From 5b195d6b9592fcef09b0b3b31390e73226deffc9 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 14 Nov 2019 15:59:42 +0000 Subject: [PATCH] TLS: variables $tls_(in,out)_tlsver --- doc/doc-docbook/spec.xfpt | 13 +++++++++++++ doc/doc-txt/NewStuff | 3 +++ src/src/deliver.c | 8 ++++++-- src/src/expand.c | 2 ++ src/src/globals.h | 1 + src/src/smtp_in.c | 2 +- src/src/spool_in.c | 19 ++++++++++--------- src/src/spool_out.c | 1 + src/src/structs.h | 1 + src/src/tls-gnu.c | 4 ++++ src/src/tls-openssl.c | 28 ++++++++++++++++++++++------ src/src/transports/smtp.c | 3 +++ test/confs/2002 | 3 +++ test/confs/2102 | 3 +++ test/confs/5710 | 2 ++ test/confs/5720 | 2 ++ test/log/2002 | 3 +++ test/log/2102 | 3 +++ test/log/2102.openssl_1_1_1 | 3 +++ test/log/5710 | 8 ++++++++ test/log/5720 | 8 ++++++++ test/runtest | 15 ++++++++++++--- 22 files changed, 114 insertions(+), 21 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 19c15c211..f0b7a626d 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -13513,6 +13513,19 @@ the transport. .vindex &$tls_out_tlsa_usage$& Bitfield of TLSA record types found. See section &<>&. +.new +.vitem &$tls_in_ver$& +.vindex "&$tls_in_ver$&" +When a message is received from a remote host over an encrypted SMTP connection +this variable is set to the protocol version, eg &'TLS1.2'&. + +.vitem &$tls_out_ver$& +.vindex "&$tls_out_ver$&" +When a message is being delivered to a remote host over an encrypted SMTP connection +this variable is set to the protocol version. +.wen + + .vitem &$tod_bsdinbox$& .vindex "&$tod_bsdinbox$&" The time of day and the date, in the format required for BSD-style mailbox diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index fd1ab8b3d..fbd1a5e4e 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -12,6 +12,9 @@ Version 4.next 1. EXPERIMENTAL_SRS_NATIVE optional build feature. See the experimental.spec file. + 2. Variables $tls_in_ver, $tls_out_ver. + + Version 4.93 ------------ diff --git a/src/src/deliver.c b/src/src/deliver.c index b89671c57..58874add4 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -1610,6 +1610,7 @@ if (result == OK) tls_out.peercert = addr->peercert; addr->peercert = NULL; + tls_out.ver = addr->tlsver; tls_out.cipher = addr->cipher; tls_out.peerdn = addr->peerdn; tls_out.ocsp = addr->ocsp; @@ -1623,6 +1624,7 @@ if (result == OK) #ifndef DISABLE_TLS tls_free_cert(&tls_out.ourcert); tls_free_cert(&tls_out.peercert); + tls_out.ver = NULL; tls_out.cipher = NULL; tls_out.peerdn = NULL; tls_out.ocsp = OCSP_NOT_REQ; @@ -3480,11 +3482,13 @@ while (!done) switch (*subid) { case '1': - addr->cipher = NULL; - addr->peerdn = NULL; + addr->tlsver = addr->cipher = addr->peerdn = NULL; if (*ptr) + { addr->cipher = string_copy(ptr); + addr->tlsver = string_copyn(ptr, Ustrchr(ptr, ':') - ptr); + } while (*ptr++); if (*ptr) addr->peerdn = string_copy(ptr); diff --git a/src/src/expand.c b/src/src/expand.c index 1cd08df89..366cd737a 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -776,6 +776,7 @@ static var_entry var_table[] = { #ifndef DISABLE_TLS { "tls_in_sni", vtype_stringptr, &tls_in.sni }, #endif + { "tls_in_ver", vtype_stringptr, &tls_in.ver }, { "tls_out_bits", vtype_int, &tls_out.bits }, { "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified }, { "tls_out_cipher", vtype_stringptr, &tls_out.cipher }, @@ -796,6 +797,7 @@ static var_entry var_table[] = { #ifdef SUPPORT_DANE { "tls_out_tlsa_usage", vtype_int, &tls_out.tlsa_usage }, #endif + { "tls_out_ver", vtype_stringptr, &tls_out.ver }, { "tls_peerdn", vtype_stringptr, &tls_in.peerdn }, /* mind the alphabetical order! */ #ifndef DISABLE_TLS diff --git a/src/src/globals.h b/src/src/globals.h index ee89fd1f5..1754d3e89 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -89,6 +89,7 @@ typedef struct { #endif uschar *cipher; /* Cipher used */ const uschar *cipher_stdname; /* Cipher used, RFC version */ + const uschar *ver; /* TLS version */ BOOL on_connect; /* For older MTAs that don't STARTTLS */ uschar *on_connect_ports; /* Ports always tls-on-connect */ diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index bd29d2c1f..ddf98ec61 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -2466,7 +2466,7 @@ if (!host_checking && !f.sender_host_notsocket) authenticated_by = NULL; #ifndef DISABLE_TLS -tls_in.cipher = tls_in.peerdn = NULL; +tls_in.ver = tls_in.cipher = tls_in.peerdn = NULL; tls_in.ourcert = tls_in.peercert = NULL; tls_in.sni = NULL; tls_in.ocsp = OCSP_NOT_REQ; diff --git a/src/src/spool_in.c b/src/src/spool_in.c index f393d4d3e..cbd2751ac 100644 --- a/src/src/spool_in.c +++ b/src/src/spool_in.c @@ -278,7 +278,7 @@ tls_in.certificate_verified = FALSE; # ifdef SUPPORT_DANE tls_in.dane_verified = FALSE; # endif -tls_in.cipher = NULL; +tls_in.ver = tls_in.cipher = NULL; # ifndef COMPILE_UTILITY /* tls support fns not built in */ tls_free_cert(&tls_in.ourcert); tls_free_cert(&tls_in.peercert); @@ -665,24 +665,25 @@ for (;;) if (Ustrncmp(q, "certificate_verified", 20) == 0) tls_in.certificate_verified = TRUE; else if (Ustrncmp(q, "cipher", 6) == 0) - tls_in.cipher = string_copy_taint(var + 11, tainted); + tls_in.cipher = string_copy_taint(q+7, tainted); # ifndef COMPILE_UTILITY /* tls support fns not built in */ else if (Ustrncmp(q, "ourcert", 7) == 0) - (void) tls_import_cert(var + 12, &tls_in.ourcert); + (void) tls_import_cert(q+8, &tls_in.ourcert); else if (Ustrncmp(q, "peercert", 8) == 0) - (void) tls_import_cert(var + 13, &tls_in.peercert); + (void) tls_import_cert(q+9, &tls_in.peercert); # endif else if (Ustrncmp(q, "peerdn", 6) == 0) - tls_in.peerdn = string_unprinting(string_copy_taint(var + 11, tainted)); + tls_in.peerdn = string_unprinting(string_copy_taint(q+7, tainted)); else if (Ustrncmp(q, "sni", 3) == 0) - tls_in.sni = string_unprinting(string_copy_taint(var + 8, tainted)); + tls_in.sni = string_unprinting(string_copy_taint(q+4, tainted)); else if (Ustrncmp(q, "ocsp", 4) == 0) - tls_in.ocsp = var[9] - '0'; + tls_in.ocsp = q[5] - '0'; # ifdef EXPERIMENTAL_TLS_RESUME else if (Ustrncmp(q, "resumption", 10) == 0) - tls_in.resumption = var[15] - 