authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-03-09 13:19:22 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-03-09 13:19:22 +0000
commitc21c3b0befeb46a51b6bf3758ffa30813bea0ff0 (patch)
tree9754ff1ca740f6346cf8483ec915d4054bc5da2d /web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests
parentAdding upstream version 1.43.2. (diff)
Adding upstream version 1.44.3.upstream/1.44.3
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests')
-rw-r--r--web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLConnectionTests.m154
-rw-r--r--web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLSessionTests.m145
-rw-r--r--web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLCertificatePinningTests-Info.plist22
-rw-r--r--web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.h15
-rw-r--r--web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.m57
-rw-r--r--web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/VeriSignClass3PublicPrimaryCertificationAuthority-G5.derbin0 -> 1239 bytes
-rw-r--r--web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/en.lproj/InfoPlist.strings2
-rw-r--r--web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/www.isecpartners.com.derbin0 -> 1876 bytes
8 files changed, 395 insertions, 0 deletions
diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLConnectionTests.m b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLConnectionTests.m
new file mode 100644
index 000000000..53d860785
--- /dev/null
+++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLConnectionTests.m
@@ -0,0 +1,154 @@
+//
+// NSURLConnectionTests.m
+// SSLCertificatePinning
+//
+// Created by Alban Diquet on 1/14/14.
+// Copyright (c) 2014 iSEC Partners. All rights reserved.
+//
+
+#import <XCTest/XCTest.h>
+
+#import "ISPPinnedNSURLConnectionDelegate.h"
+#import "ISPCertificatePinning.h"
+#import "SSLPinsTestUtility.h"
+
+
+// Delegate we'll use for our tests
+@interface NSURLConnectionDelegateTest : ISPPinnedNSURLConnectionDelegate <NSURLConnectionDelegate>
+ @property BOOL connectionFinished;
+ @property BOOL connectionSucceeded;
+@end
+
+
+
+@interface NSURLConnectionTests : XCTestCase
+
+@end
+
+
+@implementation NSURLConnectionTests
+
+
+- (void)setUp
+{
+ [super setUp];
+}
+
+- (void)tearDown
+{
+ [super tearDown];
+}
+
+#pragma mark SSL pinning test
+
+
+// This is sample code to demonstrate how to implement certificate pinning with NSURLConnection
+- (void)testNSURLConnectionSSLPinning
+{
+
+ // Create our SSL pins dictionnary for Twitter, iSEC and NCC
+ NSDictionary *domainsToPin = [SSLPinsTestUtility setupTestSSLPinsDictionnary];
+ if (domainsToPin == nil) {
+ NSLog(@"Failed to pin a certificate");
+ }
+
+
+ // Save the SSL pins so that our connection delegates automatically use them
+ if ([ISPCertificatePinning setupSSLPinsUsingDictionnary:domainsToPin] != YES) {
+ NSLog(@"Failed to pin the certificates");
+ }
+
+ // Connect to Twitter
+ NSURLRequest *request = [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://twitter.com/"]];
+ NSURLConnectionDelegateTest *connectionDelegate = [[NSURLConnectionDelegateTest alloc] init];
+ NSURLConnection *connection=[[NSURLConnection alloc] initWithRequest:request delegate:connectionDelegate];
+ [connection start];
+
+ // Connect to iSEC
+ NSURLRequest *request2 = [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://www.isecpartners.com/"]];
+ NSURLConnectionDelegateTest *connectionDelegate2 = [[NSURLConnectionDelegateTest alloc] init];
+ NSURLConnection *connection2 = [[NSURLConnection alloc] initWithRequest:request2 delegate:connectionDelegate2];
+ [connection2 start];
+
+ // Connect to NCC Group => will fail because we pinned a wrong certificate
+ NSURLRequest *request3 = [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://www.nccgroup.com/"]];
+ NSURLConnectionDelegateTest *connectionDelegate3 = [[NSURLConnectionDelegateTest alloc] init];
+ NSURLConnection *connection3 = [[NSURLConnection alloc] initWithRequest:request3 delegate:connectionDelegate3];
+ [connection3 start];
+
+
+ // Do some polling to wait for the connections to complete
+#define POLL_INTERVAL 0.2 // 200ms
+#define N_SEC_TO_POLL 3.0 // poll for 3s
+#define MAX_POLL_COUNT N_SEC_TO_POLL / POLL_INTERVAL
+
+ NSUInteger pollCount = 0;
+ while (!(connectionDelegate.connectionFinished && connectionDelegate2.connectionFinished && connectionDelegate3.connectionFinished) && (pollCount < MAX_POLL_COUNT)) {
+ NSDate* untilDate = [NSDate dateWithTimeIntervalSinceNow:POLL_INTERVAL];
+ [[NSRunLoop currentRunLoop] runUntilDate:untilDate];
+ pollCount++;
+ }
+
+ if (pollCount == MAX_POLL_COUNT) {
+ XCTFail(@"Could not connect in time");
+ }
+
+
+ // The first two connections should succeed
+ XCTAssertTrue(connectionDelegate.connectionSucceeded, @"Connection to Twitter failed");
+ XCTAssertTrue(connectionDelegate2.connectionSucceeded, @"Connection to iSEC Partners failed");
+
+ // The last connection should fail
+ XCTAssertFalse(connectionDelegate3.connectionSucceeded, @"Connection to NCC succeeded");
+}
+
+
+@end
+
+
+#pragma mark Delegate class
+
+@implementation NSURLConnectionDelegateTest
+
+@synthesize connectionSucceeded;
+@synthesize connectionFinished;
+
+-(instancetype) init {
+ if (self = [super init])
+ {
+ self.connectionSucceeded = NO;
+ self.connectionFinished = NO;
+ }
+ return self;
+}
+
+
+- (void)connectionDidFinishLoading:(NSURLConnection *)connection {
+ self.connectionSucceeded = YES;
+ self.connectionFinished = YES;
+}
+
+- (void)connection:(NSURLConnection *)connection didFailWithError:(NSError *)error {
+ self.connectionSucceeded = NO;
+ self.connectionFinished = YES;
+}
+
+- (void)connection:(NSURLConnection *)connection didReceiveData:(NSData *)data {
+ self.connectionSucceeded = YES;
+ self.connectionFinished = YES;
+}
+
+- (NSCachedURLResponse *)connection:(NSURLConnection *)connection willCacheResponse:(NSCachedURLResponse *)cachedResponse {
+ return cachedResponse;
+}
+
+- (void)connection:(NSURLConnection *)connection didReceiveResponse:(NSURLResponse *)response {
+ self.connectionSucceeded = YES;
+ self.connectionFinished = YES;
+}
+
+- (NSURLRequest *)connection:(NSURLConnection *)connection willSendRequest:(NSURLRequest *)request redirectResponse:(NSURLResponse *)redirectResponse {
+ return request;
+}
+
+@end
\ No newline at end of file
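Review bot: The two pin-setup checks at the top of testNSURLConnectionSSLPinning only call NSLog and let the test continue, so a missing .der resource or a rejected pin dictionary never fails the test on its own. I would replace them with `XCTAssertNotNil(domainsToPin, @"Failed to load the test pins");` and `XCTAssertTrue([ISPCertificatePinning setupSSLPinsUsingDictionnary:domainsToPin], @"Failed to install the SSL pins");`. The closing `XCTAssertFalse(connectionDelegate3.connectionSucceeded, …)` is also satisfied by any failure to reach www.nccgroup.com, because `connection:didFailWithError:` discards the NSError. Storing that error on the delegate and asserting on it would tie the expected failure to the pinning check rather than to connectivity. testNSURLSessionSSLPinning in NSURLSessionTests.m has the same two patterns.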
diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLSessionTests.m b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLSessionTests.m
new file mode 100644
index 000000000..5f1da51ba
--- /dev/null
+++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLSessionTests.m
@@ -0,0 +1,145 @@
+//
+// NSURLSessionTests.m
+// SSLCertificatePinning
+//
+// Created by Alban Diquet on 1/14/14.
+// Copyright (c) 2014 iSEC Partners. All rights reserved.
+//
+
+#import <XCTest/XCTest.h>
+
+#import "ISPPinnedNSURLSessionDelegate.h"
+#import "ISPCertificatePinning.h"
+#import "SSLPinsTestUtility.h"
+
+
+// Delegate we'll use for our tests
+@interface NSURLSessionTaskDelegateTest : ISPPinnedNSURLSessionDelegate <NSURLSessionTaskDelegate, NSURLSessionDataDelegate>
+@property BOOL connectionFinished;
+@property BOOL connectionSucceeded;
+@end
+
+
+@interface NSURLSessionTests : XCTestCase
+
+@end
+
+@implementation NSURLSessionTests
+
+- (void)setUp
+{
+ [super setUp];
+}
+
+- (void)tearDown
+{
+ [super tearDown];
+}
+
+
+#pragma mark SSL pinning test
+- (void)testNSURLSessionSSLPinning
+{
+
+ // Create our SSL pins dictionnary for Twitter, iSEC and NCC
+ NSDictionary *domainsToPin = [SSLPinsTestUtility setupTestSSLPinsDictionnary];
+ if (domainsToPin == nil) {
+ NSLog(@"Failed to pin a certificate");
+ }
+
+ // Save the SSL pins so that our session delegates automatically use them
+ if ([ISPCertificatePinning setupSSLPinsUsingDictionnary:domainsToPin] != YES) {
+ NSLog(@"Failed to pin the certificates");
+ }
+
+
+ // Connect to Twitter
+ NSURLSessionTaskDelegateTest *sessionDelegate1 = [[NSURLSessionTaskDelegateTest alloc] init];
+ NSURLSession *session1 = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration ephemeralSessionConfiguration] delegate:sessionDelegate1 delegateQueue:nil];
+
+ NSURLSessionDataTask *dataTask1 = [session1 dataTaskWithURL:[NSURL URLWithString:@"https://twitter.com/"] completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
+
+ sessionDelegate1.connectionFinished = YES;
+ if (!error) {
+ sessionDelegate1.connectionSucceeded = YES;
+ }
+ }];
+ [dataTask1 resume];
+
+
+ // Connect to iSEC
+ NSURLSessionTaskDelegateTest *sessionDelegate2 = [[NSURLSessionTaskDelegateTest alloc] init];
+ NSURLSession *session2 = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration ephemeralSessionConfiguration] delegate:sessionDelegate2 delegateQueue:nil];
+
+ NSURLSessionDataTask *dataTask2 = [session2 dataTaskWithURL:[NSURL URLWithString:@"https://www.isecpartners.com/"] completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
+
+ sessionDelegate2.connectionFinished = YES;
+ if (!error) {
+ sessionDelegate2.connectionSucceeded = YES;
+ }
+ }];
+ [dataTask2 resume];
+
+
+ // Connect to NCC Group => will fail because we pinned a wrong certificate
+ NSURLSessionTaskDelegateTest *sessionDelegate3 = [[NSURLSessionTaskDelegateTest alloc] init];
+ NSURLSession *session3 = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration ephemeralSessionConfiguration] delegate:sessionDelegate3 delegateQueue:nil];
+
+ NSURLSessionDataTask *dataTask3 = [session3 dataTaskWithURL:[NSURL URLWithString:@"https://www.nccgroup.com/"] completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
+
+ sessionDelegate3.connectionFinished = YES;
+ if (!error) {
+ sessionDelegate3.connectionSucceeded = YES;
+ }
+ }];
+ [dataTask3 resume];
+
+
+ // Do some polling to wait for the connections to complete
+#define POLL_INTERVAL 0.2 // 200ms
+#define N_SEC_TO_POLL 3.0 // poll for 3s
+#define MAX_POLL_COUNT N_SEC_TO_POLL / POLL_INTERVAL
+
+ NSUInteger pollCount = 0;
+ while (!(sessionDelegate1.connectionFinished && sessionDelegate2.connectionFinished && sessionDelegate3.connectionFinished) && (pollCount < MAX_POLL_COUNT)) {
+ NSDate* untilDate = [NSDate dateWithTimeIntervalSinceNow:POLL_INTERVAL];
+ [[NSRunLoop currentRunLoop] runUntilDate:untilDate];
+ pollCount++;
+ }
+
+ if (pollCount == MAX_POLL_COUNT) {
+ XCTFail(@"Could not connect in time");
+ }
+
+
+ // The first two connections should succeed
+ XCTAssertTrue(sessionDelegate1.connectionSucceeded, @"Connection to Twitter failed");
+ XCTAssertTrue(sessionDelegate2.connectionSucceeded, @"Connection to iSEC Partners failed");
+
+ // The last connection should fail
+ XCTAssertFalse(sessionDelegate3.connectionSucceeded, @"Connection to NCC succeeded");
+}
+
+
+@end
+
+
+
+
+#pragma mark Delegate class
+
+@implementation NSURLSessionTaskDelegateTest
+
+ @synthesize connectionSucceeded;
+ @synthesize connectionFinished;
+
+ -(instancetype) init {
+ if (self = [super init])
+ {
+ self.connectionSucceeded = NO;
+ self.connectionFinished = NO;
+ }
+ return self;
+ }
+
+@end
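Review bot: The timeout check `if (pollCount == MAX_POLL_COUNT)` infers a timeout from the loop counter, so a run in which the last task completes during the final poll interval is still reported as "Could not connect in time". Testing the flags themselves after the loop, for example `BOOL allDone = sessionDelegate1.connectionFinished && sessionDelegate2.connectionFinished && sessionDelegate3.connectionFinished;` followed by `XCTAssertTrue(allDone, @"Could not connect in time");`, removes that false failure. `MAX_POLL_COUNT` also expands to the unparenthesised floating-point division `3.0 / 0.2`, compared with `==` against an NSUInteger. An integer constant such as `static const NSUInteger kMaxPollCount = 15;` would not depend on the quotient being exact. The same loop appears in NSURLConnectionTests.m.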
diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLCertificatePinningTests-Info.plist b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLCertificatePinningTests-Info.plist
new file mode 100644
index 000000000..ccba61f8e
--- /dev/null
+++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLCertificatePinningTests-Info.plist
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>CFBundleDevelopmentRegion</key>
+ <string>en</string>
+ <key>CFBundleExecutable</key>
+ <string>${EXECUTABLE_NAME}</string>
+ <key>CFBundleIdentifier</key>
+ <string>com.isecpartners.${PRODUCT_NAME:rfc1034identifier}</string>
+ <key>CFBundleInfoDictionaryVersion</key>
+ <string>6.0</string>
+ <key>CFBundlePackageType</key>
+ <string>BNDL</string>
+ <key>CFBundleShortVersionString</key>
+ <string>1.0</string>
+ <key>CFBundleSignature</key>
+ <string>????</string>
+ <key>CFBundleVersion</key>
+ <string>1</string>
+</dict>
+</plist>
diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.h b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.h
new file mode 100644
index 000000000..56dde1ac7
--- /dev/null
+++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.h
@@ -0,0 +1,15 @@
+//
+// SSLPinsTestUtility.h
+// SSLCertificatePinning
+//
+// Created by Alban Diquet on 2/2/14.
+// Copyright (c) 2014 iSEC Partners. All rights reserved.
+//
+
+#import <Foundation/Foundation.h>
+
+@interface SSLPinsTestUtility : NSObject
+
++ (NSDictionary*) setupTestSSLPinsDictionnary;
+
+@end
diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.m b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.m
new file mode 100644
index 000000000..7a5eb22c5
--- /dev/null
+++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.m
@@ -0,0 +1,57 @@
+//
+// SSLPinsTestUtility.m
+// SSLCertificatePinning
+//
+// Created by Alban Diquet on 2/2/14.
+// Copyright (c) 2014 iSEC Partners. All rights reserved.
+//
+
+#import "SSLPinsTestUtility.h"
+#import "ISPCertificatePinning.h"
+
+@implementation SSLPinsTestUtility
+
+
++ (NSData*)loadCertificateFromFile:(NSString*)fileName {
+ NSString *certPath = [[NSBundle bundleForClass:[self class]] pathForResource:fileName ofType:@"der"];
+ NSData *certData = [[NSData alloc] initWithContentsOfFile:certPath];
+ return certData;
+}
+
+
++ (NSDictionary*) setupTestSSLPinsDictionnary {
+ // Build our dictionnary of domain => certificates
+ NSMutableDictionary *domainsToPin = [[NSMutableDictionary alloc] init];
+
+
+ // For Twitter, we pin the anchor/CA certificate
+ NSData *twitterCertData = [SSLPinsTestUtility loadCertificateFromFile:@"VeriSignClass3PublicPrimaryCertificationAuthority-G5"];
+ if (twitterCertData == nil) {
+ NSLog(@"Failed to load a certificate");
+ return nil;
+ }
+ NSArray *twitterTrustedCerts = [NSArray arrayWithObject:twitterCertData];
+ [domainsToPin setObject:twitterTrustedCerts forKey:@"twitter.com"];
+
+
+ // For iSEC, we pin the server/leaf certificate
+ NSData *isecCertData = [SSLPinsTestUtility loadCertificateFromFile:@"www.isecpartners.com"];
+ if (isecCertData == nil) {
+ NSLog(@"Failed to load a certificate");
+ return nil;
+ }
+ // We also pin Twitter's CA cert just to show that you can pin multiple certs to a single domain
+ // This is useful when transitioning between two certificates on the server
+ // The connection will be succesful if at least one of the pinned certs is found in the server's certificate trust chain
+ NSArray *iSECTrustedCerts = [NSArray arrayWithObjects:isecCertData, twitterCertData, nil];
+ [domainsToPin setObject:iSECTrustedCerts forKey:@"www.isecpartners.com"];
+
+
+ // For NCC group, we pin an invalid certificate (Twitter's)
+ NSArray *NCCTrustedCerts = [NSArray arrayWithObject:twitterCertData];
+ [domainsToPin setObject:NCCTrustedCerts forKey:@"www.nccgroup.com"];
+
+ return domainsToPin;
+}
+
+@end
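Review bot: The negative fixture for www.nccgroup.com is Twitter's CA certificate, a real public root, so the expected rejection holds only while the chain NCC serves does not include that root. A certificate that cannot appear in any served chain, such as a self-signed one generated for the test, would make the negative case independent of which CA the live site uses. At minimum I would extend the comment to `// For NCC group, we pin a certificate that must not be in its chain (Twitter's CA); the test stops being meaningful if NCC ever chains to this root`. The two positive fixtures likewise depend on what twitter.com and www.isecpartners.com serve at run time, which the bundled .der files cannot track.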
diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/VeriSignClass3PublicPrimaryCertificationAuthority-G5.der b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/VeriSignClass3PublicPrimaryCertificationAuthority-G5.der
new file mode 100644
index 000000000..9818d19d0
--- /dev/null
+++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/VeriSignClass3PublicPrimaryCertificationAuthority-G5.der
Binary files differ
diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/en.lproj/InfoPlist.strings b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/en.lproj/InfoPlist.strings
new file mode 100644
index 000000000..477b28ff8
--- /dev/null
+++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/en.lproj/InfoPlist.strings
@@ -0,0 +1,2 @@
+/* Localized versions of Info.plist keys */
+
diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/www.isecpartners.com.der b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/www.isecpartners.com.der
new file mode 100644
index 000000000..886cf483e
--- /dev/null
+++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/www.isecpartners.com.der
Binary files differ