1 /* $NetBSD: tls_dane.c,v 1.4 2022/10/08 16:12:50 christos Exp $ */ 2 3 /*++ 4 /* NAME 5 /* tls_dane 3 6 /* SUMMARY 7 /* Support for RFC 6698, 7671, 7672 (DANE) certificate matching 8 /* SYNOPSIS 9 /* #include <tls.h> 10 /* 11 /* void tls_dane_loglevel(log_param, log_level); 12 /* const char *log_param; 13 /* const char *log_level; 14 /* 15 /* int tls_dane_avail() 16 /* 17 /* void tls_dane_flush() 18 /* 19 /* TLS_DANE *tls_dane_alloc() 20 /* 21 /* void tls_tlsa_free(tlsa) 22 /* TLS_TLSA *tlsa; 23 /* 24 /* void tls_dane_free(dane) 25 /* TLS_DANE *dane; 26 /* 27 /* void tls_dane_add_fpt_digests(dane, digest, delim, smtp_mode) 28 /* TLS_DANE *dane; 29 /* const char *digest; 30 /* const char *delim; 31 /* int smtp_mode; 32 /* 33 /* TLS_TLSA *tlsa_prepend(tlsa, usage, selector, mtype, data, len) 34 /* TLS_TLSA *tlsa; 35 /* uint8_t usage; 36 /* uint8_t selector; 37 /* uint8_t mtype; 38 /* const unsigned char *data; 39 /* uint16_t length; 40 /* 41 /* int tls_dane_load_trustfile(dane, tafile) 42 /* TLS_DANE *dane; 43 /* const char *tafile; 44 /* 45 /* TLS_DANE *tls_dane_resolve(port, proto, hostrr, forcetlsa) 46 /* unsigned port; 47 /* const char *proto; 48 /* DNS_RR *hostrr; 49 /* int forcetlsa; 50 /* 51 /* void tls_dane_digest_init(ctx, fpt_alg) 52 /* SSL_CTX *ctx; 53 /* const EVP_MD *fpt_alg; 54 /* 55 /* void tls_dane_enable(TLScontext) 56 /* TLS_SESS_STATE *TLScontext; 57 /* 58 /* void tls_dane_log(TLScontext) 59 /* TLS_SESS_STATE *TLScontext; 60 /* 61 /* int tls_dane_unusable(dane) 62 /* const TLS_DANE *dane; 63 /* 64 /* int tls_dane_notfound(dane) 65 /* const TLS_DANE *dane; 66 /* DESCRIPTION 67 /* tls_dane_loglevel() allows the policy lookup functions in the DANE 68 /* library to examine the application's TLS loglevel in and possibly 69 /* produce a more detailed activity log. 70 /* 71 /* tls_dane_avail() returns true if the features required to support DANE 72 /* are present in libresolv. 73 /* 74 /* tls_dane_flush() flushes all entries from the cache, and deletes 75 /* the cache. 76 /* 77 /* tls_dane_alloc() returns a pointer to a newly allocated TLS_DANE 78 /* structure with null ta and ee digest sublists. 79 /* 80 /* tls_tlsa_free() frees a TLSA record linked list. 81 /* 82 /* tls_dane_free() frees the structure allocated by tls_dane_alloc(). 83 /* 84 /* tls_dane_digest_init() configures OpenSSL to support the configured 85 /* DANE TLSA digests and private-use fingerprint digest. 86 /* 87 /* tlsa_prepend() prepends a TLSA record to the head of a linked list 88 /* which may be null when the list is empty. The result value is the 89 /* new list head. 90 /* 91 /* tls_dane_add_fpt_digests() splits "digest" using the characters in 92 /* "delim" as delimiters and generates corresponding synthetic DANE TLSA 93 /* records with matching type 255 (private-use), which we associated with 94 /* the configured fingerprint digest algorithm. This is an incremental 95 /* interface, that builds a TLS_DANE structure outside the cache by 96 /* manually adding entries. 97 /* 98 /* tls_dane_load_trustfile() imports trust-anchor certificates and 99 /* public keys from a file (rather than DNS TLSA records). 100 /* 101 /* tls_dane_resolve() maps a (port, protocol, hostrr) tuple to a 102 /* corresponding TLS_DANE policy structure found in the DNS. The port 103 /* argument is in network byte order. A null pointer is returned when 104 /* the DNS query for the TLSA record tempfailed. In all other cases the 105 /* return value is a pointer to the corresponding TLS_DANE structure. 106 /* The caller must free the structure via tls_dane_free(). 107 /* 108 /* tls_dane_enable() enables DANE-style certificate checks for connections 109 /* that are configured with TLSA records. The TLSA records may be from 110 /* DNS (at the "dane", "dane-only" and "half-dane" security levels), or be 111 /* synthetic in support of either the "fingerprint" level or local trust 112 /* anchor based validation with the "secure" and "verify" levels. The 113 /* return value is the number of "usable" TLSA records loaded, or negative 114 /* if a record failed to load due to an internal OpenSSL problems, rather 115 /* than an issue with the record making that record "unusable". 116 /* 117 /* tls_dane_log() logs successful verification via DNS-based or 118 /* synthetic DANE TLSA RRs (fingerprint or "tafile"). 119 /* 120 /* tls_dane_unusable() checks whether a cached TLS_DANE record is 121 /* the result of a validated RRset, with no usable elements. In 122 /* this case, TLS is mandatory, but certificate verification is 123 /* not DANE-based. 124 /* 125 /* tls_dane_notfound() checks whether a cached TLS_DANE record is 126 /* the result of a validated DNS lookup returning NODATA. In 127 /* this case, TLS is not required by RFC, though users may elect 128 /* a mandatory TLS fallback policy. 129 /* 130 /* Arguments: 131 /* .IP ctx 132 /* SSL context to be configured with the chosen digest algorithms. 133 /* .IP fpt_alg 134 /* The OpenSSL EVP digest algorithm handle for the fingerprint digest. 135 /* .IP tlsa 136 /* TLSA record linked list head, initially NULL. 137 /* .IP usage 138 /* DANE TLSA certificate usage field. 139 /* .IP selector 140 /* DANE TLSA selector field. 