18 #include <sys/types.h> 19 #ifdef HAVE_SYS_SOCKET_H 20 #include <sys/socket.h> 27 #include <openssl/ssl.h> 28 #include <openssl/err.h> 29 #include <openssl/x509v3.h> 39 assert(tlsa_owner != NULL);
44 buf[0] = (char)(s - 1);
68 if (*tlsa_owner == NULL) {
81 unsigned char* buf = NULL;
87 unsigned char* digest;
95 len = (size_t)i2d_X509(cert, &buf);
101 xpubkey = X509_get_X509_PUBKEY(cert);
106 epubkey = X509_PUBKEY_get(xpubkey);
110 len = (size_t)i2d_PUBKEY(epubkey, &buf);
117 switch(matching_type) {
128 if (digest == NULL) {
132 (void)
ldns_sha256(buf, (
unsigned int)len, digest);
143 if (digest == NULL) {
147 (void)
ldns_sha512(buf, (
unsigned int)len, digest);
166 ldns_dane_pkix_validate(X509* cert, STACK_OF(X509)* extra_certs,
169 X509_STORE_CTX* vrfy_ctx;
175 vrfy_ctx = X509_STORE_CTX_new();
180 }
else if (X509_STORE_CTX_init(vrfy_ctx, store,
181 cert, extra_certs) != 1) {
184 }
else if (X509_verify_cert(vrfy_ctx) == 1) {
191 X509_STORE_CTX_free(vrfy_ctx);
200 ldns_dane_pkix_validate_and_get_chain(STACK_OF(X509)** chain, X509* cert,
201 STACK_OF(X509)* extra_certs, X509_STORE* store)
204 X509_STORE* empty_store = NULL;
205 X509_STORE_CTX* vrfy_ctx;
207 assert(chain != NULL);
210 store = empty_store = X509_STORE_new();
213 vrfy_ctx = X509_STORE_CTX_new();
216 goto exit_free_empty_store;
218 }
else if (X509_STORE_CTX_init(vrfy_ctx, store,
219 cert, extra_certs) != 1) {
220 goto exit_free_vrfy_ctx;
222 }
else if (X509_verify_cert(vrfy_ctx) == 1) {
229 *chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
235 X509_STORE_CTX_free(vrfy_ctx);
237 exit_free_empty_store:
239 X509_STORE_free(empty_store);
248 ldns_dane_pkix_get_chain(STACK_OF(X509)** chain,
249 X509* cert, STACK_OF(X509)* extra_certs)
252 X509_STORE* empty_store = NULL;
253 X509_STORE_CTX* vrfy_ctx;
255 assert(chain != NULL);
257 empty_store = X509_STORE_new();
259 vrfy_ctx = X509_STORE_CTX_new();
262 goto exit_free_empty_store;
264 }
else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
265 cert, extra_certs) != 1) {
266 goto exit_free_vrfy_ctx;
268 (void) X509_verify_cert(vrfy_ctx);
269 *chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
276 X509_STORE_CTX_free(vrfy_ctx);
278 exit_free_empty_store:
279 X509_STORE_free(empty_store);
287 ldns_dane_get_nth_cert_from_validation_chain(
288 X509** cert, STACK_OF(X509)* chain,
int n,
bool ca)
290 if (n >= sk_X509_num(chain) || n < 0) {
293 *cert = sk_X509_pop(chain);
296 *cert = sk_X509_pop(chain);
298 if (ca && ! X509_check_ca(*cert)) {
309 ldns_dane_pkix_get_last_self_signed(X509** out_cert,
310 X509* cert, STACK_OF(X509)* extra_certs)
313 X509_STORE* empty_store = NULL;
314 X509_STORE_CTX* vrfy_ctx;
316 assert(out_cert != NULL);
318 empty_store = X509_STORE_new();
320 vrfy_ctx = X509_STORE_CTX_new();
322 goto exit_free_empty_store;
324 }
else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
