1 /*
2 * Author: Viktor Dukhovni
3 * License: THIS CODE IS IN THE PUBLIC DOMAIN.
4 *
5 * Copyright (c) The Exim Maintainers 2014 - 2019
6 */
7 #include <stdio.h>
8 #include <string.h>
9 #include <stdint.h>
10
11 #include <openssl/opensslv.h>
12 #include <openssl/err.h>
13 #include <openssl/crypto.h>
14 #include <openssl/safestack.h>
15 #include <openssl/objects.h>
16 #include <openssl/x509.h>
17 #include <openssl/x509v3.h>
18 #include <openssl/evp.h>
19 #include <openssl/bn.h>
20
21 #if OPENSSL_VERSION_NUMBER < 0x1000000fL
22 # error "OpenSSL 1.0.0 or higher required"
23 #endif
24
25 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
26 # define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
27 #endif
28
29 /* LibreSSL 2.9.0 and later - 2.9.0 has removed a number of macros ... */
30 #ifdef LIBRESSL_VERSION_NUMBER
31 # if LIBRESSL_VERSION_NUMBER >= 0x2090000fL
32 # define EXIM_HAVE_ASN1_MACROS
33 # endif
34 #endif
35 /* OpenSSL */
36 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
37 # define EXIM_HAVE_ASN1_MACROS
38 # define EXIM_OPAQUE_X509
39 /* Older OpenSSL and all LibreSSL */
40 #else
41 # define X509_STORE_CTX_get_verify(ctx) (ctx)->verify
42 # define X509_STORE_CTX_get_verify_cb(ctx) (ctx)->verify_cb
43 # define X509_STORE_CTX_get0_cert(ctx) (ctx)->cert
44 # define X509_STORE_CTX_get0_chain(ctx) (ctx)->chain
45 # define X509_STORE_CTX_get0_untrusted(ctx) (ctx)->untrusted
46
47 # define X509_STORE_CTX_set_verify(ctx, verify_chain) (ctx)->verify = (verify_chain)
48 # define X509_STORE_CTX_set0_verified_chain(ctx, sk) (ctx)->chain = (sk)
49 # define X509_STORE_CTX_set_error_depth(ctx, val) (ctx)->error_depth = (val)
50 # define X509_STORE_CTX_set_current_cert(ctx, cert) (ctx)->current_cert = (cert)
51
52 # define ASN1_STRING_get0_data ASN1_STRING_data
53 # define X509_getm_notBefore X509_get_notBefore
54 # define X509_getm_notAfter X509_get_notAfter
55
56 # define CRYPTO_ONCE_STATIC_INIT 0
57 # define CRYPTO_THREAD_run_once run_once
58 typedef int CRYPTO_ONCE;
59 #endif
60
61
62 #include "danessl.h"
63
64 #define DANESSL_F_ADD_SKID 100
65 #define DANESSL_F_ADD_TLSA 101
66 #define DANESSL_F_CHECK_END_ENTITY 102
67 #define DANESSL_F_CTX_INIT 103
68 #define DANESSL_F_GROW_CHAIN 104
69 #define DANESSL_F_INIT 105
70 #define DANESSL_F_LIBRARY_INIT 106
71 #define DANESSL_F_LIST_ALLOC 107
72 #define DANESSL_F_MATCH 108
73 #define DANESSL_F_PUSH_EXT 109
74 #define DANESSL_F_SET_TRUST_ANCHOR 110
75 #define DANESSL_F_VERIFY_CERT 111
76 #define DANESSL_F_WRAP_CERT 112
77 #define DANESSL_F_DANESSL_VERIFY_CHAIN 113
78
79 #define DANESSL_R_BAD_CERT 100
80 #define DANESSL_R_BAD_CERT_PKEY 101
81 #define DANESSL_R_BAD_DATA_LENGTH 102
82 #define DANESSL_R_BAD_DIGEST 103
83 #define DANESSL_R_BAD_NULL_DATA 104
84 #define DANESSL_R_BAD_PKEY 105
85 #define DANESSL_R_BAD_SELECTOR 106
86 #define DANESSL_R_BAD_USAGE 107
87 #define DANESSL_R_INIT 108
88 #define DANESSL_R_LIBRARY_INIT 109
89 #define DANESSL_R_NOSIGN_KEY 110
90 #define DANESSL_R_SCTX_INIT 111
91 #define DANESSL_R_SUPPORT 112
92
93 #ifndef OPENSSL_NO_ERR
94 #define DANESSL_F_PLACEHOLDER 0 /* FIRST! Value TBD */
95 static ERR_STRING_DATA dane_str_functs[] = {
96 /* error string */
97 {DANESSL_F_PLACEHOLDER, "DANE library"}, /* FIRST!!! */
98 {DANESSL_F_ADD_SKID, "add_skid"},
99 {DANESSL_F_ADD_TLSA, "DANESSL_add_tlsa"},
100 {DANESSL_F_CHECK_END_ENTITY, "check_end_entity"},
101 {DANESSL_F_CTX_INIT, "DANESSL_CTX_init"},
102 {DANESSL_F_GROW_CHAIN, "grow_chain"},
103 {DANESSL_F_INIT, "DANESSL_init"},
104 {DANESSL_F_LIBRARY_INIT, "DANESSL_library_init"},
105 {DANESSL_F_LIST_ALLOC, "list_alloc"},
106 {DANESSL_F_MATCH, "match"},
107 {DANESSL_F_PUSH_EXT, "push_ext"},
108 {DANESSL_F_SET_TRUST_ANCHOR, "set_trust_anchor"},
109 {DANESSL_F_VERIFY_CERT, "verify_cert"},
110 {DANESSL_F_WRAP_CERT, "wrap_cert"},
111 {0, NULL}
112 };
113 static ERR_STRING_DATA dane_str_reasons[] = {
114 /* error string */
115 {DANESSL_R_BAD_CERT, "Bad TLSA record certificate"},
116 {DANESSL_R_BAD_CERT_PKEY, "Bad TLSA record certificate public key"},
117 {DANESSL_R_BAD_DATA_LENGTH, "Bad TLSA record digest length"},
118 {DANESSL_R_BAD_DIGEST, "Bad TLSA record digest"},
119 {DANESSL_R_BAD_NULL_DATA, "Bad TLSA record null data"},
120 {DANESSL_R_BAD_PKEY, "Bad TLSA record public key"},
121 {DANESSL_R_BAD_SELECTOR, "Bad TLSA record selector"},
122 {DANESSL_R_BAD_USAGE, "Bad TLSA record usage"},
123 {DANESSL_R_INIT, "DANESSL_init() required"},
124 {DANESSL_R_LIBRARY_INIT, "DANESSL_library_init() required"},
125 {DANESSL_R_NOSIGN_KEY, "Certificate usage 2 requires EC support"},
126 {DANESSL_R_SCTX_INIT, "DANESSL_CTX_init() required"},
127 {DANESSL_R_SUPPORT, "DANE library features not supported"},
128 {0, NULL}
129 };
130 #endif
131
132 #define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FUNCTION__, __LINE__)
133
134 static int err_lib_dane = -1;
135 static int dane_idx = -1;
136
137 #ifdef X509_V_FLAG_PARTIAL_CHAIN /* OpenSSL >= 1.0.2 */
138 static int wrap_to_root = 0;
139 #else
140 static int wrap_to_root = 1;
141 #endif
142
143 static void (*cert_free)(void *) = (void (*)(void *)) X509_free;
144 static void (*pkey_free)(void *) = (void (*)(void *)) EVP_PKEY_free;
145
146 typedef struct dane_list
147 {
148 struct dane_list *next;
149 void *value;
150 } *dane_list;
151
152 #define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0)
153
154 typedef struct dane_host_list
155 {
156 struct dane_host_list *next;
157 char *value;
158 } *dane_host_list;
159
160 typedef struct dane_data
161 {
162 size_t datalen;
