authorChristian Grothoff <christian@grothoff.org>2013-10-21 18:15:57 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2013-10-21 19:48:01 +0200
commit4c45e35790f50818d1179ee4443e77e16424f5dc (patch)
tree6b2783debb34d6e37fc8548022aa85bf3ea3cf53
parentb4ece0d57c1a41bf059b1c822b8c23030145ecd7 (diff)
downloadgnutls-4c45e35790f50818d1179ee4443e77e16424f5dc.tar.gz
Adding dane_verify_crt_raw to allow direct verification of a certificate chain against a dane_query_t (for example, as provided by the new dane_raw_tlsa).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r--libdane/dane.c92
-rw-r--r--libdane/includes/gnutls/dane.h7
2 files changed, 77 insertions, 22 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index c53e2f95c4..01872b519c 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -581,9 +581,7 @@ cleanup:
* @chain: A certificate chain
* @chain_size: The size of the chain
* @chain_type: The type of the certificate chain
- * @hostname: The hostname associated with the chain
- * @proto: The protocol of the service connecting (e.g. tcp)
- * @port: The port of the service connecting (e.g. 443)
+ * @r DANE data to check against
* @sflags: Flags for the the initialization of @s (if NULL)
* @vflags: Verification flags; an OR'ed list of %dane_verify_flags_t.
* @verify: An OR'ed list of %dane_verify_status_t.
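Review bot: The new parameter line `@r DANE data to check against` lacks the colon gtk-doc needs after the parameter name, so it will not be picked up as a parameter description; write `@r: DANE data to check against` to match the `@sflags:`/`@vflags:`/`@verify:` lines around it. The comment block's title line sits just above this hunk and presumably still reads `* dane_verify_crt:`; since the function is renamed in the next hunk it should become `* dane_verify_crt_raw:` or the documentation attaches to the wrong symbol. While touching the block, `Flags for the the initialization` has a doubled word.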
@@ -608,15 +606,14 @@ cleanup:
* negative error value.
*
**/
-int dane_verify_crt (dane_state_t s,
+int dane_verify_crt_raw (dane_state_t s,
const gnutls_datum_t *chain, unsigned chain_size,
gnutls_certificate_type_t chain_type,
- const char * hostname, const char* proto, unsigned int port,
+ dane_query_t r,
unsigned int sflags, unsigned int vflags,
unsigned int *verify)
{
dane_state_t _s = NULL;
-dane_query_t r = NULL;
int ret;
unsigned checked = 0;
unsigned int usage, type, match, idx;
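Review bot: The renamed `dane_verify_crt_raw` keeps the `sflags` parameter, but the only consumer of it in this function, the `dane_state_init(&_s, sflags)` call, is removed in the following hunk, so as far as the visible hunks show the flag is now accepted and ignored. Keeping it is reasonable for symmetry with `dane_verify_crt`, but the behaviour should be stated rather than left to the caller to discover; the `@sflags:` description for this function could read `@sflags: Unused; present for symmetry with dane_verify_crt(). Initialize @s yourself with dane_state_init() if you need non-default flags.` if nothing later in the body reads it. The function body continues past the end of this hunk.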
@@ -626,22 +623,6 @@ gnutls_datum_t data;
return gnutls_assert_val(DANE_E_INVALID_REQUEST);
*verify = 0;
-
- if (s == NULL) {
- ret = dane_state_init(&_s, sflags);
- if (ret < 0) {
- gnutls_assert();
- return ret;
- }
- } else
- _s = s;
-
- ret = dane_query_tlsa(_s, &r, hostname, proto, port);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
-
idx = 0;
do {
ret = dane_query_data(r, idx++, &usage, &type, &match, &data);
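Review bot: With the `dane_query_tlsa` call removed, `r` is now supplied by the caller of a public API, yet the only argument validation kept is the `chain_type` check above; a NULL `r` goes straight into `dane_query_data(r, idx++, ...)`, which (its body is not shown here) almost certainly dereferences it. The same guard style already used for `chain_type` covers it: `if (r == NULL || verify == NULL) return gnutls_assert_val(DANE_E_INVALID_REQUEST);` placed before `*verify = 0;`. This function starts before this hunk and ends after it.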
@@ -677,6 +658,73 @@ gnutls_datum_t data;
cleanup:
if (s == NULL) dane_state_deinit(_s);
+ return ret;
+}
+
+
+/**
+ * dane_verify_crt:
+ * @s: A DANE state structure (may be NULL)
+ * @chain: A certificate chain
+ * @chain_size: The size of the chain
+ * @chain_type: The type of the certificate chain
+ * @hostname: The hostname associated with the chain
+ * @proto: The protocol of the service connecting (e.g. tcp)
+ * @port: The port of the service connecting (e.g. 443)
+ * @sflags: Flags for the the initialization of @s (if NULL)
+ * @vflags: Verification flags; an OR'ed list of %dane_verify_flags_t.
+ * @verify: An OR'ed list of %dane_verify_status_t.
+ *
+ * This function will verify the given certificate chain against the
+ * CA constrains and/or the certificate available via DANE.
+ * If no information via DANE can be obtained the flag %DANE_VERIFY_NO_DANE_INFO
+ * is set. If a DNSSEC signature is not available for the DANE
+ * record then the verify flag %DANE_VERIFY_NO_DNSSEC_DATA is set.
+ *
+ * Note that the CA constraint only applies for the directly certifying CA
+ * and does not account for long CA chains.
+ *
+ * Due to the many possible options of DANE, there is no single threat
+ * model countered. When notifying the user about DANE verification results
+ * it may be better to mention: DANE verification did not reject the certificate,
+ * rather than mentioning a successful DANE verication.
+ *
+ * If the @q parameter is provided it will be used for caching entries.
+ *
+ * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ *
+ **/
+int dane_verify_crt (dane_state_t s,
+ const gnutls_datum_t *chain, unsigned chain_size,
+ gnutls_certificate_type_t chain_type,
+ const char * hostname, const char* proto, unsigned int port,
+ unsigned int sflags, unsigned int vflags,
+ unsigned int *verify)
+{
+dane_state_t _s = NULL;
+dane_query_t r = NULL;
+int ret;
+
+ *verify = 0;
+ if (s == NULL) {
+ ret = dane_state_init(&_s, sflags);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+ } else
+ _s = s;
+
+ ret = dane_query_tlsa(_s, &r, hostname, proto, port);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ ret = dane_verify_crt_raw (s, chain, chain_size, chain_type,
+ r, sflags, vflags, verify);
+cleanup:
+ if (s == NULL) dane_state_deinit(_s);
if (r != NULL) dane_query_deinit(r);
return ret;
}
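Review bot: In `dane_verify_crt_raw` the local `dane_state_t _s = NULL;` (kept at the top of the function) is no longer assigned anywhere now that the `dane_state_init`/`_s = s` block is gone, yet the cleanup path still runs `if (s == NULL) dane_state_deinit(_s);`, so any call with `s == NULL` tears down a state it never created, with `_s` still NULL; whether that is a NULL dereference depends on `dane_state_deinit`, which is not shown, but it is wrong either way. The new `dane_verify_crt` wrapper triggers exactly this, because it passes the caller's `s` rather than the `_s` it initialized (`ret = dane_verify_crt_raw (s, ...)`), so the existing `dane_verify_crt(NULL, ...)` usage is affected, not only new direct callers of `_raw`. The fix is to delete the `dane_state_t _s = NULL;` declaration and the `if (s == NULL) dane_state_deinit(_s);` line from `dane_verify_crt_raw`, leaving the wrapper as the sole owner of the temporary state. Separately, the copied gtk-doc block for `dane_verify_crt` says `If the @q parameter is provided it will be used for caching entries.` but the function has no `@q` parameter; that sentence should be dropped or reworded to refer to `@s`.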
diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h
index 3b0bbf63b9..21413ea14c 100644
--- a/libdane/includes/gnutls/dane.h
+++ b/libdane/includes/gnutls/dane.h
@@ -161,6 +161,13 @@ int
dane_verification_status_print (unsigned int status,
gnutls_datum_t * out, unsigned int flags);
+int dane_verify_crt_raw (dane_state_t s,
+ const gnutls_datum_t *chain, unsigned chain_size,
+ gnutls_certificate_type_t chain_type,
+ dane_query_t r,
+ unsigned int sflags, unsigned int vflags,
+ unsigned int *verify);
+
int dane_verify_crt (dane_state_t s,
const gnutls_datum_t *chain, unsigned chain_size,
gnutls_certificate_type_t chain_type,