summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/src/deliver.c11
-rw-r--r--src/src/globals.h3
-rw-r--r--src/src/spool_in.c3
-rw-r--r--src/src/structs.h3
-rw-r--r--src/src/tls-openssl.c11
5 files changed, 29 insertions, 2 deletions
diff --git a/src/src/deliver.c b/src/src/deliver.c
index b0b4601dc..ebd06b504 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -697,7 +697,15 @@ d_tlslog(uschar * s, int * sizep, int * ptrp, address_item * addr)
if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
addr->cipher != NULL)
s = string_append(s, sizep, ptrp, 2, US" CV=",
- testflag(addr, af_cert_verified)? "yes":"no");
+ testflag(addr, af_cert_verified)
+ ?
+#ifdef EXPERIMENTAL_DANE
+ testflag(addr, af_dane_verified)
+ ? "dane"
+ :
+#endif
+ "yes"
+ : "no");
if ((log_extra_selector & LX_tls_peerdn) != 0 && addr->peerdn != NULL)
s = string_append(s, sizep, ptrp, 3, US" DN=\"",
string_printing(addr->peerdn), US"\"");
@@ -4125,6 +4133,7 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++)
/* The certificate verification status goes into the flags */
if (tls_out.certificate_verified) setflag(addr, af_cert_verified);
+ if (tls_out.dane_verified) setflag(addr, af_dane_verified);
/* Use an X item only if there's something to send */
#ifdef SUPPORT_TLS
diff --git a/src/src/globals.h b/src/src/globals.h
index 32ddd16e2..654114848 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -82,6 +82,9 @@ typedef struct {
int active; /* fd/socket when in a TLS session */
int bits; /* bits used in TLS session */
BOOL certificate_verified; /* Client certificate verified */
+#ifdef EXPERIMENTAL_DANE
+ BOOL dane_verified; /* ... via DANE */
+#endif
uschar *cipher; /* Cipher used */
BOOL on_connect; /* For older MTAs that don't STARTTLS */
uschar *on_connect_ports; /* Ports always tls-on-connect */
diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index 6dcb512e4..f53251a86 100644
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
@@ -284,6 +284,9 @@ dkim_collect_input = FALSE;
#ifdef SUPPORT_TLS
tls_in.certificate_verified = FALSE;
+# ifdef EXPERIMENTAL_DANE
+tls_in.dane_verified = FALSE;
+# endif
tls_in.cipher = NULL;
tls_in.ourcert = NULL;
tls_in.peercert = NULL;
diff --git a/src/src/structs.h b/src/src/structs.h
index 71ac5d8e3..27b73e903 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -495,6 +495,9 @@ typedef struct address_item_propagated {
# define af_prdr_used 0x08000000 /* delivery used SMTP PRDR */
#endif
#define af_force_command 0x10000000 /* force_command in pipe transport */
+#ifdef EXPERIMENTAL_DANE
+# define af_dane_verified 0x20000000 /* TLS cert verify done with DANE */
+#endif
/* These flags must be propagated when a child is created */
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index e37b1add5..c05253f73 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -386,6 +386,7 @@ return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called,
#ifdef EXPERIMENTAL_DANE
+
/* This gets called *by* the dane library verify callback, which interposes
itself.
*/
@@ -402,10 +403,12 @@ tls_out.peerdn = txt;
tls_out.peercert = X509_dup(cert);
if (state == 1)
+ tls_out.dane_verified =
tls_out.certificate_verified = TRUE;
return 1;
}
-#endif
+
+#endif /*EXPERIMENTAL_DANE*/
/*************************************************
@@ -1442,6 +1445,9 @@ if (expciphers != NULL)
optional, set up appropriately. */
tls_in.certificate_verified = FALSE;
+#ifdef EXPERIMENTAL_DANE
+tls_in.dane_verified = FALSE;
+#endif
server_verify_callback_called = FALSE;
if (verify_check_host(&tls_verify_hosts) == OK)
@@ -1712,6 +1718,9 @@ rc = tls_init(&client_ctx, host, NULL,
if (rc != OK) return rc;
tls_out.certificate_verified = FALSE;
+#ifdef EXPERIMENTAL_DANE
+tls_out.dane_verified = FALSE;
+#endif
client_verify_callback_called = FALSE;
if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",