2 * Author: Viktor Dukhovni
3 * License: THIS CODE IS IN THE PUBLIC DOMAIN.
9 #include <openssl/opensslv.h>
10 #include <openssl/err.h>
11 #include <openssl/crypto.h>
12 #include <openssl/safestack.h>
13 #include <openssl/objects.h>
14 #include <openssl/x509.h>
15 #include <openssl/x509v3.h>
16 #include <openssl/evp.h>
17 #include <openssl/bn.h>
19 #if OPENSSL_VERSION_NUMBER < 0x1000000fL
20 # error "OpenSSL 1.0.0 or higher required"
21 #else /* remainder of file */
23 #if OPENSSL_VERSION_NUMBER < 0x10100000L
24 #define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
29 #define DANESSL_F_ADD_SKID 100
30 #define DANESSL_F_ADD_TLSA 101
31 #define DANESSL_F_CHECK_END_ENTITY 102
32 #define DANESSL_F_CTX_INIT 103
33 #define DANESSL_F_GROW_CHAIN 104
34 #define DANESSL_F_INIT 105
35 #define DANESSL_F_LIBRARY_INIT 106
36 #define DANESSL_F_LIST_ALLOC 107
37 #define DANESSL_F_MATCH 108
38 #define DANESSL_F_PUSH_EXT 109
39 #define DANESSL_F_SET_TRUST_ANCHOR 110
40 #define DANESSL_F_VERIFY_CERT 111
41 #define DANESSL_F_WRAP_CERT 112
43 #define DANESSL_R_BAD_CERT 100
44 #define DANESSL_R_BAD_CERT_PKEY 101
45 #define DANESSL_R_BAD_DATA_LENGTH 102
46 #define DANESSL_R_BAD_DIGEST 103
47 #define DANESSL_R_BAD_NULL_DATA 104
48 #define DANESSL_R_BAD_PKEY 105
49 #define DANESSL_R_BAD_SELECTOR 106
50 #define DANESSL_R_BAD_USAGE 107
51 #define DANESSL_R_INIT 108
52 #define DANESSL_R_LIBRARY_INIT 109
53 #define DANESSL_R_NOSIGN_KEY 110
54 #define DANESSL_R_SCTX_INIT 111
55 #define DANESSL_R_SUPPORT 112
57 #ifndef OPENSSL_NO_ERR
58 #define DANESSL_F_PLACEHOLDER 0 /* FIRST! Value TBD */
59 static ERR_STRING_DATA dane_str_functs[] = {
60 {DANESSL_F_PLACEHOLDER, "DANE library"}, /* FIRST!!! */
61 {DANESSL_F_ADD_SKID, "add_skid"},
62 {DANESSL_F_ADD_TLSA, "DANESSL_add_tlsa"},
63 {DANESSL_F_CHECK_END_ENTITY, "check_end_entity"},
64 {DANESSL_F_CTX_INIT, "DANESSL_CTX_init"},
65 {DANESSL_F_GROW_CHAIN, "grow_chain"},
66 {DANESSL_F_INIT, "DANESSL_init"},
67 {DANESSL_F_LIBRARY_INIT, "DANESSL_library_init"},
68 {DANESSL_F_LIST_ALLOC, "list_alloc"},
69 {DANESSL_F_MATCH, "match"},
70 {DANESSL_F_PUSH_EXT, "push_ext"},
71 {DANESSL_F_SET_TRUST_ANCHOR, "set_trust_anchor"},
72 {DANESSL_F_VERIFY_CERT, "verify_cert"},
73 {DANESSL_F_WRAP_CERT, "wrap_cert"},
76 static ERR_STRING_DATA dane_str_reasons[] = {
77 {DANESSL_R_BAD_CERT, "Bad TLSA record certificate"},
78 {DANESSL_R_BAD_CERT_PKEY, "Bad TLSA record certificate public key"},
79 {DANESSL_R_BAD_DATA_LENGTH, "Bad TLSA record digest length"},
80 {DANESSL_R_BAD_DIGEST, "Bad TLSA record digest"},
81 {DANESSL_R_BAD_NULL_DATA, "Bad TLSA record null data"},
82 {DANESSL_R_BAD_PKEY, "Bad TLSA record public key"},
83 {DANESSL_R_BAD_SELECTOR, "Bad TLSA record selector"},
84 {DANESSL_R_BAD_USAGE, "Bad TLSA record usage"},
85 {DANESSL_R_INIT, "DANESSL_init() required"},
86 {DANESSL_R_LIBRARY_INIT, "DANESSL_library_init() required"},
87 {DANESSL_R_NOSIGN_KEY, "Certificate usage 2 requires EC support"},
88 {DANESSL_R_SCTX_INIT, "DANESSL_CTX_init() required"},
89 {DANESSL_R_SUPPORT, "DANE library features not supported"},
94 #define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
96 static int err_lib_dane = -1;
97 static int dane_idx = -1;
99 #ifdef X509_V_FLAG_PARTIAL_CHAIN /* OpenSSL >= 1.0.2 */
100 static int wrap_to_root = 0;
102 static int wrap_to_root = 1;
105 static void (*cert_free)(void *) = (void (*)(void *)) X509_free;
106 static void (*pkey_free)(void *) = (void (*)(void *)) EVP_PKEY_free;
108 typedef struct dane_list
110 struct dane_list *next;
