# All of the following is disabled by default (RC5 was enabled before 0.9.8):
my %disabled = ( # "what" => "comment" [or special keyword "experimental"]
- "dane" => "experimental",
"ec_nistp_64_gcc_128" => "default",
"gmp" => "default",
"jpake" => "experimental",
# This is what $depflags will look like with the above defaults
# (we need this to see if we should advise the user to run "make depend"):
-my $default_depflags = " -DOPENSSL_NO_DANE -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_MULTIBLOCK -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE";
+my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_MULTIBLOCK -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE";
# Explicit "no-..." options will be collected in %disabled along with the defaults.
# To remove something from %disabled, use "enable-foo" (unless it's experimental).
ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
ssl_ciph.c ssl_stat.c ssl_rsa.c \
ssl_asn1.c ssl_txt.c ssl_algs.c ssl_conf.c \
- bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c dnssec.c
+ bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c
LIBOBJ= \
s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \
s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \
ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
ssl_ciph.o ssl_stat.o ssl_rsa.o \
ssl_asn1.o ssl_txt.o ssl_algs.o ssl_conf.o \
- bio_ssl.o ssl_err.o kssl.o t1_reneg.o tls_srp.o t1_trce.o dnssec.o
+ bio_ssl.o ssl_err.o kssl.o t1_reneg.o tls_srp.o t1_trce.o
SRC= $(LIBSRC)
d1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
d1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_srvr.c
d1_srvr.o: ssl_locl.h
-dnssec.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-dnssec.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-dnssec.o: ../include/openssl/crypto.h ../include/openssl/dso.h
-dnssec.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-dnssec.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-dnssec.o: ../include/openssl/ecdsa.h ../include/openssl/evp.h
-dnssec.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
-dnssec.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-dnssec.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-dnssec.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-dnssec.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-dnssec.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-dnssec.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-dnssec.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-dnssec.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-dnssec.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-dnssec.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-dnssec.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h dnssec.c
-dnssec.o: ssl.h
kssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
kssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h
kssl.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+++ /dev/null
-#include <openssl/opensslconf.h>
-
-#include <string.h>
-#include <openssl/bio.h>
-#include <openssl/dso.h>
-
-#include "ssl.h"
-
-#ifndef OPENSSL_SYS_WIN32
-#include <netdb.h>
-#include <sys/socket.h>
-#endif
-
-#ifndef OPENSSL_NO_LIBUNBOUND
-#include <unbound.h>
-
-static struct ub_ctx *ctx = NULL;
-static DSO *unbound_dso = NULL;
-
-static union {
- void *p; struct ub_ctx *(*f)(); }
- p_ub_ctx_create = {NULL};
-
-static union {
- void *p; int (*f)(struct ub_ctx *,const char *); }
