From 018058b21d17a988ed29cf31a7002da74b599d1a Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Wed, 7 May 2014 20:46:49 +0100 Subject: Make $tls_out_ocsp visible to TPDA (mostly testsuite) --- src/src/deliver.c | 32 +++++++++++++++++++++++++++++--- src/src/globals.c | 1 + src/src/globals.h | 3 ++- src/src/structs.h | 1 + src/src/tls-gnu.c | 7 +++++-- src/src/tls-openssl.c | 36 +++++++++++++++++++++--------------- src/src/transports/smtp.c | 7 +++++-- 7 files changed, 64 insertions(+), 23 deletions(-) (limited to 'src') diff --git a/src/src/deliver.c b/src/src/deliver.c index fff0e2fd0..dd7f888fb 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -718,6 +718,7 @@ uschar *s; /* building log lines; */ void *reset_point; /* released afterwards. */ +DEBUG(D_deliver) debug_printf("B cipher %s\n", addr->cipher); /* Log the delivery on the main log. We use an extensible string to build up the log line, and reset the store afterwards. Remote deliveries should always have a pointer to the host item that succeeded; local deliveries can have a @@ -734,6 +735,7 @@ pointer to a single host item in their host list, for use by the transport. */ s = reset_point = store_get(size); +DEBUG(D_deliver) debug_printf("C cipher %s\n", addr->cipher); log_address = string_log_address(addr, (log_write_selector & L_all_parents) != 0, TRUE); if (msg) s = string_append(s, &size, &ptr, 3, host_and_ident(TRUE), US" ", log_address); @@ -876,6 +878,7 @@ if (addr->transport->tpda_delivery_action) DEBUG(D_deliver) debug_printf(" TPDA(Delivery): tpda_deliver_action=|%s| tpda_delivery_IP=%s\n", addr->transport->tpda_delivery_action, tpda_delivery_ip); +DEBUG(D_deliver) debug_printf("D cipher %s\n", addr->cipher); router_name = addr->router->name; transport_name = addr->transport->name; @@ -1088,6 +1091,11 @@ if (result == OK) addr->ourcert = NULL; tls_out.peercert = addr->peercert; addr->peercert = NULL; + +DEBUG(D_deliver) debug_printf("A cipher %s\n", addr->cipher); + tls_out.cipher = addr->cipher; + tls_out.peerdn = addr->peerdn; + tls_out.ocsp = addr->ocsp; #endif delivery_log(LOG_MAIN, addr, logchar, NULL); @@ -1103,6 +1111,9 @@ if (result == OK) tls_free_cert(tls_out.peercert); tls_out.peercert = NULL; } + tls_out.cipher = NULL; + tls_out.peerdn = NULL; + tls_out.ocsp = OCSP_NOT_REQ; #endif } @@ -2987,9 +2998,7 @@ while (!done) addr->cipher = string_copy(ptr); while (*ptr++); if (*ptr) - { addr->peerdn = string_copy(ptr); - } break; case '2': @@ -3003,6 +3012,14 @@ while (!done) if (*ptr) (void) tls_import_cert(ptr, &addr->ourcert); break; + + #ifdef EXPERIMENTAL_OCSP + case '4': + addr->ocsp = OCSP_NOT_REQ; + if (*ptr) + addr->ocsp = *ptr - '0'; + break; + #endif } while (*ptr++); break; @@ -4132,7 +4149,16 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++) *ptr++ = 0; rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer); } - #endif + # ifdef EXPERIMENTAL_OCSP + if (addr->ocsp > OCSP_NOT_REQ) + { + ptr = big_buffer; + sprintf(CS ptr, "X4%c", addr->ocsp + '0'); + while(*ptr++); + rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer); + } + # endif + #endif /*SUPPORT_TLS if (client_authenticator) { diff --git a/src/src/globals.c b/src/src/globals.c index af2903525..a2cc50313 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -341,6 +341,7 @@ address_item address_defaults = { NULL, /* ourcert */ NULL, /* peercert */ NULL, /* peerdn */ + OCSP_NOT_REQ, /* ocsp */ #endif NULL, /* authenticator */ NULL, /* auth_id */ diff --git a/src/src/globals.h b/src/src/globals.h index 9a42fe27e..8b55321f9 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -92,7 +92,8 @@ typedef struct { enum { OCSP_NOT_REQ=0, /* not requested */ OCSP_NOT_RESP, /* no response to request */ - OCSP_NOT_VFY, /* response not verified */ + OCSP_VFY_NOT_TRIED, /* response not verified */ + OCSP_FAILED, /* verify failed */ OCSP_VFIED /* verified */ } ocsp; /* Stapled OCSP status */ } tls_support; diff --git a/src/src/structs.h b/src/src/structs.h index a6c78f4fc..aba579f89 100644 --- a/src/src/structs.h +++ b/src/src/structs.h @@ -543,6 +543,7 @@ typedef struct address_item { void *ourcert; /* Certificate offered to peer, binary */ void *peercert; /* Certificate from peer, binary */ uschar *peerdn; /* DN of server's certificate */ + int ocsp; /* OCSP status of peer cert */ #endif uschar *authenticator; /* auth driver name used by transport */ diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index b0b67d820..3c926c0d4 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -1446,15 +1446,15 @@ server_ocsp_stapling_cb(gnutls_session_t session, void * ptr, { int ret; -tls_in.ocsp = OCSP_NOT_RESP; if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0) { DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n", (char *)ptr); + tls_in.ocsp = OCSP_NOT_RESP; return GNUTLS_E_NO_CERTIFICATE_STATUS; } -tls_in.ocsp = OCSP_NOT_VFY; +tls_in.ocsp = OCSP_VFY_NOT_TRIED; return 0; } @@ -1778,7 +1778,10 @@ if (require_ocsp) } if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0) + { + tls_out.ocsp = OCSP_FAILED; return tls_error(US"certificate status check failed", NULL, state->host); + } DEBUG(D_tls) debug_printf("Passed OCSP checking\n"); tls_out.ocsp = OCSP_VFIED; } diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index fd257f3c6..16612d300 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -572,21 +572,21 @@ if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX } supply_response: -cbinfo->u_ocsp.server.response = resp; + cbinfo->u_ocsp.server.response = resp; return; bad: -if (running_in_test_harness) - { - extern char ** environ; - uschar ** p; - for (p = USS environ; *p != NULL; p++) - if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0) - { - DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n"); - goto supply_response; - } - } + if (running_in_test_harness) + { + extern char ** environ; + uschar ** p; + for (p = USS environ; *p != NULL; p++) + if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0) + { + DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n"); + goto supply_response; + } + } return; } #endif /*EXPERIMENTAL_OCSP*/ @@ -844,9 +844,10 @@ if(!p) DEBUG(D_tls) debug_printf(" null\n"); return cbinfo->u_ocsp.client.verify_required ? 