'A'; + tls_in.resumption = q[11] - 'A'; # endif - + else if (Ustrncmp(q, "ver", 3) == 0) + tls_in.ver = string_copy_taint(q+4, tainted); } break; #endif diff --git a/src/src/spool_out.c b/src/src/spool_out.c index acc6c7b5f..c766b147d 100644 --- a/src/src/spool_out.c +++ b/src/src/spool_out.c @@ -263,6 +263,7 @@ if (tls_in.ocsp) fprintf(fp, "-tls_ocsp %d\n", tls_in.ocsp); # ifdef EXPERIMENTAL_TLS_RESUME fprintf(fp, "-tls_resumption %c\n", 'A' + tls_in.resumption); # endif +if (tls_in.ver) spool_var_write(fp, US"tls_ver", tls_in.ver); #endif #ifdef SUPPORT_I18N diff --git a/src/src/structs.h b/src/src/structs.h index 6662e6458..1d867c5b6 100644 --- a/src/src/structs.h +++ b/src/src/structs.h @@ -570,6 +570,7 @@ typedef struct address_item { uschar *shadow_message; /* info about shadow transporting */ #ifndef DISABLE_TLS + const uschar *tlsver; /* version used for transport */ uschar *cipher; /* Cipher used for transport */ void *ourcert; /* Certificate offered to peer, binary */ void *peercert; /* Certificate from peer, binary */ diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 6cd9bf75b..eaec862aa 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -468,6 +468,7 @@ Sets: tls_bits strength indicator tls_certificate_verified bool indicator tls_channelbinding_b64 for some SASL mechanisms + tls_ver a string tls_cipher a string tls_peercert pointer to library internal tls_peerdn a string @@ -1754,6 +1755,7 @@ old_pool = store_pool; /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */ for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1); + tlsp->ver = string_copyn(g->s, g->ptr); g = string_catn(g, US":", 1); if (*s) s++; /* now on _ between groups */ while ((c = *s)) @@ -1778,6 +1780,8 @@ old_pool = store_pool; releases did return "TLS 1.0"; play it safe, just in case. */ for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-'; + tlsp->ver = string_copyn(state->ciphersuite, + Ustrchr(state->ciphersuite, ':') - state->ciphersuite); #endif /* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */ diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index c5e1abfe9..7a82e1d55 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -2212,14 +2212,13 @@ Returns: pointer to allocated string in perm-pool */ static uschar * -construct_cipher_name(SSL * ssl, int * bits) +construct_cipher_name(SSL * ssl, const uschar * ver, int * bits) { int pool = store_pool; /* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't yet reflect that. It should be a safe change anyway, even 0.9.8 versions have the accessor functions use const in the prototype. */ -const uschar * ver = CUS SSL_get_version(ssl); const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl); uschar * s; @@ -2250,6 +2249,21 @@ return cipher_stdname(id >> 8, id & 0xff); } +static const uschar * +tlsver_name(SSL * ssl) +{ +uschar * s, * p; +int pool = store_pool; + +store_pool = POOL_PERM; +s = string_copy(US SSL_get_version(ssl)); +store_pool = pool; +if ((p = Ustrchr(s, 'v'))) /* TLSv1.2 -> TLS1.2 */ + for (;; p++) if (!