From cf2600498039d312e564e9b58cb28691b3fd36e1 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Fri, 30 Mar 2018 15:50:35 +0100
Subject: [PATCH] Testcases for dane_require_tls_ciphers
---
 src/src/tls-gnu.c | 8 ++--
 test/confs/5821 | 61 +++++++++++++++++++++++++++++
 test/confs/5841 | 61 +++++++++++++++++++++++++++++
 test/log/5821 | 35 +++++++++++++++++
 test/log/5841 | 35 +++++++++++++++++
 test/scripts/5820-DANE-GnuTLS/5821 | 30 ++++++++++++++
 test/scripts/5840-DANE-OpenSSL/5841 | 29 ++++++++++++++
 test/stderr/5821 | 10 +++++
 test/stderr/5841 | 10 +++++
 test/stdout/5821 | 10 +++++
 test/stdout/5841 | 10 +++++
 11 files changed, 294 insertions(+), 5 deletions(-)
 create mode 100644 test/confs/5821
 create mode 100644 test/confs/5841
 create mode 100644 test/log/5821
 create mode 100644 test/log/5841
 create mode 100644 test/scripts/5820-DANE-GnuTLS/5821
 create mode 100644 test/scripts/5840-DANE-OpenSSL/5841
 create mode 100644 test/stderr/5821
 create mode 100644 test/stderr/5841
 create mode 100644 test/stdout/5821
 create mode 100644 test/stdout/5841
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 0d20fea34..d73188277 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -2271,16 +2271,14 @@ BOOL request_ocsp = require_ocsp ? TRUE
 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
 #ifdef SUPPORT_DANE
-if (ob->dane_require_tls_ciphers)
+if (tlsa_dnsa && ob->dane_require_tls_ciphers)
 { /* not using expand_check_tlsvar because not yet in state */ if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers", &cipher_list, errstr)) return DEFER;
- if (cipher_list && *cipher_list)
- cipher_list = ob->dane_require_tls_ciphers;
- else
- cipher_list = ob->tls_require_ciphers;
+ cipher_list = cipher_list && *cipher_list
+ ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
 }
 #endif
diff --git a/test/confs/5821 b/test/confs/5821
new file mode 100644
index 000000000..db2dc19d2
--- /dev/null
+++ b/test/confs/5821
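Review bot: The value expand_check() writes into cipher_list is immediately overwritten on the new assignment line by the raw option string `ob->dane_require_tls_ciphers`, so the expansion here only serves as an emptiness test and any `${...}` in dane_require_tls_ciphers is lost unless something later re-expands cipher_list (the pre-existing comment about expand_check_tlsvar hints at that, but the re-expansion is outside this hunk). If the raw string is intended because of that later expansion, a one-line comment would stop the next reader from "fixing" it: `/* expanded only to test for empty; the raw string is re-expanded later */`. If it is not intended, keep the expanded text instead: `if (!(cipher_list && *cipher_list)) cipher_list = ob->tls_require_ciphers;`. The enclosing function starts and ends outside the hunk.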
@@ -0,0 +1,61 @@
+# Exim test configuration 5821
+# DANE/OpenSSL - ciphers option
+
+SERVER=
+OPT=
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept logwrite = "rcpt ACL"
+
+log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
+
+tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem}fail}
+tls_privatekey = ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key}fail}
+
+# Permit two specific ciphers
+tls_require_ciphers = NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL
+
+# ----- Routers -----
+begin routers
+
+client:
+ driver = dnslookup
+ condition = ${if eq {SERVER}{}}
+ dnssec_request_domains = *
+ self = send
+ transport = send_to_server
+ errors_to = ""
+
+server:
+ driver = redirect
+ data = :blackhole:
+
+# ----- Transports -----
+begin transports
+
+send_to_server:
+ driver = smtp
+ allow_localhost
+ port = PORT_D
+ hosts_try_dane = *
+ tls_verify_certificates = CDIR2/ca_chain.pem
+
+ # Some commonly-available cipher, we hope
+ tls_require_ciphers = NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL
+ dane_require_tls_ciphers = OPT
+
+# ----- Retry -----
+begin retry
+* * F,5d,10s
+
+# End
diff --git a/test/confs/5841 b/test/confs/5841
new file mode 100644
index 000000000..867c1607f
--- /dev/null
+++ b/test/confs/5841
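Review bot: The second comment line of the new file, `# DANE/OpenSSL - ciphers option`, mislabels this configuration: it lives under the 5820-DANE-GnuTLS series, the script 5821 carries a `gnutls` requirement, and both tls_require_ciphers values are GnuTLS priority strings (`NONE:+VERS-TLS-ALL:...`), so the header reads as copied from 5841. Change it to `# DANE/GnuTLS - ciphers option`. The rest of the file, including the `# Permit two specific ciphers` comment, matches what is configured.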
@@ -0,0 +1,61 @@
+# Exim test configuration 5841
+# DANE/OpenSSL - ciphers option
+
+SERVER=
+OPT=
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept logwrite = "rcpt ACL"
+
+log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
+
+tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem}fail}
+tls_privatekey = ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key}fail}
+
+# Permit two specific ciphers
+tls_require_ciphers = ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-GCM-SHA384
+
+# ----- Routers -----
+begin routers
+
+client:
+ driver = dnslookup
+ condition = ${if eq {SERVER}{}}
+ dnssec_request_domains = *
+ self = send
+ transport = send_to_server
+ errors_to = ""
+
+server:
+ driver = redirect
+ data = :blackhole:
+
+# ----- Transports -----
+begin transports
+
+send_to_server:
+ driver = smtp
+ allow_localhost
+ port = PORT_D
+ hosts_try_dane = *
+ tls_verify_certificates = CDIR2/ca_chain.pem
+
+ # Some commonly-available cipher, we hope
+ tls_require_ciphers = ECDHE-RSA-AES256-GCM-SHA384
+ dane_require_tls_ciphers = OPT
+
+# ----- Retry -----
+begin retry
+* * F,5d,10s
+
+# End
diff --git a/test/log/5821 b/test/log/5821
new file mode 100644
index 000000000..e842e6dfa
--- /dev/null
+++ b/test/log/5821
@@ -0,0 +1,35 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@localhost.test.ex R=client T=send_to_server H=localhost.test.ex [::1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=dane DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@localhost.test.ex R=client T=send_to_server H=localhost.test.ex [::1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.2:RSA_CAMELLIA_256_GCM_SHA384:256 CV=dane DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=(myhost.test.ex) [::1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=(myhost.test.ex) [::1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.2:RSA_CAMELLIA_256_GCM_SHA384:256 CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: R=server
+1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
diff --git a/test/log/5841 b/test/log/5841
new file mode 100644
index 000000000..06f8d5d63
--- /dev/null
+++ b/test/log/5841
@@ -0,0 +1,35 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@localhost.test.ex R=client T=send_to_server H=localhost.test.ex [::1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@localhost.test.ex R=client T=send_to_server H=localhost.test.ex [::1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ECDHE-RSA-CAMELLIA256-SHA384:256 CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=(myhost.test.ex) [::1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=(myhost.test.ex) [::1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ECDHE-RSA-CAMELLIA256-SHA384:256 CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: R=server
+1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
diff --git a/test/scripts/5820-DANE-GnuTLS/5821 b/test/scripts/5820-DANE-GnuTLS/5821
new file mode 100644
index 000000000..f4ea30564
--- /dev/null
+++ b/test/scripts/5820-DANE-GnuTLS/5821
@@ -0,0 +1,30 @@
+# DANE client: ciphers option
+#
+gnutls
+exim -DSERVER=server -bd -oX PORT_D
+****
+
+### Baseline, dane unused
+exim -odf CALLER@localhost.test.ex
+Testing
+****
+### Baseline, dane used
+exim -odf CALLER@dane256ee.test.ex
+Testing
+****
+#
+#
+### Dane cipher specified, dane unused
+# Since dane unused, should get the same cipher as the baseline
+exim -odf -DOPT=NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL CALLER@localhost.test.ex
+Testing
+****
+### Dane cipher specified, dane used
+# Should get the cipher specified here
+exim -odf -DOPT=NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL CALLER@dane256ee.test.ex
+Testing
+****
+#
+#
+killdaemon
+no_msglog_check
diff --git a/test/scripts/5840-DANE-OpenSSL/5841 b/test/scripts/5840-DANE-OpenSSL/5841
new file mode 100644
index 000000000..52fac186a
--- /dev/null
+++ b/test/scripts/5840-DANE-OpenSSL/5841
@@ -0,0 +1,29 @@
+# DANE client: ciphers option
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+
+### Baseline, dane unused
+exim -odf CALLER@localhost.test.ex
+Testing
+****
+### Baseline, dane used
+exim -odf CALLER@dane256ee.test.ex
+Testing
+****
+#
+#
+### Dane cipher specified, dane unused
+# Since dane unused, should get the same cipher as the baseline
+exim -odf -DOPT=ECDHE-RSA-CAMELLIA256-SHA384 CALLER@localhost.test.ex
+Testing
+****
+### Dane cipher specified, dane used
+# Should get the cipher specified here
+exim -odf -DOPT=ECDHE-RSA-CAMELLIA256-SHA384 CALLER@dane256ee.test.ex
+Testing
+****
+#
+#
+killdaemon
+no_msglog_check
diff --git a/test/stderr/5821 b/test/stderr/5821
new file mode 100644
index 000000000..3f9e5f261
--- /dev/null
+++ b/test/stderr/5821
@@ -0,0 +1,10 @@
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
+
+******** SERVER ********
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
diff --git a/test/stderr/5841 b/test/stderr/5841
new file mode 100644
index 000000000..3f9e5f261
--- /dev/null
+++ b/test/stderr/5841
@@ -0,0 +1,10 @@
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
+
+******** SERVER ********
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
diff --git a/test/stdout/5821 b/test/stdout/5821
new file mode 100644
index 000000000..3f9e5f261
--- /dev/null
+++ b/test/stdout/5821
@@ -0,0 +1,10 @@
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
+
+******** SERVER ********
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
diff --git a/test/stdout/5841 b/test/stdout/5841
new file mode 100644
index 000000000..3f9e5f261
--- /dev/null
+++ b/test/stdout/5841
@@ -0,0 +1,10 @@
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
+
+******** SERVER ********
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
-- 
2.30.2