s/^\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d(\s[+-]\d\d\d\d)?\s/1999-03-02 09:44:33 /gx;
s/^\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\.\d{3}(\s[+-]\d\d\d\d)?\s/2017-07-30 18:51:05.712 /gx;
s/^Logwrite\s"\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d/Logwrite "1999-03-02 09:44:33/gx;
+ # Date/time in syslog test
+ s/^SYSLOG:\s\'\K\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\s/2017-07-30 18:51:05 /gx;
+ s/^SYSLOG:\s\'\K\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\.\d{3}\s/2017-07-30 18:51:05.712 /gx;
+ s/^SYSLOG:\s\'\K\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\s[+-]\d\d\d\d\s/2017-07-30 18:51:05 +9999 /gx;
+ s/^SYSLOG:\s\'\K\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\.\d{3}\s[+-]\d\d\d\d\s/2017-07-30 18:51:05.712 +9999 /gx;
- s/((D|[QD]T)=)\d+s/$1qqs/g;
- s/((D|[QD]T)=)\d\.\d{3}s/$1q.qqqs/g;
+ s/((D|[RQD]T)=)\d+s/$1qqs/g;
+ s/((D|[RQD]T)=)\d\.\d{3}s/$1q.qqqs/g;
# Date/time in message separators
s/(?:[A-Z][a-z]{2}\s){2}\d\d\s\d\d:\d\d:\d\d\s\d\d\d\d
# Test machines might have various different TLS library versions supporting
# different protocols; can't rely upon TLS 1.2's AES256-GCM-SHA384, so we
# treat the standard algorithms the same.
+ #
+ # TLSversion : KeyExchange? - Authentication/Signature - C_iph_er - MAC : ???
+ #
# So far, have seen:
# TLSv1:AES128-GCM-SHA256:128
# TLSv1:AES256-SHA:256
# TLSv1.1:AES256-SHA:256
# TLSv1.2:AES256-GCM-SHA384:256
# TLSv1.2:DHE-RSA-AES256-SHA:256
+ # TLSv1.3:TLS_AES_256_GCM_SHA384:256
# TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
# We also need to handle the ciphersuite without the TLS part present, for
# client-ssl's output. We also see some older forced ciphersuites, but
# negotiating TLS 1.2 instead of 1.0.
# Mail headers (...), log-lines X=..., client-ssl output ...
# (and \b doesn't match between ' ' and '(' )
+ #
+ # Retain the authentication algorith field as we want to test that.
- s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.[12]:/$1TLSv1:/xg;
- s/\bAES128-GCM-SHA256:128\b/AES256-SHA:256/g;
- s/\bAES128-GCM-SHA256\b/AES256-SHA/g;
- s/\bAES256-GCM-SHA384\b/AES256-SHA/g;
- s/\bDHE-RSA-AES256-SHA\b/AES256-SHA/g;
+ s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.[123]:/$1TLSv1:/xg;
+ s/((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA)(?!:)/ke-$3-AES256-SHA/g;
+ s/((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA):(128|256)/ke-$3-AES256-SHA:xxx/g;
+
+ # OpenSSL TLSv1.3 - unsure what to do about the authentication-variant testcases now,
+ # as it seems the protocol no longer supports a user choice. Replace the "TLS" field with "RSA".
+ # Also insert a key-exchange field for back-compat, even though 1.3 doesn't do that.
+ #
+ # TLSversion : "TLS" - C_iph_er - MAC : ???
+ #
+ s/TLS_AES(_256)?_GCM_SHA384(?!:)/ke-RSA-AES256-SHA/g;
+ s/:TLS_AES(_256)?_GCM_SHA384:256/:ke-RSA-AES256-SHA:xxx/g;
# LibreSSL
+ # TLSv1:AES256-GCM-SHA384:256
# TLSv1:ECDHE-RSA-CHACHA20-POLY1305:256
- s/\bECDHE-RSA-CHACHA20-POLY1305\b/AES256-SHA/g;
+ #
+ # ECDHE-RSA-CHACHA20-POLY1305
+ # AES256-GCM-SHA384
+
+ s/(?<!-)(AES256-GCM-SHA384)/RSA-$1/;
+ s/((EC)?DHE-)?(RSA|ECDSA)-(AES256|CHACHA20)-(GCM-SHA384|POLY1305)(?!:)/ke-$3-AES256-SHA/g;
+ s/((EC)?DHE-)?(RSA|ECDSA)-(AES256|CHACHA20)-(GCM-SHA384|POLY1305):256/ke-$3-AES256-SHA:xxx/g;
