DANE: fix testcase 2/0/1 TLSA record
[exim.git] / src / src / dane-openssl.c
CommitLineData
e682570f
TL
1#include <stdio.h>
2#include <string.h>
3#include <stdint.h>
4
5#include <openssl/opensslv.h>
6#include <openssl/err.h>
7#include <openssl/crypto.h>
8#include <openssl/safestack.h>
9#include <openssl/objects.h>
10#include <openssl/x509.h>
11#include <openssl/x509v3.h>
12#include <openssl/evp.h>
13
14#if OPENSSL_VERSION_NUMBER < 0x1000000fL
880a1e77
JH
15# error "OpenSSL 1.0.0 or higher required"
16#else /* remainder of file */
e682570f
TL
17
18#include "danessl.h"
19
20#define DANE_F_ADD_SKID 100
21#define DANE_F_CHECK_END_ENTITY 101
22#define DANE_F_GROW_CHAIN 102
23#define DANE_F_LIST_ALLOC 103
24#define DANE_F_MATCH 104
25#define DANE_F_PUSH_EXT 105
26#define DANE_F_SET_TRUST_ANCHOR 106
27#define DANE_F_SSL_CTX_DANE_INIT 107
28#define DANE_F_SSL_DANE_ADD_TLSA 108
29#define DANE_F_SSL_DANE_INIT 109
30#define DANE_F_SSL_DANE_LIBRARY_INIT 110
31#define DANE_F_VERIFY_CERT 111
32#define DANE_F_WRAP_CERT 112
33
34#define DANE_R_BAD_CERT 100
35#define DANE_R_BAD_CERT_PKEY 101
36#define DANE_R_BAD_DATA_LENGTH 102
37#define DANE_R_BAD_DIGEST 103
38#define DANE_R_BAD_NULL_DATA 104
39#define DANE_R_BAD_PKEY 105
40#define DANE_R_BAD_SELECTOR 106
41#define DANE_R_BAD_USAGE 107
42#define DANE_R_DANE_INIT 108
43#define DANE_R_DANE_SUPPORT 109
44#define DANE_R_LIBRARY_INIT 110
45#define DANE_R_NOSIGN_KEY 111
46#define DANE_R_SCTX_INIT 112
47
48#ifndef OPENSSL_NO_ERR
880a1e77
JH
49# define DANE_F_PLACEHOLDER 0 /* FIRST! Value TBD */
50static ERR_STRING_DATA dane_str_functs[] =
51{
e682570f
TL
52 {DANE_F_PLACEHOLDER, "DANE library"}, /* FIRST!!! */
53 {DANE_F_ADD_SKID, "add_skid"},
54 {DANE_F_CHECK_END_ENTITY, "check_end_entity"},
55 {DANE_F_GROW_CHAIN, "grow_chain"},
56 {DANE_F_LIST_ALLOC, "list_alloc"},
57 {DANE_F_MATCH, "match"},
58 {DANE_F_PUSH_EXT, "push_ext"},
59 {DANE_F_SET_TRUST_ANCHOR, "set_trust_anchor"},
60 {DANE_F_SSL_CTX_DANE_INIT, "SSL_CTX_dane_init"},
61 {DANE_F_SSL_DANE_ADD_TLSA, "SSL_dane_add_tlsa"},
62 {DANE_F_SSL_DANE_INIT, "SSL_dane_init"},
63 {DANE_F_SSL_DANE_LIBRARY_INIT, "SSL_dane_library_init"},
64 {DANE_F_VERIFY_CERT, "verify_cert"},
65 {DANE_F_WRAP_CERT, "wrap_cert"},
66 {0, NULL}
67};
880a1e77
JH
68static ERR_STRING_DATA dane_str_reasons[] =
69{
e682570f
TL
70 {DANE_R_BAD_CERT, "Bad TLSA record certificate"},
71 {DANE_R_BAD_CERT_PKEY, "Bad TLSA record certificate public key"},
72 {DANE_R_BAD_DATA_LENGTH, "Bad TLSA record digest length"},
73 {DANE_R_BAD_DIGEST, "Bad TLSA record digest"},
74 {DANE_R_BAD_NULL_DATA, "Bad TLSA record null data"},
75 {DANE_R_BAD_PKEY, "Bad TLSA record public key"},
76 {DANE_R_BAD_SELECTOR, "Bad TLSA record selector"},
77 {DANE_R_BAD_USAGE, "Bad TLSA record usage"},
78 {DANE_R_DANE_INIT, "SSL_dane_init() required"},
79 {DANE_R_DANE_SUPPORT, "DANE library features not supported"},
80 {DANE_R_LIBRARY_INIT, "SSL_dane_library_init() required"},
81 {DANE_R_SCTX_INIT, "SSL_CTX_dane_init() required"},
82 {DANE_R_NOSIGN_KEY, "Certificate usage 2 requires EC support"},
83 {0, NULL}
84};
880a1e77 85#endif /*OPENSSL_NO_ERR*/
e682570f
TL
86
87#define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
88
89static int err_lib_dane = -1;
90static int dane_idx = -1;
91
92#ifdef X509_V_FLAG_PARTIAL_CHAIN /* OpenSSL >= 1.0.2 */
93static int wrap_to_root = 0;
94#else
95static int wrap_to_root = 1;
96#endif
97
98static void (*cert_free)(void *) = (void (*)(void *)) X509_free;
99static void (*pkey_free)(void *) = (void (*)(void *)) EVP_PKEY_free;
100
880a1e77
JH
101typedef struct dane_list
102{
e682570f
TL
103 struct dane_list *next;
104 void *value;
105} *dane_list;
106
107#define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0)
108
880a1e77
JH
109typedef struct dane_host_list
110{
111 struct dane_host_list *next;
e682570f 112 char *value;
880a1e77 113} *dane_host_list;
e682570f 114
880a1e77
JH
115typedef struct dane_data
116{
e682570f
TL
117 size_t datalen;
118 unsigned char data[0];
119} *dane_data;
120
880a1e77
JH
121typedef struct dane_data_list
122{
123 struct dane_data_list *next;
e682570f 124 dane_data value;
880a1e77 125} *dane_data_list;
e682570f 126
880a1e77
JH
127typedef struct dane_mtype
128{
e682570f
TL
129 int mdlen;
130 const EVP_MD *md;
880a1e77 131 dane_data_list data;
e682570f
TL
132} *dane_mtype;
133
880a1e77
JH
134typedef struct dane_mtype_list
135{
136 struct dane_mtype_list *next;
e682570f 137 dane_mtype value;
880a1e77 138} *dane_mtype_list;
e682570f 139
880a1e77
JH
140typedef struct dane_selector
141{
e682570f 142 uint8_t selector;
880a1e77 143 dane_mtype_list mtype;
e682570f
TL
144} *dane_selector;
145
880a1e77
JH
146typedef struct dane_selector_list
147{
148 struct dane_selector_list *next;
e682570f 149 dane_selector value;
880a1e77 150} *dane_selector_list;
e682570f 151
880a1e77
JH
152typedef struct dane_pkey_list
153{
154 struct dane_pkey_list *next;
e682570f 155 EVP_PKEY *value;
880a1e77 156} *dane_pkey_list;
e682570f 157
880a1e77
JH
158typedef struct dane_cert_list
