-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/
-- | TLS/SSL protocol native implementation (Server and Client)
--
-- Native Haskell TLS and SSL protocol implementation for server and
-- client.
--
-- This provides a high-level implementation of a sensitive security
-- protocol, eliminating a common set of security issues through the use
-- of the advanced type system, high level constructions and common
-- Haskell features.
--
-- Currently implement the SSL3.0, TLS1.0, TLS1.1, TLS1.2 and TLS 1.3
-- protocol, and support RSA and Ephemeral (Elliptic curve and regular)
-- Diffie Hellman key exchanges, and many extensions.
--
-- Some debug tools linked with tls, are available through the
-- http://hackage.haskell.org/package/tls-debug/.
@package tls
@version 1.5.7
-- | Finite Field Diffie-Hellman Ephemeral Parameters defined in RFC 7919.
module Network.TLS.Extra.FFDHE
-- | 2048 bits finite field Diffie-Hellman ephemeral parameters defined in
-- RFC 7919. The estimated symmetric-equivalent strength is 103 bits.
ffdhe2048 :: DHParams
-- | 3072 bits finite field Diffie-Hellman ephemeral parameters defined in
-- RFC 7919. The estimated symmetric-equivalent strength is 125 bits.
ffdhe3072 :: DHParams
-- | 4096 bits finite field Diffie-Hellman ephemeral parameters defined in
-- RFC 7919. The estimated symmetric-equivalent strength is 150 bits.
ffdhe4096 :: DHParams
-- | 6144 bits finite field Diffie-Hellman ephemeral parameters defined in
-- RFC 7919. The estimated symmetric-equivalent strength is 175 bits.
ffdhe6144 :: DHParams
-- | 8192 bits finite field Diffie-Hellman ephemeral parameters defined in
-- RFC 7919. The estimated symmetric-equivalent strength is 192 bits.
ffdhe8192 :: DHParams
module Network.TLS.Extra.Cipher
-- | All AES and ChaCha20-Poly1305 ciphers supported ordered from strong to
-- weak. This choice of ciphersuites should satisfy most normal needs.
-- For otherwise strong ciphers we make little distinction between AES128
-- and AES256, and list each but the weakest of the AES128 ciphers ahead
-- of the corresponding AES256 ciphers.
--
-- AEAD ciphers with equivalent security properties are ordered based on
-- CPU hardware-acceleration support. If this dynamic runtime behavior is
-- not desired, use ciphersuite_default_det instead.
ciphersuite_default :: [Cipher]
-- | Same as ciphersuite_default, but using deterministic preference
-- not influenced by the CPU.
ciphersuite_default_det :: [Cipher]
-- | The default ciphersuites + some not recommended last resort ciphers.
--
-- AEAD ciphers with equivalent security properties are ordered based on
-- CPU hardware-acceleration support. If this dynamic runtime behavior is
-- not desired, use ciphersuite_all_det instead.
-- | Warning: This ciphersuite list contains RC4. Use ciphersuite_strong
-- or ciphersuite_default instead.
ciphersuite_all :: [Cipher]
-- | Same as ciphersuite_all, but using deterministic preference not
-- influenced by the CPU.
-- | Warning: This ciphersuite list contains RC4. Use
-- ciphersuite_strong_det or ciphersuite_default_det instead.
ciphersuite_all_det :: [Cipher]
-- | list of medium ciphers.
-- | Deprecated: Use ciphersuite_strong or ciphersuite_default
-- instead.
ciphersuite_medium :: [Cipher]
-- | The strongest ciphers supported. For ciphers with PFS, AEAD and SHA2,
-- we list each AES128 variant after the corresponding AES256 and
-- ChaCha20-Poly1305 variants. For weaker constructs, we use just the
-- AES256 form.
--
-- AEAD ciphers with equivalent security properties are ordered based on
-- CPU hardware-acceleration support. If this dynamic runtime behavior is
-- not desired, use ciphersuite_strong_det instead.
ciphersuite_strong :: [Cipher]
-- | Same as ciphersuite_strong, but using deterministic preference
-- not influenced by the CPU.
ciphersuite_strong_det :: [Cipher]
-- | all unencrypted ciphers, do not use on insecure network.
ciphersuite_unencrypted :: [Cipher]
-- | DHE-RSA cipher suite. This only includes ciphers bound specifically to
-- DHE-RSA so TLS 1.3 ciphers must be added separately.
ciphersuite_dhe_rsa :: [Cipher]
ciphersuite_dhe_dss :: [Cipher]
-- | unencrypted cipher using RSA for key exchange and SHA1 for digest
cipher_null_SHA1 :: Cipher
-- | AES cipher (128 bit key), RSA key exchange and SHA1 for digest
cipher_AES128_SHA1 :: Cipher
-- | AES cipher (256 bit key), RSA key exchange and SHA1 for digest
cipher_AES256_SHA1 :: Cipher
-- | AES cipher (128 bit key), RSA key exchange and SHA256 for digest
cipher_AES128_SHA256 :: Cipher
-- | AES cipher (256 bit key), RSA key exchange and SHA256 for digest
cipher_AES256_SHA256 :: Cipher
-- | AESCCM cipher (128 bit key), RSA key exchange. The SHA256 digest is
-- used as a PRF, not as a MAC.
cipher_AES128CCM_SHA256 :: Cipher
-- | AESCCM8 cipher (128 bit key), RSA key exchange. The SHA256 digest is
-- used as a PRF, not as a MAC.
cipher_AES128CCM8_SHA256 :: Cipher
-- | AESGCM cipher (128 bit key), RSA key exchange. The SHA256 digest is
-- used as a PRF, not as a MAC.
cipher_AES128GCM_SHA256 :: Cipher
-- | AESCCM cipher (256 bit key), RSA key exchange. The SHA256 digest is
-- used as a PRF, not as a MAC.
cipher_AES256CCM_SHA256 :: Cipher
-- | AESCCM8 cipher (256 bit key), RSA key exchange. The SHA256 digest is
-- used as a PRF, not as a MAC.
cipher_AES256CCM8_SHA256 :: Cipher
-- | AESGCM cipher (256 bit key), RSA key exchange. The SHA384 digest is
-- used as a PRF, not as a MAC.
cipher_AES256GCM_SHA384 :: Cipher
-- | AES cipher (128 bit key), DHE key exchanged signed by RSA and SHA1 for
-- digest
cipher_DHE_RSA_AES128_SHA1 :: Cipher
-- | AES cipher (256 bit key), DHE key exchanged signed by RSA and SHA1 for
-- digest
cipher_DHE_RSA_AES256_SHA1 :: Cipher
cipher_DHE_RSA_AES128_SHA256 :: Cipher
cipher_DHE_RSA_AES256_SHA256 :: Cipher
-- | AES cipher (128 bit key), DHE key exchanged signed by DSA and SHA1 for
-- digest
cipher_DHE_DSS_AES128_SHA1 :: Cipher
-- | AES cipher (256 bit key), DHE key exchanged signed by DSA and SHA1 for
-- digest
cipher_DHE_DSS_AES256_SHA1 :: Cipher
cipher_DHE_RSA_AES128CCM_SHA256 :: Cipher
cipher_DHE_RSA_AES128CCM8_SHA256 :: Cipher
cipher_DHE_RSA_AES128GCM_SHA256 :: Cipher
cipher_DHE_RSA_AES256CCM_SHA256 :: Cipher
cipher_DHE_RSA_AES256CCM8_SHA256 :: Cipher
cipher_DHE_RSA_AES256GCM_SHA384 :: Cipher
cipher_DHE_RSA_CHACHA20POLY1305_SHA256 :: Cipher
cipher_ECDHE_RSA_AES128GCM_SHA256 :: Cipher
cipher_ECDHE_RSA_AES256GCM_SHA384 :: Cipher
cipher_ECDHE_RSA_AES128CBC_SHA256 :: Cipher
cipher_ECDHE_RSA_AES128CBC_SHA :: Cipher
cipher_ECDHE_RSA_AES256CBC_SHA :: Cipher
cipher_ECDHE_RSA_AES256CBC_SHA384 :: Cipher
cipher_ECDHE_RSA_CHACHA20POLY1305_SHA256 :: Cipher
cipher_ECDHE_ECDSA_AES128CBC_SHA :: Cipher
cipher_ECDHE_ECDSA_AES256CBC_SHA :: Cipher
cipher_ECDHE_ECDSA_AES128CBC_SHA256 :: Cipher
cipher_ECDHE_ECDSA_AES256CBC_SHA384 :: Cipher
cipher_ECDHE_ECDSA_AES128CCM_SHA256 :: Cipher
cipher_ECDHE_ECDSA_AES128CCM8_SHA256 :: Cipher
cipher_ECDHE_ECDSA_AES128GCM_SHA256 :: Cipher
cipher_ECDHE_ECDSA_AES256CCM_SHA256 :: Cipher
cipher_ECDHE_ECDSA_AES256CCM8_SHA256 :: Cipher
cipher_ECDHE_ECDSA_AES256GCM_SHA384 :: Cipher
cipher_ECDHE_ECDSA_CHACHA20POLY1305_SHA256 :: Cipher
cipher_TLS13_AES128GCM_SHA256 :: Cipher
cipher_TLS13_AES256GCM_SHA384 :: Cipher
cipher_TLS13_CHACHA20POLY1305_SHA256 :: Cipher
cipher_TLS13_AES128CCM_SHA256 :: Cipher
cipher_TLS13_AES128CCM8_SHA256 :: Cipher
-- | 3DES cipher (168 bit key), RSA key exchange and SHA1 for digest
cipher_RSA_3DES_EDE_CBC_SHA1 :: Cipher
-- | RC4 cipher, RSA key exchange and MD5 for digest
cipher_RC4_128_MD5 :: Cipher
-- | RC4 cipher, RSA key exchange and SHA1 for digest
cipher_RC4_128_SHA1 :: Cipher
-- | unencrypted cipher using RSA for key exchange and MD5 for digest
cipher_null_MD5 :: Cipher
cipher_DHE_DSS_RC4_SHA1 :: Cipher
-- | default values and ciphers
module Network.TLS.Extra
-- | Experimental API to run the TLS handshake establishing a QUIC
-- connection.
