author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-10-07 12:10:59 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-10-07 12:10:59 +0200 |
commit | 565f2c39c51af3c05dfc25362dca83d32187430d (patch) | |
tree | 2508f3ad5a4f1f57423d1f80388379b2bec945f2 /libdane/dane.c | |
parent | e25f212040b5ddf0e5958c13346a0ab353d92cb7 (diff) | |
Bug fixes in DANE.
Corrected packet length parsing and removed the verify
options DANE_VERIFY_DNSSEC_DATA_INVALID and DANE_VERIFY_NO_DNSSEC_DATA.
There is no longer any use for them, since using the DANE API requires DNSSEC.
Diffstat (limited to 'libdane/dane.c')
-rw-r--r-- | libdane/dane.c | 17 |
1 files changed, 4 insertions, 13 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index ebf362c498..e008ad899e 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -234,7 +234,7 @@ int dane_query_resolve_tlsa(dane_query_t q, const char* host, const char* proto,
 q->type[i] = q->result->data[i][1];
 q->match[i] = q->result->data[i][2];
 q->data[i].data = (void*)&q->result->data[i][3];
- q->data[i].size = q->result->len[i];
+ q->data[i].size = q->result->len[i] - 3;
 i++;
 } while(q->result->data[i] != NULL);
@@ -273,7 +273,7 @@ int ret;
 return 1;
 } else if (match == DANE_MATCH_SHA2_256) {
- if (raw2->size < 32)
+ if (raw2->size != 32)
 return 0;
 ret = gnutls_hash_fast(GNUTLS_DIG_SHA256, raw1->data, raw1->size, digest);
@@ -285,7 +285,7 @@ int ret;
 return 1;
 } else if (match == DANE_MATCH_SHA2_512) {
- if (raw2->size < 64)
+ if (raw2->size != 64)
 return 0;
 ret = gnutls_hash_fast(GNUTLS_DIG_SHA512, raw1->data, raw1->size, digest);
@@ -445,7 +445,7 @@ int dane_verify_crt (
 {
 dane_query_t q;
 int ret;
-unsigned int usage, type, match, idx, status;
+unsigned int usage, type, match, idx;
 gnutls_datum_t data;
 if (chain_type != GNUTLS_CRT_X509)
@@ -463,15 +463,6 @@ gnutls_datum_t data;
 goto cleanup;
 }
- status = dane_query_status(q);
- if (status == DANE_QUERY_BOGUS) {
- *verify |= DANE_VERIFY_DNSSEC_DATA_INVALID;
- goto cleanup;
- } else if (status == DANE_QUERY_NO_DNSSEC) {
- *verify |= DANE_VERIFY_NO_DNSSEC_DATA;
- goto cleanup;
- }
-
 idx = 0;
 do {
 ret = dane_query_data(q, idx++, &usage, &type, &match, &data); |
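Review bot: The corrected `q->data[i].size = q->result->len[i] - 3;` still has no guard that the TLSA record actually holds the three fixed header octets, and the byte reads just above it (`data[i][1]`, `data[i][2]`, and presumably the usage byte at `[0]` outside the hunk) make the same assumption. For a resolver answer shorter than three octets the subtraction wraps (or goes negative if `len` is a signed int and is then stored into the unsigned datum size), so the later digest comparison would read well past the RR. DNSSEC validation only proves who published the RRset, not that it is well-formed, so the length needs checking before the field reads: `if (q->result->len[i] < 3) { ret = DANE_E_RECEIVED_CORRUPT_DATA; goto cleanup; }` assuming that is the code the library uses for malformed records and that this function has such an error path. The do-loop body and the enclosing function both start outside the hunk.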
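Review bot: The exact-size checks `if (raw2->size != 32)` here and `!= 64` in the DANE_MATCH_SHA2_512 hunk below hard-code digest lengths that gnutls already knows; `if (raw2->size != gnutls_hash_get_len(GNUTLS_DIG_SHA256))` ties the check to the algorithm passed to gnutls_hash_fast two lines later and removes the magic numbers (same for GNUTLS_DIG_SHA512). Moving from `<` to `!=` is the right direction, since a certificate-association field longer than the digest is a malformed record rather than a prefix match, and the commit now rejects it. The enclosing match function starts and ends outside the hunk, so the `ret` check and the final comparison are not visible here.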
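Review bot: With the DANE_QUERY_BOGUS / DANE_QUERY_NO_DNSSEC handling removed, the match loop in dane_verify_crt now relies entirely on the dane_query_tlsa call above the hunk refusing to return a query whose TLSA RRset was not DNSSEC-validated; the commit message states this as policy, but nothing left in the function documents or enforces it. A comment at the top of the loop, `/* dane_query_tlsa() fails unless the RRset is DNSSEC-verified, so every record reaching this loop is authenticated */`, records the invariant for the next reader, and a cheap defense-in-depth check `if (dane_query_status(q) != DANE_QUERY_DNSSEC_VERIFIED) goto cleanup;` (setting `ret` to the library's DNSSEC error first) would keep an unsigned or bogus answer from ever driving certificate matching if that guarantee is later relaxed, assuming dane_query_tlsa does enforce it today. The query call and the function's cleanup path are outside the hunk.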