authorNikos Mavrogiannopoulos <nmav@gnutls.org>2013-03-01 16:54:12 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2013-03-01 17:28:24 +0100
commite83a184c54c9c705306ba4941f5600620cd3b597 (patch)
treead1b81e90b02f83e0f3615dd579c36722c1a0523 /libdane
parent754daa7f4fe9dc125c9de24e60e16b7c9c431131 (diff)
Added verify flags for DANE to enforce verification and restrict it to a field.
Diffstat (limited to 'libdane')
-rw-r--r--libdane/dane.c17
-rw-r--r--libdane/includes/gnutls/dane.h15
2 files changed, 26 insertions, 6 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index 9f2d8d7156..7c2be56a07 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -545,7 +545,7 @@ cleanup:
* @proto: The protocol of the service connecting (e.g. tcp)
* @port: The port of the service connecting (e.g. 443)
* @sflags: Flags for the the initialization of @s (if NULL)
- * @vflags: Verification flags; should be zero
+ * @vflags: Verification flags; an OR'ed list of %dane_verify_flags_t.
* @verify: An OR'ed list of %dane_verify_status_t.
*
* This function will verify the given certificate chain against the
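Review bot: The rewritten @vflags entry no longer says what a zero value means, which is what every existing caller passes; since the flags only restrict or tighten the checks, the entry should state the default explicitly, e.g. `@vflags: Verification flags; an OR'ed list of %dane_verify_flags_t, or zero to check every received entry and succeed if none applies.` The rest of the dane_verify_crt() comment and the function itself lie outside this hunk.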
@@ -578,6 +578,7 @@ int dane_verify_crt (dane_state_t s,
dane_state_t _s = NULL;
dane_query_t r = NULL;
int ret;
+unsigned checked = 0;
unsigned int usage, type, match, idx;
gnutls_datum_t data;
@@ -611,24 +612,28 @@ gnutls_datum_t data;
gnutls_assert();
goto cleanup;
}
-
- if (usage == DANE_CERT_USAGE_LOCAL_CA || usage == DANE_CERT_USAGE_CA) {
+
+ if (!(vflags & DANE_VFLAG_ONLY_CHECK_EE_USAGE) && (usage == DANE_CERT_USAGE_LOCAL_CA || usage == DANE_CERT_USAGE_CA)) {
ret = verify_ca(chain, chain_size, chain_type, type, match, &data, verify);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
-
- } else if (usage == DANE_CERT_USAGE_LOCAL_EE || usage == DANE_CERT_USAGE_EE) {
+ checked = 1;
+ } else if (!(vflags & DANE_VFLAG_ONLY_CHECK_CA_USAGE) && (usage == DANE_CERT_USAGE_LOCAL_EE || usage == DANE_CERT_USAGE_EE)) {
ret = verify_ee(&chain[0], chain_type, type, match, &data, verify);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
+ checked = 1;
}
} while(1);
- ret = 0;
+ if ((vflags & DANE_VFLAG_FAIL_IF_NOT_CHECKED) && checked == 0)
+ ret = gnutls_assert_val(DANE_E_REQUESTED_DATA_NOT_AVAILABLE);
+ else
+ ret = 0;
cleanup:
if (s == NULL) dane_state_deinit(_s);
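Review bot: Passing both DANE_VFLAG_ONLY_CHECK_EE_USAGE and DANE_VFLAG_ONLY_CHECK_CA_USAGE makes the two usage conditions in this hunk skip every record, and unless DANE_VFLAG_FAIL_IF_NOT_CHECKED is also set the loop then reaches `ret = 0`, so dane_verify_crt reports success after comparing nothing. That contradictory combination should be rejected before the query loop rather than silently succeeding, e.g. `if ((vflags & DANE_VFLAG_ONLY_CHECK_EE_USAGE) && (vflags & DANE_VFLAG_ONLY_CHECK_CA_USAGE)) return gnutls_assert_val(DANE_E_INVALID_REQUEST);` (or whichever invalid-argument code dane.h prefers). Note also that `checked = 1` only records that an applicable record was handed to verify_ca()/verify_ee(), not that the comparison matched; a one-line comment on the declaration, `/* set once any received entry was compared; the outcome is in *verify */`, would keep later readers from treating it as a match flag. The function starts outside this hunk, so the declaration of `checked` in the preceding hunk is where that comment belongs.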
diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h
index 94841b9989..f5b9104611 100644
--- a/libdane/includes/gnutls/dane.h
+++ b/libdane/includes/gnutls/dane.h
@@ -123,6 +123,21 @@ const char* dane_match_type_name(dane_match_type_t type);
const char* dane_cert_usage_name(dane_cert_usage_t usage);
/**
+ * dane_verify_flags_t:
+ * @DANE_VFLAG_FAIL_IF_NOT_CHECKED: If irrelevant to this certificate DANE entries are received fail instead of succeeding.
+ * @DANE_VFLAG_CHECK_EE_USAGE: The provided certificates will be verified only against any EE field. Combine with %DANE_VFLAG_FAIL_IF_NOT_CHECKED to fail if EE entries are not present.
+ * @DANE_VFLAG_CHECK_CA_USAGE: The provided certificates will be verified only against any CA field. Combine with %DANE_VFLAG_FAIL_IF_NOT_CHECKED to fail if CA entries are not present.
+ *
+ * Enumeration of different verification status flags.
+ */
+typedef enum dane_verify_flags_t
+{
+ DANE_VFLAG_FAIL_IF_NOT_CHECKED = 1,
+ DANE_VFLAG_ONLY_CHECK_EE_USAGE = 1<<1,
+ DANE_VFLAG_ONLY_CHECK_CA_USAGE = 1<<2,
+} dane_verify_flags_t;
+
+/**
* dane_verify_status_t:
* @DANE_VERIFY_CA_CONSTRAINS_VIOLATED: The CA constrains was violated.
* @DANE_VERIFY_CERT_DIFFERS: The certificate obtained via DNS differs.
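Review bot: The gtk-doc comment documents @DANE_VFLAG_CHECK_EE_USAGE and @DANE_VFLAG_CHECK_CA_USAGE, but the enum defines DANE_VFLAG_ONLY_CHECK_EE_USAGE and DANE_VFLAG_ONLY_CHECK_CA_USAGE, so the two @-entries will not resolve to the real constants and should be renamed to match the enum. The summary line `Enumeration of different verification status flags.` looks copied from dane_verify_status_t and would be clearer as `Enumeration of flags that modify the behaviour of dane_verify_crt().` The first entry's wording is hard to parse and could name the observable result, e.g. `@DANE_VFLAG_FAIL_IF_NOT_CHECKED: Fail with %DANE_E_REQUESTED_DATA_NOT_AVAILABLE when none of the received DANE entries applied to the certificate, instead of succeeding.`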