1{-# LANGUAGE CPP #-}
2-- |
3-- Module      : Network.TLS
4-- License     : BSD-style
5-- Maintainer  : Vincent Hanquez <vincent@snarc.org>
6-- Stability   : experimental
7-- Portability : unknown
8--
9-- Native Haskell TLS and SSL protocol implementation for server and
10-- client.
11--
12-- This provides a high-level implementation of a sensitive security
13-- protocol, eliminating a common set of security issues through the
14-- use of the advanced type system, high level constructions and
15-- common Haskell features.
16--
17-- Currently implement the SSL3.0, TLS1.0, TLS1.1, TLS1.2 and TLS 1.3
18-- protocol, and support RSA and Ephemeral (Elliptic curve and
19-- regular) Diffie Hellman key exchanges, and many extensions.
20--
21-- Some debug tools linked with tls, are available through the
22-- http://hackage.haskell.org/package/tls-debug/.
23
24module Network.TLS
25    (
26    -- * Basic APIs
27      Context
28    , contextNew
29    , handshake
30    , sendData
31    , recvData
32    , bye
33
34    -- * Backend abstraction
35    , HasBackend(..)
36    , Backend(..)
37
38    -- * Parameters
39    -- intentionally hide the internal methods even haddock warns.
40    , TLSParams
41    , ClientParams(..)
42    , defaultParamsClient
43    , ServerParams(..)
44    -- ** Shared
45    , Shared(..)
46    -- ** Hooks
47    , ClientHooks(..)
48    , OnCertificateRequest
49    , OnServerCertificate
50    , ServerHooks(..)
51    , Measurement(..)
52    -- ** Supported
53    , Supported(..)
54    -- ** Debug parameters
55    , DebugParams(..)
56
57    -- * Shared parameters
58    -- ** Credentials
59    , Credentials(..)
60    , Credential
61    , credentialLoadX509
62    , credentialLoadX509FromMemory
63    , credentialLoadX509Chain
64    , credentialLoadX509ChainFromMemory
65    -- ** Session manager
66    , SessionManager(..)
67    , noSessionManager
68    , SessionID
69    , SessionData(..)
70    , SessionFlag(..)
71    , TLS13TicketInfo
72    -- ** Validation Cache
73    , ValidationCache(..)
74    , ValidationCacheQueryCallback
75    , ValidationCacheAddCallback
76    , ValidationCacheResult(..)
77    , exceptionValidationCache
78
79    -- * Types
80    -- ** For 'Supported'
81    , Version(..)
82    , Compression(..)
83    , nullCompression
84    , HashAndSignatureAlgorithm
85    , HashAlgorithm(..)
86    , SignatureAlgorithm(..)
87    , Group(..)
88    , EMSMode(..)
89    -- ** For parameters and hooks
90    , DHParams
91    , DHPublic
92    , GroupUsage(..)
93    , CertificateUsage(..)
94    , CertificateRejectReason(..)
95    , CertificateType(..)
96    , HostName
97    , MaxFragmentEnum(..)
98
99    -- * Advanced APIs
100    -- ** Backend
101    , ctxConnection
102    , contextFlush
103    , contextClose
104    -- ** Information gathering
105    , Information(..)
106    , contextGetInformation
107    , ClientRandom
108    , ServerRandom
109    , unClientRandom
110    , unServerRandom
111    , HandshakeMode13(..)
112    , getClientCertificateChain
113    -- ** Negotiated
114    , getNegotiatedProtocol
115    , getClientSNI
116    -- ** Post-handshake actions
117    , updateKey
118    , KeyUpdateRequest(..)
119    , requestCertificate
120    -- ** Modifying hooks in context
121    , Hooks(..)
122    , contextModifyHooks
123    , Handshake
124    , contextHookSetHandshakeRecv
125    , Handshake13
126    , contextHookSetHandshake13Recv
127    , contextHookSetCertificateRecv
128    , Logging(..)
129    , Header(..)
130    , ProtocolType(..)
131    , contextHookSetLogging
132
133    -- * Errors and exceptions
134    -- ** Errors
135    , TLSError(..)
136    , KxError(..)
137    , AlertDescription(..)
138    -- ** Exceptions
139    , TLSException(..)
140
141    -- * Raw types
142    -- ** Compressions class
143    , CompressionC(..)
144    , CompressionID
145    -- ** Crypto Key
146    , PubKey(..)
147    , PrivKey(..)
148    -- ** Ciphers & Predefined ciphers
149    , module Network.TLS.Cipher
150
151    -- * Deprecated
152    , recvData'
153    , contextNewOnHandle
154#ifdef INCLUDE_NETWORK
155    , contextNewOnSocket
156#endif
157    , Bytes
158    , ValidationChecks(..)
159    , ValidationHooks(..)
160    ) where
161
162import Network.TLS.Backend (Backend(..), HasBackend(..))
163import Network.TLS.Cipher
164import Network.TLS.Compression (CompressionC(..), Compression(..), nullCompression)
165import Network.TLS.Context
166import Network.TLS.Core
167import Network.TLS.Credentials
168import Network.TLS.Crypto (KxError(..), DHParams, DHPublic, Group(..))
169import Network.TLS.Handshake.State (HandshakeMode13(..))
170import Network.TLS.Hooks
171import Network.TLS.Measurement
172import Network.TLS.Parameters
173import Network.TLS.Session
174import qualified Network.TLS.State as S
175import Network.TLS.Struct ( TLSError(..), TLSException(..)
176                          , HashAndSignatureAlgorithm, HashAlgorithm(..), SignatureAlgorithm(..)
177                          , Header(..), ProtocolType(..), CertificateType(..)
178                          , AlertDescription(..)
179                          , ClientRandom(..), ServerRandom(..)
180                          , Handshake)
181import Network.TLS.Struct13 ( Handshake13 )
182import Network.TLS.Types
183import Network.TLS.X509
184
185import Data.ByteString as B
186import Data.X509 (PubKey(..), PrivKey(..))
187import Data.X509.Validation hiding (HostName)
188
189{-# DEPRECATED Bytes "Use Data.ByteString.Bytestring instead of Bytes." #-}
190type Bytes = B.ByteString
191
192-- | Getting certificates from a client, if any.
193--   Note that the certificates are not sent by a client
194--   on resumption even if client authentication is required.
195--   So, this API would be replaced by the one which can treat
196--   both cases of full-negotiation and resumption.
197getClientCertificateChain :: Context -> IO (Maybe CertificateChain)
198getClientCertificateChain ctx = usingState_ ctx S.getClientCertificateChain
199