1 /*
2 * Verify or create TLS authentication with DANE (RFC6698)
3 *
4 * (c) NLnetLabs 2012
5 *
6 * See the file LICENSE for the license.
7 *
8 * wish list:
9 * - nicer reporting (tracing of evaluation process)
10 * - verbosity levels
11 * - STARTTLS support
12 */
13
14 #include "config.h"
15 #include <unistd.h>
16 #include <stdlib.h>
17 #include <sys/types.h>
18
19 #ifdef HAVE_NETINET_IN_H
20 #include <netinet/in.h>
21 #endif
22 #ifdef HAVE_SYS_SOCKET_H
23 #include <sys/socket.h>
24 #endif
25 #ifdef HAVE_NETDB_H
26 #include <netdb.h>
27 #endif
28 #ifdef HAVE_ARPA_INET_H
29 #include <arpa/inet.h>
30 #endif
31 #include <sys/time.h>
32 #include <errno.h>
33 #include <fcntl.h>
34
35 #include <ldns/ldns.h>
36
37 #ifdef USE_DANE
38 #ifdef HAVE_SSL
39 #include <openssl/ssl.h>
40 #include <openssl/err.h>
41 #include <openssl/x509v3.h>
42
43 #ifndef IPPROTO_SCTP
44 #define IPPROTO_SCTP 132
45 #endif
46
47 #define LDNS_ERR(code, msg) do { if (code != LDNS_STATUS_OK) \
48 ldns_err(msg, code); } while (false)
49 #define MEMERR(msg) do { fprintf(stderr, "memory error in %s\n", msg); \
50 exit(EXIT_FAILURE); } while (false)
51 #define BUFSIZE 16384
52
53 /* Exit status on a PKIX validated connection but without TLSA records
54 * when the -T option was given:
55 */
56 #define NO_TLSAS_EXIT_STATUS 2
57
58 /* int verbosity = 3; */
59
60 static void
print_usage(const char * progname)61 print_usage(const char* progname)
62 {
63 #ifdef USE_DANE_VERIFY
64 printf("Usage: %s [OPTIONS] verify <name> <port>\n", progname);
65 printf(" or: %s [OPTIONS] -t <tlsafile> verify\n", progname);
66 printf("\n\tVerify the TLS connection at <name>:<port> or"
67 "\n\tuse TLSA record(s) from <tlsafile> to verify the\n"
68 "\tTLS service they reference.\n");
69 printf("\n or: %s [OPTIONS] create <name> <port> [<usage> "
70 #else
71 printf("Usage: %s [OPTIONS] create <name> <port> [<usage> "
72 #endif
73 "[<selector> [<type>]]]\n", progname);
74 printf("\n\tUse the TLS connection(s) to <name> <port> "
75 "to create the TLSA\n\t"
76 "resource record(s) that would "
77 "authenticate the connection.\n");
78 printf("\n\t<usage>"
79 "\t\t0 | PKIX-TA : CA constraint\n"
80 "\t\t\t1 | PKIX-EE : Service certificate constraint\n"
81 "\t\t\t2 | DANE-TA : Trust anchor assertion\n"
82 "\t\t\t3 | DANE-EE : Domain-issued certificate "
83 "(default)\n");
84 printf("\n\t<selector>"
85 "\t0 | Cert : Full certificate\n"
86 "\t\t\t1 | SPKI : SubjectPublicKeyInfo "
87 "(default)\n");
88 printf("\n\t<type>"
89 "\t\t0 | Full : No hash used\n"
90 "\t\t\t1 | SHA2-256 : SHA-256 (default)\n"
91 "\t\t\t2 | SHA2-512 : SHA-512\n");
92
93 printf("OPTIONS:\n");
94 printf("\t-h\t\tshow this text\n");
95 printf("\t-4\t\tTLS connect IPv4 only\n");
96 printf("\t-6\t\tTLS connect IPv6 only\n");
97 printf("\t-r <address>\t"
98 "use resolver at <address> instead of local resolver\n");
99 printf("\t-a <address>\t"
100 "don't resolve <name>, but connect to <address>(es)\n");
101 printf("\t-b\t\t"
102 "print \"<name>. TYPE52 \\#<size> <hex data>\" form\n"
103 );
104 printf("\t-c <certfile>\t"
105 "verify or create TLSA records for the\n"
106 "\t\t\tcertificate (chain) in <certfile>\n"
107 );
108 printf("\t-d\t\tassume DNSSEC validity even when insecure or bogus\n");
109 printf("\t-f <CAfile>\tuse CAfile to validate\n");
110 #if HAVE_DANE_CA_FILE
111 printf("\t\t\tDefault is %s\n", LDNS_DANE_CA_FILE);
112 #endif
113 printf("\t-i\t\tinteract after connecting\n");
114 printf("\t-k <keyfile>\t"
115 "use DNSKEY/DS rr(s) in <keyfile> to validate TLSAs\n"
116 "\t\t\twhen signature chasing (i.e. -S)\n"
117 );
118 printf("\t\t\tDefault is %s\n", LDNS_TRUST_ANCHOR_FILE);
119 printf("\t-n\t\tdo *not* verify server name in certificate\n");
120 printf("\t-o <offset>\t"
121 "select <offset>th certificate from the end of\n"
122 "\t\t\tthe validation chain. -1 means self-signed at end\n"
123 );
124 printf("\t-p <CApath>\t"
125 "use certificates in the <CApath> directory to validate\n"
126 );
127 #if HAVE_DANE_CA_PATH
128 printf("\t\t\tDefaults is %s\n", LDNS_DANE_CA_PATH);
129 #endif
130 printf("\t-s\t\tassume PKIX validity\n");
131 printf("\t-S\t\tChase signature(s) to a known key\n");
132 printf("\t-t <tlsafile>\tdo not use DNS, "
133 "but read TLSA record(s) from <tlsafile>\n"
134 );
135 printf("\t-T\t\tReturn exit status 2 for PKIX validated connections\n"
136 "\t\t\twithout (secure) TLSA records(s)\n");
137 printf("\t-u\t\tuse UDP transport instead of TCP\n");
138 printf("\t-v\t\tshow version and exit\n");
139 /* printf("\t-V [0-5]\tset verbosity level (default 3)\n"); */
140 exit(EXIT_SUCCESS);
141 }
142
143 static int
dane_int_within_range(const char * arg,int max,const char * name)144 dane_int_within_range(const char* arg, int max, const char* name)
145 {
146 char* endptr; /* utility var for strtol usage */
147 int val = strtol(arg, &endptr, 10);
148
149 if ((val < 0 || val > max)
150 || (errno != 0 && val == 0) /* out of range */
151 || endptr == arg /* no digits */
152 || *endptr != '\0' /* more chars */
153 ) {
154 fprintf(stderr, "<%s> should be in range [0-%d]\n", name, max);
155 exit(EXIT_FAILURE);
156 }
157 return val;
158 }
159
160 struct dane_param_choice_struct {
161 const char* name;
162 int number;
163 };
164 typedef struct dane_param_choice_struct dane_param_choice;
165
166 dane_param_choice dane_certificate_usage_table[] = {
167 { "PKIX-TA" , 0 },
168 { "CA constraint" , 0 },
169 { "CA-constraint" , 0 },
170 { "PKIX-EE" , 1 },
171 { "Service certificate constraint" , 1 },
172 { "Service-certificate-constraint" , 1 },
173 { "DANE-TA" , 2 },
174 { "Trust anchor assertion" , 2 },
175 { "Trust-anchor-assertion" , 2 },
176 { "anchor" , 2 },
177 { "DANE-EE" , 3 },
178 { "Domain-issued certificate" , 3 },
179 { "Domain-issued-certificate" , 3 },
180 { "PrivCert" , 255 },
181 { NULL, -1 }
182 };
183
184 dane_param_choice dane_selector_table[] = {
185 { "Cert" , 0 },
186 { "Full certificate" , 0 },
187 { "Full-certificate" , 0 },
188 { "certificate" , 0 },
189 { "SPKI" , 1 },
190 { "SubjectPublicKeyInfo", 1 },
191 { "PublicKey" , 1 },
192 { "pubkey" , 1 },
193 { "key" , 1 },
194 { "PrivSel" , 255 },
195 { NULL, -1 }
196 };
197
198 dane_param_choice dane_matching_type_table[] = {
199 { "Full" , 0 },
