projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
DANE: do not override a cert verify failure, in callback. Also fix some test mistakes
[exim.git] / src / src / dane-openssl.c
1 /*
2 * Author: Viktor Dukhovni
3 * License: THIS CODE IS IN THE PUBLIC DOMAIN.
4 */
5 #include <stdio.h>
6 #include <string.h>
7 #include <stdint.h>
8
9 #include <openssl/opensslv.h>
10 #include <openssl/err.h>
11 #include <openssl/crypto.h>
12 #include <openssl/safestack.h>
13 #include <openssl/objects.h>
14 #include <openssl/x509.h>
15 #include <openssl/x509v3.h>
16 #include <openssl/evp.h>
17 #include <openssl/bn.h>
18
19 #if OPENSSL_VERSION_NUMBER < 0x1000000fL
20 # error "OpenSSL 1.0.0 or higher required"
21 #else /* remainder of file */
22
23 #if OPENSSL_VERSION_NUMBER < 0x10100000L
24 #define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
25 #endif
26
27 #include "danessl.h"
28
29 #define DANESSL_F_ADD_SKID 100
30 #define DANESSL_F_ADD_TLSA 101
31 #define DANESSL_F_CHECK_END_ENTITY 102
32 #define DANESSL_F_CTX_INIT 103
33 #define DANESSL_F_GROW_CHAIN 104
34 #define DANESSL_F_INIT 105
35 #define DANESSL_F_LIBRARY_INIT 106
36 #define DANESSL_F_LIST_ALLOC 107
37 #define DANESSL_F_MATCH 108
38 #define DANESSL_F_PUSH_EXT 109
39 #define DANESSL_F_SET_TRUST_ANCHOR 110
40 #define DANESSL_F_VERIFY_CERT 111
41 #define DANESSL_F_WRAP_CERT 112
42
43 #define DANESSL_R_BAD_CERT 100
44 #define DANESSL_R_BAD_CERT_PKEY 101
45 #define DANESSL_R_BAD_DATA_LENGTH 102
46 #define DANESSL_R_BAD_DIGEST 103
47 #define DANESSL_R_BAD_NULL_DATA 104
48 #define DANESSL_R_BAD_PKEY 105
49 #define DANESSL_R_BAD_SELECTOR 106
50 #define DANESSL_R_BAD_USAGE 107
51 #define DANESSL_R_INIT 108
52 #define DANESSL_R_LIBRARY_INIT 109
53 #define DANESSL_R_NOSIGN_KEY 110
54 #define DANESSL_R_SCTX_INIT 111
55 #define DANESSL_R_SUPPORT 112
56
57 #ifndef OPENSSL_NO_ERR
58 #define DANESSL_F_PLACEHOLDER 0 /* FIRST! Value TBD */
59 static ERR_STRING_DATA dane_str_functs[] = {
60 {DANESSL_F_PLACEHOLDER, "DANE library"}, /* FIRST!!! */
61 {DANESSL_F_ADD_SKID, "add_skid"},
62 {DANESSL_F_ADD_TLSA, "DANESSL_add_tlsa"},
63 {DANESSL_F_CHECK_END_ENTITY, "check_end_entity"},
64 {DANESSL_F_CTX_INIT, "DANESSL_CTX_init"},
65 {DANESSL_F_GROW_CHAIN, "grow_chain"},
66 {DANESSL_F_INIT, "DANESSL_init"},
67 {DANESSL_F_LIBRARY_INIT, "DANESSL_library_init"},
68 {DANESSL_F_LIST_ALLOC, "list_alloc"},
69 {DANESSL_F_MATCH, "match"},
70 {DANESSL_F_PUSH_EXT, "push_ext"},
71 {DANESSL_F_SET_TRUST_ANCHOR, "set_trust_anchor"},
72 {DANESSL_F_VERIFY_CERT, "verify_cert"},
73 {DANESSL_F_WRAP_CERT, "wrap_cert"},
74 {0, NULL}
75 };
76 static ERR_STRING_DATA dane_str_reasons[] = {
77 {DANESSL_R_BAD_CERT, "Bad TLSA record certificate"},
78 {DANESSL_R_BAD_CERT_PKEY, "Bad TLSA record certificate public key"},
79 {DANESSL_R_BAD_DATA_LENGTH, "Bad TLSA record digest length"},
80 {DANESSL_R_BAD_DIGEST, "Bad TLSA record digest"},
81 {DANESSL_R_BAD_NULL_DATA, "Bad TLSA record null data"},
82 {DANESSL_R_BAD_PKEY, "Bad TLSA record public key"},
83 {DANESSL_R_BAD_SELECTOR, "Bad TLSA record selector"},
84 {DANESSL_R_BAD_USAGE, "Bad TLSA record usage"},
85 {DANESSL_R_INIT, "DANESSL_init() required"},
86 {DANESSL_R_LIBRARY_INIT, "DANESSL_library_init() required"},
87 {DANESSL_R_NOSIGN_KEY, "Certificate usage 2 requires EC support"},
88 {DANESSL_R_SCTX_INIT, "DANESSL_CTX_init() required"},
89 {DANESSL_R_SUPPORT, "DANE library features not supported"},
90 {0, NULL}
91 };
92 #endif
93
94 #define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
95
96 static int err_lib_dane = -1;
97 static int dane_idx = -1;
98
99 #ifdef X509_V_FLAG_PARTIAL_CHAIN /* OpenSSL >= 1.0.2 */
100 static int wrap_to_root = 0;
101 #else
102 static int wrap_to_root = 1;
103 #endif
104
105 static void (*cert_free)(void *) = (void (*)(void *)) X509_free;
106 static void (*pkey_free)(void *) = (void (*)(void *)) EVP_PKEY_free;
107
108 typedef struct dane_list
109 {
110 struct dane_list *next;
111 void *value;
112 } *dane_list;
113
114 #define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0)
115
116 typedef struct dane_host_list
117 {
118 struct dane_host_list *next;
119 char *value;
120 } *dane_host_list;
121
122 typedef struct dane_data
123 {
124 size_t datalen;
125 unsigned char data[0];
126 } *dane_data;
127
128 typedef struct dane_data_list
129 {
130 struct dane_data_list *next;
131 dane_data value;
132 } *dane_data_list;
133
134 typedef struct dane_mtype
135 {
136 int mdlen;
137 const EVP_MD *md;
138 dane_data_list data;
139 } *dane_mtype;
140
141 typedef struct dane_mtype_list
142 {
143 struct dane_mtype_list *next;
144 dane_mtype value;
145 } *dane_mtype_list;
146
147 typedef struct dane_selector
148 {
149 uint8_t selector;
150 dane_mtype_list mtype;
151 } *dane_selector;
152
153 typedef struct dane_selector_list
154 {
155 struct dane_selector_list *next;
156 dane_selector value;
157 } *dane_selector_list;
158
159 typedef struct dane_pkey_list
160 {
161 struct dane_pkey_list *next;
162 EVP_PKEY *value;
163 } *dane_pkey_list;
164
165 typedef struct dane_cert_list
166 {
167 struct dane_cert_list *next;
168 X509 *value;
169 } *dane_cert_list;
170
171 typedef struct ssl_dane
172 {
173 int (*verify)(X509_STORE_CTX *);
174 STACK_OF(X509) *roots;
175 STACK_OF(X509) *chain;
176 X509 *match; /* Matched cert */
177 const char *thost; /* TLSA base domain */
178 char *mhost; /* Matched peer name */
179 dane_pkey_list pkeys;
180 dane_cert_list certs;
181 dane_host_list hosts;
182 dane_selector_list selectors[DANESSL_USAGE_LAST + 1];
183 int depth;
184 int mdpth; /* Depth of matched cert */
185 int multi; /* Multi-label wildcards? */
186 int count; /* Number of TLSA records */
187 } ssl_dane;
188
189 #ifndef X509_V_ERR_HOSTNAME_MISMATCH
190 # define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION
191 #endif
192
193
194
195 static int
196 match(dane_selector_list slist, X509 *cert, int depth)
197 {
198 int matched;
199
200 /*
201 * Note, set_trust_anchor() needs to know whether the match was for a
202 * pkey digest or a certificate digest. We return MATCHED_PKEY or
203 * MATCHED_CERT accordingly.