--
-- On the northbound API:
--
--
--
-- TLS invokes QUIC callbacks to use the QUIC transport
--
--
-- - TLS uses quicSend and quicRecv to send and receive
-- handshake message fragments.
-- - TLS calls quicInstallKeys to provide to QUIC the traffic
-- secrets it should use for encryption/decryption.
-- - TLS calls quicNotifyExtensions to notify to QUIC the
-- transport parameters exchanged through the handshake protocol.
-- - TLS calls quicDone when the handshake is done.
--
module Network.TLS.QUIC
-- | Start a TLS handshake thread for a QUIC client. The client will use
-- the specified TLS parameters and call the provided callback functions
-- to send and receive handshake data.
tlsQUICClient :: ClientParams -> QUICCallbacks -> IO ()
-- | Start a TLS handshake thread for a QUIC server. The server will use
-- the specified TLS parameters and call the provided callback functions
-- to send and receive handshake data.
tlsQUICServer :: ServerParams -> QUICCallbacks -> IO ()
-- | Callbacks implemented by QUIC and to be called by TLS at specific
-- points during the handshake. TLS may invoke them from external threads
-- but calls are not concurrent. Only a single callback function is
-- called at a given point in time.
data QUICCallbacks
QUICCallbacks :: ([(CryptLevel, ByteString)] -> IO ()) -> (CryptLevel -> IO (Either TLSError ByteString)) -> (Context -> KeyScheduleEvent -> IO ()) -> (Context -> [ExtensionRaw] -> IO ()) -> (Context -> IO ()) -> QUICCallbacks
-- | Called by TLS so that QUIC sends one or more handshake fragments. The
-- content transiting on this API is the plaintext of the fragments and
-- QUIC responsability is to encrypt this payload with the key material
-- given for the specified level and an appropriate encryption scheme.
--
-- The size of the fragments may exceed QUIC datagram limits so QUIC may
-- break them into smaller fragments.
--
-- The handshake protocol sometimes combines content at two levels in a
-- single flight. The TLS library does its best to provide this in the
-- same quicSend call and with a multi-valued argument. QUIC can
-- then decide how to transmit this optimally.
[quicSend] :: QUICCallbacks -> [(CryptLevel, ByteString)] -> IO ()
-- | Called by TLS to receive from QUIC the next plaintext handshake
-- fragment. The argument specifies with which encryption level the
-- fragment should be decrypted.
--
-- QUIC may return partial fragments to TLS. TLS will then call
-- quicRecv again as long as necessary. Note however that
-- fragments must be returned in the correct sequence, i.e. the order the
-- TLS peer emitted them.
--
-- The function may return an error to TLS if end of stream is reached or
-- if a protocol error has been received, believing the handshake cannot
-- proceed any longer. If the TLS handshake protocol cannot recover from
-- this error, the failure condition will be reported back to QUIC
-- through the control interface.
[quicRecv] :: QUICCallbacks -> CryptLevel -> IO (Either TLSError ByteString)
-- | Called by TLS when new encryption material is ready to be used in the
-- handshake. The next quicSend or quicRecv may now use the
-- associated encryption level (although the previous level is also
-- possible: directions Send/Recv do not change at the same time).
[quicInstallKeys] :: QUICCallbacks -> Context -> KeyScheduleEvent -> IO ()
-- | Called by TLS when QUIC-specific extensions have been received from
-- the peer.
[quicNotifyExtensions] :: QUICCallbacks -> Context -> [ExtensionRaw] -> IO ()
-- | Called when handshake is done. tlsQUICServer is finished
-- after calling this hook. tlsQUICClient calls recvData
-- after calling this hook to wait for new session tickets.
[quicDone] :: QUICCallbacks -> Context -> IO ()
-- | TLS encryption level.
data CryptLevel
-- | Unprotected traffic
CryptInitial :: CryptLevel
-- | Protected with master secret (TLS < 1.3)
CryptMasterSecret :: CryptLevel
-- | Protected with early traffic secret (TLS 1.3)
CryptEarlySecret :: CryptLevel
-- | Protected with handshake traffic secret (TLS 1.3)
CryptHandshakeSecret :: CryptLevel
-- | Protected with application traffic secret (TLS 1.3)
CryptApplicationSecret :: CryptLevel
-- | Argument given to quicInstallKeys when encryption material is
-- available.
data KeyScheduleEvent
-- | Key material and parameters for traffic at 0-RTT level
InstallEarlyKeys :: Maybe EarlySecretInfo -> KeyScheduleEvent
-- | Key material and parameters for traffic at handshake level
InstallHandshakeKeys :: HandshakeSecretInfo -> KeyScheduleEvent
-- | Key material and parameters for traffic at application level
InstallApplicationKeys :: ApplicationSecretInfo -> KeyScheduleEvent
-- | Handshake information generated for traffic at 0-RTT level.
data EarlySecretInfo
EarlySecretInfo :: Cipher -> ClientTrafficSecret EarlySecret -> EarlySecretInfo
-- | Handshake information generated for traffic at handshake level.
data HandshakeSecretInfo
HandshakeSecretInfo :: Cipher -> TrafficSecrets HandshakeSecret -> HandshakeSecretInfo
-- | Handshake information generated for traffic at application level.
newtype ApplicationSecretInfo
ApplicationSecretInfo :: TrafficSecrets ApplicationSecret -> ApplicationSecretInfo
-- | Phantom type indicating early traffic secret.
data EarlySecret
-- | Phantom type indicating handshake traffic secrets.
data HandshakeSecret
-- | Phantom type indicating application traffic secrets.
data ApplicationSecret
-- | Hold both client and server traffic secrets at the same step.
type TrafficSecrets a = (ClientTrafficSecret a, ServerTrafficSecret a)
-- | A server traffic secret, typed with a parameter indicating a step in
-- the TLS key schedule.
newtype ServerTrafficSecret a
ServerTrafficSecret :: ByteString -> ServerTrafficSecret a
-- | A client traffic secret, typed with a parameter indicating a step in
-- the TLS key schedule.
newtype ClientTrafficSecret a
ClientTrafficSecret :: ByteString -> ClientTrafficSecret a
-- | ID of the application-level protocol negotiated between client and
-- server. See values listed in the IANA registry.
type NegotiatedProtocol = ByteString
-- | Type to show which handshake mode is used in TLS 1.3.
data HandshakeMode13
-- | Full handshake is used.
FullHandshake :: HandshakeMode13
-- | Full handshake is used with hello retry request.
HelloRetryRequest :: HandshakeMode13
-- | Server authentication is skipped.
PreSharedKey :: HandshakeMode13
-- | Server authentication is skipped and early data is sent.
