Gitweb:
https://git.exim.org/exim.git/commitdiff/5b195d6b9592fcef09b0b3b31390e73226deffc9
Commit: 5b195d6b9592fcef09b0b3b31390e73226deffc9
Parent: 5694b9058458fa8bd0a1f28bcb874f5108543ce3
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Nov 14 15:59:42 2019 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Thu Nov 14 15:59:42 2019 +0000
TLS: variables $tls_(in,out)_tlsver
---
doc/doc-docbook/spec.xfpt | 13 +++++++++++++
doc/doc-txt/NewStuff | 3 +++
src/src/deliver.c | 8 ++++++--
src/src/expand.c | 2 ++
src/src/globals.h | 1 +
src/src/smtp_in.c | 2 +-
src/src/spool_in.c | 19 ++++++++++---------
src/src/spool_out.c | 1 +
src/src/structs.h | 1 +
src/src/tls-gnu.c | 4 ++++
src/src/tls-openssl.c | 28 ++++++++++++++++++++++------
src/src/transports/smtp.c | 3 +++
test/confs/2002 | 3 +++
test/confs/2102 | 3 +++
test/confs/5710 | 2 ++
test/confs/5720 | 2 ++
test/log/2002 | 3 +++
test/log/2102 | 3 +++
test/log/2102.openssl_1_1_1 | 3 +++
test/log/5710 | 8 ++++++++
test/log/5720 | 8 ++++++++
test/runtest | 15 ++++++++++++---
22 files changed, 114 insertions(+), 21 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 19c15c2..f0b7a62 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -13513,6 +13513,19 @@ the transport.
.vindex &$tls_out_tlsa_usage$&
Bitfield of TLSA record types found. See section &<<SECDANE>>&.
+.new
+.vitem &$tls_in_ver$&
+.vindex "&$tls_in_ver$&"
+When a message is received from a remote host over an encrypted SMTP connection
+this variable is set to the protocol version, eg &'TLS1.2'&.
+
+.vitem &$tls_out_ver$&
+.vindex "&$tls_out_ver$&"
+When a message is being delivered to a remote host over an encrypted SMTP connection
+this variable is set to the protocol version.
+.wen
+
+
.vitem &$tod_bsdinbox$&
.vindex "&$tod_bsdinbox$&"
The time of day and the date, in the format required for BSD-style mailbox
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index fd1ab8b..fbd1a5e 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -12,6 +12,9 @@ Version 4.next
1. EXPERIMENTAL_SRS_NATIVE optional build feature. See the experimental.spec
file.
+ 2. Variables $tls_in_ver, $tls_out_ver.
+
+
Version 4.93
------------
diff --git a/src/src/deliver.c b/src/src/deliver.c
index b89671c..58874ad 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -1610,6 +1610,7 @@ if (result == OK)
tls_out.peercert = addr->peercert;
addr->peercert = NULL;
+ tls_out.ver = addr->tlsver;
tls_out.cipher = addr->cipher;
tls_out.peerdn = addr->peerdn;
tls_out.ocsp = addr->ocsp;
@@ -1623,6 +1624,7 @@ if (result == OK)
#ifndef DISABLE_TLS
tls_free_cert(&tls_out.ourcert);
tls_free_cert(&tls_out.peercert);
+ tls_out.ver = NULL;
tls_out.cipher = NULL;
tls_out.peerdn = NULL;
tls_out.ocsp = OCSP_NOT_REQ;
@@ -3480,11 +3482,13 @@ while (!done)
switch (*subid)
{
case '1':
- addr->cipher = NULL;
- addr->peerdn = NULL;
+ addr->tlsver = addr->cipher = addr->peerdn = NULL;
if (*ptr)
+ {
addr->cipher = string_copy(ptr);
+ addr->tlsver = string_copyn(ptr, Ustrchr(ptr, ':') - ptr);
+ }
while (*ptr++);
if (*ptr)
addr->peerdn = string_copy(ptr);
diff --git a/src/src/expand.c b/src/src/expand.c
index 1cd08df..366cd73 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -776,6 +776,7 @@ static var_entry var_table[] = {
