Accept a certificate using DANE if there is at least one entry that matches the certi...
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 28 Apr 2014 09:10:07 +0000 (11:10 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 28 Apr 2014 09:15:47 +0000 (11:15 +0200)
This corrects the previous behavior that was rejecting the certificate if there
were multiple entries and one couldn't be validated. New flag DANE_VERIFY_UNKNOWN_DANE_INFO
is synonymous with DANE_VERIFY_NO_DANE_INFO. Patch by simon@arlott.org.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
libdane/dane.c
libdane/includes/gnutls/dane.h

index 79be0271d040d15ae90cbc0369a653859dcd9f68..f423e27327b110fcef7b356629bc7d2a384385d8 100644 (file)
@@ -649,6 +649,8 @@ dane_verify_crt_raw(dane_state_t s,
        *verify = 0;
        idx = 0;
        do {
+               unsigned int record_verify = 0;
+
                ret =
                    dane_query_data(r, idx++, &usage, &type, &match,
                                    &data);
@@ -665,23 +667,35 @@ dane_verify_crt_raw(dane_state_t s,
                        || usage == DANE_CERT_USAGE_CA)) {
                        ret =
                            verify_ca(chain, chain_size, chain_type, type,
-                                     match, &data, verify);
+                                     match, &data, &record_verify);
                        if (ret < 0) {
                                gnutls_assert();
                                goto cleanup;
                        }
                        checked = 1;
+                       if (record_verify == 0) {
+                               *verify = 0;
+                               break;
+                       } else {
+                               *verify |= record_verify;
+                       }
                } else if (!(vflags & DANE_VFLAG_ONLY_CHECK_CA_USAGE)
                           && (usage == DANE_CERT_USAGE_LOCAL_EE
                               || usage == DANE_CERT_USAGE_EE)) {
                        ret =
                            verify_ee(&chain[0], chain_type, type, match,
-                                     &data, verify);
+                                     &data, &record_verify);
                        if (ret < 0) {
                                gnutls_assert();
                                goto cleanup;
                        }
                        checked = 1;
+                       if (record_verify == 0) {
+                               *verify = 0;
+                               break;
+                       } else {
+                               *verify |= record_verify;
+                       }
                }
        }
        while (1);
@@ -689,6 +703,10 @@ dane_verify_crt_raw(dane_state_t s,
        if ((vflags & DANE_VFLAG_FAIL_IF_NOT_CHECKED) && checked == 0)
                ret =
                    gnutls_assert_val(DANE_E_REQUESTED_DATA_NOT_AVAILABLE);
+       else if (checked == 0)
+       {
+               *verify |= DANE_VERIFY_UNKNOWN_DANE_INFO;
+       }
        else
                ret = 0;
 
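Review bot: The new `else if (checked == 0)` branch in the last hunk leaves `ret` unassigned, whereas the `else` it displaces set `ret = 0`; if the record loop exits with `ret` still holding the status of the final dane_query_data() call (that exit path lies between the first two hunks, outside the view), a chain with no usable DANE records would now return that non-zero value even though the intent is to report success with DANE_VERIFY_UNKNOWN_DANE_INFO set in `*verify`. Adding `ret = 0;` next to `*verify |= DANE_VERIFY_UNKNOWN_DANE_INFO;` restores the previous return contract and keeps callers from treating "no known records" as a hard failure. The opening brace of that branch also sits on its own line, unlike the K&R placement used by every other control statement in this function. The `if (record_verify == 0) { *verify = 0; break; } else { *verify |= record_verify; }` block is repeated verbatim after both verify_ca() and verify_ee() in the second hunk; it could follow the usage if/else chain once, guarded by `checked`. dane_verify_crt_raw() begins before and ends after these hunks.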
index 9fd807793ee23bb804cfa2e3ffbd5ea0ac28a1aa..98e4a96faaae40436a4896e3b277663cdd04d90f 100644 (file)
@@ -140,19 +140,20 @@ typedef enum dane_verify_flags_t {
 
 /**
  * dane_verify_status_t:
- * @DANE_VERIFY_CA_CONSTRAINTS_VIOLATED: The CA constrains was violated.
+ * @DANE_VERIFY_CA_CONSTRAINTS_VIOLATED: The CA constraints were violated.
  * @DANE_VERIFY_CERT_DIFFERS: The certificate obtained via DNS differs.
- * @DANE_VERIFY_NO_DANE_INFO: No DANE data were found in the DNS record.
+ * @DANE_VERIFY_UNKNOWN_DANE_INFO: No known DANE data was found in the DNS record.
  *
  * Enumeration of different verification status flags.
  */
 typedef enum dane_verify_status_t {
        DANE_VERIFY_CA_CONSTRAINTS_VIOLATED = 1,
        DANE_VERIFY_CERT_DIFFERS = 1 << 1,
-       DANE_VERIFY_NO_DANE_INFO = 1 << 2,
+       DANE_VERIFY_UNKNOWN_DANE_INFO = 1 << 2,
 } dane_verify_status_t;
 
 #define DANE_VERIFY_CA_CONSTRAINS_VIOLATED DANE_VERIFY_CA_CONSTRAINTS_VIOLATED
+#define DANE_VERIFY_NO_DANE_INFO DANE_VERIFY_UNKNOWN_DANE_INFO
 
 int
 dane_verification_status_print(unsigned int status,
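Review bot: The compatibility alias `#define DANE_VERIFY_NO_DANE_INFO DANE_VERIFY_UNKNOWN_DANE_INFO` is added without any comment, and the gtk-doc block above the enum now mentions only the new name, so the old identifier disappears from generated documentation without a pointer to its replacement. A one-line comment such as `/* Deprecated alias for DANE_VERIFY_UNKNOWN_DANE_INFO, kept for source compatibility. */` above the define would make its status explicit. The reworded doc line "No known DANE data was found in the DNS record" is slightly ambiguous; given the dane.c change sets this bit whenever no record was passed to verify_ca() or verify_ee(), wording like "No DANE record with a supported certificate usage was found" would describe the semantics more precisely. The dane_verification_status_print() declaration at the end of the hunk presumably has a matching message for this bit in dane.c; worth confirming it was updated for the rename.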