diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/src/deliver.c | 11 | ||||
-rw-r--r-- | src/src/globals.h | 3 | ||||
-rw-r--r-- | src/src/spool_in.c | 3 | ||||
-rw-r--r-- | src/src/structs.h | 3 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 11 |
5 files changed, 29 insertions, 2 deletions
diff --git a/src/src/deliver.c b/src/src/deliver.c index b0b4601dc..ebd06b504 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -697,7 +697,15 @@ d_tlslog(uschar * s, int * sizep, int * ptrp, address_item * addr) if ((log_extra_selector & LX_tls_certificate_verified) != 0 && addr->cipher != NULL) s = string_append(s, sizep, ptrp, 2, US" CV=", - testflag(addr, af_cert_verified)? "yes":"no"); + testflag(addr, af_cert_verified) + ? +#ifdef EXPERIMENTAL_DANE + testflag(addr, af_dane_verified) + ? "dane" + : +#endif + "yes" + : "no"); if ((log_extra_selector & LX_tls_peerdn) != 0 && addr->peerdn != NULL) s = string_append(s, sizep, ptrp, 3, US" DN=\"", string_printing(addr->peerdn), US"\""); @@ -4125,6 +4133,7 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++) /* The certificate verification status goes into the flags */ if (tls_out.certificate_verified) setflag(addr, af_cert_verified); + if (tls_out.dane_verified) setflag(addr, af_dane_verified); /* Use an X item only if there's something to send */ #ifdef SUPPORT_TLS diff --git a/src/src/globals.h b/src/src/globals.h index 32ddd16e2..654114848 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -82,6 +82,9 @@ typedef struct { int active; /* fd/socket when in a TLS session */ int bits; /* bits used in TLS session */ BOOL certificate_verified; /* Client certificate verified */ +#ifdef EXPERIMENTAL_DANE + BOOL dane_verified; /* ... via DANE */ +#endif uschar *cipher; /* Cipher used */ BOOL on_connect; /* For older MTAs that don't STARTTLS */ uschar *on_connect_ports; /* Ports always tls-on-connect */ diff --git a/src/src/spool_in.c b/src/src/spool_in.c index 6dcb512e4..f53251a86 100644 --- a/src/src/spool_in.c +++ b/src/src/spool_in.c @@ -284,6 +284,9 @@ dkim_collect_input = FALSE; #ifdef SUPPORT_TLS tls_in.certificate_verified = FALSE; +# ifdef EXPERIMENTAL_DANE +tls_in.dane_verified = FALSE; +# endif tls_in.cipher = NULL; tls_in.ourcert = NULL; tls_in.peercert = NULL; diff --git a/src/src/structs.h b/src/src/structs.h index 71ac5d8e3..27b73e903 100644 --- a/src/src/structs.h +++ b/src/src/structs.h @@ -495,6 +495,9 @@ typedef struct address_item_propagated { # define af_prdr_used 0x08000000 /* delivery used SMTP PRDR */ #endif #define af_force_command 0x10000000 /* force_command in pipe transport */ +#ifdef EXPERIMENTAL_DANE +# define af_dane_verified 0x20000000 /* TLS cert verify done with DANE */ +#endif /* These flags must be propagated when a child is created */ diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index e37b1add5..c05253f73 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -386,6 +386,7 @@ return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called, #ifdef EXPERIMENTAL_DANE + /* This gets called *by* the dane library verify callback, which interposes itself. */ @@ -402,10 +403,12 @@ tls_out.peerdn = txt; tls_out.peercert = X509_dup(cert); if (state == 1) + tls_out.dane_verified = tls_out.certificate_verified = TRUE; return 1; } -#endif + +#endif /*EXPERIMENTAL_DANE*/ /************************************************* @@ -1442,6 +1445,9 @@ if (expciphers != NULL) optional, set up appropriately. */ tls_in.certificate_verified = FALSE; +#ifdef EXPERIMENTAL_DANE +tls_in.dane_verified = FALSE; +#endif server_verify_callback_called = FALSE; if (verify_check_host(&tls_verify_hosts) == OK) @@ -1712,6 +1718,9 @@ rc = tls_init(&client_ctx, host, NULL, if (rc != OK) return rc; tls_out.certificate_verified = FALSE; +#ifdef EXPERIMENTAL_DANE +tls_out.dane_verified = FALSE; +#endif client_verify_callback_called = FALSE; if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers", |