2 * Author: Viktor Dukhovni
3 * License: THIS CODE IS IN THE PUBLIC DOMAIN.
5 * Copyright (c) The Exim Maintainers 2014 - 2016
11 #include <openssl/opensslv.h>
12 #include <openssl/err.h>
13 #include <openssl/crypto.h>
14 #include <openssl/safestack.h>
15 #include <openssl/objects.h>
16 #include <openssl/x509.h>
17 #include <openssl/x509v3.h>
18 #include <openssl/evp.h>
19 #include <openssl/bn.h>
21 #if OPENSSL_VERSION_NUMBER < 0x1000000fL
22 # error "OpenSSL 1.0.0 or higher required"
25 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
26 # define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
28 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
29 # define EXIM_HAVE_ASN1_MACROS
30 # define EXIM_OPAQUE_X509
32 # define X509_STORE_CTX_get_verify(ctx) (ctx)->verify
33 # define X509_STORE_CTX_get_verify_cb(ctx) (ctx)->verify_cb
34 # define X509_STORE_CTX_get0_cert(ctx) (ctx)->cert
35 # define X509_STORE_CTX_get0_chain(ctx) (ctx)->chain
36 # define X509_STORE_CTX_get0_untrusted(ctx) (ctx)->untrusted
38 # define X509_STORE_CTX_set_verify(ctx, verify_chain) (ctx)->verify = (verify_chain)
39 # define X509_STORE_CTX_set0_verified_chain(ctx, sk) (ctx)->chain = (sk)
40 # define X509_STORE_CTX_set_error_depth(ctx, val) (ctx)->error_depth = (val)
41 # define X509_STORE_CTX_set_current_cert(ctx, cert) (ctx)->current_cert = (cert)
43 # define ASN1_STRING_get0_data ASN1_STRING_data
44 # define X509_getm_notBefore X509_get_notBefore
45 # define X509_getm_notAfter X509_get_notAfter
47 # define CRYPTO_ONCE_STATIC_INIT 0
48 # define CRYPTO_THREAD_run_once run_once
49 typedef int CRYPTO_ONCE;
55 #define DANESSL_F_ADD_SKID 100
56 #define DANESSL_F_ADD_TLSA 101
57 #define DANESSL_F_CHECK_END_ENTITY 102
58 #define DANESSL_F_CTX_INIT 103
59 #define DANESSL_F_GROW_CHAIN 104
60 #define DANESSL_F_INIT 105
61 #define DANESSL_F_LIBRARY_INIT 106
62 #define DANESSL_F_LIST_ALLOC 107
63 #define DANESSL_F_MATCH 108
64 #define DANESSL_F_PUSH_EXT 109
65 #define DANESSL_F_SET_TRUST_ANCHOR 110
66 #define DANESSL_F_VERIFY_CERT 111
67 #define DANESSL_F_WRAP_CERT 112
68 #define DANESSL_F_DANESSL_VERIFY_CHAIN 113
70 #define DANESSL_R_BAD_CERT 100
71 #define DANESSL_R_BAD_CERT_PKEY 101
72 #define DANESSL_R_BAD_DATA_LENGTH 102
73 #define DANESSL_R_BAD_DIGEST 103
74 #define DANESSL_R_BAD_NULL_DATA 104
75 #define DANESSL_R_BAD_PKEY 105
76 #define DANESSL_R_BAD_SELECTOR 106
77 #define DANESSL_R_BAD_USAGE 107
78 #define DANESSL_R_INIT 108
79 #define DANESSL_R_LIBRARY_INIT 109
80 #define DANESSL_R_NOSIGN_KEY 110
81 #define DANESSL_R_SCTX_INIT 111
82 #define DANESSL_R_SUPPORT 112
84 #ifndef OPENSSL_NO_ERR
85 #define DANESSL_F_PLACEHOLDER 0 /* FIRST! Value TBD */
86 static ERR_STRING_DATA dane_str_functs[] = {
88 {DANESSL_F_PLACEHOLDER, "DANE library"}, /* FIRST!!! */
89 {DANESSL_F_ADD_SKID, "add_skid"},
90 {DANESSL_F_ADD_TLSA, "DANESSL_add_tlsa"},
91 {DANESSL_F_CHECK_END_ENTITY, "check_end_entity"},
92 {DANESSL_F_CTX_INIT, "DANESSL_CTX_init"},
93 {DANESSL_F_GROW_CHAIN, "grow_chain"},
94 {DANESSL_F_INIT, "DANESSL_init"},
95 {DANESSL_F_LIBRARY_INIT, "DANESSL_library_init"},
96 {DANESSL_F_LIST_ALLOC, "list_alloc"},
97 {DANESSL_F_MATCH, "match"},
98 {DANESSL_F_PUSH_EXT, "push_ext"},
99 {DANESSL_F_SET_TRUST_ANCHOR, "set_trust_anchor"},
100 {DANESSL_F_VERIFY_CERT, "verify_cert"},
101 {DANESSL_F_WRAP_CERT, "wrap_cert"},
104 static ERR_STRING_DATA dane_str_reasons[] = {
106 {DANESSL_R_BAD_CERT, "Bad TLSA record certificate"},
107 {DANESSL_R_BAD_CERT_PKEY, "Bad TLSA record certificate public key"},
108 {DANESSL_R_BAD_DATA_LENGTH, "Bad TLSA record digest length"},
109 {DANESSL_R_BAD_DIGEST, "Bad TLSA record digest"},
