projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
LDAP: Fix comment about delimiter
[exim.git] / src / src / dane-openssl.c
CommitLineData
e682570f
TL		 1#include <stdio.h>
2#include <string.h>
3#include <stdint.h>
4
5#include <openssl/opensslv.h>
6#include <openssl/err.h>
7#include <openssl/crypto.h>
8#include <openssl/safestack.h>
9#include <openssl/objects.h>
10#include <openssl/x509.h>
11#include <openssl/x509v3.h>
12#include <openssl/evp.h>
13
14#if OPENSSL_VERSION_NUMBER < 0x1000000fL
880a1e77
JH		 15# error "OpenSSL 1.0.0 or higher required"
16#else /* remainder of file */
e682570f
TL		 17
18#include "danessl.h"
19
20#define DANE_F_ADD_SKID 100
21#define DANE_F_CHECK_END_ENTITY 101
22#define DANE_F_GROW_CHAIN 102
23#define DANE_F_LIST_ALLOC 103
24#define DANE_F_MATCH 104
25#define DANE_F_PUSH_EXT 105
26#define DANE_F_SET_TRUST_ANCHOR 106
27#define DANE_F_SSL_CTX_DANE_INIT 107
28#define DANE_F_SSL_DANE_ADD_TLSA 108
29#define DANE_F_SSL_DANE_INIT 109
30#define DANE_F_SSL_DANE_LIBRARY_INIT 110
31#define DANE_F_VERIFY_CERT 111
32#define DANE_F_WRAP_CERT 112
33
34#define DANE_R_BAD_CERT 100
35#define DANE_R_BAD_CERT_PKEY 101
36#define DANE_R_BAD_DATA_LENGTH 102
37#define DANE_R_BAD_DIGEST 103
38#define DANE_R_BAD_NULL_DATA 104
39#define DANE_R_BAD_PKEY 105
40#define DANE_R_BAD_SELECTOR 106
41#define DANE_R_BAD_USAGE 107
42#define DANE_R_DANE_INIT 108
43#define DANE_R_DANE_SUPPORT 109
44#define DANE_R_LIBRARY_INIT 110
45#define DANE_R_NOSIGN_KEY 111
46#define DANE_R_SCTX_INIT 112
47
48#ifndef OPENSSL_NO_ERR
880a1e77
JH		 49# define DANE_F_PLACEHOLDER 0 /* FIRST! Value TBD */
50static ERR_STRING_DATA dane_str_functs[] =
51{
e682570f
TL		 52 {DANE_F_PLACEHOLDER, "DANE library"}, /* FIRST!!! */
53 {DANE_F_ADD_SKID, "add_skid"},
54 {DANE_F_CHECK_END_ENTITY, "check_end_entity"},
55 {DANE_F_GROW_CHAIN, "grow_chain"},
56 {DANE_F_LIST_ALLOC, "list_alloc"},
57 {DANE_F_MATCH, "match"},
58 {DANE_F_PUSH_EXT, "push_ext"},
59 {DANE_F_SET_TRUST_ANCHOR, "set_trust_anchor"},
60 {DANE_F_SSL_CTX_DANE_INIT, "SSL_CTX_dane_init"},
61 {DANE_F_SSL_DANE_ADD_TLSA, "SSL_dane_add_tlsa"},
62 {DANE_F_SSL_DANE_INIT, "SSL_dane_init"},
63 {DANE_F_SSL_DANE_LIBRARY_INIT, "SSL_dane_library_init"},
64 {DANE_F_VERIFY_CERT, "verify_cert"},
65 {DANE_F_WRAP_CERT, "wrap_cert"},
66 {0, NULL}
67};
880a1e77
JH		 68static ERR_STRING_DATA dane_str_reasons[] =
69{
e682570f
TL		 70 {DANE_R_BAD_CERT, "Bad TLSA record certificate"},
71 {DANE_R_BAD_CERT_PKEY, "Bad TLSA record certificate public key"},
72 {DANE_R_BAD_DATA_LENGTH, "Bad TLSA record digest length"},
73 {DANE_R_BAD_DIGEST, "Bad TLSA record digest"},
74 {DANE_R_BAD_NULL_DATA, "Bad TLSA record null data"},
75 {DANE_R_BAD_PKEY, "Bad TLSA record public key"},
76 {DANE_R_BAD_SELECTOR, "Bad TLSA record selector"},
77 {DANE_R_BAD_USAGE, "Bad TLSA record usage"},
78 {DANE_R_DANE_INIT, "SSL_dane_init() required"},
79 {DANE_R_DANE_SUPPORT, "DANE library features not supported"},
80 {DANE_R_LIBRARY_INIT, "SSL_dane_library_init() required"},
81 {DANE_R_SCTX_INIT, "SSL_CTX_dane_init() required"},
82 {DANE_R_NOSIGN_KEY, "Certificate usage 2 requires EC support"},
83 {0, NULL}
84};
880a1e77 85#endif /*OPENSSL_NO_ERR*/
e682570f
TL		 86
87#define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
88
89static int err_lib_dane = -1;
90static int dane_idx = -1;
91
92#ifdef X509_V_FLAG_PARTIAL_CHAIN /* OpenSSL >= 1.0.2 */
93static int wrap_to_root = 0;
94#else
95static int wrap_to_root = 1;
96#endif
97
98static void (*cert_free)(void *) = (void (*)(void *)) X509_free;
99static void (*pkey_free)(void *) = (void (*)(void *)) EVP_PKEY_free;
100
880a1e77
JH		 101typedef struct dane_list
102{
e682570f
TL		 103 struct dane_list *next;
104 void *value;
105} *dane_list;
106
107#define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0)
108
880a1e77
JH		 109typedef struct dane_host_list
110{
111 struct dane_host_list *next;
e682570f 112 char *value;
880a1e77 113} *dane_host_list;
e682570f 114
880a1e77
JH		 115typedef struct dane_data
116{
e682570f
TL		 117 size_t datalen;
118 unsigned char data[0];
119} *dane_data;
120
880a1e77
JH		 121typedef struct dane_data_list
122{
123 struct dane_data_list *next;
e682570f 124 dane_data value;
880a1e77 125} *dane_data_list;
e682570f 126
880a1e77
JH		 127typedef struct dane_mtype
128{
e682570f
TL		 129 int mdlen;
130 const EVP_MD *md;
880a1e77 131 dane_data_list data;
e682570f
TL		 132} *dane_mtype;
133
880a1e77
JH		 134typedef struct dane_mtype_list
135{
136 struct dane_mtype_list *next;
e682570f 137 dane_mtype value;
880a1e77 138} *dane_mtype_list;
e682570f 139
880a1e77
JH		 140typedef struct dane_selector
141{
e682570f 142 uint8_t selector;
880a1e77 143 dane_mtype_list mtype;
e682570f
TL		 144} *dane_selector;
145
880a1e77
JH		 146typedef struct dane_selector_list
147{
148 struct dane_selector_list *next;
e682570f 149 dane_selector value;
880a1e77 150} *dane_selector_list;
e682570f 151
880a1e77
JH		 152typedef struct dane_pkey_list
153{
154 struct dane_pkey_list *next;
e682570f 155 EVP_PKEY *value;
880a1e77 156} *dane_pkey_list;
e682570f 157
880a1e77
