Diffstat (limited to 'test/scripts')
-rw-r--r--test/scripts/2000-GnuTLS/201459
-rw-r--r--test/scripts/2100-OpenSSL/211455
-rw-r--r--test/scripts/4500-DKIM/450445
-rw-r--r--test/scripts/5650-OCSP-GnuTLS/565237
-rw-r--r--test/scripts/5820-DANE-GnuTLS/5820102
-rw-r--r--test/scripts/5840-DANE-OpenSSL/584049
6 files changed, 297 insertions, 50 deletions
diff --git a/test/scripts/2000-GnuTLS/2014 b/test/scripts/2000-GnuTLS/2014
index c5a01494a..1e12b4ef5 100644
--- a/test/scripts/2000-GnuTLS/2014
+++ b/test/scripts/2000-GnuTLS/2014
@@ -3,7 +3,7 @@ gnutls
munge gnutls_unexpected
exim -DSERVER=server -bd -oX PORT_D
****
-# No certificate, certificate required
+### No certificate, certificate required
client-gnutls HOSTIPV4 PORT_D
??? 220
ehlo rhu1.barb
@@ -16,7 +16,7 @@ ehlo rhu1.barb
starttls
??? 220
****
-# No certificate, certificate optional at TLS time, required by ACL
+### No certificate, certificate optional at TLS time, required by ACL
client-gnutls 127.0.0.1 PORT_D
??? 220
ehlo rhu2.barb
@@ -37,8 +37,8 @@ rcpt to:<userx@test.ex>
quit
??? 221
****
-# Good certificate, certificate required
-client-gnutls HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+### Good certificate, certificate required
+client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu3.barb
??? 250-
@@ -56,8 +56,8 @@ rcpt to:<userx@test.ex>
quit
??? 221
****
-# Good certificate, certificate optional at TLS time, checked by ACL
-client-gnutls 127.0.0.1 PORT_D aux-fixed/cert2 aux-fixed/cert2
+### Good certificate, certificate optional at TLS time, checked by ACL
+client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu4.barb
??? 250-
@@ -75,8 +75,10 @@ rcpt to:<userx@test.ex>
quit
??? 221
****
-# Bad certificate, certificate required
-client-gnutls HOSTIPV4 PORT_D aux-fixed/cert1 aux-fixed/cert1
+### Bad certificate, certificate required
+# Actually this test does not have the client presenting a cert at all, as it filters what it has
+# by the options offered by the server first. So it's not a good testcase.
+client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 220
ehlo rhu5.barb
??? 250-
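Review bot: The heading on the rhu5 case still reads `### Bad certificate, certificate required`, yet the comment added directly beneath it says the client ends up presenting no certificate at all, so under GnuTLS this case appears to exercise the same server path as the "No certificate" case at the top of the script. That leaves rejection of a certificate from an untrusted issuer without coverage in this file, and the following hunk (rhu6, `# (situation as above)`) has the same gap. I would make that visible in the heading rather than only in the comment, e.g. `### Bad certificate (not actually sent by client-gnutls), certificate required`, and add `# TODO: needs a client that presents the cert regardless of the server's CA list`. The test body continues past the end of this hunk.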
@@ -88,8 +90,9 @@ ehlo rhu5.barb
starttls
??? 220
****
-# Bad certificate, certificate optional at TLS time, reject at ACL time
-client-gnutls 127.0.0.1 PORT_D aux-fixed/cert1 aux-fixed/cert1
+### Bad certificate, certificate optional at TLS time, reject at ACL time
+# (situation as above)
+client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 220
ehlo rhu6.barb
??? 250-
@@ -103,16 +106,20 @@ starttls
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
-??? 550-
??? 550
quit
??? 221
****
killdaemon
-exim -DCRL=DIR/aux-fixed/crl.pem -DSERVER=server -bd -oX PORT_D
+#
+#
+#
+#
+exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
****
-# Good but revoked certificate, certificate required
-client-gnutls HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+### Otherwise good but revoked certificate, certificate required
+# GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
+client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu7.barb
??? 250-
@@ -124,8 +131,8 @@ ehlo rhu7.barb
starttls
??? 220
****
-# Revoked certificate, certificate optional at TLS time, reject at ACL time
-client-gnutls 127.0.0.1 PORT_D aux-fixed/cert1 aux-fixed/cert1
+### Revoked certificate, certificate optional at TLS time, reject at ACL time
+client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu8.barb
??? 250-
@@ -139,9 +146,27 @@ starttls
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
-??? 550-
??? 550
quit
??? 221
****
+### Good certificate, certificate required - but nonmatching CRL also present
+client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<userx@test.ex>
+??? 250
+rcpt to:<userx@test.ex>
+??? 250
+quit
+??? 221
+****
killdaemon
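Review bot: The added case uses `ehlo rhu.barb`, while every other case in this script uses a numbered name (`rhu1.barb` through `rhu8.barb` in the surrounding hunks). The numbered HELO names are what let a log line be attributed to one case, which matters here because this is the only case that must be accepted while a CRL is loaded. I would change the line to `ehlo rhu9.barb`; any stored reference log that records the HELO name would need the same change.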
diff --git a/test/scripts/2100-OpenSSL/2114 b/test/scripts/2100-OpenSSL/2114
index 9ba0bf925..49598e366 100644
--- a/test/scripts/2100-OpenSSL/2114
+++ b/test/scripts/2100-OpenSSL/2114
@@ -1,7 +1,7 @@
# TLS server: mandatory, optional, and revoked certificates
exim -DSERVER=server -bd -oX PORT_D
****
-# No certificate, certificate required
+### No certificate, certificate required
client-ssl HOSTIPV4 PORT_D
??? 220
ehlo rhu.barb
@@ -14,7 +14,7 @@ ehlo rhu.barb
starttls
??? 220
****
-# No certificate, certificate optional at TLS time, required by ACL
+### No certificate, certificate optional at TLS time, required by ACL
client-ssl 127.0.0.1 PORT_D
??? 220
ehlo rhu.barb
@@ -35,8 +35,8 @@ rcpt to:<userx@test.ex>
quit
??? 221
****
-# Good certificate, certificate required
-client-ssl HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+### Good certificate, certificate required
+client-ssl HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
@@ -54,8 +54,8 @@ rcpt to:<userx@test.ex>
quit
??? 221
****
-# Good certificate, certificate optional at TLS time, checked by ACL
-client-ssl 127.0.0.1 PORT_D aux-fixed/cert2 aux-fixed/cert2
+### Good certificate, certificate optional at TLS time, checked by ACL
+client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
@@ -73,8 +73,8 @@ rcpt to:<userx@test.ex>
quit
??? 221
****
-# Bad certificate, certificate required
-client-ssl HOSTIPV4 PORT_D aux-fixed/cert1 aux-fixed/cert1
+### Bad certificate, certificate required
+client-ssl HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
@@ -86,8 +86,8 @@ ehlo rhu.barb
starttls
??? 220
****
-# Bad certificate, certificate optional at TLS time, reject at ACL time
-client-ssl 127.0.0.1 PORT_D aux-fixed/cert1 aux-fixed/cert1
+### Bad certificate, certificate optional at TLS time, reject at ACL time
+client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
@@ -101,16 +101,19 @@ starttls
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
-??? 550-
??? 550
quit
??? 221
****
killdaemon
-exim -DCRL=DIR/aux-fixed/crl.pem -DSERVER=server -bd -oX PORT_D
+#
+#
+#
+#
+exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.chain.pem -DSERVER=server -bd -oX PORT_D
****
-# Good but revoked certificate, certificate required
-client-ssl HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+### Otherwise good but revoked certificate, certificate required
+client-ssl HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
@@ -122,8 +125,8 @@ ehlo rhu.barb
starttls
??? 220
****
-# Revoked certificate, certificate optional at TLS time, reject at ACL time
-client-ssl 127.0.0.1 PORT_D aux-fixed/cert1 aux-fixed/cert1
+### Revoked certificate, certificate optional at TLS time, reject at ACL time
+client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
@@ -137,9 +140,27 @@ starttls
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
-??? 550-
??? 550
quit
??? 221
****
+### Good certificate, certificate required - but nonmatching CRL also present
+client-ssl HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<userx@test.ex>
+??? 250
+rcpt to:<userx@test.ex>
+??? 250
+quit
+??? 221
+****
killdaemon
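Review bot: The heading `### Good certificate, certificate required - but nonmatching CRL also present` does not say in what sense the CRL is nonmatching. Judging by the paths, the daemon started earlier in this file loads `example.com/CA/crl.chain.pem` and the client certificate is `server1.example.com` from the same tree, so the case seems to be "same-issuer CRL that does not list this certificate" rather than "CRL from an unrelated issuer"; those are different checks. I would word it as `### Good certificate, certificate required - CRL loaded, certificate not listed in it`. The same heading is added to test/scripts/2000-GnuTLS/2014.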
diff --git a/test/scripts/4500-DKIM/4504 b/test/scripts/4500-DKIM/4504
new file mode 100644
index 000000000..5de9e7948
--- /dev/null
+++ b/test/scripts/4500-DKIM/4504
@@ -0,0 +1,45 @@
+# DKIM verify, sha512
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+#
+# This should pass, only Mail::DKIM::Signer does not handle rsa-sha512.
+# - sha512, 1024b
+# Mail original in aux-fixed/4500.msg1.txt
+# Sig generated by: perl aux-fixed/dkim/sign.pl --algorithm=rsa-sha512 \
+# --method=simple/simple < aux-fixed/4500.msg1.txt
+#
+# TODO - until we have that we can only test internal consistency,
+# signing vs. verification.
+#
+client 127.0.0.1 PORT_D
+??? 220
+HELO xxx
+??? 250
+MAIL FROM:<CALLER@bloggs.com>
+??? 250
+RCPT TO:<a@test.ex>
+??? 250
+DATA
+??? 354
+DKIM-Signature: v=1; a=rsa-sha512; c=simple/simple; d=test.ex; h=from:to
+ :date:message-id:subject; s=sel2; bh=3UbbJTudPxmejzh7U1Zg33U3QT+1
+ 6kfV2eOTvMeiEis=; b=xQSD/JMqz0C+xKf0A1NTkPTbkDuDdJbpBuyjjT9iYvyP
+ Zez+xl0TkoPobFGVa6EN8+ZeYV18zjifhtWYLSsNmPinUtcpKQLG1zxAKmmS0JEh
+ +qihlWbeGJ5+tK588ugUzXHPj+4JBW0H6kxHvdH0l2SlQE5xs/cdggnx5QX5USY=
+From: mrgus@text.ex
+To: bakawolf@yahoo.com
+Date: Thu, 19 Nov 2015 17:00:07 -0700
+Message-ID: <qwerty1234@disco-zombie.net>
+Subject: simple test
+
+This is a simple test.
+.
+??? 250
+QUIT
+??? 221
+****
+#
+killdaemon
+no_stdout_check
+no_msglog_check
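Review bot: The `bh=` value in the added DKIM-Signature header is 44 base64 characters, which decodes to 32 bytes, the length of a SHA-256 digest, whereas a signature labelled `a=rsa-sha512` would carry a 64-byte body hash. Together with the header comment that Mail::DKIM::Signer does not handle rsa-sha512, this suggests the signature was not produced with SHA-512, so the case probably records a verification failure rather than a sha512 pass. The script itself only expects `??? 250` after DATA and sets `no_stdout_check`/`no_msglog_check`, so the verdict is visible only in the log comparison, which is not part of this diff. A comment stating the expected result would keep this from being read as positive coverage, e.g. `# Expected for now: signature does not verify (bh is SHA-256 length); regenerate with a sha512-capable signer`.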
diff --git a/test/scripts/5650-OCSP-GnuTLS/5652 b/test/scripts/5650-OCSP-GnuTLS/5652
new file mode 100644
index 000000000..4a33ea862
--- /dev/null
+++ b/test/scripts/5650-OCSP-GnuTLS/5652
@@ -0,0 +1,37 @@
+# OCSP stapling, server, multiple certs
+#
+#
+#
+exim -z '1: Server sends good staple on request, to client requiring RSA auth'
+****
+#
+exim -bd -oX PORT_D -DSERVER=server
+****
+exim -odf \
+ -DOPT=NONE:+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 \
+ -DCERT=DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \
+ rsa.auth@test.ex
+Subject: test
+
+.
+****
+killdaemon
+#
+#
+#
+#
+exim -z '2: Server sends good staple on request, to client preferring ECDSA auth'
+****
+#
+exim -bd -oX PORT_D -DSERVER=server
+****
+exim -odf \
+ -DOPT=NONE:+SIGN-ECDSA-SHA512:+VERS-TLS-ALL:+KX-ALL:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 \
+ -DCERT=DIR/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/ca_chain.pem \
+ ecdsa.auth@test.ex
+Subject: test
+
+.
+****
+killdaemon
+no_msglog_check
diff --git a/test/scripts/5820-DANE-GnuTLS/5820 b/test/scripts/5820-DANE-GnuTLS/5820
index 07ad7406d..84684da53 100644
--- a/test/scripts/5820-DANE-GnuTLS/5820
+++ b/test/scripts/5820-DANE-GnuTLS/5820
@@ -1,14 +1,106 @@
# DANE client: general
#
-gnutls
-#
-exim -DSERVER=server -bd -oX PORT_D
+exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
+****
+### TLSA (3 1 1)
+exim -odq CALLER@dane256ee.test.ex
+Testing
****
-exim CALLER@test.ex
+### TLSA (3 1 2)
+exim -odq CALLER@mxdane512ee.test.ex
Testing
****
exim -qf
****
+#
+#
+### Recipient callout
+exim -DOPT=callout -bhc 127.0.0.1
+MAIL FROM: <CALLER@myhost.test.ex>
+RCPT TO: <rcptuser@dane256ee.test.ex>
+****
+killdaemon
+#
+#
+exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D
+****
+### TLSA (2 0 1)
+exim -odf CALLER@mxdane256ta.test.ex
+Testing
+****
+killdaemon
+#
+#
+### A server with a nonverifying cert and no TLSA
+# Check we get a non-CV but TLS connection, with try_dane but no require_dane
+exim -DSERVER=server -DDETAILS=no -bd -oX PORT_D
+****
+exim -odf CALLER@thishost.test.ex
+Testing
+****
killdaemon
-exim -DSERVER=server -DNOTDAEMON -qf
+#
+### A server with a verifying cert and no TLSA
+# Check we get a CV and TLS connection, with try_dane but no require_dane
+exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
+****
+exim -odf CALLER@thishost.test.ex
+Testing
+****
+exim -DOPT=no_certname -qf
+****
+killdaemon
+#
+#
+exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
+****
+### A server with two MXs for which both TLSA lookups return defer (delivery should defer)
+exim -odq CALLER@mxdanelazy.test.ex
+Testing
+****
+### A server lacking a TLSA, dane required (should fail)
+exim -odq CALLER@dane.no.1.test.ex
+Testing
+****
+### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC)
+exim -odq CALLER@dane.no.2.test.ex
+Testing
+****
+### A server where the A is dnssec and the TLSA lookup _fails_ (delivery should defer)
+exim -odq CALLER@danebroken1.test.ex
+Testing
+****
+### A server securely saying "no TLSA records here", dane required (delivery should fail)
+exim -odq CALLER@dane.no.3.test.ex
+Testing
+****
+### A server securely saying "no TLSA records here", dane requested only (should deliver)
+exim -odq CALLER@dane.no.4.test.ex
+Testing
+****
+exim -qf
****
+#
+### A server securely serving a wrong TLSA record, dane requested only (delivery should fail)
+exim -odf CALLER@danebroken2.test.ex
+Testing
+****
+### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE)
+exim -odf CALLER@danebroken3.test.ex
+Testing
+****
+### A server insecurely serving a good TLSA record, dane required (delivery should fail)
+exim -odf CALLER@danebroken4.test.ex
+Testing
+****
+### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE)
+exim -odf CALLER@danebroken5.test.ex
+Testing
+****
+### A server insecurely serving a good A record, dane required (delivery should fail)
+exim -odf CALLER@danebroken6.test.ex
+Testing
+****
+#
+killdaemon
+no_msglog_check
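Review bot: The rewritten header drops the `gnutls` directive, while test/scripts/2000-GnuTLS/2014 in this same commit still has it (it shows in that file's first hunk header). As far as I know that harness directive pre-seeds the GnuTLS parameter file in the spool so the daemon does not have to generate it. If it is no longer needed for the DANE tests, a one-line comment such as `# no gnutls directive: <reason>` would stop someone re-adding it; otherwise the line should stay above the first `exim -DSERVER=server ...` command.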
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
index 142a25ad4..7d86621cc 100644
--- a/test/scripts/5840-DANE-OpenSSL/5840
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -25,10 +25,17 @@ killdaemon
exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D
****
### TLSA (2 0 1)
-exim -odq CALLER@mxdane256ta.test.ex
+exim -odf CALLER@mxdane256ta.test.ex
Testing
****
-exim -qf
+killdaemon
+#
+# OpenSSL-specific regression testcase: certificate having Authority Key ID extension
+exim -DSERVER=server -DCERT=DIR/aux-fixed/exim-ca/example.com/server2.example.com/fullchain.pem -DALLOW=DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key -bd -oX PORT_D
+****
+### TLSA (2 1 1)
+exim -odf CALLER@mxdane256tak.test.ex
+Testing
****
killdaemon
#
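Review bot: In the added regression case the server is started with `-DALLOW=` carrying the path of `server2.example.com.unlocked.key`, so a macro whose name suggests an access list is being used to pass a private key. The configuration file is not in this diff, so this is inferred from the command line only, but a reader cannot tell from the script what ALLOW does here. A comment above the command would help, e.g. `# ALLOW is used by the server config as the private-key path for CERT`, or a dedicated macro name if the config can take one.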
@@ -36,18 +43,16 @@ killdaemon
# Check we get a non-CV but TLS connection, with try_dane but no require_dane
exim -DSERVER=server -DDETAILS=no -bd -oX PORT_D
****
-exim -odq CALLER@thishost.test.ex
+exim -odf CALLER@thishost.test.ex
Testing
****
-exim -qf
-****
killdaemon
#
### A server with a verifying cert and no TLSA
# Check we get a CV and TLS connection, with try_dane but no require_dane
exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
****
-exim -odq CALLER@thishost.test.ex
+exim -odf CALLER@thishost.test.ex
Testing
****
exim -DOPT=no_certname -qf
@@ -57,7 +62,7 @@ killdaemon
#
exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
****
-### A server with two MXs for which both TLSA lookups return defer
+### A server with two MXs for which both TLSA lookups return defer (delivery should defer)
exim -odq CALLER@mxdanelazy.test.ex
Testing
****
@@ -65,23 +70,45 @@ Testing
exim -odq CALLER@dane.no.1.test.ex
Testing
****
-### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC)
+### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC)
exim -odq CALLER@dane.no.2.test.ex
Testing
****
-### A server where the A is dnssec and the TLSA _fails_
+### A server where the A is dnssec and the TLSA lookup _fails_ (delivery should defer)
exim -odq CALLER@danebroken1.test.ex
Testing
****
-### A server securely saying "no TLSA records here", dane required (should fail)
+### A server securely saying "no TLSA records here", dane required (delivery should fail)
exim -odq CALLER@dane.no.3.test.ex
Testing
****
-### A server securely saying "no TLSA records here", dane requested only (should transmit)
+### A server securely saying "no TLSA records here", dane requested only (should deliver)
exim -odq CALLER@dane.no.4.test.ex
Testing
****
exim -qf
****
+#
+### A server securely serving a wrong TLSA record, dane requested only (delivery should fail)
+exim -odf CALLER@danebroken2.test.ex
+Testing
+****
+### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE)
+exim -odf CALLER@danebroken3.test.ex
+Testing
+****
+### A server insecurely serving a good TLSA record, dane required (delivery should fail)
+exim -odf CALLER@danebroken4.test.ex
+Testing
+****
+### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE)
+exim -odf CALLER@danebroken5.test.ex
+Testing
+****
+### A server insecurely serving a good A record, dane required (delivery should fail)
+exim -odf CALLER@danebroken6.test.ex
+Testing
+****
+#
killdaemon
no_msglog_check