[exim-cvs] Restrict dane to DANE-TA(2) and DANE-EE(3) usage …

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Restrict dane to DANE-TA(2) and DANE-EE(3) usage TLSA records
Gitweb: http://git.exim.org/exim.git/commitdiff/133d2546c36766081aef8b8fc7c642862b83ea2e
Commit:     133d2546c36766081aef8b8fc7c642862b83ea2e
Parent:     4f59c424dabfc69b7313d84685df68dd406d6ff9
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sat Sep 13 14:55:57 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sat Sep 13 15:38:07 2014 +0100


    Restrict dane to DANE-TA(2) and DANE-EE(3) usage TLSA records
    Also, just ignore TLSA records with unsupported match types.
---
 src/src/tls-openssl.c |   19 ++++++++++---------
 1 files changed, 10 insertions(+), 9 deletions(-)


diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index b77ed32..7e424f4 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1702,22 +1702,23 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
uint8_t usage, selector, mtype;
const char * mdname;

- found++;
usage = *p++;
+
+ /* Only DANE-TA(2) and DANE-EE(3) are supported */
+ if (usage != 2 && usage != 3) continue;
+
selector = *p++;
mtype = *p++;

   switch (mtype)
     {
-    default:
-      log_write(0, LOG_MAIN,
-        "DANE error: TLSA record w/bad mtype 0x%x", mtype);
-      return FAIL;
-    case 0:    mdname = NULL; break;
-    case 1:    mdname = "sha256"; break;
-    case 2:    mdname = "sha512"; break;
+    default: continue;    /* Only match-types 0, 1, 2 are supported */
+    case 0:  mdname = NULL; break;
+    case 1:  mdname = "sha256"; break;
+    case 2:  mdname = "sha512"; break;
     }


+  found++;
   switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
     {
     default:
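Review bot: The three `*p++` reads at the top of the hunk and the `rr->size - 3` length handed to DANESSL_add_tlsa on its last visible line are not preceded by any check that the record actually holds three header bytes, so a truncated TLSA RDATA from a DNS answer would be read past its end and a wrapped length passed on; unless the loop head (which starts before this hunk) already enforces it, add `if (rr->size < 3) continue;` ahead of `usage = *p++;`. The new usage and match-type `continue`s also drop records silently, which leaves an operator facing the later "No usable TLSA records" failure with no trace of why every record was rejected; a `DEBUG(D_tls) debug_printf("TLSA record skipped: usage %d mtype %d\n", usage, mtype);` at each skip would keep that visible in debug output without changing the log volume. The selector byte is still passed through unvalidated; if DANESSL_add_tlsa does not reject values other than 0 and 1 itself, that deserves the same treatment. The enclosing for loop and the DANESSL_add_tlsa switch both extend outside the hunk.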
@@ -1732,7 +1733,7 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
 if (found)
   return OK;


-log_write(0, LOG_MAIN, "DANE error: No TLSA records");
+log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
 return FAIL;
 }
 #endif    /*EXPERIMENTAL_DANE*/