2 * Author: Viktor Dukhovni
3 * License: THIS CODE IS IN THE PUBLIC DOMAIN.
9 #include <openssl/opensslv.h>
10 #include <openssl/err.h>
11 #include <openssl/crypto.h>
12 #include <openssl/safestack.h>
13 #include <openssl/objects.h>
14 #include <openssl/x509.h>
15 #include <openssl/x509v3.h>
16 #include <openssl/evp.h>
17 #include <openssl/bn.h>
19 #if OPENSSL_VERSION_NUMBER < 0x1000000fL
20 # error "OpenSSL 1.0.0 or higher required"
21 #else /* remainder of file */
23 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
24 # define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
29 #define DANESSL_F_ADD_SKID 100
30 #define DANESSL_F_ADD_TLSA 101
31 #define DANESSL_F_CHECK_END_ENTITY 102
32 #define DANESSL_F_CTX_INIT 103
33 #define DANESSL_F_GROW_CHAIN 104
34 #define DANESSL_F_INIT 105
35 #define DANESSL_F_LIBRARY_INIT 106
36 #define DANESSL_F_LIST_ALLOC 107
37 #define DANESSL_F_MATCH 108
38 #define DANESSL_F_PUSH_EXT 109
39 #define DANESSL_F_SET_TRUST_ANCHOR 110
40 #define DANESSL_F_VERIFY_CERT 111
41 #define DANESSL_F_WRAP_CERT 112
43 #define DANESSL_R_BAD_CERT 100
44 #define DANESSL_R_BAD_CERT_PKEY 101
45 #define DANESSL_R_BAD_DATA_LENGTH 102
46 #define DANESSL_R_BAD_DIGEST 103
47 #define DANESSL_R_BAD_NULL_DATA 104
48 #define DANESSL_R_BAD_PKEY 105
49 #define DANESSL_R_BAD_SELECTOR 106
50 #define DANESSL_R_BAD_USAGE 107
51 #define DANESSL_R_INIT 108
52 #define DANESSL_R_LIBRARY_INIT 109
53 #define DANESSL_R_NOSIGN_KEY 110
54 #define DANESSL_R_SCTX_INIT 111
55 #define DANESSL_R_SUPPORT 112
57 #ifndef OPENSSL_NO_ERR
58 #define DANESSL_F_PLACEHOLDER 0 /* FIRST! Value TBD */
59 static ERR_STRING_DATA dane_str_functs[] = {
60 {DANESSL_F_PLACEHOLDER, "DANE library"}, /* FIRST!!! */
61 {DANESSL_F_ADD_SKID, "add_skid"},
62 {DANESSL_F_ADD_TLSA, "DANESSL_add_tlsa"},
63 {DANESSL_F_CHECK_END_ENTITY, "check_end_entity"},
64 {DANESSL_F_CTX_INIT, "DANESSL_CTX_init"},
65 {DANESSL_F_GROW_CHAIN, "grow_chain"},
66 {DANESSL_F_INIT, "DANESSL_init"},
67 {DANESSL_F_LIBRARY_INIT, "DANESSL_library_init"},
68 {DANESSL_F_LIST_ALLOC, "list_alloc"},
69 {DANESSL_F_MATCH, "match"},
70 {DANESSL_F_PUSH_EXT, "push_ext"},
71 {DANESSL_F_SET_TRUST_ANCHOR, "set_trust_anchor"},
72 {DANESSL_F_VERIFY_CERT, "verify_cert"},
73 {DANESSL_F_WRAP_CERT, "wrap_cert"},
76 static ERR_STRING_DATA dane_str_reasons[] = {
77 {DANESSL_R_BAD_CERT, "Bad TLSA record certificate"},
78 {DANESSL_R_BAD_CERT_PKEY, "Bad TLSA record certificate public key"},
79 {DANESSL_R_BAD_DATA_LENGTH, "Bad TLSA record digest length"},
80 {DANESSL_R_BAD_DIGEST, "Bad TLSA record digest"},
81 {DANESSL_R_BAD_NULL_DATA, "Bad TLSA record null data"},
82 {DANESSL_R_BAD_PKEY, "Bad TLSA record public key"},
83 {DANESSL_R_BAD_SELECTOR, "Bad TLSA record selector"},
84 {DANESSL_R_BAD_USAGE, "Bad TLSA record usage"},
85 {DANESSL_R_INIT, "DANESSL_init() required"},
86 {DANESSL_R_LIBRARY_INIT, "DANESSL_library_init() required"},
87 {DANESSL_R_NOSIGN_KEY, "Certificate usage 2 requires EC support"},
88 {DANESSL_R_SCTX_INIT, "DANESSL_CTX_init() required"},
89 {DANESSL_R_SUPPORT, "DANE library features not supported"},
94 #define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
96 static int err_lib_dane = -1;
97 static int dane_idx = -1;
99 #ifdef X509_V_FLAG_PARTIAL_CHAIN /* OpenSSL >= 1.0.2 */
100 static int wrap_to_root = 0;
102 static int wrap_to_root = 1;
105 static void (*cert_free)(void *) = (void (*)(void *)) X509_free;
106 static void (*pkey_free)(void *) = (void (*)(void *)) EVP_PKEY_free;
108 typedef struct dane_list
110 struct dane_list *next;
