2 * Author: Viktor Dukhovni
3 * License: THIS CODE IS IN THE PUBLIC DOMAIN.
5 * Copyright (c) The Exim Maintainers 2014 - 2019
11 #include <openssl/opensslv.h>
12 #include <openssl/err.h>
13 #include <openssl/crypto.h>
14 #include <openssl/safestack.h>
15 #include <openssl/objects.h>
16 #include <openssl/x509.h>
17 #include <openssl/x509v3.h>
18 #include <openssl/evp.h>
19 #include <openssl/bn.h>
21 #if OPENSSL_VERSION_NUMBER < 0x1000000fL
22 # error "OpenSSL 1.0.0 or higher required"
25 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
26 # define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
29 #ifdef LIBRESSL_VERSION_NUMBER /* LibreSSL */
30 # if LIBRESSL_VERSION_NUMBER >= 0x2090000fL
31 # define EXIM_HAVE_ASN1_MACROS
34 # if OPENSSL_VERSION_NUMBER >= 0x10100000L
35 # define EXIM_HAVE_ASN1_MACROS
36 # define EXIM_OPAQUE_X509
38 # define X509_STORE_CTX_get_verify(ctx) (ctx)->verify
39 # define X509_STORE_CTX_get_verify_cb(ctx) (ctx)->verify_cb
40 # define X509_STORE_CTX_get0_cert(ctx) (ctx)->cert
41 # define X509_STORE_CTX_get0_chain(ctx) (ctx)->chain
42 # define X509_STORE_CTX_get0_untrusted(ctx) (ctx)->untrusted
44 # define X509_STORE_CTX_set_verify(ctx, verify_chain) (ctx)->verify = (verify_chain)
45 # define X509_STORE_CTX_set0_verified_chain(ctx, sk) (ctx)->chain = (sk)
46 # define X509_STORE_CTX_set_error_depth(ctx, val) (ctx)->error_depth = (val)
47 # define X509_STORE_CTX_set_current_cert(ctx, cert) (ctx)->current_cert = (cert)
49 # define ASN1_STRING_get0_data ASN1_STRING_data
50 # define X509_getm_notBefore X509_get_notBefore
51 # define X509_getm_notAfter X509_get_notAfter
53 # define CRYPTO_ONCE_STATIC_INIT 0
54 # define CRYPTO_THREAD_run_once run_once
55 typedef int CRYPTO_ONCE;
62 #define DANESSL_F_ADD_SKID 100
63 #define DANESSL_F_ADD_TLSA 101
64 #define DANESSL_F_CHECK_END_ENTITY 102
65 #define DANESSL_F_CTX_INIT 103
66 #define DANESSL_F_GROW_CHAIN 104
67 #define DANESSL_F_INIT 105
68 #define DANESSL_F_LIBRARY_INIT 106
69 #define DANESSL_F_LIST_ALLOC 107
70 #define DANESSL_F_MATCH 108
71 #define DANESSL_F_PUSH_EXT 109
72 #define DANESSL_F_SET_TRUST_ANCHOR 110
73 #define DANESSL_F_VERIFY_CERT 111
74 #define DANESSL_F_WRAP_CERT 112
75 #define DANESSL_F_DANESSL_VERIFY_CHAIN 113
77 #define DANESSL_R_BAD_CERT 100
78 #define DANESSL_R_BAD_CERT_PKEY 101
79 #define DANESSL_R_BAD_DATA_LENGTH 102
80 #define DANESSL_R_BAD_DIGEST 103
81 #define DANESSL_R_BAD_NULL_DATA 104
82 #define DANESSL_R_BAD_PKEY 105
83 #define DANESSL_R_BAD_SELECTOR 106
84 #define DANESSL_R_BAD_USAGE 107
85 #define DANESSL_R_INIT 108
86 #define DANESSL_R_LIBRARY_INIT 109
87 #define DANESSL_R_NOSIGN_KEY 110
88 #define DANESSL_R_SCTX_INIT 111
89 #define DANESSL_R_SUPPORT 112
91 #ifndef OPENSSL_NO_ERR
92 #define DANESSL_F_PLACEHOLDER 0 /* FIRST! Value TBD */
93 static ERR_STRING_DATA dane_str_functs[] = {
95 {DANESSL_F_PLACEHOLDER, "DANE library"}, /* FIRST!!! */
96 {DANESSL_F_ADD_SKID, "add_skid"},
97 {DANESSL_F_ADD_TLSA, "DANESSL_add_tlsa"},
98 {DANESSL_F_CHECK_END_ENTITY, "check_end_entity"},
99 {DANESSL_F_CTX_INIT, "DANESSL_CTX_init"},
100 {DANESSL_F_GROW_CHAIN, "grow_chain"},
101 {DANESSL_F_INIT, "DANESSL_init"},
102 {DANESSL_F_LIBRARY_INIT, "DANESSL_library_init"},
103 {DANESSL_F_LIST_ALLOC, "list_alloc"},
104 {DANESSL_F_MATCH, "match"},
105 {DANESSL_F_PUSH_EXT, "push_ext"},
106 {DANESSL_F_SET_TRUST_ANCHOR, "set_trust_anchor"},
107 {DANESSL_F_VERIFY_CERT, "verify_cert"},
108 {DANESSL_F_WRAP_CERT, "wrap_cert"},
111 static ERR_STRING_DATA dane_str_reasons[] = {
113 {DANESSL_R_BAD_CERT, "Bad TLSA record certificate"},
114 {DANESSL_R_BAD_CERT_PKEY, "Bad TLSA record certificate public key"},
115 {DANESSL_R_BAD_DATA_LENGTH, "Bad TLSA record digest length"},
116 {DANESSL_R_BAD_DIGEST, "Bad TLSA record digest"},
117 {DANESSL_R_BAD_NULL_DATA, "Bad TLSA record null data"},
118 {DANESSL_R_BAD_PKEY, "Bad TLSA record public key"},
119 {DANESSL_R_BAD_SELECTOR, "Bad TLSA record selector"},
120 {DANESSL_R_BAD_USAGE, "Bad TLSA record usage"},
121 {DANESSL_R_INIT, "DANESSL_init() required"},
122 {DANESSL_R_LIBRARY_INIT, "DANESSL_library_init() required"},
123 {DANESSL_R_NOSIGN_KEY, "Certificate usage 2 requires EC support"},
124 {DANESSL_R_SCTX_INIT, "DANESSL_CTX_init() required"},
125 {DANESSL_R_SUPPORT, "DANE library features not supported"},
130 #define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
132 static int err_lib_dane = -1;
133 static int dane_idx = -1;
135 #ifdef X509_V_FLAG_PARTIAL_CHAIN /* OpenSSL >= 1.0.2 */
136 static int wrap_to_root = 0;
138 static int wrap_to_root = 1;
141 static void (*cert_free)(void *) = (void (*)(void *)) X509_free;
142 static void (*pkey_free)(void *) = (void (*)(void *)) EVP_PKEY_free;
144 typedef struct dane_list
146 struct dane_list *next;
150 #define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0)
152 typedef struct dane_host_list
154 struct dane_host_list *next;
158 typedef struct dane_data
161 unsigned char data[0];
164 typedef struct dane_data_list
166 struct dane_data_list *next;
170 typedef struct dane_mtype
177 typedef struct dane_mtype_list
179 struct dane_mtype_list *next;
183 typedef struct dane_selector
186 dane_mtype_list mtype;
189 typedef struct dane_selector_list
191 struct dane_selector_list *next;
193 } *dane_selector_list;
195 typedef struct dane_pkey_list
197 struct dane_pkey_list *next;
201 typedef struct dane_cert_list
203 struct dane_cert_list *next;
207 typedef struct ssl_dane
209 int (*verify)(X509_STORE_CTX *);
210 STACK_OF(X509) *roots;
211 STACK_OF(X509) *chain;
212 X509 *match; /* Matched cert */
213 const char *thost; /* TLSA base domain */
214 char *mhost; /* Matched peer name */
215 dane_pkey_list pkeys;
216 dane_cert_list certs;
217 dane_host_list hosts;
218 dane_selector_list selectors[DANESSL_USAGE_LAST + 1];
220 int mdpth; /* Depth of matched cert */
221 int multi; /* Multi-label wildcards? */
222 int count; /* Number of TLSA records */
225 #ifndef X509_V_ERR_HOSTNAME_MISMATCH
226 # define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION
232 match(dane_selector_list slist, X509 *cert, int depth)
237 * Note, set_trust_anchor() needs to know whether the match was for a
238 * pkey digest or a certificate digest. We return MATCHED_PKEY or
239 * MATCHED_CERT accordingly.
241 #define MATCHED_CERT (DANESSL_SELECTOR_CERT + 1)
242 #define MATCHED_PKEY (DANESSL_SELECTOR_SPKI + 1)
245 * Loop over each selector, mtype, and associated data element looking
248 for (matched = 0; !matched && slist; slist = slist->next)
250 unsigned char mdbuf[EVP_MAX_MD_SIZE];
251 unsigned char *buf = NULL;
253 unsigned int len = 0;
256 * Extract ASN.1 DER form of certificate or public key.
258 switch(slist->value->selector)
260 case DANESSL_SELECTOR_CERT:
261 len = i2d_X509(cert, NULL);
262 buf2 = buf = US OPENSSL_malloc(len);
263 if(buf) i2d_X509(cert, &buf2);
265 case DANESSL_SELECTOR_SPKI:
266 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
267 buf2 = buf = US OPENSSL_malloc(len);
268 if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2);
274 DANEerr(DANESSL_F_MATCH, ERR_R_MALLOC_FAILURE);
277 OPENSSL_assert(buf2 - buf == len);
280 * Loop over each mtype and data element
282 for (dane_mtype_list m = slist->value->mtype; !matched && m; m = m->next)
284 unsigned char *cmpbuf = buf;
285 unsigned int cmplen = len;
288 * If it is a digest, compute the corresponding digest of the
289 * DER data for comparison, otherwise, use the full object.
294 if (!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
297 for (dane_data_list d = m->value->data; !matched && d; d = d->next)
298 if ( cmplen == d->value->datalen
299 && memcmp(cmpbuf, d->value->data, cmplen) == 0)
300 matched = slist->value->selector + 1;
310 push_ext(X509 *cert, X509_EXTENSION *ext)
314 if (X509_add_ext(cert, ext, -1))
316 X509_EXTENSION_free(ext);
318 DANEerr(DANESSL_F_PUSH_EXT, ERR_R_MALLOC_FAILURE);
323 add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
327 X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
328 return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
332 set_serial(X509 *cert, AUTHORITY_KEYID *akid, X509 *subject)
337 if (akid && akid->serial)
338 return (X509_set_serialNumber(cert, akid->serial));
341 * Add one to subject's serial to avoid collisions between TA serial and
342 * serial of signing root.
344 if ( (bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(subject), 0)) != 0
345 && BN_add_word(bn, 1)
346 && BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(cert)))
355 add_akid(X509 *cert, AUTHORITY_KEYID *akid)
357 int nid = NID_authority_key_identifier;
358 ASN1_OCTET_STRING *id;
363 * 0 will never be our subject keyid from a SHA-1 hash, but it could be
364 * our subject keyid if forced from child's akid. If so, set our
365 * authority keyid to 1. This way we are never self-signed, and thus
366 * exempt from any potential (off by default for now in OpenSSL)
367 * self-signature checks!
369 id = akid && akid->keyid ? akid->keyid : 0;
370 if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_get0_data(id) == c)
373 if ( (akid = AUTHORITY_KEYID_new()) != 0
374 && (akid->keyid = ASN1_OCTET_STRING_new()) != 0
375 #ifdef EXIM_HAVE_ASN1_MACROS
376 && ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
378 && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
380 && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_APPEND))
383 AUTHORITY_KEYID_free(akid);
388 add_skid(X509 *cert, AUTHORITY_KEYID *akid)
390 int nid = NID_subject_key_identifier;
392 if (!akid || !akid->keyid)
393 return add_ext(0, cert, nid, "hash");
394 return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_APPEND) > 0;
398 akid_issuer_name(AUTHORITY_KEYID *akid)
400 if (akid && akid->issuer)
402 GENERAL_NAMES *gens = akid->issuer;
404 for (int i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
406 GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
408 if (gn->type == GEN_DIRNAME)
416 set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid, X509_NAME *subj)
418 X509_NAME *name = akid_issuer_name(akid);
421 * If subject's akid specifies an authority key identifier issuer name, we
424 return X509_set_issuer_name(cert,
429 grow_chain(ssl_dane *dane, int trusted, X509 *cert)
431 STACK_OF(X509) **xs = trusted ? &dane->roots : &dane->chain;
432 static ASN1_OBJECT *serverAuth = 0;
437 if ( trusted && !serverAuth
438 && !(serverAuth = OBJ_nid2obj(NID_server_auth)))
440 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
443 if (!*xs && !(*xs = sk_X509_new_null()))
445 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
451 if (trusted && !X509_add1_trust_object(cert, serverAuth))
453 #ifdef EXIM_OPAQUE_X509
456 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
458 if (!sk_X509_push(*xs, cert))
461 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
469 wrap_issuer(ssl_dane *dane, EVP_PKEY *key, X509 *subject, int depth, int top)
473 AUTHORITY_KEYID *akid;
474 X509_NAME *name = X509_get_issuer_name(subject);
475 EVP_PKEY *newkey = key ? key : X509_get_pubkey(subject);
477 #define WRAP_MID 0 /* Ensure intermediate. */
478 #define WRAP_TOP 1 /* Ensure self-signed. */
480 if (!name || !newkey || !(cert = X509_new()))
484 * Record the depth of the trust-anchor certificate.
487 dane->depth = depth + 1;
490 * XXX: Uncaught error condition:
492 * The return value is NULL both when the extension is missing, and when
493 * OpenSSL rans out of memory while parsing the extension.
496 akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
497 /* XXX: Should we peek at the error stack here??? */
500 * If top is true generate a self-issued root CA, otherwise an
501 * intermediate CA and possibly its self-signed issuer.
503 * CA cert valid for +/- 30 days
505 if ( !X509_set_version(cert, 2)
506 || !set_serial(cert, akid, subject)
507 || !set_issuer_name(cert, akid, name)
508 || !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L)
509 || !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L)
510 || !X509_set_subject_name(cert, name)
511 || !X509_set_pubkey(cert, newkey)
512 || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
513 || (!top && !add_akid(cert, akid))
514 || !add_skid(cert, akid)
515 || ( !top && wrap_to_root
516 && !wrap_issuer(dane, newkey, cert, depth, WRAP_TOP)))
520 AUTHORITY_KEYID_free(akid);
522 EVP_PKEY_free(newkey);
524 ret = grow_chain(dane, !top && wrap_to_root ? UNTRUSTED : TRUSTED, cert);
531 wrap_cert(ssl_dane *dane, X509 *tacert, int depth)
534 dane->depth = depth + 1;
537 * If the TA certificate is self-issued, or need not be, use it directly.
