Merge remote-tracking branch 'origin/master'

savonet · Sep 26, 2022 · a346580 · a346580
2 parents 4273613 + e844126
commit a346580
Show file tree

Hide file tree

Showing 13 changed files with 570 additions and 144 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,5 +1,11 @@
 name: Build
-on: [push]
+on:
+  pull_request:
+    branches:
+    - master
+  push:
+    branches:
+      - master
 jobs:
   build:
     runs-on: ${{ matrix.operating-system }}
@@ -11,10 +17,27 @@ jobs:
     - uses: actions/checkout@v2
     - uses: ocaml/setup-ocaml@v2
       with:
-        ocaml-version: ${{ matrix.ocaml-version }}
+        ocaml-compiler: ${{ matrix.ocaml-version }}
+    - name: Ensure openssl
+      if: runner.os == 'macOS'
+      run: brew install openssl@3
     - name: Setup opam
       run: opam pin add -n .
     - name: Install dependencies
       run: opam depext -yt mad
     - name: Build and test
       run: opam install -t .
+  nix-build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ocamlVersion: [4_12, 4_13, 4_14, 5_00]
+    steps:
+    - uses: actions/checkout@v2
+    - uses: cachix/install-nix-action@v17
+    - uses: cachix/cachix-action@v10
+      with:
+        name: anmonteiro
+    - name: "Run nix-build"
+      run: nix-build ./nix/ci/test.nix --argstr ocamlVersion ${{ matrix.ocamlVersion }}
+
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,9 +1,28 @@
-0.5.11 (unreleased)
-======
+Unreleased
+=====
+
+0.5.12 (2022-08-12)
+=====
+
+- Add a few verification functions (#71):
+  - `add_extra_chain_cert` to send additional chain certificates to the peer.
+  - `add_cert_to_store`: to allow verification of the peer certificate CA.
+  - `set_ip`: sets the expected IP address to be verified on a SSL socket.
+- Improve `use_certificate_from_string` (#71) to read any type of key (rather
+  than just RSA).
+- Fix a segmentation fault in the ALPN selection callback under OCaml 5 (#89).
+- Audit the C FFI and add `CAMLparamX` and `CAMLreturn` calls (#90).
+
+0.5.11 (2022-07-24)
+=====
 
 - Add `digest` function (#65, #66).
 - Restore compatibility with openssl < 1.1.0 (#73).
 - Improved compatibility with OCaml 5 (#79).
+- Fix `client_verify_callback` for `NO_NAKED_POINTERS` mode. A user-provided
+  verification function in C remains an out-of-heap pointer for 4.x for
+  compatibility, but is boxed for OCaml 5.x or 4.x when configured with
+  `--disable-naked-pointers`. (#83)
 
