Docs: more on $authenticated_fail_id
[users/heiko/exim.git] / test / runtest
index c32222dc010f4f83452a0eea0d664e78aa46a7ee..62d49adf3fd5249e969dfc7b3bcac3719e9187d5 100755 (executable)
@@ -460,7 +460,9 @@ RESET_AFTER_EXTRA_LINE_READ:
     {
     my($date1,$date2,$date3,$expired) = ($1,$2,$3,$4);
     $expired = '' if !defined $expired;
-    my($increment) = date_seconds($date3) - date_seconds($date2);
+
+    # Round the time-difference up to nearest even value
+    my($increment) = ((date_seconds($date3) - date_seconds($date2) + 1) >> 1) << 1;
 
     # We used to use globally unique replacement values, but timing
     # differences make this impossible. Just show the increment on the
@@ -474,6 +476,9 @@ RESET_AFTER_EXTRA_LINE_READ:
   # more_errno values in exim_dumpdb output which are times
   s/T:(\S+)\s-22\s(\S+)\s/T:$1 -22 xxxx /;
 
+  # port numbers in dumpdb output
+  s/T:([a-z.]+(:[0-9.]+)?):$parm_port_n /T:$1:PORT_N /;
+
 
   # ======== Dates and times ========
 
@@ -490,6 +495,11 @@ RESET_AFTER_EXTRA_LINE_READ:
   s/^\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d(\s[+-]\d\d\d\d)?\s/1999-03-02 09:44:33 /gx;
   s/^\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\.\d{3}(\s[+-]\d\d\d\d)?\s/2017-07-30 18:51:05.712 /gx;
   s/^Logwrite\s"\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d/Logwrite "1999-03-02 09:44:33/gx;
+  # Date/time in syslog test
+  s/^SYSLOG:\s\'\K\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\s/2017-07-30 18:51:05 /gx;
+  s/^SYSLOG:\s\'\K\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\.\d{3}\s/2017-07-30 18:51:05.712 /gx;
+  s/^SYSLOG:\s\'\K\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\s[+-]\d\d\d\d\s/2017-07-30 18:51:05 +9999 /gx;
+  s/^SYSLOG:\s\'\K\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\.\d{3}\s[+-]\d\d\d\d\s/2017-07-30 18:51:05.712 +9999 /gx;
 
   s/((D|[RQD]T)=)\d+s/$1qqs/g;
   s/((D|[RQD]T)=)\d\.\d{3}s/$1q.qqqs/g;
@@ -533,12 +543,16 @@ RESET_AFTER_EXTRA_LINE_READ:
   # Test machines might have various different TLS library versions supporting
   # different protocols; can't rely upon TLS 1.2's AES256-GCM-SHA384, so we
   # treat the standard algorithms the same.
+  #
+  # TLSversion : KeyExchange? - Authentication/Signature - C_iph_er - MAC : ???
+  #
   # So far, have seen:
   #   TLSv1:AES128-GCM-SHA256:128
   #   TLSv1:AES256-SHA:256
   #   TLSv1.1:AES256-SHA:256
   #   TLSv1.2:AES256-GCM-SHA384:256
   #   TLSv1.2:DHE-RSA-AES256-SHA:256
+  #   TLSv1.3:TLS_AES_256_GCM_SHA384:256
   #   TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
   # We also need to handle the ciphersuite without the TLS part present, for
   # client-ssl's output.  We also see some older forced ciphersuites, but
@@ -548,10 +562,19 @@ RESET_AFTER_EXTRA_LINE_READ:
   #
   # Retain the authentication algorith field as we want to test that.
 
-  s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.[12]:/$1TLSv1:/xg;
+  s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.[123]:/$1TLSv1:/xg;
   s/((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA)(?!:)/ke-$3-AES256-SHA/g;
   s/((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA):(128|256)/ke-$3-AES256-SHA:xxx/g;
 