325 cert, extra_certs) != 1) {
326 goto exit_free_vrfy_ctx;
329 (void) X509_verify_cert(vrfy_ctx);
330 if (X509_STORE_CTX_get_error(vrfy_ctx) == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
331 X509_STORE_CTX_get_error(vrfy_ctx) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){
333 *out_cert = X509_STORE_CTX_get_current_cert( vrfy_ctx);
339 X509_STORE_CTX_free(vrfy_ctx);
341 exit_free_empty_store:
342 X509_STORE_free(empty_store);
349 X509* cert, STACK_OF(X509)* extra_certs,
350 X509_STORE* pkix_validation_store,
354 STACK_OF(X509)* pkix_validation_chain = NULL;
356 assert(selected_cert != NULL);
357 assert(cert != NULL);
364 if (pkix_validation_store == NULL) {
365 switch (cert_usage) {
384 switch (cert_usage) {
388 s = ldns_dane_pkix_validate_and_get_chain(
389 &pkix_validation_chain,
391 pkix_validation_store);
392 if (! pkix_validation_chain) {
399 s = ldns_dane_get_nth_cert_from_validation_chain(
400 selected_cert, pkix_validation_chain,
403 sk_X509_pop_free(pkix_validation_chain, X509_free);
410 *selected_cert = cert;
411 return ldns_dane_pkix_validate(cert, extra_certs,
412 pkix_validation_store);
419 s = ldns_dane_pkix_get_last_self_signed(
420 selected_cert, cert, extra_certs);
423 s = ldns_dane_pkix_get_chain(
424 &pkix_validation_chain,
428 ldns_dane_get_nth_cert_from_validation_chain(
429 selected_cert, pkix_validation_chain,
431 }
else if (! pkix_validation_chain) {
434 sk_X509_pop_free(pkix_validation_chain, X509_free);
442 *selected_cert = cert;
463 assert(tlsa != NULL);
464 assert(cert != NULL);
473 (uint8_t)certificate_usage);
507 #ifdef USE_DANE_VERIFY 512 ldns_dane_filter_unusable_records(
const ldns_rr_list* tlsas)
539 #if !defined(USE_DANE_TA_USAGE) 565 ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
574 n = (size_t)sk_X509_num(chain);
575 for (i = 0; i < n; i++) {
576 cert = sk_X509_pop(chain);
581 s = ldns_dane_match_cert_with_data(cert,
582 selector, matching_type, data);
599 #ifdef USE_DANE_VERIFY 602 X509* cert, STACK_OF(X509)* extra_certs,
603 X509_STORE* pkix_validation_store)
605 #if defined(USE_DANE_TA_USAGE) 606 SSL_CTX *ssl_ctx = NULL;
608 X509_STORE_CTX *store_ctx = NULL;
610 STACK_OF(X509)* pkix_validation_chain = NULL;
626 return ldns_dane_pkix_validate(cert, extra_certs,
627 pkix_validation_store);
634 #if defined(USE_DANE_TA_USAGE) 644 if (!(ssl_ctx = SSL_CTX_new(TLS_client_method())))
647 else if (SSL_CTX_dane_enable(ssl_ctx) <= 0)
650 else if (SSL_CTX_dane_set_flags(
651 ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS),
652 !(ssl = SSL_new(ssl_ctx)))
655 else if (SSL_set_connect_state(ssl),
656 (SSL_dane_enable(ssl, NULL) <= 0))
659 else if (SSL_dane_tlsa_add(ssl, usage, selector, mtype,
663 else if (!(store_ctx = X509_STORE_CTX_new()))
666 else if (!X509_STORE_CTX_init(store_ctx, pkix_validation_store, cert, extra_certs))
