[exim-cvs] Add support in the fakens utility for TLSA record…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Exim Git Commits Mailing List
Dátum:  
Címzett: exim-cvs
Tárgy: [exim-cvs] Add support in the fakens utility for TLSA records
Gitweb: http://git.exim.org/exim.git/commitdiff/b4161d10ee4c4eb7fd61224d827cc89726e2d8f8
Commit:     b4161d10ee4c4eb7fd61224d827cc89726e2d8f8
Parent:     4d4c2a9bc67a4cb368703cc26fbc520e7428a428
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Aug 10 12:31:21 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Aug 10 12:31:21 2014 +0100


    Add support in the fakens utility for TLSA records
---
 src/src/dane-openssl.c       |    6 ++--
 src/src/dns.c                |    2 +-
 src/src/tls-openssl.c        |   12 +++---
 test/dnszones-src/db.test.ex |    3 ++
 test/log/5850                |    2 +-
 test/src/fakens.c            |   74 ++++++++++++++++++++++++++++++------------
 6 files changed, 67 insertions(+), 32 deletions(-)


diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index aee6323..4f90caa 100644
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -1162,7 +1162,8 @@ dane_cert_list xlist = 0;
dane_pkey_list klist = 0;
const EVP_MD *md = 0;

-DEBUG(D_tls) debug_printf("Dane add_tlsa\n");
+DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
+              usage, selector, mdname);


if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
{
@@ -1340,7 +1341,7 @@ if(sctx->app_verify_callback != verify_cert)
return -1;
}
#else
-DEBUG(D_tls) debug_printf("Dane ssl_init\n");
+DEBUG(D_tls) debug_printf("Dane ssl-init\n");
if(dane_idx < 0)
{
DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_LIBRARY_INIT);
@@ -1362,7 +1363,6 @@ if(!SSL_set_ex_data(ssl, dane_idx, dane))
OPENSSL_free(dane);
return 0;
}
-DEBUG(D_tls) debug_printf("Dane ssl-init: new dane struct: %p\n", dane);

dane->verify = 0;
dane->hosts = 0;
diff --git a/src/src/dns.c b/src/src/dns.c
index 6efb88d..3d047ab 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -607,7 +607,7 @@ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
/* For an SRV lookup, skip over the first two components (the service and
protocol names, which both start with an underscore). */

-  if (type == T_SRV)
+  if (type == T_SRV || type == T_TLSA)
     {
     while (*checkname++ != '.');
     while (*checkname++ != '.');
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index eb74605..70ac63f 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1663,8 +1663,8 @@ if (host->dnssec == DS_YES)
   }
 else if (dane_required)
   {
-  /* Hmm - what lookup, precisely? */
   /*XXX a shame we only find this after making tcp & smtp connection */
+  /* move the test earlier? */
   log_write(0, LOG_MAIN, "DANE error: previous lookup not DNSSEC");
   return FAIL;
   }
@@ -1714,9 +1714,9 @@ if (expciphers != NULL)
 if (dane)
   {
   if (!DANESSL_library_init())
-    return tls_error(US"library init", host, US"DANE library error");
+    return tls_error(US"library init", host, NULL);
   if (DANESSL_CTX_init(client_ctx) <= 0)
-    return tls_error(US"context init", host, US"DANE library error");
+    return tls_error(US"context init", host, NULL);
   }
 else


@@ -1777,7 +1777,7 @@ if (dane)
uschar * hostnames[2] = { host->name, NULL };

   if (DANESSL_init(client_ssl, NULL, hostnames) != 1)
-    return tls_error(US"hostnames load", host, US"DANE library error");
+    return tls_error(US"hostnames load", host, NULL);


   for (rr = dns_next_rr(&tlsa_dnsa, &dnss, RESET_ANSWERS);
        rr;
@@ -1805,8 +1805,8 @@ if (dane)
         mdname, p, rr->size - (p - rr->data)))
       {
       default:
-      case 0:    /* action not taken; log error */
-        return FAIL;
+      case 0:    /* action not taken */
+    return tls_error(US"tlsa load", host, NULL);
       case 1:    break;
       }
     }
diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex
index c65baa4..bd33491 100644
--- a/test/dnszones-src/db.test.ex
+++ b/test/dnszones-src/db.test.ex
@@ -77,10 +77,13 @@ badloop      A       V4NET.0.0.1
 v6           AAAA    V6NET:ffff:836f:0a00:000a:0800:200a:c032


; Alias A and CNAME records for the local host, under the name "eximtesthost"
+; Make the A covered by DNSSEC and add a TLSA for it.

 DNSSEC eximtesthost     A       HOSTIPV4
 alias-eximtesthost CNAME eximtesthost.test.ex.


