-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/


-- | TLS/SSL protocol native implementation (Server and Client)
--   
--   Native Haskell TLS and SSL protocol implementation for server and
--   client.
--   
--   This provides a high-level implementation of a sensitive security
--   protocol, eliminating a common set of security issues through the use
--   of the advanced type system, high level constructions and common
--   Haskell features.
--   
--   Currently implement the TLS1.0, TLS1.1, TLS1.2 and TLS 1.3 protocol,
--   and support RSA and Ephemeral (Elliptic curve and regular) Diffie
--   Hellman key exchanges, and many extensions.
--   
--   Some debug tools linked with tls, are available through the
--   <a>http://hackage.haskell.org/package/tls-debug/</a>.
@package tls
@version 1.6.0


-- | Finite Field Diffie-Hellman Ephemeral Parameters defined in RFC 7919.
module Network.TLS.Extra.FFDHE

-- | 2048 bits finite field Diffie-Hellman ephemeral parameters defined in
--   RFC 7919. The estimated symmetric-equivalent strength is 103 bits.
ffdhe2048 :: DHParams

-- | 3072 bits finite field Diffie-Hellman ephemeral parameters defined in
--   RFC 7919. The estimated symmetric-equivalent strength is 125 bits.
ffdhe3072 :: DHParams

-- | 4096 bits finite field Diffie-Hellman ephemeral parameters defined in
--   RFC 7919. The estimated symmetric-equivalent strength is 150 bits.
ffdhe4096 :: DHParams

-- | 6144 bits finite field Diffie-Hellman ephemeral parameters defined in
--   RFC 7919. The estimated symmetric-equivalent strength is 175 bits.
ffdhe6144 :: DHParams

-- | 8192 bits finite field Diffie-Hellman ephemeral parameters defined in
--   RFC 7919. The estimated symmetric-equivalent strength is 192 bits.
ffdhe8192 :: DHParams


module Network.TLS.Extra.Cipher

-- | All AES and ChaCha20-Poly1305 ciphers supported ordered from strong to
--   weak. This choice of ciphersuites should satisfy most normal needs.
--   For otherwise strong ciphers we make little distinction between AES128
--   and AES256, and list each but the weakest of the AES128 ciphers ahead
--   of the corresponding AES256 ciphers.
--   
--   AEAD ciphers with equivalent security properties are ordered based on
--   CPU hardware-acceleration support. If this dynamic runtime behavior is
--   not desired, use <a>ciphersuite_default_det</a> instead.
ciphersuite_default :: [Cipher]

-- | Same as <a>ciphersuite_default</a>, but using deterministic preference
--   not influenced by the CPU.
ciphersuite_default_det :: [Cipher]

-- | The default ciphersuites + some not recommended last resort ciphers.
--   
--   AEAD ciphers with equivalent security properties are ordered based on
--   CPU hardware-acceleration support. If this dynamic runtime behavior is
--   not desired, use <a>ciphersuite_all_det</a> instead.

-- | <i>Warning: This ciphersuite list contains RC4. Use ciphersuite_strong
--   or ciphersuite_default instead.</i>
ciphersuite_all :: [Cipher]

-- | Same as <a>ciphersuite_all</a>, but using deterministic preference not
--   influenced by the CPU.

-- | <i>Warning: This ciphersuite list contains RC4. Use
--   ciphersuite_strong_det or ciphersuite_default_det instead.</i>
ciphersuite_all_det :: [Cipher]

-- | list of medium ciphers.

-- | <i>Deprecated: Use ciphersuite_strong or ciphersuite_default
--   instead.</i>
ciphersuite_medium :: [Cipher]

-- | The strongest ciphers supported. For ciphers with PFS, AEAD and SHA2,
--   we list each AES128 variant after the corresponding AES256 and
--   ChaCha20-Poly1305 variants. For weaker constructs, we use just the
--   AES256 form.
--   
--   AEAD ciphers with equivalent security properties are ordered based on
--   CPU hardware-acceleration support. If this dynamic runtime behavior is
--   not desired, use <a>ciphersuite_strong_det</a> instead.
ciphersuite_strong :: [Cipher]

-- | Same as <a>ciphersuite_strong</a>, but using deterministic preference
--   not influenced by the CPU.
ciphersuite_strong_det :: [Cipher]

-- | all unencrypted ciphers, do not use on insecure network.
ciphersuite_unencrypted :: [Cipher]

-- | DHE-RSA cipher suite. This only includes ciphers bound specifically to
--   DHE-RSA so TLS 1.3 ciphers must be added separately.
ciphersuite_dhe_rsa :: [Cipher]
ciphersuite_dhe_dss :: [Cipher]

-- | unencrypted cipher using RSA for key exchange and SHA1 for digest
cipher_null_SHA1 :: Cipher

-- | AES cipher (128 bit key), RSA key exchange and SHA1 for digest
cipher_AES128_SHA1 :: Cipher

-- | AES cipher (256 bit key), RSA key exchange and SHA1 for digest
cipher_AES256_SHA1 :: Cipher

-- | AES cipher (128 bit key), RSA key exchange and SHA256 for digest
cipher_AES128_SHA256 :: Cipher

-- | AES cipher (256 bit key), RSA key exchange and SHA256 for digest
cipher_AES256_SHA256 :: Cipher

-- | AESCCM cipher (128 bit key), RSA key exchange. The SHA256 digest is
--   used as a PRF, not as a MAC.
cipher_AES128CCM_SHA256 :: Cipher

-- | AESCCM8 cipher (128 bit key), RSA key exchange. The SHA256 digest is
--   used as a PRF, not as a MAC.
cipher_AES128CCM8_SHA256 :: Cipher

-- | AESGCM cipher (128 bit key), RSA key exchange. The SHA256 digest is
--   used as a PRF, not as a MAC.
cipher_AES128GCM_SHA256 :: Cipher

-- | AESCCM cipher (256 bit key), RSA key exchange. The SHA256 digest is
--   used as a PRF, not as a MAC.
cipher_AES256CCM_SHA256 :: Cipher

-- | AESCCM8 cipher (256 bit key), RSA key exchange. The SHA256 digest is
--   used as a PRF, not as a MAC.
cipher_AES256CCM8_SHA256 :: Cipher

-- | AESGCM cipher (256 bit key), RSA key exchange. The SHA384 digest is
--   used as a PRF, not as a MAC.
cipher_AES256GCM_SHA384 :: Cipher

-- | AES cipher (128 bit key), DHE key exchanged signed by RSA and SHA1 for
--   digest
cipher_DHE_RSA_AES128_SHA1 :: Cipher

-- | AES cipher (256 bit key), DHE key exchanged signed by RSA and SHA1 for
--   digest
cipher_DHE_RSA_AES256_SHA1 :: Cipher
cipher_DHE_RSA_AES128_SHA256 :: Cipher
cipher_DHE_RSA_AES256_SHA256 :: Cipher

-- | AES cipher (128 bit key), DHE key exchanged signed by DSA and SHA1 for
--   digest
cipher_DHE_DSS_AES128_SHA1 :: Cipher

-- | AES cipher (256 bit key), DHE key exchanged signed by DSA and SHA1 for
--   digest
cipher_DHE_DSS_AES256_SHA1 :: Cipher
cipher_DHE_RSA_AES128CCM_SHA256 :: Cipher
cipher_DHE_RSA_AES128CCM8_SHA256 :: Cipher
cipher_DHE_RSA_AES128GCM_SHA256 :: Cipher
cipher_DHE_RSA_AES256CCM_SHA256 :: Cipher
cipher_DHE_RSA_AES256CCM8_SHA256 :: Cipher
cipher_DHE_RSA_AES256GCM_SHA384 :: Cipher
cipher_DHE_RSA_CHACHA20POLY1305_SHA256 :: Cipher
cipher_ECDHE_RSA_AES128GCM_SHA256 :: Cipher
cipher_ECDHE_RSA_AES256GCM_SHA384 :: Cipher
cipher_ECDHE_RSA_AES128CBC_SHA256 :: Cipher
cipher_ECDHE_RSA_AES128CBC_SHA :: Cipher
cipher_ECDHE_RSA_AES256CBC_SHA :: Cipher
cipher_ECDHE_RSA_AES256CBC_SHA384 :: Cipher
cipher_ECDHE_RSA_CHACHA20POLY1305_SHA256 :: Cipher
cipher_ECDHE_ECDSA_AES128CBC_SHA :: Cipher
cipher_ECDHE_ECDSA_AES256CBC_SHA :: Cipher
cipher_ECDHE_ECDSA_AES128CBC_SHA256 :: Cipher
cipher_ECDHE_ECDSA_AES256CBC_SHA384 :: Cipher
cipher_ECDHE_ECDSA_AES128CCM_SHA256 :: Cipher
cipher_ECDHE_ECDSA_AES128CCM8_SHA256 :: Cipher
cipher_ECDHE_ECDSA_AES128GCM_SHA256 :: Cipher
cipher_ECDHE_ECDSA_AES256CCM_SHA256 :: Cipher
cipher_ECDHE_ECDSA_AES256CCM8_SHA256 :: Cipher
cipher_ECDHE_ECDSA_AES256GCM_SHA384 :: Cipher
cipher_ECDHE_ECDSA_CHACHA20POLY1305_SHA256 :: Cipher
cipher_TLS13_AES128GCM_SHA256 :: Cipher
cipher_TLS13_AES256GCM_SHA384 :: Cipher
cipher_TLS13_CHACHA20POLY1305_SHA256 :: Cipher
cipher_TLS13_AES128CCM_SHA256 :: Cipher
cipher_TLS13_AES128CCM8_SHA256 :: Cipher

