168 static void dane_final(SSL_DANE *dane)
170 sk_danetls_record_pop_free(dane->trecs, tlsa_free);
171 dane->trecs = NULL;
173 OSSL_STACK_OF_X509_free(dane->certs);
174 dane->certs = NULL;
176 X509_free(dane->mcert);
177 dane->mcert = NULL;
178 dane->mtlsa = NULL;
179 dane->mdpth = -1;
180 dane->pdpth = -1;
184 * dane_copy - Copy dane configuration, sans verification state.
191 if (!DANETLS_ENABLED(&from->dane))
194 num = sk_danetls_record_num(from->dane.trecs);
195 dane_final(&to->dane);
196 to->dane.flags = from->dane.flags;
197 to->dane.dctx = &SSL_CONNECTION_GET_CTX(to)->dane;
198 to->dane.trecs = sk_danetls_record_new_reserve(NULL, num);
200 if (to->dane.trecs == NULL) {
206 danetls_record *t = sk_danetls_record_value(from->dane.trecs, i);
257 static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype)
259 if (mtype > dane->dctx->mdmax)
261 return dane->dctx->mdevp[mtype];
264 static int dane_tlsa_add(SSL_DANE *dane,
276 if (dane->trecs == NULL) {
297 md = tlsa_md_get(dane, mtype);
356 * usages PKIX-EE(1) or DANE-EE(3), because at least the EE
369 * For usage DANE-TA(2), we support authentication via "2 0 0" TLSA
375 if ((dane->certs == NULL && (dane->certs = sk_X509_new_null()) == NULL) || !sk_X509_push(dane->certs, cert)) {
392 * For usage DANE-TA(2), we support authentication via "2 1 0" TLSA
407 * See crypto/x509/x509_vfy.c. We sort DANE-EE(3) records first, so that
409 * expiration or hostname checks. Because DANE-EE(3) is numerically
418 num = sk_danetls_record_num(dane->trecs);
420 danetls_record *rec = sk_danetls_record_value(dane->trecs, i);
430 if (dane->dctx->mdord[rec->mtype] > dane->dctx->mdord[mtype])
435 if (!sk_danetls_record_insert(dane->trecs, t, i)) {
440 dane->umask |= DANETLS_USAGE_BIT(usage);
623 /* Reset DANE verification result state */
624 sc->dane.mdpth = -1;
625 sc->dane.pdpth = -1;
626 X509_free(sc->dane.mcert);
627 sc->dane.mcert = NULL;
628 sc->dane.mtlsa = NULL;
755 s->dane.flags = ctx->dane.flags;
1210 return dane_ctx_enable(&ctx->dane);
1215 unsigned long orig = ctx->dane.flags;
1217 ctx->dane.flags |= flags;
1223 unsigned long orig = ctx->dane.flags;
1225 ctx->dane.flags &= ~flags;
1231 SSL_DANE *dane;
1237 dane = &sc->dane;
1238 if (s->ctx->dane.mdmax == 0) {
1242 if (dane->trecs != NULL) {
1265 dane->mdpth = -1;
1266 dane->pdpth = -1;
1267 dane->dctx = &s->ctx->dane;
1268 dane->trecs = sk_danetls_record_new_null();
1270 if (dane->trecs == NULL) {
1285 orig = sc->dane.flags;
1287 sc->dane.flags |= flags;
1299 orig = sc->dane.flags;
1301 sc->dane.flags &= ~flags;
1307 SSL_DANE *dane;
1313 dane = &sc->dane;
1315 if (!DANETLS_ENABLED(dane) || sc->verify_result != X509_V_OK)
1317 if (dane->mtlsa) {
1319 *mcert = dane->mcert;
1321 *mspki = (dane->mcert == NULL) ? dane->mtlsa->spki : NULL;
1323 return dane->mdpth;
1329 SSL_DANE *dane;
1335 dane = &sc->dane;
1337 if (!DANETLS_ENABLED(dane) || sc->verify_result != X509_V_OK)
1339 if (dane->mtlsa) {
1341 *usage = dane->mtlsa->usage;
1343 *selector = dane->mtlsa->selector;
1345 *mtype = dane->mtlsa->mtype;
1347 *data = dane->mtlsa->data;
1349 *dlen = dane->mtlsa->dlen;
1351 return dane->mdpth;
1361 return &sc->dane;
1372 return dane_tlsa_add(&sc->dane, usage, selector, mtype, data, dlen);
1378 return dane_mtype_set(&ctx->dane, md, mtype, ord);
1461 dane_final(&s->dane);
4369 dane_ctx_final(&a->dane);
6573 SSL_DANE *dane = &s->dane;
6592 * CT not applicable for chains validated via DANE-TA(2) or DANE-EE(3)
6595 if (DANETLS_ENABLED(dane) && dane->mtlsa != NULL) {
6596 switch (dane->mtlsa->usage) {
8146 SSL_DANE *dane = SSL_get0_dane(s);
8149 if (dane == NULL || dane->dctx == NULL)