ObjOpenSSL  Check-in [e5b470a14c]

 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#import "SSLSocket.h"
#import "X509Certificate.h"

#import "SSLConnectionFailedException.h"
#import "SSLInvalidCertificateException.h"

	return [[[self alloc] initWithHost: host
				      port: port
				    socket: socket
				  SSLError: SSLError
			      verifyResult: verifyResult] autorelease];
}

- initWithHost: (OFString *)host
	  port: (uint16_t)port
	socket: (id)socket
- (instancetype)initWithHost: (OFString *)host
			port: (uint16_t)port
		      socket: (id)socket
{
	OF_INVALID_INIT_METHOD
}

- initWithHost: (OFString *)host
	  port: (uint16_t)port
	socket: (id)socket
	 errNo: (int)errNo
- (instancetype)initWithHost: (OFString *)host
			port: (uint16_t)port
		      socket: (id)socket
		       errNo: (int)errNo
{
	OF_INVALID_INIT_METHOD
}

- initWithHost: (OFString *)host
	  port: (uint16_t)port
	socket: (SSLSocket *)socket
      SSLError: (unsigned long)SSLError
- (instancetype)initWithHost: (OFString *)host
			port: (uint16_t)port
		      socket: (SSLSocket *)socket
		    SSLError: (unsigned long)SSLError
{
	return [self initWithHost: host
			     port: port
			   socket: socket
			 SSLError: SSLError
		     verifyResult: 0];
}

- initWithHost: (OFString *)host
	  port: (uint16_t)port
	socket: (SSLSocket *)socket
      SSLError: (unsigned long)SSLError
  verifyResult: (long)verifyResult
- (instancetype)initWithHost: (OFString *)host
			port: (uint16_t)port
		      socket: (SSLSocket *)socket
		    SSLError: (unsigned long)SSLError
		verifyResult: (long)verifyResult
{
	self = [super initWithHost: host
	self = [super initWithHost: host port: port socket: socket errNo: 0];
			      port: port
			    socket: socket
			     errNo: 0];

	_SSLError = SSLError;
	_verifyResult = verifyResult;

	return self;
}

	OFString *_reason;
}

@property (readonly, nonatomic) OFString *reason;

+ (instancetype)exception;
+ (instancetype)exceptionWithReason: (OFString *)reason;
- init OF_UNAVAILABLE;
- initWithReason: (OFString *)reason OF_DESIGNATED_INITIALIZER;
- (instancetype)init OF_UNAVAILABLE;
- (instancetype)initWithReason: (OFString *)reason OF_DESIGNATED_INITIALIZER;
@end

OF_ASSUME_NONNULL_END

}

+ (instancetype)exceptionWithReason: (OFString *)reason
{
	return [[[self alloc] initWithReason: reason] autorelease];
}

- init
- (instancetype)init
{
	OF_INVALID_INIT_METHOD
}

- initWithReason: (OFString *)reason
- (instancetype)initWithReason: (OFString *)reason
{
	self = [super init];

	@try {
		_reason = [reason copy];
	} @catch (id e) {
		[self release];

	if (mode & CRYPTO_LOCK)
		of_mutex_lock(&ssl_mutexes[n]);
	else
		of_mutex_unlock(&ssl_mutexes[n]);
}

@interface SSLSocket ()
- (void)SSL_startTLSWithExpectedHost: (OFString *)host
- (void)SSL_startTLSWithExpectedHost: (OFString *)host port: (uint16_t)port;
				port: (uint16_t)port;
- (void)SSL_super_close;
@end

@interface SSLSocket_ConnectDelegate: OFObject <OFTLSSocketDelegate>
{
	SSLSocket *_socket;
	OFString *_host;

	[super dealloc];

	if (SSL_ != NULL)
		SSL_free(SSL_);
}

- (void)SSL_startTLSWithExpectedHost: (OFString *)host
- (void)SSL_startTLSWithExpectedHost: (OFString *)host port: (uint16_t)port
				port: (uint16_t)port
{
	of_string_encoding_t encoding;

	if ((_SSL = SSL_new(ctx)) == NULL || SSL_set_fd(_SSL, _socket) != 1) {
		unsigned long error = ERR_get_error();

		[super close];

				       socket: self
				     SSLError: error];
	}
}

- (void)startTLSWithExpectedHost: (OFString *)host
{
	[self SSL_startTLSWithExpectedHost: host
	[self SSL_startTLSWithExpectedHost: host port: 0];
				      port: 0];
}

- (void)asyncConnectToHost: (OFString *)host
		      port: (uint16_t)port
	       runLoopMode: (of_run_loop_mode_t)runLoopMode
{
	void *pool = objc_autoreleasePoolPush();

