From 83b2729321db62e758a300e372b2dd74e527d004 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Wed, 20 Aug 2014 20:34:17 +0100
Subject: Merge branch dane-tpda into dane

Conflicts:
	doc/doc-txt/experimental-spec.txt
	src/src/deliver.c
	src/src/functions.h
	src/src/smtp_out.c
	src/src/tls-openssl.c
	src/src/transports/smtp.c
	src/src/verify.c
---
 src/src/deliver.c     |  6 ++++++
 src/src/tls-openssl.c | 26 ++++++++++++++++++++++++++
 src/src/verify.c      |  8 ++++++--
 3 files changed, 38 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/src/deliver.c b/src/src/deliver.c
index d00af9c11..676de556d 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -1134,6 +1134,9 @@ if (result == OK)
   tls_out.cipher = addr->cipher;
   tls_out.peerdn = addr->peerdn;
   tls_out.ocsp = addr->ocsp;
+# ifdef EXPERIMENTAL_DANE
+  tls_out.dane_verified = testflag(addr, af_dane_verified);
+# endif
 #endif
 
   delivery_log(LOG_MAIN, addr, logchar, NULL);
@@ -1152,6 +1155,9 @@ if (result == OK)
   tls_out.cipher = NULL;
   tls_out.peerdn = NULL;
   tls_out.ocsp = OCSP_NOT_REQ;
+# ifdef EXPERIMENTAL_DANE
+  tls_out.dane_verified = FALSE;
+# endif
 #endif
   }
 
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 735ebff06..2e95a467a 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -437,6 +437,9 @@ verify_callback_client_dane(int state, X509_STORE_CTX * x509ctx)
 {
 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
 static uschar txt[256];
+#ifdef EXPERIMENTAL_TPDA
+int depth = X509_STORE_CTX_get_error_depth(x509ctx);
+#endif
 
 X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
 
@@ -444,6 +447,25 @@ DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s\n", txt);
 tls_out.peerdn = txt;
 tls_out.peercert = X509_dup(cert);
 
+#ifdef EXPERIMENTAL_TPDA
+  if (client_static_cbinfo->event_action)
+    {
+    if (tpda_raise_event(client_static_cbinfo->event_action,
+		    US"tls:cert", string_sprintf("%d", depth)) == DEFER)
+      {
+      log_write(0, LOG_MAIN, "DANE verify denied by event-action: "
+			      "depth=%d cert=%s", depth, txt);
+      tls_out.certificate_verified = FALSE;
+      return 0;			    /* reject */
+      }
+    if (depth != 0)
+      {
+      X509_free(tls_out.peercert);
+      tls_out.peercert = NULL;
+      }
+    }
+#endif
+
 if (state == 1)
   tls_out.dane_verified =
   tls_out.certificate_verified = TRUE;
@@ -1958,6 +1980,10 @@ if (request_ocsp)
 client_static_cbinfo->event_action = tb->tpda_event_action;
 #endif
 
+#ifdef EXPERIMENTAL_TPDA
+client_static_cbinfo->event_action = tb->tpda_event_action;
+#endif
+
 /* There doesn't seem to be a built-in timeout on connection. */
 
 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
diff --git a/src/src/verify.c b/src/src/verify.c
index edd9ad17d..d2ecb9cde 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -660,7 +660,7 @@ else
         /* TLS negotiation failed; give an error.  Try in clear on a new connection,
            if the options permit it for this host. */
         if (rc != OK)
-	  {
+          {
 	  if (  rc == DEFER
 	     && ob->tls_tempfail_tryclear
 	     && !smtps
@@ -672,7 +672,11 @@ else
 #endif
 	     )
 	    {
-	      (void)close(inblock.sock);
+	    (void)close(inblock.sock);
+#ifdef EXPERIMENTAL_TPDA
+	    (void) tpda_raise_event(addr->transport->tpda_event_action,
+				    US"tcp:close", NULL);
+#endif
 	    log_write(0, LOG_MAIN, "TLS session failure: delivering unencrypted "
 	      "to %s [%s] (not in hosts_require_tls)", host->name, host->address);
 	    suppress_tls = TRUE;
-- 
cgit v1.2.3