parent: 4d4c2a9
Add support in the fakens utility for TLSA records
author
Jeremy Harris
<jgh146exb@wizmail.org>
Sun, 10 Aug 2014 11:31:21 +0000
(12:31 +0100)
committer
Jeremy Harris
<jgh146exb@wizmail.org>
Sun, 10 Aug 2014 11:31:21 +0000
(12:31 +0100)
src/src/dane-openssl.c
src/src/dns.c
src/src/tls-openssl.c
test/dnszones-src/db.test.ex
test/log/5850
test/src/fakens.c
diff --git
a/src/src/dane-openssl.c
b/src/src/dane-openssl.c
index aee6323bfd90884de6b3dc317350a658b271f70f..4f90caa4a07647064df1f7b2079169abbc65d8e1 100644
--- a/
src/src/dane-openssl.c
+++ b/
src/src/dane-openssl.c
@@
-1162,7
+1162,8
@@
dane_cert_list xlist = 0;
dane_pkey_list klist = 0;
const EVP_MD *md = 0;
dane_pkey_list klist = 0;
const EVP_MD *md = 0;
-DEBUG(D_tls) debug_printf("Dane add_tlsa\n");
+DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
+ usage, selector, mdname);
if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
{
if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
{
@@
-1340,7
+1341,7
@@
if(sctx->app_verify_callback != verify_cert)
return -1;
}
#else
return -1;
}
#else
-DEBUG(D_tls) debug_printf("Dane ssl
_
init\n");
+DEBUG(D_tls) debug_printf("Dane ssl
-
init\n");
if(dane_idx < 0)
{
DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_LIBRARY_INIT);
if(dane_idx < 0)
{
DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_LIBRARY_INIT);
@@
-1362,7
+1363,6
@@
if(!SSL_set_ex_data(ssl, dane_idx, dane))
OPENSSL_free(dane);
return 0;
}
OPENSSL_free(dane);
return 0;
}
-DEBUG(D_tls) debug_printf("Dane ssl-init: new dane struct: %p\n", dane);
dane->verify = 0;
dane->hosts = 0;
dane->verify = 0;
dane->hosts = 0;
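Review bot: The debug line added in the 1162 hunk prints `mdname` through `%s`, and nothing in the hunk checks it for NULL; the tlsa-load call in tls-openssl.c passes `mdname` straight through, and if a matching type that needs no digest arrives with a NULL name (not visible here), `debug_printf` with a NULL `%s` argument is undefined behaviour — glibc prints "(null)", other C libraries crash. Guarding the argument, `mdname ? mdname : "(none)"`, keeps the debug output safe on every platform, and the same guard would belong in any further debug lines of this shape. The enclosing function starts and ends outside the hunk.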
diff --git
a/src/src/dns.c
b/src/src/dns.c
index 6efb88d5843b4f96ee04cef42597b44644ce1ead..3d047abba11cbbbbe62ff8d60962b81b9830cfe1 100644
--- a/
src/src/dns.c
+++ b/
src/src/dns.c
@@
-607,7
+607,7
@@
if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
/* For an SRV lookup, skip over the first two components (the service and
protocol names, which both start with an underscore). */
/* For an SRV lookup, skip over the first two components (the service and
protocol names, which both start with an underscore). */
- if (type == T_SRV)
+ if (type == T_SRV
|| type == T_TLSA
)
{
while (*checkname++ != '.');
while (*checkname++ != '.');
{
while (*checkname++ != '.');
while (*checkname++ != '.');
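Review bot: The comment directly above the changed condition still reads "For an SRV lookup", so it no longer describes the code once TLSA names take the same path; `/* For an SRV or TLSA lookup, skip over the first two components (the service/port and protocol names, which both start with an underscore). */` would keep it accurate. The two `while (*checkname++ != '.');` loops that follow have no end-of-string check, so a TLSA name with fewer than two dots would run past the terminator; whether every caller guarantees the `_port._proto.host` shape is not visible here, but `while (*checkname && *checkname++ != '.');` would make the skip safe regardless. The enclosing function starts and ends outside the hunk.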
diff --git
a/src/src/tls-openssl.c
b/src/src/tls-openssl.c
index eb74605da04125ef77a51c3dd3641a5dbf48e6f4..70ac63f16bee0c286133a1469edf126eea00b715 100644
--- a/
src/src/tls-openssl.c
+++ b/
src/src/tls-openssl.c
@@
-1663,8
+1663,8
@@
if (host->dnssec == DS_YES)
}
else if (dane_required)
{
}
else if (dane_required)
{
- /* Hmm - what lookup, precisely? */
/*XXX a shame we only find this after making tcp & smtp connection */
/*XXX a shame we only find this after making tcp & smtp connection */
+ /* move the test earlier? */
log_write(0, LOG_MAIN, "DANE error: previous lookup not DNSSEC");
return FAIL;
}
log_write(0, LOG_MAIN, "DANE error: previous lookup not DNSSEC");
return FAIL;
}
@@
-1714,9
+1714,9
@@
if (expciphers != NULL)
if (dane)
{
if (!DANESSL_library_init())
if (dane)
{
if (!DANESSL_library_init())
- return tls_error(US"library init", host,
US"DANE library error"
);
+ return tls_error(US"library init", host,
NULL
);
if (DANESSL_CTX_init(client_ctx) <= 0)
if (DANESSL_CTX_init(client_ctx) <= 0)
- return tls_error(US"context init", host,
US"DANE library error"
);
+ return tls_error(US"context init", host,
NULL
);
}
else
}
else
@@
-1777,7
+1777,7
@@
if (dane)
uschar * hostnames[2] = { host->name, NULL };
if (DANESSL_init(client_ssl, NULL, hostnames) != 1)
uschar * hostnames[2] = { host->name, NULL };
if (DANESSL_init(client_ssl, NULL, hostnames) != 1)
- return tls_error(US"hostnames load", host,
US"DANE library error"
);
+ return tls_error(US"hostnames load", host,
NULL
);
for (rr = dns_next_rr(&tlsa_dnsa, &dnss, RESET_ANSWERS);
rr;
for (rr = dns_next_rr(&tlsa_dnsa, &dnss, RESET_ANSWERS);
rr;
@@
-1805,8
+1805,8
@@
if (dane)
mdname, p, rr->size - (p - rr->data)))
{
default:
mdname, p, rr->size - (p - rr->data)))
{
default:
- case 0: /* action not taken
; log error
*/
-
return FAIL
;
+ case 0: /* action not taken */
+
return tls_error(US"tlsa load", host, NULL)
;
case 1: break;
}
}
case 1: break;
}
}
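Review bot: In the 1805 hunk `default:` falls into the new `case 0:` return, so a negative library-error return and a zero (action not taken) return now produce the identical "tlsa load" log line, with the reason apparently supplied only by whatever the DANE library queued on the OpenSSL error stack (the third argument is NULL, and the updated test/log/5850 shows the library text appended); if any path returns 0 without queueing an error — not visible here — the log entry would carry no explanation at all. A short distinguishing text on the default branch, `default: return tls_error(US"tlsa load (library)", host, NULL);`, would keep the two failure modes apart in the log. The same NULL-message change in the 1714 and 1777 hunks has the same property for DANESSL_library_init, DANESSL_CTX_init and DANESSL_init. The `/* move the test earlier? */` comment added in the 1663 hunk is an open question rather than a note; `/* TODO: check host->dnssec before the TCP/SMTP connection is made */` states the intent. The enclosing function starts and ends outside the hunks.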
diff --git
a/test/dnszones-src/db.test.ex
b/test/dnszones-src/db.test.ex
index c65baa470989ac2fceea9d377bc2b34c1dba2235..bd334918bd5dcefed22b8444fca66ce3f4d5def2 100644
--- a/
test/dnszones-src/db.test.ex
+++ b/
test/dnszones-src/db.test.ex
@@
-77,10
+77,13
@@
badloop A V4NET.0.0.1
v6 AAAA V6NET:ffff:836f:0a00:000a:0800:200a:c032
; Alias A and CNAME records for the local host, under the name "eximtesthost"
v6 AAAA V6NET:ffff:836f:0a00:000a:0800:200a:c032
; Alias A and CNAME records for the local host, under the name "eximtesthost"
+; Make the A covered by DNSSEC and add a TLSA for it.
DNSSEC eximtesthost A HOSTIPV4
alias-eximtesthost CNAME eximtesthost.test.ex.
DNSSEC eximtesthost A HOSTIPV4
alias-eximtesthost CNAME eximtesthost.test.ex.
+DNSSEC _1225._tcp.eximtesthost TLSA 3 1 2 f000baaa
+
; A bad CNAME
badcname CNAME rhubarb.test.ex.
; A bad CNAME
badcname CNAME rhubarb.test.ex.
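Review bot: The added comment says a TLSA is added for the host but not that its digest field `f000baaa` is deliberately not a full-length digest, which is what makes this commit's test/log/5850 expectation change to "Bad TLSA record digest"; a reader maintaining the zone could "correct" the record and break test 5850. Extending the comment, `; The TLSA digest is deliberately invalid: test 5850 expects the DANE library to reject it.`, records the intent next to the data.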
diff --git
a/test/log/5850
b/test/log/5850
index f0432dd7e232509bf489ef93f9f5fd38ef979f73..e8b37bb61f7d3230304b028570b5f461a8380f4c 100644
--- a/
test/log/5850
+++ b/
test/log/5850
@@
-1,6
+1,6
@@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00
DANE error: TLSA lookup failed
+1999-03-02 09:44:33 10HmaX-0005vi-00
TLS error on connection to eximtesthost.test.ex [ip4.ip4.ip4.ip4] (tlsa load): error:8006C067:DANE library:func(108):Bad TLSA record digest
1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@mxplain.test.ex R=client T=send_to_server defer (-37): failure while setting up TLS session
1999-03-02 09:44:33 End queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@mxplain.test.ex R=client T=send_to_server defer (-37): failure while setting up TLS session
1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git
a/test/src/fakens.c
b/test/src/fakens.c
index ec7588cc8dca634275be3e35104de1553010d770..912f41984d1da3c91f342a0004e44e3f5ad206b5 100644
--- a/
test/src/fakens.c
+++ b/
test/src/fakens.c
@@
-99,21
+99,25
@@
not defined, assume we are in this state. A really old system might not even
know about AAAA and SRV at all. */
#ifndef ns_t_a
know about AAAA and SRV at all. */
#ifndef ns_t_a
-#define ns_t_a T_A
-#define ns_t_ns T_NS
-#define ns_t_cname T_CNAME
-#define ns_t_soa T_SOA
-#define ns_t_ptr T_PTR
-#define ns_t_mx T_MX
-#define ns_t_txt T_TXT
-#define ns_t_aaaa T_AAAA
-#define ns_t_srv T_SRV
-#ifndef T_AAAA
-#define T_AAAA 28
-#endif
-#ifndef T_SRV
-#define T_SRV 33
-#endif
+# define ns_t_a T_A
+# define ns_t_ns T_NS
+# define ns_t_cname T_CNAME
+# define ns_t_soa T_SOA
+# define ns_t_ptr T_PTR
+# define ns_t_mx T_MX
+# define ns_t_txt T_TXT
+# define ns_t_aaaa T_AAAA
+# define ns_t_srv T_SRV
+# define ns_t_tlsa T_TLSA
+# ifndef T_AAAA
+# define T_AAAA 28
+# endif
+# ifndef T_SRV
+# define T_SRV 33
+# endif
+# ifndef T_TLSA
+# define T_TLSA 52
+# endif
#endif
static tlist type_list[] = {
#endif
static tlist type_list[] = {
@@
-126,6
+130,7
@@
static tlist type_list[] = {
{ US"TXT", ns_t_txt },
{ US"AAAA", ns_t_aaaa },
{ US"SRV", ns_t_srv },
{ US"TXT", ns_t_txt },
{ US"AAAA", ns_t_aaaa },
{ US"SRV", ns_t_srv },
+ { US"TLSA", ns_t_tlsa },
{ NULL, 0 }
};
{ NULL, 0 }
};
@@
-189,6
+194,20
@@
while (*name != 0)
return pk;
}
return pk;
}
+uschar *
+shortfield(uschar ** pp, uschar * pk)
+{
+unsigned value = 0;
+uschar * p = *pp;
+
+while (isdigit(*p)) value = value*10 + *p++ - '0';
+while (isspace(*p)) p++;
+*pp = p;
+*pk++ = (value >> 8) & 255;
+*pk++ = value & 255;
+return pk;
+}
+
/*************************************************
/*************************************************
@@
-237,7
+256,7
@@
if (typeptr->name == NULL)
rrdomain[0] = 0; /* No previous domain */
(void)fseek(f, 0, SEEK_SET); /* Start again at the beginning */
rrdomain[0] = 0; /* No previous domain */
(void)fseek(f, 0, SEEK_SET); /* Start again at the beginning */
-*dnssec = TRUE; /* cancelled by first nonsecure rec found */
+*dnssec = TRUE; /* cancelled by first nonsecure rec found */
/* Scan for RRs */
/* Scan for RRs */
@@
-387,11
+406,7
@@
while (fgets(CS buffer, sizeof(buffer), f) != NULL)
break;
case ns_t_mx:
break;
case ns_t_mx:
- value = 0;
- while (isdigit(*p)) value = value*10 + *p++ - '0';
- while (isspace(*p)) p++;
- *pk++ = (value >> 8) & 255;
- *pk++ = value & 255;
+ pk = shortfield(&p, pk);
if (ep[-1] != '.') sprintf(ep, "%s.", zone);
pk = packname(p, pk);
plen = Ustrlen(p);
if (ep[-1] != '.') sprintf(ep, "%s.", zone);
pk = packname(p, pk);
plen = Ustrlen(p);
@@
-404,6
+419,23
@@
while (fgets(CS buffer, sizeof(buffer), f) != NULL)
*pp = pk - pp - 1;
break;
*pp = pk - pp - 1;
break;
+ case ns_t_tlsa:
+ pk = shortfield(&p, pk); /* usage */
+ pk = shortfield(&p, pk); /* selector */
+ pk = shortfield(&p, pk); /* match type */
+ while (isxdigit(*p))
+ {
+ value = toupper(*p) - (isdigit(*p) ? '0' : '7') << 4;
+ if (isxdigit(*++p))
+ {
+ value |= toupper(*p) - (isdigit(*p) ? '0' : '7');
+ p++;
+ }
+ *pk++ = value & 255;
+ }
+
+ break;
+
case ns_t_srv:
for (i = 0; i < 3; i++)
{
case ns_t_srv:
for (i = 0; i < 3; i++)
{