[exim-cvs] Merge branch dane-tpda into dane

Top Page
Delete this message
Reply to this message
Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Merge branch dane-tpda into dane
Gitweb: http://git.exim.org/exim.git/commitdiff/83b2729321db62e758a300e372b2dd74e527d004
Commit:     83b2729321db62e758a300e372b2dd74e527d004
Parent:     a1bccd48f3956b50a13a34f5aed4b72c658c61af
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Wed Aug 20 20:34:17 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Wed Aug 20 20:36:25 2014 +0100


    Merge branch dane-tpda into dane


    Conflicts:
        doc/doc-txt/experimental-spec.txt
        src/src/deliver.c
        src/src/functions.h
        src/src/smtp_out.c
        src/src/tls-openssl.c
        src/src/transports/smtp.c
        src/src/verify.c
---
 src/src/deliver.c                            |    6 ++
 src/src/tls-openssl.c                        |   26 ++++++++
 src/src/verify.c                             |    8 ++-
 test/confs/5860                              |   88 ++++++++++++++++++++++++++
 test/log/5860                                |   40 ++++++++++++
 test/scripts/5860-DANE-OpenSSL-TPDA/5860     |   30 +++++++++
 test/scripts/5860-DANE-OpenSSL-TPDA/REQUIRES |    4 +
 7 files changed, 200 insertions(+), 2 deletions(-)


diff --git a/src/src/deliver.c b/src/src/deliver.c
index d00af9c..676de55 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -1134,6 +1134,9 @@ if (result == OK)
tls_out.cipher = addr->cipher;
tls_out.peerdn = addr->peerdn;
tls_out.ocsp = addr->ocsp;
+# ifdef EXPERIMENTAL_DANE
+ tls_out.dane_verified = testflag(addr, af_dane_verified);
+# endif
#endif

delivery_log(LOG_MAIN, addr, logchar, NULL);
@@ -1152,6 +1155,9 @@ if (result == OK)
tls_out.cipher = NULL;
tls_out.peerdn = NULL;
tls_out.ocsp = OCSP_NOT_REQ;
+# ifdef EXPERIMENTAL_DANE
+ tls_out.dane_verified = FALSE;
+# endif
#endif
}

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 735ebff..2e95a46 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -437,6 +437,9 @@ verify_callback_client_dane(int state, X509_STORE_CTX * x509ctx)
{
X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
static uschar txt[256];
+#ifdef EXPERIMENTAL_TPDA
+int depth = X509_STORE_CTX_get_error_depth(x509ctx);
+#endif

X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));

@@ -444,6 +447,25 @@ DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s\n", txt);
tls_out.peerdn = txt;
tls_out.peercert = X509_dup(cert);

+#ifdef EXPERIMENTAL_TPDA
+  if (client_static_cbinfo->event_action)
+    {
+    if (tpda_raise_event(client_static_cbinfo->event_action,
+            US"tls:cert", string_sprintf("%d", depth)) == DEFER)
+      {
+      log_write(0, LOG_MAIN, "DANE verify denied by event-action: "
+                  "depth=%d cert=%s", depth, txt);
+      tls_out.certificate_verified = FALSE;
+      return 0;                /* reject */
+      }
+    if (depth != 0)
+      {
+      X509_free(tls_out.peercert);
+      tls_out.peercert = NULL;
+      }
+    }
+#endif
+
 if (state == 1)
   tls_out.dane_verified =
   tls_out.certificate_verified = TRUE;
@@ -1958,6 +1980,10 @@ if (request_ocsp)
 client_static_cbinfo->event_action = tb->tpda_event_action;
 #endif


+#ifdef EXPERIMENTAL_TPDA
+client_static_cbinfo->event_action = tb->tpda_event_action;
+#endif
+
/* There doesn't seem to be a built-in timeout on connection. */

