projects / exim.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
fixes
[exim.git] / src / src / dane-openssl.c
... / ...
CommitLineData
1/*
2 * Author: Viktor Dukhovni
3 * License: THIS CODE IS IN THE PUBLIC DOMAIN.
4 *
5 * Copyright (c) The Exim Maintainers 2014 - 2019
6 */
7#include <stdio.h>
8#include <string.h>
9#include <stdint.h>
10
11#include <openssl/opensslv.h>
12#include <openssl/err.h>
13#include <openssl/crypto.h>
14#include <openssl/safestack.h>
15#include <openssl/objects.h>
16#include <openssl/x509.h>
17#include <openssl/x509v3.h>
18#include <openssl/evp.h>
19#include <openssl/bn.h>
20
21#if OPENSSL_VERSION_NUMBER < 0x1000000fL
22# error "OpenSSL 1.0.0 or higher required"
23#endif
24
25#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
26# define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
27#endif
28
29/* LibreSSL 2.9.0 and later - 2.9.0 has removed a number of macros ... */
30#ifdef LIBRESSL_VERSION_NUMBER
31# if LIBRESSL_VERSION_NUMBER >= 0x2090000fL
32# define EXIM_HAVE_ASN1_MACROS
33# endif
34#endif
35/* OpenSSL */
36#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
37# define EXIM_HAVE_ASN1_MACROS
38# define EXIM_OPAQUE_X509
39/* Older OpenSSL and all LibreSSL */
40#else
41# define X509_STORE_CTX_get_verify(ctx) (ctx)->verify
42# define X509_STORE_CTX_get_verify_cb(ctx) (ctx)->verify_cb
43# define X509_STORE_CTX_get0_cert(ctx) (ctx)->cert
44# define X509_STORE_CTX_get0_chain(ctx) (ctx)->chain
45# define X509_STORE_CTX_get0_untrusted(ctx) (ctx)->untrusted
46
47# define X509_STORE_CTX_set_verify(ctx, verify_chain) (ctx)->verify = (verify_chain)
48# define X509_STORE_CTX_set0_verified_chain(ctx, sk) (ctx)->chain = (sk)
49# define X509_STORE_CTX_set_error_depth(ctx, val) (ctx)->error_depth = (val)
50# define X509_STORE_CTX_set_current_cert(ctx, cert) (ctx)->current_cert = (cert)
51
52# define ASN1_STRING_get0_data ASN1_STRING_data
53# define X509_getm_notBefore X509_get_notBefore
54# define X509_getm_notAfter X509_get_notAfter
55
56# define CRYPTO_ONCE_STATIC_INIT 0
57# define CRYPTO_THREAD_run_once run_once
58typedef int CRYPTO_ONCE;
59#endif
60
61
62#include "danessl.h"
63
64#define DANESSL_F_ADD_SKID 100
65#define DANESSL_F_ADD_TLSA 101
66#define DANESSL_F_CHECK_END_ENTITY 102
67#define DANESSL_F_CTX_INIT 103
68#define DANESSL_F_GROW_CHAIN 104
69#define DANESSL_F_INIT 105
70#define DANESSL_F_LIBRARY_INIT 106
71#define DANESSL_F_LIST_ALLOC 107
72#define DANESSL_F_MATCH 108
73#define DANESSL_F_PUSH_EXT 109
74#define DANESSL_F_SET_TRUST_ANCHOR 110
75#define DANESSL_F_VERIFY_CERT 111
76#define DANESSL_F_WRAP_CERT 112
77#define DANESSL_F_DANESSL_VERIFY_CHAIN 113
78
79#define DANESSL_R_BAD_CERT 100
80#define DANESSL_R_BAD_CERT_PKEY 101
81#define DANESSL_R_BAD_DATA_LENGTH 102
82#define DANESSL_R_BAD_DIGEST 103
83#define DANESSL_R_BAD_NULL_DATA 104
84#define DANESSL_R_BAD_PKEY 105
85#define DANESSL_R_BAD_SELECTOR 106
86#define DANESSL_R_BAD_USAGE 107
87#define DANESSL_R_INIT 108
88#define DANESSL_R_LIBRARY_INIT 109
89#define DANESSL_R_NOSIGN_KEY 110
90#define DANESSL_R_SCTX_INIT 111
91#define DANESSL_R_SUPPORT 112
92
93#ifndef OPENSSL_NO_ERR
94#define DANESSL_F_PLACEHOLDER 0 /* FIRST! Value TBD */
95static ERR_STRING_DATA dane_str_functs[] = {
96 /* error string */
97 {DANESSL_F_PLACEHOLDER, "DANE library"}, /* FIRST!!! */
98 {DANESSL_F_ADD_SKID, "add_skid"},
99 {DANESSL_F_ADD_TLSA, "DANESSL_add_tlsa"},
100 {DANESSL_F_CHECK_END_ENTITY, "check_end_entity"},
101 {DANESSL_F_CTX_INIT, "DANESSL_CTX_init"},
102 {DANESSL_F_GROW_CHAIN, "grow_chain"},
103 {DANESSL_F_INIT, "DANESSL_init"},
104 {DANESSL_F_LIBRARY_INIT, "DANESSL_library_init"},
105 {DANESSL_F_LIST_ALLOC, "list_alloc"},
106 {DANESSL_F_MATCH, "match"},
107 {DANESSL_F_PUSH_EXT, "push_ext"},
108 {DANESSL_F_SET_TRUST_ANCHOR, "set_trust_anchor"},
109 {DANESSL_F_VERIFY_CERT, "verify_cert"},
110 {DANESSL_F_WRAP_CERT, "wrap_cert"},
111 {0, NULL}
112};
113static ERR_STRING_DATA dane_str_reasons[] = {
114 /* error string */
115 {DANESSL_R_BAD_CERT, "Bad TLSA record certificate"},
116 {DANESSL_R_BAD_CERT_PKEY, "Bad TLSA record certificate public key"},
117 {DANESSL_R_BAD_DATA_LENGTH, "Bad TLSA record digest length"},
118 {DANESSL_R_BAD_DIGEST, "Bad TLSA record digest"},
119 {DANESSL_R_BAD_NULL_DATA, "Bad TLSA record null data"},
120 {DANESSL_R_BAD_PKEY, "Bad TLSA record public key"},
121 {DANESSL_R_BAD_SELECTOR, "Bad TLSA record selector"},
122 {DANESSL_R_BAD_USAGE, "Bad TLSA record usage"},
123 {DANESSL_R_INIT, "DANESSL_init() required"},
124 {DANESSL_R_LIBRARY_INIT, "DANESSL_library_init() required"},
125 {DANESSL_R_NOSIGN_KEY, "Certificate usage 2 requires EC support"},
126 {DANESSL_R_SCTX_INIT, "DANESSL_CTX_init() required"},
127 {DANESSL_R_SUPPORT, "DANE library features not supported"},
128 {0, NULL}
129};
130#endif
131
132#define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FUNCTION__, __LINE__)
133
134static int err_lib_dane = -1;
135static int dane_idx = -1;
136
137#ifdef X509_V_FLAG_PARTIAL_CHAIN /* OpenSSL >= 1.0.2 */
138static int wrap_to_root = 0;
139#else
140static int wrap_to_root = 1;
141#endif
142
143static void (*cert_free)(void *) = (void (*)(void *)) X509_free;
144static void (*pkey_free)(void *) = (void (*)(void *)) EVP_PKEY_free;
145
146typedef struct dane_list
147{
148 struct dane_list *next;
149 void *value;
150} *dane_list;
151
152#define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0)
