-- Hoogle documentation, generated by Haddock -- See Hoogle, http://www.haskell.org/hoogle/ -- | TLS/SSL protocol native implementation (Server and Client) -- -- Native Haskell TLS and SSL protocol implementation for server and -- client. -- -- This provides a high-level implementation of a sensitive security -- protocol, eliminating a common set of security issues through the use -- of the advanced type system, high level constructions and common -- Haskell features. -- -- Currently implement the SSL3.0, TLS1.0, TLS1.1, TLS1.2 and TLS 1.3 -- protocol, and support RSA and Ephemeral (Elliptic curve and regular) -- Diffie Hellman key exchanges, and many extensions. -- -- Some debug tools linked with tls, are available through the -- http://hackage.haskell.org/package/tls-debug/. @package tls @version 1.5.2 -- | Finite Field Diffie-Hellman Ephemeral Parameters defined in RFC 7919. module Network.TLS.Extra.FFDHE -- | 2048 bits finite field Diffie-Hellman ephemeral parameters defined in -- RFC 7919. The estimated symmetric-equivalent strength is 103 bits. ffdhe2048 :: DHParams -- | 3072 bits finite field Diffie-Hellman ephemeral parameters defined in -- RFC 7919. The estimated symmetric-equivalent strength is 125 bits. ffdhe3072 :: DHParams -- | 4096 bits finite field Diffie-Hellman ephemeral parameters defined in -- RFC 7919. The estimated symmetric-equivalent strength is 150 bits. ffdhe4096 :: DHParams -- | 6144 bits finite field Diffie-Hellman ephemeral parameters defined in -- RFC 7919. The estimated symmetric-equivalent strength is 175 bits. ffdhe6144 :: DHParams -- | 8192 bits finite field Diffie-Hellman ephemeral parameters defined in -- RFC 7919. The estimated symmetric-equivalent strength is 192 bits. ffdhe8192 :: DHParams module Network.TLS.Extra.Cipher -- | All AES and ChaCha20-Poly1305 ciphers supported ordered from strong to -- weak. This choice of ciphersuites should satisfy most normal needs. -- For otherwise strong ciphers we make little distinction between AES128 -- and AES256, and list each but the weakest of the AES128 ciphers ahead -- of the corresponding AES256 ciphers, with the ChaCha20-Poly1305 -- variant placed just after. -- -- The CCM ciphers all come together after the GCM variants due to their -- relative performance cost. ciphersuite_default :: [Cipher] -- | The default ciphersuites + some not recommended last resort ciphers. -- | Warning: This ciphersuite list contains RC4. Use ciphersuite_strong -- or ciphersuite_default instead. ciphersuite_all :: [Cipher] -- | list of medium ciphers. -- | Deprecated: Use ciphersuite_strong or ciphersuite_default -- instead. ciphersuite_medium :: [Cipher] -- | The strongest ciphers supported. For ciphers with PFS, AEAD and SHA2, -- we list each AES128 variant after the corresponding AES256 and -- ChaCha20-Poly1305 variants. For weaker constructs, we use just the -- AES256 form. -- -- The CCM ciphers come just after the corresponding GCM ciphers despite -- their relative performance cost. ciphersuite_strong :: [Cipher] -- | all unencrypted ciphers, do not use on insecure network. ciphersuite_unencrypted :: [Cipher] -- | DHE-RSA cipher suite. This only includes ciphers bound specifically to -- DHE-RSA so TLS 1.3 ciphers must be added separately. ciphersuite_dhe_rsa :: [Cipher] ciphersuite_dhe_dss :: [Cipher] -- | unencrypted cipher using RSA for key exchange and SHA1 for digest cipher_null_SHA1 :: Cipher -- | AES cipher (128 bit key), RSA key exchange and SHA1 for digest cipher_AES128_SHA1 :: Cipher -- | AES cipher (256 bit key), RSA key exchange and SHA1 for digest cipher_AES256_SHA1 :: Cipher -- | AES cipher (128 bit key), RSA key exchange and SHA256 for digest cipher_AES128_SHA256 :: Cipher -- | AES cipher (256 bit key), RSA key exchange and SHA256 for digest cipher_AES256_SHA256 :: Cipher -- | AESCCM cipher (128 bit key), RSA key exchange. The SHA256 digest is -- used as a PRF, not as a MAC. cipher_AES128CCM_SHA256 :: Cipher -- | AESCCM8 cipher (128 bit key), RSA key exchange. The SHA256 digest is -- used as a PRF, not as a MAC. cipher_AES128CCM8_SHA256 :: Cipher -- | AESGCM cipher (128 bit key), RSA key exchange. The SHA256 digest is -- used as a PRF, not as a MAC. cipher_AES128GCM_SHA256 :: Cipher -- | AESCCM cipher (256 bit key), RSA key exchange. The SHA256 digest is -- used as a PRF, not as a MAC. cipher_AES256CCM_SHA256 :: Cipher -- | AESCCM8 cipher (256 bit key), RSA key exchange. The SHA256 digest is -- used as a PRF, not as a MAC. cipher_AES256CCM8_SHA256 :: Cipher -- | AESGCM cipher (256 bit key), RSA key exchange. The SHA384 digest is -- used as a PRF, not as a MAC. cipher_AES256GCM_SHA384 :: Cipher -- | AES cipher (128 bit key), DHE key exchanged signed by RSA and SHA1 for -- digest cipher_DHE_RSA_AES128_SHA1 :: Cipher -- | AES cipher (256 bit key), DHE key exchanged signed by RSA and SHA1 for -- digest cipher_DHE_RSA_AES256_SHA1 :: Cipher cipher_DHE_RSA_AES128_SHA256 :: Cipher cipher_DHE_RSA_AES256_SHA256 :: Cipher -- | AES cipher (128 bit key), DHE key exchanged signed by DSA and SHA1 for -- digest cipher_DHE_DSS_AES128_SHA1 :: Cipher -- | AES cipher (256 bit key), DHE key exchanged signed by DSA and SHA1 for -- digest cipher_DHE_DSS_AES256_SHA1 :: Cipher cipher_DHE_RSA_AES128CCM_SHA256 :: Cipher cipher_DHE_RSA_AES128CCM8_SHA256 :: Cipher cipher_DHE_RSA_AES128GCM_SHA256 :: Cipher cipher_DHE_RSA_AES256CCM_SHA256 :: Cipher cipher_DHE_RSA_AES256CCM8_SHA256 :: Cipher cipher_DHE_RSA_AES256GCM_SHA384 :: Cipher cipher_DHE_RSA_CHACHA20POLY1305_SHA256 :: Cipher cipher_ECDHE_RSA_AES128GCM_SHA256 :: Cipher cipher_ECDHE_RSA_AES256GCM_SHA384 :: Cipher cipher_ECDHE_RSA_AES128CBC_SHA256 :: Cipher cipher_ECDHE_RSA_AES128CBC_SHA :: Cipher cipher_ECDHE_RSA_AES256CBC_SHA :: Cipher cipher_ECDHE_RSA_AES256CBC_SHA384 :: Cipher cipher_ECDHE_RSA_CHACHA20POLY1305_SHA256 :: Cipher cipher_ECDHE_ECDSA_AES128CBC_SHA :: Cipher cipher_ECDHE_ECDSA_AES256CBC_SHA :: Cipher cipher_ECDHE_ECDSA_AES128CBC_SHA256 :: Cipher cipher_ECDHE_ECDSA_AES256CBC_SHA384 :: Cipher cipher_ECDHE_ECDSA_AES128CCM_SHA256 :: Cipher