0 : 1; } -tls_out.ocsp = OCSP_NOT_VFY; + if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len))) { + tls_out.ocsp = OCSP_FAILED; if (log_extra_selector & LX_tls_cipher) log_write(0, LOG_MAIN, "Received TLS status response, parse error"); else @@ -856,6 +857,7 @@ if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len))) if(!(bs = OCSP_response_get1_basic(rsp))) { + tls_out.ocsp = OCSP_FAILED; if (log_extra_selector & LX_tls_cipher) log_write(0, LOG_MAIN, "Received TLS status response, error parsing response"); else @@ -867,7 +869,6 @@ if(!(bs = OCSP_response_get1_basic(rsp))) /* We'd check the nonce here if we'd put one in the request. */ /* However that would defeat cacheability on the server so we don't. */ - /* This section of code reworked from OpenSSL apps source; The OpenSSL Project retains copyright: Copyright (c) 1999 The OpenSSL Project. All rights reserved. @@ -888,6 +889,7 @@ if(!(bs = OCSP_response_get1_basic(rsp))) if ((i = OCSP_basic_verify(bs, NULL, cbinfo->u_ocsp.client.verify_store, 0)) <= 0) { + tls_out.ocsp = OCSP_FAILED; BIO_printf(bp, "OCSP response verify failure\n"); ERR_print_errors(bp); i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; @@ -902,6 +904,7 @@ if(!(bs = OCSP_response_get1_basic(rsp))) if (sk_OCSP_SINGLERESP_num(sresp) != 1) { + tls_out.ocsp = OCSP_FAILED; log_write(0, LOG_MAIN, "OCSP stapling " "with multiple responses not handled"); i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; @@ -917,6 +920,7 @@ if(!(bs = OCSP_response_get1_basic(rsp))) if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE)) { + tls_out.ocsp = OCSP_FAILED; DEBUG(D_tls) ERR_print_errors(bp); log_write(0, LOG_MAIN, "Server OSCP dates invalid"); i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; @@ -928,10 +932,11 @@ if(!(bs = OCSP_response_get1_basic(rsp))) switch(status) { case V_OCSP_CERTSTATUS_GOOD: - i = 1; tls_out.ocsp = OCSP_VFIED; + i = 1; break; case V_OCSP_CERTSTATUS_REVOKED: + tls_out.ocsp = OCSP_FAILED; log_write(0, LOG_MAIN, "Server certificate revoked%s%s", reason != -1 ? "; reason: " : "", reason != -1 ? OCSP_crl_reason_str(reason) : ""); @@ -939,6 +944,7 @@ if(!(bs = OCSP_response_get1_basic(rsp))) i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; break; default: + tls_out.ocsp = OCSP_FAILED; log_write(0, LOG_MAIN, "Server certificate status unknown, in OCSP stapling"); i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 9089d90c1..1232965b9 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -1232,6 +1232,7 @@ tls_out.peerdn = NULL; #if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) tls_out.sni = NULL; #endif +tls_out.ocsp = OCSP_NOT_REQ; /* Flip the legacy TLS-related variables over to the outbound set in case they're used in the context of the transport. Don't bother resetting @@ -1242,8 +1243,8 @@ tls_modify_variables(&tls_out); #ifndef SUPPORT_TLS if (smtps) { - set_errno(addrlist, 0, US"TLS support not available", DEFER, FALSE); - return ERROR; + set_errno(addrlist, 0, US"TLS support not available", DEFER, FALSE); + return ERROR; } #endif @@ -1475,6 +1476,7 @@ if (tls_offered && !suppress_tls && addr->ourcert = tls_out.ourcert; addr->peercert = tls_out.peercert; addr->peerdn = tls_out.peerdn; + addr->ocsp = tls_out.ocsp; } } } @@ -2514,6 +2516,7 @@ for (addr = addrlist; addr != NULL; addr = addr->next) addr->ourcert = NULL; addr->peercert = NULL; addr->peerdn = NULL; + addr->ocsp = OCSP_NOT_REQ; #endif } return first_addr; -- cgit v1.2.3 From 2a15c7fe07222861a5708a118c4a93f3001d7333 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Fri, 9 May 2014 21:40:25 +0100 Subject: Remove extraneous debug --- src/src/deliver.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'src') diff --git a/src/src/deliver.c b/src/src/deliver.c index dd7f888fb..851910eb4 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -718,7 +718,6 @@ uschar *s; /* building log lines; */ void *reset_point; /* released afterwards. */ -DEBUG(D_deliver) debug_printf("B cipher %s\n", addr->cipher); /* Log the delivery on the main log. We use an extensible string to build up the log line, and reset the store afterwards. Remote deliveries should always have a pointer to the host item that succeeded; local deliveries can have a @@ -735,7 +734,6 @@ pointer to a single host item in their host list, for use by the transport. */ s = reset_point = store_get(size); -DEBUG(D_deliver) debug_printf("C cipher %s\n", addr->cipher); log_address = string_log_address(addr, (log_write_selector & L_all_parents) != 0, TRUE); if (msg) s = string_append(s, &size, &ptr, 3, host_and_ident(TRUE), US" ", log_address); @@ -878,7 +876,6 @@ if (addr->transport->tpda_delivery_action) DEBUG(D_deliver) debug_printf(" TPDA(Delivery): tpda_deliver_action=|%s| tpda_delivery_IP=%s\n", addr->transport->tpda_delivery_action, tpda_delivery_ip); -DEBUG(D_deliver) debug_printf("D cipher %s\n", addr->cipher); router_name = addr->router->name; transport_name = addr->transport->name; @@ -1092,7 +1089,6 @@ if (result == OK) tls_out.peercert = addr->peercert; addr->peercert = NULL; -DEBUG(D_deliver) debug_printf("A cipher %s\n", addr->cipher); tls_out.cipher = addr->cipher; tls_out.peerdn = addr->peerdn; tls_out.ocsp = addr->ocsp; -- cgit v1.2.3 From e3dd1d67d7e5bfd0b123d6cb84e00a570415bdea Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 11 May 2014 12:27:29 +0100 Subject: Compiler