projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add interface documentation for the DANE library
[exim.git] / src / src / dane-openssl.c
CommitLineData
e682570f
TL		 1#include <stdio.h>
2#include <string.h>
3#include <stdint.h>
4
5#include <openssl/opensslv.h>
6#include <openssl/err.h>
7#include <openssl/crypto.h>
8#include <openssl/safestack.h>
9#include <openssl/objects.h>
10#include <openssl/x509.h>
11#include <openssl/x509v3.h>
12#include <openssl/evp.h>
13
14#if OPENSSL_VERSION_NUMBER < 0x1000000fL
880a1e77
JH		 15# error "OpenSSL 1.0.0 or higher required"
16#else /* remainder of file */
e682570f
TL		 17
18#include "danessl.h"
19
20#define DANE_F_ADD_SKID 100
21#define DANE_F_CHECK_END_ENTITY 101
22#define DANE_F_GROW_CHAIN 102
23#define DANE_F_LIST_ALLOC 103
24#define DANE_F_MATCH 104
25#define DANE_F_PUSH_EXT 105
26#define DANE_F_SET_TRUST_ANCHOR 106
27#define DANE_F_SSL_CTX_DANE_INIT 107
28#define DANE_F_SSL_DANE_ADD_TLSA 108
29#define DANE_F_SSL_DANE_INIT 109
30#define DANE_F_SSL_DANE_LIBRARY_INIT 110
31#define DANE_F_VERIFY_CERT 111
32#define DANE_F_WRAP_CERT 112
33
34#define DANE_R_BAD_CERT 100
35#define DANE_R_BAD_CERT_PKEY 101
36#define DANE_R_BAD_DATA_LENGTH 102
37#define DANE_R_BAD_DIGEST 103
38#define DANE_R_BAD_NULL_DATA 104
39#define DANE_R_BAD_PKEY 105
40#define DANE_R_BAD_SELECTOR 106
41#define DANE_R_BAD_USAGE 107
42#define DANE_R_DANE_INIT 108
43#define DANE_R_DANE_SUPPORT 109
44#define DANE_R_LIBRARY_INIT 110
45#define DANE_R_NOSIGN_KEY 111
46#define DANE_R_SCTX_INIT 112
47
48#ifndef OPENSSL_NO_ERR
880a1e77
JH		 49# define DANE_F_PLACEHOLDER 0 /* FIRST! Value TBD */
50static ERR_STRING_DATA dane_str_functs[] =
51{
e682570f
TL		 52 {DANE_F_PLACEHOLDER, "DANE library"}, /* FIRST!!! */
53 {DANE_F_ADD_SKID, "add_skid"},
54 {DANE_F_CHECK_END_ENTITY, "check_end_entity"},
55 {DANE_F_GROW_CHAIN, "grow_chain"},
56 {DANE_F_LIST_ALLOC, "list_alloc"},
57 {DANE_F_MATCH, "match"},
58 {DANE_F_PUSH_EXT, "push_ext"},
59 {DANE_F_SET_TRUST_ANCHOR, "set_trust_anchor"},
60 {DANE_F_SSL_CTX_DANE_INIT, "SSL_CTX_dane_init"},
61 {DANE_F_SSL_DANE_ADD_TLSA, "SSL_dane_add_tlsa"},
62 {DANE_F_SSL_DANE_INIT, "SSL_dane_init"},
63 {DANE_F_SSL_DANE_LIBRARY_INIT, "SSL_dane_library_init"},
64 {DANE_F_VERIFY_CERT, "verify_cert"},
65 {DANE_F_WRAP_CERT, "wrap_cert"},
66 {0, NULL}
67};
880a1e77
JH		 68static ERR_STRING_DATA dane_str_reasons[] =
69{
e682570f
TL		 70 {DANE_R_BAD_CERT, "Bad TLSA record certificate"},
71 {DANE_R_BAD_CERT_PKEY, "Bad TLSA record certificate public key"},
72 {DANE_R_BAD_DATA_LENGTH, "Bad TLSA record digest length"},
73 {DANE_R_BAD_DIGEST, "Bad TLSA record digest"},
74 {DANE_R_BAD_NULL_DATA, "Bad TLSA record null data"},
75 {DANE_R_BAD_PKEY, "Bad TLSA record public key"},
76 {DANE_R_BAD_SELECTOR, "Bad TLSA record selector"},
77 {DANE_R_BAD_USAGE, "Bad TLSA record usage"},
78 {DANE_R_DANE_INIT, "SSL_dane_init() required"},
79 {DANE_R_DANE_SUPPORT, "DANE library features not supported"},
80 {DANE_R_LIBRARY_INIT, "SSL_dane_library_init() required"},
81 {DANE_R_SCTX_INIT, "SSL_CTX_dane_init() required"},
82 {DANE_R_NOSIGN_KEY, "Certificate usage 2 requires EC support"},
83 {0, NULL}
84};
880a1e77 85#endif /*OPENSSL_NO_ERR*/
e682570f
TL		 86
87#define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
88
89static int err_lib_dane = -1;
90static int dane_idx = -1;
91
92#ifdef X509_V_FLAG_PARTIAL_CHAIN /* OpenSSL >= 1.0.2 */
93static int wrap_to_root = 0;
94#else
95static int wrap_to_root = 1;
96#endif
97
98static void (*cert_free)(void *) = (void (*)(void *)) X509_free;
99static void (*pkey_free)(void *) = (void (*)(void *)) EVP_PKEY_free;
100
880a1e77
JH		 101typedef struct dane_list
102{
e682570f
TL		 103 struct dane_list *next;
104 void *value;
105} *dane_list;
106
107#define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0)
108
880a1e77
JH		 109typedef struct dane_host_list
110{
111 struct dane_host_list *next;
e682570f 112 char *value;
880a1e77 113} *dane_host_list;
e682570f 114
880a1e77
JH		 115typedef struct dane_data
116{
e682570f
TL		 117 size_t datalen;
118 unsigned char data[0];
119} *dane_data;
120
880a1e77
JH		 121typedef struct dane_data_list
122{
123 struct dane_data_list *next;
e682570f 124 dane_data value;
880a1e77 125} *dane_data_list;
e682570f 126
880a1e77
JH		 127typedef struct dane_mtype
128{
e682570f
TL		 129 int mdlen;
130 const EVP_MD *md;
880a1e77 131 dane_data_list data;
e682570f
TL		 132} *dane_mtype;
133
880a1e77
JH		 134typedef struct dane_mtype_list
135{
136 struct dane_mtype_list *next;
e682570f 137 dane_mtype value;
880a1e77 138} *dane_mtype_list;
e682570f 139
880a1e77
JH		 140typedef struct dane_selector
141{
e682570f 142 uint8_t selector;
880a1e77 143 dane_mtype_list mtype;
e682570f
TL		 144} *dane_selector;
145
880a1e77
JH		 146typedef struct dane_selector_list
147{
148 struct dane_selector_list *next;
e682570f 149 dane_selector value;
880a1e77 150} *dane_selector_list;
e682570f 151
880a1e77
JH		 152typedef struct dane_pkey_list
153{
154 struct dane_pkey_list *next;
e682570f 155 EVP_PKEY *value;
880a1e77 156} *dane_pkey_list;
