Internal.FFI.TLSVersion instance GHC.Classes.Ord Rustls.Internal.FFI.TLSVersion instance GHC.Classes.Eq Rustls.Internal.FFI.TLSVersion instance GHC.Show.Show Rustls.Internal.FFI.TLSVersion -- | Internal module, not subject to PVP. module Rustls.Internal -- | An ALPN protocol ID. See -- https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids -- for a list of registered IDs. newtype ALPNProtocol ALPNProtocol :: ByteString -> ALPNProtocol [unALPNProtocol] :: ALPNProtocol -> ByteString -- | A TLS cipher suite supported by Rustls. newtype CipherSuite CipherSuite :: ConstPtr SupportedCipherSuite -> CipherSuite -- | Get the IANA value from a cipher suite. The bytes are interpreted in -- network order. -- -- See -- https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 -- for a list. cipherSuiteID :: CipherSuite -> Word16 -- | Get the text representation of a cipher suite. showCipherSuite :: CipherSuite -> Text -- | Rustls client config builder. data ClientConfigBuilder ClientConfigBuilder :: ServerCertVerifier -> [TLSVersion] -> [CipherSuite] -> [ALPNProtocol] -> Bool -> [CertifiedKey] -> ClientConfigBuilder -- | The server certificate verifier. [clientConfigServerCertVerifier] :: ClientConfigBuilder -> ServerCertVerifier -- | Supported TLSVersions. When empty, good defaults are used. [clientConfigTLSVersions] :: ClientConfigBuilder -> [TLSVersion] -- | Supported CipherSuites in order of preference. When empty, good -- defaults are used. [clientConfigCipherSuites] :: ClientConfigBuilder -> [CipherSuite] -- | ALPN protocols. [clientConfigALPNProtocols] :: ClientConfigBuilder -> [ALPNProtocol] -- | Whether to enable Server Name Indication. Defaults to True. [clientConfigEnableSNI] :: ClientConfigBuilder -> Bool -- | List of CertifiedKeys for client authentication. -- -- Clients that want to support both ECDSA and RSA certificates will want -- the ECDSA to go first in the list. [clientConfigCertifiedKeys] :: ClientConfigBuilder -> [CertifiedKey] -- | How to verify TLS server certificates. data ServerCertVerifier ServerCertVerifier :: NonEmpty PEMCertificates -> [CertificateRevocationList] -> ServerCertVerifier -- | Certificates used to verify TLS server certificates. [serverCertVerifierCertificates] :: ServerCertVerifier -> NonEmpty PEMCertificates -- | List of certificate revocation lists used to verify TLS server -- certificates. [serverCertVerifierCRLs] :: ServerCertVerifier -> [CertificateRevocationList] -- | A source of PEM-encoded certificates. data PEMCertificates -- | In-memory PEM-encoded certificates. PEMCertificatesInMemory :: ByteString -> PEMCertificateParsing -> PEMCertificates -- | Fetch PEM-encoded root certificates from a file. PemCertificatesFromFile :: FilePath -> PEMCertificateParsing -> PEMCertificates -- | Parsing mode for PEM-encoded certificates. data PEMCertificateParsing -- | Fail if syntactically invalid. PEMCertificateParsingStrict :: PEMCertificateParsing -- | Ignore if syntactically invalid. -- -- This may be useful on systems that have syntactically invalid root -- certificates. PEMCertificateParsingLax :: PEMCertificateParsing -- | A complete chain of certificates plus a private key for the leaf -- certificate. data CertifiedKey CertifiedKey :: ByteString -> ByteString -> CertifiedKey -- | PEM-encoded certificate chain. [certificateChain] :: CertifiedKey -> ByteString -- | PEM-encoded private key. [privateKey] :: CertifiedKey -> ByteString -- | Assembled configuration for a Rustls client connection. data ClientConfig ClientConfig :: ForeignPtr ClientConfig -> Maybe LogCallback -> ClientConfig [clientConfigPtr] :: ClientConfig -> ForeignPtr ClientConfig -- | A logging callback. -- -- Note that this is a record selector, so you can use it as a setter: -- -- 