#ifndef DISABLE_TLS
{ "tls_in_sni", vtype_stringptr, &tls_in.sni },
#endif
+ { "tls_in_ver", vtype_stringptr, &tls_in.ver },
{ "tls_out_bits", vtype_int, &tls_out.bits },
{ "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified },
{ "tls_out_cipher", vtype_stringptr, &tls_out.cipher },
@@ -796,6 +797,7 @@ static var_entry var_table[] = {
#ifdef SUPPORT_DANE
{ "tls_out_tlsa_usage", vtype_int, &tls_out.tlsa_usage },
#endif
+ { "tls_out_ver", vtype_stringptr, &tls_out.ver },
{ "tls_peerdn", vtype_stringptr, &tls_in.peerdn }, /* mind the alphabetical order! */
#ifndef DISABLE_TLS
diff --git a/src/src/globals.h b/src/src/globals.h
index ee89fd1..1754d3e 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -89,6 +89,7 @@ typedef struct {
#endif
uschar *cipher; /* Cipher used */
const uschar *cipher_stdname; /* Cipher used, RFC version */
+ const uschar *ver; /* TLS version */
BOOL on_connect; /* For older MTAs that don't STARTTLS */
uschar *on_connect_ports; /* Ports always tls-on-connect */
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index bd29d2c..ddf98ec 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -2466,7 +2466,7 @@ if (!host_checking && !f.sender_host_notsocket)
authenticated_by = NULL;
#ifndef DISABLE_TLS
-tls_in.cipher = tls_in.peerdn = NULL;
+tls_in.ver = tls_in.cipher = tls_in.peerdn = NULL;
tls_in.ourcert = tls_in.peercert = NULL;
tls_in.sni = NULL;
tls_in.ocsp = OCSP_NOT_REQ;
diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index f393d4d..cbd2751 100644
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
@@ -278,7 +278,7 @@ tls_in.certificate_verified = FALSE;
# ifdef SUPPORT_DANE
tls_in.dane_verified = FALSE;
# endif
-tls_in.cipher = NULL;
+tls_in.ver = tls_in.cipher = NULL;
# ifndef COMPILE_UTILITY /* tls support fns not built in */
tls_free_cert(&tls_in.ourcert);
tls_free_cert(&tls_in.peercert);
@@ -665,24 +665,25 @@ for (;;)
if (Ustrncmp(q, "certificate_verified", 20) == 0)
tls_in.certificate_verified = TRUE;
else if (Ustrncmp(q, "cipher", 6) == 0)
- tls_in.cipher = string_copy_taint(var + 11, tainted);
+ tls_in.cipher = string_copy_taint(q+7, tainted);
# ifndef COMPILE_UTILITY /* tls support fns not built in */
else if (Ustrncmp(q, "ourcert", 7) == 0)
- (void) tls_import_cert(var + 12, &tls_in.ourcert);
+ (void) tls_import_cert(q+8, &tls_in.ourcert);
else if (Ustrncmp(q, "peercert", 8) == 0)
- (void) tls_import_cert(var + 13, &tls_in.peercert);
+ (void) tls_import_cert(q+9, &tls_in.peercert);
# endif
else if (Ustrncmp(q, "peerdn", 6) == 0)
- tls_in.peerdn = string_unprinting(string_copy_taint(var + 11, tainted));
+ tls_in.peerdn = string_unprinting(string_copy_taint(q+7, tainted));
else if (Ustrncmp(q, "sni", 3) == 0)
- tls_in.sni = string_unprinting(string_copy_taint(var + 8, tainted));
+ tls_in.sni = string_unprinting(string_copy_taint(q+4, tainted));
else if (Ustrncmp(q, "ocsp", 4) == 0)
- tls_in.ocsp = var[9] - '0';
+ tls_in.ocsp = q[5] - '0';
# ifdef EXPERIMENTAL_TLS_RESUME
else if (Ustrncmp(q, "resumption", 10) == 0)
- tls_in.resumption = var[15] - 'A';
+ tls_in.resumption = q[11] - 'A';
# endif
-
+ else if (Ustrncmp(q, "ver", 3) == 0)
+ tls_in.ver = string_copy_taint(q+4, tainted);
}
break;
#endif
