generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove experimental DANE code.

Browse Source 
Remove experimental DANE/dnssec code: not ready for use in an
official release yet.
This commit is contained in:
Dr. Stephen Henson 2014-06-06 18:56:24 +01:00
parent cea5a1d5f2
commit e3beef1e1b
7 changed files with 3 additions and 519 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Configure
View File

@ -724,7 +724,6 @@ if (exists $ENV{FIPSDIR})
# All of the following is disabled by default (RC5 was enabled before 0.9.8):
my %disabled = ( # "what" => "comment" [or special keyword "experimental"]
"dane" => "experimental",
"ec_nistp_64_gcc_128" => "default",
"gmp" => "default",
"jpake" => "experimental",
@ -744,7 +743,7 @@ my @experimental = ();
# This is what $depflags will look like with the above defaults
# (we need this to see if we should advise the user to run "make depend"):
my $default_depflags = " -DOPENSSL_NO_DANE -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_MULTIBLOCK -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE";
my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_MULTIBLOCK -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE";
# Explicit "no-..." options will be collected in %disabled along with the defaults.
# To remove something from %disabled, use "enable-foo" (unless it's experimental).

23
ssl/Makefile
View File

@ -30,7 +30,7 @@ LIBSRC= \
ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
ssl_ciph.c ssl_stat.c ssl_rsa.c \
ssl_asn1.c ssl_txt.c ssl_algs.c ssl_conf.c \
bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c dnssec.c
bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c
LIBOBJ= \
s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \
s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \
@ -41,7 +41,7 @@ LIBOBJ= \
ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
ssl_ciph.o ssl_stat.o ssl_rsa.o \
ssl_asn1.o ssl_txt.o ssl_algs.o ssl_conf.o \
bio_ssl.o ssl_err.o kssl.o t1_reneg.o tls_srp.o t1_trce.o dnssec.o
bio_ssl.o ssl_err.o kssl.o t1_reneg.o tls_srp.o t1_trce.o
SRC= $(LIBSRC)
@ -288,25 +288,6 @@ d1_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
d1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
d1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_srvr.c
d1_srvr.o: ssl_locl.h
dnssec.o: ../include/openssl/asn1.h ../include/openssl/bio.h
dnssec.o: ../include/openssl/buffer.h ../include/openssl/comp.h
dnssec.o: ../include/openssl/crypto.h ../include/openssl/dso.h
dnssec.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
dnssec.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
dnssec.o: ../include/openssl/ecdsa.h ../include/openssl/evp.h
dnssec.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
dnssec.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
dnssec.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
dnssec.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
dnssec.o: ../include/openssl/pem.h ../include/openssl/pem2.h
dnssec.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
dnssec.o: ../include/openssl/safestack.h ../include/openssl/sha.h
dnssec.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
dnssec.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
dnssec.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
dnssec.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
dnssec.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h dnssec.c
dnssec.o: ssl.h
kssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
kssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h
kssl.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h

182
ssl/dnssec.c
View File

@ -1,182 +0,0 @@
#include <openssl/opensslconf.h>
#include <string.h>
#include <openssl/bio.h>
#include <openssl/dso.h>
#include "ssl.h"
#ifndef OPENSSL_SYS_WIN32
#include <netdb.h>
#include <sys/socket.h>
#endif
#ifndef OPENSSL_NO_LIBUNBOUND
#include <unbound.h>
static struct ub_ctx *ctx = NULL;
static DSO *unbound_dso = NULL;
static union {
void *p; struct ub_ctx *(*f)(); }
p_ub_ctx_create = {NULL};
static union {
void *p; int (*f)(struct ub_ctx *,const char *); }
p_ub_ctx_resolvconf = {NULL};
static union {
void *p; int (*f)(struct ub_ctx *,const char *); }
p_ub_ctx_add_ta_file = {NULL};
static union {
void *p; void (*f)(struct ub_ctx *); }
p_ub_ctx_delete = {NULL};
static union {
void *p; int (*f)(struct ub_ctx *,const char *,int,int,struct ub_result**); }
p_ub_resolve = {NULL};
static union {
void *p; void (*f)(struct ub_result*); }
p_ub_resolve_free = {NULL};
#if defined(__GNUC__) && __GNUC__>=2
static void unbound_init(void) __attribute__((constructor));
static void unbound_fini(void) __attribute__((destructor));
#endif
static void unbound_init(void)
{
DSO *dso;
if ((dso = DSO_load(NULL, "unbound", NULL, 0)) == NULL) return;
if ((p_ub_ctx_create.p = DSO_bind_func(dso,"ub_ctx_create")) == NULL ||
(p_ub_ctx_resolvconf.p = DSO_bind_func(dso,"ub_ctx_resolvconf")) == NULL ||
(p_ub_ctx_add_ta_file.p = DSO_bind_func(dso,"ub_ctx_add_ta_file")) == NULL ||
(p_ub_ctx_delete.p = DSO_bind_func(dso,"ub_ctx_delete")) == NULL ||
(p_ub_resolve.p = DSO_bind_func(dso,"ub_resolve")) == NULL ||
(p_ub_resolve_free.p = DSO_bind_func(dso,"ub_resolve_free")) == NULL ||
(ctx = p_ub_ctx_create.f()) == NULL) {
DSO_free(dso);
return;
}
unbound_dso = dso;
/* FIXME: parameterize these through CONF */
p_ub_ctx_resolvconf.f(ctx,"/etc/resolv.conf");
p_ub_ctx_add_ta_file.f(ctx,"/var/lib/unbound/root.key");
}
static void unbound_fini(void)
{
if (ctx != NULL) p_ub_ctx_delete.f(ctx);
if (unbound_dso != NULL) DSO_free(unbound_dso);
}
#endif
/*
* Output is array packed as [len][data][len][data][0]
*/
unsigned char *SSL_get_tlsa_record_byname (const char *name,int port,int type)
{
unsigned char *ret=NULL;
char *query=NULL;
size_t qlen;
#ifndef OPENSSL_NO_LIBUNBOUND
if (ctx == NULL) return NULL;
#elif defined(RRSET_VALIDATED)
static union {
void *p; int (*f)(const char*,unsigned int,unsigned int,unsigned int,struct rrsetinfo **); }
p_getrrsetbyname = {NULL};
static union {
void *p; void (*f)(struct rrsetinfo *); }
p_freerrset = {NULL};
if (p_getrrsetbyname.p==NULL) {
if ((p_getrrsetbyname.p = DSO_global_lookup("getrrsetbyname")) == NULL ||
(p_freerrset.p = DSO_global_lookup("freerrset")) == NULL)
p_getrrsetbyname.p = (void*)-1;
}
if (p_getrrsetbyname.p == (void *)-1) return NULL;
#endif
qlen = 7+5+strlen(name)+1;
if ((query = OPENSSL_malloc(qlen)) == NULL)
return NULL;
BIO_snprintf(query,qlen,"_%u._%s.%s",port&0xffff,type==SOCK_STREAM?"tcp":"udp",name);
#ifndef OPENSSL_NO_LIBUNBOUND
{
struct ub_result *tlsa=NULL;
if (p_ub_resolve.f(ctx,query,52,1,&tlsa)==0 &&
tlsa->havedata && tlsa->data[0]!=NULL) {
ret=(void*)-1; /* -1 means insecure */
if (tlsa->secure) do {
unsigned char *data;
unsigned int dlen, i;
for (dlen=0, i=0; tlsa->data[i]; i++)
dlen += sizeof(int)+(unsigned int)tlsa->len[i];
dlen +=sizeof(int);
if ((ret = OPENSSL_malloc(dlen)) == NULL) break;
for (data=ret, i=0; tlsa->data[i]; i++) {
dlen = (unsigned int)tlsa->len[i];
memcpy(data,&dlen,sizeof(dlen));
data += sizeof(dlen);
memcpy(data,tlsa->data[i],dlen);
data += dlen;
}
dlen = 0;
memcpy(data,&dlen,sizeof(dlen)); /* trailing zero */
} while (0);
p_ub_resolve_free.f(tlsa);
}
}
#elif defined(RRSET_VALIDATED)
{
struct rrsetinfo *rrset=NULL;
if (p_getrrsetbyname.f(query,1,52,RRSET_VALIDATED,&rrset) == 0 && rrset->rri_nrdatas) {
ret=(void*)-1; /* -1 means insecure */
if ((rrset->rri_flags&RRSET_VALIDATED)) do {
unsigned char *data;
unsigned int dlen, i;
for (dlen=0, i=0; i<rrset->rri_nrdatas; i++)
dlen += sizeof(int)+rrset->rri_rdatas[i].rdi_length;
dlen +=sizeof(int);
if ((ret = OPENSSL_malloc(sizeof(int)+dlen)) == NULL) break;
for (data=ret, i=0; i<rrset->rri_rdatas[i].rdi_length; i++) {
*(unsigned int *)data = dlen = rrset->rri_rdatas[i].rdi_length;
data += sizeof(unsigned int);
memcpy(data,rrset->rri_rdatas[i].rdi_data,dlen);
data += dlen;
}
*(unsigned int *)data = 0; /* trailing zero */
} while (0);
p_freerrset.f(rrset);
}
}
#elif defined(_WIN32_NOT_YET)
{
PDNS_RECORD rrset;
DnsQuery_A(query,52,DNS_QUERY_STANDARD,NULL,&rrset,NULL);
DnsRecordListFree(rrset,DnsFreeRecordList);
}
#endif
CRYPTO_free(query);
return ret;
}

