diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-11-08 22:14:07 +0100 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-11-08 22:17:10 +0100 |
| commit | 76c93d23c073ef8b885503b7d28a31ffe2add6d8 (patch) | |
| tree | 1dd2d22a197bc40c5330e516969a7cb1ae9bc96f /libdane | |
| parent | 559a144f6bbcbb611453f82e655dd7438c14d1a7 (diff) | |
| download | gnutls-76c93d23c073ef8b885503b7d28a31ffe2add6d8.tar.gz | |
reindented code
Diffstat (limited to 'libdane')
| -rw-r--r-- | libdane/dane-params.c | 117 | ||||
| -rw-r--r-- | libdane/dane.c | 1086 | ||||
| -rw-r--r-- | libdane/errors.c | 98 | ||||
| -rw-r--r-- | libdane/includes/gnutls/dane.h | 139 |
4 files changed, 687 insertions, 753 deletions
diff --git a/libdane/dane-params.c b/libdane/dane-params.c index 86b4d27519..eff3548cb2 100644 --- a/libdane/dane-params.c +++ b/libdane/dane-params.c @@ -32,46 +32,40 @@ #include <gnutls/x509.h> #include <gnutls/abstract.h> -typedef struct cert_type_entry -{ - const char* name; - dane_cert_type_t type; +typedef struct cert_type_entry { + const char *name; + dane_cert_type_t type; } cert_type_entry; -static const cert_type_entry dane_cert_types[] = -{ - {"X.509", DANE_CERT_X509}, - {"SubjectPublicKeyInfo", DANE_CERT_PK}, - {NULL, 0} +static const cert_type_entry dane_cert_types[] = { + {"X.509", DANE_CERT_X509}, + {"SubjectPublicKeyInfo", DANE_CERT_PK}, + {NULL, 0} }; -typedef struct match_type_entry -{ - const char* name; - dane_match_type_t type; +typedef struct match_type_entry { + const char *name; + dane_match_type_t type; } match_type_entry; -static const match_type_entry dane_match_types[] = -{ - {"Exact match", DANE_MATCH_EXACT}, - {"SHA2-256 hash", DANE_MATCH_SHA2_256}, - {"SHA2-512 hash", DANE_MATCH_SHA2_512}, - {NULL, 0} +static const match_type_entry dane_match_types[] = { + {"Exact match", DANE_MATCH_EXACT}, + {"SHA2-256 hash", DANE_MATCH_SHA2_256}, + {"SHA2-512 hash", DANE_MATCH_SHA2_512}, + {NULL, 0} }; -typedef struct cert_usage_entry -{ - const char* name; - dane_cert_usage_t usage; +typedef struct cert_usage_entry { + const char *name; + dane_cert_usage_t usage; } cert_usage_entry; -static const cert_usage_entry dane_cert_usages[] = -{ - {"CA", DANE_CERT_USAGE_CA}, - {"End-entity", DANE_CERT_USAGE_EE}, - {"Local CA", DANE_CERT_USAGE_LOCAL_CA}, - {"Local end-entity", DANE_CERT_USAGE_LOCAL_EE}, - {NULL, 0} +static const cert_usage_entry dane_cert_usages[] = { + {"CA", DANE_CERT_USAGE_CA}, + {"End-entity", DANE_CERT_USAGE_EE}, + {"Local CA", DANE_CERT_USAGE_LOCAL_CA}, + {"Local end-entity", DANE_CERT_USAGE_LOCAL_EE}, + {NULL, 0} }; @@ -85,18 +79,17 @@ static const cert_usage_entry dane_cert_usages[] = * Returns: a string that contains the name of the specified * type, or %NULL. **/ -const char* dane_cert_type_name(dane_cert_type_t type) +const char *dane_cert_type_name(dane_cert_type_t type) { -const cert_type_entry* e = dane_cert_types; - - while(e->name != NULL) - { - if (e->type == type) - return e->name; - e++; - } - - return NULL; + const cert_type_entry *e = dane_cert_types; + + while (e->name != NULL) { + if (e->type == type) + return e->name; + e++; + } + + return NULL; } /** @@ -108,18 +101,17 @@ const cert_type_entry* e = dane_cert_types; * Returns: a string that contains the name of the specified * type, or %NULL. **/ -const char* dane_match_type_name(dane_match_type_t type) +const char *dane_match_type_name(dane_match_type_t type) { -const match_type_entry* e = dane_match_types; - - while(e->name != NULL) - { - if (e->type == type) - return e->name; - e++; - } - - return NULL; + const match_type_entry *e = dane_match_types; + + while (e->name != NULL) { + if (e->type == type) + return e->name; + e++; + } + + return NULL; } /** @@ -131,17 +123,16 @@ const match_type_entry* e = dane_match_types; * Returns: a string that contains the name of the specified * type, or %NULL. **/ -const char* dane_cert_usage_name(dane_cert_usage_t usage) +const char *dane_cert_usage_name(dane_cert_usage_t usage) { -const cert_usage_entry* e = dane_cert_usages; - - while(e->name != NULL) - { - if (e->usage == usage) - return e->name; - e++; - } - - return NULL; + const cert_usage_entry *e = dane_cert_usages; + + while (e->name != NULL) { + if (e->usage == usage) + return e->name; + e++; + } + + return NULL; } diff --git a/libdane/dane.c b/libdane/dane.c index b9d9ba293c..26b9a86eeb 100644 --- a/libdane/dane.c +++ b/libdane/dane.c @@ -41,33 +41,30 @@ #ifdef DEBUG #define gnutls_assert() fprintf(stderr, "ASSERT: %s: %d\n", __FILE__, __LINE__); #define gnutls_assert_val(x) gnutls_assert_val_int(x, __FILE__, __LINE__) -static int -gnutls_assert_val_int (int val, const char *file, int line) +static int gnutls_assert_val_int(int val, const char *file, int line) { - fprintf (stderr, "ASSERT: %s: %d\n", file, line); - return val; + fprintf(stderr, "ASSERT: %s: %d\n", file, line); + return val; } #else #define gnutls_assert() #define gnutls_assert_val(x) (x) #endif -struct dane_state_st -{ - struct ub_ctx *ctx; - unsigned int flags; +struct dane_state_st { + struct ub_ctx *ctx; + unsigned int flags; }; -struct dane_query_st -{ - struct ub_result *result; - unsigned int data_entries; - dane_cert_usage_t usage[MAX_DATA_ENTRIES]; - dane_cert_type_t