114 #define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0)
116 typedef struct dane_host_list
118 struct dane_host_list *next;
122 typedef struct dane_data
125 unsigned char data[0];
128 typedef struct dane_data_list
130 struct dane_data_list *next;
134 typedef struct dane_mtype
141 typedef struct dane_mtype_list
143 struct dane_mtype_list *next;
147 typedef struct dane_selector
150 dane_mtype_list mtype;
153 typedef struct dane_selector_list
155 struct dane_selector_list *next;
157 } *dane_selector_list;
159 typedef struct dane_pkey_list
161 struct dane_pkey_list *next;
165 typedef struct dane_cert_list
167 struct dane_cert_list *next;
171 typedef struct ssl_dane
173 int (*verify)(X509_STORE_CTX *);
174 STACK_OF(X509) *roots;
175 STACK_OF(X509) *chain;
176 X509 *match; /* Matched cert */
177 const char *thost; /* TLSA base domain */
178 char *mhost; /* Matched peer name */
179 dane_pkey_list pkeys;
180 dane_cert_list certs;
181 dane_host_list hosts;
182 dane_selector_list selectors[DANESSL_USAGE_LAST + 1];
184 int mdpth; /* Depth of matched cert */
185 int multi; /* Multi-label wildcards? */
186 int count; /* Number of TLSA records */
189 #ifndef X509_V_ERR_HOSTNAME_MISMATCH
190 # define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION
194 match(dane_selector_list slist, X509 *cert, int depth)
199 * Note, set_trust_anchor() needs to know whether the match was for a
200 * pkey digest or a certificate digest. We return MATCHED_PKEY or
201 * MATCHED_CERT accordingly.
203 #define MATCHED_CERT (DANESSL_SELECTOR_CERT + 1)
204 #define MATCHED_PKEY (DANESSL_SELECTOR_SPKI + 1)
207 * Loop over each selector, mtype, and associated data element looking
210 for (matched = 0; !matched && slist; slist = slist->next)
213 unsigned char mdbuf[EVP_MAX_MD_SIZE];
214 unsigned char *buf = NULL;
216 unsigned int len = 0;
219 * Extract ASN.1 DER form of certificate or public key.
221 switch(slist->value->selector)
223 case DANESSL_SELECTOR_CERT:
224 len = i2d_X509(cert, NULL);
225 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
226 if(buf) i2d_X509(cert, &buf2);
228 case DANESSL_SELECTOR_SPKI:
229 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
230 buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
231 if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2);
237 DANEerr(DANESSL_F_MATCH, ERR_R_MALLOC_FAILURE);
240 OPENSSL_assert(buf2 - buf == len);
243 * Loop over each mtype and data element
245 for (m = slist->value->mtype; !matched && m; m = m->next)
248 unsigned char *cmpbuf = buf;
249 unsigned int cmplen = len;
252 * If it is a digest, compute the corresponding digest of the
253 * DER data for comparison, otherwise, use the full object.
258 if (!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
261 for (d = m->value->data; !matched && d; d = d->next)
262 if ( cmplen == d->value->datalen
263 && memcmp(cmpbuf, d->value->data, cmplen) == 0)
264 matched = slist->value->selector + 1;
274 push_ext(X509 *cert, X509_EXTENSION *ext)
277 if (X509_add_ext(cert, ext, -1))
279 X509_EXTENSION_free(ext);
281 DANEerr(DANESSL_F_PUSH_EXT, ERR_R_MALLOC_FAILURE);
286 add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
290 X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
291 return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
295 set_serial(X509 *cert, AUTHORITY_KEYID *akid, X509 *subject)
300 if (akid && akid->serial)
301 return (X509_set_serialNumber(cert, akid->serial));
304 * Add one to subject's serial to avoid collisions between TA serial and
305 * serial of signing root.