110 {DANESSL_R_BAD_NULL_DATA, "Bad TLSA record null data"},
111 {DANESSL_R_BAD_PKEY, "Bad TLSA record public key"},
112 {DANESSL_R_BAD_SELECTOR, "Bad TLSA record selector"},
113 {DANESSL_R_BAD_USAGE, "Bad TLSA record usage"},
114 {DANESSL_R_INIT, "DANESSL_init() required"},
115 {DANESSL_R_LIBRARY_INIT, "DANESSL_library_init() required"},
116 {DANESSL_R_NOSIGN_KEY, "Certificate usage 2 requires EC support"},
117 {DANESSL_R_SCTX_INIT, "DANESSL_CTX_init() required"},
118 {DANESSL_R_SUPPORT, "DANE library features not supported"},
123 #define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
125 static int err_lib_dane = -1;
126 static int dane_idx = -1;
128 #ifdef X509_V_FLAG_PARTIAL_CHAIN /* OpenSSL >= 1.0.2 */
129 static int wrap_to_root = 0;
131 static int wrap_to_root = 1;
134 static void (*cert_free)(void *) = (void (*)(void *)) X509_free;
135 static void (*pkey_free)(void *) = (void (*)(void *)) EVP_PKEY_free;
137 typedef struct dane_list
139 struct dane_list *next;
143 #define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0)
145 typedef struct dane_host_list
147 struct dane_host_list *next;
151 typedef struct dane_data
154 unsigned char data[0];
157 typedef struct dane_data_list
159 struct dane_data_list *next;
163 typedef struct dane_mtype
170 typedef struct dane_mtype_list
172 struct dane_mtype_list *next;
176 typedef struct dane_selector
179 dane_mtype_list mtype;
182 typedef struct dane_selector_list
184 struct dane_selector_list *next;
186 } *dane_selector_list;
188 typedef struct dane_pkey_list
190 struct dane_pkey_list *next;
194 typedef struct dane_cert_list
196 struct dane_cert_list *next;
200 typedef struct ssl_dane
202 int (*verify)(X509_STORE_CTX *);
203 STACK_OF(X509) *roots;
204 STACK_OF(X509) *chain;
205 X509 *match; /* Matched cert */
206 const char *thost; /* TLSA base domain */
207 char *mhost; /* Matched peer name */
208 dane_pkey_list pkeys;
209 dane_cert_list certs;
210 dane_host_list hosts;
211 dane_selector_list selectors[DANESSL_USAGE_LAST + 1];
213 int mdpth; /* Depth of matched cert */
214 int multi; /* Multi-label wildcards? */
215 int count; /* Number of TLSA records */
218 #ifndef X509_V_ERR_HOSTNAME_MISMATCH
219 # define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION
225 match(dane_selector_list slist, X509 *cert, int depth)
230 * Note, set_trust_anchor() needs to know whether the match was for a
231 * pkey digest or a certificate digest. We return MATCHED_PKEY or
232 * MATCHED_CERT accordingly.
234 #define MATCHED_CERT (DANESSL_SELECTOR_CERT + 1)
235 #define MATCHED_PKEY (DANESSL_SELECTOR_SPKI + 1)
238 * Loop over each selector, mtype, and associated data element looking
241 for (matched = 0; !matched && slist; slist = slist->next)
244 unsigned char mdbuf[EVP_MAX_MD_SIZE];
245 unsigned char *buf = NULL;
247 unsigned int len = 0;
250 * Extract ASN.1 DER form of certificate or public key.
252 switch(slist->value->selector)
254 case DANESSL_SELECTOR_CERT:
255 len = i2d_X509(cert, NULL);
256 buf2 = buf = US OPENSSL_malloc(len);
257 if(buf) i2d_X509(cert, &buf2);
259 case DANESSL_SELECTOR_SPKI:
260 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
261 buf2 = buf = US OPENSSL_malloc(len);
262 if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2);
268 DANEerr(DANESSL_F_MATCH, ERR_R_MALLOC_FAILURE);
271 OPENSSL_assert(buf2 - buf == len);
274 * Loop over each mtype and data element
276 for (m = slist->value->mtype; !matched && m; m = m->next)
279 unsigned char *cmpbuf = buf;
280 unsigned int cmplen = len;
283 * If it is a digest, compute the corresponding digest of the
284 * DER data for comparison, otherwise, use the full object.
