Update libressl README.DRAGONFLY for v2.4.4
[dragonfly.git] / crypto / libressl / tls / tls_client.c
CommitLineData
f5b1c8a1
JM
1/* $OpenBSD: tls_client.c,v 1.32 2015/10/09 04:13:34 deraadt Exp $ */
2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <sys/types.h>
19#include <sys/socket.h>
20
21#include <arpa/inet.h>
22#include <netinet/in.h>
23
24#include <netdb.h>
25#include <stdlib.h>
26#include <unistd.h>
27
28#include <openssl/err.h>
29#include <openssl/x509.h>
30
31#include <tls.h>
32#include "tls_internal.h"
33
34struct tls *
35tls_client(void)
36{
37 struct tls *ctx;
38
39 if ((ctx = tls_new()) == NULL)
40 return (NULL);
41
42 ctx->flags |= TLS_CLIENT;
43
44 return (ctx);
45}
46
47int
48tls_connect(struct tls *ctx, const char *host, const char *port)
49{
50 return tls_connect_servername(ctx, host, port, NULL);
51}
52
53int
54tls_connect_servername(struct tls *ctx, const char *host, const char *port,
55 const char *servername)
56{
57 struct addrinfo hints, *res, *res0;
58 const char *h = NULL, *p = NULL;
59 char *hs = NULL, *ps = NULL;
60 int rv = -1, s = -1, ret;
61
62 if ((ctx->flags & TLS_CLIENT) == 0) {
63 tls_set_errorx(ctx, "not a client context");
64 goto err;
65 }
66
67 if (host == NULL) {
68 tls_set_errorx(ctx, "host not specified");
69 goto err;
70 }
71
72 /*
73 * If port is NULL try to extract a port from the specified host,
74 * otherwise use the default.
75 */
76 if ((p = (char *)port) == NULL) {
77 ret = tls_host_port(host, &hs, &ps);
78 if (ret == -1) {
79 tls_set_errorx(ctx, "memory allocation failure");
80 goto err;
81 }
82 if (ret != 0) {
83 tls_set_errorx(ctx, "no port provided");
84 goto err;
85 }
86 }
87
88 h = (hs != NULL) ? hs : host;
89 p = (ps != NULL) ? ps : port;
90
91 /*
92 * First check if the host is specified as a numeric IP address,
93 * either IPv4 or IPv6, before trying to resolve the host.
94 * The AI_ADDRCONFIG resolver option will not return IPv4 or IPv6
95 * records if it is not configured on an interface; not considering
96 * loopback addresses. Checking the numeric addresses first makes
97 * sure that connection attempts to numeric addresses and especially
98 * 127.0.0.1 or ::1 loopback addresses are always possible.
99 */
100 memset(&hints, 0, sizeof(hints));
101 hints.ai_socktype = SOCK_STREAM;
102
103 /* try as an IPv4 literal */
104 hints.ai_family = AF_INET;
105 hints.ai_flags = AI_NUMERICHOST;
106 if (getaddrinfo(h, p, &hints, &res0) != 0) {
107 /* try again as an IPv6 literal */
108 hints.ai_family = AF_INET6;
109 if (getaddrinfo(h, p, &hints, &res0) != 0) {
110 /* last try, with name resolution and save the error */
111 hints.ai_family = AF_UNSPEC;
112 hints.ai_flags = AI_ADDRCONFIG;
113 if ((s = getaddrinfo(h, p, &hints, &res0)) != 0) {
114 tls_set_error(ctx, "%s", gai_strerror(s));
115 goto err;
116 }
117 }
118 }
119
120 /* It was resolved somehow; now try connecting to what we got */
121 s = -1;
122 for (res = res0; res; res = res->ai_next) {
123 s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
124 if (s == -1) {
125 tls_set_error(ctx, "socket");
126 continue;
127 }
128 if (connect(s, res->ai_addr, res->ai_addrlen) == -1) {
129 tls_set_error(ctx, "connect");
130 close(s);
131 s = -1;
132 continue;
133 }
134
135 break; /* Connected. */
136 }
137 freeaddrinfo(res0);
138
139 if (s == -1)
