+void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, struct dane_st *dane)
+{
+ ctx->dane = dane;
+}
+
+static unsigned char *dane_i2d(
+ X509 *cert,
+ uint8_t selector,
+ unsigned int *i2dlen)
+{
+ unsigned char *buf = NULL;
+ int len;
+
+ /*
+ * Extract ASN.1 DER form of certificate or public key.
+ */
+ switch (selector) {
+ case DANETLS_SELECTOR_CERT:
+ len = i2d_X509(cert, &buf);
+ break;
+ case DANETLS_SELECTOR_SPKI:
+ len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf);
+ break;
+ default:
+ X509err(X509_F_DANE_I2D, X509_R_BAD_SELECTOR);
+ return NULL;
+ }
+
+ if (len < 0 || buf == NULL) {
+ X509err(X509_F_DANE_I2D, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+
+ *i2dlen = (unsigned int)len;
+ return buf;
+}
+
+#define DANETLS_NONE 256 /* impossible uint8_t */
+
+static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth)
+{
+ struct dane_st *dane = (struct dane_st *)ctx->dane;
+ unsigned usage = DANETLS_NONE;
+ unsigned selector = DANETLS_NONE;
+ unsigned ordinal = DANETLS_NONE;
+ unsigned mtype = DANETLS_NONE;
+ unsigned char *i2dbuf = NULL;
+ unsigned int i2dlen = 0;
+ unsigned char mdbuf[EVP_MAX_MD_SIZE];
+ unsigned char *cmpbuf = NULL;
+ unsigned int cmplen = 0;
+ int i;
+ int recnum;
+ int matched = 0;
+ danetls_record *t = NULL;
+ uint32_t mask;
+
+ mask = (depth == 0) ? DANETLS_EE_MASK : DANETLS_TA_MASK;
+
+ /*
+ * The trust store is not applicable with DANE-TA(2)
+ */
+ if (depth >= ctx->num_untrusted)
+ mask &= DANETLS_PKIX_MASK;
+
+ /*
+ * If we've previously matched a PKIX-?? record, no need to test any
+ * furher PKIX-?? records, it remains to just build the PKIX chain.
+ * Had the match been a DANE-?? record, we'd be done already.
+ */
+ if (dane->mdpth >= 0)
+ mask &= ~DANETLS_PKIX_MASK;
+
+ /*-
+ * https://tools.ietf.org/html/rfc7671#section-5.1
+ * https://tools.ietf.org/html/rfc7671#section-5.2
+ * https://tools.ietf.org/html/rfc7671#section-5.3
+ * https://tools.ietf.org/html/rfc7671#section-5.4
+ *
+ * We handle DANE-EE(3) records first as they require no chain building
+ * and no expiration or hostname checks. We also process digests with
+ * higher ordinals first and ignore lower priorities except Full(0) which
+ * is always processed (last). If none match, we then process PKIX-EE(1).
+ *
+ * NOTE: This relies on DANE usages sorting before the corresponding PKIX
+ * usages in SSL_dane_tlsa_add(), and also on descending sorting of digest
+ * priorities. See twin comment in ssl/ssl_lib.c.
+ *
+ * We expect that most TLSA RRsets will have just a single usage, so we
+ * don't go out of our way to cache multiple selector-specific i2d buffers
+ * across usages, but if the selector happens to remain the same as switch
+ * usages, that's OK. Thus, a set of "3 1 1", "3 0 1", "1 1 1", "1 0 1",
+ * records would result in us generating each of the certificate and public
+ * key DER forms twice, but more typically we'd just see multiple "3 1 1"
+ * or multiple "3 0 1" records.
+ *
+ * As soon as we find a match at any given depth, we stop, because either
+ * we've matched a DANE-?? record and the peer is authenticated, or, after
+ * exhausing all DANE-?? records, we've matched a PKIX-?? record, which is
+ * sufficient for DANE, and what remains to do is ordinary PKIX validation.
+ */
+ recnum = (dane->umask & mask) ? sk_danetls_record_num(dane->trecs) : 0;
+ for (i = 0; matched == 0 && i < recnum; ++i) {
+ t = sk_danetls_record_value(dane->trecs, i);
+ if ((DANETLS_USAGE_BIT(t->usage) & mask) == 0)
+ continue;
+ if (t->usage != usage) {
+ usage = t->usage;
+
+ /* Reset digest agility for each usage/selector pair */
+ mtype = DANETLS_NONE;
+ ordinal = dane->dctx->mdord[t->mtype];
+ }
+ if (t->selector != selector) {
+ selector = t->selector;
+
+ /* Update per-selector state */
+ OPENSSL_free(i2dbuf);
+ i2dbuf = dane_i2d(cert, selector, &i2dlen);
+ if (i2dbuf == NULL)
+ return -1;
+
+ /* Reset digest agility for each usage/selector pair */
+ mtype = DANETLS_NONE;
+ ordinal = dane->dctx->mdord[t->mtype];
+ } else if (t->mtype != DANETLS_MATCHING_FULL) {
+ /*-
+ * Digest agility:
+ *
+ * <https://tools.ietf.org/html/rfc7671#section-9>
+ *
+ * For a fixed selector, after processing all records with the
+ * highest mtype ordinal, ignore all mtypes with lower ordinals
+ * other than "Full".
+ */
+ if (dane->dctx->mdord[t->mtype] < ordinal)
+ continue;
+ }
+
+ /*
+ * Each time we hit a (new selector or) mtype, re-compute the relevant
+ * digest, more complex caching is not worth the code space.
+ */
+ if (t->mtype != mtype) {
+ const EVP_MD *md = dane->dctx->mdevp[mtype = t->mtype];
+ cmpbuf = i2dbuf;
+ cmplen = i2dlen;
+
+ if (md != NULL) {
+ cmpbuf = mdbuf;
+ if (!EVP_Digest(i2dbuf, i2dlen, cmpbuf, &cmplen, md, 0)) {
+ matched = -1;
+ break;
+ }
+ }
+ }
+
+ /*
+ * Squirrel away the certificate and depth if we have a match. Any
+ * DANE match is dispositive, but with PKIX we still need to build a
+ * full chain.
+ */
+ if (cmplen == t->dlen &&
+ memcmp(cmpbuf, t->data, cmplen) == 0) {
+ if (DANETLS_USAGE_BIT(usage) & DANETLS_DANE_MASK)
+ matched = 1;
+ if (matched || dane->mdpth < 0) {
+ dane->mdpth = depth;
+ dane->mtlsa = t;
+ OPENSSL_free(dane->mcert);
+ dane->mcert = cert;
+ X509_up_ref(cert);
+ }
+ break;
+ }
+ }
+
+ /* Clear the one-element DER cache */
+ OPENSSL_free(i2dbuf);
+ return matched;
+}
+
+static int check_dane_issuer(X509_STORE_CTX *ctx, int depth)
+{
+ struct dane_st *dane = (struct dane_st *)ctx->dane;
+ int matched = 0;
+ X509 *cert;
+
+ if (!DANETLS_HAS_TA(dane) || depth == 0)
+ return X509_TRUST_UNTRUSTED;
+
+ /*
+ * Record any DANE trust anchor matches, for the first depth to test, if
+ * there's one at that depth. (This'll be false for length 1 chains looking
+ * for an exact match for the leaf certificate).
+ */
+ cert = sk_X509_value(ctx->chain, depth);
+ if (cert != NULL && (matched = dane_match(ctx, cert, depth)) < 0)
+ return X509_TRUST_REJECTED;
+ if (matched > 0) {
+ ctx->num_untrusted = depth - 1;
+ return X509_TRUST_TRUSTED;
+ }
+
+ return X509_TRUST_UNTRUSTED;
+}
+
+static int check_dane_pkeys(X509_STORE_CTX *ctx)
+{
+ struct dane_st *dane = (struct dane_st *)ctx->dane;
+ danetls_record *t;
+ int num = ctx->num_untrusted;
+ X509 *cert = sk_X509_value(ctx->chain, num - 1);
+ int recnum = sk_danetls_record_num(dane->trecs);
+ int i;
+
+ for (i = 0; i < recnum; ++i) {
+ t = sk_danetls_record_value(dane->trecs, i);
+ if (t->usage != DANETLS_USAGE_DANE_TA ||
+ t->selector != DANETLS_SELECTOR_SPKI ||
+ t->mtype != DANETLS_MATCHING_FULL ||
+ X509_verify(cert, t->spki) <= 0)
+ continue;
+
+ /* Clear PKIX-?? matches that failed to panned out to a full chain */
+ X509_free(dane->mcert);
+ dane->mcert = NULL;
+
+ /* Record match via a bare TA public key */
+ ctx->bare_ta_signed = 1;
+ dane->mdpth = num - 1;
+ dane->mtlsa = t;
+
+ /* Prune any excess chain certificates */
+ num = sk_X509_num(ctx->chain);
+ for (; num > ctx->num_untrusted; --num)
+ X509_free(sk_X509_pop(ctx->chain));
+
+ return X509_TRUST_TRUSTED;
+ }
+
+ return X509_TRUST_UNTRUSTED;
+}
+
+static void dane_reset(struct dane_st *dane)
+{
+ /*
+ * Reset state to verify another chain, or clear after failure.