289 if (!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
292 for (d = m->value->data; !matched && d; d = d->next)
293 if ( cmplen == d->value->datalen
294 && memcmp(cmpbuf, d->value->data, cmplen) == 0)
295 matched = slist->value->selector + 1;
305 push_ext(X509 *cert, X509_EXTENSION *ext)
309 if (X509_add_ext(cert, ext, -1))
311 X509_EXTENSION_free(ext);
313 DANEerr(DANESSL_F_PUSH_EXT, ERR_R_MALLOC_FAILURE);
318 add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
322 X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
323 return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
327 set_serial(X509 *cert, AUTHORITY_KEYID *akid, X509 *subject)
332 if (akid && akid->serial)
333 return (X509_set_serialNumber(cert, akid->serial));
336 * Add one to subject's serial to avoid collisions between TA serial and
337 * serial of signing root.
339 if ( (bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(subject), 0)) != 0
340 && BN_add_word(bn, 1)
341 && BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(cert)))
350 add_akid(X509 *cert, AUTHORITY_KEYID *akid)
352 int nid = NID_authority_key_identifier;
353 ASN1_OCTET_STRING *id;
358 * 0 will never be our subject keyid from a SHA-1 hash, but it could be
359 * our subject keyid if forced from child's akid. If so, set our
360 * authority keyid to 1. This way we are never self-signed, and thus
361 * exempt from any potential (off by default for now in OpenSSL)
362 * self-signature checks!
364 id = akid && akid->keyid ? akid->keyid : 0;
365 if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_get0_data(id) == c)
368 if ( (akid = AUTHORITY_KEYID_new()) != 0
369 && (akid->keyid = ASN1_OCTET_STRING_new()) != 0
370 #ifdef EXIM_HAVE_ASN1_MACROS
371 && ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
373 && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
375 && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_APPEND))
378 AUTHORITY_KEYID_free(akid);
383 add_skid(X509 *cert, AUTHORITY_KEYID *akid)
385 int nid = NID_subject_key_identifier;
387 if (!akid || !akid->keyid)
388 return add_ext(0, cert, nid, "hash");
389 return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_APPEND) > 0;
393 akid_issuer_name(AUTHORITY_KEYID *akid)
395 if (akid && akid->issuer)
398 GENERAL_NAMES *gens = akid->issuer;
400 for (i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
402 GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
404 if (gn->type == GEN_DIRNAME)
412 set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
414 X509_NAME *name = akid_issuer_name(akid);
417 * If subject's akid specifies an authority key identifer issuer name, we
420 return X509_set_issuer_name(cert,
421 name ? name : X509_get_subject_name(cert));
425 grow_chain(ssl_dane *dane, int trusted, X509 *cert)
427 STACK_OF(X509) **xs = trusted ? &dane->roots : &dane->chain;
428 static ASN1_OBJECT *serverAuth = 0;
433 if ( trusted && !serverAuth
434 && !(serverAuth = OBJ_nid2obj(NID_server_auth)))
436 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
439 if (!*xs && !(*xs = sk_X509_new_null()))
441 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
447 if (trusted && !X509_add1_trust_object(cert, serverAuth))
449 #ifdef EXIM_OPAQUE_X509
452 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
454 if (!sk_X509_push(*xs, cert))
457 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
465 wrap_issuer(ssl_dane *dane, EVP_PKEY *key, X509 *subject, int depth, int top)
469 AUTHORITY_KEYID *akid;
470 X509_NAME *name = X509_get_issuer_name(subject);
471 EVP_PKEY *newkey = key ? key : X509_get_pubkey(subject);
473 #define WRAP_MID 0 /* Ensure intermediate. */
474 #define WRAP_TOP 1 /* Ensure self-signed. */
476 if (!name || !newkey || !(cert = X509_new()))
480 * Record the depth of the trust-anchor certificate.
483 dane->depth = depth + 1;
486 * XXX: Uncaught error condition:
488 * The return value is NULL both when the extension is missing, and when
489 * OpenSSL rans out of memory while parsing the extension.
492 akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
493 /* XXX: Should we peek at the error stack here??? */
496 * If top is true generate a self-issued root CA, otherwise an
497 * intermediate CA and possibly its self-signed issuer.
499 * CA cert valid for +/- 30 days
501 if ( !X509_set_version(cert, 2)
502 || !set_serial(cert, akid, subject)
503 || !set_issuer_name(cert, akid)
504 || !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L)
505 || !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L)
506 || !X509_set_subject_name(cert, name)
507 || !X509_set_pubkey(cert, newkey)
508 || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
509 || (!top && !add_akid(cert, akid))
510 || !add_skid(cert, akid)
511 || ( !top && wrap_to_root
512 && !wrap_issuer(dane, newkey, cert, depth, WRAP_TOP)))
516 AUTHORITY_KEYID_free(akid);
518 EVP_PKEY_free(newkey);
520 ret = grow_chain(dane, !top && wrap_to_root ? UNTRUSTED : TRUSTED, cert);
527 wrap_cert(ssl_dane *dane, X509 *tacert, int depth)
530 dane->depth = depth + 1;
533 * If the TA certificate is self-issued, or need not be, use it directly.