307 if ( (bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(subject), 0)) != 0
308 && BN_add_word(bn, 1)
309 && BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(cert)))
318 add_akid(X509 *cert, AUTHORITY_KEYID *akid)
320 int nid = NID_authority_key_identifier;
326 * 0 will never be our subject keyid from a SHA-1 hash, but it could be
327 * our subject keyid if forced from child's akid. If so, set our
328 * authority keyid to 1. This way we are never self-signed, and thus
329 * exempt from any potential (off by default for now in OpenSSL)
330 * self-signature checks!
332 id = (akid && akid->keyid) ? akid->keyid : 0;
333 if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_data(id) == c)
336 if ( (akid = AUTHORITY_KEYID_new()) != 0
337 && (akid->keyid = ASN1_OCTET_STRING_new()) != 0
338 && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
339 && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_APPEND))
342 AUTHORITY_KEYID_free(akid);
347 add_skid(X509 *cert, AUTHORITY_KEYID *akid)
349 int nid = NID_subject_key_identifier;
351 if (!akid || !akid->keyid)
352 return add_ext(0, cert, nid, "hash");
353 return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_APPEND) > 0;
357 akid_issuer_name(AUTHORITY_KEYID *akid)
359 if (akid && akid->issuer)
362 GENERAL_NAMES *gens = akid->issuer;
364 for (i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
366 GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
368 if (gn->type == GEN_DIRNAME)
376 set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
378 X509_NAME *name = akid_issuer_name(akid);
381 * If subject's akid specifies an authority key identifer issuer name, we
384 return X509_set_issuer_name(cert,
385 name ? name : X509_get_subject_name(cert));
389 grow_chain(ssl_dane *dane, int trusted, X509 *cert)
391 STACK_OF(X509) **xs = trusted ? &dane->roots : &dane->chain;
392 static ASN1_OBJECT *serverAuth = 0;
397 if ( trusted && !serverAuth
398 && !(serverAuth = OBJ_nid2obj(NID_server_auth)))
400 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
403 if (!*xs && !(*xs = sk_X509_new_null()))
405 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
411 if (trusted && !X509_add1_trust_object(cert, serverAuth))
413 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
414 if (!sk_X509_push(*xs, cert))
417 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
425 wrap_issuer(ssl_dane *dane, EVP_PKEY *key, X509 *subject, int depth, int top)
429 AUTHORITY_KEYID *akid;
430 X509_NAME *name = X509_get_issuer_name(subject);
431 EVP_PKEY *newkey = key ? key : X509_get_pubkey(subject);
433 #define WRAP_MID 0 /* Ensure intermediate. */
434 #define WRAP_TOP 1 /* Ensure self-signed. */
436 if (!name || !newkey || !(cert = X509_new()))
440 * Record the depth of the trust-anchor certificate.
443 dane->depth = depth + 1;
446 * XXX: Uncaught error condition:
448 * The return value is NULL both when the extension is missing, and when
449 * OpenSSL rans out of memory while parsing the extension.
452 akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
453 /* XXX: Should we peek at the error stack here??? */
456 * If top is true generate a self-issued root CA, otherwise an
457 * intermediate CA and possibly its self-signed issuer.
459 * CA cert valid for +/- 30 days
461 if ( !X509_set_version(cert, 2)
462 || !set_serial(cert, akid, subject)
463 || !X509_set_subject_name(cert, name)
464 || !set_issuer_name(cert, akid)
465 || !X509_gmtime_adj(X509_get_notBefore(cert), -30 * 86400L)
466 || !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L)
467 || !X509_set_pubkey(cert, newkey)
468 || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
469 || (!top && !add_akid(cert, akid))
470 || !add_skid(cert, akid)
471 || ( !top && wrap_to_root
472 && !wrap_issuer(dane, newkey, cert, depth, WRAP_TOP)))
476 AUTHORITY_KEYID_free(akid);
478 EVP_PKEY_free(newkey);
480 ret = grow_chain(dane, !top && wrap_to_root ? UNTRUSTED : TRUSTED, cert);
487 wrap_cert(ssl_dane *dane, X509 *tacert, int depth)
490 dane->depth = depth + 1;
493 * If the TA certificate is self-issued, or need not be, use it directly.
494 * Otherwise, synthesize requisuite ancestors.
497 || X509_check_issued(tacert, tacert) == X509_V_OK)
498 return grow_chain(dane, TRUSTED, tacert);
500 if (wrap_issuer(dane, 0, tacert, depth, WRAP_MID))
501 return grow_chain(dane, UNTRUSTED, tacert);
506 ta_signed(ssl_dane *dane, X509 *cert, int depth)
514 * First check whether issued and signed by a TA cert, this is cheaper
515 * than the bare-public key checks below, since we can determine whether
516 * the candidate TA certificate issued the certificate to be checked
517 * first (name comparisons), before we bother with signature checks
518 * (public key operations).
520 for (x = dane->certs; !done && x; x = x->next)
522 if (X509_check_issued(x->value, cert) == X509_V_OK)
524 if (!(pk = X509_get_pubkey(x->value)))
527 * The cert originally contained a valid pkey, which does
528 * not just vanish, so this is most likely a memory error.
533 /* Check signature, since some other TA may work if not this. */
534 if (X509_verify(cert, pk) > 0)
535 done = wrap_cert(dane, x->value, depth) ? 1 : -1;
541 * With bare TA public keys, we can't check whether the trust chain is
542 * issued by the key, but we can determine whether it is signed by the
543 * key, so we go with that.
545 * Ideally, the corresponding certificate was presented in the chain, and we
546 * matched it by its public key digest one level up. This code is here
547 * to handle adverse conditions imposed by sloppy administrators of
548 * receiving systems with poorly constructed chains.
550 * We'd like to optimize out keys that should not match when the cert's
551 * authority key id does not match the key id of this key computed via
552 * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans
553 * ASN1 tag and length thus also excluding the unused bits field that is
554 * logically part of the length). However, some CAs have a non-standard
555 * authority keyid, so we lose. Too bad.
557 * This may push errors onto the stack when the certificate signature is
558 * not of the right type or length, throw these away,
560 for (k = dane->pkeys; !done && k; k = k->next)
561 if (X509_verify(cert, k->value) > 0)
562 done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
570 set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
578 STACK_OF(X509) *in = ctx->untrusted; /* XXX: Accessor? */
580 if (!grow_chain(dane, UNTRUSTED, 0))
584 * Accept a degenerate case: depth 0 self-signed trust-anchor.
586 if (X509_check_issued(cert, cert) == X509_V_OK)
589 matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], cert, 0);
590 if (matched > 0 && !grow_chain(dane, TRUSTED, cert))
595 /* Make a shallow copy of the input untrusted chain. */
596 if (!(in = sk_X509_dup(in)))
598 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
603 * At each iteration we consume the issuer of the current cert. This
604 * reduces the length of the "in" chain by one. If no issuer is found,
605 * we are done. We also stop when a certificate matches a TA in the
608 * Caller ensures that the initial certificate is not self-signed.
610 for (n = sk_X509_num(in); n > 0; --n, ++depth)
612 for (i = 0; i < n; ++i)
613 if (X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
617 * Final untrusted element with no issuer in the peer's chain, it may
618 * however be signed by a pkey or cert obtained via a TLSA RR.
623 /* Peer's chain contains an issuer ca. */
624 ca = sk_X509_delete(in, i);
626 /* If not a trust anchor, record untrusted ca and continue. */
627 if ((matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], ca,
630 if (grow_chain(dane, UNTRUSTED, ca))
632 if (!X509_check_issued(ca, ca) == X509_V_OK)
634 /* Restart with issuer as subject */
638 /* Final self-signed element, skip ta_signed() check. */
644 else if(matched == MATCHED_CERT)
646 if(!wrap_cert(dane, ca, depth))
649 else if(matched == MATCHED_PKEY)
651 if ( !(takey = X509_get_pubkey(ca))
652 || !wrap_issuer(dane, takey, cert, depth, WRAP_MID))
655 EVP_PKEY_free(takey);
657 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
664 /* Shallow free the duplicated input untrusted chain. */
668 * When the loop exits, if "cert" is set, it is not self-signed and has
669 * no issuer in the chain, we check for a possible signature via a DNS
670 * obtained TA cert or public key.
672 if (matched == 0 && cert)
673 matched = ta_signed(dane, cert, depth);
679 check_end_entity(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
683 matched = match(dane->selectors[DANESSL_USAGE_DANE_EE], cert, 0);
691 if ( (ctx->chain = sk_X509_new_null()) != 0
692 && sk_X509_push(ctx->chain, cert))
696 DANEerr(DANESSL_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE);
705 match_name(const char *certid, ssl_dane *dane)
707 int multi = dane->multi;
708 dane_host_list hosts;
710 for (hosts = dane->hosts; hosts; hosts = hosts->next)
712 int match_subdomain = 0;
713 const char *domain = hosts->value;
718 if (*domain == '.' && domain[1] != '\0')
725 * Sub-domain match: certid is any sub-domain of hostname.
729 if ( (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1
730 && certid[idlen - domlen - 1] == '.'
