Diffstat (limited to 'mail/exim/files/patch-z0032-DANE-force-SNI-to-use-domain.-Bug-2265')
-rw-r--r--mail/exim/files/patch-z0032-DANE-force-SNI-to-use-domain.-Bug-2265102
1 files changed, 0 insertions, 102 deletions
diff --git a/mail/exim/files/patch-z0032-DANE-force-SNI-to-use-domain.-Bug-2265 b/mail/exim/files/patch-z0032-DANE-force-SNI-to-use-domain.-Bug-2265
deleted file mode 100644
index 3ca3f78622ef..000000000000
--- a/mail/exim/files/patch-z0032-DANE-force-SNI-to-use-domain.-Bug-2265
+++ /dev/null
@@ -1,102 +0,0 @@
-From d8e99d6047e709b35eabb1395c2046100d1a1dda Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Wed, 19 Aug 2020 21:09:04 +0100
-Subject: [PATCH 32/37] DANE: force SNI to use $domain. Bug 2265
-
-Note: this is not a complete fix for the issue
-(cherry picked from commit 7044dd8fd62e215572ecf5a2c7f1bb9581cf6628)
----
- doc/ChangeLog | 10 ++++++++++
- src/receive.c | 2 +-
- src/smtp_in.c | 2 +-
- src/tls-gnu.c | 2 +-
- src/tls-openssl.c | 1 +
- src/transports/smtp.c | 1 +
-
-diff --git doc/ChangeLog doc/ChangeLog
-index ae4050322..ec1b03304 100644
---- doc/ChangeLog
-+++ doc/ChangeLog
-@@ -91,6 +91,16 @@ JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for
- is_tainted() had an off-by-one error in the overenthusiastic direction.
- Find and fix by Gavan. Although NetBSD is not a supported platform for
- 4.94 this bug could affect other platforms.
-+JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion.
-+ Previously when a whitespace character was specified it was not inserted
-+ after removing the newline.
-+
-+JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be
-+ the domain part of the recipient address. This overrides any tls_sni
-+ option set, which was previously used.
-+
-+JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI
-+ in quotes.
-
-
- Exim version 4.94
-diff --git src/receive.c src/receive.c
-index 0db897e9e..ec90e93cd 100644
---- src/receive.c
-+++ src/receive.c
-@@ -4004,7 +4004,7 @@ if (LOGGING(tls_certificate_verified) && tls_in.cipher)
- if (LOGGING(tls_peerdn) && tls_in.peerdn)
- g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\"");
- if (LOGGING(tls_sni) && tls_in.sni)
-- g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\"");
-+ g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE));
- #endif
-
- if (sender_host_authenticated)
-diff --git src/smtp_in.c src/smtp_in.c
-index 526164c46..a13f0ed63 100644
---- src/smtp_in.c
-+++ src/smtp_in.c
-@@ -1811,7 +1811,7 @@ if (LOGGING(tls_certificate_verified) && tls_in.cipher)
- if (LOGGING(tls_peerdn) && tls_in.peerdn)
- g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\"");
- if (LOGGING(tls_sni) && tls_in.sni)
-- g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\"");
-+ g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE));
- return g;
- }
- #endif
-diff --git src/tls-gnu.c src/tls-gnu.c
-index 875c82efa..a34633390 100644
---- src/tls-gnu.c
-+++ src/tls-gnu.c
-@@ -2863,7 +2863,7 @@ DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->so
- /* If dane is flagged, have either request or require dane for this host, and
- a TLSA record found. Therefore, dane verify required. Which implies cert must
- be requested and supplied, dane verify must pass, and cert verify irrelevant
--(incl. hostnames), and (caller handled) require_tls */
-+(incl. hostnames), and (caller handled) require_tls and sni=$domain */
-
- if (conn_args->dane && ob->dane_require_tls_ciphers)
- {
-diff --git src/tls-openssl.c src/tls-openssl.c
-index a62322928..054b23d0c 100644
---- src/tls-openssl.c
-+++ src/tls-openssl.c
-@@ -3197,6 +3197,7 @@ tlsp->tlsa_usage = 0;
- #ifndef DISABLE_OCSP
- {
- # ifdef SUPPORT_DANE
-+ /*XXX this should be moved to caller, to be common across gnutls/openssl */
- if ( conn_args->dane
- && ob->hosts_request_ocsp[0] == '*'
- && ob->hosts_request_ocsp[1] == '\0'
-diff --git src/transports/smtp.c src/transports/smtp.c
-index 8492a7f25..28dd8ff24 100644
---- src/transports/smtp.c
-+++ src/transports/smtp.c
-@@ -2020,6 +2020,7 @@ if (!continue_hostname)
- {
- case OK: sx->conn_args.dane = TRUE;
- ob->tls_tempfail_tryclear = FALSE;
-+ ob->tls_sni = sx->addrlist->domain;
- break;
- case FAIL_FORCED: break;
- default: set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER,
---
-2.28.0
-