[exim-cvs] Add support in the fakens utility for marking rec…

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Add support in the fakens utility for marking records as "secure"
Gitweb: http://git.exim.org/exim.git/commitdiff/4d4c2a9bc67a4cb368703cc26fbc520e7428a428
Commit:     4d4c2a9bc67a4cb368703cc26fbc520e7428a428
Parent:     cf2b569e3a2f8956b7045191e96bc5edfd366c78
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Aug 10 11:58:06 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Aug 10 11:58:06 2014 +0100


    Add support in the fakens utility for marking records as "secure"
    and returning an AD bit for lookups.
---
 test/dnszones-src/db.test.ex        |    4 +++-
 test/log/5850                       |   11 ++++++-----
 test/scripts/5850-DANE-OpenSSL/5850 |    2 +-
 test/src/fakens.c                   |   30 ++++++++++++++++++++++++++----
 4 files changed, 36 insertions(+), 11 deletions(-)


diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex
index 843a35b..c65baa4 100644
--- a/test/dnszones-src/db.test.ex
+++ b/test/dnszones-src/db.test.ex
@@ -78,7 +78,7 @@ v6           AAAA    V6NET:ffff:836f:0a00:000a:0800:200a:c032


; Alias A and CNAME records for the local host, under the name "eximtesthost"

-eximtesthost     A       HOSTIPV4
+DNSSEC eximtesthost     A       HOSTIPV4
 alias-eximtesthost CNAME eximtesthost.test.ex.


; A bad CNAME
@@ -186,6 +186,8 @@ recurse.test.ex A V4NET.99.0.2

; -------- Testing MX records --------

+DNSSEC mxplain      MX  1  eximtesthost.
+
 mxcased      MX  5  ten-99.TEST.EX.


; Points to a host with both A and AAAA
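Review bot: The new `mxplain` MX target is written as `eximtesthost.` (a trailing dot with no zone), whereas the existing alias record in the same file names the same host as `eximtesthost.test.ex.`. In standard zone-file semantics the trailing dot makes the name absolute, so the target would be a top-level `eximtesthost` with no address record in this zone; whether fakens treats it that way I cannot tell from this diff. For consistency with the rest of the file I would write it as `DNSSEC mxplain      MX  1  eximtesthost.test.ex.`, which also keeps the MX target on the record that was just tagged as secure.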
diff --git a/test/log/5850 b/test/log/5850
index 2913e7c..f0432dd 100644
--- a/test/log/5850
+++ b/test/log/5850
@@ -1,13 +1,14 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaX-0005vi-00 DANE error: TLSA lookup failed
+1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@??? R=client T=send_to_server defer (-37): failure while setting up TLS session
1999-03-02 09:44:33 End queue run: pid=pppp -qf

******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@???> R=server
-1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaX-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
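Review bot: The expected client log now pins a failed delivery (`DANE error: TLSA lookup failed` followed by a `defer (-37)`) where it previously pinned a successful TLS delivery, so this test no longer demonstrates a working DANE verification but rather a specific failure mode. Nothing in the commit message says that this regression in the expected outcome is deliberate or interim; presumably the zone has no TLSA records yet and the AD-bit support is a first step. A one-line comment in the test script (for example `# Expected to defer until TLSA records are added to the test zone`) would stop a later reader from treating this log as the intended end state.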
diff --git a/test/scripts/5850-DANE-OpenSSL/5850 b/test/scripts/5850-DANE-OpenSSL/5850
index 0776fb6..963bf4f 100644
--- a/test/scripts/5850-DANE-OpenSSL/5850
+++ b/test/scripts/5850-DANE-OpenSSL/5850
@@ -2,7 +2,7 @@
#
exim -DSERVER=server -bd -oX PORT_D
****
-exim CALLER@???
+exim CALLER@???
Testing
****
exim -d+all -qf
diff --git a/test/src/fakens.c b/test/src/fakens.c
index fa44318..ec7588c 100644
--- a/test/src/fakens.c
+++ b/test/src/fakens.c
@@ -48,7 +48,11 @@ line in the zone file contains exactly this:
PASS ON NOT FOUND

and the domain is not found. It converts the the result to PASS_ON instead of
-HOST_NOT_FOUND. */
+HOST_NOT_FOUND.
+
+Any DNS record line in a zone file can be prefixed with "DNSSEC" and
+at least one space; if all the records found by a lookup are marked
+as such then the response will have the "AD" bit set. */

 #include <ctype.h>
 #include <stdarg.h>
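Review bot: The new paragraph in the file comment says the `DNSSEC` tag may be followed by "at least one space", but the parser added later in this commit matches the literal seven characters `"DNSSEC "` and then reads the domain from the character immediately after, so a second space makes the line look like a blank-domain continuation of the previous record rather than a tagged record for a new name; the comment should also say that the tag must start in column 0, since the code resets `p = buffer` before testing for it. The comment is also silent about what a lookup that finds no records reports: with the initialization used in find_records the AD bit is set in that case too, which is worth stating explicitly because a validating resolver only sets AD on a negative answer for authenticated denial. I would phrase it as: `Any DNS record line in a zone file can be prefixed with "DNSSEC" in column 0 followed by exactly one space; if every record found by a lookup is so marked (including a lookup that finds none) the response has the "AD" bit set.`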
@@ -209,7 +213,7 @@ Returns:      0 on success, else HOST_NOT_FOUND or NO_DATA or NO_RECOVERY or


 static int
 find_records(FILE *f, uschar *zone, uschar *domain, uschar *qtype,
-  int qtypelen, uschar **pkptr, int *countptr)
+  int qtypelen, uschar **pkptr, int *countptr, BOOL * dnssec)
 {
 int yield = HOST_NOT_FOUND;
 int domainlen = Ustrlen(domain);
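Review bot: The new `dnssec` out-parameter is not described in find_records' header comment; the `Returns:` line visible in the hunk context suggests the function has an `Arguments:` list just above this hunk, and it now needs an entry such as `dnssec     set TRUE if all records found were tagged DNSSEC, else FALSE (only valid when the return is not NO_RECOVERY)`. As a point of style, `BOOL * dnssec` puts a space after the `*` where the neighbouring parameters (`uschar **pkptr`, `int *countptr`) bind it to the name; `BOOL *dnssec` matches the rest of the signature. The function body continues beyond this hunk.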
@@ -233,6 +237,8 @@ if (typeptr->name == NULL)
 rrdomain[0] = 0;                 /* No previous domain */
 (void)fseek(f, 0, SEEK_SET);     /* Start again at the beginning */


+*dnssec = TRUE;            /* cancelled by first nonsecure rec found */
+
 /* Scan for RRs */


while (fgets(CS buffer, sizeof(buffer), f) != NULL)
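Review bot: `*dnssec = TRUE` is assigned only after the `if (typeptr->name == NULL)` check shown in the hunk context, so on the path that returns NO_RECOVERY for an unknown query type the caller's `dnssec` is left indeterminate; the caller happens to skip it with `if (yield == NO_RECOVERY) goto END_OFF;`, but correctness then depends on that goto staying in place. Assigning the out-parameter before any early return (or initializing it to FALSE at the top of the function) removes the coupling. Note also that this default means a lookup that matches no records at all reports as "secure"; if that is deliberate, the comment on this line should say so rather than only "cancelled by first nonsecure rec found".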
@@ -243,12 +249,13 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL)
int i, plen, value;
int tvalue = typeptr->value;
int qtlen = qtypelen;
+ BOOL rr_sec = FALSE;

p = buffer;
while (isspace(*p)) p++;
if (*p == 0 || *p == ';') continue;

-  if (Ustrncmp(p, "PASS ON NOT FOUND", 17) == 0)
+  if (Ustrncmp(p, US"PASS ON NOT FOUND", 17) == 0)
     {
     pass_on_not_found = TRUE;
     continue;
@@ -259,6 +266,12 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL)
   *ep = 0;


   p = buffer;
+  if (Ustrncmp(p, US"DNSSEC ", 7) == 0)    /* tagged as secure */
+    {
+    rr_sec = TRUE;
+    p += 7;
+    }
+
   if (!isspace(*p))
     {
     uschar *pp = rrdomain;
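Review bot: The tag test `Ustrncmp(p, US"DNSSEC ", 7)` only recognises a single space after the word, so `DNSSEC<tab>name` is not treated as a tag (it is then parsed as a domain named `DNSSEC<tab>name...`), and `DNSSEC  name` with two spaces is recognised but leaves `p` on whitespace, which the next test silently interprets as "reuse the previous domain" — the record ends up attached to the wrong name with no diagnostic. A separator-agnostic match that consumes all trailing whitespace, `if (Ustrncmp(p, US"DNSSEC", 6) == 0 && isspace(p[6])) { rr_sec = TRUE; for (p += 6; isspace(*p); p++) ; }`, removes both pitfalls at the cost that a tagged line must always carry its own domain; if that restriction is not wanted, the file comment should instead be narrowed to "exactly one space". Either way the `#define`/comment and the parser should agree. The enclosing loop body continues past this hunk.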
@@ -311,6 +324,9 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL)


/* Found a relevant record */

+  if (!rr_sec)
+    *dnssec = FALSE;            /* cancel AD return */
+
   yield = 0;
   *countptr = *countptr + 1;


@@ -444,6 +460,7 @@ uschar buffer[256];
uschar qtype[12];
uschar packet[512];
uschar *pk = packet;
+BOOL dnssec;

if (argc != 4)
{
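Review bot: `BOOL dnssec;` is declared without an initializer and is only written inside find_records, which (judging from the `if (typeptr->name == NULL)` context of the earlier hunk) can return NO_RECOVERY before it assigns the out-parameter; the later read is guarded by a goto, but a cheap `BOOL dnssec = FALSE;` makes the "no AD unless proven" default explicit at the declaration and keeps `-Wmaybe-uninitialized` quiet if the control flow ever changes. This is main()'s declaration block, which continues beyond the hunk.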
@@ -545,7 +562,7 @@ if (f == NULL)
/* Find the records we want, and add them to the result. */

count = 0;
-yield = find_records(f, zone, domain, qtype, qtypelen, &pk, &count);
+yield = find_records(f, zone, domain, qtype, qtypelen, &pk, &count, &dnssec);
if (yield == NO_RECOVERY) goto END_OFF;

packet[6] = (count >> 8) & 255;
@@ -557,6 +574,9 @@ packet[7] = count & 255;
packet[10] = 0;
packet[11] = 0;

+if (dnssec)
+ ((HEADER *)packet)->ad = 1;
+
/* Close the zone file, write the result, and return. */

END_OFF:
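Review bot: The AD bit is set through a `(HEADER *)` cast on the `uschar packet[512]` buffer while every other header field in this function is written byte-wise (`packet[6]`, `packet[7]`, `packet[10]`, `packet[11]`); the same effect without the cast, and without the alignment and aliasing questions a struct view of a byte array raises on stricter targets, is `if (dnssec) packet[3] |= 0x20;    /* AD flag */` (AD is bit 5 of the second flags byte). Because find_records starts `dnssec` at TRUE and only clears it on a matching insecure record, a lookup that found nothing (`count == 0`) also gets AD set, which a real validating resolver would only do for an authenticated denial; if that is not the intent, guard it with `if (dnssec && count > 0)`, and if it is, say so in a comment here.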
@@ -565,4 +585,6 @@ END_OFF:
return yield;
}

+/* vi: aw ai sw=2
+*/
/* End of fakens.c */