[openssl-commits] [openssl] master update
Viktor Dukhovni
viktor at openssl.org
Tue Jul 12 14:17:57 UTC 2016
The branch master has been updated
via 5ae4ceb92c2ae6c677b1de2c477dce71a4d94716 (commit)
from d83b7e1a580b2f68a041d178e91e9495ec95e383 (commit)
- Log -----------------------------------------------------------------
commit 5ae4ceb92c2ae6c677b1de2c477dce71a4d94716
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date: Sun Jul 10 20:36:02 2016 -0400
Perform DANE-EE(3) name checks by default
In light of potential UKS (unknown key share) attacks on some
applications, primarily browsers, despite RFC761, name checks are
by default applied with DANE-EE(3) TLSA records. Applications for
which UKS is not a problem can optionally disable DANE-EE(3) name
checks via the new SSL_CTX_dane_set_flags() and friends.
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/x509_vfy.c | 4 ++
doc/ssl/SSL_CTX_dane_enable.pod | 47 ++++++++++++-
include/internal/dane.h | 2 +
include/openssl/ssl.h | 7 ++
include/openssl/x509_vfy.h | 1 +
ssl/ssl_lib.c | 37 ++++++++++
test/danetest.c | 6 +-
test/danetest.in | 147 ++++++++++++++++++++++++++--------------
8 files changed, 200 insertions(+), 51 deletions(-)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 469a0a8..ee1c9af 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2765,6 +2765,10 @@ static int dane_verify(X509_STORE_CTX *ctx)
/* Callback invoked as needed */
if (!check_leaf_suiteb(ctx, cert))
return 0;
+ /* Callback invoked as needed */
+ if ((dane->flags & DANE_FLAG_NO_DANE_EE_NAMECHECKS) == 0 &&
+ !check_id(ctx))
+ return 0;
/* Bypass internal_verify(), issue depth 0 success callback */
ctx->error_depth = 0;
ctx->current_cert = cert;
diff --git a/doc/ssl/SSL_CTX_dane_enable.pod b/doc/ssl/SSL_CTX_dane_enable.pod
index 7923bf4..fb535ec 100644
--- a/doc/ssl/SSL_CTX_dane_enable.pod
+++ b/doc/ssl/SSL_CTX_dane_enable.pod
@@ -3,7 +3,9 @@
=head1 NAME
SSL_CTX_dane_enable, SSL_CTX_dane_mtype_set, SSL_dane_enable,
-SSL_dane_tlsa_add, SSL_get0_dane_authority, SSL_get0_dane_tlsa -
+SSL_dane_tlsa_add, SSL_get0_dane_authority, SSL_get0_dane_tlsa
+SSL_CTX_dane_set_flags, SSL_CTX_dane_clear_flags,
+SSL_dane_set_flags, SSL_dane_clear_flags -
enable DANE TLS authentication of the remote TLS server in the local
TLS client
@@ -21,6 +23,10 @@ TLS client
int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector,
uint8_t *mtype, unsigned const char **data,
size_t *dlen);
+ unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags);
+ unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags);
+ unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags);
+ unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags);
=head1 DESCRIPTION
@@ -124,6 +130,33 @@ The B<data> parameter is set to a short-term internal-copy of the associated
data field and must not be freed by the application.
Applications that need long-term access to this field need to copy the content.
+SSL_CTX_dane_set_flags() and SSL_dane_set_flags() can be used to enable
+optional DANE verification features.
+SSL_CTX_dane_clear_flags() and SSL_dane_clear_flags() can be used to disable
+the same features.
+The B<flags> argument is a bitmask of the features to enable or disable.
+The B<flags> set for an B<SSL_CTX> context are copied to each B<SSL> handle
+associated with that context at the time the handle is created.
+Subsequent changes in the context's B<flags> have no effect on the B<flags> set
+for the handle.
+
+At present, the only available option is B<DANE_FLAG_NO_DANE_EE_NAMECHECKS>
+which can be used to disable server name checks when authenticating via
+DANE-EE(3) TLSA records.