-- | 3DES cipher (168 bit key), RSA key exchange and SHA1 for digest
cipher_RSA_3DES_EDE_CBC_SHA1 :: Cipher

-- | RC4 cipher, RSA key exchange and MD5 for digest
cipher_RC4_128_MD5 :: Cipher

-- | RC4 cipher, RSA key exchange and SHA1 for digest
cipher_RC4_128_SHA1 :: Cipher

-- | unencrypted cipher using RSA for key exchange and MD5 for digest
cipher_null_MD5 :: Cipher
cipher_DHE_DSS_RC4_SHA1 :: Cipher


-- | default values and ciphers
module Network.TLS.Extra


-- | Experimental API to run the TLS handshake establishing a QUIC
--   connection.
--   
--   On the northbound API:
--   
--   <ul>
--   <li>QUIC starts a TLS client or server thread with
--   <a>tlsQUICClient</a> or <a>tlsQUICServer</a>.</li>
--   </ul>
--   
--   TLS invokes QUIC callbacks to use the QUIC transport
--   
--   <ul>
--   <li>TLS uses <a>quicSend</a> and <a>quicRecv</a> to send and receive
--   handshake message fragments.</li>
--   <li>TLS calls <a>quicInstallKeys</a> to provide to QUIC the traffic
--   secrets it should use for encryption/decryption.</li>
--   <li>TLS calls <a>quicNotifyExtensions</a> to notify to QUIC the
--   transport parameters exchanged through the handshake protocol.</li>
--   <li>TLS calls <a>quicDone</a> when the handshake is done.</li>
--   </ul>
module Network.TLS.QUIC

-- | Start a TLS handshake thread for a QUIC client. The client will use
--   the specified TLS parameters and call the provided callback functions
--   to send and receive handshake data.
tlsQUICClient :: ClientParams -> QUICCallbacks -> IO ()

-- | Start a TLS handshake thread for a QUIC server. The server will use
--   the specified TLS parameters and call the provided callback functions
--   to send and receive handshake data.
tlsQUICServer :: ServerParams -> QUICCallbacks -> IO ()

-- | Callbacks implemented by QUIC and to be called by TLS at specific
--   points during the handshake. TLS may invoke them from external threads
--   but calls are not concurrent. Only a single callback function is
--   called at a given point in time.
data QUICCallbacks
QUICCallbacks :: ([(CryptLevel, ByteString)] -> IO ()) -> (CryptLevel -> IO (Either TLSError ByteString)) -> (Context -> KeyScheduleEvent -> IO ()) -> (Context -> [ExtensionRaw] -> IO ()) -> (Context -> IO ()) -> QUICCallbacks

-- | Called by TLS so that QUIC sends one or more handshake fragments. The
--   content transiting on this API is the plaintext of the fragments and
--   QUIC responsability is to encrypt this payload with the key material
--   given for the specified level and an appropriate encryption scheme.
--   
--   The size of the fragments may exceed QUIC datagram limits so QUIC may
--   break them into smaller fragments.
--   
--   The handshake protocol sometimes combines content at two levels in a
--   single flight. The TLS library does its best to provide this in the
--   same <tt>quicSend</tt> call and with a multi-valued argument. QUIC can
--   then decide how to transmit this optimally.
[quicSend] :: QUICCallbacks -> [(CryptLevel, ByteString)] -> IO ()

-- | Called by TLS to receive from QUIC the next plaintext handshake
--   fragment. The argument specifies with which encryption level the
--   fragment should be decrypted.
--   
--   QUIC may return partial fragments to TLS. TLS will then call
--   <tt>quicRecv</tt> again as long as necessary. Note however that
--   fragments must be returned in the correct sequence, i.e. the order the
--   TLS peer emitted them.
--   
--   The function may return an error to TLS if end of stream is reached or
--   if a protocol error has been received, believing the handshake cannot
--   proceed any longer. If the TLS handshake protocol cannot recover from
--   this error, the failure condition will be reported back to QUIC
--   through the control interface.
[quicRecv] :: QUICCallbacks -> CryptLevel -> IO (Either TLSError ByteString)

-- | Called by TLS when new encryption material is ready to be used in the
--   handshake. The next <a>quicSend</a> or <a>quicRecv</a> may now use the
--   associated encryption level (although the previous level is also
--   possible: directions Send/Recv do not change at the same time).
[quicInstallKeys] :: QUICCallbacks -> Context -> KeyScheduleEvent -> IO ()

-- | Called by TLS when QUIC-specific extensions have been received from
--   the peer.
[quicNotifyExtensions] :: QUICCallbacks -> Context -> [ExtensionRaw] -> IO ()

-- | Called when <a>handshake</a> is done. <a>tlsQUICServer</a> is finished
--   after calling this hook. <a>tlsQUICClient</a> calls <a>recvData</a>
--   after calling this hook to wait for new session tickets.
[quicDone] :: QUICCallbacks -> Context -> IO ()

-- | TLS encryption level.
data CryptLevel

-- | Unprotected traffic
CryptInitial :: CryptLevel

-- | Protected with master secret (TLS &lt; 1.3)
CryptMasterSecret :: CryptLevel

-- | Protected with early traffic secret (TLS 1.3)
CryptEarlySecret :: CryptLevel

-- | Protected with handshake traffic secret (TLS 1.3)
CryptHandshakeSecret :: CryptLevel

-- | Protected with application traffic secret (TLS 1.3)
CryptApplicationSecret :: CryptLevel

-- | Argument given to <a>quicInstallKeys</a> when encryption material is
--   available.
data KeyScheduleEvent

-- | Key material and parameters for traffic at 0-RTT level
InstallEarlyKeys :: Maybe EarlySecretInfo -> KeyScheduleEvent

-- | Key material and parameters for traffic at handshake level
InstallHandshakeKeys :: HandshakeSecretInfo -> KeyScheduleEvent

-- | Key material and parameters for traffic at application level
InstallApplicationKeys :: ApplicationSecretInfo -> KeyScheduleEvent

-- | Handshake information generated for traffic at 0-RTT level.
data EarlySecretInfo
EarlySecretInfo :: Cipher -> ClientTrafficSecret EarlySecret -> EarlySecretInfo

-- | Handshake information generated for traffic at handshake level.
data HandshakeSecretInfo
HandshakeSecretInfo :: Cipher -> TrafficSecrets HandshakeSecret -> HandshakeSecretInfo

-- | Handshake information generated for traffic at application level.
newtype ApplicationSecretInfo
ApplicationSecretInfo :: TrafficSecrets ApplicationSecret -> ApplicationSecretInfo

-- | Phantom type indicating early traffic secret.
data EarlySecret

-- | Phantom type indicating handshake traffic secrets.
data HandshakeSecret

-- | Phantom type indicating application traffic secrets.
data ApplicationSecret

-- | Hold both client and server traffic secrets at the same step.
type TrafficSecrets a = (ClientTrafficSecret a, ServerTrafficSecret a)

-- | A server traffic secret, typed with a parameter indicating a step in
--   the TLS key schedule.
newtype ServerTrafficSecret a
ServerTrafficSecret :: ByteString -> ServerTrafficSecret a

-- | A client traffic secret, typed with a parameter indicating a step in
--   the TLS key schedule.
newtype ClientTrafficSecret a
ClientTrafficSecret :: ByteString -> ClientTrafficSecret a

-- | ID of the application-level protocol negotiated between client and
--   server. See values listed in the <a>IANA registry</a>.
type NegotiatedProtocol = ByteString

-- | Type to show which handshake mode is used in TLS 1.3.
data HandshakeMode13

-- | Full handshake is used.
FullHandshake :: HandshakeMode13

-- | Full handshake is used with hello retry request.
HelloRetryRequest :: HandshakeMode13

-- | Server authentication is skipped.
PreSharedKey :: HandshakeMode13

-- | Server authentication is skipped and early data is sent.
RTT0 :: HandshakeMode13