quietening and testcase consistency Fix an unterminated comment from 018058b --- src/src/deliver.c | 2 +- src/src/expand.c | 14 +++++--------- src/src/malware.c | 12 +++++------- src/src/string.c | 2 +- src/src/tls-openssl.c | 1 - src/src/tlscert-openssl.c | 10 +++++----- src/src/transport.c | 1 - src/src/transports/smtp.c | 2 +- test/log/5608 | 32 ++++++++++++++++---------------- test/scripts/5608-OCSP-OpenSSL-TPDA/5608 | 2 ++ 10 files changed, 36 insertions(+), 42 deletions(-) (limited to 'src') diff --git a/src/src/deliver.c b/src/src/deliver.c index 851910eb4..3334ba2cb 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -4154,7 +4154,7 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++) rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer); } # endif - #endif /*SUPPORT_TLS + #endif /*SUPPORT_TLS*/ if (client_authenticator) { diff --git a/src/src/expand.c b/src/src/expand.c index 01c6e05f4..127134dbc 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -5365,8 +5365,6 @@ while (*s != 0) #ifdef SUPPORT_TLS case EITEM_CERTEXTRACT: { - int i; - int field_number = 1; uschar *save_lookup_value = lookup_value; uschar *sub[2]; int save_expand_nmax = @@ -5382,7 +5380,6 @@ while (*s != 0) /* strip spaces fore & aft */ { int len; - int x = 0; uschar *p = sub[0]; while (isspace(*p)) p++; @@ -5725,7 +5722,7 @@ while (*s != 0) int c; uschar *arg = NULL; uschar *sub; - var_entry *vp; + var_entry *vp = NULL; /* Owing to an historical mis-design, an underscore may be part of the operator name, or it may introduce arguments. We therefore first scan the @@ -5763,7 +5760,6 @@ while (*s != 0) break; } } - vp = NULL; /*FALLTHROUGH*/ #endif default: @@ -5861,7 +5857,7 @@ while (*s != 0) if (vp && *(void **)vp->value) { uschar * cp = tls_cert_fprt_md5(*(void **)vp->value); - yield = string_cat(yield, &size, &ptr, cp, (int)strlen(cp)); + yield = string_cat(yield, &size, &ptr, cp, Ustrlen(cp)); } else #endif @@ -5882,7 +5878,7 @@ while (*s != 0) if (vp && *(void **)vp->value) { uschar * cp = tls_cert_fprt_sha1(*(void **)vp->value); - yield = string_cat(yield, &size, &ptr, cp, (int)strlen(cp)); + yield = string_cat(yield, &size, &ptr, cp, Ustrlen(cp)); } else #endif @@ -6349,7 +6345,7 @@ while (*s != 0) case EOP_UTF8CLEAN: { int seq_len, index = 0; - int bytes_left = 0; + int bytes_left = 0; uschar seq_buff[4]; /* accumulate utf-8 here */ while (*sub != 0) @@ -6360,7 +6356,7 @@ while (*s != 0) complete = 0; c = *sub++; - if(bytes_left) + if (bytes_left) { if ((c & 0xc0) != 0x80) { diff --git a/src/src/malware.c b/src/src/malware.c index aaf3fcb7e..8260a4815 100644 --- a/src/src/malware.c +++ b/src/src/malware.c @@ -401,6 +401,7 @@ malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) case MC_TCP: sock = m_tcpsocket_fromdef(scanner_options, &errstr); break; case MC_UNIX: sock = m_unixsocket(scanner_options, &errstr); break; case MC_STRM: sock = m_streamsocket(scanner_options, &errstr); break; + default: /* compiler quietening */ break; } if (sock < 0) return m_errlog_defer(scanent, errstr); @@ -944,12 +945,10 @@ malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) sep = pclose(scanner_out); signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe); if (sep != 0) - if (sep == -1) return m_errlog_defer(scanent, - string_sprintf("running scanner failed: %s", strerror(sep))); - else - return m_errlog_defer(scanent, - string_sprintf("scanner returned error code: %d", sep)); + sep = -1 + ? string_sprintf("running scanner failed: %s", strerror(sep)) + : string_sprintf("scanner returned error code: %d", sep)); if (trigger) { uschar * s; @@ -1270,8 +1269,7 @@ malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) { free(clamav_fbuf); return m_errlog_defer_3(scanent, - string_sprintf("unable to send file body to socket (%s:%u)", - hostname, port), + string_sprintf("unable to send file body to socket (%s)", hostname), sock); } #endif diff --git a/src/src/string.c b/src/src/string.c index 365eaec03..7b5245557 100644 --- a/src/src/string.c +++ b/src/src/string.c @@ -997,7 +997,7 @@ if (list) new = string_cat(new, &sz, &off, &sep, 1); } -while (sp = Ustrchr(ele, sep)) +while((sp = Ustrchr(ele, sep))) { new = string_cat(new, &sz, &off, ele, sp-ele+1); new = string_cat(new, &sz, &off, &sep, 1); diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 16612d300..db2544c03 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -875,7 +875,6 @@ if(!(bs = OCSP_response_get1_basic(rsp))) */ { BIO * bp = NULL; - OCSP_CERTID *id; int status, reason; ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; diff --git a/src/src/tlscert-openssl.c b/src/src/tlscert-openssl.c index cddde4cdc..a36ec2ee2 100644 --- a/src/src/tlscert-openssl.c +++ b/src/src/tlscert-openssl.c @@ -81,7 +81,7 @@ X509_free((X509 *)cert); static uschar * bio_string_copy(BIO * bp, int len) { -uschar * cp = ""; +uschar * cp = US""; len = len > 0 ? (int) BIO_get_mem_data(bp, &cp) : 0; cp = string_copyn(cp, len); BIO_free(bp); @@ -164,7 +164,7 @@ return cp; uschar * tls_cert_signature_algorithm(void * cert, uschar * mod) { -return string_copy(OBJ_nid2ln(X509_get_signature_type((X509 *)cert))); +return string_copy(US OBJ_nid2ln(X509_get_signature_type((X509 *)cert))); } uschar * @@ -182,7 +182,7 @@ return string_sprintf("%d", X509_get_version((X509 *)cert)); uschar * tls_cert_ext_by_oid(void * cert, uschar * oid, int idx) { -int nid = OBJ_create(oid, "", ""); +int nid = OBJ_create(CS oid, "", ""); int nidx = X509_get_ext_by_NID((X509 *)cert, nid, idx); X509_EXTENSION * ex = X509_get_ext((X509 *)cert, nidx); ASN1_OCTET_STRING * adata = X509_EXTENSION_get_data(ex); @@ -201,7 +201,7 @@ cp3 = cp2 = store_get(len*3+1); while(len) { - sprintf(cp2, "%.2x ", *cp1++); + sprintf(CS cp2, "%.2x ", *cp1++); cp2 += 3; len--; } @@ -341,7 +341,7 @@ if (!X509_digest(cert,fdig,md,&n)) return