-- Hoogle documentation, generated by Haddock -- See Hoogle, http://www.haskell.org/hoogle/ -- | TLS bindings for Rustls -- -- TLS bindings for Rustls via rustls-ffi. @package rustls @version 0.2.0.0 -- | Internal module, not subject to PVP. module Rustls.Internal.FFI -- | A pointer with the C const qualifier. For instance, an -- argument of type ConstPtr CInt would be marshalled as -- const int*. -- -- While const-ness generally does not matter for ccall -- imports (since const and non-const pointers -- typically have equivalent calling conventions), it does matter for -- capi imports. See GHC #22043. -- -- @since base-4.18.0.0 newtype ConstPtr a ConstPtr :: Ptr a -> ConstPtr a [unConstPtr] :: ConstPtr a -> Ptr a type ConstCString = ConstPtr CChar data ClientConfig data ClientConfigBuilder clientConfigBuilderNewCustom :: ConstPtr CryptoProvider -> ConstPtr TLSVersion -> CSize -> Ptr (Ptr ClientConfigBuilder) -> IO Result clientConfigBuilderFree :: Ptr ClientConfigBuilder -> IO () clientConfigBuilderBuild :: Ptr ClientConfigBuilder -> Ptr (ConstPtr ClientConfig) -> IO Result clientConfigFree :: FinalizerPtr ClientConfig clientConfigBuilderSetALPNProtocols :: Ptr ClientConfigBuilder -> ConstPtr SliceBytes -> CSize -> IO Result clientConfigBuilderSetEnableSNI :: Ptr ClientConfigBuilder -> CBool -> IO () clientConfigBuilderSetCertifiedKey :: Ptr ClientConfigBuilder -> ConstPtr (ConstPtr CertifiedKey) -> CSize -> IO Result data WebPkiServerCertVerifierBuilder data ServerCertVerifier webPkiServerCertVerifierBuilderNewWithProvider :: ConstPtr CryptoProvider -> ConstPtr RootCertStore -> IO (Ptr WebPkiServerCertVerifierBuilder) webPkiServerCertVerifierBuilderAddCrl :: Ptr WebPkiServerCertVerifierBuilder -> ConstPtr Word8 -> CSize -> IO Result webPkiServerCertVerifierBuilderFree :: Ptr WebPkiServerCertVerifierBuilder -> IO () webPkiServerCertVerifierBuilderBuild :: Ptr WebPkiServerCertVerifierBuilder -> Ptr (Ptr ServerCertVerifier) -> IO Result 
platformServerCertVerifierWithProvider :: ConstPtr CryptoProvider -> IO (Ptr ServerCertVerifier) serverCertVerifierFree :: Ptr ServerCertVerifier -> IO () clientConfigBuilderSetServerVerifier :: Ptr ClientConfigBuilder -> ConstPtr ServerCertVerifier -> IO () clientConnectionNew :: ConstPtr ClientConfig -> ConstCString -> Ptr (Ptr Connection) -> IO Result serverConnectionNew :: ConstPtr ServerConfig -> Ptr (Ptr Connection) -> IO Result data ServerConfig data ServerConfigBuilder serverConfigBuilderNewCustom :: ConstPtr CryptoProvider -> ConstPtr TLSVersion -> CSize -> Ptr (Ptr ServerConfigBuilder) -> IO Result serverConfigBuilderFree :: Ptr ServerConfigBuilder -> IO () serverConfigBuilderBuild :: Ptr ServerConfigBuilder -> Ptr (ConstPtr ServerConfig) -> IO Result serverConfigFree :: FinalizerPtr ServerConfig serverConfigBuilderSetALPNProtocols :: Ptr ServerConfigBuilder -> ConstPtr SliceBytes -> CSize -> IO Result serverConfigBuilderSetIgnoreClientOrder :: Ptr ServerConfigBuilder -> CBool -> IO Result serverConfigBuilderSetCertifiedKeys :: Ptr ServerConfigBuilder -> ConstPtr (ConstPtr CertifiedKey) -> CSize -> IO Result data WebPkiClientCertVerifierBuilder data ClientCertVerifier webPkiClientCertVerifierBuilderNewWithProvider :: ConstPtr CryptoProvider -> ConstPtr RootCertStore -> IO (Ptr WebPkiClientCertVerifierBuilder) webPkiClientCertVerifierBuilderAddCrl :: Ptr WebPkiClientCertVerifierBuilder -> ConstPtr Word8 -> CSize -> IO Result webPkiClientCertVerifierBuilderAllowUnauthenticated :: Ptr WebPkiClientCertVerifierBuilder -> IO Result webPkiClientCertVerifierBuilderFree :: Ptr WebPkiClientCertVerifierBuilder -> IO () webPkiClientCertVerifierBuilderBuild :: Ptr WebPkiClientCertVerifierBuilder -> Ptr (Ptr ClientCertVerifier) -> IO Result clientCertVerifierFree :: Ptr ClientCertVerifier -> IO () serverConfigBuilderSetClientVerifier :: Ptr ServerConfigBuilder -> ConstPtr ClientCertVerifier -> IO () data CertifiedKey certifiedKeyBuild :: ConstPtr Word8 -> CSize -> 
ConstPtr Word8 -> CSize -> Ptr (ConstPtr CertifiedKey) -> IO Result certifiedKeyFree :: ConstPtr CertifiedKey -> IO () data Certificate certificateGetDER :: ConstPtr Certificate -> Ptr (ConstPtr Word8) -> Ptr CSize -> IO Result data Connection connectionFree :: Ptr Connection -> IO () type ReadCallback = Ptr Userdata -> Ptr Word8 -> CSize -> Ptr CSize -> IO IOResult mkReadCallback :: ReadCallback -> IO (FunPtr ReadCallback) connectionWantsRead :: ConstPtr Connection -> IO CBool connectionRead :: Ptr Connection -> Ptr Word8 -> CSize -> Ptr CSize -> IO Result connectionReadTls :: Ptr Connection -> FunPtr ReadCallback -> Ptr Userdata -> Ptr CSize -> IO IOResult type WriteCallback = Ptr Userdata -> ConstPtr Word8 -> CSize -> Ptr CSize -> IO IOResult mkWriteCallback :: WriteCallback -> IO (FunPtr WriteCallback) connectionWantsWrite :: ConstPtr Connection -> IO CBool connectionWrite :: Ptr Connection -> Ptr Word8 -> CSize -> Ptr CSize -> IO Result connectionWriteTls :: Ptr Connection -> FunPtr WriteCallback -> Ptr Userdata -> Ptr CSize -> IO IOResult connectionProcessNewPackets :: Ptr Connection -> IO Result connectionIsHandshaking :: ConstPtr Connection -> IO CBool connectionSendCloseNotify :: Ptr Connection -> IO () connectionSetBufferLimit :: Ptr Connection -> CSize -> IO () connectionGetALPNProtocol :: ConstPtr Connection -> Ptr (ConstPtr Word8) -> Ptr CSize -> IO () connectionGetProtocolVersion :: ConstPtr Connection -> IO TLSVersion connectionGetNegotiatedCipherSuite :: ConstPtr Connection -> IO Word16 connectionGetNegotiatedCipherSuiteName :: ConstPtr Connection -> Ptr Str -> IO () serverConnectionGetSNIHostname :: ConstPtr Connection -> Ptr Word8 -> CSize -> Ptr CSize -> IO Result connectionGetPeerCertificate :: ConstPtr Connection -> CSize -> IO (ConstPtr Certificate) connectionSetLogCallback :: Ptr Connection -> FunPtr LogCallback -> IO () type LogCallback = Ptr Userdata -> ConstPtr LogParams -> IO () mkLogCallback :: LogCallback -> IO (FunPtr LogCallback) data 
LogParams LogParams :: LogLevel -> Str -> LogParams [rustlsLogParamsLevel] :: LogParams -> LogLevel [rustlsLogParamsMessage] :: LogParams -> Str newtype LogLevel LogLevel :: CSize -> LogLevel data Str Str :: CString -> CSize -> Str data SliceBytes SliceBytes :: Ptr Word8 -> CSize -> SliceBytes hsVersion :: Ptr Str -> IO () -- | (Unused) userdata. data Userdata newtype Result Result :: Word32 -> Result resultIsCertError :: Result -> CBool errorMsg :: Result -> CString -> CSize -> Ptr CSize -> IO () resultOk :: Result resultInsufficientSize :: Result newtype IOResult IOResult :: CInt -> IOResult ioResultOk :: IOResult ioResultErr :: IOResult data SupportedCipherSuite supportedCipherSuiteGetSuite :: ConstPtr SupportedCipherSuite -> Word16 hsSupportedCipherSuiteGetName :: ConstPtr SupportedCipherSuite -> Ptr Str -> IO () hsSupportedCiphersuiteProtocolVersion :: ConstPtr SupportedCipherSuite -> IO TLSVersion -- | A TLS protocol version supported by Rustls. newtype TLSVersion TLSVersion :: Word16 -> TLSVersion [unTLSVersion] :: TLSVersion -> Word16 pattern TLS12 :: TLSVersion pattern TLS13 :: TLSVersion data CryptoProvider data CryptoProviderBuilder cryptoProviderBuilderNewFromDefault :: Ptr (Ptr CryptoProviderBuilder) -> IO Result cryptoProviderBuilderNewWithBase :: ConstPtr CryptoProvider -> IO (Ptr CryptoProviderBuilder) cryptoProviderBuilderSetCipherSuites :: Ptr CryptoProviderBuilder -> ConstPtr (ConstPtr SupportedCipherSuite) -> CSize -> IO Result cryptoProviderBuilderBuild :: Ptr CryptoProviderBuilder -> Ptr (ConstPtr CryptoProvider) -> IO Result cryptoProviderBuilderFree :: Ptr CryptoProviderBuilder -> IO () cryptoProviderFree :: FinalizerPtr CryptoProvider cryptoProviderCiphersuitesLen :: ConstPtr CryptoProvider -> CSize cryptoProviderCiphersuitesGet :: ConstPtr CryptoProvider -> CSize -> ConstPtr SupportedCipherSuite data RootCertStoreBuilder data RootCertStore rootCertStoreBuilderNew :: IO (Ptr RootCertStoreBuilder) rootCertStoreBuilderAddPem :: Ptr 
RootCertStoreBuilder -> ConstPtr Word8 -> CSize -> CBool -> IO Result rootCertStoreBuilderLoadRootsFromFile :: Ptr RootCertStoreBuilder -> ConstCString -> CBool -> IO Result rootCertStoreBuilderFree :: Ptr RootCertStoreBuilder -> IO () rootCertStoreBuilderBuild :: Ptr RootCertStoreBuilder -> Ptr (ConstPtr RootCertStore) -> IO Result rootCertStoreFree :: ConstPtr RootCertStore -> IO () instance GHC.Classes.Eq Rustls.Internal.FFI.IOResult instance GHC.Classes.Eq Rustls.Internal.FFI.LogLevel instance GHC.Classes.Eq Rustls.Internal.FFI.Result instance GHC.Classes.Eq Rustls.Internal.FFI.TLSVersion instance Foreign.Storable.Generic.Internal.GStorable Rustls.Internal.FFI.LogParams instance Foreign.Storable.Generic.Internal.GStorable Rustls.Internal.FFI.SliceBytes instance Foreign.Storable.Generic.Internal.GStorable Rustls.Internal.FFI.Str instance GHC.Internal.Generics.Generic Rustls.Internal.FFI.LogParams instance GHC.Internal.Generics.Generic Rustls.Internal.FFI.SliceBytes instance GHC.Internal.Generics.Generic Rustls.Internal.FFI.Str instance GHC.Classes.Ord Rustls.Internal.FFI.Result instance GHC.Classes.Ord Rustls.Internal.FFI.TLSVersion instance GHC.Internal.Show.Show Rustls.Internal.FFI.LogLevel instance GHC.Internal.Show.Show Rustls.Internal.FFI.Result instance GHC.Internal.Show.Show Rustls.Internal.FFI.TLSVersion instance GHC.Internal.Foreign.Storable.Storable Rustls.Internal.FFI.LogLevel instance GHC.Internal.Foreign.Storable.Storable Rustls.Internal.FFI.TLSVersion -- | Internal module, not subject to PVP. module Rustls.Internal -- | A cryptography provider for Rustls. -- -- In particular, this contains the set of supported TLS cipher suites. newtype CryptoProvider CryptoProvider :: ForeignPtr CryptoProvider -> CryptoProvider [unCryptoProvider] :: CryptoProvider -> ForeignPtr CryptoProvider -- | An ALPN protocol ID. See -- https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids -- for a list of registered IDs. 
