I have more questions.
Wietse Venema:
> Viktor Dukhovni:
> > state->client_start_props->fd = state->ciphertext_fd;
> > /* These predicates and warning belong inside tls_client_start(). */
> > if (!tls_dane_avail() /* mandatory side effects!! */
> > - &&TLS_DANE_BASED(state->client_start_props->tls_level))
> > + && TLS_DANE_HASTA(state->client_start_props->dane))
> > msg_warn("%s: DANE requested, but not available",
> > state->client_start_props->namaddr);
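Review bot: the warning text no longer matches its condition. With `TLS_DANE_HASTA(state->client_start_props->dane)` replacing `TLS_DANE_BASED(state->client_start_props->tls_level)`, "DANE requested, but not available" is also logged when TA data is present at a non-DANE security level, and is no longer logged for a DANE security level whose TLSA data carries no TA entries. Either keep the security-level test next to the TA test, each with its own message, or reword the warning to say what was actually requested. The warning's outcome is also only logged here; it should feed a decision so that the caller can skip tls_client_start() when the required infrastructure is missing, rather than proceeding after the warning.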
Should there be a warning when tls_dane_avail() fails AND the
TLS_DANE_BASED is true?
Would the following be more correct:
int missing_infrastructure = 0;

if (!tls_dane_avail()) {                /* mandatory side effects!! */
    /* True DANE request. */
    if (TLS_DANE_BASED(state->client_start_props->tls_level)) {
        msg_warn("%s: DANE requested, but not available",
                 state->client_start_props->namaddr);
        missing_infrastructure = 1;
    }
    /* Not DANE, but TA support implicitly depends on the DANE stack. */
    else if (TLS_DANE_HASTA(state->client_start_props->dane)) {
        msg_warn("%s: TA support requested, but DANE is not available",
                 state->client_start_props->namaddr);
        missing_infrastructure = 1;
    }
}
if (missing_infrastructure == 0)
    state->tls_context = tls_client_start(state->client_start_props);
Sorry that the above looks like "my first program" but it is the
best I can do given the libtls API semantics.
But wait, there is more...
> > state->appl_state = tlsp_client_init(state->tls_params,
> > state->client_init_props,
> > - TLS_DANE_BASED(state->client_start_props->tls_level));
> > + TLS_DANE_HASTA(state->client_start_props->dane));
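Review bot: the third argument switches from a security-level predicate to a TA-data predicate, and the two are not equivalent. If tlsp_client_init() uses this flag to select DANE-specific initialisation (for example the verification callback), a DANE security level whose TLSA data has no TA entries would now be initialised as non-DANE, while a non-DANE level with TA data would be initialised as DANE. Confirm that the callee needs the flag only for TA handling, or pass both `TLS_DANE_BASED(state->client_start_props->tls_level)` and `TLS_DANE_HASTA(state->client_start_props->dane)` so the security level and the TA data are handled separately.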
Will this also use the right verify callback function pointer when
real DANE is requested? Or does real DANE not use those same
callbacks?
Wietse