}
+#if !defined(USE_DANE_TA_USAGE)
/* Return whether cert/selector/matching_type matches data.
*/
static ldns_status
}
return s;
}
-
+#endif
ldns_status
ldns_dane_verify_rr(const ldns_rr* tlsa_rr,
X509* cert, STACK_OF(X509)* extra_certs,
X509_STORE* pkix_validation_store)
{
- ldns_status s;
-
+#if defined(USE_DANE_TA_USAGE)
+ SSL_CTX *ssl_ctx = NULL;
+ SSL *ssl = NULL;
+ X509_STORE_CTX *store_ctx = NULL;
+#else
STACK_OF(X509)* pkix_validation_chain = NULL;
+#endif
+ ldns_status s = LDNS_STATUS_OK;
- ldns_tlsa_certificate_usage cert_usage;
+ ldns_tlsa_certificate_usage usage;
ldns_tlsa_selector selector;
- ldns_tlsa_matching_type matching_type;
+ ldns_tlsa_matching_type mtype;
ldns_rdf* data;
- if (! tlsa_rr) {
- /* No TLSA, so regular PKIX validation
+ if (! tlsa_rr || ldns_rr_get_type(tlsa_rr) != LDNS_RR_TYPE_TLSA ||
+ ldns_rr_rd_count(tlsa_rr) != 4 ||
+ ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)) > 3 ||
+ ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1)) > 1 ||
+ ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2)) > 2 ) {
+ /* No (usable) TLSA, so regular PKIX validation
*/
return ldns_dane_pkix_validate(cert, extra_certs,
pkix_validation_store);
}
- cert_usage = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0));
- selector = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1));
- matching_type = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2));
- data = ldns_rr_rdf(tlsa_rr, 3) ;
+ usage = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0));
+ selector = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1));
+ mtype = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2));
+ data = ldns_rr_rdf(tlsa_rr, 3) ;
+
+#if defined(USE_DANE_TA_USAGE)
+ /* Rely on OpenSSL dane functions.
+ *
+ * OpenSSL does not provide offline dane verification. The dane unit
+ * tests within openssl use the undocumented SSL_get0_dane() and
+ * X509_STORE_CTX_set0_dane() to convey dane parameters set on SSL and
+ * SSL_CTX to a X509_STORE_CTX that can be used to do offline
+ * verification. We use these undocumented means with the ldns
+ * dane function prototypes which did only offline dane verification.
+ */
+ if (!(ssl_ctx = SSL_CTX_new(TLS_client_method())))
+ s = LDNS_STATUS_MEM_ERR;
- switch (cert_usage) {
+ else if (SSL_CTX_dane_enable(ssl_ctx) <= 0)
+ s = LDNS_STATUS_SSL_ERR;
+
+ else if (SSL_CTX_dane_set_flags(
+ ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS),
+ !(ssl = SSL_new(ssl_ctx)))
+ s = LDNS_STATUS_MEM_ERR;
+
+ else if (SSL_set_connect_state(ssl),
+ (SSL_dane_enable(ssl, NULL) <= 0))
+ s = LDNS_STATUS_SSL_ERR;
+
+ else if (SSL_dane_tlsa_add(ssl, usage, selector, mtype,
+ ldns_rdf_data(data), ldns_rdf_size(data)) <= 0)
+ s = LDNS_STATUS_SSL_ERR;
+
+ else if (!(store_ctx = X509_STORE_CTX_new()))
+ s = LDNS_STATUS_MEM_ERR;
+
+ else if (!X509_STORE_CTX_init(store_ctx, pkix_validation_store, cert, extra_certs))
+ s = LDNS_STATUS_SSL_ERR;
+
+ else {
+ int ret;
+
+ X509_STORE_CTX_set_default(store_ctx,
+ SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
+ X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
+ SSL_get0_param(ssl));
+ X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl));
+ if (SSL_get_verify_callback(ssl))
+ X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
+
+ ret = X509_verify_cert(store_ctx);
+ if (!ret) {
+ if (X509_STORE_CTX_get_error(store_ctx) == X509_V_ERR_DANE_NO_MATCH)
