[exim-cvs] Testsuite: track newer GnuTLS behaviour

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Exim Git Commits Mailing List
Dátum:  
Címzett: exim-cvs
Tárgy: [exim-cvs] Testsuite: track newer GnuTLS behaviour
Gitweb: https://git.exim.org/exim.git/commitdiff/8008accd32d189afed4107a54466130dc1c331e2
Commit:     8008accd32d189afed4107a54466130dc1c331e2
Parent:     5fd28bb83f80141b9f7671ed9ae3e1a4263134e3
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Tue Sep 18 18:02:48 2018 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Tue Sep 18 23:13:09 2018 +0100


    Testsuite: track newer GnuTLS behaviour


    We have lost one log line, for a ciphers-negotiation failure on an early
    host in a list from routing.  We still get something indicative if the
    last one fails, so I'm going to let this pass.
    Test 2025 will fail on earlier GnuTLS library versions as a result.


    NONE no longer works as documented, in priority string for GnuTLS.
---
 src/src/tls-gnu.c                  | 6 +++++-
 src/src/transports/smtp.c          | 2 ++
 test/confs/2024                    | 2 ++
 test/confs/2025                    | 8 ++++----
 test/confs/5821                    | 4 ++--
 test/log/2024                      | 2 +-
 test/log/2025                      | 1 -
 test/runtest                       | 6 ++++++
 test/scripts/2000-GnuTLS/2024      | 9 +++++++++
 test/scripts/2000-GnuTLS/2025      | 1 +
 test/scripts/5820-DANE-GnuTLS/5821 | 4 ++--
 test/stdout/2024                   | 3 ++-
 12 files changed, 36 insertions(+), 12 deletions(-)


diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index ff8064b..fd18a60 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1598,6 +1598,7 @@ uint verify;
if (state->verify_requirement == VERIFY_NONE)
return TRUE;

+DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
*errstr = NULL;

if ((rc = peer_status(state, errstr)) != OK)
@@ -2068,7 +2069,10 @@ if (!state->tlsp->on_connect)
}

/* Now negotiate the TLS session. We put our own timer on it, since it seems
-that the GnuTLS library doesn't. */
+that the GnuTLS library doesn't.
+From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
+to set (and clear down afterwards) up a pull-timeout callback function that does
+a select, so we're no better off unless avoiding signals becomes an issue. */

 gnutls_transport_set_ptr2(state->session,
     (gnutls_transport_ptr_t)(long) fileno(smtp_in),
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index b2adeb5..d7e8396 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -2015,6 +2015,7 @@ if (  smtp_peer_options & OPTION_TLS
       /* TLS negotiation failed; give an error. From outside, this function may
       be called again to try in clear on a new connection, if the options permit
       it for this host. */
+      DEBUG(D_tls) debug_printf("TLS session fail: %s\n", errstr);


 # ifdef SUPPORT_DANE
       if (sx->dane)
@@ -4746,6 +4747,7 @@ retry_non_continued:
           "hosts_max_try (message older than host's retry time)\n");
         }
       }
+    if (f.running_in_test_harness) millisleep(500); /* let server debug out */
     }   /* End of loop for trying multiple hosts. */


/* If we failed to find a matching host in the list, for an already-open
diff --git a/test/confs/2024 b/test/confs/2024
index 64502d5..ea3b282 100644
--- a/test/confs/2024
+++ b/test/confs/2024
@@ -22,4 +22,6 @@ tls_verify_hosts = HOSTIPV4
#tls_verify_certificates = TVC
tls_verify_certificates = CERT

+# so we can decode in wireshark
+tls_require_ciphers = NORMAL:-KX-ALL:+RSA
# End
diff --git a/test/confs/2025 b/test/confs/2025
index feaa815..fdf1e04 100644
--- a/test/confs/2025
+++ b/test/confs/2025
@@ -17,8 +17,7 @@ queue_run_in_order

tls_advertise_hosts = *

-tls_require_ciphers = ${if eq{$sender_host_address}{HOSTIPV4}\
-                      {NONE}{SECURE256}}
+tls_require_ciphers = NORMAL:-VERS-ALL:+VERS-TLS1.2:-MAC-ALL:+SHA256


# Set certificate only if server

@@ -45,9 +44,10 @@ send_to_server:
   driver = smtp
   allow_localhost
   hosts = HOSTIPV4 : 127.0.0.1
-  hosts_require_tls = HOSTIPV4
   port = PORT_D
-
+  hosts_require_tls = HOSTIPV4
+  tls_require_ciphers = NORMAL:-VERS-ALL:+VERS-TLS1.2:-MAC-ALL:+SHA\
+     ${if eq{$host}{HOSTIPV4} {384} {256} }


# ----- Retry -----

diff --git a/test/confs/5821 b/test/confs/5821
index 9b73181..86ddbde 100644
--- a/test/confs/5821
+++ b/test/confs/5821
@@ -23,7 +23,7 @@ tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem}fail}
tls_privatekey = ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key}fail}

# Permit two specific ciphers
-tls_require_ciphers = NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL
+tls_require_ciphers = NORMAL:-KX-ALL:+RSA:-CIPHER-ALL:+AES-128-CBC:+CAMELLIA-256-GCM