163 unsigned char data[0];
164 } *dane_data;
165
166 typedef struct dane_data_list
167 {
168 struct dane_data_list *next;
169 dane_data value;
170 } *dane_data_list;
171
172 typedef struct dane_mtype
173 {
174 int mdlen;
175 const EVP_MD *md;
176 dane_data_list data;
177 } *dane_mtype;
178
179 typedef struct dane_mtype_list
180 {
181 struct dane_mtype_list *next;
182 dane_mtype value;
183 } *dane_mtype_list;
184
185 typedef struct dane_selector
186 {
187 uint8_t selector;
188 dane_mtype_list mtype;
189 } *dane_selector;
190
191 typedef struct dane_selector_list
192 {
193 struct dane_selector_list *next;
194 dane_selector value;
195 } *dane_selector_list;
196
197 typedef struct dane_pkey_list
198 {
199 struct dane_pkey_list *next;
200 EVP_PKEY *value;
201 } *dane_pkey_list;
202
203 typedef struct dane_cert_list
204 {
205 struct dane_cert_list *next;
206 X509 *value;
207 } *dane_cert_list;
208
209 typedef struct ssl_dane
210 {
211 int (*verify)(X509_STORE_CTX *);
212 STACK_OF(X509) *roots;
213 STACK_OF(X509) *chain;
214 X509 *match; /* Matched cert */
215 const char *thost; /* TLSA base domain */
216 char *mhost; /* Matched peer name */
217 dane_pkey_list pkeys;
218 dane_cert_list certs;
219 dane_host_list hosts;
220 dane_selector_list selectors[DANESSL_USAGE_LAST + 1];
221 int depth;
222 int mdpth; /* Depth of matched cert */
223 int multi; /* Multi-label wildcards? */
224 int count; /* Number of TLSA records */
225 } ssl_dane;
226
227 #ifndef X509_V_ERR_HOSTNAME_MISMATCH
228 # define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION
229 #endif
230
231
232
233 static int
match(dane_selector_list slist,X509 * cert,int depth)234 match(dane_selector_list slist, X509 *cert, int depth)
235 {
236 int matched;
237
238 /*
239 * Note, set_trust_anchor() needs to know whether the match was for a
240 * pkey digest or a certificate digest. We return MATCHED_PKEY or
241 * MATCHED_CERT accordingly.
242 */
243 #define MATCHED_CERT (DANESSL_SELECTOR_CERT + 1)
244 #define MATCHED_PKEY (DANESSL_SELECTOR_SPKI + 1)
245
246 /*
247 * Loop over each selector, mtype, and associated data element looking
248 * for a match.
249 */
250 for (matched = 0; !matched && slist; slist = slist->next)
251 {
252 unsigned char mdbuf[EVP_MAX_MD_SIZE];
253 unsigned char *buf = NULL;
254 unsigned char *buf2;
255 unsigned int len = 0;
256
257 /*
258 * Extract ASN.1 DER form of certificate or public key.
259 */
260 switch(slist->value->selector)
261 {
262 case DANESSL_SELECTOR_CERT:
263 len = i2d_X509(cert, NULL);
264 buf2 = buf = US OPENSSL_malloc(len);
265 if(buf) i2d_X509(cert, &buf2);
266 break;
267 case DANESSL_SELECTOR_SPKI:
268 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
269 buf2 = buf = US OPENSSL_malloc(len);
270 if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2);
271 break;
272 }
273
274 if (!buf)
275 {
276 DANEerr(DANESSL_F_MATCH, ERR_R_MALLOC_FAILURE);
277 return 0;
278 }
279 OPENSSL_assert(buf2 - buf == len);
280
281 /*
282 * Loop over each mtype and data element
283 */
284 for (dane_mtype_list m = slist->value->mtype; !matched && m; m = m->next)
285 {
286 unsigned char *cmpbuf = buf;
287 unsigned int cmplen = len;
288
289 /*
290 * If it is a digest, compute the corresponding digest of the
291 * DER data for comparison, otherwise, use the full object.
292 */
293 if (m->value->md)
294 {
295 cmpbuf = mdbuf;
296 if (!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
297 matched = -1;
298 }
299 for (dane_data_list d = m->value->data; !matched && d; d = d->next)
300 if ( cmplen == d->value->datalen
301 && memcmp(cmpbuf, d->value->data, cmplen) == 0)
302 matched = slist->value->selector + 1;
303 }
304
305 OPENSSL_free(buf);
306 }
307
308 return matched;
309 }
310
311 static int
push_ext(X509 * cert,X509_EXTENSION * ext)312 push_ext(X509 *cert, X509_EXTENSION *ext)
313 {
314 if (ext)
315 {
316 if (X509_add_ext(cert, ext, -1))
317 return 1;
318 X509_EXTENSION_free(ext);
319 }
320 DANEerr(DANESSL_F_PUSH_EXT, ERR_R_MALLOC_FAILURE);
321 return 0;
322 }
323
324 static int
add_ext(X509 * issuer,X509 * subject,int ext_nid,char * ext_val)325 add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
326 {
327 X509V3_CTX v3ctx;
328
329 X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
330 return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
331 }
332
333 static int
set_serial(X509 * cert,AUTHORITY_KEYID * akid,X509 * subject)334 set_serial(X509 *cert, AUTHORITY_KEYID *akid, X509 *subject)
335 {
336 int ret = 0;
337 BIGNUM *bn;
338
339 if (akid && akid->serial)
340 return (X509_set_serialNumber(cert, akid->serial));
341
342 /*
343 * Add one to subject's serial to avoid collisions between TA serial and
344 * serial of signing root.
345 */
346 if ( (bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(subject), 0)) != 0
347 && BN_add_word(bn, 1)
348 && BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(cert)))
349 ret = 1;
350
351 if (bn)
352 BN_free(bn);
353 return ret;
354 }
355
356 static int
add_akid(X509 * cert,AUTHORITY_KEYID * akid)357 add_akid(X509 *cert, AUTHORITY_KEYID *akid)
358 {
359 int nid = NID_authority_key_identifier;
360 ASN1_OCTET_STRING *id;
361 unsigned char c = 0;
362 int ret = 0;
363
364 /*
365 * 0 will never be our subject keyid from a SHA-1 hash, but it could be
366 * our subject keyid if forced from child's akid. If so, set our
367 * authority keyid to 1. This way we are never self-signed, and thus
368 * exempt from any potential (off by default for now in OpenSSL)
369 * self-signature checks!
