diff options
author | Gilles Chehade <gilles@poolp.org> | 2015-05-01 11:03:23 +0200 |
---|---|---|
committer | Gilles Chehade <gilles@poolp.org> | 2015-05-01 11:03:23 +0200 |
commit | 6f9b0074504a8fd114951b6351780e3a03e7e92f (patch) | |
tree | 0702b7fb8999922a3e9c33e76d0c27be75bf9df4 | |
parent | i dont know why i mentionned dnssec, it's unrelated (diff) | |
download | OpenSMTPD-6f9b0074504a8fd114951b6351780e3a03e7e92f.tar.xz OpenSMTPD-6f9b0074504a8fd114951b6351780e3a03e7e92f.zip |
already committed as part of lka.c in a different branch
-rw-r--r-- | smtpd/lka_dane.c | 169 |
1 files changed, 0 insertions, 169 deletions
diff --git a/smtpd/lka_dane.c b/smtpd/lka_dane.c deleted file mode 100644 index 97072731..00000000 --- a/smtpd/lka_dane.c +++ /dev/null @@ -1,169 +0,0 @@ -/* $OpenBSD$ */ - -/* - * Copyright (c) 2015 Gilles Chehade <gilles@poolp.org> - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include <sys/types.h> -#include <sys/queue.h> -#include <sys/tree.h> -#include <sys/socket.h> -#include <sys/wait.h> -#include <sys/uio.h> - -#include <netinet/in.h> - -#include <ctype.h> -#include <err.h> -#include <errno.h> -#include <event.h> -#include <imsg.h> -#include <openssl/err.h> -#include <openssl/ssl.h> -#include <pwd.h> -#include <resolv.h> -#include <limits.h> -#include <signal.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -#include "smtpd.h" -#include "log.h" -#include "ssl.h" - -/* DANE support */ -/* - * Bringing DANE support to OpenSMTPD is relatively simple as soon as - * ASR supports TLSA RR. - * - * This file contains the OpenSMTPD-side DANE verification which will - * be plugged in the lookup process when ASR is ready. - * - * THIS IS A WORK IN PROGRESS, NOT THE ACTUAL FINAL CODE. - * - * -- gilles@ - * - */ - -struct tlsa { - uint8_t usage; - uint8_t selector; - uint8_t matching_type; - unsigned char *data; - size_t dlen; -}; - -static int -lka_dane_verify(struct tlsa *tlsa, X509 *cert) -{ - unsigned char *data; - size_t dlen; - - /* First, check usage and understand how it works */ - goto fail; - - /* Then, use selector to determine what to match against tlsa->data */ - switch (selector) { - case 0: - /* DER-encoded cert */ - data = NULL; - break; - case 1: - /* DER-encoded subjectPublickKeyInfo */ - data = NULL; - break; - default: - /* not valid */ - goto fail; - } - - switch (matching_type) { - case 0: { - /* binary match */ - int i; - unsigned char conv[] = "0123456789abcdef"; - - if (tlsa->dlen != dlen * 2) - goto fail; - - for (i = j = 0; i < dlen; ++i, j+=2) { - if (conv[dlen[i] / 16] != tlsa->data[j]) - goto fail; - if (conv[dlen[i] % 16] != tlsa->data[j+1]) - goto fail; - } - break; - } - case 1: { - /* SHA-256 match */ - int i; - SHA256_CTX sha256; - unsigned char hash[SHA256_DIGEST_LENGTH]; - unsigned char obuf[SHA256_DIGEST_LENGTH*2+1]; - unsigned char conv[] = "0123456789abcdef"; - - if (tlsa->dlen != SHA256_DIGEST_LENGTH*2) - goto fail; - - SHA256_Init(&sha256); - SHA256_Update(&sha256, data, dlen); - SHA256_Final(hash, &sha256); - - memset(obuf, 0, sizoef obuf); - for (i = 0; i < sizeof hash; i+=2) { - obuf[i] = conv[hash[i] / 16]; - obuf[i+1] = conv[hash[i] % 16]; - } - - if (memcmp(obuf, tlsa->data, dlen) != 0) - goto fail; - break; - } - case 2: { - /* SHA-512 match */ - int i; - SHA512_CTX sha512; - unsigned char hash[SHA512_DIGEST_LENGTH]; - unsigned char obuf[SHA512_DIGEST_LENGTH*2+1]; - unsigned char conv[] = "0123456789abcdef"; - - if (tlsa->dlen != SHA512_DIGEST_LENGTH*2) - goto fail; - - SHA512_Init(&sha512); - SHA512_Update(&sha512, data, dlen); - SHA512_Final(hash, &sha512); - - memset(obuf, 0, sizoef obuf); - for (i = 0; i < sizeof hash; i+=2) { - obuf[i] = conv[hash[i] / 16]; - obuf[i+1] = conv[hash[i] % 16]; - } - if (memcmp(obuf, tlsa->data, dlen) != 0) - goto fail; - break; - } - default: - /* not valid */ - goto error; - } - - return 1; - -fail: - return 0; -} |