2 * Author: Viktor Dukhovni
3 * License: THIS CODE IS IN THE PUBLIC DOMAIN.
9 #include <openssl/opensslv.h>
10 #include <openssl/err.h>
11 #include <openssl/crypto.h>
12 #include <openssl/safestack.h>
13 #include <openssl/objects.h>
14 #include <openssl/x509.h>
15 #include <openssl/x509v3.h>
16 #include <openssl/evp.h>
17 #include <openssl/bn.h>
19 #if OPENSSL_VERSION_NUMBER < 0x1000000fL
20 # error "OpenSSL 1.0.0 or higher required"
21 #else /* remainder of file */
23 #if OPENSSL_VERSION_NUMBER < 0x10100000L
24 #define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
29 #define DANESSL_F_ADD_SKID 100
30 #define DANESSL_F_ADD_TLSA 101
31 #define DANESSL_F_CHECK_END_ENTITY 102
32 #define DANESSL_F_CTX_INIT 103
33 #define DANESSL_F_GROW_CHAIN 104
34 #define DANESSL_F_INIT 105
35 #define DANESSL_F_LIBRARY_INIT 106
36 #define DANESSL_F_LIST_ALLOC 107
37 #define DANESSL_F_MATCH 108
38 #define DANESSL_F_PUSH_EXT 109
39 #define DANESSL_F_SET_TRUST_ANCHOR 110
40 #define DANESSL_F_VERIFY_CERT 111
41 #define DANESSL_F_WRAP_CERT 112
43 #define DANESSL_R_BAD_CERT 100
44 #define DANESSL_R_BAD_CERT_PKEY 101
45 #define DANESSL_R_BAD_DATA_LENGTH 102
46 #define DANESSL_R_BAD_DIGEST 103
47 #define DANESSL_R_BAD_NULL_DATA 104
48 #define DANESSL_R_BAD_PKEY 105
49 #define DANESSL_R_BAD_SELECTOR 106
50 #define DANESSL_R_BAD_USAGE 107
51 #define DANESSL_R_INIT 108
52 #define DANESSL_R_LIBRARY_INIT 109
53 #define DANESSL_R_NOSIGN_KEY 110
54 #define DANESSL_R_SCTX_INIT 111
55 #define DANESSL_R_SUPPORT 112
57 #ifndef OPENSSL_NO_ERR
58 #define DANESSL_F_PLACEHOLDER 0 /* FIRST! Value TBD */
59 static ERR_STRING_DATA dane_str_functs[] = {
60 {DANESSL_F_PLACEHOLDER, "DANE library"}, /* FIRST!!! */
61 {DANESSL_F_ADD_SKID, "add_skid"},
62 {DANESSL_F_ADD_TLSA, "DANESSL_add_tlsa"},
63 {DANESSL_F_CHECK_END_ENTITY, "check_end_entity"},
64 {DANESSL_F_CTX_INIT, "DANESSL_CTX_init"},
65 {DANESSL_F_GROW_CHAIN, "grow_chain"},
66 {DANESSL_F_INIT, "DANESSL_init"},
67 {DANESSL_F_LIBRARY_INIT, "DANESSL_library_init"},
68 {DANESSL_F_LIST_ALLOC, "list_alloc"},
69 {DANESSL_F_MATCH, "match"},
70 {DANESSL_F_PUSH_EXT, "push_ext"},
71 {DANESSL_F_SET_TRUST_ANCHOR, "set_trust_anchor"},
72 {DANESSL_F_VERIFY_CERT, "verify_cert"},
73 {DANESSL_F_WRAP_CERT, "wrap_cert"},
76 static ERR_STRING_DATA dane_str_reasons[] = {
77 {DANESSL_R_BAD_CERT, "Bad TLSA record certificate"},
78 {DANESSL_R_BAD_CERT_PKEY, "Bad TLSA record certificate public key"},
79 {DANESSL_R_BAD_DATA_LENGTH, "Bad TLSA record digest length"},
80 {DANESSL_R_BAD_DIGEST, "Bad TLSA record digest"},
81 {DANESSL_R_BAD_NULL_DATA, "Bad TLSA record null data"},
82 {DANESSL_R_BAD_PKEY, "Bad TLSA record public key"},
83 {DANESSL_R_BAD_SELECTOR, "Bad TLSA record selector"},
84 {DANESSL_R_BAD_USAGE, "Bad TLSA record usage"},
85 {DANESSL_R_INIT, "DANESSL_init() required"},
86 {DANESSL_R_LIBRARY_INIT, "DANESSL_library_init() required"},
87 {DANESSL_R_NOSIGN_KEY, "Certificate usage 2 requires EC support"},
88 {DANESSL_R_SCTX_INIT, "DANESSL_CTX_init() required"},
89 {DANESSL_R_SUPPORT, "DANE library features not supported"},
94 #define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
96 static int err_lib_dane = -1;
97 static int dane_idx = -1;
99 #ifdef X509_V_FLAG_PARTIAL_CHAIN /* OpenSSL >= 1.0.2 */
100 static int wrap_to_root = 0;
102 static int wrap_to_root = 1;
105 static void (*cert_free)(void *) = (void (*)(void *)) X509_free;
106 static void (*pkey_free)(void *) = (void (*)(void *)) EVP_PKEY_free;
108 typedef struct dane_list
110 struct dane_list *next;
