projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tidying: dkim output function args
[exim.git] / src / src / dane-openssl.c
1 /*
2 * Author: Viktor Dukhovni
3 * License: THIS CODE IS IN THE PUBLIC DOMAIN.
4 *
5 * Copyright (c) The Exim Maintainers 2014 - 2016
6 */
7 #include <stdio.h>
8 #include <string.h>
9 #include <stdint.h>
10
11 #include <openssl/opensslv.h>
12 #include <openssl/err.h>
13 #include <openssl/crypto.h>
14 #include <openssl/safestack.h>
15 #include <openssl/objects.h>
16 #include <openssl/x509.h>
17 #include <openssl/x509v3.h>
18 #include <openssl/evp.h>
19 #include <openssl/bn.h>
20
21 #if OPENSSL_VERSION_NUMBER < 0x1000000fL
22 # error "OpenSSL 1.0.0 or higher required"
23 #else /* remainder of file */
24
25 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
26 # define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
27 #endif
28 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
29 # define EXIM_HAVE_ASN1_MACROS
30 # define EXIM_OPAQUE_X509
31 #endif
32
33
34 #include "danessl.h"
35
36 #define DANESSL_F_ADD_SKID 100
37 #define DANESSL_F_ADD_TLSA 101
38 #define DANESSL_F_CHECK_END_ENTITY 102
39 #define DANESSL_F_CTX_INIT 103
40 #define DANESSL_F_GROW_CHAIN 104
41 #define DANESSL_F_INIT 105
42 #define DANESSL_F_LIBRARY_INIT 106
43 #define DANESSL_F_LIST_ALLOC 107
44 #define DANESSL_F_MATCH 108
45 #define DANESSL_F_PUSH_EXT 109
46 #define DANESSL_F_SET_TRUST_ANCHOR 110
47 #define DANESSL_F_VERIFY_CERT 111
48 #define DANESSL_F_WRAP_CERT 112
49
50 #define DANESSL_R_BAD_CERT 100
51 #define DANESSL_R_BAD_CERT_PKEY 101
52 #define DANESSL_R_BAD_DATA_LENGTH 102
53 #define DANESSL_R_BAD_DIGEST 103
54 #define DANESSL_R_BAD_NULL_DATA 104
55 #define DANESSL_R_BAD_PKEY 105
56 #define DANESSL_R_BAD_SELECTOR 106
57 #define DANESSL_R_BAD_USAGE 107
58 #define DANESSL_R_INIT 108
59 #define DANESSL_R_LIBRARY_INIT 109
60 #define DANESSL_R_NOSIGN_KEY 110
61 #define DANESSL_R_SCTX_INIT 111
62 #define DANESSL_R_SUPPORT 112
63
64 #ifndef OPENSSL_NO_ERR
65 #define DANESSL_F_PLACEHOLDER 0 /* FIRST! Value TBD */
66 static ERR_STRING_DATA dane_str_functs[] = {
67 {DANESSL_F_PLACEHOLDER, "DANE library"}, /* FIRST!!! */
68 {DANESSL_F_ADD_SKID, "add_skid"},
69 {DANESSL_F_ADD_TLSA, "DANESSL_add_tlsa"},
70 {DANESSL_F_CHECK_END_ENTITY, "check_end_entity"},
71 {DANESSL_F_CTX_INIT, "DANESSL_CTX_init"},
72 {DANESSL_F_GROW_CHAIN, "grow_chain"},
73 {DANESSL_F_INIT, "DANESSL_init"},
74 {DANESSL_F_LIBRARY_INIT, "DANESSL_library_init"},
75 {DANESSL_F_LIST_ALLOC, "list_alloc"},
76 {DANESSL_F_MATCH, "match"},
77 {DANESSL_F_PUSH_EXT, "push_ext"},
78 {DANESSL_F_SET_TRUST_ANCHOR, "set_trust_anchor"},
79 {DANESSL_F_VERIFY_CERT, "verify_cert"},
80 {DANESSL_F_WRAP_CERT, "wrap_cert"},
81 {0, NULL}
82 };
83 static ERR_STRING_DATA dane_str_reasons[] = {
84 {DANESSL_R_BAD_CERT, "Bad TLSA record certificate"},
85 {DANESSL_R_BAD_CERT_PKEY, "Bad TLSA record certificate public key"},
86 {DANESSL_R_BAD_DATA_LENGTH, "Bad TLSA record digest length"},
87 {DANESSL_R_BAD_DIGEST, "Bad TLSA record digest"},
88 {DANESSL_R_BAD_NULL_DATA, "Bad TLSA record null data"},
89 {DANESSL_R_BAD_PKEY, "Bad TLSA record public key"},
90 {DANESSL_R_BAD_SELECTOR, "Bad TLSA record selector"},
91 {DANESSL_R_BAD_USAGE, "Bad TLSA record usage"},
92 {DANESSL_R_INIT, "DANESSL_init() required"},
93 {DANESSL_R_LIBRARY_INIT, "DANESSL_library_init() required"},
94 {DANESSL_R_NOSIGN_KEY, "Certificate usage 2 requires EC support"},
95 {DANESSL_R_SCTX_INIT, "DANESSL_CTX_init() required"},
96 {DANESSL_R_SUPPORT, "DANE library features not supported"},
97 {0, NULL}
98 };
99 #endif
100
101 #define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
102
103 static int err_lib_dane = -1;
104 static int dane_idx = -1;
105
106 #ifdef X509_V_FLAG_PARTIAL_CHAIN /* OpenSSL >= 1.0.2 */
107 static int wrap_to_root = 0;
108 #else
109 static int wrap_to_root = 1;
110 #endif
111
112 static void (*cert_free)(void *) = (void (*)(void *)) X509_free;
113 static void (*pkey_free)(void *) = (void (*)(void *)) EVP_PKEY_free;
114
115 typedef struct dane_list
116 {
117 struct dane_list *next;
118 void *value;
119 } *dane_list;
120
121 #define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0)
122
123 typedef struct dane_host_list
124 {
125 struct dane_host_list *next;
126 char *value;
127 } *dane_host_list;
128
129 typedef struct dane_data
130 {
131 size_t datalen;
132 unsigned char data[0];
133 } *dane_data;
134
135 typedef struct dane_data_list
136 {
137 struct dane_data_list *next;
138 dane_data value;
139 } *dane_data_list;
140
141 typedef struct dane_mtype
142 {
143 int mdlen;
144 const EVP_MD *md;
145 dane_data_list data;
146 } *dane_mtype;
147
148 typedef struct dane_mtype_list
149 {
150 struct dane_mtype_list *next;
151 dane_mtype value;
152 } *dane_mtype_list;
153
154 typedef struct dane_selector
155 {
156 uint8_t selector;
157 dane_mtype_list mtype;
158 } *dane_selector;
159
160 typedef struct dane_selector_list
161 {
162 struct dane_selector_list *next;
163 dane_selector value;
164 } *dane_selector_list;
165
166 typedef struct dane_pkey_list
167 {
168 struct dane_pkey_list *next;
169 EVP_PKEY *value;
170 } *dane_pkey_list;
171
172 typedef struct dane_cert_list
173 {
174 struct dane_cert_list *next;
175 X509 *value;
176 } *dane_cert_list;
177
178 typedef struct ssl_dane
179 {
180 int (*verify)(X509_STORE_CTX *);
181 STACK_OF(X509) *roots;
182 STACK_OF(X509) *chain;
183 X509 *match; /* Matched cert */
184 const char *thost; /* TLSA base domain */
185 char *mhost; /* Matched peer name */
186 dane_pkey_list pkeys;
187 dane_cert_list certs;
188 dane_host_list hosts;
189 dane_selector_list selectors[DANESSL_USAGE_LAST + 1];
190 int depth;
191 int mdpth; /* Depth of matched cert */
192 int multi; /* Multi-label wildcards? */
193 int count; /* Number of TLSA records */
194 } ssl_dane;
195
196 #ifndef X509_V_ERR_HOSTNAME_MISMATCH
197 # define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION
198 #endif
199
200
201
202 static int
203 match(dane_selector_list slist, X509 *cert, int depth)
204 {
205 int matched;
206
207 /*
208 * Note, set_trust_anchor() needs to know whether the match was for a
209 * pkey digest or a certificate digest. We return MATCHED_PKEY or
210 * MATCHED_CERT accordingly.
