From 4b98b16dbae9610e439e9d4e60951cbcabd2380d Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Thu, 15 Dec 2022 20:22:01 +0000
Subject: Testsuite: quieten timing-dependent testcase

---
 test/scripts/2000-GnuTLS/2014 | 17 ++++++++++++----
 test/src/client.c | 46 +++++++++++++++++++++++++------------------
 test/stdout/2014 | 14 ++++++-------
 3 files changed, 47 insertions(+), 30 deletions(-)

diff --git a/test/scripts/2000-GnuTLS/2014 b/test/scripts/2000-GnuTLS/2014
index 16bcbe4a9..6ecfeccfc 100644
--- a/test/scripts/2000-GnuTLS/2014
+++ b/test/scripts/2000-GnuTLS/2014
@@ -128,8 +128,15 @@ killdaemon
 exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
 ****
 ### Otherwise good but revoked certificate, certificate required
+# The trace for this test appears in the mainlog
+# - but the stdout from the client is a problem: the server sends a TLS ALERT. If the client sees that early enough
+# then it says that + "Failed to start TLS". But if it's later, it says "Succeeded in starting TLS"
+# and only another command from the client elicits anything from the server (eg "554 Security failure").
+# How can we test this?
+# An option on client to be quiet about tls problems.
+#
 # GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
-client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
+client-gnutls -tls-quiet HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
 ??? 220
 ehlo rhu7.barb
 ??? 250-
@@ -138,10 +145,12 @@ ehlo rhu7.barb
 ??? 250-
 ??? 250-
 ??? 250
-starttls
+STARTTLS
 ??? 220
-helo test
-??? 554
+NOP
+??? 554 Security failure
+QUIT
+220
 ****
 ### Revoked certificate, certificate optional at TLS time, reject at ACL time
 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
diff --git a/test/src/client.c b/test/src/client.c
index 250f7af8b..2544ec84a 100644
--- a/test/src/client.c
+++ b/test/src/client.c
@@ -137,6 +137,7 @@ static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 };
 #ifdef HAVE_TLS
 char * ocsp_stapling = NULL;
 char * pri_string = NULL;
+int tls_quiet = 0;
 #endif
 
 
@@ -739,7 +740,7 @@ nextinput:
 srv->tls_active = rc >= 0;
 alarm(0);
 
- if (!srv->tls_active) printf("%s\n", gnutls_strerror(rc));
+ if (!srv->tls_active && !tls_quiet) printf("gnutls_handshake: %s\n", gnutls_strerror(rc));
 
 /* look for an error on the TLS conn */
 FD_ZERO(&rfd);
@@ -754,7 +755,7 @@ nextinput:
 DEBUG { printf("gnutls_record_recv: %s\n", gnutls_strerror(rc)); fflush(stdout); }
 if (rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN)
 goto retry2;
- printf("%s\n", gnutls_strerror(rc));
+ if (!tls_quiet) printf("gnutls_record_recv: %s\n", gnutls_strerror(rc));
 srv->tls_active = FALSE;
 }
 DEBUG { printf("gnutls_record_recv: %d\n", rc); fflush(stdout); }
@@ -762,15 +763,16 @@ nextinput:
 }
 # endif /*HAVE_GNUTLS*/
 
- if (!srv->tls_active)
- {
- printf("Failed to start TLS\n");
- fflush(stdout);
- }
+ if (!tls_quiet)
+ if (!srv->tls_active)
+ {
+ printf("Failed to start TLS\n");
+ fflush(stdout);
+ }
 
 # ifdef HAVE_OPENSSL
- else if (ocsp_stapling)
- printf("Succeeded in starting TLS (with OCSP)\n");
+ else if (ocsp_stapling)
+ printf("Succeeded in starting TLS (with OCSP)\n");
 # endif
 
 # ifdef HAVE_GNUTLS
@@ -965,6 +967,7 @@ Usage: client\n"
 #ifdef HAVE_TLS
 "\
 [-tls-on-connect]\n\
+ [-tls-quiet]\n\
 [-ocsp]\n"
 # ifdef HAVE_GNUTLS
 "\
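Review bot: With `-tls-quiet` the handshake failure at `if (!srv->tls_active && !tls_quiet) printf("gnutls_handshake: %s\n", gnutls_strerror(rc));` leaves no trace on stdout at all, and nothing in this hunk's context prints the error under DEBUG, so a test run that fails in this path cannot be diagnosed even with debugging enabled. The gnutls_record_recv path in the next hunk keeps its `DEBUG { ... }` print ahead of the quiet-gated message; this one should do the same, e.g. add just before that line `DEBUG { printf("gnutls_handshake: %s\n", gnutls_strerror(rc)); fflush(stdout); }`, so the error string stays available under debug while the scripted stdout remains deterministic. The enclosing function starts and ends outside the hunk.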
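Review bot: The new `if (!tls_quiet)` in the `@@ -762,15 +763,16 @@` hunk wraps an unbraced `if (!srv->tls_active) { ... }` whose `else if` branches follow under `# ifdef HAVE_OPENSSL` and, past the end of the hunk, `# ifdef HAVE_GNUTLS`, so the report chain's correctness now rests on dangling-else binding across preprocessor boundaries. A reader has to work out that every `else` belongs to the inner `if`, and a later edit that adds a statement between the inner block and the first `else` would silently detach the chain; bracing the outer body, `if (!tls_quiet) {` before the inner `if` and `}` after the last `else` branch, makes the grouping explicit. The same shape is introduced in the `@@ -1346,15 +1353,16 @@` hunk around `if (!srv.tls_active)`. The enclosing function and the GnuTLS branch of the chain lie outside the hunk.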
@@ -1020,12 +1023,17 @@ while (argc >= argi + 1 && argv[argi][0] == '-')
 puts(HELP_MESSAGE);
 exit(0);
 }
+#ifdef HAVE_TLS
 if (strcmp(argv[argi], "-tls-on-connect") == 0)
 {
 tls_on_connect = 1;
 argi++;
 }
-#ifdef HAVE_TLS
+ else if (strcmp(argv[argi], "-tls-quiet") == 0)
+ {
+ tls_quiet = 1;
+ argi++;
+ }
 else if (strcmp(argv[argi], "-ocsp") == 0)
 {
 if (argc < ++argi + 1)
@@ -1045,8 +1053,7 @@ while (argc >= argi + 1 && argv[argi][0] == '-')
 }
 pri_string = argv[argi++];
 }
-#endif
-
+# endif
 #endif
 else if (argv[argi][1] == 't' && isdigit(argv[argi][2]))
 {
@@ -1346,15 +1353,16 @@ if (tls_on_connect)
 }
 #endif
 
- if (!srv.tls_active)
- printf("Failed to start TLS\n");
+ if (!tls_quiet)
+ if (!srv.tls_active)
+ printf("Failed to start TLS\n");
 #if defined(HAVE_GNUTLS) && defined(HAVE_GNUTLS_OCSP)
- else if ( ocsp_stapling
- && gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0)
- printf("Failed to verify certificate status\n");
+ else if ( ocsp_stapling
+ && gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0)
+ printf("Failed to verify certificate status\n");
 #endif
- else
- printf("Succeeded in starting TLS%s\n", ocsp_stapling ? " (with OCSP)":"");
+ else
+ printf("Succeeded in starting TLS%s\n", ocsp_stapling ? " (with OCSP)":"");
 }
 #endif
 
diff --git a/test/stdout/2014 b/test/stdout/2014
index 4eddd724c..edd498aa8 100644
--- a/test/stdout/2014
+++ b/test/stdout/2014
@@ -19,7 +19,7 @@ Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-A TLS fatal alert has been received.
+gnutls_record_recv: A TLS fatal alert has been received.
 Failed to start TLS
 >>> nop
 ????554
@@ -156,7 +156,7 @@ Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-A TLS fatal alert has been received.
+gnutls_record_recv: A TLS fatal alert has been received.
 Failed to start TLS
 >>> nop
 ????554
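Review bot: Moving `#ifdef HAVE_TLS` above the `-tls-on-connect` test is a behaviour change for builds without TLS that the commit message does not mention: the old code accepted `-tls-on-connect` and set `tls_on_connect` unconditionally, whereas now the whole branch up to the `#endif` in the `@@ -1045,8 +1053,7 @@` hunk is compiled out, and the option instead reaches `else if (argv[argi][1] == 't' && isdigit(argv[argi][2]))` (which rejects it, since its third character is `l`) and whatever follows that outside the hunk. Since the help text already lists `-tls-on-connect` only under `HAVE_TLS`, this is plausibly intended, but it should be a deliberate choice; if not, keep the `-tls-on-connect` branch outside the conditional and open `#ifdef HAVE_TLS` at the new `-tls-quiet` branch. Note also that in a non-TLS build the first `else if` after `#endif` now attaches to the block closed just above, so that block must be an `if`; its start is outside the hunk.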
@@ -217,15 +217,15 @@ Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.c
 <<< 250-STARTTLS
 ??? 250
 <<< 250 HELP
->>> starttls
+>>> STARTTLS
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-A TLS fatal alert has been received.
-Failed to start TLS
->>> helo test
-??? 554
+>>> NOP
+??? 554 Security failure
 <<< 554 Security failure
+>>> QUIT
+>>> 220
 End of script
 ### Revoked certificate, certificate optional at TLS time, reject at ACL time
 Connecting to 127.0.0.1 port 1225 ... connected
-- 
cgit v1.2.3