141 /* .IP mtype 142 /* DANE TLSA matching type field 143 /* .IP data 144 /* DANE TLSA associated data field (raw binary form), copied for internal 145 /* use. The caller is responsible for freeing his own copy. 146 /* .IP length 147 /* Length of DANE TLSA associated DATA field. 148 /* .IP dane 149 /* Pointer to a TLS_DANE structure that lists the valid trust-anchor 150 /* and end-entity full-certificate and/or public-key digests. 151 /* .IP port 152 /* The TCP port in network byte order. 153 /* .IP proto 154 /* Almost certainly "tcp". 155 /* .IP hostrr 156 /* DNS_RR pointer to TLSA base domain data. 157 /* .IP forcetlsa 158 /* When true, TLSA lookups are performed even when the qname and rname 159 /* are insecure. This is only useful in the unlikely case that DLV is 160 /* used to secure the TLSA RRset in an otherwise insecure zone. 161 /* .IP log_param 162 /* The TLS log level parameter name whose value is the log_level argument. 163 /* .IP log_level 164 /* The application TLS log level, which may affect dane lookup verbosity. 165 /* .IP digest 166 /* The digest (or list of digests concatenated with characters from 167 /* "delim") to be added to the TLS_DANE record. 168 /* .IP delim 169 /* The set of delimiter characters used above. 170 /* .IP smtp_mode 171 /* Is the caller an SMTP client or an LMTP client? 172 /* .IP tafile; 173 /* A file with trust anchor certificates or public keys in PEM format. 174 /* LICENSE 175 /* .ad 176 /* .fi 177 /* This software is free. You can do with it whatever you want. 178 /* The original author kindly requests that you acknowledge 179 /* the use of his software. 180 /* AUTHOR(S) 181 /* Wietse Venema 182 /* IBM T.J. Watson Research 183 /* P.O. Box 704 184 /* Yorktown Heights, NY 10598, USA 185 /* 186 /* Wietse Venema 187 /* Google, Inc. 188 /* 111 8th Avenue 189 /* New York, NY 10011, USA 190 /* 191 /* Viktor Dukhovni 192 /*--*/ 193 194 /* System library. */ 195 196 #include <sys_defs.h> 197 #include <ctype.h> 198 199 #ifdef STRCASECMP_IN_STRINGS_H 200 #include <strings.h> 201 #endif 202 203 #ifdef USE_TLS 204 #include <string.h> 205 206 /* Utility library. */ 207 208 #include <msg.h> 209 #include <mymalloc.h> 210 #include <stringops.h> 211 #include <midna_domain.h> 212 #include <vstring.h> 213 #include <events.h> /* event_time() */ 214 #include <timecmp.h> 215 #include <ctable.h> 216 #include <hex_code.h> 217 #include <safe_ultostr.h> 218 #include <split_at.h> 219 #include <name_code.h> 220 221 #define STR(x) vstring_str(x) 222 223 /* Global library */ 224 225 #include <mail_params.h> 226 227 /* DNS library. */ 228 229 #include <dns.h> 230 231 /* TLS library. */ 232 233 #define TLS_INTERNAL 234 #include <tls.h> 235 236 /* Application-specific. */ 237 238 #undef DANE_TLSA_SUPPORT 239 240 #if RES_USE_DNSSEC && RES_USE_EDNS0 241 #define DANE_TLSA_SUPPORT 242 static int dane_tlsa_support = 1; 243 244 #else 245 static int dane_tlsa_support = 0; 246 247 #endif 248 249 /* 250 * A NULL alg field disables the algorithm at the codepoint passed to the 251 * SSL_CTX_dane_mtype_set(3) function. The ordinals are used for digest 252 * agility, higher is "better" (presumed stronger). 253 */ 254 typedef struct dane_mtype { 255 const EVP_MD *alg; 256 uint8_t ord; 257 } dane_mtype; 258 259 /* 260 * This is not intended to be a long-term cache of pre-parsed TLSA data, 261 * rather we primarily want to avoid fetching and parsing the TLSA records 262 * for a single multi-homed MX host more than once per delivery. Therefore, 263 * we keep the table reasonably small. 264 */ 265 #define CACHE_SIZE 20 266 static CTABLE *dane_cache; 267 268 static int log_mask; 269 270 /* tls_dane_logmask - configure policy lookup logging */ 271 272 void tls_dane_loglevel(const char *log_param, const char *log_level) 273 { 274 log_mask = tls_log_mask(log_param, log_level); 275 } 276 277 /* tls_dane_avail - check for availability of dane required digests */ 278 279 int tls_dane_avail(void) 280 { 281 return (dane_tlsa_support); 282 } 283 284 /* tls_dane_alloc - allocate a TLS_DANE structure */ 285 286 TLS_DANE *tls_dane_alloc(void) 287 { 288 TLS_DANE *dane = (TLS_DANE *) mymalloc(sizeof(*dane)); 289 290 dane->tlsa = 0; 291 dane->base_domain = 0; 292 dane->flags = 0; 293 dane->expires = 0; 294 dane->refs = 1; 295 return (dane); 296 } 297 298 /* tls_tlsa_free - free a TLSA RR linked list */ 299 300 void tls_tlsa_free(TLS_TLSA *tlsa) 301 { 302 TLS_TLSA *next; 303 304 for (; tlsa; tlsa = next) { 305 next = tlsa->next; 306 myfree(tlsa->data); 307 myfree(tlsa); 308 } 309 } 310 311 /* tls_dane_free - free a TLS_DANE structure */ 312 313 void tls_dane_free(TLS_DANE *dane) 314 { 315 if (--dane->refs > 0) 316 return; 317 if (dane->base_domain) 318 myfree(dane->base_domain); 319 if (dane->tlsa) 320 tls_tlsa_free(dane->tlsa); 321 myfree((void *) dane); 322 } 323 324 /* tlsa_prepend - Prepend internal-form TLSA record to the RRset linked list */ 325 326 TLS_TLSA *tlsa_prepend(TLS_TLSA *tlsa, uint8_t usage, uint8_t selector, 327 uint8_t mtype, const unsigned char *data, 328 uint16_t data_len) 329 { 330 TLS_TLSA *head; 331 332 head = (TLS_TLSA *) mymalloc(sizeof(*head)); 333 head->usage = usage; 334 head->selector = selector; 335 head->mtype = mtype; 336 head->length = data_len; 337 head->data = (unsigned char *) mymemdup(data, data_len); 338 head->next = tlsa; 339 return (head); 340 } 341 342 #define MAX_HEAD_BYTES 32 343 #define MAX_TAIL_BYTES 32 344 #define MAX_DUMP_BYTES (MAX_HEAD_BYTES + MAX_TAIL_BYTES) 345 346 /* tlsa_info - log import of a particular TLSA record */ 347 348 static void tlsa_info(const char *tag, const char *msg, 349 uint8_t u, uint8_t s, uint8_t m, 350 const unsigned char *data, ssize_t dlen) 351 { 352 static VSTRING *top; 353 static VSTRING *bot; 354 355 if (top == 0) 356 top = vstring_alloc(2 * MAX_HEAD_BYTES); 357 if (bot == 0) 358 bot = vstring_alloc(2 * MAX_TAIL_BYTES); 359 360 if (dlen > MAX_DUMP_BYTES) { 361 hex_encode(top, (char *) data, MAX_HEAD_BYTES); 362 hex_encode(bot, (char *) data + dlen - MAX_TAIL_BYTES, MAX_TAIL_BYTES); 363 } else if (dlen > 0) { 364 hex_encode(top, (char *) data, dlen); 365 } else { 366 vstring_sprintf(top, "..."); 367 } 368 369 msg_info("%s: %s: %u %u %u %s%s%s", tag, msg, u, s, m, STR(top), 370 dlen > MAX_DUMP_BYTES ? "..." : "", 371 dlen > MAX_DUMP_BYTES ? STR(bot) : ""); 372 } 373 374 /* tlsa_carp - carp about a particular TLSA record */ 375 376 static void tlsa_carp(const char *s1, const char *s2, const char *s3, 377 const char *s4, uint8_t u, uint8_t s, uint8_t m, 378 const unsigned char *data, ssize_t dlen) 379 { 380 static VSTRING *top; 381 static VSTRING *bot; 382 383 if (top == 0) 384 top = vstring_alloc(2 * MAX_HEAD_BYTES); 385 if (bot == 0) 386 bot = vstring_alloc(2 * MAX_TAIL_BYTES); 387 388 if (dlen > MAX_DUMP_BYTES) { 389 hex_encode(top, (char *) data, MAX_HEAD_BYTES); 390 hex_encode(bot, (char *) data + dlen - MAX_TAIL_BYTES, MAX_TAIL_BYTES); 391 } else if (dlen > 0) { 392 hex_encode(top, (char *) data, dlen); 393 } else { 394 vstring_sprintf(top, "..."); 395 } 396 397 msg_warn("%s%s%s %s: %u %u %u %s%s%s", s1, s2, s3, s4, u, s, m, STR(top), 398 dlen > MAX_DUMP_BYTES ? "..." : "", 399 dlen > MAX_DUMP_BYTES ? STR(bot) : ""); 400 } 401 402 /* tls_dane_flush - flush the cache */ 403 404 void tls_dane_flush(void) 405 { 406 if (dane_cache) 407 ctable_free(dane_cache); 408 dane_cache = 0; 409 } 410 411 /* dane_free - ctable style */ 412 413 static void dane_free(void *dane, void *unused_context) 414 { 415 tls_dane_free((TLS_DANE *) dane); 416 } 417 418 /* tls_dane_add_fpt_digests - map fingerprint list to DANE TLSA RRset */ 419 420 void tls_dane_add_fpt_digests(TLS_DANE *dane, const char *digest, 421 const char *delim, int smtp_mode) 422 { 423 ARGV *values = argv_split(digest, delim); 424 ssize_t i; 425 426 if (smtp_mode) { 427 if (warn_compat_break_smtp_tls_fpt_dgst) 428 msg_info("using backwards-compatible default setting " 429 VAR_SMTP_TLS_FPT_DGST "=md5 to compute certificate " 430 "fingerprints"); 431 } else { 432 if (warn_compat_break_lmtp_tls_fpt_dgst) 433 msg_info("using backwards-compatible default setting " 434 VAR_LMTP_TLS_FPT_DGST "=md5 to compute certificate " 435 "fingerprints"); 436 } 437 438 for (i = 0; i < values->argc; ++i) { 439 const char *cp = values->argv[i]; 440 size_t ilen = strlen(cp); 441 VSTRING *raw; 442 443 /* 444 * Decode optionally colon-separated hex-encoded string, the input 445 * value requires at most 3 bytes per byte of payload, which must not 446 * exceed the size of the widest supported hash function. 447 */ 448 if (ilen > 3 * EVP_MAX_MD_SIZE) { 449 msg_warn("malformed fingerprint value: %.100s...", 450 values->argv[i]); 451 continue; 452 } 453 raw = vstring_alloc(ilen / 2); 454 if (hex_decode_opt(raw, cp, ilen, HEX_DECODE_FLAG_ALLOW_COLON) == 0) { 455 myfree(raw); 456 msg_warn("malformed fingerprint value: %.384s", values->argv[i]); 457 continue; 458 } 459 460 /* 461 * At the "fingerprint" security level certificate digests and public 462 * key digests are interchangeable. Each leaf certificate is matched 463 * via either the public key digest or full certificate digest. The 464 * DER encoding of a certificate is not a valid public key, and 465 * conversely, the DER encoding of a public key is not a valid 466 * certificate. An attacker would need a 2nd-preimage that is 467 * feasible across types (given cert digest == some pkey digest) and 468 * yet presumably difficult within a type (e.g. given cert digest == 469 * some other cert digest). No such attacks are known at this time, 470 * and it is expected that if any are found they would work within as 471 * well as across the cert/pkey data types. 472 * 473 * The private-use matching type "255" is mapped to the configured 474 * fingerprint digest, which may (harmlessly) coincide with one of 475 * the standard DANE digest algorithms. The private code point is 476 * however unconditionally enabled. 