ObjOpenSSL  Check-in [74db1e8212]

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>CFBundleExecutable</key>
	<string>${EXECUTABLE_NAME}</string>
	<key>CFBundleIdentifier</key>
	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
	<key>CFBundleInfoDictionaryVersion</key>
	<string>6.0</string>
	<key>CFBundleName</key>
	<string>${PRODUCT_NAME}</string>
	<key>CFBundlePackageType</key>
	<string>FMWK</string>
	<key>CFBundleShortVersionString</key>

		4B19F58C14D17250005D52DC /* SSLInvalidCertificateException.m in Sources */ = {isa = PBXBuildFile; fileRef = 4B19F58814D17250005D52DC /* SSLInvalidCertificateException.m */; };
		4B19F58D14D17250005D52DC /* X509Certificate.h in Headers */ = {isa = PBXBuildFile; fileRef = 4B19F58914D17250005D52DC /* X509Certificate.h */; settings = {ATTRIBUTES = (Public, ); }; };
		4B19F58E14D17250005D52DC /* X509Certificate.m in Sources */ = {isa = PBXBuildFile; fileRef = 4B19F58A14D17250005D52DC /* X509Certificate.m */; };
		4B4F087813A01EEF00B60C3F /* ObjOpenSSL.h in Headers */ = {isa = PBXBuildFile; fileRef = 4B4F087713A01EEF00B60C3F /* ObjOpenSSL.h */; settings = {ATTRIBUTES = (Public, ); }; };
		4B9671B6193E55C800F9F80D /* ObjFW.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4B9671B5193E55C800F9F80D /* ObjFW.framework */; };
		4BD0AAEC1341289500445289 /* SSLSocket.h in Headers */ = {isa = PBXBuildFile; fileRef = 4BD0AAEA1341289500445289 /* SSLSocket.h */; settings = {ATTRIBUTES = (Public, ); }; };
		4BD0AAED1341289500445289 /* SSLSocket.m in Sources */ = {isa = PBXBuildFile; fileRef = 4BD0AAEB1341289500445289 /* SSLSocket.m */; };
		4BDE04741D319BFC0051EDB8 /* SSLConnectionFailedException.h in Headers */ = {isa = PBXBuildFile; fileRef = 4BDE04721D319BFC0051EDB8 /* SSLConnectionFailedException.h */; settings = {ATTRIBUTES = (Public, ); }; };
		4BDE04751D319BFC0051EDB8 /* SSLConnectionFailedException.m in Sources */ = {isa = PBXBuildFile; fileRef = 4BDE04731D319BFC0051EDB8 /* SSLConnectionFailedException.m */; };
/* End PBXBuildFile section */

/* Begin PBXFileReference section */
		4B1918EA1341272300D82152 /* ObjOpenSSL.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = ObjOpenSSL.framework; sourceTree = BUILT_PRODUCTS_DIR; };
		4B19F58714D17250005D52DC /* SSLInvalidCertificateException.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SSLInvalidCertificateException.h; path = src/SSLInvalidCertificateException.h; sourceTree = SOURCE_ROOT; };
		4B19F58814D17250005D52DC /* SSLInvalidCertificateException.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = SSLInvalidCertificateException.m; path = src/SSLInvalidCertificateException.m; sourceTree = SOURCE_ROOT; };
		4B19F58914D17250005D52DC /* X509Certificate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = X509Certificate.h; path = src/X509Certificate.h; sourceTree = SOURCE_ROOT; };
		4B19F58A14D17250005D52DC /* X509Certificate.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = X509Certificate.m; path = src/X509Certificate.m; sourceTree = SOURCE_ROOT; };
		4B4F087713A01EEF00B60C3F /* ObjOpenSSL.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ObjOpenSSL.h; path = src/ObjOpenSSL.h; sourceTree = SOURCE_ROOT; };
		4B9671B5193E55C800F9F80D /* ObjFW.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = ObjFW.framework; path = /Library/Frameworks/ObjFW.framework; sourceTree = "<absolute>"; };
		4BD0AAE91341286B00445289 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = SOURCE_ROOT; };
		4BD0AAEA1341289500445289 /* SSLSocket.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SSLSocket.h; path = src/SSLSocket.h; sourceTree = SOURCE_ROOT; };
		4BD0AAEB1341289500445289 /* SSLSocket.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = SSLSocket.m; path = src/SSLSocket.m; sourceTree = SOURCE_ROOT; };
		4BDE04721D319BFC0051EDB8 /* SSLConnectionFailedException.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SSLConnectionFailedException.h; path = src/SSLConnectionFailedException.h; sourceTree = SOURCE_ROOT; };
		4BDE04731D319BFC0051EDB8 /* SSLConnectionFailedException.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = SSLConnectionFailedException.m; path = src/SSLConnectionFailedException.m; sourceTree = SOURCE_ROOT; };
/* End PBXFileReference section */

/* Begin PBXFrameworksBuildPhase section */
		4B1918E61341272300D82152 /* Frameworks */ = {
			isa = PBXFrameworksBuildPhase;
			buildActionMask = 2147483647;
			files = (

			sourceTree = "<group>";
		};
		4B1918F31341272300D82152 /* ObjOpenSSL */ = {
			isa = PBXGroup;
			children = (
				4B1918F41341272300D82152 /* Supporting Files */,
				4B4F087713A01EEF00B60C3F /* ObjOpenSSL.h */,
				4BDE04721D319BFC0051EDB8 /* SSLConnectionFailedException.h */,
				4BDE04731D319BFC0051EDB8 /* SSLConnectionFailedException.m */,
				4B19F58714D17250005D52DC /* SSLInvalidCertificateException.h */,
				4B19F58814D17250005D52DC /* SSLInvalidCertificateException.m */,
				4BD0AAEA1341289500445289 /* SSLSocket.h */,
				4BD0AAEB1341289500445289 /* SSLSocket.m */,
				4B19F58914D17250005D52DC /* X509Certificate.h */,
				4B19F58A14D17250005D52DC /* X509Certificate.m */,
			);

/* Begin PBXHeadersBuildPhase section */
		4B1918E71341272300D82152 /* Headers */ = {
			isa = PBXHeadersBuildPhase;
			buildActionMask = 2147483647;
			files = (
				4B4F087813A01EEF00B60C3F /* ObjOpenSSL.h in Headers */,
				4BDE04741D319BFC0051EDB8 /* SSLConnectionFailedException.h in Headers */,
				4B19F58B14D17250005D52DC /* SSLInvalidCertificateException.h in Headers */,
				4BD0AAEC1341289500445289 /* SSLSocket.h in Headers */,
				4B19F58D14D17250005D52DC /* X509Certificate.h in Headers */,
			);
			runOnlyForDeploymentPostprocessing = 0;
		};
/* End PBXHeadersBuildPhase section */

		};
/* End PBXNativeTarget section */

/* Begin PBXProject section */
		4B1918E01341272300D82152 /* Project object */ = {
			isa = PBXProject;
			attributes = {
				LastUpgradeCheck = 0730;
			};
			buildConfigurationList = 4B1918E31341272300D82152 /* Build configuration list for PBXProject "ObjOpenSSL" */;
			compatibilityVersion = "Xcode 3.2";
			developmentRegion = English;
			hasScannedForEncodings = 0;
			knownRegions = (
				en,

/* End PBXResourcesBuildPhase section */

/* Begin PBXSourcesBuildPhase section */
		4B1918E51341272300D82152 /* Sources */ = {
			isa = PBXSourcesBuildPhase;
			buildActionMask = 2147483647;
			files = (
				4BDE04751D319BFC0051EDB8 /* SSLConnectionFailedException.m in Sources */,
				4B19F58C14D17250005D52DC /* SSLInvalidCertificateException.m in Sources */,
				4BD0AAED1341289500445289 /* SSLSocket.m in Sources */,
				4B19F58E14D17250005D52DC /* X509Certificate.m in Sources */,
			);
			runOnlyForDeploymentPostprocessing = 0;
		};
/* End PBXSourcesBuildPhase section */

/* Begin XCBuildConfiguration section */
		4B1918FA1341272300D82152 /* Debug */ = {
			isa = XCBuildConfiguration;
			buildSettings = {
				ENABLE_TESTABILITY = YES;
				GCC_C_LANGUAGE_STANDARD = gnu99;
				GCC_OPTIMIZATION_LEVEL = 0;
				GCC_PREPROCESSOR_DEFINITIONS = DEBUG;
				GCC_SYMBOLS_PRIVATE_EXTERN = NO;
				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
				GCC_WARN_ABOUT_RETURN_TYPE = YES;
				GCC_WARN_UNUSED_VARIABLE = YES;

					"-fno-constant-cfstrings",
				);
				OTHER_LDFLAGS = (
					"-lssl",
					"-lcrypto",
					"-lz",
				);
				PRODUCT_BUNDLE_IDENTIFIER = "zone.heap.${PRODUCT_NAME:rfc1034identifier}";
				PRODUCT_NAME = "$(TARGET_NAME)";
				WARNING_CFLAGS = (
					"-Wall",
					"-Wshorten-64-to-32",
					"-Wwrite-strings",
					"-Wcast-align",
					"-Wpointer-arith",

