authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-04-28 11:10:07 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-04-28 11:12:23 +0200
commitea0787307c348fe26ddcb28f59e1689a487dff97 (patch)
treeca3108d4b1442db704dffb5f77b707e175d295a8
parent8074860e16594cdf14472af454972a1961e17e73 (diff)
downloadgnutls-ea0787307c348fe26ddcb28f59e1689a487dff97.tar.gz
Accept a certificate using DANE if there is at least one entry that matches the certificate.
This corrects the previous behavior, which rejected the certificate if there were multiple entries and one of them couldn't be validated. The new flag DANE_VERIFY_UNKNOWN_DANE_INFO is synonymous with DANE_VERIFY_NO_DANE_INFO. Patch by simon@arlott.org. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--libdane/dane.c22
-rw-r--r--libdane/includes/gnutls/dane.h7
2 files changed, 24 insertions, 5 deletions
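--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -648,6 +648,8 @@ dane_verify_crt_raw(dane_state_t s,
 *verify = 0;
 idx = 0;
 do {
+ unsigned int record_verify = 0;
+
 ret =
 dane_query_data(r, idx++, &usage, &type, &match,
 &data);
@@ -664,23 +666,35 @@ dane_verify_crt_raw(dane_state_t s,
 || usage == DANE_CERT_USAGE_CA)) {
 ret =
 verify_ca(chain, chain_size, chain_type, type,
- match, &data, verify);
+ match, &data, &record_verify);
 if (ret < 0) {
 gnutls_assert();
 goto cleanup;
 }
 checked = 1;
+ if (record_verify == 0) {
+ *verify = 0;
+ break;
+ } else {
+ *verify |= record_verify;
+ }
 } else if (!(vflags & DANE_VFLAG_ONLY_CHECK_CA_USAGE)
 && (usage == DANE_CERT_USAGE_LOCAL_EE
 || usage == DANE_CERT_USAGE_EE)) {
 ret =
 verify_ee(&chain[0], chain_type, type, match,
- &data, verify);
+ &data, &record_verify);
 if (ret < 0) {
 gnutls_assert();
 goto cleanup;
 }
 checked = 1;
+ if (record_verify == 0) {
+ *verify = 0;
+ break;
+ } else {
+ *verify |= record_verify;
+ }
 }
 }
 while (1);
@@ -688,6 +702,10 @@ dane_verify_crt_raw(dane_state_t s,
 if ((vflags & DANE_VFLAG_FAIL_IF_NOT_CHECKED) && checked == 0)
 ret =
 gnutls_assert_val(DANE_E_REQUESTED_DATA_NOT_AVAILABLE);
+ else if (checked == 0)
+ {
+ *verify |= DANE_VERIFY_UNKNOWN_DANE_INFO;
+ }
 else
 ret = 0;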
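Review bot: The new `else if (checked == 0)` branch in the last hunk sets the DANE_VERIFY_UNKNOWN_DANE_INFO bit but, unlike the `else` branch right below it, never assigns `ret`, so when no record had a handled usage the function returns whatever value the do/while loop left in `ret`. The loop's exit path is not in the hunk (the lines between the second and third hunk are elided), but if it breaks out with the end-of-records status from dane_query_data(), callers get that error code together with the status bit instead of a success return with the bit set, which a caller checking `ret < 0` first would treat as a hard failure rather than "no usable DANE data". If the condition is meant to be reported only through *verify, make the branch `else if (checked == 0) { *verify |= DANE_VERIFY_UNKNOWN_DANE_INFO; ret = 0; }`. dane_verify_crt_raw() starts and ends outside these hunks, so the loop's termination path should be confirmed before relying on either reading.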
diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h
index 9fd807793e..98e4a96faa 100644
--- a/libdane/includes/gnutls/dane.h
+++ b/libdane/includes/gnutls/dane.h
@@ -140,19 +140,20 @@ typedef enum dane_verify_flags_t {
/**
* dane_verify_status_t:
- * @DANE_VERIFY_CA_CONSTRAINTS_VIOLATED: The CA constrains was violated.
+ * @DANE_VERIFY_CA_CONSTRAINTS_VIOLATED: The CA constraints were violated.
* @DANE_VERIFY_CERT_DIFFERS: The certificate obtained via DNS differs.
- * @DANE_VERIFY_NO_DANE_INFO: No DANE data were found in the DNS record.
+ * @DANE_VERIFY_UNKNOWN_DANE_INFO: No known DANE data was found in the DNS record.
*
* Enumeration of different verification status flags.
*/
typedef enum dane_verify_status_t {
DANE_VERIFY_CA_CONSTRAINTS_VIOLATED = 1,
DANE_VERIFY_CERT_DIFFERS = 1 << 1,
- DANE_VERIFY_NO_DANE_INFO = 1 << 2,
+ DANE_VERIFY_UNKNOWN_DANE_INFO = 1 << 2,
} dane_verify_status_t;
#define DANE_VERIFY_CA_CONSTRAINS_VIOLATED DANE_VERIFY_CA_CONSTRAINTS_VIOLATED
+#define DANE_VERIFY_NO_DANE_INFO DANE_VERIFY_UNKNOWN_DANE_INFO
int
dane_verification_status_print(unsigned int status,