module Network.TLS.Parameters (
    ClientParams (..),
    ServerParams (..),
    CommonParams,
    DebugParams (..),
    ClientHooks (..),
    OnCertificateRequest,
    OnServerCertificate,
    ServerHooks (..),
    Supported (..),
    Shared (..),

    -- * special default
    defaultParamsClient,

    -- * Parameters
    MaxFragmentEnum (..),
    EMSMode (..),
    GroupUsage (..),
    CertificateUsage (..),
    CertificateRejectReason (..),
    Information (..),
) where

import qualified Data.ByteString as B
import Data.Default.Class
import Network.TLS.Cipher
import Network.TLS.Compression
import Network.TLS.Credentials
import Network.TLS.Crypto
import Network.TLS.Extension
import Network.TLS.Extra.Cipher
import Network.TLS.Handshake.State
import Network.TLS.Imports
import Network.TLS.Measurement
import Network.TLS.RNG (Seed)
import Network.TLS.Session
import Network.TLS.Struct
import qualified Network.TLS.Struct as Struct
import Network.TLS.Types (HostName)
import Network.TLS.X509

type CommonParams = (Supported, Shared, DebugParams)

-- | All settings should not be used in production
data DebugParams = DebugParams
    { DebugParams -> Maybe Seed
debugSeed :: Maybe Seed
    -- ^ Disable the true randomness in favor of deterministic seed that will produce
    -- a deterministic random from. This is useful for tests and debugging purpose.
    -- Do not use in production
    --
    -- Default: 'Nothing'
    , DebugParams -> Seed -> IO ()
debugPrintSeed :: Seed -> IO ()
    -- ^ Add a way to print the seed that was randomly generated. re-using the same seed
    -- will reproduce the same randomness with 'debugSeed'
    --
    -- Default: no printing
    , DebugParams -> Maybe Version
debugVersionForced :: Maybe Version
    -- ^ Force to choose this version in the server side.
    --
    -- Default: 'Nothing'
    , DebugParams -> String -> IO ()
debugKeyLogger :: String -> IO ()
    -- ^ Printing main keys.
    --
    -- Default: no printing
    }

defaultDebugParams :: DebugParams
defaultDebugParams :: DebugParams
defaultDebugParams =
    DebugParams
        { debugSeed :: Maybe Seed
debugSeed = Maybe Seed
forall a. Maybe a
Nothing
        , debugPrintSeed :: Seed -> IO ()
debugPrintSeed = IO () -> Seed -> IO ()
forall a b. a -> b -> a
const (() -> IO ()
forall a. a -> IO a
forall (m :: * -> *) a. Monad m => a -> m a
return ())
        , debugVersionForced :: Maybe Version
debugVersionForced = Maybe Version
forall a. Maybe a
Nothing
        , debugKeyLogger :: String -> IO ()
debugKeyLogger = \String
_ -> () -> IO ()
forall a. a -> IO a
forall (m :: * -> *) a. Monad m => a -> m a
return ()
        }

instance Show DebugParams where
    show :: DebugParams -> String
show DebugParams
_ = String
"DebugParams"
instance Default DebugParams where
    def :: DebugParams
def = DebugParams
defaultDebugParams

data ClientParams = ClientParams
    { ClientParams -> Maybe MaxFragmentEnum
clientUseMaxFragmentLength :: Maybe MaxFragmentEnum
    -- ^
    --
    -- Default: 'Nothing'
    , ClientParams -> (String, ByteString)
clientServerIdentification :: (HostName, ByteString)
    -- ^ Define the name of the server, along with an extra service identification blob.
    -- this is important that the hostname part is properly filled for security reason,
    -- as it allow to properly associate the remote side with the given certificate
    -- during a handshake.
    --
    -- The extra blob is useful to differentiate services running on the same host, but that
    -- might have different certificates given. It's only used as part of the X509 validation
    -- infrastructure.
    --
    -- This value is typically set by 'defaultParamsClient'.
    , ClientParams -> Bool
clientUseServerNameIndication :: Bool
    -- ^ Allow the use of the Server Name Indication TLS extension during handshake, which allow
    -- the client to specify which host name, it's trying to access. This is useful to distinguish
    -- CNAME aliasing (e.g. web virtual host).
    --
    -- Default: 'True'
    , ClientParams -> Maybe (ByteString, SessionData)
clientWantSessionResume :: Maybe (SessionID, SessionData)
    -- ^ try to establish a connection using this session for TLS 1.2/TLS 1.3.
    -- This can be used for TLS 1.3 but for backward compatibility purpose only.
    -- Use 'clientWantSessionResume13' instead for TLS 1.3.
    --
    -- Default: 'Nothing'
    , ClientParams -> [(ByteString, SessionData)]
clientWantSessionResumeList :: [(SessionID, SessionData)]
    -- ^ try to establish a connection using one of this sessions
    -- especially for TLS 1.3.
    -- This take precedence over 'clientWantSessionResume'.
    -- For convenience, this can be specified for TLS 1.2 but only the first
    -- entry is used.
    --
    -- Default: '[]'
    , ClientParams -> Shared
clientShared :: Shared
    -- ^ See the default value of 'Shared'.
    , ClientParams -> ClientHooks
clientHooks :: ClientHooks
    -- ^ See the default value of 'ClientHooks'.
    , ClientParams -> Supported
clientSupported :: Supported
    -- ^ In this element, you'll  need to override the default empty value of
    -- of 'supportedCiphers' with a suitable cipherlist.
    --
    -- See the default value of 'Supported'.
    , ClientParams -> DebugParams
clientDebug :: DebugParams
    -- ^ See the default value of 'DebugParams'.
    , ClientParams -> Bool
clientUseEarlyData :: Bool
    -- ^ Client tries to send early data in TLS 1.3
    -- via 'sendData' if possible.
    -- If not accepted by the server, the early data
    -- is automatically re-sent.
    --
    -- Default: 'False'
    }
    deriving (Int -> ClientParams -> ShowS
[ClientParams] -> ShowS
ClientParams -> String
(Int -> ClientParams -> ShowS)
-> (ClientParams -> String)
-> ([ClientParams] -> ShowS)
-> Show ClientParams
forall a.
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a
$cshowsPrec :: Int -> ClientParams -> ShowS
showsPrec :: Int -> ClientParams -> ShowS
$cshow :: ClientParams -> String
show :: ClientParams -> String
$cshowList :: [ClientParams] -> ShowS
showList :: [ClientParams] -> ShowS
Show)