114 #define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0)
116 typedef struct dane_host_list
118 struct dane_host_list *next;
122 typedef struct dane_data
125 unsigned char data[0];
128 typedef struct dane_data_list
130 struct dane_data_list *next;
134 typedef struct dane_mtype
141 typedef struct dane_mtype_list
143 struct dane_mtype_list *next;
147 typedef struct dane_selector
150 dane_mtype_list mtype;
153 typedef struct dane_selector_list
155 struct dane_selector_list *next;
157 } *dane_selector_list;
159 typedef struct dane_pkey_list
161 struct dane_pkey_list *next;
165 typedef struct dane_cert_list
167 struct dane_cert_list *next;
171 typedef struct ssl_dane
173 int (*verify)(X509_STORE_CTX *);
174 STACK_OF(X509) *roots;
175 STACK_OF(X509) *chain;
176 X509 *match; /* Matched cert */
177 const char *thost; /* TLSA base domain */
178 char *mhost; /* Matched peer name */
179 dane_pkey_list pkeys;
180 dane_cert_list certs;
181 dane_host_list hosts;
182 dane_selector_list selectors[DANESSL_USAGE_LAST + 1];
184 int mdpth; /* Depth of matched cert */
185 int multi; /* Multi-label wildcards? */
186 int count; /* Number of TLSA records */
189 #ifndef X509_V_ERR_HOSTNAME_MISMATCH
190 # define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION
196 match(dane_selector_list slist, X509 *cert, int depth)
201 * Note, set_trust_anchor() needs to know whether the match was for a
202 * pkey digest or a certificate digest. We return MATCHED_PKEY or
203 * MATCHED_CERT accordingly.
205 #define MATCHED_CERT (DANESSL_SELECTOR_CERT + 1)
206 #define MATCHED_PKEY (DANESSL_SELECTOR_SPKI + 1)
209 * Loop over each selector, mtype, and associated data element looking
212 for (matched = 0; !matched && slist; slist = slist->next)
215 unsigned char mdbuf[EVP_MAX_MD_SIZE];
216 unsigned char *buf = NULL;
218 unsigned int len = 0;
221 * Extract ASN.1 DER form of certificate or public key.
223 switch(slist->value->selector)
225 case DANESSL_SELECTOR_CERT:
226 len = i2d_X509(cert, NULL);
227 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
228 if(buf) i2d_X509(cert, &buf2);
230 case DANESSL_SELECTOR_SPKI:
231 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
232 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
233 if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2);
239 DANEerr(DANESSL_F_MATCH, ERR_R_MALLOC_FAILURE);
242 OPENSSL_assert(buf2 - buf == len);
245 * Loop over each mtype and data element
247 for (m = slist->value->mtype; !matched && m; m = m->next)
250 unsigned char *cmpbuf = buf;
251 unsigned int cmplen = len;
254 * If it is a digest, compute the corresponding digest of the
255 * DER data for comparison, otherwise, use the full object.
260 if (!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
263 for (d = m->value->data; !matched && d; d = d->next)
264 if ( cmplen == d->value->datalen
265 && memcmp(cmpbuf, d->value->data, cmplen) == 0)
266 matched = slist->value->selector + 1;
276 push_ext(X509 *cert, X509_EXTENSION *ext)
279 if (X509_add_ext(cert, ext, -1))
281 X509_EXTENSION_free(ext);
283 DANEerr(DANESSL_F_PUSH_EXT, ERR_R_MALLOC_FAILURE);
288 add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
292 X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
293 return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
297 set_serial(X509 *cert, AUTHORITY_KEYID *akid, X509 *subject)
302 if (akid && akid->serial)
303 return (X509_set_serialNumber(cert, akid->serial));
306 * Add one to subject's serial to avoid collisions between TA serial and
307 * serial of signing root.
