WIP Add support for native SecureTransport on OS X

Makefile.am

@@ -29,7 +29,7 @@ endif
 include build/cmake/Makefile.am
 
 ACLOCAL_AMFLAGS = -I build/autotools/m4 ${ACLOCAL_FLAGS}
-DISTCHECK_CONFIGURE_FLAGS = --enable-silent-rules --enable-man-pages --enable-html-doc --enable-sasl --enable-ssl --enable-maintainer-flags --enable-debug --with-libbson=bundled
+DISTCHECK_CONFIGURE_FLAGS = --enable-silent-rules --enable-man-pages --enable-html-doc --enable-sasl --enable-ssl --enable-maintainer-flags --enable-debug --with-libbson=bundled --enable-apple-native-tls
 
 mongocdocdir = ${docdir}
 mongocdoc_DATA = \

build/autotools/CheckSSL.m4

@@ -32,14 +32,38 @@ AS_IF([test "$enable_ssl" != "no"],[
   ])
 ])
 
-
+AM_CONDITIONAL([ENABLE_APPLE_NATIVE_TLS], [test "$enable-apple-native-tls" = "yes"])
 AM_CONDITIONAL([ENABLE_SSL], [test "$enable_ssl" = "yes"])
+
+dnl For SecureTransport, link against proper frameworks
+if test "$enable_apple_native_tls" = "yes" ; then
+   dnl TODO this doesn't actually work...
+   SSL_CFLAGS="-framework Security -framework CoreFoundation"
+fi
+
 AC_SUBST(SSL_CFLAGS)
 AC_SUBST(SSL_LIBS)
 
 dnl Let mongoc-config.h.in know about SSL status.
+dnl TODO decouple OpenSSL support from general SSL support.
 if test "$enable_ssl" = "yes" ; then
   AC_SUBST(MONGOC_ENABLE_SSL, 1)
 else
   AC_SUBST(MONGOC_ENABLE_SSL, 0)
 fi
+
+dnl Same deal for Apple native TLS
+if test "$enable_apple_native_tls" = "yes" ; then
+   AC_SUBST(MONGOC_APPLE_NATIVE_TLS, 1)
+else
+   AC_SUBST(MONGOC_APPLE_NATIVE_TLS, 0)
+fi
+
+dnl TODO do a better job of this...
+if test "$enable_ssl" = "yes" ; then
+   if test "$enable_apple_native_tls" = "yes" ; then
+      AC_SUBST(MONGOC_OPENSSL, 0)
+   else
+      AC_SUBST(MONGOC_OPENSSL, 1)
+   fi
+fi

build/autotools/PrintBuildConfiguration.m4

@@ -2,7 +2,7 @@ AC_OUTPUT
 
 if test $(( ${MONGOC_MINOR_VERSION} % 2 )) -eq 1; then
 cat << EOF
- *** IMPORTANT *** 
+ *** IMPORTANT ***
 
  This is an unstable version of libmongoc.
  It is for test purposes only.
@@ -35,6 +35,7 @@ Build configuration:
   Fast counters                                    : ${enable_rdtscp}
   SASL                                             : ${sasl_mode}
   SSL                                              : ${enable_ssl}
+  Apple Native TLS                                 : ${enable_apple_native_tls}
   Libbson                                          : ${with_libbson}
 
 Documentation:

build/autotools/ReadCommandLineArguments.m4

@@ -10,6 +10,12 @@ AC_ARG_ENABLE(tracing,
     [],[enable_tracing="no"])
 AC_MSG_RESULT([$enable_tracing])
 
+AC_MSG_CHECKING([whether to use native TLS on OSX/iOS])
+AC_ARG_ENABLE(apple-native-tls,
+    AC_HELP_STRING([--enable-apple-native-tls], [use native TLS on OSX/iOS [default=no]]),
+    [],[enable_apple_native_tls="no"])
+AC_MSG_RESULT([$enable_apple_native_tls])
+
 AC_MSG_CHECKING([whether to enable optimized builds])
 AC_ARG_ENABLE(optimizations, 
     AC_HELP_STRING([--enable-optimizations], [turn on build-time optimizations [default=yes]]),

src/mongoc/Makefile.am

@@ -66,7 +66,6 @@ INST_H_FILES = \
 	src/mongoc/mongoc-sasl-private.h \
 	src/mongoc/mongoc-scram-private.h \
 	src/mongoc/mongoc-socket.h \
-	src/mongoc/mongoc-ssl-private.h \
 	src/mongoc/mongoc-stream-buffered.h \
 	src/mongoc/mongoc-stream-file.h \
 	src/mongoc/mongoc-stream-gridfs.h \
@@ -85,9 +84,18 @@ INST_H_FILES = \
 if ENABLE_SSL
 INST_H_FILES += \
 	src/mongoc/mongoc-rand.h \
+	src/mongoc/mongoc-rand-apple.h \
+	src/mongoc/mongoc-rand-apple-private.h \
+	src/mongoc/mongoc-rand-openssl.h \
+	src/mongoc/mongoc-rand-openssl-private.h \
 	src/mongoc/mongoc-rand-private.h \
+	src/mongoc/mongoc-stream-apple-tls.h \
+	src/mongoc/mongoc-stream-openssl-tls.h \
 	src/mongoc/mongoc-stream-tls.h \
-	src/mongoc/mongoc-ssl.h
+	src/mongoc/mongoc-ssl.h \
+	src/mongoc/mongoc-ssl-apple-private.h \
+	src/mongoc/mongoc-ssl-openssl-private.h \
+	src/mongoc/mongoc-ssl-private.h
 endif
 
 MONGOC_SOURCES_SHARED += \
@@ -133,9 +141,15 @@ MONGOC_SOURCES_SHARED += \
 if ENABLE_SSL
 MONGOC_SOURCES_SHARED += \
 	src/mongoc/mongoc-rand.c \
+	src/mongoc/mongoc-rand-apple.c \
+	src/mongoc/mongoc-rand-openssl.c \
 	src/mongoc/mongoc-scram.c \
 	src/mongoc/mongoc-stream-tls.c \
-	src/mongoc/mongoc-ssl.c
+	src/mongoc/mongoc-stream-apple-tls.c \
+	src/mongoc/mongoc-stream-openssl-tls.c \
+	src/mongoc/mongoc-ssl.c \
+	src/mongoc/mongoc-ssl-apple.c \
+	src/mongoc/mongoc-ssl-openssl.c
 endif
 
 if ENABLE_SASL

src/mongoc/mongoc-config.h.in

@@ -29,6 +29,25 @@
 #  undef MONGOC_ENABLE_SSL
 #endif
 
+/*
+ * MONGOC_APPLE_NATIVE_TLS is set from configure to determine if we
+ * are compiled with support for native TLS on OSX and iOS.
+ */
+#define MONGOC_APPLE_NATIVE_TLS @MONGOC_APPLE_NATIVE_TLS@
+
+#if MONGOC_APPLE_NATIVE_TLS != 1
+#  undef MONGOC_APPLE_NATIVE_TLS
+#endif
+
+/*
+ * MONGOC_OPENSSL is set from configure to determine if we are compiled
+ * with support for OpenSSL.
+ */
+#define MONGOC_OPENSSL @MONGOC_OPENSSL@
+
+#if MONGOC_OPENSSL != 1
+#  undef MONGOC_OPENSSL
+#endif
 
 /*
  * MONGOC_ENABLE_SASL is set from configure to determine if we are

src/mongoc/mongoc-rand-apple-private.h

@@ -0,0 +1,45 @@
+/*
+ * Copyright 2015 MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef MONGOC_RAND_APPLE_PRIVATE_H
+#define MONGOC_RAND_APPLE_PRIVATE_H
+
+#if !defined (MONGOC_I_AM_A_DRIVER) && !defined (MONGOC_COMPILATION)
+#error "Only <mongoc.h> can be included directly."
+#endif
+
+#ifdef MONGOC_APPLE_NATIVE_TLS
+
+#include <bson.h>
+
+BSON_BEGIN_DECLS
+
+int
+_mongoc_rand_apple_bytes (uint8_t *buf,
+                          int      num);
+
+int
+_mongoc_pseudo_rand_apple_bytes (uint8_t *buf,
+                                 int      num);
+
+BSON_END_DECLS
+
+/* API setup for Apple */
+#define _mongoc_rand_bytes_impl _mongoc_rand_apple_bytes
+#define _mongoc_pseudo_rand_bytes_impl _mongoc_pseudo_rand_apple_bytes
+
+#endif /* MONGOC_APPLE_NATIVE_TLS */
+#endif /* MONGOC_RAND_APPLE_PRIVATE_H */