+For some applications, primarily web browsers, it is not safe to disable name
+checks due to "unknown key share" attacks, in which a malicious server can
+convince a client that a connection to a victim server is instead a secure
+connection to the malicious server.
+The malicious server may then be able to violate cross-origin scripting
+restrictions.
+Thus, despite the text of RFC7671, name checks are by default enabled for
+DANE-EE(3) TLSA records, and can be disabled in applications where it is safe
+to do so.
+In particular, SMTP and XMPP clients should set this option as SRV and MX
+records already make it possible for a remote domain to redirect client
+connections to any server of its choice, and in any case SMTP and XMPP clients
+do not execute scripts downloaded from remote servers.
+
=head1 RETURN VALUES
The functions SSL_CTX_dane_enable(), SSL_CTX_dane_mtype_set(),
@@ -142,6 +175,10 @@ non-negative value indicates the chain depth at which the TLSA record matched a
chain certificate, or the depth of the top-most certificate, when the TLSA
record is a full public key that is its signer.
+The functions SSL_CTX_dane_set_flags(), SSL_CTX_dane_clear_flags(),
+SSL_dane_set_flags() and SSL_dane_clear_flags() return the B<flags> in effect
+before they were called.
+
=head1 EXAMPLE
Suppose "smtp.example.com" is the MX host of the domain "example.com", and has
@@ -171,6 +208,14 @@ the lifetime of the SSL connection.
if (SSL_dane_enable(ssl, dane_tlsa_domain) <= 0)
/* handle error */
+
+ /*
+ * For many applications it is safe to skip DANE-EE(3) namechecks. Do not
+ * disable the checks unless "unknown key share" attacks pose no risk for
+ * your application.
+ */
+ SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
+
if (!SSL_add1_host(ssl, nexthop_domain))
/* handle error */
SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
diff --git a/include/internal/dane.h b/include/internal/dane.h
index 65bf244..a1cb548 100644
--- a/include/internal/dane.h
+++ b/include/internal/dane.h
@@ -57,6 +57,7 @@ struct dane_ctx_st {
const EVP_MD **mdevp; /* mtype -> digest */
uint8_t *mdord; /* mtype -> preference */
uint8_t mdmax; /* highest supported mtype */
+ unsigned long flags; /* feature bitmask */
};
/*
@@ -71,6 +72,7 @@ struct ssl_dane_st {
uint32_t umask; /* Usages present */
int mdpth; /* Depth of matched cert */
int pdpth; /* Depth of PKIX trust */
+ unsigned long flags; /* feature bitmask */
};
#define DANETLS_ENABLED(dane) \
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 3d44a4f..ce7110d 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1499,6 +1499,13 @@ __owur int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector,
* offline testing in test/danetest.c
*/
SSL_DANE *SSL_get0_dane(SSL *ssl);
+/*
+ * DANE flags
+ */
+unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags);
+unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags);
+unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags);
+unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags);
__owur int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm);
__owur int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm);
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index 4e44e1d..183889a 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -376,6 +376,7 @@ int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
* offline testing in test/danetest.c
*/
void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, SSL_DANE *dane);
+#define DANE_FLAG_NO_DANE_EE_NAMECHECKS (1L << 0)
/* X509_VERIFY_PARAM functions */