	[[[SSLSocket_ConnectDelegate alloc]
	    initWithSocket: self
		      host: host
		      port: port
		  delegate: _delegate] autorelease];
	[super asyncConnectToHost: host
	[super asyncConnectToHost: host port: port runLoopMode: runLoopMode];
			     port: port
		      runLoopMode: runLoopMode];

	objc_autoreleasePoolPop(pool);
}

#ifdef OF_HAVE_BLOCKS
- (void)asyncConnectToHost: (OFString *)host
		      port: (uint16_t)port

}

- (void)SSL_super_close
{
	[super close];
}

- (size_t)lowlevelReadIntoBuffer: (void *)buffer
- (size_t)lowlevelReadIntoBuffer: (void *)buffer length: (size_t)length
			  length: (size_t)length
{
	ssize_t ret;

	/*
	 * There is no SSL session yet. However, it might be necessary to read
	 * from and write to the socket before negotiating an SSL session: For
	 * example, the socket might be connected to a SOCKS5 proxy and needs
	 * to establish a SOCKS5 connection before negotiating an SSL session.
	 */
	if (_SSL == NULL)
		return [super lowlevelReadIntoBuffer: buffer
		return [super lowlevelReadIntoBuffer: buffer length: length];
					      length: length];

	if (length > INT_MAX)
		@throw [OFOutOfRangeException exception];

	if (_socket == INVALID_SOCKET)
		@throw [OFNotOpenException exceptionWithObject: self];

	if (ret == 0)
		_atEndOfStream = true;

	return ret;
}

- (size_t)lowlevelWriteBuffer: (const void *)buffer
- (size_t)lowlevelWriteBuffer: (const void *)buffer length: (size_t)length
		       length: (size_t)length
{
	int bytesWritten;

	/*
	 * There is no SSL session yet. However, it might be necessary to read
	 * from and write to the socket before negotiating an SSL session: For
	 * example, the socket might be connected to a SOCKS5 proxy and needs
	 * to establish a SOCKS5 connection before negotiating an SSL session.
	 *
	 * TODO: Think of a way to make this safer, so that it's impossible to
	 * forget to establish an SSL session and then send unencrypted data by
	 * accident.
	 */
	if (_SSL == NULL)
		return [super lowlevelWriteBuffer: buffer
		return [super lowlevelWriteBuffer: buffer length: length];
					   length: length];

	if (_socket == INVALID_SOCKET)
		@throw [OFNotOpenException exceptionWithObject: self];

	if (length > INT_MAX)
		@throw [OFOutOfRangeException exception];

		 */
		length = SSL_get_finished(_SSL, buffer, 64);
	} else {
		/* peer sent the finished message */
		length = SSL_get_peer_finished(_SSL, buffer, 64);
	}

	return [OFData dataWithItems: buffer
	return [OFData dataWithItems: buffer count: length];
			       count: length];
}

- (X509Certificate *)peerCertificate
{
	X509 *certificate = SSL_get_peer_certificate(_SSL);

	if (certificate == NULL)

@class OFDictionary;

@interface X509OID: OFObject <OFCopying>
{
	OFString *_string;
}

- init OF_UNAVAILABLE;
- initWithUTF8String: (const char *)string OF_DESIGNATED_INITIALIZER;
- (instancetype)init OF_UNAVAILABLE;
- (instancetype)initWithUTF8String: (const char *)string
    OF_DESIGNATED_INITIALIZER;
@end

@interface X509Certificate: OFObject
{
	X509 *_certificate;
	OFDictionary *_issuer;
	OFDictionary *_subject;
	OFDictionary *_subjectAlternativeName;
}

@property (readonly, nonatomic) OFDictionary *issuer;
@property (readonly, nonatomic) OFDictionary *subject;
@property (readonly, nonatomic) OFDictionary *subjectAlternativeName;

- init OF_UNAVAILABLE;
- initWithFile: (OFString *)file;
- initWithX509Struct: (X509 *)cert;
- (instancetype)init OF_UNAVAILABLE;
- (instancetype)initWithFile: (OFString *)file;
- (instancetype)initWithX509Struct: (X509 *)cert;
- (bool)hasCommonNameMatchingDomain: (OFString *)domain;
- (bool)hasDNSNameMatchingDomain: (OFString *)domain;
- (bool)hasSRVNameMatchingDomain: (OFString *)domain
			 service: (OFString *)service;
@end

OF_ASSUME_NONNULL_END

- (X509OID *)X509_stringFromASN1Object: (ASN1_OBJECT *)obj;
- (OFString *)X509_stringFromASN1String: (ASN1_STRING *)str;
@end

OF_ASSUME_NONNULL_END

@implementation X509Certificate
- init
- (instancetype)init
{
	OF_INVALID_INIT_METHOD
}

