From 133d2546c36766081aef8b8fc7c642862b83ea2e Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sat, 13 Sep 2014 14:55:57 +0100 Subject: [PATCH 1/1] Restrict dane to DANE-TA(2) and DANE-EE(3) usage TLSA records Also, just ignore TLSA records with unsipported match types. --- src/src/tls-openssl.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index b77ed32e1..7e424f4f1 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1702,22 +1702,23 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); uint8_t usage, selector, mtype; const char * mdname; - found++; usage = *p++; + + /* Only DANE-TA(2) and DANE-EE(3) are supported */ + if (usage != 2 && usage != 3) continue; + selector = *p++; mtype = *p++; switch (mtype) { - default: - log_write(0, LOG_MAIN, - "DANE error: TLSA record w/bad mtype 0x%x", mtype); - return FAIL; - case 0: mdname = NULL; break; - case 1: mdname = "sha256"; break; - case 2: mdname = "sha512"; break; + default: continue; /* Only match-types 0, 1, 2 are supported */ + case 0: mdname = NULL; break; + case 1: mdname = "sha256"; break; + case 2: mdname = "sha512"; break; } + found++; switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3)) { default: @@ -1732,7 +1733,7 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); if (found) return OK; -log_write(0, LOG_MAIN, "DANE error: No TLSA records"); +log_write(0, LOG_MAIN, "DANE error: No usable TLSA records"); return FAIL; } #endif /*EXPERIMENTAL_DANE*/ -- 2.30.2