Changeset View
Changeset View
Standalone View
Standalone View
contrib/ldns/dane.c
/* | /* | ||||
* Verify or create TLS authentication with DANE (RFC6698) | * Verify or create TLS authentication with DANE (RFC6698) | ||||
* | * | ||||
* (c) NLnetLabs 2012 | * (c) NLnetLabs 2012-2020 | ||||
* | * | ||||
* See the file LICENSE for the license. | * See the file LICENSE for the license. | ||||
* | * | ||||
*/ | */ | ||||
#include <ldns/config.h> | #include <ldns/config.h> | ||||
#ifdef USE_DANE | #ifdef USE_DANE | ||||
Show All 11 Lines | |||||
#endif | #endif | ||||
#ifdef HAVE_SSL | #ifdef HAVE_SSL | ||||
#include <openssl/ssl.h> | #include <openssl/ssl.h> | ||||
#include <openssl/err.h> | #include <openssl/err.h> | ||||
#include <openssl/x509v3.h> | #include <openssl/x509v3.h> | ||||
#endif | #endif | ||||
/* OpenSSL context options. At the moment, disable SSLv2, SSLv3 | |||||
* and Compression, if available. TLSv1.0 is allowed at the moment. | |||||
* TLSv1.1 is the first to provide elliptic curves, so it is usually | |||||
* allowed in a TLS stack. TLSv1.2 is the first to provide authentication | |||||
* modes of operation, like GCM. The defines below are a moving | |||||
* target based on OpenSSL library version. Grep is useful to find | |||||
* the defines: grep -IR SSL_OP_NO_ /usr/include/openssl. | |||||
*/ | |||||
#ifdef HAVE_SSL | |||||
# ifdef SSL_OP_NO_SSLv2 | |||||
const long NoOpenSSLv2 = SSL_OP_NO_SSLv2; | |||||
# else | |||||
const long NoOpenSSLv2 = 0L; | |||||
# endif | |||||
# ifdef SSL_OP_NO_SSLv3 | |||||
const long NoOpenSSLv3 = SSL_OP_NO_SSLv3; | |||||
# else | |||||
const long NoOpenSSLv3 = 0L; | |||||
# endif | |||||
# ifdef SSL_OP_NO_TLSv1 | |||||
const long NoOpenTLSv1 = SSL_OP_NO_TLSv1; | |||||
# else | |||||
const long NoOpenTLSv1 = 0L; | |||||
# endif | |||||
# ifdef SSL_OP_NO_DTLSv1 | |||||
const long NoOpenDTLSv1 = SSL_OP_NO_DTLSv1; | |||||
# else | |||||
const long NoOpenDTLSv1 = 0L; | |||||
# endif | |||||
# ifdef SSL_OP_NO_COMPRESSION | |||||
const long NoOpenSSLCompression = SSL_OP_NO_COMPRESSION; | |||||
# else | |||||
const long NoOpenSSLCompression = 0L; | |||||
# endif | |||||
#endif | |||||
#if defined(USE_DANE_VERIFY) && defined(USE_DANE_TA_USAGE) | |||||
static SSL_CTX* | |||||
ldns_dane_new_ssl_context(void) | |||||
{ | |||||
SSL_CTX* ssl_ctx; | |||||
ssl_ctx = SSL_CTX_new(TLS_client_method()); | |||||
if (ssl_ctx != NULL) | |||||
{ | |||||
/* ldns allows TLS and DTLS v1.0 at the moment. Some may disagree. | |||||
* Sometime in the future they may be disabled, too. Maybe | |||||
* --disable-tlsv1 and --disable-dtlsv1 should be configure options. | |||||
*/ | |||||
long flags = NoOpenSSLv2 | NoOpenSSLv3 | NoOpenSSLCompression; | |||||
SSL_CTX_set_options(ssl_ctx, flags); | |||||
} | |||||
return ssl_ctx; | |||||
} | |||||
#endif | |||||
ldns_status | ldns_status | ||||
ldns_dane_create_tlsa_owner(ldns_rdf** tlsa_owner, const ldns_rdf* name, | ldns_dane_create_tlsa_owner(ldns_rdf** tlsa_owner, const ldns_rdf* name, | ||||
uint16_t port, ldns_dane_transport transport) | uint16_t port, ldns_dane_transport transport) | ||||
{ | { | ||||
char buf[LDNS_MAX_DOMAINLEN]; | char buf[LDNS_MAX_DOMAINLEN]; | ||||
size_t s; | size_t s; | ||||
assert(tlsa_owner != NULL); | assert(tlsa_owner != NULL); | ||||
▲ Show 20 Lines • Show All 148 Lines • ▼ Show 20 Lines | ldns_dane_pkix_validate(X509* cert, STACK_OF(X509)* extra_certs, | ||||
} else { | } else { | ||||
s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE; | s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE; | ||||
} | } | ||||
X509_STORE_CTX_free(vrfy_ctx); | X509_STORE_CTX_free(vrfy_ctx); | ||||
return s; | return s; | ||||
} | } | ||||
/* Orinary PKIX validation of cert (with extra_certs to help) | /* Ordinary PKIX validation of cert (with extra_certs to help) | ||||
