author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-07-10 20:36:02 -0400 |
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-07-12 10:16:34 -0400 |
commit | 5ae4ceb92c2ae6c677b1de2c477dce71a4d94716 (patch) | |
tree | e3df5a313a7e45524115e1cca438256f0405bd6a /include | |
parent | d83b7e1a580b2f68a041d178e91e9495ec95e383 (diff) | |
download | openssl-5ae4ceb92c2ae6c677b1de2c477dce71a4d94716.tar.gz |
Perform DANE-EE(3) name checks by default
In light of potential UKS (unknown key share) attacks on some
applications, primarily browsers, despite RFC761, name checks are
by default applied with DANE-EE(3) TLSA records. Applications for
which UKS is not a problem can optionally disable DANE-EE(3) name
checks via the new SSL_CTX_dane_set_flags() and friends.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/internal/dane.h | 2 | ||||
-rw-r--r-- | include/openssl/ssl.h | 7 | ||||
-rw-r--r-- | include/openssl/x509_vfy.h | 1 |
3 files changed, 10 insertions, 0 deletions
diff --git a/include/internal/dane.h b/include/internal/dane.h
index 65bf24439d..a1cb5488ba 100644
--- a/include/internal/dane.h
+++ b/include/internal/dane.h
@@ -57,6 +57,7 @@ struct dane_ctx_st {
 const EVP_MD **mdevp; /* mtype -> digest */
 uint8_t *mdord; /* mtype -> preference */
 uint8_t mdmax; /* highest supported mtype */
+ unsigned long flags; /* feature bitmask */
 };
 
 /*
@@ -71,6 +72,7 @@ struct ssl_dane_st {
 uint32_t umask; /* Usages present */
 int mdpth; /* Depth of matched cert */
 int pdpth; /* Depth of PKIX trust */
+ unsigned long flags; /* feature bitmask */
 };
 
 #define DANETLS_ENABLED(dane) \
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 3d44a4f246..ce7110da59 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1499,6 +1499,13 @@ __owur int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector,
 * offline testing in test/danetest.c
 */
 SSL_DANE *SSL_get0_dane(SSL *ssl);
+/*
+ * DANE flags
+ */
+unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags);
+unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags);
+unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags);
+unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags);
 
 __owur int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm);
 __owur int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm);
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index 4e44e1daea..183889a2f1 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -376,6 +376,7 @@ int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
 * offline testing in test/danetest.c
 */
 void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, SSL_DANE *dane);
+#define DANE_FLAG_NO_DANE_EE_NAMECHECKS (1L << 0)
 
 /* X509_VERIFY_PARAM functions */
 
|
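Review bot: The new `flags` member added to `struct dane_ctx_st` is documented only as `/* feature bitmask */`, which says neither which bits it holds nor where they are defined; the `flags` member added to `struct ssl_dane_st` in the second hunk has the same gap. A comment such as `unsigned long flags; /* DANE_FLAG_* bits, see x509_vfy.h */` ties each field to the public macro introduced by this commit. Whether the per-SSL copy is initialised from the SSL_CTX value is not visible in these header hunks and is worth stating in the comment once confirmed. Both struct definitions begin before their hunks.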
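Review bot: The four new prototypes `SSL_CTX_dane_set_flags`, `SSL_CTX_dane_clear_flags`, `SSL_dane_set_flags` and `SSL_dane_clear_flags` are introduced under the bare heading `DANE flags`, with no statement of what the `unsigned long` return value is or which values `flags` accepts; the only accepted flag this commit defines lives in x509_vfy.h rather than next to these declarations. Assuming the return is the updated flag set, as the signatures suggest, the heading could read `/* DANE flags: set or clear DANE_FLAG_* bits (x509_vfy.h); each call returns the resulting flag set */`. Unlike the neighbouring `SSL_CTX_set1_param`, these carry no `__owur`, which is consistent with a return value that may be ignored; if that is the intent, the comment should say so.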
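Review bot: `DANE_FLAG_NO_DANE_EE_NAMECHECKS` is defined as `(1L << 0)`, a signed `long`, while every `flags` field and setter parameter in this commit is `unsigned long`; `#define DANE_FLAG_NO_DANE_EE_NAMECHECKS (1UL << 0)` matches the field type and avoids a negative constant if later flags occupy high bits. The macro also has no comment, although the commit message explains that the default now performs DANE-EE(3) name checks to guard against unknown key share and that this flag opts out of that guard. A one-line comment at the definition, e.g. `/* Skip name checks for DANE-EE(3) matches; only for applications where unknown key share is not a concern */`, records the trade-off where a caller will find it.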