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 08e3673..4fafd18 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -108,6 +108,9 @@ static int dane_ctx_enable(struct dane_ctx_st *dctx)
int n = ((int) mdmax) + 1; /* int to handle PrivMatch(255) */
size_t i;
+ if (dctx->mdevp != NULL)
+ return 1;
+
mdevp = OPENSSL_zalloc(n * sizeof(*mdevp));
mdord = OPENSSL_zalloc(n * sizeof(*mdord));
@@ -182,6 +185,7 @@ static int ssl_dane_dup(SSL *to, SSL *from)
return 1;
dane_final(&to->dane);
+ to->dane.flags = from->dane.flags;
to->dane.dctx = &to->ctx->dane;
to->dane.trecs = sk_danetls_record_new_null();
@@ -542,6 +546,7 @@ SSL *SSL_new(SSL_CTX *ctx)
RECORD_LAYER_init(&s->rlayer, s);
s->options = ctx->options;
+ s->dane.flags = ctx->dane.flags;
s->min_proto_version = ctx->min_proto_version;
s->max_proto_version = ctx->max_proto_version;
s->mode = ctx->mode;
@@ -802,6 +807,22 @@ int SSL_CTX_dane_enable(SSL_CTX *ctx)
return dane_ctx_enable(&ctx->dane);
}
+unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags)
+{
+ unsigned long orig = ctx->dane.flags;
+
+ ctx->dane.flags |= flags;
+ return orig;
+}
+
+unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags)
+{
+ unsigned long orig = ctx->dane.flags;
+
+ ctx->dane.flags &= ~flags;
+ return orig;
+}
+
int SSL_dane_enable(SSL *s, const char *basedomain)
{
SSL_DANE *dane = &s->dane;
@@ -845,6 +866,22 @@ int SSL_dane_enable(SSL *s, const char *basedomain)
return 1;
}
+unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags)
+{
+ unsigned long orig = ssl->dane.flags;
+
+ ssl->dane.flags |= flags;
+ return orig;
+}
+
+unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags)
+{
+ unsigned long orig = ssl->dane.flags;
+
+ ssl->dane.flags &= ~flags;
+ return orig;
+}
+
int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki)
{
SSL_DANE *dane = &s->dane;
diff --git a/test/danetest.c b/test/danetest.c
index d473b12..aea3a7a 100644
--- a/test/danetest.c
+++ b/test/danetest.c
@@ -329,6 +329,7 @@ static int test_tlsafile(SSL_CTX *ctx, const char *basename,
STACK_OF(X509) *chain;
int ntlsa;
int ncert;
+ int noncheck;
int want;
int want_depth;
int off;
@@ -341,7 +342,8 @@ static int test_tlsafile(SSL_CTX *ctx, const char *basename,
continue;
++testno;
- if (sscanf(line, "%d %d %d %d%n", &ntlsa, &ncert, &want, &want_depth, &off) != 4
+ if (sscanf(line, "%d %d %d %d %d%n",
+ &ntlsa, &ncert, &noncheck, &want, &want_depth, &off) != 5
|| !allws(line + off)) {
fprintf(stderr, "Expected tlsa count, cert count and result"
" at test %d of %s\n", testno, path);
@@ -355,6 +357,8 @@ static int test_tlsafile(SSL_CTX *ctx, const char *basename,
SSL_free(ssl);
return -1;
}
+ if (noncheck)
+ SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
for (i = 0; i < ntlsa; ++i) {
if ((line = read_to_eol(f)) == NULL || !tlsa_import_rr(ssl, line)) {
diff --git a/test/danetest.in b/test/danetest.in
index 485c986..0cedf10 100644
--- a/test/danetest.in
+++ b/test/danetest.in
@@ -9,7 +9,7 @@
#
# The first line in each block takes the form:
#
-# <TLSA-count> <cert-count> <desired-verify-result> <desired-match-depth>
+# <TLSA-count> <cert-count> <nonamechecks> <desired-verify-result> <desired-match-depth>
#
# It is followed by <TLSA-count> lines of the form:
#
@@ -49,7 +49,7 @@
## -- Anonymous and "never valid" leaf certificate DANE-EE(3) tests
# 1
-1 1 0 0
+1 1 1 0 0
3 0 1 588FD5F414E3327EAFE3169DC040AE161247D1296BF38304AB9CF464850A1365
subject=
issuer=
@@ -64,7 +64,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
# 2
-1 1 0 0
+1 1 1 0 0
3 1 1 05C66146D7909EAE2379825F6D0F5284146B79598DA12E403DC29C33147CF33E
subject=
issuer=
