X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/4c04137d73637107669e02b21f890387aaa2ef34..1fbf41cdf61bc864662c7b766a1db38ae888db20:/src/src/dane-openssl.c diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c index aa4760b94..4ac5747c9 100644 --- a/src/src/dane-openssl.c +++ b/src/src/dane-openssl.c @@ -2,7 +2,7 @@ * Author: Viktor Dukhovni * License: THIS CODE IS IN THE PUBLIC DOMAIN. * - * Copyright (c) The Exim Maintainers 2014 - 2016 + * Copyright (c) The Exim Maintainers 2014 - 2019 */ #include #include @@ -25,28 +25,35 @@ #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) # define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509) #endif -#if OPENSSL_VERSION_NUMBER >= 0x10100000L -# define EXIM_HAVE_ASN1_MACROS -# define EXIM_OPAQUE_X509 -#else -# define X509_STORE_CTX_get_verify(ctx) (ctx)->verify -# define X509_STORE_CTX_get_verify_cb(ctx) (ctx)->verify_cb -# define X509_STORE_CTX_get0_cert(ctx) (ctx)->cert -# define X509_STORE_CTX_get0_chain(ctx) (ctx)->chain -# define X509_STORE_CTX_get0_untrusted(ctx) (ctx)->untrusted - -# define X509_STORE_CTX_set_verify(ctx, verify_chain) (ctx)->verify = (verify_chain) -# define X509_STORE_CTX_set0_verified_chain(ctx, sk) (ctx)->chain = (sk) -# define X509_STORE_CTX_set_error_depth(ctx, val) (ctx)->error_depth = (val) -# define X509_STORE_CTX_set_current_cert(ctx, cert) (ctx)->current_cert = (cert) - -# define ASN1_STRING_get0_data ASN1_STRING_data -# define X509_getm_notBefore X509_get_notBefore -# define X509_getm_notAfter X509_get_notAfter - -# define CRYPTO_ONCE_STATIC_INIT 0 -# define CRYPTO_THREAD_run_once run_once + +#ifdef LIBRESSL_VERSION_NUMBER /* LibreSSL */ +# if LIBRESSL_VERSION_NUMBER >= 0x2090000fL +# define EXIM_HAVE_ASN1_MACROS +# endif +#else /* OpenSSL */ +# if OPENSSL_VERSION_NUMBER >= 0x10100000L +# define EXIM_HAVE_ASN1_MACROS +# define EXIM_OPAQUE_X509 +# else +# define X509_STORE_CTX_get_verify(ctx) (ctx)->verify +# define X509_STORE_CTX_get_verify_cb(ctx) (ctx)->verify_cb +# define X509_STORE_CTX_get0_cert(ctx) (ctx)->cert +# define X509_STORE_CTX_get0_chain(ctx) (ctx)->chain +# define X509_STORE_CTX_get0_untrusted(ctx) (ctx)->untrusted + +# define X509_STORE_CTX_set_verify(ctx, verify_chain) (ctx)->verify = (verify_chain) +# define X509_STORE_CTX_set0_verified_chain(ctx, sk) (ctx)->chain = (sk) +# define X509_STORE_CTX_set_error_depth(ctx, val) (ctx)->error_depth = (val) +# define X509_STORE_CTX_set_current_cert(ctx, cert) (ctx)->current_cert = (cert) + +# define ASN1_STRING_get0_data ASN1_STRING_data +# define X509_getm_notBefore X509_get_notBefore +# define X509_getm_notAfter X509_get_notAfter + +# define CRYPTO_ONCE_STATIC_INIT 0 +# define CRYPTO_THREAD_run_once run_once typedef int CRYPTO_ONCE; +# endif #endif @@ -84,6 +91,7 @@ typedef int CRYPTO_ONCE; #ifndef OPENSSL_NO_ERR #define DANESSL_F_PLACEHOLDER 0 /* FIRST! Value TBD */ static ERR_STRING_DATA dane_str_functs[] = { + /* error string */ {DANESSL_F_PLACEHOLDER, "DANE library"}, /* FIRST!!! */ {DANESSL_F_ADD_SKID, "add_skid"}, {DANESSL_F_ADD_TLSA, "DANESSL_add_tlsa"}, @@ -101,6 +109,7 @@ static ERR_STRING_DATA dane_str_functs[] = { {0, NULL} }; static ERR_STRING_DATA dane_str_reasons[] = { + /* error string */ {DANESSL_R_BAD_CERT, "Bad TLSA record certificate"}, {DANESSL_R_BAD_CERT_PKEY, "Bad TLSA record certificate public key"}, {DANESSL_R_BAD_DATA_LENGTH, "Bad TLSA record digest length"}, @@ -238,7 +247,6 @@ int matched; */ for (matched = 0; !matched && slist; slist = slist->next) { - dane_mtype_list m; unsigned char mdbuf[EVP_MAX_MD_SIZE]; unsigned char *buf = NULL; unsigned char *buf2; @@ -251,12 +259,12 @@ for (matched = 0; !matched && slist; slist = slist->next) { case DANESSL_SELECTOR_CERT: len = i2d_X509(cert, NULL); - buf2 = buf = (unsigned char *) OPENSSL_malloc(len); + buf2 = buf = US OPENSSL_malloc(len); if(buf) i2d_X509(cert, &buf2); break; case DANESSL_SELECTOR_SPKI: len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL); - buf2 = buf = (unsigned char *) OPENSSL_malloc(len); + buf2 = buf = US OPENSSL_malloc(len); if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2); break; } @@ -271,9 +279,8 @@ for (matched = 0; !matched && slist; slist = slist->next) /* * Loop over each mtype and data element */ - for (m = slist->value->mtype; !matched && m; m = m->next) + for (dane_mtype_list m = slist->value->mtype; !matched && m; m = m->next) { - dane_data_list d; unsigned char *cmpbuf = buf; unsigned int cmplen = len; @@ -287,7 +294,7 @@ for (matched = 0; !matched && slist; slist = slist->next) if (!