--   >>> :{
--   setLogCallback :: LogCallback -> ClientConfig -> ClientConfig
--   setLogCallback logCallback clientConfig =
--     clientConfig { clientConfigLogCallback = Just logCallback }
--   :}
--
[clientConfigLogCallback] :: ClientConfig -> Maybe LogCallback -- | How to verify TLS client certificates. data ClientCertVerifier ClientCertVerifier :: ClientCertVerifierPolicy -> NonEmpty PEMCertificates -> [CertificateRevocationList] -> ClientCertVerifier -- | Which client connections are allowed. [clientCertVerifierPolicy] :: ClientCertVerifier -> ClientCertVerifierPolicy -- | Certificates used to verify TLS client certificates. [clientCertVerifierCertificates] :: ClientCertVerifier -> NonEmpty PEMCertificates -- | List of certificate revocation lists used to verify TLS client -- certificates. [clientCertVerifierCRLs] :: ClientCertVerifier -> [CertificateRevocationList] -- | Which client connections are allowed by a ClientCertVerifier. data ClientCertVerifierPolicy -- | Allow any authenticated client (i.e. offering a trusted certificate), -- and reject clients offering none. AllowAnyAuthenticatedClient :: ClientCertVerifierPolicy -- | Allow any authenticated client (i.e. offering a trusted certificate), -- but also allow clients offering none. AllowAnyAnonymousOrAuthenticatedClient :: ClientCertVerifierPolicy -- | One or more PEM-encoded certificate revocation lists (CRL). newtype CertificateRevocationList CertificateRevocationList :: ByteString -> CertificateRevocationList [unCertificateRevocationList] :: CertificateRevocationList -> ByteString -- | Rustls client config builder. data ServerConfigBuilder ServerConfigBuilder :: NonEmpty CertifiedKey -> [TLSVersion] -> [CipherSuite] -> [ALPNProtocol] -> Bool -> Maybe ClientCertVerifier -> ServerConfigBuilder -- | List of CertifiedKeys. [serverConfigCertifiedKeys] :: ServerConfigBuilder -> NonEmpty CertifiedKey -- | Supported TLSVersions. When empty, good defaults are used. [serverConfigTLSVersions] :: ServerConfigBuilder -> [TLSVersion] -- | Supported CipherSuites in order of preference. When empty, good -- defaults are used. [serverConfigCipherSuites] :: ServerConfigBuilder -> [CipherSuite] -- | ALPN protocols. [serverConfigALPNProtocols] :: ServerConfigBuilder -> [ALPNProtocol] -- | Ignore the client's ciphersuite order. Defaults to False. [serverConfigIgnoreClientOrder] :: ServerConfigBuilder -> Bool -- | Optionally, a client cert verifier. [serverConfigClientCertVerifier] :: ServerConfigBuilder -> Maybe ClientCertVerifier -- | Assembled configuration for a Rustls server connection. data ServerConfig ServerConfig :: ForeignPtr ServerConfig -> Maybe LogCallback -> ServerConfig [serverConfigPtr] :: ServerConfig -> ForeignPtr ServerConfig -- | A logging callback. -- -- Note that this is a record selector, so you can use it as a setter: -- -- 
--   >>> :{
--   setLogCallback :: LogCallback -> ServerConfig -> ServerConfig
--   setLogCallback logCallback serverConfig =
--     serverConfig { serverConfigLogCallback = Just logCallback }
--   :}
--
