1{-# LANGUAGE CPP #-} 2-- | 3-- Module : Network.TLS 4-- License : BSD-style 5-- Maintainer : Vincent Hanquez <vincent@snarc.org> 6-- Stability : experimental 7-- Portability : unknown 8-- 9-- Native Haskell TLS and SSL protocol implementation for server and 10-- client. 11-- 12-- This provides a high-level implementation of a sensitive security 13-- protocol, eliminating a common set of security issues through the 14-- use of the advanced type system, high level constructions and 15-- common Haskell features. 16-- 17-- Currently implement the SSL3.0, TLS1.0, TLS1.1, TLS1.2 and TLS 1.3 18-- protocol, and support RSA and Ephemeral (Elliptic curve and 19-- regular) Diffie Hellman key exchanges, and many extensions. 20-- 21-- Some debug tools linked with tls, are available through the 22-- http://hackage.haskell.org/package/tls-debug/. 23 24module Network.TLS 25 ( 26 -- * Basic APIs 27 Context 28 , contextNew 29 , handshake 30 , sendData 31 , recvData 32 , bye 33 34 -- * Backend abstraction 35 , HasBackend(..) 36 , Backend(..) 37 38 -- * Parameters 39 -- intentionally hide the internal methods even haddock warns. 40 , TLSParams 41 , ClientParams(..) 42 , defaultParamsClient 43 , ServerParams(..) 44 -- ** Shared 45 , Shared(..) 46 -- ** Hooks 47 , ClientHooks(..) 48 , OnCertificateRequest 49 , OnServerCertificate 50 , ServerHooks(..) 51 , Measurement(..) 52 -- ** Supported 53 , Supported(..) 54 -- ** Debug parameters 55 , DebugParams(..) 56 57 -- * Shared parameters 58 -- ** Credentials 59 , Credentials(..) 60 , Credential 61 , credentialLoadX509 62 , credentialLoadX509FromMemory 63 , credentialLoadX509Chain 64 , credentialLoadX509ChainFromMemory 65 -- ** Session manager 66 , SessionManager(..) 67 , noSessionManager 68 , SessionID 69 , SessionData(..) 70 , SessionFlag(..) 71 , TLS13TicketInfo 72 -- ** Validation Cache 73 , ValidationCache(..) 74 , ValidationCacheQueryCallback 75 , ValidationCacheAddCallback 76 , ValidationCacheResult(..) 77 , exceptionValidationCache 78 79 -- * Types 80 -- ** For 'Supported' 81 , Version(..) 82 , Compression(..) 83 , nullCompression 84 , HashAndSignatureAlgorithm 85 , HashAlgorithm(..) 86 , SignatureAlgorithm(..) 87 , Group(..) 88 , EMSMode(..) 89 -- ** For parameters and hooks 90 , DHParams 91 , DHPublic 92 , GroupUsage(..) 93 , CertificateUsage(..) 94 , CertificateRejectReason(..) 95 , CertificateType(..) 96 , HostName 97 , MaxFragmentEnum(..) 98 99 -- * Advanced APIs 100 -- ** Backend 101 , ctxConnection 102 , contextFlush 103 , contextClose 104 -- ** Information gathering 105 , Information(..) 106 , contextGetInformation 107 , ClientRandom 108 , ServerRandom 109 , unClientRandom 110 , unServerRandom 111 , HandshakeMode13(..) 112 , getClientCertificateChain 113 -- ** Negotiated 114 , getNegotiatedProtocol 115 , getClientSNI 116 -- ** Post-handshake actions 117 , updateKey 118 , KeyUpdateRequest(..) 119 , requestCertificate 120 -- ** Modifying hooks in context 121 , Hooks(..) 122 , contextModifyHooks 123 , Handshake 124 , contextHookSetHandshakeRecv 125 , Handshake13 126 , contextHookSetHandshake13Recv 127 , contextHookSetCertificateRecv 128 , Logging(..) 129 , Header(..) 130 , ProtocolType(..) 131 , contextHookSetLogging 132 133 -- * Errors and exceptions 134 -- ** Errors 135 , TLSError(..) 136 , KxError(..) 137 , AlertDescription(..) 138 -- ** Exceptions 139 , TLSException(..) 140 141 -- * Raw types 142 -- ** Compressions class 143 , CompressionC(..) 144 , CompressionID 145 -- ** Crypto Key 146 , PubKey(..) 147 , PrivKey(..) 148 -- ** Ciphers & Predefined ciphers 149 , module Network.TLS.Cipher 150 151 -- * Deprecated 152 , recvData' 153 , contextNewOnHandle 154#ifdef INCLUDE_NETWORK 155 , contextNewOnSocket 156#endif 157 , Bytes 158 , ValidationChecks(..) 159 , ValidationHooks(..) 160 ) where 161 162import Network.TLS.Backend (Backend(..), HasBackend(..)) 163import Network.TLS.Cipher 164import Network.TLS.Compression (CompressionC(..), Compression(..), nullCompression) 165import Network.TLS.Context 166import Network.TLS.Core 167import Network.TLS.Credentials 168import Network.TLS.Crypto (KxError(..), DHParams, DHPublic, Group(..)) 169import Network.TLS.Handshake.State (HandshakeMode13(..)) 170import Network.TLS.Hooks 171import Network.TLS.Measurement 172import Network.TLS.Parameters 173import Network.TLS.Session 174import qualified Network.TLS.State as S 175import Network.TLS.Struct ( TLSError(..), TLSException(..) 176 , HashAndSignatureAlgorithm, HashAlgorithm(..), SignatureAlgorithm(..) 177 , Header(..), ProtocolType(..), CertificateType(..) 178 , AlertDescription(..) 179 , ClientRandom(..), ServerRandom(..) 180 , Handshake) 181import Network.TLS.Struct13 ( Handshake13 ) 182import Network.TLS.Types 183import Network.TLS.X509 184 185import Data.ByteString as B 186import Data.X509 (PubKey(..), PrivKey(..)) 187import Data.X509.Validation hiding (HostName) 188 189{-# DEPRECATED Bytes "Use Data.ByteString.Bytestring instead of Bytes." #-} 190type Bytes = B.ByteString 191 192-- | Getting certificates from a client, if any. 193-- Note that the certificates are not sent by a client 194-- on resumption even if client authentication is required. 195-- So, this API would be replaced by the one which can treat 196-- both cases of full-negotiation and resumption. 197getClientCertificateChain :: Context -> IO (Maybe CertificateChain) 198getClientCertificateChain ctx = usingState_ ctx S.getClientCertificateChain 199