2 * Author: Viktor Dukhovni
3 * License: THIS CODE IS IN THE PUBLIC DOMAIN.
5 * Copyright (c) The Exim Maintainers 2014 - 2016
11 #include <openssl/opensslv.h>
12 #include <openssl/err.h>
13 #include <openssl/crypto.h>
14 #include <openssl/safestack.h>
15 #include <openssl/objects.h>
16 #include <openssl/x509.h>
17 #include <openssl/x509v3.h>
18 #include <openssl/evp.h>
19 #include <openssl/bn.h>
21 #if OPENSSL_VERSION_NUMBER < 0x1000000fL
22 # error "OpenSSL 1.0.0 or higher required"
23 #else /* remainder of file */
25 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
26 # define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
28 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
29 # define EXIM_HAVE_ASN1_MACROS
30 # define EXIM_OPAQUE_X509
32 # define X509_STORE_CTX_get_verify(ctx) (ctx)->verify
33 # define X509_STORE_CTX_get_verify_cb(ctx) (ctx)->verify_cb
34 # define X509_STORE_CTX_get0_cert(ctx) (ctx)->cert
35 # define X509_STORE_CTX_get0_chain(ctx) (ctx)->chain
36 # define X509_STORE_CTX_get0_untrusted(ctx) (ctx)->untrusted
38 # define X509_STORE_CTX_set_verify(ctx, verify_chain) (ctx)->verify = (verify_chain)
39 # define X509_STORE_CTX_set0_verified_chain(ctx, sk) (ctx)->chain = (sk)
40 # define X509_STORE_CTX_set_error_depth(ctx, val) (ctx)->error_depth = (val)
41 # define X509_STORE_CTX_set_current_cert(ctx, cert) (ctx)->current_cert = (cert)
47 #define DANESSL_F_ADD_SKID 100
48 #define DANESSL_F_ADD_TLSA 101
49 #define DANESSL_F_CHECK_END_ENTITY 102
50 #define DANESSL_F_CTX_INIT 103
51 #define DANESSL_F_GROW_CHAIN 104
52 #define DANESSL_F_INIT 105
53 #define DANESSL_F_LIBRARY_INIT 106
54 #define DANESSL_F_LIST_ALLOC 107
55 #define DANESSL_F_MATCH 108
56 #define DANESSL_F_PUSH_EXT 109
57 #define DANESSL_F_SET_TRUST_ANCHOR 110
58 #define DANESSL_F_VERIFY_CERT 111
59 #define DANESSL_F_WRAP_CERT 112
61 #define DANESSL_R_BAD_CERT 100
62 #define DANESSL_R_BAD_CERT_PKEY 101
63 #define DANESSL_R_BAD_DATA_LENGTH 102
64 #define DANESSL_R_BAD_DIGEST 103
65 #define DANESSL_R_BAD_NULL_DATA 104
66 #define DANESSL_R_BAD_PKEY 105
67 #define DANESSL_R_BAD_SELECTOR 106
68 #define DANESSL_R_BAD_USAGE 107
69 #define DANESSL_R_INIT 108
70 #define DANESSL_R_LIBRARY_INIT 109
71 #define DANESSL_R_NOSIGN_KEY 110
72 #define DANESSL_R_SCTX_INIT 111
73 #define DANESSL_R_SUPPORT 112
75 #ifndef OPENSSL_NO_ERR
76 #define DANESSL_F_PLACEHOLDER 0 /* FIRST! Value TBD */
77 static ERR_STRING_DATA dane_str_functs[] = {
78 {DANESSL_F_PLACEHOLDER, "DANE library"}, /* FIRST!!! */
79 {DANESSL_F_ADD_SKID, "add_skid"},
80 {DANESSL_F_ADD_TLSA, "DANESSL_add_tlsa"},
81 {DANESSL_F_CHECK_END_ENTITY, "check_end_entity"},
82 {DANESSL_F_CTX_INIT, "DANESSL_CTX_init"},
83 {DANESSL_F_GROW_CHAIN, "grow_chain"},
84 {DANESSL_F_INIT, "DANESSL_init"},
85 {DANESSL_F_LIBRARY_INIT, "DANESSL_library_init"},
86 {DANESSL_F_LIST_ALLOC, "list_alloc"},
87 {DANESSL_F_MATCH, "match"},
88 {DANESSL_F_PUSH_EXT, "push_ext"},
89 {DANESSL_F_SET_TRUST_ANCHOR, "set_trust_anchor"},
90 {DANESSL_F_VERIFY_CERT, "verify_cert"},
91 {DANESSL_F_WRAP_CERT, "wrap_cert"},
94 static ERR_STRING_DATA dane_str_reasons[] = {
95 {DANESSL_R_BAD_CERT, "Bad TLSA record certificate"},
96 {DANESSL_R_BAD_CERT_PKEY, "Bad TLSA record certificate public key"},
97 {DANESSL_R_BAD_DATA_LENGTH, "Bad TLSA record digest length"},
98 {DANESSL_R_BAD_DIGEST, "Bad TLSA record digest"},
99 {DANESSL_R_BAD_NULL_DATA, "Bad TLSA record null data"},
100 {DANESSL_R_BAD_PKEY, "Bad TLSA record public key"},
101 {DANESSL_R_BAD_SELECTOR, "Bad TLSA record selector"},
102 {DANESSL_R_BAD_USAGE, "Bad TLSA record usage"},
103 {DANESSL_R_INIT, "DANESSL_init() required"},
104 {DANESSL_R_LIBRARY_INIT, "DANESSL_library_init() required"},
105 {DANESSL_R_NOSIGN_KEY, "Certificate usage 2 requires EC support"},
106 {DANESSL_R_SCTX_INIT, "DANESSL_CTX_init() required"},
107 {DANESSL_R_SUPPORT, "DANE library features not supported"},
112 #define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