153
154typedef struct dane_host_list
155{
156 struct dane_host_list *next;
157 char *value;
158} *dane_host_list;
159
160typedef struct dane_data
161{
162 size_t datalen;
163 unsigned char data[0];
164} *dane_data;
165
166typedef struct dane_data_list
167{
168 struct dane_data_list *next;
169 dane_data value;
170} *dane_data_list;
171
172typedef struct dane_mtype
173{
174 int mdlen;
175 const EVP_MD *md;
176 dane_data_list data;
177} *dane_mtype;
178
179typedef struct dane_mtype_list
180{
181 struct dane_mtype_list *next;
182 dane_mtype value;
183} *dane_mtype_list;
184
185typedef struct dane_selector
186{
187 uint8_t selector;
188 dane_mtype_list mtype;
189} *dane_selector;
190
191typedef struct dane_selector_list
192{
193 struct dane_selector_list *next;
194 dane_selector value;
195} *dane_selector_list;
196
197typedef struct dane_pkey_list
198{
199 struct dane_pkey_list *next;
200 EVP_PKEY *value;
201} *dane_pkey_list;
202
203typedef struct dane_cert_list
204{
205 struct dane_cert_list *next;
206 X509 *value;
207} *dane_cert_list;
208
209typedef struct ssl_dane
210{
211 int (*verify)(X509_STORE_CTX *);
212 STACK_OF(X509) *roots;
213 STACK_OF(X509) *chain;
214 X509 *match; /* Matched cert */
215 const char *thost; /* TLSA base domain */
216 char *mhost; /* Matched peer name */
217 dane_pkey_list pkeys;
218 dane_cert_list certs;
219 dane_host_list hosts;
220 dane_selector_list selectors[DANESSL_USAGE_LAST + 1];
221 int depth;
222 int mdpth; /* Depth of matched cert */
223 int multi; /* Multi-label wildcards? */
224 int count; /* Number of TLSA records */
225} ssl_dane;
226
227#ifndef X509_V_ERR_HOSTNAME_MISMATCH
228# define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION
229#endif
230
231
232
233static int
234match(dane_selector_list slist, X509 *cert, int depth)
235{
236int matched;
237
238/*
239 * Note, set_trust_anchor() needs to know whether the match was for a
240 * pkey digest or a certificate digest. We return MATCHED_PKEY or
241 * MATCHED_CERT accordingly.
242 */
243#define MATCHED_CERT (DANESSL_SELECTOR_CERT + 1)
244#define MATCHED_PKEY (DANESSL_SELECTOR_SPKI + 1)
245
246/*
247 * Loop over each selector, mtype, and associated data element looking
248 * for a match.
249 */
250for (matched = 0; !matched && slist; slist = slist->next)
251 {
252 unsigned char mdbuf[EVP_MAX_MD_SIZE];
253 unsigned char *buf = NULL;
254 unsigned char *buf2;
255 unsigned int len = 0;
256
257 /*
258 * Extract ASN.1 DER form of certificate or public key.
259 */
260 switch(slist->value->selector)
261 {
262 case DANESSL_SELECTOR_CERT:
263 len = i2d_X509(cert, NULL);
264 buf2 = buf = US OPENSSL_malloc(len);
265 if(buf) i2d_X509(cert, &buf2);
266 break;
267 case DANESSL_SELECTOR_SPKI:
268 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
269 buf2 = buf = US OPENSSL_malloc(len);
270 if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2);
271 break;
272 }
273
274 if (!buf)
275 {
276 DANEerr(DANESSL_F_MATCH, ERR_R_MALLOC_FAILURE);
277 return 0;
278 }
279 OPENSSL_assert(buf2 - buf == len);
280
281 /*
282 * Loop over each mtype and data element
283 */
284 for (dane_mtype_list m = slist->value->mtype; !matched && m; m = m->next)
285 {
286 unsigned char *cmpbuf = buf;
287 unsigned int cmplen = len;
288
289 /*
290 * If it is a digest, compute the corresponding digest of the
291 * DER data for comparison, otherwise, use the full object.
292 */
293 if (m->value->md)
294 {
295 cmpbuf = mdbuf;
296 if (!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
297 matched = -1;
298 }
299 for (dane_data_list d = m->value->data; !matched && d; d = d->next)
300 if ( cmplen == d->value->datalen
301 && memcmp(cmpbuf, d->value->data, cmplen) == 0)
302 matched = slist->value->selector + 1;
303 }
304
305 OPENSSL_free(buf);
306 }
307
308return matched;
309}
310
311static int
312push_ext(X509 *cert, X509_EXTENSION *ext)
313{
314if (ext)
315 {
316 if (X509_add_ext(cert, ext, -1))
317 return 1;
318 X509_EXTENSION_free(ext);
319 }
320DANEerr(DANESSL_F_PUSH_EXT, ERR_R_MALLOC_FAILURE);
321return 0;
322}
323
324static int
325add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
326{
327X509V3_CTX v3ctx;
328
329X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
330return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
331}
332
333static int
334set_serial(X509 *cert, AUTHORITY_KEYID *akid, X509 *subject)
335{
336int ret = 0;
337BIGNUM *bn;
338
339if (akid && akid->serial)
340 return (X509_set_serialNumber(cert, akid->serial));
341
342/*
343 * Add one to subject's serial to avoid collisions between TA serial and
344 * serial of signing root.
345 */
346if ( (bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(subject), 0)) != 0
347 && BN_add_word(bn, 1)
348 && BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(cert)))
349 ret = 1;
350
351if (bn)
352 BN_free(bn);
353return ret;
354}
355
356static int
357add_akid(X509 *cert, AUTHORITY_KEYID *akid)
358{
359int nid = NID_authority_key_identifier;
360ASN1_OCTET_STRING *id;
361unsigned char c = 0;
362int ret = 0;
363
364/*
365 * 0 will never be our subject keyid from a SHA-1 hash, but it could be
366 * our subject keyid if forced from child's akid. If so, set our
367 * authority keyid to 1. This way we are never self-signed, and thus
368 * exempt from any potential (off by default for now in OpenSSL)
369 * self-signature checks!
