projects / exim.git / blob
? search:


674ca380b3c316ca4565ee7445a206af4cdbdc3c
[exim.git] / src / src / dane-openssl.c
1 /*
2 * Author: Viktor Dukhovni
3 * License: THIS CODE IS IN THE PUBLIC DOMAIN.
4 */
5 #include <stdio.h>
6 #include <string.h>
7 #include <stdint.h>
8
9 #include <openssl/opensslv.h>
10 #include <openssl/err.h>
11 #include <openssl/crypto.h>
12 #include <openssl/safestack.h>
13 #include <openssl/objects.h>
14 #include <openssl/x509.h>
15 #include <openssl/x509v3.h>
16 #include <openssl/evp.h>
17 #include <openssl/bn.h>
18
19 #if OPENSSL_VERSION_NUMBER < 0x1000000fL
20 # error "OpenSSL 1.0.0 or higher required"
21 #else /* remainder of file */
22
23 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
24 # define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
25 #endif
26 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
27 # define EXIM_HAVE_ASN1_MACROS
28 # define EXIM_OPAQUE_X509
29 #endif
30
31
32 #include "danessl.h"
33
34 #define DANESSL_F_ADD_SKID 100
35 #define DANESSL_F_ADD_TLSA 101
36 #define DANESSL_F_CHECK_END_ENTITY 102
37 #define DANESSL_F_CTX_INIT 103
38 #define DANESSL_F_GROW_CHAIN 104
39 #define DANESSL_F_INIT 105
40 #define DANESSL_F_LIBRARY_INIT 106
41 #define DANESSL_F_LIST_ALLOC 107
42 #define DANESSL_F_MATCH 108
43 #define DANESSL_F_PUSH_EXT 109
44 #define DANESSL_F_SET_TRUST_ANCHOR 110
45 #define DANESSL_F_VERIFY_CERT 111
46 #define DANESSL_F_WRAP_CERT 112
47
48 #define DANESSL_R_BAD_CERT 100
49 #define DANESSL_R_BAD_CERT_PKEY 101
50 #define DANESSL_R_BAD_DATA_LENGTH 102
51 #define DANESSL_R_BAD_DIGEST 103
52 #define DANESSL_R_BAD_NULL_DATA 104
53 #define DANESSL_R_BAD_PKEY 105
54 #define DANESSL_R_BAD_SELECTOR 106
55 #define DANESSL_R_BAD_USAGE 107
56 #define DANESSL_R_INIT 108
57 #define DANESSL_R_LIBRARY_INIT 109
58 #define DANESSL_R_NOSIGN_KEY 110
59 #define DANESSL_R_SCTX_INIT 111
60 #define DANESSL_R_SUPPORT 112
61
62 #ifndef OPENSSL_NO_ERR
63 #define DANESSL_F_PLACEHOLDER 0 /* FIRST! Value TBD */
64 static ERR_STRING_DATA dane_str_functs[] = {
65 {DANESSL_F_PLACEHOLDER, "DANE library"}, /* FIRST!!! */
66 {DANESSL_F_ADD_SKID, "add_skid"},
67 {DANESSL_F_ADD_TLSA, "DANESSL_add_tlsa"},
68 {DANESSL_F_CHECK_END_ENTITY, "check_end_entity"},
69 {DANESSL_F_CTX_INIT, "DANESSL_CTX_init"},
70 {DANESSL_F_GROW_CHAIN, "grow_chain"},
71 {DANESSL_F_INIT, "DANESSL_init"},
72 {DANESSL_F_LIBRARY_INIT, "DANESSL_library_init"},
73 {DANESSL_F_LIST_ALLOC, "list_alloc"},
74 {DANESSL_F_MATCH, "match"},
75 {DANESSL_F_PUSH_EXT, "push_ext"},
76 {DANESSL_F_SET_TRUST_ANCHOR, "set_trust_anchor"},
77 {DANESSL_F_VERIFY_CERT, "verify_cert"},
78 {DANESSL_F_WRAP_CERT, "wrap_cert"},
79 {0, NULL}
80 };
81 static ERR_STRING_DATA dane_str_reasons[] = {
82 {DANESSL_R_BAD_CERT, "Bad TLSA record certificate"},
83 {DANESSL_R_BAD_CERT_PKEY, "Bad TLSA record certificate public key"},
84 {DANESSL_R_BAD_DATA_LENGTH, "Bad TLSA record digest length"},
85 {DANESSL_R_BAD_DIGEST, "Bad TLSA record digest"},
86 {DANESSL_R_BAD_NULL_DATA, "Bad TLSA record null data"},
87 {DANESSL_R_BAD_PKEY, "Bad TLSA record public key"},
88 {DANESSL_R_BAD_SELECTOR, "Bad TLSA record selector"},
89 {DANESSL_R_BAD_USAGE, "Bad TLSA record usage"},
90 {DANESSL_R_INIT, "DANESSL_init() required"},
91 {DANESSL_R_LIBRARY_INIT, "DANESSL_library_init() required"},
92 {DANESSL_R_NOSIGN_KEY, "Certificate usage 2 requires EC support"},
93 {DANESSL_R_SCTX_INIT, "DANESSL_CTX_init() required"},
94 {DANESSL_R_SUPPORT, "DANE library features not supported"},
95 {0, NULL}
96 };
97 #endif
98
99 #define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
100
101 static int err_lib_dane = -1;
102 static int dane_idx = -1;
103
104 #ifdef X509_V_FLAG_PARTIAL_CHAIN /* OpenSSL >= 1.0.2 */
105 static int wrap_to_root = 0;
106 #else
107 static int wrap_to_root = 1;
108 #endif
109
110 static void (*cert_free)(void *) = (void (*)(void *)) X509_free;
111 static void (*pkey_free)(void *) = (void (*)(void *)) EVP_PKEY_free;
112
113 typedef struct dane_list
114 {
115 struct dane_list *next;
116 void *value;
117 } *dane_list;
118
119 #define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0)
120
121 typedef struct dane_host_list
122 {
123 struct dane_host_list *next;
124 char *value;
125 } *dane_host_list;
126
127 typedef struct dane_data
128 {
129 size_t datalen;
130 unsigned char data[0];
131 } *dane_data;
132
133 typedef struct dane_data_list
134 {
135 struct dane_data_list *next;
136 dane_data value;
137 } *dane_data_list;
138
139 typedef struct dane_mtype
140 {
141 int mdlen;
142 const EVP_MD *md;
143 dane_data_list data;
144 } *dane_mtype;
145
146 typedef struct dane_mtype_list
147 {
148 struct dane_mtype_list *next;
149 dane_mtype value;
150 } *dane_mtype_list;
151
152 typedef struct dane_selector
153 {
154 uint8_t selector;
155 dane_mtype_list mtype;
156 } *dane_selector;
157
158 typedef struct dane_selector_list
159 {
160 struct dane_selector_list *next;
161 dane_selector value;
162 } *dane_selector_list;
163
164 typedef struct dane_pkey_list
165 {
166 struct dane_pkey_list *next;
167 EVP_PKEY *value;
168 } *dane_pkey_list;
169
170 typedef struct dane_cert_list
171 {
172 struct dane_cert_list *next;
173 X509 *value;
174 } *dane_cert_list;
175
176 typedef struct ssl_dane
177 {
178 int (*verify)(X509_STORE_CTX *);
179 STACK_OF(X509) *roots;
180 STACK_OF(X509) *chain;
181 X509 *match; /* Matched cert */
182 const char *thost; /* TLSA base domain */
183 char *mhost; /* Matched peer name */
184 dane_pkey_list pkeys;
185 dane_cert_list certs;
186 dane_host_list hosts;
187 dane_selector_list selectors[DANESSL_USAGE_LAST + 1];
188 int depth;
189 int mdpth; /* Depth of matched cert */
190 int multi; /* Multi-label wildcards? */
191 int count; /* Number of TLSA records */
192 } ssl_dane;
193
194 #ifndef X509_V_ERR_HOSTNAME_MISMATCH
195 # define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION
196 #endif
197
198
199
200 static int
201 match(dane_selector_list slist, X509 *cert, int depth)
202 {
203 int matched;
204
205 /*
206 * Note, set_trust_anchor() needs to know whether the match was for a
207 * pkey digest or a certificate digest. We return MATCHED_PKEY or
208 * MATCHED_CERT accordingly.
209 */
210 #define MATCHED_CERT (DANESSL_SELECTOR_CERT + 1)
211 #define MATCHED_PKEY (DANESSL_SELECTOR_SPKI + 1)
212
213 /*
214 * Loop over each selector, mtype, and associated data element looking
215 * for a match.
216 */
217 for (matched = 0; !matched && slist; slist = slist->next)
218 {
219 dane_mtype_list m;
220 unsigned char mdbuf[EVP_MAX_MD_SIZE];
221 unsigned char *buf = NULL;
222 unsigned char *buf2;
223 unsigned int len = 0;
224
225 /*
226 * Extract ASN.1 DER form of certificate or public key.
227 */
228 switch(slist->value->selector)
229 {
230 case DANESSL_SELECTOR_CERT:
231 len = i2d_X509(cert, NULL);
232 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
233 if(buf) i2d_X509(cert, &buf2);
234 break;
235 case DANESSL_SELECTOR_SPKI:
236 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
237 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
238 if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2);
239 break;
240 }
241
242 if (!buf)
243 {
244 DANEerr(DANESSL_F_MATCH, ERR_R_MALLOC_FAILURE);
245 return 0;
246 }
247 OPENSSL_assert(buf2 - buf == len);
248
249 /*
250 * Loop over each mtype and data element
251 */
252 for (m = slist->value->mtype; !matched && m; m = m->next)
253 {
254 dane_data_list d;
255 unsigned char *cmpbuf = buf;
256 unsigned int cmplen = len;
257
258 /*
259 * If it is a digest, compute the corresponding digest of the
260 * DER data for comparison, otherwise, use the full object.
261 */
262 if (m->value->md)
263 {
264 cmpbuf = mdbuf;
265 if (!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
266 matched = -1;
267 }
268 for (d = m->value->data; !matched && d; d = d->next)
269 if ( cmplen == d->value->datalen
270 && memcmp(cmpbuf, d->value->data, cmplen) == 0)
271 matched = slist->value->selector + 1;
272 }
273
274 OPENSSL_free(buf);
275 }
276
277 return matched;
278 }
279
280 static int
281 push_ext(X509 *cert, X509_EXTENSION *ext)
282 {
283 if (ext) {
284 if (X509_add_ext(cert, ext, -1))
285 return 1;
286 X509_EXTENSION_free(ext);
287 }
288 DANEerr(DANESSL_F_PUSH_EXT, ERR_R_MALLOC_FAILURE);
289 return 0;
290 }
291
292 static int
293 add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
294 {
295 X509V3_CTX v3ctx;
296
297 X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
298 return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
299 }
300
301 static int
302 set_serial(X509 *cert, AUTHORITY_KEYID *akid, X509 *subject)
303 {
304 int ret = 0;
305 BIGNUM *bn;
306
307 if (akid && akid->serial)
308 return (X509_set_serialNumber(cert, akid->serial));
309
310 /*
311 * Add one to subject's serial to avoid collisions between TA serial and
312 * serial of signing root.
313 */
314 if ( (bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(subject), 0)) != 0
315 && BN_add_word(bn, 1)
316 && BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(cert)))
317 ret = 1;
318
319 if (bn)
320 BN_free(bn);
321 return ret;
322 }
323
324 static int
325 add_akid(X509 *cert, AUTHORITY_KEYID *akid)
326 {
327 int nid = NID_authority_key_identifier;
328 ASN1_STRING *id;
329 unsigned char c = 0;
330 int ret = 0;
331
332 /*
333 * 0 will never be our subject keyid from a SHA-1 hash, but it could be
334 * our subject keyid if forced from child's akid. If so, set our
335 * authority keyid to 1. This way we are never self-signed, and thus
336 * exempt from any potential (off by default for now in OpenSSL)
337 * self-signature checks!
338 */
339 id = (akid && akid->keyid) ? akid->keyid : 0;
340 if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_data(id) == c)
341 c = 1;
342
343 if ( (akid = AUTHORITY_KEYID_new()) != 0
344 && (akid->keyid = ASN1_OCTET_STRING_new()) != 0
345 #ifdef EXIM_HAVE_ASN1_MACROS
346 && ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
347 #else
348 && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
349 #endif
350 && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_APPEND))
351 ret = 1;
352 if (akid)
353 AUTHORITY_KEYID_free(akid);
354 return ret;
355 }
356
357 static int
358 add_skid(X509 *cert, AUTHORITY_KEYID *akid)
359 {
360 int nid = NID_subject_key_identifier;
361
362 if (!akid || !akid->keyid)
363 return add_ext(0, cert, nid, "hash");
364 return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_APPEND) > 0;
365 }
366
367 static X509_NAME *
368 akid_issuer_name(AUTHORITY_KEYID *akid)
369 {
370 if (akid && akid->issuer)
371 {
372 int i;
373 GENERAL_NAMES *gens = akid->issuer;
374
375 for (i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
376 {
377 GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
378
379 if (gn->type == GEN_DIRNAME)
380 return (gn->d.dirn);
381 }
382 }
383 return 0;
384 }
385
386 static int
387 set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
388 {
389 X509_NAME *name = akid_issuer_name(akid);
390
391 /*
392 * If subject's akid specifies an authority key identifer issuer name, we
393 * must use that.
394 */
395 return X509_set_issuer_name(cert,
396 name ? name : X509_get_subject_name(cert));
397 }
398
399 static int
400 grow_chain(ssl_dane *dane, int trusted, X509 *cert)
401 {
402 STACK_OF(X509) **xs = trusted ? &dane->roots : &dane->chain;
403 static ASN1_OBJECT *serverAuth = 0;
404
405 #define UNTRUSTED 0
406 #define TRUSTED 1
407
408 if ( trusted && !serverAuth
409 && !(serverAuth = OBJ_nid2obj(NID_server_auth)))
410 {
411 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
412 return 0;
413 }
414 if (!*xs && !(*xs = sk_X509_new_null()))
415 {
416 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
417 return 0;
418 }
419
420 if (cert)
421 {
422 if (trusted && !X509_add1_trust_object(cert, serverAuth))
423 return 0;
424 #ifdef EXIM_OPAQUE_X509
425 X509_up_ref(cert);
426 #else
427 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
428 #endif
429 if (!sk_X509_push(*xs, cert))
430 {
431 X509_free(cert);
432 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
433 return 0;
434 }
435 }
436 return 1;
437 }
438
439 static int
440 wrap_issuer(ssl_dane *dane, EVP_PKEY *key, X509 *subject, int depth, int top)
441 {
442 int ret = 1;
443 X509 *cert = 0;
444 AUTHORITY_KEYID *akid;
445 X509_NAME *name = X509_get_issuer_name(subject);
446 EVP_PKEY *newkey = key ? key : X509_get_pubkey(subject);
447
448 #define WRAP_MID 0 /* Ensure intermediate. */
449 #define WRAP_TOP 1 /* Ensure self-signed. */
450
451 if (!name || !newkey || !(cert = X509_new()))
452 return 0;
453
454 /*
455 * Record the depth of the trust-anchor certificate.
456 */
457 if (dane->depth < 0)
458 dane->depth = depth + 1;
459
460 /*
461 * XXX: Uncaught error condition:
462 *
463 * The return value is NULL both when the extension is missing, and when
464 * OpenSSL rans out of memory while parsing the extension.
465 */
466 ERR_clear_error();
467 akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
468 /* XXX: Should we peek at the error stack here??? */
469
470 /*
471 * If top is true generate a self-issued root CA, otherwise an
472 * intermediate CA and possibly its self-signed issuer.
473 *
474 * CA cert valid for +/- 30 days
475 */
476 if ( !X509_set_version(cert, 2)
477 || !set_serial(cert, akid, subject)
478 || !X509_set_subject_name(cert, name)
479 || !set_issuer_name(cert, akid)
480 || !X509_gmtime_adj(X509_get_notBefore(cert), -30 * 86400L)
481 || !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L)
482 || !X509_set_pubkey(cert, newkey)
483 || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
484 || (!top && !add_akid(cert, akid))
485 || !add_skid(cert, akid)
486 || ( !top && wrap_to_root
487 && !wrap_issuer(dane, newkey, cert, depth, WRAP_TOP)))
488 ret = 0;
489
490 if (akid)
491 AUTHORITY_KEYID_free(akid);
492 if (!key)
493 EVP_PKEY_free(newkey);
494 if (ret)
495 ret = grow_chain(dane, !top && wrap_to_root ? UNTRUSTED : TRUSTED, cert);
496 if (cert)
497 X509_free(cert);
498 return ret;
499 }
500
501 static int
502 wrap_cert(ssl_dane *dane, X509 *tacert, int depth)
503 {
504 if (dane->depth < 0)
505 dane->depth = depth + 1;
506
507 /*
508 * If the TA certificate is self-issued, or need not be, use it directly.
509 * Otherwise, synthesize requisuite ancestors.
510 */
511 if ( !wrap_to_root
512 || X509_check_issued(tacert, tacert) == X509_V_OK)
513 return grow_chain(dane, TRUSTED, tacert);
514
515 if (wrap_issuer(dane, 0, tacert, depth, WRAP_MID))
516 return grow_chain(dane, UNTRUSTED, tacert);
517 return 0;
518 }
519
520 static int
521 ta_signed(ssl_dane *dane, X509 *cert, int depth)
522 {
523 dane_cert_list x;
524 dane_pkey_list k;
525 EVP_PKEY *pk;
526 int done = 0;
527
528 /*
529 * First check whether issued and signed by a TA cert, this is cheaper
530 * than the bare-public key checks below, since we can determine whether
531 * the candidate TA certificate issued the certificate to be checked
532 * first (name comparisons), before we bother with signature checks
533 * (public key operations).
534 */
535 for (x = dane->certs; !done && x; x = x->next)
536 {
537 if (X509_check_issued(x->value, cert) == X509_V_OK)
538 {
539 if (!(pk = X509_get_pubkey(x->value)))
540 {
541 /*
542 * The cert originally contained a valid pkey, which does
543 * not just vanish, so this is most likely a memory error.
544 */
545 done = -1;
546 break;
547 }
548 /* Check signature, since some other TA may work if not this. */
549 if (X509_verify(cert, pk) > 0)
550 done = wrap_cert(dane, x->value, depth) ? 1 : -1;
551 EVP_PKEY_free(pk);
552 }
553 }
554
555 /*
556 * With bare TA public keys, we can't check whether the trust chain is
557 * issued by the key, but we can determine whether it is signed by the
558 * key, so we go with that.
559 *
560 * Ideally, the corresponding certificate was presented in the chain, and we
561 * matched it by its public key digest one level up. This code is here
562 * to handle adverse conditions imposed by sloppy administrators of
563 * receiving systems with poorly constructed chains.
564 *
565 * We'd like to optimize out keys that should not match when the cert's
566 * authority key id does not match the key id of this key computed via
567 * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans
568 * ASN1 tag and length thus also excluding the unused bits field that is
569 * logically part of the length). However, some CAs have a non-standard
570 * authority keyid, so we lose. Too bad.
571 *
572 * This may push errors onto the stack when the certificate signature is
573 * not of the right type or length, throw these away,
574 */
575 for (k = dane->pkeys; !done && k; k = k->next)
576 if (X509_verify(cert, k->value) > 0)
577 done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
578 else
579 ERR_clear_error();
580
581 return done;
582 }
583
584 static int
585 set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
586 {
587 int matched = 0;
588 int n;
589 int i;
590 int depth = 0;
591 EVP_PKEY *takey;
592 X509 *ca;
593 STACK_OF(X509) *in = ctx->untrusted; /* XXX: Accessor? */
594
595 if (!grow_chain(dane, UNTRUSTED, 0))
596 return -1;
597
598 /*
599 * Accept a degenerate case: depth 0 self-signed trust-anchor.
600 */
601 if (X509_check_issued(cert, cert) == X509_V_OK)
602 {
603 dane->depth = 0;
604 matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], cert, 0);
605 if (matched > 0 && !grow_chain(dane, TRUSTED, cert))
606 matched = -1;
607 return matched;
608 }
609
610 /* Make a shallow copy of the input untrusted chain. */
611 if (!(in = sk_X509_dup(in)))
612 {
613 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
614 return -1;
615 }
616
617 /*
618 * At each iteration we consume the issuer of the current cert. This
619 * reduces the length of the "in" chain by one. If no issuer is found,
620 * we are done. We also stop when a certificate matches a TA in the
621 * peer's TLSA RRset.
622 *
623 * Caller ensures that the initial certificate is not self-signed.
624 */
625 for (n = sk_X509_num(in); n > 0; --n, ++depth)
626 {
627 for (i = 0; i < n; ++i)
628 if (X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
629 break;
630
631 /*
632 * Final untrusted element with no issuer in the peer's chain, it may
633 * however be signed by a pkey or cert obtained via a TLSA RR.
634 */
635 if (i == n)
636 break;
637
638 /* Peer's chain contains an issuer ca. */
639 ca = sk_X509_delete(in, i);
640
641 /* If not a trust anchor, record untrusted ca and continue. */
642 if ((matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], ca,
643 depth + 1)) == 0)
644 {
645 if (grow_chain(dane, UNTRUSTED, ca))
646 {
647 if (!X509_check_issued(ca, ca) == X509_V_OK)
648 {
649 /* Restart with issuer as subject */
650 cert = ca;
651 continue;
652 }
653 /* Final self-signed element, skip ta_signed() check. */
654 cert = 0;
655 }
656 else
657 matched = -1;
658 }
659 else if(matched == MATCHED_CERT)
660 {
661 if(!wrap_cert(dane, ca, depth))
662 matched = -1;
663 }
664 else if(matched == MATCHED_PKEY)
665 {
666 if ( !(takey = X509_get_pubkey(ca))
667 || !wrap_issuer(dane, takey, cert, depth, WRAP_MID))
668 {
669 if (takey)
670 EVP_PKEY_free(takey);
671 else
672 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
673 matched = -1;
674 }
675 }
676 break;
677 }
678
679 /* Shallow free the duplicated input untrusted chain. */
680 sk_X509_free(in);
681
682 /*
683 * When the loop exits, if "cert" is set, it is not self-signed and has
684 * no issuer in the chain, we check for a possible signature via a DNS
685 * obtained TA cert or public key.
686 */
687 if (matched == 0 && cert)
688 matched = ta_signed(dane, cert, depth);
689
690 return matched;
691 }
692
693 static int
694 check_end_entity(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
695 {
696 int matched;
697
698 matched = match(dane->selectors[DANESSL_USAGE_DANE_EE], cert, 0);
699 if (matched > 0)
700 {
701 dane->mdpth = 0;
702 dane->match = cert;
703 X509_up_ref(cert);
704 if(!ctx->chain)
705 {
706 if ( (ctx->chain = sk_X509_new_null()) != 0
707 && sk_X509_push(ctx->chain, cert))
708 X509_up_ref(cert);
709 else
710 {
711 DANEerr(DANESSL_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE);
712 return -1;
713 }
714 }
715 }
716 return matched;
717 }
718
719 static int
720 match_name(const char *certid, ssl_dane *dane)
721 {
722 int multi = dane->multi;
723 dane_host_list hosts;
724
725 for (hosts = dane->hosts; hosts; hosts = hosts->next)
726 {
727 int match_subdomain = 0;
728 const char *domain = hosts->value;
729 const char *parent;
730 int idlen;
731 int domlen;
732
733 if (*domain == '.' && domain[1] != '\0')
734 {
735 ++domain;
736 match_subdomain = 1;
737 }
738
739 /*
740 * Sub-domain match: certid is any sub-domain of hostname.
741 */
742 if(match_subdomain)
743 {
744 if ( (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1
745 && certid[idlen - domlen - 1] == '.'
746 && !strcasecmp(certid + (idlen - domlen), domain))
747 return 1;
748 else
749 continue;
750 }
751
752 /*
753 * Exact match and initial "*" match. The initial "*" in a certid
754 * matches one (if multi is false) or more hostname components under
755 * the condition that the certid contains multiple hostname components.