+  # OpenSSL TLSv1.3 - unsure what to do about the authentication-variant testcases now,
+  # as it seems the protocol no longer supports a user choice.  Replace the "TLS" field with "RSA".
+  # Also insert a key-exchange field for back-compat, even though 1.3 doesn't do that.
+  #
+  # TLSversion : "TLS" - C_iph_er - MAC : ???
+  #
+  s/TLS_AES(_256)?_GCM_SHA384(?!:)/ke-RSA-AES256-SHA/g;
+  s/:TLS_AES(_256)?_GCM_SHA384:256/:ke-RSA-AES256-SHA:xxx/g;
+
   # LibreSSL
   # TLSv1:AES256-GCM-SHA384:256
   # TLSv1:ECDHE-RSA-CHACHA20-POLY1305:256
@@ -586,6 +609,7 @@ RESET_AFTER_EXTRA_LINE_READ:
   s/No certificate was found/The peer did not send any certificate/g;
 #(dodgy test?)  s/\(certificate verification failed\): invalid/\(gnutls_handshake\): The peer did not send any certificate./g;
   s/\(gnutls_priority_set\): No or insufficient priorities were set/\(gnutls_handshake\): Could not negotiate a supported cipher suite/g;
+  s/\(gnutls_handshake\): \KNo supported cipher suites have been found.$/Could not negotiate a supported cipher suite./;
 
   # (this new one is a generic channel-read error, but the testsuite
   # only hits it in one place)
@@ -675,8 +699,12 @@ RESET_AFTER_EXTRA_LINE_READ:
   s"test-mail/temp\.\d+\."test-mail/temp.pppp.";
 
   # Optional pid in log lines
-  s/^(\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d)(\s[+-]\d\d\d\d|)(\s\[\d+\])/
-    "$1$2 [" . new_value($3, "%s", \$next_pid) . "]"/gxe;
+  s/^(\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d)(\.\d{3}|)(\s[+-]\d{4}|)(\s\[\d+\])/
+    "$1$2$3 [" . new_value($4, "%s", \$next_pid) . "]"/gxe;
+
+  # Optional pid in syslog test lines
+  s/^(SYSLOG:\s\'([-0-9]{10}\s[:.0-9]{8,12}\s([-+]\d{4}\s)?|))(\[\d+\] )/
+    "$1\[" . new_value($4, "%s", \$next_pid) . "]"/gxe;
 
   # Detect a daemon stderr line with a pid and save the pid for subsequent
   # removal from following lines.
@@ -912,6 +940,7 @@ RESET_AFTER_EXTRA_LINE_READ:
     s/SSL3_READ_BYTES/ssl3_read_bytes/i;
     s/CONNECT_CR_FINISHED/ssl3_read_bytes/i;
     s/^\d+:error:\d+(?:E\d+)?(:SSL routines:ssl3_read_bytes:[^:]+:).*(:SSL alert number \d\d)$/pppp:error:dddddddd$1\[...\]$2/;
+    s/^error:[^:]*:(SSL routines:ssl3_read_bytes:(tls|ssl)v\d+ alert)/error:dddddddd:$1/;
 
     # gnutls version variances
     next if /^Error in the pull function./;
@@ -926,6 +955,9 @@ RESET_AFTER_EXTRA_LINE_READ:
     # Postgres server takes varible time to shut down; lives in various places
     s/^waiting for server to shut down\.+ done$/waiting for server to shut down.... done/;
     s/^\/.*postgres /POSTGRES /;
+
+    # ARC is not always supported by the build
+    next if /^arc_sign =/;
     }
 
   # ======== stderr ========
@@ -1006,7 +1038,7 @@ RESET_AFTER_EXTRA_LINE_READ:
     next if /name=localhost address=::1/;
 
     # drop pdkim debugging header
-    next if /^PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<+$/;
+    next if /^PDKIM( <<<<<<<<<<<<<<<<<<<<<<<<<<<<<+|: no signatures)$/;
 
     # Various other IPv6 lines must be omitted too
 
@@ -1049,12 +1081,14 @@ RESET_AFTER_EXTRA_LINE_READ:
     # Some DBM libraries seem to make DBM files on opening with O_RDWR without
     # O_CREAT; other's don't. In the latter case there is some debugging output
     # which is not present in the former. Skip the relevant lines (there are
-    # two of them).
+    # three of them).
 
