From e3beef1e1bdd70031d009dc61ab88b74a4c884c8 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 6 Jun 2014 18:56:24 +0100 Subject: Remove experimental DANE code. Remove experimental DANE/dnssec code: not ready for use in an official release yet. --- ssl/Makefile | 23 +---- ssl/dnssec.c | 182 --------------------------------------- ssl/ssl_cert.c | 264 --------------------------------------------------------- ssl/ssl_lib.c | 38 --------- ssl/ssl_locl.h | 11 --- 5 files changed, 2 insertions(+), 516 deletions(-) delete mode 100644 ssl/dnssec.c (limited to 'ssl') diff --git a/ssl/Makefile b/ssl/Makefile index b1d20b0253..be1460380e 100644 --- a/ssl/Makefile +++ b/ssl/Makefile @@ -30,7 +30,7 @@ LIBSRC= \ ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \ ssl_ciph.c ssl_stat.c ssl_rsa.c \ ssl_asn1.c ssl_txt.c ssl_algs.c ssl_conf.c \ - bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c dnssec.c + bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c LIBOBJ= \ s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \ s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \ @@ -41,7 +41,7 @@ LIBOBJ= \ ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \ ssl_ciph.o ssl_stat.o ssl_rsa.o \ ssl_asn1.o ssl_txt.o ssl_algs.o ssl_conf.o \ - bio_ssl.o ssl_err.o kssl.o t1_reneg.o tls_srp.o t1_trce.o dnssec.o + bio_ssl.o ssl_err.o kssl.o t1_reneg.o tls_srp.o t1_trce.o SRC= $(LIBSRC) @@ -288,25 +288,6 @@ d1_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h d1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h d1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_srvr.c d1_srvr.o: ssl_locl.h -dnssec.o: ../include/openssl/asn1.h ../include/openssl/bio.h -dnssec.o: ../include/openssl/buffer.h ../include/openssl/comp.h -dnssec.o: ../include/openssl/crypto.h ../include/openssl/dso.h -dnssec.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h -dnssec.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -dnssec.o: ../include/openssl/ecdsa.h ../include/openssl/evp.h -dnssec.o: ../include/openssl/hmac.h ../include/openssl/kssl.h -dnssec.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -dnssec.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -dnssec.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -dnssec.o: ../include/openssl/pem.h ../include/openssl/pem2.h -dnssec.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h -dnssec.o: ../include/openssl/safestack.h ../include/openssl/sha.h -dnssec.o: ../include/openssl/srtp.h ../include/openssl/ssl.h -dnssec.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -dnssec.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -dnssec.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -dnssec.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h dnssec.c -dnssec.o: ssl.h kssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h kssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h kssl.