NULL; } cp = store_get(n*2+1); -for (j = 0; j < (int)n; j++) sprintf(cp+2*j, "%02X", md[j]); +for (j = 0; j < (int)n; j++) sprintf(CS cp+2*j, "%02X", md[j]); return(cp); } diff --git a/src/src/transport.c b/src/src/transport.c index 92de4b92b..00b8fa9d8 100644 --- a/src/src/transport.c +++ b/src/src/transport.c @@ -837,7 +837,6 @@ internal_transport_write_message(address_item *addr, int fd, int options, { int written = 0; int len; -header_line *h; BOOL use_crlf = (options & topt_use_crlf) != 0; /* Initialize pointer in output buffer. */ diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 1232965b9..fd8948620 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -636,7 +636,7 @@ tpda_defer_errstr = addr->message ? string_sprintf("%s: %s", addr->message, strerror(addr->basic_errno)) : string_copy(addr->message) : addr->basic_errno > 0 - ? string_copy(strerror(addr->basic_errno)) + ? string_copy(US strerror(addr->basic_errno)) : NULL; DEBUG(D_transport) diff --git a/test/log/5608 b/test/log/5608 index 2c0c98016..7c8e5d7e0 100644 --- a/test/log/5608 +++ b/test/log/5608 @@ -3,17 +3,17 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 1 (notresp) 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 4 (verified) 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed -1999-03-02 09:44:33 10HmbA-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00" -1999-03-02 09:44:33 10HmbA-0005vi-00 client ocsp status: 0 (notreq) -1999-03-02 09:44:33 10HmbA-0005vi-00 Completed -1999-03-02 09:44:33 10HmbB-0005vi-00 => good@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00" -1999-03-02 09:44:33 10HmbB-0005vi-00 client ocsp status: 4 (verified) +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbB-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 client ocsp status: 0 (notreq) 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbD-0005vi-00 => good@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00" +1999-03-02 09:44:33 10HmbD-0005vi-00 client ocsp status: 4 (verified) +1999-03-02 09:44:33 10HmbD-0005vi-00 Completed 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmbF-0005vi-00 Received TLS status callback, null content 1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <> @@ -39,17 +39,17 @@ 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; responding -1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 4 -1999-03-02 09:44:33 10HmbD-0005vi-00 client claims: ocsp status 0 -1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com -1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: ocsp status 4 +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 0 +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbB-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed -1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbA-0005vi-00@server1.example.com -1999-03-02 09:44:33 10HmbD-0005vi-00 => :blackhole: R=server -1999-03-02 09:44:33 10HmbD-0005vi-00 Completed 1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding 1999-03-02 09:44:33 10HmbE-0005vi-00 client claims: ocsp status 4 -1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbB-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbD-0005vi-00@server1.example.com 1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 diff --git a/test/scripts/5608-OCSP-OpenSSL-TPDA/5608 b/test/scripts/5608-OCSP-OpenSSL-TPDA/5608 index 409b48b1b..8010507dc 100644 --- a/test/scripts/5608-OCSP-OpenSSL-TPDA/5608 +++ b/test/scripts/5608-OCSP-OpenSSL-TPDA/5608 @@ -21,6 +21,7 @@ exim -bd -oX PORT_D -DSERVER=server \ exim norequire@test.ex test message. **** +millisleep 500 # # # @@ -29,6 +30,7 @@ test message. exim nostaple@test.ex test message. **** +millisleep 500 # # # -- cgit v1.2.3 From 2381c830c6f89e3abc2dc153d483251a4403e71f Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 11 May 2014 20:27:04 +0100 Subject: More testcase serialization --- src/src/malware.c | 2 +- test/log/5601 | 18 +++++++++--------- test/log/5651 | 18 +++++++++--------- test/log/5658 | 32 ++++++++++++++++---------------- test/scripts/5600-OCSP-OpenSSL/5601 | 1 + test/scripts/5650-OCSP-GnuTLS/5651 | 1 + test/scripts/5658-OCSP-GnuTLS-TPDA/5658 | 2 ++ 7 files changed, 39 insertions(+), 35 deletions(-) (limited to 'src') diff --git a/src/src/malware.c b/src/src/malware.c index 8260a4815..cae0cdd99 100644 --- a/src/src/malware.c +++ b/src/src/malware.c @@ -946,7 +946,7 @@ malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe); if (sep != 0) return m_errlog_defer(scanent, - sep = -1 + sep == -1 ? string_sprintf("running scanner failed: %s", strerror(sep)) : string_sprintf("scanner returned error code: %d", sep)); diff --git a/test/log/5601 b/test/log/5601 index 1276861fc..4daccd975 100644 --- a/test/log/5601 +++ b/test/log/5601 @@ -2,11 +2,11 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed -1999-03-02 09:44:33 10HmbA-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" -1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmbD-0005vi-00 Received TLS status callback, null content 1999-03-02 09:44:33 10HmbD-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <> @@ -28,13 +28,13 @@ 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: ocsp status 0 (notreq) +1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: ocsp status 0 (notreq) +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed 1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding -1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com -1999-03-02 09:44:33 10HmbB-0005vi-00 => :blackhole: R=server -1999-03-02 09:44:33 10HmbB-0005vi-00 Completed 1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 4 (verified) -1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbA-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbB-0005vi-00@server1.example.com 