tls

Transport Layer Security purely in OCaml
Library tls
val src : Logs.src
module Log : Logs.LOG
val trace_cipher : [< `AES_128_CCM_SHA256 | `AES_128_GCM_SHA256 | `AES_256_GCM_SHA384 | `CHACHA20_POLY1305_SHA256 | `DHE_RSA_WITH_3DES_EDE_CBC_SHA | `DHE_RSA_WITH_AES_128_CBC_SHA | `DHE_RSA_WITH_AES_128_CBC_SHA256 | `DHE_RSA_WITH_AES_128_CCM | `DHE_RSA_WITH_AES_128_GCM_SHA256 | `DHE_RSA_WITH_AES_256_CBC_SHA | `DHE_RSA_WITH_AES_256_CBC_SHA256 | `DHE_RSA_WITH_AES_256_CCM | `DHE_RSA_WITH_AES_256_GCM_SHA384 | `DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | `ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | `ECDHE_ECDSA_WITH_AES_128_CBC_SHA | `ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | `ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | `ECDHE_ECDSA_WITH_AES_256_CBC_SHA | `ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | `ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | `ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | `ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | `ECDHE_RSA_WITH_AES_128_CBC_SHA | `ECDHE_RSA_WITH_AES_128_CBC_SHA256 | `ECDHE_RSA_WITH_AES_128_GCM_SHA256 | `ECDHE_RSA_WITH_AES_256_CBC_SHA | `ECDHE_RSA_WITH_AES_256_CBC_SHA384 | `ECDHE_RSA_WITH_AES_256_GCM_SHA384 | `ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | `RSA_WITH_3DES_EDE_CBC_SHA | `RSA_WITH_AES_128_CBC_SHA | `RSA_WITH_AES_128_CBC_SHA256 | `RSA_WITH_AES_128_CCM | `RSA_WITH_AES_128_GCM_SHA256 | `RSA_WITH_AES_256_CBC_SHA | `RSA_WITH_AES_256_CBC_SHA256 | `RSA_WITH_AES_256_CCM | `RSA_WITH_AES_256_GCM_SHA384 ] -> unit
val empty : 'a list -> bool
val change_cipher_spec : Packet.content_type * Cstruct.t
val hostname : Core.client_hello -> [ `host ] Domain_name.t option
val groups : Core.client_hello -> [> `FFDHE2048 | `FFDHE3072 | `FFDHE4096 | `FFDHE6144 | `FFDHE8192 | `P256 | `P384 | `P521 | `X25519 ] list
val find_matching : [ `host ] Domain_name.t -> (X509.Certificate.t list * 'a) list -> (X509.Certificate.t list * 'a) option
val agreed_cert : [< `Multiple of (X509.Certificate.t list * [> `ED25519 of 'b | `P256 of 'c | `P384 of 'd | `P521 of 'e | `RSA of 'f ] as 'a) list | `Multiple_default of (X509.Certificate.t list * 'g) * (X509.Certificate.t list * 'h) list | `None | `Single of X509.Certificate.t list * 'g ] -> ?f:( X509.Certificate.t -> bool ) -> ?signature_algorithms: [< `ECDSA_SECP256R1_SHA1 | `ECDSA_SECP256R1_SHA256 | `ECDSA_SECP384R1_SHA384 | `ECDSA_SECP521R1_SHA512 | `ED25519 | `RSA_PKCS1_MD5 | `RSA_PKCS1_SHA1 | `RSA_PKCS1_SHA224 | `RSA_PKCS1_SHA256 | `RSA_PKCS1_SHA384 | `RSA_PKCS1_SHA512 | `RSA_PSS_RSAENC_SHA256 | `RSA_PSS_RSAENC_SHA384 | `RSA_PSS_RSAENC_SHA512 ECDSA_SECP256R1_SHA1 ECDSA_SECP256R1_SHA256 ECDSA_SECP384R1_SHA384 ECDSA_SECP521R1_SHA512 ED25519 ] list -> [ `host ] Domain_name.t option -> ( X509.Certificate.t list * 'g, [> `Error of [> `CouldntSelectCertificate | `NoCertificateConfigured | `NoMatchingCertificateFound of string ] ] ) result
val get_secure_renegotiation : [> `SecureRenegotiation of 'a ] list -> 'b option
val get_alpn_protocols : Core.client_hello -> string list option
val alpn_protocol : Config.config -> Core.client_hello -> ( string option, [> `Fatal of [> `NoApplicationProtocol ] ] ) result
val get_alpn_protocol : Core.server_hello -> string option
val empty_common_session_data : State.common_session_data
val empty_session : State.session_data
val session_of_epoch : Core.epoch_data -> State.session_data
val supported_protocol_version : ([< `TLS_1_0 | `TLS_1_1 | `TLS_1_2 | `TLS_1_3 ] * [< `TLS_1_0 | `TLS_1_1 | `TLS_1_2 | `TLS_1_3 ]) -> [< `TLS_1_0 | `TLS_1_1 | `TLS_1_2 | `TLS_1_3 ] as 'a -> 'b option
