author | Jeremy Harris <jgh146exb@wizmail.org> | 2017-12-19 22:14:18 +0000 |
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2017-12-19 22:14:18 +0000 |
commit | d4fd1b83a197d73cbac114fe53f3448d8b5c7cc2 (patch) | |
tree | 595ac359ff45f8e9f8b29f6432cb088a17cf7a88 /test/scripts | |
parent | 3721c5545411010ffbea82fc58b883664d07e865 (diff) | |
parent | b4ad78623875988d016ff816dc6c9c382be897f9 (diff) |
Merge branch '4.next'
Diffstat (limited to 'test/scripts')
-rw-r--r-- | test/scripts/2000-GnuTLS/2014 | 59 | ||||
-rw-r--r-- | test/scripts/2100-OpenSSL/2114 | 55 | ||||
-rw-r--r-- | test/scripts/4500-DKIM/4504 | 45 | ||||
-rw-r--r-- | test/scripts/5650-OCSP-GnuTLS/5652 | 37 | ||||
-rw-r--r-- | test/scripts/5820-DANE-GnuTLS/5820 | 102 | ||||
-rw-r--r-- | test/scripts/5840-DANE-OpenSSL/5840 | 49 |
6 files changed, 297 insertions, 50 deletions
diff --git a/test/scripts/2000-GnuTLS/2014 b/test/scripts/2000-GnuTLS/2014
index c5a01494a..1e12b4ef5 100644
--- a/test/scripts/2000-GnuTLS/2014
+++ b/test/scripts/2000-GnuTLS/2014
@@ -3,7 +3,7 @@ gnutls
 munge gnutls_unexpected
 exim -DSERVER=server -bd -oX PORT_D
 ****
-# No certificate, certificate required
+### No certificate, certificate required
 client-gnutls HOSTIPV4 PORT_D
 ??? 220
 ehlo rhu1.barb
@@ -16,7 +16,7 @@ ehlo rhu1.barb
 starttls
 ??? 220
 ****
-# No certificate, certificate optional at TLS time, required by ACL
+### No certificate, certificate optional at TLS time, required by ACL
 client-gnutls 127.0.0.1 PORT_D
 ??? 220
 ehlo rhu2.barb
@@ -37,8 +37,8 @@ rcpt to:<userx@test.ex>
 quit
 ??? 221
 ****
-# Good certificate, certificate required
-client-gnutls HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+### Good certificate, certificate required
+client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
 ??? 220
 ehlo rhu3.barb
 ??? 250-
@@ -56,8 +56,8 @@ rcpt to:<userx@test.ex>
 quit
 ??? 221
 ****
-# Good certificate, certificate optional at TLS time, checked by ACL
-client-gnutls 127.0.0.1 PORT_D aux-fixed/cert2 aux-fixed/cert2
+### Good certificate, certificate optional at TLS time, checked by ACL
+client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
 ??? 220
 ehlo rhu4.barb
 ??? 250-
@@ -75,8 +75,10 @@ rcpt to:<userx@test.ex>
 quit
 ??? 221
 ****
-# Bad certificate, certificate required
-client-gnutls HOSTIPV4 PORT_D aux-fixed/cert1 aux-fixed/cert1
+### Bad certificate, certificate required
+# Actually this test does not have the client presenting a cert at all, as it filters what it has
+# by the options offered by the server first. So it's not a good testcase.
+client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
 ??? 220
 ehlo rhu5.barb
 ??? 250-
@@ -88,8 +90,9 @@ ehlo rhu5.barb
 starttls
 ??? 220
 ****
-# Bad certificate, certificate optional at TLS time, reject at ACL time
-client-gnutls 127.0.0.1 PORT_D aux-fixed/cert1 aux-fixed/cert1
+### Bad certificate, certificate optional at TLS time, reject at ACL time
+# (situation as above)
+client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
 ??? 220
 ehlo rhu6.barb
 ??? 250-
@@ -103,16 +106,20 @@ starttls
 mail from:<userx@test.ex>
 ??? 250
 rcpt to:<userx@test.ex>
-??? 550-
 ??? 550
 quit
 ??? 221
 ****
 killdaemon
-exim -DCRL=DIR/aux-fixed/crl.pem -DSERVER=server -bd -oX PORT_D
+#
+#
+#
+#
+exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
 ****
-# Good but revoked certificate, certificate required
-client-gnutls HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+### Otherwise good but revoked certificate, certificate required
+# GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
+client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
 ??? 220
 ehlo rhu7.barb
 ??? 250-
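Review bot: The case titled `### Bad certificate, certificate required` no longer exercises rejection of a bad client certificate: the comment added directly under it says the client presents no certificate at all, which makes this case observably the same as `### No certificate, certificate required` at the top of the script. If the expected log for the two cases is identical, a regression in rejecting an untrusted client certificate would go unnoticed, so the title should carry the caveat, e.g. `### Bad certificate (currently: no client cert is presented), certificate required`, with a TODO to use a client that offers the example.net certificate regardless of the server's CA list. The `(situation as above)` case in the next hunk, and the two `Bad certificate` cases in 2100-OpenSSL/2114 that switch to the same example.net fixtures without any caveat, deserve the same check, although whether client-ssl filters its certificate the same way cannot be told from this diff.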
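Review bot: The daemon for the revocation cases is started with `crl.v2.pem` here while the OpenSSL counterpart in 2100-OpenSSL/2114 uses `crl.chain.pem` for the same scenario, and the only explanation is the comment `GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain`, which reads as an observation rather than a documented guarantee. The fixture choice should be stated at the `-DCRL=` line so that nobody later harmonises the two scripts and silently changes what is tested, e.g. `# a leaf-only CRL suffices for GnuTLS; the OpenSSL variant (2114) needs the chain CRL`. If this is version-dependent it is worth a TODO as well, since a GnuTLS that starts demanding issuer CRLs would make this case fail for a reason unrelated to revocation. The four bare `+#` lines inserted above the exim line look like the intended place for such a comment.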
@@ -124,8 +131,8 @@ ehlo rhu7.barb
 starttls
 ??? 220
 ****
-# Revoked certificate, certificate optional at TLS time, reject at ACL time
-client-gnutls 127.0.0.1 PORT_D aux-fixed/cert1 aux-fixed/cert1
+### Revoked certificate, certificate optional at TLS time, reject at ACL time
+client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
 ??? 220
 ehlo rhu8.barb
 ??? 250-
@@ -139,9 +146,27 @@ starttls
 mail from:<userx@test.ex>
 ??? 250
 rcpt to:<userx@test.ex>
-??? 550-
 ??? 550
 quit
 ??? 221
 ****
+### Good certificate, certificate required - but nonmatching CRL also present
+client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<userx@test.ex>
+??? 250
+rcpt to:<userx@test.ex>
+??? 250
+quit
+??? 221
+****
 killdaemon
diff --git a/test/scripts/2100-OpenSSL/2114 b/test/scripts/2100-OpenSSL/2114
index 9ba0bf925..49598e366 100644
--- a/test/scripts/2100-OpenSSL/2114
+++ b/test/scripts/2100-OpenSSL/2114
@@ -1,7 +1,7 @@
 # TLS server: mandatory, optional, and revoked certificates
 exim -DSERVER=server -bd -oX PORT_D
 ****
-# No certificate, certificate required
+### No certificate, certificate required
 client-ssl HOSTIPV4 PORT_D
 ??? 220
 ehlo rhu.barb
@@ -14,7 +14,7 @@ ehlo rhu.barb
 starttls
 ??? 220
 ****
-# No certificate, certificate optional at TLS time, required by ACL
+### No certificate, certificate optional at TLS time, required by ACL
 client-ssl 127.0.0.1 PORT_D
 ??? 220
 ehlo rhu.barb
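Review bot: `nonmatching CRL` in the new case title is ambiguous: the daemon is still the one started with the example.com CA CRL in the previous case, and server1.example.com appears, going by the fixture path, to be issued by that same CA, so the CRL is the right one for the issuer — what it does not do is list this certificate. Saying that explicitly, e.g. `### Good certificate, certificate required - CRL loaded, this cert not listed in it`, lets the `??? 250` at rcpt be read as "CRL checking does not reject unlisted certificates" rather than as a CRL-from-another-issuer test. The identical title is added in 2100-OpenSSL/2114 and should be reworded the same way.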
@@ -35,8 +35,8 @@ rcpt to:<userx@test.ex>
 quit
 ??? 221
 ****
-# Good certificate, certificate required
-client-ssl HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+### Good certificate, certificate required
+client-ssl HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
 ??? 220
 ehlo rhu.barb
 ??? 250-
@@ -54,8 +54,8 @@ rcpt to:<userx@test.ex>
 quit
 ??? 221
 ****
-# Good certificate, certificate optional at TLS time, checked by ACL
-client-ssl 127.0.0.1 PORT_D aux-fixed/cert2 aux-fixed/cert2
+### Good certificate, certificate optional at TLS time, checked by ACL
+client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
 ??? 220
 ehlo rhu.barb
 ??? 250-
@@ -73,8 +73,8 @@ rcpt to:<userx@test.ex>
 quit
 ??? 221
 ****
-# Bad certificate, certificate required
-client-ssl HOSTIPV4 PORT_D aux-fixed/cert1 aux-fixed/cert1
+### Bad certificate, certificate required
+client-ssl HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
 ??? 220
 ehlo rhu.barb
 ??? 250-
@@ -86,8 +86,8 @@ ehlo rhu.barb
 starttls
 ??? 220
 ****
-# Bad certificate, certificate optional at TLS time, reject at ACL time
-client-ssl 127.0.0.1 PORT_D aux-fixed/cert1 aux-fixed/cert1
+### Bad certificate, certificate optional at TLS time, reject at ACL time
+client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
 ??? 220
 ehlo rhu.barb
 ??? 250-
@@ -101,16 +101,19 @@ starttls
 mail from:<userx@test.ex>
 ??? 250
 rcpt to:<userx@test.ex>
-??? 550-
 ??? 550
 quit
 ??? 221
 ****
 killdaemon
-exim -DCRL=DIR/aux-fixed/crl.pem -DSERVER=server -bd -oX PORT_D
+#
+#
+#
+#
+exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.chain.pem -DSERVER=server -bd -oX PORT_D
 ****
-# Good but revoked certificate, certificate required
-client-ssl HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+### Otherwise good but revoked certificate, certificate required
+client-ssl HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
 ??? 220
 ehlo rhu.barb
 ??? 250-
@@ -122,8 +125,8 @@ ehlo rhu.barb
 starttls
 ??? 220
 ****
-# Revoked certificate, certificate optional at TLS time, reject at ACL time
-client-ssl 127.0.0.1 PORT_D aux-fixed/cert1 aux-fixed/cert1
+### Revoked certificate, certificate optional at TLS time, reject at ACL time
+client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
 ??? 220
 ehlo rhu.barb
 ??? 250-
@@ -137,9 +140,27 @@ starttls
 mail from:<userx@test.ex>
 ??? 250
 rcpt to:<userx@test.ex>
-??? 550-
 ??? 550
 quit
 ??? 221
 ****
+### Good certificate, certificate required - but nonmatching CRL also present
+client-ssl HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<userx@test.ex>
+??? 250
+rcpt to:<userx@test.ex>
+??? 250
+quit
+??? 221
+****
 killdaemon
diff --git a/test/scripts/4500-DKIM/4504 b/test/scripts/4500-DKIM/4504
new file mode 100644
index 000000000..5de9e7948
--- /dev/null
+++ b/test/scripts/4500-DKIM/4504
@@ -0,0 +1,45 @@
+# DKIM verify, sha512
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+#
+# This should pass, only Mail::DKIM::Signer does not handle rsa-sha512.
+# - sha512, 1024b
+# Mail original in aux-fixed/4500.msg1.txt
+# Sig generated by: perl aux-fixed/dkim/sign.pl --algorithm=rsa-sha512 \
+# --method=simple/simple < aux-fixed/4500.msg1.txt
+#
+# TODO - until we have that we can only test internal consistency,
+# signing vs. verification.
+#
+client 127.0.0.1 PORT_D
+??? 220
+HELO xxx
+??? 250
+MAIL FROM:<CALLER@bloggs.com>
+??? 250
+RCPT TO:<a@test.ex>
+??? 250
+DATA
+??? 354
+DKIM-Signature: v=1; a=rsa-sha512; c=simple/simple; d=test.ex; h=from:to
+ :date:message-id:subject; s=sel2; bh=3UbbJTudPxmejzh7U1Zg33U3QT+1
+ 6kfV2eOTvMeiEis=; b=xQSD/JMqz0C+xKf0A1NTkPTbkDuDdJbpBuyjjT9iYvyP
+ Zez+xl0TkoPobFGVa6EN8+ZeYV18zjifhtWYLSsNmPinUtcpKQLG1zxAKmmS0JEh
+ +qihlWbeGJ5+tK588ugUzXHPj+4JBW0H6kxHvdH0l2SlQE5xs/cdggnx5QX5USY=
+From: mrgus@text.ex
+To: bakawolf@yahoo.com
+Date: Thu, 19 Nov 2015 17:00:07 -0700
+Message-ID: <qwerty1234@disco-zombie.net>
+Subject: simple test
+
+This is a simple test.
+.
+??? 250
+QUIT
+??? 221
+****
+#
+killdaemon
+no_stdout_check
+no_msglog_check
diff --git a/test/scripts/5650-OCSP-GnuTLS/5652 b/test/scripts/5650-OCSP-GnuTLS/5652
new file mode 100644
index 000000000..4a33ea862
--- /dev/null
+++ b/test/scripts/5650-OCSP-GnuTLS/5652
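Review bot: The header comment never states what verification outcome the committed fixture is expected to produce. It says both `This should pass` and that `Mail::DKIM::Signer does not handle rsa-sha512` so only `internal consistency` can be tested, and a reader cannot tell whether the expected log records a successful verification of this `b=` value or a failure that is being tolerated; with `no_stdout_check` and `no_msglog_check` set, the main log is, as far as this script shows, the only oracle. One explicit line would settle it, e.g. `# Expected: verification succeeds (signature comes from Exim's own signer, so a bug shared by signer and verifier would not be caught)`, adjusted to whatever the expected output actually records. The `From: mrgus@text.ex` domain differs from `d=test.ex`; since `from` is in the signed header list it cannot be changed without re-signing, but a note that this is deliberate would stop someone "fixing" it.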
@@ -0,0 +1,37 @@
+# OCSP stapling, server, multiple certs
+#
+#
+#
+exim -z '1: Server sends good staple on request, to client requiring RSA auth'
+****
+#
+exim -bd -oX PORT_D -DSERVER=server
+****
+exim -odf \
+ -DOPT=NONE:+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 \
+ -DCERT=DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \
+ rsa.auth@test.ex
+Subject: test
+
+.
+****
+killdaemon
+#
+#
+#
+#
+exim -z '2: Server sends good staple on request, to client preferring ECDSA auth'
+****
+#
+exim -bd -oX PORT_D -DSERVER=server
+****
+exim -odf \
+ -DOPT=NONE:+SIGN-ECDSA-SHA512:+VERS-TLS-ALL:+KX-ALL:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 \
+ -DCERT=DIR/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/ca_chain.pem \
+ ecdsa.auth@test.ex
+Subject: test
+
+.
+****
+killdaemon
+no_msglog_check
diff --git a/test/scripts/5820-DANE-GnuTLS/5820 b/test/scripts/5820-DANE-GnuTLS/5820
index 07ad7406d..84684da53 100644
--- a/test/scripts/5820-DANE-GnuTLS/5820
+++ b/test/scripts/5820-DANE-GnuTLS/5820
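Review bot: The second scenario is labelled `preferring ECDSA auth`, but the priority string on its `-DOPT=` line admits `+SIGN-ECDSA-SHA512` as the only signature algorithm, which — if I read GnuTLS priority strings correctly — leaves the server no RSA option and makes this a "requiring" case like the first. Either the `-z` label should say `requiring ECDSA auth`, or, if a preference was intended, an RSA signature algorithm should be listed after the ECDSA one; as written the title and the client configuration disagree, and the "multiple certs" selection is exercised only as a hard constraint. A short comment above each `-DOPT=` line saying which server certificate the string is meant to force would make the two cases self-explaining.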
@@ -1,14 +1,106 @@
 # DANE client: general
 #
-gnutls
-#
-exim -DSERVER=server -bd -oX PORT_D
+exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
+****
+### TLSA (3 1 1)
+exim -odq CALLER@dane256ee.test.ex
+Testing
 ****
-exim CALLER@test.ex
+### TLSA (3 1 2)
+exim -odq CALLER@mxdane512ee.test.ex
 Testing
 ****
 exim -qf
 ****
+#
+#
+### Recipient callout
+exim -DOPT=callout -bhc 127.0.0.1
+MAIL FROM: <CALLER@myhost.test.ex>
+RCPT TO: <rcptuser@dane256ee.test.ex>
+****
+killdaemon
+#
+#
+exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D
+****
+### TLSA (2 0 1)
+exim -odf CALLER@mxdane256ta.test.ex
+Testing
+****
+killdaemon
+#
+#
+### A server with a nonverifying cert and no TLSA
+# Check we get a non-CV but TLS connection, with try_dane but no require_dane
+exim -DSERVER=server -DDETAILS=no -bd -oX PORT_D
+****
+exim -odf CALLER@thishost.test.ex
+Testing
+****
 killdaemon
-exim -DSERVER=server -DNOTDAEMON -qf
+#
+### A server with a verifying cert and no TLSA
+# Check we get a CV and TLS connection, with try_dane but no require_dane
+exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
+****
+exim -odf CALLER@thishost.test.ex
+Testing
+****
+exim -DOPT=no_certname -qf
+****
+killdaemon
+#
+#
+exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
+****
+### A server with two MXs for which both TLSA lookups return defer (delivery should defer)
+exim -odq CALLER@mxdanelazy.test.ex
+Testing
+****
+### A server lacking a TLSA, dane required (should fail)
+exim -odq CALLER@dane.no.1.test.ex
+Testing
+****
+### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC)
+exim -odq CALLER@dane.no.2.test.ex
+Testing
+****
+### A server where the A is dnssec and the TLSA lookup _fails_ (delivery should defer)
+exim -odq CALLER@danebroken1.test.ex
+Testing
+****
+### A server securely saying "no TLSA records here", dane required (delivery should fail)
+exim -odq CALLER@dane.no.3.test.ex
+Testing
+****
+### A server securely saying "no TLSA records here", dane requested only (should deliver)
+exim -odq CALLER@dane.no.4.test.ex
+Testing
+****
+exim -qf
 ****
+#
+### A server securely serving a wrong TLSA record, dane requested only (delivery should fail)
+exim -odf CALLER@danebroken2.test.ex
+Testing
+****
+### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE)
+exim -odf CALLER@danebroken3.test.ex
+Testing
+****
+### A server insecurely serving a good TLSA record, dane required (delivery should fail)
+exim -odf CALLER@danebroken4.test.ex
+Testing
+****
+### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE)
+exim -odf CALLER@danebroken5.test.ex
+Testing
+****
+### A server insecurely serving a good A record, dane required (delivery should fail)
+exim -odf CALLER@danebroken6.test.ex
+Testing
+****
+#
+killdaemon
+no_msglog_check
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
index 142a25ad4..7d86621cc 100644
--- a/test/scripts/5840-DANE-OpenSSL/5840
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -25,10 +25,17 @@ killdaemon
 exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D
 ****
 ### TLSA (2 0 1)
-exim -odq CALLER@mxdane256ta.test.ex
+exim -odf CALLER@mxdane256ta.test.ex
 Testing
 ****
-exim -qf
+killdaemon
+#
+# OpenSSL-specific regression testcase: certificate having Authority Key ID extension
+exim -DSERVER=server -DCERT=DIR/aux-fixed/exim-ca/example.com/server2.example.com/fullchain.pem -DALLOW=DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key -bd -oX PORT_D
+****
+### TLSA (2 1 1)
+exim -odf CALLER@mxdane256tak.test.ex
+Testing
 ****
 killdaemon
 #
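Review bot: The case list added here duplicates, case for case and wording for wording, the list in 5840-DANE-OpenSSL/5840 touched by the same commit, yet nothing in either script says the two are meant to stay in step. A one-line header in both, e.g. `# Case list mirrors 5840-DANE-OpenSSL/5840; keep the two in step`, would make a future divergence deliberate rather than accidental, which matters because each case title is the only statement of the intended DANE outcome (deliver, deliver non-DANE, defer, fail). Separately, the old `gnutls` line at the top is dropped; if that was the harness's library-requirement marker, confirm that the directory name alone ensures this script only runs against a GnuTLS build.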
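Review bot: The new `# OpenSSL-specific regression testcase: certificate having Authority Key ID extension` names the trigger but not the failure it guards against, so a later log difference on the `### TLSA (2 1 1)` case cannot be judged from the script alone. State the expected outcome and, if one exists, the bug or commit reference, e.g. `# ... Authority Key ID extension: with a (2 1 1) TLSA record the chain must still verify and delivery must succeed (regression: <bug-or-commit-id>)`. Also, `-DALLOW=` is given a private-key path on the new daemon line, which is an unexpected name for a key; if the server configuration's macro really is called ALLOW, a word on why would spare the next reader a trip into the config.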
@@ -36,18 +43,16 @@ killdaemon
 # Check we get a non-CV but TLS connection, with try_dane but no require_dane
 exim -DSERVER=server -DDETAILS=no -bd -oX PORT_D
 ****
-exim -odq CALLER@thishost.test.ex
+exim -odf CALLER@thishost.test.ex
 Testing
 ****
-exim -qf
-****
 killdaemon
 #
 ### A server with a verifying cert and no TLSA
 # Check we get a CV and TLS connection, with try_dane but no require_dane
 exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
 ****
-exim -odq CALLER@thishost.test.ex
+exim -odf CALLER@thishost.test.ex
 Testing
 ****
 exim -DOPT=no_certname -qf
@@ -57,7 +62,7 @@ killdaemon
 #
 exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
 ****
-### A server with two MXs for which both TLSA lookups return defer
+### A server with two MXs for which both TLSA lookups return defer (delivery should defer)
 exim -odq CALLER@mxdanelazy.test.ex
 Testing
 ****
@@ -65,23 +70,45 @@ Testing
 exim -odq CALLER@dane.no.1.test.ex
 Testing
 ****
-### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC)
+### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC)
 exim -odq CALLER@dane.no.2.test.ex
 Testing
 ****
-### A server where the A is dnssec and the TLSA _fails_
+### A server where the A is dnssec and the TLSA lookup _fails_ (delivery should defer)
 exim -odq CALLER@danebroken1.test.ex
 Testing
 ****
-### A server securely saying "no TLSA records here", dane required (should fail)
+### A server securely saying "no TLSA records here", dane required (delivery should fail)
 exim -odq CALLER@dane.no.3.test.ex
 Testing
 ****
-### A server securely saying "no TLSA records here", dane requested only (should transmit)
+### A server securely saying "no TLSA records here", dane requested only (should deliver)
 exim -odq CALLER@dane.no.4.test.ex
 Testing
 ****
 exim -qf
 ****
+#
+### A server securely serving a wrong TLSA record, dane requested only (delivery should fail)
+exim -odf CALLER@danebroken2.test.ex
+Testing
+****
+### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE)
+exim -odf CALLER@danebroken3.test.ex
+Testing
+****
+### A server insecurely serving a good TLSA record, dane required (delivery should fail)
+exim -odf CALLER@danebroken4.test.ex
+Testing
+****
+### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE)
+exim -odf CALLER@danebroken5.test.ex
+Testing
+****
+### A server insecurely serving a good A record, dane required (delivery should fail)
+exim -odf CALLER@danebroken6.test.ex
+Testing
+****
+#
 killdaemon
 no_msglog_check