# Start by initializing some global variables
-$testversion = "4.78 (08-May-12)";
+$testversion = "4.80 (08-May-12)";
+
+# This gets embedded in the D-H params filename, and the value comes
+# from asking GnuTLS for "normal", but there appears to be no way to
+# use certtool/... to ask what that value currently is. *sigh*
+# We also clamp it because of NSS interop, see addition of tls_dh_max_bits.
+# This value is correct as of GnuTLS 2.12.18 as clamped by tls_dh_max_bits.
+# normal = 2432 tls_dh_max_bits = 2236
+$gnutls_dh_bits_normal = 2236;
$cf = "bin/cf -exact";
$cr = "\r";
$parm_port_d3 = 1227; # Additional for daemon
$parm_port_d4 = 1228; # Additional for daemon
+# Manually set locale
+$ENV{'LC_ALL'} = 'C';
+
###############################################################################
if ($rc == 0 && !$save_output);
system("sudo /bin/rm -rf ./eximdir/*");
+
+print "\nYou were in test $test at the end there.\n\n" if defined $test;
exit $rc if ($rc >= 0);
die "** runtest error: $_[1]\n";
}
# But convert "name=the.local.host address=127.0.0.1" to use "localhost"
s/name=the\.local\.host address=127\.0\.0\.1/name=localhost address=127.0.0.1/g;
+ # The name of the shell may vary
+ s/\s\Q$parm_shell\E\b/ ENV_SHELL/;
+
# Replace the path to the testsuite directory
s?\Q$parm_cwd\E?TESTSUITE?g;
# The message for a non-listening FIFO varies
s/:[^:]+: while opening named pipe/: Error: while opening named pipe/;
- # The name of the shell may vary
- s/\s\Q$parm_shell\E\b/ SHELL/;
-
# Debugging output of lists of hosts may have different sort keys
s/sort=\S+/sort=xx/ if /^\S+ (?:\d+\.){3}\d+ mx=\S+ sort=\S+/;
\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d/Exim statistics from <time> to <time>/x;
+ # ======== TLS certificate algorithms ========
+ # Test machines might have various different TLS library versions supporting
+ # different protocols; can't rely upon TLS 1.2's AES256-GCM-SHA384, so we
+ # treat the standard algorithms the same.
+ # So far, have seen:
+ # TLSv1:AES256-SHA:256
+ # TLSv1.2:AES256-GCM-SHA384:256
+ # TLSv1.2:DHE-RSA-AES256-SHA:256
+ # TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
+ # We also need to handle the ciphersuite without the TLS part present, for
+ # client-ssl's output. We also see some older forced ciphersuites, but
+ # negotiating TLS 1.2 instead of 1.0.
+ # Mail headers (...), log-lines X=..., client-ssl output ...
+ # (and \b doesn't match between ' ' and '(' )
+
+ s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.2:/$1TLSv1:/xg;
+ s/\bAES256-GCM-SHA384\b/AES256-SHA/g;
+ s/\bDHE-RSA-AES256-SHA\b/AES256-SHA/g;
+
+ # GnuTLS have seen:
+ # TLS1.2:RSA_AES_256_CBC_SHA1:256 (canonical)
+ # TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
+ #
+ # X=TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256
+ # X=TLS1.2:RSA_AES_256_CBC_SHA1:256
+ # X=TLS1.1:RSA_AES_256_CBC_SHA1:256
+ # X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256
+ # and as stand-alone cipher:
+ # DHE-RSA-AES256-SHA256
+ # DHE-RSA-AES256-SHA
+ # picking latter as canonical simply because regex easier that way.
+ s/\bDHE_RSA_AES_128_CBC_SHA1:128/RSA_AES_256_CBC_SHA1:256/g;
+ s/TLS1.[012]:(DHE_)?RSA_AES_256_CBC_SHA(1|256):256/TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256/g;
+ s/\bDHE-RSA-AES256-SHA256\b/DHE-RSA-AES256-SHA/g;
+
+
# ======== Caller's login, uid, gid, home, gecos ========
s/\Q$parm_caller_home\E/CALLER_HOME/g; # NOTE: these must be done
s/(TLS error on connection (?:from|to) .*? \(SSL_\w+\): error:)(.*)/$1 <<detail omitted>>/;
-
# ======== Maildir things ========
# timestamp output in maildir processing
s/(timestamp=|\(timestamp_only\): )\d+/$1ddddddd/g;
# be the case
next if /^changing group to \d+ failed: Operation not permitted/;
+ # We might not keep this check; rather than change all the tests, just
+ # ignore it as long as it succeeds; then we only need to change the
+ # TLS tests where tls_require_ciphers has been set.
+ if (m{^changed uid/gid: calling tls_validate_require_cipher}) {
+ my $discard = <IN>;
+ next;
+ }
+ next if /^tls_validate_require_cipher child \d+ ended: status=0x0/;
+
# We invoke Exim with -D, so we hit this new messag as of Exim 4.73:
next if /^macros_trusted overridden to true by whitelisting/;
if (/^gnutls/)
{
- run_system "sudo cp -p aux-fixed/gnutls-params spool/gnutls-params;" .
- "sudo chown $parm_eximuser:$parm_eximgroup spool/gnutls-params;" .
- "sudo chmod 0400 spool/gnutls-params";
+ my $gen_fn = "spool/gnutls-params-$gnutls_dh_bits_normal";
+ run_system "sudo cp -p aux-fixed/gnutls-params $gen_fn;" .
+ "sudo chown $parm_eximuser:$parm_eximgroup $gen_fn;" .
+ "sudo chmod 0400 $gen_fn";
return 1;
}
print "\n*** Host name is not fully qualified: this may cause problems ***\n\n";
}
-# Find the user's shell
+if ($parm_hostname =~ /[[:upper:]]/)
+ {
+ print "\n*** Host name has upper case characters: this may cause problems ***\n\n";
+ }
-$parm_shell = $ENV{'SHELL'};
##################################################
}
}
+# Set a user's shell, distinguishable from /bin/sh
+
+symlink("/bin/sh","aux-var/sh");
+$ENV{'SHELL'} = $parm_shell = $parm_cwd . "/aux-var/sh";
##################################################
# Create fake DNS zones for this host #