Testsuite: munge for TLS1.3 under GnuTLS
[users/jgh/exim.git] / test / runtest
index 3814261f38445bf00329606d3bb4dadb0fa15ad5..b0fb96b7b78a8cea4abf8221ff749fe932b3dad1 100755 (executable)
@@ -460,7 +460,9 @@ RESET_AFTER_EXTRA_LINE_READ:
     {
     my($date1,$date2,$date3,$expired) = ($1,$2,$3,$4);
     $expired = '' if !defined $expired;
     {
     my($date1,$date2,$date3,$expired) = ($1,$2,$3,$4);
     $expired = '' if !defined $expired;
-    my($increment) = date_seconds($date3) - date_seconds($date2);
+
+    # Round the time-difference up to nearest even value
+    my($increment) = ((date_seconds($date3) - date_seconds($date2) + 1) >> 1) << 1;
 
     # We used to use globally unique replacement values, but timing
     # differences make this impossible. Just show the increment on the
 
     # We used to use globally unique replacement values, but timing
     # differences make this impossible. Just show the increment on the
@@ -474,6 +476,13 @@ RESET_AFTER_EXTRA_LINE_READ:
   # more_errno values in exim_dumpdb output which are times
   s/T:(\S+)\s-22\s(\S+)\s/T:$1 -22 xxxx /;
 
   # more_errno values in exim_dumpdb output which are times
   s/T:(\S+)\s-22\s(\S+)\s/T:$1 -22 xxxx /;
 
+  # port numbers in dumpdb output
+  s/T:([a-z.]+(:[0-9.]+)?):$parm_port_n /T:$1:PORT_N /;
+
+  # port numbers in stderr
+  s/^set_process_info: .*\]:\K$parm_port_d /PORT_D /;
+  s/^set_process_info: .*\]:\K$parm_port_s /PORT_S /;
+
 
   # ======== Dates and times ========
 
 
   # ======== Dates and times ========
 
@@ -515,7 +524,7 @@ RESET_AFTER_EXTRA_LINE_READ:
     my($next) = $3 - $2;
     $_ = "  first failed=dddd last try=dddd next try=+$next $4\n";
     }
     my($next) = $3 - $2;
     $_ = "  first failed=dddd last try=dddd next try=+$next $4\n";
     }
-  s/^(\s*)now=\d+ first_failed=\d+ next_try=\d+ expired=(\d)/$1now=tttt first_failed=tttt next_try=tttt expired=$2/;
+  s/^(\s*)now=\d+ first_failed=\d+ next_try=\d+ expired=(\w)/$1now=tttt first_failed=tttt next_try=tttt expired=$2/;
   s/^(\s*)received_time=\d+ diff=\d+ timeout=(\d+)/$1received_time=tttt diff=tttt timeout=$2/;
 
   # Time to retry may vary
   s/^(\s*)received_time=\d+ diff=\d+ timeout=(\d+)/$1received_time=tttt diff=tttt timeout=$2/;
 
   # Time to retry may vary
@@ -535,6 +544,15 @@ RESET_AFTER_EXTRA_LINE_READ:
   s/(could not connect to .*: Connection) reset by peer$/$1 refused/;
 
   # ======== TLS certificate algorithms ========
   s/(could not connect to .*: Connection) reset by peer$/$1 refused/;
 
   # ======== TLS certificate algorithms ========
+  #
+  # In Received: headers, convert RFC 8314 style ciphersuite to
+  # the older (comment) style, keeping only the Auth element
+  # (discarding kex, cipher, mac).  For TLS 1.3 there is no kex
+  # element (and no _WITH); insert a spurious "RSA".
+
+  s/^\s+by .+ with .+ \K tls TLS_.*?([^_]+)_WITH.+$/(TLS1.x:ke-\1-AES256-SHAnnn:xxx)/;
+  s/^\s+by .+ with .+ \K tls TLS_.+$/(TLS1.x:ke-RSA-AES256-SHAnnn:xxx)/;
+
   # Test machines might have various different TLS library versions supporting
   # different protocols; can't rely upon TLS 1.2's AES256-GCM-SHA384, so we
   # treat the standard algorithms the same.
   # Test machines might have various different TLS library versions supporting
   # different protocols; can't rely upon TLS 1.2's AES256-GCM-SHA384, so we
   # treat the standard algorithms the same.
@@ -557,9 +575,9 @@ RESET_AFTER_EXTRA_LINE_READ:
   #
   # Retain the authentication algorith field as we want to test that.
 
   #
   # Retain the authentication algorith field as we want to test that.
 
-  s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.[123]:/$1TLSv1:/xg;
-  s/((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA)(?!:)/ke-$3-AES256-SHA/g;
-  s/((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA):(128|256)/ke-$3-AES256-SHA:xxx/g;
+  s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1(\.[123])?:/$1TLS1.x:/xg;
+  s/(?<!ke-)((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA)(?!:)/ke-$3-AES256-SHAnnn/g;
+  s/(?<!ke-)((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA):(128|256)/ke-$3-AES256-SHAnnn:xxx/g;
 
   # OpenSSL TLSv1.3 - unsure what to do about the authentication-variant testcases now,
   # as it seems the protocol no longer supports a user choice.  Replace the "TLS" field with "RSA".
 
