xref: /freebsd/contrib/ldns/dane.c (revision 2008043f386721d58158e37e0d7e50df8095942d)
1 /*
2  * Verify or create TLS authentication with DANE (RFC6698)
3  *
4  * (c) NLnetLabs 2012-2020
5  *
6  * See the file LICENSE for the license.
7  *
8  */
9 
10 #include <ldns/config.h>
11 #ifdef USE_DANE
12 
13 #include <ldns/ldns.h>
14 #include <ldns/dane.h>
15 
16 #include <unistd.h>
17 #include <stdlib.h>
18 #include <sys/types.h>
19 #ifdef HAVE_SYS_SOCKET_H
20 #include <sys/socket.h>
21 #endif
22 #ifdef HAVE_NETDB_H
23 #include <netdb.h>
24 #endif
25 
26 #ifdef HAVE_SSL
27 #include <openssl/ssl.h>
28 #include <openssl/err.h>
29 #include <openssl/x509v3.h>
30 #endif
31 
32 /* OpenSSL context options. At the moment, disable SSLv2, SSLv3
33  * and Compression, if available. TLSv1.0 is allowed at the moment.
34  * TLSv1.1 is the first to provide elliptic curves, so it is usually
35  * allowed in a TLS stack. TLSv1.2 is the first to provide authentication
36  * modes of operation, like GCM. The defines below are a moving
37  * target based on OpenSSL library version. Grep is useful to find
38  * the defines: grep -IR SSL_OP_NO_ /usr/include/openssl.
39  */
40 #ifdef HAVE_SSL
41 # ifdef SSL_OP_NO_SSLv2
42 	const long NoOpenSSLv2 = SSL_OP_NO_SSLv2;
43 # else
44 	const long NoOpenSSLv2 = 0L;
45 # endif
46 # ifdef SSL_OP_NO_SSLv3
47 	const long NoOpenSSLv3 = SSL_OP_NO_SSLv3;
48 # else
49 	const long NoOpenSSLv3 = 0L;
50 # endif
51 # ifdef SSL_OP_NO_TLSv1
52 	const long NoOpenTLSv1 = SSL_OP_NO_TLSv1;
53 # else
54 	const long NoOpenTLSv1 = 0L;
55 # endif
56 # ifdef SSL_OP_NO_DTLSv1
57 	const long NoOpenDTLSv1 = SSL_OP_NO_DTLSv1;
58 # else
59 	const long NoOpenDTLSv1 = 0L;
60 # endif
61 # ifdef SSL_OP_NO_COMPRESSION
62 	const long NoOpenSSLCompression = SSL_OP_NO_COMPRESSION;
63 # else
64 	const long NoOpenSSLCompression = 0L;
65 # endif
66 #endif
67 
68 #if defined(USE_DANE_VERIFY) && defined(USE_DANE_TA_USAGE)
69 static SSL_CTX*
70 ldns_dane_new_ssl_context(void)
71 {
72 	SSL_CTX* ssl_ctx;
73 
74 	ssl_ctx = SSL_CTX_new(TLS_client_method());
75 	if (ssl_ctx != NULL)
76 	{
77 		/* ldns allows TLS and DTLS v1.0 at the moment. Some may disagree.
78 		 * Sometime in the future they may be disabled, too. Maybe
79 		 * --disable-tlsv1 and --disable-dtlsv1 should be configure options.
