From e5cccda9bbf169ea7dc97fa3859735523dd4cec0 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Sun, 10 Aug 2014 16:57:15 +0100
Subject: [PATCH] Capture the knowlege that verification succeeded
---
 src/src/dane-openssl.c |  7 +++----
 src/src/tls-openssl.c  | 27 +++++++++++++++++++++++++--
 test/confs/5850        |  2 +-
 test/log/5850          | 12 ++++++------
 4 files changed, 35 insertions(+), 13 deletions(-)
diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index aab32cabd..2430d475f 100644
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -859,7 +859,7 @@ X509 *cert = ctx->cert; /* XXX: accessor? */
 int matched = 0;
 int chain_length = sk_X509_num(ctx->chain);
-DEBUG(D_tls) debug_printf("Dane verify_chain\n");
+DEBUG(D_tls) debug_printf("Dane verify-chain\n");
 issuer_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_ISSUER];
 leaf_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_LEAF];
@@ -952,7 +952,7 @@ int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
 int matched;
 X509 *cert = ctx->cert; /* XXX: accessor? */
-DEBUG(D_tls) debug_printf("Dane verify_cert\n");
+DEBUG(D_tls) debug_printf("Dane verify-cert\n");
 if(ssl_idx < 0)
   ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
@@ -1084,7 +1084,7 @@ DANESSL_cleanup(SSL *ssl)
 ssl_dane *dane;
 int u;
-DEBUG(D_tls) debug_printf("Dane library cleanup fn called\n");
+DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
 if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
   return;
@@ -1106,7 +1106,6 @@ if(dane->roots)
 if(dane->chain)
   sk_X509_pop_free(dane->chain, X509_free);
 OPENSSL_free(dane);
-DEBUG(D_tls) debug_printf("Dane library cleanup fn return\n");
 }
 static dane_host_list
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 001403494..e37b1add5 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -361,7 +361,7 @@ else
     return 0; /* reject */
   }
 # endif
-#endif
+#endif /*EXPERIMENTAL_CERTNAMES*/
 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n", *calledp ? "" : " authenticated", txt);
@@ -385,6 +385,28 @@ return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called,
 }
+#ifdef EXPERIMENTAL_DANE
+/* This gets called *by* the dane library verify callback, which interposes
+itself.
+*/
+static int
+verify_callback_client_dane(int state, X509_STORE_CTX * x509ctx)
+{
+X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
+static uschar txt[256];
+
+X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
+
+DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s\n", txt);
+tls_out.peerdn = txt;
+tls_out.peercert = X509_dup(cert);
+
+if (state == 1)
+  tls_out.certificate_verified = TRUE;
+return 1;
+}
+#endif
+
 /*************************************************
 * Information callback *
@@ -999,7 +1021,6 @@ return i;
 #endif /*!DISABLE_OCSP*/
-
 /*************************************************
 * Initialize for TLS *
 *************************************************/
@@ -1713,6 +1734,8 @@ if (expciphers != NULL)
 #ifdef EXPERIMENTAL_DANE
 if (dane)
   {
+  SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback_client_dane);
+
   if (!DANESSL_library_init())
     return tls_error(US"library init", host, NULL);
   if (DANESSL_CTX_init(client_ctx) <= 0)
diff --git a/test/confs/5850 b/test/confs/5850
index cd4ccc59f..b2c7cb7eb 100644
--- a/test/confs/5850
+++ b/test/confs/5850
@@ -16,7 +16,7 @@ gecos_name = CALLER_NAME
 acl_smtp_rcpt = accept
-log_selector = +tls_peerdn
+log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
 queue_only
 queue_run_in_order
diff --git a/test/log/5850 b/test/log/5850
index 568396d01..7266ec26a 100644
--- a/test/log/5850
+++ b/test/log/5850
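Review bot: `verify_callback_client_dane` returns 1 regardless of `state`, so an invocation with `state == 0` is reported back to the interposing DANE verifier as accepted; if that layer honours the callback's return value (its code is outside this patch), a chain that fails TLSA matching would not be rejected here. Since DANE verification is mandatory on this path, the safer shape is `return state;`, matching the existing `verify_callback` in this file, which returns 0 to reject. Separately, `tls_out.peercert = X509_dup(cert);` runs on every invocation — if the hook is driven once per chain element as OpenSSL verify callbacks normally are, each call overwrites the previous duplicate without freeing it — and the `X509_dup` result is never checked for NULL. Capturing only the leaf and releasing any prior copy avoids both: `if (X509_STORE_CTX_get_error_depth(x509ctx) == 0) { X509_free(tls_out.peercert); tls_out.peercert = X509_dup(cert); }` (assuming `peercert` starts NULL for the session — confirm). Note also that `tls_out.peerdn` is left pointing at the function-static `txt`, which every later call rewrites.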
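Review bot: The new `SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback_client_dane);` call carries an ordering dependency the code does not state: the comment on `verify_callback_client_dane` says the DANE library interposes on this callback, so this call presumably has to precede `DANESSL_CTX_init(client_ctx)` for the hook to be wrapped rather than replaced (the library's init is outside this patch). A one-line comment would keep a future reorder from silently dropping the hook: `/* Must precede DANESSL_CTX_init(), which interposes on the verify callback set here */`. The enclosing `if (dane)` block and its function continue outside the hunk.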
@@ -1,16 +1,16 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane512ee.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for CALLER@mxdane512ee.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: R=server
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-- 
2.30.2