xref: /freebsd/contrib/ldns/dane.c (revision 006afc9b5c6a74f22ce7bbea4c307a940c52f069)
1 /*
2  * Verify or create TLS authentication with DANE (RFC6698)
3  *
4  * (c) NLnetLabs 2012
5  *
6  * See the file LICENSE for the license.
7  *
8  */
9 
10 #include <ldns/config.h>
11 
12 #include <ldns/ldns.h>
13 #include <ldns/dane.h>
14 
15 #include <unistd.h>
16 #include <stdlib.h>
17 #include <sys/types.h>
18 #include <sys/socket.h>
19 #include <netdb.h>
20 
21 #ifdef HAVE_SSL
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/x509v3.h>
25 #endif
26 
27 ldns_status
28 ldns_dane_create_tlsa_owner(ldns_rdf** tlsa_owner, const ldns_rdf* name,
29 		uint16_t port, ldns_dane_transport transport)
30 {
31 	char buf[LDNS_MAX_DOMAINLEN];
32 	size_t s;
33 
34 	assert(tlsa_owner != NULL);
35 	assert(name != NULL);
36 	assert(ldns_rdf_get_type(name) == LDNS_RDF_TYPE_DNAME);
37 
38 	s = (size_t)snprintf(buf, LDNS_MAX_DOMAINLEN, "X_%d", (int)port);
39 	buf[0] = (char)(s - 1);
40 
41 	switch(transport) {
42 	case LDNS_DANE_TRANSPORT_TCP:
43 		s += snprintf(buf + s, LDNS_MAX_DOMAINLEN - s, "\004_tcp");
44 		break;
45 
46 	case LDNS_DANE_TRANSPORT_UDP:
47 		s += snprintf(buf + s, LDNS_MAX_DOMAINLEN - s, "\004_udp");
48 		break;
49 
50 	case LDNS_DANE_TRANSPORT_SCTP:
51 		s += snprintf(buf + s, LDNS_MAX_DOMAINLEN - s, "\005_sctp");
52 		break;
53 
54 	default:
55 		return LDNS_STATUS_DANE_UNKNOWN_TRANSPORT;
56 	}
57 	if (s + ldns_rdf_size(name) > LDNS_MAX_DOMAINLEN) {
58 		return LDNS_STATUS_DOMAINNAME_OVERFLOW;
59 	}
60 	memcpy(buf + s, ldns_rdf_data(name), ldns_rdf_size(name));
61 	*tlsa_owner = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_DNAME,
62 			s + ldns_rdf_size(name), buf);
63 	if (*tlsa_owner == NULL) {
64 		return LDNS_STATUS_MEM_ERR;
65 	}
66 	return LDNS_STATUS_OK;
67 }
68 
69 
70 #ifdef HAVE_SSL
71 ldns_status
72 ldns_dane_cert2rdf(ldns_rdf** rdf, X509* cert,
73 		ldns_tlsa_selector      selector,
74 		ldns_tlsa_matching_type matching_type)
75 {
76 	unsigned char* buf = NULL;
77 	size_t len;
78 
79 	X509_PUBKEY* xpubkey;
80 	EVP_PKEY* epubkey;
81 
82 	unsigned char* digest;
83 
84 	assert(rdf != NULL);
85 	assert(cert != NULL);
86 
87 	switch(selector) {
88 	case LDNS_TLSA_SELECTOR_FULL_CERTIFICATE:
89 
90 		len = (size_t)i2d_X509(cert, &buf);
91 		break;
92 
93 	case LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO:
94 
95 #ifndef S_SPLINT_S
96 		xpubkey = X509_get_X509_PUBKEY(cert);
97 #endif
98 		if (! xpubkey) {
99 			return LDNS_STATUS_SSL_ERR;
100 		}
101 		epubkey = X509_PUBKEY_get(xpubkey);
102 		if (! epubkey) {
103 			return LDNS_STATUS_SSL_ERR;
104 		}
105 		len = (size_t)i2d_PUBKEY(epubkey, &buf);
106 		break;
107 
108 	default:
109 		return LDNS_STATUS_DANE_UNKNOWN_SELECTOR;
110 	}
111 
112 	switch(matching_type) {
113 	case LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED:
114 
115 		*rdf = ldns_rdf_new(LDNS_RDF_TYPE_HEX, len, buf);
116 
117 		return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
118 		break;
119 
120 	case LDNS_TLSA_MATCHING_TYPE_SHA256:
121 
122 		digest = LDNS_XMALLOC(unsigned char, SHA256_DIGEST_LENGTH);