80 		 */
81 		long flags = NoOpenSSLv2 | NoOpenSSLv3 | NoOpenSSLCompression;
82 		SSL_CTX_set_options(ssl_ctx, flags);
83 	}
84 
85 	return ssl_ctx;
86 }
87 #endif
88 
89 ldns_status
90 ldns_dane_create_tlsa_owner(ldns_rdf** tlsa_owner, const ldns_rdf* name,
91 		uint16_t port, ldns_dane_transport transport)
92 {
93 	char buf[LDNS_MAX_DOMAINLEN];
94 	size_t s;
95 
96 	assert(tlsa_owner != NULL);
97 	assert(name != NULL);
98 	assert(ldns_rdf_get_type(name) == LDNS_RDF_TYPE_DNAME);
99 
100 	s = (size_t)snprintf(buf, LDNS_MAX_DOMAINLEN, "X_%d", (int)port);
101 	buf[0] = (char)(s - 1);
102 
103 	switch(transport) {
104 	case LDNS_DANE_TRANSPORT_TCP:
105 		s += snprintf(buf + s, LDNS_MAX_DOMAINLEN - s, "\004_tcp");
106 		break;
107 
108 	case LDNS_DANE_TRANSPORT_UDP:
109 		s += snprintf(buf + s, LDNS_MAX_DOMAINLEN - s, "\004_udp");
110 		break;
111 
112 	case LDNS_DANE_TRANSPORT_SCTP:
113 		s += snprintf(buf + s, LDNS_MAX_DOMAINLEN - s, "\005_sctp");
114 		break;
115 
116 	default:
117 		return LDNS_STATUS_DANE_UNKNOWN_TRANSPORT;
118 	}
119 	if (s + ldns_rdf_size(name) > LDNS_MAX_DOMAINLEN) {
120 		return LDNS_STATUS_DOMAINNAME_OVERFLOW;
121 	}
122 	memcpy(buf + s, ldns_rdf_data(name), ldns_rdf_size(name));
123 	*tlsa_owner = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_DNAME,
124 			s + ldns_rdf_size(name), buf);
125 	if (*tlsa_owner == NULL) {
126 		return LDNS_STATUS_MEM_ERR;
127 	}
128 	return LDNS_STATUS_OK;
129 }
130 
131 
132 #ifdef HAVE_SSL
133 ldns_status
134 ldns_dane_cert2rdf(ldns_rdf** rdf, X509* cert,
135 		ldns_tlsa_selector      selector,
136 		ldns_tlsa_matching_type matching_type)
137 {
138 	unsigned char* buf = NULL;
139 	size_t len;
140 
141 	X509_PUBKEY* xpubkey;
142 	EVP_PKEY* epubkey;
143 
144 	unsigned char* digest;
145 
146 	assert(rdf != NULL);
147 	assert(cert != NULL);
148 
149 	switch(selector) {
150 	case LDNS_TLSA_SELECTOR_FULL_CERTIFICATE:
151 
152 		len = (size_t)i2d_X509(cert, &buf);
153 		break;
154 
155 	case LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO:
156 
157 #ifndef S_SPLINT_S
158 		xpubkey = X509_get_X509_PUBKEY(cert);
159 #endif
160 		if (! xpubkey) {
161 			return LDNS_STATUS_SSL_ERR;
162 		}
163 		epubkey = X509_PUBKEY_get(xpubkey);
164 		if (! epubkey) {
165 			return LDNS_STATUS_SSL_ERR;
166 		}
167 		len = (size_t)i2d_PUBKEY(epubkey, &buf);
168 		break;
169 
170 	default:
171 		return LDNS_STATUS_DANE_UNKNOWN_SELECTOR;
172 	}
173 
174 	switch(matching_type) {
175 	case LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED:
176 
177 		*rdf = ldns_rdf_new(LDNS_RDF_TYPE_HEX, len, buf);
178 
179 		return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
180 		break;
181 
182 	case LDNS_TLSA_MATCHING_TYPE_SHA256:
183 
184 		digest = LDNS_XMALLOC(unsigned char, LDNS_SHA256_DIGEST_LENGTH);
185 		if (digest == NULL) {
186 			LDNS_FREE(buf);
187 			return LDNS_STATUS_MEM_ERR;
188 		}
189 		(void) ldns_sha256(buf, (unsigned int)len, digest);
190 		*rdf = ldns_rdf_new(LDNS_RDF_TYPE_HEX, LDNS_SHA256_DIGEST_LENGTH,
191 				digest);
192 		LDNS_FREE(buf);
193 
194 		return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
195 		break;
196 
197 	case LDNS_TLSA_MATCHING_TYPE_SHA512:
198 
199 		digest = LDNS_XMALLOC(unsigned char, LDNS_SHA512_DIGEST_LENGTH);
200 		if (digest == NULL) {
201 			LDNS_FREE(buf);
202 			return LDNS_STATUS_MEM_ERR;
203 		}
204 		(void) ldns_sha512(buf, (unsigned int)len, digest);
205 		*rdf = ldns_rdf_new(LDNS_RDF_TYPE_HEX, LDNS_SHA512_DIGEST_LENGTH,
206 				digest);
207 		LDNS_FREE(buf);
208 
209 		return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
210 		break;
211 
212 	default:
213 		LDNS_FREE(buf);
214 		return LDNS_STATUS_DANE_UNKNOWN_MATCHING_TYPE;
215 	}
216 }
217 
218 
219 /* Ordinary PKIX validation of cert (with extra_certs to help)
220  * against the CA's in store
221  */
222 static ldns_status
223 ldns_dane_pkix_validate(X509* cert, STACK_OF(X509)* extra_certs,
224 		X509_STORE* store)
225 {
226 	X509_STORE_CTX* vrfy_ctx;
227 	ldns_status s;
228 
229 	if (! store) {
230 		return LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
231 	}
232 	vrfy_ctx = X509_STORE_CTX_new();
233 	if (! vrfy_ctx) {
234 
235 		return LDNS_STATUS_SSL_ERR;
236 
237 	} else if (X509_STORE_CTX_init(vrfy_ctx, store,
238 				cert, extra_certs) != 1) {
239 		s = LDNS_STATUS_SSL_ERR;
240 
241 	} else if (X509_verify_cert(vrfy_ctx) == 1) {
242 
243 		s = LDNS_STATUS_OK;
244 
245 	} else {
246 		s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
247 	}
248 	X509_STORE_CTX_free(vrfy_ctx);
249 	return s;
250 }
251 
252 
253 /* Ordinary PKIX validation of cert (with extra_certs to help)
254  * against the CA's in store, but also return the validation chain.
