TLS module given a flow
module F : Mirage_flow.S
type error = [
  | `Tls_alert of Tls.Packet.alert_type
  | `Tls_failure of Tls.Engine.failure
  | `Read of F.error
  | `Write of F.write_error
]
Possible errors: an incoming alert, a processing failure, or a problem in the underlying flow.
The type for write errors.
We provide the FLOW interface:
include Mirage_flow.S
  with type error := error
   and type write_error := write_error
val pp_write_error : write_error Fmt.t
pp_write_error is the pretty-printer for write errors.
The type for flows. A flow represents the state of a single reliable stream that is connected to an endpoint.
val read : flow -> (Cstruct.t Mirage_flow.or_eof, error) Stdlib.result Lwt.t
read flow blocks until some data is available and returns a fresh buffer containing it. The returned buffer will be of a size convenient to the flow implementation, but will always have at least 1 byte.
When read returns `Eof or an error, close (or shutdown) should be called on the flow by the client. Once read returned `Eof or an error, no subsequent read call will be successful.
val write : flow -> Cstruct.t -> (unit, write_error) Stdlib.result Lwt.t
write flow buffer writes a buffer to the flow. There is no indication when the buffer has actually been sent and, therefore, it must not be reused. The contents may be transmitted in separate packets, depending on the underlying transport. The result Ok () indicates success; Error `Closed indicates that the connection is now closed and therefore the data could not be written. Other errors are possible.
The promise is resolved when the buffer has been accepted by the implementation (if a partial write occurred, write will wait until the remainder of the buffer has been accepted by the implementation).
If write returns an error, close (or shutdown) should be called on the flow by the client. Once write returned an error, no subsequent write or writev call will be successful.
val writev : flow -> Cstruct.t list -> (unit, write_error) Stdlib.result Lwt.t
writev flow buffers writes a sequence of buffers to the flow. There is no indication when the buffers have actually been sent and, therefore, they must not be reused. The result Ok () indicates success; Error `Closed indicates that the connection is now closed and therefore the data could not be written. Other errors are possible.
The promise is resolved when the buffers have been accepted by the implementation (if a partial write occurred, writev will wait until all buffers have been accepted by the implementation).
If writev returns an error, close (or shutdown) should be called on the flow by the client. Once writev returned an error, no subsequent writev or write call will be successful.
shutdown flow mode shuts down the flow for the specific mode: a flow which is shutdown `read (or `read_write) will never be read again (subsequent calls will return `Eof); a flow which is shutdown `write (or `read_write) flushes all pending writes and signals the remote endpoint that there won't be any future write or writev calls (subsequent calls will return `Closed). E.g. in TCP, the signalling is done by sending a segment with the FIN flag.
If this flow is layered upon another flow' (e.g. TLS over TCP), and the internal state after shutdown is `Closed, close on the underlying flow' is executed.
close flow terminates the flow and frees all associated data. Any subsequent read or write will return an error. A subsequent close will not do anything (in particular, it will not raise an exception), but it may log an error.
If this flow is layered upon another flow' (e.g. TLS over TCP), close on the underlying flow' is executed.
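The read/write/shutdown/close contract above is easy to get subtly wrong (reading again after `Eof, forgetting to close after an error). The following functor is an added example, not code from tls-mirage or mirage-flow: it works over any Mirage_flow.S (so over the TLS flow produced by this module as well as over a plain TCP flow) and drains a flow while honouring the contract. The module name Make_echo and the helpers read_all and request_reply are hypothetical.

```ocaml
(* Added example (not part of the tls-mirage documentation): a helper
   functor over any Mirage_flow.S that follows the read/write contract. *)
module Make_echo (F : Mirage_flow.S) = struct
  open Lwt.Infix

  (* Drain a flow into a buffer until `Eof or an error.  In both cases the
     contract says the caller must close (or shutdown) the flow and no
     further read will succeed, so the flow is closed here before the
     result is returned. *)
  let read_all flow =
    let buf = Buffer.create 4096 in
    let rec loop () =
      F.read flow >>= function
      | Ok (`Data cs) ->
          (* the buffer is fresh and at least 1 byte long; copy it out *)
          Buffer.add_string buf (Cstruct.to_string cs);
          loop ()
      | Ok `Eof ->
          (* peer finished sending: stop reading and release the flow *)
          F.close flow >|= fun () -> Ok (Buffer.contents buf)
      | Error e ->
          (* read failed: the flow is unusable, close it and report *)
          F.close flow >|= fun () -> Error (`Read e)
    in
    loop ()

  (* Send one message, half-close the write side so the peer sees EOF
     (a FIN segment on TCP, a close_notify on TLS), then read the reply
     until the peer closes its side as well. *)
  let request_reply flow msg =
    F.write flow (Cstruct.of_string msg) >>= function
    | Error e ->
        (* write errors also require close; no later write would succeed *)
        F.close flow >|= fun () -> Error (`Write e)
    | Ok () ->
        F.shutdown flow `write >>= fun () ->
        read_all flow
end
```

Applied to the TLS module (Make_echo (Tls_mirage.Make (Tcp))), the same code drives a TLS session: `write shutdown` becomes a TLS close_notify, and an `Error` from read carries either a TLS alert/failure or the underlying flow's error, exactly as the error type at the top of this page lists.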
underlying t returns the underlying flow. This is useful to extract information such as src and dst of that flow.
val reneg :
  ?authenticator:X509.Authenticator.t ->
  ?acceptable_cas:X509.Distinguished_name.t list ->
  ?cert:Tls.Config.own_cert ->
  ?drop:bool ->
  flow ->
  (unit, [ write_error | `Msg of string ]) Stdlib.result Lwt.t
reneg ~authenticator ~acceptable_cas ~cert ~drop t renegotiates the session, and blocks until the renegotiation has finished. Optionally, a new authenticator and acceptable_cas can be used. The own certificate can be adjusted by cert. If drop is true (the default), application data received before the renegotiation finished is dropped.
val key_update :
  ?request:bool ->
  flow ->
  (unit, [ write_error | `Msg of string ]) Stdlib.result Lwt.t
key_update ~request t updates the traffic key and requests a traffic key update from the peer if request is provided and true (the default). This is only supported in TLS 1.3.
val client_of_flow :
  Tls.Config.client ->
  ?host:[ `host ] Domain_name.t ->
  F.flow ->
  (flow, write_error) Stdlib.result Lwt.t
client_of_flow client ~host flow upgrades the existing connection to TLS using the client configuration, using host as the peer name.
val server_of_flow :
  Tls.Config.server ->
  F.flow ->
  (flow, write_error) Stdlib.result Lwt.t
server_of_flow server flow upgrades the flow to a TLS connection using the server configuration.
val epoch : flow -> (Tls.Core.epoch_data, unit) Stdlib.result
epoch flow extracts information about the established session.
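As an added example (not code from tls-mirage), the functor below ties client_of_flow and epoch together the way a defender would want: the client configuration is built with an authenticator that validates the server chain against a given set of trust anchors, the hostname is passed so that the certificate name is checked, and after the handshake the negotiated version, ciphersuite and ALPN protocol are read back from the epoch so they can be logged or policy-checked. Assumptions not taken from this page: Tls.Config.client returns a result (tls 0.17 and later), X509.Authenticator.chain_of_trust and Ptime_clock.now exist with the signatures used here, and the epoch_data field names protocol_version, ciphersuite and alpn_protocol; the module name Tls_client and the functions config, connect and describe are hypothetical.

```ocaml
(* Added example, not part of the tls-mirage documentation.  Wraps an
   existing Mirage_flow.S flow (e.g. a TCP flow) in TLS as a client and
   reports the negotiated session parameters. *)
module Tls_client (F : Mirage_flow.S) = struct
  module TLS = Tls_mirage.Make (F)
  open Lwt.Infix

  (* Build a client configuration whose authenticator validates the
     server certificate chain against [trust_anchors] at the current time
     (assumption: Ptime_clock provides the clock).  The authenticator is a
     required argument of Tls.Config.client, so an unverified connection
     cannot be created by accident.  Assumes Tls.Config.client returns a
     result, as in tls >= 0.17. *)
  let config ~trust_anchors =
    let time () = Some (Ptime_clock.now ()) in
    let authenticator = X509.Authenticator.chain_of_trust ~time trust_anchors in
    Tls.Config.client ~authenticator ()

  (* Upgrade [flow] to TLS.  [hostname] is sent as SNI and is the name the
     authenticator checks the server certificate against; leaving ~host
     out would disable that check. *)
  let connect ~trust_anchors ~hostname flow =
    match config ~trust_anchors with
    | Error (`Msg m) -> Lwt.return (Error (`Msg m))
    | Ok client ->
        let host = Domain_name.(host_exn (of_string_exn hostname)) in
        TLS.client_of_flow client ~host flow >|= function
        | Error e -> Error (`Tls e)
        | Ok tls -> Ok tls

  (* Read the negotiated parameters back from the epoch.  Field names are
     assumed from Tls.Core.epoch_data; Error () means no session is
     established yet (or the flow is already closed). *)
  let describe tls =
    match TLS.epoch tls with
    | Error () -> "no TLS session established"
    | Ok e ->
        Format.asprintf "version=%a ciphersuite=%s alpn=%s"
          Tls.Core.pp_tls_version e.Tls.Core.protocol_version
          (Tls.Ciphersuite.ciphersuite_to_string e.Tls.Core.ciphersuite)
          (Option.value ~default:"none" e.Tls.Core.alpn_protocol)
end
```

A caller applies the functor to its transport (for example Tls_client (Tcp)), calls connect on an already-established flow, and then uses the resulting TLS flow with read, write, shutdown and close exactly as documented above; describe is useful right after connect to reject sessions that negotiated a version or ciphersuite outside the deployment's policy before any application data is sent.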