newtype ALPNProtocol ALPNProtocol :: ByteString -> ALPNProtocol [unALPNProtocol] :: ALPNProtocol -> ByteString -- | A TLS cipher suite supported by a Rustls cryptography provider. data CipherSuite CipherSuite :: Word16 -> Text -> TLSVersion -> CipherSuite -- | The IANA value of the cipher suite. The bytes are interpreted in -- network order. -- -- See -- https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 -- for a list. [cipherSuiteID] :: CipherSuite -> Word16 -- | The text representation of the cipher suite. [cipherSuiteName] :: CipherSuite -> Text -- | The TLS version of the cipher suite. [cipherSuiteTLSVersion] :: CipherSuite -> TLSVersion -- | A negotiated TLS cipher suite. Subset of CipherSuite. data NegotiatedCipherSuite NegotiatedCipherSuite :: Word16 -> Text -> NegotiatedCipherSuite -- | The IANA value of the cipher suite. The bytes are interpreted in -- network order. -- -- See -- https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 -- for a list. [negotiatedCipherSuiteID] :: NegotiatedCipherSuite -> Word16 -- | The text representation of the cipher suite. [negotiatedCipherSuiteName] :: NegotiatedCipherSuite -> Text -- | Rustls client config builder. data ClientConfigBuilder ClientConfigBuilder :: CryptoProvider -> ServerCertVerifier -> [ALPNProtocol] -> Bool -> [CertifiedKey] -> ClientConfigBuilder -- | The cryptography provider. [clientConfigCryptoProvider] :: ClientConfigBuilder -> CryptoProvider -- | The server certificate verifier. [clientConfigServerCertVerifier] :: ClientConfigBuilder -> ServerCertVerifier -- | ALPN protocols. [clientConfigALPNProtocols] :: ClientConfigBuilder -> [ALPNProtocol] -- | Whether to enable Server Name Indication. Defaults to True. [clientConfigEnableSNI] :: ClientConfigBuilder -> Bool -- | List of CertifiedKeys for client authentication. -- -- Clients that want to support both ECDSA and RSA certificates will want -- the ECDSA to go first in the list. 
[clientConfigCertifiedKeys] :: ClientConfigBuilder -> [CertifiedKey] -- | How to verify TLS server certificates. data ServerCertVerifier -- | Verify the validity of TLS certificates based on the operating -- system's certificate facilities, using -- rustls-platform-verifier. PlatformServerCertVerifier :: ServerCertVerifier ServerCertVerifier :: NonEmpty PEMCertificates -> [CertificateRevocationList] -> ServerCertVerifier -- | Certificates used to verify TLS server certificates. [serverCertVerifierCertificates] :: ServerCertVerifier -> NonEmpty PEMCertificates -- | List of certificate revocation lists used to verify TLS server -- certificates. [serverCertVerifierCRLs] :: ServerCertVerifier -> [CertificateRevocationList] -- | A source of PEM-encoded certificates. data PEMCertificates -- | In-memory PEM-encoded certificates. PEMCertificatesInMemory :: ByteString -> PEMCertificateParsing -> PEMCertificates -- | Fetch PEM-encoded root certificates from a file. PemCertificatesFromFile :: FilePath -> PEMCertificateParsing -> PEMCertificates -- | Parsing mode for PEM-encoded certificates. data PEMCertificateParsing -- | Fail if any certificate is syntactically invalid. PEMCertificateParsingStrict :: PEMCertificateParsing -- | Skip certificates that are syntactically invalid instead of failing. -- -- This may be useful on systems that have syntactically invalid root -- certificates. Skipped certificates are not added, so the resulting -- set of trust anchors can be smaller than the input suggests. PEMCertificateParsingLax :: PEMCertificateParsing -- | A complete chain of certificates plus a private key for the leaf -- certificate. data CertifiedKey CertifiedKey :: ByteString -> ByteString -> CertifiedKey -- | PEM-encoded certificate chain. [certificateChain] :: CertifiedKey -> ByteString -- | PEM-encoded private key. [privateKey] :: CertifiedKey -> ByteString -- | Assembled configuration for a Rustls client connection. data ClientConfig ClientConfig :: ForeignPtr ClientConfig -> Maybe LogCallback -> ClientConfig [clientConfigPtr] :: ClientConfig -> ForeignPtr ClientConfig -- | A logging callback. 