JH		 158typedef struct dane_cert_list
159{
160 struct dane_cert_list *next;
e682570f 161 X509 *value;
880a1e77 162} *dane_cert_list;
e682570f 163
880a1e77
JH		 164typedef struct ssl_dane
165{
e682570f
TL		 166 int (*verify)(X509_STORE_CTX *);
167 STACK_OF(X509) *roots;
168 STACK_OF(X509) *chain;
169 const char *thost; /* TLSA base domain */
170 char *mhost; /* Matched, peer name */
880a1e77
JH		 171 dane_pkey_list pkeys;
172 dane_cert_list certs;
173 dane_host_list hosts;
174 dane_selector_list selectors[SSL_DANE_USAGE_LAST + 1];
e682570f
TL		 175 int depth;
176 int multi; /* Multi-label wildcards? */
177 int count; /* Number of TLSA records */
880a1e77 178} ssl_dane;
e682570f
TL		 179
180#ifndef X509_V_ERR_HOSTNAME_MISMATCH
880a1e77 181# define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION
e682570f
TL		 182#endif
183
880a1e77
JH		 184static int
185match(dane_selector_list slist, X509 *cert, int depth)
e682570f 186{
880a1e77 187int matched;
e682570f 188
880a1e77
JH		 189/*
190 * Note, set_trust_anchor() needs to know whether the match was for a
191 * pkey digest or a certificate digest. We return MATCHED_PKEY or
192 * MATCHED_CERT accordingly.
193 */
e682570f
TL		 194#define MATCHED_CERT (SSL_DANE_SELECTOR_CERT + 1)
195#define MATCHED_PKEY (SSL_DANE_SELECTOR_SPKI + 1)
196
880a1e77
JH		 197/*
198 * Loop over each selector, mtype, and associated data element looking
199 * for a match.
200 */
201for(matched = 0; !matched && slist; slist = slist->next)
202 {
203 dane_mtype_list m;
204 unsigned char mdbuf[EVP_MAX_MD_SIZE];
85098ee7 205 unsigned char *buf = NULL;
880a1e77 206 unsigned char *buf2;
85098ee7 207 unsigned int len = 0;
880a1e77
JH		 208
209 /*
210 * Extract ASN.1 DER form of certificate or public key.
211 */
212 switch(slist->value->selector)
213 {
214 case SSL_DANE_SELECTOR_CERT:
215 len = i2d_X509(cert, NULL);
216 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
217 if(buf) i2d_X509(cert, &buf2);
218 break;
219 case SSL_DANE_SELECTOR_SPKI:
220 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
221 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
222 if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2);
223 break;
224 }
225
226 if(!buf)
227 {
228 DANEerr(DANE_F_MATCH, ERR_R_MALLOC_FAILURE);
229 return 0;
230 }
231 OPENSSL_assert(buf2 - buf == len);
232
233 /*
234 * Loop over each mtype and data element
235 */
236 for(m = slist->value->mtype; !matched && m; m = m->next)
237 {
238 dane_data_list d;
239 unsigned char *cmpbuf = buf;
240 unsigned int cmplen = len;
241
e682570f 242 /*
880a1e77
JH		 243 * If it is a digest, compute the corresponding digest of the
244 * DER data for comparison, otherwise, use the full object.
e682570f 245 */
880a1e77
JH		 246 if(m->value->md)
247 {
248 cmpbuf = mdbuf;
249 if(!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
250 matched = -1;
251 }
252 for(d = m->value->data; !matched && d; d = d->next)
253 if( cmplen == d->value->datalen
254 && memcmp(cmpbuf, d->value->data, cmplen) == 0)
255 matched = slist->value->selector + 1;
e682570f
TL		 256 }
257
880a1e77
JH		 258 OPENSSL_free(buf);
259 }
e682570f 260
880a1e77 261return matched;
e682570f
TL		 262}
263
880a1e77
JH		 264static int
265push_ext(X509 *cert, X509_EXTENSION *ext)
e682570f 266{
880a1e77 267X509_EXTENSIONS *exts;
e682570f 268
880a1e77
JH		 269if(ext)
270 {
271 if(!(exts = cert->cert_info->extensions))
272 exts = cert->cert_info->extensions = sk_X509_EXTENSION_new_null();
273 if (exts && sk_X509_EXTENSION_push(exts, ext))
274 return 1;
275 X509_EXTENSION_free(ext);
276 }
277DANEerr(DANE_F_PUSH_EXT, ERR_R_MALLOC_FAILURE);
278return 0;
e682570f
TL		 279}
280
880a1e77
JH		 281static int
282add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
e682570f 283{
880a1e77 284X509V3_CTX v3ctx;
e682570f 285
880a1e77
JH		 286X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
287return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
e682570f
TL		 288}
289
880a1e77
JH		 290static int
291set_serial(X509 *cert, AUTHORITY_KEYID *akid, X509 *subject)
e682570f 292{
880a1e77
JH		 293int ret = 0;
294BIGNUM *bn;
295
296if(akid && akid->serial)
297 return (X509_set_serialNumber(cert, akid->serial));
298
299/*
300 * Add one to subject's serial to avoid collisions between TA serial and
301 * serial of signing root.
302 */
303if( (bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(subject), 0)) != 0
304 && BN_add_word(bn, 1)
305 && BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(cert)))
306 ret = 1;
307
308if(bn)
309 BN_free(bn);
310return ret;
311}
e682570f 312
880a1e77
JH		 313static int
314add_akid(X509 *cert, AUTHORITY_KEYID *akid)
315{
316int nid = NID_authority_key_identifier;
317ASN1_STRING *id;
318unsigned char c = 0;
319int ret = 0;
320
321/*
322 * 0 will never be our subject keyid from a SHA-1 hash, but it could be
323 * our subject keyid if forced from child's akid. If so, set our
324 * authority keyid to 1. This way we are never self-signed, and thus
325 * exempt from any potential (off by default for now in OpenSSL)
326 * self-signature checks!
