1 /* $OpenBSD: tls_client.c,v 1.32 2015/10/09 04:13:34 deraadt Exp $ */
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <arpa/inet.h>
22 #include <netinet/in.h>
28 #include <openssl/err.h>
29 #include <openssl/x509.h>
32 #include "tls_internal.h"
39 if ((ctx = tls_new()) == NULL)
42 ctx->flags |= TLS_CLIENT;
48 tls_connect(struct tls *ctx, const char *host, const char *port)
50 return tls_connect_servername(ctx, host, port, NULL);
54 tls_connect_servername(struct tls *ctx, const char *host, const char *port,
55 const char *servername)
57 struct addrinfo hints, *res, *res0;
58 const char *h = NULL, *p = NULL;
59 char *hs = NULL, *ps = NULL;
60 int rv = -1, s = -1, ret;
62 if ((ctx->flags & TLS_CLIENT) == 0) {
63 tls_set_errorx(ctx, "not a client context");
68 tls_set_errorx(ctx, "host not specified");
73 * If port is NULL try to extract a port from the specified host,
74 * otherwise use the default.
76 if ((p = (char *)port) == NULL) {
77 ret = tls_host_port(host, &hs, &ps);
79 tls_set_errorx(ctx, "memory allocation failure");
83 tls_set_errorx(ctx, "no port provided");
88 h = (hs != NULL) ? hs : host;
89 p = (ps != NULL) ? ps : port;
92 * First check if the host is specified as a numeric IP address,
93 * either IPv4 or IPv6, before trying to resolve the host.
94 * The AI_ADDRCONFIG resolver option will not return IPv4 or IPv6
95 * records if it is not configured on an interface; not considering
96 * loopback addresses. Checking the numeric addresses first makes
97 * sure that connection attempts to numeric addresses and especially
98 * 127.0.0.1 or ::1 loopback addresses are always possible.
100 memset(&hints, 0, sizeof(hints));
101 hints.ai_socktype = SOCK_STREAM;
103 /* try as an IPv4 literal */
104 hints.ai_family = AF_INET;
105 hints.ai_flags = AI_NUMERICHOST;
106 if (getaddrinfo(h, p, &hints, &res0) != 0) {
107 /* try again as an IPv6 literal */
108 hints.ai_family = AF_INET6;
109 if (getaddrinfo(h, p, &hints, &res0) != 0) {
110 /* last try, with name resolution and save the error */
111 hints.ai_family = AF_UNSPEC;
112 hints.ai_flags = AI_ADDRCONFIG;
113 if ((s = getaddrinfo(h, p, &hints, &res0)) != 0) {
114 tls_set_error(ctx, "%s", gai_strerror(s));
120 /* It was resolved somehow; now try connecting to what we got */
122 for (res = res0; res; res = res->ai_next) {
123 s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
125 tls_set_error(ctx, "socket");
128 if (connect(s, res->ai_addr, res->ai_addrlen) == -1) {
129 tls_set_error(ctx, "connect");
135 break; /* Connected. */
142 if (servername == NULL)
145 if (tls_connect_socket(ctx, s, servername) != 0) {
162 tls_connect_socket(struct tls *ctx, int s, const char *servername)
164 return tls_connect_fds(ctx, s, s, servername);
168 tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
169 const char *servername)
171 union tls_addr addrbuf;
174 if ((ctx->flags & TLS_CLIENT) == 0) {
175 tls_set_errorx(ctx, "not a client context");
179 if (fd_read < 0 || fd_write < 0) {
180 tls_set_errorx(ctx, "invalid file descriptors");
184 if (servername != NULL) {
185 if ((ctx->servername = strdup(servername)) == NULL) {
186 tls_set_errorx(ctx, "out of memory");
191 if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
192 tls_set_errorx(ctx, "ssl context failure");
196 if (tls_configure_ssl(ctx) != 0)
198 if (tls_configure_keypair(ctx, ctx->ssl_ctx, ctx->config->keypair, 0) != 0)
201 if (ctx->config->verify_name) {
202 if (servername == NULL) {
203 tls_set_errorx(ctx, "server name not specified");
208 if (ctx->config->verify_cert &&
209 (tls_configure_ssl_verify(ctx, SSL_VERIFY_PEER) == -1))
212 if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
213 tls_set_errorx(ctx, "ssl connection failure");
216 if (SSL_set_app_data(ctx->ssl_conn, ctx) != 1) {
217 tls_set_errorx(ctx, "ssl application data failure");
220 if (SSL_set_rfd(ctx->ssl_conn, fd_read) != 1 ||
221 SSL_set_wfd(ctx->ssl_conn, fd_write) != 1) {
222 tls_set_errorx(ctx, "ssl file descriptor failure");
227 * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not
228 * permitted in "HostName".
230 if (servername != NULL &&
231 inet_pton(AF_INET, servername, &addrbuf) != 1 &&
232 inet_pton(AF_INET6, servername, &addrbuf) != 1) {
233 if (SSL_set_tlsext_host_name(ctx->ssl_conn, servername) == 0) {
234 tls_set_errorx(ctx, "server name indication failure");
246 tls_handshake_client(struct tls *ctx)
252 if ((ctx->flags & TLS_CLIENT) == 0) {
253 tls_set_errorx(ctx, "not a client context");
258 if ((ssl_ret = SSL_connect(ctx->ssl_conn)) != 1) {
259 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake");
263 if (ctx->config->verify_name) {
264 cert = SSL_get_peer_certificate(ctx->ssl_conn);
266 tls_set_errorx(ctx, "no server certificate");
269 if ((rv = tls_check_name(ctx, cert,
270 ctx->servername)) != 0) {
272 tls_set_errorx(ctx, "name `%s' not present in"
273 " server certificate", ctx->servername);
278 ctx->state |= TLS_HANDSHAKE_COMPLETE;