summaryrefslogtreecommitdiffstats
path: root/src/posttls-finger
diff options
context:
space:
mode:
Diffstat (limited to 'src/posttls-finger')
-rw-r--r--src/posttls-finger/posttls-finger.c21
1 files changed, 16 insertions, 5 deletions
diff --git a/src/posttls-finger/posttls-finger.c b/src/posttls-finger/posttls-finger.c
index b9a4699..d64c355 100644
--- a/src/posttls-finger/posttls-finger.c
+++ b/src/posttls-finger/posttls-finger.c
@@ -1260,6 +1260,8 @@ static DNS_RR *addr_one(STATE *state, DNS_RR *addr_list, const char *host,
msg_fatal("host %s: conversion error for address family %d: %m",
host, ((struct sockaddr *) (res0->ai_addr))->sa_family);
addr_list = dns_rr_append(addr_list, addr);
+ if (DNS_RR_IS_TRUNCATED(addr_list))
+ break;
}
freeaddrinfo(res0);
if (found == 0) {
@@ -1297,6 +1299,8 @@ static DNS_RR *mx_addr_list(STATE *state, DNS_RR *mx_names)
msg_panic("%s: bad resource type: %d", myname, rr->type);
addr_list = addr_one(state, addr_list, (char *) rr->data, res_opt,
rr->pref, rr->port);
+ if (addr_list && DNS_RR_IS_TRUNCATED(addr_list))
+ break;
}
return (addr_list);
}
@@ -2114,7 +2118,19 @@ static void parse_match(STATE *state, int argc, char *argv[])
#ifdef USE_TLS
int smtp_mode = 1;
+ /*
+ * DANE match names are configured late, once the TLSA records are in
+ * hand. For now, prepare to fall back to "secure".
+ */
switch (state->level) {
+ default:
+ state->match = 0;
+ if (*argv)
+ msg_warn("TLS level '%s' does not implement certificate matching",
+ str_tls_level(state->level));
+ break;
+ case TLS_LEV_DANE:
+ case TLS_LEV_DANE_ONLY:
case TLS_LEV_SECURE:
state->match = argv_alloc(2);
while (*argv)
@@ -2135,11 +2151,6 @@ static void parse_match(STATE *state, int argc, char *argv[])
tls_dane_add_fpt_digests((TLS_DANE *) state->dane, *argv++, "",
smtp_mode);
break;
- case TLS_LEV_DANE:
- case TLS_LEV_DANE_ONLY:
- state->match = argv_alloc(2);
- argv_add(state->match, "nexthop", "hostname", ARGV_END);
- break;
}
#endif
}