summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--test/dnszones-src/db.test.ex12
-rw-r--r--test/log/584012
-rw-r--r--test/scripts/5840-DANE-OpenSSL/584015
-rw-r--r--test/src/fakens.c16
-rw-r--r--test/stderr/58404
-rw-r--r--test/stdout/58404
6 files changed, 53 insertions, 10 deletions
diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex
index 50bd6b073..f7c9e313b 100644
--- a/test/dnszones-src/db.test.ex
+++ b/test/dnszones-src/db.test.ex
@@ -461,7 +461,8 @@ DNSSEC danelazy2 A 127.0.0.1
DNSSEC _1225._tcp.danelazy CNAME test.again.dns.
DNSSEC _1225._tcp.danelazy2 CNAME test.again.dns.
-; hosts with no TLSA
+; hosts with no TLSA (just missing here, hence the TLSA NXDMAIN is _insecure_; a broken dane config)
+; 1 for dane-required, 2 for merely requested
DNSSEC dane.no.1 A HOSTIPV4
DNSSEC dane.no.2 A 127.0.0.1
@@ -469,6 +470,15 @@ DNSSEC dane.no.2 A 127.0.0.1
DNSSEC danebroken1 A 127.0.0.1
_1225._tcp.danebroken1 CNAME test.fail.dns.
+; a good dns config saying there is no dane support, by securely returning NOXDOMAIN for TLSA lookups
+; 3 for dane-required, 4 for merely requested
+; the TLSA data here is dummy; ignored
+DNSSEC dane.no.3 A HOSTIPV4
+DNSSEC dane.no.4 A 127.0.0.1
+
+DNSSEC NXDOMAIN _1225._tcp.dane.no.3 TLSA 2 0 1 eec923139018c540a344c5191660ecba1ac3708525a98bfc338e17f31d3fa741
+DNSSEC NXDOMAIN _1225._tcp.dane.no.4 TLSA 2 0 1 eec923139018c540a344c5191660ecba1ac3708525a98bfc338e17f31d3fa741
+
; ------- Testing delays ------------
DELAY=500 delay500 A HOSTIPV4
diff --git a/test/log/5840 b/test/log/5840
index d02a4c7d7..b2f949009 100644
--- a/test/log/5840
+++ b/test/log/5840
@@ -27,6 +27,8 @@
1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.1.test.ex
1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.2.test.ex
1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken1.test.ex
+1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.3.test.ex
+1999-03-02 09:44:33 10HmbM-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.4.test.ex
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy.test.ex [ip4.ip4.ip4.ip4]: DANE error: tlsa lookup DEFER
1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER
@@ -38,6 +40,13 @@
1999-03-02 09:44:33 10HmbJ-0005vi-00 == CALLER@dane.no.2.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER
1999-03-02 09:44:33 10HmbK-0005vi-00 H=danebroken1.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER
1999-03-02 09:44:33 10HmbK-0005vi-00 == CALLER@danebroken1.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER
+1999-03-02 09:44:33 10HmbL-0005vi-00 ** CALLER@dane.no.3.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL
+1999-03-02 09:44:33 10HmbL-0005vi-00 CALLER@dane.no.3.test.ex: error ignored
+1999-03-02 09:44:33 10HmbL-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbM-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmbM-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="dane.no.4.test.ex"
+1999-03-02 09:44:33 10HmbM-0005vi-00 => CALLER@dane.no.4.test.ex R=client T=send_to_server H=dane.no.4.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbN-0005vi-00"
+1999-03-02 09:44:33 10HmbM-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
******** SERVER ********
@@ -61,3 +70,6 @@
1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: <CALLER@thishost.test.ex> R=server
1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmbN-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbM-0005vi-00@myhost.test.ex for CALLER@dane.no.4.test.ex
+1999-03-02 09:44:33 10HmbN-0005vi-00 => :blackhole: <CALLER@dane.no.4.test.ex> R=server
+1999-03-02 09:44:33 10HmbN-0005vi-00 Completed
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
index fdff36119..142a25ad4 100644
--- a/test/scripts/5840-DANE-OpenSSL/5840
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -73,13 +73,14 @@ Testing
exim -odq CALLER@danebroken1.test.ex
Testing
****
-# ### A server securely saying "no TLSA records here", dane required (should fail)
-# exim -odq CALLER@dane.no.3.test.ex
-# Testing
-# ### A server securely saying "no TLSA records here", dane requested only (should transmit)
-# exim -odq CALLER@dane.no.4.test.ex
-# Testing
-# ****
+### A server securely saying "no TLSA records here", dane required (should fail)
+exim -odq CALLER@dane.no.3.test.ex
+Testing
+****
+### A server securely saying "no TLSA records here", dane requested only (should transmit)
+exim -odq CALLER@dane.no.4.test.ex
+Testing
+****
exim -qf
****
killdaemon
diff --git a/test/src/fakens.c b/test/src/fakens.c
index 34f5ea670..583b01282 100644
--- a/test/src/fakens.c
+++ b/test/src/fakens.c
@@ -53,11 +53,15 @@ HOST_NOT_FOUND.
