Perform DANE-EE(3) name checks by default

In light of potential UKS (unknown key share) attacks on some
applications, primarily browsers, despite RFC761, name checks are
by default applied with DANE-EE(3) TLSA records.  Applications for
which UKS is not a problem can optionally disable DANE-EE(3) name
checks via the new SSL_CTX_dane_set_flags() and friends.

Reviewed-by: Rich Salz <rsalz@openssl.org>
diff --git a/include/internal/dane.h b/include/internal/dane.h
index 65bf244..a1cb548 100644
--- a/include/internal/dane.h
+++ b/include/internal/dane.h
@@ -57,6 +57,7 @@
     const EVP_MD  **mdevp;      /* mtype -> digest */
     uint8_t        *mdord;      /* mtype -> preference */
     uint8_t         mdmax;      /* highest supported mtype */
+    unsigned long   flags;      /* feature bitmask */
 };
 
 /*
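Review bot: The comment on the new `flags` member at the end of this struct, "feature bitmask", does not say which bits are defined or what the zero value means. The commit message makes DANE-EE(3) name checks the default and disabling them the opt-in, so the comment should state that 0 keeps name checks on and point to where the flag bits are defined. That way a zero-initialised struct is visibly the safe configuration.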
@@ -71,6 +72,7 @@
     uint32_t        umask;      /* Usages present */
     int             mdpth;      /* Depth of matched cert */
     int             pdpth;      /* Depth of PKIX trust */
+    unsigned long   flags;      /* feature bitmask */
 };
 
 #define DANETLS_ENABLED(dane)  \
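Review bot: The second `flags` member, added after `pdpth`, has the same name and the same "feature bitmask" comment as the one added to the previous struct, so the header does not show how the two relate. Please document whether this value is seeded from the other struct's flags and whether it can then be changed independently, since that determines where a caller can switch off name checks. As a style point, the neighbouring `umask` is a `uint32_t`; a fixed-width type here would keep the mask the same size across platforms.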