From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Sat, 13 Sep 2014 13:55:57 +0000 (+0100)
Subject: Restrict dane to DANE-TA(2) and DANE-EE(3) usage TLSA records
X-Git-Tag: exim-4_85_RC1~54
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/133d2546c36766081aef8b8fc7c642862b83ea2e

Restrict dane to DANE-TA(2) and DANE-EE(3) usage TLSA records
Also, just ignore TLSA records with unsipported match types.
---

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index b77ed32e1..7e424f4f1 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1702,22 +1702,23 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
   uint8_t usage, selector, mtype;
   const char * mdname;
 
-  found++;
   usage = *p++;
+
+  /* Only DANE-TA(2) and DANE-EE(3) are supported */
+  if (usage != 2 && usage != 3) continue;
+
   selector = *p++;
   mtype = *p++;
 
   switch (mtype)
     {
-    default:
-      log_write(0, LOG_MAIN,
-		"DANE error: TLSA record w/bad mtype 0x%x", mtype);
-      return FAIL;
-    case 0:	mdname = NULL; break;
-    case 1:	mdname = "sha256"; break;
-    case 2:	mdname = "sha512"; break;
+    default: continue;	/* Only match-types 0, 1, 2 are supported */
+    case 0:  mdname = NULL; break;
+    case 1:  mdname = "sha256"; break;
+    case 2:  mdname = "sha512"; break;
     }
 
+  found++;
   switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
     {
     default:
@@ -1732,7 +1733,7 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
 if (found)
   return OK;
 
-log_write(0, LOG_MAIN, "DANE error: No TLSA records");
+log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
 return FAIL;
 }
 #endif	/*EXPERIMENTAL_DANE*/