Testsuite: client script faciility for handling optional reponses

Use this to deal with fallout from TLS negotiation failure, where the
server sees leftover encrypted data as garbage commands.

4 files changed, 64 insertions, 17 deletions

diff --git a/test/README b/test/README
index f4eeddbb4..5b3a86966 100644
--- a/test/README
+++ b/test/README
@@ -1023,18 +1023,27 @@ Lines in client scripts are of several kinds:
     line defines the start of expected output from the server. If what is
     received does not match, the client bombs out with an error message.
 
-(2) If a line starts with three plus signs followed by a space, the rest of the
+(2) If a line begins with three question marks and an asterisk, the server
+    is expected to close the connection.
+
+(3) If a line begins with four question marks, the rest of the line defines
+    the start of one or more possible output lines from the server.  When it
+    matches, the client silently repeats the comparison using the next server
+    line.  When the match fails, the client silently proceeds to the next script
+    line with the then-current server output unconsumed.
+
+(4) If a line starts with three plus signs followed by a space, the rest of the
     line specifies a number of seconds to sleep for before proceeding.
 
-(3) If a line begins with three '>' characters and a space, the rest of the
+(5) If a line begins with three '>' characters and a space, the rest of the
     line is input to be sent to the server.  Backslash escaping is done as
     described below, but no trailing "\r\n" is sent.
 
-(4) If a line begin with three '<' characters and a space, the rest of the
+(6) If a line begin with three '<' characters and a space, the rest of the
     line is a filename; the content of the file is inserted intto the script
     at this point.
 
-(5) Otherwise, the line is an input line line that is sent to the server. Any
+(7) Otherwise, the line is an input line line that is sent to the server. Any
     occurrences of \r and \n in the line are turned into carriage return and
     linefeed, respectively. This is used for testing PIPELINING.
     Any sequences of \x followed by two hex digits are converted to the equvalent
diff --git a/test/scripts/2100-OpenSSL/2114 b/test/scripts/2100-OpenSSL/2114
index 49598e366..cc78ab0fb 100644
--- a/test/scripts/2100-OpenSSL/2114
+++ b/test/scripts/2100-OpenSSL/2114
@@ -13,6 +13,12 @@ ehlo rhu.barb
 ??? 250
 starttls
 ??? 220
+noop
+??? 554 Security failure
+quit
+????554 Security failure
+??? 221
+???*
 ****
 ### No certificate, certificate optional at TLS time, required by ACL
 client-ssl 127.0.0.1 PORT_D
@@ -85,6 +91,8 @@ ehlo rhu.barb
 ??? 250
 starttls
 ??? 220
+noop
+??? 554 Security failure
 ****
 ### Bad certificate, certificate optional at TLS time, reject at ACL time
 client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
@@ -124,6 +132,8 @@ ehlo rhu.barb
 ??? 250
 starttls
 ??? 220
+noop
+??? 554 Security failure
 ****
 ### Revoked certificate, certificate optional at TLS time, reject at ACL time
 client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
diff --git a/test/src/client.c b/test/src/client.c
index eef82ef57..5b998e269 100644
--- a/test/src/client.c
+++ b/test/src/client.c
@@ -553,32 +553,32 @@ while (fgets(CS outbuffer, sizeof(outbuffer), f) != NULL)
   /* Expect incoming */
 
   if (  strncmp(CS outbuffer, "???", 3) == 0
-     && (outbuffer[3] == ' ' || outbuffer[3] == '*')
+     && (outbuffer[3] == ' ' || outbuffer[3] == '*' || outbuffer[3] == '?')
      )
     {
     unsigned char *lineptr;
     unsigned exp_eof = outbuffer[3] == '*';
+    unsigned resp_optional = outbuffer[3] == '?';
 
     printf("%s\n", outbuffer);
     n = unescape_buf(outbuffer, n);
 
+nextinput:
     if (*inptr == 0)   /* Refill input buffer */
       {
+      alarm(timeout);
       if (srv->tls_active)
         {
         #ifdef HAVE_OPENSSL
-        rc = SSL_read (srv->ssl, inbuffer, bsiz - 1);
+        rc = SSL_read(srv->ssl, inbuffer, bsiz - 1);
         #endif
         #ifdef HAVE_GNUTLS
         rc = gnutls_record_recv(tls_session, CS inbuffer, bsiz - 1);
         #endif
         }
       else
-        {
-        alarm(timeout);
         rc = read(srv->sock, inbuffer, bsiz);
-        alarm(0);
-        }
+      alarm(0);
 
       if (rc < 0)
 	{
@@ -618,19 +618,31 @@ while (fgets(CS outbuffer, sizeof(outbuffer), f) != NULL)
       if (*inptr == '\n') inptr++;
       }
 
-    printf("<<< %s\n", lineptr);
     if (strncmp(CS lineptr, CS outbuffer + 4, n - 4) != 0)
-      {
-      printf("\n******** Input mismatch ********\n");
-      exit(79);
-      }
+      if (resp_optional)
+	{
+	inptr = lineptr;	/* consume scriptline, not inputline */
+	continue;
+	}
+      else
+	{
+	printf("<<< %s\n", lineptr);
+	printf("\n******** Input mismatch ********\n");
+	exit(79);
+	}
+
+    /* input matched script */
+
+    if (resp_optional)
+      goto nextinput;		/* consume inputline, not scriptline */
+
+    printf("<<< %s\n", lineptr);
 
     #ifdef HAVE_TLS
     if (srv->sent_starttls)
       {
       if (lineptr[0] == '2')
         {
-int rc;
 	unsigned int verify;
 
         printf("Attempting to start TLS\n");
@@ -1219,7 +1231,8 @@ do_file(&srv, stdin, timeout, inbuffer, sizeof(inbuffer), inptr);
 
 printf("End of script\n");
 shutdown(srv.sock, SHUT_WR);
-while (read(srv.sock, inbuffer, sizeof(inbuffer)) > 0) ;
+if (fcntl(srv.sock, F_SETFL, O_NONBLOCK) == 0)
+  while (read(srv.sock, inbuffer, sizeof(inbuffer)) > 0) ;
 close(srv.sock);
 
 exit(0);
diff --git a/test/stdout/2114 b/test/stdout/2114
index c3fa9ce98..2a26dd128 100644
--- a/test/stdout/2114
+++ b/test/stdout/2114
@@ -21,6 +21,15 @@ Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
 Attempting to start TLS
 pppp:error:dddddddd:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:[...]:SSL alert number 40
 Failed to start TLS
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
+>>> quit
+????554 Security failure
+??? 221
+<<< 221 myhost.test.ex closing connection
+???*
+Expected EOF read
 End of script
 ### No certificate, certificate optional at TLS time, required by ACL
 Connecting to 127.0.0.1 port 1225 ... connected
@@ -153,6 +162,9 @@ Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net
 Attempting to start TLS
 pppp:error:dddddddd:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:[...]:SSL alert number 48
 Failed to start TLS
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
 End of script
 ### Bad certificate, certificate optional at TLS time, reject at ACL time
 Connecting to 127.0.0.1 port 1225 ... connected
@@ -214,6 +226,9 @@ Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.c
 Attempting to start TLS
 pppp:error:dddddddd:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked:[...]:SSL alert number 44
 Failed to start TLS
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
 End of script
 ### Revoked certificate, certificate optional at TLS time, reject at ACL time
 Connecting to 127.0.0.1 port 1225 ... connected