@@ -79,7 +79,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
# 3
-1 1 0 0
+1 1 1 0 0
3 0 2 42BEE929852C8063A0D619B53D0DD35703BBAD2FC25F2055F737C7A14DDFEA544491F8C00F50FA083BD0AD1B5C98529994FF811BBA5E5170CC6EE9F3ED5563E1
subject=
issuer=
@@ -94,7 +94,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
# 4
-1 1 0 0
+1 1 1 0 0
3 1 2 D91A3E5DC34879CD77AD1E989F56FA78FACADF05EF8D445EDF5652BD58EE392C87C02F84C0119D62309041F2D5128A73399DF25D1F47BCD497357EAF1A1009A3
subject=
issuer=
@@ -109,7 +109,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
# 5
-1 1 65 -1
+1 1 1 65 -1
3 0 1 588FD5F414E3327EAFE3169DC040AE161247D1296BF38304AB9CF464850A1366
subject=
issuer=
@@ -124,7 +124,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
# 6
-1 1 65 -1
+1 1 1 65 -1
3 1 1 05C66146D7909EAE2379825F6D0F5284146B79598DA12E403DC29C33147CF33F
subject=
issuer=
@@ -139,7 +139,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
# 7
-1 1 65 -1
+1 1 1 65 -1
3 0 2 42BEE929852C8063A0D619B53D0DD35703BBAD2FC25F2055F737C7A14DDFEA544491F8C00F50FA083BD0AD1B5C98529994FF811BBA5E5170CC6EE9F3ED5563E2
subject=
issuer=
@@ -154,7 +154,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
# 8
-1 1 65 -1
+1 1 1 65 -1
3 1 2 D91A3E5DC34879CD77AD1E989F56FA78FACADF05EF8D445EDF5652BD58EE392C87C02F84C0119D62309041F2D5128A73399DF25D1F47BCD497357EAF1A1009A4
subject=
issuer=
@@ -171,7 +171,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
## -- DANE-?? chain tests --
# 9
-1 3 0 0
+1 3 0 0 0
3 0 1 BEDC04764CECAE80AEE454D332758F50847DCA424216466E4012E0DEAE1F2E5F
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -218,7 +218,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 10
-1 3 0 0
+1 3 0 0 0
3 1 1 3111668338043DE264D0256A702248696C9484B6221A42740F920187B4C61838
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -265,7 +265,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 11
-1 3 0 0
+1 3 0 0 0
3 0 2 F756CCD61F3CA50D017653911701CA0052AF0B29E273DD263DD23643D86D4369D03686BD1369EF54BB2DC2DAE3CE4F05AF39D54648F94D54AA86B259AEAD9923
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -312,7 +312,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 12
-1 3 0 0
+1 3 0 0 0
3 1 2 CB861AF6DDED185EE04472A9092052CCC735120C34785E72C996C94B122EBA6F329BE630B1B4C6E2756E7A75392C21E253C6AEACC31FD45FF4595DED375FAF62
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -359,7 +359,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 13
-1 3 0 1
+1 3 0 0 1
2 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBD
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -406,7 +406,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 14
-1 3 0 1
+1 3 0 0 1
2 1 1 65A457617072DA3E7F1152471EB3D406526530097D0A9AA34EB47C990A1FCDA3
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -453,7 +453,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 15
-1 3 0 1
+1 3 0 0 1
2 0 2 6BC0C0F2500320A49392910965263A3EBDD594173D3E36CCE38A003D2EC3FAFBC315EDB776CD3139637DF494FB60359601542A4F821BF0542F926E6270C9762C
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -500,7 +500,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 16
-1 3 0 1
+1 3 0 0 1
2 1 2 1F484106F765B6F1AC483CC509CDAD36486A83D1BA115F562516F407C1109303658408B455824DA0785A252B205DBEECB1AFB5DB869E8AAC242091B63F258F05
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -547,7 +547,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 17
-1 3 0 2
+1 3 0 0 2
2 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -594,7 +594,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 18
-1 3 0 2
+1 3 0 0 2
2 1 1 91D942E4A2D4226DDAF28CADAA7F13018E4ED0D9A43A529247E51C965188576C
