From 617855f46458370dea8868bbeed73c68cb0e8b3e Mon Sep 17 00:00:00 2001
From: Hannes Mehnert
Date: Wed, 14 Apr 2021 11:38:18 +0200
Subject: [PATCH 1/5] [new release] tls-mirage and tls (0.13.0)
CHANGES:
* Remove static RSA and CBC ciphersuites from default configuration. The default configuration now includes FFDHE and ECDHE key exchanges with RSA or ECDSA/EdDSA certificates, and AEAD ciphers (AES-GCM, AES-CCM, ChaCha20-Poly1305) (mirleft/ocaml-tls#429 by @hannesm)
* Remove SHA1 from signature_algorithms in the default configuration (mirleft/ocaml-tls#429 by @hannesm)
* Support ECDSA and EdDSA certificates and private keys via x509 0.12.0 and mirage-crypto-ec (mirleft/ocaml-tls#428 by @hannesm)
Breaking changes:
- the second part of type Tls.Config.certchain is now a X509.Private_key.t (previously Mirage_crypto_pk.Rsa.priv)
- the type aliases X509_lwt.priv and X509_lwt.authenticator have been removed
* Use mirage-crypto-ec instead of fiat-p256 and hacl_x25519 for elliptic curve support - this adds P384 and P521 ECDH support (mirleft/ocaml-tls#428 by @hannesm)
* Remove custom Monad implementation, use Result and Rresult instead (mirleft/ocaml-tls#429 by @hannesm)
* Remove Utils.Cs submodule, use Cstruct API instead (mirleft/ocaml-tls#429 by @hannesm)
* Breaking: Tls.Engine.ret type is now a result instead of a custom variant type (mirleft/ocaml-tls#429 by @hannesm)
* Breaking: Tls_lwt.Unix.epoch results in (Tls.Core.epoch_data, unit) result - it was a custom error type previously (mirleft/ocaml-tls#429 by @hannesm)
---
packages/tls-mirage/tls-mirage.0.13.0/opam | 46 +++++++++++++++
packages/tls/tls.0.13.0/opam | 68 ++++++++++++++++++++++
2 files changed, 114 insertions(+)
create mode 100644 packages/tls-mirage/tls-mirage.0.13.0/opam
create mode 100644 packages/tls/tls.0.13.0/opam
diff --git a/packages/tls-mirage/tls-mirage.0.13.0/opam b/packages/tls-mirage/tls-mirage.0.13.0/opam
new file mode 100644
index 000000000000..cb2e47ee95f3
--- /dev/null
+++ b/packages/tls-mirage/tls-mirage.0.13.0/opam
@@ -0,0 +1,46 @@
+opam-version: "2.0"
+homepage: "https://github.com/mirleft/ocaml-tls"
+dev-repo: "git+https://github.com/mirleft/ocaml-tls.git"
+bug-reports: "https://github.com/mirleft/ocaml-tls/issues"
+doc: "https://mirleft.github.io/ocaml-tls/doc"
+maintainer: ["Hannes Mehnert " "David Kaloper "]
+license: "BSD-2-Clause"
+
+build: [
+ ["dune" "subst"] {pinned}
+ ["dune" "build" "-p" name "-j" jobs]
+ ["dune" "runtest" "-p" name "-j" jobs] {with-test}
+]
+
+depends: [
+ "ocaml" {>= "4.08.0"}
+ "dune" {>= "1.0"}
+ "tls" {= version}
+ "x509" {>= "0.10.0"}
+ "fmt"
+ "lwt" {>= "3.0.0"}
+ "mirage-flow" {>= "2.0.0"}
+ "mirage-kv" {>= "3.0.0"}
+ "mirage-clock" {>= "3.0.0"}
+ "ptime" {>= "0.8.1"}
+ "mirage-crypto"
+ "mirage-crypto-pk"
+]
+tags: [ "org:mirage"]
+synopsis: "Transport Layer Security purely in OCaml, MirageOS layer"
+description: """
+Tls-mirage provides an effectful FLOW module to be used in the MirageOS
+ecosystem.
+"""
+x-commit-hash: "f9dd61f556d3f2790aa9eedcf2b6b3c8c99cb338"
+authors: [
+ "David Kaloper " "Hannes Mehnert "
+]
+url {
+ src:
+ "https://github.com/mirleft/ocaml-tls/releases/download/v0.13.0/tls-v0.13.0.tbz"
+ checksum: [
+ "sha256=01fc67eff2ad5cd3c59ffdb55ee64ba78772cad963f7f1a1bef0b3935eb17ccd"
+ "sha512=03e249c7396153f311cf0bb640dea72b630372d3d4c650d597111d0fb2c4194b2eb4dda6c5d1d4c806d2a25f9c22658cec139aa0195d9090192888cc2c337a7b"
+ ]
+}
diff --git a/packages/tls/tls.0.13.0/opam b/packages/tls/tls.0.13.0/opam
new file mode 100644
index 000000000000..959481d03bc9
--- /dev/null
+++ b/packages/tls/tls.0.13.0/opam
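Review bot: The `"x509" {>= "0.10.0"}` lower bound in this tls-mirage `depends:` list looks stale for the 0.13.0 release: the CHANGES text in the commit message ties the new `Tls.Config.certchain` private-key type to x509 0.12.0, and the sibling tls.0.13.0 opam in this same patch already requires `"x509" {>= "0.12.0"}`. The solver will still converge on x509 >= 0.12.0 through `"tls" {= version}`, so this is not a functional break, but a direct bound that states the real requirement keeps the file self-describing if that transitive constraint is ever relaxed. I would change the line to `"x509" {>= "0.12.0"}`. The `checksum:` block pinning the release tarball with both sha256 and sha512 is what a reviewer wants to see on a new package version.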
@@ -0,0 +1,68 @@
+opam-version: "2.0"
+homepage: "https://github.com/mirleft/ocaml-tls"
+dev-repo: "git+https://github.com/mirleft/ocaml-tls.git"
+bug-reports: "https://github.com/mirleft/ocaml-tls/issues"
+doc: "https://mirleft.github.io/ocaml-tls/doc"
+maintainer: ["Hannes Mehnert " "David Kaloper "]
+license: "BSD-2-Clause"
+
+build: [
+ ["dune" "subst"] {pinned}
+ ["dune" "build" "-p" name "-j" jobs]
+ ["dune" "runtest" "-p" name "-j" jobs] {with-test}
+]
+
+depends: [
+ "ocaml" {>= "4.08.0"}
+ "dune" {>= "1.0"}
+ "ppx_sexp_conv" {>= "v0.9.0"}
+ "ppx_cstruct" {>= "3.0.0"}
+ "cstruct" {>= "4.0.0"}
+ "cstruct-sexp"
+ "sexplib"
+ "mirage-crypto" {>= "0.8.1"}
+ "mirage-crypto-ec"
+ "mirage-crypto-pk"
+ "mirage-crypto-rng" {>= "0.8.0"}
+ "x509" {>= "0.12.0"}
+ "domain-name" {>= "0.3.0"}
+ "fmt"
+ "rresult"
+ "cstruct-unix" {with-test & >= "3.0.0"}
+ "ounit2" {with-test & >= "2.2.0"}
+ "lwt" {>= "3.0.0"}
+ "ptime" {>= "0.8.1"}
+ "hkdf"
+ "logs"
+ "alcotest" {with-test}
+]
+
+tags: [ "org:mirage"]
+synopsis: "Transport Layer Security purely in OCaml"
+description: """
+Transport Layer Security (TLS) is probably the most widely deployed security
+protocol on the Internet. It provides communication privacy to prevent
+eavesdropping, tampering, and message forgery. Furthermore, it optionally
+provides authentication of the involved endpoints. TLS is commonly deployed for
+securing web services ([HTTPS](http://tools.ietf.org/html/rfc2818)), emails,
+virtual private networks, and wireless networks.
+
+TLS uses asymmetric cryptography to exchange a symmetric key, and optionally
+authenticate (using X.509) either or both endpoints. It provides algorithmic
+agility, which means that the key exchange method, symmetric encryption
+algorithm, and hash algorithm are negotiated.
+
+Read [further](https://nqsb.io) and our [Usenix Security 2015 paper](https://usenix15.nqsb.io).
+"""
+x-commit-hash: "f9dd61f556d3f2790aa9eedcf2b6b3c8c99cb338"
+authors: [
+ "David Kaloper " "Hannes Mehnert "
+]
+url {
+ src:
+ "https://github.com/mirleft/ocaml-tls/releases/download/v0.13.0/tls-v0.13.0.tbz"
+ checksum: [
+ "sha256=01fc67eff2ad5cd3c59ffdb55ee64ba78772cad963f7f1a1bef0b3935eb17ccd"
+ "sha512=03e249c7396153f311cf0bb640dea72b630372d3d4c650d597111d0fb2c4194b2eb4dda6c5d1d4c806d2a25f9c22658cec139aa0195d9090192888cc2c337a7b"
+ ]
+}
From 95ade695d01206b8e9434f7af702b87ead639aaa Mon Sep 17 00:00:00 2001
From: Marcello Seri
Date: Wed, 14 Apr 2021 11:41:42 +0200
Subject: [PATCH 2/5] Apply suggestions from code review
---
packages/tls-mirage/tls-mirage.0.13.0/opam | 2 +-
packages/tls/tls.0.13.0/opam | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/tls-mirage/tls-mirage.0.13.0/opam b/packages/tls-mirage/tls-mirage.0.13.0/opam
index cb2e47ee95f3..d7d35f5205c7 100644
--- a/packages/tls-mirage/tls-mirage.0.13.0/opam
+++ b/packages/tls-mirage/tls-mirage.0.13.0/opam
@@ -7,7 +7,7 @@ maintainer: ["Hannes Mehnert " "David Kaloper " "David Kaloper
Date: Wed, 14 Apr 2021 15:03:32 +0200
Subject: [PATCH 3/5] upper bounds for tls 0.13.0 in packages that run into the breaking changes
---
packages/colombe/colombe.0.1.0/opam | 2 +-
packages/conduit-lwt-unix/conduit-lwt-unix.2.3.0/opam | 1 +
packages/conduit-tls/conduit-tls.3.0.0/opam | 2 +-
packages/dns-certify/dns-certify.4.4.0/opam | 2 +-
packages/dns-certify/dns-certify.4.4.1/opam | 2 +-
packages/dns-certify/dns-certify.4.5.0/opam | 2 +-
packages/dns-certify/dns-certify.4.6.0/opam | 2 +-
packages/dns-certify/dns-certify.4.6.1/opam | 2 +-
packages/dns-certify/dns-certify.4.6.2/opam | 2 +-
packages/dns-certify/dns-certify.4.6.3/opam | 4 ++--
packages/gluten-lwt-unix/gluten-lwt-unix.0.1.0/opam | 1 +
packages/sendmail/sendmail.0.2.0/opam | 2 +-
packages/sendmail/sendmail.0.3.0/opam | 2 +-
packages/sendmail/sendmail.0.4.0/opam | 2 +-
14 files changed, 15 insertions(+), 13 deletions(-)
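Review bot: `"mirage-crypto-ec"` enters the tls `depends:` list with no version constraint, while the mirage-crypto packages beside it are bounded (`"mirage-crypto" {>= "0.8.1"}`, `"mirage-crypto-rng" {>= "0.8.0"}`). The CHANGES text in PATCH 1/5 makes this library the new provider of the P256/P384/P521 ECDH and ECDSA/EdDSA code paths that replace fiat-p256 and hacl_x25519, so an unbounded dependency lets the solver pair tls 0.13.0 with any mirage-crypto-ec release it can find, including one that may predate the curves or key types this release relies on. I would pin it to the release tls was built against, e.g. `"mirage-crypto-ec" {>= "<first-supported-version>"}` (placeholder; take the value from the upstream project's own dependency declaration). The `x-commit-hash` and dual sha256/sha512 `checksum:` entries are good; they let a downstream reproduce exactly which upstream tree the tarball corresponds to.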
diff --git a/packages/colombe/colombe.0.1.0/opam b/packages/colombe/colombe.0.1.0/opam
index a57f7d04b1a7..ae3e23502de6 100644
--- a/packages/colombe/colombe.0.1.0/opam
+++ b/packages/colombe/colombe.0.1.0/opam
@@ -20,7 +20,7 @@ depends: [
 "angstrom" {< "0.14.0"}
 "ipaddr" {>= "2.9.0"}
 "fmt"
- "tls"
+ "tls" {< "0.13.0"}
 "logs"
 "base64"
 "rresult"
diff --git a/packages/conduit-lwt-unix/conduit-lwt-unix.2.3.0/opam b/packages/conduit-lwt-unix/conduit-lwt-unix.2.3.0/opam
index 4ed5b9ab7e5b..4c0db6739015 100644
--- a/packages/conduit-lwt-unix/conduit-lwt-unix.2.3.0/opam
+++ b/packages/conduit-lwt-unix/conduit-lwt-unix.2.3.0/opam
@@ -26,6 +26,7 @@ depends: [
 depopts: ["tls" "lwt_ssl" "launchd"]
 conflicts: [
 "tls" {< "0.11.0"}
+ "tls" {>= "0.13.0"}
 "ssl" {< "0.5.9"}
 ]
 build: [
diff --git a/packages/conduit-tls/conduit-tls.3.0.0/opam b/packages/conduit-tls/conduit-tls.3.0.0/opam
index 0e97b64825a6..cb832e996f6f 100644
--- a/packages/conduit-tls/conduit-tls.3.0.0/opam
+++ b/packages/conduit-tls/conduit-tls.3.0.0/opam
@@ -43,7 +43,7 @@ depends: [
 "dune"
 "conduit"
 "ke"
- "tls"
+ "tls" {< "0.13.0"}
 "logs"
 "bigstringaf"
 ]
diff --git a/packages/dns-certify/dns-certify.4.4.0/opam b/packages/dns-certify/dns-certify.4.4.0/opam
index 3b9eeea1685c..1425711d3004 100644
--- a/packages/dns-certify/dns-certify.4.4.0/opam
+++ b/packages/dns-certify/dns-certify.4.4.0/opam
@@ -17,7 +17,7 @@ depends: [
 "duration" {>= "0.1.2"}
 "x509" {>= "0.10.0"}
 "lwt" {>= "4.2.1"}
- "tls" {>= "0.11.0"}
+ "tls" {>= "0.11.0" & < "0.13.0"}
 "mirage-random" {>= "2.0.0"}
 "mirage-time" {>= "2.0.0"}
 "mirage-clock" {>= "3.0.0"}
diff --git a/packages/dns-certify/dns-certify.4.4.1/opam b/packages/dns-certify/dns-certify.4.4.1/opam
index 46c7c1984237..a17bef8f03a1 100644
--- a/packages/dns-certify/dns-certify.4.4.1/opam
+++ b/packages/dns-certify/dns-certify.4.4.1/opam
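Review bot: The `"tls" {< "0.13.0"}` bound added here, and the equivalent bounds in the other hunks of this patch (conduit-lwt-unix, conduit-tls, dns-certify 4.4.0 through 4.6.3, gluten-lwt-unix, sendmail 0.2.0 through 0.4.0) and in the paf hunk of PATCH 5/5, keep those packages on tls releases whose default configuration, according to the CHANGES text in PATCH 1/5, still offers static RSA and CBC ciphersuites and SHA1 in signature_algorithms. That is the correct repository-side response to the `Tls.Config.certchain` and `Tls.Engine.ret` breaks, but it means users of these dependents do not receive the hardened defaults until each package is ported, and nothing in the series records that follow-up. I would add a sentence to the commit message such as `These upper bounds are temporary: each dependent still needs a port to the tls 0.13.0 certchain/ret API to pick up its stricter default ciphersuites.` Using `conflicts:` for conduit-lwt-unix and gluten-lwt-unix, where tls is only a depopt, is the right form and is consistent between the two.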
@@ -17,7 +17,7 @@ depends: [
 "duration" {>= "0.1.2"}
 "x509" {>= "0.10.0"}
 "lwt" {>= "4.2.1"}
- "tls" {>= "0.11.0"}
+ "tls" {>= "0.11.0" & < "0.13.0"}
 "mirage-random" {>= "2.0.0"}
 "mirage-time" {>= "2.0.0"}
 "mirage-clock" {>= "3.0.0"}
diff --git a/packages/dns-certify/dns-certify.4.5.0/opam b/packages/dns-certify/dns-certify.4.5.0/opam
index 24e75ea6713c..2767b1dfe4fa 100644
--- a/packages/dns-certify/dns-certify.4.5.0/opam
+++ b/packages/dns-certify/dns-certify.4.5.0/opam
@@ -17,7 +17,7 @@ depends: [
 "duration" {>= "0.1.2"}
 "x509" {>= "0.10.0"}
 "lwt" {>= "4.2.1"}
- "tls" {>= "0.11.0"}
+ "tls" {>= "0.11.0" & < "0.13.0"}
 "mirage-random" {>= "2.0.0"}
 "mirage-time" {>= "2.0.0"}
 "mirage-clock" {>= "3.0.0"}
diff --git a/packages/dns-certify/dns-certify.4.6.0/opam b/packages/dns-certify/dns-certify.4.6.0/opam
index 926598cab937..645a02a261e6 100644
--- a/packages/dns-certify/dns-certify.4.6.0/opam
+++ b/packages/dns-certify/dns-certify.4.6.0/opam
@@ -17,7 +17,7 @@ depends: [
 "duration" {>= "0.1.2"}
 "x509" {>= "0.10.0"}
 "lwt" {>= "4.2.1"}
- "tls" {>= "0.11.0"}
+ "tls" {>= "0.11.0" & < "0.13.0"}
 "mirage-random" {>= "2.0.0"}
 "mirage-time" {>= "2.0.0"}
 "mirage-clock" {>= "3.0.0"}
diff --git a/packages/dns-certify/dns-certify.4.6.1/opam b/packages/dns-certify/dns-certify.4.6.1/opam
index 9082cd593557..9528eeffdf7c 100644
--- a/packages/dns-certify/dns-certify.4.6.1/opam
+++ b/packages/dns-certify/dns-certify.4.6.1/opam
@@ -17,7 +17,7 @@ depends: [
 "duration" {>= "0.1.2"}
 "x509" {>= "0.10.0"}
 "lwt" {>= "4.2.1"}
- "tls" {>= "0.11.0"}
+ "tls" {>= "0.11.0" & < "0.13.0"}
 "mirage-random" {>= "2.0.0"}
 "mirage-time" {>= "2.0.0"}
 "mirage-clock" {>= "3.0.0"}
diff --git a/packages/dns-certify/dns-certify.4.6.2/opam b/packages/dns-certify/dns-certify.4.6.2/opam
index bd99ee616d13..d552258a4713 100644
--- a/packages/dns-certify/dns-certify.4.6.2/opam
+++ b/packages/dns-certify/dns-certify.4.6.2/opam
@@ -17,7 +17,7 @@ depends: [
 "duration" {>= "0.1.2"}
 "x509" {>= "0.10.0"}
 "lwt" {>= "4.2.1"}
- "tls" {>= "0.11.0"}
+ "tls" {>= "0.11.0" & < "0.13.0"}
 "mirage-random" {>= "2.0.0"}
 "mirage-time" {>= "2.0.0"}
 "mirage-clock" {>= "3.0.0"}
diff --git a/packages/dns-certify/dns-certify.4.6.3/opam b/packages/dns-certify/dns-certify.4.6.3/opam
index 0e1b4833a68e..3f97f3aead45 100644
--- a/packages/dns-certify/dns-certify.4.6.3/opam
+++ b/packages/dns-certify/dns-certify.4.6.3/opam
@@ -15,9 +15,9 @@ depends: [
 "dns-mirage" {= version}
 "randomconv" {>= "0.1.2"}
 "duration" {>= "0.1.2"}
- "x509" {>= "0.10.0"}
+ "x509" {>= "0.10.0" & < "0.12.0"}
 "lwt" {>= "4.2.1"}
- "tls" {>= "0.11.0"}
+ "tls" {>= "0.11.0" & < "0.13.0"}
 "mirage-random" {>= "2.0.0"}
 "mirage-time" {>= "2.0.0"}
 "mirage-clock" {>= "3.0.0"}
diff --git a/packages/gluten-lwt-unix/gluten-lwt-unix.0.1.0/opam b/packages/gluten-lwt-unix/gluten-lwt-unix.0.1.0/opam
index e3d51918c7a7..b11a244de033 100644
--- a/packages/gluten-lwt-unix/gluten-lwt-unix.0.1.0/opam
+++ b/packages/gluten-lwt-unix/gluten-lwt-unix.0.1.0/opam
@@ -21,6 +21,7 @@ depopts: [
 "tls"
 "lwt_ssl"
 ]
+conflicts: [ "tls" {>= "0.13.0"} ]
 synopsis: "Lwt + Unix support for gluten"
 url {
 src:
diff --git a/packages/sendmail/sendmail.0.2.0/opam b/packages/sendmail/sendmail.0.2.0/opam
index 76543bed4b5a..a1c61ad5b68e 100644
--- a/packages/sendmail/sendmail.0.2.0/opam
+++ b/packages/sendmail/sendmail.0.2.0/opam
@@ -18,7 +18,7 @@ depends: [
 "ocaml" {>= "4.03.0"}
 "dune" {>= "1.8"}
 "colombe" {= version}
- "tls"
+ "tls" {< "0.13.0"}
 "base64" {>= "3.0.0"}
 "logs"
 "emile" {>= "0.8" & < "1.0" & with-test}
diff --git a/packages/sendmail/sendmail.0.3.0/opam b/packages/sendmail/sendmail.0.3.0/opam
index eca7d42d625d..3884c7f8b098 100644
--- a/packages/sendmail/sendmail.0.3.0/opam
+++ b/packages/sendmail/sendmail.0.3.0/opam
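Review bot: dns-certify.4.6.3 is the only dns-certify version that also receives `"x509" {>= "0.10.0" & < "0.12.0"}`; the hunks for 4.4.0 through 4.6.2 keep `"x509" {>= "0.10.0"}` unbounded and only gain the tls bound. The CHANGES text in PATCH 1/5 ties the new private-key type to x509 0.12.0, so if the x509 change that motivates the bound here is reached through code the earlier versions share, they need the same upper bound; if it is specific to 4.6.3, a sentence in the commit message saying so would save the next reader from re-deriving it. I cannot tell which case applies from the diff alone, so this is a question rather than a confirmed gap.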
@@ -18,7 +18,7 @@ depends: [
 "ocaml" {>= "4.03.0"}
 "dune" {>= "1.8"}
 "colombe" {= version}
- "tls"
+ "tls" {< "0.13.0"}
 "base64" {>= "3.0.0"}
 "logs"
 "emile" {>= "0.8" & < "1.0" & with-test}
diff --git a/packages/sendmail/sendmail.0.4.0/opam b/packages/sendmail/sendmail.0.4.0/opam
index e68bd406433a..2d78e416e337 100644
--- a/packages/sendmail/sendmail.0.4.0/opam
+++ b/packages/sendmail/sendmail.0.4.0/opam
@@ -18,7 +18,7 @@ depends: [
 "ocaml" {>= "4.03.0"}
 "dune" {>= "1.8"}
 "colombe" {= version}
- "tls"
+ "tls" {< "0.13.0"}
 "base64" {>= "3.0.0"}
 "logs"
 "emile" {>= "0.8" & with-test}
From af852c88d0cecf13ec794496549cd6d8bc763d69 Mon Sep 17 00:00:00 2001
From: Kate
Date: Thu, 15 Apr 2021 11:50:25 +0100
Subject: [PATCH 4/5] conduit-tls.3.0.0: Synch up with conduit
---
packages/conduit-tls/conduit-tls.3.0.0/opam | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/conduit-tls/conduit-tls.3.0.0/opam b/packages/conduit-tls/conduit-tls.3.0.0/opam
index cb832e996f6f..291cc6704612 100644
--- a/packages/conduit-tls/conduit-tls.3.0.0/opam
+++ b/packages/conduit-tls/conduit-tls.3.0.0/opam
@@ -41,7 +41,7 @@ build: [
 depends: [
 "ocaml" {>= "4.07.0"}
 "dune"
- "conduit"
+ "conduit" {= version}
 "ke"
 "tls" {< "0.13.0"}
 "logs"
From 5ac44de888a481a82f378f01e9788b597c28173b Mon Sep 17 00:00:00 2001
From: Hannes Mehnert
Date: Thu, 15 Apr 2021 20:08:15 +0200
Subject: [PATCH 5/5] paf requires tls < 0.13.0 (cc @dinosaure)
---
packages/paf/paf.0.0.1/opam | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/paf/paf.0.0.1/opam b/packages/paf/paf.0.0.1/opam
index 76352f108908..54f1fad98e4b 100644
--- a/packages/paf/paf.0.0.1/opam
+++ b/packages/paf/paf.0.0.1/opam
@@ -20,7 +20,7 @@ depends: [
 "mirage-stack"
 "mirage-time"
 "httpaf"
- "tls-mirage"
+ "tls-mirage" {< "0.13.0"}
 "mimic"
 "cohttp-lwt"
 "letsencrypt"