Index: .github/workflows/ubuntu-latest-gcc.yml
==================================================================
--- .github/workflows/ubuntu-latest-gcc.yml
+++ .github/workflows/ubuntu-latest-gcc.yml
@@ -19,12 +19,12 @@
 - --disable-shared
 - --disable-shared --enable-seluid24
 - --disable-compiler-tls --disable-threads
 - --with-tls=gnutls
 - --with-tls=gnutls --disable-shared
- - --with-tls=mbedtls --with-mbedtls-ca-path=/etc/ssl/certs/ca-certificates.crt
- - --with-tls=mbedtls --with-mbedtls-ca-path=/etc/ssl/certs/ca-certificates.crt --disable-shared
+ - --with-tls=mbedtls
+ - --with-tls=mbedtls --disable-shared
 steps:
 - name: Install dependencies
 run: |
 sudo apt-get update
 sudo apt-get install gobjc libssl-dev gnutls-dev libmbedtls-dev
Index: .github/workflows/ubuntu-latest.yml
==================================================================
--- .github/workflows/ubuntu-latest.yml
+++ .github/workflows/ubuntu-latest.yml
@@ -19,12 +19,12 @@
 - --disable-shared
 - --disable-shared --enable-seluid24
 - --disable-compiler-tls --disable-threads
 - --with-tls=gnutls
 - --with-tls=gnutls --disable-shared
- - --with-tls=mbedtls --with-mbedtls-ca-path=/etc/ssl/certs/ca-certificates.crt
- - --with-tls=mbedtls --with-mbedtls-ca-path=/etc/ssl/certs/ca-certificates.crt --disable-shared
+ - --with-tls=mbedtls
+ - --with-tls=mbedtls --disable-shared
 steps:
 - name: Install dependencies
 run: |
 sudo apt-get update
 sudo apt-get install libssl-dev gnutls-dev libmbedtls-dev
Index: configure.ac
==================================================================
--- configure.ac
+++ configure.ac
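Review bot: With `--with-mbedtls-ca-path` dropped from the two Mbed TLS matrix entries, the Mbed TLS CI builds no longer get a trust store at build time, and nothing in this hunk exports the `OBJFW_MBEDTLS_CA_PATH` variable that the OFMbedTLSTLSStream.m hunk of this commit now reads instead. If any test in these jobs performs a certificate-verified handshake, it will now run against an empty CA chain; in that case the job needs `env:` with `OBJFW_MBEDTLS_CA_PATH: /etc/ssl/certs/ca-certificates.crt`, the same path the removed entries used. The same applies to the ubuntu-latest.yml hunk.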
@@ -1853,21 +1853,10 @@
 :
 ])
 ])
 AS_IF([test x"$with_tls" = x"mbedtls"], [
- AC_ARG_WITH(mbedtls-ca-path,
- AS_HELP_STRING([path to CA file for Mbed TLS]))
-
- AS_IF([test x"$with_mbedtls_ca_path" = x""], [
- AC_MSG_ERROR(m4_normalize([
- --with-mbedtls-ca-path needs to be specified!
- ]))
- ])
- AC_DEFINE_UNQUOTED(OF_MBEDTLS_CA_PATH, "$with_mbedtls_ca_path",
- [Path to CA file for Mbed TLS])
-
 AC_CHECK_LIB(mbedtls, mbedtls_net_init, [
 AC_CHECK_HEADER(mbedtls/ssl.h, [
 tls_support="Mbed TLS"
 TLS_LIBS="-lmbedx509 -lmbedcrypto $TLS_LIBS"
 TLS_LIBS="-lmbedtls $TLS_LIBS"
Index: src/tls/OFGnuTLSTLSStream.m
==================================================================
--- src/tls/OFGnuTLSTLSStream.m
+++ src/tls/OFGnuTLSTLSStream.m
@@ -194,10 +194,11 @@
 - (void)asyncPerformClientHandshakeWithHost: (OFString *)host
 runLoopMode: (OFRunLoopMode)runLoopMode
 {
 static const OFTLSStreamErrorCode initFailedErrorCode =
 OFTLSStreamErrorCodeInitializationFailed;
+ void *pool = objc_autoreleasePoolPush();
 id exception = nil;
 int status;
 if (_initialized)
 @throw [OFAlreadyOpenException exceptionWithObject: self];
@@ -245,10 +246,11 @@
 [_underlyingStream asyncReadIntoBuffer: (void *)""
 length: 0
 runLoopMode: runLoopMode];
 [_delegate retain];
+ objc_autoreleasePoolPop(pool);
 return;
 }
 if (status == GNUTLS_E_SUCCESS)
 _handshakeDone = true;
@@ -262,10 +264,12 @@
 if ([_delegate respondsToSelector:
 @selector(stream:didPerformClientHandshakeWithHost:exception:)])
 [_delegate stream: self
 didPerformClientHandshakeWithHost: host
 exception: exception];
+
+ objc_autoreleasePoolPop(pool);
 }
 - (bool)stream: (OFStream *)stream
 didReadIntoBuffer: (void *)buffer
 length: (size_t)length
Index: src/tls/OFMbedTLSTLSStream.h
==================================================================
--- src/tls/OFMbedTLSTLSStream.h
+++ src/tls/OFMbedTLSTLSStream.h
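Review bot: `void *pool = objc_autoreleasePoolPush();` now runs before `if (_initialized) @throw [OFAlreadyOpenException exceptionWithObject: self];`, and neither that throw nor any later `@throw` in the method pops the pool; only the `return` paths received an `objc_autoreleasePoolPop(pool)`, so every exception exit leaves the pool pushed. Because the exceptions come from `+exceptionWith…` factories and are presumably autoreleased, the pop cannot simply be placed before the `@throw`; wrapping the body in `@try { … } @catch (id e) { [e retain]; objc_autoreleasePoolPop(pool); @throw [e autorelease]; }`, or moving the push below the `_initialized` check and handling the remaining throws the same way, keeps the pool balanced on all paths. The same pattern is in the OFMbedTLSTLSStream.m, OFOpenSSLTLSStream.m and OFSecureTransportTLSStream.m hunks of this commit, and the Mbed TLS hunk adds a further `@throw` between push and pop for the CA-file parse failure. The method body continues outside the hunk.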
@@ -22,10 +22,11 @@
 @interface OFMbedTLSTLSStream: OFTLSStream
 {
 bool _initialized, _handshakeDone;
 mbedtls_ssl_config _config;
 mbedtls_ssl_context _SSL;
+ mbedtls_x509_crt _CAChain;
 OFString *_host;
 }
 @end
 OF_ASSUME_NONNULL_END
Index: src/tls/OFMbedTLSTLSStream.m
==================================================================
--- src/tls/OFMbedTLSTLSStream.m
+++ src/tls/OFMbedTLSTLSStream.m
@@ -16,11 +16,14 @@
 #include "config.h"
 #include
 #import "OFMbedTLSTLSStream.h"
+#import "OFApplication.h"
 #import "OFData.h"
+#import "OFDictionary.h"
+#import "OFLocale.h"
 #import "OFAlreadyOpenException.h"
 #import "OFInitializationFailedException.h"
 #import "OFNotOpenException.h"
 #import "OFOutOfRangeException.h"
@@ -32,11 +35,10 @@
 #include
 int _ObjFWTLS_reference;
 static mbedtls_entropy_context entropy;
 static mbedtls_ctr_drbg_context CTRDRBG;
-static mbedtls_x509_crt CAChain;
 @implementation OFMbedTLSTLSStream
 static int readFunc(void *ctx, unsigned char *buffer, size_t length)
 {
@@ -99,24 +101,21 @@
 mbedtls_entropy_init(&entropy);
 if (mbedtls_ctr_drbg_seed(&CTRDRBG, mbedtls_entropy_func, &entropy, NULL, 0) != 0)
 @throw [OFInitializationFailedException exceptionWithClass: self];
-
- mbedtls_x509_crt_init(&CAChain);
- if (mbedtls_x509_crt_parse_file(&CAChain, OF_MBEDTLS_CA_PATH) != 0)
- @throw [OFInitializationFailedException
- exceptionWithClass: self];
 }
 - (instancetype)initWithStream: (OFStream *)stream
 {
 self = [super initWithStream: stream];
 @try {
 _underlyingStream.delegate = self;
+
+ mbedtls_x509_crt_init(&_CAChain);
 } @catch (id e) {
 [self release];
 @throw e;
 }
@@ -127,10 +126,12 @@
 {
 if (_initialized)
 [self close];
 [_host release];
+
+ mbedtls_x509_crt_free(&_CAChain);
 [super dealloc];
 }
 - (void)close
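Review bot: `mbedtls_x509_crt_init(&_CAChain);` is placed after `_underlyingStream.delegate = self;` inside the `@try`, so if that assignment throws, the `[self release]` in the `@catch` runs the new `mbedtls_x509_crt_free(&_CAChain)` in `-dealloc` on a context that was never initialised. This is presumably harmless only because freshly allocated ivars are zero-filled; making the init the first statement of the `@try` keeps the init/free pairing explicit and independent of that detail. The `-initWithStream:` body continues outside the hunk.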
@@ -212,10 +213,12 @@
 - (void)asyncPerformClientHandshakeWithHost: (OFString *)host
 runLoopMode: (OFRunLoopMode)runLoopMode
 {
 static const OFTLSStreamErrorCode initFailedErrorCode =
 OFTLSStreamErrorCodeInitializationFailed;
+ void *pool = objc_autoreleasePoolPush();
+ OFString *CAFilePath;
 id exception = nil;
 int status;
 if (_initialized)
 @throw [OFAlreadyOpenException exceptionWithObject: self];
@@ -228,11 +231,24 @@
 errorCode: initFailedErrorCode];
 mbedtls_ssl_conf_rng(&_config, mbedtls_ctr_drbg_random, &CTRDRBG);
 mbedtls_ssl_conf_authmode(&_config, (_verifiesCertificates
 ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE));
- mbedtls_ssl_conf_ca_chain(&_config, &CAChain, NULL);
+
+ /* TODO: Add other ways to add a CA chain */
+ CAFilePath = [[OFApplication environment] objectForKey: @"OBJFW_MBEDTLS_CA_PATH"];
+ if (CAFilePath != nil) {
+ if (mbedtls_x509_crt_parse_file(&_CAChain, [CAFilePath cStringWithEncoding: [OFLocale encoding]]) != 0)
+ @throw [OFTLSHandshakeFailedException exceptionWithStream: self host: host errorCode: initFailedErrorCode];
+ }
+
+ mbedtls_ssl_conf_ca_chain(&_config, &_CAChain, NULL);
 mbedtls_ssl_init(&_SSL);
 if (mbedtls_ssl_setup(&_SSL, &_config) != 0)
 @throw [OFTLSHandshakeFailedException
 exceptionWithStream: self
@@ -254,15 +270,17 @@
 if (status == MBEDTLS_ERR_SSL_WANT_READ) {
 [_underlyingStream asyncReadIntoBuffer: (void *)""
 length: 0
 runLoopMode: runLoopMode];
 [_delegate retain];
+ objc_autoreleasePoolPop(pool);
 return;
 } else if (status == MBEDTLS_ERR_SSL_WANT_WRITE) {
 [_underlyingStream asyncWriteData: [OFData data]
 runLoopMode: runLoopMode];
 [_delegate retain];
+ objc_autoreleasePoolPop(pool);
 return;
 }
 if (status == 0)
 _handshakeDone = true;
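Review bot: When `OBJFW_MBEDTLS_CA_PATH` is unset, `CAFilePath` is nil, the parse block is skipped and `mbedtls_ssl_conf_ca_chain(&_config, &_CAChain, NULL)` installs an empty chain, so with `_verifiesCertificates` true every handshake should fail at verification with nothing pointing at the missing trust store as the cause, while with it false the variable is silently irrelevant. A check such as `if (CAFilePath == nil && _verifiesCertificates)` throwing `OFTLSHandshakeFailedException` with `initFailedErrorCode`, or at least a comment on the nil case, would make that failure diagnosable, and since the removed `AS_HELP_STRING` in configure.ac was the only user-visible mention of the CA path, the variable name and the fact that it selects the process's trust anchors should be documented where embedders will see it, e.g. in the class documentation rather than only in the `/* TODO */`. `mbedtls_x509_crt_parse_file` appends to `_CAChain`, so if this method can run again on the same instance after `close` (not visible here), the chain grows with duplicate certificates on each handshake; parsing once in `-initWithStream:` or freeing and re-initialising `_CAChain` before the parse avoids that. The method body continues outside the hunk.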
@@ -276,10 +294,12 @@
 if ([_delegate respondsToSelector:
 @selector(stream:didPerformClientHandshakeWithHost:exception:)])
 [_delegate stream: self
 didPerformClientHandshakeWithHost: host
 exception: exception];
+
+ objc_autoreleasePoolPop(pool);
 }
 - (bool)stream: (OFStream *)stream
 didReadIntoBuffer: (void *)buffer
 length: (size_t)length
Index: src/tls/OFOpenSSLTLSStream.m
==================================================================
--- src/tls/OFOpenSSLTLSStream.m
+++ src/tls/OFOpenSSLTLSStream.m
@@ -212,10 +212,11 @@
 - (void)asyncPerformClientHandshakeWithHost: (OFString *)host
 runLoopMode: (OFRunLoopMode)runLoopMode
 {
 static const OFTLSStreamErrorCode initFailedErrorCode =
 OFTLSStreamErrorCodeInitializationFailed;
+ void *pool = objc_autoreleasePoolPush();
 id exception = nil;
 int status;
 if (_SSL != NULL)
 @throw [OFAlreadyOpenException exceptionWithObject: self];
@@ -285,15 +286,17 @@
 case SSL_ERROR_WANT_READ:
 [_underlyingStream asyncReadIntoBuffer: _buffer
 length: bufferSize
 runLoopMode: runLoopMode];
 [_delegate retain];
+ objc_autoreleasePoolPop(pool);
 return;
 case SSL_ERROR_WANT_WRITE:
 [_underlyingStream asyncWriteData: [OFData data]
 runLoopMode: runLoopMode];
 [_delegate retain];
+ objc_autoreleasePoolPop(pool);
 return;
 default:
 /* FIXME: Map to better errors */
 exception = [OFTLSHandshakeFailedException
 exceptionWithStream: self
@@ -306,10 +309,12 @@
 if ([_delegate respondsToSelector:
 @selector(stream:didPerformClientHandshakeWithHost:exception:)])
 [_delegate stream: self
 didPerformClientHandshakeWithHost: host
 exception: exception];
+
+ objc_autoreleasePoolPop(pool);
 }
 - (bool)stream: (OFStream *)stream
 didReadIntoBuffer: (void *)buffer
 length: (size_t)length
Index: src/tls/OFSecureTransportTLSStream.m
==================================================================
--- src/tls/OFSecureTransportTLSStream.m
+++ src/tls/OFSecureTransportTLSStream.m
@@ -180,10 +180,11 @@
 - (void)asyncPerformClientHandshakeWithHost: (OFString *)host
 runLoopMode: (OFRunLoopMode)runLoopMode
 {
 static const OFTLSStreamErrorCode initFailedErrorCode =
 OFTLSStreamErrorCodeInitializationFailed;
+ void *pool = objc_autoreleasePoolPush();
 id exception = nil;
 OSStatus status;
 if (_context != NULL)
 @throw [OFAlreadyOpenException exceptionWithObject: self];
@@ -229,10 +230,11 @@
 */
 [_underlyingStream asyncReadIntoBuffer: (void *)""
 length: 0
 runLoopMode: runLoopMode];
 [_delegate retain];
+ objc_autoreleasePoolPop(pool);
 return;
 }
 if (status != noErr)
 /* FIXME: Map to better errors */
@@ -244,10 +246,12 @@
 if ([_delegate respondsToSelector:
 @selector(stream:didPerformClientHandshakeWithHost:exception:)])
 [_delegate stream: self
 didPerformClientHandshakeWithHost: _host
 exception: exception];
+
+ objc_autoreleasePoolPop(pool);
 }
 - (bool)stream: (OFStream *)stream
 didReadIntoBuffer: (void *)buffer
 length: (size_t)length