+DNSSEC _1225._tcp.eximtesthost    TLSA    3 1 2 f000baaa
+
 ; A bad CNAME


 badcname     CNAME   rhubarb.test.ex.
diff --git a/test/log/5850 b/test/log/5850
index f0432dd..e8b37bb 100644
--- a/test/log/5850
+++ b/test/log/5850
@@ -1,6 +1,6 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 DANE error: TLSA lookup failed
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to eximtesthost.test.ex [ip4.ip4.ip4.ip4] (tlsa load): error:8006C067:DANE library:func(108):Bad TLSA record digest
 1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@??? R=client T=send_to_server defer (-37): failure while setting up TLS session
 1999-03-02 09:44:33 End queue run: pid=pppp -qf


diff --git a/test/src/fakens.c b/test/src/fakens.c
index ec7588c..912f419 100644
--- a/test/src/fakens.c
+++ b/test/src/fakens.c
@@ -99,21 +99,25 @@ not defined, assume we are in this state. A really old system might not even
know about AAAA and SRV at all. */

 #ifndef ns_t_a
-#define ns_t_a      T_A
-#define ns_t_ns     T_NS
-#define ns_t_cname  T_CNAME
-#define ns_t_soa    T_SOA
-#define ns_t_ptr    T_PTR
-#define ns_t_mx     T_MX
-#define ns_t_txt    T_TXT
-#define ns_t_aaaa   T_AAAA
-#define ns_t_srv    T_SRV
-#ifndef T_AAAA
-#define T_AAAA      28
-#endif
-#ifndef T_SRV
-#define T_SRV       33
-#endif
+# define ns_t_a      T_A
+# define ns_t_ns     T_NS
+# define ns_t_cname  T_CNAME
+# define ns_t_soa    T_SOA
+# define ns_t_ptr    T_PTR
+# define ns_t_mx     T_MX
+# define ns_t_txt    T_TXT
+# define ns_t_aaaa   T_AAAA
+# define ns_t_srv    T_SRV
+# define ns_t_tlsa   T_TLSA
+# ifndef T_AAAA
+#  define T_AAAA      28
+# endif
+# ifndef T_SRV
+#  define T_SRV       33
+# endif
+# ifndef T_TLSA
+#  define T_TLSA      52
+# endif
 #endif


 static tlist type_list[] = {
@@ -126,6 +130,7 @@ static tlist type_list[] = {
   { US"TXT",     ns_t_txt },
   { US"AAAA",    ns_t_aaaa },
   { US"SRV",     ns_t_srv },
+  { US"TLSA",    ns_t_tlsa },
   { NULL,        0 }
 };


@@ -189,6 +194,20 @@ while (*name != 0)
return pk;
}

+uschar *
+shortfield(uschar ** pp, uschar * pk)
+{
+unsigned value = 0;
+uschar * p = *pp;
+
+while (isdigit(*p)) value = value*10 + *p++ - '0';
+while (isspace(*p)) p++;
+*pp = p;
+*pk++ = (value >> 8) & 255;
+*pk++ = value & 255;
+return pk;
+}
+


 /*************************************************
@@ -237,7 +256,7 @@ if (typeptr->name == NULL)
 rrdomain[0] = 0;                 /* No previous domain */
 (void)fseek(f, 0, SEEK_SET);     /* Start again at the beginning */


-*dnssec = TRUE;            /* cancelled by first nonsecure rec found */
+*dnssec = TRUE;            /* cancelled by first nonsecure rec found */ 


/* Scan for RRs */

@@ -387,11 +406,7 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL)
     break;


     case ns_t_mx:
-    value = 0;
-    while (isdigit(*p)) value = value*10 + *p++ - '0';
-    while (isspace(*p)) p++;
-    *pk++ = (value >> 8) & 255;
-    *pk++ = value & 255;
+    pk = shortfield(&p, pk);
     if (ep[-1] != '.') sprintf(ep, "%s.", zone);
     pk = packname(p, pk);
     plen = Ustrlen(p);
@@ -404,6 +419,23 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL)
     *pp = pk - pp - 1;
     break;


+    case ns_t_tlsa:
+    pk = shortfield(&p, pk);    /* usage */
+    pk = shortfield(&p, pk);    /* selector */
+    pk = shortfield(&p, pk);    /* match type */
+    while (isxdigit(*p))
+      {
+      value = toupper(*p) - (isdigit(*p) ? '0' : '7') << 4;
+      if (isxdigit(*++p))
+    {
+    value |= toupper(*p) - (isdigit(*p) ? '0' : '7');
+    p++;
+    }
+      *pk++ = value & 255;
+      }
+
+    break;
+
     case ns_t_srv:
     for (i = 0; i < 3; i++)
       {