diff options
| author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-07-10 20:36:02 -0400 |
|---|---|---|
| committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-07-12 10:16:34 -0400 |
| commit | 5ae4ceb92c2ae6c677b1de2c477dce71a4d94716 (patch) | |
| tree | e3df5a313a7e45524115e1cca438256f0405bd6a /ssl/ssl_lib.c | |
| parent | d83b7e1a580b2f68a041d178e91e9495ec95e383 (diff) | |
Perform DANE-EE(3) name checks by default
In light of potential UKS (unknown key share) attacks on some
applications, primarily browsers, despite RFC761, name checks are
by default applied with DANE-EE(3) TLSA records. Applications for
which UKS is not a problem can optionally disable DANE-EE(3) name
checks via the new SSL_CTX_dane_set_flags() and friends.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'ssl/ssl_lib.c')
| -rw-r--r-- | ssl/ssl_lib.c | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 08e36733fc..4fafd18987 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -108,6 +108,9 @@ static int dane_ctx_enable(struct dane_ctx_st *dctx) int n = ((int) mdmax) + 1; /* int to handle PrivMatch(255) */ size_t i; + if (dctx->mdevp != NULL) + return 1; + mdevp = OPENSSL_zalloc(n * sizeof(*mdevp)); mdord = OPENSSL_zalloc(n * sizeof(*mdord)); @@ -182,6 +185,7 @@ static int ssl_dane_dup(SSL *to, SSL *from) return 1; dane_final(&to->dane); + to->dane.flags = from->dane.flags; to->dane.dctx = &to->ctx->dane; to->dane.trecs = sk_danetls_record_new_null(); @@ -542,6 +546,7 @@ SSL *SSL_new(SSL_CTX *ctx) RECORD_LAYER_init(&s->rlayer, s); s->options = ctx->options; + s->dane.flags = ctx->dane.flags; s->min_proto_version = ctx->min_proto_version; s->max_proto_version = ctx->max_proto_version; s->mode = ctx->mode; @@ -802,6 +807,22 @@ int SSL_CTX_dane_enable(SSL_CTX *ctx) return dane_ctx_enable(&ctx->dane); } +unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags) +{ + unsigned long orig = ctx->dane.flags; + + ctx->dane.flags |= flags; + return orig; +} + +unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags) +{ + unsigned long orig = ctx->dane.flags; + + ctx->dane.flags &= ~flags; + return orig; +} + int SSL_dane_enable(SSL *s, const char *basedomain) { SSL_DANE *dane = &s->dane; @@ -845,6 +866,22 @@ int SSL_dane_enable(SSL *s, const char *basedomain) return 1; } +unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags) +{ + unsigned long orig = ssl->dane.flags; + + ssl->dane.flags |= flags; + return orig; +} + +unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags) +{ + unsigned long orig = ssl->dane.flags; + + ssl->dane.flags &= ~flags; + return orig; +} + int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki) { SSL_DANE *dane = &s->dane; |