defaultParamsClient :: HostName -> ByteString -> ClientParams
defaultParamsClient :: String -> ByteString -> ClientParams
defaultParamsClient String
serverName ByteString
serverId =
    ClientParams
        { clientUseMaxFragmentLength :: Maybe MaxFragmentEnum
clientUseMaxFragmentLength = Maybe MaxFragmentEnum
forall a. Maybe a
Nothing
        , clientServerIdentification :: (String, ByteString)
clientServerIdentification = (String
serverName, ByteString
serverId)
        , clientUseServerNameIndication :: Bool
clientUseServerNameIndication = Bool
True
        , clientWantSessionResume :: Maybe (ByteString, SessionData)
clientWantSessionResume = Maybe (ByteString, SessionData)
forall a. Maybe a
Nothing
        , clientWantSessionResumeList :: [(ByteString, SessionData)]
clientWantSessionResumeList = []
        , clientShared :: Shared
clientShared = Shared
forall a. Default a => a
def
        , clientHooks :: ClientHooks
clientHooks = ClientHooks
forall a. Default a => a
def
        , clientSupported :: Supported
clientSupported = Supported
forall a. Default a => a
def
        , clientDebug :: DebugParams
clientDebug = DebugParams
defaultDebugParams
        , clientUseEarlyData :: Bool
clientUseEarlyData = Bool
False
        }

data ServerParams = ServerParams
    { ServerParams -> Bool
serverWantClientCert :: Bool
    -- ^ Request a certificate from client.
    --
    -- Default: 'False'
    , ServerParams -> [SignedCertificate]
serverCACertificates :: [SignedCertificate]
    -- ^ This is a list of certificates from which the
    -- disinguished names are sent in certificate request
    -- messages.  For TLS1.0, it should not be empty.
    --
    -- Default: '[]'
    , ServerParams -> Maybe DHParams
serverDHEParams :: Maybe DHParams
    -- ^ Server Optional Diffie Hellman parameters.  Setting parameters is
    -- necessary for FFDHE key exchange when clients are not compatible
    -- with RFC 7919.
    --
    -- Value can be one of the standardized groups from module
    -- "Network.TLS.Extra.FFDHE" or custom parameters generated with
    -- 'Crypto.PubKey.DH.generateParams'.
    --
    -- Default: 'Nothing'
    , ServerParams -> ServerHooks
serverHooks :: ServerHooks
    -- ^ See the default value of 'ServerHooks'.
    , ServerParams -> Shared
serverShared :: Shared
    -- ^ See the default value of 'Shared'.
    , ServerParams -> Supported
serverSupported :: Supported
    -- ^ See the default value of 'Supported'.
    , ServerParams -> DebugParams
serverDebug :: DebugParams
    -- ^ See the default value of 'DebugParams'.
    , ServerParams -> Int
serverEarlyDataSize :: Int
    -- ^ Server accepts this size of early data in TLS 1.3.
    -- 0 (or lower) means that the server does not accept early data.
    --
    -- Default: 0
    , ServerParams -> Int
serverTicketLifetime :: Int
    -- ^ Lifetime in seconds for session tickets generated by the server.
    -- Acceptable value range is 0 to 604800 (7 days).
    --
    -- Default: 7200 (2 hours)
    }
    deriving (Int -> ServerParams -> ShowS
[ServerParams] -> ShowS
ServerParams -> String
(Int -> ServerParams -> ShowS)
-> (ServerParams -> String)
-> ([ServerParams] -> ShowS)
-> Show ServerParams
forall a.
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a
$cshowsPrec :: Int -> ServerParams -> ShowS
showsPrec :: Int -> ServerParams -> ShowS
$cshow :: ServerParams -> String
show :: ServerParams -> String
$cshowList :: [ServerParams] -> ShowS
showList :: [ServerParams] -> ShowS
Show)