477 */ 478 if (log_mask & (TLS_LOG_VERBOSE | TLS_LOG_DANE)) 479 tlsa_info("fingerprint", "digest as private-use TLSA record", 480 3, 0, 255, (unsigned char *) STR(raw), VSTRING_LEN(raw)); 481 dane->tlsa = tlsa_prepend(dane->tlsa, 3, 0, 255, 482 (unsigned char *) STR(raw), VSTRING_LEN(raw)); 483 dane->tlsa = tlsa_prepend(dane->tlsa, 3, 1, 255, 484 (unsigned char *) STR(raw), VSTRING_LEN(raw)); 485 vstring_free(raw); 486 } 487 argv_free(values); 488 } 489 490 /* parse_tlsa_rr - parse a validated TLSA RRset */ 491 492 static int parse_tlsa_rr(TLS_DANE *dane, DNS_RR *rr) 493 { 494 const uint8_t *ip; 495 uint8_t usage; 496 uint8_t selector; 497 uint8_t mtype; 498 ssize_t dlen; 499 unsigned const char *data; 500 int iscname = strcasecmp(rr->rname, rr->qname); 501 const char *q = iscname ? rr->qname : ""; 502 const char *a = iscname ? " -> " : ""; 503 const char *r = rr->rname; 504 505 if (rr->type != T_TLSA) 506 msg_panic("%s%s%s: unexpected non-TLSA RR type: %u", 507 q, a, r, rr->type); 508 509 /* Drop truncated records */ 510 if ((dlen = rr->data_len - 3) < 0) { 511 msg_warn("%s%s%s: truncated TLSA RR length == %u", 512 q, a, r, (unsigned) rr->data_len); 513 return (0); 514 } 515 ip = (const uint8_t *) rr->data; 516 usage = *ip++; 517 selector = *ip++; 518 mtype = *ip++; 519 data = (const unsigned char *) ip; 520 521 /*- 522 * Drop unsupported usages. 523 * Note: NO SUPPORT for usages 0/1 which do not apply to SMTP. 524 */ 525 switch (usage) { 526 case DNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION: 527 case DNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE: 528 break; 529 default: 530 tlsa_carp(q, a, r, "unsupported TLSA certificate usage", 531 usage, selector, mtype, data, dlen); 532 return (0); 533 } 534 535 /* 536 * Drop private-use matching type, reserved for fingerprint matching. 537 */ 538 if (mtype == 255) { 539 tlsa_carp(q, a, r, "reserved private-use matching type", 540 usage, selector, mtype, data, dlen); 541 return (0); 542 } 543 if (log_mask & (TLS_LOG_VERBOSE | TLS_LOG_DANE)) 544 tlsa_info("DNSSEC-signed TLSA record", r, 545 usage, selector, mtype, data, dlen); 546 dane->tlsa = tlsa_prepend(dane->tlsa, usage, selector, mtype, data, dlen); 547 return (1); 548 } 549 550 /* dane_lookup - TLSA record lookup, ctable style */ 551 552 static void *dane_lookup(const char *tlsa_fqdn, void *unused_ctx) 553 { 554 static VSTRING *why = 0; 555 DNS_RR *rrs = 0; 556 DNS_RR *rr; 557 TLS_DANE *dane = tls_dane_alloc(); 558 int ret; 559 560 if (why == 0) 561 why = vstring_alloc(10); 562 563 ret = dns_lookup(tlsa_fqdn, T_TLSA, RES_USE_DNSSEC, &rrs, 0, why); 564 565 switch (ret) { 566 case DNS_OK: 567 if (TLS_DANE_CACHE_TTL_MIN && rrs->ttl < TLS_DANE_CACHE_TTL_MIN) 568 rrs->ttl = TLS_DANE_CACHE_TTL_MIN; 569 if (TLS_DANE_CACHE_TTL_MAX && rrs->ttl > TLS_DANE_CACHE_TTL_MAX) 570 rrs->ttl = TLS_DANE_CACHE_TTL_MAX; 571 572 /* One more second to account for discrete time */ 573 dane->expires = 1 + event_time() + rrs->ttl; 574 575 if (rrs->dnssec_valid) { 576 int n = 0; 577 578 for (rr = rrs; rr != 0; rr = rr->next) 579 n += parse_tlsa_rr(dane, rr); 580 if (n == 0) 581 dane->flags |= TLS_DANE_FLAG_EMPTY; 582 } else 583 dane->flags |= TLS_DANE_FLAG_NORRS; 584 585 if (rrs) 586 dns_rr_free(rrs); 587 break; 588 589 case DNS_NOTFOUND: 590 dane->flags |= TLS_DANE_FLAG_NORRS; 591 dane->expires = 1 + event_time() + TLS_DANE_CACHE_TTL_MIN; 592 break; 593 594 default: 595 msg_warn("DANE TLSA lookup problem: %s", STR(why)); 596 dane->flags |= TLS_DANE_FLAG_ERROR; 597 break; 598 } 599 600 return (void *) dane; 601 } 602 603 /* resolve_host - resolve TLSA RRs for hostname (rname or qname) */ 604 605 static TLS_DANE *resolve_host(const char *host, const char *proto, 606 unsigned port) 607 { 608 static VSTRING *query_domain; 609 TLS_DANE *dane; 610 611 if (query_domain == 0) 612 query_domain = vstring_alloc(64); 613 614 vstring_sprintf(query_domain, "_%u._%s.%s", ntohs(port), proto, host); 615 dane = (TLS_DANE *) ctable_locate(dane_cache, STR(query_domain)); 616 if (timecmp(event_time(), dane->expires) > 0) 617 dane = (TLS_DANE *) ctable_refresh(dane_cache, STR(query_domain)); 618 if (dane->base_domain == 0) 619 dane->base_domain = mystrdup(host); 620 /* Increment ref-count of cached entry */ 621 ++dane->refs; 622 return (dane); 623 } 624 625 /* qname_secure - Lookup qname DNSSEC status */ 626 627 static int qname_secure(const char *qname) 628 { 629 static VSTRING *why; 630 int ret = 0; 631 DNS_RR *rrs; 632 633 if (!why) 634 why = vstring_alloc(10); 635 636 /* 637 * We assume that qname is already an fqdn, and does not need any 638 * suffixes from RES_DEFNAME or RES_DNSRCH. This is typically the name 639 * of an MX host, and must be a complete DNS name. DANE initialization 640 * code in the SMTP client is responsible for checking that the default 641 * resolver flags do not include RES_DEFNAME and RES_DNSRCH. 642 */ 643 ret = dns_lookup(qname, T_CNAME, RES_USE_DNSSEC, &rrs, 0, why); 644 if (ret == DNS_OK) { 645 ret = rrs->dnssec_valid; 646 dns_rr_free(rrs); 647 return (ret); 648 } 649 if (ret == DNS_NOTFOUND) 650 vstring_sprintf(why, "no longer a CNAME"); 651 msg_warn("DNSSEC status lookup error for %s: %s", qname, STR(why)); 652 return (-1); 653 } 654 655 /* tls_dane_resolve - cached map: (name, proto, port) -> TLS_DANE */ 656 657 TLS_DANE *tls_dane_resolve(unsigned port, const char *proto, DNS_RR *hostrr, 658 int forcetlsa) 659 { 660 TLS_DANE *dane = 0; 661 int iscname = strcasecmp(hostrr->rname, hostrr->qname); 662 int isvalid = 1; 663 664 if (!tls_dane_avail()) 665 return (0); /* Error */ 666 667 /* 668 * By default suppress TLSA lookups for hosts in non-DNSSEC zones. If 669 * the host zone is not DNSSEC validated, the TLSA qname sub-domain is 670 * safely assumed to not be in a DNSSEC Look-aside Validation child zone. 671 */ 672 if (!forcetlsa && !hostrr->dnssec_valid) { 673 isvalid = iscname ? qname_secure(hostrr->qname) : 0; 674 if (isvalid < 0) 675 return (0); /* Error */ 676 } 677 if (!isvalid) { 678 dane = tls_dane_alloc(); 679 dane->flags = TLS_DANE_FLAG_NORRS; 680 } else { 681 if (!dane_cache) 682 dane_cache = ctable_create(CACHE_SIZE, dane_lookup, dane_free, 0); 683 684 /* 685 * Try the rname first if secure, if nothing there, try the qname if 686 * different. Note, lookup errors are distinct from success with 687 * nothing found. If the rname lookup fails we don't try the qname. 