211 */
212 #define MATCHED_CERT (DANESSL_SELECTOR_CERT + 1)
213 #define MATCHED_PKEY (DANESSL_SELECTOR_SPKI + 1)
214
215 /*
216 * Loop over each selector, mtype, and associated data element looking
217 * for a match.
218 */
219 for (matched = 0; !matched && slist; slist = slist->next)
220 {
221 dane_mtype_list m;
222 unsigned char mdbuf[EVP_MAX_MD_SIZE];
223 unsigned char *buf = NULL;
224 unsigned char *buf2;
225 unsigned int len = 0;
226
227 /*
228 * Extract ASN.1 DER form of certificate or public key.
229 */
230 switch(slist->value->selector)
231 {
232 case DANESSL_SELECTOR_CERT:
233 len = i2d_X509(cert, NULL);
234 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
235 if(buf) i2d_X509(cert, &buf2);
236 break;
237 case DANESSL_SELECTOR_SPKI:
238 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
239 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
240 if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2);
241 break;
242 }
243
244 if (!buf)
245 {
246 DANEerr(DANESSL_F_MATCH, ERR_R_MALLOC_FAILURE);
247 return 0;
248 }
249 OPENSSL_assert(buf2 - buf == len);
250
251 /*
252 * Loop over each mtype and data element
253 */
254 for (m = slist->value->mtype; !matched && m; m = m->next)
255 {
256 dane_data_list d;
257 unsigned char *cmpbuf = buf;
258 unsigned int cmplen = len;
259
260 /*
261 * If it is a digest, compute the corresponding digest of the
262 * DER data for comparison, otherwise, use the full object.
263 */
264 if (m->value->md)
265 {
266 cmpbuf = mdbuf;
267 if (!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
268 matched = -1;
269 }
270 for (d = m->value->data; !matched && d; d = d->next)
271 if ( cmplen == d->value->datalen
272 && memcmp(cmpbuf, d->value->data, cmplen) == 0)
273 matched = slist->value->selector + 1;
274 }
275
276 OPENSSL_free(buf);
277 }
278
279 return matched;
280 }
281
282 static int
283 push_ext(X509 *cert, X509_EXTENSION *ext)
284 {
285 if (ext) {
286 if (X509_add_ext(cert, ext, -1))
287 return 1;
288 X509_EXTENSION_free(ext);
289 }
290 DANEerr(DANESSL_F_PUSH_EXT, ERR_R_MALLOC_FAILURE);
291 return 0;
292 }
293
294 static int
295 add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
296 {
297 X509V3_CTX v3ctx;
298
299 X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
300 return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
301 }
302
303 static int
304 set_serial(X509 *cert, AUTHORITY_KEYID *akid, X509 *subject)
305 {
306 int ret = 0;
307 BIGNUM *bn;
308
309 if (akid && akid->serial)
310 return (X509_set_serialNumber(cert, akid->serial));
311
312 /*
313 * Add one to subject's serial to avoid collisions between TA serial and
314 * serial of signing root.
315 */
316 if ( (bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(subject), 0)) != 0
317 && BN_add_word(bn, 1)
318 && BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(cert)))
319 ret = 1;
320
321 if (bn)
322 BN_free(bn);
323 return ret;
324 }
325
326 static int
327 add_akid(X509 *cert, AUTHORITY_KEYID *akid)
328 {
329 int nid = NID_authority_key_identifier;
330 ASN1_STRING *id;
331 unsigned char c = 0;
332 int ret = 0;
333
334 /*
335 * 0 will never be our subject keyid from a SHA-1 hash, but it could be
336 * our subject keyid if forced from child's akid. If so, set our
337 * authority keyid to 1. This way we are never self-signed, and thus
338 * exempt from any potential (off by default for now in OpenSSL)
339 * self-signature checks!
340 */
341 id = (akid && akid->keyid) ? akid->keyid : 0;
342 if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_data(id) == c)
343 c = 1;
344
345 if ( (akid = AUTHORITY_KEYID_new()) != 0
346 && (akid->keyid = ASN1_OCTET_STRING_new()) != 0
347 #ifdef EXIM_HAVE_ASN1_MACROS
348 && ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
349 #else
350 && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
351 #endif
352 && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_APPEND))
353 ret = 1;
354 if (akid)
355 AUTHORITY_KEYID_free(akid);
356 return ret;
357 }
358
359 static int
360 add_skid(X509 *cert, AUTHORITY_KEYID *akid)
361 {
362 int nid = NID_subject_key_identifier;
363
364 if (!akid || !akid->keyid)
365 return add_ext(0, cert, nid, "hash");
366 return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_APPEND) > 0;
367 }
368
369 static X509_NAME *
370 akid_issuer_name(AUTHORITY_KEYID *akid)
371 {
372 if (akid && akid->issuer)
373 {
374 int i;
375 GENERAL_NAMES *gens = akid->issuer;
376
377 for (i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
378 {
379 GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
380
381 if (gn->type == GEN_DIRNAME)
382 return (gn->d.dirn);
383 }
384 }
385 return 0;
386 }
387
388 static int
389 set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
390 {
391 X509_NAME *name = akid_issuer_name(akid);
392
393 /*
394 * If subject's akid specifies an authority key identifer issuer name, we
395 * must use that.