RTT0 :: HandshakeMode13
-- | The raw content of a TLS extension.
data ExtensionRaw
ExtensionRaw :: ExtensionID -> ByteString -> ExtensionRaw
-- | Identifier of a TLS extension.
type ExtensionID = Word16
extensionID_QuicTransportParameters :: ExtensionID
-- | Can be used by callbacks to signal an unexpected condition. This will
-- then generate an "internal_error" alert in the TLS stack.
errorTLS :: String -> IO a
-- | Return the alert that a TLS endpoint would send to the peer for the
-- specified library error.
errorToAlertDescription :: TLSError -> AlertDescription
-- | Return the message that a TLS endpoint can add to its local log for
-- the specified library error.
errorToAlertMessage :: TLSError -> String
-- | Encode an alert to the assigned value.
fromAlertDescription :: AlertDescription -> Word8
-- | Decode an alert from the assigned value.
toAlertDescription :: Word8 -> Maybe AlertDescription
-- | HKDF-Expand-Label function. Returns output keying material of
-- the specified length from the PRK, customized for a TLS label and
-- context.
hkdfExpandLabel :: Hash -> ByteString -> ByteString -> ByteString -> Int -> ByteString
-- | HKDF-Extract function. Returns the pseudorandom key (PRK)
-- from salt and input keying material (IKM).
hkdfExtract :: Hash -> ByteString -> ByteString -> ByteString
-- | Digest size in bytes.
hashDigestSize :: Hash -> Int
-- | Max early data size for QUIC.
quicMaxEarlyDataSize :: Int
defaultSupported :: Supported
-- | Native Haskell TLS and SSL protocol implementation for server and
-- client.
--
-- This provides a high-level implementation of a sensitive security
-- protocol, eliminating a common set of security issues through the use
-- of the advanced type system, high level constructions and common
-- Haskell features.
--
-- Currently implement the SSL3.0, TLS1.0, TLS1.1, TLS1.2 and TLS 1.3
-- protocol, and support RSA and Ephemeral (Elliptic curve and regular)
-- Diffie Hellman key exchanges, and many extensions.
--
-- Some debug tools linked with tls, are available through the
-- http://hackage.haskell.org/package/tls-debug/.
module Network.TLS
-- | A TLS Context keep tls specific state, parameters and backend
-- information.
data Context
-- | create a new context using the backend and parameters specified.
contextNew :: (MonadIO m, HasBackend backend, TLSParams params) => backend -> params -> m Context
-- | Handshake for a new TLS connection This is to be called at the
-- beginning of a connection, and during renegotiation
handshake :: MonadIO m => Context -> m ()
-- | sendData sends a bunch of data. It will automatically chunk data to
-- acceptable packet size
sendData :: MonadIO m => Context -> ByteString -> m ()
-- | Get data out of Data packet, and automatically renegotiate if a
-- Handshake ClientHello is received. An empty result means EOF.
recvData :: MonadIO m => Context -> m ByteString
-- | notify the context that this side wants to close connection. this is
-- important that it is called before closing the handle, otherwise the
-- session might not be resumable (for version < TLS1.2).
--
-- this doesn't actually close the handle
bye :: MonadIO m => Context -> m ()
class HasBackend a
initializeBackend :: HasBackend a => a -> IO ()
getBackend :: HasBackend a => a -> Backend
-- | Connection IO backend
data Backend
Backend :: IO () -> IO () -> (ByteString -> IO ()) -> (Int -> IO ByteString) -> Backend
-- | Flush the connection sending buffer, if any.
[backendFlush] :: Backend -> IO ()
-- | Close the connection.
[backendClose] :: Backend -> IO ()
-- | Send a bytestring through the connection.
[backendSend] :: Backend -> ByteString -> IO ()
-- | Receive specified number of bytes from the connection.
[backendRecv] :: Backend -> Int -> IO ByteString
class TLSParams a
data ClientParams
ClientParams :: Maybe MaxFragmentEnum -> (HostName, ByteString) -> Bool -> Maybe (SessionID, SessionData) -> Shared -> ClientHooks -> Supported -> DebugParams -> Maybe ByteString -> ClientParams
-- | Default: Nothing
[clientUseMaxFragmentLength] :: ClientParams -> Maybe MaxFragmentEnum
-- | Define the name of the server, along with an extra service
-- identification blob. this is important that the hostname part is
-- properly filled for security reason, as it allow to properly associate
-- the remote side with the given certificate during a handshake.
--
-- The extra blob is useful to differentiate services running on the same
-- host, but that might have different certificates given. It's only used
-- as part of the X509 validation infrastructure.
--
-- This value is typically set by defaultParamsClient.
[clientServerIdentification] :: ClientParams -> (HostName, ByteString)
-- | Allow the use of the Server Name Indication TLS extension during
-- handshake, which allow the client to specify which host name, it's
-- trying to access. This is useful to distinguish CNAME aliasing (e.g.
-- web virtual host).
--
-- Default: True
[clientUseServerNameIndication] :: ClientParams -> Bool
-- | try to establish a connection using this session.
--
-- Default: Nothing
[clientWantSessionResume] :: ClientParams -> Maybe (SessionID, SessionData)
-- | See the default value of Shared.
[clientShared] :: ClientParams -> Shared
-- | See the default value of ClientHooks.
[clientHooks] :: ClientParams -> ClientHooks
-- | In this element, you'll need to override the default empty value of of
-- supportedCiphers with a suitable cipherlist.
--
-- See the default value of Supported.
[clientSupported] :: ClientParams -> Supported
-- | See the default value of DebugParams.
[clientDebug] :: ClientParams -> DebugParams
-- | Client tries to send this early data in TLS 1.3 if possible. If not
-- accepted by the server, it is application's responsibility to re-sent
-- it.
--
-- Default: Nothing
[clientEarlyData] :: ClientParams -> Maybe ByteString
defaultParamsClient :: HostName -> ByteString -> ClientParams
data ServerParams
ServerParams :: Bool -> [SignedCertificate] -> Maybe DHParams -> ServerHooks -> Shared -> Supported -> DebugParams -> Int -> Int -> ServerParams
-- | Request a certificate from client.
--
-- Default: False
[serverWantClientCert] :: ServerParams -> Bool
-- | This is a list of certificates from which the disinguished names are
-- sent in certificate request messages. For TLS1.0, it should not be
-- empty.
--
-- Default: '[]'
[serverCACertificates] :: ServerParams -> [SignedCertificate]
-- | Server Optional Diffie Hellman parameters. Setting parameters is
-- necessary for FFDHE key exchange when clients are not compatible with
-- RFC 7919.
--
-- Value can be one of the standardized groups from module
-- Network.TLS.Extra.FFDHE or custom parameters generated with
-- generateParams.
--
-- Default: Nothing
[serverDHEParams] :: ServerParams -> Maybe DHParams
-- | See the default value of ServerHooks.
[serverHooks] :: ServerParams -> ServerHooks
-- | See the default value of Shared.
[serverShared] :: ServerParams -> Shared
-- | See the default value of Supported.
[serverSupported] :: ServerParams -> Supported
-- | See the default value of DebugParams.
[serverDebug] :: ServerParams -> DebugParams
-- | Server accepts this size of early data in TLS 1.3. 0 (or lower) means
-- that the server does not accept early data.
--
-- Default: 0
[serverEarlyDataSize] :: ServerParams -> Int
-- | Lifetime in seconds for session tickets generated by the server.
-- Acceptable value range is 0 to 604800 (7 days). The default lifetime
-- is 86400 seconds (1 day).
--
-- Default: 86400 (one day)
[serverTicketLifetime] :: ServerParams -> Int
-- | Parameters that are common to clients and servers.
data Shared
Shared :: Credentials -> SessionManager -> CertificateStore -> ValidationCache -> [ExtensionRaw] -> Shared
-- | The list of certificates and private keys that a server will use as
-- part of authentication to clients. Actual credentials that are used
-- are selected dynamically from this list based on client capabilities.
-- Additional credentials returned by onServerNameIndication are
-- also considered.
--
-- When credential list is left empty (the default value), no key
-- exchange can take place.
--
-- Default: mempty
[sharedCredentials] :: Shared -> Credentials
-- | Callbacks used by clients and servers in order to resume TLS sessions.
-- The default implementation never resumes sessions. Package
-- tls-session-manager provides an in-memory implementation.