 0.5.10 (2021-02-01)
 ======

diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -0,0 +1,26 @@
+{
+  description = "OCaml-SSL Nix Flake";
+
+  inputs.flake-utils.url = "github:numtide/flake-utils";
+  inputs.nixpkgs.inputs.flake-utils.follows = "flake-utils";
+  inputs.nixpkgs.url = "github:anmonteiro/nix-overlays";
+
+  outputs = { self, nixpkgs, flake-utils }:
+    flake-utils.lib.eachDefaultSystem (system:
+      let
+        pkgs = nixpkgs.legacyPackages."${system}";
+      in
+      rec {
+        defaultPackage = pkgs.callPackage ./nix { };
+        devShells = {
+          default = pkgs.callPackage ./shell.nix {
+            packages = [ defaultPackage ];
+          };
+
+          release = pkgs.callPackage ./shell.nix {
+            packages = [ defaultPackage ];
+            release-mode = true;
+          };
+        };
+      });
+}
diff --git a/nix/ci/test.nix b/nix/ci/test.nix
@@ -0,0 +1,21 @@
+{ ocamlVersion }:
+
+let
+  lock = builtins.fromJSON (builtins.readFile ./../../flake.lock);
+  src = fetchGit {
+    url = with lock.nodes.nixpkgs.locked; "https://github.com/${owner}/${repo}";
+    inherit (lock.nodes.nixpkgs.locked) rev;
+    # inherit (lock.nodes.nixpkgs.original) ref;
+    allRefs = true;
+  };
+
+  pkgs = import "${src}" {
+    extraOverlays = [
+      (self: super: {
+        ocamlPackages = super.ocaml-ng."ocamlPackages_${ocamlVersion}";
+      })
+    ];
+  };
+
+in
+pkgs.callPackage ./.. { doCheck = true; }
diff --git a/nix/default.nix b/nix/default.nix
@@ -0,0 +1,27 @@
+{ stdenv
+, lib
+, ocamlPackages
+, openssl-oc
+, doCheck ? false
+, pkg-config
+}:
+
+with ocamlPackages;
+
+buildDunePackage {
+  pname = "ssl";
+  version = "n/a";
+
+  useDune2 = true;
+
+  src = ../.;
+
+  nativeBuildInputs = [ ocaml dune findlib pkg-config ];
+  buildInputs = [ dune-configurator ];
+  propagatedBuildInputs = [
+    openssl-oc.dev
+  ];
+  checkInputs = [ alcotest ];
+
+  inherit doCheck;
+}
diff --git a/nix/gh-actions.nix b/nix/gh-actions.nix
@@ -0,0 +1,87 @@
+{ lib }:
+
+let
+  commonSteps = { name, signingKey }: [
+    {
+      uses = "actions/checkout@v2";
+      "with" = {
+        "submodules" = "recursive";
+      };
+    }
+    {
+      uses = "cachix/[email protected]";
+    }
+    {
+      uses = "cachix/cachix-action@v10";
+      "with" = {
+        inherit name signingKey;
+      };
+    }
+
+  ];
+
+  job =
+    { steps
+    , ocamlVersions ? [
+        "4_12"
+        "4_13"
+        "4_14"
+        "5_00"
+      ]
+    , ...
+    }@attrs: (builtins.removeAttrs attrs [ "ocamlVersions" ]) // {
+      strategy = {
+        fail-fast = false;
+        matrix = {
+          ocamlVersion = ocamlVersions
+          ;
+        };
+      };
+    };
+
+  gh-actions = {
+    cachixBuild = { name, branches ? [ "master" ], os, cachix }:
+      lib.generators.toYAML { } {
+        inherit name;
+        on = {
+          pull_request = null;
+          push = {
+            inherit branches;
+          };
+        };
+
+        jobs = lib.mapAttrs
+          (os: { run, name, ... }@conf:
+            job ({
+              runs-on = os;
+              steps = commonSteps cachix
+                ++ [{ inherit name run; }];
+            } // (if (conf ? ocamlVersions) then {
+              inherit (conf) ocamlVersions;
+            } else { })))
+          os;
+      };
+  };
+
+in
+
+gh-actions.cachixBuild {
+  name = "Build";
+  cachix = {
+    name = "anmonteiro";
+    signingKey = "\${{ secrets.CACHIX_SIGNING_KEY }}";
+  };
+  os = {
+    macos-latest = {
+      name = "Run nix-build";
+      ocamlVersions = [ "4_13" "4_14" "5_00" ];
+      run = "nix-build ./nix/ci/test.nix -A native --argstr ocamlVersion \${{ matrix.ocamlVersion }}";
+    };
+    ubuntu-latest = {
+      ocamlVersions = [ "4_12" "4_13" "4_14" "5_00" ];
+      name = "Run nix-build";
+      run = "nix-build ./nix/ci/test.nix -A native -A musl64 --argstr ocamlVersion \${{ matrix.ocamlVersion }}";
+    };
+  };
+
+}
diff --git a/shell.nix b/shell.nix
@@ -0,0 +1,28 @@
+{ packages
+, lib
+, mkShell
+, release-mode ? false
+, cacert
+, curl
+, ocamlPackages
+, git
+, opam
+}:
+
+mkShell {
+  OCAMLRUNPARAM = "b";
+  inputsFrom = packages;
+  buildInputs =
+    (with ocamlPackages; [
+      merlin
+      ocamlformat
+      utop
+      alcotest
+    ]) ++ lib.optional release-mode [
+      cacert
+      curl
+      ocamlPackages.dune-release
+      git
+      opam
+    ];
+}
diff --git a/src/ssl.ml b/src/ssl.ml
@@ -153,6 +153,10 @@ type context_type =
 
 external create_context : protocol -> context_type -> context = "ocaml_ssl_create_context"
 
+external add_extra_chain_cert : context -> string -> unit = "ocaml_ssl_ctx_add_extra_chain_cert"
+
+external add_cert_to_store : context -> string -> unit = "ocaml_ssl_ctx_add_cert_to_store"
+
 external use_certificate : context -> string -> string -> unit = "ocaml_ssl_ctx_use_certificate"
 
 external use_certificate_from_string : context -> string -> string -> unit = "ocaml_ssl_ctx_use_certificate_from_string"
@@ -255,6 +259,8 @@ external set_hostflags : socket -> x509_check_flag list -> unit = "ocaml_ssl_set
 
 external set_host : socket -> string -> unit = "ocaml_ssl_set1_host"
 
+external set_ip : socket -> string -> unit = "ocaml_ssl_set1_ip"
+
 external write : socket -> Bytes.t -> int -> int -> int = "ocaml_ssl_write"
 
 external write_substring : socket -> string -> int -> int -> int = "ocaml_ssl_write"

diff --git a/src/ssl.mli b/src/ssl.mli
@@ -238,6 +238,17 @@ type context_type =
 (** Create a context. *)
 val create_context : protocol -> context_type -> context
 
+(** Add an additional certificate to the extra chain certificates
+    associated with the [ctx]. Extra chain certificates will be 
+    sent to the peer for verification and are sent in order following the 
+    end entity certificate. The value should be contents of the 
+    certificate as string in PEM format. *)
+val add_extra_chain_cert : context -> string -> unit
+
+(** Add a certificate to the [ctx] trust storage. The value should be contents 
+    of the certificate as string in PEM format. *)
+val add_cert_to_store : context -> string -> unit
+
 (** [use_certificate ctx cert privkey] makes the context [ctx] use [cert] as
   * certificate's file name (in PEM format) and [privkey] as private key file
   * name. *)
@@ -451,6 +462,11 @@ val set_hostflags : socket -> x509_check_flag list -> unit
 (* Set the expected host name to be verified. *)
 val set_host : socket -> string -> unit
 
+(** Set the expected ip address to be verified. Ip address is dotted decimal quad
+    for IPv4 and colon-separated hexadecimal for IPv6.
+    The condensed "::" notation is supported for IPv6 addresses. *)
+val set_ip : socket -> string -> unit
+
 (** Get the file descriptor associated with a socket. It is primarly useful for
     [select]ing on it; you should not write or read on it. *)
 val file_descr_of_socket : socket -> Unix.file_descr