114 static int err_lib_dane = -1;
115 static int dane_idx = -1;
117 #ifdef X509_V_FLAG_PARTIAL_CHAIN /* OpenSSL >= 1.0.2 */
118 static int wrap_to_root = 0;
120 static int wrap_to_root = 1;
123 static void (*cert_free)(void *) = (void (*)(void *)) X509_free;
124 static void (*pkey_free)(void *) = (void (*)(void *)) EVP_PKEY_free;
126 typedef struct dane_list
128 struct dane_list *next;
132 #define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0)
134 typedef struct dane_host_list
136 struct dane_host_list *next;
140 typedef struct dane_data
143 unsigned char data[0];
146 typedef struct dane_data_list
148 struct dane_data_list *next;
152 typedef struct dane_mtype
159 typedef struct dane_mtype_list
161 struct dane_mtype_list *next;
165 typedef struct dane_selector
168 dane_mtype_list mtype;
171 typedef struct dane_selector_list
173 struct dane_selector_list *next;
175 } *dane_selector_list;
177 typedef struct dane_pkey_list
179 struct dane_pkey_list *next;
183 typedef struct dane_cert_list
185 struct dane_cert_list *next;
189 typedef struct ssl_dane
191 int (*verify)(X509_STORE_CTX *);
192 STACK_OF(X509) *roots;
193 STACK_OF(X509) *chain;
194 X509 *match; /* Matched cert */
195 const char *thost; /* TLSA base domain */
196 char *mhost; /* Matched peer name */
197 dane_pkey_list pkeys;
198 dane_cert_list certs;
199 dane_host_list hosts;
200 dane_selector_list selectors[DANESSL_USAGE_LAST + 1];
202 int mdpth; /* Depth of matched cert */
203 int multi; /* Multi-label wildcards? */
204 int count; /* Number of TLSA records */
207 #ifndef X509_V_ERR_HOSTNAME_MISMATCH
208 # define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION
214 match(dane_selector_list slist, X509 *cert, int depth)
219 * Note, set_trust_anchor() needs to know whether the match was for a
220 * pkey digest or a certificate digest. We return MATCHED_PKEY or
221 * MATCHED_CERT accordingly.
223 #define MATCHED_CERT (DANESSL_SELECTOR_CERT + 1)
224 #define MATCHED_PKEY (DANESSL_SELECTOR_SPKI + 1)
227 * Loop over each selector, mtype, and associated data element looking
230 for (matched = 0; !matched && slist; slist = slist->next)
233 unsigned char mdbuf[EVP_MAX_MD_SIZE];
234 unsigned char *buf = NULL;
236 unsigned int len = 0;
239 * Extract ASN.1 DER form of certificate or public key.
241 switch(slist->value->selector)
243 case DANESSL_SELECTOR_CERT:
244 len = i2d_X509(cert, NULL);
245 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
246 if(buf) i2d_X509(cert, &buf2);
248 case DANESSL_SELECTOR_SPKI:
249 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
250 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
251 if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2);
257 DANEerr(DANESSL_F_MATCH, ERR_R_MALLOC_FAILURE);
260 OPENSSL_assert(buf2 - buf == len);
263 * Loop over each mtype and data element
265 for (m = slist->value->mtype; !matched && m; m = m->next)
268 unsigned char *cmpbuf = buf;
269 unsigned int cmplen = len;
272 * If it is a digest, compute the corresponding digest of the
273 * DER data for comparison, otherwise, use the full object.
278 if (!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
281 for (d = m->value->data; !matched && d; d = d->next)
282 if ( cmplen == d->value->datalen
283 && memcmp(cmpbuf, d->value->data, cmplen) == 0)
284 matched = slist->value->selector + 1;
294 push_ext(X509 *cert, X509_EXTENSION *ext)
297 if (X509_add_ext(cert, ext, -1))
299 X509_EXTENSION_free(ext);
301 DANEerr(DANESSL_F_PUSH_EXT, ERR_R_MALLOC_FAILURE);
306 add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
310 X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
311 return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
315 set_serial(X509 *cert, AUTHORITY_KEYID *akid, X509 *subject)
320 if (akid && akid->serial)
321 return (X509_set_serialNumber(cert, akid->serial));
324 * Add one to subject's serial to avoid collisions between TA serial and
325 * serial of signing root.