-- -- Note that this is a record selector, so you can use it as a setter: -- --
--   >>> :{
--   setLogCallback :: LogCallback -> ClientConfig -> ClientConfig
--   setLogCallback logCallback clientConfig =
--     clientConfig { clientConfigLogCallback = Just logCallback }
--   :}
--   
[clientConfigLogCallback] :: ClientConfig -> Maybe LogCallback -- | How to verify TLS client certificates. data ClientCertVerifier ClientCertVerifier :: ClientCertVerifierPolicy -> NonEmpty PEMCertificates -> [CertificateRevocationList] -> ClientCertVerifier -- | Which client connections are allowed. [clientCertVerifierPolicy] :: ClientCertVerifier -> ClientCertVerifierPolicy -- | Certificates used to verify TLS client certificates. [clientCertVerifierCertificates] :: ClientCertVerifier -> NonEmpty PEMCertificates -- | List of certificate revocation lists used to verify TLS client -- certificates. [clientCertVerifierCRLs] :: ClientCertVerifier -> [CertificateRevocationList] -- | Which client connections are allowed by a ClientCertVerifier. data ClientCertVerifierPolicy -- | Allow any authenticated client (i.e. offering a trusted certificate), -- and reject clients offering none. AllowAnyAuthenticatedClient :: ClientCertVerifierPolicy -- | Allow any authenticated client (i.e. offering a trusted certificate), -- but also allow clients offering none. With this policy a completed -- handshake does not imply an authenticated client; check -- getPeerCertificate before relying on the client's identity. AllowAnyAnonymousOrAuthenticatedClient :: ClientCertVerifierPolicy -- | One or more PEM-encoded certificate revocation lists (CRL). newtype CertificateRevocationList CertificateRevocationList :: ByteString -> CertificateRevocationList [unCertificateRevocationList] :: CertificateRevocationList -> ByteString -- | Rustls server config builder. data ServerConfigBuilder ServerConfigBuilder :: CryptoProvider -> NonEmpty CertifiedKey -> [ALPNProtocol] -> Bool -> Maybe ClientCertVerifier -> ServerConfigBuilder -- | The cryptography provider. [serverConfigCryptoProvider] :: ServerConfigBuilder -> CryptoProvider -- | List of CertifiedKeys. [serverConfigCertifiedKeys] :: ServerConfigBuilder -> NonEmpty CertifiedKey -- | ALPN protocols. [serverConfigALPNProtocols] :: ServerConfigBuilder -> [ALPNProtocol] -- | Ignore the client's ciphersuite order. Defaults to False. 
[serverConfigIgnoreClientOrder] :: ServerConfigBuilder -> Bool -- | Optionally, a client cert verifier. [serverConfigClientCertVerifier] :: ServerConfigBuilder -> Maybe ClientCertVerifier -- | Assembled configuration for a Rustls server connection. data ServerConfig ServerConfig :: ForeignPtr ServerConfig -> Maybe LogCallback -> ServerConfig [serverConfigPtr] :: ServerConfig -> ForeignPtr ServerConfig -- | A logging callback. -- -- Note that this is a record selector, so you can use it as a setter: -- --
--   >>> :{
--   setLogCallback :: LogCallback -> ServerConfig -> ServerConfig
--   setLogCallback logCallback serverConfig =
--     serverConfig { serverConfigLogCallback = Just logCallback }
--   :}
--   
[serverConfigLogCallback] :: ServerConfig -> Maybe LogCallback -- | Rustls log level. data LogLevel LogLevelError :: LogLevel LogLevelWarn :: LogLevel LogLevelInfo :: LogLevel LogLevelDebug :: LogLevel LogLevelTrace :: LogLevel -- | A Rustls connection logging callback. newtype LogCallback LogCallback :: FunPtr LogCallback -> LogCallback [unLogCallback] :: LogCallback -> FunPtr LogCallback -- | A Monad to get TLS connection information via handshake. newtype HandshakeQuery (side :: Side) a HandshakeQuery :: ReaderT Connection' IO a -> HandshakeQuery (side :: Side) a handshakeQuery :: forall a (side :: Side). (Connection' -> IO a) -> HandshakeQuery side a -- | TLS exception thrown by Rustls. -- -- Use displayException for a human-friendly representation. newtype RustlsException RustlsException :: Word32 -> RustlsException [rustlsErrorCode] :: RustlsException -> Word32 resultMsg :: Result -> Text -- | Checks if the given RustlsException represents a certificate -- error. isCertError :: RustlsException -> Bool rethrowR :: Result -> IO () -- | Wrapper for exceptions thrown in a LogCallback. newtype RustlsLogException RustlsLogException :: SomeException -> RustlsLogException data RustlsUnknownLogLevel RustlsUnknownLogLevel :: LogLevel -> RustlsUnknownLogLevel -- | Underlying data source for Rustls. data Backend Backend :: (Ptr Word8 -> CSize -> IO CSize) -> (Ptr Word8 -> CSize -> IO CSize) -> Backend -- | Read data from the backend into the given buffer. [backendRead] :: Backend -> Ptr Word8 -> CSize -> IO CSize -- | Write data from the given buffer to the backend. [backendWrite] :: Backend -> Ptr Word8 -> CSize -> IO CSize mkSocketBackend :: Socket -> Backend -- | An in-memory Backend. mkByteStringBackend :: (Int -> IO ByteString) -> (ByteString -> IO ()) -> Backend -- | Type-level indicator whether a Connection is client- or -- server-side. data Side Client :: Side Server :: Side -- | A Rustls connection. 
