author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-04-26 14:34:26 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-04-26 15:09:21 +0200 |
commit | 31efe96b876eb4f1b4c6a61fa8192e9f9b23334e (patch) | |
tree | aac4df417a9110b7773aa06f90fecfd7f6898fc2 | |
parent | 1dda7cfe6ad83590f39ee9119b32e014239662ca (diff) | |
download | gnutls-31efe96b876eb4f1b4c6a61fa8192e9f9b23334e.tar.gz |
dane: verification will not fail if a CA entry is encountered but cannot be verified
That addresses the issue of verifying a single certificate against a list
of TLSA entries that contain an entry with CA usage (cert usage 0). With
the previous behavior, verification would have failed; now this
entry is skipped.
-rw-r--r-- | libdane/dane.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index c46d5e3b8f..3b5ed66eff 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -572,8 +572,8 @@ verify_ca(const gnutls_datum_t * raw_crt, unsigned raw_crt_size,
 	gnutls_x509_crt_t crt = NULL, ca = NULL;
 	unsigned is_ok = 0;
 
-	if (raw_crt_size < 2)
-		return gnutls_assert_val(DANE_E_INVALID_REQUEST);
+	if (raw_crt_size < 2) /* we cannot verify the CA */
+		return gnutls_assert_val(DANE_E_UNKNOWN_DANE_DATA);
 
 	if (ctype == DANE_CERT_X509 && crt_type == GNUTLS_CRT_X509) {
 		is_ok = 0;
@@ -918,7 +918,9 @@ dane_verify_crt(dane_state_t s,
  *
  * Returns: a negative error code on error and %DANE_E_SUCCESS (0)
  * when the DANE entries were successfully parsed, irrespective of
- * whether they were verified (see @verify for that information).
+ * whether they were verified (see @verify for that information). If
+ * no usable entries were encountered %DANE_E_REQUESTED_DATA_NOT_AVAILABLE
+ * will be returned.
  *
  **/
 int |
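Review bot: The error-code swap at the `raw_crt_size < 2` check in verify_ca is what makes the caller skip a CA-usage entry, but the added comment `/* we cannot verify the CA */` does not say that the returned code is load-bearing, so a later maintainer could "fix" it back without noticing. Suggest `/* a CA-usage (0) entry needs the issuer in the chain; with a single certificate it cannot be checked, so report the entry as unusable data rather than as an invalid request so the caller skips it instead of failing */`. The verify_ca body continues outside the hunk and the caller's handling of DANE_E_UNKNOWN_DANE_DATA is not part of this diff, so whether a skipped entry is in fact distinguished from a real failure cannot be confirmed from these lines. Any external caller that matched DANE_E_INVALID_REQUEST for a short chain now sees a different code, which is worth a line in the commit message.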
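Review bot: The sentence added to the Returns: block of dane_verify_crt needs a comma after "encountered", and it leaves open what @verify holds in the no-usable-entries case, which matters because the preceding sentence tells callers to read @verify for the verification outcome. Suggest `If no usable entries were encountered, %DANE_E_REQUESTED_DATA_NOT_AVAILABLE is returned and @verify should not be relied upon.`, if that matches the implementation; the function body is outside this hunk, so confirm the wording against the code that produces that return value.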