731 && !strcasecmp(certid + (idlen - domlen), domain))
738 * Exact match and initial "*" match. The initial "*" in a certid
739 * matches one (if multi is false) or more hostname components under
740 * the condition that the certid contains multiple hostname components.
742 if ( !strcasecmp(certid, domain)
743 || ( certid[0] == '*' && certid[1] == '.' && certid[2] != 0
744 && (parent = strchr(domain, '.')) != 0
745 && (idlen = strlen(certid + 1)) <= (domlen = strlen(parent))
746 && strcasecmp(multi ? parent + domlen - idlen : parent, certid+1) == 0))
753 check_name(char *name, int len)
755 char *cp = name + len;
757 while (len > 0 && !*--cp)
758 --len; /* Ignore trailing NULs */
761 for (cp = name; *cp; cp++)
764 if (!((c >= 'a' && c <= 'z') ||
765 (c >= '0' && c <= '9') ||
766 (c >= 'A' && c <= 'Z') ||
767 (c == '.' || c == '-') ||
769 return 0; /* Only LDH, '.' and '*' */
771 if (cp - name != len) /* Guard against internal NULs */
777 parse_dns_name(const GENERAL_NAME *gn)
779 if (gn->type != GEN_DNS)
781 if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
783 return check_name((char *) ASN1_STRING_data(gn->d.ia5),
784 ASN1_STRING_length(gn->d.ia5));
788 parse_subject_name(X509 *cert)
790 X509_NAME *name = X509_get_subject_name(cert);
791 X509_NAME_ENTRY *entry;
792 ASN1_STRING *entry_str;
793 unsigned char *namebuf;
794 int nid = NID_commonName;
798 if (!name || (i = X509_NAME_get_index_by_NID(name, nid, -1)) < 0)
800 if (!(entry = X509_NAME_get_entry(name, i)))
802 if (!(entry_str = X509_NAME_ENTRY_get_data(entry)))
805 if ((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0)
807 if (len <= 0 || check_name((char *) namebuf, len) == 0)
809 OPENSSL_free(namebuf);
812 return (char *) namebuf;
816 name_check(ssl_dane *dane, X509 *cert)
819 BOOL got_altname = FALSE;
822 gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
825 int n = sk_GENERAL_NAME_num(gens);
828 for (i = 0; i < n; ++i)
830 const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
833 if (gn->type != GEN_DNS)
836 certid = parse_dns_name(gn);
837 if (certid && *certid)
839 if ((matched = match_name(certid, dane)) == 0)
841 if (!(dane->mhost = OPENSSL_strdup(certid)))
846 GENERAL_NAMES_free(gens);
850 * XXX: Should the subjectName be skipped when *any* altnames are present,
851 * or only when DNS altnames are present?
853 if (got_altname == 0)
855 char *certid = parse_subject_name(cert);
856 if (certid != 0 && *certid
857 && (matched = match_name(certid, dane)) != 0)
858 dane->mhost = OPENSSL_strdup(certid);
860 OPENSSL_free(certid);
866 verify_chain(X509_STORE_CTX *ctx)
868 dane_selector_list issuer_rrs;
869 dane_selector_list leaf_rrs;
870 int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
871 int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
872 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
873 ssl_dane *dane = SSL_get_ex_data(ssl, dane_idx);
874 X509 *cert = ctx->cert; /* XXX: accessor? */
876 int chain_length = sk_X509_num(ctx->chain);
878 DEBUG(D_tls) debug_printf("Dane verify-chain\n");
880 issuer_rrs = dane->selectors[DANESSL_USAGE_PKIX_TA];
881 leaf_rrs = dane->selectors[DANESSL_USAGE_PKIX_EE];
882 ctx->verify = dane->verify;
884 if ((matched = name_check(dane, cert)) < 0)
886 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
892 ctx->error_depth = 0;
893 ctx->current_cert = cert;
894 X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
901 * Satisfy at least one usage 0 or 1 constraint, unless we've already
902 * matched a usage 2 trust anchor.
904 * XXX: internal_verify() doesn't callback with top certs that are not
905 * self-issued. This should be fixed in a future OpenSSL.
907 if (dane->roots && sk_X509_num(dane->roots))
909 X509 *top = sk_X509_value(ctx->chain, dane->depth);
911 dane->mdpth = dane->depth;
915 #ifndef NO_CALLBACK_WORKAROUND
916 if (X509_check_issued(top, top) != X509_V_OK)
918 ctx->error_depth = dane->depth;
919 ctx->current_cert = top;
924 /* Pop synthetic trust-anchor ancestors off the chain! */
925 while (--chain_length > dane->depth)
926 X509_free(sk_X509_pop(ctx->chain));
934 * Check for an EE match, then a CA match at depths > 0, and
935 * finally, if the EE cert is self-issued, for a depth 0 CA match.