370 */
371id = akid && akid->keyid ? akid->keyid : 0;
372if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_get0_data(id) == c)
373 c = 1;
374
375if ( (akid = AUTHORITY_KEYID_new()) != 0
376 && (akid->keyid = ASN1_OCTET_STRING_new()) != 0
377#ifdef EXIM_HAVE_ASN1_MACROS
378 && ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
379#else
380 && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
381#endif
382 && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_APPEND))
383 ret = 1;
384if (akid)
385 AUTHORITY_KEYID_free(akid);
386return ret;
387}
388
389static int
390add_skid(X509 *cert, AUTHORITY_KEYID *akid)
391{
392int nid = NID_subject_key_identifier;
393
394if (!akid || !akid->keyid)
395 return add_ext(0, cert, nid, "hash");
396return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_APPEND) > 0;
397}
398
399static X509_NAME *
400akid_issuer_name(AUTHORITY_KEYID *akid)
401{
402if (akid && akid->issuer)
403 {
404 GENERAL_NAMES *gens = akid->issuer;
405
406 for (int i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
407 {
408 GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
409
410 if (gn->type == GEN_DIRNAME)
411 return (gn->d.dirn);
412 }
413 }
414return 0;
415}
416
417static int
418set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid, X509_NAME *subj)
419{
420X509_NAME *name = akid_issuer_name(akid);
421
422/*
423 * If subject's akid specifies an authority key identifier issuer name, we
424 * must use that.
425 */
426return X509_set_issuer_name(cert,
427 name ? name : subj);
428}
429
430static int
431grow_chain(ssl_dane *dane, int trusted, X509 *cert)
432{
433STACK_OF(X509) **xs = trusted ? &dane->roots : &dane->chain;
434static ASN1_OBJECT *serverAuth = 0;
435
436#define UNTRUSTED 0
437#define TRUSTED 1
438
439if ( trusted && !serverAuth
440 && !(serverAuth = OBJ_nid2obj(NID_server_auth)))
441 {
442 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
443 return 0;
444 }
445if (!*xs && !(*xs = sk_X509_new_null()))
446 {
447 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
448 return 0;
449 }
450
451if (cert)
452 {
453 if (trusted && !X509_add1_trust_object(cert, serverAuth))
454 return 0;
455#ifdef EXIM_OPAQUE_X509
456 X509_up_ref(cert);
457#else
458 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
459#endif
460 if (!sk_X509_push(*xs, cert))
461 {
462 X509_free(cert);
463 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
464 return 0;
465 }
466 }
467return 1;
468}
469
470static int
471wrap_issuer(ssl_dane *dane, EVP_PKEY *key, X509 *subject, int depth, int top)
472{
473int ret = 1;
474X509 *cert = 0;
475AUTHORITY_KEYID *akid;
476X509_NAME *name = X509_get_issuer_name(subject);
477EVP_PKEY *newkey = key ? key : X509_get_pubkey(subject);
478
479#define WRAP_MID 0 /* Ensure intermediate. */
480#define WRAP_TOP 1 /* Ensure self-signed. */
481
482if (!name || !newkey || !(cert = X509_new()))
483 return 0;
484
485/*
486 * Record the depth of the trust-anchor certificate.
487 */
488if (dane->depth < 0)
489 dane->depth = depth + 1;
490
491/*
492 * XXX: Uncaught error condition:
493 *
494 * The return value is NULL both when the extension is missing, and when
495 * OpenSSL rans out of memory while parsing the extension.
496 */
497ERR_clear_error();
498akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
499/* XXX: Should we peek at the error stack here??? */
500
501/*
502 * If top is true generate a self-issued root CA, otherwise an
503 * intermediate CA and possibly its self-signed issuer.
504 *
505 * CA cert valid for +/- 30 days
506 */
507if ( !X509_set_version(cert, 2)
508 || !set_serial(cert, akid, subject)
509 || !set_issuer_name(cert, akid, name)
510 || !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L)
511 || !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L)
512 || !X509_set_subject_name(cert, name)
513 || !X509_set_pubkey(cert, newkey)
514 || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
515 || (!top && !add_akid(cert, akid))
516 || !add_skid(cert, akid)
517 || ( !top && wrap_to_root
518 && !wrap_issuer(dane, newkey, cert, depth, WRAP_TOP)))
519 ret = 0;
520
521if (akid)
522 AUTHORITY_KEYID_free(akid);
523if (!key)
524 EVP_PKEY_free(newkey);
525if (ret)
526 ret = grow_chain(dane, !top && wrap_to_root ? UNTRUSTED : TRUSTED, cert);
527if (cert)
528 X509_free(cert);
529return ret;
530}
531
532static int
533wrap_cert(ssl_dane *dane, X509 *tacert, int depth)
534{
535if (dane->depth < 0)
536 dane->depth = depth + 1;
537
538/*
539 * If the TA certificate is self-issued, or need not be, use it directly.
540 * Otherwise, synthesize requisite ancestors.
541 */
542if ( !wrap_to_root
543 || X509_check_issued(tacert, tacert) == X509_V_OK)
544 return grow_chain(dane, TRUSTED, tacert);
545
546if (wrap_issuer(dane, 0, tacert, depth, WRAP_MID))
547 return grow_chain(dane, UNTRUSTED, tacert);
548return 0;
549}
550
551static int
552ta_signed(ssl_dane *dane, X509 *cert, int depth)
553{
554EVP_PKEY *pk;
555int done = 0;
556
557/*
558 * First check whether issued and signed by a TA cert, this is cheaper
559 * than the bare-public key checks below, since we can determine whether
560 * the candidate TA certificate issued the certificate to be checked
561 * first (name comparisons), before we bother with signature checks
562 * (public key operations).
563 */
564for (dane_cert_list x = dane->certs; !done && x; x = x->next)
565 {
566 if (X509_check_issued(x->value, cert) == X509_V_OK)
567 {
568 if (!(pk = X509_get_pubkey(x->value)))
569 {
570 /*
571 * The cert originally contained a valid pkey, which does
572 * not just vanish, so this is most likely a memory error.
573 */
574 done = -1;
575 break;
576 }
577 /* Check signature, since some other TA may work if not this. */
578 if (X509_verify(cert, pk) > 0)
579 done = wrap_cert(dane, x->value, depth) ? 1 : -1;
580 EVP_PKEY_free(pk);
581 }
582 }
583
584/*
585 * With bare TA public keys, we can't check whether the trust chain is
586 * issued by the key, but we can determine whether it is signed by the
587 * key, so we go with that.