[serverConfigLogCallback] :: ServerConfig -> Maybe LogCallback -- | Rustls log level. data LogLevel LogLevelError :: LogLevel LogLevelWarn :: LogLevel LogLevelInfo :: LogLevel LogLevelDebug :: LogLevel LogLevelTrace :: LogLevel -- | A Rustls connection logging callback. newtype LogCallback LogCallback :: FunPtr LogCallback -> LogCallback [unLogCallback] :: LogCallback -> FunPtr LogCallback -- | A Monad to get TLS connection information via handshake. newtype HandshakeQuery (side :: Side) a HandshakeQuery :: ReaderT Connection' IO a -> HandshakeQuery (side :: Side) a handshakeQuery :: (Connection' -> IO a) -> HandshakeQuery side a -- | TLS exception thrown by Rustls. -- -- Use displayException for a human-friendly representation. newtype RustlsException RustlsException :: Word32 -> RustlsException [rustlsErrorCode] :: RustlsException -> Word32 resultMsg :: Result -> Text -- | Checks if the given RustlsException represents a certificate -- error. isCertError :: RustlsException -> Bool rethrowR :: Result -> IO () -- | Wrapper for exceptions thrown in a LogCallback. newtype RustlsLogException RustlsLogException :: SomeException -> RustlsLogException data RustlsUnknownLogLevel RustlsUnknownLogLevel :: LogLevel -> RustlsUnknownLogLevel -- | Underlying data source for Rustls. data Backend Backend :: (Ptr Word8 -> CSize -> IO CSize) -> (Ptr Word8 -> CSize -> IO CSize) -> Backend -- | Read data from the backend into the given buffer. [backendRead] :: Backend -> Ptr Word8 -> CSize -> IO CSize -- | Write data from the given buffer to the backend. [backendWrite] :: Backend -> Ptr Word8 -> CSize -> IO CSize mkSocketBackend :: Socket -> Backend -- | An in-memory Backend. mkByteStringBackend :: (Int -> IO ByteString) -> (ByteString -> IO ()) -> Backend -- | Type-level indicator whether a Connection is client- or -- server-side. data Side Client :: Side Server :: Side -- | A Rustls connection. newtype Connection (side :: Side) Connection :: MVar Connection' -> Connection (side :: Side) data Connection' Connection' :: Ptr Connection -> Backend -> Ptr CSize -> MVar IOMsgReq -> MVar IOMsgRes -> ThreadId -> Connection' [conn] :: Connection' -> Ptr Connection [backend] :: Connection' -> Backend [lenPtr] :: Connection' -> Ptr CSize [ioMsgReq] :: Connection' -> MVar IOMsgReq [ioMsgRes] :: Connection' -> MVar IOMsgRes [interactThread] :: Connection' -> ThreadId withConnection :: Connection side -> (Connection' -> IO a) -> IO a data ReadOrWrite Read :: ReadOrWrite Write :: ReadOrWrite -- | Messages sent to the background thread. data IOMsgReq -- | Request to start a read or a write FFI call from the background -- thread. It should respond with UsingBuffer. Request :: ReadOrWrite -> IOMsgReq -- | Notify the background thread that we are done interacting with the -- buffer. Done :: IOResult -> IOMsgReq -- | Messages sent from the background thread. data IOMsgRes -- | Reply with a buffer, either containing the read data, or awaiting a -- write to this buffer. UsingBuffer :: Ptr Word8 -> CSize -> Ptr CSize -> IOMsgRes -- | Notify that the FFI call finished. DoneFFI :: IOMsgRes interactTLS :: Connection' -> ReadOrWrite -> IO CSize data IsEOF IsEOF :: IsEOF NotEOF :: IsEOF -- | Helper function, see complete_io from rustls. -- -- -- https://github.com/rustls/rustls/blob/v/0.23.4/rustls/src/conn.rs#L544 completeIO :: Connection' -> IO IsEOF completePriorIO :: Connection' -> IO () getIsHandshaking :: Connection' -> IO Bool getWantsRead :: Connection' -> IO Bool getWantsWrite :: Connection' -> IO Bool whenM :: Monad m => m Bool -> m () -> m () loopWhileTrue :: Monad m => m Bool -> m () cSizeToInt :: CSize -> Int intToCSize :: Int -> CSize strToText :: Str -> IO Text ignoreExceptions :: IO () -> IO () ignoreSyncExceptions :: IO () -> IO () instance GHC.Generics.Generic Rustls.Internal.ALPNProtocol instance GHC.Classes.Ord Rustls.Internal.ALPNProtocol instance GHC.Classes.Eq Rustls.Internal.ALPNProtocol instance GHC.Show.Show Rustls.Internal.ALPNProtocol instance GHC.Generics.Generic Rustls.Internal.PEMCertificateParsing