newtype Connection (side :: Side) Connection :: MVar Connection' -> Connection (side :: Side) data Connection' Connection' :: Ptr Connection -> Backend -> Ptr CSize -> MVar IOMsgReq -> MVar IOMsgRes -> ThreadId -> Connection' [conn] :: Connection' -> Ptr Connection [backend] :: Connection' -> Backend [lenPtr] :: Connection' -> Ptr CSize [ioMsgReq] :: Connection' -> MVar IOMsgReq [ioMsgRes] :: Connection' -> MVar IOMsgRes [interactThread] :: Connection' -> ThreadId withConnection :: forall (side :: Side) a. Connection side -> (Connection' -> IO a) -> IO a data ReadOrWrite Read :: ReadOrWrite Write :: ReadOrWrite -- | Messages sent to the background thread. data IOMsgReq -- | Request to start a read or a write FFI call from the background -- thread. It should respond with UsingBuffer. Request :: ReadOrWrite -> IOMsgReq -- | Notify the background thread that we are done interacting with the -- buffer. Done :: IOResult -> IOMsgReq -- | Messages sent from the background thread. data IOMsgRes -- | Reply with a buffer, either containing the read data, or awaiting a -- write to this buffer. UsingBuffer :: Ptr Word8 -> CSize -> Ptr CSize -> IOMsgRes -- | Notify that the FFI call finished. DoneFFI :: IOMsgRes interactTLS :: Connection' -> ReadOrWrite -> IO CSize data IsEOF IsEOF :: IsEOF NotEOF :: IsEOF -- | Helper function, see complete_io from rustls. 
-- -- -- https://github.com/rustls/rustls/blob/v/0.23.4/rustls/src/conn.rs#L544 completeIO :: Connection' -> IO IsEOF completePriorIO :: Connection' -> IO () getIsHandshaking :: Connection' -> IO Bool getWantsRead :: Connection' -> IO Bool getWantsWrite :: Connection' -> IO Bool whenM :: Monad m => m Bool -> m () -> m () loopWhileTrue :: Monad m => m Bool -> m () cSizeToInt :: CSize -> Int intToCSize :: Int -> CSize strToText :: Str -> IO Text ignoreExceptions :: IO () -> IO () ignoreSyncExceptions :: IO () -> IO () instance GHC.Internal.Base.Applicative (Rustls.Internal.HandshakeQuery side) instance GHC.Internal.Enum.Bounded Rustls.Internal.ClientCertVerifierPolicy instance GHC.Internal.Enum.Bounded Rustls.Internal.LogLevel instance GHC.Internal.Enum.Bounded Rustls.Internal.PEMCertificateParsing instance GHC.Internal.Enum.Enum Rustls.Internal.ClientCertVerifierPolicy instance GHC.Internal.Enum.Enum Rustls.Internal.LogLevel instance GHC.Internal.Enum.Enum Rustls.Internal.PEMCertificateParsing instance GHC.Classes.Eq Rustls.Internal.ALPNProtocol instance GHC.Classes.Eq Rustls.Internal.CipherSuite instance GHC.Classes.Eq Rustls.Internal.ClientCertVerifierPolicy instance GHC.Classes.Eq Rustls.Internal.IsEOF instance GHC.Classes.Eq Rustls.Internal.LogLevel instance GHC.Classes.Eq Rustls.Internal.NegotiatedCipherSuite instance GHC.Classes.Eq Rustls.Internal.PEMCertificateParsing instance GHC.Internal.Exception.Type.Exception Rustls.Internal.RustlsException instance GHC.Internal.Exception.Type.Exception Rustls.Internal.RustlsLogException instance GHC.Internal.Exception.Type.Exception Rustls.Internal.RustlsUnknownLogLevel instance GHC.Internal.Base.Functor (Rustls.Internal.HandshakeQuery side) instance GHC.Internal.Generics.Generic Rustls.Internal.ALPNProtocol instance GHC.Internal.Generics.Generic Rustls.Internal.CertificateRevocationList instance GHC.Internal.Generics.Generic Rustls.Internal.CertifiedKey instance GHC.Internal.Generics.Generic Rustls.Internal.CipherSuite 
instance GHC.Internal.Generics.Generic Rustls.Internal.ClientCertVerifier instance GHC.Internal.Generics.Generic Rustls.Internal.ClientCertVerifierPolicy instance GHC.Internal.Generics.Generic Rustls.Internal.ClientConfigBuilder instance GHC.Internal.Generics.Generic Rustls.Internal.LogLevel instance GHC.Internal.Generics.Generic Rustls.Internal.NegotiatedCipherSuite instance GHC.Internal.Generics.Generic Rustls.Internal.PEMCertificateParsing instance GHC.Internal.Generics.Generic Rustls.Internal.PEMCertificates instance GHC.Internal.Generics.Generic Rustls.Internal.ServerCertVerifier instance GHC.Internal.Generics.Generic Rustls.Internal.ServerConfigBuilder instance GHC.Internal.Base.Monad (Rustls.Internal.HandshakeQuery side) instance GHC.Classes.Ord Rustls.Internal.ALPNProtocol instance GHC.Classes.Ord Rustls.Internal.CipherSuite instance GHC.Classes.Ord Rustls.Internal.ClientCertVerifierPolicy instance GHC.Classes.Ord Rustls.Internal.LogLevel instance GHC.Classes.Ord Rustls.Internal.NegotiatedCipherSuite instance GHC.Classes.Ord Rustls.Internal.PEMCertificateParsing instance GHC.Internal.Show.Show Rustls.Internal.ALPNProtocol instance GHC.Internal.Show.Show Rustls.Internal.CertificateRevocationList instance GHC.Internal.Show.Show Rustls.Internal.CertifiedKey instance GHC.Internal.Show.Show Rustls.Internal.CipherSuite instance GHC.Internal.Show.Show Rustls.Internal.ClientCertVerifier instance GHC.Internal.Show.Show Rustls.Internal.ClientCertVerifierPolicy instance GHC.Internal.Show.Show Rustls.Internal.ClientConfigBuilder instance GHC.Internal.Show.Show Rustls.Internal.CryptoProvider instance GHC.Internal.Show.Show Rustls.Internal.IsEOF instance GHC.Internal.Show.Show Rustls.Internal.LogLevel instance GHC.Internal.Show.Show Rustls.Internal.NegotiatedCipherSuite instance GHC.Internal.Show.Show Rustls.Internal.PEMCertificateParsing instance GHC.Internal.Show.Show Rustls.Internal.PEMCertificates instance GHC.Internal.Show.Show Rustls.Internal.RustlsException 
instance GHC.Internal.Show.Show Rustls.Internal.RustlsLogException instance GHC.Internal.Show.Show Rustls.Internal.RustlsUnknownLogLevel instance GHC.Internal.Show.Show Rustls.Internal.ServerCertVerifier instance GHC.Internal.Show.Show Rustls.Internal.ServerConfigBuilder -- | TLS bindings for Rustls via rustls-ffi. -- -- See the README on GitHub for setup instructions. -- -- Currently, most of the functionality exposed by rustls-ffi is -- available, while rustls-ffi is still missing some more niche Rustls -- features. -- -- Also see http-client-rustls for making HTTPS requests using -- http-client and Rustls. -- --

Client example

-- -- Suppose you have already opened a Socket to -- example.org, port 443 (see e.g. the examples at -- Network.Socket). This small example showcases how to perform a -- simple HTTP GET request: -- --
--   >>> :set -XOverloadedStrings
--   
--   >>> import qualified Rustls
--   
--   >>> import Network.Socket (Socket)
--   
--   >>> import Data.Acquire (withAcquire)
--   
--   >>> :{
--   example :: Socket -> IO ()
--   example socket = do
--     -- It is encouraged to share a single `clientConfig` when creating multiple
--     -- TLS connections.