defaultParamsServer :: ServerParams
defaultParamsServer :: ServerParams
defaultParamsServer =
    ServerParams
        { serverWantClientCert :: Bool
serverWantClientCert = Bool
False
        , serverCACertificates :: [SignedCertificate]
serverCACertificates = []
        , serverDHEParams :: Maybe DHParams
serverDHEParams = Maybe DHParams
forall a. Maybe a
Nothing
        , serverHooks :: ServerHooks
serverHooks = ServerHooks
forall a. Default a => a
def
        , serverShared :: Shared
serverShared = Shared
forall a. Default a => a
def
        , serverSupported :: Supported
serverSupported = Supported
forall a. Default a => a
def
        , serverDebug :: DebugParams
serverDebug = DebugParams
defaultDebugParams
        , serverEarlyDataSize :: Int
serverEarlyDataSize = Int
0
        , serverTicketLifetime :: Int
serverTicketLifetime = Int
7200
        }

instance Default ServerParams where
    def :: ServerParams
def = ServerParams
defaultParamsServer

-- | List all the supported algorithms, versions, ciphers, etc supported.
data Supported = Supported
    { Supported -> [Version]
supportedVersions :: [Version]
    -- ^ Supported versions by this context.  On the client side, the highest
    -- version will be used to establish the connection.  On the server side,
    -- the highest version that is less or equal than the client version will
    -- be chosen.
    --
    -- Versions should be listed in preference order, i.e. higher versions
    -- first.
    --
    -- Default: @[TLS13,TLS12]@
    , Supported -> [Cipher]
supportedCiphers :: [Cipher]
    -- ^ Supported cipher methods.  The default is empty, specify a suitable
    -- cipher list.  'Network.TLS.Extra.Cipher.ciphersuite_default' is often
    -- a good choice.
    --
    -- Default: @[]@
    , Supported -> [Compression]
supportedCompressions :: [Compression]
    -- ^ Supported compressions methods.  By default only the "null"
    -- compression is supported, which means no compression will be performed.
    -- Allowing other compression method is not advised as it causes a
    -- connection failure when TLS 1.3 is negotiated.
    --
    -- Default: @[nullCompression]@
    , Supported -> [HashAndSignatureAlgorithm]
supportedHashSignatures :: [HashAndSignatureAlgorithm]
    -- ^ All supported hash/signature algorithms pair for client
    -- certificate verification and server signature in (EC)DHE,
    -- ordered by decreasing priority.
    --
    -- This list is sent to the peer as part of the "signature_algorithms"
    -- extension.  It is used to restrict accepted signatures received from
    -- the peer at TLS level (not in X.509 certificates), but only when the
    -- TLS version is 1.2 or above.  In order to disable SHA-1 one must then
    -- also disable earlier protocol versions in 'supportedVersions'.
    --
    -- The list also impacts the selection of possible algorithms when
    -- generating signatures.
    --
    -- Note: with TLS 1.3 some algorithms have been deprecated and will not be
    -- used even when listed in the parameter: MD5, SHA-1, SHA-224, RSA
    -- PKCS#1, DSA.
    --
    -- Default:
    --
    -- @
    --   [ (HashIntrinsic,     SignatureEd448)
    --   , (HashIntrinsic,     SignatureEd25519)
    --   , (Struct.HashSHA256, SignatureECDSA)
    --   , (Struct.HashSHA384, SignatureECDSA)
    --   , (Struct.HashSHA512, SignatureECDSA)
    --   , (HashIntrinsic,     SignatureRSApssRSAeSHA512)
    --   , (HashIntrinsic,     SignatureRSApssRSAeSHA384)
    --   , (HashIntrinsic,     SignatureRSApssRSAeSHA256)
    --   , (Struct.HashSHA512, SignatureRSA)
    --   , (Struct.HashSHA384, SignatureRSA)
    --   , (Struct.HashSHA256, SignatureRSA)
    --   , (Struct.HashSHA1,   SignatureRSA)
    --   , (Struct.HashSHA1,   SignatureDSA)
    --   ]
    -- @
    , Supported -> Bool
supportedSecureRenegotiation :: Bool
    -- ^ Secure renegotiation defined in RFC5746.
    --   If 'True', clients send the renegotiation_info extension.
    --   If 'True', servers handle the extension or the renegotiation SCSV
    --   then send the renegotiation_info extension.
    --
    --   Default: 'True'
    , Supported -> Bool
supportedClientInitiatedRenegotiation :: Bool
    -- ^ If 'True', renegotiation is allowed from the client side.
    --   This is vulnerable to DOS attacks.
    --   If 'False', renegotiation is allowed only from the server side
    --   via HelloRequest.
    --
    --   Default: 'False'
    , Supported -> EMSMode
supportedExtendedMainSecret :: EMSMode
    -- ^ The mode regarding extended main secret.  Enabling this extension
    -- provides better security for TLS versions 1.2.  TLS 1.3 provides
    -- the security properties natively and does not need the extension.
    --
    -- By default the extension is 'RequireEMS'.
    -- So, the handshake will fail when the peer does not support
    -- the extension.
    --
    -- Default: 'RequireEMS'
    , Supported -> Bool
supportedSession :: Bool
    -- ^ Set if we support session.
    --
    --   Default: 'True'
    , Supported -> Bool
supportedFallbackScsv :: Bool
    -- ^ Support for fallback SCSV defined in RFC7507.
    --   If 'True', servers reject handshakes which suggest
    --   a lower protocol than the highest protocol supported.
    --
    --   Default: 'True'
    , Supported -> Bool
supportedEmptyPacket :: Bool
    -- ^ In ver <= TLS1.0, block ciphers using CBC are using CBC residue as IV, which can be guessed
    -- by an attacker. Hence, an empty packet is normally sent before a normal data packet, to
    -- prevent guessability. Some Microsoft TLS-based protocol implementations, however,
    -- consider these empty packets as a protocol violation and disconnect. If this parameter is
    -- 'False', empty packets will never be added, which is less secure, but might help in rare
    -- cases.
    --
    --   Default: 'True'
    , Supported -> [Group]
supportedGroups :: [Group]
    -- ^ A list of supported elliptic curves and finite-field groups in the
    --   preferred order.
    --
    --   The list is sent to the server as part of the "supported_groups"
    --   extension.  It is used in both clients and servers to restrict
    --   accepted groups in DH key exchange.  Up until TLS v1.2, it is also
    --   used by a client to restrict accepted elliptic curves in ECDSA
    --   signatures.
    --
    --   The default value includes all groups with security strength of 128
    --   bits or more.
    --
    --   Default: @[X25519,X448,P256,FFDHE3072,FFDHE4096,P384,FFDHE6144,FFDHE8192,P521]@
    }
    deriving (Int -> Supported -> ShowS
[Supported] -> ShowS
Supported -> String
(Int -> Supported -> ShowS)
-> (Supported -> String)
-> ([Supported] -> ShowS)
-> Show Supported
forall a.
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a
$cshowsPrec :: Int -> Supported -> ShowS
showsPrec :: Int -> Supported -> ShowS
$cshow :: Supported -> String
show :: Supported -> String
$cshowList :: [Supported] -> ShowS
showList :: [Supported] -> ShowS
Show, Supported -> Supported -> Bool
(Supported -> Supported -> Bool)
-> (Supported -> Supported -> Bool) -> Eq Supported
forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a
$c== :: Supported -> Supported -> Bool
== :: Supported -> Supported -> Bool
$c/= :: Supported -> Supported -> Bool
/= :: Supported -> Supported -> Bool
Eq)