1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 diff --git a/test/log/5651 b/test/log/5651 index d3a2775b8..f19900e9e 100644 --- a/test/log/5651 +++ b/test/log/5651 @@ -2,11 +2,11 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed -1999-03-02 09:44:33 10HmbA-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" -1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmbD-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed) 1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session @@ -24,12 +24,12 @@ 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: OCSP status 0 (notreq) -1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com -1999-03-02 09:44:33 10HmbB-0005vi-00 => :blackhole: R=server -1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: OCSP status 0 (notreq) +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed 1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 4 (verified) -1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbA-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbB-0005vi-00@server1.example.com 1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 diff --git a/test/log/5658 b/test/log/5658 index 3479b6691..16f5b31f2 100644 --- a/test/log/5658 +++ b/test/log/5658 @@ -3,17 +3,17 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 1 (notresp) 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 1 (notresp) 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed -1999-03-02 09:44:33 10HmbA-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00" -1999-03-02 09:44:33 10HmbA-0005vi-00 client ocsp status: 0 (notreq) -1999-03-02 09:44:33 10HmbA-0005vi-00 Completed -1999-03-02 09:44:33 10HmbB-0005vi-00 => good@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00" -1999-03-02 09:44:33 10HmbB-0005vi-00 client ocsp status: 4 (verified) +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbB-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 client ocsp status: 0 (notreq) 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbD-0005vi-00 => good@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00" +1999-03-02 09:44:33 10HmbD-0005vi-00 client ocsp status: 4 (verified) +1999-03-02 09:44:33 10HmbD-0005vi-00 Completed 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed) 1999-03-02 09:44:33 10HmbF-0005vi-00 client ocsp status: 3 (failed) @@ -34,16 +34,16 @@ 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 1 (notresp) -1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com -1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: OCSP status 1 (notresp) +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 0 (notreq) +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbB-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed -1999-03-02 09:44:33 10HmbD-0005vi-00 client claims: OCSP status 0 (notreq) -1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbA-0005vi-00@server1.example.com -1999-03-02 09:44:33 10HmbD-0005vi-00 => :blackhole: R=server -1999-03-02 09:44:33 10HmbD-0005vi-00 Completed 1999-03-02 09:44:33 10HmbE-0005vi-00 client claims: OCSP status 4 (verified) -1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbB-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbD-0005vi-00@server1.example.com 1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 diff --git a/test/scripts/5600-OCSP-OpenSSL/5601 b/test/scripts/5600-OCSP-OpenSSL/5601 index cf0f68fc7..521f8fd71 100644 --- a/test/scripts/5600-OCSP-OpenSSL/5601 +++ b/test/scripts/5600-OCSP-OpenSSL/5601 @@ -20,6 +20,7 @@ exim -bd -oX PORT_D -DSERVER=server \ exim nostaple@test.ex test message. **** +millisleep 500 # # # diff --git a/test/scripts/5650-OCSP-GnuTLS/5651 b/test/scripts/5650-OCSP-GnuTLS/5651 index 5ed784be2..2015d43b9 100644 --- a/test/scripts/5650-OCSP-GnuTLS/5651 +++ b/test/scripts/5650-OCSP-GnuTLS/5651 @@ -20,6 +20,7 @@ exim -bd -oX PORT_D -DSERVER=server \ exim nostaple@test.ex test message. **** +millisleep 500 # # # diff --git a/test/scripts/5658-OCSP-GnuTLS-TPDA/5658 b/test/scripts/5658-OCSP-GnuTLS-TPDA/5658 index 2e3028bb3..759810613 100644 --- a/test/scripts/5658-OCSP-GnuTLS-TPDA/5658 +++ b/test/scripts/5658-OCSP-GnuTLS-TPDA/5658 @@ -21,6 +21,7 @@ exim -bd -oX PORT_D -DSERVER=server \ exim norequire@test.ex test message. **** +millisleep 500 # # # @@ -29,6 +30,7 @@ test message. exim nostaple@test.ex test message. **** +millisleep 500 # # # -- cgit v1.2.3 From 9ef9101c7dc24878b83931e716021378ae789d78 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sat, 10 May 2014 15:37:52 +0100 Subject: New expansion operator sha256 for certificates. Bug 1170 --- doc/doc-docbook/spec.xfpt | 14 ++++++++++++++ doc/doc-txt/ChangeLog | 1 + doc/doc-txt/NewStuff | 3 ++- src/src/expand.c | 17 ++++++++++++++++- src/src/functions.h | 1 + src/src/tlscert-gnu.c | 6 ++++++ src/src/tlscert-openssl.c | 6 ++++++ test/confs/2002 | 3 ++- test/confs/2102 | 5 +++-- test/log/2002 | 3 ++- test/log/2102 | 5 +++-- 11 files changed, 56 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 3dd72e9f9..cbe5c1851 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -10036,6 +10036,7 @@ Letters in IPv6 addresses are always output in lower case. .vitem &*${md5:*&<&'string'&>&*}*& .cindex "MD5 hash" .cindex "expansion" "MD5 hash" +.cindex "certificate fingerprint" .cindex "&%md5%& expansion item" The &%md5%& operator computes the MD5 hash value of the string, and returns it as a 32-digit hexadecimal number, in which any letters are in lower case. @@ -10173,11 +10174,24 @@ variables or headers inside regular expressions. .vitem &*${sha1:*&<&'string'&>&*}*& .cindex "SHA-1 hash" .cindex "expansion" "SHA-1 hashing" +.cindex "certificate fingerprint" .cindex "&%sha2%& expansion item" The &%sha1%& operator computes the SHA-1 hash value of the string, and returns it as a 40-digit hexadecimal number, in which any letters