Fix fakens TLSA generation and DANE TLSA lookup
diff --git
a/src/src/tls-openssl.c
b/src/src/tls-openssl.c
index 1ec7786bd55c39e122d6fc077b6b56ab40c79a36..79beffadf222175d9005a6a02b681a7b6d925ea1 100644
(file)
--- a/
src/src/tls-openssl.c
+++ b/
src/src/tls-openssl.c
@@
-1806,6
+1806,7
@@
if (dane)
dns_record * rr;
dns_scan dnss;
uschar * hostnames[2] = { host->name, NULL };
dns_record * rr;
dns_scan dnss;
uschar * hostnames[2] = { host->name, NULL };
+ int found = 0;
if (DANESSL_init(client_ssl, NULL, hostnames) != 1)
return tls_error(US"hostnames load", host, NULL);
if (DANESSL_init(client_ssl, NULL, hostnames) != 1)
return tls_error(US"hostnames load", host, NULL);
@@
-1819,13
+1820,16
@@
if (dane)
int usage, selector, mtype;
const char * mdname;
int usage, selector, mtype;
const char * mdname;
- GETSHORT(usage, p);
- GETSHORT(selector, p);
- GETSHORT(mtype, p);
+ found++;
+ usage = *p++;
+ selector = *p++;
+ mtype = *p++;
switch (mtype)
{
switch (mtype)
{
- default: /* log bad */ return FAIL;
+ default:
+ log_write(0, LOG_MAIN, "DANE error: TLSA record w/bad mtype 0x%x", mtype);
+ return FAIL;
case 0: mdname = NULL; break;
case 1: mdname = "sha256"; break;
case 2: mdname = "sha512"; break;
case 0: mdname = NULL; break;
case 1: mdname = "sha256"; break;
case 2: mdname = "sha512"; break;
@@
-1841,6
+1845,12
@@
if (dane)
case 1: break;
}
}
case 1: break;
}
}
+
+ if (!found)
+ {
+ log_write(0, LOG_MAIN, "DANE error: No TLSA records");
+ return FAIL;
+ }
}
#endif
}
#endif
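Review bot: The three `usage = *p++; selector = *p++; mtype = *p++;` reads in the second hunk assume the TLSA RDATA is at least three bytes long, and nothing in the hunk bounds them; unless the enclosing loop (which starts and ends outside the hunk) already rejects short records, a truncated TLSA record would read past its data, and any `size - 3` handed on to the DANE layer would underflow. A guard before `found++` such as `if (rr->size < 3) continue;` — using whatever field `dns_record` carries for the RDATA length — closes this, and it belongs here because the record contents come from DNS rather than from local configuration. Separately, the new `default:` branch fails the whole connection on a single record with an unknown matching type, whereas RFC 7671 treats such a record as unusable and to be skipped, so one record with a newly registered mtype would break delivery to a host that also publishes valid SHA-256/SHA-512 records; a `log_write(...); continue;` with `found` counting only usable records would degrade more gracefully. Both new `log_write` calls omit `host->name`, which makes the failure hard to attribute in a busy mainlog; `"DANE error: TLSA record for %s w/bad mtype 0x%x", host->name, mtype` is a small improvement.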