255  */
256 static ldns_status
257 ldns_dane_pkix_validate_and_get_chain(STACK_OF(X509)** chain, X509* cert,
258 		STACK_OF(X509)* extra_certs, X509_STORE* store)
259 {
260 	ldns_status s;
261 	X509_STORE* empty_store = NULL;
262 	X509_STORE_CTX* vrfy_ctx;
263 
264 	assert(chain != NULL);
265 
266 	if (! store) {
267 		store = empty_store = X509_STORE_new();
268 	}
269 	s = LDNS_STATUS_SSL_ERR;
270 	vrfy_ctx = X509_STORE_CTX_new();
271 	if (! vrfy_ctx) {
272 
273 		goto exit_free_empty_store;
274 
275 	} else if (X509_STORE_CTX_init(vrfy_ctx, store,
276 					cert, extra_certs) != 1) {
277 		goto exit_free_vrfy_ctx;
278 
279 	} else if (X509_verify_cert(vrfy_ctx) == 1) {
280 
281 		s = LDNS_STATUS_OK;
282 
283 	} else {
284 		s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
285 	}
286 	*chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
287 	if (! *chain) {
288 		s = LDNS_STATUS_SSL_ERR;
289 	}
290 
291 exit_free_vrfy_ctx:
292 	X509_STORE_CTX_free(vrfy_ctx);
293 
294 exit_free_empty_store:
295 	if (empty_store) {
296 		X509_STORE_free(empty_store);
297 	}
298 	return s;
299 }
300 
301 
302 /* Return the validation chain that can be build out of cert, with extra_certs.
303  */
304 static ldns_status
305 ldns_dane_pkix_get_chain(STACK_OF(X509)** chain,
306 		X509* cert, STACK_OF(X509)* extra_certs)
307 {
308 	ldns_status s;
309 	X509_STORE* empty_store = NULL;
310 	X509_STORE_CTX* vrfy_ctx;
311 
312 	assert(chain != NULL);
313 
314 	empty_store = X509_STORE_new();
315 	s = LDNS_STATUS_SSL_ERR;
316 	vrfy_ctx = X509_STORE_CTX_new();
317 	if (! vrfy_ctx) {
318 
319 		goto exit_free_empty_store;
320 
321 	} else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
322 					cert, extra_certs) != 1) {
323 		goto exit_free_vrfy_ctx;
324 	}
325 	(void) X509_verify_cert(vrfy_ctx);
326 	*chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
327 	if (! *chain) {
328 		s = LDNS_STATUS_SSL_ERR;
329 	} else {
330 		s = LDNS_STATUS_OK;
331 	}
332 exit_free_vrfy_ctx:
333 	X509_STORE_CTX_free(vrfy_ctx);
334 
335 exit_free_empty_store:
336 	X509_STORE_free(empty_store);
337 	return s;
338 }
339 
340 
341 /* Pop n+1 certs and return the last popped.
342  */
343 static ldns_status
344 ldns_dane_get_nth_cert_from_validation_chain(
345 		X509** cert, STACK_OF(X509)* chain, int n, bool ca)
346 {
347 	if (n >= sk_X509_num(chain) || n < 0) {
348 		return LDNS_STATUS_DANE_OFFSET_OUT_OF_RANGE;
349 	}
350 	*cert = sk_X509_pop(chain);
351 	while (n-- > 0) {
352 		X509_free(*cert);
353 		*cert = sk_X509_pop(chain);
354 	}
355 	if (ca && ! X509_check_ca(*cert)) {
356 		return LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
357 	}
358 	return LDNS_STATUS_OK;
359 }
360 
361 
362 /* Create validation chain with cert and extra_certs and returns the last
363  * self-signed (if present).
