1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
|
{-# LANGUAGE CPP #-}
-- |
-- Module : Network.TLS
-- License : BSD-style
-- Maintainer : Vincent Hanquez <vincent@snarc.org>
-- Stability : experimental
-- Portability : unknown
--
-- Native Haskell TLS and SSL protocol implementation for server and
-- client.
--
-- This provides a high-level implementation of a sensitive security
-- protocol, eliminating a common set of security issues through the
-- use of the advanced type system, high level constructions and
-- common Haskell features.
--
-- Currently implement the SSL3.0, TLS1.0, TLS1.1, TLS1.2 and TLS 1.3
-- protocol, and support RSA and Ephemeral (Elliptic curve and
-- regular) Diffie Hellman key exchanges, and many extensions.
--
-- Some debug tools linked with tls, are available through the
-- http://hackage.haskell.org/package/tls-debug/.
module Network.TLS
(
-- * Basic APIs
Context
, contextNew
, handshake
, sendData
, recvData
, bye
-- * Exceptions
-- $exceptions
-- * Backend abstraction
, HasBackend(..)
, Backend(..)
-- * Parameters
-- intentionally hide the internal methods even haddock warns.
, TLSParams
, ClientParams(..)
, defaultParamsClient
, ServerParams(..)
-- ** Shared
, Shared(..)
-- ** Hooks
, ClientHooks(..)
, OnCertificateRequest
, OnServerCertificate
, ServerHooks(..)
, Measurement(..)
-- ** Supported
, Supported(..)
-- ** Debug parameters
, DebugParams(..)
-- * Shared parameters
-- ** Credentials
, Credentials(..)
, Credential
, credentialLoadX509
, credentialLoadX509FromMemory
, credentialLoadX509Chain
, credentialLoadX509ChainFromMemory
-- ** Session manager
, SessionManager(..)
, noSessionManager
, SessionID
, SessionData(..)
, SessionFlag(..)
, TLS13TicketInfo
-- ** Validation Cache
, ValidationCache(..)
, ValidationCacheQueryCallback
, ValidationCacheAddCallback
, ValidationCacheResult(..)
, exceptionValidationCache
-- * Types
-- ** For 'Supported'
, Version(..)
, Compression(..)
, nullCompression
, HashAndSignatureAlgorithm
, HashAlgorithm(..)
, SignatureAlgorithm(..)
, Group(..)
, EMSMode(..)
-- ** For parameters and hooks
, DHParams
, DHPublic
, GroupUsage(..)
, CertificateUsage(..)
, CertificateRejectReason(..)
, CertificateType(..)
, HostName
, MaxFragmentEnum(..)
-- * Advanced APIs
-- ** Backend
, ctxConnection
, contextFlush
, contextClose
-- ** Information gathering
, Information(..)
, contextGetInformation
, ClientRandom
, ServerRandom
, unClientRandom
, unServerRandom
, HandshakeMode13(..)
, getClientCertificateChain
-- ** Negotiated
, getNegotiatedProtocol
, getClientSNI
-- ** Post-handshake actions
, updateKey
, KeyUpdateRequest(..)
, requestCertificate
, getFinished
, getPeerFinished
-- ** Modifying hooks in context
, Hooks(..)
, contextModifyHooks
, Handshake
, contextHookSetHandshakeRecv
, Handshake13
, contextHookSetHandshake13Recv
, contextHookSetCertificateRecv
, Logging(..)
, Header(..)
, ProtocolType(..)
, contextHookSetLogging
-- * Errors and exceptions
-- ** Errors
, TLSError(..)
, KxError(..)
, AlertDescription(..)
-- ** Exceptions
, TLSException(..)
-- * Raw types
-- ** Compressions class
, CompressionC(..)
, CompressionID
-- ** Crypto Key
, PubKey(..)
, PrivKey(..)
-- ** Ciphers & Predefined ciphers
, module Network.TLS.Cipher
-- * Deprecated
, recvData'
, contextNewOnHandle
#ifdef INCLUDE_NETWORK
, contextNewOnSocket
#endif
, Bytes
, ValidationChecks(..)
, ValidationHooks(..)
) where
import Network.TLS.Backend (Backend(..), HasBackend(..))
import Network.TLS.Cipher
import Network.TLS.Compression (CompressionC(..), Compression(..), nullCompression)
import Network.TLS.Context
import Network.TLS.Core
import Network.TLS.Credentials
import Network.TLS.Crypto (KxError(..), DHParams, DHPublic, Group(..))
import Network.TLS.Handshake.State (HandshakeMode13(..))
import Network.TLS.Hooks
import Network.TLS.Measurement
import Network.TLS.Parameters
import Network.TLS.Session
import qualified Network.TLS.State as S
import Network.TLS.Struct ( TLSError(..), TLSException(..)
, HashAndSignatureAlgorithm, HashAlgorithm(..), SignatureAlgorithm(..)
, Header(..), ProtocolType(..), CertificateType(..)
, AlertDescription(..)
, ClientRandom(..), ServerRandom(..)
, Handshake)
import Network.TLS.Struct13 ( Handshake13 )
import Network.TLS.Types
import Network.TLS.X509
import Data.ByteString as B
import Data.X509 (PubKey(..), PrivKey(..))
import Data.X509.Validation hiding (HostName)
{-# DEPRECATED Bytes "Use Data.ByteString.Bytestring instead of Bytes." #-}
type Bytes = B.ByteString
-- | Getting certificates from a client, if any.
-- Note that the certificates are not sent by a client
-- on resumption even if client authentication is required.
-- So, this API would be replaced by the one which can treat
-- both cases of full-negotiation and resumption.
getClientCertificateChain :: Context -> IO (Maybe CertificateChain)
getClientCertificateChain ctx = usingState_ ctx S.getClientCertificateChain
{- $exceptions
Since 1.8.0, this library only throws exceptions of type 'TLSException'.
In the common case where the chosen backend is socket, 'IOException'
may be thrown as well. This happens because the backend for sockets,
opaque to most modules in the @tls@ library, throws those exceptions.
-}
|
