[exim-cvs] Change CV= log line element for dane-verified cer…

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Change CV= log line element for dane-verified cert
Gitweb: http://git.exim.org/exim.git/commitdiff/53a7196b578115484068f8c13326741824002c32
Commit:     53a7196b578115484068f8c13326741824002c32
Parent:     e5cccda9bbf169ea7dc97fa3859735523dd4cec0
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Aug 10 17:25:26 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Aug 10 17:25:26 2014 +0100


    Change CV= log line element for dane-verified cert
---
 src/src/deliver.c     |   11 ++++++++++-
 src/src/globals.h     |    3 +++
 src/src/spool_in.c    |    3 +++
 src/src/structs.h     |    3 +++
 src/src/tls-openssl.c |   11 ++++++++++-
 test/log/5850         |    4 ++--
 6 files changed, 31 insertions(+), 4 deletions(-)


diff --git a/src/src/deliver.c b/src/src/deliver.c
index b0b4601..ebd06b5 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -697,7 +697,15 @@ d_tlslog(uschar * s, int * sizep, int * ptrp, address_item * addr)
   if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
        addr->cipher != NULL)
     s = string_append(s, sizep, ptrp, 2, US" CV=",
-      testflag(addr, af_cert_verified)? "yes":"no");
+      testflag(addr, af_cert_verified)
+      ?
+#ifdef EXPERIMENTAL_DANE
+        testflag(addr, af_dane_verified)
+      ? "dane"
+      :
+#endif
+        "yes"
+      : "no");
   if ((log_extra_selector & LX_tls_peerdn) != 0 && addr->peerdn != NULL)
     s = string_append(s, sizep, ptrp, 3, US" DN=\"",
       string_printing(addr->peerdn), US"\"");
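Review bot: The `#ifdef EXPERIMENTAL_DANE` spliced into the middle of the nested conditional passed to `string_append` for `CV=` is hard to read and easy to mis-edit: the two `?`/`:` pairs span six lines, and the DANE and non-DANE builds see differently shaped expressions. I would compute the label in a local first and keep the preprocessor guard around a whole statement, as below; behaviour is unchanged, since `dane` is still only reported when `af_cert_verified` is set. d_tlslog starts before this hunk.

```c
  if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
       addr->cipher != NULL)
    {
    const uschar * cv = US"no";
    if (testflag(addr, af_cert_verified))
      {
      cv = US"yes";
#ifdef EXPERIMENTAL_DANE
      if (testflag(addr, af_dane_verified)) cv = US"dane";
#endif
      }
    s = string_append(s, sizep, ptrp, 2, US" CV=", cv);
    }
  /* … unchanged: DN= logging … */
```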
@@ -4125,6 +4133,7 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++)


       /* The certificate verification status goes into the flags */
       if (tls_out.certificate_verified) setflag(addr, af_cert_verified);
+      if (tls_out.dane_verified)        setflag(addr, af_dane_verified);


       /* Use an X item only if there's something to send */
       #ifdef SUPPORT_TLS
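Review bot: `tls_out.dane_verified` and `af_dane_verified` are used unconditionally on the added line, but both are declared only under `#ifdef EXPERIMENTAL_DANE` elsewhere in this commit (globals.h and structs.h), so a build without DANE should fail to compile at this line. Guard it like the other new call sites in the commit: `#ifdef EXPERIMENTAL_DANE` / `if (tls_out.dane_verified) setflag(addr, af_dane_verified);` / `#endif`. The enclosing delivery loop starts and ends outside the hunk.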
diff --git a/src/src/globals.h b/src/src/globals.h
index 32ddd16..6541148 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -82,6 +82,9 @@ typedef struct {
   int     active;             /* fd/socket when in a TLS session */
   int     bits;               /* bits used in TLS session */
   BOOL    certificate_verified; /* Client certificate verified */
+#ifdef EXPERIMENTAL_DANE
+  BOOL    dane_verified;        /* ... via DANE */
+#endif
   uschar *cipher;             /* Cipher used */
   BOOL    on_connect;         /* For older MTAs that don't STARTTLS */
   uschar *on_connect_ports;   /* Ports always tls-on-connect */
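Review bot: The comment `/* ... via DANE */` on the new field only makes sense by reference to the line above and does not say when it is set. Suggest `/* certificate_verified was established by the DANE verify callback; only set alongside certificate_verified */`, which is what the tls-openssl.c callback in this commit does. The struct typedef starts outside the hunk.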
diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index 6dcb512..f53251a 100644
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
@@ -284,6 +284,9 @@ dkim_collect_input = FALSE;


 #ifdef SUPPORT_TLS
 tls_in.certificate_verified = FALSE;
+# ifdef EXPERIMENTAL_DANE
+tls_in.dane_verified = FALSE;
+# endif
 tls_in.cipher = NULL;
 tls_in.ourcert = NULL;
 tls_in.peercert = NULL;
diff --git a/src/src/structs.h b/src/src/structs.h
index 71ac5d8..27b73e9 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -495,6 +495,9 @@ typedef struct address_item_propagated {
 # define af_prdr_used          0x08000000 /* delivery used SMTP PRDR */
 #endif
 #define af_force_command       0x10000000 /* force_command in pipe transport */
+#ifdef EXPERIMENTAL_DANE
+# define af_dane_verified      0x20000000 /* TLS cert verify done with DANE */
+#endif


/* These flags must be propagated when a child is created */

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index e37b1ad..c05253f 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -386,6 +386,7 @@ return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called,


#ifdef EXPERIMENTAL_DANE
+
/* This gets called *by* the dane library verify callback, which interposes
itself.
*/
@@ -402,10 +403,12 @@ tls_out.peerdn = txt;
tls_out.peercert = X509_dup(cert);

 if (state == 1)
+  tls_out.dane_verified =
   tls_out.certificate_verified = TRUE;
 return 1;
 }
-#endif
+
+#endif    /*EXPERIMENTAL_DANE*/



/*************************************************
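Review bot: The chained assignment split across two lines, `tls_out.dane_verified =` / `tls_out.certificate_verified = TRUE;`, reads at a glance like an unfinished statement followed by the original one, and the `if (state == 1)` then looks as though it guards only the first. Either keep it on one line or brace it: `if (state == 1) { tls_out.dane_verified = TRUE; tls_out.certificate_verified = TRUE; }`. The callback's signature and the start of its body are outside the hunk.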
@@ -1442,6 +1445,9 @@ if (expciphers != NULL)
optional, set up appropriately. */

tls_in.certificate_verified = FALSE;
+#ifdef EXPERIMENTAL_DANE
+tls_in.dane_verified = FALSE;
+#endif
server_verify_callback_called = FALSE;

if (verify_check_host(&tls_verify_hosts) == OK)
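Review bot: Nothing in this commit sets `tls_in.dane_verified` — the only writer is the client-side DANE callback, which writes `tls_out` — so the new reset here (and the matching one in spool_in.c) appears to clear a field that is never TRUE. If inbound DANE is not intended, a one-line comment such as `/* never set server-side; cleared for symmetry with tls_out */` would save a reader hunting for the missing setter; if it is intended later, that is worth saying too. The enclosing function starts and ends outside the hunk.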
@@ -1712,6 +1718,9 @@ rc = tls_init(&client_ctx, host, NULL,
if (rc != OK) return rc;

tls_out.certificate_verified = FALSE;
+#ifdef EXPERIMENTAL_DANE
+tls_out.dane_verified = FALSE;
+#endif
client_verify_callback_called = FALSE;

if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
diff --git a/test/log/5850 b/test/log/5850
index 7266ec2..4981373 100644
--- a/test/log/5850
+++ b/test/log/5850
@@ -1,9 +1,9 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf