search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
readelf: report ARM program and section header types
[freebsd-src.git] / contrib / ldns / dane.c
blob675dfa8bf33599d4d4cfff0be726978a295c4eb5
1 /*
2 * Verify or create TLS authentication with DANE (RFC6698)
3 *
4 * (c) NLnetLabs 2012
5 *
6 * See the file LICENSE for the license.
7 *
8 */
9
10 #include <ldns/config.h>
11 #ifdef USE_DANE
12
13 #include <ldns/ldns.h>
14 #include <ldns/dane.h>
15
16 #include <unistd.h>
17 #include <stdlib.h>
18 #include <sys/types.h>
19 #ifdef HAVE_SYS_SOCKET_H
20 #include <sys/socket.h>
21 #endif
22 #ifdef HAVE_NETDB_H
23 #include <netdb.h>
24 #endif
25
26 #ifdef HAVE_SSL
27 #include <openssl/ssl.h>
28 #include <openssl/err.h>
29 #include <openssl/x509v3.h>
30 #endif
31
32 ldns_status
33 ldns_dane_create_tlsa_owner(ldns_rdf** tlsa_owner, const ldns_rdf* name,
34 uint16_t port, ldns_dane_transport transport)
35 {
36 char buf[LDNS_MAX_DOMAINLEN];
37 size_t s;
38
39 assert(tlsa_owner != NULL);
40 assert(name != NULL);
41 assert(ldns_rdf_get_type(name) == LDNS_RDF_TYPE_DNAME);
42
43 s = (size_t)snprintf(buf, LDNS_MAX_DOMAINLEN, "X_%d", (int)port);
44 buf[0] = (char)(s - 1);
45
46 switch(transport) {
47 case LDNS_DANE_TRANSPORT_TCP:
48 s += snprintf(buf + s, LDNS_MAX_DOMAINLEN - s, "\004_tcp");
49 break;
50
51 case LDNS_DANE_TRANSPORT_UDP:
52 s += snprintf(buf + s, LDNS_MAX_DOMAINLEN - s, "\004_udp");
53 break;
54
55 case LDNS_DANE_TRANSPORT_SCTP:
56 s += snprintf(buf + s, LDNS_MAX_DOMAINLEN - s, "\005_sctp");
57 break;
58
59 default:
60 return LDNS_STATUS_DANE_UNKNOWN_TRANSPORT;
61 }
62 if (s + ldns_rdf_size(name) > LDNS_MAX_DOMAINLEN) {
63 return LDNS_STATUS_DOMAINNAME_OVERFLOW;
64 }
65 memcpy(buf + s, ldns_rdf_data(name), ldns_rdf_size(name));
66 *tlsa_owner = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_DNAME,
67 s + ldns_rdf_size(name), buf);
68 if (*tlsa_owner == NULL) {
69 return LDNS_STATUS_MEM_ERR;
70 }
71 return LDNS_STATUS_OK;
72 }
73
74
75 #ifdef HAVE_SSL
76 ldns_status
77 ldns_dane_cert2rdf(ldns_rdf** rdf, X509* cert,
78 ldns_tlsa_selector selector,
79 ldns_tlsa_matching_type matching_type)
80 {
81 unsigned char* buf = NULL;
82 size_t len;
83
84 X509_PUBKEY* xpubkey;
85 EVP_PKEY* epubkey;
86
87 unsigned char* digest;
88
89 assert(rdf != NULL);
90 assert(cert != NULL);
91
92 switch(selector) {
93 case LDNS_TLSA_SELECTOR_FULL_CERTIFICATE:
94
95 len = (size_t)i2d_X509(cert, &buf);
96 break;
97
98 case LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO:
99
100 #ifndef S_SPLINT_S
101 xpubkey = X509_get_X509_PUBKEY(cert);
102 #endif
103 if (! xpubkey) {
104 return LDNS_STATUS_SSL_ERR;
105 }
106 epubkey = X509_PUBKEY_get(xpubkey);
107 if (! epubkey) {
108 return LDNS_STATUS_SSL_ERR;
109 }
110 len = (size_t)i2d_PUBKEY(epubkey, &buf);
111 break;
112
113 default:
114 return LDNS_STATUS_DANE_UNKNOWN_SELECTOR;
115 }
116
117 switch(matching_type) {
118 case LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED:
119
120 *rdf = ldns_rdf_new(LDNS_RDF_TYPE_HEX, len, buf);
121
122 return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