370 */
371 id = akid && akid->keyid ? akid->keyid : 0;
372 if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_get0_data(id) == c)
373 c = 1;
374
375 if ( (akid = AUTHORITY_KEYID_new()) != 0
376 && (akid->keyid = ASN1_OCTET_STRING_new()) != 0
377 #ifdef EXIM_HAVE_ASN1_MACROS
378 && ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
379 #else
380 && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
381 #endif
382 && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_APPEND))
383 ret = 1;
384 if (akid)
385 AUTHORITY_KEYID_free(akid);
386 return ret;
387 }
388
389 static int
add_skid(X509 * cert,AUTHORITY_KEYID * akid)390 add_skid(X509 *cert, AUTHORITY_KEYID *akid)
391 {
392 int nid = NID_subject_key_identifier;
393
394 if (!akid || !akid->keyid)
395 return add_ext(0, cert, nid, "hash");
396 return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_APPEND) > 0;
397 }
398
399 static X509_NAME *
akid_issuer_name(AUTHORITY_KEYID * akid)400 akid_issuer_name(AUTHORITY_KEYID *akid)
401 {
402 if (akid && akid->issuer)
403 {
404 GENERAL_NAMES *gens = akid->issuer;
405
406 for (int i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
407 {
408 GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
409
410 if (gn->type == GEN_DIRNAME)
411 return (gn->d.dirn);
412 }
413 }
414 return 0;
415 }
416
417 static int
set_issuer_name(X509 * cert,AUTHORITY_KEYID * akid,X509_NAME * subj)418 set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid, X509_NAME *subj)
419 {
420 X509_NAME *name = akid_issuer_name(akid);
421
422 /*
423 * If subject's akid specifies an authority key identifier issuer name, we
424 * must use that.
425 */
426 return X509_set_issuer_name(cert,
427 name ? name : subj);
428 }
429
430 static int
grow_chain(ssl_dane * dane,int trusted,X509 * cert)431 grow_chain(ssl_dane *dane, int trusted, X509 *cert)
432 {
433 STACK_OF(X509) **xs = trusted ? &dane->roots : &dane->chain;
434 static ASN1_OBJECT *serverAuth = 0;
435
436 #define UNTRUSTED 0
437 #define TRUSTED 1
438
439 if ( trusted && !serverAuth
440 && !(serverAuth = OBJ_nid2obj(NID_server_auth)))
441 {
442 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
443 return 0;
444 }
445 if (!*xs && !(*xs = sk_X509_new_null()))
446 {
447 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
448 return 0;
449 }
450
451 if (cert)
452 {
453 if (trusted && !X509_add1_trust_object(cert, serverAuth))
454 return 0;
455 #ifdef EXIM_OPAQUE_X509
456 X509_up_ref(cert);
457 #else
458 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
459 #endif
460 if (!sk_X509_push(*xs, cert))
461 {
462 X509_free(cert);
463 DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
464 return 0;
465 }
466 }
467 return 1;
468 }
469
470 static int
wrap_issuer(ssl_dane * dane,EVP_PKEY * key,X509 * subject,int depth,int top)471 wrap_issuer(ssl_dane *dane, EVP_PKEY *key, X509 *subject, int depth, int top)
472 {
473 int ret = 1;
474 X509 *cert = 0;
475 AUTHORITY_KEYID *akid;
476 X509_NAME *name = X509_get_issuer_name(subject);
477 EVP_PKEY *newkey = key ? key : X509_get_pubkey(subject);
478
479 #define WRAP_MID 0 /* Ensure intermediate. */
480 #define WRAP_TOP 1 /* Ensure self-signed. */
481
482 if (!name || !newkey || !(cert = X509_new()))
483 return 0;
484
485 /*
486 * Record the depth of the trust-anchor certificate.
487 */
488 if (dane->depth < 0)
489 dane->depth = depth + 1;
490
491 /*
492 * XXX: Uncaught error condition:
493 *
494 * The return value is NULL both when the extension is missing, and when
495 * OpenSSL rans out of memory while parsing the extension.
496 */
497 ERR_clear_error();
498 akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
499 /* XXX: Should we peek at the error stack here??? */
500
501 /*
502 * If top is true generate a self-issued root CA, otherwise an
503 * intermediate CA and possibly its self-signed issuer.
504 *
505 * CA cert valid for +/- 30 days
506 */
507 if ( !X509_set_version(cert, 2)
508 || !set_serial(cert, akid, subject)
509 || !set_issuer_name(cert, akid, name)
510 || !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L)
511 || !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L)
512 || !X509_set_subject_name(cert, name)
513 || !X509_set_pubkey(cert, newkey)
514 || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
515 || (!top && !add_akid(cert, akid))
516 || !add_skid(cert, akid)
517 || ( !top && wrap_to_root
518 && !wrap_issuer(dane, newkey, cert, depth, WRAP_TOP)))
519 ret = 0;
520
521 if (akid)
522 AUTHORITY_KEYID_free(akid);
523 if (!key)
524 EVP_PKEY_free(newkey);
525 if (ret)
526 ret = grow_chain(dane, !top && wrap_to_root ? UNTRUSTED : TRUSTED, cert);
527 if (cert)
528 X509_free(cert);
529 return ret;
530 }
531
532 static int
wrap_cert(ssl_dane * dane,X509 * tacert,int depth)533 wrap_cert(ssl_dane *dane, X509 *tacert, int depth)
534 {
535 if (dane->depth < 0)
536 dane->depth = depth + 1;
537
538 /*
539 * If the TA certificate is self-issued, or need not be, use it directly.
540 * Otherwise, synthesize requisite ancestors.
541 */
542 if ( !wrap_to_root
543 || X509_check_issued(tacert, tacert) == X509_V_OK)
544 return grow_chain(dane, TRUSTED, tacert);
545
546 if (wrap_issuer(dane, 0, tacert, depth, WRAP_MID))
547 return grow_chain(dane, UNTRUSTED, tacert);
548 return 0;
549 }
550
551 static int
ta_signed(ssl_dane * dane,X509 * cert,int depth)552 ta_signed(ssl_dane *dane, X509 *cert, int depth)
553 {
554 EVP_PKEY *pk;
555 int done = 0;
556
557 /*
558 * First check whether issued and signed by a TA cert, this is cheaper
559 * than the bare-public key checks below, since we can determine whether
560 * the candidate TA certificate issued the certificate to be checked
561 * first (name comparisons), before we bother with signature checks
562 * (public key operations).
563 */
564 for (dane_cert_list x = dane->certs; !done && x; x = x->next)
565 {
566 if (X509_check_issued(x->value, cert) == X509_V_OK)
567 {
568 if (!(pk = X509_get_pubkey(x->value)))
569 {
570 /*
571 * The cert originally contained a valid pkey, which does
572 * not just vanish, so this is most likely a memory error.
573 */
574 done = -1;
575 break;
576 }
577 /* Check signature, since some other TA may work if not this. */
578 if (X509_verify(cert, pk) > 0)
579 done = wrap_cert(dane, x->value, depth) ? 1 : -1;
580 EVP_PKEY_free(pk);
581 }
582 }
583
584 /*
585 * With bare TA public keys, we can't check whether the trust chain is
586 * issued by the key, but we can determine whether it is signed by the
587 * key, so we go with that.
