From 8c43ed9baa905d907a6aad77de2282a852ba69a9 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sun, 13 Dec 2020 17:43:52 +0100
Subject: libinterimap: use default locations for trusted CA certificates when
 neither CAfile nor CApath are set.

In particular, OpenSSL's default locations can be overridden by the
SSL_CERT_FILE resp. SSL_CERT_DIR environment variables, see
SSL_CTX_load_verify_locations(3ssl).

This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is
used).
---
 tests/tls-verify-peer/t | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

(limited to 'tests/tls-verify-peer/t')

diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
index 8cc098a..8326521 100644
--- a/tests/tls-verify-peer/t
+++ b/tests/tls-verify-peer/t
@@ -46,7 +46,9 @@ with_remote_config() {
 }
 
 step_start "peer verification enabled by default"
+# assume our fake root CA is not among OpenSSL's default trusted CAs
 unverified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
 step_done
 
 step_start "peer verification result honored when pinned pubkey matches"
@@ -54,13 +56,23 @@ with_remote_config <<-EOF
 	SSL_fingerprint = sha256\$$PKEY_SHA256
 EOF
 unverified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
 grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error
 step_done
 
+
 capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX)
 cp -T -- ~/.dovecot/conf.d/ca.crt "$capath/ca-certificates.crt"
 
-step_start "SSL_CAfile"
+step_start "SSL_CAfile/\$SSL_CERT_FILE"
+
+# verify that an error is raised when CAfile can't be loaded
+# (it's not the case for $SSL_CERT_FILE, cf. SSL_CTX_load_verify_locations(3ssl))
+with_remote_config <<<"SSL_CAfile = /nonexistent"
+! interimap --debug || error
+grep -Fx "remote: ERROR: SSL_CTX_load_verify_locations()" <"$STDERR" || error
+grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error
+
 if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
     # assume our fake root CA is not there
     with_remote_config <<<"SSL_CAfile = /etc/ssl/certs/ca-certificates.crt"
@@ -71,6 +83,10 @@ fi
 with_remote_config <<<"SSL_CAfile = $capath/ca-certificates.crt"
 verified_peer
 
+with_remote_config </dev/null
+SSL_CERT_FILE=~/.dovecot/conf.d/ca.crt verified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
+
 # hostnames and IPs included in the subjectAltName should work as well
 for host in "ip6-localhost" "127.0.0.1" "::1"; do
     with_remote_config <<-EOF
@@ -80,7 +96,7 @@ for host in "ip6-localhost" "127.0.0.1" "::1"; do
     verified_peer
 done
 
-# but not for other IPs or hostnames
+# but not for other hostnames or IPs
 for host in "ip6-loopback" "127.0.1.1"; do
     with_remote_config <<-EOF
 		host = $host
@@ -92,7 +108,8 @@ done
 step_done
 
 
-step_start "SSL_CApath"
+step_start "SSL_CApath/\$SSL_CERT_DIR"
+
 if [ -d "/etc/ssl/certs" ]; then
     # assume our fake root CA is not there
     with_remote_config <<<"SSL_CApath = /etc/ssl/certs"
@@ -105,6 +122,10 @@ c_rehash "$capath"
 with_remote_config <<<"SSL_CApath = $capath"
 verified_peer
 
+with_remote_config </dev/null
+SSL_CERT_DIR="$capath" verified_peer
+grep -Fx "remote: Using default locations for trusted CA certificates" <"$STDERR" || error
+
 # hostnames and IPs included in the subjectAltName should work as well
 for host in "ip6-localhost" "127.0.0.1" "::1"; do
     with_remote_config <<-EOF
-- 
cgit v1.2.3