authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-04-26 14:34:26 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-04-26 15:09:21 +0200
commit31efe96b876eb4f1b4c6a61fa8192e9f9b23334e (patch)
treeaac4df417a9110b7773aa06f90fecfd7f6898fc2 /libdane/dane.c
parent1dda7cfe6ad83590f39ee9119b32e014239662ca (diff)
downloadgnutls-31efe96b876eb4f1b4c6a61fa8192e9f9b23334e.tar.gz
dane: verification will not fail if a CA entry is encountered but cannot be verified
This addresses the issue of verifying a single certificate against a list of TLSA entries that contains an entry with CA usage (cert usage 0). With the previous behavior verification would have failed, whereas now this entry will be skipped.
Diffstat (limited to 'libdane/dane.c')
-rw-r--r--libdane/dane.c8
1 files changed, 5 insertions, 3 deletions
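--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -572,8 +572,8 @@ verify_ca(const gnutls_datum_t * raw_crt, unsigned raw_crt_size,
 gnutls_x509_crt_t crt = NULL, ca = NULL;
 unsigned is_ok = 0;
-if (raw_crt_size < 2)
-return gnutls_assert_val(DANE_E_INVALID_REQUEST);
+if (raw_crt_size < 2) /* we cannot verify the CA */
+return gnutls_assert_val(DANE_E_UNKNOWN_DANE_DATA);
 if (ctype == DANE_CERT_X509 && crt_type == GNUTLS_CRT_X509) {
 is_ok = 0;
@@ -918,7 +918,9 @@ dane_verify_crt(dane_state_t s,
  *
  * Returns: a negative error code on error and %DANE_E_SUCCESS (0)
  * when the DANE entries were successfully parsed, irrespective of
- * whether they were verified (see @verify for that information).
+ * whether they were verified (see @verify for that information). If
+ * no usable entries were encountered %DANE_E_REQUESTED_DATA_NOT_AVAILABLE
+ * will be returned.
  *
  **/
 int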
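Review bot: The `raw_crt_size < 2` check in verify_ca now returns DANE_E_UNKNOWN_DANE_DATA to mean "too few certificates were supplied to evaluate a CA-usage entry", but the one-line comment does not say that the caller is expected to treat this code as "skip this entry" rather than as malformed TLSA data; the code that does the skipping is outside this hunk, so the intent is invisible at the point of return. Suggest replacing the comment with `/* only the end-entity certificate was supplied; a CA-usage entry cannot be evaluated, so signal the caller to skip it instead of failing */`. The dane_verify_crt docstring in the second hunk would also benefit from stating that CA-usage entries are skipped when the chain holds a single certificate, so a caller verifying a lone certificate knows a match on such an entry is never reported and that %DANE_E_REQUESTED_DATA_NOT_AVAILABLE is the outcome when every entry is of that kind. Whether the skip is limited to usage 0 or also covers usage 2 cannot be confirmed from the hunk; the docstring should say which. verify_ca's body and the dane_verify_crt definition continue outside the hunks.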