114 #define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0)
116 typedef struct dane_host_list
118 struct dane_host_list *next;
122 typedef struct dane_data
125 unsigned char data[0];
128 typedef struct dane_data_list
130 struct dane_data_list *next;
134 typedef struct dane_mtype
141 typedef struct dane_mtype_list
143 struct dane_mtype_list *next;
147 typedef struct dane_selector
150 dane_mtype_list mtype;
153 typedef struct dane_selector_list
155 struct dane_selector_list *next;
157 } *dane_selector_list;
159 typedef struct dane_pkey_list
161 struct dane_pkey_list *next;
165 typedef struct dane_cert_list
167 struct dane_cert_list *next;
171 typedef struct ssl_dane
173 int (*verify)(X509_STORE_CTX *);
174 STACK_OF(X509) *roots;
175 STACK_OF(X509) *chain;
176 X509 *match; /* Matched cert */
177 const char *thost; /* TLSA base domain */
178 char *mhost; /* Matched peer name */
179 dane_pkey_list pkeys;
180 dane_cert_list certs;
181 dane_host_list hosts;
182 dane_selector_list selectors[DANESSL_USAGE_LAST + 1];
184 int mdpth; /* Depth of matched cert */
185 int multi; /* Multi-label wildcards? */
186 int count; /* Number of TLSA records */
189 #ifndef X509_V_ERR_HOSTNAME_MISMATCH
190 # define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION
194 match(dane_selector_list slist, X509 *cert, int depth)
199 * Note, set_trust_anchor() needs to know whether the match was for a
200 * pkey digest or a certificate digest. We return MATCHED_PKEY or
201 * MATCHED_CERT accordingly.
203 #define MATCHED_CERT (DANESSL_SELECTOR_CERT + 1)
204 #define MATCHED_PKEY (DANESSL_SELECTOR_SPKI + 1)
207 * Loop over each selector, mtype, and associated data element looking
210 for (matched = 0; !matched && slist; slist = slist->next)
213 unsigned char mdbuf[EVP_MAX_MD_SIZE];
214 unsigned char *buf = NULL;
216 unsigned int len = 0;
219 * Extract ASN.1 DER form of certificate or public key.
221 switch(slist->value->selector)
223 case DANESSL_SELECTOR_CERT:
224 len = i2d_X509(cert, NULL);
225 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
226 if(buf) i2d_X509(cert, &buf2);
228 case DANESSL_SELECTOR_SPKI:
229 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
230 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
231 if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2);
237 DANEerr(DANESSL_F_MATCH, ERR_R_MALLOC_FAILURE);
240 OPENSSL_assert(buf2 - buf == len);
243 * Loop over each mtype and data element
245 for (m = slist->value->mtype; !matched && m; m = m->next)
248 unsigned char *cmpbuf = buf;
249 unsigned int cmplen = len;
252 * If it is a digest, compute the corresponding digest of the
253 * DER data for comparison, otherwise, use the full object.
258 if (!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
261 for (d = m->value->data; !matched && d; d = d->next)
262 if ( cmplen == d->value->datalen
263 && memcmp(cmpbuf, d->value->data, cmplen) == 0)
264 matched = slist->value->selector + 1;
274 push_ext(X509 *cert, X509_EXTENSION *ext)
277 if (X509_add_ext(cert, ext, -1))
279 X509_EXTENSION_free(ext);
281 DANEerr(DANESSL_F_PUSH_EXT, ERR_R_MALLOC_FAILURE);
286 add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
290 X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
291 return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
295 set_serial(X509 *cert, AUTHORITY_KEYID *akid, X509 *subject)
300 if (akid && akid->serial)
301 return (X509_set_serialNumber(cert, akid->serial));
304 * Add one to subject's serial to avoid collisions between TA serial and
305 * serial of signing root.
