OpenSSL: Fix tls_eccurve on earlier versions than 3.0.0. Bug 2954

Broken-by: ca4014de81e6
author: Jeremy Harris <jgh146exb@wizmail.org> 2023-01-02 15:04:14 +0000
committer: Jeremy Harris <jgh146exb@wizmail.org> 2023-01-02 15:15:36 +0000
commit: 7fa5764c203f2f4a900898a79ed02d674075313f (patch)
tree: 5bf24d059781ac5c04a506a08fe9da0e2d4309b9 /test
parent: b77f1b5c34fd54dd2f05d698410523e0427992b3 (diff)
download: exim4-7fa5764c203f2f4a900898a79ed02d674075313f.tar.gz
3 files changed, 29 insertions, 24 deletions
diff --git a/test/log/2149 b/test/log/2149
index 0d4235846..3832ba076 100644
--- a/test/log/2149
+++ b/test/log/2149
@@ -1,45 +1,45 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => optnotpresent@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => explicitauto@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbB-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 => explicitempty@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbD-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 => prime256v1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbE-0005vi-00"
 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbF-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbF-0005vi-00 => secp384r1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbG-0005vi-00"
 1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbH-0005vi-00 H=127.0.0.1 [127.0.0.1]: a TLS session is required, but an attempt to start TLS failed
-1999-03-02 09:44:33 10HmbH-0005vi-00 == userx@test.ex R=client T=send_to_server defer (-38) H=127.0.0.1 [127.0.0.1]: a TLS session is required, but an attempt to start TLS failed
-1999-03-02 09:44:33 10HmbH-0005vi-00 ** userx@test.ex: retry timeout exceeded
-1999-03-02 09:44:33 10HmbH-0005vi-00 userx@test.ex: error ignored
+1999-03-02 09:44:33 10HmbH-0005vi-00 == user_fail@test.ex R=client T=send_to_server defer (-38) H=127.0.0.1 [127.0.0.1]: a TLS session is required, but an attempt to start TLS failed
+1999-03-02 09:44:33 10HmbH-0005vi-00 ** user_fail@test.ex: retry timeout exceeded
+1999-03-02 09:44:33 10HmbH-0005vi-00 user_fail@test.ex: error ignored
 1999-03-02 09:44:33 10HmbH-0005vi-00 Completed
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmaY-0005vi-00 => optnotpresent <optnotpresent@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbA-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbA-0005vi-00 => explicitauto <explicitauto@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbC-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbC-0005vi-00 => explicitempty <explicitempty@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1237, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbE-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbE-0005vi-00 => prime256v1 <prime256v1@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1238, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 10HmbG-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbG-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbG-0005vi-00 => secp384r1 <secp384r1@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1239, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (Unknown curve name tls_eccurve 'bogus'): error:00000000:lib(0)::reason(0)
+1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] Unknown curve name tls_eccurve 'bogus'
diff --git a/test/runtest b/test/runtest
index c518c1080..900fc7bbb 100755
--- a/test/runtest
+++ b/test/runtest
@@ -1165,6 +1165,9 @@ RESET_AFTER_EXTRA_LINE_READ:
     next if /^TLS: not preloading (CA bundle|cipher list) for server$/;
     next if /^TLS: not preloading server certs$/;
 
+    # some plaatforms are missing the standard CA bundle file
+    next if /^tls_set_watch\(\) fail on '\/usr\/lib\/ssl\/cert.pem': No such file or directory$/;
+
     # drop lookups
     next if /^$time_pid?(?: Lookups\ \(built-in\):
 					| Loading\ lookup\ modules\ from
diff --git a/test/scripts/2100-OpenSSL/2149 b/test/scripts/2100-OpenSSL/2149
index 59263df81..f1af49907 100644
--- a/test/scripts/2100-OpenSSL/2149
+++ b/test/scripts/2100-OpenSSL/2149
@@ -6,14 +6,14 @@
 # Baseline: tls_eccurve option not present
 exim -DSERVER=server -bd -oX PORT_D
 ****
-exim -odf userx@test.ex
+exim -odf optnotpresent@test.ex
 ****
 killdaemon
 #
 # Explicit tls_eccurve setting of "auto"
 exim -DSERVER=server -DDATA=auto -bd -oX PORT_D
 ****
-exim -odf userx@test.ex
+exim -odf explicitauto@test.ex
 ****
 killdaemon
 #
@@ -21,30 +21,32 @@ killdaemon
 # - unclear this works.  At least with OpenSSL 3.0.5 we still get an x25519 keyshare in the Server Hello
 exim -DSERVER=server -DDATA= -bd -oX PORT_D
 ****
-exim -odf userx@test.ex
+exim -odf explicitempty@test.ex
 ****
 killdaemon
 #
 # prime256v1
+# Oddly,  3.0.5 packets show an EC-groups negotiation of C:x255519 S:secp256r1 C:secp384r1 S:secp384r1.
+# Hoever, note that RFC 8446 (TLS1.3) does NOT include prime256v1 as one of the allowable
+# supported groups (and it's not in the client "supported groups" extension, so what we see seems good.
 exim -DSERVER=server -DDATA=prime256v1 -bd -oX PORT_D
 ****
-exim -odf userx@test.ex
+exim -odf prime256v1@test.ex
 ****
 killdaemon
 #
-# X448
-# Client Hello offers an x25519 keyshare, server says "Hello Retry Request" with a KeyShare extension "X448"
-# and the client retries Client Hello with that in the KeyShare.
-exim -DSERVER=server -DDATA=X448 -bd -oX PORT_D
+# secp384r1
+# C:x25519 S:secp384r1
+exim -DSERVER=server -DDATA=secp384r1 -bd -oX PORT_D
 ****
-exim -odf userx@test.ex
+exim -odf secp384r1@test.ex
 ****
 killdaemon
 #
 # "bogus".  Should fail to make connection.
 exim -DSERVER=server -DDATA=bogus -bd -oX PORT_D
 ****
-exim -odf userx@test.ex
+exim -odf user_fail@test.ex
 ****
 killdaemon
 #
author	Jeremy Harris <jgh146exb@wizmail.org>	2023-01-02 15:04:14 +0000
committer	Jeremy Harris <jgh146exb@wizmail.org>	2023-01-02 15:15:36 +0000
commit	7fa5764c203f2f4a900898a79ed02d674075313f (patch)
tree	5bf24d059781ac5c04a506a08fe9da0e2d4309b9 /test
parent	b77f1b5c34fd54dd2f05d698410523e0427992b3 (diff)
download	exim4-7fa5764c203f2f4a900898a79ed02d674075313f.tar.gz