588 *
589 * Ideally, the corresponding certificate was presented in the chain, and we
590 * matched it by its public key digest one level up. This code is here
591 * to handle adverse conditions imposed by sloppy administrators of
592 * receiving systems with poorly constructed chains.
593 *
594 * We'd like to optimize out keys that should not match when the cert's
595 * authority key id does not match the key id of this key computed via
596 * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans
597 * ASN1 tag and length thus also excluding the unused bits field that is
598 * logically part of the length). However, some CAs have a non-standard
599 * authority keyid, so we lose. Too bad.
600 *
601 * This may push errors onto the stack when the certificate signature is
602 * not of the right type or length, throw these away,
603 */
604for (dane_pkey_list k = dane->pkeys; !done && k; k = k->next)
605 if (X509_verify(cert, k->value) > 0)
606 done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
607 else
608 ERR_clear_error();
609
610return done;
611}
612
613static int
614set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
615{
616int matched = 0;
617int depth = 0;
618EVP_PKEY *takey;
619X509 *ca;
620STACK_OF(X509) *in = X509_STORE_CTX_get0_untrusted(ctx);
621
622if (!grow_chain(dane, UNTRUSTED, 0))
623 return -1;
624
625/*
626 * Accept a degenerate case: depth 0 self-signed trust-anchor.
627 */
628if (X509_check_issued(cert, cert) == X509_V_OK)
629 {
630 dane->depth = 0;
631 matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], cert, 0);
632 if (matched > 0 && !grow_chain(dane, TRUSTED, cert))
633 matched = -1;
634 return matched;
635 }
636
637/* Make a shallow copy of the input untrusted chain. */
638if (!(in = sk_X509_dup(in)))
639 {
640 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
641 return -1;
642 }
643
644/*
645 * At each iteration we consume the issuer of the current cert. This
646 * reduces the length of the "in" chain by one. If no issuer is found,
647 * we are done. We also stop when a certificate matches a TA in the
648 * peer's TLSA RRset.
649 *
650 * Caller ensures that the initial certificate is not self-signed.
651 */
652for (int n = sk_X509_num(in); n > 0; --n, ++depth)
653 {
654 int i;
655 for (i = 0; i < n; ++i)
656 if (X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
657 break;
658
659 /*
660 * Final untrusted element with no issuer in the peer's chain, it may
661 * however be signed by a pkey or cert obtained via a TLSA RR.
662 */
663 if (i == n)
664 break;
665
666 /* Peer's chain contains an issuer ca. */
667 ca = sk_X509_delete(in, i);
668
669 /* If not a trust anchor, record untrusted ca and continue. */
670 if ((matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], ca,
671 depth + 1)) == 0)
672 {
673 if (grow_chain(dane, UNTRUSTED, ca))
674 {
675 if (X509_check_issued(ca, ca) != X509_V_OK)
676 {
677 /* Restart with issuer as subject */
678 cert = ca;
679 continue;
680 }
681 /* Final self-signed element, skip ta_signed() check. */
682 cert = 0;
683 }
684 else
685 matched = -1;
686 }
687 else if(matched == MATCHED_CERT)
688 {
689 if(!wrap_cert(dane, ca, depth))
690 matched = -1;
691 }
692 else if(matched == MATCHED_PKEY)
693 {
694 if ( !(takey = X509_get_pubkey(ca))
695 || !wrap_issuer(dane, takey, cert, depth, WRAP_MID))
696 {
697 if (takey)
698 EVP_PKEY_free(takey);
699 else
700 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
701 matched = -1;
702 }
703 }
704 break;
705 }
706
707/* Shallow free the duplicated input untrusted chain. */
708sk_X509_free(in);
709
710/*
711 * When the loop exits, if "cert" is set, it is not self-signed and has
712 * no issuer in the chain, we check for a possible signature via a DNS
713 * obtained TA cert or public key.
714 */
715if (matched == 0 && cert)
716 matched = ta_signed(dane, cert, depth);
717
718return matched;
719}
720
721static int
722check_end_entity(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
723{
724int matched;
725
726matched = match(dane->selectors[DANESSL_USAGE_DANE_EE], cert, 0);
727if (matched > 0)
728 {
729 dane->mdpth = 0;
730 dane->match = cert;
731 X509_up_ref(cert);
732 if(!X509_STORE_CTX_get0_chain(ctx))
733 {
734 STACK_OF(X509) * sk = sk_X509_new_null();
735 if (sk && sk_X509_push(sk, cert))
736 {
737 X509_up_ref(cert);
738 X509_STORE_CTX_set0_verified_chain(ctx, sk);
739 }
740 else
741 {
742 if (sk) sk_X509_free(sk);
743 DANEerr(DANESSL_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE);
744 return -1;
745 }
746 }
747 }
748return matched;
749}
750
751static int
752match_name(const char *certid, ssl_dane *dane)
753{
754int multi = dane->multi;
755
756for (dane_host_list hosts = dane->hosts; hosts; hosts = hosts->next)
757 {
758 int match_subdomain = 0;
759 const char *domain = hosts->value;
760 const char *parent;
761 int idlen;
762 int domlen;
763
764 if (*domain == '.' && domain[1] != '\0')
765 {
766 ++domain;
767 match_subdomain = 1;
768 }
769
770 /*
771 * Sub-domain match: certid is any sub-domain of hostname.
772 */
773 if(match_subdomain)
774 {
775 if ( (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1
776 && certid[idlen - domlen - 1] == '.'
777 && !strcasecmp(certid + (idlen - domlen), domain))
778 return 1;
779 else
780 continue;
781 }
782
783 /*
784 * Exact match and initial "*" match. The initial "*" in a certid
785 * matches one (if multi is false) or more hostname components under
786 * the condition that the certid contains multiple hostname components.