307 if ( (bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(subject), 0)) != 0
308 && BN_add_word(bn, 1)
309 && BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(cert)))
318 add_akid(X509 *cert, AUTHORITY_KEYID *akid)
320 int nid = NID_authority_key_identifier;
326 * 0 will never be our subject keyid from a SHA-1 hash, but it could be
327 * our subject keyid if forced from child's akid. If so, set our
328 * authority keyid to 1. This way we are never self-signed, and thus
329 * exempt from any potential (off by default for now in OpenSSL)
330 * self-signature checks!
332 id = (akid && akid->keyid) ? akid->keyid : 0;
333 if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_data(id) == c)
336 if ( (akid = AUTHORITY_KEYID_new()) != 0
337 && (akid->keyid = ASN1_OCTET_STRING_new()) != 0
338 && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
339 && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_APPEND))
342 AUTHORITY_KEYID_free(akid);
347 add_skid(X509 *cert, AUTHORITY_KEYID *akid)
349 int nid = NID_subject_key_identifier;
351 if (!akid || !akid->keyid)
352 return add_ext(0, cert, nid, "hash");
353 return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_APPEND) > 0;
357 akid_issuer_name(AUTHORITY_KEYID *akid)
359 if (akid && akid->issuer)
362 GENERAL_NAMES *gens = akid->issuer;
364 for (i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
366 GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
368 if (gn->type == GEN_DIRNAME)
376 set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
378 X509_NAME *name = akid_issuer_name(akid);
381 * If subject's akid specifies an authority key identifer issuer name, we
384 return X509_set_issuer_name(cert,
385 name ? name : X509_get_subject_name(cert));
389 grow_chain(ssl_dane *dane, int trusted, X509 *cert)
391 STACK_OF(X509) **xs = trusted ? &dane->roots : &dane->chain;
392 static ASN1_OBJECT *serverAuth = 0;
397 if ( trusted && !serverAuth
398 && !(serverAuth = OBJ_nid2obj(NID_server_auth)))
400 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
403 if (!*xs && !(*xs = sk_X509_new_null()))
405 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
411 if (trusted && !X509_add1_trust_object(cert, serverAuth))
413 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
414 if (!sk_X509_push(*xs, cert))
417 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
425 wrap_issuer(ssl_dane *dane, EVP_PKEY *key, X509 *subject, int depth, int top)
429 AUTHORITY_KEYID *akid;
430 X509_NAME *name = X509_get_issuer_name(subject);
431 EVP_PKEY *newkey = key ? key : X509_get_pubkey(subject);
433 #define WRAP_MID 0 /* Ensure intermediate. */
434 #define WRAP_TOP 1 /* Ensure self-signed. */
436 if (!name || !newkey || !(cert = X509_new()))
440 * Record the depth of the trust-anchor certificate.
443 dane->depth = depth + 1;
446 * XXX: Uncaught error condition:
448 * The return value is NULL both when the extension is missing, and when
449 * OpenSSL rans out of memory while parsing the extension.
452 akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
453 /* XXX: Should we peek at the error stack here??? */
456 * If top is true generate a self-issued root CA, otherwise an
457 * intermediate CA and possibly its self-signed issuer.
459 * CA cert valid for +/- 30 days
461 if ( !X509_set_version(cert, 2)
462 || !set_serial(cert, akid, subject)
463 || !X509_set_subject_name(cert, name)
464 || !set_issuer_name(cert, akid)
465 || !X509_gmtime_adj(X509_get_notBefore(cert), -30 * 86400L)
466 || !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L)
467 || !X509_set_pubkey(cert, newkey)
468 || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
469 || (!top && !add_akid(cert, akid))
470 || !add_skid(cert, akid)
471 || ( !top && wrap_to_root
472 && !wrap_issuer(dane, newkey, cert, depth, WRAP_TOP)))
476 AUTHORITY_KEYID_free(akid);
478 EVP_PKEY_free(newkey);
480 ret = grow_chain(dane, !top && wrap_to_root ? UNTRUSTED : TRUSTED, cert);
487 wrap_cert(ssl_dane *dane, X509 *tacert, int depth)
490 dane->depth = depth + 1;
493 * If the TA certificate is self-issued, or need not be, use it directly.
494 * Otherwise, synthesize requisuite ancestors.
497 || X509_check_issued(tacert, tacert) == X509_V_OK)
498 return grow_chain(dane, TRUSTED, tacert);
500 if (wrap_issuer(dane, 0, tacert, depth, WRAP_MID))
501 return grow_chain(dane, UNTRUSTED, tacert);
506 ta_signed(ssl_dane *dane, X509 *cert, int depth)
514 * First check whether issued and signed by a TA cert, this is cheaper
515 * than the bare-public key checks below, since we can determine whether
516 * the candidate TA certificate issued the certificate to be checked
517 * first (name comparisons), before we bother with signature checks
518 * (public key operations).
