From 53a7196b578115484068f8c13326741824002c32 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 10 Aug 2014 17:25:26 +0100 Subject: [PATCH] Change CV= log line element for dane-verified cert --- src/src/deliver.c | 11 ++++++++++- src/src/globals.h | 3 +++ src/src/spool_in.c | 3 +++ src/src/structs.h | 3 +++ src/src/tls-openssl.c | 11 ++++++++++- test/log/5850 | 4 ++-- 6 files changed, 31 insertions(+), 4 deletions(-) diff --git a/src/src/deliver.c b/src/src/deliver.c index b0b4601dc..ebd06b504 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -697,7 +697,15 @@ d_tlslog(uschar * s, int * sizep, int * ptrp, address_item * addr) if ((log_extra_selector & LX_tls_certificate_verified) != 0 && addr->cipher != NULL) s = string_append(s, sizep, ptrp, 2, US" CV=", - testflag(addr, af_cert_verified)? "yes":"no"); + testflag(addr, af_cert_verified) + ? +#ifdef EXPERIMENTAL_DANE + testflag(addr, af_dane_verified) + ? "dane" + : +#endif + "yes" + : "no"); if ((log_extra_selector & LX_tls_peerdn) != 0 && addr->peerdn != NULL) s = string_append(s, sizep, ptrp, 3, US" DN=\"", string_printing(addr->peerdn), US"\""); @@ -4125,6 +4133,7 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++) /* The certificate verification status goes into the flags */ if (tls_out.certificate_verified) setflag(addr, af_cert_verified); + if (tls_out.dane_verified) setflag(addr, af_dane_verified); /* Use an X item only if there's something to send */ #ifdef SUPPORT_TLS diff --git a/src/src/globals.h b/src/src/globals.h index 32ddd16e2..654114848 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -82,6 +82,9 @@ typedef struct { int active; /* fd/socket when in a TLS session */ int bits; /* bits used in TLS session */ BOOL certificate_verified; /* Client certificate verified */ +#ifdef EXPERIMENTAL_DANE + BOOL dane_verified; /* ... via DANE */ +#endif uschar *cipher; /* Cipher used */ BOOL on_connect; /* For older MTAs that don't STARTTLS */ uschar *on_connect_ports; /* Ports always tls-on-connect */ diff --git a/src/src/spool_in.c b/src/src/spool_in.c index 6dcb512e4..f53251a86 100644 --- a/src/src/spool_in.c +++ b/src/src/spool_in.c @@ -284,6 +284,9 @@ dkim_collect_input = FALSE; #ifdef SUPPORT_TLS tls_in.certificate_verified = FALSE; +# ifdef EXPERIMENTAL_DANE +tls_in.dane_verified = FALSE; +# endif tls_in.cipher = NULL; tls_in.ourcert = NULL; tls_in.peercert = NULL; diff --git a/src/src/structs.h b/src/src/structs.h index 71ac5d8e3..27b73e903 100644 --- a/src/src/structs.h +++ b/src/src/structs.h @@ -495,6 +495,9 @@ typedef struct address_item_propagated { # define af_prdr_used 0x08000000 /* delivery used SMTP PRDR */ #endif #define af_force_command 0x10000000 /* force_command in pipe transport */ +#ifdef EXPERIMENTAL_DANE +# define af_dane_verified 0x20000000 /* TLS cert verify done with DANE */ +#endif /* These flags must be propagated when a child is created */ diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index e37b1add5..c05253f73 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -386,6 +386,7 @@ return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called, #ifdef EXPERIMENTAL_DANE + /* This gets called *by* the dane library verify callback, which interposes itself. */ @@ -402,10 +403,12 @@ tls_out.peerdn = txt; tls_out.peercert = X509_dup(cert); if (state == 1) + tls_out.dane_verified = tls_out.certificate_verified = TRUE; return 1; } -#endif + +#endif /*EXPERIMENTAL_DANE*/ /************************************************* @@ -1442,6 +1445,9 @@ if (expciphers != NULL) optional, set up appropriately. */ tls_in.certificate_verified = FALSE; +#ifdef EXPERIMENTAL_DANE +tls_in.dane_verified = FALSE; +#endif server_verify_callback_called = FALSE; if (verify_check_host(&tls_verify_hosts) == OK) @@ -1712,6 +1718,9 @@ rc = tls_init(&client_ctx, host, NULL, if (rc != OK) return rc; tls_out.certificate_verified = FALSE; +#ifdef EXPERIMENTAL_DANE +tls_out.dane_verified = FALSE; +#endif client_verify_callback_called = FALSE; if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers", diff --git a/test/log/5850 b/test/log/5850 index 7266ec26a..498137321 100644 --- a/test/log/5850 +++ b/test/log/5850 @@ -1,9 +1,9 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane512ee.test.ex 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf -- 2.25.1