5 #include <openssl/opensslv.h>
6 #include <openssl/err.h>
7 #include <openssl/crypto.h>
8 #include <openssl/safestack.h>
9 #include <openssl/objects.h>
10 #include <openssl/x509.h>
11 #include <openssl/x509v3.h>
12 #include <openssl/evp.h>
14 #if OPENSSL_VERSION_NUMBER < 0x1000000fL
15 #error "OpenSSL 1.0.0 or higher required"
20 #define DANE_F_ADD_SKID 100
21 #define DANE_F_CHECK_END_ENTITY 101
22 #define DANE_F_GROW_CHAIN 102
23 #define DANE_F_LIST_ALLOC 103
24 #define DANE_F_MATCH 104
25 #define DANE_F_PUSH_EXT 105
26 #define DANE_F_SET_TRUST_ANCHOR 106
27 #define DANE_F_SSL_CTX_DANE_INIT 107
28 #define DANE_F_SSL_DANE_ADD_TLSA 108
29 #define DANE_F_SSL_DANE_INIT 109
30 #define DANE_F_SSL_DANE_LIBRARY_INIT 110
31 #define DANE_F_VERIFY_CERT 111
32 #define DANE_F_WRAP_CERT 112
34 #define DANE_R_BAD_CERT 100
35 #define DANE_R_BAD_CERT_PKEY 101
36 #define DANE_R_BAD_DATA_LENGTH 102
37 #define DANE_R_BAD_DIGEST 103
38 #define DANE_R_BAD_NULL_DATA 104
39 #define DANE_R_BAD_PKEY 105
40 #define DANE_R_BAD_SELECTOR 106
41 #define DANE_R_BAD_USAGE 107
42 #define DANE_R_DANE_INIT 108
43 #define DANE_R_DANE_SUPPORT 109
44 #define DANE_R_LIBRARY_INIT 110
45 #define DANE_R_NOSIGN_KEY 111
46 #define DANE_R_SCTX_INIT 112
48 #ifndef OPENSSL_NO_ERR
49 #define DANE_F_PLACEHOLDER 0 /* FIRST! Value TBD */
50 static ERR_STRING_DATA dane_str_functs
[] = {
51 {DANE_F_PLACEHOLDER
, "DANE library"}, /* FIRST!!! */
52 {DANE_F_ADD_SKID
, "add_skid"},
53 {DANE_F_CHECK_END_ENTITY
, "check_end_entity"},
54 {DANE_F_GROW_CHAIN
, "grow_chain"},
55 {DANE_F_LIST_ALLOC
, "list_alloc"},
56 {DANE_F_MATCH
, "match"},
57 {DANE_F_PUSH_EXT
, "push_ext"},
58 {DANE_F_SET_TRUST_ANCHOR
, "set_trust_anchor"},
59 {DANE_F_SSL_CTX_DANE_INIT
, "SSL_CTX_dane_init"},
60 {DANE_F_SSL_DANE_ADD_TLSA
, "SSL_dane_add_tlsa"},
61 {DANE_F_SSL_DANE_INIT
, "SSL_dane_init"},
62 {DANE_F_SSL_DANE_LIBRARY_INIT
, "SSL_dane_library_init"},
63 {DANE_F_VERIFY_CERT
, "verify_cert"},
64 {DANE_F_WRAP_CERT
, "wrap_cert"},
67 static ERR_STRING_DATA dane_str_reasons
[] = {
68 {DANE_R_BAD_CERT
, "Bad TLSA record certificate"},
69 {DANE_R_BAD_CERT_PKEY
, "Bad TLSA record certificate public key"},
70 {DANE_R_BAD_DATA_LENGTH
, "Bad TLSA record digest length"},
71 {DANE_R_BAD_DIGEST
, "Bad TLSA record digest"},
72 {DANE_R_BAD_NULL_DATA
, "Bad TLSA record null data"},
73 {DANE_R_BAD_PKEY
, "Bad TLSA record public key"},
74 {DANE_R_BAD_SELECTOR
, "Bad TLSA record selector"},
75 {DANE_R_BAD_USAGE
, "Bad TLSA record usage"},
76 {DANE_R_DANE_INIT
, "SSL_dane_init() required"},
77 {DANE_R_DANE_SUPPORT
, "DANE library features not supported"},
78 {DANE_R_LIBRARY_INIT
, "SSL_dane_library_init() required"},
79 {DANE_R_SCTX_INIT
, "SSL_CTX_dane_init() required"},
80 {DANE_R_NOSIGN_KEY
, "Certificate usage 2 requires EC support"},
85 #define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
87 static int err_lib_dane
= -1;
88 static int dane_idx
= -1;
90 #ifdef X509_V_FLAG_PARTIAL_CHAIN /* OpenSSL >= 1.0.2 */
91 static int wrap_to_root
= 0;
93 static int wrap_to_root
= 1;
96 static void (*cert_free
)(void *) = (void (*)(void *)) X509_free
;
97 static void (*pkey_free
)(void *) = (void (*)(void *)) EVP_PKEY_free
;
99 typedef struct dane_list
{
100 struct dane_list
*next
;
104 #define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0)
106 typedef struct DANE_HOST_LIST
{
107 struct DANE_HOST_LIST
*next
;
111 typedef struct dane_data
{
113 unsigned char data
[0];
116 typedef struct DANE_DATA_LIST
{
117 struct DANE_DATA_LIST
*next
;
121 typedef struct dane_mtype
{
127 typedef struct DANE_MTYPE_LIST
{
128 struct DANE_MTYPE_LIST
*next
;
132 typedef struct dane_selector
{
134 DANE_MTYPE_LIST mtype
;
137 typedef struct DANE_SELECTOR_LIST
{
138 struct DANE_SELECTOR_LIST
*next
;
140 } *DANE_SELECTOR_LIST
;
142 typedef struct DANE_PKEY_LIST