787 */
788 if ( !strcasecmp(certid, domain)
789 || ( certid[0] == '*' && certid[1] == '.' && certid[2] != 0
790 && (parent = strchr(domain, '.')) != 0
791 && (idlen = strlen(certid + 1)) <= (domlen = strlen(parent))
792 && strcasecmp(multi ? parent + domlen - idlen : parent, certid+1) == 0))
793 return 1;
794 }
795return 0;
796}
797
798static const char *
799check_name(const char *name, int len)
800{
801const char *cp = name + len;
802
803while (len > 0 && !*--cp)
804 --len; /* Ignore trailing NULs */
805if (len <= 0)
806 return 0;
807for (cp = name; *cp; cp++)
808 {
809 char c = *cp;
810 if (!((c >= 'a' && c <= 'z') ||
811 (c >= '0' && c <= '9') ||
812 (c >= 'A' && c <= 'Z') ||
813 (c == '.' || c == '-') ||
814 (c == '*')))
815 return 0; /* Only LDH, '.' and '*' */
816 }
817if (cp - name != len) /* Guard against internal NULs */
818 return 0;
819return name;
820}
821
822static const char *
823parse_dns_name(const GENERAL_NAME *gn)
824{
825if (gn->type != GEN_DNS)
826 return 0;
827if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
828 return 0;
829return check_name(CCS ASN1_STRING_get0_data(gn->d.ia5),
830 ASN1_STRING_length(gn->d.ia5));
831}
832
833static char *
834parse_subject_name(X509 *cert)
835{
836X509_NAME *name = X509_get_subject_name(cert);
837X509_NAME_ENTRY *entry;
838ASN1_STRING *entry_str;
839unsigned char *namebuf;
840int nid = NID_commonName;
841int len;
842int i;
843
844if (!name || (i = X509_NAME_get_index_by_NID(name, nid, -1)) < 0)
845 return 0;
846if (!(entry = X509_NAME_get_entry(name, i)))
847 return 0;
848if (!(entry_str = X509_NAME_ENTRY_get_data(entry)))
849 return 0;
850
851if ((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0)
852 return 0;
853if (len <= 0 || check_name(CS namebuf, len) == 0)
854 {
855 OPENSSL_free(namebuf);
856 return 0;
857 }
858return CS namebuf;
859}
860
861static int
862name_check(ssl_dane *dane, X509 *cert)
863{
864int matched = 0;
865BOOL got_altname = FALSE;
866GENERAL_NAMES *gens;
867
868gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
869if (gens)
870 {
871 int n = sk_GENERAL_NAME_num(gens);
872
873 for (int i = 0; i < n; ++i)
874 {
875 const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
876 const char *certid;
877
878 if (gn->type != GEN_DNS)
879 continue;
880 got_altname = TRUE;
881 certid = parse_dns_name(gn);
882 if (certid && *certid)
883 {
884 if ((matched = match_name(certid, dane)) == 0)
885 continue;
886 if (!(dane->mhost = OPENSSL_strdup(certid)))
887 matched = -1;
888 DEBUG(D_tls) debug_printf("Dane name_check: matched SAN %s\n", certid);
889 break;
890 }
891 }
892 GENERAL_NAMES_free(gens);
893 }
894
895/*
896 * XXX: Should the subjectName be skipped when *any* altnames are present,
897 * or only when DNS altnames are present?
898 */
899if (!got_altname)
900 {
901 char *certid = parse_subject_name(cert);
902 if (certid != 0 && *certid && (matched = match_name(certid, dane)) != 0)
903 {
904 DEBUG(D_tls) debug_printf("Dane name_check: matched SN %s\n", certid);
905 dane->mhost = OPENSSL_strdup(certid);
906 }
907 if (certid)
908 OPENSSL_free(certid);
909 }
910return matched;
911}
912
913static int
914verify_chain(X509_STORE_CTX *ctx)
915{
916int (*cb)(int, X509_STORE_CTX *) = X509_STORE_CTX_get_verify_cb(ctx);
917X509 *cert = X509_STORE_CTX_get0_cert(ctx);
918STACK_OF(X509) * chain = X509_STORE_CTX_get0_chain(ctx);
919int chain_length = sk_X509_num(chain);
920int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
921SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
922ssl_dane *dane = SSL_get_ex_data(ssl, dane_idx);
923dane_selector_list issuer_rrs = dane->selectors[DANESSL_USAGE_PKIX_TA];
924dane_selector_list leaf_rrs = dane->selectors[DANESSL_USAGE_PKIX_EE];
925int matched = 0;
926
927DEBUG(D_tls) debug_printf("Dane verify_chain\n");
928
929/* Restore OpenSSL's internal_verify() as the signature check function */
930X509_STORE_CTX_set_verify(ctx, dane->verify);
931
932if ((matched = name_check(dane, cert)) < 0)
933 {
934 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
935 return 0;
936 }
937
938if (!matched)
939 {
940 X509_STORE_CTX_set_error_depth(ctx, 0);
941 X509_STORE_CTX_set_current_cert(ctx, cert);
942 X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
943 if (!cb(0, ctx))
944 return 0;
945 }
946matched = 0;
947
948/*
949 * Satisfy at least one usage 0 or 1 constraint, unless we've already
950 * matched a usage 2 trust anchor.
951 *
952 * XXX: internal_verify() doesn't callback with top certs that are not
953 * self-issued. This is fixed in OpenSSL 1.1.0.
954 */
955if (dane->roots && sk_X509_num(dane->roots))
956 {
957 X509 *top = sk_X509_value(chain, dane->depth);
958
959 dane->mdpth = dane->depth;
960 dane->match = top;
961 X509_up_ref(top);
962
963#if OPENSSL_VERSION_NUMBER < 0x10100000L
964 if (X509_check_issued(top, top) != X509_V_OK)
965 {
966 X509_STORE_CTX_set_error_depth(ctx, dane->depth);
967 X509_STORE_CTX_set_current_cert(ctx, top);
968 if (!cb(1, ctx))
969 return 0;
970 }
971#endif
972 /* Pop synthetic trust-anchor ancestors off the chain! */
973 while (--chain_length > dane->depth)
974 X509_free(sk_X509_pop(chain));
975 }
976else
977 {
978 int n = 0;
979 X509 *xn = cert;
980
981 /*
982 * Check for an EE match, then a CA match at depths > 0, and
983 * finally, if the EE cert is self-issued, for a depth 0 CA match.
984 */
985 if (leaf_rrs)
986 matched = match(leaf_rrs, xn, 0);
987 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched EE\n");
988
989 if (!matched && issuer_rrs)
990 for (n = chain_length-1; !matched && n >= 0; --n)
991 {
992 xn = sk_X509_value(chain, n);
993 if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
994 matched = match(issuer_rrs, xn, n);
995 }
996 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched %s\n",
997 n>0 ? "CA" : "selfisssued EE");
998
999 if (!matched)
1000 {
1001 X509_STORE_CTX_set_error_depth(ctx, 0);
1002 X509_STORE_CTX_set_current_cert(ctx, cert);
1003 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
1004 if (!cb(0, ctx))
1005 return 0;
1006 }
1007 else
1008 {
1009 dane->mdpth = n;
1010 dane->match = xn;
1011 X509_up_ref(xn);
1012 }
1013 }
1014
1015/* Tail recurse into OpenSSL's internal_verify */
1016return dane->verify(ctx);
1017}
1018
1019static void
1020dane_reset(ssl_dane *dane)
1021{
1022dane->depth = -1;
1023if (dane->mhost)
1024 {
1025 OPENSSL_free(dane->mhost);
1026 dane->mhost = 0;
1027 }
1028if (dane->roots)
1029 {
1030 sk_X509_pop_free(dane->roots, X509_free);
1031 dane->roots = 0;
1032 }
1033if (dane->chain)
1034 {
1035 sk_X509_pop_free(dane->chain, X509_free);
1036 dane->chain = 0;
1037 }
1038if (dane->match)
1039 {
1040 X509_free(dane->match);
1041 dane->match = 0;
1042 }
1043dane->mdpth = -1;
1044}
1045
1046static int
1047verify_cert(X509_STORE_CTX *ctx, void *unused_ctx)
1048{
1049static int ssl_idx = -1;
1050SSL *ssl;
1051ssl_dane *dane;
1052int (*cb)(int, X509_STORE_CTX *) = X509_STORE_CTX_get_verify_cb(ctx);
1053X509 *cert = X509_STORE_CTX_get0_cert(ctx);
1054int matched;
1055
1056DEBUG(D_tls) debug_printf("Dane verify_cert\n");
1057
1058if (ssl_idx < 0)
1059 ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1060if (dane_idx < 0)
1061 {
1062 DANEerr(DANESSL_F_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
1063 return -1;
1064 }
1065
1066ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
1067if (!(dane = SSL_get_ex_data(ssl, dane_idx)) || !cert)
1068 return X509_verify_cert(ctx);
1069
1070/* Reset for verification of a new chain, perhaps a renegotiation. */
1071dane_reset(dane);
1072
1073if (dane->selectors[DANESSL_USAGE_DANE_EE])
1074 {
1075 if ((matched = check_end_entity(ctx, dane, cert)) > 0)
1076 {
1077 X509_STORE_CTX_set_error_depth(ctx, 0);
1078 X509_STORE_CTX_set_current_cert(ctx, cert);
1079 return cb(1, ctx);
1080 }
1081 if (matched < 0)
1082 {
1083 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1084 return -1;
1085 }
1086 }
1087
1088if (dane->selectors[DANESSL_USAGE_DANE_TA])
1089 {
1090 if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
1091 {
1092 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1093 return -1;
1094 }
1095 if (matched)
1096 {
1097 /*
1098 * Check that setting the untrusted chain updates the expected
1099 * structure member at the expected offset.
1100 */
1101 X509_STORE_CTX_trusted_stack(ctx, dane->roots);
1102 X509_STORE_CTX_set_chain(ctx, dane->chain);
1103 OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx));
1104 }
1105 }
1106
1107/*
1108 * Name checks and usage 0/1 constraint enforcement are delayed until
1109 * X509_verify_cert() builds the full chain and calls our verify_chain()
1110 * wrapper.
1111 */
1112dane->verify = X509_STORE_CTX_get_verify(ctx);
1113X509_STORE_CTX_set_verify(ctx, verify_chain);
1114
1115if (X509_verify_cert(ctx))
1116 return 1;
1117
1118/*
1119 * If the chain is invalid, clear any matching cert or hostname, to
1120 * protect callers that might erroneously rely on these alone without
1121 * checking the validation status.
1122 */
1123if (dane->match)
1124 {
1125 X509_free(dane->match);
1126 dane->match = 0;
1127 }
1128if (dane->mhost)
1129 {
1130 OPENSSL_free(dane->mhost);
1131 dane->mhost = 0;
1132 }
1133 return 0;
1134}
1135
1136static dane_list
1137list_alloc(size_t vsize)
1138{
1139void *value = (void *) OPENSSL_malloc(vsize);
1140dane_list l;
1141
1142if (!value)
1143 {
1144 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1145 return 0;
1146 }
1147if (!(l = (dane_list) OPENSSL_malloc(sizeof(*l))))
1148 {
1149 OPENSSL_free(value);
1150 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1151 return 0;
1152 }
1153l->next = 0;
1154l->value = value;
1155return l;
1156}
1157
1158static void
1159list_free(void *list, void (*f)(void *))
1160{
1161dane_list next;
1162
1163for (dane_list head = (dane_list) list; head; head = next)
1164 {
1165 next = head->next;
1166 if (f && head->value)
1167 f(head->value);
1168 OPENSSL_free(head);
1169 }
1170}
1171
1172static void
1173ossl_free(void * p)
1174{
1175OPENSSL_free(p);
1176}
1177
1178static void
1179dane_mtype_free(void *p)
1180{
1181list_free(((dane_mtype) p)->data, ossl_free);
1182OPENSSL_free(p);
1183}
1184
1185static void
1186dane_selector_free(void *p)
1187{
1188list_free(((dane_selector) p)->mtype, dane_mtype_free);
1189OPENSSL_free(p);
1190}
1191
1192
1193
1194/*
1195
1196Tidy up once the connection is finished with.
1197
1198Arguments
1199 ssl The ssl connection handle
1200
1201=> Before calling SSL_free()
1202tls_close() and tls_getc() [the error path] are the obvious places.
1203Could we do it earlier - right after verification? In tls_client_start()
1204right after SSL_connect() returns, in that case.
1205
1206*/
1207
1208void
1209DANESSL_cleanup(SSL *ssl)
1210{
1211ssl_dane *dane;
1212
1213DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
1214
1215if (dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1216 return;
1217(void) SSL_set_ex_data(ssl, dane_idx, 0);
1218
1219dane_reset(dane);
1220if (dane->hosts)
1221 list_free(dane->hosts, ossl_free);
1222for (int u = 0; u <= DANESSL_USAGE_LAST; ++u)
1223 if (dane->selectors[u])
1224 list_free(dane->selectors[u], dane_selector_free);
1225if (dane->pkeys)
1226 list_free(dane->pkeys, pkey_free);
1227if (dane->certs)
1228 list_free(dane->certs, cert_free);
1229OPENSSL_free(dane);
1230}
1231
1232static dane_host_list
1233host_list_init(const char **src)
1234{
1235dane_host_list head = NULL;
1236
1237while (*src)
1238 {
1239 dane_host_list elem = (dane_host_list) OPENSSL_malloc(sizeof(*elem));
1240 if (elem == 0)
1241 {
1242 list_free(head, ossl_free);
1243 return 0;
1244 }
1245 elem->value = OPENSSL_strdup(*src++);
1246 LINSERT(head, elem);
1247 }
1248return head;
1249}
1250
1251
1252int
1253DANESSL_get_match_cert(SSL *ssl, X509 **match, const char **mhost, int *depth)
1254{
1255ssl_dane *dane;
1256
1257if (dane_idx < 0 || (dane = SSL_get_ex_data(ssl, dane_idx)) == 0)
1258 {
1259 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1260 return -1;
1261 }
1262
1263if (dane->match)
1264 {
1265 if (match)
1266 *match = dane->match;
1267 if (mhost)
1268 *mhost = dane->mhost;
1269 if (depth)
1270 *depth = dane->mdpth;
1271 }
1272
1273 return (dane->match != 0);
1274}
1275
1276
1277#ifdef never_called
1278int
1279DANESSL_verify_chain(SSL *ssl, STACK_OF(X509) *chain)
1280{
1281int ret;
1282X509 *cert;
1283X509_STORE_CTX * store_ctx;
1284SSL_CTX *ssl_ctx = SSL_get_SSL_CTX(ssl);
1285X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
1286int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1287
1288cert = sk_X509_value(chain, 0);
1289if (!(store_ctx = X509_STORE_CTX_new()))
1290 {
1291 DANEerr(DANESSL_F_DANESSL_VERIFY_CHAIN, ERR_R_MALLOC_FAILURE);
1292 return 0;
1293 }
1294if (!X509_STORE_CTX_init(store_ctx, store, cert, chain))
1295 {
1296 X509_STORE_CTX_free(store_ctx);
1297 return 0;
1298 }
1299X509_STORE_CTX_set_ex_data(store_ctx, store_ctx_idx, ssl);
1300
1301X509_STORE_CTX_set_default(store_ctx,
1302 SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
1303X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
1304 SSL_get0_param(ssl));
1305
1306if (SSL_get_verify_callback(ssl))
1307 X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
1308
1309ret = verify_cert(store_ctx, NULL);
1310
1311SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(store_ctx));
1312X509_STORE_CTX_cleanup(store_ctx);
1313
1314return (ret);
1315}
1316#endif
1317
1318
1319
1320
1321/*
1322
1323Call this for each TLSA record found for the target, after the
1324DANE setup has been done on the ssl connection handle.
