diff options
| author | Todd Lyons <tlyons@exim.org> | 2014-03-05 06:17:54 -0800 |
|---|---|---|
| committer | Todd Lyons <tlyons@exim.org> | 2014-07-29 05:53:50 -0700 |
| commit | e682570f275e60cf75f013c234a0561a451ab559 (patch) | |
| tree | 86853c047a6909712982079d4f33033f9e61fddf | |
| parent | 91664d8f02e873e8d39ef46ed0e65ea26cf11232 (diff) | |
Framework to build dane support
| -rw-r--r-- | doc/doc-txt/OptionLists.txt | 1 | ||||
| -rw-r--r-- | src/OS/Makefile-Base | 3 | ||||
| -rwxr-xr-x | src/scripts/MakeLinks | 4 | ||||
| -rw-r--r-- | src/src/config.h.defaults | 1 | ||||
| -rw-r--r-- | src/src/dane-gnu.c | 21 | ||||
| -rw-r--r-- | src/src/dane-openssl.c | 1306 | ||||
| -rw-r--r-- | src/src/dane.c | 46 | ||||
| -rw-r--r-- | src/src/danessl.h | 31 | ||||
| -rw-r--r-- | src/src/globals.c | 3 | ||||
| -rw-r--r-- | src/src/globals.h | 3 |
10 files changed, 1418 insertions, 1 deletions
diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt index ef6195600..375850d6b 100644 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt @@ -181,6 +181,7 @@ dns_check_names_pattern string + main dns_csa_search_limit integer 5 main 4.60 dns_csa_use_reverse boolean true main 4.60 dns_dnssec_ok integer -1 main 4.82 +dns_dane_ok integer -1 main 4.83 dns_ipv4_lookup boolean false main 3.20 dns_qualify_single boolean true smtp dns_retrans time 0s main 1.60 diff --git a/src/OS/Makefile-Base b/src/OS/Makefile-Base index 87a803704..8937f3cad 100644 --- a/src/OS/Makefile-Base +++ b/src/OS/Makefile-Base @@ -298,7 +298,7 @@ convert4r4: Makefile ../src/convert4r4.src OBJ_WITH_CONTENT_SCAN = malware.o mime.o regex.o spam.o spool_mbox.o OBJ_WITH_OLD_DEMIME = demime.o -OBJ_EXPERIMENTAL = bmi_spam.o spf.o srs.o dcc.o dmarc.o +OBJ_EXPERIMENTAL = bmi_spam.o spf.o srs.o dcc.o dmarc.o dane.o # Targets for final binaries; the main one has a build number which is # updated each time. We don't bother with that for the auxiliaries. @@ -541,6 +541,7 @@ acl.o: $(HDRS) acl.c child.o: $(HDRS) child.c crypt16.o: $(HDRS) crypt16.c daemon.o: $(HDRS) daemon.c +dane.o: $(HDRS) dane.c dane-gnu.c dane-openssl.c dbfn.o: $(HDRS) dbfn.c debug.o: $(HDRS) debug.c deliver.o: $(HDRS) deliver.c diff --git a/src/scripts/MakeLinks b/src/scripts/MakeLinks index 01cd21f1c..a50f75b36 100755 --- a/src/scripts/MakeLinks +++ b/src/scripts/MakeLinks @@ -271,6 +271,10 @@ ln -s ../src/srs.c srs.c ln -s ../src/srs.h srs.h ln -s ../src/dcc.c dcc.c ln -s ../src/dcc.h dcc.h +ln -s ../src/dane.c dane.c +ln -s ../src/dane-gnu.c dane-gnu.c +ln -s ../src/dane-openssl.c dane-openssl.c +ln -s ../src/danessl.h danessl.h # End of MakeLinks diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults index ba4615c11..49ab276ff 100644 --- a/src/src/config.h.defaults +++ b/src/src/config.h.defaults @@ -168,6 +168,7 @@ it's a default value. */ /* EXPERIMENTAL features */ #define EXPERIMENTAL_BRIGHTMAIL #define EXPERIMENTAL_CERTNAMES +#define EXPERIMENTAL_DANE #define EXPERIMENTAL_DCC #define EXPERIMENTAL_DMARC #define EXPERIMENTAL_DSN diff --git a/src/src/dane-gnu.c b/src/src/dane-gnu.c new file mode 100644 index 000000000..b98bffad6 --- /dev/null +++ b/src/src/dane-gnu.c @@ -0,0 +1,21 @@ +/************************************************* +* Exim - an Internet mail transport agent * +*************************************************/ + +/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* See the file NOTICE for conditions of use and distribution. */ + +/* This file (will) provide DANE support for Exim using the GnuTLS library, +but is not yet an available supported implementation. This file is #included +into dane.c when USE_GNUTLS has been set. */ + +/* As of March 2014, the reference implementation for DANE that we are +using was written by Viktor Dukhovny and it supports OpenSSL only. At +some point we will add GnuTLS support, but for right now just abort the +build and explain why. */ + + +#error No support for DANE using GnuTLS yet. + + +/* End of dane-gnu.c */ diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c new file mode 100644 index 000000000..790b4f079 --- /dev/null +++ b/src/src/dane-openssl.c @@ -0,0 +1,1306 @@ +#include <stdio.h> +#include <string.h> +#include <stdint.h> + +#include <openssl/opensslv.h> +#include <openssl/err.h> +#include <openssl/crypto.h> +#include <openssl/safestack.h> +#include <openssl/objects.h> +#include <openssl/x509.h> +#include <openssl/x509v3.h> +#include <openssl/evp.h> + +#if OPENSSL_VERSION_NUMBER < 0x1000000fL +#error "OpenSSL 1.0.0 or higher required" +#else + +#include "danessl.h" + +#define DANE_F_ADD_SKID 100 +#define DANE_F_CHECK_END_ENTITY 101 +#define DANE_F_GROW_CHAIN 102 +#define DANE_F_LIST_ALLOC 103 +#define DANE_F_MATCH 104 +#define DANE_F_PUSH_EXT 105 +#define DANE_F_SET_TRUST_ANCHOR 106 +#define DANE_F_SSL_CTX_DANE_INIT 107 +#define DANE_F_SSL_DANE_ADD_TLSA 108 +#define DANE_F_SSL_DANE_INIT 109 +#define DANE_F_SSL_DANE_LIBRARY_INIT 110 +#define DANE_F_VERIFY_CERT 111 +#define DANE_F_WRAP_CERT 112 + +#define DANE_R_BAD_CERT 100 +#define DANE_R_BAD_CERT_PKEY 101 +#define DANE_R_BAD_DATA_LENGTH 102 +#define DANE_R_BAD_DIGEST 103 +#define DANE_R_BAD_NULL_DATA 104 +#define DANE_R_BAD_PKEY 105 +#define DANE_R_BAD_SELECTOR 106 +#define DANE_R_BAD_USAGE 107 +#define DANE_R_DANE_INIT 108 +#define DANE_R_DANE_SUPPORT 109 +#define DANE_R_LIBRARY_INIT 110 +#define DANE_R_NOSIGN_KEY 111 +#define DANE_R_SCTX_INIT 112 + +#ifndef