327 if ( (bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(subject), 0)) != 0
328 && BN_add_word(bn, 1)
329 && BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(cert)))
338 add_akid(X509 *cert, AUTHORITY_KEYID *akid)
340 int nid = NID_authority_key_identifier;
346 * 0 will never be our subject keyid from a SHA-1 hash, but it could be
347 * our subject keyid if forced from child's akid. If so, set our
348 * authority keyid to 1. This way we are never self-signed, and thus
349 * exempt from any potential (off by default for now in OpenSSL)
350 * self-signature checks!
352 id = (akid && akid->keyid) ? akid->keyid : 0;
353 if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_data(id) == c)
356 if ( (akid = AUTHORITY_KEYID_new()) != 0
357 && (akid->keyid = ASN1_OCTET_STRING_new()) != 0
358 #ifdef EXIM_HAVE_ASN1_MACROS
359 && ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
361 && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
363 && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_APPEND))
366 AUTHORITY_KEYID_free(akid);
371 add_skid(X509 *cert, AUTHORITY_KEYID *akid)
373 int nid = NID_subject_key_identifier;
375 if (!akid || !akid->keyid)
376 return add_ext(0, cert, nid, "hash");
377 return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_APPEND) > 0;
381 akid_issuer_name(AUTHORITY_KEYID *akid)
383 if (akid && akid->issuer)
386 GENERAL_NAMES *gens = akid->issuer;
388 for (i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
390 GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
392 if (gn->type == GEN_DIRNAME)
400 set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
402 X509_NAME *name = akid_issuer_name(akid);
405 * If subject's akid specifies an authority key identifer issuer name, we
408 return X509_set_issuer_name(cert,
409 name ? name : X509_get_subject_name(cert));
413 grow_chain(ssl_dane *dane, int trusted, X509 *cert)
415 STACK_OF(X509) **xs = trusted ? &dane->roots : &dane->chain;
416 static ASN1_OBJECT *serverAuth = 0;
421 if ( trusted && !serverAuth
422 && !(serverAuth = OBJ_nid2obj(NID_server_auth)))
424 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
427 if (!*xs && !(*xs = sk_X509_new_null()))
429 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
435 if (trusted && !X509_add1_trust_object(cert, serverAuth))
437 #ifdef EXIM_OPAQUE_X509
440 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
442 if (!sk_X509_push(*xs, cert))
445 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
453 wrap_issuer(ssl_dane *dane, EVP_PKEY *key, X509 *subject, int depth, int top)
457 AUTHORITY_KEYID *akid;
458 X509_NAME *name = X509_get_issuer_name(subject);
459 EVP_PKEY *newkey = key ? key : X509_get_pubkey(subject);
461 #define WRAP_MID 0 /* Ensure intermediate. */
462 #define WRAP_TOP 1 /* Ensure self-signed. */
464 if (!name || !newkey || !(cert = X509_new()))
468 * Record the depth of the trust-anchor certificate.
471 dane->depth = depth + 1;
474 * XXX: Uncaught error condition:
476 * The return value is NULL both when the extension is missing, and when
477 * OpenSSL rans out of memory while parsing the extension.
480 akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
481 /* XXX: Should we peek at the error stack here??? */
484 * If top is true generate a self-issued root CA, otherwise an
485 * intermediate CA and possibly its self-signed issuer.
487 * CA cert valid for +/- 30 days
489 if ( !X509_set_version(cert, 2)
490 || !set_serial(cert, akid, subject)
491 || !X509_set_subject_name(cert, name)
492 || !set_issuer_name(cert, akid)
493 || !X509_gmtime_adj(X509_get_notBefore(cert), -30 * 86400L)
494 || !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L)
495 || !X509_set_pubkey(cert, newkey)
496 || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
497 || (!top && !add_akid(cert, akid))
498 || !add_skid(cert, akid)
499 || ( !top && wrap_to_root
500 && !wrap_issuer(dane, newkey, cert, depth, WRAP_TOP)))
504 AUTHORITY_KEYID_free(akid);
506 EVP_PKEY_free(newkey);
508 ret = grow_chain(dane, !top && wrap_to_root ? UNTRUSTED : TRUSTED, cert);
515 wrap_cert(ssl_dane *dane, X509 *tacert, int depth)
518 dane->depth = depth + 1;
521 * If the TA certificate is self-issued, or need not be, use it directly.
522 * Otherwise, synthesize requisuite ancestors.