diff --git a/src/src/spool_out.c b/src/src/spool_out.c
index acc6c7b..c766b14 100644
--- a/src/src/spool_out.c
+++ b/src/src/spool_out.c
@@ -263,6 +263,7 @@ if (tls_in.ocsp) fprintf(fp, "-tls_ocsp %d\n", tls_in.ocsp);
# ifdef EXPERIMENTAL_TLS_RESUME
fprintf(fp, "-tls_resumption %c\n", 'A' + tls_in.resumption);
# endif
+if (tls_in.ver) spool_var_write(fp, US"tls_ver", tls_in.ver);
#endif
#ifdef SUPPORT_I18N
diff --git a/src/src/structs.h b/src/src/structs.h
index 6662e64..1d867c5 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -570,6 +570,7 @@ typedef struct address_item {
uschar *shadow_message; /* info about shadow transporting */
#ifndef DISABLE_TLS
+ const uschar *tlsver; /* version used for transport */
uschar *cipher; /* Cipher used for transport */
void *ourcert; /* Certificate offered to peer, binary */
void *peercert; /* Certificate from peer, binary */
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 6cd9bf7..eaec862 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -468,6 +468,7 @@ Sets:
tls_bits strength indicator
tls_certificate_verified bool indicator
tls_channelbinding_b64 for some SASL mechanisms
+ tls_ver a string
tls_cipher a string
tls_peercert pointer to library internal
tls_peerdn a string
@@ -1754,6 +1755,7 @@ old_pool = store_pool;
/* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
+ tlsp->ver = string_copyn(g->s, g->ptr);
g = string_catn(g, US":", 1);
if (*s) s++; /* now on _ between groups */
while ((c = *s))
@@ -1778,6 +1780,8 @@ old_pool = store_pool;
releases did return "TLS 1.0"; play it safe, just in case. */
for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
+ tlsp->ver = string_copyn(state->ciphersuite,
+ Ustrchr(state->ciphersuite, ':') - state->ciphersuite);
#endif
/* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index c5e1abf..7a82e1d 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2212,14 +2212,13 @@ Returns: pointer to allocated string in perm-pool
*/
static uschar *
-construct_cipher_name(SSL * ssl, int * bits)
+construct_cipher_name(SSL * ssl, const uschar * ver, int * bits)
{
int pool = store_pool;
/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
the accessor functions use const in the prototype. */
-const uschar * ver = CUS SSL_get_version(ssl);
const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
uschar * s;
@@ -2250,6 +2249,21 @@ return cipher_stdname(id >> 8, id & 0xff);
}
+static const uschar *
+tlsver_name(SSL * ssl)
+{
+uschar * s, * p;
+int pool = store_pool;
+
+store_pool = POOL_PERM;
+s = string_copy(US SSL_get_version(ssl));
+store_pool = pool;
+if ((p = Ustrchr(s, 'v'))) /* TLSv1.2 -> TLS1.2 */
+ for (;; p++) if (!(*p = p[1])) break;
+return CUS s;
+}
+
+
static void
peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
{
@@ -2688,12 +2702,13 @@ if (SSL_session_reused(server_ssl))
}
#endif
-/* TLS has been set up. Adjust the input functions to read via TLS,
-and initialize things. */
+/* TLS has been set up. Record data for the connection,
+adjust the input functions to read via TLS, and initialize things. */
peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
-tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits);
+tls_in.ver = tlsver_name(server_ssl);