--     clientConfig <-
--       Rustls.buildClientConfig =<< Rustls.defaultClientConfigBuilder
--     let backend = Rustls.mkSocketBackend socket
--         newConnection =
--           Rustls.newClientConnection backend clientConfig "example.org"
--     withAcquire newConnection $ \conn -> do
--       Rustls.writeBS conn "GET /"
--       recv <- Rustls.readBS conn 1000 -- max number of bytes to read
--       print recv
--   :}
--   
-- --

Using Acquire

-- -- Some API functions (like newClientConnection and -- newServerConnection) return an Acquire from -- resourcet, as it is a convenient abstraction for exposing a -- value that should be consumed in a "bracketed" manner. -- -- Usually, it can be used via with or withAcquire, or via -- allocateAcquire when a MonadResource constraint is -- available. If you really need the extra flexibility, you can also -- access separate open… and close… functions by -- reaching for Data.Acquire.Internal. module Rustls -- | Rustls client config builder. data ClientConfigBuilder ClientConfigBuilder :: CryptoProvider -> ServerCertVerifier -> [ALPNProtocol] -> Bool -> [CertifiedKey] -> ClientConfigBuilder -- | The cryptography provider. [clientConfigCryptoProvider] :: ClientConfigBuilder -> CryptoProvider -- | The server certificate verifier. [clientConfigServerCertVerifier] :: ClientConfigBuilder -> ServerCertVerifier -- | ALPN protocols. [clientConfigALPNProtocols] :: ClientConfigBuilder -> [ALPNProtocol] -- | Whether to enable Server Name Indication. Defaults to True. [clientConfigEnableSNI] :: ClientConfigBuilder -> Bool -- | List of CertifiedKeys for client authentication. -- -- Clients that want to support both ECDSA and RSA certificates will want -- the ECDSA to go first in the list. [clientConfigCertifiedKeys] :: ClientConfigBuilder -> [CertifiedKey] -- | A ClientConfigBuilder with good defaults, using the OS -- certificate store. defaultClientConfigBuilder :: MonadIO m => m ClientConfigBuilder -- | How to verify TLS server certificates. data ServerCertVerifier -- | Verify the validity of TLS certificates based on the operating -- system's certificate facilities, using -- rustls-platform-verifier. PlatformServerCertVerifier :: ServerCertVerifier ServerCertVerifier :: NonEmpty PEMCertificates -> [CertificateRevocationList] -> ServerCertVerifier -- | Certificates used to verify TLS server certificates. 
[serverCertVerifierCertificates] :: ServerCertVerifier -> NonEmpty PEMCertificates -- | List of certificate revocation lists used to verify TLS server -- certificates. [serverCertVerifierCRLs] :: ServerCertVerifier -> [CertificateRevocationList] -- | Assembled configuration for a Rustls client connection. data ClientConfig -- | A logging callback. -- -- Note that this is a record selector, so you can use it as a setter: -- --
--   >>> :{
--   setLogCallback :: LogCallback -> ClientConfig -> ClientConfig
--   setLogCallback logCallback clientConfig =
--     clientConfig { clientConfigLogCallback = Just logCallback }
--   :}
--   
clientConfigLogCallback :: ClientConfig -> Maybe LogCallback -- | Build a ClientConfigBuilder into a ClientConfig. -- -- This is a relatively expensive operation, so it is a good idea to -- share one ClientConfig when creating multiple -- Connections. buildClientConfig :: MonadIO m => ClientConfigBuilder -> m ClientConfig -- | Initialize a TLS connection as a client. -- -- The Text argument is the server's hostname, which Rustls uses for SNI -- and for verifying the server certificate. newClientConnection :: Backend -> ClientConfig -> Text -> Acquire (Connection 'Client) -- | Rustls server config builder. data ServerConfigBuilder ServerConfigBuilder :: CryptoProvider -> NonEmpty CertifiedKey -> [ALPNProtocol] -> Bool -> Maybe ClientCertVerifier -> ServerConfigBuilder -- | The cryptography provider. [serverConfigCryptoProvider] :: ServerConfigBuilder -> CryptoProvider -- | List of CertifiedKeys. [serverConfigCertifiedKeys] :: ServerConfigBuilder -> NonEmpty CertifiedKey -- | ALPN protocols. [serverConfigALPNProtocols] :: ServerConfigBuilder -> [ALPNProtocol] -- | Ignore the client's ciphersuite order. Defaults to False. [serverConfigIgnoreClientOrder] :: ServerConfigBuilder -> Bool -- | Optionally, a client cert verifier. [serverConfigClientCertVerifier] :: ServerConfigBuilder -> Maybe ClientCertVerifier -- | A ServerConfigBuilder with good defaults. defaultServerConfigBuilder :: MonadIO m => NonEmpty CertifiedKey -> m ServerConfigBuilder -- | How to verify TLS client certificates. data ClientCertVerifier ClientCertVerifier :: ClientCertVerifierPolicy -> NonEmpty PEMCertificates -> [CertificateRevocationList] -> ClientCertVerifier -- | Which client connections are allowed. [clientCertVerifierPolicy] :: ClientCertVerifier -> ClientCertVerifierPolicy -- | Certificates used to verify TLS client certificates. [clientCertVerifierCertificates] :: ClientCertVerifier -> NonEmpty PEMCertificates -- | List of certificate revocation lists used to verify TLS client -- certificates. 