688 */ 689 if (hostrr->dnssec_valid) { 690 dane = resolve_host(hostrr->rname, proto, port); 691 if (tls_dane_notfound(dane) && iscname) { 692 tls_dane_free(dane); 693 dane = 0; 694 } 695 } 696 if (!dane) 697 dane = resolve_host(hostrr->qname, proto, port); 698 if (dane->flags & TLS_DANE_FLAG_ERROR) { 699 /* We don't return this object. */ 700 tls_dane_free(dane); 701 dane = 0; 702 } 703 } 704 705 return (dane); 706 } 707 708 /* tls_dane_load_trustfile - load trust anchor certs or keys from file */ 709 710 int tls_dane_load_trustfile(TLS_DANE *dane, const char *tafile) 711 { 712 BIO *bp; 713 char *name = 0; 714 char *header = 0; 715 unsigned char *data = 0; 716 long len; 717 int tacount; 718 char *errtype = 0; /* if error: cert or pkey? */ 719 720 /* nop */ 721 if (tafile == 0 || *tafile == 0) 722 return (1); 723 724 /* 725 * On each call, PEM_read() wraps a stdio file in a BIO_NOCLOSE bio, 726 * calls PEM_read_bio() and then frees the bio. It is just as easy to 727 * open a BIO as a stdio file, so we use BIOs and call PEM_read_bio() 728 * directly. 729 */ 730 if ((bp = BIO_new_file(tafile, "r")) == NULL) { 731 msg_warn("error opening trust anchor file: %s: %m", tafile); 732 return (0); 733 } 734 /* Don't report old news */ 735 ERR_clear_error(); 736 737 /* 738 * OpenSSL implements DANE strictly, with DANE-TA(2) only matching issuer 739 * certificates, and never the leaf cert. We also allow the 740 * trust-anchors to directly match the leaf certificate or public key. 741 */ 742 for (tacount = 0; 743 errtype == 0 && PEM_read_bio(bp, &name, &header, &data, &len); 744 ++tacount) { 745 uint8_t daneta = DNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION; 746 uint8_t daneee = DNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE; 747 uint8_t mtype = DNS_TLSA_MATCHING_TYPE_NO_HASH_USED; 748 749 if (strcmp(name, PEM_STRING_X509) == 0 750 || strcmp(name, PEM_STRING_X509_OLD) == 0) { 751 uint8_t selector = DNS_TLSA_SELECTOR_FULL_CERTIFICATE; 752 753 if (log_mask & (TLS_LOG_VERBOSE | TLS_LOG_DANE)) 754 tlsa_info("TA cert as TLSA record", tafile, 755 daneta, selector, mtype, data, len); 756 dane->tlsa = 757 tlsa_prepend(dane->tlsa, daneta, selector, mtype, data, len); 758 dane->tlsa = 759 tlsa_prepend(dane->tlsa, daneee, selector, mtype, data, len); 760 } else if (strcmp(name, PEM_STRING_PUBLIC) == 0) { 761 uint8_t selector = DNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO; 762 763 if (log_mask & (TLS_LOG_VERBOSE | TLS_LOG_DANE)) 764 tlsa_info("TA pkey as TLSA record", tafile, 765 daneta, selector, mtype, data, len); 766 dane->tlsa = 767 tlsa_prepend(dane->tlsa, daneta, selector, mtype, data, len); 768 dane->tlsa = tlsa_prepend(dane->tlsa, daneee, selector, mtype, data, len); 769 } 770 771 /* 772 * If any of these were null, PEM_read() would have failed. 773 */ 774 OPENSSL_free(name); 775 OPENSSL_free(header); 776 OPENSSL_free(data); 777 } 778 BIO_free(bp); 779 780 if (errtype) { 781 tls_print_errors(); 782 msg_warn("error reading: %s: malformed trust-anchor %s", 783 tafile, errtype); 784 return (0); 785 } 786 if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) { 787 /* Reached end of PEM file */ 788 ERR_clear_error(); 789 return (tacount > 0); 790 } 791 /* Some other PEM read error */ 792 tls_print_errors(); 793 return (0); 794 } 795 796 int tls_dane_enable(TLS_SESS_STATE *TLScontext) 797 { 798 const TLS_DANE *dane = TLScontext->dane; 799 TLS_TLSA *tp; 800 SSL *ssl = TLScontext->con; 801 int usable = 0; 802 int ret; 803 804 for (tp = dane->tlsa; tp != 0; tp = tp->next) { 805 ret = SSL_dane_tlsa_add(ssl, tp->usage, tp->selector, 806 tp->mtype, tp->data, tp->length); 807 if (ret > 0) { 808 ++usable; 809 continue; 810 } 811 if (ret == 0) { 812 tlsa_carp(TLScontext->namaddr, ":", "", "unusable TLSA RR", 813 tp->usage, tp->selector, tp->mtype, tp->data, 814 tp->length); 815 continue; 816 } 817 /* Internal problem in OpenSSL */ 818 tlsa_carp(TLScontext->namaddr, ":", "", "error loading trust settings", 819 tp->usage, tp->selector, tp->mtype, tp->data, tp->length); 820 tls_print_errors(); 821 return (-1); 822 } 823 return (usable); 824 } 825 826 /* tls_dane_digest_init - configure supported DANE digests */ 827 828 void tls_dane_digest_init(SSL_CTX *ctx, const EVP_MD * fpt_alg) 829 { 830 dane_mtype mtypes[256]; 831 char *cp; 832 char *save; 833 char *algname; 834 uint8_t m; 835 uint8_t ord = 0; 836 uint8_t maxtype; 837 838 memset((char *) mtypes, 0, sizeof(mtypes)); 839 840 /* 841 * The DANE SHA2-256(1) and SHA2-512(2) algorithms are disabled, unless 842 * explicitly enabled. Other codepoints can be disabled explicitly by 843 * giving them an empty digest name, which also implicitly disables all 844 * smaller codepoints that are not explicitly assigned. 