OPENSSL_NO_ERR +#define DANE_F_PLACEHOLDER 0 /* FIRST! Value TBD */ +static ERR_STRING_DATA dane_str_functs[] = { + {DANE_F_PLACEHOLDER, "DANE library"}, /* FIRST!!! */ + {DANE_F_ADD_SKID, "add_skid"}, + {DANE_F_CHECK_END_ENTITY, "check_end_entity"}, + {DANE_F_GROW_CHAIN, "grow_chain"}, + {DANE_F_LIST_ALLOC, "list_alloc"}, + {DANE_F_MATCH, "match"}, + {DANE_F_PUSH_EXT, "push_ext"}, + {DANE_F_SET_TRUST_ANCHOR, "set_trust_anchor"}, + {DANE_F_SSL_CTX_DANE_INIT, "SSL_CTX_dane_init"}, + {DANE_F_SSL_DANE_ADD_TLSA, "SSL_dane_add_tlsa"}, + {DANE_F_SSL_DANE_INIT, "SSL_dane_init"}, + {DANE_F_SSL_DANE_LIBRARY_INIT, "SSL_dane_library_init"}, + {DANE_F_VERIFY_CERT, "verify_cert"}, + {DANE_F_WRAP_CERT, "wrap_cert"}, + {0, NULL} +}; +static ERR_STRING_DATA dane_str_reasons[] = { + {DANE_R_BAD_CERT, "Bad TLSA record certificate"}, + {DANE_R_BAD_CERT_PKEY, "Bad TLSA record certificate public key"}, + {DANE_R_BAD_DATA_LENGTH, "Bad TLSA record digest length"}, + {DANE_R_BAD_DIGEST, "Bad TLSA record digest"}, + {DANE_R_BAD_NULL_DATA, "Bad TLSA record null data"}, + {DANE_R_BAD_PKEY, "Bad TLSA record public key"}, + {DANE_R_BAD_SELECTOR, "Bad TLSA record selector"}, + {DANE_R_BAD_USAGE, "Bad TLSA record usage"}, + {DANE_R_DANE_INIT, "SSL_dane_init() required"}, + {DANE_R_DANE_SUPPORT, "DANE library features not supported"}, + {DANE_R_LIBRARY_INIT, "SSL_dane_library_init() required"}, + {DANE_R_SCTX_INIT, "SSL_CTX_dane_init() required"}, + {DANE_R_NOSIGN_KEY, "Certificate usage 2 requires EC support"}, + {0, NULL} +}; +#endif + +#define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__) + +static int err_lib_dane = -1; +static int dane_idx = -1; + +#ifdef X509_V_FLAG_PARTIAL_CHAIN /* OpenSSL >= 1.0.2 */ +static int wrap_to_root = 0; +#else +static int wrap_to_root = 1; +#endif + +static void (*cert_free)(void *) = (void (*)(void *)) X509_free; +static void (*pkey_free)(void *) = (void (*)(void *)) EVP_PKEY_free; + +typedef struct dane_list { + struct dane_list *next; + void *value; +} *dane_list; + +#define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0) + +typedef struct DANE_HOST_LIST { + struct DANE_HOST_LIST *next; + char *value; +} *DANE_HOST_LIST; + +typedef struct dane_data { + size_t datalen; + unsigned char data[0]; +} *dane_data; + +typedef struct DANE_DATA_LIST { + struct DANE_DATA_LIST *next; + dane_data value; +} *DANE_DATA_LIST; + +typedef struct dane_mtype { + int mdlen; + const EVP_MD *md; + DANE_DATA_LIST data; +} *dane_mtype; + +typedef struct DANE_MTYPE_LIST { + struct DANE_MTYPE_LIST *next; + dane_mtype value; +} *DANE_MTYPE_LIST; + +typedef struct dane_selector { + uint8_t selector; + DANE_MTYPE_LIST mtype; +} *dane_selector; + +typedef struct DANE_SELECTOR_LIST { + struct DANE_SELECTOR_LIST *next; + dane_selector value; +} *DANE_SELECTOR_LIST; + +typedef struct DANE_PKEY_LIST { + struct DANE_PKEY_LIST *next; + EVP_PKEY *value; +} *DANE_PKEY_LIST; + +typedef struct DANE_CERT_LIST { + struct DANE_CERT_LIST *next; + X509 *value; +} *DANE_CERT_LIST; + +typedef struct SSL_DANE { + int (*verify)(X509_STORE_CTX *); + STACK_OF(X509) *roots; + STACK_OF(X509) *chain; + const char *thost; /* TLSA base domain */ + char *mhost; /* Matched, peer name */ + DANE_PKEY_LIST pkeys; + DANE_CERT_LIST certs; + DANE_HOST_LIST hosts; + DANE_SELECTOR_LIST selectors[SSL_DANE_USAGE_LAST + 1]; + int depth; + int multi; /* Multi-label wildcards? */ + int count; /* Number of TLSA records */ +} SSL_DANE; + +#ifndef X509_V_ERR_HOSTNAME_MISMATCH +#define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION +#endif + +static int match(DANE_SELECTOR_LIST slist, X509 *cert, int depth) +{ + int matched; + + /* + * Note, set_trust_anchor() needs to know whether the match was for a + * pkey digest or a certificate digest. We return MATCHED_PKEY or + * MATCHED_CERT accordingly. + */ +#define MATCHED_CERT (SSL_DANE_SELECTOR_CERT + 1) +#define MATCHED_PKEY (SSL_DANE_SELECTOR_SPKI + 1) + + /* + * Loop over each selector, mtype, and associated data element looking + * for a match. + */ + for (matched = 0; !matched && slist; slist = slist->next) { + DANE_MTYPE_LIST m; + unsigned char mdbuf[EVP_MAX_MD_SIZE]; + unsigned char *buf; + unsigned char *buf2; + unsigned int len; + + /* + * Extract ASN.1 DER form of certificate or public key. + */ + switch (slist->value->selector) { + case SSL_DANE_SELECTOR_CERT: + len = i2d_X509(cert, NULL); + buf2 = buf = (unsigned char *) OPENSSL_malloc(len); + if (buf) + i2d_X509(cert, &buf2); + break; + case SSL_DANE_SELECTOR_SPKI: + len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL); + buf2 = buf = (unsigned char *) OPENSSL_malloc(len); + if (buf) + i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2); + break; + } + + if (buf == NULL) { + DANEerr(DANE_F_MATCH, ERR_R_MALLOC_FAILURE); + return 0; + } + OPENSSL_assert(buf2 - buf == len); + + /* + * Loop over each mtype and data element + */ + for (m = slist->value->mtype; !matched && m; m = m->next) { + DANE_DATA_LIST d; + unsigned char *cmpbuf = buf; + unsigned int cmplen = len; + + /* + * If it is a digest, compute the corresponding digest of the + * DER data for comparison, otherwise, use the full object. + */ + if (m->value->md) { + cmpbuf = mdbuf; + if (!