summaryrefslogtreecommitdiffstats
path: root/src/posttls-finger
diff options
context:
space:
mode:
Diffstat (limited to 'src/posttls-finger')
-rw-r--r--src/posttls-finger/posttls-finger.c23
1 files changed, 17 insertions, 6 deletions
diff --git a/src/posttls-finger/posttls-finger.c b/src/posttls-finger/posttls-finger.c
index 849b05d..ce5d2c0 100644
--- a/src/posttls-finger/posttls-finger.c
+++ b/src/posttls-finger/posttls-finger.c
@@ -1244,6 +1244,8 @@ static DNS_RR *addr_one(STATE *state, DNS_RR *addr_list, const char *host,
msg_fatal("host %s: conversion error for address family %d: %m",
host, ((struct sockaddr *) (res0->ai_addr))->sa_family);
addr_list = dns_rr_append(addr_list, addr);
+ if (DNS_RR_IS_TRUNCATED(addr_list))
+ break;
}
freeaddrinfo(res0);
if (found == 0) {
@@ -1281,6 +1283,8 @@ static DNS_RR *mx_addr_list(STATE *state, DNS_RR *mx_names)
msg_panic("%s: bad resource type: %d", myname, rr->type);
addr_list = addr_one(state, addr_list, (char *) rr->data, res_opt,
rr->pref);
+ if (addr_list && DNS_RR_IS_TRUNCATED(addr_list))
+ break;
}
return (addr_list);
}
@@ -2048,8 +2052,20 @@ static void parse_match(STATE *state, int argc, char *argv[])
{
#ifdef USE_TLS
+ /*
+ * DANE match names are configured late, once the TLSA records are in
+ * hand. For now, prepare to fall back to "secure".
+ */
switch (state->level) {
- case TLS_LEV_SECURE:
+ default:
+ state->match = 0;
+ if (*argv)
+ msg_warn("TLS level '%s' does not implement certificate matching",
+ str_tls_level(state->level));
+ break;
+ case TLS_LEV_DANE:
+ case TLS_LEV_DANE_ONLY:
+ case TLS_LEV_SECURE:
state->match = argv_alloc(2);
while (*argv)
argv_split_append(state->match, *argv++, "");
@@ -2069,11 +2085,6 @@ static void parse_match(STATE *state, int argc, char *argv[])
tls_dane_add_ee_digests((TLS_DANE *) state->dane,
state->mdalg, *argv++, "");
break;
- case TLS_LEV_DANE:
- case TLS_LEV_DANE_ONLY:
- state->match = argv_alloc(2);
- argv_add(state->match, "nexthop", "hostname", ARGV_END);
- break;
}
#endif
}