summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
Diffstat (limited to 'test')
-rw-r--r--test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.pem58
-rwxr-xr-xtest/aux-fixed/exim-ca/genall10
-rw-r--r--test/confs/580010
-rw-r--r--test/confs/582074
-rw-r--r--test/confs/584083
-rw-r--r--test/confs/586088
-rw-r--r--test/dnszones-src/db.test.ex17
-rw-r--r--test/log/584030
-rw-r--r--test/log/586040
-rwxr-xr-xtest/runtest5
-rw-r--r--test/scripts/5800-DANE/580012
-rw-r--r--test/scripts/5800-DANE/REQUIRES2
-rw-r--r--test/scripts/5820-DANE-GnuTLS/582014
-rw-r--r--test/scripts/5820-DANE-GnuTLS/REQUIRES3
-rw-r--r--test/scripts/5840-DANE-OpenSSL/584030
-rw-r--r--test/scripts/5840-DANE-OpenSSL/REQUIRES3
-rw-r--r--test/scripts/5860-DANE-OpenSSL-TPDA/586030
-rw-r--r--test/scripts/5860-DANE-OpenSSL-TPDA/REQUIRES4
-rw-r--r--test/src/fakens.c115
-rw-r--r--test/stdout/58004
20 files changed, 608 insertions, 24 deletions
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.pem b/test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.pem
new file mode 100644
index 000000000..27ee5ef4f
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.pem
@@ -0,0 +1,58 @@
+Bag Attributes
+ friendlyName: server1.example.com
+ localKeyID: 39 11 FB 30 22 36 42 DA FC D7 A2 8A 0C 60 83 2F 66 A7 B8 4E
+subject=/CN=server1.example.com
+issuer=/O=example.com/CN=clica Signing Cert
+-----BEGIN CERTIFICATE-----
+MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
+MzQwNVoXDTM4MDEwMTEyMzQwNVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
+LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyAGT263/ZlxGjPEi2BQj
+DMa/86TF+zVzMfozEZNOLiX6Sov54fW5I0nXCm0CjACOelLa2Eos/vqffxu0w5hM
+A8slRHrt0Gak7dJjwgKK/5NAQDrA+WnyJx/62u25299oCKk+egulCC0D3XczA89N
+cLuz8iKvYnWT+rdnbFdAPdcCAwEAAaOCAQcwggEDMA4GA1UdDwEB/wQEAwIE8DAg
+BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
+I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
+BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5jb20vMGUGA1Ud
+EQReMFyCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLmNvbYIiYWx0ZXJu
+YXRlbmFtZTIuc2VydmVyMS5leGFtcGxlLmNvbYITc2VydmVyMS5leGFtcGxlLmNv
+bTANBgkqhkiG9w0BAQUFAAOBgQBWOqQ8y+u4J8KQCHQTiNxIxrUs5Sa+W5HUZ+c8
+SRLXRzDfmNtY7RiofUvbl0j1XH9wuTdjM/EkYnKSYPVu2ra8c8jC3NaVmr0WFqLv
+CvHXQWj2rZha0P/ZG1GfWc4vPYTQ7ugr65syGg4CPswwiUQJKnWBRqe27X1B61pj
++pxY7w==
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Signing Cert
+subject=/O=example.com/CN=clica Signing Cert
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw
+MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp
+P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3
+/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi
+fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
+Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA
+Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2
+tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH
+7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: Certificate Authority
+subject=/O=example.com/CN=clica CA
+issuer=/O=example.com/CN=clica CA
+-----BEGIN CERTIFICATE-----
+MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA0WhcNMzgw
+MTAxMTIzNDA0WjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0wro64rve876glpdRh
+tD6qFY6iH2kCarFFq3WaKmfCvOjYmn4CJr7pL7J5DuvCFh7A0H8lD/on5NK3yqkX
+Yi6EUlaYWxeRo2/PuZYUGbCpejST41sibw9V2dT4MHLidjDShE0W9SfgiMmxfF02
+H5hLYswAGCL1kezsVeEJeH31AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
+DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAIn9+8uyQtaq8sBEohTl
+qyJQQeZk5xxaILYP/rCIxc+z5fgOh+usB9adaiD23RPuuD/P2c3UqHJQWqIUTu46
+eOKn9K7X7ndIH3WnaC/u4nysL+SIAug72/k1BAVGNQvyNQMhth6CfZTgY0tgcS0Z
+RSHyhbTD0HeiJDI281BoOJjm
+-----END CERTIFICATE-----
diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall
index d1901fe7e..0e3feb25e 100755
--- a/test/aux-fixed/exim-ca/genall
+++ b/test/aux-fixed/exim-ca/genall
@@ -17,6 +17,16 @@ do
clica -D example.$tld -p password -s 201 -S server2.example.$tld
clica -D example.$tld -p password -s 202 -S revoked2.example.$tld
clica -D example.$tld -p password -s 203 -S expired2.example.$tld -m 1
+
+
+ # openssl seems to generate a file (ca_chain.pam) in an order it
+ # cannot then use (the key applies to the first cert in the file?).
