From: Nikos Mavrogiannopoulos Date: Sat, 6 Oct 2012 15:30:15 +0000 (+0200) Subject: Always require DNSSEC. X-Git-Tag: gnutls_3_1_3~42 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=371d03855985bd3b22cb4ca90cb7bcfee48709f4;p=thirdparty%2Fgnutls.git Always require DNSSEC. --- diff --git a/libdane/dane.c b/libdane/dane.c index f3d28341e3..6f9a2db4cd 100644 --- a/libdane/dane.c +++ b/libdane/dane.c @@ -240,13 +240,11 @@ int dane_query_resolve_tlsa(dane_query_t q, const char* host, const char* proto, q->data_entries = i; - if (q->flags & DANE_F_REQUIRE_DNSSEC) { - if (!q->result->secure) { - if (q->result->bogus) - ret = DANE_E_INVALID_DNSSEC_SIG; - else - ret = DANE_E_NO_DNSSEC_SIG; - } + if (!q->result->secure) { + if (q->result->bogus) + ret = DANE_E_INVALID_DNSSEC_SIG; + else + ret = DANE_E_NO_DNSSEC_SIG; } /* show security status */ @@ -446,9 +444,6 @@ cleanup: * is set. If a DNSSEC signature is not available for the DANE * record then the verify flag %DANE_VERIFY_NO_DNSSEC_DATA is set. * - * Note that when verifying untrusted certificates, it is recommended to - * use the %DANE_F_REQUIRE_DNSSEC flag. - * * Due to the many possible options of DANE, there is no single threat * model countered. When notifying the user about DANE verification results * it may be better to mention: DANE verification did not reject the certificate, diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h index fbe9b89883..9a3a5e8c43 100644 --- a/libdane/includes/gnutls/dane.h +++ b/libdane/includes/gnutls/dane.h @@ -130,8 +130,7 @@ typedef enum dane_verify_status_t */ typedef enum dane_verify_flags_t { - DANE_F_REQUIRE_DNSSEC = 1, - DANE_F_IGNORE_LOCAL_RESOLVER = 1<<2, + DANE_F_IGNORE_LOCAL_RESOLVER = 1, } dane_verify_flags_t; int dane_verify_crt (