204 */
205 #define MATCHED_CERT (DANESSL_SELECTOR_CERT + 1)
206 #define MATCHED_PKEY (DANESSL_SELECTOR_SPKI + 1)
207
208 /*
209 * Loop over each selector, mtype, and associated data element looking
210 * for a match.
211 */
212 for (matched = 0; !matched && slist; slist = slist->next)
213 {
214 dane_mtype_list m;
215 unsigned char mdbuf[EVP_MAX_MD_SIZE];
216 unsigned char *buf = NULL;
217 unsigned char *buf2;
218 unsigned int len = 0;
219
220 /*
221 * Extract ASN.1 DER form of certificate or public key.
222 */
223 switch(slist->value->selector)
224 {
225 case DANESSL_SELECTOR_CERT:
226 len = i2d_X509(cert, NULL);
227 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
228 if(buf) i2d_X509(cert, &buf2);
229 break;
230 case DANESSL_SELECTOR_SPKI:
231 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
232 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
233 if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2);
234 break;
235 }
236
237 if (!buf)
238 {
239 DANEerr(DANESSL_F_MATCH, ERR_R_MALLOC_FAILURE);
240 return 0;
241 }
242 OPENSSL_assert(buf2 - buf == len);
243
244 /*
245 * Loop over each mtype and data element
246 */
247 for (m = slist->value->mtype; !matched && m; m = m->next)
248 {
249 dane_data_list d;
250 unsigned char *cmpbuf = buf;
251 unsigned int cmplen = len;
252
253 /*
254 * If it is a digest, compute the corresponding digest of the
255 * DER data for comparison, otherwise, use the full object.
256 */
257 if (m->value->md)
258 {
259 cmpbuf = mdbuf;
260 if (!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
261 matched = -1;
262 }
263 for (d = m->value->data; !matched && d; d = d->next)
264 if ( cmplen == d->value->datalen
265 && memcmp(cmpbuf, d->value->data, cmplen) == 0)
266 matched = slist->value->selector + 1;
267 }
268
269 OPENSSL_free(buf);
270 }
271
272 return matched;
273 }
274
275 static int
276 push_ext(X509 *cert, X509_EXTENSION *ext)
277 {
278 if (ext) {
279 if (X509_add_ext(cert, ext, -1))
280 return 1;
281 X509_EXTENSION_free(ext);
282 }
283 DANEerr(DANESSL_F_PUSH_EXT, ERR_R_MALLOC_FAILURE);
284 return 0;
285 }
286
287 static int
288 add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
289 {
290 X509V3_CTX v3ctx;
291
292 X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
293 return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
294 }
295
296 static int
297 set_serial(X509 *cert, AUTHORITY_KEYID *akid, X509 *subject)
298 {
299 int ret = 0;
300 BIGNUM *bn;
301
302 if (akid && akid->serial)
303 return (X509_set_serialNumber(cert, akid->serial));
304
305 /*
306 * Add one to subject's serial to avoid collisions between TA serial and
307 * serial of signing root.
308 */
309 if ( (bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(subject), 0)) != 0
310 && BN_add_word(bn, 1)
311 && BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(cert)))
312 ret = 1;
313
314 if (bn)
315 BN_free(bn);
316 return ret;
317 }
318
319 static int
320 add_akid(X509 *cert, AUTHORITY_KEYID *akid)
321 {
322 int nid = NID_authority_key_identifier;
323 ASN1_STRING *id;
324 unsigned char c = 0;
325 int ret = 0;
326
327 /*
328 * 0 will never be our subject keyid from a SHA-1 hash, but it could be
329 * our subject keyid if forced from child's akid. If so, set our
330 * authority keyid to 1. This way we are never self-signed, and thus
331 * exempt from any potential (off by default for now in OpenSSL)
332 * self-signature checks!
333 */
334 id = (akid && akid->keyid) ? akid->keyid : 0;
335 if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_data(id) == c)
336 c = 1;
337
338 if ( (akid = AUTHORITY_KEYID_new()) != 0
339 && (akid->keyid = ASN1_OCTET_STRING_new()) != 0
340 && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
341 && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_APPEND))
342 ret = 1;
343 if (akid)
344 AUTHORITY_KEYID_free(akid);
345 return ret;
346 }
347
348 static int
349 add_skid(X509 *cert, AUTHORITY_KEYID *akid)
350 {
351 int nid = NID_subject_key_identifier;
352
353 if (!akid || !akid->keyid)
354 return add_ext(0, cert, nid, "hash");
355 return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_APPEND) > 0;
356 }
357
358 static X509_NAME *
359 akid_issuer_name(AUTHORITY_KEYID *akid)
360 {
361 if (akid && akid->issuer)
362 {
363 int i;
364 GENERAL_NAMES *gens = akid->issuer;
365
366 for (i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
367 {
368 GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
369
370 if (gn->type == GEN_DIRNAME)
371 return (gn->d.dirn);
372 }
373 }
374 return 0;
375 }
376
377 static int
378 set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
379 {
380 X509_NAME *name = akid_issuer_name(akid);
381
382 /*
383 * If subject's akid specifies an authority key identifer issuer name, we
384 * must use that.
