Gitweb:
https://git.exim.org/exim.git/commitdiff/ce80533b305c56d57cb7ec1484491f191132cf84
Commit: ce80533b305c56d57cb7ec1484491f191132cf84
Parent: 0abc5a137c8a0824aa3740b2cca8da407303f4fb
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Oct 14 15:22:32 2018 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sun Oct 14 15:28:31 2018 +0100
Testsuite: client script faciility for handling optional reponses
Use this to deal with fallout from TLS negotiation failure, where the
server sees leftover encrypted data as garbage commands.
---
src/src/smtp_in.c | 4 +++-
test/README | 17 +++++++++++++----
test/scripts/2100-OpenSSL/2114 | 10 ++++++++++
test/src/client.c | 39 ++++++++++++++++++++++++++-------------
test/stdout/2114 | 15 +++++++++++++++
5 files changed, 67 insertions(+), 18 deletions(-)
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index b99b5cd..00c8427 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -5508,7 +5508,9 @@ while (done <= 0)
/* Hard failure. Reject everything except QUIT or closed connection. One
cause for failure is a nested STARTTLS, in which case tls_in.active remains
- set, but we must still reject all incoming commands. */
+ set, but we must still reject all incoming commands. Another is a handshake
+ failure - and there may some encrypted data still in the pipe to us, which we
+ see as garbage commands. */
DEBUG(D_tls) debug_printf("TLS failed to start\n");
while (done <= 0) switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
diff --git a/test/README b/test/README
index f4eeddb..5b3a869 100644
--- a/test/README
+++ b/test/README
@@ -1023,18 +1023,27 @@ Lines in client scripts are of several kinds:
line defines the start of expected output from the server. If what is
received does not match, the client bombs out with an error message.
-(2) If a line starts with three plus signs followed by a space, the rest of the
+(2) If a line begins with three question marks and an asterisk, the server
+ is expected to close the connection.
+
+(3) If a line begins with four question marks, the rest of the line defines
+ the start of one or more possible output lines from the server. When it
+ matches, the client silently repeats the comparison using the next server
+ line. When the match fails, the client silently proceeds to the next script
+ line with the then-current server output unconsumed.
+
+(4) If a line starts with three plus signs followed by a space, the rest of the
line specifies a number of seconds to sleep for before proceeding.
-(3) If a line begins with three '>' characters and a space, the rest of the
+(5) If a line begins with three '>' characters and a space, the rest of the
line is input to be sent to the server. Backslash escaping is done as
described below, but no trailing "\r\n" is sent.
-(4) If a line begin with three '<' characters and a space, the rest of the
+(6) If a line begin with three '<' characters and a space, the rest of the
line is a filename; the content of the file is inserted intto the script
at this point.
-(5) Otherwise, the line is an input line line that is sent to the server. Any
+(7) Otherwise, the line is an input line line that is sent to the server. Any
occurrences of \r and \n in the line are turned into carriage return and
linefeed, respectively. This is used for testing PIPELINING.
Any sequences of \x followed by two hex digits are converted to the equvalent
diff --git a/test/scripts/2100-OpenSSL/2114 b/test/scripts/2100-OpenSSL/2114
index 49598e3..cc78ab0 100644
--- a/test/scripts/2100-OpenSSL/2114
+++ b/test/scripts/2100-OpenSSL/2114
@@ -13,6 +13,12 @@ ehlo rhu.barb
??? 250
starttls
??? 220
+noop
+??? 554 Security failure
+quit
+????554 Security failure
+??? 221
+???*
****
### No certificate, certificate optional at TLS time, required by ACL
client-ssl 127.0.0.1 PORT_D
@@ -85,6 +91,8 @@ ehlo rhu.barb
??? 250
starttls
??? 220
+noop
+??? 554 Security failure
****
### Bad certificate, certificate optional at TLS time, reject at ACL time
client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
@@ -124,6 +132,8 @@ ehlo rhu.barb
??? 250
starttls
??? 220
+noop
+??? 554 Security failure
****
### Revoked certificate, certificate optional at TLS time, reject at ACL time
client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
diff --git a/test/src/client.c b/test/src/client.c
index eef82ef..5b998e2 100644
--- a/test/src/client.c
+++ b/test/src/client.c
@@ -553,32 +553,32 @@ while (fgets(CS outbuffer, sizeof(outbuffer), f) != NULL)
/* Expect incoming */
if ( strncmp(CS outbuffer, "???", 3) == 0
- && (outbuffer[3] == ' ' || outbuffer[3] == '*')
+ && (outbuffer[3] == ' ' || outbuffer[3] == '*' || outbuffer[3] == '?')