520 for (x = dane->certs; !done && x; x = x->next)
522 if (X509_check_issued(x->value, cert) == X509_V_OK)
524 if (!(pk = X509_get_pubkey(x->value)))
527 * The cert originally contained a valid pkey, which does
528 * not just vanish, so this is most likely a memory error.
533 /* Check signature, since some other TA may work if not this. */
534 if (X509_verify(cert, pk) > 0)
535 done = wrap_cert(dane, x->value, depth) ? 1 : -1;
541 * With bare TA public keys, we can't check whether the trust chain is
542 * issued by the key, but we can determine whether it is signed by the
543 * key, so we go with that.
545 * Ideally, the corresponding certificate was presented in the chain, and we
546 * matched it by its public key digest one level up. This code is here
547 * to handle adverse conditions imposed by sloppy administrators of
548 * receiving systems with poorly constructed chains.
550 * We'd like to optimize out keys that should not match when the cert's
551 * authority key id does not match the key id of this key computed via
552 * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans
553 * ASN1 tag and length thus also excluding the unused bits field that is
554 * logically part of the length). However, some CAs have a non-standard
555 * authority keyid, so we lose. Too bad.
557 * This may push errors onto the stack when the certificate signature is
558 * not of the right type or length, throw these away,
560 for (k = dane->pkeys; !done && k; k = k->next)
561 if (X509_verify(cert, k->value) > 0)
562 done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
570 set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
578 STACK_OF(X509) *in = ctx->untrusted; /* XXX: Accessor? */
580 if (!grow_chain(dane, UNTRUSTED, 0))
584 * Accept a degenerate case: depth 0 self-signed trust-anchor.
586 if (X509_check_issued(cert, cert) == X509_V_OK)
589 matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], cert, 0);
590 if (matched > 0 && !grow_chain(dane, TRUSTED, cert))
595 /* Make a shallow copy of the input untrusted chain. */
596 if (!(in = sk_X509_dup(in)))
598 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
603 * At each iteration we consume the issuer of the current cert. This
604 * reduces the length of the "in" chain by one. If no issuer is found,
605 * we are done. We also stop when a certificate matches a TA in the
608 * Caller ensures that the initial certificate is not self-signed.
610 for (n = sk_X509_num(in); n > 0; --n, ++depth)
612 for (i = 0; i < n; ++i)
613 if (X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
617 * Final untrusted element with no issuer in the peer's chain, it may
618 * however be signed by a pkey or cert obtained via a TLSA RR.
623 /* Peer's chain contains an issuer ca. */
624 ca = sk_X509_delete(in, i);
626 /* If not a trust anchor, record untrusted ca and continue. */
627 if ((matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], ca,
630 if (grow_chain(dane, UNTRUSTED, ca))
632 if (!X509_check_issued(ca, ca) == X509_V_OK)
634 /* Restart with issuer as subject */
638 /* Final self-signed element, skip ta_signed() check. */
644 else if(matched == MATCHED_CERT)
646 if(!wrap_cert(dane, ca, depth))
649 else if(matched == MATCHED_PKEY)
651 if ( !(takey = X509_get_pubkey(ca))
652 || !wrap_issuer(dane, takey, cert, depth, WRAP_MID))
655 EVP_PKEY_free(takey);
657 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
664 /* Shallow free the duplicated input untrusted chain. */
668 * When the loop exits, if "cert" is set, it is not self-signed and has
669 * no issuer in the chain, we check for a possible signature via a DNS
670 * obtained TA cert or public key.
672 if (matched == 0 && cert)
673 matched = ta_signed(dane, cert, depth);
679 check_end_entity(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
683 matched = match(dane->selectors[DANESSL_USAGE_DANE_EE], cert, 0);
691 if ( (ctx->chain = sk_X509_new_null()) != 0
692 && sk_X509_push(ctx->chain, cert))
696 DANEerr(DANESSL_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE);
705 match_name(const char *certid, ssl_dane *dane)
707 int multi = dane->multi;
708 dane_host_list hosts;
710 for (hosts = dane->hosts; hosts; hosts = hosts->next)
712 int match_subdomain = 0;
713 const char *domain = hosts->value;
718 if (*domain == '.' && domain[1] != '\0')
725 * Sub-domain match: certid is any sub-domain of hostname.
729 if ( (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1
730 && certid[idlen - domlen - 1] == '.'
