summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--lib/libressl/Makefile3
-rw-r--r--lib/libressl/ressl.c160
-rw-r--r--lib/libressl/ressl_client.c183
3 files changed, 185 insertions, 161 deletions
diff --git a/lib/libressl/Makefile b/lib/libressl/Makefile
index 167379edff9..397fefdf694 100644
--- a/lib/libressl/Makefile
+++ b/lib/libressl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.2 2014/07/13 22:13:52 jsing Exp $
+# $OpenBSD: Makefile,v 1.3 2014/07/13 22:42:01 jsing Exp $
CFLAGS+= -Wall -Werror -Wimplicit
CFLAGS+= -DLIBRESSL_INTERNAL
@@ -10,6 +10,7 @@ DPADD= ${LIBCRYPTO} ${LIBSSL}
HDRS= ressl.h
SRCS= ressl.c \
+ ressl_client.c \
ressl_config.c \
ressl_util.c \
ressl_verify.c
diff --git a/lib/libressl/ressl.c b/lib/libressl/ressl.c
index 7295c520d26..dc82f321b11 100644
--- a/lib/libressl/ressl.c
+++ b/lib/libressl/ressl.c
@@ -14,18 +14,12 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-#include <sys/types.h>
#include <sys/socket.h>
-#include <arpa/inet.h>
-
#include <errno.h>
-#include <netdb.h>
#include <stdlib.h>
#include <unistd.h>
-#include <openssl/x509.h>
-
#include <ressl.h>
#include "ressl_internal.h"
@@ -117,160 +111,6 @@ ressl_reset(struct ressl *ctx)
}
int
-ressl_connect(struct ressl *ctx, const char *host, const char *port)
-{
- struct addrinfo hints, *res, *res0;
- const char *h = NULL, *p = NULL;
- char *hs = NULL, *ps = NULL;
- int rv = -1, s = -1, ret;
-
- if (host == NULL) {
- ressl_set_error(ctx, "host not specified");
- goto err;
- }
-
- /*
- * If port is NULL try to extract a port from the specified host,
- * otherwise use the default.
- */
- if ((p = (char *)port) == NULL) {
- ret = ressl_host_port(host, &hs, &ps);
- if (ret == -1) {
- ressl_set_error(ctx, "memory allocation failure");
- goto err;
- }
- if (ret != 0)
- port = HTTPS_PORT;
- }
-
- h = (hs != NULL) ? hs : host;
- p = (ps != NULL) ? ps : port;
-
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = AF_UNSPEC;
- hints.ai_socktype = SOCK_STREAM;
-
- if ((ret = getaddrinfo(h, p, &hints, &res0)) != 0) {
- ressl_set_error(ctx, "%s", gai_strerror(ret));
- goto err;
- }
- for (res = res0; res; res = res->ai_next) {
- s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
- if (s == -1) {
- ressl_set_error(ctx, "socket");
- continue;
- }
- if (connect(s, res->ai_addr, res->ai_addrlen) == -1) {
- ressl_set_error(ctx, "connect");
- close(s);
- s = -1;
- continue;
- }
-
- break; /* Connected. */
- }
- freeaddrinfo(res0);
-
- if (s == -1)
- goto err;
-
- if (ressl_connect_socket(ctx, s, h) != 0) {
- close(s);
- goto err;
- }
-
- rv = 0;
-
-err:
-
- free(hs);
- free(ps);
-
- return (rv);
-}
-
-int
-ressl_connect_socket(struct ressl *ctx, int socket, const char *hostname)
-{
- union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
- X509 *cert = NULL;
- int ret;
-
- ctx->socket = socket;
-
- /* XXX - add a configuration option to control versions. */
- if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
- ressl_set_error(ctx, "ssl context failure");
- goto err;
- }
- if (ctx->config->verify) {
- if (hostname == NULL) {
- ressl_set_error(ctx, "server name not specified");
- goto err;
- }
-
- SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);
-
- if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
- ctx->config->ca_file, ctx->config->ca_path) != 1) {
- ressl_set_error(ctx, "ssl verify setup failure");
- goto err;
- }
- if (ctx->config->verify_depth >= 0)
- SSL_CTX_set_verify_depth(ctx->ssl_ctx,
- ctx->config->verify_depth);
- }
-
- if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
- ressl_set_error(ctx, "ssl connection failure");
- goto err;
- }
- if (SSL_set_fd(ctx->ssl_conn, ctx->socket) != 1) {
- ressl_set_error(ctx, "ssl file descriptor failure");
- goto err;
- }
-
- /*
- * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not
- * permitted in "HostName".