123 break;
124
125 case LDNS_TLSA_MATCHING_TYPE_SHA256:
126
127 digest = LDNS_XMALLOC(unsigned char, LDNS_SHA256_DIGEST_LENGTH);
128 if (digest == NULL) {
129 LDNS_FREE(buf);
130 return LDNS_STATUS_MEM_ERR;
131 }
132 (void) ldns_sha256(buf, (unsigned int)len, digest);
133 *rdf = ldns_rdf_new(LDNS_RDF_TYPE_HEX, LDNS_SHA256_DIGEST_LENGTH,
134 digest);
135 LDNS_FREE(buf);
136
137 return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
138 break;
139
140 case LDNS_TLSA_MATCHING_TYPE_SHA512:
141
142 digest = LDNS_XMALLOC(unsigned char, LDNS_SHA512_DIGEST_LENGTH);
143 if (digest == NULL) {
144 LDNS_FREE(buf);
145 return LDNS_STATUS_MEM_ERR;
146 }
147 (void) ldns_sha512(buf, (unsigned int)len, digest);
148 *rdf = ldns_rdf_new(LDNS_RDF_TYPE_HEX, LDNS_SHA512_DIGEST_LENGTH,
149 digest);
150 LDNS_FREE(buf);
151
152 return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
153 break;
154
155 default:
156 LDNS_FREE(buf);
157 return LDNS_STATUS_DANE_UNKNOWN_MATCHING_TYPE;
158 }
159 }
160
161
162 /* Ordinary PKIX validation of cert (with extra_certs to help)
163 * against the CA's in store
164 */
165 static ldns_status
166 ldns_dane_pkix_validate(X509* cert, STACK_OF(X509)* extra_certs,
167 X509_STORE* store)
168 {
169 X509_STORE_CTX* vrfy_ctx;
170 ldns_status s;
171
172 if (! store) {
173 return LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
174 }
175 vrfy_ctx = X509_STORE_CTX_new();
176 if (! vrfy_ctx) {
177
178 return LDNS_STATUS_SSL_ERR;
179
180 } else if (X509_STORE_CTX_init(vrfy_ctx, store,
181 cert, extra_certs) != 1) {
182 s = LDNS_STATUS_SSL_ERR;
183
184 } else if (X509_verify_cert(vrfy_ctx) == 1) {
185
186 s = LDNS_STATUS_OK;
187
188 } else {
189 s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
190 }
191 X509_STORE_CTX_free(vrfy_ctx);
192 return s;
193 }
194
195
196 /* Orinary PKIX validation of cert (with extra_certs to help)
197 * against the CA's in store, but also return the validation chain.
198 */
199 static ldns_status
200 ldns_dane_pkix_validate_and_get_chain(STACK_OF(X509)** chain, X509* cert,
201 STACK_OF(X509)* extra_certs, X509_STORE* store)
202 {
203 ldns_status s;
204 X509_STORE* empty_store = NULL;
205 X509_STORE_CTX* vrfy_ctx;
206
207 assert(chain != NULL);
208
209 if (! store) {
210 store = empty_store = X509_STORE_new();
211 }
212 s = LDNS_STATUS_SSL_ERR;
213 vrfy_ctx = X509_STORE_CTX_new();
214 if (! vrfy_ctx) {
215
216 goto exit_free_empty_store;
217
218 } else if (X509_STORE_CTX_init(vrfy_ctx, store,
219 cert, extra_certs) != 1) {
220 goto exit_free_vrfy_ctx;
221
222 } else if (X509_verify_cert(vrfy_ctx) == 1) {
223
224 s = LDNS_STATUS_OK;
225
226 } else {
227 s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
228 }
229 *chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
230 if (! *chain) {
231 s = LDNS_STATUS_SSL_ERR;
232 }
233
234 exit_free_vrfy_ctx:
235 X509_STORE_CTX_free(vrfy_ctx);
236
237 exit_free_empty_store:
238 if (empty_store) {
239 X509_STORE_free(empty_store);
240 }
241 return s;
242 }
243
244
245 /* Return the validation chain that can be build out of cert, with extra_certs.