+tls_in.cipher = construct_cipher_name(server_ssl, tls_in.ver, &tls_in.bits);
tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
DEBUG(D_tls)
@@ -3278,7 +3293,8 @@ tls_client_resume_posthandshake(exim_client_ctx, tlsp);
peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
-tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits);
+tlsp->ver = tlsver_name(exim_client_ctx->ssl);
+tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, tlsp->ver, &tlsp->bits);
tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
/* Record the certificate we presented */
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 383d202..dee546c 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -2084,6 +2084,7 @@ tls_out.ocsp = OCSP_NOT_REQ;
#ifdef EXPERIMENTAL_TLS_RESUME
tls_out.resumption = 0;
#endif
+tls_out.ver = NULL;
/* Flip the legacy TLS-related variables over to the outbound set in case
they're used in the context of the transport. Don't bother resetting
@@ -2604,6 +2605,7 @@ if ( smtp_peer_options & OPTION_TLS
addr->peercert = tls_out.peercert;
addr->peerdn = tls_out.peerdn;
addr->ocsp = tls_out.ocsp;
+ addr->tlsver = tls_out.ver;
}
}
}
@@ -4560,6 +4562,7 @@ for (address_item * addr = addrlist; addr; addr = addr->next)
addr->peercert = NULL;
addr->peerdn = NULL;
addr->ocsp = OCSP_NOT_REQ;
+ addr->tlsver = NULL;
#endif
#ifdef EXPERIMENTAL_DSN_INFO
addr->smtp_greeting = NULL;
diff --git a/test/confs/2002 b/test/confs/2002
index dfeb172..6475fb7 100644
--- a/test/confs/2002
+++ b/test/confs/2002
@@ -62,6 +62,9 @@ check_recipient:
logwrite = sha1 fingerprint ${sha1:$tls_in_peercert}
logwrite = sha256 fingerprint ${sha256:$tls_in_peercert}
logwrite = der_b64 ${base64:$tls_in_peercert}
+ logwrite = cipher: $tls_in_cipher
+ logwrite = cipher_ $tls_in_cipher_std
+ logwrite = ver: $tls_in_ver
# ----- Routers -----
diff --git a/test/confs/2102 b/test/confs/2102
index 99f659f..5e156d4 100644
--- a/test/confs/2102
+++ b/test/confs/2102
@@ -72,6 +72,9 @@ check_recipient:
logwrite = sha1 fingerprint ${sha1:$tls_in_peercert}
logwrite = sha256 fingerprint ${sha256:$tls_in_peercert}
logwrite = der_b64 ${base64:$tls_in_peercert}
+ logwrite = cipher: $tls_in_cipher
+ logwrite = cipher_ $tls_in_cipher_std
+ logwrite = ver: $tls_in_ver
# ----- Routers -----
diff --git a/test/confs/5710 b/test/confs/5710
index 6ab64f4..85293a5 100644
--- a/test/confs/5710
+++ b/test/confs/5710
@@ -71,6 +71,8 @@ logger:
message = ${acl {ev_tls}}
accept condition = ${if eq {smtp:ehlo}{$event_name}}
logwrite = $tls_out_cipher smtp:ehlo $event_data
+ logwrite = cipher_ $tls_out_cipher_std
+ logwrite = ver: $tls_out_ver
accept
# ----- Routers -----
diff --git a/test/confs/5720 b/test/confs/5720
index 0304349..9062662 100644
--- a/test/confs/5720
+++ b/test/confs/5720
@@ -71,6 +71,8 @@ logger:
message = ${acl {ev_tls}}
accept condition = ${if eq {smtp:ehlo}{$event_name}}
logwrite = $tls_out_cipher smtp:ehlo $event_data
+ logwrite = cipher_ $tls_out_cipher_std
+ logwrite = ver: $tls_out_ver
accept
# ----- Routers -----
diff --git a/test/log/2002 b/test/log/2002
index 825c0df..36ea6c1 100644
--- a/test/log/2002
+++ b/test/log/2002
@@ -41,6 +41,9 @@
1999-03-02 09:44:33 sha1 fingerprint E75D537E478758010505D4F339B00DFD73728088