938 matched = match(leaf_rrs, xn, 0);
941 for (n = chain_length-1; !matched && n >= 0; --n)
943 xn = sk_X509_value(ctx->chain, n);
944 if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
945 matched = match(issuer_rrs, xn, n);
951 ctx->current_cert = cert;
952 ctx->error_depth = 0;
953 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
965 return ctx->verify(ctx);
969 dane_reset(ssl_dane *dane)
974 OPENSSL_free(dane->mhost);
979 sk_X509_pop_free(dane->roots, X509_free);
984 sk_X509_pop_free(dane->chain, X509_free);
989 X509_free(dane->match);
996 verify_cert(X509_STORE_CTX *ctx, void *unused_ctx)
998 static int ssl_idx = -1;
1001 int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
1003 X509 *cert = ctx->cert; /* XXX: accessor? */
1005 DEBUG(D_tls) debug_printf("Dane verify-cert\n");
1008 ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1011 DANEerr(DANESSL_F_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
1015 ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
1016 if (!(dane = SSL_get_ex_data(ssl, dane_idx)) || !cert)
1017 return X509_verify_cert(ctx);
1019 /* Reset for verification of a new chain, perhaps a renegotiation. */
1022 if (dane->selectors[DANESSL_USAGE_DANE_EE])
1024 if ((matched = check_end_entity(ctx, dane, cert)) > 0)
1026 ctx->error_depth = 0;
1027 ctx->current_cert = cert;
1032 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1037 if (dane->selectors[DANESSL_USAGE_DANE_TA])
1039 if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
1041 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1047 * Check that setting the untrusted chain updates the expected
1048 * structure member at the expected offset.
1050 X509_STORE_CTX_trusted_stack(ctx, dane->roots);
1051 X509_STORE_CTX_set_chain(ctx, dane->chain);
1052 OPENSSL_assert(ctx->untrusted == dane->chain);
1057 * Name checks and usage 0/1 constraint enforcement are delayed until
1058 * X509_verify_cert() builds the full chain and calls our verify_chain()
1061 dane->verify = ctx->verify;
1062 ctx->verify = verify_chain;
1064 if (X509_verify_cert(ctx))
1068 * If the chain is invalid, clear any matching cert or hostname, to
1069 * protect callers that might erroneously rely on these alone without
1070 * checking the validation status.
1074 X509_free(dane->match);
1079 OPENSSL_free(dane->mhost);
1086 list_alloc(size_t vsize)
1088 void *value = (void *) OPENSSL_malloc(vsize);
1093 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1096 if (!(l = (dane_list) OPENSSL_malloc(sizeof(*l))))
1098 OPENSSL_free(value);
1099 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1108 list_free(void *list, void (*f)(void *))
1113 for (head = (dane_list) list; head; head = next)
1116 if (f && head->value)
1123 dane_mtype_free(void *p)
1125 list_free(((dane_mtype) p)->data, CRYPTO_free);
1130 dane_selector_free(void *p)
1132 list_free(((dane_selector) p)->mtype, dane_mtype_free);
1140 Tidy up once the connection is finished with.
1143 ssl The ssl connection handle
1145 => Before calling SSL_free()
1146 tls_close() and tls_getc() [the error path] are the obvious places.
1147 Could we do it earlier - right after verification? In tls_client_start()
1148 right after SSL_connect() returns, in that case.