# GnuTLS have seen:
# TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256
# DHE-RSA-AES256-SHA
# picking latter as canonical simply because regex easier that way.
s/\bDHE_RSA_AES_128_CBC_SHA1:128/RSA_AES_256_CBC_SHA1:256/g;
- s/TLS1.[012]:((EC)?DHE_)?RSA_AES_(256|128)_(CBC|GCM)_SHA(1|256|384):(256|128)/TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256/g;
- s/\b(ECDHE-RSA-AES256-SHA|DHE-RSA-AES256-SHA256)\b/AES256-SHA/g;
+ s/TLS1.[012]:((EC)?DHE_)?(RSA|ECDSA)_AES_(256|128)_(CBC|GCM)_SHA(1|256|384):(256|128)/TLS1.x:ke_$3_AES_256_CBC_SHAnnn:256/g;
+ s/\b(ECDHE-(RSA|ECDSA)-AES256-SHA|DHE-RSA-AES256-SHA256)\b/ke-$2-AES256-SHAxx/g;
# GnuTLS library error message changes
s/No certificate was found/The peer did not send any certificate/g;
#(dodgy test?) s/\(certificate verification failed\): invalid/\(gnutls_handshake\): The peer did not send any certificate./g;
s/\(gnutls_priority_set\): No or insufficient priorities were set/\(gnutls_handshake\): Could not negotiate a supported cipher suite/g;
+ s/\(gnutls_handshake\): \KNo supported cipher suites have been found.$/Could not negotiate a supported cipher suite./;
# (this new one is a generic channel-read error, but the testsuite
# only hits it in one place)
s/\bgid=\d+/gid=gggg/;
s/\begid=\d+/egid=gggg/;
- s/\bpid=\d+/pid=pppp/;
+ s/\b(pid=|PID: )\d+/$1pppp/;
s/\buid=\d+/uid=uuuu/;
s/\beuid=\d+/euid=uuuu/;
s/set_process_info:\s+\d+/set_process_info: pppp/;
s"test-mail/temp\.\d+\."test-mail/temp.pppp.";
# Optional pid in log lines
- s/^(\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d)(\s[+-]\d\d\d\d|)(\s\[\d+\])/
- "$1$2 [" . new_value($3, "%s", \$next_pid) . "]"/gxe;
+ s/^(\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d)(\.\d{3}|)(\s[+-]\d{4}|)(\s\[\d+\])/
+ "$1$2$3 [" . new_value($4, "%s", \$next_pid) . "]"/gxe;
+
+ # Optional pid in syslog test lines
+ s/^(SYSLOG:\s\'([-0-9]{10}\s[:.0-9]{8,12}\s([-+]\d{4}\s)?|))(\[\d+\] )/
+ "$1\[" . new_value($4, "%s", \$next_pid) . "]"/gxe;
# Detect a daemon stderr line with a pid and save the pid for subsequent
# removal from following lines.
# subsecond timstamp info in reported header-files
s/^(-received_time_usec \.)\d{6}$/$1uuuuuu/;
+
+ # Postgres server takes varible time to shut down; lives in various places
+ s/^waiting for server to shut down\.+ done$/waiting for server to shut down.... done/;
+ s/^\/.*postgres /POSTGRES /;
+
+ # ARC is not always supported by the build
+ next if /^arc_sign =/;
}
# ======== stderr ========
next if /name=localhost address=::1/;
# drop pdkim debugging header
- next if /^PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<+$/;
+ next if /^PDKIM( <<<<<<<<<<<<<<<<<<<<<<<<<<<<<+|: no signatures)$/;
# Various other IPv6 lines must be omitted too
# Some DBM libraries seem to make DBM files on opening with O_RDWR without
# O_CREAT; other's don't. In the latter case there is some debugging output
# which is not present in the former. Skip the relevant lines (there are
- # two of them).
+ # three of them).