-- | The raw content of a TLS extension.
data ExtensionRaw
ExtensionRaw :: ExtensionID -> ByteString -> ExtensionRaw

-- | Identifier of a TLS extension.
type ExtensionID = Word16
extensionID_QuicTransportParameters :: ExtensionID

-- | Can be used by callbacks to signal an unexpected condition. This will
--   then generate an "internal_error" alert in the TLS stack.
errorTLS :: String -> IO a

-- | Return the alert that a TLS endpoint would send to the peer for the
--   specified library error.
errorToAlertDescription :: TLSError -> AlertDescription

-- | Return the message that a TLS endpoint can add to its local log for
--   the specified library error.
errorToAlertMessage :: TLSError -> String

-- | Encode an alert to the assigned value.
fromAlertDescription :: AlertDescription -> Word8

-- | Decode an alert from the assigned value.
toAlertDescription :: Word8 -> Maybe AlertDescription

-- | <tt>HKDF-Expand-Label</tt> function. Returns output keying material of
--   the specified length from the PRK, customized for a TLS label and
--   context.
hkdfExpandLabel :: Hash -> ByteString -> ByteString -> ByteString -> Int -> ByteString

-- | <tt>HKDF-Extract</tt> function. Returns the pseudorandom key (PRK)
--   from salt and input keying material (IKM).
hkdfExtract :: Hash -> ByteString -> ByteString -> ByteString

-- | Digest size in bytes.
hashDigestSize :: Hash -> Int

-- | Max early data size for QUIC.
quicMaxEarlyDataSize :: Int
defaultSupported :: Supported


-- | Native Haskell TLS and SSL protocol implementation for server and
--   client.
--   
--   This provides a high-level implementation of a sensitive security
--   protocol, eliminating a common set of security issues through the use
--   of the advanced type system, high level constructions and common
--   Haskell features.
--   
--   Currently implement the SSL3.0, TLS1.0, TLS1.1, TLS1.2 and TLS 1.3
--   protocol, and support RSA and Ephemeral (Elliptic curve and regular)
--   Diffie Hellman key exchanges, and many extensions.
--   
--   Some debug tools linked with tls, are available through the
--   <a>http://hackage.haskell.org/package/tls-debug/</a>.
module Network.TLS

-- | A TLS Context keep tls specific state, parameters and backend
--   information.
data Context

-- | create a new context using the backend and parameters specified.
contextNew :: (MonadIO m, HasBackend backend, TLSParams params) => backend -> params -> m Context

-- | Handshake for a new TLS connection This is to be called at the
--   beginning of a connection, and during renegotiation
handshake :: MonadIO m => Context -> m ()

-- | sendData sends a bunch of data. It will automatically chunk data to
--   acceptable packet size
sendData :: MonadIO m => Context -> ByteString -> m ()

-- | Get data out of Data packet, and automatically renegotiate if a
--   Handshake ClientHello is received. An empty result means EOF.
recvData :: MonadIO m => Context -> m ByteString

-- | notify the context that this side wants to close connection. this is
--   important that it is called before closing the handle, otherwise the
--   session might not be resumable (for version &lt; TLS1.2).
--   
--   this doesn't actually close the handle
bye :: MonadIO m => Context -> m ()
class HasBackend a
initializeBackend :: HasBackend a => a -> IO ()
getBackend :: HasBackend a => a -> Backend

-- | Connection IO backend
data Backend
Backend :: IO () -> IO () -> (ByteString -> IO ()) -> (Int -> IO ByteString) -> Backend

-- | Flush the connection sending buffer, if any.
[backendFlush] :: Backend -> IO ()

-- | Close the connection.
[backendClose] :: Backend -> IO ()

-- | Send a bytestring through the connection.
[backendSend] :: Backend -> ByteString -> IO ()

-- | Receive specified number of bytes from the connection.
[backendRecv] :: Backend -> Int -> IO ByteString
class TLSParams a
data ClientParams
ClientParams :: Maybe MaxFragmentEnum -> (HostName, ByteString) -> Bool -> Maybe (SessionID, SessionData) -> Shared -> ClientHooks -> Supported -> DebugParams -> Maybe ByteString -> ClientParams

-- | Default: <a>Nothing</a>
[clientUseMaxFragmentLength] :: ClientParams -> Maybe MaxFragmentEnum

-- | Define the name of the server, along with an extra service
--   identification blob. this is important that the hostname part is
--   properly filled for security reason, as it allow to properly associate
--   the remote side with the given certificate during a handshake.
--   
--   The extra blob is useful to differentiate services running on the same
--   host, but that might have different certificates given. It's only used
--   as part of the X509 validation infrastructure.
--   
--   This value is typically set by <a>defaultParamsClient</a>.
[clientServerIdentification] :: ClientParams -> (HostName, ByteString)

-- | Allow the use of the Server Name Indication TLS extension during
--   handshake, which allow the client to specify which host name, it's
--   trying to access. This is useful to distinguish CNAME aliasing (e.g.
--   web virtual host).
--   
--   Default: <a>True</a>
[clientUseServerNameIndication] :: ClientParams -> Bool

-- | try to establish a connection using this session.
--   
--   Default: <a>Nothing</a>
[clientWantSessionResume] :: ClientParams -> Maybe (SessionID, SessionData)

-- | See the default value of <a>Shared</a>.
[clientShared] :: ClientParams -> Shared

-- | See the default value of <a>ClientHooks</a>.
[clientHooks] :: ClientParams -> ClientHooks

-- | In this element, you'll need to override the default empty value of of
--   <a>supportedCiphers</a> with a suitable cipherlist.
--   
--   See the default value of <a>Supported</a>.
[clientSupported] :: ClientParams -> Supported

-- | See the default value of <a>DebugParams</a>.
[clientDebug] :: ClientParams -> DebugParams

-- | Client tries to send this early data in TLS 1.3 if possible. If not
--   accepted by the server, it is application's responsibility to re-sent
--   it.
--   
--   Default: <a>Nothing</a>
[clientEarlyData] :: ClientParams -> Maybe ByteString
defaultParamsClient :: HostName -> ByteString -> ClientParams
data ServerParams
ServerParams :: Bool -> [SignedCertificate] -> Maybe DHParams -> ServerHooks -> Shared -> Supported -> DebugParams -> Int -> Int -> ServerParams

-- | Request a certificate from client.
--   
--   Default: <a>False</a>
[serverWantClientCert] :: ServerParams -> Bool

-- | This is a list of certificates from which the disinguished names are
--   sent in certificate request messages. For TLS1.0, it should not be
--   empty.
--   
--   Default: '[]'
[serverCACertificates] :: ServerParams -> [SignedCertificate]

-- | Server Optional Diffie Hellman parameters. Setting parameters is
--   necessary for FFDHE key exchange when clients are not compatible with
--   RFC 7919.
--   
--   Value can be one of the standardized groups from module
--   <a>Network.TLS.Extra.FFDHE</a> or custom parameters generated with
--   <a>generateParams</a>.
--   
--   Default: <a>Nothing</a>
[serverDHEParams] :: ServerParams -> Maybe DHParams

-- | See the default value of <a>ServerHooks</a>.
[serverHooks] :: ServerParams -> ServerHooks

-- | See the default value of <a>Shared</a>.
[serverShared] :: ServerParams -> Shared

-- | See the default value of <a>Supported</a>.
[serverSupported] :: ServerParams -> Supported

-- | See the default value of <a>DebugParams</a>.
[serverDebug] :: ServerParams -> DebugParams

-- | Server accepts this size of early data in TLS 1.3. 0 (or lower) means
--   that the server does not accept early data.
--   
--   Default: 0
[serverEarlyDataSize] :: ServerParams -> Int

-- | Lifetime in seconds for session tickets generated by the server.
--   Acceptable value range is 0 to 604800 (7 days). The default lifetime
--   is 86400 seconds (1 day).
--   
--   Default: 86400 (one day)
[serverTicketLifetime] :: ServerParams -> Int

-- | Parameters that are common to clients and servers.
data Shared
Shared :: Credentials -> SessionManager -> CertificateStore -> ValidationCache -> [ExtensionRaw] -> Shared

-- | The list of certificates and private keys that a server will use as
--   part of authentication to clients. Actual credentials that are used
--   are selected dynamically from this list based on client capabilities.
--   Additional credentials returned by <a>onServerNameIndication</a> are
--   also considered.
--   
--   When credential list is left empty (the default value), no key
--   exchange can take place.
--   
--   Default: <a>mempty</a>
[sharedCredentials] :: Shared -> Credentials