200 { "no-hash-used" , 0 },
201 { "no hash used" , 0 },
202 { "SHA2-256" , 1 },
203 { "sha256" , 1 },
204 { "sha-256" , 1 },
205 { "SHA2-512" , 2 },
206 { "sha512" , 2 },
207 { "sha-512" , 2 },
208 { "PrivMatch" , 255 },
209 { NULL, -1 }
210 };
211
212 static int
dane_int_within_range_table(const char * arg,int max,const char * name,dane_param_choice table[])213 dane_int_within_range_table(const char* arg, int max, const char* name,
214 dane_param_choice table[])
215 {
216 dane_param_choice* t;
217
218 if (*arg) {
219 for (t = table; t->name; t++) {
220 if (strncasecmp(arg, t->name, strlen(arg)) == 0) {
221 return t->number;
222 }
223 }
224 }
225 return dane_int_within_range(arg, max, name);
226 }
227
228 static void
ssl_err(const char * s)229 ssl_err(const char* s)
230 {
231 fprintf(stderr, "error: %s\n", s);
232 ERR_print_errors_fp(stderr);
233 exit(EXIT_FAILURE);
234 }
235
236 static void
ldns_err(const char * s,ldns_status err)237 ldns_err(const char* s, ldns_status err)
238 {
239 if (err == LDNS_STATUS_SSL_ERR) {
240 ssl_err(s);
241 } else {
242 fprintf(stderr, "%s: %s\n", s, ldns_get_errorstr_by_id(err));
243 exit(EXIT_FAILURE);
244 }
245 }
246
247 static ldns_status
ssl_connect_and_get_cert_chain(X509 ** cert,STACK_OF (X509)** extra_certs,SSL * ssl,const char * name_str,ldns_rdf * address,uint16_t port,ldns_dane_transport transport)248 ssl_connect_and_get_cert_chain(
249 X509** cert, STACK_OF(X509)** extra_certs,
250 SSL* ssl, const char* name_str,
251 ldns_rdf* address, uint16_t port,
252 ldns_dane_transport transport)
253 {
254 struct sockaddr_storage *a = NULL;
255 size_t a_len = 0;
256 int sock;
257 int r;
258
259 assert(cert != NULL);
260 assert(extra_certs != NULL);
261
262 a = ldns_rdf2native_sockaddr_storage(address, port, &a_len);
263 switch (transport) {
264 case LDNS_DANE_TRANSPORT_TCP:
265
266 sock = socket((int)((struct sockaddr*)a)->sa_family,
267 SOCK_STREAM, IPPROTO_TCP);
268 break;
269
270 case LDNS_DANE_TRANSPORT_UDP:
271
272 sock = socket((int)((struct sockaddr*)a)->sa_family,
273 SOCK_DGRAM, IPPROTO_UDP);
274 break;
275
276 case LDNS_DANE_TRANSPORT_SCTP:
277
278 sock = socket((int)((struct sockaddr*)a)->sa_family,
279 SOCK_STREAM, IPPROTO_SCTP);
280 break;
281
282 default:
283 LDNS_FREE(a);
284 return LDNS_STATUS_DANE_UNKNOWN_TRANSPORT;
285 }
286 if (sock == -1) {
287 LDNS_FREE(a);
288 return LDNS_STATUS_NETWORK_ERR;
289 }
290 if (connect(sock, (struct sockaddr*)a, (socklen_t)a_len) == -1) {
291 LDNS_FREE(a);
292 return LDNS_STATUS_NETWORK_ERR;
293 }
294 LDNS_FREE(a);
295 if (! SSL_clear(ssl)) {
296 close(sock);
297 fprintf(stderr, "SSL_clear\n");
298 return LDNS_STATUS_SSL_ERR;
299 }
300 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
301 (void) SSL_set_tlsext_host_name(ssl, name_str);
302 #endif
303 SSL_set_connect_state(ssl);
304 (void) SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
305 if (! SSL_set_fd(ssl, sock)) {
306 close(sock);
307 fprintf(stderr, "SSL_set_fd\n");
308 return LDNS_STATUS_SSL_ERR;
309 }
310 for (;;) {
311 ERR_clear_error();
312 if ((r = SSL_do_handshake(ssl)) == 1) {
313 break;
314 }
315 r = SSL_get_error(ssl, r);
316 if (r != SSL_ERROR_WANT_READ && r != SSL_ERROR_WANT_WRITE) {
317 fprintf(stderr, "handshaking SSL_get_error: %d\n", r);
318 return LDNS_STATUS_SSL_ERR;
319 }
320 }
321 *cert = SSL_get_peer_certificate(ssl);
322 *extra_certs = SSL_get_peer_cert_chain(ssl);
323
324 return LDNS_STATUS_OK;
325 }
326
327
328 #ifdef USE_DANE_VERIFY
329 static void
ssl_interact(SSL * ssl)330 ssl_interact(SSL* ssl)
331 {
332 fd_set rfds;
333 int maxfd;
334 int sock;
335 int r;
336
337 char buf[BUFSIZE];
338 char* bufptr;
339 int to_write;
340 int written;
341
342 sock = SSL_get_fd(ssl);
343 if (sock == -1) {
344 return;
345 }
346 maxfd = (STDIN_FILENO > sock ? STDIN_FILENO : sock) + 1;
347 for (;;) {
348 #ifndef S_SPLINT_S
349 FD_ZERO(&rfds);
350 #endif /* splint */
351 FD_SET(sock, &rfds);
352 FD_SET(STDIN_FILENO, &rfds);
353
354 r = select(maxfd, &rfds, NULL, NULL, NULL);
355 if (r == -1) {
356 perror("select");
357 break;
358 }
359 if (FD_ISSET(sock, &rfds)) {
360 to_write = SSL_read(ssl, buf, BUFSIZE);
361 if (to_write <= 0) {
362 r = SSL_get_error(ssl, to_write);
363 if (r != SSL_ERROR_ZERO_RETURN) {
364 fprintf(stderr,
365 "reading SSL_get_error:"
366 " %d\n", r);
367 }
368 break;
369 }
370 bufptr = buf;
371 while (to_write > 0) {
372 written = (int) fwrite(bufptr, 1,
373 (size_t) to_write, stdout);
374 if (written == 0) {
375 perror("fwrite");
376 break;
377 }
378 to_write -= written;
379 bufptr += written;
380 }
381 } /* if (FD_ISSET(sock, &rfds)) */
382
383 if (FD_ISSET(STDIN_FILENO, &rfds)) {
384 to_write = (int) read(STDIN_FILENO, buf, BUFSIZE - 1);
385 if (to_write <= 0) {
386 if (to_write == -1) {
387 perror("read");
388 }
389 break;
390 }
391 if (buf[to_write - 1] == '\n') {
392 buf[to_write - 1] = '\r';
393 buf[to_write ] = '\n';
394 to_write += 1;
395 }
396 bufptr = buf;
397 while (to_write > 0) {
398 written = SSL_write(ssl, bufptr, to_write);
399 if (written <= 0) {
400 r = SSL_get_error(ssl, to_write);
401 if (r != SSL_ERROR_ZERO_RETURN) {
402 fprintf(stderr,
403 "writing SSL_get_error"
404 ": %d\n", r);
405 }
406 break;
407 }
408 to_write -= written;
409 bufptr += written;
410 }
411 } /* if (FD_ISSET(STDIN_FILENO, &rfds)) */
412
413 } /* for (;;) */
414 }
415 #endif /* USE_DANE_VERIFY */
416
417
418 static ldns_rr_list*
rr_list_filter_rr_type(ldns_rr_list * l,ldns_rr_type t)419 rr_list_filter_rr_type(ldns_rr_list* l, ldns_rr_type t)
420 {
421 size_t i;
422 ldns_rr* rr;
423 ldns_rr_list* r = ldns_rr_list_new();
424
425 if (r == NULL) {
426 return r;
427 }
428 for (i = 0; i < ldns_rr_list_rr_count(l); i++) {
429 rr = ldns_rr_list_rr(l, i);
430 if (ldns_rr_get_type(rr) == t) {
431 if (! ldns_rr_list_push_rr(r, rr)) {
432 ldns_rr_list_free(r);
433 return NULL;
434 }
435 }
436 }
437 return r;
438 }
439
440
441 /* Return a copy of the list of tlsa records where the usage types
442 * "CA constraint" are replaced with "Trust anchor assertion" and the usage
443 * types "Service certificate constraint" are replaced with
444 * "Domain-issued certificate".
445 *
446 * This to check what would happen if PKIX validation was successful always.