1999-03-02 09:44:33 sha256 fingerprint E251FA7D0372CB784294CF92B243DCE53FDDABD9F58A1B89226586C07C82CAC6
1999-03-02 09:44:33 der_b64 MIIDuDCCAqCgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIxMTAxMTI0MDA0WhcNMzcxMjAxMTI0MDA0WjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA52Rfiv2Igy0NiaKN5gc0VPLbEoHngkdJWv3wEORp+iFl6skQRbsCylT8djJ2pvHstFpnzSodF3Wwjj2/EDuj3iKBzN9HeXJOvJz8j9Si1xkgCxJeUjPGgYcvKdxybaZAOpi9l3xwPCCEXN4JBq/WaQQ9+eP1PczeMNfvFtXma+VcHXG743ttPOv7eSMr0JxQl3zjQvYGOhFP/KAw6jh/N6YPqii9kV0cC/ubeVzpqJ5/+hndx5YrmAu39N5qzwWujhDPkFNSgCJUhfkEiMaQiPxFxDTbUzWnQ5jpAQ5El4WJVkGWkqxose1bOjSSNzFPJt59YtxxJC3IWN3UtGODTwIDAQABo4HmMIHjMA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTgYDVR0jBEcwRYANQUFidHdDeGNYZ2IwUaExpC8wLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMTDGNsaWNhIENBIHJzYYIBQjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzApBgNVHREEIjAgghNzZXJ2ZXIyLmV4YW1wbGUuY29tggkqLnRlc3QuZXgwDQYJKoZIhvcNAQELBQADggEBALHOkZkvHLpNm0QSof09vmmdNFE6/+0TCIoPExeqqSOsy4NsF+Ha46WttjJRSVtbhRxF8jxEU7btPiFgQUaOcJZTwQPDhmQSOPNO8GS46oJ57aQ7U7O+X3M1sVS5Pa2IzE6vrJSh349/CNbTA8WPQdWLlxVJhJXAcZNtaEu6lCsZuDSMTpAsW5I4+snyrm3yvP5t0eD28K5LgCKePX962drkAOP6XGQ51VnbMQ7b1TSdQedtYKIpR3VKUvG5Ky/+0c+Rmwfi2aQ8oXXwekzJyS5jvovdVVsdhO68It+Rz/zursN5Pn+Gj1YuQNUs2nDrGHN+VIIFpgWUjLZO4bcJctY=
+1999-03-02 09:44:33 cipher: TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 cipher_ TLS1.x:ke_RSA_WITH_ci_mac
+1999-03-02 09:44:33 ver: TLS1.x
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server2.example.com" S=sss
1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
1999-03-02 09:44:33 Peer did not present a cert
diff --git a/test/log/2102 b/test/log/2102
index 215bbe2..bddb8e9 100644
--- a/test/log/2102
+++ b/test/log/2102
@@ -39,6 +39,9 @@
1999-03-02 09:44:33 sha1 fingerprint E75D537E478758010505D4F339B00DFD73728088
1999-03-02 09:44:33 sha256 fingerprint E251FA7D0372CB784294CF92B243DCE53FDDABD9F58A1B89226586C07C82CAC6
1999-03-02 09:44:33 der_b64 MIIDuDCCAqCgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIxMTAxMTI0MDA0WhcNMzcxMjAxMTI0MDA0WjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA52Rfiv2Igy0NiaKN5gc0VPLbEoHngkdJWv3wEORp+iFl6skQRbsCylT8djJ2pvHstFpnzSodF3Wwjj2/EDuj3iKBzN9HeXJOvJz8j9Si1xkgCxJeUjPGgYcvKdxybaZAOpi9l3xwPCCEXN4JBq/WaQQ9+eP1PczeMNfvFtXma+VcHXG743ttPOv7eSMr0JxQl3zjQvYGOhFP/KAw6jh/N6YPqii9kV0cC/ubeVzpqJ5/+hndx5YrmAu39N5qzwWujhDPkFNSgCJUhfkEiMaQiPxFxDTbUzWnQ5jpAQ5El4WJVkGWkqxose1bOjSSNzFPJt59YtxxJC3IWN3UtGODTwIDAQABo4HmMIHjMA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTgYDVR0jBEcwRYANQUFidHdDeGNYZ2IwUaExpC8wLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMTDGNsaWNhIENBIHJzYYIBQjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzApBgNVHREEIjAgghNzZXJ2ZXIyLmV4YW1wbGUuY29tggkqLnRlc3QuZXgwDQYJKoZIhvcNAQELBQADggEBALHOkZkvHLpNm0QSof09vmmdNFE6/+0TCIoPExeqqSOsy4NsF+Ha46WttjJRSVtbhRxF8jxEU7btPiFgQUaOcJZTwQPDhmQSOPNO8GS46oJ57aQ7U7O+X3M1sVS5Pa2IzE6vrJSh349/CNbTA8WPQdWLlxVJhJXAcZNtaEu6lCsZuDSMTpAsW5I4+snyrm3yvP5t0eD28K5LgCKePX962drkAOP6XGQ51VnbMQ7b1TSdQedtYKIpR3VKUvG5Ky/+0c+Rmwfi2aQ8oXXwekzJyS5jvovdVVsdhO68It+Rz/zursN5Pn+Gj1YuQNUs2nDrGHN+VIIFpgWUjLZO4bcJctY=
+1999-03-02 09:44:33 cipher: TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 cipher_ TLS1.x:ke_RSA_WITH_ci_mac