364  */
365 static ldns_status
366 ldns_dane_pkix_get_last_self_signed(X509** out_cert,
367 		X509* cert, STACK_OF(X509)* extra_certs)
368 {
369 	ldns_status s;
370 	X509_STORE* empty_store = NULL;
371 	X509_STORE_CTX* vrfy_ctx;
372 
373 	assert(out_cert != NULL);
374 
375 	empty_store = X509_STORE_new();
376 	s = LDNS_STATUS_SSL_ERR;
377 	vrfy_ctx = X509_STORE_CTX_new();
378 	if (! vrfy_ctx) {
379 		goto exit_free_empty_store;
380 
381 	} else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
382 					cert, extra_certs) != 1) {
383 		goto exit_free_vrfy_ctx;
384 
385 	}
386 	(void) X509_verify_cert(vrfy_ctx);
387 	if (X509_STORE_CTX_get_error(vrfy_ctx) == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
388 	    X509_STORE_CTX_get_error(vrfy_ctx) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){
389 
390 		*out_cert = X509_STORE_CTX_get_current_cert( vrfy_ctx);
391 		s = LDNS_STATUS_OK;
392 	} else {
393 		s = LDNS_STATUS_DANE_PKIX_NO_SELF_SIGNED_TRUST_ANCHOR;
394 	}
395 exit_free_vrfy_ctx:
396 	X509_STORE_CTX_free(vrfy_ctx);
397 
398 exit_free_empty_store:
399 	X509_STORE_free(empty_store);
400 	return s;
401 }
402 
403 
404 ldns_status
405 ldns_dane_select_certificate(X509** selected_cert,
406 		X509* cert, STACK_OF(X509)* extra_certs,
407 		X509_STORE* pkix_validation_store,
408 		ldns_tlsa_certificate_usage cert_usage, int offset)
409 {
410 	ldns_status s;
411 	STACK_OF(X509)* pkix_validation_chain = NULL;
412 
413 	assert(selected_cert != NULL);
414 	assert(cert != NULL);
415 
416 	/* With PKIX validation explicitly turned off (pkix_validation_store
417 	 *  == NULL), treat the "CA constraint" and "Service certificate
418 	 * constraint" the same as "Trust anchor assertion" and "Domain issued
419 	 * certificate" respectively.
420 	 */
421 	if (pkix_validation_store == NULL) {
422 		switch (cert_usage) {
423 
424 		case LDNS_TLSA_USAGE_CA_CONSTRAINT:
425 
426 			cert_usage = LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION;
427 			break;
428 
429 		case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
430 
431 			cert_usage = LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE;
432 			break;
433 
434 		default:
435 			break;
436 		}
437 	}
438 
439 	/* Now what to do with each Certificate usage...
440 	 */
441 	switch (cert_usage) {
442 
443 	case LDNS_TLSA_USAGE_CA_CONSTRAINT:
444 
445 		s = ldns_dane_pkix_validate_and_get_chain(
446 				&pkix_validation_chain,
447 				cert, extra_certs,
448 				pkix_validation_store);
449 		if (! pkix_validation_chain) {
450 			return s;
451 		}
452 		if (s == LDNS_STATUS_OK) {
453 			if (offset == -1) {
454 				offset = 0;
455 			}
456 			s = ldns_dane_get_nth_cert_from_validation_chain(
457 					selected_cert, pkix_validation_chain,
458 					offset, true);
459 		}
460 		sk_X509_pop_free(pkix_validation_chain, X509_free);
461 		return s;
462 		break;
463 
464 
465 	case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
466 
467 		*selected_cert = cert;
468 		return ldns_dane_pkix_validate(cert, extra_certs,
469 				pkix_validation_store);
470 		break;
471 
472 
473 	case LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION:
474 
475 		if (offset == -1) {
476 			s = ldns_dane_pkix_get_last_self_signed(
477 					selected_cert, cert, extra_certs);
478 			return s;
479 		} else {
480 			s = ldns_dane_pkix_get_chain(
481 					&pkix_validation_chain,
482 					cert, extra_certs);
483 			if (s == LDNS_STATUS_OK) {
484 				s =
485 				ldns_dane_get_nth_cert_from_validation_chain(
486 					selected_cert, pkix_validation_chain,
487 					offset, false);
488 			} else if (! pkix_validation_chain) {
