From 500803ae4d9baaaa54ddbce70e2d5ef89e6e3e18 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Tue, 8 Nov 2016 14:53:24 +0100
Subject: [PATCH] A --disable-dane-verify option for configure
---
 configure.ac | 31 +++++++++++++++++++++----------
 dane.c | 6 +++++-
 examples/ldns-dane.c | 28 +++++++++++++++++++++++++++-
 3 files changed, 53 insertions(+), 12 deletions(-)
diff --git a/configure.ac b/configure.ac
index 05f576f5..53873126 100644
--- a/configure.ac
+++ b/configure.ac
@@ -410,10 +410,12 @@ case "$enable_ed448" in
 esac
 AC_ARG_ENABLE(dane, AC_HELP_STRING([--disable-dane], [Disable DANE support]))
+AC_ARG_ENABLE(dane-verify, AC_HELP_STRING([--disable-dane-verify], [Disable DANE verify support]))
 AC_ARG_ENABLE(dane-ta-usage, AC_HELP_STRING([--disable-dane-ta-usage], [Disable DANE-TA usage type support]))
 case "$enable_dane" in
 no)
 AC_SUBST(ldns_build_config_use_dane, 0)
+ AC_SUBST(ldns_build_config_use_dane_verify, 0)
 AC_SUBST(ldns_build_config_use_dane_ta_usage, 0)
 ;;
 *) dnl default
@@ -421,19 +423,28 @@ case "$enable_dane" in
 AC_MSG_ERROR([DANE enabled, but no SSL support])
 fi
 AC_CHECK_FUNC(X509_check_ca, [], [AC_MSG_ERROR([OpenSSL does not support DANE: please upgrade OpenSSL or rerun with --disable-dane])])
- AC_DEFINE_UNQUOTED([USE_DANE], [1], [Define this to enable DANE support.])
 AC_SUBST(ldns_build_config_use_dane, 1)
- case "$enable_dane_ta_usage" in
+ AC_DEFINE_UNQUOTED([USE_DANE], [1], [Define this to enable DANE support.])
+ case "$enable_dane_verify" in
 no)
+ AC_SUBST(ldns_build_config_use_dane_verify, 0)
 AC_SUBST(ldns_build_config_use_dane_ta_usage, 0)
- ;;
- *) dnl default
- LIBS="$LIBS -lssl"
- AC_CHECK_FUNC(SSL_get0_dane, [], [AC_MSG_ERROR([OpenSSL does not support offline DANE verification (Needed for the DANE-TA usage type). Please upgrade OpenSSL to version >= 1.1.0 or rerun with --disable-dane-ta-usage])])
- LIBSSL_LIBS="$LIBSSL_LIBS -lssl"
- AC_DEFINE_UNQUOTED([USE_DANE_TA_USAGE], [1], [Define this to enable DANE-TA usage type support.])
- AC_SUBST(ldns_build_config_use_dane_ta_usage, 1)
- ;;
+ ;;
+ *)
+ AC_SUBST(ldns_build_config_use_dane_verify, 1)
+ AC_DEFINE_UNQUOTED([USE_DANE_VERIFY], [1], [Define this to enable DANE verify support.])
+ case "$enable_dane_ta_usage" in
+ no)
+ AC_SUBST(ldns_build_config_use_dane_ta_usage, 0)
+ ;;
+ *) dnl default
+ LIBS="$LIBS -lssl"
+ AC_CHECK_FUNC(SSL_get0_dane, [], [AC_MSG_ERROR([OpenSSL does not support offline DANE verification (Needed for the DANE-TA usage type). Please upgrade OpenSSL to version >= 1.1.0 or rerun with --disable-dane-verify or --disable-dane-ta-usage])])
+ LIBSSL_LIBS="$LIBSSL_LIBS -lssl"
+ AC_SUBST(ldns_build_config_use_dane_ta_usage, 1)
+ AC_DEFINE_UNQUOTED([USE_DANE_TA_USAGE], [1], [Define this to enable DANE-TA usage type support.])
+ ;;
+ esac
 esac
 ;;
 esac
diff --git a/dane.c b/dane.c
index f9b5c661..30dc1f70 100644
--- a/dane.c
+++ b/dane.c
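Review bot: The new `AC_SUBST(ldns_build_config_use_dane_verify, 1)` / `0` substitutions have no consumer in this patch — the diffstat lists only configure.ac, dane.c and examples/ldns-dane.c — so no build-config header template picks up the value, and the public declarations of ldns_dane_verify() and ldns_dane_verify_rr() presumably remain unconditional while dane.c now compiles their definitions out. A `--disable-dane-verify` build would then install a header that declares symbols the library does not export (inferred; the header is outside this patch), so either wire the substitution into the build-config header and guard the declarations on it, or drop the unused AC_SUBST. Separately, the AC_CHECK_FUNC(SSL_get0_dane, ...) error text now lists `--disable-dane-verify` first, but `--disable-dane-ta-usage` is the narrower remedy (it keeps verification and only drops the DANE-TA requirement); naming it first would steer users to the smaller loss of functionality.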
@@ -504,6 +504,7 @@ memerror:
 }
+#ifdef USE_DANE_VERIFY
 /* Return tlsas that actually are TLSA resource records with known values
 * for the Certificate usage, Selector and Matching type rdata fields.
 */
@@ -592,8 +593,10 @@ ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
 }
 return s;
 }
-#endif
+#endif /* !defined(USE_DANE_TA_USAGE) */
+#endif /* USE_DANE_VERIFY */
+#ifdef USE_DANE_VERIFY
 ldns_status
 ldns_dane_verify_rr(const ldns_rr* tlsa_rr, X509* cert,
 STACK_OF(X509)* extra_certs,
@@ -933,5 +936,6 @@ ldns_dane_verify(const ldns_rr_list* tlsas,
 ldns_rr_list_free(usable_tlsas);
 return s;
 }
+#endif /* USE_DANE_VERIFY */
 #endif /* HAVE_SSL */
 #endif /* USE_DANE */
diff --git a/examples/ldns-dane.c b/examples/ldns-dane.c
index 7997e15f..8bffb530 100644
--- a/examples/ldns-dane.c
+++ b/examples/ldns-dane.c
@@ -61,12 +61,16 @@ static void
 print_usage(const char* progname)
 {
+#ifdef USE_DANE_VERIY
 printf("Usage: %s [OPTIONS] verify \n", progname);
 printf(" or: %s [OPTIONS] -t verify\n", progname);
 printf("\n\tVerify the TLS connection at : or"
 "\n\tuse TLSA record(s) from to verify the\n"
 "\tTLS service they reference.\n");
 printf("\n or: %s [OPTIONS] create [ "
+#else
+ printf("Usage: %s [OPTIONS] create [ "
+#endif
 "[ []]]\n", progname);
 printf("\n\tUse the TLS connection(s) to "
 "to create the TLSA\n\t"
@@ -322,6 +326,7 @@ ssl_connect_and_get_cert_chain(
 }
+#ifdef USE_DANE_VERIFY
 static void
 ssl_interact(SSL* ssl)
 {
@@ -408,6 +413,7 @@ ssl_interact(SSL* ssl)
 } /* for (;;) */
 }
+#endif /* USE_DANE_VERIFY */
 static ldns_rr_list*
@@ -1089,6 +1095,7 @@ dane_create(ldns_rr_list* tlsas, ldns_rdf* tlsa_owner,
 }
 }
+#ifdef USE_DANE_VERIFY
 static bool
 dane_verify(ldns_rr_list* tlsas, ldns_rdf* address,
 X509* cert, STACK_OF(X509)* extra_certs,
@@ -1129,6 +1136,7 @@ dane_verify(ldns_rr_list* tlsas, ldns_rdf* address,
 ldns_get_errorstr_by_id(s));
 return false;
 }
+#endif /* USE_DANE_VERIFY */
 /**
 * Return either an A or AAAA rdf, based on the given
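Review bot: In the dane.c hunk at old line 592, `+#endif /* USE_DANE_VERIFY */` followed immediately by `+#ifdef USE_DANE_VERIFY` closes and reopens the same guard with only a blank line between them; dropping both lines leaves the region from the `#ifdef USE_DANE_VERIFY` added at line 504 to the `#endif /* USE_DANE_VERIFY */` added at line 937 under a single guard with one less nesting level to keep straight. The `#ifndef USE_DANE_TA_USAGE` that the relabelled `#endif /* !defined(USE_DANE_TA_USAGE) */` closes opens outside this hunk, so it is worth confirming it begins after the new line-504 `#ifdef` rather than before it, otherwise the two guards interleave.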
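Review bot: `+#ifdef USE_DANE_VERIY` in print_usage() misspells the macro (every other hunk of this patch tests `USE_DANE_VERIFY`), so the preprocessor always takes the `#else` branch and the verify usage text is never printed, even in builds that have verify enabled; change it to `#ifdef USE_DANE_VERIFY`. Note that `-Wundef` will not catch this, because `#ifdef` only tests definedness, so a grep for the misspelling before merging is the cheap check.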
@@ -1398,6 +1406,7 @@ main(int argc, char* const* argv)
 argc--; argv++;
+#ifdef USE_DANE_VERIFY
 } else if (strncasecmp(*argv, "verify", strlen(*argv)) == 0) {
 mode = VERIFY;
@@ -1406,9 +1415,20 @@ main(int argc, char* const* argv)
 } else {
 fprintf(stderr, "Specify create or verify mode\n");
+#else
+ } else {
+ fprintf(stderr, "Specify create mode\n");
+#endif
 exit(EXIT_FAILURE);
 }
+#ifndef USE_DANE_VERIFY
+ (void)transport_str;
+ (void)transport_rdf;
+ (void)port_str;
+ (void)port_rdf;
+ (void)interact;
+#else
 if (mode == VERIFY && argc == 0) {
 if (! tlsas_file) {
@@ -1508,7 +1528,9 @@ main(int argc, char* const* argv)
 }
- } else if (argc < 2) {
+ } else
+#endif /* USE_DANE_VERIFY */
+ if (argc < 2) {
 print_usage("ldns-dane");
@@ -1689,6 +1711,7 @@ main(int argc, char* const* argv)
 cert, extra_certs, store,
 verify_server_name, name);
 break;
+#ifdef USE_DANE_VERIFY
 case VERIFY:
 if (! dane_verify(tlsas, NULL, cert, extra_certs, store,
 verify_server_name, name,
@@ -1696,6 +1719,7 @@ main(int argc, char* const* argv)
 success = false;
 }
 break;
+#endif
 default: break; /* suppress warning */
 }
 SSL_free(ssl);
@@ -1748,6 +1772,7 @@ main(int argc, char* const* argv)
 verify_server_name, name);
 break;
+#ifdef USE_DANE_VERIFY
 case VERIFY:
 if (! dane_verify(tlsas, address, cert, extra_certs, store,
 verify_server_name, name,
@@ -1758,6 +1783,7 @@ main(int argc, char* const* argv)
 ssl_interact(ssl);
 }
 break;
+#endif
 default: break; /* suppress warning */
 }
 while (SSL_shutdown(ssl) == 0);
-- 
2.47.3
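Review bot: The `#ifndef USE_DANE_VERIFY` block in the hunk at old line 1406 that casts transport_str, transport_rdf, port_str, port_rdf and interact to `(void)` implies that the option parsing which sets them (outside this hunk) still accepts the verify-only options in a create-only build and then silently ignores them, so a user of such a build gets no indication that those options have no effect. Rather than suppressing the unused-variable warnings, rejecting those options in the `#ifndef USE_DANE_VERIFY` branch with the same `fprintf(stderr, ...); exit(EXIT_FAILURE);` pattern the hunk already uses for the mode check, or at least stating in print_usage() that they are unavailable, would make the build variant honest to the caller. main() starts and ends outside these hunks, so the parsing code itself could not be checked here.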