From b82b271ceff238d482416691ab4e232bafd7bce6 Mon Sep 17 00:00:00 2001 From: Lin Liu Date: Tue, 24 Mar 2026 08:45:16 +0000 Subject: [PATCH 1/2] CP-311259: Define tls lib to manage TLS version and ciphers Dom0 got two TLS library implementations, openssl and gnutls And they use different format to identify the cipher policies. To keep system consistent with TLS configrations, tls lib is introduced for central management. Signed-off-by: Lin Liu --- dune-project | 9 ++ ocaml/libs/tls/dune | 5 ++ ocaml/libs/tls/tls.ml | 190 ++++++++++++++++++++++++++++++++++++++++ ocaml/libs/tls/tls.mli | 95 ++++++++++++++++++++ ocaml/tests/dune | 10 ++- ocaml/tests/test_tls.ml | 166 +++++++++++++++++++++++++++++++++++ opam/tls.opam | 31 +++++++ 7 files changed, 505 insertions(+), 1 deletion(-) create mode 100644 ocaml/libs/tls/dune create mode 100644 ocaml/libs/tls/tls.ml create mode 100644 ocaml/libs/tls/tls.mli create mode 100644 ocaml/tests/test_tls.ml create mode 100644 opam/tls.opam diff --git a/dune-project b/dune-project index 94f67c4c19..76cd0a0300 100644 --- a/dune-project +++ b/dune-project @@ -31,6 +31,15 @@ (package (name zstd)) +(package + (name tls) + (synopsis "TLS policy types and format-specific string renderers") + (description + "Provides TLS policy types and renderers for GnuTLS priority strings and OpenSSL cipher lists.") + (depends + (ocaml + (>= 4.14)))) + (package (name clock) (synopsis "Xapi's library for managing time") diff --git a/ocaml/libs/tls/dune b/ocaml/libs/tls/dune new file mode 100644 index 0000000000..e60487231e --- /dev/null +++ b/ocaml/libs/tls/dune @@ -0,0 +1,5 @@ +(library + (name tls) + (public_name tls) + (wrapped false) +) diff --git a/ocaml/libs/tls/tls.ml b/ocaml/libs/tls/tls.ml new file mode 100644 index 0000000000..54884cb8af --- /dev/null +++ b/ocaml/libs/tls/tls.ml 
@@ -0,0 +1,190 @@ +(* + * Copyright (C) Citrix Systems Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published + * by the Free Software Foundation; version 2.1 only. with the special + * exception on linking described in file LICENSE. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + *) + +type version = TLS_1_2 | TLS_1_3 + +type cipher = AES_128_GCM | AES_256_GCM + +type curve = Secp384r1 + +type kex = ECDHE_RSA + +type policy = { + versions: version list + ; ciphers: cipher list + ; curves: curve list + ; kex: kex list + ; server_preference: bool +} + +(* ---- Default XenServer policy ------------------------------------------- *) + +let default = + { + versions= [TLS_1_2] + ; ciphers= [AES_256_GCM; AES_128_GCM] + ; curves= [Secp384r1] + ; kex= [ECDHE_RSA] + ; server_preference= true + } + +(** Common interface both renderers implement. *) +module type Renderer = sig + val string_of_versions : version list -> string + (** Format-specific colon-joined version list from a version list. *) + + val string_of_ciphers : cipher list -> string + (** Format-specific colon-joined cipher list from a cipher list. *) + + val string_of_policy : policy -> string + (** Format-specific combined cipher suite string from a policy. *) + + val string_of_curves : curve list -> string + (** Format-specific colon-joined curve list from a curve list. 
*) + + val string_of_server_preference : bool -> string + (** Format-specific server-preference flag *) +end + +(* ---- GnuTLS renderer ---------------------------------------------------- *) + +module GnutlsImpl = struct + let string_of_version = function + | TLS_1_2 -> + "+VERS-TLS1.2" + | TLS_1_3 -> + "+VERS-TLS1.3" + + let string_of_cipher = function + | AES_128_GCM -> + "+AES-128-GCM" + | AES_256_GCM -> + "+AES-256-GCM" + + let string_of_versions versions = + List.map string_of_version versions |> String.concat ":" + + let string_of_ciphers ciphers = + List.map string_of_cipher ciphers |> String.concat ":" + + let string_of_curve = function Secp384r1 -> "+GROUP-SECP384R1" + + let string_of_curves curves = + List.map string_of_curve curves |> String.concat ":" + + let string_of_kex = function ECDHE_RSA -> "+ECDHE-RSA" + + let string_of_server_preference = function + | true -> + "%SERVER_PRECEDENCE" + | false -> + "" + + (** Build a GnuTLS priority string from a policy. + Example: + ["NONE:+VERS-TLS1.2:+AES-256-GCM:+AES-128-GCM:+AEAD:+ECDHE-RSA:+SIGN-ALL:+GROUP-SECP384R1:+COMP-NULL:%SERVER_PRECEDENCE"] + Suitable for Samba's [tls priority =] in [smb.conf]. 
*) + let string_of_policy {versions; ciphers; kex; curves; server_preference} = + (* GnuTLS priority token order (from the GnuTLS manual): + versions -> ciphers -> MACs -> KEX -> signatures -> groups -> compression -> flags *) + let is_aead = + List.exists (function AES_128_GCM | AES_256_GCM -> true) ciphers + in + let tokens = + List.map string_of_version versions + @ List.map string_of_cipher ciphers + @ ( if is_aead then + ["+AEAD"] + else + [] + ) + @ List.map string_of_kex kex + @ ["+SIGN-ALL"] + @ List.map string_of_curve curves + @ ["+COMP-NULL"] + @ + if server_preference then + ["%SERVER_PRECEDENCE"] + else + [] + in + Printf.sprintf "NONE:%s" (String.concat ":" tokens) +end + +(* ---- OpenSSL renderer --------------------------------------------------- *) + +module OpensslImpl = struct + (* OpenSSL TLS 1.2 suite name: ECDHE-RSA-CIPHER-HASH. + For GCM (AEAD) suites the hash is used only as the PRF: + AES-256-GCM -> SHA-384, AES-128-GCM -> SHA-256. *) + let string_of_cipher = function + | AES_256_GCM -> + "ECDHE-RSA-AES256-GCM-SHA384" + | AES_128_GCM -> + "ECDHE-RSA-AES128-GCM-SHA256" + + let string_of_version = function TLS_1_2 -> "TLSv1.2" | TLS_1_3 -> "TLSv1.3" + + let string_of_versions versions = + List.map string_of_version versions |> String.concat ":" + + let string_of_ciphers ciphers = + List.map string_of_cipher ciphers |> String.concat ":" + + let string_of_curve = function Secp384r1 -> "secp384r1" + + let string_of_curves curves = + List.map string_of_curve curves |> String.concat ":" + + let string_of_server_preference = function + | true -> + "CIPHER_SERVER_PREFERENCE" + | false -> + "" + + let string_of_policy _ = failwith "Not supported" +end + +(** Extends any [Renderer] with convenience values pre-applied to [default]. 
*) +module type RendererWithDefaults = sig + include Renderer + + val default_policy : unit -> string + + val default_ciphers : string + + val default_version : string + + val default_curve : string + + val default_server_preference : string +end + +module WithDefaults (R : Renderer) : RendererWithDefaults = struct + include R + + let default_policy () = R.string_of_policy default + + let default_ciphers = R.string_of_ciphers default.ciphers + + let default_version = R.string_of_versions default.versions + + let default_curve = R.string_of_curves default.curves + + let default_server_preference = + R.string_of_server_preference default.server_preference +end + +module Gnutls = WithDefaults (GnutlsImpl) +module Openssl = WithDefaults (OpensslImpl) diff --git a/ocaml/libs/tls/tls.mli b/ocaml/libs/tls/tls.mli new file mode 100644 index 0000000000..923b230758 --- /dev/null +++ b/ocaml/libs/tls/tls.mli 
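Review bot: `OpensslImpl.string_of_policy _ = failwith "Not supported"` makes a `Renderer` that raises `Failure` at runtime for one of its five signature members, which is why `WithDefaults` has to thunk `default_policy` while the other defaults are plain values; a total signature (`val string_of_policy : policy -> string option`, or a narrower `Combined` signature that only the GnuTLS renderer satisfies) would move that mismatch to compile time. Separately, `OpensslImpl.string_of_cipher` bakes the key exchange into the suite name (`ECDHE-RSA-…`) and never reads `policy.kex`, so adding a second `kex` constructor would make the GnuTLS and OpenSSL renderings of the same policy disagree silently; a comment above it such as `(* Key exchange is fixed to ECDHE-RSA here: OpenSSL suite names embed it, so [policy.kex] is not consulted by this renderer. *)` records that, and an exhaustive `string_of_kex` used in the suite name would let the compiler flag the addition. In `GnutlsImpl.string_of_policy`, `+SIGN-ALL` is the one security-relevant token not derived from the policy (versions, ciphers, kex and groups all are), so a why-comment explaining that the signature-algorithm set is intentionally left to GnuTLS defaults, or a field in `policy` for it, would make that decision reviewable.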
@@ -0,0 +1,95 @@ +(* + * Copyright (C) Citrix Systems Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published + * by the Free Software Foundation; version 2.1 only. with the special + * exception on linking described in file LICENSE. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + *) + +(** TLS policy types and format-specific string renderers. + + Usage: + {[ + let () = print_endline (Tls.Gnutls.default_policy ()) + let () = print_endline (Tls.Openssl.default_policy ()) + let () = print_endline Tls.Openssl.default_curve + (* or with a custom policy: *) + let my_policy = { ... } + let () = print_endline (Tls.Openssl.string_of_policy my_policy) + ]} *) + +type version = TLS_1_2 | TLS_1_3 + +type cipher = + | AES_128_GCM (** AEAD; paired with SHA-256 in OpenSSL suite names *) + | AES_256_GCM (** AEAD; paired with SHA-384 in OpenSSL suite names *) + +type curve = Secp384r1 + +type kex = ECDHE_RSA + +type policy = { + versions: version list + ; ciphers: cipher list + ; curves: curve list (** Only the first curve is used for stunnel. *) + ; kex: kex list + ; server_preference: bool (** When [true], the server picks the cipher. *) +} + +(** Common interface both renderers implement. *) +module type Renderer = sig + val string_of_versions : version list -> string + (** Format-specific colon-joined version list from a version list. *) + + val string_of_ciphers : cipher list -> string + (** Format-specific colon-joined cipher list from a cipher list. *) + + val string_of_policy : policy -> string + (** Format-specific combined cipher suite string from a policy. 
*) + + val string_of_curves : curve list -> string + (** Format-specific colon-joined curve list from a curve list. *) + + val string_of_server_preference : bool -> string + (** Format-specific server-preference flag, or ["" ] if disabled. *) +end + +(** Extends [Renderer] with convenience values pre-applied to the default policy. *) +module type RendererWithDefaults = sig + include Renderer + + val default_policy : unit -> string + (** Format-specific combined cipher suite string for the default policy. + + This is a [unit -> string] function rather than a plain [string] value to + avoid eager evaluation at module initialisation time. OCaml evaluates + every top-level [let] in a functor body when the functor is applied, so a + plain [string] binding would call [string_of_policy] immediately — + crashing for renderers (e.g. [Openssl]) where [string_of_policy] raises. + The other [default_*] values are plain strings because their underlying + functions are defined for every renderer. *) + + val default_ciphers : string + (** Colon-joined cipher string for the default cipher list. *) + + val default_version : string + (** Colon-joined version string for the default version list. *) + + val default_curve : string + (** Colon-joined curve string for the default curve list. *) + + val default_server_preference : string + (** Server-preference string for the default policy. *) +end + +(** GnuTLS priority string renderer. *) +module Gnutls : RendererWithDefaults + +(** OpenSSL cipher list renderer. *) +module Openssl : RendererWithDefaults diff --git a/ocaml/tests/dune b/ocaml/tests/dune index 545e0f748b..1853218cda 100644 --- a/ocaml/tests/dune +++ b/ocaml/tests/dune 
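Review bot: The doc on `curves` says `Only the first curve is used for stunnel`, but `string_of_curves` (and `default_curve` built on it) colon-joins every element of the list, so the interface documents a truncation the renderers do not perform; either the OpenSSL renderer should emit only the head of the list or the comment should read `(** Rendered as a colon-joined list; consumers such as stunnel may honour only the first entry. *)`. The `string_of_server_preference` doc has a stray space in `["" ]`, which should be `[""]`. `Renderer.string_of_policy` carries no `@raise` even though the `default_policy` doc below states that the `Openssl` implementation raises; add `@raise Failure for renderers with no combined-string format (currently [Openssl]).` to the `string_of_policy` doc so callers of the non-default entry point see it too.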
@@ -9,7 +9,8 @@ test_vm_placement test_vm_helpers test_repository test_repository_helpers test_ref test_xapi_helpers test_vm_group test_livepatch test_rpm test_updateinfo test_storage_smapiv1_wrapper test_storage_quicktest test_observer - test_pool_periodic_update_sync test_pkg_mgr test_tar_ext test_pool_repository)) + test_pool_periodic_update_sync test_pkg_mgr test_tar_ext test_pool_repository + test_tls)) (libraries alcotest angstrom @@ -172,6 +173,13 @@ (action (run ./check-no-xenctrl %{x})) ) +(test + (name test_tls) + (modes exe) + (modules test_tls) + (libraries alcotest tls) +) + (env (_ (env-vars (XAPI_TEST 1)))) ; disassemble, but without sources diff --git a/ocaml/tests/test_tls.ml b/ocaml/tests/test_tls.ml new file mode 100644 index 0000000000..4c34bdb57d --- /dev/null +++ b/ocaml/tests/test_tls.ml 
@@ -0,0 +1,166 @@ +(* + * Copyright (C) Citrix Systems Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published + * by the Free Software Foundation; version 2.1 only. with the special + * exception on linking described in file LICENSE. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + *) + +open Tls + +(* ---- GnuTLS tests ------------------------------------------------------- *) + +let test_gnutls_default_policy () = + let expected = + "NONE:+VERS-TLS1.2:+AES-256-GCM:+AES-128-GCM:+AEAD:+ECDHE-RSA:+SIGN-ALL:+GROUP-SECP384R1:+COMP-NULL:%SERVER_PRECEDENCE" + in + Alcotest.(check string) + "default GnuTLS policy" expected (Gnutls.default_policy ()) + +let test_gnutls_default_ciphers () = + Alcotest.(check string) + "default GnuTLS ciphers" "+AES-256-GCM:+AES-128-GCM" Gnutls.default_ciphers + +let test_gnutls_default_version () = + Alcotest.(check string) + "default GnuTLS version" "+VERS-TLS1.2" Gnutls.default_version + +let test_gnutls_default_curve () = + Alcotest.(check string) + "default GnuTLS curve" "+GROUP-SECP384R1" Gnutls.default_curve + +let test_gnutls_default_server_preference () = + Alcotest.(check string) + "default GnuTLS server preference" "%SERVER_PRECEDENCE" + Gnutls.default_server_preference + +let test_gnutls_string_of_versions () = + Alcotest.(check string) + "GnuTLS string_of_versions TLS1.2+TLS1.3" "+VERS-TLS1.2:+VERS-TLS1.3" + (Gnutls.string_of_versions [TLS_1_2; TLS_1_3]) + +let test_gnutls_string_of_ciphers () = + Alcotest.(check string) + "GnuTLS string_of_ciphers AES128+AES256" "+AES-128-GCM:+AES-256-GCM" + (Gnutls.string_of_ciphers [AES_128_GCM; AES_256_GCM]) + +let test_gnutls_string_of_curves () = + Alcotest.(check string) + 
"GnuTLS string_of_curves secp384r1" "+GROUP-SECP384R1" + (Gnutls.string_of_curves [Secp384r1]) + +let test_gnutls_policy_no_server_pref () = + let policy = + { + versions= [TLS_1_2] + ; ciphers= [AES_256_GCM] + ; curves= [Secp384r1] + ; kex= [ECDHE_RSA] + ; server_preference= false + } + in + let expected = + "NONE:+VERS-TLS1.2:+AES-256-GCM:+AEAD:+ECDHE-RSA:+SIGN-ALL:+GROUP-SECP384R1:+COMP-NULL" + in + Alcotest.(check string) + "GnuTLS policy without server preference" expected + (Gnutls.string_of_policy policy) + +let test_gnutls_policy_tls13 () = + let policy = + { + versions= [TLS_1_2; TLS_1_3] + ; ciphers= [AES_256_GCM; AES_128_GCM] + ; curves= [Secp384r1] + ; kex= [ECDHE_RSA] + ; server_preference= true + } + in + let expected = + "NONE:+VERS-TLS1.2:+VERS-TLS1.3:+AES-256-GCM:+AES-128-GCM:+AEAD:+ECDHE-RSA:+SIGN-ALL:+GROUP-SECP384R1:+COMP-NULL:%SERVER_PRECEDENCE" + in + Alcotest.(check string) + "GnuTLS policy with TLS 1.3" expected + (Gnutls.string_of_policy policy) + +(* ---- OpenSSL tests ------------------------------------------------------ *) + +let test_openssl_default_ciphers () = + Alcotest.(check string) + "default OpenSSL ciphers" + "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256" + Openssl.default_ciphers + +let test_openssl_default_version () = + Alcotest.(check string) + "default OpenSSL version" "TLSv1.2" Openssl.default_version + +let test_openssl_default_curve () = + Alcotest.(check string) + "default OpenSSL curve" "secp384r1" Openssl.default_curve + +let test_openssl_default_server_preference () = + Alcotest.(check string) + "default OpenSSL server preference" "CIPHER_SERVER_PREFERENCE" + Openssl.default_server_preference + +let test_openssl_string_of_ciphers () = + Alcotest.(check string) + "OpenSSL string_of_ciphers AES128 only" "ECDHE-RSA-AES128-GCM-SHA256" + (Openssl.string_of_ciphers [AES_128_GCM]) + +let test_openssl_string_of_curves () = + Alcotest.(check string) + "OpenSSL string_of_curves secp384r1" "secp384r1" + 
(Openssl.string_of_curves [Secp384r1]) + +let test_openssl_string_of_policy_raises () = + Alcotest.check_raises "OpenSSL string_of_policy raises" + (Failure "Not supported") (fun () -> + ignore + (Openssl.string_of_policy + { + versions= [TLS_1_2] + ; ciphers= [AES_256_GCM] + ; curves= [Secp384r1] + ; kex= [ECDHE_RSA] + ; server_preference= true + } + ) + ) + +(* ---- Test suite --------------------------------------------------------- *) + +let gnutls_tests = + [ + ("default_policy", `Quick, test_gnutls_default_policy) + ; ("default_ciphers", `Quick, test_gnutls_default_ciphers) + ; ("default_version", `Quick, test_gnutls_default_version) + ; ("default_curve", `Quick, test_gnutls_default_curve) + ; ("default_server_preference", `Quick, test_gnutls_default_server_preference) + ; ("string_of_versions", `Quick, test_gnutls_string_of_versions) + ; ("string_of_ciphers", `Quick, test_gnutls_string_of_ciphers) + ; ("string_of_curves", `Quick, test_gnutls_string_of_curves) + ; ("policy_no_server_preference", `Quick, test_gnutls_policy_no_server_pref) + ; ("policy_tls13", `Quick, test_gnutls_policy_tls13) + ] + +let openssl_tests = + [ + ("default_ciphers", `Quick, test_openssl_default_ciphers) + ; ("default_version", `Quick, test_openssl_default_version) + ; ("default_curve", `Quick, test_openssl_default_curve) + ; ("default_server_preference", `Quick, test_openssl_default_server_preference) + ; ("string_of_ciphers", `Quick, test_openssl_string_of_ciphers) + ; ("string_of_curves", `Quick, test_openssl_string_of_curves) + ; ("string_of_policy_raises", `Quick, test_openssl_string_of_policy_raises) + ] + +let () = + Alcotest.run "Tls" [("Gnutls", gnutls_tests); ("Openssl", openssl_tests)] diff --git a/opam/tls.opam b/opam/tls.opam new file mode 100644 index 0000000000..8190360ccc --- /dev/null +++ b/opam/tls.opam 
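Review bot: The disabled branch of `string_of_server_preference` is never asserted directly: every test reaching it goes through the defaults with `server_preference = true`, and only the GnuTLS combined string is checked with `false` (via `test_gnutls_policy_no_server_pref`), so the `""` result — which determines whether a consumer ends up with client-chosen cipher order — has no coverage for OpenSSL at all. A check such as `Alcotest.(check string) "OpenSSL server preference disabled" "" (Openssl.string_of_server_preference false)` and its GnuTLS twin would close that gap. `Openssl.string_of_versions [TLS_1_3]` (`"TLSv1.3"`) is likewise unexercised, while the GnuTLS side has `test_gnutls_string_of_versions`.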
@@ -0,0 +1,31 @@ +# This file is generated by dune, edit dune-project instead +opam-version: "2.0" +synopsis: "TLS policy types and format-specific string renderers" +description: + "Provides TLS policy types and renderers for GnuTLS priority strings and OpenSSL cipher lists." +maintainer: ["Xapi project maintainers"] +authors: ["xen-api@lists.xen.org"] +license: "LGPL-2.1-only WITH OCaml-LGPL-linking-exception" +homepage: "https://xapi-project.github.io/" +bug-reports: "https://github.com/xapi-project/xen-api/issues" +depends: [ + "dune" {>= "3.20"} + "ocaml" {>= "4.14"} + "odoc" {with-doc} +] +build: [ + ["dune" "subst"] {dev} + [ + "dune" + "build" + "-p" + name + "-j" + jobs + "@install" + "@runtest" {with-test} + "@doc" {with-doc} + ] +] +dev-repo: "git+https://github.com/xapi-project/xen-api.git" +x-maintenance-intent: ["(latest)"] From 71b7d5ffa894177ae45e81e1e09df4a55818b8fa Mon Sep 17 00:00:00 2001 From: Lin Liu Date: Fri, 27 Mar 2026 03:17:41 +0000 Subject: [PATCH 2/2] CP-311259: Refine for comments - Move tls lib to xapi-consts - Ignore mli test check in ocaml/*/test_xxxt for quality-gate Signed-off-by: Lin Liu --- dune-project | 9 ------ ocaml/libs/tls/dune | 5 --- ocaml/tests/dune | 10 +----- ocaml/xapi-consts/test/dune | 5 +++ .../test/test_tls_policy.ml} | 7 +++-- ocaml/xapi-consts/test/test_tls_policy.mli | 15 +++++++++ .../tls/tls.ml => xapi-consts/tls_policy.ml} | 2 +- .../tls.mli => xapi-consts/tls_policy.mli} | 8 ++--- opam/tls.opam | 31 ------------------- 9 files changed, 30 insertions(+), 62 deletions(-) delete mode 100644 ocaml/libs/tls/dune create mode 100644 ocaml/xapi-consts/test/dune rename ocaml/{tests/test_tls.ml => xapi-consts/test/test_tls_policy.ml} (97%) create mode 100644 ocaml/xapi-consts/test/test_tls_policy.mli rename ocaml/{libs/tls/tls.ml => xapi-consts/tls_policy.ml} (98%) rename ocaml/{libs/tls/tls.mli => xapi-consts/tls_policy.mli} (92%) delete mode 100644 opam/tls.opam 
diff --git a/dune-project b/dune-project index 76cd0a0300..94f67c4c19 100644 --- a/dune-project +++ b/dune-project @@ -31,15 +31,6 @@ (package (name zstd)) -(package - (name tls) - (synopsis "TLS policy types and format-specific string renderers") - (description - "Provides TLS policy types and renderers for GnuTLS priority strings and OpenSSL cipher lists.") - (depends - (ocaml - (>= 4.14)))) - (package (name clock) (synopsis "Xapi's library for managing time") diff --git a/ocaml/libs/tls/dune b/ocaml/libs/tls/dune deleted file mode 100644 index e60487231e..0000000000 --- a/ocaml/libs/tls/dune +++ /dev/null @@ -1,5 +0,0 @@ -(library - (name tls) - (public_name tls) - (wrapped false) -) diff --git a/ocaml/tests/dune b/ocaml/tests/dune index 1853218cda..545e0f748b 100644 --- a/ocaml/tests/dune +++ b/ocaml/tests/dune @@ -9,8 +9,7 @@ test_vm_placement test_vm_helpers test_repository test_repository_helpers test_ref test_xapi_helpers test_vm_group test_livepatch test_rpm test_updateinfo test_storage_smapiv1_wrapper test_storage_quicktest test_observer - test_pool_periodic_update_sync test_pkg_mgr test_tar_ext test_pool_repository - test_tls)) + test_pool_periodic_update_sync test_pkg_mgr test_tar_ext test_pool_repository)) (libraries alcotest angstrom @@ -173,13 +172,6 @@ (action (run ./check-no-xenctrl %{x})) ) -(test - (name test_tls) - (modes exe) - (modules test_tls) - (libraries alcotest tls) -) - (env (_ (env-vars (XAPI_TEST 1)))) ; disassemble, but without sources diff --git a/ocaml/xapi-consts/test/dune b/ocaml/xapi-consts/test/dune new file mode 100644 index 0000000000..8329a2e05f --- /dev/null +++ b/ocaml/xapi-consts/test/dune @@ -0,0 +1,5 @@ +(test + (name test_tls_policy) + (package xapi-consts) + (libraries alcotest xapi-consts) +) diff --git a/ocaml/tests/test_tls.ml b/ocaml/xapi-consts/test/test_tls_policy.ml similarity index 97% rename from ocaml/tests/test_tls.ml rename to ocaml/xapi-consts/test/test_tls_policy.ml index 4c34bdb57d..e73ca1260a 100644 
--- a/ocaml/tests/test_tls.ml +++ b/ocaml/xapi-consts/test/test_tls_policy.ml @@ -12,7 +12,7 @@ * GNU Lesser General Public License for more details. *) -open Tls +open Tls_policy (* ---- GnuTLS tests ------------------------------------------------------- *) @@ -162,5 +162,6 @@ let openssl_tests = ; ("string_of_policy_raises", `Quick, test_openssl_string_of_policy_raises) ] -let () = - Alcotest.run "Tls" [("Gnutls", gnutls_tests); ("Openssl", openssl_tests)] +let tests = [("Gnutls", gnutls_tests); ("Openssl", openssl_tests)] + +let () = Alcotest.run "Tls_policy" tests diff --git a/ocaml/xapi-consts/test/test_tls_policy.mli b/ocaml/xapi-consts/test/test_tls_policy.mli new file mode 100644 index 0000000000..c32d2a7e66 --- /dev/null +++ b/ocaml/xapi-consts/test/test_tls_policy.mli @@ -0,0 +1,15 @@ +(* + * Copyright (c) Cloud Software Group, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published + * by the Free Software Foundation; version 2.1 only. with the special + * exception on linking described in file LICENSE. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + *) + +val tests : unit Alcotest.test list diff --git a/ocaml/libs/tls/tls.ml b/ocaml/xapi-consts/tls_policy.ml similarity index 98% rename from ocaml/libs/tls/tls.ml rename to ocaml/xapi-consts/tls_policy.ml index 54884cb8af..943b2358c9 100644 --- a/ocaml/libs/tls/tls.ml +++ b/ocaml/xapi-consts/tls_policy.ml @@ -28,7 +28,7 @@ type policy = { ; server_preference: bool } -(* ---- Default XenServer policy ------------------------------------------- *) +(* ---- Default policy ------------------------------------------- *) let default = { 
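Review bot: `tests` is now exported through the new `test_tls_policy.mli`, yet the module still executes `Alcotest.run "Tls_policy" tests` at initialisation, so another runner linking this module to reuse `tests` would start the suite as a side effect of linking. If the `.mli` exists only to satisfy the quality gate, as the commit message suggests, an empty interface (dropping `val tests`) states that intent more honestly; if reuse is intended, the `let () = Alcotest.run …` line belongs in a separate entry-point module. The enclosing file continues outside the hunk.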
diff --git a/ocaml/libs/tls/tls.mli b/ocaml/xapi-consts/tls_policy.mli similarity index 92% rename from ocaml/libs/tls/tls.mli rename to ocaml/xapi-consts/tls_policy.mli index 923b230758..52c449e4eb 100644 --- a/ocaml/libs/tls/tls.mli +++ b/ocaml/xapi-consts/tls_policy.mli @@ -16,12 +16,12 @@ Usage: {[ - let () = print_endline (Tls.Gnutls.default_policy ()) - let () = print_endline (Tls.Openssl.default_policy ()) - let () = print_endline Tls.Openssl.default_curve + let () = print_endline (Tls_policy.Gnutls.default_policy ()) + let () = print_endline (Tls_policy.Openssl.default_policy ()) + let () = print_endline Tls_policy.Openssl.default_curve (* or with a custom policy: *) let my_policy = { ... } - let () = print_endline (Tls.Openssl.string_of_policy my_policy) + let () = print_endline (Tls_policy.Openssl.string_of_policy my_policy) ]} *) type version = TLS_1_2 | TLS_1_3 diff --git a/opam/tls.opam b/opam/tls.opam deleted file mode 100644 index 8190360ccc..0000000000 --- a/opam/tls.opam +++ /dev/null @@ -1,31 +0,0 @@ -# This file is generated by dune, edit dune-project instead -opam-version: "2.0" -synopsis: "TLS policy types and format-specific string renderers" -description: - "Provides TLS policy types and renderers for GnuTLS priority strings and OpenSSL cipher lists." -maintainer: ["Xapi project maintainers"] -authors: ["xen-api@lists.xen.org"] -license: "LGPL-2.1-only WITH OCaml-LGPL-linking-exception" -homepage: "https://xapi-project.github.io/" -bug-reports: "https://github.com/xapi-project/xen-api/issues" -depends: [ - "dune" {>= "3.20"} - "ocaml" {>= "4.14"} - "odoc" {with-doc} -] -build: [ - ["dune" "subst"] {dev} - [ - "dune" - "build" - "-p" - name - "-j" - jobs - "@install" - "@runtest" {with-test} - "@doc" {with-doc} - ] -] -dev-repo: "git+https://github.com/xapi-project/xen-api.git" -x-maintenance-intent: ["(latest)"]