type[MAX_DATA_ENTRIES]; - dane_match_type_t match[MAX_DATA_ENTRIES]; - gnutls_datum_t data[MAX_DATA_ENTRIES]; - unsigned int flags; - dane_query_status_t status; +struct dane_query_st { + struct ub_result *result; + unsigned int data_entries; + dane_cert_usage_t usage[MAX_DATA_ENTRIES]; + dane_cert_type_t type[MAX_DATA_ENTRIES]; + dane_match_type_t match[MAX_DATA_ENTRIES]; + gnutls_datum_t data[MAX_DATA_ENTRIES]; + unsigned int flags; + dane_query_status_t status; }; /** @@ -79,10 +76,9 @@ struct dane_query_st * * Returns: The status type. **/ -dane_query_status_t -dane_query_status (dane_query_t q) +dane_query_status_t dane_query_status(dane_query_t q) { - return q->status; + return q->status; } /** @@ -93,10 +89,9 @@ dane_query_status (dane_query_t q) * * Returns: The number of entries. **/ -unsigned int -dane_query_entries (dane_query_t q) +unsigned int dane_query_entries(dane_query_t q) { - return q->data_entries; + return q->data_entries; } /** @@ -115,26 +110,26 @@ dane_query_entries (dane_query_t q) * negative error value. **/ int -dane_query_data (dane_query_t q, unsigned int idx, - unsigned int *usage, unsigned int *type, - unsigned int *match, gnutls_datum_t * data) +dane_query_data(dane_query_t q, unsigned int idx, + unsigned int *usage, unsigned int *type, + unsigned int *match, gnutls_datum_t * data) { - if (idx >= q->data_entries) - return gnutls_assert_val (DANE_E_REQUESTED_DATA_NOT_AVAILABLE); - - if (usage) - *usage = q->usage[idx]; - if (type) - *type = q->type[idx]; - if (match) - *match = q->match[idx]; - if (data) - { - data->data = q->data[idx].data; - data->size = q->data[idx].size; - } - - return DANE_E_SUCCESS; + if (idx >= q->data_entries) + return + gnutls_assert_val(DANE_E_REQUESTED_DATA_NOT_AVAILABLE); + + if (usage) + *usage = q->usage[idx]; + if (type) + *type = q->type[idx]; + if (match) + *match = q->match[idx]; + if (data) { + data->data = q->data[idx].data; + data->size = q->data[idx].size; + } + + return DANE_E_SUCCESS; } /** @@ -147,65 +142,60 @@ dane_query_data (dane_query_t q, unsigned int idx, * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -dane_state_init (dane_state_t * s, unsigned int flags) +int dane_state_init(dane_state_t * s, unsigned int flags) { - struct ub_ctx *ctx; - int ret; - - *s = calloc (1, sizeof (struct dane_state_st)); - if (*s == NULL) - return gnutls_assert_val (DANE_E_MEMORY_ERROR); - - ctx = ub_ctx_create (); - if (!ctx) - { - gnutls_assert (); - ret = DANE_E_INITIALIZATION_ERROR; - goto cleanup; - } - ub_ctx_debugout (ctx, stderr); - - if (!(flags & DANE_F_IGNORE_LOCAL_RESOLVER)) - { - if ((ret = ub_ctx_resolvconf (ctx, NULL)) != 0) - { - gnutls_assert (); - ret = DANE_E_INITIALIZATION_ERROR; - goto cleanup; - } - - if ((ret = ub_ctx_hosts (ctx, NULL)) != 0) - { - gnutls_assert (); - ret = DANE_E_INITIALIZATION_ERROR; - goto cleanup; - } - } - - /* read public keys for DNSSEC verification */ - if (!(flags & DANE_F_IGNORE_DNSSEC)) - { - if ((ret = - ub_ctx_add_ta_file (ctx, (char *) UNBOUND_ROOT_KEY_FILE)) != 0) - { - gnutls_assert (); - ret = DANE_E_INITIALIZATION_ERROR; - goto cleanup; - } - } - - (*s)->ctx = ctx; - (*s)->flags = flags; - - return DANE_E_SUCCESS; -cleanup: - - if (ctx) - ub_ctx_delete (ctx); - free (*s); - - return ret; + struct ub_ctx *ctx; + int ret; + + *s = calloc(1, sizeof(struct dane_state_st)); + if (*s == NULL) + return gnutls_assert_val(DANE_E_MEMORY_ERROR); + + ctx = ub_ctx_create(); + if (!ctx) { + gnutls_assert(); + ret = DANE_E_INITIALIZATION_ERROR; + goto cleanup; + } + ub_ctx_debugout(ctx, stderr); + + if (!(flags & DANE_F_IGNORE_LOCAL_RESOLVER)) { + if ((ret = ub_ctx_resolvconf(ctx, NULL)) != 0) { + gnutls_assert(); + ret = DANE_E_INITIALIZATION_ERROR; + goto cleanup; + } + + if ((ret = ub_ctx_hosts(ctx, NULL)) != 0) { + gnutls_assert(); + ret = DANE_E_INITIALIZATION_ERROR; + goto cleanup; + } + } + + /* read public keys for DNSSEC verification */ + if (!(flags & DANE_F_IGNORE_DNSSEC)) { + if ((ret = + ub_ctx_add_ta_file(ctx, + (char *) UNBOUND_ROOT_KEY_FILE)) != + 0) { + gnutls_assert(); + ret = DANE_E_INITIALIZATION_ERROR; + goto cleanup; + } + } + + (*s)->ctx = ctx; + (*s)->flags = flags; + + return DANE_E_SUCCESS; + cleanup: + + if (ctx) + ub_ctx_delete(ctx); + free(*s); + + return ret; } /** @@ -215,11 +205,10 @@ cleanup: * This function will deinitialize a DANE query structure. * **/ -void -dane_state_deinit (dane_state_t s) +void dane_state_deinit(dane_state_t s) { - ub_ctx_delete (s->ctx); - free (s); + ub_ctx_delete(s->ctx); + free(s); } /** @@ -231,17 +220,17 @@ dane_state_deinit (dane_state_t s) * for DLV (DNSSEC Lookaside Validation). * **/ -int -dane_state_set_dlv_file (dane_state_t s, const char *file) +int dane_state_set_dlv_file(dane_state_t s, const char *file) { - int ret; + int ret; - ret = - ub_ctx_set_option (s->ctx, (char *) "dlv-anchor-file:", (void *) file); - if (ret != 0) - return gnutls_assert_val (DANE_E_FILE_ERROR); + ret = + ub_ctx_set_option(s->ctx, (char *) "dlv-anchor-file:", + (void *) file); + if (ret != 0) + return gnutls_assert_val(DANE_E_FILE_ERROR); - return 0; + return 0; } /** @@ -251,12 +240,11 @@ dane_state_set_dlv_file (dane_state_t s, const char *file) * This function will deinitialize a DANE query result structure. * **/ -void -dane_query_deinit (dane_query_t q) +void dane_query_deinit(dane_query_t q) { - if (q->result) - ub_resolve_free (q->result); - free (q); + if (q->result) + ub_resolve_free(q->result); + free(q); } @@ -280,59 +268,54 @@ dane_query_deinit (dane_query_t q) * negative error value. **/ int -dane_raw_tlsa (dane_state_t s, dane_query_t * r, char *const *dane_data, - const int *dane_data_len, int secure, int bogus) +dane_raw_tlsa(dane_state_t s, dane_query_t * r, char *const *dane_data, + const int *dane_data_len, int secure, int bogus) { - int ret = DANE_E_SUCCESS; - unsigned int i; - - *r = calloc (1, sizeof (struct dane_query_st)); - if (*r == NULL) - return gnutls_assert_val (DANE_E_MEMORY_ERROR); - - (*r)->data_entries = 0; - - for (i = 0; i < MAX_DATA_ENTRIES; i++) - { - if (dane_data[i] == NULL) - break; - - if (dane_data_len[i] <= 3) - return gnutls_assert_val (DANE_E_RECEIVED_CORRUPT_DATA); - - (*r)->usage[i] = dane_data[i][0]; - (*r)->type[i] = dane_data[i][1]; - (*r)->match[i] = dane_data[i][2]; - (*r)->data[i].data = (void *) &dane_data[i][3]; - (*r)->data[i].size = dane_data_len[i] - 3; - (*r)->data_entries++; - } - - if (!(s->flags & DANE_F_INSECURE) && !secure) - { - if (bogus) - ret = gnutls_assert_val (DANE_E_INVALID_DNSSEC_SIG); - else - ret = gnutls_assert_val (DANE_E_NO_DNSSEC_SIG); - } - - /* show security status */ - if (secure) - { - (*r)->status = DANE_QUERY_DNSSEC_VERIFIED; - } - else if (bogus) - { - gnutls_assert (); - (*r)->status = DANE_QUERY_BOGUS; - } - else - { - gnutls_assert (); - (*r)->status = DANE_QUERY_NO_DNSSEC; - } - - return ret; + int ret = DANE_E_SUCCESS; + unsigned int i; + + *r = calloc(1, sizeof(struct dane_query_st)); + if (*r == NULL) + return gnutls_assert_val(DANE_E_MEMORY_ERROR); + + (*r)->data_entries = 0; + + for (i = 0; i < MAX_DATA_ENTRIES; i++) { + if (dane_data[i] == NULL) + break; + + if (dane_data_len[i] <= 3) + return + gnutls_assert_val + (DANE_E_RECEIVED_CORRUPT_DATA); + + (*r)->usage[i] = dane_data[i][0]; + (*r)->type[i] = dane_data[i][1]; + (*r)->match[i] = dane_data[i][2]; + (*r)->data[i].data = (void *) &dane_data[i][3]; + (*r)->data[i].size = dane_data_len[i] - 3; + (*r)->data_entries++; + } + + if (!(s->flags & DANE_F_INSECURE) && !secure) { + if (bogus) + ret = gnutls_assert_val(DANE_E_INVALID_DNSSEC_SIG); + else + ret = gnutls_assert_val(DANE_E_NO_DNSSEC_SIG); + } + + /* show security status */ + if (secure) { + (*r)->status = DANE_QUERY_DNSSEC_VERIFIED; + } else if (bogus) { + gnutls_assert(); + (*r)->status = DANE_QUERY_BOGUS; + } else { + gnutls_assert(); + (*r)->status = DANE_QUERY_NO_DNSSEC; + } + + return ret; } @@ -351,299 +334,269 @@ dane_raw_tlsa (dane_state_t s, dane_query_t * r, char *const *dane_data, * negative error value. **/ int -dane_query_tlsa (dane_state_t s, dane_query_t * r, const char *host, - const char *proto, unsigned int port) +dane_query_tlsa(dane_state_t s, dane_query_t * r, const char *host, + const char *proto, unsigned int port) { - char ns[1024]; - int ret; - struct ub_result *result; + char ns[1024]; + int ret; + struct ub_result *result; - snprintf (ns, sizeof (ns), "_%u._%s.%s", port, proto, host); + snprintf(ns, sizeof(ns), "_%u._%s.%s", port, proto, host); - /* query for webserver */ - ret = ub_resolve (s->ctx, ns, 52, 1, &result); - if (ret != 0) - { - return gnutls_assert_val (DANE_E_RESOLVING_ERROR); - } + /* query for webserver */ + ret = ub_resolve(s->ctx, ns, 52, 1, &result); + if (ret != 0) { + return gnutls_assert_val(DANE_E_RESOLVING_ERROR); + } /* show first result */ - if (!result->havedata) - { - ub_resolve_free (result); - return gnutls_assert_val (DANE_E_NO_DANE_DATA); - } - - ret = - dane_raw_tlsa (s, r, result->data, result->len, result->secure, - result->bogus); - if (*r == NULL) - { - ub_resolve_free (result); - return ret; - } - (*r)->result = result; - return ret; + if (!result->havedata) { + ub_resolve_free(result); + return gnutls_assert_val(DANE_E_NO_DANE_DATA); + } + + ret = + dane_raw_tlsa(s, r, result->data, result->len, result->secure, + result->bogus); + if (*r == NULL) { + ub_resolve_free(result); + return ret; + } + (*r)->result = result; + return ret; } static unsigned int -matches (const gnutls_datum_t * raw1, const gnutls_datum_t * raw2, - dane_match_type_t match) +matches(const gnutls_datum_t * raw1, const gnutls_datum_t * raw2, + dane_match_type_t match) { - uint8_t digest[64]; - int ret; + uint8_t digest[64]; + int ret; - if (match == DANE_MATCH_EXACT) - { - if (raw1->size != raw2->size) - return gnutls_assert_val (0); + if (match == DANE_MATCH_EXACT) { + if (raw1->size != raw2->size) + return gnutls_assert_val(0); - if (memcmp (raw1->data, raw2->data, raw1->size) != 0) - return gnutls_assert_val (0); + if (memcmp(raw1->data, raw2->data, raw1->size) != 0) + return gnutls_assert_val(0); - return 1; - } - else if (match == DANE_MATCH_SHA2_256) - { + return 1; + } else if (match == DANE_MATCH_SHA2_256) { - if (raw2->size != 32) - return gnutls_assert_val (0); + if (raw2->size != 32) + return gnutls_assert_val(0); - ret = - gnutls_hash_fast (GNUTLS_DIG_SHA256, raw1->data, raw1->size, digest); - if (ret < 0) - return gnutls_assert_val (0); + ret = + gnutls_hash_fast(GNUTLS_DIG_SHA256, raw1->data, + raw1->size, digest); + if (ret < 0) + return gnutls_assert_val(0); - if (memcmp (digest, raw2->data, 32) != 0) - return gnutls_assert_val (0); + if (memcmp(digest, raw2->data, 32) != 0) + return gnutls_assert_val(0); - return 1; - } - else if (match == DANE_MATCH_SHA2_512) - { - if (raw2->size != 64) - return gnutls_assert_val (0); + return 1; + } else if (match == DANE_MATCH_SHA2_512) { + if (raw2->size != 64) + return gnutls_assert_val(0); - ret = - gnutls_hash_fast (GNUTLS_DIG_SHA512, raw1->data, raw1->size, digest); - if (ret < 0) - return gnutls_assert_val (0); + ret = + gnutls_hash_fast(GNUTLS_DIG_SHA512, raw1->data, + raw1->size, digest); + if (ret < 0) + return gnutls_assert_val(0); - if (memcmp (digest, raw2->data, 64) != 0) - return gnutls_assert_val (0); + if (memcmp(digest, raw2->data, 64) != 0) + return gnutls_assert_val(0); - return 1; - } + return 1; + } - return gnutls_assert_val (0); + return gnutls_assert_val(0); } static int -crt_to_pubkey (const gnutls_datum_t * raw_crt, gnutls_datum_t * out) +crt_to_pubkey(const gnutls_datum_t * raw_crt, gnutls_datum_t * out) { - gnutls_pubkey_t pub = NULL; - gnutls_x509_crt_t crt = NULL; - int ret; - - out->data = NULL; - - ret = gnutls_x509_crt_init (&crt); - if (ret < 0) - return gnutls_assert_val (DANE_E_PUBKEY_ERROR); - - ret = gnutls_pubkey_init (&pub); - if (ret < 0) - { - gnutls_assert (); - ret = DANE_E_PUBKEY_ERROR; - goto cleanup; - } - - ret = gnutls_x509_crt_import (crt, raw_crt, GNUTLS_X509_FMT_DER); - if (ret < 0) - { - gnutls_assert (); - ret = DANE_E_PUBKEY_ERROR; - goto cleanup; - } - - ret = gnutls_pubkey_import_x509 (pub, crt, 0); - if (ret < 0) - { - gnutls_assert (); - ret = DANE_E_PUBKEY_ERROR; - goto cleanup; - } - - ret = gnutls_pubkey_export2 (pub, GNUTLS_X509_FMT_DER, out); - if (ret < 0) - { - gnutls_assert (); - ret = DANE_E_PUBKEY_ERROR; - goto cleanup; - } - - ret = 0; - goto clean_certs; - -cleanup: - free (out->data); - out->data = NULL; -clean_certs: - if (pub) - gnutls_pubkey_deinit (pub); - if (crt) - gnutls_x509_crt_deinit (crt); - - return ret; + gnutls_pubkey_t pub = NULL; + gnutls_x509_crt_t crt = NULL; + int ret; + + out->data = NULL; + + ret = gnutls_x509_crt_init(&crt); + if (ret < 0) + return gnutls_assert_val(DANE_E_PUBKEY_ERROR); + + ret = gnutls_pubkey_init(&pub); + if (ret < 0) { + gnutls_assert(); + ret = DANE_E_PUBKEY_ERROR; + goto cleanup; + } + + ret = gnutls_x509_crt_import(crt, raw_crt, GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + ret = DANE_E_PUBKEY_ERROR; + goto cleanup; + } + + ret = gnutls_pubkey_import_x509(pub, crt, 0); + if (ret < 0) { + gnutls_assert(); + ret = DANE_E_PUBKEY_ERROR; + goto cleanup; + } + + ret = gnutls_pubkey_export2(pub, GNUTLS_X509_FMT_DER, out); + if (ret < 0) { + gnutls_assert(); + ret = DANE_E_PUBKEY_ERROR; + goto cleanup; + } + + ret = 0; + goto clean_certs; + + cleanup: + free(out->data); + out->data = NULL; + clean_certs: + if (pub) + gnutls_pubkey_deinit(pub); + if (crt) + gnutls_x509_crt_deinit(crt); + + return ret; } static int -verify_ca (const gnutls_datum_t * raw_crt, unsigned raw_crt_size, - gnutls_certificate_type_t crt_type, - dane_cert_type_t ctype, - dane_match_type_t match, gnutls_datum_t * data, - unsigned int *verify) +verify_ca(const gnutls_datum_t * raw_crt, unsigned raw_crt_size, + gnutls_certificate_type_t crt_type, + dane_cert_type_t ctype, + dane_match_type_t match, gnutls_datum_t * data, + unsigned int *verify) { - gnutls_datum_t pubkey = { NULL, 0 }; - int ret; - unsigned int vstatus; - gnutls_x509_crt_t crt = NULL, ca = NULL; - - if (raw_crt_size < 2) - return gnutls_assert_val (DANE_E_INVALID_REQUEST); - - if (ctype == DANE_CERT_X509 && crt_type == GNUTLS_CRT_X509) - { - - if (!matches (&raw_crt[1], data, match)) - { - gnutls_assert (); - *verify |= DANE_VERIFY_CA_CONSTRAINTS_VIOLATED; - } - - } - else if (ctype == DANE_CERT_PK && crt_type == GNUTLS_CRT_X509) - { - ret = crt_to_pubkey (&raw_crt[1], &pubkey); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - if (!matches (&pubkey, data, match)) - { - gnutls_assert (); - *verify |= DANE_VERIFY_CA_CONSTRAINTS_VIOLATED; - } - } - else - { - ret = gnutls_assert_val (DANE_E_UNKNOWN_DANE_DATA); - goto cleanup; - } - - /* check if the certificate chain is actually a chain */ - ret = gnutls_x509_crt_init (&crt); - if (ret < 0) - { - ret = gnutls_assert_val (DANE_E_CERT_ERROR); - goto cleanup; - } - - ret = gnutls_x509_crt_init (&ca); - if (ret < 0) - { - ret = gnutls_assert_val (DANE_E_CERT_ERROR); - goto cleanup; - } - - ret = gnutls_x509_crt_import (crt, &raw_crt[0], GNUTLS_X509_FMT_DER); - if (ret < 0) - { - ret = gnutls_assert_val (DANE_E_CERT_ERROR); - goto cleanup; - } - - ret = gnutls_x509_crt_import (ca, &raw_crt[1], GNUTLS_X509_FMT_DER); - if (ret < 0) - { - ret = gnutls_assert_val (DANE_E_CERT_ERROR); - goto cleanup; - } - - ret = gnutls_x509_crt_check_issuer (crt, ca); - if (ret == 0) - { - gnutls_assert (); - *verify |= DANE_VERIFY_CA_CONSTRAINTS_VIOLATED; - } - - ret = gnutls_x509_crt_verify (crt, &ca, 1, 0, &vstatus); - if (ret < 0) - { - ret = gnutls_assert_val (DANE_E_CERT_ERROR); - goto cleanup; - } - if (vstatus != 0) - *verify |= DANE_VERIFY_CA_CONSTRAINTS_VIOLATED; - - ret = 0; -cleanup: - free (pubkey.data); - if (crt != NULL) - gnutls_x509_crt_deinit (crt); - if (ca != NULL) - gnutls_x509_crt_deinit (ca); - return ret; + gnutls_datum_t pubkey = { NULL, 0 }; + int ret; + unsigned int vstatus; + gnutls_x509_crt_t crt = NULL, ca = NULL; + + if (raw_crt_size < 2) + return gnutls_assert_val(DANE_E_INVALID_REQUEST); + + if (ctype == DANE_CERT_X509 && crt_type == GNUTLS_CRT_X509) { + + if (!matches(&raw_crt[1], data, match)) { + gnutls_assert(); + *verify |= DANE_VERIFY_CA_CONSTRAINTS_VIOLATED; + } + + } else if (ctype == DANE_CERT_PK && crt_type == GNUTLS_CRT_X509) { + ret = crt_to_pubkey(&raw_crt[1], &pubkey); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + if (!matches(&pubkey, data, match)) { + gnutls_assert(); + *verify |= DANE_VERIFY_CA_CONSTRAINTS_VIOLATED; + } + } else { + ret = gnutls_assert_val(DANE_E_UNKNOWN_DANE_DATA); + goto cleanup; + } + + /* check if the certificate chain is actually a chain */ + ret = gnutls_x509_crt_init(&crt); + if (ret < 0) { + ret = gnutls_assert_val(DANE_E_CERT_ERROR); + goto cleanup; + } + + ret = gnutls_x509_crt_init(&ca); + if (ret < 0) { + ret = gnutls_assert_val(DANE_E_CERT_ERROR); + goto cleanup; + } + + ret = + gnutls_x509_crt_import(crt, &raw_crt[0], GNUTLS_X509_FMT_DER); + if (ret < 0) { + ret = gnutls_assert_val(DANE_E_CERT_ERROR); + goto cleanup; + } + + ret = gnutls_x509_crt_import(ca, &raw_crt[1], GNUTLS_X509_FMT_DER); + if (ret < 0) { + ret = gnutls_assert_val(DANE_E_CERT_ERROR); + goto cleanup; + } + + ret = gnutls_x509_crt_check_issuer(crt, ca); + if (ret == 0) { + gnutls_assert(); + *verify |= DANE_VERIFY_CA_CONSTRAINTS_VIOLATED; + } + + ret = gnutls_x509_crt_verify(crt, &ca, 1, 0, &vstatus); + if (ret < 0) { + ret = gnutls_assert_val(DANE_E_CERT_ERROR); + goto cleanup; + } + if (vstatus != 0) + *verify |= DANE_VERIFY_CA_CONSTRAINTS_VIOLATED; + + ret = 0; + cleanup: + free(pubkey.data); + if (crt != NULL) + gnutls_x509_crt_deinit(crt); + if (ca != NULL) + gnutls_x509_crt_deinit(ca); + return ret; } static int -verify_ee (const gnutls_datum_t * raw_crt, gnutls_certificate_type_t crt_type, - dane_cert_type_t ctype, dane_match_type_t match, - gnutls_datum_t * data, unsigned int *verify) +verify_ee(const gnutls_datum_t * raw_crt, + gnutls_certificate_type_t crt_type, dane_cert_type_t ctype, + dane_match_type_t match, gnutls_datum_t * data, + unsigned int *verify) { - gnutls_datum_t pubkey = { NULL, 0 }; - int ret; - - if (ctype == DANE_CERT_X509 && crt_type == GNUTLS_CRT_X509) - { - - if (!matches (raw_crt, data, match)) - { - gnutls_assert (); - *verify |= DANE_VERIFY_CERT_DIFFERS; - } - - } - else if (ctype == DANE_CERT_PK && crt_type == GNUTLS_CRT_X509) - { - - ret = crt_to_pubkey (raw_crt, &pubkey); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - if (!matches (&pubkey, data, match)) - { - gnutls_assert (); - *verify |= DANE_VERIFY_CERT_DIFFERS; - } - } - else - { - ret = gnutls_assert_val (DANE_E_UNKNOWN_DANE_DATA); - goto cleanup; - } - - ret = 0; -cleanup: - free (pubkey.data); - return ret; + gnutls_datum_t pubkey = { NULL, 0 }; + int ret; + + if (ctype == DANE_CERT_X509 && crt_type == GNUTLS_CRT_X509) { + + if (!matches(raw_crt, data, match)) { + gnutls_assert(); + *verify |= DANE_VERIFY_CERT_DIFFERS; + } + + } else if (ctype == DANE_CERT_PK && crt_type == GNUTLS_CRT_X509) { + + ret = crt_to_pubkey(raw_crt, &pubkey); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + if (!matches(&pubkey, data, match)) { + gnutls_assert(); + *verify |= DANE_VERIFY_CERT_DIFFERS; + } + } else { + ret = gnutls_assert_val(DANE_E_UNKNOWN_DANE_DATA); + goto cleanup; + } + + ret = 0; + cleanup: + free(pubkey.data); + return ret; } /** @@ -678,71 +631,69 @@ cleanup: * **/ int -dane_verify_crt_raw (dane_state_t s, - const gnutls_datum_t * chain, unsigned chain_size, - gnutls_certificate_type_t chain_type, - dane_query_t r, - unsigned int sflags, unsigned int vflags, - unsigned int *verify) +dane_verify_crt_raw(dane_state_t s, + const gnutls_datum_t * chain, unsigned chain_size, + gnutls_certificate_type_t chain_type, + dane_query_t r, + unsigned int sflags, unsigned int vflags, + unsigned int *verify) { - int ret; - unsigned checked = 0; - unsigned int usage, type, match, idx; - gnutls_datum_t data; - - if (chain_type != GNUTLS_CRT_X509) - return gnutls_assert_val (DANE_E_INVALID_REQUEST); - - *verify = 0; - idx = 0; - do - { - ret = dane_query_data (r, idx++, &usage, &type, &match, &data); - if (ret == DANE_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - if (!(vflags & DANE_VFLAG_ONLY_CHECK_EE_USAGE) - && (usage == DANE_CERT_USAGE_LOCAL_CA - || usage == DANE_CERT_USAGE_CA)) - { - ret = - verify_ca (chain, chain_size, chain_type, type, match, &data, - verify); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - checked = 1; - } - else if (!(vflags & DANE_VFLAG_ONLY_CHECK_CA_USAGE) - && (usage == DANE_CERT_USAGE_LOCAL_EE - || usage == DANE_CERT_USAGE_EE)) - { - ret = verify_ee (&chain[0], chain_type, type, match, &data, verify); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - checked = 1; - } - } - while (1); - - if ((vflags & DANE_VFLAG_FAIL_IF_NOT_CHECKED) && checked == 0) - ret = gnutls_assert_val (DANE_E_REQUESTED_DATA_NOT_AVAILABLE); - else - ret = 0; - -cleanup: - return ret; + int ret; + unsigned checked = 0; + unsigned int usage, type, match, idx; + gnutls_datum_t data; + + if (chain_type != GNUTLS_CRT_X509) + return gnutls_assert_val(DANE_E_INVALID_REQUEST); + + *verify = 0; + idx = 0; + do { + ret = + dane_query_data(r, idx++, &usage, &type, &match, + &data); + if (ret == DANE_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + if (!