From 43a042eaee4ae4100a795ba60ffa5cb3a765d42c Mon Sep 17 00:00:00 2001
From: Hannes Mehnert
Date: Mon, 21 Mar 2016 10:14:49 +0000
Subject: [PATCH 1/5] release

---
 CHANGES.md | 5 +++--
 _oasis | 2 +-
 opam | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index d1c5bdde..26a7a2ec 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,4 +1,5 @@
-master:
+0.7.1 (2016-03-21):
+* remove camlp4 dependency (use cstruct ppx and sexplib ppx instead)
 * sort client extensions, there are servers which dislike an extension without data at the end, thus try to send extensions with data at the end (#319)
 * initial GCM support (#310)
@@ -26,7 +27,7 @@ master:
 In the end, it is a pretty academic thing anyways, since nobody uses renegotiation with OCaml-TLS in the field.
-* durinng verification of a digitally signed: checked that the used hash
+* during verification of a digitally signed: checked that the used hash
 algorithm is one of the configured ones (#313)
 * unify return type of handshake and change cipher spec handler (#314)
 * separate client and server extensions (#317)
diff --git a/_oasis b/_oasis
index 031bbd20..6202a11b 100644
--- a/_oasis
+++ b/_oasis
@@ -1,6 +1,6 @@
 OASISFormat: 0.4
 Name: tls
-Version: 0.7.0
+Version: 0.7.1
 Synopsis: TLS support for OCaml
 Authors: Hannes Mehnert , David Kaloper
 Maintainers: David Kaloper , Hannes Mehnert
diff --git a/opam b/opam
index fff74f32..f222ed1c 100644
--- a/opam
+++ b/opam
@@ -25,7 +25,7 @@ depends: [
 "cstruct" {>= "1.9.0"}
 "sexplib"
 "ppx_sexp_conv"
- "nocrypto" {>= "0.5.0"}
+ "nocrypto" {>= "0.5.3"}
 "x509" {>= "0.5.0"}
 "ounit" {test}
 ]

From a969892777759d788dd5b6d514f905ecf1d8f08e Mon Sep 17 00:00:00 2001
From: Hannes Mehnert
Date: Mon, 21 Mar 2016 10:39:33 +0000
Subject: [PATCH 2/5] fix mirage examples for 2.7.3

---
 mirage/example/unikernel.ml | 38 +++++++++++++++++--------------
 mirage/example2/config.ml | 4 ++--
 mirage/example2/unikernel.ml | 43 ++++++++++++++++++------------------
 3 files changed, 44 insertions(+), 41 deletions(-)

diff --git a/mirage/example/unikernel.ml b/mirage/example/unikernel.ml
index 01ee2a35..f98356e6 100644
--- a/mirage/example/unikernel.ml
+++ b/mirage/example/unikernel.ml
@@ -1,4 +1,4 @@
-open Lwt
+open Lwt.Infix
 open V1
 open V1_LWT
@@ -9,7 +9,7 @@ type ('a, 'e, 'c) m = ([< `Ok of 'a | `Error of 'e | `Eof ] as 'c) Lwt.t
 let (>>==) (a : ('a, 'e, _) m) (f : 'a -> ('b, 'e, _) m) : ('b, 'e, _) m =
 a >>= function
 | `Ok x -> f x
- | `Error _ | `Eof as e -> return e
+ | `Error _ | `Eof as e -> Lwt.return e
 module Color = struct
@@ -53,27 +53,29 @@ struct
 module L = Log (C)
 let rec handle c flush tls =
- lwt res = TLS.read tls in
- flush () >> match res with
- | `Ok buf ->
- L.log_data c "recv" buf
- >> TLS.write tls buf >> handle c flush tls
- | err -> return err
+ TLS.read tls >>= fun res ->
+ flush () >>= fun () ->
+ match res with
+ | `Ok buf ->
+ L.log_data c "recv" buf >>= fun () ->
+ TLS.write tls buf >>== fun () ->
+ handle c flush tls
+ | err -> Lwt.return err
 let accept c conf k flow =
 let (trace, flush_trace) = make_tracer (C.log_s c) in
- L.log_trace c "accepted." >>
+ L.log_trace c "accepted." >>= fun () ->
 TLS.server_of_flow ~trace conf flow
- >>== (fun tls -> L.log_trace c "shook hands" >> k c flush_trace tls)
+ >>== (fun tls -> L.log_trace c "shook hands" >>= fun () -> k c flush_trace tls)
 >>= function
 | `Ok _ -> assert false
 | `Error e -> L.log_error c (TLS.error_message e)
 | `Eof -> L.log_trace c "eof."
 let start c stack kv _ _ =
- lwt cert = X509.certificate kv `Default in
+ X509.certificate kv `Default >>= fun cert ->
 let conf = Tls.Config.server ~certificates:(`Single cert) () in
- S.listen_tcpv4 stack 4433 (accept c conf handle) ;
+ S.listen_tcpv4 stack ~port:4433 (accept c conf handle) ;
 S.listen stack
 end
@@ -103,12 +105,14 @@ struct
 let chat c tls =
 let rec dump () = TLS.read tls >>== fun buf ->
- L.log_data c "recv" buf >> dump () in
- TLS.write tls initial >> dump ()
+ L.log_data c "recv" buf >>= fun () ->
+ dump ()
+ in
+ TLS.write tls initial >>== dump
- let start c stack kv _ =
- lwt authenticator = X509.authenticator kv `CAs in
- let conf = Tls.Config.client ~authenticator () in
+ let start c stack kv _ _ =
+ X509.authenticator kv `CAs >>= fun authenticator ->
+ let conf = Tls.Config.client ~authenticator () in
 S.TCPV4.create_connection (S.tcpv4 stack) (fst peer) >>= function
 | `Error e -> L.log_error c (S.TCPV4.error_message e)
diff --git a/mirage/example2/config.ml b/mirage/example2/config.ml
index f93f5d33..c56d8f0f 100644
--- a/mirage/example2/config.ml
+++ b/mirage/example2/config.ml
@@ -5,7 +5,7 @@ let secrets_dir = "sekrit"
 let disk = direct_kv_ro secrets_dir
 and stack = socket_stackv4 default_console [Ipaddr.V4.any]
-let server = foreign "Unikernel.Main" @@ console @-> stackv4 @-> kv_ro @-> job
+let server = foreign ~deps:[abstract nocrypto] "Unikernel.Main" @@ console @-> stackv4 @-> kv_ro @-> clock @-> job
 let () =
 add_to_opam_packages [
@@ -21,4 +21,4 @@ let () =
 "cohttp.lwt-core" ;
 "mirage-http" ] ;
- register "tls-server" [ server $ default_console $ stack $ disk ]
+ register "tls-server" [ server $ default_console $ stack $ disk $ default_clock ]
diff --git a/mirage/example2/unikernel.ml b/mirage/example2/unikernel.ml
index 572b7e48..baae46df 100644
--- a/mirage/example2/unikernel.ml
+++ b/mirage/example2/unikernel.ml
@@ -1,44 +1,43 @@
-
-open Lwt
+open Lwt.Infix
 open V1_LWT
 module Main (C : CONSOLE) (S : STACKV4)
- (KV : KV_RO) =
+ (KV : KV_RO)
+ (CL : V1.CLOCK) =
 struct
 module TLS = Tls_mirage.Make (S.TCPV4)
- module X509 = Tls_mirage.X509 (KV) (Clock)
+ module X509 = Tls_mirage.X509 (KV) (CL)
 module Http = Cohttp_mirage.Server (TLS)
 module Body = Cohttp_lwt_body
 let handle c conn req body =
 let resp = Cohttp.Response.make ~status:`OK () in
- lwt body =
- lwt inlet = match Cohttp.Request.meth req with
- | `POST ->
- lwt contents = Body.to_string body in
- return @@ "
" ^ contents ^ "
" - | _ -> return "" in - return @@ Body.of_string @@ - "ohai -

Secure CoHTTP on-line.

" - ^ inlet ^ "\r\n" + (match Cohttp.Request.meth req with + | `POST -> + Body.to_string body >|= fun contents -> + "
" ^ contents ^ "
" + | _ -> Lwt.return "") >|= fun inlet -> + let body = Body.of_string @@ + "ohai \ +

Secure CoHTTP on-line.

" + ^ inlet ^ "\r\n" in - return (resp, body) + (resp, body) let upgrade c conf tcp = TLS.server_of_flow conf tcp >>= function - | `Error _ | `Eof -> fail (Failure "tls init") - | `Ok tls -> - let t = Http.make (handle c) () in - Http.listen t tls + | `Error _ | `Eof -> Lwt.fail (Failure "tls init") + | `Ok tls -> + let t = Http.make (handle c) () in + Http.listen t tls - let start c stack kv = - lwt cert = X509.certificate kv `Default in + let start c stack kv _ _ = + X509.certificate kv `Default >>= fun cert -> let conf = Tls.Config.server ~certificates:(`Single cert) () in - S.listen_tcpv4 stack 4433 (upgrade c conf) ; + S.listen_tcpv4 stack ~port:4433 (upgrade c conf) ; S.listen stack end From fada593960f72451f9215fceb916b9e5cb2f6069 Mon Sep 17 00:00:00 2001 From: Hannes Mehnert Date: Mon, 21 Mar 2016 10:48:04 +0000 Subject: [PATCH 3/5] do not enable GCM by default (for performance reasons) --- lib/config.ml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/config.ml b/lib/config.ml index 6af04c21..84f9de3c 100644 --- a/lib/config.ml +++ b/lib/config.ml @@ -40,8 +40,6 @@ module Ciphers = struct * slice and groom those lists. *) let default = [ - `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 ; - `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 ; `TLS_DHE_RSA_WITH_AES_256_CCM ; `TLS_DHE_RSA_WITH_AES_128_CCM ; `TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 ; @@ -49,8 +47,6 @@ module Ciphers = struct `TLS_DHE_RSA_WITH_AES_256_CBC_SHA ; `TLS_DHE_RSA_WITH_AES_128_CBC_SHA ; `TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA ; - `TLS_RSA_WITH_AES_256_GCM_SHA384 ; - `TLS_RSA_WITH_AES_128_GCM_SHA256 ; `TLS_RSA_WITH_AES_256_CCM ; `TLS_RSA_WITH_AES_128_CCM ; `TLS_RSA_WITH_AES_256_CBC_SHA256 ; @@ -61,6 +57,10 @@ module Ciphers = struct ] let supported = default @ [ + `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 ; + `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 ; + `TLS_RSA_WITH_AES_256_GCM_SHA384 ; + `TLS_RSA_WITH_AES_128_GCM_SHA256 ; `TLS_RSA_WITH_RC4_128_SHA ; `TLS_RSA_WITH_RC4_128_MD5 ] 
From de68637f21f3ef764552d8d3076c01a591ee78e8 Mon Sep 17 00:00:00 2001
From: Hannes Mehnert
Date: Mon, 21 Mar 2016 11:05:21 +0000
Subject: [PATCH 4/5] fix mirage test script

---
 .travis-test-mirage.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.travis-test-mirage.sh b/.travis-test-mirage.sh
index 5bf5a850..bea511fe 100755
--- a/.travis-test-mirage.sh
+++ b/.travis-test-mirage.sh
@@ -6,8 +6,8 @@ opam install mirage
 cd mirage/example
-mirage clean && mirage configure && mirage build
+export BUILD=client && mirage clean && mirage configure && mirage build && ./mir-tls-client
+mirage clean && mirage configure --unix --net=socket && mirage build
+export BUILD=client && mirage clean && mirage configure --unix --net=socket && mirage build && ./mir-tls-client
 cd ../example2
 mirage clean && mirage configure && mirage build

From 38e11d9716e031ef1227bfbf8dc376f09ea6c6f4 Mon Sep 17 00:00:00 2001
From: Hannes Mehnert
Date: Mon, 21 Mar 2016 11:27:10 +0000
Subject: [PATCH 5/5] polar is now mbedtls, also test GCM here

---
 ...-polarssl-client2.sh => interop-mbedtls-client2.sh} | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
 rename tests/{interop-polarssl-client2.sh => interop-mbedtls-client2.sh} (87%)

diff --git a/tests/interop-polarssl-client2.sh b/tests/interop-mbedtls-client2.sh
similarity index 87%
rename from tests/interop-polarssl-client2.sh
rename to tests/interop-mbedtls-client2.sh
index 6e254f0a..efb21ef1 100755
--- a/tests/interop-polarssl-client2.sh
+++ b/tests/interop-mbedtls-client2.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 port=4455
-polarssl="/opt/bin/polarssl_ssl_client2 auth_mode=none server_port="
+polarssl="/opt/bin/mbedtls_ssl_client2 auth_mode=none server_port="
 extra_args=""
 statfile="/tmp/test_server.status"
@@ -72,10 +72,14 @@ TLS-DHE-RSA-WITH-AES-256-CCM
 TLS-DHE-RSA-WITH-AES-128-CCM
 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
 TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
+TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
+TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
 TLS-RSA-WITH-AES-256-CCM
-TLS-RSA-WITH-AES-256-CBC-SHA256
 TLS-RSA-WITH-AES-128-CCM
-TLS-RSA-WITH-AES-128-CBC-SHA256"
+TLS-RSA-WITH-AES-256-CBC-SHA256
+TLS-RSA-WITH-AES-128-CBC-SHA256
+TLS-RSA-WITH-AES-256-GCM-SHA384
+TLS-RSA-WITH-AES-128-GCM-SHA256"
 for i in $tls12_ciphers; do extra_args="force_ciphersuite=$i" testit
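Review bot: The four GCM entries added to `tls12_ciphers` are run with `force_ciphersuite=$i`, but patch 3 of this same series removes every GCM suite from `Ciphers.default`, so these cases only pass if the OCaml test server launched by this script is configured with `Ciphers.supported` (or an explicit GCM list); the server launch and `testit` are outside the hunk, so please confirm which cipher list it uses, otherwise the new runs fail at the handshake and the interop job goes red rather than proving GCM interop. A one-line note above the list, `# GCM suites are not in Ciphers.default (lib/config.ml); the test server must enable Ciphers.supported`, would save the next reader the same search. The reordering of the two `TLS-RSA-WITH-AES-*-CBC-SHA256` lines is cosmetic. The enclosing `tls12_ciphers="..."` assignment starts before the hunk.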