Revert "Added dane_verify_crt_raw2() which allows verifying against the certificate name."

This reverts commit d19ac66361300aaf188bc69ae64d5fcd7e89b0f6.
author: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2014-05-10 14:05:02 +0200
committer: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2014-05-10 14:05:02 +0200
commit: cd7773e429421936cc6a369fd38899aacdc21f06 (patch)
tree: 0f71ddb621f61988638e5185ab2fae04a23d261f /libdane
parent: ec68060caaf1715a5cc73b3a61b14d6f71911ff6 (diff)
download: gnutls-cd7773e429421936cc6a369fd38899aacdc21f06.tar.gz
3 files changed, 7 insertions, 89 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index 1199091c22..44734257bc 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -37,7 +37,7 @@
 #include "../lib/gnutls_int.h"
 
 #define MAX_DATA_ENTRIES 100
-
+#define DEBUG
 #ifdef DEBUG
 #define gnutls_assert() fprintf(stderr, "ASSERT: %s: %d\n", __FILE__, __LINE__);
 #define gnutls_assert_val(x) gnutls_assert_val_int(x, __FILE__, __LINE__)
@@ -561,7 +561,7 @@ verify_ca(const gnutls_datum_t * raw_crt, unsigned raw_crt_size,
 }
 
 static int
-verify_ee(const char *hostname, const gnutls_datum_t * raw_crt,
+verify_ee(const gnutls_datum_t * raw_crt,
 	  gnutls_certificate_type_t crt_type, dane_cert_type_t ctype,
 	  dane_match_type_t match, gnutls_datum_t * data,
 	  unsigned int *verify)
@@ -569,30 +569,8 @@ verify_ee(const char *hostname, const gnutls_datum_t * raw_crt,
 	gnutls_datum_t pubkey = { NULL, 0 };
 	int ret;
 