e682570f 157
880a1e77
JH		 158typedef struct dane_cert_list
159{
160 struct dane_cert_list *next;
e682570f 161 X509 *value;
880a1e77 162} *dane_cert_list;
e682570f 163
880a1e77
JH		 164typedef struct ssl_dane
165{
e682570f
TL		 166 int (*verify)(X509_STORE_CTX *);
167 STACK_OF(X509) *roots;
168 STACK_OF(X509) *chain;
169 const char *thost; /* TLSA base domain */
170 char *mhost; /* Matched, peer name */
880a1e77
JH		 171 dane_pkey_list pkeys;
172 dane_cert_list certs;
173 dane_host_list hosts;
174 dane_selector_list selectors[SSL_DANE_USAGE_LAST + 1];
e682570f
TL		 175 int depth;
176 int multi; /* Multi-label wildcards? */
177 int count; /* Number of TLSA records */
880a1e77 178} ssl_dane;
e682570f
TL		 179
180#ifndef X509_V_ERR_HOSTNAME_MISMATCH
880a1e77 181# define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION
e682570f
TL		 182#endif
183
880a1e77
JH		 184static int
185match(dane_selector_list slist, X509 *cert, int depth)
e682570f 186{
880a1e77 187int matched;
e682570f 188
880a1e77
JH		 189/*
190 * Note, set_trust_anchor() needs to know whether the match was for a
191 * pkey digest or a certificate digest. We return MATCHED_PKEY or
192 * MATCHED_CERT accordingly.
193 */
e682570f
TL		 194#define MATCHED_CERT (SSL_DANE_SELECTOR_CERT + 1)
195#define MATCHED_PKEY (SSL_DANE_SELECTOR_SPKI + 1)
196
880a1e77
JH		 197/*
198 * Loop over each selector, mtype, and associated data element looking
199 * for a match.
200 */
201for(matched = 0; !matched && slist; slist = slist->next)
202 {
203 dane_mtype_list m;
204 unsigned char mdbuf[EVP_MAX_MD_SIZE];
205 unsigned char *buf;
206 unsigned char *buf2;
207 unsigned int len;
208
209 /*
210 * Extract ASN.1 DER form of certificate or public key.
211 */
212 switch(slist->value->selector)
213 {
214 case SSL_DANE_SELECTOR_CERT:
215 len = i2d_X509(cert, NULL);
216 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
217 if(buf) i2d_X509(cert, &buf2);
218 break;
219 case SSL_DANE_SELECTOR_SPKI:
220 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
221 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
222 if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2);
223 break;
224 }
225
226 if(!buf)
227 {
228 DANEerr(DANE_F_MATCH, ERR_R_MALLOC_FAILURE);
229 return 0;
230 }
231 OPENSSL_assert(buf2 - buf == len);
232
233 /*
234 * Loop over each mtype and data element
235 */
236 for(m = slist->value->mtype; !matched && m; m = m->next)
237 {
238 dane_data_list d;
239 unsigned char *cmpbuf = buf;
240 unsigned int cmplen = len;
241
e682570f 242 /*
880a1e77
JH		 243 * If it is a digest, compute the corresponding digest of the
244 * DER data for comparison, otherwise, use the full object.
e682570f 245 */
880a1e77
JH		 246 if(m->value->md)
247 {
248 cmpbuf = mdbuf;
249 if(!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
250 matched = -1;
251 }
252 for(d = m->value->data; !matched && d; d = d->next)
253 if( cmplen == d->value->datalen
254 && memcmp(cmpbuf, d->value->data, cmplen) == 0)
255 matched = slist->value->selector + 1;
e682570f
TL		 256 }
257
880a1e77
JH		 258 OPENSSL_free(buf);
259 }
e682570f 260
880a1e77 261return matched;
e682570f
TL		 262}
263
880a1e77
JH		 264static int
265push_ext(X509 *cert, X509_EXTENSION *ext)
e682570f 266{
880a1e77 267X509_EXTENSIONS *exts;
e682570f 268
880a1e77
JH		 269if(ext)
270 {
271 if(!(exts = cert->cert_info->extensions))
272 exts = cert->cert_info->extensions = sk_X509_EXTENSION_new_null();
273 if (exts && sk_X509_EXTENSION_push(exts, ext))
274 return 1;
275 X509_EXTENSION_free(ext);
276 }
277DANEerr(DANE_F_PUSH_EXT, ERR_R_MALLOC_FAILURE);
278return 0;
e682570f
TL		 279}
280
880a1e77
JH		 281static int
282add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
e682570f 283{
880a1e77 284X509V3_CTX v3ctx;
e682570f 285
880a1e77
JH		 286X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
287return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
e682570f
TL		 288}
289
880a1e77
JH		 290static int
291set_serial(X509 *cert, AUTHORITY_KEYID *akid, X509 *subject)
e682570f 292{
880a1e77
JH		 293int ret = 0;
294BIGNUM *bn;
295
296if(akid && akid->serial)
297 return (X509_set_serialNumber(cert, akid->serial));
298
299/*
300 * Add one to subject's serial to avoid collisions between TA serial and
301 * serial of signing root.
302 */
303if( (bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(subject), 0)) != 0
304 && BN_add_word(bn, 1)
305 && BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(cert)))
306 ret = 1;
307
308if(bn)
309 BN_free(bn);
310return ret;
311}
e682570f 312
880a1e77
JH		 313static int
314add_akid(X509 *cert, AUTHORITY_KEYID *akid)
315{
316int nid = NID_authority_key_identifier;
317ASN1_STRING *id;
318unsigned char c = 0;
319int ret = 0;
320
321/*
322 * 0 will never be our subject keyid from a SHA-1 hash, but it could be
323 * our subject keyid if forced from child's akid. If so, set our
324 * authority keyid to 1. This way we are never self-signed, and thus
325 * exempt from any potential (off by default for now in OpenSSL)
326 * self-signature checks!
327 */
328id = (ASN1_STRING *) ((akid && akid->keyid) ? akid->keyid : 0);
329if(id && M_ASN1_STRING_length(id) == 1 && *M_ASN1_STRING_data(id) == c)
330 c = 1;
331
332if( (akid = AUTHORITY_KEYID_new()) != 0
333 && (akid->keyid = ASN1_OCTET_STRING_new()) != 0
334 && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
335 && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_APPEND))
336 ret = 1;
337if(akid)
338 AUTHORITY_KEYID_free(akid);
339return ret;
e682570f
TL		 340}
341
880a1e77
JH		 342static int
343add_skid(X509 *cert, AUTHORITY_KEYID *akid)
e682570f 344{
880a1e77 345int nid = NID_subject_key_identifier;
e682570f 346
880a1e77
JH		 347if(!akid || !akid->keyid)
348 return add_ext(0, cert, nid, "hash");
349return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_APPEND) > 0;
e682570f
TL		 350}
351
880a1e77
JH		 352static X509_NAME *
353akid_issuer_name(AUTHORITY_KEYID *akid)
e682570f 354{
880a1e77
JH		 355if(akid && akid->issuer)
356 {
357 int i;
358 GENERAL_NAMES *gens = akid->issuer;
e682570f 359
880a1e77
JH		 360 for(i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
361 {
362 GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
e682570f 363
880a1e77
JH		 364 if(gn->type == GEN_DIRNAME)
365 return (gn->d.dirn);
e682570f 366 }
880a1e77
JH		 367 }
368return 0;
e682570f
TL		 369}
370
880a1e77
JH		 371static int
372set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
e682570f 373{
880a1e77
JH		 374X509_NAME *name = akid_issuer_name(akid);
375
376/*
377 * If subject's akid specifies an authority key identifer issuer name, we
378 * must use that.
379 */
380return X509_set_issuer_name(cert,
381 name ? name : X509_get_subject_name(cert));
e682570f
TL		 382}
383
880a1e77
JH		 384static int
385grow_chain(ssl_dane *dane, int trusted, X509 *cert)
e682570f 386{
880a1e77
JH		 387STACK_OF(X509) **xs = trusted ? &dane->roots : &dane->chain;
388static ASN1_OBJECT *serverAuth = 0;
e682570f
TL		 389
390#define UNTRUSTED 0
391#define TRUSTED 1
392
880a1e77
JH		 393if( trusted && !serverAuth
394 && !(serverAuth = OBJ_nid2obj(NID_server_auth)))
395 {
396 DANEerr(DANE_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
397 return 0;
398 }
399if(!*xs && !(*xs = sk_X509_new_null()))
400 {
401 DANEerr(DANE_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
402 return 0;
403 }
404
405if(cert)
406 {
407 if(trusted && !X509_add1_trust_object(cert, serverAuth))
408 return 0;
409 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
410 if (!sk_X509_push(*xs, cert))
411 {
412 X509_free(cert);
413 DANEerr(DANE_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
414 return 0;
e682570f 415 }
880a1e77
JH		 416 }
417return 1;
e682570f
TL		 418}
419
880a1e77
JH		 420static int
421wrap_issuer(ssl_dane *dane, EVP_PKEY *key, X509 *subject, int depth, int top)
e682570f 422{
880a1e77
JH		 423int ret = 1;
424X509 *cert = 0;
425AUTHORITY_KEYID *akid;
426X509_NAME *name = X509_get_issuer_name(subject);
427EVP_PKEY *newkey = key ? key : X509_get_pubkey(subject);
e682570f
TL		 428
429#define WRAP_MID 0 /* Ensure intermediate. */
430#define WRAP_TOP 1 /* Ensure self-signed. */
431
880a1e77
JH		 432if(!name || !newkey || !(cert = X509_new()))
433 return 0;
434
435/*
436 * Record the depth of the trust-anchor certificate.
437 */
438if(dane->depth < 0)
439 dane->depth = depth + 1;
440
441/*
442 * XXX: Uncaught error condition:
443 *
444 * The return value is NULL both when the extension is missing, and when
445 * OpenSSL rans out of memory while parsing the extension.
446 */
447ERR_clear_error();
448akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
449/* XXX: Should we peek at the error stack here??? */
450
451/*
452 * If top is true generate a self-issued root CA, otherwise an
453 * intermediate CA and possibly its self-signed issuer.
454 *
455 * CA cert valid for +/- 30 days
456 */
457if( !X509_set_version(cert, 2)
458 || !set_serial(cert, akid, subject)
459 || !X509_set_subject_name(cert, name)
460 || !set_issuer_name(cert, akid)
461 || !X509_gmtime_adj(X509_get_notBefore(cert), -30 * 86400L)
462 || !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L)
463 || !X509_set_pubkey(cert, newkey)
464 || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
465 || (!top && !add_akid(cert, akid))
466 || !add_skid(cert, akid)
467 || ( !top && wrap_to_root
468 && !wrap_issuer(dane, newkey, cert, depth, WRAP_TOP)))
469 ret = 0;
470
471if(akid)
472 AUTHORITY_KEYID_free(akid);
473if(!key)
474 EVP_PKEY_free(newkey);
475if(ret)
476 ret = grow_chain(dane, !top && wrap_to_root ? UNTRUSTED : TRUSTED, cert);
477if(cert)
478 X509_free(cert);
479return ret;
e682570f
TL		 480}
481
880a1e77
JH		 482static int
483wrap_cert(ssl_dane *dane, X509 *tacert, int depth)
e682570f 484{
880a1e77
JH		 485if(dane->depth < 0)
486 dane->depth = depth + 1;
487
488/*
489 * If the TA certificate is self-issued, or need not be, use it directly.
490 * Otherwise, synthesize requisuite ancestors.
491 */
492if( !wrap_to_root
493 || X509_check_issued(tacert, tacert) == X509_V_OK)
494 return grow_chain(dane, TRUSTED, tacert);
495
496if(wrap_issuer(dane, 0, tacert, depth, WRAP_MID))
497 return grow_chain(dane, UNTRUSTED, tacert);
498return 0;
e682570f
TL		 499}
500
880a1e77
JH		 501static int
502ta_signed(ssl_dane *dane, X509 *cert, int depth)
e682570f 503{
880a1e77
JH		 504dane_cert_list x;
505dane_pkey_list k;
506EVP_PKEY *pk;
507int done = 0;
508
509/*
510 * First check whether issued and signed by a TA cert, this is cheaper
511 * than the bare-public key checks below, since we can determine whether
512 * the candidate TA certificate issued the certificate to be checked
513 * first (name comparisons), before we bother with signature checks
514 * (public key operations).
515 */
516for (x = dane->certs; !done && x; x = x->next)
517 {
518 if(X509_check_issued(x->value, cert) == X509_V_OK)
519 {
520 if(!(pk = X509_get_pubkey(x->value)))
521 {
522 /*
523 * The cert originally contained a valid pkey, which does
524 * not just vanish, so this is most likely a memory error.
525 */
526 done = -1;
527 break;
528 }
529 /* Check signature, since some other TA may work if not this. */
530 if(X509_verify(cert, pk) > 0)
531 done = wrap_cert(dane, x->value, depth) ? 1 : -1;
532 EVP_PKEY_free(pk);
e682570f 533 }
880a1e77
JH		 534 }
535
536/*
537 * With bare TA public keys, we can't check whether the trust chain is
538 * issued by the key, but we can determine whether it is signed by the
539 * key, so we go with that.
540 *
541 * Ideally, the corresponding certificate was presented in the chain, and we
542 * matched it by its public key digest one level up. This code is here
543 * to handle adverse conditions imposed by sloppy administrators of
544 * receiving systems with poorly constructed chains.
545 *
546 * We'd like to optimize out keys that should not match when the cert's
547 * authority key id does not match the key id of this key computed via
548 * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans
549 * ASN1 tag and length thus also excluding the unused bits field that is
550 * logically part of the length). However, some CAs have a non-standard
551 * authority keyid, so we lose. Too bad.
552 *
553 * This may push errors onto the stack when the certificate signature is
554 * not of the right type or length, throw these away,
555 */
556for(k = dane->pkeys; !done && k; k = k->next)
557 if(X509_verify(cert, k->value) > 0)
558 done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
559 else
560 ERR_clear_error();
e682570f 561
880a1e77 562return done;
e682570f
TL		 563}
564
880a1e77
JH		 565static int
566set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
e682570f 567{
880a1e77
JH		 568int matched = 0;
569int n;
570int i;
571int depth = 0;
572EVP_PKEY *takey;
573X509 *ca;
574STACK_OF(X509) *in = ctx->untrusted; /* XXX: Accessor? */
575
576if(!grow_chain(dane, UNTRUSTED, 0))
577 return -1;
578
579/*
580 * Accept a degenerate case: depth 0 self-signed trust-anchor.
581 */
582if(X509_check_issued(cert, cert) == X509_V_OK)
583 {
584 dane->depth = 0;
585 matched = match(dane->selectors[SSL_DANE_USAGE_TRUSTED_CA], cert, 0);
586 if(matched > 0 && !grow_chain(dane, TRUSTED, cert))
587 matched = -1;
588 return matched;
589 }
590
591/* Make a shallow copy of the input untrusted chain. */
592if(!(in = sk_X509_dup(in)))
593 {
594 DANEerr(DANE_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
595 return -1;
596 }
597
598/*
599 * At each iteration we consume the issuer of the current cert. This
600 * reduces the length of the "in" chain by one. If no issuer is found,
601 * we are done. We also stop when a certificate matches a TA in the
602 * peer's TLSA RRset.
603 *
604 * Caller ensures that the initial certificate is not self-signed.
605 */
606for(n = sk_X509_num(in); n > 0; --n, ++depth)
607 {
608 for(i = 0; i < n; ++i)
609 if(X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
610 break;
611
612 /*
613 * Final untrusted element with no issuer in the peer's chain, it may
614 * however be signed by a pkey or cert obtained via a TLSA RR.
615 */
616 if(i == n)
617 break;
618
619 /* Peer's chain contains an issuer ca. */
620 ca = sk_X509_delete(in, i);
621
622 /* If not a trust anchor, record untrusted ca and continue. */
623 if((matched = match(dane->selectors[SSL_DANE_USAGE_TRUSTED_CA], ca, depth+1))
624 == 0)
625 {
626 if(grow_chain(dane, UNTRUSTED, ca))
627 {
628 if(!X509_check_issued(ca, ca) == X509_V_OK)
629 {
630 /* Restart with issuer as subject */
631 cert = ca;
632 continue;
633 }
634 /* Final self-signed element, skip ta_signed() check. */
635 cert = 0;
636 }
637 else
638 matched = -1;
e682570f 639 }
880a1e77
JH		 640 else if(matched == MATCHED_CERT)
641 {
642 if(!wrap_cert(dane, ca, depth))
643 matched = -1;
e682570f 644 }
880a1e77
JH		 645 else if(matched == MATCHED_PKEY)
646 {
647 if( !(takey = X509_get_pubkey(ca))
648 || !wrap_issuer(dane, takey, cert, depth, WRAP_MID))
649 {
650 if(takey)
651 EVP_PKEY_free(takey);
652 else
653 DANEerr(DANE_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
654 matched = -1;
655 }
e682570f 656 }
880a1e77
JH		 657 break;
658 }
e682570f 659
880a1e77
JH		 660/* Shallow free the duplicated input untrusted chain. */
661sk_X509_free(in);
e682570f 662
880a1e77
JH		 663/*
664 * When the loop exits, if "cert" is set, it is not self-signed and has
665 * no issuer in the chain, we check for a possible signature via a DNS
666 * obtained TA cert or public key.
667 */
668if(matched == 0 && cert)
669 matched = ta_signed(dane, cert, depth);
e682570f 670
880a1e77 671return matched;
e682570f
TL		 672}
673
880a1e77
JH		 674static int
675check_end_entity(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
e682570f 676{
880a1e77
JH		 677int matched;
678
679matched = match(dane->selectors[SSL_DANE_USAGE_FIXED_LEAF], cert, 0);
680if(matched > 0)
681 if(!ctx->chain)
682 if( (ctx->chain = sk_X509_new_null())
683 && sk_X509_push(ctx->chain, cert))
684 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
685 else
686 {
687 DANEerr(DANE_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE);
688 return -1;
689 }
690return matched;
e682570f
TL		 691}
692
880a1e77
JH		 693static int
694match_name(const char *certid, ssl_dane *dane)
e682570f 695{
880a1e77
JH		 696int multi = dane->multi;
697dane_host_list hosts;
698
699for(hosts = dane->hosts; hosts; hosts = hosts->next)
700 {
701 int match_subdomain = 0;
702 const char *domain = hosts->value;
703 const char *parent;
704 int idlen;
705 int domlen;
706
707 if(*domain == '.' && domain[1] != '\0')
708 {
709 ++domain;
710 match_subdomain = 1;
e682570f 711 }
880a1e77
JH		 712
713 /*
714 * Sub-domain match: certid is any sub-domain of hostname.
