Test development

author: Jeremy Harris <jgh146exb@wizmail.org> 2014-08-08 21:37:22 +0100
committer: Jeremy Harris <jgh146exb@wizmail.org> 2014-08-08 21:38:10 +0100
commit: 7a31d6431bfe3bce4da48ac8774e3b0e3c038fc7 (patch)
tree: f3f456d1b4e95eecdcd204b7dab5aa8091c67779 /src
parent: 12ee8cf9db5b6c81b0e492c64f305d7ba1cf4dc2 (diff)
4 files changed, 47 insertions, 25 deletions
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 201636db0..0bd23ac63 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1618,15 +1618,8 @@ BOOL dane_required;
 #endif
 
 #ifdef EXPERIMENTAL_DANE
-/*XXX TBD: test for transport options, and for TLSA records */
-/*dane = TRUE;*/
-
-# ifdef notyet
 dane_required = verify_check_this_host(&ob->hosts_require_dane, NULL,
 			  host->name, host->address, NULL) == OK;
-# else
-dane_required = FALSE;
-#endif
 
 if (host->dnssec == DS_YES)
   {
@@ -1637,11 +1630,10 @@ if (host->dnssec == DS_YES)
     {
     /* move this out to host.c given the similarity to dns_lookup() ? */
     uschar buffer[300];
-    int prefix_length;	/* why do we want this? */
     uschar * fullname = buffer;
 
     /* TLSA lookup string */
-    (void)sprintf(CS buffer, "_%d._tcp.%n%.256s", host->port, &prefix_length,
+    (void)sprintf(CS buffer, "_%d._tcp.%.256s", host->port,
       host->name);
 
     switch (rc = dns_lookup(&tlsa_dnsa, buffer, T_TLSA, &fullname))
@@ -1653,7 +1645,7 @@ if (host->dnssec == DS_YES)
       case DNS_FAIL:
 	if (dane_required)
 	  {
-	  /* log that TLSA lookup failed */
+	  log_write(0, LOG_MAIN, "DANE error: TLSA lookup failed");
 	  return FAIL;
 	  }
 	break;
@@ -1661,7 +1653,7 @@ if (host->dnssec == DS_YES)
       case DNS_SUCCEED:
 	if (!dns_is_secure(&tlsa_dnsa))
 	  {
-	  /*log it - tlsa should never be non-dnssec */
+	  log_write(0, LOG_MAIN, "DANE error: TLSA lookup not DNSSEC");
 	  return DEFER;
 	  }
 	dane = TRUE;
@@ -1669,9 +1661,10 @@ if (host->dnssec == DS_YES)
       }
     }
   }
-else if (dane_required && !dane)
+else if (dane_required)
   {
-  /* log that dnssec pre-req failed.  Hmm - what? */
+  /* Hmm - what lookup, precisely? */
+  log_write(0, LOG_MAIN, "DANE error: previous lookup not DNSSEC");
   return FAIL;
   }
 
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 2e3a6ced4..9abc69d51 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -109,6 +109,10 @@ optionlist smtp_transport_options[] = {
   { "hosts_require_auth",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_require_auth) },
 #ifdef SUPPORT_TLS
+# ifdef EXPERIMENTAL_DANE
+  { "hosts_require_dane",   opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block, hosts_require_dane) },
+# endif
 # ifndef DISABLE_OCSP
   { "hosts_require_ocsp",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_require_ocsp) },
@@ -118,7 +122,7 @@ optionlist smtp_transport_options[] = {
 #endif
   { "hosts_try_auth",       opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_try_auth) },
-#ifdef EXPERIMENTAL_DANE
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
   { "hosts_try_dane",       opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_try_dane) },
 #endif
@@ -206,6 +210,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   NULL,                /* hosts_require_auth */
 #ifdef EXPERIMENTAL_DANE
   NULL,                /* hosts_try_dane */
+  NULL,                /* hosts_require_dane */
 #endif
 #ifndef DISABLE_PRDR
   NULL,                /* hosts_try_prdr */
@@ -1571,8 +1576,13 @@ if (tls_out.active >= 0)
 /* If the host is required to use a secure channel, ensure that we
 have one. */
 
