author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-03-01 16:54:12 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-03-01 17:28:24 +0100 |
commit | e83a184c54c9c705306ba4941f5600620cd3b597 (patch) | |
tree | ad1b81e90b02f83e0f3615dd579c36722c1a0523 /libdane/dane.c | |
parent | 754daa7f4fe9dc125c9de24e60e16b7c9c431131 (diff) | |
download | gnutls-e83a184c54c9c705306ba4941f5600620cd3b597.tar.gz |
Added verify flags for DANE to enforce verification and restrict it to a field.
Diffstat (limited to 'libdane/dane.c')
-rw-r--r-- | libdane/dane.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index 9f2d8d7156..7c2be56a07 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -545,7 +545,7 @@ cleanup:
 * @proto: The protocol of the service connecting (e.g. tcp)
 * @port: The port of the service connecting (e.g. 443)
 * @sflags: Flags for the the initialization of @s (if NULL)
- * @vflags: Verification flags; should be zero
+ * @vflags: Verification flags; an OR'ed list of %dane_verify_flags_t.
 * @verify: An OR'ed list of %dane_verify_status_t.
 *
 * This function will verify the given certificate chain against the
@@ -578,6 +578,7 @@ int dane_verify_crt (dane_state_t s,
 dane_state_t _s = NULL;
 dane_query_t r = NULL;
 int ret;
+unsigned checked = 0;
 unsigned int usage, type, match, idx;
 gnutls_datum_t data;
@@ -611,24 +612,28 @@ gnutls_datum_t data;
 gnutls_assert();
 goto cleanup;
 }
-
- if (usage == DANE_CERT_USAGE_LOCAL_CA || usage == DANE_CERT_USAGE_CA) {
+
+ if (!(vflags & DANE_VFLAG_ONLY_CHECK_EE_USAGE) && (usage == DANE_CERT_USAGE_LOCAL_CA || usage == DANE_CERT_USAGE_CA)) {
 ret = verify_ca(chain, chain_size, chain_type, type, match, &data, verify);
 if (ret < 0) {
 gnutls_assert();
 goto cleanup;
 }
-
- } else if (usage == DANE_CERT_USAGE_LOCAL_EE || usage == DANE_CERT_USAGE_EE) {
+ checked = 1;
+ } else if (!(vflags & DANE_VFLAG_ONLY_CHECK_CA_USAGE) && (usage == DANE_CERT_USAGE_LOCAL_EE || usage == DANE_CERT_USAGE_EE)) {
 ret = verify_ee(&chain[0], chain_type, type, match, &data, verify);
 if (ret < 0) {
 gnutls_assert();
 goto cleanup;
 }
+ checked = 1;
 }
 } while(1);
- ret = 0;
+ if ((vflags & DANE_VFLAG_FAIL_IF_NOT_CHECKED) && checked == 0)
+ ret = gnutls_assert_val(DANE_E_REQUESTED_DATA_NOT_AVAILABLE);
+ else
+ ret = 0;
 cleanup:
 if (s == NULL) dane_state_deinit(_s);
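Review bot: A caller that sets both DANE_VFLAG_ONLY_CHECK_EE_USAGE and DANE_VFLAG_ONLY_CHECK_CA_USAGE makes the two new conditions in the third hunk skip every record, so unless DANE_VFLAG_FAIL_IF_NOT_CHECKED is also given the function falls through to `ret = 0` without any verify_ca/verify_ee call and with `verify` left as it was before the loop (whether it is zeroed earlier in dane_verify_crt is outside the hunk). Rejecting the contradictory pair at the top of dane_verify_crt, before any state is allocated, `if ((vflags & DANE_VFLAG_ONLY_CHECK_EE_USAGE) && (vflags & DANE_VFLAG_ONLY_CHECK_CA_USAGE)) return gnutls_assert_val(DANE_E_INVALID_REQUEST);`, would turn that silent no-op into an error. The same fail-open outcome applies to records whose usage matches neither branch, so the @vflags text in the first hunk should state that without DANE_VFLAG_FAIL_IF_NOT_CHECKED a zero return does not mean any TLSA record was matched, and that the flag is what turns "no applicable record" into DANE_E_REQUESTED_DATA_NOT_AVAILABLE. dane_verify_crt both starts and ends outside the hunk.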