588 *
589 * Ideally, the corresponding certificate was presented in the chain, and we
590 * matched it by its public key digest one level up. This code is here
591 * to handle adverse conditions imposed by sloppy administrators of
592 * receiving systems with poorly constructed chains.
593 *
594 * We'd like to optimize out keys that should not match when the cert's
595 * authority key id does not match the key id of this key computed via
596 * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans
597 * ASN1 tag and length thus also excluding the unused bits field that is
598 * logically part of the length). However, some CAs have a non-standard
599 * authority keyid, so we lose. Too bad.
600 *
601 * This may push errors onto the stack when the certificate signature is
602 * not of the right type or length, throw these away,
603 */
604 for (dane_pkey_list k = dane->pkeys; !done && k; k = k->next)
605 if (X509_verify(cert, k->value) > 0)
606 done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
607 else
608 ERR_clear_error();
609
610 return done;
611 }
612
613 static int
set_trust_anchor(X509_STORE_CTX * ctx,ssl_dane * dane,X509 * cert)614 set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
615 {
616 int matched = 0;
617 int depth = 0;
618 EVP_PKEY *takey;
619 X509 *ca;
620 STACK_OF(X509) *in = X509_STORE_CTX_get0_untrusted(ctx);
621
622 if (!grow_chain(dane, UNTRUSTED, 0))
623 return -1;
624
625 /*
626 * Accept a degenerate case: depth 0 self-signed trust-anchor.
627 */
628 if (X509_check_issued(cert, cert) == X509_V_OK)
629 {
630 dane->depth = 0;
631 matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], cert, 0);
632 if (matched > 0 && !grow_chain(dane, TRUSTED, cert))
633 matched = -1;
634 return matched;
635 }
636
637 /* Make a shallow copy of the input untrusted chain. */
638 if (!(in = sk_X509_dup(in)))
639 {
640 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
641 return -1;
642 }
643
644 /*
645 * At each iteration we consume the issuer of the current cert. This
646 * reduces the length of the "in" chain by one. If no issuer is found,
647 * we are done. We also stop when a certificate matches a TA in the
648 * peer's TLSA RRset.
649 *
650 * Caller ensures that the initial certificate is not self-signed.
651 */
652 for (int n = sk_X509_num(in); n > 0; --n, ++depth)
653 {
654 int i;
655 for (i = 0; i < n; ++i)
656 if (X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
657 break;
658
659 /*
660 * Final untrusted element with no issuer in the peer's chain, it may
661 * however be signed by a pkey or cert obtained via a TLSA RR.
662 */
663 if (i == n)
664 break;
665
666 /* Peer's chain contains an issuer ca. */
667 ca = sk_X509_delete(in, i);
668
669 /* If not a trust anchor, record untrusted ca and continue. */
670 if ((matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], ca,
671 depth + 1)) == 0)
672 {
673 if (grow_chain(dane, UNTRUSTED, ca))
674 {
675 if (X509_check_issued(ca, ca) != X509_V_OK)
676 {
677 /* Restart with issuer as subject */
678 cert = ca;
679 continue;
680 }
681 /* Final self-signed element, skip ta_signed() check. */
682 cert = 0;
683 }
684 else
685 matched = -1;
686 }
687 else if(matched == MATCHED_CERT)
688 {
689 if(!wrap_cert(dane, ca, depth))
690 matched = -1;
691 }
692 else if(matched == MATCHED_PKEY)
693 {
694 if ( !(takey = X509_get_pubkey(ca))
695 || !wrap_issuer(dane, takey, cert, depth, WRAP_MID))
696 {
697 if (takey)
698 EVP_PKEY_free(takey);
699 else
700 DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
701 matched = -1;
702 }
703 }
704 break;
705 }
706
707 /* Shallow free the duplicated input untrusted chain. */
708 sk_X509_free(in);
709
710 /*
711 * When the loop exits, if "cert" is set, it is not self-signed and has
712 * no issuer in the chain, we check for a possible signature via a DNS
713 * obtained TA cert or public key.
714 */
715 if (matched == 0 && cert)
716 matched = ta_signed(dane, cert, depth);
717
718 return matched;
719 }
720
721 static int
check_end_entity(X509_STORE_CTX * ctx,ssl_dane * dane,X509 * cert)722 check_end_entity(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
723 {
724 int matched;
725
726 matched = match(dane->selectors[DANESSL_USAGE_DANE_EE], cert, 0);
727 if (matched > 0)
728 {
729 dane->mdpth = 0;
730 dane->match = cert;
731 X509_up_ref(cert);
732 if(!X509_STORE_CTX_get0_chain(ctx))
733 {
734 STACK_OF(X509) * sk = sk_X509_new_null();
735 if (sk && sk_X509_push(sk, cert))
736 {
737 X509_up_ref(cert);
738 X509_STORE_CTX_set0_verified_chain(ctx, sk);
739 }
740 else
741 {
742 if (sk) sk_X509_free(sk);
743 DANEerr(DANESSL_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE);
744 return -1;
745 }
746 }
747 }
748 return matched;
749 }
750
751 static int
match_name(const char * certid,ssl_dane * dane)752 match_name(const char *certid, ssl_dane *dane)
753 {
754 int multi = dane->multi;
755
756 for (dane_host_list hosts = dane->hosts; hosts; hosts = hosts->next)
757 {
758 int match_subdomain = 0;
759 const char *domain = hosts->value;
760 const char *parent;
761 int idlen;
762 int domlen;
763
764 if (*domain == '.' && domain[1] != '\0')
765 {
766 ++domain;
767 match_subdomain = 1;
768 }
769
770 /*
771 * Sub-domain match: certid is any sub-domain of hostname.
772 */
773 if(match_subdomain)
774 {
775 if ( (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1
776 && certid[idlen - domlen - 1] == '.'
777 && !strcasecmp(certid + (idlen - domlen), domain))
778 return 1;
779 else
780 continue;
781 }
782
783 /*
784 * Exact match and initial "*" match. The initial "*" in a certid
785 * matches one (if multi is false) or more hostname components under
786 * the condition that the certid contains multiple hostname components.
