1 /* $OpenBSD: tls_client.c,v 1.43 2017/08/10 18:18:30 jsing Exp $ */ 2 /* 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <sys/types.h> 19 #include <sys/socket.h> 20 21 #include <arpa/inet.h> 22 #include <netinet/in.h> 23 24 #include <netdb.h> 25 #include <stdlib.h> 26 #include <unistd.h> 27 28 #include <openssl/err.h> 29 #include <openssl/x509.h> 30 31 #include <tls.h> 32 #include "tls_internal.h" 33 34 struct tls * 35 tls_client(void) 36 { 37 struct tls *ctx; 38 39 if ((ctx = tls_new()) == NULL) 40 return (NULL); 41 42 ctx->flags |= TLS_CLIENT; 43 44 return (ctx); 45 } 46 47 int 48 tls_connect(struct tls *ctx, const char *host, const char *port) 49 { 50 return tls_connect_servername(ctx, host, port, NULL); 51 } 52 53 int 54 tls_connect_servername(struct tls *ctx, const char *host, const char *port, 55 const char *servername) 56 { 57 struct addrinfo hints, *res, *res0; 58 const char *h = NULL, *p = NULL; 59 char *hs = NULL, *ps = NULL; 60 int rv = -1, s = -1, ret; 61 62 if ((ctx->flags & TLS_CLIENT) == 0) { 63 tls_set_errorx(ctx, "not a client context"); 64 goto err; 65 } 66 67 if (host == NULL) { 68 tls_set_errorx(ctx, "host not specified"); 69 goto err; 70 } 71 72 /* 73 * If port is NULL try to extract a port from the specified host, 74 * otherwise use the default. 75 */ 76 if ((p = (char *)port) == NULL) { 77 ret = tls_host_port(host, &hs, &ps); 78 if (ret == -1) { 79 tls_set_errorx(ctx, "memory allocation failure"); 80 goto err; 81 } 82 if (ret != 0) { 83 tls_set_errorx(ctx, "no port provided"); 84 goto err; 85 } 86 } 87 88 h = (hs != NULL) ? hs : host; 89 p = (ps != NULL) ? ps : port; 90 91 /* 92 * First check if the host is specified as a numeric IP address, 93 * either IPv4 or IPv6, before trying to resolve the host. 94 * The AI_ADDRCONFIG resolver option will not return IPv4 or IPv6 95 * records if it is not configured on an interface; not considering 96 * loopback addresses. Checking the numeric addresses first makes 97 * sure that connection attempts to numeric addresses and especially 98 * 127.0.0.1 or ::1 loopback addresses are always possible. 99 */ 100 memset(&hints, 0, sizeof(hints)); 101 hints.ai_socktype = SOCK_STREAM; 102 103 /* try as an IPv4 literal */ 104 hints.ai_family = AF_INET; 105 hints.ai_flags = AI_NUMERICHOST; 106 if (getaddrinfo(h, p, &hints, &res0) != 0) { 107 /* try again as an IPv6 literal */ 108 hints.ai_family = AF_INET6; 109 if (getaddrinfo(h, p, &hints, &res0) != 0) { 110 /* last try, with name resolution and save the error */ 111 hints.ai_family = AF_UNSPEC; 112 hints.ai_flags = AI_ADDRCONFIG; 113 if ((s = getaddrinfo(h, p, &hints, &res0)) != 0) { 114 tls_set_error(ctx, "%s", gai_strerror(s)); 115 goto err; 116 } 117 } 118 } 119 120 /* It was resolved somehow; now try connecting to what we got */ 121 s = -1; 122 for (res = res0; res; res = res->ai_next) { 123 s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); 124 if (s == -1) { 125 tls_set_error(ctx, "socket"); 126 continue; 127 } 128 if (connect(s, res->ai_addr, res->ai_addrlen) == -1) { 129 tls_set_error(ctx, "connect"); 130 close(s); 131 s = -1; 132 continue; 133 } 134 135 break; /* Connected. */ 136 } 137 freeaddrinfo(res0); 138 139 if (s == -1) 140 goto err; 141 142 if (servername == NULL) 143 servername = h; 144 145 if (tls_connect_socket(ctx, s, servername) != 0) { 146 close(s); 147 goto err; 148 } 149 150 ctx->socket = s; 151 152 rv = 0; 153 154 err: 155 free(hs); 156 free(ps); 157 158 return (rv); 159 } 160 161 static int 162 tls_connect_common(struct tls *ctx, const char *servername) 163 { 164 union tls_addr addrbuf; 165 int rv = -1; 166 167 if ((ctx->flags & TLS_CLIENT) == 0) { 168 tls_set_errorx(ctx, "not a client context"); 169 goto err; 170 } 171 172 if (servername != NULL) { 173 if ((ctx->servername = strdup(servername)) == NULL) { 174 tls_set_errorx(ctx, "out of memory"); 175 goto err; 176 } 177 } 178 179 if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { 180 