1325
1326Arguments:
1327 ssl Connection handle
1328 usage TLSA record field
1329 selector TLSA record field
1330 mdname ??? message digest name?
1331 data ??? TLSA record megalump?
1332 dlen length of data
1333
1334Return
1335 -1 on error
1336 0 action not taken
1337 1 record accepted
1338*/
1339
1340int
1341DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
1342 unsigned const char *data, size_t dlen)
1343{
1344ssl_dane *dane;
1345dane_selector_list s = 0;
1346dane_mtype_list m = 0;
1347dane_data_list d = 0;
1348dane_cert_list xlist = 0;
1349dane_pkey_list klist = 0;
1350const EVP_MD *md = 0;
1351
1352DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
1353 usage, selector, mdname);
1354
1355if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1356 {
1357 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1358 return -1;
1359 }
1360
1361if (usage > DANESSL_USAGE_LAST)
1362 {
1363 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_USAGE);
1364 return 0;
1365 }
1366if (selector > DANESSL_SELECTOR_LAST)
1367 {
1368 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_SELECTOR);
1369 return 0;
1370 }
1371
1372/* Support built-in standard one-digit mtypes */
1373if (mdname && *mdname && mdname[1] == '\0')
1374 switch (*mdname - '0')
1375 {
1376 case DANESSL_MATCHING_FULL: mdname = 0; break;
1377 case DANESSL_MATCHING_2256: mdname = "sha256"; break;
1378 case DANESSL_MATCHING_2512: mdname = "sha512"; break;
1379 }
1380if (mdname && *mdname && !(md = EVP_get_digestbyname(mdname)))
1381 {
1382 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST);
1383 return 0;
1384 }
1385if (mdname && *mdname && dlen != EVP_MD_size(md))
1386 {
1387 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH);
1388 return 0;
1389 }
1390if (!data)
1391 {
1392 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA);
1393 return 0;
1394 }
1395
1396/*
1397 * Full Certificate or Public Key when NULL or empty digest name
1398 */
1399if (!mdname || !*mdname)
1400 {
1401 X509 *x = 0;
1402 EVP_PKEY *k = 0;
1403 const unsigned char *p = data;
1404
1405#define xklistinit(lvar, ltype, var, freeFunc) do { \
1406 (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
1407 if ((lvar) == 0) { \
1408 DANEerr(DANESSL_F_ADD_TLSA, ERR_R_MALLOC_FAILURE); \
1409 freeFunc((var)); \
1410 return 0; \
1411 } \
1412 (lvar)->next = 0; \
1413 lvar->value = var; \
1414 } while (0)
1415#define xkfreeret(ret) do { \
1416 if (xlist) list_free(xlist, cert_free); \
1417 if (klist) list_free(klist, pkey_free); \
1418 return (ret); \
1419 } while (0)
1420
1421 switch (selector)
1422 {
1423 case DANESSL_SELECTOR_CERT:
1424 if (!d2i_X509(&x, &p, dlen) || dlen != p - data)
1425 {
1426 if (x)
1427 X509_free(x);
1428 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT);
1429 return 0;
1430 }
1431 k = X509_get_pubkey(x);
1432 EVP_PKEY_free(k);
1433 if (k == 0)
1434 {
1435 X509_free(x);
1436 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT_PKEY);
1437 return 0;
1438 }
1439 if (usage == DANESSL_USAGE_DANE_TA)
1440 xklistinit(xlist, dane_cert_list, x, X509_free);
1441 break;
1442
1443 case DANESSL_SELECTOR_SPKI:
1444 if (!d2i_PUBKEY(&k, &p, dlen) || dlen != p - data)
1445 {
1446 if (k)
1447 EVP_PKEY_free(k);
1448 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_PKEY);
1449 return 0;
1450 }
1451 if (usage == DANESSL_USAGE_DANE_TA)
1452 xklistinit(klist, dane_pkey_list, k, EVP_PKEY_free);
1453 break;
1454 }
1455 }
1456
1457/* Find insertion point and don't add duplicate elements. */
1458for (s = dane->selectors[usage]; s; s = s->next)
1459 if (s->value->selector == selector)
1460 {
1461 for (m = s->value->mtype; m; m = m->next)
1462 if (m->value->md == md)
1463 {
1464 for (d = m->value->data; d; d = d->next)
1465 if ( d->value->datalen == dlen
1466 && memcmp(d->value->data, data, dlen) == 0)
1467 xkfreeret(1);
1468 break;
1469 }
1470 break;
1471 }
1472
1473if ((d = (dane_data_list) list_alloc(sizeof(*d->value) + dlen)) == 0)
1474 xkfreeret(0);
1475d->value->datalen = dlen;
1476memcpy(d->value->data, data, dlen);
1477if (!m)
1478 {
1479 if ((m = (dane_mtype_list) list_alloc(sizeof(*m->value))) == 0)
1480 {
1481 list_free(d, ossl_free);
1482 xkfreeret(0);
1483 }
1484 m->value->data = 0;
1485 if ((m->value->md = md) != 0)
1486 m->value->mdlen = dlen;
1487 if (!s)
1488 {
1489 if ((s = (dane_selector_list) list_alloc(sizeof(*s->value))) == 0)
1490 {
1491 list_free(m, dane_mtype_free);
1492 xkfreeret(0);
1493 }
1494 s->value->mtype = 0;
1495 s->value->selector = selector;
1496 LINSERT(dane->selectors[usage], s);
1497 }
1498 LINSERT(s->value->mtype, m);
1499 }
1500LINSERT(m->value->data, d);
1501
1502if (xlist)
1503 LINSERT(dane->certs, xlist);
1504else if (klist)
1505 LINSERT(dane->pkeys, klist);
1506++dane->count;
1507return 1;
1508}
1509
1510
1511
1512
1513/*
1514Call this once we have an ssl connection handle but before
1515making the TLS connection.