309 if ( (bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(subject), 0)) != 0
310 && BN_add_word(bn, 1)
311 && BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(cert)))
320 add_akid(X509 *cert, AUTHORITY_KEYID *akid)
322 int nid = NID_authority_key_identifier;
328 * 0 will never be our subject keyid from a SHA-1 hash, but it could be
329 * our subject keyid if forced from child's akid. If so, set our
330 * authority keyid to 1. This way we are never self-signed, and thus
331 * exempt from any potential (off by default for now in OpenSSL)
332 * self-signature checks!
334 id = (akid && akid->keyid) ? akid->keyid : 0;
335 if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_data(id) == c)
338 if ( (akid = AUTHORITY_KEYID_new()) != 0
339 && (akid->keyid = ASN1_OCTET_STRING_new()) != 0
340 && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
341 && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_APPEND))
344 AUTHORITY_KEYID_free(akid);
349 add_skid(X509 *cert, AUTHORITY_KEYID *akid)
351 int nid = NID_subject_key_identifier;
353 if (!akid || !akid->keyid)
354 return add_ext(0, cert, nid, "hash");
355 return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_APPEND) > 0;
359 akid_issuer_name(AUTHORITY_KEYID *akid)
361 if (akid && akid->issuer)
364 GENERAL_NAMES *gens = akid->issuer;
366 for (i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
368 GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
370 if (gn->type == GEN_DIRNAME)
378 set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
380 X509_NAME *name = akid_issuer_name(akid);
383 * If subject's akid specifies an authority key identifer issuer name, we
386 return X509_set_issuer_name(cert,
387 name ? name : X509_get_subject_name(cert));
391 grow_chain(ssl_dane *dane, int trusted, X509 *cert)
393 STACK_OF(X509) **xs = trusted ? &dane->roots : &dane->chain;
394 static ASN1_OBJECT *serverAuth = 0;
399 if ( trusted && !serverAuth
400 && !(serverAuth = OBJ_nid2obj(NID_server_auth)))
402 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
405 if (!*xs && !(*xs = sk_X509_new_null()))
407 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
413 if (trusted && !X509_add1_trust_object(cert, serverAuth))
415 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
416 if (!sk_X509_push(*xs, cert))
419 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
427 wrap_issuer(ssl_dane *dane, EVP_PKEY *key, X509 *subject, int depth, int top)
431 AUTHORITY_KEYID *akid;
432 X509_NAME *name = X509_get_issuer_name(subject);
433 EVP_PKEY *newkey = key ? key : X509_get_pubkey(subject);
435 #define WRAP_MID 0 /* Ensure intermediate. */
436 #define WRAP_TOP 1 /* Ensure self-signed. */
438 if (!name || !newkey || !(cert = X509_new()))
442 * Record the depth of the trust-anchor certificate.
445 dane->depth = depth + 1;
448 * XXX: Uncaught error condition:
450 * The return value is NULL both when the extension is missing, and when
451 * OpenSSL rans out of memory while parsing the extension.
454 akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
455 /* XXX: Should we peek at the error stack here??? */
458 * If top is true generate a self-issued root CA, otherwise an
459 * intermediate CA and possibly its self-signed issuer.
461 * CA cert valid for +/- 30 days
463 if ( !X509_set_version(cert, 2)
464 || !set_serial(cert, akid, subject)
465 || !X509_set_subject_name(cert, name)
466 || !set_issuer_name(cert, akid)
467 || !X509_gmtime_adj(X509_get_notBefore(cert), -30 * 86400L)
468 || !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L)
469 || !X509_set_pubkey(cert, newkey)
470 || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
471 || (!top && !add_akid(cert, akid))
472 || !add_skid(cert, akid)
473 || ( !top && wrap_to_root
474 && !wrap_issuer(dane, newkey, cert, depth, WRAP_TOP)))
478 AUTHORITY_KEYID_free(akid);
480 EVP_PKEY_free(newkey);
482 ret = grow_chain(dane, !top && wrap_to_root ? UNTRUSTED : TRUSTED, cert);
489 wrap_cert(ssl_dane *dane, X509 *tacert, int depth)
492 dane->depth = depth + 1;
495 * If the TA certificate is self-issued, or need not be, use it directly.
496 * Otherwise, synthesize requisuite ancestors.
499 || X509_check_issued(tacert, tacert) == X509_V_OK)
500 return grow_chain(dane, TRUSTED, tacert);
502 if (wrap_issuer(dane, 0, tacert, depth, WRAP_MID))
503 return grow_chain(dane, UNTRUSTED, tacert);
508 ta_signed(ssl_dane *dane, X509 *cert, int depth)
516 * First check whether issued and signed by a TA cert, this is cheaper
517 * than the bare-public key checks below, since we can determine whether
518 * the candidate TA certificate issued the certificate to be checked
519 * first (name comparisons), before we bother with signature checks
520 * (public key operations).