525 || X509_check_issued(tacert, tacert) == X509_V_OK)
526 return grow_chain(dane, TRUSTED, tacert);
528 if (wrap_issuer(dane, 0, tacert, depth, WRAP_MID))
529 return grow_chain(dane, UNTRUSTED, tacert);
534 ta_signed(ssl_dane *dane, X509 *cert, int depth)
542 * First check whether issued and signed by a TA cert, this is cheaper
543 * than the bare-public key checks below, since we can determine whether
544 * the candidate TA certificate issued the certificate to be checked
545 * first (name comparisons), before we bother with signature checks
546 * (public key operations).
548 for (x = dane->certs; !done && x; x = x->next)
550 if (X509_check_issued(x->value, cert) == X509_V_OK)
552 if (!(pk = X509_get_pubkey(x->value)))
555 * The cert originally contained a valid pkey, which does
556 * not just vanish, so this is most likely a memory error.
561 /* Check signature, since some other TA may work if not this. */
562 if (X509_verify(cert, pk) > 0)
563 done = wrap_cert(dane, x->value, depth) ? 1 : -1;
569 * With bare TA public keys, we can't check whether the trust chain is
570 * issued by the key, but we can determine whether it is signed by the
571 * key, so we go with that.
573 * Ideally, the corresponding certificate was presented in the chain, and we
574 * matched it by its public key digest one level up. This code is here
575 * to handle adverse conditions imposed by sloppy administrators of
576 * receiving systems with poorly constructed chains.
578 * We'd like to optimize out keys that should not match when the cert's
579 * authority key id does not match the key id of this key computed via
580 * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans
581 * ASN1 tag and length thus also excluding the unused bits field that is
582 * logically part of the length). However, some CAs have a non-standard
583 * authority keyid, so we lose. Too bad.
585 * This may push errors onto the stack when the certificate signature is
586 * not of the right type or length, throw these away,
588 for (k = dane->pkeys; !done && k; k = k->next)
589 if (X509_verify(cert, k->value) > 0)
590 done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
598 set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
606 STACK_OF(X509) *in = X509_STORE_CTX_get0_untrusted(ctx);
608 if (!grow_chain(dane, UNTRUSTED, 0))
612 * Accept a degenerate case: depth 0 self-signed trust-anchor.
614 if (X509_check_issued(cert, cert) == X509_V_OK)
617 matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], cert, 0);
618 if (matched > 0 && !grow_chain(dane, TRUSTED, cert))
623 /* Make a shallow copy of the input untrusted chain. */
624 if (!(in = sk_X509_dup(in)))
626 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
631 * At each iteration we consume the issuer of the current cert. This
632 * reduces the length of the "in" chain by one. If no issuer is found,
633 * we are done. We also stop when a certificate matches a TA in the
636 * Caller ensures that the initial certificate is not self-signed.
638 for (n = sk_X509_num(in); n > 0; --n, ++depth)
640 for (i = 0; i < n; ++i)
641 if (X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
645 * Final untrusted element with no issuer in the peer's chain, it may
646 * however be signed by a pkey or cert obtained via a TLSA RR.
651 /* Peer's chain contains an issuer ca. */
652 ca = sk_X509_delete(in, i);
654 /* If not a trust anchor, record untrusted ca and continue. */
655 if ((matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], ca,
658 if (grow_chain(dane, UNTRUSTED, ca))
660 if (!X509_check_issued(ca, ca) == X509_V_OK)
662 /* Restart with issuer as subject */
666 /* Final self-signed element, skip ta_signed() check. */
672 else if(matched == MATCHED_CERT)
674 if(!wrap_cert(dane, ca, depth))
677 else if(matched == MATCHED_PKEY)
679 if ( !(takey = X509_get_pubkey(ca))
680 || !wrap_issuer(dane, takey, cert, depth, WRAP_MID))
683 EVP_PKEY_free(takey);
685 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
692 /* Shallow free the duplicated input untrusted chain. */
696 * When the loop exits, if "cert" is set, it is not self-signed and has
697 * no issuer in the chain, we check for a possible signature via a DNS
698 * obtained TA cert or public key.
700 if (matched == 0 && cert)
701 matched = ta_signed(dane, cert, depth);
707 check_end_entity(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
711 matched = match(dane->selectors[DANESSL_USAGE_DANE_EE], cert, 0);
717 if(!X509_STORE_CTX_get0_chain(ctx))
719 STACK_OF(X509) * sk = sk_X509_new_null();
720 if (sk && sk_X509_push(sk, cert))
722 X509_STORE_CTX_set0_verified_chain(ctx, sk);
727 DANEerr(DANESSL_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE);
736 match_name(const char *certid, ssl_dane *dane)
738 int multi = dane->multi;
739 dane_host_list hosts;
741 for (hosts = dane->hosts; hosts; hosts = hosts->next)
743 int match_subdomain = 0;
744 const char *domain = hosts->value;
749 if (*domain == '.' && domain[1] != '\0')
756 * Sub-domain match: certid is any sub-domain of hostname.