327 */
328id = (ASN1_STRING *) ((akid && akid->keyid) ? akid->keyid : 0);
329if(id && M_ASN1_STRING_length(id) == 1 && *M_ASN1_STRING_data(id) == c)
330 c = 1;
331
332if( (akid = AUTHORITY_KEYID_new()) != 0
333 && (akid->keyid = ASN1_OCTET_STRING_new()) != 0
334 && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
335 && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_APPEND))
336 ret = 1;
337if(akid)
338 AUTHORITY_KEYID_free(akid);
339return ret;
e682570f
TL		 340}
341
880a1e77
JH		 342static int
343add_skid(X509 *cert, AUTHORITY_KEYID *akid)
e682570f 344{
880a1e77 345int nid = NID_subject_key_identifier;
e682570f 346
880a1e77
JH		 347if(!akid || !akid->keyid)
348 return add_ext(0, cert, nid, "hash");
349return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_APPEND) > 0;
e682570f
TL		 350}
351
880a1e77
JH		 352static X509_NAME *
353akid_issuer_name(AUTHORITY_KEYID *akid)
e682570f 354{
880a1e77
JH		 355if(akid && akid->issuer)
356 {
357 int i;
358 GENERAL_NAMES *gens = akid->issuer;
e682570f 359
880a1e77
JH		 360 for(i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
361 {
362 GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
e682570f 363
880a1e77
JH		 364 if(gn->type == GEN_DIRNAME)
365 return (gn->d.dirn);
e682570f 366 }
880a1e77
JH		 367 }
368return 0;
e682570f
TL		 369}
370
880a1e77
JH		 371static int
372set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
e682570f 373{
880a1e77
JH		 374X509_NAME *name = akid_issuer_name(akid);
375
376/*
377 * If subject's akid specifies an authority key identifer issuer name, we
378 * must use that.
379 */
380return X509_set_issuer_name(cert,
381 name ? name : X509_get_subject_name(cert));
e682570f
TL		 382}
383
880a1e77
JH		 384static int
385grow_chain(ssl_dane *dane, int trusted, X509 *cert)
e682570f 386{
880a1e77
JH		 387STACK_OF(X509) **xs = trusted ? &dane->roots : &dane->chain;
388static ASN1_OBJECT *serverAuth = 0;
e682570f
TL		 389
390#define UNTRUSTED 0
391#define TRUSTED 1
392
880a1e77
JH		 393if( trusted && !serverAuth
394 && !(serverAuth = OBJ_nid2obj(NID_server_auth)))
395 {
396 DANEerr(DANE_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
397 return 0;
398 }
399if(!*xs && !(*xs = sk_X509_new_null()))
400 {
401 DANEerr(DANE_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
402 return 0;
403 }
404
405if(cert)
406 {
407 if(trusted && !X509_add1_trust_object(cert, serverAuth))
408 return 0;
409 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
410 if (!sk_X509_push(*xs, cert))
411 {
412 X509_free(cert);
413 DANEerr(DANE_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
414 return 0;
e682570f 415 }
880a1e77
JH		 416 }
417return 1;
e682570f
TL		 418}
419
880a1e77
JH		 420static int
421wrap_issuer(ssl_dane *dane, EVP_PKEY *key, X509 *subject, int depth, int top)
e682570f 422{
880a1e77
JH		 423int ret = 1;
424X509 *cert = 0;
425AUTHORITY_KEYID *akid;
426X509_NAME *name = X509_get_issuer_name(subject);
427EVP_PKEY *newkey = key ? key : X509_get_pubkey(subject);
e682570f
TL		 428
429#define WRAP_MID 0 /* Ensure intermediate. */
430#define WRAP_TOP 1 /* Ensure self-signed. */
431
880a1e77
JH		 432if(!name || !newkey || !(cert = X509_new()))
433 return 0;
434
435/*
436 * Record the depth of the trust-anchor certificate.
437 */
438if(dane->depth < 0)
439 dane->depth = depth + 1;
440
441/*
442 * XXX: Uncaught error condition:
443 *
444 * The return value is NULL both when the extension is missing, and when
445 * OpenSSL rans out of memory while parsing the extension.
446 */
447ERR_clear_error();
448akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
449/* XXX: Should we peek at the error stack here??? */
450
451/*
452 * If top is true generate a self-issued root CA, otherwise an
453 * intermediate CA and possibly its self-signed issuer.
454 *
455 * CA cert valid for +/- 30 days
456 */
457if( !X509_set_version(cert, 2)
458 || !set_serial(cert, akid, subject)
459 || !X509_set_subject_name(cert, name)
460 || !set_issuer_name(cert, akid)
461 || !X509_gmtime_adj(X509_get_notBefore(cert), -30 * 86400L)
462 || !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L)
463 || !X509_set_pubkey(cert, newkey)
464 || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
465 || (!top && !add_akid(cert, akid))
466 || !add_skid(cert, akid)
467 || ( !top && wrap_to_root
468 && !wrap_issuer(dane, newkey, cert, depth, WRAP_TOP)))
469 ret = 0;
470
471if(akid)
472 AUTHORITY_KEYID_free(akid);
473if(!key)
474 EVP_PKEY_free(newkey);
475if(ret)
476 ret = grow_chain(dane, !top && wrap_to_root ? UNTRUSTED : TRUSTED, cert);
477if(cert)
478 X509_free(cert);
479return ret;
e682570f
TL		 480}
481
880a1e77
JH		 482static int
483wrap_cert(ssl_dane *dane, X509 *tacert, int depth)
e682570f 484{
880a1e77
JH		 485if(dane->depth < 0)
486 dane->depth = depth + 1;
487
488/*
489 * If the TA certificate is self-issued, or need not be, use it directly.
490 * Otherwise, synthesize requisuite ancestors.
491 */
492if( !wrap_to_root
493 || X509_check_issued(tacert, tacert) == X509_V_OK)
494 return grow_chain(dane, TRUSTED, tacert);
495
496if(wrap_issuer(dane, 0, tacert, depth, WRAP_MID))
497 return grow_chain(dane, UNTRUSTED, tacert);
498return 0;
e682570f
TL		 499}
500
880a1e77
JH		 501static int
502ta_signed(ssl_dane *dane, X509 *cert, int depth)
e682570f 503{
880a1e77
JH		 504dane_cert_list x;
505dane_pkey_list k;
506EVP_PKEY *pk;
507int done = 0;
508
509/*
510 * First check whether issued and signed by a TA cert, this is cheaper
511 * than the bare-public key checks below, since we can determine whether
512 * the candidate TA certificate issued the certificate to be checked
513 * first (name comparisons), before we bother with signature checks
514 * (public key operations).
515 */
516for (x = dane->certs; !done && x; x = x->next)
517 {
518 if(X509_check_issued(x->value, cert) == X509_V_OK)
519 {
520 if(!(pk = X509_get_pubkey(x->value)))
521 {
522 /*
523 * The cert originally contained a valid pkey, which does
524 * not just vanish, so this is most likely a memory error.
