authorNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-07 12:10:59 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-07 12:10:59 +0200
commit565f2c39c51af3c05dfc25362dca83d32187430d (patch)
tree2508f3ad5a4f1f57423d1f80388379b2bec945f2
parente25f212040b5ddf0e5958c13346a0ab353d92cb7 (diff)
downloadgnutls-565f2c39c51af3c05dfc25362dca83d32187430d.tar.gz
Bug fixes in DANE.
Corrected packet length parsing and removed the verify options DANE_VERIFY_DNSSEC_DATA_INVALID and DANE_VERIFY_NO_DNSSEC_DATA. There is no longer any use for them, since using the DANE API requires DNSSEC.
-rw-r--r--libdane/dane.c17
-rw-r--r--libdane/includes/gnutls/dane.h4
-rw-r--r--src/cli.c4
3 files changed, 4 insertions, 21 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index ebf362c498..e008ad899e 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -234,7 +234,7 @@ int dane_query_resolve_tlsa(dane_query_t q, const char* host, const char* proto,
q->type[i] = q->result->data[i][1];
q->match[i] = q->result->data[i][2];
q->data[i].data = (void*)&q->result->data[i][3];
- q->data[i].size = q->result->len[i];
+ q->data[i].size = q->result->len[i] - 3;
i++;
} while(q->result->data[i] != NULL);
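Review bot: The corrected size on the `+` line subtracts the three TLSA header bytes (usage, selector, matching type) without a visible check that `q->result->len[i]` is at least 3, so a truncated RDATA entry would produce a wrapped-around length if `data[i].size` is unsigned, as a datum length typically is, and the reads of `data[i][1]` and `data[i][2]` just above would already be out of bounds. A guard such as `if (q->result->len[i] < 3) { /* reject or skip this malformed entry */ }` belongs before the header bytes are read, returning whatever error the function already uses for bad records. The enclosing loop and the body of dane_query_resolve_tlsa begin outside the hunk, so such a check may exist earlier; if it does, a one-line comment next to the subtraction noting that the length was validated would make that evident to the next reader.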
@@ -273,7 +273,7 @@ int ret;
return 1;
} else if (match == DANE_MATCH_SHA2_256) {
- if (raw2->size < 32)
+ if (raw2->size != 32)
return 0;
ret = gnutls_hash_fast(GNUTLS_DIG_SHA256, raw1->data, raw1->size, digest);
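Review bot: The literal `32` on the changed line (and `64` in the SHA-512 branch below) spells out the digest length by hand, independently of the `GNUTLS_DIG_*` identifier passed to gnutls_hash_fast on the next line, so the two can silently drift apart if a matching type is added or a digest is swapped. Deriving the expected size from the digest identifier, or at least pairing each literal with a named constant, keeps the equality check and the hash call in sync. The strict `!=` is the right test here, since a field that is not exactly one digest long cannot be a valid full-digest match and should not be compared at all. The opening of the function and the comparison of `digest` against `raw2` lie outside the hunk.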
@@ -285,7 +285,7 @@ int ret;
return 1;
} else if (match == DANE_MATCH_SHA2_512) {
- if (raw2->size < 64)
+ if (raw2->size != 64)
return 0;
ret = gnutls_hash_fast(GNUTLS_DIG_SHA512, raw1->data, raw1->size, digest);
@@ -445,7 +445,7 @@ int dane_verify_crt (
{
dane_query_t q;
int ret;
-unsigned int usage, type, match, idx, status;
+unsigned int usage, type, match, idx;
gnutls_datum_t data;
if (chain_type != GNUTLS_CRT_X509)
@@ -463,15 +463,6 @@ gnutls_datum_t data;
goto cleanup;
}
- status = dane_query_status(q);
- if (status == DANE_QUERY_BOGUS) {
- *verify |= DANE_VERIFY_DNSSEC_DATA_INVALID;
- goto cleanup;
- } else if (status == DANE_QUERY_NO_DNSSEC) {
- *verify |= DANE_VERIFY_NO_DNSSEC_DATA;
- goto cleanup;
- }
-
idx = 0;
do {
ret = dane_query_data(q, idx++, &usage, &type, &match, &data);
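Review bot: With the `dane_query_status` check deleted, dane_verify_crt now walks whatever TLSA entries the query returned without itself confirming that the answer was DNSSEC-validated, so the property stated in the commit message rests entirely on dane_query_resolve_tlsa refusing bogus or unsigned answers, which is not visible in this hunk. If that call can ever return success for a `DANE_QUERY_BOGUS` or `DANE_QUERY_NO_DNSSEC` result, a certificate could be accepted on the strength of unauthenticated DNS data, the opposite of what DANE provides. I would keep a fail-closed check between the resolve call and the entry loop even if it is expected to be unreachable: re-add `status = dane_query_status(q);` (the local was dropped in the preceding hunk) followed by `if (status == DANE_QUERY_BOGUS || status == DANE_QUERY_NO_DNSSEC) goto cleanup;` with `ret` set to the error code the function already uses for a failed query, and a comment saying why. The function continues past the end of the hunk.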
diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h
index 9a3a5e8c43..366d10a980 100644
--- a/libdane/includes/gnutls/dane.h
+++ b/libdane/includes/gnutls/dane.h
@@ -107,8 +107,6 @@ unsigned int dane_query_entries(dane_query_t q);
* @DANE_VERIFY_CA_CONSTRAINS_VIOLATED: The CA constrains was violated.
* @DANE_VERIFY_CERT_DIFFERS: The certificate obtained via DNS differs.
* @DANE_VERIFY_NO_DANE_INFO: No DANE data were found in the DNS record.
- * @DANE_VERIFY_DNSSEC_DATA_INVALID: The DNSSEC data are invalid.
- * @DANE_VERIFY_NO_DNSSEC_DATA: The DNS data were not signed using DNSSEC.
*
* Enumeration of different verification status flags.
*/
@@ -117,8 +115,6 @@ typedef enum dane_verify_status_t
DANE_VERIFY_CA_CONSTRAINS_VIOLATED = 1,
DANE_VERIFY_CERT_DIFFERS = 1<<1,
DANE_VERIFY_NO_DANE_INFO = 1<<2,
- DANE_VERIFY_DNSSEC_DATA_INVALID = 1<<3,
- DANE_VERIFY_NO_DNSSEC_DATA = 1<<4,
} dane_verify_status_t;
/**
diff --git a/src/cli.c b/src/cli.c
index 179e2742fa..ca3a4f8886 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -503,10 +503,6 @@ cert_verify_callback (gnutls_session_t session)
fprintf(stderr, "- The certificate differs.\n");
if (status & DANE_VERIFY_NO_DANE_INFO)
fprintf(stderr, "- There was no DANE information.\n");
- if (status & DANE_VERIFY_DNSSEC_DATA_INVALID)
- fprintf(stderr, "- The DNSSEC signature is invalid.\n");
- if (status & DANE_VERIFY_NO_DNSSEC_DATA)
- fprintf(stderr, "- There was no DNSSEC signature.\n");
if (!insecure)
return -1;
}