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -641,7 +641,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 19
-1 3 0 2
+1 3 0 0 2
2 0 2 361029F20A3B59DAFAAF05D41811EFC1A9439B972BC6B9D7F13BC5469570E49ACAE0CB0C877C75D58346590EA950AC7A39AED6E8AA8004EA7F5DE3AB9462047E
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -688,7 +688,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 20
-1 3 0 2
+1 3 0 0 2
2 1 2 5F414D4D7BFDF22E39952D9F46C51370FDD050F10C55B4CDB42E40FA98611FDE23EEE9B23315EE1ECDB198C7419E9A2D6742860E4806AF45164507799C3B452E
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -737,7 +737,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
## -- PKIX-?? chain tests --
# 21
-1 2 0 0
+1 2 0 0 0
1 0 1 BEDC04764CECAE80AEE454D332758F50847DCA424216466E4012E0DEAE1F2E5F
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -770,7 +770,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
# 22
-1 2 0 0
+1 2 0 0 0
1 1 1 3111668338043DE264D0256A702248696C9484B6221A42740F920187B4C61838
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -803,7 +803,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
# 23
-1 3 0 0
+1 3 0 0 0
1 0 2 F756CCD61F3CA50D017653911701CA0052AF0B29E273DD263DD23643D86D4369D03686BD1369EF54BB2DC2DAE3CE4F05AF39D54648F94D54AA86B259AEAD9923
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -850,7 +850,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 24
-1 3 0 0
+1 3 0 0 0
1 1 2 CB861AF6DDED185EE04472A9092052CCC735120C34785E72C996C94B122EBA6F329BE630B1B4C6E2756E7A75392C21E253C6AEACC31FD45FF4595DED375FAF62
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -897,7 +897,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 25
-1 2 0 1
+1 2 0 0 1
0 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBD
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -930,7 +930,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
# 26
-1 2 0 1
+1 2 0 0 1
0 1 1 65A457617072DA3E7F1152471EB3D406526530097D0A9AA34EB47C990A1FCDA3
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -963,7 +963,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
# 27
-1 3 0 1
+1 3 0 0 1
0 0 2 6BC0C0F2500320A49392910965263A3EBDD594173D3E36CCE38A003D2EC3FAFBC315EDB776CD3139637DF494FB60359601542A4F821BF0542F926E6270C9762C
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -1010,7 +1010,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 28
-1 3 0 1
+1 3 0 0 1
0 1 2 1F484106F765B6F1AC483CC509CDAD36486A83D1BA115F562516F407C1109303658408B455824DA0785A252B205DBEECB1AFB5DB869E8AAC242091B63F258F05
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -1057,7 +1057,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 29
-1 2 0 2
+1 2 0 0 2
0 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -1090,7 +1090,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
# 30
-1 2 0 2
+1 2 0 0 2
0 1 1 91D942E4A2D4226DDAF28CADAA7F13018E4ED0D9A43A529247E51C965188576C
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -1123,7 +1123,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
# 31
-1 3 0 2
+1 3 0 0 2
0 0 2 361029F20A3B59DAFAAF05D41811EFC1A9439B972BC6B9D7F13BC5469570E49ACAE0CB0C877C75D58346590EA950AC7A39AED6E8AA8004EA7F5DE3AB9462047E
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -1170,7 +1170,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 32
-1 3 0 2
+1 3 0 0 2
0 1 2 5F414D4D7BFDF22E39952D9F46C51370FDD050F10C55B4CDB42E40FA98611FDE23EEE9B23315EE1ECDB198C7419E9A2D6742860E4806AF45164507799C3B452E
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -1220,7 +1220,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