246 */
247 static ldns_status
248 ldns_dane_pkix_get_chain(STACK_OF(X509)** chain,
249 X509* cert, STACK_OF(X509)* extra_certs)
250 {
251 ldns_status s;
252 X509_STORE* empty_store = NULL;
253 X509_STORE_CTX* vrfy_ctx;
254
255 assert(chain != NULL);
256
257 empty_store = X509_STORE_new();
258 s = LDNS_STATUS_SSL_ERR;
259 vrfy_ctx = X509_STORE_CTX_new();
260 if (! vrfy_ctx) {
261
262 goto exit_free_empty_store;
263
264 } else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
265 cert, extra_certs) != 1) {
266 goto exit_free_vrfy_ctx;
267 }
268 (void) X509_verify_cert(vrfy_ctx);
269 *chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
270 if (! *chain) {
271 s = LDNS_STATUS_SSL_ERR;
272 } else {
273 s = LDNS_STATUS_OK;
274 }
275 exit_free_vrfy_ctx:
276 X509_STORE_CTX_free(vrfy_ctx);
277
278 exit_free_empty_store:
279 X509_STORE_free(empty_store);
280 return s;
281 }
282
283
284 /* Pop n+1 certs and return the last popped.
285 */
286 static ldns_status
287 ldns_dane_get_nth_cert_from_validation_chain(
288 X509** cert, STACK_OF(X509)* chain, int n, bool ca)
289 {
290 if (n >= sk_X509_num(chain) || n < 0) {
291 return LDNS_STATUS_DANE_OFFSET_OUT_OF_RANGE;
292 }
293 *cert = sk_X509_pop(chain);
294 while (n-- > 0) {
295 X509_free(*cert);
296 *cert = sk_X509_pop(chain);
297 }
298 if (ca && ! X509_check_ca(*cert)) {
299 return LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
300 }
301 return LDNS_STATUS_OK;
302 }
303
304
305 /* Create validation chain with cert and extra_certs and returns the last
306 * self-signed (if present).
307 */
308 static ldns_status
309 ldns_dane_pkix_get_last_self_signed(X509** out_cert,
310 X509* cert, STACK_OF(X509)* extra_certs)
311 {
312 ldns_status s;
313 X509_STORE* empty_store = NULL;
314 X509_STORE_CTX* vrfy_ctx;
315
316 assert(out_cert != NULL);
317
318 empty_store = X509_STORE_new();
319 s = LDNS_STATUS_SSL_ERR;
320 vrfy_ctx = X509_STORE_CTX_new();
321 if (! vrfy_ctx) {
322 goto exit_free_empty_store;
323
324 } else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
325 cert, extra_certs) != 1) {
326 goto exit_free_vrfy_ctx;
327
328 }
329 (void) X509_verify_cert(vrfy_ctx);
330 if (vrfy_ctx->error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
331 vrfy_ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){
332
333 *out_cert = X509_STORE_CTX_get_current_cert( vrfy_ctx);
334 s = LDNS_STATUS_OK;
335 } else {
336 s = LDNS_STATUS_DANE_PKIX_NO_SELF_SIGNED_TRUST_ANCHOR;
337 }
338 exit_free_vrfy_ctx:
339 X509_STORE_CTX_free(vrfy_ctx);
340
341 exit_free_empty_store:
342 X509_STORE_free(empty_store);
343 return s;
344 }
345
346
347 ldns_status
348 ldns_dane_select_certificate(X509** selected_cert,
349 X509* cert, STACK_OF(X509)* extra_certs,
350 X509_STORE* pkix_validation_store,
351 ldns_tlsa_certificate_usage cert_usage, int offset)
352 {
353 ldns_status s;
354 STACK_OF(X509)* pkix_validation_chain = NULL;
355
356 assert(selected_cert != NULL);
357 assert(cert != NULL);
358
359 /* With PKIX validation explicitely turned off (pkix_validation_store
360 * == NULL), treat the "CA constraint" and "Service certificate
361 * constraint" the same as "Trust anchor assertion" and "Domain issued
362 * certificate" respectively.
