]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Bug fixes in DANE.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Sun, 7 Oct 2012 10:10:59 +0000 (12:10 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Sun, 7 Oct 2012 10:10:59 +0000 (12:10 +0200)
Corrected packet length parsing and removed the verify
options DANE_VERIFY_DNSSEC_DATA_INVALID and DANE_VERIFY_NO_DNSSEC_DATA.
There is longer use for them since using the DANE API requires DNSSEC.

libdane/dane.c
libdane/includes/gnutls/dane.h
src/cli.c

index ebf362c498ec15fed5d873c143a1ac04097077ee..e008ad899e03428fead3aa7934ad17b200670b5a 100644 (file)
@@ -234,7 +234,7 @@ int dane_query_resolve_tlsa(dane_query_t q, const char* host, const char* proto,
                q->type[i] = q->result->data[i][1];
                q->match[i] = q->result->data[i][2];
                q->data[i].data = (void*)&q->result->data[i][3];
-               q->data[i].size = q->result->len[i];
+               q->data[i].size = q->result->len[i] - 3;
                i++;
        } while(q->result->data[i] != NULL);
        
@@ -273,7 +273,7 @@ int ret;
                return 1;
        } else if (match == DANE_MATCH_SHA2_256) {
 
-               if (raw2->size < 32)
+               if (raw2->size != 32)
                        return 0;
                
                ret = gnutls_hash_fast(GNUTLS_DIG_SHA256, raw1->data, raw1->size, digest);
@@ -285,7 +285,7 @@ int ret;
                
                return 1;
        } else if (match == DANE_MATCH_SHA2_512) {
-               if (raw2->size < 64)
+               if (raw2->size != 64)
                        return 0;
                
                ret = gnutls_hash_fast(GNUTLS_DIG_SHA512, raw1->data, raw1->size, digest);
@@ -445,7 +445,7 @@ int dane_verify_crt (
 {
 dane_query_t q;
 int ret;
-unsigned int usage, type, match, idx, status;
+unsigned int usage, type, match, idx;
 gnutls_datum_t data;
        
        if (chain_type != GNUTLS_CRT_X509)
@@ -463,15 +463,6 @@ gnutls_datum_t data;
                goto cleanup;
        }
 
-       status = dane_query_status(q);
-       if (status == DANE_QUERY_BOGUS) {
-               *verify |= DANE_VERIFY_DNSSEC_DATA_INVALID;
-               goto cleanup;
-       } else if (status == DANE_QUERY_NO_DNSSEC) {
-               *verify |= DANE_VERIFY_NO_DNSSEC_DATA;
-               goto cleanup;
-       }
-
        idx = 0;
        do {
                ret = dane_query_data(q, idx++, &usage, &type, &match, &data);
index 9a3a5e8c43a157c0f8d6d46f3ba0e9bd9e1d91ea..366d10a98014c2a1af960f735c0997fffff21e47 100644 (file)
@@ -107,8 +107,6 @@ unsigned int dane_query_entries(dane_query_t q);
  * @DANE_VERIFY_CA_CONSTRAINS_VIOLATED: The CA constrains was violated.
  * @DANE_VERIFY_CERT_DIFFERS: The certificate obtained via DNS differs.
  * @DANE_VERIFY_NO_DANE_INFO: No DANE data were found in the DNS record.
- * @DANE_VERIFY_DNSSEC_DATA_INVALID: The DNSSEC data are invalid.
- * @DANE_VERIFY_NO_DNSSEC_DATA: The DNS data were not signed using DNSSEC.
  *
  * Enumeration of different verification status flags.
  */
@@ -117,8 +115,6 @@ typedef enum dane_verify_status_t
   DANE_VERIFY_CA_CONSTRAINS_VIOLATED = 1,
   DANE_VERIFY_CERT_DIFFERS = 1<<1,
   DANE_VERIFY_NO_DANE_INFO = 1<<2,
-  DANE_VERIFY_DNSSEC_DATA_INVALID = 1<<3,
-  DANE_VERIFY_NO_DNSSEC_DATA = 1<<4,
 } dane_verify_status_t;
 
 /**
index 179e2742fa1750343a03072b463cc158a1876c2b..ca3a4f88861ca447c75d3d29b6f1baae305222ba 100644 (file)
--- a/src/cli.c
+++ b/src/cli.c
@@ -503,10 +503,6 @@ cert_verify_callback (gnutls_session_t session)
                 fprintf(stderr, "- The certificate differs.\n");
               if (status & DANE_VERIFY_NO_DANE_INFO)
                 fprintf(stderr, "- There was no DANE information.\n");
-              if (status & DANE_VERIFY_DNSSEC_DATA_INVALID)
-                fprintf(stderr, "- The DNSSEC signature is invalid.\n");
-              if (status & DANE_VERIFY_NO_DNSSEC_DATA)
-                fprintf(stderr, "- There was no DNSSEC signature.\n");
               if (!insecure)
                 return -1;
             }