# 33
# Missing intermediate CA
-1 1 20 0
+1 1 0 20 0
1 0 1 BEDC04764CECAE80AEE454D332758F50847DCA424216466E4012E0DEAE1F2E5F
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -1240,7 +1240,7 @@ GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
# 34
# Missing PKIX intermediate, provided via DNS
-2 1 0 0
+2 1 0 0 0
1 1 1 3111668338043DE264D0256A702248696C9484B6221A42740F920187B4C61838
0 0 0 308201683082010DA003020102020102300A06082A8648CE3D04030230123110300E06035504030C07526F6F742043413020170D3135313231333233323030395A180F33303135303431353233323030395A30143112301006035504030C094973737565722043413059301306072A8648CE3D020106082A8648CE3D030107034200047D4BAE18B49F5DC69D0A3C85C66A3E2119DE92CFAD081FAD55C12D510EC97B6C00E13695A8D9713548FE60DF15573390433E2A1BD92DB4B7AA016EC6185DC5AFA350304E301D0603551D0E041604147AB75A3CD295CA5DF7C5150916E18FF5CC376A15301F0603551D23041830168014E4BD405F052A820DDF9883F93D7D3F90AAEC723F300C0603551D13040530030101FF300A06082A8648CE3D0403020349003046022100831DCD882DA8785D50E41020898C0248879DDDF72D701D1DC1DE6BE08155B43E022100B84B2FB519C4CD3CBC791603D4488F7707597DB7980D9C173E7FDD0ECD7CA308
subject= /CN=example.com
@@ -1261,7 +1261,7 @@ GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
# 35
# Wrong leaf digest
-1 3 65 -1
+1 3 0 65 -1
1 0 2 F756CCD61F3CA50D017653911701CA0052AF0B29E273DD263DD23643D86D4369D03686BD1369EF54BB2DC2DAE3CE4F05AF39D54648F94D54AA86B259AEAD9924
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -1309,7 +1309,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
# 36
# Wrong intermediate digest
-1 2 65 -1
+1 2 0 65 -1
0 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBE
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -1343,7 +1343,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
# 37
# Wrong root digest
-1 2 65 -1
+1 2 0 65 -1
0 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3D
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -1379,7 +1379,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
# 38
# DANE-EE(3) beats DANE-TA(2)
-1 3 0 0
+1 3 0 0 0
3 1 2 CB861AF6DDED185EE04472A9092052CCC735120C34785E72C996C94B122EBA6F329BE630B1B4C6E2756E7A75392C21E253C6AEACC31FD45FF4595DED375FAF62
2 1 2 5F414D4D7BFDF22E39952D9F46C51370FDD050F10C55B4CDB42E40FA98611FDE23EEE9B23315EE1ECDB198C7419E9A2D6742860E4806AF45164507799C3B452E
subject= /CN=example.com
@@ -1428,7 +1428,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
# 39
# DANE-TA(2) depth 1 beats DANE-TA(2) depth 2
-1 3 0 1
+1 3 0 0 1
2 1 2 1F484106F765B6F1AC483CC509CDAD36486A83D1BA115F562516F407C1109303658408B455824DA0785A252B205DBEECB1AFB5DB869E8AAC242091B63F258F05
2 1 2 5F414D4D7BFDF22E39952D9F46C51370FDD050F10C55B4CDB42E40FA98611FDE23EEE9B23315EE1ECDB198C7419E9A2D6742860E4806AF45164507799C3B452E
subject= /CN=example.com
@@ -1477,7 +1477,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
# 40
# DANE-TA(2) depth 2 beats PKIX-TA(0) depth 1
-1 3 0 2
+1 3 0 0 2
2 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
0 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBD
subject= /CN=example.com
@@ -1526,7 +1526,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
# 41
# DANE-TA(2) depth 2 beats PKIX-EE depth 0
-1 3 0 2
+1 3 0 0 2
2 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
0 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBD
subject= /CN=example.com
@@ -1575,7 +1575,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
# 42
# DANE-TA(2) Full(0) root "from DNS":
-1 2 0 2
+1 2 0 0 2