787 */
788 if ( !strcasecmp(certid, domain)
789 || ( certid[0] == '*' && certid[1] == '.' && certid[2] != 0
790 && (parent = strchr(domain, '.')) != 0
791 && (idlen = strlen(certid + 1)) <= (domlen = strlen(parent))
792 && strcasecmp(multi ? parent + domlen - idlen : parent, certid+1) == 0))
793 return 1;
794 }
795 return 0;
796 }
797
798 static const char *
check_name(const char * name,int len)799 check_name(const char *name, int len)
800 {
801 const char *cp = name + len;
802
803 while (len > 0 && !*--cp)
804 --len; /* Ignore trailing NULs */
805 if (len <= 0)
806 return 0;
807 for (cp = name; *cp; cp++)
808 {
809 char c = *cp;
810 if (!((c >= 'a' && c <= 'z') ||
811 (c >= '0' && c <= '9') ||
812 (c >= 'A' && c <= 'Z') ||
813 (c == '.' || c == '-') ||
814 (c == '*')))
815 return 0; /* Only LDH, '.' and '*' */
816 }
817 if (cp - name != len) /* Guard against internal NULs */
818 return 0;
819 return name;
820 }
821
822 static const char *
parse_dns_name(const GENERAL_NAME * gn)823 parse_dns_name(const GENERAL_NAME *gn)
824 {
825 if (gn->type != GEN_DNS)
826 return 0;
827 if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
828 return 0;
829 return check_name(CCS ASN1_STRING_get0_data(gn->d.ia5),
830 ASN1_STRING_length(gn->d.ia5));
831 }
832
833 static char *
parse_subject_name(X509 * cert)834 parse_subject_name(X509 *cert)
835 {
836 X509_NAME *name = X509_get_subject_name(cert);
837 X509_NAME_ENTRY *entry;
838 ASN1_STRING *entry_str;
839 unsigned char *namebuf;
840 int nid = NID_commonName;
841 int len;
842 int i;
843
844 if (!name || (i = X509_NAME_get_index_by_NID(name, nid, -1)) < 0)
845 return 0;
846 if (!(entry = X509_NAME_get_entry(name, i)))
847 return 0;
848 if (!(entry_str = X509_NAME_ENTRY_get_data(entry)))
849 return 0;
850
851 if ((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0)
852 return 0;
853 if (len <= 0 || check_name(CS namebuf, len) == 0)
854 {
855 OPENSSL_free(namebuf);
856 return 0;
857 }
858 return CS namebuf;
859 }
860
861 static int
name_check(ssl_dane * dane,X509 * cert)862 name_check(ssl_dane *dane, X509 *cert)
863 {
864 int matched = 0;
865 BOOL got_altname = FALSE;
866 GENERAL_NAMES *gens;
867
868 gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
869 if (gens)
870 {
871 int n = sk_GENERAL_NAME_num(gens);
872
873 for (int i = 0; i < n; ++i)
874 {
875 const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
876 const char *certid;
877
878 if (gn->type != GEN_DNS)
879 continue;
880 got_altname = TRUE;
881 certid = parse_dns_name(gn);
882 if (certid && *certid)
883 {
884 if ((matched = match_name(certid, dane)) == 0)
885 continue;
886 if (!(dane->mhost = OPENSSL_strdup(certid)))
887 matched = -1;
888 DEBUG(D_tls) debug_printf("Dane name_check: matched SAN %s\n", certid);
889 break;
890 }
891 }
892 GENERAL_NAMES_free(gens);
893 }
894
895 /*
896 * XXX: Should the subjectName be skipped when *any* altnames are present,
897 * or only when DNS altnames are present?
898 */
899 if (!got_altname)
900 {
901 char *certid = parse_subject_name(cert);
902 if (certid != 0 && *certid && (matched = match_name(certid, dane)) != 0)
903 {
904 DEBUG(D_tls) debug_printf("Dane name_check: matched SN %s\n", certid);
905 dane->mhost = OPENSSL_strdup(certid);
906 }
907 if (certid)
908 OPENSSL_free(certid);
909 }
910 return matched;
911 }
912
913 static int
verify_chain(X509_STORE_CTX * ctx)914 verify_chain(X509_STORE_CTX *ctx)
915 {
916 int (*cb)(int, X509_STORE_CTX *) = X509_STORE_CTX_get_verify_cb(ctx);
917 X509 *cert = X509_STORE_CTX_get0_cert(ctx);
918 STACK_OF(X509) * chain = X509_STORE_CTX_get0_chain(ctx);
919 int chain_length = sk_X509_num(chain);
920 int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
921 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
922 ssl_dane *dane = SSL_get_ex_data(ssl, dane_idx);
923 dane_selector_list issuer_rrs = dane->selectors[DANESSL_USAGE_PKIX_TA];
924 dane_selector_list leaf_rrs = dane->selectors[DANESSL_USAGE_PKIX_EE];
925 int matched = 0;
926
927 DEBUG(D_tls) debug_printf("Dane verify_chain\n");
928
929 /* Restore OpenSSL's internal_verify() as the signature check function */
930 X509_STORE_CTX_set_verify(ctx, dane->verify);
931
932 if ((matched = name_check(dane, cert)) < 0)
933 {
934 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
935 return 0;
936 }
937
938 if (!matched)
939 {
940 X509_STORE_CTX_set_error_depth(ctx, 0);
941 X509_STORE_CTX_set_current_cert(ctx, cert);
942 X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
943 if (!cb(0, ctx))
944 return 0;
945 }
946 matched = 0;
947
948 /*
949 * Satisfy at least one usage 0 or 1 constraint, unless we've already
950 * matched a usage 2 trust anchor.
951 *
952 * XXX: internal_verify() doesn't callback with top certs that are not
953 * self-issued. This is fixed in OpenSSL 1.1.0.
954 */
955 if (dane->roots && sk_X509_num(dane->roots))
956 {
957 X509 *top = sk_X509_value(chain, dane->depth);
958
959 dane->mdpth = dane->depth;
960 dane->match = top;
961 X509_up_ref(top);
962
963 #if OPENSSL_VERSION_NUMBER < 0x10100000L
964 if (X509_check_issued(top, top) != X509_V_OK)
965 {
966 X509_STORE_CTX_set_error_depth(ctx, dane->depth);
967 X509_STORE_CTX_set_current_cert(ctx, top);
968 if (!cb(1, ctx))
969 return 0;
970 }
971 #endif
972 /* Pop synthetic trust-anchor ancestors off the chain! */
973 while (--chain_length > dane->depth)
974 X509_free(sk_X509_pop(chain));
975 }
976 else
977 {
978 int n = 0;
979 X509 *xn = cert;
980
981 /*
982 * Check for an EE match, then a CA match at depths > 0, and
983 * finally, if the EE cert is self-issued, for a depth 0 CA match.