-- | Callbacks used by clients and servers in order to resume TLS sessions.
--   The default implementation never resumes sessions. Package
--   <a>tls-session-manager</a> provides an in-memory implementation.
--   
--   Default: <a>noSessionManager</a>
[sharedSessionManager] :: Shared -> SessionManager

-- | A collection of trust anchors to be used by a client as part of
--   validation of server certificates. This is set as first argument to
--   function <a>onServerCertificate</a>. Package <a>x509-system</a> gives
--   access to a default certificate store configured in the system.
--   
--   Default: <a>mempty</a>
[sharedCAStore] :: Shared -> CertificateStore

-- | Callbacks that may be used by a client to cache certificate validation
--   results (positive or negative) and avoid expensive signature check.
--   The default implementation does not have any caching.
--   
--   See the default value of <a>ValidationCache</a>.
[sharedValidationCache] :: Shared -> ValidationCache

-- | Additional extensions to be sent during the Hello sequence.
--   
--   For a client this is always included in message ClientHello. For a
--   server, this is sent in messages ServerHello or EncryptedExtensions
--   based on the TLS version.
--   
--   Default: <tt>[]</tt>
[sharedHelloExtensions] :: Shared -> [ExtensionRaw]

-- | A set of callbacks run by the clients for various corners of TLS
--   establishment
data ClientHooks
ClientHooks :: OnCertificateRequest -> OnServerCertificate -> IO (Maybe [ByteString]) -> (DHParams -> DHPublic -> IO GroupUsage) -> ClientHooks

-- | This action is called when the a certificate request is received from
--   the server. The callback argument is the information from the request.
--   The server, at its discretion, may be willing to continue the
--   handshake without a client certificate. Therefore, the callback is
--   free to return <a>Nothing</a> to indicate that no client certificate
--   should be sent, despite the server's request. In some cases it may be
--   appropriate to get user consent before sending the certificate; the
--   content of the user's certificate may be sensitive and intended only
--   for specific servers.
--   
--   The action should select a certificate chain of one of the given
--   certificate types and one of the certificates in the chain should (if
--   possible) be signed by one of the given distinguished names. Some
--   servers, that don't have a narrow set of preferred issuer CAs, will
--   send an empty <a>DistinguishedName</a> list, rather than send all the
--   names from their trusted CA bundle. If the client does not have a
--   certificate chaining to a matching CA, it may choose a default
--   certificate instead.
--   
--   Each certificate except the last should be signed by the following
--   one. The returned private key must be for the first certificates in
--   the chain. This key will be used to signing the certificate verify
--   message.
--   
--   The public key in the first certificate, and the matching returned
--   private key must be compatible with one of the list of
--   <a>HashAndSignatureAlgorithm</a> value when provided. TLS 1.3 changes
--   the meaning of the list elements, adding explicit code points for each
--   supported pair of hash and signature (public key) algorithms, rather
--   than combining separate codes for the hash and key. For details see
--   <a>RFC 8446</a> section 4.2.3. When no compatible certificate chain is
--   available, return <a>Nothing</a> if it is OK to continue without a
--   client certificate. Returning a non-matching certificate should result
--   in a handshake failure.
--   
--   While the TLS version is not provided to the callback, the content of
--   the <tt>signature_algorithms</tt> list provides a strong hint, since
--   TLS 1.3 servers will generally list RSA pairs with a hash component of
--   <tt>Intrinsic</tt> (<tt>0x08</tt>).
--   
--   Note that is is the responsibility of this action to select a
--   certificate matching one of the requested certificate types (public
--   key algorithms). Returning a non-matching one will lead to handshake
--   failure later.
--   
--   Default: returns <a>Nothing</a> anyway.
[onCertificateRequest] :: ClientHooks -> OnCertificateRequest

-- | Used by the client to validate the server certificate. The default
--   implementation calls <a>validateDefault</a> which validates according
--   to the default hooks and checks provided by
--   <a>Data.X509.Validation</a>. This can be replaced with a custom
--   validation function using different settings.
--   
--   The function is not expected to verify the key-usage extension of the
--   end-entity certificate, as this depends on the dynamically-selected
--   cipher and this part should not be cached. Key-usage verification is
--   performed by the library internally.
--   
--   Default: <a>validateDefault</a>
[onServerCertificate] :: ClientHooks -> OnServerCertificate

-- | This action is called when the client sends ClientHello to determine
--   ALPN values such as '["h2", "http/1.1"]'.
--   
--   Default: returns <a>Nothing</a>
[onSuggestALPN] :: ClientHooks -> IO (Maybe [ByteString])

-- | This action is called to validate DHE parameters when the server
--   selected a finite-field group not part of the "Supported Groups
--   Registry" or not part of <a>supportedGroups</a> list.
--   
--   With TLS 1.3 custom groups have been removed from the protocol, so
--   this callback is only used when the version negotiated is 1.2 or
--   below.
--   
--   The default behavior with (dh_p, dh_g, dh_size) and pub as follows:
--   
--   <ol>
--   <li>rejecting if dh_p is even</li>
--   <li>rejecting unless 1 &lt; dh_g &amp;&amp; dh_g &lt; dh_p - 1</li>
--   <li>rejecting unless 1 &lt; dh_p &amp;&amp; pub &lt; dh_p - 1</li>
--   <li>rejecting if dh_size &lt; 1024 (to prevent Logjam attack)</li>
--   </ol>
--   
--   See RFC 7919 section 3.1 for recommandations.
[onCustomFFDHEGroup] :: ClientHooks -> DHParams -> DHPublic -> IO GroupUsage

-- | Type for <a>onCertificateRequest</a>. This type synonym is to make
--   document readable.
type OnCertificateRequest = ([CertificateType], Maybe [HashAndSignatureAlgorithm], [DistinguishedName]) -> IO (Maybe (CertificateChain, PrivKey))

-- | Type for <a>onServerCertificate</a>. This type synonym is to make
--   document readable.
type OnServerCertificate = CertificateStore -> ValidationCache -> ServiceID -> CertificateChain -> IO [FailedReason]

-- | A set of callbacks run by the server for various corners of the TLS
--   establishment
data ServerHooks
ServerHooks :: (CertificateChain -> IO CertificateUsage) -> IO Bool -> (Version -> [Cipher] -> Cipher) -> (Maybe HostName -> IO Credentials) -> (Measurement -> IO Bool) -> Maybe ([ByteString] -> IO ByteString) -> ([ExtensionRaw] -> IO [ExtensionRaw]) -> ServerHooks

-- | This action is called when a client certificate chain is received from
--   the client. When it returns a CertificateUsageReject value, the
--   handshake is aborted.
--   
--   The function is not expected to verify the key-usage extension of the
--   certificate. This verification is performed by the library internally.
--   
--   Default: returns the followings:
--   
--   <pre>
--   CertificateUsageReject (CertificateRejectOther "no client certificates expected")
--   </pre>
[onClientCertificate] :: ServerHooks -> CertificateChain -> IO CertificateUsage

-- | This action is called when the client certificate cannot be verified.
--   Return <a>True</a> to accept the certificate anyway, or <a>False</a>
--   to fail verification.
--   
--   Default: returns <a>False</a>
[onUnverifiedClientCert] :: ServerHooks -> IO Bool

-- | Allow the server to choose the cipher relative to the the client
--   version and the client list of ciphers.
--   
--   This could be useful with old clients and as a workaround to the BEAST
--   (where RC4 is sometimes prefered with TLS &lt; 1.1)
--   
--   The client cipher list cannot be empty.
--   
--   Default: taking the head of ciphers.
[onCipherChoosing] :: ServerHooks -> Version -> [Cipher] -> Cipher

-- | Allow the server to indicate additional credentials to be used
--   depending on the host name indicated by the client.
--   
--   This is most useful for transparent proxies where credentials must be
--   generated on the fly according to the host the client is trying to
--   connect to.
--   
--   Returned credentials may be ignored if a client does not support the
--   signature algorithms used in the certificate chain.
--   
--   Default: returns <a>mempty</a>
[onServerNameIndication] :: ServerHooks -> Maybe HostName -> IO Credentials

-- | At each new handshake, we call this hook to see if we allow handshake
--   to happens.
--   
--   Default: returns <a>True</a>
[onNewHandshake] :: ServerHooks -> Measurement -> IO Bool

-- | Allow the server to choose an application layer protocol suggested
--   from the client through the ALPN (Application Layer Protocol
--   Negotiation) extensions. If the server supports no protocols that the
--   client advertises an empty <a>ByteString</a> should be returned.
--   
--   Default: <a>Nothing</a>
[onALPNClientSuggest] :: ServerHooks -> Maybe ([ByteString] -> IO ByteString)

-- | Allow to modify extensions to be sent in EncryptedExtensions of TLS
--   1.3.
--   
--   Default: 'return . id'
[onEncryptedExtensionsCreating] :: ServerHooks -> [ExtensionRaw] -> IO [ExtensionRaw]

