From: Jeremy Harris Date: Sat, 13 Sep 2014 13:55:57 +0000 (+0100) Subject: Restrict dane to DANE-TA(2) and DANE-EE(3) usage TLSA records X-Git-Tag: exim-4_85_RC1~54 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/133d2546c36766081aef8b8fc7c642862b83ea2e?ds=sidebyside;hp=4f59c424dabfc69b7313d84685df68dd406d6ff9 Restrict dane to DANE-TA(2) and DANE-EE(3) usage TLSA records Also, just ignore TLSA records with unsipported match types. --- diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index b77ed32e1..7e424f4f1 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1702,22 +1702,23 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); uint8_t usage, selector, mtype; const char * mdname; - found++; usage = *p++; + + /* Only DANE-TA(2) and DANE-EE(3) are supported */ + if (usage != 2 && usage != 3) continue; + selector = *p++; mtype = *p++; switch (mtype) { - default: - log_write(0, LOG_MAIN, - "DANE error: TLSA record w/bad mtype 0x%x", mtype); - return FAIL; - case 0: mdname = NULL; break; - case 1: mdname = "sha256"; break; - case 2: mdname = "sha512"; break; + default: continue; /* Only match-types 0, 1, 2 are supported */ + case 0: mdname = NULL; break; + case 1: mdname = "sha256"; break; + case 2: mdname = "sha512"; break; } + found++; switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3)) { default: @@ -1732,7 +1733,7 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); if (found) return OK; -log_write(0, LOG_MAIN, "DANE error: No TLSA records"); +log_write(0, LOG_MAIN, "DANE error: No usable TLSA records"); return FAIL; } #endif /*EXPERIMENTAL_DANE*/