Overview
Comment: | Mbed TLS: Don't hardcode path to CA file |
---|---|
Downloads: | Tarball | ZIP archive | SQL archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA3-256: |
027f5e11cf78473b19df58b3c19eb2fc |
User & Date: | js on 2024-01-14 11:01:54 |
Other Links: | manifest | tags |
Context
2024-01-14
| ||
11:47 | Move out subclasses of OFDNSResourceRecord check-in: 487d5cbd83 user: js tags: trunk | |
11:01 | Mbed TLS: Don't hardcode path to CA file check-in: 027f5e11cf user: js tags: trunk | |
2024-01-11
| ||
20:50 | GitHub Actions: Test Mbed TLS on Ubuntu check-in: ee1e7c73be user: js tags: trunk | |
Changes
Modified .github/workflows/ubuntu-latest-gcc.yml from [af6c213c01] to [aebb3c6867].
︙ | ︙ | |||
17 18 19 20 21 22 23 | - --disable-sockets --disable-files - --disable-files - --disable-shared - --disable-shared --enable-seluid24 - --disable-compiler-tls --disable-threads - --with-tls=gnutls - --with-tls=gnutls --disable-shared | | | | 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 | - --disable-sockets --disable-files - --disable-files - --disable-shared - --disable-shared --enable-seluid24 - --disable-compiler-tls --disable-threads - --with-tls=gnutls - --with-tls=gnutls --disable-shared - --with-tls=mbedtls - --with-tls=mbedtls --disable-shared steps: - name: Install dependencies run: | sudo apt-get update sudo apt-get install gobjc libssl-dev gnutls-dev libmbedtls-dev - uses: actions/checkout@v4 - name: autogen.sh |
︙ | ︙ |
Modified .github/workflows/ubuntu-latest.yml from [9882b16bd8] to [c0481fd267].
︙ | ︙ | |||
17 18 19 20 21 22 23 | - --disable-sockets --disable-files - --disable-files - --disable-shared - --disable-shared --enable-seluid24 - --disable-compiler-tls --disable-threads - --with-tls=gnutls - --with-tls=gnutls --disable-shared | | | | 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 | - --disable-sockets --disable-files - --disable-files - --disable-shared - --disable-shared --enable-seluid24 - --disable-compiler-tls --disable-threads - --with-tls=gnutls - --with-tls=gnutls --disable-shared - --with-tls=mbedtls - --with-tls=mbedtls --disable-shared steps: - name: Install dependencies run: | sudo apt-get update sudo apt-get install libssl-dev gnutls-dev libmbedtls-dev - uses: actions/checkout@v4 - name: autogen.sh |
︙ | ︙ |
Modified configure.ac from [92123c5a4c] to [4749647762].
︙ | ︙ | |||
1851 1852 1853 1854 1855 1856 1857 | dnl Disable default action-if-not-found, which exits dnl configure with an error. : ]) ]) AS_IF([test x"$with_tls" = x"mbedtls"], [ | < < < < < < < < < < < | 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 | dnl Disable default action-if-not-found, which exits dnl configure with an error. : ]) ]) AS_IF([test x"$with_tls" = x"mbedtls"], [ AC_CHECK_LIB(mbedtls, mbedtls_net_init, [ AC_CHECK_HEADER(mbedtls/ssl.h, [ tls_support="Mbed TLS" TLS_LIBS="-lmbedx509 -lmbedcrypto $TLS_LIBS" TLS_LIBS="-lmbedtls $TLS_LIBS" AC_SUBST(OF_MBEDTLS_TLS_STREAM_M, |
︙ | ︙ |
Modified src/tls/OFGnuTLSTLSStream.m from [570186048d] to [25d18fe2f0].
