Various fixes for Apple SSL backend

.github/workflows/ci-mac.yml

@@ -144,15 +144,17 @@ jobs:
     - name: pjsip-test
       run: make pjsip-test
 
-  gnu-tls-1:
+  apple-ssl-1:
     runs-on: macos-latest
-    name: GnuTLS / pjlib,util,pjmedia,pjnath
+    name: AppleSSL / pjlib,util,pjmedia,pjnath
     steps:
     - uses: actions/checkout@v2
     - name: install dependencies
-      run: brew install gnutls swig
+      run: brew install swig
     - name: configure
-      run: CFLAGS="-fPIC" CXXFLAGS="-fPIC" ./configure --with-gnutls=`brew --prefix gnutls`
+      run: CFLAGS="-fPIC" CXXFLAGS="-fPIC" LDFLAGS="-framework Network -framework Security" ./configure
+    - name: config site
+      run: echo -e "#define PJ_HAS_SSL_SOCK 1\n#undef PJ_SSL_SOCK_IMP\n#define PJ_SSL_SOCK_IMP PJ_SSL_SOCK_IMP_APPLE\n" > pjlib/include/pj/config_site.h
     - name: make
       run: $MAKE_FAST
     - name: set up Python
@@ -163,8 +165,12 @@ jobs:
       run: cd pjsip-apps/src/swig && make
     - name: get SSL info
       run: pjlib/bin/pjlib-test-`make infotarget` --config --list | grep SSL
-    - name: verify gnu tls is used
-      run: pjlib/bin/pjlib-test-`make infotarget` --config --list | grep -E 'PJ_SSL_SOCK_IMP\s+:\s+2'
+    - name: verify Apple SSL is used
+      run: pjlib/bin/pjlib-test-`make infotarget` --config --list | grep -E 'PJ_SSL_SOCK_IMP\s+:\s+4'
+    - name: import private key
+      run: security import pjlib/build/privkey.p12 -k ~/Library/Keychains/login.keychain-db -P "pjsip" -T /usr/bin/codesign -T `pwd`/pjlib/bin/`ls pjlib/bin`
+    - name: unlock keychain
+      run: security unlock-keychain ~/Library/Keychains/login.keychain-db
     - name: pjlib-test
       run: make pjlib-test
     - name: pjlib-util-test
@@ -174,21 +180,23 @@ jobs:
     - name: pjnath-test
       run: make pjnath-test
 
-  gnu-tls-2:
+  apple-ssl-2:
     runs-on: macos-latest
-    name: GnuTLS / pjsip-test
+    name: AppleSSL / pjsip-test
     steps:
     - uses: actions/checkout@v2
     - name: install dependencies
-      run: brew install gnutls swig
+      run: brew install swig
     - name: configure
-      run: CFLAGS="-fPIC" CXXFLAGS="-fPIC" ./configure --with-gnutls=`brew --prefix gnutls`
+      run: CFLAGS="-fPIC" CXXFLAGS="-fPIC" LDFLAGS="-framework Network -framework Security" ./configure
+    - name: config site
+      run: echo -e "#undef PJ_SSL_SOCK_IMP\n#define PJ_SSL_SOCK_IMP PJ_SSL_SOCK_IMP_APPLE\n" > pjlib/include/pj/config_site.h
     - name: make
       run: $MAKE_FAST
     - name: get SSL info
       run: pjlib/bin/pjlib-test-`make infotarget` --config --list | grep SSL
-    - name: verify gnu tls is used
-      run: pjlib/bin/pjlib-test-`make infotarget` --config --list | grep -E 'PJ_SSL_SOCK_IMP\s+:\s+2'
+    - name: verify Apple SSL is used
+      run: pjlib/bin/pjlib-test-`make infotarget` --config --list | grep -E 'PJ_SSL_SOCK_IMP\s+:\s+4'
     - name: pjsip-test
       run: make pjsip-test
 

pjlib/src/pj/ssl_sock_apple.m

@@ -297,7 +297,7 @@ pj_status_t ssl_network_event_poll()
 
         if (ssock->is_closing || !ssock->pool ||
             (!ssock->is_server && !assock->connection) ||
-            (ssock->is_server && !assock->listener))
+            (ssock->is_server && !assock->listener && !assock->connection))
         {
             PJ_LOG(3, (THIS_FILE, "Warning: Discarding SSL event type %d of "
                        "a closing socket %p", event->type, ssock));
@@ -804,10 +804,8 @@ static pj_status_t network_start_read(pj_ssl_sock_t *ssock,
             if (is_complete &&
                 (context == NULL || nw_content_context_get_is_final(context)))
             {
-                return;
-            }
-
-            if (error != NULL) {
+                status = PJ_EEOF;
+            } else if (error != NULL) {
                 errno = nw_error_get_error_code(error);
                 if (errno == 89) {
                     /* Since error 89 is network intentionally cancelled by
@@ -823,7 +821,7 @@ static pj_status_t network_start_read(pj_ssl_sock_t *ssock,
             dispatch_block_t schedule_next_receive = 
             ^{
                 /* If there was no error in receiving, request more data. */
-                if (!error && !is_complete && assock->connection) {
+                if (!error && !is_complete && status != PJ_EEOF) {
                     network_start_read(ssock, async_count, buff_size,
                                        readbuf, flags);
                 }
@@ -1000,9 +998,11 @@ static pj_status_t network_create_params(pj_ssl_sock_t * ssock,
          */
         sec_protocol_options_set_tls_resumption_enabled(sec_options, false);
 