159{
160 struct dane_cert_list *next;
e682570f 161 X509 *value;
880a1e77 162} *dane_cert_list;
e682570f 163
880a1e77
JH
164typedef struct ssl_dane
165{
e682570f
TL
166 int (*verify)(X509_STORE_CTX *);
167 STACK_OF(X509) *roots;
168 STACK_OF(X509) *chain;
169 const char *thost; /* TLSA base domain */
170 char *mhost; /* Matched, peer name */
880a1e77
JH
171 dane_pkey_list pkeys;
172 dane_cert_list certs;
173 dane_host_list hosts;
174 dane_selector_list selectors[SSL_DANE_USAGE_LAST + 1];
e682570f
TL
175 int depth;
176 int multi; /* Multi-label wildcards? */
177 int count; /* Number of TLSA records */
880a1e77 178} ssl_dane;
e682570f
TL
179
180#ifndef X509_V_ERR_HOSTNAME_MISMATCH
880a1e77 181# define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION
e682570f
TL
182#endif
183
880a1e77
JH
184static int
185match(dane_selector_list slist, X509 *cert, int depth)
e682570f 186{
880a1e77 187int matched;
e682570f 188
880a1e77
JH
189/*
190 * Note, set_trust_anchor() needs to know whether the match was for a
191 * pkey digest or a certificate digest. We return MATCHED_PKEY or
192 * MATCHED_CERT accordingly.
193 */
e682570f
TL
194#define MATCHED_CERT (SSL_DANE_SELECTOR_CERT + 1)
195#define MATCHED_PKEY (SSL_DANE_SELECTOR_SPKI + 1)
196
880a1e77
JH
197/*
198 * Loop over each selector, mtype, and associated data element looking
199 * for a match.
200 */
201for(matched = 0; !matched && slist; slist = slist->next)
202 {
203 dane_mtype_list m;
204 unsigned char mdbuf[EVP_MAX_MD_SIZE];
85098ee7 205 unsigned char *buf = NULL;
880a1e77 206 unsigned char *buf2;
85098ee7 207 unsigned int len = 0;
880a1e77
JH
208
209 /*
210 * Extract ASN.1 DER form of certificate or public key.
211 */
212 switch(slist->value->selector)
213 {
214 case SSL_DANE_SELECTOR_CERT:
215 len = i2d_X509(cert, NULL);
216 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
217 if(buf) i2d_X509(cert, &buf2);
218 break;
219 case SSL_DANE_SELECTOR_SPKI:
220 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
221 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
222 if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2);
223 break;
224 }
225
226 if(!buf)
227 {
228 DANEerr(DANE_F_MATCH, ERR_R_MALLOC_FAILURE);
229 return 0;
230 }
231 OPENSSL_assert(buf2 - buf == len);
232
233 /*
234 * Loop over each mtype and data element
235 */
236 for(m = slist->value->mtype; !matched && m; m = m->next)
237 {
238 dane_data_list d;
239 unsigned char *cmpbuf = buf;
240 unsigned int cmplen = len;
241
e682570f 242 /*
880a1e77
JH
243 * If it is a digest, compute the corresponding digest of the
244 * DER data for comparison, otherwise, use the full object.
e682570f 245 */
880a1e77
JH
246 if(m->value->md)
247 {
248 cmpbuf = mdbuf;
249 if(!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
250 matched = -1;
251 }
252 for(d = m->value->data; !matched && d; d = d->next)
253 if( cmplen == d->value->datalen
254 && memcmp(cmpbuf, d->value->data, cmplen) == 0)
255 matched = slist->value->selector + 1;
e682570f
TL
256 }
257
880a1e77
JH
258 OPENSSL_free(buf);
259 }
e682570f 260
880a1e77 261return matched;
e682570f
TL
262}
263
880a1e77
JH
264static int
265push_ext(X509 *cert, X509_EXTENSION *ext)
e682570f 266{
880a1e77 267X509_EXTENSIONS *exts;
e682570f 268
880a1e77
JH
269if(ext)
270 {
271 if(!(exts = cert->cert_info->extensions))
272 exts = cert->cert_info->extensions = sk_X509_EXTENSION_new_null();
273 if (exts && sk_X509_EXTENSION_push(exts, ext))
274 return 1;
275 X509_EXTENSION_free(ext);
276 }
277DANEerr(DANE_F_PUSH_EXT, ERR_R_MALLOC_FAILURE);
278return 0;
e682570f
TL
279}
280
880a1e77
JH
281static int
282add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
e682570f 283{
880a1e77 284X509V3_CTX v3ctx;
e682570f 285
880a1e77
JH
286X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
287return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
e682570f
TL
288}
289
880a1e77
JH
290static int
291set_serial(X509 *cert, AUTHORITY_KEYID *akid, X509 *subject)
e682570f 292{
880a1e77
JH
293int ret = 0;
294BIGNUM *bn;
295
296if(akid && akid->serial)
297 return (X509_set_serialNumber(cert, akid->serial));
298
299/*
300 * Add one to subject's serial to avoid collisions between TA serial and
301 * serial of signing root.
302 */
303if( (bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(subject), 0)) != 0
304 && BN_add_word(bn, 1)
305 && BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(cert)))
306 ret = 1;
307
308if(bn)
309 BN_free(bn);
310return ret;
311}
e682570f 312
880a1e77
JH
313static int
314add_akid(X509 *cert, AUTHORITY_KEYID *akid)
315{
316int nid = NID_authority_key_identifier;
317ASN1_STRING *id;
318unsigned char c = 0;
319int ret = 0;
320
321/*
322 * 0 will never be our subject keyid from a SHA-1 hash, but it could be
323 * our subject keyid if forced from child's akid. If so, set our
324 * authority keyid to 1. This way we are never self-signed, and thus
325 * exempt from any potential (off by default for now in OpenSSL)
326 * self-signature checks!
