Update Files

Kha/Tools/macos/std/cpp/_std/sys/ssl/Certificate.hx

@@ -0,0 +1,136 @@
+/*
+ * Copyright (C)2005-2019 Haxe Foundation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+package sys.ssl;
+
+import cpp.NativeSsl;
+
+@:coreApi
+class Certificate {
+	var __h:Null<Certificate>;
+	var __x:Dynamic;
+
+	@:allow(sys.ssl.Socket)
+	function new(x:Dynamic, ?h:Certificate) {
+		__x = x;
+		__h = h;
+	}
+
+	public static function loadFile(file:String):Certificate {
+		return new Certificate(NativeSsl.cert_load_file(file));
+	}
+
+	public static function loadPath(path:String):Certificate {
+		return new Certificate(NativeSsl.cert_load_path(path));
+	}
+
+	public static function fromString(str:String):Certificate {
+		return new Certificate(NativeSsl.cert_add_pem(null, str));
+	}
+
+	public static function loadDefaults():Certificate {
+		var x = NativeSsl.cert_load_defaults();
+		if (x != null)
+			return new Certificate(x);
+
+		var defPaths = null;
+		switch (Sys.systemName()) {
+			case "Linux":
+				defPaths = [
+					"/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
+					"/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL
+					"/etc/ssl/ca-bundle.pem", // OpenSUSE
+					"/etc/pki/tls/cacert.pem", // OpenELEC
+					"/etc/ssl/certs", // SLES10/SLES11
+					"/system/etc/security/cacerts" // Android
+				];
+			case "BSD":
+				defPaths = [
+					"/usr/local/share/certs/ca-root-nss.crt", // FreeBSD/DragonFly
+					"/etc/ssl/cert.pem", // OpenBSD
+					"/etc/openssl/certs/ca-certificates.crt", // NetBSD
+				];
+			case "Android":
+				defPaths = ["/system/etc/security/cacerts"];
+			default:
+		}
+		if (defPaths != null) {
+			for (path in defPaths) {
+				if (sys.FileSystem.exists(path)) {
+					if (sys.FileSystem.isDirectory(path))
+						return loadPath(path);
+					else
+						return loadFile(path);
+				}
+			}
+		}
+		return null;
+	}
+
+	public var commonName(get, null):Null<String>;
+	public var altNames(get, null):Array<String>;
+	public var notBefore(get, null):Date;
+	public var notAfter(get, null):Date;
+
+	function get_commonName():Null<String> {
+		return subject("CN");
+	}
+
+	function get_altNames():Array<String> {
+		return NativeSsl.cert_get_altnames(__x);
+	}
+
+	public function subject(field:String):Null<String> {
+		return NativeSsl.cert_get_subject(__x, field);
+	}
+
+	public function issuer(field:String):Null<String> {
+		return NativeSsl.cert_get_issuer(__x, field);
+	}
+
+	function get_notBefore():Date {
+		var a = NativeSsl.cert_get_notbefore(__x);
+		return new Date(a[0], a[1] - 1, a[2], a[3], a[4], a[5]);
+	}
+
+	function get_notAfter():Date {
+		var a = NativeSsl.cert_get_notafter(__x);
+		return new Date(a[0], a[1] - 1, a[2], a[3], a[4], a[5]);
+	}
+
+	public function next():Null<Certificate> {
+		var n = NativeSsl.cert_get_next(__x);
+		return n == null ? null : new Certificate(n, __h == null ? this : __h);
+	}
+
+	public function add(pem:String):Void {
+		NativeSsl.cert_add_pem(__x, pem);
+	}
+
+	public function addDER(der:haxe.io.Bytes):Void {
+		NativeSsl.cert_add_der(__x, der.getData());
+	}
+
+	static function __init__():Void {
+		NativeSsl.init();
+	}
+}

Kha/Tools/macos/std/cpp/_std/sys/ssl/Digest.hx

@@ -0,0 +1,40 @@
+/*
+ * Copyright (C)2005-2019 Haxe Foundation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+package sys.ssl;
+
+import cpp.NativeSsl;
+
+@:coreApi
+class Digest {
+	public static function make(data:haxe.io.Bytes, alg:DigestAlgorithm):haxe.io.Bytes {
+		return haxe.io.Bytes.ofData(NativeSsl.dgst_make(data.getData(), alg));
+	}
+
+	public static function sign(data:haxe.io.Bytes, privKey:Key, alg:DigestAlgorithm):haxe.io.Bytes {
+		return haxe.io.Bytes.ofData(NativeSsl.dgst_sign(data.getData(), @:privateAccess privKey.__k, alg));
+	}
+
+	public static function verify(data:haxe.io.Bytes, signature:haxe.io.Bytes, pubKey:Key, alg:DigestAlgorithm):Bool {
+		return NativeSsl.dgst_verify(data.getData(), signature.getData(), @:privateAccess pubKey.__k, alg);
+	}
+}

