Testcases for dane_require_tls_ciphers
authorJeremy Harris <jgh146exb@wizmail.org>
Fri, 30 Mar 2018 14:50:35 +0000 (15:50 +0100)
committerJeremy Harris <jgh146exb@wizmail.org>
Fri, 30 Mar 2018 14:50:35 +0000 (15:50 +0100)
src/src/tls-gnu.c
test/confs/5821 [new file with mode: 0644]
test/confs/5841 [new file with mode: 0644]
test/log/5821 [new file with mode: 0644]
test/log/5841 [new file with mode: 0644]
test/scripts/5820-DANE-GnuTLS/5821 [new file with mode: 0644]
test/scripts/5840-DANE-OpenSSL/5841 [new file with mode: 0644]
test/stderr/5821 [new file with mode: 0644]
test/stderr/5841 [new file with mode: 0644]
test/stdout/5821 [new file with mode: 0644]
test/stdout/5841 [new file with mode: 0644]

index 0d20fea..d731882 100644 (file)
@@ -2271,16 +2271,14 @@ BOOL request_ocsp = require_ocsp ? TRUE
 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
 
 #ifdef SUPPORT_DANE
-if (ob->dane_require_tls_ciphers)
+if (tlsa_dnsa && ob->dane_require_tls_ciphers)
   {
   /* not using expand_check_tlsvar because not yet in state */
   if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
       &cipher_list, errstr))
     return DEFER;
-  if (cipher_list && *cipher_list)
-    cipher_list = ob->dane_require_tls_ciphers;
-  else
-    cipher_list = ob->tls_require_ciphers;
+  cipher_list = cipher_list && *cipher_list
+    ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
   }
 #endif
 
