From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Sun, 7 May 2017 16:40:41 +0000 (+0100)
Subject: Testsuite: add DANE cases for DNS secure no-TLSA lookups
X-Git-Tag: exim-4_90_RC1~161
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/ce889807c90746896f1310e9f4957215f46f7836

Testsuite: add DANE cases for DNS secure no-TLSA lookups
---

diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex
index 50bd6b073..f7c9e313b 100644
--- a/test/dnszones-src/db.test.ex
+++ b/test/dnszones-src/db.test.ex
@@ -461,7 +461,8 @@ DNSSEC danelazy2            A       127.0.0.1
 DNSSEC _1225._tcp.danelazy  CNAME   test.again.dns.
 DNSSEC _1225._tcp.danelazy2 CNAME   test.again.dns.
 
-; hosts with no TLSA
+; hosts with no TLSA (just missing here, hence the TLSA NXDMAIN is _insecure_; a broken dane config)
+; 1 for dane-required, 2 for merely requested
 DNSSEC dane.no.1            A       HOSTIPV4
 DNSSEC dane.no.2            A       127.0.0.1
 
@@ -469,6 +470,15 @@ DNSSEC dane.no.2            A       127.0.0.1
 DNSSEC danebroken1          A       127.0.0.1
 _1225._tcp.danebroken1      CNAME   test.fail.dns.
 
+; a good dns config saying there is no dane support, by securely returning NOXDOMAIN for TLSA lookups
+; 3 for dane-required, 4 for merely requested
+; the TLSA data here is dummy; ignored
+DNSSEC dane.no.3            A       HOSTIPV4
+DNSSEC dane.no.4            A       127.0.0.1
+
+DNSSEC NXDOMAIN _1225._tcp.dane.no.3 TLSA 2 0 1 eec923139018c540a344c5191660ecba1ac3708525a98bfc338e17f31d3fa741
+DNSSEC NXDOMAIN _1225._tcp.dane.no.4 TLSA 2 0 1 eec923139018c540a344c5191660ecba1ac3708525a98bfc338e17f31d3fa741
+
 ; ------- Testing delays ------------
 
 DELAY=500 delay500   A HOSTIPV4
diff --git a/test/log/5840 b/test/log/5840
index d02a4c7d7..b2f949009 100644
--- a/test/log/5840
+++ b/test/log/5840
@@ -27,6 +27,8 @@
 1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.1.test.ex
 1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.2.test.ex
 1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken1.test.ex
+1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.3.test.ex
+1999-03-02 09:44:33 10HmbM-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.4.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy.test.ex [ip4.ip4.ip4.ip4]: DANE error: tlsa lookup DEFER
 1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER
@@ -38,6 +40,13 @@
 1999-03-02 09:44:33 10HmbJ-0005vi-00 == CALLER@dane.no.2.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER
 1999-03-02 09:44:33 10HmbK-0005vi-00 H=danebroken1.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER
 1999-03-02 09:44:33 10HmbK-0005vi-00 == CALLER@danebroken1.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER
+1999-03-02 09:44:33 10HmbL-0005vi-00 ** CALLER@dane.no.3.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL
+1999-03-02 09:44:33 10HmbL-0005vi-00 CALLER@dane.no.3.test.ex: error ignored
+1999-03-02 09:44:33 10HmbL-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbM-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmbM-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="dane.no.4.test.ex"
+1999-03-02 09:44:33 10HmbM-0005vi-00 => CALLER@dane.no.4.test.ex R=client T=send_to_server H=dane.no.4.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbN-0005vi-00"
+1999-03-02 09:44:33 10HmbM-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
 ******** SERVER ********
@@ -61,3 +70,6 @@
 1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: <CALLER@thishost.test.ex> R=server
 1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmbN-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbM-0005vi-00@myhost.test.ex for CALLER@dane.no.4.test.ex
+1999-03-02 09:44:33 10HmbN-0005vi-00 => :blackhole: <CALLER@dane.no.4.test.ex> R=server
+1999-03-02 09:44:33 10HmbN-0005vi-00 Completed
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
index fdff36119..142a25ad4 100644
--- a/test/scripts/5840-DANE-OpenSSL/5840
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -73,13 +73,14 @@ Testing
 exim -odq CALLER@danebroken1.test.ex
 Testing
 ****
-# ### A server securely saying "no TLSA records here", dane required (should fail)
-# exim -odq CALLER@dane.no.3.test.ex
-# Testing
-# ### A server securely saying "no TLSA records here", dane requested only (should transmit)
-# exim -odq CALLER@dane.no.4.test.ex
-# Testing
-# ****
+### A server securely saying "no TLSA records here", dane required (should fail)
+exim -odq CALLER@dane.no.3.test.ex
+Testing
+****
+### A server securely saying "no TLSA records here", dane requested only (should transmit)
+exim -odq CALLER@dane.no.4.test.ex
+Testing
+****
 exim -qf
 ****
 killdaemon
diff --git a/test/src/fakens.c b/test/src/fakens.c
index 34f5ea670..583b01282 100644
--- a/test/src/fakens.c
+++ b/test/src/fakens.c
@@ -53,11 +53,15 @@ HOST_NOT_FOUND.
 Any DNS record line in a zone file can be prefixed with "DELAY=" and
 a number of milliseconds (followed by one space).
 