-    if (/TESTSUITE\/spool\/db\/\S+ appears not to exist: trying to create/)
+    if (/returned from EXIM_DBOPEN: \(nil\)/)
       {
-      $_ = <IN>;
-      next;
+      $_ .= <IN>;
+      s?\Q$parm_cwd\E?TESTSUITE?g;
+      if (/TESTSUITE\/spool\/db\/\S+ appears not to exist: trying to create/)
+       { $_ = <IN>; next; }
       }
 
     # Some tests turn on +expand debugging to check on expansions.
@@ -1084,6 +1118,15 @@ RESET_AFTER_EXTRA_LINE_READ:
     # Experimental_International
     next if / in smtputf8_advertise_hosts\? no \(option unset\)/;
 
+    # Experimental_REQUIRETLS
+    next if / in tls_advertise_requiretls?\? no \(end of list\)/;
+
+    # TCP Fast Open
+    next if /^(ppppp )?setsockopt FASTOPEN: Network Error/;
+
+    # Experimental_PIPE_CONNECT
+    next if / in (pipelining_connect_advertise_hosts|hosts_pipe_connect)?\? no /;
+
     # Environment cleaning
     next if /\w+ in keep_environment\? (yes|no)/;
 
@@ -1123,18 +1166,21 @@ RESET_AFTER_EXTRA_LINE_READ:
       s/Address family not supported by protocol family/Network Error/;
       s/Network is unreachable/Network Error/;
       }
-
     next if /^(ppppp )?setsockopt FASTOPEN: Protocol not available$/;
+    s/^(Connecting to .* \.\.\. sending) \d+ (nonTFO early-data)$/$1 dd $2/;
 
     # Specific pointer values reported for DB operations change from run to run
-    s/^(returned from EXIM_DBOPEN: )(0x)?[0-9a-f]+/${1}0xAAAAAAAA/;
-    s/^(EXIM_DBCLOSE.)(0x)?[0-9a-f]+/${1}0xAAAAAAAA/;
+    s/^(\s*returned from EXIM_DBOPEN: )(0x)?[0-9a-f]+/${1}0xAAAAAAAA/;
+    s/^(\s*EXIM_DBCLOSE.)(0x)?[0-9a-f]+/${1}0xAAAAAAAA/;
 
     # Platform-dependent output during MySQL startup
     next if /PerconaFT file system space/;
     next if /^Waiting for MySQL server to answer/;
     next if /mysqladmin: CREATE DATABASE failed; .* database exists/;
 
+    # Not all builds include DMARC
+    next if /^DMARC: no (dmarc_tld_file|sender_host_address)$/ ;
+
     # When Exim is checking the size of directories for maildir, it uses
     # the check_dir_size() function to scan directories. Of course, the order
     # of the files that are obtained using readdir() varies from system to
@@ -1195,6 +1241,27 @@ RESET_AFTER_EXTRA_LINE_READ:
     s/(TLS error on connection [^:]*: error:)[0-9A-F]{8}(:system library):(?:fopen|func\(4095\)):(No such file or directory)$/$1xxxxxxxx$2:fopen:$3/;
     s/(DANE attempt failed.*error:)[0-9A-F]{8}(:SSL routines:)(ssl3_get_server_certificate|tls_process_server_certificate|CONNECT_CR_CERT)(?=:certificate verify failed$)/$1xxxxxxxx$2ssl3_get_server_certificate/;
     s/(DKIM: validation error: )error:[0-9A-F]{8}:rsa routines:(?:(?i)int_rsa_verify|CRYPTO_internal):(?:bad signature|algorithm mismatch)$/$1Public key signature verification has failed./;
+
+    # DKIM timestamps
+    if ( /(DKIM: d=.*) t=([0-9]*) x=([0-9]*) / )
+      {
+      my ($prefix, $t_diff) = ($1, $3 - $2);
+      s/DKIM: d=.* t=[0-9]* x=[0-9]* /${prefix} t=T x=T+${t_diff} /;
+      }
+    }
+
+  # ======== mail ========
+
+  elsif ($is_mail)
+    {
+    # DKIM timestamps, and signatures depending thereon
+    if ( /^(\s+)t=([0-9]*); x=([0-9]*); b=[A-Za-z0-9+\/]+$/ )
+      {
+      my ($indent, $t_diff) = ($1, $3 - $2);
+      s/.*/${indent}t=T; x=T+${t_diff}; b=bbbb;/;
+      <IN>;
+      <IN>;
+      }
     }
 
   # ======== All files other than stderr ========
@@ -1524,6 +1591,11 @@ $munges =
     'gnutls_handshake' =>
     { 'mainlog' => 's/\(gnutls_handshake\): Error in the push function/\(gnutls_handshake\): A TLS packet with unexpected length was received/' },
 