396 */
397 return X509_set_issuer_name(cert,
398 name ? name : X509_get_subject_name(cert));
399 }
400
401 static int
402 grow_chain(ssl_dane *dane, int trusted, X509 *cert)
403 {
404 STACK_OF(X509) **xs = trusted ? &dane->roots : &dane->chain;
405 static ASN1_OBJECT *serverAuth = 0;
406
407 #define UNTRUSTED 0
408 #define TRUSTED 1
409
410 if ( trusted && !serverAuth
411 && !(serverAuth = OBJ_nid2obj(NID_server_auth)))
412 {
413 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
414 return 0;
415 }
416 if (!*xs && !(*xs = sk_X509_new_null()))
417 {
418 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
419 return 0;
420 }
421
422 if (cert)
423 {
424 if (trusted && !X509_add1_trust_object(cert, serverAuth))
425 return 0;
426 #ifdef EXIM_OPAQUE_X509
427 X509_up_ref(cert);
428 #else
429 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
430 #endif
431 if (!sk_X509_push(*xs, cert))
432 {
433 X509_free(cert);
434 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
435 return 0;
436 }
437 }
438 return 1;
439 }
440
441 static int
442 wrap_issuer(ssl_dane *dane, EVP_PKEY *key, X509 *subject, int depth, int top)
443 {
444 int ret = 1;
445 X509 *cert = 0;
446 AUTHORITY_KEYID *akid;
447 X509_NAME *name = X509_get_issuer_name(subject);
448 EVP_PKEY *newkey = key ? key : X509_get_pubkey(subject);
449
450 #define WRAP_MID 0 /* Ensure intermediate. */
451 #define WRAP_TOP 1 /* Ensure self-signed. */
452
453 if (!name || !newkey || !(cert = X509_new()))
454 return 0;
455
456 /*
457 * Record the depth of the trust-anchor certificate.
458 */
459 if (dane->depth < 0)
460 dane->depth = depth + 1;
461
462 /*
463 * XXX: Uncaught error condition:
464 *
465 * The return value is NULL both when the extension is missing, and when
466 * OpenSSL rans out of memory while parsing the extension.
467 */
468 ERR_clear_error();
469 akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
470 /* XXX: Should we peek at the error stack here??? */
471
472 /*
473 * If top is true generate a self-issued root CA, otherwise an
474 * intermediate CA and possibly its self-signed issuer.
475 *
476 * CA cert valid for +/- 30 days
477 */
478 if ( !X509_set_version(cert, 2)
479 || !set_serial(cert, akid, subject)
480 || !X509_set_subject_name(cert, name)
481 || !set_issuer_name(cert, akid)
482 || !X509_gmtime_adj(X509_get_notBefore(cert), -30 * 86400L)
483 || !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L)
484 || !X509_set_pubkey(cert, newkey)
485 || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
486 || (!top && !add_akid(cert, akid))
487 || !add_skid(cert, akid)
488 || ( !top && wrap_to_root
489 && !wrap_issuer(dane, newkey, cert, depth, WRAP_TOP)))
490 ret = 0;
491
492 if (akid)
493 AUTHORITY_KEYID_free(akid);
494 if (!key)
495 EVP_PKEY_free(newkey);
496 if (ret)
497 ret = grow_chain(dane, !top && wrap_to_root ? UNTRUSTED : TRUSTED, cert);
498 if (cert)
499 X509_free(cert);
500 return ret;
501 }
502
503 static int
504 wrap_cert(ssl_dane *dane, X509 *tacert, int depth)
505 {
506 if (dane->depth < 0)
507 dane->depth = depth + 1;
508
509 /*
510 * If the TA certificate is self-issued, or need not be, use it directly.
511 * Otherwise, synthesize requisuite ancestors.
512 */
513 if ( !wrap_to_root
514 || X509_check_issued(tacert, tacert) == X509_V_OK)
515 return grow_chain(dane, TRUSTED, tacert);
516
517 if (wrap_issuer(dane, 0, tacert, depth, WRAP_MID))
518 return grow_chain(dane, UNTRUSTED, tacert);
519 return 0;
520 }
521
522 static int
523 ta_signed(ssl_dane *dane, X509 *cert, int depth)
524 {
525 dane_cert_list x;
526 dane_pkey_list k;
527 EVP_PKEY *pk;
528 int done = 0;
529
530 /*
531 * First check whether issued and signed by a TA cert, this is cheaper
532 * than the bare-public key checks below, since we can determine whether
533 * the candidate TA certificate issued the certificate to be checked
534 * first (name comparisons), before we bother with signature checks
535 * (public key operations).
536 */
537 for (x = dane->certs; !done && x; x = x->next)
538 {
539 if (X509_check_issued(x->value, cert) == X509_V_OK)
540 {
541 if (!(pk = X509_get_pubkey(x->value)))
542 {
543 /*
544 * The cert originally contained a valid pkey, which does
545 * not just vanish, so this is most likely a memory error.
546 */
547 done = -1;
548 break;
549 }
550 /* Check signature, since some other TA may work if not this. */
551 if (X509_verify(cert, pk) > 0)
552 done = wrap_cert(dane, x->value, depth) ? 1 : -1;
553 EVP_PKEY_free(pk);
554 }
555 }
556
557 /*
558 * With bare TA public keys, we can't check whether the trust chain is
559 * issued by the key, but we can determine whether it is signed by the
560 * key, so we go with that.
561 *
562 * Ideally, the corresponding certificate was presented in the chain, and we
563 * matched it by its public key digest one level up. This code is here
564 * to handle adverse conditions imposed by sloppy administrators of
565 * receiving systems with poorly constructed chains.
566 *
567 * We'd like to optimize out keys that should not match when the cert's
568 * authority key id does not match the key id of this key computed via
569 * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans
570 * ASN1 tag and length thus also excluding the unused bits field that is
571 * logically part of the length). However, some CAs have a non-standard
572 * authority keyid, so we lose. Too bad.
573 *
574 * This may push errors onto the stack when the certificate signature is
575 * not of the right type or length, throw these away,
576 */
577 for (k = dane->pkeys; !done && k; k = k->next)
578 if (X509_verify(cert, k->value) > 0)
579 done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
580 else
581 ERR_clear_error();
582
583 return done;
584 }
585
586 static int
587 set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
588 {
589 int matched = 0;
590 int n;
591 int i;
592 int depth = 0;
593 EVP_PKEY *takey;
594 X509 *ca;
595 STACK_OF(X509) *in = ctx->untrusted; /* XXX: Accessor? */
596
597 if (!grow_chain(dane, UNTRUSTED, 0))
598 return -1;
599
600 /*
601 * Accept a degenerate case: depth 0 self-signed trust-anchor.
602 */
603 if (X509_check_issued(cert, cert) == X509_V_OK)
604 {
605 dane->depth = 0;
606 matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], cert, 0);
607 if (matched > 0 && !grow_chain(dane, TRUSTED, cert))
608 matched = -1;
609 return matched;
610 }
611
612 /* Make a shallow copy of the input untrusted chain. */
613 if (!(in = sk_X509_dup(in)))
614 {
615 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
616 return -1;
617 }
618
619 /*
620 * At each iteration we consume the issuer of the current cert. This
621 * reduces the length of the "in" chain by one. If no issuer is found,
622 * we are done. We also stop when a certificate matches a TA in the
623 * peer's TLSA RRset.
624 *
625 * Caller ensures that the initial certificate is not self-signed.
626 */
627 for (n = sk_X509_num(in); n > 0; --n, ++depth)
628 {
629 for (i = 0; i < n; ++i)
630 if (X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
631 break;
632
633 /*
634 * Final untrusted element with no issuer in the peer's chain, it may
635 * however be signed by a pkey or cert obtained via a TLSA RR.
636 */
637 if (i == n)
638 break;
639
640 /* Peer's chain contains an issuer ca. */
641 ca = sk_X509_delete(in, i);
642
643 /* If not a trust anchor, record untrusted ca and continue. */
644 if ((matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], ca,
645 depth + 1)) == 0)
646 {
647 if (grow_chain(dane, UNTRUSTED, ca))
648 {
649 if (!X509_check_issued(ca, ca) == X509_V_OK)
650 {
651 /* Restart with issuer as subject */
652 cert = ca;
653 continue;
654 }
655 /* Final self-signed element, skip ta_signed() check. */
656 cert = 0;
657 }
658 else
659 matched = -1;
660 }
661 else if(matched == MATCHED_CERT)
662 {
663 if(!wrap_cert(dane, ca, depth))
664 matched = -1;
665 }
666 else if(matched == MATCHED_PKEY)
667 {
668 if ( !(takey = X509_get_pubkey(ca))
669 || !wrap_issuer(dane, takey, cert, depth, WRAP_MID))
670 {
671 if (takey)
672 EVP_PKEY_free(takey);
673 else
674 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
675 matched = -1;
676 }
677 }
678 break;
679 }
680
681 /* Shallow free the duplicated input untrusted chain. */
682 sk_X509_free(in);
683
684 /*
685 * When the loop exits, if "cert" is set, it is not self-signed and has
686 * no issuer in the chain, we check for a possible signature via a DNS
687 * obtained TA cert or public key.
688 */
689 if (matched == 0 && cert)
690 matched = ta_signed(dane, cert, depth);
691
692 return matched;
693 }
694
695 static int
696 check_end_entity(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
697 {
698 int matched;
699
700 matched = match(dane->selectors[DANESSL_USAGE_DANE_EE], cert, 0);
701 if (matched > 0)
702 {
703 dane->mdpth = 0;
704 dane->match = cert;
705 X509_up_ref(cert);
706 if(!ctx->chain)
707 {
708 if ( (ctx->chain = sk_X509_new_null()) != 0
709 && sk_X509_push(ctx->chain, cert))
710 X509_up_ref(cert);
711 else
712 {
713 DANEerr(DANESSL_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE);
714 return -1;
715 }
716 }
717 }
718 return matched;
719 }
720
721 static int
722 match_name(const char *certid, ssl_dane *dane)
723 {
724 int multi = dane->multi;
725 dane_host_list hosts;
726
727 for (hosts = dane->hosts; hosts; hosts = hosts->next)
728 {
729 int match_subdomain = 0;
730 const char *domain = hosts->value;
731 const char *parent;
732 int idlen;
733 int domlen;
734
735 if (*domain == '.' && domain[1] != '\0')
736 {
737 ++domain;
738 match_subdomain = 1;
739 }
740
741 /*
742 * Sub-domain match: certid is any sub-domain of hostname.
743 */
744 if(match_subdomain)
745 {
746 if ( (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1
747 && certid[idlen - domlen - 1] == '.'
748 && !strcasecmp(certid + (idlen - domlen), domain))
749 return 1;
750 else
751 continue;
752 }
753
754 /*
755 * Exact match and initial "*" match. The initial "*" in a certid
756 * matches one (if multi is false) or more hostname components under
757 * the condition that the certid contains multiple hostname components.
