18 #include <sys/types.h>
19 #ifdef HAVE_SYS_SOCKET_H
20 #include <sys/socket.h>
27 #include <openssl/ssl.h>
28 #include <openssl/err.h>
29 #include <openssl/x509v3.h>
41 # ifdef SSL_OP_NO_SSLv2
46 # ifdef SSL_OP_NO_SSLv3
51 # ifdef SSL_OP_NO_TLSv1
56 # ifdef SSL_OP_NO_DTLSv1
61 # ifdef SSL_OP_NO_COMPRESSION
68 #if defined(USE_DANE_VERIFY) && defined(USE_DANE_TA_USAGE)
70 ldns_dane_new_ssl_context(
void)
74 ssl_ctx = SSL_CTX_new(TLS_client_method());
82 SSL_CTX_set_options(ssl_ctx, flags);
96 assert(tlsa_owner != NULL);
101 buf[0] = (char)(s - 1);
125 if (*tlsa_owner == NULL) {
138 unsigned char* buf = NULL;
141 X509_PUBKEY* xpubkey;
144 unsigned char* digest;
147 assert(cert != NULL);
152 len = (size_t)i2d_X509(cert, &buf);
158 xpubkey = X509_get_X509_PUBKEY(cert);
163 epubkey = X509_PUBKEY_get(xpubkey);
167 len = (size_t)i2d_PUBKEY(epubkey, &buf);
174 switch(matching_type) {
185 if (digest == NULL) {
189 (void)
ldns_sha256(buf, (
unsigned int)len, digest);
200 if (digest == NULL) {
204 (void)
ldns_sha512(buf, (
unsigned int)len, digest);
223 ldns_dane_pkix_validate(X509* cert, STACK_OF(X509)* extra_certs,
226 X509_STORE_CTX* vrfy_ctx;
232 vrfy_ctx = X509_STORE_CTX_new();
237 }
else if (X509_STORE_CTX_init(vrfy_ctx, store,
238 cert, extra_certs) != 1) {
241 }
else if (X509_verify_cert(vrfy_ctx) == 1) {
248 X509_STORE_CTX_free(vrfy_ctx);
257 ldns_dane_pkix_validate_and_get_chain(STACK_OF(X509)** chain, X509* cert,
258 STACK_OF(X509)* extra_certs, X509_STORE* store)
261 X509_STORE* empty_store = NULL;
262 X509_STORE_CTX* vrfy_ctx;
264 assert(chain != NULL);
267 store = empty_store = X509_STORE_new();
270 vrfy_ctx = X509_STORE_CTX_new();
273 goto exit_free_empty_store;
275 }
else if (X509_STORE_CTX_init(vrfy_ctx, store,
276 cert, extra_certs) != 1) {
277 goto exit_free_vrfy_ctx;
279 }
else if (X509_verify_cert(vrfy_ctx) == 1) {
286 *chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
292 X509_STORE_CTX_free(vrfy_ctx);
294 exit_free_empty_store:
296 X509_STORE_free(empty_store);
305 ldns_dane_pkix_get_chain(STACK_OF(X509)** chain,
306 X509* cert, STACK_OF(X509)* extra_certs)
309 X509_STORE* empty_store = NULL;
310 X509_STORE_CTX* vrfy_ctx;
312 assert(chain != NULL);
314 empty_store = X509_STORE_new();
316 vrfy_ctx = X509_STORE_CTX_new();
319 goto exit_free_empty_store;
321 }
else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
322 cert, extra_certs) != 1) {
323 goto exit_free_vrfy_ctx;
325 (void) X509_verify_cert(vrfy_ctx);
326 *chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
333 X509_STORE_CTX_free(vrfy_ctx);
335 exit_free_empty_store:
336 X509_STORE_free(empty_store);
344 ldns_dane_get_nth_cert_from_validation_chain(
345 X509** cert, STACK_OF(X509)* chain,
int n,
bool ca)
347 if (n >= sk_X509_num(chain) || n < 0) {
350 *cert = sk_X509_pop(chain);
353 *cert = sk_X509_pop(chain);
355 if (ca && ! X509_check_ca(*cert)) {
366 ldns_dane_pkix_get_last_self_signed(X509** out_cert,
367 X509* cert, STACK_OF(X509)* extra_certs)
370 X509_STORE* empty_store = NULL;
371 X509_STORE_CTX* vrfy_ctx;
