From 4d4c2a9bc67a4cb368703cc26fbc520e7428a428 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 10 Aug 2014 11:58:06 +0100 Subject: [PATCH] Add support in the fakens utility for marking records as "secure" and returning an AD bit for lookups.
---
 test/dnszones-src/db.test.ex | 4 +++- test/log/5850 | 11 ++++++----- test/scripts/5850-DANE-OpenSSL/5850 | 2 +- test/src/fakens.c | 30 +++++++++++++++++++++++++---- 4 files changed, 36 insertions(+), 11 deletions(-)
diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex
index 843a35b09..c65baa470 100644
--- a/test/dnszones-src/db.test.ex
+++ b/test/dnszones-src/db.test.ex
@@ -78,7 +78,7 @@ v6 AAAA V6NET:ffff:836f:0a00:000a:0800:200a:c032 ; Alias A and CNAME records for the local host, under the name "eximtesthost" -eximtesthost A HOSTIPV4 +DNSSEC eximtesthost A HOSTIPV4 alias-eximtesthost CNAME eximtesthost.test.ex. ; A bad CNAME
@@ -186,6 +186,8 @@ recurse.test.ex A V4NET.99.0.2 ; -------- Testing MX records -------- +DNSSEC mxplain MX 1 eximtesthost. + mxcased MX 5 ten-99.TEST.EX. ; Points to a host with both A and AAAA
diff --git a/test/log/5850 b/test/log/5850
index 2913e7c4a..f0432dd7e 100644
--- a/test/log/5850
+++ b/test/log/5850
@@ -1,13 +1,14 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00" -1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaX-0005vi-00 DANE error: TLSA lookup failed +1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@mxplain.test.ex R=client T=send_to_server defer (-37): failure while setting up TLS session 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server -1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 10HmaX-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/scripts/5850-DANE-OpenSSL/5850 b/test/scripts/5850-DANE-OpenSSL/5850
index 0776fb6b4..963bf4f4e 100644
--- a/test/scripts/5850-DANE-OpenSSL/5850
+++ b/test/scripts/5850-DANE-OpenSSL/5850
@@ -2,7 +2,7 @@ # exim -DSERVER=server -bd -oX PORT_D **** -exim CALLER@test.ex +exim CALLER@mxplain.test.ex Testing **** exim -d+all -qf
diff --git a/test/src/fakens.c b/test/src/fakens.c
index fa4431810..ec7588cc8 100644
--- a/test/src/fakens.c
+++ b/test/src/fakens.c
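Review bot: The new expected log for test 5850 now ends the client side with `DANE error: TLSA lookup failed` and a `defer (-37)` instead of a delivery, and the server side records `(SSL_accept): error: <>` with an empty error string, so the test now asserts a failure path rather than a successful DANE delivery. If that is the intended state while the DANE TLSA handling is still being built out, a sentence saying so in the commit message would save the next reader from treating it as a regression; if it is not intended, the mxplain records added to db.test.ex presumably still need a TLSA entry before this expectation is right. The empty `error: <>` also suggests the OpenSSL error text is not being captured, which is worth checking separately.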
@@ -48,7 +48,11 @@ line in the zone file contains exactly this: PASS ON NOT FOUND and the domain is not found. It converts the the result to PASS_ON instead of -HOST_NOT_FOUND. */ +HOST_NOT_FOUND. + +Any DNS record line in a zone file can be prefixed with "DNSSEC" and +at least one space; if all the records found by a lookup are marked +as such then the response will have the "AD" bit set. */ #include #include
@@ -209,7 +213,7 @@ Returns: 0 on success, else HOST_NOT_FOUND or NO_DATA or NO_RECOVERY or static int find_records(FILE *f, uschar *zone, uschar *domain, uschar *qtype, - int qtypelen, uschar **pkptr, int *countptr) + int qtypelen, uschar **pkptr, int *countptr, BOOL * dnssec) { int yield = HOST_NOT_FOUND; int domainlen = Ustrlen(domain);
@@ -233,6 +237,8 @@ if (typeptr->name == NULL) rrdomain[0] = 0; /* No previous domain */ (void)fseek(f, 0, SEEK_SET); /* Start again at the beginning */ +*dnssec = TRUE; /* cancelled by first nonsecure rec found */ + /* Scan for RRs */ while (fgets(CS buffer, sizeof(buffer), f) != NULL)
@@ -243,12 +249,13 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL) int i, plen, value; int tvalue = typeptr->value; int qtlen = qtypelen; + BOOL rr_sec = FALSE; p = buffer; while (isspace(*p)) p++; if (*p == 0 || *p == ';') continue; - if (Ustrncmp(p, "PASS ON NOT FOUND", 17) == 0) + if (Ustrncmp(p, US"PASS ON NOT FOUND", 17) == 0) { pass_on_not_found = TRUE; continue;
@@ -259,6 +266,12 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL) *ep = 0; p = buffer; + if (Ustrncmp(p, US"DNSSEC ", 7) == 0) /* tagged as secure */ + { + rr_sec = TRUE; + p += 7; + } + if (!isspace(*p)) { uschar *pp = rrdomain;
@@ -311,6 +324,9 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL) /* Found a relevant record */ + if (!rr_sec) + *dnssec = FALSE; /* cancel AD return */ + yield = 0; *countptr = *countptr + 1;
@@ -444,6 +460,7 @@ uschar buffer[256]; uschar qtype[12]; uschar packet[512]; uschar *pk = packet; +BOOL dnssec; if (argc != 4) {
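Review bot: The new header comment in the @@ -48 hunk says a record may be prefixed with "DNSSEC" and "at least one space", but the parser added in the @@ -259 hunk, `if (Ustrncmp(p, US"DNSSEC ", 7) == 0)` followed by `p += 7;`, skips exactly seven characters; with two or more spaces `p` lands on whitespace, the following `if (!isspace(*p))` then treats the line as a continuation of the previous owner, and the owner name on that line is presumably read in the wrong position so the record never matches. Either make the code match the comment by following `p += 7;` with `while (isspace(*p)) p++;`, or make the comment match the code: `Any DNS record line in a zone file can be prefixed with "DNSSEC" and exactly one space; further whitespace keeps its usual meaning of "same owner as the previous record".` The exact-one-space reading is the only way to tag a continuation record, so the comment fix looks like the right one. The enclosing while loop of find_records starts and ends outside the hunk.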
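Review bot: `*dnssec = TRUE;` in the @@ -233 hunk is set before the scan and is only cleared, in the @@ -311 hunk, by a matching record that lacks the tag, so a lookup that finds no records at all leaves it TRUE and the caller (the @@ -557 hunk) sets AD on a HOST_NOT_FOUND or NO_DATA reply. That may be wanted, as a stand-in for a secure denial of existence, but the zone file has no way to express the opposite, so an entirely untagged name still yields an authenticated negative answer. If that is deliberate, say so at the assignment: `*dnssec = TRUE;   /* cleared by first nonsecure rec found; a lookup that finds no records stays "secure" */`; if it is not, have the caller gate the AD assignment on `count > 0` as well.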
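Review bot: `BOOL dnssec;` in the @@ -444 hunk is never initialised in main, and find_records appears to write it only after the `typeptr->name == NULL` check (the @@ -233 hunk), while the read `if (dnssec)` in the @@ -557 hunk is reached for every yield other than NO_RECOVERY; correctness therefore depends on every early-return path in find_records being exactly NO_RECOVERY. Initialise it at the declaration, `BOOL dnssec = FALSE;`, so an unexpected return path cannot set the AD flag from an indeterminate value. main() continues outside the hunk.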
@@ -545,7 +562,7 @@ if (f == NULL) /* Find the records we want, and add them to the result. */ count = 0; -yield = find_records(f, zone, domain, qtype, qtypelen, &pk, &count); +yield = find_records(f, zone, domain, qtype, qtypelen, &pk, &count, &dnssec); if (yield == NO_RECOVERY) goto END_OFF; packet[6] = (count >> 8) & 255;
@@ -557,6 +574,9 @@ packet[7] = count & 255; packet[10] = 0; packet[11] = 0; +if (dnssec) + ((HEADER *)packet)->ad = 1; + /* Close the zone file, write the result, and return. */ END_OFF:
@@ -565,4 +585,6 @@ END_OFF: return yield; } +/* vi: aw ai sw=2 +*/ /* End of fakens.c */ -- 2.25.1
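Review bot: `((HEADER *)packet)->ad = 1;` in the @@ -557 hunk is the only place in these hunks that reaches the reply header through the `HEADER` struct; the surrounding code sets `packet[6]`, `packet[7]`, `packet[10]` and `packet[11]` byte by byte. Since `packet` is declared `uschar packet[512]` in the @@ -444 hunk, the cast also relies on the array happening to satisfy HEADER's alignment. Setting the flag the same way as the rest of the header, `packet[3] |= 0x20;   /* AD: every RR returned was tagged DNSSEC */`, keeps the style consistent and drops the cast; AD is bit 5 of the second flags byte. main() continues outside the hunk.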