authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-04-26 14:34:26 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-04-26 14:34:29 +0200
commit157617ddca402e3a94b356d14e879c996528c4b6 (patch)
tree828d87bcaa0462e67ea2b38173f3f3887032df35
parent04909a2093cb61d6f4df3efbdf5daf6c404e0b45 (diff)
dane: verification will not fail if a CA entry is encountered but cannot be verified
This addresses the case of verifying a single certificate against a list of TLSA entries that contains an entry with CA usage (certificate usage 0). Previously verification failed outright in that case; now such an entry is skipped and the remaining entries are still checked.
-rw-r--r--libdane/dane.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index 64682b2983..79e83104d7 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -574,8 +574,8 @@ verify_ca(const gnutls_datum_t * raw_crt, unsigned raw_crt_size,
gnutls_x509_crt_t crt = NULL, ca = NULL;
unsigned is_ok = 0;
- if (raw_crt_size < 2)
- return gnutls_assert_val(DANE_E_INVALID_REQUEST);
+ if (raw_crt_size < 2) /* we cannot verify the CA */
+ return gnutls_assert_val(DANE_E_UNKNOWN_DANE_DATA);
if (ctype == DANE_CERT_X509 && crt_type == GNUTLS_CRT_X509) {
is_ok = 0;
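Review bot: The new `return gnutls_assert_val(DANE_E_UNKNOWN_DANE_DATA);` reuses a code that by its name describes malformed TLSA data to mean "the supplied chain is too short to check a CA-usage entry", and according to the commit message the caller now relies on that code to skip the entry rather than fail; nothing at the return site records that contract, so a later change that returns DANE_E_UNKNOWN_DANE_DATA for a genuinely bad record would be skipped silently as well. I would widen the one-word comment so the dependency is visible: `/* a single certificate cannot satisfy a CA-usage entry; the caller treats DANE_E_UNKNOWN_DANE_DATA as "skip this entry", not as a hard failure */`. verify_ca begins before this hunk and its body continues after it, so its header comment (if it has one) should state the same return semantics.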
@@ -920,7 +920,9 @@ dane_verify_crt(dane_state_t s,
*
* Returns: a negative error code on error and %DANE_E_SUCCESS (0)
* when the DANE entries were successfully parsed, irrespective of
- * whether they were verified (see @verify for that information).
+ * whether they were verified (see @verify for that information). If
+ * no usable entries were encountered %DANE_E_REQUESTED_DATA_NOT_AVAILABLE
+ * will be returned.
*
**/
int
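Review bot: The added sentence `If no usable entries were encountered %DANE_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.` does not define "usable" or say how a caller should react, and an application that maps that code to "no TLSA data, fall back to plain PKIX" would silently drop the DANE check in exactly the case the commit message describes: every record carries CA usage and only the end-entity certificate was supplied. I would spell it out: `If every entry was skipped (e.g. CA-usage entries checked against a single end-entity certificate), %DANE_E_REQUESTED_DATA_NOT_AVAILABLE is returned; callers must treat this as a failed verification, not as the absence of TLSA records.` It would also help to say whether @verify is written before that error return, which I cannot tell from this hunk. The body of dane_verify_crt begins after this hunk.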