cipher_ECDHE_ECDSA_AES128CCM8_SHA256 :: Cipher cipher_ECDHE_ECDSA_AES128GCM_SHA256 :: Cipher cipher_ECDHE_ECDSA_AES256CCM_SHA256 :: Cipher cipher_ECDHE_ECDSA_AES256CCM8_SHA256 :: Cipher cipher_ECDHE_ECDSA_AES256GCM_SHA384 :: Cipher cipher_ECDHE_ECDSA_CHACHA20POLY1305_SHA256 :: Cipher cipher_TLS13_AES128GCM_SHA256 :: Cipher cipher_TLS13_AES256GCM_SHA384 :: Cipher cipher_TLS13_CHACHA20POLY1305_SHA256 :: Cipher cipher_TLS13_AES128CCM_SHA256 :: Cipher cipher_TLS13_AES128CCM8_SHA256 :: Cipher -- | 3DES cipher (168 bit key), RSA key exchange and SHA1 for digest cipher_RSA_3DES_EDE_CBC_SHA1 :: Cipher -- | RC4 cipher, RSA key exchange and MD5 for digest cipher_RC4_128_MD5 :: Cipher -- | RC4 cipher, RSA key exchange and SHA1 for digest cipher_RC4_128_SHA1 :: Cipher -- | unencrypted cipher using RSA for key exchange and MD5 for digest cipher_null_MD5 :: Cipher cipher_DHE_DSS_RC4_SHA1 :: Cipher -- | default values and ciphers module Network.TLS.Extra module Network.TLS -- | A TLS Context keep tls specific state, parameters and backend -- information. data Context -- | create a new context using the backend and parameters specified. contextNew :: (MonadIO m, HasBackend backend, TLSParams params) => backend -> params -> m Context -- | Handshake for a new TLS connection This is to be called at the -- beginning of a connection, and during renegotiation handshake :: MonadIO m => Context -> m () -- | sendData sends a bunch of data. It will automatically chunk data to -- acceptable packet size sendData :: MonadIO m => Context -> ByteString -> m () -- | Get data out of Data packet, and automatically renegotiate if a -- Handshake ClientHello is received. An empty result means EOF. recvData :: MonadIO m => Context -> m ByteString -- | notify the context that this side wants to close connection. this is -- important that it is called before closing the handle, otherwise the -- session might not be resumable (for version < TLS1.2). -- -- this doesn't actually close the handle bye :: MonadIO m => Context -> m () class HasBackend a initializeBackend :: HasBackend a => a -> IO () getBackend :: HasBackend a => a -> Backend -- | Connection IO backend data Backend Backend :: IO () -> IO () -> (ByteString -> IO ()) -> (Int -> IO ByteString) -> Backend -- | Flush the connection sending buffer, if any. [backendFlush] :: Backend -> IO () -- | Close the connection. [backendClose] :: Backend -> IO () -- | Send a bytestring through the connection. [backendSend] :: Backend -> ByteString -> IO () -- | Receive specified number of bytes from the connection. [backendRecv] :: Backend -> Int -> IO ByteString class TLSParams a data ClientParams ClientParams :: Maybe MaxFragmentEnum -> (HostName, ByteString) -> Bool -> Maybe (SessionID, SessionData) -> Shared -> ClientHooks -> Supported -> DebugParams -> Maybe ByteString -> ClientParams [clientUseMaxFragmentLength] :: ClientParams -> Maybe MaxFragmentEnum -- | Define the name of the server, along with an extra service -- identification blob. this is important that the hostname part is -- properly filled for security reason, as it allow to properly associate -- the remote side with the given certificate during a handshake. -- -- The extra blob is useful to differentiate services running on the same -- host, but that might have different certificates given. It's only used -- as part of the X509 validation infrastructure. [clientServerIdentification] :: ClientParams -> (HostName, ByteString) -- | Allow the use of the Server Name Indication TLS extension during -- handshake, which allow the client to specify which host name, it's -- trying to access. This is useful to distinguish CNAME aliasing (e.g. -- web virtual host). [clientUseServerNameIndication] :: ClientParams -> Bool -- | try to establish a connection using this session. [clientWantSessionResume] :: ClientParams -> Maybe (SessionID, SessionData) [clientShared] :: ClientParams -> Shared [clientHooks] :: ClientParams -> ClientHooks -- | In this element, you'll need to override the default empty value of of -- supportedCiphers with a suitable cipherlist. [clientSupported] :: ClientParams -> Supported [clientDebug] :: ClientParams -> DebugParams -- | Client tries to send this early data in TLS 1.3 if possible. If not -- accepted by the server, it is application's responsibility to re-sent -- it. [clientEarlyData] :: ClientParams -> Maybe ByteString defaultParamsClient :: HostName -> ByteString -> ClientParams data ServerParams ServerParams :: Bool -> [SignedCertificate] -> Maybe DHParams -> Shared -> ServerHooks -> Supported -> DebugParams -> Int -> Int -> ServerParams -- | request a certificate from client. [serverWantClientCert] :: ServerParams -> Bool -- | This is a list of certificates from which the disinguished names are -- sent in certificate request messages. For TLS1.0, it should not be -- empty. [serverCACertificates] :: ServerParams -> [SignedCertificate] -- | Server Optional Diffie Hellman parameters. Setting parameters is -- necessary for FFDHE key exchange when clients are not compatible with -- RFC 7919. -- -- Value can be one of the standardized groups from module -- Network.TLS.Extra.FFDHE or custom parameters generated with -- generateParams. [serverDHEParams] :: ServerParams -> Maybe DHParams [serverShared] :: ServerParams -> Shared [serverHooks] :: ServerParams -> ServerHooks [serverSupported] :: ServerParams -> Supported [serverDebug] :: ServerParams -> DebugParams -- | Server accepts this size of early data in TLS 1.3. 