instance GHC.Enum.Bounded Rustls.Internal.PEMCertificateParsing instance GHC.Enum.Enum Rustls.Internal.PEMCertificateParsing instance GHC.Classes.Ord Rustls.Internal.PEMCertificateParsing instance GHC.Classes.Eq Rustls.Internal.PEMCertificateParsing instance GHC.Show.Show Rustls.Internal.PEMCertificateParsing instance GHC.Generics.Generic Rustls.Internal.PEMCertificates instance GHC.Show.Show Rustls.Internal.PEMCertificates instance GHC.Generics.Generic Rustls.Internal.CertifiedKey instance GHC.Generics.Generic Rustls.Internal.ClientCertVerifierPolicy instance GHC.Enum.Bounded Rustls.Internal.ClientCertVerifierPolicy instance GHC.Enum.Enum Rustls.Internal.ClientCertVerifierPolicy instance GHC.Classes.Ord Rustls.Internal.ClientCertVerifierPolicy instance GHC.Classes.Eq Rustls.Internal.ClientCertVerifierPolicy instance GHC.Show.Show Rustls.Internal.ClientCertVerifierPolicy instance GHC.Generics.Generic Rustls.Internal.CertificateRevocationList instance GHC.Show.Show Rustls.Internal.CertificateRevocationList instance GHC.Generics.Generic Rustls.Internal.ClientCertVerifier instance GHC.Show.Show Rustls.Internal.ClientCertVerifier instance GHC.Generics.Generic Rustls.Internal.ServerCertVerifier instance GHC.Show.Show Rustls.Internal.ServerCertVerifier instance GHC.Generics.Generic Rustls.Internal.ClientConfigBuilder instance GHC.Show.Show Rustls.Internal.ClientConfigBuilder instance GHC.Generics.Generic Rustls.Internal.ServerConfigBuilder instance GHC.Show.Show Rustls.Internal.ServerConfigBuilder instance GHC.Generics.Generic Rustls.Internal.LogLevel instance GHC.Enum.Bounded Rustls.Internal.LogLevel instance GHC.Enum.Enum Rustls.Internal.LogLevel instance GHC.Classes.Ord Rustls.Internal.LogLevel instance GHC.Classes.Eq Rustls.Internal.LogLevel instance GHC.Show.Show Rustls.Internal.LogLevel instance GHC.Show.Show Rustls.Internal.RustlsException instance GHC.Exception.Type.Exception Rustls.Internal.RustlsLogException instance GHC.Show.Show Rustls.Internal.RustlsLogException instance GHC.Exception.Type.Exception Rustls.Internal.RustlsUnknownLogLevel instance GHC.Show.Show Rustls.Internal.RustlsUnknownLogLevel instance GHC.Base.Monad (Rustls.Internal.HandshakeQuery side) instance GHC.Base.Applicative (Rustls.Internal.HandshakeQuery side) instance GHC.Base.Functor (Rustls.Internal.HandshakeQuery side) instance GHC.Classes.Eq Rustls.Internal.IsEOF instance GHC.Show.Show Rustls.Internal.IsEOF instance GHC.Exception.Type.Exception Rustls.Internal.RustlsException instance GHC.Show.Show Rustls.Internal.CertifiedKey instance GHC.Classes.Eq Rustls.Internal.CipherSuite instance GHC.Classes.Ord Rustls.Internal.CipherSuite instance GHC.Show.Show Rustls.Internal.CipherSuite -- | TLS bindings for Rustls via rustls-ffi. -- -- See the README on GitHub for setup instructions. -- -- Currently, most of the functionality exposed by rustls-ffi is -- available, while rustls-ffi is still missing some more niche Rustls -- features. -- -- Also see http-client-rustls for making HTTPS requests using -- http-client and Rustls. -- --

Client example

-- -- Suppose you have already opened a Socket to -- example.org, port 443 (see e.g. the examples at -- Network.Socket). This small example showcases how to perform a -- simple HTTP GET request: -- -- 
--   >>> :set -XOverloadedStrings
--   
--   >>> import qualified Rustls
--   
--   >>> import Network.Socket (Socket)
--   
--   >>> import Data.Acquire (withAcquire)
--   
--   >>> :{
--   example :: Socket -> IO ()
--   example socket = do
--     -- It is encouraged to share a single `clientConfig` when creating multiple
--     -- TLS connections.
