preprocessor cleanup: __lint
[unleashed/tickless.git] / lib / libtls / tls_client.c
bloba1e2caa71780972a9cb5cbb9cadaaf85b7e7d674
1 /* $OpenBSD: tls_client.c,v 1.40 2017/01/26 12:56:37 jsing Exp $ */
2 /*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <arpa/inet.h>
22 #include <netinet/in.h>
24 #include <netdb.h>
25 #include <stdlib.h>
26 #include <unistd.h>
28 #include <openssl/err.h>
29 #include <openssl/x509.h>
31 #include <tls.h>
32 #include "tls_internal.h"
34 struct tls *
35 tls_client(void)
37 struct tls *ctx;
39 if ((ctx = tls_new()) == NULL)
40 return (NULL);
42 ctx->flags |= TLS_CLIENT;
44 return (ctx);
47 int
48 tls_connect(struct tls *ctx, const char *host, const char *port)
50 return tls_connect_servername(ctx, host, port, NULL);
53 int
54 tls_connect_servername(struct tls *ctx, const char *host, const char *port,
55 const char *servername)
57 struct addrinfo hints, *res, *res0;
58 const char *h = NULL, *p = NULL;
59 char *hs = NULL, *ps = NULL;
60 int rv = -1, s = -1, ret;
62 if ((ctx->flags & TLS_CLIENT) == 0) {
63 tls_set_errorx(ctx, "not a client context");
64 goto err;
67 if (host == NULL) {
68 tls_set_errorx(ctx, "host not specified");
69 goto err;
73 * If port is NULL try to extract a port from the specified host,
74 * otherwise use the default.
76 if ((p = (char *)port) == NULL) {
77 ret = tls_host_port(host, &hs, &ps);
78 if (ret == -1) {
79 tls_set_errorx(ctx, "memory allocation failure");
80 goto err;
82 if (ret != 0) {
83 tls_set_errorx(ctx, "no port provided");
84 goto err;
88 h = (hs != NULL) ? hs : host;
89 p = (ps != NULL) ? ps : port;
92 * First check if the host is specified as a numeric IP address,
93 * either IPv4 or IPv6, before trying to resolve the host.
94 * The AI_ADDRCONFIG resolver option will not return IPv4 or IPv6
95 * records if it is not configured on an interface; not considering
96 * loopback addresses. Checking the numeric addresses first makes
97 * sure that connection attempts to numeric addresses and especially
98 * 127.0.0.1 or ::1 loopback addresses are always possible.
100 memset(&hints, 0, sizeof(hints));
101 hints.ai_socktype = SOCK_STREAM;
103 /* try as an IPv4 literal */
104 hints.ai_family = AF_INET;
105 hints.ai_flags = AI_NUMERICHOST;
106 if (getaddrinfo(h, p, &hints, &res0) != 0) {
107 /* try again as an IPv6 literal */
108 hints.ai_family = AF_INET6;
109 if (getaddrinfo(h, p, &hints, &res0) != 0) {
110 /* last try, with name resolution and save the error */
111 hints.ai_family = AF_UNSPEC;
112 hints.ai_flags = AI_ADDRCONFIG;
113 if ((s = getaddrinfo(h, p, &hints, &res0)) != 0) {
114 tls_set_error(ctx, "%s", gai_strerror(s));
115 goto err;
120 /* It was resolved somehow; now try connecting to what we got */
121 s = -1;
122 for (res = res0; res; res = res->ai_next) {
123 s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
124 if (s == -1) {
125 tls_set_error(ctx, "socket");
126 continue;
128 if (connect(s, res->ai_addr, res->ai_addrlen) == -1) {
129 tls_set_error(ctx, "connect");
130 close(s);
131 s = -1;
132 continue;
135 break; /* Connected. */
137 freeaddrinfo(res0);
139 if (s == -1)
140 goto err;
142 if (servername == NULL)
143 servername = h;
145 if (tls_connect_socket(ctx, s, servername) != 0) {
146 close(s);
147 goto err;
150 ctx->socket = s;
152 rv = 0;
154 err:
155 free(hs);
156 free(ps);
158 return (rv);
161 static int
162 tls_connect_common(struct tls *ctx, const char *servername)
164 union tls_addr addrbuf;
165 int rv = -1;
167 if ((ctx->flags & TLS_CLIENT) == 0) {
168 tls_set_errorx(ctx, "not a client context");
169 goto err;
172 if (servername != NULL) {
173 if ((ctx->servername = strdup(servername)) == NULL) {
174 tls_set_errorx(ctx, "out of memory");
175 goto err;
179 if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
180 tls_set_errorx(ctx, "ssl context failure");
181 goto err;
184 if (tls_configure_ssl(ctx, ctx->ssl_ctx) != 0)
185 goto err;
187 if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx,
188 ctx->config->keypair, 0) != 0)
189 goto err;
191 if (ctx->config->verify_name) {
192 if (servername == NULL) {
193 tls_set_errorx(ctx, "server name not specified");
194 goto err;
198 if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, SSL_VERIFY_PEER) == -1)
199 goto err;
201 if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 1) {
202 tls_set_errorx(ctx, "ssl OCSP verification setup failure");
203 goto err;
206 if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
207 tls_set_errorx(ctx, "ssl connection failure");
208 goto err;
211 if (SSL_set_app_data(ctx->ssl_conn, ctx) != 1) {
212 tls_set_errorx(ctx, "ssl application data failure");
213 goto err;
216 if (SSL_set_tlsext_status_type(ctx->ssl_conn, TLSEXT_STATUSTYPE_ocsp) != 1) {
217 tls_set_errorx(ctx, "ssl OCSP extension setup failure");
218 goto err;
222 * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not
223 * permitted in "HostName".
225 if (servername != NULL &&
226 inet_pton(AF_INET, servername, &addrbuf) != 1 &&
227 inet_pton(AF_INET6, servername, &addrbuf) != 1) {
228 if (SSL_set_tlsext_host_name(ctx->ssl_conn, servername) == 0) {
229 tls_set_errorx(ctx, "server name indication failure");
230 goto err;
233 rv = 0;
235 err:
236 return (rv);
240 tls_connect_socket(struct tls *ctx, int s, const char *servername)
242 return tls_connect_fds(ctx, s, s, servername);
246 tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
247 const char *servername)
249 int rv = -1;
251 if (fd_read < 0 || fd_write < 0) {
252 tls_set_errorx(ctx, "invalid file descriptors");
253 goto err;
256 if (tls_connect_common(ctx, servername) != 0)
257 goto err;
259 if (SSL_set_rfd(ctx->ssl_conn, fd_read) != 1 ||
260 SSL_set_wfd(ctx->ssl_conn, fd_write) != 1) {
261 tls_set_errorx(ctx, "ssl file descriptor failure");
262 goto err;
265 rv = 0;
266 err:
267 return (rv);
271 tls_connect_cbs(struct tls *ctx, tls_read_cb read_cb,
272 tls_write_cb write_cb, void *cb_arg, const char *servername)
274 int rv = -1;
276 if (tls_connect_common(ctx, servername) != 0)
277 goto err;
279 if (tls_set_cbs(ctx, read_cb, write_cb, cb_arg) != 0)
280 goto err;
282 rv = 0;
284 err:
285 return (rv);
289 tls_handshake_client(struct tls *ctx)
291 X509 *cert = NULL;
292 int ssl_ret;
293 int rv = -1;
295 if ((ctx->flags & TLS_CLIENT) == 0) {
296 tls_set_errorx(ctx, "not a client context");
297 goto err;
300 ctx->state |= TLS_SSL_NEEDS_SHUTDOWN;
302 ERR_clear_error();
303 if ((ssl_ret = SSL_connect(ctx->ssl_conn)) != 1) {
304 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake");
305 goto err;
308 if (ctx->config->verify_name) {
309 cert = SSL_get_peer_certificate(ctx->ssl_conn);
310 if (cert == NULL) {
311 tls_set_errorx(ctx, "no server certificate");
312 goto err;
314 if ((rv = tls_check_name(ctx, cert,
315 ctx->servername)) != 0) {
316 if (rv != -2)
317 tls_set_errorx(ctx, "name `%s' not present in"
318 " server certificate", ctx->servername);
319 goto err;
323 ctx->state |= TLS_HANDSHAKE_COMPLETE;
324 rv = 0;
326 err:
327 X509_free(cert);
329 return (rv);