[clientCertVerifierCRLs] :: ClientCertVerifier -> [CertificateRevocationList] -- | Which client connections are allowed by a ClientCertVerifier. data ClientCertVerifierPolicy -- | Allow any authenticated client (i.e. offering a trusted certificate), -- and reject clients offering none. AllowAnyAuthenticatedClient :: ClientCertVerifierPolicy -- | Allow any authenticated client (i.e. offering a trusted certificate), -- but also allow clients offering none. With this policy a completed -- handshake does not imply an authenticated client; check -- getPeerCertificate before relying on the client's identity. AllowAnyAnonymousOrAuthenticatedClient :: ClientCertVerifierPolicy -- | Assembled configuration for a Rustls server connection. data ServerConfig -- | A logging callback. -- -- Note that this is a record selector, so you can use it as a setter: -- --
--   >>> :{
--   setLogCallback :: LogCallback -> ServerConfig -> ServerConfig
--   setLogCallback logCallback serverConfig =
--     serverConfig { serverConfigLogCallback = Just logCallback }
--   :}
--   
serverConfigLogCallback :: ServerConfig -> Maybe LogCallback -- | Build a ServerConfigBuilder into a ServerConfig. -- -- This is a relatively expensive operation, so it is a good idea to -- share one ServerConfig when creating multiple -- Connections. buildServerConfig :: MonadIO m => ServerConfigBuilder -> m ServerConfig -- | Initialize a TLS connection as a server. newServerConnection :: Backend -> ServerConfig -> Acquire (Connection 'Server) -- | A Rustls connection. data Connection (side :: Side) -- | Type-level indicator whether a Connection is client- or -- server-side. data Side Client :: Side Server :: Side -- | Read data from the Rustls Connection into a ByteString. -- The result will not be longer than the given length. readBS :: forall m (side :: Side). MonadIO m => Connection side -> Int -> m ByteString -- | Write a ByteString to the Rustls Connection. writeBS :: forall m (side :: Side). MonadIO m => Connection side -> ByteString -> m () -- | Ensure that the TLS handshake has completed. It is only necessary to call -- this if you want to obtain connection information. You can do so by -- providing a HandshakeQuery. -- --
--   >>> :{
--   getALPNAndTLSVersion ::
--     MonadIO m =>
--     Connection side ->
--     m (Maybe ALPNProtocol, TLSVersion)
--   getALPNAndTLSVersion conn =
--     handshake conn $ (,) <$> getALPNProtocol <*> getTLSVersion
--   :}
--   
handshake :: forall m (side :: Side) a. MonadIO m => Connection side -> HandshakeQuery side a -> m a -- | A Monad to get TLS connection information via handshake. data HandshakeQuery (side :: Side) a -- | Get the negotiated ALPN protocol, if any. getALPNProtocol :: forall (side :: Side). HandshakeQuery side (Maybe ALPNProtocol) -- | Get the negotiated TLS protocol version. getTLSVersion :: forall (side :: Side). HandshakeQuery side TLSVersion -- | Get the negotiated cipher suite. getNegotiatedCipherSuite :: forall (side :: Side). HandshakeQuery side NegotiatedCipherSuite -- | Get the SNI hostname set by the client, if any. -- -- The hostname is chosen by the client, so treat it as untrusted input -- and validate it before using it for routing or lookups. getSNIHostname :: HandshakeQuery 'Server (Maybe Text) -- | Get the i-th certificate provided by the peer. -- -- Index 0 is the end entity certificate. Higher indices are -- certificates in the chain. Requesting an index higher than what is -- available returns Nothing; in particular, index 0 returns Nothing -- when the peer presented no certificate. getPeerCertificate :: forall (side :: Side). CSize -> HandshakeQuery side (Maybe DERCertificate) -- | Send a close_notify warning alert. This informs the peer that -- the connection is being closed. sendCloseNotify :: forall m (side :: Side). MonadIO m => Connection side -> m () -- | A Rustls connection logging callback. data LogCallback -- | Allocate a new logging callback, taking a LogLevel and a -- message. -- -- If the callback throws an exception, it will be wrapped in a -- RustlsLogException and passed to reportError. -- -- 🚫 Make sure that its lifetime encloses those of the Connections -- which you configured to use it. newLogCallback :: (LogLevel -> Text -> IO ()) -> Acquire LogCallback -- | Rustls log level. data LogLevel LogLevelError :: LogLevel LogLevelWarn :: LogLevel LogLevelInfo :: LogLevel LogLevelDebug :: LogLevel LogLevelTrace :: LogLevel -- | Read data from the Rustls Connection into the given buffer. -- The caller must ensure that the buffer is valid for the given size. readPtr :: forall m (side :: Side). MonadIO m => Connection side -> Ptr Word8 -> CSize -> m CSize -- | Write data to the Rustls Connection from the given buffer. -- The caller must ensure that the buffer is valid for the given size.