373 assert(out_cert != NULL);
375 empty_store = X509_STORE_new();
377 vrfy_ctx = X509_STORE_CTX_new();
379 goto exit_free_empty_store;
381 }
else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
382 cert, extra_certs) != 1) {
383 goto exit_free_vrfy_ctx;
386 (void) X509_verify_cert(vrfy_ctx);
387 if (X509_STORE_CTX_get_error(vrfy_ctx) == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
388 X509_STORE_CTX_get_error(vrfy_ctx) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){
390 *out_cert = X509_STORE_CTX_get_current_cert( vrfy_ctx);
396 X509_STORE_CTX_free(vrfy_ctx);
398 exit_free_empty_store:
399 X509_STORE_free(empty_store);
406 X509* cert, STACK_OF(X509)* extra_certs,
407 X509_STORE* pkix_validation_store,
411 STACK_OF(X509)* pkix_validation_chain = NULL;
413 assert(selected_cert != NULL);
414 assert(cert != NULL);
421 if (pkix_validation_store == NULL) {
422 switch (cert_usage) {
441 switch (cert_usage) {
445 s = ldns_dane_pkix_validate_and_get_chain(
446 &pkix_validation_chain,
448 pkix_validation_store);
449 if (! pkix_validation_chain) {
456 s = ldns_dane_get_nth_cert_from_validation_chain(
457 selected_cert, pkix_validation_chain,
460 sk_X509_pop_free(pkix_validation_chain, X509_free);
467 *selected_cert = cert;
468 return ldns_dane_pkix_validate(cert, extra_certs,
469 pkix_validation_store);
476 s = ldns_dane_pkix_get_last_self_signed(
477 selected_cert, cert, extra_certs);
480 s = ldns_dane_pkix_get_chain(
481 &pkix_validation_chain,
485 ldns_dane_get_nth_cert_from_validation_chain(
486 selected_cert, pkix_validation_chain,
488 }
else if (! pkix_validation_chain) {
491 sk_X509_pop_free(pkix_validation_chain, X509_free);
499 *selected_cert = cert;
520 assert(tlsa != NULL);
521 assert(cert != NULL);
530 (uint8_t)certificate_usage);
564 #ifdef USE_DANE_VERIFY
569 ldns_dane_filter_unusable_records(
const ldns_rr_list* tlsas)
596 #if !defined(USE_DANE_TA_USAGE)
622 ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
631 n = sk_X509_num(chain);
632 for (i = 0; i < n; i++) {
633 cert = sk_X509_pop(chain);
638 s = ldns_dane_match_cert_with_data(cert,
639 selector, matching_type, data);
656 #ifdef USE_DANE_VERIFY
659 X509* cert, STACK_OF(X509)* extra_certs,
660 X509_STORE* pkix_validation_store)
662 #if defined(USE_DANE_TA_USAGE)
663 SSL_CTX *ssl_ctx = NULL;
665 X509_STORE_CTX *store_ctx = NULL;
667 STACK_OF(X509)* pkix_validation_chain = NULL;
683 return ldns_dane_pkix_validate(cert, extra_certs,
684 pkix_validation_store);
691 #if defined(USE_DANE_TA_USAGE)
701 if (!(ssl_ctx = ldns_dane_new_ssl_context()))
704 else if (SSL_CTX_dane_enable(ssl_ctx) <= 0)
707 else if (SSL_CTX_dane_set_flags(
708 ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS),
709 !(ssl = SSL_new(ssl_ctx)))
712 else if (SSL_set_connect_state(ssl),
713 (SSL_dane_enable(ssl, NULL) <= 0))
716 else if (SSL_dane_tlsa_add(ssl, usage, selector, mtype,
720 else if (!(store_ctx = X509_STORE_CTX_new()))
723 else if (!X509_STORE_CTX_init(store_ctx, pkix_validation_store, cert, extra_certs))