- if (/TESTSUITE\/spool\/db\/\S+ appears not to exist: trying to create/)
+ if (/returned from EXIM_DBOPEN: \(nil\)/)
{
- $_ = <IN>;
- next;
+ $_ .= <IN>;
+ s?\Q$parm_cwd\E?TESTSUITE?g;
+ if (/TESTSUITE\/spool\/db\/\S+ appears not to exist: trying to create/)
+ { $_ = <IN>; next; }
}
# Some tests turn on +expand debugging to check on expansions.
# Experimental_International
next if / in smtputf8_advertise_hosts\? no \(option unset\)/;
+ # Experimental_REQUIRETLS
+ next if / in tls_advertise_requiretls?\? no \(end of list\)/;
+
+ # TCP Fast Open
+ next if /^setsockopt FASTOPEN: Network Error/;
+
# Environment cleaning
next if /\w+ in keep_environment\? (yes|no)/;
next if /^(ppppp )?setsockopt FASTOPEN: Protocol not available$/;
# Specific pointer values reported for DB operations change from run to run
- s/^(returned from EXIM_DBOPEN: )(0x)?[0-9a-f]+/${1}0xAAAAAAAA/;
- s/^(EXIM_DBCLOSE.)(0x)?[0-9a-f]+/${1}0xAAAAAAAA/;
+ s/^(\s*returned from EXIM_DBOPEN: )(0x)?[0-9a-f]+/${1}0xAAAAAAAA/;
+ s/^(\s*EXIM_DBCLOSE.)(0x)?[0-9a-f]+/${1}0xAAAAAAAA/;
+
+ # Platform-dependent output during MySQL startup
+ next if /PerconaFT file system space/;
+ next if /^Waiting for MySQL server to answer/;
+ next if /mysqladmin: CREATE DATABASE failed; .* database exists/;
+
+ # Not all builds include DMARC
+ next if /^DMARC: no (dmarc_tld_file|sender_host_address)$/ ;
# When Exim is checking the size of directories for maildir, it uses
# the check_dir_size() function to scan directories. Of course, the order
/^Support for:/ ||
/^Routers:/ ||
/^Transports:/ ||
+ /^Malware:/ ||
/^log selectors =/ ||
/^cwd=/ ||
/^Fixed never_users:/ ||
# openssl version variances
s/(TLS error on connection [^:]*: error:)[0-9A-F]{8}(:system library):(?:fopen|func\(4095\)):(No such file or directory)$/$1xxxxxxxx$2:fopen:$3/;
+ s/(DANE attempt failed.*error:)[0-9A-F]{8}(:SSL routines:)(ssl3_get_server_certificate|tls_process_server_certificate|CONNECT_CR_CERT)(?=:certificate verify failed$)/$1xxxxxxxx$2ssl3_get_server_certificate/;
+ s/(DKIM: validation error: )error:[0-9A-F]{8}:rsa routines:(?:(?i)int_rsa_verify|CRYPTO_internal):(?:bad signature|algorithm mismatch)$/$1Public key signature verification has failed./;
+
+ # DKIM timestamps
+ if ( /(DKIM: d=.*) t=([0-9]*) x=([0-9]*) / )
+ {
+ my ($prefix, $t_diff) = ($1, $3 - $2);
+ s/DKIM: d=.* t=[0-9]* x=[0-9]* /${prefix} t=T x=T+${t_diff} /;
+ }
+ }
+
+ # ======== mail ========
+
+ elsif ($is_mail)
+ {
+ # DKIM timestamps, and signatures depending thereon
+ if ( /^(\s+)t=([0-9]*); x=([0-9]*); b=[A-Za-z0-9+\/]+$/ )
+ {
+ my ($indent, $t_diff) = ($1, $3 - $2);
+ s/.*/${indent}t=T; x=T+${t_diff}; b=bbbb;/;
+ <IN>;
+ <IN>;
+ }
}
# ======== All files other than stderr ========
'gnutls_handshake' =>
{ 'mainlog' => 's/\(gnutls_handshake\): Error in the push function/\(gnutls_handshake\): A TLS packet with unexpected length was received/' },
+ 'gnutls_bad_clientcert' =>
+ { 'mainlog' => 's/\(certificate verification failed\): certificate invalid/\(gnutls_handshake\): The peer did not send any certificate./',
