From feeb91998a29ca040f6e5dd103e09507a6355e32 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Fri, 11 Dec 2020 18:39:46 +0100
Subject: libinterimap: deprecate SSL_protocols and introduce
 SSL_protocol_{min,max}.

Using the libssl interface simplifies our protocol black/whitelist
greatly; this only allows simple min/max bounds, but holes are arguably
not very useful here.

Using the new settings bumps the required libssl version to 1.1.0.
---
 tests/tls-protocols/t | 64 +++++++++++++++++++++++++++++++++++++++++++++++++--
 tests/tls-rsa+ecdsa/t |  2 +-
 2 files changed, 63 insertions(+), 3 deletions(-)

(limited to 'tests')

diff --git a/tests/tls-protocols/t b/tests/tls-protocols/t
index 5444658..b65d93c 100644
--- a/tests/tls-protocols/t
+++ b/tests/tls-protocols/t
@@ -1,3 +1,10 @@
+# system default
+interimap --debug || error
+! grep -E "^remote: Disabling SSL protocols: " <"$STDERR" || error # TODO deprecated
+! grep -E "^remote: Minimum SSL/TLS protocol version: " <"$STDERR" || error
+! grep -E "^remote: Maximum SSL/TLS protocol version: " <"$STDERR" || error
+grep -E "^remote: SSL protocol: TLSv" <"$STDERR" || error
+
 # backup config
 install -m0600 "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~"
 with_remote_tls_protocols() {
@@ -5,12 +12,15 @@ with_remote_tls_protocols() {
     printf "SSL_protocols = %s\\n" "$*" >>"$XDG_CONFIG_HOME/interimap/config"
 }
 
-# disable TLSv1.2 and earlier versions
+# disable TLSv1.2 and earlier
 with_remote_tls_protocols "!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"
 interimap --debug || error
 grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2" <"$STDERR" || error
 grep -E "^remote: SSL protocol: TLSv1\.3 " <"$STDERR" || error
 
+interimap || error
+grep -E "^remote: SSL_protocols is deprecated " <"$STDERR" || error "no deprecation message"
+
 # force TLSv1.2
 with_remote_tls_protocols "TLSv1.2"
 interimap --debug || error
@@ -23,7 +33,7 @@ interimap --debug || error
 grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1.3" <"$STDERR" || error
 grep -E "^remote: SSL protocol: TLSv(1\.[12])? " <"$STDERR" || error
 
-# force SSLv2 and SSLv3, fails as it's disabled server side
+# force SSLv2 and SSLv3; this fails due to dovecot's ssl_min_protocol=TLSv1
 with_remote_tls_protocols "SSLv2" "SSLv3"
 ! interimap --debug || error
 grep -Fx "remote: Disabling SSL protocols: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3" <"$STDERR" || error
@@ -31,4 +41,54 @@ grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
 # make sure we didn't send any credentials
 ! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
 
+
+# new interface: SSL_protocol_{min,max}
+with_remote_tls_protocol_min_max() {
+    install -m0600 "$XDG_CONFIG_HOME/interimap/config~" "$XDG_CONFIG_HOME/interimap/config"
+    if [ -n "${1-}" ]; then
+        printf "SSL_protocol_min = %s\\n" "$1" >>"$XDG_CONFIG_HOME/interimap/config"
+    fi
+    if [ -n "${2-}" ]; then
+        printf "SSL_protocol_max = %s\\n" "$2" >>"$XDG_CONFIG_HOME/interimap/config"
+    fi
+}
+
+# disable TLSv1.2 and earlier
+# XXX this test assumes that TLSv1.3 is the highest version supported
+with_remote_tls_protocol_min_max "TLSv1.3"
+interimap --debug || error
+grep -Fx "remote: Minimum SSL/TLS protocol version: TLSv1.3" <"$STDERR" || error
+! grep -E "^remote: Maximum SSL/TLS protocol version: " <"$STDERR" || error
+grep -E "^remote: SSL protocol: TLSv1\.3 " <"$STDERR" || error
+
+# force TLSv1.2
+with_remote_tls_protocol_min_max "TLSv1.2" "TLSv1.2"
+interimap --debug || error
+grep -Fx "remote: Minimum SSL/TLS protocol version: TLSv1.2" <"$STDERR" || error
+grep -Fx "remote: Maximum SSL/TLS protocol version: TLSv1.2" <"$STDERR" || error
+grep -E "^remote: SSL protocol: TLSv1\.2 " <"$STDERR" || error
+
+# disable TLSv1.2 and later
+with_remote_tls_protocol_min_max "" "TLSv1.1"
+interimap --debug || error
+! grep -E "^remote: Minimum SSL/TLS protocol version: " <"$STDERR" || error
+grep -Fx "remote: Maximum SSL/TLS protocol version: TLSv1.1" <"$STDERR" || error
+grep -E "^remote: SSL protocol: TLSv1\.1 " <"$STDERR" || error
+
+# force SSLv3 to to TLSv1.1
+with_remote_tls_protocol_min_max "SSLv3" "TLSv1.1"
+interimap --debug || error
+grep -Fx "remote: Minimum SSL/TLS protocol version: SSLv3" <"$STDERR" || error
+grep -Fx "remote: Maximum SSL/TLS protocol version: TLSv1.1" <"$STDERR" || error
+grep -E "^remote: SSL protocol: TLSv1(\.1)? " <"$STDERR" || error
+
+# force SSLv3; this fails due to dovecot's ssl_min_protocol=TLSv1
+with_remote_tls_protocol_min_max "SSLv3" "SSLv3"
+! interimap --debug || error
+grep -Fx "remote: Minimum SSL/TLS protocol version: SSLv3" <"$STDERR" || error
+grep -Fx "remote: Maximum SSL/TLS protocol version: SSLv3" <"$STDERR" || error
+grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
+# make sure we didn't send any credentials
+! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
+
 # vim: set filetype=sh :
diff --git a/tests/tls-rsa+ecdsa/t b/tests/tls-rsa+ecdsa/t
index 2adf930..8b811fd 100644
--- a/tests/tls-rsa+ecdsa/t
+++ b/tests/tls-rsa+ecdsa/t
@@ -38,7 +38,7 @@ grep -Fx -e "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_S
 
 # force RSA (XXX do we really have to force TLSv1.2 here?)
 cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF
-	SSL_protocols = TLSv1.2
+	SSL_protocol_max = TLSv1.2
 	SSL_cipherlist = EECDH+AESGCM+aRSA
 EOF
 interimap --debug || error
-- 
cgit v1.2.3