+ # Generate a shuffled one.
+ cd example.$tld/server1.example.$tld
+ openssl pkcs12 -in server1.example.com.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
+ cat server1.example.com.pem cacerts.pem > fullchain.pem
+ rm cacerts.pem
+ cd ../..
done
# and loop again
diff --git a/test/confs/5800 b/test/confs/5800
new file mode 100644
index 000000000..bd0b77df2
--- /dev/null
+++ b/test/confs/5800
@@ -0,0 +1,10 @@
+# Exim test configuration 5890
+# DANE common
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+spool_directory = DIR/spool
+
+# ----- Main settings -----
+
diff --git a/test/confs/5820 b/test/confs/5820
new file mode 100644
index 000000000..f1bd09d1c
--- /dev/null
+++ b/test/confs/5820
@@ -0,0 +1,74 @@
+# Exim test configuration 5800
+# DANE
+
+SERVER=
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+# needed to force generation
+tls_dhparam = historic
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+
+#tls_verify_hosts = *
+#tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail}
+
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = accept
+ condition = ${if eq {SERVER}{server}{no}{yes}}
+ retry_use_local_part
+ transport = send_to_server
+
+server:
+ driver = redirect
+ data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+# tls_certificate = DIR/aux-fixed/cert2
+# tls_privatekey = DIR/aux-fixed/cert2
+# tls_verify_certificates = DIR/aux-fixed/cert2
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
diff --git a/test/confs/5840 b/test/confs/5840
new file mode 100644
index 000000000..4359b9a59
--- /dev/null
+++ b/test/confs/5840
@@ -0,0 +1,83 @@
+# Exim test configuration 5850
+# DANE
+
+SERVER=
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+CDIR1 = DIR/aux-fixed
+CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
+
+tls_certificate = ${if eq {SERVER}{server} \
+ {${if eq {DETAILS}{ta} \
+ {CDIR2/fullchain.pem}\
+ {CDIR1/cert1}}}\
+ fail}
+
+tls_privatekey = ${if eq {SERVER}{server} \
+ {${if eq {DETAILS}{ta} \
+ {CDIR2/server1.example.com.unlocked.key}\
+ {CDIR1/cert1}}}\
+ fail}
+
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = dnslookup
+ condition = ${if eq {SERVER}{}}
+ dnssec_request_domains = *
+ self = send
+ transport = send_to_server
+
+server:
+ driver = redirect
+ data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+ driver = smtp
+ allow_localhost
+ port = PORT_D
+
+# hosts_try_dane = *
+ hosts_require_dane = *
+ hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \
+ {= {0}{$tls_out_tlsa_usage}} } \
+ {*}{}}
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
diff --git a/test/confs/5860 b/test/confs/5860
new file mode 100644
index 000000000..7dc4b0952
--- /dev/null
+++ b/test/confs/5860
@@ -0,0 +1,88 @@
+# Exim test configuration 5850
+# DANE
+
+SERVER=
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+CDIR1 = DIR/aux-fixed
+CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
+
+tls_certificate = ${if eq {SERVER}{server} \
+ {${if eq {DETAILS}{ta} \
+ {CDIR2/fullchain.pem}\
+ {CDIR1/cert1}}}\
+ fail}
+
+tls_privatekey = ${if eq {SERVER}{server} \
+ {${if eq {DETAILS}{ta} \
+ {CDIR2/server1.example.com.unlocked.key}\
+ {CDIR1/cert1}}}\
+ fail}
+
+
+begin acl
+
+logger:
+ accept condition = ${if eq {tls} {${listextract{1}{$tpda_event}}}}
+ logwrite = $tpda_event depth = $tpda_data \
+ <${certextract {subject} {$tls_out_peercert}}>
+# message = noooo
+
+ accept condition = ${if eq {msg} {${listextract{1}{$tpda_event}}}}
+ logwrite = $tpda_event dane=$tls_out_dane
+ accept
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = dnslookup
+ condition = ${if eq {SERVER}{}}
+ dnssec_request_domains = *
+ self = send
+ transport = send_to_server
+
+server:
+ driver = redirect
+ data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+ driver = smtp
+ allow_localhost
+ port = PORT_D
+
+# hosts_try_dane = *
+ hosts_require_dane = *
+ hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \
+ {= {0}{$tls_out_tlsa_usage}} } \
+ {*}{}}
+
+ tpda_event_action = ${acl {logger}}
+
+# End
diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex
index 843a35b09..4ec367cc9 100644
--- a/test/dnszones-src/db.test.ex
+++ b/test/dnszones-src/db.test.ex
@@ -77,6 +77,7 @@ badloop A V4NET.0.0.1
v6 AAAA V6NET:ffff:836f:0a00:000a:0800:200a:c032
; Alias A and CNAME records for the local host, under the name "eximtesthost"
+; Make the A covered by DNSSEC and add a TLSA for it.
eximtesthost A HOSTIPV4
alias-eximtesthost CNAME eximtesthost.test.ex.
@@ -382,4 +383,20 @@ _client._smtp.csa2 SRV 1 1 0 csa2.test.ex.
csa1 A V4NET.9.8.7
csa2 A V4NET.9.8.8
+; ------- Testing DANE ------------
+
+; full suite dns chain, sha512
+DNSSEC mxdane512ee MX 1 dane512ee.
+DNSSEC dane512ee A HOSTIPV4
+DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb590441d5f3811db17772f4bc6de29bdd7c4f4b723750dda871b99379192b3f979f03db1252c4f08b03ef7176528d
+
+; A-only, sha256
+DNSSEC dane256ee A HOSTIPV4
+DNSSEC _1225._tcp.dane256ee TLSA 3 1 1 2bb55f418bb03411a5007cecbfcd3ec1c94404312c0d53a44bb2166b32654db3
+
+; full MX, sha256, TA-mode
+DNSSEC mxdane256ta MX 1 dane256ta.
+DNSSEC dane256ta A HOSTIPV4
+DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 b2c6f27f2d16390b4f71cacc69742bf610d750534fab240516c0f2deb4042ad4
+
; End
diff --git a/test/log/5840 b/test/log/5840
new file mode 100644
index 000000000..62dc13f02
--- /dev/null
+++ b/test/log/5840
@@ -0,0 +1,30 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane512ee.test.ex
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ta.test.ex
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@mxdane256ta.test.ex R=client T=send_to_server H=dane256ta.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for CALLER@mxdane512ee.test.ex
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: <CALLER@dane256ee.test.ex> R=server
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@mxdane512ee.test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@mxdane256ta.test.ex
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@mxdane256ta.test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/log/5860 b/test/log/5860
new file mode 100644
index 000000000..7c1bf6657
--- /dev/null
+++ b/test/log/5860
@@ -0,0 +1,40 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane512ee.test.ex
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 tls:cert depth = 0 <CN=Phil Pennock,OU=Test Suite,O=The Exim Maintainers,C=UK>
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 msg:delivery dane=yes
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth = 0 <CN=Phil Pennock,OU=Test Suite,O=The Exim Maintainers,C=UK>
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 msg:delivery dane=yes
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ta.test.ex
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 2 <CN=clica CA,O=example.com>
+1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 0 <CN=server1.example.com>
+1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 2 <CN=clica CA,O=example.com>
+1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 1 <CN=clica Signing Cert,O=example.com>
+1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 0 <CN=server1.example.com>
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@mxdane256ta.test.ex R=client T=send_to_server H=dane256ta.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 msg:delivery dane=yes
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for CALLER@mxdane512ee.test.ex
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: <CALLER@dane256ee.test.ex> R=server
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@mxdane512ee.test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@mxdane256ta.test.ex
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@mxdane256ta.test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/runtest b/test/runtest
index 57caa2c1f..a647b229a 100755
--- a/test/runtest
+++ b/test/runtest
@@ -999,6 +999,11 @@ RESET_AFTER_EXTRA_LINE_READ:
@saved = ();
}
+ # Skip hosts_require_dane checks when the options
+ # are unset, because dane ain't always there.