Kha/Tools/macos/std/cpp/_std/sys/ssl/Key.hx

@@ -0,0 +1,57 @@
+/*
+ * Copyright (C)2005-2019 Haxe Foundation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+package sys.ssl;
+
+import cpp.NativeSsl;
+
+private typedef PKEY = Dynamic;
+
+@:coreApi
+class Key {
+	private var __k:PKEY;
+
+	private function new(k:PKEY) {
+		__k = k;
+	}
+
+	public static function loadFile(file:String, ?isPublic:Bool, ?pass:String):Key {
+		var data = sys.io.File.getBytes(file);
+		var str = cpp.Lib.stringReference(data);
+		if (str.indexOf("-----BEGIN ") >= 0)
+			return readPEM(str, isPublic == true, pass);
+		else
+			return readDER(data, isPublic == true);
+	}
+
+	public static function readPEM(data:String, isPublic:Bool, ?pass:String):Key {
+		return new Key(NativeSsl.key_from_pem(data, isPublic, pass));
+	}
+
+	public static function readDER(data:haxe.io.Bytes, isPublic:Bool):Key {
+		return new Key(NativeSsl.key_from_der(data.getData(), isPublic));
+	}
+
+	static function __init__():Void {
+		NativeSsl.init();
+	}
+}

Kha/Tools/macos/std/cpp/_std/sys/ssl/Socket.hx

@@ -0,0 +1,297 @@
+/*
+ * Copyright (C)2005-2019 Haxe Foundation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+package sys.ssl;
+
+import cpp.NativeSocket;
+import cpp.NativeSsl;
+
+private typedef SocketHandle = Dynamic;
+private typedef CONF = Dynamic;
+private typedef SSL = Dynamic;
+
+private class SocketInput extends haxe.io.Input {
+	@:allow(sys.ssl.Socket) private var __s:Socket;
+
+	public function new(s:Socket) {
+		this.__s = s;
+	}
+
+	public override function readByte() {
+		return try {
+			__s.handshake();
+			NativeSsl.ssl_recv_char(@:privateAccess __s.ssl);
+		} catch (e:Dynamic) {
+			if (e == "Blocking")
+				throw haxe.io.Error.Blocked;
+			else if (__s == null)
+				throw haxe.io.Error.Custom(e);
+			else
+				throw new haxe.io.Eof();
+		}
+	}
+
+	public override function readBytes(buf:haxe.io.Bytes, pos:Int, len:Int):Int {
+		var r:Int;
+		if (__s == null)
+			throw "Invalid handle";
+		try {
+			__s.handshake();
+			r = NativeSsl.ssl_recv(@:privateAccess __s.ssl, buf.getData(), pos, len);
+		} catch (e:Dynamic) {
+			if (e == "Blocking")
+				throw haxe.io.Error.Blocked;
+			else
+				throw haxe.io.Error.Custom(e);
+		}
+		if (r == 0)
+			throw new haxe.io.Eof();
+		return r;
+	}
+
+	public override function close() {
+		super.close();
+		if (__s != null)
+			__s.close();
+	}
+}
+
+private class SocketOutput extends haxe.io.Output {
+	@:allow(sys.ssl.Socket) private var __s:Socket;
+
+	public function new(s:Socket) {
+		this.__s = s;
+	}
+
+	public override function writeByte(c:Int) {
+		if (__s == null)
+			throw "Invalid handle";
+		try {
+			__s.handshake();
+			NativeSsl.ssl_send_char(@:privateAccess __s.ssl, c);
+		} catch (e:Dynamic) {
+			if (e == "Blocking")
+				throw haxe.io.Error.Blocked;
+			else
+				throw haxe.io.Error.Custom(e);
+		}
+	}
+
+	public override function writeBytes(buf:haxe.io.Bytes, pos:Int, len:Int):Int {
+		return try {
+			__s.handshake();
+			NativeSsl.ssl_send(@:privateAccess __s.ssl, buf.getData(), pos, len);
+		} catch (e:Dynamic) {
+			if (e == "Blocking")
+				throw haxe.io.Error.Blocked;
+			else
+				throw haxe.io.Error.Custom(e);
+		}
+	}
+
+	public override function close() {
+		super.close();
+		if (__s != null)
+			__s.close();
+	}
+}
+
+@:coreApi
+class Socket extends sys.net.Socket {
+	public static var DEFAULT_VERIFY_CERT:Null<Bool> = true;
+
+	public static var DEFAULT_CA:Null<Certificate>;
+
+	private var conf:CONF;
+	private var ssl:SSL;
+
+	public var verifyCert:Null<Bool>;
+
+	private var caCert:Null<Certificate>;
+	private var hostname:String;
+
+	private var ownCert:Null<Certificate>;
+	private var ownKey:Null<Key>;
+	private var altSNIContexts:Null<Array<{match:String->Bool, key:Key, cert:Certificate}>>;
+	private var sniCallback:Dynamic;
+	private var handshakeDone:Bool;
+
+	private override function init():Void {
+		__s = NativeSocket.socket_new(false);
+		input = new SocketInput(this);
+		output = new SocketOutput(this);
+		if (DEFAULT_VERIFY_CERT && DEFAULT_CA == null) {