760 if ( (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1
761 && certid[idlen - domlen - 1] == '.'
762 && !strcasecmp(certid + (idlen - domlen), domain))
769 * Exact match and initial "*" match. The initial "*" in a certid
770 * matches one (if multi is false) or more hostname components under
771 * the condition that the certid contains multiple hostname components.
773 if ( !strcasecmp(certid, domain)
774 || ( certid[0] == '*' && certid[1] == '.' && certid[2] != 0
775 && (parent = strchr(domain, '.')) != 0
776 && (idlen = strlen(certid + 1)) <= (domlen = strlen(parent))
777 && strcasecmp(multi ? parent + domlen - idlen : parent, certid+1) == 0))
784 check_name(char *name, int len)
786 char *cp = name + len;
788 while (len > 0 && !*--cp)
789 --len; /* Ignore trailing NULs */
792 for (cp = name; *cp; cp++)
795 if (!((c >= 'a' && c <= 'z') ||
796 (c >= '0' && c <= '9') ||
797 (c >= 'A' && c <= 'Z') ||
798 (c == '.' || c == '-') ||
800 return 0; /* Only LDH, '.' and '*' */
802 if (cp - name != len) /* Guard against internal NULs */
808 parse_dns_name(const GENERAL_NAME *gn)
810 if (gn->type != GEN_DNS)
812 if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
814 return check_name((char *) ASN1_STRING_data(gn->d.ia5),
815 ASN1_STRING_length(gn->d.ia5));
819 parse_subject_name(X509 *cert)
821 X509_NAME *name = X509_get_subject_name(cert);
822 X509_NAME_ENTRY *entry;
823 ASN1_STRING *entry_str;
824 unsigned char *namebuf;
825 int nid = NID_commonName;
829 if (!name || (i = X509_NAME_get_index_by_NID(name, nid, -1)) < 0)
831 if (!(entry = X509_NAME_get_entry(name, i)))
833 if (!(entry_str = X509_NAME_ENTRY_get_data(entry)))
836 if ((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0)
838 if (len <= 0 || check_name((char *) namebuf, len) == 0)
840 OPENSSL_free(namebuf);
843 return (char *) namebuf;
847 name_check(ssl_dane *dane, X509 *cert)
850 BOOL got_altname = FALSE;
853 gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
856 int n = sk_GENERAL_NAME_num(gens);
859 for (i = 0; i < n; ++i)
861 const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
864 if (gn->type != GEN_DNS)
867 certid = parse_dns_name(gn);
868 if (certid && *certid)
870 if ((matched = match_name(certid, dane)) == 0)
872 if (!(dane->mhost = OPENSSL_strdup(certid)))
874 DEBUG(D_tls) debug_printf("Dane name_check: matched SAN %s\n", certid);
878 GENERAL_NAMES_free(gens);
882 * XXX: Should the subjectName be skipped when *any* altnames are present,
883 * or only when DNS altnames are present?
887 char *certid = parse_subject_name(cert);
888 if (certid != 0 && *certid && (matched = match_name(certid, dane)) != 0)
890 DEBUG(D_tls) debug_printf("Dane name_check: matched SN %s\n", certid);
891 dane->mhost = OPENSSL_strdup(certid);
894 OPENSSL_free(certid);
900 verify_chain(X509_STORE_CTX *ctx)
902 int (*cb)(int, X509_STORE_CTX *) = X509_STORE_CTX_get_verify_cb(ctx);
903 X509 *cert = X509_STORE_CTX_get0_cert(ctx);
904 int chain_length = sk_X509_num(X509_STORE_CTX_get0_chain(ctx));
905 int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
906 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
907 ssl_dane *dane = SSL_get_ex_data(ssl, dane_idx);
908 dane_selector_list issuer_rrs = dane->selectors[DANESSL_USAGE_PKIX_TA];
909 dane_selector_list leaf_rrs = dane->selectors[DANESSL_USAGE_PKIX_EE];
912 DEBUG(D_tls) debug_printf("Dane verify_chain\n");
914 X509_STORE_CTX_set_verify(ctx, dane->verify);
916 if ((matched = name_check(dane, cert)) < 0)
918 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
924 X509_STORE_CTX_set_error_depth(ctx, 0);
925 X509_STORE_CTX_set_current_cert(ctx, cert);
926 X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
933 * Satisfy at least one usage 0 or 1 constraint, unless we've already
934 * matched a usage 2 trust anchor.
936 * XXX: internal_verify() doesn't callback with top certs that are not
937 * self-issued. This should be fixed in a future OpenSSL.
