authorViktor Dukhovni <openssl-users@dukhovni.org>2016-04-21 20:00:58 -0400
committerViktor Dukhovni <openssl-users@dukhovni.org>2016-04-22 10:41:57 -0400
commit9f6b22b814a306677f6d5a829cf7fd62005ecdc2 (patch)
treee6420ac6d4a61e5b0eefb3e5a59b4260f42e3e0f /ssl
parentee85fc1dd67faebdeecb8fe8834facaee0566324 (diff)
Enabled DANE only when at least one TLSA RR was added
It is up to the caller of SSL_dane_tlsa_add() to take appropriate action when no records are added successfully or adding some records triggers an internal error (negative return value). With this change the caller can continue with PKIX if desired when none of the TLSA records are usable, or take some appropriate action if DANE is required. Also fixed the internal ssl_dane_dup() function to properly initialize the TLSA RR stack in the target SSL handle. Errors in ssl_dane_dup() are no longer ignored. Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r--ssl/ssl_lib.c16
1 files changed, 14 insertions, 2 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 06d972349a..994d093466 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -284,10 +284,18 @@ static int ssl_dane_dup(SSL *to, SSL *from)
return 1;
dane_final(&to->dane);
+ to->dane.dctx = &to->ctx->dane;
+ to->dane.trecs = sk_danetls_record_new_null();
+
+ if (to->dane.trecs == NULL) {
+ SSLerr(SSL_F_SSL_DANE_DUP, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
num = sk_danetls_record_num(from->dane.trecs);
for (i = 0; i < num; ++i) {
danetls_record *t = sk_danetls_record_value(from->dane.trecs, i);
+
if (SSL_dane_tlsa_add(to, t->usage, t->selector, t->mtype,
t->data, t->dlen) <= 0)
return 0;
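Review bot: The `<= 0` test on SSL_dane_tlsa_add() at the end of the hunk folds two outcomes into one fatal result — 0 (record not usable, per the commit message) and a negative value (internal error) — without saying why that is right for a dup. Every record being copied was already accepted into `from`, presumably under the same SSL_CTX, so a non-positive return here cannot be an ordinary "unusable RR" case and treating it as an error is the correct choice; a comment such as `/* Records were validated when added to 'from'; any non-positive return here is an internal error, not an unusable RR */` would keep a future reader from "fixing" it to skip the record. On the allocation-failure path the new code has already pointed `to->dane.dctx` at the context while `to->dane.trecs` stays NULL; that is harmless only because the caller now aborts SSL_dup() on a 0 return (see the last hunk), which is worth noting next to the `return 0;`. The guard that precedes the visible `return 1;` and the rest of ssl_dane_dup() lie outside the hunk.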
@@ -363,6 +371,7 @@ static int dane_tlsa_add(
const EVP_MD *md = NULL;
int ilen = (int)dlen;
int i;
+ int num;
if (dane->trecs == NULL) {
SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_NOT_ENABLED);
@@ -495,8 +504,10 @@ static int dane_tlsa_add(
* The choice of order for the selector is not significant, so we
* use the same descending order for consistency.
*/
- for (i = 0; i < sk_danetls_record_num(dane->trecs); ++i) {
+ num = sk_danetls_record_num(dane->trecs);
+ for (i = 0; i < num; ++i) {
danetls_record *rec = sk_danetls_record_value(dane->trecs, i);
+
if (rec->usage > usage)
continue;
if (rec->usage < usage)
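Review bot: Hoisting `sk_danetls_record_num(dane->trecs)` into `num` (declared in the previous hunk, `int num;`) is only equivalent to the old per-iteration test while the loop body neither inserts into nor removes from `dane->trecs`; the body is cut off at the end of the hunk, so that invariant cannot be confirmed from here and should be stated on the loop. The surrounding comment about ordering suggests this loop merely locates an insertion point and the insert happens after the scan; if so, add `/* num is stable: the body only reads trecs, the insert happens after the scan */` above the `for`. dane_tlsa_add() begins and ends outside this hunk.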
@@ -3135,7 +3146,8 @@ SSL *SSL_dup(SSL *s)
goto err;
}
- ssl_dane_dup(ret, s);
+ if (!ssl_dane_dup(ret, s))
+ goto err;
ret->version = s->version;
ret->options = s->options;
ret->mode = s->mode;
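Review bot: The new `if (!ssl_dane_dup(ret, s)) goto err;` gives no hint of what can fail on a handle that never had DANE enabled, which a reader checking SSL_dup() error paths will want to know. The early `return 1;` visible at the top of the first hunk suggests ssl_dane_dup() is a no-op for a source without DANE state, so a comment such as `/* No-op unless 's' has DANE enabled; fails on allocation failure or if a TLSA record cannot be re-added */` would make the new abort path self-explanatory. The `err` label is outside the hunk; the note assumes it releases `ret`, since the goto now skips the remaining field copies.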