From d8e99d6047e709b35eabb1395c2046100d1a1dda Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Wed, 19 Aug 2020 21:09:04 +0100 Subject: [PATCH 32/37] DANE: force SNI to use $domain. Bug 2265 Note: this is not a complete fix for the issue (cherry picked from commit 7044dd8fd62e215572ecf5a2c7f1bb9581cf6628) --- doc/ChangeLog | 10 ++++++++++ src/receive.c | 2 +- src/smtp_in.c | 2 +- src/tls-gnu.c | 2 +- src/tls-openssl.c | 1 + src/transports/smtp.c | 1 + diff --git doc/ChangeLog doc/ChangeLog index ae4050322..ec1b03304 100644 --- doc/ChangeLog +++ doc/ChangeLog @@ -91,6 +91,16 @@ JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for is_tainted() had an off-by-one error in the overenthusiastic direction. Find and fix by Gavan. Although NetBSD is not a supported platform for 4.94 this bug could affect other platforms. +JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion. + Previously when a whitespace character was specified it was not inserted + after removing the newline. + +JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be + the domain part of the recipient address. This overrides any tls_sni + option set, which was previously used. + +JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI + in quotes. Exim version 4.94 diff --git src/receive.c src/receive.c index 0db897e9e..ec90e93cd 100644 --- src/receive.c +++ src/receive.c @@ -4004,7 +4004,7 @@ if (LOGGING(tls_certificate_verified) && tls_in.cipher) if (LOGGING(tls_peerdn) && tls_in.peerdn) g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\""); if (LOGGING(tls_sni) && tls_in.sni) - g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\""); + g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE)); #endif if (sender_host_authenticated) diff --git src/smtp_in.c src/smtp_in.c index 526164c46..a13f0ed63 100644 --- src/smtp_in.c +++ src/smtp_in.c @@ -1811,7 +1811,7 @@ if (LOGGING(tls_certificate_verified) && tls_in.cipher) if (LOGGING(tls_peerdn) && tls_in.peerdn) g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\""); if (LOGGING(tls_sni) && tls_in.sni) - g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\""); + g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE)); return g; } #endif diff --git src/tls-gnu.c src/tls-gnu.c index 875c82efa..a34633390 100644 --- src/tls-gnu.c +++ src/tls-gnu.c @@ -2863,7 +2863,7 @@ DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->so /* If dane is flagged, have either request or require dane for this host, and a TLSA record found. Therefore, dane verify required. Which implies cert must be requested and supplied, dane verify must pass, and cert verify irrelevant -(incl. hostnames), and (caller handled) require_tls */ +(incl. hostnames), and (caller handled) require_tls and sni=$domain */ if (conn_args->dane && ob->dane_require_tls_ciphers) { diff --git src/tls-openssl.c src/tls-openssl.c index a62322928..054b23d0c 100644 --- src/tls-openssl.c +++ src/tls-openssl.c @@ -3197,6 +3197,7 @@ tlsp->tlsa_usage = 0; #ifndef DISABLE_OCSP { # ifdef SUPPORT_DANE + /*XXX this should be moved to caller, to be common across gnutls/openssl */ if ( conn_args->dane && ob->hosts_request_ocsp[0] == '*' && ob->hosts_request_ocsp[1] == '\0' diff --git src/transports/smtp.c src/transports/smtp.c index 8492a7f25..28dd8ff24 100644 --- src/transports/smtp.c +++ src/transports/smtp.c @@ -2020,6 +2020,7 @@ if (!continue_hostname) { case OK: sx->conn_args.dane = TRUE; ob->tls_tempfail_tryclear = FALSE; + ob->tls_sni = sx->addrlist->domain; break; case FAIL_FORCED: break; default: set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER, -- 2.28.0