Add TLS support!

.github/scripts/build-posix.sh

@@ -40,6 +40,8 @@ export PKG_CONFIG_PATH=/usr/share/pkgconfig/pkgconfig
 git clone https://github.com/savonet/Camomile.git
 cd Camomile && opam install -y .
 
+opam install -y tls ca-certs
+
 echo "::endgroup::"
 
 echo "::group::Checking out CI commit"

.gitignore

@@ -3,3 +3,5 @@
 _build/
 liquidsoap.config
 *.install
+tests/streams/ssl.cert
+tests/streams/ssl.key

CHANGES.md

@@ -12,6 +12,7 @@ New:
 - Added support for FLAC metadata (#2952)
 - Added support for YAML parsing and rendering (#2855)
 - Added support for the proprietary shared stereotool library (#2953)
+- Added TLS support via `ocaml-tls` (#3074)
 - Added `video.align`.
 - Added `string.index`.
 - Added support for ffmpeg decoder parameters to allow decoding of
@@ -104,6 +105,8 @@ Changed:
   protocol.
 - The `sleeper` operator is now scripted (#2899).
 - Reworked remote request file extension resolution (#2947)
+- REMOVED `osx-secure-transport`. Doubt it was ever used, API deprecated
+  upstream (#3067)
 
 Fixed:
 
@@ -114,6 +117,7 @@ Fixed:
 - Fixed race condition when switching `input.ffmpeg`-based urls (#2956)
 - Fixed deadlock in `%external` encoder (#3029)
 - Fixed crash in encoders due to concurrent access (#3064)
+- Fixed long-term connection issues with SSL (#3067)
 
 ---
 

dune-project

@@ -62,7 +62,6 @@
     ogg
     opus
     osc-unix
-    osx-secure-transport
     portaudio
     posix-time2
     pulseaudio
@@ -74,6 +73,7 @@
     srt
     ssl
     taglib
+    tls-liquidsoap
     theora
     tsdl
     tsdl-image
@@ -168,3 +168,10 @@
      (liquidsoap-lang (<> :version)))
    (synopsis "Liquidosap emacs mode")
 )
+
+(package
+   (name tls-liquidsoap)
+   (allow_empty)
+   (depends tls ca-certs)
+   (synopsis "Liquidosap dependencies for TLS optional features")
+)

liquidsoap.opam

@@ -65,7 +65,6 @@ depopts: [
   "ogg"
   "opus"
   "osc-unix"
-  "osx-secure-transport"
   "portaudio"
   "posix-time2"
   "pulseaudio"
@@ -77,6 +76,7 @@ depopts: [
   "srt"
   "ssl"
   "taglib"
+  "tls-liquidsoap"
   "theora"
   "tsdl"
   "tsdl-image"
@@ -166,10 +166,10 @@ to decode metadata tags from many audio and video media files. This is a feature
 most users want."""
     {success & !taglib-enabled}
   """\
-We noticed that you did not install any ssl support package. Liquidsoap won't
-be able to use any of the `https.{get,...}` operators. You might want to install one of ssl or
-osx-secure-transport package."""
-    {success & !ssl-enabled & !secure-transport-enabled}
+We noticed that you did not install any ssl or tls support. Liquidsoap won't
+be able to use SSL encryption in its input or output operators. You might want
+to install one of ssl or tls-liquidsoap package."""
+    {success & !ssl-enabled & !tls-enabled}
   """\
 We noticed that your build includes GStreamer support. This support is DEPRECATED.
 We suggest you consider moving to FFmpeg, which should provide same the same level

liquidsoap.opam.template

@@ -23,10 +23,10 @@ to decode metadata tags from many audio and video media files. This is a feature
 most users want."""
     {success & !taglib-enabled}
   """\
-We noticed that you did not install any ssl support package. Liquidsoap won't
-be able to use any of the `https.{get,...}` operators. You might want to install one of ssl or
-osx-secure-transport package."""
-    {success & !ssl-enabled & !secure-transport-enabled}
+We noticed that you did not install any ssl or tls support. Liquidsoap won't
+be able to use SSL encryption in its input or output operators. You might want
+to install one of ssl or tls-liquidsoap package."""
+    {success & !ssl-enabled & !tls-enabled}
   """\
 We noticed that your build includes GStreamer support. This support is DEPRECATED.
 We suggest you consider moving to FFmpeg, which should provide same the same level

