From: Jeremy Harris Date: Fri, 1 Aug 2014 17:16:53 +0000 (+0100) Subject: Basic DANE entry points X-Git-Tag: exim-4_85_RC1~67^2~34 X-Git-Url: https://vcs.fsf.org/?p=exim.git;a=commitdiff_plain;h=043b12481513cec52c31717c8ad5248d2b344ad2 Basic DANE entry points --- diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index 6657f63c7..1a786356e 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -1130,6 +1130,7 @@ in a router. Exim will then send the success DSN himself if requested as if the next hop does not support DSN. Adding it to a redirect router makes no difference. + Certificate name checking -------------------------------------------------------------- The X509 certificates used for TLS are supposed be verified @@ -1148,6 +1149,18 @@ a single wildcard being the initial component of a 3-or-more component FQDN). +DANE +------------------------------------------------------------ +If dane is in use the following transport options are ignored: + tls_verify_hosts + tls_try_verify_hosts + tls_verify_certificates + tls_crl + tls_verify_cert_hostnames + hosts_require_ocsp + hosts_request_ocsp + + -------------------------------------------------------------- End of file diff --git a/src/src/EDITME b/src/src/EDITME index d576fd7a3..01c4ebc9d 100644 --- a/src/src/EDITME +++ b/src/src/EDITME @@ -494,6 +494,9 @@ EXIM_MONITOR=eximon.bin # Uncomment the following line to add DSN support # EXPERIMENTAL_DSN=yes +# Uncomment the following line to add DANE support +# EXPERIMENTAL_DANE=yes + ############################################################################### # THESE ARE THINGS YOU MIGHT WANT TO SPECIFY # ############################################################################### diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c index c8099f645..407e6800d 100644 --- a/src/src/dane-openssl.c +++ b/src/src/dane-openssl.c @@ -1471,6 +1471,11 @@ dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0); Call this once. Probably early in startup will do; may need to be after SSL library init. +=> put after call to tls_init() for now + +Return + 1 Success + 0 Fail */ int diff --git a/src/src/dane.c b/src/src/dane.c index 54fd00cee..20dfe5b18 100644 --- a/src/src/dane.c +++ b/src/src/dane.c @@ -2,15 +2,14 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2012, 2014 */ /* See the file NOTICE for conditions of use and distribution. */ -/* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is -based on a patch that was originally contributed by Steve Haslam. It was -adapted from stunnel, a GPL program by Michal Trojnara. The code for GNU TLS is -based on a patch contributed by Nikos Mavroyanopoulos. Because these packages -are so very different, the functions for each are kept in separate files. The -relevant file is #included as required, after any any common functions. +/* This module provides DANE (RFC6659) support for Exim. See also +the draft RFC for DANE-over-SMTP, "SMTP security via opportunistic DANE TLS" +(V. Dukhovni, W. Hardaker) - version 10, dated May 25, 2014. + +The code for DANE support with Openssl was provided by V.Dukhovni. No cryptographic code is included in Exim. All this module does is to call functions from the OpenSSL or GNU TLS libraries. */ @@ -30,15 +29,15 @@ static void dummy(int x) { dummy(x-1); } #else /* Enabling DANE without enabling TLS cannot work. Abort the compilation. */ -#ifndef SUPPORT_TLS -#error DANE support requires that TLS support must be enabled. Abort build. -#endif - -#ifdef USE_GNUTLS -#include "dane-gnu.c" -#else -#include "dane-openssl.c" -#endif +# ifndef SUPPORT_TLS +# error DANE support requires that TLS support must be enabled. Abort build. +# endif + +# ifdef USE_GNUTLS +# include "dane-gnu.c" +# else +# include "dane-openssl.c" +# endif #endif /* EXPERIMENTAL_DANE */ diff --git a/src/src/exim.c b/src/src/exim.c index 517b5435e..8a9de72ac 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -820,6 +820,9 @@ fprintf(f, "Support for:"); #ifdef EXPERIMENTAL_BRIGHTMAIL fprintf(f, " Experimental_Brightmail"); #endif +#ifdef EXPERIMENTAL_DANE + fprintf(f, " Experimental_DANE"); +#endif #ifdef EXPERIMENTAL_DCC fprintf(f, " Experimental_DCC"); #endif diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index eeff64f81..b96dbbf04 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1534,6 +1534,50 @@ return OK; +static int +tls_client_basic_ctx_init(SSL_CTX * ctx, + host_item * host, smtp_transport_options_block * ob +#ifdef EXPERIMENTAL_CERTNAMES + , tls_ext_ctx_cb * cbinfo +#endif + ) +{ +int rc; +/* stick to the old behaviour for compatibility if tls_verify_certificates is + set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only + the specified host patterns if one of them is defined */ + +if ((!