538 * Otherwise, synthesize requisite ancestors.
541 || X509_check_issued(tacert, tacert) == X509_V_OK)
542 return grow_chain(dane, TRUSTED, tacert);
544 if (wrap_issuer(dane, 0, tacert, depth, WRAP_MID))
545 return grow_chain(dane, UNTRUSTED, tacert);
550 ta_signed(ssl_dane *dane, X509 *cert, int depth)
556 * First check whether issued and signed by a TA cert, this is cheaper
557 * than the bare-public key checks below, since we can determine whether
558 * the candidate TA certificate issued the certificate to be checked
559 * first (name comparisons), before we bother with signature checks
560 * (public key operations).
562 for (dane_cert_list x = dane->certs; !done && x; x = x->next)
564 if (X509_check_issued(x->value, cert) == X509_V_OK)
566 if (!(pk = X509_get_pubkey(x->value)))
569 * The cert originally contained a valid pkey, which does
570 * not just vanish, so this is most likely a memory error.
575 /* Check signature, since some other TA may work if not this. */
576 if (X509_verify(cert, pk) > 0)
577 done = wrap_cert(dane, x->value, depth) ? 1 : -1;
583 * With bare TA public keys, we can't check whether the trust chain is
584 * issued by the key, but we can determine whether it is signed by the
585 * key, so we go with that.
587 * Ideally, the corresponding certificate was presented in the chain, and we
588 * matched it by its public key digest one level up. This code is here
589 * to handle adverse conditions imposed by sloppy administrators of
590 * receiving systems with poorly constructed chains.
592 * We'd like to optimize out keys that should not match when the cert's
593 * authority key id does not match the key id of this key computed via
594 * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans
595 * ASN1 tag and length thus also excluding the unused bits field that is
596 * logically part of the length). However, some CAs have a non-standard
597 * authority keyid, so we lose. Too bad.
599 * This may push errors onto the stack when the certificate signature is
600 * not of the right type or length, throw these away,
602 for (dane_pkey_list k = dane->pkeys; !done && k; k = k->next)
603 if (X509_verify(cert, k->value) > 0)
604 done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
612 set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
618 STACK_OF(X509) *in = X509_STORE_CTX_get0_untrusted(ctx);
620 if (!grow_chain(dane, UNTRUSTED, 0))
624 * Accept a degenerate case: depth 0 self-signed trust-anchor.
626 if (X509_check_issued(cert, cert) == X509_V_OK)
629 matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], cert, 0);
630 if (matched > 0 && !grow_chain(dane, TRUSTED, cert))
635 /* Make a shallow copy of the input untrusted chain. */
636 if (!(in = sk_X509_dup(in)))
638 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
643 * At each iteration we consume the issuer of the current cert. This
644 * reduces the length of the "in" chain by one. If no issuer is found,
645 * we are done. We also stop when a certificate matches a TA in the
648 * Caller ensures that the initial certificate is not self-signed.
650 for (int n = sk_X509_num(in); n > 0; --n, ++depth)
653 for (i = 0; i < n; ++i)
654 if (X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
658 * Final untrusted element with no issuer in the peer's chain, it may
659 * however be signed by a pkey or cert obtained via a TLSA RR.
664 /* Peer's chain contains an issuer ca. */
665 ca = sk_X509_delete(in, i);
667 /* If not a trust anchor, record untrusted ca and continue. */
668 if ((matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], ca,
671 if (grow_chain(dane, UNTRUSTED, ca))
673 if (X509_check_issued(ca, ca) != X509_V_OK)
675 /* Restart with issuer as subject */
679 /* Final self-signed element, skip ta_signed() check. */
685 else if(matched == MATCHED_CERT)
687 if(!wrap_cert(dane, ca, depth))
690 else if(matched == MATCHED_PKEY)
692 if ( !(takey = X509_get_pubkey(ca))
693 || !wrap_issuer(dane, takey, cert, depth, WRAP_MID))
696 EVP_PKEY_free(takey);
698 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
705 /* Shallow free the duplicated input untrusted chain. */
709 * When the loop exits, if "cert" is set, it is not self-signed and has
710 * no issuer in the chain, we check for a possible signature via a DNS
711 * obtained TA cert or public key.
713 if (matched == 0 && cert)
714 matched = ta_signed(dane, cert, depth);
720 check_end_entity(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
724 matched = match(dane->selectors[DANESSL_USAGE_DANE_EE], cert, 0);
730 if(!X509_STORE_CTX_get0_chain(ctx))
732 STACK_OF(X509) * sk = sk_X509_new_null();
733 if (sk && sk_X509_push(sk, cert))
736 X509_STORE_CTX_set0_verified_chain(ctx, sk);
740 if (sk) sk_X509_free(sk);
741 DANEerr(DANESSL_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE);
750 match_name(const char *certid, ssl_dane *dane)
752 int multi = dane->multi;
754 for (dane_host_list hosts = dane->hosts; hosts; hosts = hosts->next)
756 int match_subdomain = 0;
757 const char *domain = hosts->value;
762 if (*domain == '.' && domain[1] != '\0')
769 * Sub-domain match: certid is any sub-domain of hostname.