+ s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
+ else
+ s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
+ }
+ X509_STORE_CTX_cleanup(store_ctx);
+ }
+ if (store_ctx)
+ X509_STORE_CTX_free(store_ctx);
+ if (ssl)
+ SSL_free(ssl);
+ if (ssl_ctx)
+ SSL_CTX_free(ssl_ctx);
+ return s;
+#else
+ switch (usage) {
case LDNS_TLSA_USAGE_CA_CONSTRAINT:
s = ldns_dane_pkix_validate_and_get_chain(
&pkix_validation_chain,
*/
s = ldns_dane_match_any_cert_with_data(
pkix_validation_chain,
- selector, matching_type, data, true);
+ selector, mtype, data, true);
if (s == LDNS_STATUS_OK) {
/* A TLSA record did match a cert from the
s = ldns_dane_match_any_cert_with_data(
pkix_validation_chain,
- selector, matching_type, data, true);
+ selector, mtype, data, true);
}
sk_X509_pop_free(pkix_validation_chain, X509_free);
return s;
break;
case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
+
s = ldns_dane_match_cert_with_data(cert,
- selector, matching_type, data);
+ selector, mtype, data);
if (s == LDNS_STATUS_OK) {
return ldns_dane_pkix_validate(cert, extra_certs,
break;
case LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION:
+#if 0
s = ldns_dane_pkix_get_chain(&pkix_validation_chain,
cert, extra_certs);
if (s == LDNS_STATUS_OK) {
s = ldns_dane_match_any_cert_with_data(
pkix_validation_chain,
- selector, matching_type, data, false);
+ selector, mtype, data, false);
} else if (! pkix_validation_chain) {
return s;
}
sk_X509_pop_free(pkix_validation_chain, X509_free);
return s;
+#else
+ return LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA;
+#endif
break;
case LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE:
return ldns_dane_match_cert_with_data(cert,
- selector, matching_type, data);
+ selector, mtype, data);
break;
default:
break;
}
+#endif
return LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE;
}
X509* cert, STACK_OF(X509)* extra_certs,
X509_STORE* pkix_validation_store)
{
+#if defined(USE_DANE_TA_USAGE)
+ SSL_CTX *ssl_ctx = NULL;
+ ldns_rdf *basename_rdf = NULL;
+ char *basename = NULL;
+ SSL *ssl = NULL;
+ X509_STORE_CTX *store_ctx = NULL;
+#else
+ ldns_status ps;
+#endif
size_t i;
ldns_rr* tlsa_rr;
- ldns_status s = LDNS_STATUS_OK, ps;
+ ldns_rr_list *usable_tlsas;
+ ldns_status s = LDNS_STATUS_OK;
assert(cert != NULL);
return ldns_dane_pkix_validate(cert, extra_certs,
pkix_validation_store);
- else if (!(tlsas = ldns_dane_filter_unusable_records(tlsas)))
+/* To enable name checks (which we don't) */
+#if defined(USE_DANE_TA_USAGE) && 0
+ else if (!(basename_rdf = ldns_dname_clone_from(
+ ldns_rr_list_owner(tlsas), 2)))
+ /* Could nog get DANE base name */
+ s = LDNS_STATUS_ERR;
+
+ else if (!(basename = ldns_rdf2str(basename_rdf)))
+ s = LDNS_STATUS_MEM_ERR;
+
+ else if (strlen(basename) && (basename[strlen(basename)-1] = 0))
+ s = LDNS_STATUS_ERR; /* Intended to be unreachable */
+#endif
+
+ else if (!(usable_tlsas = ldns_dane_filter_unusable_records(tlsas)))
return LDNS_STATUS_MEM_ERR;
- else if (ldns_rr_list_rr_count(tlsas) == 0) {
+ else if (ldns_rr_list_rr_count(usable_tlsas) == 0) {
/* No TLSA's, so regular PKIX validation
*/
- ldns_rr_list_free((ldns_rr_list *)tlsas);
+ ldns_rr_list_free(usable_tlsas);
return ldns_dane_pkix_validate(cert, extra_certs,
pkix_validation_store);
}
- for (i = 0; i < ldns_rr_list_rr_count(tlsas); i++) {
- tlsa_rr = ldns_rr_list_rr(tlsas, i);
+#if defined(USE_DANE_TA_USAGE)
+ /* Rely on OpenSSL dane functions.