-        /* SSL verification options */
-        sec_protocol_options_set_peer_authentication_required(sec_options,
-            true);
+        /* SSL peer authentication options */
+        if (ssock->is_server && ssock->param.require_client_cert) {
+            sec_protocol_options_set_peer_authentication_required(sec_options,
+                                                                  true);
+        }
 
         /* Handshake flow:
          * 1. Server's challenge block, provide server's trust
@@ -1164,10 +1164,8 @@ static pj_status_t network_setup_connection(pj_ssl_sock_t *ssock,
             errno = nw_error_get_error_code(error);
             warn("Connection failed %p", assock);
             status = PJ_STATUS_FROM_OS(errno);
-#if SSL_DEBUG
-            PJ_LOG(3, (THIS_FILE, "SSL state and errno %d %d", state, errno));
-#endif
-            call_cb = PJ_TRUE;  
+            if (ssock->ssl_state == SSL_STATE_HANDSHAKING)
+                call_cb = PJ_TRUE;
         }
 
         if (state == nw_connection_state_ready) {
@@ -1398,7 +1396,8 @@ static pj_status_t network_start_connect(pj_ssl_sock_t *ssock,
 
     assock = PJ_POOL_ZALLOC_T(pool, applessl_sock_t);    
 
-    assock->queue = dispatch_queue_create("ssl_queue", DISPATCH_QUEUE_SERIAL);
+    assock->queue = dispatch_queue_create("ssl_queue",
+                                          DISPATCH_QUEUE_CONCURRENT);
     assock->ev_semaphore = dispatch_semaphore_create(0);    
     if (!assock->queue || !assock->ev_semaphore) {
         ssl_destroy(&assock->base);
@@ -1430,7 +1429,6 @@ static void close_connection(applessl_sock_t *assock)
 
         assock->connection = nil;
         nw_connection_force_cancel(conn);
-        nw_release(conn);
 
         /* We need to wait until the connection is at cancelled state,
          * otherwise events will still be delivered even though we
@@ -1448,6 +1446,9 @@ static void close_connection(applessl_sock_t *assock)
                                   "%p %d", assock, assock->con_state));
         }
 
+        nw_connection_set_state_changed_handler(conn, nil);
+        nw_release(conn);
+
 #if SSL_DEBUG
         PJ_LOG(3, (THIS_FILE, "SSL connection %p closed", assock));
 #endif

pjlib/src/pjlib-test/ssl_sock.c

@@ -466,7 +466,6 @@ static int https_client_test(unsigned ms_timeout)
     param.timer_heap = timer;
     param.timeout.sec = 0;
     param.timeout.msec = ms_timeout;
-    param.proto = PJ_SSL_SOCK_PROTO_SSL23;
     pj_time_val_normalize(&param.timeout);
 
     status = pj_ssl_sock_create(pool, &param, &ssock);
@@ -658,6 +657,12 @@ static int echo_test(pj_ssl_sock_proto srv_proto, pj_ssl_sock_proto cli_proto,
         pj_str_t privkey_file = pj_str(CERT_PRIVKEY_FILE);
         pj_str_t privkey_pass = pj_str(CERT_PRIVKEY_PASS);
 
+#if (PJ_SSL_SOCK_IMP == PJ_SSL_SOCK_IMP_APPLE)
+        /* We store private key in Keychain. */
+        privkey_file = pj_str("");
+        privkey_pass = pj_str("");
+#endif
+
 #if (defined(TEST_LOAD_FROM_FILES) && TEST_LOAD_FROM_FILES==1)
         status = pj_ssl_cert_load_from_files(pool, &ca_file, &cert_file, 
                                              &privkey_file, &privkey_pass,
@@ -810,8 +815,10 @@ static int echo_test(pj_ssl_sock_proto srv_proto, pj_ssl_sock_proto cli_proto,
 
     /* Clean up sockets */
     {
-        pj_time_val delay = {0, 100};
+        /* The delay must be at least PJ_SSL_SOCK_DELAYED_CLOSE_TIMEOUT. */
+        pj_time_val delay = {0, 500};
         while (pj_ioqueue_poll(ioqueue, &delay) > 0);
+        pj_timer_heap_poll(timer, &delay);
     }
 
     if (state_serv.err || state_cli.err) {