{
143 struct DANE_PKEY_LIST
*next
;
147 typedef struct DANE_CERT_LIST
{
148 struct DANE_CERT_LIST
*next
;
152 typedef struct SSL_DANE
{
153 int (*verify
)(X509_STORE_CTX
*);
154 STACK_OF(X509
) *roots
;
155 STACK_OF(X509
) *chain
;
156 const char *thost
; /* TLSA base domain */
157 char *mhost
; /* Matched, peer name */
158 DANE_PKEY_LIST pkeys
;
159 DANE_CERT_LIST certs
;
160 DANE_HOST_LIST hosts
;
161 DANE_SELECTOR_LIST selectors
[SSL_DANE_USAGE_LAST
+ 1];
163 int multi
; /* Multi-label wildcards? */
164 int count
; /* Number of TLSA records */
167 #ifndef X509_V_ERR_HOSTNAME_MISMATCH
168 #define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION
171 static int match(DANE_SELECTOR_LIST slist
, X509
*cert
, int depth
)
176 * Note, set_trust_anchor() needs to know whether the match was for a
177 * pkey digest or a certificate digest. We return MATCHED_PKEY or
178 * MATCHED_CERT accordingly.
180 #define MATCHED_CERT (SSL_DANE_SELECTOR_CERT + 1)
181 #define MATCHED_PKEY (SSL_DANE_SELECTOR_SPKI + 1)
184 * Loop over each selector, mtype, and associated data element looking
187 for (matched
= 0; !matched
&& slist
; slist
= slist
->next
) {
189 unsigned char mdbuf
[EVP_MAX_MD_SIZE
];
195 * Extract ASN.1 DER form of certificate or public key.
197 switch (slist
->value
->selector
) {
198 case SSL_DANE_SELECTOR_CERT
:
199 len
= i2d_X509(cert
, NULL
);
200 buf2
= buf
= (unsigned char *) OPENSSL_malloc(len
);
202 i2d_X509(cert
, &buf2
);
204 case SSL_DANE_SELECTOR_SPKI
:
205 len
= i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert
), NULL
);
206 buf2
= buf
= (unsigned char *) OPENSSL_malloc(len
);
208 i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert
), &buf2
);
213 DANEerr(DANE_F_MATCH
, ERR_R_MALLOC_FAILURE
);
216 OPENSSL_assert(buf2
- buf
== len
);
219 * Loop over each mtype and data element
221 for (m
= slist
->value
->mtype
; !matched
&& m
; m
= m
->next
) {
223 unsigned char *cmpbuf
= buf
;
224 unsigned int cmplen
= len
;
227 * If it is a digest, compute the corresponding digest of the
228 * DER data for comparison, otherwise, use the full object.
232 if (!EVP_Digest(buf
, len
, cmpbuf
, &cmplen
, m
->value
->md
, 0))
235 for (d
= m
->value
->data
; !matched
&& d
; d
= d
->next
)
236 if (cmplen
== d
->value
->datalen
&&
237 memcmp(cmpbuf
, d
->value
->data
, cmplen
) == 0)
238 matched
= slist
->value
->selector
+ 1;
247 static int push_ext(X509
*cert
, X509_EXTENSION
*ext
)
249 X509_EXTENSIONS
*exts
;
252 if ((exts
= cert
->cert_info
->extensions
) == 0)
253 exts
= cert
->cert_info
->extensions
= sk_X509_EXTENSION_new_null();
254 if (exts
&& sk_X509_EXTENSION_push(exts
, ext
))
256 X509_EXTENSION_free(ext
);
258 DANEerr(DANE_F_PUSH_EXT
, ERR_R_MALLOC_FAILURE
);
262 static int add_ext(X509
*issuer
, X509
*subject
, int ext_nid
, char *ext_val
)
266 X509V3_set_ctx(&v3ctx
, issuer
, subject
, 0, 0, 0);
267 return push_ext(subject
, X509V3_EXT_conf_nid(0, &v3ctx
, ext_nid
, ext_val
));
270 static int set_serial(X509
*cert
, AUTHORITY_KEYID
*akid
, X509
*subject
)
275 if (akid
&& akid
->serial
)
276 return (X509_set_serialNumber(cert
, akid
->serial
));
279 * Add one to subject's serial to avoid collisions between TA serial and
280 * serial of signing root.
282 if ((bn
= ASN1_INTEGER_to_BN(X509_get_serialNumber(subject
), 0)) != 0
283 && BN_add_word(bn
, 1)
284 && BN_to_ASN1_INTEGER(bn
, X509_get_serialNumber(cert
)))
292 static int add_akid(X509
*cert
, AUTHORITY_KEYID
*akid
)
294 int nid
= NID_authority_key_identifier
;
300 * 0 will never be our subject keyid from a SHA-1 hash, but it could be
301 * our subject keyid if forced from child's akid. If so, set our
302 * authority keyid to 1. This way we are never self-signed, and thus
303 * exempt from any potential (off by default for now in OpenSSL)
304 * self-signature checks!
306 id
= (ASN1_STRING
*) ((akid
&& akid
->keyid
) ? akid
->keyid
: 0);
307 if (id
&& M_ASN1_STRING_length(id
) == 1 && *M_ASN1_STRING_data(id
) == c
)
310 if ((akid
= AUTHORITY_KEYID_new()) != 0
311 && (akid
->keyid
= ASN1_OCTET_STRING_new()) != 0
312 && M_ASN1_OCTET_STRING_set(akid
->keyid
, (void *) &c
, 1)
313 && X509_add1_ext_i2d(cert
, nid
, akid
, 0, X509V3_ADD_APPEND
))
316 AUTHORITY_KEYID_free(akid
);
320 static int add_skid(X509
*cert
, AUTHORITY_KEYID
*akid
)
322 int nid
= NID_subject_key_identifier
;
324 if (!akid
|| !akid
->keyid
)
325 return add_ext(0, cert
, nid
, "hash");
326 return X509_add1_ext_i2d(cert
, nid
, akid
->keyid
, 0, X509V3_ADD_APPEND
) > 0;
329 static X509_NAME
*akid_issuer_name(AUTHORITY_KEYID
*akid
)
331 if (akid
&& akid
->issuer
) {
333 GENERAL_NAMES
*gens
= akid
->issuer
;
335 for (i
= 0; i
< sk_GENERAL_NAME_num(gens
); ++i
) {
336 GENERAL_NAME
*gn
= sk_GENERAL_NAME_value(gens
, i
);
338 if (gn
->type
== GEN_DIRNAME
)
345 static int set_issuer_name(X509
*cert
, AUTHORITY_KEYID
*akid
)
347 X509_NAME
*name
= akid_issuer_name(akid
);
350 * If subject's akid specifies an authority key identifer issuer name, we
354 return X509_set_issuer_name(cert
, name
);
355 return X509_set_issuer_name(cert
, X509_get_subject_name(cert
));
358 static int grow_chain(SSL_DANE
*dane
, int trusted
, X509
*cert
)
360 STACK_OF(X509
) **xs
= trusted
? &dane
->roots
: &dane
->chain
;
361 static ASN1_OBJECT
*serverAuth
= 0;
366 if (trusted
&& serverAuth
== 0 &&
367 (serverAuth
= OBJ_nid2obj(NID_server_auth
)) == 0) {
368 DANEerr(DANE_F_GROW_CHAIN
, ERR_R_MALLOC_FAILURE
);
371 if (!*xs
&& (*xs
= sk_X509_new_null()) == 0) {
372 DANEerr(DANE_F_GROW_CHAIN
, ERR_R_MALLOC_FAILURE
);
377 if (trusted
&& !X509_add1_trust_object(cert
, serverAuth
))
379 CRYPTO_add(&cert
->references
, 1, CRYPTO_LOCK_X509
);
380 if (!sk_X509_push(*xs
, cert
)) {
382 DANEerr(DANE_F_GROW_CHAIN
, ERR_R_MALLOC_FAILURE
);
389 static int wrap_issuer(
399 AUTHORITY_KEYID
*akid
;
400 X509_NAME
*name
= X509_get_issuer_name(subject
);
401 EVP_PKEY
*newkey
= key
? key
: X509_get_pubkey(subject
);
403 #define WRAP_MID 0 /* Ensure intermediate. */
404 #define WRAP_TOP 1 /* Ensure self-signed. */
406 if (name
== 0 || newkey
== 0 || (cert
= X509_new()) == 0)
410 * Record the depth of the trust-anchor certificate.
413 dane
->depth
= depth
+ 1;
416 * XXX: Uncaught error condition:
418 * The return value is NULL both when the extension is missing, and when
419 * OpenSSL rans out of memory while parsing the extension.
422 akid
= X509_get_ext_d2i(subject
, NID_authority_key_identifier
, 0, 0);
423 /* XXX: Should we peek at the error stack here??? */
426 * If top is true generate a self-issued root CA, otherwise an
427 * intermediate CA and possibly its self-signed issuer.
429 * CA cert valid for +/- 30 days
431 if (!X509_set_version(cert
, 2)
432 || !set_serial(cert
, akid
, subject
)
433 || !X509_set_subject_name(cert
, name
)
434 || !set_issuer_name(cert
, akid
)
435 || !X509_gmtime_adj(X509_get_notBefore(cert
), -30 * 86400L)
436 || !X509_gmtime_adj(X509_get_notAfter(cert
), 30 * 86400L)
437 || !X509_set_pubkey(cert
, newkey
)
438 || !add_ext(0, cert
, NID_basic_constraints
, "CA:TRUE")
439 || (!top
&& !add_akid(cert
, akid
))
440 || !add_skid(cert
, akid
)
441 || (!top
&& wrap_to_root
&&
442 !wrap_issuer(dane
, newkey
, cert
, depth
, WRAP_TOP
))) {
446 AUTHORITY_KEYID_free(akid
);
448 EVP_PKEY_free(newkey
);
450 if (!top
&& wrap_to_root
)
451 ret
= grow_chain(dane
, UNTRUSTED
, cert
);
453 ret
= grow_chain(dane
, TRUSTED
, cert
);
460 static int wrap_cert(SSL_DANE
*dane
, X509
*tacert
, int depth
)
463 dane
->depth
= depth
+ 1;
466 * If the TA certificate is self-issued, or need not be, use it directly.
467 * Otherwise, synthesize requisuite ancestors.
470 || X509_check_issued(tacert
, tacert
) == X509_V_OK
)
471 return grow_chain(dane
, TRUSTED
, tacert
);
473 if (wrap_issuer(dane
, 0, tacert
, depth
, WRAP_MID
))
474 return grow_chain(dane
, UNTRUSTED
, tacert
);
478 static int ta_signed(SSL_DANE
*dane
, X509
*cert
, int depth
)
486 * First check whether issued and signed by a TA cert, this is cheaper
487 * than the bare-public key checks below, since we can determine whether
488 * the candidate TA certificate issued the certificate to be checked
489 * first (name comparisons), before we bother with signature checks
490 * (public key operations).
492 for (x
= dane
->certs
; !done
&& x
; x
= x
->next
) {
493 if (X509_check_issued(x
->value
, cert
) == X509_V_OK
) {
494 if ((pk
= X509_get_pubkey(x
->value
)) == 0) {
496 * The cert originally contained a valid pkey, which does
497 * not just vanish, so this is most likely a memory error.
502 /* Check signature, since some other TA may work if not this. */
503 if (X509_verify(cert
, pk
) > 0)
504 done
= wrap_cert(dane
, x
->value
, depth
) ? 1 : -1;
510 * With bare TA public keys, we can't check whether the trust chain is
511 * issued by the key, but we can determine whether it is signed by the
512 * key, so we go with that.
514 * Ideally, the corresponding certificate was presented in the chain, and we
515 * matched it by its public key digest one level up. This code is here
516 * to handle adverse conditions imposed by sloppy administrators of
517 * receiving systems with poorly constructed chains.
519 * We'd like to optimize out keys that should not match when the cert's
520 * authority key id does not match the key id of this key computed via
521 * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans
522 * ASN1 tag and length thus also excluding the unused bits field that is
523 * logically part of the length). However, some CAs have a non-standard
524 * authority keyid, so we lose. Too bad.
526 * This may push errors onto the stack when the certificate signature is
527 * not of the right type or length, throw these away,
529 for (k
= dane
->pkeys
; !done
&& k
; k
= k
->next
)
530 if (X509_verify(cert
, k
->value
) > 0)
531 done
= wrap_issuer(dane
, k
->value
, cert
, depth
, WRAP_MID
) ? 1 : -1;
538 static int set_trust_anchor(X509_STORE_CTX
*ctx
, SSL_DANE
*dane
, X509
*cert
)
546 STACK_OF(X509
) *in
= ctx
->untrusted
; /* XXX: Accessor? */
548 if (!grow_chain(dane
, UNTRUSTED
, 0))
552 * Accept a degenerate case: depth 0 self-signed trust-anchor.
554 if (X509_check_issued(cert
, cert
) == X509_V_OK
) {
556 matched
= match(dane
->selectors
[SSL_DANE_USAGE_TRUSTED_CA
], cert
, 0);
557 if (matched
> 0 && !grow_chain(dane
, TRUSTED
, cert
))
562 /* Make a shallow copy of the input untrusted chain. */
563 if ((in
= sk_X509_dup(in
)) == 0) {
564 DANEerr(DANE_F_SET_TRUST_ANCHOR
, ERR_R_MALLOC_FAILURE
);
569 * At each iteration we consume the issuer of the current cert. This
570 * reduces the length of the "in" chain by one. If no issuer is found,
571 * we are done. We also stop when a certificate matches a TA in the
574 * Caller ensures that the initial certificate is not self-signed.
576 for (n
= sk_X509_num(in
); n
> 0; --n
, ++depth
) {
577 for (i
= 0; i
< n
; ++i
)
578 if (X509_check_issued(sk_X509_value(in
, i
), cert
) == X509_V_OK
)
582 * Final untrusted element with no issuer in the peer's chain, it may
583 * however be signed by a pkey or cert obtained via a TLSA RR.
588 /* Peer's chain contains an issuer ca. */
589 ca
= sk_X509_delete(in
, i
);
591 /* If not a trust anchor, record untrusted ca and continue. */
592 if ((matched
= match(dane
->selectors
[SSL_DANE_USAGE_TRUSTED_CA
], ca
,
594 if (grow_chain(dane
, UNTRUSTED
, ca
)) {
595 if (!X509_check_issued(ca
, ca
) == X509_V_OK
) {
596 /* Restart with issuer as subject */
600 /* Final self-signed element, skip ta_signed() check. */
604 } else if (matched
== MATCHED_CERT
) {
605 if (!wrap_cert(dane
, ca
, depth
))
607 } else if (matched
== MATCHED_PKEY
) {
608 if ((takey
= X509_get_pubkey(ca
)) == 0 ||
609 !wrap_issuer(dane
, takey
, cert
, depth
, WRAP_MID
)) {
611 EVP_PKEY_free(takey
);
613 DANEerr(DANE_F_SET_TRUST_ANCHOR
, ERR_R_MALLOC_FAILURE
);
620 /* Shallow free the duplicated input untrusted chain. */
624 * When the loop exits, if "cert" is set, it is not self-signed and has
625 * no issuer in the chain, we check for a possible signature via a DNS
626 * obtained TA cert or public key.