845 * 846 * We reserve the private-use code point (255) for use with fingerprint 847 * matching. It MUST NOT be accepted in DNS replies. 848 */ 849 mtypes[1].alg = NULL; 850 mtypes[2].alg = NULL; 851 mtypes[255].alg = fpt_alg; 852 maxtype = 2; 853 854 save = cp = mystrdup(var_tls_dane_digests); 855 while ((algname = mystrtok(&cp, CHARS_COMMA_SP)) != 0) { 856 char *algcode = split_at(algname, '='); 857 int codepoint = -1; 858 859 if (algcode && *algcode) { 860 unsigned long l; 861 char *endcp; 862 863 /* 864 * XXX: safe_strtoul() does not flag empty or white-space only 865 * input. Since we get algcode by splitting white-space/comma 866 * delimited tokens, this is not a problem here. 867 */ 868 l = safe_strtoul(algcode, &endcp, 10); 869 if ((l == 0 && (errno == EINVAL || endcp == algcode)) 870 || l >= 255 || *endcp) { 871 msg_warn("Invalid matching type number in %s: %s=%s", 872 VAR_TLS_DANE_DIGESTS, algname, algcode); 873 continue; 874 } 875 if (l == 0 || l == 255) { 876 msg_warn("Reserved matching type number in %s: %s=%s", 877 VAR_TLS_DANE_DIGESTS, algname, algcode); 878 continue; 879 } 880 codepoint = l; 881 } 882 /* Disable any codepoint gaps */ 883 if (codepoint > maxtype) { 884 while (++maxtype < codepoint) 885 mtypes[codepoint].alg = NULL; 886 maxtype = codepoint; 887 } 888 /* Handle explicitly disabled codepoints */ 889 if (*algname == 0) { 890 /* Skip empty specifiers */ 891 if (codepoint < 0) 892 continue; 893 mtypes[codepoint].alg = NULL; 894 continue; 895 } 896 switch (codepoint) { 897 case -1: 898 if (strcasecmp(algname, LN_sha256) == 0) 899 codepoint = 1; /* SHA2-256(1) */ 900 else if (strcasecmp(algname, LN_sha512) == 0) 901 codepoint = 2; /* SHA2-512(2) */ 902 else { 903 msg_warn("%s: digest algorithm %s needs an explicit number", 904 VAR_TLS_DANE_DIGESTS, algname); 905 continue; 906 } 907 break; 908 case 1: 909 if (strcasecmp(algname, LN_sha256) != 0) { 910 msg_warn("%s: matching type 1 can only be %s", 911 VAR_TLS_DANE_DIGESTS, LN_sha256); 912 continue; 913 } 914 algname = LN_sha256; 915 break; 916 case 2: 917 if (strcasecmp(algname, LN_sha512) != 0) { 918 msg_warn("%s: matching type 2 can only be %s", 919 VAR_TLS_DANE_DIGESTS, LN_sha512); 920 continue; 921 } 922 algname = LN_sha512; 923 break; 924 default: 925 break; 926 } 927 928 if (mtypes[codepoint].ord != 0) { 929 msg_warn("%s: matching type %d specified more than once", 930 VAR_TLS_DANE_DIGESTS, codepoint); 931 continue; 932 } 933 mtypes[codepoint].ord = ++ord; 934 935 if ((mtypes[codepoint].alg = EVP_get_digestbyname(algname)) == 0) { 936 msg_warn("%s: digest algorithm \"%s\"(%d) unknown", 937 VAR_TLS_DANE_DIGESTS, algname, codepoint); 938 continue; 939 } 940 } 941 myfree(save); 942 943 for (m = 1; m != 0; m = m != maxtype ? m + 1 : 255) { 944 945 /* 946 * In OpenSSL higher order ordinals are preferred, but we list the 947 * most preferred algorithms first, so the last ordinal becomes 1, 948 * next-to-last, 2, ... 949 * 950 * The ordinals of non-disabled algorithms are always positive, and the 951 * computed value cannot overflow 254 (the largest possible value of 952 * 'ord' after loading each valid codepoint at most once). 953 */ 954 if (SSL_CTX_dane_mtype_set(ctx, mtypes[m].alg, m, 955 ord - mtypes[m].ord + 1) <= 0) { 956 msg_warn("%s: error configuring matching type %d", 957 VAR_TLS_DANE_DIGESTS, m); 958 tls_print_errors(); 959 } 960 } 961 } 962 963 /* tls_dane_log - log DANE-based verification success */ 964 965 void tls_dane_log(TLS_SESS_STATE *TLScontext) 966 { 967 static VSTRING *top; 968 static VSTRING *bot; 969 EVP_PKEY *mspki = 0; 970 int depth = SSL_get0_dane_authority(TLScontext->con, NULL, &mspki); 971 uint8_t u, s, m; 972 unsigned const char *data; 973 size_t dlen; 974 975 if (depth < 0) 976 return; /* No DANE auth */ 977 978 switch (TLScontext->level) { 979 case TLS_LEV_SECURE: 980 case TLS_LEV_VERIFY: 981 msg_info("%s: Matched trust anchor at depth %d", 982 TLScontext->namaddr, depth); 983 return; 984 } 985 986 if (top == 0) 987 top = vstring_alloc(2 * MAX_HEAD_BYTES); 988 if (bot == 0) 989 bot = vstring_alloc(2 * MAX_TAIL_BYTES); 990 991 (void) SSL_get0_dane_tlsa(TLScontext->con, &u, &s, &m, &data, &dlen); 992 if (dlen > MAX_DUMP_BYTES) { 993 hex_encode(top, (char *) data, MAX_HEAD_BYTES); 994 hex_encode(bot, (char *) data + dlen - MAX_TAIL_BYTES, MAX_TAIL_BYTES); 995 } else { 996 hex_encode(top, (char *) data, dlen); 997 } 998 999 switch (TLScontext->level) { 1000 case TLS_LEV_FPRINT: 1001 msg_info("%s: Matched fingerprint: %s%s%s", TLScontext->namaddr, 1002 STR(top), dlen > MAX_DUMP_BYTES ? "..." : "", 1003 dlen > MAX_DUMP_BYTES ? STR(bot) : ""); 1004 return; 1005 1006 default: 1007 msg_info("%s: Matched DANE %s at depth %d: %u %u %u %s%s%s", 1008 TLScontext->namaddr, mspki ? 1009 "TA public key verified certificate" : depth ? 