authorWillem Toorop <willem@nlnetlabs.nl>2016-11-08 14:53:24 +0100
committerWillem Toorop <willem@nlnetlabs.nl>2016-11-08 14:53:24 +0100
commit500803ae4d9baaaa54ddbce70e2d5ef89e6e3e18 (patch)
tree3b1de5a393ea993f2dfbdfd1473fe9ea5185318b
parent8dfce305a6329adac6730dea0287b3c91781e0a2 (diff)
A --disable-dane-verify option for configuredevel/openssl-1.1-dane
-rw-r--r--configure.ac31
-rw-r--r--dane.c6
-rw-r--r--examples/ldns-dane.c28
3 files changed, 53 insertions, 12 deletions
diff --git a/configure.ac b/configure.ac
index 05f576f5..53873126 100644
--- a/configure.ac
+++ b/configure.ac
@@ -410,10 +410,12 @@ case "$enable_ed448" in
esac
AC_ARG_ENABLE(dane, AC_HELP_STRING([--disable-dane], [Disable DANE support]))
+AC_ARG_ENABLE(dane-verify, AC_HELP_STRING([--disable-dane-verify], [Disable DANE verify support]))
AC_ARG_ENABLE(dane-ta-usage, AC_HELP_STRING([--disable-dane-ta-usage], [Disable DANE-TA usage type support]))
case "$enable_dane" in
no)
AC_SUBST(ldns_build_config_use_dane, 0)
+ AC_SUBST(ldns_build_config_use_dane_verify, 0)
AC_SUBST(ldns_build_config_use_dane_ta_usage, 0)
;;
*) dnl default
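Review bot: The help text for the new `--disable-dane-verify` option does not say that it also switches off DANE-TA usage type support, which is what the nesting introduced in the next hunk makes it do. Suggest `AC_ARG_ENABLE(dane-verify, AC_HELP_STRING([--disable-dane-verify], [Disable DANE verify support (implies --disable-dane-ta-usage)]))` so the dependency is visible in `configure --help`. The `no)` branch of `enable_dane` is complete here; its default branch continues in the next hunk.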
@@ -421,19 +423,28 @@ case "$enable_dane" in
AC_MSG_ERROR([DANE enabled, but no SSL support])
fi
AC_CHECK_FUNC(X509_check_ca, [], [AC_MSG_ERROR([OpenSSL does not support DANE: please upgrade OpenSSL or rerun with --disable-dane])])
- AC_DEFINE_UNQUOTED([USE_DANE], [1], [Define this to enable DANE support.])
AC_SUBST(ldns_build_config_use_dane, 1)
- case "$enable_dane_ta_usage" in
+ AC_DEFINE_UNQUOTED([USE_DANE], [1], [Define this to enable DANE support.])
+ case "$enable_dane_verify" in
no)
+ AC_SUBST(ldns_build_config_use_dane_verify, 0)
AC_SUBST(ldns_build_config_use_dane_ta_usage, 0)
- ;;
- *) dnl default
- LIBS="$LIBS -lssl"
- AC_CHECK_FUNC(SSL_get0_dane, [], [AC_MSG_ERROR([OpenSSL does not support offline DANE verification (Needed for the DANE-TA usage type). Please upgrade OpenSSL to version >= 1.1.0 or rerun with --disable-dane-ta-usage])])
- LIBSSL_LIBS="$LIBSSL_LIBS -lssl"
- AC_DEFINE_UNQUOTED([USE_DANE_TA_USAGE], [1], [Define this to enable DANE-TA usage type support.])
- AC_SUBST(ldns_build_config_use_dane_ta_usage, 1)
- ;;
+ ;;
+ *)
+ AC_SUBST(ldns_build_config_use_dane_verify, 1)
+ AC_DEFINE_UNQUOTED([USE_DANE_VERIFY], [1], [Define this to enable DANE verify support.])
+ case "$enable_dane_ta_usage" in
+ no)
+ AC_SUBST(ldns_build_config_use_dane_ta_usage, 0)
+ ;;
+ *) dnl default
+ LIBS="$LIBS -lssl"
+ AC_CHECK_FUNC(SSL_get0_dane, [], [AC_MSG_ERROR([OpenSSL does not support offline DANE verification (Needed for the DANE-TA usage type). Please upgrade OpenSSL to version >= 1.1.0 or rerun with --disable-dane-verify or --disable-dane-ta-usage])])
+ LIBSSL_LIBS="$LIBSSL_LIBS -lssl"
+ AC_SUBST(ldns_build_config_use_dane_ta_usage, 1)
+ AC_DEFINE_UNQUOTED([USE_DANE_TA_USAGE], [1], [Define this to enable DANE-TA usage type support.])
+ ;;
+ esac
esac
;;
esac
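Review bot: An explicit `--enable-dane-ta-usage` given together with `--disable-dane-verify` is silently dropped, because the `enable_dane_ta_usage` case is only evaluated inside the `*)` branch of the new `enable_dane_verify` case. A one-line `AC_MSG_WARN([--disable-dane-verify also disables DANE-TA usage type support])` in its `no)` branch would surface that in the configure output. Separately, the new `*)` arm of the dane-verify case lacks the `dnl default` marker that both sibling default arms carry; `*) dnl default` keeps the style consistent. Moving `AC_DEFINE_UNQUOTED([USE_DANE], ...)` after its `AC_SUBST` looks like a pure reorder with no functional effect.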
diff --git a/dane.c b/dane.c
index f9b5c661..30dc1f70 100644
--- a/dane.c
+++ b/dane.c
@@ -504,6 +504,7 @@ memerror:
}
+#ifdef USE_DANE_VERIFY
/* Return tlsas that actually are TLSA resource records with known values
* for the Certificate usage, Selector and Matching type rdata fields.
*/
@@ -592,8 +593,10 @@ ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
}
return s;
}
-#endif
+#endif /* !defined(USE_DANE_TA_USAGE) */
+#endif /* USE_DANE_VERIFY */
+#ifdef USE_DANE_VERIFY
ldns_status
ldns_dane_verify_rr(const ldns_rr* tlsa_rr,
X509* cert, STACK_OF(X509)* extra_certs,
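Review bot: The new `#endif /* USE_DANE_VERIFY */` is immediately followed by `#ifdef USE_DANE_VERIFY`, so the conditional is closed and reopened with nothing between them; unless the two regions are meant to diverge later, dropping both lines and letting the region opened in the first hunk run through to the `#endif` added in the last hunk is simpler. The trailing comment `/* !defined(USE_DANE_TA_USAGE) */` names a conditional whose opening is outside this hunk; if that `#ifndef` was opened before the `#ifdef USE_DANE_VERIFY` inserted in the first hunk, the two regions cross and each comment then labels the wrong `#endif`, which is worth checking against the full file. `ldns_dane_verify_rr` continues outside the hunk.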
@@ -933,5 +936,6 @@ ldns_dane_verify(const ldns_rr_list* tlsas,
ldns_rr_list_free(usable_tlsas);
return s;
}
+#endif /* USE_DANE_VERIFY */
#endif /* HAVE_SSL */
#endif /* USE_DANE */
diff --git a/examples/ldns-dane.c b/examples/ldns-dane.c
index 7997e15f..8bffb530 100644
--- a/examples/ldns-dane.c
+++ b/examples/ldns-dane.c
@@ -61,12 +61,16 @@
static void
print_usage(const char* progname)
{
+#ifdef USE_DANE_VERIY
printf("Usage: %s [OPTIONS] verify <name> <port>\n", progname);
printf(" or: %s [OPTIONS] -t <tlsafile> verify\n", progname);
printf("\n\tVerify the TLS connection at <name>:<port> or"
"\n\tuse TLSA record(s) from <tlsafile> to verify the\n"
"\tTLS service they reference.\n");
printf("\n or: %s [OPTIONS] create <name> <port> [<usage> "
+#else
+ printf("Usage: %s [OPTIONS] create <name> <port> [<usage> "
+#endif
"[<selector> [<type>]]]\n", progname);
printf("\n\tUse the TLS connection(s) to <name> <port> "
"to create the TLSA\n\t"
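Review bot: The new `#ifdef USE_DANE_VERIY` is misspelled, so the verify usage text is never compiled in and every build, including ones with DANE verify enabled, prints only the `create` form of the usage line. It should read `#ifdef USE_DANE_VERIFY`, the macro defined by the configure.ac hunk and used by every other conditional in this file. Because the `#else` branch is always taken, the typo compiles cleanly and would only show up by reading the usage output. `print_usage` continues outside the hunk.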
@@ -322,6 +326,7 @@ ssl_connect_and_get_cert_chain(
}
+#ifdef USE_DANE_VERIFY
static void
ssl_interact(SSL* ssl)
{
@@ -408,6 +413,7 @@ ssl_interact(SSL* ssl)
} /* for (;;) */
}
+#endif /* USE_DANE_VERIFY */
static ldns_rr_list*
@@ -1089,6 +1095,7 @@ dane_create(ldns_rr_list* tlsas, ldns_rdf* tlsa_owner,
}
}
+#ifdef USE_DANE_VERIFY
static bool
dane_verify(ldns_rr_list* tlsas, ldns_rdf* address,
X509* cert, STACK_OF(X509)* extra_certs,
@@ -1129,6 +1136,7 @@ dane_verify(ldns_rr_list* tlsas, ldns_rdf* address,
ldns_get_errorstr_by_id(s));
return false;
}
+#endif /* USE_DANE_VERIFY */
/**
* Return either an A or AAAA rdf, based on the given
@@ -1398,6 +1406,7 @@ main(int argc, char* const* argv)
argc--;
argv++;
+#ifdef USE_DANE_VERIFY
} else if (strncasecmp(*argv, "verify", strlen(*argv)) == 0) {
mode = VERIFY;
@@ -1406,9 +1415,20 @@ main(int argc, char* const* argv)
} else {
fprintf(stderr, "Specify create or verify mode\n");
+#else
+ } else {
+ fprintf(stderr, "Specify create mode\n");
+#endif
exit(EXIT_FAILURE);
}
+#ifndef USE_DANE_VERIFY
+ (void)transport_str;
+ (void)transport_rdf;
+ (void)port_str;
+ (void)port_rdf;
+ (void)interact;
+#else
if (mode == VERIFY && argc == 0) {
if (! tlsas_file) {
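Review bot: In a build without verify support, a user who types `verify` is told `Specify create mode`, which gives no hint that the mode exists but was compiled out. A message such as `fprintf(stderr, "Specify create mode (verify support disabled at build time)\n");` makes the failure self-explaining. The `(void)` casts presumably silence unused-variable warnings for the verify-only options; if the option parser (outside this hunk) still accepts those options, they are now silently ignored rather than rejected, which would be worth stating in the usage text. `main` continues outside the hunk.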
@@ -1508,7 +1528,9 @@ main(int argc, char* const* argv)
}
- } else if (argc < 2) {
+ } else
+#endif /* USE_DANE_VERIFY */
+ if (argc < 2) {
print_usage("ldns-dane");
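Review bot: Separating `} else` from its `if (argc < 2) {` with an `#endif` compiles in both configurations but is easy to misread as a dangling `else`. A short comment on that line, e.g. `} else /* both builds continue with the argc check below */`, would make the intent clear to the next reader. The if-chain this closes starts outside the hunk and `main` continues beyond it.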
@@ -1689,6 +1711,7 @@ main(int argc, char* const* argv)
cert, extra_certs, store,
verify_server_name, name);
break;
+#ifdef USE_DANE_VERIFY
case VERIFY: if (! dane_verify(tlsas, NULL,
cert, extra_certs, store,
verify_server_name, name,
@@ -1696,6 +1719,7 @@ main(int argc, char* const* argv)
success = false;
}
break;
+#endif
default: break; /* suppress warning */
}
SSL_free(ssl);
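Review bot: The bare `#endif` closing the `case VERIFY:` arm lacks the `/* USE_DANE_VERIFY */` trailer that the other `#endif`s added in this file carry (after `ssl_interact`, after `dane_verify`, and before `if (argc < 2)`); the same applies to the `#endif` after the second `case VERIFY:` arm in the last hunk. `#endif /* USE_DANE_VERIFY */` on both keeps them consistent and greppable. `main` continues outside the hunk.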
@@ -1748,6 +1772,7 @@ main(int argc, char* const* argv)
verify_server_name, name);
break;
+#ifdef USE_DANE_VERIFY
case VERIFY: if (! dane_verify(tlsas, address,
cert, extra_certs, store,
verify_server_name, name,
@@ -1758,6 +1783,7 @@ main(int argc, char* const* argv)
ssl_interact(ssl);
}
break;
+#endif
default: break; /* suppress warning */
}
while (SSL_shutdown(ssl) == 0);