1153 DANESSL_cleanup(SSL *ssl)
1158 DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
1160 if (dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1162 (void) SSL_set_ex_data(ssl, dane_idx, 0);
1166 list_free(dane->hosts, CRYPTO_free);
1167 for (u = 0; u <= DANESSL_USAGE_LAST; ++u)
1168 if (dane->selectors[u])
1169 list_free(dane->selectors[u], dane_selector_free);
1171 list_free(dane->pkeys, pkey_free);
1173 list_free(dane->certs, cert_free);
1177 static dane_host_list
1178 host_list_init(const char **src)
1180 dane_host_list head = NULL;
1184 dane_host_list elem = (dane_host_list) OPENSSL_malloc(sizeof(*elem));
1187 list_free(head, CRYPTO_free);
1190 elem->value = OPENSSL_strdup(*src++);
1191 LINSERT(head, elem);
1198 DANESSL_get_match_cert(SSL *ssl, X509 **match, const char **mhost, int *depth)
1202 if (dane_idx < 0 || (dane = SSL_get_ex_data(ssl, dane_idx)) == 0)
1204 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1211 *match = dane->match;
1213 *mhost = dane->mhost;
1215 *depth = dane->mdpth;
1218 return (dane->match != 0);
1224 DANESSL_verify_chain(SSL *ssl, STACK_OF(X509) *chain)
1228 X509_STORE_CTX store_ctx;
1229 SSL_CTX *ssl_ctx = SSL_get_SSL_CTX(ssl);
1230 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
1231 int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1233 cert = sk_X509_value(chain, 0);
1234 if (!X509_STORE_CTX_init(&store_ctx, store, cert, chain))
1236 X509_STORE_CTX_set_ex_data(&store_ctx, store_ctx_idx, ssl);
1238 X509_STORE_CTX_set_default(&store_ctx,
1239 SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
1240 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&store_ctx),
1241 SSL_get0_param(ssl));
1243 if (SSL_get_verify_callback(ssl))
1244 X509_STORE_CTX_set_verify_cb(&store_ctx, SSL_get_verify_callback(ssl));
1246 ret = verify_cert(&store_ctx, NULL);
1248 SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(&store_ctx));
1249 X509_STORE_CTX_cleanup(&store_ctx);
1260 Call this for each TLSA record found for the target, after the
1261 DANE setup has been done on the ssl connection handle.
1264 ssl Connection handle
1265 usage TLSA record field
1266 selector TLSA record field
1267 mdname ??? message digest name?
1268 data ??? TLSA record megalump?
1278 DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
1279 unsigned const char *data, size_t dlen)
1282 dane_selector_list s = 0;
1283 dane_mtype_list m = 0;
1284 dane_data_list d = 0;
1285 dane_cert_list xlist = 0;
1286 dane_pkey_list klist = 0;
1287 const EVP_MD *md = 0;
1289 DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
1290 usage, selector, mdname);
1292 if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1294 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1298 if (usage > DANESSL_USAGE_LAST)
1300 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_USAGE);
1303 if (selector > DANESSL_SELECTOR_LAST)
1305 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_SELECTOR);
1309 /* Support built-in standard one-digit mtypes */
1310 if (mdname && *mdname && mdname[1] == '\0')
1311 switch (*mdname - '0')
1313 case DANESSL_MATCHING_FULL: mdname = 0; break;
1314 case DANESSL_MATCHING_2256: mdname = "sha256"; break;
1315 case DANESSL_MATCHING_2512: mdname = "sha512"; break;
1317 if (mdname && *mdname && (md = EVP_get_digestbyname(mdname)) == 0)
1319 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST);
1322 if (mdname && *mdname && dlen != EVP_MD_size(md))
1324 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH);
1329 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA);
1334 * Full Certificate or Public Key when NULL or empty digest name
1336 if (!mdname || !*mdname)
1340 const unsigned char *p = data;
1342 #define xklistinit(lvar, ltype, var, freeFunc) do { \
1343 (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
1344 if ((lvar) == 0) { \
1345 DANEerr(DANESSL_F_ADD_TLSA, ERR_R_MALLOC_FAILURE); \
1350 lvar->value = var; \
1352 #define xkfreeret(ret) do { \
1353 if (xlist) list_free(xlist, cert_free); \
1354 if (klist) list_free(klist, pkey_free); \
1360 case DANESSL_SELECTOR_CERT:
1361 if (!d2i_X509(&x, &p, dlen) || dlen != p - data)
1365 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT);
1368 k = X509_get_pubkey(x);
1373 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT_PKEY);
1376 if (usage == DANESSL_USAGE_DANE_TA)
1377 xklistinit(xlist, dane_cert_list, x, X509_free);
1380 case DANESSL_SELECTOR_SPKI:
1381 if (!d2i_PUBKEY(&k, &p, dlen) || dlen != p - data)
1385 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_PKEY);
1388 if (usage == DANESSL_USAGE_DANE_TA)
1389 xklistinit(klist, dane_pkey_list, k, EVP_PKEY_free);
1394 /* Find insertion point and don't add duplicate elements. */
1395 for (s = dane->selectors[usage]; s; s = s->next)
1396 if (s->value->selector == selector)
1398 for (m = s->value->mtype; m; m = m->next)
1399 if (m->value->md == md)
1401 for (d = m->value->data; d; d = d->next)
1402 if ( d->value->datalen == dlen
1403 && memcmp(d->value->data, data, dlen) == 0)
1410 if ((d = (dane_data_list) list_alloc(sizeof(*d->value) + dlen)) == 0)
1412 d->value->datalen = dlen;
1413 memcpy(d->value->data, data, dlen);
1416 if ((m = (dane_mtype_list) list_alloc(sizeof(*m->value))) == 0)
1418 list_free(d, CRYPTO_free);
1422 if ((m->value->md = md) != 0)
1423 m->value->mdlen = dlen;
1426 if ((s = (dane_selector_list) list_alloc(sizeof(*s->value))) == 0)
1428 list_free(m, dane_mtype_free);
1431 s->value->mtype = 0;
1432 s->value->selector = selector;
1433 LINSERT(dane->selectors[usage], s);
1435 LINSERT(s->value->mtype, m);
1437 LINSERT(m->value->data, d);
1440 LINSERT(dane->certs, xlist);
1442 LINSERT(dane->pkeys, klist);
1451 Call this once we have an ssl connection handle but before
1452 making the TLS connection.