534 * Otherwise, synthesize requisite ancestors.
537 || X509_check_issued(tacert, tacert) == X509_V_OK)
538 return grow_chain(dane, TRUSTED, tacert);
540 if (wrap_issuer(dane, 0, tacert, depth, WRAP_MID))
541 return grow_chain(dane, UNTRUSTED, tacert);
546 ta_signed(ssl_dane *dane, X509 *cert, int depth)
554 * First check whether issued and signed by a TA cert, this is cheaper
555 * than the bare-public key checks below, since we can determine whether
556 * the candidate TA certificate issued the certificate to be checked
557 * first (name comparisons), before we bother with signature checks
558 * (public key operations).
560 for (x = dane->certs; !done && x; x = x->next)
562 if (X509_check_issued(x->value, cert) == X509_V_OK)
564 if (!(pk = X509_get_pubkey(x->value)))
567 * The cert originally contained a valid pkey, which does
568 * not just vanish, so this is most likely a memory error.
573 /* Check signature, since some other TA may work if not this. */
574 if (X509_verify(cert, pk) > 0)
575 done = wrap_cert(dane, x->value, depth) ? 1 : -1;
581 * With bare TA public keys, we can't check whether the trust chain is
582 * issued by the key, but we can determine whether it is signed by the
583 * key, so we go with that.
585 * Ideally, the corresponding certificate was presented in the chain, and we
586 * matched it by its public key digest one level up. This code is here
587 * to handle adverse conditions imposed by sloppy administrators of
588 * receiving systems with poorly constructed chains.
590 * We'd like to optimize out keys that should not match when the cert's
591 * authority key id does not match the key id of this key computed via
592 * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans
593 * ASN1 tag and length thus also excluding the unused bits field that is
594 * logically part of the length). However, some CAs have a non-standard
595 * authority keyid, so we lose. Too bad.
597 * This may push errors onto the stack when the certificate signature is
598 * not of the right type or length, throw these away,
600 for (k = dane->pkeys; !done && k; k = k->next)
601 if (X509_verify(cert, k->value) > 0)
602 done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
610 set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
618 STACK_OF(X509) *in = X509_STORE_CTX_get0_untrusted(ctx);
620 if (!grow_chain(dane, UNTRUSTED, 0))
624 * Accept a degenerate case: depth 0 self-signed trust-anchor.
626 if (X509_check_issued(cert, cert) == X509_V_OK)
629 matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], cert, 0);
630 if (matched > 0 && !grow_chain(dane, TRUSTED, cert))
635 /* Make a shallow copy of the input untrusted chain. */
636 if (!(in = sk_X509_dup(in)))
638 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
643 * At each iteration we consume the issuer of the current cert. This
644 * reduces the length of the "in" chain by one. If no issuer is found,
645 * we are done. We also stop when a certificate matches a TA in the
648 * Caller ensures that the initial certificate is not self-signed.
650 for (n = sk_X509_num(in); n > 0; --n, ++depth)
652 for (i = 0; i < n; ++i)
653 if (X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
657 * Final untrusted element with no issuer in the peer's chain, it may
658 * however be signed by a pkey or cert obtained via a TLSA RR.
663 /* Peer's chain contains an issuer ca. */
664 ca = sk_X509_delete(in, i);
666 /* If not a trust anchor, record untrusted ca and continue. */
667 if ((matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], ca,
670 if (grow_chain(dane, UNTRUSTED, ca))
672 if (X509_check_issued(ca, ca) != X509_V_OK)
674 /* Restart with issuer as subject */
678 /* Final self-signed element, skip ta_signed() check. */
684 else if(matched == MATCHED_CERT)
686 if(!wrap_cert(dane, ca, depth))
689 else if(matched == MATCHED_PKEY)
691 if ( !(takey = X509_get_pubkey(ca))
692 || !wrap_issuer(dane, takey, cert, depth, WRAP_MID))
695 EVP_PKEY_free(takey);
697 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
704 /* Shallow free the duplicated input untrusted chain. */
708 * When the loop exits, if "cert" is set, it is not self-signed and has
709 * no issuer in the chain, we check for a possible signature via a DNS
710 * obtained TA cert or public key.
712 if (matched == 0 && cert)
713 matched = ta_signed(dane, cert, depth);
719 check_end_entity(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
723 matched = match(dane->selectors[DANESSL_USAGE_DANE_EE], cert, 0);
729 if(!X509_STORE_CTX_get0_chain(ctx))
731 STACK_OF(X509) * sk = sk_X509_new_null();
732 if (sk && sk_X509_push(sk, cert))
735 X509_STORE_CTX_set0_verified_chain(ctx, sk);
739 if (sk) sk_X509_free(sk);
740 DANEerr(DANESSL_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE);
749 match_name(const char *certid, ssl_dane *dane)
751 int multi = dane->multi;
752 dane_host_list hosts;
754 for (hosts = dane->hosts; hosts; hosts = hosts->next)
756 int match_subdomain = 0;
757 const char *domain = hosts->value;
762 if (*domain == '.' && domain[1] != '\0')
769 * Sub-domain match: certid is any sub-domain of hostname.
