From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Sun, 10 Aug 2014 16:25:26 +0000 (+0100)
Subject: Change CV= log line element for dane-verified cert
X-Git-Tag: exim-4_85_RC1~67^2~19
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/53a7196b578115484068f8c13326741824002c32

Change CV= log line element for dane-verified cert
---

diff --git a/src/src/deliver.c b/src/src/deliver.c
index b0b4601dc..ebd06b504 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -697,7 +697,15 @@ d_tlslog(uschar * s, int * sizep, int * ptrp, address_item * addr)
   if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
        addr->cipher != NULL)
     s = string_append(s, sizep, ptrp, 2, US" CV=",
-      testflag(addr, af_cert_verified)? "yes":"no");
+      testflag(addr, af_cert_verified)
+      ?
+#ifdef EXPERIMENTAL_DANE
+        testflag(addr, af_dane_verified)
+      ? "dane"
+      :
+#endif
+        "yes"
+      : "no");
   if ((log_extra_selector & LX_tls_peerdn) != 0 && addr->peerdn != NULL)
     s = string_append(s, sizep, ptrp, 3, US" DN=\"",
       string_printing(addr->peerdn), US"\"");
@@ -4125,6 +4133,7 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++)
 
       /* The certificate verification status goes into the flags */
       if (tls_out.certificate_verified) setflag(addr, af_cert_verified);
+      if (tls_out.dane_verified)        setflag(addr, af_dane_verified);
 
       /* Use an X item only if there's something to send */
       #ifdef SUPPORT_TLS
diff --git a/src/src/globals.h b/src/src/globals.h
index 32ddd16e2..654114848 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -82,6 +82,9 @@ typedef struct {
   int     active;             /* fd/socket when in a TLS session */
   int     bits;               /* bits used in TLS session */
   BOOL    certificate_verified; /* Client certificate verified */
+#ifdef EXPERIMENTAL_DANE
+  BOOL    dane_verified;        /* ... via DANE */
+#endif
   uschar *cipher;             /* Cipher used */
   BOOL    on_connect;         /* For older MTAs that don't STARTTLS */
   uschar *on_connect_ports;   /* Ports always tls-on-connect */
diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index 6dcb512e4..f53251a86 100644
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
@@ -284,6 +284,9 @@ dkim_collect_input = FALSE;
 
 #ifdef SUPPORT_TLS
 tls_in.certificate_verified = FALSE;
+# ifdef EXPERIMENTAL_DANE
+tls_in.dane_verified = FALSE;
+# endif
 tls_in.cipher = NULL;
 tls_in.ourcert = NULL;
 tls_in.peercert = NULL;
diff --git a/src/src/structs.h b/src/src/structs.h
index 71ac5d8e3..27b73e903 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -495,6 +495,9 @@ typedef struct address_item_propagated {
 # define af_prdr_used          0x08000000 /* delivery used SMTP PRDR */
 #endif
 #define af_force_command       0x10000000 /* force_command in pipe transport */
+#ifdef EXPERIMENTAL_DANE
+# define af_dane_verified      0x20000000 /* TLS cert verify done with DANE */
+#endif
 
 /* These flags must be propagated when a child is created */
 
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index e37b1add5..c05253f73 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -386,6 +386,7 @@ return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called,
 
 
 #ifdef EXPERIMENTAL_DANE
+
 /* This gets called *by* the dane library verify callback, which interposes
 itself.
 */
@@ -402,10 +403,12 @@ tls_out.peerdn = txt;
 tls_out.peercert = X509_dup(cert);
 
 if (state == 1)
+  tls_out.dane_verified =
   tls_out.certificate_verified = TRUE;
 return 1;
 }
-#endif
+
+#endif	/*EXPERIMENTAL_DANE*/
 
 
 /*************************************************
@@ -1442,6 +1445,9 @@ if (expciphers != NULL)
 optional, set up appropriately. */
 
 tls_in.certificate_verified = FALSE;
+#ifdef EXPERIMENTAL_DANE
+tls_in.dane_verified = FALSE;
+#endif
 server_verify_callback_called = FALSE;
 
 if (verify_check_host(&tls_verify_hosts) == OK)
@@ -1712,6 +1718,9 @@ rc = tls_init(&client_ctx, host, NULL,
 if (rc != OK) return rc;
 
 tls_out.certificate_verified = FALSE;
+#ifdef EXPERIMENTAL_DANE
+tls_out.dane_verified = FALSE;
+#endif
 client_verify_callback_called = FALSE;
 
 if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
diff --git a/test/log/5850 b/test/log/5850
index 7266ec26a..498137321 100644
--- a/test/log/5850
+++ b/test/log/5850
@@ -1,9 +1,9 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane512ee.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf