aboutsummaryrefslogtreecommitdiffstats
path: root/tests
Commit message (Collapse)AuthorAgeFiles
* tests: Ensure that pullimap locks its statefile.HEADmasterGuilhem Moulin2024-04-051
|
* tests/*/t: Explicitly pass `-in /dev/stdin` to openssl(1).Guilhem Moulin2024-03-066
|
* tests/certs/generate: Generate X.509 version 3 CA.Guilhem Moulin2024-03-061
| | | | | And pass CA:TRUE as basic constraint. This fixes the test suite with OpenSSL 3.2 with defaults to X.509v3 and CA:FALSE.
* tests/*/t: Replace filetype=sh with filetype=bash.Guilhem Moulin2024-03-0642
|
* tests/pullimap: Allow easy exclusion of --idle'ing tests.Guilhem Moulin2022-02-251
|
* tests/certs/generate: Use custom openssl.cnf.Guilhem Moulin2022-02-252
| | | | To avoid depending on the system default.
* tests/certs/generate: Redirect known error output to the standard output.Guilhem Moulin2022-02-251
| | | | That way we can avoid using autopkgtest's 'allow-stderr' restriction.
* Split interimap and pullimap test suites.Guilhem Moulin2022-02-253
|
* interimap, pullimap: Ensure DB and statefiles are created with mode 0600.Guilhem Moulin2022-02-234
| | | | | | | It wasn't the case for interimap(1), see https://bugs.debian.org/608604 … Fortunately we create $XDG_DATA_HOME/interimap with a secure mode, but there is no reason to have the DB world-readable. Since we can't rely on SQLITE_OPEN_CREATE for secure mode we use sysopen(,,O_CREAT,0600).
* Fix minor space damage.Guilhem Moulin2022-02-231
|
* Don't assume Net::IMAP::InterIMAP is always in @INC.Guilhem Moulin2022-02-233
| | | | | | | | | And make the installation path configurable at `make` time. Moreover, adjust the 'test' target so the site directory and interimap/pullimap path are configurable with INTERIMAP_I and INTERIMAP_PATH respectively. That way one can run `tests/run foo` to check the source, `make test` to check what's been built, and we also have the possibility to check the installed program e.g. for autopkgtests.
* Tests: Dovecot: Bump min protocol level to TLSv1.2.Guilhem Moulin2022-02-211
| | | | | And use security level 2 for ssl_cipher_list. As of dovecot 2.3.18 ssl_min_protocol defaults to TLSv1.2.
* Tests: TLS ciphers/protocols: Downgrade security level to 0.Guilhem Moulin2022-02-212
| | | | | | This is required to test TLS version <1.2 on systems with higher security levels, see SSL_CTX_set_security_level(3ssl). Addapted from a patch from <xnox> for Unbuntu.
* libinterimap: new option SSL_ciphersuites to set the TLSv1.3 ciphersuites.Guilhem Moulin2020-12-175
| | | | | Also, clarify that SSL_cipherlist only applies to TLSv1.2 and below. See SSL_CTX_set_cipher_list(3ssl).
* test suite: use stock OpenSSL config except for tests/tls-protocols.Guilhem Moulin2020-12-173
| | | | | It's best to use a stock (clean) environment when possible. We only need to test TLS protocol version <1.2 for tests/tls-protocols.
* typofixGuilhem Moulin2020-12-131
|
* libinterimap: use default locations for trusted CA certificates when neither ↵Guilhem Moulin2020-12-132
| | | | | | | | | | | CAfile nor CApath are set. In particular, OpenSSL's default locations can be overridden by the SSL_CERT_FILE resp. SSL_CERT_DIR environment variables, see SSL_CTX_load_verify_locations(3ssl). This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is used).
* test suite: ensure we haven't started speaking IMAP when the SSL/TLS ↵Guilhem Moulin2020-12-133
| | | | | | handshake is aborted. (Unless STARTTLS is used to upgrade the connection.)
* Make error messages more uniform and consistent.Guilhem Moulin2020-12-132
|
* typofix, spellingGuilhem Moulin2020-12-121
|
* libinterimap: deprecate SSL_protocols and introduce SSL_protocol_{min,max}.Guilhem Moulin2020-12-112
| | | | | | | | Using the libssl interface simplifies our protocol black/whitelist greatly; this only allows simple min/max bounds, but holes are arguably not very useful here. Using the new settings bumps the required libssl version to 1.1.0.