327 */
328id = (ASN1_STRING *) ((akid && akid->keyid) ? akid->keyid : 0);
329if(id && M_ASN1_STRING_length(id) == 1 && *M_ASN1_STRING_data(id) == c)
330 c = 1;
331
332if( (akid = AUTHORITY_KEYID_new()) != 0
333 && (akid->keyid = ASN1_OCTET_STRING_new()) != 0
334 && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
335 && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_APPEND))
336 ret = 1;
337if(akid)
338 AUTHORITY_KEYID_free(akid);
339return ret;
e682570f
TL
340}
341
880a1e77
JH
342static int
343add_skid(X509 *cert, AUTHORITY_KEYID *akid)
e682570f 344{
880a1e77 345int nid = NID_subject_key_identifier;
e682570f 346
880a1e77
JH
347if(!akid || !akid->keyid)
348 return add_ext(0, cert, nid, "hash");
349return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_APPEND) > 0;
e682570f
TL
350}
351
880a1e77
JH
352static X509_NAME *
353akid_issuer_name(AUTHORITY_KEYID *akid)
e682570f 354{
880a1e77
JH
355if(akid && akid->issuer)
356 {
357 int i;
358 GENERAL_NAMES *gens = akid->issuer;
e682570f 359
880a1e77
JH
360 for(i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
361 {
362 GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
e682570f 363
880a1e77
JH
364 if(gn->type == GEN_DIRNAME)
365 return (gn->d.dirn);
e682570f 366 }
880a1e77
JH
367 }
368return 0;
e682570f
TL
369}
370
880a1e77
JH
371static int
372set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
e682570f 373{
880a1e77
JH
374X509_NAME *name = akid_issuer_name(akid);
375
376/*
377 * If subject's akid specifies an authority key identifer issuer name, we
378 * must use that.
379 */
380return X509_set_issuer_name(cert,
381 name ? name : X509_get_subject_name(cert));
e682570f
TL
382}
383
880a1e77
JH
384static int
385grow_chain(ssl_dane *dane, int trusted, X509 *cert)
e682570f 386{
880a1e77
JH
387STACK_OF(X509) **xs = trusted ? &dane->roots : &dane->chain;
388static ASN1_OBJECT *serverAuth = 0;
e682570f
TL
389
390#define UNTRUSTED 0
391#define TRUSTED 1
392
880a1e77
JH
393if( trusted && !serverAuth
394 && !(serverAuth = OBJ_nid2obj(NID_server_auth)))
395 {
396 DANEerr(DANE_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
397 return 0;
398 }
399if(!*xs && !(*xs = sk_X509_new_null()))
400 {
401 DANEerr(DANE_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
402 return 0;
403 }
404
405if(cert)
406 {
407 if(trusted && !X509_add1_trust_object(cert, serverAuth))
408 return 0;
409 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
410 if (!sk_X509_push(*xs, cert))
411 {
412 X509_free(cert);
413 DANEerr(DANE_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
414 return 0;
e682570f 415 }
880a1e77
JH
416 }
417return 1;
e682570f
TL
418}
419
880a1e77
JH
420static int
421wrap_issuer(ssl_dane *dane, EVP_PKEY *key, X509 *subject, int depth, int top)
e682570f 422{
880a1e77
JH
423int ret = 1;
424X509 *cert = 0;
425AUTHORITY_KEYID *akid;
426X509_NAME *name = X509_get_issuer_name(subject);
427EVP_PKEY *newkey = key ? key : X509_get_pubkey(subject);
e682570f
TL
428
429#define WRAP_MID 0 /* Ensure intermediate. */
430#define WRAP_TOP 1 /* Ensure self-signed. */
431
880a1e77
JH
432if(!name || !newkey || !(cert = X509_new()))
433 return 0;
434
435/*
436 * Record the depth of the trust-anchor certificate.
437 */
438if(dane->depth < 0)
439 dane->depth = depth + 1;
440
441/*
442 * XXX: Uncaught error condition:
443 *
444 * The return value is NULL both when the extension is missing, and when
445 * OpenSSL rans out of memory while parsing the extension.
446 */
447ERR_clear_error();
448akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
449/* XXX: Should we peek at the error stack here??? */
450
451/*
452 * If top is true generate a self-issued root CA, otherwise an
453 * intermediate CA and possibly its self-signed issuer.
454 *
455 * CA cert valid for +/- 30 days
456 */
457if( !X509_set_version(cert, 2)
458 || !set_serial(cert, akid, subject)
459 || !X509_set_subject_name(cert, name)
460 || !set_issuer_name(cert, akid)
461 || !X509_gmtime_adj(X509_get_notBefore(cert), -30 * 86400L)
462 || !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L)
463 || !X509_set_pubkey(cert, newkey)
464 || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
465 || (!top && !add_akid(cert, akid))
466 || !add_skid(cert, akid)
467 || ( !top && wrap_to_root
468 && !wrap_issuer(dane, newkey, cert, depth, WRAP_TOP)))
469 ret = 0;
470
471if(akid)
472 AUTHORITY_KEYID_free(akid);
473if(!key)
474 EVP_PKEY_free(newkey);
475if(ret)
476 ret = grow_chain(dane, !top && wrap_to_root ? UNTRUSTED : TRUSTED, cert);
477if(cert)
478 X509_free(cert);
479return ret;
e682570f
TL
480}
481
880a1e77
JH
482static int
483wrap_cert(ssl_dane *dane, X509 *tacert, int depth)
e682570f 484{
880a1e77
JH
485if(dane->depth < 0)
486 dane->depth = depth + 1;
487
488/*
489 * If the TA certificate is self-issued, or need not be, use it directly.
490 * Otherwise, synthesize requisuite ancestors.
491 */
492if( !wrap_to_root
493 || X509_check_issued(tacert, tacert) == X509_V_OK)
494 return grow_chain(dane, TRUSTED, tacert);
495
496if(wrap_issuer(dane, 0, tacert, depth, WRAP_MID))
497 return grow_chain(dane, UNTRUSTED, tacert);
498return 0;
e682570f
TL
499}
500
880a1e77
JH
501static int
502ta_signed(ssl_dane *dane, X509 *cert, int depth)
e682570f 503{
880a1e77
JH
504dane_cert_list x;
505dane_pkey_list k;
506EVP_PKEY *pk;
507int done = 0;
508
509/*
510 * First check whether issued and signed by a TA cert, this is cheaper
511 * than the bare-public key checks below, since we can determine whether
512 * the candidate TA certificate issued the certificate to be checked
513 * first (name comparisons), before we bother with signature checks
514 * (public key operations).