715 */
716 if(match_subdomain)
717 if( (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1
718 && certid[idlen - domlen - 1] == '.'
719 && !strcasecmp(certid + (idlen - domlen), domain))
720 return 1;
721 else
722 continue;
723
724 /*
725 * Exact match and initial "*" match. The initial "*" in a certid
726 * matches one (if multi is false) or more hostname components under
727 * the condition that the certid contains multiple hostname components.
728 */
729 if( !strcasecmp(certid, domain)
730 || ( certid[0] == '*' && certid[1] == '.' && certid[2] != 0
731 && (parent = strchr(domain, '.')) != 0
732 && (idlen = strlen(certid + 1)) <= (domlen = strlen(parent))
733 && strcasecmp(multi ? parent + domlen - idlen : parent, certid+1) == 0))
734 return 1;
735 }
736return 0;
e682570f
TL		 737}
738
880a1e77
JH		 739static char *
740check_name(char *name, int len)
e682570f 741{
880a1e77
JH		 742char *cp = name + len;
743
744while(len > 0 && !*--cp)
745 --len; /* Ignore trailing NULs */
746if(len <= 0)
747 return 0;
748for(cp = name; *cp; cp++)
749 {
750 char c = *cp;
751 if (!((c >= 'a' && c <= 'z') ||
752 (c >= '0' && c <= '9') ||
753 (c >= 'A' && c <= 'Z') ||
754 (c == '.' || c == '-') ||
755 (c == '*')))
756 return 0; /* Only LDH, '.' and '*' */
757 }
758if(cp - name != len) /* Guard against internal NULs */
759 return 0;
760return name;
e682570f
TL		 761}
762
880a1e77
JH		 763static char *
764parse_dns_name(const GENERAL_NAME *gn)
e682570f 765{
880a1e77
JH		 766if(gn->type != GEN_DNS)
767 return 0;
768if(ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
769 return 0;
770return check_name((char *) ASN1_STRING_data(gn->d.ia5),
771 ASN1_STRING_length(gn->d.ia5));
e682570f
TL		 772}
773
880a1e77
JH		 774static char *
775parse_subject_name(X509 *cert)
e682570f 776{
880a1e77
JH		 777X509_NAME *name = X509_get_subject_name(cert);
778X509_NAME_ENTRY *entry;
779ASN1_STRING *entry_str;
780unsigned char *namebuf;
781int nid = NID_commonName;
782int len;
783int i;
784
785if(!name || (i = X509_NAME_get_index_by_NID(name, nid, -1)) < 0)
786 return 0;
787if(!(entry = X509_NAME_get_entry(name, i)))
788 return 0;
789if(!(entry_str = X509_NAME_ENTRY_get_data(entry)))
790 return 0;
791
792if((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0)
793 return 0;
794if(len <= 0 || check_name((char *) namebuf, len) == 0)
795 {
796 OPENSSL_free(namebuf);
797 return 0;
798 }
799return (char *) namebuf;
e682570f
TL		 800}
801
880a1e77
JH		 802static int
803name_check(ssl_dane *dane, X509 *cert)
e682570f 804{
880a1e77
JH		 805int matched = 0;
806BOOL got_altname = FALSE;
807GENERAL_NAMES *gens;
808
809gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
810if(gens)
811 {
812 int n = sk_GENERAL_NAME_num(gens);
813 int i;
814
815 for(i = 0; i < n; ++i)
816 {
817 const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
818 const char *certid;
819
820 if(gn->type != GEN_DNS)
821 continue;
822 got_altname = TRUE;
823 certid = parse_dns_name(gn);
824 if(certid && *certid)
825 {
826 if((matched = match_name(certid, dane)) == 0)
827 continue;
828 if(!(dane->mhost = OPENSSL_strdup(certid)))
829 matched = -1;
830 break;
831 }
e682570f 832 }
880a1e77
JH		 833 GENERAL_NAMES_free(gens);
834 }
835
836/*
837 * XXX: Should the subjectName be skipped when *any* altnames are present,
838 * or only when DNS altnames are present?
839 */
840if(got_altname)
841 {
842 char *certid = parse_subject_name(cert);
843 if(certid != 0 && *certid && (matched = match_name(certid, dane)) != 0)
844 dane->mhost = certid; /* Already a copy */
845 }
846return matched;
e682570f
TL		 847}
848
880a1e77
JH		 849static int
850verify_chain(X509_STORE_CTX *ctx)
e682570f 851{
880a1e77
JH		 852dane_selector_list issuer_rrs;
853dane_selector_list leaf_rrs;
854int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
855int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
856SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
857ssl_dane *dane = SSL_get_ex_data(ssl, dane_idx);
858X509 *cert = ctx->cert; /* XXX: accessor? */
859int matched = 0;
860int chain_length = sk_X509_num(ctx->chain);
861
862issuer_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_ISSUER];
863leaf_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_LEAF];
864ctx->verify = dane->verify;
865
866if((matched = name_check(dane, cert)) < 0)
867 {
868 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
869 return 0;
870 }
871
872if(!matched)
873 {
874 ctx->error_depth = 0;
875 ctx->current_cert = cert;
876 X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
877 if(!cb(0, ctx))
878 return 0;
879 }
880matched = 0;
881
882/*
883 * Satisfy at least one usage 0 or 1 constraint, unless we've already
884 * matched a usage 2 trust anchor.
885 *
886 * XXX: internal_verify() doesn't callback with top certs that are not
887 * self-issued. This should be fixed in a future OpenSSL.
888 */
889if(dane->roots && sk_X509_num(dane->roots))
890 {
891#ifndef NO_CALLBACK_WORKAROUND
892 X509 *top = sk_X509_value(ctx->chain, dane->depth);
893
894 if(X509_check_issued(top, top) != X509_V_OK)
895 {
896 ctx->error_depth = dane->depth;
897 ctx->current_cert = top;
898 if(!cb(1, ctx))
899 return 0;
900 }
901#endif
902 /* Pop synthetic trust-anchor ancestors off the chain! */
903 while (--chain_length > dane->depth)
904 X509_free(sk_X509_pop(ctx->chain));
905 }
906else if(issuer_rrs || leaf_rrs)
907 {
908 int n = chain_length;
909
910 /*
911 * Check for an EE match, then a CA match at depths > 0, and
912 * finally, if the EE cert is self-issued, for a depth 0 CA match.
913 */
914 if(leaf_rrs)
915 matched = match(leaf_rrs, cert, 0);
916 while(!matched && issuer_rrs && --n >= 0)
917 {
918 X509 *xn = sk_X509_value(ctx->chain, n);
919
920 if(n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
921 matched = match(issuer_rrs, xn, n);
e682570f
TL		 922 }
923
880a1e77
JH		 924 if(matched < 0)
925 {
926 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
927 return 0;
e682570f 928 }
e682570f 929
880a1e77
JH		 930 if(!matched)
931 {
932 ctx->current_cert = cert;
933 ctx->error_depth = 0;
934 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
935 if(!cb(0, ctx))
936 return 0;
e682570f 937 }
880a1e77 938 }
e682570f 939
880a1e77 940return ctx->verify(ctx);
e682570f
TL		 941}
942
880a1e77
JH		 943static int
944verify_cert(X509_STORE_CTX *ctx, void *unused_ctx)
e682570f 945{
880a1e77
JH		 946static int ssl_idx = -1;
947SSL *ssl;
948ssl_dane *dane;
949int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
950int matched;
951X509 *cert = ctx->cert; /* XXX: accessor? */
952
953if(ssl_idx < 0)
954 ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
955if(dane_idx < 0)
956 {
957 DANEerr(DANE_F_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
958 return -1;
959 }
960
961ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
962if(!(dane = SSL_get_ex_data(ssl, dane_idx)) || !cert)
963 return X509_verify_cert(ctx);
964
965if(dane->selectors[SSL_DANE_USAGE_FIXED_LEAF])
966 {
967 if((matched = check_end_entity(ctx, dane, cert)) > 0)
968 {
969 ctx->error_depth = 0;
970 ctx->current_cert = cert;
971 return cb(1, ctx);
e682570f 972 }
880a1e77
JH		 973 if(matched < 0)
974 {
975 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
976 return -1;
e682570f 977 }
880a1e77 978 }
e682570f 979
880a1e77
JH		 980if(dane->selectors[SSL_DANE_USAGE_TRUSTED_CA])
981 {
982 if((matched = set_trust_anchor(ctx, dane, cert)) < 0)
983 {
984 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
985 return -1;
e682570f 986 }
880a1e77
JH		 987 if(matched)
988 {
e682570f 989 /*
880a1e77
JH		 990 * Check that setting the untrusted chain updates the expected
991 * structure member at the expected offset.
e682570f 992 */
880a1e77
JH		 993 X509_STORE_CTX_trusted_stack(ctx, dane->roots);
994 X509_STORE_CTX_set_chain(ctx, dane->chain);
995 OPENSSL_assert(ctx->untrusted == dane->chain);
996 }
997 }
e682570f 998
880a1e77
JH		 999/*
1000 * Name checks and usage 0/1 constraint enforcement are delayed until
1001 * X509_verify_cert() builds the full chain and calls our verify_chain()
1002 * wrapper.
1003 */
1004dane->verify = ctx->verify;
1005ctx->verify = verify_chain;
1006
1007return X509_verify_cert(ctx);
e682570f
TL		 1008}
1009
880a1e77
JH		 1010static dane_list
1011list_alloc(size_t vsize)
e682570f 1012{
880a1e77
JH		 1013void *value = (void *) OPENSSL_malloc(vsize);
1014dane_list l;
1015
1016if(!value)
1017 {
1018 DANEerr(DANE_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1019 return 0;
1020 }
1021if(!(l = (dane_list) OPENSSL_malloc(sizeof(*l))))
1022 {
1023 OPENSSL_free(value);
1024 DANEerr(DANE_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1025 return 0;
1026 }
1027l->next = 0;
1028l->value = value;
1029return l;
e682570f
TL		 1030}
1031
880a1e77
JH		 1032static void
1033list_free(void *list, void (*f)(void *))
e682570f 1034{
880a1e77
JH		 1035dane_list head;
1036dane_list next;
1037
1038for(head = (dane_list) list; head; head = next)
1039 {
1040 next = head->next;
1041 if (f && head->value)
1042 f(head->value);
1043 OPENSSL_free(head);
1044 }
e682570f
TL		 1045}
1046
880a1e77
JH		 1047static void
1048dane_mtype_free(void *p)
e682570f 1049{
880a1e77
JH		 1050list_free(((dane_mtype) p)->data, OPENSSL_freeFunc);
1051OPENSSL_free(p);
e682570f
TL		 1052}
1053
880a1e77
JH		 1054static void
1055dane_selector_free(void *p)
e682570f 1056{
880a1e77
JH		 1057list_free(((dane_selector) p)->mtype, dane_mtype_free);
1058OPENSSL_free(p);
e682570f
TL		 1059}
1060
946ecbe0
JH		 1061
1062
1063/*
1064
1065Tidy up once the connection is finished with.
1066
1067Arguments
1068 ssl The ssl connection handle
1069
1070=> Before calling SSL_free()
1071tls_close() and tls_getc() [the error path] are the obvious places.
1072Could we do it earlier - right after verification? In tls_client_start()
1073right after SSL_connect() returns, in that case.
1074
1075*/
1076
880a1e77
JH		 1077void
1078DANESSL_cleanup(SSL *ssl)
e682570f 1079{
880a1e77
JH		 1080ssl_dane *dane;
1081int u;
1082
1083if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1084 return;
1085(void) SSL_set_ex_data(ssl, dane_idx, 0);
1086
1087if(dane->hosts)
1088 list_free(dane->hosts, OPENSSL_freeFunc);
1089if(dane->mhost)
1090 OPENSSL_free(dane->mhost);
1091for(u = 0; u <= SSL_DANE_USAGE_LAST; ++u)
1092 if(dane->selectors[u])
1093 list_free(dane->selectors[u], dane_selector_free);
1094if(dane->pkeys)
1095 list_free(dane->pkeys, pkey_free);
1096if(dane->certs)
1097 list_free(dane->certs, cert_free);
1098if(dane->roots)
1099 sk_X509_pop_free(dane->roots, X509_free);
1100if(dane->chain)
1101 sk_X509_pop_free(dane->chain, X509_free);
1102OPENSSL_free(dane);
e682570f
TL		 1103}
1104
880a1e77
JH		 1105static dane_host_list
1106host_list_init(const char **src)
e682570f 1107{
880a1e77
JH		 1108dane_host_list head = NULL;
1109
1110while(*src)
1111 {
1112 dane_host_list elem = (dane_host_list) OPENSSL_malloc(sizeof(*elem));
1113 if(!elem)
1114 {
1115 list_free(head, OPENSSL_freeFunc);
1116 return 0;
e682570f 1117 }
880a1e77
JH		 1118 elem->value = OPENSSL_strdup(*src++);
1119 LINSERT(head, elem);
1120 }
1121return head;
e682570f
TL		 1122}
1123
946ecbe0
JH		 1124
1125
1126
1127/*
1128
1129Call this for each TLSA record found for the target, after the
1130DANE setup has been done on the ssl connection handle.
