[GNUnet-SVN] r30385 - in gnunet: . src/gns
From: |
gnunet |
Subject: |
[GNUnet-SVN] r30385 - in gnunet: . src/gns |
Date: |
Mon, 21 Oct 2013 19:01:58 +0200 |
Author: grothoff
Date: 2013-10-21 19:01:58 +0200 (Mon, 21 Oct 2013)
New Revision: 30385
Modified:
gnunet/configure.ac
gnunet/src/gns/Makefile.am
gnunet/src/gns/gnunet-gns-proxy.c
Log:
-adding logic for TLSA/DANE verification in combination with recently submitted
patches to GnuTLS
Modified: gnunet/configure.ac
===================================================================
--- gnunet/configure.ac 2013-10-21 16:45:00 UTC (rev 30384)
+++ gnunet/configure.ac 2013-10-21 17:01:58 UTC (rev 30385)
@@ -1032,9 +1032,16 @@
AC_CHECK_LIB([gnutls], [gnutls_priority_set],
gnutls=true))])
AM_CONDITIONAL(HAVE_GNUTLS, test x$gnutls = xtrue)
-AC_DEFINE_UNQUOTED([HAVE_GNUTLS], $gnutls, [We have gnutls])
+AC_DEFINE_UNQUOTED([HAVE_GNUTLS], $gnutls, [We have GnuTLS])
+gnutls_dane=0
+AC_CHECK_HEADERS([gnutls/dane.h],
+ AC_CHECK_LIB([gnutls-dane], [dane_verify_crt_raw],
+ gnutls_dane=true))
+AM_CONDITIONAL(HAVE_GNUTLS_DANE, test x$gnutls_dane = xtrue)
+AC_DEFINE_UNQUOTED([HAVE_GNUTLS_DANE], $gnutls_dane, [We have GnuTLS with DANE
support])
+
# Test if we are building for superMUC
AC_MSG_CHECKING(if GNUnet is being configured to run on the SuperMUC)
AC_ARG_ENABLE([supermuc],
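Review bot: `HAVE_GNUTLS_DANE` ends up defined to the literal text `true` when the library is found (`gnutls_dane=true` fed through `AC_DEFINE_UNQUOTED`), and gnunet-gns-proxy.c tests it with `#if HAVE_GNUTLS_DANE`; unless `true` is already a macro (stdbool.h) at that point, the preprocessor treats the bare identifier as 0 and the DANE path silently compiles out, and even when it works it depends on include order. The flag also starts as `gnutls_dane=0` and becomes `true`, two notations for one value. Defining it to 1 on success, e.g. `AC_DEFINE([HAVE_GNUTLS_DANE], [1], [We have GnuTLS with DANE support])` inside the found branch with the `AM_CONDITIONAL` left as is, removes the dependence on stdbool.h. The existing `HAVE_GNUTLS` line in this hunk has the same shape, so this may be an accepted project convention; the second configure.ac hunk only adds the notice and is not affected.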
@@ -1470,8 +1477,13 @@
#gnutls
if test x$gnutls != xtrue
then
- AC_MSG_NOTICE([NOTICE: gnutls not found, gnunet-gns-proxy will not be built])
+ AC_MSG_NOTICE([NOTICE: GnuTLS not found, gnunet-gns-proxy will not be built])
+else
+if test x$gnutls_dane != xtrue
+then
+ AC_MSG_NOTICE([NOTICE: GnuTLS has no DANE support, DANE validation will not
be possible])
fi
+fi
# java ports
if test "x$enable_java_ports" = "xyes"
Modified: gnunet/src/gns/Makefile.am
===================================================================
--- gnunet/src/gns/Makefile.am 2013-10-21 16:45:00 UTC (rev 30384)
+++ gnunet/src/gns/Makefile.am 2013-10-21 17:01:58 UTC (rev 30385)
@@ -124,6 +124,9 @@
$(top_builddir)/src/identity/libgnunetidentity.la \
$(top_builddir)/src/util/libgnunetutil.la \
$(GN_LIBINTL)
+if HAVE_GNUTLS_DANE
+gnunet_gns_proxy_LDADD += -lgnutls-dane
+endif
gnunet_gns_proxy_DEPENDENCIES = \
$(top_builddir)/src/identity/libgnunetidentity.la \
$(top_builddir)/src/util/libgnunetutil.la \
Modified: gnunet/src/gns/gnunet-gns-proxy.c
===================================================================
--- gnunet/src/gns/gnunet-gns-proxy.c 2013-10-21 16:45:00 UTC (rev 30384)
+++ gnunet/src/gns/gnunet-gns-proxy.c 2013-10-21 17:01:58 UTC (rev 30385)
@@ -35,6 +35,9 @@
#include <gnutls/x509.h>
#include <gnutls/abstract.h>
#include <gnutls/crypto.h>
+#if HAVE_GNUTLS_DANE
+#include <gnutls/dane.h>
+#endif
#include <regex.h>
#include "gnunet_util_lib.h"
#include "gnunet_gns_service.h"
@@ -502,6 +505,11 @@
char *leho;
/**
+ * Payload of the (last) DANE record encountered.
+ */
+ char *dane_data;
+
+ /**
* The URL to fetch
*/
char *url;
@@ -522,6 +530,11 @@
unsigned int response_code;
/**
+ * Number of bytes in @e dane_data.
+ */
+ size_t dane_data_len;
+
+ /**
* Number of bytes already in read buffer
*/
size_t rbuf_len;
@@ -725,6 +738,7 @@
GNUNET_free_non_null (s5r->domain);
GNUNET_free_non_null (s5r->leho);
GNUNET_free_non_null (s5r->url);
+ GNUNET_free_non_null (s5r->dane_data);
GNUNET_free (s5r);
}
@@ -809,7 +823,7 @@
} gptr;
char certdn[GNUNET_DNSPARSER_MAX_NAME_LENGTH + 3];
size_t size;
- gnutls_x509_crt x509_cert;
+ gnutls_x509_crt_t x509_cert;
int rc;
const char *name;
@@ -846,34 +860,101 @@
&size)))
{
GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
- "Failed to fetch CN from cert: %s\n",
+ _("Failed to fetch CN from cert: %s\n"),
gnutls_strerror(rc));
gnutls_x509_crt_deinit (x509_cert);
return GNUNET_SYSERR;
}
- /* FIXME: here we should check for TLSA/DANE records */
+ /* check for TLSA/DANE records */
+#if HAVE_GNUTLS_DANE
+ if (NULL != s5r->dane_data)
+ {
+ char *dd[] = { s5r->dane_data, NULL };
+ int dlen[] = { s5r->dane_data_len, 0};
+ dane_state_t dane_state;
+ dane_query_t dane_query;
+ unsigned int verify;
- name = s5r->domain;
- if (NULL != s5r->leho)
- name = s5r->leho;
- if (NULL != name)
- {
- if (0 == (rc = gnutls_x509_crt_check_hostname (x509_cert,
- name)))
+ /* FIXME: add flags to gnutls to NOT read UNBOUND_ROOT_KEY_FILE here! */
+ if (0 != (rc = dane_state_init (&dane_state,
+ DANE_F_IGNORE_LOCAL_RESOLVER)))
{
GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
- _("SSL certificate subject name (%s) does not match `%s'\n"),
- certdn,
- name);
+ _("Failed to initialize DANE: %s\n"),
+ dane_strerror(rc));
gnutls_x509_crt_deinit (x509_cert);
return GNUNET_SYSERR;
}
+ if (0 != (rc = dane_raw_tlsa (dane_state,
+ &dane_query,
+ dd,
+ dlen,
+ GNUNET_YES,
+ GNUNET_NO)))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+ _("Failed to parse DANE record: %s\n"),
+ dane_strerror(rc));
+ dane_state_deinit (dane_state);
+ gnutls_x509_crt_deinit (x509_cert);
+ return GNUNET_SYSERR;
+ }
+ if (0 != (rc = dane_verify_crt_raw (dane_state,
+ chainp,
+ cert_list_size,
+ gnutls_certificate_type_get
(tlsinfo.internals),
+ dane_query,
+ 0, 0,
+ &verify)))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+ _("Failed to verify TLS connection using DANE: %s\n"),
+ dane_strerror(rc));
+ dane_query_deinit (dane_query);
+ dane_state_deinit (dane_state);
+ gnutls_x509_crt_deinit (x509_cert);
+ return GNUNET_SYSERR;
+ }
+ if (0 != verify)
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+ _("Failed DANE verification failed with GnuTLS verify status
code: %u\n"),
+ verify);
+ dane_query_deinit (dane_query);
+ dane_state_deinit (dane_state);
+ gnutls_x509_crt_deinit (x509_cert);
+ return GNUNET_SYSERR;
+ }
+ dane_query_deinit (dane_query);
+ dane_state_deinit (dane_state);
+ /* success! */
}
else
+#endif
{
- GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
- _("No LEHO or domain name available and TLSA/DANE is not yet
implemented!\n"));
- return GNUNET_SYSERR;
+ /* try LEHO or ordinary domain name X509 verification */
+ name = s5r->domain;
+ if (NULL != s5r->leho)
+ name = s5r->leho;
+ if (NULL != name)
+ {
+ if (0 == (rc = gnutls_x509_crt_check_hostname (x509_cert,
+ name)))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+ _("SSL certificate subject name (%s) does not match
`%s'\n"),
+ certdn,
+ name);
+ gnutls_x509_crt_deinit (x509_cert);
+ return GNUNET_SYSERR;
+ }
+ }
+ else
+ {
+ /* we did not even have the domain name!? */
+ GNUNET_break (0);
+ return GNUNET_SYSERR;
+ }
}
gnutls_x509_crt_deinit (x509_cert);
#if 0
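Review bot: The `else` branch containing `GNUNET_break (0)` near the end of the hunk returns `GNUNET_SYSERR` without releasing `x509_cert`, while every other early return in this hunk calls `gnutls_x509_crt_deinit (x509_cert)` first; add `gnutls_x509_crt_deinit (x509_cert);` before that `return`. Separately, once `dane_verify_crt_raw` reports success the function never runs `gnutls_x509_crt_check_hostname`; if I read the GnuTLS API correctly the DANE call only matches the chain against the TLSA data and, for the PKIX-TA/PKIX-EE usages, a name and chain check is still expected, so it may be safer to run the hostname comparison on both paths or limit the DANE-only path to the end-entity usages. `int dlen[] = { s5r->dane_data_len, 0};` silently narrows a `size_t`, and the log string `"Failed DANE verification failed with GnuTLS verify status code: %u\n"` doubles "failed". The enclosing function starts and continues outside this hunk, so `chainp`, `cert_list_size` and `tlsinfo` are not visible here.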
@@ -2355,6 +2436,14 @@
s5r->leho = GNUNET_strndup (r->data,
r->data_size);
break;
+ case GNUNET_DNSPARSER_TYPE_TLSA:
+ GNUNET_free_non_null (s5r->dane_data);
+ s5r->dane_data_len = r->data_size;
+ s5r->dane_data = GNUNET_malloc (r->data_size);
+ memcpy (s5r->dane_data,
+ r->data,
+ r->data_size);
+ break;
default:
/* don't care */
break;
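Review bot: The new `GNUNET_DNSPARSER_TYPE_TLSA` case overwrites `s5r->dane_data` on every TLSA record, so a name with several TLSA records keeps only the last one in the result set and `dane_raw_tlsa` later sees a single-entry array; presumably a record set that carries more than one usable association could then fail verification depending on which record happens to come last. Accumulating all TLSA payloads, or at least stating the last-wins policy in the comment on the `dane_data` field (`Payload of the (last) DANE record encountered` already hints at it), seems worth considering. The enclosing `switch` and function begin outside this hunk.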