(vflags & DANE_VFLAG_ONLY_CHECK_EE_USAGE) + && (usage == DANE_CERT_USAGE_LOCAL_CA + || usage == DANE_CERT_USAGE_CA)) { + ret = + verify_ca(chain, chain_size, chain_type, type, + match, &data, verify); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + checked = 1; + } else if (!(vflags & DANE_VFLAG_ONLY_CHECK_CA_USAGE) + && (usage == DANE_CERT_USAGE_LOCAL_EE + || usage == DANE_CERT_USAGE_EE)) { + ret = + verify_ee(&chain[0], chain_type, type, match, + &data, verify); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + checked = 1; + } + } + while (1); + + if ((vflags & DANE_VFLAG_FAIL_IF_NOT_CHECKED) && checked == 0) + ret = + gnutls_assert_val(DANE_E_REQUESTED_DATA_NOT_AVAILABLE); + else + ret = 0; + + cleanup: + return ret; } @@ -780,44 +731,40 @@ cleanup: * **/ int -dane_verify_crt (dane_state_t s, - const gnutls_datum_t * chain, unsigned chain_size, - gnutls_certificate_type_t chain_type, - const char *hostname, const char *proto, unsigned int port, - unsigned int sflags, unsigned int vflags, - unsigned int *verify) +dane_verify_crt(dane_state_t s, + const gnutls_datum_t * chain, unsigned chain_size, + gnutls_certificate_type_t chain_type, + const char *hostname, const char *proto, unsigned int port, + unsigned int sflags, unsigned int vflags, + unsigned int *verify) { - dane_state_t _s = NULL; - dane_query_t r = NULL; - int ret; - - *verify = 0; - if (s == NULL) - { - ret = dane_state_init (&_s, sflags); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - } - else - _s = s; - - ret = dane_query_tlsa (_s, &r, hostname, proto, port); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - ret = dane_verify_crt_raw (s, chain, chain_size, chain_type, - r, sflags, vflags, verify); -cleanup: - if (s == NULL) - dane_state_deinit (_s); - if (r != NULL) - dane_query_deinit (r); - return ret; + dane_state_t _s = NULL; + dane_query_t r = NULL; + int ret; + + *verify = 0; + if (s == NULL) { + ret = dane_state_init(&_s, sflags); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } else + _s = s; + + ret = dane_query_tlsa(_s, &r, hostname, proto, port); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + ret = dane_verify_crt_raw(s, chain, chain_size, chain_type, + r, sflags, vflags, verify); + cleanup: + if (s == NULL) + dane_state_deinit(_s); + if (r != NULL) + dane_query_deinit(r); + return ret; } /** @@ -840,26 +787,26 @@ cleanup: * **/ int -dane_verify_session_crt (dane_state_t s, - gnutls_session_t session, - const char *hostname, const char *proto, - unsigned int port, unsigned int sflags, - unsigned int vflags, unsigned int *verify) +dane_verify_session_crt(dane_state_t s, + gnutls_session_t session, + const char *hostname, const char *proto, + unsigned int port, unsigned int sflags, + unsigned int vflags, unsigned int *verify) { - const gnutls_datum_t *cert_list; - unsigned int cert_list_size = 0; - unsigned int type; + const gnutls_datum_t *cert_list; + unsigned int cert_list_size = 0; + unsigned int type; - cert_list = gnutls_certificate_get_peers (session, &cert_list_size); - if (cert_list_size == 0) - { - return gnutls_assert_val (DANE_E_NO_CERT); - } + cert_list = gnutls_certificate_get_peers(session, &cert_list_size); + if (cert_list_size == 0) { + return gnutls_assert_val(DANE_E_NO_CERT); + } - type = gnutls_certificate_type_get (session); + type = gnutls_certificate_type_get(session); - return dane_verify_crt (s, cert_list, cert_list_size, type, hostname, proto, - port, sflags, vflags, verify); + return dane_verify_crt(s, cert_list, cert_list_size, type, + hostname, proto, port, sflags, vflags, + verify); } /** @@ -878,31 +825,38 @@ dane_verify_session_crt (dane_state_t s, * negative error value. **/ int -dane_verification_status_print (unsigned int status, - gnutls_datum_t * out, unsigned int flags) +dane_verification_status_print(unsigned int status, + gnutls_datum_t * out, unsigned int flags) { - gnutls_buffer_st str; - int ret; + gnutls_buffer_st str; + int ret; - _gnutls_buffer_init (&str); + _gnutls_buffer_init(&str); - if (status == 0) - _gnutls_buffer_append_str (&str, _("Certificate matches. ")); - else - _gnutls_buffer_append_str (&str, _("Verification failed. ")); + if (status == 0) + _gnutls_buffer_append_str(&str, + _("Certificate matches. ")); + else + _gnutls_buffer_append_str(&str, + _("Verification failed. ")); - if (status & DANE_VERIFY_CA_CONSTRAINTS_VIOLATED) - _gnutls_buffer_append_str (&str, _("CA constrains were violated. ")); + if (status & DANE_VERIFY_CA_CONSTRAINTS_VIOLATED) + _gnutls_buffer_append_str(&str, + _ + ("CA constrains were violated. ")); - if (status & DANE_VERIFY_CERT_DIFFERS) - _gnutls_buffer_append_str (&str, _("The certificate differs. ")); + if (status & DANE_VERIFY_CERT_DIFFERS) + _gnutls_buffer_append_str(&str, + _("The certificate differs. ")); - if (status & DANE_VERIFY_NO_DANE_INFO) - _gnutls_buffer_append_str (&str, _("There were no DANE information. ")); + if (status & DANE_VERIFY_NO_DANE_INFO) + _gnutls_buffer_append_str(&str, + _ + ("There were no DANE information. ")); - ret = _gnutls_buffer_to_datum (&str, out); - if (out->size > 0) - out->size--; + ret = _gnutls_buffer_to_datum(&str, out); + if (out->size > 0) + out->size--; - return ret; + return ret; } diff --git a/libdane/errors.c b/libdane/errors.c index 2e345ad20f..84be88499e 100644 --- a/libdane/errors.c +++ b/libdane/errors.c @@ -31,45 +31,44 @@ #define ERROR_ENTRY(desc, name) \ { desc, #name, name} -struct error_entry -{ - const char *desc; - const char *_name; - int number; +struct error_entry { + const char *desc; + const char *_name; + int number; }; typedef struct error_entry error_entry; static const error_entry error_algorithms[] = { - ERROR_ENTRY (N_("Success."), DANE_E_SUCCESS), - ERROR_ENTRY (N_("There was error initializing the DNS query."), - DANE_E_INITIALIZATION_ERROR), - ERROR_ENTRY (N_("There was an error while resolving."), - DANE_E_RESOLVING_ERROR), - ERROR_ENTRY (N_("No DANE data were found."), - DANE_E_NO_DANE_DATA), - ERROR_ENTRY (N_("Unknown DANE data were found."), - DANE_E_UNKNOWN_DANE_DATA), - ERROR_ENTRY (N_("No DNSSEC signature was found."), - DANE_E_NO_DNSSEC_SIG), - ERROR_ENTRY (N_("Received corrupt data."), - DANE_E_RECEIVED_CORRUPT_DATA), - ERROR_ENTRY (N_("The DNSSEC signature is invalid."), - DANE_E_INVALID_DNSSEC_SIG), - ERROR_ENTRY (N_("There was a memory error."), - DANE_E_MEMORY_ERROR), - ERROR_ENTRY (N_("There requested data are not available."), - DANE_E_REQUESTED_DATA_NOT_AVAILABLE), - ERROR_ENTRY (N_("There request is invalid."), - DANE_E_INVALID_REQUEST), - ERROR_ENTRY (N_("There was an error in the certificate."), - DANE_E_CERT_ERROR), - ERROR_ENTRY (N_("There was an error in the public key."), - DANE_E_PUBKEY_ERROR), - ERROR_ENTRY (N_("No certificate was found."), - DANE_E_NO_CERT), - ERROR_ENTRY (N_("Error in file."), - DANE_E_FILE_ERROR), - {NULL, NULL, 0} + ERROR_ENTRY(N_("Success."), DANE_E_SUCCESS), + ERROR_ENTRY(N_("There was error initializing the DNS query."), + DANE_E_INITIALIZATION_ERROR), + ERROR_ENTRY(N_("There was an error while resolving."), + DANE_E_RESOLVING_ERROR), + ERROR_ENTRY(N_("No DANE data were found."), + DANE_E_NO_DANE_DATA), + ERROR_ENTRY(N_("Unknown DANE data were found."), + DANE_E_UNKNOWN_DANE_DATA), + ERROR_ENTRY(N_("No DNSSEC signature was found."), + DANE_E_NO_DNSSEC_SIG), + ERROR_ENTRY(N_("Received corrupt data."), + DANE_E_RECEIVED_CORRUPT_DATA), + ERROR_ENTRY(N_("The DNSSEC signature is invalid."), + DANE_E_INVALID_DNSSEC_SIG), + ERROR_ENTRY(N_("There was a memory error."), + DANE_E_MEMORY_ERROR), + ERROR_ENTRY(N_("There requested data are not available."), + DANE_E_REQUESTED_DATA_NOT_AVAILABLE), + ERROR_ENTRY(N_("There request is invalid."), + DANE_E_INVALID_REQUEST), + ERROR_ENTRY(N_("There was an error in the certificate."), + DANE_E_CERT_ERROR), + ERROR_ENTRY(N_("There was an error in the public key."), + DANE_E_PUBKEY_ERROR), + ERROR_ENTRY(N_("No certificate was found."), + DANE_E_NO_CERT), + ERROR_ENTRY(N_("Error in file."), + DANE_E_FILE_ERROR), + {NULL, NULL, 0} }; /** @@ -84,24 +83,21 @@ static const error_entry error_algorithms[] = { * * Returns: A string explaining the DANE error message. **/ -const char * -dane_strerror (int error) +const char *dane_strerror(int error) { - const char *ret = NULL; - const error_entry *p; + const char *ret = NULL; + const error_entry *p; - for (p = error_algorithms; p->desc != NULL; p++) - { - if (p->number == error) - { - ret = p->desc; - break; - } - } + for (p = error_algorithms; p->desc != NULL; p++) { + if (p->number == error) { + ret = p->desc; + break; + } + } - /* avoid prefix */ - if (ret == NULL) - return _("(unknown error code)"); + /* avoid prefix */ + if (ret == NULL) + return _("(unknown error code)"); - return _(ret); + return _(ret); } diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h index 3ce56fb808..9fd807793e 100644 --- a/libdane/includes/gnutls/dane.h +++ b/libdane/includes/gnutls/dane.h @@ -21,7 +21,7 @@ */ -#include <gnutls/gnutls.h> /* for gnutls_datum_t */ +#include <gnutls/gnutls.h> /* for gnutls_datum_t */ /** * dane_cert_usage_t: @@ -36,12 +36,11 @@ * * Enumeration of different certificate usage types. */ -typedef enum dane_cert_usage_t -{ - DANE_CERT_USAGE_CA = 0, - DANE_CERT_USAGE_EE = 1, - DANE_CERT_USAGE_LOCAL_CA = 2, - DANE_CERT_USAGE_LOCAL_EE = 3 +typedef enum dane_cert_usage_t { + DANE_CERT_USAGE_CA = 0, + DANE_CERT_USAGE_EE = 1, + DANE_CERT_USAGE_LOCAL_CA = 2, + DANE_CERT_USAGE_LOCAL_EE = 3 } dane_cert_usage_t; /** @@ -51,10 +50,9 @@ typedef enum dane_cert_usage_t * * Enumeration of different certificate types. */ -typedef enum dane_cert_type_t -{ - DANE_CERT_X509 = 0, - DANE_CERT_PK = 1 +typedef enum dane_cert_type_t { + DANE_CERT_X509 = 0, + DANE_CERT_PK = 1 } dane_cert_type_t; /** @@ -65,11 +63,10 @@ typedef enum dane_cert_type_t * * Enumeration of different content matching types. */ -typedef enum dane_match_type_t -{ - DANE_MATCH_EXACT = 0, - DANE_MATCH_SHA2_256 = 1, - DANE_MATCH_SHA2_512 = 2 +typedef enum dane_match_type_t { + DANE_MATCH_EXACT = 0, + DANE_MATCH_SHA2_256 = 1, + DANE_MATCH_SHA2_512 = 2 } dane_match_type_t; /** @@ -81,12 +78,11 @@ typedef enum dane_match_type_t * * Enumeration of different certificate types. */ -typedef enum dane_query_status_t -{ - DANE_QUERY_UNKNOWN = 0, - DANE_QUERY_DNSSEC_VERIFIED, - DANE_QUERY_BOGUS, - DANE_QUERY_NO_DNSSEC +typedef enum dane_query_status_t { + DANE_QUERY_UNKNOWN = 0, + DANE_QUERY_DNSSEC_VERIFIED, + DANE_QUERY_BOGUS, + DANE_QUERY_NO_DNSSEC } dane_query_status_t; typedef struct dane_state_st *dane_state_t; @@ -100,32 +96,33 @@ typedef struct dane_query_st *dane_query_t; * * Enumeration of different verification flags. */ -typedef enum dane_state_flags_t -{ - DANE_F_IGNORE_LOCAL_RESOLVER = 1, - DANE_F_INSECURE=2, - DANE_F_IGNORE_DNSSEC=4 +typedef enum dane_state_flags_t { + DANE_F_IGNORE_LOCAL_RESOLVER = 1, + DANE_F_INSECURE = 2, + DANE_F_IGNORE_DNSSEC = 4 } dane_state_flags_t; -int dane_state_init (dane_state_t* s, unsigned int flags); -int dane_state_set_dlv_file(dane_state_t s, const char* file); -void dane_state_deinit (dane_state_t s); +int dane_state_init(dane_state_t * s, unsigned int flags); +int dane_state_set_dlv_file(dane_state_t s, const char *file); +void dane_state_deinit(dane_state_t s); -int dane_raw_tlsa(dane_state_t s, dane_query_t *r, char *const*dane_data, const int *dane_data_len, int secure, int bogus); +int dane_raw_tlsa(dane_state_t s, dane_query_t * r, char *const *dane_data, + const int *dane_data_len, int secure, int bogus); -int dane_query_tlsa(dane_state_t s, dane_query_t *r, const char* host, const char* proto, unsigned int port); +int dane_query_tlsa(dane_state_t s, dane_query_t * r, const char *host, + const char *proto, unsigned int port); dane_query_status_t dane_query_status(dane_query_t q); unsigned int dane_query_entries(dane_query_t q); int dane_query_data(dane_query_t q, unsigned int idx, - unsigned int *usage, unsigned int *type, - unsigned int *match, gnutls_datum_t * data); + unsigned int *usage, unsigned int *type, + unsigned int *match, gnutls_datum_t * data); void dane_query_deinit(dane_query_t q); -const char* dane_cert_type_name(dane_cert_type_t type); -const char* dane_match_type_name(dane_match_type_t type); -const char* dane_cert_usage_name(dane_cert_usage_t usage); +const char *dane_cert_type_name(dane_cert_type_t type); +const char *dane_match_type_name(dane_match_type_t type); +const char *dane_cert_usage_name(dane_cert_usage_t usage); /** * dane_verify_flags_t: @@ -135,11 +132,10 @@ const char* dane_cert_usage_name(dane_cert_usage_t usage); * * Enumeration of different verification status flags. */ -typedef enum dane_verify_flags_t -{ - DANE_VFLAG_FAIL_IF_NOT_CHECKED = 1, - DANE_VFLAG_ONLY_CHECK_EE_USAGE = 1<<1, - DANE_VFLAG_ONLY_CHECK_CA_USAGE = 1<<2, +typedef enum dane_verify_flags_t { + DANE_VFLAG_FAIL_IF_NOT_CHECKED = 1, + DANE_VFLAG_ONLY_CHECK_EE_USAGE = 1 << 1, + DANE_VFLAG_ONLY_CHECK_CA_USAGE = 1 << 2, } dane_verify_flags_t; /** @@ -150,41 +146,39 @@ typedef enum dane_verify_flags_t * * Enumeration of different verification status flags. */ -typedef enum dane_verify_status_t -{ - DANE_VERIFY_CA_CONSTRAINTS_VIOLATED = 1, - DANE_VERIFY_CERT_DIFFERS = 1<<1, - DANE_VERIFY_NO_DANE_INFO = 1<<2, +typedef enum dane_verify_status_t { + DANE_VERIFY_CA_CONSTRAINTS_VIOLATED = 1, + DANE_VERIFY_CERT_DIFFERS = 1 << 1, + DANE_VERIFY_NO_DANE_INFO = 1 << 2, } dane_verify_status_t; #define DANE_VERIFY_CA_CONSTRAINS_VIOLATED DANE_VERIFY_CA_CONSTRAINTS_VIOLATED int -dane_verification_status_print (unsigned int status, - gnutls_datum_t * out, unsigned int flags); - -int dane_verify_crt_raw (dane_state_t s, - const gnutls_datum_t *chain, unsigned chain_size, - gnutls_certificate_type_t chain_type, - dane_query_t r, - unsigned int sflags, unsigned int vflags, - unsigned int *verify); - -int dane_verify_crt (dane_state_t s, - const gnutls_datum_t *chain, unsigned chain_size, - gnutls_certificate_type_t chain_type, - const char * hostname, const char* proto, unsigned int port, - unsigned int sflags, unsigned int vflags, - unsigned int *verify); - -int dane_verify_session_crt ( - dane_state_t s, - gnutls_session_t session, - const char * hostname, const char* proto, unsigned int port, - unsigned int sflags, unsigned int vflags, - unsigned int *verify); - -const char * dane_strerror (int error); +dane_verification_status_print(unsigned int status, + gnutls_datum_t * out, unsigned int flags); + +int dane_verify_crt_raw(dane_state_t s, + const gnutls_datum_t * chain, unsigned chain_size, + gnutls_certificate_type_t chain_type, + dane_query_t r, + unsigned int sflags, unsigned int vflags, + unsigned int *verify); + +int dane_verify_crt(dane_state_t s, + const gnutls_datum_t * chain, unsigned chain_size, + gnutls_certificate_type_t chain_type, + const char *hostname, const char *proto, + unsigned int port, unsigned int sflags, + unsigned int vflags, unsigned int *verify); + +int dane_verify_session_crt(dane_state_t s, + gnutls_session_t session, + const char *hostname, const char *proto, + unsigned int port, unsigned int sflags, + unsigned int vflags, unsigned int *verify); + +const char *dane_strerror(int error); #define DANE_E_SUCCESS 0 #define DANE_E_INITIALIZATION_ERROR -1 @@ -201,4 +195,3 @@ const char * dane_strerror (int error); #define DANE_E_FILE_ERROR -12 #define DANE_E_CERT_ERROR -13 #define DANE_E_UNKNOWN_DANE_DATA -14 - |