author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-04-28 11:22:00 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-04-28 11:22:58 +0200 |
commit | 621a874c689e86f3b3fe8657b068f989827a072c (patch) | |
tree | 138d10b8c665564e54eb472afd73d5da2e421ea4 | |
parent | 55e1d42ddb1db300008507d332343d2008fdbb1c (diff) | |
download | gnutls-621a874c689e86f3b3fe8657b068f989827a072c.tar.gz |
Accept a certificate using DANE if there is at least one entry that matches the certificate.
This corrects the previous behavior that was rejecting the certificate if there
were multiple entries and one couldn't be validated.
Patch by simon@arlott.org.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | libdane/dane.c | 30 |
1 files changed, 28 insertions, 2 deletions
diff --git a/libdane/dane.c b/libdane/dane.c index 453316a08e..81da1e92d9 100644 --- a/libdane/dane.c +++ b/libdane/dane.c @@ -693,6 +693,8 @@ dane_verify_crt_raw (dane_state_t s, idx = 0; do { + unsigned int record_verify = 0; + ret = dane_query_data (r, idx++, &usage, &type, &match, &data); if (ret == DANE_E_REQUESTED_DATA_NOT_AVAILABLE) break; @@ -709,31 +711,55 @@ dane_verify_crt_raw (dane_state_t s, { ret = verify_ca (chain, chain_size, chain_type, type, match, &data, - verify); + &record_verify); if (ret < 0) { gnutls_assert (); goto cleanup; } checked = 1; + + if (record_verify == 0) + { + *verify = 0; + break; + } + else + { + *verify |= record_verify; + } } else if (!(vflags & DANE_VFLAG_ONLY_CHECK_CA_USAGE) && (usage == DANE_CERT_USAGE_LOCAL_EE || usage == DANE_CERT_USAGE_EE)) { - ret = verify_ee (&chain[0], chain_type, type, match, &data, verify); + ret = verify_ee (&chain[0], chain_type, type, match, &data, &record_verify); if (ret < 0) { gnutls_assert (); goto cleanup; } checked = 1; + + if (record_verify == 0) + { + *verify = 0; + break; + } + else + { + *verify |= record_verify; + } } } while (1); if ((vflags & DANE_VFLAG_FAIL_IF_NOT_CHECKED) && checked == 0) ret = gnutls_assert_val (DANE_E_REQUESTED_DATA_NOT_AVAILABLE); + else if (checked == 0) + { + *verify |= DANE_VERIFY_NO_DANE_INFO; + } else ret = 0; |
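Review bot: In the new `else if (checked == 0)` branch at the tail of the second hunk, `*verify |= DANE_VERIFY_NO_DANE_INFO;` is set but `ret` is no longer assigned, so when no record of a checked usage was seen the function leaves the if-chain with `ret` still holding the `DANE_E_REQUESTED_DATA_NOT_AVAILABLE` that ended the `do`/`while` via `dane_query_data`, even though `DANE_VFLAG_FAIL_IF_NOT_CHECKED` is not set — unless `ret` is reset further down, which is outside the hunk. Before this change the trailing `else ret = 0;` covered that case; a caller that treats a negative return as a hard error now rejects every certificate for a name with no usable DANE records, while a caller that only inspects `*verify` sees a contradictory "no DANE info" status next to an error code. Suggest `*verify |= DANE_VERIFY_NO_DANE_INFO; ret = 0;` in that branch, or hoisting `ret = 0;` ahead of the if-chain so only the fail-if-not-checked path overrides it. The accept-on-first-match logic (`*verify = 0; break;`) is the right reading of "any matching TLSA record suffices", but the `*verify |= record_verify` accumulation only means something if `*verify` was zeroed before the loop, which this hunk does not show and is worth confirming. `dane_verify_crt_raw` begins before and continues past both hunks.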