ObjOpenSSL  Check-in [944f3dbb18]

Overview
Comment:Adjust to ObjFW changes
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 944f3dbb188e2214aff67436581e6a1c87034e9ae10ece82ea63fe3868b7fe2c
User & Date: js on 2020-05-06 00:37:29
Other Links: manifest | tags
Context
2020-05-31
16:54
Update URL check-in: 66bd0c554f user: js tags: trunk
2020-05-06
00:37
Adjust to ObjFW changes check-in: 944f3dbb18 user: js tags: trunk
2020-04-05
23:10
Fix type mismatch with GCC check-in: 8d32ca35ce user: js tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Modified src/SSLSocket.h from [b1fffa112d] to [f131b16758]. 

38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

@class X509Certificate;

@interface SSLSocket: OFTCPSocket <OFTLSSocket>
{
	SSL *_SSL;
	OFString *_certificateFile, *_privateKeyFile;
	const char *_privateKeyPassphrase;
	bool _certificateVerificationEnabled;
	bool _requestClientCertificatesEnabled;
}

@property (nonatomic, getter=isRequestClientCertificatesEnabled)
    bool requestClientCertificatesEnabled;
@property OF_NULLABLE_PROPERTY (readonly, nonatomic)
    X509Certificate *peerCertificate;

- initWithSocket: (OFTCPSocket *)socket;
- (OFData *)channelBindingDataWithType: (OFString *)type;
- (nullable X509Certificate *)peerCertificate;
- (void)verifyPeerCertificate;
@end

OF_ASSUME_NONNULL_END








<
|


<
|



|







38
39
40
41
42
43
44

45
46
47

48
49
50
51
52
53
54
55
56
57
58

@class X509Certificate;

@interface SSLSocket: OFTCPSocket <OFTLSSocket>
{
	SSL *_SSL;
	OFString *_certificateFile, *_privateKeyFile;
	const char *_privateKeyPassphrase;

	bool _verifiesCertificates, _requestsClientCertificates;
}


@property (nonatomic) bool requestsClientCertificates;
@property OF_NULLABLE_PROPERTY (readonly, nonatomic)
    X509Certificate *peerCertificate;

- (instancetype)initWithSocket: (OFTCPSocket *)socket;
- (OFData *)channelBindingDataWithType: (OFString *)type;
- (nullable X509Certificate *)peerCertificate;
- (void)verifyPeerCertificate;
@end

OF_ASSUME_NONNULL_END

Modified src/SSLSocket.m from [4db12c8daa] to [dd561157a7]. 

167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183

@end

@implementation SSLSocket
@dynamic delegate;
@synthesize certificateFile = _certificateFile;
@synthesize privateKeyFile = _privateKeyFile;
@synthesize privateKeyPassphrase = _privateKeyPassphrase;
@synthesize certificateVerificationEnabled = _certificateVerificationEnabled;
@synthesize requestClientCertificatesEnabled =
    _requestClientCertificatesEnabled;

+ (void)load
{
	of_tls_socket_class = self;
}

+ (void)initialize








<
|
|








167
168
169
170
171
172
173

174
175
176
177
178
179
180
181
182

@end

@implementation SSLSocket
@dynamic delegate;
@synthesize certificateFile = _certificateFile;
@synthesize privateKeyFile = _privateKeyFile;
@synthesize privateKeyPassphrase = _privateKeyPassphrase;

@synthesize verifiesCertificates = _verifiesCertificates;
@synthesize requestsClientCertificates = _requestsClientCertificates;

+ (void)load
{
	of_tls_socket_class = self;
}

+ (void)initialize

214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237

#endif

	if (SSL_CTX_set_default_verify_paths(ctx) == 0)
		@throw [OFInitializationFailedException
		    exceptionWithClass: self];
}

- init
{
	self = [super init];

	_certificateVerificationEnabled = true;

	return self;
}

- initWithSocket: (OFTCPSocket *)socket
{
	self = [self init];

	@try {
		if ((_socket = dup(socket->_socket)) < 0)
			@throw [OFInitializationFailedException exception];
	} @catch (id e) {








|



|




|








213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236

#endif

	if (SSL_CTX_set_default_verify_paths(ctx) == 0)
		@throw [OFInitializationFailedException
		    exceptionWithClass: self];
}