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h diff --git a/ssl/dnssec.c b/ssl/dnssec.c deleted file mode 100644 index 62b04b428b..0000000000 --- a/ssl/dnssec.c +++ /dev/null @@ -1,182 +0,0 @@ -#include - -#include -#include -#include - -#include "ssl.h" - -#ifndef OPENSSL_SYS_WIN32 -#include -#include -#endif - -#ifndef OPENSSL_NO_LIBUNBOUND -#include - -static struct ub_ctx *ctx = NULL; -static DSO *unbound_dso = NULL; - -static union { - void *p; struct ub_ctx *(*f)(); } - p_ub_ctx_create = {NULL}; - -static union { - void *p; int (*f)(struct ub_ctx *,const char *); } - p_ub_ctx_resolvconf = {NULL}; - -static union { - void *p; int (*f)(struct ub_ctx *,const char *); } - p_ub_ctx_add_ta_file = {NULL}; - -static union { - void *p; void (*f)(struct ub_ctx *); } - p_ub_ctx_delete = {NULL}; - -static union { - void *p; int (*f)(struct ub_ctx *,const char *,int,int,struct ub_result**); } - p_ub_resolve = {NULL}; - -static union { - void *p; void (*f)(struct ub_result*); } - p_ub_resolve_free = {NULL}; - -#if defined(__GNUC__) && __GNUC__>=2 - static void unbound_init(void) __attribute__((constructor)); - static void unbound_fini(void) __attribute__((destructor)); -#endif - -static void unbound_init(void) -{ - DSO *dso; - - if ((dso = DSO_load(NULL, "unbound", NULL, 0)) == NULL) return; - - if ((p_ub_ctx_create.p = DSO_bind_func(dso,"ub_ctx_create")) == NULL || - (p_ub_ctx_resolvconf.p = DSO_bind_func(dso,"ub_ctx_resolvconf")) == NULL || - (p_ub_ctx_add_ta_file.p = DSO_bind_func(dso,"ub_ctx_add_ta_file")) == NULL || - (p_ub_ctx_delete.p = DSO_bind_func(dso,"ub_ctx_delete")) == NULL || - (p_ub_resolve.p = DSO_bind_func(dso,"ub_resolve")) == NULL || - (p_ub_resolve_free.p = DSO_bind_func(dso,"ub_resolve_free")) == NULL || - (ctx = p_ub_ctx_create.f()) == NULL) { - DSO_free(dso); - return; - } - - unbound_dso = dso; - - /* FIXME: parameterize these through CONF */ - p_ub_ctx_resolvconf.f(ctx,"/etc/resolv.conf"); - p_ub_ctx_add_ta_file.f(ctx,"/var/lib/unbound/root.key"); -} - -static void unbound_fini(void) -{ - if (ctx != NULL) p_ub_ctx_delete.f(ctx); - if (unbound_dso != NULL) DSO_free(unbound_dso); -} -#endif - -/* - * Output is array packed as [len][data][len][data][0] - */ -unsigned char *SSL_get_tlsa_record_byname (const char *name,int port,int type) -{ - unsigned char *ret=NULL; - char *query=NULL; - size_t qlen; - -#ifndef OPENSSL_NO_LIBUNBOUND - if (ctx == NULL) return NULL; -#elif defined(RRSET_VALIDATED) - static union { - void *p; int (*f)(const char*,unsigned int,unsigned int,unsigned int,struct rrsetinfo **); } - p_getrrsetbyname = {NULL}; - static union { - void *p; void (*f)(struct rrsetinfo *); } - p_freerrset = {NULL}; - - if (p_getrrsetbyname.p==NULL) { - if ((p_getrrsetbyname.p = DSO_global_lookup("getrrsetbyname")) == NULL || - (p_freerrset.p = DSO_global_lookup("freerrset")) == NULL) - p_getrrsetbyname.p = (void*)-1; - } - - if (p_getrrsetbyname.p == (void *)-1) return NULL; -#endif - - qlen = 7+5+strlen(name)+1; - if ((query = OPENSSL_malloc(qlen)) == NULL) - return NULL; - - BIO_snprintf(query,qlen,"_%u._%s.%s",port&0xffff,type==SOCK_STREAM?"tcp":"udp",name); - -#ifndef OPENSSL_NO_LIBUNBOUND - { - struct ub_result *tlsa=NULL; - - if (p_ub_resolve.f(ctx,query,52,1,&tlsa)==0 && - tlsa->havedata && tlsa->data[0]!