author | Jeremy Harris <jgh146exb@wizmail.org> | 2018-09-08 19:31:49 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2018-09-09 15:45:27 +0100 |
commit | 624f33dfeab938e907251e3cc3062aa45353384f (patch) | |
tree | 40a0ab340f82728d3460f4c0c42758b210fa056f /src | |
parent | 2b8d6aff36a25e06f418aec9e90fe7668562914b (diff) |
DANE - testcase for fail under GnuTLS with TA-mode to a selfsigned server cert
Diffstat (limited to 'src')
-rw-r--r-- | src/src/lookups/dnsdb.c | 10 | ||||
-rw-r--r-- | src/src/tls-gnu.c | 3 | ||||
-rw-r--r-- | src/src/transports/smtp.c | 24 |
3 files changed, 29 insertions, 8 deletions
diff --git a/src/src/lookups/dnsdb.c b/src/src/lookups/dnsdb.c
index a86338261..e75bd1edd 100644
--- a/src/src/lookups/dnsdb.c
+++ b/src/src/lookups/dnsdb.c
@@ -150,7 +150,7 @@ store as possible later, so we preallocate the result here */
 gstring * yield = string_get(256);
-dns_record *rr;
+dns_record * rr;
 dns_answer dnsa;
 dns_scan dnss;
@@ -421,7 +421,7 @@ while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
 else if (type == T_TLSA)
 {
 uint8_t usage, selector, matching_type;
- uint16_t i, payload_length;
+ uint16_t payload_length;
 uschar s[MAX_TLSA_EXPANDED_SIZE];
 uschar * sp = s;
 uschar * p = US rr->data;
@@ -434,10 +434,8 @@ while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
 sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2, selector, *outsep2, matching_type, *outsep2);
 /* Now append the cert/identifier, one hex char at a time */
- for (i=0;
- i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
- i++)
- sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
+ while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+ sp += sprintf(CS sp, "%02x", *p++);
 yield = string_cat(yield, s);
 }
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index dfe09200b..c5ecf88f9 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1775,7 +1775,8 @@ goodcert:
 #ifdef SUPPORT_DANE
 tlsa_prob:
- *errstr = string_sprintf("TLSA record problem: %s", dane_strerror(rc));
+ *errstr = string_sprintf("TLSA record problem: %s",
+ rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
 #endif
 badcert:
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 076375158..703ee563a 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1247,7 +1247,29 @@ switch (rc)
 return DEFER; /* just defer this TLS'd conn */
 case DNS_SUCCEED:
- if (sec) return OK;
+ if (sec)
+ {
+ DEBUG(D_transport)
+ {
+ dns_scan dnss;
+ dns_record * rr;
+ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+ rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_TLSA)
+ {
+ uint16_t payload_length = rr->size - 3;
+ uschar s[MAX_TLSA_EXPANDED_SIZE], * sp = s, * p = US rr->data;
+
+ sp += sprintf(CS sp, "%d ", *p++); /* usage */
+ sp += sprintf(CS sp, "%d ", *p++); /* selector */
+ sp += sprintf(CS sp, "%d ", *p++); /* matchtype */
+ while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+ sp += sprintf(CS sp, "%02x", *p++);
+
+ debug_printf(" %s\n", s);
+ }
+ }
+ return OK;
+ }
 log_write(0, LOG_MAIN, "DANE error: TLSA lookup for %s not DNSSEC", host->name);
 /*FALLTRHOUGH*/ |
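Review bot: `uint16_t payload_length = rr->size - 3;` assumes every TLSA RDATA is at least three bytes long; for a shorter record the subtraction goes negative and converts to a large unsigned count, after which the three `*p++` reads for usage/selector/matchtype and the hex loop read past the end of rr->data (the `sp-s` bound only protects the output buffer `s`, not the input). Since the answer is DNSSEC-validated but still external data, I would skip malformed records before the declaration: `if (rr->size < 3) { debug_printf(" (short TLSA record)\n"); continue; }`. The same `rr->size - 3` assumption appears to back payload_length in the dnsdb.c hunk, but it is computed outside that hunk so I cannot confirm it there. A minor style point: `%02x` receives a promoted `uschar` (int) rather than an unsigned int, which works in practice but does not match the conversion specifier exactly. The enclosing switch and function both start and end outside the hunk.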