X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/42427533718a750c21e3bc03df94c6f93581eaec..eb58ddf5828a161dec94f131ff2c5c926c868354:/test/runtest?ds=sidebyside diff --git a/test/runtest b/test/runtest index b6babd06a..d6bc7b03d 100755 --- a/test/runtest +++ b/test/runtest @@ -490,9 +490,14 @@ RESET_AFTER_EXTRA_LINE_READ: s/^\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d(\s[+-]\d\d\d\d)?\s/1999-03-02 09:44:33 /gx; s/^\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\.\d{3}(\s[+-]\d\d\d\d)?\s/2017-07-30 18:51:05.712 /gx; s/^Logwrite\s"\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d/Logwrite "1999-03-02 09:44:33/gx; + # Date/time in syslog test + s/^SYSLOG:\s\'\K\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\s/2017-07-30 18:51:05 /gx; + s/^SYSLOG:\s\'\K\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\.\d{3}\s/2017-07-30 18:51:05.712 /gx; + s/^SYSLOG:\s\'\K\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\s[+-]\d\d\d\d\s/2017-07-30 18:51:05 +9999 /gx; + s/^SYSLOG:\s\'\K\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\.\d{3}\s[+-]\d\d\d\d\s/2017-07-30 18:51:05.712 +9999 /gx; - s/((D|[QD]T)=)\d+s/$1qqs/g; - s/((D|[QD]T)=)\d\.\d{3}s/$1q.qqqs/g; + s/((D|[RQD]T)=)\d+s/$1qqs/g; + s/((D|[RQD]T)=)\d\.\d{3}s/$1q.qqqs/g; # Date/time in message separators s/(?:[A-Z][a-z]{2}\s){2}\d\d\s\d\d:\d\d:\d\d\s\d\d\d\d @@ -533,28 +538,47 @@ RESET_AFTER_EXTRA_LINE_READ: # Test machines might have various different TLS library versions supporting # different protocols; can't rely upon TLS 1.2's AES256-GCM-SHA384, so we # treat the standard algorithms the same. + # + # TLSversion : KeyExchange? - Authentication/Signature - C_iph_er - MAC : ??? + # # So far, have seen: # TLSv1:AES128-GCM-SHA256:128 # TLSv1:AES256-SHA:256 # TLSv1.1:AES256-SHA:256 # TLSv1.2:AES256-GCM-SHA384:256 # TLSv1.2:DHE-RSA-AES256-SHA:256 + # TLSv1.3:TLS_AES_256_GCM_SHA384:256 # TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128 # We also need to handle the ciphersuite without the TLS part present, for # client-ssl's output. We also see some older forced ciphersuites, but # negotiating TLS 1.2 instead of 1.0. # Mail headers (...), log-lines X=..., client-ssl output ... # (and \b doesn't match between ' ' and '(' ) + # + # Retain the authentication algorith field as we want to test that. - s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.[12]:/$1TLSv1:/xg; - s/\bAES128-GCM-SHA256:128\b/AES256-SHA:256/g; - s/\bAES128-GCM-SHA256\b/AES256-SHA/g; - s/\bAES256-GCM-SHA384\b/AES256-SHA/g; - s/\bDHE-RSA-AES256-SHA\b/AES256-SHA/g; + s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.[123]:/$1TLSv1:/xg; + s/((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA)(?!:)/ke-$3-AES256-SHA/g; + s/((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA):(128|256)/ke-$3-AES256-SHA:xxx/g; + + # OpenSSL TLSv1.3 - unsure what to do about the authentication-variant testcases now, + # as it seems the protocol no longer supports a user choice. Replace the "TLS" field with "RSA". + # Also insert a key-exchange field for back-compat, even though 1.3 doesn't do that. + # + # TLSversion : "TLS" - C_iph_er - MAC : ??? + # + s/:TLS_AES(_256)_GCM_SHA384:256/:ke-RSA-AES256-SHA:xxx/g; # LibreSSL + # TLSv1:AES256-GCM-SHA384:256 # TLSv1:ECDHE-RSA-CHACHA20-POLY1305:256 - s/\bECDHE-RSA-CHACHA20-POLY1305\b/AES256-SHA/g; + # + # ECDHE-RSA-CHACHA20-POLY1305 + # AES256-GCM-SHA384 + + s/(?; + ; + } } # ======== All files other than stderr ======== @@ -1505,6 +1576,11 @@ $munges = 'gnutls_handshake' => { 'mainlog' => 's/\(gnutls_handshake\): Error in the push function/\(gnutls_handshake\): A TLS packet with unexpected length was received/' }, + 'gnutls_bad_clientcert' => + { 'mainlog' => 's/\(certificate verification failed\): certificate invalid/\(gnutls_handshake\): The peer did not send any certificate./', + 'stdout' => 's/Succeeded in starting TLS/A TLS fatal alert has been received.\nFailed to start TLS' + }, + 'optional_events' => { 'stdout' => '/event_action =/' }, @@ -1524,7 +1600,15 @@ $munges = { 'stderr' => 's/(1[5-9]|23\d)\d\d msec/ssss msec/' }, 'tls_anycipher' => - { 'mainlog' => 's/ X=TLS\S+ / X=TLS_proto_and_cipher /' }, + { 'mainlog' => 's! X=TLS\S+ ! X=TLS_proto_and_cipher !; + s! DN="C=! DN="/C=!; + s! DN="[^,"]*\K,!/!; + s! DN="[^,"]*\K,!/!; + s! DN="[^,"]*\K,!/!; + ', + 'rejectlog' => 's/ X=TLS\S+ / X=TLS_proto_and_cipher /', + 'mail' => 's/ \(TLS[^)]*\)/ (TLS_proto_and_cipher)/', + }, 'debug_pid' => { 'stderr' => 's/(^\s{0,4}|(?<=Process )|(?<=child ))\d{1,5}/ppppp/g' }, @@ -1535,12 +1619,14 @@ $munges = 'optional_config' => { 'stdout' => '/^( - dkim_(canon|domain|private_key|selector|sign_headers|strict|hash|identity) + dkim_(canon|domain|private_key|selector|sign_headers|strict|hash|identity|timestamps) |gnutls_require_(kx|mac|protocols) |hosts_(requ(est|ire)|try)_(dane|ocsp) + |dane_require_tls_ciphers |hosts_(avoid|nopass|noproxy|require|verify_avoid)_tls |socks_proxy |tls_[^ ]* + |utf8_downconvert )($|[ ]=)/x' }, @@ -2420,6 +2506,7 @@ elsif (/^background$/) $_ =