are in upper case. +.vitem &*${sha256:*&<&'certificate'&>&*}*& +.cindex "SHA-256 hash" +.cindex "certificate fingerprint" +.cindex "expansion" "SHA-256 hashing" +.cindex "&%sha256%& expansion item" +The &%sha256%& operator computes the SHA-256 hash fingerprint of the +certificate, +and returns +it as a 64-digit hexadecimal number, in which any letters are in upper case. +Only arguments which are a single variable of certificate type are supported. + + .vitem &*${stat:*&<&'string'&>&*}*& .cindex "expansion" "statting a file" .cindex "file" "extracting characteristics" diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 9704295e3..33e43b196 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -113,6 +113,7 @@ JH/21 Observability of OCSP via variables tls_(in,out)_ocsp. Stapling JH/22 Expansion operators ${md5:string} and ${sha1::string} can now operate on certificate variables to give certificate fingerprints + Also new ${sha256:cert_variable}. Exim version 4.82 diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 87bb8a37b..9eebd089f 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -46,7 +46,8 @@ Version 4.83 10. New variables "tls_(in,out)_(our,peer)cert" and expansion item "certextract" to extract fields from them. Hash operators md5 and sha1 - work over them for generating fingerprints. + work over them for generating fingerprints, and a new sha256 operator + for them added. Version 4.82 diff --git a/src/src/expand.c b/src/src/expand.c index 127134dbc..9afc036fa 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -205,6 +205,7 @@ static uschar *op_table_main[] = { US"rxquote", US"s", US"sha1", + US"sha256", US"stat", US"str2b64", US"strlen", @@ -242,6 +243,7 @@ enum { EOP_RXQUOTE, EOP_S, EOP_SHA1, + EOP_SHA256, EOP_STAT, EOP_STR2B64, EOP_STRLEN, @@ -5745,8 +5747,9 @@ while (*s != 0) switch(c) { #ifdef SUPPORT_TLS - case EOP_SHA1: case EOP_MD5: + case EOP_SHA1: + case EOP_SHA256: if (s[1] == '$') { uschar * s1 = s; @@ -5894,6 +5897,18 @@ while (*s != 0) } continue; + case EOP_SHA256: +#ifdef SUPPORT_TLS + if (vp && *(void **)vp->value) + { + uschar * cp = tls_cert_fprt_sha256(*(void **)vp->value); + yield = string_cat(yield, &size, &ptr, cp, (int)strlen(cp)); + } + else +#endif + expand_string_message = US"sha256 only supported for certificates"; + continue; + /* Convert hex encoding to base64 encoding */ case EOP_HEX2B64: diff --git a/src/src/functions.h b/src/src/functions.h index 38ba7f39d..792f3df4d 100644 --- a/src/src/functions.h +++ b/src/src/functions.h @@ -41,6 +41,7 @@ extern uschar * tls_cert_version(void *, uschar * mod); extern uschar * tls_cert_fprt_md5(void *); extern uschar * tls_cert_fprt_sha1(void *); +extern uschar * tls_cert_fprt_sha256(void *); extern int tls_client_start(int, host_item *, address_item *, void *); diff --git a/src/src/tlscert-gnu.c b/src/src/tlscert-gnu.c index 32b1986b8..5a4c231bb 100644 --- a/src/src/tlscert-gnu.c +++ b/src/src/tlscert-gnu.c @@ -421,6 +421,12 @@ tls_cert_fprt_sha1(void * cert) return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA1); } +uschar * +tls_cert_fprt_sha256(void * cert) +{ +return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA256); +} + /* vi: aw ai sw=2 */ diff --git a/src/src/tlscert-openssl.c b/src/src/tlscert-openssl.c index a36ec2ee2..9903f08f3 100644 --- a/src/src/tlscert-openssl.c +++ b/src/src/tlscert-openssl.c @@ -357,6 +357,12 @@ tls_cert_fprt_sha1(void * cert) return fingerprint((X509 *)cert, EVP_sha1()); } +uschar * +tls_cert_fprt_sha256(void * cert) +{ +return fingerprint((X509 *)cert, EVP_sha256()); +} + /* vi: aw ai sw=2 */ diff --git a/test/confs/2002 b/test/confs/2002 index dfb4feef5..178265d65 100644 --- a/test/confs/2002 +++ b/test/confs/2002 @@ -58,8 +58,9 @@ check_recipient: logwrite = ${certextract {subj_altname} {$tls_in_peercert} {SAN <$value>}{(no SAN)}} # logwrite = ${certextract {ocsp_uri} {$tls_in_peercert} {OCU <$value>}{(no OCU)}} logwrite = ${certextract {crl_uri} {$tls_in_peercert} {CRU <$value>}{(no CRU)}} - logwrite = md5 fingerprint ${md5:$tls_in_peercert} + logwrite = md5 fingerprint ${md5:$tls_in_peercert} logwrite = sha1 fingerprint ${sha1:$tls_in_peercert} + logwrite = sha256 fingerprint ${sha256:$tls_in_peercert} # ----- Routers ----- diff --git a/test/confs/2102 b/test/confs/2102 index 6f29298b1..3d5e51ae6 100644 --- a/test/confs/2102 +++ b/test/confs/2102 @@ -59,8 +59,9 @@ check_recipient: logwrite = ${certextract {subj_altname} {$tls_in_peercert} {SAN <$value>}{(no SAN)}} logwrite = ${certextract {ocsp_uri} {$tls_in_peercert} {OCU <$value>}{(no OCU)}} logwrite = ${certextract {crl_uri} {$tls_in_peercert} {CRU <$value>}{(no CRU)}} - logwrite = md5 fingerprint ${md5:$tls_in_peercert} - logwrite = sha1 fingerprint ${sha1:$tls_in_peercert} + logwrite = md5 fingerprint ${md5:$tls_in_peercert} + logwrite = sha1 fingerprint ${sha1:$tls_in_peercert} + logwrite = sha256 fingerprint ${sha256:$tls_in_peercert} # ----- Routers ----- diff --git a/test/log/2002 b/test/log/2002 index 96762c1a3..6a5d0c899 100644 --- a/test/log/2002 +++ b/test/log/2002 @@ -18,8 +18,9 @@ 1999-03-02 09:44:33 SG <6c 37 41 26 4d 5d f4 b5 31 10 67 ca fb 64 b6 22 98 62 f7 1e 95 7b 6c e6 74 47 21 f4 5e 89 36 3e b9 9c 8a c5 52 bb c4 af 12 93 26 3b d7 3d e0 56 71 1e 1d 21 20 02 ed f0 4e d5 5e 45 42 fd 3c 38 41 54 83 86 0b 3b bf c5 47 39 ff 15 ea 93 dc fd c7 3d 18 58 59 ca dd 2a d8 b9 f9 2f b9 76 93 f4 ae e3 91 56 80 2f 8c 04 2f ad 57 ef d2 51 19 f4 b4 ef 32 9c ac 3a 7c 0d b8 39 db b1 e3 30 73 1a> 1999-03-02 09:44:33 SAN 1999-03-02 09:44:33 CRU -1999-03-02 09:44:33 md5 fingerprint C5FA6C8B1BE926DBC4E436AF08F92B55 +1999-03-02 09:44:33 md5 fingerprint C5FA6C8B1BE926DBC4E436AF08F92B55 1999-03-02 09:44:33 sha1 fingerprint 40B2135E6B67AE36A397696DA328423685E74CE3 +1999-03-02 09:44:33 sha256 fingerprint 