/*
* Copyright (c) 2008-2024 Jonathan Schleifer <js@nil.im>
*
* All rights reserved.
*
* This file is part of ObjFW. It may be distributed under the terms of the
* Q Public License 1.0, which can be found in the file LICENSE.QPL included in
* the packaging of this file.
*
* Alternatively, it may be distributed under the terms of the GNU General
* Public License, either version 2 or 3, which can be found in the file
* LICENSE.GPLv2 or LICENSE.GPLv3 respectively included in the packaging of this
* file.
*/
#include "config.h"
#include <errno.h>
#import "OFSecureTransportTLSStream.h"
#import "OFStream+Private.h"
#import "OFAlreadyOpenException.h"
#import "OFNotOpenException.h"
#import "OFReadFailedException.h"
#import "OFTLSHandshakeFailedException.h"
#import "OFWriteFailedException.h"
int _ObjFWTLS_reference;
static OSStatus
readFunc(SSLConnectionRef connection, void *data, size_t *dataLength)
{
bool incomplete;
size_t length;
@try {
length = [((OFTLSStream *)connection).underlyingStream
readIntoBuffer: data
length: *dataLength];
} @catch (OFReadFailedException *e) {
if (e.errNo == EWOULDBLOCK || e.errNo == EAGAIN) {
*dataLength = 0;
return errSSLWouldBlock;
}
@throw e;
}
incomplete = (length < *dataLength);
*dataLength = length;
return (incomplete ? errSSLWouldBlock : noErr);
}
static OSStatus
writeFunc(SSLConnectionRef connection, const void *data, size_t *dataLength)
{
@try {
[((OFTLSStream *)connection).underlyingStream
writeBuffer: data
length: *dataLength];
} @catch (OFWriteFailedException *e) {
*dataLength = e.bytesWritten;
if (e.errNo == EWOULDBLOCK || e.errNo == EAGAIN)
return errSSLWouldBlock;
@throw e;
}
return noErr;
}
/*
* Apple deprecated Secure Transport without providing a replacement that can
* work with any socket. On top of that, their replacement, Network.framework,
* doesn't support STARTTLS at all.
*/
#if OF_GCC_VERSION >= 402
# pragma GCC diagnostic ignored "-Wdeprecated"
#endif
@implementation OFSecureTransportTLSStream
+ (void)load
{
if (OFTLSStreamImplementation == Nil)
OFTLSStreamImplementation = self;
}
- (instancetype)initWithStream: (OFStream <OFReadyForReadingObserving,
OFReadyForWritingObserving> *)stream
{
self = [super initWithStream: stream];
@try {
_underlyingStream.delegate = self;
} @catch (id e) {
[self release];
@throw e;
}
return self;
}
- (void)dealloc
{
if (_context != NULL)
[self close];
[_host release];
[super dealloc];
}
- (void)close
{
if (_context == NULL)
@throw [OFNotOpenException exceptionWithObject: self];
[_host release];
_host = nil;
SSLClose(_context);
#ifdef HAVE_SSLCREATECONTEXT
CFRelease(_context);
#else
SSLDisposeContext(_context);
#endif
_context = NULL;
[super close];
}
- (size_t)lowlevelReadIntoBuffer: (void *)buffer length: (size_t)length
{
OSStatus status;
size_t ret;
if (_context == NULL)
@throw [OFNotOpenException exceptionWithObject: self];
status = SSLRead(_context, buffer, length, &ret);
if (status != noErr && status != errSSLWouldBlock)
/* FIXME: Translate status to errNo */
@throw [OFReadFailedException exceptionWithObject: self
requestedLength: length
errNo: 0];
return ret;
}
- (size_t)lowlevelWriteBuffer: (const void *)buffer length: (size_t)length
{
OSStatus status;
size_t bytesWritten = 0;
if (_context == NULL)
@throw [OFNotOpenException exceptionWithObject: self];
status = SSLWrite(_context, buffer, length, &bytesWritten);
if (status != noErr && status != errSSLWouldBlock)
/* FIXME: Translate status to errNo */
@throw [OFWriteFailedException exceptionWithObject: self
requestedLength: length
bytesWritten: bytesWritten
errNo: 0];
return bytesWritten;
}
- (bool)hasDataInReadBuffer
{
size_t bufferSize;
if (SSLGetBufferedReadSize(_context, &bufferSize) == noErr &&
bufferSize > 0)
return true;
return super.hasDataInReadBuffer;
}
- (bool)of_isWaitingForDelimiter
{
size_t bufferSize;
/* FIXME: There should be a non-private API for this. */
/*
* If we still have pending data in the context, we haven't processed
* it yet to see if our delimiter is in there. So return false here, as
* that will signal the stream as ready for reading, which in turn will
* cause a read and checking for the delimiter.
