[exim-cvs] Break out dane code to separate functions

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Break out dane code to separate functions
Gitweb: http://git.exim.org/exim.git/commitdiff/fde080a4f34a8eb0f92af6dfc7e4e6ae01fd61f8
Commit:     fde080a4f34a8eb0f92af6dfc7e4e6ae01fd61f8
Parent:     85098ee7ec9a0201b9d0df7dff202506097420b1
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sat Aug 16 22:36:56 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sat Aug 16 22:36:56 2014 +0100


    Break out dane code to separate functions
---
 src/src/tls-openssl.c |  188 ++++++++++++++++++++++++++-----------------------
 1 files changed, 101 insertions(+), 87 deletions(-)


diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 2ed1fcb..144be6f 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1610,6 +1610,101 @@ else if (verify_check_host(&ob->tls_try_verify_hosts) == OK)
return OK;
}

+
+#ifdef EXPERIMENTAL_DANE
+static int
+tlsa_lookup(host_item * host, dns_answer * dnsa,
+  BOOL dane_required, BOOL * dane)
+{
+/* move this out to host.c given the similarity to dns_lookup() ? */
+uschar buffer[300];
+uschar * fullname = buffer;
+
+/* TLSA lookup string */
+(void)sprintf(CS buffer, "_%d._tcp.%.256s", host->port, host->name);
+
+switch (dns_lookup(dnsa, buffer, T_TLSA, &fullname))
+  {
+  case DNS_AGAIN:
+    return DEFER; /* just defer this TLS'd conn */
+
+  default:
+  case DNS_FAIL:
+    if (dane_required)
+      {
+      log_write(0, LOG_MAIN, "DANE error: TLSA lookup failed");
+      return FAIL;
+      }
+    break;
+
+  case DNS_SUCCEED:
+    if (!dns_is_secure(dnsa))
+      {
+      log_write(0, LOG_MAIN, "DANE error: TLSA lookup not DNSSEC");
+      return DEFER;
+      }
+    *dane = TRUE;
+    break;
+  }
+return OK;
+}
+
+
+static int
+dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa)
+{
+dns_record * rr;
+dns_scan dnss;
+const char * hostnames[2] = { CS host->name, NULL };
+int found = 0;
+
+if (DANESSL_init(ssl, NULL, hostnames) != 1)
+  return tls_error(US"hostnames load", host, NULL);
+
+for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
+     rr;
+     rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
+    ) if (rr->type == T_TLSA)
+  {
+  uschar * p = rr->data;
+  uint8_t usage, selector, mtype;
+  const char * mdname;
+
+  found++;
+  usage = *p++;
+  selector = *p++;
+  mtype = *p++;
+
+  switch (mtype)
+    {
+    default:
+      log_write(0, LOG_MAIN,
+        "DANE error: TLSA record w/bad mtype 0x%x", mtype);
+      return FAIL;
+    case 0:    mdname = NULL; break;
+    case 1:    mdname = "sha256"; break;
+    case 2:    mdname = "sha512"; break;
+    }
+
+  switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
+    {
+    default:
+    case 0:    /* action not taken */
+      return tls_error(US"tlsa load", host, NULL);
+    case 1:    break;
+    }
+  }
+
+if (found)
+  return OK;
+
+log_write(0, LOG_MAIN, "DANE error: No TLSA records");
+return FAIL;
+}
+#endif    /*EXPERIMENTAL_DANE*/
+
+
+
 /*************************************************
 *    Start a TLS session in a client             *
 *************************************************/
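Review bot: In dane_tlsa_load the three fixed RDATA bytes are consumed with `usage = *p++; selector = *p++; mtype = *p++;` and the remainder is passed as `rr->size - 3`, but nothing checks that rr->size is at least 3 first, so a truncated TLSA record would be read past its end and the remaining length would go negative (or wrap, if DANESSL_add_tlsa takes an unsigned length). The inline code this commit replaces had the same gap via `rr->size - (p - rr->data)`, but the new function is the natural place to add the guard before `usage = *p++;`: `if (rr->size < 3) { log_write(0, LOG_MAIN, "DANE error: TLSA record too short"); return FAIL; }`. DNSSEC validation in tlsa_lookup establishes authenticity of the answer, not that each record is well-formed, so the length check belongs at this parsing boundary regardless. A secondary point in tlsa_lookup: the `sprintf` into the 300-byte buffer is bounded only by the `%.256s` precision; `snprintf(CS buffer, sizeof buffer, ...)` would make the bound explicit.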
@@ -1649,6 +1744,7 @@ BOOL dane_required;
 #endif


 #ifdef EXPERIMENTAL_DANE
+tls_out.dane_verified = FALSE;
 dane_required = verify_check_this_host(&ob->hosts_require_dane, NULL,
               host->name, host->address, NULL) == OK;


@@ -1658,39 +1754,8 @@ if (host->dnssec == DS_YES)
     || verify_check_this_host(&ob->hosts_try_dane, NULL,
               host->name, host->address, NULL) == OK
     )
-    {
-    /* move this out to host.c given the similarity to dns_lookup() ? */
-    uschar buffer[300];
-    uschar * fullname = buffer;
-
-    /* TLSA lookup string */
-    (void)sprintf(CS buffer, "_%d._tcp.%.256s", host->port,
-      host->name);
-
-    switch (rc = dns_lookup(&tlsa_dnsa, buffer, T_TLSA, &fullname))
-      {
-      case DNS_AGAIN:
-    return DEFER; /* just defer this TLS'd conn */
-
-      default:
-      case DNS_FAIL:
-    if (dane_required)
-      {
-      log_write(0, LOG_MAIN, "DANE error: TLSA lookup failed");
-      return FAIL;
-      }
-    break;
-
-      case DNS_SUCCEED:
-    if (!dns_is_secure(&tlsa_dnsa))
-      {
-      log_write(0, LOG_MAIN, "DANE error: TLSA lookup not DNSSEC");
-      return DEFER;
-      }
-    dane = TRUE;
-    break;
-      }
-    }
+    if ((rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK)
+      return rc;
   }
 else if (dane_required)
   {
@@ -1721,9 +1786,6 @@ rc = tls_init(&client_ctx, host, NULL,
 if (rc != OK) return rc;


tls_out.certificate_verified = FALSE;
-#ifdef EXPERIMENTAL_DANE
-tls_out.dane_verified = FALSE;
-#endif
client_verify_callback_called = FALSE;

if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
@@ -1806,56 +1868,8 @@ if (request_ocsp)

 #ifdef EXPERIMENTAL_DANE
 if (dane)
-  {
-  dns_record * rr;
-  dns_scan dnss;
-  const char * hostnames[2] = { CS host->name, NULL };
-  int found = 0;
-
-  if (DANESSL_init(client_ssl, NULL, hostnames) != 1)
-    return tls_error(US"hostnames load", host, NULL);
-
-  for (rr = dns_next_rr(&tlsa_dnsa, &dnss, RESET_ANSWERS);
-       rr;
-       rr = dns_next_rr(&tlsa_dnsa, &dnss, RESET_NEXT)
-      ) if (rr->type == T_TLSA)
-    {
-    uschar * p = rr->data;
-    int usage, selector, mtype;
-    const char * mdname;
-
-    found++;
-    usage = *p++;
-    selector = *p++;
-    mtype = *p++;
-
-    switch (mtype)
-      {
-      default:
-    log_write(0, LOG_MAIN, "DANE error: TLSA record w/bad mtype 0x%x", mtype);
-    return FAIL;
-      case 0:    mdname = NULL; break;
-      case 1:    mdname = "sha256"; break;
-      case 2:    mdname = "sha512"; break;
-      }
-
-    switch (DANESSL_add_tlsa(client_ssl,
-        (uint8_t) usage, (uint8_t) selector,
-        mdname, p, rr->size - (p - rr->data)))
-      {
-      default:
-      case 0:    /* action not taken */
-    return tls_error(US"tlsa load", host, NULL);
-      case 1:    break;
-      }
-    }
-
-  if (!found)
-    {
-    log_write(0, LOG_MAIN, "DANE error: No TLSA records");
-    return FAIL;
-    }
-  }
+  if ((rc = dane_tlsa_load(client_ssl, host, &tlsa_dnsa)) != OK)
+    return rc;
 #endif



@@ -1869,7 +1883,7 @@ alarm(0);

 #ifdef EXPERIMENTAL_DANE
 if (dane)
-  DANESSL_cleanup(client_ssl);    /*XXX earliest possible callpoint. Too early? */
+  DANESSL_cleanup(client_ssl);
 #endif


if (rc <= 0)