This file is indexed.

/usr/lib/ocaml/netsys/netsys_tls.mli is in libocamlnet-ocaml-dev 4.1.2-3.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
(* $Id$ *)

(** User-level TLS API *)

open Netsys_types

(** The following functions are a very thin layer on top of
    {!Netsys_crypto_types.TLS_PROVIDER}. The provider is passed
    here as first-class value together with the configuration and
    with the endpoint (socket). In particular, we have

    {[
module type FILE_TLS_ENDPOINT =
  sig
    module TLS : TLS_PROVIDER
    val endpoint : TLS.endpoint
    val rd_file : Unix.file_descr
    val wr_file : Unix.file_descr
  end
    ]}

    (see {!Netsys_crypto_types}). In many cases, you can consider the
    packed modules as opaque values. Sometimes, however, it is
    useful to call functions of the provider directly. You can do this
    as follows, demonstrated by calling the provider function
    [get_peer_crt_list] for [endpoint]:

    {[
let module Endpoint =
  (val endpoint : Netsys_crypto_types.FILE_TLS_ENDPOINT) in
let certificates =
  Endpoint.TLS.get_peer_crt_list Endpoint.endpoint
    ]}

    If you do this, be aware that the inner types of the
    provider are meaningless outside, and you get a compiler error
    "type ... would escape its scope" if you try to export such typed
    values. Exceptions thrown by the provider should be caught and
    translated to [Error] with {!Netsys_tls.translate_exn}.
 *)

type dh_params =
  [ `PKCS3_PEM_file of string
  | `PKCS3_DER of string
  | `Generate of int
  ]
  (** Diffie-Hellman parameters:

           - [`PKCS3_PEM_file name]: points to a PEM-encoded PKCS3-file
             ("BEGIN DH PARAMETERS")
           - [`PKCS3_DER data]: the parameters are in a DER-encoded PKCS3
             structure
           - [`Generate bits]: the parameters are generated with the
             passed number of bits
   *)

type crt_list =
  [`PEM_file of string | `DER of string list]
  (** Certificates are given either as:

          - [`PEM_file name]: The certs are stored in this file, and are
            PEM-encoded.
          - [`DER l]: The certs are given directly in their DER-encoded form

      See also {!Credentials.tls}.
   *)

type crl_list =
  [`PEM_file of string | `DER of string list]
  (** Certificate revocation lists are given either as:

          - [`PEM_file name]: The CRLs are stored in this file, and are
            PEM-encoded.
          - [`DER l]: The CRLs are given directly in their DER-encoded form

      See also {!Credentials.tls}.
   *)

type private_key =
  [ `PEM_file of string 
  | `RSA of string 
  | `DSA of string
  | `EC of string
  | `PKCS8 of string
  | `PKCS8_encrypted of string
  ]
  (** Private keys are given either as:

          - [`PEM_file name]: The key is stored PEM-encoded in this file.
            The PEM header indicates the format.
          - [`RSA data]: The key is a PKCS1 RSA key
          - [`DSA data]: The key is a DSA key
          - [`EC data]: The key is for an elliptic curve
          - [`PKCS8 data]: The key is in a PKCS8 data structure
          - [`PKCS8_encrypted data]: The key is in a PKCS8 data structure,
            and is additionally encrypted.

      See also {!Credentials.tls}.
   *)


val error_message : (module Netsys_crypto_types.TLS_PROVIDER) -> 
                    string -> string
  (** Returns the message for humans (display, log files etc.) when
      called with an error or warning symbol.
   *)

val create_x509_config :
      ?algorithms : string ->
      ?dh_params : dh_params ->
      ?verify : ((module Netsys_crypto_types.TLS_ENDPOINT) -> 
                 bool -> bool -> bool) ->
      ?system_trust:bool ->
      ?trust : crt_list list ->
      ?revoke : crl_list list ->
      ?keys : (crt_list * private_key * string option) list ->
      peer_auth : [ `None | `Optional | `Required ] ->
      (module Netsys_crypto_types.TLS_PROVIDER) ->
        (module Netsys_crypto_types.TLS_CONFIG)
  (** The configuration includes:

          - [algorithms]: a string specifying which cryptographic algorithms,
            protocols and protocol options
            are enabled, and in which priority they are used in the negotiation.
            (GnuTLS calls this "priority string".) The syntax is
            implementation-defined.
          - [dh_params]: parameters for Diffie-Hellman key exchange (used for
            DH-based authentication, but only on the server side)
          - [peer_auth]: controls whether the peer is requested to authenticate.
            This can be set to [`None] meaning not to request authentication
            and to ignore credentials, or to [`Optional] meaning not to request
            authentication but to check credentials if they are sent 
            nevertheless, or to [`Required] meaning to request and check
            credentials. For "standard clients" you should set this to
            [`Required], and for "standard servers" to [`None] or
            [`Required].
          - [verify] is a function called to verify the peer certificate
            in addition to the actions of [peer_auth]. The function must
            return [true] in order to be successful. The arguments of the
            function are the TLS endpoint, and two bools indicating the
            success of previous checks. The first bool says whether the
            certificate is trusted (based on [peer_auth], [trust] and
            [system_trust]), and the second bool says whether the host name
            of the peer matches the name in the certificate. If not
            passed, [verify] defaults to [(fun _ cert_ok name_ok ->
            cert_ok && name_ok)], i.e. both bools must be true.
          - [system_trust]: if set, the system certificates are trusted
          - [trust] specifies the CAs of peers to trust (default: empty)
          - [revoke] specifies CRLs for revocation of peer certificates
            (default: empty)
          - [keys] are our own certificates, as triples
            [(cert_path, private_key, password)] (default: empty)

          A configuration is read-only once created, and can be used for
          several endpoints. In particular, it does not cache TLS sessions.

          A client should set [trust] to the list of CAs it can accept on
          the server side. It is not required to specify a key.

          A server must specify a key (but can also specify several keys).
          If a server requests authentication from the client, it must also
          set [trust].

          The keys must include the full certificate path [cert_path], starting
          with the endpoint certificate, followed by all middle certificates, and
          ending with the certificate of the CA. The [private_key]
          is the key of the endpoint. If it is password-encrypted, the
          password must be given.
   *)

(* TODO:
   - peer_auth:`None should trust any cert of the peer
   - Clients should fail if peer_auth<>`None and there is no peer_name
 *)


val create_file_endpoint :
       ?resume:string ->
       role : [ `Server | `Client ] ->
       rd:Unix.file_descr ->
       wr:Unix.file_descr ->
       peer_name : string option ->
       (module Netsys_crypto_types.TLS_CONFIG) ->
         (module Netsys_crypto_types.FILE_TLS_ENDPOINT)
  (** [create_file_endpoint ~role ~rd ~wr ~peer_name tls_config]:
      Creates a new TLS endpoint (encapsulated as module, together with
      the provider) for the case that the data flows over file descriptors.
      [rd] is used for reading data, and [wr] for writing (of
      course, both descriptors may be identical).

      [peer_name] is the expected common name or DNS name of the
      peer.  [peer_name] has an option type as it is not always
      required to pass it. However, keep in mind that clients
      normally authenticate servers ([peer_auth=`Required]). In
      order to do so, they need to check whether the name in the
      server certificate equals the DNS name of the service they
      are connected to. This check is done by comparing [peer_name]
      with the name in the certificate.

      [peer_name] is also used for the SNI extension.

      Servers normally need not to set [peer_name]. You can also omit it
      when there is no name-driven authentication at all.