729 X509_STORE_CTX_set_default(store_ctx,
730 SSL_is_server(ssl) ?
"ssl_client" :
"ssl_server");
731 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
732 SSL_get0_param(ssl));
733 X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl));
734 if (SSL_get_verify_callback(ssl))
735 X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
737 ret = X509_verify_cert(store_ctx);
739 if (X509_STORE_CTX_get_error(store_ctx) == X509_V_ERR_DANE_NO_MATCH)
744 X509_STORE_CTX_cleanup(store_ctx);
747 X509_STORE_CTX_free(store_ctx);
751 SSL_CTX_free(ssl_ctx);
756 s = ldns_dane_pkix_validate_and_get_chain(
757 &pkix_validation_chain,
759 pkix_validation_store);
760 if (! pkix_validation_chain) {
772 s = ldns_dane_match_any_cert_with_data(
773 pkix_validation_chain,
774 selector, mtype, data,
true);
787 s = ldns_dane_match_any_cert_with_data(
788 pkix_validation_chain,
789 selector, mtype, data,
true);
791 sk_X509_pop_free(pkix_validation_chain, X509_free);
797 s = ldns_dane_match_cert_with_data(cert,
798 selector, mtype, data);
801 return ldns_dane_pkix_validate(cert, extra_certs,
802 pkix_validation_store);
809 s = ldns_dane_pkix_get_chain(&pkix_validation_chain,
813 s = ldns_dane_match_any_cert_with_data(
814 pkix_validation_chain,
815 selector, mtype, data,
false);
817 }
else if (! pkix_validation_chain) {
820 sk_X509_pop_free(pkix_validation_chain, X509_free);
828 return ldns_dane_match_cert_with_data(cert,
829 selector, mtype, data);
842 X509* cert, STACK_OF(X509)* extra_certs,
843 X509_STORE* pkix_validation_store)
845 #if defined(USE_DANE_TA_USAGE)
846 SSL_CTX *ssl_ctx = NULL;
848 char *basename = NULL;
850 X509_STORE_CTX *store_ctx = NULL;
859 assert(cert != NULL);
864 return ldns_dane_pkix_validate(cert, extra_certs,
865 pkix_validation_store);
868 #if defined(USE_DANE_TA_USAGE) && 0
877 else if (strlen(basename) && (basename[strlen(basename)-1] = 0))
881 else if (!(usable_tlsas = ldns_dane_filter_unusable_records(tlsas)))
888 return ldns_dane_pkix_validate(cert, extra_certs,
889 pkix_validation_store);
891 #if defined(USE_DANE_TA_USAGE)
901 if (!(ssl_ctx = ldns_dane_new_ssl_context()))
904 else if (SSL_CTX_dane_enable(ssl_ctx) <= 0)
907 else if (SSL_CTX_dane_set_flags(
908 ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS),
909 !(ssl = SSL_new(ssl_ctx)))
912 else if (SSL_set_connect_state(ssl),
913 (SSL_dane_enable(ssl, basename) <= 0))
928 if (SSL_dane_tlsa_add(ssl, usage, selector, mtype,
935 if (!s && !(store_ctx = X509_STORE_CTX_new()))
938 else if (!X509_STORE_CTX_init(store_ctx, pkix_validation_store, cert, extra_certs))
944 X509_STORE_CTX_set_default(store_ctx,
945 SSL_is_server(ssl) ?
"ssl_client" :
"ssl_server");
946 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
947 SSL_get0_param(ssl));
948 X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl));
949 if (SSL_get_verify_callback(ssl))
950 X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
952 ret = X509_verify_cert(store_ctx);
954 if (X509_STORE_CTX_get_error(store_ctx) == X509_V_ERR_DANE_NO_MATCH)
959 X509_STORE_CTX_cleanup(store_ctx);
962 X509_STORE_CTX_free(store_ctx);
966 SSL_CTX_free(ssl_ctx);
975 pkix_validation_store);
987 s = (s > ps ? s : ps);
ldns_status ldns_dane_cert2rdf(ldns_rdf **rdf, X509 *cert, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type)
Creates a LDNS_RDF_TYPE_HEX type rdf based on the binary data chosen by the selector and encoded usin...
ldns_status ldns_dane_create_tlsa_rr(ldns_rr **tlsa, ldns_tlsa_certificate_usage certificate_usage, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type, X509 *cert)
Creates a TLSA resource record from the certificate.
const long NoOpenSSLCompression
ldns_status ldns_dane_select_certificate(X509 **selected_cert, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store, ldns_tlsa_certificate_usage cert_usage, int offset)
Selects the certificate from cert, extra_certs or the pkix_validation_store based on the value of cer...
ldns_status ldns_dane_create_tlsa_owner(ldns_rdf **tlsa_owner, const ldns_rdf *name, uint16_t port, ldns_dane_transport transport)
Creates a dname consisting of the given name, prefixed by the service port and type of transport: _po...
This module contains base functions for creating and verifying TLSA RR's with PKIX certificates,...
@ LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO
@ LDNS_TLSA_SELECTOR_FULL_CERTIFICATE
enum ldns_enum_tlsa_selector ldns_tlsa_selector
enum ldns_enum_dane_transport ldns_dane_transport
@ LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT
@ LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE
@ LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION
@ LDNS_TLSA_USAGE_CA_CONSTRAINT
ldns_status ldns_dane_verify_rr(const ldns_rr *tlsa_rr, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store)
BEWARE! We strongly recommend to use OpenSSL 1.1.0 dane verification functions instead of the ones pr...
ldns_status ldns_dane_verify(const ldns_rr_list *tlsas, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store)
BEWARE! We strongly recommend to use OpenSSL 1.1.0 dane verification functions instead of the ones pr...
enum ldns_enum_tlsa_certificate_usage ldns_tlsa_certificate_usage
enum ldns_enum_tlsa_matching_type ldns_tlsa_matching_type
@ LDNS_DANE_TRANSPORT_UDP
UDP.