515 */
516for (x = dane->certs; !done && x; x = x->next)
517 {
518 if(X509_check_issued(x->value, cert) == X509_V_OK)
519 {
520 if(!(pk = X509_get_pubkey(x->value)))
521 {
522 /*
523 * The cert originally contained a valid pkey, which does
524 * not just vanish, so this is most likely a memory error.
525 */
526 done = -1;
527 break;
528 }
529 /* Check signature, since some other TA may work if not this. */
530 if(X509_verify(cert, pk) > 0)
531 done = wrap_cert(dane, x->value, depth) ? 1 : -1;
532 EVP_PKEY_free(pk);
e682570f 533 }
880a1e77
JH
534 }
535
536/*
537 * With bare TA public keys, we can't check whether the trust chain is
538 * issued by the key, but we can determine whether it is signed by the
539 * key, so we go with that.
540 *
541 * Ideally, the corresponding certificate was presented in the chain, and we
542 * matched it by its public key digest one level up. This code is here
543 * to handle adverse conditions imposed by sloppy administrators of
544 * receiving systems with poorly constructed chains.
545 *
546 * We'd like to optimize out keys that should not match when the cert's
547 * authority key id does not match the key id of this key computed via
548 * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans
549 * ASN1 tag and length thus also excluding the unused bits field that is
550 * logically part of the length). However, some CAs have a non-standard
551 * authority keyid, so we lose. Too bad.
552 *
553 * This may push errors onto the stack when the certificate signature is
554 * not of the right type or length, throw these away,
555 */
556for(k = dane->pkeys; !done && k; k = k->next)
557 if(X509_verify(cert, k->value) > 0)
558 done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
559 else
560 ERR_clear_error();
e682570f 561
880a1e77 562return done;
e682570f
TL
563}
564
880a1e77
JH
565static int
566set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
e682570f 567{
880a1e77
JH
568int matched = 0;
569int n;
570int i;
571int depth = 0;
572EVP_PKEY *takey;
573X509 *ca;
574STACK_OF(X509) *in = ctx->untrusted; /* XXX: Accessor? */
575
576if(!grow_chain(dane, UNTRUSTED, 0))
577 return -1;
578
579/*
580 * Accept a degenerate case: depth 0 self-signed trust-anchor.
581 */
582if(X509_check_issued(cert, cert) == X509_V_OK)
583 {
584 dane->depth = 0;
585 matched = match(dane->selectors[SSL_DANE_USAGE_TRUSTED_CA], cert, 0);
586 if(matched > 0 && !grow_chain(dane, TRUSTED, cert))
587 matched = -1;
588 return matched;
589 }
590
591/* Make a shallow copy of the input untrusted chain. */
592if(!(in = sk_X509_dup(in)))
593 {
594 DANEerr(DANE_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
595 return -1;
596 }
597
598/*
599 * At each iteration we consume the issuer of the current cert. This
600 * reduces the length of the "in" chain by one. If no issuer is found,
601 * we are done. We also stop when a certificate matches a TA in the
602 * peer's TLSA RRset.
603 *
604 * Caller ensures that the initial certificate is not self-signed.
605 */
606for(n = sk_X509_num(in); n > 0; --n, ++depth)
607 {
608 for(i = 0; i < n; ++i)
609 if(X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
610 break;
611
612 /*
613 * Final untrusted element with no issuer in the peer's chain, it may
614 * however be signed by a pkey or cert obtained via a TLSA RR.
615 */
616 if(i == n)
617 break;
618
619 /* Peer's chain contains an issuer ca. */
620 ca = sk_X509_delete(in, i);
621
622 /* If not a trust anchor, record untrusted ca and continue. */
623 if((matched = match(dane->selectors[SSL_DANE_USAGE_TRUSTED_CA], ca, depth+1))
624 == 0)
625 {
626 if(grow_chain(dane, UNTRUSTED, ca))
627 {
628 if(!X509_check_issued(ca, ca) == X509_V_OK)
629 {
630 /* Restart with issuer as subject */
631 cert = ca;
632 continue;
633 }
634 /* Final self-signed element, skip ta_signed() check. */
635 cert = 0;
636 }
637 else
638 matched = -1;
e682570f 639 }
880a1e77
JH
640 else if(matched == MATCHED_CERT)
641 {
642 if(!wrap_cert(dane, ca, depth))
643 matched = -1;
e682570f 644 }
880a1e77
JH
645 else if(matched == MATCHED_PKEY)
646 {
647 if( !(takey = X509_get_pubkey(ca))
648 || !wrap_issuer(dane, takey, cert, depth, WRAP_MID))
649 {
650 if(takey)
651 EVP_PKEY_free(takey);
652 else
653 DANEerr(DANE_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
654 matched = -1;
655 }
e682570f 656 }
880a1e77
JH
657 break;
658 }
e682570f 659
880a1e77
JH
660/* Shallow free the duplicated input untrusted chain. */
661sk_X509_free(in);
e682570f 662
880a1e77
JH
663/*
664 * When the loop exits, if "cert" is set, it is not self-signed and has
665 * no issuer in the chain, we check for a possible signature via a DNS
666 * obtained TA cert or public key.
667 */
668if(matched == 0 && cert)
669 matched = ta_signed(dane, cert, depth);
e682570f 670
880a1e77 671return matched;
e682570f
TL
672}
673
880a1e77
JH
674static int
675check_end_entity(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
e682570f 676{
880a1e77
JH
677int matched;
678
679matched = match(dane->selectors[SSL_DANE_USAGE_FIXED_LEAF], cert, 0);
680if(matched > 0)
681 if(!ctx->chain)
85098ee7 682 {
880a1e77
JH
683 if( (ctx->chain = sk_X509_new_null())
684 && sk_X509_push(ctx->chain, cert))
685 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
686 else
687 {
688 DANEerr(DANE_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE);
689 return -1;
690 }
85098ee7 691 }
880a1e77 692return matched;
e682570f
TL
693}
694
880a1e77
JH
695static int
696match_name(const char *certid, ssl_dane *dane)
e682570f 697{
880a1e77
JH
698int multi = dane->multi;
699dane_host_list hosts;
700
701for(hosts = dane->hosts; hosts; hosts = hosts->next)
702 {
703 int match_subdomain = 0;
704 const char *domain = hosts->value;
705 const char *parent;
706 int idlen;
707 int domlen;
708
709 if(*domain == '.' && domain[1] != '\0')
710 {
711 ++domain;
712 match_subdomain = 1;
e682570f 713 }
880a1e77
JH
714
715 /*
716 * Sub-domain match: certid is any sub-domain of hostname.
717 */
718 if(match_subdomain)
85098ee7 719 {
880a1e77
JH
720 if( (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1
721 && certid[idlen - domlen - 1] == '.'