--
-- Default: noSessionManager
[sharedSessionManager] :: Shared -> SessionManager
-- | A collection of trust anchors to be used by a client as part of
-- validation of server certificates. This is set as first argument to
-- function onServerCertificate. Package x509-system gives
-- access to a default certificate store configured in the system.
--
-- Default: mempty
[sharedCAStore] :: Shared -> CertificateStore
-- | Callbacks that may be used by a client to cache certificate validation
-- results (positive or negative) and avoid expensive signature check.
-- The default implementation does not have any caching.
--
-- See the default value of ValidationCache.
[sharedValidationCache] :: Shared -> ValidationCache
-- | Additional extensions to be sent during the Hello sequence.
--
-- For a client this is always included in message ClientHello. For a
-- server, this is sent in messages ServerHello or EncryptedExtensions
-- based on the TLS version.
--
-- Default: []
[sharedHelloExtensions] :: Shared -> [ExtensionRaw]
-- | A set of callbacks run by the clients for various corners of TLS
-- establishment
data ClientHooks
ClientHooks :: OnCertificateRequest -> OnServerCertificate -> IO (Maybe [ByteString]) -> (DHParams -> DHPublic -> IO GroupUsage) -> ClientHooks
-- | This action is called when the a certificate request is received from
-- the server. The callback argument is the information from the request.
-- The server, at its discretion, may be willing to continue the
-- handshake without a client certificate. Therefore, the callback is
-- free to return Nothing to indicate that no client certificate
-- should be sent, despite the server's request. In some cases it may be
-- appropriate to get user consent before sending the certificate; the
-- content of the user's certificate may be sensitive and intended only
-- for specific servers.
--
-- The action should select a certificate chain of one of the given
-- certificate types and one of the certificates in the chain should (if
-- possible) be signed by one of the given distinguished names. Some
-- servers, that don't have a narrow set of preferred issuer CAs, will
-- send an empty DistinguishedName list, rather than send all the
-- names from their trusted CA bundle. If the client does not have a
-- certificate chaining to a matching CA, it may choose a default
-- certificate instead.
--
-- Each certificate except the last should be signed by the following
-- one. The returned private key must be for the first certificates in
-- the chain. This key will be used to signing the certificate verify
-- message.
--
-- The public key in the first certificate, and the matching returned
-- private key must be compatible with one of the list of
-- HashAndSignatureAlgorithm value when provided. TLS 1.3 changes
-- the meaning of the list elements, adding explicit code points for each
-- supported pair of hash and signature (public key) algorithms, rather
-- than combining separate codes for the hash and key. For details see
-- RFC 8446 section 4.2.3. When no compatible certificate chain is
-- available, return Nothing if it is OK to continue without a
-- client certificate. Returning a non-matching certificate should result
-- in a handshake failure.
--
-- While the TLS version is not provided to the callback, the content of
-- the signature_algorithms list provides a strong hint, since
-- TLS 1.3 servers will generally list RSA pairs with a hash component of
-- Intrinsic (0x08).
--
-- Note that is is the responsibility of this action to select a
-- certificate matching one of the requested certificate types (public
-- key algorithms). Returning a non-matching one will lead to handshake
-- failure later.
--
-- Default: returns Nothing anyway.
[onCertificateRequest] :: ClientHooks -> OnCertificateRequest
-- | Used by the client to validate the server certificate. The default
-- implementation calls validateDefault which validates according
-- to the default hooks and checks provided by
-- Data.X509.Validation. This can be replaced with a custom
-- validation function using different settings.
--
-- The function is not expected to verify the key-usage extension of the
-- end-entity certificate, as this depends on the dynamically-selected
-- cipher and this part should not be cached. Key-usage verification is
-- performed by the library internally.
--
-- Default: validateDefault
[onServerCertificate] :: ClientHooks -> OnServerCertificate
-- | This action is called when the client sends ClientHello to determine
-- ALPN values such as '["h2", "http/1.1"]'.
--
-- Default: returns Nothing
[onSuggestALPN] :: ClientHooks -> IO (Maybe [ByteString])
-- | This action is called to validate DHE parameters when the server
-- selected a finite-field group not part of the "Supported Groups
-- Registry" or not part of supportedGroups list.
--
-- With TLS 1.3 custom groups have been removed from the protocol, so
-- this callback is only used when the version negotiated is 1.2 or
-- below.
--
-- The default behavior with (dh_p, dh_g, dh_size) and pub as follows:
--
--
-- - rejecting if dh_p is even
-- - rejecting unless 1 < dh_g && dh_g < dh_p - 1
-- - rejecting unless 1 < dh_p && pub < dh_p - 1
-- - rejecting if dh_size < 1024 (to prevent Logjam attack)
--
--
-- See RFC 7919 section 3.1 for recommandations.
[onCustomFFDHEGroup] :: ClientHooks -> DHParams -> DHPublic -> IO GroupUsage
-- | Type for onCertificateRequest. This type synonym is to make
-- document readable.
type OnCertificateRequest = ([CertificateType], Maybe [HashAndSignatureAlgorithm], [DistinguishedName]) -> IO (Maybe (CertificateChain, PrivKey))
-- | Type for onServerCertificate. This type synonym is to make
-- document readable.
type OnServerCertificate = CertificateStore -> ValidationCache -> ServiceID -> CertificateChain -> IO [FailedReason]
-- | A set of callbacks run by the server for various corners of the TLS
-- establishment
data ServerHooks
ServerHooks :: (CertificateChain -> IO CertificateUsage) -> IO Bool -> (Version -> [Cipher] -> Cipher) -> (Maybe HostName -> IO Credentials) -> (Measurement -> IO Bool) -> Maybe ([ByteString] -> IO ByteString) -> ([ExtensionRaw] -> IO [ExtensionRaw]) -> ServerHooks
-- | This action is called when a client certificate chain is received from
-- the client. When it returns a CertificateUsageReject value, the
-- handshake is aborted.
--
-- The function is not expected to verify the key-usage extension of the
-- certificate. This verification is performed by the library internally.
--
-- Default: returns the followings:
--
--
-- CertificateUsageReject (CertificateRejectOther "no client certificates expected")
--
[onClientCertificate] :: ServerHooks -> CertificateChain -> IO CertificateUsage
-- | This action is called when the client certificate cannot be verified.
-- Return True to accept the certificate anyway, or False
-- to fail verification.
--
-- Default: returns False
[onUnverifiedClientCert] :: ServerHooks -> IO Bool
-- | Allow the server to choose the cipher relative to the the client
-- version and the client list of ciphers.
--
-- This could be useful with old clients and as a workaround to the BEAST
-- (where RC4 is sometimes prefered with TLS < 1.1)
--
-- The client cipher list cannot be empty.
--
-- Default: taking the head of ciphers.
[onCipherChoosing] :: ServerHooks -> Version -> [Cipher] -> Cipher
-- | Allow the server to indicate additional credentials to be used
-- depending on the host name indicated by the client.
--
-- This is most useful for transparent proxies where credentials must be
-- generated on the fly according to the host the client is trying to
-- connect to.
--
-- Returned credentials may be ignored if a client does not support the
-- signature algorithms used in the certificate chain.
--
-- Default: returns mempty
[onServerNameIndication] :: ServerHooks -> Maybe HostName -> IO Credentials
-- | At each new handshake, we call this hook to see if we allow handshake
-- to happens.
--
-- Default: returns True
[onNewHandshake] :: ServerHooks -> Measurement -> IO Bool
-- | Allow the server to choose an application layer protocol suggested
-- from the client through the ALPN (Application Layer Protocol
-- Negotiation) extensions. If the server supports no protocols that the
-- client advertises an empty ByteString should be returned.
--
-- Default: Nothing
[onALPNClientSuggest] :: ServerHooks -> Maybe ([ByteString] -> IO ByteString)
-- | Allow to modify extensions to be sent in EncryptedExtensions of TLS
-- 1.3.
--
-- Default: 'return . id'
[onEncryptedExtensionsCreating] :: ServerHooks -> [ExtensionRaw] -> IO [ExtensionRaw]
-- | record some data about this connection.
data Measurement
Measurement :: !Word32 -> !Word32 -> !Word32 -> Measurement
-- | number of handshakes on this context
[nbHandshakes] :: Measurement -> !Word32
-- | bytes received since last handshake
[bytesReceived] :: Measurement -> !Word32
-- | bytes sent since last handshake
[bytesSent] :: Measurement -> !Word32
-- | List all the supported algorithms, versions, ciphers, etc supported.
data Supported
Supported :: [Version] -> [Cipher] -> [Compression] -> [HashAndSignatureAlgorithm] -> Bool -> Bool -> EMSMode -> Bool -> Bool -> Bool -> [Group] -> Supported
-- | Supported versions by this context. On the client side, the highest
-- version will be used to establish the connection. On the server side,
-- the highest version that is less or equal than the client version will
-- be chosen.
