From e83a184c54c9c705306ba4941f5600620cd3b597 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Fri, 1 Mar 2013 16:54:12 +0100
Subject: Added verify flags for DANE to enforce verification and restrict it to a field.
---
 libdane/dane.c | 17 +++++++++++------
 libdane/includes/gnutls/dane.h | 15 +++++++++++++++
 2 files changed, 26 insertions(+), 6 deletions(-)
(limited to 'libdane')
diff --git a/libdane/dane.c b/libdane/dane.c
index 9f2d8d7156..7c2be56a07 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -545,7 +545,7 @@ cleanup:
 * @proto: The protocol of the service connecting (e.g. tcp)
 * @port: The port of the service connecting (e.g. 443)
 * @sflags: Flags for the the initialization of @s (if NULL)
-* @vflags: Verification flags; should be zero
+* @vflags: Verification flags; an OR'ed list of %dane_verify_flags_t.
 * @verify: An OR'ed list of %dane_verify_status_t.
 *
 * This function will verify the given certificate chain against the
@@ -578,6 +578,7 @@ int dane_verify_crt (dane_state_t s,
 dane_state_t _s = NULL;
 dane_query_t r = NULL;
 int ret;
+unsigned checked = 0;
 unsigned int usage, type, match, idx;
 gnutls_datum_t data;
@@ -611,24 +612,28 @@ gnutls_datum_t data;
 gnutls_assert();
 goto cleanup;
 }
-
- if (usage == DANE_CERT_USAGE_LOCAL_CA || usage == DANE_CERT_USAGE_CA) {
+
+ if (!(vflags & DANE_VFLAG_ONLY_CHECK_EE_USAGE) && (usage == DANE_CERT_USAGE_LOCAL_CA || usage == DANE_CERT_USAGE_CA)) {
 ret = verify_ca(chain, chain_size, chain_type, type, match, &data, verify);
 if (ret < 0) {
 gnutls_assert();
 goto cleanup;
 }
-
- } else if (usage == DANE_CERT_USAGE_LOCAL_EE || usage == DANE_CERT_USAGE_EE) {
+ checked = 1;
+ } else if (!(vflags & DANE_VFLAG_ONLY_CHECK_CA_USAGE) && (usage == DANE_CERT_USAGE_LOCAL_EE || usage == DANE_CERT_USAGE_EE)) {
 ret = verify_ee(&chain[0], chain_type, type, match, &data, verify);
 if (ret < 0) {
 gnutls_assert();
 goto cleanup;
 }
+ checked = 1;
 }
 } while(1);
- ret = 0;
+ if ((vflags & DANE_VFLAG_FAIL_IF_NOT_CHECKED) && checked == 0)
+ ret = gnutls_assert_val(DANE_E_REQUESTED_DATA_NOT_AVAILABLE);
+ else
+ ret = 0;
 cleanup:
 if (s == NULL)
 dane_state_deinit(_s);
diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h
index 94841b9989..f5b9104611 100644
--- a/libdane/includes/gnutls/dane.h
+++ b/libdane/includes/gnutls/dane.h
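Review bot: The fail-closed check added after the loop is opt-in, so a caller passing `DANE_VFLAG_ONLY_CHECK_EE_USAGE` alone against a response that carries only CA-usage records never reaches verify_ca() or verify_ee(), leaves `checked` at 0, and still takes the `ret = 0;` branch — a success return with nothing verified, and `*verify` presumably holding whatever the earlier code left in it (its initialisation is outside this hunk). Either the restricting flags should imply the failure, e.g. `if (checked == 0 && (vflags & (DANE_VFLAG_FAIL_IF_NOT_CHECKED | DANE_VFLAG_ONLY_CHECK_EE_USAGE | DANE_VFLAG_ONLY_CHECK_CA_USAGE)))`, or the fail-open default has to be stated in the @vflags documentation so callers know to combine the flags. Setting both ONLY_CHECK flags disables both branches for every record; rejecting that combination at function entry would be cheaper and clearer than the DANE_E_REQUESTED_DATA_NOT_AVAILABLE error after the DNS query. The `do { ... } while(1)` loop and dane_verify_crt itself begin before this hunk.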
@@ -122,6 +122,21 @@ const char* dane_cert_type_name(dane_cert_type_t type);
 const char* dane_match_type_name(dane_match_type_t type);
 const char* dane_cert_usage_name(dane_cert_usage_t usage);
+/**
+ * dane_verify_flags_t:
+ * @DANE_VFLAG_FAIL_IF_NOT_CHECKED: If irrelevant to this certificate DANE entries are received fail instead of succeeding.
+ * @DANE_VFLAG_CHECK_EE_USAGE: The provided certificates will be verified only against any EE field. Combine with %DANE_VFLAG_FAIL_IF_NOT_CHECKED to fail if EE entries are not present.
+ * @DANE_VFLAG_CHECK_CA_USAGE: The provided certificates will be verified only against any CA field. Combine with %DANE_VFLAG_FAIL_IF_NOT_CHECKED to fail if CA entries are not present.
+ *
+ * Enumeration of different verification status flags.
+ */
+typedef enum dane_verify_flags_t
+{
+ DANE_VFLAG_FAIL_IF_NOT_CHECKED = 1,
+ DANE_VFLAG_ONLY_CHECK_EE_USAGE = 1<<1,
+ DANE_VFLAG_ONLY_CHECK_CA_USAGE = 1<<2,
+} dane_verify_flags_t;
+
 /**
 * dane_verify_status_t:
 * @DANE_VERIFY_CA_CONSTRAINS_VIOLATED: The CA constrains was violated.
-- cgit v1.2.1
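Review bot: The gtk-doc block names `@DANE_VFLAG_CHECK_EE_USAGE` and `@DANE_VFLAG_CHECK_CA_USAGE`, but the enumerators declared right below are `DANE_VFLAG_ONLY_CHECK_EE_USAGE` and `DANE_VFLAG_ONLY_CHECK_CA_USAGE`, so the generated reference will describe two names that do not exist and leave the real ones undocumented; the two lines should read ` * @DANE_VFLAG_ONLY_CHECK_EE_USAGE: ...` and ` * @DANE_VFLAG_ONLY_CHECK_CA_USAGE: ...`. The summary `Enumeration of different verification status flags.` repeats the wording of dane_verify_status_t that follows; this enum holds flags that control verification, so `Enumeration of flags controlling DANE verification.` keeps the two apart. The @DANE_VFLAG_FAIL_IF_NOT_CHECKED sentence is hard to parse; `Fail instead of succeeding when none of the DANE entries received was applicable to (and therefore checked against) this certificate.` states the same condition, and it is worth adding that without this flag such a response is reported as success, since that is the default behaviour a caller has to opt out of.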