1131
1132Arguments:
1133 ssl Connection handle
1134 usage TLSA record field
1135 selector TLSA record field
1136 mdname ??? message digest name?
1137 data ??? TLSA record megalump?
1138 dlen length of data
1139
1140Return
1141 -1 on error
1142 0 action not taken
1143 1 record accepted
1144*/
1145
880a1e77
JH		 1146int
1147DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
1148 unsigned const char *data, size_t dlen)
e682570f 1149{
880a1e77
JH		 1150ssl_dane *dane;
1151dane_selector_list s = 0;
1152dane_mtype_list m = 0;
1153dane_data_list d = 0;
1154dane_cert_list xlist = 0;
1155dane_pkey_list klist = 0;
1156const EVP_MD *md = 0;
1157
1158if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1159 {
1160 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_DANE_INIT);
1161 return -1;
1162 }
1163
1164if(usage > SSL_DANE_USAGE_LAST)
1165 {
1166 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_USAGE);
1167 return 0;
1168 }
1169if(selector > SSL_DANE_SELECTOR_LAST)
1170 {
1171 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_SELECTOR);
1172 return 0;
1173 }
1174if(mdname && !(md = EVP_get_digestbyname(mdname)))
1175 {
1176 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_DIGEST);
1177 return 0;
1178 }
1179if(!data)
1180 {
1181 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_NULL_DATA);
1182 return 0;
1183 }
1184if(mdname && dlen != EVP_MD_size(md))
1185 {
1186 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_DATA_LENGTH);
1187 return 0;
1188 }
1189
1190if(!mdname)
1191 {
1192 X509 *x = 0;
1193 EVP_PKEY *k = 0;
1194 const unsigned char *p = data;
e682570f
TL		 1195
1196#define xklistinit(lvar, ltype, var, freeFunc) do { \
880a1e77
JH		 1197 (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
1198 if (!(lvar)) { \
1199 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, ERR_R_MALLOC_FAILURE); \
1200 freeFunc((var)); \
1201 return 0; \
1202 } \
1203 (lvar)->next = 0; \
1204 lvar->value = var; \
1205 } while (0)
e682570f 1206#define xkfreeret(ret) do { \
880a1e77
JH		 1207 if (xlist) list_free(xlist, cert_free); \
1208 if (klist) list_free(klist, pkey_free); \
1209 return (ret); \
1210 } while (0)
1211
1212 switch(selector)
1213 {
1214 case SSL_DANE_SELECTOR_CERT:
1215 if(!d2i_X509(&x, &p, dlen) || dlen != p - data)
1216 {
1217 if (x)
1218 X509_free(x);
1219 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_CERT);
1220 return 0;
1221 }
1222 k = X509_get_pubkey(x);
1223 EVP_PKEY_free(k);
1224 if(!k)
1225 {
1226 X509_free(x);
1227 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_CERT_PKEY);
1228 return 0;
1229 }
1230 if(usage == SSL_DANE_USAGE_TRUSTED_CA)
1231 xklistinit(xlist, dane_cert_list, x, X509_free);
1232 break;
1233
1234 case SSL_DANE_SELECTOR_SPKI:
1235 if(!d2i_PUBKEY(&k, &p, dlen) || dlen != p - data)
1236 {
1237 if(k)
1238 EVP_PKEY_free(k);
1239 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_PKEY);
1240 return 0;
1241 }
1242 if(usage == SSL_DANE_USAGE_TRUSTED_CA)
1243 xklistinit(klist, dane_pkey_list, k, EVP_PKEY_free);
1244 break;
e682570f 1245 }
880a1e77
JH		 1246 }
1247
1248/* Find insertion point and don't add duplicate elements. */
1249for(s = dane->selectors[usage]; s; s = s->next)
1250 if(s->value->selector == selector)
1251 for(m = s->value->mtype; m; m = m->next)
1252 if(m->value->md == md)
1253 for(d = m->value->data; d; d = d->next)
1254 if( d->value->datalen == dlen
1255 && memcmp(d->value->data, data, dlen) == 0)
1256 xkfreeret(1);
1257
1258if(!(d = (dane_data_list) list_alloc(sizeof(*d->value) + dlen)))
1259 xkfreeret(0);
1260d->value->datalen = dlen;
1261memcpy(d->value->data, data, dlen);
1262if(!m)
1263 {
1264 if(!(m = (dane_mtype_list) list_alloc(sizeof(*m->value))))
1265 {
1266 list_free(d, OPENSSL_freeFunc);
1267 xkfreeret(0);
e682570f 1268 }
880a1e77
JH		 1269 m->value->data = 0;
1270 if((m->value->md = md) != 0)
1271 m->value->mdlen = dlen;
1272 if(!s)
1273 {
1274 if(!(s = (dane_selector_list) list_alloc(sizeof(*s->value))))
1275 {
1276 list_free(m, dane_mtype_free);
1277 xkfreeret(0);
1278 }
1279 s->value->mtype = 0;
1280 s->value->selector = selector;
1281 LINSERT(dane->selectors[usage], s);
1282 }
1283 LINSERT(s->value->mtype, m);
1284 }
1285LINSERT(m->value->data, d);
1286
1287if(xlist)
1288 LINSERT(dane->certs, xlist);
1289else if(klist)
1290 LINSERT(dane->pkeys, klist);
1291++dane->count;
1292return 1;
e682570f
TL		 1293}
1294
946ecbe0
JH		 1295
1296
1297
1298/*
1299Call this once we have an ssl connection handle but before
1300making the TLS connection.
1301
1302=> In tls_client_start() after the call to SSL_new()
1303and before the call to SSL_connect(). Exactly where
1304probably does not matter.
1305We probably want to keep our existing SNI handling;
1306call this with NULL.
1307
1308Arguments:
1309 ssl Connection handle
1310 sni_domain Optional peer server name
1311 hostnames ?? list of names - but what names?