=NULL) { - ret=(void*)-1; /* -1 means insecure */ - if (tlsa->secure) do { - unsigned char *data; - unsigned int dlen, i; - - for (dlen=0, i=0; tlsa->data[i]; i++) - dlen += sizeof(int)+(unsigned int)tlsa->len[i]; - dlen +=sizeof(int); - - if ((ret = OPENSSL_malloc(dlen)) == NULL) break; - - for (data=ret, i=0; tlsa->data[i]; i++) { - dlen = (unsigned int)tlsa->len[i]; - memcpy(data,&dlen,sizeof(dlen)); - data += sizeof(dlen); - memcpy(data,tlsa->data[i],dlen); - data += dlen; - } - dlen = 0; - memcpy(data,&dlen,sizeof(dlen)); /* trailing zero */ - } while (0); - p_ub_resolve_free.f(tlsa); - } - } -#elif defined(RRSET_VALIDATED) - { - struct rrsetinfo *rrset=NULL; - - if (p_getrrsetbyname.f(query,1,52,RRSET_VALIDATED,&rrset) == 0 && rrset->rri_nrdatas) { - ret=(void*)-1; /* -1 means insecure */ - if ((rrset->rri_flags&RRSET_VALIDATED)) do { - unsigned char *data; - unsigned int dlen, i; - - for (dlen=0, i=0; irri_nrdatas; i++) - dlen += sizeof(int)+rrset->rri_rdatas[i].rdi_length; - dlen +=sizeof(int); - - if ((ret = OPENSSL_malloc(sizeof(int)+dlen)) == NULL) break; - - for (data=ret, i=0; irri_rdatas[i].rdi_length; i++) { - *(unsigned int *)data = dlen = rrset->rri_rdatas[i].rdi_length; - data += sizeof(unsigned int); - memcpy(data,rrset->rri_rdatas[i].rdi_data,dlen); - data += dlen; - } - *(unsigned int *)data = 0; /* trailing zero */ - } while (0); - p_freerrset.f(rrset); - } - } -#elif defined(_WIN32_NOT_YET) - { - PDNS_RECORD rrset; - - DnsQuery_A(query,52,DNS_QUERY_STANDARD,NULL,&rrset,NULL); - DnsRecordListFree(rrset,DnsFreeRecordList); - } -#endif - CRYPTO_free(query); - - return ret; -} diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index dcfdcde71e..fc63bdbf24 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -756,238 +756,12 @@ int ssl_set_peer_cert_type(SESS_CERT *sc,int type) return(1); } -#ifndef OPENSSL_NO_DANE -static void tlsa_free(void *parent,void *ptr,CRYPTO_EX_DATA *ad,int idx,long argl,void *argp) - { - TLSA_EX_DATA *ex = ptr; - - if (ex!=NULL) - { - if (ex->tlsa_record!=NULL && ex->tlsa_record!=(void *)-1) - OPENSSL_free(ex->tlsa_record); - - OPENSSL_free(ex); - } - } - -int SSL_get_TLSA_ex_data_idx(void) - { - static volatile int ssl_tlsa_idx= -1; - int got_write_lock = 0; - - if (((size_t)&ssl_tlsa_idx&(sizeof(ssl_tlsa_idx)-1)) - ==0) /* check alignment, practically always true */ - { - int ret; - - if ((ret=ssl_tlsa_idx) < 0) - { - CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - if ((ret=ssl_tlsa_idx) < 0) - { - ret=ssl_tlsa_idx=SSL_get_ex_new_index( - 0,"per-SSL TLSA",NULL,NULL,tlsa_free); - } - CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); - } - - return ret; - } - else /* commonly eliminated */ - { - CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - - if (ssl_tlsa_idx < 0) - { - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); - CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - got_write_lock = 1; - - if (ssl_tlsa_idx < 0) - { - ssl_tlsa_idx=SSL_get_ex_new_index( - 0,"pre-SSL TLSA",NULL,NULL,tlsa_free); - } - } - - if (got_write_lock) - CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); - else - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); - - return ssl_tlsa_idx; - } - } - -TLSA_EX_DATA *SSL_get_TLSA_ex_data(SSL *ssl) - { - int idx = SSL_get_TLSA_ex_data_idx(); - TLSA_EX_DATA *ex; - - if ((ex=SSL_get_ex_data(ssl,idx)) == NULL) - { - ex = OPENSSL_malloc(sizeof(TLSA_EX_DATA)); - ex->tlsa_record = NULL; - ex->tlsa_witness = -1; - SSL_set_ex_data(ssl,idx,ex); - } - - return ex; - } - -/* - * return value: - * -1: format or digest error - * 0: match - * 1: no match - */ -static int tlsa_cmp(const X509 *cert, const unsigned char *tlsa_record, - int reclen) - { - const EVP_MD *md; - unsigned char digest[EVP_MAX_MD_SIZE]; - unsigned int len, selector, matching_type; - int ret; - - if (reclen<3 || tlsa_record[0]>3) return -1; - - selector = tlsa_record[1]; - matching_type = tlsa_record[2]; - tlsa_record += 3; - reclen -= 3; - - switch (matching_type) { - case 0: /* exact match */ - if (selector==0) { /* full certificate */ - ret = EVP_Digest(tlsa_record,reclen,digest,&len,EVP_sha1(),NULL); - return ret ? memcmp(cert->sha1_hash,digest,len)!