Gitweb:
http://git.exim.org/exim.git/commitdiff/133d2546c36766081aef8b8fc7c642862b83ea2e
Commit: 133d2546c36766081aef8b8fc7c642862b83ea2e
Parent: 4f59c424dabfc69b7313d84685df68dd406d6ff9
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sat Sep 13 14:55:57 2014 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sat Sep 13 15:38:07 2014 +0100
Restrict dane to DANE-TA(2) and DANE-EE(3) usage TLSA records
Also, just ignore TLSA records with unsupported match types.
---
src/src/tls-openssl.c | 19 ++++++++++---------
1 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index b77ed32..7e424f4 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1702,22 +1702,23 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
uint8_t usage, selector, mtype;
const char * mdname;
- found++;
usage = *p++;
+
+ /* Only DANE-TA(2) and DANE-EE(3) are supported */
+ if (usage != 2 && usage != 3) continue;
+
selector = *p++;
mtype = *p++;
switch (mtype)
{
- default:
- log_write(0, LOG_MAIN,
- "DANE error: TLSA record w/bad mtype 0x%x", mtype);
- return FAIL;
- case 0: mdname = NULL; break;
- case 1: mdname = "sha256"; break;
- case 2: mdname = "sha512"; break;
+ default: continue; /* Only match-types 0, 1, 2 are supported */
+ case 0: mdname = NULL; break;
+ case 1: mdname = "sha256"; break;
+ case 2: mdname = "sha512"; break;
}
+ found++;
switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
{
default:
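Review bot: The new skip paths still read `usage`, `selector` and `mtype` through `*p++` and then pass `rr->size - 3` to DANESSL_add_tlsa without first checking that the record carries at least three bytes, so a truncated TLSA RDATA (`rr->size < 3`) is read past its end and the library is handed an underflowed length. A guard before the first read, `if (rr->size < 3) continue;`, closes that; the declared type of `rr->size` is not visible in this hunk, but the subtraction is unsafe whether it is signed or not. The records dropped by `if (usage != 2 && usage != 3) continue;` and by `default: continue;` now leave no trace at all, since the log_write/FAIL path was removed, so an operator only ever sees the later "No usable TLSA records" error; a debug-level message in each skip path naming the ignored usage or match type would make a DANE failure diagnosable. The enclosing `for` loop begins before this hunk and the handling of the DANESSL_add_tlsa result continues past it.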
@@ -1732,7 +1733,7 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
if (found)
return OK;
-log_write(0, LOG_MAIN, "DANE error: No TLSA records");
+log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
return FAIL;
}
#endif /*EXPERIMENTAL_DANE*/