0 (or lower) means -- that the server does not accept early data. [serverEarlyDataSize] :: ServerParams -> Int -- | Lifetime in seconds for session tickets generated by the server. -- Acceptable value range is 0 to 604800 (7 days). The default lifetime -- is 86400 seconds (1 day). [serverTicketLifetime] :: ServerParams -> Int -- | List all the supported algorithms, versions, ciphers, etc supported. data Supported Supported :: [Version] -> [Cipher] -> [Compression] -> [HashAndSignatureAlgorithm] -> Bool -> Bool -> Bool -> Bool -> Bool -> [Group] -> Supported -- | Supported versions by this context. On the client side, the highest -- version will be used to establish the connection. On the server side, -- the highest version that is less or equal than the client version will -- be chosen. -- -- Versions should be listed in preference order, i.e. higher versions -- first. [supportedVersions] :: Supported -> [Version] -- | Supported cipher methods. The default is empty, specify a suitable -- cipher list. ciphersuite_default is often a good choice. [supportedCiphers] :: Supported -> [Cipher] -- | Supported compressions methods. By default only the "null" compression -- is supported, which means no compression will be performed. Allowing -- other compression method is not advised as it causes a connection -- failure when TLS 1.3 is negotiated. [supportedCompressions] :: Supported -> [Compression] -- | All supported hash/signature algorithms pair for client certificate -- verification and server signature in (EC)DHE, ordered by decreasing -- priority. -- -- This list is sent to the peer as part of the "signature_algorithms" -- extension. It is used to restrict accepted signatures received from -- the peer at TLS level (not in X.509 certificates), but only when the -- TLS version is 1.2 or above. In order to disable SHA-1 one must then -- also disable earlier protocol versions in supportedVersions. -- -- The list also impacts the selection of possible algorithms when -- generating signatures. -- -- Note: with TLS 1.3 some algorithms have been deprecated and will not -- be used even when listed in the parameter: MD5, SHA-1, SHA-224, RSA -- PKCS#1, DSS. [supportedHashSignatures] :: Supported -> [HashAndSignatureAlgorithm] -- | Secure renegotiation defined in RFC5746. If True, clients send -- the renegotiation_info extension. If True, servers handle the -- extension or the renegotiation SCSV then send the renegotiation_info -- extension. [supportedSecureRenegotiation] :: Supported -> Bool -- | If True, renegotiation is allowed from the client side. This is -- vulnerable to DOS attacks. If False, renegotiation is allowed -- only from the server side via HelloRequest. [supportedClientInitiatedRenegotiation] :: Supported -> Bool -- | Set if we support session. [supportedSession] :: Supported -> Bool -- | Support for fallback SCSV defined in RFC7507. If True, servers -- reject handshakes which suggest a lower protocol than the highest -- protocol supported. [supportedFallbackScsv] :: Supported -> Bool -- | In ver <= TLS1.0, block ciphers using CBC are using CBC residue as -- IV, which can be guessed by an attacker. Hence, an empty packet is -- normally sent before a normal data packet, to prevent guessability. -- Some Microsoft TLS-based protocol implementations, however, consider -- these empty packets as a protocol violation and disconnect. If this -- parameter is False, empty packets will never be added, which is -- less secure, but might help in rare cases. [supportedEmptyPacket] :: Supported -> Bool -- | A list of supported elliptic curves and finite-field groups in the -- preferred order. -- -- The list is sent to the server as part of the "supported_groups" -- extension. It is used in both clients and servers to restrict accepted -- groups in DH key exchange. -- -- The default value is -- [X25519,P256,P384,P521]. X25519 and -- P256 provide 128-bit security which is strong enough until -- 2030. Both curves are fast because their backends are written in C. [supportedGroups] :: Supported -> [Group] -- | Parameters that are common to clients and servers. data Shared Shared :: Credentials -> SessionManager -> CertificateStore -> ValidationCache -> Shared -- | The list of certificates and private keys that a server will use as -- part of authentication to clients. Actual credentials that are used -- are selected dynamically from this list based on client capabilities. -- Additional credentials returned by onServerNameIndication are -- also considered. -- -- When credential list is left empty (the default value), no key -- exchange can take place. [sharedCredentials] :: Shared -> Credentials -- | Callbacks used by clients and servers in order to resume TLS sessions. -- The default implementation never resumes sessions. Package -- tls-session-manager provides an in-memory implementation. [sharedSessionManager] :: Shared -> SessionManager -- | A collection of trust anchors to be used by a client as part of -- validation of server certificates. This is set as first argument to -- function onServerCertificate. Package x509-system gives -- access to a default certificate store configured in the system. [sharedCAStore] :: Shared -> CertificateStore -- | Callbacks that may be used by a client to cache certificate validation -- results (positive or negative) and avoid expensive signature check. -- The default implementation does not have any caching. [sharedValidationCache] :: Shared -> ValidationCache -- | All settings should not be used in production data DebugParams DebugParams :: Maybe Seed -> (Seed -> IO ()) -> Maybe Version -> (String -> IO ()) -> DebugParams -- | Disable the true randomness in favor of deterministic seed that will -- produce a deterministic random from. This is useful for tests and -- debugging purpose. Do not use in production [debugSeed] :: DebugParams -> Maybe Seed -- | Add a way to print the seed that was randomly generated. re-using the -- same seed will reproduce the same randomness with debugSeed [debugPrintSeed] :: DebugParams -> Seed -> IO () -- | Force to choose this version in the server side. [debugVersionForced] :: DebugParams -> Maybe Version -- | Printing master keys. The default is no printing. [debugKeyLogger] :: DebugParams -> String -> IO () -- | A set of callbacks run by the clients for various corners of TLS -- establishment data ClientHooks ClientHooks :: OnCertificateRequest -> OnServerCertificate -> IO (Maybe [ByteString]) -> (DHParams -> DHPublic -> IO GroupUsage) -> ClientHooks -- | This action is called when the a certificate request is received from -- the server. The callback argument is the information from