264
ssl/ssl_cert.c
View File

@ -756,238 +756,12 @@ int ssl_set_peer_cert_type(SESS_CERT *sc,int type)
return(1);
}
#ifndef OPENSSL_NO_DANE
static void tlsa_free(void *parent,void *ptr,CRYPTO_EX_DATA *ad,int idx,long argl,void *argp)
{
TLSA_EX_DATA *ex = ptr;
if (ex!=NULL)
{
if (ex->tlsa_record!=NULL && ex->tlsa_record!=(void *)-1)
OPENSSL_free(ex->tlsa_record);
OPENSSL_free(ex);
}
}
int SSL_get_TLSA_ex_data_idx(void)
{
static volatile int ssl_tlsa_idx= -1;
int got_write_lock = 0;
if (((size_t)&ssl_tlsa_idx&(sizeof(ssl_tlsa_idx)-1))
==0) /* check alignment, practically always true */
{
int ret;
if ((ret=ssl_tlsa_idx) < 0)
{
CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
if ((ret=ssl_tlsa_idx) < 0)
{
ret=ssl_tlsa_idx=SSL_get_ex_new_index(
0,"per-SSL TLSA",NULL,NULL,tlsa_free);
}
CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
}
return ret;
}
else /* commonly eliminated */
{
CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
if (ssl_tlsa_idx < 0)
{
CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
got_write_lock = 1;
if (ssl_tlsa_idx < 0)
{
ssl_tlsa_idx=SSL_get_ex_new_index(
0,"pre-SSL TLSA",NULL,NULL,tlsa_free);
}
}
if (got_write_lock)
CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
else
CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
return ssl_tlsa_idx;
}
}
TLSA_EX_DATA *SSL_get_TLSA_ex_data(SSL *ssl)
{
int idx = SSL_get_TLSA_ex_data_idx();
TLSA_EX_DATA *ex;
if ((ex=SSL_get_ex_data(ssl,idx)) == NULL)
{
ex = OPENSSL_malloc(sizeof(TLSA_EX_DATA));
ex->tlsa_record = NULL;
ex->tlsa_witness = -1;
SSL_set_ex_data(ssl,idx,ex);
}
return ex;
}
/*
* return value:
* -1: format or digest error
* 0: match
* 1: no match
*/
static int tlsa_cmp(const X509 *cert, const unsigned char *tlsa_record,
int reclen)
{
const EVP_MD *md;
unsigned char digest[EVP_MAX_MD_SIZE];
unsigned int len, selector, matching_type;
int ret;
if (reclen<3 || tlsa_record[0]>3) return -1;
selector = tlsa_record[1];
matching_type = tlsa_record[2];
tlsa_record += 3;
reclen -= 3;
switch (matching_type) {
case 0: /* exact match */
if (selector==0) { /* full certificate */
ret = EVP_Digest(tlsa_record,reclen,digest,&len,EVP_sha1(),NULL);
return ret ? memcmp(cert->sha1_hash,digest,len)!=0 : -1;
}
else if (selector==1) { /* SubjectPublicKeyInfo */
ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert);
if (key == NULL) return -1;
if (key->length != reclen) return 1;
return memcmp(key->data,tlsa_record,reclen)!=0;
}
return -1;
case 1: /* SHA256 */
case 2: /* SHA512 */
md = matching_type==1 ? EVP_sha256() : EVP_sha512();
if (reclen!=EVP_MD_size(md)) return -1;
if (selector==0) { /* full certificate */
ret = X509_digest(cert,md,digest,&len);
}
else if (selector==1) { /* SubjectPublicKeyInfo */
ret = X509_pubkey_digest(cert,md,digest,&len);
}
else
return -1;
return ret ? memcmp(tlsa_record,digest,len)!=0 : -1;
default:
return -1;
}
}
static int dane_verify_callback(int ok, X509_STORE_CTX *ctx)
{
SSL *s = X509_STORE_CTX_get_ex_data(ctx,SSL_get_ex_data_X509_STORE_CTX_idx());
int depth=X509_STORE_CTX_get_error_depth(ctx);
X509 *cert = sk_X509_value(ctx->chain,depth);
TLSA_EX_DATA *ex;