tls_set_errorx(ctx, "ssl context failure"); 181 goto err; 182 } 183 184 if (tls_configure_ssl(ctx, ctx->ssl_ctx) != 0) 185 goto err; 186 187 if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx, 188 ctx->config->keypair, 0) != 0) 189 goto err; 190 191 if (ctx->config->verify_name) { 192 if (servername == NULL) { 193 tls_set_errorx(ctx, "server name not specified"); 194 goto err; 195 } 196 } 197 198 if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, SSL_VERIFY_PEER) == -1) 199 goto err; 200 201 if (ctx->config->ecdhecurves != NULL) { 202 if (SSL_CTX_set1_groups(ctx->ssl_ctx, ctx->config->ecdhecurves, 203 ctx->config->ecdhecurves_len) != 1) { 204 tls_set_errorx(ctx, "failed to set ecdhe curves"); 205 goto err; 206 } 207 } 208 209 if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 1) { 210 tls_set_errorx(ctx, "ssl OCSP verification setup failure"); 211 goto err; 212 } 213 214 if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) { 215 tls_set_errorx(ctx, "ssl connection failure"); 216 goto err; 217 } 218 219 if (SSL_set_app_data(ctx->ssl_conn, ctx) != 1) { 220 tls_set_errorx(ctx, "ssl application data failure"); 221 goto err; 222 } 223 224 if (SSL_set_tlsext_status_type(ctx->ssl_conn, TLSEXT_STATUSTYPE_ocsp) != 1) { 225 tls_set_errorx(ctx, "ssl OCSP extension setup failure"); 226 goto err; 227 } 228 229 /* 230 * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not 231 * permitted in "HostName". 232 */ 233 if (servername != NULL && 234 inet_pton(AF_INET, servername, &addrbuf) != 1 && 235 inet_pton(AF_INET6, servername, &addrbuf) != 1) { 236 if (SSL_set_tlsext_host_name(ctx->ssl_conn, servername) == 0) { 237 tls_set_errorx(ctx, "server name indication failure"); 238 goto err; 239 } 240 } 241 242 ctx->state |= TLS_CONNECTED; 243 rv = 0; 244 245 err: 246 return (rv); 247 } 248 249 int 250 tls_connect_socket(struct tls *ctx, int s, const char *servername) 251 { 252 return tls_connect_fds(ctx, s, s, servername); 253 } 254 255 int 256 tls_connect_fds(struct tls *ctx, int fd_read, int fd_write, 257 const char *servername) 258 { 259 int rv = -1; 260 261 if (fd_read < 0 || fd_write < 0) { 262 tls_set_errorx(ctx, "invalid file descriptors"); 263 goto err; 264 } 265 266 if (tls_connect_common(ctx, servername) != 0) 267 goto err; 268 269 if (SSL_set_rfd(ctx->ssl_conn, fd_read) != 1 || 270 SSL_set_wfd(ctx->ssl_conn, fd_write) != 1) { 271 tls_set_errorx(ctx, "ssl file descriptor failure"); 272 goto err; 273 } 274 275 rv = 0; 276 err: 277 return (rv); 278 } 279 280 int 281 tls_connect_cbs(struct tls *ctx, tls_read_cb read_cb, 282 tls_write_cb write_cb, void *cb_arg, const char *servername) 283 { 284 int rv = -1; 285 286 if (tls_connect_common(ctx, servername) != 0) 287 goto err; 288 289 if (tls_set_cbs(ctx, read_cb, write_cb, cb_arg) != 0) 290 goto err; 291 292 rv = 0; 293 294 err: 295 return (rv); 296 } 297 298 int 299 tls_handshake_client(struct tls *ctx) 300 { 301 X509 *cert = NULL; 302 int match, ssl_ret; 303 int rv = -1; 304 305 if ((ctx->flags & TLS_CLIENT) == 0) { 306 tls_set_errorx(ctx, "not a client context"); 307 goto err; 308 } 309 310 if ((ctx->state & TLS_CONNECTED) == 0) { 311 tls_set_errorx(ctx, "context not connected"); 312 goto err; 313 } 314 315 ctx->state |= TLS_SSL_NEEDS_SHUTDOWN; 316 317 ERR_clear_error(); 318 if ((ssl_ret = SSL_connect(ctx->ssl_conn)) != 1) { 319 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake"); 320 goto err; 321 } 322 323 if (ctx->config->verify_name) { 324 cert = SSL_get_peer_certificate(ctx->ssl_conn); 325 if (cert == NULL) { 326 tls_set_errorx(ctx, "no server certificate"); 327 goto err; 328 } 329 if (tls_check_name(ctx, cert, ctx->servername, &match) == -1) 330 goto err; 331 if (!match) { 332 tls_set_errorx(ctx, "name `%s' not present in" 333 " server certificate", ctx->servername); 334 goto err; 335 } 336 } 337 338 ctx->state |= TLS_HANDSHAKE_COMPLETE; 339 rv = 0; 340 341 err: 342 X509_free(cert); 343 344 return (rv); 345 } 346