int matched = 0;
int chain_length = sk_X509_num(ctx->chain);
+DEBUG(D_tls) debug_printf("Dane verify_chain\n");
+
issuer_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_ISSUER];
leaf_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_LEAF];
ctx->verify = dane->verify;
int matched;
X509 *cert = ctx->cert; /* XXX: accessor? */
+DEBUG(D_tls) debug_printf("Dane verify_cert\n");
+
if(ssl_idx < 0)
ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
if(dane_idx < 0)
OPENSSL_free(p);
}
+
+
+/*
+
+Tidy up once the connection is finished with.
+
+Arguments
+ ssl The ssl connection handle
+
+=> Before calling SSL_free()
+tls_close() and tls_getc() [the error path] are the obvious places.
+Could we do it earlier - right after verification? In tls_client_start()
+right after SSL_connect() returns, in that case.
+
+*/
+
void
DANESSL_cleanup(SSL *ssl)
{
ssl_dane *dane;
int u;
+DEBUG(D_tls) debug_printf("Dane library cleanup fn called\n");
+
if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
return;
(void) SSL_set_ex_data(ssl, dane_idx, 0);
if(dane->chain)
sk_X509_pop_free(dane->chain, X509_free);
OPENSSL_free(dane);
+DEBUG(D_tls) debug_printf("Dane library cleanup fn return\n");
}
static dane_host_list
return head;
}
+
+
+
+/*
+
+Call this for each TLSA record found for the target, after the
+DANE setup has been done on the ssl connection handle.
+
+Arguments:
+ ssl Connection handle
+ usage TLSA record field
+ selector TLSA record field
+ mdname ??? message digest name?
+ data ??? TLSA record megalump?
+ dlen length of data
+
+Return
+ -1 on error
+ 0 action not taken
+ 1 record accepted
+*/
+
int
DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
unsigned const char *data, size_t dlen)
dane_pkey_list klist = 0;
const EVP_MD *md = 0;
+DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
+ usage, selector, mdname);
+
if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
{
DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_DANE_INIT);
return 1;
}
+
+
+
+/*
+Call this once we have an ssl connection handle but before
+making the TLS connection.
+
+=> In tls_client_start() after the call to SSL_new()
+and before the call to SSL_connect(). Exactly where
+probably does not matter.
+We probably want to keep our existing SNI handling;
+call this with NULL.
+
+Arguments:
+ ssl Connection handle
+ sni_domain Optional peer server name
+ hostnames list of names to chack against peer cert
+
+Return
+ -1 on fatal error
+ 0 nonfatal error
+ 1 success
+*/
+
int
DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
{
#ifdef OPENSSL_INTERNAL
SSL_CTX *sctx = SSL_get_SSL_CTX(ssl);
+
if(sctx->app_verify_callback != verify_cert)
{
DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_SCTX_INIT);
return -1;
}
#else
+DEBUG(D_tls) debug_printf("Dane ssl-init\n");
if(dane_idx < 0)
{
DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_LIBRARY_INIT);
return 0;
}
+dane->verify = 0;
+dane->hosts = 0;
+dane->thost = 0;
dane->pkeys = 0;
dane->certs = 0;
dane->chain = 0;
return 1;
}
+
+/*
+
+Call this once we have a context to work with, but
+before DANESSL_init()
+
+=> in tls_client_start(), after tls_init() call gives us the ctx,
+if we decide we want to (policy) and can (TLSA records available)
+replacing (? what about fallback) everything from testing tls_verify_hosts
+down to just before calling SSL_new() for the conn handle.
+
+Arguments
+ ctx SSL context
+
+Return
+ -1 Error
+ 1 Success
+*/
+
int
DANESSL_CTX_init(SSL_CTX *ctx)
{
+DEBUG(D_tls) debug_printf("Dane ctx-init\n");
if(dane_idx >= 0)
{
SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
}
+
+
+/*
+
+Call this once. Probably early in startup will do; may need
+to be after SSL library init.
+
+=> put after call to tls_init() for now
+
+Return
+ 1 Success
+ 0 Fail
+*/
+
int
DANESSL_library_init(void)
{
+DEBUG(D_tls) debug_printf("Dane lib-init\n");
if(err_lib_dane < 0)
init_once(&err_lib_dane, ERR_get_next_error_library, dane_init);
return 0;
}
+
#endif /* OPENSSL_VERSION_NUMBER */
/* vi: aw ai sw=2
*/
git://git.exim.org / exim.git / blobdiff