773 if ( (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1
774 && certid[idlen - domlen - 1] == '.'
775 && !strcasecmp(certid + (idlen - domlen), domain))
782 * Exact match and initial "*" match. The initial "*" in a certid
783 * matches one (if multi is false) or more hostname components under
784 * the condition that the certid contains multiple hostname components.
786 if ( !strcasecmp(certid, domain)
787 || ( certid[0] == '*' && certid[1] == '.' && certid[2] != 0
788 && (parent = strchr(domain, '.')) != 0
789 && (idlen = strlen(certid + 1)) <= (domlen = strlen(parent))
790 && strcasecmp(multi ? parent + domlen - idlen : parent, certid+1) == 0))
797 check_name(const char *name, int len)
799 const char *cp = name + len;
801 while (len > 0 && !*--cp)
802 --len; /* Ignore trailing NULs */
805 for (cp = name; *cp; cp++)
808 if (!((c >= 'a' && c <= 'z') ||
809 (c >= '0' && c <= '9') ||
810 (c >= 'A' && c <= 'Z') ||
811 (c == '.' || c == '-') ||
813 return 0; /* Only LDH, '.' and '*' */
815 if (cp - name != len) /* Guard against internal NULs */
821 parse_dns_name(const GENERAL_NAME *gn)
823 if (gn->type != GEN_DNS)
825 if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
827 return check_name(CCS ASN1_STRING_get0_data(gn->d.ia5),
828 ASN1_STRING_length(gn->d.ia5));
832 parse_subject_name(X509 *cert)
834 X509_NAME *name = X509_get_subject_name(cert);
835 X509_NAME_ENTRY *entry;
836 ASN1_STRING *entry_str;
837 unsigned char *namebuf;
838 int nid = NID_commonName;
842 if (!name || (i = X509_NAME_get_index_by_NID(name, nid, -1)) < 0)
844 if (!(entry = X509_NAME_get_entry(name, i)))
846 if (!(entry_str = X509_NAME_ENTRY_get_data(entry)))
849 if ((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0)
851 if (len <= 0 || check_name(CS namebuf, len) == 0)
853 OPENSSL_free(namebuf);
860 name_check(ssl_dane *dane, X509 *cert)
863 BOOL got_altname = FALSE;
866 gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
869 int n = sk_GENERAL_NAME_num(gens);
871 for (int i = 0; i < n; ++i)
873 const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
876 if (gn->type != GEN_DNS)
879 certid = parse_dns_name(gn);
880 if (certid && *certid)
882 if ((matched = match_name(certid, dane)) == 0)
884 if (!(dane->mhost = OPENSSL_strdup(certid)))
886 DEBUG(D_tls) debug_printf("Dane name_check: matched SAN %s\n", certid);
890 GENERAL_NAMES_free(gens);
894 * XXX: Should the subjectName be skipped when *any* altnames are present,
895 * or only when DNS altnames are present?
899 char *certid = parse_subject_name(cert);
900 if (certid != 0 && *certid && (matched = match_name(certid, dane)) != 0)
902 DEBUG(D_tls) debug_printf("Dane name_check: matched SN %s\n", certid);
903 dane->mhost = OPENSSL_strdup(certid);
906 OPENSSL_free(certid);
912 verify_chain(X509_STORE_CTX *ctx)
914 int (*cb)(int, X509_STORE_CTX *) = X509_STORE_CTX_get_verify_cb(ctx);
915 X509 *cert = X509_STORE_CTX_get0_cert(ctx);
916 STACK_OF(X509) * chain = X509_STORE_CTX_get0_chain(ctx);
917 int chain_length = sk_X509_num(chain);
918 int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
919 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
920 ssl_dane *dane = SSL_get_ex_data(ssl, dane_idx);
921 dane_selector_list issuer_rrs = dane->selectors[DANESSL_USAGE_PKIX_TA];
922 dane_selector_list leaf_rrs = dane->selectors[DANESSL_USAGE_PKIX_EE];
925 DEBUG(D_tls) debug_printf("Dane verify_chain\n");
927 /* Restore OpenSSL's internal_verify() as the signature check function */
928 X509_STORE_CTX_set_verify(ctx, dane->verify);
930 if ((matched = name_check(dane, cert)) < 0)
932 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
938 X509_STORE_CTX_set_error_depth(ctx, 0);
939 X509_STORE_CTX_set_current_cert(ctx, cert);
940 X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
947 * Satisfy at least one usage 0 or 1 constraint, unless we've already
948 * matched a usage 2 trust anchor.
950 * XXX: internal_verify() doesn't callback with top certs that are not
951 * self-issued. This is fixed in OpenSSL 1.1.0.
