author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-03-20 20:40:13 -0400 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-03-20 21:03:47 -0400 |
commit | 89ff989d01314a6104e5063edfce316c8325f339 (patch) | |
tree | a64ae34a1a01c0a00eba3b3d0f124df7e08ac011 /crypto/x509/x509_vfy.c | |
parent | 3c27208fab1dc29f47f088490404df5abfcdfb05 (diff) | |
Add a comment on dane_verify() logic
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto/x509/x509_vfy.c')
-rw-r--r-- | crypto/x509/x509_vfy.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index e2b1b9654b..afd8299bb4 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2591,7 +2591,7 @@ static int check_dane_issuer(X509_STORE_CTX *ctx, int depth)
 return X509_TRUST_UNTRUSTED;
 /*
- * Record any DANE trust anchor matches, for the first depth to test, if
+ * Record any DANE trust-anchor matches, for the first depth to test, if
 * there's one at that depth. (This'll be false for length 1 chains looking
 * for an exact match for the leaf certificate).
 */
@@ -2676,6 +2676,18 @@ static int dane_verify(X509_STORE_CTX *ctx)
 dane_reset(dane);
+ /*-
+ * When testing the leaf certificate, if we match a DANE-EE(3) record,
+ * dane_match() returns 1 and we're done. If however we match a PKIX-EE(1)
+ * record, the match depth and matching TLSA record are recorded, but the
+ * return value is 0, because we still need to find a PKIX trust-anchor.
+ * Therefore, when DANE authentication is enabled (required), we're done
+ * if:
+ * + matched < 0, internal error.
+ * + matched == 1, we matched a DANE-EE(3) record
+ * + matched == 0, mdepth < 0 (no PKIX-EE match) and there are no
+ * DANE-TA(2) or PKIX-TA(0) to test.
+ */
 matched = dane_match(ctx, ctx->cert, 0);
 done = matched != 0 || (!DANETLS_HAS_TA(dane) && dane->mdpth < 0);
|
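Review bot: The third bullet of the new comment in dane_verify() names the field `mdepth`, but the condition it documents on the following line reads `dane->mdpth`, so a reader grepping for the field from the comment will not find it; the bullet should read `* + matched == 0, mdpth < 0 (no PKIX-EE match) and there are no`. The bullets are otherwise a faithful restatement of `done = matched != 0 || (!DANETLS_HAS_TA(dane) && dane->mdpth < 0);`, which is exactly why the one name that does not match stands out. The comment also fixes the return contract of dane_match() (1 for a DANE-EE(3) match, 0 with depth and record recorded for a PKIX-EE(1) match, negative on internal error); since that contract belongs to dane_match() rather than its caller, it would be worth repeating a one-line version at dane_match()'s definition, which is outside this hunk, so the two do not drift apart. The body of dane_verify() continues past the end of the hunk.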