+
+ next if /in\shosts_require_dane\?\sno\s\(option\sunset\)/x;
+
# Skip some lines that Exim puts out at the start of debugging output
# because they will be different in different binaries.
diff --git a/test/scripts/5800-DANE/5800 b/test/scripts/5800-DANE/5800
new file mode 100644
index 000000000..98a70c115
--- /dev/null
+++ b/test/scripts/5800-DANE/5800
@@ -0,0 +1,12 @@
+# Expansion test for DANE.
+#
+# Some systems seem to use 1-byte fields for the leading
+# 3 fields in a TLSA record, others 2-bytes.
+# We need the result to match the string in dnszones-src/db.test.ex
+
+exim -be
+
+dnslookup tlsa: ${lookup dnsdb {tlsa=_1225._tcp.dane512ee.test.ex} \
+ {$value}{none}}
+
+****
diff --git a/test/scripts/5800-DANE/REQUIRES b/test/scripts/5800-DANE/REQUIRES
new file mode 100644
index 000000000..2314a3236
--- /dev/null
+++ b/test/scripts/5800-DANE/REQUIRES
@@ -0,0 +1,2 @@
+support Experimental_DANE
+running IPv4
diff --git a/test/scripts/5820-DANE-GnuTLS/5820 b/test/scripts/5820-DANE-GnuTLS/5820
new file mode 100644
index 000000000..07ad7406d
--- /dev/null
+++ b/test/scripts/5820-DANE-GnuTLS/5820
@@ -0,0 +1,14 @@
+# DANE client: general
+#
+gnutls
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+exim CALLER@test.ex
+Testing
+****
+exim -qf
+****
+killdaemon
+exim -DSERVER=server -DNOTDAEMON -qf
+****
diff --git a/test/scripts/5820-DANE-GnuTLS/REQUIRES b/test/scripts/5820-DANE-GnuTLS/REQUIRES
new file mode 100644
index 000000000..4234c92f8
--- /dev/null
+++ b/test/scripts/5820-DANE-GnuTLS/REQUIRES
@@ -0,0 +1,3 @@
+support Experimental_DANE
+support GnuTLS
+running IPv4
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
new file mode 100644
index 000000000..814b4b0e8
--- /dev/null
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -0,0 +1,30 @@
+# DANE client: general
+#
+exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
+****
+# TLSA (3 1 1)
+exim CALLER@dane256ee.test.ex
+Testing
+****
+# TLSA (3 1 2)
+exim CALLER@mxdane512ee.test.ex
+Testing
+****
+exim -qf
+****
+killdaemon
+exim -DSERVER=server -DDETAILS=ee -DNOTDAEMON -qf
+****
+#
+#
+exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D
+****
+# TLSA (2 0 1)
+exim CALLER@mxdane256ta.test.ex
+Testing
+****
+exim -qf
+****
+killdaemon
+exim -DSERVER=server -DDETAILS=ta -DNOTDAEMON -qf
+****
diff --git a/test/scripts/5840-DANE-OpenSSL/REQUIRES b/test/scripts/5840-DANE-OpenSSL/REQUIRES
new file mode 100644
index 000000000..59cb7dc91
--- /dev/null
+++ b/test/scripts/5840-DANE-OpenSSL/REQUIRES
@@ -0,0 +1,3 @@
+support Experimental_DANE
+support OpenSSL
+running IPv4
diff --git a/test/scripts/5860-DANE-OpenSSL-TPDA/5860 b/test/scripts/5860-DANE-OpenSSL-TPDA/5860
new file mode 100644
index 000000000..94bc4d2b8
--- /dev/null
+++ b/test/scripts/5860-DANE-OpenSSL-TPDA/5860
@@ -0,0 +1,30 @@
+# DANE client: TPDA
+#
+exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
+****
+# TLSA (3 1 1)
+exim CALLER@dane256ee.test.ex
+Testing
+****
+# TLSA (3 1 2)
+exim CALLER@mxdane512ee.test.ex
+Testing
+****
+exim -qf
+****
+killdaemon
+exim -DSERVER=server -DDETAILS=ee -DNOTDAEMON -qf