--     clientConfig <-
--       Rustls.buildClientConfig $
--         Rustls.defaultClientConfigBuilder serverCertVerifier
--     let backend = Rustls.mkSocketBackend socket
--         newConnection =
--           Rustls.newClientConnection backend clientConfig "example.org"
--     withAcquire newConnection $ \conn -> do
--       Rustls.writeBS conn "GET /"
--       recv <- Rustls.readBS conn 1000 -- max number of bytes to read
--       print recv
--     where
--       -- For now, rustls-ffi does not provide a built-in way to access
--       -- the OS certificate store.
--       serverCertVerifier =
--         Rustls.ServerCertVerifier
--           { Rustls.serverCertVerifierCertificates =
--               pure $
--                 Rustls.PemCertificatesFromFile
--                   "/etc/ssl/certs/ca-certificates.crt"
--                   Rustls.PEMCertificateParsingStrict,
--             Rustls.serverCertVerifierCRLs = []
--           }
--   :}
--
-- --

Using Acquire

-- -- Some API functions (like newClientConnection and -- newServerConnection) return an Acquire from -- resourcet, as it is a convenient abstraction for exposing a -- value that should be consumed in a "bracketed" manner. -- -- Usually, it can be used via with or withAcquire, or via -- allocateAcquire when a MonadResource constraint is -- available. If you really need the extra flexibility, you can also -- access separate open… and close… functions by -- reaching for Data.Acquire.Internal. module Rustls -- | Rustls client config builder. data ClientConfigBuilder ClientConfigBuilder :: ServerCertVerifier -> [TLSVersion] -> [CipherSuite] -> [ALPNProtocol] -> Bool -> [CertifiedKey] -> ClientConfigBuilder -- | The server certificate verifier. [clientConfigServerCertVerifier] :: ClientConfigBuilder -> ServerCertVerifier -- | Supported TLSVersions. When empty, good defaults are used. [clientConfigTLSVersions] :: ClientConfigBuilder -> [TLSVersion] -- | Supported CipherSuites in order of preference. When empty, good -- defaults are used. [clientConfigCipherSuites] :: ClientConfigBuilder -> [CipherSuite] -- | ALPN protocols. [clientConfigALPNProtocols] :: ClientConfigBuilder -> [ALPNProtocol] -- | Whether to enable Server Name Indication. Defaults to True. [clientConfigEnableSNI] :: ClientConfigBuilder -> Bool -- | List of CertifiedKeys for client authentication. -- -- Clients that want to support both ECDSA and RSA certificates will want -- the ECDSA to go first in the list. [clientConfigCertifiedKeys] :: ClientConfigBuilder -> [CertifiedKey] -- | A ClientConfigBuilder with good defaults. defaultClientConfigBuilder :: ServerCertVerifier -> ClientConfigBuilder -- | How to verify TLS server certificates. data ServerCertVerifier ServerCertVerifier :: NonEmpty PEMCertificates -> [CertificateRevocationList] -> ServerCertVerifier -- | Certificates used to verify TLS server certificates. [serverCertVerifierCertificates] :: ServerCertVerifier -> NonEmpty PEMCertificates -- | List of certificate revocation lists used to verify TLS server -- certificates. [serverCertVerifierCRLs] :: ServerCertVerifier -> [CertificateRevocationList] -- | Assembled configuration for a Rustls client connection. data ClientConfig -- | A logging callback. -- -- Note that this is a record selector, so you can use it as a setter: -- -- 
--   >>> :{
--   setLogCallback :: LogCallback -> ClientConfig -> ClientConfig