(*p = p[1])) break; +return CUS s; +} + + static void peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz) { @@ -2688,12 +2702,13 @@ if (SSL_session_reused(server_ssl)) } #endif -/* TLS has been set up. Adjust the input functions to read via TLS, -and initialize things. */ +/* TLS has been set up. Record data for the connection, +adjust the input functions to read via TLS, and initialize things. */ peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn)); -tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits); +tls_in.ver = tlsver_name(server_ssl); +tls_in.cipher = construct_cipher_name(server_ssl, tls_in.ver, &tls_in.bits); tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl); DEBUG(D_tls) @@ -3278,7 +3293,8 @@ tls_client_resume_posthandshake(exim_client_ctx, tlsp); peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn)); -tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits); +tlsp->ver = tlsver_name(exim_client_ctx->ssl); +tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, tlsp->ver, &tlsp->bits); tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl); /* Record the certificate we presented */ diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 383d202b9..dee546ce1 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -2084,6 +2084,7 @@ tls_out.ocsp = OCSP_NOT_REQ; #ifdef EXPERIMENTAL_TLS_RESUME tls_out.resumption = 0; #endif +tls_out.ver = NULL; /* Flip the legacy TLS-related variables over to the outbound set in case they're used in the context of the transport. Don't bother resetting @@ -2604,6 +2605,7 @@ if ( smtp_peer_options & OPTION_TLS addr->peercert = tls_out.peercert; addr->peerdn = tls_out.peerdn; addr->ocsp = tls_out.ocsp; + addr->tlsver = tls_out.ver; } } } @@ -4560,6 +4562,7 @@ for (address_item * addr = addrlist; addr; addr = addr->next) addr->peercert = NULL; addr->peerdn = NULL; addr->ocsp = OCSP_NOT_REQ; + addr->tlsver = NULL; #endif #ifdef EXPERIMENTAL_DSN_INFO addr->smtp_greeting = NULL; diff --git a/test/confs/2002 b/test/confs/2002 index dfeb172b1..6475fb7fb 100644 --- a/test/confs/2002 +++ b/test/confs/2002 @@ -62,6 +62,9 @@ check_recipient: logwrite = sha1 fingerprint ${sha1:$tls_in_peercert} logwrite = sha256 fingerprint ${sha256:$tls_in_peercert} logwrite = der_b64 ${base64:$tls_in_peercert} + logwrite = cipher: $tls_in_cipher + logwrite = cipher_ $tls_in_cipher_std + logwrite = ver: $tls_in_ver # ----- Routers ----- diff --git a/test/confs/2102 b/test/confs/2102 index 99f659fd2..5e156d486 100644 --- a/test/confs/2102 +++ b/test/confs/2102 @@ -72,6 +72,9 @@ check_recipient: logwrite = sha1 fingerprint ${sha1:$tls_in_peercert} logwrite = sha256 fingerprint ${sha256:$tls_in_peercert} logwrite = der_b64 ${base64:$tls_in_peercert} + logwrite = cipher: $tls_in_cipher + logwrite = cipher_ $tls_in_cipher_std + logwrite = ver: $tls_in_ver # ----- Routers ----- diff --git a/test/confs/5710 b/test/confs/5710 index 6ab64f4ec..85293a566 100644 --- a/test/confs/5710 +++ b/test/confs/5710 @@ -71,6 +71,8 @@ logger: message = ${acl {ev_tls}} accept condition = ${if eq {smtp:ehlo}{$event_name}} logwrite = $tls_out_cipher smtp:ehlo $event_data + logwrite = cipher_ $tls_out_cipher_std + logwrite = ver: $tls_out_ver accept # ----- Routers ----- diff --git a/test/confs/5720 b/test/confs/5720 index 030434973..906266290 100644 --- a/test/confs/5720 +++ b/test/confs/5720 @@ -71,6 +71,8 @@ logger: message = ${acl {ev_tls}} accept condition = ${if eq {smtp:ehlo}{$event_name}} logwrite = $tls_out_cipher smtp:ehlo $event_data + logwrite = cipher_ $tls_out_cipher_std + logwrite = ver: $tls_out_ver accept # ----- Routers ----- diff --git a/test/log/2002 b/test/log/2002 index 825c0dfd0..36ea6c173 100644 --- a/test/log/2002 +++ b/test/log/2002 @@ -41,6 +41,9 @@ 1999-03-02 09:44:33 sha1 fingerprint E75D537E478758010505D4F339B00DFD73728088 1999-03-02 09:44:33 sha256 fingerprint E251FA7D0372CB784294CF92B243DCE53FDDABD9F58A1B89226586C07C82CAC6 1999-03-02 09:44:33 der_b64 MIIDuDCCAqCgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIxMTAxMTI0MDA0WhcNMzcxMjAxMTI0MDA0WjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA52Rfiv2Igy0NiaKN5gc0VPLbEoHngkdJWv3wEORp+iFl6skQRbsCylT8djJ2pvHstFpnzSodF3Wwjj2/EDuj3iKBzN9HeXJOvJz8j9Si1xkgCxJeUjPGgYcvKdxybaZAOpi9l3xwPCCEXN4JBq/WaQQ9+eP1PczeMNfvFtXma+VcHXG743ttPOv7eSMr0JxQl3zjQvYGOhFP/KAw6jh/N6YPqii9kV0cC/ubeVzpqJ5/+hndx5YrmAu39N5qzwWujhDPkFNSgCJUhfkEiMaQiPxFxDTbUzWnQ5jpAQ5El4WJVkGWkqxose1bOjSSNzFPJt59YtxxJC3IWN3UtGODTwIDAQABo4HmMIHjMA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTgYDVR0jBEcwRYANQUFidHdDeGNYZ2IwUaExpC8wLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMTDGNsaWNhIENBIHJzYYIBQjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzApBgNVHREEIjAgghNzZXJ2ZXIyLmV4YW1wbGUuY29tggkqLnRlc3QuZXgwDQYJKoZIhvcNAQELBQADggEBALHOkZkvHLpNm0QSof09vmmdNFE6/+0TCIoPExeqqSOsy4NsF+Ha46WttjJRSVtbhRxF8jxEU7btPiFgQUaOcJZTwQPDhmQSOPNO8GS46oJ57aQ7U7O+X3M1sVS5Pa2IzE6vrJSh349/CNbTA8WPQdWLlxVJhJXAcZNtaEu6lCsZuDSMTpAsW5I4+snyrm3yvP5t0eD28K5LgCKePX962drkAOP6XGQ51VnbMQ7b1TSdQedtYKIpR3VKUvG5Ky/+0c+Rmwfi2aQ8oXXwekzJyS5jvovdVVsdhO68It+Rz/zursN5Pn+Gj1YuQNUs2nDrGHN+VIIFpgWUjLZO4bcJctY= +1999-03-02 09:44:33 cipher: TLS1.x:ke-RSA-AES256-SHAnnn:xxx +1999-03-02 09:44:33 cipher_ TLS1.x:ke_RSA_WITH_ci_mac +1999-03-02 09:44:33 ver: TLS1.x 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server2.example.com" S=sss 1999-03-02 09:44:33 Our cert SN: 1999-03-02 09:44:33 Peer did not present a cert diff --git a/test/log/2102 b/test/log/2102 index 215bbe243..bddb8e973 100644 --- a/test/log/2102 +++ b/test/log/2102 @@ -39,6 +39,9 @@ 1999-03-02 09:44:33 sha1 fingerprint E75D537E478758010505D4F339B00DFD73728088 1999-03-02 09:44:33 sha256 fingerprint E251FA7D0372CB784294CF92B243DCE53FDDABD9F58A1B89226586C07C82CAC6 1999-03-02 09:44:33 der_b64 MIIDuDCCAqCgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIxMTAxMTI0MDA0WhcNMzcxMjAxMTI0MDA0WjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA52Rfiv2Igy0NiaKN5gc0VPLbEoHngkdJWv3wEORp+iFl6skQRbsCylT8djJ2pvHstFpnzSodF3Wwjj2/EDuj3iKBzN9HeXJOvJz8j9Si1xkgCxJeUjPGgYcvKdxybaZAOpi9l3xwPCCEXN4JBq/WaQQ9+eP1PczeMNfvFtXma+VcHXG743ttPOv7eSMr0JxQl3zjQvYGOhFP/KAw6jh/N6YPqii9kV0cC/ubeVzpqJ5/+hndx5YrmAu39N5qzwWujhDPkFNSgCJUhfkEiMaQiPxFxDTbUzWnQ5jpAQ5El4WJVkGWkqxose1bOjSSNzFPJt59YtxxJC3IWN3UtGODTwIDAQABo4HmMIHjMA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTgYDVR0jBEcwRYANQUFidHdDeGNYZ2IwUaExpC8wLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMTDGNsaWNhIENBIHJzYYIBQjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzApBgNVHREEIjAgghNzZXJ2ZXIyLmV4YW1wbGUuY29tggkqLnRlc3QuZXgwDQYJKoZIhvcNAQELBQADggEBALHOkZkvHLpNm0QSof09vmmdNFE6/+0TCIoPExeqqSOsy4NsF+Ha46WttjJRSVtbhRxF8jxEU7btPiFgQUaOcJZTwQPDhmQSOPNO8GS46oJ57aQ7U7O+X3M1sVS5Pa2IzE6vrJSh349/CNbTA8WPQdWLlxVJhJXAcZNtaEu6lCsZuDSMTpAsW5I4+snyrm3yvP5t0eD28K5LgCKePX962drkAOP6XGQ51VnbMQ7b1TSdQedtYKIpR3VKUvG5Ky/+0c+Rmwfi2aQ8oXXwekzJyS5jvovdVVsdhO68It+Rz/zursN5Pn+Gj1YuQNUs2nDrGHN+VIIFpgWUjLZO4bcJctY= +1999-03-02 09:44:33 cipher: TLS1.x:ke-RSA-AES256-SHAnnn:xxx +1999-03-02 09:44:33 cipher_ TLS1.x:ke_RSA_WITH_ci_mac +1999-03-02 09:44:33 ver: TLSv1.x 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server2.example.com" S=sss 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 Our cert SN: diff --git a/test/log/2102.openssl_1_1_1 b/test/log/2102.openssl_1_1_1 index 3e2e65f7a..951caaf1a 100644 --- a/test/log/2102.openssl_1_1_1 +++ b/test/log/2102.openssl_1_1_1 @@ -39,6 +39,9 @@ 1999-03-02 09:44:33 sha1 fingerprint E75D537E478758010505D4F339B00DFD73728088 1999-03-02 09:44:33 sha256 fingerprint E251FA7D0372CB784294CF92B243DCE53FDDABD9F58A1B89226586C07C82CAC6 1999-03-02 09:44:33 der_b64 MIIDuDCCAqCgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIxMTAxMTI0MDA0WhcNMzcxMjAxMTI0MDA0WjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA52Rfiv2Igy0NiaKN5gc0VPLbEoHngkdJWv3wEORp+iFl6skQRbsCylT8djJ2pvHstFpnzSodF3Wwjj2/EDuj3iKBzN9HeXJOvJz8j9Si1xkgCxJeUjPGgYcvKdxybaZAOpi9l3xwPCCEXN4JBq/WaQQ9+eP1PczeMNfvFtXma+VcHXG743ttPOv7eSMr0JxQl3zjQvYGOhFP/KAw6jh/N6YPqii9kV0cC/ubeVzpqJ5/+hndx5YrmAu39N5qzwWujhDPkFNSgCJUhfkEiMaQiPxFxDTbUzWnQ5jpAQ5El4WJVkGWkqxose1bOjSSNzFPJt59YtxxJC3IWN3UtGODTwIDAQABo4HmMIHjMA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTgYDVR0jBEcwRYANQUFidHdDeGNYZ2IwUaExpC8wLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMTDGNsaWNhIENBIHJzYYIBQjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzApBgNVHREEIjAgghNzZXJ2ZXIyLmV4YW1wbGUuY29tggkqLnRlc3QuZXgwDQYJKoZIhvcNAQELBQADggEBALHOkZkvHLpNm0QSof09vmmdNFE6/+0TCIoPExeqqSOsy4NsF+Ha46WttjJRSVtbhRxF8jxEU7btPiFgQUaOcJZTwQPDhmQSOPNO8GS46oJ57aQ7U7O+X3M1sVS5Pa2IzE6vrJSh349/CNbTA8WPQdWLlxVJhJXAcZNtaEu6lCsZuDSMTpAsW5I4+snyrm3yvP5t0eD28K5LgCKePX962drkAOP6XGQ51VnbMQ7b1TSdQedtYKIpR3VKUvG5Ky/+0c+Rmwfi2aQ8oXXwekzJyS5jvovdVVsdhO68It+Rz/zursN5Pn+Gj1YuQNUs2nDrGHN+VIIFpgWUjLZO4bcJctY= +1999-03-02 09:44:33 cipher: TLS1.x:ke-RSA-AES256-SHAnnn:xxx +1999-03-02 09:44:33 cipher_ TLS1.x:ke_RSA_WITH_ci_mac +1999-03-02 09:44:33 ver: TLS1.x 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server2.example.com" S=sss 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 Our cert SN: diff --git a/test/log/5710 b/test/log/5710 index 72bba14e6..4a3a18095 100644 --- a/test/log/5710 +++ b/test/log/5710 @@ -2,6 +2,8 @@ 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaX-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP +1999-03-02 09:44:33 10HmaX-0005vi-00 cipher_ +1999-03-02 09:44:33 10HmaX-0005vi-00 ver: 1999-03-02 09:44:33 10HmaX-0005vi-00 tls:cert depth=0 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:host:defer bad 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented @@ -19,14 +21,20 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 CRU 1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session: (certificate verification failed): certificate invalid: delivering unencrypted to H=127.0.0.1 [127.0.0.1] (not in hosts_require_tls) 1999-03-02 09:44:33 10HmaX-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP +1999-03-02 09:44:33 10HmaX-0005vi-00 cipher_ TLS1.x:ke_RSA_WITH_ci_mac +1999-03-02 09:44:33 10HmaX-0005vi-00 ver: 1999-03-02 09:44:33 10HmaX-0005vi-00 => bad@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:delivery bad 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented 1999-03-02 09:44:33 10HmaX-0005vi-00 No Peer cert 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 10HmaY-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP +1999-03-02 09:44:33 10HmaY-0005vi-00 cipher_ +1999-03-02 09:44:33 10HmaY-0005vi-00 ver: 1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=0 1999-03-02 09:44:33 10HmaY-0005vi-00 TLS1.x:ke-RSA-AES256-SHAnnn:xxx smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250 HELP +1999-03-02 09:44:33 10HmaY-0005vi-00 cipher_ TLS1.x:ke_RSA_WITH_ci_mac +1999-03-02 09:44:33 10HmaY-0005vi-00 ver: TLS1.x 1999-03-02 09:44:33 10HmaY-0005vi-00 => good@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 msg:delivery good 1999-03-02 09:44:33 10HmaY-0005vi-00 Our cert SN: CN=server2.example.com diff --git a/test/log/5720 b/test/log/5720 index 066f7fb35..4f6254f62 100644 --- a/test/log/5720 +++ b/test/log/5720 @@ -2,6 +2,8 @@ 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaX-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP +1999-03-02 09:44:33 10HmaX-0005vi-00 cipher_ +1999-03-02 09:44:33 10HmaX-0005vi-00 ver: 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=2 error=self signed certificate in certificate chain cert=/O=example.com/CN=clica CA rsa 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:host:defer bad 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented @@ -20,16 +22,22 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 (no CRU) 1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session: (SSL_connect): error: <> 1999-03-02 09:44:33 10HmaX-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP +1999-03-02 09:44:33 10HmaX-0005vi-00 cipher_ +1999-03-02 09:44:33 10HmaX-0005vi-00 ver: 1999-03-02 09:44:33 10HmaX-0005vi-00 => bad@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:delivery bad 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented 1999-03-02 09:44:33 10HmaX-0005vi-00 No Peer cert 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 