525 */
526 done = -1;
527 break;
528 }
529 /* Check signature, since some other TA may work if not this. */
530 if(X509_verify(cert, pk) > 0)
531 done = wrap_cert(dane, x->value, depth) ? 1 : -1;
532 EVP_PKEY_free(pk);
e682570f 533 }
880a1e77
JH		 534 }
535
536/*
537 * With bare TA public keys, we can't check whether the trust chain is
538 * issued by the key, but we can determine whether it is signed by the
539 * key, so we go with that.
540 *
541 * Ideally, the corresponding certificate was presented in the chain, and we
542 * matched it by its public key digest one level up. This code is here
543 * to handle adverse conditions imposed by sloppy administrators of
544 * receiving systems with poorly constructed chains.
545 *
546 * We'd like to optimize out keys that should not match when the cert's
547 * authority key id does not match the key id of this key computed via
548 * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans
549 * ASN1 tag and length thus also excluding the unused bits field that is
550 * logically part of the length). However, some CAs have a non-standard
551 * authority keyid, so we lose. Too bad.
552 *
553 * This may push errors onto the stack when the certificate signature is
554 * not of the right type or length, throw these away,
555 */
556for(k = dane->pkeys; !done && k; k = k->next)
557 if(X509_verify(cert, k->value) > 0)
558 done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
559 else
560 ERR_clear_error();
e682570f 561
880a1e77 562return done;
e682570f
TL		 563}
564
880a1e77
JH		 565static int
566set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
e682570f 567{
880a1e77
JH		 568int matched = 0;
569int n;
570int i;
571int depth = 0;
572EVP_PKEY *takey;
573X509 *ca;
574STACK_OF(X509) *in = ctx->untrusted; /* XXX: Accessor? */
575
576if(!grow_chain(dane, UNTRUSTED, 0))
577 return -1;
578
579/*
580 * Accept a degenerate case: depth 0 self-signed trust-anchor.
581 */
582if(X509_check_issued(cert, cert) == X509_V_OK)
583 {
584 dane->depth = 0;
585 matched = match(dane->selectors[SSL_DANE_USAGE_TRUSTED_CA], cert, 0);
586 if(matched > 0 && !grow_chain(dane, TRUSTED, cert))
587 matched = -1;
588 return matched;
589 }
590
591/* Make a shallow copy of the input untrusted chain. */
592if(!(in = sk_X509_dup(in)))
593 {
594 DANEerr(DANE_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
595 return -1;
596 }
597
598/*
599 * At each iteration we consume the issuer of the current cert. This
600 * reduces the length of the "in" chain by one. If no issuer is found,
601 * we are done. We also stop when a certificate matches a TA in the
602 * peer's TLSA RRset.
603 *
604 * Caller ensures that the initial certificate is not self-signed.
605 */
606for(n = sk_X509_num(in); n > 0; --n, ++depth)
607 {
608 for(i = 0; i < n; ++i)
609 if(X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
610 break;
611
612 /*
613 * Final untrusted element with no issuer in the peer's chain, it may
614 * however be signed by a pkey or cert obtained via a TLSA RR.
615 */
616 if(i == n)
617 break;
618
619 /* Peer's chain contains an issuer ca. */
620 ca = sk_X509_delete(in, i);
621
622 /* If not a trust anchor, record untrusted ca and continue. */
623 if((matched = match(dane->selectors[SSL_DANE_USAGE_TRUSTED_CA], ca, depth+1))
624 == 0)
625 {
626 if(grow_chain(dane, UNTRUSTED, ca))
627 {
628 if(!X509_check_issued(ca, ca) == X509_V_OK)
629 {
630 /* Restart with issuer as subject */
631 cert = ca;
632 continue;
633 }
634 /* Final self-signed element, skip ta_signed() check. */
635 cert = 0;
636 }
637 else
638 matched = -1;
e682570f 639 }
880a1e77
JH		 640 else if(matched == MATCHED_CERT)
641 {
642 if(!wrap_cert(dane, ca, depth))
643 matched = -1;
e682570f 644 }
880a1e77
JH		 645 else if(matched == MATCHED_PKEY)
646 {
647 if( !(takey = X509_get_pubkey(ca))
648 || !wrap_issuer(dane, takey, cert, depth, WRAP_MID))
649 {
650 if(takey)
651 EVP_PKEY_free(takey);
652 else
653 DANEerr(DANE_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
654 matched = -1;
655 }
e682570f 656 }
880a1e77
JH		 657 break;
658 }
e682570f 659
880a1e77
JH		 660/* Shallow free the duplicated input untrusted chain. */
661sk_X509_free(in);
e682570f 662
880a1e77
JH		 663/*
664 * When the loop exits, if "cert" is set, it is not self-signed and has
665 * no issuer in the chain, we check for a possible signature via a DNS
666 * obtained TA cert or public key.
667 */
668if(matched == 0 && cert)
669 matched = ta_signed(dane, cert, depth);
e682570f 670
880a1e77 671return matched;
e682570f
TL		 672}
673
880a1e77
JH		 674static int
675check_end_entity(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
e682570f 676{
880a1e77
JH		 677int matched;
678
679matched = match(dane->selectors[SSL_DANE_USAGE_FIXED_LEAF], cert, 0);
680if(matched > 0)
681 if(!ctx->chain)
85098ee7 682 {
880a1e77
JH		 683 if( (ctx->chain = sk_X509_new_null())
684 && sk_X509_push(ctx->chain, cert))
685 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
686 else
687 {
688 DANEerr(DANE_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE);
689 return -1;
690 }
85098ee7 691 }
880a1e77 692return matched;
e682570f
TL		 693}
694
880a1e77
JH		 695static int
696match_name(const char *certid, ssl_dane *dane)
e682570f 697{
880a1e77
JH		 698int multi = dane->multi;
699dane_host_list hosts;
700
701for(hosts = dane->hosts; hosts; hosts = hosts->next)
702 {
703 int match_subdomain = 0;
704 const char *domain = hosts->value;
705 const char *parent;
706 int idlen;
707 int domlen;
708
709 if(*domain == '.' && domain[1] != '\0')
710 {
711 ++domain;
712 match_subdomain = 1;
e682570f 713 }
880a1e77
JH		 714
715 /*
716 * Sub-domain match: certid is any sub-domain of hostname.
717 */
718 if(match_subdomain)
85098ee7 719 {
880a1e77
JH		 720 if( (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1
721 && certid[idlen - domlen - 1] == '.'