the request. -- The server, at its discretion, may be willing to continue the -- handshake without a client certificate. Therefore, the callback is -- free to return Nothing to indicate that no client certificate -- should be sent, despite the server's request. In some cases it may be -- appropriate to get user consent before sending the certificate; the -- content of the user's certificate may be sensitive and intended only -- for specific servers. -- -- The action should select a certificate chain of one of the given -- certificate types and one of the certificates in the chain should (if -- possible) be signed by one of the given distinguished names. Some -- servers, that don't have a narrow set of preferred issuer CAs, will -- send an empty DistinguishedName list, rather than send all the -- names from their trusted CA bundle. If the client does not have a -- certificate chaining to a matching CA, it may choose a default -- certificate instead. -- -- Each certificate except the last should be signed by the following -- one. The returned private key must be for the first certificates in -- the chain. This key will be used to signing the certificate verify -- message. -- -- The public key in the first certificate, and the matching returned -- private key must be compatible with one of the list of -- HashAndSignatureAlgorithm value when provided. TLS 1.3 changes -- the meaning of the list elements, adding explicit code points for each -- supported pair of hash and signature (public key) algorithms, rather -- than combining separate codes for the hash and key. For details see -- RFC 8446 section 4.2.3. When no compatible certificate chain is -- available, return Nothing if it is OK to continue without a -- client certificate. Returning a non-matching certificate should result -- in a handshake failure. -- -- While the TLS version is not provided to the callback, the content of -- the signature_algorithms list provides a strong hint, since -- TLS 1.3 servers will generally list RSA pairs with a hash component of -- Intrinsic (0x08). -- -- Note that is is the responsibility of this action to select a -- certificate matching one of the requested certificate types (public -- key algorithms). Returning a non-matching one will lead to handshake -- failure later. [onCertificateRequest] :: ClientHooks -> OnCertificateRequest -- | Used by the client to validate the server certificate. The default -- implementation calls validateDefault which validates according -- to the default hooks and checks provided by -- Data.X509.Validation. This can be replaced with a custom -- validation function using different settings. -- -- The function is not expected to verify the key-usage extension of the -- end-entity certificate, as this depends on the dynamically-selected -- cipher and this part should not be cached. Key-usage verification is -- performed by the library internally. [onServerCertificate] :: ClientHooks -> OnServerCertificate -- | This action is called when the client sends ClientHello to determine -- ALPN values such as '["h2", "http/1.1"]'. [onSuggestALPN] :: ClientHooks -> IO (Maybe [ByteString]) -- | This action is called to validate DHE parameters when the server -- selected a finite-field group not part of the "Supported Groups -- Registry" or not part of supportedGroups list. -- -- With TLS 1.3 custom groups have been removed from the protocol, so -- this callback is only used when the version negotiated is 1.2 or -- below. -- -- The default behavior with (dh_p, dh_g, dh_size) and pub as follows: -- --
    --
  1. rejecting if dh_p is even
    2. --
  2. rejecting unless 1 < dh_g && dh_g < dh_p - 1
    3. --
  3. rejecting unless 1 < dh_p && pub < dh_p - 1
    4. --
  4. rejecting if dh_size < 1024 (to prevent Logjam attack)
    5. --
-- -- See RFC 7919 section 3.1 for recommandations. [onCustomFFDHEGroup] :: ClientHooks -> DHParams -> DHPublic -> IO GroupUsage -- | Type for onCertificateRequest. This type synonym is to make -- document readable. type OnCertificateRequest = ([CertificateType], Maybe [HashAndSignatureAlgorithm], [DistinguishedName]) -> IO (Maybe (CertificateChain, PrivKey)) -- | Type for onServerCertificate. This type synonym is to make -- document readable. type OnServerCertificate = CertificateStore -> ValidationCache -> ServiceID -> CertificateChain -> IO [FailedReason] -- | A set of callbacks run by the server for various corners of the TLS -- establishment data ServerHooks ServerHooks :: (CertificateChain -> IO CertificateUsage) -> IO Bool -> (Version -> [Cipher] -> Cipher) -> (Maybe HostName -> IO Credentials) -> (Measurement -> IO Bool) -> Maybe ([ByteString] -> IO ByteString) -> ServerHooks -- | This action is called when a client certificate chain is received from -- the client. When it returns a CertificateUsageReject value, the -- handshake is aborted. -- -- The function is not expected to verify the key-usage extension of the -- certificate. This verification is performed by the library internally. [onClientCertificate] :: ServerHooks -> CertificateChain -> IO CertificateUsage -- | This action is called when the client certificate cannot be verified. -- Return True to accept the certificate anyway, or False -- to fail verification. [onUnverifiedClientCert] :: ServerHooks -> IO Bool -- | Allow the server to choose the cipher relative to the the client -- version and the client list of ciphers. -- -- This could be useful with old clients and as a workaround to the BEAST -- (where RC4 is sometimes prefered with TLS < 1.1) -- -- The client cipher list cannot be empty. [onCipherChoosing] :: ServerHooks -> Version -> [Cipher] -> Cipher -- | Allow the server to indicate additional credentials to be used -- depending on the host name indicated by the client. -- -- This is most useful for transparent proxies where credentials must be -- generated on the fly according to the host the client is trying to -- connect to. -- -- Returned credentials may be ignored if a client does not support the -- signature algorithms used in the certificate