+****
+#
+#
+exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D
+****
+# TLSA (2 0 1)
+exim CALLER@mxdane256ta.test.ex
+Testing
+****
+exim -qf
+****
+killdaemon
+exim -DSERVER=server -DDETAILS=ta -DNOTDAEMON -qf
+****
diff --git a/test/scripts/5860-DANE-OpenSSL-TPDA/REQUIRES b/test/scripts/5860-DANE-OpenSSL-TPDA/REQUIRES
new file mode 100644
index 000000000..7e51b4fa7
--- /dev/null
+++ b/test/scripts/5860-DANE-OpenSSL-TPDA/REQUIRES
@@ -0,0 +1,4 @@
+support Experimental_DANE
+support Experimental_TPDA
+support OpenSSL
+running IPv4
diff --git a/test/src/fakens.c b/test/src/fakens.c
index fa4431810..fd3604a3c 100644
--- a/test/src/fakens.c
+++ b/test/src/fakens.c
@@ -48,7 +48,11 @@ line in the zone file contains exactly this:
PASS ON NOT FOUND
and the domain is not found. It converts the the result to PASS_ON instead of
-HOST_NOT_FOUND. */
+HOST_NOT_FOUND.
+
+Any DNS record line in a zone file can be prefixed with "DNSSEC" and
+at least one space; if all the records found by a lookup are marked
+as such then the response will have the "AD" bit set. */
#include <ctype.h>
#include <stdarg.h>
@@ -95,21 +99,25 @@ not defined, assume we are in this state. A really old system might not even
know about AAAA and SRV at all. */
#ifndef ns_t_a
-#define ns_t_a T_A
-#define ns_t_ns T_NS
-#define ns_t_cname T_CNAME
-#define ns_t_soa T_SOA
-#define ns_t_ptr T_PTR
-#define ns_t_mx T_MX
-#define ns_t_txt T_TXT
-#define ns_t_aaaa T_AAAA
-#define ns_t_srv T_SRV
-#ifndef T_AAAA
-#define T_AAAA 28
-#endif
-#ifndef T_SRV
-#define T_SRV 33
-#endif
+# define ns_t_a T_A
+# define ns_t_ns T_NS
+# define ns_t_cname T_CNAME
+# define ns_t_soa T_SOA
+# define ns_t_ptr T_PTR
+# define ns_t_mx T_MX
+# define ns_t_txt T_TXT
+# define ns_t_aaaa T_AAAA
+# define ns_t_srv T_SRV
+# define ns_t_tlsa T_TLSA
+# ifndef T_AAAA
+# define T_AAAA 28
+# endif
+# ifndef T_SRV
+# define T_SRV 33
+# endif
+# ifndef T_TLSA
+# define T_TLSA 52
+# endif
#endif
static tlist type_list[] = {
@@ -122,6 +130,7 @@ static tlist type_list[] = {
{ US"TXT", ns_t_txt },
{ US"AAAA", ns_t_aaaa },
{ US"SRV", ns_t_srv },
+ { US"TLSA", ns_t_tlsa },
{ NULL, 0 }
};
@@ -185,6 +194,33 @@ while (*name != 0)
return pk;
}
+uschar *
+bytefield(uschar ** pp, uschar * pk)
+{
+unsigned value = 0;
+uschar * p = *pp;
+
+while (isdigit(*p)) value = value*10 + *p++ - '0';
+while (isspace(*p)) p++;
+*pp = p;
+*pk++ = value & 255;
+return pk;
+}
+
+uschar *
+shortfield(uschar ** pp, uschar * pk)
+{
+unsigned value = 0;
+uschar * p = *pp;
+
+while (isdigit(*p)) value = value*10 + *p++ - '0';
+while (isspace(*p)) p++;
+*pp = p;
+*pk++ = (value >> 8) & 255;
+*pk++ = value & 255;
+return pk;
+}
+
/*************************************************
@@ -209,7 +245,7 @@ Returns: 0 on success, else HOST_NOT_FOUND or NO_DATA or NO_RECOVERY or
static int
find_records(FILE *f, uschar *zone, uschar *domain, uschar *qtype,
- int qtypelen, uschar **pkptr, int *countptr)
+ int qtypelen, uschar **pkptr, int *countptr, BOOL * dnssec)
{
int yield = HOST_NOT_FOUND;
int domainlen = Ustrlen(domain);