=0 : -1; - } - else if (selector==1) { /* SubjectPublicKeyInfo */ - ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert); - - if (key == NULL) return -1; - if (key->length != reclen) return 1; - - return memcmp(key->data,tlsa_record,reclen)!=0; - } - return -1; - - case 1: /* SHA256 */ - case 2: /* SHA512 */ - md = matching_type==1 ? EVP_sha256() : EVP_sha512(); - - if (reclen!=EVP_MD_size(md)) return -1; - - if (selector==0) { /* full certificate */ - ret = X509_digest(cert,md,digest,&len); - } - else if (selector==1) { /* SubjectPublicKeyInfo */ - ret = X509_pubkey_digest(cert,md,digest,&len); - } - else - return -1; - - return ret ? memcmp(tlsa_record,digest,len)!=0 : -1; - default: - return -1; - } - } - -static int dane_verify_callback(int ok, X509_STORE_CTX *ctx) - { - SSL *s = X509_STORE_CTX_get_ex_data(ctx,SSL_get_ex_data_X509_STORE_CTX_idx()); - int depth=X509_STORE_CTX_get_error_depth(ctx); - X509 *cert = sk_X509_value(ctx->chain,depth); - TLSA_EX_DATA *ex; - const unsigned char *tlsa_record; - int tlsa_ret=-1, mask=1; - - - if ((ex=SSL_get_ex_data(s, SSL_get_TLSA_ex_data_idx())) == NULL || - (tlsa_record=ex->tlsa_record) == NULL || - (tlsa_record==(void *)-1 && (ok=0,ctx->error=X509_V_ERR_INVALID_CA)) || /* temporary code? */ - /* - * X509_verify_cert initially starts throwing ok=0 upon - * failure to build certificate chain. As all certificate - * usages except for 3 require verifiable chain, ok=0 at - * non-zero depth is fatal. More specifically ok=0 at zero - * depth is allowed only for usage 3. Special note about - * usage 2. The chain is supposed to be filled by - * dane_get_issuer, or once again we should tolerate ok=0 - * only in usage 3 case. - */ - (!ok && depth!=0)) { - if (s->verify_callback) return s->verify_callback(ok,ctx); - else return ok; - } - - while (1) { - unsigned int reclen, certificate_usage; - - memcpy(&reclen,tlsa_record,sizeof(reclen)); - - if (reclen==0) break; - - tlsa_record += sizeof(reclen); - - if (!(ex->tlsa_mask&mask)) { /* not matched yet */ - /* - * tlsa_record[0] Certificate Usage field - * tlsa_record[1] Selector field - * tlsa_record[2] Matching Type Field - * tlsa_record+3 Certificate Association data - */ - certificate_usage = tlsa_record[0]; - - if (depth==0 || certificate_usage==0 || certificate_usage==2) { - tlsa_ret = tlsa_cmp(cert,tlsa_record,reclen); - if (tlsa_ret==0) { - ex->tlsa_witness = depth<<8|certificate_usage; - ex->tlsa_mask |= mask; - break; - } - else if (tlsa_ret==-1) { - ex->tlsa_witness = -1; /* something phishy? */ - ex->tlsa_mask |= mask; - } - } - - } - tlsa_record += reclen; - mask <<= 1; - } - - if (depth==0) { - if (ex->tlsa_witness==-1) /* no match */ - ctx->error = X509_V_ERR_CERT_UNTRUSTED, ok=0; - else - ctx->error = X509_V_OK, ok=1; - } - - if (s->verify_callback) return s->verify_callback(ok,ctx); - else