123 		if (digest == NULL) {
124 			LDNS_FREE(buf);
125 			return LDNS_STATUS_MEM_ERR;
126 		}
127 		(void) ldns_sha256(buf, (unsigned int)len, digest);
128 		*rdf = ldns_rdf_new(LDNS_RDF_TYPE_HEX, SHA256_DIGEST_LENGTH,
129 				digest);
130 		LDNS_FREE(buf);
131 
132 		return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
133 		break;
134 
135 	case LDNS_TLSA_MATCHING_TYPE_SHA512:
136 
137 		digest = LDNS_XMALLOC(unsigned char, SHA512_DIGEST_LENGTH);
138 		if (digest == NULL) {
139 			LDNS_FREE(buf);
140 			return LDNS_STATUS_MEM_ERR;
141 		}
142 		(void) ldns_sha512(buf, (unsigned int)len, digest);
143 		*rdf = ldns_rdf_new(LDNS_RDF_TYPE_HEX, SHA512_DIGEST_LENGTH,
144 				digest);
145 		LDNS_FREE(buf);
146 
147 		return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
148 		break;
149 
150 	default:
151 		LDNS_FREE(buf);
152 		return LDNS_STATUS_DANE_UNKNOWN_MATCHING_TYPE;
153 	}
154 }
155 
156 
157 /* Ordinary PKIX validation of cert (with extra_certs to help)
158  * against the CA's in store
159  */
160 static ldns_status
161 ldns_dane_pkix_validate(X509* cert, STACK_OF(X509)* extra_certs,
162 		X509_STORE* store)
163 {
164 	X509_STORE_CTX* vrfy_ctx;
165 	ldns_status s;
166 
167 	if (! store) {
168 		return LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
169 	}
170 	vrfy_ctx = X509_STORE_CTX_new();
171 	if (! vrfy_ctx) {
172 
173 		return LDNS_STATUS_SSL_ERR;
174 
175 	} else if (X509_STORE_CTX_init(vrfy_ctx, store,
176 				cert, extra_certs) != 1) {
177 		s = LDNS_STATUS_SSL_ERR;
178 
179 	} else if (X509_verify_cert(vrfy_ctx) == 1) {
180 
181 		s = LDNS_STATUS_OK;
182 
183 	} else {
184 		s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
185 	}
186 	X509_STORE_CTX_free(vrfy_ctx);
187 	return s;
188 }
189 
190 
191 /* Orinary PKIX validation of cert (with extra_certs to help)
192  * against the CA's in store, but also return the validation chain.
193  */
194 static ldns_status
195 ldns_dane_pkix_validate_and_get_chain(STACK_OF(X509)** chain, X509* cert,
196 		STACK_OF(X509)* extra_certs, X509_STORE* store)
197 {
198 	ldns_status s;
199 	X509_STORE* empty_store = NULL;
200 	X509_STORE_CTX* vrfy_ctx;
201 
202 	assert(chain != NULL);
203 
204 	if (! store) {
205 		store = empty_store = X509_STORE_new();
206 	}
207 	s = LDNS_STATUS_SSL_ERR;
208 	vrfy_ctx = X509_STORE_CTX_new();
209 	if (! vrfy_ctx) {
210 
211 		goto exit_free_empty_store;
212 
213 	} else if (X509_STORE_CTX_init(vrfy_ctx, store,
214 					cert, extra_certs) != 1) {
215 		goto exit_free_vrfy_ctx;
216 
217 	} else if (X509_verify_cert(vrfy_ctx) == 1) {
218 
219 		s = LDNS_STATUS_OK;
220 
221 	} else {
222 		s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
223 	}
224 	*chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
225 	if (! *chain) {
226 		s = LDNS_STATUS_SSL_ERR;
227 	}
228 
229 exit_free_vrfy_ctx:
230 	X509_STORE_CTX_free(vrfy_ctx);
231 
232 exit_free_empty_store:
233 	if (empty_store) {
234 		X509_STORE_free(empty_store);
235 	}
236 	return s;
237 }
238 
239 
240 /* Return the validation chain that can be build out of cert, with extra_certs.