					"-fno-constant-cfstrings",
				);
				OTHER_LDFLAGS = (
					"-lssl",
					"-lcrypto",
					"-lz",
				);
				PRODUCT_BUNDLE_IDENTIFIER = "zone.heap.${PRODUCT_NAME:rfc1034identifier}";
				PRODUCT_NAME = "$(TARGET_NAME)";
				WARNING_CFLAGS = (
					"-Wall",
					"-Wshorten-64-to-32",
					"-Wwrite-strings",
					"-Wcast-align",
					"-Wpointer-arith",

include ../extra.mk

SHARED_LIB = ${OBJOPENSSL_SHARED_LIB}
STATIC_LIB = ${OBJOPENSSL_STATIC_LIB}
LIB_MAJOR = 0
LIB_MINOR = 0

SRCS = SSLConnectionFailedException.m	\
       SSLInvalidCertificateException.m	\
       SSLSocket.m			\
       X509Certificate.m

INCLUDES = ${SRCS:.m=.h}	\
	   ObjOpenSSL.h

include ../buildsys.mk

LD = ${OBJC}

/*
 * Copyright (c) 2016, Jonathan Schleifer <js@heap.zone>
 *
 * https://heap.zone/git/?p=objopenssl.git
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice is present in all copies.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#import <ObjFW/OFConnectionFailedException.h>

@class SSLSocket;

@interface SSLConnectionFailedException: OFConnectionFailedException
{
	unsigned long _SSLError;
	long _verifyResult;
}

@property (readonly) unsigned long SSLError;
@property (readonly) long verifyResult;

+ (instancetype)exceptionWithHost: (OFString*)host
			     port: (uint16_t)port
			   socket: (SSLSocket*)socket
			 SSLError: (unsigned long)SSLError;
+ (instancetype)exceptionWithHost: (OFString*)host
			     port: (uint16_t)port
			   socket: (SSLSocket*)socket
			 SSLError: (unsigned long)SSLError
		     verifyResult: (long)verifyResult;
- initWithHost: (OFString*)host
	  port: (uint16_t)port
	socket: (SSLSocket*)socket
      SSLError: (unsigned long)SSLError;
- initWithHost: (OFString*)host
	  port: (uint16_t)port
	socket: (SSLSocket*)socket
      SSLError: (unsigned long)SSLError
  verifyResult: (long)verifyResult;
@end

/*
 * Copyright (c) 2016, Jonathan Schleifer <js@heap.zone>
 *
 * https://heap.zone/git/?p=objopenssl.git
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice is present in all copies.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include <inttypes.h>

#import <ObjFW/OFString.h>

#import "SSLConnectionFailedException.h"

#if defined(__clang__)
# pragma clang diagnostic push
# pragma clang diagnostic ignored "-Wdocumentation"
#endif

#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/x509v3.h>

#if defined(__clang__)
# pragma clang diagnostic pop
#endif

@implementation SSLConnectionFailedException
@synthesize SSLError = _SSLError, verifyResult = _verifyResult;

+ (instancetype)exceptionWithHost: (OFString*)host
			     port: (uint16_t)port
			   socket: (SSLSocket*)socket
			 SSLError: (unsigned long)SSLError
{
	return [[[self alloc] initWithHost: host
				      port: port
				    socket: socket
				  SSLError: SSLError] autorelease];
}


+ (instancetype)exceptionWithHost: (OFString*)host
			     port: (uint16_t)port
			   socket: (SSLSocket*)socket
			 SSLError: (unsigned long)SSLError
		     verifyResult: (long)verifyResult
{
	return [[[self alloc] initWithHost: host
				      port: port
				    socket: socket
				  SSLError: SSLError
			      verifyResult: verifyResult] autorelease];
}

- initWithHost: (OFString*)host
	  port: (uint16_t)port
	socket: (SSLSocket*)socket
      SSLError: (unsigned long)SSLError
{
	self = [super initWithHost: host
			      port: port
			    socket: socket];

	_SSLError = SSLError;

	return self;
}

- initWithHost: (OFString*)host
	  port: (uint16_t)port
	socket: (SSLSocket*)socket
      SSLError: (unsigned long)SSLError
  verifyResult: (long)verifyResult
{
	self = [super initWithHost: host
			      port: port
			    socket: socket];