--   setLogCallback logCallback clientConfig =
--     clientConfig { clientConfigLogCallback = Just logCallback }
--   :}
--
clientConfigLogCallback :: ClientConfig -> Maybe LogCallback -- | Build a ClientConfigBuilder into a ClientConfig. -- -- This is a relatively expensive operation, so it is a good idea to -- share one ClientConfig when creating multiple -- Connections. buildClientConfig :: MonadIO m => ClientConfigBuilder -> m ClientConfig -- | Initialize a TLS connection as a client. newClientConnection :: Backend -> ClientConfig -> Text -> Acquire (Connection Client) -- | Rustls client config builder. data ServerConfigBuilder ServerConfigBuilder :: NonEmpty CertifiedKey -> [TLSVersion] -> [CipherSuite] -> [ALPNProtocol] -> Bool -> Maybe ClientCertVerifier -> ServerConfigBuilder -- | List of CertifiedKeys. [serverConfigCertifiedKeys] :: ServerConfigBuilder -> NonEmpty CertifiedKey -- | Supported TLSVersions. When empty, good defaults are used. [serverConfigTLSVersions] :: ServerConfigBuilder -> [TLSVersion] -- | Supported CipherSuites in order of preference. When empty, good -- defaults are used. [serverConfigCipherSuites] :: ServerConfigBuilder -> [CipherSuite] -- | ALPN protocols. [serverConfigALPNProtocols] :: ServerConfigBuilder -> [ALPNProtocol] -- | Ignore the client's ciphersuite order. Defaults to False. [serverConfigIgnoreClientOrder] :: ServerConfigBuilder -> Bool -- | Optionally, a client cert verifier. [serverConfigClientCertVerifier] :: ServerConfigBuilder -> Maybe ClientCertVerifier -- | A ServerConfigBuilder with good defaults. defaultServerConfigBuilder :: NonEmpty CertifiedKey -> ServerConfigBuilder -- | How to verify TLS client certificates. data ClientCertVerifier ClientCertVerifier :: ClientCertVerifierPolicy -> NonEmpty PEMCertificates -> [CertificateRevocationList] -> ClientCertVerifier -- | Which client connections are allowed. [clientCertVerifierPolicy] :: ClientCertVerifier -> ClientCertVerifierPolicy -- | Certificates used to verify TLS client certificates. [clientCertVerifierCertificates] :: ClientCertVerifier -> NonEmpty PEMCertificates -- | List of certificate revocation lists used to verify TLS client -- certificates. [clientCertVerifierCRLs] :: ClientCertVerifier -> [CertificateRevocationList] -- | Which client connections are allowed by a ClientCertVerifier. data ClientCertVerifierPolicy -- | Allow any authenticated client (i.e. offering a trusted certificate), -- and reject clients offering none. AllowAnyAuthenticatedClient :: ClientCertVerifierPolicy -- | Allow any authenticated client (i.e. offering a trusted certificate), -- but also allow clients offering none. AllowAnyAnonymousOrAuthenticatedClient :: ClientCertVerifierPolicy -- | Assembled configuration for a Rustls server connection. data ServerConfig -- | A logging callback. -- -- Note that this is a record selector, so you can use it as a setter: -- -- 
--   >>> :{
--   setLogCallback :: LogCallback -> ServerConfig -> ServerConfig
--   setLogCallback logCallback serverConfig =
--     serverConfig { serverConfigLogCallback = Just logCallback }
--   :}
--