773 if ( (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1
774 && certid[idlen - domlen - 1] == '.'
775 && !strcasecmp(certid + (idlen - domlen), domain))
782 * Exact match and initial "*" match. The initial "*" in a certid
783 * matches one (if multi is false) or more hostname components under
784 * the condition that the certid contains multiple hostname components.
786 if ( !strcasecmp(certid, domain)
787 || ( certid[0] == '*' && certid[1] == '.' && certid[2] != 0
788 && (parent = strchr(domain, '.')) != 0
789 && (idlen = strlen(certid + 1)) <= (domlen = strlen(parent))
790 && strcasecmp(multi ? parent + domlen - idlen : parent, certid+1) == 0))
797 check_name(const char *name, int len)
799 const char *cp = name + len;
801 while (len > 0 && !*--cp)
802 --len; /* Ignore trailing NULs */
805 for (cp = name; *cp; cp++)
808 if (!((c >= 'a' && c <= 'z') ||
809 (c >= '0' && c <= '9') ||
810 (c >= 'A' && c <= 'Z') ||
811 (c == '.' || c == '-') ||
813 return 0; /* Only LDH, '.' and '*' */
815 if (cp - name != len) /* Guard against internal NULs */
821 parse_dns_name(const GENERAL_NAME *gn)
823 if (gn->type != GEN_DNS)
825 if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
827 return check_name(CCS ASN1_STRING_get0_data(gn->d.ia5),
828 ASN1_STRING_length(gn->d.ia5));
832 parse_subject_name(X509 *cert)
834 X509_NAME *name = X509_get_subject_name(cert);
835 X509_NAME_ENTRY *entry;
836 ASN1_STRING *entry_str;
837 unsigned char *namebuf;
838 int nid = NID_commonName;
842 if (!name || (i = X509_NAME_get_index_by_NID(name, nid, -1)) < 0)
844 if (!(entry = X509_NAME_get_entry(name, i)))
846 if (!(entry_str = X509_NAME_ENTRY_get_data(entry)))
849 if ((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0)
851 if (len <= 0 || check_name(CS namebuf, len) == 0)
853 OPENSSL_free(namebuf);
860 name_check(ssl_dane *dane, X509 *cert)
863 BOOL got_altname = FALSE;
866 gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
869 int n = sk_GENERAL_NAME_num(gens);
872 for (i = 0; i < n; ++i)
874 const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
877 if (gn->type != GEN_DNS)
880 certid = parse_dns_name(gn);
881 if (certid && *certid)
883 if ((matched = match_name(certid, dane)) == 0)
885 if (!(dane->mhost = OPENSSL_strdup(certid)))
887 DEBUG(D_tls) debug_printf("Dane name_check: matched SAN %s\n", certid);
891 GENERAL_NAMES_free(gens);
895 * XXX: Should the subjectName be skipped when *any* altnames are present,
896 * or only when DNS altnames are present?
900 char *certid = parse_subject_name(cert);
901 if (certid != 0 && *certid && (matched = match_name(certid, dane)) != 0)
903 DEBUG(D_tls) debug_printf("Dane name_check: matched SN %s\n", certid);
904 dane->mhost = OPENSSL_strdup(certid);
907 OPENSSL_free(certid);
913 verify_chain(X509_STORE_CTX *ctx)
915 int (*cb)(int, X509_STORE_CTX *) = X509_STORE_CTX_get_verify_cb(ctx);
916 X509 *cert = X509_STORE_CTX_get0_cert(ctx);
917 STACK_OF(X509) * chain = X509_STORE_CTX_get0_chain(ctx);
918 int chain_length = sk_X509_num(chain);
919 int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
920 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
921 ssl_dane *dane = SSL_get_ex_data(ssl, dane_idx);
922 dane_selector_list issuer_rrs = dane->selectors[DANESSL_USAGE_PKIX_TA];
923 dane_selector_list leaf_rrs = dane->selectors[DANESSL_USAGE_PKIX_EE];
926 DEBUG(D_tls) debug_printf("Dane verify_chain\n");
928 /* Restore OpenSSL's internal_verify() as the signature check function */
929 X509_STORE_CTX_set_verify(ctx, dane->verify);
931 if ((matched = name_check(dane, cert)) < 0)
933 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
939 X509_STORE_CTX_set_error_depth(ctx, 0);
940 X509_STORE_CTX_set_current_cert(ctx, cert);
941 X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
948 * Satisfy at least one usage 0 or 1 constraint, unless we've already
949 * matched a usage 2 trust anchor.
951 * XXX: internal_verify() doesn't callback with top certs that are not
952 * self-issued. This is fixed in OpenSSL 1.1.0.