939 if (dane->roots && sk_X509_num(dane->roots))
941 X509 *top = sk_X509_value(X509_STORE_CTX_get0_chain(ctx), dane->depth);
943 dane->mdpth = dane->depth;
947 #ifndef NO_CALLBACK_WORKAROUND
948 if (X509_check_issued(top, top) != X509_V_OK)
950 X509_STORE_CTX_set_error_depth(ctx, dane->depth);
951 X509_STORE_CTX_set_current_cert(ctx, top);
956 /* Pop synthetic trust-anchor ancestors off the chain! */
957 while (--chain_length > dane->depth)
958 X509_free(sk_X509_pop(X509_STORE_CTX_get0_chain(ctx)));
966 * Check for an EE match, then a CA match at depths > 0, and
967 * finally, if the EE cert is self-issued, for a depth 0 CA match.
970 matched = match(leaf_rrs, xn, 0);
971 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched EE\n");
973 if (!matched && issuer_rrs)
974 for (n = chain_length-1; !matched && n >= 0; --n)
976 xn = sk_X509_value(X509_STORE_CTX_get0_chain(ctx), n);
977 if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
978 matched = match(issuer_rrs, xn, n);
980 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched %s\n",
981 n>0 ? "CA" : "selfisssued EE");
985 X509_STORE_CTX_set_error_depth(ctx, 0);
986 X509_STORE_CTX_set_current_cert(ctx, cert);
987 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
999 return (X509_STORE_CTX_get_verify(ctx))(ctx);
1003 dane_reset(ssl_dane *dane)
1008 OPENSSL_free(dane->mhost);
1013 sk_X509_pop_free(dane->roots, X509_free);
1018 sk_X509_pop_free(dane->chain, X509_free);
1023 X509_free(dane->match);
1030 verify_cert(X509_STORE_CTX *ctx, void *unused_ctx)
1032 static int ssl_idx = -1;
1035 int (*cb)(int, X509_STORE_CTX *) = X509_STORE_CTX_get_verify_cb(ctx);
1036 X509 *cert = X509_STORE_CTX_get0_cert(ctx);
1039 DEBUG(D_tls) debug_printf("Dane verify_cert\n");
1042 ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1045 DANEerr(DANESSL_F_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
1049 ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
1050 if (!(dane = SSL_get_ex_data(ssl, dane_idx)) || !cert)
1051 return X509_verify_cert(ctx);
1053 /* Reset for verification of a new chain, perhaps a renegotiation. */
1056 if (dane->selectors[DANESSL_USAGE_DANE_EE])
1058 if ((matched = check_end_entity(ctx, dane, cert)) > 0)
1060 X509_STORE_CTX_set_error_depth(ctx, 0);
1061 X509_STORE_CTX_set_current_cert(ctx, cert);
1066 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1071 if (dane->selectors[DANESSL_USAGE_DANE_TA])
1073 if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
1075 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1081 * Check that setting the untrusted chain updates the expected
1082 * structure member at the expected offset.
1084 X509_STORE_CTX_trusted_stack(ctx, dane->roots);
1085 X509_STORE_CTX_set_chain(ctx, dane->chain);
1086 OPENSSL_assert(X509_STORE_CTX_get0_untrusted(ctx) == dane->chain);
1091 * Name checks and usage 0/1 constraint enforcement are delayed until
1092 * X509_verify_cert() builds the full chain and calls our verify_chain()
1095 dane->verify = X509_STORE_CTX_get_verify(ctx);
1096 X509_STORE_CTX_set_verify(ctx, verify_chain);
1098 if (X509_verify_cert(ctx))
1102 * If the chain is invalid, clear any matching cert or hostname, to
1103 * protect callers that might erroneously rely on these alone without
1104 * checking the validation status.
1108 X509_free(dane->match);
1113 OPENSSL_free(dane->mhost);
1120 list_alloc(size_t vsize)
1122 void *value = (void *) OPENSSL_malloc(vsize);
1127 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1130 if (!(l = (dane_list) OPENSSL_malloc(sizeof(*l))))
1132 OPENSSL_free(value);
1133 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1142 list_free(void *list, void (*f)(void *))
1147 for (head = (dane_list) list; head; head = next)
1150 if (f && head->value)
1157 dane_mtype_free(void *p)
1159 list_free(((dane_mtype) p)->data, CRYPTO_free);
1164 dane_selector_free(void *p)
1166 list_free(((dane_selector) p)->mtype, dane_mtype_free);
1174 Tidy up once the connection is finished with.
1177 ssl The ssl connection handle
1179 => Before calling SSL_free()
1180 tls_close() and tls_getc() [the error path] are the obvious places.
1181 Could we do it earlier - right after verification? In tls_client_start()
1182 right after SSL_connect() returns, in that case.