-- | Client or server policy regarding Extended Main Secret
data EMSMode
    = -- | Extended Main Secret is not used
      NoEMS
    | -- | Extended Main Secret is allowed
      AllowEMS
    | -- | Extended Main Secret is required
      RequireEMS
    deriving (Int -> EMSMode -> ShowS
[EMSMode] -> ShowS
EMSMode -> String
(Int -> EMSMode -> ShowS)
-> (EMSMode -> String) -> ([EMSMode] -> ShowS) -> Show EMSMode
forall a.
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a
$cshowsPrec :: Int -> EMSMode -> ShowS
showsPrec :: Int -> EMSMode -> ShowS
$cshow :: EMSMode -> String
show :: EMSMode -> String
$cshowList :: [EMSMode] -> ShowS
showList :: [EMSMode] -> ShowS
Show, EMSMode -> EMSMode -> Bool
(EMSMode -> EMSMode -> Bool)
-> (EMSMode -> EMSMode -> Bool) -> Eq EMSMode
forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a
$c== :: EMSMode -> EMSMode -> Bool
== :: EMSMode -> EMSMode -> Bool
$c/= :: EMSMode -> EMSMode -> Bool
/= :: EMSMode -> EMSMode -> Bool
Eq)

defaultSupported :: Supported
defaultSupported :: Supported
defaultSupported =
    Supported
        { supportedVersions :: [Version]
supportedVersions = [Version
TLS13, Version
TLS12]
        , supportedCiphers :: [Cipher]
supportedCiphers = [Cipher]
ciphersuite_default
        , supportedCompressions :: [Compression]
supportedCompressions = [Compression
nullCompression]
        , supportedHashSignatures :: [HashAndSignatureAlgorithm]
supportedHashSignatures = [HashAndSignatureAlgorithm]
Struct.supportedSignatureSchemes
        , supportedSecureRenegotiation :: Bool
supportedSecureRenegotiation = Bool
True
        , supportedClientInitiatedRenegotiation :: Bool
supportedClientInitiatedRenegotiation = Bool
False
        , supportedExtendedMainSecret :: EMSMode
supportedExtendedMainSecret = EMSMode
RequireEMS
        , supportedSession :: Bool
supportedSession = Bool
True
        , supportedFallbackScsv :: Bool
supportedFallbackScsv = Bool
True
        , supportedEmptyPacket :: Bool
supportedEmptyPacket = Bool
True
        , supportedGroups :: [Group]
supportedGroups = [Group]
supportedNamedGroups
        }

instance Default Supported where
    def :: Supported
def = Supported
defaultSupported