--
-- Versions should be listed in preference order, i.e. higher versions
-- first.
--
-- Default: [TLS13,TLS12,TLS11,TLS10]
[supportedVersions] :: Supported -> [Version]
-- | Supported cipher methods. The default is empty, specify a suitable
-- cipher list. ciphersuite_default is often a good choice.
--
-- Default: []
[supportedCiphers] :: Supported -> [Cipher]
-- | Supported compressions methods. By default only the "null" compression
-- is supported, which means no compression will be performed. Allowing
-- other compression method is not advised as it causes a connection
-- failure when TLS 1.3 is negotiated.
--
-- Default: [nullCompression]
[supportedCompressions] :: Supported -> [Compression]
-- | All supported hash/signature algorithms pair for client certificate
-- verification and server signature in (EC)DHE, ordered by decreasing
-- priority.
--
-- This list is sent to the peer as part of the "signature_algorithms"
-- extension. It is used to restrict accepted signatures received from
-- the peer at TLS level (not in X.509 certificates), but only when the
-- TLS version is 1.2 or above. In order to disable SHA-1 one must then
-- also disable earlier protocol versions in supportedVersions.
--
-- The list also impacts the selection of possible algorithms when
-- generating signatures.
--
-- Note: with TLS 1.3 some algorithms have been deprecated and will not
-- be used even when listed in the parameter: MD5, SHA-1, SHA-224, RSA
-- PKCS#1, DSS.
--
-- Default:
--
--
-- [ (HashIntrinsic, SignatureEd448)
-- , (HashIntrinsic, SignatureEd25519)
-- , (Struct.HashSHA256, SignatureECDSA)
-- , (Struct.HashSHA384, SignatureECDSA)
-- , (Struct.HashSHA512, SignatureECDSA)
-- , (HashIntrinsic, SignatureRSApssRSAeSHA512)
-- , (HashIntrinsic, SignatureRSApssRSAeSHA384)
-- , (HashIntrinsic, SignatureRSApssRSAeSHA256)
-- , (Struct.HashSHA512, SignatureRSA)
-- , (Struct.HashSHA384, SignatureRSA)
-- , (Struct.HashSHA256, SignatureRSA)
-- , (Struct.HashSHA1, SignatureRSA)
-- , (Struct.HashSHA1, SignatureDSS)
-- ]
--
[supportedHashSignatures] :: Supported -> [HashAndSignatureAlgorithm]
-- | Secure renegotiation defined in RFC5746. If True, clients send
-- the renegotiation_info extension. If True, servers handle the
-- extension or the renegotiation SCSV then send the renegotiation_info
-- extension.
--
-- Default: True
[supportedSecureRenegotiation] :: Supported -> Bool
-- | If True, renegotiation is allowed from the client side. This is
-- vulnerable to DOS attacks. If False, renegotiation is allowed
-- only from the server side via HelloRequest.
--
-- Default: False
[supportedClientInitiatedRenegotiation] :: Supported -> Bool
-- | The mode regarding extended master secret. Enabling this extension
-- provides better security for TLS versions 1.0 to 1.2. TLS 1.3 provides
-- the security properties natively and does not need the extension.
--
-- By default the extension is enabled but not required. If mode is set
-- to RequireEMS, the handshake will fail when the peer does not
-- support the extension. It is also advised to disable SSLv3 which does
-- not have this mechanism.
--
-- Default: AllowEMS
[supportedExtendedMasterSec] :: Supported -> EMSMode
-- | Set if we support session.
--
-- Default: True
[supportedSession] :: Supported -> Bool
-- | Support for fallback SCSV defined in RFC7507. If True, servers
-- reject handshakes which suggest a lower protocol than the highest
-- protocol supported.
--
-- Default: True
[supportedFallbackScsv] :: Supported -> Bool
-- | In ver <= TLS1.0, block ciphers using CBC are using CBC residue as
-- IV, which can be guessed by an attacker. Hence, an empty packet is
-- normally sent before a normal data packet, to prevent guessability.
-- Some Microsoft TLS-based protocol implementations, however, consider
-- these empty packets as a protocol violation and disconnect. If this
-- parameter is False, empty packets will never be added, which is
-- less secure, but might help in rare cases.
--
-- Default: True
[supportedEmptyPacket] :: Supported -> Bool
-- | A list of supported elliptic curves and finite-field groups in the
-- preferred order.
--
-- The list is sent to the server as part of the "supported_groups"
-- extension. It is used in both clients and servers to restrict accepted
-- groups in DH key exchange. Up until TLS v1.2, it is also used by a
-- client to restrict accepted elliptic curves in ECDSA signatures.
--
-- The default value includes all groups with security strength of 128
-- bits or more.
--
-- Default:
-- [X25519,X448,P256,FFDHE3072,FFDHE4096,P384,FFDHE6144,FFDHE8192,P521]
[supportedGroups] :: Supported -> [Group]
-- | All settings should not be used in production
data DebugParams
DebugParams :: Maybe Seed -> (Seed -> IO ()) -> Maybe Version -> (String -> IO ()) -> DebugParams
-- | Disable the true randomness in favor of deterministic seed that will
-- produce a deterministic random from. This is useful for tests and
-- debugging purpose. Do not use in production
--
-- Default: Nothing
[debugSeed] :: DebugParams -> Maybe Seed
-- | Add a way to print the seed that was randomly generated. re-using the
-- same seed will reproduce the same randomness with debugSeed
--
-- Default: no printing
[debugPrintSeed] :: DebugParams -> Seed -> IO ()
-- | Force to choose this version in the server side.
--
-- Default: Nothing
[debugVersionForced] :: DebugParams -> Maybe Version
-- | Printing master keys.
--
-- Default: no printing
[debugKeyLogger] :: DebugParams -> String -> IO ()
newtype Credentials
Credentials :: [Credential] -> Credentials
type Credential = (CertificateChain, PrivKey)
-- | try to create a new credential object from a public certificate and
-- the associated private key that are stored on the filesystem in PEM
-- format.
credentialLoadX509 :: FilePath -> FilePath -> IO (Either String Credential)
-- | similar to credentialLoadX509 but take the certificate and
-- private key from memory instead of from the filesystem.
credentialLoadX509FromMemory :: ByteString -> ByteString -> Either String Credential
-- | similar to credentialLoadX509 but also allow specifying chain
-- certificates.
credentialLoadX509Chain :: FilePath -> [FilePath] -> FilePath -> IO (Either String Credential)
-- | similar to credentialLoadX509FromMemory but also allow
-- specifying chain certificates.
credentialLoadX509ChainFromMemory :: ByteString -> [ByteString] -> ByteString -> Either String Credential
-- | A session manager
data SessionManager
SessionManager :: (SessionID -> IO (Maybe SessionData)) -> (SessionID -> IO (Maybe SessionData)) -> (SessionID -> SessionData -> IO ()) -> (SessionID -> IO ()) -> SessionManager
-- | used on server side to decide whether to resume a client session.
[sessionResume] :: SessionManager -> SessionID -> IO (Maybe SessionData)
-- | used on server side to decide whether to resume a client session for
-- TLS 1.3 0RTT. For a given SessionID, the implementation must
-- return its SessionData only once and must not return the same
-- SessionData after the call.
[sessionResumeOnlyOnce] :: SessionManager -> SessionID -> IO (Maybe SessionData)
-- | used when a session is established.
[sessionEstablish] :: SessionManager -> SessionID -> SessionData -> IO ()
-- | used when a session is invalidated.
