[exim-cvs] fix tls_cipher memory lifetime.

Gitweb: http://git.exim.org/exim.git/commitdiff/75fe387d4b7dd458b79fc22d593095cd84ca8ea4

Commit:     75fe387d4b7dd458b79fc22d593095cd84ca8ea4
Parent:     4fe99a6c7949056e1bf27f146ad604061b6a3669
Author:     Phil Pennock <pdp@???>
AuthorDate: Thu May 17 17:24:36 2012 -0400
Committer:  Phil Pennock <pdp@???>
CommitDate: Thu May 17 17:24:36 2012 -0400

    fix tls_cipher memory lifetime.

    Some tests had not been updated for the new cert because they were missing an X= log-line.
    Updated those tests now.
---
 src/src/tls-gnu.c    |   34 ++++++++++++++++++++++++++--------
 test/log/2007        |    2 +-
 test/log/2008        |    8 ++++----
 test/log/2012        |    4 ++--
 test/log/2013        |    4 ++--
 test/log/2017        |    4 ++--
 test/log/2019        |    2 +-
 test/log/2026        |    2 +-
 test/log/3451        |    4 ++--
 test/log/3452        |    4 ++--
 test/mail/2019.userx |    2 +-
 test/runtest         |   15 +++++++++++++++
 test/stderr/2008     |    8 ++++----
 test/stderr/2013     |    4 ++--
 14 files changed, 65 insertions(+), 32 deletions(-)

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 328466c..1953be1 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -79,6 +79,7 @@ typedef struct exim_gnutls_state {
BOOL have_set_peerdn;
const struct host_item *host;
uschar *peerdn;
+ uschar *ciphersuite;
uschar *received_sni;

const uschar *tls_certificate;
@@ -99,17 +100,14 @@ typedef struct exim_gnutls_state {
int xfer_buffer_hwm;
int xfer_eof;
int xfer_error;
-
- uschar cipherbuf[256];
} exim_gnutls_state_st;

static const exim_gnutls_state_st exim_gnutls_state_init = {
NULL, NULL, NULL, VERIFY_NONE, -1, -1, FALSE, FALSE, FALSE,
- NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL,
NULL, 0, 0, 0, 0,
- ""
};

/* Not only do we have our own APIs which don't pass around state, assuming
@@ -313,7 +311,7 @@ cipher = gnutls_cipher_get(state->session);
/* returns size in "bytes" */
tls_bits = gnutls_cipher_get_key_size(cipher) * 8;

-tls_cipher = state->cipherbuf;
+tls_cipher = state->ciphersuite;

DEBUG(D_tls) debug_printf("cipher: %s\n", tls_cipher);

@@ -975,6 +973,20 @@ return OK;
Only this is allowed to set state->peerdn and state->have_set_peerdn
and we use that to detect double-calls.

+NOTE: the state blocks last while the TLS connection is up, which is fine
+for logging in the server side, but for the client side, we log after teardown
+in src/deliver.c.  While the session is up, we can twist about states and
+repoint tls_* globals, but those variables used for logging or other variable
+expansion that happens _after_ delivery need to have a longer life-time.
+
+So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
+doing this more than once per generation of a state context.  We set them in
+the state context, and repoint tls_* to them.  After the state goes away, the
+tls_* copies of the pointers remain valid and client delivery logging is happy.
+
+tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
+don't apply.
+
 Arguments:
   state           exim_gnutls_state_st *

@@ -984,8 +996,9 @@ Returns:          OK/DEFER/FAIL
 static int
 peer_status(exim_gnutls_state_st *state)
 {
+uschar cipherbuf[256];
 const gnutls_datum *cert_list;
-int rc;
+int old_pool, rc;
 unsigned int cert_list_size = 0;
 gnutls_protocol_t protocol;
 gnutls_cipher_algorithm_t cipher;
@@ -1008,7 +1021,7 @@ protocol = gnutls_protocol_get_version(state->session);
 mac = gnutls_mac_get(state->session);
 kx = gnutls_kx_get(state->session);