984 */
985 if (leaf_rrs)
986 matched = match(leaf_rrs, xn, 0);
987 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched EE\n");
988
989 if (!matched && issuer_rrs)
990 for (n = chain_length-1; !matched && n >= 0; --n)
991 {
992 xn = sk_X509_value(chain, n);
993 if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
994 matched = match(issuer_rrs, xn, n);
995 }
996 if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched %s\n",
997 n>0 ? "CA" : "selfisssued EE");
998
999 if (!matched)
1000 {
1001 X509_STORE_CTX_set_error_depth(ctx, 0);
1002 X509_STORE_CTX_set_current_cert(ctx, cert);
1003 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
1004 if (!cb(0, ctx))
1005 return 0;
1006 }
1007 else
1008 {
1009 dane->mdpth = n;
1010 dane->match = xn;
1011 X509_up_ref(xn);
1012 }
1013 }
1014
1015 /* Tail recurse into OpenSSL's internal_verify */
1016 return dane->verify(ctx);
1017 }
1018
1019 static void
dane_reset(ssl_dane * dane)1020 dane_reset(ssl_dane *dane)
1021 {
1022 dane->depth = -1;
1023 if (dane->mhost)
1024 {
1025 OPENSSL_free(dane->mhost);
1026 dane->mhost = 0;
1027 }
1028 if (dane->roots)
1029 {
1030 sk_X509_pop_free(dane->roots, X509_free);
1031 dane->roots = 0;
1032 }
1033 if (dane->chain)
1034 {
1035 sk_X509_pop_free(dane->chain, X509_free);
1036 dane->chain = 0;
1037 }
1038 if (dane->match)
1039 {
1040 X509_free(dane->match);
1041 dane->match = 0;
1042 }
1043 dane->mdpth = -1;
1044 }
1045
1046 static int
verify_cert(X509_STORE_CTX * ctx,void * unused_ctx)1047 verify_cert(X509_STORE_CTX *ctx, void *unused_ctx)
1048 {
1049 static int ssl_idx = -1;
1050 SSL *ssl;
1051 ssl_dane *dane;
1052 int (*cb)(int, X509_STORE_CTX *) = X509_STORE_CTX_get_verify_cb(ctx);
1053 X509 *cert = X509_STORE_CTX_get0_cert(ctx);
1054 int matched;
1055
1056 DEBUG(D_tls) debug_printf("Dane verify_cert\n");
1057
1058 if (ssl_idx < 0)
1059 ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1060 if (dane_idx < 0)
1061 {
1062 DANEerr(DANESSL_F_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
1063 return -1;
1064 }
1065
1066 ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
1067 if (!(dane = SSL_get_ex_data(ssl, dane_idx)) || !cert)
1068 return X509_verify_cert(ctx);
1069
1070 /* Reset for verification of a new chain, perhaps a renegotiation. */
1071 dane_reset(dane);
1072
1073 if (dane->selectors[DANESSL_USAGE_DANE_EE])
1074 {
1075 if ((matched = check_end_entity(ctx, dane, cert)) > 0)
1076 {
1077 X509_STORE_CTX_set_error_depth(ctx, 0);
1078 X509_STORE_CTX_set_current_cert(ctx, cert);
1079 return cb(1, ctx);
1080 }
1081 if (matched < 0)
1082 {
1083 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1084 return -1;
1085 }
1086 }
1087
1088 if (dane->selectors[DANESSL_USAGE_DANE_TA])
1089 {
1090 if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
1091 {
1092 X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
1093 return -1;
1094 }
1095 if (matched)
1096 {
1097 /*
1098 * Check that setting the untrusted chain updates the expected
1099 * structure member at the expected offset.
1100 */
1101 X509_STORE_CTX_trusted_stack(ctx, dane->roots);
1102 X509_STORE_CTX_set_chain(ctx, dane->chain);
1103 OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx));
1104 }
1105 }
1106
1107 /*
1108 * Name checks and usage 0/1 constraint enforcement are delayed until
1109 * X509_verify_cert() builds the full chain and calls our verify_chain()
1110 * wrapper.
1111 */
1112 dane->verify = X509_STORE_CTX_get_verify(ctx);
1113 X509_STORE_CTX_set_verify(ctx, verify_chain);
1114
1115 if (X509_verify_cert(ctx))
1116 return 1;
1117
1118 /*
1119 * If the chain is invalid, clear any matching cert or hostname, to
1120 * protect callers that might erroneously rely on these alone without
1121 * checking the validation status.
1122 */
1123 if (dane->match)
1124 {
1125 X509_free(dane->match);
1126 dane->match = 0;
1127 }
1128 if (dane->mhost)
1129 {
1130 OPENSSL_free(dane->mhost);
1131 dane->mhost = 0;
1132 }
1133 return 0;
1134 }
1135
1136 static dane_list
list_alloc(size_t vsize)1137 list_alloc(size_t vsize)
1138 {
1139 void *value = (void *) OPENSSL_malloc(vsize);
1140 dane_list l;
1141
1142 if (!value)
1143 {
1144 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1145 return 0;
1146 }
1147 if (!(l = (dane_list) OPENSSL_malloc(sizeof(*l))))
1148 {
1149 OPENSSL_free(value);
1150 DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
1151 return 0;
1152 }
1153 l->next = 0;
1154 l->value = value;
1155 return l;
1156 }
1157
1158 static void
list_free(void * list,void (* f)(void *))1159 list_free(void *list, void (*f)(void *))
1160 {
1161 dane_list next;
1162
1163 for (dane_list head = (dane_list) list; head; head = next)
1164 {
1165 next = head->next;
1166 if (f && head->value)
1167 f(head->value);
1168 OPENSSL_free(head);
1169 }
1170 }
1171
1172 static void
ossl_free(void * p)1173 ossl_free(void * p)
1174 {
1175 OPENSSL_free(p);
1176 }
1177
1178 static void
dane_mtype_free(void * p)1179 dane_mtype_free(void *p)
1180 {
1181 list_free(((dane_mtype) p)->data, ossl_free);
1182 OPENSSL_free(p);
1183 }
1184
1185 static void
dane_selector_free(void * p)1186 dane_selector_free(void *p)
1187 {
1188 list_free(((dane_selector) p)->mtype, dane_mtype_free);
1189 OPENSSL_free(p);
1190 }
1191
1192
1193
1194 /*
1195
1196 Tidy up once the connection is finished with.
1197
1198 Arguments
1199 ssl The ssl connection handle
1200
1201 => Before calling SSL_free()
1202 tls_close() and tls_getc() [the error path] are the obvious places.
1203 Could we do it earlier - right after verification? In tls_client_start()
1204 right after SSL_connect() returns, in that case.
