*verify = 0;
idx = 0;
do {
+ unsigned int record_verify = 0;
+
ret =
dane_query_data(r, idx++, &usage, &type, &match,
&data);
|| usage == DANE_CERT_USAGE_CA)) {
ret =
verify_ca(chain, chain_size, chain_type, type,
- match, &data, verify);
+ match, &data, &record_verify);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
checked = 1;
+ if (record_verify == 0) {
+ *verify = 0;
+ break;
+ } else {
+ *verify |= record_verify;
+ }
} else if (!(vflags & DANE_VFLAG_ONLY_CHECK_CA_USAGE)
&& (usage == DANE_CERT_USAGE_LOCAL_EE
|| usage == DANE_CERT_USAGE_EE)) {
ret =
verify_ee(&chain[0], chain_type, type, match,
- &data, verify);
+ &data, &record_verify);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
checked = 1;
+ if (record_verify == 0) {
+ *verify = 0;
+ break;
+ } else {
+ *verify |= record_verify;
+ }
}
}
while (1);
if ((vflags & DANE_VFLAG_FAIL_IF_NOT_CHECKED) && checked == 0)
ret =
gnutls_assert_val(DANE_E_REQUESTED_DATA_NOT_AVAILABLE);
+ else if (checked == 0)
+ {
+ *verify |= DANE_VERIFY_UNKNOWN_DANE_INFO;
+ }
else
ret = 0;
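Review bot: The new `else if (checked == 0)` branch sets DANE_VERIFY_UNKNOWN_DANE_INFO but never assigns `ret`, so when no record matched the usage filter the function returns whatever `dane_query_data()` left in `ret` when the loop ran out of records; unless the loop's exit path (not in this hunk) already resets it, a caller gets a negative status together with a verify flag that was meant to be the sole signal. Making the outcome explicit avoids relying on that, e.g. `else if (checked == 0) { *verify |= DANE_VERIFY_UNKNOWN_DANE_INFO; ret = 0; }`. Note also that the `break` on `record_verify == 0` discards any failure bits accumulated from earlier records, which is correct for "any matching TLSA record suffices" but deserves a one-line comment at the first `break` such as `/* one record validated the chain; earlier mismatches are irrelevant */`, since the same pattern is duplicated in the EE branch. The surrounding function starts before this hunk and its cleanup label follows it.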
/**
* dane_verify_status_t:
- * @DANE_VERIFY_CA_CONSTRAINTS_VIOLATED: The CA constrains was violated.
+ * @DANE_VERIFY_CA_CONSTRAINTS_VIOLATED: The CA constraints were violated.
* @DANE_VERIFY_CERT_DIFFERS: The certificate obtained via DNS differs.
- * @DANE_VERIFY_NO_DANE_INFO: No DANE data were found in the DNS record.
+ * @DANE_VERIFY_UNKNOWN_DANE_INFO: No known DANE data was found in the DNS record.
*
* Enumeration of different verification status flags.
*/
typedef enum dane_verify_status_t {
DANE_VERIFY_CA_CONSTRAINTS_VIOLATED = 1,
DANE_VERIFY_CERT_DIFFERS = 1 << 1,
- DANE_VERIFY_NO_DANE_INFO = 1 << 2,
+ DANE_VERIFY_UNKNOWN_DANE_INFO = 1 << 2,
} dane_verify_status_t;
#define DANE_VERIFY_CA_CONSTRAINS_VIOLATED DANE_VERIFY_CA_CONSTRAINTS_VIOLATED
+#define DANE_VERIFY_NO_DANE_INFO DANE_VERIFY_UNKNOWN_DANE_INFO
int
dane_verification_status_print(unsigned int status,