︙ | ︙ | |||
192 193 194 195 196 197 198 199 200 201 202 203 204 205 | } - (void)asyncPerformClientHandshakeWithHost: (OFString *)host runLoopMode: (OFRunLoopMode)runLoopMode { static const OFTLSStreamErrorCode initFailedErrorCode = OFTLSStreamErrorCodeInitializationFailed; id exception = nil; int status; if (_initialized) @throw [OFAlreadyOpenException exceptionWithObject: self]; if (gnutls_init(&_session, GNUTLS_CLIENT | GNUTLS_NONBLOCK | | > | 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 | } - (void)asyncPerformClientHandshakeWithHost: (OFString *)host runLoopMode: (OFRunLoopMode)runLoopMode { static const OFTLSStreamErrorCode initFailedErrorCode = OFTLSStreamErrorCodeInitializationFailed; void *pool = objc_autoreleasePoolPush(); id exception = nil; int status; if (_initialized) @throw [OFAlreadyOpenException exceptionWithObject: self]; if (gnutls_init(&_session, GNUTLS_CLIENT | GNUTLS_NONBLOCK | |
︙ | ︙ | |||
243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 | runLoopMode: runLoopMode]; else [_underlyingStream asyncReadIntoBuffer: (void *)"" length: 0 runLoopMode: runLoopMode]; [_delegate retain]; return; } if (status == GNUTLS_E_SUCCESS) _handshakeDone = true; else /* FIXME: Map to better errors */ exception = [OFTLSHandshakeFailedException exceptionWithStream: self host: host errorCode: OFTLSStreamErrorCodeUnknown]; if ([_delegate respondsToSelector: @selector(stream:didPerformClientHandshakeWithHost:exception:)]) [_delegate stream: self didPerformClientHandshakeWithHost: host exception: exception]; } - (bool)stream: (OFStream *)stream didReadIntoBuffer: (void *)buffer length: (size_t)length exception: (id)exception { | > > > | 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 | runLoopMode: runLoopMode]; else [_underlyingStream asyncReadIntoBuffer: (void *)"" length: 0 runLoopMode: runLoopMode]; [_delegate retain]; objc_autoreleasePoolPop(pool); return; } if (status == GNUTLS_E_SUCCESS) _handshakeDone = true; else /* FIXME: Map to better errors */ exception = [OFTLSHandshakeFailedException exceptionWithStream: self host: host errorCode: OFTLSStreamErrorCodeUnknown]; if ([_delegate respondsToSelector: @selector(stream:didPerformClientHandshakeWithHost:exception:)]) [_delegate stream: self didPerformClientHandshakeWithHost: host exception: exception]; objc_autoreleasePoolPop(pool); } - (bool)stream: (OFStream *)stream didReadIntoBuffer: (void *)buffer length: (size_t)length exception: (id)exception { |
︙ | ︙ |
Modified src/tls/OFMbedTLSTLSStream.h from [b21f7f1267] to [9e5643f69d].
︙ | ︙ | |||
20 21 22 23 24 25 26 27 28 29 30 31 | OF_ASSUME_NONNULL_BEGIN @interface OFMbedTLSTLSStream: OFTLSStream <OFStreamDelegate> { bool _initialized, _handshakeDone; mbedtls_ssl_config _config; mbedtls_ssl_context _SSL; OFString *_host; } @end OF_ASSUME_NONNULL_END | > | 20 21 22 23 24 25 26 27 28 29 30 31 32 | OF_ASSUME_NONNULL_BEGIN @interface OFMbedTLSTLSStream: OFTLSStream <OFStreamDelegate> { bool _initialized, _handshakeDone; mbedtls_ssl_config _config; mbedtls_ssl_context _SSL; mbedtls_x509_crt _CAChain; OFString *_host; } @end OF_ASSUME_NONNULL_END |
Modified src/tls/OFMbedTLSTLSStream.m from [14845fbfc0] to [0265ea26a9].