val to_client_ext_type : [< `ALPN of 'a | `Cookie of 'b | `Draft of 'c | `ECPointFormats | `EarlyDataIndication | `ExtendedMasterSecret | `Hostname of 'd | `KeyShare of 'e | `MaxFragmentLength of 'f | `Padding of 'g | `PostHandshakeAuthentication | `PreSharedKeys of 'h | `PskKeyExchangeModes of 'i | `SecureRenegotiation of 'j | `SignatureAlgorithms of 'k | `SupportedGroups of 'l | `SupportedVersions of 'm | `UnknownExtension of 'n ] -> [> `ALPN | `Cookie | `Draft | `ECPointFormats | `EarlyDataIndication | `ExtendedMasterSecret | `Hostname | `KeyShare | `MaxFragmentLength | `Padding | `PostHandshakeAuthentication | `PreSharedKey | `PskKeyExchangeMode | `SecureRenegotiation | `SignatureAlgorithms | `SupportedGroups | `SupportedVersion | `UnknownExtension ]
val to_server_ext_type : [< `ALPN of 'a | `Draft of 'b | `ECPointFormats | `EarlyDataIndication | `ExtendedMasterSecret | `Hostname | `KeyShare of 'c | `MaxFragmentLength of 'd | `PreSharedKey of 'e | `SecureRenegotiation of 'f | `SelectedVersion of 'g | `UnknownExtension of 'h ] -> [> `ALPN | `Draft | `ECPointFormats | `EarlyDataIndication | `ExtendedMasterSecret | `Hostname | `KeyShare | `MaxFragmentLength | `PreSharedKey | `SecureRenegotiation | `SupportedVersion | `UnknownExtension ]
val extension_types : ( 'a -> [> `UnknownExtension ] as 'b ) -> 'a list -> 'c list
val server_exts_subset_of_client : [< `ALPN of 'a | `Draft of 'b | `ECPointFormats | `EarlyDataIndication | `ExtendedMasterSecret | `Hostname | `KeyShare of 'c | `MaxFragmentLength of 'd | `PreSharedKey of 'e | `SecureRenegotiation of 'f | `SelectedVersion of 'g | `UnknownExtension of 'h ] list -> [< `ALPN of 'i | `Cookie of 'j | `Draft of 'k | `ECPointFormats | `EarlyDataIndication | `ExtendedMasterSecret | `Hostname of 'l | `KeyShare of 'm | `MaxFragmentLength of 'n | `Padding of 'o | `PostHandshakeAuthentication | `PreSharedKeys of 'p | `PskKeyExchangeModes of 'q | `SecureRenegotiation of 'r | `SignatureAlgorithms of 's | `SupportedGroups of 't | `SupportedVersions of 'u | `UnknownExtension of 'v ] list -> bool
module Group : sig ... end
module GroupSet : sig ... end
val of_list : GroupSet.elt list -> GroupSet.t
val client_hello_valid : [< `SSL_3 | `TLS_1_0 | `TLS_1_1 | `TLS_1_2 | `TLS_1_3 | `TLS_1_X of 'a ] -> Core.client_hello -> ( unit, [> `EmptyCiphersuites | `HasSignatureAlgorithmsExtension | `NoGoodSignatureAlgorithms of Core.signature_algorithm list | `NoKeyShareExtension | `NoSignatureAlgorithmsExtension | `NoSupportedCiphersuite of Packet.any_ciphersuite list | `NoSupportedGroupExtension | `NotSetExtension of Core.client_extension list | `NotSetKeyShare of (Packet.named_group * Cstruct_sexp.t) list | `NotSetSupportedGroup of Packet.named_group list | `NotSubsetKeyShareSupportedGroup of Packet.named_group list * (Packet.named_group * Cstruct_sexp.t) list ] ) result
val server_hello_valid : Core.server_hello -> bool
val to_sign_1_3 : string option -> Cstruct.t
val signature : [< `TLS_1_0 | `TLS_1_1 | `TLS_1_2 | `TLS_1_3 ] -> ?context_string:string -> Cstruct.t -> Core.signature_algorithm list option -> Core.signature_algorithm list -> X509.Private_key.t -> ( Cstruct.t, [> `Error of [> `NoConfiguredSignatureAlgorithm of Core.signature_algorithm list ] | `Fatal of [> `KeyTooSmall | `SigningFailed of string ] ] ) result
val peer_key : X509.Certificate.t option -> ( X509.Public_key.t, [> `Fatal of [> `NoCertificateReceived ] ] ) result
val verify_digitally_signed : [< `TLS_1_0 | `TLS_1_1 | `TLS_1_2 | `TLS_1_3 ] -> ?context_string:string -> Core.signature_algorithm list -> Cstruct.t -> Cstruct.t -> X509.Certificate.t option -> ( unit, [> `Error of [> `NoConfiguredSignatureAlgorithm of Core.signature_algorithm list ] | `Fatal of [> `NoCertificateReceived | `ReaderError of Reader.error | `SignatureVerificationFailed of string ] ] ) result
val validate_chain : ( ?ip:'a -> host:'b -> X509.Certificate.t list -> ( ('c list * 'd) option, 'e ) result ) option -> Cstruct.t list -> 'a option -> 'f -> ( X509.Certificate.t option * X509.Certificate.t list * 'c list * 'g option, [> `Error of [> `AuthenticationFailure of 'e ] | `Fatal of [> `BadCertificateChain | `KeyTooSmall ] ] ) result
val output_key_update : request:bool -> State.state -> ( State.state * (Packet.content_type * Cstruct.t), [> `Fatal of [> `InvalidSession ] ] ) result