672 X509_STORE_CTX_set_default(store_ctx,
673 SSL_is_server(ssl) ?
"ssl_client" :
"ssl_server");
674 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
675 SSL_get0_param(ssl));
676 X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl));
677 if (SSL_get_verify_callback(ssl))
678 X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
680 ret = X509_verify_cert(store_ctx);
682 if (X509_STORE_CTX_get_error(store_ctx) == X509_V_ERR_DANE_NO_MATCH)
687 X509_STORE_CTX_cleanup(store_ctx);
690 X509_STORE_CTX_free(store_ctx);
694 SSL_CTX_free(ssl_ctx);
699 s = ldns_dane_pkix_validate_and_get_chain(
700 &pkix_validation_chain,
702 pkix_validation_store);
703 if (! pkix_validation_chain) {
715 s = ldns_dane_match_any_cert_with_data(
716 pkix_validation_chain,
717 selector, mtype, data,
true);
730 s = ldns_dane_match_any_cert_with_data(
731 pkix_validation_chain,
732 selector, mtype, data,
true);
734 sk_X509_pop_free(pkix_validation_chain, X509_free);
740 s = ldns_dane_match_cert_with_data(cert,
741 selector, mtype, data);
744 return ldns_dane_pkix_validate(cert, extra_certs,
745 pkix_validation_store);
752 s = ldns_dane_pkix_get_chain(&pkix_validation_chain,
756 s = ldns_dane_match_any_cert_with_data(
757 pkix_validation_chain,
758 selector, mtype, data,
false);
760 }
else if (! pkix_validation_chain) {
763 sk_X509_pop_free(pkix_validation_chain, X509_free);
771 return ldns_dane_match_cert_with_data(cert,
772 selector, mtype, data);
785 X509* cert, STACK_OF(X509)* extra_certs,
786 X509_STORE* pkix_validation_store)
788 #if defined(USE_DANE_TA_USAGE) 789 SSL_CTX *ssl_ctx = NULL;
791 char *basename = NULL;
793 X509_STORE_CTX *store_ctx = NULL;
802 assert(cert != NULL);
807 return ldns_dane_pkix_validate(cert, extra_certs,
808 pkix_validation_store);
811 #if defined(USE_DANE_TA_USAGE) && 0 820 else if (strlen(basename) && (basename[strlen(basename)-1] = 0))
824 else if (!(usable_tlsas = ldns_dane_filter_unusable_records(tlsas)))
831 return ldns_dane_pkix_validate(cert, extra_certs,
832 pkix_validation_store);
834 #if defined(USE_DANE_TA_USAGE) 844 if (!(ssl_ctx = SSL_CTX_new(TLS_client_method())))
847 else if (SSL_CTX_dane_enable(ssl_ctx) <= 0)
850 else if (SSL_CTX_dane_set_flags(
851 ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS),
852 !(ssl = SSL_new(ssl_ctx)))
855 else if (SSL_set_connect_state(ssl),
856 (SSL_dane_enable(ssl, basename) <= 0))
871 if (SSL_dane_tlsa_add(ssl, usage, selector, mtype,
878 if (!s && !(store_ctx = X509_STORE_CTX_new()))
881 else if (!X509_STORE_CTX_init(store_ctx, pkix_validation_store, cert, extra_certs))
887 X509_STORE_CTX_set_default(store_ctx,
888 SSL_is_server(ssl) ?
"ssl_client" :
"ssl_server");
889 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
890 SSL_get0_param(ssl));
891 X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl));
892 if (SSL_get_verify_callback(ssl))
893 X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
895 ret = X509_verify_cert(store_ctx);
897 if (X509_STORE_CTX_get_error(store_ctx) == X509_V_ERR_DANE_NO_MATCH)
902 X509_STORE_CTX_cleanup(store_ctx);
905 X509_STORE_CTX_free(store_ctx);
909 SSL_CTX_free(ssl_ctx);
918 pkix_validation_store);
930 s = (s > ps ? s : ps);
ldns_rdf * ldns_rr_rdf(const ldns_rr *rr, size_t nr)
returns the rdata field member counter.
ldns_rdf * ldns_rr_set_rdf(ldns_rr *rr, const ldns_rdf *f, size_t position)
sets a rdf member, it will be set on the position given.
#define LDNS_SHA512_DIGEST_LENGTH
void ldns_rdf_deep_free(ldns_rdf *rd)
frees a rdf structure and frees the data.
bool ldns_rr_list_push_rr(ldns_rr_list *rr_list, const ldns_rr *rr)
pushes an rr to an rrlist.
List or Set of Resource Records.
uint8_t ldns_rdf2native_int8(const ldns_rdf *rd)
returns the native uint8_t representation from the rdf.
#define LDNS_XMALLOC(type, count)
size_t ldns_rdf_size(const ldns_rdf *rd)
returns the size of the rdf.