385 */
386 return X509_set_issuer_name(cert,
387 name ? name : X509_get_subject_name(cert));
388 }
389
390 static int
391 grow_chain(ssl_dane *dane, int trusted, X509 *cert)
392 {
393 STACK_OF(X509) **xs = trusted ? &dane->roots : &dane->chain;
394 static ASN1_OBJECT *serverAuth = 0;
395
396 #define UNTRUSTED 0
397 #define TRUSTED 1
398
399 if ( trusted && !serverAuth
400 && !(serverAuth = OBJ_nid2obj(NID_server_auth)))
401 {
402 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
403 return 0;
404 }
405 if (!*xs && !(*xs = sk_X509_new_null()))
406 {
407 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
408 return 0;
409 }
410
411 if (cert)
412 {
413 if (trusted && !X509_add1_trust_object(cert, serverAuth))
414 return 0;
415 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
416 if (!sk_X509_push(*xs, cert))
417 {
418 X509_free(cert);
419 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
420 return 0;
421 }
422 }
423 return 1;
424 }
425
426 static int
427 wrap_issuer(ssl_dane *dane, EVP_PKEY *key, X509 *subject, int depth, int top)
428 {
429 int ret = 1;
430 X509 *cert = 0;
431 AUTHORITY_KEYID *akid;
432 X509_NAME *name = X509_get_issuer_name(subject);
433 EVP_PKEY *newkey = key ? key : X509_get_pubkey(subject);
434
435 #define WRAP_MID 0 /* Ensure intermediate. */
436 #define WRAP_TOP 1 /* Ensure self-signed. */
437
438 if (!name || !newkey || !(cert = X509_new()))
439 return 0;
440
441 /*
442 * Record the depth of the trust-anchor certificate.
443 */
444 if (dane->depth < 0)
445 dane->depth = depth + 1;
446
447 /*
448 * XXX: Uncaught error condition:
449 *
450 * The return value is NULL both when the extension is missing, and when
451 * OpenSSL rans out of memory while parsing the extension.
452 */
453 ERR_clear_error();
454 akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
455 /* XXX: Should we peek at the error stack here??? */
456
457 /*
458 * If top is true generate a self-issued root CA, otherwise an
459 * intermediate CA and possibly its self-signed issuer.
460 *
461 * CA cert valid for +/- 30 days
462 */
463 if ( !X509_set_version(cert, 2)
464 || !set_serial(cert, akid, subject)
465 || !X509_set_subject_name(cert, name)
466 || !set_issuer_name(cert, akid)
467 || !X509_gmtime_adj(X509_get_notBefore(cert), -30 * 86400L)
468 || !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L)
469 || !X509_set_pubkey(cert, newkey)
470 || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
471 || (!top && !add_akid(cert, akid))
472 || !add_skid(cert, akid)
473 || ( !top && wrap_to_root
474 && !wrap_issuer(dane, newkey, cert, depth, WRAP_TOP)))
475 ret = 0;
476
477 if (akid)
478 AUTHORITY_KEYID_free(akid);
479 if (!key)
480 EVP_PKEY_free(newkey);
481 if (ret)
482 ret = grow_chain(dane, !top && wrap_to_root ? UNTRUSTED : TRUSTED, cert);
483 if (cert)
484 X509_free(cert);
485 return ret;
486 }
487
488 static int
489 wrap_cert(ssl_dane *dane, X509 *tacert, int depth)
490 {
491 if (dane->depth < 0)
492 dane->depth = depth + 1;
493
494 /*
495 * If the TA certificate is self-issued, or need not be, use it directly.
496 * Otherwise, synthesize requisuite ancestors.
497 */
498 if ( !wrap_to_root
499 || X509_check_issued(tacert, tacert) == X509_V_OK)
500 return grow_chain(dane, TRUSTED, tacert);
501
502 if (wrap_issuer(dane, 0, tacert, depth, WRAP_MID))
503 return grow_chain(dane, UNTRUSTED, tacert);
504 return 0;
505 }
506
507 static int
508 ta_signed(ssl_dane *dane, X509 *cert, int depth)
509 {
510 dane_cert_list x;
511 dane_pkey_list k;
512 EVP_PKEY *pk;
513 int done = 0;
514
515 /*
516 * First check whether issued and signed by a TA cert, this is cheaper
517 * than the bare-public key checks below, since we can determine whether
518 * the candidate TA certificate issued the certificate to be checked
519 * first (name comparisons), before we bother with signature checks
520 * (public key operations).
521 */
522 for (x = dane->certs; !done && x; x = x->next)
523 {
524 if (X509_check_issued(x->value, cert) == X509_V_OK)
525 {
526 if (!(pk = X509_get_pubkey(x->value)))
527 {
528 /*
529 * The cert originally contained a valid pkey, which does
530 * not just vanish, so this is most likely a memory error.
531 */
532 done = -1;
533 break;
534 }
535 /* Check signature, since some other TA may work if not this. */
536 if (X509_verify(cert, pk) > 0)
537 done = wrap_cert(dane, x->value, depth) ? 1 : -1;
538 EVP_PKEY_free(pk);
539 }
540 }
541
542 /*
543 * With bare TA public keys, we can't check whether the trust chain is
544 * issued by the key, but we can determine whether it is signed by the
545 * key, so we go with that.
546 *
547 * Ideally, the corresponding certificate was presented in the chain, and we
548 * matched it by its public key digest one level up. This code is here
549 * to handle adverse conditions imposed by sloppy administrators of
550 * receiving systems with poorly constructed chains.
551 *
552 * We'd like to optimize out keys that should not match when the cert's
553 * authority key id does not match the key id of this key computed via
554 * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans
555 * ASN1 tag and length thus also excluding the unused bits field that is
556 * logically part of the length). However, some CAs have a non-standard
557 * authority keyid, so we lose. Too bad.