447 */
448 static ldns_rr_list*
dane_no_pkix_transform(const ldns_rr_list * tlas)449 dane_no_pkix_transform(const ldns_rr_list* tlas)
450 {
451 size_t i;
452 ldns_rr* rr;
453 ldns_rr* new_rr;
454 ldns_rdf* rdf;
455 ldns_rr_list* r = ldns_rr_list_new();
456
457 if (r == NULL) {
458 return r;
459 }
460 for (i = 0; i < ldns_rr_list_rr_count(tlas); i++) {
461 rr = ldns_rr_list_rr(tlas, i);
462 if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_TLSA) {
463
464 new_rr = ldns_rr_clone(rr);
465 if (!new_rr) {
466 ldns_rr_list_deep_free(r);
467 return NULL;
468 }
469 switch(ldns_rdf2native_int8(ldns_rr_rdf(new_rr, 0))) {
470
471 case LDNS_TLSA_USAGE_CA_CONSTRAINT:
472
473 rdf = ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
474 (uint8_t) LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION);
475 if (! rdf) {
476 ldns_rr_free(new_rr);
477 ldns_rr_list_deep_free(r);
478 return NULL;
479 }
480 (void) ldns_rr_set_rdf(new_rr, rdf, 0);
481 break;
482
483
484 case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
485
486 rdf = ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
487 (uint8_t) LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE);
488 if (! rdf) {
489 ldns_rr_free(new_rr);
490 ldns_rr_list_deep_free(r);
491 return NULL;
492 }
493 (void) ldns_rr_set_rdf(new_rr, rdf, 0);
494 break;
495
496
497 default:
498 break;
499 }
500 if (! ldns_rr_list_push_rr(r, new_rr)) {
501 ldns_rr_free(new_rr);
502 ldns_rr_list_deep_free(r);
503 return NULL;
504 }
505 }
506 }
507 return r;
508 }
509
510 static void
print_rr_as_TYPEXXX(FILE * out,ldns_rr * rr)511 print_rr_as_TYPEXXX(FILE* out, ldns_rr* rr)
512 {
513 size_t i, sz;
514 ldns_status s;
515 ldns_buffer* buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
516 char* str;
517
518 ldns_buffer_clear(buf);
519 s = ldns_rdf2buffer_str_dname(buf, ldns_rr_owner(rr));
520 LDNS_ERR(s, "could not ldns_rdf2buffer_str_dname");
521 ldns_buffer_printf(buf, "\t%d", ldns_rr_ttl(rr));
522 ldns_buffer_printf(buf, "\t");
523 s = ldns_rr_class2buffer_str(buf, ldns_rr_get_class(rr));
524 LDNS_ERR(s, "could not ldns_rr_class2buffer_str");
525 ldns_buffer_printf(buf, "\tTYPE%d", ldns_rr_get_type(rr));
526 sz = 0;
527 for (i = 0; i < ldns_rr_rd_count(rr); i++) {
528 sz += ldns_rdf_size(ldns_rr_rdf(rr, i));
529 }
530 ldns_buffer_printf(buf, "\t\\# %d ", sz);
531 for (i = 0; i < ldns_rr_rd_count(rr); i++) {
532 s = ldns_rdf2buffer_str_hex(buf, ldns_rr_rdf(rr, i));
533 LDNS_ERR(s, "could not ldns_rdf2buffer_str_hex");
534 }
535 str = ldns_buffer_export2str(buf);
536 ldns_buffer_free(buf);
537 fprintf(out, "%s\n", str);
538 LDNS_FREE(str);
539 }
540
541 static void
print_rr_list_as_TYPEXXX(FILE * out,ldns_rr_list * l)542 print_rr_list_as_TYPEXXX(FILE* out, ldns_rr_list* l)
543 {
544 size_t i;
545
546 for (i = 0; i < ldns_rr_list_rr_count(l); i++) {
547 print_rr_as_TYPEXXX(out, ldns_rr_list_rr(l, i));
548 }
549 }
550
551 static ldns_status
read_key_file(const char * filename,ldns_rr_list * keys)552 read_key_file(const char *filename, ldns_rr_list *keys)
553 {
554 ldns_status status = LDNS_STATUS_ERR;
555 ldns_rr *rr;
556 FILE *fp;
557 uint32_t my_ttl = 0;
558 ldns_rdf *my_origin = NULL;
559 ldns_rdf *my_prev = NULL;
560 int line_nr;
561
562 if (!(fp = fopen(filename, "r"))) {
563 return LDNS_STATUS_FILE_ERR;
564 }
565 while (!feof(fp)) {
566 status = ldns_rr_new_frm_fp_l(&rr, fp, &my_ttl, &my_origin,
567 &my_prev, &line_nr);
568
569 if (status == LDNS_STATUS_OK) {
570
571 if ( ldns_rr_get_type(rr) == LDNS_RR_TYPE_DS
572 || ldns_rr_get_type(rr) == LDNS_RR_TYPE_DNSKEY)
573
574 ldns_rr_list_push_rr(keys, rr);
575
576 } else if ( status == LDNS_STATUS_SYNTAX_EMPTY
577 || status == LDNS_STATUS_SYNTAX_TTL
578 || status == LDNS_STATUS_SYNTAX_ORIGIN
579 || status == LDNS_STATUS_SYNTAX_INCLUDE)
580
581 status = LDNS_STATUS_OK;
582 else
583 break;
584 }
585 fclose(fp);
586 return status;
587 }
588
589
590 static ldns_status
dane_setup_resolver(ldns_resolver ** res,ldns_rdf * nameserver_addr,ldns_rr_list * keys,bool dnssec_off)591 dane_setup_resolver(ldns_resolver** res, ldns_rdf* nameserver_addr,
592 ldns_rr_list* keys, bool dnssec_off)
593 {
594 ldns_status s = LDNS_STATUS_OK;
595
596 assert(res != NULL);
597
598 if (nameserver_addr) {
599 *res = ldns_resolver_new();
600 if (*res) {
601 s = ldns_resolver_push_nameserver(*res, nameserver_addr);
602 } else {
603 s = LDNS_STATUS_MEM_ERR;
604 }
605 } else {
606 s = ldns_resolver_new_frm_file(res, NULL);
607 }
608 if (s == LDNS_STATUS_OK) {
609 ldns_resolver_set_dnssec(*res, ! dnssec_off);
610
611 if (keys && ldns_rr_list_rr_count(keys) > 0) {
612 /* anchors must trigger signature chasing */
613 ldns_resolver_set_dnssec_anchors(*res, keys);
614 ldns_resolver_set_dnssec_cd(*res, true);
615 }
616 }
617 return s;
618 }
619
620
621 static ldns_status
dane_query(ldns_rr_list ** rrs,ldns_resolver * r,ldns_rdf * name,ldns_rr_type t,ldns_rr_class c,bool insecure_is_ok)622 dane_query(ldns_rr_list** rrs, ldns_resolver* r,
623 ldns_rdf *name, ldns_rr_type t, ldns_rr_class c,
624 bool insecure_is_ok)
625 {
626 ldns_pkt* p = NULL;
627 ldns_rr_list* keys = NULL;
628 ldns_rr_list* rrsigs = NULL;
629 ldns_rdf* signame = NULL;
630 ldns_status s;
631
632 assert(rrs != NULL);
633
634 p = ldns_resolver_query(r, name, t, c, LDNS_RD);
635 if (! p) {
636 return LDNS_STATUS_MEM_ERR;
637 }
638 *rrs = ldns_pkt_rr_list_by_type(p, t, LDNS_SECTION_ANSWER);
639
640 if (! ldns_resolver_dnssec(r)) { /* DNSSEC explicitly disabled,
641 anything goes */
642 ldns_pkt_free(p);
643 return LDNS_STATUS_OK;
644 }
645 if (ldns_rr_list_rr_count(*rrs) == 0) { /* assert(*rrs == NULL) */
646
647 if (ldns_pkt_get_rcode(p) == LDNS_RCODE_SERVFAIL) {
648
649 ldns_pkt_free(p);
650 return LDNS_STATUS_DANE_BOGUS;
651 } else {
652 ldns_pkt_free(p);
653 return LDNS_STATUS_OK;
654 }
655 }
656 /* We have answers and we have dnssec. */
657
658 if (! ldns_pkt_cd(p)) { /* we act as stub resolver (no sigchase) */
659
660 if (! ldns_pkt_ad(p)) { /* Not secure */
661
662 goto insecure;
663 }
664 ldns_pkt_free(p);
665 return LDNS_STATUS_OK;
666 }
667
668 /* sigchase */
669
670 /* TODO: handle cname reference check */
671
672 rrsigs = ldns_pkt_rr_list_by_type(p,
673 LDNS_RR_TYPE_RRSIG,
674 LDNS_SECTION_ANSWER);
675
676 if (! rrsigs || ldns_rr_list_rr_count(rrsigs) == 0) {
677 goto insecure;
678 }
679
680 signame = ldns_rr_rrsig_signame(ldns_rr_list_rr(rrsigs, 0));
681 if (! signame) {
682 s = LDNS_STATUS_ERR;
683 goto error;
684 }
685 /* First try with the keys we already have */
686 s = ldns_verify(*rrs, rrsigs, ldns_resolver_dnssec_anchors(r), NULL);
687 if (s == LDNS_STATUS_OK) {
688 goto cleanup;
689 }
690 /* Fetch the necessary keys and recheck */
691 keys = ldns_fetch_valid_domain_keys(r, signame,
692 ldns_resolver_dnssec_anchors(r), &s);
693
694 if (s != LDNS_STATUS_OK) {
695 goto error;
696 }
697 if (ldns_rr_list_rr_count(keys) == 0) { /* An insecure island */
698 goto insecure;
699 }
700 s = ldns_verify(*rrs, rrsigs, keys, NULL);
701 switch (s) {
702 case LDNS_STATUS_CRYPTO_BOGUS: goto bogus;
703 case LDNS_STATUS_OK : goto cleanup;
704 default : break;
705 }
706 insecure:
707 s = LDNS_STATUS_DANE_INSECURE;
708 bogus:
709 if (! insecure_is_ok) {
710 error:
711 ldns_rr_list_deep_free(*rrs);
712 *rrs = ldns_rr_list_new();
713 }
714 cleanup:
715 if (keys) {
716 ldns_rr_list_deep_free(keys);
717 }
718 if (rrsigs) {
719 ldns_rr_list_deep_free(rrsigs);
720 }
721 ldns_pkt_free(p);
722 return s;
723 }
724
725
