authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-04-28 11:10:07 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-04-28 11:15:47 +0200
commit9fce428f14810e601960adbc9ba07e89bbe7c0d2 (patch)
treed4c3a5474f130e9c775c59521452d24b07a235a6 /libdane
parent61e6080aee027b20b31a03b37343615809036144 (diff)
Accept a certificate using DANE if there is at least one entry that matches the certificate.
This corrects the previous behavior that was rejecting the certificate if there were multiple entries and one couldn't be validated. New flag DANE_VERIFY_UNKNOWN_DANE_INFO is synonymous to DANE_VERIFY_NO_DANE_INFO. Patch by simon@arlott.org. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'libdane')
-rw-r--r--libdane/dane.c22
-rw-r--r--libdane/includes/gnutls/dane.h7
2 files changed, 24 insertions, 5 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index 79be0271d0..f423e27327 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -649,6 +649,8 @@ dane_verify_crt_raw(dane_state_t s,
*verify = 0;
idx = 0;
do {
+ unsigned int record_verify = 0;
+
ret =
dane_query_data(r, idx++, &usage, &type, &match,
&data);
@@ -665,23 +667,35 @@ dane_verify_crt_raw(dane_state_t s,
|| usage == DANE_CERT_USAGE_CA)) {
ret =
verify_ca(chain, chain_size, chain_type, type,
- match, &data, verify);
+ match, &data, &record_verify);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
checked = 1;
+ if (record_verify == 0) {
+ *verify = 0;
+ break;
+ } else {
+ *verify |= record_verify;
+ }
} else if (!(vflags & DANE_VFLAG_ONLY_CHECK_CA_USAGE)
&& (usage == DANE_CERT_USAGE_LOCAL_EE
|| usage == DANE_CERT_USAGE_EE)) {
ret =
verify_ee(&chain[0], chain_type, type, match,
- &data, verify);
+ &data, &record_verify);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
checked = 1;
+ if (record_verify == 0) {
+ *verify = 0;
+ break;
+ } else {
+ *verify |= record_verify;
+ }
}
}
while (1);
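Review bot: The six-line match/accumulate block that follows `checked = 1;` is duplicated verbatim in the CA branch and in the EE branch of the usage dispatch, so any later change to the acceptance rule has to be made twice. It can be hoisted below the if/else chain by recording in a per-iteration flag whether this record was actually checked, leaving each branch with only its verify_* call; the per-record `record_verify` is already declared at the top of the loop body in the previous hunk. A one-line comment on the hoisted block, `/* one matching TLSA record is sufficient to accept the chain */`, would also state the rule the commit introduces, which is currently implicit in the `*verify = 0; break;` pair. dane_verify_crt_raw begins before this hunk and continues after it.
```c
		unsigned int record_verify = 0;
		unsigned int record_checked = 0;
		/* … unchanged: dane_query_data() call and usage dispatch … */
			ret =
			    verify_ca(chain, chain_size, chain_type, type,
				      match, &data, &record_verify);
			if (ret < 0) {
				gnutls_assert();
				goto cleanup;
			}
			record_checked = 1;
		/* … unchanged: verify_ee() branch, same shape, also setting record_checked … */
		if (record_checked) {
			checked = 1;
			/* one matching TLSA record is sufficient to accept the chain */
			if (record_verify == 0) {
				*verify = 0;
				break;
			}
			*verify |= record_verify;
		}
	}
	while (1);
```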
@@ -689,6 +703,10 @@ dane_verify_crt_raw(dane_state_t s,
if ((vflags & DANE_VFLAG_FAIL_IF_NOT_CHECKED) && checked == 0)
ret =
gnutls_assert_val(DANE_E_REQUESTED_DATA_NOT_AVAILABLE);
+ else if (checked == 0)
+ {
+ *verify |= DANE_VERIFY_UNKNOWN_DANE_INFO;
+ }
else
ret = 0;
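Review bot: The added `else if (checked == 0)` branch sets the status flag but never assigns `ret`, whereas the `else` branch it was split from always sets `ret = 0`; on that path the function returns whatever the do/while loop left in `ret`. If the loop exits with the not-available status from dane_query_data() after the last record (the loop's exit test is outside this hunk, so this is inferred), the caller would receive an error code together with DANE_VERIFY_UNKNOWN_DANE_INFO, which is exactly the case the new flag is meant to report as a non-error. Assign the return explicitly: `else if (checked == 0) { *verify |= DANE_VERIFY_UNKNOWN_DANE_INFO; ret = 0; }`, which also brings the brace placement in line with the K&R style used by the surrounding `if (ret < 0) {` blocks. The function's cleanup and return are outside the hunk.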
diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h
index 9fd807793e..98e4a96faa 100644
--- a/libdane/includes/gnutls/dane.h
+++ b/libdane/includes/gnutls/dane.h
@@ -140,19 +140,20 @@ typedef enum dane_verify_flags_t {
/**
* dane_verify_status_t:
- * @DANE_VERIFY_CA_CONSTRAINTS_VIOLATED: The CA constrains was violated.
+ * @DANE_VERIFY_CA_CONSTRAINTS_VIOLATED: The CA constraints were violated.
* @DANE_VERIFY_CERT_DIFFERS: The certificate obtained via DNS differs.
- * @DANE_VERIFY_NO_DANE_INFO: No DANE data were found in the DNS record.
+ * @DANE_VERIFY_UNKNOWN_DANE_INFO: No known DANE data was found in the DNS record.
*
* Enumeration of different verification status flags.
*/
typedef enum dane_verify_status_t {
DANE_VERIFY_CA_CONSTRAINTS_VIOLATED = 1,
DANE_VERIFY_CERT_DIFFERS = 1 << 1,
- DANE_VERIFY_NO_DANE_INFO = 1 << 2,
+ DANE_VERIFY_UNKNOWN_DANE_INFO = 1 << 2,
} dane_verify_status_t;
#define DANE_VERIFY_CA_CONSTRAINS_VIOLATED DANE_VERIFY_CA_CONSTRAINTS_VIOLATED
+#define DANE_VERIFY_NO_DANE_INFO DANE_VERIFY_UNKNOWN_DANE_INFO
int
dane_verification_status_print(unsigned int status,