522 for (x = dane->certs; !done && x; x = x->next)
524 if (X509_check_issued(x->value, cert) == X509_V_OK)
526 if (!(pk = X509_get_pubkey(x->value)))
529 * The cert originally contained a valid pkey, which does
530 * not just vanish, so this is most likely a memory error.
535 /* Check signature, since some other TA may work if not this. */
536 if (X509_verify(cert, pk) > 0)
537 done = wrap_cert(dane, x->value, depth) ? 1 : -1;
543 * With bare TA public keys, we can't check whether the trust chain is
544 * issued by the key, but we can determine whether it is signed by the
545 * key, so we go with that.
547 * Ideally, the corresponding certificate was presented in the chain, and we
548 * matched it by its public key digest one level up. This code is here
549 * to handle adverse conditions imposed by sloppy administrators of
550 * receiving systems with poorly constructed chains.
552 * We'd like to optimize out keys that should not match when the cert's
553 * authority key id does not match the key id of this key computed via
554 * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans
555 * ASN1 tag and length thus also excluding the unused bits field that is
556 * logically part of the length). However, some CAs have a non-standard
557 * authority keyid, so we lose. Too bad.
559 * This may push errors onto the stack when the certificate signature is
560 * not of the right type or length, throw these away,
562 for (k = dane->pkeys; !done && k; k = k->next)
563 if (X509_verify(cert, k->value) > 0)
564 done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
572 set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
580 STACK_OF(X509) *in = ctx->untrusted; /* XXX: Accessor? */
582 if (!grow_chain(dane, UNTRUSTED, 0))
586 * Accept a degenerate case: depth 0 self-signed trust-anchor.
588 if (X509_check_issued(cert, cert) == X509_V_OK)
591 matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], cert, 0);
592 if (matched > 0 && !grow_chain(dane, TRUSTED, cert))
597 /* Make a shallow copy of the input untrusted chain. */
598 if (!(in = sk_X509_dup(in)))
600 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
605 * At each iteration we consume the issuer of the current cert. This
606 * reduces the length of the "in" chain by one. If no issuer is found,
607 * we are done. We also stop when a certificate matches a TA in the
610 * Caller ensures that the initial certificate is not self-signed.
612 for (n = sk_X509_num(in); n > 0; --n, ++depth)
614 for (i = 0; i < n; ++i)
615 if (X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
619 * Final untrusted element with no issuer in the peer's chain, it may
620 * however be signed by a pkey or cert obtained via a TLSA RR.
625 /* Peer's chain contains an issuer ca. */
626 ca = sk_X509_delete(in, i);
628 /* If not a trust anchor, record untrusted ca and continue. */
629 if ((matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], ca,
632 if (grow_chain(dane, UNTRUSTED, ca))
634 if (!X509_check_issued(ca, ca) == X509_V_OK)
636 /* Restart with issuer as subject */
640 /* Final self-signed element, skip ta_signed() check. */
646 else if(matched == MATCHED_CERT)
648 if(!wrap_cert(dane, ca, depth))
651 else if(matched == MATCHED_PKEY)
653 if ( !(takey = X509_get_pubkey(ca))
654 || !wrap_issuer(dane, takey, cert, depth, WRAP_MID))
657 EVP_PKEY_free(takey);
659 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
666 /* Shallow free the duplicated input untrusted chain. */
670 * When the loop exits, if "cert" is set, it is not self-signed and has
671 * no issuer in the chain, we check for a possible signature via a DNS
672 * obtained TA cert or public key.
674 if (matched == 0 && cert)
675 matched = ta_signed(dane, cert, depth);
681 check_end_entity(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
685 matched = match(dane->selectors[DANESSL_USAGE_DANE_EE], cert, 0);
693 if ( (ctx->chain = sk_X509_new_null()) != 0
694 && sk_X509_push(ctx->chain, cert))
698 DANEerr(DANESSL_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE);
707 match_name(const char *certid, ssl_dane *dane)
709 int multi = dane->multi;
710 dane_host_list hosts;
712 for (hosts = dane->hosts; hosts; hosts = hosts->next)
714 int match_subdomain = 0;
715 const char *domain = hosts->value;
720 if (*domain == '.' && domain[1] != '\0')
727 * Sub-domain match: certid is any sub-domain of hostname.
731 if ( (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1
732 && certid[idlen - domlen - 1] == '.'
733 && !strcasecmp(certid + (idlen - domlen), domain))
740 * Exact match and initial "*" match. The initial "*" in a certid
741 * matches one (if multi is false) or more hostname components under
742 * the condition that the certid contains multiple hostname components.