+    'gnutls_bad_clientcert' =>
+    { 'mainlog' => 's/\(certificate verification failed\): certificate invalid/\(gnutls_handshake\): The peer did not send any certificate./',
+      'stdout'  => 's/Succeeded in starting TLS/A TLS fatal alert has been received.\nFailed to start TLS'
+    },
+
     'optional_events' =>
     { 'stdout' => '/event_action =/' },
 
@@ -1543,7 +1615,15 @@ $munges =
     { 'stderr' => 's/(1[5-9]|23\d)\d\d msec/ssss msec/' },
 
     'tls_anycipher' =>
-    { 'mainlog' => 's/ X=TLS\S+ / X=TLS_proto_and_cipher /' },
+    { 'mainlog'   => 's! X=TLS\S+ ! X=TLS_proto_and_cipher !;
+                     s! DN="C=! DN="/C=!;
+                     s! DN="[^,"]*\K,!/!;
+                     s! DN="[^,"]*\K,!/!;
+                     s! DN="[^,"]*\K,!/!;
+                    ',
+      'rejectlog' => 's/ X=TLS\S+ / X=TLS_proto_and_cipher /',
+      'mail'      => 's/ \(TLS[^)]*\)/ (TLS_proto_and_cipher)/',
+    },
 
     'debug_pid' =>
     { 'stderr' => 's/(^\s{0,4}|(?<=Process )|(?<=child ))\d{1,5}/ppppp/g' },
@@ -1554,12 +1634,16 @@ $munges =
 
     'optional_config' =>
     { 'stdout' => '/^(
-                  dkim_(canon|domain|private_key|selector|sign_headers|strict|hash|identity)
+                  dkim_(canon|domain|private_key|selector|sign_headers|strict|hash|identity|timestamps)
                   |gnutls_require_(kx|mac|protocols)
+                 |hosts_pipe_connect
                   |hosts_(requ(est|ire)|try)_(dane|ocsp)
+                 |dane_require_tls_ciphers
                   |hosts_(avoid|nopass|noproxy|require|verify_avoid)_tls
+                  |pipelining_connect_advertise_hosts
                   |socks_proxy
                   |tls_[^ ]*
+                 |utf8_downconvert
                   )($|[ ]=)/x'
     },
 
@@ -2582,7 +2666,7 @@ GetOptions(
     'valgrind' => \$valgrind,
     'range=s{2}'       => \my @range_wanted,
     'test=i@'          => \my @tests_wanted,
-    'flavor|flavour=s' => $flavour,
+    'flavor|flavour=s' => \$flavour,
     'help'             => sub { pod2usage(-exit => 0) },
     'man'              => sub {
         pod2usage(
@@ -3306,6 +3390,12 @@ if ($parm_hostname =~ /[[:upper:]]/)
   print "\n*** Host name has upper case characters: this may cause problems ***\n\n";
   }
 
+if ($parm_hostname =~ /\.example\.com$/)
+  {
+  die "\n*** Host name ends in .example.com; this conflicts with the testsuite use of that domain.\n"
+       . "    Please change the host's name (or comment out this check, and fail several testcases)\n";
+  }
+
 
 
 ##################################################
@@ -3535,6 +3625,32 @@ DIR: for (my $i = 0; $i < @test_dirs; $i++)
         {
         if (!defined $parm_malware{$1}) { $wantthis = 0; last; }
         }
+      elsif (/^feature (.*)$/)
+        {
+       # move to a subroutine?
+       my $eximinfo = "$parm_exim -C $parm_cwd/test-config -DDIR=$parm_cwd -bP macro $1";
+
+       open (IN, "$parm_cwd/confs/0000") ||
+         tests_exit(-1, "Couldn't open $parm_cwd/confs/0000: $!\n");
+       open (OUT, ">test-config") ||
+         tests_exit(-1, "Couldn't open test-config: $!\n");
+       while (<IN>)
+         {
+         do_substitute($testno);
+         print OUT;
+         }
+       close(IN);
+       close(OUT);
+
+       system($eximinfo . " >/dev/null 2>&1");
+       if ($? != 0) {
+         unlink("$parm_cwd/test-config");
+         $wantthis = 0;
+         $_ = "feature $1";
+         last;
+       }
+       unlink("$parm_cwd/test-config");
+        }
       else
         {
         tests_exit(-1, "Unknown line in \"scripts/$testdir/REQUIRES\": \"$_\"");