)
{
unsigned char *lineptr;
unsigned exp_eof = outbuffer[3] == '*';
+ unsigned resp_optional = outbuffer[3] == '?';
printf("%s\n", outbuffer);
n = unescape_buf(outbuffer, n);
+nextinput:
if (*inptr == 0) /* Refill input buffer */
{
+ alarm(timeout);
if (srv->tls_active)
{
#ifdef HAVE_OPENSSL
- rc = SSL_read (srv->ssl, inbuffer, bsiz - 1);
+ rc = SSL_read(srv->ssl, inbuffer, bsiz - 1);
#endif
#ifdef HAVE_GNUTLS
rc = gnutls_record_recv(tls_session, CS inbuffer, bsiz - 1);
#endif
}
else
- {
- alarm(timeout);
rc = read(srv->sock, inbuffer, bsiz);
- alarm(0);
- }
+ alarm(0);
if (rc < 0)
{
@@ -618,19 +618,31 @@ while (fgets(CS outbuffer, sizeof(outbuffer), f) != NULL)
if (*inptr == '\n') inptr++;
}
- printf("<<< %s\n", lineptr);
if (strncmp(CS lineptr, CS outbuffer + 4, n - 4) != 0)
- {
- printf("\n******** Input mismatch ********\n");
- exit(79);
- }
+ if (resp_optional)
+ {
+ inptr = lineptr; /* consume scriptline, not inputline */
+ continue;
+ }
+ else
+ {
+ printf("<<< %s\n", lineptr);
+ printf("\n******** Input mismatch ********\n");
+ exit(79);
+ }
+
+ /* input matched script */
+
+ if (resp_optional)
+ goto nextinput; /* consume inputline, not scriptline */
+
+ printf("<<< %s\n", lineptr);
#ifdef HAVE_TLS
if (srv->sent_starttls)
{
if (lineptr[0] == '2')
{
-int rc;
unsigned int verify;
printf("Attempting to start TLS\n");
@@ -1219,7 +1231,8 @@ do_file(&srv, stdin, timeout, inbuffer, sizeof(inbuffer), inptr);
printf("End of script\n");
shutdown(srv.sock, SHUT_WR);
-while (read(srv.sock, inbuffer, sizeof(inbuffer)) > 0) ;
+if (fcntl(srv.sock, F_SETFL, O_NONBLOCK) == 0)
+ while (read(srv.sock, inbuffer, sizeof(inbuffer)) > 0) ;
close(srv.sock);
exit(0);
diff --git a/test/stdout/2114 b/test/stdout/2114
index c3fa9ce..2a26dd1 100644
--- a/test/stdout/2114
+++ b/test/stdout/2114
@@ -21,6 +21,15 @@ Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
Attempting to start TLS
pppp:error:dddddddd:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:[...]:SSL alert number 40
Failed to start TLS
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
+>>> quit
+????554 Security failure
+??? 221
+<<< 221 myhost.test.ex closing connection
+???*
+Expected EOF read
End of script
### No certificate, certificate optional at TLS time, required by ACL
Connecting to 127.0.0.1 port 1225 ... connected
@@ -153,6 +162,9 @@ Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net
Attempting to start TLS
pppp:error:dddddddd:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:[...]:SSL alert number 48
Failed to start TLS
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
End of script
### Bad certificate, certificate optional at TLS time, reject at ACL time
Connecting to 127.0.0.1 port 1225 ... connected
@@ -214,6 +226,9 @@ Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.c
Attempting to start TLS
pppp:error:dddddddd:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked:[...]:SSL alert number 44
Failed to start TLS
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
End of script
### Revoked certificate, certificate optional at TLS time, reject at ACL time
Connecting to 127.0.0.1 port 1225 ... connected
