DANE: current src version
[exim.git] / src / src / dane-openssl.c
1 /*
2 * Author: Viktor Dukhovni
3 * License: THIS CODE IS IN THE PUBLIC DOMAIN.
4 */
5 #include <stdio.h>
6 #include <string.h>
7 #include <stdint.h>
8
9 #include <openssl/opensslv.h>
10 #include <openssl/err.h>
11 #include <openssl/crypto.h>
12 #include <openssl/safestack.h>
13 #include <openssl/objects.h>
14 #include <openssl/x509.h>
15 #include <openssl/x509v3.h>
16 #include <openssl/evp.h>
17 #include <openssl/bn.h>
18
19 #if OPENSSL_VERSION_NUMBER < 0x1000000fL
20 # error "OpenSSL 1.0.0 or higher required"
21 #else /* remainder of file */
22
23 #if OPENSSL_VERSION_NUMBER < 0x10100000L
24 #define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
25 #endif
26
27 #include "danessl.h"
28
29 #define DANESSL_F_ADD_SKID 100
30 #define DANESSL_F_ADD_TLSA 101
31 #define DANESSL_F_CHECK_END_ENTITY 102
32 #define DANESSL_F_CTX_INIT 103
33 #define DANESSL_F_GROW_CHAIN 104
34 #define DANESSL_F_INIT 105
35 #define DANESSL_F_LIBRARY_INIT 106
36 #define DANESSL_F_LIST_ALLOC 107
37 #define DANESSL_F_MATCH 108
38 #define DANESSL_F_PUSH_EXT 109
39 #define DANESSL_F_SET_TRUST_ANCHOR 110
40 #define DANESSL_F_VERIFY_CERT 111
41 #define DANESSL_F_WRAP_CERT 112
42
43 #define DANESSL_R_BAD_CERT 100
44 #define DANESSL_R_BAD_CERT_PKEY 101
45 #define DANESSL_R_BAD_DATA_LENGTH 102
46 #define DANESSL_R_BAD_DIGEST 103
47 #define DANESSL_R_BAD_NULL_DATA 104
48 #define DANESSL_R_BAD_PKEY 105
49 #define DANESSL_R_BAD_SELECTOR 106
50 #define DANESSL_R_BAD_USAGE 107
51 #define DANESSL_R_INIT 108
52 #define DANESSL_R_LIBRARY_INIT 109
53 #define DANESSL_R_NOSIGN_KEY 110
54 #define DANESSL_R_SCTX_INIT 111
55 #define DANESSL_R_SUPPORT 112
56
57 #ifndef OPENSSL_NO_ERR
58 #define DANESSL_F_PLACEHOLDER 0 /* FIRST! Value TBD */
59 static ERR_STRING_DATA dane_str_functs[] = {
60 {DANESSL_F_PLACEHOLDER, "DANE library"}, /* FIRST!!! */
61 {DANESSL_F_ADD_SKID, "add_skid"},
62 {DANESSL_F_ADD_TLSA, "DANESSL_add_tlsa"},
63 {DANESSL_F_CHECK_END_ENTITY, "check_end_entity"},
64 {DANESSL_F_CTX_INIT, "DANESSL_CTX_init"},
65 {DANESSL_F_GROW_CHAIN, "grow_chain"},
66 {DANESSL_F_INIT, "DANESSL_init"},
67 {DANESSL_F_LIBRARY_INIT, "DANESSL_library_init"},
68 {DANESSL_F_LIST_ALLOC, "list_alloc"},
69 {DANESSL_F_MATCH, "match"},
70 {DANESSL_F_PUSH_EXT, "push_ext"},
71 {DANESSL_F_SET_TRUST_ANCHOR, "set_trust_anchor"},
72 {DANESSL_F_VERIFY_CERT, "verify_cert"},
73 {DANESSL_F_WRAP_CERT, "wrap_cert"},
74 {0, NULL}
75 };
76 static ERR_STRING_DATA dane_str_reasons[] = {
77 {DANESSL_R_BAD_CERT, "Bad TLSA record certificate"},
78 {DANESSL_R_BAD_CERT_PKEY, "Bad TLSA record certificate public key"},
79 {DANESSL_R_BAD_DATA_LENGTH, "Bad TLSA record digest length"},
80 {DANESSL_R_BAD_DIGEST, "Bad TLSA record digest"},
81 {DANESSL_R_BAD_NULL_DATA, "Bad TLSA record null data"},
82 {DANESSL_R_BAD_PKEY, "Bad TLSA record public key"},
83 {DANESSL_R_BAD_SELECTOR, "Bad TLSA record selector"},
84 {DANESSL_R_BAD_USAGE, "Bad TLSA record usage"},
85 {DANESSL_R_INIT, "DANESSL_init() required"},
86 {DANESSL_R_LIBRARY_INIT, "DANESSL_library_init() required"},
87 {DANESSL_R_NOSIGN_KEY, "Certificate usage 2 requires EC support"},
88 {DANESSL_R_SCTX_INIT, "DANESSL_CTX_init() required"},
89 {DANESSL_R_SUPPORT, "DANE library features not supported"},
90 {0, NULL}
91 };
92 #endif
93
94 #define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
95
96 static int err_lib_dane = -1;
97 static int dane_idx = -1;
98
99 #ifdef X509_V_FLAG_PARTIAL_CHAIN /* OpenSSL >= 1.0.2 */
100 static int wrap_to_root = 0;
101 #else
102 static int wrap_to_root = 1;
103 #endif
104
105 static void (*cert_free)(void *) = (void (*)(void *)) X509_free;
106 static void (*pkey_free)(void *) = (void (*)(void *)) EVP_PKEY_free;
107
108 typedef struct dane_list
109 {
110 struct dane_list *next;
111 void *value;
112 } *dane_list;
113
114 #define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0)
115
116 typedef struct dane_host_list
117 {
118 struct dane_host_list *next;
119 char *value;
120 } *dane_host_list;
121
122 typedef struct dane_data
123 {
124 size_t datalen;
125 unsigned char data[0];
126 } *dane_data;
127
128 typedef struct dane_data_list
129 {
130 struct dane_data_list *next;
131 dane_data value;
132 } *dane_data_list;
133
134 typedef struct dane_mtype
135 {
136 int mdlen;
137 const EVP_MD *md;
138 dane_data_list data;
139 } *dane_mtype;
140
141 typedef struct dane_mtype_list
142 {
143 struct dane_mtype_list *next;
144 dane_mtype value;
145 } *dane_mtype_list;
146
147 typedef struct dane_selector
148 {
149 uint8_t selector;
150 dane_mtype_list mtype;
151 } *dane_selector;
152
153 typedef struct dane_selector_list
154 {
155 struct dane_selector_list *next;
156 dane_selector value;
157 } *dane_selector_list;
158
159 typedef struct dane_pkey_list
160 {
161 struct dane_pkey_list *next;
162 EVP_PKEY *value;
163 } *dane_pkey_list;
164
165 typedef struct dane_cert_list
166 {
167 struct dane_cert_list *next;
168 X509 *value;
169 } *dane_cert_list;
170
171 typedef struct ssl_dane
172 {
173 int (*verify)(X509_STORE_CTX *);
174 STACK_OF(X509) *roots;
175 STACK_OF(X509) *chain;
176 X509 *match; /* Matched cert */
177 const char *thost; /* TLSA base domain */
178 char *mhost; /* Matched peer name */
179 dane_pkey_list pkeys;
180 dane_cert_list certs;
181 dane_host_list hosts;
182 dane_selector_list selectors[DANESSL_USAGE_LAST + 1];
183 int depth;
184 int mdpth; /* Depth of matched cert */
185 int multi; /* Multi-label wildcards? */
186 int count; /* Number of TLSA records */
187 } ssl_dane;
188
189 #ifndef X509_V_ERR_HOSTNAME_MISMATCH
190 # define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION
191 #endif
192
193 static int
194 match(dane_selector_list slist, X509 *cert, int depth)
195 {
196 int matched;
197
198 /*
199 * Note, set_trust_anchor() needs to know whether the match was for a
200 * pkey digest or a certificate digest. We return MATCHED_PKEY or
201 * MATCHED_CERT accordingly.