489 				return s;
490 			}
491 			sk_X509_pop_free(pkix_validation_chain, X509_free);
492 			return s;
493 		}
494 		break;
495 
496 
497 	case LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE:
498 
499 		*selected_cert = cert;
500 		return LDNS_STATUS_OK;
501 		break;
502 
503 	default:
504 		return LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE;
505 		break;
506 	}
507 }
508 
509 
510 ldns_status
511 ldns_dane_create_tlsa_rr(ldns_rr** tlsa,
512 		ldns_tlsa_certificate_usage certificate_usage,
513 		ldns_tlsa_selector          selector,
514 		ldns_tlsa_matching_type     matching_type,
515 		X509* cert)
516 {
517 	ldns_rdf* rdf;
518 	ldns_status s;
519 
520 	assert(tlsa != NULL);
521 	assert(cert != NULL);
522 
523 	/* create rr */
524 	*tlsa = ldns_rr_new_frm_type(LDNS_RR_TYPE_TLSA);
525 	if (*tlsa == NULL) {
526 		return LDNS_STATUS_MEM_ERR;
527 	}
528 
529 	rdf = ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
530 			(uint8_t)certificate_usage);
531 	if (rdf == NULL) {
532 		goto memerror;
533 	}
534 	(void) ldns_rr_set_rdf(*tlsa, rdf, 0);
535 
536 	rdf = ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, (uint8_t)selector);
537 	if (rdf == NULL) {
538 		goto memerror;
539 	}
540 	(void) ldns_rr_set_rdf(*tlsa, rdf, 1);
541 
542 	rdf = ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, (uint8_t)matching_type);
543 	if (rdf == NULL) {
544 		goto memerror;
545 	}
546 	(void) ldns_rr_set_rdf(*tlsa, rdf, 2);
547 
548 	s = ldns_dane_cert2rdf(&rdf, cert, selector, matching_type);
549 	if (s == LDNS_STATUS_OK) {
550 		(void) ldns_rr_set_rdf(*tlsa, rdf, 3);
551 		return LDNS_STATUS_OK;
552 	}
553 	ldns_rr_free(*tlsa);
554 	*tlsa = NULL;
555 	return s;
556 
557 memerror:
558 	ldns_rr_free(*tlsa);
559 	*tlsa = NULL;
560 	return LDNS_STATUS_MEM_ERR;
561 }
562 
563 
564 #ifdef USE_DANE_VERIFY
565 /* Return tlsas that actually are TLSA resource records with known values
566  * for the Certificate usage, Selector and Matching type rdata fields.
567  */
568 static ldns_rr_list*
569 ldns_dane_filter_unusable_records(const ldns_rr_list* tlsas)
570 {
571 	size_t i;
572 	ldns_rr_list* r = ldns_rr_list_new();
573 	ldns_rr* tlsa_rr;
574 
575 	if (! r) {
576 		return NULL;
577 	}
578 	for (i = 0; i < ldns_rr_list_rr_count(tlsas); i++) {
579 		tlsa_rr = ldns_rr_list_rr(tlsas, i);
580 		if (ldns_rr_get_type(tlsa_rr) == LDNS_RR_TYPE_TLSA &&
581 		    ldns_rr_rd_count(tlsa_rr) == 4 &&
582 		    ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)) <= 3 &&
583 		    ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1)) <= 1 &&
584 		    ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2)) <= 2) {
585 
586 			if (! ldns_rr_list_push_rr(r, tlsa_rr)) {
587 				ldns_rr_list_free(r);
588 				return NULL;
589 			}
590 		}
591 	}
592 	return r;
593 }
594 
595 
596 #if !defined(USE_DANE_TA_USAGE)
597 /* Return whether cert/selector/matching_type matches data.
598  */
599 static ldns_status
600 ldns_dane_match_cert_with_data(X509* cert, ldns_tlsa_selector selector,
601 		ldns_tlsa_matching_type matching_type, ldns_rdf* data)
602 {
603 	ldns_status s;
604 	ldns_rdf* match_data;
605 
606 	s = ldns_dane_cert2rdf(&match_data, cert, selector, matching_type);
607 	if (s == LDNS_STATUS_OK) {
608 		if (ldns_rdf_compare(data, match_data) != 0) {
609 			s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
610 		}
611 		ldns_rdf_free(match_data);
612 	}
613 	return s;
614 }
615 
616 
617 /* Return whether any certificate from the chain with selector/matching_type
618  * matches data.
619  * ca should be true if the certificate has to be a CA certificate too.
