add priority settings.

git-svn-id: svn+ssh://svn.gna.org/svn/gnustep/libs/base/trunk@35616 72102866-910b-0410-8b05-ffd578937521
Richard Frith-MacDonald 2012-09-28 16:08:19 +00:00
parent 4adbcbb584
commit 7771aba9e1
3 changed files with 104 additions and 37 deletions


@ -272,25 +272,54 @@ GS_EXPORT NSString * const NSFileHandleOperationException;
/** <override-dummy />
* Sets options to be used to configure this channel before the handshake.<br />
* Returns nil on success, or an error message if some options could not
* be set.<br />>
* be set.<br />
* Expects key value pairs with the follwiing names/meanings:
* <deflist>
* <term>GSTLSCAFile</term>
* <desc>A string identifying the full path to the file containing any
* trusted certificate authorities to be used when verifying a certificate
* presented by the remote end of a connection.
* </desc>
* <term>GSTLSCertificateFile</term>
* <desc>The path to a PEM encoded certificate used to identify this end
* of the connection. This option <em>must</em> be set for handing an
* incoming connection, but is optional for outgoing connections.<br />
* This must be used in conjunction with GSTLSCertificateKeyFile.
* </desc>
* </desc>
* <term>GSTLSCertificateKeyFile</term>
* <desc>The path to a PEM encoded key used to unlock the certificate
* file for the connection. The key in the file may or may not be
* encrypted, but if it is encrypted you must specify
* GSTLSCertificateKeyPassword.
* </desc>
* </desc>
* <term>GSTLSCertificateKeyPassword</term>
* <desc>A string to be used as the password to decrypt a key which was
* specified using GSTLSKeyPassword.
* </desc>
* </desc>
* <term>GSTLSDebug</term>
* <desc>A boolean specifying whether diagnostic debug is to be enabled
* to log information about a connection where the handshake fails.<br />
* </desc>
* <term>GSTLSPriority</term>
* <desc>A GNUTLS priority string describing the ciphers etc which may be
* used for the connection. In addition the string may be one of
* SSLv2, SSLv3, or TLSv1 to use the appropriate general settings
* for negotiating a connection of the specified type.
* </desc>
* <term>GSTLSRemoteHosts</term>
* <desc>A comma delimited list of host names to be allowed when verifying
* the certificate of the host we are connecting to.<br />
* If this is not specified, all the names provided by NSHost are used.
* </desc>
* <term>GSTLSRevokeFile</term>
* <desc>The full path of a file containing certificate revocation
* information for certificates issued by our trusted authorites but
* no longer valid.
* </desc>
* <term>GSTLSVerify</term>
* <desc>A boolean specifying whether we should require the remote end to
* supply a valid certificate in order to establish an encrypted connection.
* </desc>
* </deflist>
*/
- (NSString*) sslSetOptions: (NSDictionary*)options;
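Review bot: The new GSTLSPriority entry documents SSLv2 as an accepted value, but the GSTLS.m hunk in this same commit maps the string to NSStreamSocketSecurityLevelSSLv2 and then refuses the session as insecure/not implemented, so a caller following this documentation gets nil back; suggest dropping SSLv2 from the list or stating explicitly that it is rejected. The GSTLSCertificateKeyPassword entry says the key was "specified using GSTLSKeyPassword", which is not one of the documented keys — it should read `specified using GSTLSCertificateKeyFile`. The new text also misspells "follwiing" and "authorites".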


@ -33,6 +33,7 @@ extern NSString * const GSTLSCertificateFile;
extern NSString * const GSTLSCertificateKeyFile;
extern NSString * const GSTLSCertificateKeyPassword;
extern NSString * const GSTLSDebug;
extern NSString * const GSTLSPriority;
extern NSString * const GSTLSRemoteHosts;
extern NSString * const GSTLSRevokeFile;
extern NSString * const GSTLSVerify;


@ -48,6 +48,7 @@ NSString * const GSTLSCertificateFile = @"GSTLSCertificateFile";
NSString * const GSTLSCertificateKeyFile = @"GSTLSCertificateKeyFile";
NSString * const GSTLSCertificateKeyPassword = @"GSTLSCertificateKeyPassword";
NSString * const GSTLSDebug = @"GSTLSDebug";
NSString * const GSTLSPriority = @"GSTLSPriority";
NSString * const GSTLSRemoteHosts = @"GSTLSRemoteHosts";
NSString * const GSTLSRevokeFile = @"GSTLSRevokeFile";
NSString * const GSTLSVerify = @"GSTLSVerify";
@ -140,7 +141,9 @@ static BOOL verifyServer = NO;
*/
static int globalDebug = 0;
static NSString *cipherList = nil;
/* Defines the default priority list.
*/
static NSString *priority = nil;
static gnutls_anon_client_credentials_t anoncred;
@ -153,8 +156,11 @@ static gnutls_anon_client_credentials_t anoncred;
{
NSString *str;
cipherList
= [[NSUserDefaults standardUserDefaults] stringForKey: @"GSCipherList"];
str = [[NSUserDefaults standardUserDefaults] stringForKey: GSTLSPriority];
if (nil != str)
{
ASSIGN(priority, str);
}
/* The GSTLSCAFile user default overrides the builtin value or the
* GS_TLS_CA_FILE environment variable.
@ -1000,51 +1006,82 @@ static NSMutableDictionary *privateKeyCache1 = nil;
}
gnutls_set_default_priority(session);
pri = [opts objectForKey: NSStreamSocketSecurityLevelKey];
if ([pri isEqualToString: NSStreamSocketSecurityLevelNone] == YES)
str = [opts objectForKey: GSTLSPriority];
if (nil == pri && nil == str)
{
// pri = NSStreamSocketSecurityLevelNone;
GSOnceMLog(@"NSStreamSocketSecurityLevelNone is insecure ..."
@" not implemented");
DESTROY(self);
return nil;
str = priority; // Default setting
}
else if ([pri isEqualToString: NSStreamSocketSecurityLevelSSLv2] == YES)
if (YES == [str isEqual: @"SSLv3"])
{
// pri = NSStreamSocketSecurityLevelSSLv2;
GSOnceMLog(@"NSStreamSocketSecurityLevelTLSv2 is insecure ..."
@" not implemented");
DESTROY(self);
return nil;
pri = NSStreamSocketSecurityLevelSSLv3;
str = nil;
}
else if ([pri isEqualToString: NSStreamSocketSecurityLevelSSLv3] == YES)
else if (YES == [str isEqual: @"SSLv2"])
{
pri = NSStreamSocketSecurityLevelSSLv2;
str = nil;
}
else if (YES == [str isEqual: @"TLSv1"])
{
pri = NSStreamSocketSecurityLevelTLSv1;
str = nil;
}
if (nil == str)
{
if ([pri isEqual: NSStreamSocketSecurityLevelNone] == YES)
{
// pri = NSStreamSocketSecurityLevelNone;
GSOnceMLog(@"NSStreamSocketSecurityLevelNone is insecure ..."
@" not implemented");
DESTROY(self);
return nil;
}
else if ([pri isEqual: NSStreamSocketSecurityLevelSSLv2] == YES)
{
// pri = NSStreamSocketSecurityLevelSSLv2;
GSOnceMLog(@"NSStreamSocketSecurityLevelTLSv2 is insecure ..."
@" not implemented");
DESTROY(self);
return nil;
}
else if ([pri isEqual: NSStreamSocketSecurityLevelSSLv3] == YES)
{
#if GNUTLS_VERSION_NUMBER < 0x020C00
const int proto_prio[2] = {
GNUTLS_SSL3,
0 };
gnutls_protocol_set_priority(session, proto_prio);
const int proto_prio[2] = {
GNUTLS_SSL3,
0 };
gnutls_protocol_set_priority(session, proto_prio);
#else
gnutls_priority_set_direct(session,
"NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0", NULL);
gnutls_priority_set_direct(session,
"NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0", NULL);
#endif
}
else if ([pri isEqualToString: NSStreamSocketSecurityLevelTLSv1] == YES)
{
}
else if ([pri isEqual: NSStreamSocketSecurityLevelTLSv1] == YES)
{
#if GNUTLS_VERSION_NUMBER < 0x020C00
const int proto_prio[4] = {
const int proto_prio[4] = {
#if defined(GNUTLS_TLS1_2)
GNUTLS_TLS1_2,
GNUTLS_TLS1_2,
#endif
GNUTLS_TLS1_1,
GNUTLS_TLS1_0,
0 };
gnutls_protocol_set_priority(session, proto_prio);
GNUTLS_TLS1_1,
GNUTLS_TLS1_0,
0 };
gnutls_protocol_set_priority(session, proto_prio);
#else
gnutls_priority_set_direct(session,
"NORMAL:-VERS-SSL3.0:+VERS-TLS-ALL", NULL);
gnutls_priority_set_direct(session,
"NORMAL:-VERS-SSL3.0:+VERS-TLS-ALL", NULL);
#endif
}
}
#if GNUTLS_VERSION_NUMBER >= 0x020C00
else
{
gnutls_priority_set_direct(session, [str UTF8String], NULL);
}
#endif
/* Set certificate credentials for this session.
*/
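Review bot: The `gnutls_priority_set_direct(session, [str UTF8String], NULL)` call in the new `else` branch at the end of the hunk ignores the return value, so a malformed GSTLSPriority string leaves the session on the defaults installed by `gnutls_set_default_priority(session)` a few lines earlier and the connection proceeds with settings weaker than the caller asked for. The other failure paths in this hunk already use `DESTROY(self); return nil;`, so a rejected priority string should take the same path, and passing an error-position pointer instead of NULL makes the log message actionable. In the `GNUTLS_VERSION_NUMBER < 0x020C00` configuration there is no `else` at all, so a non-nil `str` is silently dropped there too; that case should at least be logged. The enclosing method starts before this hunk, and the trailing `/* Set certificate credentials */` comment suggests it continues after it.

```objc
#if GNUTLS_VERSION_NUMBER >= 0x020C00
  else
    {
      const char *errPos = NULL;
      int ret = gnutls_priority_set_direct(session, [str UTF8String], &errPos);

      if (ret < 0)
        {
          /* Do not continue on the defaults set by gnutls_set_default_priority()
           * when the caller's priority string was rejected.
           */
          GSOnceMLog(@"Unable to set GSTLSPriority '%@': %s (at '%s')",
            str, gnutls_strerror(ret), errPos ? errPos : "");
          DESTROY(self);
          return nil;
        }
    }
#else
  else
    {
      GSOnceMLog(@"GSTLSPriority '%@' not supported by this gnutls version",
        str);
      DESTROY(self);
      return nil;
    }
#endif
```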