authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-05-13 09:52:22 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-05-13 09:52:22 +0200
commit5e72831da990dbd075d836c3e3a4df9db1ff8fef (patch)
tree8ac7889d833a64e1bbe82805bb5405097313cbf0 /src/cli.c
parentb81799169867783cfee2c7755ddb634f98c333d3 (diff)
gnutls-cli: if DANE verification is used but not PKIX, only check the end certificate.
Diffstat (limited to 'src/cli.c')
-rw-r--r--src/cli.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/cli.c b/src/cli.c
index 140de65f9f..ddf9a832ca 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -461,14 +461,20 @@ static int cert_verify_callback(gnutls_session_t session)
#ifdef HAVE_DANE
if (dane) { /* try DANE auth */
int port;
+ unsigned vflags = 0;
unsigned int sflags =
ENABLED_OPT(LOCAL_DNS) ? 0 :
DANE_F_IGNORE_LOCAL_RESOLVER;
+ /* if we didn't verify the chain it only makes sense
+ * to check the end certificate using dane. */
+ if (ca_verify == 0)
+ vflags |= DANE_VFLAG_ONLY_CHECK_EE_USAGE;
+
port = service_to_port(service);
rc = dane_verify_session_crt(NULL, session, hostname,
udp ? "udp" : "tcp", port,
- sflags, 0, &status);
+ sflags, vflags, &status);
if (rc < 0) {
fprintf(stderr,
"*** DANE verification error: %s\n",