620  */
621 static ldns_status
622 ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
623 		ldns_tlsa_selector      selector,
624 		ldns_tlsa_matching_type matching_type,
625 		ldns_rdf* data, bool ca)
626 {
627 	ldns_status s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
628 	size_t n, i;
629 	X509* cert;
630 
631 	n = (size_t)sk_X509_num(chain);
632 	for (i = 0; i < n; i++) {
633 		cert = sk_X509_pop(chain);
634 		if (! cert) {
635 			s = LDNS_STATUS_SSL_ERR;
636 			break;
637 		}
638 		s = ldns_dane_match_cert_with_data(cert,
639 				selector, matching_type, data);
640 		if (ca && s == LDNS_STATUS_OK && ! X509_check_ca(cert)) {
641 			s = LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
642 		}
643 		X509_free(cert);
644 		if (s != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) {
645 			break;
646 		}
647 		/* when s == LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH,
648 		 * try to match the next certificate
649 		 */
650 	}
651 	return s;
652 }
653 #endif /* !defined(USE_DANE_TA_USAGE) */
654 #endif /* USE_DANE_VERIFY */
655 
656 #ifdef USE_DANE_VERIFY
657 ldns_status
658 ldns_dane_verify_rr(const ldns_rr* tlsa_rr,
659 		X509* cert, STACK_OF(X509)* extra_certs,
660 		X509_STORE* pkix_validation_store)
661 {
662 #if defined(USE_DANE_TA_USAGE)
663 	SSL_CTX *ssl_ctx = NULL;
664 	SSL *ssl = NULL;
665 	X509_STORE_CTX *store_ctx = NULL;
666 #else
667 	STACK_OF(X509)* pkix_validation_chain = NULL;
668 #endif
669 	ldns_status s = LDNS_STATUS_OK;
670 
671 	ldns_tlsa_certificate_usage usage;
672 	ldns_tlsa_selector          selector;
673 	ldns_tlsa_matching_type     mtype;
674 	ldns_rdf*                   data;
675 
676 	if (! tlsa_rr || ldns_rr_get_type(tlsa_rr) != LDNS_RR_TYPE_TLSA ||
677 			ldns_rr_rd_count(tlsa_rr) != 4 ||
678 			ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)) > 3 ||
679 			ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1)) > 1 ||
680 			ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2)) > 2 ) {
681 		/* No (usable) TLSA, so regular PKIX validation
682 		 */
683 		return ldns_dane_pkix_validate(cert, extra_certs,
684 				pkix_validation_store);
685 	}
686 	usage    = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0));
687 	selector = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1));
688 	mtype    = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2));
689 	data     =                      ldns_rr_rdf(tlsa_rr, 3) ;
690 
691 #if defined(USE_DANE_TA_USAGE)
692 	/* Rely on OpenSSL dane functions.
693 	 *
694 	 * OpenSSL does not provide offline dane verification.  The dane unit
695 	 * tests within openssl use the undocumented SSL_get0_dane() and
696 	 * X509_STORE_CTX_set0_dane() to convey dane parameters set on SSL and
697 	 * SSL_CTX to a X509_STORE_CTX that can be used to do offline
698 	 * verification.  We use these undocumented means with the ldns
699 	 * dane function prototypes which did only offline dane verification.
700 	 */
701 	if (!(ssl_ctx = ldns_dane_new_ssl_context()))
702 		s = LDNS_STATUS_MEM_ERR;
703 
704 	else if (SSL_CTX_dane_enable(ssl_ctx) <= 0)
705 		s = LDNS_STATUS_SSL_ERR;
706 
707 	else if (SSL_CTX_dane_set_flags(
708 				ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS),
709 			!(ssl = SSL_new(ssl_ctx)))
710 		s = LDNS_STATUS_MEM_ERR;
711 
712 	else if (SSL_set_connect_state(ssl),
713 			(SSL_dane_enable(ssl, NULL) <= 0))
714 		s = LDNS_STATUS_SSL_ERR;
715 
716 	else if (SSL_dane_tlsa_add(ssl, usage, selector, mtype,
717 				ldns_rdf_data(data), ldns_rdf_size(data)) <= 0)
718 		s = LDNS_STATUS_SSL_ERR;
719 
720 	else if (!(store_ctx =  X509_STORE_CTX_new()))
721 		s = LDNS_STATUS_MEM_ERR;
722 
723 	else if (!X509_STORE_CTX_init(store_ctx, pkix_validation_store, cert, extra_certs))
724 		s = LDNS_STATUS_SSL_ERR;
725 
726 	else {
727 		int ret;
728 
729 		X509_STORE_CTX_set_default(store_ctx,
730 				SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
731 		X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
732 				SSL_get0_param(ssl));
733 		X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl));
734 		if (SSL_get_verify_callback(ssl))
735 			X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
736 
737 		ret = X509_verify_cert(store_ctx);
738 		if (!ret) {
739 			if (X509_STORE_CTX_get_error(store_ctx) == X509_V_ERR_DANE_NO_MATCH)
740 				s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
741 			else
742 				s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
743 		}
744 		X509_STORE_CTX_cleanup(store_ctx);
745 	}
746 	if (store_ctx)
747 		X509_STORE_CTX_free(store_ctx);
748 	if (ssl)
749 		SSL_free(ssl);
750 	if (ssl_ctx)
751 		SSL_CTX_free(ssl_ctx);
752 	return s;
753 #else
754 	switch (usage) {
755 	case LDNS_TLSA_USAGE_CA_CONSTRAINT:
756 		s = ldns_dane_pkix_validate_and_get_chain(
757 				&pkix_validation_chain,
758 				cert, extra_certs,
759 				pkix_validation_store);
760 		if (! pkix_validation_chain) {
761 			return s;
762 		}
763 		if (s == LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE) {
764 			/*
765 			 * NO PKIX validation. We still try to match *any*
766 			 * certificate from the chain, so we return
767 			 * TLSA errors over PKIX errors.