722 && !strcasecmp(certid + (idlen - domlen), domain))
723 return 1;
724 else
725 continue;
85098ee7 726 }
880a1e77
JH
727
728 /*
729 * Exact match and initial "*" match. The initial "*" in a certid
730 * matches one (if multi is false) or more hostname components under
731 * the condition that the certid contains multiple hostname components.
732 */
733 if( !strcasecmp(certid, domain)
734 || ( certid[0] == '*' && certid[1] == '.' && certid[2] != 0
735 && (parent = strchr(domain, '.')) != 0
736 && (idlen = strlen(certid + 1)) <= (domlen = strlen(parent))
737 && strcasecmp(multi ? parent + domlen - idlen : parent, certid+1) == 0))
738 return 1;
739 }
740return 0;
e682570f
TL
741}
742
880a1e77
JH
743static char *
744check_name(char *name, int len)
e682570f 745{
880a1e77
JH
746char *cp = name + len;
747
748while(len > 0 && !*--cp)
749 --len; /* Ignore trailing NULs */
750if(len <= 0)
751 return 0;
752for(cp = name; *cp; cp++)
753 {
754 char c = *cp;
755 if (!((c >= 'a' && c <= 'z') ||
756 (c >= '0' && c <= '9') ||
757 (c >= 'A' && c <= 'Z') ||
758 (c == '.' || c == '-') ||
759 (c == '*')))
760 return 0; /* Only LDH, '.' and '*' */
761 }
762if(cp - name != len) /* Guard against internal NULs */
763 return 0;
764return name;
e682570f
TL
765}
766
880a1e77
JH
767static char *
768parse_dns_name(const GENERAL_NAME *gn)
e682570f 769{
880a1e77
JH
770if(gn->type != GEN_DNS)
771 return 0;
772if(ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
773 return 0;
774return check_name((char *) ASN1_STRING_data(gn->d.ia5),
775 ASN1_STRING_length(gn->d.ia5));
e682570f
TL
776}
777
880a1e77
JH
778static char *
779parse_subject_name(X509 *cert)
e682570f 780{
880a1e77
JH
781X509_NAME *name = X509_get_subject_name(cert);
782X509_NAME_ENTRY *entry;
783ASN1_STRING *entry_str;
784unsigned char *namebuf;
785int nid = NID_commonName;
786int len;
787int i;
788
789if(!name || (i = X509_NAME_get_index_by_NID(name, nid, -1)) < 0)
790 return 0;
791if(!(entry = X509_NAME_get_entry(name, i)))
792 return 0;
793if(!(entry_str = X509_NAME_ENTRY_get_data(entry)))
794 return 0;
795
796if((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0)
797 return 0;
798if(len <= 0 || check_name((char *) namebuf, len) == 0)
799 {
800 OPENSSL_free(namebuf);
801 return 0;
802 }
803return (char *) namebuf;
e682570f
TL
804}
805
880a1e77
JH
806static int
807name_check(ssl_dane *dane, X509 *cert)
e682570f 808{
880a1e77
JH
809int matched = 0;
810BOOL got_altname = FALSE;
811GENERAL_NAMES *gens;
812
813gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
814if(gens)
815 {
816 int n = sk_GENERAL_NAME_num(gens);
817 int i;
818
819 for(i = 0; i < n; ++i)
820 {
821 const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
822 const char *certid;
823
824 if(gn->type != GEN_DNS)
825 continue;
826 got_altname = TRUE;
827 certid = parse_dns_name(gn);
828 if(certid && *certid)
829 {
830 if((matched = match_name(certid, dane)) == 0)
831 continue;
832 if(!(dane->mhost = OPENSSL_strdup(certid)))
833 matched = -1;
834 break;
835 }
e682570f 836 }
880a1e77
JH
837 GENERAL_NAMES_free(gens);
838 }
839
840/*
841 * XXX: Should the subjectName be skipped when *any* altnames are present,
842 * or only when DNS altnames are present?
843 */
844if(got_altname)
845 {
846 char *certid = parse_subject_name(cert);
847 if(certid != 0 && *certid && (matched = match_name(certid, dane)) != 0)
848 dane->mhost = certid; /* Already a copy */
849 }
850return matched;
e682570f
TL
851}
852
880a1e77
JH
853static int
854verify_chain(X509_STORE_CTX *ctx)
e682570f 855{
880a1e77
JH
856dane_selector_list issuer_rrs;
857dane_selector_list leaf_rrs;
858int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
859int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
860SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
861ssl_dane *dane = SSL_get_ex_data(ssl, dane_idx);
862X509 *cert = ctx->cert; /* XXX: accessor? */
863int matched = 0;
864int chain_length = sk_X509_num(ctx->chain);
865
e5cccda9 866DEBUG(D_tls) debug_printf("Dane verify-chain\n");
6634ac8d 867
880a1e77
JH
868issuer_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_ISSUER];
869leaf_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_LEAF];
870ctx->verify = dane->verify;
871
872if((matched = name_check(dane, cert)) < 0)
873 {
874 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
875 return 0;
876 }
877
878if(!matched)
879 {
880 ctx->error_depth = 0;
881 ctx->current_cert = cert;
882 X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
883 if(!cb(0, ctx))
884 return 0;
885 }
886matched = 0;
887
888/*
889 * Satisfy at least one usage 0 or 1 constraint, unless we've already
890 * matched a usage 2 trust anchor.
891 *
892 * XXX: internal_verify() doesn't callback with top certs that are not
893 * self-issued. This should be fixed in a future OpenSSL.
894 */
895if(dane->roots && sk_X509_num(dane->roots))
896 {
897#ifndef NO_CALLBACK_WORKAROUND
898 X509 *top = sk_X509_value(ctx->chain, dane->depth);
899
900 if(X509_check_issued(top, top) != X509_V_OK)
901 {
902 ctx->error_depth = dane->depth;
903 ctx->current_cert = top;
904 if(!cb(1, ctx))
905 return 0;
906 }
907#endif
908 /* Pop synthetic trust-anchor ancestors off the chain! */
909 while (--chain_length > dane->depth)
910 X509_free(sk_X509_pop(ctx->chain));
911 }
912else if(issuer_rrs || leaf_rrs)
913 {
914 int n = chain_length;
915
916 /*
917 * Check for an EE match, then a CA match at depths > 0, and
918 * finally, if the EE cert is self-issued, for a depth 0 CA match.
919 */
920 if(leaf_rrs)
921 matched = match(leaf_rrs, cert, 0);
922 while(!matched && issuer_rrs && --n >= 0)
923 {
924 X509 *xn = sk_X509_value(ctx->chain, n);
925
926 if(n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
927 matched = match(issuer_rrs, xn, n);
e682570f
TL
928 }
929
880a1e77
JH
930 if(matched < 0)
931 {
932 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
933 return 0;
e682570f 934 }
e682570f 935
880a1e77
JH
936 if(!matched)
937 {
938 ctx->current_cert = cert;
939 ctx->error_depth = 0;
940 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
941 if(!cb(0, ctx))
942 return 0;
e682570f 943 }
880a1e77 944 }
e682570f 945
880a1e77 946return ctx->verify(ctx);
e682570f
TL
947}
948
880a1e77
JH
949static int
950verify_cert(X509_STORE_CTX *ctx, void *unused_ctx)
e682570f 951{
880a1e77
JH
952static int ssl_idx = -1;
953SSL *ssl;
954ssl_dane *dane;
955int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
956int matched;
957X509 *cert = ctx->cert; /* XXX: accessor? */
958
e5cccda9 959DEBUG(D_tls) debug_printf("Dane verify-cert\n");
6634ac8d 960
880a1e77
JH
961if(ssl_idx < 0)
962 ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
963if(dane_idx < 0)
964 {
965 DANEerr(DANE_F_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
966 return -1;
967 }
968
969ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
970if(!(dane = SSL_get_ex_data(ssl, dane_idx)) || !cert)
971 return X509_verify_cert(ctx);
972
973if(dane->selectors[SSL_DANE_USAGE_FIXED_LEAF])
974 {
975 if((matched = check_end_entity(ctx, dane, cert)) > 0)
976 {
977 ctx->error_depth = 0;
978 ctx->current_cert = cert;
979 return cb(1, ctx);
e682570f 980 }
880a1e77
JH
981 if(matched < 0)
982 {
983 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
984 return -1;
e682570f 985 }
880a1e77 986 }
e682570f 987
880a1e77
JH
988if(dane->selectors[SSL_DANE_USAGE_TRUSTED_CA])
989 {
990 if((matched = set_trust_anchor(ctx, dane, cert)) < 0)
991 {
992 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
993 return -1;
e682570f 994 }
880a1e77
JH
995 if(matched)
996 {
e682570f 997 /*
880a1e77
JH
998 * Check that setting the untrusted chain updates the expected
999 * structure member at the expected offset.
e682570f 1000 */
880a1e77
JH
1001 X509_STORE_CTX_trusted_stack(ctx, dane->roots);
1002 X509_STORE_CTX_set_chain(ctx, dane->chain);
1003 OPENSSL_assert(ctx->untrusted == dane->chain);
1004 }
1005 }
e682570f 1006
880a1e77
JH
1007/*
1008 * Name checks and usage 0/1 constraint enforcement are delayed until
1009 * X509_verify_cert() builds the full chain and calls our verify_chain()
1010 * wrapper.
1011 */
1012dane->verify = ctx->verify;
1013ctx->verify = verify_chain;
1014
1015return X509_verify_cert(ctx);
e682570f
TL
1016}
1017
880a1e77
JH
1018static dane_list
1019list_alloc(size_t vsize)
e682570f 1020{
880a1e77
JH
1021void *value = (void *) OPENSSL_malloc(vsize);
1022dane_list l;
1023
1024if(!value)
1025 {
1026 DANEerr(DANE_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1027 return 0;
1028 }
1029if(!(l = (dane_list) OPENSSL_malloc(sizeof(*l))))
1030 {
1031 OPENSSL_free(value);
1032 DANEerr(DANE_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1033 return 0;
1034 }
1035l->next = 0;
1036l->value = value;
1037return l;
e682570f
TL
1038}
1039
880a1e77
JH
1040static void
1041list_free(void *list, void (*f)(void *))
e682570f 1042{
880a1e77
JH
1043dane_list head;
1044dane_list next;
1045
1046for(head = (dane_list) list; head; head = next)
1047 {
1048 next = head->next;
1049 if (f && head->value)
1050 f(head->value);
1051 OPENSSL_free(head);
1052 }
e682570f
TL
1053}
1054
880a1e77
JH
1055static void
1056dane_mtype_free(void *p)
e682570f 1057{
880a1e77
JH
1058list_free(((dane_mtype) p)->data, OPENSSL_freeFunc);
1059OPENSSL_free(p);
e682570f
TL
1060}
1061
880a1e77
JH
1062static void
1063dane_selector_free(void *p)
e682570f 1064{
880a1e77
JH
1065list_free(((dane_selector) p)->mtype, dane_mtype_free);
1066OPENSSL_free(p);
e682570f
TL
1067}
1068
946ecbe0
JH
1069
1070
1071/*
1072
1073Tidy up once the connection is finished with.
1074
1075Arguments
1076 ssl The ssl connection handle
1077
1078=> Before calling SSL_free()
1079tls_close() and tls_getc() [the error path] are the obvious places.
1080Could we do it earlier - right after verification? In tls_client_start()
1081right after SSL_connect() returns, in that case.
1082
1083*/
1084
880a1e77
JH
1085void
1086DANESSL_cleanup(SSL *ssl)
e682570f 1087{
880a1e77
JH
1088ssl_dane *dane;
1089int u;
1090
e5cccda9 1091DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
6634ac8d 1092
880a1e77
JH
1093if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1094 return;
1095(void) SSL_set_ex_data(ssl, dane_idx, 0);
1096
1097if(dane->hosts)
1098 list_free(dane->hosts, OPENSSL_freeFunc);
1099if(dane->mhost)
1100 OPENSSL_free(dane->mhost);
1101for(u = 0; u <= SSL_DANE_USAGE_LAST; ++u)
1102 if(dane->selectors[u])
1103 list_free(dane->selectors[u], dane_selector_free);
1104if(dane->pkeys)
1105 list_free(dane->pkeys, pkey_free);
1106if(dane->certs)
1107 list_free(dane->certs, cert_free);
1108if(dane->roots)
1109 sk_X509_pop_free(dane->roots, X509_free);
1110if(dane->chain)
1111 sk_X509_pop_free(dane->chain, X509_free);
1112OPENSSL_free(dane);
e682570f
TL
1113}
1114
880a1e77
JH
1115static dane_host_list
1116host_list_init(const char **src)
e682570f 1117{
880a1e77
JH
1118dane_host_list head = NULL;
1119
1120while(*src)
1121 {
1122 dane_host_list elem = (dane_host_list) OPENSSL_malloc(sizeof(*elem));
1123 if(!elem)
1124 {
1125 list_free(head, OPENSSL_freeFunc);
1126 return 0;
e682570f 1127 }
880a1e77
JH
1128 elem->value = OPENSSL_strdup(*src++);
1129 LINSERT(head, elem);
1130 }
1131return head;
e682570f
TL
1132}
1133
946ecbe0
JH
1134
1135
1136
1137/*
1138
1139Call this for each TLSA record found for the target, after the
1140DANE setup has been done on the ssl connection handle.