+1999-03-02 09:44:33 ver: TLSv1.x
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server2.example.com" S=sss
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 Our cert SN: <CN=server1.example_ec.com>
diff --git a/test/log/2102.openssl_1_1_1 b/test/log/2102.openssl_1_1_1
index 3e2e65f..951caaf 100644
--- a/test/log/2102.openssl_1_1_1
+++ b/test/log/2102.openssl_1_1_1
@@ -39,6 +39,9 @@
1999-03-02 09:44:33 sha1 fingerprint E75D537E478758010505D4F339B00DFD73728088
1999-03-02 09:44:33 sha256 fingerprint E251FA7D0372CB784294CF92B243DCE53FDDABD9F58A1B89226586C07C82CAC6
1999-03-02 09:44:33 der_b64 MIIDuDCCAqCgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIxMTAxMTI0MDA0WhcNMzcxMjAxMTI0MDA0WjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA52Rfiv2Igy0NiaKN5gc0VPLbEoHngkdJWv3wEORp+iFl6skQRbsCylT8djJ2pvHstFpnzSodF3Wwjj2/EDuj3iKBzN9HeXJOvJz8j9Si1xkgCxJeUjPGgYcvKdxybaZAOpi9l3xwPCCEXN4JBq/WaQQ9+eP1PczeMNfvFtXma+VcHXG743ttPOv7eSMr0JxQl3zjQvYGOhFP/KAw6jh/N6YPqii9kV0cC/ubeVzpqJ5/+hndx5YrmAu39N5qzwWujhDPkFNSgCJUhfkEiMaQiPxFxDTbUzWnQ5jpAQ5El4WJVkGWkqxose1bOjSSNzFPJt59YtxxJC3IWN3UtGODTwIDAQABo4HmMIHjMA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTgYDVR0jBEcwRYANQUFidHdDeGNYZ2IwUaExpC8wLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMTDGNsaWNhIENBIHJzYYIBQjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzApBgNVHREEIjAgghNzZXJ2ZXIyLmV4YW1wbGUuY29tggkqLnRlc3QuZXgwDQYJKoZIhvcNAQELBQADggEBALHOkZkvHLpNm0QSof09vmmdNFE6/+0TCIoPExeqqSOsy4NsF+Ha46WttjJRSVtbhRxF8jxEU7btPiFgQUaOcJZTwQPDhmQSOPNO8GS46oJ57aQ7U7O+X3M1sVS5Pa2IzE6vrJSh349/CNbTA8WPQdWLlxVJhJXAcZNtaEu6lCsZuDSMTpAsW5I4+snyrm3yvP5t0eD28K5LgCKePX962drkAOP6XGQ51VnbMQ7b1TSdQedtYKIpR3VKUvG5Ky/+0c+Rmwfi2aQ8oXXwekzJyS5jvovdVVsdhO68It+Rz/zursN5Pn+Gj1YuQNUs2nDrGHN+VIIFpgWUjLZO4bcJctY=
+1999-03-02 09:44:33 cipher: TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 cipher_ TLS1.x:ke_RSA_WITH_ci_mac
+1999-03-02 09:44:33 ver: TLS1.x
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server2.example.com" S=sss
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 Our cert SN: <CN=server1.example_ec.com>
diff --git a/test/log/5710 b/test/log/5710
index 72bba14..4a3a180 100644
--- a/test/log/5710
+++ b/test/log/5710
@@ -2,6 +2,8 @@
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP
+1999-03-02 09:44:33 10HmaX-0005vi-00 cipher_
+1999-03-02 09:44:33 10HmaX-0005vi-00 ver:
1999-03-02 09:44:33 10HmaX-0005vi-00 tls:cert depth=0 <CN=server1.example.com>
1999-03-02 09:44:33 10HmaX-0005vi-00 msg:host:defer bad
1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented
@@ -19,14 +21,20 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 CRU <http://crl.example.com/latest.crl>
1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session: (certificate verification failed): certificate invalid: delivering unencrypted to H=127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
1999-03-02 09:44:33 10HmaX-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP
+1999-03-02 09:44:33 10HmaX-0005vi-00 cipher_ TLS1.x:ke_RSA_WITH_ci_mac
+1999-03-02 09:44:33 10HmaX-0005vi-00 ver:
1999-03-02 09:44:33 10HmaX-0005vi-00 => bad@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 msg:delivery bad