558 *
559 * This may push errors onto the stack when the certificate signature is
560 * not of the right type or length, throw these away,
561 */
562 for (k = dane->pkeys; !done && k; k = k->next)
563 if (X509_verify(cert, k->value) > 0)
564 done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
565 else
566 ERR_clear_error();
567
568 return done;
569 }
570
571 static int
572 set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
573 {
574 int matched = 0;
575 int n;
576 int i;
577 int depth = 0;
578 EVP_PKEY *takey;
579 X509 *ca;
580 STACK_OF(X509) *in = ctx->untrusted; /* XXX: Accessor? */
581
582 if (!grow_chain(dane, UNTRUSTED, 0))
583 return -1;
584
585 /*
586 * Accept a degenerate case: depth 0 self-signed trust-anchor.
587 */
588 if (X509_check_issued(cert, cert) == X509_V_OK)
589 {
590 dane->depth = 0;
591 matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], cert, 0);
592 if (matched > 0 && !grow_chain(dane, TRUSTED, cert))
593 matched = -1;
594 return matched;
595 }
596
597 /* Make a shallow copy of the input untrusted chain. */
598 if (!(in = sk_X509_dup(in)))
599 {
600 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
601 return -1;
602 }
603
604 /*
605 * At each iteration we consume the issuer of the current cert. This
606 * reduces the length of the "in" chain by one. If no issuer is found,
607 * we are done. We also stop when a certificate matches a TA in the
608 * peer's TLSA RRset.
609 *
610 * Caller ensures that the initial certificate is not self-signed.
611 */
612 for (n = sk_X509_num(in); n > 0; --n, ++depth)
613 {
614 for (i = 0; i < n; ++i)
615 if (X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
616 break;
617
618 /*
619 * Final untrusted element with no issuer in the peer's chain, it may
620 * however be signed by a pkey or cert obtained via a TLSA RR.
621 */
622 if (i == n)
623 break;
624
625 /* Peer's chain contains an issuer ca. */
626 ca = sk_X509_delete(in, i);
627
628 /* If not a trust anchor, record untrusted ca and continue. */
629 if ((matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], ca,
630 depth + 1)) == 0)
631 {
632 if (grow_chain(dane, UNTRUSTED, ca))
633 {
634 if (!X509_check_issued(ca, ca) == X509_V_OK)
635 {
636 /* Restart with issuer as subject */
637 cert = ca;
638 continue;
639 }
640 /* Final self-signed element, skip ta_signed() check. */
641 cert = 0;
642 }
643 else
644 matched = -1;
645 }
646 else if(matched == MATCHED_CERT)
647 {
648 if(!wrap_cert(dane, ca, depth))
649 matched = -1;
650 }
651 else if(matched == MATCHED_PKEY)
652 {
653 if ( !(takey = X509_get_pubkey(ca))
654 || !wrap_issuer(dane, takey, cert, depth, WRAP_MID))
655 {
656 if (takey)
657 EVP_PKEY_free(takey);
658 else
659 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
660 matched = -1;
661 }
662 }
663 break;
664 }
665
666 /* Shallow free the duplicated input untrusted chain. */
667 sk_X509_free(in);
668
669 /*
670 * When the loop exits, if "cert" is set, it is not self-signed and has
671 * no issuer in the chain, we check for a possible signature via a DNS
672 * obtained TA cert or public key.
673 */
674 if (matched == 0 && cert)
675 matched = ta_signed(dane, cert, depth);
676
677 return matched;
678 }
679
680 static int
681 check_end_entity(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
682 {
683 int matched;
684
685 matched = match(dane->selectors[DANESSL_USAGE_DANE_EE], cert, 0);
686 if (matched > 0)
687 {
688 dane->mdpth = 0;
689 dane->match = cert;
690 X509_up_ref(cert);
691 if(!ctx->chain)
692 {
693 if ( (ctx->chain = sk_X509_new_null()) != 0
694 && sk_X509_push(ctx->chain, cert))
695 X509_up_ref(cert);
696 else
697 {
698 DANEerr(DANESSL_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE);
699 return -1;
700 }
701 }
702 }
703 return matched;
704 }
705
706 static int
707 match_name(const char *certid, ssl_dane *dane)
708 {
709 int multi = dane->multi;
710 dane_host_list hosts;
711
712 for (hosts = dane->hosts; hosts; hosts = hosts->next)
713 {
714 int match_subdomain = 0;
715 const char *domain = hosts->value;
716 const char *parent;
717 int idlen;
718 int domlen;
719
720 if (*domain == '.' && domain[1] != '\0')
721 {
722 ++domain;
723 match_subdomain = 1;
724 }
725
726 /*
727 * Sub-domain match: certid is any sub-domain of hostname.
728 */
729 if(match_subdomain)
730 {
731 if ( (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1
732 && certid[idlen - domlen - 1] == '.'
733 && !strcasecmp(certid + (idlen - domlen), domain))
734 return 1;
735 else
736 continue;
737 }
738
739 /*
740 * Exact match and initial "*" match. The initial "*" in a certid
741 * matches one (if multi is false) or more hostname components under
742 * the condition that the certid contains multiple hostname components.