   # OpenSSL TLSv1.3 - unsure what to do about the authentication-variant testcases now,
   # as it seems the protocol no longer supports a user choice.  Replace the "TLS" field with "RSA".
@@ -567,8 +585,8 @@ RESET_AFTER_EXTRA_LINE_READ:
   #
   # TLSversion : "TLS" - C_iph_er - MAC : ???
   #
   #
   # TLSversion : "TLS" - C_iph_er - MAC : ???
   #
-  s/TLS_AES(_256)?_GCM_SHA384(?!:)/ke-RSA-AES256-SHA/g;
-  s/:TLS_AES(_256)?_GCM_SHA384:256/:ke-RSA-AES256-SHA:xxx/g;
+  s/TLS_AES(_256)?_GCM_SHA384(?!:)/ke-RSA-AES256-SHAnnn/g;
+  s/:TLS_AES(_256)?_GCM_SHA384:256/:ke-RSA-AES256-SHAnnn:xxx/g;
 
   # LibreSSL
   # TLSv1:AES256-GCM-SHA384:256
 
   # LibreSSL
   # TLSv1:AES256-GCM-SHA384:256
@@ -578,13 +596,16 @@ RESET_AFTER_EXTRA_LINE_READ:
   # AES256-GCM-SHA384
 
   s/(?<!-)(AES256-GCM-SHA384)/RSA-$1/;
   # AES256-GCM-SHA384
 
   s/(?<!-)(AES256-GCM-SHA384)/RSA-$1/;
-  s/((EC)?DHE-)?(RSA|ECDSA)-(AES256|CHACHA20)-(GCM-SHA384|POLY1305)(?!:)/ke-$3-AES256-SHA/g;
-  s/((EC)?DHE-)?(RSA|ECDSA)-(AES256|CHACHA20)-(GCM-SHA384|POLY1305):256/ke-$3-AES256-SHA:xxx/g;
+  s/(?<!ke-)((EC)?DHE-)?(RSA|ECDSA)-(AES256|CHACHA20)-(GCM-SHA384|POLY1305)(?!:)/ke-$3-AES256-SHAnnn/g;
+  s/(?<!ke-)((EC)?DHE-)?(RSA|ECDSA)-(AES256|CHACHA20)-(GCM-SHA384|POLY1305):256/ke-$3-AES256-SHAnnn:xxx/g;
 
   # GnuTLS have seen:
 
   # GnuTLS have seen:
+  #   TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
+  #
   #   TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256
   #   TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128
   #   TLS1.2:RSA_AES_256_CBC_SHA1:256 (canonical)
   #   TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256
   #   TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128
   #   TLS1.2:RSA_AES_256_CBC_SHA1:256 (canonical)
+  #   TLS1.2:RSA_AES_128_GCM_SHA256:128
   #   TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
   #
   #   X=TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256
   #   TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
   #
   #   X=TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256
@@ -596,9 +617,9 @@ RESET_AFTER_EXTRA_LINE_READ:
   #   DHE-RSA-AES256-SHA256
   #   DHE-RSA-AES256-SHA
   # picking latter as canonical simply because regex easier that way.
   #   DHE-RSA-AES256-SHA256
   #   DHE-RSA-AES256-SHA
   # picking latter as canonical simply because regex easier that way.
-  s/\bDHE_RSA_AES_128_CBC_SHA1:128/RSA_AES_256_CBC_SHA1:256/g;
-  s/TLS1.[012]:((EC)?DHE_)?(RSA|ECDSA)_AES_(256|128)_(CBC|GCM)_SHA(1|256|384):(256|128)/TLS1.x:ke_$3_AES_256_CBC_SHAnnn:256/g;
-  s/\b(ECDHE-(RSA|ECDSA)-AES256-SHA|DHE-RSA-AES256-SHA256)\b/ke-$2-AES256-SHAxx/g;
+  s/\bDHE_RSA_AES_128_CBC_SHA1:128/RSA-AES256-SHA1:256/g;
+  s/TLS1.[0-3]:((EC)?DHE_)?(RSA|ECDSA)_AES_(256|128)_(CBC|GCM)_SHA(1|256|384):(256|128)/TLS1.x:ke-$3-AES256-SHAnnn:xxx/g;
+  s/\b(ECDHE-(RSA|ECDSA)-AES256-SHA|DHE-RSA-AES256-SHA256)\b/ke-$2-AES256-SHAnnn/g;
 
   # GnuTLS library error message changes
   s/No certificate was found/The peer did not send any certificate/g;
 
   # GnuTLS library error message changes
   s/No certificate was found/The peer did not send any certificate/g;
@@ -1104,9 +1125,11 @@ RESET_AFTER_EXTRA_LINE_READ:
 