 # ----- Routers -----
 begin routers
@@ -52,7 +52,7 @@ send_to_server:
   tls_verify_certificates =    CDIR2/ca_chain.pem


   # Some commonly-available cipher, we hope
-  tls_require_ciphers =        NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL
+  tls_require_ciphers =        NORMAL:-CIPHER-ALL:+AES-128-CBC
   dane_require_tls_ciphers =    OPT


# ----- Retry -----
diff --git a/test/log/2024 b/test/log/2024
index f7f6619..f16da49 100644
--- a/test/log/2024
+++ b/test/log/2024
@@ -1,6 +1,6 @@

******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (cert/key setup: cert=/non/exist key=/non/exist): Error while reading file.
diff --git a/test/log/2025 b/test/log/2025
index 2b015d5..7faa00e 100644
--- a/test/log/2025
+++ b/test/log/2025
@@ -1,6 +1,5 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: a TLS session is required, but an attempt to start TLS failed
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/runtest b/test/runtest
index 7a7f661..7921c5b 100755
--- a/test/runtest
+++ b/test/runtest
@@ -596,6 +596,7 @@ RESET_AFTER_EXTRA_LINE_READ:
s/No certificate was found/The peer did not send any certificate/g;
#(dodgy test?) s/\(certificate verification failed\): invalid/\(gnutls_handshake\): The peer did not send any certificate./g;
s/\(gnutls_priority_set\): No or insufficient priorities were set/\(gnutls_handshake\): Could not negotiate a supported cipher suite/g;
+ s/\(gnutls_handshake\): \KNo supported cipher suites have been found.$/Could not negotiate a supported cipher suite./;

   # (this new one is a generic channel-read error, but the testsuite
   # only hits it in one place)
@@ -1568,6 +1569,11 @@ $munges =
     'gnutls_handshake' =>
     { 'mainlog' => 's/\(gnutls_handshake\): Error in the push function/\(gnutls_handshake\): A TLS packet with unexpected length was received/' },


+    'gnutls_bad_clientcert' =>
+    { 'mainlog' => 's/\(certificate verification failed\): certificate invalid/\(gnutls_handshake\): The peer did not send any certificate./',
+      'stdout'  => 's/Succeeded in starting TLS/A TLS fatal alert has been received.\nFailed to start TLS'
+    },
+
     'optional_events' =>
     { 'stdout' => '/event_action =/' },


diff --git a/test/scripts/2000-GnuTLS/2024 b/test/scripts/2000-GnuTLS/2024
index 7e16b7b..a2ad204 100644
--- a/test/scripts/2000-GnuTLS/2024
+++ b/test/scripts/2000-GnuTLS/2024
@@ -2,6 +2,13 @@
gnutls
exim -DSERVER=server -bd -oX PORT_D
****
+#
+#
+# This one has a cert, but the server isn't expecting it.
+# Earlier versions of GnuTLS would send it despite the server giving a list of acceptable ones, and the
+# server would fail its verification. Now the client correctly doesn't send it; the mainlog reflects
+# this, the custom munge patches output with old GnuTLS (I hope; not actually tested).
+munge gnutls_bad_clientcert
client-gnutls HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
??? 220
ehlo rhu.barb
@@ -15,6 +22,8 @@ starttls
??? 220
****
killdaemon
+#
+# Here the server really doesn't have a cert
exim -DSERVER=server -DCERT=/non/exist -bd -oX PORT_D
****
client-gnutls HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
diff --git a/test/scripts/2000-GnuTLS/2025 b/test/scripts/2000-GnuTLS/2025
index 38ffccf..892651e 100644
--- a/test/scripts/2000-GnuTLS/2025
+++ b/test/scripts/2000-GnuTLS/2025
@@ -7,5 +7,6 @@ Testing
****
exim -qf
****
+millisleep 500
killdaemon
no_msglog_check
diff --git a/test/scripts/5820-DANE-GnuTLS/5821 b/test/scripts/5820-DANE-GnuTLS/5821
index f4ea305..7f83a40 100644
--- a/test/scripts/5820-DANE-GnuTLS/5821
+++ b/test/scripts/5820-DANE-GnuTLS/5821
@@ -16,12 +16,12 @@ Testing
#
### Dane cipher specified, dane unused
# Since dane unused, should get the same cipher as the baseline
-exim -odf -DOPT=NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL CALLER@???
+exim -odf -DOPT=NORMAL:-CIPHER-ALL:+CAMELLIA-256-GCM CALLER@???
Testing
****
### Dane cipher specified, dane used
# Should get the cipher specified here
-exim -odf -DOPT=NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL CALLER@???
+exim -odf -DOPT=NORMAL:-CIPHER-ALL:+CAMELLIA-256-GCM CALLER@???
Testing
****
#
diff --git a/test/stdout/2024 b/test/stdout/2024
index ecedd41..b25f1c8 100644
--- a/test/stdout/2024
+++ b/test/stdout/2024
@@ -20,7 +20,8 @@ Key file = aux-fixed/cert2
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-Succeeded in starting TLS
+A TLS fatal alert has been received.
+Failed to start TLS
End of script
Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
Certificate file = aux-fixed/cert2