SSL_CTX_dane_enable.pod 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382
  1. =pod
  2. =head1 NAME
  3. SSL_CTX_dane_enable, SSL_CTX_dane_mtype_set, SSL_dane_enable,
  4. SSL_dane_tlsa_add, SSL_get0_dane_authority, SSL_get0_dane_tlsa,
  5. SSL_CTX_dane_set_flags, SSL_CTX_dane_clear_flags,
  6. SSL_dane_set_flags, SSL_dane_clear_flags
  7. - enable DANE TLS authentication of the remote TLS server in the local
  8. TLS client
  9. =head1 SYNOPSIS
  10. #include <openssl/ssl.h>
  11. int SSL_CTX_dane_enable(SSL_CTX *ctx);
  12. int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md,
  13. uint8_t mtype, uint8_t ord);
  14. int SSL_dane_enable(SSL *s, const char *basedomain);
  15. int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector,
  16. uint8_t mtype, unsigned const char *data, size_t dlen);
  17. int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki);
  18. int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector,
  19. uint8_t *mtype, unsigned const char **data,
  20. size_t *dlen);
  21. unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags);
  22. unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags);
  23. unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags);
  24. unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags);
  25. =head1 DESCRIPTION
  26. These functions implement support for DANE TLSA (RFC6698 and RFC7671)
  27. peer authentication.
  28. SSL_CTX_dane_enable() must be called first to initialize the shared state
  29. required for DANE support.
  30. Individual connections associated with the context can then enable
  31. per-connection DANE support as appropriate.
  32. DANE authentication is implemented in the L<X509_verify_cert(3)> function, and
  33. applications that override L<X509_verify_cert(3)> via
  34. L<SSL_CTX_set_cert_verify_callback(3)> are responsible to authenticate the peer
  35. chain in whatever manner they see fit.
  36. SSL_CTX_dane_mtype_set() may then be called zero or more times to adjust the
  37. supported digest algorithms.
  38. This must be done before any SSL handles are created for the context.
  39. The B<mtype> argument specifies a DANE TLSA matching type and the B<md>
  40. argument specifies the associated digest algorithm handle.
  41. The B<ord> argument specifies a strength ordinal.
  42. Algorithms with a larger strength ordinal are considered more secure.
  43. Strength ordinals are used to implement RFC7671 digest algorithm agility.
  44. Specifying a B<NULL> digest algorithm for a matching type disables
  45. support for that matching type.
  46. Matching type Full(0) cannot be modified or disabled.
  47. By default, matching type C<SHA2-256(1)> (see RFC7218 for definitions
  48. of the DANE TLSA parameter acronyms) is mapped to C<EVP_sha256()>
  49. with a strength ordinal of C<1> and matching type C<SHA2-512(2)>
  50. is mapped to C<EVP_sha512()> with a strength ordinal of C<2>.
  51. SSL_dane_enable() must be called before the SSL handshake is initiated with
  52. L<SSL_connect(3)> if (and only if) you want to enable DANE for that connection.
  53. (The connection must be associated with a DANE-enabled SSL context).
  54. The B<basedomain> argument specifies the RFC7671 TLSA base domain,
  55. which will be the primary peer reference identifier for certificate
  56. name checks.
  57. Additional server names can be specified via L<SSL_add1_host(3)>.
  58. The B<basedomain> is used as the default SNI hint if none has yet been
  59. specified via L<SSL_set_tlsext_host_name(3)>.
  60. SSL_dane_tlsa_add() may then be called one or more times, to load each of the
  61. TLSA records that apply to the remote TLS peer.
  62. (This too must be done prior to the beginning of the SSL handshake).
  63. The arguments specify the fields of the TLSA record.
  64. The B<data> field is provided in binary (wire RDATA) form, not the hexadecimal
  65. ASCII presentation form, with an explicit length passed via B<dlen>.
  66. The library takes a copy of the B<data> buffer contents and the caller may
  67. free the original B<data> buffer when convenient.
  68. A return value of 0 indicates that "unusable" TLSA records (with invalid or
  69. unsupported parameters) were provided.
  70. A negative return value indicates an internal error in processing the record.
  71. The caller is expected to check the return value of each SSL_dane_tlsa_add()
  72. call and take appropriate action if none are usable or an internal error
  73. is encountered in processing some records.
  74. If no TLSA records are added successfully, DANE authentication is not enabled,
  75. and authentication will be based on any configured traditional trust-anchors;
  76. authentication success in this case does not mean that the peer was
  77. DANE-authenticated.
  78. SSL_get0_dane_authority() can be used to get more detailed information about
  79. the matched DANE trust-anchor after successful connection completion.
  80. The return value is negative if DANE verification failed (or was not enabled),
  81. 0 if an EE TLSA record directly matched the leaf certificate, or a positive
  82. number indicating the depth at which a TA record matched an issuer certificate.
  83. The complete verified chain can be retrieved via L<SSL_get0_verified_chain(3)>.
  84. The return value is an index into this verified chain, rather than the list of
  85. certificates sent by the peer as returned by L<SSL_get_peer_cert_chain(3)>.
  86. If the B<mcert> argument is not B<NULL> and a TLSA record matched a chain
  87. certificate, a pointer to the matching certificate is returned via B<mcert>.
  88. The returned address is a short-term internal reference to the certificate and
  89. must not be freed by the application.
  90. Applications that want to retain access to the certificate can call
  91. L<X509_up_ref(3)> to obtain a long-term reference which must then be freed via
  92. L<X509_free(3)> once no longer needed.
  93. If no TLSA records directly matched any elements of the certificate chain, but
  94. a DANE-TA(2) SPKI(1) Full(0) record provided the public key that signed an
  95. element of the chain, then that key is returned via B<mspki> argument (if not
  96. NULL).
  97. In this case the return value is the depth of the top-most element of the
  98. validated certificate chain.
  99. As with B<mcert> this is a short-term internal reference, and
  100. L<EVP_PKEY_up_ref(3)> and L<EVP_PKEY_free(3)> can be used to acquire and
  101. release long-term references respectively.
  102. SSL_get0_dane_tlsa() can be used to retrieve the fields of the TLSA record that
  103. matched the peer certificate chain.
  104. The return value indicates the match depth or failure to match just as with
  105. SSL_get0_dane_authority().
  106. When the return value is non-negative, the storage pointed to by the B<usage>,
  107. B<selector>, B<mtype> and B<data> parameters is updated to the corresponding
  108. TLSA record fields.
  109. The B<data> field is in binary wire form, and is therefore not NUL-terminated,
  110. its length is returned via the B<dlen> parameter.
  111. If any of these parameters is NULL, the corresponding field is not returned.
  112. The B<data> parameter is set to a short-term internal-copy of the associated
  113. data field and must not be freed by the application.
  114. Applications that need long-term access to this field need to copy the content.
  115. SSL_CTX_dane_set_flags() and SSL_dane_set_flags() can be used to enable
  116. optional DANE verification features.
  117. SSL_CTX_dane_clear_flags() and SSL_dane_clear_flags() can be used to disable
  118. the same features.
  119. The B<flags> argument is a bitmask of the features to enable or disable.
  120. The B<flags> set for an B<SSL_CTX> context are copied to each B<SSL> handle
  121. associated with that context at the time the handle is created.
  122. Subsequent changes in the context's B<flags> have no effect on the B<flags> set
  123. for the handle.
  124. At present, the only available option is B<DANE_FLAG_NO_DANE_EE_NAMECHECKS>
  125. which can be used to disable server name checks when authenticating via
  126. DANE-EE(3) TLSA records.
  127. For some applications, primarily web browsers, it is not safe to disable name
  128. checks due to "unknown key share" attacks, in which a malicious server can
  129. convince a client that a connection to a victim server is instead a secure
  130. connection to the malicious server.
  131. The malicious server may then be able to violate cross-origin scripting
  132. restrictions.
  133. Thus, despite the text of RFC7671, name checks are by default enabled for
  134. DANE-EE(3) TLSA records, and can be disabled in applications where it is safe
  135. to do so.
  136. In particular, SMTP and XMPP clients should set this option as SRV and MX
  137. records already make it possible for a remote domain to redirect client
  138. connections to any server of its choice, and in any case SMTP and XMPP clients
  139. do not execute scripts downloaded from remote servers.
  140. =head1 RETURN VALUES
  141. The functions SSL_CTX_dane_enable(), SSL_CTX_dane_mtype_set(),
  142. SSL_dane_enable() and SSL_dane_tlsa_add() return a positive value on success.
  143. Negative return values indicate resource problems (out of memory, etc.) in the
  144. SSL library, while a return value of B<0> indicates incorrect usage or invalid
  145. input, such as an unsupported TLSA record certificate usage, selector or
  146. matching type.
  147. Invalid input also includes malformed data, either a digest length that does
  148. not match the digest algorithm, or a C<Full(0)> (binary ASN.1 DER form)
  149. certificate or a public key that fails to parse.
  150. The functions SSL_get0_dane_authority() and SSL_get0_dane_tlsa() return a
  151. negative value when DANE authentication failed or was not enabled, a
  152. non-negative value indicates the chain depth at which the TLSA record matched a
  153. chain certificate, or the depth of the top-most certificate, when the TLSA
  154. record is a full public key that is its signer.
  155. The functions SSL_CTX_dane_set_flags(), SSL_CTX_dane_clear_flags(),
  156. SSL_dane_set_flags() and SSL_dane_clear_flags() return the B<flags> in effect
  157. before they were called.
  158. =head1 EXAMPLE
  159. Suppose "smtp.example.com" is the MX host of the domain "example.com", and has
  160. DNSSEC-validated TLSA records.
  161. The calls below will perform DANE authentication and arrange to match either
  162. the MX hostname or the destination domain name in the SMTP server certificate.
  163. Wildcards are supported, but must match the entire label.
  164. The actual name matched in the certificate (which might be a wildcard) is
  165. retrieved, and must be copied by the application if it is to be retained beyond
  166. the lifetime of the SSL connection.
  167. SSL_CTX *ctx;
  168. SSL *ssl;
  169. int (*verify_cb)(int ok, X509_STORE_CTX *sctx) = NULL;
  170. int num_usable = 0;
  171. const char *nexthop_domain = "example.com";
  172. const char *dane_tlsa_domain = "smtp.example.com";
  173. uint8_t usage, selector, mtype;
  174. if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL)
  175. /* error */
  176. if (SSL_CTX_dane_enable(ctx) <= 0)
  177. /* error */
  178. if ((ssl = SSL_new(ctx)) == NULL)
  179. /* error */
  180. if (SSL_dane_enable(ssl, dane_tlsa_domain) <= 0)
  181. /* error */
  182. /*
  183. * For many applications it is safe to skip DANE-EE(3) namechecks. Do not
  184. * disable the checks unless "unknown key share" attacks pose no risk for
  185. * your application.
  186. */
  187. SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
  188. if (!SSL_add1_host(ssl, nexthop_domain))
  189. /* error */
  190. SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
  191. for (... each TLSA record ...) {
  192. unsigned char *data;
  193. size_t len;
  194. int ret;
  195. /* set usage, selector, mtype, data, len */
  196. /*
  197. * Opportunistic DANE TLS clients support only DANE-TA(2) or DANE-EE(3).
  198. * They treat all other certificate usages, and in particular PKIX-TA(0)
  199. * and PKIX-EE(1), as unusable.
  200. */
  201. switch (usage) {
  202. default:
  203. case 0: /* PKIX-TA(0) */
  204. case 1: /* PKIX-EE(1) */
  205. continue;
  206. case 2: /* DANE-TA(2) */
  207. case 3: /* DANE-EE(3) */
  208. break;
  209. }
  210. ret = SSL_dane_tlsa_add(ssl, usage, selector, mtype, data, len);
  211. /* free data as appropriate */
  212. if (ret < 0)
  213. /* handle SSL library internal error */
  214. else if (ret == 0)
  215. /* handle unusable TLSA record */
  216. else
  217. ++num_usable;
  218. }
  219. /*
  220. * At this point, the verification mode is still the default SSL_VERIFY_NONE.
  221. * Opportunistic DANE clients use unauthenticated TLS when all TLSA records
  222. * are unusable, so continue the handshake even if authentication fails.
  223. */
  224. if (num_usable == 0) {
  225. /* Log all records unusable? */
  226. /* Optionally set verify_cb to a suitable non-NULL callback. */
  227. SSL_set_verify(ssl, SSL_VERIFY_NONE, verify_cb);
  228. } else {
  229. /* At least one usable record. We expect to verify the peer */
  230. /* Optionally set verify_cb to a suitable non-NULL callback. */
  231. /*
  232. * Below we elect to fail the handshake when peer verification fails.
  233. * Alternatively, use the permissive SSL_VERIFY_NONE verification mode,
  234. * complete the handshake, check the verification status, and if not
  235. * verified disconnect gracefully at the application layer, especially if
  236. * application protocol supports informing the server that authentication
  237. * failed.
