GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: lib/libtls/tls_client.c Lines: 57 145 39.3 %
Date: 2017-11-13 Branches: 31 92 33.7 %

Line Branch Exec Source
1
/* $OpenBSD: tls_client.c,v 1.43 2017/08/10 18:18:30 jsing Exp $ */
2
/*
3
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4
 *
5
 * Permission to use, copy, modify, and distribute this software for any
6
 * purpose with or without fee is hereby granted, provided that the above
7
 * copyright notice and this permission notice appear in all copies.
8
 *
9
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16
 */
17
18
#include <sys/types.h>
19
#include <sys/socket.h>
20
21
#include <arpa/inet.h>
22
#include <netinet/in.h>
23
24
#include <netdb.h>
25
#include <stdlib.h>
26
#include <unistd.h>
27
28
#include <openssl/err.h>
29
#include <openssl/x509.h>
30
31
#include <tls.h>
32
#include "tls_internal.h"
33
34
struct tls *
35
tls_client(void)
36
{
37
	struct tls *ctx;
38
39
180
	if ((ctx = tls_new()) == NULL)
40
		return (NULL);
41
42
90
	ctx->flags |= TLS_CLIENT;
43
44
90
	return (ctx);
45
90
}
46
47
int
48
tls_connect(struct tls *ctx, const char *host, const char *port)
49
{
50
	return tls_connect_servername(ctx, host, port, NULL);
51
}
52
53
int
54
tls_connect_servername(struct tls *ctx, const char *host, const char *port,
55
    const char *servername)
56
{
57
	struct addrinfo hints, *res, *res0;
58
	const char *h = NULL, *p = NULL;
59
	char *hs = NULL, *ps = NULL;
60
	int rv = -1, s = -1, ret;
61
62
	if ((ctx->flags & TLS_CLIENT) == 0) {
63
		tls_set_errorx(ctx, "not a client context");
64
		goto err;
65
	}
66
67
	if (host == NULL) {
68
		tls_set_errorx(ctx, "host not specified");
69
		goto err;
70
	}
71
72
	/*
73
	 * If port is NULL try to extract a port from the specified host,
74
	 * otherwise use the default.
75
	 */
76
	if ((p = (char *)port) == NULL) {
77
		ret = tls_host_port(host, &hs, &ps);
78
		if (ret == -1) {
79
			tls_set_errorx(ctx, "memory allocation failure");
80
			goto err;
81
		}
82
		if (ret != 0) {
83
			tls_set_errorx(ctx, "no port provided");
84
			goto err;
85
		}
86
	}
87
88
	h = (hs != NULL) ? hs : host;
89
	p = (ps != NULL) ? ps : port;
90
91
	/*
92
	 * First check if the host is specified as a numeric IP address,
93
	 * either IPv4 or IPv6, before trying to resolve the host.
94
	 * The AI_ADDRCONFIG resolver option will not return IPv4 or IPv6
95
	 * records if it is not configured on an interface;  not considering
96
	 * loopback addresses.  Checking the numeric addresses first makes
97
	 * sure that connection attempts to numeric addresses and especially
98
	 * 127.0.0.1 or ::1 loopback addresses are always possible.
99
	 */
100
	memset(&hints, 0, sizeof(hints));
101
	hints.ai_socktype = SOCK_STREAM;
102
103
	/* try as an IPv4 literal */
104
	hints.ai_family = AF_INET;
105
	hints.ai_flags = AI_NUMERICHOST;
106
	if (getaddrinfo(h, p, &hints, &res0) != 0) {
107
		/* try again as an IPv6 literal */
108
		hints.ai_family = AF_INET6;
109
		if (getaddrinfo(h, p, &hints, &res0) != 0) {
110
			/* last try, with name resolution and save the error */
111
			hints.ai_family = AF_UNSPEC;
112
			hints.ai_flags = AI_ADDRCONFIG;
113
			if ((s = getaddrinfo(h, p, &hints, &res0)) != 0) {
114
				tls_set_error(ctx, "%s", gai_strerror(s));
115
				goto err;
116
			}
117
		}
118
	}
119
120
	/* It was resolved somehow; now try connecting to what we got */
121
	s = -1;
122
	for (res = res0; res; res = res->ai_next) {
123
		s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
124
		if (s == -1) {
125
			tls_set_error(ctx, "socket");
126
			continue;
127
		}
128
		if (connect(s, res->ai_addr, res->ai_addrlen) == -1) {
129
			tls_set_error(ctx, "connect");
130
			close(s);
131
			s = -1;
132
			continue;
133
		}
134
135
		break;  /* Connected. */
136
	}
137
	freeaddrinfo(res0);
138
139
	if (s == -1)
140
		goto err;
141
142
	if (servername == NULL)
143
		servername = h;
144
145
	if (tls_connect_socket(ctx, s, servername) != 0) {
146
		close(s);
147
		goto err;
148
	}
149
150
	ctx->socket = s;
151
152
	rv = 0;
153
154
 err:
155
	free(hs);
156
	free(ps);
157
158
	return (rv);
159
}
160
161
static int
162
tls_connect_common(struct tls *ctx, const char *servername)
163
{
164
24
	union tls_addr addrbuf;
165
	int rv = -1;
166
167
12
	if ((ctx->flags & TLS_CLIENT) == 0) {
168
		tls_set_errorx(ctx, "not a client context");
169
		goto err;
170
	}
171
172
12
	if (servername != NULL) {
173
12
		if ((ctx->servername = strdup(servername)) == NULL) {
174
			tls_set_errorx(ctx, "out of memory");
175
			goto err;
176
		}
177
	}
178
179
12
	if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
180
		tls_set_errorx(ctx, "ssl context failure");
181
		goto err;
182
	}
183
184
12
	if (tls_configure_ssl(ctx, ctx->ssl_ctx) != 0)
185
		goto err;
186
187
36
	if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx,
188
24
	    ctx->config->keypair, 0) != 0)
189
		goto err;
190
191
24
	if (ctx->config->verify_name) {
192
12
		if (servername == NULL) {
193
			tls_set_errorx(ctx, "server name not specified");
194
			goto err;
195
		}
196
	}
197
198
12
	if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, SSL_VERIFY_PEER) == -1)
199
		goto err;
200
201
12
	if (ctx->config->ecdhecurves != NULL) {
202
36
		if (SSL_CTX_set1_groups(ctx->ssl_ctx, ctx->config->ecdhecurves,
203
24
		    ctx->config->ecdhecurves_len) != 1) {
204
			tls_set_errorx(ctx, "failed to set ecdhe curves");
205
			goto err;
206
		}
207
	}
208
209
12
	if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 1) {
210
		tls_set_errorx(ctx, "ssl OCSP verification setup failure");
211
		goto err;
212
	}
213
214
12
	if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
215
		tls_set_errorx(ctx, "ssl connection failure");
216
		goto err;
217
	}
218
219
12
	if (SSL_set_app_data(ctx->ssl_conn, ctx) != 1) {
220
		tls_set_errorx(ctx, "ssl application data failure");
221
		goto err;
222
	}
223
224
12
	if (SSL_set_tlsext_status_type(ctx->ssl_conn, TLSEXT_STATUSTYPE_ocsp) != 1) {
225
		tls_set_errorx(ctx, "ssl OCSP extension setup failure");
226
		goto err;
227
	}
228
229
	/*
230
	 * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not
231
	 * permitted in "HostName".
232
	 */
233