363 */
364 if (pkix_validation_store == NULL) {
365 switch (cert_usage) {
366
367 case LDNS_TLSA_USAGE_CA_CONSTRAINT:
368
369 cert_usage = LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION;
370 break;
371
372 case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
373
374 cert_usage = LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE;
375 break;
376
377 default:
378 break;
379 }
380 }
381
382 /* Now what to do with each Certificate usage...
383 */
384 switch (cert_usage) {
385
386 case LDNS_TLSA_USAGE_CA_CONSTRAINT:
387
388 s = ldns_dane_pkix_validate_and_get_chain(
389 &pkix_validation_chain,
390 cert, extra_certs,
391 pkix_validation_store);
392 if (! pkix_validation_chain) {
393 return s;
394 }
395 if (s == LDNS_STATUS_OK) {
396 if (offset == -1) {
397 offset = 0;
398 }
399 s = ldns_dane_get_nth_cert_from_validation_chain(
400 selected_cert, pkix_validation_chain,
401 offset, true);
402 }
403 sk_X509_pop_free(pkix_validation_chain, X509_free);
404 return s;
405 break;
406
407
408 case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
409
410 *selected_cert = cert;
411 return ldns_dane_pkix_validate(cert, extra_certs,
412 pkix_validation_store);
413 break;
414
415
416 case LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION:
417
418 if (offset == -1) {
419 s = ldns_dane_pkix_get_last_self_signed(
420 selected_cert, cert, extra_certs);
421 return s;
422 } else {
423 s = ldns_dane_pkix_get_chain(
424 &pkix_validation_chain,
425 cert, extra_certs);
426 if (s == LDNS_STATUS_OK) {
427 s =
428 ldns_dane_get_nth_cert_from_validation_chain(
429 selected_cert, pkix_validation_chain,
430 offset, false);
431 } else if (! pkix_validation_chain) {
432 return s;
433 }
434 sk_X509_pop_free(pkix_validation_chain, X509_free);
435 return s;
436 }
437 break;
438
439
440 case LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE:
441
442 *selected_cert = cert;
443 return LDNS_STATUS_OK;
444 break;
445
446 default:
447 return LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE;
448 break;
449 }
450 }
451
452
453 ldns_status
454 ldns_dane_create_tlsa_rr(ldns_rr** tlsa,
455 ldns_tlsa_certificate_usage certificate_usage,
456 ldns_tlsa_selector selector,
457 ldns_tlsa_matching_type matching_type,
458 X509* cert)
459 {
460 ldns_rdf* rdf;
461 ldns_status s;
462
463 assert(tlsa != NULL);
464 assert(cert != NULL);
465
466 /* create rr */
467 *tlsa = ldns_rr_new_frm_type(LDNS_RR_TYPE_TLSA);
468 if (*tlsa == NULL) {
469 return LDNS_STATUS_MEM_ERR;
470 }
471
472 rdf = ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
473 (uint8_t)certificate_usage);
474 if (rdf == NULL) {
475 goto memerror;
476 }
477 (void) ldns_rr_set_rdf(*tlsa, rdf, 0);
478
479 rdf = ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, (uint8_t)selector);
480 if (rdf == NULL) {
481 goto memerror;
482 }
483 (void) ldns_rr_set_rdf(*tlsa, rdf, 1);
484
485 rdf = ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, (uint8_t)matching_type);
486 if (rdf == NULL) {
487 goto memerror;
488 }
489 (void) ldns_rr_set_rdf(*tlsa, rdf, 2);
490
491 s = ldns_dane_cert2rdf(&rdf, cert, selector, matching_type);
492 if (s == LDNS_STATUS_OK) {
493 (void) ldns_rr_set_rdf(*tlsa, rdf, 3);
494 return LDNS_STATUS_OK;
495 }
496 ldns_rr_free(*tlsa);
497 *tlsa = NULL;
498 return s;
499
500 memerror:
501 ldns_rr_free(*tlsa);
502 *tlsa = NULL;
503 return LDNS_STATUS_MEM_ERR;
504 }
505
506
507 /* Return tlsas that actually are TLSA resource records with known values
508 * for the Certificate usage, Selector and Matching type rdata fields.