1205
1206 */
1207
1208 void
DANESSL_cleanup(SSL * ssl)1209 DANESSL_cleanup(SSL *ssl)
1210 {
1211 ssl_dane *dane;
1212
1213 DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
1214
1215 if (dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1216 return;
1217 (void) SSL_set_ex_data(ssl, dane_idx, 0);
1218
1219 dane_reset(dane);
1220 if (dane->hosts)
1221 list_free(dane->hosts, ossl_free);
1222 for (int u = 0; u <= DANESSL_USAGE_LAST; ++u)
1223 if (dane->selectors[u])
1224 list_free(dane->selectors[u], dane_selector_free);
1225 if (dane->pkeys)
1226 list_free(dane->pkeys, pkey_free);
1227 if (dane->certs)
1228 list_free(dane->certs, cert_free);
1229 OPENSSL_free(dane);
1230 }
1231
1232 static dane_host_list
host_list_init(const char ** src)1233 host_list_init(const char **src)
1234 {
1235 dane_host_list head = NULL;
1236
1237 while (*src)
1238 {
1239 dane_host_list elem = (dane_host_list) OPENSSL_malloc(sizeof(*elem));
1240 if (elem == 0)
1241 {
1242 list_free(head, ossl_free);
1243 return 0;
1244 }
1245 elem->value = OPENSSL_strdup(*src++);
1246 LINSERT(head, elem);
1247 }
1248 return head;
1249 }
1250
1251
1252 int
DANESSL_get_match_cert(SSL * ssl,X509 ** match,const char ** mhost,int * depth)1253 DANESSL_get_match_cert(SSL *ssl, X509 **match, const char **mhost, int *depth)
1254 {
1255 ssl_dane *dane;
1256
1257 if (dane_idx < 0 || (dane = SSL_get_ex_data(ssl, dane_idx)) == 0)
1258 {
1259 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1260 return -1;
1261 }
1262
1263 if (dane->match)
1264 {
1265 if (match)
1266 *match = dane->match;
1267 if (mhost)
1268 *mhost = dane->mhost;
1269 if (depth)
1270 *depth = dane->mdpth;
1271 }
1272
1273 return (dane->match != 0);
1274 }
1275
1276
1277 #ifdef never_called
1278 int
DANESSL_verify_chain(SSL * ssl,STACK_OF (X509)* chain)1279 DANESSL_verify_chain(SSL *ssl, STACK_OF(X509) *chain)
1280 {
1281 int ret;
1282 X509 *cert;
1283 X509_STORE_CTX * store_ctx;
1284 SSL_CTX *ssl_ctx = SSL_get_SSL_CTX(ssl);
1285 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
1286 int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
1287
1288 cert = sk_X509_value(chain, 0);
1289 if (!(store_ctx = X509_STORE_CTX_new()))
1290 {
1291 DANEerr(DANESSL_F_DANESSL_VERIFY_CHAIN, ERR_R_MALLOC_FAILURE);
1292 return 0;
1293 }
1294 if (!X509_STORE_CTX_init(store_ctx, store, cert, chain))
1295 {
1296 X509_STORE_CTX_free(store_ctx);
1297 return 0;
1298 }
1299 X509_STORE_CTX_set_ex_data(store_ctx, store_ctx_idx, ssl);
1300
1301 X509_STORE_CTX_set_default(store_ctx,
1302 SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
1303 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
1304 SSL_get0_param(ssl));
1305
1306 if (SSL_get_verify_callback(ssl))
1307 X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
1308
1309 ret = verify_cert(store_ctx, NULL);
1310
1311 SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(store_ctx));
1312 X509_STORE_CTX_cleanup(store_ctx);
1313
1314 return (ret);
1315 }
1316 #endif
1317
1318
1319
1320
1321 /*
1322
1323 Call this for each TLSA record found for the target, after the
1324 DANE setup has been done on the ssl connection handle.
1325
1326 Arguments:
1327 ssl Connection handle
1328 usage TLSA record field
1329 selector TLSA record field
1330 mdname ??? message digest name?
1331 data ??? TLSA record megalump?
1332 dlen length of data
1333
1334 Return
1335 -1 on error
1336 0 action not taken
1337 1 record accepted
1338 */
1339
1340 int
DANESSL_add_tlsa(SSL * ssl,uint8_t usage,uint8_t selector,const char * mdname,unsigned const char * data,size_t dlen)1341 DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
1342 unsigned const char *data, size_t dlen)
1343 {
1344 ssl_dane *dane;
1345 dane_selector_list s = 0;
1346 dane_mtype_list m = 0;
1347 dane_data_list d = 0;
1348 dane_cert_list xlist = 0;
1349 dane_pkey_list klist = 0;
1350 const EVP_MD *md = 0;
1351
1352 DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
1353 usage, selector, mdname);
1354
1355 if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
1356 {
1357 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
1358 return -1;
1359 }
1360
1361 if (usage > DANESSL_USAGE_LAST)
1362 {
1363 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_USAGE);
1364 return 0;
1365 }
1366 if (selector > DANESSL_SELECTOR_LAST)
1367 {
1368 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_SELECTOR);
1369 return 0;
1370 }
1371
1372 /* Support built-in standard one-digit mtypes */
1373 if (mdname && *mdname && mdname[1] == '\0')
1374 switch (*mdname - '0')
1375 {
1376 case DANESSL_MATCHING_FULL: mdname = 0; break;
1377 case DANESSL_MATCHING_2256: mdname = "sha256"; break;
1378 case DANESSL_MATCHING_2512: mdname = "sha512"; break;
1379 }
1380 if (mdname && *mdname && !(md = EVP_get_digestbyname(mdname)))
1381 {
1382 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST);
1383 return 0;
1384 }
1385 if (mdname && *mdname && dlen != EVP_MD_size(md))
1386 {
1387 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH);
1388 return 0;
1389 }
1390 if (!data)
1391 {
1392 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA);
1393 return 0;
1394 }
1395
1396 /*
1397 * Full Certificate or Public Key when NULL or empty digest name
1398 */
1399 if (!mdname || !*mdname)
1400 {
1401 X509 *x = 0;
1402 EVP_PKEY *k = 0;
1403 const unsigned char *p = data;
1404
1405 #define xklistinit(lvar, ltype, var, freeFunc) do { \
1406 (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
1407 if ((lvar) == 0) { \
1408 DANEerr(DANESSL_F_ADD_TLSA, ERR_R_MALLOC_FAILURE); \
1409 freeFunc((var)); \
1410 return 0; \
1411 } \
1412 (lvar)->next = 0; \
1413 lvar->value = var; \
1414 } while (0)
1415 #define xkfreeret(ret) do { \
1416 if (xlist) list_free(xlist, cert_free); \
1417 if (klist) list_free(klist, pkey_free); \
1418 return (ret); \
1419 } while (0)
1420
1421 switch (selector)
1422 {
1423 case DANESSL_SELECTOR_CERT:
1424 if (!d2i_X509(&x, &p, dlen) || dlen != p - data)
1425 {
1426 if (x)
1427 X509_free(x);
1428 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT);
1429 return 0;
1430 }
1431 k = X509_get_pubkey(x);
1432 EVP_PKEY_free(k);
1433 if (k == 0)
1434 {
1435 X509_free(x);
1436 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT_PKEY);
1437 return 0;
1438 }
1439 if (usage == DANESSL_USAGE_DANE_TA)
1440 xklistinit(xlist, dane_cert_list, x, X509_free);
1441 break;
1442
1443 case DANESSL_SELECTOR_SPKI:
1444 if (!d2i_PUBKEY(&k, &p, dlen) || dlen != p - data)
1445 {
1446 if (k)
1447 EVP_PKEY_free(k);
1448 DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_PKEY);
1449 return 0;
1450 }
1451 if (usage == DANESSL_USAGE_DANE_TA)
1452 xklistinit(klist, dane_pkey_list, k, EVP_PKEY_free);
1453 break;
1454 }
1455 }
1456
1457 /* Find insertion point and don't add duplicate elements. */
1458 for (s = dane->selectors[usage]; s; s = s->next)
1459 if (s->value->selector == selector)
1460 {
1461 for (m = s->value->mtype; m; m = m->next)
1462 if (m->value->md == md)
1463 {
1464 for (d = m->value->data; d; d = d->next)
1465 if ( d->value->datalen == dlen
1466 && memcmp(d->value->data, data, dlen) == 0)
1467 xkfreeret(1);
1468 break;
1469 }
1470 break;
1471 }
1472
1473 if ((d = (dane_data_list) list_alloc(sizeof(*d->value) + dlen)) == 0)
1474 xkfreeret(0);
1475 d->value->datalen = dlen;
1476 memcpy(d->value->data, data, dlen);
1477 if (!m)
1478 {
1479 if ((m = (dane_mtype_list) list_alloc(sizeof(*m->value))) == 0)
1480 {
1481 list_free(d, ossl_free);
1482 xkfreeret(0);
1483 }
1484 m->value->data = 0;
1485 if ((m->value->md = md) != 0)
1486 m->value->mdlen = dlen;
1487 if (!s)
1488 {
1489 if ((s = (dane_selector_list) list_alloc(sizeof(*s->value))) == 0)
1490 {
1491 list_free(m, dane_mtype_free);
1492 xkfreeret(0);
1493 }
1494 s->value->mtype = 0;
1495 s->value->selector = selector;
1496 LINSERT(dane->selectors[usage], s);
1497 }
1498 LINSERT(s->value->mtype, m);
1499 }
1500 LINSERT(m->value->data, d);
1501
1502 if (xlist)
1503 LINSERT(dane->certs, xlist);
1504 else if (klist)
1505 LINSERT(dane->pkeys, klist);
1506 ++dane->count;
1507 return 1;
1508 }
1509
1510
1511
1512
1513 /*
1514 Call this once we have an ssl connection handle but before
1515 making the TLS connection.
