From 9f6b22b814a306677f6d5a829cf7fd62005ecdc2 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni
Date: Thu, 21 Apr 2016 20:00:58 -0400
Subject: Enabled DANE only when at least one TLSA RR was added

It is up to the caller of SSL_dane_tlsa_add() to take appropriate action when no records are added successfully or adding some records triggers an internal error (negative return value).

With this change the caller can continue with PKIX if desired when none of the TLSA records are usable, or take some appropriate action if DANE is required.

Also fixed the internal ssl_dane_dup() function to properly initialize the TLSA RR stack in the target SSL handle. Errors in ssl_dane_dup() are no longer ignored.

Reviewed-by: Rich Salz
---
include/internal/dane.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'include/internal/dane.h')

diff --git a/include/internal/dane.h b/include/internal/dane.h
index 1672849c83..557534adec 100644
--- a/include/internal/dane.h
+++ b/include/internal/dane.h
@@ -121,7 +121,8 @@ struct ssl_dane_st {
 int pdpth; /* Depth of PKIX trust */
 };
-#define DANETLS_ENABLED(dane) ((dane) != NULL && ((dane)->trecs != NULL))
+#define DANETLS_ENABLED(dane) \
+ ((dane) != NULL && sk_danetls_record_num((dane)->trecs) > 0)
 #define DANETLS_USAGE_BIT(u) (((uint32_t)1) << u)
-- 
cgit v1.2.3
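Review bot: The new DANETLS_ENABLED body depends on sk_danetls_record_num() tolerating a NULL trecs stack, since the `(dane) != NULL` guard now covers only the outer pointer; if it follows the OpenSSL sk_num() convention of returning -1 for a NULL stack the `> 0` test is correct, but that assumption is invisible at the use site and deserves a comment above the macro, e.g. `/* trecs may be NULL (no TLSA RR added yet): sk_*_num() then returns -1, which also reads as "DANE not enabled" */`. Because this macro is the gate between DANE verification and a plain PKIX path, the semantic shift from "a stack was allocated" to "at least one record is present" should be checked at each caller that previously treated it as "DANE was configured", which the commit message delegates to the caller without naming them. The macro still evaluates its argument twice, as the old version did, so it must not be invoked with an expression that has side effects; a one-line note on that is cheap. The struct ssl_dane_st whose closing brace appears in the hunk begins outside it.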