726 static ldns_rr_list*
dane_lookup_addresses(ldns_resolver * res,ldns_rdf * dname,int ai_family)727 dane_lookup_addresses(ldns_resolver* res, ldns_rdf* dname,
728 int ai_family)
729 {
730 ldns_status s;
731 ldns_rr_list *as = NULL;
732 ldns_rr_list *aaas = NULL;
733 ldns_rr_list *r = ldns_rr_list_new();
734
735 if (r == NULL) {
736 MEMERR("ldns_rr_list_new");
737 }
738 if (ai_family == AF_UNSPEC || ai_family == AF_INET) {
739
740 s = dane_query(&as, res,
741 dname, LDNS_RR_TYPE_A, LDNS_RR_CLASS_IN,
742 true);
743
744 if (s == LDNS_STATUS_DANE_INSECURE &&
745 ldns_rr_list_rr_count(as) > 0) {
746 fprintf(stderr, "Warning! Insecure IPv4 addresses. "
747 "Continuing with them...\n");
748
749 } else if (s == LDNS_STATUS_DANE_BOGUS ||
750 LDNS_STATUS_CRYPTO_BOGUS == s) {
751 fprintf(stderr, "Warning! Bogus IPv4 addresses. "
752 "Discarding...\n");
753 ldns_rr_list_deep_free(as);
754 as = ldns_rr_list_new();
755
756 } else if (s != LDNS_STATUS_OK) {
757 LDNS_ERR(s, "dane_query");
758
759 }
760 if (! ldns_rr_list_push_rr_list(r, as)) {
761 MEMERR("ldns_rr_list_push_rr_list");
762 }
763 }
764 if (ai_family == AF_UNSPEC || ai_family == AF_INET6) {
765
766 s = dane_query(&aaas, res,
767 dname, LDNS_RR_TYPE_AAAA, LDNS_RR_CLASS_IN,
768 true);
769
770 if (s == LDNS_STATUS_DANE_INSECURE &&
771 ldns_rr_list_rr_count(aaas) > 0) {
772 fprintf(stderr, "Warning! Insecure IPv6 addresses. "
773 "Continuing with them...\n");
774
775 } else if (s == LDNS_STATUS_DANE_BOGUS ||
776 LDNS_STATUS_CRYPTO_BOGUS == s) {
777 fprintf(stderr, "Warning! Bogus IPv6 addresses. "
778 "Discarding...\n");
779 ldns_rr_list_deep_free(aaas);
780 aaas = ldns_rr_list_new();
781
782 } else if (s != LDNS_STATUS_OK) {
783 LDNS_ERR(s, "dane_query");
784
785 }
786 if (! ldns_rr_list_push_rr_list(r, aaas)) {
787 MEMERR("ldns_rr_list_push_rr_list");
788 }
789 }
790 return r;
791 }
792
793 static ldns_status
dane_read_tlsas_from_file(ldns_rr_list ** tlsas,char * filename,ldns_rdf * origin)794 dane_read_tlsas_from_file(ldns_rr_list** tlsas,
795 char* filename, ldns_rdf* origin)
796 {
797 FILE* fp = NULL;
798 ldns_rr* rr = NULL;
799 ldns_rdf *my_origin = NULL;
800 ldns_rdf *my_prev = NULL;
801 ldns_rdf *origin_lc = NULL;
802 int line_nr;
803 ldns_status s = LDNS_STATUS_MEM_ERR;
804
805 assert(tlsas != NULL);
806 assert(filename != NULL);
807
808 if (strcmp(filename, "-") == 0) {
809 fp = stdin;
810 } else {
811 fp = fopen(filename, "r");
812 if (!fp) {
813 fprintf(stderr, "Unable to open %s: %s\n",
814 filename, strerror(errno));
815 exit(EXIT_FAILURE);
816 }
817 }
818 if (origin) {
819 my_origin = ldns_rdf_clone(origin);
820 if (! my_origin) {
821 goto error;
822 }
823 my_prev = ldns_rdf_clone(origin);
824 if (! my_prev) {
825 goto error;
826 }
827 origin_lc = ldns_rdf_clone(origin);
828 if (! origin_lc) {
829 goto error;
830 }
831 ldns_dname2canonical(origin_lc);
832 }
833 *tlsas = ldns_rr_list_new();
834 if (! *tlsas) {
835 goto error;
836 }
837 while (! feof(fp)) {
838 s = ldns_rr_new_frm_fp_l(&rr, fp, NULL,
839 &my_origin, &my_prev, &line_nr);
840 if (s != LDNS_STATUS_OK) {
841 goto error;
842 }
843 if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_TLSA) {
844 ldns_dname2canonical(ldns_rr_owner(rr));
845 if (! origin || ldns_dname_compare(ldns_rr_owner(rr),
846 origin_lc) == 0) {
847 if (ldns_rr_list_push_rr(*tlsas, rr)) {
848 continue;
849 } else {
850 s = LDNS_STATUS_MEM_ERR;
851 goto error;
852 }
853 }
854 }
855 ldns_rr_free(rr);
856 }
857
858 ldns_rdf_deep_free(origin_lc);
859 ldns_rdf_deep_free(my_prev);
860 ldns_rdf_deep_free(my_origin);
861 fclose(fp);
862
863 return LDNS_STATUS_OK;
864
865 error:
866 if (*tlsas) {
867 ldns_rr_list_deep_free(*tlsas);
868 *tlsas = NULL;
869 }
870 if (origin_lc) {
871 ldns_rdf_deep_free(origin_lc);
872 }
873 if (my_prev) {
874 ldns_rdf_deep_free(my_prev);
875 }
876 if (my_origin) {
877 ldns_rdf_deep_free(my_origin);
878 }
879 if (fp && fp != stdin) {
880 fclose(fp);
881 }
882 return s;
883 }
884
885 static bool
dane_wildcard_label_cmp(uint8_t iw,const char * w,uint8_t il,const char * l)886 dane_wildcard_label_cmp(uint8_t iw, const char* w, uint8_t il, const char* l)
887 {
888 if (iw == 0) { /* End of match label */
889 if (il == 0) { /* And end in the to be matched label */
890 return true;
891 }
892 return false;
893 }
894 do {
895 if (*w == '*') {
896 if (iw == 1) { /* '*' is the last match char,
897 remainder matches wildcard */
898 return true;
899 }
900 while (il > 0) { /* more to match? */
901
902 if (w[1] == *l) { /* Char after '*' matches.
903 * Recursion for backtracking
904 */
905 if (dane_wildcard_label_cmp(
906 iw - 1, w + 1,
907 il , l)) {
908 return true;
909 }
910 }
911 l += 1;
912 il -= 1;
913 }
914 }
915 /* Skip up till next wildcard (if possible) */
916 while (il > 0 && iw > 0 && *w != '*' && *w == *l) {
917 w += 1;
918 l += 1;
919 il -= 1;
920 iw -= 1;
921 }
922 } while (iw > 0 && *w == '*' && /* More to match a next wildcard? */
923 (il > 0 || iw == 1));
924
925 return iw == 0 && il == 0;
926 }
927
928 static bool
dane_label_matches_label(ldns_rdf * w,ldns_rdf * l)929 dane_label_matches_label(ldns_rdf* w, ldns_rdf* l)
930 {
931 uint8_t iw;
932 uint8_t il;
933
934 iw = ldns_rdf_data(w)[0];
935 il = ldns_rdf_data(l)[0];
936 return dane_wildcard_label_cmp(
937 iw, (const char*)ldns_rdf_data(w) + 1,
938 il, (const char*)ldns_rdf_data(l) + 1);
939 }
940
941 static bool
dane_name_matches_server_name(const char * name_str,ldns_rdf * server_name)942 dane_name_matches_server_name(const char* name_str, ldns_rdf* server_name)
943 {
944 ldns_rdf* name;
945 uint8_t nn, ns, i;
946 ldns_rdf* ln;
947 ldns_rdf* ls;
948
949 name = ldns_dname_new_frm_str((const char*)name_str);
950 if (! name) {
951 LDNS_ERR(LDNS_STATUS_ERR, "ldns_dname_new_frm_str");
952 }
953 nn = ldns_dname_label_count(name);
954 ns = ldns_dname_label_count(server_name);
955 if (nn != ns) {
956 ldns_rdf_free(name);
957 return false;
958 }
959 ldns_dname2canonical(name);
960 for (i = 0; i < nn; i++) {
961 ln = ldns_dname_label(name, i);
962 if (! ln) {
963 return false;
964 }
965 ls = ldns_dname_label(server_name, i);
966 if (! ls) {
967 ldns_rdf_free(ln);
968 return false;
969 }
970 if (! dane_label_matches_label(ln, ls)) {
971 ldns_rdf_free(ln);
972 ldns_rdf_free(ls);
973 return false;
974 }
975 ldns_rdf_free(ln);
976 ldns_rdf_free(ls);
977 }
978 return true;
979 }
980
981 static bool
dane_X509_any_subject_alt_name_matches_server_name(X509 * cert,ldns_rdf * server_name)982 dane_X509_any_subject_alt_name_matches_server_name(
983 X509 *cert, ldns_rdf* server_name)
984 {
985 GENERAL_NAMES* names;
986 GENERAL_NAME* name;
987 unsigned char* subject_alt_name_str = NULL;
988 int i, n;
989
990 names = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0 );
991 if (! names) { /* No subjectAltName extension */
992 return false;
993 }
994 n = sk_GENERAL_NAME_num(names);
995 for (i = 0; i < n; i++) {
996 name = sk_GENERAL_NAME_value(names, i);
997 if (name->type == GEN_DNS) {
998 (void) ASN1_STRING_to_UTF8(&subject_alt_name_str,
999 name->d.dNSName);
1000 if (subject_alt_name_str) {
1001 if (dane_name_matches_server_name((char*)
1002 subject_alt_name_str,
1003 server_name)) {
1004 OPENSSL_free(subject_alt_name_str);
1005 return true;
1006 }
1007 OPENSSL_free(subject_alt_name_str);
1008 }
1009 }
1010 }
1011 /* sk_GENERAL_NAMES_pop_free(names, sk_GENERAL_NAME_free); */
1012 return false;
1013 }
1014
1015 static bool