731 && !strcasecmp(certid + (idlen - domlen), domain))
738 * Exact match and initial "*" match. The initial "*" in a certid
739 * matches one (if multi is false) or more hostname components under
740 * the condition that the certid contains multiple hostname components.
742 if ( !strcasecmp(certid, domain)
743 || ( certid[0] == '*' && certid[1] == '.' && certid[2] != 0
744 && (parent = strchr(domain, '.')) != 0
745 && (idlen = strlen(certid + 1)) <= (domlen = strlen(parent))
746 && strcasecmp(multi ? parent + domlen - idlen : parent, certid+1) == 0))
753 check_name(char *name, int len)
755 char *cp = name + len;
757 while (len > 0 && !*--cp)
758 --len; /* Ignore trailing NULs */
761 for (cp = name; *cp; cp++)
764 if (!((c >= 'a' && c <= 'z') ||
765 (c >= '0' && c <= '9') ||
766 (c >= 'A' && c <= 'Z') ||
767 (c == '.' || c == '-') ||
769 return 0; /* Only LDH, '.' and '*' */
771 if (cp - name != len) /* Guard against internal NULs */
777 parse_dns_name(const GENERAL_NAME *gn)
779 if (gn->type != GEN_DNS)
781 if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
783 return check_name((char *) ASN1_STRING_data(gn->d.ia5),
784 ASN1_STRING_length(gn->d.ia5));
788 parse_subject_name(X509 *cert)
790 X509_NAME *name = X509_get_subject_name(cert);
791 X509_NAME_ENTRY *entry;
792 ASN1_STRING *entry_str;
793 unsigned char *namebuf;
794 int nid = NID_commonName;
798 if (!name || (i = X509_NAME_get_index_by_NID(name, nid, -1)) < 0)
800 if (!(entry = X509_NAME_get_entry(name, i)))
802 if (!(entry_str = X509_NAME_ENTRY_get_data(entry)))
805 if ((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0)
807 if (len <= 0 || check_name((char *) namebuf, len) == 0)
809 OPENSSL_free(namebuf);
812 return (char *) namebuf;
816 name_check(ssl_dane *dane, X509 *cert)
819 BOOL got_altname = FALSE;
822 gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
825 int n = sk_GENERAL_NAME_num(gens);
828 for (i = 0; i < n; ++i)
830 const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
833 if (gn->type != GEN_DNS)
836 certid = parse_dns_name(gn);
837 if (certid && *certid)
839 if ((matched = match_name(certid, dane)) == 0)
841 if (!(dane->mhost = OPENSSL_strdup(certid)))
846 GENERAL_NAMES_free(gens);
850 * XXX: Should the subjectName be skipped when *any* altnames are present,
851 * or only when DNS altnames are present?
853 if (got_altname == 0)
855 char *certid = parse_subject_name(cert);
856 if (certid != 0 && *certid
857 && (matched = match_name(certid, dane)) != 0)
858 dane->mhost = OPENSSL_strdup(certid);
860 OPENSSL_free(certid);
866 verify_chain(X509_STORE_CTX *ctx)
868 dane_selector_list issuer_rrs;
869 dane_selector_list leaf_rrs;
870 int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
871 int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
872 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
873 ssl_dane *dane = SSL_get_ex_data(ssl, dane_idx);
874 X509 *cert = ctx->cert; /* XXX: accessor? */
876 int chain_length = sk_X509_num(ctx->chain);
878 DEBUG(D_tls) debug_printf("Dane verify-chain\n");
880 issuer_rrs = dane->selectors[DANESSL_USAGE_PKIX_TA];
881 leaf_rrs = dane->selectors[DANESSL_USAGE_PKIX_EE];
882 ctx->verify = dane->verify;
884 if ((matched = name_check(dane, cert)) < 0)
886 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
892 ctx->error_depth = 0;
893 ctx->current_cert = cert;
894 X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
901 * Satisfy at least one usage 0 or 1 constraint, unless we've already
902 * matched a usage 2 trust anchor.
904 * XXX: internal_verify() doesn't callback with top certs that are not
905 * self-issued. This should be fixed in a future OpenSSL.
907 if (dane->roots && sk_X509_num(dane->roots))
909 X509 *top = sk_X509_value(ctx->chain, dane->depth);
911 dane->mdpth = dane->depth;
915 #ifndef NO_CALLBACK_WORKAROUND
916 if (X509_check_issued(top, top) != X509_V_OK)
918 ctx->error_depth = dane->depth;
919 ctx->current_cert = top;
924 /* Pop synthetic trust-anchor ancestors off the chain! */
925 while (--chain_length > dane->depth)
926 X509_free(sk_X509_pop(ctx->chain));
934 * Check for an EE match, then a CA match at depths > 0, and
935 * finally, if the EE cert is self-issued, for a depth 0 CA match.