serverConfigLogCallback :: ServerConfig -> Maybe LogCallback -- | Build a ServerConfigBuilder into a ServerConfig. -- -- This is a relatively expensive operation, so it is a good idea to -- share one ServerConfig when creating multiple -- Connections. buildServerConfig :: MonadIO m => ServerConfigBuilder -> m ServerConfig -- | Initialize a TLS connection as a server. newServerConnection :: Backend -> ServerConfig -> Acquire (Connection Server) -- | A Rustls connection. data Connection (side :: Side) -- | Type-level indicator whether a Connection is client- or -- server-side. data Side Client :: Side Server :: Side -- | Read data from the Rustls Connection into a ByteString. -- The result will not be longer than the given length. readBS :: MonadIO m => Connection side -> Int -> m ByteString -- | Write a ByteString to the Rustls Connection. writeBS :: MonadIO m => Connection side -> ByteString -> m () -- | Ensure that the connection is handshaked. It is only necessary to call -- this if you want to obtain connection information. You can do so by -- providing a HandshakeQuery. -- -- 
--   >>> :{
--   getALPNAndTLSVersion ::
--     MonadIO m =>
--     Connection side ->
--     m (Maybe ALPNProtocol, TLSVersion)
--   getALPNAndTLSVersion conn =
--     handshake conn $ (,) <$> getALPNProtocol <*> getTLSVersion
--   :}
--
handshake :: MonadIO m => Connection side -> HandshakeQuery side a -> m a -- | A Monad to get TLS connection information via handshake. data HandshakeQuery (side :: Side) a -- | Get the negotiated ALPN protocol, if any. getALPNProtocol :: HandshakeQuery side (Maybe ALPNProtocol) -- | Get the negotiated TLS protocol version. getTLSVersion :: HandshakeQuery side TLSVersion -- | Get the negotiated cipher suite. getCipherSuite :: HandshakeQuery side CipherSuite -- | Get the SNI hostname set by the client, if any. getSNIHostname :: HandshakeQuery Server (Maybe Text) -- | Get the i-th certificate provided by the peer. -- -- Index 0 is the end entity certificate. Higher indices are -- certificates in the chain. Requesting an index higher than what is -- available returns Nothing. getPeerCertificate :: CSize -> HandshakeQuery side (Maybe DERCertificate) -- | Send a close_notify warning alert. This informs the peer that -- the connection is being closed. sendCloseNotify :: MonadIO m => Connection side -> m () -- | A Rustls connection logging callback. data LogCallback -- | Allocate a new logging callback, taking a LogLevel and a -- message. -- -- If it throws an exception, it will be wrapped in a -- RustlsLogException and passed to reportError. -- -- 🚫 Make sure that its lifetime encloses those of the Connections -- which you configured to use it. newLogCallback :: (LogLevel -> Text -> IO ()) -> Acquire LogCallback -- | Rustls log level. data LogLevel LogLevelError :: LogLevel LogLevelWarn :: LogLevel LogLevelInfo :: LogLevel LogLevelDebug :: LogLevel LogLevelTrace :: LogLevel -- | Read data from the Rustls Connection into the given buffer. readPtr :: MonadIO m => Connection side -> Ptr Word8 -> CSize -> m CSize -- | Write data to the Rustls Connection from the given buffer. writePtr :: MonadIO m => Connection side -> Ptr Word8 -> CSize -> m CSize -- | Combined version string of Rustls and rustls-ffi. -- -- 
--   >>> version
--   "rustls-ffi/0.13.0/rustls/0.23.4"
--