722 && !strcasecmp(certid + (idlen - domlen), domain))
723 return 1;
724 else
725 continue;
85098ee7 726 }
880a1e77
JH		 727
728 /*
729 * Exact match and initial "*" match. The initial "*" in a certid
730 * matches one (if multi is false) or more hostname components under
731 * the condition that the certid contains multiple hostname components.
732 */
733 if( !strcasecmp(certid, domain)
734 || ( certid[0] == '*' && certid[1] == '.' && certid[2] != 0
735 && (parent = strchr(domain, '.')) != 0
736 && (idlen = strlen(certid + 1)) <= (domlen = strlen(parent))
737 && strcasecmp(multi ? parent + domlen - idlen : parent, certid+1) == 0))
738 return 1;
739 }
740return 0;
e682570f
TL		 741}
742
880a1e77
JH		 743static char *
744check_name(char *name, int len)
e682570f 745{
880a1e77
JH		 746char *cp = name + len;
747
748while(len > 0 && !*--cp)
749 --len; /* Ignore trailing NULs */
750if(len <= 0)
751 return 0;
752for(cp = name; *cp; cp++)
753 {
754 char c = *cp;
755 if (!((c >= 'a' && c <= 'z') ||
756 (c >= '0' && c <= '9') ||
757 (c >= 'A' && c <= 'Z') ||
758 (c == '.' || c == '-') ||
759 (c == '*')))
760 return 0; /* Only LDH, '.' and '*' */
761 }
762if(cp - name != len) /* Guard against internal NULs */
763 return 0;
764return name;
e682570f
TL		 765}
766
880a1e77
JH		 767static char *
768parse_dns_name(const GENERAL_NAME *gn)
e682570f 769{
880a1e77
JH		 770if(gn->type != GEN_DNS)
771 return 0;
772if(ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
773 return 0;
774return check_name((char *) ASN1_STRING_data(gn->d.ia5),
775 ASN1_STRING_length(gn->d.ia5));
e682570f
TL		 776}
777
880a1e77
JH		 778static char *
779parse_subject_name(X509 *cert)
e682570f 780{
880a1e77
JH		 781X509_NAME *name = X509_get_subject_name(cert);
782X509_NAME_ENTRY *entry;
783ASN1_STRING *entry_str;
784unsigned char *namebuf;
785int nid = NID_commonName;
786int len;
787int i;
788
789if(!name || (i = X509_NAME_get_index_by_NID(name, nid, -1)) < 0)
790 return 0;
791if(!(entry = X509_NAME_get_entry(name, i)))
792 return 0;
793if(!(entry_str = X509_NAME_ENTRY_get_data(entry)))
794 return 0;
795
796if((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0)
797 return 0;
798if(len <= 0 || check_name((char *) namebuf, len) == 0)
799 {
800 OPENSSL_free(namebuf);
801 return 0;
802 }
803return (char *) namebuf;
e682570f
TL		 804}
805
880a1e77
JH		 806static int
807name_check(ssl_dane *dane, X509 *cert)
e682570f 808{
880a1e77
JH		 809int matched = 0;
810BOOL got_altname = FALSE;
811GENERAL_NAMES *gens;
812
813gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
814if(gens)
815 {
816 int n = sk_GENERAL_NAME_num(gens);
817 int i;
818
819 for(i = 0; i < n; ++i)
820 {
821 const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
822 const char *certid;
823
824 if(gn->type != GEN_DNS)
825 continue;
826 got_altname = TRUE;
827 certid = parse_dns_name(gn);
828 if(certid && *certid)
829 {
830 if((matched = match_name(certid, dane)) == 0)
831 continue;
832 if(!(dane->mhost = OPENSSL_strdup(certid)))
833 matched = -1;
834 break;
835 }
e682570f 836 }
880a1e77
JH		 837 GENERAL_NAMES_free(gens);
838 }
839
840/*
841 * XXX: Should the subjectName be skipped when *any* altnames are present,
842 * or only when DNS altnames are present?
843 */
844if(got_altname)
845 {
846 char *certid = parse_subject_name(cert);
847 if(certid != 0 && *certid && (matched = match_name(certid, dane)) != 0)
848 dane->mhost = certid; /* Already a copy */
849 }
850return matched;
e682570f
TL		 851}
852
880a1e77
JH		 853static int
854verify_chain(X509_STORE_CTX *ctx)
e682570f 855{
880a1e77
JH		 856dane_selector_list issuer_rrs;
857dane_selector_list leaf_rrs;
858int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
859int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
860SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
861ssl_dane *dane = SSL_get_ex_data(ssl, dane_idx);
862X509 *cert = ctx->cert; /* XXX: accessor? */
863int matched = 0;
864int chain_length = sk_X509_num(ctx->chain);
865
e5cccda9 866DEBUG(D_tls) debug_printf("Dane verify-chain\n");
6634ac8d 867
880a1e77
JH		 868issuer_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_ISSUER];
869leaf_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_LEAF];
870ctx->verify = dane->verify;
871
872if((matched = name_check(dane, cert)) < 0)
873 {
874 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
875 return 0;
876 }
877
878if(!matched)
879 {
880 ctx->error_depth = 0;
881 ctx->current_cert = cert;
882 X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
883 if(!cb(0, ctx))
884 return 0;
885 }
886matched = 0;
887
888/*
889 * Satisfy at least one usage 0 or 1 constraint, unless we've already
890 * matched a usage 2 trust anchor.
891 *
892 * XXX: internal_verify() doesn't callback with top certs that are not
893 * self-issued. This should be fixed in a future OpenSSL.
894 */
895if(dane->roots && sk_X509_num(dane->roots))
896 {
897#ifndef NO_CALLBACK_WORKAROUND
898 X509 *top = sk_X509_value(ctx->chain, dane->depth);
899
900 if(X509_check_issued(top, top) != X509_V_OK)
901 {
902 ctx->error_depth = dane->depth;
903 ctx->current_cert = top;
904 if(!cb(1, ctx))
905 return 0;
906 }
907#endif
908 /* Pop synthetic trust-anchor ancestors off the chain! */
909 while (--chain_length > dane->depth)
910 X509_free(sk_X509_pop(ctx->chain));
911 }
912else if(issuer_rrs || leaf_rrs)
913 {
914 int n = chain_length;
915
916 /*
917 * Check for an EE match, then a CA match at depths > 0, and
918 * finally, if the EE cert is self-issued, for a depth 0 CA match.
