Source file `conduit_lwt_unix_ssl.ml`

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
(*
 * Copyright (c) 2012-2014 Anil Madhavapeddy <anil@recoil.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 *
 *)

open Lwt.Infix

let () = Ssl.init ()

let chans_of_fd sock =
  let shutdown () = Lwt_ssl.ssl_shutdown sock in
  let close () = Lwt_ssl.close sock in
  let oc = Lwt_io.make ~mode:Lwt_io.output ~close:shutdown (Lwt_ssl.write_bytes sock) in
  let ic = Lwt_io.make ~mode:Lwt_io.input ~close (Lwt_ssl.read_bytes sock) in
  ((Lwt_ssl.get_fd sock), ic, oc)

module Client = struct
  (* SSL TCP connection *)
  let default_ctx = Ssl.create_context Ssl.SSLv23 Ssl.Client_context
  let () = Ssl.disable_protocols default_ctx [Ssl.SSLv23]

  let connect ?(ctx=default_ctx) ?src ?hostname sa =
    Conduit_lwt_server.with_socket sa (fun fd ->
        (match src with
         | None        -> Lwt.return_unit
         | Some src_sa -> Lwt_unix.bind fd src_sa
        ) >>= fun () ->
        Lwt_unix.connect fd sa >>= fun () ->
        begin match hostname with
          | Some host ->
            let s = Lwt_ssl.embed_uninitialized_socket fd ctx in
            Ssl.set_client_SNI_hostname
              (Lwt_ssl.ssl_socket_of_uninitialized_socket s) host;
            Lwt_ssl.ssl_perform_handshake s
          | None ->
            Lwt_ssl.ssl_connect fd ctx
        end >>= fun sock ->
        Lwt.return (chans_of_fd sock)
      )
end

module Server = struct

  let default_ctx = Ssl.create_context Ssl.SSLv23 Ssl.Server_context
  let () = Ssl.disable_protocols default_ctx [Ssl.SSLv23]

  let listen ?(ctx=default_ctx) ?backlog ?password ~certfile ~keyfile sa =
    let fd = Conduit_lwt_server.listen ?backlog sa in
    (match password with
     | None -> ()
     | Some fn -> Ssl.set_password_callback ctx fn);
    Ssl.use_certificate ctx certfile keyfile;
    fd

  let init ?(ctx=default_ctx) ?backlog ?password ~certfile ~keyfile ?stop
      ?timeout sa cb =
    sa
    |> listen ~ctx ?backlog ?password ~certfile ~keyfile
    >>= Conduit_lwt_server.init ?stop (fun (fd, _) ->
        Lwt.try_bind (fun () -> Lwt_ssl.ssl_accept fd ctx)
          (fun sock -> Lwt.return (chans_of_fd sock))
          (fun exn -> Lwt_unix.close fd >>= fun () -> Lwt.fail exn)
        >>= Conduit_lwt_server.process_accept ?timeout cb)

end

let available = true