      [resume]: The endpoint resumes an old session whose data are passed here.
      This is only possible for client endpoints.
   *)


val endpoint : (module Netsys_crypto_types.FILE_TLS_ENDPOINT) ->
               (module Netsys_crypto_types.TLS_ENDPOINT)
  (** Coercion *)


val handshake : (module Netsys_crypto_types.TLS_ENDPOINT) -> unit
  (** Procedes the TLS protocol until payload data can be exchanged.
      This includes the initial handshake (if not yet done), and the
      verification.
   *)


val recv : ?on_rehandshake:
             ((module Netsys_crypto_types.TLS_ENDPOINT) -> bool) ->
           (module Netsys_crypto_types.TLS_ENDPOINT) ->
           Bytes.t -> int -> int -> int
  (** [recv endpoint buffer pos len]: Receives data from [endpoint],
      and puts the received bytes into [buffer] at byte position [pos].
      At most [len] bytes can be received. Returns the actually received
      number of bytes.

      If the TLS protocol is not yet at the stage where data can be
      received, the protocol is proceeded until this point (i.e.
      [handshake] is "included"). Also, renegotiation alerts are interpreted.
      Both phenomenons can cause that data needs to be written first.

      on_rehandshake: returns whether renegotiations are allowed. Defaults to
      [true]. Also, this function is guaranteed to be called when a
      renegotiation request arrives. In this case, [recv] will raise
      an exception such as {!Netsys_types.EAGAIN_RD} or
      {!Netsys_types.EAGAIN_WR}, but never return normally.

      If interrupted the function can be safely invoked again.

      May raise {!Netsys_types.EAGAIN_RD}, {!Netsys_types.EAGAIN_WR},
      [Unix_error(EINTR,_,_)], and [Error].
   *)


val mem_recv : ?on_rehandshake:
                 ((module Netsys_crypto_types.TLS_ENDPOINT) -> bool) ->
               (module Netsys_crypto_types.TLS_ENDPOINT) ->
               Netsys_types.memory -> int -> int -> int
  (** Same for a memory-backed buffer *)

val send : (module Netsys_crypto_types.TLS_ENDPOINT) ->
           Bytes.t -> int -> int -> int
  (** [send endpoint buffer pos len]: Sends data via [endpoint],
      and takes the emitted bytes from [buffer] at byte position [pos].
      At most [len] bytes can be sent. Returns the actually sent
      number of bytes.

      If the TLS protocol is not yet at the stage where data can be
      received, the protocol is proceeded until this point (i.e.
      [handshake] is "included"). Also, renegotiation alerts are interpreted.
      Both phenomenons can cause that data needs to be received as well
      as sent.

      If interrupted the function can be safely invoked again.

      May raise {!Netsys_types.EAGAIN_RD}, {!Netsys_types.EAGAIN_WR},
      [Unix_error(EINTR,_,_)], and [Error].
   *)

val mem_send : (module Netsys_crypto_types.TLS_ENDPOINT) ->
               Netsys_types.memory -> int -> int -> int
  (** Same for a memory-backed buffer *)

val str_send : (module Netsys_crypto_types.TLS_ENDPOINT) ->
           string -> int -> int -> int
  (** Same for immutable string *)

val shutdown : (module Netsys_crypto_types.TLS_ENDPOINT) ->
              Unix.shutdown_command -> unit
  (** Ends the TLS encapsulation of data:

      - [SHUTDOWN_SEND]: The payload stream is closed for sending.
      - [SHUTDOWN_ALL]: The payload stream is closed for sending and
        receiving.

      The mode [SHUTDOWN_RECEIVE] is unsupported and silently ignored.

      The function does not shut down or close the underlying file
      descriptors.

      If interrupted the function can be safely invoked again.

      May raise {!Netsys_types.EAGAIN_RD}, {!Netsys_types.EAGAIN_WR},
      [Unix_error(EINTR,_,_)], and [Error].
   *)

val at_transport_eof : (module Netsys_crypto_types.TLS_ENDPOINT) -> bool
  (** Whether the underlying transport channel has seen the end of
      input. Use this after [recv] or [mem_recv] returned 0 to
      check whether only the TLS enf-of-input message has been read,
      or the underlying channel (usually the file descriptor) has
      indicated EOF.
   *)

module Debug : sig
  val enable : bool ref
end