919 */
920 if(leaf_rrs)
921 matched = match(leaf_rrs, cert, 0);
922 while(!matched && issuer_rrs && --n >= 0)
923 {
924 X509 *xn = sk_X509_value(ctx->chain, n);
925
926 if(n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
927 matched = match(issuer_rrs, xn, n);
e682570f
TL		 928 }
929
880a1e77
JH		 930 if(matched < 0)
931 {
932 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
933 return 0;
e682570f 934 }
e682570f 935
880a1e77
JH		 936 if(!matched)
937 {
938 ctx->current_cert = cert;
939 ctx->error_depth = 0;
940 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
941 if(!cb(0, ctx))
942 return 0;
e682570f 943 }
880a1e77 944 }
e682570f 945
880a1e77 946return ctx->verify(ctx);
e682570f
TL		 947}
948
880a1e77
JH		 949static int
950verify_cert(X509_STORE_CTX *ctx, void *unused_ctx)
e682570f 951{
880a1e77
JH		 952static int ssl_idx = -1;
953SSL *ssl;
954ssl_dane *dane;
955int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
956int matched;
957X509 *cert = ctx->cert; /* XXX: accessor? */
958
e5cccda9 959DEBUG(D_tls) debug_printf("Dane verify-cert\n");
6634ac8d 960
880a1e77
JH		 961if(ssl_idx < 0)
962 ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
963if(dane_idx < 0)
964 {
965 DANEerr(DANE_F_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
966 return -1;
967 }
968
969ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
970if(!(dane = SSL_get_ex_data(ssl, dane_idx)) || !cert)
971 return X509_verify_cert(ctx);
972
973if(dane->selectors[SSL_DANE_USAGE_FIXED_LEAF])
974 {
975 if((matched = check_end_entity(ctx, dane, cert)) > 0)
976 {
977 ctx->error_depth = 0;
978 ctx->current_cert = cert;
979 return cb(1, ctx);
e682570f 980 }
880a1e77
JH		 981 if(matched < 0)
982 {
983 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
984 return -1;
e682570f 985 }
880a1e77 986 }
e682570f 987
880a1e77
JH		 988if(dane->selectors[SSL_DANE_USAGE_TRUSTED_CA])
989 {
990 if((matched = set_trust_anchor(ctx, dane, cert)) < 0)
991 {
992 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
993 return -1;
e682570f 994 }
880a1e77
JH		 995 if(matched)
996 {
e682570f 997 /*
880a1e77
JH		 998 * Check that setting the untrusted chain updates the expected
999 * structure member at the expected offset.
e682570f 1000 */
880a1e77
JH		 1001 X509_STORE_CTX_trusted_stack(ctx, dane->roots);
1002 X509_STORE_CTX_set_chain(ctx, dane->chain);
1003 OPENSSL_assert(ctx->untrusted == dane->chain);
1004 }
1005 }
e682570f 1006
880a1e77
JH		 1007/*
1008 * Name checks and usage 0/1 constraint enforcement are delayed until
1009 * X509_verify_cert() builds the full chain and calls our verify_chain()
1010 * wrapper.
1011 */
1012dane->verify = ctx->verify;
1013ctx->verify = verify_chain;
1014
1015return X509_verify_cert(ctx);
e682570f
TL		 1016}
1017
880a1e77
JH		 1018static dane_list
1019list_alloc(size_t vsize)
e682570f 1020{
880a1e77
JH		 1021void *value = (void *) OPENSSL_malloc(vsize);
1022dane_list l;
1023
1024if(!value)
1025 {
1026 DANEerr(DANE_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1027 return 0;
1028 }
1029if(!(l = (dane_list) OPENSSL_malloc(sizeof(*l))))
1030 {
1031 OPENSSL_free(value);
1032 DANEerr(DANE_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1033 return 0;
1034 }
1035l->next = 0;
1036l->value = value;
1037return l;
e682570f
TL		 1038}
1039
880a1e77
JH		 1040static void
1041list_free(void *list, void (*f)(void *))
e682570f 1042{
880a1e77
JH		 1043dane_list head;
1044dane_list next;
1045
1046for(head = (dane_list) list; head; head = next)
1047 {
1048 next = head->next;
1049 if (f && head->value)
1050 f(head->value);
1051 OPENSSL_free(head);
1052 }
e682570f
TL		 1053}
1054
880a1e77
JH		 1055static void
1056dane_mtype_free(void *p)
e682570f 1057{
880a1e77
JH		 1058list_free(((dane_mtype) p)->data, OPENSSL_freeFunc);
1059OPENSSL_free(p);
e682570f
TL		 1060}
1061
880a1e77
JH		 1062static void
1063dane_selector_free(void *p)
e682570f 1064{
880a1e77
JH		 1065list_free(((dane_selector) p)->mtype, dane_mtype_free);
1066OPENSSL_free(p);
e682570f
TL		 1067}
1068
946ecbe0
JH		 1069
1070
1071/*
1072
1073Tidy up once the connection is finished with.
1074
1075Arguments
1076 ssl The ssl connection handle
1077
1078=> Before calling SSL_free()
1079tls_close() and tls_getc() [the error path] are the obvious places.
1080Could we do it earlier - right after verification? In tls_client_start()
1081right after SSL_connect() returns, in that case.
1082
1083*/
1084
880a1e77
JH		 1085void
1086DANESSL_cleanup(SSL *ssl)
e682570f 1087{
880a1e77
JH		 1088ssl_dane *dane;
1089int u;
1090
e5cccda9 1091DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
6634ac8d 1092
880a1e77
JH		 1093if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1094 return;
1095(void) SSL_set_ex_data(ssl, dane_idx, 0);
1096
1097if(dane->hosts)
1098 list_free(dane->hosts, OPENSSL_freeFunc);
1099if(dane->mhost)
1100 OPENSSL_free(dane->mhost);
1101for(u = 0; u <= SSL_DANE_USAGE_LAST; ++u)
1102 if(dane->selectors[u])
1103 list_free(dane->selectors[u], dane_selector_free);
1104if(dane->pkeys)
1105 list_free(dane->pkeys, pkey_free);
1106if(dane->certs)
1107 list_free(dane->certs, cert_free);
1108if(dane->roots)
1109 sk_X509_pop_free(dane->roots, X509_free);
1110if(dane->chain)
1111 sk_X509_pop_free(dane->chain, X509_free);
1112OPENSSL_free(dane);
e682570f
TL		 1113}
1114
880a1e77
JH		 1115static dane_host_list
1116host_list_init(const char **src)
e682570f 1117{
880a1e77
JH		 1118dane_host_list head = NULL;
1119
1120while(*src)
1121 {
1122 dane_host_list elem = (dane_host_list) OPENSSL_malloc(sizeof(*elem));
1123 if(!elem)
1124 {
1125 list_free(head, OPENSSL_freeFunc);
1126 return 0;
e682570f 1127 }
880a1e77
JH		 1128 elem->value = OPENSSL_strdup(*src++);
1129 LINSERT(head, elem);
1130 }
1131return head;
e682570f
TL		 1132}
1133
946ecbe0
JH		 1134
1135
1136
1137/*
1138
1139Call this for each TLSA record found for the target, after the
1140DANE setup has been done on the ssl connection handle.