509 */
510 static ldns_rr_list*
511 ldns_dane_filter_unusable_records(const ldns_rr_list* tlsas)
512 {
513 size_t i;
514 ldns_rr_list* r = ldns_rr_list_new();
515 ldns_rr* tlsa_rr;
516
517 if (! r) {
518 return NULL;
519 }
520 for (i = 0; i < ldns_rr_list_rr_count(tlsas); i++) {
521 tlsa_rr = ldns_rr_list_rr(tlsas, i);
522 if (ldns_rr_get_type(tlsa_rr) == LDNS_RR_TYPE_TLSA &&
523 ldns_rr_rd_count(tlsa_rr) == 4 &&
524 ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)) <= 3 &&
525 ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1)) <= 1 &&
526 ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2)) <= 2) {
527
528 if (! ldns_rr_list_push_rr(r, tlsa_rr)) {
529 ldns_rr_list_free(r);
530 return NULL;
531 }
532 }
533 }
534 return r;
535 }
536
537
538 /* Return whether cert/selector/matching_type matches data.
539 */
540 static ldns_status
541 ldns_dane_match_cert_with_data(X509* cert, ldns_tlsa_selector selector,
542 ldns_tlsa_matching_type matching_type, ldns_rdf* data)
543 {
544 ldns_status s;
545 ldns_rdf* match_data;
546
547 s = ldns_dane_cert2rdf(&match_data, cert, selector, matching_type);
548 if (s == LDNS_STATUS_OK) {
549 if (ldns_rdf_compare(data, match_data) != 0) {
550 s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
551 }
552 ldns_rdf_free(match_data);
553 }
554 return s;
555 }
556
557
558 /* Return whether any certificate from the chain with selector/matching_type
559 * matches data.
560 * ca should be true if the certificate has to be a CA certificate too.
561 */
562 static ldns_status
563 ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
564 ldns_tlsa_selector selector,
565 ldns_tlsa_matching_type matching_type,
566 ldns_rdf* data, bool ca)
567 {
568 ldns_status s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
569 size_t n, i;
570 X509* cert;
571
572 n = (size_t)sk_X509_num(chain);
573 for (i = 0; i < n; i++) {
574 cert = sk_X509_pop(chain);
575 if (! cert) {
576 s = LDNS_STATUS_SSL_ERR;
577 break;
578 }
579 s = ldns_dane_match_cert_with_data(cert,
580 selector, matching_type, data);
581 if (ca && s == LDNS_STATUS_OK && ! X509_check_ca(cert)) {
582 s = LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
583 }
584 X509_free(cert);
585 if (s != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) {
586 break;
587 }
588 /* when s == LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH,
589 * try to match the next certificate
590 */
591 }
592 return s;
593 }
594
595
596 ldns_status
597 ldns_dane_verify_rr(const ldns_rr* tlsa_rr,
598 X509* cert, STACK_OF(X509)* extra_certs,
599 X509_STORE* pkix_validation_store)
600 {
601 ldns_status s;
602
603 STACK_OF(X509)* pkix_validation_chain = NULL;
604
605 ldns_tlsa_certificate_usage cert_usage;
606 ldns_tlsa_selector selector;
607 ldns_tlsa_matching_type matching_type;
608 ldns_rdf* data;
609
610 if (! tlsa_rr) {
611 /* No TLSA, so regular PKIX validation
612 */
613 return ldns_dane_pkix_validate(cert, extra_certs,
614 pkix_validation_store);
615 }
616 cert_usage = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0));
617 selector = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1));
618 matching_type = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2));
619 data = ldns_rr_rdf(tlsa_rr, 3) ;
620
621 switch (cert_usage) {
622 case LDNS_TLSA_USAGE_CA_CONSTRAINT:
623 s = ldns_dane_pkix_validate_and_get_chain(
624 &pkix_validation_chain,
625 cert, extra_certs,
626 pkix_validation_store);
627 if (! pkix_validation_chain) {
628 return s;
629 }
630 if (s == LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE) {
631 /*
632 * NO PKIX validation. We still try to match *any*
633 * certificate from the chain, so we return
634 * TLSA errors over PKIX errors.