@ LDNS_DANE_TRANSPORT_TCP
TCP.
@ LDNS_DANE_TRANSPORT_SCTP
SCTP.
@ LDNS_TLSA_MATCHING_TYPE_SHA256
@ LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED
@ LDNS_TLSA_MATCHING_TYPE_SHA512
ldns_rdf * ldns_dname_clone_from(const ldns_rdf *d, uint16_t n)
Clones the given dname from the nth label on.
@ LDNS_STATUS_DANE_UNKNOWN_SELECTOR
@ LDNS_STATUS_DANE_UNKNOWN_TRANSPORT
@ LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE
@ LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA
@ LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH
@ LDNS_STATUS_DANE_UNKNOWN_MATCHING_TYPE
@ LDNS_STATUS_DANE_NON_CA_CERTIFICATE
@ LDNS_STATUS_DANE_OFFSET_OUT_OF_RANGE
@ LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE
@ LDNS_STATUS_DOMAINNAME_OVERFLOW
@ LDNS_STATUS_DANE_PKIX_NO_SELF_SIGNED_TRUST_ANCHOR
enum ldns_enum_status ldns_status
char * ldns_rdf2str(const ldns_rdf *rdf)
Converts the data in the rdata field to presentation format and returns that as a char *.
Including this file will include all ldns files, and define some lookup tables.
ldns_rdf_type ldns_rdf_get_type(const ldns_rdf *rd)
returns the type of the rdf.
ldns_rdf * ldns_native2rdf_int8(ldns_rdf_type type, uint8_t value)
returns the rdf containing the native uint8_t repr.
void ldns_rdf_deep_free(ldns_rdf *rd)
frees a rdf structure and frees the data.
ldns_rdf * ldns_rdf_new(ldns_rdf_type type, size_t size, void *data)
allocates a new rdf structure and fills it.
uint8_t ldns_rdf2native_int8(const ldns_rdf *rd)
returns the native uint8_t representation from the rdf.
@ LDNS_RDF_TYPE_DNAME
domain name
@ LDNS_RDF_TYPE_HEX
hex string
@ LDNS_RDF_TYPE_INT8
8 bits
size_t ldns_rdf_size(const ldns_rdf *rd)
returns the size of the rdf.
uint8_t * ldns_rdf_data(const ldns_rdf *rd)
returns the data of the rdf.
void ldns_rdf_free(ldns_rdf *rd)
frees a rdf structure, leaving the data pointer intact.
int ldns_rdf_compare(const ldns_rdf *rd1, const ldns_rdf *rd2)
compares two rdf's on their wire formats.
ldns_rdf * ldns_rdf_new_frm_data(ldns_rdf_type type, size_t size, const void *data)
allocates a new rdf structure and fills it.
void ldns_rr_list_free(ldns_rr_list *rr_list)
frees an rr_list structure.
ldns_rr * ldns_rr_list_rr(const ldns_rr_list *rr_list, size_t nr)
returns a specific rr of an rrlist.
void ldns_rr_free(ldns_rr *rr)
frees an RR structure
ldns_rr * ldns_rr_new_frm_type(ldns_rr_type t)
creates a new rr structure, based on the given type.
signed char ldns_rr_list_push_rr(ldns_rr_list *rr_list, const ldns_rr *rr)
pushes an rr to an rrlist.
size_t ldns_rr_rd_count(const ldns_rr *rr)
returns the rd_count of an rr structure.
ldns_rdf * ldns_rr_set_rdf(ldns_rr *rr, const ldns_rdf *f, size_t position)
sets a rdf member, it will be set on the position given.
size_t ldns_rr_list_rr_count(const ldns_rr_list *rr_list)
returns the number of rr's in an rr_list.
ldns_rr_type ldns_rr_get_type(const ldns_rr *rr)
returns the type of the rr.
ldns_rdf * ldns_rr_list_owner(const ldns_rr_list *rr_list)
Returns the owner domain name rdf of the first element of the RR If there are no elements present,...
ldns_rr_list * ldns_rr_list_new(void)
creates a new rr_list structure.
#define LDNS_MAX_DOMAINLEN
Maximum length of a complete dname.
ldns_rdf * ldns_rr_rdf(const ldns_rr *rr, size_t nr)
returns the rdata field member counter.
unsigned char * ldns_sha256(const unsigned char *data, unsigned int data_len, unsigned char *digest)
Convenience function to digest a fixed block of data at once.
#define LDNS_SHA512_DIGEST_LENGTH
unsigned char * ldns_sha512(const unsigned char *data, unsigned int data_len, unsigned char *digest)
Convenience function to digest a fixed block of data at once.
#define LDNS_SHA256_DIGEST_LENGTH
Resource record data field.
List or Set of Resource Records.
#define LDNS_XMALLOC(type, count)