chain. [onServerNameIndication] :: ServerHooks -> Maybe HostName -> IO Credentials -- | at each new handshake, we call this hook to see if we allow handshake -- to happens. [onNewHandshake] :: ServerHooks -> Measurement -> IO Bool -- | Allow the server to choose an application layer protocol suggested -- from the client through the ALPN (Application Layer Protocol -- Negotiation) extensions. [onALPNClientSuggest] :: ServerHooks -> Maybe ([ByteString] -> IO ByteString) newtype Credentials Credentials :: [Credential] -> Credentials type Credential = (CertificateChain, PrivKey) -- | try to create a new credential object from a public certificate and -- the associated private key that are stored on the filesystem in PEM -- format. credentialLoadX509 :: FilePath -> FilePath -> IO (Either String Credential) -- | similar to credentialLoadX509 but take the certificate and -- private key from memory instead of from the filesystem. credentialLoadX509FromMemory :: ByteString -> ByteString -> Either String Credential -- | similar to credentialLoadX509 but also allow specifying chain -- certificates. credentialLoadX509Chain :: FilePath -> [FilePath] -> FilePath -> IO (Either String Credential) -- | similar to credentialLoadX509FromMemory but also allow -- specifying chain certificates. credentialLoadX509ChainFromMemory :: ByteString -> [ByteString] -> ByteString -> Either String Credential -- | A session ID type SessionID = ByteString -- | Session data to resume data SessionData SessionData :: Version -> CipherID -> CompressionID -> Maybe HostName -> ByteString -> Maybe Group -> Maybe TLS13TicketInfo -> Maybe ByteString -> Int -> SessionData [sessionVersion] :: SessionData -> Version [sessionCipher] :: SessionData -> CipherID [sessionCompression] :: SessionData -> CompressionID [sessionClientSNI] :: SessionData -> Maybe HostName [sessionSecret] :: SessionData -> ByteString [sessionGroup] :: SessionData -> Maybe Group [sessionTicketInfo] :: SessionData -> Maybe TLS13TicketInfo [sessionALPN] :: SessionData -> Maybe ByteString [sessionMaxEarlyDataSize] :: SessionData -> Int -- | A session manager data SessionManager SessionManager :: (SessionID -> IO (Maybe SessionData)) -> (SessionID -> IO (Maybe SessionData)) -> (SessionID -> SessionData -> IO ()) -> (SessionID -> IO ()) -> SessionManager -- | used on server side to decide whether to resume a client session. [sessionResume] :: SessionManager -> SessionID -> IO (Maybe SessionData) -- | used on server side to decide whether to resume a client session for -- TLS 1.3 0RTT. For a given SessionID, the implementation must -- return its SessionData only once and must not return the same -- SessionData after the call. [sessionResumeOnlyOnce] :: SessionManager -> SessionID -> IO (Maybe SessionData) -- | used when a session is established. [sessionEstablish] :: SessionManager -> SessionID -> SessionData -> IO () -- | used when a session is invalidated. [sessionInvalidate] :: SessionManager -> SessionID -> IO () noSessionManager :: SessionManager data TLS13TicketInfo -- | A collection of hooks actions. data Hooks Hooks :: (Handshake -> IO Handshake) -> (Handshake13 -> IO Handshake13) -> (CertificateChain -> IO ()) -> Logging -> Hooks -- | called at each handshake message received [hookRecvHandshake] :: Hooks -> Handshake -> IO Handshake -- | called at each handshake message received for TLS 1.3 [hookRecvHandshake13] :: Hooks -> Handshake13 -> IO Handshake13 -- | called at each certificate chain message received [hookRecvCertificates] :: Hooks -> CertificateChain -> IO () -- | hooks on IO and packets, receiving and sending. [hookLogging] :: Hooks -> Logging data Handshake -- | Hooks for logging -- -- This is called when sending and receiving packets and IO data Logging Logging :: (String -> IO ()) -> (String -> IO ()) -> (ByteString -> IO ()) -> (Header -> ByteString -> IO ()) -> Logging [loggingPacketSent] :: Logging -> String -> IO () [loggingPacketRecv] :: Logging -> String -> IO () [loggingIOSent] :: Logging -> ByteString -> IO () [loggingIORecv] :: Logging -> Header -> ByteString -> IO () contextHookSetHandshakeRecv :: Context -> (Handshake -> IO Handshake) -> IO () contextHookSetHandshake13Recv :: Context -> (Handshake13 -> IO Handshake13) -> IO () contextHookSetCertificateRecv :: Context -> (CertificateChain -> IO ()) -> IO () contextHookSetLogging :: Context -> Logging -> IO () contextModifyHooks :: Context -> (Hooks -> Hooks) -> IO () type HostName = String type DHParams = Params type DHPublic = PublicNumber -- | record some data about this connection. data Measurement Measurement :: !Word32 -> !Word32 -> !Word32 -> Measurement -- | number of handshakes on this context [nbHandshakes] :: Measurement -> !Word32 -- | bytes received since last handshake [bytesReceived] :: Measurement -> !Word32 -- | bytes sent since last handshake [bytesSent] :: Measurement -> !Word32 -- | Group usage callback possible return values. data GroupUsage -- | usage of group accepted GroupUsageValid :: GroupUsage -- | usage of group provides insufficient security GroupUsageInsecure :: GroupUsage -- | usage of group rejected for other reason (specified as string) GroupUsageUnsupported :: String -> GroupUsage -- | usage of group with an invalid public value GroupUsageInvalidPublic :: GroupUsage -- | Certificate Usage callback possible returns values. data CertificateUsage -- | usage of certificate accepted CertificateUsageAccept :: CertificateUsage -- | usage of certificate rejected CertificateUsageReject :: CertificateRejectReason -> CertificateUsage -- | Certificate and Chain rejection reason data CertificateRejectReason CertificateRejectExpired :: CertificateRejectReason CertificateRejectRevoked :: CertificateRejectReason CertificateRejectUnknownCA :: CertificateRejectReason CertificateRejectAbsent :: CertificateRejectReason CertificateRejectOther :: String -> CertificateRejectReason data MaxFragmentEnum MaxFragment512 :: MaxFragmentEnum MaxFragment1024 :: MaxFragmentEnum MaxFragment2048 :: MaxFragmentEnum MaxFragment4096 :: MaxFragmentEnum type HashAndSignatureAlgorithm = (HashAlgorithm, SignatureAlgorithm) data HashAlgorithm HashNone :: HashAlgorithm HashMD5 :: HashAlgorithm HashSHA1 :: HashAlgorithm HashSHA224 :: HashAlgorithm HashSHA256 :: HashAlgorithm HashSHA384 :: HashAlgorithm HashSHA512 :: HashAlgorithm HashIntrinsic :: HashAlgorithm HashOther :: Word8 -> HashAlgorithm data SignatureAlgorithm SignatureAnonymous :: SignatureAlgorithm SignatureRSA :: SignatureAlgorithm SignatureDSS :: SignatureAlgorithm SignatureECDSA :: SignatureAlgorithm SignatureRSApssRSAeSHA256 :: SignatureAlgorithm SignatureRSApssRSAeSHA384 :: SignatureAlgorithm SignatureRSApssRSAeSHA512 :: SignatureAlgorithm SignatureEd25519 :: SignatureAlgorithm SignatureEd448 :: SignatureAlgorithm SignatureRSApsspssSHA256 :: SignatureAlgorithm SignatureRSApsspssSHA384 :: SignatureAlgorithm SignatureRSApsspssSHA512 :: SignatureAlgorithm SignatureOther :: Word8 -> SignatureAlgorithm -- | Some of the IANA registered code points for CertificateType are -- not currently supported by the library. Nor should they be, they're -- are either unwise, obsolete or both. There's no point in conveying -- these to the user in the client certificate request callback. The -- request callback will be filtered to exclude unsupported values. If -- the user cannot find a certificate for a supported code point, we'll -- go ahead without a client certificate and hope for the best, unless -- the user's callback decides to throw an exception. data CertificateType -- | TLS10 and up, RFC5246 CertificateType_RSA_Sign :: CertificateType -- | TLS10 and up, RFC5246 CertificateType_DSS_Sign :: CertificateType -- | TLS10 and up, RFC8422 CertificateType_ECDSA_Sign :: CertificateType -- | TLS13 and up, synthetic CertificateType_Ed25519_Sign :: CertificateType -- | TLS13 and up, synthetic | None of the below will ever be presented to -- the callback. Any future public key algorithms valid for client -- certificates go above this line. CertificateType_Ed448_Sign :: CertificateType CertificateType_RSA_Fixed_DH :: CertificateType CertificateType_DSS_Fixed_DH :: CertificateType CertificateType_RSA_Ephemeral_DH :: CertificateType CertificateType_DSS_Ephemeral_DH :: CertificateType CertificateType_fortezza_dms :: CertificateType CertificateType_RSA_Fixed_ECDH :: CertificateType CertificateType_ECDSA_Fixed_ECDH :: CertificateType CertificateType_Unknown :: Word8 -> CertificateType -- | A set of checks to activate or parametrize to perform on certificates. -- -- It's recommended to use defaultChecks to create the structure, -- to better cope with future changes or expansion of the structure. data ValidationChecks ValidationChecks :: Bool -> Maybe DateTime -> Bool -> Bool -> Bool -> Bool -> [ExtKeyUsageFlag] -> [ExtKeyUsagePurpose] -> Bool -> ValidationChecks -- | check time validity of every certificate in the chain. the make sure -- that current time is between each validity bounds in the certificate [checkTimeValidity] :: ValidationChecks -> Bool -- | The time when the validity check happens. When set to Nothing, the -- current time will be used [checkAtTime] :: ValidationChecks -> Maybe DateTime -- | Check that no certificate is included that shouldn't be included. -- unfortunately despite the specification violation, a lots of real -- world server serves useless and usually old certificates that are not -- relevant to the certificate sent, in their chain. [checkStrictOrdering] :: ValidationChecks -> Bool -- | Check that signing certificate got the CA basic constraint. this is -- absolutely not recommended to turn it off. [checkCAConstraints] :: ValidationChecks -> Bool -- | Check the whole certificate chain without stopping at the first -- failure. Allow gathering a exhaustive list of failure reasons. if this -- is turn off, it's absolutely not safe to ignore a failed reason even -- it doesn't look serious (e.g. Expired) as other more serious checks -- would not have been performed. [checkExhaustive] :: ValidationChecks -> Bool -- | Check that the leaf certificate is version 3. If disable, version 2 -- certificate is authorized in leaf position and key usage cannot be -- checked. [checkLeafV3] :: ValidationChecks -> Bool -- | Check that the leaf certificate is authorized to be used for certain -- usage. If set to empty list no check are performed, otherwise all the -- flags is the list need to exists in the key usage extension. If the -- extension is not present, the check will pass and behave as if the -- certificate key is not restricted to any specific usage. [checkLeafKeyUsage] :: ValidationChecks -> [ExtKeyUsageFlag] -- | Check that the leaf certificate is authorized to be used for certain -- purpose. If set to empty list no check are performed, otherwise all -- the flags is the list need to exists in the extended key usage -- extension if present. If the extension is not present, then the check -- will pass and behave as if the certificate is not restricted to any -- specific purpose. [checkLeafKeyPurpose] :: ValidationChecks -> [ExtKeyUsagePurpose] -- | Check the top certificate names matching the fully qualified hostname -- (FQHN). it's not recommended to turn this check off, if no other name -- checks are performed. [checkFQHN] :: ValidationChecks -> Bool -- | A set of hooks to manipulate the way the verification works. -- -- BEWARE, it's easy to change behavior leading to compromised security. data ValidationHooks ValidationHooks :: (DistinguishedName -> Certificate -> Bool) -> (DateTime -> Certificate -> [FailedReason]) -> (HostName -> Certificate -> [FailedReason]) -> ([FailedReason] -> [FailedReason]) -> ValidationHooks -- | check whether a given issuer DistinguishedName matches the -- subject DistinguishedName of a candidate issuer certificate. [hookMatchSubjectIssuer] :: ValidationHooks -> DistinguishedName -> Certificate -> Bool -- | check whether the certificate in the second argument is valid at the -- time provided in the first argument. Return an empty list for success -- or else one or more failure reasons. [hookValidateTime] :: ValidationHooks -> DateTime -> Certificate -> [FailedReason] -- | validate the certificate leaf name with the DNS named used to connect [hookValidateName] :: ValidationHooks -> HostName -> Certificate -> [FailedReason] -- | user filter to modify the list of failure reasons [hookFilterReason] :: ValidationHooks -> [FailedReason] -> [FailedReason] -- | All the callbacks needed for querying and adding to the cache. data ValidationCache ValidationCache :: ValidationCacheQueryCallback -> ValidationCacheAddCallback -> ValidationCache -- | cache querying callback [cacheQuery] :: ValidationCache -> ValidationCacheQueryCallback -- | cache adding callback [cacheAdd] :: ValidationCache -> ValidationCacheAddCallback -- | The result of a cache query data ValidationCacheResult -- | cache allow this fingerprint to go through ValidationCachePass :: ValidationCacheResult -- | cache denied this fingerprint for further validation ValidationCacheDenied :: String -> ValidationCacheResult -- | unknown fingerprint in cache ValidationCacheUnknown :: ValidationCacheResult -- | create a simple constant cache that list exceptions to the -- certification validation. Typically this is use to allow self-signed -- certificates for specific use, with out-of-bounds user checks. -- -- No fingerprints will be added after the instance is created. -- -- The underlying structure for the check is kept as a list, as usually -- the exception list will be short, but when the list go above a dozen -- exceptions it's recommended to use another cache mechanism with a -- faster lookup mechanism (hashtable, map, etc). -- -- Note that only one fingerprint is allowed per ServiceID, for other -- use, another cache mechanism need to be use. exceptionValidationCache :: [(ServiceID, Fingerprint)] -> ValidationCache -- | return the backend object associated with this context ctxConnection :: Context -> Backend -- | A shortcut for 'backendFlush . ctxConnection'. contextFlush :: Context -> IO () -- | A shortcut for 'backendClose . ctxConnection'. contextClose :: Context -> IO () -- | Information related to a running context, e.g. current cipher data Information Information :: Version -> Cipher -> Compression -> Maybe ByteString -> Maybe ClientRandom -> Maybe ServerRandom -> Maybe Group -> Maybe HandshakeMode13 -> Bool -> Information [infoVersion] :: Information -> Version [infoCipher] :: Information -> Cipher [infoCompression] :: Information -> Compression [infoMasterSecret] :: Information -> Maybe ByteString [infoClientRandom] :: Information -> Maybe ClientRandom [infoServerRandom] :: Information -> Maybe ServerRandom [infoNegotiatedGroup] :: Information -> Maybe Group [infoTLS13HandshakeMode] :: Information -> Maybe HandshakeMode13 [infoIsEarlyDataAccepted] :: Information -> Bool -- | Information about the current context contextGetInformation :: Context -> IO (Maybe Information) data ClientRandom data ServerRandom unClientRandom :: ClientRandom -> ByteString unServerRandom :: ServerRandom -> ByteString -- | If the ALPN extensions have been used, this will return get the -- protocol agreed upon. getNegotiatedProtocol :: MonadIO m => Context -> m (Maybe ByteString) -- | If the Server Name Indication extension has been used, return the -- hostname specified by the client. getClientSNI :: MonadIO m => Context -> m (Maybe HostName) -- | Updating appication traffic secrets for TLS 1.3. If this API is called -- for TLS 1.3, True is returned. Otherwise, False is -- returned. updateKey :: MonadIO m => Context -> KeyUpdateRequest -> m Bool -- | How to update keys in TLS 1.3 data KeyUpdateRequest -- | Unidirectional key update OneWay :: KeyUpdateRequest -- | Bidirectional key update (normal case) TwoWay :: KeyUpdateRequest -- | Post-handshake certificate request with TLS 1.3. Returns True -- if the request was possible, i.e. if TLS 1.3 is used and the remote -- client supports post-handshake authentication. requestCertificate :: MonadIO m => Context -> m Bool data ProtocolType ProtocolType_ChangeCipherSpec :: ProtocolType ProtocolType_Alert :: ProtocolType ProtocolType_Handshake :: ProtocolType ProtocolType_AppData :: ProtocolType ProtocolType_DeprecatedHandshake :: ProtocolType data Header Header :: ProtocolType -> Version -> Word16 -> Header -- | Versions known to TLS -- -- SSL2 is just defined, but this version is and will not be supported. data Version SSL2 :: Version SSL3 :: Version TLS10 :: Version TLS11 :: Version TLS12 :: Version TLS13 :: Version -- | every compression need to be wrapped in this, to fit in structure data Compression Compression :: a -> Compression -- | supported compression algorithms need to be part of this class class CompressionC a compressionCID :: CompressionC a => a -> CompressionID compressionCDeflate :: CompressionC a => a -> ByteString -> (a, ByteString) compressionCInflate :: CompressionC a => a -> ByteString -> (a, ByteString) -- | default null compression nullCompression :: Compression -- | Compression identification type CompressionID = Word8 data CipherKeyExchangeType CipherKeyExchange_RSA :: CipherKeyExchangeType CipherKeyExchange_DH_Anon :: CipherKeyExchangeType CipherKeyExchange_DHE_RSA :: CipherKeyExchangeType CipherKeyExchange_ECDHE_RSA :: CipherKeyExchangeType CipherKeyExchange_DHE_DSS :: CipherKeyExchangeType CipherKeyExchange_DH_DSS :: CipherKeyExchangeType CipherKeyExchange_DH_RSA :: CipherKeyExchangeType CipherKeyExchange_ECDH_ECDSA :: CipherKeyExchangeType CipherKeyExchange_ECDH_RSA :: CipherKeyExchangeType CipherKeyExchange_ECDHE_ECDSA :: CipherKeyExchangeType CipherKeyExchange_TLS13 :: CipherKeyExchangeType data Bulk Bulk :: String -> Int -> Int -> Int -> Int -> Int -> BulkFunctions -> Bulk [bulkName] :: Bulk -> String [bulkKeySize] :: Bulk -> Int [bulkIVSize] :: Bulk -> Int [bulkExplicitIV] :: Bulk -> Int [bulkAuthTagLen] :: Bulk -> Int [bulkBlockSize] :: Bulk -> Int [bulkF] :: Bulk -> BulkFunctions data BulkFunctions BulkBlockF :: (BulkDirection -> BulkKey -> BulkBlock) -> BulkFunctions BulkStreamF :: (BulkDirection -> BulkKey -> BulkStream) -> BulkFunctions BulkAeadF :: (BulkDirection -> BulkKey -> BulkAEAD) -> BulkFunctions