202 */
203 #define MATCHED_CERT (DANESSL_SELECTOR_CERT + 1)
204 #define MATCHED_PKEY (DANESSL_SELECTOR_SPKI + 1)
205
206 /*
207 * Loop over each selector, mtype, and associated data element looking
208 * for a match.
209 */
210 for (matched = 0; !matched && slist; slist = slist->next)
211 {
212 dane_mtype_list m;
213 unsigned char mdbuf[EVP_MAX_MD_SIZE];
214 unsigned char *buf = NULL;
215 unsigned char *buf2;
216 unsigned int len = 0;
217
218 /*
219 * Extract ASN.1 DER form of certificate or public key.
220 */
221 switch(slist->value->selector)
222 {
223 case DANESSL_SELECTOR_CERT:
224 len = i2d_X509(cert, NULL);
225 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
226 if(buf) i2d_X509(cert, &buf2);
227 break;
228 case DANESSL_SELECTOR_SPKI:
229 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
230 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
231 if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2);
232 break;
233 }
234
235 if (!buf)
236 {
237 DANEerr(DANESSL_F_MATCH, ERR_R_MALLOC_FAILURE);
238 return 0;
239 }
240 OPENSSL_assert(buf2 - buf == len);
241
242 /*
243 * Loop over each mtype and data element
244 */
245 for (m = slist->value->mtype; !matched && m; m = m->next)
246 {
247 dane_data_list d;
248 unsigned char *cmpbuf = buf;
249 unsigned int cmplen = len;
250
251 /*
252 * If it is a digest, compute the corresponding digest of the
253 * DER data for comparison, otherwise, use the full object.
254 */
255 if (m->value->md)
256 {
257 cmpbuf = mdbuf;
258 if (!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
259 matched = -1;
260 }
261 for (d = m->value->data; !matched && d; d = d->next)
262 if ( cmplen == d->value->datalen
263 && memcmp(cmpbuf, d->value->data, cmplen) == 0)
264 matched = slist->value->selector + 1;
265 }
266
267 OPENSSL_free(buf);
268 }
269
270 return matched;
271 }
272
273 static int
274 push_ext(X509 *cert, X509_EXTENSION *ext)
275 {
276 if (ext) {
277 if (X509_add_ext(cert, ext, -1))
278 return 1;
279 X509_EXTENSION_free(ext);
280 }
281 DANEerr(DANESSL_F_PUSH_EXT, ERR_R_MALLOC_FAILURE);
282 return 0;
283 }
284
285 static int
286 add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
287 {
288 X509V3_CTX v3ctx;
289
290 X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
291 return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
292 }
293
294 static int
295 set_serial(X509 *cert, AUTHORITY_KEYID *akid, X509 *subject)
296 {
297 int ret = 0;
298 BIGNUM *bn;
299
300 if (akid && akid->serial)
301 return (X509_set_serialNumber(cert, akid->serial));
302
303 /*
304 * Add one to subject's serial to avoid collisions between TA serial and
305 * serial of signing root.
306 */
307 if ( (bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(subject), 0)) != 0
308 && BN_add_word(bn, 1)
309 && BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(cert)))
310 ret = 1;
311
312 if (bn)
313 BN_free(bn);
314 return ret;
315 }
316
317 static int
318 add_akid(X509 *cert, AUTHORITY_KEYID *akid)
319 {
320 int nid = NID_authority_key_identifier;
321 ASN1_STRING *id;
322 unsigned char c = 0;
323 int ret = 0;
324
325 /*
326 * 0 will never be our subject keyid from a SHA-1 hash, but it could be
327 * our subject keyid if forced from child's akid. If so, set our
328 * authority keyid to 1. This way we are never self-signed, and thus
329 * exempt from any potential (off by default for now in OpenSSL)
330 * self-signature checks!
331 */
332 id = (akid && akid->keyid) ? akid->keyid : 0;
333 if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_data(id) == c)
334 c = 1;
335
336 if ( (akid = AUTHORITY_KEYID_new()) != 0
337 && (akid->keyid = ASN1_OCTET_STRING_new()) != 0
338 && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
339 && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_APPEND))
340 ret = 1;
341 if (akid)
342 AUTHORITY_KEYID_free(akid);
343 return ret;
344 }
345
346 static int
347 add_skid(X509 *cert, AUTHORITY_KEYID *akid)
348 {
349 int nid = NID_subject_key_identifier;
350
351 if (!akid || !akid->keyid)
352 return add_ext(0, cert, nid, "hash");
353 return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_APPEND) > 0;
354 }
355
356 static X509_NAME *
357 akid_issuer_name(AUTHORITY_KEYID *akid)
358 {
359 if (akid && akid->issuer)
360 {
361 int i;
362 GENERAL_NAMES *gens = akid->issuer;
363
364 for (i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
365 {
366 GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
367
368 if (gn->type == GEN_DIRNAME)
369 return (gn->d.dirn);
370 }
371 }
372 return 0;
373 }
374
375 static int
376 set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
377 {
378 X509_NAME *name = akid_issuer_name(akid);
379
380 /*
381 * If subject's akid specifies an authority key identifer issuer name, we
382 * must use that.
383 */
384 return X509_set_issuer_name(cert,
385 name ? name : X509_get_subject_name(cert));
386 }
387
388 static int
389 grow_chain(ssl_dane *dane, int trusted, X509 *cert)
390 {
391 STACK_OF(X509) **xs = trusted ? &dane->roots : &dane->chain;
392 static ASN1_OBJECT *serverAuth = 0;
393
394 #define UNTRUSTED 0
395 #define TRUSTED 1
396
397 if ( trusted && !serverAuth
398 && !(serverAuth = OBJ_nid2obj(NID_server_auth)))
399 {
400 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
401 return 0;
402 }
403 if (!*xs && !(*xs = sk_X509_new_null()))
404 {
405 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
406 return 0;
407 }
408
409 if (cert)
410 {
411 if (trusted && !X509_add1_trust_object(cert, serverAuth))
412 return 0;
413 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
414 if (!sk_X509_push(*xs, cert))
415 {
416 X509_free(cert);
417 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
418 return 0;
419 }
420 }
421 return 1;
422 }
423
424 static int
425 wrap_issuer(ssl_dane *dane, EVP_PKEY *key, X509 *subject, int depth, int top)
426 {
427 int ret = 1;
428 X509 *cert = 0;
429 AUTHORITY_KEYID *akid;
430 X509_NAME *name = X509_get_issuer_name(subject);
431 EVP_PKEY *newkey = key ? key : X509_get_pubkey(subject);
432
433 #define WRAP_MID 0 /* Ensure intermediate. */
434 #define WRAP_TOP 1 /* Ensure self-signed. */
435
436 if (!name || !newkey || !(cert = X509_new()))
437 return 0;
438
439 /*
440 * Record the depth of the trust-anchor certificate.
441 */
442 if (dane->depth < 0)
443 dane->depth = depth + 1;
444
445 /*
446 * XXX: Uncaught error condition:
447 *
448 * The return value is NULL both when the extension is missing, and when
449 * OpenSSL rans out of memory while parsing the extension.
450 */
451 ERR_clear_error();
452 akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
453 /* XXX: Should we peek at the error stack here??? */
454
455 /*
456 * If top is true generate a self-issued root CA, otherwise an
457 * intermediate CA and possibly its self-signed issuer.
458 *
459 * CA cert valid for +/- 30 days
460 */
461 if ( !X509_set_version(cert, 2)
462 || !set_serial(cert, akid, subject)
463 || !X509_set_subject_name(cert, name)
464 || !set_issuer_name(cert, akid)
465 || !X509_gmtime_adj(X509_get_notBefore(cert), -30 * 86400L)
466 || !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L)
467 || !X509_set_pubkey(cert, newkey)
468 || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
469 || (!top && !add_akid(cert, akid))
470 || !add_skid(cert, akid)
471 || ( !top && wrap_to_root
472 && !wrap_issuer(dane, newkey, cert, depth, WRAP_TOP)))
473 ret = 0;
474
475 if (akid)
476 AUTHORITY_KEYID_free(akid);
477 if (!key)
478 EVP_PKEY_free(newkey);
479 if (ret)
480 ret = grow_chain(dane, !top && wrap_to_root ? UNTRUSTED : TRUSTED, cert);
481 if (cert)
482 X509_free(cert);
483 return ret;
484 }
485
486 static int
487 wrap_cert(ssl_dane *dane, X509 *tacert, int depth)
488 {
489 if (dane->depth < 0)
490 dane->depth = depth + 1;
491
492 /*
493 * If the TA certificate is self-issued, or need not be, use it directly.
494 * Otherwise, synthesize requisuite ancestors.
495 */
496 if ( !wrap_to_root
497 || X509_check_issued(tacert, tacert) == X509_V_OK)
498 return grow_chain(dane, TRUSTED, tacert);
499
500 if (wrap_issuer(dane, 0, tacert, depth, WRAP_MID))
501 return grow_chain(dane, UNTRUSTED, tacert);
502 return 0;
503 }
504
505 static int
506 ta_signed(ssl_dane *dane, X509 *cert, int depth)
507 {
508 dane_cert_list x;
509 dane_pkey_list k;
510 EVP_PKEY *pk;
511 int done = 0;
512
513 /*
514 * First check whether issued and signed by a TA cert, this is cheaper
515 * than the bare-public key checks below, since we can determine whether
516 * the candidate TA certificate issued the certificate to be checked
517 * first (name comparisons), before we bother with signature checks
518 * (public key operations).
519 */
520 for (x = dane->certs; !done && x; x = x->next)
521 {
522 if (X509_check_issued(x->value, cert) == X509_V_OK)
523 {
524 if (!(pk = X509_get_pubkey(x->value)))
525 {
526 /*
527 * The cert originally contained a valid pkey, which does
528 * not just vanish, so this is most likely a memory error.
529 */
530 done = -1;
531 break;
532 }
533 /* Check signature, since some other TA may work if not this. */
534 if (X509_verify(cert, pk) > 0)
535 done = wrap_cert(dane, x->value, depth) ? 1 : -1;
536 EVP_PKEY_free(pk);
537 }
538 }
539
540 /*
541 * With bare TA public keys, we can't check whether the trust chain is
542 * issued by the key, but we can determine whether it is signed by the
543 * key, so we go with that.
544 *
545 * Ideally, the corresponding certificate was presented in the chain, and we
546 * matched it by its public key digest one level up. This code is here
547 * to handle adverse conditions imposed by sloppy administrators of
548 * receiving systems with poorly constructed chains.
549 *
550 * We'd like to optimize out keys that should not match when the cert's
551 * authority key id does not match the key id of this key computed via
552 * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans
553 * ASN1 tag and length thus also excluding the unused bits field that is
554 * logically part of the length). However, some CAs have a non-standard
555 * authority keyid, so we lose. Too bad.