768 			 *
769 			 * i.e. When the TLSA matches no certificate, we return
770 			 * TLSA_DID_NOT_MATCH and not PKIX_DID_NOT_VALIDATE
771 			 */
772 			s = ldns_dane_match_any_cert_with_data(
773 					pkix_validation_chain,
774 					selector, mtype, data, true);
775 
776 			if (s == LDNS_STATUS_OK) {
777 				/* A TLSA record did match a cert from the
778 				 * chain, thus the error is failed PKIX
779 				 * validation.
780 				 */
781 				s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
782 			}
783 
784 		} else if (s == LDNS_STATUS_OK) {
785 			/* PKIX validated, does the TLSA match too? */
786 
787 			s = ldns_dane_match_any_cert_with_data(
788 					pkix_validation_chain,
789 					selector, mtype, data, true);
790 		}
791 		sk_X509_pop_free(pkix_validation_chain, X509_free);
792 		return s;
793 		break;
794 
795 	case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
796 
797 		s = ldns_dane_match_cert_with_data(cert,
798 				selector, mtype, data);
799 
800 		if (s == LDNS_STATUS_OK) {
801 			return ldns_dane_pkix_validate(cert, extra_certs,
802 					pkix_validation_store);
803 		}
804 		return s;
805 		break;
806 
807 	case LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION:
808 #if 0
809 		s = ldns_dane_pkix_get_chain(&pkix_validation_chain,
810 				cert, extra_certs);
811 
812 		if (s == LDNS_STATUS_OK) {
813 			s = ldns_dane_match_any_cert_with_data(
814 					pkix_validation_chain,
815 					selector, mtype, data, false);
816 
817 		} else if (! pkix_validation_chain) {
818 			return s;
819 		}
820 		sk_X509_pop_free(pkix_validation_chain, X509_free);
821 		return s;
822 #else
823 		return LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA;
824 #endif
825 		break;
826 
827 	case LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE:
828 		return ldns_dane_match_cert_with_data(cert,
829 				selector, mtype, data);
830 		break;
831 
832 	default:
833 		break;
834 	}
835 #endif
836 	return LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE;
837 }
838 
839 
840 ldns_status
841 ldns_dane_verify(const ldns_rr_list* tlsas,
842 		X509* cert, STACK_OF(X509)* extra_certs,
843 		X509_STORE* pkix_validation_store)
844 {
845 #if defined(USE_DANE_TA_USAGE)
846 	SSL_CTX *ssl_ctx = NULL;
847 	ldns_rdf *basename_rdf = NULL;
848 	char *basename = NULL;
849 	SSL *ssl = NULL;
850 	X509_STORE_CTX *store_ctx = NULL;
851 #else
852 	ldns_status ps;
853 #endif
854 	size_t i;
855 	ldns_rr* tlsa_rr;
856 	ldns_rr_list *usable_tlsas;
857 	ldns_status s = LDNS_STATUS_OK;
858 
859 	assert(cert != NULL);
860 
861 	if (! tlsas || ldns_rr_list_rr_count(tlsas) == 0)
862 		/* No TLSA's, so regular PKIX validation
863 		 */
864 		return ldns_dane_pkix_validate(cert, extra_certs,
865 				pkix_validation_store);
866 
867 /* To enable name checks (which we don't) */
868 #if defined(USE_DANE_TA_USAGE) && 0
869 	else if (!(basename_rdf = ldns_dname_clone_from(
870 					ldns_rr_list_owner(tlsas), 2)))
871 		/* Could nog get DANE base name */
872 		s = LDNS_STATUS_ERR;
873 
874 	else if (!(basename = ldns_rdf2str(basename_rdf)))
875 		s = LDNS_STATUS_MEM_ERR;
876 
877 	else if (strlen(basename) && (basename[strlen(basename)-1]  = 0))
878 		s = LDNS_STATUS_ERR; /* Intended to be unreachable */
879 #endif
880 
881 	else if (!(usable_tlsas = ldns_dane_filter_unusable_records(tlsas)))
882 		return LDNS_STATUS_MEM_ERR;
883 
884 	else if (ldns_rr_list_rr_count(usable_tlsas) == 0) {
885 		/* No TLSA's, so regular PKIX validation
886 		 */
887 		ldns_rr_list_free(usable_tlsas);
888 		return ldns_dane_pkix_validate(cert, extra_certs,
889 				pkix_validation_store);
890 	}
891 #if defined(USE_DANE_TA_USAGE)
892 	/* Rely on OpenSSL dane functions.