version :: Text -- | Underlying data source for Rustls. data Backend Backend :: (Ptr Word8 -> CSize -> IO CSize) -> (Ptr Word8 -> CSize -> IO CSize) -> Backend -- | Read data from the backend into the given buffer. [backendRead] :: Backend -> Ptr Word8 -> CSize -> IO CSize -- | Write data from the given buffer to the backend. [backendWrite] :: Backend -> Ptr Word8 -> CSize -> IO CSize mkSocketBackend :: Socket -> Backend -- | An in-memory Backend. mkByteStringBackend :: (Int -> IO ByteString) -> (ByteString -> IO ()) -> Backend -- | An ALPN protocol ID. See -- https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids -- for a list of registered IDs. newtype ALPNProtocol ALPNProtocol :: ByteString -> ALPNProtocol [unALPNProtocol] :: ALPNProtocol -> ByteString -- | A source of PEM-encoded certificates. data PEMCertificates -- | In-memory PEM-encoded certificates. PEMCertificatesInMemory :: ByteString -> PEMCertificateParsing -> PEMCertificates -- | Fetch PEM-encoded root certificates from a file. PemCertificatesFromFile :: FilePath -> PEMCertificateParsing -> PEMCertificates -- | Parsing mode for PEM-encoded certificates. data PEMCertificateParsing -- | Fail if syntactically invalid. PEMCertificateParsingStrict :: PEMCertificateParsing -- | Ignore if syntactically invalid. -- -- This may be useful on systems that have syntactically invalid root -- certificates. PEMCertificateParsingLax :: PEMCertificateParsing -- | A complete chain of certificates plus a private key for the leaf -- certificate. data CertifiedKey CertifiedKey :: ByteString -> ByteString -> CertifiedKey -- | PEM-encoded certificate chain. [certificateChain] :: CertifiedKey -> ByteString -- | PEM-encoded private key. [privateKey] :: CertifiedKey -> ByteString -- | A DER-encoded certificate. newtype DERCertificate DERCertificate :: ByteString -> DERCertificate [unDERCertificate] :: DERCertificate -> ByteString -- | One or more PEM-encoded certificate revocation lists (CRL). newtype CertificateRevocationList CertificateRevocationList :: ByteString -> CertificateRevocationList [unCertificateRevocationList] :: CertificateRevocationList -> ByteString -- | A TLS protocol version supported by Rustls. data {-# CTYPE "stdint.h" "uint16_t" #-} TLSVersion pattern TLS12 :: TLSVersion pattern TLS13 :: TLSVersion -- | The default TLSVersions used by Rustls. A subset of -- allTLSVersions. defaultTLSVersions :: NonEmpty TLSVersion -- | All TLSVersions supported by Rustls. allTLSVersions :: NonEmpty TLSVersion -- | A TLS cipher suite supported by Rustls. data CipherSuite -- | Get the IANA value from a cipher suite. The bytes are interpreted in -- network order. -- -- See -- https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 -- for a list. cipherSuiteID :: CipherSuite -> Word16 -- | Get the text representation of a cipher suite. showCipherSuite :: CipherSuite -> Text -- | The default CipherSuites used by Rustls. A subset of -- allCipherSuites. defaultCipherSuites :: NonEmpty CipherSuite -- | All CipherSuites supported by Rustls. allCipherSuites :: NonEmpty CipherSuite -- | TLS exception thrown by Rustls. -- -- Use displayException for a human-friendly representation. data RustlsException -- | Checks if the given RustlsException represents a certificate -- error. isCertError :: RustlsException -> Bool -- | Wrapper for exceptions thrown in a LogCallback. newtype RustlsLogException RustlsLogException :: SomeException -> RustlsLogException instance GHC.Generics.Generic Rustls.DERCertificate instance GHC.Classes.Ord Rustls.DERCertificate instance GHC.Classes.Eq Rustls.DERCertificate instance GHC.Show.Show Rustls.DERCertificate