* test suite: supply our own OpenSSL configuration file with MinProtocol=None.Guilhem Moulin2020-12-116
| | | | | | | | So we can test TLSv1 as well, not just TLSv1.2 and later. Also, explicitly set ssl_min_protocol=TLSv1 in the Dovecot configuration file (the default as of 2.3.11.3), hence running TLS tests now require Dovecot 2.3 or later.
* test suite: `mv tests/snippets tests/config`Guilhem Moulin2020-12-117
|
* libinterimap: remove default SSL_protocols value.Guilhem Moulin2020-12-113
| | | | | | | | Namely, use the system default instead of "!SSLv2 !SSLv3 !TLSv1 !TLSv1.1". As of Debian Buster (OpenSSL 1.1.1) this does not make a difference, however using the system default provides better compatibility with future libssl versions.
* libinterimap: add support for the TLS SNI (Server Name Indication) extension.Guilhem Moulin2020-12-115
| | | | | | This is controlled by the new 'SSL_hostname' option. The default value of that option is the value of the 'host' option when it is hostname, and the empty string (which disables SNI) when it is an IP literal.
* libinterimap: make SSL_verify check the hostname as well.Guilhem Moulin2020-12-114
| | | | | | | | | | More precisely, ensure that the certificate Subject Alternative Name (SAN) or Subject CommonName (CN) matches the hostname or IP literal specified by the 'host' option. Previously it was only verifying the chain of trust. This bumps the minimum Net::SSLeay version to 1.83 and OpenSSL version 1.0.2.
* test suite: always generate new certificates on `make test`.Guilhem Moulin2020-12-118
| | | | | In addition, sign test certificates with the same root CA. Hence running `make test` now requires OpenSSL 1.1.1 or later.
* libinterimap: show the matching pinned SPKI in --debug mode.Guilhem Moulin2020-12-113
|
* New test with a server offering both RSA+ECDSA certificates.Guilhem Moulin2020-12-096
| | | | | | | | | | | | This requires dovecot-imapd 2.2.31 or later. Certificate generated with: $ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve \ -out tests/snippets/dovecot/dovecot.ecdsa.key $ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \ -key tests/snippets/dovecot/dovecot.ecdsa.key \ -out tests/snippets/dovecot/dovecot.ecdsa.crt
* libinterimap: SSL_fingerprint now supports a space-separate list of digests ↵Guilhem Moulin2020-12-091
| | | | | | | | | to pin. And succeeds if, and only if, the peer certificate SPKI matches one of the pinned digest values. Specifying multiple digest values can key useful in key rollover scenarios and/or when the server supports certificates of different types (for instance RSA+ECDSA).
* test suite: use a RSA certificate rather than ECDSA.Guilhem Moulin2020-12-0910
| | | | | | | | | It's arguably the most common use-case. Generated with $ openssl genpkey -algorithm RSA -out tests/snippets/dovecot/dovecot.rsa.key $ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \ -key tests/snippets/dovecot/dovecot.rsa.key \ -out tests/snippets/dovecot/dovecot.rsa.crt
* Upgrade URLs to secure HTTP.Guilhem Moulin2020-08-042
|
* libinterimap: abort on PREAUTH greeting received on plaintext connectionsGuilhem Moulin2020-08-034
| | | | | Set "STARTTLS = NO" to ignore. This is similar to CVE-2020-12398 and CVE-2020-14093.
* libinterimap: Fix response injection vulnerability after STARTTLS.Guilhem Moulin2020-08-035
| | | | For background see https://gitlab.com/muttmua/mutt/-/issues/248 .
* Makefile: Major refactoring, add install and uninstall targets.Guilhem Moulin2020-07-022
| | | | | | Honor BUILD_DOCDIR and DESTDIR variables. Also, remove the `use lib` statement from our executables.
* pullimap: Also compare RFC 5322 date and envelope information in mailbox ↵Guilhem Moulin2020-07-021
| | | | comparison tests.
* tests/run: Don't redirect stderr by process substitution.Guilhem Moulin2019-12-151
| | | | This seems to cause timing issues.
