Gitweb:
https://git.exim.org/exim.git/commitdiff/7bae7cad680786b64d57e7799ccb7596e091b1bb
Commit: 7bae7cad680786b64d57e7799ccb7596e091b1bb
Parent: 94585d2c0cba68fc9c1de944d84dd2c06836852c
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Feb 10 19:15:43 2019 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sun Feb 10 19:15:43 2019 +0000
Testsuite: harden for TLS1.3 under GnuTLS
---
test/scripts/2000-GnuTLS/2014 | 2 ++
test/src/client.c | 38 +++++++++++++++++++++++++++++++++++++-
test/stdout/2014 | 6 +++++-
3 files changed, 44 insertions(+), 2 deletions(-)
diff --git a/test/scripts/2000-GnuTLS/2014 b/test/scripts/2000-GnuTLS/2014
index 8c23e2c..5bd5858 100644
--- a/test/scripts/2000-GnuTLS/2014
+++ b/test/scripts/2000-GnuTLS/2014
@@ -134,6 +134,8 @@ ehlo rhu7.barb
??? 250
starttls
??? 220
+mail from:<userx@???>
+??? 554
****
### Revoked certificate, certificate optional at TLS time, reject at ACL time
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
diff --git a/test/src/client.c b/test/src/client.c
index c0c017d..64b8203 100644
--- a/test/src/client.c
+++ b/test/src/client.c
@@ -604,7 +604,21 @@ nextinput:
}
#endif
#ifdef HAVE_GNUTLS
+ retry1:
+ DEBUG { printf("call gnutls_record_recv\n"); fflush(stdout); }
rc = gnutls_record_recv(tls_session, CS inbuffer, bsiz - 1);
+ if (rc < 0)
+ {
+ DEBUG { printf("gnutls_record_recv: %s\n", gnutls_strerror(rc)); fflush(stdout); }
+ if (rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN)
+ goto retry1;
+ printf("%s\n", gnutls_strerror(rc));
+ srv->tls_active = FALSE;
+ *inptr = 0;
+ DEBUG { printf("go round\n"); fflush(stdout); }
+ goto nextinput;
+ }
+ DEBUG { printf("gnutls_record_recv: %d\n", rc); fflush(stdout); }
#endif
}
else
@@ -619,7 +633,7 @@ nextinput:
{
if (errno == EINTR && sigalrm_seen && resp_optional)
continue; /* next scriptline */
- printf("Read error %s\n", strerror(errno));
+ printf("Read error: %s\n", strerror(errno));
exit(81);
}
else if (rc == 0)
@@ -702,6 +716,9 @@ nextinput:
#ifdef HAVE_GNUTLS
{
int rc;
+ fd_set rfd;
+ struct timeval tv = { 0, 2000 };
+
sigalrm_seen = FALSE;
alarm(timeout);
do {
@@ -711,6 +728,25 @@ nextinput:
alarm(0);
if (!srv->tls_active) printf("%s\n", gnutls_strerror(rc));
+
+ /* look for an error on the TLS conn */
+ FD_ZERO(&rfd);
+ FD_SET(srv->sock, &rfd);
+ if (select(srv->sock+1, &rfd, NULL, NULL, &tv) > 0)
+ {
+ retry2:
+ DEBUG { printf("call gnutls_record_recv\n"); fflush(stdout); }
+ rc = gnutls_record_recv(tls_session, CS inbuffer, bsiz - 1);
+ if (rc < 0)
+ {
+ DEBUG { printf("gnutls_record_recv: %s\n", gnutls_strerror(rc)); fflush(stdout); }
+ if (rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN)
+ goto retry2;
+ printf("%s\n", gnutls_strerror(rc));
+ srv->tls_active = FALSE;
+ }
+ DEBUG { printf("gnutls_record_recv: %d\n", rc); fflush(stdout); }
+ }
}
#endif
diff --git a/test/stdout/2014 b/test/stdout/2014
index d29a3bd..829a86c 100644
--- a/test/stdout/2014
+++ b/test/stdout/2014
@@ -212,7 +212,11 @@ Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.c
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-Succeeded in starting TLS
+A TLS fatal alert has been received.
+Failed to start TLS
+>>> mail from:<userx@???>
+??? 554
+<<< 554 Security failure
End of script
### Revoked certificate, certificate optional at TLS time, reject at ACL time
Connecting to 127.0.0.1 port 1225 ... connected
