summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/src/deliver.c6
-rw-r--r--src/src/tls-openssl.c26
-rw-r--r--src/src/verify.c8
3 files changed, 38 insertions, 2 deletions
diff --git a/src/src/deliver.c b/src/src/deliver.c
index d00af9c11..676de556d 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -1134,6 +1134,9 @@ if (result == OK)
tls_out.cipher = addr->cipher;
tls_out.peerdn = addr->peerdn;
tls_out.ocsp = addr->ocsp;
+# ifdef EXPERIMENTAL_DANE
+ tls_out.dane_verified = testflag(addr, af_dane_verified);
+# endif
#endif
delivery_log(LOG_MAIN, addr, logchar, NULL);
@@ -1152,6 +1155,9 @@ if (result == OK)
tls_out.cipher = NULL;
tls_out.peerdn = NULL;
tls_out.ocsp = OCSP_NOT_REQ;
+# ifdef EXPERIMENTAL_DANE
+ tls_out.dane_verified = FALSE;
+# endif
#endif
}
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 735ebff06..2e95a467a 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -437,6 +437,9 @@ verify_callback_client_dane(int state, X509_STORE_CTX * x509ctx)
{
X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
static uschar txt[256];
+#ifdef EXPERIMENTAL_TPDA
+int depth = X509_STORE_CTX_get_error_depth(x509ctx);
+#endif
X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
@@ -444,6 +447,25 @@ DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s\n", txt);
tls_out.peerdn = txt;
tls_out.peercert = X509_dup(cert);
+#ifdef EXPERIMENTAL_TPDA
+ if (client_static_cbinfo->event_action)
+ {
+ if (tpda_raise_event(client_static_cbinfo->event_action,
+ US"tls:cert", string_sprintf("%d", depth)) == DEFER)
+ {
+ log_write(0, LOG_MAIN, "DANE verify denied by event-action: "
+ "depth=%d cert=%s", depth, txt);
+ tls_out.certificate_verified = FALSE;
+ return 0; /* reject */
+ }
+ if (depth != 0)
+ {
+ X509_free(tls_out.peercert);
+ tls_out.peercert = NULL;
+ }
+ }
+#endif
+
if (state == 1)
tls_out.dane_verified =
tls_out.certificate_verified = TRUE;
@@ -1958,6 +1980,10 @@ if (request_ocsp)
client_static_cbinfo->event_action = tb->tpda_event_action;
#endif
+#ifdef EXPERIMENTAL_TPDA
+client_static_cbinfo->event_action = tb->tpda_event_action;
+#endif
+
/* There doesn't seem to be a built-in timeout on connection. */
DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
diff --git a/src/src/verify.c b/src/src/verify.c
index edd9ad17d..d2ecb9cde 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -660,7 +660,7 @@ else
/* TLS negotiation failed; give an error. Try in clear on a new connection,
if the options permit it for this host. */
if (rc != OK)
- {
+ {
if ( rc == DEFER
&& ob->tls_tempfail_tryclear
&& !smtps
@@ -672,7 +672,11 @@ else
#endif
)
{
- (void)close(inblock.sock);
+ (void)close(inblock.sock);
+#ifdef EXPERIMENTAL_TPDA
+ (void) tpda_raise_event(addr->transport->tpda_event_action,
+ US"tcp:close", NULL);
+#endif
log_write(0, LOG_MAIN, "TLS session failure: delivering unencrypted "
"to %s [%s] (not in hosts_require_tls)", host->name, host->address);
suppress_tls = TRUE;
generated by cgit v1.2.3 (git 2.39.1) at 2024-10-24 10:27:00 +0000