diff options
author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-07-10 20:36:02 -0400 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-07-12 10:16:34 -0400 |
commit | 5ae4ceb92c2ae6c677b1de2c477dce71a4d94716 (patch) | |
tree | e3df5a313a7e45524115e1cca438256f0405bd6a /test/danetest.c | |
parent | d83b7e1a580b2f68a041d178e91e9495ec95e383 (diff) |
Perform DANE-EE(3) name checks by default
In light of potential UKS (unknown key share) attacks on some
applications, primarily browsers, despite RFC761, name checks are
by default applied with DANE-EE(3) TLSA records. Applications for
which UKS is not a problem can optionally disable DANE-EE(3) name
checks via the new SSL_CTX_dane_set_flags() and friends.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'test/danetest.c')
-rw-r--r-- | test/danetest.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/test/danetest.c b/test/danetest.c index d473b12689..aea3a7a43e 100644 --- a/test/danetest.c +++ b/test/danetest.c @@ -329,6 +329,7 @@ static int test_tlsafile(SSL_CTX *ctx, const char *basename, STACK_OF(X509) *chain; int ntlsa; int ncert; + int noncheck; int want; int want_depth; int off; @@ -341,7 +342,8 @@ static int test_tlsafile(SSL_CTX *ctx, const char *basename, continue; ++testno; - if (sscanf(line, "%d %d %d %d%n", &ntlsa, &ncert, &want, &want_depth, &off) != 4 + if (sscanf(line, "%d %d %d %d %d%n", + &ntlsa, &ncert, &noncheck, &want, &want_depth, &off) != 5 || !allws(line + off)) { fprintf(stderr, "Expected tlsa count, cert count and result" " at test %d of %s\n", testno, path); @@ -355,6 +357,8 @@ static int test_tlsafile(SSL_CTX *ctx, const char *basename, SSL_free(ssl); return -1; } + if (noncheck) + SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS); for (i = 0; i < ntlsa; ++i) { if ((line = read_to_eol(f)) == NULL || !tlsa_import_rr(ssl, line)) { |