src/mongoc/mongoc-rand-apple.c

@@ -0,0 +1,82 @@
+/*
+ * Copyright 2014 MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mongoc-config.h"
+
+#ifdef MONGOC_ENABLE_SSL
+#ifdef MONGOC_APPLE_NATIVE_TLS
+
+#include "mongoc-rand-apple.h"
+#include "mongoc-rand-apple-private.h"
+
+#include "mongoc.h"
+
+#include <Security/Security.h>
+
+/*
+ *-------------------------------------------------------------------------
+ *
+ * _mongoc_rand_apple_bytes --
+ *
+ *       Uses SecureTransport's default random number generator to fill
+ *       @buf with @num cryptographically secure random bytes.
+ *
+ * Returns:
+ *       1 on success, 0 on failure, with error in errno system variable.
+ *
+ *-------------------------------------------------------------------------
+ */
+
+int _mongoc_rand_apple_bytes(uint8_t * buf, int num) {
+   if (0 == SecRandomCopyBytes(kSecRandomDefault, num, buf)) {
+      return 1;
+   }
+   return 0;
+}
+
+/*
+ *-------------------------------------------------------------------------
+ *
+ * _mongoc_pseudo_rand_apple_bytes --
+ *
+ *       With SecureTransport, behaves like _mongoc_rand_bytes.
+ *
+ * Returns:
+ *       1 on success, 0 on failure, with error in errno system variable.
+ *
+ *-------------------------------------------------------------------------
+ */
+
+int _mongoc_pseudo_rand_apple_bytes(uint8_t * buf, int num) {
+   return _mongoc_rand_apple_bytes(buf, num);
+}
+
+void mongoc_rand_apple_seed(const void* buf, int num) {
+    /* n/a */
+    // TODO why is this n/a?
+}
+
+void mongoc_rand_apple_add(const void* buf, int num, double entropy) {
+    /* n/a */
+    // TODO why is this n/a?
+}
+
+int mongoc_rand_apple_status(void) {
+    return 1;
+}
+
+#endif /* MONGOC_APPLE_NATIVE_TLS */
+#endif /* MONGOC_ENABLE_SSL */

src/mongoc/mongoc-rand-apple.h

@@ -0,0 +1,52 @@
+/*
+ * Copyright 2015 MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef MONGOC_RAND_APPLE_H
+#define MONGOC_RAND_APPLE_H
+
+#if !defined (MONGOC_INSIDE) && !defined (MONGOC_COMPILATION)
+#error "Only <mongoc.h> can be included directly."
+#endif
+
+#ifdef MONGOC_APPLE_NATIVE_TLS
+
+#include <bson.h>
+
+BSON_BEGIN_DECLS
+
+
+void
+mongoc_rand_apple_seed (const void *buf,
+                        int         num);
+
+void
+mongoc_rand_apple_add (const void *buf,
+                       int         num,
+                       double      entropy);
+
+int
+mongoc_rand_apple_status (void);
+
+
+BSON_END_DECLS
+
+/* API setup for Apple */
+#define mongoc_rand_seed_impl mongoc_rand_apple_seed
+#define mongoc_rand_add_impl mongoc_rand_apple_add
+#define mongoc_rand_status_impl mongoc_rand_apple_status
+
+#endif /* MONGOC_APPLE_NATIVE_TLS */
+#endif /* MONGOC_RAND_APPLE_H */

src/mongoc/mongoc-rand-openssl-private.h

@@ -0,0 +1,45 @@
+/*
+ * Copyright 2015 MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef MONGOC_RAND_OPENSSL_PRIVATE_H
+#define MONGOC_RAND_OPENSSL_PRIVATE_H
+
+#if !defined (MONGOC_I_AM_A_DRIVER) && !defined (MONGOC_COMPILATION)
+#error "Only <mongoc.h> can be included directly."
+#endif
+
+#ifdef MONGOC_OPENSSL
+
+#include <bson.h>
+
+BSON_BEGIN_DECLS
+
+int
+_mongoc_rand_openssl_bytes (uint8_t *buf,
+                            int      num);
+
+int
+_mongoc_pseudo_rand_openssl_bytes (uint8_t *buf,
+                                   int      num);
+
+BSON_END_DECLS
+
+/* API setup for OpenSSL */
+#define _mongoc_rand_bytes_impl _mongoc_rand_openssl_bytes
+#define _mongoc_pseudo_rand_bytes_impl _mongoc_pseudo_rand_openssl_bytes
+
+#endif /* MONGOC_OPENSSL */
+#endif /* MONGOC_RAND_OPENSSL_PRIVATE_H */