+ *
+ * OpenSSL does not provide offline dane verification. The dane unit
+ * tests within openssl use the undocumented SSL_get0_dane() and
+ * X509_STORE_CTX_set0_dane() to convey dane parameters set on SSL and
+ * SSL_CTX to a X509_STORE_CTX that can be used to do offline
+ * verification. We use these undocumented means with the ldns
+ * dane function prototypes which did only offline dane verification.
+ */
+ if (!(ssl_ctx = SSL_CTX_new(TLS_client_method())))
+ s = LDNS_STATUS_MEM_ERR;
+
+ else if (SSL_CTX_dane_enable(ssl_ctx) <= 0)
+ s = LDNS_STATUS_SSL_ERR;
+
+ else if (SSL_CTX_dane_set_flags(
+ ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS),
+ !(ssl = SSL_new(ssl_ctx)))
+ s = LDNS_STATUS_MEM_ERR;
+
+ else if (SSL_set_connect_state(ssl),
+ (SSL_dane_enable(ssl, basename) <= 0))
+ s = LDNS_STATUS_SSL_ERR;
+
+ else for (i = 0; i < ldns_rr_list_rr_count(usable_tlsas); i++) {
+ ldns_tlsa_certificate_usage usage;
+ ldns_tlsa_selector selector;
+ ldns_tlsa_matching_type mtype;
+ ldns_rdf* data;
+
+ tlsa_rr = ldns_rr_list_rr(usable_tlsas, i);
+ usage = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr,0));
+ selector= ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr,1));
+ mtype = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr,2));
+ data = ldns_rr_rdf(tlsa_rr,3) ;
+
+ if (SSL_dane_tlsa_add(ssl, usage, selector, mtype,
+ ldns_rdf_data(data),
+ ldns_rdf_size(data)) <= 0) {
+ s = LDNS_STATUS_SSL_ERR;
+ break;
+ }
+ }
+ if (!s && !(store_ctx = X509_STORE_CTX_new()))
+ s = LDNS_STATUS_MEM_ERR;
+
+ else if (!X509_STORE_CTX_init(store_ctx, pkix_validation_store, cert, extra_certs))
+ s = LDNS_STATUS_SSL_ERR;
+
+ else {
+ int ret;
+
+ X509_STORE_CTX_set_default(store_ctx,
+ SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
+ X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
+ SSL_get0_param(ssl));
+ X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl));
+ if (SSL_get_verify_callback(ssl))
+ X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
+
+ ret = X509_verify_cert(store_ctx);
+ if (!ret) {
+ if (X509_STORE_CTX_get_error(store_ctx) == X509_V_ERR_DANE_NO_MATCH)
+ s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
+ else
+ s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
+ }
+ X509_STORE_CTX_cleanup(store_ctx);
+ }
+ if (store_ctx)
+ X509_STORE_CTX_free(store_ctx);
+ if (ssl)
+ SSL_free(ssl);
+ if (ssl_ctx)
+ SSL_CTX_free(ssl_ctx);
+ if (basename)
+ free(basename);
+ ldns_rdf_deep_free(basename_rdf);
+#else
+ for (i = 0; i < ldns_rr_list_rr_count(usable_tlsas); i++) {
+ tlsa_rr = ldns_rr_list_rr(usable_tlsas, i);
ps = s;
s = ldns_dane_verify_rr(tlsa_rr, cert, extra_certs,
pkix_validation_store);
if (s != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH &&
- s != LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE) {
+ s != LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE &&
+ s != LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA) {
/* which would be LDNS_STATUS_OK (match)
* or some fatal error preventing use from
*/
break;
}
- s = (s > ps ? s : ps); /* prefer PKIX_DID_NOT_VALIDATE
- * over TLSA_DID_NOT_MATCH
+ s = (s > ps ? s : ps); /* pref NEED_OPENSSL_GE_1_1_FOR_DANE_TA
+ * over PKIX_DID_NOT_VALIDATE
+ * over TLSA_DID_NOT_MATCH
*/
}
- ldns_rr_list_free((ldns_rr_list *)tlsas);
+#endif
+ ldns_rr_list_free(usable_tlsas);
return s;
}
#endif /* HAVE_SSL */
projects / thirdparty / ldns.git / commitdiff