+ */
+ X509_free(dane->mcert);
+ dane->mcert = NULL;
+ dane->mtlsa = NULL;
+ dane->mdpth = -1;
+ dane->pdpth = -1;
+}
+
+static int dane_verify(X509_STORE_CTX *ctx)
+{
+ X509 *cert = ctx->cert;
+ int (*cb)(int xok, X509_STORE_CTX *xctx) = ctx->verify_cb;
+ struct dane_st *dane = (struct dane_st *)ctx->dane;
+ int matched;
+ int done;
+
+ dane_reset(dane);
+
+ matched = dane_match(ctx, ctx->cert, 0);
+ done = matched != 0 || (!DANETLS_HAS_TA(dane) && dane->mdpth < 0);
+
+ if (done)
+ X509_get_pubkey_parameters(NULL, ctx->chain);
+
+ if (matched > 0) {
+ ctx->error_depth = 0;
+ ctx->current_cert = cert;
+ return cb(1, ctx);
+ }
+
+ if (matched < 0) {
+ ctx->error_depth = 0;
+ ctx->current_cert = cert;
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
+ return -1;
+ }
+
+ if (done) {
+ /* Fail early, TA-based success is not possible */
+ ctx->current_cert = cert;
+ ctx->error_depth = 0;
+ ctx->error = X509_V_ERR_CERT_UNTRUSTED;
+ return cb(0, ctx);
+ }
+
+ /*
+ * Chain verification for usages 0/1/2. TLSA record matching of depth > 0
+ * certificates happens in-line with building the rest of the chain.
+ */
+ return verify_chain(ctx);
+}
+
+static int build_chain(X509_STORE_CTX *ctx)
+{
+ struct dane_st *dane = (struct dane_st *)ctx->dane;
+ int (*cb) (int, X509_STORE_CTX *) = ctx->verify_cb;
+ int num = sk_X509_num(ctx->chain);
+ X509 *cert = sk_X509_value(ctx->chain, num - 1);
+ int ss = cert_self_signed(cert);
+ STACK_OF(X509) *sktmp = NULL;
+ unsigned int search;
+ int may_trusted = 0;
+ int may_alternate = 0;
+ int trust = X509_TRUST_UNTRUSTED;
+ int alt_untrusted = 0;
+ int depth;
+ int ok = 0;
+ int i;
+
+ /* Our chain starts with a single untrusted element. */
+ OPENSSL_assert(num == 1 && ctx->num_untrusted == num);
+
+#define S_DOUNTRUSTED (1 << 0) /* Search untrusted chain */
+#define S_DOTRUSTED (1 << 1) /* Search trusted store */
+#define S_DOALTERNATE (1 << 2) /* Retry with pruned alternate chain */
+ /*
+ * Set up search policy, untrusted if possible, trusted-first if enabled.
+ * If we're doing DANE and not doing PKIX-TA/PKIX-EE, we never look in the
+ * trust_store, otherwise we might look there first. If not trusted-first,
+ * and alternate chains are not disabled, try building an alternate chain
+ * if no luck with untrusted first.
+ */
+ search = (ctx->untrusted != NULL) ? S_DOUNTRUSTED : 0;
+ if (DANETLS_HAS_PKIX(dane) || !DANETLS_HAS_DANE(dane)) {
+ if (search == 0 || ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
+ search |= S_DOTRUSTED;
+ else if (!(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS))
+ may_alternate = 1;
+ may_trusted = 1;
+ }