From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Wed, 16 Dec 2015 12:04:41 +0000 (+0000)
Subject: Testsuite: GnuTLS version changes
X-Git-Tag: exim-4_87_RC2~7
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/fc4fcc349cf1c46dadd343b9f9fae8c232e6257e

Testsuite: GnuTLS version changes
---

diff --git a/test/confs/2002 b/test/confs/2002
index b154c82d3..7299122e8 100644
--- a/test/confs/2002
+++ b/test/confs/2002
@@ -40,7 +40,8 @@ check_recipient:
                       DES-CBC3-SHA : \
                       DHE_RSA_AES_256_CBC_SHA1 : \
                       DHE_RSA_3DES_EDE_CBC_SHA : \
-                      RSA_AES_256_CBC_SHA1
+                      RSA_AES_256_CBC_SHA1 : \
+		      ECDHE_RSA_AES_256_GCM_SHA384
   warn    logwrite =  ${if def:tls_in_ourcert \
 		{Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
 		{We did not present a cert}}
diff --git a/test/confs/2019 b/test/confs/2019
index f3ddd4591..798eb73d7 100644
--- a/test/confs/2019
+++ b/test/confs/2019
@@ -39,7 +39,8 @@ check_recipient:
                       DES-CBC3-SHA:\
                       DHE_RSA_AES_256_CBC_SHA1:\
                       DHE_RSA_3DES_EDE_CBC_SHA:\
-                      RSA_AES_256_CBC_SHA1
+                      RSA_AES_256_CBC_SHA1 :\
+		      ECDHE_RSA_AES_256_GCM_SHA384
   accept
 
 
diff --git a/test/runtest b/test/runtest
index f4e6bc7a5..724ccd9ed 100755
--- a/test/runtest
+++ b/test/runtest
@@ -859,6 +859,9 @@ RESET_AFTER_EXTRA_LINE_READ:
     next if /^SSL info: SSLv3 read server key exchange A/;
     next if /SSL verify error: depth=0 error=certificate not trusted/;
     s/SSL3_READ_BYTES/ssl3_read_bytes/;
+
+    # gnutls version variances
+    next if /^Error in the pull function./;
     }
 
   # ======== stderr ========
diff --git a/test/src/client.c b/test/src/client.c
index ac9a965e0..2bd640205 100644
--- a/test/src/client.c
+++ b/test/src/client.c
@@ -93,15 +93,16 @@ latter needs a whole pile of tables. */
 
 /* Local static variables for GNUTLS */
 
-static gnutls_dh_params dh_params = NULL;
+static gnutls_dh_params_t dh_params = NULL;
 
 static gnutls_certificate_credentials_t x509_cred = NULL;
-static gnutls_session tls_session = NULL;
+static gnutls_session_t tls_session = NULL;
 
 static int  ssl_session_timeout = 200;
 
 /* Priorities for TLS algorithms to use. */
 
+#if GNUTLS_VERSION_NUMBER < 0x030400
 static const int protocol_priority[16] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
 
 static const int kx_priority[16] = {
@@ -123,7 +124,7 @@ static const int mac_priority[16] = {
   0 };
 
 static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 };
-static const int cert_type_priority[16] = { GNUTLS_CRT_X509, 0 };
+#endif
 
 #endif	/*HAVE_GNUTLS*/
 
@@ -356,7 +357,7 @@ init_dh(void)
 {
 int fd;
 int ret;
-gnutls_datum m;
+gnutls_datum_t m;
 uschar filename[200];
 struct stat statbuf;
 
@@ -449,13 +450,14 @@ if (ocsp_stapling)
 *        Initialize a single GNUTLS session      *
 *************************************************/
 
-static gnutls_session
+static gnutls_session_t
 tls_session_init(void)
 {
-gnutls_session session;
+gnutls_session_t session;
 
 gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_NO_EXTENSIONS);
 
+#if GNUTLS_VERSION_NUMBER < 0x030400
 gnutls_cipher_set_priority(session, default_cipher_priority);
 gnutls_compression_set_priority(session, comp_priority);
 gnutls_kx_set_priority(session, kx_priority);
@@ -463,6 +465,10 @@ gnutls_protocol_set_priority(session, protocol_priority);
 gnutls_mac_set_priority(session, mac_priority);
 
 gnutls_cred_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+#else
+gnutls_set_default_priority(session);
+gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+#endif
 
 gnutls_dh_set_prime_bits(session, DH_BITS);
 gnutls_db_set_cache_expiration(session, ssl_session_timeout);
@@ -794,7 +800,7 @@ tls_session = tls_session_init();
 if (ocsp_stapling)
   gnutls_ocsp_status_request_enable_client(tls_session, NULL, 0, NULL);
 #endif
-gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr)sock);
+gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr_t)(intptr_t)sock);
 
 /* When the server asks for a certificate and the client does not have one,
 there is a SIGPIPE error in the gnutls_handshake() function for some reason
@@ -815,24 +821,32 @@ if (tls_on_connect)
   {
   printf("Attempting to start TLS\n");
 
-  #ifdef HAVE_OPENSSL
+#ifdef HAVE_OPENSSL
   tls_active = tls_start(sock, &ssl, ctx);
-  #endif
+#endif
 
-  #ifdef HAVE_GNUTLS
+#ifdef HAVE_GNUTLS
+  {
+  int rc;
   sigalrm_seen = FALSE;
   alarm(timeout);
-  tls_active = gnutls_handshake(tls_session) >= 0;
+  do {
+    rc = gnutls_handshake(tls_session);
+  } while (rc < 0 && gnutls_error_is_fatal(rc) == 0);
+  tls_active = rc >= 0;
   alarm(0);
-  #endif
+
+  if (!tls_active) printf("%s\n", gnutls_strerror(rc));
+  }
+#endif
 
   if (!tls_active)
     printf("Failed to start TLS\n");
-  #if defined(HAVE_GNUTLS) && defined(HAVE_OCSP)
+#if defined(HAVE_GNUTLS) && defined(HAVE_OCSP)
   else if (  ocsp_stapling
 	  && gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0)
     printf("Failed to verify certificate status\n");
-  #endif
+#endif
   else
     printf("Succeeded in starting TLS\n");
   }
@@ -919,10 +933,18 @@ int rc;
         #endif
 
         #ifdef HAVE_GNUTLS
-        sigalrm_seen = FALSE;
-        alarm(timeout);
-        tls_active = gnutls_handshake(tls_session) >= 0;
-        alarm(0);
+	  {
+	  int rc;
+	  sigalrm_seen = FALSE;
+	  alarm(timeout);
+	  do {
+	    rc = gnutls_handshake(tls_session);
+	  } while (rc < 0 && gnutls_error_is_fatal(rc) == 0);
+	  tls_active = rc >= 0;
+	  alarm(0);
+
+	  if (!tls_active) printf("%s\n", gnutls_strerror(rc));
+	  }
         #endif
 
         if (!tls_active)