758 */
759 if ( !strcasecmp(certid, domain)
760 || ( certid[0] == '*' && certid[1] == '.' && certid[2] != 0
761 && (parent = strchr(domain, '.')) != 0
762 && (idlen = strlen(certid + 1)) <= (domlen = strlen(parent))
763 && strcasecmp(multi ? parent + domlen - idlen : parent, certid+1) == 0))
764 return 1;
765 }
766 return 0;
767 }
768
769 static char *
770 check_name(char *name, int len)
771 {
772 char *cp = name + len;
773
774 while (len > 0 && !*--cp)
775 --len; /* Ignore trailing NULs */
776 if (len <= 0)
777 return 0;
778 for (cp = name; *cp; cp++)
779 {
780 char c = *cp;
781 if (!((c >= 'a' && c <= 'z') ||
782 (c >= '0' && c <= '9') ||
783 (c >= 'A' && c <= 'Z') ||
784 (c == '.' || c == '-') ||
785 (c == '*')))
786 return 0; /* Only LDH, '.' and '*' */
787 }
788 if (cp - name != len) /* Guard against internal NULs */
789 return 0;
790 return name;
791 }
792
793 static char *
794 parse_dns_name(const GENERAL_NAME *gn)
795 {
796 if (gn->type != GEN_DNS)
797 return 0;
798 if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
799 return 0;
800 return check_name((char *) ASN1_STRING_data(gn->d.ia5),
801 ASN1_STRING_length(gn->d.ia5));
802 }
803
804 static char *
805 parse_subject_name(X509 *cert)
806 {
807 X509_NAME *name = X509_get_subject_name(cert);
808 X509_NAME_ENTRY *entry;
809 ASN1_STRING *entry_str;
810 unsigned char *namebuf;
811 int nid = NID_commonName;
812 int len;
813 int i;
814
815 if (!name || (i = X509_NAME_get_index_by_NID(name, nid, -1)) < 0)
816 return 0;
817 if (!(entry = X509_NAME_get_entry(name, i)))
818 return 0;
819 if (!(entry_str = X509_NAME_ENTRY_get_data(entry)))
820 return 0;
821
822 if ((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0)
823 return 0;
824 if (len <= 0 || check_name((char *) namebuf, len) == 0)
825 {
826 OPENSSL_free(namebuf);
827 return 0;
828 }
829 return (char *) namebuf;
830 }
831
832 static int
833 name_check(ssl_dane *dane, X509 *cert)
834 {
835 int matched = 0;
836 BOOL got_altname = FALSE;
837 GENERAL_NAMES *gens;
838
839 gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
840 if (gens)
841 {
842 int n = sk_GENERAL_NAME_num(gens);
843 int i;
844
845 for (i = 0; i < n; ++i)
846 {
847 const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
848 const char *certid;
849
850 if (gn->type != GEN_DNS)
851 continue;
852 got_altname = TRUE;
853 certid = parse_dns_name(gn);
854 if (certid && *certid)
855 {
856 if ((matched = match_name(certid, dane)) == 0)
857 continue;
858 if (!(dane->mhost = OPENSSL_strdup(certid)))
859 matched = -1;
860 DEBUG(D_tls) debug_printf("Dane name_check: matched SAN %s\n", certid);
861 break;
862 }
863 }
864 GENERAL_NAMES_free(gens);
865 }
866
867 /*
868 * XXX: Should the subjectName be skipped when *any* altnames are present,
869 * or only when DNS altnames are present?
870 */
871 if (!got_altname)
872 {
873 char *certid = parse_subject_name(cert);
874 if (certid != 0 && *certid && (matched = match_name(certid, dane)) != 0)
875 {
876 DEBUG(D_tls) debug_printf("Dane name_check: matched SN %s\n", certid);
877 dane->mhost = OPENSSL_strdup(certid);
878 }
879 if (certid)
880 OPENSSL_free(certid);
881 }
882 return matched;
883 }
884
885 static int
886 verify_chain(X509_STORE_CTX *ctx)
887 {
888 dane_selector_list issuer_rrs;
889 dane_selector_list leaf_rrs;
890 int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
891 int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
892 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
893 ssl_dane *dane = SSL_get_ex_data(ssl, dane_idx);
894 X509 *cert = ctx->cert; /* XXX: accessor? */
895 int matched = 0;
896 int chain_length = sk_X509_num(ctx->chain);
897
898 DEBUG(D_tls) debug_printf("Dane verify_chain\n");
899
900 issuer_rrs = dane->selectors[DANESSL_USAGE_PKIX_TA];
901 leaf_rrs = dane->selectors[DANESSL_USAGE_PKIX_EE];
902 ctx->verify = dane->verify;
903
904 if ((matched = name_check(dane, cert)) < 0)
905 {
906 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
907 return 0;
908 }
909
910 if (!matched)
911 {
912 ctx->error_depth = 0;
913 ctx->current_cert = cert;
914 X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
915 if (!cb(0, ctx))
916 return 0;
917 }
918 matched = 0;
919
920 /*
921 * Satisfy at least one usage 0 or 1 constraint, unless we've already
922 * matched a usage 2 trust anchor.
923 *
924 * XXX: internal_verify() doesn't callback with top certs that are not
925 * self-issued. This should be fixed in a future OpenSSL.
926 */
927 if (dane->roots && sk_X509_num(dane->roots))
928 {
929 X509 *top = sk_X509_value(ctx->chain, dane->depth);
930
931 dane->mdpth = dane->depth;
932 dane->match = top;
933 X509_up_ref(top);
934
935 #ifndef NO_CALLBACK_WORKAROUND
936 if (X509_check_issued(top, top) != X509_V_OK)
937 {
938 ctx->error_depth = dane->depth;
939 ctx->current_cert = top;
940 if (!cb(1, ctx))
941 return 0;
942 }
943 #endif
944 /* Pop synthetic trust-anchor ancestors off the chain! */
945 while (--chain_length > dane->depth)
946 X509_free(sk_X509_pop(ctx->chain));
947 }
948 else
949 {
950 int n = 0;
951 X509 *xn = cert;
952
953 /*
954 * Check for an EE match, then a CA match at depths > 0, and
955 * finally, if the EE cert is self-issued, for a depth 0 CA match.
956 */
957 if (leaf_rrs)
958 matched = match(leaf_rrs, xn, 0);
959 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched EE\n");
960
961 if (!matched && issuer_rrs)
962 for (n = chain_length-1; !matched && n >= 0; --n)
963 {
964 xn = sk_X509_value(ctx->chain, n);
965 if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
966 matched = match(issuer_rrs, xn, n);
967 }
968 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched %s\n",
969 n>0 ? "CA" : "selfisssued EE");
970
971 if (!matched)
972 {
973 ctx->current_cert = cert;
974 ctx->error_depth = 0;
975 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
976 if (!cb(0, ctx))
977 return 0;
978 }
979 else
980 {
981 dane->mdpth = n;
982 dane->match = xn;
983 X509_up_ref(xn);
984 }
985 }
986
987 return ctx->verify(ctx);
988 }
989
990 static void
991 dane_reset(ssl_dane *dane)
992 {
993 dane->depth = -1;
994 if (dane->mhost)
995 {
996 OPENSSL_free(dane->mhost);
997 dane->mhost = 0;
998 }
999 if (dane->roots)
1000 {
1001 sk_X509_pop_free(dane->roots, X509_free);
1002 dane->roots = 0;
1003 }
1004 if (dane->chain)
1005 {
1006 sk_X509_pop_free(dane->chain, X509_free);
1007 dane->chain = 0;
1008 }
1009 if (dane->match)
1010 {
1011 X509_free(dane->match);
1012 dane->match = 0;
1013 }
1014 dane->mdpth = -1;
1015 }
1016
1017 static int
1018 verify_cert(X509_STORE_CTX *ctx, void *unused_ctx)
1019 {
1020 static int ssl_idx = -1;
1021 SSL *ssl;
1022 ssl_dane *dane;
1023 int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
1024 int matched;
1025 X509 *cert = ctx->cert; /* XXX: accessor? */
1026
1027 DEBUG(D_tls) debug_printf("Dane verify_cert\n");
1028
1029 if (ssl_idx < 0)
1030 ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1031 if (dane_idx < 0)
1032 {
1033 DANEerr(DANESSL_F_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
1034 return -1;
1035 }
1036
1037 ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
1038 if (!(dane = SSL_get_ex_data(ssl, dane_idx)) || !cert)
1039 return X509_verify_cert(ctx);
1040
1041 /* Reset for verification of a new chain, perhaps a renegotiation. */
1042 dane_reset(dane);
1043
1044 if (dane->selectors[DANESSL_USAGE_DANE_EE])
1045 {
1046 if ((matched = check_end_entity(ctx, dane, cert)) > 0)
1047 {
1048 ctx->error_depth = 0;
1049 ctx->current_cert = cert;
1050 return cb(1, ctx);
1051 }
1052 if (matched < 0)
1053 {
1054 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1055 return -1;
1056 }
1057 }
1058
1059 if (dane->selectors[DANESSL_USAGE_DANE_TA])
1060 {
1061 if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
1062 {
1063 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1064 return -1;
1065 }
1066 if (matched)
1067 {
1068 /*
1069 * Check that setting the untrusted chain updates the expected
1070 * structure member at the expected offset.
