Change CV= log line element for dane-verified cert
author
Jeremy Harris
<jgh146exb@wizmail.org>
Sun, 10 Aug 2014 16:25:26 +0000
(17:25 +0100)
committer
Jeremy Harris
<jgh146exb@wizmail.org>
Sun, 10 Aug 2014 16:25:26 +0000
(17:25 +0100)
src/src/deliver.c
src/src/globals.h
src/src/spool_in.c
src/src/structs.h
src/src/tls-openssl.c
test/log/5850
diff --git
a/src/src/deliver.c
b/src/src/deliver.c
index b0b4601dc3575df6188bec955dfc2f9a93999b2c..ebd06b504b01b0ae67c1bf34fc10cd2e98ad9fd3 100644
--- a/
src/src/deliver.c
+++ b/
src/src/deliver.c
@@
-697,7
+697,15
@@
d_tlslog(uschar * s, int * sizep, int * ptrp, address_item * addr)
if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
addr->cipher != NULL)
s = string_append(s, sizep, ptrp, 2, US" CV=",
if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
addr->cipher != NULL)
s = string_append(s, sizep, ptrp, 2, US" CV=",
- testflag(addr, af_cert_verified)? "yes":"no");
+ testflag(addr, af_cert_verified)
+ ?
+#ifdef EXPERIMENTAL_DANE
+ testflag(addr, af_dane_verified)
+ ? "dane"
+ :
+#endif
+ "yes"
+ : "no");
if ((log_extra_selector & LX_tls_peerdn) != 0 && addr->peerdn != NULL)
s = string_append(s, sizep, ptrp, 3, US" DN=\"",
string_printing(addr->peerdn), US"\"");
if ((log_extra_selector & LX_tls_peerdn) != 0 && addr->peerdn != NULL)
s = string_append(s, sizep, ptrp, 3, US" DN=\"",
string_printing(addr->peerdn), US"\"");
@@
-4125,6
+4133,7
@@
for (delivery_count = 0; addr_remote != NULL; delivery_count++)
/* The certificate verification status goes into the flags */
if (tls_out.certificate_verified) setflag(addr, af_cert_verified);
/* The certificate verification status goes into the flags */
if (tls_out.certificate_verified) setflag(addr, af_cert_verified);
+ if (tls_out.dane_verified) setflag(addr, af_dane_verified);
/* Use an X item only if there's something to send */
#ifdef SUPPORT_TLS
/* Use an X item only if there's something to send */
#ifdef SUPPORT_TLS
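Review bot: The added `if (tls_out.dane_verified) setflag(addr, af_dane_verified);` is not wrapped in `#ifdef EXPERIMENTAL_DANE`, yet both the `dane_verified` member (globals.h) and `af_dane_verified` (structs.h) are declared only under that macro in this same commit, so a build without EXPERIMENTAL_DANE will fail to compile deliver.c at this line. Guard it the way every other hunk does: `#ifdef EXPERIMENTAL_DANE` / `if (tls_out.dane_verified) setflag(addr, af_dane_verified);` / `#endif`. Separately, the new `CV=dane` value emitted by d_tlslog is not documented anywhere in this commit; any log consumer that confirms verified TLS by matching `CV=yes` will silently stop matching DANE-verified deliveries, so a spec/ChangeLog note is warranted. The enclosing for loop over addr_remote starts outside the hunk.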
diff --git
a/src/src/globals.h
b/src/src/globals.h
index 32ddd16e29f6d249ca75996255f8f8a62cb59146..654114848beee29d63dda61e95d168d097b376b4 100644
--- a/
src/src/globals.h
+++ b/
src/src/globals.h
@@
-82,6
+82,9
@@
typedef struct {
int active; /* fd/socket when in a TLS session */
int bits; /* bits used in TLS session */
BOOL certificate_verified; /* Client certificate verified */
int active; /* fd/socket when in a TLS session */
int bits; /* bits used in TLS session */
BOOL certificate_verified; /* Client certificate verified */
+#ifdef EXPERIMENTAL_DANE
+ BOOL dane_verified; /* ... via DANE */
+#endif
uschar *cipher; /* Cipher used */
BOOL on_connect; /* For older MTAs that don't STARTTLS */
uschar *on_connect_ports; /* Ports always tls-on-connect */
uschar *cipher; /* Cipher used */
BOOL on_connect; /* For older MTAs that don't STARTTLS */
uschar *on_connect_ports; /* Ports always tls-on-connect */
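Review bot: The comment on the new field, `/* ... via DANE */`, only reads as a continuation of the `certificate_verified` comment above it and loses its meaning if the `#ifdef` block is moved or the struct is reordered. A self-contained comment such as `BOOL dane_verified; /* Peer cert verified via a DANE TLSA record; only tls_out is ever set, tls_in is just reset */` reflects what this commit does, since tls-openssl.c assigns TRUE only to tls_out.dane_verified while tls_in.dane_verified is only ever reset to FALSE. The typedef starts outside the hunk.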
diff --git
a/src/src/spool_in.c
b/src/src/spool_in.c
index 6dcb512e42c9c75d7a59ef53d1378b6a197dfcd4..f53251a86fa7ce3a911ea84d299174c7e75b7e71 100644
--- a/
src/src/spool_in.c
+++ b/
src/src/spool_in.c
@@
-284,6
+284,9
@@
dkim_collect_input = FALSE;
#ifdef SUPPORT_TLS
tls_in.certificate_verified = FALSE;
#ifdef SUPPORT_TLS
tls_in.certificate_verified = FALSE;
+# ifdef EXPERIMENTAL_DANE
+tls_in.dane_verified = FALSE;
+# endif
tls_in.cipher = NULL;
tls_in.ourcert = NULL;
tls_in.peercert = NULL;
tls_in.cipher = NULL;
tls_in.ourcert = NULL;
tls_in.peercert = NULL;
diff --git
a/src/src/structs.h
b/src/src/structs.h
index 71ac5d8e3b54a32e97b13f0ad40ce3ff48b1d4dd..27b73e903a82aa311e1fb3ed98fdd2690759b6ce 100644
--- a/
src/src/structs.h
+++ b/
src/src/structs.h
@@
-495,6
+495,9
@@
typedef struct address_item_propagated {
# define af_prdr_used 0x08000000 /* delivery used SMTP PRDR */
#endif
#define af_force_command 0x10000000 /* force_command in pipe transport */
# define af_prdr_used 0x08000000 /* delivery used SMTP PRDR */
#endif
#define af_force_command 0x10000000 /* force_command in pipe transport */
+#ifdef EXPERIMENTAL_DANE
+# define af_dane_verified 0x20000000 /* TLS cert verify done with DANE */
+#endif
/* These flags must be propagated when a child is created */
/* These flags must be propagated when a child is created */
diff --git
a/src/src/tls-openssl.c
b/src/src/tls-openssl.c
index e37b1add5001ad6ba8b6a2f02f07dee08f8b34df..c05253f732d910579a68d7a666b0aed4e6766927 100644
--- a/
src/src/tls-openssl.c
+++ b/
src/src/tls-openssl.c
@@
-386,6
+386,7
@@
return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called,
#ifdef EXPERIMENTAL_DANE
#ifdef EXPERIMENTAL_DANE
+
/* This gets called *by* the dane library verify callback, which interposes
itself.
*/
/* This gets called *by* the dane library verify callback, which interposes
itself.
*/
@@
-402,10
+403,12
@@
tls_out.peerdn = txt;
tls_out.peercert = X509_dup(cert);
if (state == 1)
tls_out.peercert = X509_dup(cert);
if (state == 1)
+ tls_out.dane_verified =
tls_out.certificate_verified = TRUE;
return 1;
}
tls_out.certificate_verified = TRUE;
return 1;
}
-#endif
+
+#endif /*EXPERIMENTAL_DANE*/
/*************************************************
/*************************************************
@@
-1442,6
+1445,9
@@
if (expciphers != NULL)
optional, set up appropriately. */
tls_in.certificate_verified = FALSE;
optional, set up appropriately. */
tls_in.certificate_verified = FALSE;
+#ifdef EXPERIMENTAL_DANE
+tls_in.dane_verified = FALSE;
+#endif
server_verify_callback_called = FALSE;
if (verify_check_host(&tls_verify_hosts) == OK)
server_verify_callback_called = FALSE;
if (verify_check_host(&tls_verify_hosts) == OK)
@@
-1712,6
+1718,9
@@
rc = tls_init(&client_ctx, host, NULL,
if (rc != OK) return rc;
tls_out.certificate_verified = FALSE;
if (rc != OK) return rc;
tls_out.certificate_verified = FALSE;
+#ifdef EXPERIMENTAL_DANE
+tls_out.dane_verified = FALSE;
+#endif
client_verify_callback_called = FALSE;
if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
client_verify_callback_called = FALSE;
if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
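Review bot: In the DANE callback hunk, `tls_out.dane_verified =` on one line with `tls_out.certificate_verified = TRUE;` continuing on the next, as the unbraced body of `if (state == 1)`, is easy to misread as two statements of which only the first is conditional; `if (state == 1) { tls_out.certificate_verified = TRUE; tls_out.dane_verified = TRUE; }` says the same thing unambiguously. Note that the callback still returns 1 unconditionally (context line below the assignment), so for a state other than 1 the only trace of a failed DANE match is that both flags keep the FALSE set at the top of tls_client_start; a one-line comment stating that rejecting the handshake is the interposing dane library's job, if that is indeed the case, would save the next reader the same check. The callback's definition starts outside the hunk.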
diff --git
a/test/log/5850
b/test/log/5850
index 7266ec26a3ce58aac425bf86e7a04aacd5955fdb..4981373210d9cec901a671f2e4d26a06e4ebeda6 100644
--- a/
test/log/5850
+++ b/
test/log/5850
@@
-1,9
+1,9
@@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane512ee.test.ex
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane512ee.test.ex
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=
yes
DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=
dane
DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=
yes
DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=
dane
DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf