q->type[i] = q->result->data[i][1];
q->match[i] = q->result->data[i][2];
q->data[i].data = (void*)&q->result->data[i][3];
- q->data[i].size = q->result->len[i];
+ q->data[i].size = q->result->len[i] - 3;
i++;
} while(q->result->data[i] != NULL);
return 1;
} else if (match == DANE_MATCH_SHA2_256) {
- if (raw2->size < 32)
+ if (raw2->size != 32)
return 0;
ret = gnutls_hash_fast(GNUTLS_DIG_SHA256, raw1->data, raw1->size, digest);
return 1;
} else if (match == DANE_MATCH_SHA2_512) {
- if (raw2->size < 64)
+ if (raw2->size != 64)
return 0;
ret = gnutls_hash_fast(GNUTLS_DIG_SHA512, raw1->data, raw1->size, digest);
{
dane_query_t q;
int ret;
-unsigned int usage, type, match, idx, status;
+unsigned int usage, type, match, idx;
gnutls_datum_t data;
if (chain_type != GNUTLS_CRT_X509)
goto cleanup;
}
- status = dane_query_status(q);
- if (status == DANE_QUERY_BOGUS) {
- *verify |= DANE_VERIFY_DNSSEC_DATA_INVALID;
- goto cleanup;
- } else if (status == DANE_QUERY_NO_DNSSEC) {
- *verify |= DANE_VERIFY_NO_DNSSEC_DATA;
- goto cleanup;
- }
-
idx = 0;
do {
ret = dane_query_data(q, idx++, &usage, &type, &match, &data);
* @DANE_VERIFY_CA_CONSTRAINS_VIOLATED: The CA constrains was violated.
* @DANE_VERIFY_CERT_DIFFERS: The certificate obtained via DNS differs.
* @DANE_VERIFY_NO_DANE_INFO: No DANE data were found in the DNS record.
- * @DANE_VERIFY_DNSSEC_DATA_INVALID: The DNSSEC data are invalid.
- * @DANE_VERIFY_NO_DNSSEC_DATA: The DNS data were not signed using DNSSEC.
*
* Enumeration of different verification status flags.
*/
DANE_VERIFY_CA_CONSTRAINS_VIOLATED = 1,
DANE_VERIFY_CERT_DIFFERS = 1<<1,
DANE_VERIFY_NO_DANE_INFO = 1<<2,
- DANE_VERIFY_DNSSEC_DATA_INVALID = 1<<3,
- DANE_VERIFY_NO_DNSSEC_DATA = 1<<4,
} dane_verify_status_t;
/**
fprintf(stderr, "- The certificate differs.\n");
if (status & DANE_VERIFY_NO_DANE_INFO)
fprintf(stderr, "- There was no DANE information.\n");
- if (status & DANE_VERIFY_DNSSEC_DATA_INVALID)
- fprintf(stderr, "- The DNSSEC signature is invalid.\n");
- if (status & DANE_VERIFY_NO_DNSSEC_DATA)
- fprintf(stderr, "- There was no DNSSEC signature.\n");
if (!insecure)
return -1;
}