[sessionInvalidate] :: SessionManager -> SessionID -> IO ()
-- | The session manager to do nothing.
noSessionManager :: SessionManager
-- | A session ID
type SessionID = ByteString
-- | Session data to resume
data SessionData
SessionData :: Version -> CipherID -> CompressionID -> Maybe HostName -> ByteString -> Maybe Group -> Maybe TLS13TicketInfo -> Maybe ByteString -> Int -> [SessionFlag] -> SessionData
[sessionVersion] :: SessionData -> Version
[sessionCipher] :: SessionData -> CipherID
[sessionCompression] :: SessionData -> CompressionID
[sessionClientSNI] :: SessionData -> Maybe HostName
[sessionSecret] :: SessionData -> ByteString
[sessionGroup] :: SessionData -> Maybe Group
[sessionTicketInfo] :: SessionData -> Maybe TLS13TicketInfo
[sessionALPN] :: SessionData -> Maybe ByteString
[sessionMaxEarlyDataSize] :: SessionData -> Int
[sessionFlags] :: SessionData -> [SessionFlag]
-- | Some session flags
data SessionFlag
-- | Session created with Extended Master Secret
SessionEMS :: SessionFlag
data TLS13TicketInfo
-- | All the callbacks needed for querying and adding to the cache.
data ValidationCache
ValidationCache :: ValidationCacheQueryCallback -> ValidationCacheAddCallback -> ValidationCache
-- | cache querying callback
[cacheQuery] :: ValidationCache -> ValidationCacheQueryCallback
-- | cache adding callback
[cacheAdd] :: ValidationCache -> ValidationCacheAddCallback
-- | Validation cache query callback type
type ValidationCacheQueryCallback = ServiceID -> Fingerprint -> Certificate -> IO ValidationCacheResult
-- | Validation cache callback type
type ValidationCacheAddCallback = ServiceID -> Fingerprint -> Certificate -> IO ()
-- | The result of a cache query
data ValidationCacheResult
-- | cache allow this fingerprint to go through
ValidationCachePass :: ValidationCacheResult
-- | cache denied this fingerprint for further validation
ValidationCacheDenied :: String -> ValidationCacheResult
-- | unknown fingerprint in cache
ValidationCacheUnknown :: ValidationCacheResult
-- | create a simple constant cache that list exceptions to the
-- certification validation. Typically this is use to allow self-signed
-- certificates for specific use, with out-of-bounds user checks.
--
-- No fingerprints will be added after the instance is created.
--
-- The underlying structure for the check is kept as a list, as usually
-- the exception list will be short, but when the list go above a dozen
-- exceptions it's recommended to use another cache mechanism with a
-- faster lookup mechanism (hashtable, map, etc).
--
-- Note that only one fingerprint is allowed per ServiceID, for other
-- use, another cache mechanism need to be use.
exceptionValidationCache :: [(ServiceID, Fingerprint)] -> ValidationCache
-- | Versions known to TLS
--
-- SSL2 is just defined, but this version is and will not be supported.
data Version
SSL2 :: Version
SSL3 :: Version
TLS10 :: Version
TLS11 :: Version
TLS12 :: Version
TLS13 :: Version
-- | every compression need to be wrapped in this, to fit in structure
data Compression
Compression :: a -> Compression
-- | default null compression
nullCompression :: Compression
type HashAndSignatureAlgorithm = (HashAlgorithm, SignatureAlgorithm)
data HashAlgorithm
HashNone :: HashAlgorithm
HashMD5 :: HashAlgorithm
HashSHA1 :: HashAlgorithm
HashSHA224 :: HashAlgorithm
HashSHA256 :: HashAlgorithm
HashSHA384 :: HashAlgorithm
HashSHA512 :: HashAlgorithm
HashIntrinsic :: HashAlgorithm
HashOther :: Word8 -> HashAlgorithm
data SignatureAlgorithm
SignatureAnonymous :: SignatureAlgorithm
SignatureRSA :: SignatureAlgorithm
SignatureDSS :: SignatureAlgorithm
SignatureECDSA :: SignatureAlgorithm
SignatureRSApssRSAeSHA256 :: SignatureAlgorithm
SignatureRSApssRSAeSHA384 :: SignatureAlgorithm
SignatureRSApssRSAeSHA512 :: SignatureAlgorithm
SignatureEd25519 :: SignatureAlgorithm
SignatureEd448 :: SignatureAlgorithm
SignatureRSApsspssSHA256 :: SignatureAlgorithm
SignatureRSApsspssSHA384 :: SignatureAlgorithm
SignatureRSApsspssSHA512 :: SignatureAlgorithm
SignatureOther :: Word8 -> SignatureAlgorithm
data Group
P256 :: Group
P384 :: Group
P521 :: Group
X25519 :: Group
X448 :: Group
FFDHE2048 :: Group
FFDHE3072 :: Group
FFDHE4096 :: Group
FFDHE6144 :: Group
FFDHE8192 :: Group
-- | Client or server policy regarding Extended Master Secret
data EMSMode
-- | Extended Master Secret is not used
NoEMS :: EMSMode
-- | Extended Master Secret is allowed
AllowEMS :: EMSMode
-- | Extended Master Secret is required
RequireEMS :: EMSMode
type DHParams = Params
type DHPublic = PublicNumber
-- | Group usage callback possible return values.
data GroupUsage
-- | usage of group accepted
GroupUsageValid :: GroupUsage
-- | usage of group provides insufficient security
GroupUsageInsecure :: GroupUsage
-- | usage of group rejected for other reason (specified as string)
GroupUsageUnsupported :: String -> GroupUsage
-- | usage of group with an invalid public value
GroupUsageInvalidPublic :: GroupUsage
-- | Certificate Usage callback possible returns values.
data CertificateUsage
-- | usage of certificate accepted
CertificateUsageAccept :: CertificateUsage
-- | usage of certificate rejected
CertificateUsageReject :: CertificateRejectReason -> CertificateUsage
-- | Certificate and Chain rejection reason
data CertificateRejectReason
CertificateRejectExpired :: CertificateRejectReason
CertificateRejectRevoked :: CertificateRejectReason
CertificateRejectUnknownCA :: CertificateRejectReason
CertificateRejectAbsent :: CertificateRejectReason
CertificateRejectOther :: String -> CertificateRejectReason
-- | Some of the IANA registered code points for CertificateType are
-- not currently supported by the library. Nor should they be, they're
-- are either unwise, obsolete or both. There's no point in conveying
-- these to the user in the client certificate request callback. The
-- request callback will be filtered to exclude unsupported values. If
-- the user cannot find a certificate for a supported code point, we'll
-- go ahead without a client certificate and hope for the best, unless
-- the user's callback decides to throw an exception.
data CertificateType
-- | TLS10 and up, RFC5246
CertificateType_RSA_Sign :: CertificateType
-- | TLS10 and up, RFC5246
CertificateType_DSS_Sign :: CertificateType
-- | TLS10 and up, RFC8422
CertificateType_ECDSA_Sign :: CertificateType
-- | TLS13 and up, synthetic
CertificateType_Ed25519_Sign :: CertificateType
-- | TLS13 and up, synthetic | None of the below will ever be presented to
-- the callback. Any future public key algorithms valid for client
-- certificates go above this line.
CertificateType_Ed448_Sign :: CertificateType
CertificateType_RSA_Fixed_DH :: CertificateType
CertificateType_DSS_Fixed_DH :: CertificateType
CertificateType_RSA_Ephemeral_DH :: CertificateType
CertificateType_DSS_Ephemeral_DH :: CertificateType
CertificateType_fortezza_dms :: CertificateType
CertificateType_RSA_Fixed_ECDH :: CertificateType
CertificateType_ECDSA_Fixed_ECDH :: CertificateType
CertificateType_Unknown :: Word8 -> CertificateType
type HostName = String
data MaxFragmentEnum
MaxFragment512 :: MaxFragmentEnum
MaxFragment1024 :: MaxFragmentEnum
MaxFragment2048 :: MaxFragmentEnum
MaxFragment4096 :: MaxFragmentEnum
-- | return the backend object associated with this context
ctxConnection :: Context -> Backend
-- | A shortcut for 'backendFlush . ctxConnection'.
contextFlush :: Context -> IO ()
-- | A shortcut for 'backendClose . ctxConnection'.
contextClose :: Context -> IO ()
-- | Information related to a running context, e.g. current cipher
data Information
Information :: Version -> Cipher -> Compression -> Maybe ByteString -> Bool -> Maybe ClientRandom -> Maybe ServerRandom -> Maybe Group -> Maybe HandshakeMode13 -> Bool -> Information
[infoVersion] :: Information -> Version
[infoCipher] :: Information -> Cipher
[infoCompression] :: Information -> Compression
[infoMasterSecret] :: Information -> Maybe ByteString
[infoExtendedMasterSec] :: Information -> Bool
[infoClientRandom] :: Information -> Maybe ClientRandom
[infoServerRandom] :: Information -> Maybe ServerRandom
[infoNegotiatedGroup] :: Information -> Maybe Group
[infoTLS13HandshakeMode] :: Information -> Maybe HandshakeMode13
[infoIsEarlyDataAccepted] :: Information -> Bool
-- | Information about the current context
contextGetInformation :: Context -> IO (Maybe Information)
data ClientRandom
data ServerRandom
unClientRandom :: ClientRandom -> ByteString
unServerRandom :: ServerRandom -> ByteString
-- | Type to show which handshake mode is used in TLS 1.3.
data HandshakeMode13
-- | Full handshake is used.