-- | Parameters that are common to clients and servers.
data Shared = Shared
    { Shared -> Credentials
sharedCredentials :: Credentials
    -- ^ The list of certificates and private keys that a server will use as
    -- part of authentication to clients.  Actual credentials that are used
    -- are selected dynamically from this list based on client capabilities.
    -- Additional credentials returned by 'onServerNameIndication' are also
    -- considered.
    --
    -- When credential list is left empty (the default value), no key
    -- exchange can take place.
    --
    -- Default: 'mempty'
    , Shared -> SessionManager
sharedSessionManager :: SessionManager
    -- ^ Callbacks used by clients and servers in order to resume TLS
    -- sessions.  The default implementation never resumes sessions.  Package
    -- <https://hackage.haskell.org/package/tls-session-manager tls-session-manager>
    -- provides an in-memory implementation.
    --
    -- Default: 'noSessionManager'
    , Shared -> CertificateStore
sharedCAStore :: CertificateStore
    -- ^ A collection of trust anchors to be used by a client as
    -- part of validation of server certificates.  This is set as
    -- first argument to function 'onServerCertificate'.  Package
    -- <https://hackage.haskell.org/package/crypton-x509-system crypton-x509-system>
    -- gives access to a default certificate store configured in the
    -- system.
    --
    -- Default: 'mempty'
    , Shared -> ValidationCache
sharedValidationCache :: ValidationCache
    -- ^ Callbacks that may be used by a client to cache certificate
    -- validation results (positive or negative) and avoid expensive
    -- signature check.  The default implementation does not have
    -- any caching.
    --
    -- See the default value of 'ValidationCache'.
    , Shared -> [ExtensionRaw]
sharedHelloExtensions :: [ExtensionRaw]
    -- ^ Additional extensions to be sent during the Hello sequence.
    --
    -- For a client this is always included in message ClientHello.  For a
    -- server, this is sent in messages ServerHello or EncryptedExtensions
    -- based on the TLS version.
    --
    -- Default: @[]@
    }

instance Show Shared where
    show :: Shared -> String
show Shared
_ = String
"Shared"
instance Default Shared where
    def :: Shared
def =
        Shared
            { sharedCredentials :: Credentials
sharedCredentials = Credentials
forall a. Monoid a => a
mempty
            , sharedSessionManager :: SessionManager
sharedSessionManager = SessionManager
noSessionManager
            , sharedCAStore :: CertificateStore
sharedCAStore = CertificateStore
forall a. Monoid a => a
mempty
            , sharedValidationCache :: ValidationCache
sharedValidationCache = ValidationCache
forall a. Default a => a
def
            , sharedHelloExtensions :: [ExtensionRaw]
sharedHelloExtensions = []
            }

-- | Group usage callback possible return values.
data GroupUsage
    = -- | usage of group accepted
      GroupUsageValid
    | -- | usage of group provides insufficient security
      GroupUsageInsecure
    | -- | usage of group rejected for other reason (specified as string)
      GroupUsageUnsupported String
    | -- | usage of group with an invalid public value
      GroupUsageInvalidPublic
    deriving (Int -> GroupUsage -> ShowS
[GroupUsage] -> ShowS
GroupUsage -> String
(Int -> GroupUsage -> ShowS)
-> (GroupUsage -> String)
-> ([GroupUsage] -> ShowS)
-> Show GroupUsage
forall a.
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a
$cshowsPrec :: Int -> GroupUsage -> ShowS
showsPrec :: Int -> GroupUsage -> ShowS
$cshow :: GroupUsage -> String
show :: GroupUsage -> String
$cshowList :: [GroupUsage] -> ShowS
showList :: [GroupUsage] -> ShowS
Show, GroupUsage -> GroupUsage -> Bool
(GroupUsage -> GroupUsage -> Bool)
-> (GroupUsage -> GroupUsage -> Bool) -> Eq GroupUsage
forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a
$c== :: GroupUsage -> GroupUsage -> Bool
== :: GroupUsage -> GroupUsage -> Bool
$c/= :: GroupUsage -> GroupUsage -> Bool
/= :: GroupUsage -> GroupUsage -> Bool
Eq)

