summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2014-09-13 14:55:57 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2014-09-13 15:38:07 +0100
commit133d2546c36766081aef8b8fc7c642862b83ea2e (patch)
tree2b75d3faaf3cc910448361fdd6a2ca93ef04793d
parent4f59c424dabfc69b7313d84685df68dd406d6ff9 (diff)
Restrict dane to DANE-TA(2) and DANE-EE(3) usage TLSA records
Also, just ignore TLSA records with unsipported match types.
-rw-r--r--src/src/tls-openssl.c19
1 files changed, 10 insertions, 9 deletions
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index b77ed32e1..7e424f4f1 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1702,22 +1702,23 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
uint8_t usage, selector, mtype;
const char * mdname;
- found++;
usage = *p++;
+
+ /* Only DANE-TA(2) and DANE-EE(3) are supported */
+ if (usage != 2 && usage != 3) continue;
+
selector = *p++;
mtype = *p++;
switch (mtype)
{
- default:
- log_write(0, LOG_MAIN,
- "DANE error: TLSA record w/bad mtype 0x%x", mtype);
- return FAIL;
- case 0: mdname = NULL; break;
- case 1: mdname = "sha256"; break;
- case 2: mdname = "sha512"; break;
+ default: continue; /* Only match-types 0, 1, 2 are supported */
+ case 0: mdname = NULL; break;
+ case 1: mdname = "sha256"; break;
+ case 2: mdname = "sha512"; break;
}
+ found++;
switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
{
default:
@@ -1732,7 +1733,7 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
if (found)
return OK;
-log_write(0, LOG_MAIN, "DANE error: No TLSA records");
+log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
return FAIL;
}
#endif /*EXPERIMENTAL_DANE*/