FullHandshake :: HandshakeMode13
-- | Full handshake is used with hello retry request.
HelloRetryRequest :: HandshakeMode13
-- | Server authentication is skipped.
PreSharedKey :: HandshakeMode13
-- | Server authentication is skipped and early data is sent.
RTT0 :: HandshakeMode13
-- | Getting certificates from a client, if any. Note that the certificates
-- are not sent by a client on resumption even if client authentication
-- is required. So, this API would be replaced by the one which can treat
-- both cases of full-negotiation and resumption.
getClientCertificateChain :: Context -> IO (Maybe CertificateChain)
-- | If the ALPN extensions have been used, this will return get the
-- protocol agreed upon.
getNegotiatedProtocol :: MonadIO m => Context -> m (Maybe ByteString)
-- | If the Server Name Indication extension has been used, return the
-- hostname specified by the client.
getClientSNI :: MonadIO m => Context -> m (Maybe HostName)
-- | Updating appication traffic secrets for TLS 1.3. If this API is called
-- for TLS 1.3, True is returned. Otherwise, False is
-- returned.
updateKey :: MonadIO m => Context -> KeyUpdateRequest -> m Bool
-- | How to update keys in TLS 1.3
data KeyUpdateRequest
-- | Unidirectional key update
OneWay :: KeyUpdateRequest
-- | Bidirectional key update (normal case)
TwoWay :: KeyUpdateRequest
-- | Post-handshake certificate request with TLS 1.3. Returns True
-- if the request was possible, i.e. if TLS 1.3 is used and the remote
-- client supports post-handshake authentication.
requestCertificate :: MonadIO m => Context -> m Bool
-- | Get TLS Finished sent to peer
getFinished :: Context -> IO (Maybe FinishedData)
-- | Get TLS Finished received from peer
getPeerFinished :: Context -> IO (Maybe FinishedData)
-- | A collection of hooks actions.
data Hooks
Hooks :: (Handshake -> IO Handshake) -> (Handshake13 -> IO Handshake13) -> (CertificateChain -> IO ()) -> Logging -> Hooks
-- | called at each handshake message received
[hookRecvHandshake] :: Hooks -> Handshake -> IO Handshake
-- | called at each handshake message received for TLS 1.3
[hookRecvHandshake13] :: Hooks -> Handshake13 -> IO Handshake13
-- | called at each certificate chain message received
[hookRecvCertificates] :: Hooks -> CertificateChain -> IO ()
-- | hooks on IO and packets, receiving and sending.
[hookLogging] :: Hooks -> Logging
contextModifyHooks :: Context -> (Hooks -> Hooks) -> IO ()
data Handshake
contextHookSetHandshakeRecv :: Context -> (Handshake -> IO Handshake) -> IO ()
data Handshake13
contextHookSetHandshake13Recv :: Context -> (Handshake13 -> IO Handshake13) -> IO ()
contextHookSetCertificateRecv :: Context -> (CertificateChain -> IO ()) -> IO ()
-- | Hooks for logging
--
-- This is called when sending and receiving packets and IO
data Logging
Logging :: (String -> IO ()) -> (String -> IO ()) -> (ByteString -> IO ()) -> (Header -> ByteString -> IO ()) -> Logging
[loggingPacketSent] :: Logging -> String -> IO ()
[loggingPacketRecv] :: Logging -> String -> IO ()
[loggingIOSent] :: Logging -> ByteString -> IO ()
[loggingIORecv] :: Logging -> Header -> ByteString -> IO ()
data Header
Header :: ProtocolType -> Version -> Word16 -> Header
data ProtocolType
ProtocolType_ChangeCipherSpec :: ProtocolType
ProtocolType_Alert :: ProtocolType
ProtocolType_Handshake :: ProtocolType
ProtocolType_AppData :: ProtocolType
ProtocolType_DeprecatedHandshake :: ProtocolType
contextHookSetLogging :: Context -> Logging -> IO ()
-- | TLSError that might be returned through the TLS stack
data TLSError
-- | mainly for instance of Error
Error_Misc :: String -> TLSError
Error_Protocol :: (String, Bool, AlertDescription) -> TLSError
Error_Certificate :: String -> TLSError
-- | handshake policy failed.
Error_HandshakePolicy :: String -> TLSError
Error_EOF :: TLSError
Error_Packet :: String -> TLSError
Error_Packet_unexpected :: String -> String -> TLSError
Error_Packet_Parsing :: String -> TLSError
data KxError
RSAError :: Error -> KxError
KxUnsupported :: KxError
data AlertDescription
CloseNotify :: AlertDescription
UnexpectedMessage :: AlertDescription
BadRecordMac :: AlertDescription
-- | deprecated alert, should never be sent by compliant implementation
DecryptionFailed :: AlertDescription
RecordOverflow :: AlertDescription
DecompressionFailure :: AlertDescription
HandshakeFailure :: AlertDescription
BadCertificate :: AlertDescription
UnsupportedCertificate :: AlertDescription
CertificateRevoked :: AlertDescription
CertificateExpired :: AlertDescription
CertificateUnknown :: AlertDescription
IllegalParameter :: AlertDescription
UnknownCa :: AlertDescription
AccessDenied :: AlertDescription
DecodeError :: AlertDescription
DecryptError :: AlertDescription
ExportRestriction :: AlertDescription
ProtocolVersion :: AlertDescription
InsufficientSecurity :: AlertDescription
InternalError :: AlertDescription
InappropriateFallback :: AlertDescription
UserCanceled :: AlertDescription
NoRenegotiation :: AlertDescription
MissingExtension :: AlertDescription
UnsupportedExtension :: AlertDescription
CertificateUnobtainable :: AlertDescription
UnrecognizedName :: AlertDescription
BadCertificateStatusResponse :: AlertDescription
BadCertificateHashValue :: AlertDescription
UnknownPskIdentity :: AlertDescription
CertificateRequired :: AlertDescription
NoApplicationProtocol :: AlertDescription
-- | TLS Exceptions related to bad user usage or asynchronous errors
data TLSException
-- | Early termination exception with the reason and the error associated
Terminated :: Bool -> String -> TLSError -> TLSException
-- | Handshake failed for the reason attached
HandshakeFailed :: TLSError -> TLSException
-- | Usage error when the connection has not been established and the user
-- is trying to send or receive data
ConnectionNotEstablished :: TLSException
-- | supported compression algorithms need to be part of this class
class CompressionC a
compressionCID :: CompressionC a => a -> CompressionID
compressionCDeflate :: CompressionC a => a -> ByteString -> (a, ByteString)
compressionCInflate :: CompressionC a => a -> ByteString -> (a, ByteString)
-- | Compression identification
type CompressionID = Word8
-- | Public key types known and used in X.509
data PubKey
-- | RSA public key
PubKeyRSA :: PublicKey -> PubKey
-- | DSA public key
PubKeyDSA :: PublicKey -> PubKey
-- | DH format with (p,g,q,j,(seed,pgenCounter))
PubKeyDH :: (Integer, Integer, Integer, Maybe Integer, ([Word8], Integer)) -> PubKey
-- | EC public key
PubKeyEC :: PubKeyEC -> PubKey
-- | X25519 public key
PubKeyX25519 :: PublicKey -> PubKey
-- | X448 public key
PubKeyX448 :: PublicKey -> PubKey
-- | Ed25519 public key
PubKeyEd25519 :: PublicKey -> PubKey
-- | Ed448 public key
PubKeyEd448 :: PublicKey -> PubKey
-- | unrecognized format
PubKeyUnknown :: OID -> ByteString -> PubKey
-- | Private key types known and used in X.509
data PrivKey
-- | RSA private key
PrivKeyRSA :: PrivateKey -> PrivKey
-- | DSA private key
PrivKeyDSA :: PrivateKey -> PrivKey
-- | EC private key
PrivKeyEC :: PrivKeyEC -> PrivKey
-- | X25519 private key
PrivKeyX25519 :: SecretKey -> PrivKey
-- | X448 private key
PrivKeyX448 :: SecretKey -> PrivKey
-- | Ed25519 private key
PrivKeyEd25519 :: SecretKey -> PrivKey