1141
1142Arguments:
1143 ssl Connection handle
1144 usage TLSA record field
1145 selector TLSA record field
1146 mdname ??? message digest name?
1147 data ??? TLSA record megalump?
1148 dlen length of data
1149
1150Return
1151 -1 on error
1152 0 action not taken
1153 1 record accepted
1154*/
1155
880a1e77
JH		 1156int
1157DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
1158 unsigned const char *data, size_t dlen)
e682570f 1159{
880a1e77
JH		 1160ssl_dane *dane;
1161dane_selector_list s = 0;
1162dane_mtype_list m = 0;
1163dane_data_list d = 0;
1164dane_cert_list xlist = 0;
1165dane_pkey_list klist = 0;
1166const EVP_MD *md = 0;
1167
b4161d10
JH		 1168DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
1169 usage, selector, mdname);
6634ac8d 1170
880a1e77
JH		 1171if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1172 {
1173 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_DANE_INIT);
1174 return -1;
1175 }
1176
1177if(usage > SSL_DANE_USAGE_LAST)
1178 {
1179 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_USAGE);
1180 return 0;
1181 }
1182if(selector > SSL_DANE_SELECTOR_LAST)
1183 {
1184 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_SELECTOR);
1185 return 0;
1186 }
1187if(mdname && !(md = EVP_get_digestbyname(mdname)))
1188 {
1189 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_DIGEST);
1190 return 0;
1191 }
1192if(!data)
1193 {
1194 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_NULL_DATA);
1195 return 0;
1196 }
1197if(mdname && dlen != EVP_MD_size(md))
1198 {
1199 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_DATA_LENGTH);
1200 return 0;
1201 }
1202
1203if(!mdname)
1204 {
1205 X509 *x = 0;
1206 EVP_PKEY *k = 0;
1207 const unsigned char *p = data;
e682570f
TL		 1208
1209#define xklistinit(lvar, ltype, var, freeFunc) do { \
880a1e77
JH		 1210 (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
1211 if (!(lvar)) { \
1212 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, ERR_R_MALLOC_FAILURE); \
1213 freeFunc((var)); \
1214 return 0; \
1215 } \
1216 (lvar)->next = 0; \
1217 lvar->value = var; \
1218 } while (0)
e682570f 1219#define xkfreeret(ret) do { \
880a1e77
JH		 1220 if (xlist) list_free(xlist, cert_free); \
1221 if (klist) list_free(klist, pkey_free); \
1222 return (ret); \
1223 } while (0)
1224
1225 switch(selector)
1226 {
1227 case SSL_DANE_SELECTOR_CERT:
1228 if(!d2i_X509(&x, &p, dlen) || dlen != p - data)
1229 {
1230 if (x)
1231 X509_free(x);
1232 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_CERT);
1233 return 0;
1234 }
1235 k = X509_get_pubkey(x);
1236 EVP_PKEY_free(k);
1237 if(!k)
1238 {
1239 X509_free(x);
1240 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_CERT_PKEY);
1241 return 0;
1242 }
1243 if(usage == SSL_DANE_USAGE_TRUSTED_CA)
1244 xklistinit(xlist, dane_cert_list, x, X509_free);
1245 break;
1246
1247 case SSL_DANE_SELECTOR_SPKI:
1248 if(!d2i_PUBKEY(&k, &p, dlen) || dlen != p - data)
1249 {
1250 if(k)
1251 EVP_PKEY_free(k);
1252 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_PKEY);
1253 return 0;
1254 }
1255 if(usage == SSL_DANE_USAGE_TRUSTED_CA)
1256 xklistinit(klist, dane_pkey_list, k, EVP_PKEY_free);
1257 break;
e682570f 1258 }
880a1e77
JH		 1259 }
1260
1261/* Find insertion point and don't add duplicate elements. */
1262for(s = dane->selectors[usage]; s; s = s->next)
1263 if(s->value->selector == selector)
1264 for(m = s->value->mtype; m; m = m->next)
1265 if(m->value->md == md)
1266 for(d = m->value->data; d; d = d->next)
1267 if( d->value->datalen == dlen
1268 && memcmp(d->value->data, data, dlen) == 0)
1269 xkfreeret(1);
1270
1271if(!(d = (dane_data_list) list_alloc(sizeof(*d->value) + dlen)))
1272 xkfreeret(0);
1273d->value->datalen = dlen;
1274memcpy(d->value->data, data, dlen);
1275if(!m)
1276 {
1277 if(!(m = (dane_mtype_list) list_alloc(sizeof(*m->value))))
1278 {
1279 list_free(d, OPENSSL_freeFunc);
1280 xkfreeret(0);
e682570f 1281 }
880a1e77
JH		 1282 m->value->data = 0;
1283 if((m->value->md = md) != 0)
1284 m->value->mdlen = dlen;
1285 if(!s)
1286 {
1287 if(!(s = (dane_selector_list) list_alloc(sizeof(*s->value))))
1288 {
1289 list_free(m, dane_mtype_free);
1290 xkfreeret(0);
1291 }
1292 s->value->mtype = 0;
1293 s->value->selector = selector;
1294 LINSERT(dane->selectors[usage], s);
1295 }
1296 LINSERT(s->value->mtype, m);
1297 }
1298LINSERT(m->value->data, d);
1299
1300if(xlist)
1301 LINSERT(dane->certs, xlist);
1302else if(klist)
1303 LINSERT(dane->pkeys, klist);
1304++dane->count;
1305return 1;
e682570f
TL		 1306}
1307
946ecbe0
JH		 1308
1309
1310
1311/*
1312Call this once we have an ssl connection handle but before
1313making the TLS connection.
1314
1315=> In tls_client_start() after the call to SSL_new()
1316and before the call to SSL_connect(). Exactly where
1317probably does not matter.
1318We probably want to keep our existing SNI handling;
1319call this with NULL.