1071 */
1072 X509_STORE_CTX_trusted_stack(ctx, dane->roots);
1073 X509_STORE_CTX_set_chain(ctx, dane->chain);
1074 OPENSSL_assert(ctx->untrusted == dane->chain);
1075 }
1076 }
1077
1078 /*
1079 * Name checks and usage 0/1 constraint enforcement are delayed until
1080 * X509_verify_cert() builds the full chain and calls our verify_chain()
1081 * wrapper.
1082 */
1083 dane->verify = ctx->verify;
1084 ctx->verify = verify_chain;
1085
1086 if (X509_verify_cert(ctx))
1087 return 1;
1088
1089 /*
1090 * If the chain is invalid, clear any matching cert or hostname, to
1091 * protect callers that might erroneously rely on these alone without
1092 * checking the validation status.
1093 */
1094 if (dane->match)
1095 {
1096 X509_free(dane->match);
1097 dane->match = 0;
1098 }
1099 if (dane->mhost)
1100 {
1101 OPENSSL_free(dane->mhost);
1102 dane->mhost = 0;
1103 }
1104 return 0;
1105 }
1106
1107 static dane_list
1108 list_alloc(size_t vsize)
1109 {
1110 void *value = (void *) OPENSSL_malloc(vsize);
1111 dane_list l;
1112
1113 if (!value)
1114 {
1115 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1116 return 0;
1117 }
1118 if (!(l = (dane_list) OPENSSL_malloc(sizeof(*l))))
1119 {
1120 OPENSSL_free(value);
1121 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1122 return 0;
1123 }
1124 l->next = 0;
1125 l->value = value;
1126 return l;
1127 }
1128
1129 static void
1130 list_free(void *list, void (*f)(void *))
1131 {
1132 dane_list head;
1133 dane_list next;
1134
1135 for (head = (dane_list) list; head; head = next)
1136 {
1137 next = head->next;
1138 if (f && head->value)
1139 f(head->value);
1140 OPENSSL_free(head);
1141 }
1142 }
1143
1144 static void
1145 dane_mtype_free(void *p)
1146 {
1147 list_free(((dane_mtype) p)->data, CRYPTO_free);
1148 OPENSSL_free(p);
1149 }
1150
1151 static void
1152 dane_selector_free(void *p)
1153 {
1154 list_free(((dane_selector) p)->mtype, dane_mtype_free);
1155 OPENSSL_free(p);
1156 }
1157
1158
1159
1160 /*
1161
1162 Tidy up once the connection is finished with.
1163
1164 Arguments
1165 ssl The ssl connection handle
1166
1167 => Before calling SSL_free()
1168 tls_close() and tls_getc() [the error path] are the obvious places.
1169 Could we do it earlier - right after verification? In tls_client_start()
1170 right after SSL_connect() returns, in that case.
1171
1172 */
1173
1174 void
1175 DANESSL_cleanup(SSL *ssl)
1176 {
1177 ssl_dane *dane;
1178 int u;
1179
1180 DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
1181
1182 if (dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1183 return;
1184 (void) SSL_set_ex_data(ssl, dane_idx, 0);
1185
1186 dane_reset(dane);
1187 if (dane->hosts)
1188 list_free(dane->hosts, CRYPTO_free);
1189 for (u = 0; u <= DANESSL_USAGE_LAST; ++u)
1190 if (dane->selectors[u])
1191 list_free(dane->selectors[u], dane_selector_free);
1192 if (dane->pkeys)
1193 list_free(dane->pkeys, pkey_free);
1194 if (dane->certs)
1195 list_free(dane->certs, cert_free);
1196 OPENSSL_free(dane);
1197 }
1198
1199 static dane_host_list
1200 host_list_init(const char **src)
1201 {
1202 dane_host_list head = NULL;
1203
1204 while (*src)
1205 {
1206 dane_host_list elem = (dane_host_list) OPENSSL_malloc(sizeof(*elem));
1207 if (elem == 0)
1208 {
1209 list_free(head, CRYPTO_free);
1210 return 0;
1211 }
1212 elem->value = OPENSSL_strdup(*src++);
1213 LINSERT(head, elem);
1214 }
1215 return head;
1216 }
1217
1218
1219 int
1220 DANESSL_get_match_cert(SSL *ssl, X509 **match, const char **mhost, int *depth)
1221 {
1222 ssl_dane *dane;
1223
1224 if (dane_idx < 0 || (dane = SSL_get_ex_data(ssl, dane_idx)) == 0)
1225 {
1226 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1227 return -1;
1228 }
1229
1230 if (dane->match)
1231 {
1232 if (match)
1233 *match = dane->match;
1234 if (mhost)
1235 *mhost = dane->mhost;
1236 if (depth)
1237 *depth = dane->mdpth;
1238 }
1239
1240 return (dane->match != 0);
1241 }
1242
1243
1244 #ifdef never_called
1245 int
1246 DANESSL_verify_chain(SSL *ssl, STACK_OF(X509) *chain)
1247 {
1248 int ret;
1249 X509 *cert;
1250 X509_STORE_CTX store_ctx;
1251 SSL_CTX *ssl_ctx = SSL_get_SSL_CTX(ssl);
1252 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
1253 int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1254
1255 cert = sk_X509_value(chain, 0);
1256 if (!X509_STORE_CTX_init(&store_ctx, store, cert, chain))
1257 return 0;
1258 X509_STORE_CTX_set_ex_data(&store_ctx, store_ctx_idx, ssl);
1259
1260 X509_STORE_CTX_set_default(&store_ctx,
1261 SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
1262 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&store_ctx),
1263 SSL_get0_param(ssl));
1264
1265 if (SSL_get_verify_callback(ssl))
1266 X509_STORE_CTX_set_verify_cb(&store_ctx, SSL_get_verify_callback(ssl));
1267
1268 ret = verify_cert(&store_ctx, NULL);
1269
1270 SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(&store_ctx));
1271 X509_STORE_CTX_cleanup(&store_ctx);
1272
1273 return (ret);