1187 DANESSL_cleanup(SSL *ssl)
1192 DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
1194 if (dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1196 (void) SSL_set_ex_data(ssl, dane_idx, 0);
1200 list_free(dane->hosts, CRYPTO_free);
1201 for (u = 0; u <= DANESSL_USAGE_LAST; ++u)
1202 if (dane->selectors[u])
1203 list_free(dane->selectors[u], dane_selector_free);
1205 list_free(dane->pkeys, pkey_free);
1207 list_free(dane->certs, cert_free);
1211 static dane_host_list
1212 host_list_init(const char **src)
1214 dane_host_list head = NULL;
1218 dane_host_list elem = (dane_host_list) OPENSSL_malloc(sizeof(*elem));
1221 list_free(head, CRYPTO_free);
1224 elem->value = OPENSSL_strdup(*src++);
1225 LINSERT(head, elem);
1232 DANESSL_get_match_cert(SSL *ssl, X509 **match, const char **mhost, int *depth)
1236 if (dane_idx < 0 || (dane = SSL_get_ex_data(ssl, dane_idx)) == 0)
1238 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1245 *match = dane->match;
1247 *mhost = dane->mhost;
1249 *depth = dane->mdpth;
1252 return (dane->match != 0);
1258 DANESSL_verify_chain(SSL *ssl, STACK_OF(X509) *chain)
1262 X509_STORE_CTX store_ctx;
1263 SSL_CTX *ssl_ctx = SSL_get_SSL_CTX(ssl);
1264 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
1265 int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1267 cert = sk_X509_value(chain, 0);
1268 if (!X509_STORE_CTX_init(&store_ctx, store, cert, chain))
1270 X509_STORE_CTX_set_ex_data(&store_ctx, store_ctx_idx, ssl);
1272 X509_STORE_CTX_set_default(&store_ctx,
1273 SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
1274 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&store_ctx),
1275 SSL_get0_param(ssl));
1277 if (SSL_get_verify_callback(ssl))
1278 X509_STORE_CTX_set_verify_cb(&store_ctx, SSL_get_verify_callback(ssl));
1280 ret = verify_cert(&store_ctx, NULL);
1282 SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(&store_ctx));
1283 X509_STORE_CTX_cleanup(&store_ctx);
1294 Call this for each TLSA record found for the target, after the
1295 DANE setup has been done on the ssl connection handle.
1298 ssl Connection handle
1299 usage TLSA record field
1300 selector TLSA record field
1301 mdname ??? message digest name?
1302 data ??? TLSA record megalump?
1312 DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
1313 unsigned const char *data, size_t dlen)
1316 dane_selector_list s = 0;
1317 dane_mtype_list m = 0;
1318 dane_data_list d = 0;
1319 dane_cert_list xlist = 0;
1320 dane_pkey_list klist = 0;
1321 const EVP_MD *md = 0;
1323 DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
1324 usage, selector, mdname);
1326 if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1328 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1332 if (usage > DANESSL_USAGE_LAST)
1334 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_USAGE);
1337 if (selector > DANESSL_SELECTOR_LAST)
1339 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_SELECTOR);
1343 /* Support built-in standard one-digit mtypes */
1344 if (mdname && *mdname && mdname[1] == '\0')
1345 switch (*mdname - '0')
1347 case DANESSL_MATCHING_FULL: mdname = 0; break;
1348 case DANESSL_MATCHING_2256: mdname = "sha256"; break;
1349 case DANESSL_MATCHING_2512: mdname = "sha512"; break;
1351 if (mdname && *mdname && (md = EVP_get_digestbyname(mdname)) == 0)
1353 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST);
1356 if (mdname && *mdname && dlen != EVP_MD_size(md))
1358 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH);
1363 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA);
1368 * Full Certificate or Public Key when NULL or empty digest name
1370 if (!mdname || !*mdname)
1374 const unsigned char *p = data;
1376 #define xklistinit(lvar, ltype, var, freeFunc) do { \
1377 (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
1378 if ((lvar) == 0) { \
1379 DANEerr(DANESSL_F_ADD_TLSA, ERR_R_MALLOC_FAILURE); \
1384 lvar->value = var; \
1386 #define xkfreeret(ret) do { \
1387 if (xlist) list_free(xlist, cert_free); \
1388 if (klist) list_free(klist, pkey_free); \
1394 case DANESSL_SELECTOR_CERT:
1395 if (!d2i_X509(&x, &p, dlen) || dlen != p - data)
1399 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT);
1402 k = X509_get_pubkey(x);
1407 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT_PKEY);
1410 if (usage == DANESSL_USAGE_DANE_TA)
1411 xklistinit(xlist, dane_cert_list, x, X509_free);
1414 case DANESSL_SELECTOR_SPKI:
1415 if (!d2i_PUBKEY(&k, &p, dlen) || dlen != p - data)
1419 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_PKEY);
1422 if (usage == DANESSL_USAGE_DANE_TA)
1423 xklistinit(klist, dane_pkey_list, k, EVP_PKEY_free);
1428 /* Find insertion point and don't add duplicate elements. */
1429 for (s = dane->selectors[usage]; s; s = s->next)
1430 if (s->value->selector == selector)
1432 for (m = s->value->mtype; m; m = m->next)
1433 if (m->value->md == md)
1435 for (d = m->value->data; d; d = d->next)
1436 if ( d->value->datalen == dlen
1437 && memcmp(d->value->data, data, dlen) == 0)
1444 if ((d = (dane_data_list) list_alloc(sizeof(*d->value) + dlen)) == 0)
1446 d->value->datalen = dlen;
1447 memcpy(d->value->data, data, dlen);
1450 if ((m = (dane_mtype_list) list_alloc(sizeof(*m->value))) == 0)
1452 list_free(d, CRYPTO_free);
1456 if ((m->value->md = md) != 0)
1457 m->value->mdlen = dlen;
1460 if ((s = (dane_selector_list) list_alloc(sizeof(*s->value))) == 0)
1462 list_free(m, dane_mtype_free);
1465 s->value->mtype = 0;
1466 s->value->selector = selector;
1467 LINSERT(dane->selectors[usage], s);
1469 LINSERT(s->value->mtype, m);
1471 LINSERT(m->value->data, d);
1474 LINSERT(dane->certs, xlist);
1476 LINSERT(dane->pkeys, klist);
1485 Call this once we have an ssl connection handle but before
1486 making the TLS connection.