743 */
744 if ( !strcasecmp(certid, domain)
745 || ( certid[0] == '*' && certid[1] == '.' && certid[2] != 0
746 && (parent = strchr(domain, '.')) != 0
747 && (idlen = strlen(certid + 1)) <= (domlen = strlen(parent))
748 && strcasecmp(multi ? parent + domlen - idlen : parent, certid+1) == 0))
749 return 1;
750 }
751 return 0;
752 }
753
754 static char *
755 check_name(char *name, int len)
756 {
757 char *cp = name + len;
758
759 while (len > 0 && !*--cp)
760 --len; /* Ignore trailing NULs */
761 if (len <= 0)
762 return 0;
763 for (cp = name; *cp; cp++)
764 {
765 char c = *cp;
766 if (!((c >= 'a' && c <= 'z') ||
767 (c >= '0' && c <= '9') ||
768 (c >= 'A' && c <= 'Z') ||
769 (c == '.' || c == '-') ||
770 (c == '*')))
771 return 0; /* Only LDH, '.' and '*' */
772 }
773 if (cp - name != len) /* Guard against internal NULs */
774 return 0;
775 return name;
776 }
777
778 static char *
779 parse_dns_name(const GENERAL_NAME *gn)
780 {
781 if (gn->type != GEN_DNS)
782 return 0;
783 if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
784 return 0;
785 return check_name((char *) ASN1_STRING_data(gn->d.ia5),
786 ASN1_STRING_length(gn->d.ia5));
787 }
788
789 static char *
790 parse_subject_name(X509 *cert)
791 {
792 X509_NAME *name = X509_get_subject_name(cert);
793 X509_NAME_ENTRY *entry;
794 ASN1_STRING *entry_str;
795 unsigned char *namebuf;
796 int nid = NID_commonName;
797 int len;
798 int i;
799
800 if (!name || (i = X509_NAME_get_index_by_NID(name, nid, -1)) < 0)
801 return 0;
802 if (!(entry = X509_NAME_get_entry(name, i)))
803 return 0;
804 if (!(entry_str = X509_NAME_ENTRY_get_data(entry)))
805 return 0;
806
807 if ((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0)
808 return 0;
809 if (len <= 0 || check_name((char *) namebuf, len) == 0)
810 {
811 OPENSSL_free(namebuf);
812 return 0;
813 }
814 return (char *) namebuf;
815 }
816
817 static int
818 name_check(ssl_dane *dane, X509 *cert)
819 {
820 int matched = 0;
821 BOOL got_altname = FALSE;
822 GENERAL_NAMES *gens;
823
824 gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
825 if (gens)
826 {
827 int n = sk_GENERAL_NAME_num(gens);
828 int i;
829
830 for (i = 0; i < n; ++i)
831 {
832 const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
833 const char *certid;
834
835 if (gn->type != GEN_DNS)
836 continue;
837 got_altname = TRUE;
838 certid = parse_dns_name(gn);
839 if (certid && *certid)
840 {
841 if ((matched = match_name(certid, dane)) == 0)
842 continue;
843 if (!(dane->mhost = OPENSSL_strdup(certid)))
844 matched = -1;
845 DEBUG(D_tls) debug_printf("Dane name_check: matched SAN %s\n", certid);
846 break;
847 }
848 }
849 GENERAL_NAMES_free(gens);
850 }
851
852 /*
853 * XXX: Should the subjectName be skipped when *any* altnames are present,
854 * or only when DNS altnames are present?
855 */
856 if (!got_altname)
857 {
858 char *certid = parse_subject_name(cert);
859 if (certid != 0 && *certid && (matched = match_name(certid, dane)) != 0)
860 {
861 DEBUG(D_tls) debug_printf("Dane name_check: matched SN %s\n", certid);
862 dane->mhost = OPENSSL_strdup(certid);
863 }
864 if (certid)
865 OPENSSL_free(certid);
866 }
867 return matched;
868 }
869
870 static int
871 verify_chain(X509_STORE_CTX *ctx)
872 {
873 dane_selector_list issuer_rrs;
874 dane_selector_list leaf_rrs;
875 int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
876 int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
877 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
878 ssl_dane *dane = SSL_get_ex_data(ssl, dane_idx);
879 X509 *cert = ctx->cert; /* XXX: accessor? */
880 int matched = 0;
881 int chain_length = sk_X509_num(ctx->chain);
882
883 DEBUG(D_tls) debug_printf("Dane verify_chain\n");
884
885 issuer_rrs = dane->selectors[DANESSL_USAGE_PKIX_TA];
886 leaf_rrs = dane->selectors[DANESSL_USAGE_PKIX_EE];
887 ctx->verify = dane->verify;
888
889 if ((matched = name_check(dane, cert)) < 0)
890 {
891 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
892 return 0;
893 }
894
895 if (!matched)
896 {
897 ctx->error_depth = 0;
898 ctx->current_cert = cert;
899 X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
900 if (!cb(0, ctx))
901 return 0;
902 }
903 matched = 0;
904
905 /*
906 * Satisfy at least one usage 0 or 1 constraint, unless we've already
907 * matched a usage 2 trust anchor.
908 *
909 * XXX: internal_verify() doesn't callback with top certs that are not
910 * self-issued. This should be fixed in a future OpenSSL.
911 */
912 if (dane->roots && sk_X509_num(dane->roots))
913 {
914 X509 *top = sk_X509_value(ctx->chain, dane->depth);
915
916 dane->mdpth = dane->depth;
917 dane->match = top;
918 X509_up_ref(top);
919
920 #ifndef NO_CALLBACK_WORKAROUND
921 if (X509_check_issued(top, top) != X509_V_OK)
922 {
923 ctx->error_depth = dane->depth;
924 ctx->current_cert = top;
925 if (!cb(1, ctx))
926 return 0;
927 }
928 #endif
929 /* Pop synthetic trust-anchor ancestors off the chain! */
930 while (--chain_length > dane->depth)
931 X509_free(sk_X509_pop(ctx->chain));
932 }
933 else
934 {
935 int n = 0;
936 X509 *xn = cert;
937
938 /*
939 * Check for an EE match, then a CA match at depths > 0, and
940 * finally, if the EE cert is self-issued, for a depth 0 CA match.
941 */
942 if (leaf_rrs)
943 matched = match(leaf_rrs, xn, 0);
944 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched EE\n");
945
946 if (!matched && issuer_rrs)
947 for (n = chain_length-1; !matched && n >= 0; --n)
948 {
949 xn = sk_X509_value(ctx->chain, n);
950 if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
951 matched = match(issuer_rrs, xn, n);
952 }
953 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched %s\n",
954 n>0 ? "CA" : "selfisssued EE");
955
956 if (!matched)
957 {
958 ctx->current_cert = cert;
959 ctx->error_depth = 0;
960 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
961 if (!cb(0, ctx))
962 return 0;
963 }
964 else
965 {
966 dane->mdpth = n;
967 dane->match = xn;
968 X509_up_ref(xn);
969 }
970 }
971
972 return ctx->verify(ctx);
973 }
974
975 static void
976 dane_reset(ssl_dane *dane)
977 {
978 dane->depth = -1;
979 if (dane->mhost)
980 {
981 OPENSSL_free(dane->mhost);
982 dane->mhost = 0;
983 }
984 if (dane->roots)
985 {
986 sk_X509_pop_free(dane->roots, X509_free);
987 dane->roots = 0;
988 }
989 if (dane->chain)
990 {
991 sk_X509_pop_free(dane->chain, X509_free);
992 dane->chain = 0;
993 }
994 if (dane->match)
995 {
996 X509_free(dane->match);
997 dane->match = 0;
998 }
999 dane->mdpth = -1;
1000 }
1001
1002 static int
1003 verify_cert(X509_STORE_CTX *ctx, void *unused_ctx)
1004 {
1005 static int ssl_idx = -1;
1006 SSL *ssl;
1007 ssl_dane *dane;
1008 int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
1009 int matched;
1010 X509 *cert = ctx->cert; /* XXX: accessor? */
1011
1012 DEBUG(D_tls) debug_printf("Dane verify_cert\n");
1013
1014 if (ssl_idx < 0)
1015 ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1016 if (dane_idx < 0)
1017 {
1018 DANEerr(DANESSL_F_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
1019 return -1;
1020 }
1021
1022 ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
1023 if (!(dane = SSL_get_ex_data(ssl, dane_idx)) || !cert)
1024 return X509_verify_cert(ctx);
1025
1026 /* Reset for verification of a new chain, perhaps a renegotiation. */
1027 dane_reset(dane);
1028
1029 if (dane->selectors[DANESSL_USAGE_DANE_EE])
1030 {
1031 if ((matched = check_end_entity(ctx, dane, cert)) > 0)
1032 {
1033 ctx->error_depth = 0;
1034 ctx->current_cert = cert;
1035 return cb(1, ctx);
1036 }
1037 if (matched < 0)
1038 {
1039 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1040 return -1;
1041 }
1042 }
1043
1044 if (dane->selectors[DANESSL_USAGE_DANE_TA])
1045 {
1046 if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
1047 {
1048 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1049 return -1;
1050 }
1051 if (matched)
1052 {
1053 /*
1054 * Check that setting the untrusted chain updates the expected
1055 * structure member at the expected offset.