1141
1142Arguments:
1143 ssl Connection handle
1144 usage TLSA record field
1145 selector TLSA record field
1146 mdname ??? message digest name?
1147 data ??? TLSA record megalump?
1148 dlen length of data
1149
1150Return
1151 -1 on error
1152 0 action not taken
1153 1 record accepted
1154*/
1155
880a1e77
JH
1156int
1157DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
1158 unsigned const char *data, size_t dlen)
e682570f 1159{
880a1e77
JH
1160ssl_dane *dane;
1161dane_selector_list s = 0;
1162dane_mtype_list m = 0;
1163dane_data_list d = 0;
1164dane_cert_list xlist = 0;
1165dane_pkey_list klist = 0;
1166const EVP_MD *md = 0;
1167
b4161d10
JH
1168DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
1169 usage, selector, mdname);
6634ac8d 1170
880a1e77
JH
1171if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1172 {
1173 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_DANE_INIT);
1174 return -1;
1175 }
1176
1177if(usage > SSL_DANE_USAGE_LAST)
1178 {
1179 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_USAGE);
1180 return 0;
1181 }
1182if(selector > SSL_DANE_SELECTOR_LAST)
1183 {
1184 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_SELECTOR);
1185 return 0;
1186 }
1187if(mdname && !(md = EVP_get_digestbyname(mdname)))
1188 {
1189 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_DIGEST);
1190 return 0;
1191 }
1192if(!data)
1193 {
1194 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_NULL_DATA);
1195 return 0;
1196 }
1197if(mdname && dlen != EVP_MD_size(md))
1198 {
1199 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_DATA_LENGTH);
1200 return 0;
1201 }
1202
1203if(!mdname)
1204 {
1205 X509 *x = 0;
1206 EVP_PKEY *k = 0;
1207 const unsigned char *p = data;
e682570f
TL
1208
1209#define xklistinit(lvar, ltype, var, freeFunc) do { \
880a1e77
JH
1210 (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
1211 if (!(lvar)) { \
1212 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, ERR_R_MALLOC_FAILURE); \
1213 freeFunc((var)); \
1214 return 0; \
1215 } \
1216 (lvar)->next = 0; \
1217 lvar->value = var; \
1218 } while (0)
e682570f 1219#define xkfreeret(ret) do { \
880a1e77
JH
1220 if (xlist) list_free(xlist, cert_free); \
1221 if (klist) list_free(klist, pkey_free); \
1222 return (ret); \
1223 } while (0)
1224
1225 switch(selector)
1226 {
1227 case SSL_DANE_SELECTOR_CERT:
1228 if(!d2i_X509(&x, &p, dlen) || dlen != p - data)
1229 {
1230 if (x)
1231 X509_free(x);
1232 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_CERT);
1233 return 0;
1234 }
1235 k = X509_get_pubkey(x);
1236 EVP_PKEY_free(k);
1237 if(!k)
1238 {
1239 X509_free(x);
1240 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_CERT_PKEY);
1241 return 0;
1242 }
1243 if(usage == SSL_DANE_USAGE_TRUSTED_CA)
1244 xklistinit(xlist, dane_cert_list, x, X509_free);
1245 break;
1246
1247 case SSL_DANE_SELECTOR_SPKI:
1248 if(!d2i_PUBKEY(&k, &p, dlen) || dlen != p - data)
1249 {
1250 if(k)
1251 EVP_PKEY_free(k);
1252 DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_PKEY);
1253 return 0;
1254 }
1255 if(usage == SSL_DANE_USAGE_TRUSTED_CA)
1256 xklistinit(klist, dane_pkey_list, k, EVP_PKEY_free);
1257 break;
e682570f 1258 }
880a1e77
JH
1259 }
1260
1261/* Find insertion point and don't add duplicate elements. */
1262for(s = dane->selectors[usage]; s; s = s->next)
1263 if(s->value->selector == selector)
1264 for(m = s->value->mtype; m; m = m->next)
1265 if(m->value->md == md)
1266 for(d = m->value->data; d; d = d->next)
1267 if( d->value->datalen == dlen
1268 && memcmp(d->value->data, data, dlen) == 0)
1269 xkfreeret(1);
1270
1271if(!(d = (dane_data_list) list_alloc(sizeof(*d->value) + dlen)))
1272 xkfreeret(0);
1273d->value->datalen = dlen;
1274memcpy(d->value->data, data, dlen);
1275if(!m)
1276 {
1277 if(!(m = (dane_mtype_list) list_alloc(sizeof(*m->value))))
1278 {
1279 list_free(d, OPENSSL_freeFunc);
1280 xkfreeret(0);
e682570f 1281 }
880a1e77
JH
1282 m->value->data = 0;
1283 if((m->value->md = md) != 0)
1284 m->value->mdlen = dlen;
1285 if(!s)
1286 {
1287 if(!(s = (dane_selector_list) list_alloc(sizeof(*s->value))))
1288 {
1289 list_free(m, dane_mtype_free);
1290 xkfreeret(0);
1291 }
1292 s->value->mtype = 0;
1293 s->value->selector = selector;
1294 LINSERT(dane->selectors[usage], s);
1295 }
1296 LINSERT(s->value->mtype, m);
1297 }
1298LINSERT(m->value->data, d);
1299
1300if(xlist)
1301 LINSERT(dane->certs, xlist);
1302else if(klist)
1303 LINSERT(dane->pkeys, klist);
1304++dane->count;
1305return 1;
e682570f
TL
1306}
1307
946ecbe0
JH
1308
1309
1310
1311/*
1312Call this once we have an ssl connection handle but before
1313making the TLS connection.
1314
1315=> In tls_client_start() after the call to SSL_new()
1316and before the call to SSL_connect(). Exactly where
1317probably does not matter.
1318We probably want to keep our existing SNI handling;
1319call this with NULL.
