A --disable-dane-verify option for configure origin/devel/openssl-1.1-dane
authorWillem Toorop <willem@nlnetlabs.nl>
Tue, 8 Nov 2016 13:53:24 +0000 (14:53 +0100)
committerWillem Toorop <willem@nlnetlabs.nl>
Tue, 8 Nov 2016 13:53:24 +0000 (14:53 +0100)
configure.ac
dane.c
examples/ldns-dane.c

index 05f576f5a06cdb34c8afa68ed5dfaf1e152a3cc7..5387312664bc32ffdbab35a521e20beaf4d12132 100644 (file)
@@ -410,10 +410,12 @@ case "$enable_ed448" in
 esac
 
 AC_ARG_ENABLE(dane, AC_HELP_STRING([--disable-dane], [Disable DANE support]))
+AC_ARG_ENABLE(dane-verify, AC_HELP_STRING([--disable-dane-verify], [Disable DANE verify support]))
 AC_ARG_ENABLE(dane-ta-usage, AC_HELP_STRING([--disable-dane-ta-usage], [Disable DANE-TA usage type support]))
 case "$enable_dane" in
     no)
       AC_SUBST(ldns_build_config_use_dane, 0)
+      AC_SUBST(ldns_build_config_use_dane_verify, 0)
       AC_SUBST(ldns_build_config_use_dane_ta_usage, 0)
       ;;
     *) dnl default
@@ -421,19 +423,28 @@ case "$enable_dane" in
         AC_MSG_ERROR([DANE enabled, but no SSL support])
       fi
       AC_CHECK_FUNC(X509_check_ca, [], [AC_MSG_ERROR([OpenSSL does not support DANE: please upgrade OpenSSL or rerun with --disable-dane])])
-      AC_DEFINE_UNQUOTED([USE_DANE], [1], [Define this to enable DANE support.])
       AC_SUBST(ldns_build_config_use_dane, 1)
-      case "$enable_dane_ta_usage" in
+      AC_DEFINE_UNQUOTED([USE_DANE], [1], [Define this to enable DANE support.])
+      case "$enable_dane_verify" in
           no)
+            AC_SUBST(ldns_build_config_use_dane_verify, 0)
             AC_SUBST(ldns_build_config_use_dane_ta_usage, 0)
-            ;;
-          *) dnl default
-           LIBS="$LIBS -lssl"
-            AC_CHECK_FUNC(SSL_get0_dane, [], [AC_MSG_ERROR([OpenSSL does not support offline DANE verification (Needed for the DANE-TA usage type).  Please upgrade OpenSSL to version >= 1.1.0 or rerun with --disable-dane-ta-usage])])
-            LIBSSL_LIBS="$LIBSSL_LIBS -lssl"
-            AC_DEFINE_UNQUOTED([USE_DANE_TA_USAGE], [1], [Define this to enable DANE-TA usage type support.])
-            AC_SUBST(ldns_build_config_use_dane_ta_usage, 1)
-            ;;
+           ;;
+         *)
+           AC_SUBST(ldns_build_config_use_dane_verify, 1)
+           AC_DEFINE_UNQUOTED([USE_DANE_VERIFY], [1], [Define this to enable DANE verify support.])
+            case "$enable_dane_ta_usage" in
+                no)
+                  AC_SUBST(ldns_build_config_use_dane_ta_usage, 0)
+                  ;;
+                *) dnl default
+           LIBS="$LIBS -lssl"
+                  AC_CHECK_FUNC(SSL_get0_dane, [], [AC_MSG_ERROR([OpenSSL does not support offline DANE verification (Needed for the DANE-TA usage type).  Please upgrade OpenSSL to version >= 1.1.0 or rerun with --disable-dane-verify or --disable-dane-ta-usage])])
+                  LIBSSL_LIBS="$LIBSSL_LIBS -lssl"
+                  AC_SUBST(ldns_build_config_use_dane_ta_usage, 1)
+                  AC_DEFINE_UNQUOTED([USE_DANE_TA_USAGE], [1], [Define this to enable DANE-TA usage type support.])
+                  ;;
+            esac
       esac
       ;;
 esac
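Review bot: `LIBS="$LIBS -lssl"` in the default arm of the new inner `enable_dane_ta_usage` case is indented at the level of the enclosing `enable_dane_verify` case instead of alongside its sibling `AC_CHECK_FUNC` and `LIBSSL_LIBS` lines, which makes the two nested cases hard to read; re-indent it to match the lines around it. The `no)` arm of `enable_dane_verify` also sets `ldns_build_config_use_dane_ta_usage` to 0 without consulting `$enable_dane_ta_usage`, so an explicit `--enable-dane-ta-usage` given together with `--disable-dane-verify` is silently discarded; an `AC_MSG_WARN([--disable-dane-verify also disables DANE-TA usage type support])` in that arm, or an error when the user asked for both, would make the dependency visible. The `dnl default` marker was dropped from the outer `*)` arm while the inner one keeps it.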
diff --git a/dane.c b/dane.c
index f9b5c661caec66ad5b43cc90e35cd0f89c6561bd..30dc1f700519e9e83d1cfa4cccc374dba9929818 100644 (file)
--- a/dane.c
+++ b/dane.c
@@ -504,6 +504,7 @@ memerror:
 }
 
 
+#ifdef USE_DANE_VERIFY
 /* Return tlsas that actually are TLSA resource records with known values
  * for the Certificate usage, Selector and Matching type rdata fields.
  */
@@ -592,8 +593,10 @@ ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
        }
        return s;
 }
-#endif
+#endif /* !defined(USE_DANE_TA_USAGE) */
+#endif /* USE_DANE_VERIFY */
 
+#ifdef USE_DANE_VERIFY
 ldns_status
 ldns_dane_verify_rr(const ldns_rr* tlsa_rr,
                X509* cert, STACK_OF(X509)* extra_certs,
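Review bot: `ldns_dane_verify_rr` and `ldns_dane_verify` are public entry points, and this hunk compiles them out when `USE_DANE_VERIFY` is unset, but the commit shows no matching change to the header that declares them; unless `ldns_build_config_use_dane_verify`, which configure.ac now substitutes, is used to guard those prototypes as well, a `--disable-dane-verify` build leaves declarations whose symbols are missing from the library. The `#endif /* USE_DANE_VERIFY */` followed two lines later by a fresh `#ifdef USE_DANE_VERIFY` can be collapsed into one region, since only a blank line separates them. The new `#endif /* !defined(USE_DANE_TA_USAGE) */` comment presumably matches an `#ifndef USE_DANE_TA_USAGE` above the hunk; that opening is outside the hunk, so confirm the nesting really is `USE_DANE_VERIFY` outside and `USE_DANE_TA_USAGE` inside, as the two `#endif` comments now claim.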
@@ -933,5 +936,6 @@ ldns_dane_verify(const ldns_rr_list* tlsas,
        ldns_rr_list_free(usable_tlsas);
        return s;
 }
+#endif /* USE_DANE_VERIFY */
 #endif /* HAVE_SSL */
 #endif /* USE_DANE */
index 7997e15f2befa788810f61059f42f3b6b9066e78..8bffb530c12ac6f5b513cd26dcca8b6ce1ad1d2a 100644 (file)
 static void
 print_usage(const char* progname)
 {
+#ifdef USE_DANE_VERIY
        printf("Usage: %s [OPTIONS] verify <name> <port>\n", progname);
        printf("   or: %s [OPTIONS] -t <tlsafile> verify\n", progname);
        printf("\n\tVerify the TLS connection at <name>:<port> or"
               "\n\tuse TLSA record(s) from <tlsafile> to verify the\n"
                        "\tTLS service they reference.\n");
        printf("\n   or: %s [OPTIONS] create <name> <port> [<usage> "
+#else
+       printf("Usage: %s [OPTIONS] create <name> <port> [<usage> "
+#endif
                        "[<selector> [<type>]]]\n", progname);
        printf("\n\tUse the TLS connection(s) to <name> <port> "
                        "to create the TLSA\n\t"
@@ -322,6 +326,7 @@ ssl_connect_and_get_cert_chain(
 }
 
 
+#ifdef USE_DANE_VERIFY
 static void
 ssl_interact(SSL* ssl)
 {
@@ -408,6 +413,7 @@ ssl_interact(SSL* ssl)
 
        } /* for (;;) */
 }
+#endif /* USE_DANE_VERIFY */
 
 
 static ldns_rr_list*
@@ -1089,6 +1095,7 @@ dane_create(ldns_rr_list* tlsas, ldns_rdf* tlsa_owner,
        }
 }
 
+#ifdef USE_DANE_VERIFY
 static bool
 dane_verify(ldns_rr_list* tlsas, ldns_rdf* address,
                X509* cert, STACK_OF(X509)* extra_certs,
@@ -1129,6 +1136,7 @@ dane_verify(ldns_rr_list* tlsas, ldns_rdf* address,
                        ldns_get_errorstr_by_id(s));
        return false;
 }
+#endif /* USE_DANE_VERIFY */
 
 /**
  * Return either an A or AAAA rdf, based on the given
@@ -1398,6 +1406,7 @@ main(int argc, char* const* argv)
                argc--;
                argv++;
 
+#ifdef USE_DANE_VERIFY
        } else if (strncasecmp(*argv, "verify", strlen(*argv)) == 0) {
 
                mode = VERIFY;
@@ -1406,9 +1415,20 @@ main(int argc, char* const* argv)
 
        } else {
                fprintf(stderr, "Specify create or verify mode\n");
+#else
+       } else {
+               fprintf(stderr, "Specify create mode\n");
+#endif
                exit(EXIT_FAILURE);
        }
 
+#ifndef USE_DANE_VERIFY
+       (void)transport_str;
+       (void)transport_rdf;
+       (void)port_str;
+       (void)port_rdf;
+       (void)interact;
+#else
        if (mode == VERIFY && argc == 0) {
 
                if (! tlsas_file) {
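Review bot: The `#else` arm at the `Specify create or verify mode` message repeats the whole `} else {` line rather than guarding only the string, and the later hunk at `@@ -1508` closes the construct with a dangling `} else ` before `#endif` followed by `if (argc < 2) {` on the far side, so a reader has to preprocess mentally to see which braces pair. Keeping a single `} else {` and switching only the message, and wrapping the whole `if (mode == VERIFY && argc == 0) { ... } else` chain as one guarded unit, would keep the brace structure identical in both configurations. The run of `(void)transport_str;` casts deserves a one-line comment such as `/* only used by the verify path, which is compiled out */` so a later reader does not delete them as dead code. `main` starts and ends outside this hunk, and the trailing whitespace after `} else ` in the `@@ -1508` hunk should be dropped as well.
```c
	} else {
#ifdef USE_DANE_VERIFY
		fprintf(stderr, "Specify create or verify mode\n");
#else
		fprintf(stderr, "Specify create mode\n");
#endif
		exit(EXIT_FAILURE);
	}
	/* … unchanged: (void) casts and the verify-only argument handling … */
```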
@@ -1508,7 +1528,9 @@ main(int argc, char* const* argv)
                }
 
 
-       } else if (argc < 2) {
+       } else 
+#endif /* USE_DANE_VERIFY */
+               if (argc < 2) {
 
                print_usage("ldns-dane");
 
@@ -1689,6 +1711,7 @@ main(int argc, char* const* argv)
                                             cert, extra_certs, store,
                                             verify_server_name, name);
                             break;
+#ifdef USE_DANE_VERIFY
                case VERIFY: if (! dane_verify(tlsas, NULL,
                                               cert, extra_certs, store,
                                               verify_server_name, name,
@@ -1696,6 +1719,7 @@ main(int argc, char* const* argv)
                                     success = false;
                             }
                             break;
+#endif
                default:     break; /* suppress warning */
                }
                SSL_free(ssl);
@@ -1748,6 +1772,7 @@ main(int argc, char* const* argv)
                                                     verify_server_name, name);
                                     break;
 
+#ifdef USE_DANE_VERIFY
                        case VERIFY: if (! dane_verify(tlsas, address,
                                                cert, extra_certs, store,
                                                verify_server_name, name,
@@ -1758,6 +1783,7 @@ main(int argc, char* const* argv)
                                             ssl_interact(ssl);
                                     }
                                     break;
+#endif
                        default:     break; /* suppress warning */
                        }
                        while (SSL_shutdown(ssl) == 0);