938 matched = match(leaf_rrs, xn, 0);
940 if (!matched && issuer_rrs)
941 for (n = chain_length-1; !matched && n >= 0; --n)
943 xn = sk_X509_value(ctx->chain, n);
944 if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
945 matched = match(issuer_rrs, xn, n);
950 ctx->current_cert = cert;
951 ctx->error_depth = 0;
952 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
964 return ctx->verify(ctx);
968 dane_reset(ssl_dane *dane)
973 OPENSSL_free(dane->mhost);
978 sk_X509_pop_free(dane->roots, X509_free);
983 sk_X509_pop_free(dane->chain, X509_free);
988 X509_free(dane->match);
995 verify_cert(X509_STORE_CTX *ctx, void *unused_ctx)
997 static int ssl_idx = -1;
1000 int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
1002 X509 *cert = ctx->cert; /* XXX: accessor? */
1004 DEBUG(D_tls) debug_printf("Dane verify-cert\n");
1007 ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1010 DANEerr(DANESSL_F_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
1014 ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
1015 if (!(dane = SSL_get_ex_data(ssl, dane_idx)) || !cert)
1016 return X509_verify_cert(ctx);
1018 /* Reset for verification of a new chain, perhaps a renegotiation. */
1021 if (dane->selectors[DANESSL_USAGE_DANE_EE])
1023 if ((matched = check_end_entity(ctx, dane, cert)) > 0)
1025 ctx->error_depth = 0;
1026 ctx->current_cert = cert;
1031 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1036 if (dane->selectors[DANESSL_USAGE_DANE_TA])
1038 if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
1040 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1046 * Check that setting the untrusted chain updates the expected
1047 * structure member at the expected offset.
1049 X509_STORE_CTX_trusted_stack(ctx, dane->roots);
1050 X509_STORE_CTX_set_chain(ctx, dane->chain);
1051 OPENSSL_assert(ctx->untrusted == dane->chain);
1056 * Name checks and usage 0/1 constraint enforcement are delayed until
1057 * X509_verify_cert() builds the full chain and calls our verify_chain()
1060 dane->verify = ctx->verify;
1061 ctx->verify = verify_chain;
1063 if (X509_verify_cert(ctx))
1067 * If the chain is invalid, clear any matching cert or hostname, to
1068 * protect callers that might erroneously rely on these alone without
1069 * checking the validation status.
1073 X509_free(dane->match);
1078 OPENSSL_free(dane->mhost);
1085 list_alloc(size_t vsize)
1087 void *value = (void *) OPENSSL_malloc(vsize);
1092 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1095 if (!(l = (dane_list) OPENSSL_malloc(sizeof(*l))))
1097 OPENSSL_free(value);
1098 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1107 list_free(void *list, void (*f)(void *))
1112 for (head = (dane_list) list; head; head = next)
1115 if (f && head->value)
1122 dane_mtype_free(void *p)
1124 list_free(((dane_mtype) p)->data, CRYPTO_free);
1129 dane_selector_free(void *p)
1131 list_free(((dane_selector) p)->mtype, dane_mtype_free);
1139 Tidy up once the connection is finished with.
1142 ssl The ssl connection handle
1144 => Before calling SSL_free()
1145 tls_close() and tls_getc() [the error path] are the obvious places.
1146 Could we do it earlier - right after verification? In tls_client_start()
1147 right after SSL_connect() returns, in that case.