953 if (dane->roots && sk_X509_num(dane->roots))
955 X509 *top = sk_X509_value(chain, dane->depth);
957 dane->mdpth = dane->depth;
961 #if OPENSSL_VERSION_NUMBER < 0x10100000L
962 if (X509_check_issued(top, top) != X509_V_OK)
964 X509_STORE_CTX_set_error_depth(ctx, dane->depth);
965 X509_STORE_CTX_set_current_cert(ctx, top);
970 /* Pop synthetic trust-anchor ancestors off the chain! */
971 while (--chain_length > dane->depth)
972 X509_free(sk_X509_pop(chain));
980 * Check for an EE match, then a CA match at depths > 0, and
981 * finally, if the EE cert is self-issued, for a depth 0 CA match.
984 matched = match(leaf_rrs, xn, 0);
985 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched EE\n");
987 if (!matched && issuer_rrs)
988 for (n = chain_length-1; !matched && n >= 0; --n)
990 xn = sk_X509_value(chain, n);
991 if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
992 matched = match(issuer_rrs, xn, n);
994 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched %s\n",
995 n>0 ? "CA" : "selfisssued EE");
999 X509_STORE_CTX_set_error_depth(ctx, 0);
1000 X509_STORE_CTX_set_current_cert(ctx, cert);
1001 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
1013 /* Tail recurse into OpenSSL's internal_verify */
1014 return dane->verify(ctx);
1018 dane_reset(ssl_dane *dane)
1023 OPENSSL_free(dane->mhost);
1028 sk_X509_pop_free(dane->roots, X509_free);
1033 sk_X509_pop_free(dane->chain, X509_free);
1038 X509_free(dane->match);
1045 verify_cert(X509_STORE_CTX *ctx, void *unused_ctx)
1047 static int ssl_idx = -1;
1050 int (*cb)(int, X509_STORE_CTX *) = X509_STORE_CTX_get_verify_cb(ctx);
1051 X509 *cert = X509_STORE_CTX_get0_cert(ctx);
1054 DEBUG(D_tls) debug_printf("Dane verify_cert\n");
1057 ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1060 DANEerr(DANESSL_F_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
1064 ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
1065 if (!(dane = SSL_get_ex_data(ssl, dane_idx)) || !cert)
1066 return X509_verify_cert(ctx);
1068 /* Reset for verification of a new chain, perhaps a renegotiation. */
1071 if (dane->selectors[DANESSL_USAGE_DANE_EE])
1073 if ((matched = check_end_entity(ctx, dane, cert)) > 0)
1075 X509_STORE_CTX_set_error_depth(ctx, 0);
1076 X509_STORE_CTX_set_current_cert(ctx, cert);
1081 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1086 if (dane->selectors[DANESSL_USAGE_DANE_TA])
1088 if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
1090 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1096 * Check that setting the untrusted chain updates the expected
1097 * structure member at the expected offset.
1099 X509_STORE_CTX_trusted_stack(ctx, dane->roots);
1100 X509_STORE_CTX_set_chain(ctx, dane->chain);
1101 OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx));
1106 * Name checks and usage 0/1 constraint enforcement are delayed until
1107 * X509_verify_cert() builds the full chain and calls our verify_chain()
1110 dane->verify = X509_STORE_CTX_get_verify(ctx);
1111 X509_STORE_CTX_set_verify(ctx, verify_chain);
1113 if (X509_verify_cert(ctx))
1117 * If the chain is invalid, clear any matching cert or hostname, to
1118 * protect callers that might erroneously rely on these alone without
1119 * checking the validation status.
1123 X509_free(dane->match);
1128 OPENSSL_free(dane->mhost);
1135 list_alloc(size_t vsize)
1137 void *value = (void *) OPENSSL_malloc(vsize);
1142 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1145 if (!(l = (dane_list) OPENSSL_malloc(sizeof(*l))))
1147 OPENSSL_free(value);
1148 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1157 list_free(void *list, void (*f)(void *))
1161 for (dane_list head = (dane_list) list; head; head = next)
1164 if (f && head->value)
1177 dane_mtype_free(void *p)
1179 list_free(((dane_mtype) p)->data, ossl_free);
1184 dane_selector_free(void *p)
1186 list_free(((dane_selector) p)->mtype, dane_mtype_free);
1194 Tidy up once the connection is finished with.
1197 ssl The ssl connection handle
1199 => Before calling SSL_free()
1200 tls_close() and tls_getc() [the error path] are the obvious places.
1201 Could we do it earlier - right after verification? In tls_client_start()
1202 right after SSL_connect() returns, in that case.
