private_ssl.ml1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233# 1 "src/conduit-async/private_ssl.real.ml" open Core open Async open Async_ssl let verify_certificate connection = match Ssl.Connection.peer_certificate connection with | None -> return false | Some (Error _) -> return false | Some (Ok _) -> return true let teardown_connection r w = Writer.close ~force_close:(Clock.after (sec 30.)) w >>= fun () -> Reader.close r (* One needs to be careful around Async Readers and Writers that share the same underyling file descriptor, which is something that happens when they're used for sockets. Closing the Reader before the Writer will cause the Writer to throw and complain about its underlying file descriptor being closed. This is why instead of using Reader.pipe directly below, we write out an equivalent version which will first close the Writer before closing the Reader once the input pipe is fully consumed. Additionally, [Writer.pipe] will not close the writer if the pipe is closed, so in order to avoid leaking file descriptors, we allow the pipe 30 seconds to flush before closing the writer. *) let reader_writer_pipes r w = let reader_pipe_r, reader_pipe_w = Pipe.create () in let writer_pipe = Writer.pipe w in upon (Reader.transfer r reader_pipe_w) (fun () -> teardown_connection r w >>> fun () -> Pipe.close reader_pipe_w); upon (Pipe.closed writer_pipe) (fun () -> Deferred.choose [ Deferred.choice (Clock.after (sec 30.)) (fun () -> ()); Deferred.choice (Pipe.downstream_flushed writer_pipe) (fun (_ : Pipe.Flushed_result.t) -> ()); ] >>> fun () -> don't_wait_for (teardown_connection r w)); (reader_pipe_r, writer_pipe) (* [Reader.of_pipe] will not close the pipe when the returned [Reader] is closed, so we manually do that ourselves. [Writer.of_pipe] will create a writer that will raise once the pipe is closed, so we set [raise_when_consumer_leaves] to false. *) let reader_writer_of_pipes app_rd app_wr = Reader.of_pipe (Info.of_string "async_conduit_ssl_reader") app_rd >>= fun app_reader -> upon (Reader.close_finished app_reader) (fun () -> Pipe.close_read app_rd); Writer.of_pipe (Info.of_string "async_conduit_ssl_writer") app_wr >>| fun (app_writer, _) -> Writer.set_raise_when_consumer_leaves app_writer false; (app_reader, app_writer) module V1 = struct module Ssl = struct module Config = struct type t = { version : Ssl.Version.t option; name : string option; ca_file : string option; ca_path : string option; session : (Ssl.Session.t[@sexp.opaque]) option; verify : (Ssl.Connection.t -> bool Deferred.t) option; } [@@deriving sexp] let verify_certificate = verify_certificate let create ?version ?name ?ca_file ?ca_path ?session ?verify () = { version; name; ca_file; ca_path; session; verify } end let connect cfg r w = let { Config.version; name; ca_file; ca_path; session; verify } = cfg in let net_to_ssl, ssl_to_net = reader_writer_pipes r w in let app_to_ssl, app_wr = Pipe.create () in let app_rd, ssl_to_app = Pipe.create () in let verify_connection = match verify with None -> Fn.const (return true) | Some f -> f in Ssl.client ?version ?name ?ca_file ?ca_path ?session ~app_to_ssl ~ssl_to_app ~net_to_ssl ~ssl_to_net () >>= function | Error error -> teardown_connection r w >>= fun () -> Error.raise error | Ok conn -> ( verify_connection conn >>= function | false -> teardown_connection r w >>= fun () -> failwith "Connection verification failed." | true -> reader_writer_of_pipes app_rd app_wr >>| fun (app_reader, app_writer) -> (app_reader, app_writer)) let listen ?