556 *
557 * This may push errors onto the stack when the certificate signature is
558 * not of the right type or length, throw these away,
559 */
560 for (k = dane->pkeys; !done && k; k = k->next)
561 if (X509_verify(cert, k->value) > 0)
562 done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
563 else
564 ERR_clear_error();
565
566 return done;
567 }
568
569 static int
570 set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
571 {
572 int matched = 0;
573 int n;
574 int i;
575 int depth = 0;
576 EVP_PKEY *takey;
577 X509 *ca;
578 STACK_OF(X509) *in = ctx->untrusted; /* XXX: Accessor? */
579
580 if (!grow_chain(dane, UNTRUSTED, 0))
581 return -1;
582
583 /*
584 * Accept a degenerate case: depth 0 self-signed trust-anchor.
585 */
586 if (X509_check_issued(cert, cert) == X509_V_OK)
587 {
588 dane->depth = 0;
589 matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], cert, 0);
590 if (matched > 0 && !grow_chain(dane, TRUSTED, cert))
591 matched = -1;
592 return matched;
593 }
594
595 /* Make a shallow copy of the input untrusted chain. */
596 if (!(in = sk_X509_dup(in)))
597 {
598 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
599 return -1;
600 }
601
602 /*
603 * At each iteration we consume the issuer of the current cert. This
604 * reduces the length of the "in" chain by one. If no issuer is found,
605 * we are done. We also stop when a certificate matches a TA in the
606 * peer's TLSA RRset.
607 *
608 * Caller ensures that the initial certificate is not self-signed.
609 */
610 for (n = sk_X509_num(in); n > 0; --n, ++depth)
611 {
612 for (i = 0; i < n; ++i)
613 if (X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
614 break;
615
616 /*
617 * Final untrusted element with no issuer in the peer's chain, it may
618 * however be signed by a pkey or cert obtained via a TLSA RR.
619 */
620 if (i == n)
621 break;
622
623 /* Peer's chain contains an issuer ca. */
624 ca = sk_X509_delete(in, i);
625
626 /* If not a trust anchor, record untrusted ca and continue. */
627 if ((matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], ca,
628 depth + 1)) == 0)
629 {
630 if (grow_chain(dane, UNTRUSTED, ca))
631 {
632 if (!X509_check_issued(ca, ca) == X509_V_OK)
633 {
634 /* Restart with issuer as subject */
635 cert = ca;
636 continue;
637 }
638 /* Final self-signed element, skip ta_signed() check. */
639 cert = 0;
640 }
641 else
642 matched = -1;
643 }
644 else if(matched == MATCHED_CERT)
645 {
646 if(!wrap_cert(dane, ca, depth))
647 matched = -1;
648 }
649 else if(matched == MATCHED_PKEY)
650 {
651 if ( !(takey = X509_get_pubkey(ca))
652 || !wrap_issuer(dane, takey, cert, depth, WRAP_MID))
653 {
654 if (takey)
655 EVP_PKEY_free(takey);
656 else
657 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
658 matched = -1;
659 }
660 }
661 break;
662 }
663
664 /* Shallow free the duplicated input untrusted chain. */
665 sk_X509_free(in);
666
667 /*
668 * When the loop exits, if "cert" is set, it is not self-signed and has
669 * no issuer in the chain, we check for a possible signature via a DNS
670 * obtained TA cert or public key.
671 */
672 if (matched == 0 && cert)
673 matched = ta_signed(dane, cert, depth);
674
675 return matched;
676 }
677
678 static int
679 check_end_entity(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
680 {
681 int matched;
682
683 matched = match(dane->selectors[DANESSL_USAGE_DANE_EE], cert, 0);
684 if (matched > 0)
685 {
686 dane->mdpth = 0;
687 dane->match = cert;
688 X509_up_ref(cert);
689 if(!ctx->chain)
690 {
691 if ( (ctx->chain = sk_X509_new_null()) != 0
692 && sk_X509_push(ctx->chain, cert))
693 X509_up_ref(cert);
694 else
695 {
696 DANEerr(DANESSL_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE);
697 return -1;
698 }
699 }
700 }
701 return matched;
702 }
703
704 static int
705 match_name(const char *certid, ssl_dane *dane)
706 {
707 int multi = dane->multi;
708 dane_host_list hosts;
709
710 for (hosts = dane->hosts; hosts; hosts = hosts->next)
711 {
712 int match_subdomain = 0;
713 const char *domain = hosts->value;
714 const char *parent;
715 int idlen;
716 int domlen;
717
718 if (*domain == '.' && domain[1] != '\0')
719 {
720 ++domain;
721 match_subdomain = 1;
722 }
723
724 /*
725 * Sub-domain match: certid is any sub-domain of hostname.
726 */
727 if(match_subdomain)
728 {
729 if ( (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1
730 && certid[idlen - domlen - 1] == '.'
731 && !strcasecmp(certid + (idlen - domlen), domain))
732 return 1;
733 else
734 continue;
735 }
736
737 /*
738 * Exact match and initial "*" match. The initial "*" in a certid
739 * matches one (if multi is false) or more hostname components under
740 * the condition that the certid contains multiple hostname components.