241  */
242 static ldns_status
243 ldns_dane_pkix_get_chain(STACK_OF(X509)** chain,
244 		X509* cert, STACK_OF(X509)* extra_certs)
245 {
246 	ldns_status s;
247 	X509_STORE* empty_store = NULL;
248 	X509_STORE_CTX* vrfy_ctx;
249 
250 	assert(chain != NULL);
251 
252 	empty_store = X509_STORE_new();
253 	s = LDNS_STATUS_SSL_ERR;
254 	vrfy_ctx = X509_STORE_CTX_new();
255 	if (! vrfy_ctx) {
256 
257 		goto exit_free_empty_store;
258 
259 	} else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
260 					cert, extra_certs) != 1) {
261 		goto exit_free_vrfy_ctx;
262 	}
263 	(void) X509_verify_cert(vrfy_ctx);
264 	*chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
265 	if (! *chain) {
266 		s = LDNS_STATUS_SSL_ERR;
267 	} else {
268 		s = LDNS_STATUS_OK;
269 	}
270 exit_free_vrfy_ctx:
271 	X509_STORE_CTX_free(vrfy_ctx);
272 
273 exit_free_empty_store:
274 	X509_STORE_free(empty_store);
275 	return s;
276 }
277 
278 
279 /* Pop n+1 certs and return the last popped.
280  */
281 static ldns_status
282 ldns_dane_get_nth_cert_from_validation_chain(
283 		X509** cert, STACK_OF(X509)* chain, int n, bool ca)
284 {
285 	if (n >= sk_X509_num(chain) || n < 0) {
286 		return LDNS_STATUS_DANE_OFFSET_OUT_OF_RANGE;
287 	}
288 	*cert = sk_X509_pop(chain);
289 	while (n-- > 0) {
290 		X509_free(*cert);
291 		*cert = sk_X509_pop(chain);
292 	}
293 	if (ca && ! X509_check_ca(*cert)) {
294 		return LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
295 	}
296 	return LDNS_STATUS_OK;
297 }
298 
299 
300 /* Create validation chain with cert and extra_certs and returns the last
301  * self-signed (if present).
302  */
303 static ldns_status
304 ldns_dane_pkix_get_last_self_signed(X509** out_cert,
305 		X509* cert, STACK_OF(X509)* extra_certs)
306 {
307 	ldns_status s;
308 	X509_STORE* empty_store = NULL;
309 	X509_STORE_CTX* vrfy_ctx;
310 
311 	assert(out_cert != NULL);
312 
313 	empty_store = X509_STORE_new();
314 	s = LDNS_STATUS_SSL_ERR;
315 	vrfy_ctx = X509_STORE_CTX_new();
316 	if (! vrfy_ctx) {
317 		goto exit_free_empty_store;
318 
319 	} else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
320 					cert, extra_certs) != 1) {
321 		goto exit_free_vrfy_ctx;
322 
323 	}
324 	(void) X509_verify_cert(vrfy_ctx);
325 	if (vrfy_ctx->error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
326 	    vrfy_ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){
327 
328 		*out_cert = X509_STORE_CTX_get_current_cert( vrfy_ctx);
329 		s = LDNS_STATUS_OK;
330 	} else {
331 		s = LDNS_STATUS_DANE_PKIX_NO_SELF_SIGNED_TRUST_ANCHOR;
332 	}
333 exit_free_vrfy_ctx:
334 	X509_STORE_CTX_free(vrfy_ctx);
335 
336 exit_free_empty_store:
337 	X509_STORE_free(empty_store);
338 	return s;
339 }
340 
341 
342 ldns_status
343 ldns_dane_select_certificate(X509** selected_cert,
344 		X509* cert, STACK_OF(X509)* extra_certs,
345 		X509_STORE* pkix_validation_store,
346 		ldns_tlsa_certificate_usage cert_usage, int offset)
347 {
348 	ldns_status s;
349 	STACK_OF(X509)* pkix_validation_chain = NULL;
350 
351 	assert(selected_cert != NULL);
352 	assert(cert != NULL);
353 
354 	/* With PKIX validation explicitely turned off (pkix_validation_store
355 	 *  == NULL), treat the "CA constraint" and "Service certificate
356 	 * constraint" the same as "Trust anchor assertion" and "Domain issued
357 	 * certificate" respectively.