@@ -233,6 +269,8 @@ if (typeptr->name == NULL)
rrdomain[0] = 0; /* No previous domain */
(void)fseek(f, 0, SEEK_SET); /* Start again at the beginning */
+*dnssec = TRUE; /* cancelled by first nonsecure rec found */
+
/* Scan for RRs */
while (fgets(CS buffer, sizeof(buffer), f) != NULL)
@@ -243,12 +281,13 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL)
int i, plen, value;
int tvalue = typeptr->value;
int qtlen = qtypelen;
+ BOOL rr_sec = FALSE;
p = buffer;
while (isspace(*p)) p++;
if (*p == 0 || *p == ';') continue;
- if (Ustrncmp(p, "PASS ON NOT FOUND", 17) == 0)
+ if (Ustrncmp(p, US"PASS ON NOT FOUND", 17) == 0)
{
pass_on_not_found = TRUE;
continue;
@@ -259,6 +298,12 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL)
*ep = 0;
p = buffer;
+ if (Ustrncmp(p, US"DNSSEC ", 7) == 0) /* tagged as secure */
+ {
+ rr_sec = TRUE;
+ p += 7;
+ }
+
if (!isspace(*p))
{
uschar *pp = rrdomain;
@@ -311,6 +356,9 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL)
/* Found a relevant record */
+ if (!rr_sec)
+ *dnssec = FALSE; /* cancel AD return */
+
yield = 0;
*countptr = *countptr + 1;
@@ -371,11 +419,7 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL)
break;
case ns_t_mx:
- value = 0;
- while (isdigit(*p)) value = value*10 + *p++ - '0';
- while (isspace(*p)) p++;
- *pk++ = (value >> 8) & 255;
- *pk++ = value & 255;
+ pk = shortfield(&p, pk);
if (ep[-1] != '.') sprintf(ep, "%s.", zone);
pk = packname(p, pk);
plen = Ustrlen(p);
@@ -388,6 +432,23 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL)
*pp = pk - pp - 1;
break;
+ case ns_t_tlsa:
+ pk = bytefield(&p, pk); /* usage */
+ pk = bytefield(&p, pk); /* selector */
+ pk = bytefield(&p, pk); /* match type */
+ while (isxdigit(*p))
+ {
+ value = toupper(*p) - (isdigit(*p) ? '0' : '7') << 4;
+ if (isxdigit(*++p))
+ {
+ value |= toupper(*p) - (isdigit(*p) ? '0' : '7');
+ p++;
+ }
+ *pk++ = value & 255;
+ }
+
+ break;
+
case ns_t_srv:
for (i = 0; i < 3; i++)
{
@@ -444,6 +505,7 @@ uschar buffer[256];
uschar qtype[12];
uschar packet[512];
uschar *pk = packet;
+BOOL dnssec;
if (argc != 4)
{
@@ -545,7 +607,7 @@ if (f == NULL)
/* Find the records we want, and add them to the result. */
count = 0;
-yield = find_records(f, zone, domain, qtype, qtypelen, &pk, &count);
+yield = find_records(f, zone, domain, qtype, qtypelen, &pk, &count, &dnssec);
if (yield == NO_RECOVERY) goto END_OFF;
packet[6] = (count >> 8) & 255;
@@ -557,6 +619,9 @@ packet[7] = count & 255;
packet[10] = 0;
packet[11] = 0;
+if (dnssec)
+ ((HEADER *)packet)->ad = 1;
+
/* Close the zone file, write the result, and return. */
END_OFF:
@@ -565,4 +630,6 @@ END_OFF:
return yield;
}
+/* vi: aw ai sw=2
+*/
/* End of fakens.c */
diff --git a/test/stdout/5800 b/test/stdout/5800
new file mode 100644
index 000000000..b9c64fea0
--- /dev/null
+++ b/test/stdout/5800
@@ -0,0 +1,4 @@
+>
+> dnslookup tlsa: 3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb590441d5f3811db17772f4bc6de29bdd7c4f4b723750dda871b99379192b3f979f03db1252c4f08b03ef7176528d
+>
+>
generated by cgit v1.2.3 (git 2.39.1) at 2024-10-22 07:31:20 +0000