-- | Ed448 private key
PrivKeyEd448 :: SecretKey -> PrivKey
data CipherKeyExchangeType
CipherKeyExchange_RSA :: CipherKeyExchangeType
CipherKeyExchange_DH_Anon :: CipherKeyExchangeType
CipherKeyExchange_DHE_RSA :: CipherKeyExchangeType
CipherKeyExchange_ECDHE_RSA :: CipherKeyExchangeType
CipherKeyExchange_DHE_DSS :: CipherKeyExchangeType
CipherKeyExchange_DH_DSS :: CipherKeyExchangeType
CipherKeyExchange_DH_RSA :: CipherKeyExchangeType
CipherKeyExchange_ECDH_ECDSA :: CipherKeyExchangeType
CipherKeyExchange_ECDH_RSA :: CipherKeyExchangeType
CipherKeyExchange_ECDHE_ECDSA :: CipherKeyExchangeType
CipherKeyExchange_TLS13 :: CipherKeyExchangeType
data Bulk
Bulk :: String -> Int -> Int -> Int -> Int -> Int -> BulkFunctions -> Bulk
[bulkName] :: Bulk -> String
[bulkKeySize] :: Bulk -> Int
[bulkIVSize] :: Bulk -> Int
[bulkExplicitIV] :: Bulk -> Int
[bulkAuthTagLen] :: Bulk -> Int
[bulkBlockSize] :: Bulk -> Int
[bulkF] :: Bulk -> BulkFunctions
data BulkFunctions
BulkBlockF :: (BulkDirection -> BulkKey -> BulkBlock) -> BulkFunctions
BulkStreamF :: (BulkDirection -> BulkKey -> BulkStream) -> BulkFunctions
BulkAeadF :: (BulkDirection -> BulkKey -> BulkAEAD) -> BulkFunctions
data BulkDirection
BulkEncrypt :: BulkDirection
BulkDecrypt :: BulkDirection
data BulkState
BulkStateStream :: BulkStream -> BulkState
BulkStateBlock :: BulkBlock -> BulkState
BulkStateAEAD :: BulkAEAD -> BulkState
BulkStateUninitialized :: BulkState
newtype BulkStream
BulkStream :: (ByteString -> (ByteString, BulkStream)) -> BulkStream
type BulkBlock = BulkIV -> ByteString -> (ByteString, BulkIV)
type BulkAEAD = BulkNonce -> ByteString -> BulkAdditionalData -> (ByteString, AuthTag)
bulkInit :: Bulk -> BulkDirection -> BulkKey -> BulkState
data Hash
MD5 :: Hash
SHA1 :: Hash
SHA224 :: Hash
SHA256 :: Hash
SHA384 :: Hash
SHA512 :: Hash
SHA1_MD5 :: Hash
-- | Cipher algorithm
data Cipher
Cipher :: CipherID -> String -> Hash -> Bulk -> CipherKeyExchangeType -> Maybe Version -> Maybe Hash -> Cipher
[cipherID] :: Cipher -> CipherID
[cipherName] :: Cipher -> String
[cipherHash] :: Cipher -> Hash
[cipherBulk] :: Cipher -> Bulk
[cipherKeyExchange] :: Cipher -> CipherKeyExchangeType
[cipherMinVer] :: Cipher -> Maybe Version
[cipherPRFHash] :: Cipher -> Maybe Hash
-- | Cipher identification
type CipherID = Word16
cipherKeyBlockSize :: Cipher -> Int
type BulkKey = ByteString
type BulkIV = ByteString
type BulkNonce = ByteString
type BulkAdditionalData = ByteString
-- | Check if a specific Cipher is allowed to be used with the
-- version specified
cipherAllowedForVersion :: Version -> Cipher -> Bool
hasMAC :: BulkFunctions -> Bool
hasRecordIV :: BulkFunctions -> Bool
-- | same as recvData but returns a lazy bytestring.
-- | Deprecated: use recvData that returns strict bytestring
recvData' :: MonadIO m => Context -> m ByteString
-- | create a new context on an handle.
-- | Deprecated: use contextNew
contextNewOnHandle :: (MonadIO m, TLSParams params) => Handle -> params -> m Context
-- | create a new context on a socket.
-- | Deprecated: use contextNew
contextNewOnSocket :: (MonadIO m, TLSParams params) => Socket -> params -> m Context
-- | Deprecated: Use Data.ByteString.Bytestring instead of Bytes.
type Bytes = ByteString
-- | A set of checks to activate or parametrize to perform on certificates.
--
-- It's recommended to use defaultChecks to create the structure,
-- to better cope with future changes or expansion of the structure.
data ValidationChecks
ValidationChecks :: Bool -> Maybe DateTime -> Bool -> Bool -> Bool -> Bool -> [ExtKeyUsageFlag] -> [ExtKeyUsagePurpose] -> Bool -> ValidationChecks
-- | check time validity of every certificate in the chain. the make sure
-- that current time is between each validity bounds in the certificate
[checkTimeValidity] :: ValidationChecks -> Bool
-- | The time when the validity check happens. When set to Nothing, the
-- current time will be used
[checkAtTime] :: ValidationChecks -> Maybe DateTime
-- | Check that no certificate is included that shouldn't be included.
-- unfortunately despite the specification violation, a lots of real
-- world server serves useless and usually old certificates that are not
-- relevant to the certificate sent, in their chain.
[checkStrictOrdering] :: ValidationChecks -> Bool
-- | Check that signing certificate got the CA basic constraint. this is
-- absolutely not recommended to turn it off.
[checkCAConstraints] :: ValidationChecks -> Bool
-- | Check the whole certificate chain without stopping at the first
-- failure. Allow gathering a exhaustive list of failure reasons. if this
-- is turn off, it's absolutely not safe to ignore a failed reason even
-- it doesn't look serious (e.g. Expired) as other more serious checks
-- would not have been performed.
[checkExhaustive] :: ValidationChecks -> Bool
-- | Check that the leaf certificate is version 3. If disable, version 2
-- certificate is authorized in leaf position and key usage cannot be
-- checked.
[checkLeafV3] :: ValidationChecks -> Bool
-- | Check that the leaf certificate is authorized to be used for certain
-- usage. If set to empty list no check are performed, otherwise all the
-- flags is the list need to exists in the key usage extension. If the
-- extension is not present, the check will pass and behave as if the
-- certificate key is not restricted to any specific usage.
[checkLeafKeyUsage] :: ValidationChecks -> [ExtKeyUsageFlag]
-- | Check that the leaf certificate is authorized to be used for certain
-- purpose. If set to empty list no check are performed, otherwise all
-- the flags is the list need to exists in the extended key usage
-- extension if present. If the extension is not present, then the check
-- will pass and behave as if the certificate is not restricted to any
-- specific purpose.
[checkLeafKeyPurpose] :: ValidationChecks -> [ExtKeyUsagePurpose]
-- | Check the top certificate names matching the fully qualified hostname
-- (FQHN). it's not recommended to turn this check off, if no other name
-- checks are performed.
[checkFQHN] :: ValidationChecks -> Bool
-- | A set of hooks to manipulate the way the verification works.
--
-- BEWARE, it's easy to change behavior leading to compromised security.
data ValidationHooks
ValidationHooks :: (DistinguishedName -> Certificate -> Bool) -> (DateTime -> Certificate -> [FailedReason]) -> (HostName -> Certificate -> [FailedReason]) -> ([FailedReason] -> [FailedReason]) -> ValidationHooks
-- | check whether a given issuer DistinguishedName matches the
-- subject DistinguishedName of a candidate issuer certificate.
[hookMatchSubjectIssuer] :: ValidationHooks -> DistinguishedName -> Certificate -> Bool
-- | check whether the certificate in the second argument is valid at the
-- time provided in the first argument. Return an empty list for success
-- or else one or more failure reasons.
[hookValidateTime] :: ValidationHooks -> DateTime -> Certificate -> [FailedReason]
-- | validate the certificate leaf name with the DNS named used to connect
[hookValidateName] :: ValidationHooks -> HostName -> Certificate -> [FailedReason]
-- | user filter to modify the list of failure reasons
[hookFilterReason] :: ValidationHooks -> [FailedReason] -> [FailedReason]