[exim-cvs] Fix testcase "server missing/empty certificate fi…

Góra strony
Delete this message
Reply to this message
Autor: Exim Git Commits Mailing List
Data:  
Dla: exim-cvs
Temat: [exim-cvs] Fix testcase "server missing/empty certificate file"
Gitweb: http://git.exim.org/exim.git/commitdiff/0a92f87f7d62bb4f83fef5b8b10513cdd923fc2e
Commit:     0a92f87f7d62bb4f83fef5b8b10513cdd923fc2e
Parent:     93d4b03a2d9da8858f33c445b57128ef890f77fe
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Mon Apr 21 16:34:01 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Mon Apr 21 16:42:45 2014 +0100


    Fix testcase "server missing/empty certificate file"


    GnuTLS early versions (pre 3.0.0 ?) fail to send a reasonable
    client-cert request when tls_verify_certificates is an empty file.
    Since the test is for missing *server* certs (tls_certificate)
    avoid this by pointing to a real (if non-verifying) cert in
    tls_verify_certificates.
---
 src/src/tls-gnu.c |   14 ++++++--------
 test/confs/2024   |    3 ++-
 test/log/2024     |    2 +-
 test/stdout/2024  |    2 +-
 4 files changed, 10 insertions(+), 11 deletions(-)


diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 7c36252..cbd44d6 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1228,25 +1228,23 @@ unsigned int verify;

*error = NULL;

-rc = peer_status(state);
-if (rc != OK)
+if ((rc = peer_status(state)) != OK)
{
verify = GNUTLS_CERT_INVALID;
- *error = "not supplied";
+ *error = "certificate not supplied";
}
else
- {
rc = gnutls_certificate_verify_peers2(state->session, &verify);
- }

/* Handle the result of verification. INVALID seems to be set as well
as REVOKED, but leave the test for both. */

-if ((rc < 0) || (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0)
+if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
   {
   state->peer_cert_verified = FALSE;
-  if (*error == NULL)
-    *error = ((verify & GNUTLS_CERT_REVOKED) != 0) ? "revoked" : "invalid";
+  if (!*error)
+    *error = verify & GNUTLS_CERT_REVOKED
+      ? "certificate revoked" : "certificate invalid";


   DEBUG(D_tls)
     debug_printf("TLS certificate verification failed (%s): peerdn=%s\n",
diff --git a/test/confs/2024 b/test/confs/2024
index a677c4c..c59e975 100644
--- a/test/confs/2024
+++ b/test/confs/2024
@@ -24,6 +24,7 @@ tls_certificate = CERT
 tls_privatekey = CERT


tls_verify_hosts = HOSTIPV4
-tls_verify_certificates = TVC
+#tls_verify_certificates = TVC
+tls_verify_certificates = CERT

# End
diff --git a/test/log/2024 b/test/log/2024
index c45da6e..117382b 100644
--- a/test/log/2024
+++ b/test/log/2024
@@ -1,4 +1,4 @@
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (cert/key setup: cert=/non/exist key=/non/exist): Error while reading file.
diff --git a/test/stdout/2024 b/test/stdout/2024
index 2e30f7d..ecedd41 100644
--- a/test/stdout/2024
+++ b/test/stdout/2024
@@ -20,7 +20,7 @@ Key file = aux-fixed/cert2
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-Failed to start TLS
+Succeeded in starting TLS
End of script
Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
Certificate file = aux-fixed/cert2