741 */
742 if ( !strcasecmp(certid, domain)
743 || ( certid[0] == '*' && certid[1] == '.' && certid[2] != 0
744 && (parent = strchr(domain, '.')) != 0
745 && (idlen = strlen(certid + 1)) <= (domlen = strlen(parent))
746 && strcasecmp(multi ? parent + domlen - idlen : parent, certid+1) == 0))
747 return 1;
748 }
749 return 0;
750 }
751
752 static char *
753 check_name(char *name, int len)
754 {
755 char *cp = name + len;
756
757 while (len > 0 && !*--cp)
758 --len; /* Ignore trailing NULs */
759 if (len <= 0)
760 return 0;
761 for (cp = name; *cp; cp++)
762 {
763 char c = *cp;
764 if (!((c >= 'a' && c <= 'z') ||
765 (c >= '0' && c <= '9') ||
766 (c >= 'A' && c <= 'Z') ||
767 (c == '.' || c == '-') ||
768 (c == '*')))
769 return 0; /* Only LDH, '.' and '*' */
770 }
771 if (cp - name != len) /* Guard against internal NULs */
772 return 0;
773 return name;
774 }
775
776 static char *
777 parse_dns_name(const GENERAL_NAME *gn)
778 {
779 if (gn->type != GEN_DNS)
780 return 0;
781 if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
782 return 0;
783 return check_name((char *) ASN1_STRING_data(gn->d.ia5),
784 ASN1_STRING_length(gn->d.ia5));
785 }
786
787 static char *
788 parse_subject_name(X509 *cert)
789 {
790 X509_NAME *name = X509_get_subject_name(cert);
791 X509_NAME_ENTRY *entry;
792 ASN1_STRING *entry_str;
793 unsigned char *namebuf;
794 int nid = NID_commonName;
795 int len;
796 int i;
797
798 if (!name || (i = X509_NAME_get_index_by_NID(name, nid, -1)) < 0)
799 return 0;
800 if (!(entry = X509_NAME_get_entry(name, i)))
801 return 0;
802 if (!(entry_str = X509_NAME_ENTRY_get_data(entry)))
803 return 0;
804
805 if ((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0)
806 return 0;
807 if (len <= 0 || check_name((char *) namebuf, len) == 0)
808 {
809 OPENSSL_free(namebuf);
810 return 0;
811 }
812 return (char *) namebuf;
813 }
814
815 static int
816 name_check(ssl_dane *dane, X509 *cert)
817 {
818 int matched = 0;
819 BOOL got_altname = FALSE;
820 GENERAL_NAMES *gens;
821
822 gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
823 if (gens)
824 {
825 int n = sk_GENERAL_NAME_num(gens);
826 int i;
827
828 for (i = 0; i < n; ++i)
829 {
830 const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
831 const char *certid;
832
833 if (gn->type != GEN_DNS)
834 continue;
835 got_altname = TRUE;
836 certid = parse_dns_name(gn);
837 if (certid && *certid)
838 {
839 if ((matched = match_name(certid, dane)) == 0)
840 continue;
841 if (!(dane->mhost = OPENSSL_strdup(certid)))
842 matched = -1;
843 break;
844 }
845 }
846 GENERAL_NAMES_free(gens);
847 }
848
849 /*
850 * XXX: Should the subjectName be skipped when *any* altnames are present,
851 * or only when DNS altnames are present?
852 */
853 if (got_altname == 0)
854 {
855 char *certid = parse_subject_name(cert);
856 if (certid != 0 && *certid
857 && (matched = match_name(certid, dane)) != 0)
858 dane->mhost = OPENSSL_strdup(certid);
859 if (certid)
860 OPENSSL_free(certid);
861 }
862 return matched;
863 }
864
865 static int
866 verify_chain(X509_STORE_CTX *ctx)
867 {
868 dane_selector_list issuer_rrs;
869 dane_selector_list leaf_rrs;
870 int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
871 int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
872 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
873 ssl_dane *dane = SSL_get_ex_data(ssl, dane_idx);
874 X509 *cert = ctx->cert; /* XXX: accessor? */
875 int matched = 0;
876 int chain_length = sk_X509_num(ctx->chain);
877
878 DEBUG(D_tls) debug_printf("Dane verify-chain\n");
879
880 issuer_rrs = dane->selectors[DANESSL_USAGE_PKIX_TA];
881 leaf_rrs = dane->selectors[DANESSL_USAGE_PKIX_EE];
882 ctx->verify = dane->verify;
883
884 if ((matched = name_check(dane, cert)) < 0)
885 {
886 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
887 return 0;
888 }
889
890 if (!matched)
891 {
892 ctx->error_depth = 0;
893 ctx->current_cert = cert;
894 X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
895 if (!cb(0, ctx))
896 return 0;
897 }
898 matched = 0;
899
900 /*
901 * Satisfy at least one usage 0 or 1 constraint, unless we've already
902 * matched a usage 2 trust anchor.
903 *
904 * XXX: internal_verify() doesn't callback with top certs that are not
905 * self-issued. This should be fixed in a future OpenSSL.
906 */
907 if (dane->roots && sk_X509_num(dane->roots))
908 {
909 X509 *top = sk_X509_value(ctx->chain, dane->depth);
910
911 dane->mdpth = dane->depth;
912 dane->match = top;
913 X509_up_ref(top);
914
915 #ifndef NO_CALLBACK_WORKAROUND
916 if (X509_check_issued(top, top) != X509_V_OK)
917 {
918 ctx->error_depth = dane->depth;
919 ctx->current_cert = top;
920 if (!cb(1, ctx))
921 return 0;
922 }
923 #endif
924 /* Pop synthetic trust-anchor ancestors off the chain! */
925 while (--chain_length > dane->depth)
926 X509_free(sk_X509_pop(ctx->chain));
927 }
928 else
929 {
930 int n = 0;
931 X509 *xn = cert;
932
933 /*
934 * Check for an EE match, then a CA match at depths > 0, and
935 * finally, if the EE cert is self-issued, for a depth 0 CA match.
936 */
937 if (leaf_rrs)
938 matched = match(leaf_rrs, xn, 0);
939 if (issuer_rrs)
940 {
941 for (n = chain_length-1; !matched && n >= 0; --n)
942 {
943 xn = sk_X509_value(ctx->chain, n);
944 if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
945 matched = match(issuer_rrs, xn, n);
946 }
947 }
948
949 if (!matched)
950 {
951 ctx->current_cert = cert;
952 ctx->error_depth = 0;
953 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
954 if (!cb(0, ctx))
955 return 0;
956 }
957 else
958 {
959 dane->mdpth = n;
960 dane->match = xn;
961 X509_up_ref(xn);
962 }
963 }
964
965 return ctx->verify(ctx);
966 }
967
968 static void
969 dane_reset(ssl_dane *dane)
970 {
971 dane->depth = -1;
972 if (dane->mhost)
973 {
974 OPENSSL_free(dane->mhost);
975 dane->mhost = 0;
976 }
977 if (dane->roots)
978 {
979 sk_X509_pop_free(dane->roots, X509_free);
980 dane->roots = 0;
981 }
982 if (dane->chain)
983 {
984 sk_X509_pop_free(dane->chain, X509_free);
985 dane->chain = 0;
986 }
987 if (dane->match)
988 {
989 X509_free(dane->match);
990 dane->match = 0;
991 }
992 dane->mdpth = -1;
993 }
994
995 static int
996 verify_cert(X509_STORE_CTX *ctx, void *unused_ctx)
997 {
998 static int ssl_idx = -1;
999 SSL *ssl;
1000 ssl_dane *dane;
1001 int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
1002 int matched;
1003 X509 *cert = ctx->cert; /* XXX: accessor? */
1004
1005 DEBUG(D_tls) debug_printf("Dane verify-cert\n");
1006
1007 if (ssl_idx < 0)
1008 ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1009 if (dane_idx < 0)
1010 {
1011 DANEerr(DANESSL_F_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
1012 return -1;
1013 }
1014
1015 ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
1016 if (!(dane = SSL_get_ex_data(ssl, dane_idx)) || !cert)
1017 return X509_verify_cert(ctx);
1018
1019 /* Reset for verification of a new chain, perhaps a renegotiation. */
1020 dane_reset(dane);
1021
1022 if (dane->selectors[DANESSL_USAGE_DANE_EE])
1023 {
1024 if ((matched = check_end_entity(ctx, dane, cert)) > 0)
1025 {
1026 ctx->error_depth = 0;
1027 ctx->current_cert = cert;
1028 return cb(1, ctx);
1029 }
1030 if (matched < 0)
1031 {
1032 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1033 return -1;
1034 }
1035 }
1036
1037 if (dane->selectors[DANESSL_USAGE_DANE_TA])
1038 {
1039 if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
1040 {
1041 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1042 return -1;
1043 }
1044 if (matched)
1045 {
1046 /*
1047 * Check that setting the untrusted chain updates the expected
1048 * structure member at the expected offset.