893 	 *
894 	 * OpenSSL does not provide offline dane verification.  The dane unit
895 	 * tests within openssl use the undocumented SSL_get0_dane() and
896 	 * X509_STORE_CTX_set0_dane() to convey dane parameters set on SSL and
897 	 * SSL_CTX to a X509_STORE_CTX that can be used to do offline
898 	 * verification.  We use these undocumented means with the ldns
899 	 * dane function prototypes which did only offline dane verification.
900 	 */
901 	if (!(ssl_ctx = ldns_dane_new_ssl_context()))
902 		s = LDNS_STATUS_MEM_ERR;
903 
904 	else if (SSL_CTX_dane_enable(ssl_ctx) <= 0)
905 		s = LDNS_STATUS_SSL_ERR;
906 
907 	else if (SSL_CTX_dane_set_flags(
908 				ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS),
909 			!(ssl = SSL_new(ssl_ctx)))
910 		s = LDNS_STATUS_MEM_ERR;
911 
912 	else if (SSL_set_connect_state(ssl),
913 			(SSL_dane_enable(ssl, basename) <= 0))
914 		s = LDNS_STATUS_SSL_ERR;
915 
916 	else for (i = 0; i < ldns_rr_list_rr_count(usable_tlsas); i++) {
917 		ldns_tlsa_certificate_usage usage;
918 		ldns_tlsa_selector          selector;
919 		ldns_tlsa_matching_type     mtype;
920 		ldns_rdf*                   data;
921 
922 		tlsa_rr = ldns_rr_list_rr(usable_tlsas, i);
923 		usage   = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr,0));
924 		selector= ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr,1));
925 		mtype   = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr,2));
926 		data    =                      ldns_rr_rdf(tlsa_rr,3) ;
927 
928 		if (SSL_dane_tlsa_add(ssl, usage, selector, mtype,
929 					ldns_rdf_data(data),
930 					ldns_rdf_size(data)) <= 0) {
931 			s = LDNS_STATUS_SSL_ERR;
932 			break;
933 		}
934 	}
935 	if (!s && !(store_ctx =  X509_STORE_CTX_new()))
936 		s = LDNS_STATUS_MEM_ERR;
937 
938 	else if (!X509_STORE_CTX_init(store_ctx, pkix_validation_store, cert, extra_certs))
939 		s = LDNS_STATUS_SSL_ERR;
940 
941 	else {
942 		int ret;
943 
944 		X509_STORE_CTX_set_default(store_ctx,
945 				SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
946 		X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
947 				SSL_get0_param(ssl));
948 		X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl));
949 		if (SSL_get_verify_callback(ssl))
950 			X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
951 
952 		ret = X509_verify_cert(store_ctx);
953 		if (!ret) {
954 			if (X509_STORE_CTX_get_error(store_ctx) == X509_V_ERR_DANE_NO_MATCH)
955 				s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
956 			else
957 				s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
958 		}
959 		X509_STORE_CTX_cleanup(store_ctx);
960 	}
961 	if (store_ctx)
962 		X509_STORE_CTX_free(store_ctx);
963 	if (ssl)
964 		SSL_free(ssl);
965 	if (ssl_ctx)
966 		SSL_CTX_free(ssl_ctx);
967 	if (basename)
968 		free(basename);
969 	ldns_rdf_deep_free(basename_rdf);
970 #else
971 	for (i = 0; i < ldns_rr_list_rr_count(usable_tlsas); i++) {
972 		tlsa_rr = ldns_rr_list_rr(usable_tlsas, i);
973 		ps = s;
974 		s = ldns_dane_verify_rr(tlsa_rr, cert, extra_certs,
975 				pkix_validation_store);
976 
977 		if (s != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH &&
978 		    s != LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE &&
979 		    s != LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA) {
980 
981 			/* which would be LDNS_STATUS_OK (match)
982 			 * or some fatal error preventing use from
983 			 * trying the next TLSA record.
984 			 */
985 			break;
986 		}
987 		s = (s > ps ? s : ps); /* pref NEED_OPENSSL_GE_1_1_FOR_DANE_TA
988 		                        * over PKIX_DID_NOT_VALIDATE
989 					* over TLSA_DID_NOT_MATCH
990 					*/
991 	}
992 #endif
993 	ldns_rr_list_free(usable_tlsas);
994 	return s;
995 }
996 #endif /* USE_DANE_VERIFY */
997 #endif /* HAVE_SSL */
998 #endif /* USE_DANE */
999