635 *
636 * i.e. When the TLSA matches no certificate, we return
637 * TLSA_DID_NOT_MATCH and not PKIX_DID_NOT_VALIDATE
638 */
639 s = ldns_dane_match_any_cert_with_data(
640 pkix_validation_chain,
641 selector, matching_type, data, true);
642
643 if (s == LDNS_STATUS_OK) {
644 /* A TLSA record did match a cert from the
645 * chain, thus the error is failed PKIX
646 * validation.
647 */
648 s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
649 }
650
651 } else if (s == LDNS_STATUS_OK) {
652 /* PKIX validated, does the TLSA match too? */
653
654 s = ldns_dane_match_any_cert_with_data(
655 pkix_validation_chain,
656 selector, matching_type, data, true);
657 }
658 sk_X509_pop_free(pkix_validation_chain, X509_free);
659 return s;
660 break;
661
662 case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
663 s = ldns_dane_match_cert_with_data(cert,
664 selector, matching_type, data);
665
666 if (s == LDNS_STATUS_OK) {
667 return ldns_dane_pkix_validate(cert, extra_certs,
668 pkix_validation_store);
669 }
670 return s;
671 break;
672
673 case LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION:
674 s = ldns_dane_pkix_get_chain(&pkix_validation_chain,
675 cert, extra_certs);
676
677 if (s == LDNS_STATUS_OK) {
678 s = ldns_dane_match_any_cert_with_data(
679 pkix_validation_chain,
680 selector, matching_type, data, false);
681
682 } else if (! pkix_validation_chain) {
683 return s;
684 }
685 sk_X509_pop_free(pkix_validation_chain, X509_free);
686 return s;
687 break;
688
689 case LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE:
690 return ldns_dane_match_cert_with_data(cert,
691 selector, matching_type, data);
692 break;
693
694 default:
695 break;
696 }
697 return LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE;
698 }
699
700
701 ldns_status
702 ldns_dane_verify(ldns_rr_list* tlsas,
703 X509* cert, STACK_OF(X509)* extra_certs,
704 X509_STORE* pkix_validation_store)
705 {
706 size_t i;
707 ldns_rr* tlsa_rr;
708 ldns_status s = LDNS_STATUS_OK, ps;
709
710 assert(cert != NULL);
711
712 if (tlsas && ldns_rr_list_rr_count(tlsas) > 0) {
713 tlsas = ldns_dane_filter_unusable_records(tlsas);
714 if (! tlsas) {
715 return LDNS_STATUS_MEM_ERR;
716 }
717 }
718 if (! tlsas || ldns_rr_list_rr_count(tlsas) == 0) {
719 /* No TLSA's, so regular PKIX validation
720 */
721 return ldns_dane_pkix_validate(cert, extra_certs,
722 pkix_validation_store);
723 } else {
724 for (i = 0; i < ldns_rr_list_rr_count(tlsas); i++) {
725 tlsa_rr = ldns_rr_list_rr(tlsas, i);
726 ps = s;
727 s = ldns_dane_verify_rr(tlsa_rr, cert, extra_certs,
728 pkix_validation_store);
729
730 if (s != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH &&
731 s != LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE) {
732
733 /* which would be LDNS_STATUS_OK (match)
734 * or some fatal error preventing use from
735 * trying the next TLSA record.
736 */
737 break;
738 }
739 s = (s > ps ? s : ps); /* prefer PKIX_DID_NOT_VALIDATE
740 * over TLSA_DID_NOT_MATCH
741 */
742 }
743 ldns_rr_list_free(tlsas);
744 }
745 return s;
746 }
747 #endif /* HAVE_SSL */
748 #endif /* USE_DANE */
FreeBSD src