/* Hard failure. Reject everything except QUIT or closed connection. One
cause for failure is a nested STARTTLS, in which case tls_in.active remains
- set, but we must still reject all incoming commands. */
+ set, but we must still reject all incoming commands. Another is a handshake
+ failure - and there may some encrypted data still in the pipe to us, which we
+ see as garbage commands. */
DEBUG(D_tls) debug_printf("TLS failed to start\n");
while (done <= 0) switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
line defines the start of expected output from the server. If what is
received does not match, the client bombs out with an error message.
-(2) If a line starts with three plus signs followed by a space, the rest of the
+(2) If a line begins with three question marks and an asterisk, the server
+ is expected to close the connection.
+
+(3) If a line begins with four question marks, the rest of the line defines
+ the start of one or more possible output lines from the server. When it
+ matches, the client silently repeats the comparison using the next server
+ line. When the match fails, the client silently proceeds to the next script
+ line with the then-current server output unconsumed.
+
+(4) If a line starts with three plus signs followed by a space, the rest of the
line specifies a number of seconds to sleep for before proceeding.
-(3) If a line begins with three '>' characters and a space, the rest of the
+(5) If a line begins with three '>' characters and a space, the rest of the
line is input to be sent to the server. Backslash escaping is done as
described below, but no trailing "\r\n" is sent.
-(4) If a line begin with three '<' characters and a space, the rest of the
+(6) If a line begin with three '<' characters and a space, the rest of the
line is a filename; the content of the file is inserted intto the script
at this point.
-(5) Otherwise, the line is an input line line that is sent to the server. Any
+(7) Otherwise, the line is an input line line that is sent to the server. Any
occurrences of \r and \n in the line are turned into carriage return and
linefeed, respectively. This is used for testing PIPELINING.
Any sequences of \x followed by two hex digits are converted to the equvalent
??? 250
starttls
??? 220
+noop
+??? 554 Security failure
+quit
+????554 Security failure
+??? 221
+???*
****
### No certificate, certificate optional at TLS time, required by ACL
client-ssl 127.0.0.1 PORT_D
??? 250
starttls
??? 220
+noop
+??? 554 Security failure
****
### Bad certificate, certificate optional at TLS time, reject at ACL time
client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 250
starttls
??? 220
+noop
+??? 554 Security failure
****
### Revoked certificate, certificate optional at TLS time, reject at ACL time
client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
/* Expect incoming */
if ( strncmp(CS outbuffer, "???", 3) == 0
- && (outbuffer[3] == ' ' || outbuffer[3] == '*')
+ && (outbuffer[3] == ' ' || outbuffer[3] == '*' || outbuffer[3] == '?')
)
{
unsigned char *lineptr;
unsigned exp_eof = outbuffer[3] == '*';
+ unsigned resp_optional = outbuffer[3] == '?';
printf("%s\n", outbuffer);
n = unescape_buf(outbuffer, n);
+nextinput:
if (*inptr == 0) /* Refill input buffer */
{
+ alarm(timeout);
if (srv->tls_active)
{
#ifdef HAVE_OPENSSL
- rc = SSL_read (srv->ssl, inbuffer, bsiz - 1);
+ rc = SSL_read(srv->ssl, inbuffer, bsiz - 1);
#endif
#ifdef HAVE_GNUTLS
rc = gnutls_record_recv(tls_session, CS inbuffer, bsiz - 1);
#endif
}
else
- {
- alarm(timeout);
rc = read(srv->sock, inbuffer, bsiz);
- alarm(0);
- }
+ alarm(0);
if (rc < 0)
{
if (*inptr == '\n') inptr++;
}
- printf("<<< %s\n", lineptr);
if (strncmp(CS lineptr, CS outbuffer + 4, n - 4) != 0)
- {
- printf("\n******** Input mismatch ********\n");
- exit(79);
- }
+ if (resp_optional)
+ {
+ inptr = lineptr; /* consume scriptline, not inputline */
+ continue;
+ }
+ else
+ {
+ printf("<<< %s\n", lineptr);
+ printf("\n******** Input mismatch ********\n");
+ exit(79);
+ }
+
+ /* input matched script */
+
+ if (resp_optional)
+ goto nextinput; /* consume inputline, not scriptline */
+
+ printf("<<< %s\n", lineptr);
#ifdef HAVE_TLS
if (srv->sent_starttls)
{
if (lineptr[0] == '2')
{
-int rc;
unsigned int verify;
printf("Attempting to start TLS\n");
printf("End of script\n");
shutdown(srv.sock, SHUT_WR);
-while (read(srv.sock, inbuffer, sizeof(inbuffer)) > 0) ;
+if (fcntl(srv.sock, F_SETFL, O_NONBLOCK) == 0)
+ while (read(srv.sock, inbuffer, sizeof(inbuffer)) > 0) ;
close(srv.sock);
exit(0);
Attempting to start TLS
pppp:error:dddddddd:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:[...]:SSL alert number 40
Failed to start TLS
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
+>>> quit
+????554 Security failure
+??? 221
+<<< 221 myhost.test.ex closing connection
+???*
+Expected EOF read
End of script
### No certificate, certificate optional at TLS time, required by ACL
Connecting to 127.0.0.1 port 1225 ... connected
Attempting to start TLS
pppp:error:dddddddd:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:[...]:SSL alert number 48
Failed to start TLS
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
End of script
### Bad certificate, certificate optional at TLS time, reject at ACL time
Connecting to 127.0.0.1 port 1225 ... connected
Attempting to start TLS
pppp:error:dddddddd:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked:[...]:SSL alert number 44
Failed to start TLS
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
End of script
### Revoked certificate, certificate optional at TLS time, reject at ACL time
Connecting to 127.0.0.1 port 1225 ... connected
projects / exim.git / commitdiff