1207 DANESSL_cleanup(SSL *ssl)
1211 DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
1213 if (dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1215 (void) SSL_set_ex_data(ssl, dane_idx, 0);
1219 list_free(dane->hosts, ossl_free);
1220 for (int u = 0; u <= DANESSL_USAGE_LAST; ++u)
1221 if (dane->selectors[u])
1222 list_free(dane->selectors[u], dane_selector_free);
1224 list_free(dane->pkeys, pkey_free);
1226 list_free(dane->certs, cert_free);
1230 static dane_host_list
1231 host_list_init(const char **src)
1233 dane_host_list head = NULL;
1237 dane_host_list elem = (dane_host_list) OPENSSL_malloc(sizeof(*elem));
1240 list_free(head, ossl_free);
1243 elem->value = OPENSSL_strdup(*src++);
1244 LINSERT(head, elem);
1251 DANESSL_get_match_cert(SSL *ssl, X509 **match, const char **mhost, int *depth)
1255 if (dane_idx < 0 || (dane = SSL_get_ex_data(ssl, dane_idx)) == 0)
1257 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1264 *match = dane->match;
1266 *mhost = dane->mhost;
1268 *depth = dane->mdpth;
1271 return (dane->match != 0);
1277 DANESSL_verify_chain(SSL *ssl, STACK_OF(X509) *chain)
1281 X509_STORE_CTX * store_ctx;
1282 SSL_CTX *ssl_ctx = SSL_get_SSL_CTX(ssl);
1283 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
1284 int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1286 cert = sk_X509_value(chain, 0);
1287 if (!(store_ctx = X509_STORE_CTX_new()))
1289 DANEerr(DANESSL_F_DANESSL_VERIFY_CHAIN, ERR_R_MALLOC_FAILURE);
1292 if (!X509_STORE_CTX_init(store_ctx, store, cert, chain))
1294 X509_STORE_CTX_free(store_ctx);
1297 X509_STORE_CTX_set_ex_data(store_ctx, store_ctx_idx, ssl);
1299 X509_STORE_CTX_set_default(store_ctx,
1300 SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
1301 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
1302 SSL_get0_param(ssl));
1304 if (SSL_get_verify_callback(ssl))
1305 X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
1307 ret = verify_cert(store_ctx, NULL);
1309 SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(store_ctx));
1310 X509_STORE_CTX_cleanup(store_ctx);
1321 Call this for each TLSA record found for the target, after the
1322 DANE setup has been done on the ssl connection handle.
1325 ssl Connection handle
1326 usage TLSA record field
1327 selector TLSA record field
1328 mdname ??? message digest name?
1329 data ??? TLSA record megalump?
1339 DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
1340 unsigned const char *data, size_t dlen)
1343 dane_selector_list s = 0;
1344 dane_mtype_list m = 0;
1345 dane_data_list d = 0;
1346 dane_cert_list xlist = 0;
1347 dane_pkey_list klist = 0;
1348 const EVP_MD *md = 0;
1350 DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
1351 usage, selector, mdname);
1353 if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1355 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1359 if (usage > DANESSL_USAGE_LAST)
1361 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_USAGE);
1364 if (selector > DANESSL_SELECTOR_LAST)
1366 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_SELECTOR);
1370 /* Support built-in standard one-digit mtypes */
1371 if (mdname && *mdname && mdname[1] == '\0')
1372 switch (*mdname - '0')
1374 case DANESSL_MATCHING_FULL: mdname = 0; break;
1375 case DANESSL_MATCHING_2256: mdname = "sha256"; break;
1376 case DANESSL_MATCHING_2512: mdname = "sha512"; break;
1378 if (mdname && *mdname && !(md = EVP_get_digestbyname(mdname)))
1380 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST);
1383 if (mdname && *mdname && dlen != EVP_MD_size(md))
1385 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH);
1390 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA);
1395 * Full Certificate or Public Key when NULL or empty digest name
1397 if (!mdname || !*mdname)
1401 const unsigned char *p = data;
1403 #define xklistinit(lvar, ltype, var, freeFunc) do { \
1404 (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
1405 if ((lvar) == 0) { \
1406 DANEerr(DANESSL_F_ADD_TLSA, ERR_R_MALLOC_FAILURE); \
1411 lvar->value = var; \
1413 #define xkfreeret(ret) do { \
1414 if (xlist) list_free(xlist, cert_free); \
1415 if (klist) list_free(klist, pkey_free); \
1421 case DANESSL_SELECTOR_CERT:
1422 if (!d2i_X509(&x, &p, dlen) || dlen != p - data)
1426 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT);
1429 k = X509_get_pubkey(x);
1434 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT_PKEY);
1437 if (usage == DANESSL_USAGE_DANE_TA)
1438 xklistinit(xlist, dane_cert_list, x, X509_free);
1441 case DANESSL_SELECTOR_SPKI:
1442 if (!d2i_PUBKEY(&k, &p, dlen) || dlen != p - data)
1446 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_PKEY);
1449 if (usage == DANESSL_USAGE_DANE_TA)
1450 xklistinit(klist, dane_pkey_list, k, EVP_PKEY_free);
1455 /* Find insertion point and don't add duplicate elements. */
1456 for (s = dane->selectors[usage]; s; s = s->next)
1457 if (s->value->selector == selector)
1459 for (m = s->value->mtype; m; m = m->next)
1460 if (m->value->md == md)
1462 for (d = m->value->data; d; d = d->next)
1463 if ( d->value->datalen == dlen
1464 && memcmp(d->value->data, data, dlen) == 0)
1471 if ((d = (dane_data_list) list_alloc(sizeof(*d->value) + dlen)) == 0)
1473 d->value->datalen = dlen;
1474 memcpy(d->value->data, data, dlen);
1477 if ((m = (dane_mtype_list) list_alloc(sizeof(*m->value))) == 0)
1479 list_free(d, ossl_free);
1483 if ((m->value->md = md) != 0)
1484 m->value->mdlen = dlen;
1487 if ((s = (dane_selector_list) list_alloc(sizeof(*s->value))) == 0)
1489 list_free(m, dane_mtype_free);
1492 s->value->mtype = 0;
1493 s->value->selector = selector;
1494 LINSERT(dane->selectors[usage], s);
1496 LINSERT(s->value->mtype, m);
1498 LINSERT(m->value->data, d);
1501 LINSERT(dane->certs, xlist);
1503 LINSERT(dane->pkeys, klist);
1512 Call this once we have an ssl connection handle but before
1513 making the TLS connection.
1515 => In tls_client_start() after the call to SSL_new()
1516 and before the call to SSL_connect(). Exactly where
1517 probably does not matter.
1518 We probably want to keep our existing SNI handling;
1519 call this with NULL.
1522 ssl Connection handle
1523 sni_domain Optional peer server name
1524 hostnames list of names to chack against peer cert
1533 DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
1537 DEBUG(D_tls) debug_printf("Dane ssl_init\n");
1540 DANEerr(DANESSL_F_INIT, DANESSL_R_LIBRARY_INIT);
1544 if (sni_domain && !SSL_set_tlsext_host_name(ssl, sni_domain))
1547 if ((dane = (ssl_dane *) OPENSSL_malloc(sizeof(ssl_dane))) == 0)
1549 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1552 if (!SSL_set_ex_data(ssl, dane_idx, dane))
1554 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1568 dane->mhost = 0; /* Future SSL control interface */
1569 dane->mdpth = 0; /* Future SSL control interface */
1570 dane->multi = 0; /* Future SSL control interface */
1574 for (int i = 0; i <= DANESSL_USAGE_LAST; ++i)
1575 dane->selectors[i] = 0;
1577 if (hostnames && (dane->hosts = host_list_init(hostnames)) == 0)
1579 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1580 DANESSL_cleanup(ssl);
1590 Call this once we have a context to work with, but
1591 before DANESSL_init()
1593 => in tls_client_start(), after tls_init() call gives us the ctx,
1594 if we decide we want to (policy) and can (TLSA records available)
1595 replacing (? what about fallback) everything from testing tls_verify_hosts
1596 down to just before calling SSL_new() for the conn handle.
1607 DANESSL_CTX_init(SSL_CTX *ctx)
1609 DEBUG(D_tls) debug_printf("Dane ctx-init\n");
1612 SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
1615 DANEerr(DANESSL_F_CTX_INIT, DANESSL_R_LIBRARY_INIT);
1623 * Store library id in zeroth function slot, used to locate the library
1624 * name. This must be done before we load the error strings.
1626 err_lib_dane = ERR_get_next_error_library();
1628 #ifndef OPENSSL_NO_ERR
1629 if (err_lib_dane > 0)
1631 dane_str_functs[0].error |= ERR_PACK(err_lib_dane, 0, 0);
1632 ERR_load_strings(err_lib_dane, dane_str_functs);
1633 ERR_load_strings(err_lib_dane, dane_str_reasons);
1638 * Register SHA-2 digests, if implemented and not already registered.
1640 #if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
1641 if (!EVP_get_digestbyname(LN_sha224)) EVP_add_digest(EVP_sha224());
1642 if (!EVP_get_digestbyname(LN_sha256)) EVP_add_digest(EVP_sha256());
1644 #if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
1645 if (!EVP_get_digestbyname(LN_sha384)) EVP_add_digest(EVP_sha384());
1646 if (!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
1650 * Register an SSL index for the connection-specific ssl_dane structure.
1651 * Using a separate index makes it possible to add DANE support to
1652 * existing OpenSSL releases that don't have a suitable pointer in the
1655 dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
1659 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
1661 run_once(volatile int * once, void (*init)(void))
1665 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
1668 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1669 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1678 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1680 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1688 Call this once. Probably early in startup will do; may need
1689 to be after SSL library init.
1691 => put after call to tls_init() for now
1699 DANESSL_library_init(void)
1701 static CRYPTO_ONCE once = CRYPTO_ONCE_STATIC_INIT;
1703 DEBUG(D_tls) debug_printf("Dane lib-init\n");
1704 (void) CRYPTO_THREAD_run_once(&once, dane_init);
1706 #if defined(LN_sha256)
1707 /* No DANE without SHA256 support */
1708 if (dane_idx >= 0 && EVP_get_digestbyname(LN_sha256) != 0)
1711 DANEerr(DANESSL_F_LIBRARY_INIT, DANESSL_R_SUPPORT);