1010 "TA certificate" : "EE certificate", depth, u, s, m, 1011 STR(top), dlen > MAX_DUMP_BYTES ? "..." : "", 1012 dlen > MAX_DUMP_BYTES ? STR(bot) : ""); 1013 return; 1014 } 1015 } 1016 1017 #ifdef TEST 1018 1019 #include <unistd.h> 1020 #include <stdarg.h> 1021 1022 #include <mail_params.h> 1023 #include <mail_conf.h> 1024 #include <msg_vstream.h> 1025 1026 static int verify_chain(SSL *ssl, x509_stack_t *chain, TLS_SESS_STATE *tctx) 1027 { 1028 int ret; 1029 X509 *cert; 1030 X509_STORE_CTX *store_ctx; 1031 SSL_CTX *ssl_ctx = SSL_get_SSL_CTX(ssl); 1032 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx); 1033 int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx(); 1034 1035 cert = sk_X509_value(chain, 0); 1036 if ((store_ctx = X509_STORE_CTX_new()) == NULL) { 1037 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_MALLOC_FAILURE); 1038 return 0; 1039 } 1040 if (!X509_STORE_CTX_init(store_ctx, store, cert, chain)) { 1041 X509_STORE_CTX_free(store_ctx); 1042 return 0; 1043 } 1044 X509_STORE_CTX_set_ex_data(store_ctx, store_ctx_idx, ssl); 1045 1046 /* We're *verifying* a server chain */ 1047 X509_STORE_CTX_set_default(store_ctx, "ssl_server"); 1048 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx), 1049 SSL_get0_param(ssl)); 1050 X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl)); 1051 1052 ret = X509_verify_cert(store_ctx); 1053 1054 SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(store_ctx)); 1055 X509_STORE_CTX_free(store_ctx); 1056 1057 return (ret); 1058 } 1059 1060 static void load_tlsa_args(SSL *ssl, char *argv[]) 1061 { 1062 const EVP_MD *md = 0; 1063 X509 *cert = 0; 1064 BIO *bp; 1065 unsigned char *buf; 1066 unsigned char *buf2; 1067 int len; 1068 uint8_t u = atoi(argv[1]); 1069 uint8_t s = atoi(argv[2]); 1070 uint8_t m = atoi(argv[3]); 1071 EVP_PKEY *pkey; 1072 1073 /* Unsupported usages are fatal */ 1074 switch (u) { 1075 case DNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION: 1076 case DNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE: 1077 break; 1078 default: 1079 msg_fatal("unsupported certificate usage %u", u); 1080 } 1081 1082 /* Unsupported selectors are fatal */ 1083 switch (s) { 1084 case DNS_TLSA_SELECTOR_FULL_CERTIFICATE: 1085 case DNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO: 1086 break; 1087 default: 1088 msg_fatal("unsupported selector %u", s); 1089 } 1090 1091 /* Unsupported selectors are fatal */ 1092 switch (m) { 1093 case DNS_TLSA_MATCHING_TYPE_NO_HASH_USED: 1094 case DNS_TLSA_MATCHING_TYPE_SHA256: 1095 case DNS_TLSA_MATCHING_TYPE_SHA512: 1096 break; 1097 default: 1098 msg_fatal("unsupported matching type %u", m); 1099 } 1100 1101 if ((bp = BIO_new_file(argv[4], "r")) == NULL) 1102 msg_fatal("error opening %s: %m", argv[4]); 1103 if (!PEM_read_bio_X509(bp, &cert, 0, 0)) { 1104 tls_print_errors(); 1105 msg_fatal("error loading certificate from %s: %m", argv[4]); 1106 } 1107 BIO_free(bp); 1108 1109 /* 1110 * Extract ASN.1 DER form of certificate or public key. 1111 */ 1112 switch (s) { 1113 case DNS_TLSA_SELECTOR_FULL_CERTIFICATE: 1114 len = i2d_X509(cert, NULL); 1115 if (len > 0xffff) 1116 msg_fatal("certificate too long: %d", len); 1117 buf2 = buf = (unsigned char *) mymalloc(len); 1118 i2d_X509(cert, &buf2); 1119 break; 1120 case DNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO: 1121 pkey = X509_get_pubkey(cert); 1122 len = i2d_PUBKEY(pkey, NULL); 1123 if (len > 0xffff) 1124 msg_fatal("public key too long: %d", len); 1125 buf2 = buf = (unsigned char *) mymalloc(len); 1126 i2d_PUBKEY(pkey, &buf2); 1127 EVP_PKEY_free(pkey); 1128 break; 1129 } 1130 X509_free(cert); 1131 OPENSSL_assert(buf2 - buf == len); 1132 1133 switch (m) { 1134 case 0: 1135 break; 1136 case 1: 1137 if ((md = EVP_get_digestbyname(LN_sha256)) == 0) 1138 msg_fatal("Digest %s not found", LN_sha256); 1139 break; 1140 case 2: 1141 if ((md = EVP_get_digestbyname(LN_sha512)) == 0) 1142 msg_fatal("Digest %s not found", LN_sha512); 1143 break; 1144 default: 1145 msg_fatal("Unsupported DANE mtype: %d", m); 1146 } 1147 1148 if (md != 0) { 1149 unsigned char mdbuf[EVP_MAX_MD_SIZE]; 1150 unsigned int mdlen = sizeof(mdbuf); 1151 1152 if (!EVP_Digest(buf, len, mdbuf, &mdlen, md, 0)) 1153 msg_fatal("Digest failure for mtype: %d", m); 1154 myfree(buf); 1155 buf = (unsigned char *) mymemdup(mdbuf, len = mdlen); 1156 } 1157 SSL_dane_tlsa_add(ssl, u, s, m, buf, len); 1158 myfree((void *) buf); 1159 } 1160 1161 static x509_stack_t *load_chain(const char *chainfile) 1162 { 1163 BIO *bp; 1164 char *name = 0; 1165 char *header = 0; 1166 unsigned char *data = 0; 1167 long len; 1168 int count; 1169 char *errtype = 0; /* if error: cert or pkey? */ 1170 x509_stack_t *chain; 1171 typedef X509 *(*d2i_X509_t) (X509 **, const unsigned char **, long); 1172 1173 if ((chain = sk_X509_new_null()) == 0) { 1174 perror("malloc"); 1175 exit(1); 1176 } 1177 1178 /* 1179 * On each call, PEM_read() wraps a stdio file in a BIO_NOCLOSE bio, 1180 * calls PEM_read_bio() and then frees the bio. It is just as easy to 1181 * open a BIO as a stdio file, so we use BIOs and call PEM_read_bio() 1182 * directly. 