     # Skip hosts_require_dane checks when the options
     # are unset, because dane ain't always there.
 
     # Skip hosts_require_dane checks when the options
     # are unset, because dane ain't always there.
-
     next if /in\shosts_require_dane\?\sno\s\(option\sunset\)/x;
 
     next if /in\shosts_require_dane\?\sno\s\(option\sunset\)/x;
 
+    # DISABLE_OCSP 
+    next if /in hosts_requ(est|ire)_ocsp\? (no|yes)/;
+
     # SUPPORT_PROXY
     next if /host in hosts_proxy\?/;
 
     # SUPPORT_PROXY
     next if /host in hosts_proxy\?/;
 
@@ -1119,6 +1142,9 @@ RESET_AFTER_EXTRA_LINE_READ:
     # TCP Fast Open
     next if /^(ppppp )?setsockopt FASTOPEN: Network Error/;
 
     # TCP Fast Open
     next if /^(ppppp )?setsockopt FASTOPEN: Network Error/;
 
+    # Experimental_PIPE_CONNECT
+    next if / in (pipelining_connect_advertise_hosts|hosts_pipe_connect)?\? no /;
+
     # Environment cleaning
     next if /\w+ in keep_environment\? (yes|no)/;
 
     # Environment cleaning
     next if /\w+ in keep_environment\? (yes|no)/;
 
@@ -1158,8 +1184,8 @@ RESET_AFTER_EXTRA_LINE_READ:
       s/Address family not supported by protocol family/Network Error/;
       s/Network is unreachable/Network Error/;
       }
       s/Address family not supported by protocol family/Network Error/;
       s/Network is unreachable/Network Error/;
       }
-
     next if /^(ppppp )?setsockopt FASTOPEN: Protocol not available$/;
     next if /^(ppppp )?setsockopt FASTOPEN: Protocol not available$/;
+    s/^(Connecting to .* \.\.\. sending) \d+ (nonTFO early-data)$/$1 dd $2/;
 
     # Specific pointer values reported for DB operations change from run to run
     s/^(\s*returned from EXIM_DBOPEN: )(0x)?[0-9a-f]+/${1}0xAAAAAAAA/;
 
     # Specific pointer values reported for DB operations change from run to run
     s/^(\s*returned from EXIM_DBOPEN: )(0x)?[0-9a-f]+/${1}0xAAAAAAAA/;
@@ -1614,7 +1640,9 @@ $munges =
                      s! DN="[^,"]*\K,!/!;
                     ',
       'rejectlog' => 's/ X=TLS\S+ / X=TLS_proto_and_cipher /',
                      s! DN="[^,"]*\K,!/!;
                     ',
       'rejectlog' => 's/ X=TLS\S+ / X=TLS_proto_and_cipher /',
-      'mail'      => 's/ \(TLS[^)]*\)/ (TLS_proto_and_cipher)/',
+      'mail'      => 's/^\s+by .+ with .+ \K tls TLS_.+$/(TLS_proto_and_cipher)/;
+                     s/ \(TLS[^)]*\)/ (TLS_proto_and_cipher)/;
+                    ',
     },
 
     'debug_pid' =>
     },
 
     'debug_pid' =>
@@ -1628,9 +1656,11 @@ $munges =
     { 'stdout' => '/^(
                   dkim_(canon|domain|private_key|selector|sign_headers|strict|hash|identity|timestamps)
                   |gnutls_require_(kx|mac|protocols)
     { 'stdout' => '/^(
                   dkim_(canon|domain|private_key|selector|sign_headers|strict|hash|identity|timestamps)
                   |gnutls_require_(kx|mac|protocols)
+                 |hosts_pipe_connect
                   |hosts_(requ(est|ire)|try)_(dane|ocsp)
                  |dane_require_tls_ciphers
                   |hosts_(avoid|nopass|noproxy|require|verify_avoid)_tls
                   |hosts_(requ(est|ire)|try)_(dane|ocsp)
                  |dane_require_tls_ciphers
                   |hosts_(avoid|nopass|noproxy|require|verify_avoid)_tls
+                  |pipelining_connect_advertise_hosts
                   |socks_proxy
                   |tls_[^ ]*
                  |utf8_downconvert
                   |socks_proxy
                   |tls_[^ ]*
                  |utf8_downconvert
@@ -3380,6 +3410,12 @@ if ($parm_hostname =~ /[[:upper:]]/)
   print "\n*** Host name has upper case characters: this may cause problems ***\n\n";
   }
 
   print "\n*** Host name has upper case characters: this may cause problems ***\n\n";
   }
 
+if ($parm_hostname =~ /\.example\.com$/)
+  {
+  die "\n*** Host name ends in .example.com; this conflicts with the testsuite use of that domain.\n"
+       . "    Please change the host's name (or comment out this check, and fail several testcases)\n";
+  }
+
 
 
 ##################################################
 
 
 ##################################################