[exim-cvs] Capture the knowlege that verification succeeded

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: Exim Git Commits Mailing List
Data:  
Para: exim-cvs
Assunto: [exim-cvs] Capture the knowlege that verification succeeded
Gitweb: http://git.exim.org/exim.git/commitdiff/e5cccda9bbf169ea7dc97fa3859735523dd4cec0
Commit:     e5cccda9bbf169ea7dc97fa3859735523dd4cec0
Parent:     101de4772d807b083287d84da97a356486792eab
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Aug 10 16:57:15 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Aug 10 16:57:15 2014 +0100


    Capture the knowlege that verification succeeded
---
 src/src/dane-openssl.c |    7 +++----
 src/src/tls-openssl.c  |   27 +++++++++++++++++++++++++--
 test/confs/5850        |    2 +-
 test/log/5850          |   12 ++++++------
 4 files changed, 35 insertions(+), 13 deletions(-)


diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index aab32ca..2430d47 100644
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -859,7 +859,7 @@ X509 *cert = ctx->cert;             /* XXX: accessor? */
 int matched = 0;
 int chain_length = sk_X509_num(ctx->chain);


-DEBUG(D_tls) debug_printf("Dane verify_chain\n");
+DEBUG(D_tls) debug_printf("Dane verify-chain\n");

 issuer_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_ISSUER];
 leaf_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_LEAF];
@@ -952,7 +952,7 @@ int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
 int matched;
 X509 *cert = ctx->cert;             /* XXX: accessor? */


-DEBUG(D_tls) debug_printf("Dane verify_cert\n");
+DEBUG(D_tls) debug_printf("Dane verify-cert\n");

if(ssl_idx < 0)
ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
@@ -1084,7 +1084,7 @@ DANESSL_cleanup(SSL *ssl)
ssl_dane *dane;
int u;

-DEBUG(D_tls) debug_printf("Dane library cleanup fn called\n");
+DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");

if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
return;
@@ -1106,7 +1106,6 @@ if(dane->roots)
if(dane->chain)
sk_X509_pop_free(dane->chain, X509_free);
OPENSSL_free(dane);
-DEBUG(D_tls) debug_printf("Dane library cleanup fn return\n");
}

 static dane_host_list
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 0014034..e37b1ad 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -361,7 +361,7 @@ else
       return 0;                /* reject */
       }
 # endif
-#endif
+#endif    /*EXPERIMENTAL_CERTNAMES*/


   DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
     *calledp ? "" : " authenticated", txt);
@@ -385,6 +385,28 @@ return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called,
 }



+#ifdef EXPERIMENTAL_DANE
+/* This gets called *by* the dane library verify callback, which interposes
+itself.
+*/
+static int
+verify_callback_client_dane(int state, X509_STORE_CTX * x509ctx)
+{
+X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
+static uschar txt[256];
+
+X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
+
+DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s\n", txt);
+tls_out.peerdn = txt;
+tls_out.peercert = X509_dup(cert);
+
+if (state == 1)
+ tls_out.certificate_verified = TRUE;
+return 1;
+}
+#endif
+

 /*************************************************
 *           Information callback                 *
@@ -999,7 +1021,6 @@ return i;
 #endif    /*!DISABLE_OCSP*/



-
 /*************************************************
 *            Initialize for TLS                  *
 *************************************************/
@@ -1713,6 +1734,8 @@ if (expciphers != NULL)
 #ifdef EXPERIMENTAL_DANE
 if (dane)
   {
+  SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback_client_dane);
+
   if (!DANESSL_library_init())
     return tls_error(US"library init", host, NULL);
   if (DANESSL_CTX_init(client_ctx) <= 0)
diff --git a/test/confs/5850 b/test/confs/5850
index cd4ccc5..b2c7cb7 100644
--- a/test/confs/5850
+++ b/test/confs/5850
@@ -16,7 +16,7 @@ gecos_name = CALLER_NAME


acl_smtp_rcpt = accept

-log_selector = +tls_peerdn
+log_selector = +received_recipients +tls_peerdn +tls_certificate_verified

queue_only
queue_run_in_order
diff --git a/test/log/5850 b/test/log/5850
index 568396d..7266ec2 100644
--- a/test/log/5850
+++ b/test/log/5850
@@ -1,16 +1,16 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf

******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@???
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaY-0005vi-00@???
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@??? for CALLER@???
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaY-0005vi-00@??? for CALLER@???
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: <CALLER@???> R=server
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed