From ee0140e6d0b26060972cdd3b51a650ef468d9b52 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Fri, 21 Sep 2018 13:25:58 +0100 Subject: [PATCH 1/1] Testsuite: track newer GnuTLS behaviour There are no non-debug functional changes as a result of this. (cherry picked from commits 8008accd32, 1813a1e032, 90901366ce, 316645af5a) --- src/src/tls-gnu.c | 6 +++++- src/src/transports/smtp.c | 1 + test/confs/0366 | 4 ++-- test/confs/2024 | 2 ++ test/confs/2025 | 8 ++++---- test/confs/5821 | 4 ++-- test/log/2024 | 2 +- test/log/2025 | 1 - test/runtest | 6 ++++++ test/scripts/2000-GnuTLS/2024 | 9 +++++++++ test/scripts/2000-GnuTLS/2025 | 1 + test/scripts/5820-DANE-GnuTLS/5821 | 4 ++-- test/stderr/0388 | 4 ++-- test/stderr/0476 | 2 +- test/stdout/0366 | 2 +- test/stdout/2024 | 3 ++- 16 files changed, 41 insertions(+), 18 deletions(-) diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 783cb1a99..7418a2799 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -1590,6 +1590,7 @@ uint verify; if (state->verify_requirement == VERIFY_NONE) return TRUE; +DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n"); *errstr = NULL; if ((rc = peer_status(state, errstr)) != OK) @@ -2059,7 +2060,10 @@ if (!state->tlsp->on_connect) } /* Now negotiate the TLS session. We put our own timer on it, since it seems -that the GnuTLS library doesn't. */ +that the GnuTLS library doesn't. +From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you +to set (and clear down afterwards) up a pull-timeout callback function that does +a select, so we're no better off unless avoiding signals becomes an issue. */ gnutls_transport_set_ptr2(state->session, (gnutls_transport_ptr_t)(long) fileno(smtp_in), diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index b9382ad1c..f0cff13c2 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -4598,6 +4598,7 @@ retry_non_continued: "hosts_max_try (message older than host's retry time)\n"); } } + if (running_in_test_harness) millisleep(500); /* let server debug out */ } /* End of loop for trying multiple hosts. */ /* If we failed to find a matching host in the list, for an already-open diff --git a/test/confs/0366 b/test/confs/0366 index de5d9cfc8..97d2e62a1 100644 --- a/test/confs/0366 +++ b/test/confs/0366 @@ -38,7 +38,7 @@ smtp: begin retry -^[^@]+@ten- * F,2s,1s -* * F,2s,1s +^[^@]+@ten- * F,3s,1s +* * F,3s,1s # End diff --git a/test/confs/2024 b/test/confs/2024 index 64502d56b..ea3b28206 100644 --- a/test/confs/2024 +++ b/test/confs/2024 @@ -22,4 +22,6 @@ tls_verify_hosts = HOSTIPV4 #tls_verify_certificates = TVC tls_verify_certificates = CERT +# so we can decode in wireshark +tls_require_ciphers = NORMAL:-KX-ALL:+RSA # End diff --git a/test/confs/2025 b/test/confs/2025 index feaa815a1..fdf1e0405 100644 --- a/test/confs/2025 +++ b/test/confs/2025 @@ -17,8 +17,7 @@ queue_run_in_order tls_advertise_hosts = * -tls_require_ciphers = ${if eq{$sender_host_address}{HOSTIPV4}\ - {NONE}{SECURE256}} +tls_require_ciphers = NORMAL:-VERS-ALL:+VERS-TLS1.2:-MAC-ALL:+SHA256 # Set certificate only if server @@ -45,9 +44,10 @@ send_to_server: driver = smtp allow_localhost hosts = HOSTIPV4 : 127.0.0.1 - hosts_require_tls = HOSTIPV4 port = PORT_D - + hosts_require_tls = HOSTIPV4 + tls_require_ciphers = NORMAL:-VERS-ALL:+VERS-TLS1.2:-MAC-ALL:+SHA\ + ${if eq{$host}{HOSTIPV4} {384} {256} } # ----- Retry ----- diff --git a/test/confs/5821 b/test/confs/5821 index 9b73181a9..86ddbdedd 100644 --- a/test/confs/5821 +++ b/test/confs/5821 @@ -23,7 +23,7 @@ tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem}fail} tls_privatekey = ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key}fail} # Permit two specific ciphers -tls_require_ciphers = NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL +tls_require_ciphers = NORMAL:-KX-ALL:+RSA:-CIPHER-ALL:+AES-128-CBC:+CAMELLIA-256-GCM # ----- Routers ----- begin routers @@ -52,7 +52,7 @@ send_to_server: tls_verify_certificates = CDIR2/ca_chain.pem # Some commonly-available cipher, we hope - tls_require_ciphers = NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL + tls_require_ciphers = NORMAL:-CIPHER-ALL:+AES-128-CBC dane_require_tls_ciphers = OPT # ----- Retry ----- diff --git a/test/log/2024 b/test/log/2024 index f7f6619c0..f16da49b7 100644 --- a/test/log/2024 +++ b/test/log/2024 @@ -1,6 +1,6 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid +1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate. 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (cert/key setup: cert=/non/exist key=/non/exist): Error while reading file. diff --git a/test/log/2025 b/test/log/2025 index 2b015d5cd..7faa00e61 100644 --- a/test/log/2025 +++ b/test/log/2025 @@ -1,6 +1,5 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: a TLS session is required, but an attempt to start TLS failed 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf diff --git a/test/runtest b/test/runtest index 7893dcbd7..5c6d3cb14 100755 --- a/test/runtest +++ b/test/runtest @@ -586,6 +586,7 @@ RESET_AFTER_EXTRA_LINE_READ: s/No certificate was found/The peer did not send any certificate/g; #(dodgy test?) s/\(certificate verification failed\): invalid/\(gnutls_handshake\): The peer did not send any certificate./g; s/\(gnutls_priority_set\): No or insufficient priorities were set/\(gnutls_handshake\): Could not negotiate a supported cipher suite/g; + s/\(gnutls_handshake\): \KNo supported cipher suites have been found.$/Could not negotiate a supported cipher suite./; # (this new one is a generic channel-read error, but the testsuite # only hits it in one place) @@ -1530,6 +1531,11 @@ $munges = 'gnutls_handshake' => { 'mainlog' => 's/\(gnutls_handshake\): Error in the push function/\(gnutls_handshake\): A TLS packet with unexpected length was received/' }, + 'gnutls_bad_clientcert' => + { 'mainlog' => 's/\(certificate verification failed\): certificate invalid/\(gnutls_handshake\): The peer did not send any certificate./', + 'stdout' => 's/Succeeded in starting TLS/A TLS fatal alert has been received.\nFailed to start TLS' + }, + 'optional_events' => { 'stdout' => '/event_action =/' }, diff --git a/test/scripts/2000-GnuTLS/2024 b/test/scripts/2000-GnuTLS/2024 index 7e16b7b05..a2ad20446 100644 --- a/test/scripts/2000-GnuTLS/2024 +++ b/test/scripts/2000-GnuTLS/2024 @@ -2,6 +2,13 @@ gnutls exim -DSERVER=server -bd -oX PORT_D **** +# +# +# This one has a cert, but the server isn't expecting it. +# Earlier versions of GnuTLS would send it despite the server giving a list of acceptable ones, and the +# server would fail its verification. Now the client correctly doesn't send it; the mainlog reflects +# this, the custom munge patches output with old GnuTLS (I hope; not actually tested). +munge gnutls_bad_clientcert client-gnutls HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2 ??? 220 ehlo rhu.barb @@ -15,6 +22,8 @@ starttls ??? 220 **** killdaemon +# +# Here the server really doesn't have a cert exim -DSERVER=server -DCERT=/non/exist -bd -oX PORT_D **** client-gnutls HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2 diff --git a/test/scripts/2000-GnuTLS/2025 b/test/scripts/2000-GnuTLS/2025 index 38ffccf84..892651e68 100644 --- a/test/scripts/2000-GnuTLS/2025 +++ b/test/scripts/2000-GnuTLS/2025 @@ -7,5 +7,6 @@ Testing **** exim -qf **** +millisleep 500 killdaemon no_msglog_check diff --git a/test/scripts/5820-DANE-GnuTLS/5821 b/test/scripts/5820-DANE-GnuTLS/5821 index f4ea30564..7f83a401b 100644 --- a/test/scripts/5820-DANE-GnuTLS/5821 +++ b/test/scripts/5820-DANE-GnuTLS/5821 @@ -16,12 +16,12 @@ Testing # ### Dane cipher specified, dane unused # Since dane unused, should get the same cipher as the baseline -exim -odf -DOPT=NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL CALLER@localhost.test.ex +exim -odf -DOPT=NORMAL:-CIPHER-ALL:+CAMELLIA-256-GCM CALLER@localhost.test.ex Testing **** ### Dane cipher specified, dane used # Should get the cipher specified here -exim -odf -DOPT=NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL CALLER@dane256ee.test.ex +exim -odf -DOPT=NORMAL:-CIPHER-ALL:+CAMELLIA-256-GCM CALLER@dane256ee.test.ex Testing **** # diff --git a/test/stderr/0388 b/test/stderr/0388 index d5e31159a..733a87ea4 100644 --- a/test/stderr/0388 +++ b/test/stderr/0388 @@ -104,6 +104,7 @@ set_process_info: pppp delivering 10HmaX-0005vi-00: just tried 127.0.0.1 [127.0. address match test: subject=*@127.0.0.1 pattern=* 127.0.0.1 in "*"? yes (matched "*") *@127.0.0.1 in "*"? yes (matched "*") +set_process_info: pppp delivering 10HmaX-0005vi-00: waiting for a remote delivery subprocess to finish checking status of V4NET.0.0.0 locking TESTSUITE/spool/db/retry.lockfile locked TESTSUITE/spool/db/retry.lockfile @@ -120,12 +121,11 @@ set_process_info: pppp delivering 10HmaX-0005vi-00: just tried V4NET.0.0.0 [V4NE added retry item for T:V4NET.0.0.0:V4NET.0.0.0:1224: errno=dd more_errno=dd,A flags=2 set_process_info: pppp delivering 10HmaX-0005vi-00 (just run smtp for x@y in subprocess) search_tidyup called -set_process_info: pppp delivering 10HmaX-0005vi-00: waiting for a remote delivery subprocess to finish -set_process_info: pppp delivering 10HmaX-0005vi-00 reading retry information for T:V4NET.0.0.0:V4NET.0.0.0:1224 from subprocess added retry item reading retry information for R:x@y from subprocess added retry item +set_process_info: pppp delivering 10HmaX-0005vi-00 LOG: MAIN == x@y R=r1 T=smtp defer (dd): Network Error H=127.0.0.1 [127.0.0.1] changed uid/gid: post-delivery tidying diff --git a/test/stderr/0476 b/test/stderr/0476 index 49b49fc5a..41f1c5dfb 100644 --- a/test/stderr/0476 +++ b/test/stderr/0476 @@ -83,12 +83,12 @@ LOG: MAIN H=127.0.0.1 [127.0.0.1] Connection refused set_process_info: pppp delivering 10HmaZ-0005vi-00: just tried 127.0.0.1 [127.0.0.1] for CALLER@the.local.host.name: result DEFER added retry item for T:127.0.0.1:127.0.0.1:1224: errno=dd more_errno=dd,A flags=2 +set_process_info: pppp delivering 10HmaZ-0005vi-00: waiting for a remote delivery subprocess to finish all IP addresses skipped or deferred at least one address updating wait-t1 database added to list for 127.0.0.1 Leaving t1 transport set_process_info: pppp delivering 10HmaZ-0005vi-00 (just run t1 for CALLER@the.local.host.name in subprocess) -set_process_info: pppp delivering 10HmaZ-0005vi-00: waiting for a remote delivery subprocess to finish set_process_info: pppp delivering 10HmaZ-0005vi-00 LOG: MAIN == CALLER@the.local.host.name R=r1 T=t1 defer (dd): Connection refused diff --git a/test/stdout/0366 b/test/stdout/0366 index e72a08edb..40ae88f99 100644 --- a/test/stdout/0366 +++ b/test/stdout/0366 @@ -1 +1 @@ -Retry rule: ^[^@]+@ten- * F,2s,1s; +Retry rule: ^[^@]+@ten- * F,3s,1s; diff --git a/test/stdout/2024 b/test/stdout/2024 index ecedd4193..b25f1c8f4 100644 --- a/test/stdout/2024 +++ b/test/stdout/2024 @@ -20,7 +20,8 @@ Key file = aux-fixed/cert2 ??? 220 <<< 220 TLS go ahead Attempting to start TLS -Succeeded in starting TLS +A TLS fatal alert has been received. +Failed to start TLS End of script Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected Certificate file = aux-fixed/cert2 -- 2.30.2