1183 */ 1184 if ((bp = BIO_new_file(chainfile, "r")) == NULL) { 1185 fprintf(stderr, "error opening chainfile: %s: %m\n", chainfile); 1186 exit(1); 1187 } 1188 /* Don't report old news */ 1189 ERR_clear_error(); 1190 1191 for (count = 0; 1192 errtype == 0 && PEM_read_bio(bp, &name, &header, &data, &len); 1193 ++count) { 1194 const unsigned char *p = data; 1195 1196 if (strcmp(name, PEM_STRING_X509) == 0 1197 || strcmp(name, PEM_STRING_X509_TRUSTED) == 0 1198 || strcmp(name, PEM_STRING_X509_OLD) == 0) { 1199 d2i_X509_t d; 1200 X509 *cert; 1201 1202 d = strcmp(name, PEM_STRING_X509_TRUSTED) ? d2i_X509_AUX : d2i_X509; 1203 if ((cert = d(0, &p, len)) == 0 || (p - data) != len) 1204 errtype = "certificate"; 1205 else if (sk_X509_push(chain, cert) == 0) { 1206 perror("malloc"); 1207 exit(1); 1208 } 1209 } else { 1210 fprintf(stderr, "unexpected chain file object: %s\n", name); 1211 exit(1); 1212 } 1213 1214 /* 1215 * If any of these were null, PEM_read() would have failed. 1216 */ 1217 OPENSSL_free(name); 1218 OPENSSL_free(header); 1219 OPENSSL_free(data); 1220 } 1221 BIO_free(bp); 1222 1223 if (errtype) { 1224 tls_print_errors(); 1225 fprintf(stderr, "error reading: %s: malformed %s", chainfile, errtype); 1226 exit(1); 1227 } 1228 if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) { 1229 /* Reached end of PEM file */ 1230 ERR_clear_error(); 1231 if (count > 0) 1232 return chain; 1233 fprintf(stderr, "no certificates found in: %s\n", chainfile); 1234 exit(1); 1235 } 1236 /* Some other PEM read error */ 1237 tls_print_errors(); 1238 fprintf(stderr, "error reading: %s\n", chainfile); 1239 exit(1); 1240 } 1241 1242 static void usage(const char *progname) 1243 { 1244 fprintf(stderr, "Usage: %s certificate-usage selector matching-type" 1245 " certfile \\\n\t\tCAfile chainfile hostname [certname ...]\n", 1246 progname); 1247 fprintf(stderr, " where, certificate-usage = TLSA certificate usage,\n"); 1248 fprintf(stderr, "\t selector = TLSA selector,\n"); 1249 fprintf(stderr, "\t matching-type = empty string or OpenSSL digest algorithm name,\n"); 1250 fprintf(stderr, "\t PEM certfile provides certificate association data,\n"); 1251 fprintf(stderr, "\t PEM CAfile contains any usage 0/1 trusted roots,\n"); 1252 fprintf(stderr, "\t PEM chainfile = server chain file to verify\n"); 1253 fprintf(stderr, "\t hostname = destination hostname,\n"); 1254 fprintf(stderr, "\t each certname augments the hostname for name checks.\n"); 1255 exit(1); 1256 } 1257 1258 static SSL_CTX *ctx_init(const char *CAfile) 1259 { 1260 SSL_CTX *client_ctx; 1261 1262 tls_param_init(); 1263 tls_check_version(); 1264 1265 if (!tls_validate_digest(LN_sha1)) 1266 msg_fatal("%s digest algorithm not available", LN_sha1); 1267 1268 if (TLScontext_index < 0) 1269 if ((TLScontext_index = SSL_get_ex_new_index(0, 0, 0, 0, 0)) < 0) 1270 msg_fatal("Cannot allocate SSL application data index"); 1271 1272 ERR_clear_error(); 1273 if ((client_ctx = SSL_CTX_new(TLS_client_method())) == 0) 1274 msg_fatal("cannot allocate client SSL_CTX"); 1275 SSL_CTX_set_verify_depth(client_ctx, 5); 1276 1277 /* Enable DANE support in OpenSSL */ 1278 if (SSL_CTX_dane_enable(client_ctx) <= 0) { 1279 tls_print_errors(); 1280 msg_fatal("OpenSSL DANE initialization failed"); 1281 } 1282 if (tls_set_ca_certificate_info(client_ctx, CAfile, "") < 0) { 1283 tls_print_errors(); 1284 msg_fatal("cannot load CAfile: %s", CAfile); 1285 } 1286 SSL_CTX_set_verify(client_ctx, SSL_VERIFY_NONE, 1287 tls_verify_certificate_callback); 1288 return (client_ctx); 1289 } 1290 1291 int main(int argc, char *argv[]) 1292 { 1293 SSL_CTX *ssl_ctx; 1294 const EVP_MD *fpt_alg; 1295 TLS_SESS_STATE *tctx; 1296 x509_stack_t *chain; 1297 int i; 1298 1299 var_procname = mystrdup(basename(argv[0])); 1300 set_mail_conf_str(VAR_PROCNAME, var_procname); 1301 msg_vstream_init(var_procname, VSTREAM_OUT); 1302 1303 if (argc < 8) 1304 usage(argv[0]); 1305 1306 ssl_ctx = ctx_init(argv[5]); 1307 if (!tls_dane_avail()) 1308 msg_fatal("DANE TLSA support not available"); 1309 1310 tctx = tls_alloc_sess_context(TLS_LOG_NONE, argv[7]); 1311 tctx->namaddr = argv[7]; 1312 tctx->mdalg = LN_sha256; 1313 tctx->dane = tls_dane_alloc(); 1314 1315 if ((fpt_alg = tls_validate_digest(tctx->mdalg)) == 0) 1316 msg_fatal("fingerprint digest algorithm %s not found", 1317 tctx->mdalg); 1318 tls_dane_digest_init(ssl_ctx, fpt_alg); 1319 1320 if ((tctx->con = SSL_new(ssl_ctx)) == 0 1321 || !SSL_set_ex_data(tctx->con, TLScontext_index, tctx)) { 1322 tls_print_errors(); 1323 msg_fatal("Error allocating SSL connection"); 1324 } 1325 if (SSL_dane_enable(tctx->con, 0) <= 0) { 1326 tls_print_errors(); 1327 msg_fatal("Error enabling DANE for SSL handle"); 1328 } 1329 SSL_dane_set_flags(tctx->con, DANE_FLAG_NO_DANE_EE_NAMECHECKS); 1330 SSL_dane_set_flags(tctx->con, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); 1331 for (i = 7; i < argc; ++i) 1332 if (!SSL_add1_host(tctx->con, argv[i])) 1333 msg_fatal("error adding hostname: %s", argv[i]); 1334 load_tlsa_args(tctx->con, argv); 1335 SSL_set_connect_state(tctx->con); 1336 1337 /* Verify saved server chain */ 1338 chain = load_chain(argv[6]); 1339 i = verify_chain(tctx->con, chain, tctx); 1340 tls_print_errors(); 1341 1342 if (i > 0) { 1343 const char *peername = SSL_get0_peername(tctx->con); 1344 1345 if (peername == 0) 1346 peername = argv[7]; 1347 msg_info("Verified %s", peername); 1348 } else { 1349 i = SSL_get_verify_result(tctx->con); 1350 msg_info("certificate verification failed for %s:%s: num=%d:%s", 1351 argv[6], argv[7], i, X509_verify_cert_error_string(i)); 1352 } 1353 1354 return (i <= 0); 1355 } 1356 1357 #endif /* TEST */ 1358 1359 #endif /* USE_TLS */ 1360