140 goto err;
141
142 if (servername == NULL)
143 servername = h;
144
145 if (tls_connect_socket(ctx, s, servername) != 0) {
146 close(s);
147 goto err;
148 }
149
150 ctx->socket = s;
151
152 rv = 0;
153
154 err:
155 free(hs);
156 free(ps);
157
158 return (rv);
159}
160
161int
162tls_connect_socket(struct tls *ctx, int s, const char *servername)
163{
164 return tls_connect_fds(ctx, s, s, servername);
165}
166
167int
168tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
169 const char *servername)
170{
171 union tls_addr addrbuf;
172 int rv = -1;
173
174 if ((ctx->flags & TLS_CLIENT) == 0) {
175 tls_set_errorx(ctx, "not a client context");
176 goto err;
177 }
178
179 if (fd_read < 0 || fd_write < 0) {
180 tls_set_errorx(ctx, "invalid file descriptors");
181 goto err;
182 }
183
184 if (servername != NULL) {
185 if ((ctx->servername = strdup(servername)) == NULL) {
186 tls_set_errorx(ctx, "out of memory");
187 goto err;
188 }
189 }
190
191 if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
192 tls_set_errorx(ctx, "ssl context failure");
193 goto err;
194 }
195
196 if (tls_configure_ssl(ctx) != 0)
197 goto err;
198 if (tls_configure_keypair(ctx, ctx->ssl_ctx, ctx->config->keypair, 0) != 0)
199 goto err;
200
201 if (ctx->config->verify_name) {
202 if (servername == NULL) {
203 tls_set_errorx(ctx, "server name not specified");
204 goto err;
205 }
206 }
207
208 if (ctx->config->verify_cert &&
209 (tls_configure_ssl_verify(ctx, SSL_VERIFY_PEER) == -1))
210 goto err;
211
212 if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
213 tls_set_errorx(ctx, "ssl connection failure");
214 goto err;
215 }
216 if (SSL_set_app_data(ctx->ssl_conn, ctx) != 1) {
217 tls_set_errorx(ctx, "ssl application data failure");
218 goto err;
219 }
220 if (SSL_set_rfd(ctx->ssl_conn, fd_read) != 1 ||
221 SSL_set_wfd(ctx->ssl_conn, fd_write) != 1) {
222 tls_set_errorx(ctx, "ssl file descriptor failure");
223 goto err;
224 }
225
226 /*
227 * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not
228 * permitted in "HostName".
229 */
230 if (servername != NULL &&
231 inet_pton(AF_INET, servername, &addrbuf) != 1 &&
232 inet_pton(AF_INET6, servername, &addrbuf) != 1) {
233 if (SSL_set_tlsext_host_name(ctx->ssl_conn, servername) == 0) {
234 tls_set_errorx(ctx, "server name indication failure");
235 goto err;
236 }
237 }
238
239 rv = 0;
240
241 err:
242 return (rv);
243}
244
245int
246tls_handshake_client(struct tls *ctx)
247{
248 X509 *cert = NULL;
249 int ssl_ret;
250 int rv = -1;
251
252 if ((ctx->flags & TLS_CLIENT) == 0) {
253 tls_set_errorx(ctx, "not a client context");
254 goto err;
255 }
256
257 ERR_clear_error();
258 if ((ssl_ret = SSL_connect(ctx->ssl_conn)) != 1) {
259 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake");
260 goto err;
261 }
262
263 if (ctx->config->verify_name) {
264 cert = SSL_get_peer_certificate(ctx->ssl_conn);
265 if (cert == NULL) {
266 tls_set_errorx(ctx, "no server certificate");
267 goto err;
268 }
269 if ((rv = tls_check_name(ctx, cert,
270 ctx->servername)) != 0) {
271 if (rv != -2)
272 tls_set_errorx(ctx, "name `%s' not present in"
273 " server certificate", ctx->servername);
274 goto err;
275 }
276 }
277
278 ctx->state |= TLS_HANDSHAKE_COMPLETE;
279 rv = 0;
280
281 err:
282 X509_free(cert);
283
284 return (rv);
285}