- initWithFile: (OFString *)path
- (instancetype)initWithFile: (OFString *)path
{
	self = [super init];

	@try {
		void *pool = objc_autoreleasePoolPush();
		OFData *data = [OFData dataWithContentsOfFile: path];
		const unsigned char *dataItems = data.items;

		[self release];
		@throw e;
	}

	return self;
}

- initWithX509Struct: (X509 *)certificate
- (instancetype)initWithX509Struct: (X509 *)certificate
{
	self = [super init];

	@try {
		_certificate = X509_dup(certificate);
		if (_certificate == NULL)
			@throw [OFInitializationFailedException

				}

				key = [self X509_stringFromASN1Object:
					otherName->type_id];
				list = [types objectForKey: key];
				if (list == nil) {
					list = [OFList list];
					[types setObject: list
					[types setObject: list forKey: key];
						  forKey: key];
				}

				[list appendObject:
				    [self X509_stringFromASN1String:
					otherName->value->value.asn1_string]];
				break;
			case GEN_EMAIL:

	return ret;
}

- (bool)hasCommonNameMatchingDomain: (OFString *)domain
{
	void *pool = objc_autoreleasePoolPush();

	for (OFString *name in [[self subject] objectForKey: OID_commonName]) {
		if ([self X509_isAssertedDomain: name
	for (OFString *name in [self.subject objectForKey: OID_commonName]) {
		if ([self X509_isAssertedDomain: name equalDomain: domain]) {
				    equalDomain: domain]) {
			objc_autoreleasePoolPop(pool);
			return true;
		}
	}

	objc_autoreleasePoolPop(pool);
	return false;
}

- (bool)hasDNSNameMatchingDomain: (OFString *)domain
{
	void *pool = objc_autoreleasePoolPush();

	for (OFString *name in
	    [[self subjectAlternativeName] objectForKey: @"dNSName"]) {
		if ([self X509_isAssertedDomain: name
	    [self.subjectAlternativeName objectForKey: @"dNSName"]) {
		if ([self X509_isAssertedDomain: name equalDomain: domain]) {
				    equalDomain: domain]) {
			objc_autoreleasePoolPop(pool);
			return true;
		}
	}

	objc_autoreleasePoolPop(pool);
	return false;
}

- (bool)hasSRVNameMatchingDomain: (OFString *)domain
			 service: (OFString *)service
{
	size_t serviceLength;
	void *pool = objc_autoreleasePoolPush();
	OFDictionary *SANs = self.subjectAlternativeName;
	OFList *assertedNames = [[SANs objectForKey: @"otherName"]
				       objectForKey: OID_SRVName];
	    objectForKey: OID_SRVName];

	if (![service hasPrefix: @"_"])
		service = [service stringByPrependingString: @"_"];

	service = [service stringByAppendingString: @"."];
	serviceLength = service.length;

	firstDot = [domain rangeOfString: @"."].location;
	if (firstDot == OF_NOT_FOUND)
		return false;

	domain = [domain substringWithRange:
	    of_range(firstDot + 1, domain.length - firstDot - 1)];

	if (![asserted caseInsensitiveCompare: domain])
	if ([asserted caseInsensitiveCompare: domain] == 0)
		return true;

	return false;
}

- (OFDictionary *)X509_dictionaryFromX509Name: (X509_NAME *)name
{
	OFMutableDictionary *dict = [OFMutableDictionary dictionary];
	int i, count = X509_NAME_entry_count(name);

	for (i = 0; i < count; i++) {
		void *pool = objc_autoreleasePoolPush();
		X509OID *key;
		OFString *value;
		X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, i);
		ASN1_OBJECT *obj = X509_NAME_ENTRY_get_object(entry);
		ASN1_STRING *str = X509_NAME_ENTRY_get_data(entry);
		key = [self X509_stringFromASN1Object: obj];

		if ([dict objectForKey: key] == nil)
			[dict setObject: [OFList list]
			[dict setObject: [OFList list] forKey: key];
				 forKey: key];

		value = [self X509_stringFromASN1String: str];
		[[dict objectForKey: key] appendObject: value];

		objc_autoreleasePoolPop(pool);
	}

	}

	return ret;
}
@end

@implementation X509OID
- init
- (instancetype)init
{
	OF_INVALID_INIT_METHOD
}

- initWithUTF8String: (const char *)string
- (instancetype)initWithUTF8String: (const char *)string
{
	self = [super init];

	@try {
		_string = [[OFString alloc] initWithUTF8String: string];
	} @catch (id e) {
		[self release];

}

- (unsigned long)hash
{
	return _string.hash;
}

- copy
- (id)copy
{
	return [self retain];
}
@end