defaultGroupUsage :: Int -> DHParams -> DHPublic -> IO GroupUsage
defaultGroupUsage :: Int -> DHParams -> DHPublic -> IO GroupUsage
defaultGroupUsage Int
minBits DHParams
params DHPublic
public
    | Integer -> Bool
forall a. Integral a => a -> Bool
even (Integer -> Bool) -> Integer -> Bool
forall a b. (a -> b) -> a -> b
$ DHParams -> Integer
dhParamsGetP DHParams
params =
        GroupUsage -> IO GroupUsage
forall a. a -> IO a
forall (m :: * -> *) a. Monad m => a -> m a
return (GroupUsage -> IO GroupUsage) -> GroupUsage -> IO GroupUsage
forall a b. (a -> b) -> a -> b
$ String -> GroupUsage
GroupUsageUnsupported String
"invalid odd prime"
    | Bool -> Bool
not (Bool -> Bool) -> Bool -> Bool
forall a b. (a -> b) -> a -> b
$ DHParams -> Integer -> Bool
dhValid DHParams
params (DHParams -> Integer
dhParamsGetG DHParams
params) =
        GroupUsage -> IO GroupUsage
forall a. a -> IO a
forall (m :: * -> *) a. Monad m => a -> m a
return (GroupUsage -> IO GroupUsage) -> GroupUsage -> IO GroupUsage
forall a b. (a -> b) -> a -> b
$ String -> GroupUsage
GroupUsageUnsupported String
"invalid generator"
    | Bool -> Bool
not (Bool -> Bool) -> Bool -> Bool
forall a b. (a -> b) -> a -> b
$ DHParams -> Integer -> Bool
dhValid DHParams
params (DHPublic -> Integer
dhUnwrapPublic DHPublic
public) =
        GroupUsage -> IO GroupUsage
forall a. a -> IO a
forall (m :: * -> *) a. Monad m => a -> m a
return GroupUsage
GroupUsageInvalidPublic
    -- To prevent Logjam attack
    | DHParams -> Int
dhParamsGetBits DHParams
params Int -> Int -> Bool
forall a. Ord a => a -> a -> Bool
< Int
minBits = GroupUsage -> IO GroupUsage
forall a. a -> IO a
forall (m :: * -> *) a. Monad m => a -> m a
return GroupUsage
GroupUsageInsecure
    | Bool
otherwise = GroupUsage -> IO GroupUsage
forall a. a -> IO a
forall (m :: * -> *) a. Monad m => a -> m a
return GroupUsage
GroupUsageValid

-- | Type for 'onCertificateRequest'. This type synonym is to make
--   document readable.
type OnCertificateRequest =
    ( [CertificateType]
    , Maybe [HashAndSignatureAlgorithm]
    , [DistinguishedName]
    )
    -> IO (Maybe (CertificateChain, PrivKey))

-- | Type for 'onServerCertificate'. This type synonym is to make
--   document readable.
type OnServerCertificate =
    CertificateStore
    -> ValidationCache
    -> ServiceID
    -> CertificateChain
    -> IO [FailedReason]

-- | A set of callbacks run by the clients for various corners of TLS establishment
data ClientHooks = ClientHooks
    { ClientHooks -> OnCertificateRequest
onCertificateRequest :: OnCertificateRequest
    -- ^ This action is called when the a certificate request is
    -- received from the server. The callback argument is the
    -- information from the request.  The server, at its
    -- discretion, may be willing to continue the handshake
    -- without a client certificate.  Therefore, the callback is
    -- free to return 'Nothing' to indicate that no client
    -- certificate should be sent, despite the server's request.
    -- In some cases it may be appropriate to get user consent
    -- before sending the certificate; the content of the user's
    -- certificate may be sensitive and intended only for
    -- specific servers.
    --
    -- The action should select a certificate chain of one of
    -- the given certificate types and one of the certificates
    -- in the chain should (if possible) be signed by one of the
    -- given distinguished names.  Some servers, that don't have
    -- a narrow set of preferred issuer CAs, will send an empty
    -- 'DistinguishedName' list, rather than send all the names
    -- from their trusted CA bundle.  If the client does not
    -- have a certificate chaining to a matching CA, it may
    -- choose a default certificate instead.
    --
    -- Each certificate except the last should be signed by the
    -- following one.  The returned private key must be for the
    -- first certificates in the chain.  This key will be used
    -- to signing the certificate verify message.
    --
    -- The public key in the first certificate, and the matching
    -- returned private key must be compatible with one of the
    -- list of 'HashAndSignatureAlgorithm' value when provided.
    -- TLS 1.3 changes the meaning of the list elements, adding
    -- explicit code points for each supported pair of hash and
    -- signature (public key) algorithms, rather than combining
    -- separate codes for the hash and key.  For details see
    -- <https://tools.ietf.org/html/rfc8446#section-4.2.3 RFC 8446>
    -- section 4.2.3.  When no compatible certificate chain is
    -- available, return 'Nothing' if it is OK to continue
    -- without a client certificate.  Returning a non-matching
    -- certificate should result in a handshake failure.
    --
    -- While the TLS version is not provided to the callback,
    -- the content of the @signature_algorithms@ list provides
    -- a strong hint, since TLS 1.3 servers will generally list
    -- RSA pairs with a hash component of 'Intrinsic' (@0x08@).
    --
    -- Note that is is the responsibility of this action to
    -- select a certificate matching one of the requested
    -- certificate types (public key algorithms).  Returning
    -- a non-matching one will lead to handshake failure later.
    --
    -- Default: returns 'Nothing' anyway.
    , ClientHooks -> OnServerCertificate
onServerCertificate :: OnServerCertificate
    -- ^ Used by the client to validate the server certificate.  The default
    -- implementation calls 'validateDefault' which validates according to the
    -- default hooks and checks provided by "Data.X509.Validation".  This can
    -- be replaced with a custom validation function using different settings.
    --
    -- The function is not expected to verify the key-usage extension of the
    -- end-entity certificate, as this depends on the dynamically-selected
    -- cipher and this part should not be cached.  Key-usage verification
    -- is performed by the library internally.
    --
    -- Default: 'validateDefault'
    , ClientHooks -> IO (Maybe [ByteString])
onSuggestALPN :: IO (Maybe [B.ByteString])
    -- ^ This action is called when the client sends ClientHello
    --   to determine ALPN values such as '["h2", "http/1.1"]'.
    --
    -- Default: returns 'Nothing'
    , ClientHooks -> DHParams -> DHPublic -> IO GroupUsage
onCustomFFDHEGroup :: DHParams -> DHPublic -> IO GroupUsage
    -- ^ This action is called to validate DHE parameters when the server
    --   selected a finite-field group not part of the "Supported Groups
    --   Registry" or not part of 'supportedGroups' list.
    --
    --   With TLS 1.3 custom groups have been removed from the protocol, so
    --   this callback is only used when the version negotiated is 1.2 or
    --   below.
    --
    --   The default behavior with (dh_p, dh_g, dh_size) and pub as follows:
    --
    --   (1) rejecting if dh_p is even
    --   (2) rejecting unless 1 < dh_g && dh_g < dh_p - 1
    --   (3) rejecting unless 1 < dh_p && pub < dh_p - 1
    --   (4) rejecting if dh_size < 1024 (to prevent Logjam attack)
    --
    --   See RFC 7919 section 3.1 for recommandations.
    , ClientHooks -> Information -> IO ()
onServerFinished :: Information -> IO ()
    -- ^ When a handshake is done, this hook can check `Information`.
    }

