xref: /openbsd-src/lib/libtls/tls_client.c (revision ae3cb403620ab940fbaabb3055fac045a63d56b7)
1 /* $OpenBSD: tls_client.c,v 1.43 2017/08/10 18:18:30 jsing Exp $ */
2 /*
3  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include <sys/types.h>
19 #include <sys/socket.h>
20 
21 #include <arpa/inet.h>
22 #include <netinet/in.h>
23 
24 #include <netdb.h>
25 #include <stdlib.h>
26 #include <unistd.h>
27 
28 #include <openssl/err.h>
29 #include <openssl/x509.h>
30 
31 #include <tls.h>
32 #include "tls_internal.h"
33 
34 struct tls *
35 tls_client(void)
36 {
37 	struct tls *ctx;
38 
39 	if ((ctx = tls_new()) == NULL)
40 		return (NULL);
41 
42 	ctx->flags |= TLS_CLIENT;
43 
44 	return (ctx);
45 }
46 
47 int
48 tls_connect(struct tls *ctx, const char *host, const char *port)
49 {
50 	return tls_connect_servername(ctx, host, port, NULL);
51 }
52 
53 int
54 tls_connect_servername(struct tls *ctx, const char *host, const char *port,
55     const char *servername)
56 {
57 	struct addrinfo hints, *res, *res0;
58 	const char *h = NULL, *p = NULL;
59 	char *hs = NULL, *ps = NULL;
60 	int rv = -1, s = -1, ret;
61 
62 	if ((ctx->flags & TLS_CLIENT) == 0) {
63 		tls_set_errorx(ctx, "not a client context");
64 		goto err;
65 	}
66 
67 	if (host == NULL) {
68 		tls_set_errorx(ctx, "host not specified");
69 		goto err;
70 	}
71 
72 	/*
73 	 * If port is NULL try to extract a port from the specified host,
74 	 * otherwise use the default.
75 	 */
76 	if ((p = (char *)port) == NULL) {
77 		ret = tls_host_port(host, &hs, &ps);
78 		if (ret == -1) {
79 			tls_set_errorx(ctx, "memory allocation failure");
80 			goto err;
81 		}
82 		if (ret != 0) {
83 			tls_set_errorx(ctx, "no port provided");
84 			goto err;
85 		}
86 	}
87 
88 	h = (hs != NULL) ? hs : host;
89 	p = (ps != NULL) ? ps : port;
90 
91 	/*
92 	 * First check if the host is specified as a numeric IP address,
93 	 * either IPv4 or IPv6, before trying to resolve the host.
94 	 * The AI_ADDRCONFIG resolver option will not return IPv4 or IPv6
95 	 * records if it is not configured on an interface;  not considering
96 	 * loopback addresses.  Checking the numeric addresses first makes
97 	 * sure that connection attempts to numeric addresses and especially
98 	 * 127.0.0.1 or ::1 loopback addresses are always possible.
99 	 */
100 	memset(&hints, 0, sizeof(hints));
101 	hints.ai_socktype = SOCK_STREAM;
102 
103 	/* try as an IPv4 literal */
104 	hints.ai_family = AF_INET;
105 	hints.ai_flags = AI_NUMERICHOST;
106 	if (getaddrinfo(h, p, &hints, &res0) != 0) {
107 		/* try again as an IPv6 literal */
108 		hints.ai_family = AF_INET6;
109 		if (getaddrinfo(h, p, &hints, &res0) != 0) {
110 			/* last try, with name resolution and save the error */
111 			hints.ai_family = AF_UNSPEC;
112 			hints.ai_flags = AI_ADDRCONFIG;
113 			if ((s = getaddrinfo(h, p, &hints, &res0)) != 0) {
114 				tls_set_error(ctx, "%s", gai_strerror(s));
115 				goto err;
116 			}
117 		}
118 	}
119 
120 	/* It was resolved somehow; now try connecting to what we got */
121 	s = -1;
122 	for (res = res0; res; res = res->ai_next) {
123 		s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
124 		if (s == -1) {
125 			tls_set_error(ctx, "socket");
126 			continue;
127 		}
128 		if (connect(s, res->ai_addr, res->ai_addrlen) == -1) {
129 			tls_set_error(ctx, "connect");
130 			close(s);
131 			s = -1;
132 			continue;
133 		}
134 
135 		break;  /* Connected. */
136 	}
137 	freeaddrinfo(res0);
138 
139 	if (s == -1)
140 		goto err;
141 
142 	if (servername == NULL)
143 		servername = h;
144 
145 	if (tls_connect_socket(ctx, s, servername) != 0) {
146 		close(s);
147 		goto err;
148 	}
149 
150 	ctx->socket = s;
151 
152 	rv = 0;
153 
154  err:
155 	free(hs);
156 	free(ps);
157 
158 	return (rv);
159 }
160 
161 static int
162 tls_connect_common(struct tls *ctx, const char *servername)
163 {
164 	union tls_addr addrbuf;
165 	int rv = -1;
166 
167 	if ((ctx->flags & TLS_CLIENT) == 0) {
168 		tls_set_errorx(ctx, "not a client context");
169 		goto err;
170 	}
171 
172 	if (servername != NULL) {
173 		if ((ctx->servername = strdup(servername)) == NULL) {
174 			tls_set_errorx(ctx, "out of memory");
175 			goto err;
176 		}
177 	}
178 
