authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-04-28 11:22:00 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-04-28 11:22:58 +0200
commit621a874c689e86f3b3fe8657b068f989827a072c (patch)
tree138d10b8c665564e54eb472afd73d5da2e421ea4
parent55e1d42ddb1db300008507d332343d2008fdbb1c (diff)
downloadgnutls-621a874c689e86f3b3fe8657b068f989827a072c.tar.gz
Accept a certificate using DANE if there is at least one entry that matches the certificate.
This corrects the previous behavior, which rejected the certificate when there were multiple entries and any one of them could not be validated. Patch by simon@arlott.org. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--libdane/dane.c30
1 files changed, 28 insertions, 2 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index 453316a08e..81da1e92d9 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -693,6 +693,8 @@ dane_verify_crt_raw (dane_state_t s,
idx = 0;
do
{
+ unsigned int record_verify = 0;
+
ret = dane_query_data (r, idx++, &usage, &type, &match, &data);
if (ret == DANE_E_REQUESTED_DATA_NOT_AVAILABLE)
break;
@@ -709,31 +711,55 @@ dane_verify_crt_raw (dane_state_t s,
{
ret =
verify_ca (chain, chain_size, chain_type, type, match, &data,
- verify);
+ &record_verify);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
checked = 1;
+
+ if (record_verify == 0)
+ {
+ *verify = 0;
+ break;
+ }
+ else
+ {
+ *verify |= record_verify;
+ }
}
else if (!(vflags & DANE_VFLAG_ONLY_CHECK_CA_USAGE)
&& (usage == DANE_CERT_USAGE_LOCAL_EE
|| usage == DANE_CERT_USAGE_EE))
{
- ret = verify_ee (&chain[0], chain_type, type, match, &data, verify);
+ ret = verify_ee (&chain[0], chain_type, type, match, &data, &record_verify);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
checked = 1;
+
+ if (record_verify == 0)
+ {
+ *verify = 0;
+ break;
+ }
+ else
+ {
+ *verify |= record_verify;
+ }
}
}
while (1);
if ((vflags & DANE_VFLAG_FAIL_IF_NOT_CHECKED) && checked == 0)
ret = gnutls_assert_val (DANE_E_REQUESTED_DATA_NOT_AVAILABLE);
+ else if (checked == 0)
+ {
+ *verify |= DANE_VERIFY_NO_DANE_INFO;
+ }
else
ret = 0;
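Review bot: The new `else if (checked == 0)` branch at the end of this hunk sets DANE_VERIFY_NO_DANE_INFO but never assigns `ret`, so when no record was checked and DANE_VFLAG_FAIL_IF_NOT_CHECKED is not set the function keeps whatever the loop left in `ret`; from the first hunk that is the DANE_E_REQUESTED_DATA_NOT_AVAILABLE that terminated the loop, so the caller would get an error return instead of success with the no-DANE-info flag, unless code after the hunk resets it, which is not visible here. Before this change that case fell into the `else ret = 0;` arm, so this looks like an unintended regression; adding `ret = 0;` directly after `*verify |= DANE_VERIFY_NO_DANE_INFO;` restores the old return value while keeping the new flag. The `*verify |= record_verify;` accumulation also presumes `*verify` was zeroed before the loop, which lies outside both hunks and should be confirmed. dane_verify_crt_raw starts before the first hunk and continues past this one.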