1320
1321Arguments:
1322 ssl Connection handle
1323 sni_domain Optional peer server name
868f5672 1324 hostnames list of names to chack against peer cert
946ecbe0
JH		 1325
1326Return
1327 -1 on fatal error
1328 0 nonfatal error
1329 1 success
1330*/
1331
880a1e77
JH		 1332int
1333DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
e682570f 1334{
880a1e77
JH		 1335ssl_dane *dane;
1336int i;
e682570f 1337#ifdef OPENSSL_INTERNAL
880a1e77 1338SSL_CTX *sctx = SSL_get_SSL_CTX(ssl);
e682570f 1339
6634ac8d 1340
880a1e77
JH		 1341if(sctx->app_verify_callback != verify_cert)
1342 {
1343 DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_SCTX_INIT);
1344 return -1;
1345 }
e682570f 1346#else
b4161d10 1347DEBUG(D_tls) debug_printf("Dane ssl-init\n");
880a1e77
JH		 1348if(dane_idx < 0)
1349 {
1350 DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_LIBRARY_INIT);
1351 return -1;
1352 }
e682570f
TL		 1353#endif
1354
880a1e77
JH		 1355if(sni_domain && !SSL_set_tlsext_host_name(ssl, sni_domain))
1356 return 0;
e682570f 1357
880a1e77
JH		 1358if(!(dane = (ssl_dane *) OPENSSL_malloc(sizeof(ssl_dane))))
1359 {
1360 DANEerr(DANE_F_SSL_DANE_INIT, ERR_R_MALLOC_FAILURE);
1361 return 0;
1362 }
1363if(!SSL_set_ex_data(ssl, dane_idx, dane))
1364 {
1365 DANEerr(DANE_F_SSL_DANE_INIT, ERR_R_MALLOC_FAILURE);
1366 OPENSSL_free(dane);
1367 return 0;
1368 }
1369
6634ac8d
JH		 1370dane->verify = 0;
1371dane->hosts = 0;
1372dane->thost = 0;
880a1e77
JH		 1373dane->pkeys = 0;
1374dane->certs = 0;
1375dane->chain = 0;
1376dane->roots = 0;
1377dane->depth = -1;
1378dane->mhost = 0; /* Future SSL control interface */
1379dane->multi = 0; /* Future SSL control interface */
1380dane->count = 0;
1381
1382for(i = 0; i <= SSL_DANE_USAGE_LAST; ++i)
1383 dane->selectors[i] = 0;
1384
1385if(hostnames && !(dane->hosts = host_list_init(hostnames)))
1386 {
1387 DANEerr(DANE_F_SSL_DANE_INIT, ERR_R_MALLOC_FAILURE);
1388 DANESSL_cleanup(ssl);
1389 return 0;
1390 }
1391
1392return 1;
e682570f
TL		 1393}
1394
946ecbe0
JH		 1395
1396/*
1397
1398Call this once we have a context to work with, but
1399before DANESSL_init()
1400
1401=> in tls_client_start(), after tls_init() call gives us the ctx,
1402if we decide we want to (policy) and can (TLSA records available)
1403replacing (? what about fallback) everything from testing tls_verify_hosts
1404down to just before calling SSL_new() for the conn handle.
1405
1406Arguments
1407 ctx SSL context
1408
1409Return
1410 -1 Error
1411 1 Success
1412*/
1413
880a1e77
JH		 1414int
1415DANESSL_CTX_init(SSL_CTX *ctx)
e682570f 1416{
6634ac8d 1417DEBUG(D_tls) debug_printf("Dane ctx-init\n");
880a1e77
JH		 1418if(dane_idx >= 0)
1419 {
1420 SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
1421 return 1;
1422 }
1423DANEerr(DANE_F_SSL_CTX_DANE_INIT, DANE_R_LIBRARY_INIT);
1424return -1;
e682570f
TL		 1425}
1426
880a1e77
JH		 1427static int
1428init_once(volatile int *value, int (*init)(void), void (*postinit)(void))
e682570f 1429{
880a1e77
JH		 1430int wlock = 0;
1431
1432CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
1433if(*value < 0)
1434 {
1435 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1436 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1437 wlock = 1;
1438 if(*value < 0)
1439 {
1440 *value = init();
1441 if(postinit)
1442 postinit();
e682570f 1443 }
880a1e77
JH		 1444 }
1445if (wlock)
1446 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1447else
1448 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1449return *value;
e682570f
TL		 1450}
1451
880a1e77
JH		 1452static void
1453dane_init(void)
e682570f 1454{
880a1e77
JH		 1455/*
1456 * Store library id in zeroth function slot, used to locate the library
1457 * name. This must be done before we load the error strings.
1458 */
e682570f 1459#ifndef OPENSSL_NO_ERR
880a1e77
JH		 1460dane_str_functs[0].error |= ERR_PACK(err_lib_dane, 0, 0);
1461ERR_load_strings(err_lib_dane, dane_str_functs);
1462ERR_load_strings(err_lib_dane, dane_str_reasons);
e682570f
TL		 1463#endif
1464
880a1e77
JH		 1465/*
1466 * Register SHA-2 digests, if implemented and not already registered.
1467 */
e682570f 1468#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
880a1e77
JH		 1469if(!EVP_get_digestbyname(LN_sha224)) EVP_add_digest(EVP_sha224());
1470if(!EVP_get_digestbyname(LN_sha256)) EVP_add_digest(EVP_sha256());
e682570f
TL		 1471#endif
1472#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
880a1e77
JH		 1473if(!EVP_get_digestbyname(LN_sha384)) EVP_add_digest(EVP_sha384());
1474if(!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
e682570f
TL		 1475#endif
1476
880a1e77
JH		 1477/*
1478 * Register an SSL index for the connection-specific ssl_dane structure.
1479 * Using a separate index makes it possible to add DANE support to
1480 * existing OpenSSL releases that don't have a suitable pointer in the
1481 * SSL structure.
1482 */
1483dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
e682570f
TL		 1484}
1485
946ecbe0
JH		 1486
1487
1488/*
1489
1490Call this once. Probably early in startup will do; may need
1491to be after SSL library init.
1492
043b1248
JH		 1493=> put after call to tls_init() for now
1494
1495Return
1496 1 Success
1497 0 Fail
946ecbe0
JH		 1498*/
1499
880a1e77
JH		 1500int
1501DANESSL_library_init(void)
e682570f 1502{
6634ac8d 1503DEBUG(D_tls) debug_printf("Dane lib-init\n");
880a1e77
JH		 1504if(err_lib_dane < 0)
1505 init_once(&err_lib_dane, ERR_get_next_error_library, dane_init);
e682570f
TL		 1506
1507#if defined(LN_sha256)
880a1e77
JH		 1508/* No DANE without SHA256 support */
1509if(dane_idx >= 0 && EVP_get_digestbyname(LN_sha256) != 0)
1510 return 1;
e682570f 1511#endif
880a1e77
JH		 1512
1513DANEerr(DANE_F_SSL_DANE_LIBRARY_INIT, DANE_R_DANE_SUPPORT);
1514return 0;
e682570f
TL		 1515}
1516
946ecbe0 1517
e682570f 1518#endif /* OPENSSL_VERSION_NUMBER */
880a1e77
JH		 1519/* vi: aw ai sw=2
1520*/
Unnamed repository; edit this file 'description' to name the repository.