1454 => In tls_client_start() after the call to SSL_new()
1455 and before the call to SSL_connect(). Exactly where
1456 probably does not matter.
1457 We probably want to keep our existing SNI handling;
1458 call this with NULL.
1461 ssl Connection handle
1462 sni_domain Optional peer server name
1463 hostnames list of names to chack against peer cert
1472 DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
1477 DEBUG(D_tls) debug_printf("Dane ssl_init\n");
1480 DANEerr(DANESSL_F_INIT, DANESSL_R_LIBRARY_INIT);
1484 if (sni_domain && !SSL_set_tlsext_host_name(ssl, sni_domain))
1487 if ((dane = (ssl_dane *) OPENSSL_malloc(sizeof(ssl_dane))) == 0)
1489 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1492 if (!SSL_set_ex_data(ssl, dane_idx, dane))
1494 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1508 dane->mhost = 0; /* Future SSL control interface */
1509 dane->mdpth = 0; /* Future SSL control interface */
1510 dane->multi = 0; /* Future SSL control interface */
1514 for (i = 0; i <= DANESSL_USAGE_LAST; ++i)
1515 dane->selectors[i] = 0;
1517 if (hostnames && (dane->hosts = host_list_init(hostnames)) == 0)
1519 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1520 DANESSL_cleanup(ssl);
1530 Call this once we have a context to work with, but
1531 before DANESSL_init()
1533 => in tls_client_start(), after tls_init() call gives us the ctx,
1534 if we decide we want to (policy) and can (TLSA records available)
1535 replacing (? what about fallback) everything from testing tls_verify_hosts
1536 down to just before calling SSL_new() for the conn handle.
1547 DANESSL_CTX_init(SSL_CTX *ctx)
1549 DEBUG(D_tls) debug_printf("Dane ctx-init\n");
1552 SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
1555 DANEerr(DANESSL_F_CTX_INIT, DANESSL_R_LIBRARY_INIT);
1560 init_once(volatile int *value, int (*init)(void), void (*postinit)(void))
1564 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
1567 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1568 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1578 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1580 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1588 * Store library id in zeroth function slot, used to locate the library
1589 * name. This must be done before we load the error strings.
1591 #ifndef OPENSSL_NO_ERR
1592 dane_str_functs[0].error |= ERR_PACK(err_lib_dane, 0, 0);
1593 ERR_load_strings(err_lib_dane, dane_str_functs);
1594 ERR_load_strings(err_lib_dane, dane_str_reasons);
1598 * Register SHA-2 digests, if implemented and not already registered.
1600 #if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
1601 if (!EVP_get_digestbyname(LN_sha224)) EVP_add_digest(EVP_sha224());
1602 if (!EVP_get_digestbyname(LN_sha256)) EVP_add_digest(EVP_sha256());
1604 #if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
1605 if (!EVP_get_digestbyname(LN_sha384)) EVP_add_digest(EVP_sha384());
1606 if (!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
1610 * Register an SSL index for the connection-specific ssl_dane structure.
1611 * Using a separate index makes it possible to add DANE support to
1612 * existing OpenSSL releases that don't have a suitable pointer in the
1615 dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
1622 Call this once. Probably early in startup will do; may need
1623 to be after SSL library init.
1625 => put after call to tls_init() for now
1633 DANESSL_library_init(void)
1635 DEBUG(D_tls) debug_printf("Dane lib-init\n");
1636 if (err_lib_dane < 0)
1637 init_once(&err_lib_dane, ERR_get_next_error_library, dane_init);
1639 #if defined(LN_sha256)
1640 /* No DANE without SHA256 support */
1641 if (dane_idx >= 0 && EVP_get_digestbyname(LN_sha256) != 0)
1644 DANEerr(DANESSL_F_LIBRARY_INIT, DANESSL_R_SUPPORT);
1649 #endif /* OPENSSL_VERSION_NUMBER */