-Any DNS record line in a zone file can be prefixed with "DNSSEC ";
+Any DNS record line can be prefixed with "DNSSEC ";
 if all the records found by a lookup are marked
 as such then the response will have the "AD" bit set.
 
-Any DNS record line in a zone file can be prefixed with "AA "
+Any DNS record line can be prefixed with "NXDOMAIN ";
+The record will be ignored (but the prefix set still applied);
+This lets us return a DNSSEC NXDOMAIN.
+
+Any DNS record line can be prefixed with "AA "
 if all the records found by a lookup are marked
 as such then the response will have the "AA" bit set.
 
@@ -354,6 +358,7 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL)
   int qtlen = qtypelen;
   BOOL rr_sec = FALSE;
   BOOL rr_aa = FALSE;
+  BOOL rr_ignore = FALSE;
   int delay = 0;
   uint ttl = DEFAULT_TTL;
 
@@ -379,6 +384,11 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL)
       rr_sec = TRUE;
       p += 7;
       }
+    if (Ustrncmp(p, US"NXDOMAIN ", 9) == 0)     /* ignore record content */
+      {
+      rr_ignore = TRUE;
+      p += 9;
+      }
     else if (Ustrncmp(p, US"AA ", 3) == 0)      /* tagged as authoritative */
       {
       rr_aa = TRUE;
@@ -464,6 +474,8 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL)
   if (aa && !rr_aa)
     *aa = FALSE;                        /* cancel AA return */
 
+  if (rr_ignore) continue;
+
   yield = 0;
   *countptr = *countptr + 1;
 
diff --git a/test/stderr/5840 b/test/stderr/5840
index 75f938ab4..5ccf7cda0 100644
--- a/test/stderr/5840
+++ b/test/stderr/5840
@@ -73,6 +73,8 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1]
 ### A server lacking a TLSA, dane required (should fail)
 ### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC)
 ### A server where the A is dnssec and the TLSA _fails_
+### A server securely saying "no TLSA records here", dane required (should fail)
+### A server securely saying "no TLSA records here", dane requested only (should transmit)
 
 ******** SERVER ********
 ### TLSA (3 1 1)
@@ -85,3 +87,5 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1]
 ### A server lacking a TLSA, dane required (should fail)
 ### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC)
 ### A server where the A is dnssec and the TLSA _fails_
+### A server securely saying "no TLSA records here", dane required (should fail)
+### A server securely saying "no TLSA records here", dane requested only (should transmit)
diff --git a/test/stdout/5840 b/test/stdout/5840
index 5071e7de5..32425d2e2 100644
--- a/test/stdout/5840
+++ b/test/stdout/5840
@@ -17,6 +17,8 @@
 ### A server lacking a TLSA, dane required (should fail)
 ### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC)
 ### A server where the A is dnssec and the TLSA _fails_
+### A server securely saying "no TLSA records here", dane required (should fail)
+### A server securely saying "no TLSA records here", dane requested only (should transmit)
 
 ******** SERVER ********
 ### TLSA (3 1 1)
@@ -29,3 +31,5 @@
 ### A server lacking a TLSA, dane required (should fail)
 ### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC)
 ### A server where the A is dnssec and the TLSA _fails_
+### A server securely saying "no TLSA records here", dane required (should fail)
+### A server securely saying "no TLSA records here", dane requested only (should transmit)