* tests/*/t: Increase timeout from 2 to 5s after background syncs.Guilhem Moulin2019-12-154
|
* New test for hierarchy delimiter change.Guilhem Moulin2019-12-134
| | | | | | | Cf. https://www.imapwiki.org/ClientImplementation/MailboxList#Hierarchy_separators “Some clients cache the hierarchy separator forever. This has problems if the server configuration is changed (e.g. server software changed). Try to avoid this problem.”
* pullimap: Fix mangling of data lines starting with a dot.Guilhem Moulin2019-11-182
| | | | | | | Some LMTP servers, Dovecot's in particular, trims leading dots that are not doubled (e.g. “.foo” would become “foo”). In RFC 5322 sec. 4.5.2 explicitly says that when an RFC 5322 line starts with a '.', the character needs to be doubled.
* Improve “UIDVALIDITY changed!” error message.Guilhem Moulin2019-11-151
| | | | | Mention the name of the problematic mailbox. (We may detect the violation while not in SELECTED state.)
* Test suite: add new test for pullimap(1).Guilhem Moulin2019-11-138
| | | | | This adds a dependency on Dovecot's LMTPd, which will bind to to TCP port 10024 on the loopback interface.
* Avoid sending large UID EXPUNGE|FETCH|STORE and APPEND commands.Guilhem Moulin2019-11-135
| | | | | | | | | | | | | | | | | | | | | | UID EXPUNGE|FETCH|STORE commands are now split into multiple (sequential) commands when their set representation exceeds 4096 bytes in size. Without splitting logic set representations could grow arbitrarily large, and exceed the server's maximum command size. This adds roundtrips which could be eliminated by pipelining, but it's unlikely to make any difference in typical synchronization work. While set representations seem to remain small in practice, they might grow significantly if many non-contiguous UIDs were flagged and/or expunged, and later synchronized at once. Furthermore, for MULTIAPPEND-capable servers, the number of messages is limited to 128 per APPEND command (also subject to a combined literal size of 1MiB like before). These numbers are currently not configurable. They're intentionally lower than Dovecot's default maximum command size (64k) in order to avoid a deadlock situation after sending 8k-long commands under COMPRESS=DEFLATE: https://dovecot.org/pipermail/dovecot/2019-November/117522.html .
* Net::IMAP::InterIMAP::push_flag_updates() bugfixes.Guilhem Moulin2019-11-132
| | | | | | | | | | | | | | The UNCHANGEDSINCE test from the CONDSTORE extension was incorrectly placed after the flag list in UID STORE commands. In practice this meant the server didn't add the MODIFIED code when needed. The server won't send an untagged FETCH command (and won't increase the message's MODSEQ) if no change was made to the flag list. A panic() was incorrectly triggered in that case. When the flag list was set (by another client) to a superset of the UID STORE command currently processed, the extra flags were not synchronized. Cf. RFC 7162 sec. 3.1.3 ex. 10.
* Test suite: add new test for COMPRESS=DEFLATE.Guilhem Moulin2019-11-134
| | | | | An imapd is required as `doveadm exec imap` won't offer COMPRESS=DEFLATE in its capability list.
* Test suite: add new tests for SSL/TLS.Guilhem Moulin2019-11-1328
| | | | | SSL connections are accepted on TCP port 10993. Also, fix STARTTLS directive, broken since fba1c36…
* Test suite: don't treat broken symlinks as missing.Guilhem Moulin2019-11-131
| | | | | `test -f` deferences paths so fails on broken symlinks, yielding an incorrect test environment and perhaps even a false negative.
* Test suite: add new tests for authentication.Guilhem Moulin2019-11-1321
| | | | | | | | | This can't be done with `doveadm exec imap`, so the IMAPd needs to bind to TCP port 10143 on the loopback interface. Also, no longer pass ‘imap_capability’ Dovecot setting explicitely to `doveadm exec imap`; changed tests/sync-live-crippled to use type=imap instead of type=tunnel.
* Refactor and improve test suite.Guilhem Moulin2019-11-13116
|
* Refactor logging logic.Guilhem Moulin2019-11-075
| | | | | | | Also, introduce new option 'logger-prefix' to determine the prefix of each log line. Closes: #942725.