 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
diff --git a/src/src/verify.c b/src/src/verify.c
index edd9ad1..d2ecb9c 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -660,7 +660,7 @@ else
         /* TLS negotiation failed; give an error.  Try in clear on a new connection,
            if the options permit it for this host. */
         if (rc != OK)
-      {
+          {
       if (  rc == DEFER
          && ob->tls_tempfail_tryclear
          && !smtps
@@ -672,7 +672,11 @@ else
 #endif
          )
         {
-          (void)close(inblock.sock);
+        (void)close(inblock.sock);
+#ifdef EXPERIMENTAL_TPDA
+        (void) tpda_raise_event(addr->transport->tpda_event_action,
+                    US"tcp:close", NULL);
+#endif
         log_write(0, LOG_MAIN, "TLS session failure: delivering unencrypted "
           "to %s [%s] (not in hosts_require_tls)", host->name, host->address);
         suppress_tls = TRUE;
diff --git a/test/confs/5860 b/test/confs/5860
new file mode 100644
index 0000000..7dc4b09
--- /dev/null
+++ b/test/confs/5860
@@ -0,0 +1,88 @@
+# Exim test configuration 5850
+# DANE
+
+SERVER=
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+CDIR1 = DIR/aux-fixed
+CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
+
+tls_certificate = ${if eq {SERVER}{server} \
+    {${if eq {DETAILS}{ta} \
+        {CDIR2/fullchain.pem}\
+        {CDIR1/cert1}}}\
+    fail}
+
+tls_privatekey = ${if eq {SERVER}{server} \
+    {${if eq {DETAILS}{ta} \
+        {CDIR2/server1.example.com.unlocked.key}\
+        {CDIR1/cert1}}}\
+    fail}
+
+
+begin acl
+
+logger:
+  accept condition = ${if eq {tls} {${listextract{1}{$tpda_event}}}}
+     logwrite = $tpda_event depth = $tpda_data \
+            <${certextract {subject} {$tls_out_peercert}}>
+#  message = noooo
+
+  accept condition = ${if eq {msg} {${listextract{1}{$tpda_event}}}}
+     logwrite = $tpda_event dane=$tls_out_dane
+  accept
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = dnslookup
+  condition = ${if eq {SERVER}{}}
+  dnssec_request_domains = *
+  self = send
+  transport = send_to_server
+
+server:
+  driver = redirect
+  data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+  driver = smtp
+  allow_localhost
+  port = PORT_D
+
+#  hosts_try_dane = *
+  hosts_require_dane = *
+  hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \
+                 {= {0}{$tls_out_tlsa_usage}} } \
+                        {*}{}}
+
+  tpda_event_action =   ${acl {logger}}
+
+# End
diff --git a/test/log/5860 b/test/log/5860
new file mode 100644
index 0000000..7c1bf66
--- /dev/null
+++ b/test/log/5860
@@ -0,0 +1,40 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 tls:cert depth = 0 <CN=Phil Pennock,OU=Test Suite,O=The Exim Maintainers,C=UK>
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 msg:delivery dane=yes
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth = 0 <CN=Phil Pennock,OU=Test Suite,O=The Exim Maintainers,C=UK>
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 msg:delivery dane=yes
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 2 <CN=clica CA,O=example.com>
+1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 0 <CN=server1.example.com>
+1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 2 <CN=clica CA,O=example.com>
+1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 1 <CN=clica Signing Cert,O=example.com>
+1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 0 <CN=server1.example.com>
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane256ta.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 msg:delivery dane=yes
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@??? for CALLER@???
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaY-0005vi-00@??? for CALLER@???
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbB-0005vi-00@??? for CALLER@???
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/scripts/5860-DANE-OpenSSL-TPDA/5860 b/test/scripts/5860-DANE-OpenSSL-TPDA/5860
new file mode 100644
index 0000000..94bc4d2
--- /dev/null
+++ b/test/scripts/5860-DANE-OpenSSL-TPDA/5860
@@ -0,0 +1,30 @@
+# DANE client: TPDA
+#
+exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
+****
+# TLSA (3 1 1)
+exim CALLER@???
+Testing
+****
+# TLSA (3 1 2)
+exim CALLER@???
+Testing
+****
+exim -qf
+****
+killdaemon
+exim -DSERVER=server -DDETAILS=ee -DNOTDAEMON -qf
+****
+#
+#
+exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D
+****
+# TLSA (2 0 1)
+exim CALLER@???
+Testing
+****
+exim -qf
+****
+killdaemon
+exim -DSERVER=server -DDETAILS=ta -DNOTDAEMON -qf
+****
diff --git a/test/scripts/5860-DANE-OpenSSL-TPDA/REQUIRES b/test/scripts/5860-DANE-OpenSSL-TPDA/REQUIRES
new file mode 100644
index 0000000..7e51b4f
--- /dev/null
+++ b/test/scripts/5860-DANE-OpenSSL-TPDA/REQUIRES
@@ -0,0 +1,4 @@
+support Experimental_DANE
+support Experimental_TPDA
+support OpenSSL
+running IPv4