628 if (matched
== 0 && cert
)
629 matched
= ta_signed(dane
, cert
, depth
);
634 static int check_end_entity(X509_STORE_CTX
*ctx
, SSL_DANE
*dane
, X509
*cert
)
638 matched
= match(dane
->selectors
[SSL_DANE_USAGE_FIXED_LEAF
], cert
, 0);
640 if (ctx
->chain
== 0) {
641 if ((ctx
->chain
= sk_X509_new_null()) != 0 &&
642 sk_X509_push(ctx
->chain
, cert
)) {
643 CRYPTO_add(&cert
->references
, 1, CRYPTO_LOCK_X509
);
645 DANEerr(DANE_F_CHECK_END_ENTITY
, ERR_R_MALLOC_FAILURE
);
653 static int match_name(const char *certid
, SSL_DANE
*dane
)
655 int multi
= dane
->multi
;
656 DANE_HOST_LIST hosts
= dane
->hosts
;
658 for (/* NOP */; hosts
; hosts
= hosts
->next
) {
659 int match_subdomain
= 0;
660 const char *domain
= hosts
->value
;
665 if (*domain
== '.' && domain
[1] != '\0') {
671 * Sub-domain match: certid is any sub-domain of hostname.
673 if (match_subdomain
) {
674 if ((idlen
= strlen(certid
)) > (domlen
= strlen(domain
)) + 1
675 && certid
[idlen
- domlen
- 1] == '.'
676 && !strcasecmp(certid
+ (idlen
- domlen
), domain
))
683 * Exact match and initial "*" match. The initial "*" in a certid
684 * matches one (if multi is false) or more hostname components under
685 * the condition that the certid contains multiple hostname components.
687 if (!strcasecmp(certid
, domain
)
688 || (certid
[0] == '*' && certid
[1] == '.' && certid
[2] != 0
689 && (parent
= strchr(domain
, '.')) != 0
690 && (idlen
= strlen(certid
+ 1)) <= (domlen
= strlen(parent
))
691 && strcasecmp(multi
? parent
+ domlen
- idlen
: parent
,
698 static char *check_name(char *name
, int len
)
700 register char *cp
= name
+ len
;
702 while (len
> 0 && *--cp
== 0)
703 --len
; /* Ignore trailing NULs */
706 for (cp
= name
; *cp
; cp
++) {
707 register char c
= *cp
;
708 if (!((c
>= 'a' && c
<= 'z') ||
709 (c
>= '0' && c
<= '9') ||
710 (c
>= 'A' && c
<= 'Z') ||
711 (c
== '.' || c
== '-') ||
713 return 0; /* Only LDH, '.' and '*' */
715 if (cp
- name
!= len
) /* Guard against internal NULs */
720 static char *parse_dns_name(const GENERAL_NAME
*gn
)
722 if (gn
->type
!= GEN_DNS
)
724 if (ASN1_STRING_type(gn
->d
.ia5
) != V_ASN1_IA5STRING
)
726 return check_name((char *) ASN1_STRING_data(gn
->d
.ia5
),
727 ASN1_STRING_length(gn
->d
.ia5
));
730 static char *parse_subject_name(X509
*cert
)
732 X509_NAME
*name
= X509_get_subject_name(cert
);
733 X509_NAME_ENTRY
*entry
;
734 ASN1_STRING
*entry_str
;
735 unsigned char *namebuf
;
736 int nid
= NID_commonName
;
740 if (name
== 0 || (i
= X509_NAME_get_index_by_NID(name
, nid
, -1)) < 0)
742 if ((entry
= X509_NAME_get_entry(name
, i
)) == 0)
744 if ((entry_str
= X509_NAME_ENTRY_get_data(entry
)) == 0)
747 if ((len
= ASN1_STRING_to_UTF8(&namebuf
, entry_str
)) < 0)
749 if (len
<= 0 || check_name((char *) namebuf
, len
) == 0) {
750 OPENSSL_free(namebuf
);
753 return (char *) namebuf
;
756 static int name_check(SSL_DANE
*dane
, X509
*cert
)
762 gens
= X509_get_ext_d2i(cert
, NID_subject_alt_name
, 0, 0);
764 int n
= sk_GENERAL_NAME_num(gens
);
767 for (i
= 0; i
< n
; ++i
) {
768 const GENERAL_NAME
*gn
= sk_GENERAL_NAME_value(gens
, i
);
771 if (gn
->type
!= GEN_DNS
)
774 certid
= parse_dns_name(gn
);
775 if (certid
&& *certid
) {
776 if ((matched
= match_name(certid
, dane
)) == 0)
778 if ((dane
->mhost
= OPENSSL_strdup(certid
)) == 0)
783 GENERAL_NAMES_free(gens
);
787 * XXX: Should the subjectName be skipped when *any* altnames are present,
788 * or only when DNS altnames are present?