dane_X509_subject_name_matches_server_name(X509 * cert,ldns_rdf * server_name)1016 dane_X509_subject_name_matches_server_name(X509 *cert, ldns_rdf* server_name)
1017 {
1018 X509_NAME* subject_name;
1019 int i;
1020 X509_NAME_ENTRY* entry;
1021 ASN1_STRING* entry_data;
1022 unsigned char* subject_name_str = NULL;
1023 bool r;
1024
1025 subject_name = X509_get_subject_name(cert);
1026 if (! subject_name ) {
1027 ssl_err("could not X509_get_subject_name");
1028 }
1029 i = X509_NAME_get_index_by_NID(subject_name, NID_commonName, -1);
1030 entry = X509_NAME_get_entry(subject_name, i);
1031 entry_data = X509_NAME_ENTRY_get_data(entry);
1032 (void) ASN1_STRING_to_UTF8(&subject_name_str, entry_data);
1033 if (subject_name_str) {
1034 r = dane_name_matches_server_name(
1035 (char*)subject_name_str, server_name);
1036 OPENSSL_free(subject_name_str);
1037 return r;
1038 } else {
1039 return false;
1040 }
1041 }
1042
1043 static bool
dane_verify_server_name(X509 * cert,ldns_rdf * server_name)1044 dane_verify_server_name(X509* cert, ldns_rdf* server_name)
1045 {
1046 ldns_rdf* server_name_lc;
1047 bool r;
1048 server_name_lc = ldns_rdf_clone(server_name);
1049 if (! server_name_lc) {
1050 LDNS_ERR(LDNS_STATUS_MEM_ERR, "ldns_rdf_clone");
1051 }
1052 ldns_dname2canonical(server_name_lc);
1053 r = dane_X509_any_subject_alt_name_matches_server_name(
1054 cert, server_name_lc) ||
1055 dane_X509_subject_name_matches_server_name(
1056 cert, server_name_lc);
1057 ldns_rdf_free(server_name_lc);
1058 return r;
1059 }
1060
1061 static void
dane_create(ldns_rr_list * tlsas,ldns_rdf * tlsa_owner,ldns_tlsa_certificate_usage certificate_usage,int offset,ldns_tlsa_selector selector,ldns_tlsa_matching_type matching_type,X509 * cert,STACK_OF (X509)* extra_certs,X509_STORE * validate_store,bool verify_server_name,ldns_rdf * name)1062 dane_create(ldns_rr_list* tlsas, ldns_rdf* tlsa_owner,
1063 ldns_tlsa_certificate_usage certificate_usage, int offset,
1064 ldns_tlsa_selector selector,
1065 ldns_tlsa_matching_type matching_type,
1066 X509* cert, STACK_OF(X509)* extra_certs,
1067 X509_STORE* validate_store,
1068 bool verify_server_name, ldns_rdf* name)
1069 {
1070 ldns_status s;
1071 X509* selected_cert;
1072 ldns_rr* tlsa_rr;
1073
1074 if (verify_server_name && ! dane_verify_server_name(cert, name)) {
1075 fprintf(stderr, "The certificate does not match the "
1076 "server name\n");
1077 exit(EXIT_FAILURE);
1078 }
1079
1080 s = ldns_dane_select_certificate(&selected_cert,
1081 cert, extra_certs, validate_store,
1082 certificate_usage, offset);
1083 LDNS_ERR(s, "could not select certificate");
1084
1085 s = ldns_dane_create_tlsa_rr(&tlsa_rr,
1086 certificate_usage, selector, matching_type,
1087 selected_cert);
1088 LDNS_ERR(s, "could not create tlsa rr");
1089
1090 ldns_rr_set_owner(tlsa_rr, ldns_rdf_clone(tlsa_owner));
1091
1092 if (! ldns_rr_list_contains_rr(tlsas, tlsa_rr)) {
1093 if (! ldns_rr_list_push_rr(tlsas, tlsa_rr)) {
1094 MEMERR("ldns_rr_list_push_rr");
1095 }
1096 }
1097 }
1098
1099 #if defined(USE_DANE_VERIFY) && ( OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) )
1100 static bool
dane_verify(ldns_rr_list * tlsas,ldns_rdf * address,X509 * cert,STACK_OF (X509)* extra_certs,X509_STORE * validate_store,bool verify_server_name,ldns_rdf * name,bool assume_pkix_validity)1101 dane_verify(ldns_rr_list* tlsas, ldns_rdf* address,
1102 X509* cert, STACK_OF(X509)* extra_certs,
1103 X509_STORE* validate_store,
1104 bool verify_server_name, ldns_rdf* name,
1105 bool assume_pkix_validity)
1106 {
1107 ldns_status s;
1108 char* address_str = NULL;
1109
1110 s = ldns_dane_verify(tlsas, cert, extra_certs, validate_store);
1111 if (address) {
1112 address_str = ldns_rdf2str(address);
1113 fprintf(stdout, "%s", address_str ? address_str : "<address>");
1114 free(address_str);
1115 } else {
1116 X509_NAME_print_ex_fp(stdout,
1117 X509_get_subject_name(cert), 0, 0);
1118 }
1119 if (s == LDNS_STATUS_OK) {
1120 if (verify_server_name &&
1121 ! dane_verify_server_name(cert, name)) {
1122
1123 fprintf(stdout, " did not dane-validate, because:"
1124 " the certificate name did not match"
1125 " the server name\n");
1126 return false;
1127 }
1128 fprintf(stdout, " dane-validated successfully\n");
1129 return true;
1130 } else if (assume_pkix_validity &&
1131 s == LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE) {
1132 fprintf(stdout, " dane-validated successfully,"
1133 " because PKIX is assumed valid\n");
1134 return true;
1135 }
1136 fprintf(stdout, " did not dane-validate, because: %s\n",
1137 ldns_get_errorstr_by_id(s));
1138 return false;
1139 }
1140 #endif /* defined(USE_DANE_VERIFY) && OPENSSL_VERSION_NUMBER < 0x10100000 */
1141
1142 #if OPENSSL_VERSION_NUMBER >= 0x10100000 && ! defined(HAVE_LIBRESSL)
_ldns_tls_verify_always_ok(int ok,X509_STORE_CTX * ctx)1143 static int _ldns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
1144 {
1145 (void)ok;
1146 (void)ctx;
1147 return 1;
1148 }
1149 #endif
1150
1151 /**
1152 * Return either an A or AAAA rdf, based on the given
1153 * string. If it it not a valid ip address, return null.
1154 *
1155 * Caller receives ownership of returned rdf (if not null),
1156 * and must free it.
1157 */
rdf_addr_frm_str(const char * str)1158 static inline ldns_rdf* rdf_addr_frm_str(const char* str) {
1159 ldns_rdf *a = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_A, str);
1160 if (!a) {
1161 a = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_AAAA, str);
1162 }
1163 return a;
1164 }
1165
1166
1167 int
main(int argc,char * const * argv)1168 main(int argc, char* const* argv)
1169 {
1170 int c;
1171 enum { UNDETERMINED, VERIFY, CREATE } mode = UNDETERMINED;
1172
1173 ldns_status s;
1174 size_t i;
1175
1176 #if OPENSSL_VERSION_NUMBER >= 0x10100000 && ! defined(HAVE_LIBRESSL)
1177 size_t j, usable_tlsas = 0;
1178 # ifdef USE_DANE_VERIFY
1179 X509_STORE_CTX *store_ctx = NULL;
1180 # endif /* USE_DANE_VERIFY */
1181 #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
1182
1183 bool print_tlsa_as_type52 = false;
1184 bool assume_dnssec_validity = false;
1185 bool assume_pkix_validity = false;
1186 bool verify_server_name = true;
1187 bool interact = false;
1188
1189 #if HAVE_DANE_CA_FILE
1190 const char* CAfile = LDNS_DANE_CA_FILE;
1191 #else
1192 const char* CAfile = NULL;
1193 #endif
1194 #if HAVE_DANE_CA_PATH
1195 const char* CApath = LDNS_DANE_CA_PATH;
1196 #else
1197 const char* CApath = NULL;
1198 #endif
1199 char* cert_file = NULL;
1200 X509* cert = NULL;
1201 STACK_OF(X509)* extra_certs = NULL;
1202
1203 ldns_rr_list* keys = ldns_rr_list_new();
1204 size_t nkeys = 0;
1205 bool do_sigchase = false;
1206
1207 ldns_rr_list* addresses = ldns_rr_list_new();
1208 ldns_rr* address_rr;
1209 ldns_rdf* address;
1210
1211 int ai_family = AF_UNSPEC;
1212 int transport = LDNS_DANE_TRANSPORT_TCP;
1213
1214 char* name_str = NULL; /* suppress uninitialized warning */
1215 ldns_rdf* name;
1216 uint16_t port = 0; /* suppress uninitialized warning */
1217
1218 ldns_resolver* res = NULL;
1219 ldns_rdf* nameserver_rdf = NULL;
1220 ldns_rdf* tlsa_owner = NULL;
1221 char* tlsa_owner_str = NULL;
1222 ldns_rr_list* tlsas = NULL;
1223 char* tlsas_file = NULL;
1224
1225 /* For extracting service port and transport from tla_owner. */
1226 ldns_rdf* port_rdf = NULL;
1227 char* port_str = NULL;
1228 ldns_rdf* transport_rdf = NULL;
1229 char* transport_str = NULL;
1230
1231 ldns_rr_list* originals = NULL; /* original tlsas (before
1232 * transform), but also used
1233 * as temporary.