24
	if (servername != NULL &&
234
12
	    inet_pton(AF_INET, servername, &addrbuf) != 1 &&
235
12
	    inet_pton(AF_INET6, servername, &addrbuf) != 1) {
236
12
		if (SSL_set_tlsext_host_name(ctx->ssl_conn, servername) == 0) {
237
			tls_set_errorx(ctx, "server name indication failure");
238
			goto err;
239
		}
240
	}
241
242
12
	ctx->state |= TLS_CONNECTED;
243
12
	rv = 0;
244
245
 err:
246
12
	return (rv);
247
12
}
248
249
int
250
tls_connect_socket(struct tls *ctx, int s, const char *servername)
251
{
252
6
	return tls_connect_fds(ctx, s, s, servername);
253
}
254
255
int
256
tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
257
    const char *servername)
258
{
259
	int rv = -1;
260
261
12
	if (fd_read < 0 || fd_write < 0) {
262
		tls_set_errorx(ctx, "invalid file descriptors");
263
		goto err;
264
	}
265
266
6
	if (tls_connect_common(ctx, servername) != 0)
267
		goto err;
268
269

12
	if (SSL_set_rfd(ctx->ssl_conn, fd_read) != 1 ||
270
6
	    SSL_set_wfd(ctx->ssl_conn, fd_write) != 1) {
271
		tls_set_errorx(ctx, "ssl file descriptor failure");
272
		goto err;
273
	}
274
275
6
	rv = 0;
276
 err:
277
6
	return (rv);
278
}
279
280
int
281
tls_connect_cbs(struct tls *ctx, tls_read_cb read_cb,
282
    tls_write_cb write_cb, void *cb_arg, const char *servername)
283
{
284
	int rv = -1;
285
286
12
	if (tls_connect_common(ctx, servername) != 0)
287
		goto err;
288
289
6
	if (tls_set_cbs(ctx, read_cb, write_cb, cb_arg) != 0)
290
		goto err;
291
292
6
	rv = 0;
293
294
 err:
295
6
	return (rv);
296
}
297
298
int
299
tls_handshake_client(struct tls *ctx)
300
{
301
	X509 *cert = NULL;
302
102
	int match, ssl_ret;
303
	int rv = -1;
304
305
51
	if ((ctx->flags & TLS_CLIENT) == 0) {
306
		tls_set_errorx(ctx, "not a client context");
307
		goto err;
308
	}
309
310
51
	if ((ctx->state & TLS_CONNECTED) == 0) {
311
3
		tls_set_errorx(ctx, "context not connected");
312
3
		goto err;
313
	}
314
315
48
	ctx->state |= TLS_SSL_NEEDS_SHUTDOWN;
316
317
48
	ERR_clear_error();
318
48
	if ((ssl_ret = SSL_connect(ctx->ssl_conn)) != 1) {
319
36
		rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake");
320
36
		goto err;
321
	}
322
323
12
	if (ctx->config->verify_name) {
324
		cert = SSL_get_peer_certificate(ctx->ssl_conn);
325
		if (cert == NULL) {
326
			tls_set_errorx(ctx, "no server certificate");
327
			goto err;
328
		}
329
		if (tls_check_name(ctx, cert, ctx->servername, &match) == -1)
330
			goto err;
331
		if (!match) {
332
			tls_set_errorx(ctx, "name `%s' not present in"
333
			    " server certificate", ctx->servername);
334
			goto err;
335
		}
336
	}
337
338
12
	ctx->state |= TLS_HANDSHAKE_COMPLETE;
339
12
	rv = 0;
340
341
 err:
342
51
	X509_free(cert);
343
344
51
	return (rv);
345
51
}