#define LDNS_SHA256_DIGEST_LENGTH
ldns_rr * ldns_rr_new_frm_type(ldns_rr_type t)
creates a new rr structure, based on the given type.
size_t ldns_rr_rd_count(const ldns_rr *rr)
returns the rd_count of an rr structure.
void ldns_rr_free(ldns_rr *rr)
frees an RR structure
unsigned char * ldns_sha256(unsigned char *data, unsigned int data_len, unsigned char *digest)
Convenience function to digest a fixed block of data at once.
void ldns_rr_list_free(ldns_rr_list *rr_list)
frees an rr_list structure.
ldns_status ldns_dane_create_tlsa_rr(ldns_rr **tlsa, ldns_tlsa_certificate_usage certificate_usage, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type, X509 *cert)
Creates a TLSA resource record from the certificate.
void ldns_rdf_free(ldns_rdf *rd)
frees a rdf structure, leaving the data pointer intact.
This module contains base functions for creating and verifying TLSA RR's with PKIX certificates,...
Including this file will include all ldns files, and define some lookup tables.
ldns_rdf * ldns_native2rdf_int8(ldns_rdf_type type, uint8_t value)
returns the rdf containing the native uint8_t repr.
ldns_status ldns_dane_select_certificate(X509 **selected_cert, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store, ldns_tlsa_certificate_usage cert_usage, int offset)
Selects the certificate from cert, extra_certs or the pkix_validation_store based on the value of cer...
uint8_t * ldns_rdf_data(const ldns_rdf *rd)
returns the data of the rdf.
ldns_rdf * ldns_dname_clone_from(const ldns_rdf *d, uint16_t n)
Clones the given dname from the nth label on.
ldns_rr * ldns_rr_list_rr(const ldns_rr_list *rr_list, size_t nr)
returns a specific rr of an rrlist.
#define LDNS_MAX_DOMAINLEN
Maximum length of a complete dname.
ldns_status ldns_dane_cert2rdf(ldns_rdf **rdf, X509 *cert, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type)
Creates a LDNS_RDF_TYPE_HEX type rdf based on the binary data chosen by the selector and encoded usin...
unsigned char * ldns_sha512(unsigned char *data, unsigned int data_len, unsigned char *digest)
Convenience function to digest a fixed block of data at once.
ldns_rr_list * ldns_rr_list_new(void)
creates a new rr_list structure.
enum ldns_enum_dane_transport ldns_dane_transport
ldns_rdf * ldns_rr_list_owner(const ldns_rr_list *rr_list)
Returns the owner domain name rdf of the first element of the RR If there are no elements present,...
ldns_rdf_type ldns_rdf_get_type(const ldns_rdf *rd)
returns the type of the rdf.
ldns_rr_type ldns_rr_get_type(const ldns_rr *rr)
returns the type of the rr.
ldns_status ldns_dane_create_tlsa_owner(ldns_rdf **tlsa_owner, const ldns_rdf *name, uint16_t port, ldns_dane_transport transport)
Creates a dname consisting of the given name, prefixed by the service port and type of transport: _po...
enum ldns_enum_tlsa_selector ldns_tlsa_selector
ldns_status ldns_dane_verify_rr(const ldns_rr *tlsa_rr, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store)
BEWARE! We strongly recommend to use OpenSSL 1.1.0 dane verification functions instead of the ones pr...
enum ldns_enum_status ldns_status
ldns_rdf * ldns_rdf_new_frm_data(ldns_rdf_type type, size_t size, const void *data)
allocates a new rdf structure and fills it.
ldns_rdf * ldns_rdf_new(ldns_rdf_type type, size_t size, void *data)
allocates a new rdf structure and fills it.
enum ldns_enum_tlsa_matching_type ldns_tlsa_matching_type
ldns_status ldns_dane_verify(const ldns_rr_list *tlsas, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store)
BEWARE! We strongly recommend to use OpenSSL 1.1.0 dane verification functions instead of the ones pr...
char * ldns_rdf2str(const ldns_rdf *rdf)
Converts the data in the rdata field to presentation format and returns that as a char *.
Resource record data field.
size_t ldns_rr_list_rr_count(const ldns_rr_list *rr_list)
returns the number of rr's in an rr_list.
enum ldns_enum_tlsa_certificate_usage ldns_tlsa_certificate_usage
int ldns_rdf_compare(const ldns_rdf *rd1, const ldns_rdf *rd2)
compares two rdf's on their wire formats.