10HmaY-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP +1999-03-02 09:44:33 10HmaY-0005vi-00 cipher_ +1999-03-02 09:44:33 10HmaY-0005vi-00 ver: 1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=2 1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=1 1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=0 1999-03-02 09:44:33 10HmaY-0005vi-00 TLS1.x:ke-RSA-AES256-SHAnnn:xxx smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250 HELP +1999-03-02 09:44:33 10HmaY-0005vi-00 cipher_ TLS1.x:ke_RSA_WITH_ci_mac +1999-03-02 09:44:33 10HmaY-0005vi-00 ver: TLS1.x 1999-03-02 09:44:33 10HmaY-0005vi-00 => good@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 msg:delivery good 1999-03-02 09:44:33 10HmaY-0005vi-00 Our cert SN: CN=server2.example.com diff --git a/test/runtest b/test/runtest index 6e9255b33..3fd125cc0 100755 --- a/test/runtest +++ b/test/runtest @@ -552,15 +552,19 @@ RESET_AFTER_EXTRA_LINE_READ: # the older (comment) style, keeping only the Auth element # (discarding kex, cipher, mac). For TLS 1.3 there is no kex # element (and no _WITH); insert a spurious "RSA". + # Also in $tls_X_cipher_std reporting. s/^\s+by .+ with .+ \K tls TLS_.*?([^_]+)_WITH.+$/(TLS1.x:ke-$1-AES256-SHAnnn:xxx)/; s/^\s+by .+ with .+ \K tls TLS_.+$/(TLS1.x:ke-RSA-AES256-SHAnnn:xxx)/; + s/ cipher_ TLS_.*?([^_]+)_WITH.+$/ cipher_ TLS1.x:ke_$1_WITH_ci_mac/; + s/ cipher_ TLS_.*$/ cipher_ TLS1.x:ke_RSA_WITH_ci_mac/; + # Test machines might have various different TLS library versions supporting # different protocols; can't rely upon TLS 1.2's AES256-GCM-SHA384, so we # treat the standard algorithms the same. # - # TLSversion : KeyExchange? - Authentication/Signature - C_iph_er - MAC : ??? + # TLSversion : KeyExchange? - Authentication/Signature - C_iph_er - MAC : bits # # So far, have seen: # TLSv1:AES128-GCM-SHA256:128 @@ -578,7 +582,7 @@ RESET_AFTER_EXTRA_LINE_READ: # # Retain the authentication algorith field as we want to test that. - s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1(\.[123])?:/$1TLS1.x:/xg; + s/( (?: (?:\b|\s) [\(=] ) | \s )TLS1(\.[123])?:/$1TLS1.x:/xg; s/(?PSK)_)?((?RSA|ECDSA)_)? (SECP(256|521)R1|X25519))?__?)? # key-exchange ((?RSA|ECDSA)((_PSS_RSAE)?_SHA(512|256))?__?)? # authentication + (?WITH_)? # stdname-with AES_(256|128)_(CBC|GCM) # cipher (__?AEAD)? # pseudo-MAC (__?SHA(1|256|384))? # PRF @@ -644,10 +649,14 @@ RESET_AFTER_EXTRA_LINE_READ: /"TLS1.x:ke-" . (defined($+{psk}) ? $+{psk} : "") . (defined($+{auth}) ? $+{auth} : "") + . (defined($+{with}) ? $+{with} : "") . "-AES256-SHAnnn:xxx"/gex; s/TLS1.2:RSA__CAMELLIA_256_GCM(_SHA384)?:256/TLS1.2:RSA_CAMELLIA_256_GCM-SHAnnn:256/g; s/\b(ECDHE-(RSA|ECDSA)-AES256-SHA|DHE-RSA-AES256-SHA256)\b/ke-$2-AES256-SHAnnn/g; + # Separate reporting of TLS version + s/ver: TLS1(\.[123])?$/ver: TLS1.x/; + # GnuTLS library error message changes s/(No certificate was found|Certificate is required)/The peer did not send any certificate/g; #(dodgy test?) s/\(certificate verification failed\): invalid/\(gnutls_handshake\): The peer did not send any certificate./g; -- 2.30.2