diff --git a/test/confs/5821 b/test/confs/5821
new file mode 100644 (file)
index 0000000..db2dc19
--- /dev/null
@@ -0,0 +1,61 @@
+# Exim test configuration 5821
+# DANE/OpenSSL - ciphers option
+
+SERVER=
+OPT=
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept logwrite = "rcpt ACL"
+
+log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
+
+tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem}fail}
+tls_privatekey =  ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key}fail}
+
+# Permit two specific ciphers
+tls_require_ciphers = NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL
+
+# ----- Routers -----
+begin routers
+
+client:
+  driver =             dnslookup
+  condition =          ${if eq {SERVER}{}}
+  dnssec_request_domains = *
+  self =               send
+  transport =          send_to_server
+  errors_to =          ""
+
+server:
+  driver =             redirect
+  data =               :blackhole:
+
+# ----- Transports -----
+begin transports
+
+send_to_server:
+  driver =                     smtp
+  allow_localhost
+  port =                       PORT_D
+  hosts_try_dane =             *
+  tls_verify_certificates =    CDIR2/ca_chain.pem
+
+  # Some commonly-available cipher, we hope
+  tls_require_ciphers =                NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL
+  dane_require_tls_ciphers =   OPT
+
+# ----- Retry -----
+begin retry
+* * F,5d,10s
+
+# End
diff --git a/test/confs/5841 b/test/confs/5841
new file mode 100644 (file)
index 0000000..867c160
--- /dev/null
@@ -0,0 +1,61 @@
+# Exim test configuration 5841
+# DANE/OpenSSL - ciphers option
+
+SERVER=
+OPT=
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept logwrite = "rcpt ACL"
+
+log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
+
+tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem}fail}
+tls_privatekey =  ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key}fail}
+
+# Permit two specific ciphers
+tls_require_ciphers = ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-GCM-SHA384
+
+# ----- Routers -----
+begin routers
+
+client:
+  driver =             dnslookup
+  condition =          ${if eq {SERVER}{}}
+  dnssec_request_domains = *
+  self =               send
+  transport =          send_to_server
+  errors_to =          ""
+
+server:
+  driver =             redirect
+  data =               :blackhole:
+
+# ----- Transports -----
+begin transports
+
+send_to_server:
+  driver =                     smtp
+  allow_localhost
+  port =                       PORT_D
+  hosts_try_dane =             *
+  tls_verify_certificates =    CDIR2/ca_chain.pem
+
+  # Some commonly-available cipher, we hope
+  tls_require_ciphers =                ECDHE-RSA-AES256-GCM-SHA384
+  dane_require_tls_ciphers =   OPT
+
+# ----- Retry -----
+begin retry
+* * F,5d,10s
+
+# End
diff --git a/test/log/5821 b/test/log/5821
new file mode 100644 (file)
index 0000000..e842e6d
--- /dev/null
@@ -0,0 +1,35 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@localhost.test.ex R=client T=send_to_server H=localhost.test.ex [::1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=dane DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@localhost.test.ex R=client T=send_to_server H=localhost.test.ex [::1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.2:RSA_CAMELLIA_256_GCM_SHA384:256 CV=dane DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=(myhost.test.ex) [::1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@localhost.test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@dane256ee.test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=(myhost.test.ex) [::1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@localhost.test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.2:RSA_CAMELLIA_256_GCM_SHA384:256 CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <CALLER@dane256ee.test.ex> R=server
+1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
diff --git a/test/log/5841 b/test/log/5841
new file mode 100644 (file)
index 0000000..06f8d5d
--- /dev/null
@@ -0,0 +1,35 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@localhost.test.ex R=client T=send_to_server H=localhost.test.ex [::1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@localhost.test.ex R=client T=send_to_server H=localhost.test.ex [::1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ECDHE-RSA-CAMELLIA256-SHA384:256 CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=(myhost.test.ex) [::1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@localhost.test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@dane256ee.test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=(myhost.test.ex) [::1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@localhost.test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ECDHE-RSA-CAMELLIA256-SHA384:256 CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <CALLER@dane256ee.test.ex> R=server
+1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
diff --git a/test/scripts/5820-DANE-GnuTLS/5821 b/test/scripts/5820-DANE-GnuTLS/5821
new file mode 100644 (file)
index 0000000..f4ea305
--- /dev/null
@@ -0,0 +1,30 @@
+# DANE client: ciphers option
+#
+gnutls
+exim -DSERVER=server -bd -oX PORT_D
+****
+
+### Baseline, dane unused
+exim -odf CALLER@localhost.test.ex
+Testing
+****
+### Baseline, dane used
+exim -odf CALLER@dane256ee.test.ex
+Testing
+****
+#
+#
+### Dane cipher specified, dane unused
+# Since dane unused, should get the same cipher as the baseline
+exim -odf -DOPT=NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL CALLER@localhost.test.ex
+Testing
+****
+### Dane cipher specified, dane used
+# Should get the cipher specified here
+exim -odf -DOPT=NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL CALLER@dane256ee.test.ex
+Testing
+****
+#
+#
+killdaemon
+no_msglog_check
diff --git a/test/scripts/5840-DANE-OpenSSL/5841 b/test/scripts/5840-DANE-OpenSSL/5841
new file mode 100644 (file)
index 0000000..52fac18
--- /dev/null
@@ -0,0 +1,29 @@
+# DANE client: ciphers option
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+
+### Baseline, dane unused
+exim -odf CALLER@localhost.test.ex
+Testing
+****
+### Baseline, dane used
+exim -odf CALLER@dane256ee.test.ex
+Testing
+****
+#
+#
+### Dane cipher specified, dane unused
+# Since dane unused, should get the same cipher as the baseline
+exim -odf -DOPT=ECDHE-RSA-CAMELLIA256-SHA384 CALLER@localhost.test.ex
+Testing
+****
+### Dane cipher specified, dane used
+# Should get the cipher specified here
+exim -odf -DOPT=ECDHE-RSA-CAMELLIA256-SHA384 CALLER@dane256ee.test.ex
+Testing
+****
+#
+#
+killdaemon
+no_msglog_check
diff --git a/test/stderr/5821 b/test/stderr/5821
new file mode 100644 (file)
index 0000000..3f9e5f2
--- /dev/null
@@ -0,0 +1,10 @@
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
+
+******** SERVER ********
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
diff --git a/test/stderr/5841 b/test/stderr/5841
new file mode 100644 (file)
index 0000000..3f9e5f2
--- /dev/null
@@ -0,0 +1,10 @@
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
+
+******** SERVER ********
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
diff --git a/test/stdout/5821 b/test/stdout/5821
new file mode 100644 (file)
index 0000000..3f9e5f2
--- /dev/null
@@ -0,0 +1,10 @@
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
+
+******** SERVER ********
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
diff --git a/test/stdout/5841 b/test/stdout/5841
new file mode 100644 (file)
index 0000000..3f9e5f2
--- /dev/null
@@ -0,0 +1,10 @@
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
+
+******** SERVER ********
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used