defaultClientHooks :: ClientHooks
defaultClientHooks :: ClientHooks
defaultClientHooks =
    ClientHooks
        { onCertificateRequest :: OnCertificateRequest
onCertificateRequest = \([CertificateType], Maybe [HashAndSignatureAlgorithm],
 [DistinguishedName])
_ -> Maybe (CertificateChain, PrivKey)
-> IO (Maybe (CertificateChain, PrivKey))
forall a. a -> IO a
forall (m :: * -> *) a. Monad m => a -> m a
return Maybe (CertificateChain, PrivKey)
forall a. Maybe a
Nothing
        , onServerCertificate :: OnServerCertificate
onServerCertificate = OnServerCertificate
validateDefault
        , onSuggestALPN :: IO (Maybe [ByteString])
onSuggestALPN = Maybe [ByteString] -> IO (Maybe [ByteString])
forall a. a -> IO a
forall (m :: * -> *) a. Monad m => a -> m a
return Maybe [ByteString]
forall a. Maybe a
Nothing
        , onCustomFFDHEGroup :: DHParams -> DHPublic -> IO GroupUsage
onCustomFFDHEGroup = Int -> DHParams -> DHPublic -> IO GroupUsage
defaultGroupUsage Int
1024
        , onServerFinished :: Information -> IO ()
onServerFinished = \Information
_ -> () -> IO ()
forall a. a -> IO a
forall (m :: * -> *) a. Monad m => a -> m a
return ()
        }

instance Show ClientHooks where
    show :: ClientHooks -> String
show ClientHooks
_ = String
"ClientHooks"
instance Default ClientHooks where
    def :: ClientHooks
def = ClientHooks
defaultClientHooks

-- | A set of callbacks run by the server for various corners of the TLS establishment
data ServerHooks = ServerHooks
    { ServerHooks -> CertificateChain -> IO CertificateUsage
onClientCertificate :: CertificateChain -> IO CertificateUsage
    -- ^ This action is called when a client certificate chain
    -- is received from the client.  When it returns a
    -- CertificateUsageReject value, the handshake is aborted.
    --
    -- The function is not expected to verify the key-usage
    -- extension of the certificate.  This verification is
    -- performed by the library internally.
    --
    -- Default: returns the followings:
    --
    -- @
    -- CertificateUsageReject (CertificateRejectOther "no client certificates expected")
    -- @
    , ServerHooks -> IO Bool
onUnverifiedClientCert :: IO Bool
    -- ^ This action is called when the client certificate
    -- cannot be verified. Return 'True' to accept the certificate
    -- anyway, or 'False' to fail verification.
    --
    -- Default: returns 'False'
    , ServerHooks -> Version -> [Cipher] -> Cipher
onCipherChoosing :: Version -> [Cipher] -> Cipher
    -- ^ Allow the server to choose the cipher relative to the
    -- the client version and the client list of ciphers.
    --
    -- This could be useful with old clients and as a workaround
    -- to the BEAST (where RC4 is sometimes prefered with TLS < 1.1)
    --
    -- The client cipher list cannot be empty.
    --
    -- Default: taking the head of ciphers.
    , ServerHooks -> Maybe String -> IO Credentials
onServerNameIndication :: Maybe HostName -> IO Credentials
    -- ^ Allow the server to indicate additional credentials
    -- to be used depending on the host name indicated by the
    -- client.
    --
    -- This is most useful for transparent proxies where
    -- credentials must be generated on the fly according to
    -- the host the client is trying to connect to.
    --
    -- Returned credentials may be ignored if a client does not support
    -- the signature algorithms used in the certificate chain.
    --
    -- Default: returns 'mempty'
    , ServerHooks -> Measurement -> IO Bool
onNewHandshake :: Measurement -> IO Bool
    -- ^ At each new handshake, we call this hook to see if we allow handshake to happens.
    --
    -- Default: returns 'True'
    , ServerHooks -> Maybe ([ByteString] -> IO ByteString)
onALPNClientSuggest :: Maybe ([B.ByteString] -> IO B.ByteString)
    -- ^ Allow the server to choose an application layer protocol
    --   suggested from the client through the ALPN
    --   (Application Layer Protocol Negotiation) extensions.
    --   If the server supports no protocols that the client advertises
    --   an empty 'ByteString' should be returned.
    --
    -- Default: 'Nothing'
    , ServerHooks -> [ExtensionRaw] -> IO [ExtensionRaw]
onEncryptedExtensionsCreating :: [ExtensionRaw] -> IO [ExtensionRaw]
    -- ^ Allow to modify extensions to be sent in EncryptedExtensions
    --  of TLS 1.3.
    --
    -- Default: 'return'
    }