writePtr :: forall m (side :: Side). MonadIO m => Connection side -> Ptr Word8 -> CSize -> m CSize -- | Combined version string of Rustls and rustls-ffi, as well as the -- Rustls cryptography provider. -- --
--   >>> version
--   "rustls-ffi/0.14.0/rustls/0.23.13/aws-lc-rs"
--   
version :: Text -- | Underlying data source for Rustls. data Backend Backend :: (Ptr Word8 -> CSize -> IO CSize) -> (Ptr Word8 -> CSize -> IO CSize) -> Backend -- | Read data from the backend into the given buffer. [backendRead] :: Backend -> Ptr Word8 -> CSize -> IO CSize -- | Write data from the given buffer to the backend. [backendWrite] :: Backend -> Ptr Word8 -> CSize -> IO CSize mkSocketBackend :: Socket -> Backend -- | An in-memory Backend. mkByteStringBackend :: (Int -> IO ByteString) -> (ByteString -> IO ()) -> Backend -- | A cryptography provider for Rustls. -- -- In particular, this contains the set of supported TLS cipher suites. data CryptoProvider -- | Get the process-wide default Rustls cryptography provider. getDefaultCryptoProvider :: MonadIO m => m CryptoProvider -- | Create a derived CryptoProvider by restricting the cipher -- suites to the ones in the given list. setCryptoProviderCipherSuites :: MonadError RustlsException m => [CipherSuite] -> CryptoProvider -> m CryptoProvider -- | Get the cipher suites supported by the given cryptography provider. cryptoProviderCipherSuites :: CryptoProvider -> [CipherSuite] -- | Get all TLS versions supported by at least one of the cipher suites -- supported by the given cryptography provider. cryptoProviderTLSVersions :: CryptoProvider -> [TLSVersion] -- | An ALPN protocol ID. See -- https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids -- for a list of registered IDs. newtype ALPNProtocol ALPNProtocol :: ByteString -> ALPNProtocol [unALPNProtocol] :: ALPNProtocol -> ByteString -- | A source of PEM-encoded certificates. data PEMCertificates -- | In-memory PEM-encoded certificates. PEMCertificatesInMemory :: ByteString -> PEMCertificateParsing -> PEMCertificates -- | Fetch PEM-encoded root certificates from a file. PemCertificatesFromFile :: FilePath -> PEMCertificateParsing -> PEMCertificates -- | Parsing mode for PEM-encoded certificates. 
data PEMCertificateParsing -- | Fail if a certificate is syntactically invalid. PEMCertificateParsingStrict :: PEMCertificateParsing -- | Skip certificates that are syntactically invalid instead of failing. -- -- This may be useful on systems that have syntactically invalid root -- certificates. Skipped certificates are left out of the result, so the -- loaded set can be smaller than the input. PEMCertificateParsingLax :: PEMCertificateParsing -- | A complete chain of certificates plus a private key for the leaf -- certificate. data CertifiedKey CertifiedKey :: ByteString -> ByteString -> CertifiedKey -- | PEM-encoded certificate chain. [certificateChain] :: CertifiedKey -> ByteString -- | PEM-encoded private key. -- -- This is secret key material; keep it out of logs and error messages. [privateKey] :: CertifiedKey -> ByteString -- | A DER-encoded certificate. newtype DERCertificate DERCertificate :: ByteString -> DERCertificate [unDERCertificate] :: DERCertificate -> ByteString -- | One or more PEM-encoded certificate revocation lists (CRL). newtype CertificateRevocationList CertificateRevocationList :: ByteString -> CertificateRevocationList [unCertificateRevocationList] :: CertificateRevocationList -> ByteString -- | A TLS protocol version supported by Rustls. data TLSVersion pattern TLS12 :: TLSVersion pattern TLS13 :: TLSVersion -- | A TLS cipher suite supported by a Rustls cryptography provider. data CipherSuite CipherSuite :: Word16 -> Text -> TLSVersion -> CipherSuite -- | The IANA value of the cipher suite. The bytes are interpreted in -- network order. -- -- See -- https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 -- for a list. [cipherSuiteID] :: CipherSuite -> Word16 -- | The text representation of the cipher suite. [cipherSuiteName] :: CipherSuite -> Text -- | The TLS version of the cipher suite. [cipherSuiteTLSVersion] :: CipherSuite -> TLSVersion -- | A negotiated TLS cipher suite. Subset of CipherSuite. data NegotiatedCipherSuite NegotiatedCipherSuite :: Word16 -> Text -> NegotiatedCipherSuite -- | The IANA value of the cipher suite. The bytes are interpreted in -- network order.
-- -- See -- https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 -- for a list. [negotiatedCipherSuiteID] :: NegotiatedCipherSuite -> Word16 -- | The text representation of the cipher suite. [negotiatedCipherSuiteName] :: NegotiatedCipherSuite -> Text -- | TLS exception thrown by Rustls. -- -- Use displayException for a human-friendly representation. data RustlsException -- | Checks if the given RustlsException represents a certificate -- error. isCertError :: RustlsException -> Bool -- | Wrapper for exceptions thrown in a LogCallback. newtype RustlsLogException RustlsLogException :: SomeException -> RustlsLogException instance GHC.Classes.Eq Rustls.DERCertificate instance GHC.Internal.Generics.Generic Rustls.DERCertificate instance GHC.Classes.Ord Rustls.DERCertificate instance GHC.Internal.Show.Show Rustls.DERCertificate