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0)) matched = -1; } - for (d = m->value->data; !matched && d; d = d->next) + for (dane_data_list d = m->value->data; !matched && d; d = d->next) if ( cmplen == d->value->datalen && memcmp(cmpbuf, d->value->data, cmplen) == 0) matched = slist->value->selector + 1; @@ -392,10 +399,9 @@ akid_issuer_name(AUTHORITY_KEYID *akid) { if (akid && akid->issuer) { - int i; GENERAL_NAMES *gens = akid->issuer; - for (i = 0; i < sk_GENERAL_NAME_num(gens); ++i) + for (int i = 0; i < sk_GENERAL_NAME_num(gens); ++i) { GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i); @@ -407,16 +413,16 @@ return 0; } static int -set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid) +set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid, X509_NAME *subj) { X509_NAME *name = akid_issuer_name(akid); /* - * If subject's akid specifies an authority key identifer issuer name, we + * If subject's akid specifies an authority key identifier issuer name, we * must use that. */ return X509_set_issuer_name(cert, - name ? name : X509_get_subject_name(cert)); + name ? name : subj); } static int @@ -498,7 +504,7 @@ akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0); */ if ( !X509_set_version(cert, 2) || !set_serial(cert, akid, subject) - || !set_issuer_name(cert, akid) + || !set_issuer_name(cert, akid, name) || !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L) || !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L) || !X509_set_subject_name(cert, name) @@ -543,8 +549,6 @@ return 0; static int ta_signed(ssl_dane *dane, X509 *cert, int depth) { -dane_cert_list x; -dane_pkey_list k; EVP_PKEY *pk; int done = 0; @@ -555,7 +559,7 @@ int done = 0; * first (name comparisons), before we bother with signature checks * (public key operations). */ -for (x = dane->certs; !done && x; x = x->next) +for (dane_cert_list x = dane->certs; !done && x; x = x->next) { if (X509_check_issued(x->value, cert) == X509_V_OK) { @@ -595,7 +599,7 @@ for (x = dane->certs; !done && x; x = x->next) * This may push errors onto the stack when the certificate signature is * not of the right type or length, throw these away, */ -for (k = dane->pkeys; !done && k; k = k->next) +for (dane_pkey_list k = dane->pkeys; !done && k; k = k->next) if (X509_verify(cert, k->value) > 0) done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1; else @@ -608,8 +612,6 @@ static int set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert) { int matched = 0; -int n; -int i; int depth = 0; EVP_PKEY *takey; X509 *ca; @@ -645,8 +647,9 @@ if (!(in = sk_X509_dup(in))) * * Caller ensures that the initial certificate is not self-signed. */ -for (n = sk_X509_num(in); n > 0; --n, ++depth) +for (int n = sk_X509_num(in); n > 0; --n, ++depth) { + int i; for (i = 0; i < n; ++i) if (X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK) break; @@ -667,7 +670,7 @@ for (n = sk_X509_num(in); n > 0; --n, ++depth) { if (grow_chain(dane, UNTRUSTED, ca)) { - if (!X509_check_issued(ca, ca) == X509_V_OK) + if (X509_check_issued(ca, ca) != X509_V_OK) { /* Restart with issuer as subject */ cert = ca; @@ -747,9 +750,8 @@ static int match_name(const char *certid, ssl_dane *dane) { int multi = dane->multi; -dane_host_list hosts; -for (hosts = dane->hosts; hosts; hosts = hosts->next) +for (dane_host_list hosts = dane->hosts; hosts; hosts = hosts->next) { int match_subdomain = 0; const char *domain = hosts->value; @@ -822,7 +824,7 @@ if (gn->type != GEN_DNS) return 0; if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING) return 0; -return check_name((const char *) ASN1_STRING_get0_data(gn->d.ia5), +return check_name(CCS ASN1_STRING_get0_data(gn->d.ia5), ASN1_STRING_length(gn->d.ia5)); } @@ -846,12 +848,12 @@ if (!