- */
- if (hostname != NULL &&
- inet_pton(AF_INET, hostname, &addrbuf) != 1 &&
- inet_pton(AF_INET6, hostname, &addrbuf) != 1) {
- if (SSL_set_tlsext_host_name(ctx->ssl_conn, hostname) == 0) {
- ressl_set_error(ctx, "SNI host name failed");
- goto err;
- }
- }
-
- if ((ret = SSL_connect(ctx->ssl_conn)) != 1) {
- ressl_set_error(ctx, "SSL connect failed: %i",
- SSL_get_error(ctx->ssl_conn, ret));
- goto err;
- }
-
- if (ctx->config->verify) {
- cert = SSL_get_peer_certificate(ctx->ssl_conn);
- if (cert == NULL) {
- ressl_set_error(ctx, "no server certificate");
- goto err;
- }
- if (ressl_check_hostname(cert, hostname) != 0) {
- ressl_set_error(ctx, "host `%s' not present in"
- " server certificate", hostname);
- goto err;
- }
- }
-
- return (0);
-
-err:
- X509_free(cert);
-
- return (-1);
-}
-
-int
ressl_read(struct ressl *ctx, char *buf, size_t buflen, size_t *outlen)
{
int ret;
diff --git a/lib/libressl/ressl_client.c b/lib/libressl/ressl_client.c
new file mode 100644
index 00000000000..2e4f2538567
--- /dev/null
+++ b/lib/libressl/ressl_client.c
@@ -0,0 +1,183 @@
+/*
+ * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <arpa/inet.h>
+
+#include <netdb.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <openssl/x509.h>
+
+#include <ressl.h>
+#include "ressl_internal.h"
+
+int
+ressl_connect(struct ressl *ctx, const char *host, const char *port)
+{
+ struct addrinfo hints, *res, *res0;
+ const char *h = NULL, *p = NULL;
+ char *hs = NULL, *ps = NULL;
+ int rv = -1, s = -1, ret;
+
+ if (host == NULL) {
+ ressl_set_error(ctx, "host not specified");
+ goto err;
+ }
+
+ /*
+ * If port is NULL try to extract a port from the specified host,
+ * otherwise use the default.
+ */
+ if ((p = (char *)port) == NULL) {
+ ret = ressl_host_port(host, &hs, &ps);
+ if (ret == -1) {
+ ressl_set_error(ctx, "memory allocation failure");
+ goto err;
+ }
+ if (ret != 0)
+ port = HTTPS_PORT;
+ }
+
+ h = (hs != NULL) ? hs : host;
+ p = (ps != NULL) ? ps : port;
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+
+ if ((ret = getaddrinfo(h, p, &hints, &res0)) != 0) {
+ ressl_set_error(ctx, "%s", gai_strerror(ret));
+ goto err;
+ }
+ for (res = res0; res; res = res->ai_next) {
+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+ if (s == -1) {
+ ressl_set_error(ctx, "socket");
+ continue;
+ }
+ if (connect(s, res->ai_addr, res->ai_addrlen) == -1) {
+ ressl_set_error(ctx, "connect");
+ close(s);
+ s = -1;
+ continue;
+ }
+
+ break; /* Connected. */
+ }
+ freeaddrinfo(res0);
+
+ if (s == -1)
+ goto err;
+
+ if (ressl_connect_socket(ctx, s, h) != 0) {
+ close(s);
+ goto err;
+ }
+
+ rv = 0;
+
+err:
+
+ free(hs);
+ free(ps);
+
+ return (rv);
+}
+
+int
+ressl_connect_socket(struct ressl *ctx, int socket, const char *hostname)
+{
+ union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
+ X509 *cert = NULL;
+ int ret;
+
+ ctx->socket = socket;
+
+ /* XXX - add a configuration option to control versions. */
+ if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
+ ressl_set_error(ctx, "ssl context failure");
+ goto err;
+ }
+ if (ctx->config->verify) {
+ if (hostname == NULL) {
+ ressl_set_error(ctx, "server name not specified");
+ goto err;
+ }
+
+ SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);
+
+ if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
+ ctx->config->ca_file, ctx->config->ca_path) != 1) {
+ ressl_set_error(ctx, "ssl verify setup failure");
+ goto err;
+ }
+ if (ctx->config->verify_depth >= 0)
+ SSL_CTX_set_verify_depth(ctx->ssl_ctx,
+ ctx->config->verify_depth);
+ }
+
+ if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
+ ressl_set_error(ctx, "ssl connection failure");
+ goto err;
+ }
+ if (SSL_set_fd(ctx->ssl_conn, ctx->socket) != 1) {
+ ressl_set_error(ctx, "ssl file descriptor failure");
+ goto err;
+ }
+
+ /*
+ * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not
+ * permitted in "HostName".
+ */
+ if (hostname != NULL &&
+ inet_pton(AF_INET, hostname, &addrbuf) != 1 &&
+ inet_pton(AF_INET6, hostname, &addrbuf) != 1) {
+ if (SSL_set_tlsext_host_name(ctx->ssl_conn, hostname) == 0) {
+ ressl_set_error(ctx, "SNI host name failed");
+ goto err;
+ }
+ }
+
+ if ((ret = SSL_connect(ctx->ssl_conn)) != 1) {
+ ressl_set_error(ctx, "SSL connect failed: %i",
+ SSL_get_error(ctx->ssl_conn, ret));
+ goto err;
+ }
+
+ if (ctx->config->verify) {
+ cert = SSL_get_peer_certificate(ctx->ssl_conn);
+ if (cert == NULL) {
+ ressl_set_error(ctx, "no server certificate");
+ goto err;
+ }
+ if (ressl_check_hostname(cert, hostname) != 0) {
+ ressl_set_error(ctx, "host `%s' not present in"
+ " server certificate", hostname);
+ goto err;
+ }
+ }
+
+ return (0);
+
+err:
+ X509_free(cert);
+
+ return (-1);
+}