790 if (got_altname
== 0) {
791 char *certid
= parse_subject_name(cert
);
792 if (certid
!= 0 && *certid
&& (matched
= match_name(certid
, dane
)) != 0)
793 dane
->mhost
= certid
; /* Already a copy */
798 static int verify_chain(X509_STORE_CTX
*ctx
)
800 DANE_SELECTOR_LIST issuer_rrs
;
801 DANE_SELECTOR_LIST leaf_rrs
;
802 int (*cb
)(int, X509_STORE_CTX
*) = ctx
->verify_cb
;
803 int ssl_idx
= SSL_get_ex_data_X509_STORE_CTX_idx();
804 SSL
*ssl
= X509_STORE_CTX_get_ex_data(ctx
, ssl_idx
);
805 SSL_DANE
*dane
= SSL_get_ex_data(ssl
, dane_idx
);
806 X509
*cert
= ctx
->cert
; /* XXX: accessor? */
808 int chain_length
= sk_X509_num(ctx
->chain
);
810 issuer_rrs
= dane
->selectors
[SSL_DANE_USAGE_LIMIT_ISSUER
];
811 leaf_rrs
= dane
->selectors
[SSL_DANE_USAGE_LIMIT_LEAF
];
812 ctx
->verify
= dane
->verify
;
814 if ((matched
= name_check(dane
, cert
)) < 0) {
815 X509_STORE_CTX_set_error(ctx
, X509_V_ERR_OUT_OF_MEM
);
820 ctx
->error_depth
= 0;
821 ctx
->current_cert
= cert
;
822 X509_STORE_CTX_set_error(ctx
, X509_V_ERR_HOSTNAME_MISMATCH
);
829 * Satisfy at least one usage 0 or 1 constraint, unless we've already
830 * matched a usage 2 trust anchor.
832 * XXX: internal_verify() doesn't callback with top certs that are not
833 * self-issued. This should be fixed in a future OpenSSL.
835 if (dane
->roots
&& sk_X509_num(dane
->roots
)) {
836 #ifndef NO_CALLBACK_WORKAROUND
837 X509
*top
= sk_X509_value(ctx
->chain
, dane
->depth
);
839 if (X509_check_issued(top
, top
) != X509_V_OK
) {
840 ctx
->error_depth
= dane
->depth
;
841 ctx
->current_cert
= top
;
846 /* Pop synthetic trust-anchor ancestors off the chain! */
847 while (--chain_length
> dane
->depth
)
848 X509_free(sk_X509_pop(ctx
->chain
));
849 } else if (issuer_rrs
|| leaf_rrs
) {
850 int n
= chain_length
;
853 * Check for an EE match, then a CA match at depths > 0, and
854 * finally, if the EE cert is self-issued, for a depth 0 CA match.
857 matched
= match(leaf_rrs
, cert
, 0);
858 while (!matched
&& issuer_rrs
&& --n
>= 0) {
859 X509
*xn
= sk_X509_value(ctx
->chain
, n
);
861 if (n
> 0 || X509_check_issued(xn
, xn
) == X509_V_OK
)
862 matched
= match(issuer_rrs
, xn
, n
);
866 X509_STORE_CTX_set_error(ctx
, X509_V_ERR_OUT_OF_MEM
);
871 ctx
->current_cert
= cert
;
872 ctx
->error_depth
= 0;
873 X509_STORE_CTX_set_error(ctx
, X509_V_ERR_CERT_UNTRUSTED
);
879 return ctx
->verify(ctx
);
882 static int verify_cert(X509_STORE_CTX
*ctx
, void *unused_ctx
)
884 static int ssl_idx
= -1;
887 int (*cb
)(int, X509_STORE_CTX
*) = ctx
->verify_cb
;
889 X509
*cert
= ctx
->cert
; /* XXX: accessor? */
892 ssl_idx
= SSL_get_ex_data_X509_STORE_CTX_idx();
894 DANEerr(DANE_F_VERIFY_CERT
, ERR_R_MALLOC_FAILURE
);
898 ssl
= X509_STORE_CTX_get_ex_data(ctx
, ssl_idx
);
899 if ((dane
= SSL_get_ex_data(ssl
, dane_idx
)) == 0 || cert
== 0)
900 return X509_verify_cert(ctx
);
902 if (dane
->selectors
[SSL_DANE_USAGE_FIXED_LEAF
]) {
903 if ((matched
= check_end_entity(ctx
, dane
, cert
)) > 0) {
904 ctx
->error_depth
= 0;
905 ctx
->current_cert
= cert
;
909 X509_STORE_CTX_set_error(ctx
, X509_V_ERR_OUT_OF_MEM
);
914 if (dane
->selectors
[SSL_DANE_USAGE_TRUSTED_CA
]) {
915 if ((matched
= set_trust_anchor(ctx
, dane
, cert
)) < 0) {
916 X509_STORE_CTX_set_error(ctx
, X509_V_ERR_OUT_OF_MEM
);
921 * Check that setting the untrusted chain updates the expected
922 * structure member at the expected offset.
924 X509_STORE_CTX_trusted_stack(ctx
, dane
->roots
);
925 X509_STORE_CTX_set_chain(ctx
, dane
->chain
);
926 OPENSSL_assert(ctx
->untrusted
== dane
->chain
);
931 * Name checks and usage 0/1 constraint enforcement are delayed until
932 * X509_verify_cert() builds the full chain and calls our verify_chain()
935 dane
->verify
= ctx
->verify
;
936 ctx
->verify
= verify_chain
;
938 return X509_verify_cert(ctx
);
941 static dane_list
list_alloc(size_t vsize
)
943 void *value
= (void *) OPENSSL_malloc(vsize
);
947 DANEerr(DANE_F_LIST_ALLOC
, ERR_R_MALLOC_FAILURE
);
950 if ((l
= (dane_list
) OPENSSL_malloc(sizeof(*l
))) == 0) {
952 DANEerr(DANE_F_LIST_ALLOC
, ERR_R_MALLOC_FAILURE
);
960 static void list_free(void *list
, void (*f
)(void *))
962 dane_list head
= (dane_list
) list
;
965 for (/* NOP */; head
; head
= next
) {
967 if (f
&& head
->value
)
973 static void dane_mtype_free(void *p
)
975 list_free(((dane_mtype
) p
)->data
, OPENSSL_freeFunc
);
979 static void dane_selector_free(void *p
)
981 list_free(((dane_selector
) p
)->mtype
, dane_mtype_free
);
985 void DANESSL_cleanup(SSL
*ssl
)
990 if (dane_idx
< 0 || (dane
= SSL_get_ex_data(ssl
, dane_idx
)) == 0)
992 (void) SSL_set_ex_data(ssl
, dane_idx
, 0);
995 list_free(dane
->hosts
, OPENSSL_freeFunc
);
997 OPENSSL_free(dane
->mhost
);
998 for (u
= 0; u
<= SSL_DANE_USAGE_LAST
; ++u
)
999 if (dane
->selectors
[u
])
1000 list_free(dane
->selectors
[u
], dane_selector_free
);
1002 list_free(dane
->pkeys
, pkey_free
);
1004 list_free(dane
->certs
, cert_free
);
1006 sk_X509_pop_free(dane
->roots
, X509_free
);
1008 sk_X509_pop_free(dane
->chain
, X509_free
);
1012 static DANE_HOST_LIST
host_list_init(const char **src
)
1014 DANE_HOST_LIST head
= 0;
1017 DANE_HOST_LIST elem
= (DANE_HOST_LIST
) OPENSSL_malloc(sizeof(*elem
));
1019 list_free(head
, OPENSSL_freeFunc
);
1022 elem
->value
= OPENSSL_strdup(*src
++);
1023 LINSERT(head
, elem
);
1028 int DANESSL_add_tlsa(
1033 unsigned const char *data
,
1038 DANE_SELECTOR_LIST s
= 0;
1039 DANE_MTYPE_LIST m
= 0;
1040 DANE_DATA_LIST d
= 0;
1041 DANE_CERT_LIST xlist
= 0;
1042 DANE_PKEY_LIST klist
= 0;
1043 const EVP_MD
*md
= 0;
1045 if (dane_idx
< 0 || (dane
= SSL_get_ex_data(ssl
, dane_idx
)) == 0) {
1046 DANEerr(DANE_F_SSL_DANE_ADD_TLSA
, DANE_R_DANE_INIT
);
1050 if (usage
> SSL_DANE_USAGE_LAST
) {
1051 DANEerr(DANE_F_SSL_DANE_ADD_TLSA
, DANE_R_BAD_USAGE
);
1054 if (selector
> SSL_DANE_SELECTOR_LAST
) {
1055 DANEerr(DANE_F_SSL_DANE_ADD_TLSA
, DANE_R_BAD_SELECTOR
);
1058 if (mdname
&& (md
= EVP_get_digestbyname(mdname
)) == 0) {
1059 DANEerr(DANE_F_SSL_DANE_ADD_TLSA
, DANE_R_BAD_DIGEST
);
1063 DANEerr(DANE_F_SSL_DANE_ADD_TLSA
, DANE_R_BAD_NULL_DATA
);
1066 if (mdname
&& dlen
!= EVP_MD_size(md
)) {
1067 DANEerr(DANE_F_SSL_DANE_ADD_TLSA
, DANE_R_BAD_DATA_LENGTH
);
1074 const unsigned char *p
= data
;
1076 #define xklistinit(lvar, ltype, var, freeFunc) do { \
1077 (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
1078 if ((lvar) == 0) { \
1079 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, ERR_R_MALLOC_FAILURE); \
1084 lvar->value = var; \
1086 #define xkfreeret(ret) do { \
1087 if (xlist) list_free(xlist, cert_free); \
1088 if (klist) list_free(klist, pkey_free); \
1093 case SSL_DANE_SELECTOR_CERT
:
1094 if (!d2i_X509(&x
, &p
, dlen
) || dlen
!= p
- data
) {
1097 DANEerr(DANE_F_SSL_DANE_ADD_TLSA
, DANE_R_BAD_CERT
);
1100 k
= X509_get_pubkey(x
);
1104 DANEerr(DANE_F_SSL_DANE_ADD_TLSA
, DANE_R_BAD_CERT_PKEY
);
1107 if (usage
== SSL_DANE_USAGE_TRUSTED_CA
)
1108 xklistinit(xlist
, DANE_CERT_LIST
, x
, X509_free
);
1111 case SSL_DANE_SELECTOR_SPKI
:
1112 if (!d2i_PUBKEY(&k
, &p
, dlen
) || dlen
!= p
- data
) {
1115 DANEerr(DANE_F_SSL_DANE_ADD_TLSA
, DANE_R_BAD_PKEY
);
1118 if (usage
== SSL_DANE_USAGE_TRUSTED_CA
)
1119 xklistinit(klist
, DANE_PKEY_LIST
, k
, EVP_PKEY_free
);
1124 /* Find insertion point and don't add duplicate elements. */
1125 for (s
= dane
->selectors
[usage
]; s
; s
= s
->next
)
1126 if (s
->value
->selector
== selector
)
1127 for (m
= s
->value
->mtype
; m
; m