358 	 */
359 	if (pkix_validation_store == NULL) {
360 		switch (cert_usage) {
361 
362 		case LDNS_TLSA_USAGE_CA_CONSTRAINT:
363 
364 			cert_usage = LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION;
365 			break;
366 
367 		case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
368 
369 			cert_usage = LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE;
370 			break;
371 
372 		default:
373 			break;
374 		}
375 	}
376 
377 	/* Now what to do with each Certificate usage...
378 	 */
379 	switch (cert_usage) {
380 
381 	case LDNS_TLSA_USAGE_CA_CONSTRAINT:
382 
383 		s = ldns_dane_pkix_validate_and_get_chain(
384 				&pkix_validation_chain,
385 				cert, extra_certs,
386 				pkix_validation_store);
387 		if (! pkix_validation_chain) {
388 			return s;
389 		}
390 		if (s == LDNS_STATUS_OK) {
391 			if (offset == -1) {
392 				offset = 0;
393 			}
394 			s = ldns_dane_get_nth_cert_from_validation_chain(
395 					selected_cert, pkix_validation_chain,
396 					offset, true);
397 		}
398 		sk_X509_pop_free(pkix_validation_chain, X509_free);
399 		return s;
400 		break;
401 
402 
403 	case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
404 
405 		*selected_cert = cert;
406 		return ldns_dane_pkix_validate(cert, extra_certs,
407 				pkix_validation_store);
408 		break;
409 
410 
411 	case LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION:
412 
413 		if (offset == -1) {
414 			s = ldns_dane_pkix_get_last_self_signed(
415 					selected_cert, cert, extra_certs);
416 			return s;
417 		} else {
418 			s = ldns_dane_pkix_get_chain(
419 					&pkix_validation_chain,
420 					cert, extra_certs);
421 			if (s == LDNS_STATUS_OK) {
422 				s =
423 				ldns_dane_get_nth_cert_from_validation_chain(
424 					selected_cert, pkix_validation_chain,
425 					offset, false);
426 			} else if (! pkix_validation_chain) {
427 				return s;
428 			}
429 			sk_X509_pop_free(pkix_validation_chain, X509_free);
430 			return s;
431 		}
432 		break;
433 
434 
435 	case LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE:
436 
437 		*selected_cert = cert;
438 		return LDNS_STATUS_OK;
439 		break;
440 
441 	default:
442 		return LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE;
443 		break;
444 	}
445 }
446 
447 
448 ldns_status
449 ldns_dane_create_tlsa_rr(ldns_rr** tlsa,
450 		ldns_tlsa_certificate_usage certificate_usage,
451 		ldns_tlsa_selector          selector,
452 		ldns_tlsa_matching_type     matching_type,
453 		X509* cert)
454 {
455 	ldns_rdf* rdf;
456 	ldns_status s;
457 
458 	assert(tlsa != NULL);
459 	assert(cert != NULL);
460 
461 	/* create rr */
462 	*tlsa = ldns_rr_new_frm_type(LDNS_RR_TYPE_TLSA);
463 	if (*tlsa == NULL) {
464 		return LDNS_STATUS_MEM_ERR;
465 	}
466 
467 	rdf = ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
468 			(uint8_t)certificate_usage);
469 	if (rdf == NULL) {
470 		goto memerror;
471 	}
472 	(void) ldns_rr_set_rdf(*tlsa, rdf, 0);
473 
474 	rdf = ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, (uint8_t)selector);
475 	if (rdf == NULL) {
476 		goto memerror;
477 	}
478 	(void) ldns_rr_set_rdf(*tlsa, rdf, 1);
479 
480 	rdf = ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, (uint8_t)matching_type);
481 	if (rdf == NULL) {
482 		goto memerror;
483 	}
484 	(void) ldns_rr_set_rdf(*tlsa, rdf, 2);
485 
486 	s = ldns_dane_cert2rdf(&rdf, cert, selector, matching_type);
487 	if (s == LDNS_STATUS_OK) {
488 		(void) ldns_rr_set_rdf(*tlsa, rdf, 3);
489 		return LDNS_STATUS_OK;
490 	}
491 	ldns_rr_free(*tlsa);
492 	*tlsa = NULL;
493 	return s;
494 
495 memerror:
496 	ldns_rr_free(*tlsa);
497 	*tlsa = NULL;
498 	return LDNS_STATUS_MEM_ERR;
499 }
500 
501 
502 /* Return tlsas that actually are TLSA resource records with known values
503  * for the Certificate usage, Selector and Matching type rdata fields.