-	if (crt_type == GNUTLS_CRT_X509 && hostname != NULL) {
-		gnutls_x509_crt_t crt;
-
-		ret = gnutls_x509_crt_init(&crt);
-		if (ret < 0) {
-			gnutls_assert();
-			return DANE_E_CERT_ERROR;
-		}
-
-		ret = gnutls_x509_crt_import(crt, raw_crt, GNUTLS_X509_FMT_DER);
-		if (ret < 0) {
-			gnutls_assert();
-			gnutls_x509_crt_deinit(crt);
-			return DANE_E_CERT_ERROR;
-		}
-
-		ret = gnutls_x509_crt_check_hostname2(crt, hostname, 0);
-		if (ret == 0) {
-			*verify |= DANE_VERIFY_HOSTNAME_DIFFERS;
-		}
-		gnutls_x509_crt_deinit(crt);
-	}
-
 	if (ctype == DANE_CERT_X509 && crt_type == GNUTLS_CRT_X509) {
+
 		if (!matches(raw_crt, data, match)) {
 			gnutls_assert();
 			*verify |= DANE_VERIFY_CERT_DIFFERS;
@@ -639,9 +617,7 @@ verify_ee(const char *hostname, const gnutls_datum_t * raw_crt,
  * record then the verify flag %DANE_VERIFY_NO_DNSSEC_DATA is set.
  *
  * Note that the CA constraint only applies for the directly certifying CA
- * and does not account for long CA chains. Moreover this function will NOT
- * check the hostname of the end certificate. If that isn't done manually
- * use dane_verify_crt_raw2().
+ * and does not account for long CA chains.
  *
  * Due to the many possible options of DANE, there is no single threat
  * model countered. When notifying the user about DANE verification results
@@ -653,8 +629,6 @@ verify_ee(const char *hostname, const gnutls_datum_t * raw_crt,
  * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
- * Deprecated: use dane_verify_crt_raw2().
- *
  **/
 int
 dane_verify_crt_raw(dane_state_t s,
@@ -664,52 +638,6 @@ dane_verify_crt_raw(dane_state_t s,
 		    unsigned int sflags, unsigned int vflags,
 		    unsigned int *verify)
 {
-	return dane_verify_crt_raw2(s, chain, chain_size, chain_type, NULL,
-				r, sflags, vflags, verify);
-}
-
-/**
- * dane_verify_crt_raw2:
- * @s: A DANE state structure (may be NULL)
- * @chain: A certificate chain
- * @chain_size: The size of the chain
- * @chain_type: The type of the certificate chain
- * @hostname: The hostname of the end certificate (to be combined with %DANE_VFLAG_ONLY_CHECK_EE_USAGE)
- * @r: DANE data to check against
- * @sflags: Flags for the the initialization of @s (if NULL)
- * @vflags: Verification flags; an OR'ed list of %dane_verify_flags_t.
- * @verify: An OR'ed list of %dane_verify_status_t.
- *
- * This function will verify the given certificate chain against the
- * CA constrains and/or the certificate available via DANE.
- * If no information via DANE can be obtained the flag %DANE_VERIFY_NO_DANE_INFO
- * is set. If a DNSSEC signature is not available for the DANE
- * record then the verify flag %DANE_VERIFY_NO_DNSSEC_DATA is set.
- *
- * Note that the CA constraint only applies for the directly certifying CA
- * and does not account for long CA chains. 
- *
- * Due to the many possible options of DANE, there is no single threat
- * model countered. When notifying the user about DANE verification results
- * it may be better to mention: DANE verification did not reject the certificate,
- * rather than mentioning a successful DANE verication.
- *
- * If the @q parameter is provided it will be used for caching entries.
- *
- * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
- *   negative error value.
- *
- * Since 3.3.3.
- *
- **/
-int
-dane_verify_crt_raw2(dane_state_t s,
-		    const gnutls_datum_t * chain, unsigned chain_size,
-		    gnutls_certificate_type_t chain_type,
-		    dane_query_t r,
-		    unsigned int sflags, unsigned int vflags,
-		    unsigned int *verify)
-{
 	int ret;
 	unsigned checked = 0;
 	unsigned int usage, type, match, idx;
@@ -755,7 +683,7 @@ dane_verify_crt_raw2(dane_state_t s,
 			   && (usage == DANE_CERT_USAGE_LOCAL_EE
 			       || usage == DANE_CERT_USAGE_EE)) {
 			ret =
-			    verify_ee(hostname, &chain[0], chain_type, type, match,
+			    verify_ee(&chain[0], chain_type, type, match,
 				      &data, &record_verify);
 			if (ret < 0) {
 				gnutls_assert();
@@ -847,8 +775,8 @@ dane_verify_crt(dane_state_t s,
 		gnutls_assert();
 		goto cleanup;
 	}
-	ret = dane_verify_crt_raw2(state, chain, chain_size, chain_type,
-				  hostname, r, sflags, vflags, verify);
+	ret = dane_verify_crt_raw(state, chain, chain_size, chain_type,
+				  r, sflags, vflags, verify);
       cleanup:
 	if (state != s)
 		dane_state_deinit(state);
diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h
index d0067992a3..98e4a96faa 100644
--- a/libdane/includes/gnutls/dane.h
+++ b/libdane/includes/gnutls/dane.h
@@ -150,7 +150,6 @@ typedef enum dane_verify_status_t {
 	DANE_VERIFY_CA_CONSTRAINTS_VIOLATED = 1,
 	DANE_VERIFY_CERT_DIFFERS = 1 << 1,
 	DANE_VERIFY_UNKNOWN_DANE_INFO = 1 << 2,
-	DANE_VERIFY_HOSTNAME_DIFFERS = 1 << 3,
 } dane_verify_status_t;
 
 #define DANE_VERIFY_CA_CONSTRAINS_VIOLATED DANE_VERIFY_CA_CONSTRAINTS_VIOLATED
@@ -167,14 +166,6 @@ int dane_verify_crt_raw(dane_state_t s,
 			unsigned int sflags, unsigned int vflags,
 			unsigned int *verify);
 
-int
-dane_verify_crt_raw2(dane_state_t s,
-		    const gnutls_datum_t * chain, unsigned chain_size,
-		    gnutls_certificate_type_t chain_type,
-		    dane_query_t r,
-		    unsigned int sflags, unsigned int vflags,
-		    unsigned int *verify);
-
 int dane_verify_crt(dane_state_t s,
 		    const gnutls_datum_t * chain, unsigned chain_size,
 		    gnutls_certificate_type_t chain_type,
diff --git a/libdane/libdane.map b/libdane/libdane.map
index 12e13b06c5..3fee935ef3 100644
--- a/libdane/libdane.map
+++ b/libdane/libdane.map
@@ -20,7 +20,6 @@ DANE_0_0
 	dane_state_set_dlv_file;
 	dane_verify_crt_raw;
 	dane_raw_tlsa;
-	dane_verify_crt_raw2;
   local:
     *;
 };
author	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2014-05-10 14:05:02 +0200
committer	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2014-05-10 14:05:02 +0200
commit	cd7773e429421936cc6a369fd38899aacdc21f06 (patch)
tree	0f71ddb621f61988638e5185ab2fae04a23d261f /libdane
parent	ec68060caaf1715a5cc73b3a61b14d6f71911ff6 (diff)
download	gnutls-cd7773e429421936cc6a369fd38899aacdc21f06.tar.gz