defaultServerHooks :: ServerHooks
defaultServerHooks :: ServerHooks
defaultServerHooks =
    ServerHooks
        { onClientCertificate :: CertificateChain -> IO CertificateUsage
onClientCertificate = \CertificateChain
_ ->
            CertificateUsage -> IO CertificateUsage
forall a. a -> IO a
forall (m :: * -> *) a. Monad m => a -> m a
return (CertificateUsage -> IO CertificateUsage)
-> CertificateUsage -> IO CertificateUsage
forall a b. (a -> b) -> a -> b
$
                CertificateRejectReason -> CertificateUsage
CertificateUsageReject (CertificateRejectReason -> CertificateUsage)
-> CertificateRejectReason -> CertificateUsage
forall a b. (a -> b) -> a -> b
$
                    String -> CertificateRejectReason
CertificateRejectOther String
"no client certificates expected"
        , onUnverifiedClientCert :: IO Bool
onUnverifiedClientCert = Bool -> IO Bool
forall a. a -> IO a
forall (m :: * -> *) a. Monad m => a -> m a
return Bool
False
        , onCipherChoosing :: Version -> [Cipher] -> Cipher
onCipherChoosing = \Version
_ -> [Cipher] -> Cipher
forall a. HasCallStack => [a] -> a
head
        , onServerNameIndication :: Maybe String -> IO Credentials
onServerNameIndication = \Maybe String
_ -> Credentials -> IO Credentials
forall a. a -> IO a
forall (m :: * -> *) a. Monad m => a -> m a
return Credentials
forall a. Monoid a => a
mempty
        , onNewHandshake :: Measurement -> IO Bool
onNewHandshake = \Measurement
_ -> Bool -> IO Bool
forall a. a -> IO a
forall (m :: * -> *) a. Monad m => a -> m a
return Bool
True
        , onALPNClientSuggest :: Maybe ([ByteString] -> IO ByteString)
onALPNClientSuggest = Maybe ([ByteString] -> IO ByteString)
forall a. Maybe a
Nothing
        , onEncryptedExtensionsCreating :: [ExtensionRaw] -> IO [ExtensionRaw]
onEncryptedExtensionsCreating = [ExtensionRaw] -> IO [ExtensionRaw]
forall a. a -> IO a
forall (m :: * -> *) a. Monad m => a -> m a
return
        }

instance Show ServerHooks where
    show :: ServerHooks -> String
show ServerHooks
_ = String
"ServerHooks"
instance Default ServerHooks where
    def :: ServerHooks
def = ServerHooks
defaultServerHooks

-- | Information related to a running context, e.g. current cipher
data Information = Information
    { Information -> Version
infoVersion :: Version
    , Information -> Cipher
infoCipher :: Cipher
    , Information -> Compression
infoCompression :: Compression
    , Information -> Maybe ByteString
infoMainSecret :: Maybe ByteString
    , Information -> Bool
infoExtendedMainSecret :: Bool
    , Information -> Maybe ClientRandom
infoClientRandom :: Maybe ClientRandom
    , Information -> Maybe ServerRandom
infoServerRandom :: Maybe ServerRandom
    , Information -> Maybe Group
infoSupportedGroup :: Maybe Group
    , Information -> Bool
infoTLS12Resumption :: Bool
    , Information -> Maybe HandshakeMode13
infoTLS13HandshakeMode :: Maybe HandshakeMode13
    , Information -> Bool
infoIsEarlyDataAccepted :: Bool
    }
    deriving (Int -> Information -> ShowS
[Information] -> ShowS
Information -> String
(Int -> Information -> ShowS)
-> (Information -> String)
-> ([Information] -> ShowS)
-> Show Information
forall a.
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a
$cshowsPrec :: Int -> Information -> ShowS
showsPrec :: Int -> Information -> ShowS
$cshow :: Information -> String
show :: Information -> String
$cshowList :: [Information] -> ShowS
showList :: [Information] -> ShowS
Show, Information -> Information -> Bool
(Information -> Information -> Bool)
-> (Information -> Information -> Bool) -> Eq Information
forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a
$c== :: Information -> Information -> Bool
== :: Information -> Information -> Bool
$c/= :: Information -> Information -> Bool
/= :: Information -> Information -> Bool
Eq)