(version = Ssl.Version.Tlsv1_2) ?ca_file ?ca_path ~crt_file ~key_file r w = let net_to_ssl, ssl_to_net = reader_writer_pipes r w in let app_to_ssl, app_wr = Pipe.create () in let app_rd, ssl_to_app = Pipe.create () in Ssl.server ?ca_file ?ca_path ~version ~crt_file ~key_file ~app_to_ssl ~ssl_to_app ~net_to_ssl ~ssl_to_net () >>= function | Error error -> teardown_connection r w >>= fun () -> Error.raise error | Ok _ -> reader_writer_of_pipes app_rd app_wr >>| fun (app_reader, app_writer) -> (app_reader, app_writer) type session = (Ssl.Session.t[@sexp.opaque]) [@@deriving sexp] type version = Ssl.Version.t [@@deriving sexp] type connection = (Ssl.Connection.t[@sexp.opaque]) [@@deriving sexp] end end module V2 = struct module Ssl = struct type allowed_ciphers = [ `Only of string list | `Openssl_default | `Secure ] [@@deriving sexp] module Config = struct type t = { version : Ssl.Version.t option; options : Ssl.Opt.t list option; name : string option; hostname : string option; allowed_ciphers : allowed_ciphers option; ca_file : string option; ca_path : string option; crt_file : string option; key_file : string option; session : (Ssl.Session.t[@sexp.opaque]) option; verify_modes : (Verify_mode.t[@sexp.opaque]) list option; verify : (Ssl.Connection.t -> bool Deferred.t) option; } [@@deriving sexp_of] let verify_certificate = verify_certificate let create ?version ?options ?name ?hostname ?allowed_ciphers ?ca_file ?ca_path ?crt_file ?key_file ?session ?verify_modes ?verify () = { version; options; name; hostname; allowed_ciphers; ca_file; ca_path; crt_file; key_file; session; verify_modes; verify; } end let connect ?(cfg = Config.create ()) r w = let { Config.version; options; name; hostname; allowed_ciphers; ca_file; ca_path; crt_file; key_file; session; verify_modes; verify; } = cfg in let net_to_ssl, ssl_to_net = reader_writer_pipes r w in let app_to_ssl, app_wr = Pipe.create () in let app_rd, ssl_to_app = Pipe.create () in let verify_connection = match verify with None -> Fn.const (return true) | Some f -> f in Ssl.client ?version ?options ?name ?hostname ?allowed_ciphers ?ca_file ?ca_path ?crt_file ?key_file ?session ?verify_modes ~app_to_ssl ~ssl_to_app ~net_to_ssl ~ssl_to_net () >>= function | Error error -> teardown_connection r w >>= fun () -> Error.raise error | Ok conn -> ( verify_connection conn >>= function | false -> teardown_connection r w >>= fun () -> failwith "Connection verification failed." | true -> reader_writer_of_pipes app_rd app_wr >>| fun (app_reader, app_writer) -> (app_reader, app_writer)) let listen { Config.version; options; name; allowed_ciphers; ca_file; ca_path; crt_file; key_file; verify_modes; _; } r w = let crt_file, key_file = match (crt_file, key_file) with | Some crt_file, Some key_file -> (crt_file, key_file) | _ -> invalid_arg "Conduit_async_ssl.ssl_listen: crt_file and key_file must be \ specified in cfg." in let net_to_ssl, ssl_to_net = reader_writer_pipes r w in let app_to_ssl, app_wr = Pipe.create () in let app_rd, ssl_to_app = Pipe.create () in Ssl.server ?version ?options ?name ?allowed_ciphers ?ca_file ?ca_path ~crt_file ~key_file ?verify_modes ~app_to_ssl ~ssl_to_app ~net_to_ssl ~ssl_to_net () >>= function | Error error -> teardown_connection r w >>= fun () -> Error.raise error | Ok _ -> reader_writer_of_pipes app_rd app_wr >>| fun (app_reader, app_writer) -> (app_reader, app_writer) type verify_mode = Ssl.Verify_mode.t [@@deriving sexp_of] type session = (Ssl.Session.t[@sexp.opaque]) [@@deriving sexp_of] type version = Ssl.Version.t [@@deriving sexp] type connection = Ssl.Connection.t [@@deriving sexp_of] type opt = Ssl.Opt.t [@@deriving sexp] end end