src/config/tls_option.disabled.ml

@@ -0,0 +1,2 @@
+let detected = "no (requires tls-liquidsoap)"
+let enabled = false

src/core/builtins/builtins_cry.ml

@@ -114,6 +114,7 @@ let _ =
       in
       begin
         try
+          let transport = (transport :> Cry.transport) in
           Cry.manual_update_metadata ~host ~port ~protocol ~user ~password
             ~mount ~headers ~transport metas
         with e ->

src/core/builtins/builtins_optionals.ml

@@ -42,7 +42,6 @@ let () =
       ("opus", Opus_option.enabled);
       ("osc", Osc_option.enabled);
       ("oss", Oss_option.enabled);
-      ("osx_secure_transport", Osx_secure_transport_option.enabled);
       ("portaudio", Portaudio_option.enabled);
       ("posix_time2", Posix_time_option.enabled);
       ("prometheus", Prometheus_option.enabled);
@@ -54,6 +53,7 @@ let () =
       ("speex", Speex_option.enabled);
       ("srt", Srt_option.enabled);
       ("ssl", Ssl_option.enabled);
+      ("tls", Tls_option.enabled);
       ("taglib", Taglib_option.enabled);
       ("theora", Theora_option.enabled);
       ("vorbis", Vorbis_option.enabled);

src/core/builtins/builtins_socket.ml

@@ -405,7 +405,9 @@ module Socket_value = struct
       [
         ( "accept",
           Lang.val_fun [] (fun _ ->
-              let fd, sockaddr = socket#transport#accept socket#file_descr in
+              let fd, sockaddr =
+                socket#transport#server#accept socket#file_descr
+              in
               Lang.product (to_value fd) (Socket_addr.to_value sockaddr)) );
         ( "connect",
           Lang.val_fun

src/core/builtins/builtins_http_ssl.ml → src/core/builtins/builtins_ssl.ml

@@ -21,15 +21,6 @@
 
  *****************************************************************************)
 
-let get_ctx ~password ~certificate ~key () =
-  let ctx = Ssl.create_context Ssl.SSLv23 Ssl.Server_context in
-  ignore
-    (Option.map
-       (fun password -> Ssl.set_password_callback ctx (fun _ -> password))
-       password);
-  Ssl.use_certificate ctx certificate key;
-  ctx
-
 let set_socket_default ~read_timeout ~write_timeout fd =
   ignore (Option.map (Unix.setsockopt_float fd Unix.SO_RCVTIMEO) read_timeout);
   ignore (Option.map (Unix.setsockopt_float fd Unix.SO_SNDTIMEO) write_timeout)
@@ -57,6 +48,26 @@ let ssl_socket transport ssl =
       Unix.close (Ssl.file_descr_of_socket ssl)
   end
 
+let server ~read_timeout ~write_timeout ~password ~certificate ~key transport =
+  let context = Ssl.create_context Ssl.SSLv23 Ssl.Server_context in
+  let () =
+    ignore
+      (Option.map
+         (fun password -> Ssl.set_password_callback context (fun _ -> password))
+         password);
+    Ssl.use_certificate context (certificate ()) (key ())
+  in
+  object
+    method transport = transport
+
+    method accept sock =
+      let s, caller = Unix.accept ~cloexec:true sock in
+      set_socket_default ~read_timeout ~write_timeout s;
+      let ssl_s = Ssl.embed_socket s context in
+      Ssl.accept ssl_s;
+      (ssl_socket transport ssl_s, caller)
+  end
+
 let transport ~read_timeout ~write_timeout ~password ~certificate ~key () =
   object (self)
     method name = "ssl"
@@ -111,15 +122,8 @@ let transport ~read_timeout ~write_timeout ~password ~certificate ~key () =
         let bt = Printexc.get_raw_backtrace () in
         Lang.raise_as_runtime ~bt ~kind:"ssl" exn
 
-    method accept sock =
-      let s, caller = Unix.accept ~cloexec:true sock in
-      set_socket_default ~read_timeout ~write_timeout s;
-      let ctx =
-        get_ctx ~password ~certificate:(certificate ()) ~key:(key ()) ()
-      in
-      let ssl_s = Ssl.embed_socket s ctx in
-      Ssl.accept ssl_s;
-      (ssl_socket self ssl_s, caller)
+    method server =
+      server ~read_timeout ~write_timeout ~password ~certificate ~key self
   end
 
 let _ =