- p_ub_ctx_resolvconf = {NULL};
-
-static union {
- void *p; int (*f)(struct ub_ctx *,const char *); }
- p_ub_ctx_add_ta_file = {NULL};
-
-static union {
- void *p; void (*f)(struct ub_ctx *); }
- p_ub_ctx_delete = {NULL};
-
-static union {
- void *p; int (*f)(struct ub_ctx *,const char *,int,int,struct ub_result**); }
- p_ub_resolve = {NULL};
-
-static union {
- void *p; void (*f)(struct ub_result*); }
- p_ub_resolve_free = {NULL};
-
-#if defined(__GNUC__) && __GNUC__>=2
- static void unbound_init(void) __attribute__((constructor));
- static void unbound_fini(void) __attribute__((destructor));
-#endif
-
-static void unbound_init(void)
-{
- DSO *dso;
-
- if ((dso = DSO_load(NULL, "unbound", NULL, 0)) == NULL) return;
-
- if ((p_ub_ctx_create.p = DSO_bind_func(dso,"ub_ctx_create")) == NULL ||
- (p_ub_ctx_resolvconf.p = DSO_bind_func(dso,"ub_ctx_resolvconf")) == NULL ||
- (p_ub_ctx_add_ta_file.p = DSO_bind_func(dso,"ub_ctx_add_ta_file")) == NULL ||
- (p_ub_ctx_delete.p = DSO_bind_func(dso,"ub_ctx_delete")) == NULL ||
- (p_ub_resolve.p = DSO_bind_func(dso,"ub_resolve")) == NULL ||
- (p_ub_resolve_free.p = DSO_bind_func(dso,"ub_resolve_free")) == NULL ||
- (ctx = p_ub_ctx_create.f()) == NULL) {
- DSO_free(dso);
- return;
- }
-
- unbound_dso = dso;
-
- /* FIXME: parameterize these through CONF */
- p_ub_ctx_resolvconf.f(ctx,"/etc/resolv.conf");
- p_ub_ctx_add_ta_file.f(ctx,"/var/lib/unbound/root.key");
-}
-
-static void unbound_fini(void)
-{
- if (ctx != NULL) p_ub_ctx_delete.f(ctx);
- if (unbound_dso != NULL) DSO_free(unbound_dso);
-}
-#endif
-
-/*
- * Output is array packed as [len][data][len][data][0]
- */
-unsigned char *SSL_get_tlsa_record_byname (const char *name,int port,int type)
-{
- unsigned char *ret=NULL;
- char *query=NULL;
- size_t qlen;
-
-#ifndef OPENSSL_NO_LIBUNBOUND
- if (ctx == NULL) return NULL;
-#elif defined(RRSET_VALIDATED)
- static union {
- void *p; int (*f)(const char*,unsigned int,unsigned int,unsigned int,struct rrsetinfo **); }
- p_getrrsetbyname = {NULL};
- static union {
- void *p; void (*f)(struct rrsetinfo *); }
- p_freerrset = {NULL};
-
- if (p_getrrsetbyname.p==NULL) {
- if ((p_getrrsetbyname.p = DSO_global_lookup("getrrsetbyname")) == NULL ||
- (p_freerrset.p = DSO_global_lookup("freerrset")) == NULL)
- p_getrrsetbyname.p = (void*)-1;
- }
-
- if (p_getrrsetbyname.p == (void *)-1) return NULL;
-#endif
-
- qlen = 7+5+strlen(name)+1;
- if ((query = OPENSSL_malloc(qlen)) == NULL)
- return NULL;
-
- BIO_snprintf(query,qlen,"_%u._%s.%s",port&0xffff,type==SOCK_STREAM?"tcp":"udp",name);
-
-#ifndef OPENSSL_NO_LIBUNBOUND
- {
- struct ub_result *tlsa=NULL;
-
- if (p_ub_resolve.f(ctx,query,52,1,&tlsa)==0 &&
- tlsa->havedata && tlsa->data[0]!=NULL) {
- ret=(void*)-1; /* -1 means insecure */
- if (tlsa->secure) do {
- unsigned char *data;
- unsigned int dlen, i;
-
- for (dlen=0, i=0; tlsa->data[i]; i++)
- dlen += sizeof(int)+(unsigned int)tlsa->len[i];
- dlen +=sizeof(int);
-
- if ((ret = OPENSSL_malloc(dlen)) == NULL) break;
-
- for (data=ret, i=0; tlsa->data[i]; i++) {
- dlen = (unsigned int)tlsa->len[i];
- memcpy(data,&dlen,sizeof(dlen));
- data += sizeof(dlen);
- memcpy(data,tlsa->data[i],dlen);
- data += dlen;
- }
- dlen = 0;
- memcpy(data,&dlen,sizeof(dlen)); /* trailing zero */
- } while (0);
- p_ub_resolve_free.f(tlsa);
- }
- }
-#elif defined(RRSET_VALIDATED)
- {
- struct rrsetinfo *rrset=NULL;
-
- if (p_getrrsetbyname.f(query,1,52,RRSET_VALIDATED,&rrset) == 0 && rrset->rri_nrdatas) {