2 0 0 308201643082010BA003020102020101300A06082A8648CE3D04030230123110300E06035504030C07526F6F742043413020170D3135313231333233313330385A180F33303135303431353233313330385A30123110300E06035504030C07526F6F742043413059301306072A8648CE3D020106082A8648CE3D03010703420004D1DA578FD18FB86456B0D91B5656BDD68D4DDBD250E337571127C75E0560F41D0AF91BFAF8805F80C28C026A14D4FE8C30A9673B9EC0C05A84AA810D1341B76CA350304E301D0603551D0E04160414E4BD405F052A820DDF9883F93D7D3F90AAEC723F301F0603551D23041830168014E4BD405F052A820DDF9883F93D7D3F90AAEC723F300C0603551D13040530030101FF300A06082A8648CE3D040302034700304402206869E6AA9F9B4D4BF308091A5A7AB2C30E3619B0D75E528819468E4BB926F4C9022017F1B8458611966FBC109CAED3582966BF25FC0598EABA6C793C58DCC3537CC5
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -1609,7 +1609,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
# 43
# DANE-TA(2) Full(0) intermediate "from DNS":
-1 1 0 1
+1 1 0 0 1
2 0 0 308201683082010DA003020102020102300A06082A8648CE3D04030230123110300E06035504030C07526F6F742043413020170D3135313231333233323030395A180F33303135303431353233323030395A30143112301006035504030C094973737565722043413059301306072A8648CE3D020106082A8648CE3D030107034200047D4BAE18B49F5DC69D0A3C85C66A3E2119DE92CFAD081FAD55C12D510EC97B6C00E13695A8D9713548FE60DF15573390433E2A1BD92DB4B7AA016EC6185DC5AFA350304E301D0603551D0E041604147AB75A3CD295CA5DF7C5150916E18FF5CC376A15301F0603551D23041830168014E4BD405F052A820DDF9883F93D7D3F90AAEC723F300C0603551D13040530030101FF300A06082A8648CE3D0403020349003046022100831DCD882DA8785D50E41020898C0248879DDDF72D701D1DC1DE6BE08155B43E022100B84B2FB519C4CD3CBC791603D4488F7707597DB7980D9C173E7FDD0ECD7CA308
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -1629,7 +1629,7 @@ GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
# 44
# DANE-TA(2) SPKI(1) Full(0) intermediate "from DNS":
-1 1 0 0
+1 1 0 0 0
2 1 0 3059301306072A8648CE3D020106082A8648CE3D030107034200047D4BAE18B49F5DC69D0A3C85C66A3E2119DE92CFAD081FAD55C12D510EC97B6C00E13695A8D9713548FE60DF15573390433E2A1BD92DB4B7AA016EC6185DC5AF
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -1649,7 +1649,7 @@ GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
# 45
# DANE-TA(2) SPKI(1) Full(0) root "from DNS":
-1 2 0 1
+1 2 0 0 1
2 1 0 3059301306072A8648CE3D020106082A8648CE3D03010703420004D1DA578FD18FB86456B0D91B5656BDD68D4DDBD250E337571127C75E0560F41D0AF91BFAF8805F80C28C026A14D4FE8C30A9673B9EC0C05A84AA810D1341B76C
subject= /CN=example.com
issuer= /CN=Issuer CA
@@ -1684,7 +1684,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
# 46
# Mismatched name "example.org", should still succeed given a
# DANE-EE(3) match.
-1 3 0 0
+1 3 1 0 0
3 1 1 ee1477190203f5d8b4767f4451b89e7367cdec7f6965a4988227983562ac8270
subject= CN = example.org
issuer= CN = CA2
@@ -1733,7 +1733,7 @@ fEevg+GOsr1P6nNMCAsQd9NwsvTQ+jm+TBArWQ==
# 47
# Mismatched name "example.org", should fail despite a DANE-TA(2)
# match for the intermediate CA.
-1 3 62 1
+1 3 0 62 1
2 1 1 946af0956378efaba7ee1bbedc17af110ea8de19c079a98e77398724a3708a1f
subject= CN = example.org
issuer= CN = CA2
@@ -1782,7 +1782,7 @@ fEevg+GOsr1P6nNMCAsQd9NwsvTQ+jm+TBArWQ==
# 48
# Mismatched name "example.org", should fail despite a DANE-TA(2)
# match for the root CA.
-1 3 62 2
+1 3 0 62 2
2 1 1 34474f2fbc39da44dfbd11215bdafadf9507406c04de1f65dbd2a1bc4f2165cc
subject= CN = example.org
issuer= CN = CA2
@@ -1827,3 +1827,52 @@ FoAUFFv7+que2ySx6ZtqShlPBNmTwBcwDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQD
AgNJADBGAiEAumhPWZ37swl10awM/amX+jv0UlUyJBf8RGA6QMG5bwICIQDbinER
fEevg+GOsr1P6nNMCAsQd9NwsvTQ+jm+TBArWQ==
-----END CERTIFICATE-----
+
+# 49
+# Mismatched name "example.org", should fail when name checks
+# are not disabled for DANE-EE(3).