data BulkDirection BulkEncrypt :: BulkDirection BulkDecrypt :: BulkDirection data BulkState BulkStateStream :: BulkStream -> BulkState BulkStateBlock :: BulkBlock -> BulkState BulkStateAEAD :: BulkAEAD -> BulkState BulkStateUninitialized :: BulkState newtype BulkStream BulkStream :: (ByteString -> (ByteString, BulkStream)) -> BulkStream type BulkBlock = BulkIV -> ByteString -> (ByteString, BulkIV) type BulkAEAD = BulkNonce -> ByteString -> BulkAdditionalData -> (ByteString, AuthTag) bulkInit :: Bulk -> BulkDirection -> BulkKey -> BulkState data Hash MD5 :: Hash SHA1 :: Hash SHA224 :: Hash SHA256 :: Hash SHA384 :: Hash SHA512 :: Hash SHA1_MD5 :: Hash -- | Cipher algorithm data Cipher Cipher :: CipherID -> String -> Hash -> Bulk -> CipherKeyExchangeType -> Maybe Version -> Maybe Hash -> Cipher [cipherID] :: Cipher -> CipherID [cipherName] :: Cipher -> String [cipherHash] :: Cipher -> Hash [cipherBulk] :: Cipher -> Bulk [cipherKeyExchange] :: Cipher -> CipherKeyExchangeType [cipherMinVer] :: Cipher -> Maybe Version [cipherPRFHash] :: Cipher -> Maybe Hash -- | Cipher identification type CipherID = Word16 cipherKeyBlockSize :: Cipher -> Int type BulkKey = ByteString type BulkIV = ByteString type BulkNonce = ByteString type BulkAdditionalData = ByteString -- | Check if a specific Cipher is allowed to be used with the -- version specified cipherAllowedForVersion :: Version -> Cipher -> Bool hasMAC :: BulkFunctions -> Bool hasRecordIV :: BulkFunctions -> Bool -- | Public key types known and used in X.509 data PubKey -- | RSA public key PubKeyRSA :: PublicKey -> PubKey -- | DSA public key PubKeyDSA :: PublicKey -> PubKey -- | DH format with (p,g,q,j,(seed,pgenCounter)) PubKeyDH :: (Integer, Integer, Integer, Maybe Integer, ([Word8], Integer)) -> PubKey -- | EC public key PubKeyEC :: PubKeyEC -> PubKey -- | X25519 public key PubKeyX25519 :: PublicKey -> PubKey -- | X448 public key PubKeyX448 :: PublicKey -> PubKey -- | Ed25519 public key PubKeyEd25519 :: PublicKey -> PubKey -- | Ed448 public key PubKeyEd448 :: PublicKey -> PubKey -- | unrecognized format PubKeyUnknown :: OID -> ByteString -> PubKey -- | Private key types known and used in X.509 data PrivKey -- | RSA private key PrivKeyRSA :: PrivateKey -> PrivKey -- | DSA private key PrivKeyDSA :: PrivateKey -> PrivKey -- | EC private key PrivKeyEC :: PrivKeyEC -> PrivKey -- | X25519 private key PrivKeyX25519 :: SecretKey -> PrivKey -- | X448 private key PrivKeyX448 :: SecretKey -> PrivKey -- | Ed25519 private key PrivKeyEd25519 :: SecretKey -> PrivKey -- | Ed448 private key PrivKeyEd448 :: SecretKey -> PrivKey data Group P256 :: Group P384 :: Group P521 :: Group X25519 :: Group X448 :: Group FFDHE2048 :: Group FFDHE3072 :: Group FFDHE4096 :: Group FFDHE6144 :: Group FFDHE8192 :: Group -- | Type to show which handshake mode is used in TLS 1.3. data HandshakeMode13 -- | Full handshake is used. FullHandshake :: HandshakeMode13 -- | Full handshake is used with hello retry reuest. HelloRetryRequest :: HandshakeMode13 -- | Server authentication is skipped. PreSharedKey :: HandshakeMode13 -- | Server authentication is skipped and early data is sent. RTT0 :: HandshakeMode13 -- | TLSError that might be returned through the TLS stack data TLSError -- | mainly for instance of Error Error_Misc :: String -> TLSError Error_Protocol :: (String, Bool, AlertDescription) -> TLSError Error_Certificate :: String -> TLSError -- | handshake policy failed. Error_HandshakePolicy :: String -> TLSError Error_EOF :: TLSError Error_Packet :: String -> TLSError Error_Packet_unexpected :: String -> String -> TLSError Error_Packet_Parsing :: String -> TLSError data KxError RSAError :: Error -> KxError KxUnsupported :: KxError data AlertDescription CloseNotify :: AlertDescription UnexpectedMessage :: AlertDescription BadRecordMac :: AlertDescription -- | deprecated alert, should never be sent by compliant implementation DecryptionFailed :: AlertDescription RecordOverflow :: AlertDescription DecompressionFailure :: AlertDescription HandshakeFailure :: AlertDescription BadCertificate :: AlertDescription UnsupportedCertificate :: AlertDescription CertificateRevoked :: AlertDescription CertificateExpired :: AlertDescription CertificateUnknown :: AlertDescription IllegalParameter :: AlertDescription UnknownCa :: AlertDescription AccessDenied :: AlertDescription DecodeError :: AlertDescription DecryptError :: AlertDescription ExportRestriction :: AlertDescription ProtocolVersion :: AlertDescription InsufficientSecurity :: AlertDescription InternalError :: AlertDescription InappropriateFallback :: AlertDescription UserCanceled :: AlertDescription NoRenegotiation :: AlertDescription MissingExtension :: AlertDescription UnsupportedExtension :: AlertDescription CertificateUnobtainable :: AlertDescription UnrecognizedName :: AlertDescription BadCertificateStatusResponse :: AlertDescription BadCertificateHashValue :: AlertDescription UnknownPskIdentity :: AlertDescription CertificateRequired :: AlertDescription NoApplicationProtocol :: AlertDescription -- | TLS Exceptions related to bad user usage or asynchronous errors data TLSException -- | Early termination exception with the reason and the error associated Terminated :: Bool -> String -> TLSError -> TLSException -- | Handshake failed for the reason attached HandshakeFailed :: TLSError -> TLSException -- | Usage error when the connection has not been established and the user -- is trying to send or receive data ConnectionNotEstablished :: TLSException -- | same as recvData but returns a lazy bytestring. -- | Deprecated: use recvData that returns strict bytestring recvData' :: MonadIO m => Context -> m ByteString -- | create a new context on an handle. -- | Deprecated: use contextNew contextNewOnHandle :: (MonadIO m, TLSParams params) => Handle -> params -> m Context -- | create a new context on a socket. -- | Deprecated: use contextNew contextNewOnSocket :: (MonadIO m, TLSParams params) => Socket -> params -> m Context -- | Deprecated: Use Data.ByteString.Bytestring instead of Bytes. type Bytes = ByteString