︙ | ︙ | |||
14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | */ #include "config.h" #include <errno.h> #import "OFMbedTLSTLSStream.h" #import "OFData.h" #import "OFAlreadyOpenException.h" #import "OFInitializationFailedException.h" #import "OFNotOpenException.h" #import "OFOutOfRangeException.h" #import "OFReadFailedException.h" #import "OFTLSHandshakeFailedException.h" #import "OFWriteFailedException.h" #include <mbedtls/ctr_drbg.h> #include <mbedtls/entropy.h> int _ObjFWTLS_reference; static mbedtls_entropy_context entropy; static mbedtls_ctr_drbg_context CTRDRBG; | > > > < | 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 | */ #include "config.h" #include <errno.h> #import "OFMbedTLSTLSStream.h" #import "OFApplication.h" #import "OFData.h" #import "OFDictionary.h" #import "OFLocale.h" #import "OFAlreadyOpenException.h" #import "OFInitializationFailedException.h" #import "OFNotOpenException.h" #import "OFOutOfRangeException.h" #import "OFReadFailedException.h" #import "OFTLSHandshakeFailedException.h" #import "OFWriteFailedException.h" #include <mbedtls/ctr_drbg.h> #include <mbedtls/entropy.h> int _ObjFWTLS_reference; static mbedtls_entropy_context entropy; static mbedtls_ctr_drbg_context CTRDRBG; @implementation OFMbedTLSTLSStream static int readFunc(void *ctx, unsigned char *buffer, size_t length) { OFMbedTLSTLSStream *stream = (OFMbedTLSTLSStream *)ctx; |
︙ | ︙ | |||
97 98 99 100 101 102 103 | return; mbedtls_entropy_init(&entropy); if (mbedtls_ctr_drbg_seed(&CTRDRBG, mbedtls_entropy_func, &entropy, NULL, 0) != 0) @throw [OFInitializationFailedException exceptionWithClass: self]; | < < < < < > > > > | 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 | return; mbedtls_entropy_init(&entropy); if (mbedtls_ctr_drbg_seed(&CTRDRBG, mbedtls_entropy_func, &entropy, NULL, 0) != 0) @throw [OFInitializationFailedException exceptionWithClass: self]; } - (instancetype)initWithStream: (OFStream <OFReadyForReadingObserving, OFReadyForWritingObserving> *)stream { self = [super initWithStream: stream]; @try { _underlyingStream.delegate = self; mbedtls_x509_crt_init(&_CAChain); } @catch (id e) { [self release]; @throw e; } return self; } - (void)dealloc { if (_initialized) [self close]; [_host release]; mbedtls_x509_crt_free(&_CAChain); [super dealloc]; } - (void)close { if (!_initialized) |
︙ | ︙ | |||
210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 | } - (void)asyncPerformClientHandshakeWithHost: (OFString *)host runLoopMode: (OFRunLoopMode)runLoopMode { static const OFTLSStreamErrorCode initFailedErrorCode = OFTLSStreamErrorCodeInitializationFailed; id exception = nil; int status; if (_initialized) @throw [OFAlreadyOpenException exceptionWithObject: self]; if (mbedtls_ssl_config_defaults(&_config, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT) != 0) @throw [OFTLSHandshakeFailedException exceptionWithStream: self host: host errorCode: initFailedErrorCode]; mbedtls_ssl_conf_rng(&_config, mbedtls_ctr_drbg_random, &CTRDRBG); mbedtls_ssl_conf_authmode(&_config, (_verifiesCertificates ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE)); | > > > > > > > > > > > > > > > | | 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 | } - (void)asyncPerformClientHandshakeWithHost: (OFString *)host runLoopMode: (OFRunLoopMode)runLoopMode { static const OFTLSStreamErrorCode initFailedErrorCode = OFTLSStreamErrorCodeInitializationFailed; void *pool = objc_autoreleasePoolPush(); OFString *CAFilePath; id exception = nil; int status; if (_initialized) @throw [OFAlreadyOpenException exceptionWithObject: self]; if (mbedtls_ssl_config_defaults(&_config, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT) != 0) @throw [OFTLSHandshakeFailedException exceptionWithStream: self host: host errorCode: initFailedErrorCode]; mbedtls_ssl_conf_rng(&_config, mbedtls_ctr_drbg_random, &CTRDRBG); mbedtls_ssl_conf_authmode(&_config, (_verifiesCertificates ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE)); /* TODO: Add other ways to add a CA chain */ CAFilePath = [[OFApplication environment] objectForKey: @"OBJFW_MBEDTLS_CA_PATH"]; if (CAFilePath != nil) { if (mbedtls_x509_crt_parse_file(&_CAChain, [CAFilePath cStringWithEncoding: [OFLocale encoding]]) != 0) @throw [OFTLSHandshakeFailedException exceptionWithStream: self host: host errorCode: initFailedErrorCode]; } mbedtls_ssl_conf_ca_chain(&_config, &_CAChain, NULL); mbedtls_ssl_init(&_SSL); if (mbedtls_ssl_setup(&_SSL, &_config) != 0) @throw [OFTLSHandshakeFailedException exceptionWithStream: self host: host errorCode: initFailedErrorCode]; |
