Skip to content

Commit 94ef39e

Browse files
robbiehansonrobbiehanson
committed
Improvements for manual trust evaluation. Addresses issue robbiehanson#161. Changed delegate method "socketShouldManuallyEvaluateTrust:" to be an option passed into startTLS. Also fixed the delegate invocation to dispatch asynchronously.
1 parent 151a30a commit 94ef39e

File tree

5 files changed

+350
-360
lines changed

5 files changed

+350
-360
lines changed

GCD/GCDAsyncSocket.h

Lines changed: 58 additions & 35 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,6 @@
1212
#import <Security/Security.h>
1313
#import <Security/SecureTransport.h>
1414
#import <dispatch/dispatch.h>
15-
#import <TargetConditionals.h>
1615
#import <Availability.h>
1716

1817
#include <sys/socket.h> // AF_INET, AF_INET6
@@ -27,11 +26,15 @@ extern NSString *const GCDAsyncSocketErrorDomain;
2726
extern NSString *const GCDAsyncSocketQueueName;
2827
extern NSString *const GCDAsyncSocketThreadName;
2928

30-
extern NSString *const GCDAsyncSocketSSLCipherSuites;
29+
extern NSString *const GCDAsyncSocketManuallyEvaluateTrust;
3130
#if TARGET_OS_IPHONE
31+
extern NSString *const GCDAsyncSocketUseCFStreamForTLS;
32+
#endif
33+
34+
extern NSString *const GCDAsyncSocketSSLCipherSuites;
3235
extern NSString *const GCDAsyncSocketSSLProtocolVersionMin;
3336
extern NSString *const GCDAsyncSocketSSLProtocolVersionMax;
34-
#else
37+
#if !TARGET_OS_IPHONE
3538
extern NSString *const GCDAsyncSocketSSLDiffieHellmanParameters;
3639
#endif
3740