6064D93E235FBA6FC66788F2AAC087752D856ECC7901FFCB8B53B21A09D232D2 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server2.example.com" S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER R=abc T=local_delivery diff --git a/test/log/2102 b/test/log/2102 index 77ef15052..57240408d 100644 --- a/test/log/2102 +++ b/test/log/2102 @@ -20,8 +20,9 @@ 1999-03-02 09:44:33 SAN 1999-03-02 09:44:33 OCU 1999-03-02 09:44:33 CRU -1999-03-02 09:44:33 md5 fingerprint C5FA6C8B1BE926DBC4E436AF08F92B55 -1999-03-02 09:44:33 sha1 fingerprint 40B2135E6B67AE36A397696DA328423685E74CE3 +1999-03-02 09:44:33 md5 fingerprint C5FA6C8B1BE926DBC4E436AF08F92B55 +1999-03-02 09:44:33 sha1 fingerprint 40B2135E6B67AE36A397696DA328423685E74CE3 +1999-03-02 09:44:33 sha256 fingerprint 6064D93E235FBA6FC66788F2AAC087752D856ECC7901FFCB8B53B21A09D232D2 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:AES256-SHA:256 DN="/CN=server2.example.com" S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER R=abc T=local_delivery -- cgit v1.2.3 From c3680ef0b5c4c4fe71a8badba562780bd45ddce4 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Mon, 12 May 2014 13:54:33 +0100 Subject: Fix pair of buffer size errors. Bug 1478 Reported-by: David Binderman --- src/Makefile | 1 + src/OS/os.c-Linux | 2 +- src/src/malware.c | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/Makefile b/src/Makefile index b913aec8a..99f4ab308 100644 --- a/src/Makefile +++ b/src/Makefile @@ -94,6 +94,7 @@ cscope.files: FRC -o -name "os.h*" -print \ -o -name "*akefile*" -print \ -o -name EDITME -print >> $@ + ls OS/* >> $@ FRC: diff --git a/src/OS/os.c-Linux b/src/OS/os.c-Linux index 1e8a6f47d..df0dff9db 100644 --- a/src/OS/os.c-Linux +++ b/src/OS/os.c-Linux @@ -94,7 +94,7 @@ ip_address_item *last = NULL; ip_address_item *next; char addr6p[8][5]; unsigned int plen, scope, dad_status, if_idx; -char devname[20]; +char devname[20+1]; FILE *f; #endif diff --git a/src/src/malware.c b/src/src/malware.c index cae0cdd99..2d2a8c892 100644 --- a/src/src/malware.c +++ b/src/src/malware.c @@ -42,7 +42,7 @@ static struct scan #define MAX_CLAMD_ADDRESS_LENGTH_S "64" typedef struct clamd_address_container { - uschar tcp_addr[MAX_CLAMD_ADDRESS_LENGTH]; + uschar tcp_addr[MAX_CLAMD_ADDRESS_LENGTH+1]; unsigned int tcp_port; } clamd_address_container; -- cgit v1.2.3 From 783b385fe846f97aa5d7a7675cc0600e917b8795 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Mon, 12 May 2014 15:30:47 +0100 Subject: Propagate dnssec status from dnslookup router through transport to tpda --- src/src/deliver.c | 28 ++++++++++++++++++++------- src/src/host.c | 48 ++++++++++++++++++++++++++++++++++++++--------- src/src/route.c | 1 + src/src/structs.h | 3 +++ src/src/transports/smtp.c | 3 +++ 5 files changed, 67 insertions(+), 16 deletions(-) (limited to 'src') diff --git a/src/src/deliver.c b/src/src/deliver.c index 3334ba2cb..777ff8dc7 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -730,6 +730,7 @@ pointer to a single host item in their host list, for use by the transport. */ tpda_delivery_local_part = NULL; tpda_delivery_domain = NULL; tpda_delivery_confirmation = NULL; + lookup_dnssec_authenticated = NULL; #endif s = reset_point = store_get(size); @@ -793,7 +794,7 @@ if (addr->transport->info->local) else { - if (addr->host_used != NULL) + if (addr->host_used) { s = d_hostlog(s, &size, &ptr, addr); if (continue_sequence > 1) @@ -806,6 +807,11 @@ else tpda_delivery_local_part = addr->local_part; tpda_delivery_domain = addr->domain; tpda_delivery_confirmation = addr->message; + + /* DNS lookup status */ + lookup_dnssec_authenticated = addr->host_used->dnssec==DS_YES ? US"yes" + : addr->host_used->dnssec==DS_NO ? US"no" + : NULL; #endif } @@ -3019,7 +3025,7 @@ while (!done) } while (*ptr++); break; - #endif + #endif /*SUPPORT_TLS*/ case 'C': /* client authenticator information */ switch (*ptr++) @@ -3039,7 +3045,7 @@ while (!done) #ifdef EXPERIMENTAL_PRDR case 'P': - addr->flags |= af_prdr_used; break; + addr->flags |= af_prdr_used; break; #endif case 'A': @@ -3066,7 +3072,7 @@ while (!done) addr->user_message = (*ptr)? string_copy(ptr) : NULL; while(*ptr++); - /* Always two strings for host information, followed by the port number */ + /* Always two strings for host information, followed by the port number and DNSSEC mark */ if (*ptr != 0) { @@ -3077,6 +3083,10 @@ while (!done) while(*ptr++); memcpy(&(h->port), ptr, sizeof(h->port)); ptr += sizeof(h->port); + h->dnssec = *ptr == '2' ? DS_YES + : *ptr == '1' ? DS_NO + : DS_UNK; + ptr++; addr->host_used = h; } else ptr++; @@ -4104,11 +4114,9 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++) retry_item *r; /* The certificate verification status goes into the flags */ - if (tls_out.certificate_verified) setflag(addr, af_cert_verified); /* Use an X item only if there's something to send */ - #ifdef SUPPORT_TLS if (addr->cipher) { @@ -4179,7 +4187,8 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++) } #ifdef EXPERIMENTAL_PRDR - if (addr->flags & af_prdr_used) rmt_dlv_checked_write(fd, "P", 1); + if (addr->flags & af_prdr_used) + rmt_dlv_checked_write(fd, "P", 1); #endif /* Retry information: for most success cases this will be null. */ @@ -4233,6 +4242,11 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++) while(*ptr++); memcpy(ptr, &(addr->host_used->port), sizeof(addr->host_used->port)); ptr += sizeof(addr->host_used->port); + + /* DNS lookup status */ + *ptr++ = addr->host_used->dnssec==DS_YES ? '2' + : addr->host_used->dnssec==DS_NO ? '1' : '0'; + } rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer); } diff --git a/src/src/host.c b/src/src/host.c index a1db7717e..a59c4381b 100644 --- a/src/src/host.c +++ b/src/src/host.c @@ -2065,6 +2065,7 @@ for (i = 1; i <= times; host->port = PORT_NONE; host->status = hstatus_unknown; host->why = hwhy_unknown; + host->dnssec = DS_UNK; last = host; } @@ -2080,6 +2081,7 @@ for (i = 1; i <= times; next->port = PORT_NONE; next->status = hstatus_unknown; next->why = hwhy_unknown; + next->dnssec = DS_UNK; next->last_try = 0; next->next = last->next; last->next = next; @@ -2475,10 +2477,12 @@ int ind_type = 0; int yield; dns_answer dnsa; dns_scan dnss; -BOOL dnssec_request = match_isinlist(host->name, &dnssec_request_domains, - 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK; BOOL dnssec_require = match_isinlist(host->name, &dnssec_require_domains, 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK; +BOOL dnssec_request = dnssec_require + || match_isinlist(host->name, &dnssec_request_domains, + 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK; +dnssec_status_t dnssec; /* Set the default fully qualified name to the incoming name, initialize the resolver if necessary, set up the relevant options, and initialize the flag @@ -2487,7 +2491,7 @@ that gets set for DNS syntax check errors. */ if (fully_qualified_name != NULL) *fully_qualified_name = host->name; dns_init((whichrrs & HOST_FIND_QUALIFY_SINGLE) != 0, (whichrrs & HOST_FIND_SEARCH_PARENTS) != 0, - dnssec_request || dnssec_require + dnssec_request ); host_find_failed_syntax = FALSE; @@ -2509,9 +2513,17 @@ if ((whichrrs & HOST_FIND_BY_SRV) != 0) the input name, pass back the new original domain, without the prepended magic. */ + dnssec = DS_UNK; + lookup_dnssec_authenticated = NULL; rc = dns_lookup(&dnsa, buffer, ind_type, &temp_fully_qualified_name); - lookup_dnssec_authenticated = !dnssec_request ? NULL - : dns_is_secure(&dnsa) ? US"yes" : US"no"; + + if (dnssec_request) + { + if (dns_is_secure(&dnsa)) + { dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; } + else + { dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; } + } if (temp_fully_qualified_name != buffer && fully_qualified_name != NULL) *fully_qualified_name = temp_fully_qualified_name + prefix_length; @@ -2547,9 +2559,17 @@ listed as one for which we continue. */ if (rc != DNS_SUCCEED && (whichrrs & HOST_FIND_BY_MX) != 0) { ind_type = T_MX; + dnssec = DS_UNK; + lookup_dnssec_authenticated = NULL; rc = dns_lookup(&dnsa, host->name, ind_type, fully_qualified_name); - lookup_dnssec_authenticated = !dnssec_request ? NULL - : dns_is_secure(&dnsa) ? US"yes" : US"no"; + + if (dnssec_request) + { + if (dns_is_secure(&dnsa)) + { dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; } + else + { dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; } + } switch (rc) { @@ -2593,9 +2613,19 @@ if (rc != DNS_SUCCEED) last = host; /* End of local chainlet */ host->mx = MX_NONE; host->port = PORT_NONE; + dnssec = DS_UNK; + lookup_dnssec_authenticated = NULL; rc = set_address_from_dns(host, &last, ignore_target_hosts, FALSE, fully_qualified_name, dnssec_request, dnssec_require); + if (dnssec_request) + { + if (dns_is_secure(&dnsa)) + { dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; } + else + { dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; } + } + /* If one or more address records have been found, check that none of them are local. Since we know the host items all have their IP addresses inserted, host_scan_for_local_hosts() can only return HOST_FOUND or @@ -2665,9 +2695,7 @@ for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); the same precedence to sort randomly. */ if (ind_type == T_MX) - { weight = random_number(500); - } /* SRV records are specified with a port and a weight. The weight is used in a special algorithm. However, to start with, we just use it to order the @@ -2731,6 +2759,7 @@ for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); host->sort_key = precedence * 1000 + weight; host->status = hstatus_unknown; host->why = hwhy_unknown; + host->dnssec = dnssec; last = host; } @@ -2747,6 +2776,7 @@ for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); next->sort_key = sort_key; next->status = hstatus_unknown; next->why = hwhy_unknown; + next->dnssec = dnssec; next->last_try = 0; /* Handle the case when we have to insert before the first item. */ diff --git a/src/src/route.c b/src/src/route.c index 271175e4b..0116e12af 100644 --- a/src/src/route.c +++ b/src/src/route.c @@ -1941,6 +1941,7 @@ DEBUG(D_route) if (h->mx >= 0) debug_printf(" MX=%d", h->mx); else if (h->mx != MX_NONE) debug_printf(" rgroup=%d", h->mx); if (h->port != PORT_NONE) debug_printf(" port=%d", h->port); + /* if (h->dnssec != DS_UNK) debug_printf(" dnssec=%s", h->dnssec==DS_YES ? "yes" : "no"); */ debug_printf("\n"); } } diff --git a/src/src/structs.h b/src/src/structs.h index aba579f89..989653e30 100644 --- a/src/src/structs.h +++ b/src/src/structs.h @@ -55,6 +55,8 @@ typedef struct ugid_block { but also used when checking lists of hosts and when transporting. Looking up host addresses is done using this structure. */ +typedef enum {DS_UNK=-1, DS_NO, DS_YES} dnssec_status_t; + typedef struct host_item { struct host_item *next; uschar *name; /* Host name */ @@ -65,6 +67,7 @@ typedef struct host_item { int status; /* Usable, unusable, or unknown */ int why; /* Why host is unusable */ int last_try; /* Time of last try if known */ + dnssec_status_t dnssec; } host_item; /* Chain of rewrite rules, read from the rewrite config, or parsed from the diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index fd8948620..020f76cac 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -2919,6 +2919,9 @@ for (cutoff_retry = 0; expired && deliver_host = host->name; deliver_host_address = host->address; + lookup_dnssec_authenticated = host->dnssec == DS_YES ? US"yes" + : host->dnssec == DS_NO ? US"no" + : US""; /* Set up a string for adding to the retry key if the port number is not the standard SMTP port. A host may have its own port setting that overrides -- cgit v1.2.3