Shutdown #488
Shutdown #488
Conversation
this is the responsibility of the caller (esp. since we'll have half-closed flows soon)
|
In this PR, the changes to tls-lwt are done now. Curious to hear feedback if there's any. |
|
now the tls-mirage bits as well use the new API and provide the mirage-flow 4 interface (shutdown). reviews / suggestions would be welcome (esp. @reynir @dinosaure who had great reviews for the awa-ssh PR that is similar to this here) also, if there is anyone eager to adjust async (@torinnd @bcc32 @tmcgilchrist) and eio (@talex5 @bikallem) bits, that'd be great. I'm open for discussions about the changes to the Engine API above. |
|
I actually tested this PR with Miou and |
|
Thanks - this is great! I pushed updates for tls-eio to https://github.com/talex5/ocaml-tls/commits/shutdown/ (needs review). The first commit just ports the changes to tls-lwt directly to tls-eio. The second removes the work-arounds for missing half-shutdown in the fuzz tests, which are passing so far (after 5 minutes of afl-fuzz). |
|
CI failures are in the eio, I don't quite understand the issues there. @talex5 I see two options: you open your changes as a PR to this repository, I merge and release -- or I release without the eio part. any preference? |
|
I think you can just |
|
Or I can open a PR against this branch if you prefer. The logs for the fuzz failure on your branch look like this: But I didn't investigate since I assumed it wouldn't work without the changes anyway. |
|
if you open a PR against my branch, that'd be excellent |
This is a direct port of the changes to tls-lwt to tls-eio.
|
OK: hannesm#5 |
tls-eio: update for new shutdown system
CHANGES: * tls: handle half-closed connection properly: a received CLOSE_NOTIFY does not lead to a CLOSE_NOTIFY to be sent (a `send_close_notify` sends it explicitly) (mirleft/ocaml-tls#488 @hannesm) * tls: modify return type of `handle_tls` - the Alert is now in the right hand side, and `` `Eof `` is explicit in the second part of the tuple (mirleft/ocaml-tls#488 @hannesm) * tls: remove `can_handle_appdata`, the function `handshake_in_progress` is available (mirleft/ocaml-tls#488 @hannesm) * tls-mirage: avoid exceptions in reneg and rekey (mirleft/ocaml-tls#487 @hannesm) * tls: remove HEARTBEAT decoding - HEARTBEAT was never supported in this library, the decoder was superfluous (mirleft/ocaml-tls#487 @hannesm) * tls-mirage: provide `underlying : flow -> FLOW.flow` (mirleft/ocaml-tls#487 @hannesm, fixes mirleft/ocaml-tls#425 @dinosaure) * tls-mirage: implement mirage-flow 4 API (`val shutdown`) (mirleft/ocaml-tls#488 @hannesm) * tls-eio: adapt to half-closed connections (mirleft/ocaml-tls#488 @talex5)
CHANGES: * tls: handle half-closed connection properly: a received CLOSE_NOTIFY does not lead to a CLOSE_NOTIFY to be sent (a `send_close_notify` sends it explicitly) (mirleft/ocaml-tls#488 @hannesm) * tls: modify return type of `handle_tls` - the Alert is now in the right hand side, and `` `Eof `` is explicit in the second part of the tuple (mirleft/ocaml-tls#488 @hannesm) * tls: remove `can_handle_appdata`, the function `handshake_in_progress` is available (mirleft/ocaml-tls#488 @hannesm) * tls-mirage: avoid exceptions in reneg and rekey (mirleft/ocaml-tls#487 @hannesm) * tls: remove HEARTBEAT decoding - HEARTBEAT was never supported in this library, the decoder was superfluous (mirleft/ocaml-tls#487 @hannesm) * tls-mirage: provide `underlying : flow -> FLOW.flow` (mirleft/ocaml-tls#487 @hannesm, fixes mirleft/ocaml-tls#425 @dinosaure) * tls-mirage: implement mirage-flow 4 API (`val shutdown`) (mirleft/ocaml-tls#488 @hannesm) * tls-eio: adapt to half-closed connections (mirleft/ocaml-tls#488 @talex5) * tls-eio: implement Eio.Resource.Close (mirleft/ocaml-tls#489 @paurkedal, reviewed by @talex5)
CHANGES: * tls: handle half-closed connection properly: a received CLOSE_NOTIFY does not lead to a CLOSE_NOTIFY to be sent (a `send_close_notify` sends it explicitly) (mirleft/ocaml-tls#488 @hannesm) * tls: modify return type of `handle_tls` - the Alert is now in the right hand side, and `` `Eof `` is explicit in the second part of the tuple (mirleft/ocaml-tls#488 @hannesm) * tls: remove `can_handle_appdata`, the function `handshake_in_progress` is available (mirleft/ocaml-tls#488 @hannesm) * tls-mirage: avoid exceptions in reneg and rekey (mirleft/ocaml-tls#487 @hannesm) * tls: remove HEARTBEAT decoding - HEARTBEAT was never supported in this library, the decoder was superfluous (mirleft/ocaml-tls#487 @hannesm) * tls-mirage: provide `underlying : flow -> FLOW.flow` (mirleft/ocaml-tls#487 @hannesm, fixes mirleft/ocaml-tls#425 @dinosaure) * tls-mirage: implement mirage-flow 4 API (`val shutdown`) (mirleft/ocaml-tls#488 @hannesm) * tls-eio: adapt to half-closed connections (mirleft/ocaml-tls#488 @talex5) * tls-eio: implement Eio.Resource.Close (mirleft/ocaml-tls#489 @paurkedal, reviewed by @talex5)
this is still work in progress. The idea is to track in engine the status of (half-)closed connections - and implement the revised close_notify semantics (i.e. not replying immediately with a close_notify).
There are still some checks missing (e.g. for reneg/rekey/send_application_data), also should the effectful layers inform the engine when a read or write failed (unclear, tendency towards no)?