1049 */
1050 X509_STORE_CTX_trusted_stack(ctx, dane->roots);
1051 X509_STORE_CTX_set_chain(ctx, dane->chain);
1052 OPENSSL_assert(ctx->untrusted == dane->chain);
1053 }
1054 }
1055
1056 /*
1057 * Name checks and usage 0/1 constraint enforcement are delayed until
1058 * X509_verify_cert() builds the full chain and calls our verify_chain()
1059 * wrapper.
1060 */
1061 dane->verify = ctx->verify;
1062 ctx->verify = verify_chain;
1063
1064 if (X509_verify_cert(ctx))
1065 return 1;
1066
1067 /*
1068 * If the chain is invalid, clear any matching cert or hostname, to
1069 * protect callers that might erroneously rely on these alone without
1070 * checking the validation status.
1071 */
1072 if (dane->match)
1073 {
1074 X509_free(dane->match);
1075 dane->match = 0;
1076 }
1077 if (dane->mhost)
1078 {
1079 OPENSSL_free(dane->mhost);
1080 dane->mhost = 0;
1081 }
1082 return 0;
1083 }
1084
1085 static dane_list
1086 list_alloc(size_t vsize)
1087 {
1088 void *value = (void *) OPENSSL_malloc(vsize);
1089 dane_list l;
1090
1091 if (!value)
1092 {
1093 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1094 return 0;
1095 }
1096 if (!(l = (dane_list) OPENSSL_malloc(sizeof(*l))))
1097 {
1098 OPENSSL_free(value);
1099 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1100 return 0;
1101 }
1102 l->next = 0;
1103 l->value = value;
1104 return l;
1105 }
1106
1107 static void
1108 list_free(void *list, void (*f)(void *))
1109 {
1110 dane_list head;
1111 dane_list next;
1112
1113 for (head = (dane_list) list; head; head = next)
1114 {
1115 next = head->next;
1116 if (f && head->value)
1117 f(head->value);
1118 OPENSSL_free(head);
1119 }
1120 }
1121
1122 static void
1123 dane_mtype_free(void *p)
1124 {
1125 list_free(((dane_mtype) p)->data, CRYPTO_free);
1126 OPENSSL_free(p);
1127 }
1128
1129 static void
1130 dane_selector_free(void *p)
1131 {
1132 list_free(((dane_selector) p)->mtype, dane_mtype_free);
1133 OPENSSL_free(p);
1134 }
1135
1136
1137
1138 /*
1139
1140 Tidy up once the connection is finished with.
1141
1142 Arguments
1143 ssl The ssl connection handle
1144
1145 => Before calling SSL_free()
1146 tls_close() and tls_getc() [the error path] are the obvious places.
1147 Could we do it earlier - right after verification? In tls_client_start()
1148 right after SSL_connect() returns, in that case.
1149
1150 */
1151
1152 void
1153 DANESSL_cleanup(SSL *ssl)
1154 {
1155 ssl_dane *dane;
1156 int u;
1157
1158 DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
1159
1160 if (dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1161 return;
1162 (void) SSL_set_ex_data(ssl, dane_idx, 0);
1163
1164 dane_reset(dane);
1165 if (dane->hosts)
1166 list_free(dane->hosts, CRYPTO_free);
1167 for (u = 0; u <= DANESSL_USAGE_LAST; ++u)
1168 if (dane->selectors[u])
1169 list_free(dane->selectors[u], dane_selector_free);
1170 if (dane->pkeys)
1171 list_free(dane->pkeys, pkey_free);
1172 if (dane->certs)
1173 list_free(dane->certs, cert_free);
1174 OPENSSL_free(dane);
1175 }
1176
1177 static dane_host_list
1178 host_list_init(const char **src)
1179 {
1180 dane_host_list head = NULL;
1181
1182 while (*src)
1183 {
1184 dane_host_list elem = (dane_host_list) OPENSSL_malloc(sizeof(*elem));
1185 if (elem == 0)
1186 {
1187 list_free(head, CRYPTO_free);
1188 return 0;
1189 }
1190 elem->value = OPENSSL_strdup(*src++);
1191 LINSERT(head, elem);
1192 }
1193 return head;
1194 }
1195
1196
1197 int
1198 DANESSL_get_match_cert(SSL *ssl, X509 **match, const char **mhost, int *depth)
1199 {
1200 ssl_dane *dane;
1201
1202 if (dane_idx < 0 || (dane = SSL_get_ex_data(ssl, dane_idx)) == 0)
1203 {
1204 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1205 return -1;
1206 }
1207
1208 if (dane->match)
1209 {
1210 if (match)
1211 *match = dane->match;
1212 if (mhost)
1213 *mhost = dane->mhost;
1214 if (depth)
1215 *depth = dane->mdpth;
1216 }
1217
1218 return (dane->match != 0);
1219 }
1220
1221
1222 #ifdef never_called
1223 int
1224 DANESSL_verify_chain(SSL *ssl, STACK_OF(X509) *chain)
1225 {
1226 int ret;
1227 X509 *cert;
1228 X509_STORE_CTX store_ctx;
1229 SSL_CTX *ssl_ctx = SSL_get_SSL_CTX(ssl);
1230 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
1231 int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1232
1233 cert = sk_X509_value(chain, 0);
1234 if (!X509_STORE_CTX_init(&store_ctx, store, cert, chain))
1235 return 0;
1236 X509_STORE_CTX_set_ex_data(&store_ctx, store_ctx_idx, ssl);
1237
1238 X509_STORE_CTX_set_default(&store_ctx,
1239 SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
1240 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&store_ctx),
1241 SSL_get0_param(ssl));
1242
1243 if (SSL_get_verify_callback(ssl))
1244 X509_STORE_CTX_set_verify_cb(&store_ctx, SSL_get_verify_callback(ssl));
1245
1246 ret = verify_cert(&store_ctx, NULL);
1247
1248 SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(&store_ctx));
1249 X509_STORE_CTX_cleanup(&store_ctx);
1250
1251 return (ret);