  238. */
  239. SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb);
  240. }
  241. /*
  242. * Load any saved session for resumption, making sure that the previous
  243. * session applied the same security and authentication requirements that
  244. * would be expected of a fresh connection.
  245. */
  246. /* Perform SSL_connect() handshake and handle errors here */
  247. if (SSL_session_reused(ssl)) {
  248. if (SSL_get_verify_result(ssl) == X509_V_OK) {
  249. /*
  250. * Resumed session was originally verified, this connection is
  251. * authenticated.
  252. */
  253. } else {
  254. /*
  255. * Resumed session was not originally verified, this connection is not
  256. * authenticated.
  257. */
  258. }
  259. } else if (SSL_get_verify_result(ssl) == X509_V_OK) {
  260. const char *peername = SSL_get0_peername(ssl);
  261. EVP_PKEY *mspki = NULL;
  262. int depth = SSL_get0_dane_authority(ssl, NULL, &mspki);
  263. if (depth >= 0) {
  264. (void) SSL_get0_dane_tlsa(ssl, &usage, &selector, &mtype, NULL, NULL);
  265. printf("DANE TLSA %d %d %d %s at depth %d\n", usage, selector, mtype,
  266. (mspki != NULL) ? "TA public key verified certificate" :
  267. depth ? "matched TA certificate" : "matched EE certificate",
  268. depth);
  269. }
  270. if (peername != NULL) {
  271. /* Name checks were in scope and matched the peername */
  272. printf("Verified peername: %s\n", peername);
  273. }
  274. } else {
  275. /*
  276. * Not authenticated, presumably all TLSA rrs unusable, but possibly a
  277. * callback suppressed connection termination despite the presence of
  278. * usable TLSA RRs none of which matched. Do whatever is appropriate for
  279. * fresh unauthenticated connections.
  280. */
  281. }
  282. =head1 NOTES
  283. It is expected that the majority of clients employing DANE TLS will be doing
  284. "opportunistic DANE TLS" in the sense of RFC7672 and RFC7435.
  285. That is, they will use DANE authentication when DNSSEC-validated TLSA records
  286. are published for a given peer, and otherwise will use unauthenticated TLS or
  287. even cleartext.
  288. Such applications should generally treat any TLSA records published by the peer
  289. with usages PKIX-TA(0) and PKIX-EE(1) as "unusable", and should not include
  290. them among the TLSA records used to authenticate peer connections.
  291. In addition, some TLSA records with supported usages may be "unusable" as a
  292. result of invalid or unsupported parameters.
  293. When a peer has TLSA records, but none are "usable", an opportunistic
  294. application must avoid cleartext, but cannot authenticate the peer,
  295. and so should generally proceed with an unauthenticated connection.
  296. Opportunistic applications need to note the return value of each
  297. call to SSL_dane_tlsa_add(), and if all return 0 (due to invalid
  298. or unsupported parameters) disable peer authentication by calling
  299. L<SSL_set_verify(3)> with B<mode> equal to B<SSL_VERIFY_NONE>.
  300. =head1 SEE ALSO
  301. L<SSL_new(3)>,
  302. L<SSL_add1_host(3)>,
  303. L<SSL_set_hostflags(3)>,
  304. L<SSL_set_tlsext_host_name(3)>,
  305. L<SSL_set_verify(3)>,
  306. L<SSL_CTX_set_cert_verify_callback(3)>,
  307. L<SSL_get0_verified_chain(3)>,
  308. L<SSL_get_peer_cert_chain(3)>,
  309. L<SSL_get_verify_result(3)>,
  310. L<SSL_connect(3)>,
  311. L<SSL_get0_peername(3)>,
  312. L<X509_verify_cert(3)>,
  313. L<X509_up_ref(3)>,
  314. L<X509_free(3)>,
  315. L<EVP_get_digestbyname(3)>,
  316. L<EVP_PKEY_up_ref(3)>,
  317. L<EVP_PKEY_free(3)>
  318. =head1 HISTORY
  319. These functions were added in OpenSSL 1.1.0.
  320. =head1 COPYRIGHT
  321. Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
  322. Licensed under the Apache License 2.0 (the "License"). You may not use
  323. this file except in compliance with the License. You can obtain a copy
  324. in the file LICENSE in the source distribution or at
  325. L<https://www.openssl.org/source/license.html>.
  326. =cut