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0)) + matched = -1; + } + for (d = m->value->data; !matched && d; d = d->next) + if (cmplen == d->value->datalen && + memcmp(cmpbuf, d->value->data, cmplen) == 0) + matched = slist->value->selector + 1; + } + + OPENSSL_free(buf); + } + + return matched; +} + +static int push_ext(X509 *cert, X509_EXTENSION *ext) +{ + X509_EXTENSIONS *exts; + + if (ext) { + if ((exts = cert->cert_info->extensions) == 0) + exts = cert->cert_info->extensions = sk_X509_EXTENSION_new_null(); + if (exts && sk_X509_EXTENSION_push(exts, ext)) + return 1; + X509_EXTENSION_free(ext); + } + DANEerr(DANE_F_PUSH_EXT, ERR_R_MALLOC_FAILURE); + return 0; +} + +static int add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val) +{ + X509V3_CTX v3ctx; + + X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0); + return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val)); +} + +static int set_serial(X509 *cert, AUTHORITY_KEYID *akid, X509 *subject) +{ + int ret = 0; + BIGNUM *bn; + + if (akid && akid->serial) + return (X509_set_serialNumber(cert, akid->serial)); + + /* + * Add one to subject's serial to avoid collisions between TA serial and + * serial of signing root. + */ + if ((bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(subject), 0)) != 0 + && BN_add_word(bn, 1) + && BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(cert))) + ret = 1; + + if (bn) + BN_free(bn); + return ret; +} + +static int add_akid(X509 *cert, AUTHORITY_KEYID *akid) +{ + int nid = NID_authority_key_identifier; + ASN1_STRING *id; + unsigned char c = 0; + int ret = 0; + + /* + * 0 will never be our subject keyid from a SHA-1 hash, but it could be + * our subject keyid if forced from child's akid. If so, set our + * authority keyid to 1. This way we are never self-signed, and thus + * exempt from any potential (off by default for now in OpenSSL) + * self-signature checks! + */ + id = (ASN1_STRING *) ((akid && akid->keyid) ? akid->keyid : 0); + if (id && M_ASN1_STRING_length(id) == 1 && *M_ASN1_STRING_data(id) == c) + c = 1; + + if ((akid = AUTHORITY_KEYID_new()) != 0 + && (akid->keyid = ASN1_OCTET_STRING_new()) != 0 + && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1) + && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_APPEND)) + ret = 1; + if (akid) + AUTHORITY_KEYID_free(akid); + return ret; +} + +static int add_skid(X509 *cert, AUTHORITY_KEYID *akid) +{ + int nid = NID_subject_key_identifier; + + if (!akid || !akid->keyid) + return add_ext(0, cert, nid, "hash"); + return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_APPEND) > 0; +} + +static X509_NAME *akid_issuer_name(AUTHORITY_KEYID *akid) +{ + if (akid && akid->issuer) { + int i; + GENERAL_NAMES *gens = akid->issuer; + + for (i = 0; i < sk_GENERAL_NAME_num(gens); ++i) { + GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i); + + if (gn->type == GEN_DIRNAME) + return (gn->d.dirn); + } + } + return 0; +} + +static int set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid) +{ + X509_NAME *name = akid_issuer_name(akid); + + /* + * If subject's akid specifies an authority key identifer issuer name, we + * must use that. + */ + if (name) + return X509_set_issuer_name(cert, name); + return X509_set_issuer_name(cert, X509_get_subject_name(cert)); +} + +static int grow_chain(SSL_DANE *dane, int trusted, X509 *cert) +{ + STACK_OF(X509) **xs = trusted ? &dane->roots : &dane->chain; + static ASN1_OBJECT *serverAuth = 0; + +#define UNTRUSTED 0 +#define TRUSTED 1 + + if (trusted && serverAuth == 0 && + (serverAuth = OBJ_nid2obj(NID_server_auth)) == 0) { + DANEerr(DANE_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE); + return 0; + } + if (!*xs && (*xs = sk_X509_new_null()) == 0) { + DANEerr(DANE_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE); + return 0; + } + + if (cert) { + if (trusted && !X509_add1_trust_object(cert, serverAuth)) + return 0; + CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); + if (!sk_X509_push(*xs, cert)) { + X509_free(cert); + DANEerr(DANE_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE); + return 0; + } + } + return 1; +} + +static int wrap_issuer( + SSL_DANE *dane, + EVP_PKEY *key, + X509 *subject, + int depth, + int top +) +{ + int ret = 1; + X509 *cert = 0; + AUTHORITY_KEYID *akid; + X509_NAME *name = X509_get_issuer_name(subject); + EVP_PKEY *newkey = key ? key : X509_get_pubkey(subject); + +#define WRAP_MID 0 /* Ensure intermediate. */ +#define WRAP_TOP 1 /* Ensure self-signed. */ + + if (name == 0 || newkey == 0 || (cert = X509_new()) == 0) + return 0; + + /* + * Record the depth of the trust-anchor certificate. + */ + if (dane->depth < 0) + dane->depth = depth + 1; + + /* + * XXX: Uncaught error condition: + * + * The return value is NULL both when the extension is missing, and when + * OpenSSL rans out of memory while parsing the extension. + */ + ERR_clear_error(); + akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0); + /* XXX: Should we peek at the error stack here??? */ + + /* + * If top is true generate a self-issued root CA, otherwise an + * intermediate CA and possibly its self-signed issuer. + * + * CA cert valid for +/- 30 days + */ + if (!X509_set_version(cert, 2) + || !set_serial(cert, akid, subject) + || !X509_set_subject_name(cert, name) + || !set_issuer_name(cert, akid) + || !X509_gmtime_adj(X509_get_notBefore(cert), -30 * 86400L) + || !