author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-08-10 12:31:21 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2014-08-10 12:31:21 +0100 |
commit | b4161d10ee4c4eb7fd61224d827cc89726e2d8f8 (patch) | |
tree | 7f4176233a67f97f12129f6d7e17bec7b5438524 /src | |
parent | 4d4c2a9bc67a4cb368703cc26fbc520e7428a428 (diff) |
Add support in the fakens utility for TLSA records
Diffstat (limited to 'src')
-rw-r--r-- | src/src/dane-openssl.c | 6 | ||||
-rw-r--r-- | src/src/dns.c | 2 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 12 |
3 files changed, 10 insertions, 10 deletions
diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c index aee6323bf..4f90caa4a 100644 --- a/src/src/dane-openssl.c +++ b/src/src/dane-openssl.c @@ -1162,7 +1162,8 @@ dane_cert_list xlist = 0; dane_pkey_list klist = 0; const EVP_MD *md = 0; -DEBUG(D_tls) debug_printf("Dane add_tlsa\n"); +DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n", + usage, selector, mdname); if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx))) { @@ -1340,7 +1341,7 @@ if(sctx->app_verify_callback != verify_cert) return -1; } #else -DEBUG(D_tls) debug_printf("Dane ssl_init\n"); +DEBUG(D_tls) debug_printf("Dane ssl-init\n"); if(dane_idx < 0) { DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_LIBRARY_INIT); @@ -1362,7 +1363,6 @@ if(!SSL_set_ex_data(ssl, dane_idx, dane)) OPENSSL_free(dane); return 0; } -DEBUG(D_tls) debug_printf("Dane ssl-init: new dane struct: %p\n", dane); dane->verify = 0; dane->hosts = 0; diff --git a/src/src/dns.c b/src/src/dns.c index 6efb88d58..3d047abba 100644 --- a/src/src/dns.c +++ b/src/src/dns.c @@ -607,7 +607,7 @@ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT) /* For an SRV lookup, skip over the first two components (the service and protocol names, which both start with an underscore). */ - if (type == T_SRV) + if (type == T_SRV || type == T_TLSA) { while (*checkname++ != '.'); while (*checkname++ != '.'); diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index eb74605da..70ac63f16 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1663,8 +1663,8 @@ if (host->dnssec == DS_YES) } else if (dane_required) { - /* Hmm - what lookup, precisely? */ /*XXX a shame we only find this after making tcp & smtp connection */ + /* move the test earlier? */ log_write(0, LOG_MAIN, "DANE error: previous lookup not DNSSEC"); return FAIL; } 
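Review bot: The new debug line in the `@@ -1162` hunk prints `mdname` with `%s`, yet for the full-certificate matching type the DANE API conventionally passes a NULL digest name (Exim's caller selects `mdname` per matching type in tls-openssl.c, not visible here), and handing NULL to `%s` is undefined behaviour in C even though glibc happens to print `(null)`. Guard the argument: `usage, selector, mdname ? mdname : "(none)");`. The enclosing function continues outside the hunk, so I cannot confirm from this page whether the parameter is documented as nullable; if it is not, a NULL check at function entry would be the better place.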
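Review bot: The two `while (*checkname++ != '.');` loops in dns.c now also run for TLSA names, and neither checks for NUL, so a name with fewer than two dots reads past the end of the string; the `_port._tcp.` prefix Exim builds presumably guarantees both dots, but the loop should not rely on the caller for that: `while (*checkname && *checkname++ != '.');` (both occurrences). The comment above the condition still says "For an SRV lookup"; extend it to `/* For an SRV or TLSA lookup, skip over the first two components (the service or port, and the protocol name, which both start with an underscore). */`. The enclosing function continues outside the hunk.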
@@ -1714,9 +1714,9 @@ if (expciphers != NULL) if (dane) { if (!DANESSL_library_init()) - return tls_error(US"library init", host, US"DANE library error"); + return tls_error(US"library init", host, NULL); if (DANESSL_CTX_init(client_ctx) <= 0) - return tls_error(US"context init", host, US"DANE library error"); + return tls_error(US"context init", host, NULL); } else @@ -1777,7 +1777,7 @@ if (dane) uschar * hostnames[2] = { host->name, NULL }; if (DANESSL_init(client_ssl, NULL, hostnames) != 1) - return tls_error(US"hostnames load", host, US"DANE library error"); + return tls_error(US"hostnames load", host, NULL); for (rr = dns_next_rr(&tlsa_dnsa, &dnss, RESET_ANSWERS); rr; @@ -1805,8 +1805,8 @@ if (dane) mdname, p, rr->size - (p - rr->data))) { default: - case 0: /* action not taken; log error */ - return FAIL; + case 0: /* action not taken */ + return tls_error(US"tlsa load", host, NULL); case 1: break; } } |
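Review bot: Passing NULL as the message to tls_error in the `@@ -1714` hunk presumably makes it take the reason from the OpenSSL error queue; that only helps if every failure path in DANESSL_library_init() and DANESSL_CTX_init() has pushed an error with DANEerr(), otherwise the log line degrades from the old fixed "DANE library error" to no reason at all. The dane-openssl.c hunks show DANEerr being called on at least one init path, but not all early returns are visible here, so check the rest. Where a path can fail without queuing an error, add the matching `DANEerr(...)` in dane-openssl.c rather than restoring the fixed text. The enclosing function continues outside the hunk.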
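Review bot: The rewritten `case 0:` in the `@@ -1805` hunk turns a record the library merely declined to add ("action not taken") into a hard failure of the whole session, and since `default:` shares the label, a negative return is handled identically. RFC 7671 §4.1 requires unusable TLSA records (unknown usage, selector or matching type) to be ignored, with DANE failing only when no usable record remains; if DANESSL_add_tlsa reports "unusable" as 0 and an internal error as a negative value (not visible here), only the latter should reach `tls_error`. I would write `case 0: continue; /* unusable record, skip per RFC 7671 */`, keep `default:` as the `tls_error` path, count the records accepted under `case 1`, and after the loop `return tls_error(US"tlsa load", host, NULL);` when that count is zero. The lines following the for loop and the rest of the enclosing function lie outside the hunk.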