@@ -629,31 +632,61 @@ typedef enum GCDAsyncSocketError GCDAsyncSocketError;
629632
* the upgrade to TLS at the same time, without having to wait for the write to finish.
630633
* Any reads or writes scheduled after this method is called will occur over the secured connection.
631634
*
632-
* The possible keys and values for the TLS settings are well documented.
633-
* Standard keys are:
634-
*
635-
* - kCFStreamSSLLevel
636-
* - kCFStreamSSLAllowsExpiredCertificates
637-
* - kCFStreamSSLAllowsExpiredRoots
638-
* - kCFStreamSSLAllowsAnyRoot
639-
* - kCFStreamSSLValidatesCertificateChain
635+
* The available keys are:
636+
*
640637
* - kCFStreamSSLPeerName
638+
* The value must be of type NSString.
639+
* It should match the name in the X.509 certificate given by the remote party.
640+
* See the documentation for SSLSetPeerDomainName.
641+
*
641642
* - kCFStreamSSLCertificates
643+
* The value must be of type NSArray.
644+
* See the documentation for SSLSetCertificate.
645+
*
642646
* - kCFStreamSSLIsServer
643-
*
644-
* If SecureTransport is available on iOS:
645-
*
647+
* The value must be of type NSNumber, encapsulationg a BOOL value.
648+
* See the documentation for SSLCreateContext for iOS.
649+
* This is optional for iOS. If not supplied, a NO value is the default.
650+
* This is not needed for Mac OS X, and the value is ignored.
651+
*
646652
* - GCDAsyncSocketSSLCipherSuites
653+
* The values must be of type NSArray.
654+
* Each item within the array must be a NSNumber, encapsulating
655+
* See the documentation for SSLSetEnabledCiphers.
656+
* See also the SSLCipherSuite typedef.
657+
*
647658
* - GCDAsyncSocketSSLProtocolVersionMin
648659
* - GCDAsyncSocketSSLProtocolVersionMax
660+
* The value(s) must be of type NSNumber, encapsulting a SSLProtocol value.
661+
* See the documentation for SSLSetProtocolVersionMin & SSLSetProtocolVersionMax.
662+
* See also the SSLProtocol typedef.
663+
*
664+
* - GCDAsyncSocketSSLDiffieHellmanParameters () [Mac OS X only]
649665
*
650-
* If SecureTransport is available on Mac OS X:
666+
* The following keys are NOT available (and with throw an exception):
651667
*
652-
* - GCDAsyncSocketSSLCipherSuites
653-
* - GCDAsyncSocketSSLDiffieHellmanParameters;
668+
* - kCFStreamSSLAllowsAnyRoot (UNAVAILABLE)
669+
* You MUST use manualTrustEvaluation.
670+
* Corresponding deprecated method: SSLSetAllowsAnyRoot
654671
*
672+
* - kCFStreamSSLAllowsExpiredRoots (UNAVAILABLE)
673+
* You MUST use manualTrustEvaluation.
674+
* Corresponding deprecated method: SSLSetAllowsExpiredRoots
675+
*
676+
* - kCFStreamSSLAllowsExpiredCertificates (UNAVAILABLE)
677+
* You MUST use manualTrustEvaluation.
678+
* Corresponding deprecated method: SSLSetAllowsExpiredCerts
679+
*
680+
* - kCFStreamSSLValidatesCertificateChain (UNAVAILABLE)
681+
* You MUST use manualTrustEvaluation.
682+
* Corresponding deprecated method: SSLSetEnableCertVerify
683+
*
684+
* - kCFStreamSSLLevel (UNAVAILABLE)
685+
* You MUST use GCDAsyncSocketSSLProtocolVersionMin / Max instead.
686+
* Corresponding deprecated method: SSLSetProtocolVersionEnabled
687+
*
655688
*
656-
* Please refer to Apple's documentation for associated values, as well as other possible keys.
689+
* Please refer to Apple's documentation for corresponding SSLFunctions.
657690
*
658691
* If you pass in nil or an empty dictionary, the default settings will be used.
659692
*
@@ -668,11 +701,9 @@ typedef enum GCDAsyncSocketError GCDAsyncSocketError;
668701
* the default settings will not detect any problems since the certificate is valid.
669702
* To properly secure your connection in this particular scenario you
670703
* should set the kCFStreamSSLPeerName property to "MySecureServer.com".
671-
* If you do not know the peer name of the remote host in advance (for example, you're not sure
672-
* if it will be "domain.com" or "www.domain.com"), then you can use the default settings to validate the
673-
* certificate, and then use the X509Certificate class to verify the issuer after the socket has been secured.
674-
* The X509Certificate class is part of the CocoaAsyncSocket open source project.
675-
**/
704+
*
705+
* You can also perform additional validation via the certificate provided in socketDidSecure.
706+
**/
676707
- (void)startTLS:(NSDictionary *)tlsSettings;
677708

678709
#pragma mark Advanced
@@ -1065,23 +1096,15 @@ typedef enum GCDAsyncSocketError GCDAsyncSocketError;
10651096
**/
10661097
- (void)socketDidSecure:(GCDAsyncSocket *)sock;
10671098

1068-
/**
1069-
* Called to determine if the -socket:shouldTrustPeer: callback should be enabled.
1070-
* Returning YES here will set the SSL session option kSSLSessionOptionBreakOnServerAuth.
1071-
*
1072-
* NOTE: Currently only implemented for client sockets. Returning YES in server socket
1073-
* will terminate the connection.
1074-
**/
1075-
- (BOOL)socketShouldManuallyEvaluateTrust:(GCDAsyncSocket *)sock;
1076-
10771099
/**
10781100
* Allows a socket delegate to hook into the TLS handshake and manually validate
10791101
* the peer it's connecting to.
10801102
*
1081-
* This is only called if -socketShouldManuallyEvaluateTrust: returns YES.
1103+
* This is only called if startTLS is invoked with options that include:
1104+
* - GCDAsyncSocketManuallyEvaluateTrust == YES
10821105
*
1083-
* Returning YES continues the SSL handshake, returning NO terminates the handshake
1084-
* and closes the connection.
1106+
* Returning YES continues the SSL handshake.
1107+
* Returning NO terminates the handshake and closes the connection.
10851108
**/
10861109
- (BOOL)socket:(GCDAsyncSocket *)sock shouldTrustPeer:(SecTrustRef)trust;
10871110

0 commit comments

Comments
 (0)