504  */
505 static ldns_rr_list*
506 ldns_dane_filter_unusable_records(const ldns_rr_list* tlsas)
507 {
508 	size_t i;
509 	ldns_rr_list* r = ldns_rr_list_new();
510 	ldns_rr* tlsa_rr;
511 
512 	if (! r) {
513 		return NULL;
514 	}
515 	for (i = 0; i < ldns_rr_list_rr_count(tlsas); i++) {
516 		tlsa_rr = ldns_rr_list_rr(tlsas, i);
517 		if (ldns_rr_get_type(tlsa_rr) == LDNS_RR_TYPE_TLSA &&
518 		    ldns_rr_rd_count(tlsa_rr) == 4 &&
519 		    ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)) <= 3 &&
520 		    ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1)) <= 1 &&
521 		    ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2)) <= 2) {
522 
523 			if (! ldns_rr_list_push_rr(r, tlsa_rr)) {
524 				ldns_rr_list_free(r);
525 				return NULL;
526 			}
527 		}
528 	}
529 	return r;
530 }
531 
532 
533 /* Return whether cert/selector/matching_type matches data.
534  */
535 static ldns_status
536 ldns_dane_match_cert_with_data(X509* cert, ldns_tlsa_selector selector,
537 		ldns_tlsa_matching_type matching_type, ldns_rdf* data)
538 {
539 	ldns_status s;
540 	ldns_rdf* match_data;
541 
542 	s = ldns_dane_cert2rdf(&match_data, cert, selector, matching_type);
543 	if (s == LDNS_STATUS_OK) {
544 		if (ldns_rdf_compare(data, match_data) != 0) {
545 			s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
546 		}
547 		ldns_rdf_free(match_data);
548 	}
549 	return s;
550 }
551 
552 
553 /* Return whether any certificate from the chain with selector/matching_type
554  * matches data.
555  * ca should be true if the certificate has to be a CA certificate too.
556  */
557 static ldns_status
558 ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
559 		ldns_tlsa_selector      selector,
560 		ldns_tlsa_matching_type matching_type,
561 		ldns_rdf* data, bool ca)
562 {
563 	ldns_status s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
564 	size_t n, i;
565 	X509* cert;
566 
567 	n = (size_t)sk_X509_num(chain);
568 	for (i = 0; i < n; i++) {
569 		cert = sk_X509_pop(chain);
570 		if (! cert) {
571 			s = LDNS_STATUS_SSL_ERR;
572 			break;
573 		}
574 		s = ldns_dane_match_cert_with_data(cert,
575 				selector, matching_type, data);
576 		if (ca && s == LDNS_STATUS_OK && ! X509_check_ca(cert)) {
577 			s = LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
578 		}
579 		X509_free(cert);
580 		if (s != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) {
581 			break;
582 		}
583 		/* when s == LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH,
584 		 * try to match the next certificate
585 		 */
586 	}
587 	return s;
588 }
589 
590 
591 ldns_status
592 ldns_dane_verify_rr(const ldns_rr* tlsa_rr,
593 		X509* cert, STACK_OF(X509)* extra_certs,
594 		X509_STORE* pkix_validation_store)
595 {
596 	ldns_status s;
597 
598 	STACK_OF(X509)* pkix_validation_chain = NULL;
599 
600 	ldns_tlsa_certificate_usage cert_usage;
601 	ldns_tlsa_selector          selector;
602 	ldns_tlsa_matching_type     matching_type;
603 	ldns_rdf*                   data;
604 
605 	if (! tlsa_rr) {
606 		/* No TLSA, so regular PKIX validation
607 		 */
608 		return ldns_dane_pkix_validate(cert, extra_certs,
609 				pkix_validation_store);
610 	}
611 	cert_usage    = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0));
612 	selector      = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1));
613 	matching_type = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2));
614 	data          =                      ldns_rr_rdf(tlsa_rr, 3) ;
615 
616 	switch (cert_usage) {
617 	case LDNS_TLSA_USAGE_CA_CONSTRAINT:
618 		s = ldns_dane_pkix_validate_and_get_chain(
619 				&pkix_validation_chain,
620 				cert, extra_certs,
621 				pkix_validation_store);
622 		if (! pkix_validation_chain) {
623 			return s;
624 		}
625 		if (s == LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE) {
626 			/*
627 			 * NO PKIX validation. We still try to match *any*
628 			 * certificate from the chain, so we return
629 			 * TLSA errors over PKIX errors.