954 if (dane->roots && sk_X509_num(dane->roots))
956 X509 *top = sk_X509_value(chain, dane->depth);
958 dane->mdpth = dane->depth;
962 #if OPENSSL_VERSION_NUMBER < 0x10100000L
963 if (X509_check_issued(top, top) != X509_V_OK)
965 X509_STORE_CTX_set_error_depth(ctx, dane->depth);
966 X509_STORE_CTX_set_current_cert(ctx, top);
971 /* Pop synthetic trust-anchor ancestors off the chain! */
972 while (--chain_length > dane->depth)
973 X509_free(sk_X509_pop(chain));
981 * Check for an EE match, then a CA match at depths > 0, and
982 * finally, if the EE cert is self-issued, for a depth 0 CA match.
985 matched = match(leaf_rrs, xn, 0);
986 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched EE\n");
988 if (!matched && issuer_rrs)
989 for (n = chain_length-1; !matched && n >= 0; --n)
991 xn = sk_X509_value(chain, n);
992 if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
993 matched = match(issuer_rrs, xn, n);
995 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched %s\n",
996 n>0 ? "CA" : "selfisssued EE");
1000 X509_STORE_CTX_set_error_depth(ctx, 0);
1001 X509_STORE_CTX_set_current_cert(ctx, cert);
1002 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
1014 /* Tail recurse into OpenSSL's internal_verify */
1015 return dane->verify(ctx);
1019 dane_reset(ssl_dane *dane)
1024 OPENSSL_free(dane->mhost);
1029 sk_X509_pop_free(dane->roots, X509_free);
1034 sk_X509_pop_free(dane->chain, X509_free);
1039 X509_free(dane->match);
1046 verify_cert(X509_STORE_CTX *ctx, void *unused_ctx)
1048 static int ssl_idx = -1;
1051 int (*cb)(int, X509_STORE_CTX *) = X509_STORE_CTX_get_verify_cb(ctx);
1052 X509 *cert = X509_STORE_CTX_get0_cert(ctx);
1055 DEBUG(D_tls) debug_printf("Dane verify_cert\n");
1058 ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1061 DANEerr(DANESSL_F_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
1065 ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
1066 if (!(dane = SSL_get_ex_data(ssl, dane_idx)) || !cert)
1067 return X509_verify_cert(ctx);
1069 /* Reset for verification of a new chain, perhaps a renegotiation. */
1072 if (dane->selectors[DANESSL_USAGE_DANE_EE])
1074 if ((matched = check_end_entity(ctx, dane, cert)) > 0)
1076 X509_STORE_CTX_set_error_depth(ctx, 0);
1077 X509_STORE_CTX_set_current_cert(ctx, cert);
1082 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1087 if (dane->selectors[DANESSL_USAGE_DANE_TA])
1089 if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
1091 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1097 * Check that setting the untrusted chain updates the expected
1098 * structure member at the expected offset.
1100 X509_STORE_CTX_trusted_stack(ctx, dane->roots);
1101 X509_STORE_CTX_set_chain(ctx, dane->chain);
1102 OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx));
1107 * Name checks and usage 0/1 constraint enforcement are delayed until
1108 * X509_verify_cert() builds the full chain and calls our verify_chain()
1111 dane->verify = X509_STORE_CTX_get_verify(ctx);
1112 X509_STORE_CTX_set_verify(ctx, verify_chain);
1114 if (X509_verify_cert(ctx))
1118 * If the chain is invalid, clear any matching cert or hostname, to
1119 * protect callers that might erroneously rely on these alone without
1120 * checking the validation status.
1124 X509_free(dane->match);
1129 OPENSSL_free(dane->mhost);
1136 list_alloc(size_t vsize)
1138 void *value = (void *) OPENSSL_malloc(vsize);
1143 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1146 if (!(l = (dane_list) OPENSSL_malloc(sizeof(*l))))
1148 OPENSSL_free(value);
1149 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1158 list_free(void *list, void (*f)(void *))
1163 for (head = (dane_list) list; head; head = next)
1166 if (f && head->value)
1179 dane_mtype_free(void *p)
1181 list_free(((dane_mtype) p)->data, ossl_free);
1186 dane_selector_free(void *p)
1188 list_free(((dane_selector) p)->mtype, dane_mtype_free);
1196 Tidy up once the connection is finished with.
1199 ssl The ssl connection handle
1201 => Before calling SSL_free()
1202 tls_close() and tls_getc() [the error path] are the obvious places.
1203 Could we do it earlier - right after verification? In tls_client_start()
1204 right after SSL_connect() returns, in that case.
