Source file ssl_io.ml

# 1 "src/vendor/gluten/lwt-unix/ssl_io.real.ml"
(*----------------------------------------------------------------------------
 *  Copyright (c) 2019 António Nuno Monteiro
 *
 *  All rights reserved.
 *
 *  Redistribution and use in source and binary forms, with or without
 *  modification, are permitted provided that the following conditions are met:
 *
 *  1. Redistributions of source code must retain the above copyright notice,
 *  this list of conditions and the following disclaimer.
 *
 *  2. Redistributions in binary form must reproduce the above copyright
 *  notice, this list of conditions and the following disclaimer in the
 *  documentation and/or other materials provided with the distribution.
 *
 *  3. Neither the name of the copyright holder nor the names of its
 *  contributors may be used to endorse or promote products derived from this
 *  software without specific prior written permission.
 *
 *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 *  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 *  POSSIBILITY OF SUCH DAMAGE.
 *---------------------------------------------------------------------------*)

module Gluten_lwt = Dream_gluten_lwt.Gluten_lwt

open Lwt.Infix

type descriptor = Lwt_ssl.socket

module Io :
  Gluten_lwt.IO with type socket = descriptor and type addr = Unix.sockaddr =
struct
  (* TLS-backed implementation of the gluten IO signature.  Every operation
     goes through [Lwt_ssl], so application data never touches the raw file
     descriptor directly. *)
  type socket = descriptor
  type addr = Unix.sockaddr

  (* [close ssl] tears the TLS session down and closes the descriptor.
     Order matters: a close_notify alert is sent first, so the peer can tell
     an orderly end of stream from a truncated one, then the transport is
     shut down in both directions and the descriptor is closed.  A descriptor
     that is already [Closed] or [Aborted] is left alone, and an [ENOTCONN]
     raised during teardown is treated as "already gone" rather than as an
     error; every other exception is propagated to the caller.
     NOTE(review): the value produced by [Lwt_ssl.close_notify] — presumably
     whether the peer's own close_notify had already arrived, confirm against
     Lwt_ssl — is deliberately not waited on or inspected. *)
  let close ssl =
    let orderly_teardown () =
      Lwt_ssl.close_notify ssl >>= fun _peer_done ->
      Lwt.wrap2 Lwt_ssl.shutdown ssl Unix.SHUTDOWN_ALL >>= fun () ->
      Lwt_ssl.close ssl
    in
    let ignore_not_connected = function
      | Unix.Unix_error (Unix.ENOTCONN, _, _) -> Lwt.return_unit
      | exn -> Lwt.fail exn
    in
    match Lwt_unix.state (Lwt_ssl.get_fd ssl) with
    | Lwt_unix.Closed | Lwt_unix.Aborted _ -> Lwt.return_unit
    | Lwt_unix.Opened -> Lwt.catch orderly_teardown ignore_not_connected

  (* [read ssl bigstring ~off ~len] reads at most [len] bytes of decrypted
     application data into [bigstring] starting at [off] and resolves to the
     number of bytes read.  A zero-byte read is turned into [End_of_file]
     (the runloop's end-of-stream signal), and an [EBADF] — the descriptor
     was closed underneath us — is mapped to the same exception so that a
     concurrently closed connection reads as a clean EOF.  Anything else is
     re-raised unchanged.
     NOTE(review): this assumes [Lwt_ssl.read_bytes] yields 0 only at end of
     stream — confirm. *)
  let read ssl bigstring ~off ~len =
    let reject_empty = function
      | 0 -> raise End_of_file
      | n -> n
    in
    let eof_on_bad_fd = function
      | Unix.Unix_error (Unix.EBADF, _, _) -> Lwt.fail End_of_file
      | exn -> Lwt.fail exn
    in
    Lwt.catch
      (fun () -> Lwt.map reject_empty (Lwt_ssl.read_bytes ssl bigstring off len))
      eof_on_bad_fd

  (* [writev ssl iovecs] encrypts and sends each [Faraday] iovec in order and
     resolves to [`Ok total], the sum of the per-buffer counts returned by
     [Lwt_ssl.write_bytes].  Only an [EBADF] attributed to Lwt_unix's
     ["check_descriptor"] — i.e. the descriptor was closed — is reported as
     [`Closed]; every other failure is propagated.
     NOTE(review): the fold moves on to the next iovec regardless of the
     count the previous write returned, so if a short write can happen here
     the next buffer would follow it rather than the remainder — confirm
     against Lwt_ssl and the OpenSSL partial-write mode in use. *)
  let writev ssl iovecs =
    let send_one total { Faraday.buffer; off; len } =
      Lwt.map
        (fun written -> total + written)
        (Lwt_ssl.write_bytes ssl buffer off len)
    in
    let closed_on_bad_fd = function
      | Unix.Unix_error (Unix.EBADF, "check_descriptor", _) ->
        Lwt.return `Closed
      | exn -> Lwt.fail exn
    in
    Lwt.catch
      (fun () ->
         Lwt.map
           (fun total -> `Ok total)
           (Lwt_list.fold_left_s send_one 0 iovecs))
      closed_on_bad_fd

  (* From RFC 8446 §6.1: the client and the server must share knowledge that
     the connection is ending in order to avoid a truncation attack.
     A TLS session cannot be half-closed the way a raw socket can — both
     ends have to see the close_notify — so a receive-side shutdown is a
     no-op here and the real teardown happens in [close]. *)
  let shutdown_receive _ssl = ()
end

(* [make_default_client ?alpn_protocols socket] runs the client side of a
   TLS handshake on an already-connected [socket] using a freshly built
   context, and resolves to the resulting [Lwt_ssl.socket].

   What this context does — and does not — configure:
   - The context is created from the generic [SSLv23] method and that same
     entry is then passed to [Ssl.disable_protocols], which is how the
     SSL-era versions get switched off (confirm the exact expansion against
     the ocaml-ssl version in use).  No minimum TLS version is set here.
   - No peer verification is set up: neither [Ssl.set_verify] nor any
     hostname check is called, so the server's certificate chain and name
     are not validated by this function.  A caller that talks to remote
     services over an untrusted network must build its own context with
     verification enabled instead of relying on this "default".
   - [Ssl.honor_cipher_order] is also set; the underlying option concerns
     the server's cipher preference and, to my knowledge, is not consulted
     on the client side, so it is harmless here — confirm.
   - When [alpn_protocols] is given, the list is offered to the server in
     the ALPN extension; nothing checks which protocol was selected. *)
let make_default_client ?alpn_protocols socket =
  let legacy_method = (Ssl.SSLv23 [@ocaml.warning "-3"]) in
  let client_ctx = Ssl.create_context legacy_method Ssl.Client_context in
  Ssl.disable_protocols client_ctx [ legacy_method ];
  Ssl.honor_cipher_order client_ctx;
  (match alpn_protocols with
   | None -> ()
   | Some protos -> Ssl.set_context_alpn_protos client_ctx protos);
  Lwt_ssl.ssl_connect socket client_ctx

(* [first_match supported offered] returns the first element of [offered]
   that also occurs in [supported], or [None] when the lists share nothing.
   The order of [offered] decides which match wins.  Used below as the ALPN
   selector with the client's list as [offered], so it is the client's
   preference order that gets honoured, not the server's.  Membership is
   structural equality, as with [List.mem]. *)
let first_match supported offered =
  List.find_opt (fun candidate -> List.mem candidate supported) offered

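(* [make_server ?alpn_protocols ~certfile ~keyfile socket] runs the server
   side of a TLS handshake on an accepted [socket] and resolves to the
   resulting [Lwt_ssl.socket].

   - The context is created from the generic [SSLv23] method and that same
     entry is then passed to [Ssl.disable_protocols], which is how the
     SSL-era versions get switched off (confirm the exact expansion against
     the ocaml-ssl version in use).  No minimum TLS version is configured
     here, so whatever the linked library enables by default stays
     negotiable.
   - [certfile] and [keyfile] are the certificate and private-key file
     paths handed to [Ssl.use_certificate]; since that call returns [unit],
     any failure to load them surfaces as an exception, not as a value.
   - [Ssl.honor_cipher_order] makes the server's cipher preference win over
     the client's during negotiation.  The client builder in this file sets
     the same option, where it has no practical effect; it is the server
     context where it matters, so it is set here as well.
   - With [alpn_protocols], the list is advertised and the select callback
     answers with the first of the *client's* protocols that the server
     also supports ([first_match client_protos protos]), i.e. client
     preference order.  What the library does when there is no overlap
     ([None]) is not visible here — confirm against
     [Ssl.set_context_alpn_select_callback]. *)
let make_server ?alpn_protocols ~certfile ~keyfile socket =
  let legacy_method = (Ssl.SSLv23 [@ocaml.warning "-3"]) in
  let server_ctx = Ssl.create_context legacy_method Ssl.Server_context in
  Ssl.disable_protocols server_ctx [ legacy_method ];
  Ssl.use_certificate server_ctx certfile keyfile;
  (* Let the server's cipher ordering, not the client's, decide the suite. *)
  Ssl.honor_cipher_order server_ctx;
  (match alpn_protocols with
   | None -> ()
   | Some protos ->
     Ssl.set_context_alpn_protos server_ctx protos;
     Ssl.set_context_alpn_select_callback server_ctx (fun client_protos ->
       first_match client_protos protos));
  Lwt_ssl.ssl_accept socket server_ctx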