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L) + || !X509_set_pubkey(cert, newkey) + || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE") + || (!top && !add_akid(cert, akid)) + || !add_skid(cert, akid) + || (!top && wrap_to_root && + !wrap_issuer(dane, newkey, cert, depth, WRAP_TOP))) { + ret = 0; + } + if (akid) + AUTHORITY_KEYID_free(akid); + if (!key) + EVP_PKEY_free(newkey); + if (ret) { + if (!top && wrap_to_root) + ret = grow_chain(dane, UNTRUSTED, cert); + else + ret = grow_chain(dane, TRUSTED, cert); + } + if (cert) + X509_free(cert); + return ret; +} + +static int wrap_cert(SSL_DANE *dane, X509 *tacert, int depth) +{ + if (dane->depth < 0) + dane->depth = depth + 1; + + /* + * If the TA certificate is self-issued, or need not be, use it directly. + * Otherwise, synthesize requisuite ancestors. + */ + if (!wrap_to_root + || X509_check_issued(tacert, tacert) == X509_V_OK) + return grow_chain(dane, TRUSTED, tacert); + + if (wrap_issuer(dane, 0, tacert, depth, WRAP_MID)) + return grow_chain(dane, UNTRUSTED, tacert); + return 0; +} + +static int ta_signed(SSL_DANE *dane, X509 *cert, int depth) +{ + DANE_CERT_LIST x; + DANE_PKEY_LIST k; + EVP_PKEY *pk; + int done = 0; + + /* + * First check whether issued and signed by a TA cert, this is cheaper + * than the bare-public key checks below, since we can determine whether + * the candidate TA certificate issued the certificate to be checked + * first (name comparisons), before we bother with signature checks + * (public key operations). + */ + for (x = dane->certs; !done && x; x = x->next) { + if (X509_check_issued(x->value, cert) == X509_V_OK) { + if ((pk = X509_get_pubkey(x->value)) == 0) { + /* + * The cert originally contained a valid pkey, which does + * not just vanish, so this is most likely a memory error. + */ + done = -1; + break; + } + /* Check signature, since some other TA may work if not this. */ + if (X509_verify(cert, pk) > 0) + done = wrap_cert(dane, x->value, depth) ? 1 : -1; + EVP_PKEY_free(pk); + } + } + + /* + * With bare TA public keys, we can't check whether the trust chain is + * issued by the key, but we can determine whether it is signed by the + * key, so we go with that. + * + * Ideally, the corresponding certificate was presented in the chain, and we + * matched it by its public key digest one level up. This code is here + * to handle adverse conditions imposed by sloppy administrators of + * receiving systems with poorly constructed chains. + * + * We'd like to optimize out keys that should not match when the cert's + * authority key id does not match the key id of this key computed via + * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans + * ASN1 tag and length thus also excluding the unused bits field that is + * logically part of the length). However, some CAs have a non-standard + * authority keyid, so we lose. Too bad. + * + * This may push errors onto the stack when the certificate signature is + * not of the right type or length, throw these away, + */ + for (k = dane->pkeys; !done && k; k = k->next) + if (X509_verify(cert, k->value) > 0) + done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1; + else + ERR_clear_error(); + + return done; +} + +static int set_trust_anchor(X509_STORE_CTX *ctx, SSL_DANE *dane, X509 *cert) +{ + int matched = 0; + int n; + int i; + int depth = 0; + EVP_PKEY *takey; + X509 *ca; + STACK_OF(X509) *in = ctx->untrusted; /* XXX: Accessor? */ + + if (!grow_chain(dane, UNTRUSTED, 0)) + return -1; + + /* + * Accept a degenerate case: depth 0 self-signed trust-anchor. + */ + if (X509_check_issued(cert, cert) == X509_V_OK) { + dane->depth = 0; + matched = match(dane->selectors[SSL_DANE_USAGE_TRUSTED_CA], cert, 0); + if (matched > 0 && !grow_chain(dane, TRUSTED, cert)) + matched = -1; + return matched; + } + + /* Make a shallow copy of the input untrusted chain. */ + if ((in = sk_X509_dup(in)) == 0) { + DANEerr(DANE_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE); + return -1; + } + + /* + * At each iteration we consume the issuer of the current cert. This + * reduces the length of the "in" chain by one. If no issuer is found, + * we are done. We also stop when a certificate matches a TA in the + * peer's TLSA RRset. + * + * Caller ensures that the initial certificate is not self-signed. + */ + for (n = sk_X509_num(in); n > 0; --n, ++depth) { + for (i = 0; i < n; ++i) + if (X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK) + break; + + /* + * Final untrusted element with no issuer in the peer's chain, it may + * however be signed by a pkey or cert obtained via a TLSA RR. + */ + if (i == n) + break; + + /* Peer's chain contains an issuer ca. */ + ca = sk_X509_delete(in, i); + + /* If not a trust anchor, record untrusted ca and continue. */ + if ((matched = match(dane->selectors[SSL_DANE_USAGE_TRUSTED_CA], ca, + depth + 1)) == 0) { + if (grow_chain(dane, UNTRUSTED, ca)) { + if (!X509_check_issued(ca, ca) == X509_V_OK) { + /* Restart with issuer as subject */ + cert = ca; + continue; + } + /* Final self-signed element, skip ta_signed() check. */ + cert = 0; + } else + matched = -1; + } else if (matched == MATCHED_CERT) { + if (!wrap_cert(dane, ca, depth)) + matched = -1; + } else if (matched == MATCHED_PKEY) { + if ((takey = X509_get_pubkey(ca)) == 0 || + !wrap_issuer(dane, takey, cert, depth, WRAP_MID)) { + if (takey) + EVP_PKEY_free(takey); + else + DANEerr(DANE_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE); + matched = -1; + } + } + break; + } + + /* Shallow free the duplicated input untrusted chain. */ + sk_X509_free(in); + + /* + * When