744 if ( !strcasecmp(certid, domain)
745 || ( certid[0] == '*' && certid[1] == '.' && certid[2] != 0
746 && (parent = strchr(domain, '.')) != 0
747 && (idlen = strlen(certid + 1)) <= (domlen = strlen(parent))
748 && strcasecmp(multi ? parent + domlen - idlen : parent, certid+1) == 0))
755 check_name(char *name, int len)
757 char *cp = name + len;
759 while (len > 0 && !*--cp)
760 --len; /* Ignore trailing NULs */
763 for (cp = name; *cp; cp++)
766 if (!((c >= 'a' && c <= 'z') ||
767 (c >= '0' && c <= '9') ||
768 (c >= 'A' && c <= 'Z') ||
769 (c == '.' || c == '-') ||
771 return 0; /* Only LDH, '.' and '*' */
773 if (cp - name != len) /* Guard against internal NULs */
779 parse_dns_name(const GENERAL_NAME *gn)
781 if (gn->type != GEN_DNS)
783 if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
785 return check_name((char *) ASN1_STRING_data(gn->d.ia5),
786 ASN1_STRING_length(gn->d.ia5));
790 parse_subject_name(X509 *cert)
792 X509_NAME *name = X509_get_subject_name(cert);
793 X509_NAME_ENTRY *entry;
794 ASN1_STRING *entry_str;
795 unsigned char *namebuf;
796 int nid = NID_commonName;
800 if (!name || (i = X509_NAME_get_index_by_NID(name, nid, -1)) < 0)
802 if (!(entry = X509_NAME_get_entry(name, i)))
804 if (!(entry_str = X509_NAME_ENTRY_get_data(entry)))
807 if ((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0)
809 if (len <= 0 || check_name((char *) namebuf, len) == 0)
811 OPENSSL_free(namebuf);
814 return (char *) namebuf;
818 name_check(ssl_dane *dane, X509 *cert)
821 BOOL got_altname = FALSE;
824 gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
827 int n = sk_GENERAL_NAME_num(gens);
830 for (i = 0; i < n; ++i)
832 const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
835 if (gn->type != GEN_DNS)
838 certid = parse_dns_name(gn);
839 if (certid && *certid)
841 if ((matched = match_name(certid, dane)) == 0)
843 if (!(dane->mhost = OPENSSL_strdup(certid)))
845 DEBUG(D_tls) debug_printf("Dane name_check: matched SAN %s\n", certid);
849 GENERAL_NAMES_free(gens);
853 * XXX: Should the subjectName be skipped when *any* altnames are present,
854 * or only when DNS altnames are present?
858 char *certid = parse_subject_name(cert);
859 if (certid != 0 && *certid && (matched = match_name(certid, dane)) != 0)
861 DEBUG(D_tls) debug_printf("Dane name_check: matched SN %s\n", certid);
862 dane->mhost = OPENSSL_strdup(certid);
865 OPENSSL_free(certid);
871 verify_chain(X509_STORE_CTX *ctx)
873 dane_selector_list issuer_rrs;
874 dane_selector_list leaf_rrs;
875 int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
876 int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
877 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
878 ssl_dane *dane = SSL_get_ex_data(ssl, dane_idx);
879 X509 *cert = ctx->cert; /* XXX: accessor? */
881 int chain_length = sk_X509_num(ctx->chain);
883 DEBUG(D_tls) debug_printf("Dane verify_chain\n");
885 issuer_rrs = dane->selectors[DANESSL_USAGE_PKIX_TA];
886 leaf_rrs = dane->selectors[DANESSL_USAGE_PKIX_EE];
887 ctx->verify = dane->verify;
889 if ((matched = name_check(dane, cert)) < 0)
891 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
897 ctx->error_depth = 0;
898 ctx->current_cert = cert;
899 X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
906 * Satisfy at least one usage 0 or 1 constraint, unless we've already
907 * matched a usage 2 trust anchor.
909 * XXX: internal_verify() doesn't callback with top certs that are not
910 * self-issued. This should be fixed in a future OpenSSL.
912 if (dane->roots && sk_X509_num(dane->roots))
914 X509 *top = sk_X509_value(ctx->chain, dane->depth);
916 dane->mdpth = dane->depth;
920 #ifndef NO_CALLBACK_WORKAROUND
921 if (X509_check_issued(top, top) != X509_V_OK)
923 ctx->error_depth = dane->depth;
924 ctx->current_cert = top;
929 /* Pop synthetic trust-anchor ancestors off the chain! */
930 while (--chain_length > dane->depth)
931 X509_free(sk_X509_pop(ctx->chain));
939 * Check for an EE match, then a CA match at depths > 0, and
940 * finally, if the EE cert is self-issued, for a depth 0 CA match.