1516
1517 => In tls_client_start() after the call to SSL_new()
1518 and before the call to SSL_connect(). Exactly where
1519 probably does not matter.
1520 We probably want to keep our existing SNI handling;
1521 call this with NULL.
1522
1523 Arguments:
1524 ssl Connection handle
1525 sni_domain Optional peer server name
1526 hostnames list of names to chack against peer cert
1527
1528 Return
1529 -1 on fatal error
1530 0 nonfatal error
1531 1 success
1532 */
1533
1534 int
DANESSL_init(SSL * ssl,const char * sni_domain,const char ** hostnames)1535 DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
1536 {
1537 ssl_dane *dane;
1538
1539 DEBUG(D_tls) debug_printf("Dane ssl_init\n");
1540 if (dane_idx < 0)
1541 {
1542 DANEerr(DANESSL_F_INIT, DANESSL_R_LIBRARY_INIT);
1543 return -1;
1544 }
1545
1546 if (sni_domain && !SSL_set_tlsext_host_name(ssl, sni_domain))
1547 return 0;
1548
1549 if ((dane = (ssl_dane *) OPENSSL_malloc(sizeof(ssl_dane))) == 0)
1550 {
1551 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1552 return 0;
1553 }
1554 if (!SSL_set_ex_data(ssl, dane_idx, dane))
1555 {
1556 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1557 OPENSSL_free(dane);
1558 return 0;
1559 }
1560
1561 dane->verify = 0;
1562 dane->hosts = 0;
1563 dane->thost = 0;
1564 dane->pkeys = 0;
1565 dane->certs = 0;
1566 dane->chain = 0;
1567 dane->match = 0;
1568 dane->roots = 0;
1569 dane->depth = -1;
1570 dane->mhost = 0; /* Future SSL control interface */
1571 dane->mdpth = 0; /* Future SSL control interface */
1572 dane->multi = 0; /* Future SSL control interface */
1573 dane->count = 0;
1574 dane->hosts = 0;
1575
1576 for (int i = 0; i <= DANESSL_USAGE_LAST; ++i)
1577 dane->selectors[i] = 0;
1578
1579 if (hostnames && (dane->hosts = host_list_init(hostnames)) == 0)
1580 {
1581 DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
1582 DANESSL_cleanup(ssl);
1583 return 0;
1584 }
1585
1586 return 1;
1587 }
1588
1589
1590 /*
1591
1592 Call this once we have a context to work with, but
1593 before DANESSL_init()
1594
1595 => in tls_client_start(), after tls_init() call gives us the ctx,
1596 if we decide we want to (policy) and can (TLSA records available)
1597 replacing (? what about fallback) everything from testing tls_verify_hosts
1598 down to just before calling SSL_new() for the conn handle.
1599
1600 Arguments
1601 ctx SSL context
1602
1603 Return
1604 -1 Error
1605 1 Success
1606 */
1607
1608 int
DANESSL_CTX_init(SSL_CTX * ctx)1609 DANESSL_CTX_init(SSL_CTX *ctx)
1610 {
1611 DEBUG(D_tls) debug_printf("Dane ctx-init\n");
1612 if (dane_idx >= 0)
1613 {
1614 SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
1615 return 1;
1616 }
1617 DANEerr(DANESSL_F_CTX_INIT, DANESSL_R_LIBRARY_INIT);
1618 return -1;
1619 }
1620
1621 static void
dane_init(void)1622 dane_init(void)
1623 {
1624 /*
1625 * Store library id in zeroth function slot, used to locate the library
1626 * name. This must be done before we load the error strings.
1627 */
1628 err_lib_dane = ERR_get_next_error_library();
1629
1630 #ifndef OPENSSL_NO_ERR
1631 if (err_lib_dane > 0)
1632 {
1633 dane_str_functs[0].error |= ERR_PACK(err_lib_dane, 0, 0);
1634 ERR_load_strings(err_lib_dane, dane_str_functs);
1635 ERR_load_strings(err_lib_dane, dane_str_reasons);
1636 }
1637 #endif
1638
1639 /*
1640 * Register SHA-2 digests, if implemented and not already registered.
1641 */
1642 #if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
1643 if (!EVP_get_digestbyname(LN_sha224)) EVP_add_digest(EVP_sha224());
1644 if (!EVP_get_digestbyname(LN_sha256)) EVP_add_digest(EVP_sha256());
1645 #endif
1646 #if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
1647 if (!EVP_get_digestbyname(LN_sha384)) EVP_add_digest(EVP_sha384());
1648 if (!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
1649 #endif
1650
1651 /*
1652 * Register an SSL index for the connection-specific ssl_dane structure.
1653 * Using a separate index makes it possible to add DANE support to
1654 * existing OpenSSL releases that don't have a suitable pointer in the
1655 * SSL structure.
1656 */
1657 dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
1658 }
1659
1660
1661 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
1662 static void
run_once(volatile int * once,void (* init)(void))1663 run_once(volatile int * once, void (*init)(void))
1664 {
1665 int wlock = 0;
1666
1667 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
1668 if (!*once)
1669 {
1670 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1671 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1672 wlock = 1;
1673 if (!*once)
1674 {
1675 *once = 1;
1676 init();
1677 }
1678 }
1679 if (wlock)
1680 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1681 else
1682 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
1683 }
1684 #endif
1685
1686
1687
1688 /*
1689
1690 Call this once. Probably early in startup will do; may need
1691 to be after SSL library init.
1692
1693 => put after call to tls_init() for now
1694
1695 Return
1696 1 Success
1697 0 Fail
1698 */
1699
1700 int
DANESSL_library_init(void)1701 DANESSL_library_init(void)
1702 {
1703 static CRYPTO_ONCE once = CRYPTO_ONCE_STATIC_INIT;
1704
1705 DEBUG(D_tls) debug_printf("Dane lib-init\n");
1706 (void) CRYPTO_THREAD_run_once(&once, dane_init);
1707
1708 #if defined(LN_sha256)
1709 /* No DANE without SHA256 support */
1710 if (dane_idx >= 0 && EVP_get_digestbyname(LN_sha256) != 0)
1711 return 1;
1712 #endif
1713 DANEerr(DANESSL_F_LIBRARY_INIT, DANESSL_R_SUPPORT);
1714 return 0;
1715 }
1716
1717
1718 /* vi: aw ai sw=2
1719 */
1720