1056 */
1057 X509_STORE_CTX_trusted_stack(ctx, dane->roots);
1058 X509_STORE_CTX_set_chain(ctx, dane->chain);
1059 OPENSSL_assert(ctx->untrusted == dane->chain);
1060 }
1061 }
1062
1063 /*
1064 * Name checks and usage 0/1 constraint enforcement are delayed until
1065 * X509_verify_cert() builds the full chain and calls our verify_chain()
1066 * wrapper.
1067 */
1068 dane->verify = ctx->verify;
1069 ctx->verify = verify_chain;
1070
1071 if (X509_verify_cert(ctx))
1072 return 1;
1073
1074 /*
1075 * If the chain is invalid, clear any matching cert or hostname, to
1076 * protect callers that might erroneously rely on these alone without
1077 * checking the validation status.
1078 */
1079 if (dane->match)
1080 {
1081 X509_free(dane->match);
1082 dane->match = 0;
1083 }
1084 if (dane->mhost)
1085 {
1086 OPENSSL_free(dane->mhost);
1087 dane->mhost = 0;
1088 }
1089 return 0;
1090 }
1091
1092 static dane_list
1093 list_alloc(size_t vsize)
1094 {
1095 void *value = (void *) OPENSSL_malloc(vsize);
1096 dane_list l;
1097
1098 if (!value)
1099 {
1100 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1101 return 0;
1102 }
1103 if (!(l = (dane_list) OPENSSL_malloc(sizeof(*l))))
1104 {
1105 OPENSSL_free(value);
1106 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1107 return 0;
1108 }
1109 l->next = 0;
1110 l->value = value;
1111 return l;
1112 }
1113
1114 static void
1115 list_free(void *list, void (*f)(void *))
1116 {
1117 dane_list head;
1118 dane_list next;
1119
1120 for (head = (dane_list) list; head; head = next)
1121 {
1122 next = head->next;
1123 if (f && head->value)
1124 f(head->value);
1125 OPENSSL_free(head);
1126 }
1127 }
1128
1129 static void
1130 dane_mtype_free(void *p)
1131 {
1132 list_free(((dane_mtype) p)->data, CRYPTO_free);
1133 OPENSSL_free(p);
1134 }
1135
1136 static void
1137 dane_selector_free(void *p)
1138 {
1139 list_free(((dane_selector) p)->mtype, dane_mtype_free);
1140 OPENSSL_free(p);
1141 }
1142
1143
1144
1145 /*
1146
1147 Tidy up once the connection is finished with.
1148
1149 Arguments
1150 ssl The ssl connection handle
1151
1152 => Before calling SSL_free()
1153 tls_close() and tls_getc() [the error path] are the obvious places.
1154 Could we do it earlier - right after verification? In tls_client_start()
1155 right after SSL_connect() returns, in that case.
1156
1157 */
1158
1159 void
1160 DANESSL_cleanup(SSL *ssl)
1161 {
1162 ssl_dane *dane;
1163 int u;
1164
1165 DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
1166
1167 if (dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1168 return;
1169 (void) SSL_set_ex_data(ssl, dane_idx, 0);
1170
1171 dane_reset(dane);
1172 if (dane->hosts)
1173 list_free(dane->hosts, CRYPTO_free);
1174 for (u = 0; u <= DANESSL_USAGE_LAST; ++u)
1175 if (dane->selectors[u])
1176 list_free(dane->selectors[u], dane_selector_free);
1177 if (dane->pkeys)
1178 list_free(dane->pkeys, pkey_free);
1179 if (dane->certs)
1180 list_free(dane->certs, cert_free);
1181 OPENSSL_free(dane);
1182 }
1183
1184 static dane_host_list
1185 host_list_init(const char **src)
1186 {
1187 dane_host_list head = NULL;
1188
1189 while (*src)
1190 {
1191 dane_host_list elem = (dane_host_list) OPENSSL_malloc(sizeof(*elem));
1192 if (elem == 0)
1193 {
1194 list_free(head, CRYPTO_free);
1195 return 0;
1196 }
1197 elem->value = OPENSSL_strdup(*src++);
1198 LINSERT(head, elem);
1199 }
1200 return head;
1201 }
1202
1203
1204 int
1205 DANESSL_get_match_cert(SSL *ssl, X509 **match, const char **mhost, int *depth)
1206 {
1207 ssl_dane *dane;
1208
1209 if (dane_idx < 0 || (dane = SSL_get_ex_data(ssl, dane_idx)) == 0)
1210 {
1211 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1212 return -1;
1213 }
1214
1215 if (dane->match)
1216 {
1217 if (match)
1218 *match = dane->match;
1219 if (mhost)
1220 *mhost = dane->mhost;
1221 if (depth)
1222 *depth = dane->mdpth;
1223 }
1224
1225 return (dane->match != 0);
1226 }
1227
1228
1229 #ifdef never_called
1230 int
1231 DANESSL_verify_chain(SSL *ssl, STACK_OF(X509) *chain)
1232 {
1233 int ret;
1234 X509 *cert;
1235 X509_STORE_CTX store_ctx;
1236 SSL_CTX *ssl_ctx = SSL_get_SSL_CTX(ssl);
1237 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
1238 int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1239
1240 cert = sk_X509_value(chain, 0);
1241 if (!X509_STORE_CTX_init(&store_ctx, store, cert, chain))
1242 return 0;
1243 X509_STORE_CTX_set_ex_data(&store_ctx, store_ctx_idx, ssl);
1244
1245 X509_STORE_CTX_set_default(&store_ctx,
1246 SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
1247 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&store_ctx),
1248 SSL_get0_param(ssl));
1249
1250 if (SSL_get_verify_callback(ssl))
1251 X509_STORE_CTX_set_verify_cb(&store_ctx, SSL_get_verify_callback(ssl));
1252
1253 ret = verify_cert(&store_ctx, NULL);
1254
1255 SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(&store_ctx));
1256 X509_STORE_CTX_cleanup(&store_ctx);
1257
1258 return (ret);