630 			 *
631 			 * i.e. When the TLSA matches no certificate, we return
632 			 * TLSA_DID_NOT_MATCH and not PKIX_DID_NOT_VALIDATE
633 			 */
634 			s = ldns_dane_match_any_cert_with_data(
635 					pkix_validation_chain,
636 					selector, matching_type, data, true);
637 
638 			if (s == LDNS_STATUS_OK) {
639 				/* A TLSA record did match a cert from the
640 				 * chain, thus the error is failed PKIX
641 				 * validation.
642 				 */
643 				s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
644 			}
645 
646 		} else if (s == LDNS_STATUS_OK) {
647 			/* PKIX validated, does the TLSA match too? */
648 
649 			s = ldns_dane_match_any_cert_with_data(
650 					pkix_validation_chain,
651 					selector, matching_type, data, true);
652 		}
653 		sk_X509_pop_free(pkix_validation_chain, X509_free);
654 		return s;
655 		break;
656 
657 	case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
658 		s = ldns_dane_match_cert_with_data(cert,
659 				selector, matching_type, data);
660 
661 		if (s == LDNS_STATUS_OK) {
662 			return ldns_dane_pkix_validate(cert, extra_certs,
663 					pkix_validation_store);
664 		}
665 		return s;
666 		break;
667 
668 	case LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION:
669 		s = ldns_dane_pkix_get_chain(&pkix_validation_chain,
670 				cert, extra_certs);
671 
672 		if (s == LDNS_STATUS_OK) {
673 			s = ldns_dane_match_any_cert_with_data(
674 					pkix_validation_chain,
675 					selector, matching_type, data, false);
676 
677 		} else if (! pkix_validation_chain) {
678 			return s;
679 		}
680 		sk_X509_pop_free(pkix_validation_chain, X509_free);
681 		return s;
682 		break;
683 
684 	case LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE:
685 		return ldns_dane_match_cert_with_data(cert,
686 				selector, matching_type, data);
687 		break;
688 
689 	default:
690 		break;
691 	}
692 	return LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE;
693 }
694 
695 
696 ldns_status
697 ldns_dane_verify(ldns_rr_list* tlsas,
698 		X509* cert, STACK_OF(X509)* extra_certs,
699 		X509_STORE* pkix_validation_store)
700 {
701 	size_t i;
702 	ldns_rr* tlsa_rr;
703 	ldns_status s = LDNS_STATUS_OK, ps;
704 
705 	assert(cert != NULL);
706 
707 	if (tlsas && ldns_rr_list_rr_count(tlsas) > 0) {
708 		tlsas = ldns_dane_filter_unusable_records(tlsas);
709 		if (! tlsas) {
710 			return LDNS_STATUS_MEM_ERR;
711 		}
712 	}
713 	if (! tlsas || ldns_rr_list_rr_count(tlsas) == 0) {
714 		/* No TLSA's, so regular PKIX validation
715 		 */
716 		return ldns_dane_pkix_validate(cert, extra_certs,
717 				pkix_validation_store);
718 	} else {
719 		for (i = 0; i < ldns_rr_list_rr_count(tlsas); i++) {
720 			tlsa_rr = ldns_rr_list_rr(tlsas, i);
721 			ps = s;
722 			s = ldns_dane_verify_rr(tlsa_rr, cert, extra_certs,
723 					pkix_validation_store);
724 
725 			if (s != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH &&
726 			    s != LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE) {
727 
728 				/* which would be LDNS_STATUS_OK (match)
729 				 * or some fatal error preventing use from
730 				 * trying the next TLSA record.
731 				 */
732 				break;
733 			}
734 			s = (s > ps ? s : ps); /* prefer PKIX_DID_NOT_VALIDATE
735 						* over   TLSA_DID_NOT_MATCH
736 						*/
737 		}
738 		ldns_rr_list_free(tlsas);
739 	}
740 	return s;
741 }
742 #endif /* HAVE_SSL */
743