From 0afd1f46d4c35cc17cb412e94a1ffbcf8bd2991c Mon Sep 17 00:00:00 2001
From: manuel
Date: Mon, 6 Jul 2015 00:05:03 +0200
Subject: fix missing check for invalid dane status

libval returns VAL_DANE_NOERROR if domain is insecure and no TLSA RR exists.
we should stop all further dane handling in this case

---
 qmail-remote.c | 27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)
(limited to 'qmail-remote.c')
diff --git a/qmail-remote.c b/qmail-remote.c
index 4227718..ece335d 100644
--- a/qmail-remote.c
+++ b/qmail-remote.c
@@ -425,29 +425,30 @@ int tls_init()
 }
 }
- /* DANE starts here */
+ /* DANE: starts here */
 int dane_retval = VAL_DANE_INTERNAL_ERROR;
 int tls_required = (smtps || servercert != NULL);
 if (partner_fqdn && !servercert && !dane_context_failed) {
- if (val_create_context(NULL, &dane_context) != VAL_NO_ERROR) {
- dane_context_failed = 1;
- out("lUnable to initialize libval context\n");
- zeroflush();
- }
-
- /* DANE lookup TLSA records */
- if (dane_context) {
- if (dane_status != NULL)
- val_free_dane(dane_status);
+ if (val_create_context(NULL, &dane_context) == VAL_NO_ERROR) {
+ /* DANE: lookup TLSA records */
 struct val_daneparams dane_params = { .port = smtp_port, .proto = DANE_PARAM_PROTO_TCP };
+ if (dane_status != NULL)
+ val_free_dane(dane_status);
 dane_retval = val_getdaneinfo(dane_context, partner_fqdn, &dane_params, &dane_status);
- if (dane_retval == VAL_DANE_NOERROR)
+ if (dane_status == NULL) // insecure domain without TLSA RR will return VAL_DANE_NOERROR
+ dane_retval = VAL_DANE_CHECK_FAILED;
+ else if (dane_retval == VAL_DANE_NOERROR)
 tls_required = 1;
 }
+ else {
+ dane_context_failed = 1;
+ out("lUnable to initialize libval context\n");
+ zeroflush();
+ }
 }
 if (!smtps) {
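Review bot: The new `if (dane_status == NULL)` test after `val_getdaneinfo` overwrites `dane_retval` unconditionally, so a lookup that already returned an error code (and, as I'd expect, left `dane_status` NULL) is also remapped to `VAL_DANE_CHECK_FAILED`, and whatever code later branches on `dane_retval` outside this hunk can no longer tell a validation failure from the insecure/no-TLSA case the commit message targets. Restricting the remap to the case the commit describes keeps the library's own error code for everything else: `if (dane_retval == VAL_DANE_NOERROR && dane_status == NULL) /* insecure domain without TLSA RR */ dane_retval = VAL_DANE_CHECK_FAILED;`. For a DANE client that distinction is worth preserving, since a DNSSEC-bogus answer and a domain that simply publishes no TLSA records should not be indistinguishable to the caller. The added `//` comment also sits next to `/* */` comments in the same hunk; `/* insecure domain without TLSA RR returns VAL_DANE_NOERROR */` would match the file. tls_init continues outside the hunk on both sides.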
@@ -596,7 +597,7 @@ int tls_init()
 X509_free(peercert);
 }
- /* DANE verify tls connection */
+ /* DANE: verify tls connection */
 else if (dane_retval == VAL_DANE_NOERROR) {
 int do_certcheck = 0; // ignored. DANE SMTP doesn't do any PKIX checks
 dane_retval = val_dane_check(dane_context, ssl, dane_status, &do_certcheck);
-- 
cgit v1.2.3