+ 'stdout' => 's/Succeeded in starting TLS/A TLS fatal alert has been received.\nFailed to start TLS'
+ },
+
'optional_events' =>
{ 'stdout' => '/event_action =/' },
{ 'stderr' => 's/(1[5-9]|23\d)\d\d msec/ssss msec/' },
'tls_anycipher' =>
- { 'mainlog' => 's/ X=TLS\S+ / X=TLS_proto_and_cipher /' },
+ { 'mainlog' => 's! X=TLS\S+ ! X=TLS_proto_and_cipher !;
+ s! DN="C=! DN="/C=!;
+ s! DN="[^,"]*\K,!/!;
+ s! DN="[^,"]*\K,!/!;
+ s! DN="[^,"]*\K,!/!;
+ ',
+ 'rejectlog' => 's/ X=TLS\S+ / X=TLS_proto_and_cipher /',
+ 'mail' => 's/ \(TLS[^)]*\)/ (TLS_proto_and_cipher)/',
+ },
'debug_pid' =>
{ 'stderr' => 's/(^\s{0,4}|(?<=Process )|(?<=child ))\d{1,5}/ppppp/g' },
'optional_config' =>
{ 'stdout' => '/^(
- dkim_(canon|domain|private_key|selector|sign_headers|strict|hash|identity)
+ dkim_(canon|domain|private_key|selector|sign_headers|strict|hash|identity|timestamps)
|gnutls_require_(kx|mac|protocols)
|hosts_(requ(est|ire)|try)_(dane|ocsp)
+ |dane_require_tls_ciphers
|hosts_(avoid|nopass|noproxy|require|verify_avoid)_tls
|socks_proxy
|tls_[^ ]*
+ |utf8_downconvert
)($|[ ]=)/x'
},
$_ = <SCRIPT>; $lineno++;
chomp;
+ do_substitute($testno);
$line = $_;
if ($debug) { printf ">> daemon: $line >>test-stdout 2>>test-stderr\n"; }
if 0020 & (stat "$parm_cwd/test-config")[2]
and $parm_configure_group != $);
+die "aux-fixed file is world-writeable; best to strip them all, recursively\n"
+ if 0020 & (stat "aux-fixed/0037.f-1")[2];
+
open(EXIMINFO, "$parm_exim -d-all+transport -bV -C $parm_cwd/test-config -DDIR=$parm_cwd |") ||
die "** Cannot run $parm_exim: $!\n";
my(@temp);
if (/^(Exim|Library) version/) { print; }
+ if (/Runtime: /) {print; }
elsif (/^Size of off_t: (\d+)/)
{
}
}
}
+
+ elsif (/^Malware: (.*)/)
+ {
+ print;
+ @temp = split /(\s+)/, $1;
+ push(@temp, ' ');
+ %parm_malware = @temp;
+ }
+
}
close(EXIMINFO);
print "-" x 78, "\n";
die "** ABANDONING.\n";
}
+if ($parm_caller_home eq $parm_cwd)
+ {
+ print "will confuse working dir with homedir; change homedir\n";
+ die "** ABANDONING.\n";
+ }
+
print "You need to be in the Exim group to run these tests. Checking ...";
if (`groups` =~ /\b\Q$parm_eximgroup\E\b/)
{
if (!defined $parm_transports{$1}) { $wantthis = 0; last; }
}
+ elsif (/^malware (.*)$/)
+ {
+ if (!defined $parm_malware{$1}) { $wantthis = 0; last; }
+ }
+ elsif (/^feature (.*)$/)
+ {
+ # move to a subroutine?
+ my $eximinfo = "$parm_exim -C $parm_cwd/test-config -DDIR=$parm_cwd -bP macro $1";
+
+ open (IN, "$parm_cwd/confs/0000") ||
+ tests_exit(-1, "Couldn't open $parm_cwd/confs/0000: $!\n");
+ open (OUT, ">test-config") ||
+ tests_exit(-1, "Couldn't open test-config: $!\n");
+ while (<IN>)
+ {
+ do_substitute($testno);
+ print OUT;
+ }
+ close(IN);
+ close(OUT);
+
+ system($eximinfo . " >/dev/null 2>&1");
+ if ($? != 0) {
+ unlink("$parm_cwd/test-config");
+ $wantthis = 0;
+ $_ = "feature $1";
+ last;
+ }
+ unlink("$parm_cwd/test-config");
+ }
else
{
tests_exit(-1, "Unknown line in \"scripts/$testdir/REQUIRES\": \"$_\"");