From: Jeremy Harris
Date: Sun, 10 Feb 2019 19:15:43 +0000 (+0000)
Subject: Testsuite: harden for TLS1.3 under GnuTLS
X-Git-Tag: exim-4.93-RC0~287
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/b2ba9267ab?ds=inline

Testsuite: harden for TLS1.3 under GnuTLS
---

diff --git a/test/scripts/2000-GnuTLS/2014 b/test/scripts/2000-GnuTLS/2014
index 8c23e2cdf..5bd5858db 100644
--- a/test/scripts/2000-GnuTLS/2014
+++ b/test/scripts/2000-GnuTLS/2014
@@ -134,6 +134,8 @@ ehlo rhu7.barb
 ??? 250
 starttls
 ??? 220
+mail from:
+??? 554
 ****
 ### Revoked certificate, certificate optional at TLS time, reject at ACL time
 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
diff --git a/test/src/client.c b/test/src/client.c
index c0c017dd3..64b8203bf 100644
--- a/test/src/client.c
+++ b/test/src/client.c
@@ -604,7 +604,21 @@ nextinput:
 }
 #endif
 #ifdef HAVE_GNUTLS
+ retry1:
+ DEBUG { printf("call gnutls_record_recv\n"); fflush(stdout); }
 rc = gnutls_record_recv(tls_session, CS inbuffer, bsiz - 1);
+ if (rc < 0)
+ {
+ DEBUG { printf("gnutls_record_recv: %s\n", gnutls_strerror(rc)); fflush(stdout); }
+ if (rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN)
+ goto retry1;
+ printf("%s\n", gnutls_strerror(rc));
+ srv->tls_active = FALSE;
+ *inptr = 0;
+ DEBUG { printf("go round\n"); fflush(stdout); }
+ goto nextinput;
+ }
+ DEBUG { printf("gnutls_record_recv: %d\n", rc); fflush(stdout); }
 #endif
 }
 else
@@ -619,7 +633,7 @@ nextinput:
 {
 if (errno == EINTR && sigalrm_seen && resp_optional)
 continue; /* next scriptline */
- printf("Read error %s\n", strerror(errno));
+ printf("Read error: %s\n", strerror(errno));
 exit(81);
 }
 else if (rc == 0)
@@ -702,6 +716,9 @@ nextinput:
 #ifdef HAVE_GNUTLS
 {
 int rc;
+ fd_set rfd;
+ struct timeval tv = { 0, 2000 };
+
 sigalrm_seen = FALSE;
 alarm(timeout);
 do {
@@ -711,6 +728,25 @@ nextinput:
 alarm(0);
 if (!srv->tls_active)
 printf("%s\n", gnutls_strerror(rc));
+
+ /* look for an error on the TLS conn */
+ FD_ZERO(&rfd);
+ FD_SET(srv->sock, &rfd);
+ if (select(srv->sock+1, &rfd, NULL, NULL, &tv) > 0)
+ {
+ retry2:
+ DEBUG { printf("call gnutls_record_recv\n"); fflush(stdout); }
+ rc = gnutls_record_recv(tls_session, CS inbuffer, bsiz - 1);
+ if (rc < 0)
+ {
+ DEBUG { printf("gnutls_record_recv: %s\n", gnutls_strerror(rc)); fflush(stdout); }
+ if (rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN)
+ goto retry2;
+ printf("%s\n", gnutls_strerror(rc));
+ srv->tls_active = FALSE;
+ }
+ DEBUG { printf("gnutls_record_recv: %d\n", rc); fflush(stdout); }
+ }
 }
 #endif
diff --git a/test/stdout/2014 b/test/stdout/2014
index d29a3bd86..829a86c42 100644
--- a/test/stdout/2014
+++ b/test/stdout/2014
@@ -212,7 +212,11 @@ Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.c
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-Succeeded in starting TLS
+A TLS fatal alert has been received.
+Failed to start TLS
+>>> mail from:
+??? 554
+<<< 554 Security failure
 End of script
 ### Revoked certificate, certificate optional at TLS time, reject at ACL time
 Connecting to 127.0.0.1 port 1225 ... connected
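Review bot: The retry1 loop at `if (rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN) goto retry1;` retries unconditionally, so if this read runs under the same alarm() timeout the plain-socket path honours (the next hunk tests `errno == EINTR && sigalrm_seen && resp_optional`), a SIGALRM that interrupts gnutls_record_recv is swallowed and the retried call can block with the timeout already expired. Consider letting an alarm-interrupted read fall through to the error handling instead: `if ((rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen) || rc == GNUTLS_E_AGAIN) goto retry1;`. The `%d` in the trailing DEBUG printf also assumes rc is an int while gnutls_record_recv returns ssize_t; rc's declaration is outside this hunk, so confirm the type matches or cast it. The enclosing read loop starts and ends outside the hunk.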
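Review bot: `struct timeval tv = { 0, 2000 };` is an undocumented magic value — a 2 ms select() wait that the post-handshake probe in the following hunk relies on to catch an alert the server sends only after the handshake has completed (the TLS1.3 case the subject refers to, as far as I can tell). Please say so at the declaration, e.g. `struct timeval tv = { 0, 2000 };	/* 2ms grace for a post-handshake alert */`, and note that the wait is timing-dependent: on a loaded test host an alert arriving after 2 ms is reported later by the read path rather than here, so the expected output can differ between runs. The block these declarations belong to continues past the hunk.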
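Review bot: The post-handshake probe only handles `rc < 0` from gnutls_record_recv; a positive return means application data was read into inbuffer and silently discarded, and a return of 0 (peer closed the connection) leaves srv->tls_active set although the session is gone. With SMTP the client speaks first after STARTTLS so real data is unlikely here, but a clean close should be reported, e.g. `else if (rc == 0) { printf("TLS connection closed by peer\n"); srv->tls_active = FALSE; }`. The probe also runs when the handshake itself failed (tls_active already FALSE a few lines above), which may print a second error for the same failure; guarding the select() with `if (srv->tls_active)` avoids the duplicate. The enclosing block begins before this hunk.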