1488 => In tls_client_start() after the call to SSL_new()
1489 and before the call to SSL_connect(). Exactly where
1490 probably does not matter.
1491 We probably want to keep our existing SNI handling;
1492 call this with NULL.
1495 ssl Connection handle
1496 sni_domain Optional peer server name
1497 hostnames list of names to chack against peer cert
1506 DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
1511 DEBUG(D_tls) debug_printf("Dane ssl_init\n");
1514 DANEerr(DANESSL_F_INIT, DANESSL_R_LIBRARY_INIT);
1518 if (sni_domain && !SSL_set_tlsext_host_name(ssl, sni_domain))
1521 if ((dane = (ssl_dane *) OPENSSL_malloc(sizeof(ssl_dane))) == 0)
1523 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1526 if (!SSL_set_ex_data(ssl, dane_idx, dane))
1528 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1542 dane->mhost = 0; /* Future SSL control interface */
1543 dane->mdpth = 0; /* Future SSL control interface */
1544 dane->multi = 0; /* Future SSL control interface */
1548 for (i = 0; i <= DANESSL_USAGE_LAST; ++i)
1549 dane->selectors[i] = 0;
1551 if (hostnames && (dane->hosts = host_list_init(hostnames)) == 0)
1553 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1554 DANESSL_cleanup(ssl);
1564 Call this once we have a context to work with, but
1565 before DANESSL_init()
1567 => in tls_client_start(), after tls_init() call gives us the ctx,
1568 if we decide we want to (policy) and can (TLSA records available)
1569 replacing (? what about fallback) everything from testing tls_verify_hosts
1570 down to just before calling SSL_new() for the conn handle.
1581 DANESSL_CTX_init(SSL_CTX *ctx)
1583 DEBUG(D_tls) debug_printf("Dane ctx-init\n");
1586 SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
1589 DANEerr(DANESSL_F_CTX_INIT, DANESSL_R_LIBRARY_INIT);
1594 init_once(volatile int *value, int (*init)(void), void (*postinit)(void))
1598 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
1601 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1602 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1612 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1614 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1622 * Store library id in zeroth function slot, used to locate the library
1623 * name. This must be done before we load the error strings.
1625 #ifndef OPENSSL_NO_ERR
1626 dane_str_functs[0].error |= ERR_PACK(err_lib_dane, 0, 0);
1627 ERR_load_strings(err_lib_dane, dane_str_functs);
1628 ERR_load_strings(err_lib_dane, dane_str_reasons);
1632 * Register SHA-2 digests, if implemented and not already registered.
1634 #if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
1635 if (!EVP_get_digestbyname(LN_sha224)) EVP_add_digest(EVP_sha224());
1636 if (!EVP_get_digestbyname(LN_sha256)) EVP_add_digest(EVP_sha256());
1638 #if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
1639 if (!EVP_get_digestbyname(LN_sha384)) EVP_add_digest(EVP_sha384());
1640 if (!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
1644 * Register an SSL index for the connection-specific ssl_dane structure.
1645 * Using a separate index makes it possible to add DANE support to
1646 * existing OpenSSL releases that don't have a suitable pointer in the
1649 dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
1656 Call this once. Probably early in startup will do; may need
1657 to be after SSL library init.
1659 => put after call to tls_init() for now
1667 DANESSL_library_init(void)
1669 DEBUG(D_tls) debug_printf("Dane lib-init\n");
1670 if (err_lib_dane < 0)
1671 init_once(&err_lib_dane, ERR_get_next_error_library, dane_init);
1673 #if defined(LN_sha256)
1674 /* No DANE without SHA256 support */
1675 if (dane_idx >= 0 && EVP_get_digestbyname(LN_sha256) != 0)
1678 DANEerr(DANESSL_F_LIBRARY_INIT, DANESSL_R_SUPPORT);
1683 #endif /* OPENSSL_VERSION_NUMBER */
git://git.exim.org / users / heiko / exim.git / blob