756 */
757 if ( !strcasecmp(certid, domain)
758 || ( certid[0] == '*' && certid[1] == '.' && certid[2] != 0
759 && (parent = strchr(domain, '.')) != 0
760 && (idlen = strlen(certid + 1)) <= (domlen = strlen(parent))
761 && strcasecmp(multi ? parent + domlen - idlen : parent, certid+1) == 0))
762 return 1;
763 }
764 return 0;
765 }
766
767 static char *
768 check_name(char *name, int len)
769 {
770 char *cp = name + len;
771
772 while (len > 0 && !*--cp)
773 --len; /* Ignore trailing NULs */
774 if (len <= 0)
775 return 0;
776 for (cp = name; *cp; cp++)
777 {
778 char c = *cp;
779 if (!((c >= 'a' && c <= 'z') ||
780 (c >= '0' && c <= '9') ||
781 (c >= 'A' && c <= 'Z') ||
782 (c == '.' || c == '-') ||
783 (c == '*')))
784 return 0; /* Only LDH, '.' and '*' */
785 }
786 if (cp - name != len) /* Guard against internal NULs */
787 return 0;
788 return name;
789 }
790
791 static char *
792 parse_dns_name(const GENERAL_NAME *gn)
793 {
794 if (gn->type != GEN_DNS)
795 return 0;
796 if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
797 return 0;
798 return check_name((char *) ASN1_STRING_data(gn->d.ia5),
799 ASN1_STRING_length(gn->d.ia5));
800 }
801
802 static char *
803 parse_subject_name(X509 *cert)
804 {
805 X509_NAME *name = X509_get_subject_name(cert);
806 X509_NAME_ENTRY *entry;
807 ASN1_STRING *entry_str;
808 unsigned char *namebuf;
809 int nid = NID_commonName;
810 int len;
811 int i;
812
813 if (!name || (i = X509_NAME_get_index_by_NID(name, nid, -1)) < 0)
814 return 0;
815 if (!(entry = X509_NAME_get_entry(name, i)))
816 return 0;
817 if (!(entry_str = X509_NAME_ENTRY_get_data(entry)))
818 return 0;
819
820 if ((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0)
821 return 0;
822 if (len <= 0 || check_name((char *) namebuf, len) == 0)
823 {
824 OPENSSL_free(namebuf);
825 return 0;
826 }
827 return (char *) namebuf;
828 }
829
830 static int
831 name_check(ssl_dane *dane, X509 *cert)
832 {
833 int matched = 0;
834 BOOL got_altname = FALSE;
835 GENERAL_NAMES *gens;
836
837 gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
838 if (gens)
839 {
840 int n = sk_GENERAL_NAME_num(gens);
841 int i;
842
843 for (i = 0; i < n; ++i)
844 {
845 const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
846 const char *certid;
847
848 if (gn->type != GEN_DNS)
849 continue;
850 got_altname = TRUE;
851 certid = parse_dns_name(gn);
852 if (certid && *certid)
853 {
854 if ((matched = match_name(certid, dane)) == 0)
855 continue;
856 if (!(dane->mhost = OPENSSL_strdup(certid)))
857 matched = -1;
858 DEBUG(D_tls) debug_printf("Dane name_check: matched SAN %s\n", certid);
859 break;
860 }
861 }
862 GENERAL_NAMES_free(gens);
863 }
864
865 /*
866 * XXX: Should the subjectName be skipped when *any* altnames are present,
867 * or only when DNS altnames are present?
868 */
869 if (!got_altname)
870 {
871 char *certid = parse_subject_name(cert);
872 if (certid != 0 && *certid && (matched = match_name(certid, dane)) != 0)
873 {
874 DEBUG(D_tls) debug_printf("Dane name_check: matched SN %s\n", certid);
875 dane->mhost = OPENSSL_strdup(certid);
876 }
877 if (certid)
878 OPENSSL_free(certid);
879 }
880 return matched;
881 }
882
883 static int
884 verify_chain(X509_STORE_CTX *ctx)
885 {
886 dane_selector_list issuer_rrs;
887 dane_selector_list leaf_rrs;
888 int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
889 int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
890 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
891 ssl_dane *dane = SSL_get_ex_data(ssl, dane_idx);
892 X509 *cert = ctx->cert; /* XXX: accessor? */
893 int matched = 0;
894 int chain_length = sk_X509_num(ctx->chain);
895
896 DEBUG(D_tls) debug_printf("Dane verify_chain\n");
897
898 issuer_rrs = dane->selectors[DANESSL_USAGE_PKIX_TA];
899 leaf_rrs = dane->selectors[DANESSL_USAGE_PKIX_EE];
900 ctx->verify = dane->verify;
901
902 if ((matched = name_check(dane, cert)) < 0)
903 {
904 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
905 return 0;
906 }
907
908 if (!matched)
909 {
910 ctx->error_depth = 0;
911 ctx->current_cert = cert;
912 X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
913 if (!cb(0, ctx))
914 return 0;
915 }
916 matched = 0;
917
918 /*
919 * Satisfy at least one usage 0 or 1 constraint, unless we've already
920 * matched a usage 2 trust anchor.
921 *
922 * XXX: internal_verify() doesn't callback with top certs that are not
923 * self-issued. This should be fixed in a future OpenSSL.
924 */
925 if (dane->roots && sk_X509_num(dane->roots))
926 {
927 X509 *top = sk_X509_value(ctx->chain, dane->depth);
928
929 dane->mdpth = dane->depth;
930 dane->match = top;
931 X509_up_ref(top);
932
933 #ifndef NO_CALLBACK_WORKAROUND
934 if (X509_check_issued(top, top) != X509_V_OK)
935 {
936 ctx->error_depth = dane->depth;
937 ctx->current_cert = top;
938 if (!cb(1, ctx))
939 return 0;
940 }
941 #endif
942 /* Pop synthetic trust-anchor ancestors off the chain! */
943 while (--chain_length > dane->depth)
944 X509_free(sk_X509_pop(ctx->chain));
945 }
946 else
947 {
948 int n = 0;
949 X509 *xn = cert;
950
951 /*
952 * Check for an EE match, then a CA match at depths > 0, and
953 * finally, if the EE cert is self-issued, for a depth 0 CA match.
954 */
955 if (leaf_rrs)
956 matched = match(leaf_rrs, xn, 0);
957 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched EE\n");
958
959 if (!matched && issuer_rrs)
960 for (n = chain_length-1; !matched && n >= 0; --n)
961 {
962 xn = sk_X509_value(ctx->chain, n);
963 if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
964 matched = match(issuer_rrs, xn, n);
965 }
966 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched %s\n",
967 n>0 ? "CA" : "selfisssued EE");
968
969 if (!matched)
970 {
971 ctx->current_cert = cert;
972 ctx->error_depth = 0;
973 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
974 if (!cb(0, ctx))
975 return 0;
976 }
977 else
978 {
979 dane->mdpth = n;
980 dane->match = xn;
981 X509_up_ref(xn);
982 }
983 }
984
985 return ctx->verify(ctx);
986 }
987
988 static void
989 dane_reset(ssl_dane *dane)
990 {
991 dane->depth = -1;
992 if (dane->mhost)
993 {
994 OPENSSL_free(dane->mhost);
995 dane->mhost = 0;
996 }
997 if (dane->roots)
998 {
999 sk_X509_pop_free(dane->roots, X509_free);
1000 dane->roots = 0;
1001 }
1002 if (dane->chain)
1003 {
1004 sk_X509_pop_free(dane->chain, X509_free);
1005 dane->chain = 0;
1006 }
1007 if (dane->match)
1008 {
1009 X509_free(dane->match);
1010 dane->match = 0;
1011 }
1012 dane->mdpth = -1;
1013 }
1014
1015 static int
1016 verify_cert(X509_STORE_CTX *ctx, void *unused_ctx)
1017 {
1018 static int ssl_idx = -1;
1019 SSL *ssl;
1020 ssl_dane *dane;
1021 int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
1022 int matched;
1023 X509 *cert = ctx->cert; /* XXX: accessor? */
1024
1025 DEBUG(D_tls) debug_printf("Dane verify_cert\n");
1026
1027 if (ssl_idx < 0)
1028 ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1029 if (dane_idx < 0)
1030 {
1031 DANEerr(DANESSL_F_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
1032 return -1;
1033 }
1034
1035 ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
1036 if (!(dane = SSL_get_ex_data(ssl, dane_idx)) || !cert)
1037 return X509_verify_cert(ctx);
1038
1039 /* Reset for verification of a new chain, perhaps a renegotiation. */
1040 dane_reset(dane);
1041
1042 if (dane->selectors[DANESSL_USAGE_DANE_EE])
1043 {
1044 if ((matched = check_end_entity(ctx, dane, cert)) > 0)
1045 {
1046 ctx->error_depth = 0;
1047 ctx->current_cert = cert;
1048 return cb(1, ctx);
1049 }
1050 if (matched < 0)
1051 {
1052 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1053 return -1;
1054 }
1055 }
1056
1057 if (dane->selectors[DANESSL_USAGE_DANE_TA])
1058 {
1059 if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
1060 {
1061 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1062 return -1;
1063 }
1064 if (matched)
1065 {
1066 /*
1067 * Check that setting the untrusted chain updates the expected
1068 * structure member at the expected offset.
1069 */
1070 X509_STORE_CTX_trusted_stack(ctx, dane->roots);
1071 X509_STORE_CTX_set_chain(ctx, dane->chain);
1072 OPENSSL_assert(ctx->untrusted == dane->chain);
1073 }
1074 }
1075
1076 /*
1077 * Name checks and usage 0/1 constraint enforcement are delayed until
1078 * X509_verify_cert() builds the full chain and calls our verify_chain()
1079 * wrapper.
1080 */
1081 dane->verify = ctx->verify;
1082 ctx->verify = verify_chain;
1083
1084 if (X509_verify_cert(ctx))
1085 return 1;
1086
1087 /*
1088 * If the chain is invalid, clear any matching cert or hostname, to
1089 * protect callers that might erroneously rely on these alone without
1090 * checking the validation status.
1091 */
1092 if (dane->match)
1093 {
1094 X509_free(dane->match);
1095 dane->match = 0;
1096 }
1097 if (dane->mhost)
1098 {
1099 OPENSSL_free(dane->mhost);
1100 dane->mhost = 0;
1101 }
1102 return 0;
1103 }
1104
1105 static dane_list
1106 list_alloc(size_t vsize)
1107 {
1108 void *value = (void *) OPENSSL_malloc(vsize);
1109 dane_list l;
1110
1111 if (!value)
1112 {
1113 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1114 return 0;
1115 }
1116 if (!(l = (dane_list) OPENSSL_malloc(sizeof(*l))))
1117 {
1118 OPENSSL_free(value);
1119 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1120 return 0;
1121 }
1122 l->next = 0;
1123 l->value = value;
1124 return l;
1125 }
1126
1127 static void
1128 list_free(void *list, void (*f)(void *))
1129 {
1130 dane_list head;
1131 dane_list next;
1132
1133 for (head = (dane_list) list; head; head = next)
1134 {
1135 next = head->next;
1136 if (f && head->value)
1137 f(head->value);
1138 OPENSSL_free(head);
1139 }
1140 }
1141
1142 static void
1143 dane_mtype_free(void *p)
1144 {
1145 list_free(((dane_mtype) p)->data, CRYPTO_free);
1146 OPENSSL_free(p);
1147 }
1148
1149 static void
1150 dane_selector_free(void *p)
1151 {
1152 list_free(((dane_selector) p)->mtype, dane_mtype_free);
1153 OPENSSL_free(p);
1154 }
1155
1156
1157
1158 /*
1159
1160 Tidy up once the connection is finished with.
1161
1162 Arguments
1163 ssl The ssl connection handle
1164
1165 => Before calling SSL_free()
1166 tls_close() and tls_getc() [the error path] are the obvious places.
1167 Could we do it earlier - right after verification? In tls_client_start()
1168 right after SSL_connect() returns, in that case.
1169
1170 */
1171
1172 void
1173 DANESSL_cleanup(SSL *ssl)
1174 {
1175 ssl_dane *dane;
1176 int u;
1177
1178 DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
1179
1180 if (dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1181 return;
1182 (void) SSL_set_ex_data(ssl, dane_idx, 0);
1183
1184 dane_reset(dane);
1185 if (dane->hosts)
1186 list_free(dane->hosts, CRYPTO_free);
1187 for (u = 0; u <= DANESSL_USAGE_LAST; ++u)
1188 if (dane->selectors[u])
1189 list_free(dane->selectors[u], dane_selector_free);
1190 if (dane->pkeys)
1191 list_free(dane->pkeys, pkey_free);
1192 if (dane->certs)
1193 list_free(dane->certs, cert_free);
1194 OPENSSL_free(dane);
1195 }
1196
1197 static dane_host_list
1198 host_list_init(const char **src)
1199 {
1200 dane_host_list head = NULL;
1201
1202 while (*src)
1203 {
1204 dane_host_list elem = (dane_host_list) OPENSSL_malloc(sizeof(*elem));
1205 if (elem == 0)
1206 {
1207 list_free(head, CRYPTO_free);
1208 return 0;
1209 }
1210 elem->value = OPENSSL_strdup(*src++);
1211 LINSERT(head, elem);
1212 }
1213 return head;
1214 }
1215
1216
1217 int
1218 DANESSL_get_match_cert(SSL *ssl, X509 **match, const char **mhost, int *depth)
1219 {
1220 ssl_dane *dane;
1221
1222 if (dane_idx < 0 || (dane = SSL_get_ex_data(ssl, dane_idx)) == 0)
1223 {
1224 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1225 return -1;
1226 }
1227
1228 if (dane->match)
1229 {
1230 if (match)
1231 *match = dane->match;
1232 if (mhost)
1233 *mhost = dane->mhost;
1234 if (depth)
1235 *depth = dane->mdpth;
1236 }
1237
1238 return (dane->match != 0);
1239 }
1240
1241
1242 #ifdef never_called
1243 int
1244 DANESSL_verify_chain(SSL *ssl, STACK_OF(X509) *chain)
1245 {
1246 int ret;
1247 X509 *cert;
1248 X509_STORE_CTX store_ctx;
1249 SSL_CTX *ssl_ctx = SSL_get_SSL_CTX(ssl);
1250 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
1251 int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1252
1253 cert = sk_X509_value(chain, 0);
1254 if (!X509_STORE_CTX_init(&store_ctx, store, cert, chain))
1255 return 0;
1256 X509_STORE_CTX_set_ex_data(&store_ctx, store_ctx_idx, ssl);
1257
1258 X509_STORE_CTX_set_default(&store_ctx,
1259 SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
1260 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&store_ctx),
1261 SSL_get0_param(ssl));
1262
1263 if (SSL_get_verify_callback(ssl))
1264 X509_STORE_CTX_set_verify_cb(&store_ctx, SSL_get_verify_callback(ssl));
1265
1266 ret = verify_cert(&store_ctx, NULL);
1267
1268 SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(&store_ctx));
1269 X509_STORE_CTX_cleanup(&store_ctx);
1270
1271 return (ret);
1272 }
1273 #endif
1274
1275
1276
1277
1278 /*
1279
1280 Call this for each TLSA record found for the target, after the
1281 DANE setup has been done on the ssl connection handle.
1282
1283 Arguments:
1284 ssl Connection handle
1285 usage TLSA record field
1286 selector TLSA record field
1287 mdname ??? message digest name?
1288 data ??? TLSA record megalump?
1289 dlen length of data
1290
1291 Return
1292 -1 on error
1293 0 action not taken
1294 1 record accepted
1295 */
1296
1297 int
1298 DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
1299 unsigned const char *data, size_t dlen)
1300 {
1301 ssl_dane *dane;
1302 dane_selector_list s = 0;
1303 dane_mtype_list m = 0;
1304 dane_data_list d = 0;
1305 dane_cert_list xlist = 0;
1306 dane_pkey_list klist = 0;
1307 const EVP_MD *md = 0;
1308
1309 DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
1310 usage, selector, mdname);
1311
1312 if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1313 {
1314 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1315 return -1;
1316 }
1317
1318 if (usage > DANESSL_USAGE_LAST)
1319 {
1320 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_USAGE);
1321 return 0;
1322 }
1323 if (selector > DANESSL_SELECTOR_LAST)
1324 {
1325 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_SELECTOR);
1326 return 0;
1327 }
1328
1329 /* Support built-in standard one-digit mtypes */
1330 if (mdname && *mdname && mdname[1] == '\0')
1331 switch (*mdname - '0')
1332 {
1333 case DANESSL_MATCHING_FULL: mdname = 0; break;
1334 case DANESSL_MATCHING_2256: mdname = "sha256"; break;
1335 case DANESSL_MATCHING_2512: mdname = "sha512"; break;
1336 }
1337 if (mdname && *mdname && (md = EVP_get_digestbyname(mdname)) == 0)
1338 {
1339 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST);
1340 return 0;
1341 }
1342 if (mdname && *mdname && dlen != EVP_MD_size(md))
1343 {
1344 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH);
1345 return 0;
1346 }
1347 if (!data)
1348 {
1349 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA);
1350 return 0;
1351 }
1352
1353 /*
1354 * Full Certificate or Public Key when NULL or empty digest name
1355 */
1356 if (!mdname || !*mdname)
1357 {
1358 X509 *x = 0;
1359 EVP_PKEY *k = 0;
1360 const unsigned char *p = data;
1361
1362 #define xklistinit(lvar, ltype, var, freeFunc) do { \
1363 (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
1364 if ((lvar) == 0) { \
1365 DANEerr(DANESSL_F_ADD_TLSA, ERR_R_MALLOC_FAILURE); \
1366 freeFunc((var)); \
1367 return 0; \
1368 } \
1369 (lvar)->next = 0; \
1370 lvar->value = var; \
1371 } while (0)
1372 #define xkfreeret(ret) do { \
1373 if (xlist) list_free(xlist, cert_free); \
1374 if (klist) list_free(klist, pkey_free); \
1375 return (ret); \
1376 } while (0)
1377
1378 switch (selector)
1379 {
1380 case DANESSL_SELECTOR_CERT:
1381 if (!d2i_X509(&x, &p, dlen) || dlen != p - data)
1382 {
1383 if (x)
1384 X509_free(x);
1385 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT);
1386 return 0;
1387 }
1388 k = X509_get_pubkey(x);
1389 EVP_PKEY_free(k);
1390 if (k == 0)
1391 {
1392 X509_free(x);
1393 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT_PKEY);
1394 return 0;
1395 }
1396 if (usage == DANESSL_USAGE_DANE_TA)
1397 xklistinit(xlist, dane_cert_list, x, X509_free);
1398 break;
1399
1400 case DANESSL_SELECTOR_SPKI:
1401 if (!d2i_PUBKEY(&k, &p, dlen) || dlen != p - data)
1402 {
1403 if (k)
1404 EVP_PKEY_free(k);
1405 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_PKEY);
1406 return 0;
1407 }
1408 if (usage == DANESSL_USAGE_DANE_TA)
1409 xklistinit(klist, dane_pkey_list, k, EVP_PKEY_free);
1410 break;
1411 }
1412 }
1413
1414 /* Find insertion point and don't add duplicate elements. */
1415 for (s = dane->selectors[usage]; s; s = s->next)
1416 if (s->value->selector == selector)
1417 {
1418 for (m = s->value->mtype; m; m = m->next)
1419 if (m->value->md == md)
1420 {
1421 for (d = m->value->data; d; d = d->next)
1422 if ( d->value->datalen == dlen
1423 && memcmp(d->value->data, data, dlen) == 0)
1424 xkfreeret(1);
1425 break;
1426 }
1427 break;
1428 }
1429
1430 if ((d = (dane_data_list) list_alloc(sizeof(*d->value) + dlen)) == 0)
1431 xkfreeret(0);
1432 d->value->datalen = dlen;
1433 memcpy(d->value->data, data, dlen);
1434 if (!m)
1435 {
1436 if ((m = (dane_mtype_list) list_alloc(sizeof(*m->value))) == 0)
1437 {
1438 list_free(d, CRYPTO_free);
1439 xkfreeret(0);
1440 }
1441 m->value->data = 0;
1442 if ((m->value->md = md) != 0)
1443 m->value->mdlen = dlen;
1444 if (!s)
1445 {
1446 if ((s = (dane_selector_list) list_alloc(sizeof(*s->value))) == 0)
1447 {
1448 list_free(m, dane_mtype_free);
1449 xkfreeret(0);
1450 }
1451 s->value->mtype = 0;
1452 s->value->selector = selector;
1453 LINSERT(dane->selectors[usage], s);
1454 }
1455 LINSERT(s->value->mtype, m);
1456 }
1457 LINSERT(m->value->data, d);
1458
1459 if (xlist)
1460 LINSERT(dane->certs, xlist);
1461 else if (klist)
1462 LINSERT(dane->pkeys, klist);
1463 ++dane->count;
1464 return 1;
1465 }
1466
1467
1468
1469
1470 /*
1471 Call this once we have an ssl connection handle but before
1472 making the TLS connection.