1274 }
1275 #endif
1276
1277
1278
1279
1280 /*
1281
1282 Call this for each TLSA record found for the target, after the
1283 DANE setup has been done on the ssl connection handle.
1284
1285 Arguments:
1286 ssl Connection handle
1287 usage TLSA record field
1288 selector TLSA record field
1289 mdname ??? message digest name?
1290 data ??? TLSA record megalump?
1291 dlen length of data
1292
1293 Return
1294 -1 on error
1295 0 action not taken
1296 1 record accepted
1297 */
1298
1299 int
1300 DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
1301 unsigned const char *data, size_t dlen)
1302 {
1303 ssl_dane *dane;
1304 dane_selector_list s = 0;
1305 dane_mtype_list m = 0;
1306 dane_data_list d = 0;
1307 dane_cert_list xlist = 0;
1308 dane_pkey_list klist = 0;
1309 const EVP_MD *md = 0;
1310
1311 DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
1312 usage, selector, mdname);
1313
1314 if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1315 {
1316 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1317 return -1;
1318 }
1319
1320 if (usage > DANESSL_USAGE_LAST)
1321 {
1322 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_USAGE);
1323 return 0;
1324 }
1325 if (selector > DANESSL_SELECTOR_LAST)
1326 {
1327 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_SELECTOR);
1328 return 0;
1329 }
1330
1331 /* Support built-in standard one-digit mtypes */
1332 if (mdname && *mdname && mdname[1] == '\0')
1333 switch (*mdname - '0')
1334 {
1335 case DANESSL_MATCHING_FULL: mdname = 0; break;
1336 case DANESSL_MATCHING_2256: mdname = "sha256"; break;
1337 case DANESSL_MATCHING_2512: mdname = "sha512"; break;
1338 }
1339 if (mdname && *mdname && (md = EVP_get_digestbyname(mdname)) == 0)
1340 {
1341 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST);
1342 return 0;
1343 }
1344 if (mdname && *mdname && dlen != EVP_MD_size(md))
1345 {
1346 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH);
1347 return 0;
1348 }
1349 if (!data)
1350 {
1351 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA);
1352 return 0;
1353 }
1354
1355 /*
1356 * Full Certificate or Public Key when NULL or empty digest name
1357 */
1358 if (!mdname || !*mdname)
1359 {
1360 X509 *x = 0;
1361 EVP_PKEY *k = 0;
1362 const unsigned char *p = data;
1363
1364 #define xklistinit(lvar, ltype, var, freeFunc) do { \
1365 (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
1366 if ((lvar) == 0) { \
1367 DANEerr(DANESSL_F_ADD_TLSA, ERR_R_MALLOC_FAILURE); \
1368 freeFunc((var)); \
1369 return 0; \
1370 } \
1371 (lvar)->next = 0; \
1372 lvar->value = var; \
1373 } while (0)
1374 #define xkfreeret(ret) do { \
1375 if (xlist) list_free(xlist, cert_free); \
1376 if (klist) list_free(klist, pkey_free); \
1377 return (ret); \
1378 } while (0)
1379
1380 switch (selector)
1381 {
1382 case DANESSL_SELECTOR_CERT:
1383 if (!d2i_X509(&x, &p, dlen) || dlen != p - data)
1384 {
1385 if (x)
1386 X509_free(x);
1387 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT);
1388 return 0;
1389 }
1390 k = X509_get_pubkey(x);
1391 EVP_PKEY_free(k);
1392 if (k == 0)
1393 {
1394 X509_free(x);
1395 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT_PKEY);
1396 return 0;
1397 }
1398 if (usage == DANESSL_USAGE_DANE_TA)
1399 xklistinit(xlist, dane_cert_list, x, X509_free);
1400 break;
1401
1402 case DANESSL_SELECTOR_SPKI:
1403 if (!d2i_PUBKEY(&k, &p, dlen) || dlen != p - data)
1404 {
1405 if (k)
1406 EVP_PKEY_free(k);
1407 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_PKEY);
1408 return 0;
1409 }
1410 if (usage == DANESSL_USAGE_DANE_TA)
1411 xklistinit(klist, dane_pkey_list, k, EVP_PKEY_free);
1412 break;
1413 }
1414 }
1415
1416 /* Find insertion point and don't add duplicate elements. */
1417 for (s = dane->selectors[usage]; s; s = s->next)
1418 if (s->value->selector == selector)
1419 {
1420 for (m = s->value->mtype; m; m = m->next)
1421 if (m->value->md == md)
1422 {
1423 for (d = m->value->data; d; d = d->next)
1424 if ( d->value->datalen == dlen
1425 && memcmp(d->value->data, data, dlen) == 0)
1426 xkfreeret(1);
1427 break;
1428 }
1429 break;
1430 }
1431
1432 if ((d = (dane_data_list) list_alloc(sizeof(*d->value) + dlen)) == 0)
1433 xkfreeret(0);
1434 d->value->datalen = dlen;
1435 memcpy(d->value->data, data, dlen);
1436 if (!m)
1437 {
1438 if ((m = (dane_mtype_list) list_alloc(sizeof(*m->value))) == 0)
1439 {
1440 list_free(d, CRYPTO_free);
1441 xkfreeret(0);
1442 }
1443 m->value->data = 0;
1444 if ((m->value->md = md) != 0)
1445 m->value->mdlen = dlen;
1446 if (!s)
1447 {
1448 if ((s = (dane_selector_list) list_alloc(sizeof(*s->value))) == 0)
1449 {
1450 list_free(m, dane_mtype_free);
1451 xkfreeret(0);
1452 }
1453 s->value->mtype = 0;
1454 s->value->selector = selector;
1455 LINSERT(dane->selectors[usage], s);
1456 }
1457 LINSERT(s->value->mtype, m);
1458 }
1459 LINSERT(m->value->data, d);
1460
1461 if (xlist)
1462 LINSERT(dane->certs, xlist);
1463 else if (klist)
1464 LINSERT(dane->pkeys, klist);
1465 ++dane->count;
1466 return 1;
1467 }
1468
1469
1470
1471
1472 /*
1473 Call this once we have an ssl connection handle but before
1474 making the TLS connection.