1516
1517=> In tls_client_start() after the call to SSL_new()
1518and before the call to SSL_connect(). Exactly where
1519probably does not matter.
1520We probably want to keep our existing SNI handling;
1521call this with NULL.
1522
1523Arguments:
1524 ssl Connection handle
1525 sni_domain Optional peer server name
1526 hostnames list of names to chack against peer cert
1527
1528Return
1529 -1 on fatal error
1530 0 nonfatal error
1531 1 success
1532*/
1533
1534int
1535DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
1536{
1537ssl_dane *dane;
1538
1539DEBUG(D_tls) debug_printf("Dane ssl_init\n");
1540if (dane_idx < 0)
1541 {
1542 DANEerr(DANESSL_F_INIT, DANESSL_R_LIBRARY_INIT);
1543 return -1;
1544 }
1545
1546if (sni_domain && !SSL_set_tlsext_host_name(ssl, sni_domain))
1547 return 0;
1548
1549if ((dane = (ssl_dane *) OPENSSL_malloc(sizeof(ssl_dane))) == 0)
1550 {
1551 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1552 return 0;
1553 }
1554if (!SSL_set_ex_data(ssl, dane_idx, dane))
1555 {
1556 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1557 OPENSSL_free(dane);
1558 return 0;
1559 }
1560
1561dane->verify = 0;
1562dane->hosts = 0;
1563dane->thost = 0;
1564dane->pkeys = 0;
1565dane->certs = 0;
1566dane->chain = 0;
1567dane->match = 0;
1568dane->roots = 0;
1569dane->depth = -1;
1570dane->mhost = 0; /* Future SSL control interface */
1571dane->mdpth = 0; /* Future SSL control interface */
1572dane->multi = 0; /* Future SSL control interface */
1573dane->count = 0;
1574dane->hosts = 0;
1575
1576for (int i = 0; i <= DANESSL_USAGE_LAST; ++i)
1577 dane->selectors[i] = 0;
1578
1579if (hostnames && (dane->hosts = host_list_init(hostnames)) == 0)
1580 {
1581 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1582 DANESSL_cleanup(ssl);
1583 return 0;
1584 }
1585
1586return 1;
1587}
1588
1589
1590/*
1591
1592Call this once we have a context to work with, but
1593before DANESSL_init()
1594
1595=> in tls_client_start(), after tls_init() call gives us the ctx,
1596if we decide we want to (policy) and can (TLSA records available)
1597replacing (? what about fallback) everything from testing tls_verify_hosts
1598down to just before calling SSL_new() for the conn handle.
1599
1600Arguments
1601 ctx SSL context
1602
1603Return
1604 -1 Error
1605 1 Success
1606*/
1607
1608int
1609DANESSL_CTX_init(SSL_CTX *ctx)
1610{
1611DEBUG(D_tls) debug_printf("Dane ctx-init\n");
1612if (dane_idx >= 0)
1613 {
1614 SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
1615 return 1;
1616 }
1617DANEerr(DANESSL_F_CTX_INIT, DANESSL_R_LIBRARY_INIT);
1618return -1;
1619}
1620
1621static void
1622dane_init(void)
1623{
1624/*
1625 * Store library id in zeroth function slot, used to locate the library
1626 * name. This must be done before we load the error strings.
1627 */
1628err_lib_dane = ERR_get_next_error_library();
1629
1630#ifndef OPENSSL_NO_ERR
1631if (err_lib_dane > 0)
1632 {
1633 dane_str_functs[0].error |= ERR_PACK(err_lib_dane, 0, 0);
1634 ERR_load_strings(err_lib_dane, dane_str_functs);
1635 ERR_load_strings(err_lib_dane, dane_str_reasons);
1636 }
1637#endif
1638
1639/*
1640 * Register SHA-2 digests, if implemented and not already registered.
1641 */
1642#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
1643if (!EVP_get_digestbyname(LN_sha224)) EVP_add_digest(EVP_sha224());
1644if (!EVP_get_digestbyname(LN_sha256)) EVP_add_digest(EVP_sha256());
1645#endif
1646#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
1647if (!EVP_get_digestbyname(LN_sha384)) EVP_add_digest(EVP_sha384());
1648if (!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
1649#endif
1650
1651/*
1652 * Register an SSL index for the connection-specific ssl_dane structure.
1653 * Using a separate index makes it possible to add DANE support to
1654 * existing OpenSSL releases that don't have a suitable pointer in the
1655 * SSL structure.
1656 */
1657dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
1658}
1659
1660
1661#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
1662static void
1663run_once(volatile int * once, void (*init)(void))
1664{
1665int wlock = 0;
1666
1667CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
1668if (!*once)
1669 {
1670 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1671 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1672 wlock = 1;
1673 if (!*once)
1674 {
1675 *once = 1;
1676 init();
1677 }
1678 }
1679if (wlock)
1680 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1681else
1682 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1683}
1684#endif
1685
1686
1687
1688/*
1689
1690Call this once. Probably early in startup will do; may need
1691to be after SSL library init.
1692
1693=> put after call to tls_init() for now
1694
1695Return
1696 1 Success
1697 0 Fail
1698*/
1699
1700int
1701DANESSL_library_init(void)
1702{
1703static CRYPTO_ONCE once = CRYPTO_ONCE_STATIC_INIT;
1704
1705DEBUG(D_tls) debug_printf("Dane lib-init\n");
1706(void) CRYPTO_THREAD_run_once(&once, dane_init);
1707
1708#if defined(LN_sha256)
1709/* No DANE without SHA256 support */
1710if (dane_idx >= 0 && EVP_get_digestbyname(LN_sha256) != 0)
1711 return 1;
1712#endif
1713DANEerr(DANESSL_F_LIBRARY_INIT, DANESSL_R_SUPPORT);
1714return 0;
1715}
1716
1717
1718/* vi: aw ai sw=2
1719*/
Unnamed repository; edit this file 'description' to name the repository.