+1 3 0 62 0
+3 1 1 ee1477190203f5d8b4767f4451b89e7367cdec7f6965a4988227983562ac8270
+subject= CN = example.org
+issuer= CN = CA2
+notBefore=Feb 6 22:39:47 2016 GMT
+notAfter=Feb 7 22:39:47 2116 GMT
+-----BEGIN CERTIFICATE-----
+MIIBkDCCATWgAwIBAgIBAjAKBggqhkjOPQQDAjAOMQwwCgYDVQQDDANDQTIwIBcN
+MTYwMjA2MjIzOTQ3WhgPMjExNjAyMDcyMjM5NDdaMBYxFDASBgNVBAMMC2V4YW1w
+bGUub3JnMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/YCEn0pxClPTvpjioxU4
+ajopRa4j/6XTqxy9zqn1AcMCiVWp6j22B6RpLmKEHoRHQxFzebd2juTXIDq81CID
+z6N6MHgwHQYDVR0OBBYEFOrSA+2YKXa5KR6k0687CZuhai5OMB8GA1UdIwQYMBaA
+FLTY4vqgjcQ01aCcB8AYVbUhEU7VMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5vcmcwCgYIKoZIzj0EAwIDSQAwRgIh
+AKSsLwlidPiSrgda6XWihov4D4KHu6ZX3ZAAZ2uiBAefAiEArCq5WiO3Zeunl0Ct
+PyDiaL1QKbJ7lnqPQCS1o8xn+RI=
+-----END CERTIFICATE-----
+subject= CN = CA2
+issuer= CN = Root CA2
+notBefore=Feb 6 22:39:13 2016 GMT
+notAfter=Feb 7 22:39:13 2116 GMT
+-----BEGIN CERTIFICATE-----
+MIIBYjCCAQigAwIBAgIBAjAKBggqhkjOPQQDAjATMREwDwYDVQQDDAhSb290IENB
+MjAgFw0xNjAyMDYyMjM5MTNaGA8yMTE2MDIwNzIyMzkxM1owDjEMMAoGA1UEAwwD
+Q0EyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYr6zgBxpsxA31IFiGyb6uaGC
+CQdNMyJfDgqCihsU1eOEuauzXO7tydCbjfRmhqQK1EGd254IjcGY+37tZEbvPKNQ
+ME4wHQYDVR0OBBYEFLTY4vqgjcQ01aCcB8AYVbUhEU7VMB8GA1UdIwQYMBaAFBRb
++/qrntsksembakoZTwTZk8AXMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSAAw
+RQIgX2fmMykyiuryf1AeKyc1j8HgmM8u/nyQfJnTCwvYUcECIQC6JHd3ybV9eJQo
+7sfr/jV+rRlZY2iaRv160BWYd82L7g==
+-----END CERTIFICATE-----
+subject= CN = Root CA2
+issuer= CN = Root CA2
+notBefore=Feb 6 22:38:48 2016 GMT
+notAfter=Feb 7 22:38:48 2116 GMT
+-----BEGIN CERTIFICATE-----
+MIIBaDCCAQ2gAwIBAgIBATAKBggqhkjOPQQDAjATMREwDwYDVQQDDAhSb290IENB
+MjAgFw0xNjAyMDYyMjM4NDhaGA8yMTE2MDIwNzIyMzg0OFowEzERMA8GA1UEAwwI
+Um9vdCBDQTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATlTxAPKteg+L1LmxMl
+sbAFMxj6/322nR5RRGeF07KZRBFPaFZLgwZ1DuNrwM3wxxNdUyoZ6iAyDmwNf3K1
+42/Uo1AwTjAdBgNVHQ4EFgQUFFv7+que2ySx6ZtqShlPBNmTwBcwHwYDVR0jBBgw
+FoAUFFv7+que2ySx6ZtqShlPBNmTwBcwDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQD
+AgNJADBGAiEAumhPWZ37swl10awM/amX+jv0UlUyJBf8RGA6QMG5bwICIQDbinER
+fEevg+GOsr1P6nNMCAsQd9NwsvTQ+jm+TBArWQ==
+-----END CERTIFICATE-----
More information about the openssl-commits
mailing list