-string_format(state->cipherbuf, sizeof(state->cipherbuf),
+string_format(cipherbuf, sizeof(cipherbuf),
     "%s:%s:%d",
     gnutls_protocol_get_name(protocol),
     gnutls_cipher_suite_get_name(kx, cipher, mac),
@@ -1017,9 +1030,14 @@ string_format(state->cipherbuf, sizeof(state->cipherbuf),
 /* I don't see a way that spaces could occur, in the current GnuTLS
 code base, but it was a concern in the old code and perhaps older GnuTLS
 releases did return "TLS 1.0"; play it safe, just in case. */
-for (p = state->cipherbuf; *p != '\0'; ++p)
+for (p = cipherbuf; *p != '\0'; ++p)
   if (isspace(*p))
     *p = '-';
+old_pool = store_pool;
+store_pool = POOL_PERM;
+state->ciphersuite = string_copy(cipherbuf);
+store_pool = old_pool;
+tls_cipher = state->ciphersuite;

/* tls_peerdn */
cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
diff --git a/test/log/2007 b/test/log/2007
index 012677e..dbd395e 100644
--- a/test/log/2007
+++ b/test/log/2007
@@ -1,6 +1,6 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf

diff --git a/test/log/2008 b/test/log/2008
index 98494f1..72aa471 100644
--- a/test/log/2008
+++ b/test/log/2008
@@ -1,11 +1,11 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
-1999-03-02 09:44:33 10HmaY-0005vi-00 -> xyz@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
-1999-03-02 09:44:33 10HmaY-0005vi-00 => abcd@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
+1999-03-02 09:44:33 10HmaY-0005vi-00 -> xyz@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => abcd@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf

diff --git a/test/log/2012 b/test/log/2012
index bdcff38..2d15992 100644
--- a/test/log/2012
+++ b/test/log/2012
@@ -1,7 +1,7 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): invalid
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 CV=yes DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf

@@ -9,4 +9,4 @@
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.2:RSA_AES_256_CBC_SHA1:256 CV=yes DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel" S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.2:RSA_AES_256_CBC_SHA1:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaX-0005vi-00@???
diff --git a/test/log/2013 b/test/log/2013
index b41a348..95706bd 100644
--- a/test/log/2013
+++ b/test/log/2013
@@ -1,9 +1,9 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qqf

diff --git a/test/log/2017 b/test/log/2017
index d4e9518..94eb483 100644
--- a/test/log/2017
+++ b/test/log/2017
@@ -1,9 +1,9 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qqf

diff --git a/test/log/2019 b/test/log/2019
index 33b2ea2..630e360 100644
--- a/test/log/2019
+++ b/test/log/2019
@@ -1,6 +1,6 @@
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTPS on port 1225
1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@??? H=(rhu.barb) [127.0.0.1] P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:256 S=sss
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= userx@??? H=[ip4.ip4.ip4.ip4] P=smtp X=TLS1.0:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel" S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= userx@??? H=[ip4.ip4.ip4.ip4] P=smtp X=TLS1.0:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx <userx@???> R=abc T=local_delivery
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
diff --git a/test/log/2026 b/test/log/2026
index e264650..59145cb 100644
--- a/test/log/2026
+++ b/test/log/2026
@@ -7,7 +7,7 @@
1999-03-02 09:44:33 10HmaY-0005vi-00 => userx <userx@???> R=r0 T=t2
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=r1 T=t1 H=127.0.0.1 [127.0.0.1]
-1999-03-02 09:44:33 10HmaX-0005vi-00 => usery@??? R=r1 T=t1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => usery@??? R=r1 T=t1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 => usery <usery@???> R=r0 T=t2
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
diff --git a/test/log/3451 b/test/log/3451
index f575700..ee29c63 100644
--- a/test/log/3451
+++ b/test/log/3451
@@ -1,9 +1,9 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qqf

diff --git a/test/log/3452 b/test/log/3452
index f575700..ee29c63 100644
--- a/test/log/3452
+++ b/test/log/3452
@@ -1,9 +1,9 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qqf

diff --git a/test/mail/2019.userx b/test/mail/2019.userx
index fa92f60..6ac2073 100644
--- a/test/mail/2019.userx
+++ b/test/mail/2019.userx
@@ -16,7 +16,7 @@ Received: from [ip4.ip4.ip4.ip4]
     (envelope-from <userx@???>)
     id 10HmaY-0005vi-00
     for userx@???; Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.0:RSA_AES_256_CBC_SHA1:256 peerdn=C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel
+TLS: cipher=TLS1.0:RSA_AES_256_CBC_SHA1:256 peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock

This is a test encrypted message from a verified host.

diff --git a/test/runtest b/test/runtest
index 9bcace0..6418d8d 100755
--- a/test/runtest
+++ b/test/runtest
@@ -484,6 +484,7 @@ RESET_AFTER_EXTRA_LINE_READ:
# So far, have seen:
# TLSv1:AES256-SHA:256
# TLSv1.2:AES256-GCM-SHA384:256
+ # TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
# We also need to handle the ciphersuite without the TLS part present, for
# client-ssl's output. We also see some older forced ciphersuites, but
# negotiating TLS 1.2 instead of 1.0.
@@ -493,6 +494,20 @@ RESET_AFTER_EXTRA_LINE_READ:
s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.2:/$1TLSv1:/xg;
s/\bAES256-GCM-SHA384\b/AES256-SHA/g;

+ # GnuTLS have seen:
+ # TLS1.2:RSA_AES_256_CBC_SHA1:256 (canonical)
+ # TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
+ #
+ # X=TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256
+ # X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256
+ # and as stand-alone cipher:
+ # DHE-RSA-AES256-SHA256
+ # DHE-RSA-AES256-SHA
+ # picking latter as canonical simply because regex easier that way.
+ s/\bDHE_RSA_AES_128_CBC_SHA1:128/RSA_AES_256_CBC_SHA1:256/g;
+ s/X=TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256/X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256/g;
+ s/\bDHE-RSA-AES256-SHA256\b/DHE-RSA-AES256-SHA/g;
+

# ======== Caller's login, uid, gid, home, gecos ========

diff --git a/test/stderr/2008 b/test/stderr/2008
index b16aa4e..5d33ca7 100644
--- a/test/stderr/2008
+++ b/test/stderr/2008
@@ -28,7 +28,7 @@ Connecting to 127.0.0.1 [127.0.0.1]:1225 ... connected
   SMTP<< 250 OK id=10HmaZ-0005vi-00
   SMTP>> QUIT
 LOG: MAIN
-  => CALLER@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+  => CALLER@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
 LOG: MAIN
   Completed
 delivering 10HmaY-0005vi-00 (queue run pid ppppp)
@@ -61,9 +61,9 @@ Connecting to 127.0.0.1 [127.0.0.1]:1225 ... connected
   SMTP<< 250 OK id=10HmbA-0005vi-00
   SMTP>> QUIT
 LOG: MAIN
-  => CALLER@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+  => CALLER@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
 LOG: MAIN
-  -> xyz@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+  -> xyz@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
 Connecting to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]:1225 ... connected
   SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
   SMTP>> EHLO myhost.test.ex
@@ -91,7 +91,7 @@ Connecting to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]:1225 ... connected
   SMTP<< 250 OK id=10HmbB-0005vi-00
   SMTP>> QUIT
 LOG: MAIN
-  => abcd@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+  => abcd@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
 LOG: MAIN
   Completed
 LOG: queue_run MAIN
diff --git a/test/stderr/2013 b/test/stderr/2013
index a95f155..6a4c1d6 100644
--- a/test/stderr/2013
+++ b/test/stderr/2013
@@ -35,7 +35,7 @@ Connecting to 127.0.0.1 [127.0.0.1]:1225 ... connected
          250-STARTTLS
          250 HELP
 LOG: MAIN
-  => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+  => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
 LOG: MAIN
   Completed
 Exim version x.yz ....
@@ -59,7 +59,7 @@ admin user
   SMTP<< 250 OK id=10HmbA-0005vi-00
   SMTP>> QUIT
 LOG: MAIN
-  => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+  => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.2:RSA_AES_256_CBC_SHA1:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock"
 LOG: MAIN
   Completed

>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>