- (instancetype)init
{
	self = [super init];

	_verifiesCertificates = true;

	return self;
}

- (instancetype)initWithSocket: (OFTCPSocket *)socket
{
	self = [self init];

	@try {
		if ((_socket = dup(socket->_socket)) < 0)
			@throw [OFInitializationFailedException exception];
	} @catch (id e) {

279
280
281
282
283
284
285
286
287
288
289
290
291
292
293


		@throw [SSLConnectionFailedException exceptionWithHost: host
								  port: port
								socket: self
							      SSLError: error];
	}

	if (_certificateVerificationEnabled) {
		X509_VERIFY_PARAM *param = SSL_get0_param(_SSL);

		X509_VERIFY_PARAM_set_hostflags(param,
		    X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);

		if (X509_VERIFY_PARAM_set1_host(param,
		    host.UTF8String, host.UTF8StringLength) != 1) {








|








278
279
280
281
282
283
284
285
286
287
288
289
290
291
292


		@throw [SSLConnectionFailedException exceptionWithHost: host
								  port: port
								socket: self
							      SSLError: error];
	}

	if (_verifiesCertificates) {
		X509_VERIFY_PARAM *param = SSL_get0_param(_SSL);

		X509_VERIFY_PARAM_set_hostflags(param,
		    X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);

		if (X509_VERIFY_PARAM_set1_host(param,
		    host.UTF8String, host.UTF8StringLength) != 1) {

376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421

		      port: (uint16_t)port
	       runLoopMode: (of_run_loop_mode_t)runLoopMode
		     block: (of_tcp_socket_async_connect_block_t)block
{
	[super asyncConnectToHost: host
			     port: port
		      runLoopMode: runLoopMode
			    block: ^ (OFTCPSocket *sock_, id exception) {
		SSLSocket *sock = (SSLSocket *)sock_;

		if (exception == nil) {
			@try {
				[sock SSL_startTLSWithExpectedHost: host
							      port: port];
			} @catch (id e) {
				block(sock, e);
				return;
			}
		}

		block(sock, exception);
	}];
}
#endif

- (instancetype)accept
{
	SSLSocket *client = (SSLSocket *)[super accept];
	of_string_encoding_t encoding;

	if ((client->_SSL = SSL_new(ctx)) == NULL ||
	    !SSL_set_fd(client->_SSL, client->_socket)) {
		[client SSL_super_close];
		/* FIXME: Get a proper errno */
		@throw [OFAcceptFailedException exceptionWithSocket: self
							      errNo: 0];
	}

	if (_requestClientCertificatesEnabled)
		SSL_set_verify(client->_SSL, SSL_VERIFY_PEER, NULL);

	SSL_set_accept_state(client->_SSL);

	encoding = [OFLocale encoding];

	if (!SSL_use_PrivateKey_file(client->_SSL, [_privateKeyFile








|
<
<


|


|




|

















|








375
376
377
378
379
380
381
382


383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418

		      port: (uint16_t)port
	       runLoopMode: (of_run_loop_mode_t)runLoopMode
		     block: (of_tcp_socket_async_connect_block_t)block
{
	[super asyncConnectToHost: host
			     port: port
		      runLoopMode: runLoopMode
			    block: ^ (id exception) {


		if (exception == nil) {
			@try {
				[self SSL_startTLSWithExpectedHost: host
							      port: port];
			} @catch (id e) {
				block(e);
				return;
			}
		}

		block(exception);
	}];
}
#endif

- (instancetype)accept
{
	SSLSocket *client = (SSLSocket *)[super accept];
	of_string_encoding_t encoding;

	if ((client->_SSL = SSL_new(ctx)) == NULL ||
	    !SSL_set_fd(client->_SSL, client->_socket)) {
		[client SSL_super_close];
		/* FIXME: Get a proper errno */
		@throw [OFAcceptFailedException exceptionWithSocket: self
							      errNo: 0];
	}

	if (_requestsClientCertificates)
		SSL_set_verify(client->_SSL, SSL_VERIFY_PEER, NULL);

	SSL_set_accept_state(client->_SSL);

	encoding = [OFLocale encoding];

	if (!SSL_use_PrivateKey_file(client->_SSL, [_privateKeyFile