const unsigned char *tlsa_record;
int tlsa_ret=-1, mask=1;
if ((ex=SSL_get_ex_data(s, SSL_get_TLSA_ex_data_idx())) == NULL ||
(tlsa_record=ex->tlsa_record) == NULL ||
(tlsa_record==(void *)-1 && (ok=0,ctx->error=X509_V_ERR_INVALID_CA)) || /* temporary code? */
/*
* X509_verify_cert initially starts throwing ok=0 upon
* failure to build certificate chain. As all certificate
* usages except for 3 require verifiable chain, ok=0 at
* non-zero depth is fatal. More specifically ok=0 at zero
* depth is allowed only for usage 3. Special note about
* usage 2. The chain is supposed to be filled by
* dane_get_issuer, or once again we should tolerate ok=0
* only in usage 3 case.
*/
(!ok && depth!=0)) {
if (s->verify_callback) return s->verify_callback(ok,ctx);
else return ok;
}
while (1) {
unsigned int reclen, certificate_usage;
memcpy(&reclen,tlsa_record,sizeof(reclen));
if (reclen==0) break;
tlsa_record += sizeof(reclen);
if (!(ex->tlsa_mask&mask)) { /* not matched yet */
/*
* tlsa_record[0] Certificate Usage field
* tlsa_record[1] Selector field
* tlsa_record[2] Matching Type Field
* tlsa_record+3 Certificate Association data
*/
certificate_usage = tlsa_record[0];
if (depth==0 || certificate_usage==0 || certificate_usage==2) {
tlsa_ret = tlsa_cmp(cert,tlsa_record,reclen);
if (tlsa_ret==0) {
ex->tlsa_witness = depth<<8|certificate_usage;
ex->tlsa_mask |= mask;
break;
}
else if (tlsa_ret==-1) {
ex->tlsa_witness = -1; /* something phishy? */
ex->tlsa_mask |= mask;
}
}
}
tlsa_record += reclen;
mask <<= 1;
}
if (depth==0) {
if (ex->tlsa_witness==-1) /* no match */
ctx->error = X509_V_ERR_CERT_UNTRUSTED, ok=0;
else
ctx->error = X509_V_OK, ok=1;
}
if (s->verify_callback) return s->verify_callback(ok,ctx);
else return ok;
}
static int dane_get_issuer(X509 **issuer,X509_STORE_CTX *ctx,X509 *x)
{
SSL *s = X509_STORE_CTX_get_ex_data(ctx,SSL_get_ex_data_X509_STORE_CTX_idx());
TLSA_EX_DATA *ex=SSL_get_ex_data(s, SSL_get_TLSA_ex_data_idx());
/* XXX TODO */
return ex->get_issuer(issuer,ctx,x);
}
#endif
int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
{
X509 *x;
int i;
X509_STORE *verify_store;
X509_STORE_CTX ctx;
#ifndef OPENSSL_NO_DANE
TLSA_EX_DATA *ex;
#endif
if (s->cert->verify_store)
verify_store = s->cert->verify_store;
@ -1023,44 +797,6 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
*/
X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);
#ifndef OPENSSL_NO_DANE
if (!s->server &&
(ex=SSL_get_ex_data(s, SSL_get_TLSA_ex_data_idx()))!=NULL)
{
const unsigned char *tlsa_record = ex->tlsa_record;
/*
* See if there are usable certificates we can add
* to chain.
*/
while (tlsa_record!=(void *)-1)
{
unsigned int reclen;
memcpy (&reclen,tlsa_record,sizeof(reclen));
if (reclen==0) break;
tlsa_record += sizeof(reclen);
if (tlsa_record[0]==2 &&
tlsa_record[1]==0 && /* full certificate */
tlsa_record[2]==0) /* itself */
{
ex->get_issuer = ctx.get_issuer;
ctx.get_issuer = dane_get_issuer;
break;
}
tlsa_record += reclen;
}
ex->tlsa_mask = 0;
ex->tlsa_witness = -1;
X509_STORE_CTX_set_verify_cb(&ctx, dane_verify_callback);
}
else
#endif
if (s->verify_callback)
X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);