Any DNS record line in a zone file can be prefixed with "DELAY=" and
a number of milliseconds (followed by one space).
-Any DNS record line in a zone file can be prefixed with "DNSSEC ";
+Any DNS record line can be prefixed with "DNSSEC ";
if all the records found by a lookup are marked
as such then the response will have the "AD" bit set.
-Any DNS record line in a zone file can be prefixed with "AA "
+Any DNS record line can be prefixed with "NXDOMAIN ";
+The record will be ignored (but the prefix set still applied);
+This lets us return a DNSSEC NXDOMAIN.
+
+Any DNS record line can be prefixed with "AA "
if all the records found by a lookup are marked
as such then the response will have the "AA" bit set.
@@ -354,6 +358,7 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL)
int qtlen = qtypelen;
BOOL rr_sec = FALSE;
BOOL rr_aa = FALSE;
+ BOOL rr_ignore = FALSE;
int delay = 0;
uint ttl = DEFAULT_TTL;
@@ -379,6 +384,11 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL)
rr_sec = TRUE;
p += 7;
}
+ if (Ustrncmp(p, US"NXDOMAIN ", 9) == 0) /* ignore record content */
+ {
+ rr_ignore = TRUE;
+ p += 9;
+ }
else if (Ustrncmp(p, US"AA ", 3) == 0) /* tagged as authoritative */
{
rr_aa = TRUE;
@@ -464,6 +474,8 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL)
if (aa && !rr_aa)
*aa = FALSE; /* cancel AA return */
+ if (rr_ignore) continue;
+
yield = 0;
*countptr = *countptr + 1;
diff --git a/test/stderr/5840 b/test/stderr/5840
index 75f938ab4..5ccf7cda0 100644
--- a/test/stderr/5840
+++ b/test/stderr/5840
@@ -73,6 +73,8 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1]
### A server lacking a TLSA, dane required (should fail)
### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC)
### A server where the A is dnssec and the TLSA _fails_
+### A server securely saying "no TLSA records here", dane required (should fail)
+### A server securely saying "no TLSA records here", dane requested only (should transmit)
******** SERVER ********
### TLSA (3 1 1)
@@ -85,3 +87,5 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1]
### A server lacking a TLSA, dane required (should fail)
### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC)
### A server where the A is dnssec and the TLSA _fails_
+### A server securely saying "no TLSA records here", dane required (should fail)
+### A server securely saying "no TLSA records here", dane requested only (should transmit)
diff --git a/test/stdout/5840 b/test/stdout/5840
index 5071e7de5..32425d2e2 100644
--- a/test/stdout/5840
+++ b/test/stdout/5840
@@ -17,6 +17,8 @@
### A server lacking a TLSA, dane required (should fail)
### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC)
### A server where the A is dnssec and the TLSA _fails_
+### A server securely saying "no TLSA records here", dane required (should fail)
+### A server securely saying "no TLSA records here", dane requested only (should transmit)
******** SERVER ********
### TLSA (3 1 1)
@@ -29,3 +31,5 @@
### A server lacking a TLSA, dane required (should fail)
### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC)
### A server where the A is dnssec and the TLSA _fails_
+### A server securely saying "no TLSA records here", dane required (should fail)
+### A server securely saying "no TLSA records here", dane requested only (should transmit)