︙ | ︙ | |||
252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 | status = mbedtls_ssl_handshake(&_SSL); if (status == MBEDTLS_ERR_SSL_WANT_READ) { [_underlyingStream asyncReadIntoBuffer: (void *)"" length: 0 runLoopMode: runLoopMode]; [_delegate retain]; return; } else if (status == MBEDTLS_ERR_SSL_WANT_WRITE) { [_underlyingStream asyncWriteData: [OFData data] runLoopMode: runLoopMode]; [_delegate retain]; return; } if (status == 0) _handshakeDone = true; else /* FIXME: Map to better errors */ exception = [OFTLSHandshakeFailedException exceptionWithStream: self host: host errorCode: OFTLSStreamErrorCodeUnknown]; if ([_delegate respondsToSelector: @selector(stream:didPerformClientHandshakeWithHost:exception:)]) [_delegate stream: self didPerformClientHandshakeWithHost: host exception: exception]; } - (bool)stream: (OFStream *)stream didReadIntoBuffer: (void *)buffer length: (size_t)length exception: (id)exception { | > > > > | 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 | status = mbedtls_ssl_handshake(&_SSL); if (status == MBEDTLS_ERR_SSL_WANT_READ) { [_underlyingStream asyncReadIntoBuffer: (void *)"" length: 0 runLoopMode: runLoopMode]; [_delegate retain]; objc_autoreleasePoolPop(pool); return; } else if (status == MBEDTLS_ERR_SSL_WANT_WRITE) { [_underlyingStream asyncWriteData: [OFData data] runLoopMode: runLoopMode]; [_delegate retain]; objc_autoreleasePoolPop(pool); return; } if (status == 0) _handshakeDone = true; else /* FIXME: Map to better errors */ exception = [OFTLSHandshakeFailedException exceptionWithStream: self host: host errorCode: OFTLSStreamErrorCodeUnknown]; if ([_delegate respondsToSelector: @selector(stream:didPerformClientHandshakeWithHost:exception:)]) [_delegate stream: self didPerformClientHandshakeWithHost: host exception: exception]; objc_autoreleasePoolPop(pool); } - (bool)stream: (OFStream *)stream didReadIntoBuffer: (void *)buffer length: (size_t)length exception: (id)exception { |
︙ | ︙ |
Modified src/tls/OFOpenSSLTLSStream.m from [acd160399f] to [2423ed840a].
︙ | ︙ | |||
210 211 212 213 214 215 216 217 218 219 220 221 222 223 | } - (void)asyncPerformClientHandshakeWithHost: (OFString *)host runLoopMode: (OFRunLoopMode)runLoopMode { static const OFTLSStreamErrorCode initFailedErrorCode = OFTLSStreamErrorCodeInitializationFailed; id exception = nil; int status; if (_SSL != NULL) @throw [OFAlreadyOpenException exceptionWithObject: self]; if ((_readBIO = BIO_new(BIO_s_mem())) == NULL) | > | 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 | } - (void)asyncPerformClientHandshakeWithHost: (OFString *)host runLoopMode: (OFRunLoopMode)runLoopMode { static const OFTLSStreamErrorCode initFailedErrorCode = OFTLSStreamErrorCodeInitializationFailed; void *pool = objc_autoreleasePoolPush(); id exception = nil; int status; if (_SSL != NULL) @throw [OFAlreadyOpenException exceptionWithObject: self]; if ((_readBIO = BIO_new(BIO_s_mem())) == NULL) |
︙ | ︙ | |||