1152 DANESSL_cleanup(SSL *ssl)
1157 DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
1159 if (dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1161 (void) SSL_set_ex_data(ssl, dane_idx, 0);
1165 list_free(dane->hosts, CRYPTO_free);
1166 for (u = 0; u <= DANESSL_USAGE_LAST; ++u)
1167 if (dane->selectors[u])
1168 list_free(dane->selectors[u], dane_selector_free);
1170 list_free(dane->pkeys, pkey_free);
1172 list_free(dane->certs, cert_free);
1176 static dane_host_list
1177 host_list_init(const char **src)
1179 dane_host_list head = NULL;
1183 dane_host_list elem = (dane_host_list) OPENSSL_malloc(sizeof(*elem));
1186 list_free(head, CRYPTO_free);
1189 elem->value = OPENSSL_strdup(*src++);
1190 LINSERT(head, elem);
1197 DANESSL_get_match_cert(SSL *ssl, X509 **match, const char **mhost, int *depth)
1201 if (dane_idx < 0 || (dane = SSL_get_ex_data(ssl, dane_idx)) == 0)
1203 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1210 *match = dane->match;
1212 *mhost = dane->mhost;
1214 *depth = dane->mdpth;
1217 return (dane->match != 0);
1223 DANESSL_verify_chain(SSL *ssl, STACK_OF(X509) *chain)
1227 X509_STORE_CTX store_ctx;
1228 SSL_CTX *ssl_ctx = SSL_get_SSL_CTX(ssl);
1229 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
1230 int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1232 cert = sk_X509_value(chain, 0);
1233 if (!X509_STORE_CTX_init(&store_ctx, store, cert, chain))
1235 X509_STORE_CTX_set_ex_data(&store_ctx, store_ctx_idx, ssl);
1237 X509_STORE_CTX_set_default(&store_ctx,
1238 SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
1239 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&store_ctx),
1240 SSL_get0_param(ssl));
1242 if (SSL_get_verify_callback(ssl))
1243 X509_STORE_CTX_set_verify_cb(&store_ctx, SSL_get_verify_callback(ssl));
1245 ret = verify_cert(&store_ctx, NULL);
1247 SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(&store_ctx));
1248 X509_STORE_CTX_cleanup(&store_ctx);
1259 Call this for each TLSA record found for the target, after the
1260 DANE setup has been done on the ssl connection handle.
1263 ssl Connection handle
1264 usage TLSA record field
1265 selector TLSA record field
1266 mdname ??? message digest name?
1267 data ??? TLSA record megalump?
1277 DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
1278 unsigned const char *data, size_t dlen)
1281 dane_selector_list s = 0;
1282 dane_mtype_list m = 0;
1283 dane_data_list d = 0;
1284 dane_cert_list xlist = 0;
1285 dane_pkey_list klist = 0;
1286 const EVP_MD *md = 0;
1288 DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
1289 usage, selector, mdname);
1291 if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1293 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1297 if (usage > DANESSL_USAGE_LAST)
1299 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_USAGE);
1302 if (selector > DANESSL_SELECTOR_LAST)
1304 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_SELECTOR);
1308 /* Support built-in standard one-digit mtypes */
1309 if (mdname && *mdname && mdname[1] == '\0')
1310 switch (*mdname - '0')
1312 case DANESSL_MATCHING_FULL: mdname = 0; break;
1313 case DANESSL_MATCHING_2256: mdname = "sha256"; break;
1314 case DANESSL_MATCHING_2512: mdname = "sha512"; break;
1316 if (mdname && *mdname && (md = EVP_get_digestbyname(mdname)) == 0)
1318 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST);
1321 if (mdname && *mdname && dlen != EVP_MD_size(md))
1323 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH);
1328 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA);
1333 * Full Certificate or Public Key when NULL or empty digest name
1335 if (!mdname || !*mdname)
1339 const unsigned char *p = data;
1341 #define xklistinit(lvar, ltype, var, freeFunc) do { \
1342 (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
1343 if ((lvar) == 0) { \
1344 DANEerr(DANESSL_F_ADD_TLSA, ERR_R_MALLOC_FAILURE); \
1349 lvar->value = var; \
1351 #define xkfreeret(ret) do { \
1352 if (xlist) list_free(xlist, cert_free); \
1353 if (klist) list_free(klist, pkey_free); \
1359 case DANESSL_SELECTOR_CERT:
1360 if (!d2i_X509(&x, &p, dlen) || dlen != p - data)
1364 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT);
1367 k = X509_get_pubkey(x);
1372 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT_PKEY);
1375 if (usage == DANESSL_USAGE_DANE_TA)
1376 xklistinit(xlist, dane_cert_list, x, X509_free);
1379 case DANESSL_SELECTOR_SPKI:
1380 if (!d2i_PUBKEY(&k, &p, dlen) || dlen != p - data)
1384 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_PKEY);
1387 if (usage == DANESSL_USAGE_DANE_TA)
1388 xklistinit(klist, dane_pkey_list, k, EVP_PKEY_free);
1393 /* Find insertion point and don't add duplicate elements. */
1394 for (s = dane->selectors[usage]; s; s = s->next)
1395 if (s->value->selector == selector)
1397 for (m = s->value->mtype; m; m = m->next)
1398 if (m->value->md == md)
1400 for (d = m->value->data; d; d = d->next)
1401 if ( d->value->datalen == dlen
1402 && memcmp(d->value->data, data, dlen) == 0)
1409 if ((d = (dane_data_list) list_alloc(sizeof(*d->value) + dlen)) == 0)
1411 d->value->datalen = dlen;
1412 memcpy(d->value->data, data, dlen);
1415 if ((m = (dane_mtype_list) list_alloc(sizeof(*m->value))) == 0)
1417 list_free(d, CRYPTO_free);
1421 if ((m->value->md = md) != 0)
1422 m->value->mdlen = dlen;
1425 if ((s = (dane_selector_list) list_alloc(sizeof(*s->value))) == 0)
1427 list_free(m, dane_mtype_free);
1430 s->value->mtype = 0;
1431 s->value->selector = selector;
1432 LINSERT(dane->selectors[usage], s);
1434 LINSERT(s->value->mtype, m);
1436 LINSERT(m->value->data, d);
1439 LINSERT(dane->certs, xlist);
1441 LINSERT(dane->pkeys, klist);
1450 Call this once we have an ssl connection handle but before
1451 making the TLS connection.