943 matched = match(leaf_rrs, xn, 0);
944 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched EE\n");
946 if (!matched && issuer_rrs)
947 for (n = chain_length-1; !matched && n >= 0; --n)
949 xn = sk_X509_value(ctx->chain, n);
950 if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
951 matched = match(issuer_rrs, xn, n);
953 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched %s\n",
954 n>0 ? "CA" : "selfisssued EE");
958 ctx->current_cert = cert;
959 ctx->error_depth = 0;
960 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
972 return ctx->verify(ctx);
976 dane_reset(ssl_dane *dane)
981 OPENSSL_free(dane->mhost);
986 sk_X509_pop_free(dane->roots, X509_free);
991 sk_X509_pop_free(dane->chain, X509_free);
996 X509_free(dane->match);
1003 verify_cert(X509_STORE_CTX *ctx, void *unused_ctx)
1005 static int ssl_idx = -1;
1008 int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
1010 X509 *cert = ctx->cert; /* XXX: accessor? */
1012 DEBUG(D_tls) debug_printf("Dane verify_cert\n");
1015 ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1018 DANEerr(DANESSL_F_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
1022 ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
1023 if (!(dane = SSL_get_ex_data(ssl, dane_idx)) || !cert)
1024 return X509_verify_cert(ctx);
1026 /* Reset for verification of a new chain, perhaps a renegotiation. */
1029 if (dane->selectors[DANESSL_USAGE_DANE_EE])
1031 if ((matched = check_end_entity(ctx, dane, cert)) > 0)
1033 ctx->error_depth = 0;
1034 ctx->current_cert = cert;
1039 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1044 if (dane->selectors[DANESSL_USAGE_DANE_TA])
1046 if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
1048 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1054 * Check that setting the untrusted chain updates the expected
1055 * structure member at the expected offset.
1057 X509_STORE_CTX_trusted_stack(ctx, dane->roots);
1058 X509_STORE_CTX_set_chain(ctx, dane->chain);
1059 OPENSSL_assert(ctx->untrusted == dane->chain);
1064 * Name checks and usage 0/1 constraint enforcement are delayed until
1065 * X509_verify_cert() builds the full chain and calls our verify_chain()
1068 dane->verify = ctx->verify;
1069 ctx->verify = verify_chain;
1071 if (X509_verify_cert(ctx))
1075 * If the chain is invalid, clear any matching cert or hostname, to
1076 * protect callers that might erroneously rely on these alone without
1077 * checking the validation status.
1081 X509_free(dane->match);
1086 OPENSSL_free(dane->mhost);
1093 list_alloc(size_t vsize)
1095 void *value = (void *) OPENSSL_malloc(vsize);
1100 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1103 if (!(l = (dane_list) OPENSSL_malloc(sizeof(*l))))
1105 OPENSSL_free(value);
1106 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1115 list_free(void *list, void (*f)(void *))
1120 for (head = (dane_list) list; head; head = next)
1123 if (f && head->value)
1130 dane_mtype_free(void *p)
1132 list_free(((dane_mtype) p)->data, CRYPTO_free);
1137 dane_selector_free(void *p)
1139 list_free(((dane_selector) p)->mtype, dane_mtype_free);
1147 Tidy up once the connection is finished with.
1150 ssl The ssl connection handle
1152 => Before calling SSL_free()
1153 tls_close() and tls_getc() [the error path] are the obvious places.
1154 Could we do it earlier - right after verification? In tls_client_start()
1155 right after SSL_connect() returns, in that case.