1259 }
1260 #endif
1261
1262
1263
1264
1265 /*
1266
1267 Call this for each TLSA record found for the target, after the
1268 DANE setup has been done on the ssl connection handle.
1269
1270 Arguments:
1271 ssl Connection handle
1272 usage TLSA record field
1273 selector TLSA record field
1274 mdname ??? message digest name?
1275 data ??? TLSA record megalump?
1276 dlen length of data
1277
1278 Return
1279 -1 on error
1280 0 action not taken
1281 1 record accepted
1282 */
1283
1284 int
1285 DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
1286 unsigned const char *data, size_t dlen)
1287 {
1288 ssl_dane *dane;
1289 dane_selector_list s = 0;
1290 dane_mtype_list m = 0;
1291 dane_data_list d = 0;
1292 dane_cert_list xlist = 0;
1293 dane_pkey_list klist = 0;
1294 const EVP_MD *md = 0;
1295
1296 DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
1297 usage, selector, mdname);
1298
1299 if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1300 {
1301 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1302 return -1;
1303 }
1304
1305 if (usage > DANESSL_USAGE_LAST)
1306 {
1307 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_USAGE);
1308 return 0;
1309 }
1310 if (selector > DANESSL_SELECTOR_LAST)
1311 {
1312 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_SELECTOR);
1313 return 0;
1314 }
1315
1316 /* Support built-in standard one-digit mtypes */
1317 if (mdname && *mdname && mdname[1] == '\0')
1318 switch (*mdname - '0')
1319 {
1320 case DANESSL_MATCHING_FULL: mdname = 0; break;
1321 case DANESSL_MATCHING_2256: mdname = "sha256"; break;
1322 case DANESSL_MATCHING_2512: mdname = "sha512"; break;
1323 }
1324 if (mdname && *mdname && (md = EVP_get_digestbyname(mdname)) == 0)
1325 {
1326 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST);
1327 return 0;
1328 }
1329 if (mdname && *mdname && dlen != EVP_MD_size(md))
1330 {
1331 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH);
1332 return 0;
1333 }
1334 if (!data)
1335 {
1336 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA);
1337 return 0;
1338 }
1339
1340 /*
1341 * Full Certificate or Public Key when NULL or empty digest name
1342 */
1343 if (!mdname || !*mdname)
1344 {
1345 X509 *x = 0;
1346 EVP_PKEY *k = 0;
1347 const unsigned char *p = data;
1348
1349 #define xklistinit(lvar, ltype, var, freeFunc) do { \
1350 (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
1351 if ((lvar) == 0) { \
1352 DANEerr(DANESSL_F_ADD_TLSA, ERR_R_MALLOC_FAILURE); \
1353 freeFunc((var)); \
1354 return 0; \
1355 } \
1356 (lvar)->next = 0; \
1357 lvar->value = var; \
1358 } while (0)
1359 #define xkfreeret(ret) do { \
1360 if (xlist) list_free(xlist, cert_free); \
1361 if (klist) list_free(klist, pkey_free); \
1362 return (ret); \
1363 } while (0)
1364
1365 switch (selector)
1366 {
1367 case DANESSL_SELECTOR_CERT:
1368 if (!d2i_X509(&x, &p, dlen) || dlen != p - data)
1369 {
1370 if (x)
1371 X509_free(x);
1372 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT);
1373 return 0;
1374 }
1375 k = X509_get_pubkey(x);
1376 EVP_PKEY_free(k);
1377 if (k == 0)
1378 {
1379 X509_free(x);
1380 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT_PKEY);
1381 return 0;
1382 }
1383 if (usage == DANESSL_USAGE_DANE_TA)
1384 xklistinit(xlist, dane_cert_list, x, X509_free);
1385 break;
1386
1387 case DANESSL_SELECTOR_SPKI:
1388 if (!d2i_PUBKEY(&k, &p, dlen) || dlen != p - data)
1389 {
1390 if (k)
1391 EVP_PKEY_free(k);
1392 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_PKEY);
1393 return 0;
1394 }
1395 if (usage == DANESSL_USAGE_DANE_TA)
1396 xklistinit(klist, dane_pkey_list, k, EVP_PKEY_free);
1397 break;
1398 }
1399 }
1400
1401 /* Find insertion point and don't add duplicate elements. */
1402 for (s = dane->selectors[usage]; s; s = s->next)
1403 if (s->value->selector == selector)
1404 {
1405 for (m = s->value->mtype; m; m = m->next)
1406 if (m->value->md == md)
1407 {
1408 for (d = m->value->data; d; d = d->next)
1409 if ( d->value->datalen == dlen
1410 && memcmp(d->value->data, data, dlen) == 0)
1411 xkfreeret(1);
1412 break;
1413 }
1414 break;
1415 }
1416
1417 if ((d = (dane_data_list) list_alloc(sizeof(*d->value) + dlen)) == 0)
1418 xkfreeret(0);
1419 d->value->datalen = dlen;
1420 memcpy(d->value->data, data, dlen);
1421 if (!m)
1422 {
1423 if ((m = (dane_mtype_list) list_alloc(sizeof(*m->value))) == 0)
1424 {
1425 list_free(d, CRYPTO_free);
1426 xkfreeret(0);
1427 }
1428 m->value->data = 0;
1429 if ((m->value->md = md) != 0)
1430 m->value->mdlen = dlen;
1431 if (!s)
1432 {
1433 if ((s = (dane_selector_list) list_alloc(sizeof(*s->value))) == 0)
1434 {
1435 list_free(m, dane_mtype_free);
1436 xkfreeret(0);
1437 }
1438 s->value->mtype = 0;
1439 s->value->selector = selector;
1440 LINSERT(dane->selectors[usage], s);
1441 }
1442 LINSERT(s->value->mtype, m);
1443 }
1444 LINSERT(m->value->data, d);
1445
1446 if (xlist)
1447 LINSERT(dane->certs, xlist);
1448 else if (klist)
1449 LINSERT(dane->pkeys, klist);
1450 ++dane->count;
1451 return 1;
1452 }
1453
1454
1455
1456
1457 /*
1458 Call this once we have an ssl connection handle but before
1459 making the TLS connection.
