
Commit a4b9c49

Adding support for TLS session resumption
1 parent 2a7f1c3 commit a4b9c49


2 files changed

+54
-33
lines changed


GCD/GCDAsyncSocket.h

Lines changed: 13 additions & 6 deletions
@@ -30,7 +30,7 @@ extern NSString *const GCDAsyncSocketManuallyEvaluateTrust;
3030
#if TARGET_OS_IPHONE
3131
extern NSString *const GCDAsyncSocketUseCFStreamForTLS;
3232
#endif
33-
33+
extern NSString *const GCDAsyncSocketSSLPeerID;
3434
extern NSString *const GCDAsyncSocketSSLCipherSuites;
3535
extern NSString *const GCDAsyncSocketSSLProtocolVersionMin;
3636
extern NSString *const GCDAsyncSocketSSLProtocolVersionMax;
@@ -684,19 +684,26 @@ typedef enum GCDAsyncSocketError GCDAsyncSocketError;
684684
* This is optional for iOS. If not supplied, a NO value is the default.
685685
* This is not needed for Mac OS X, and the value is ignored.
686686
*
687-
* - GCDAsyncSocketSSLCipherSuites
688-
* The values must be of type NSArray.
689-
* Each item within the array must be a NSNumber, encapsulating
690-
* See the documentation for SSLSetEnabledCiphers.
691-
* See also the SSLCipherSuite typedef.
687+
* - GCDAsyncSocketSSLPeerID
688+
* The value must be of type NSData.
689+
* You must set this value if you want to use TLS session resumption.
690+
* See the documentation for SSLSetPeerID.
692691
*
693692
* - GCDAsyncSocketSSLProtocolVersionMin
694693
* - GCDAsyncSocketSSLProtocolVersionMax
695694
* The value(s) must be of type NSNumber, encapsulting a SSLProtocol value.
696695
* See the documentation for SSLSetProtocolVersionMin & SSLSetProtocolVersionMax.
697696
* See also the SSLProtocol typedef.
697+
*
698+
* - GCDAsyncSocketSSLCipherSuites
699+
* The values must be of type NSArray.
700+
* Each item within the array must be a NSNumber, encapsulating
701+
* See the documentation for SSLSetEnabledCiphers.
702+
* See also the SSLCipherSuite typedef.
698703
*
699704
* - GCDAsyncSocketSSLDiffieHellmanParameters (Mac OS X only)
705+
* The value must be of type NSData.
706+
* See the documentation for SSLSetDiffieHellmanParams.
700707
*
701708
* ==== The following UNAVAILABLE KEYS are: (with throw an exception)
702709
*
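Review bot: The new GCDAsyncSocketSSLPeerID entry in the key documentation (new lines 687–690) says the value must be NSData but not what the data has to contain, and that is the security-relevant part: SecureTransport keys its session cache on this value, so an ID that is not unique per remote peer (host and port) could let a session negotiated with one server be resumed against a different one. Suggest adding ` * The data must uniquely identify the remote peer (e.g. its host and port).` directly after the ` * The value must be of type NSData.` line. It may also be worth one sentence that a resumed session skips the full handshake, so the certificate was only checked when the original session was negotiated — confirm this against SecureTransport's documented behaviour before stating it.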

GCD/GCDAsyncSocket.m

Lines changed: 41 additions & 27 deletions
@@ -118,7 +118,7 @@
118118
#if TARGET_OS_IPHONE
119119
NSString *const GCDAsyncSocketUseCFStreamForTLS = @"GCDAsyncSocketUseCFStreamForTLS";
120120
#endif
121-
121+
NSString *const GCDAsyncSocketSSLPeerID = @"GCDAsyncSocketSSLPeerID";
122122
NSString *const GCDAsyncSocketSSLCipherSuites = @"GCDAsyncSocketSSLCipherSuites";
123123
NSString *const GCDAsyncSocketSSLProtocolVersionMin = @"GCDAsyncSocketSSLProtocolVersionMin";
124124
NSString *const GCDAsyncSocketSSLProtocolVersionMax = @"GCDAsyncSocketSSLProtocolVersionMax";
@@ -3615,17 +3615,14 @@ - (void)setupReadAndWriteSourcesForNewlyConnectedSocket:(int)socketFD
36153615
- (BOOL)usingCFStreamForTLS
36163616
{
36173617
#if TARGET_OS_IPHONE
3618-
{
3619-
if ((flags & kSocketSecure) && (flags & kUsingCFStreamForTLS))
3620-
{
3621-
// Due to the fact that Apple doesn't give us the full power of SecureTransport on iOS,
3622-
// we are relegated to using the slower, less powerful, and RunLoop based CFStream API. :( Boo!
3623-
//
3624-
// Thus we're not able to use the GCD read/write sources in this particular scenario.
3625-
3626-
return YES;
3627-
}
3618+
3619+
if ((flags & kSocketSecure) && (flags & kUsingCFStreamForTLS))
3620+
{
3621+
// The startTLS method was given the GCDAsyncSocketUseCFStreamForTLS flag.
3622+
3623+
return YES;
36283624
}
3625+
36293626
#endif
36303627

36313628
return NO;
@@ -6121,16 +6118,17 @@ - (void)ssl_startTLS
61216118
// Checklist:
61226119
// 1. kCFStreamSSLPeerName
61236120
// 2. kCFStreamSSLCertificates
6124-
// 3. GCDAsyncSocketSSLProtocolVersionMin & GCDAsyncSocketSSLProtocolVersionMax
6125-
// 4. GCDAsyncSocketSSLCipherSuites
6126-
// 5. GCDAsyncSocketSSLDiffieHellmanParameters (Mac)
6121+
// 3. GCDAsyncSocketSSLPeerID
6122+
// 4. GCDAsyncSocketSSLProtocolVersionMin & GCDAsyncSocketSSLProtocolVersionMax
6123+
// 5. GCDAsyncSocketSSLCipherSuites
6124+
// 6. GCDAsyncSocketSSLDiffieHellmanParameters (Mac)
61276125
//
61286126
// Deprecated (throw error):
6129-
// 6. kCFStreamSSLAllowsAnyRoot
6130-
// 7. kCFStreamSSLAllowsExpiredRoots
6131-
// 8. kCFStreamSSLAllowsExpiredCertificates
6132-
// 9. kCFStreamSSLValidatesCertificateChain
6133-
// 10. kCFStreamSSLLevel
6127+
// 7. kCFStreamSSLAllowsAnyRoot
6128+
// 8. kCFStreamSSLAllowsExpiredRoots
6129+
// 9. kCFStreamSSLAllowsExpiredCertificates
6130+
// 10. kCFStreamSSLValidatesCertificateChain
6131+
// 11. kCFStreamSSLLevel
61346132

61356133
id value;
61366134

@@ -6167,7 +6165,22 @@ - (void)ssl_startTLS
61676165
}
61686166
}
61696167

6170-
// 3. GCDAsyncSocketSSLProtocolVersionMin & GCDAsyncSocketSSLProtocolVersionMax
6168+
// 3. GCDAsyncSocketSSLPeerID
6169+
6170+
value = [tlsSettings objectForKey:GCDAsyncSocketSSLPeerID];
6171+
if (value)
6172+
{
6173+
NSData *peerIdData = (NSData *)value;
6174+
6175+
status = SSLSetPeerID(sslContext, [peerIdData bytes], [peerIdData length]);
6176+
if (status != noErr)
6177+
{
6178+
[self closeWithError:[self otherError:@"Error in SSLSetPeerID"]];
6179+
return;
6180+
}
6181+
}
6182+
6183+
// 4. GCDAsyncSocketSSLProtocolVersionMin & GCDAsyncSocketSSLProtocolVersionMax
61716184

61726185
id sslMinLevel = [tlsSettings objectForKey:GCDAsyncSocketSSLProtocolVersionMin];
61736186
id sslMaxLevel = [tlsSettings objectForKey:GCDAsyncSocketSSLProtocolVersionMax];
@@ -6212,7 +6225,7 @@ - (void)ssl_startTLS
62126225
}
62136226
}
62146227

6215-
// 4. GCDAsyncSocketSSLCipherSuites
6228+
// 5. GCDAsyncSocketSSLCipherSuites
62166229

62176230
value = [tlsSettings objectForKey:GCDAsyncSocketSSLCipherSuites];
62186231
if (value)
@@ -6236,15 +6249,14 @@ - (void)ssl_startTLS
62366249
}
62376250
}
62386251

6239-
// 9. GCDAsyncSocketSSLDiffieHellmanParameters
6252+
// 6. GCDAsyncSocketSSLDiffieHellmanParameters
62406253

62416254
#if !TARGET_OS_IPHONE
62426255
value = [tlsSettings objectForKey:GCDAsyncSocketSSLDiffieHellmanParameters];
62436256
if (value)
62446257
{
62456258
NSData *diffieHellmanData = (NSData *)value;
62466259

6247-
// Still available
62486260
status = SSLSetDiffieHellmanParams(sslContext, [diffieHellmanData bytes], [diffieHellmanData length]);
62496261
if (status != noErr)
62506262
{
@@ -6256,7 +6268,7 @@ - (void)ssl_startTLS
62566268

62576269
// DEPRECATED checks
62586270

6259-
// 6. kCFStreamSSLAllowsAnyRoot
6271+
// 7. kCFStreamSSLAllowsAnyRoot
62606272

62616273
value = [tlsSettings objectForKey:(NSString *)kCFStreamSSLAllowsAnyRoot];
62626274
if (value)
@@ -6272,7 +6284,7 @@ - (void)ssl_startTLS
62726284
return;
62736285
}
62746286

6275-
// 7. kCFStreamSSLAllowsExpiredRoots
6287+
// 8. kCFStreamSSLAllowsExpiredRoots
62766288

62776289
value = [tlsSettings objectForKey:(NSString *)kCFStreamSSLAllowsExpiredRoots];
62786290
if (value)
@@ -6288,7 +6300,7 @@ - (void)ssl_startTLS
62886300
return;
62896301
}
62906302

6291-
// 8. kCFStreamSSLValidatesCertificateChain
6303+
// 9. kCFStreamSSLValidatesCertificateChain
62926304

62936305
value = [tlsSettings objectForKey:(NSString *)kCFStreamSSLValidatesCertificateChain];
62946306
if (value)
@@ -6304,7 +6316,7 @@ - (void)ssl_startTLS
63046316
return;
63056317
}
63066318

6307-
// 9. kCFStreamSSLAllowsExpiredCertificates
6319+
// 10. kCFStreamSSLAllowsExpiredCertificates
63086320

63096321
value = [tlsSettings objectForKey:(NSString *)kCFStreamSSLAllowsExpiredCertificates];
63106322
if (value)
@@ -6320,6 +6332,8 @@ - (void)ssl_startTLS
63206332
return;
63216333
}
63226334

6335+
// 11. kCFStreamSSLLevel
6336+
63236337
value = [tlsSettings objectForKey:(NSString *)kCFStreamSSLLevel];
63246338
if (value)
63256339
{
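Review bot: In the new GCDAsyncSocketSSLPeerID block in ssl_startTLS (new lines 6168–6181), `value` is cast straight to `NSData *` and sent `bytes`/`length`, so a caller that supplies an NSString or NSNumber gets an unrecognized-selector exception instead of the `closeWithError:` path the other TLS settings take. The same pattern already exists in the DiffieHellmanParameters block, so this is a pre-existing style rather than a regression, but a guard such as `if (![value isKindOfClass:[NSData class]]) { [self closeWithError:[self otherError:@"GCDAsyncSocketSSLPeerID value must be NSData"]]; return; }` would keep misuse on the error path. Whether SSLSetPeerID accepts a zero-length NSData or whether that silently disables session caching is not visible here; worth checking and noting in the comment above the call. ssl_startTLS begins and ends outside these hunks.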