38
ssl/ssl_lib.c
View File

@ -1100,9 +1100,6 @@ int SSL_renegotiate_pending(SSL *s)
long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
{
long l;
#ifndef OPENSSL_NO_DANE
const char *hostname = NULL;
#endif
switch (cmd)
{
@ -1167,41 +1164,6 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
}
else
return ssl_put_cipher_by_char(s,NULL,NULL);
#ifndef OPENSSL_NO_DANE
case SSL_CTRL_PULL_TLSA_RECORD:
hostname = parg;
parg = SSL_get_tlsa_record_byname (parg,larg,s->version<0xF000?1:0);
/* yes, fall through */
case SSL_CTRL_SET_TLSA_RECORD:
if (parg!=NULL)
{
TLSA_EX_DATA *ex = SSL_get_TLSA_ex_data(s);
unsigned char *tlsa_rec = parg;
int tlsa_len = 0;
if (hostname==NULL)
{
while (1)
{
int dlen;
memcpy(&dlen,tlsa_rec,sizeof(dlen));
tlsa_rec += sizeof(dlen)+dlen;
if (dlen==0) break;
}
if ((tlsa_rec = OPENSSL_malloc(tlsa_len)))
memcpy(tlsa_rec,parg,tlsa_len);
else
{
SSLerr(SSL_F_SSL_CTRL,SSL_R_UNINITIALIZED);
return 0;
}
}
ex->tlsa_record = tlsa_rec;
}
return 1;
#endif
default:
return(s->method->ssl_ctrl(s,cmd,larg,parg));
}

11
ssl/ssl_locl.h
View File

@ -1357,15 +1357,4 @@ void tls_fips_digest_extra(
const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx,
const unsigned char *data, size_t data_len, size_t orig_len);
#ifndef OPENSSL_NO_DANE
typedef struct {
unsigned char *tlsa_record;
int tlsa_witness, tlsa_mask;
int (*get_issuer)(X509 **issuer,X509_STORE_CTX *ctx,X509 *x);
} TLSA_EX_DATA;
TLSA_EX_DATA *SSL_get_TLSA_ex_data(SSL *);
int SSL_get_TLSA_ex_data_idx(void);
#endif
#endif

1
util/mk1mf.pl
View File

@ -1231,7 +1231,6 @@ sub read_options
"no-zlib" => 0,
"no-zlib-dynamic" => 0,
"no-ssl-trace" => 0,
"no-dane" => 0,
"no-libunbound" => 0,
"no-multiblock" => 0,
"fips" => \$fips