-- | record some data about this connection.
data Measurement
Measurement :: !Word32 -> !Word32 -> !Word32 -> Measurement

-- | number of handshakes on this context
[nbHandshakes] :: Measurement -> !Word32

-- | bytes received since last handshake
[bytesReceived] :: Measurement -> !Word32

-- | bytes sent since last handshake
[bytesSent] :: Measurement -> !Word32

-- | List all the supported algorithms, versions, ciphers, etc supported.
data Supported
Supported :: [Version] -> [Cipher] -> [Compression] -> [HashAndSignatureAlgorithm] -> Bool -> Bool -> EMSMode -> Bool -> Bool -> Bool -> [Group] -> Supported

-- | Supported versions by this context. On the client side, the highest
--   version will be used to establish the connection. On the server side,
--   the highest version that is less or equal than the client version will
--   be chosen.
--   
--   Versions should be listed in preference order, i.e. higher versions
--   first.
--   
--   Default: <tt>[TLS13,TLS12,TLS11,TLS10]</tt>
[supportedVersions] :: Supported -> [Version]

-- | Supported cipher methods. The default is empty, specify a suitable
--   cipher list. <a>ciphersuite_default</a> is often a good choice.
--   
--   Default: <tt>[]</tt>
[supportedCiphers] :: Supported -> [Cipher]

-- | Supported compressions methods. By default only the "null" compression
--   is supported, which means no compression will be performed. Allowing
--   other compression method is not advised as it causes a connection
--   failure when TLS 1.3 is negotiated.
--   
--   Default: <tt>[nullCompression]</tt>
[supportedCompressions] :: Supported -> [Compression]

-- | All supported hash/signature algorithms pair for client certificate
--   verification and server signature in (EC)DHE, ordered by decreasing
--   priority.
--   
--   This list is sent to the peer as part of the "signature_algorithms"
--   extension. It is used to restrict accepted signatures received from
--   the peer at TLS level (not in X.509 certificates), but only when the
--   TLS version is 1.2 or above. In order to disable SHA-1 one must then
--   also disable earlier protocol versions in <a>supportedVersions</a>.
--   
--   The list also impacts the selection of possible algorithms when
--   generating signatures.
--   
--   Note: with TLS 1.3 some algorithms have been deprecated and will not
--   be used even when listed in the parameter: MD5, SHA-1, SHA-224, RSA
--   PKCS#1, DSS.
--   
--   Default:
--   
--   <pre>
--   [ (HashIntrinsic,     SignatureEd448)
--   , (HashIntrinsic,     SignatureEd25519)
--   , (Struct.HashSHA256, SignatureECDSA)
--   , (Struct.HashSHA384, SignatureECDSA)
--   , (Struct.HashSHA512, SignatureECDSA)
--   , (HashIntrinsic,     SignatureRSApssRSAeSHA512)
--   , (HashIntrinsic,     SignatureRSApssRSAeSHA384)
--   , (HashIntrinsic,     SignatureRSApssRSAeSHA256)
--   , (Struct.HashSHA512, SignatureRSA)
--   , (Struct.HashSHA384, SignatureRSA)
--   , (Struct.HashSHA256, SignatureRSA)
--   , (Struct.HashSHA1,   SignatureRSA)
--   , (Struct.HashSHA1,   SignatureDSS)
--   ]
--   </pre>
[supportedHashSignatures] :: Supported -> [HashAndSignatureAlgorithm]

-- | Secure renegotiation defined in RFC5746. If <a>True</a>, clients send
--   the renegotiation_info extension. If <a>True</a>, servers handle the
--   extension or the renegotiation SCSV then send the renegotiation_info
--   extension.
--   
--   Default: <a>True</a>
[supportedSecureRenegotiation] :: Supported -> Bool

-- | If <a>True</a>, renegotiation is allowed from the client side. This is
--   vulnerable to DOS attacks. If <a>False</a>, renegotiation is allowed
--   only from the server side via HelloRequest.
--   
--   Default: <a>False</a>
[supportedClientInitiatedRenegotiation] :: Supported -> Bool

-- | The mode regarding extended master secret. Enabling this extension
--   provides better security for TLS versions 1.0 to 1.2. TLS 1.3 provides
--   the security properties natively and does not need the extension.
--   
--   By default the extension is enabled but not required. If mode is set
--   to <a>RequireEMS</a>, the handshake will fail when the peer does not
--   support the extension. It is also advised to disable SSLv3 which does
--   not have this mechanism.
--   
--   Default: <a>AllowEMS</a>
[supportedExtendedMasterSec] :: Supported -> EMSMode

-- | Set if we support session.
--   
--   Default: <a>True</a>
[supportedSession] :: Supported -> Bool

-- | Support for fallback SCSV defined in RFC7507. If <a>True</a>, servers
--   reject handshakes which suggest a lower protocol than the highest
--   protocol supported.
--   
--   Default: <a>True</a>
[supportedFallbackScsv] :: Supported -> Bool

-- | In ver &lt;= TLS1.0, block ciphers using CBC are using CBC residue as
--   IV, which can be guessed by an attacker. Hence, an empty packet is
--   normally sent before a normal data packet, to prevent guessability.
--   Some Microsoft TLS-based protocol implementations, however, consider
--   these empty packets as a protocol violation and disconnect. If this
--   parameter is <a>False</a>, empty packets will never be added, which is
--   less secure, but might help in rare cases.
--   
--   Default: <a>True</a>
[supportedEmptyPacket] :: Supported -> Bool

-- | A list of supported elliptic curves and finite-field groups in the
--   preferred order.
--   
--   The list is sent to the server as part of the "supported_groups"
--   extension. It is used in both clients and servers to restrict accepted
--   groups in DH key exchange. Up until TLS v1.2, it is also used by a
--   client to restrict accepted elliptic curves in ECDSA signatures.
--   
--   The default value includes all groups with security strength of 128
--   bits or more.
--   
--   Default:
--   <tt>[X25519,X448,P256,FFDHE3072,FFDHE4096,P384,FFDHE6144,FFDHE8192,P521]</tt>
[supportedGroups] :: Supported -> [Group]

-- | All settings should not be used in production
data DebugParams
DebugParams :: Maybe Seed -> (Seed -> IO ()) -> Maybe Version -> (String -> IO ()) -> DebugParams

-- | Disable the true randomness in favor of deterministic seed that will
--   produce a deterministic random from. This is useful for tests and
--   debugging purpose. Do not use in production
--   
--   Default: <a>Nothing</a>
[debugSeed] :: DebugParams -> Maybe Seed

-- | Add a way to print the seed that was randomly generated. re-using the
--   same seed will reproduce the same randomness with <a>debugSeed</a>
--   
--   Default: no printing
[debugPrintSeed] :: DebugParams -> Seed -> IO ()

-- | Force to choose this version in the server side.
--   
--   Default: <a>Nothing</a>
[debugVersionForced] :: DebugParams -> Maybe Version

-- | Printing master keys.
--   
--   Default: no printing
[debugKeyLogger] :: DebugParams -> String -> IO ()
newtype Credentials
Credentials :: [Credential] -> Credentials
type Credential = (CertificateChain, PrivKey)

-- | try to create a new credential object from a public certificate and
--   the associated private key that are stored on the filesystem in PEM
--   format.
credentialLoadX509 :: FilePath -> FilePath -> IO (Either String Credential)

-- | similar to <a>credentialLoadX509</a> but take the certificate and
--   private key from memory instead of from the filesystem.
credentialLoadX509FromMemory :: ByteString -> ByteString -> Either String Credential

-- | similar to <a>credentialLoadX509</a> but also allow specifying chain
--   certificates.
credentialLoadX509Chain :: FilePath -> [FilePath] -> FilePath -> IO (Either String Credential)

-- | similar to <a>credentialLoadX509FromMemory</a> but also allow
--   specifying chain certificates.
credentialLoadX509ChainFromMemory :: ByteString -> [ByteString] -> ByteString -> Either String Credential

-- | A session manager
data SessionManager
SessionManager :: (SessionID -> IO (Maybe SessionData)) -> (SessionID -> IO (Maybe SessionData)) -> (SessionID -> SessionData -> IO ()) -> (SessionID -> IO ()) -> SessionManager

-- | used on server side to decide whether to resume a client session.
[sessionResume] :: SessionManager -> SessionID -> IO (Maybe SessionData)

-- | used on server side to decide whether to resume a client session for
--   TLS 1.3 0RTT. For a given <a>SessionID</a>, the implementation must
--   return its <a>SessionData</a> only once and must not return the same
--   <a>SessionData</a> after the call.
[sessionResumeOnlyOnce] :: SessionManager -> SessionID -> IO (Maybe SessionData)