return ok; - } - -static int dane_get_issuer(X509 **issuer,X509_STORE_CTX *ctx,X509 *x) - { - SSL *s = X509_STORE_CTX_get_ex_data(ctx,SSL_get_ex_data_X509_STORE_CTX_idx()); - TLSA_EX_DATA *ex=SSL_get_ex_data(s, SSL_get_TLSA_ex_data_idx()); - - /* XXX TODO */ - - return ex->get_issuer(issuer,ctx,x); - } -#endif - int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) { X509 *x; int i; X509_STORE *verify_store; X509_STORE_CTX ctx; -#ifndef OPENSSL_NO_DANE - TLSA_EX_DATA *ex; -#endif if (s->cert->verify_store) verify_store = s->cert->verify_store; @@ -1023,44 +797,6 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) */ X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param); -#ifndef OPENSSL_NO_DANE - if (!s->server && - (ex=SSL_get_ex_data(s, SSL_get_TLSA_ex_data_idx()))!=NULL) - { - const unsigned char *tlsa_record = ex->tlsa_record; - - /* - * See if there are usable certificates we can add - * to chain. - */ - while (tlsa_record!=(void *)-1) - { - unsigned int reclen; - - memcpy (&reclen,tlsa_record,sizeof(reclen)); - - if (reclen==0) break; - - tlsa_record += sizeof(reclen); - - if (tlsa_record[0]==2 && - tlsa_record[1]==0 && /* full certificate */ - tlsa_record[2]==0) /* itself */ - { - ex->get_issuer = ctx.get_issuer; - ctx.get_issuer = dane_get_issuer; - - break; - } - tlsa_record += reclen; - } - - ex->tlsa_mask = 0; - ex->tlsa_witness = -1; - X509_STORE_CTX_set_verify_cb(&ctx, dane_verify_callback); - } - else -#endif if (s->verify_callback) X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 00b26ba429..3c2c471bc9 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1100,9 +1100,6 @@ int SSL_renegotiate_pending(SSL *s) long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) { long l; -#ifndef OPENSSL_NO_DANE - const char *hostname = NULL; -#endif switch (cmd) { @@ -1167,41 +1164,6 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) } else return ssl_put_cipher_by_char(s,NULL,NULL); -#ifndef OPENSSL_NO_DANE - case SSL_CTRL_PULL_TLSA_RECORD: - hostname = parg; - parg = SSL_get_tlsa_record_byname (parg,larg,s->version<0xF000?1:0); - /* yes, fall through */ - case SSL_CTRL_SET_TLSA_RECORD: - if (parg!=NULL) - { - TLSA_EX_DATA *ex = SSL_get_TLSA_ex_data(s); - unsigned char *tlsa_rec = parg; - int tlsa_len = 0; - - if (hostname==NULL) - { - while (1) - { - int dlen; - - memcpy(&dlen,tlsa_rec,sizeof(dlen)); - tlsa_rec += sizeof(dlen)+dlen; - - if (dlen==0) break; - } - if ((tlsa_rec = OPENSSL_malloc(tlsa_len))) - memcpy(tlsa_rec,parg,tlsa_len); - else - { - SSLerr(SSL_F_SSL_CTRL,SSL_R_UNINITIALIZED); - return 0; - } - } - ex->tlsa_record = tlsa_rec; - } - return 1; -#endif default: return(s->method->ssl_ctrl(s,cmd,larg,parg)); } diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 1d90ddda53..adb1f3214b 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1357,15 +1357,4 @@ void tls_fips_digest_extra( const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx, const unsigned char *data, size_t data_len, size_t orig_len); -#ifndef OPENSSL_NO_DANE - -typedef struct { - unsigned char *tlsa_record; - int tlsa_witness, tlsa_mask; - int (*get_issuer)(X509 **issuer,X509_STORE_CTX *ctx,X509 *x); - } TLSA_EX_DATA; - -TLSA_EX_DATA *SSL_get_TLSA_ex_data(SSL *); -int SSL_get_TLSA_ex_data_idx(void); -#endif #endif -- cgit v1.2.3