1460
1461 => In tls_client_start() after the call to SSL_new()
1462 and before the call to SSL_connect(). Exactly where
1463 probably does not matter.
1464 We probably want to keep our existing SNI handling;
1465 call this with NULL.
1466
1467 Arguments:
1468 ssl Connection handle
1469 sni_domain Optional peer server name
1470 hostnames list of names to chack against peer cert
1471
1472 Return
1473 -1 on fatal error
1474 0 nonfatal error
1475 1 success
1476 */
1477
1478 int
1479 DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
1480 {
1481 ssl_dane *dane;
1482 int i;
1483
1484 DEBUG(D_tls) debug_printf("Dane ssl_init\n");
1485 if (dane_idx < 0)
1486 {
1487 DANEerr(DANESSL_F_INIT, DANESSL_R_LIBRARY_INIT);
1488 return -1;
1489 }
1490
1491 if (sni_domain && !SSL_set_tlsext_host_name(ssl, sni_domain))
1492 return 0;
1493
1494 if ((dane = (ssl_dane *) OPENSSL_malloc(sizeof(ssl_dane))) == 0)
1495 {
1496 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1497 return 0;
1498 }
1499 if (!SSL_set_ex_data(ssl, dane_idx, dane))
1500 {
1501 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1502 OPENSSL_free(dane);
1503 return 0;
1504 }
1505
1506 dane->verify = 0;
1507 dane->hosts = 0;
1508 dane->thost = 0;
1509 dane->pkeys = 0;
1510 dane->certs = 0;
1511 dane->chain = 0;
1512 dane->match = 0;
1513 dane->roots = 0;
1514 dane->depth = -1;
1515 dane->mhost = 0; /* Future SSL control interface */
1516 dane->mdpth = 0; /* Future SSL control interface */
1517 dane->multi = 0; /* Future SSL control interface */
1518 dane->count = 0;
1519 dane->hosts = 0;
1520
1521 for (i = 0; i <= DANESSL_USAGE_LAST; ++i)
1522 dane->selectors[i] = 0;
1523
1524 if (hostnames && (dane->hosts = host_list_init(hostnames)) == 0)
1525 {
1526 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1527 DANESSL_cleanup(ssl);
1528 return 0;
1529 }
1530
1531 return 1;
1532 }
1533
1534
1535 /*
1536
1537 Call this once we have a context to work with, but
1538 before DANESSL_init()
1539
1540 => in tls_client_start(), after tls_init() call gives us the ctx,
1541 if we decide we want to (policy) and can (TLSA records available)
1542 replacing (? what about fallback) everything from testing tls_verify_hosts
1543 down to just before calling SSL_new() for the conn handle.
1544
1545 Arguments
1546 ctx SSL context
1547
1548 Return
1549 -1 Error
1550 1 Success
1551 */
1552
1553 int
1554 DANESSL_CTX_init(SSL_CTX *ctx)
1555 {
1556 DEBUG(D_tls) debug_printf("Dane ctx-init\n");
1557 if (dane_idx >= 0)
1558 {
1559 SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
1560 return 1;
1561 }
1562 DANEerr(DANESSL_F_CTX_INIT, DANESSL_R_LIBRARY_INIT);
1563 return -1;
1564 }
1565
1566 static int
1567 init_once(volatile int *value, int (*init)(void), void (*postinit)(void))
1568 {
1569 int wlock = 0;
1570
1571 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
1572 if (*value < 0)
1573 {
1574 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1575 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1576 wlock = 1;
1577 if (*value < 0)
1578 {
1579 *value = init();
1580 if (postinit)
1581 postinit();
1582 }
1583 }
1584 if (wlock)
1585 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1586 else
1587 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1588 return *value;
1589 }
1590
1591 static void
1592 dane_init(void)
1593 {
1594 /*
1595 * Store library id in zeroth function slot, used to locate the library
1596 * name. This must be done before we load the error strings.
1597 */
1598 #ifndef OPENSSL_NO_ERR
1599 dane_str_functs[0].error |= ERR_PACK(err_lib_dane, 0, 0);
1600 ERR_load_strings(err_lib_dane, dane_str_functs);
1601 ERR_load_strings(err_lib_dane, dane_str_reasons);
1602 #endif
1603
1604 /*
1605 * Register SHA-2 digests, if implemented and not already registered.
1606 */
1607 #if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
1608 if (!EVP_get_digestbyname(LN_sha224)) EVP_add_digest(EVP_sha224());
1609 if (!EVP_get_digestbyname(LN_sha256)) EVP_add_digest(EVP_sha256());
1610 #endif
1611 #if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
1612 if (!EVP_get_digestbyname(LN_sha384)) EVP_add_digest(EVP_sha384());
1613 if (!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
1614 #endif
1615
1616 /*
1617 * Register an SSL index for the connection-specific ssl_dane structure.
1618 * Using a separate index makes it possible to add DANE support to
1619 * existing OpenSSL releases that don't have a suitable pointer in the
1620 * SSL structure.
1621 */
1622 dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
1623 }
1624
1625
1626
1627 /*
1628
1629 Call this once. Probably early in startup will do; may need
1630 to be after SSL library init.
1631
1632 => put after call to tls_init() for now
1633
1634 Return
1635 1 Success
1636 0 Fail
1637 */
1638
1639 int
1640 DANESSL_library_init(void)
1641 {
1642 DEBUG(D_tls) debug_printf("Dane lib-init\n");
1643 if (err_lib_dane < 0)
1644 init_once(&err_lib_dane, ERR_get_next_error_library, dane_init);
1645
1646 #if defined(LN_sha256)
1647 /* No DANE without SHA256 support */
1648 if (dane_idx >= 0 && EVP_get_digestbyname(LN_sha256) != 0)
1649 return 1;
1650 #endif
1651 DANEerr(DANESSL_F_LIBRARY_INIT, DANESSL_R_SUPPORT);
1652 return 0;
1653 }
1654
1655
1656 #endif /* OPENSSL_VERSION_NUMBER */
1657 /* vi: aw ai sw=2
1658 */
Unnamed repository; edit this file 'description' to name the repository.