-- | used when a session is established.
[sessionEstablish] :: SessionManager -> SessionID -> SessionData -> IO ()

-- | used when a session is invalidated.
[sessionInvalidate] :: SessionManager -> SessionID -> IO ()

-- | The session manager to do nothing.
noSessionManager :: SessionManager

-- | A session ID
type SessionID = ByteString

-- | Session data to resume
data SessionData
SessionData :: Version -> CipherID -> CompressionID -> Maybe HostName -> ByteString -> Maybe Group -> Maybe TLS13TicketInfo -> Maybe ByteString -> Int -> [SessionFlag] -> SessionData
[sessionVersion] :: SessionData -> Version
[sessionCipher] :: SessionData -> CipherID
[sessionCompression] :: SessionData -> CompressionID
[sessionClientSNI] :: SessionData -> Maybe HostName
[sessionSecret] :: SessionData -> ByteString
[sessionGroup] :: SessionData -> Maybe Group
[sessionTicketInfo] :: SessionData -> Maybe TLS13TicketInfo
[sessionALPN] :: SessionData -> Maybe ByteString
[sessionMaxEarlyDataSize] :: SessionData -> Int
[sessionFlags] :: SessionData -> [SessionFlag]

-- | Some session flags
data SessionFlag

-- | Session created with Extended Master Secret
SessionEMS :: SessionFlag
data TLS13TicketInfo

-- | All the callbacks needed for querying and adding to the cache.
data () => ValidationCache
ValidationCache :: ValidationCacheQueryCallback -> ValidationCacheAddCallback -> ValidationCache

-- | cache querying callback
[cacheQuery] :: ValidationCache -> ValidationCacheQueryCallback

-- | cache adding callback
[cacheAdd] :: ValidationCache -> ValidationCacheAddCallback

-- | Validation cache query callback type
type ValidationCacheQueryCallback = ServiceID -> Fingerprint -> Certificate -> IO ValidationCacheResult

-- | Validation cache callback type
type ValidationCacheAddCallback = ServiceID -> Fingerprint -> Certificate -> IO ()

-- | The result of a cache query
data () => ValidationCacheResult

-- | cache allow this fingerprint to go through
ValidationCachePass :: ValidationCacheResult

-- | cache denied this fingerprint for further validation
ValidationCacheDenied :: String -> ValidationCacheResult

-- | unknown fingerprint in cache
ValidationCacheUnknown :: ValidationCacheResult

-- | create a simple constant cache that list exceptions to the
--   certification validation. Typically this is use to allow self-signed
--   certificates for specific use, with out-of-bounds user checks.
--   
--   No fingerprints will be added after the instance is created.
--   
--   The underlying structure for the check is kept as a list, as usually
--   the exception list will be short, but when the list go above a dozen
--   exceptions it's recommended to use another cache mechanism with a
--   faster lookup mechanism (hashtable, map, etc).
--   
--   Note that only one fingerprint is allowed per ServiceID, for other
--   use, another cache mechanism need to be use.
exceptionValidationCache :: [(ServiceID, Fingerprint)] -> ValidationCache

-- | Versions known to TLS
--   
--   SSL2 is just defined, but this version is and will not be supported.
data Version
SSL2 :: Version
SSL3 :: Version
TLS10 :: Version
TLS11 :: Version
TLS12 :: Version
TLS13 :: Version

-- | every compression need to be wrapped in this, to fit in structure
data Compression
Compression :: a -> Compression

-- | default null compression
nullCompression :: Compression
type HashAndSignatureAlgorithm = (HashAlgorithm, SignatureAlgorithm)
data HashAlgorithm
HashNone :: HashAlgorithm
HashMD5 :: HashAlgorithm
HashSHA1 :: HashAlgorithm
HashSHA224 :: HashAlgorithm
HashSHA256 :: HashAlgorithm
HashSHA384 :: HashAlgorithm
HashSHA512 :: HashAlgorithm
HashIntrinsic :: HashAlgorithm
HashOther :: Word8 -> HashAlgorithm
data SignatureAlgorithm
SignatureAnonymous :: SignatureAlgorithm
SignatureRSA :: SignatureAlgorithm
SignatureDSS :: SignatureAlgorithm
SignatureECDSA :: SignatureAlgorithm
SignatureRSApssRSAeSHA256 :: SignatureAlgorithm
SignatureRSApssRSAeSHA384 :: SignatureAlgorithm
SignatureRSApssRSAeSHA512 :: SignatureAlgorithm
SignatureEd25519 :: SignatureAlgorithm
SignatureEd448 :: SignatureAlgorithm
SignatureRSApsspssSHA256 :: SignatureAlgorithm
SignatureRSApsspssSHA384 :: SignatureAlgorithm
SignatureRSApsspssSHA512 :: SignatureAlgorithm
SignatureOther :: Word8 -> SignatureAlgorithm
data Group
P256 :: Group
P384 :: Group
P521 :: Group
X25519 :: Group
X448 :: Group
FFDHE2048 :: Group
FFDHE3072 :: Group
FFDHE4096 :: Group
FFDHE6144 :: Group
FFDHE8192 :: Group

-- | Client or server policy regarding Extended Master Secret
data EMSMode

-- | Extended Master Secret is not used
NoEMS :: EMSMode

-- | Extended Master Secret is allowed
AllowEMS :: EMSMode

-- | Extended Master Secret is required
RequireEMS :: EMSMode
type DHParams = Params
type DHPublic = PublicNumber

-- | Group usage callback possible return values.
data GroupUsage

-- | usage of group accepted
GroupUsageValid :: GroupUsage

-- | usage of group provides insufficient security
GroupUsageInsecure :: GroupUsage

-- | usage of group rejected for other reason (specified as string)
GroupUsageUnsupported :: String -> GroupUsage

-- | usage of group with an invalid public value
GroupUsageInvalidPublic :: GroupUsage

-- | Certificate Usage callback possible returns values.
data CertificateUsage

-- | usage of certificate accepted
CertificateUsageAccept :: CertificateUsage

-- | usage of certificate rejected
CertificateUsageReject :: CertificateRejectReason -> CertificateUsage

-- | Certificate and Chain rejection reason
data CertificateRejectReason
CertificateRejectExpired :: CertificateRejectReason
CertificateRejectRevoked :: CertificateRejectReason
CertificateRejectUnknownCA :: CertificateRejectReason
CertificateRejectAbsent :: CertificateRejectReason
CertificateRejectOther :: String -> CertificateRejectReason

-- | Some of the IANA registered code points for <a>CertificateType</a> are
--   not currently supported by the library. Nor should they be, they're
--   are either unwise, obsolete or both. There's no point in conveying
--   these to the user in the client certificate request callback. The
--   request callback will be filtered to exclude unsupported values. If
--   the user cannot find a certificate for a supported code point, we'll
--   go ahead without a client certificate and hope for the best, unless
--   the user's callback decides to throw an exception.
data CertificateType

-- | TLS10 and up, RFC5246
CertificateType_RSA_Sign :: CertificateType

-- | TLS10 and up, RFC5246
CertificateType_DSS_Sign :: CertificateType

-- | TLS10 and up, RFC8422
CertificateType_ECDSA_Sign :: CertificateType

-- | TLS13 and up, synthetic
CertificateType_Ed25519_Sign :: CertificateType

-- | TLS13 and up, synthetic | None of the below will ever be presented to
--   the callback. Any future public key algorithms valid for client
--   certificates go above this line.
CertificateType_Ed448_Sign :: CertificateType
CertificateType_RSA_Fixed_DH :: CertificateType
CertificateType_DSS_Fixed_DH :: CertificateType
CertificateType_RSA_Ephemeral_DH :: CertificateType
CertificateType_DSS_Ephemeral_DH :: CertificateType
CertificateType_fortezza_dms :: CertificateType
CertificateType_RSA_Fixed_ECDH :: CertificateType
CertificateType_ECDSA_Fixed_ECDH :: CertificateType
CertificateType_Unknown :: Word8 -> CertificateType
type HostName = String
data MaxFragmentEnum
MaxFragment512 :: MaxFragmentEnum
MaxFragment1024 :: MaxFragmentEnum
MaxFragment2048 :: MaxFragmentEnum
MaxFragment4096 :: MaxFragmentEnum

-- | return the backend object associated with this context
ctxConnection :: Context -> Backend

-- | A shortcut for 'backendFlush . ctxConnection'.
contextFlush :: Context -> IO ()

-- | A shortcut for 'backendClose . ctxConnection'.
contextClose :: Context -> IO ()