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) || + (verify_check_host(&ob->tls_verify_hosts) == OK)) + { + if ((rc = setup_certs(ctx, ob->tls_verify_certificates, + ob->tls_crl, host, FALSE, verify_callback_client)) != OK) + return rc; + client_verify_optional = FALSE; + +#ifdef EXPERIMENTAL_CERTNAMES + if (ob->tls_verify_cert_hostnames) + { + if (!expand_check(ob->tls_verify_cert_hostnames, + US"tls_verify_cert_hostnames", + &cbinfo->verify_cert_hostnames)) + return FAIL; + if (cbinfo->verify_cert_hostnames) + DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n", + cbinfo->verify_cert_hostnames); + } +#endif + } +else if (verify_check_host(&ob->tls_try_verify_hosts) == OK) + { + if ((rc = setup_certs(ctx, ob->tls_verify_certificates, + ob->tls_crl, host, TRUE, verify_callback_client)) != OK) + return rc; + client_verify_optional = TRUE; + } + +return OK; +} /************************************************* * Start a TLS session in a client * @@ -1562,12 +1606,30 @@ uschar *expciphers; X509* server_cert; int rc; static uschar cipherbuf[256]; + +#ifndef DISABLE_OCSP +BOOL require_ocsp = FALSE; +BOOL request_ocsp = FALSE; +#endif +#ifdef EXPERIMENTAL_DANE +BOOL dane_in_use; +#endif + +#ifdef EXPERIMENTAL_DANE +/*XXX TBD: test for transport options, and for TLSA records */ +dane_in_use = FALSE; + +if (!dane_in_use) +#endif + #ifndef DISABLE_OCSP -BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, - NULL, host->name, host->address, NULL) == OK; -BOOL request_ocsp = require_ocsp ? TRUE - : verify_check_this_host(&ob->hosts_request_ocsp, - NULL, host->name, host->address, NULL) == OK; + { + require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, + NULL, host->name, host->address, NULL) == OK; + request_ocsp = require_ocsp ? TRUE + : verify_check_this_host(&ob->hosts_request_ocsp, + NULL, host->name, host->address, NULL) == OK; + } #endif rc = tls_init(&client_ctx, host, NULL, @@ -1598,38 +1660,24 @@ if (expciphers != NULL) return tls_error(US"SSL_CTX_set_cipher_list", host, NULL); } -/* stick to the old behaviour for compatibility if tls_verify_certificates is - set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only - the specified host patterns if one of them is defined */ - -if ((!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) || - (verify_check_host(&ob->tls_verify_hosts) == OK)) +#ifdef EXPERIMENTAL_DANE +if (dane_in_use) { - if ((rc = setup_certs(client_ctx, ob->tls_verify_certificates, - ob->tls_crl, host, FALSE, verify_callback_client)) != OK) - return rc; - client_verify_optional = FALSE; + if (!DANESSL_library_init()) + return tls_error(US"library init", host, US"DANE library error"); + if (DANESSL_CTX_init(client_ctx) <= 0) + return tls_error(US"context init", host, US"DANE library error"); + } +else +#endif + + if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob #ifdef EXPERIMENTAL_CERTNAMES - if (ob->tls_verify_cert_hostnames) - { - if (!expand_check(ob->tls_verify_cert_hostnames, - US"tls_verify_cert_hostnames", - &client_static_cbinfo->verify_cert_hostnames)) - return FAIL; - if (client_static_cbinfo->verify_cert_hostnames) - DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n", - client_static_cbinfo->verify_cert_hostnames); - } + , client_static_cbinfo #endif - } -else if (verify_check_host(&ob->tls_try_verify_hosts) == OK) - { - if ((rc = setup_certs(client_ctx, ob->tls_verify_certificates, - ob->tls_crl, host, TRUE, verify_callback_client)) != OK) + )) != OK) return rc; - client_verify_optional = TRUE; - } if ((client_ssl = SSL_new(client_ctx)) == NULL) return tls_error(US"SSL_new", host, NULL); @@ -1671,6 +1719,23 @@ if (request_ocsp) } #endif +#ifdef EXPERIMENTAL_DANE +if (dane_in_use) + { + if (DANESSL_init(client_ssl, NULL, NULL /*??? hostnames*/) != 1) + return tls_error(US"hostnames load", host, US"DANE library error"); + + /* + foreach TLSA record + + DANESSL_add_tlsa(client_ssl, uint8_t usage, uint8_t selector, + const char *mdname, + unsigned const char *data, size_t dlen) + */ + } +#endif + + /* There doesn't seem to be a built-in timeout on connection. */ DEBUG(D_tls) debug_printf("Calling SSL_connect\n"); @@ -1679,6 +1744,10 @@ alarm(ob->command_timeout); rc = SSL_connect(client_ssl); alarm(0); +#ifdef EXPERIMENTAL_DANE +DANESSL_cleanup(client_ssl); /*XXX earliest possible callpoint. Too early? */ +#endif + if (rc <= 0) return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);