From b4161d10ee4c4eb7fd61224d827cc89726e2d8f8 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 10 Aug 2014 12:31:21 +0100 Subject: [PATCH] Add support in the fakens utility for TLSA records --- src/src/dane-openssl.c | 6 +-- src/src/dns.c | 2 +- src/src/tls-openssl.c | 12 +++--- test/dnszones-src/db.test.ex | 3 ++ test/log/5850 | 2 +- test/src/fakens.c | 74 ++++++++++++++++++++++++++---------- 6 files changed, 67 insertions(+), 32 deletions(-) diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c index aee6323bf..4f90caa4a 100644 --- a/src/src/dane-openssl.c +++ b/src/src/dane-openssl.c @@ -1162,7 +1162,8 @@ dane_cert_list xlist = 0; dane_pkey_list klist = 0; const EVP_MD *md = 0; -DEBUG(D_tls) debug_printf("Dane add_tlsa\n"); +DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n", + usage, selector, mdname); if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx))) { @@ -1340,7 +1341,7 @@ if(sctx->app_verify_callback != verify_cert) return -1; } #else -DEBUG(D_tls) debug_printf("Dane ssl_init\n"); +DEBUG(D_tls) debug_printf("Dane ssl-init\n"); if(dane_idx < 0) { DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_LIBRARY_INIT); @@ -1362,7 +1363,6 @@ if(!SSL_set_ex_data(ssl, dane_idx, dane)) OPENSSL_free(dane); return 0; } -DEBUG(D_tls) debug_printf("Dane ssl-init: new dane struct: %p\n", dane); dane->verify = 0; dane->hosts = 0; diff --git a/src/src/dns.c b/src/src/dns.c index 6efb88d58..3d047abba 100644 --- a/src/src/dns.c +++ b/src/src/dns.c @@ -607,7 +607,7 @@ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT) /* For an SRV lookup, skip over the first two components (the service and protocol names, which both start with an underscore). */ - if (type == T_SRV) + if (type == T_SRV || type == T_TLSA) { while (*checkname++ != '.'); while (*checkname++ != '.'); diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index eb74605da..70ac63f16 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1663,8 +1663,8 @@ if (host->dnssec == DS_YES) } else if (dane_required) { - /* Hmm - what lookup, precisely? */ /*XXX a shame we only find this after making tcp & smtp connection */ + /* move the test earlier? */ log_write(0, LOG_MAIN, "DANE error: previous lookup not DNSSEC"); return FAIL; } @@ -1714,9 +1714,9 @@ if (expciphers != NULL) if (dane) { if (!DANESSL_library_init()) - return tls_error(US"library init", host, US"DANE library error"); + return tls_error(US"library init", host, NULL); if (DANESSL_CTX_init(client_ctx) <= 0) - return tls_error(US"context init", host, US"DANE library error"); + return tls_error(US"context init", host, NULL); } else @@ -1777,7 +1777,7 @@ if (dane) uschar * hostnames[2] = { host->name, NULL }; if (DANESSL_init(client_ssl, NULL, hostnames) != 1) - return tls_error(US"hostnames load", host, US"DANE library error"); + return tls_error(US"hostnames load", host, NULL); for (rr = dns_next_rr(&tlsa_dnsa, &dnss, RESET_ANSWERS); rr; @@ -1805,8 +1805,8 @@ if (dane) mdname, p, rr->size - (p - rr->data))) { default: - case 0: /* action not taken; log error */ - return FAIL; + case 0: /* action not taken */ + return tls_error(US"tlsa load", host, NULL); case 1: break; } } diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex index c65baa470..bd334918b 100644 --- a/test/dnszones-src/db.test.ex +++ b/test/dnszones-src/db.test.ex @@ -77,10 +77,13 @@ badloop A V4NET.0.0.1 v6 AAAA V6NET:ffff:836f:0a00:000a:0800:200a:c032 ; Alias A and CNAME records for the local host, under the name "eximtesthost" +; Make the A covered by DNSSEC and add a TLSA for it. DNSSEC eximtesthost A HOSTIPV4 alias-eximtesthost CNAME eximtesthost.test.ex. +DNSSEC _1225._tcp.eximtesthost TLSA 3 1 2 f000baaa + ; A bad CNAME badcname CNAME rhubarb.test.ex. diff --git a/test/log/5850 b/test/log/5850 index f0432dd7e..e8b37bb61 100644 --- a/test/log/5850 +++ b/test/log/5850 @@ -1,6 +1,6 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 DANE error: TLSA lookup failed +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to eximtesthost.test.ex [ip4.ip4.ip4.ip4] (tlsa load): error:8006C067:DANE library:func(108):Bad TLSA record digest 1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@mxplain.test.ex R=client T=send_to_server defer (-37): failure while setting up TLS session 1999-03-02 09:44:33 End queue run: pid=pppp -qf diff --git a/test/src/fakens.c b/test/src/fakens.c index ec7588cc8..912f41984 100644 --- a/test/src/fakens.c +++ b/test/src/fakens.c @@ -99,21 +99,25 @@ not defined, assume we are in this state. A really old system might not even know about AAAA and SRV at all. */ #ifndef ns_t_a -#define ns_t_a T_A -#define ns_t_ns T_NS -#define ns_t_cname T_CNAME -#define ns_t_soa T_SOA -#define ns_t_ptr T_PTR -#define ns_t_mx T_MX -#define ns_t_txt T_TXT -#define ns_t_aaaa T_AAAA -#define ns_t_srv T_SRV -#ifndef T_AAAA -#define T_AAAA 28 -#endif -#ifndef T_SRV -#define T_SRV 33 -#endif +# define ns_t_a T_A +# define ns_t_ns T_NS +# define ns_t_cname T_CNAME +# define ns_t_soa T_SOA +# define ns_t_ptr T_PTR +# define ns_t_mx T_MX +# define ns_t_txt T_TXT +# define ns_t_aaaa T_AAAA +# define ns_t_srv T_SRV +# define ns_t_tlsa T_TLSA +# ifndef T_AAAA +# define T_AAAA 28 +# endif +# ifndef T_SRV +# define T_SRV 33 +# endif +# ifndef T_TLSA +# define T_TLSA 52 +# endif #endif static tlist type_list[] = { @@ -126,6 +130,7 @@ static tlist type_list[] = { { US"TXT", ns_t_txt }, { US"AAAA", ns_t_aaaa }, { US"SRV", ns_t_srv }, + { US"TLSA", ns_t_tlsa }, { NULL, 0 } }; @@ -189,6 +194,20 @@ while (*name != 0) return pk; } +uschar * +shortfield(uschar ** pp, uschar * pk) +{ +unsigned value = 0; +uschar * p = *pp; + +while (isdigit(*p)) value = value*10 + *p++ - '0'; +while (isspace(*p)) p++; +*pp = p; +*pk++ = (value >> 8) & 255; +*pk++ = value & 255; +return pk; +} + /************************************************* @@ -237,7 +256,7 @@ if (typeptr->name == NULL) rrdomain[0] = 0; /* No previous domain */ (void)fseek(f, 0, SEEK_SET); /* Start again at the beginning */ -*dnssec = TRUE; /* cancelled by first nonsecure rec found */ +*dnssec = TRUE; /* cancelled by first nonsecure rec found */ /* Scan for RRs */ @@ -387,11 +406,7 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL) break; case ns_t_mx: - value = 0; - while (isdigit(*p)) value = value*10 + *p++ - '0'; - while (isspace(*p)) p++; - *pk++ = (value >> 8) & 255; - *pk++ = value & 255; + pk = shortfield(&p, pk); if (ep[-1] != '.') sprintf(ep, "%s.", zone); pk = packname(p, pk); plen = Ustrlen(p); @@ -404,6 +419,23 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL) *pp = pk - pp - 1; break; + case ns_t_tlsa: + pk = shortfield(&p, pk); /* usage */ + pk = shortfield(&p, pk); /* selector */ + pk = shortfield(&p, pk); /* match type */ + while (isxdigit(*p)) + { + value = toupper(*p) - (isdigit(*p) ? '0' : '7') << 4; + if (isxdigit(*++p)) + { + value |= toupper(*p) - (isdigit(*p) ? '0' : '7'); + p++; + } + *pk++ = value & 255; + } + + break; + case ns_t_srv: for (i = 0; i < 3; i++) { -- 2.25.1