Enabled DANE only when at least one TLSA RR was added It is up to the caller of SSL_dane_tlsa_add() to take appropriate action when no records are added successfully or adding some records triggers an internal error (negative return value). With this change the caller can continue with PKIX if desired when none of the TLSA records are usable, or take some appropriate action if DANE is required. Also fixed the internal ssl_dane_dup() function to properly initialize the TLSA RR stack in the target SSL handle. Errors in ssl_dane_dup() are no longer ignored. Reviewed-by: Rich Salz <rsalz@openssl.org>

commit: 9f6b22b814a306677f6d5a829cf7fd62005ecdc2 [log] [tgz]
author: Viktor Dukhovni <openssl-users@dukhovni.org> Thu Apr 21 20:00:58 2016 -0400
committer: Viktor Dukhovni <openssl-users@dukhovni.org> Fri Apr 22 10:41:57 2016 -0400
tree: e6420ac6d4a61e5b0eefb3e5a59b4260f42e3e0f
parent: ee85fc1dd67faebdeecb8fe8834facaee0566324 [diff] [blame]
diff --git a/include/internal/dane.h b/include/internal/dane.h
index 1672849..557534a 100644
--- a/include/internal/dane.h
+++ b/include/internal/dane.h

@@ -121,7 +121,8 @@
     int             pdpth;      /* Depth of PKIX trust */
 };
 
-#define DANETLS_ENABLED(dane)  ((dane) != NULL && ((dane)->trecs != NULL))
+#define DANETLS_ENABLED(dane)  \
+    ((dane) != NULL && sk_danetls_record_num((dane)->trecs) > 0)
 
 #define DANETLS_USAGE_BIT(u)   (((uint32_t)1) << u)
commit	9f6b22b814a306677f6d5a829cf7fd62005ecdc2	[log] [tgz]
author	Viktor Dukhovni <openssl-users@dukhovni.org>	Thu Apr 21 20:00:58 2016 -0400
committer	Viktor Dukhovni <openssl-users@dukhovni.org>	Fri Apr 22 10:41:57 2016 -0400
tree	e6420ac6d4a61e5b0eefb3e5a59b4260f42e3e0f
parent	ee85fc1dd67faebdeecb8fe8834facaee0566324 [diff] [blame]