1252 }
1253 #endif
1254
1255
1256
1257
1258 /*
1259
1260 Call this for each TLSA record found for the target, after the
1261 DANE setup has been done on the ssl connection handle.
1262
1263 Arguments:
1264 ssl Connection handle
1265 usage TLSA record field
1266 selector TLSA record field
1267 mdname ??? message digest name?
1268 data ??? TLSA record megalump?
1269 dlen length of data
1270
1271 Return
1272 -1 on error
1273 0 action not taken
1274 1 record accepted
1275 */
1276
1277 int
1278 DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
1279 unsigned const char *data, size_t dlen)
1280 {
1281 ssl_dane *dane;
1282 dane_selector_list s = 0;
1283 dane_mtype_list m = 0;
1284 dane_data_list d = 0;
1285 dane_cert_list xlist = 0;
1286 dane_pkey_list klist = 0;
1287 const EVP_MD *md = 0;
1288
1289 DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
1290 usage, selector, mdname);
1291
1292 if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1293 {
1294 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1295 return -1;
1296 }
1297
1298 if (usage > DANESSL_USAGE_LAST)
1299 {
1300 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_USAGE);
1301 return 0;
1302 }
1303 if (selector > DANESSL_SELECTOR_LAST)
1304 {
1305 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_SELECTOR);
1306 return 0;
1307 }
1308
1309 /* Support built-in standard one-digit mtypes */
1310 if (mdname && *mdname && mdname[1] == '\0')
1311 switch (*mdname - '0')
1312 {
1313 case DANESSL_MATCHING_FULL: mdname = 0; break;
1314 case DANESSL_MATCHING_2256: mdname = "sha256"; break;
1315 case DANESSL_MATCHING_2512: mdname = "sha512"; break;
1316 }
1317 if (mdname && *mdname && (md = EVP_get_digestbyname(mdname)) == 0)
1318 {
1319 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST);
1320 return 0;
1321 }
1322 if (mdname && *mdname && dlen != EVP_MD_size(md))
1323 {
1324 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH);
1325 return 0;
1326 }
1327 if (!data)
1328 {
1329 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA);
1330 return 0;
1331 }
1332
1333 /*
1334 * Full Certificate or Public Key when NULL or empty digest name
1335 */
1336 if (!mdname || !*mdname)
1337 {
1338 X509 *x = 0;
1339 EVP_PKEY *k = 0;
1340 const unsigned char *p = data;
1341
1342 #define xklistinit(lvar, ltype, var, freeFunc) do { \
1343 (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
1344 if ((lvar) == 0) { \
1345 DANEerr(DANESSL_F_ADD_TLSA, ERR_R_MALLOC_FAILURE); \
1346 freeFunc((var)); \
1347 return 0; \
1348 } \
1349 (lvar)->next = 0; \
1350 lvar->value = var; \
1351 } while (0)
1352 #define xkfreeret(ret) do { \
1353 if (xlist) list_free(xlist, cert_free); \
1354 if (klist) list_free(klist, pkey_free); \
1355 return (ret); \
1356 } while (0)
1357
1358 switch (selector)
1359 {
1360 case DANESSL_SELECTOR_CERT:
1361 if (!d2i_X509(&x, &p, dlen) || dlen != p - data)
1362 {
1363 if (x)
1364 X509_free(x);
1365 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT);
1366 return 0;
1367 }
1368 k = X509_get_pubkey(x);
1369 EVP_PKEY_free(k);
1370 if (k == 0)
1371 {
1372 X509_free(x);
1373 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT_PKEY);
1374 return 0;
1375 }
1376 if (usage == DANESSL_USAGE_DANE_TA)
1377 xklistinit(xlist, dane_cert_list, x, X509_free);
1378 break;
1379
1380 case DANESSL_SELECTOR_SPKI:
1381 if (!d2i_PUBKEY(&k, &p, dlen) || dlen != p - data)
1382 {
1383 if (k)
1384 EVP_PKEY_free(k);
1385 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_PKEY);
1386 return 0;
1387 }
1388 if (usage == DANESSL_USAGE_DANE_TA)
1389 xklistinit(klist, dane_pkey_list, k, EVP_PKEY_free);
1390 break;
1391 }
1392 }
1393
1394 /* Find insertion point and don't add duplicate elements. */
1395 for (s = dane->selectors[usage]; s; s = s->next)
1396 if (s->value->selector == selector)
1397 {
1398 for (m = s->value->mtype; m; m = m->next)
1399 if (m->value->md == md)
1400 {
1401 for (d = m->value->data; d; d = d->next)
1402 if ( d->value->datalen == dlen
1403 && memcmp(d->value->data, data, dlen) == 0)
1404 xkfreeret(1);
1405 break;
1406 }
1407 break;
1408 }
1409
1410 if ((d = (dane_data_list) list_alloc(sizeof(*d->value) + dlen)) == 0)
1411 xkfreeret(0);
1412 d->value->datalen = dlen;
1413 memcpy(d->value->data, data, dlen);
1414 if (!m)
1415 {
1416 if ((m = (dane_mtype_list) list_alloc(sizeof(*m->value))) == 0)
1417 {
1418 list_free(d, CRYPTO_free);
1419 xkfreeret(0);
1420 }
1421 m->value->data = 0;
1422 if ((m->value->md = md) != 0)
1423 m->value->mdlen = dlen;
1424 if (!s)
1425 {
1426 if ((s = (dane_selector_list) list_alloc(sizeof(*s->value))) == 0)
1427 {
1428 list_free(m, dane_mtype_free);
1429 xkfreeret(0);
1430 }
1431 s->value->mtype = 0;
1432 s->value->selector = selector;
1433 LINSERT(dane->selectors[usage], s);
1434 }
1435 LINSERT(s->value->mtype, m);
1436 }
1437 LINSERT(m->value->data, d);
1438
1439 if (xlist)
1440 LINSERT(dane->certs, xlist);
1441 else if (klist)
1442 LINSERT(dane->pkeys, klist);
1443 ++dane->count;
1444 return 1;
1445 }
1446
1447
1448
1449
1450 /*
1451 Call this once we have an ssl connection handle but before
1452 making the TLS connection.
