From 624f33dfeab938e907251e3cc3062aa45353384f Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Sat, 8 Sep 2018 19:31:49 +0100
Subject: DANE - testcase for fail under GnuTLS with TA-mode to a selfsigned server cert
---
 src/src/lookups/dnsdb.c | 10 ++++------
 src/src/tls-gnu.c | 3 ++-
 src/src/transports/smtp.c | 24 +++++++++++++++++++++++-
 3 files changed, 29 insertions(+), 8 deletions(-)
(limited to 'src')
diff --git a/src/src/lookups/dnsdb.c b/src/src/lookups/dnsdb.c
index a86338261..e75bd1edd 100644
--- a/src/src/lookups/dnsdb.c
+++ b/src/src/lookups/dnsdb.c
@@ -150,7 +150,7 @@ store as possible later, so we preallocate the result here */
 gstring * yield = string_get(256);
-dns_record *rr;
+dns_record * rr;
 dns_answer dnsa;
 dns_scan dnss;
@@ -421,7 +421,7 @@ while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
 else if (type == T_TLSA)
 {
 uint8_t usage, selector, matching_type;
- uint16_t i, payload_length;
+ uint16_t payload_length;
 uschar s[MAX_TLSA_EXPANDED_SIZE];
 uschar * sp = s;
 uschar * p = US rr->data;
@@ -434,10 +434,8 @@ while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
 sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2, selector, *outsep2, matching_type, *outsep2);
 /* Now append the cert/identifier, one hex char at a time */
- for (i=0;
- i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
- i++)
- sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
+ while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+ sp += sprintf(CS sp, "%02x", *p++);
 yield = string_cat(yield, s);
 }
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index dfe09200b..c5ecf88f9 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1775,7 +1775,8 @@ goodcert:
 #ifdef SUPPORT_DANE
 tlsa_prob:
- *errstr = string_sprintf("TLSA record problem: %s", dane_strerror(rc));
+ *errstr = string_sprintf("TLSA record problem: %s",
+ rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
 #endif
 badcert:
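Review bot: The rewritten `while` in the @@ -434 hunk still takes `payload_length` on trust, and its assignment lies between the two dnsdb.c hunks, outside this view; if it is computed as `rr->size - 3`, the way the new smtp.c hunk does it, a TLSA record carrying fewer than three bytes of RDATA wraps the `uint16_t` to a value near 65535 and the loop then reads `*p++` past the end of the record until the `sp-s` output bound stops it. A record-length check ahead of the decode, `if (rr->size < 3) /* skip this record */`, using whatever the surrounding loop does to skip a record, would remove that over-read; the same check is needed at the smtp.c hunk. Dropping the `(unsigned char)` cast is fine, since `p` is declared `uschar *` in the @@ -421 hunk and `*p++` already promotes from unsigned char. The enclosing `else if (type == T_TLSA)` block opens in the earlier hunk, and the lines between the two hunks were not reviewed.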
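Review bot: The new `string_sprintf` lines special-case `DANE_E_REQUESTED_DATA_NOT_AVAILABLE` without saying why that one code is mapped to a hand-written `"none usable"` instead of the library's `dane_strerror` text. If the code does signal that no TLSA record could be used for verification, a comment above the assignment such as `/* GnuTLS reports DANE_E_REQUESTED_DATA_NOT_AVAILABLE when no TLSA record was usable (seen with TA-mode against a self-signed server cert); name that case rather than echoing the library text */` would record the intent the commit message describes. The function containing the `tlsa_prob:` label starts and ends outside the hunk.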
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 076375158..703ee563a 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1247,7 +1247,29 @@ switch (rc)
 return DEFER; /* just defer this TLS'd conn */
 case DNS_SUCCEED:
- if (sec) return OK;
+ if (sec)
+ {
+ DEBUG(D_transport)
+ {
+ dns_scan dnss;
+ dns_record * rr;
+ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+ rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_TLSA)
+ {
+ uint16_t payload_length = rr->size - 3;
+ uschar s[MAX_TLSA_EXPANDED_SIZE], * sp = s, * p = US rr->data;
+
+ sp += sprintf(CS sp, "%d ", *p++); /* usage */
+ sp += sprintf(CS sp, "%d ", *p++); /* selector */
+ sp += sprintf(CS sp, "%d ", *p++); /* matchtype */
+ while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+ sp += sprintf(CS sp, "%02x", *p++);
+
+ debug_printf(" %s\n", s);
+ }
+ }
+ return OK;
+ }
 log_write(0, LOG_MAIN, "DANE error: TLSA lookup for %s not DNSSEC", host->name);
 /*FALLTRHOUGH*/
-- cgit v1.2.3
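Review bot: The TLSA-to-text decode added inside `DEBUG(D_transport)` is a second copy of the loop that the dnsdb.c hunk in this same commit rewrites: the same three leading bytes, the same `%02x` loop and the same `sp-s < (MAX_TLSA_EXPANDED_SIZE - 4)` bound, differing only in the separator and in `rr->size - 3` now being computed here inline. Keeping the two in step, including any record-length check, would be easier with one shared helper in the dns code that both sites call: the eleven lines from `uint16_t payload_length = rr->size - 3;` through `debug_printf(" %s\n", s);` would collapse to a single `debug_printf(" %s\n", tlsa_record_to_string(rr, ' '));` (helper name proposed, not an existing function), and the `- 3` subtraction would live in one place. The `switch (rc)` and its enclosing function start and end outside the hunk.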