179 	if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
180 		tls_set_errorx(ctx, "ssl context failure");
181 		goto err;
182 	}
183 
184 	if (tls_configure_ssl(ctx, ctx->ssl_ctx) != 0)
185 		goto err;
186 
187 	if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx,
188 	    ctx->config->keypair, 0) != 0)
189 		goto err;
190 
191 	if (ctx->config->verify_name) {
192 		if (servername == NULL) {
193 			tls_set_errorx(ctx, "server name not specified");
194 			goto err;
195 		}
196 	}
197 
198 	if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, SSL_VERIFY_PEER) == -1)
199 		goto err;
200 
201 	if (ctx->config->ecdhecurves != NULL) {
202 		if (SSL_CTX_set1_groups(ctx->ssl_ctx, ctx->config->ecdhecurves,
203 		    ctx->config->ecdhecurves_len) != 1) {
204 			tls_set_errorx(ctx, "failed to set ecdhe curves");
205 			goto err;
206 		}
207 	}
208 
209 	if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 1) {
210 		tls_set_errorx(ctx, "ssl OCSP verification setup failure");
211 		goto err;
212 	}
213 
214 	if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
215 		tls_set_errorx(ctx, "ssl connection failure");
216 		goto err;
217 	}
218 
219 	if (SSL_set_app_data(ctx->ssl_conn, ctx) != 1) {
220 		tls_set_errorx(ctx, "ssl application data failure");
221 		goto err;
222 	}
223 
224 	if (SSL_set_tlsext_status_type(ctx->ssl_conn, TLSEXT_STATUSTYPE_ocsp) != 1) {
225 		tls_set_errorx(ctx, "ssl OCSP extension setup failure");
226 		goto err;
227 	}
228 
229 	/*
230 	 * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not
231 	 * permitted in "HostName".
232 	 */
233 	if (servername != NULL &&
234 	    inet_pton(AF_INET, servername, &addrbuf) != 1 &&
235 	    inet_pton(AF_INET6, servername, &addrbuf) != 1) {
236 		if (SSL_set_tlsext_host_name(ctx->ssl_conn, servername) == 0) {
237 			tls_set_errorx(ctx, "server name indication failure");
238 			goto err;
239 		}
240 	}
241 
242 	ctx->state |= TLS_CONNECTED;
243 	rv = 0;
244 
245  err:
246 	return (rv);
247 }
248 
249 int
250 tls_connect_socket(struct tls *ctx, int s, const char *servername)
251 {
252 	return tls_connect_fds(ctx, s, s, servername);
253 }
254 
255 int
256 tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
257     const char *servername)
258 {
259 	int rv = -1;
260 
261 	if (fd_read < 0 || fd_write < 0) {
262 		tls_set_errorx(ctx, "invalid file descriptors");
263 		goto err;
264 	}
265 
266 	if (tls_connect_common(ctx, servername) != 0)
267 		goto err;
268 
269 	if (SSL_set_rfd(ctx->ssl_conn, fd_read) != 1 ||
270 	    SSL_set_wfd(ctx->ssl_conn, fd_write) != 1) {
271 		tls_set_errorx(ctx, "ssl file descriptor failure");
272 		goto err;
273 	}
274 
275 	rv = 0;
276  err:
277 	return (rv);
278 }
279 
280 int
281 tls_connect_cbs(struct tls *ctx, tls_read_cb read_cb,
282     tls_write_cb write_cb, void *cb_arg, const char *servername)
283 {
284 	int rv = -1;
285 
286 	if (tls_connect_common(ctx, servername) != 0)
287 		goto err;
288 
289 	if (tls_set_cbs(ctx, read_cb, write_cb, cb_arg) != 0)
290 		goto err;
291 
292 	rv = 0;
293 
294  err:
295 	return (rv);
296 }
297 
298 int
299 tls_handshake_client(struct tls *ctx)
300 {
301 	X509 *cert = NULL;
302 	int match, ssl_ret;
303 	int rv = -1;
304 
305 	if ((ctx->flags & TLS_CLIENT) == 0) {
306 		tls_set_errorx(ctx, "not a client context");
307 		goto err;
308 	}
309 
310 	if ((ctx->state & TLS_CONNECTED) == 0) {
311 		tls_set_errorx(ctx, "context not connected");
312 		goto err;
313 	}
314 
315 	ctx->state |= TLS_SSL_NEEDS_SHUTDOWN;
316 
317 	ERR_clear_error();
318 	if ((ssl_ret = SSL_connect(ctx->ssl_conn)) != 1) {
319 		rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake");
320 		goto err;
321 	}
322 
323 	if (ctx->config->verify_name) {
324 		cert = SSL_get_peer_certificate(ctx->ssl_conn);
325 		if (cert == NULL) {
326 			tls_set_errorx(ctx, "no server certificate");
327 			goto err;
328 		}
329 		if (tls_check_name(ctx, cert, ctx->servername, &match) == -1)
330 			goto err;
331 		if (!match) {
332 			tls_set_errorx(ctx, "name `%s' not present in"
333 			    " server certificate", ctx->servername);
334 			goto err;
335 		}
336 	}
337 
338 	ctx->state |= TLS_HANDSHAKE_COMPLETE;
339 	rv = 0;
340 
341  err:
342 	X509_free(cert);
343 
344 	return (rv);
345 }
346