-- | Information related to a running context, e.g. current cipher
data Information
Information :: Version -> Cipher -> Compression -> Maybe ByteString -> Bool -> Maybe ClientRandom -> Maybe ServerRandom -> Maybe Group -> Maybe HandshakeMode13 -> Bool -> Information
[infoVersion] :: Information -> Version
[infoCipher] :: Information -> Cipher
[infoCompression] :: Information -> Compression
[infoMasterSecret] :: Information -> Maybe ByteString
[infoExtendedMasterSec] :: Information -> Bool
[infoClientRandom] :: Information -> Maybe ClientRandom
[infoServerRandom] :: Information -> Maybe ServerRandom
[infoNegotiatedGroup] :: Information -> Maybe Group
[infoTLS13HandshakeMode] :: Information -> Maybe HandshakeMode13
[infoIsEarlyDataAccepted] :: Information -> Bool

-- | Information about the current context
contextGetInformation :: Context -> IO (Maybe Information)
data ClientRandom
data ServerRandom
unClientRandom :: ClientRandom -> ByteString
unServerRandom :: ServerRandom -> ByteString

-- | Type to show which handshake mode is used in TLS 1.3.
data HandshakeMode13

-- | Full handshake is used.
FullHandshake :: HandshakeMode13

-- | Full handshake is used with hello retry request.
HelloRetryRequest :: HandshakeMode13

-- | Server authentication is skipped.
PreSharedKey :: HandshakeMode13

-- | Server authentication is skipped and early data is sent.
RTT0 :: HandshakeMode13

-- | Getting certificates from a client, if any. Note that the certificates
--   are not sent by a client on resumption even if client authentication
--   is required. So, this API would be replaced by the one which can treat
--   both cases of full-negotiation and resumption.
getClientCertificateChain :: Context -> IO (Maybe CertificateChain)

-- | If the ALPN extensions have been used, this will return get the
--   protocol agreed upon.
getNegotiatedProtocol :: MonadIO m => Context -> m (Maybe ByteString)

-- | If the Server Name Indication extension has been used, return the
--   hostname specified by the client.
getClientSNI :: MonadIO m => Context -> m (Maybe HostName)

-- | Updating appication traffic secrets for TLS 1.3. If this API is called
--   for TLS 1.3, <a>True</a> is returned. Otherwise, <a>False</a> is
--   returned.
updateKey :: MonadIO m => Context -> KeyUpdateRequest -> m Bool

-- | How to update keys in TLS 1.3
data KeyUpdateRequest

-- | Unidirectional key update
OneWay :: KeyUpdateRequest

-- | Bidirectional key update (normal case)
TwoWay :: KeyUpdateRequest

-- | Post-handshake certificate request with TLS 1.3. Returns <a>True</a>
--   if the request was possible, i.e. if TLS 1.3 is used and the remote
--   client supports post-handshake authentication.
requestCertificate :: MonadIO m => Context -> m Bool

-- | Get TLS Finished sent to peer
getFinished :: Context -> IO (Maybe FinishedData)

-- | Get TLS Finished received from peer
getPeerFinished :: Context -> IO (Maybe FinishedData)

-- | A collection of hooks actions.
data Hooks
Hooks :: (Handshake -> IO Handshake) -> (Handshake13 -> IO Handshake13) -> (CertificateChain -> IO ()) -> Logging -> Hooks

-- | called at each handshake message received
[hookRecvHandshake] :: Hooks -> Handshake -> IO Handshake

-- | called at each handshake message received for TLS 1.3
[hookRecvHandshake13] :: Hooks -> Handshake13 -> IO Handshake13

-- | called at each certificate chain message received
[hookRecvCertificates] :: Hooks -> CertificateChain -> IO ()

-- | hooks on IO and packets, receiving and sending.
[hookLogging] :: Hooks -> Logging
contextModifyHooks :: Context -> (Hooks -> Hooks) -> IO ()
data Handshake
contextHookSetHandshakeRecv :: Context -> (Handshake -> IO Handshake) -> IO ()
data Handshake13
contextHookSetHandshake13Recv :: Context -> (Handshake13 -> IO Handshake13) -> IO ()
contextHookSetCertificateRecv :: Context -> (CertificateChain -> IO ()) -> IO ()

-- | Hooks for logging
--   
--   This is called when sending and receiving packets and IO
data Logging
Logging :: (String -> IO ()) -> (String -> IO ()) -> (ByteString -> IO ()) -> (Header -> ByteString -> IO ()) -> Logging
[loggingPacketSent] :: Logging -> String -> IO ()
[loggingPacketRecv] :: Logging -> String -> IO ()
[loggingIOSent] :: Logging -> ByteString -> IO ()
[loggingIORecv] :: Logging -> Header -> ByteString -> IO ()
data Header
Header :: ProtocolType -> Version -> Word16 -> Header
data ProtocolType
ProtocolType_ChangeCipherSpec :: ProtocolType
ProtocolType_Alert :: ProtocolType
ProtocolType_Handshake :: ProtocolType
ProtocolType_AppData :: ProtocolType
ProtocolType_DeprecatedHandshake :: ProtocolType
contextHookSetLogging :: Context -> Logging -> IO ()

-- | TLSError that might be returned through the TLS stack
data TLSError

-- | mainly for instance of Error
Error_Misc :: String -> TLSError
Error_Protocol :: (String, Bool, AlertDescription) -> TLSError
Error_Certificate :: String -> TLSError

-- | handshake policy failed.
Error_HandshakePolicy :: String -> TLSError
Error_EOF :: TLSError
Error_Packet :: String -> TLSError
Error_Packet_unexpected :: String -> String -> TLSError
Error_Packet_Parsing :: String -> TLSError
data KxError
RSAError :: Error -> KxError
KxUnsupported :: KxError
data AlertDescription
CloseNotify :: AlertDescription
UnexpectedMessage :: AlertDescription
BadRecordMac :: AlertDescription

-- | deprecated alert, should never be sent by compliant implementation
DecryptionFailed :: AlertDescription
RecordOverflow :: AlertDescription
DecompressionFailure :: AlertDescription
HandshakeFailure :: AlertDescription
BadCertificate :: AlertDescription
UnsupportedCertificate :: AlertDescription
CertificateRevoked :: AlertDescription
CertificateExpired :: AlertDescription
CertificateUnknown :: AlertDescription
IllegalParameter :: AlertDescription
UnknownCa :: AlertDescription
AccessDenied :: AlertDescription
DecodeError :: AlertDescription
DecryptError :: AlertDescription
ExportRestriction :: AlertDescription
ProtocolVersion :: AlertDescription
InsufficientSecurity :: AlertDescription
InternalError :: AlertDescription
InappropriateFallback :: AlertDescription
UserCanceled :: AlertDescription
NoRenegotiation :: AlertDescription
MissingExtension :: AlertDescription
UnsupportedExtension :: AlertDescription
CertificateUnobtainable :: AlertDescription
UnrecognizedName :: AlertDescription
BadCertificateStatusResponse :: AlertDescription
BadCertificateHashValue :: AlertDescription
UnknownPskIdentity :: AlertDescription
CertificateRequired :: AlertDescription
NoApplicationProtocol :: AlertDescription

-- | TLS Exceptions related to bad user usage or asynchronous errors
data TLSException

-- | Early termination exception with the reason and the error associated
Terminated :: Bool -> String -> TLSError -> TLSException

-- | Handshake failed for the reason attached
HandshakeFailed :: TLSError -> TLSException

-- | Usage error when the connection has not been established and the user
--   is trying to send or receive data
ConnectionNotEstablished :: TLSException

-- | supported compression algorithms need to be part of this class
class CompressionC a
compressionCID :: CompressionC a => a -> CompressionID
compressionCDeflate :: CompressionC a => a -> ByteString -> (a, ByteString)
compressionCInflate :: CompressionC a => a -> ByteString -> (a, ByteString)

-- | Compression identification
type CompressionID = Word8

-- | Public key types known and used in X.509
data () => PubKey

-- | RSA public key
PubKeyRSA :: PublicKey -> PubKey

-- | DSA public key
PubKeyDSA :: PublicKey -> PubKey

-- | DH format with (p,g,q,j,(seed,pgenCounter))
PubKeyDH :: (Integer, Integer, Integer, Maybe Integer, ([Word8], Integer)) -> PubKey