the loop exits, if "cert" is set, it is not self-signed and has + * no issuer in the chain, we check for a possible signature via a DNS + * obtained TA cert or public key. + */ + if (matched == 0 && cert) + matched = ta_signed(dane, cert, depth); + + return matched; +} + +static int check_end_entity(X509_STORE_CTX *ctx, SSL_DANE *dane, X509 *cert) +{ + int matched; + + matched = match(dane->selectors[SSL_DANE_USAGE_FIXED_LEAF], cert, 0); + if (matched > 0) { + if (ctx->chain == 0) { + if ((ctx->chain = sk_X509_new_null()) != 0 && + sk_X509_push(ctx->chain, cert)) { + CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); + } else { + DANEerr(DANE_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE); + return -1; + } + } + } + return matched; +} + +static int match_name(const char *certid, SSL_DANE *dane) +{ + int multi = dane->multi; + DANE_HOST_LIST hosts = dane->hosts; + + for (/* NOP */; hosts; hosts = hosts->next) { + int match_subdomain = 0; + const char *domain = hosts->value; + const char *parent; + int idlen; + int domlen; + + if (*domain == '.' && domain[1] != '\0') { + ++domain; + match_subdomain = 1; + } + + /* + * Sub-domain match: certid is any sub-domain of hostname. + */ + if (match_subdomain) { + if ((idlen = strlen(certid)) > (domlen = strlen(domain)) + 1 + && certid[idlen - domlen - 1] == '.' + && !strcasecmp(certid + (idlen - domlen), domain)) + return 1; + else + continue; + } + + /* + * Exact match and initial "*" match. The initial "*" in a certid + * matches one (if multi is false) or more hostname components under + * the condition that the certid contains multiple hostname components. + */ + if (!strcasecmp(certid, domain) + || (certid[0] == '*' && certid[1] == '.' && certid[2] != 0 + && (parent = strchr(domain, '.')) != 0 + && (idlen = strlen(certid + 1)) <= (domlen = strlen(parent)) + && strcasecmp(multi ? parent + domlen - idlen : parent, + certid + 1) == 0)) + return 1; + } + return 0; +} + +static char *check_name(char *name, int len) +{ + register char *cp = name + len; + + while (len > 0 && *--cp == 0) + --len; /* Ignore trailing NULs */ + if (len <= 0) + return 0; + for (cp = name; *cp; cp++) { + register char c = *cp; + if (!((c >= 'a' && c <= 'z') || + (c >= '0' && c <= '9') || + (c >= 'A' && c <= 'Z') || + (c == '.' || c == '-') || + (c == '*'))) + return 0; /* Only LDH, '.' and '*' */ + } + if (cp - name != len) /* Guard against internal NULs */ + return 0; + return name; +} + +static char *parse_dns_name(const GENERAL_NAME *gn) +{ + if (gn->type != GEN_DNS) + return 0; + if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING) + return 0; + return check_name((char *) ASN1_STRING_data(gn->d.ia5), + ASN1_STRING_length(gn->d.ia5)); +} + +static char *parse_subject_name(X509 *cert) +{ + X509_NAME *name = X509_get_subject_name(cert); + X509_NAME_ENTRY *entry; + ASN1_STRING *entry_str; + unsigned char *namebuf; + int nid = NID_commonName; + int len; + int i; + + if (name == 0 || (i = X509_NAME_get_index_by_NID(name, nid, -1)) < 0) + return 0; + if ((entry = X509_NAME_get_entry(name, i)) == 0) + return 0; + if ((entry_str = X509_NAME_ENTRY_get_data(entry)) == 0) + return 0; + + if ((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0) + return 0; + if (len <= 0 || check_name((char *) namebuf, len) == 0) { + OPENSSL_free(namebuf); + return 0; + } + return (char *) namebuf; +} + +static int name_check(SSL_DANE *dane, X509 *cert) +{ + int matched = 0; + int got_altname = 0; + GENERAL_NAMES *gens; + + gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0); + if (gens) { + int n = sk_GENERAL_NAME_num(gens); + int i; + + for (i = 0; i < n; ++i) { + const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i); + const char *certid; + + if (gn->type != GEN_DNS) + continue; + got_altname = 1; + certid = parse_dns_name(gn); + if (certid && *certid) { + if ((matched = match_name(certid, dane)) == 0) + continue; + if ((dane->mhost = OPENSSL_strdup(certid)) == 0) + matched = -1; + break; + } + } + GENERAL_NAMES_free(gens); + } + + /* + * XXX: Should the subjectName be skipped when *any* altnames are present, + * or only when DNS altnames are present? + */ + if (got_altname == 0) { + char *certid = parse_subject_name(cert); + if (certid != 0 && *certid && (matched = match_name(certid, dane)) != 0) + dane->mhost = certid; /* Already a copy */ + } + return matched; +} + +static int verify_chain(X509_STORE_CTX *ctx) +{ + DANE_SELECTOR_LIST issuer_rrs; + DANE_SELECTOR_LIST leaf_rrs; + int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb; + int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx(); + SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx); + SSL_DANE *dane = SSL_get_ex_data(ssl, dane_idx); + X509 *cert = ctx->cert; /* XXX: accessor? */ + int matched = 0; + int chain_length = sk_X509_num(ctx->chain); + + issuer_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_ISSUER]; + leaf_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_LEAF]; + ctx->verify = dane->verify; + + if ((matched = name_check(dane, cert)) < 0) { + X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM); + return 0; + } + + if (!matched) { + ctx->error_depth = 0; + ctx->current_cert = cert; + X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH); + if (!cb(0, ctx)) + return 0; + } + matched = 0; + + /* + * Satisfy at least one usage 0 or 1 constraint, unless