1312
1313Return
1314 -1 on fatal error
1315 0 nonfatal error
1316 1 success
1317*/
1318
880a1e77
JH		 1319int
1320DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
e682570f 1321{
880a1e77
JH		 1322ssl_dane *dane;
1323int i;
e682570f 1324#ifdef OPENSSL_INTERNAL
880a1e77 1325SSL_CTX *sctx = SSL_get_SSL_CTX(ssl);
e682570f 1326
880a1e77
JH		 1327if(sctx->app_verify_callback != verify_cert)
1328 {
1329 DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_SCTX_INIT);
1330 return -1;
1331 }
e682570f 1332#else
880a1e77
JH		 1333if(dane_idx < 0)
1334 {
1335 DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_LIBRARY_INIT);
1336 return -1;
1337 }
e682570f
TL		 1338#endif
1339
880a1e77
JH		 1340if(sni_domain && !SSL_set_tlsext_host_name(ssl, sni_domain))
1341 return 0;
e682570f 1342
880a1e77
JH		 1343if(!(dane = (ssl_dane *) OPENSSL_malloc(sizeof(ssl_dane))))
1344 {
1345 DANEerr(DANE_F_SSL_DANE_INIT, ERR_R_MALLOC_FAILURE);
1346 return 0;
1347 }
1348if(!SSL_set_ex_data(ssl, dane_idx, dane))
1349 {
1350 DANEerr(DANE_F_SSL_DANE_INIT, ERR_R_MALLOC_FAILURE);
1351 OPENSSL_free(dane);
1352 return 0;
1353 }
1354
1355dane->pkeys = 0;
1356dane->certs = 0;
1357dane->chain = 0;
1358dane->roots = 0;
1359dane->depth = -1;
1360dane->mhost = 0; /* Future SSL control interface */
1361dane->multi = 0; /* Future SSL control interface */
1362dane->count = 0;
1363
1364for(i = 0; i <= SSL_DANE_USAGE_LAST; ++i)
1365 dane->selectors[i] = 0;
1366
1367if(hostnames && !(dane->hosts = host_list_init(hostnames)))
1368 {
1369 DANEerr(DANE_F_SSL_DANE_INIT, ERR_R_MALLOC_FAILURE);
1370 DANESSL_cleanup(ssl);
1371 return 0;
1372 }
1373
1374return 1;
e682570f
TL		 1375}
1376
946ecbe0
JH		 1377
1378/*
1379
1380Call this once we have a context to work with, but
1381before DANESSL_init()
1382
1383=> in tls_client_start(), after tls_init() call gives us the ctx,
1384if we decide we want to (policy) and can (TLSA records available)
1385replacing (? what about fallback) everything from testing tls_verify_hosts
1386down to just before calling SSL_new() for the conn handle.
1387
1388Arguments
1389 ctx SSL context
1390
1391Return
1392 -1 Error
1393 1 Success
1394*/
1395
880a1e77
JH		 1396int
1397DANESSL_CTX_init(SSL_CTX *ctx)
e682570f 1398{
880a1e77
JH		 1399if(dane_idx >= 0)
1400 {
1401 SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
1402 return 1;
1403 }
1404DANEerr(DANE_F_SSL_CTX_DANE_INIT, DANE_R_LIBRARY_INIT);
1405return -1;
e682570f
TL		 1406}
1407
880a1e77
JH		 1408static int
1409init_once(volatile int *value, int (*init)(void), void (*postinit)(void))
e682570f 1410{
880a1e77
JH		 1411int wlock = 0;
1412
1413CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
1414if(*value < 0)
1415 {
1416 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1417 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1418 wlock = 1;
1419 if(*value < 0)
1420 {
1421 *value = init();
1422 if(postinit)
1423 postinit();
e682570f 1424 }
880a1e77
JH		 1425 }
1426if (wlock)
1427 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1428else
1429 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1430return *value;
e682570f
TL		 1431}
1432
880a1e77
JH		 1433static void
1434dane_init(void)
e682570f 1435{
880a1e77
JH		 1436/*
1437 * Store library id in zeroth function slot, used to locate the library
1438 * name. This must be done before we load the error strings.
1439 */
e682570f 1440#ifndef OPENSSL_NO_ERR
880a1e77
JH		 1441dane_str_functs[0].error |= ERR_PACK(err_lib_dane, 0, 0);
1442ERR_load_strings(err_lib_dane, dane_str_functs);
1443ERR_load_strings(err_lib_dane, dane_str_reasons);
e682570f
TL		 1444#endif
1445
880a1e77
JH		 1446/*
1447 * Register SHA-2 digests, if implemented and not already registered.
1448 */
e682570f 1449#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
880a1e77
JH		 1450if(!EVP_get_digestbyname(LN_sha224)) EVP_add_digest(EVP_sha224());
1451if(!EVP_get_digestbyname(LN_sha256)) EVP_add_digest(EVP_sha256());
e682570f
TL		 1452#endif
1453#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
880a1e77
JH		 1454if(!EVP_get_digestbyname(LN_sha384)) EVP_add_digest(EVP_sha384());
1455if(!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
e682570f
TL		 1456#endif
1457
880a1e77
JH		 1458/*
1459 * Register an SSL index for the connection-specific ssl_dane structure.
1460 * Using a separate index makes it possible to add DANE support to
1461 * existing OpenSSL releases that don't have a suitable pointer in the
1462 * SSL structure.
1463 */
1464dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
e682570f
TL		 1465}
1466
946ecbe0
JH		 1467
1468
1469/*
1470
1471Call this once. Probably early in startup will do; may need
1472to be after SSL library init.
1473
1474*/
1475
880a1e77
JH		 1476int
1477DANESSL_library_init(void)
e682570f 1478{
880a1e77
JH		 1479if(err_lib_dane < 0)
1480 init_once(&err_lib_dane, ERR_get_next_error_library, dane_init);
e682570f
TL		 1481
1482#if defined(LN_sha256)
880a1e77
JH		 1483/* No DANE without SHA256 support */
1484if(dane_idx >= 0 && EVP_get_digestbyname(LN_sha256) != 0)
1485 return 1;
e682570f 1486#endif
880a1e77
JH		 1487
1488DANEerr(DANE_F_SSL_DANE_LIBRARY_INIT, DANE_R_DANE_SUPPORT);
1489return 0;
e682570f
TL		 1490}
1491
946ecbe0 1492
e682570f 1493#endif /* OPENSSL_VERSION_NUMBER */
880a1e77
JH		 1494/* vi: aw ai sw=2
1495*/
Unnamed repository; edit this file 'description' to name the repository.