static int tls_connect_common(struct tls *ctx, const char *servername) { union tls_addr addrbuf; int rv = -1; if ((ctx->flags & TLS_CLIENT) == 0) { tls_set_errorx(ctx, "not a client context"); goto err; } if (servername != NULL) { if ((ctx->servername = strdup(servername)) == NULL) { tls_set_errorx(ctx, "out of memory"); goto err; } } if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { tls_set_errorx(ctx, "ssl context failure"); goto err; } if (tls_configure_ssl(ctx, ctx->ssl_ctx) != 0) goto err; if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx, ctx->config->keypair, 0) != 0) goto err; if (ctx->config->verify_name) { if (servername == NULL) { tls_set_errorx(ctx, "server name not specified"); goto err; } } if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, SSL_VERIFY_PEER) == -1) goto err; if (ctx->config->ecdhecurves != NULL) { if (SSL_CTX_set1_groups(ctx->ssl_ctx, ctx->config->ecdhecurves, ctx->config->ecdhecurves_len) != 1) { tls_set_errorx(ctx, "failed to set ecdhe curves"); goto err; } } if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 1) { tls_set_errorx(ctx, "ssl OCSP verification setup failure"); goto err; } if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) { tls_set_errorx(ctx, "ssl connection failure"); goto err; } if (SSL_set_app_data(ctx->ssl_conn, ctx) != 1) { tls_set_errorx(ctx, "ssl application data failure"); goto err; } if (SSL_set_tlsext_status_type(ctx->ssl_conn, TLSEXT_STATUSTYPE_ocsp) != 1) { tls_set_errorx(ctx, "ssl OCSP extension setup failure"); goto err; } /* * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not * permitted in "HostName". */ if (servername != NULL && inet_pton(AF_INET, servername, &addrbuf) != 1 && inet_pton(AF_INET6, servername, &addrbuf) != 1) { if (SSL_set_tlsext_host_name(ctx->ssl_conn, servername) == 0) { tls_set_errorx(ctx, "server name indication failure"); goto err; } } ctx->state |= TLS_CONNECTED; rv = 0; err: return (rv); }
static int tls_connect_common(struct tls *ctx, const char *servername) { union tls_addr addrbuf; int rv = -1; if ((ctx->flags & TLS_CLIENT) == 0) { tls_set_errorx(ctx, "not a client context"); goto err; } if (servername != NULL) { if ((ctx->servername = strdup(servername)) == NULL) { tls_set_errorx(ctx, "out of memory"); goto err; } } if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { tls_set_errorx(ctx, "ssl context failure"); goto err; } if (tls_configure_ssl(ctx, ctx->ssl_ctx) != 0) goto err; if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx, ctx->config->keypair, 0) != 0) goto err; if (ctx->config->verify_name) { if (servername == NULL) { tls_set_errorx(ctx, "server name not specified"); goto err; } } if (ctx->config->verify_cert && (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, SSL_VERIFY_PEER) == -1)) goto err; if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) { tls_set_errorx(ctx, "ssl connection failure"); goto err; } if (SSL_set_app_data(ctx->ssl_conn, ctx) != 1) { tls_set_errorx(ctx, "ssl application data failure"); goto err; } /* * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not * permitted in "HostName". */ if (servername != NULL && inet_pton(AF_INET, servername, &addrbuf) != 1 && inet_pton(AF_INET6, servername, &addrbuf) != 1) { if (SSL_set_tlsext_host_name(ctx->ssl_conn, servername) == 0) { tls_set_errorx(ctx, "server name indication failure"); goto err; } } rv = 0; err: return (rv); }