-else if (verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
-          host->address, NULL) == OK)
+else if (  verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
+            host->address, NULL) == OK
+#ifdef EXPERIMENTAL_DANE
+	|| verify_check_this_host(&(ob->hosts_require_dane), NULL, host->name,
+            host->address, NULL) == OK
+#endif
+	)
   {
   save_errno = ERRNO_TLSREQUIRED;
   message = string_sprintf("a TLS session is required for %s [%s], but %s",
@@ -3268,10 +3278,16 @@ for (cutoff_retry = 0; expired &&
       happens inside smtp_deliver().] */
 
       #ifdef SUPPORT_TLS
-      if (rc == DEFER && first_addr->basic_errno == ERRNO_TLSFAILURE &&
-           ob->tls_tempfail_tryclear &&
-           verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
-             host->address, NULL) != OK)
+      if (  rc == DEFER
+	 && first_addr->basic_errno == ERRNO_TLSFAILURE
+	 && ob->tls_tempfail_tryclear
+	 && verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
+             host->address, NULL) != OK
+#ifdef EXPERIMENTAL_DANE
+	 && verify_check_this_host(&(ob->hosts_require_dane), NULL, host->name,
+             host->address, NULL) != OK
+#endif
+	 )
         {
         log_write(0, LOG_MAIN, "TLS session failure: delivering unencrypted "
           "to %s [%s] (not in hosts_require_tls)", host->name, host->address);
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index 018f9cfef..d968a4d54 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -23,6 +23,7 @@ typedef struct {
   uschar *hosts_require_auth;
 #ifdef EXPERIMENTAL_DANE
   uschar *hosts_try_dane;
+  uschar *hosts_require_dane;
 #endif
 #ifndef DISABLE_PRDR
   uschar *hosts_try_prdr;
diff --git a/src/src/verify.c b/src/src/verify.c
index b1b9f29a4..c2ee47892 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -644,9 +644,16 @@ else
            if the options permit it for this host. */
         if (rc != OK)
           {
-  	if (rc == DEFER && ob->tls_tempfail_tryclear && !smtps &&
-  	   verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
-  	     host->address, NULL) != OK)
+  	if (  rc == DEFER
+	   && ob->tls_tempfail_tryclear
+	   && !smtps
+	   && verify_check_this_host(&(ob->hosts_require_tls), NULL,
+	     host->name, host->address, NULL) != OK
+#ifdef EXPERIMENTAL_DANE
+	   && verify_check_this_host(&(ob->hosts_require_dane), NULL,
+	     host->name, host->address, NULL) != OK
+#endif
+	   )
   	  {
             (void)close(inblock.sock);
   	  log_write(0, LOG_MAIN, "TLS session failure: delivering unencrypted "
@@ -676,8 +683,13 @@ else
 
     /* If the host is required to use a secure channel, ensure that we have one. */
     if (tls_out.active < 0)
-      if (verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
-      	host->address, NULL) == OK)
+      if (  verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
+	      host->address, NULL) == OK
+#ifdef EXPERIMENTAL_DANE
+	 || verify_check_this_host(&(ob->hosts_require_dane), NULL, host->name,
+	      host->address, NULL) == OK
+#endif
+	 )
         {
         /*save_errno = ERRNO_TLSREQUIRED;*/
         log_write(0, LOG_MAIN, "a TLS session is required for %s [%s], but %s",
author	Jeremy Harris <jgh146exb@wizmail.org>	2014-08-08 21:37:22 +0100
committer	Jeremy Harris <jgh146exb@wizmail.org>	2014-08-08 21:38:10 +0100
commit	7a31d6431bfe3bce4da48ac8774e3b0e3c038fc7 (patch)
tree	f3f456d1b4e95eecdcd204b7dab5aa8091c67779 /src
parent	12ee8cf9db5b6c81b0e492c64f305d7ba1cf4dc2 (diff)