author | Christian Grothoff <christian@grothoff.org> | 2013-10-21 18:15:57 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-10-21 19:48:01 +0200 |
commit | 4c45e35790f50818d1179ee4443e77e16424f5dc (patch) | |
tree | 6b2783debb34d6e37fc8548022aa85bf3ea3cf53 /libdane | |
parent | b4ece0d57c1a41bf059b1c822b8c23030145ecd7 (diff) | |
download | gnutls-4c45e35790f50818d1179ee4443e77e16424f5dc.tar.gz |
Adding dane_verify_crt_raw to allow direct verification of a certificate chain against a dane_query_t (for example, as provided by the new dane_raw_tlsa).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Diffstat (limited to 'libdane')
-rw-r--r-- | libdane/dane.c | 92 | ||||
-rw-r--r-- | libdane/includes/gnutls/dane.h | 7 |
2 files changed, 77 insertions, 22 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index c53e2f95c4..01872b519c 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -581,9 +581,7 @@ cleanup:
  * @chain: A certificate chain
  * @chain_size: The size of the chain
  * @chain_type: The type of the certificate chain
- * @hostname: The hostname associated with the chain
- * @proto: The protocol of the service connecting (e.g. tcp)
- * @port: The port of the service connecting (e.g. 443)
+ * @r DANE data to check against
  * @sflags: Flags for the the initialization of @s (if NULL)
  * @vflags: Verification flags; an OR'ed list of %dane_verify_flags_t.
  * @verify: An OR'ed list of %dane_verify_status_t.
@@ -608,15 +606,14 @@ cleanup:
  * negative error value.
  *
  **/
-int dane_verify_crt (dane_state_t s,
+int dane_verify_crt_raw (dane_state_t s,
 const gnutls_datum_t *chain, unsigned chain_size,
 gnutls_certificate_type_t chain_type,
- const char * hostname, const char* proto, unsigned int port,
+ dane_query_t r,
 unsigned int sflags, unsigned int vflags,
 unsigned int *verify)
 {
 dane_state_t _s = NULL;
-dane_query_t r = NULL;
 int ret;
 unsigned checked = 0;
 unsigned int usage, type, match, idx;
@@ -626,22 +623,6 @@ gnutls_datum_t data;
 return gnutls_assert_val(DANE_E_INVALID_REQUEST);
 
 *verify = 0;
-
- if (s == NULL) {
- ret = dane_state_init(&_s, sflags);
- if (ret < 0) {
- gnutls_assert();
- return ret;
- }
- } else
- _s = s;
-
- ret = dane_query_tlsa(_s, &r, hostname, proto, port);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
-
 idx = 0;
 do {
 ret = dane_query_data(r, idx++, &usage, &type, &match, &data);
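Review bot: The new parameter line `+ * @r DANE data to check against` in the first hunk lacks the colon that the gtk-doc parameter syntax used on every neighbouring line requires, so the description will not be attached to the parameter in the generated documentation; write it as ` * @r: DANE data, as returned by dane_query_tlsa(), to verify the chain against`. The unchanged `@sflags` line still says the flags initialize @s when it is NULL, but the hunk at -626 removes exactly that initialization from dane_verify_crt_raw, so for the raw variant the description no longer matches what the parameter does; either state that the argument is accepted for symmetry with dane_verify_crt and currently unused, or drop it before the function becomes public API. The `the the` typo on that line is pre-existing.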
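Review bot: `dane_state_t _s = NULL;` is kept in dane_verify_crt_raw although the only code that ever assigned it — the `if (s == NULL) { dane_state_init(&_s, sflags) ... } else _s = s;` block — is removed in the hunk at -626, while the cleanup label in the hunk at -677 still runs `if (s == NULL) dane_state_deinit(_s);`, so every call made with `s == NULL` (which is what the new dane_verify_crt wrapper passes through) reaches `dane_state_deinit(NULL)`. Whether dane_state_deinit tolerates a NULL argument is not visible in this diff; if it dereferences its argument, this is a NULL-pointer crash reachable from every existing caller that passes no state. Since the raw variant no longer owns a state, delete the `_s` declaration here together with the deinit line in the later cleanup block, leaving `cleanup:` followed only by `return ret;`. The body between this hunk and the cleanup label is outside the diff, so any remaining use of `_s` there needs the same treatment.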
@@ -677,6 +658,73 @@ gnutls_datum_t data; cleanup: if (s == NULL) dane_state_deinit(_s); + return ret; +} + + +/** + * dane_verify_crt: + * @s: A DANE state structure (may be NULL) + * @chain: A certificate chain + * @chain_size: The size of the chain + * @chain_type: The type of the certificate chain + * @hostname: The hostname associated with the chain + * @proto: The protocol of the service connecting (e.g. tcp) + * @port: The port of the service connecting (e.g. 443) + * @sflags: Flags for the the initialization of @s (if NULL) + * @vflags: Verification flags; an OR'ed list of %dane_verify_flags_t. + * @verify: An OR'ed list of %dane_verify_status_t. + * + * This function will verify the given certificate chain against the + * CA constrains and/or the certificate available via DANE. + * If no information via DANE can be obtained the flag %DANE_VERIFY_NO_DANE_INFO + * is set. If a DNSSEC signature is not available for the DANE + * record then the verify flag %DANE_VERIFY_NO_DNSSEC_DATA is set. + * + * Note that the CA constraint only applies for the directly certifying CA + * and does not account for long CA chains. + * + * Due to the many possible options of DANE, there is no single threat + * model countered. When notifying the user about DANE verification results + * it may be better to mention: DANE verification did not reject the certificate, + * rather than mentioning a successful DANE verication. + * + * If the @q parameter is provided it will be used for caching entries. + * + * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a + * negative error value. 
+ * + **/ +int dane_verify_crt (dane_state_t s, + const gnutls_datum_t *chain, unsigned chain_size, + gnutls_certificate_type_t chain_type, + const char * hostname, const char* proto, unsigned int port, + unsigned int sflags, unsigned int vflags, + unsigned int *verify) +{ +dane_state_t _s = NULL; +dane_query_t r = NULL; +int ret; + + *verify = 0; + if (s == NULL) { + ret = dane_state_init(&_s, sflags); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } else + _s = s; + + ret = dane_query_tlsa(_s, &r, hostname, proto, port); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + ret = dane_verify_crt_raw (s, chain, chain_size, chain_type, + r, sflags, vflags, verify); +cleanup: + if (s == NULL) dane_state_deinit(_s); if (r != NULL) dane_query_deinit(r); return ret; } diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h index 3b0bbf63b9..21413ea14c 100644 --- a/libdane/includes/gnutls/dane.h +++ b/libdane/includes/gnutls/dane.h @@ -161,6 +161,13 @@ int dane_verification_status_print (unsigned int status, gnutls_datum_t * out, unsigned int flags); +int dane_verify_crt_raw (dane_state_t s, + const gnutls_datum_t *chain, unsigned chain_size, + gnutls_certificate_type_t chain_type, + dane_query_t r, + unsigned int sflags, unsigned int vflags, + unsigned int *verify); + int dane_verify_crt (dane_state_t s, const gnutls_datum_t *chain, unsigned chain_size, gnutls_certificate_type_t chain_type, |
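Review bot: The new documentation block for dane_verify_crt describes a caching parameter `@q` (`If the @q parameter is provided it will be used for caching entries.`) that the function does not have; its parameter list is @s, @chain, @chain_size, @chain_type, @hostname, @proto, @port, @sflags, @vflags and @verify, so the sentence should either be dropped or reworded to refer to @s, the only argument that can carry state between calls. While the block is being introduced, the spelling slips in it are worth fixing: `CA constrains` → `CA constraints`, `successful DANE verication` → `successful DANE verification`, and `the the initialization` → `the initialization`. The wrapper hands the caller's `s` rather than the state it initialized to the raw variant (`ret = dane_verify_crt_raw (s, chain, chain_size, chain_type,`); passing `_s` instead makes ownership explicit — the wrapper alone creates and frees the state, and the raw function never sees a NULL state it might try to tear down — and a short comment above the call recording that the raw variant does not use the state would keep the two functions from drifting apart. The dane.h hunk only mirrors the new prototype and needs no change.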