1160 DANESSL_cleanup(SSL *ssl)
1165 DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
1167 if (dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1169 (void) SSL_set_ex_data(ssl, dane_idx, 0);
1173 list_free(dane->hosts, CRYPTO_free);
1174 for (u = 0; u <= DANESSL_USAGE_LAST; ++u)
1175 if (dane->selectors[u])
1176 list_free(dane->selectors[u], dane_selector_free);
1178 list_free(dane->pkeys, pkey_free);
1180 list_free(dane->certs, cert_free);
1184 static dane_host_list
1185 host_list_init(const char **src)
1187 dane_host_list head = NULL;
1191 dane_host_list elem = (dane_host_list) OPENSSL_malloc(sizeof(*elem));
1194 list_free(head, CRYPTO_free);
1197 elem->value = OPENSSL_strdup(*src++);
1198 LINSERT(head, elem);
1205 DANESSL_get_match_cert(SSL *ssl, X509 **match, const char **mhost, int *depth)
1209 if (dane_idx < 0 || (dane = SSL_get_ex_data(ssl, dane_idx)) == 0)
1211 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1218 *match = dane->match;
1220 *mhost = dane->mhost;
1222 *depth = dane->mdpth;
1225 return (dane->match != 0);
1231 DANESSL_verify_chain(SSL *ssl, STACK_OF(X509) *chain)
1235 X509_STORE_CTX store_ctx;
1236 SSL_CTX *ssl_ctx = SSL_get_SSL_CTX(ssl);
1237 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
1238 int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1240 cert = sk_X509_value(chain, 0);
1241 if (!X509_STORE_CTX_init(&store_ctx, store, cert, chain))
1243 X509_STORE_CTX_set_ex_data(&store_ctx, store_ctx_idx, ssl);
1245 X509_STORE_CTX_set_default(&store_ctx,
1246 SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
1247 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&store_ctx),
1248 SSL_get0_param(ssl));
1250 if (SSL_get_verify_callback(ssl))
1251 X509_STORE_CTX_set_verify_cb(&store_ctx, SSL_get_verify_callback(ssl));
1253 ret = verify_cert(&store_ctx, NULL);
1255 SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(&store_ctx));
1256 X509_STORE_CTX_cleanup(&store_ctx);
1267 Call this for each TLSA record found for the target, after the
1268 DANE setup has been done on the ssl connection handle.
1271 ssl Connection handle
1272 usage TLSA record field
1273 selector TLSA record field
1274 mdname ??? message digest name?
1275 data ??? TLSA record megalump?
1285 DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
1286 unsigned const char *data, size_t dlen)
1289 dane_selector_list s = 0;
1290 dane_mtype_list m = 0;
1291 dane_data_list d = 0;
1292 dane_cert_list xlist = 0;
1293 dane_pkey_list klist = 0;
1294 const EVP_MD *md = 0;
1296 DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
1297 usage, selector, mdname);
1299 if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1301 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1305 if (usage > DANESSL_USAGE_LAST)
1307 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_USAGE);
1310 if (selector > DANESSL_SELECTOR_LAST)
1312 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_SELECTOR);
1316 /* Support built-in standard one-digit mtypes */
1317 if (mdname && *mdname && mdname[1] == '\0')
1318 switch (*mdname - '0')
1320 case DANESSL_MATCHING_FULL: mdname = 0; break;
1321 case DANESSL_MATCHING_2256: mdname = "sha256"; break;
1322 case DANESSL_MATCHING_2512: mdname = "sha512"; break;
1324 if (mdname && *mdname && (md = EVP_get_digestbyname(mdname)) == 0)
1326 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST);
1329 if (mdname && *mdname && dlen != EVP_MD_size(md))
1331 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH);
1336 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA);
1341 * Full Certificate or Public Key when NULL or empty digest name
1343 if (!mdname || !*mdname)
1347 const unsigned char *p = data;
1349 #define xklistinit(lvar, ltype, var, freeFunc) do { \
1350 (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
1351 if ((lvar) == 0) { \
1352 DANEerr(DANESSL_F_ADD_TLSA, ERR_R_MALLOC_FAILURE); \
1357 lvar->value = var; \
1359 #define xkfreeret(ret) do { \
1360 if (xlist) list_free(xlist, cert_free); \
1361 if (klist) list_free(klist, pkey_free); \
1367 case DANESSL_SELECTOR_CERT:
1368 if (!d2i_X509(&x, &p, dlen) || dlen != p - data)
1372 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT);
1375 k = X509_get_pubkey(x);
1380 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT_PKEY);
1383 if (usage == DANESSL_USAGE_DANE_TA)
1384 xklistinit(xlist, dane_cert_list, x, X509_free);
1387 case DANESSL_SELECTOR_SPKI:
1388 if (!d2i_PUBKEY(&k, &p, dlen) || dlen != p - data)
1392 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_PKEY);
1395 if (usage == DANESSL_USAGE_DANE_TA)
1396 xklistinit(klist, dane_pkey_list, k, EVP_PKEY_free);
1401 /* Find insertion point and don't add duplicate elements. */
1402 for (s = dane->selectors[usage]; s; s = s->next)
1403 if (s->value->selector == selector)
1405 for (m = s->value->mtype; m; m = m->next)
1406 if (m->value->md == md)
1408 for (d = m->value->data; d; d = d->next)
1409 if ( d->value->datalen == dlen
1410 && memcmp(d->value->data, data, dlen) == 0)
1417 if ((d = (dane_data_list) list_alloc(sizeof(*d->value) + dlen)) == 0)
1419 d->value->datalen = dlen;
1420 memcpy(d->value->data, data, dlen);
1423 if ((m = (dane_mtype_list) list_alloc(sizeof(*m->value))) == 0)
1425 list_free(d, CRYPTO_free);
1429 if ((m->value->md = md) != 0)
1430 m->value->mdlen = dlen;
1433 if ((s = (dane_selector_list) list_alloc(sizeof(*s->value))) == 0)
1435 list_free(m, dane_mtype_free);
1438 s->value->mtype = 0;
1439 s->value->selector = selector;
1440 LINSERT(dane->selectors[usage], s);
1442 LINSERT(s->value->mtype, m);
1444 LINSERT(m->value->data, d);
1447 LINSERT(dane->certs, xlist);
1449 LINSERT(dane->pkeys, klist);
1458 Call this once we have an ssl connection handle but before
1459 making the TLS connection.