we've already + * matched a usage 2 trust anchor. + * + * XXX: internal_verify() doesn't callback with top certs that are not + * self-issued. This should be fixed in a future OpenSSL. + */ + if (dane->roots && sk_X509_num(dane->roots)) { +#ifndef NO_CALLBACK_WORKAROUND + X509 *top = sk_X509_value(ctx->chain, dane->depth); + + if (X509_check_issued(top, top) != X509_V_OK) { + ctx->error_depth = dane->depth; + ctx->current_cert = top; + if (!cb(1, ctx)) + return 0; + } +#endif + /* Pop synthetic trust-anchor ancestors off the chain! */ + while (--chain_length > dane->depth) + X509_free(sk_X509_pop(ctx->chain)); + } else if (issuer_rrs || leaf_rrs) { + int n = chain_length; + + /* + * Check for an EE match, then a CA match at depths > 0, and + * finally, if the EE cert is self-issued, for a depth 0 CA match. + */ + if (leaf_rrs) + matched = match(leaf_rrs, cert, 0); + while (!matched && issuer_rrs && --n >= 0) { + X509 *xn = sk_X509_value(ctx->chain, n); + + if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK) + matched = match(issuer_rrs, xn, n); + } + + if (matched < 0) { + X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM); + return 0; + } + + if (!matched) { + ctx->current_cert = cert; + ctx->error_depth = 0; + X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED); + if (!cb(0, ctx)) + return 0; + } + } + + return ctx->verify(ctx); +} + +static int verify_cert(X509_STORE_CTX *ctx, void *unused_ctx) +{ + static int ssl_idx = -1; + SSL *ssl; + SSL_DANE *dane; + int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb; + int matched; + X509 *cert = ctx->cert; /* XXX: accessor? */ + + if (ssl_idx < 0) + ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx(); + if (dane_idx < 0) { + DANEerr(DANE_F_VERIFY_CERT, ERR_R_MALLOC_FAILURE); + return -1; + } + + ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx); + if ((dane = SSL_get_ex_data(ssl, dane_idx)) == 0 || cert == 0) + return X509_verify_cert(ctx); + + if (dane->selectors[SSL_DANE_USAGE_FIXED_LEAF]) { + if ((matched = check_end_entity(ctx, dane, cert)) > 0) { + ctx->error_depth = 0; + ctx->current_cert = cert; + return cb(1, ctx); + } + if (matched < 0) { + X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM); + return -1; + } + } + + if (dane->selectors[SSL_DANE_USAGE_TRUSTED_CA]) { + if ((matched = set_trust_anchor(ctx, dane, cert)) < 0) { + X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM); + return -1; + } + if (matched) { + /* + * Check that setting the untrusted chain updates the expected + * structure member at the expected offset. + */ + X509_STORE_CTX_trusted_stack(ctx, dane->roots); + X509_STORE_CTX_set_chain(ctx, dane->chain); + OPENSSL_assert(ctx->untrusted == dane->chain); + } + } + + /* + * Name checks and usage 0/1 constraint enforcement are delayed until + * X509_verify_cert() builds the full chain and calls our verify_chain() + * wrapper. + */ + dane->verify = ctx->verify; + ctx->verify = verify_chain; + + return X509_verify_cert(ctx); +} + +static dane_list list_alloc(size_t vsize) +{ + void *value = (void *) OPENSSL_malloc(vsize); + dane_list l; + + if (value == 0) { + DANEerr(DANE_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE); + return 0; + } + if ((l = (dane_list) OPENSSL_malloc(sizeof(*l))) == 0) { + OPENSSL_free(value); + DANEerr(DANE_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE); + return 0; + } + l->next = 0; + l->value = value; + return l; +} + +static void list_free(void *list, void (*f)(void *)) +{ + dane_list head = (dane_list) list; + dane_list next; + + for (/* NOP */; head; head = next) { + next = head->next; + if (f && head->value) + f(head->value); + OPENSSL_free(head); + } +} + +static void dane_mtype_free(void *p) +{ + list_free(((dane_mtype) p)->data, OPENSSL_freeFunc); + OPENSSL_free(p); +} + +static void dane_selector_free(void *p) +{ + list_free(((dane_selector) p)->mtype, dane_mtype_free); + OPENSSL_free(p); +} + +void DANESSL_cleanup(SSL *ssl) +{ + SSL_DANE *dane; + int u; + + if (dane_idx < 0 || (dane = SSL_get_ex_data(ssl, dane_idx)) == 0) + return; + (void) SSL_set_ex_data(ssl, dane_idx, 0); + + if (dane->hosts) + list_free(dane->hosts, OPENSSL_freeFunc); + if (dane->mhost) + OPENSSL_free(dane->mhost); + for (u = 0; u <= SSL_DANE_USAGE_LAST; ++u) + if (dane->selectors[u]) + list_free(dane->selectors[u], dane_selector_free); + if (dane->pkeys) + list_free(dane->pkeys, pkey_free); + if (dane->certs) + list_free(dane->certs, cert_free); + if (dane->roots) + sk_X509_pop_free(dane->roots, X509_free); + if (dane->chain) + sk_X509_pop_free(dane->chain, X509_free); + OPENSSL_free(dane); +} + +static DANE_HOST_LIST host_list_init(const char **src) +{ + DANE_HOST_LIST head = 0; + + while (*src) { + DANE_HOST_LIST elem = (DANE_HOST_LIST) OPENSSL_malloc(sizeof(*elem)); + if (elem == 0) { + list_free(head, OPENSSL_freeFunc); + return 0; + } + elem->value = OPENSSL_strdup(*src++); + LINSERT(head, elem); + } + return head; +} + +int DANESSL_add_tlsa( + SSL *ssl, + uint8_t usage, + uint8_t selector, + const char *mdname, + unsigned const char *data, + size_t dlen +) +{ + SSL_DANE *dane; + DANE_SELECTOR_LIST s = 0; + DANE_MTYPE_LIST m = 0; + DANE_DATA_LIST d = 0; + DANE_CERT_LIST xlist = 0; + DANE_PKEY_LIST klist = 0; + const EVP_MD *md = 0; + + if (dane_idx < 0 || (dane = SSL_get_ex_data(ssl, dane_idx)) == 0) { + DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_DANE_INIT); + return -1; + } + + if (usage > SSL_DANE_USAGE_LAST) { + DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_USAGE); + return 0; + } + if (selector > SSL_DANE_SELECTOR_LAST) { + DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_SELECTOR); + return 0; + } + if (mdname && (md = EVP_get_digestbyname(mdname)) == 0) { + DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_DIGEST); + return 0; + } + if (!data) { + DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_NULL_DATA); + return 0; + } + if (mdname && dlen != EVP_MD_size(md)) { + DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_DATA_LENGTH); + return 0; + } + + if (mdname == 0) { + X509 *x = 0; + EVP_PKEY *k = 0; + const unsigned char *p = data; + +#define xklistinit(lvar, ltype, var, freeFunc) do { \ + (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \ + if ((lvar) == 0) { \ + DANEerr(DANE_F_SSL_DANE_ADD_TLSA, ERR_R_MALLOC_FAILURE); \ + freeFunc((var)); \ + return 0; \ + } \ + (lvar)->next = 0; \ + lvar->value = var; \ + } while (0) +#define xkfreeret(ret) do { \ + if (xlist) list_free(xlist, cert_free); \ + if (klist) list_free(klist, pkey_free); \ + return (ret); \ + } while (0) + + switch (selector) { + case SSL_DANE_SELECTOR_CERT: + if (!d2i_X509(&x, &p, dlen) || dlen != p - data) { + if (x) + X509_free(x); + DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_CERT); + return 0; + } + k = X509_get_pubkey(x); + EVP_PKEY_free(k); + if (k == 0) { + X509_free(x); + DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_CERT_PKEY); + return 0; + } + if (usage == SSL_DANE_USAGE_TRUSTED_CA) + xklistinit(xlist, DANE_CERT_LIST, x, X509_free); + break; + + case SSL_DANE_SELECTOR_SPKI: + if (!d2i_PUBKEY(&k, &p, dlen) || dlen != p - data) { + if (k) + EVP_PKEY_free(k); + DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_BAD_PKEY); + return 0; + } + if (usage == SSL_DANE_USAGE_TRUSTED_CA) + xklistinit(klist, DANE_PKEY_LIST, k, EVP_PKEY_free); + break; + } + } + + /* Find insertion point and don't add duplicate elements. */ + for (s = dane->selectors[usage]; s; s = s->next) + if (s->value->selector == selector) + for (m = s->value->mtype; m; m = m->next) + if (m->value->md == md) + for (d = m->value->data; d; d = d->next) + if (d->value->datalen == dlen && + memcmp(d->value->data, data, dlen) == 0) + xkfreeret(1); + + if ((d = (DANE_DATA_LIST) list_alloc(sizeof(*d->value) + dlen)) == 0) + xkfreeret(0); + d->value->datalen = dlen; + memcpy(d->value->data, data, dlen); + if (!m) { + if ((m = (DANE_MTYPE_LIST) list_alloc(sizeof(*m->value))) == 0) { + list_free(d, OPENSSL_freeFunc); + xkfreeret(0); + } + m->value->data = 0; + if ((m->value->md = md) != 0) + m->value->mdlen = dlen; + if (!s) { + if ((s = (DANE_SELECTOR_LIST) list_alloc(sizeof(*s->value))) == 0) { + list_free(m, dane_mtype_free); + xkfreeret(0); + } + s->value->mtype = 0; + s->value->selector = selector; + LINSERT(dane->selectors[usage], s); + } + LINSERT(s->value->mtype, m); + } + LINSERT(m->value->data, d); + + if (xlist) + LINSERT(dane->certs, xlist); + else if (klist) + LINSERT(dane->pkeys, klist); + ++dane->count; + return 1; +} + +int DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames) +{ + SSL_DANE *dane; + int i; +#ifdef OPENSSL_INTERNAL + SSL_CTX *sctx = SSL_get_SSL_CTX(ssl); + + if (sctx->app_verify_callback != verify_cert) { + DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_SCTX_INIT); + return -1; + } +#else + if (dane_idx < 0) { + DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_LIBRARY_INIT); + return -1; + } +#endif + + if (sni_domain && !SSL_set_tlsext_host_name(ssl, sni_domain)) + return 0; + + if ((dane = (SSL_DANE *) OPENSSL_malloc(sizeof(SSL_DANE))) == 0) { + DANEerr(DANE_F_SSL_DANE_INIT, ERR_R_MALLOC_FAILURE); + return 0; + } + if (!SSL_set_ex_data(ssl, dane_idx, dane)) { + DANEerr(DANE_F_SSL_DANE_INIT, ERR_R_MALLOC_FAILURE); + OPENSSL_free(dane); + return 0; + } + + dane->pkeys = 0; + dane->certs = 0; + dane->chain = 0; + dane->roots = 0; + dane->depth = -1; + dane->mhost = 0; /* Future SSL control interface */ + dane->multi = 0; /* Future SSL control interface */ + dane->count = 0; + + for (i = 0; i <= SSL_DANE_USAGE_LAST; ++i) + dane->selectors[i] = 0; + + if (hostnames && (dane->hosts = host_list_init(hostnames)) == 0) { + DANEerr(DANE_F_SSL_DANE_INIT, ERR_R_MALLOC_FAILURE); + DANESSL_cleanup(ssl); + return 0; + } + + return 1; +} + +int DANESSL_CTX_init(SSL_CTX *ctx) +{ + if (dane_idx >= 0) { + SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0); + return 1; + } + DANEerr(DANE_F_SSL_CTX_DANE_INIT, DANE_R_LIBRARY_INIT); + return -1; +} + +static int init_once( + volatile int *value, + int (*init)(void), + void (*postinit)(void) +) +{ + int wlock = 0; + + CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); + if (*value < 0) { + CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); + CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); + wlock = 1; + if (*value < 0) { + *value = init(); + if (postinit) + postinit(); + } + } + if (wlock) + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); + else + CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); + return *value; +} + +static void dane_init(void) +{ + /* + * Store library id in zeroth function slot, used to locate the library + * name. This must be done before we load the error strings. + */ +#ifndef OPENSSL_NO_ERR + dane_str_functs[0].error |= ERR_PACK(err_lib_dane, 0, 0); + ERR_load_strings(err_lib_dane, dane_str_functs); + ERR_load_strings(err_lib_dane, dane_str_reasons); +#endif + + /* + * Register SHA-2 digests, if implemented and not already registered. + */ +#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256) + if (!EVP_get_digestbyname(LN_sha224)) + EVP_add_digest(EVP_sha224()); + if (!EVP_get_digestbyname(LN_sha256)) + EVP_add_digest(EVP_sha256()); +#endif +#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512) + if (!EVP_get_digestbyname(LN_sha384)) + EVP_add_digest(EVP_sha384()); + if (!EVP_get_digestbyname(LN_sha512)) + EVP_add_digest(EVP_sha512()); +#endif + + /* + * Register an SSL index for the connection-specific SSL_DANE structure. + * Using a separate index makes it possible to add DANE support to + * existing OpenSSL releases that don't have a suitable pointer in the + * SSL structure. + */ + dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0); +} + +int DANESSL_library_init(void) +{ + if (err_lib_dane < 0) + init_once(&err_lib_dane, ERR_get_next_error_library, dane_init); + +#if defined(LN_sha256) + /* No DANE without SHA256 support */ + if (dane_idx >= 0 && EVP_get_digestbyname(LN_sha256) != 0) + return 1; +#endif + DANEerr(DANE_F_SSL_DANE_LIBRARY_INIT, DANE_R_DANE_SUPPORT); + return 0; +} + +#endif /* OPENSSL_VERSION_NUMBER */ diff --git a/src/src/dane.c b/src/src/dane.c new file mode 100644 index 000000000..54fd00cee --- /dev/null +++ b/src/src/dane.c @@ -0,0 +1,46 @@ +/************************************************* +* Exim - an Internet mail transport agent * +*************************************************/ + +/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* See the file NOTICE for conditions of use and distribution. */ + +/* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is +based on a patch that was originally contributed by Steve Haslam. It was +adapted from stunnel, a GPL program by Michal Trojnara. The code for GNU TLS is +based on a patch contributed by Nikos Mavroyanopoulos. Because these packages +are so very different, the functions for each are kept in separate files. The +relevant file is #included as required, after any any common functions. + +No cryptographic code is included in Exim. All this module does is to call +functions from the OpenSSL or GNU TLS libraries. */ + + +#include "exim.h" + +/* This module is compiled only when it is specifically requested in the +build-time configuration. However, some compilers don't like compiling empty +modules, so keep them happy with a dummy when skipping the rest. Make it +reference itself to stop picky compilers complaining that it is unused, and put +in a dummy argument to stop even pickier compilers complaining about infinite +loops. */ + +#ifndef EXPERIMENTAL_DANE +static void dummy(int x) { dummy(x-1); } +#else + +/* Enabling DANE without enabling TLS cannot work. Abort the compilation. */ +#ifndef SUPPORT_TLS +#error DANE support requires that TLS support must be enabled. Abort build. +#endif + +#ifdef USE_GNUTLS +#include "dane-gnu.c" +#else +#include "dane-openssl.c" +#endif + + +#endif /* EXPERIMENTAL_DANE */ + +/* End of dane.c */ diff --git a/src/src/danessl.h b/src/src/danessl.h new file mode 100644 index 000000000..5b1584da2 --- /dev/null +++ b/src/src/danessl.h @@ -0,0 +1,31 @@ +#ifndef HEADER_SSL_DANE_H +#define HEADER_SSL_DANE_H + +#include <stdint.h> +#include <openssl/ssl.h> + +/*- + * Certificate usages: + * https://tools.ietf.org/html/rfc6698#section-2.1.1 + */ +#define SSL_DANE_USAGE_LIMIT_ISSUER 0 +#define SSL_DANE_USAGE_LIMIT_LEAF 1 +#define SSL_DANE_USAGE_TRUSTED_CA 2 +#define SSL_DANE_USAGE_FIXED_LEAF 3 +#define SSL_DANE_USAGE_LAST SSL_DANE_USAGE_FIXED_LEAF + +/*- + * Selectors: + * https://tools.ietf.org/html/rfc6698#section-2.1.2 + */ +#define SSL_DANE_SELECTOR_CERT 0 +#define SSL_DANE_SELECTOR_SPKI 1 +#define SSL_DANE_SELECTOR_LAST SSL_DANE_SELECTOR_SPKI + +extern int DANESSL_library_init(void); +extern int DANESSL_CTX_init(SSL_CTX *); +extern int DANESSL_init(SSL *, const char *, const char **); +extern void DANESSL_cleanup(SSL *); +extern int DANESSL_add_tlsa(SSL *, uint8_t, uint8_t, const char *, + unsigned const char *, size_t); +#endif diff --git a/src/src/globals.c b/src/src/globals.c index d3f99877c..7d4ab63a1 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -633,6 +633,9 @@ BOOL dmarc_enable_forensic = FALSE; uschar *dns_again_means_nonexist = NULL; int dns_csa_search_limit = 5; BOOL dns_csa_use_reverse = TRUE; +#ifdef EXPERIMENTAL_DANE +int dns_dane_ok = -1; +#endif uschar *dns_ipv4_lookup = NULL; int dns_retrans = 0; int dns_retry = 0; diff --git a/src/src/globals.h b/src/src/globals.h index 2bedcf523..32ddd16e2 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -385,6 +385,9 @@ extern uschar *dns_again_means_nonexist; /* Domains that are badly set up */ extern int dns_csa_search_limit; /* How deep to search for CSA SRV records */ extern BOOL dns_csa_use_reverse; /* Check CSA in reverse DNS? (non-standard) */ extern uschar *dns_ipv4_lookup; /* For these domains, don't look for AAAA (or A6) */ +#ifdef EXPERIMENTAL_DANE +extern int dns_dane_ok; /* Ok to use DANE when checking TLS authenticity */ +#endif extern int dns_retrans; /* Retransmission time setting */ extern int dns_retry; /* Number of retries */ extern int dns_dnssec_ok; /* When constructing DNS query, set DO flag */ |