1473
1474 => In tls_client_start() after the call to SSL_new()
1475 and before the call to SSL_connect(). Exactly where
1476 probably does not matter.
1477 We probably want to keep our existing SNI handling;
1478 call this with NULL.
1479
1480 Arguments:
1481 ssl Connection handle
1482 sni_domain Optional peer server name
1483 hostnames list of names to chack against peer cert
1484
1485 Return
1486 -1 on fatal error
1487 0 nonfatal error
1488 1 success
1489 */
1490
1491 int
1492 DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
1493 {
1494 ssl_dane *dane;
1495 int i;
1496
1497 DEBUG(D_tls) debug_printf("Dane ssl_init\n");
1498 if (dane_idx < 0)
1499 {
1500 DANEerr(DANESSL_F_INIT, DANESSL_R_LIBRARY_INIT);
1501 return -1;
1502 }
1503
1504 if (sni_domain && !SSL_set_tlsext_host_name(ssl, sni_domain))
1505 return 0;
1506
1507 if ((dane = (ssl_dane *) OPENSSL_malloc(sizeof(ssl_dane))) == 0)
1508 {
1509 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1510 return 0;
1511 }
1512 if (!SSL_set_ex_data(ssl, dane_idx, dane))
1513 {
1514 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1515 OPENSSL_free(dane);
1516 return 0;
1517 }
1518
1519 dane->verify = 0;
1520 dane->hosts = 0;
1521 dane->thost = 0;
1522 dane->pkeys = 0;
1523 dane->certs = 0;
1524 dane->chain = 0;
1525 dane->match = 0;
1526 dane->roots = 0;
1527 dane->depth = -1;
1528 dane->mhost = 0; /* Future SSL control interface */
1529 dane->mdpth = 0; /* Future SSL control interface */
1530 dane->multi = 0; /* Future SSL control interface */
1531 dane->count = 0;
1532 dane->hosts = 0;
1533
1534 for (i = 0; i <= DANESSL_USAGE_LAST; ++i)
1535 dane->selectors[i] = 0;
1536
1537 if (hostnames && (dane->hosts = host_list_init(hostnames)) == 0)
1538 {
1539 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1540 DANESSL_cleanup(ssl);
1541 return 0;
1542 }
1543
1544 return 1;
1545 }
1546
1547
1548 /*
1549
1550 Call this once we have a context to work with, but
1551 before DANESSL_init()
1552
1553 => in tls_client_start(), after tls_init() call gives us the ctx,
1554 if we decide we want to (policy) and can (TLSA records available)
1555 replacing (? what about fallback) everything from testing tls_verify_hosts
1556 down to just before calling SSL_new() for the conn handle.
1557
1558 Arguments
1559 ctx SSL context
1560
1561 Return
1562 -1 Error
1563 1 Success
1564 */
1565
1566 int
1567 DANESSL_CTX_init(SSL_CTX *ctx)
1568 {
1569 DEBUG(D_tls) debug_printf("Dane ctx-init\n");
1570 if (dane_idx >= 0)
1571 {
1572 SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
1573 return 1;
1574 }
1575 DANEerr(DANESSL_F_CTX_INIT, DANESSL_R_LIBRARY_INIT);
1576 return -1;
1577 }
1578
1579 static int
1580 init_once(volatile int *value, int (*init)(void), void (*postinit)(void))
1581 {
1582 int wlock = 0;
1583
1584 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
1585 if (*value < 0)
1586 {
1587 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1588 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1589 wlock = 1;
1590 if (*value < 0)
1591 {
1592 *value = init();
1593 if (postinit)
1594 postinit();
1595 }
1596 }
1597 if (wlock)
1598 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1599 else
1600 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1601 return *value;
1602 }
1603
1604 static void
1605 dane_init(void)
1606 {
1607 /*
1608 * Store library id in zeroth function slot, used to locate the library
1609 * name. This must be done before we load the error strings.
1610 */
1611 #ifndef OPENSSL_NO_ERR
1612 dane_str_functs[0].error |= ERR_PACK(err_lib_dane, 0, 0);
1613 ERR_load_strings(err_lib_dane, dane_str_functs);
1614 ERR_load_strings(err_lib_dane, dane_str_reasons);
1615 #endif
1616
1617 /*
1618 * Register SHA-2 digests, if implemented and not already registered.
1619 */
1620 #if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
1621 if (!EVP_get_digestbyname(LN_sha224)) EVP_add_digest(EVP_sha224());
1622 if (!EVP_get_digestbyname(LN_sha256)) EVP_add_digest(EVP_sha256());
1623 #endif
1624 #if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
1625 if (!EVP_get_digestbyname(LN_sha384)) EVP_add_digest(EVP_sha384());
1626 if (!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
1627 #endif
1628
1629 /*
1630 * Register an SSL index for the connection-specific ssl_dane structure.
1631 * Using a separate index makes it possible to add DANE support to
1632 * existing OpenSSL releases that don't have a suitable pointer in the
1633 * SSL structure.
1634 */
1635 dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
1636 }
1637
1638
1639
1640 /*
1641
1642 Call this once. Probably early in startup will do; may need
1643 to be after SSL library init.
1644
1645 => put after call to tls_init() for now
1646
1647 Return
1648 1 Success
1649 0 Fail
1650 */
1651
1652 int
1653 DANESSL_library_init(void)
1654 {
1655 DEBUG(D_tls) debug_printf("Dane lib-init\n");
1656 if (err_lib_dane < 0)
1657 init_once(&err_lib_dane, ERR_get_next_error_library, dane_init);
1658
1659 #if defined(LN_sha256)
1660 /* No DANE without SHA256 support */
1661 if (dane_idx >= 0 && EVP_get_digestbyname(LN_sha256) != 0)
1662 return 1;
1663 #endif
1664 DANEerr(DANESSL_F_LIBRARY_INIT, DANESSL_R_SUPPORT);
1665 return 0;
1666 }
1667
1668
1669 #endif /* OPENSSL_VERSION_NUMBER */
1670 /* vi: aw ai sw=2
1671 */
Unnamed repository; edit this file 'description' to name the repository.