1461 => In tls_client_start() after the call to SSL_new()
1462 and before the call to SSL_connect(). Exactly where
1463 probably does not matter.
1464 We probably want to keep our existing SNI handling;
1465 call this with NULL.
1468 ssl Connection handle
1469 sni_domain Optional peer server name
1470 hostnames list of names to chack against peer cert
1479 DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
1484 DEBUG(D_tls) debug_printf("Dane ssl_init\n");
1487 DANEerr(DANESSL_F_INIT, DANESSL_R_LIBRARY_INIT);
1491 if (sni_domain && !SSL_set_tlsext_host_name(ssl, sni_domain))
1494 if ((dane = (ssl_dane *) OPENSSL_malloc(sizeof(ssl_dane))) == 0)
1496 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1499 if (!SSL_set_ex_data(ssl, dane_idx, dane))
1501 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1515 dane->mhost = 0; /* Future SSL control interface */
1516 dane->mdpth = 0; /* Future SSL control interface */
1517 dane->multi = 0; /* Future SSL control interface */
1521 for (i = 0; i <= DANESSL_USAGE_LAST; ++i)
1522 dane->selectors[i] = 0;
1524 if (hostnames && (dane->hosts = host_list_init(hostnames)) == 0)
1526 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1527 DANESSL_cleanup(ssl);
1537 Call this once we have a context to work with, but
1538 before DANESSL_init()
1540 => in tls_client_start(), after tls_init() call gives us the ctx,
1541 if we decide we want to (policy) and can (TLSA records available)
1542 replacing (? what about fallback) everything from testing tls_verify_hosts
1543 down to just before calling SSL_new() for the conn handle.
1554 DANESSL_CTX_init(SSL_CTX *ctx)
1556 DEBUG(D_tls) debug_printf("Dane ctx-init\n");
1559 SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
1562 DANEerr(DANESSL_F_CTX_INIT, DANESSL_R_LIBRARY_INIT);
1567 init_once(volatile int *value, int (*init)(void), void (*postinit)(void))
1571 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
1574 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1575 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1585 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1587 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1595 * Store library id in zeroth function slot, used to locate the library
1596 * name. This must be done before we load the error strings.
1598 #ifndef OPENSSL_NO_ERR
1599 dane_str_functs[0].error |= ERR_PACK(err_lib_dane, 0, 0);
1600 ERR_load_strings(err_lib_dane, dane_str_functs);
1601 ERR_load_strings(err_lib_dane, dane_str_reasons);
1605 * Register SHA-2 digests, if implemented and not already registered.
1607 #if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
1608 if (!EVP_get_digestbyname(LN_sha224)) EVP_add_digest(EVP_sha224());
1609 if (!EVP_get_digestbyname(LN_sha256)) EVP_add_digest(EVP_sha256());
1611 #if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
1612 if (!EVP_get_digestbyname(LN_sha384)) EVP_add_digest(EVP_sha384());
1613 if (!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
1617 * Register an SSL index for the connection-specific ssl_dane structure.
1618 * Using a separate index makes it possible to add DANE support to
1619 * existing OpenSSL releases that don't have a suitable pointer in the
1622 dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
1629 Call this once. Probably early in startup will do; may need
1630 to be after SSL library init.
1632 => put after call to tls_init() for now
1640 DANESSL_library_init(void)
1642 DEBUG(D_tls) debug_printf("Dane lib-init\n");
1643 if (err_lib_dane < 0)
1644 init_once(&err_lib_dane, ERR_get_next_error_library, dane_init);
1646 #if defined(LN_sha256)
1647 /* No DANE without SHA256 support */
1648 if (dane_idx >= 0 && EVP_get_digestbyname(LN_sha256) != 0)
1651 DANEerr(DANESSL_F_LIBRARY_INIT, DANESSL_R_SUPPORT);
1656 #endif /* OPENSSL_VERSION_NUMBER */