-- | EC public key
PubKeyEC :: PubKeyEC -> PubKey

-- | X25519 public key
PubKeyX25519 :: PublicKey -> PubKey

-- | X448 public key
PubKeyX448 :: PublicKey -> PubKey

-- | Ed25519 public key
PubKeyEd25519 :: PublicKey -> PubKey

-- | Ed448 public key
PubKeyEd448 :: PublicKey -> PubKey

-- | unrecognized format
PubKeyUnknown :: OID -> ByteString -> PubKey

-- | Private key types known and used in X.509
data () => PrivKey

-- | RSA private key
PrivKeyRSA :: PrivateKey -> PrivKey

-- | DSA private key
PrivKeyDSA :: PrivateKey -> PrivKey

-- | EC private key
PrivKeyEC :: PrivKeyEC -> PrivKey

-- | X25519 private key
PrivKeyX25519 :: SecretKey -> PrivKey

-- | X448 private key
PrivKeyX448 :: SecretKey -> PrivKey

-- | Ed25519 private key
PrivKeyEd25519 :: SecretKey -> PrivKey

-- | Ed448 private key
PrivKeyEd448 :: SecretKey -> PrivKey
data CipherKeyExchangeType
CipherKeyExchange_RSA :: CipherKeyExchangeType
CipherKeyExchange_DH_Anon :: CipherKeyExchangeType
CipherKeyExchange_DHE_RSA :: CipherKeyExchangeType
CipherKeyExchange_ECDHE_RSA :: CipherKeyExchangeType
CipherKeyExchange_DHE_DSS :: CipherKeyExchangeType
CipherKeyExchange_DH_DSS :: CipherKeyExchangeType
CipherKeyExchange_DH_RSA :: CipherKeyExchangeType
CipherKeyExchange_ECDH_ECDSA :: CipherKeyExchangeType
CipherKeyExchange_ECDH_RSA :: CipherKeyExchangeType
CipherKeyExchange_ECDHE_ECDSA :: CipherKeyExchangeType
CipherKeyExchange_TLS13 :: CipherKeyExchangeType
data Bulk
Bulk :: String -> Int -> Int -> Int -> Int -> Int -> BulkFunctions -> Bulk
[bulkName] :: Bulk -> String
[bulkKeySize] :: Bulk -> Int
[bulkIVSize] :: Bulk -> Int
[bulkExplicitIV] :: Bulk -> Int
[bulkAuthTagLen] :: Bulk -> Int
[bulkBlockSize] :: Bulk -> Int
[bulkF] :: Bulk -> BulkFunctions
data BulkFunctions
BulkBlockF :: (BulkDirection -> BulkKey -> BulkBlock) -> BulkFunctions
BulkStreamF :: (BulkDirection -> BulkKey -> BulkStream) -> BulkFunctions
BulkAeadF :: (BulkDirection -> BulkKey -> BulkAEAD) -> BulkFunctions
data BulkDirection
BulkEncrypt :: BulkDirection
BulkDecrypt :: BulkDirection
data BulkState
BulkStateStream :: BulkStream -> BulkState
BulkStateBlock :: BulkBlock -> BulkState
BulkStateAEAD :: BulkAEAD -> BulkState
BulkStateUninitialized :: BulkState
newtype BulkStream
BulkStream :: (ByteString -> (ByteString, BulkStream)) -> BulkStream
type BulkBlock = BulkIV -> ByteString -> (ByteString, BulkIV)
type BulkAEAD = BulkNonce -> ByteString -> BulkAdditionalData -> (ByteString, AuthTag)
bulkInit :: Bulk -> BulkDirection -> BulkKey -> BulkState
data Hash
MD5 :: Hash
SHA1 :: Hash
SHA224 :: Hash
SHA256 :: Hash
SHA384 :: Hash
SHA512 :: Hash
SHA1_MD5 :: Hash

-- | Cipher algorithm
data Cipher
Cipher :: CipherID -> String -> Hash -> Bulk -> CipherKeyExchangeType -> Maybe Version -> Maybe Hash -> Cipher
[cipherID] :: Cipher -> CipherID
[cipherName] :: Cipher -> String
[cipherHash] :: Cipher -> Hash
[cipherBulk] :: Cipher -> Bulk
[cipherKeyExchange] :: Cipher -> CipherKeyExchangeType
[cipherMinVer] :: Cipher -> Maybe Version
[cipherPRFHash] :: Cipher -> Maybe Hash

-- | Cipher identification
type CipherID = Word16
cipherKeyBlockSize :: Cipher -> Int
type BulkKey = ByteString
type BulkIV = ByteString
type BulkNonce = ByteString
type BulkAdditionalData = ByteString

-- | Check if a specific <a>Cipher</a> is allowed to be used with the
--   version specified
cipherAllowedForVersion :: Version -> Cipher -> Bool
hasMAC :: BulkFunctions -> Bool
hasRecordIV :: BulkFunctions -> Bool

-- | same as recvData but returns a lazy bytestring.

-- | <i>Deprecated: use recvData that returns strict bytestring</i>
recvData' :: MonadIO m => Context -> m ByteString

-- | create a new context on an handle.

-- | <i>Deprecated: use contextNew</i>
contextNewOnHandle :: (MonadIO m, TLSParams params) => Handle -> params -> m Context

-- | create a new context on a socket.

-- | <i>Deprecated: use contextNew</i>
contextNewOnSocket :: (MonadIO m, TLSParams params) => Socket -> params -> m Context

-- | <i>Deprecated: Use Data.ByteString.Bytestring instead of Bytes.</i>
type Bytes = ByteString

-- | A set of checks to activate or parametrize to perform on certificates.
--   
--   It's recommended to use <a>defaultChecks</a> to create the structure,
--   to better cope with future changes or expansion of the structure.
data () => ValidationChecks
ValidationChecks :: Bool -> Maybe DateTime -> Bool -> Bool -> Bool -> Bool -> [ExtKeyUsageFlag] -> [ExtKeyUsagePurpose] -> Bool -> ValidationChecks

-- | check time validity of every certificate in the chain. the make sure
--   that current time is between each validity bounds in the certificate
[checkTimeValidity] :: ValidationChecks -> Bool

-- | The time when the validity check happens. When set to Nothing, the
--   current time will be used
[checkAtTime] :: ValidationChecks -> Maybe DateTime

-- | Check that no certificate is included that shouldn't be included.
--   unfortunately despite the specification violation, a lots of real
--   world server serves useless and usually old certificates that are not
--   relevant to the certificate sent, in their chain.
[checkStrictOrdering] :: ValidationChecks -> Bool

-- | Check that signing certificate got the CA basic constraint. this is
--   absolutely not recommended to turn it off.
[checkCAConstraints] :: ValidationChecks -> Bool

-- | Check the whole certificate chain without stopping at the first
--   failure. Allow gathering a exhaustive list of failure reasons. if this
--   is turn off, it's absolutely not safe to ignore a failed reason even
--   it doesn't look serious (e.g. Expired) as other more serious checks
--   would not have been performed.
[checkExhaustive] :: ValidationChecks -> Bool

-- | Check that the leaf certificate is version 3. If disable, version 2
--   certificate is authorized in leaf position and key usage cannot be
--   checked.
[checkLeafV3] :: ValidationChecks -> Bool

-- | Check that the leaf certificate is authorized to be used for certain
--   usage. If set to empty list no check are performed, otherwise all the
--   flags is the list need to exists in the key usage extension. If the
--   extension is not present, the check will pass and behave as if the
--   certificate key is not restricted to any specific usage.
[checkLeafKeyUsage] :: ValidationChecks -> [ExtKeyUsageFlag]

-- | Check that the leaf certificate is authorized to be used for certain
--   purpose. If set to empty list no check are performed, otherwise all
--   the flags is the list need to exists in the extended key usage
--   extension if present. If the extension is not present, then the check
--   will pass and behave as if the certificate is not restricted to any
--   specific purpose.
[checkLeafKeyPurpose] :: ValidationChecks -> [ExtKeyUsagePurpose]

-- | Check the top certificate names matching the fully qualified hostname
--   (FQHN). it's not recommended to turn this check off, if no other name
--   checks are performed.
[checkFQHN] :: ValidationChecks -> Bool

-- | A set of hooks to manipulate the way the verification works.
--   
--   BEWARE, it's easy to change behavior leading to compromised security.
data () => ValidationHooks
ValidationHooks :: (DistinguishedName -> Certificate -> Bool) -> (DateTime -> Certificate -> [FailedReason]) -> (HostName -> Certificate -> [FailedReason]) -> ([FailedReason] -> [FailedReason]) -> ValidationHooks

-- | check whether a given issuer <a>DistinguishedName</a> matches the
--   subject <a>DistinguishedName</a> of a candidate issuer certificate.
[hookMatchSubjectIssuer] :: ValidationHooks -> DistinguishedName -> Certificate -> Bool

-- | check whether the certificate in the second argument is valid at the
--   time provided in the first argument. Return an empty list for success
--   or else one or more failure reasons.
[hookValidateTime] :: ValidationHooks -> DateTime -> Certificate -> [FailedReason]

-- | validate the certificate leaf name with the DNS named used to connect
[hookValidateName] :: ValidationHooks -> HostName -> Certificate -> [FailedReason]

-- | user filter to modify the list of failure reasons
[hookFilterReason] :: ValidationHooks -> [FailedReason] -> [FailedReason]