1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented
1999-03-02 09:44:33 10HmaX-0005vi-00 No Peer cert
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaY-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP
+1999-03-02 09:44:33 10HmaY-0005vi-00 cipher_
+1999-03-02 09:44:33 10HmaY-0005vi-00 ver:
1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=0 <CN=server1.example.com>
1999-03-02 09:44:33 10HmaY-0005vi-00 TLS1.x:ke-RSA-AES256-SHAnnn:xxx smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250 HELP
+1999-03-02 09:44:33 10HmaY-0005vi-00 cipher_ TLS1.x:ke_RSA_WITH_ci_mac
+1999-03-02 09:44:33 10HmaY-0005vi-00 ver: TLS1.x
1999-03-02 09:44:33 10HmaY-0005vi-00 => good@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 msg:delivery good
1999-03-02 09:44:33 10HmaY-0005vi-00 Our cert SN: CN=server2.example.com
diff --git a/test/log/5720 b/test/log/5720
index 066f7fb..4f6254f 100644
--- a/test/log/5720
+++ b/test/log/5720
@@ -2,6 +2,8 @@
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP
+1999-03-02 09:44:33 10HmaX-0005vi-00 cipher_
+1999-03-02 09:44:33 10HmaX-0005vi-00 ver:
1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=2 error=self signed certificate in certificate chain cert=/O=example.com/CN=clica CA rsa
1999-03-02 09:44:33 10HmaX-0005vi-00 msg:host:defer bad
1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented
@@ -20,16 +22,22 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 (no CRU)
1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session: (SSL_connect): error: <<detail omitted>>
1999-03-02 09:44:33 10HmaX-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP
+1999-03-02 09:44:33 10HmaX-0005vi-00 cipher_
+1999-03-02 09:44:33 10HmaX-0005vi-00 ver:
1999-03-02 09:44:33 10HmaX-0005vi-00 => bad@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 msg:delivery bad
1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented
1999-03-02 09:44:33 10HmaX-0005vi-00 No Peer cert
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaY-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP
+1999-03-02 09:44:33 10HmaY-0005vi-00 cipher_
+1999-03-02 09:44:33 10HmaY-0005vi-00 ver:
1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=2 <CN=clica CA rsa,O=example.com>
1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=1 <CN=clica Signing Cert rsa,O=example.com>
1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=0 <CN=server1.example.com>
1999-03-02 09:44:33 10HmaY-0005vi-00 TLS1.x:ke-RSA-AES256-SHAnnn:xxx smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250 HELP
+1999-03-02 09:44:33 10HmaY-0005vi-00 cipher_ TLS1.x:ke_RSA_WITH_ci_mac
+1999-03-02 09:44:33 10HmaY-0005vi-00 ver: TLS1.x
1999-03-02 09:44:33 10HmaY-0005vi-00 => good@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 msg:delivery good
1999-03-02 09:44:33 10HmaY-0005vi-00 Our cert SN: CN=server2.example.com
diff --git a/test/runtest b/test/runtest
index 6e9255b..3fd125c 100755
--- a/test/runtest
+++ b/test/runtest
@@ -552,15 +552,19 @@ RESET_AFTER_EXTRA_LINE_READ:
# the older (comment) style, keeping only the Auth element
# (discarding kex, cipher, mac). For TLS 1.3 there is no kex
# element (and no _WITH); insert a spurious "RSA".
+ # Also in $tls_X_cipher_std reporting.