- ret=(void*)-1; /* -1 means insecure */
- if ((rrset->rri_flags&RRSET_VALIDATED)) do {
- unsigned char *data;
- unsigned int dlen, i;
-
- for (dlen=0, i=0; i<rrset->rri_nrdatas; i++)
- dlen += sizeof(int)+rrset->rri_rdatas[i].rdi_length;
- dlen +=sizeof(int);
-
- if ((ret = OPENSSL_malloc(sizeof(int)+dlen)) == NULL) break;
-
- for (data=ret, i=0; i<rrset->rri_rdatas[i].rdi_length; i++) {
- *(unsigned int *)data = dlen = rrset->rri_rdatas[i].rdi_length;
- data += sizeof(unsigned int);
- memcpy(data,rrset->rri_rdatas[i].rdi_data,dlen);
- data += dlen;
- }
- *(unsigned int *)data = 0; /* trailing zero */
- } while (0);
- p_freerrset.f(rrset);
- }
- }
-#elif defined(_WIN32_NOT_YET)
- {
- PDNS_RECORD rrset;
-
- DnsQuery_A(query,52,DNS_QUERY_STANDARD,NULL,&rrset,NULL);
- DnsRecordListFree(rrset,DnsFreeRecordList);
- }
-#endif
- CRYPTO_free(query);
-
- return ret;
-}
return(1);
}
-#ifndef OPENSSL_NO_DANE
-static void tlsa_free(void *parent,void *ptr,CRYPTO_EX_DATA *ad,int idx,long argl,void *argp)
- {
- TLSA_EX_DATA *ex = ptr;
-
- if (ex!=NULL)
- {
- if (ex->tlsa_record!=NULL && ex->tlsa_record!=(void *)-1)
- OPENSSL_free(ex->tlsa_record);
-
- OPENSSL_free(ex);
- }
- }
-
-int SSL_get_TLSA_ex_data_idx(void)
- {
- static volatile int ssl_tlsa_idx= -1;
- int got_write_lock = 0;
-
- if (((size_t)&ssl_tlsa_idx&(sizeof(ssl_tlsa_idx)-1))
- ==0) /* check alignment, practically always true */
- {
- int ret;
-
- if ((ret=ssl_tlsa_idx) < 0)
- {
- CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
- if ((ret=ssl_tlsa_idx) < 0)
- {
- ret=ssl_tlsa_idx=SSL_get_ex_new_index(
- 0,"per-SSL TLSA",NULL,NULL,tlsa_free);
- }
- CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
- }
-
- return ret;
- }
- else /* commonly eliminated */
- {
- CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
-
- if (ssl_tlsa_idx < 0)
- {
- CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
- CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
- got_write_lock = 1;
-
- if (ssl_tlsa_idx < 0)
- {
- ssl_tlsa_idx=SSL_get_ex_new_index(
- 0,"pre-SSL TLSA",NULL,NULL,tlsa_free);
- }
- }
-
- if (got_write_lock)
- CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
- else
- CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
-
- return ssl_tlsa_idx;
- }
- }
-
-TLSA_EX_DATA *SSL_get_TLSA_ex_data(SSL *ssl)
- {
- int idx = SSL_get_TLSA_ex_data_idx();
- TLSA_EX_DATA *ex;
-
- if ((ex=SSL_get_ex_data(ssl,idx)) == NULL)
- {
- ex = OPENSSL_malloc(sizeof(TLSA_EX_DATA));
- ex->tlsa_record = NULL;
- ex->tlsa_witness = -1;
- SSL_set_ex_data(ssl,idx,ex);
- }
-
- return ex;
- }
-
-/*
- * return value:
- * -1: format or digest error
- * 0: match
- * 1: no match
- */
-static int tlsa_cmp(const X509 *cert, const unsigned char *tlsa_record,
- int reclen)
- {
- const EVP_MD *md;
- unsigned char digest[EVP_MAX_MD_SIZE];
- unsigned int len, selector, matching_type;
- int ret;
-
- if (reclen<3 || tlsa_record[0]>3) return -1;
-
- selector = tlsa_record[1];
- matching_type = tlsa_record[2];
- tlsa_record += 3;
- reclen -= 3;
-
- switch (matching_type) {
- case 0: /* exact match */
- if (selector==0) { /* full certificate */
- ret = EVP_Digest(tlsa_record,reclen,digest,&len,EVP_sha1(),NULL);
- return ret ? memcmp(cert->sha1_hash,digest,len)!=0 : -1;
- }
- else if (selector==1) { /* SubjectPublicKeyInfo */
- ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert);
-
- if (key == NULL) return -1;
- if (key->length != reclen) return 1;
-
