[rt-commit] r190 - in /redwax-tool/trunk: redwax-tool.h redwax_openssl.c
Sat Nov 2 11:02:37 CET 2024
Author: minfrin at redwax.eu
Date: Sat Nov 2 11:02:36 2024
New Revision: 190
Log:
Make sure that openssl verification fails in the case where no DANE TLSA
records are resolved, as openssl accepts this case by default.
Modified:
redwax-tool/trunk/redwax-tool.h
redwax-tool/trunk/redwax_openssl.c
Modified: redwax-tool/trunk/redwax-tool.h
==============================================================================
--- redwax-tool/trunk/redwax-tool.h (original)
+++ redwax-tool/trunk/redwax-tool.h Sat Nov 2 11:02:36 2024
@@ -162,6 +162,11 @@
redwax_order_e order;
redwax_expiry_e expiry;
redwax_dane_e dane;
+ int dane_bogus;
+ int dane_insecure;
+ int dane_nxdomain;
+ int dane_malformed;
+ int dane_record;
int poll_work;
int current;
int cert_out;
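Review bot: The five new counters are undocumented, and the later `if (r->dane_basename && !r->dane_record)` check only fails closed if they start at zero, which this hunk cannot show (the struct is allocated elsewhere; presumably pool-allocated and zeroed, but worth confirming). Since `dane_record` is the field that gates verification, I would at least comment it: `int dane_record; /* TLSA records accepted; verification fails closed when this stays 0 */`, with one-line comments on the other four stating they count rejected DNS outcomes for the error report only. The enclosing struct starts and ends outside the hunk.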
Modified: redwax-tool/trunk/redwax_openssl.c
==============================================================================
--- redwax-tool/trunk/redwax_openssl.c (original)
+++ redwax-tool/trunk/redwax_openssl.c Sat Nov 2 11:02:36 2024
@@ -1969,6 +1969,8 @@
"filter-verify-tlsa: DNS TLSA response for '%s' failed "
"DNSSEC validation, ignoring: %s.\n", dns->qname, dns->why_bogus);
+ r->dane_bogus++;
+
return APR_SUCCESS;
}
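Review bot: The blank line is placed after the increment here and in the next hunk, but before it in the nxdomain, malformed and record hunks; one placement should be used for all five so the counters read as the same pattern. Picking the increment-then-blank form, `r->dane_nxdomain++;` followed by an empty line before `return APR_SUCCESS;` would make the later hunks match this one. Each of these increments sits inside a callback whose start is outside its hunk.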
@@ -1978,6 +1980,8 @@
"filter-verify-tlsa: DNS TLSA response for '%s' is "
"not DNSSEC secured, ignoring.\n", dns->qname);
+ r->dane_insecure++;
+
return APR_SUCCESS;
}
@@ -1986,6 +1990,8 @@
redwax_print_error(r,
"filter-verify-tlsa: DNS TLSA record for '%s' does "
"not exist, ignoring.\n", dns->qname);
+
+ r->dane_nxdomain++;
return APR_SUCCESS;
}
@@ -2006,6 +2012,8 @@
redwax_print_error(r,
"filter-verify-tlsa: DNS TLSA record for '%s' not "
"accepted, ignoring.\n", dns->qname);
+
+ r->dane_malformed++;
}
else {
@@ -2017,6 +2025,8 @@
rdata->rr.tlsa.selector_name, rdata->rr.tlsa.selector,
rdata->rr.tlsa.mtype_name, rdata->rr.tlsa.mtype,
rdata->rr.tlsa.len);
+
+ r->dane_record++;
}
@@ -2224,6 +2234,18 @@
return DECLINED;
}
+ if (r->dane_basename && !r->dane_record) {
+
+ redwax_print_error(r,
+ "verify-filter: DANE TLSA record not found "
+ "(%d bogus, %d insecure, %d nxdomain, %d malformed): %s\n",
+ r->dane_bogus, r->dane_insecure, r->dane_nxdomain,
+ r->dane_malformed, r->dane_basename);
+
+ return APR_ENOENT;
+
+ }
+
store = X509_STORE_new();
apr_pool_cleanup_register(r->pool, store, cleanup_x509_store,
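Review bot: The error text "DANE TLSA record not found" is misleading when records were returned but rejected, which is exactly the case the bogus/insecure/malformed counters in the same message exist to report; I would word it as what the check actually tests, `"verify-filter: no usable DANE TLSA record "` followed by `"(%d bogus, %d insecure, %d nxdomain, %d malformed): %s\n",`. Separately, `dane_record` is a total across every TLSA name looked up (the DANE mismatch message further down joins `r->tlsa_qnames`, so there can be several), so one accepted record for any name satisfies this check for all of them; if that is intended, a comment such as `/* fail closed: at least one TLSA record must have been accepted for any queried name */` above the `if` would make the policy explicit. Returning before `X509_STORE_new()` keeps the early exit leak-free. The enclosing function starts outside the hunk.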
@@ -2239,7 +2261,7 @@
if (!(param = X509_VERIFY_PARAM_lookup(r->verify_param))) {
redwax_print_error(r,
- "Verify parameter not found: %s", r->verify_param);
+ "verify-filter: verify parameter not found: %s\n", r->verify_param);
return APR_ENOENT;
}
@@ -2256,7 +2278,7 @@
}
else {
redwax_print_error(r,
- "When verifying, email address can only be specified once\n");
+ "verify-filter: email address can only be specified once\n");
return APR_ENOENT;
}
@@ -2277,7 +2299,7 @@
}
else {
redwax_print_error(r,
- "When verifying, ip address can only be specified once\n");
+ "verify-filter: ip address can only be specified once\n");
return APR_ENOENT;
}
@@ -2289,7 +2311,7 @@
if (purpose == -1) {
redwax_print_error(r,
- "When verifying, purpose was not recognised: %s\n", r->purpose);
+ "verify-filter: purpose was not recognised: %s\n", r->purpose);
return APR_EINVAL;
}
@@ -2301,7 +2323,7 @@
if (!X509_VERIFY_PARAM_set_purpose(X509_STORE_get0_param(store), purpose)) {
redwax_print_error(r,
- "When verifying, purpose could not be specifed\n");
+ "verify-filter: purpose could not be specifed\n");
redwax_openssl_print_errors(r);
return APR_ENOENT;
}
@@ -2369,8 +2391,8 @@
/* no compare module, give up */
if (diff == DECLINED) {
redwax_print_error(r,
- "When verifying, there was no implementation "
- "to compare certificates. Giving up.\n");
+ "verify-filter: there was no implementation "
+ "to compare certificates, giving up.\n");
return APR_ENOENT;
}
@@ -5150,7 +5172,7 @@
}
if (conf->verification == X509_V_ERR_DANE_NO_MATCH) {
- valid_error = apr_psprintf(m->pool, "DANE mismatch: TLSA records do not match: %s", apr_array_pstrcat(r->pool, r->tlsa_qnames, ','));
+ valid_error = apr_psprintf(m->pool, "DANE TLSA records do not match: %s", apr_array_pstrcat(r->pool, r->tlsa_qnames, ','));
}
if (valid_error) {