= m
->next
)
1128 if (m
->value
->md
== md
)
1129 for (d
= m
->value
->data
; d
; d
= d
->next
)
1130 if (d
->value
->datalen
== dlen
&&
1131 memcmp(d
->value
->data
, data
, dlen
) == 0)
1134 if ((d
= (DANE_DATA_LIST
) list_alloc(sizeof(*d
->value
) + dlen
)) == 0)
1136 d
->value
->datalen
= dlen
;
1137 memcpy(d
->value
->data
, data
, dlen
);
1139 if ((m
= (DANE_MTYPE_LIST
) list_alloc(sizeof(*m
->value
))) == 0) {
1140 list_free(d
, OPENSSL_freeFunc
);
1144 if ((m
->value
->md
= md
) != 0)
1145 m
->value
->mdlen
= dlen
;
1147 if ((s
= (DANE_SELECTOR_LIST
) list_alloc(sizeof(*s
->value
))) == 0) {
1148 list_free(m
, dane_mtype_free
);
1151 s
->value
->mtype
= 0;
1152 s
->value
->selector
= selector
;
1153 LINSERT(dane
->selectors
[usage
], s
);
1155 LINSERT(s
->value
->mtype
, m
);
1157 LINSERT(m
->value
->data
, d
);
1160 LINSERT(dane
->certs
, xlist
);
1162 LINSERT(dane
->pkeys
, klist
);
1167 int DANESSL_init(SSL
*ssl
, const char *sni_domain
, const char **hostnames
)
1171 #ifdef OPENSSL_INTERNAL
1172 SSL_CTX
*sctx
= SSL_get_SSL_CTX(ssl
);
1174 if (sctx
->app_verify_callback
!= verify_cert
) {
1175 DANEerr(DANE_F_SSL_DANE_INIT
, DANE_R_SCTX_INIT
);
1180 DANEerr(DANE_F_SSL_DANE_INIT
, DANE_R_LIBRARY_INIT
);
1185 if (sni_domain
&& !SSL_set_tlsext_host_name(ssl
, sni_domain
))
1188 if ((dane
= (SSL_DANE
*) OPENSSL_malloc(sizeof(SSL_DANE
))) == 0) {
1189 DANEerr(DANE_F_SSL_DANE_INIT
, ERR_R_MALLOC_FAILURE
);
1192 if (!SSL_set_ex_data(ssl
, dane_idx
, dane
)) {
1193 DANEerr(DANE_F_SSL_DANE_INIT
, ERR_R_MALLOC_FAILURE
);
1203 dane
->mhost
= 0; /* Future SSL control interface */
1204 dane
->multi
= 0; /* Future SSL control interface */
1207 for (i
= 0; i
<= SSL_DANE_USAGE_LAST
; ++i
)
1208 dane
->selectors
[i
] = 0;
1210 if (hostnames
&& (dane
->hosts
= host_list_init(hostnames
)) == 0) {
1211 DANEerr(DANE_F_SSL_DANE_INIT
, ERR_R_MALLOC_FAILURE
);
1212 DANESSL_cleanup(ssl
);
1219 int DANESSL_CTX_init(SSL_CTX
*ctx
)
1221 if (dane_idx
>= 0) {
1222 SSL_CTX_set_cert_verify_callback(ctx
, verify_cert
, 0);
1225 DANEerr(DANE_F_SSL_CTX_DANE_INIT
, DANE_R_LIBRARY_INIT
);
1229 static int init_once(
1230 volatile int *value
,
1232 void (*postinit
)(void)
1237 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX
);
1239 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX
);
1240 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX
);
1249 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX
);
1251 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX
);
1255 static void dane_init(void)
1258 * Store library id in zeroth function slot, used to locate the library
1259 * name. This must be done before we load the error strings.
1261 #ifndef OPENSSL_NO_ERR
1262 dane_str_functs
[0].error
|= ERR_PACK(err_lib_dane
, 0, 0);
1263 ERR_load_strings(err_lib_dane
, dane_str_functs
);
1264 ERR_load_strings(err_lib_dane
, dane_str_reasons
);
1268 * Register SHA-2 digests, if implemented and not already registered.
1270 #if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
1271 if (!EVP_get_digestbyname(LN_sha224
))
1272 EVP_add_digest(EVP_sha224());
1273 if (!EVP_get_digestbyname(LN_sha256
))
1274 EVP_add_digest(EVP_sha256());
1276 #if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
1277 if (!EVP_get_digestbyname(LN_sha384
))
1278 EVP_add_digest(EVP_sha384());
1279 if (!EVP_get_digestbyname(LN_sha512
))
1280 EVP_add_digest(EVP_sha512());
1284 * Register an SSL index for the connection-specific SSL_DANE structure.
1285 * Using a separate index makes it possible to add DANE support to
1286 * existing OpenSSL releases that don't have a suitable pointer in the
1289 dane_idx
= SSL_get_ex_new_index(0, 0, 0, 0, 0);
1292 int DANESSL_library_init(void)
1294 if (err_lib_dane
< 0)
1295 init_once(&err_lib_dane
, ERR_get_next_error_library
, dane_init
);
1297 #if defined(LN_sha256)
1298 /* No DANE without SHA256 support */
1299 if (dane_idx
>= 0 && EVP_get_digestbyname(LN_sha256
) != 0)
1302 DANEerr(DANE_F_SSL_DANE_LIBRARY_INIT
, DANE_R_DANE_SUPPORT
);
1306 #endif /* OPENSSL_VERSION_NUMBER */