Index: src/OFTLSSocket.h
==================================================================
--- src/OFTLSSocket.h
+++ src/OFTLSSocket.h
@@ -15,31 +15,38 @@
  */
 
 #import "objfw-defs.h"
 
 @class OFString;
-@class OFArray;
+@class OFDictionary;
 @protocol OFTLSSocket;
 
 /*!
  * @protocol OFTLSSocketDelegate OFTLSSocket.h ObjFW/OFTLSSocket.h
  *
  * @brief A delegate for classes implementing the OFTLSSocket protocol.
  */
 @protocol OFTLSSocketDelegate
+#ifdef OF_HAVE_OPTIONAL_PROTOCOLS
+@optional
+#endif
 /*!
  * @brief This callback is called when the TLS socket wants to know if it
- * should accept the received keychain.
+ * should accept the received certificate.
+ *
+ * @note This is only used to verify certain fields of a certificate to allow
+ * for protocol specific verification. The certificate chain is verified
+ * using the specified CAs, or the system's CAs if no CAs have been
+ * specified.
  *
  * @param socket The socket which wants to know if it should accept the received
- * keychain
- * @param keychain An array of objects implementing the OFX509Certificate
- * protocol
- * @return Whether the TLS socket should accept the received keychain
+ * certificate
+ * @param certificate A dictionary with the fields of the received certificate
+ * @return Whether the TLS socket should accept the received certificatechain
  */
-- (bool)socket: (id )socket
- shouldAcceptKeychain: (OFArray*)keychain;
+- (bool)socket: (id )socket
+ shouldAcceptCertificate: (OFDictionary*)certificate;
 @end
 
 /*!
  * @protocol OFTLSSocket OFTLSSocket.h ObjFW/OFTLSSocket.h
  *
@@ -49,10 +56,12 @@
 @protocol OFTLSSocket
 #ifdef OF_HAVE_PROPERTIES
 @property (assign) id delegate;
 @property (copy) OFString *certificateFile, *privateKeyFile;
 @property const char *privateKeyPassphrase;
+@property (getter=isCertificateVerificationEnabled)
+ bool certificateVerificationEnabled;
 #endif
 
 /*!
  * @brief Initializes the TLS socket with the specified TCP socket as its
  * underlying socket.
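Review bot: The `@return` line of the new `socket:shouldAcceptCertificate:` documentation says `received certificatechain`; it should read `received certificate`, matching the renamed parameter and the `@brief` two lines above it. Since the callback is now `@optional` under OF_HAVE_OPTIONAL_PROTOCOLS, the header should also state what a conforming socket does when the delegate does not implement it, because the `@note` only describes the delegate's role as protocol-specific field checks on top of CA chain verification. If the intended behaviour is that chain verification alone decides in that case, a sentence such as `@note If the delegate does not implement this method, only the certificate chain verification described above is performed.` would make the contract explicit; otherwise document the actual outcome. This is worth settling in the header rather than leaving implementers to infer it.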
@@ -64,12 +73,15 @@
 /*!
  * @brief Initiates the TLS handshake.
  *
  * @note This is only useful if you used @ref initWithSocket: to start TLS on
  * a TCP socket which is already connected!
+ *
+ * @param host The host to expect for certificate verification.
+ * May be nil if certificate verification is disabled.
  */
-- (void)startTLS;
+- (void)startTLSWithExpectedHost: (OFString*)host;
 
 /*!
  * @brief Sets a delegate for the TLS socket.
  *
  * @param delegate The delegate to use
@@ -205,6 +217,22 @@
  *
  * @return The passphrase to decrypt the PKCS#8 private key file for the
  * specified SNI host
  */
 - (const char*)privateKeyPassphraseForSNIHost: (OFString*)SNIHost;
+
+/**
+ * @brief Enable or disable certificate verification.
+ *
+ * The default is enabled.
+ *
+ * @param enabled Whether to enable or disable certificate verification
+ */
+- (void)setCertificateVerificationEnabled: (bool)enabled;
+
+/**
+ * @brief Returns whether certificate verification is enabled.
+ *
+ * @return Whether certificate verification is enabled
+ */
+- (bool)isCertificateVerificationEnabled;
 @end
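Review bot: The `@param host` text for `startTLSWithExpectedHost:` says the host may be nil when certificate verification is disabled, but it does not say what happens when it is nil while verification is enabled, which is the documented default; a caller cannot tell from the header whether the handshake is rejected or whether host-name matching is skipped while only the chain is checked. Suggest stating the outcome explicitly, e.g. `May be nil only if certificate verification is disabled; otherwise the handshake fails.` if that is what the implementation does, or documenting the actual behaviour. The same gap exists for `setCertificateVerificationEnabled:` in the last hunk: it documents the default but not whether the setting must be changed before `startTLSWithExpectedHost:` or a connect to take effect, and it would help to note that with verification disabled the peer's identity is not checked at all, so the delegate callback is the only check that still runs. A one-line `@note` on the setter covering both points would be enough.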