[openssl-commits] [openssl] master update

Viktor Dukhovni viktor at openssl.org
Mon Mar 21 01:04:03 UTC 2016 

The branch master has been updated
       via  89ff989d01314a6104e5063edfce316c8325f339 (commit)
      from  3c27208fab1dc29f47f088490404df5abfcdfb05 (commit)


- Log -----------------------------------------------------------------
commit 89ff989d01314a6104e5063edfce316c8325f339
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date:   Sun Mar 20 20:40:13 2016 -0400

    Add a comment on dane_verify() logic
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/x509_vfy.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index e2b1b96..afd8299 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2591,7 +2591,7 @@ static int check_dane_issuer(X509_STORE_CTX *ctx, int depth)
         return  X509_TRUST_UNTRUSTED;
 
     /*
-     * Record any DANE trust anchor matches, for the first depth to test, if
+     * Record any DANE trust-anchor matches, for the first depth to test, if
      * there's one at that depth. (This'll be false for length 1 chains looking
      * for an exact match for the leaf certificate).
      */
@@ -2676,6 +2676,18 @@ static int dane_verify(X509_STORE_CTX *ctx)
 
     dane_reset(dane);
 
+    /*-
+     * When testing the leaf certificate, if we match a DANE-EE(3) record,
+     * dane_match() returns 1 and we're done.  If however we match a PKIX-EE(1)
+     * record, the match depth and matching TLSA record are recorded, but the
+     * return value is 0, because we still need to find a PKIX trust-anchor.
+     * Therefore, when DANE authentication is enabled (required), we're done
+     * if:
+     *   + matched < 0, internal error.
+     *   + matched == 1, we matched a DANE-EE(3) record
+     *   + matched == 0, mdepth < 0 (no PKIX-EE match) and there are no
+     *     DANE-TA(2) or PKIX-TA(0) to test.
+     */
     matched = dane_match(ctx, ctx->cert, 0);
     done = matched != 0 || (!DANETLS_HAS_TA(dane) && dane->mdpth < 0);

More information about the openssl-commits mailing list