(entry_str = X509_NAME_ENTRY_get_data(entry))) if ((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0) return 0; -if (len <= 0 || check_name((char *) namebuf, len) == 0) +if (len <= 0 || check_name(CS namebuf, len) == 0) { OPENSSL_free(namebuf); return 0; } -return (char *) namebuf; +return CS namebuf; } static int @@ -865,9 +867,8 @@ gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0); if (gens) { int n = sk_GENERAL_NAME_num(gens); - int i; - for (i = 0; i < n; ++i) + for (int i = 0; i < n; ++i) { const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i); const char *certid; @@ -1155,10 +1156,9 @@ return l; static void list_free(void *list, void (*f)(void *)) { -dane_list head; dane_list next; -for (head = (dane_list) list; head; head = next) +for (dane_list head = (dane_list) list; head; head = next) { next = head->next; if (f && head->value) @@ -1207,7 +1207,6 @@ void DANESSL_cleanup(SSL *ssl) { ssl_dane *dane; -int u; DEBUG(D_tls) debug_printf("Dane lib-cleanup\n"); @@ -1218,7 +1217,7 @@ if (dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx))) dane_reset(dane); if (dane->hosts) list_free(dane->hosts, ossl_free); -for (u = 0; u <= DANESSL_USAGE_LAST; ++u) +for (int u = 0; u <= DANESSL_USAGE_LAST; ++u) if (dane->selectors[u]) list_free(dane->selectors[u], dane_selector_free); if (dane->pkeys) @@ -1368,38 +1367,38 @@ if (selector > DANESSL_SELECTOR_LAST) return 0; } - /* Support built-in standard one-digit mtypes */ - if (mdname && *mdname && mdname[1] == '\0') - switch (*mdname - '0') - { - case DANESSL_MATCHING_FULL: mdname = 0; break; - case DANESSL_MATCHING_2256: mdname = "sha256"; break; - case DANESSL_MATCHING_2512: mdname = "sha512"; break; - } - if (mdname && *mdname && (md = EVP_get_digestbyname(mdname)) == 0) - { - DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST); - return 0; - } - if (mdname && *mdname && dlen != EVP_MD_size(md)) - { - DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH); - return 0; - } - if (!data) - { - DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA); - return 0; - } +/* Support built-in standard one-digit mtypes */ +if (mdname && *mdname && mdname[1] == '\0') + switch (*mdname - '0') + { + case DANESSL_MATCHING_FULL: mdname = 0; break; + case DANESSL_MATCHING_2256: mdname = "sha256"; break; + case DANESSL_MATCHING_2512: mdname = "sha512"; break; + } +if (mdname && *mdname && !(md = EVP_get_digestbyname(mdname))) + { + DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST); + return 0; + } +if (mdname && *mdname && dlen != EVP_MD_size(md)) + { + DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH); + return 0; + } +if (!data) + { + DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA); + return 0; + } - /* - * Full Certificate or Public Key when NULL or empty digest name - */ - if (!mdname || !*mdname) - { - X509 *x = 0; - EVP_PKEY *k = 0; - const unsigned char *p = data; +/* + * Full Certificate or Public Key when NULL or empty digest name + */ +if (!mdname || !*mdname) + { + X509 *x = 0; + EVP_PKEY *k = 0; + const unsigned char *p = data; #define xklistinit(lvar, ltype, var, freeFunc) do { \ (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \ @@ -1534,7 +1533,6 @@ int DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames) { ssl_dane *dane; -int i; DEBUG(D_tls) debug_printf("Dane ssl_init\n"); if (dane_idx < 0) @@ -1573,7 +1571,7 @@ dane->multi = 0; /* Future SSL control interface */ dane->count = 0; dane->hosts = 0; -for (i = 0; i <= DANESSL_USAGE_LAST; ++i) +for (int i = 0; i <= DANESSL_USAGE_LAST; ++i) dane->selectors[i] = 0; if (hostnames && (dane->hosts = host_list_init(hostnames)) == 0) @@ -1658,7 +1656,7 @@ dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0); } -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) static void run_once(volatile int * once, void (*init)(void)) {