]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Always require DNSSEC.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Sat, 6 Oct 2012 15:30:15 +0000 (17:30 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Sat, 6 Oct 2012 15:30:15 +0000 (17:30 +0200)
libdane/dane.c
libdane/includes/gnutls/dane.h

index f3d28341e3eed0240aa087911da585c3969a9a98..6f9a2db4cdba0933dd1e88ff2ab6674ea22cc200 100644 (file)
@@ -240,13 +240,11 @@ int dane_query_resolve_tlsa(dane_query_t q, const char* host, const char* proto,
        
        q->data_entries = i;
 
-       if (q->flags & DANE_F_REQUIRE_DNSSEC) {
-               if (!q->result->secure) {
-                       if (q->result->bogus)
-                               ret = DANE_E_INVALID_DNSSEC_SIG;
-                       else
-                               ret = DANE_E_NO_DNSSEC_SIG;
-               }
+       if (!q->result->secure) {
+               if (q->result->bogus)
+                       ret = DANE_E_INVALID_DNSSEC_SIG;
+               else
+                       ret = DANE_E_NO_DNSSEC_SIG;
        }
 
        /* show security status */
@@ -446,9 +444,6 @@ cleanup:
  * is set. If a DNSSEC signature is not available for the DANE 
  * record then the verify flag %DANE_VERIFY_NO_DNSSEC_DATA is set.
  * 
- * Note that when verifying untrusted certificates, it is recommended to 
- * use the %DANE_F_REQUIRE_DNSSEC flag.
- * 
  * Due to the many possible options of DANE, there is no single threat
  * model countered. When notifying the user about DANE verification results
  * it may be better to mention: DANE verification did not reject the certificate,
index fbe9b8988303f40cc51ddc91819296f9c8ca3069..9a3a5e8c43a157c0f8d6d46f3ba0e9bd9e1d91ea 100644 (file)
@@ -130,8 +130,7 @@ typedef enum dane_verify_status_t
  */
 typedef enum dane_verify_flags_t 
 {
-  DANE_F_REQUIRE_DNSSEC = 1,
-  DANE_F_IGNORE_LOCAL_RESOLVER = 1<<2,
+  DANE_F_IGNORE_LOCAL_RESOLVER = 1,
 } dane_verify_flags_t;
 
 int dane_verify_crt (