1453
1454 => In tls_client_start() after the call to SSL_new()
1455 and before the call to SSL_connect(). Exactly where
1456 probably does not matter.
1457 We probably want to keep our existing SNI handling;
1458 call this with NULL.
1459
1460 Arguments:
1461 ssl Connection handle
1462 sni_domain Optional peer server name
1463 hostnames list of names to chack against peer cert
1464
1465 Return
1466 -1 on fatal error
1467 0 nonfatal error
1468 1 success
1469 */
1470
1471 int
1472 DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
1473 {
1474 ssl_dane *dane;
1475 int i;
1476
1477 DEBUG(D_tls) debug_printf("Dane ssl_init\n");
1478 if (dane_idx < 0)
1479 {
1480 DANEerr(DANESSL_F_INIT, DANESSL_R_LIBRARY_INIT);
1481 return -1;
1482 }
1483
1484 if (sni_domain && !SSL_set_tlsext_host_name(ssl, sni_domain))
1485 return 0;
1486
1487 if ((dane = (ssl_dane *) OPENSSL_malloc(sizeof(ssl_dane))) == 0)
1488 {
1489 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1490 return 0;
1491 }
1492 if (!SSL_set_ex_data(ssl, dane_idx, dane))
1493 {
1494 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1495 OPENSSL_free(dane);
1496 return 0;
1497 }
1498
1499 dane->verify = 0;
1500 dane->hosts = 0;
1501 dane->thost = 0;
1502 dane->pkeys = 0;
1503 dane->certs = 0;
1504 dane->chain = 0;
1505 dane->match = 0;
1506 dane->roots = 0;
1507 dane->depth = -1;
1508 dane->mhost = 0; /* Future SSL control interface */
1509 dane->mdpth = 0; /* Future SSL control interface */
1510 dane->multi = 0; /* Future SSL control interface */
1511 dane->count = 0;
1512 dane->hosts = 0;
1513
1514 for (i = 0; i <= DANESSL_USAGE_LAST; ++i)
1515 dane->selectors[i] = 0;
1516
1517 if (hostnames && (dane->hosts = host_list_init(hostnames)) == 0)
1518 {
1519 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1520 DANESSL_cleanup(ssl);
1521 return 0;
1522 }
1523
1524 return 1;
1525 }
1526
1527
1528 /*
1529
1530 Call this once we have a context to work with, but
1531 before DANESSL_init()
1532
1533 => in tls_client_start(), after tls_init() call gives us the ctx,
1534 if we decide we want to (policy) and can (TLSA records available)
1535 replacing (? what about fallback) everything from testing tls_verify_hosts
1536 down to just before calling SSL_new() for the conn handle.
1537
1538 Arguments
1539 ctx SSL context
1540
1541 Return
1542 -1 Error
1543 1 Success
1544 */
1545
1546 int
1547 DANESSL_CTX_init(SSL_CTX *ctx)
1548 {
1549 DEBUG(D_tls) debug_printf("Dane ctx-init\n");
1550 if (dane_idx >= 0)
1551 {
1552 SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
1553 return 1;
1554 }
1555 DANEerr(DANESSL_F_CTX_INIT, DANESSL_R_LIBRARY_INIT);
1556 return -1;
1557 }
1558
1559 static int
1560 init_once(volatile int *value, int (*init)(void), void (*postinit)(void))
1561 {
1562 int wlock = 0;
1563
1564 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
1565 if (*value < 0)
1566 {
1567 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1568 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1569 wlock = 1;
1570 if (*value < 0)
1571 {
1572 *value = init();
1573 if (postinit)
1574 postinit();
1575 }
1576 }
1577 if (wlock)
1578 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1579 else
1580 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1581 return *value;
1582 }
1583
1584 static void
1585 dane_init(void)
1586 {
1587 /*
1588 * Store library id in zeroth function slot, used to locate the library
1589 * name. This must be done before we load the error strings.
1590 */
1591 #ifndef OPENSSL_NO_ERR
1592 dane_str_functs[0].error |= ERR_PACK(err_lib_dane, 0, 0);
1593 ERR_load_strings(err_lib_dane, dane_str_functs);
1594 ERR_load_strings(err_lib_dane, dane_str_reasons);
1595 #endif
1596
1597 /*
1598 * Register SHA-2 digests, if implemented and not already registered.
1599 */
1600 #if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
1601 if (!EVP_get_digestbyname(LN_sha224)) EVP_add_digest(EVP_sha224());
1602 if (!EVP_get_digestbyname(LN_sha256)) EVP_add_digest(EVP_sha256());
1603 #endif
1604 #if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
1605 if (!EVP_get_digestbyname(LN_sha384)) EVP_add_digest(EVP_sha384());
1606 if (!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
1607 #endif
1608
1609 /*
1610 * Register an SSL index for the connection-specific ssl_dane structure.
1611 * Using a separate index makes it possible to add DANE support to
1612 * existing OpenSSL releases that don't have a suitable pointer in the
1613 * SSL structure.
1614 */
1615 dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
1616 }
1617
1618
1619
1620 /*
1621
1622 Call this once. Probably early in startup will do; may need
1623 to be after SSL library init.
1624
1625 => put after call to tls_init() for now
1626
1627 Return
1628 1 Success
1629 0 Fail
1630 */
1631
1632 int
1633 DANESSL_library_init(void)
1634 {
1635 DEBUG(D_tls) debug_printf("Dane lib-init\n");
1636 if (err_lib_dane < 0)
1637 init_once(&err_lib_dane, ERR_get_next_error_library, dane_init);
1638
1639 #if defined(LN_sha256)
1640 /* No DANE without SHA256 support */
1641 if (dane_idx >= 0 && EVP_get_digestbyname(LN_sha256) != 0)
1642 return 1;
1643 #endif
1644 DANEerr(DANESSL_F_LIBRARY_INIT, DANESSL_R_SUPPORT);
1645 return 0;
1646 }
1647
1648
1649 #endif /* OPENSSL_VERSION_NUMBER */
1650 /* vi: aw ai sw=2
1651 */