wip

docs/CHANGELOG.md

@@ -3,7 +3,7 @@ All changes to this project will be documented in this file.
 
 ## [7.6.4] - 2019-12-22
 
-(client) error handling, quote url in error case when failing to parse on
+(client) error handling, quote url in error case when failing to parse one
 (ws) ws_cobra_publish: register callbacks before connecting
 (doc) mention mbedtls in supported ssl server backend
 

ixwebsocket/IXSocketAppleSSL.cpp

@@ -24,9 +24,47 @@
 
 #include <Security/SecureTransport.h>
 
-namespace
+namespace ix
 {
-    OSStatus read_from_socket(SSLConnectionRef connection, void* data, size_t* len)
+    SocketAppleSSL::SocketAppleSSL(const SocketTLSOptions& tlsOptions, int fd)
+        : Socket(fd)
+        , _sslContext(nullptr)
+        , _tlsOptions(tlsOptions)
+    {
+        ;
+    }
+
+    SocketAppleSSL::~SocketAppleSSL()
+    {
+        SocketAppleSSL::close();
+    }
+
+    std::string SocketAppleSSL::getSSLErrorDescription(OSStatus status)
+    {
+        std::string errMsg("Unknown SSL error.");
+
+        CFErrorRef error = CFErrorCreate(kCFAllocatorDefault, kCFErrorDomainOSStatus, status, NULL);
+        if (error)
+        {
+            CFStringRef message = CFErrorCopyDescription(error);
+            if (message)
+            {
+                char localBuffer[128];
+                Boolean success;
+                success = CFStringGetCString(message, localBuffer, 128, kCFStringEncodingUTF8);
+                if (success)
+                {
+                    errMsg = localBuffer;
+                }
+                CFRelease(message);
+            }
+            CFRelease(error);
+        }
+
+        return errMsg;
+    }
+
+    OSStatus SocketAppleSSL::readFromSocket(SSLConnectionRef connection, void* data, size_t* len)
     {
         int fd = (int) (long) connection;
         if (fd < 0) return errSSLInternal;
@@ -67,7 +105,7 @@ namespace
         }
     }
 
-    OSStatus write_to_socket(SSLConnectionRef connection, const void* data, size_t* len)
+    OSStatus SocketAppleSSL::writeToSocket(SSLConnectionRef connection, const void* data, size_t* len)
     {
         int fd = (int) (long) connection;
         if (fd < 0) return errSSLInternal;
@@ -105,52 +143,55 @@ namespace
         }
     }
 
-    std::string getSSLErrorDescription(OSStatus status)
-    {
-        std::string errMsg("Unknown SSL error.");
-
-        CFErrorRef error = CFErrorCreate(kCFAllocatorDefault, kCFErrorDomainOSStatus, status, NULL);
-        if (error)
-        {
-            CFStringRef message = CFErrorCopyDescription(error);
-            if (message)
-            {
-                char localBuffer[128];
-                Boolean success;
-                success = CFStringGetCString(message, localBuffer, 128, kCFStringEncodingUTF8);
-                if (success)
-                {
-                    errMsg = localBuffer;
-                }
-                CFRelease(message);
-            }
-            CFRelease(error);
-        }
-
-        return errMsg;
-    }
-
-} // anonymous namespace
-
-namespace ix
-{
-    SocketAppleSSL::SocketAppleSSL(const SocketTLSOptions& tlsOptions, int fd)
-        : Socket(fd)
-        , _sslContext(nullptr)
-        , _tlsOptions(tlsOptions)
-    {
-        ;
-    }
-
-    SocketAppleSSL::~SocketAppleSSL()
-    {
-        SocketAppleSSL::close();
-    }
 
     bool SocketAppleSSL::accept(std::string& errMsg)
     {
-        errMsg = "TLS not supported yet in server mode with apple ssl backend";
+        OSStatus status;
-        return false;
+        {
+            std::lock_guard<std::mutex> lock(_mutex);
+
+            _sslContext = SSLCreateContext(kCFAllocatorDefault, kSSLServerSide, kSSLStreamType);
+
+            SSLSetIOFuncs(_sslContext, SocketAppleSSL::readFromSocket, SocketAppleSSL::writeToSocket);
+            SSLSetConnection(_sslContext, (SSLConnectionRef)(long) _sockfd);
+            SSLSetProtocolVersionMin(_sslContext, kTLSProtocol12);
+
+            if (_tlsOptions.isPeerVerifyDisabled())
+            {
+                Boolean option(1);
+                SSLSetSessionOption(_sslContext, kSSLSessionOptionBreakOnServerAuth, option);
+
+                do
+                {
+                    status = SSLHandshake(_sslContext);
+                } while (errSSLWouldBlock == status || errSSLServerAuthCompleted == status);
+
+                if (status == errSSLServerAuthCompleted)
+                {
+                    // proceed with the handshake
+                    do
+                    {
+                        status = SSLHandshake(_sslContext);
+                    } while (errSSLWouldBlock == status || errSSLServerAuthCompleted == status);
+                }
+            }
+            else
+            {
+                do
+                {
+                    status = SSLHandshake(_sslContext);
+                } while (errSSLWouldBlock == status || errSSLServerAuthCompleted == status);
+            }
+        }
+
+        if (noErr != status)
+        {
+            errMsg = getSSLErrorDescription(status);
+            close();
+            return false;
+        }
+
+        return true;
     }
 
     // No wait support
@@ -168,7 +209,7 @@ namespace ix
 
             _sslContext = SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType);
 
-            SSLSetIOFuncs(_sslContext, read_from_socket, write_to_socket);
+            SSLSetIOFuncs(_sslContext, SocketAppleSSL::readFromSocket, SocketAppleSSL::writeToSocket);
             SSLSetConnection(_sslContext, (SSLConnectionRef)(long) _sockfd);
             SSLSetProtocolVersionMin(_sslContext, kTLSProtocol12);
             SSLSetPeerDomainName(_sslContext, host.c_str(), host.size());

ixwebsocket/IXSocketAppleSSL.h

@@ -34,6 +34,10 @@ namespace ix
         virtual ssize_t recv(void* buffer, size_t length) final;
 
     private:
+        static std::string getSSLErrorDescription(OSStatus status);
+        static OSStatus writeToSocket(SSLConnectionRef connection, const void* data, size_t* len);
+        static OSStatus readFromSocket(SSLConnectionRef connection, void* data, size_t* len);
+
         SSLContextRef _sslContext;
         mutable std::mutex _mutex; // AppleSSL routines are not thread-safe
 

ixwebsocket/IXSocketTLSOptions.cpp

@@ -81,6 +81,7 @@ namespace ix
         ss << "  keyFile  = " << keyFile << std::endl;
         ss << "  caFile   = " << caFile << std::endl;
         ss << "  ciphers  = " << ciphers << std::endl;
+        ss << "  ciphers  = " << ciphers << std::endl;
         return ss.str();
     }
 } // namespace ix