1320
1321Arguments:
1322 ssl Connection handle
1323 sni_domain Optional peer server name
868f5672 1324 hostnames list of names to chack against peer cert
946ecbe0
JH
1325
1326Return
1327 -1 on fatal error
1328 0 nonfatal error
1329 1 success
1330*/
1331
880a1e77
JH
1332int
1333DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
e682570f 1334{
880a1e77
JH
1335ssl_dane *dane;
1336int i;
e682570f 1337#ifdef OPENSSL_INTERNAL
880a1e77 1338SSL_CTX *sctx = SSL_get_SSL_CTX(ssl);
e682570f 1339
6634ac8d 1340
880a1e77
JH
1341if(sctx->app_verify_callback != verify_cert)
1342 {
1343 DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_SCTX_INIT);
1344 return -1;
1345 }
e682570f 1346#else
b4161d10 1347DEBUG(D_tls) debug_printf("Dane ssl-init\n");
880a1e77
JH
1348if(dane_idx < 0)
1349 {
1350 DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_LIBRARY_INIT);
1351 return -1;
1352 }
e682570f
TL
1353#endif
1354
880a1e77
JH
1355if(sni_domain && !SSL_set_tlsext_host_name(ssl, sni_domain))
1356 return 0;
e682570f 1357
880a1e77
JH
1358if(!(dane = (ssl_dane *) OPENSSL_malloc(sizeof(ssl_dane))))
1359 {
1360 DANEerr(DANE_F_SSL_DANE_INIT, ERR_R_MALLOC_FAILURE);
1361 return 0;
1362 }
1363if(!SSL_set_ex_data(ssl, dane_idx, dane))
1364 {
1365 DANEerr(DANE_F_SSL_DANE_INIT, ERR_R_MALLOC_FAILURE);
1366 OPENSSL_free(dane);
1367 return 0;
1368 }
1369
6634ac8d
JH
1370dane->verify = 0;
1371dane->hosts = 0;
1372dane->thost = 0;
880a1e77
JH
1373dane->pkeys = 0;
1374dane->certs = 0;
1375dane->chain = 0;
1376dane->roots = 0;
1377dane->depth = -1;
1378dane->mhost = 0; /* Future SSL control interface */
1379dane->multi = 0; /* Future SSL control interface */
1380dane->count = 0;
1381
1382for(i = 0; i <= SSL_DANE_USAGE_LAST; ++i)
1383 dane->selectors[i] = 0;
1384
1385if(hostnames && !(dane->hosts = host_list_init(hostnames)))
1386 {
1387 DANEerr(DANE_F_SSL_DANE_INIT, ERR_R_MALLOC_FAILURE);
1388 DANESSL_cleanup(ssl);
1389 return 0;
1390 }
1391
1392return 1;
e682570f
TL
1393}
1394
946ecbe0
JH
1395
1396/*
1397
1398Call this once we have a context to work with, but
1399before DANESSL_init()
1400
1401=> in tls_client_start(), after tls_init() call gives us the ctx,
1402if we decide we want to (policy) and can (TLSA records available)
1403replacing (? what about fallback) everything from testing tls_verify_hosts
1404down to just before calling SSL_new() for the conn handle.
1405
1406Arguments
1407 ctx SSL context
1408
1409Return
1410 -1 Error
1411 1 Success
1412*/
1413
880a1e77
JH
1414int
1415DANESSL_CTX_init(SSL_CTX *ctx)
e682570f 1416{
6634ac8d 1417DEBUG(D_tls) debug_printf("Dane ctx-init\n");
880a1e77
JH
1418if(dane_idx >= 0)
1419 {
1420 SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
1421 return 1;
1422 }
1423DANEerr(DANE_F_SSL_CTX_DANE_INIT, DANE_R_LIBRARY_INIT);
1424return -1;
e682570f
TL
1425}
1426
880a1e77
JH
1427static int
1428init_once(volatile int *value, int (*init)(void), void (*postinit)(void))
e682570f 1429{
880a1e77
JH
1430int wlock = 0;
1431
1432CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
1433if(*value < 0)
1434 {
1435 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1436 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1437 wlock = 1;
1438 if(*value < 0)
1439 {
1440 *value = init();
1441 if(postinit)
1442 postinit();
e682570f 1443 }
880a1e77
JH
1444 }
1445if (wlock)
1446 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1447else
1448 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1449return *value;
e682570f
TL
1450}
1451
880a1e77
JH
1452static void
1453dane_init(void)
e682570f 1454{
880a1e77
JH
1455/*
1456 * Store library id in zeroth function slot, used to locate the library
1457 * name. This must be done before we load the error strings.
1458 */
e682570f 1459#ifndef OPENSSL_NO_ERR
880a1e77
JH
1460dane_str_functs[0].error |= ERR_PACK(err_lib_dane, 0, 0);
1461ERR_load_strings(err_lib_dane, dane_str_functs);
1462ERR_load_strings(err_lib_dane, dane_str_reasons);
e682570f
TL
1463#endif
1464
880a1e77
JH
1465/*
1466 * Register SHA-2 digests, if implemented and not already registered.
1467 */
e682570f 1468#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
880a1e77
JH
1469if(!EVP_get_digestbyname(LN_sha224)) EVP_add_digest(EVP_sha224());
1470if(!EVP_get_digestbyname(LN_sha256)) EVP_add_digest(EVP_sha256());
e682570f
TL
1471#endif
1472#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
880a1e77
JH
1473if(!EVP_get_digestbyname(LN_sha384)) EVP_add_digest(EVP_sha384());
1474if(!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
e682570f
TL
1475#endif
1476
880a1e77
JH
1477/*
1478 * Register an SSL index for the connection-specific ssl_dane structure.
1479 * Using a separate index makes it possible to add DANE support to
1480 * existing OpenSSL releases that don't have a suitable pointer in the
1481 * SSL structure.
1482 */
1483dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
e682570f
TL
1484}
1485
946ecbe0
JH
1486
1487
1488/*
1489
1490Call this once. Probably early in startup will do; may need
1491to be after SSL library init.
1492
043b1248
JH
1493=> put after call to tls_init() for now
1494
1495Return
1496 1 Success
1497 0 Fail
946ecbe0
JH
1498*/
1499
880a1e77
JH
1500int
1501DANESSL_library_init(void)
e682570f 1502{
6634ac8d 1503DEBUG(D_tls) debug_printf("Dane lib-init\n");
880a1e77
JH
1504if(err_lib_dane < 0)
1505 init_once(&err_lib_dane, ERR_get_next_error_library, dane_init);
e682570f
TL
1506
1507#if defined(LN_sha256)
880a1e77
JH
1508/* No DANE without SHA256 support */
1509if(dane_idx >= 0 && EVP_get_digestbyname(LN_sha256) != 0)
1510 return 1;
e682570f 1511#endif
880a1e77
JH
1512
1513DANEerr(DANE_F_SSL_DANE_LIBRARY_INIT, DANE_R_DANE_SUPPORT);
1514return 0;
e682570f
TL
1515}
1516
946ecbe0 1517
e682570f 1518#endif /* OPENSSL_VERSION_NUMBER */
880a1e77
JH
1519/* vi: aw ai sw=2
1520*/