283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 | else { switch (SSL_get_error(_SSL, status)) { case SSL_ERROR_WANT_READ: [_underlyingStream asyncReadIntoBuffer: _buffer length: bufferSize runLoopMode: runLoopMode]; [_delegate retain]; return; case SSL_ERROR_WANT_WRITE: [_underlyingStream asyncWriteData: [OFData data] runLoopMode: runLoopMode]; [_delegate retain]; return; default: /* FIXME: Map to better errors */ exception = [OFTLSHandshakeFailedException exceptionWithStream: self host: host errorCode: OFTLSStreamErrorCodeUnknown]; break; } } if ([_delegate respondsToSelector: @selector(stream:didPerformClientHandshakeWithHost:exception:)]) [_delegate stream: self didPerformClientHandshakeWithHost: host exception: exception]; } - (bool)stream: (OFStream *)stream didReadIntoBuffer: (void *)buffer length: (size_t)length exception: (nullable id)exception { | > > > > | 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 | else { switch (SSL_get_error(_SSL, status)) { case SSL_ERROR_WANT_READ: [_underlyingStream asyncReadIntoBuffer: _buffer length: bufferSize runLoopMode: runLoopMode]; [_delegate retain]; objc_autoreleasePoolPop(pool); return; case SSL_ERROR_WANT_WRITE: [_underlyingStream asyncWriteData: [OFData data] runLoopMode: runLoopMode]; [_delegate retain]; objc_autoreleasePoolPop(pool); return; default: /* FIXME: Map to better errors */ exception = [OFTLSHandshakeFailedException exceptionWithStream: self host: host errorCode: OFTLSStreamErrorCodeUnknown]; break; } } if ([_delegate respondsToSelector: @selector(stream:didPerformClientHandshakeWithHost:exception:)]) [_delegate stream: self didPerformClientHandshakeWithHost: host exception: exception]; objc_autoreleasePoolPop(pool); } - (bool)stream: (OFStream *)stream didReadIntoBuffer: (void *)buffer length: (size_t)length exception: (nullable id)exception { |
︙ | ︙ |
Modified src/tls/OFSecureTransportTLSStream.m from [b218de48f5] to [57e790b2b8].
︙ | ︙ | |||
178 179 180 181 182 183 184 185 186 187 188 189 190 191 | } - (void)asyncPerformClientHandshakeWithHost: (OFString *)host runLoopMode: (OFRunLoopMode)runLoopMode { static const OFTLSStreamErrorCode initFailedErrorCode = OFTLSStreamErrorCodeInitializationFailed; id exception = nil; OSStatus status; if (_context != NULL) @throw [OFAlreadyOpenException exceptionWithObject: self]; #ifdef HAVE_SSLCREATECONTEXT | > | 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 | } - (void)asyncPerformClientHandshakeWithHost: (OFString *)host runLoopMode: (OFRunLoopMode)runLoopMode { static const OFTLSStreamErrorCode initFailedErrorCode = OFTLSStreamErrorCodeInitializationFailed; void *pool = objc_autoreleasePoolPush(); id exception = nil; OSStatus status; if (_context != NULL) @throw [OFAlreadyOpenException exceptionWithObject: self]; #ifdef HAVE_SSLCREATECONTEXT |
︙ | ︙ | |||
227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 | * readable or writable doesn't work either, as the stream is * almost always at least ready for one of the two. */ [_underlyingStream asyncReadIntoBuffer: (void *)"" length: 0 runLoopMode: runLoopMode]; [_delegate retain]; return; } if (status != noErr) /* FIXME: Map to better errors */ exception = [OFTLSHandshakeFailedException exceptionWithStream: self host: _host errorCode: OFTLSStreamErrorCodeUnknown]; if ([_delegate respondsToSelector: @selector(stream:didPerformClientHandshakeWithHost:exception:)]) [_delegate stream: self didPerformClientHandshakeWithHost: _host exception: exception]; } - (bool)stream: (OFStream *)stream didReadIntoBuffer: (void *)buffer length: (size_t)length exception: (nullable id)exception { | > > > | 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 | * readable or writable doesn't work either, as the stream is * almost always at least ready for one of the two. */ [_underlyingStream asyncReadIntoBuffer: (void *)"" length: 0 runLoopMode: runLoopMode]; [_delegate retain]; objc_autoreleasePoolPop(pool); return; } if (status != noErr) /* FIXME: Map to better errors */ exception = [OFTLSHandshakeFailedException exceptionWithStream: self host: _host errorCode: OFTLSStreamErrorCodeUnknown]; if ([_delegate respondsToSelector: @selector(stream:didPerformClientHandshakeWithHost:exception:)]) [_delegate stream: self didPerformClientHandshakeWithHost: _host exception: exception]; objc_autoreleasePoolPop(pool); } - (bool)stream: (OFStream *)stream didReadIntoBuffer: (void *)buffer length: (size_t)length exception: (nullable id)exception { |
︙ | ︙ |