1475
1476 => In tls_client_start() after the call to SSL_new()
1477 and before the call to SSL_connect(). Exactly where
1478 probably does not matter.
1479 We probably want to keep our existing SNI handling;
1480 call this with NULL.
1481
1482 Arguments:
1483 ssl Connection handle
1484 sni_domain Optional peer server name
1485 hostnames list of names to chack against peer cert
1486
1487 Return
1488 -1 on fatal error
1489 0 nonfatal error
1490 1 success
1491 */
1492
1493 int
1494 DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
1495 {
1496 ssl_dane *dane;
1497 int i;
1498
1499 DEBUG(D_tls) debug_printf("Dane ssl_init\n");
1500 if (dane_idx < 0)
1501 {
1502 DANEerr(DANESSL_F_INIT, DANESSL_R_LIBRARY_INIT);
1503 return -1;
1504 }
1505
1506 if (sni_domain && !SSL_set_tlsext_host_name(ssl, sni_domain))
1507 return 0;
1508
1509 if ((dane = (ssl_dane *) OPENSSL_malloc(sizeof(ssl_dane))) == 0)
1510 {
1511 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1512 return 0;
1513 }
1514 if (!SSL_set_ex_data(ssl, dane_idx, dane))
1515 {
1516 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1517 OPENSSL_free(dane);
1518 return 0;
1519 }
1520
1521 dane->verify = 0;
1522 dane->hosts = 0;
1523 dane->thost = 0;
1524 dane->pkeys = 0;
1525 dane->certs = 0;
1526 dane->chain = 0;
1527 dane->match = 0;
1528 dane->roots = 0;
1529 dane->depth = -1;
1530 dane->mhost = 0; /* Future SSL control interface */
1531 dane->mdpth = 0; /* Future SSL control interface */
1532 dane->multi = 0; /* Future SSL control interface */
1533 dane->count = 0;
1534 dane->hosts = 0;
1535
1536 for (i = 0; i <= DANESSL_USAGE_LAST; ++i)
1537 dane->selectors[i] = 0;
1538
1539 if (hostnames && (dane->hosts = host_list_init(hostnames)) == 0)
1540 {
1541 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1542 DANESSL_cleanup(ssl);
1543 return 0;
1544 }
1545
1546 return 1;
1547 }
1548
1549
1550 /*
1551
1552 Call this once we have a context to work with, but
1553 before DANESSL_init()
1554
1555 => in tls_client_start(), after tls_init() call gives us the ctx,
1556 if we decide we want to (policy) and can (TLSA records available)
1557 replacing (? what about fallback) everything from testing tls_verify_hosts
1558 down to just before calling SSL_new() for the conn handle.
1559
1560 Arguments
1561 ctx SSL context
1562
1563 Return
1564 -1 Error
1565 1 Success
1566 */
1567
1568 int
1569 DANESSL_CTX_init(SSL_CTX *ctx)
1570 {
1571 DEBUG(D_tls) debug_printf("Dane ctx-init\n");
1572 if (dane_idx >= 0)
1573 {
1574 SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
1575 return 1;
1576 }
1577 DANEerr(DANESSL_F_CTX_INIT, DANESSL_R_LIBRARY_INIT);
1578 return -1;
1579 }
1580
1581 static int
1582 init_once(volatile int *value, int (*init)(void), void (*postinit)(void))
1583 {
1584 int wlock = 0;
1585
1586 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
1587 if (*value < 0)
1588 {
1589 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1590 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1591 wlock = 1;
1592 if (*value < 0)
1593 {
1594 *value = init();
1595 if (postinit)
1596 postinit();
1597 }
1598 }
1599 if (wlock)
1600 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1601 else
1602 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1603 return *value;
1604 }
1605
1606 static void
1607 dane_init(void)
1608 {
1609 /*
1610 * Store library id in zeroth function slot, used to locate the library
1611 * name. This must be done before we load the error strings.
1612 */
1613 #ifndef OPENSSL_NO_ERR
1614 dane_str_functs[0].error |= ERR_PACK(err_lib_dane, 0, 0);
1615 ERR_load_strings(err_lib_dane, dane_str_functs);
1616 ERR_load_strings(err_lib_dane, dane_str_reasons);
1617 #endif
1618
1619 /*
1620 * Register SHA-2 digests, if implemented and not already registered.
1621 */
1622 #if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
1623 if (!EVP_get_digestbyname(LN_sha224)) EVP_add_digest(EVP_sha224());
1624 if (!EVP_get_digestbyname(LN_sha256)) EVP_add_digest(EVP_sha256());
1625 #endif
1626 #if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
1627 if (!EVP_get_digestbyname(LN_sha384)) EVP_add_digest(EVP_sha384());
1628 if (!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
1629 #endif
1630
1631 /*
1632 * Register an SSL index for the connection-specific ssl_dane structure.
1633 * Using a separate index makes it possible to add DANE support to
1634 * existing OpenSSL releases that don't have a suitable pointer in the
1635 * SSL structure.
1636 */
1637 dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
1638 }
1639
1640
1641
1642 /*
1643
1644 Call this once. Probably early in startup will do; may need
1645 to be after SSL library init.
1646
1647 => put after call to tls_init() for now
1648
1649 Return
1650 1 Success
1651 0 Fail
1652 */
1653
1654 int
1655 DANESSL_library_init(void)
1656 {
1657 DEBUG(D_tls) debug_printf("Dane lib-init\n");
1658 if (err_lib_dane < 0)
1659 init_once(&err_lib_dane, ERR_get_next_error_library, dane_init);
1660
1661 #if defined(LN_sha256)
1662 /* No DANE without SHA256 support */
1663 if (dane_idx >= 0 && EVP_get_digestbyname(LN_sha256) != 0)
1664 return 1;
1665 #endif
1666 DANEerr(DANESSL_F_LIBRARY_INIT, DANESSL_R_SUPPORT);
1667 return 0;
1668 }
1669
1670
1671 #endif /* OPENSSL_VERSION_NUMBER */
1672 /* vi: aw ai sw=2
1673 */
Unnamed repository; edit this file 'description' to name the repository.