s/^\s+by .+ with .+ \K tls TLS_.*?([^_]+)_WITH.+$/(TLS1.x:ke-$1-AES256-SHAnnn:xxx)/;
s/^\s+by .+ with .+ \K tls TLS_.+$/(TLS1.x:ke-RSA-AES256-SHAnnn:xxx)/;
+ s/ cipher_ TLS_.*?([^_]+)_WITH.+$/ cipher_ TLS1.x:ke_$1_WITH_ci_mac/;
+ s/ cipher_ TLS_.*$/ cipher_ TLS1.x:ke_RSA_WITH_ci_mac/;
+
# Test machines might have various different TLS library versions supporting
# different protocols; can't rely upon TLS 1.2's AES256-GCM-SHA384, so we
# treat the standard algorithms the same.
#
- # TLSversion : KeyExchange? - Authentication/Signature - C_iph_er - MAC : ???
+ # TLSversion : KeyExchange? - Authentication/Signature - C_iph_er - MAC : bits
#
# So far, have seen:
# TLSv1:AES128-GCM-SHA256:128
@@ -578,7 +582,7 @@ RESET_AFTER_EXTRA_LINE_READ:
#
# Retain the authentication algorith field as we want to test that.
- s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1(\.[123])?:/$1TLS1.x:/xg;
+ s/( (?: (?:\b|\s) [\(=] ) | \s )TLS1(\.[123])?:/$1TLS1.x:/xg;
s/(?<!ke-)((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA)(?!:)/ke-$3-AES256-SHAnnn/g;
s/(?<!ke-)((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA):(128|256)/ke-$3-AES256-SHAnnn:xxx/g;
@@ -633,10 +637,11 @@ RESET_AFTER_EXTRA_LINE_READ:
# DHE-RSA-AES256-SHA
# picking latter as canonical simply because regex easier that way.
s/\bDHE_RSA_AES_128_CBC_SHA1:128/RSA-AES256-SHA1:256/g;
- s/TLS1.[0123](-PKIX)?: # TLS version
+ s/TLS1.[x0123](-PKIX)?: # TLS version
((EC)?DHE(_((?<psk>PSK)_)?((?<auth>RSA|ECDSA)_)?
(SECP(256|521)R1|X25519))?__?)? # key-exchange
((?<auth>RSA|ECDSA)((_PSS_RSAE)?_SHA(512|256))?__?)? # authentication
+ (?<with>WITH_)? # stdname-with
AES_(256|128)_(CBC|GCM) # cipher
(__?AEAD)? # pseudo-MAC
(__?SHA(1|256|384))? # PRF
@@ -644,10 +649,14 @@ RESET_AFTER_EXTRA_LINE_READ:
/"TLS1.x:ke-"
. (defined($+{psk}) ? $+{psk} : "")
. (defined($+{auth}) ? $+{auth} : "")
+ . (defined($+{with}) ? $+{with} : "")
. "-AES256-SHAnnn:xxx"/gex;
s/TLS1.2:RSA__CAMELLIA_256_GCM(_SHA384)?:256/TLS1.2:RSA_CAMELLIA_256_GCM-SHAnnn:256/g;
s/\b(ECDHE-(RSA|ECDSA)-AES256-SHA|DHE-RSA-AES256-SHA256)\b/ke-$2-AES256-SHAnnn/g;
+ # Separate reporting of TLS version
+ s/ver: TLS1(\.[123])?$/ver: TLS1.x/;
+
# GnuTLS library error message changes
s/(No certificate was found|Certificate is required)/The peer did not send any certificate/g;
#(dodgy test?) s/\(certificate verification failed\): invalid/\(gnutls_handshake\): The peer did not send any certificate./g;