1209 DANESSL_cleanup(SSL *ssl)
1214 DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
1216 if (dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1218 (void) SSL_set_ex_data(ssl, dane_idx, 0);
1222 list_free(dane->hosts, ossl_free);
1223 for (u = 0; u <= DANESSL_USAGE_LAST; ++u)
1224 if (dane->selectors[u])
1225 list_free(dane->selectors[u], dane_selector_free);
1227 list_free(dane->pkeys, pkey_free);
1229 list_free(dane->certs, cert_free);
1233 static dane_host_list
1234 host_list_init(const char **src)
1236 dane_host_list head = NULL;
1240 dane_host_list elem = (dane_host_list) OPENSSL_malloc(sizeof(*elem));
1243 list_free(head, ossl_free);
1246 elem->value = OPENSSL_strdup(*src++);
1247 LINSERT(head, elem);
1254 DANESSL_get_match_cert(SSL *ssl, X509 **match, const char **mhost, int *depth)
1258 if (dane_idx < 0 || (dane = SSL_get_ex_data(ssl, dane_idx)) == 0)
1260 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1267 *match = dane->match;
1269 *mhost = dane->mhost;
1271 *depth = dane->mdpth;
1274 return (dane->match != 0);
1280 DANESSL_verify_chain(SSL *ssl, STACK_OF(X509) *chain)
1284 X509_STORE_CTX * store_ctx;
1285 SSL_CTX *ssl_ctx = SSL_get_SSL_CTX(ssl);
1286 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
1287 int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1289 cert = sk_X509_value(chain, 0);
1290 if (!(store_ctx = X509_STORE_CTX_new()))
1292 DANEerr(DANESSL_F_DANESSL_VERIFY_CHAIN, ERR_R_MALLOC_FAILURE);
1295 if (!X509_STORE_CTX_init(store_ctx, store, cert, chain))
1297 X509_STORE_CTX_free(store_ctx);
1300 X509_STORE_CTX_set_ex_data(store_ctx, store_ctx_idx, ssl);
1302 X509_STORE_CTX_set_default(store_ctx,
1303 SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
1304 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
1305 SSL_get0_param(ssl));
1307 if (SSL_get_verify_callback(ssl))
1308 X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
1310 ret = verify_cert(store_ctx, NULL);
1312 SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(store_ctx));
1313 X509_STORE_CTX_cleanup(store_ctx);
1324 Call this for each TLSA record found for the target, after the
1325 DANE setup has been done on the ssl connection handle.
1328 ssl Connection handle
1329 usage TLSA record field
1330 selector TLSA record field
1331 mdname ??? message digest name?
1332 data ??? TLSA record megalump?
1342 DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
1343 unsigned const char *data, size_t dlen)
1346 dane_selector_list s = 0;
1347 dane_mtype_list m = 0;
1348 dane_data_list d = 0;
1349 dane_cert_list xlist = 0;
1350 dane_pkey_list klist = 0;
1351 const EVP_MD *md = 0;
1353 DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
1354 usage, selector, mdname);
1356 if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1358 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1362 if (usage > DANESSL_USAGE_LAST)
1364 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_USAGE);
1367 if (selector > DANESSL_SELECTOR_LAST)
1369 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_SELECTOR);
1373 /* Support built-in standard one-digit mtypes */
1374 if (mdname && *mdname && mdname[1] == '\0')
1375 switch (*mdname - '0')
1377 case DANESSL_MATCHING_FULL: mdname = 0; break;
1378 case DANESSL_MATCHING_2256: mdname = "sha256"; break;
1379 case DANESSL_MATCHING_2512: mdname = "sha512"; break;
1381 if (mdname && *mdname && (md = EVP_get_digestbyname(mdname)) == 0)
1383 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST);
1386 if (mdname && *mdname && dlen != EVP_MD_size(md))
1388 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH);
1393 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA);
1398 * Full Certificate or Public Key when NULL or empty digest name
1400 if (!mdname || !*mdname)
1404 const unsigned char *p = data;
1406 #define xklistinit(lvar, ltype, var, freeFunc) do { \
1407 (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
1408 if ((lvar) == 0) { \
1409 DANEerr(DANESSL_F_ADD_TLSA, ERR_R_MALLOC_FAILURE); \
1414 lvar->value = var; \
1416 #define xkfreeret(ret) do { \
1417 if (xlist) list_free(xlist, cert_free); \
1418 if (klist) list_free(klist, pkey_free); \
1424 case DANESSL_SELECTOR_CERT:
1425 if (!d2i_X509(&x, &p, dlen) || dlen != p - data)
1429 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT);
1432 k = X509_get_pubkey(x);
1437 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT_PKEY);
1440 if (usage == DANESSL_USAGE_DANE_TA)
1441 xklistinit(xlist, dane_cert_list, x, X509_free);
1444 case DANESSL_SELECTOR_SPKI:
1445 if (!d2i_PUBKEY(&k, &p, dlen) || dlen != p - data)
1449 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_PKEY);
1452 if (usage == DANESSL_USAGE_DANE_TA)
1453 xklistinit(klist, dane_pkey_list, k, EVP_PKEY_free);
1458 /* Find insertion point and don't add duplicate elements. */
1459 for (s = dane->selectors[usage]; s; s = s->next)
1460 if (s->value->selector == selector)
1462 for (m = s->value->mtype; m; m = m->next)
1463 if (m->value->md == md)
1465 for (d = m->value->data; d; d = d->next)
1466 if ( d->value->datalen == dlen
1467 && memcmp(d->value->data, data, dlen) == 0)
1474 if ((d = (dane_data_list) list_alloc(sizeof(*d->value) + dlen)) == 0)
1476 d->value->datalen = dlen;
1477 memcpy(d->value->data, data, dlen);
1480 if ((m = (dane_mtype_list) list_alloc(sizeof(*m->value))) == 0)
1482 list_free(d, ossl_free);
1486 if ((m->value->md = md) != 0)
1487 m->value->mdlen = dlen;
1490 if ((s = (dane_selector_list) list_alloc(sizeof(*s->value))) == 0)
1492 list_free(m, dane_mtype_free);
1495 s->value->mtype = 0;
1496 s->value->selector = selector;
1497 LINSERT(dane->selectors[usage], s);
1499 LINSERT(s->value->mtype, m);
1501 LINSERT(m->value->data, d);
1504 LINSERT(dane->certs, xlist);
1506 LINSERT(dane->pkeys, klist);
1515 Call this once we have an ssl connection handle but before
1516 making the TLS connection.