- return memcmp(key->data,tlsa_record,reclen)!=0;
- }
- return -1;
-
- case 1: /* SHA256 */
- case 2: /* SHA512 */
- md = matching_type==1 ? EVP_sha256() : EVP_sha512();
-
- if (reclen!=EVP_MD_size(md)) return -1;
-
- if (selector==0) { /* full certificate */
- ret = X509_digest(cert,md,digest,&len);
- }
- else if (selector==1) { /* SubjectPublicKeyInfo */
- ret = X509_pubkey_digest(cert,md,digest,&len);
- }
- else
- return -1;
-
- return ret ? memcmp(tlsa_record,digest,len)!=0 : -1;
- default:
- return -1;
- }
- }
-
-static int dane_verify_callback(int ok, X509_STORE_CTX *ctx)
- {
- SSL *s = X509_STORE_CTX_get_ex_data(ctx,SSL_get_ex_data_X509_STORE_CTX_idx());
- int depth=X509_STORE_CTX_get_error_depth(ctx);
- X509 *cert = sk_X509_value(ctx->chain,depth);
- TLSA_EX_DATA *ex;
- const unsigned char *tlsa_record;
- int tlsa_ret=-1, mask=1;
-
-
- if ((ex=SSL_get_ex_data(s, SSL_get_TLSA_ex_data_idx())) == NULL ||
- (tlsa_record=ex->tlsa_record) == NULL ||
- (tlsa_record==(void *)-1 && (ok=0,ctx->error=X509_V_ERR_INVALID_CA)) || /* temporary code? */
- /*
- * X509_verify_cert initially starts throwing ok=0 upon
- * failure to build certificate chain. As all certificate
- * usages except for 3 require verifiable chain, ok=0 at
- * non-zero depth is fatal. More specifically ok=0 at zero
- * depth is allowed only for usage 3. Special note about
- * usage 2. The chain is supposed to be filled by
- * dane_get_issuer, or once again we should tolerate ok=0
- * only in usage 3 case.
- */
- (!ok && depth!=0)) {
- if (s->verify_callback) return s->verify_callback(ok,ctx);
- else return ok;
- }
-
- while (1) {
- unsigned int reclen, certificate_usage;
-
- memcpy(&reclen,tlsa_record,sizeof(reclen));
-
- if (reclen==0) break;
-
- tlsa_record += sizeof(reclen);
-
- if (!(ex->tlsa_mask&mask)) { /* not matched yet */
- /*
- * tlsa_record[0] Certificate Usage field
- * tlsa_record[1] Selector field
- * tlsa_record[2] Matching Type Field
- * tlsa_record+3 Certificate Association data
- */
- certificate_usage = tlsa_record[0];
-
- if (depth==0 || certificate_usage==0 || certificate_usage==2) {
- tlsa_ret = tlsa_cmp(cert,tlsa_record,reclen);
- if (tlsa_ret==0) {
- ex->tlsa_witness = depth<<8|certificate_usage;
- ex->tlsa_mask |= mask;
- break;
- }
- else if (tlsa_ret==-1) {
- ex->tlsa_witness = -1; /* something phishy? */
- ex->tlsa_mask |= mask;
- }
- }
-
- }
- tlsa_record += reclen;
- mask <<= 1;
- }
-
- if (depth==0) {
- if (ex->tlsa_witness==-1) /* no match */
- ctx->error = X509_V_ERR_CERT_UNTRUSTED, ok=0;
- else
- ctx->error = X509_V_OK, ok=1;
- }
-
- if (s->verify_callback) return s->verify_callback(ok,ctx);
- else return ok;
- }
-
-static int dane_get_issuer(X509 **issuer,X509_STORE_CTX *ctx,X509 *x)
- {
- SSL *s = X509_STORE_CTX_get_ex_data(ctx,SSL_get_ex_data_X509_STORE_CTX_idx());
- TLSA_EX_DATA *ex=SSL_get_ex_data(s, SSL_get_TLSA_ex_data_idx());
-
- /* XXX TODO */
-
- return ex->get_issuer(issuer,ctx,x);
- }
-#endif
-
int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
{
X509 *x;
int i;
X509_STORE *verify_store;
X509_STORE_CTX ctx;
-#ifndef OPENSSL_NO_DANE
- TLSA_EX_DATA *ex;
-#endif
if (s->cert->verify_store)
verify_store = s->cert->verify_store;
*/
X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);
-#ifndef OPENSSL_NO_DANE
- if (!s->server &&
- (ex=SSL_get_ex_data(s, SSL_get_TLSA_ex_data_idx()))!=NULL)
- {
- const unsigned char *tlsa_record = ex->tlsa_record;
-
- /*
- * See if there are usable certificates we can add
- * to chain.
- */
- while (tlsa_record!=(void *)-1)
- {
- unsigned int reclen;
-
- memcpy (&reclen,tlsa_record,sizeof(reclen));
-
- if (reclen==0) break;
-
- tlsa_record += sizeof(reclen);
-
- if (tlsa_record[0]==2 &&
- tlsa_record[1]==0 && /* full certificate */
- tlsa_record[2]==0) /* itself */
- {
- ex->get_issuer = ctx.get_issuer;
- ctx.get_issuer = dane_get_issuer;
-
- break;
- }
- tlsa_record += reclen;
- }
-
- ex->tlsa_mask = 0;
- ex->tlsa_witness = -1;
- X509_STORE_CTX_set_verify_cb(&ctx, dane_verify_callback);
- }
- else
-#endif
if (s->verify_callback)
X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
{
long l;
-#ifndef OPENSSL_NO_DANE
- const char *hostname = NULL;
-#endif
switch (cmd)
{
}
else
return ssl_put_cipher_by_char(s,NULL,NULL);
-#ifndef OPENSSL_NO_DANE
- case SSL_CTRL_PULL_TLSA_RECORD:
- hostname = parg;
- parg = SSL_get_tlsa_record_byname (parg,larg,s->version<0xF000?1:0);
- /* yes, fall through */
- case SSL_CTRL_SET_TLSA_RECORD:
- if (parg!=NULL)
- {
- TLSA_EX_DATA *ex = SSL_get_TLSA_ex_data(s);
- unsigned char *tlsa_rec = parg;
- int tlsa_len = 0;
-
- if (hostname==NULL)
- {
- while (1)
- {
- int dlen;
-
- memcpy(&dlen,tlsa_rec,sizeof(dlen));
- tlsa_rec += sizeof(dlen)+dlen;
-
- if (dlen==0) break;
- }
- if ((tlsa_rec = OPENSSL_malloc(tlsa_len)))
- memcpy(tlsa_rec,parg,tlsa_len);
- else
- {
- SSLerr(SSL_F_SSL_CTRL,SSL_R_UNINITIALIZED);
- return 0;
- }
- }
- ex->tlsa_record = tlsa_rec;
- }
- return 1;
-#endif
default:
return(s->method->ssl_ctrl(s,cmd,larg,parg));
}
const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx,
const unsigned char *data, size_t data_len, size_t orig_len);
-#ifndef OPENSSL_NO_DANE
-
-typedef struct {
- unsigned char *tlsa_record;
- int tlsa_witness, tlsa_mask;
- int (*get_issuer)(X509 **issuer,X509_STORE_CTX *ctx,X509 *x);
- } TLSA_EX_DATA;
-
-TLSA_EX_DATA *SSL_get_TLSA_ex_data(SSL *);
-int SSL_get_TLSA_ex_data_idx(void);
-#endif
#endif
"no-zlib" => 0,
"no-zlib-dynamic" => 0,
"no-ssl-trace" => 0,
- "no-dane" => 0,
"no-libunbound" => 0,
"no-multiblock" => 0,
"fips" => \$fips
projects / openssl.git / commitdiff