getdns_dane_verify in the tests_dane example

Willem Toorop 2014-04-15 23:39:52 +02:00
parent 804a64aada
commit 0d37d3d380
4 changed files with 546 additions and 161 deletions

284
configure vendored

@ -1,11 +1,13 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for getdns 0.1.1.
# Generated by GNU Autoconf 2.68 for getdns 0.1.1.
#
# Report bugs to <stub-resolver@verisignlabs.com>.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
# Foundation, Inc.
#
#
# This configure script is free software; the Free Software Foundation
@ -134,31 +136,6 @@ export LANGUAGE
# CDPATH.
(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
# Use a proper internal environment variable to ensure we don't fall
# into an infinite loop, continuously re-executing ourselves.
if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then
_as_can_reexec=no; export _as_can_reexec;
# We cannot yet assume a decent shell, so we have to provide a
# neutralization value for shells without unset; and this also
# works around shells that cannot unset nonexistent variables.
# Preserve -v and -x to the replacement shell.
BASH_ENV=/dev/null
ENV=/dev/null
(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
case $- in # ((((
*v*x* | *x*v* ) as_opts=-vx ;;
*v* ) as_opts=-v ;;
*x* ) as_opts=-x ;;
* ) as_opts= ;;
esac
exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
# Admittedly, this is quite paranoid, since all the known shells bail
# out after a failed `exec'.
$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
as_fn_exit 255
fi
# We don't want this to propagate to other subprocesses.
{ _as_can_reexec=; unset _as_can_reexec;}
if test "x$CONFIG_SHELL" = x; then
as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
emulate sh
@ -192,8 +169,7 @@ if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :
else
exitcode=1; echo positional parameters were not saved.
fi
test x\$exitcode = x0 || exit 1
test -x / || exit 1"
test x\$exitcode = x0 || exit 1"
as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
@ -246,25 +222,21 @@ IFS=$as_save_IFS
if test "x$CONFIG_SHELL" != x; then :
export CONFIG_SHELL
# We cannot yet assume a decent shell, so we have to provide a
# neutralization value for shells without unset; and this also
# works around shells that cannot unset nonexistent variables.
# Preserve -v and -x to the replacement shell.
BASH_ENV=/dev/null
ENV=/dev/null
(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
case $- in # ((((
*v*x* | *x*v* ) as_opts=-vx ;;
*v* ) as_opts=-v ;;
*x* ) as_opts=-x ;;
* ) as_opts= ;;
esac
exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
# Admittedly, this is quite paranoid, since all the known shells bail
# out after a failed `exec'.
$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
exit 255
# We cannot yet assume a decent shell, so we have to provide a
# neutralization value for shells without unset; and this also
# works around shells that cannot unset nonexistent variables.
# Preserve -v and -x to the replacement shell.
BASH_ENV=/dev/null
ENV=/dev/null
(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
export CONFIG_SHELL
case $- in # ((((
*v*x* | *x*v* ) as_opts=-vx ;;
*v* ) as_opts=-v ;;
*x* ) as_opts=-x ;;
* ) as_opts= ;;
esac
exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"}
fi
if test x$as_have_required = xno; then :
@ -367,14 +339,6 @@ $as_echo X"$as_dir" |
} # as_fn_mkdir_p
# as_fn_executable_p FILE
# -----------------------
# Test if FILE is an executable regular file.
as_fn_executable_p ()
{
test -f "$1" && test -x "$1"
} # as_fn_executable_p
# as_fn_append VAR VALUE
# ----------------------
# Append the text in VALUE to the end of the definition contained in VAR. Take
@ -496,10 +460,6 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits
chmod +x "$as_me.lineno" ||
{ $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
# If we had to re-execute with $CONFIG_SHELL, we're ensured to have
# already done that, so ensure we don't try to do so again and fall
# in an infinite loop. This has already happened in practice.
_as_can_reexec=no; export _as_can_reexec
# Don't try to exec as it changes $[0], causing all sort of problems
# (the dirname of $[0] is not the place where we might find the
# original and so on. Autoconf is especially sensitive to this).
@ -534,16 +494,16 @@ if (echo >conf$$.file) 2>/dev/null; then
# ... but there are two gotchas:
# 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
# 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
# In both cases, we have to default to `cp -pR'.
# In both cases, we have to default to `cp -p'.
ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
as_ln_s='cp -pR'
as_ln_s='cp -p'
elif ln conf$$.file conf$$ 2>/dev/null; then
as_ln_s=ln
else
as_ln_s='cp -pR'
as_ln_s='cp -p'
fi
else
as_ln_s='cp -pR'
as_ln_s='cp -p'
fi
rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
rmdir conf$$.dir 2>/dev/null
@ -555,8 +515,28 @@ else
as_mkdir_p=false
fi
as_test_x='test -x'
as_executable_p=as_fn_executable_p
if test -x / >/dev/null 2>&1; then
as_test_x='test -x'
else
if ls -dL / >/dev/null 2>&1; then
as_ls_L_option=L
else
as_ls_L_option=
fi
as_test_x='
eval sh -c '\''
if test -d "$1"; then
test -d "$1/.";
else
case $1 in #(
-*)set "./$1";;
esac;
case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
???[sx]*):;;*)false;;esac;fi
'\'' sh
'
fi
as_executable_p=$as_test_x
# Sed expression to map a string onto a valid CPP name.
as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@ -1216,6 +1196,8 @@ target=$target_alias
if test "x$host_alias" != x; then
if test "x$build_alias" = x; then
cross_compiling=maybe
$as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
If a cross compiler is detected then cross compile mode will be used" >&2
elif test "x$build_alias" != "x$host_alias"; then
cross_compiling=yes
fi
@ -1478,9 +1460,9 @@ test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
getdns configure 0.1.1
generated by GNU Autoconf 2.69
generated by GNU Autoconf 2.68
Copyright (C) 2012 Free Software Foundation, Inc.
Copyright (C) 2010 Free Software Foundation, Inc.
This configure script is free software; the Free Software Foundation
gives unlimited permission to copy, distribute and modify it.
_ACEOF
@ -1593,7 +1575,7 @@ $as_echo "$ac_try_echo"; } >&5
test ! -s conftest.err
} && test -s conftest$ac_exeext && {
test "$cross_compiling" = yes ||
test -x conftest$ac_exeext
$as_test_x conftest$ac_exeext
}; then :
ac_retval=0
else
@ -1830,8 +1812,7 @@ int
main ()
{
static int test_array [1 - 2 * !((($ac_type) -1 >> ($2 / 2 - 1)) >> ($2 / 2 - 1) == 3)];
test_array [0] = 0;
return test_array [0];
test_array [0] = 0
;
return 0;
@ -1864,7 +1845,7 @@ This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by getdns $as_me 0.1.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
generated by GNU Autoconf 2.68. Invocation command line was
$ $0 $@
@ -2241,7 +2222,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_CC="${ac_tool_prefix}gcc"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -2281,7 +2262,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_CC="gcc"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -2334,7 +2315,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_CC="${ac_tool_prefix}cc"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -2375,7 +2356,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
ac_prog_rejected=yes
continue
@ -2433,7 +2414,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -2477,7 +2458,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_CC="$ac_prog"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -2923,7 +2904,8 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <stdarg.h>
#include <stdio.h>
struct stat;
#include <sys/types.h>
#include <sys/stat.h>
/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */
struct buf { int x; };
FILE * (*rcsopen) (struct buf *, struct stat *, int);
@ -3377,7 +3359,7 @@ do
for ac_prog in sed gsed; do
for ac_exec_ext in '' $ac_executable_extensions; do
ac_path_SED="$as_dir/$ac_prog$ac_exec_ext"
as_fn_executable_p "$ac_path_SED" || continue
{ test -f "$ac_path_SED" && $as_test_x "$ac_path_SED"; } || continue
# Check for GNU ac_path_SED and select it if it is found.
# Check for GNU $ac_path_SED
case `"$ac_path_SED" --version 2>&1` in
@ -3453,7 +3435,7 @@ do
for ac_prog in grep ggrep; do
for ac_exec_ext in '' $ac_executable_extensions; do
ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
as_fn_executable_p "$ac_path_GREP" || continue
{ test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
# Check for GNU ac_path_GREP and select it if it is found.
# Check for GNU $ac_path_GREP
case `"$ac_path_GREP" --version 2>&1` in
@ -3519,7 +3501,7 @@ do
for ac_prog in egrep; do
for ac_exec_ext in '' $ac_executable_extensions; do
ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
as_fn_executable_p "$ac_path_EGREP" || continue
{ test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
# Check for GNU ac_path_EGREP and select it if it is found.
# Check for GNU $ac_path_EGREP
case `"$ac_path_EGREP" --version 2>&1` in
@ -3586,7 +3568,7 @@ do
for ac_prog in fgrep; do
for ac_exec_ext in '' $ac_executable_extensions; do
ac_path_FGREP="$as_dir/$ac_prog$ac_exec_ext"
as_fn_executable_p "$ac_path_FGREP" || continue
{ test -f "$ac_path_FGREP" && $as_test_x "$ac_path_FGREP"; } || continue
# Check for GNU ac_path_FGREP and select it if it is found.
# Check for GNU $ac_path_FGREP
case `"$ac_path_FGREP" --version 2>&1` in
@ -3842,7 +3824,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_DUMPBIN="$ac_tool_prefix$ac_prog"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -3886,7 +3868,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_DUMPBIN="$ac_prog"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -4310,7 +4292,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -4350,7 +4332,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_OBJDUMP="objdump"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -4522,7 +4504,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu)
lt_cv_deplibs_check_method=pass_all
;;
netbsd*)
netbsd* | netbsdelf*-gnu)
if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
else
@ -4656,7 +4638,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_DLLTOOL="${ac_tool_prefix}dlltool"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -4696,7 +4678,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_DLLTOOL="dlltool"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -4800,7 +4782,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_AR="$ac_tool_prefix$ac_prog"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -4844,7 +4826,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_AR="$ac_prog"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -4969,7 +4951,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_STRIP="${ac_tool_prefix}strip"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -5009,7 +4991,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_STRIP="strip"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -5068,7 +5050,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -5108,7 +5090,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_RANLIB="ranlib"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -5212,7 +5194,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_AWK="$ac_prog"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -5799,7 +5781,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_MANIFEST_TOOL="${ac_tool_prefix}mt"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -5839,7 +5821,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_MANIFEST_TOOL="mt"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -5919,7 +5901,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -5959,7 +5941,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_DSYMUTIL="dsymutil"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -6011,7 +5993,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -6051,7 +6033,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_NMEDIT="nmedit"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -6103,7 +6085,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_LIPO="${ac_tool_prefix}lipo"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -6143,7 +6125,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_LIPO="lipo"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -6195,7 +6177,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_OTOOL="${ac_tool_prefix}otool"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -6235,7 +6217,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_OTOOL="otool"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -6287,7 +6269,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_OTOOL64="${ac_tool_prefix}otool64"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -6327,7 +6309,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_OTOOL64="otool64"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -7134,10 +7116,6 @@ _lt_linker_boilerplate=`cat conftest.err`
$RM -r conftest*
## CAVEAT EMPTOR:
## There is no encapsulation within the following macros, do not change
## the running order or otherwise move them around unless you know exactly
## what you are doing...
if test -n "$compiler"; then
lt_prog_compiler_no_builtin_flag=
@ -7828,6 +7806,9 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
openbsd*)
with_gnu_ld=no
;;
linux* | k*bsd*-gnu | gnu*)
link_all_deplibs=no
;;
esac
ld_shlibs=yes
@ -8049,7 +8030,7 @@ _LT_EOF
fi
;;
netbsd*)
netbsd* | netbsdelf*-gnu)
if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
wlarc=
@ -8226,6 +8207,7 @@ _LT_EOF
if test "$aix_use_runtimelinking" = yes; then
shared_flag="$shared_flag "'${wl}-G'
fi
link_all_deplibs=no
else
# not using gcc
if test "$host_cpu" = ia64; then
@ -8679,7 +8661,7 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; }
link_all_deplibs=yes
;;
netbsd*)
netbsd* | netbsdelf*-gnu)
if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out
else
@ -9692,14 +9674,10 @@ fi
# before this can be enabled.
hardcode_into_libs=yes
# Add ABI-specific directories to the system library path.
sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
# Append ld.so.conf contents to the search path
if test -f /etc/ld.so.conf; then
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
fi
# We used to test for /lib/ld.so.1 and disable shared libraries on
@ -9711,6 +9689,18 @@ fi
dynamic_linker='GNU/Linux ld.so'
;;
netbsdelf*-gnu)
version_type=linux
need_lib_prefix=no
need_version=no
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
hardcode_into_libs=yes
dynamic_linker='NetBSD ld.elf_so'
;;
netbsd*)
version_type=sunos
need_lib_prefix=no
@ -10718,7 +10708,7 @@ case $as_dir/ in #((
# by default.
for ac_prog in ginstall scoinst install; do
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then
if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then
if test $ac_prog = install &&
grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
# AIX install. It has an incompatible calling convention.
@ -11061,7 +11051,7 @@ do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_DOXYGEN=""
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@ -11088,7 +11078,7 @@ $as_echo "$as_me: WARNING: doxygen not found, continuing without" >&2;}
fi
# Checks for header files.
for ac_header in inttypes.h netinet/in.h stdint.h stdlib.h string.h
for ac_header in arpa/inet.h inttypes.h netdb.h netinet/in.h openssl/ssl.h stdint.h stdlib.h string.h sys/socket.h
do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
@ -12021,16 +12011,16 @@ if (echo >conf$$.file) 2>/dev/null; then
# ... but there are two gotchas:
# 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
# 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
# In both cases, we have to default to `cp -pR'.
# In both cases, we have to default to `cp -p'.
ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
as_ln_s='cp -pR'
as_ln_s='cp -p'
elif ln conf$$.file conf$$ 2>/dev/null; then
as_ln_s=ln
else
as_ln_s='cp -pR'
as_ln_s='cp -p'
fi
else
as_ln_s='cp -pR'
as_ln_s='cp -p'
fi
rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
rmdir conf$$.dir 2>/dev/null
@ -12090,16 +12080,28 @@ else
as_mkdir_p=false
fi
# as_fn_executable_p FILE
# -----------------------
# Test if FILE is an executable regular file.
as_fn_executable_p ()
{
test -f "$1" && test -x "$1"
} # as_fn_executable_p
as_test_x='test -x'
as_executable_p=as_fn_executable_p
if test -x / >/dev/null 2>&1; then
as_test_x='test -x'
else
if ls -dL / >/dev/null 2>&1; then
as_ls_L_option=L
else
as_ls_L_option=
fi
as_test_x='
eval sh -c '\''
if test -d "$1"; then
test -d "$1/.";
else
case $1 in #(
-*)set "./$1";;
esac;
case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
???[sx]*):;;*)false;;esac;fi
'\'' sh
'
fi
as_executable_p=$as_test_x
# Sed expression to map a string onto a valid CPP name.
as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@ -12121,7 +12123,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# values after options handling.
ac_log="
This file was extended by getdns $as_me 0.1.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
generated by GNU Autoconf 2.68. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
CONFIG_HEADERS = $CONFIG_HEADERS
@ -12188,10 +12190,10 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
getdns config.status 0.1.1
configured by $0, generated by GNU Autoconf 2.69,
configured by $0, generated by GNU Autoconf 2.68,
with options \\"\$ac_cs_config\\"
Copyright (C) 2012 Free Software Foundation, Inc.
Copyright (C) 2010 Free Software Foundation, Inc.
This config.status script is free software; the Free Software Foundation
gives unlimited permission to copy, distribute and modify it."
@ -12281,7 +12283,7 @@ fi
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
if \$ac_cs_recheck; then
set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
shift
\$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
CONFIG_SHELL='$SHELL'


@ -181,7 +181,7 @@ if test -z "$DOXYGEN";
fi
# Checks for header files.
AC_CHECK_HEADERS([inttypes.h netinet/in.h stdint.h stdlib.h string.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([arpa/inet.h inttypes.h netdb.h netinet/in.h openssl/ssl.h stdint.h stdlib.h string.h sys/socket.h],,, [AC_INCLUDES_DEFAULT])
# Checks for typedefs, structures, and compiler characteristics.
AC_TYPE_SIZE_T
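Review bot: The new `AC_CHECK_HEADERS` line only proves that `openssl/ssl.h` compiles; nothing in this hunk adds `-lssl`/`-lcrypto` to the link or checks that the library is usable, so a host with OpenSSL headers but no development library would pass configure and fail at link time in the DANE example. Pair the header check with a library probe such as `AC_CHECK_LIB([crypto], [SHA256_Init])` and `AC_CHECK_LIB([ssl], [SSL_library_init])` before relying on the result. The tests_dane example added in this commit appears to gate on both `HAVE_SSL` and `HAVE_OPENSSL_SSL_H`, while this check only defines the latter — confirm `HAVE_SSL` is defined elsewhere, otherwise the DANE verification path is compiled out silently. Since that example's TLSA matching depends on the header being present, consider at least an `AC_MSG_WARN` when it is missing so the degraded build is visible at configure time.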


@ -1,5 +1,8 @@
/* src/config.h.in. Generated from configure.ac by autoheader. */
/* Define to 1 if you have the <arpa/inet.h> header file. */
#undef HAVE_ARPA_INET_H
/* Define to 1 if you have the <dlfcn.h> header file. */
#undef HAVE_DLFCN_H
@ -33,9 +36,15 @@
/* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H
/* Define to 1 if you have the <netdb.h> header file. */
#undef HAVE_NETDB_H
/* Define to 1 if you have the <netinet/in.h> header file. */
#undef HAVE_NETINET_IN_H
/* Define to 1 if you have the <openssl/ssl.h> header file. */
#undef HAVE_OPENSSL_SSL_H
/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H
@ -48,6 +57,9 @@
/* Define to 1 if you have the <string.h> header file. */
#undef HAVE_STRING_H
/* Define to 1 if you have the <sys/socket.h> header file. */
#undef HAVE_SYS_SOCKET_H
/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H


@ -54,11 +54,393 @@
#include <arpa/inet.h>
#endif
#ifdef HAVE_LDNS_DANE_VERIFY
#ifdef HAVE_SSL
#ifndef getdns_get_errorstr_by_id
const char *getdns_get_errorstr_by_id(uint16_t err);
#endif
#ifdef HAVE_OPENSSL_SSL_H
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509v3.h>
#include <openssl/sha.h>
#define GETDNS_DANE_TLSA_DID_NOT_MATCH 3000
#define GETDNS_DANE_TLSA_DID_NOT_MATCH_TEXT "None of the given TLSAs matched"
#define GETDNS_DANE_PKIX_DID_NOT_VALIDATE 3001
#define GETDNS_DANE_PKIX_DID_NOT_VALIDATE_TEXT \
"A TLSA matched but PKIX validation failed."
#define GETDNS_DANE_NON_CA_CERTIFICATE 3002
#define GETDNS_DANE_NON_CA_CERTIFICATE_TEXT \
"A non CA certificate is matched"
#define GETDNS_DANE_USAGE_PKIX_TA 0
#define GETDNS_DANE_USAGE_PKIX_EE 1
#define GETDNS_DANE_USAGE_DANE_TA 2
#define GETDNS_DANE_USAGE_DANE_EE 3
#define GETDNS_DANE_SELECTOR_CERT 0
#define GETDNS_DANE_SELECTOR_SPKI 1
#define GETDNS_DANE_MATCHING_TYPE_FULL 0
#define GETDNS_DANE_MATCHING_TYPE_SHA2_256 1
#define GETDNS_DANE_MATCHING_TYPE_SHA2_512 2
/* Ordinary PKIX validation of cert (with extra_certs to help)
* against the CA's in store
*/
static int
getdns_dane_pkix_validate(
X509* cert, STACK_OF(X509)* extra_certs, X509_STORE* store)
{
X509_STORE_CTX* vrfy_ctx;
int r;
if (! store)
return GETDNS_DANE_PKIX_DID_NOT_VALIDATE;
vrfy_ctx = X509_STORE_CTX_new();
if (! vrfy_ctx)
return GETDNS_RETURN_MEMORY_ERROR;
else if (X509_STORE_CTX_init(vrfy_ctx, store,
cert, extra_certs) != 1)
r = GETDNS_RETURN_GENERIC_ERROR;
else if (X509_verify_cert(vrfy_ctx) == 1)
r = GETDNS_RETURN_GOOD;
else
r = GETDNS_DANE_PKIX_DID_NOT_VALIDATE;
X509_STORE_CTX_free(vrfy_ctx);
return r;
}
/* Ordinary PKIX validation of cert (with extra_certs to help)
* against the CA's in store, but also return the validation chain.
*/
static int
getdns_dane_pkix_validate_and_get_chain(STACK_OF(X509)** chain, X509* cert,
STACK_OF(X509)* extra_certs, X509_STORE* store)
{
int r;
X509_STORE* empty_store = NULL;
X509_STORE_CTX* vrfy_ctx;
if (! store)
store = empty_store = X509_STORE_new();
r = GETDNS_RETURN_GENERIC_ERROR;
vrfy_ctx = X509_STORE_CTX_new();
if (! vrfy_ctx)
goto exit_free_empty_store;
else if (X509_STORE_CTX_init(vrfy_ctx, store,
cert, extra_certs) != 1)
goto exit_free_vrfy_ctx;
else if (X509_verify_cert(vrfy_ctx) == 1)
r = GETDNS_RETURN_GOOD;
else
r = GETDNS_DANE_PKIX_DID_NOT_VALIDATE;
*chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
if (! *chain)
r = GETDNS_RETURN_GENERIC_ERROR;
exit_free_vrfy_ctx:
X509_STORE_CTX_free(vrfy_ctx);
exit_free_empty_store:
if (empty_store)
X509_STORE_free(empty_store);
return r;
}
/* Return the validation chain that can be build out of cert, with extra_certs.
*/
static int
getdns_dane_pkix_get_chain(STACK_OF(X509)** chain,
X509* cert, STACK_OF(X509)* extra_certs)
{
int r;
X509_STORE* empty_store = NULL;
X509_STORE_CTX* vrfy_ctx;
empty_store = X509_STORE_new();
r = GETDNS_RETURN_GENERIC_ERROR;
vrfy_ctx = X509_STORE_CTX_new();
if (! vrfy_ctx)
goto exit_free_empty_store;
else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
cert, extra_certs) != 1)
goto exit_free_vrfy_ctx;
(void) X509_verify_cert(vrfy_ctx);
*chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
if (! *chain)
r = GETDNS_RETURN_GENERIC_ERROR;
else
r = GETDNS_RETURN_GOOD;
exit_free_vrfy_ctx:
X509_STORE_CTX_free(vrfy_ctx);
exit_free_empty_store:
X509_STORE_free(empty_store);
return r;
}
/* Return whether cert/selector/matching_type matches data.
*/
static int
getdns_dane_match_cert_with_data(X509* cert,
uint32_t selector, uint32_t matching_type, getdns_bindata *data)
{
int r = GETDNS_RETURN_GOOD;
unsigned char *buf = NULL;
size_t len;
X509_PUBKEY* xpubkey;
EVP_PKEY* epubkey;
unsigned char hash[SHA512_DIGEST_LENGTH];
SHA256_CTX sha256;
SHA512_CTX sha512;
switch (selector) {
case GETDNS_DANE_SELECTOR_CERT:
len = (size_t)i2d_X509(cert, &buf);
break;
case GETDNS_DANE_SELECTOR_SPKI:
xpubkey = X509_get_X509_PUBKEY(cert);
if (! xpubkey)
return GETDNS_RETURN_GENERIC_ERROR;
epubkey = X509_PUBKEY_get(xpubkey);
if (! epubkey)
return GETDNS_RETURN_GENERIC_ERROR;
len = (size_t)i2d_PUBKEY(epubkey, &buf);
break;
default:
return GETDNS_RETURN_GENERIC_ERROR;
}
switch(matching_type) {
case GETDNS_DANE_MATCHING_TYPE_FULL:
if (data->size != len || memcmp(data->data, buf, len))
r = GETDNS_DANE_TLSA_DID_NOT_MATCH;
break;
case GETDNS_DANE_MATCHING_TYPE_SHA2_256:
if (data->size != SHA256_DIGEST_LENGTH)
r = GETDNS_DANE_TLSA_DID_NOT_MATCH;
else {
SHA256_Init(&sha256);
SHA256_Update(&sha256, buf, len);
SHA256_Final(hash, &sha256);
if (memcmp(data->data, hash, SHA256_DIGEST_LENGTH))
r = GETDNS_DANE_TLSA_DID_NOT_MATCH;
}
break;
case GETDNS_DANE_MATCHING_TYPE_SHA2_512:
if (data->size != SHA512_DIGEST_LENGTH)
r = GETDNS_DANE_TLSA_DID_NOT_MATCH;
else {
SHA512_Init(&sha512);
SHA512_Update(&sha512, buf, len);
SHA512_Final(hash, &sha512);
if (memcmp(data->data, hash, SHA512_DIGEST_LENGTH))
r = GETDNS_DANE_TLSA_DID_NOT_MATCH;
}
break;
default:
r = GETDNS_RETURN_GENERIC_ERROR;
}
free(buf);
return r;
}
/* Return whether any certificate from the chain with selector/matching_type
* matches data.
* ca should be 1 if the certificate has to be a CA certificate too.
*/
static int
getdns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
uint32_t selector, uint32_t matching_type, getdns_bindata* data, int ca)
{
int r = GETDNS_DANE_TLSA_DID_NOT_MATCH;
size_t n, i;
X509* cert;
n = (size_t)sk_X509_num(chain);
for (i = 0; i < n; i++) {
cert = sk_X509_pop(chain);
if (! cert) {
r = GETDNS_RETURN_GENERIC_ERROR;
break;
}
r = getdns_dane_match_cert_with_data(
cert, selector, matching_type, data);
if (ca && r == GETDNS_RETURN_GOOD && ! X509_check_ca(cert))
r = GETDNS_DANE_NON_CA_CERTIFICATE;
X509_free(cert);
if (r != GETDNS_DANE_TLSA_DID_NOT_MATCH)
break;
/* when r == GETDNS_DANE_TLSA_DID_NOT_MATCH,
* try to match the next certificate
*/
}
return r;
}
int /* actually extended getdns_return_t */
getdns_dane_verify(getdns_list *tlsas, X509 *cert,
STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store )
{
getdns_return_t r = GETDNS_RETURN_GOOD, prev_r = GETDNS_RETURN_GOOD;
size_t tlsas_len, i, n_tlsas;
getdns_dict *tlsa_rr;
uint32_t rr_type;
getdns_dict *rdata;
uint32_t usage, selector, matching_type;
getdns_bindata *data; /* Certificate association data */
STACK_OF(X509) *pkix_validation_chain;
if ((r = getdns_list_get_length(tlsas, &tlsas_len)))
return r;
for (n_tlsas = 0, i = 0; i < tlsas_len; i++) {
prev_r = r;
if ((r = getdns_list_get_dict(tlsas, i, &tlsa_rr)))
break;
if ((r = getdns_dict_get_int(tlsa_rr, "type", &rr_type)))
break;
if (rr_type != GETDNS_RRTYPE_TLSA
|| (r = getdns_dict_get_dict(tlsa_rr, "rdata", &rdata))
|| (r = getdns_dict_get_int(rdata,
"certificate_usage" , &usage))
|| (r = getdns_dict_get_int(rdata,
"selector", &selector))
|| (r = getdns_dict_get_int(rdata,
"matching_type", &matching_type))
|| (r = getdns_dict_get_bindata(rdata,
"certificate_association_data", &data))
|| usage > 3 || selector > 1 || matching_type > 2) {
r = prev_r;
continue;
} else
n_tlsas++;
pkix_validation_chain = NULL;
switch (usage) {
case GETDNS_DANE_USAGE_PKIX_TA:
r = getdns_dane_pkix_validate_and_get_chain(
&pkix_validation_chain,
cert, extra_certs,
pkix_validation_store);
if (! pkix_validation_chain)
break;
if (r == GETDNS_DANE_PKIX_DID_NOT_VALIDATE) {
/*
* NO PKIX validation. We still try to match
* *any* certificate from the chain, so we
* return TLSA errors over PKIX errors.
*
* i.e. When the TLSA matches no certificate,
* we return * TLSA_DID_NOT_MATCH and not
* PKIX_DID_NOT_VALIDATE
*/
r = getdns_dane_match_any_cert_with_data(
pkix_validation_chain,
selector, matching_type, data, 1);
if (r == GETDNS_RETURN_GOOD) {
/* A TLSA record did match a cert from
* the chain, thus the error is failed
* PKIX validation.
*/
r = GETDNS_DANE_PKIX_DID_NOT_VALIDATE;
}
} else if (r == GETDNS_RETURN_GOOD) {
/* PKIX validated, does the TLSA match too? */
r = getdns_dane_match_any_cert_with_data(
pkix_validation_chain,
selector, matching_type, data, 1);
}
sk_X509_pop_free(pkix_validation_chain, X509_free);
break;
case GETDNS_DANE_USAGE_PKIX_EE:
r = getdns_dane_match_cert_with_data(
cert, selector, matching_type, data);
r = r ? r : getdns_dane_pkix_validate(
cert, extra_certs, pkix_validation_store);
break;
case GETDNS_DANE_USAGE_DANE_TA:
r = getdns_dane_pkix_get_chain(
&pkix_validation_chain, cert, extra_certs);
r = r ? r : getdns_dane_match_any_cert_with_data(
pkix_validation_chain,
selector, matching_type, data, 0);
if (pkix_validation_chain)
sk_X509_pop_free(
pkix_validation_chain, X509_free);
break;
case GETDNS_DANE_USAGE_DANE_EE:
r = getdns_dane_match_cert_with_data(
cert, selector, matching_type, data);
break;
default:
r = GETDNS_RETURN_GENERIC_ERROR;
break;
}
if (r != GETDNS_DANE_TLSA_DID_NOT_MATCH &&
r != GETDNS_DANE_PKIX_DID_NOT_VALIDATE) {
/* which would be GETDNS_RETURN_GOOD (match)
* or some fatal error preventing use from
* trying the next TLSA record.
*/
break;
}
r = (r < prev_r ? prev_r : r); /* prefer PKIX_DID_NOT_VALIDATE
* over TLSA_DID_NOT_MATCH
*/
}
if (n_tlsas == 0)
return getdns_dane_pkix_validate(
cert, extra_certs, pkix_validation_store);
return r;
}
void
print_usage(const char *progname, FILE *out, int exit_code)
@ -474,8 +856,9 @@ main(int argc, char * const *argv)
/*
* Dane validate the certificate
*/
switch (getdns_dane_verify(tlsas, cert, extra_certs,
certificate_authorities)) {
int s;
switch ((s = getdns_dane_verify(tlsas, cert, extra_certs,
certificate_authorities))) {
case GETDNS_RETURN_GOOD:
/*****************************************************
@ -505,7 +888,7 @@ main(int argc, char * const *argv)
printf("No matching TLSA found\n");
break;
default:
printf("An error occurred when verifying TLSA's\n");
printf("An error occurred when verifying TLSA's (%d)\n", s);
break;
}
while (SSL_shutdown(ssl) == 0);
@ -535,7 +918,7 @@ done_destroy_context:
return r ? r : (naddresses == nsuccess ? EXIT_SUCCESS : EXIT_FAILURE);
}
#else /* HAVE_SSL */
#else /* HAVE_OPENSSL_SSL_H */
int
main(int argc, char *const *argv)
{
@ -545,18 +928,6 @@ main(int argc, char *const *argv)
"which has not been compiled in.\n", progname);
return EXIT_FAILURE;
}
#endif /* HAVE_SSL */
#else /* HAVE_LDNS_DANE_VERIFY */
int
main(int argc, char *const *argv)
{
const char *progname = strrchr(argv[0], '/');
progname = progname ? progname + 1 : argv[0];
fprintf(stderr, "%s needs dane support in the ldns library, "
"which has not been compiled in.\n", progname);
fprintf(stderr, "ldns has dane support since version 1.6.14.\n");
return EXIT_FAILURE;
}
#endif /* HAVE_LDNS_DANE_VERIFY */
#endif /* HAVE_OPENSSL_SSL_H */
/* tests_dane.c */
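Review bot: In getdns_dane_match_cert_with_data (first hunk, `@ -54,11 +54,393`) the return values of `i2d_X509` and `i2d_PUBKEY` are cast straight to `size_t`; both return a negative int on failure and leave `buf` NULL, so a malformed certificate turns into a huge `len` fed to `memcmp`/`SHA256_Update` on a null pointer instead of an error return. In the same switch, `X509_PUBKEY_get` hands back a new reference to the EVP_PKEY and the code never calls `EVP_PKEY_free(epubkey)`, so every SPKI-selector match leaks a key. I would collect the encoded length in an `int`, check it (and `buf`) once after the switch, and release the key right after `i2d_PUBKEY`; the rest of the function and the other hunks (main's `int s` plumbing and the `#else`/`#endif` relabelling) look fine as they are.
```c
	int blen;
	switch (selector) {
	case GETDNS_DANE_SELECTOR_CERT:
		blen = i2d_X509(cert, &buf);
		break;
	case GETDNS_DANE_SELECTOR_SPKI:
		xpubkey = X509_get_X509_PUBKEY(cert);
		if (! xpubkey)
			return GETDNS_RETURN_GENERIC_ERROR;
		epubkey = X509_PUBKEY_get(xpubkey);
		if (! epubkey)
			return GETDNS_RETURN_GENERIC_ERROR;
		blen = i2d_PUBKEY(epubkey, &buf);
		EVP_PKEY_free(epubkey); /* X509_PUBKEY_get returned a new reference */
		break;
	default:
		return GETDNS_RETURN_GENERIC_ERROR;
	}
	if (blen < 0 || ! buf)
		return GETDNS_RETURN_GENERIC_ERROR; /* DER encoding failed */
	len = (size_t)blen;
	/* … unchanged: matching_type switch, free(buf), return r … */
```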