+			try {
+				DEFAULT_CA = Certificate.loadDefaults();
+			} catch (e:Dynamic) {}
+		}
+		caCert = DEFAULT_CA;
+		verifyCert = DEFAULT_VERIFY_CERT;
+	}
+
+	public override function connect(host:sys.net.Host, port:Int):Void {
+		try {
+			conf = buildSSLConfig(false);
+			ssl = NativeSsl.ssl_new(conf);
+			handshakeDone = false;
+			NativeSsl.ssl_set_socket(ssl, __s);
+			if (hostname == null)
+				hostname = host.host;
+			if (hostname != null)
+				NativeSsl.ssl_set_hostname(ssl, hostname);
+			NativeSocket.socket_connect(__s, host.ip, port);
+			handshake();
+		} catch (s:String) {
+			if (s == "Invalid socket handle")
+				throw "Failed to connect on " + host.host + ":" + port;
+			else
+				cpp.Lib.rethrow(s);
+		} catch (e:Dynamic) {
+			cpp.Lib.rethrow(e);
+		}
+	}
+
+	public function handshake():Void {
+		if (!handshakeDone) {
+			try {
+				NativeSsl.ssl_handshake(ssl);
+				handshakeDone = true;
+			} catch (e:Dynamic) {
+				if (e == "Blocking")
+					throw haxe.io.Error.Blocked;
+				else
+					cpp.Lib.rethrow(e);
+			}
+		}
+	}
+
+	public function setCA(cert:Certificate):Void {
+		caCert = cert;
+	}
+
+	public function setHostname(name:String):Void {
+		hostname = name;
+	}
+
+	public function setCertificate(cert:Certificate, key:Key):Void {
+		ownCert = cert;
+		ownKey = key;
+	}
+
+	public override function read():String {
+		handshake();
+		var b = NativeSsl.ssl_read(ssl);
+		if (b == null)
+			return "";
+		return haxe.io.Bytes.ofData(b).toString();
+	}
+
+	public override function write(content:String):Void {
+		handshake();
+		NativeSsl.ssl_write(ssl, haxe.io.Bytes.ofString(content).getData());
+	}
+
+	public override function close():Void {
+		if (ssl != null)
+			NativeSsl.ssl_close(ssl);
+		if (conf != null)
+			NativeSsl.conf_close(conf);
+		if (altSNIContexts != null)
+			sniCallback = null;
+		NativeSocket.socket_close(__s);
+		var input:SocketInput = cast input;
+		var output:SocketOutput = cast output;
+		@:privateAccess input.__s = output.__s = null;
+		input.close();
+		output.close();
+	}
+
+	public function addSNICertificate(cbServernameMatch:String->Bool, cert:Certificate, key:Key):Void {
+		if (altSNIContexts == null)
+			altSNIContexts = [];
+		altSNIContexts.push({match: cbServernameMatch, cert: cert, key: key});
+	}
+
+	public override function bind(host:sys.net.Host, port:Int):Void {
+		conf = buildSSLConfig(true);
+
+		NativeSocket.socket_bind(__s, host.ip, port);
+	}
+
+	public override function accept():Socket {
+		var c = NativeSocket.socket_accept(__s);
+		var ssl = NativeSsl.ssl_new(conf);
+		NativeSsl.ssl_set_socket(ssl, c);
+
+		var s = Type.createEmptyInstance(sys.ssl.Socket);
+		s.__s = c;
+		s.ssl = ssl;
+		s.input = new SocketInput(s);
+		s.output = new SocketOutput(s);
+		s.handshakeDone = false;
+
+		return s;
+	}
+
+	public function peerCertificate():sys.ssl.Certificate {
+		var x = NativeSsl.ssl_get_peer_certificate(ssl);
+		return x == null ? null : new sys.ssl.Certificate(x);
+	}
+
+	private function buildSSLConfig(server:Bool):CONF {
+		var conf:CONF = NativeSsl.conf_new(server);
+
+		if (ownCert != null && ownKey != null)
+			NativeSsl.conf_set_cert(conf, @:privateAccess ownCert.__x, @:privateAccess ownKey.__k);
+
+		if (altSNIContexts != null) {
+			sniCallback = function(servername) {
+				var servername = new String(cast servername);
+				for (c in altSNIContexts) {
+					if (c.match(servername))
+						return @:privateAccess {
+							key:c.key.__k, cert:c.cert.__x
+						};
+				}
+				if (ownKey != null && ownCert != null)
+					return @:privateAccess {
+						key:ownKey.__k, cert:ownCert.__x
+					};
+				return null;
+			}
+			NativeSsl.conf_set_servername_callback(conf, sniCallback);
+		}
+
+		if (caCert != null)
+			NativeSsl.conf_set_ca(conf, caCert == null ? null : @:privateAccess caCert.__x);
+		if (verifyCert == null)
+			NativeSsl.conf_set_verify(conf, 2);
+		else
+			NativeSsl.conf_set_verify(conf, verifyCert ? 1 : 0);
+
+		return conf;
+	}
+
+	static function __init__():Void {
+		NativeSsl.init();
+	}
+}