1234 */
1235
1236 ldns_tlsa_certificate_usage certificate_usage = 666;
1237 int offset = -1;
1238 ldns_tlsa_selector selector = 666;
1239 ldns_tlsa_matching_type matching_type = 666;
1240
1241
1242 X509_STORE *store = NULL;
1243
1244 SSL_CTX* ctx = NULL;
1245 SSL* ssl = NULL;
1246
1247 int no_tlsas_exit_status = EXIT_SUCCESS;
1248 int exit_success = EXIT_SUCCESS;
1249
1250 bool success = true;
1251
1252 if (! keys || ! addresses) {
1253 MEMERR("ldns_rr_list_new");
1254 }
1255 while((c = getopt(argc, argv, "46a:bc:df:hik:no:p:r:sSt:TuvV:")) != -1){
1256 switch(c) {
1257 case 'h':
1258 print_usage("ldns-dane");
1259 break;
1260 case '4':
1261 ai_family = AF_INET;
1262 break;
1263 case '6':
1264 ai_family = AF_INET6;
1265 break;
1266 case 'r':
1267 if (nameserver_rdf) {
1268 fprintf(stderr, "Can only specify -r once\n");
1269 exit(EXIT_FAILURE);
1270 }
1271 nameserver_rdf = rdf_addr_frm_str(optarg);
1272 if (!nameserver_rdf) {
1273 fprintf(stderr,
1274 "Could not interpret address %s\n",
1275 optarg);
1276 exit(EXIT_FAILURE);
1277 }
1278 break;
1279 case 'a':
1280 s = ldns_str2rdf_a(&address, optarg);
1281 if (s == LDNS_STATUS_OK) {
1282 address_rr = ldns_rr_new_frm_type(
1283 LDNS_RR_TYPE_A);
1284 } else {
1285 s = ldns_str2rdf_aaaa(&address, optarg);
1286 if (s == LDNS_STATUS_OK) {
1287 address_rr = ldns_rr_new_frm_type(
1288 LDNS_RR_TYPE_AAAA);
1289 } else {
1290 fprintf(stderr,
1291 "Could not interpret address "
1292 "%s\n",
1293 optarg);
1294 exit(EXIT_FAILURE);
1295 }
1296 }
1297 (void) ldns_rr_a_set_address(address_rr, address);
1298 for (i = 0; i < ldns_rr_list_rr_count(addresses); i++){
1299 if (ldns_rdf_compare(address,
1300 ldns_rr_a_address(
1301 ldns_rr_list_rr(addresses, i))) == 0) {
1302 break;
1303 }
1304 }
1305 if (i >= ldns_rr_list_rr_count(addresses)) {
1306 if (! ldns_rr_list_push_rr(addresses,
1307 address_rr)) {
1308 MEMERR("ldns_rr_list_push_rr");
1309 }
1310 }
1311 break;
1312 case 'b':
1313 print_tlsa_as_type52 = true;
1314 /* TODO: do it with output formats... maybe... */
1315 break;
1316 case 'c':
1317 cert_file = optarg; /* checking in SSL stuff below */
1318 break;
1319 case 'd':
1320 assume_dnssec_validity = true;
1321 break;
1322 case 'f':
1323 CAfile = optarg;
1324 break;
1325 case 'i':
1326 interact = true;
1327 break;
1328 case 'k':
1329 s = read_key_file(optarg, keys);
1330 if (s == LDNS_STATUS_FILE_ERR) {
1331 fprintf(stderr, "Error opening %s: %s\n",
1332 optarg, strerror(errno));
1333 }
1334 LDNS_ERR(s, "Could not parse key file");
1335 if (ldns_rr_list_rr_count(keys) == nkeys) {
1336 fprintf(stderr, "No keys found in file"
1337 " %s\n", optarg);
1338 exit(EXIT_FAILURE);
1339 }
1340 nkeys = ldns_rr_list_rr_count(keys);
1341 break;
1342 case 'n':
1343 verify_server_name = false;
1344 break;
1345 case 'o':
1346 offset = atoi(optarg); /* todo check if all numeric */
1347 break;
1348 case 'p':
1349 CApath = optarg;
1350 break;
1351 case 's':
1352 assume_pkix_validity = true;
1353 break;
1354 case 'S':
1355 do_sigchase = true;
1356 break;
1357 case 't':
1358 tlsas_file = optarg;
1359 break;
1360 case 'T':
1361 no_tlsas_exit_status = NO_TLSAS_EXIT_STATUS;
1362 break;
1363 case 'u':
1364 transport = LDNS_DANE_TRANSPORT_UDP;
1365 break;
1366 case 'v':
1367 printf("ldns-dane version %s (ldns version %s)\n",
1368 LDNS_VERSION, ldns_version());
1369 exit(EXIT_SUCCESS);
1370 break;
1371 /* case 'V':
1372 verbosity = atoi(optarg);
1373 break;
1374 */
1375 }
1376 }
1377
1378 /* Filter out given IPv4 addresses when -6 was given,
1379 * and IPv6 addresses when -4 was given.
1380 */
1381 if (ldns_rr_list_rr_count(addresses) > 0 &&
1382 ai_family != AF_UNSPEC) {
1383 originals = addresses;
1384 addresses = rr_list_filter_rr_type(originals,
1385 (ai_family == AF_INET
1386 ? LDNS_RR_TYPE_A : LDNS_RR_TYPE_AAAA));
1387 ldns_rr_list_free(originals);
1388 if (addresses == NULL) {
1389 MEMERR("rr_list_filter_rr_type");
1390 }
1391 if (ldns_rr_list_rr_count(addresses) == 0) {
1392 fprintf(stderr,
1393 "No addresses of the specified type remain\n");
1394 exit(EXIT_FAILURE);
1395 }
1396 }
1397
1398 if (do_sigchase) {
1399 if (nkeys == 0) {
1400 (void) read_key_file(LDNS_TRUST_ANCHOR_FILE, keys);
1401 nkeys = ldns_rr_list_rr_count(keys);
1402
1403 if (nkeys == 0) {
1404 fprintf(stderr, "Unable to chase "
1405 "signature without keys.\n");
1406 exit(EXIT_FAILURE);
1407 }
1408 }
1409 } else {
1410 keys = NULL;
1411 }
1412
1413 argc -= optind;
1414 argv += optind;
1415
1416 if (argc == 0) {
1417
1418 print_usage("ldns-dane");
1419 }
1420 if (strncasecmp(*argv, "create", strlen(*argv)) == 0) {
1421
1422 mode = CREATE;
1423 argc--;
1424 argv++;
1425
1426 #ifdef USE_DANE_VERIFY
1427 } else if (strncasecmp(*argv, "verify", strlen(*argv)) == 0) {
1428
1429 mode = VERIFY;
1430 argc--;
1431 argv++;
1432
1433 } else {
1434 fprintf(stderr, "Specify create or verify mode\n");
1435 #else
1436 } else {
1437 fprintf(stderr, "Specify create mode\n");
1438 #endif
1439 exit(EXIT_FAILURE);
1440 }
1441
1442 #ifndef USE_DANE_VERIFY
1443 (void)transport_str;
1444 (void)transport_rdf;
1445 (void)port_str;
1446 (void)port_rdf;
1447 (void)interact;
1448 #else
1449 if (mode == VERIFY && argc == 0) {
1450
1451 if (! tlsas_file) {
1452 fprintf(stderr, "ERROR! Nothing given to verify\n");
1453 exit(EXIT_FAILURE);
1454 }
1455 s = dane_read_tlsas_from_file(&tlsas, tlsas_file, NULL);
1456 LDNS_ERR(s, "could not read tlsas from file");
1457
1458 /* extract port, transport and hostname from TLSA owner name */
1459
1460 if (ldns_rr_list_rr_count(tlsas) == 0) {
1461
1462 fprintf(stderr, "ERROR! No TLSA records to extract "
1463 "service port, transport and hostname"
1464 "\n");
1465 exit(EXIT_FAILURE);
1466 }
1467 tlsa_owner = ldns_rr_list_owner(tlsas);
1468 if (ldns_dname_label_count(tlsa_owner) < 2) {
1469 fprintf(stderr, "ERROR! To few labels in TLSA owner\n");
1470 exit(EXIT_FAILURE);
1471 }
1472 do {
1473 s = LDNS_STATUS_MEM_ERR;
1474 port_rdf = ldns_dname_label(tlsa_owner, 0);
1475 if (! port_rdf) {
1476 break;
1477 }
1478 port_str = ldns_rdf2str(port_rdf);
1479 if (! port_str) {
1480 break;
1481 }
1482 if (*port_str != '_') {
1483 fprintf(stderr, "ERROR! Badly formatted "
1484 "service port label in the "
1485 "TLSA owner name\n");
1486 exit(EXIT_FAILURE);
1487 }
1488 if (port_str[strlen(port_str) - 1] == '.') {
1489 port_str[strlen(port_str) - 1] = '\000';
1490 }
1491 port = (uint16_t) dane_int_within_range(
1492 port_str + 1, 65535, "port");
1493 s = LDNS_STATUS_OK;
1494 } while (false);
1495 LDNS_ERR(s, "could not extract service port from TLSA owner");
1496
1497 do {
1498 s = LDNS_STATUS_MEM_ERR;
1499 transport_rdf = ldns_dname_label(tlsa_owner, 1);
1500 if (! transport_rdf) {
1501 break;
1502 }
1503 transport_str = ldns_rdf2str(transport_rdf);
1504 if (! transport_str) {
1505 break;
1506 }
1507 if (transport_str[strlen(transport_str) - 1] == '.') {
1508 transport_str[strlen(transport_str) - 1] =
1509 '\000';
1510 }
1511 if (strcmp(transport_str, "_tcp") == 0) {
1512
1513 transport = LDNS_DANE_TRANSPORT_TCP;
1514
1515 } else if (strcmp(transport_str, "_udp") == 0) {
1516
1517 transport = LDNS_DANE_TRANSPORT_UDP;
1518
1519 } else if (strcmp(transport_str, "_sctp") == 0) {
1520
1521 transport = LDNS_DANE_TRANSPORT_SCTP;
1522
1523 } else {
1524 fprintf(stderr, "ERROR! Badly formatted "
1525 "transport label in the "
1526 "TLSA owner name\n");
1527 exit(EXIT_FAILURE);
1528 }
1529 s = LDNS_STATUS_OK;
1530 break;
1531 } while(false);
1532 LDNS_ERR(s, "could not extract transport from TLSA owner");
1533
1534 tlsa_owner_str = ldns_rdf2str(tlsa_owner);
1535 if (! tlsa_owner_str) {
1536 MEMERR("ldns_rdf2str");
1537 }