* against the CA's in store, but also return the validation chain. | * against the CA's in store, but also return the validation chain. | ||||
*/ | */ | ||||
static ldns_status | static ldns_status | ||||
ldns_dane_pkix_validate_and_get_chain(STACK_OF(X509)** chain, X509* cert, | ldns_dane_pkix_validate_and_get_chain(STACK_OF(X509)** chain, X509* cert, | ||||
STACK_OF(X509)* extra_certs, X509_STORE* store) | STACK_OF(X509)* extra_certs, X509_STORE* store) | ||||
{ | { | ||||
ldns_status s; | ldns_status s; | ||||
X509_STORE* empty_store = NULL; | X509_STORE* empty_store = NULL; | ||||
▲ Show 20 Lines • Show All 431 Lines • ▼ Show 20 Lines | #if defined(USE_DANE_TA_USAGE) | ||||
* | * | ||||
* OpenSSL does not provide offline dane verification. The dane unit | * OpenSSL does not provide offline dane verification. The dane unit | ||||
* tests within openssl use the undocumented SSL_get0_dane() and | * tests within openssl use the undocumented SSL_get0_dane() and | ||||
* X509_STORE_CTX_set0_dane() to convey dane parameters set on SSL and | * X509_STORE_CTX_set0_dane() to convey dane parameters set on SSL and | ||||
* SSL_CTX to a X509_STORE_CTX that can be used to do offline | * SSL_CTX to a X509_STORE_CTX that can be used to do offline | ||||
* verification. We use these undocumented means with the ldns | * verification. We use these undocumented means with the ldns | ||||
* dane function prototypes which did only offline dane verification. | * dane function prototypes which did only offline dane verification. | ||||
*/ | */ | ||||
if (!(ssl_ctx = SSL_CTX_new(TLS_client_method()))) | if (!(ssl_ctx = ldns_dane_new_ssl_context())) | ||||
s = LDNS_STATUS_MEM_ERR; | s = LDNS_STATUS_MEM_ERR; | ||||
else if (SSL_CTX_dane_enable(ssl_ctx) <= 0) | else if (SSL_CTX_dane_enable(ssl_ctx) <= 0) | ||||
s = LDNS_STATUS_SSL_ERR; | s = LDNS_STATUS_SSL_ERR; | ||||
else if (SSL_CTX_dane_set_flags( | else if (SSL_CTX_dane_set_flags( | ||||
ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS), | ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS), | ||||
!(ssl = SSL_new(ssl_ctx))) | !(ssl = SSL_new(ssl_ctx))) | ||||
▲ Show 20 Lines • Show All 183 Lines • ▼ Show 20 Lines | #if defined(USE_DANE_TA_USAGE) | ||||
* | * | ||||
* OpenSSL does not provide offline dane verification. The dane unit | * OpenSSL does not provide offline dane verification. The dane unit | ||||
* tests within openssl use the undocumented SSL_get0_dane() and | * tests within openssl use the undocumented SSL_get0_dane() and | ||||
* X509_STORE_CTX_set0_dane() to convey dane parameters set on SSL and | * X509_STORE_CTX_set0_dane() to convey dane parameters set on SSL and | ||||
* SSL_CTX to a X509_STORE_CTX that can be used to do offline | * SSL_CTX to a X509_STORE_CTX that can be used to do offline | ||||
* verification. We use these undocumented means with the ldns | * verification. We use these undocumented means with the ldns | ||||
* dane function prototypes which did only offline dane verification. | * dane function prototypes which did only offline dane verification. | ||||
*/ | */ | ||||
if (!(ssl_ctx = SSL_CTX_new(TLS_client_method()))) | if (!(ssl_ctx = ldns_dane_new_ssl_context())) | ||||
s = LDNS_STATUS_MEM_ERR; | s = LDNS_STATUS_MEM_ERR; | ||||
else if (SSL_CTX_dane_enable(ssl_ctx) <= 0) | else if (SSL_CTX_dane_enable(ssl_ctx) <= 0) | ||||
s = LDNS_STATUS_SSL_ERR; | s = LDNS_STATUS_SSL_ERR; | ||||
else if (SSL_CTX_dane_set_flags( | else if (SSL_CTX_dane_set_flags( | ||||
ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS), | ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS), | ||||
!(ssl = SSL_new(ssl_ctx))) | !(ssl = SSL_new(ssl_ctx))) | ||||
▲ Show 20 Lines • Show All 89 Lines • Show Last 20 Lines |