Enabled DANE only when at least one TLSA RR was added

It is up to the caller of SSL_dane_tlsa_add() to take appropriate action when no records are added successfully or adding some records triggers an internal error (negative return value). With this change the caller can continue with PKIX if desired when none of the TLSA records are usable, or take some appropriate action if DANE is required. Also fixed the internal ssl_dane_dup() function to properly initialize the TLSA RR stack in the target SSL handle. Errors in ssl_dane_dup() are no longer ignored. Reviewed-by: Rich Salz <rsalz@openssl.org>
author: Viktor Dukhovni <openssl-users@dukhovni.org> 2016-04-21 20:00:58 -0400
committer: Viktor Dukhovni <openssl-users@dukhovni.org> 2016-04-22 10:41:57 -0400
commit: 9f6b22b814a306677f6d5a829cf7fd62005ecdc2 (patch)
tree: e6420ac6d4a61e5b0eefb3e5a59b4260f42e3e0f /include/internal/dane.h
parent: ee85fc1dd67faebdeecb8fe8834facaee0566324 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/include/internal/dane.h b/include/internal/dane.h
index 1672849c83..557534adec 100644
--- a/include/internal/dane.h
+++ b/include/internal/dane.h
@@ -121,7 +121,8 @@ struct ssl_dane_st {
     int             pdpth;      /* Depth of PKIX trust */
 };
 
-#define DANETLS_ENABLED(dane)  ((dane) != NULL && ((dane)->trecs != NULL))
+#define DANETLS_ENABLED(dane)  \
+    ((dane) != NULL && sk_danetls_record_num((dane)->trecs) > 0)
 
 #define DANETLS_USAGE_BIT(u)   (((uint32_t)1) << u)
author	Viktor Dukhovni <openssl-users@dukhovni.org>	2016-04-21 20:00:58 -0400
committer	Viktor Dukhovni <openssl-users@dukhovni.org>	2016-04-22 10:41:57 -0400
commit	9f6b22b814a306677f6d5a829cf7fd62005ecdc2 (patch)
tree	e6420ac6d4a61e5b0eefb3e5a59b4260f42e3e0f /include/internal/dane.h
parent	ee85fc1dd67faebdeecb8fe8834facaee0566324 (diff)