1518 => In tls_client_start() after the call to SSL_new()
1519 and before the call to SSL_connect(). Exactly where
1520 probably does not matter.
1521 We probably want to keep our existing SNI handling;
1522 call this with NULL.
1525 ssl Connection handle
1526 sni_domain Optional peer server name
1527 hostnames list of names to chack against peer cert
1536 DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
1541 DEBUG(D_tls) debug_printf("Dane ssl_init\n");
1544 DANEerr(DANESSL_F_INIT, DANESSL_R_LIBRARY_INIT);
1548 if (sni_domain && !SSL_set_tlsext_host_name(ssl, sni_domain))
1551 if ((dane = (ssl_dane *) OPENSSL_malloc(sizeof(ssl_dane))) == 0)
1553 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1556 if (!SSL_set_ex_data(ssl, dane_idx, dane))
1558 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1572 dane->mhost = 0; /* Future SSL control interface */
1573 dane->mdpth = 0; /* Future SSL control interface */
1574 dane->multi = 0; /* Future SSL control interface */
1578 for (i = 0; i <= DANESSL_USAGE_LAST; ++i)
1579 dane->selectors[i] = 0;
1581 if (hostnames && (dane->hosts = host_list_init(hostnames)) == 0)
1583 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1584 DANESSL_cleanup(ssl);
1594 Call this once we have a context to work with, but
1595 before DANESSL_init()
1597 => in tls_client_start(), after tls_init() call gives us the ctx,
1598 if we decide we want to (policy) and can (TLSA records available)
1599 replacing (? what about fallback) everything from testing tls_verify_hosts
1600 down to just before calling SSL_new() for the conn handle.
1611 DANESSL_CTX_init(SSL_CTX *ctx)
1613 DEBUG(D_tls) debug_printf("Dane ctx-init\n");
1616 SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
1619 DANEerr(DANESSL_F_CTX_INIT, DANESSL_R_LIBRARY_INIT);
1627 * Store library id in zeroth function slot, used to locate the library
1628 * name. This must be done before we load the error strings.
1630 err_lib_dane = ERR_get_next_error_library();
1632 #ifndef OPENSSL_NO_ERR
1633 if (err_lib_dane > 0)
1635 dane_str_functs[0].error |= ERR_PACK(err_lib_dane, 0, 0);
1636 ERR_load_strings(err_lib_dane, dane_str_functs);
1637 ERR_load_strings(err_lib_dane, dane_str_reasons);
1642 * Register SHA-2 digests, if implemented and not already registered.
1644 #if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
1645 if (!EVP_get_digestbyname(LN_sha224)) EVP_add_digest(EVP_sha224());
1646 if (!EVP_get_digestbyname(LN_sha256)) EVP_add_digest(EVP_sha256());
1648 #if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
1649 if (!EVP_get_digestbyname(LN_sha384)) EVP_add_digest(EVP_sha384());
1650 if (!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
1654 * Register an SSL index for the connection-specific ssl_dane structure.
1655 * Using a separate index makes it possible to add DANE support to
1656 * existing OpenSSL releases that don't have a suitable pointer in the
1659 dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
1663 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
1665 run_once(volatile int * once, void (*init)(void))
1669 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
1672 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1673 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1682 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1684 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1692 Call this once. Probably early in startup will do; may need
1693 to be after SSL library init.
1695 => put after call to tls_init() for now
1703 DANESSL_library_init(void)
1705 static CRYPTO_ONCE once = CRYPTO_ONCE_STATIC_INIT;
1707 DEBUG(D_tls) debug_printf("Dane lib-init\n");
1708 (void) CRYPTO_THREAD_run_once(&once, dane_init);
1710 #if defined(LN_sha256)
1711 /* No DANE without SHA256 support */
1712 if (dane_idx >= 0 && EVP_get_digestbyname(LN_sha256) != 0)
1715 DANEerr(DANESSL_F_LIBRARY_INIT, DANESSL_R_SUPPORT);