	_SSLError = SSLError;
	_verifyResult = verifyResult;

	return self;
}

- (OFString*)description
{
	if (_SSLError != SSL_ERROR_NONE) {
		char error[512];

		ERR_error_string_n(_SSLError, error, 512);

		if (_verifyResult != X509_V_OK)
			return [OFString stringWithFormat:
			    @"A connection to %@ on port %" @PRIu16 @" could "
			    @"not be established in socket of type %@: "
			    @"Verification failed: %s [%s]",
			    _host, _port, [_socket class],
			    X509_verify_cert_error_string(_verifyResult),
			    error];
		else
			return [OFString stringWithFormat:
			    @"A connection to %@ on port %" @PRIu16 @" could "
			    @"not be established in socket of type %@: %s",
			    _host, _port, [_socket class], error];
	}

	return [super description];
}
@end

#if defined(__clang__)
# pragma clang diagnostic push
# pragma clang diagnostic ignored "-Wdocumentation"
#endif

#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/x509v3.h>

#if defined(__clang__)
# pragma clang diagnostic pop
#endif

#import <ObjFW/OFThread.h>
#import <ObjFW/OFHTTPRequest.h>
#import <ObjFW/OFDataArray.h>
#import <ObjFW/OFSystemInfo.h>

#import <ObjFW/OFAcceptFailedException.h>

#import <ObjFW/OFInitializationFailedException.h>
#import <ObjFW/OFInvalidArgumentException.h>
#import <ObjFW/OFNotOpenException.h>
#import <ObjFW/OFOutOfRangeException.h>
#import <ObjFW/OFReadFailedException.h>
#import <ObjFW/OFWriteFailedException.h>

#import <ObjFW/macros.h>
#import <ObjFW/threading.h>

#import "SSLSocket.h"

#import "X509Certificate.h"

#import "SSLConnectionFailedException.h"
#import "SSLInvalidCertificateException.h"

#ifndef INVALID_SOCKET
# define INVALID_SOCKET -1
#endif

static SSL_CTX *ctx;
static of_mutex_t *ssl_mutexes;

}

- (void)SSL_startTLSWithExpectedHost: (OFString*)host
				port: (uint16_t)port
{
	of_string_encoding_t encoding;

	if ((_SSL = SSL_new(ctx)) == NULL || SSL_set_fd(_SSL, _socket) != 1) {
		unsigned long error = ERR_get_error();

		[super close];

		@throw [SSLConnectionFailedException
		    exceptionWithHost: host
				 port: port
			       socket: self
			     SSLError: error];
	}

	if (_certificateVerificationEnabled) {
		X509_VERIFY_PARAM *param = SSL_get0_param(_SSL);

		X509_VERIFY_PARAM_set_hostflags(param,
		    X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);

		if (X509_VERIFY_PARAM_set1_host(param,
		    [host UTF8String], [host UTF8StringLength]) != 1) {
			unsigned long error = ERR_get_error();

			[self close];

			@throw [SSLConnectionFailedException
			    exceptionWithHost: host
					 port: port
				       socket: self
				     SSLError: error];
		}

		SSL_set_verify(_SSL, SSL_VERIFY_PEER, NULL);
	}

	SSL_set_connect_state(_SSL);

	encoding = [OFSystemInfo native8BitEncoding];

	if ((_privateKeyFile != nil && !SSL_use_PrivateKey_file(_SSL,
	    [_privateKeyFile cStringWithEncoding: encoding],
	    SSL_FILETYPE_PEM)) || (_certificateFile != nil &&
	    !SSL_use_certificate_file(_SSL, [_certificateFile
	    cStringWithEncoding: encoding],
	    SSL_FILETYPE_PEM))) {
		unsigned long error = ERR_get_error();

		[super close];

		@throw [SSLConnectionFailedException
		    exceptionWithHost: host
				 port: port
			       socket: self
			     SSLError: error];
	}

	if (SSL_connect(_SSL) != 1) {
		unsigned long error = ERR_get_error();
		long res;

		[super close];

		if ((res = SSL_get_verify_result(_SSL)) != X509_V_OK)
			@throw [SSLConnectionFailedException
			    exceptionWithHost: host
					 port: port
				       socket: self
				     SSLError: error
				 verifyResult: res];
		else
			@throw [SSLConnectionFailedException
			    exceptionWithHost: host
					 port: port
				       socket: self
				     SSLError: error];
	}
}

- (void)startTLSWithExpectedHost: (OFString*)host
{
	[self SSL_startTLSWithExpectedHost: host
				      port: 0];