1453 => In tls_client_start() after the call to SSL_new()
1454 and before the call to SSL_connect(). Exactly where
1455 probably does not matter.
1456 We probably want to keep our existing SNI handling;
1457 call this with NULL.
1460 ssl Connection handle
1461 sni_domain Optional peer server name
1462 hostnames list of names to chack against peer cert
1471 DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
1476 DEBUG(D_tls) debug_printf("Dane ssl_init\n");
1479 DANEerr(DANESSL_F_INIT, DANESSL_R_LIBRARY_INIT);
1483 if (sni_domain && !SSL_set_tlsext_host_name(ssl, sni_domain))
1486 if ((dane = (ssl_dane *) OPENSSL_malloc(sizeof(ssl_dane))) == 0)
1488 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1491 if (!SSL_set_ex_data(ssl, dane_idx, dane))
1493 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1507 dane->mhost = 0; /* Future SSL control interface */
1508 dane->mdpth = 0; /* Future SSL control interface */
1509 dane->multi = 0; /* Future SSL control interface */
1513 for (i = 0; i <= DANESSL_USAGE_LAST; ++i)
1514 dane->selectors[i] = 0;
1516 if (hostnames && (dane->hosts = host_list_init(hostnames)) == 0)
1518 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1519 DANESSL_cleanup(ssl);
1529 Call this once we have a context to work with, but
1530 before DANESSL_init()
1532 => in tls_client_start(), after tls_init() call gives us the ctx,
1533 if we decide we want to (policy) and can (TLSA records available)
1534 replacing (? what about fallback) everything from testing tls_verify_hosts
1535 down to just before calling SSL_new() for the conn handle.
1546 DANESSL_CTX_init(SSL_CTX *ctx)
1548 DEBUG(D_tls) debug_printf("Dane ctx-init\n");
1551 SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
1554 DANEerr(DANESSL_F_CTX_INIT, DANESSL_R_LIBRARY_INIT);
1559 init_once(volatile int *value, int (*init)(void), void (*postinit)(void))
1563 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
1566 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1567 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1577 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1579 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1587 * Store library id in zeroth function slot, used to locate the library
1588 * name. This must be done before we load the error strings.
1590 #ifndef OPENSSL_NO_ERR
1591 dane_str_functs[0].error |= ERR_PACK(err_lib_dane, 0, 0);
1592 ERR_load_strings(err_lib_dane, dane_str_functs);
1593 ERR_load_strings(err_lib_dane, dane_str_reasons);
1597 * Register SHA-2 digests, if implemented and not already registered.
1599 #if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
1600 if (!EVP_get_digestbyname(LN_sha224)) EVP_add_digest(EVP_sha224());
1601 if (!EVP_get_digestbyname(LN_sha256)) EVP_add_digest(EVP_sha256());
1603 #if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
1604 if (!EVP_get_digestbyname(LN_sha384)) EVP_add_digest(EVP_sha384());
1605 if (!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
1609 * Register an SSL index for the connection-specific ssl_dane structure.
1610 * Using a separate index makes it possible to add DANE support to
1611 * existing OpenSSL releases that don't have a suitable pointer in the
1614 dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
1621 Call this once. Probably early in startup will do; may need
1622 to be after SSL library init.
1624 => put after call to tls_init() for now
1632 DANESSL_library_init(void)
1634 DEBUG(D_tls) debug_printf("Dane lib-init\n");
1635 if (err_lib_dane < 0)
1636 init_once(&err_lib_dane, ERR_get_next_error_library, dane_init);
1638 #if defined(LN_sha256)
1639 /* No DANE without SHA256 support */
1640 if (dane_idx >= 0 && EVP_get_digestbyname(LN_sha256) != 0)
1643 DANEerr(DANESSL_F_LIBRARY_INIT, DANESSL_R_SUPPORT);
1648 #endif /* OPENSSL_VERSION_NUMBER */