[exim-cvs] Testsuite: quieten timing-dependent testcase

Etusivu
Poista viesti
Vastaa
Lähettäjä: Exim Git Commits Mailing List
Päiväys:  
Vastaanottaja: exim-cvs
Aihe: [exim-cvs] Testsuite: quieten timing-dependent testcase
Gitweb: https://git.exim.org/exim.git/commitdiff/4b98b16dbae9610e439e9d4e60951cbcabd2380d
Commit:     4b98b16dbae9610e439e9d4e60951cbcabd2380d
Parent:     fbc9cad45187d2cf1ef2665cc45a41220fd66513
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Dec 15 20:22:01 2022 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sat Dec 17 14:09:11 2022 +0000


    Testsuite: quieten timing-dependent testcase
---
 test/scripts/2000-GnuTLS/2014 | 17 ++++++++++++----
 test/src/client.c             | 46 +++++++++++++++++++++++++------------------
 test/stdout/2014              | 14 ++++++-------
 3 files changed, 47 insertions(+), 30 deletions(-)


diff --git a/test/scripts/2000-GnuTLS/2014 b/test/scripts/2000-GnuTLS/2014
index 16bcbe4a9..6ecfeccfc 100644
--- a/test/scripts/2000-GnuTLS/2014
+++ b/test/scripts/2000-GnuTLS/2014
@@ -128,8 +128,15 @@ killdaemon
exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
****
### Otherwise good but revoked certificate, certificate required
+# The trace for this test appears in the mainlog
+# - but the stdout from the client is a problem: the server sends a TLS ALERT. If the client sees that early enough
+# then it says that + "Failed to start TLS". But if it's later, it says "Succeeded in starting TLS"
+# and only another command from the client elicits anything from the server (eg "554 Security failure").
+# How can we test this?
+# An option on client to be quiet about tls problems.
+#
# GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
-client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
+client-gnutls -tls-quiet HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu7.barb
??? 250-
@@ -138,10 +145,12 @@ ehlo rhu7.barb
??? 250-
??? 250-
??? 250
-starttls
+STARTTLS
??? 220
-helo test
-??? 554
+NOP
+??? 554 Security failure
+QUIT
+220
****
### Revoked certificate, certificate optional at TLS time, reject at ACL time
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
diff --git a/test/src/client.c b/test/src/client.c
index 250f7af8b..2544ec84a 100644
--- a/test/src/client.c
+++ b/test/src/client.c
@@ -137,6 +137,7 @@ static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 };
#ifdef HAVE_TLS
char * ocsp_stapling = NULL;
char * pri_string = NULL;
+int tls_quiet = 0;
#endif


@@ -739,7 +740,7 @@ nextinput:
       srv->tls_active = rc >= 0;
       alarm(0);


-      if (!srv->tls_active) printf("%s\n", gnutls_strerror(rc));
+      if (!srv->tls_active && !tls_quiet) printf("gnutls_handshake: %s\n", gnutls_strerror(rc));


       /* look for an error on the TLS conn */
       FD_ZERO(&rfd);
@@ -754,7 +755,7 @@ nextinput:
           DEBUG { printf("gnutls_record_recv: %s\n", gnutls_strerror(rc)); fflush(stdout); }
           if (rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN)
         goto retry2;
-          printf("%s\n", gnutls_strerror(rc));
+          if (!tls_quiet) printf("gnutls_record_recv: %s\n", gnutls_strerror(rc));
           srv->tls_active = FALSE;
           }
         DEBUG { printf("gnutls_record_recv: %d\n", rc); fflush(stdout); }
@@ -762,15 +763,16 @@ nextinput:
       }
 # endif    /*HAVE_GNUTLS*/


-        if (!srv->tls_active)
-          {
-          printf("Failed to start TLS\n");
-          fflush(stdout);
-          }
+        if (!tls_quiet)
+          if (!srv->tls_active)
+            {
+            printf("Failed to start TLS\n");
+            fflush(stdout);
+            }


 # ifdef HAVE_OPENSSL
-    else if (ocsp_stapling)
-      printf("Succeeded in starting TLS (with OCSP)\n");
+      else if (ocsp_stapling)
+        printf("Succeeded in starting TLS (with OCSP)\n");
 # endif


 # ifdef HAVE_GNUTLS
@@ -965,6 +967,7 @@ Usage: client\n"
 #ifdef HAVE_TLS
 "\
           [-tls-on-connect]\n\
+      [-tls-quiet]\n\
           [-ocsp]\n"
 # ifdef HAVE_GNUTLS
 "\
@@ -1020,12 +1023,17 @@ while (argc >= argi + 1 && argv[argi][0] == '-')
     puts(HELP_MESSAGE);
     exit(0);
     }
+#ifdef HAVE_TLS
   if (strcmp(argv[argi], "-tls-on-connect") == 0)
     {
     tls_on_connect = 1;
     argi++;
     }
-#ifdef HAVE_TLS
+  else if (strcmp(argv[argi], "-tls-quiet") == 0)
+    {
+    tls_quiet = 1;
+    argi++;
+    }
   else if (strcmp(argv[argi], "-ocsp") == 0)
     {
     if (argc < ++argi + 1)
@@ -1045,8 +1053,7 @@ while (argc >= argi + 1 && argv[argi][0] == '-')
       }
     pri_string = argv[argi++];
     }
-#endif
-
+# endif
 #endif
   else if (argv[argi][1] == 't' && isdigit(argv[argi][2]))
     {
@@ -1346,15 +1353,16 @@ if (tls_on_connect)
   }
 #endif


-  if (!srv.tls_active)
-    printf("Failed to start TLS\n");
+  if (!tls_quiet)
+    if (!srv.tls_active)
+      printf("Failed to start TLS\n");
 #if defined(HAVE_GNUTLS) && defined(HAVE_GNUTLS_OCSP)
-  else if (  ocsp_stapling
-      && gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0)
-    printf("Failed to verify certificate status\n");
+    else if (  ocsp_stapling
+        && gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0)
+      printf("Failed to verify certificate status\n");
 #endif
-  else
-    printf("Succeeded in starting TLS%s\n", ocsp_stapling ? " (with OCSP)":"");
+    else
+      printf("Succeeded in starting TLS%s\n", ocsp_stapling ? " (with OCSP)":"");
   }
 #endif


diff --git a/test/stdout/2014 b/test/stdout/2014
index 4eddd724c..edd498aa8 100644
--- a/test/stdout/2014
+++ b/test/stdout/2014
@@ -19,7 +19,7 @@ Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-A TLS fatal alert has been received.
+gnutls_record_recv: A TLS fatal alert has been received.
Failed to start TLS
>>> nop

????554
@@ -156,7 +156,7 @@ Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-A TLS fatal alert has been received.
+gnutls_record_recv: A TLS fatal alert has been received.
Failed to start TLS
>>> nop

????554
@@ -217,15 +217,15 @@ Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.c
<<< 250-STARTTLS
??? 250
<<< 250 HELP
->>> starttls
+>>> STARTTLS
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-A TLS fatal alert has been received.
-Failed to start TLS
->>> helo test
-??? 554
+>>> NOP
+??? 554 Security failure
<<< 554 Security failure
+>>> QUIT
+>>> 220
End of script
### Revoked certificate, certificate optional at TLS time, reject at ACL time
Connecting to 127.0.0.1 port 1225 ... connected