*/
if (SSLGetBufferedReadSize(_context, &bufferSize) == noErr &&
bufferSize > 0)
return false;
return super.of_waitingForDelimiter;
}
- (void)asyncPerformClientHandshakeWithHost: (OFString *)host
runLoopMode: (OFRunLoopMode)runLoopMode
{
static const OFTLSStreamErrorCode initFailedErrorCode =
OFTLSStreamErrorCodeInitializationFailed;
id exception = nil;
OSStatus status;
if (_context != NULL)
@throw [OFAlreadyOpenException exceptionWithObject: self];
#ifdef HAVE_SSLCREATECONTEXT
if ((_context = SSLCreateContext(kCFAllocatorDefault, kSSLClientSide,
kSSLStreamType)) == NULL)
#else
if (SSLNewContext(false, &_context) != noErr)
#endif
@throw [OFTLSHandshakeFailedException
exceptionWithStream: self
host: host
errorCode: initFailedErrorCode];
if (SSLSetIOFuncs(_context, readFunc, writeFunc) != noErr ||
SSLSetConnection(_context, self) != noErr)
@throw [OFTLSHandshakeFailedException
exceptionWithStream: self
host: host
errorCode: initFailedErrorCode];
_host = [host copy];
if (_verifiesCertificates)
if (SSLSetPeerDomainName(_context,
_host.UTF8String, _host.UTF8StringLength) != noErr)
@throw [OFTLSHandshakeFailedException
exceptionWithStream: self
host: _host
errorCode: initFailedErrorCode];
status = SSLHandshake(_context);
if (status == errSSLWouldBlock) {
/*
* Theoretically it is possible we block because Secure
* Transport cannot write without blocking. But unfortunately,
* Secure Transport does not tell us whether it's blocked on
* reading or writing. Waiting for the stream to be either
* readable or writable doesn't work either, as the stream is
* almost always at least ready for one of the two.
*/
[_underlyingStream asyncReadIntoBuffer: (void *)""
length: 0
runLoopMode: runLoopMode];
[_delegate retain];
return;
}
if (status != noErr)
/* FIXME: Map to better errors */
exception = [OFTLSHandshakeFailedException
exceptionWithStream: self
host: _host
errorCode: OFTLSStreamErrorCodeUnknown];
if ([_delegate respondsToSelector:
@selector(stream:didPerformClientHandshakeWithHost:exception:)])
[_delegate stream: self
didPerformClientHandshakeWithHost: _host
exception: exception];
}
- (bool)stream: (OFStream *)stream
didReadIntoBuffer: (void *)buffer
length: (size_t)length
exception: (nullable id)exception
{
if (exception == nil) {
OSStatus status = SSLHandshake(_context);
if (status == errSSLWouldBlock)
return true;
if (status != noErr)
exception = [OFTLSHandshakeFailedException
exceptionWithStream: self
host: _host
errorCode: OFTLSStreamErrorCodeUnknown];
}
if ([_delegate respondsToSelector:
@selector(stream:didPerformClientHandshakeWithHost:exception:)])
[_delegate stream: self
didPerformClientHandshakeWithHost: _host
exception: exception];
[_delegate release];
return false;
}
@end