1538 name = ldns_dname_clone_from(tlsa_owner, 2);
1539 if (! name) {
1540 MEMERR("ldns_dname_clone_from");
1541 }
1542 name_str = ldns_rdf2str(name);
1543 if (! name_str) {
1544 MEMERR("ldns_rdf2str");
1545 }
1546
1547
1548 } else
1549 #endif /* USE_DANE_VERIFY */
1550 if (argc < 2) {
1551
1552 print_usage("ldns-dane");
1553
1554 } else {
1555 name_str = *argv++; argc--;
1556 s = ldns_str2rdf_dname(&name, name_str);
1557 LDNS_ERR(s, "could not ldns_str2rdf_dname");
1558
1559 port = (uint16_t)dane_int_within_range(*argv++, 65535, "port");
1560 --argc;
1561
1562 s = ldns_dane_create_tlsa_owner(&tlsa_owner,
1563 name, port, transport);
1564 LDNS_ERR(s, "could not create TLSA owner name");
1565 tlsa_owner_str = ldns_rdf2str(tlsa_owner);
1566 if (! tlsa_owner_str) {
1567 MEMERR("ldns_rdf2str");
1568 }
1569 }
1570
1571 switch (mode) {
1572 case VERIFY:
1573 if (argc > 0) {
1574
1575 print_usage("ldns-dane");
1576 }
1577 if (tlsas_file) {
1578
1579 s = dane_read_tlsas_from_file(&tlsas, tlsas_file,
1580 tlsa_owner);
1581 LDNS_ERR(s, "could not read tlas from file");
1582 } else {
1583 /* lookup tlsas */
1584 s = dane_setup_resolver(&res, nameserver_rdf,
1585 keys, assume_dnssec_validity);
1586 LDNS_ERR(s, "could not dane_setup_resolver");
1587 s = dane_query(&tlsas, res, tlsa_owner,
1588 LDNS_RR_TYPE_TLSA, LDNS_RR_CLASS_IN,
1589 false);
1590 ldns_resolver_free(res);
1591 }
1592
1593 if (s == LDNS_STATUS_DANE_INSECURE) {
1594
1595 fprintf(stderr, "Warning! TLSA records for %s "
1596 "were found, but were insecure.\n"
1597 "PKIX validation without DANE will be "
1598 "performed. If you wish to perform DANE\n"
1599 "even though the RR's are insecure, "
1600 "use the -d option.\n", tlsa_owner_str);
1601
1602 exit_success = no_tlsas_exit_status;
1603
1604 } else if (s != LDNS_STATUS_OK) {
1605
1606 ldns_err("dane_query", s);
1607
1608 } else if (ldns_rr_list_rr_count(tlsas) == 0) {
1609
1610 fprintf(stderr, "Warning! No TLSA records for %s "
1611 "were found.\n"
1612 "PKIX validation without DANE will be "
1613 "performed.\n", ldns_rdf2str(tlsa_owner));
1614
1615 exit_success = no_tlsas_exit_status;
1616
1617 } else if (assume_pkix_validity) { /* number of tlsa's > 0 */
1618
1619 /* transform type "CA constraint" to "Trust anchor
1620 * assertion" and "Service Certificate Constraint"
1621 * to "Domain Issues Certificate"
1622 */
1623 originals = tlsas;
1624 tlsas = dane_no_pkix_transform(originals);
1625 }
1626
1627 break;
1628
1629 case CREATE:
1630 if (argc > 0) {
1631 certificate_usage = dane_int_within_range_table(
1632 *argv++, 3, "certificate usage",
1633 dane_certificate_usage_table);
1634 argc--;
1635 } else {
1636 certificate_usage = LDNS_TLSA_USAGE_DANE_EE;
1637 }
1638 if (argc > 0) {
1639 selector = dane_int_within_range_table(
1640 *argv++, 1, "selector",
1641 dane_selector_table);
1642 argc--;
1643 } else {
1644 selector = LDNS_TLSA_SELECTOR_SPKI;
1645 }
1646 if (argc > 0) {
1647 matching_type = dane_int_within_range_table(
1648 *argv++, 2, "matching type",
1649 dane_matching_type_table);
1650
1651 argc--;
1652 } else {
1653 matching_type = LDNS_TLSA_MATCHING_TYPE_SHA2_256;
1654 }
1655 if (argc > 0) {
1656
1657 print_usage("ldns-dane");
1658 }
1659 if ((certificate_usage == LDNS_TLSA_USAGE_CA_CONSTRAINT ||
1660 certificate_usage ==
1661 LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT) &&
1662 ! CAfile && ! CApath && ! assume_pkix_validity) {
1663
1664 fprintf(stderr,
1665 "When using the \"CA constraint\" or "
1666 "\"Service certificate constraint\",\n"
1667 "-f <CAfile> and/or -p <CApath> options "
1668 "must be given to perform PKIX validation.\n\n"
1669 "PKIX validation may be turned off "
1670 "with the -s option. Note that with\n"
1671 "\"CA constraint\" the verification process "
1672 "should then end with a self-signed\n"
1673 "certificate which must be present "
1674 "in the server certificate chain.\n\n");
1675
1676 exit(EXIT_FAILURE);
1677 }
1678 tlsas = ldns_rr_list_new();
1679 break;
1680 default:
1681 fprintf(stderr, "Unreachable code\n");
1682 assert(0);
1683 }
1684
1685 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
1686 /* ssl initialize */
1687 SSL_load_error_strings();
1688 SSL_library_init();
1689 #endif
1690
1691 /* ssl load validation store */
1692 if (! assume_pkix_validity || CAfile || CApath) {
1693 store = X509_STORE_new();
1694 if (! store) {
1695 ssl_err("could not X509_STORE_new");
1696 }
1697 if ((CAfile || CApath) && X509_STORE_load_locations(
1698 store, CAfile, CApath) != 1) {
1699 ssl_err("error loading CA certificates");
1700 }
1701 }
1702
1703 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
1704 ctx = SSL_CTX_new(SSLv23_client_method());
1705 #else
1706 ctx = SSL_CTX_new(TLS_client_method());
1707 if (ctx && SSL_CTX_dane_enable(ctx) <= 0) {
1708 ssl_err("could not SSL_CTX_dane_enable");
1709 }
1710
1711 /* Use TLSv1.0 or above for connection. */
1712 long flags = 0;
1713 # ifdef SSL_OP_NO_SSLv2
1714 flags |= SSL_OP_NO_SSLv2;
1715 # endif
1716 # ifdef SSL_OP_NO_SSLv3
1717 flags |= SSL_OP_NO_SSLv3;
1718 # endif
1719 # ifdef SSL_OP_NO_COMPRESSION
1720 flags |= SSL_OP_NO_COMPRESSION;
1721 # endif
1722 SSL_CTX_set_options(ctx, flags);
1723
1724 if (CAfile || CApath) {
1725 if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath))
1726 ssl_err("could not set verify locations\n");
1727
1728 } else if (!SSL_CTX_set_default_verify_paths(ctx))
1729 ssl_err("could not set default verify paths\n");
1730 #endif
1731 if (! ctx) {
1732 ssl_err("could not SSL_CTX_new");
1733 }
1734 if (cert_file &&
1735 SSL_CTX_use_certificate_chain_file(ctx, cert_file) != 1) {
1736 ssl_err("error loading certificate");
1737 }
1738
1739 if (cert_file) { /* ssl load certificate */
1740
1741 ssl = SSL_new(ctx);
1742 if (! ssl) {
1743 ssl_err("could not SSL_new");
1744 }
1745 cert = SSL_get_certificate(ssl);
1746 if (! cert) {
1747 ssl_err("could not SSL_get_certificate");
1748 }
1749 #ifndef SSL_CTX_get_extra_chain_certs
1750 #ifndef S_SPLINT_S
1751 extra_certs = ctx->extra_certs;
1752 #endif /* splint */
1753 #else
1754 if(!SSL_CTX_get_extra_chain_certs(ctx, &extra_certs)) {
1755 ssl_err("could not SSL_CTX_get_extra_chain_certs");
1756 }
1757 #endif
1758 switch (mode) {
1759 case CREATE: dane_create(tlsas, tlsa_owner, certificate_usage,
1760 offset, selector, matching_type,
1761 cert, extra_certs, store,
1762 verify_server_name, name);
1763 break;
1764 #ifdef USE_DANE_VERIFY
1765 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
1766 case VERIFY: if (! dane_verify(tlsas, NULL,
1767 cert, extra_certs, store,
1768 verify_server_name, name,
1769 assume_pkix_validity)) {
1770 success = false;
1771 }
1772 break;
1773 #else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
1774 case VERIFY:
1775 usable_tlsas = 0;
1776 SSL_set_connect_state(ssl);
1777 if (SSL_dane_enable(ssl, name_str) <= 0) {
1778 ssl_err("could not SSL_dane_enable");
1779 }
1780 if (!verify_server_name) {
1781 SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
1782 }
1783 for (j = 0; j < ldns_rr_list_rr_count(tlsas); j++) {
1784 int ret;
1785 ldns_rr *tlsa_rr = ldns_rr_list_rr(tlsas, j);
1786
1787 if (ldns_rr_get_type(tlsa_rr) != LDNS_RR_TYPE_TLSA) {
1788 fprintf(stderr, "Skipping non TLSA RR: ");
1789 ldns_rr_print(stderr, tlsa_rr);
1790 fprintf(stderr, "\n");
1791 continue;
1792 }
1793 if (ldns_rr_rd_count(tlsa_rr) != 4) {
1794 fprintf(stderr, "Skipping TLSA with wrong rdata RR: ");
1795 ldns_rr_print(stderr, tlsa_rr);
1796 fprintf(stderr, "\n");
1797 continue;
1798 }
1799 ret = SSL_dane_tlsa_add(ssl,
1800 ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)),
1801 ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1)),
1802 ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2)),
1803 ldns_rdf_data(ldns_rr_rdf(tlsa_rr, 3)),
1804 ldns_rdf_size(ldns_rr_rdf(tlsa_rr, 3)));
1805 if (ret < 0) {
1806 ssl_err("could not SSL_dane_tlsa_add");
1807 }
1808 if (ret == 0) {
1809 fprintf(stderr, "Skipping unusable TLSA RR: ");
1810 ldns_rr_print(stderr, tlsa_rr);
1811 fprintf(stderr, "\n");
1812 continue;
1813 }
1814 usable_tlsas += 1;
1815 }
1816 if (!usable_tlsas) {
1817 fprintf(stderr, "No usable TLSA records were found.\n"
1818 "PKIX validation without DANE will be performed.\n");
1819 exit_success = no_tlsas_exit_status;
1820 }
1821 if (!(store_ctx = X509_STORE_CTX_new())) {
1822 ssl_err("could not SSL_new");
1823 }
1824 if (!X509_STORE_CTX_init(store_ctx, store, cert, extra_certs)) {
1825 ssl_err("could not X509_STORE_CTX_init");
1826 }
1827 X509_STORE_CTX_set_default(store_ctx,
1828 SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
1829 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
1830 SSL_get0_param(ssl));
1831 X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl));
1832 X509_NAME_print_ex_fp(stdout,
1833 X509_get_subject_name(cert), 0, 0);
1834 if (X509_verify_cert(store_ctx)) {
1835 fprintf(stdout, " %s-validated successfully\n",
1836 usable_tlsas
1837 ? "dane" : "PKIX");
1838 } else {
1839 fprintf(stdout, " did not dane-validate, because: %s\n",
1840 X509_verify_cert_error_string(
1841 X509_STORE_CTX_get_error(store_ctx)));
1842 success = false;
1843 }
1844 if (store_ctx) {
1845 X509_STORE_CTX_free(store_ctx);
1846 }
1847 break;
1848 #endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
1849 #endif /* ifdef USE_DANE_VERIFY */
1850 default: break; /* suppress warning */
1851 }
1852 SSL_free(ssl);
1853
1854 } else {/* No certificate file given, creation/validation via TLS. */
1855
1856 /* We need addresses to connect to */
1857 if (ldns_rr_list_rr_count(addresses) == 0) {
1858 s = dane_setup_resolver(&res, nameserver_rdf,
1859 keys, assume_dnssec_validity);
1860 LDNS_ERR(s, "could not dane_setup_resolver");
1861 ldns_rr_list_free(addresses);
1862 addresses =dane_lookup_addresses(res, name, ai_family);
1863 ldns_resolver_free(res);
1864 }
1865 if (ldns_rr_list_rr_count(addresses) == 0) {
1866 fprintf(stderr, "No addresses for %s\n", name_str);
1867 exit(EXIT_FAILURE);
1868 }
1869
1870 /* for all addresses, setup SSL and retrieve certificates */
1871 for (i = 0; i < ldns_rr_list_rr_count(addresses); i++) {
1872
1873 ssl = SSL_new(ctx);
1874 if (! ssl) {
1875 ssl_err("could not SSL_new");
1876 }
1877 address = ldns_rr_a_address(
1878 ldns_rr_list_rr(addresses, i));
1879 assert(address != NULL);
1880 #if OPENSSL_VERSION_NUMBER >= 0x10100000 && ! defined(HAVE_LIBRESSL)
1881 if (mode == VERIFY) {
1882 usable_tlsas = 0;
1883 if (SSL_dane_enable(ssl, name_str) <= 0) {
1884 ssl_err("could not SSL_dane_enable");
1885 }
1886 if (!verify_server_name) {
1887 SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
1888 }
1889 for (j = 0; j < ldns_rr_list_rr_count(tlsas); j++) {
1890 int ret;
1891 ldns_rr *tlsa_rr = ldns_rr_list_rr(tlsas, j);
1892
1893 if (ldns_rr_get_type(tlsa_rr) != LDNS_RR_TYPE_TLSA) {
1894 fprintf(stderr, "Skipping non TLSA RR: ");
1895 ldns_rr_print(stderr, tlsa_rr);
1896 fprintf(stderr, "\n");
1897 continue;
1898 }
1899 if (ldns_rr_rd_count(tlsa_rr) != 4) {
1900 fprintf(stderr, "Skipping TLSA with wrong rdata RR: ");
1901 ldns_rr_print(stderr, tlsa_rr);
1902 fprintf(stderr, "\n");
1903 continue;
1904 }
1905 ret = SSL_dane_tlsa_add(ssl,
1906 ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)) | (assume_pkix_validity ? 2 : 0),
1907 ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1)),
1908 ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2)),
1909 ldns_rdf_data(ldns_rr_rdf(tlsa_rr, 3)),
1910 ldns_rdf_size(ldns_rr_rdf(tlsa_rr, 3)));
1911 if (ret < 0) {
1912 ssl_err("could not SSL_dane_tlsa_add");
1913 }
1914 if (ret == 0) {
1915 fprintf(stderr, "Skipping unusable TLSA RR: ");
1916 ldns_rr_print(stderr, tlsa_rr);
1917 fprintf(stderr, "\n");
1918 continue;
1919 }
1920 usable_tlsas += 1;
1921 }
1922 if (!usable_tlsas) {
1923 fprintf(stderr, "No usable TLSA records were found.\n"
1924 "PKIX validation without DANE will be performed.\n");
1925
1926 exit_success = no_tlsas_exit_status;
1927 if (assume_pkix_validity)
1928 SSL_set_verify(ssl, SSL_VERIFY_PEER, _ldns_tls_verify_always_ok);
1929 }
1930 }
1931 #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
1932 s = ssl_connect_and_get_cert_chain(&cert, &extra_certs,
1933 ssl, name_str, address,port, transport);
1934 if (s == LDNS_STATUS_NETWORK_ERR) {
1935 fprintf(stderr, "Could not connect to ");
1936 ldns_rdf_print(stderr, address);
1937 fprintf(stderr, " %d\n", (int) port);
1938
1939 /* All addresses should succeed */
1940 success = false;
1941 continue;
1942 }
1943 LDNS_ERR(s, "could not get cert chain from ssl");
1944 #if OPENSSL_VERSION_NUMBER >= 0x10100000 && ! defined(HAVE_LIBRESSL)
1945
1946 if (mode == VERIFY) {
1947 char *address_str = ldns_rdf2str(address);
1948 long verify_result = SSL_get_verify_result(ssl);
1949
1950 fprintf(stdout, "%s", address_str ? address_str : "<address>");
1951 free(address_str);
1952
1953 if (verify_result == X509_V_OK) {
1954 fprintf(stdout, " %s-validated successfully\n",
1955 usable_tlsas
1956 ? "dane" : "PKIX");
1957 } else {
1958 fprintf(stdout, " did not dane-validate, because: %s\n",
1959 X509_verify_cert_error_string(verify_result));
1960 success = false;
1961 }
1962 }
1963 #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
1964 switch (mode) {
1965 case CREATE: dane_create(tlsas, tlsa_owner,
1966 certificate_usage, offset,
1967 selector, matching_type,
1968 cert, extra_certs, store,
1969 verify_server_name, name);
1970 break;
1971
1972 #ifdef USE_DANE_VERIFY
1973 case VERIFY:
1974 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
1975 if (! dane_verify(tlsas, address,
1976 cert, extra_certs, store,
1977 verify_server_name, name,
1978 assume_pkix_validity)) {
1979 success = false;
1980
1981 }
1982 #endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
1983 if (success && interact) {
1984 ssl_interact(ssl);
1985 }
1986 break;
1987 #endif /* USE_DANE_VERIFY */
1988
1989 default: break; /* suppress warning */
1990 }
1991 (void)SSL_shutdown(ssl);
1992 SSL_free(ssl);
1993 } /* end for all addresses */
1994 } /* end No certification file */
1995
1996 if (mode == CREATE) {
1997 if (print_tlsa_as_type52) {
1998 print_rr_list_as_TYPEXXX(stdout, tlsas);
1999 } else {
2000 ldns_rr_list_print(stdout, tlsas);
2001 }
2002 }
2003 ldns_rr_list_deep_free(tlsas);
2004
2005 /* cleanup */
2006 SSL_CTX_free(ctx);
2007
2008 if (nameserver_rdf) {
2009 ldns_rdf_deep_free(nameserver_rdf);
2010 }
2011 if (store) {
2012 X509_STORE_free(store);
2013 }
2014 if (tlsa_owner_str) {
2015 LDNS_FREE(tlsa_owner_str);
2016 }
2017 if (tlsa_owner) {
2018 ldns_rdf_free(tlsa_owner);
2019 }
2020 if (addresses) {
2021 ldns_rr_list_deep_free(addresses);
2022 }
2023 if (success) {
2024 exit(exit_success);
2025 } else {
2026 exit(EXIT_FAILURE);
2027 }
2028 }
2029 #else /* HAVE_SSL */
2030
2031 int
main(int argc,char ** argv)2032 main(int argc, char **argv)
2033 {
2034 fprintf(stderr, "ldns-dane needs OpenSSL support, "
2035 "which has not been compiled in\n");
2036 return 1;
2037 }
2038 #endif /* HAVE_SSL */
2039
2040 #else /* USE_DANE */
2041
2042 int
main(int argc,char ** argv)2043 main(int argc, char **argv)
2044 {
2045 (void)argc;
2046 (void)argv;
2047
2048 fprintf(stderr, "dane support was disabled with this build of ldns, "
2049 "and has not been compiled in\n");
2050 return 1;
2051 }
2052
2053 #endif /* USE_DANE */
2054